--- /dev/null
+From bc0e757868f4ba3bdb05458024e7c2546ee1661a Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Tue, 30 Apr 2019 10:52:29 -0500
+Subject: ACPI / property: fix handling of data_nodes in
+ acpi_get_next_subnode()
+
+[ Upstream commit 23583f7795025e3c783b680d906509366b0906ad ]
+
+When the DSDT tables expose devices with subdevices and a set of
+hierarchical _DSD properties, the data returned by
+acpi_get_next_subnode() is incorrect, with the results suggesting a bad
+pointer assignment. The parser works fine with device_nodes or
+data_nodes, but not with a combination of the two.
+
+The problem is traced to an invalid pointer used when jumping from
+handling device_nodes to data nodes. The existing code looks for data
+nodes below the last subdevice found instead of the common root. Fix
+by forcing the acpi_device pointer to be derived from the same fwnode
+for the two types of subnodes.
+
+This same problem of handling device and data nodes was already fixed
+in a similar way by 'commit bf4703fdd166 ("ACPI / property: fix data
+node parsing in acpi_get_next_subnode()")' but broken later by 'commit
+34055190b19 ("ACPI / property: Add fwnode_get_next_child_node()")', so
+this should probably go to linux-stable all the way to 4.12
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/property.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c
+index e26ea209b63ef..7a3194e2e0906 100644
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -943,6 +943,14 @@ struct fwnode_handle *acpi_get_next_subnode(const struct fwnode_handle *fwnode,
+ const struct acpi_data_node *data = to_acpi_data_node(fwnode);
+ struct acpi_data_node *dn;
+
++ /*
++ * We can have a combination of device and data nodes, e.g. with
++ * hierarchical _DSD properties. Make sure the adev pointer is
++ * restored before going through data nodes, otherwise we will
++ * be looking for data_nodes below the last device found instead
++ * of the common fwnode shared by device_nodes and data_nodes.
++ */
++ adev = to_acpi_device_node(fwnode);
+ if (adev)
+ head = &adev->data.subnodes;
+ else if (data)
+--
+2.20.1
+
--- /dev/null
+From 9681ce2b279bde1b0870552873e30585a386e8d4 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Mon, 8 Apr 2019 16:49:01 +0100
+Subject: ARM: vdso: Remove dependency with the arch_timer driver internals
+
+[ Upstream commit 1f5b62f09f6b314c8d70b9de5182dae4de1f94da ]
+
+The VDSO code uses the kernel helper that was originally designed
+to abstract the access between 32 and 64bit systems. It worked so
+far because this function is declared as 'inline'.
+
+As we're about to revamp that part of the code, the VDSO would
+break. Let's fix it by doing what should have been done from
+the start, a proper system register access.
+
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/cp15.h | 2 ++
+ arch/arm/vdso/vgettimeofday.c | 5 +++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/include/asm/cp15.h b/arch/arm/include/asm/cp15.h
+index 07e27f212dc75..d2453e2d3f1f3 100644
+--- a/arch/arm/include/asm/cp15.h
++++ b/arch/arm/include/asm/cp15.h
+@@ -68,6 +68,8 @@
+ #define BPIALL __ACCESS_CP15(c7, 0, c5, 6)
+ #define ICIALLU __ACCESS_CP15(c7, 0, c5, 0)
+
++#define CNTVCT __ACCESS_CP15_64(1, c14)
++
+ extern unsigned long cr_alignment; /* defined in entry-armv.S */
+
+ static inline unsigned long get_cr(void)
+diff --git a/arch/arm/vdso/vgettimeofday.c b/arch/arm/vdso/vgettimeofday.c
+index 79214d5ff0970..3af02d2a0b7f2 100644
+--- a/arch/arm/vdso/vgettimeofday.c
++++ b/arch/arm/vdso/vgettimeofday.c
+@@ -18,9 +18,9 @@
+ #include <linux/compiler.h>
+ #include <linux/hrtimer.h>
+ #include <linux/time.h>
+-#include <asm/arch_timer.h>
+ #include <asm/barrier.h>
+ #include <asm/bug.h>
++#include <asm/cp15.h>
+ #include <asm/page.h>
+ #include <asm/unistd.h>
+ #include <asm/vdso_datapage.h>
+@@ -123,7 +123,8 @@ static notrace u64 get_ns(struct vdso_data *vdata)
+ u64 cycle_now;
+ u64 nsec;
+
+- cycle_now = arch_counter_get_cntvct();
++ isb();
++ cycle_now = read_sysreg(CNTVCT);
+
+ cycle_delta = (cycle_now - vdata->cs_cycle_last) & vdata->cs_mask;
+
+--
+2.20.1
+
--- /dev/null
+From e6eae0d4084887ae9417b8a275edd18bb12c5193 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 5 Mar 2019 19:34:05 +0800
+Subject: arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
+
+[ Upstream commit 92606ec9285fb84cd9b5943df23f07d741384bfc ]
+
+The call to of_get_next_child returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+ ./arch/arm64/kernel/cpu_ops.c:102:1-7: ERROR: missing of_node_put;
+ acquired a node pointer with refcount incremented on line 69, but
+ without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/cpu_ops.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/cpu_ops.c b/arch/arm64/kernel/cpu_ops.c
+index d16978213c5b3..e2a9d04d05175 100644
+--- a/arch/arm64/kernel/cpu_ops.c
++++ b/arch/arm64/kernel/cpu_ops.c
+@@ -85,6 +85,7 @@ static const char *__init cpu_read_enable_method(int cpu)
+ pr_err("%pOF: missing enable-method property\n",
+ dn);
+ }
++ of_node_put(dn);
+ } else {
+ enable_method = acpi_get_enable_method(cpu);
+ if (!enable_method) {
+--
+2.20.1
+
--- /dev/null
+From 1ed4d037fd8c476b8b4a0febcfdc2e90b835ea55 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Mon, 29 Apr 2019 13:37:01 -0400
+Subject: arm64: Fix compiler warning from pte_unmap() with
+ -Wunused-but-set-variable
+
+[ Upstream commit 74dd022f9e6260c3b5b8d15901d27ebcc5f21eda ]
+
+When building with -Wunused-but-set-variable, the compiler shouts about
+a number of pte_unmap() users, since this expands to an empty macro on
+arm64:
+
+ | mm/gup.c: In function 'gup_pte_range':
+ | mm/gup.c:1727:16: warning: variable 'ptem' set but not used
+ | [-Wunused-but-set-variable]
+ | mm/gup.c: At top level:
+ | mm/memory.c: In function 'copy_pte_range':
+ | mm/memory.c:821:24: warning: variable 'orig_dst_pte' set but not used
+ | [-Wunused-but-set-variable]
+ | mm/memory.c:821:9: warning: variable 'orig_src_pte' set but not used
+ | [-Wunused-but-set-variable]
+ | mm/swap_state.c: In function 'swap_ra_info':
+ | mm/swap_state.c:641:15: warning: variable 'orig_pte' set but not used
+ | [-Wunused-but-set-variable]
+ | mm/madvise.c: In function 'madvise_free_pte_range':
+ | mm/madvise.c:318:9: warning: variable 'orig_pte' set but not used
+ | [-Wunused-but-set-variable]
+
+Rewrite pte_unmap() as a static inline function, which silences the
+warnings.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/pgtable.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index aafea648a30ff..ee77556b01243 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -420,6 +420,8 @@ static inline phys_addr_t pmd_page_paddr(pmd_t pmd)
+ return pmd_val(pmd) & PHYS_MASK & (s32)PAGE_MASK;
+ }
+
++static inline void pte_unmap(pte_t *pte) { }
++
+ /* Find an entry in the third-level page table. */
+ #define pte_index(addr) (((addr) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1))
+
+@@ -428,7 +430,6 @@ static inline phys_addr_t pmd_page_paddr(pmd_t pmd)
+
+ #define pte_offset_map(dir,addr) pte_offset_kernel((dir), (addr))
+ #define pte_offset_map_nested(dir,addr) pte_offset_kernel((dir), (addr))
+-#define pte_unmap(pte) do { } while (0)
+ #define pte_unmap_nested(pte) do { } while (0)
+
+ #define pte_set_fixmap(addr) ((pte_t *)set_fixmap_offset(FIX_PTE, addr))
+--
+2.20.1
+
--- /dev/null
+From 7f5f379a1ced1fe564fd4208382c9d99f7ee8972 Mon Sep 17 00:00:00 2001
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Date: Tue, 16 Apr 2019 17:14:30 +0100
+Subject: arm64: vdso: Fix clock_getres() for CLOCK_REALTIME
+
+[ Upstream commit 81fb8736dd81da3fe94f28968dac60f392ec6746 ]
+
+clock_getres() in the vDSO library has to preserve the same behaviour
+of posix_get_hrtimer_res().
+
+In particular, posix_get_hrtimer_res() does:
+
+ sec = 0;
+ ns = hrtimer_resolution;
+
+where 'hrtimer_resolution' depends on whether or not high resolution
+timers are enabled, which is a runtime decision.
+
+The vDSO incorrectly returns the constant CLOCK_REALTIME_RES. Fix this
+by exposing 'hrtimer_resolution' in the vDSO datapage and returning that
+instead.
+
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+[will: Use WRITE_ONCE(), move adr off COARSE path, renumber labels, use 'w' reg]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/vdso_datapage.h | 1 +
+ arch/arm64/kernel/asm-offsets.c | 2 +-
+ arch/arm64/kernel/vdso.c | 3 +++
+ arch/arm64/kernel/vdso/gettimeofday.S | 7 +++----
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/include/asm/vdso_datapage.h b/arch/arm64/include/asm/vdso_datapage.h
+index 2b9a63771eda8..f89263c8e11af 100644
+--- a/arch/arm64/include/asm/vdso_datapage.h
++++ b/arch/arm64/include/asm/vdso_datapage.h
+@@ -38,6 +38,7 @@ struct vdso_data {
+ __u32 tz_minuteswest; /* Whacky timezone stuff */
+ __u32 tz_dsttime;
+ __u32 use_syscall;
++ __u32 hrtimer_res;
+ };
+
+ #endif /* !__ASSEMBLY__ */
+diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c
+index b5e43b01b396c..b4a0f4ab770ab 100644
+--- a/arch/arm64/kernel/asm-offsets.c
++++ b/arch/arm64/kernel/asm-offsets.c
+@@ -95,7 +95,7 @@ int main(void)
+ DEFINE(CLOCK_REALTIME, CLOCK_REALTIME);
+ DEFINE(CLOCK_MONOTONIC, CLOCK_MONOTONIC);
+ DEFINE(CLOCK_MONOTONIC_RAW, CLOCK_MONOTONIC_RAW);
+- DEFINE(CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC);
++ DEFINE(CLOCK_REALTIME_RES, offsetof(struct vdso_data, hrtimer_res));
+ DEFINE(CLOCK_REALTIME_COARSE, CLOCK_REALTIME_COARSE);
+ DEFINE(CLOCK_MONOTONIC_COARSE,CLOCK_MONOTONIC_COARSE);
+ DEFINE(CLOCK_COARSE_RES, LOW_RES_NSEC);
+diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c
+index 2d419006ad433..ec0bb588d7553 100644
+--- a/arch/arm64/kernel/vdso.c
++++ b/arch/arm64/kernel/vdso.c
+@@ -232,6 +232,9 @@ void update_vsyscall(struct timekeeper *tk)
+ vdso_data->wtm_clock_sec = tk->wall_to_monotonic.tv_sec;
+ vdso_data->wtm_clock_nsec = tk->wall_to_monotonic.tv_nsec;
+
++ /* Read without the seqlock held by clock_getres() */
++ WRITE_ONCE(vdso_data->hrtimer_res, hrtimer_resolution);
++
+ if (!use_syscall) {
+ /* tkr_mono.cycle_last == tkr_raw.cycle_last */
+ vdso_data->cs_cycle_last = tk->tkr_mono.cycle_last;
+diff --git a/arch/arm64/kernel/vdso/gettimeofday.S b/arch/arm64/kernel/vdso/gettimeofday.S
+index 76320e9209651..df829c4346fac 100644
+--- a/arch/arm64/kernel/vdso/gettimeofday.S
++++ b/arch/arm64/kernel/vdso/gettimeofday.S
+@@ -301,13 +301,14 @@ ENTRY(__kernel_clock_getres)
+ ccmp w0, #CLOCK_MONOTONIC_RAW, #0x4, ne
+ b.ne 1f
+
+- ldr x2, 5f
++ adr vdso_data, _vdso_data
++ ldr w2, [vdso_data, #CLOCK_REALTIME_RES]
+ b 2f
+ 1:
+ cmp w0, #CLOCK_REALTIME_COARSE
+ ccmp w0, #CLOCK_MONOTONIC_COARSE, #0x4, ne
+ b.ne 4f
+- ldr x2, 6f
++ ldr x2, 5f
+ 2:
+ cbz w1, 3f
+ stp xzr, x2, [x1]
+@@ -321,8 +322,6 @@ ENTRY(__kernel_clock_getres)
+ svc #0
+ ret
+ 5:
+- .quad CLOCK_REALTIME_RES
+-6:
+ .quad CLOCK_COARSE_RES
+ .cfi_endproc
+ ENDPROC(__kernel_clock_getres)
+--
+2.20.1
+
--- /dev/null
+From d8f1bf5a82900b97a36b7d625193b27c438d18e3 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 7 Mar 2019 11:11:30 +0100
+Subject: ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
+
+[ Upstream commit 8ca5104715cfd14254ea5aecc390ae583b707607 ]
+
+Building with clang shows a variable that is only used by the
+suspend/resume functions but defined outside of their #ifdef block:
+
+sound/soc/ti/davinci-mcasp.c:48:12: error: variable 'context_regs' is not needed and will not be emitted
+
+We commonly fix these by marking the PM functions as __maybe_unused,
+but here that would grow the davinci_mcasp structure, so instead
+add another #ifdef here.
+
+Fixes: 1cc0c054f380 ("ASoC: davinci-mcasp: Convert the context save/restore to use array")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/davinci/davinci-mcasp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c
+index f395bbc7c3545..9aa741d272798 100644
+--- a/sound/soc/davinci/davinci-mcasp.c
++++ b/sound/soc/davinci/davinci-mcasp.c
+@@ -43,6 +43,7 @@
+
+ #define MCASP_MAX_AFIFO_DEPTH 64
+
++#ifdef CONFIG_PM
+ static u32 context_regs[] = {
+ DAVINCI_MCASP_TXFMCTL_REG,
+ DAVINCI_MCASP_RXFMCTL_REG,
+@@ -65,6 +66,7 @@ struct davinci_mcasp_context {
+ u32 *xrsr_regs; /* for serializer configuration */
+ bool pm_state;
+ };
++#endif
+
+ struct davinci_mcasp_ruledata {
+ struct davinci_mcasp *mcasp;
+--
+2.20.1
+
--- /dev/null
+From d580f1e3c97a4ee5cb489b0888990939cbc2daa6 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:51 +0800
+Subject: ASoC: eukrea-tlv320: fix a leaked reference by adding missing
+ of_node_put
+
+[ Upstream commit b820d52e7eed7b30b2dfef5f4213a2bc3cbea6f3 ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function.
+./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/eukrea-tlv320.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
+index 84ef6385736cd..4c6f19ef98b25 100644
+--- a/sound/soc/fsl/eukrea-tlv320.c
++++ b/sound/soc/fsl/eukrea-tlv320.c
+@@ -119,13 +119,13 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(&pdev->dev,
+ "fsl,mux-int-port node missing or invalid.\n");
+- return ret;
++ goto err;
+ }
+ ret = of_property_read_u32(np, "fsl,mux-ext-port", &ext_port);
+ if (ret) {
+ dev_err(&pdev->dev,
+ "fsl,mux-ext-port node missing or invalid.\n");
+- return ret;
++ goto err;
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 846892ba072782330ea2af17b14c61b27b66148e Mon Sep 17 00:00:00 2001
+From: Daniel Baluta <daniel.baluta@nxp.com>
+Date: Sun, 21 Apr 2019 19:39:08 +0000
+Subject: ASoC: fsl_sai: Update is_slave_mode with correct value
+
+[ Upstream commit ddb351145a967ee791a0fb0156852ec2fcb746ba ]
+
+is_slave_mode defaults to false because sai structure
+that contains it is kzalloc'ed.
+
+Anyhow, if we decide to set the following configuration
+SAI slave -> SAI master, is_slave_mode will remain set on true
+although SAI being master it should be set to false.
+
+Fix this by updating is_slave_mode for each call of
+fsl_sai_set_dai_fmt.
+
+Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 18e5ce81527d2..c1c733b573a7f 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -274,12 +274,14 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+ case SND_SOC_DAIFMT_CBS_CFS:
+ val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
+ val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
++ sai->is_slave_mode = false;
+ break;
+ case SND_SOC_DAIFMT_CBM_CFM:
+ sai->is_slave_mode = true;
+ break;
+ case SND_SOC_DAIFMT_CBS_CFM:
+ val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
++ sai->is_slave_mode = false;
+ break;
+ case SND_SOC_DAIFMT_CBM_CFS:
+ val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
+--
+2.20.1
+
--- /dev/null
+From 46c1a1142253515bd6c4b89fd465a2f58e9bf1a5 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:50 +0800
+Subject: ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
+
+[ Upstream commit c705247136a523488eac806bd357c3e5d79a7acd ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Timur Tabi <timur@kernel.org>
+Cc: Nicolin Chen <nicoleotsuka@gmail.com>
+Cc: Xiubo Li <Xiubo.Lee@gmail.com>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/fsl/fsl_utils.c b/sound/soc/fsl/fsl_utils.c
+index b9e42b503a377..4f8bdb7650e84 100644
+--- a/sound/soc/fsl/fsl_utils.c
++++ b/sound/soc/fsl/fsl_utils.c
+@@ -75,6 +75,7 @@ int fsl_asoc_get_dma_channel(struct device_node *ssi_np,
+ iprop = of_get_property(dma_np, "cell-index", NULL);
+ if (!iprop) {
+ of_node_put(dma_np);
++ of_node_put(dma_channel_np);
+ return -EINVAL;
+ }
+ *dma_id = be32_to_cpup(iprop);
+--
+2.20.1
+
--- /dev/null
+From 6cae6fe7f1ad33f0f8711bc101573d248a90d45a Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Mon, 29 Apr 2019 15:29:39 +0200
+Subject: ASoC: hdmi-codec: unlock the device on startup errors
+
+[ Upstream commit 30180e8436046344b12813dc954b2e01dfdcd22d ]
+
+If the hdmi codec startup fails, it should clear the current_substream
+pointer to free the device. This is properly done for the audio_startup()
+callback but for snd_pcm_hw_constraint_eld().
+
+Make sure the pointer cleared if an error is reported.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdmi-codec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/hdmi-codec.c b/sound/soc/codecs/hdmi-codec.c
+index 7406695ee5dc2..e00f5f49f21d1 100644
+--- a/sound/soc/codecs/hdmi-codec.c
++++ b/sound/soc/codecs/hdmi-codec.c
+@@ -446,8 +446,12 @@ static int hdmi_codec_startup(struct snd_pcm_substream *substream,
+ if (!ret) {
+ ret = snd_pcm_hw_constraint_eld(substream->runtime,
+ hcp->eld);
+- if (ret)
++ if (ret) {
++ mutex_lock(&hcp->current_stream_lock);
++ hcp->current_stream = NULL;
++ mutex_unlock(&hcp->current_stream_lock);
+ return ret;
++ }
+ }
+ /* Select chmap supported */
+ hdmi_codec_eld_chmap(hcp);
+--
+2.20.1
+
--- /dev/null
+From 18e10469933f7554f2810a8b05e1acdeb2a5cb60 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 16 Apr 2019 15:12:23 +0200
+Subject: ASoC: imx: fix fiq dependencies
+
+[ Upstream commit ea751227c813ab833609afecfeedaf0aa26f327e ]
+
+During randconfig builds, I occasionally run into an invalid configuration
+of the freescale FIQ sound support:
+
+WARNING: unmet direct dependencies detected for SND_SOC_IMX_PCM_FIQ
+ Depends on [m]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]
+ Selected by [y]:
+ - SND_SOC_FSL_SPDIF [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]!=n && (MXC_TZIC [=n] || MXC_AVIC [=y])
+
+sound/soc/fsl/imx-ssi.o: In function `imx_ssi_remove':
+imx-ssi.c:(.text+0x28): undefined reference to `imx_pcm_fiq_exit'
+sound/soc/fsl/imx-ssi.o: In function `imx_ssi_probe':
+imx-ssi.c:(.text+0xa64): undefined reference to `imx_pcm_fiq_init'
+
+The Kconfig warning is a result of the symbol being defined inside of
+the "if SND_IMX_SOC" block, and is otherwise harmless. The link error
+is more tricky and happens with SND_SOC_IMX_SSI=y, which may or may not
+imply FIQ support. However, if SND_SOC_FSL_SSI is set to =m at the same
+time, that selects SND_SOC_IMX_PCM_FIQ as a loadable module dependency,
+which then causes a link failure from imx-ssi.
+
+The solution here is to make SND_SOC_IMX_PCM_FIQ built-in whenever
+one of its potential users is built-in.
+
+Fixes: ff40260f79dc ("ASoC: fsl: refine DMA/FIQ dependencies")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/Kconfig | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig
+index 4087deeda7cf9..2523b00659908 100644
+--- a/sound/soc/fsl/Kconfig
++++ b/sound/soc/fsl/Kconfig
+@@ -173,16 +173,17 @@ config SND_MPC52xx_SOC_EFIKA
+
+ endif # SND_POWERPC_SOC
+
++config SND_SOC_IMX_PCM_FIQ
++ tristate
++ default y if SND_SOC_IMX_SSI=y && (SND_SOC_FSL_SSI=m || SND_SOC_FSL_SPDIF=m) && (MXC_TZIC || MXC_AVIC)
++ select FIQ
++
+ if SND_IMX_SOC
+
+ config SND_SOC_IMX_SSI
+ tristate
+ select SND_SOC_FSL_UTILS
+
+-config SND_SOC_IMX_PCM_FIQ
+- tristate
+- select FIQ
+-
+ comment "SoC Audio support for Freescale i.MX boards:"
+
+ config SND_MXC_SOC_WM1133_EV1
+--
+2.20.1
+
--- /dev/null
+From 5236226053c4f6445bd7a61df770957f8ca66fae Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 19 Apr 2019 20:49:29 -0500
+Subject: audit: fix a memory leak bug
+
+[ Upstream commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f ]
+
+In audit_rule_change(), audit_data_to_entry() is firstly invoked to
+translate the payload data to the kernel's rule representation. In
+audit_data_to_entry(), depending on the audit field type, an audit tree may
+be created in audit_make_tree(), which eventually invokes kmalloc() to
+allocate the tree. Since this tree is a temporary tree, it will be then
+freed in the following execution, e.g., audit_add_rule() if the message
+type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
+AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
+AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
+temporary tree is not freed.
+
+To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
+or AUDIT_DEL_RULE.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/auditfilter.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index 8dd4063647c2c..215c6e1ee026f 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1094,22 +1094,24 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
+ int err = 0;
+ struct audit_entry *entry;
+
+- entry = audit_data_to_entry(data, datasz);
+- if (IS_ERR(entry))
+- return PTR_ERR(entry);
+-
+ switch (type) {
+ case AUDIT_ADD_RULE:
++ entry = audit_data_to_entry(data, datasz);
++ if (IS_ERR(entry))
++ return PTR_ERR(entry);
+ err = audit_add_rule(entry);
+ audit_log_rule_change("add_rule", &entry->rule, !err);
+ break;
+ case AUDIT_DEL_RULE:
++ entry = audit_data_to_entry(data, datasz);
++ if (IS_ERR(entry))
++ return PTR_ERR(entry);
+ err = audit_del_rule(entry);
+ audit_log_rule_change("remove_rule", &entry->rule, !err);
+ break;
+ default:
+- err = -EINVAL;
+ WARN_ON(1);
++ return -EINVAL;
+ }
+
+ if (err || type == AUDIT_DEL_RULE) {
+--
+2.20.1
+
--- /dev/null
+From 8e0f82ba04e496393ca610d857c7feb62569b54c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2019 15:37:02 +0100
+Subject: b43: shut up clang -Wuninitialized variable warning
+
+[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]
+
+Clang warns about what is clearly a case of passing an uninitalized
+variable into a static function:
+
+drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
+ [-Werror,-Wuninitialized]
+ lpphy_papd_cal(dev, gains, 0, 1, 30);
+ ^~~~~
+drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
+ struct lpphy_tx_gains gains, oldgains;
+ ^
+1 error generated.
+
+However, this function is empty, and its arguments are never evaluated,
+so gcc in contrast does not warn here. Both compilers behave in a
+reasonable way as far as I can tell, so we should change the code
+to avoid the warning everywhere.
+
+We could just eliminate the lpphy_papd_cal() function entirely,
+given that it has had the TODO comment in it for 10 years now
+and is rather unlikely to ever get done. I'm doing a simpler
+change here, and just pass the 'oldgains' variable in that has
+been initialized, based on the guess that this is what was
+originally meant.
+
+Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration & software RFKILL support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/phy_lp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c
+index 6922cbb99a044..5a0699fb4b9ab 100644
+--- a/drivers/net/wireless/broadcom/b43/phy_lp.c
++++ b/drivers/net/wireless/broadcom/b43/phy_lp.c
+@@ -1834,7 +1834,7 @@ static void lpphy_papd_cal(struct b43_wldev *dev, struct lpphy_tx_gains gains,
+ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev)
+ {
+ struct b43_phy_lp *lpphy = dev->phy.lp;
+- struct lpphy_tx_gains gains, oldgains;
++ struct lpphy_tx_gains oldgains;
+ int old_txpctl, old_afe_ovr, old_rf, old_bbmult;
+
+ lpphy_read_tx_pctl_mode_from_hardware(dev);
+@@ -1848,9 +1848,9 @@ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev)
+ lpphy_set_tx_power_control(dev, B43_LPPHY_TXPCTL_OFF);
+
+ if (dev->dev->chip_id == 0x4325 && dev->dev->chip_rev == 0)
+- lpphy_papd_cal(dev, gains, 0, 1, 30);
++ lpphy_papd_cal(dev, oldgains, 0, 1, 30);
+ else
+- lpphy_papd_cal(dev, gains, 0, 1, 65);
++ lpphy_papd_cal(dev, oldgains, 0, 1, 65);
+
+ if (old_afe_ovr)
+ lpphy_set_tx_gains(dev, oldgains);
+--
+2.20.1
+
--- /dev/null
+From 41658c2af8c15a60eb32a56dca2ef51b784a3b1c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Thu, 14 Feb 2019 16:52:43 +0100
+Subject: batman-adv: allow updating DAT entry timeouts on incoming ARP Replies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 099e6cc1582dc2903fecb898bbeae8f7cf4262c7 ]
+
+Currently incoming ARP Replies, for example via a DHT-PUT message, do
+not update the timeout for an already existing DAT entry. These ARP
+Replies are dropped instead.
+
+This however defeats the purpose of the DHCPACK snooping, for instance.
+Right now, a DAT entry in the DHT will be purged every five minutes,
+likely leading to a mesh-wide ARP Request broadcast after this timeout.
+Which then recreates the entry. The idea of the DHCPACK snooping is to
+be able to update an entry before a timeout happens, to avoid ARP Request
+flooding.
+
+This patch fixes this issue by updating a DAT entry on incoming
+ARP Replies even if a matching DAT entry already exists. While still
+filtering the ARP Reply towards the soft-interface, to avoid duplicate
+messages on the client device side.
+
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index 4f0111bc6621e..8d1d0fdb157e7 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -1240,7 +1240,6 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ hw_src, &ip_src, hw_dst, &ip_dst,
+ dat_entry->mac_addr, &dat_entry->ip);
+ dropped = true;
+- goto out;
+ }
+
+ /* Update our internal cache with both the IP addresses the node got
+@@ -1249,6 +1248,9 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ batadv_dat_entry_add(bat_priv, ip_src, hw_src, vid);
+ batadv_dat_entry_add(bat_priv, ip_dst, hw_dst, vid);
+
++ if (dropped)
++ goto out;
++
+ /* If BLA is enabled, only forward ARP replies if we have claimed the
+ * source of the ARP reply or if no one else of the same backbone has
+ * already claimed that client. This prevents that different gateways
+--
+2.20.1
+
--- /dev/null
+From cf865b8733cdb55a6d8f13060fddf358217d28e8 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Thu, 25 Apr 2019 00:48:34 +0800
+Subject: bcache: add failure check to run_cache_set() for journal replay
+
+[ Upstream commit ce3e4cfb59cb382f8e5ce359238aa580d4ae7778 ]
+
+Currently run_cache_set() has no return value, if there is failure in
+bch_journal_replay(), the caller of run_cache_set() has no idea about
+such failure and just continue to execute following code after
+run_cache_set(). The internal failure is triggered inside
+bch_journal_replay() and being handled in async way. This behavior is
+inefficient, while failure handling inside bch_journal_replay(), cache
+register code is still running to start the cache set. Registering and
+unregistering code running as same time may introduce some rare race
+condition, and make the code to be more hard to be understood.
+
+This patch adds return value to run_cache_set(), and returns -EIO if
+bch_journal_rreplay() fails. Then caller of run_cache_set() may detect
+such failure and stop registering code flow immedidately inside
+register_cache_set().
+
+If journal replay fails, run_cache_set() can report error immediately
+to register_cache_set(). This patch makes the failure handling for
+bch_journal_replay() be in synchronized way, easier to understand and
+debug, and avoid poetential race condition for register-and-unregister
+in same time.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 175bab2d72067..85a5afe01d397 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1560,7 +1560,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
+ return NULL;
+ }
+
+-static void run_cache_set(struct cache_set *c)
++static int run_cache_set(struct cache_set *c)
+ {
+ const char *err = "cannot allocate memory";
+ struct cached_dev *dc, *t;
+@@ -1652,7 +1652,9 @@ static void run_cache_set(struct cache_set *c)
+ if (j->version < BCACHE_JSET_VERSION_UUID)
+ __uuid_write(c);
+
+- bch_journal_replay(c, &journal);
++ err = "bcache: replay journal failed";
++ if (bch_journal_replay(c, &journal))
++ goto err;
+ } else {
+ pr_notice("invalidating existing data");
+
+@@ -1720,11 +1722,13 @@ static void run_cache_set(struct cache_set *c)
+ flash_devs_run(c);
+
+ set_bit(CACHE_SET_RUNNING, &c->flags);
+- return;
++ return 0;
+ err:
+ closure_sync(&cl);
+ /* XXX: test this, it's broken */
+ bch_cache_set_error(c, "%s", err);
++
++ return -EIO;
+ }
+
+ static bool can_attach_cache(struct cache *ca, struct cache_set *c)
+@@ -1788,8 +1792,11 @@ static const char *register_cache_set(struct cache *ca)
+ ca->set->cache[ca->sb.nr_this_dev] = ca;
+ c->cache_by_alloc[c->caches_loaded++] = ca;
+
+- if (c->caches_loaded == c->sb.nr_in_set)
+- run_cache_set(c);
++ if (c->caches_loaded == c->sb.nr_in_set) {
++ err = "failed to run cache set";
++ if (run_cache_set(c) < 0)
++ goto err;
++ }
+
+ return NULL;
+ err:
+--
+2.20.1
+
--- /dev/null
+From bcaff2ccef252d47c6ae468cb10bc32f5383c50b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 25 Apr 2019 00:48:28 +0800
+Subject: bcache: avoid clang -Wunintialized warning
+
+[ Upstream commit 78d4eb8ad9e1d413449d1b7a060f50b6efa81ebd ]
+
+clang has identified a code path in which it thinks a
+variable may be unused:
+
+drivers/md/bcache/alloc.c:333:4: error: variable 'bucket' is used uninitialized whenever 'if' condition is false
+ [-Werror,-Wsometimes-uninitialized]
+ fifo_pop(&ca->free_inc, bucket);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
+ #define fifo_pop(fifo, i) fifo_pop_front(fifo, (i))
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/md/bcache/util.h:189:6: note: expanded from macro 'fifo_pop_front'
+ if (_r) { \
+ ^~
+drivers/md/bcache/alloc.c:343:46: note: uninitialized use occurs here
+ allocator_wait(ca, bch_allocator_push(ca, bucket));
+ ^~~~~~
+drivers/md/bcache/alloc.c:287:7: note: expanded from macro 'allocator_wait'
+ if (cond) \
+ ^~~~
+drivers/md/bcache/alloc.c:333:4: note: remove the 'if' if its condition is always true
+ fifo_pop(&ca->free_inc, bucket);
+ ^
+drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
+ #define fifo_pop(fifo, i) fifo_pop_front(fifo, (i))
+ ^
+drivers/md/bcache/util.h:189:2: note: expanded from macro 'fifo_pop_front'
+ if (_r) { \
+ ^
+drivers/md/bcache/alloc.c:331:15: note: initialize the variable 'bucket' to silence this warning
+ long bucket;
+ ^
+
+This cannot happen in practice because we only enter the loop
+if there is at least one element in the list.
+
+Slightly rearranging the code makes this clearer to both the
+reader and the compiler, which avoids the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/alloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
+index 8c13a9036d07f..ada94a01e1423 100644
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -325,10 +325,11 @@ static int bch_allocator_thread(void *arg)
+ * possibly issue discards to them, then we add the bucket to
+ * the free list:
+ */
+- while (!fifo_empty(&ca->free_inc)) {
++ while (1) {
+ long bucket;
+
+- fifo_pop(&ca->free_inc, bucket);
++ if (!fifo_pop(&ca->free_inc, bucket))
++ break;
+
+ if (ca->discard) {
+ mutex_unlock(&ca->set->bucket_lock);
+--
+2.20.1
+
--- /dev/null
+From 740ffffed5373575d37fdf60693e5f04d794bcc4 Mon Sep 17 00:00:00 2001
+From: Tang Junhui <tang.junhui.linux@gmail.com>
+Date: Thu, 25 Apr 2019 00:48:41 +0800
+Subject: bcache: fix failure in journal relplay
+
+[ Upstream commit 631207314d88e9091be02fbdd1fdadb1ae2ed79a ]
+
+journal replay failed with messages:
+Sep 10 19:10:43 ceph kernel: bcache: error on
+bb379a64-e44e-4812-b91d-a5599871a3b1: bcache: journal entries
+2057493-2057567 missing! (replaying 2057493-2076601), disabling
+caching
+
+The reason is in journal_reclaim(), when discard is enabled, we send
+discard command and reclaim those journal buckets whose seq is old
+than the last_seq_now, but before we write a journal with last_seq_now,
+the machine is restarted, so the journal with the last_seq_now is not
+written to the journal bucket, and the last_seq_wrote in the newest
+journal is old than last_seq_now which we expect to be, so when we doing
+replay, journals from last_seq_wrote to last_seq_now are missing.
+
+It's hard to write a journal immediately after journal_reclaim(),
+and it harmless if those missed journal are caused by discarding
+since those journals are already wrote to btree node. So, if miss
+seqs are started from the beginning journal, we treat it as normal,
+and only print a message to show the miss journal, and point out
+it maybe caused by discarding.
+
+Patch v2 add a judgement condition to ignore the missed journal
+only when discard enabled as Coly suggested.
+
+(Coly Li: rebase the patch with other changes in bch_journal_replay())
+
+Signed-off-by: Tang Junhui <tang.junhui.linux@gmail.com>
+Tested-by: Dennis Schridde <devurandom@gmx.net>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index cd8a82655e647..6394be5ee9a8f 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -310,6 +310,18 @@ void bch_journal_mark(struct cache_set *c, struct list_head *list)
+ }
+ }
+
++bool is_discard_enabled(struct cache_set *s)
++{
++ struct cache *ca;
++ unsigned int i;
++
++ for_each_cache(ca, s, i)
++ if (ca->discard)
++ return true;
++
++ return false;
++}
++
+ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ {
+ int ret = 0, keys = 0, entries = 0;
+@@ -324,10 +336,15 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ BUG_ON(i->pin && atomic_read(i->pin) != 1);
+
+ if (n != i->j.seq) {
+- pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
+- n, i->j.seq - 1, start, end);
+- ret = -EIO;
+- goto err;
++ if (n == start && is_discard_enabled(s))
++ pr_info("bcache: journal entries %llu-%llu may be discarded! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ else {
++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ ret = -EIO;
++ goto err;
++ }
+ }
+
+ for (k = i->j.start;
+--
+2.20.1
+
--- /dev/null
+From fba1f83317871d9044769812848b2e1405cf461a Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Thu, 25 Apr 2019 00:48:36 +0800
+Subject: bcache: return error immediately in bch_journal_replay()
+
+[ Upstream commit 68d10e6979a3b59e3cd2e90bfcafed79c4cf180a ]
+
+When failure happens inside bch_journal_replay(), calling
+cache_set_err_on() and handling the failure in async way is not a good
+idea. Because after bch_journal_replay() returns, registering code will
+continue to execute following steps, and unregistering code triggered
+by cache_set_err_on() is running in same time. First it is unnecessary
+to handle failure and unregister cache set in an async way, second there
+might be potential race condition to run register and unregister code
+for same cache set.
+
+So in this patch, if failure happens in bch_journal_replay(), we don't
+call cache_set_err_on(), and just print out the same error message to
+kernel message buffer, then return -EIO immediately caller. Then caller
+can detect such failure and handle it in synchrnozied way.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index c02394c3181f7..cd8a82655e647 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -323,9 +323,12 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ list_for_each_entry(i, list, list) {
+ BUG_ON(i->pin && atomic_read(i->pin) != 1);
+
+- cache_set_err_on(n != i->j.seq, s,
+-"bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
+- n, i->j.seq - 1, start, end);
++ if (n != i->j.seq) {
++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ ret = -EIO;
++ goto err;
++ }
+
+ for (k = i->j.start;
+ k < bset_bkey_last(&i->j);
+--
+2.20.1
+
--- /dev/null
+From bf1a997c22a88b2c3b794c8f085ee1abfe73f2ab Mon Sep 17 00:00:00 2001
+From: David Kozub <zub@linux.fjfi.cvut.cz>
+Date: Thu, 14 Feb 2019 01:15:53 +0100
+Subject: block: sed-opal: fix IOC_OPAL_ENABLE_DISABLE_MBR
+
+[ Upstream commit 78bf47353b0041865564deeed257a54f047c2fdc ]
+
+The implementation of IOC_OPAL_ENABLE_DISABLE_MBR handled the value
+opal_mbr_data.enable_disable incorrectly: enable_disable is expected
+to be one of OPAL_MBR_ENABLE(0) or OPAL_MBR_DISABLE(1). enable_disable
+was passed directly to set_mbr_done and set_mbr_enable_disable where
+is was interpreted as either OPAL_TRUE(1) or OPAL_FALSE(0). The end
+result was that calling IOC_OPAL_ENABLE_DISABLE_MBR with OPAL_MBR_ENABLE
+actually disabled the shadow MBR and vice versa.
+
+This patch adds correct conversion from OPAL_MBR_DISABLE/ENABLE to
+OPAL_FALSE/TRUE. The change affects existing programs using
+IOC_OPAL_ENABLE_DISABLE_MBR but this is typically used only once when
+setting up an Opal drive.
+
+Acked-by: Jon Derrick <jonathan.derrick@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Scott Bauer <sbauer@plzdonthack.me>
+Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/sed-opal.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/block/sed-opal.c b/block/sed-opal.c
+index 4f5e70d4abc3c..c64011cda9fcc 100644
+--- a/block/sed-opal.c
++++ b/block/sed-opal.c
+@@ -2078,13 +2078,16 @@ static int opal_erase_locking_range(struct opal_dev *dev,
+ static int opal_enable_disable_shadow_mbr(struct opal_dev *dev,
+ struct opal_mbr_data *opal_mbr)
+ {
++ u8 enable_disable = opal_mbr->enable_disable == OPAL_MBR_ENABLE ?
++ OPAL_TRUE : OPAL_FALSE;
++
+ const struct opal_step mbr_steps[] = {
+ { opal_discovery0, },
+ { start_admin1LSP_opal_session, &opal_mbr->key },
+- { set_mbr_done, &opal_mbr->enable_disable },
++ { set_mbr_done, &enable_disable },
+ { end_opal_session, },
+ { start_admin1LSP_opal_session, &opal_mbr->key },
+- { set_mbr_enable_disable, &opal_mbr->enable_disable },
++ { set_mbr_enable_disable, &enable_disable },
+ { end_opal_session, },
+ { NULL, }
+ };
+@@ -2204,7 +2207,7 @@ static int __opal_lock_unlock(struct opal_dev *dev,
+
+ static int __opal_set_mbr_done(struct opal_dev *dev, struct opal_key *key)
+ {
+- u8 mbr_done_tf = 1;
++ u8 mbr_done_tf = OPAL_TRUE;
+ const struct opal_step mbrdone_step [] = {
+ { opal_discovery0, },
+ { start_admin1LSP_opal_session, key },
+--
+2.20.1
+
--- /dev/null
+From 27331b5a601a6b36d124abf57fabb89ca9a7acf2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 12:52:18 +0300
+Subject: brcm80211: potential NULL dereference in
+ brcmf_cfg80211_vndr_cmds_dcmd_handler()
+
+[ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]
+
+If "ret_len" is negative then it could lead to a NULL dereference.
+
+The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
+then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to
+brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
+Most of the functions in that call tree check whether the buffer we pass
+is NULL but there are at least a couple places which don't such as
+brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and
+from the buffer so it would result in a NULL dereference.
+
+The fix is to change the types so that "ret_len" can't be negative. (If
+we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
+issue).
+
+Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
+index 8eff2753abade..d493021f60318 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
+@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
+ struct brcmf_if *ifp;
+ const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
+ struct sk_buff *reply;
+- int ret, payload, ret_len;
++ unsigned int payload, ret_len;
+ void *dcmd_buf = NULL, *wr_pointer;
+ u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
++ int ret;
+
+ if (len < sizeof(*cmdhdr)) {
+ brcmf_err("vendor command too short: %d\n", len);
+@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
+ brcmf_err("oversize return buffer %d\n", ret_len);
+ ret_len = BRCMF_DCMD_MAXLEN;
+ }
+- payload = max(ret_len, len) + 1;
++ payload = max_t(unsigned int, ret_len, len) + 1;
+ dcmd_buf = vzalloc(payload);
+ if (NULL == dcmd_buf)
+ return -ENOMEM;
+--
+2.20.1
+
--- /dev/null
+From 56155a4a12c611aad25aa510c6c30878f9c1464f Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:42 +0000
+Subject: brcmfmac: convert dev_init_lock mutex to completion
+
+[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]
+
+Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
+kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
+which silences those warnings and improves code readability.
+
+Fix below errors when connecting the USB WiFi dongle:
+
+brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
+BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
+ last function: hub_event
+1 lock held by kworker/0:2/434:
+ #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: usb_hub_wq hub_event
+[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
+[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
+[<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808)
+[<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xed1d9fb0 to 0xed1d9ff8)
+9fa0: 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+======================================================
+WARNING: possible circular locking dependency detected
+4.19.23-00084-g454a789-dirty #123 Not tainted
+------------------------------------------------------
+kworker/0:2/434 is trying to acquire lock:
+e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808
+
+but task is already holding lock:
+18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (&devinfo->dev_init_lock){+.+.}:
+ mutex_lock_nested+0x1c/0x24
+ brcmf_usb_probe+0x78/0x550 [brcmfmac]
+ usb_probe_interface+0xc0/0x1bc
+ really_probe+0x228/0x2c0
+ __driver_attach+0xe4/0xe8
+ bus_for_each_dev+0x68/0xb4
+ bus_add_driver+0x19c/0x214
+ driver_register+0x78/0x110
+ usb_register_driver+0x84/0x148
+ process_one_work+0x228/0x808
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+-> #1 (brcmf_driver_work){+.+.}:
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+-> #0 ((wq_completion)"events"){+.+.}:
+ process_one_work+0x1b8/0x808
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+other info that might help us debug this:
+
+Chain exists of:
+ (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&devinfo->dev_init_lock);
+ lock(brcmf_driver_work);
+ lock(&devinfo->dev_init_lock);
+ lock((wq_completion)"events");
+
+ *** DEADLOCK ***
+
+1 lock held by kworker/0:2/434:
+ #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+
+stack backtrace:
+CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: events request_firmware_work_func
+[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
+[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
+[<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330)
+[<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30)
+[<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268)
+[<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808)
+[<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xed1d9fb0 to 0xed1d9ff8)
+9fa0: 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/usb.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+index 11ffaa01599eb..267dcefdacb29 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -160,7 +160,7 @@ struct brcmf_usbdev_info {
+
+ struct usb_device *usbdev;
+ struct device *dev;
+- struct mutex dev_init_lock;
++ struct completion dev_init_done;
+
+ int ctl_in_pipe, ctl_out_pipe;
+ struct urb *ctl_urb; /* URB for control endpoint */
+@@ -1192,11 +1192,11 @@ static void brcmf_usb_probe_phase2(struct device *dev, int ret,
+ if (ret)
+ goto error;
+
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ return;
+ error:
+ brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ device_release_driver(dev);
+ }
+
+@@ -1242,7 +1242,7 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
+ if (ret)
+ goto fail;
+ /* we are done */
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ return 0;
+ }
+ bus->chip = bus_pub->devid;
+@@ -1303,11 +1303,10 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+
+ devinfo->usbdev = usb;
+ devinfo->dev = &usb->dev;
+- /* Take an init lock, to protect for disconnect while still loading.
++ /* Init completion, to protect for disconnect while still loading.
+ * Necessary because of the asynchronous firmware load construction
+ */
+- mutex_init(&devinfo->dev_init_lock);
+- mutex_lock(&devinfo->dev_init_lock);
++ init_completion(&devinfo->dev_init_done);
+
+ usb_set_intfdata(intf, devinfo);
+
+@@ -1385,7 +1384,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ return 0;
+
+ fail:
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ kfree(devinfo);
+ usb_set_intfdata(intf, NULL);
+ return ret;
+@@ -1400,7 +1399,7 @@ brcmf_usb_disconnect(struct usb_interface *intf)
+ devinfo = (struct brcmf_usbdev_info *)usb_get_intfdata(intf);
+
+ if (devinfo) {
+- mutex_lock(&devinfo->dev_init_lock);
++ wait_for_completion(&devinfo->dev_init_done);
+ /* Make sure that devinfo still exists. Firmware probe routines
+ * may have released the device and cleared the intfdata.
+ */
+--
+2.20.1
+
--- /dev/null
+From 1c75114270915a855fb961e607b596656dcba682 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 12:04:32 -0500
+Subject: brcmfmac: fix missing checks for kmemdup
+
+[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]
+
+In case kmemdup fails, the fix sets conn_info->req_ie_len and
+conn_info->resp_ie_len to zero to avoid buffer overflows.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 6f0ea31b0f59b..04fa66ed99a0f 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5467,6 +5467,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ conn_info->req_ie =
+ kmemdup(cfg->extra_buf, conn_info->req_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->req_ie)
++ conn_info->req_ie_len = 0;
+ } else {
+ conn_info->req_ie_len = 0;
+ conn_info->req_ie = NULL;
+@@ -5483,6 +5485,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ conn_info->resp_ie =
+ kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->resp_ie)
++ conn_info->resp_ie_len = 0;
+ } else {
+ conn_info->resp_ie_len = 0;
+ conn_info->resp_ie = NULL;
+--
+2.20.1
+
--- /dev/null
+From 5a98b22368ee2b9e010f5ec5d39fa8b44fe82d42 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:01 +0000
+Subject: brcmfmac: fix Oops when bringing up interface during USB disconnect
+
+[ Upstream commit 24d413a31afaee9bbbf79226052c386b01780ce2 ]
+
+Fix a race which leads to an Oops with NULL pointer dereference. The
+dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
+net_device structure of interface with index 0 via if2bss mapping. This
+shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
+but it's not synchronised with USB disconnect and there is a race: after
+the check the bus can be marked down and the mapping for interface 0 may be
+gone.
+
+Solve this by modifying disconnect handling so that the removal of mapping
+of ifidx to brcmf_if structure happens after netdev removal (which is
+synchronous with brcmf_netdev_open() thanks to rtln being locked in
+devinet_ioctl()). This assures brcmf_netdev_open() returns before the
+mapping is removed during disconnect.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = bcae2612
+[00000008] *pgd=8be73831
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
+iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
+nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
+u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
+usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
+udc_core [last unloaded: brcmutil]
+CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
+LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
+pc : [<7f26a91c>] lr : [<7f26a914>] psr: a0070013
+sp : eca99d28 ip : 00000000 fp : ee9c6c00
+r10: 00000036 r9 : 00000000 r8 : ece4002c
+r7 : edb5b800 r6 : 00000000 r5 : 80f08448 r4 : edb5b968
+r3 : ffffffff r2 : 00000000 r1 : 00000002 r0 : 00000000
+Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 7ca0c04a DAC: 00000051
+Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
+Stack: (0xeca99d28 to 0xeca9a000)
+9d20: 00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32
+9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036
+9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008
+9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001
+9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58
+9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000
+9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70
+9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043
+9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914
+9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030
+9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000
+9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32
+9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40
+9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000
+9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38
+9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00
+9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4
+9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118
+9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38
+9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036
+9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000
+[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
+[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150)
+[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4)
+[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48)
+[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c)
+[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4)
+[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524)
+[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0)
+[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c)
+[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xeca99fa8 to 0xeca99ff0)
+9fa0: 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
+Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
+---[ end trace 5cbac2333f3ac5df ]---
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index 79eacad387048..bfc0e37b7f344 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -664,17 +664,17 @@ static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx,
+ bool rtnl_locked)
+ {
+ struct brcmf_if *ifp;
++ int ifidx;
+
+ ifp = drvr->iflist[bsscfgidx];
+- drvr->iflist[bsscfgidx] = NULL;
+ if (!ifp) {
+ brcmf_err("Null interface, bsscfgidx=%d\n", bsscfgidx);
+ return;
+ }
+ brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx,
+ ifp->ifidx);
+- if (drvr->if2bss[ifp->ifidx] == bsscfgidx)
+- drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID;
++ ifidx = ifp->ifidx;
++
+ if (ifp->ndev) {
+ if (bsscfgidx == 0) {
+ if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
+@@ -702,6 +702,10 @@ static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx,
+ brcmf_p2p_ifp_removed(ifp, rtnl_locked);
+ kfree(ifp);
+ }
++
++ drvr->iflist[bsscfgidx] = NULL;
++ if (drvr->if2bss[ifidx] == bsscfgidx)
++ drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID;
+ }
+
+ void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked)
+--
+2.20.1
+
--- /dev/null
+From 6a13df6bcf8de5e4cdc7e13fb88cd3eb96e130aa Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Fri, 8 Mar 2019 15:25:04 +0000
+Subject: brcmfmac: fix race during disconnect when USB completion is in
+ progress
+
+[ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ]
+
+It was observed that rarely during USB disconnect happening shortly after
+connect (before full initialization completes) usb_hub_wq would wait
+forever for the dev_init_lock to be unlocked. dev_init_lock would remain
+locked though because of infinite wait during usb_kill_urb:
+
+[ 2730.656472] kworker/0:2 D 0 260 2 0x00000000
+[ 2730.660700] Workqueue: events request_firmware_work_func
+[ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
+[ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
+[ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
+[ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
+[ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
+[ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
+[ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
+[ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+[ 2733.099695] kworker/0:3 D 0 1065 2 0x00000000
+[ 2733.103926] Workqueue: usb_hub_wq hub_event
+[ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
+[ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
+[ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
+[ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
+[ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
+[ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
+[ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
+[ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
+[ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
+[ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
+[ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+It was traced down to a case where usb_kill_urb would be called on an URB
+structure containing more or less random data, including large number in
+its use_count. During the debugging it appeared that in brcmf_usb_free_q()
+the traversal over URBs' lists is not synchronized with operations on those
+lists in brcmf_usb_rx_complete() leading to handling
+brcmf_usbdev_info structure (holding lists' head) as lists' element and in
+result causing above problem.
+
+Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
+arrays of requests instead of linked lists.
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+index 267dcefdacb29..be855aa32154d 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -684,12 +684,18 @@ static int brcmf_usb_up(struct device *dev)
+
+ static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo)
+ {
++ int i;
++
+ if (devinfo->ctl_urb)
+ usb_kill_urb(devinfo->ctl_urb);
+ if (devinfo->bulk_urb)
+ usb_kill_urb(devinfo->bulk_urb);
+- brcmf_usb_free_q(&devinfo->tx_postq, true);
+- brcmf_usb_free_q(&devinfo->rx_postq, true);
++ if (devinfo->tx_reqs)
++ for (i = 0; i < devinfo->bus_pub.ntxq; i++)
++ usb_kill_urb(devinfo->tx_reqs[i].urb);
++ if (devinfo->rx_reqs)
++ for (i = 0; i < devinfo->bus_pub.nrxq; i++)
++ usb_kill_urb(devinfo->rx_reqs[i].urb);
+ }
+
+ static void brcmf_usb_down(struct device *dev)
+--
+2.20.1
+
--- /dev/null
+From 75e521beca6b4af5a1bb38110016016e2d4094ce Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Mon, 4 Mar 2019 15:42:49 +0000
+Subject: brcmfmac: fix WARNING during USB disconnect in case of unempty psq
+
+[ Upstream commit c80d26e81ef1802f30364b4ad1955c1443a592b9 ]
+
+brcmu_pkt_buf_free_skb emits WARNING when attempting to free a sk_buff
+which is part of any queue. After USB disconnect this may have happened
+when brcmf_fws_hanger_cleanup() is called as per-interface psq was never
+cleaned when removing the interface.
+Change brcmf_fws_macdesc_cleanup() in a way that it removes the
+corresponding packets from hanger table (to avoid double-free when
+brcmf_fws_hanger_cleanup() is called) and add a call to clean-up the
+interface specific packet queue.
+
+Below is a WARNING during USB disconnect with Raspberry Pi WiFi dongle
+running in AP mode. This was reproducible when the interface was
+transmitting during the disconnect and is fixed with this commit.
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40
+Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core
+CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: usb_hub_wq hub_event
+[<8010ff84>] (unwind_backtrace) from [<8010bb64>] (show_stack+0x10/0x14)
+[<8010bb64>] (show_stack) from [<80840278>] (dump_stack+0x88/0x9c)
+[<80840278>] (dump_stack) from [<8011f5ec>] (__warn+0xfc/0x114)
+[<8011f5ec>] (__warn) from [<8011f71c>] (warn_slowpath_null+0x40/0x48)
+[<8011f71c>] (warn_slowpath_null) from [<805a476c>] (brcmu_pkt_buf_free_skb+0x3c/0x40)
+[<805a476c>] (brcmu_pkt_buf_free_skb) from [<805bb6c4>] (brcmf_fws_cleanup+0x1e4/0x22c)
+[<805bb6c4>] (brcmf_fws_cleanup) from [<805bc854>] (brcmf_fws_del_interface+0x58/0x68)
+[<805bc854>] (brcmf_fws_del_interface) from [<805b66ac>] (brcmf_remove_interface+0x40/0x150)
+[<805b66ac>] (brcmf_remove_interface) from [<805b6870>] (brcmf_detach+0x6c/0xb0)
+[<805b6870>] (brcmf_detach) from [<805bdbb8>] (brcmf_usb_disconnect+0x30/0x4c)
+[<805bdbb8>] (brcmf_usb_disconnect) from [<805e5d64>] (usb_unbind_interface+0x5c/0x1e0)
+[<805e5d64>] (usb_unbind_interface) from [<804aab10>] (device_release_driver_internal+0x154/0x1ec)
+[<804aab10>] (device_release_driver_internal) from [<804a97f4>] (bus_remove_device+0xcc/0xf8)
+[<804a97f4>] (bus_remove_device) from [<804a6fc0>] (device_del+0x118/0x308)
+[<804a6fc0>] (device_del) from [<805e488c>] (usb_disable_device+0xa0/0x1c8)
+[<805e488c>] (usb_disable_device) from [<805dcf98>] (usb_disconnect+0x70/0x1d8)
+[<805dcf98>] (usb_disconnect) from [<805ddd84>] (hub_event+0x464/0xf50)
+[<805ddd84>] (hub_event) from [<80135a70>] (process_one_work+0x138/0x3f8)
+[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
+[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
+[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
+Exception stack(0xecf8dfb0 to 0xecf8dff8)
+dfa0: 00000000 00000000 00000000 00000000
+dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+---[ end trace 38d234018e9e2a90 ]---
+------------[ cut here ]------------
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmfmac/fwsignal.c | 42 +++++++++++--------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+index f59642b2c935a..2370060ef980a 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -579,24 +579,6 @@ static bool brcmf_fws_ifidx_match(struct sk_buff *skb, void *arg)
+ return ifidx == *(int *)arg;
+ }
+
+-static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
+- int ifidx)
+-{
+- bool (*matchfn)(struct sk_buff *, void *) = NULL;
+- struct sk_buff *skb;
+- int prec;
+-
+- if (ifidx != -1)
+- matchfn = brcmf_fws_ifidx_match;
+- for (prec = 0; prec < q->num_prec; prec++) {
+- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
+- while (skb) {
+- brcmu_pkt_buf_free_skb(skb);
+- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
+- }
+- }
+-}
+-
+ static void brcmf_fws_hanger_init(struct brcmf_fws_hanger *hanger)
+ {
+ int i;
+@@ -668,6 +650,28 @@ static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h,
+ return 0;
+ }
+
++static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
++ int ifidx)
++{
++ bool (*matchfn)(struct sk_buff *, void *) = NULL;
++ struct sk_buff *skb;
++ int prec;
++ u32 hslot;
++
++ if (ifidx != -1)
++ matchfn = brcmf_fws_ifidx_match;
++ for (prec = 0; prec < q->num_prec; prec++) {
++ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
++ while (skb) {
++ hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT);
++ brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb,
++ true);
++ brcmu_pkt_buf_free_skb(skb);
++ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
++ }
++ }
++}
++
+ static int brcmf_fws_hanger_mark_suppressed(struct brcmf_fws_hanger *h,
+ u32 slot_id)
+ {
+@@ -2168,6 +2172,8 @@ void brcmf_fws_del_interface(struct brcmf_if *ifp)
+ brcmf_fws_lock(fws);
+ ifp->fws_desc = NULL;
+ brcmf_dbg(TRACE, "deleting %s\n", entry->name);
++ brcmf_fws_macdesc_cleanup(fws, &fws->desc.iface[ifp->ifidx],
++ ifp->ifidx);
+ brcmf_fws_macdesc_deinit(entry);
+ brcmf_fws_cleanup(fws, ifp->ifidx);
+ brcmf_fws_unlock(fws);
+--
+2.20.1
+
--- /dev/null
+From 88399b6abc07be1fcf487b7d3c87f16c7f2c9931 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 26 Feb 2019 16:33:56 +0800
+Subject: btrfs: Don't panic when we can't find a root key
+
+[ Upstream commit 7ac1e464c4d473b517bb784f30d40da1f842482e ]
+
+When we failed to find a root key in btrfs_update_root(), we just panic.
+
+That's definitely not cool, fix it by outputting an unique error
+message, aborting current transaction and return -EUCLEAN. This should
+not normally happen as the root has been used by the callers in some
+way.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/root-tree.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
+index a44519b1897fe..7bae7cff150e9 100644
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -148,11 +148,14 @@ int btrfs_update_root(struct btrfs_trans_handle *trans, struct btrfs_root
+ if (ret < 0)
+ goto out;
+
+- if (ret != 0) {
+- btrfs_print_leaf(path->nodes[0]);
+- btrfs_crit(fs_info, "unable to update root key %llu %u %llu",
+- key->objectid, key->type, key->offset);
+- BUG_ON(1);
++ if (ret > 0) {
++ btrfs_crit(fs_info,
++ "unable to find root key (%llu %u %llu) in tree %llu",
++ key->objectid, key->type, key->offset,
++ root->root_key.objectid);
++ ret = -EUCLEAN;
++ btrfs_abort_transaction(trans, ret);
++ goto out;
+ }
+
+ l = path->nodes[0];
+--
+2.20.1
+
--- /dev/null
+From d6ba58b51853232fef0f5df3c84cd1f0cca824f8 Mon Sep 17 00:00:00 2001
+From: Robbie Ko <robbieko@synology.com>
+Date: Tue, 26 Mar 2019 11:56:11 +0800
+Subject: Btrfs: fix data bytes_may_use underflow with fallocate due to failed
+ quota reserve
+
+[ Upstream commit 39ad317315887c2cb9a4347a93a8859326ddf136 ]
+
+When doing fallocate, we first add the range to the reserve_list and
+then reserve the quota. If quota reservation fails, we'll release all
+reserved parts of reserve_list.
+
+However, cur_offset is not updated to indicate that this range is
+already been inserted into the list. Therefore, the same range is freed
+twice. Once at list_for_each_entry loop, and once at the end of the
+function. This will result in WARN_ON on bytes_may_use when we free the
+remaining space.
+
+At the end, under the 'out' label we have a call to:
+
+ btrfs_free_reserved_data_space(inode, data_reserved, alloc_start, alloc_end - cur_offset);
+
+The start offset, third argument, should be cur_offset.
+
+Everything from alloc_start to cur_offset was freed by the
+list_for_each_entry_safe_loop.
+
+Fixes: 18513091af94 ("btrfs: update btrfs_space_info's bytes_may_use timely")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Robbie Ko <robbieko@synology.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index 821001138c296..97958ecaeed9d 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2976,6 +2976,7 @@ static long btrfs_fallocate(struct file *file, int mode,
+ ret = btrfs_qgroup_reserve_data(inode, &data_reserved,
+ cur_offset, last_byte - cur_offset);
+ if (ret < 0) {
++ cur_offset = last_byte;
+ free_extent_map(em);
+ break;
+ }
+@@ -3046,7 +3047,7 @@ static long btrfs_fallocate(struct file *file, int mode,
+ /* Let go of our reservation. */
+ if (ret != 0)
+ btrfs_free_reserved_data_space(inode, data_reserved,
+- alloc_start, alloc_end - cur_offset);
++ cur_offset, alloc_end - cur_offset);
+ extent_changeset_free(data_reserved);
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 6685ff5a7fefd048021fbe8490d53a7702a2cc49 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 25 Feb 2019 11:14:45 -0500
+Subject: btrfs: fix panic during relocation after ENOSPC before writeback
+ happens
+
+[ Upstream commit ff612ba7849964b1898fd3ccd1f56941129c6aab ]
+
+We've been seeing the following sporadically throughout our fleet
+
+panic: kernel BUG at fs/btrfs/relocation.c:4584!
+netversion: 5.0-0
+Backtrace:
+ #0 [ffffc90003adb880] machine_kexec at ffffffff81041da8
+ #1 [ffffc90003adb8c8] __crash_kexec at ffffffff8110396c
+ #2 [ffffc90003adb988] crash_kexec at ffffffff811048ad
+ #3 [ffffc90003adb9a0] oops_end at ffffffff8101c19a
+ #4 [ffffc90003adb9c0] do_trap at ffffffff81019114
+ #5 [ffffc90003adba00] do_error_trap at ffffffff810195d0
+ #6 [ffffc90003adbab0] invalid_op at ffffffff81a00a9b
+ [exception RIP: btrfs_reloc_cow_block+692]
+ RIP: ffffffff8143b614 RSP: ffffc90003adbb68 RFLAGS: 00010246
+ RAX: fffffffffffffff7 RBX: ffff8806b9c32000 RCX: ffff8806aad00690
+ RDX: ffff880850b295e0 RSI: ffff8806b9c32000 RDI: ffff88084f205bd0
+ RBP: ffff880849415000 R8: ffffc90003adbbe0 R9: ffff88085ac90000
+ R10: ffff8805f7369140 R11: 0000000000000000 R12: ffff880850b295e0
+ R13: ffff88084f205bd0 R14: 0000000000000000 R15: 0000000000000000
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #7 [ffffc90003adbbb0] __btrfs_cow_block at ffffffff813bf1cd
+ #8 [ffffc90003adbc28] btrfs_cow_block at ffffffff813bf4b3
+ #9 [ffffc90003adbc78] btrfs_search_slot at ffffffff813c2e6c
+
+The way relocation moves data extents is by creating a reloc inode and
+preallocating extents in this inode and then copying the data into these
+preallocated extents. Once we've done this for all of our extents,
+we'll write out these dirty pages, which marks the extent written, and
+goes into btrfs_reloc_cow_block(). From here we get our current
+reloc_control, which _should_ match the reloc_control for the current
+block group we're relocating.
+
+However if we get an ENOSPC in this path at some point we'll bail out,
+never initiating writeback on this inode. Not a huge deal, unless we
+happen to be doing relocation on a different block group, and this block
+group is now rc->stage == UPDATE_DATA_PTRS. This trips the BUG_ON() in
+btrfs_reloc_cow_block(), because we expect to be done modifying the data
+inode. We are in fact done modifying the metadata for the data inode
+we're currently using, but not the one from the failed block group, and
+thus we BUG_ON().
+
+(This happens when writeback finishes for extents from the previous
+group, when we are at btrfs_finish_ordered_io() which updates the data
+reloc tree (inode item, drops/adds extent items, etc).)
+
+Fix this by writing out the reloc data inode always, and then breaking
+out of the loop after that point to keep from tripping this BUG_ON()
+later.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+[ add note from Filipe ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/relocation.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 5feb8b03ffe86..9fa6db6a6f7d5 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -4403,27 +4403,36 @@ int btrfs_relocate_block_group(struct btrfs_fs_info *fs_info, u64 group_start)
+ mutex_lock(&fs_info->cleaner_mutex);
+ ret = relocate_block_group(rc);
+ mutex_unlock(&fs_info->cleaner_mutex);
+- if (ret < 0) {
++ if (ret < 0)
+ err = ret;
+- goto out;
+- }
+-
+- if (rc->extents_found == 0)
+- break;
+-
+- btrfs_info(fs_info, "found %llu extents", rc->extents_found);
+
++ /*
++ * We may have gotten ENOSPC after we already dirtied some
++ * extents. If writeout happens while we're relocating a
++ * different block group we could end up hitting the
++ * BUG_ON(rc->stage == UPDATE_DATA_PTRS) in
++ * btrfs_reloc_cow_block. Make sure we write everything out
++ * properly so we don't trip over this problem, and then break
++ * out of the loop if we hit an error.
++ */
+ if (rc->stage == MOVE_DATA_EXTENTS && rc->found_file_extent) {
+ ret = btrfs_wait_ordered_range(rc->data_inode, 0,
+ (u64)-1);
+- if (ret) {
++ if (ret)
+ err = ret;
+- goto out;
+- }
+ invalidate_mapping_pages(rc->data_inode->i_mapping,
+ 0, -1);
+ rc->stage = UPDATE_DATA_PTRS;
+ }
++
++ if (err < 0)
++ goto out;
++
++ if (rc->extents_found == 0)
++ break;
++
++ btrfs_info(fs_info, "found %llu extents", rc->extents_found);
++
+ }
+
+ WARN_ON(rc->block_group->pinned > 0);
+--
+2.20.1
+
--- /dev/null
+From b7fcee5f1f629cacfba749e723bbd29a62f1fdca Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 19 Apr 2019 10:03:03 -0700
+Subject: cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock
+
+[ Upstream commit 4dcabece4c3a9f9522127be12cc12cc120399b2f ]
+
+The number of descendant cgroups and the number of dying
+descendant cgroups are currently synchronized using the cgroup_mutex.
+
+The number of descendant cgroups will be required by the cgroup v2
+freezer, which will use it to determine if a cgroup is frozen
+(depending on total number of descendants and number of frozen
+descendants). It's not always acceptable to grab the cgroup_mutex,
+especially from quite hot paths (e.g. exit()).
+
+To avoid this, let's additionally synchronize these counters using
+the css_set_lock.
+
+So, it's safe to read these counters with either cgroup_mutex or
+css_set_lock locked, and for changing both locks should be acquired.
+
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: kernel-team@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/cgroup-defs.h | 5 +++++
+ kernel/cgroup/cgroup.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
+index 93a2469a9130c..eb396f71285f7 100644
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -287,6 +287,11 @@ struct cgroup {
+ * Dying cgroups are cgroups which were deleted by a user,
+ * but are still existing because someone else is holding a reference.
+ * max_descendants is a maximum allowed number of descent cgroups.
++ *
++ * nr_descendants and nr_dying_descendants are protected
++ * by cgroup_mutex and css_set_lock. It's fine to read them holding
++ * any of cgroup_mutex and css_set_lock; for writing both locks
++ * should be held.
+ */
+ int nr_descendants;
+ int nr_dying_descendants;
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 694b1cc8d144e..d30a51da94e2f 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -4546,9 +4546,11 @@ static void css_release_work_fn(struct work_struct *work)
+ /* cgroup release path */
+ trace_cgroup_release(cgrp);
+
++ spin_lock_irq(&css_set_lock);
+ for (tcgrp = cgroup_parent(cgrp); tcgrp;
+ tcgrp = cgroup_parent(tcgrp))
+ tcgrp->nr_dying_descendants--;
++ spin_unlock_irq(&css_set_lock);
+
+ cgroup_idr_remove(&cgrp->root->cgroup_idr, cgrp->id);
+ cgrp->id = -1;
+@@ -4745,12 +4747,14 @@ static struct cgroup *cgroup_create(struct cgroup *parent)
+ cgrp->root = root;
+ cgrp->level = level;
+
++ spin_lock_irq(&css_set_lock);
+ for (tcgrp = cgrp; tcgrp; tcgrp = cgroup_parent(tcgrp)) {
+ cgrp->ancestor_ids[tcgrp->level] = tcgrp->id;
+
+ if (tcgrp != cgrp)
+ tcgrp->nr_descendants++;
+ }
++ spin_unlock_irq(&css_set_lock);
+
+ if (notify_on_release(parent))
+ set_bit(CGRP_NOTIFY_ON_RELEASE, &cgrp->flags);
+@@ -5033,10 +5037,12 @@ static int cgroup_destroy_locked(struct cgroup *cgrp)
+ if (parent && cgroup_is_threaded(cgrp))
+ parent->nr_threaded_children--;
+
++ spin_lock_irq(&css_set_lock);
+ for (tcgrp = cgroup_parent(cgrp); tcgrp; tcgrp = cgroup_parent(tcgrp)) {
+ tcgrp->nr_descendants--;
+ tcgrp->nr_dying_descendants++;
+ }
++ spin_unlock_irq(&css_set_lock);
+
+ cgroup1_check_for_release(parent);
+
+--
+2.20.1
+
--- /dev/null
+From 5714537470c537526a5ec13a05baeb4fbf37b20e Mon Sep 17 00:00:00 2001
+From: Chengguang Xu <cgxu519@gmx.com>
+Date: Fri, 15 Feb 2019 20:27:11 +0800
+Subject: chardev: add additional check for minor range overlap
+
+[ Upstream commit de36e16d1557a0b6eb328bc3516359a12ba5c25c ]
+
+Current overlap checking cannot correctly handle
+a case which is baseminor < existing baseminor &&
+baseminor + minorct > existing baseminor + minorct.
+
+Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/char_dev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/char_dev.c b/fs/char_dev.c
+index a65e4a56318ca..20ce45c7c57c7 100644
+--- a/fs/char_dev.c
++++ b/fs/char_dev.c
+@@ -159,6 +159,12 @@ __register_chrdev_region(unsigned int major, unsigned int baseminor,
+ ret = -EBUSY;
+ goto out;
+ }
++
++ if (new_min < old_min && new_max > old_max) {
++ ret = -EBUSY;
++ goto out;
++ }
++
+ }
+
+ cd->next = *cp;
+--
+2.20.1
+
--- /dev/null
+From dcbb74d698d7f2b066778df50b0e0399d45fcee8 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 11 Apr 2019 06:55:55 -0700
+Subject: clk: rockchip: Fix video codec clocks on rk3288
+
+[ Upstream commit 00c0cd9e59d265b393553e9afa54fee8b10e8158 ]
+
+It appears that there is a typo in the rk3288 TRM. For
+GRF_SOC_CON0[7] it says that 0 means "vepu" and 1 means "vdpu". It's
+the other way around.
+
+How do I know? Here's my evidence:
+
+1. Prior to commit 4d3e84f99628 ("clk: rockchip: describe aclk_vcodec
+ using the new muxgrf type on rk3288") we always pretended that we
+ were using "aclk_vdpu" and the comment in the code said that this
+ matched the default setting in the system. In fact the default
+ setting is 0 according to the TRM and according to reading memory
+ at bootup. In addition rk3288-based Chromebooks ran like this and
+ the video codecs worked.
+2. With the existing clock code if you boot up and try to enable the
+ new VIDEO_ROCKCHIP_VPU as a module (and without "clk_ignore_unused"
+ on the command line), you get errors like "failed to get ack on
+ domain 'pd_video', val=0x80208". After flipping vepu/vdpu things
+ init OK.
+3. If I export and add both the vepu and vdpu to the list of clocks
+ for RK3288_PD_VIDEO I can get past the power domain errors, but now
+ I freeze when the vpu_mmu gets initted.
+4. If I just mark the "vdpu" as IGNORE_UNUSED then everything boots up
+ and probes OK showing that somehow the "vdpu" was important to keep
+ enabled. This is because we were actually using it as a parent.
+5. After this change I can hack "aclk_vcodec_pre" to parent from
+ "aclk_vepu" using assigned-clocks and the video codec still probes
+ OK.
+6. Rockchip has said so on the mailing list [1].
+
+...so let's fix it.
+
+Let's also add CLK_SET_RATE_PARENT to "aclk_vcodec_pre" as suggested
+by Jonas Karlman. Prior to the same commit you could do
+clk_set_rate() on "aclk_vcodec" and it would change "aclk_vdpu".
+That's because "aclk_vcodec" was a simple gate clock (always gets
+CLK_SET_RATE_PARENT) and its direct parent was "aclk_vdpu". After
+that commit "aclk_vcodec_pre" gets in the way so we need to add
+CLK_SET_RATE_PARENT to it too.
+
+[1] https://lkml.kernel.org/r/1d17b015-9e17-34b9-baf8-c285dc1957aa@rock-chips.com
+
+Fixes: 4d3e84f99628 ("clk: rockchip: describe aclk_vcodec using the new muxgrf type on rk3288")
+Suggested-by: Jonas Karlman <jonas@kwiboo.se>
+Suggested-by: Randy Li <ayaka@soulik.info>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3288.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index 45cd2897e586b..c6cd6d28af56f 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -198,7 +198,7 @@ PNAME(mux_hsadcout_p) = { "hsadc_src", "ext_hsadc" };
+ PNAME(mux_edp_24m_p) = { "ext_edp_24m", "xin24m" };
+ PNAME(mux_tspout_p) = { "cpll", "gpll", "npll", "xin27m" };
+
+-PNAME(mux_aclk_vcodec_pre_p) = { "aclk_vepu", "aclk_vdpu" };
++PNAME(mux_aclk_vcodec_pre_p) = { "aclk_vdpu", "aclk_vepu" };
+ PNAME(mux_usbphy480m_p) = { "sclk_otgphy1_480m", "sclk_otgphy2_480m",
+ "sclk_otgphy0_480m" };
+ PNAME(mux_hsicphy480m_p) = { "cpll", "gpll", "usbphy480m_src" };
+@@ -399,7 +399,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ COMPOSITE(0, "aclk_vdpu", mux_pll_src_cpll_gpll_usb480m_p, 0,
+ RK3288_CLKSEL_CON(32), 14, 2, MFLAGS, 8, 5, DFLAGS,
+ RK3288_CLKGATE_CON(3), 11, GFLAGS),
+- MUXGRF(0, "aclk_vcodec_pre", mux_aclk_vcodec_pre_p, 0,
++ MUXGRF(0, "aclk_vcodec_pre", mux_aclk_vcodec_pre_p, CLK_SET_RATE_PARENT,
+ RK3288_GRF_SOC_CON(0), 7, 1, MFLAGS),
+ GATE(ACLK_VCODEC, "aclk_vcodec", "aclk_vcodec_pre", 0,
+ RK3288_CLKGATE_CON(9), 0, GFLAGS),
+--
+2.20.1
+
--- /dev/null
+From 534dede0e38d5e949fbd3c2e2cdf0fd158666ef6 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 9 Apr 2019 13:47:06 -0700
+Subject: clk: rockchip: Make rkpwm a critical clock on rk3288
+
+[ Upstream commit dfe7fb21cd9e730230d55a79bc72cf2ece67cdd5 ]
+
+Most rk3288-based boards are derived from the EVB and thus use a PWM
+regulator for the logic rail. However, most rk3288-based boards don't
+specify the PWM regulator in their device tree. We'll deal with that
+by making it critical.
+
+NOTE: it's important to make it critical and not just IGNORE_UNUSED
+because all PWMs in the system share the same clock. We don't want
+another PWM user to turn the clock on and off and kill the logic rail.
+
+This change is in preparation for actually having the PWMs in the
+rk3288 device tree actually point to the proper PWM clock. Up until
+now they've all pointed to the clock for the old IP block and they've
+all worked due to the fact that rkpwm was IGNORE_UNUSED and that the
+clock rates for both clocks were the same.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3288.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index c6cd6d28af56f..64191694ff6e9 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -676,7 +676,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ GATE(PCLK_TZPC, "pclk_tzpc", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 3, GFLAGS),
+ GATE(PCLK_UART2, "pclk_uart2", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 9, GFLAGS),
+ GATE(PCLK_EFUSE256, "pclk_efuse_256", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 10, GFLAGS),
+- GATE(PCLK_RKPWM, "pclk_rkpwm", "pclk_cpu", CLK_IGNORE_UNUSED, RK3288_CLKGATE_CON(11), 11, GFLAGS),
++ GATE(PCLK_RKPWM, "pclk_rkpwm", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 11, GFLAGS),
+
+ /* ddrctrl [DDR Controller PHY clock] gates */
+ GATE(0, "nclk_ddrupctl0", "ddrphy", CLK_IGNORE_UNUSED, RK3288_CLKGATE_CON(11), 4, GFLAGS),
+@@ -817,6 +817,8 @@ static const char *const rk3288_critical_clocks[] __initconst = {
+ "pclk_pd_pmu",
+ "pclk_pmu_niu",
+ "pmu_hclk_otg0",
++ /* pwm-regulators on some boards, so handoff-critical later */
++ "pclk_rkpwm",
+ };
+
+ static void __iomem *rk3288_cru_base;
+--
+2.20.1
+
--- /dev/null
+From ceebbeccd3fcea53bea4446a69fd94fa0abff708 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 12 Apr 2019 09:17:47 -0700
+Subject: clk: rockchip: undo several noc and special clocks as critical on
+ rk3288
+
+[ Upstream commit f4033db5b84ebe4b32c25ba2ed65ab20b628996a ]
+
+This is mostly a revert of commit 55bb6a633c33 ("clk: rockchip: mark
+noc and some special clk as critical on rk3288") except that we're
+keeping "pmu_hclk_otg0" as critical still.
+
+NOTE: turning these clocks off doesn't seem to do a whole lot in terms
+of power savings (checking the power on the logic rail). It appears
+to save maybe 1-2mW. ...but still it seems like we should turn the
+clocks off if they aren't needed.
+
+About "pmu_hclk_otg0" (the one clock from the original commit we're
+still keeping critical) from an email thread:
+
+> pmu ahb clock
+>
+> Function: Clock to pmu module when hibernation and/or ADP is
+> enabled. Must be greater than or equal to 30 MHz.
+>
+> If the SOC design does not support hibernation/ADP function, only have
+> hclk_otg, this clk can be switched according to the usage of otg.
+> If the SOC design support hibernation/ADP, has two clocks, hclk_otg and
+> pmu_hclk_otg0.
+> Hclk_otg belongs to the closed part of otg logic, which can be switched
+> according to the use of otg.
+>
+> pmu_hclk_otg0 belongs to the always on part.
+>
+> As for whether pmu_hclk_otg0 can be turned off when otg is not in use,
+> we have not tested. IC suggest make pmu_hclk_otg0 always on.
+
+For the rest of the clocks:
+
+atclk: No documentation about this clock other than that it goes to
+the CPU. CPU functions fine without it on. Maybe needed for JTAG?
+
+jtag: Presumably this clock is only needed if you're debugging with
+JTAG. It doesn't seem like it makes sense to waste power for every
+rk3288 user. In any case to do JTAG you'd need private patches to
+adjust the pinctrl the mux the JTAG out anyway.
+
+pclk_dbg, pclk_core_niu: On veyron Chromebooks we turn these two
+clocks on only during kernel panics in order to access some coresight
+registers. Since nothing in the upstream kernel does this we should
+be able to leave them off safely. Maybe also needed for JTAG?
+
+hsicphy12m_xin12m: There is no indication of why this clock would need
+to be turned on for boards that don't use HSIC.
+
+pclk_ddrupctl[0-1], pclk_publ0[0-1]: On veyron Chromebooks we turn
+these 4 clocks on only when doing DDR transitions and they are off
+otherwise. I see no reason why they'd need to be on in the upstream
+kernel which doesn't support DDRFreq.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Elaine Zhang <zhangqing@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3288.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index 450de24a1b422..45cd2897e586b 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -292,13 +292,13 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ COMPOSITE_NOMUX(0, "aclk_core_mp", "armclk", CLK_IGNORE_UNUSED,
+ RK3288_CLKSEL_CON(0), 4, 4, DFLAGS | CLK_DIVIDER_READ_ONLY,
+ RK3288_CLKGATE_CON(12), 6, GFLAGS),
+- COMPOSITE_NOMUX(0, "atclk", "armclk", CLK_IGNORE_UNUSED,
++ COMPOSITE_NOMUX(0, "atclk", "armclk", 0,
+ RK3288_CLKSEL_CON(37), 4, 5, DFLAGS | CLK_DIVIDER_READ_ONLY,
+ RK3288_CLKGATE_CON(12), 7, GFLAGS),
+ COMPOSITE_NOMUX(0, "pclk_dbg_pre", "armclk", CLK_IGNORE_UNUSED,
+ RK3288_CLKSEL_CON(37), 9, 5, DFLAGS | CLK_DIVIDER_READ_ONLY,
+ RK3288_CLKGATE_CON(12), 8, GFLAGS),
+- GATE(0, "pclk_dbg", "pclk_dbg_pre", CLK_IGNORE_UNUSED,
++ GATE(0, "pclk_dbg", "pclk_dbg_pre", 0,
+ RK3288_CLKGATE_CON(12), 9, GFLAGS),
+ GATE(0, "cs_dbg", "pclk_dbg_pre", CLK_IGNORE_UNUSED,
+ RK3288_CLKGATE_CON(12), 10, GFLAGS),
+@@ -626,7 +626,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ INVERTER(SCLK_HSADC, "sclk_hsadc", "sclk_hsadc_out",
+ RK3288_CLKSEL_CON(22), 7, IFLAGS),
+
+- GATE(0, "jtag", "ext_jtag", CLK_IGNORE_UNUSED,
++ GATE(0, "jtag", "ext_jtag", 0,
+ RK3288_CLKGATE_CON(4), 14, GFLAGS),
+
+ COMPOSITE_NODIV(SCLK_USBPHY480M_SRC, "usbphy480m_src", mux_usbphy480m_p, 0,
+@@ -635,7 +635,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ COMPOSITE_NODIV(SCLK_HSICPHY480M, "sclk_hsicphy480m", mux_hsicphy480m_p, 0,
+ RK3288_CLKSEL_CON(29), 0, 2, MFLAGS,
+ RK3288_CLKGATE_CON(3), 6, GFLAGS),
+- GATE(0, "hsicphy12m_xin12m", "xin12m", CLK_IGNORE_UNUSED,
++ GATE(0, "hsicphy12m_xin12m", "xin12m", 0,
+ RK3288_CLKGATE_CON(13), 9, GFLAGS),
+ DIV(0, "hsicphy12m_usbphy", "sclk_hsicphy480m", 0,
+ RK3288_CLKSEL_CON(11), 8, 6, DFLAGS),
+@@ -816,11 +816,6 @@ static const char *const rk3288_critical_clocks[] __initconst = {
+ "pclk_alive_niu",
+ "pclk_pd_pmu",
+ "pclk_pmu_niu",
+- "pclk_core_niu",
+- "pclk_ddrupctl0",
+- "pclk_publ0",
+- "pclk_ddrupctl1",
+- "pclk_publ1",
+ "pmu_hclk_otg0",
+ };
+
+--
+2.20.1
+
--- /dev/null
+From df5aa7fb115464bacb2d6b8a0861e12edb645b36 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:50 +0800
+Subject: cpufreq: kirkwood: fix possible object reference leak
+
+[ Upstream commit 7c468966f05ac9c17bb5948275283d34e6fe0660 ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/kirkwood-cpufreq.c:127:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 118, but without a corresponding object release within this function.
+./drivers/cpufreq/kirkwood-cpufreq.c:133:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 118, but without a corresponding object release within this function.
+
+and also do some cleanup:
+- of_node_put(np);
+- np = NULL;
+...
+of_node_put(np);
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/kirkwood-cpufreq.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/cpufreq/kirkwood-cpufreq.c b/drivers/cpufreq/kirkwood-cpufreq.c
+index c2dd43f3f5d8a..8d63a6dc8383c 100644
+--- a/drivers/cpufreq/kirkwood-cpufreq.c
++++ b/drivers/cpufreq/kirkwood-cpufreq.c
+@@ -124,13 +124,14 @@ static int kirkwood_cpufreq_probe(struct platform_device *pdev)
+ priv.cpu_clk = of_clk_get_by_name(np, "cpu_clk");
+ if (IS_ERR(priv.cpu_clk)) {
+ dev_err(priv.dev, "Unable to get cpuclk\n");
+- return PTR_ERR(priv.cpu_clk);
++ err = PTR_ERR(priv.cpu_clk);
++ goto out_node;
+ }
+
+ err = clk_prepare_enable(priv.cpu_clk);
+ if (err) {
+ dev_err(priv.dev, "Unable to prepare cpuclk\n");
+- return err;
++ goto out_node;
+ }
+
+ kirkwood_freq_table[0].frequency = clk_get_rate(priv.cpu_clk) / 1000;
+@@ -161,20 +162,22 @@ static int kirkwood_cpufreq_probe(struct platform_device *pdev)
+ goto out_ddr;
+ }
+
+- of_node_put(np);
+- np = NULL;
+-
+ err = cpufreq_register_driver(&kirkwood_cpufreq_driver);
+- if (!err)
+- return 0;
++ if (err) {
++ dev_err(priv.dev, "Failed to register cpufreq driver\n");
++ goto out_powersave;
++ }
+
+- dev_err(priv.dev, "Failed to register cpufreq driver\n");
++ of_node_put(np);
++ return 0;
+
++out_powersave:
+ clk_disable_unprepare(priv.powersave_clk);
+ out_ddr:
+ clk_disable_unprepare(priv.ddr_clk);
+ out_cpu:
+ clk_disable_unprepare(priv.cpu_clk);
++out_node:
+ of_node_put(np);
+
+ return err;
+--
+2.20.1
+
--- /dev/null
+From aacd19b238472e5229e92512ca5c50af70835950 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:52 +0800
+Subject: cpufreq/pasemi: fix possible object reference leak
+
+[ Upstream commit a9acc26b75f652f697e02a9febe2ab0da648a571 ]
+
+The call to of_get_cpu_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/pasemi-cpufreq.c:212:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function.
+./drivers/cpufreq/pasemi-cpufreq.c:220:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/pasemi-cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
+index b257fc7d52041..8456492124f0c 100644
+--- a/drivers/cpufreq/pasemi-cpufreq.c
++++ b/drivers/cpufreq/pasemi-cpufreq.c
+@@ -146,6 +146,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
+
+ cpu = of_get_cpu_node(policy->cpu, NULL);
+
++ of_node_put(cpu);
+ if (!cpu)
+ goto out;
+
+--
+2.20.1
+
--- /dev/null
+From 2e802912d1982e7e6a6304544da8c58158f43b67 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:53 +0800
+Subject: cpufreq: pmac32: fix possible object reference leak
+
+[ Upstream commit 8d10dc28a9ea6e8c02e825dab28699f3c72b02d9 ]
+
+The call to of_find_node_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/pmac32-cpufreq.c:557:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function.
+./drivers/cpufreq/pmac32-cpufreq.c:569:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function.
+./drivers/cpufreq/pmac32-cpufreq.c:598:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 587, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linux-pm@vger.kernel.org
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/pmac32-cpufreq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/cpufreq/pmac32-cpufreq.c b/drivers/cpufreq/pmac32-cpufreq.c
+index 61ae06ca008e7..e225edb5c3593 100644
+--- a/drivers/cpufreq/pmac32-cpufreq.c
++++ b/drivers/cpufreq/pmac32-cpufreq.c
+@@ -552,6 +552,7 @@ static int pmac_cpufreq_init_7447A(struct device_node *cpunode)
+ volt_gpio_np = of_find_node_by_name(NULL, "cpu-vcore-select");
+ if (volt_gpio_np)
+ voltage_gpio = read_gpio(volt_gpio_np);
++ of_node_put(volt_gpio_np);
+ if (!voltage_gpio){
+ pr_err("missing cpu-vcore-select gpio\n");
+ return 1;
+@@ -588,6 +589,7 @@ static int pmac_cpufreq_init_750FX(struct device_node *cpunode)
+ if (volt_gpio_np)
+ voltage_gpio = read_gpio(volt_gpio_np);
+
++ of_node_put(volt_gpio_np);
+ pvr = mfspr(SPRN_PVR);
+ has_cpu_l2lve = !((pvr & 0xf00) == 0x100);
+
+--
+2.20.1
+
--- /dev/null
+From 34cf5b379e1a13dd4456d7ee2a08d695baeccb4a Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:54 +0800
+Subject: cpufreq: ppc_cbe: fix possible object reference leak
+
+[ Upstream commit 233298032803f2802fe99892d0de4ab653bfece4 ]
+
+The call to of_get_cpu_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function.
+./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/ppc_cbe_cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/ppc_cbe_cpufreq.c b/drivers/cpufreq/ppc_cbe_cpufreq.c
+index 5a4c5a639f618..2eaeebcc93afe 100644
+--- a/drivers/cpufreq/ppc_cbe_cpufreq.c
++++ b/drivers/cpufreq/ppc_cbe_cpufreq.c
+@@ -86,6 +86,7 @@ static int cbe_cpufreq_cpu_init(struct cpufreq_policy *policy)
+ if (!cbe_get_cpu_pmd_regs(policy->cpu) ||
+ !cbe_get_cpu_mic_tm_regs(policy->cpu)) {
+ pr_info("invalid CBE regs pointers for cpufreq\n");
++ of_node_put(cpu);
+ return -EINVAL;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 290e8bdf8786083d1b1a6738dda16636d3858589 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe.montjoie@gmail.com>
+Date: Thu, 18 Apr 2019 10:17:34 +0200
+Subject: crypto: sun4i-ss - Fix invalid calculation of hash end
+
+[ Upstream commit f87391558acf816b48f325a493d81d45dec40da0 ]
+
+When nbytes < 4, end is wronlgy set to a negative value which, due to
+uint, is then interpreted to a large value leading to a deadlock in the
+following code.
+
+This patch fix this problem.
+
+Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
+index a4b5ff2b72f87..f6936bb3b7be4 100644
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
+@@ -240,7 +240,10 @@ static int sun4i_hash(struct ahash_request *areq)
+ }
+ } else {
+ /* Since we have the flag final, we can go up to modulo 4 */
+- end = ((areq->nbytes + op->len) / 4) * 4 - op->len;
++ if (areq->nbytes < 4)
++ end = 0;
++ else
++ end = ((areq->nbytes + op->len) / 4) * 4 - op->len;
+ }
+
+ /* TODO if SGlen % 4 and !op->len then DMA */
+--
+2.20.1
+
--- /dev/null
+From e505ca4eaa604c132a4304e9431b782e418018b7 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 29 Mar 2019 10:27:26 -0500
+Subject: cxgb3/l2t: Fix undefined behaviour
+
+[ Upstream commit 76497732932f15e7323dc805e8ea8dc11bb587cf ]
+
+The use of zero-sized array causes undefined behaviour when it is not
+the last member in a structure. As it happens to be in this case.
+
+Also, the current code makes use of a language extension to the C90
+standard, but the preferred mechanism to declare variable-length
+types such as this one is a flexible array member, introduced in
+C99:
+
+struct foo {
+ int stuff;
+ struct boo array[];
+};
+
+By making use of the mechanism above, we will get a compiler warning
+in case the flexible array does not occur last. Which is beneficial
+to cultivate a high-quality code.
+
+Fixes: e48f129c2f20 ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+index c2fd323c40782..ea75f275023ff 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
++++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+@@ -75,8 +75,8 @@ struct l2t_data {
+ struct l2t_entry *rover; /* starting point for next allocation */
+ atomic_t nfree; /* number of free entries */
+ rwlock_t lock;
+- struct l2t_entry l2tab[0];
+ struct rcu_head rcu_head; /* to handle rcu cleanup */
++ struct l2t_entry l2tab[];
+ };
+
+ typedef void (*arp_failure_handler_func)(struct t3cdev * dev,
+--
+2.20.1
+
--- /dev/null
+From dd6303abf45381a69697ec02f5dacc78dfdbd2f5 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 6 May 2019 23:57:54 +0800
+Subject: cxgb4: Fix error path in cxgb4_init_module
+
+[ Upstream commit a3147770bea76c8dbad73eca3a24c2118da5e719 ]
+
+BUG: unable to handle kernel paging request at ffffffffa016a270
+PGD 3270067 P4D 3270067 PUD 3271063 PMD 230bbd067 PTE 0
+Oops: 0000 [#1
+CPU: 0 PID: 6134 Comm: modprobe Not tainted 5.1.0+ #33
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+RIP: 0010:atomic_notifier_chain_register+0x24/0x60
+Code: 1f 80 00 00 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 fb e8 ae b4 38 01 48 8b 53 38 48 8d 4b 38 48 85 d2 74 20 45 8b 44 24 10 <44> 3b 42 10 7e 08 eb 13 44 39 42 10 7c 0d 48 8d 4a 08 48 8b 52 08
+RSP: 0018:ffffc90000e2bc60 EFLAGS: 00010086
+RAX: 0000000000000292 RBX: ffffffff83467240 RCX: ffffffff83467278
+RDX: ffffffffa016a260 RSI: ffffffff83752140 RDI: ffffffff83467240
+RBP: ffffc90000e2bc70 R08: 0000000000000000 R09: 0000000000000001
+R10: 0000000000000000 R11: 00000000014fa61f R12: ffffffffa01c8260
+R13: ffff888231091e00 R14: 0000000000000000 R15: ffffc90000e2be78
+FS: 00007fbd8d7cd540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa016a270 CR3: 000000022c7e3000 CR4: 00000000000006f0
+Call Trace:
+ register_inet6addr_notifier+0x13/0x20
+ cxgb4_init_module+0x6c/0x1000 [cxgb4
+ ? 0xffffffffa01d7000
+ do_one_initcall+0x6c/0x3cc
+ ? do_init_module+0x22/0x1f1
+ ? rcu_read_lock_sched_held+0x97/0xb0
+ ? kmem_cache_alloc_trace+0x325/0x3b0
+ do_init_module+0x5b/0x1f1
+ load_module+0x1db1/0x2690
+ ? m_show+0x1d0/0x1d0
+ __do_sys_finit_module+0xc5/0xd0
+ __x64_sys_finit_module+0x15/0x20
+ do_syscall_64+0x6b/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+If pci_register_driver fails, register inet6addr_notifier is
+pointless. This patch fix the error path in cxgb4_init_module.
+
+Fixes: b5a02f503caa ("cxgb4 : Update ipv6 address handling api")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+index 74a42f12064b6..0e13989608f19 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -5399,15 +5399,24 @@ static int __init cxgb4_init_module(void)
+
+ ret = pci_register_driver(&cxgb4_driver);
+ if (ret < 0)
+- debugfs_remove(cxgb4_debugfs_root);
++ goto err_pci;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (!inet6addr_registered) {
+- register_inet6addr_notifier(&cxgb4_inet6addr_notifier);
+- inet6addr_registered = true;
++ ret = register_inet6addr_notifier(&cxgb4_inet6addr_notifier);
++ if (ret)
++ pci_unregister_driver(&cxgb4_driver);
++ else
++ inet6addr_registered = true;
+ }
+ #endif
+
++ if (ret == 0)
++ return ret;
++
++err_pci:
++ debugfs_remove(cxgb4_debugfs_root);
++
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From d215c8b89d8df3dbbf8c89e6d1e3615f1cef2183 Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+Date: Wed, 3 Apr 2019 12:23:57 +0200
+Subject: dmaengine: at_xdmac: remove BUG_ON macro in tasklet
+
+[ Upstream commit e2c114c06da2d9ffad5b16690abf008d6696f689 ]
+
+Even if this case shouldn't happen when controller is properly programmed,
+it's still better to avoid dumping a kernel Oops for this.
+As the sequence may happen only for debugging purposes, log the error and
+just finish the tasklet call.
+
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index 4db2cd1c611de..22764cd30cc39 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -1606,7 +1606,11 @@ static void at_xdmac_tasklet(unsigned long data)
+ struct at_xdmac_desc,
+ xfer_node);
+ dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, desc);
+- BUG_ON(!desc->active_xfer);
++ if (!desc->active_xfer) {
++ dev_err(chan2dev(&atchan->chan), "Xfer not active: exiting");
++ spin_unlock_bh(&atchan->lock);
++ return;
++ }
+
+ txd = &desc->tx_dma_desc;
+
+--
+2.20.1
+
--- /dev/null
+From 7f9d3984e9eea1c5f644e34435d58c3188e8277b Mon Sep 17 00:00:00 2001
+From: Sugar Zhang <sugar.zhang@rock-chips.com>
+Date: Wed, 3 Apr 2019 19:06:22 +0800
+Subject: dmaengine: pl330: _stop: clear interrupt status
+
+[ Upstream commit 2da254cc7908105a60a6bb219d18e8dced03dcb9 ]
+
+This patch kill instructs the DMAC to immediately terminate
+execution of a thread. and then clear the interrupt status,
+at last, stop generating interrupts for DMA_SEV. to guarantee
+the next dma start is clean. otherwise, one interrupt maybe leave
+to next start and make some mistake.
+
+we can reporduce the problem as follows:
+
+DMASEV: modify the event-interrupt resource, and if the INTEN sets
+function as interrupt, the DMAC will set irq<event_num> HIGH to
+generate interrupt. write INTCLR to clear interrupt.
+
+ DMA EXECUTING INSTRUCTS DMA TERMINATE
+ | |
+ | |
+ ... _stop
+ | |
+ | spin_lock_irqsave
+ DMASEV |
+ | |
+ | mask INTEN
+ | |
+ | DMAKILL
+ | |
+ | spin_unlock_irqrestore
+
+in above case, a interrupt was left, and if we unmask INTEN, the DMAC
+will set irq<event_num> HIGH to generate interrupt.
+
+to fix this, do as follows:
+
+ DMA EXECUTING INSTRUCTS DMA TERMINATE
+ | |
+ | |
+ ... _stop
+ | |
+ | spin_lock_irqsave
+ DMASEV |
+ | |
+ | DMAKILL
+ | |
+ | clear INTCLR
+ | mask INTEN
+ | |
+ | spin_unlock_irqrestore
+
+Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pl330.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index 6afd42cfbf5d5..b4fa555a243f9 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -960,6 +960,7 @@ static void _stop(struct pl330_thread *thrd)
+ {
+ void __iomem *regs = thrd->dmac->base;
+ u8 insn[6] = {0, 0, 0, 0, 0, 0};
++ u32 inten = readl(regs + INTEN);
+
+ if (_state(thrd) == PL330_STATE_FAULT_COMPLETING)
+ UNTIL(thrd, PL330_STATE_FAULTING | PL330_STATE_KILLING);
+@@ -972,10 +973,13 @@ static void _stop(struct pl330_thread *thrd)
+
+ _emit_KILL(0, insn);
+
+- /* Stop generating interrupts for SEV */
+- writel(readl(regs + INTEN) & ~(1 << thrd->ev), regs + INTEN);
+-
+ _execute_DBGINSN(thrd, insn, is_manager(thrd));
++
++ /* clear the event */
++ if (inten & (1 << thrd->ev))
++ writel(1 << thrd->ev, regs + INTCLR);
++ /* Stop generating interrupts for SEV */
++ writel(inten & ~(1 << thrd->ev), regs + INTEN);
+ }
+
+ /* Start doing req 'idx' of thread 'thrd' */
+--
+2.20.1
+
--- /dev/null
+From 6c67dd58e20de4b1ffcb4090b8f1c082076a1186 Mon Sep 17 00:00:00 2001
+From: Sameer Pujar <spujar@nvidia.com>
+Date: Wed, 13 Mar 2019 17:02:36 +0530
+Subject: dmaengine: tegra210-adma: use devm_clk_*() helpers
+
+[ Upstream commit f6ed6491d565c336a360471e0c29228e34f4380e ]
+
+adma driver is using pm_clk_*() interface for managing clock resources.
+With this it is observed that clocks remain ON always. This happens on
+Tegra devices which use BPMP co-processor to manage clock resources,
+where clocks are enabled during prepare phase. This is necessary because
+clocks to BPMP are always blocking. When pm_clk_*() interface is used on
+such Tegra devices, clock prepare count is not balanced till remove call
+happens for the driver and hence clocks are seen ON always. Thus this
+patch replaces pm_clk_*() with devm_clk_*() framework.
+
+Suggested-by: Mohan Kumar D <mkumard@nvidia.com>
+Reviewed-by: Jonathan Hunter <jonathanh@nvidia.com>
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index 08b10274284a8..09b6756366c30 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -22,7 +22,6 @@
+ #include <linux/of_device.h>
+ #include <linux/of_dma.h>
+ #include <linux/of_irq.h>
+-#include <linux/pm_clock.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/slab.h>
+
+@@ -141,6 +140,7 @@ struct tegra_adma {
+ struct dma_device dma_dev;
+ struct device *dev;
+ void __iomem *base_addr;
++ struct clk *ahub_clk;
+ unsigned int nr_channels;
+ unsigned long rx_requests_reserved;
+ unsigned long tx_requests_reserved;
+@@ -637,8 +637,9 @@ static int tegra_adma_runtime_suspend(struct device *dev)
+ struct tegra_adma *tdma = dev_get_drvdata(dev);
+
+ tdma->global_cmd = tdma_read(tdma, ADMA_GLOBAL_CMD);
++ clk_disable_unprepare(tdma->ahub_clk);
+
+- return pm_clk_suspend(dev);
++ return 0;
+ }
+
+ static int tegra_adma_runtime_resume(struct device *dev)
+@@ -646,10 +647,11 @@ static int tegra_adma_runtime_resume(struct device *dev)
+ struct tegra_adma *tdma = dev_get_drvdata(dev);
+ int ret;
+
+- ret = pm_clk_resume(dev);
+- if (ret)
++ ret = clk_prepare_enable(tdma->ahub_clk);
++ if (ret) {
++ dev_err(dev, "ahub clk_enable failed: %d\n", ret);
+ return ret;
+-
++ }
+ tdma_write(tdma, ADMA_GLOBAL_CMD, tdma->global_cmd);
+
+ return 0;
+@@ -692,13 +694,11 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ if (IS_ERR(tdma->base_addr))
+ return PTR_ERR(tdma->base_addr);
+
+- ret = pm_clk_create(&pdev->dev);
+- if (ret)
+- return ret;
+-
+- ret = of_pm_clk_add_clk(&pdev->dev, "d_audio");
+- if (ret)
+- goto clk_destroy;
++ tdma->ahub_clk = devm_clk_get(&pdev->dev, "d_audio");
++ if (IS_ERR(tdma->ahub_clk)) {
++ dev_err(&pdev->dev, "Error: Missing ahub controller clock\n");
++ return PTR_ERR(tdma->ahub_clk);
++ }
+
+ pm_runtime_enable(&pdev->dev);
+
+@@ -775,8 +775,6 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ pm_runtime_put_sync(&pdev->dev);
+ rpm_disable:
+ pm_runtime_disable(&pdev->dev);
+-clk_destroy:
+- pm_clk_destroy(&pdev->dev);
+
+ return ret;
+ }
+@@ -794,7 +792,6 @@ static int tegra_adma_remove(struct platform_device *pdev)
+
+ pm_runtime_put_sync(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+- pm_clk_destroy(&pdev->dev);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From a5ca611edd38b11762374f38db649105061fc35a Mon Sep 17 00:00:00 2001
+From: Sameer Pujar <spujar@nvidia.com>
+Date: Thu, 2 May 2019 18:25:16 +0530
+Subject: dmaengine: tegra210-dma: free dma controller in remove()
+
+[ Upstream commit f030e419501cb95e961e9ed35c493b5d46a04eca ]
+
+Following kernel panic is seen during DMA driver unload->load sequence
+==========================================================================
+Unable to handle kernel paging request at virtual address ffffff8001198880
+Internal error: Oops: 86000007 [#1] PREEMPT SMP
+CPU: 0 PID: 5907 Comm: HwBinder:4123_1 Tainted: G C 4.9.128-tegra-g065839f
+Hardware name: galen (DT)
+task: ffffffc3590d1a80 task.stack: ffffffc3d0678000
+PC is at 0xffffff8001198880
+LR is at of_dma_request_slave_channel+0xd8/0x1f8
+pc : [<ffffff8001198880>] lr : [<ffffff8008746f30>] pstate: 60400045
+sp : ffffffc3d067b710
+x29: ffffffc3d067b710 x28: 000000000000002f
+x27: ffffff800949e000 x26: ffffff800949e750
+x25: ffffff800949e000 x24: ffffffbefe817d84
+x23: ffffff8009f77cb0 x22: 0000000000000028
+x21: ffffffc3ffda49c8 x20: 0000000000000029
+x19: 0000000000000001 x18: ffffffffffffffff
+x17: 0000000000000000 x16: ffffff80082b66a0
+x15: ffffff8009e78250 x14: 000000000000000a
+x13: 0000000000000038 x12: 0101010101010101
+x11: 0000000000000030 x10: 0101010101010101
+x9 : fffffffffffffffc x8 : 7f7f7f7f7f7f7f7f
+x7 : 62ff726b6b64622c x6 : 0000000000008064
+x5 : 6400000000000000 x4 : ffffffbefe817c44
+x3 : ffffffc3ffda3e08 x2 : ffffff8001198880
+x1 : ffffffc3d48323c0 x0 : ffffffc3d067b788
+
+Process HwBinder:4123_1 (pid: 5907, stack limit = 0xffffffc3d0678028)
+Call trace:
+[<ffffff8001198880>] 0xffffff8001198880
+[<ffffff80087459f8>] dma_request_chan+0x50/0x1f0
+[<ffffff8008745bc0>] dma_request_slave_channel+0x28/0x40
+[<ffffff8001552c44>] tegra_alt_pcm_open+0x114/0x170
+[<ffffff8008d65fa4>] soc_pcm_open+0x10c/0x878
+[<ffffff8008d18618>] snd_pcm_open_substream+0xc0/0x170
+[<ffffff8008d1878c>] snd_pcm_open+0xc4/0x240
+[<ffffff8008d189e0>] snd_pcm_playback_open+0x58/0x80
+[<ffffff8008cfc6d4>] snd_open+0xb4/0x178
+[<ffffff8008250628>] chrdev_open+0xb8/0x1d0
+[<ffffff8008246fdc>] do_dentry_open+0x214/0x318
+[<ffffff80082485d0>] vfs_open+0x58/0x88
+[<ffffff800825bce0>] do_last+0x450/0xde0
+[<ffffff800825c718>] path_openat+0xa8/0x368
+[<ffffff800825dd84>] do_filp_open+0x8c/0x110
+[<ffffff8008248a74>] do_sys_open+0x164/0x220
+[<ffffff80082b66dc>] compat_SyS_openat+0x3c/0x50
+[<ffffff8008083040>] el0_svc_naked+0x34/0x38
+---[ end trace 67e6d544e65b5145 ]---
+Kernel panic - not syncing: Fatal exception
+==========================================================================
+
+In device probe(), of_dma_controller_register() registers DMA controller.
+But when driver is removed, this is not freed. During driver reload this
+results in data abort and kernel panic. Add of_dma_controller_free() in
+driver remove path to fix the issue.
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index b26256f23d67f..08b10274284a8 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -786,6 +786,7 @@ static int tegra_adma_remove(struct platform_device *pdev)
+ struct tegra_adma *tdma = platform_get_drvdata(pdev);
+ int i;
+
++ of_dma_controller_free(pdev->dev.of_node);
+ dma_async_device_unregister(&tdma->dma_dev);
+
+ for (i = 0; i < tdma->nr_channels; ++i)
+--
+2.20.1
+
--- /dev/null
+From c24e171129e3740f23a3ccfa4136bc0ff2b43f51 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Fri, 29 Mar 2019 19:30:23 +0100
+Subject: drm/amdgpu: fix old fence check in amdgpu_fence_emit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3d2aca8c8620346abdba96c6300d2c0b90a1d0cc ]
+
+We don't hold a reference to the old fence, so it can go away
+any time we are waiting for it to signal.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Chunming Zhou <david1.zhou@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 24 ++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+index 333bad7490678..415e9a384799e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+@@ -135,8 +135,9 @@ int amdgpu_fence_emit(struct amdgpu_ring *ring, struct dma_fence **f)
+ {
+ struct amdgpu_device *adev = ring->adev;
+ struct amdgpu_fence *fence;
+- struct dma_fence *old, **ptr;
++ struct dma_fence __rcu **ptr;
+ uint32_t seq;
++ int r;
+
+ fence = kmem_cache_alloc(amdgpu_fence_slab, GFP_KERNEL);
+ if (fence == NULL)
+@@ -152,15 +153,24 @@ int amdgpu_fence_emit(struct amdgpu_ring *ring, struct dma_fence **f)
+ seq, AMDGPU_FENCE_FLAG_INT);
+
+ ptr = &ring->fence_drv.fences[seq & ring->fence_drv.num_fences_mask];
++ if (unlikely(rcu_dereference_protected(*ptr, 1))) {
++ struct dma_fence *old;
++
++ rcu_read_lock();
++ old = dma_fence_get_rcu_safe(ptr);
++ rcu_read_unlock();
++
++ if (old) {
++ r = dma_fence_wait(old, false);
++ dma_fence_put(old);
++ if (r)
++ return r;
++ }
++ }
++
+ /* This function can't be called concurrently anyway, otherwise
+ * emitting the fence would mess up the hardware ring buffer.
+ */
+- old = rcu_dereference_protected(*ptr, 1);
+- if (old && !dma_fence_is_signaled(old)) {
+- DRM_INFO("rcu slot is busy\n");
+- dma_fence_wait(old, false);
+- }
+-
+ rcu_assign_pointer(*ptr, dma_fence_get(&fence->base));
+
+ *f = &fence->base;
+--
+2.20.1
+
--- /dev/null
+From 1ddbe7991036938ca4d15a6105e2c46f7f3ff2ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Mon, 25 Feb 2019 15:42:26 +0100
+Subject: drm/drv: Hold ref on parent device during drm_device lifetime
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 56be6503aab2bc3a30beae408071b9be5e1bae51 ]
+
+This makes it safe to access drm_device->dev after the parent device has
+been removed/unplugged.
+
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190225144232.20761-2-noralf@tronnes.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
+index a7b6734bc3c32..340440febf9a5 100644
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -505,7 +505,7 @@ int drm_dev_init(struct drm_device *dev,
+ }
+
+ kref_init(&dev->ref);
+- dev->dev = parent;
++ dev->dev = get_device(parent);
+ dev->driver = driver;
+
+ INIT_LIST_HEAD(&dev->filelist);
+@@ -572,6 +572,7 @@ int drm_dev_init(struct drm_device *dev,
+ drm_minor_free(dev, DRM_MINOR_CONTROL);
+ drm_fs_inode_free(dev->anon_inode);
+ err_free:
++ put_device(dev->dev);
+ mutex_destroy(&dev->master_mutex);
+ mutex_destroy(&dev->ctxlist_mutex);
+ mutex_destroy(&dev->filelist_mutex);
+@@ -607,6 +608,8 @@ void drm_dev_fini(struct drm_device *dev)
+ drm_minor_free(dev, DRM_MINOR_RENDER);
+ drm_minor_free(dev, DRM_MINOR_CONTROL);
+
++ put_device(dev->dev);
++
+ mutex_destroy(&dev->master_mutex);
+ mutex_destroy(&dev->ctxlist_mutex);
+ mutex_destroy(&dev->filelist_mutex);
+--
+2.20.1
+
--- /dev/null
+From 5af34f5fd4d8cefd3afbb002abadabd6e9de8724 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Thu, 4 Apr 2019 00:04:11 +0800
+Subject: drm/msm: a5xx: fix possible object reference leak
+
+[ Upstream commit 6cd5235c3135ea84b32469ea51b2aae384eda8af ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: Sean Paul <sean@poorly.run>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Jordan Crouse <jcrouse@codeaurora.org>
+Cc: Mamta Shukla <mamtashukla555@gmail.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Sharat Masetty <smasetty@codeaurora.org>
+Cc: linux-arm-msm@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: freedreno@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org (open list)
+Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index 17c59d839e6fa..f1aaa76cc2e4e 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -29,7 +29,7 @@ static void a5xx_dump(struct msm_gpu *gpu);
+ static int zap_shader_load_mdt(struct device *dev, const char *fwname)
+ {
+ const struct firmware *fw;
+- struct device_node *np;
++ struct device_node *np, *mem_np;
+ struct resource r;
+ phys_addr_t mem_phys;
+ ssize_t mem_size;
+@@ -43,11 +43,13 @@ static int zap_shader_load_mdt(struct device *dev, const char *fwname)
+ if (!np)
+ return -ENODEV;
+
+- np = of_parse_phandle(np, "memory-region", 0);
+- if (!np)
++ mem_np = of_parse_phandle(np, "memory-region", 0);
++ of_node_put(np);
++ if (!mem_np)
+ return -EINVAL;
+
+- ret = of_address_to_resource(np, 0, &r);
++ ret = of_address_to_resource(mem_np, 0, &r);
++ of_node_put(mem_np);
+ if (ret)
+ return ret;
+
+--
+2.20.1
+
--- /dev/null
+From e54856711003baaa505633de2ab80ffde1ddda28 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Fri, 4 Aug 2017 09:23:28 +0100
+Subject: drm: Wake up next in drm_read() chain if we are forced to putback the
+ event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 60b801999c48b6c1dd04e653a38e2e613664264e ]
+
+After an event is sent, we try to copy it into the user buffer of the
+first waiter in drm_read() and if the user buffer doesn't have enough
+room we put it back onto the list. However, we didn't wake up any
+subsequent waiter, so that event may sit on the list until either a new
+vblank event is sent or a new waiter appears. Rare, but in the worst
+case may lead to a stuck process.
+
+Testcase: igt/drm_read/short-buffer-wakeup
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170804082328.17173-1-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
+index 03244b3c985d7..3cf07f5063ff6 100644
+--- a/drivers/gpu/drm/drm_file.c
++++ b/drivers/gpu/drm/drm_file.c
+@@ -525,6 +525,7 @@ ssize_t drm_read(struct file *filp, char __user *buffer,
+ file_priv->event_space -= length;
+ list_add(&e->link, &file_priv->event_list);
+ spin_unlock_irq(&dev->event_lock);
++ wake_up_interruptible(&file_priv->event_wait);
+ break;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 8ec7e24d466f04d69fcd8ff2a62352db5b46577f Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Thu, 4 Apr 2019 17:33:56 +0100
+Subject: extcon: arizona: Disable mic detect if running when driver is removed
+
+[ Upstream commit 00053de52231117ddc154042549f2256183ffb86 ]
+
+Microphone detection provides the button detection features on the
+Arizona CODECs as such it will be running if the jack is currently
+inserted. If the driver is unbound whilst the jack is still inserted
+this will cause warnings from the regulator framework as the MICVDD
+regulator is put but was never disabled.
+
+Correct this by disabling microphone detection on driver removal and if
+the microphone detection was running disable the regulator and put the
+runtime reference that was currently held.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-arizona.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index f84da4a17724c..4937a404fee82 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -1726,6 +1726,16 @@ static int arizona_extcon_remove(struct platform_device *pdev)
+ struct arizona_extcon_info *info = platform_get_drvdata(pdev);
+ struct arizona *arizona = info->arizona;
+ int jack_irq_rise, jack_irq_fall;
++ bool change;
++
++ regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1,
++ ARIZONA_MICD_ENA, 0,
++ &change);
++
++ if (change) {
++ regulator_disable(info->micvdd);
++ pm_runtime_put(info->dev);
++ }
+
+ gpiod_put(info->micd_pol_gpio);
+
+--
+2.20.1
+
--- /dev/null
+From 8036a4af34a0ccbd173f7ece75e4a3ba2fdc7f07 Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Wed, 27 Mar 2019 17:09:17 +0000
+Subject: gfs2: Fix lru_count going negative
+
+[ Upstream commit 7881ef3f33bb80f459ea6020d1e021fc524a6348 ]
+
+Under certain conditions, lru_count may drop below zero resulting in
+a large amount of log spam like this:
+
+vmscan: shrink_slab: gfs2_dump_glock+0x3b0/0x630 [gfs2] \
+ negative objects to delete nr=-1
+
+This happens as follows:
+1) A glock is moved from lru_list to the dispose list and lru_count is
+ decremented.
+2) The dispose function calls cond_resched() and drops the lru lock.
+3) Another thread takes the lru lock and tries to add the same glock to
+ lru_list, checking if the glock is on an lru list.
+4) It is on a list (actually the dispose list) and so it avoids
+ incrementing lru_count.
+5) The glock is moved to lru_list.
+5) The original thread doesn't dispose it because it has been re-added
+ to the lru list but the lru_count has still decreased by one.
+
+Fix by checking if the LRU flag is set on the glock rather than checking
+if the glock is on some list and rearrange the code so that the LRU flag
+is added/removed precisely when the glock is added/removed from lru_list.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index d5284d0dbdb59..cd6a64478a026 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -183,15 +183,19 @@ static int demote_ok(const struct gfs2_glock *gl)
+
+ void gfs2_glock_add_to_lru(struct gfs2_glock *gl)
+ {
++ if (!(gl->gl_ops->go_flags & GLOF_LRU))
++ return;
++
+ spin_lock(&lru_lock);
+
+- if (!list_empty(&gl->gl_lru))
+- list_del_init(&gl->gl_lru);
+- else
++ list_del(&gl->gl_lru);
++ list_add_tail(&gl->gl_lru, &lru_list);
++
++ if (!test_bit(GLF_LRU, &gl->gl_flags)) {
++ set_bit(GLF_LRU, &gl->gl_flags);
+ atomic_inc(&lru_count);
++ }
+
+- list_add_tail(&gl->gl_lru, &lru_list);
+- set_bit(GLF_LRU, &gl->gl_flags);
+ spin_unlock(&lru_lock);
+ }
+
+@@ -201,7 +205,7 @@ static void gfs2_glock_remove_from_lru(struct gfs2_glock *gl)
+ return;
+
+ spin_lock(&lru_lock);
+- if (!list_empty(&gl->gl_lru)) {
++ if (test_bit(GLF_LRU, &gl->gl_flags)) {
+ list_del_init(&gl->gl_lru);
+ atomic_dec(&lru_count);
+ clear_bit(GLF_LRU, &gl->gl_flags);
+@@ -1158,8 +1162,7 @@ void gfs2_glock_dq(struct gfs2_holder *gh)
+ !test_bit(GLF_DEMOTE, &gl->gl_flags))
+ fast_path = 1;
+ }
+- if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl) &&
+- (glops->go_flags & GLOF_LRU))
++ if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl))
+ gfs2_glock_add_to_lru(gl);
+
+ trace_gfs2_glock_queue(gh, 0);
+@@ -1454,6 +1457,7 @@ __acquires(&lru_lock)
+ if (!spin_trylock(&gl->gl_lockref.lock)) {
+ add_back_to_lru:
+ list_add(&gl->gl_lru, &lru_list);
++ set_bit(GLF_LRU, &gl->gl_flags);
+ atomic_inc(&lru_count);
+ continue;
+ }
+@@ -1461,7 +1465,6 @@ __acquires(&lru_lock)
+ spin_unlock(&gl->gl_lockref.lock);
+ goto add_back_to_lru;
+ }
+- clear_bit(GLF_LRU, &gl->gl_flags);
+ gl->gl_lockref.count++;
+ if (demote_ok(gl))
+ handle_callback(gl, LM_ST_UNLOCKED, 0, false);
+@@ -1496,6 +1499,7 @@ static long gfs2_scan_glock_lru(int nr)
+ if (!test_bit(GLF_LOCK, &gl->gl_flags)) {
+ list_move(&gl->gl_lru, &dispose);
+ atomic_dec(&lru_count);
++ clear_bit(GLF_LRU, &gl->gl_flags);
+ freed++;
+ continue;
+ }
+--
+2.20.1
+
--- /dev/null
+From 02af600ca70e05cb4003fd73fccad19b02738729 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Thu, 4 Apr 2019 21:11:11 +0100
+Subject: gfs2: Fix occasional glock use-after-free
+
+[ Upstream commit 9287c6452d2b1f24ea8e84bd3cf6f3c6f267f712 ]
+
+This patch has to do with the life cycle of glocks and buffers. When
+gfs2 metadata or journaled data is queued to be written, a gfs2_bufdata
+object is assigned to track the buffer, and that is queued to various
+lists, including the glock's gl_ail_list to indicate it's on the active
+items list. Once the page associated with the buffer has been written,
+it is removed from the ail list, but its life isn't over until a revoke
+has been successfully written.
+
+So after the block is written, its bufdata object is moved from the
+glock's gl_ail_list to a file-system-wide list of pending revokes,
+sd_log_le_revoke. At that point the glock still needs to track how many
+revokes it contributed to that list (in gl_revokes) so that things like
+glock go_sync can ensure all the metadata has been not only written, but
+also revoked before the glock is granted to a different node. This is
+to guarantee journal replay doesn't replay the block once the glock has
+been granted to another node.
+
+Ross Lagerwall recently discovered a race in which an inode could be
+evicted, and its glock freed after its ail list had been synced, but
+while it still had unwritten revokes on the sd_log_le_revoke list. The
+evict decremented the glock reference count to zero, which allowed the
+glock to be freed. After the revoke was written, function
+revoke_lo_after_commit tried to adjust the glock's gl_revokes counter
+and clear its GLF_LFLUSH flag, at which time it referenced the freed
+glock.
+
+This patch fixes the problem by incrementing the glock reference count
+in gfs2_add_revoke when the glock's first bufdata object is moved from
+the glock to the global revokes list. Later, when the glock's last such
+bufdata object is freed, the reference count is decremented. This
+guarantees that whichever process finishes last (the revoke writing or
+the evict) will properly free the glock, and neither will reference the
+glock after it has been freed.
+
+Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 1 +
+ fs/gfs2/log.c | 3 ++-
+ fs/gfs2/lops.c | 6 ++++--
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index cd6a64478a026..aea1ed0aebd0f 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -140,6 +140,7 @@ void gfs2_glock_free(struct gfs2_glock *gl)
+ {
+ struct gfs2_sbd *sdp = gl->gl_name.ln_sbd;
+
++ BUG_ON(atomic_read(&gl->gl_revokes));
+ rhashtable_remove_fast(&gl_hash_table, &gl->gl_node, ht_parms);
+ smp_mb();
+ wake_up_glock(gl);
+diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
+index f72c442314062..483b82e2be923 100644
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -588,7 +588,8 @@ void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
+ bd->bd_bh = NULL;
+ bd->bd_ops = &gfs2_revoke_lops;
+ sdp->sd_log_num_revoke++;
+- atomic_inc(&gl->gl_revokes);
++ if (atomic_inc_return(&gl->gl_revokes) == 1)
++ gfs2_glock_hold(gl);
+ set_bit(GLF_LFLUSH, &gl->gl_flags);
+ list_add(&bd->bd_list, &sdp->sd_log_le_revoke);
+ }
+diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
+index c8ff7b7954f05..049f8c6721b4a 100644
+--- a/fs/gfs2/lops.c
++++ b/fs/gfs2/lops.c
+@@ -660,8 +660,10 @@ static void revoke_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
+ bd = list_entry(head->next, struct gfs2_bufdata, bd_list);
+ list_del_init(&bd->bd_list);
+ gl = bd->bd_gl;
+- atomic_dec(&gl->gl_revokes);
+- clear_bit(GLF_LFLUSH, &gl->gl_flags);
++ if (atomic_dec_return(&gl->gl_revokes) == 0) {
++ clear_bit(GLF_LFLUSH, &gl->gl_flags);
++ gfs2_glock_queue_put(gl);
++ }
+ kmem_cache_free(gfs2_bufdata_cachep, bd);
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 7cdcd2b6578e21f0de619a179f627433b706d47c Mon Sep 17 00:00:00 2001
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Date: Wed, 27 Mar 2019 11:18:48 +0100
+Subject: HID: core: move Usage Page concatenation to Main item
+
+[ Upstream commit 58e75155009cc800005629955d3482f36a1e0eec ]
+
+As seen on some USB wireless keyboards manufactured by Primax, the HID
+parser was using some assumptions that are not always true. In this case
+it's s the fact that, inside the scope of a main item, an Usage Page
+will always precede an Usage.
+
+The spec is not pretty clear as 6.2.2.7 states "Any usage that follows
+is interpreted as a Usage ID and concatenated with the Usage Page".
+While 6.2.2.8 states "When the parser encounters a main item it
+concatenates the last declared Usage Page with a Usage to form a
+complete usage value." Being somewhat contradictory it was decided to
+match Window's implementation, which follows 6.2.2.8.
+
+In summary, the patch moves the Usage Page concatenation from the local
+item parsing function to the main item parsing function.
+
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Reviewed-by: Terry Junge <terry.junge@poly.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 36 ++++++++++++++++++++++++------------
+ include/linux/hid.h | 1 +
+ 2 files changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index a306493e2e970..7c8049a5bd990 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -199,13 +199,14 @@ static unsigned hid_lookup_collection(struct hid_parser *parser, unsigned type)
+ * Add a usage to the temporary parser table.
+ */
+
+-static int hid_add_usage(struct hid_parser *parser, unsigned usage)
++static int hid_add_usage(struct hid_parser *parser, unsigned usage, u8 size)
+ {
+ if (parser->local.usage_index >= HID_MAX_USAGES) {
+ hid_err(parser->device, "usage index exceeded\n");
+ return -1;
+ }
+ parser->local.usage[parser->local.usage_index] = usage;
++ parser->local.usage_size[parser->local.usage_index] = size;
+ parser->local.collection_index[parser->local.usage_index] =
+ parser->collection_stack_ptr ?
+ parser->collection_stack[parser->collection_stack_ptr - 1] : 0;
+@@ -462,10 +463,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+- return hid_add_usage(parser, data);
++ return hid_add_usage(parser, data, item->size);
+
+ case HID_LOCAL_ITEM_TAG_USAGE_MINIMUM:
+
+@@ -474,9 +472,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+ parser->local.usage_minimum = data;
+ return 0;
+
+@@ -487,9 +482,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+ count = data - parser->local.usage_minimum;
+ if (count + parser->local.usage_index >= HID_MAX_USAGES) {
+ /*
+@@ -509,7 +501,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ }
+
+ for (n = parser->local.usage_minimum; n <= data; n++)
+- if (hid_add_usage(parser, n)) {
++ if (hid_add_usage(parser, n, item->size)) {
+ dbg_hid("hid_add_usage failed\n");
+ return -1;
+ }
+@@ -523,6 +515,22 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
++/*
++ * Concatenate Usage Pages into Usages where relevant:
++ * As per specification, 6.2.2.8: "When the parser encounters a main item it
++ * concatenates the last declared Usage Page with a Usage to form a complete
++ * usage value."
++ */
++
++static void hid_concatenate_usage_page(struct hid_parser *parser)
++{
++ int i;
++
++ for (i = 0; i < parser->local.usage_index; i++)
++ if (parser->local.usage_size[i] <= 2)
++ parser->local.usage[i] += parser->global.usage_page << 16;
++}
++
+ /*
+ * Process a main item.
+ */
+@@ -532,6 +540,8 @@ static int hid_parser_main(struct hid_parser *parser, struct hid_item *item)
+ __u32 data;
+ int ret;
+
++ hid_concatenate_usage_page(parser);
++
+ data = item_udata(item);
+
+ switch (item->tag) {
+@@ -741,6 +751,8 @@ static int hid_scan_main(struct hid_parser *parser, struct hid_item *item)
+ __u32 data;
+ int i;
+
++ hid_concatenate_usage_page(parser);
++
+ data = item_udata(item);
+
+ switch (item->tag) {
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 06e6e04e6c11c..3656a04d764ba 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -398,6 +398,7 @@ struct hid_global {
+
+ struct hid_local {
+ unsigned usage[HID_MAX_USAGES]; /* usage array */
++ u8 usage_size[HID_MAX_USAGES]; /* usage size array */
+ unsigned collection_index[HID_MAX_USAGES]; /* collection index array */
+ unsigned usage_index;
+ unsigned usage_minimum;
+--
+2.20.1
+
--- /dev/null
+From 79c6e1a8a7c762d5a48e53379ff347054b0bbd61 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 22 Mar 2019 08:41:40 +0100
+Subject: HID: logitech-hidpp: change low battery level threshold from 31 to 30
+ percent
+
+[ Upstream commit 1f87b0cd32b3456d7efdfb017fcf74d0bfe3ec29 ]
+
+According to hidpp20_batterylevel_get_battery_info my Logitech K270
+keyboard reports only 2 battery levels. This matches with what I've seen
+after testing with batteries at varying level of fullness, it always
+reports either 5% or 30%.
+
+Windows reports "battery good" for the 30% level. I've captured an USB
+trace of Windows reading the battery and it is getting the same info
+as the Linux hidpp code gets.
+
+Now that Linux handles these devices as hidpp devices, it reports the
+battery as being low as it treats anything under 31% as low, this leads
+to the user constantly getting a "Keyboard battery is low" warning from
+GNOME3, which is very annoying.
+
+This commit fixes this by changing the low threshold to anything under
+30%, which I assume is what Windows does.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index d209b12057d59..b705cbb58ca6b 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -910,7 +910,11 @@ static int hidpp_map_battery_level(int capacity)
+ {
+ if (capacity < 11)
+ return POWER_SUPPLY_CAPACITY_LEVEL_CRITICAL;
+- else if (capacity < 31)
++ /*
++ * The spec says this should be < 31 but some devices report 30
++ * with brand new batteries and Windows reports 30 as "Good".
++ */
++ else if (capacity < 30)
+ return POWER_SUPPLY_CAPACITY_LEVEL_LOW;
+ else if (capacity < 81)
+ return POWER_SUPPLY_CAPACITY_LEVEL_NORMAL;
+--
+2.20.1
+
--- /dev/null
+From bce2ef17c66498585b0c599a90f7bfe1207d86b7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 20 Apr 2019 13:22:10 +0200
+Subject: HID: logitech-hidpp: use RAP instead of FAP to get the protocol
+ version
+
+[ Upstream commit 096377525cdb8251e4656085efc988bdf733fb4c ]
+
+According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc:
+https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf
+
+We should use a register-access-protocol request using the short input /
+output report ids. This is necessary because 27MHz HID++ receivers have
+a max-packetsize on their HIP++ endpoint of 8, so they cannot support
+long reports. Using a feature-access-protocol request (which is always
+long or very-long) with these will cause a timeout error, followed by
+the hidpp driver treating the device as not being HID++ capable.
+
+This commit fixes this by switching to using a rap request to get the
+protocol version.
+
+Besides being tested with a (046d:c517) 27MHz receiver with various
+27MHz keyboards and mice, this has also been tested to not cause
+regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with
+k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver
+(046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index b83d4173fc7f5..d209b12057d59 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -725,13 +725,16 @@ static int hidpp_root_get_feature(struct hidpp_device *hidpp, u16 feature,
+
+ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
+ {
++ const u8 ping_byte = 0x5a;
++ u8 ping_data[3] = { 0, 0, ping_byte };
+ struct hidpp_report response;
+ int ret;
+
+- ret = hidpp_send_fap_command_sync(hidpp,
++ ret = hidpp_send_rap_command_sync(hidpp,
++ REPORT_ID_HIDPP_SHORT,
+ HIDPP_PAGE_ROOT_IDX,
+ CMD_ROOT_GET_PROTOCOL_VERSION,
+- NULL, 0, &response);
++ ping_data, sizeof(ping_data), &response);
+
+ if (ret == HIDPP_ERROR_INVALID_SUBID) {
+ hidpp->protocol_major = 1;
+@@ -751,8 +754,14 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
+ if (ret)
+ return ret;
+
+- hidpp->protocol_major = response.fap.params[0];
+- hidpp->protocol_minor = response.fap.params[1];
++ if (response.rap.params[2] != ping_byte) {
++ hid_err(hidpp->hid_dev, "%s: ping mismatch 0x%02x != 0x%02x\n",
++ __func__, response.rap.params[2], ping_byte);
++ return -EPROTO;
++ }
++
++ hidpp->protocol_major = response.rap.params[0];
++ hidpp->protocol_minor = response.rap.params[1];
+
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From c75e172f2b66555d235bee9d3247fc8f03af10cf Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 10:52:43 -0700
+Subject: hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 73e6ff71a7ea924fb7121d576a2d41e3be3fc6b5 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Unable to handle kernel paging request at virtual address ffffffbffee0002e
+pgd = ffffffc1d68d4000
+[ffffffbffee0002e] *pgd=0000000000000000, *pud=0000000000000000
+Internal error: Oops: 94000046 [#1] PREEMPT SMP
+Modules linked in: f71805f(+) hwmon
+CPU: 3 PID: 1659 Comm: insmod Not tainted 4.5.0+ #88
+Hardware name: linux,dummy-virt (DT)
+task: ffffffc1f6665400 ti: ffffffc1d6418000 task.ti: ffffffc1d6418000
+PC is at f71805f_find+0x6c/0x358 [f71805f]
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple
+drivers is synchronized.
+
+Fixes: e53004e20a58e ("hwmon: New f71805f driver")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/f71805f.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwmon/f71805f.c b/drivers/hwmon/f71805f.c
+index 73c681162653b..623736d2a7c1d 100644
+--- a/drivers/hwmon/f71805f.c
++++ b/drivers/hwmon/f71805f.c
+@@ -96,17 +96,23 @@ superio_select(int base, int ld)
+ outb(ld, base + 1);
+ }
+
+-static inline void
++static inline int
+ superio_enter(int base)
+ {
++ if (!request_muxed_region(base, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x87, base);
+ outb(0x87, base);
++
++ return 0;
+ }
+
+ static inline void
+ superio_exit(int base)
+ {
+ outb(0xaa, base);
++ release_region(base, 2);
+ }
+
+ /*
+@@ -1561,7 +1567,7 @@ static int __init f71805f_device_add(unsigned short address,
+ static int __init f71805f_find(int sioaddr, unsigned short *address,
+ struct f71805f_sio_data *sio_data)
+ {
+- int err = -ENODEV;
++ int err;
+ u16 devid;
+
+ static const char * const names[] = {
+@@ -1569,8 +1575,11 @@ static int __init f71805f_find(int sioaddr, unsigned short *address,
+ "F71872F/FG or F71806F/FG",
+ };
+
+- superio_enter(sioaddr);
++ err = superio_enter(sioaddr);
++ if (err)
++ return err;
+
++ err = -ENODEV;
+ devid = superio_inw(sioaddr, SIO_REG_MANID);
+ if (devid != SIO_FINTEK_ID)
+ goto exit;
+--
+2.20.1
+
--- /dev/null
+From b777ce46996092e464f6451143c9f2abc4a110b4 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:16:20 -0700
+Subject: hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 755a9b0f8aaa5639ba5671ca50080852babb89ce ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: ba224e2c4f0a7 ("hwmon: New PC87427 hardware monitoring driver")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pc87427.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/pc87427.c b/drivers/hwmon/pc87427.c
+index dc5a9d5ada516..81a05cd1a5121 100644
+--- a/drivers/hwmon/pc87427.c
++++ b/drivers/hwmon/pc87427.c
+@@ -106,6 +106,13 @@ static const char *logdev_str[2] = { DRVNAME " FMC", DRVNAME " HMC" };
+ #define LD_IN 1
+ #define LD_TEMP 1
+
++static inline int superio_enter(int sioaddr)
++{
++ if (!request_muxed_region(sioaddr, 2, DRVNAME))
++ return -EBUSY;
++ return 0;
++}
++
+ static inline void superio_outb(int sioaddr, int reg, int val)
+ {
+ outb(reg, sioaddr);
+@@ -122,6 +129,7 @@ static inline void superio_exit(int sioaddr)
+ {
+ outb(0x02, sioaddr);
+ outb(0x02, sioaddr + 1);
++ release_region(sioaddr, 2);
+ }
+
+ /*
+@@ -1220,7 +1228,11 @@ static int __init pc87427_find(int sioaddr, struct pc87427_sio_data *sio_data)
+ {
+ u16 val;
+ u8 cfg, cfg_b;
+- int i, err = 0;
++ int i, err;
++
++ err = superio_enter(sioaddr);
++ if (err)
++ return err;
+
+ /* Identify device */
+ val = force_id ? force_id : superio_inb(sioaddr, SIOREG_DEVID);
+--
+2.20.1
+
--- /dev/null
+From ab76e8d03c6d1d56d8f604cc4fe55409356028dc Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:22:42 -0700
+Subject: hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 8c0826756744c0ac1df600a5e4cca1a341b13101 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/smsc47b397.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/smsc47b397.c b/drivers/hwmon/smsc47b397.c
+index 6bd2007565603..cbdb5c4991ae3 100644
+--- a/drivers/hwmon/smsc47b397.c
++++ b/drivers/hwmon/smsc47b397.c
+@@ -72,14 +72,19 @@ static inline void superio_select(int ld)
+ superio_outb(0x07, ld);
+ }
+
+-static inline void superio_enter(void)
++static inline int superio_enter(void)
+ {
++ if (!request_muxed_region(REG, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x55, REG);
++ return 0;
+ }
+
+ static inline void superio_exit(void)
+ {
+ outb(0xAA, REG);
++ release_region(REG, 2);
+ }
+
+ #define SUPERIO_REG_DEVID 0x20
+@@ -300,8 +305,12 @@ static int __init smsc47b397_find(void)
+ u8 id, rev;
+ char *name;
+ unsigned short addr;
++ int err;
++
++ err = superio_enter();
++ if (err)
++ return err;
+
+- superio_enter();
+ id = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
+
+ switch (id) {
+--
+2.20.1
+
--- /dev/null
+From a0ccc640c7ca30326eb82f17c94fbc3a9cc23c2a Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:28:37 -0700
+Subject: hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit d6410408ad2a798c4cc685252c1baa713be0ad69 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/smsc47m1.c | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/hwmon/smsc47m1.c b/drivers/hwmon/smsc47m1.c
+index c7b6a425e2c02..5eeac9853d0ae 100644
+--- a/drivers/hwmon/smsc47m1.c
++++ b/drivers/hwmon/smsc47m1.c
+@@ -73,16 +73,21 @@ superio_inb(int reg)
+ /* logical device for fans is 0x0A */
+ #define superio_select() superio_outb(0x07, 0x0A)
+
+-static inline void
++static inline int
+ superio_enter(void)
+ {
++ if (!request_muxed_region(REG, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x55, REG);
++ return 0;
+ }
+
+ static inline void
+ superio_exit(void)
+ {
+ outb(0xAA, REG);
++ release_region(REG, 2);
+ }
+
+ #define SUPERIO_REG_ACT 0x30
+@@ -531,8 +536,12 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data)
+ {
+ u8 val;
+ unsigned short addr;
++ int err;
++
++ err = superio_enter();
++ if (err)
++ return err;
+
+- superio_enter();
+ val = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
+
+ /*
+@@ -608,13 +617,14 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data)
+ static void smsc47m1_restore(const struct smsc47m1_sio_data *sio_data)
+ {
+ if ((sio_data->activate & 0x01) == 0) {
+- superio_enter();
+- superio_select();
+-
+- pr_info("Disabling device\n");
+- superio_outb(SUPERIO_REG_ACT, sio_data->activate);
+-
+- superio_exit();
++ if (!superio_enter()) {
++ superio_select();
++ pr_info("Disabling device\n");
++ superio_outb(SUPERIO_REG_ACT, sio_data->activate);
++ superio_exit();
++ } else {
++ pr_warn("Failed to disable device\n");
++ }
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 73fa10b372aee8e2106b2de379754bc6a9d8abb7 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 5 Apr 2019 08:53:08 -0700
+Subject: hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 14b97ba5c20056102b3dd22696bf17b057e60976 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 2219cd81a6cd ("hwmon/vt1211: Add probing of alternate config index port")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/vt1211.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwmon/vt1211.c b/drivers/hwmon/vt1211.c
+index 3a6bfa51cb94f..95d5e8ec8b7fc 100644
+--- a/drivers/hwmon/vt1211.c
++++ b/drivers/hwmon/vt1211.c
+@@ -226,15 +226,21 @@ static inline void superio_select(int sio_cip, int ldn)
+ outb(ldn, sio_cip + 1);
+ }
+
+-static inline void superio_enter(int sio_cip)
++static inline int superio_enter(int sio_cip)
+ {
++ if (!request_muxed_region(sio_cip, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x87, sio_cip);
+ outb(0x87, sio_cip);
++
++ return 0;
+ }
+
+ static inline void superio_exit(int sio_cip)
+ {
+ outb(0xaa, sio_cip);
++ release_region(sio_cip, 2);
+ }
+
+ /* ---------------------------------------------------------------------
+@@ -1282,11 +1288,14 @@ static int __init vt1211_device_add(unsigned short address)
+
+ static int __init vt1211_find(int sio_cip, unsigned short *address)
+ {
+- int err = -ENODEV;
++ int err;
+ int devid;
+
+- superio_enter(sio_cip);
++ err = superio_enter(sio_cip);
++ if (err)
++ return err;
+
++ err = -ENODEV;
+ devid = force_id ? force_id : superio_inb(sio_cip, SIO_VT1211_DEVID);
+ if (devid != SIO_VT1211_ID)
+ goto EXIT;
+--
+2.20.1
+
--- /dev/null
+From c34200206ed142d48de3d4c2e164d5f3738388c0 Mon Sep 17 00:00:00 2001
+From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Date: Mon, 11 Mar 2019 11:58:57 +0100
+Subject: hwrng: omap - Set default quality
+
+[ Upstream commit 62f95ae805fa9e1e84d47d3219adddd97b2654b7 ]
+
+Newer combinations of the glibc, kernel and openssh can result in long initial
+startup times on OMAP devices:
+
+[ 6.671425] systemd-rc-once[102]: Creating ED25519 key; this may take some time ...
+[ 142.652491] systemd-rc-once[102]: Creating ED25519 key; done.
+
+due to the blocking getrandom(2) system call:
+
+[ 142.610335] random: crng init done
+
+Set the quality level for the omap hwrng driver allowing the kernel to use the
+hwrng as an entropy source at boot.
+
+Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/omap-rng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/hw_random/omap-rng.c b/drivers/char/hw_random/omap-rng.c
+index 74d11ae6abe9a..25173454efa32 100644
+--- a/drivers/char/hw_random/omap-rng.c
++++ b/drivers/char/hw_random/omap-rng.c
+@@ -442,6 +442,7 @@ static int omap_rng_probe(struct platform_device *pdev)
+ priv->rng.read = omap_rng_do_read;
+ priv->rng.init = omap_rng_init;
+ priv->rng.cleanup = omap_rng_cleanup;
++ priv->rng.quality = 900;
+
+ priv->rng.priv = (unsigned long)priv;
+ platform_set_drvdata(pdev, priv);
+--
+2.20.1
+
--- /dev/null
+From dbd3d0918f6ecc215bdd9d408759bfea4ab2b750 Mon Sep 17 00:00:00 2001
+From: Adam Ludkiewicz <adam.ludkiewicz@intel.com>
+Date: Wed, 6 Feb 2019 15:08:25 -0800
+Subject: i40e: Able to add up to 16 MAC filters on an untrusted VF
+
+[ Upstream commit 06b6e2a2333eb3581567a7ac43ca465ef45f4daa ]
+
+This patch fixes the problem with the driver being able to add only 7
+multicast MAC address filters instead of 16. The problem is fixed by
+changing the maximum number of MAC address filters to 16+1+1 (two extra
+are needed because the driver uses 1 for unicast MAC address and 1 for
+broadcast).
+
+Signed-off-by: Adam Ludkiewicz <adam.ludkiewicz@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 4a85a24ced1c8..bdb7523216000 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2029,8 +2029,10 @@ static int i40e_vc_get_stats_msg(struct i40e_vf *vf, u8 *msg, u16 msglen)
+ (u8 *)&stats, sizeof(stats));
+ }
+
+-/* If the VF is not trusted restrict the number of MAC/VLAN it can program */
+-#define I40E_VC_MAX_MAC_ADDR_PER_VF 12
++/* If the VF is not trusted restrict the number of MAC/VLAN it can program
++ * MAC filters: 16 for multicast, 1 for MAC, 1 for broadcast
++ */
++#define I40E_VC_MAX_MAC_ADDR_PER_VF (16 + 1 + 1)
+ #define I40E_VC_MAX_VLAN_PER_VF 8
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 9087a801084a401bb904c7954e389c35fb15ac11 Mon Sep 17 00:00:00 2001
+From: Nicholas Nunley <nicholas.d.nunley@intel.com>
+Date: Wed, 6 Feb 2019 15:08:17 -0800
+Subject: i40e: don't allow changes to HW VLAN stripping on active port VLANs
+
+[ Upstream commit bfb0ebed53857cfc57f11c63fa3689940d71c1c8 ]
+
+Modifying the VLAN stripping options when a port VLAN is configured
+will break traffic for the VSI, and conceptually doesn't make sense,
+so don't allow this.
+
+Signed-off-by: Nicholas Nunley <nicholas.d.nunley@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 5d47a51e74eb8..39029a12a2337 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2499,6 +2499,10 @@ void i40e_vlan_stripping_enable(struct i40e_vsi *vsi)
+ struct i40e_vsi_context ctxt;
+ i40e_status ret;
+
++ /* Don't modify stripping options if a port VLAN is active */
++ if (vsi->info.pvid)
++ return;
++
+ if ((vsi->info.valid_sections &
+ cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) &&
+ ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_MODE_MASK) == 0))
+@@ -2529,6 +2533,10 @@ void i40e_vlan_stripping_disable(struct i40e_vsi *vsi)
+ struct i40e_vsi_context ctxt;
+ i40e_status ret;
+
++ /* Don't modify stripping options if a port VLAN is active */
++ if (vsi->info.pvid)
++ return;
++
+ if ((vsi->info.valid_sections &
+ cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) &&
+ ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_EMOD_MASK) ==
+--
+2.20.1
+
--- /dev/null
+From 3fa60a1ae55f5673c499fadbe944cef4916e9286 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Mon, 18 Mar 2019 09:55:09 -0700
+Subject: IB/hfi1: Fix WQ_MEM_RECLAIM warning
+
+[ Upstream commit 4c4b1996b5db688e2dcb8242b0a3bf7b1e845e42 ]
+
+The work_item cancels that occur when a QP is destroyed can elicit the
+following trace:
+
+ workqueue: WQ_MEM_RECLAIM ipoib_wq:ipoib_cm_tx_reap [ib_ipoib] is flushing !WQ_MEM_RECLAIM hfi0_0:_hfi1_do_send [hfi1]
+ WARNING: CPU: 7 PID: 1403 at kernel/workqueue.c:2486 check_flush_dependency+0xb1/0x100
+ Call Trace:
+ __flush_work.isra.29+0x8c/0x1a0
+ ? __switch_to_asm+0x40/0x70
+ __cancel_work_timer+0x103/0x190
+ ? schedule+0x32/0x80
+ iowait_cancel_work+0x15/0x30 [hfi1]
+ rvt_reset_qp+0x1f8/0x3e0 [rdmavt]
+ rvt_destroy_qp+0x65/0x1f0 [rdmavt]
+ ? _cond_resched+0x15/0x30
+ ib_destroy_qp+0xe9/0x230 [ib_core]
+ ipoib_cm_tx_reap+0x21c/0x560 [ib_ipoib]
+ process_one_work+0x171/0x370
+ worker_thread+0x49/0x3f0
+ kthread+0xf8/0x130
+ ? max_active_store+0x80/0x80
+ ? kthread_bind+0x10/0x10
+ ret_from_fork+0x35/0x40
+
+Since QP destruction frees memory, hfi1_wq should have the WQ_MEM_RECLAIM.
+
+The hfi1_wq does not allocate memory with GFP_KERNEL or otherwise become
+entangled with memory reclaim, so this flag is appropriate.
+
+Fixes: 0a226edd203f ("staging/rdma/hfi1: Use parallel workqueue for SDMA engines")
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/init.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c
+index b7481701542e9..27e7de4c4a34b 100644
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -769,7 +769,8 @@ static int create_workqueues(struct hfi1_devdata *dd)
+ ppd->hfi1_wq =
+ alloc_workqueue(
+ "hfi%d_%d",
+- WQ_SYSFS | WQ_HIGHPRI | WQ_CPU_INTENSIVE,
++ WQ_SYSFS | WQ_HIGHPRI | WQ_CPU_INTENSIVE |
++ WQ_MEM_RECLAIM,
+ HFI1_MAX_ACTIVE_WORKQUEUE_ENTRIES,
+ dd->unit, pidx);
+ if (!ppd->hfi1_wq)
+--
+2.20.1
+
--- /dev/null
+From 2904efe7ca2947316132fbd8889369d4e4522fc9 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Tue, 19 Mar 2019 13:37:55 +0200
+Subject: iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
+
+[ Upstream commit df1d80aee963480c5c2938c64ec0ac3e4a0df2e0 ]
+
+For devices from the SigmaDelta family we need to keep CS low when doing a
+conversion, since the device will use the MISO line as a interrupt to
+indicate that the conversion is complete.
+
+This is why the driver locks the SPI bus and when the SPI bus is locked
+keeps as long as a conversion is going on. The current implementation gets
+one small detail wrong though. CS is only de-asserted after the SPI bus is
+unlocked. This means it is possible for a different SPI device on the same
+bus to send a message which would be wrongfully be addressed to the
+SigmaDelta device as well. Make sure that the last SPI transfer that is
+done while holding the SPI bus lock de-asserts the CS signal.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Alexandru Ardelean <Alexandru.Ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c | 16 +++++++++++-----
+ include/linux/iio/adc/ad_sigma_delta.h | 1 +
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
+index a1d072ecb7171..30f200ad6b978 100644
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -62,7 +62,7 @@ int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
+ struct spi_transfer t = {
+ .tx_buf = data,
+ .len = size + 1,
+- .cs_change = sigma_delta->bus_locked,
++ .cs_change = sigma_delta->keep_cs_asserted,
+ };
+ struct spi_message m;
+ int ret;
+@@ -217,6 +217,7 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
+ reinit_completion(&sigma_delta->completion);
+
+ ret = ad_sigma_delta_set_mode(sigma_delta, mode);
+@@ -234,9 +235,10 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+ ret = 0;
+ }
+ out:
++ sigma_delta->keep_cs_asserted = false;
++ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+ sigma_delta->bus_locked = false;
+ spi_bus_unlock(sigma_delta->spi->master);
+- ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+
+ return ret;
+ }
+@@ -288,6 +290,7 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
+ reinit_completion(&sigma_delta->completion);
+
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_SINGLE);
+@@ -297,9 +300,6 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ ret = wait_for_completion_interruptible_timeout(
+ &sigma_delta->completion, HZ);
+
+- sigma_delta->bus_locked = false;
+- spi_bus_unlock(sigma_delta->spi->master);
+-
+ if (ret == 0)
+ ret = -EIO;
+ if (ret < 0)
+@@ -315,7 +315,10 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ sigma_delta->irq_dis = true;
+ }
+
++ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
++ sigma_delta->bus_locked = false;
++ spi_bus_unlock(sigma_delta->spi->master);
+ mutex_unlock(&indio_dev->mlock);
+
+ if (ret)
+@@ -352,6 +355,8 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev)
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
++
+ ret = ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_CONTINUOUS);
+ if (ret)
+ goto err_unlock;
+@@ -380,6 +385,7 @@ static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
+ sigma_delta->irq_dis = true;
+ }
+
++ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+
+ sigma_delta->bus_locked = false;
+diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h
+index 1fc7abd28b0b0..7b7157c26d313 100644
+--- a/include/linux/iio/adc/ad_sigma_delta.h
++++ b/include/linux/iio/adc/ad_sigma_delta.h
+@@ -66,6 +66,7 @@ struct ad_sigma_delta {
+ bool irq_dis;
+
+ bool bus_locked;
++ bool keep_cs_asserted;
+
+ uint8_t comm;
+
+--
+2.20.1
+
--- /dev/null
+From cf9816e92a0cb907af559f68e91391bd4eff7cd3 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Thu, 7 Mar 2019 14:45:46 -0700
+Subject: iio: common: ssp_sensors: Initialize calculated_time in
+ ssp_common_process_data
+
+[ Upstream commit 6f9ca1d3eb74b81f811a87002de2d51640d135b1 ]
+
+When building with -Wsometimes-uninitialized, Clang warns:
+
+drivers/iio/common/ssp_sensors/ssp_iio.c:95:6: warning: variable
+'calculated_time' is used uninitialized whenever 'if' condition is false
+[-Wsometimes-uninitialized]
+
+While it isn't wrong, this will never be a problem because
+iio_push_to_buffers_with_timestamp only uses calculated_time
+on the same condition that it is assigned (when scan_timestamp
+is not zero). While iio_push_to_buffers_with_timestamp is marked
+as inline, Clang does inlining in the optimization stage, which
+happens after the semantic analysis phase (plus inline is merely
+a hint to the compiler).
+
+Fix this by just zero initializing calculated_time.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/394
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/common/ssp_sensors/ssp_iio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/common/ssp_sensors/ssp_iio.c b/drivers/iio/common/ssp_sensors/ssp_iio.c
+index 645f2e3975db4..e38f704d88b7e 100644
+--- a/drivers/iio/common/ssp_sensors/ssp_iio.c
++++ b/drivers/iio/common/ssp_sensors/ssp_iio.c
+@@ -81,7 +81,7 @@ int ssp_common_process_data(struct iio_dev *indio_dev, void *buf,
+ unsigned int len, int64_t timestamp)
+ {
+ __le32 time;
+- int64_t calculated_time;
++ int64_t calculated_time = 0;
+ struct ssp_sensor_data *spd = iio_priv(indio_dev);
+
+ if (indio_dev->scan_bytes == 0)
+--
+2.20.1
+
--- /dev/null
+From 78dc0a45b01fbae20e6c121655ab5395e9356d19 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 16 Mar 2019 17:08:33 -0500
+Subject: iio: hmc5843: fix potential NULL pointer dereferences
+
+[ Upstream commit 536cc27deade8f1ec3c1beefa60d5fbe0f6fcb28 ]
+
+devm_regmap_init_i2c may fail and return NULL. The fix returns
+the error when it fails.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/hmc5843_i2c.c | 7 ++++++-
+ drivers/iio/magnetometer/hmc5843_spi.c | 7 ++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/magnetometer/hmc5843_i2c.c b/drivers/iio/magnetometer/hmc5843_i2c.c
+index 3de7f4426ac40..86abba5827a25 100644
+--- a/drivers/iio/magnetometer/hmc5843_i2c.c
++++ b/drivers/iio/magnetometer/hmc5843_i2c.c
+@@ -58,8 +58,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config = {
+ static int hmc5843_i2c_probe(struct i2c_client *cli,
+ const struct i2c_device_id *id)
+ {
++ struct regmap *regmap = devm_regmap_init_i2c(cli,
++ &hmc5843_i2c_regmap_config);
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
++
+ return hmc5843_common_probe(&cli->dev,
+- devm_regmap_init_i2c(cli, &hmc5843_i2c_regmap_config),
++ regmap,
+ id->driver_data, id->name);
+ }
+
+diff --git a/drivers/iio/magnetometer/hmc5843_spi.c b/drivers/iio/magnetometer/hmc5843_spi.c
+index 535f03a70d630..79b2b707f90e7 100644
+--- a/drivers/iio/magnetometer/hmc5843_spi.c
++++ b/drivers/iio/magnetometer/hmc5843_spi.c
+@@ -58,6 +58,7 @@ static const struct regmap_config hmc5843_spi_regmap_config = {
+ static int hmc5843_spi_probe(struct spi_device *spi)
+ {
+ int ret;
++ struct regmap *regmap;
+ const struct spi_device_id *id = spi_get_device_id(spi);
+
+ spi->mode = SPI_MODE_3;
+@@ -67,8 +68,12 @@ static int hmc5843_spi_probe(struct spi_device *spi)
+ if (ret)
+ return ret;
+
++ regmap = devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config);
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
++
+ return hmc5843_common_probe(&spi->dev,
+- devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config),
++ regmap,
+ id->driver_data, id->name);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From a68d3e1dbd65ff3c3adfe0698b7489e875257c76 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 Mar 2019 10:31:11 +0100
+Subject: iwlwifi: pcie: don't crash on invalid RX interrupt
+
+[ Upstream commit 30f24eabab8cd801064c5c37589d803cb4341929 ]
+
+If for some reason the device gives us an RX interrupt before we're
+ready for it, perhaps during device power-on with misconfigured IRQ
+causes mapping or so, we can crash trying to access the queues.
+
+Prevent that by checking that we actually have RXQs and that they
+were properly allocated.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+index a40ad4675e19e..953e0254a94c1 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -1252,10 +1252,15 @@ static void iwl_pcie_rx_handle_rb(struct iwl_trans *trans,
+ static void iwl_pcie_rx_handle(struct iwl_trans *trans, int queue)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+- struct iwl_rxq *rxq = &trans_pcie->rxq[queue];
++ struct iwl_rxq *rxq;
+ u32 r, i, count = 0;
+ bool emergency = false;
+
++ if (WARN_ON_ONCE(!trans_pcie->rxq || !trans_pcie->rxq[queue].bd))
++ return;
++
++ rxq = &trans_pcie->rxq[queue];
++
+ restart:
+ spin_lock(&rxq->lock);
+ /* uCode's read index (stored in shared DRAM) indicates the last Rx
+--
+2.20.1
+
--- /dev/null
+From cb7a0e99e9b6f49e38451d157e887edd86dca433 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sun, 17 Mar 2019 14:02:31 +0900
+Subject: kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.
+
+[ Upstream commit c03a0fd0b609e2f5c669c2b7f27c8e1928e9196e ]
+
+syzbot is hitting use-after-free bug in uinput module [1]. This is because
+kobject_uevent(KOBJ_REMOVE) is called again due to commit 0f4dafc0563c6c49
+("Kobject: auto-cleanup on final unref") after memory allocation fault
+injection made kobject_uevent(KOBJ_REMOVE) from device_del() from
+input_unregister_device() fail, while uinput_destroy_device() is expecting
+that kobject_uevent(KOBJ_REMOVE) is not called after device_del() from
+input_unregister_device() completed.
+
+That commit intended to catch cases where nobody even attempted to send
+"remove" uevents. But there is no guarantee that an event will ultimately
+be sent. We are at the point of no return as far as the rest of the kernel
+is concerned; there are no repeats or do-overs.
+
+Also, it is not clear whether some subsystem depends on that commit.
+If no subsystem depends on that commit, it will be better to remove
+the state_{add,remove}_uevent_sent logic. But we don't want to risk
+a regression (in a patch which will be backported) by trying to remove
+that logic. Therefore, as a first step, let's avoid the use-after-free bug
+by making sure that kobject_uevent(KOBJ_REMOVE) won't be triggered twice.
+
+[1] https://syzkaller.appspot.com/bug?id=8b17c134fe938bbddd75a45afaa9e68af43a362d
+
+Reported-by: syzbot <syzbot+f648cfb7e0b52bf7ae32@syzkaller.appspotmail.com>
+Analyzed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Fixes: 0f4dafc0563c6c49 ("Kobject: auto-cleanup on final unref")
+Cc: Kay Sievers <kay@vrfy.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kobject_uevent.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
+index f237a09a58627..3916cf0e2f0ae 100644
+--- a/lib/kobject_uevent.c
++++ b/lib/kobject_uevent.c
+@@ -340,6 +340,13 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
+ struct uevent_sock *ue_sk;
+ #endif
+
++ /*
++ * Mark "remove" event done regardless of result, for some subsystems
++ * do not want to re-trigger "remove" event via automatic cleanup.
++ */
++ if (action == KOBJ_REMOVE)
++ kobj->state_remove_uevent_sent = 1;
++
+ pr_debug("kobject: '%s' (%p): %s\n",
+ kobject_name(kobj), kobj, __func__);
+
+@@ -441,10 +448,6 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
+ kobj->state_add_uevent_sent = 1;
+ break;
+
+- case KOBJ_REMOVE:
+- kobj->state_remove_uevent_sent = 1;
+- break;
+-
+ case KOBJ_UNBIND:
+ zap_modalias_env(env);
+ break;
+--
+2.20.1
+
--- /dev/null
+From 6501db7c0cf1dd57a2d1b8a69df6c5ccfb80da8e Mon Sep 17 00:00:00 2001
+From: "Daniel T. Lee" <danieltimlee@gmail.com>
+Date: Wed, 24 Apr 2019 05:24:56 +0900
+Subject: libbpf: fix samples/bpf build failure due to undefined UINT32_MAX
+
+[ Upstream commit 32e621e55496a0009f44fe4914cd4a23cade4984 ]
+
+Currently, building bpf samples will cause the following error.
+
+ ./tools/lib/bpf/bpf.h:132:27: error: 'UINT32_MAX' undeclared here (not in a function) ..
+ #define BPF_LOG_BUF_SIZE (UINT32_MAX >> 8) /* verifier maximum in kernels <= 5.1 */
+ ^
+ ./samples/bpf/bpf_load.h:31:25: note: in expansion of macro 'BPF_LOG_BUF_SIZE'
+ extern char bpf_log_buf[BPF_LOG_BUF_SIZE];
+ ^~~~~~~~~~~~~~~~
+
+Due to commit 4519efa6f8ea ("libbpf: fix BPF_LOG_BUF_SIZE off-by-one error")
+hard-coded size of BPF_LOG_BUF_SIZE has been replaced with UINT32_MAX which is
+defined in <stdint.h> header.
+
+Even with this change, bpf selftests are running fine since these are built
+with clang and it includes header(-idirafter) from clang/6.0.0/include.
+(it has <stdint.h>)
+
+ clang -I. -I./include/uapi -I../../../include/uapi -idirafter /usr/local/include -idirafter /usr/include \
+ -idirafter /usr/lib/llvm-6.0/lib/clang/6.0.0/include -idirafter /usr/include/x86_64-linux-gnu \
+ -Wno-compare-distinct-pointer-types -O2 -target bpf -emit-llvm -c progs/test_sysctl_prog.c -o - | \
+ llc -march=bpf -mcpu=generic -filetype=obj -o /linux/tools/testing/selftests/bpf/test_sysctl_prog.o
+
+But bpf samples are compiled with GCC, and it only searches and includes
+headers declared at the target file. As '#include <stdint.h>' hasn't been
+declared in tools/lib/bpf/bpf.h, it causes build failure of bpf samples.
+
+ gcc -Wp,-MD,./samples/bpf/.sockex3_user.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes \
+ -O2 -fomit-frame-pointer -std=gnu89 -I./usr/include -I./tools/lib/ -I./tools/testing/selftests/bpf/ \
+ -I./tools/ lib/ -I./tools/include -I./tools/perf -c -o ./samples/bpf/sockex3_user.o ./samples/bpf/sockex3_user.c;
+
+This commit add declaration of '#include <stdint.h>' to tools/lib/bpf/bpf.h
+to fix this problem.
+
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
+index b8ea5843c39ee..e9423d6af9332 100644
+--- a/tools/lib/bpf/bpf.h
++++ b/tools/lib/bpf/bpf.h
+@@ -23,6 +23,7 @@
+
+ #include <linux/bpf.h>
+ #include <stddef.h>
++#include <stdint.h>
+
+ int bpf_create_map_node(enum bpf_map_type map_type, int key_size,
+ int value_size, int max_entries, __u32 map_flags,
+--
+2.20.1
+
--- /dev/null
+From bdd4b4f55ff6bd687236c5df59a59f9835a34a67 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Date: Tue, 26 Mar 2019 09:27:37 +0000
+Subject: mac80211/cfg80211: update bss channel on channel switch
+
+[ Upstream commit 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8 ]
+
+FullMAC STAs have no way to update bss channel after CSA channel switch
+completion. As a result, user-space tools may provide inconsistent
+channel info. For instance, consider the following two commands:
+$ sudo iw dev wlan0 link
+$ sudo iw dev wlan0 info
+The latter command gets channel info from the hardware, so most probably
+its output will be correct. However the former command gets channel info
+from scan cache, so its output will contain outdated channel info.
+In fact, current bss channel info will not be updated until the
+next [re-]connect.
+
+Note that mac80211 STAs have a workaround for this, but it requires
+access to internal cfg80211 data, see ieee80211_chswitch_work:
+
+ /* XXX: shouldn't really modify cfg80211-owned data! */
+ ifmgd->associated->channel = sdata->csa_chandef.chan;
+
+This patch suggests to convert mac80211 workaround into cfg80211 behavior
+and to update current bss channel in cfg80211_ch_switch_notify.
+
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 3 ---
+ net/wireless/nl80211.c | 5 +++++
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 4c59b5507e7ac..33bd6da00a1c5 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1071,9 +1071,6 @@ static void ieee80211_chswitch_work(struct work_struct *work)
+ goto out;
+ }
+
+- /* XXX: shouldn't really modify cfg80211-owned data! */
+- ifmgd->associated->channel = sdata->csa_chandef.chan;
+-
+ ifmgd->csa_waiting_bcn = true;
+
+ ieee80211_sta_reset_beacon_monitor(sdata);
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index c1a2ad050e617..c672a790df1ce 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -14706,6 +14706,11 @@ void cfg80211_ch_switch_notify(struct net_device *dev,
+
+ wdev->chandef = *chandef;
+ wdev->preset_chandef = *chandef;
++
++ if (wdev->iftype == NL80211_IFTYPE_STATION &&
++ !WARN_ON(!wdev->current_bss))
++ wdev->current_bss->pub.channel = chandef->chan;
++
+ nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
+ NL80211_CMD_CH_SWITCH_NOTIFY, 0);
+ }
+--
+2.20.1
+
--- /dev/null
+From 999afb4b2fda9e7eea793dd577cde4086c5e89a4 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuah@kernel.org>
+Date: Mon, 1 Apr 2019 20:43:17 -0400
+Subject: media: au0828: Fix NULL pointer dereference in
+ au0828_analog_stream_enable()
+
+[ Upstream commit 898bc40bfcc26abb6e06e960d6d4754c36c58b50 ]
+
+Fix au0828_analog_stream_enable() to check if device is in the right
+state first. When unbind happens while bind is in progress, usbdev
+pointer could be invalid in au0828_analog_stream_enable() and a call
+to usb_ifnum_to_if() will result in the null pointer dereference.
+
+This problem is found with the new media_dev_allocator.sh test.
+
+kernel: [ 590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
+kernel: [ 590.359627] #PF error: [normal kernel read fault]
+kernel: [ 590.359629] PGD 0 P4D 0
+kernel: [ 590.359632] Oops: 0000 [#1] SMP PTI
+kernel: [ 590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
+kernel: [ 590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
+kernel: [ 590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
+kernel: [ 590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4
+ 10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
+6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
+9 74
+kernel: [ 590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
+kernel: [ 590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
+kernel: [ 590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
+kernel: [ 590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
+kernel: [ 590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
+kernel: [ 590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
+kernel: [ 590.359654] FS: 00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
+kernel: [ 590.359655] CS: 0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
+kernel: [ 590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
+kernel: [ 590.359658] Call Trace:
+kernel: [ 590.359664] ? au0828_analog_stream_enable+0x2c/0x180
+kernel: [ 590.359666] au0828_v4l2_open+0xa4/0x110
+kernel: [ 590.359670] v4l2_open+0x8b/0x120
+kernel: [ 590.359674] chrdev_open+0xa6/0x1c0
+kernel: [ 590.359676] ? cdev_put.part.3+0x20/0x20
+kernel: [ 590.359678] do_dentry_open+0x1f6/0x360
+kernel: [ 590.359681] vfs_open+0x2f/0x40
+kernel: [ 590.359684] path_openat+0x299/0xc20
+kernel: [ 590.359688] do_filp_open+0x9b/0x110
+kernel: [ 590.359695] ? _raw_spin_unlock+0x27/0x40
+kernel: [ 590.359697] ? __alloc_fd+0xb2/0x160
+kernel: [ 590.359700] do_sys_open+0x1ba/0x260
+kernel: [ 590.359702] ? do_sys_open+0x1ba/0x260
+kernel: [ 590.359712] __x64_sys_openat+0x20/0x30
+kernel: [ 590.359715] do_syscall_64+0x5a/0x120
+kernel: [ 590.359718] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/au0828/au0828-video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
+index 7cd2daf869895..067f46c4f61a7 100644
+--- a/drivers/media/usb/au0828/au0828-video.c
++++ b/drivers/media/usb/au0828/au0828-video.c
+@@ -758,6 +758,9 @@ static int au0828_analog_stream_enable(struct au0828_dev *d)
+
+ dprintk(1, "au0828_analog_stream_enable called\n");
+
++ if (test_bit(DEV_DISCONNECTED, &d->dev_state))
++ return -ENODEV;
++
+ iface = usb_ifnum_to_if(d->usbdev, 0);
+ if (iface && iface->cur_altsetting->desc.bAlternateSetting != 5) {
+ dprintk(1, "Changing intf#0 to alt 5\n");
+--
+2.20.1
+
--- /dev/null
+From 2ed78f97530cc5a62bf51e756c400b56464b90aa Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Tue, 2 Apr 2019 03:24:15 -0400
+Subject: media: au0828: stop video streaming only when last user stops
+
+[ Upstream commit f604f0f5afb88045944567f604409951b5eb6af8 ]
+
+If the application was streaming from both videoX and vbiX, and streaming
+from videoX was stopped, then the vbi streaming also stopped.
+
+The cause being that stop_streaming for video stopped the subdevs as well,
+instead of only doing that if dev->streaming_users reached 0.
+
+au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs
+at all when dev->streaming_users reached 0.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Tested-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/au0828/au0828-video.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
+index 9342402b92f76..7cd2daf869895 100644
+--- a/drivers/media/usb/au0828/au0828-video.c
++++ b/drivers/media/usb/au0828/au0828-video.c
+@@ -839,9 +839,9 @@ int au0828_start_analog_streaming(struct vb2_queue *vq, unsigned int count)
+ return rc;
+ }
+
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 1);
++
+ if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+- v4l2_device_call_all(&dev->v4l2_dev, 0, video,
+- s_stream, 1);
+ dev->vid_timeout_running = 1;
+ mod_timer(&dev->vid_timeout, jiffies + (HZ / 10));
+ } else if (vq->type == V4L2_BUF_TYPE_VBI_CAPTURE) {
+@@ -861,10 +861,11 @@ static void au0828_stop_streaming(struct vb2_queue *vq)
+
+ dprintk(1, "au0828_stop_streaming called %d\n", dev->streaming_users);
+
+- if (dev->streaming_users-- == 1)
++ if (dev->streaming_users-- == 1) {
+ au0828_uninit_isoc(dev);
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
++ }
+
+- v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
+ dev->vid_timeout_running = 0;
+ del_timer_sync(&dev->vid_timeout);
+
+@@ -893,8 +894,10 @@ void au0828_stop_vbi_streaming(struct vb2_queue *vq)
+ dprintk(1, "au0828_stop_vbi_streaming called %d\n",
+ dev->streaming_users);
+
+- if (dev->streaming_users-- == 1)
++ if (dev->streaming_users-- == 1) {
+ au0828_uninit_isoc(dev);
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
++ }
+
+ spin_lock_irqsave(&dev->slock, flags);
+ if (dev->isoc_ctl.vbi_buf != NULL) {
+--
+2.20.1
+
--- /dev/null
+From 461e77a9d1168bebe21077237231cefff9c00148 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Mon, 8 Apr 2019 08:32:49 -0400
+Subject: media: coda: clear error return value before picture run
+
+[ Upstream commit bbeefa7357a648afe70e7183914c87c3878d528d ]
+
+The error return value is not written by some firmware codecs, such as
+MPEG-2 decode on CodaHx4. Clear the error return value before starting
+the picture run to avoid misinterpreting unrelated values returned by
+sequence initialization as error return value.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 3457a5f1c8a8e..6eee55430d46a 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1948,6 +1948,9 @@ static int coda_prepare_decode(struct coda_ctx *ctx)
+ /* Clear decode success flag */
+ coda_write(dev, 0, CODA_RET_DEC_PIC_SUCCESS);
+
++ /* Clear error return value */
++ coda_write(dev, 0, CODA_RET_DEC_PIC_ERR_MB);
++
+ trace_coda_dec_pic_run(ctx, meta);
+
+ coda_command_async(ctx, CODA_COMMAND_PIC_RUN);
+--
+2.20.1
+
--- /dev/null
+From bd407435483f2948e868203ee705343fb9928ae4 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 12:01:58 -0500
+Subject: media: go7007: avoid clang frame overflow warning with KASAN
+
+[ Upstream commit ed713a4a1367aca5c0f2f329579465db00c17995 ]
+
+clang-8 warns about one function here when KASAN is enabled, even
+without the 'asan-stack' option:
+
+drivers/media/usb/go7007/go7007-fw.c:1551:5: warning: stack frame size of 2656 bytes in function
+
+I have reported this issue in the llvm bugzilla, but to make
+it work with the clang-8 release, a small annotation is still
+needed.
+
+Link: https://bugs.llvm.org/show_bug.cgi?id=38809
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix checkpatch warning]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/go7007/go7007-fw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-fw.c b/drivers/media/usb/go7007/go7007-fw.c
+index 60bf5f0644d11..a5efcd4f7b4f5 100644
+--- a/drivers/media/usb/go7007/go7007-fw.c
++++ b/drivers/media/usb/go7007/go7007-fw.c
+@@ -1499,8 +1499,8 @@ static int modet_to_package(struct go7007 *go, __le16 *code, int space)
+ return cnt;
+ }
+
+-static int do_special(struct go7007 *go, u16 type, __le16 *code, int space,
+- int *framelen)
++static noinline_for_stack int do_special(struct go7007 *go, u16 type,
++ __le16 *code, int space, int *framelen)
+ {
+ switch (type) {
+ case SPECIAL_FRM_HEAD:
+--
+2.20.1
+
--- /dev/null
+From 2146583cf6bf5db0d96587d9df4a2160f9502f38 Mon Sep 17 00:00:00 2001
+From: James Hutchinson <jahutchinson99@googlemail.com>
+Date: Sun, 13 Jan 2019 16:13:47 -0500
+Subject: media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
+
+[ Upstream commit 981fbe3da20a6f35f17977453bce7dfc1664d74f ]
+
+Ref: https://bugzilla.kernel.org/show_bug.cgi?id=199323
+
+Users are experiencing problems with the DVBSky S960/S960C USB devices
+since the following commit:
+
+9d659ae: ("locking/mutex: Add lock handoff to avoid starvation")
+
+The device malfunctions after running for an indeterminable period of
+time, and the problem can only be cleared by rebooting the machine.
+
+It is possible to encourage the problem to surface by blocking the
+signal to the LNB.
+
+Further debugging revealed the cause of the problem.
+
+In the following capture:
+- thread #1325 is running m88ds3103_set_frontend
+- thread #42 is running ts2020_stat_work
+
+a> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 80
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 08
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 68 3f
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 08 ff
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 3d
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+b> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 00
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 21
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 66
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+ [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 60 02 10 0b
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+
+Two i2c messages are sent to perform a reset in m88ds3103_set_frontend:
+
+ a. 0x07, 0x80
+ b. 0x07, 0x00
+
+However, as shown in the capture, the regmap mutex is being handed over
+to another thread (ts2020_stat_work) in between these two messages.
+
+>From here, the device responds to every i2c message with an 07 message,
+and will only return to normal operation following a power cycle.
+
+Use regmap_multi_reg_write to group the two reset messages, ensuring
+both are processed before the regmap mutex is unlocked.
+
+Signed-off-by: James Hutchinson <jahutchinson99@googlemail.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/m88ds3103.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
+index 65d157fe76d19..b4bd1af34745d 100644
+--- a/drivers/media/dvb-frontends/m88ds3103.c
++++ b/drivers/media/dvb-frontends/m88ds3103.c
+@@ -309,6 +309,9 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ u16 u16tmp;
+ u32 tuner_frequency_khz, target_mclk;
+ s32 s32tmp;
++ static const struct reg_sequence reset_buf[] = {
++ {0x07, 0x80}, {0x07, 0x00}
++ };
+
+ dev_dbg(&client->dev,
+ "delivery_system=%d modulation=%d frequency=%u symbol_rate=%d inversion=%d pilot=%d rolloff=%d\n",
+@@ -321,11 +324,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ }
+
+ /* reset */
+- ret = regmap_write(dev->regmap, 0x07, 0x80);
+- if (ret)
+- goto err;
+-
+- ret = regmap_write(dev->regmap, 0x07, 0x00);
++ ret = regmap_multi_reg_write(dev->regmap, reset_buf, 2);
+ if (ret)
+ goto err;
+
+--
+2.20.1
+
--- /dev/null
+From cc2ec3d94f8f71a08b7224242a6532207c916f4f Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sat, 30 Mar 2019 10:01:31 -0400
+Subject: media: ov2659: make S_FMT succeed even if requested format doesn't
+ match
+
+[ Upstream commit bccb89cf9cd07a0690d519696a00c00a973b3fe4 ]
+
+This driver returns an error if unsupported media bus pixel code is
+requested by VIDIOC_SUBDEV_S_FMT.
+
+But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst,
+
+Drivers must not return an error solely because the requested format
+doesn't match the device capabilities. They must instead modify the
+format to match what the hardware can provide.
+
+So select default format code and return success in that case.
+
+This is detected by v4l2-compliance.
+
+Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov2659.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c
+index 122dd6c5eb389..ce23f436e130d 100644
+--- a/drivers/media/i2c/ov2659.c
++++ b/drivers/media/i2c/ov2659.c
+@@ -1117,8 +1117,10 @@ static int ov2659_set_fmt(struct v4l2_subdev *sd,
+ if (ov2659_formats[index].code == mf->code)
+ break;
+
+- if (index < 0)
+- return -EINVAL;
++ if (index < 0) {
++ index = 0;
++ mf->code = ov2659_formats[index].code;
++ }
+
+ mf->colorspace = V4L2_COLORSPACE_SRGB;
+ mf->field = V4L2_FIELD_NONE;
+--
+2.20.1
+
--- /dev/null
+From 10fbe9f9615fc8a3aff607534846adfcd88a3df5 Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Fri, 29 Mar 2019 21:06:09 -0400
+Subject: media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
+
+[ Upstream commit ccdd85d518d8b9320ace1d87271f0ba2175f21fa ]
+
+In preparation for adding asynchronous subdevice support to the driver,
+don't acquire v4l2_clk from the driver .probe() callback as that may
+fail if the clock is provided by a bridge driver which may be not yet
+initialized. Move the v4l2_clk_get() to ov6650_video_probe() helper
+which is going to be converted to v4l2_subdev_internal_ops.registered()
+callback, executed only when the bridge driver is ready.
+
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov6650.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c
+index 07bc819f5819d..025869eec2ac9 100644
+--- a/drivers/media/i2c/ov6650.c
++++ b/drivers/media/i2c/ov6650.c
+@@ -822,9 +822,16 @@ static int ov6650_video_probe(struct i2c_client *client)
+ u8 pidh, pidl, midh, midl;
+ int ret;
+
++ priv->clk = v4l2_clk_get(&client->dev, NULL);
++ if (IS_ERR(priv->clk)) {
++ ret = PTR_ERR(priv->clk);
++ dev_err(&client->dev, "v4l2_clk request err: %d\n", ret);
++ return ret;
++ }
++
+ ret = ov6650_s_power(&priv->subdev, 1);
+ if (ret < 0)
+- return ret;
++ goto eclkput;
+
+ msleep(20);
+
+@@ -861,6 +868,11 @@ static int ov6650_video_probe(struct i2c_client *client)
+
+ done:
+ ov6650_s_power(&priv->subdev, 0);
++ if (!ret)
++ return 0;
++eclkput:
++ v4l2_clk_put(priv->clk);
++
+ return ret;
+ }
+
+@@ -1006,18 +1018,9 @@ static int ov6650_probe(struct i2c_client *client,
+ priv->code = MEDIA_BUS_FMT_YUYV8_2X8;
+ priv->colorspace = V4L2_COLORSPACE_JPEG;
+
+- priv->clk = v4l2_clk_get(&client->dev, NULL);
+- if (IS_ERR(priv->clk)) {
+- ret = PTR_ERR(priv->clk);
+- goto eclkget;
+- }
+-
+ ret = ov6650_video_probe(client);
+- if (ret) {
+- v4l2_clk_put(priv->clk);
+-eclkget:
++ if (ret)
+ v4l2_ctrl_handler_free(&priv->hdl);
+- }
+
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 3e0fb086adac416dec44e200280c8d5d0cd204d8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 8 Apr 2019 05:52:38 -0400
+Subject: media: pvrusb2: Prevent a buffer overflow
+
+[ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ]
+
+The ctrl_check_input() function is called from pvr2_ctrl_range_check().
+It's supposed to validate user supplied input and return true or false
+depending on whether the input is valid or not. The problem is that
+negative shifts or shifts greater than 31 are undefined in C. In
+practice with GCC they result in shift wrapping so this function returns
+true for some inputs which are not valid and this could result in a
+buffer overflow:
+
+ drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
+ warn: uncapped user index 'names[val]'
+
+The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
+and the highest valid bit is BIT(4).
+
+Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+index 44975061b9536..ddededc4ced45 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -666,6 +666,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp)
+
+ static int ctrl_check_input(struct pvr2_ctrl *cptr,int v)
+ {
++ if (v < 0 || v > PVR2_CVAL_INPUT_MAX)
++ return 0;
+ return ((1 << v) & cptr->hdw->input_allowed_mask) != 0;
+ }
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+index 25648add77e58..bd2b7a67b7322 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+@@ -50,6 +50,7 @@
+ #define PVR2_CVAL_INPUT_COMPOSITE 2
+ #define PVR2_CVAL_INPUT_SVIDEO 3
+ #define PVR2_CVAL_INPUT_RADIO 4
++#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO
+
+ enum pvr2_config {
+ pvr2_config_empty, /* No configuration */
+--
+2.20.1
+
--- /dev/null
+From 9afb480e95d6ce8d66ecb5037bbb50189c07a1bf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 12:01:56 -0500
+Subject: media: saa7146: avoid high stack usage with clang
+
+[ Upstream commit 03aa4f191a36f33fce015387f84efa0eee94408e ]
+
+Two saa7146/hexium files contain a construct that causes a warning
+when built with clang:
+
+drivers/media/pci/saa7146/hexium_orion.c:210:12: error: stack frame size of 2272 bytes in function 'hexium_probe'
+ [-Werror,-Wframe-larger-than=]
+static int hexium_probe(struct saa7146_dev *dev)
+ ^
+drivers/media/pci/saa7146/hexium_gemini.c:257:12: error: stack frame size of 2304 bytes in function 'hexium_attach'
+ [-Werror,-Wframe-larger-than=]
+static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
+ ^
+
+This one happens regardless of KASAN, and the problem is that a
+constructor to initialize a dynamically allocated structure leads
+to a copy of that structure on the stack, whereas gcc initializes
+it in place.
+
+Link: https://bugs.llvm.org/show_bug.cgi?id=40776
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix checkpatch warnings]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7146/hexium_gemini.c | 5 ++---
+ drivers/media/pci/saa7146/hexium_orion.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
+index f708cab01fef1..934332f1fd8e6 100644
+--- a/drivers/media/pci/saa7146/hexium_gemini.c
++++ b/drivers/media/pci/saa7146/hexium_gemini.c
+@@ -270,9 +270,8 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
+ /* enable i2c-port pins */
+ saa7146_write(dev, MC1, (MASK_08 | MASK_24 | MASK_10 | MASK_26));
+
+- hexium->i2c_adapter = (struct i2c_adapter) {
+- .name = "hexium gemini",
+- };
++ strscpy(hexium->i2c_adapter.name, "hexium gemini",
++ sizeof(hexium->i2c_adapter.name));
+ saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
+ if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
+ DEB_S("cannot register i2c-device. skipping.\n");
+diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
+index 01f01580c7cac..cb71653a66694 100644
+--- a/drivers/media/pci/saa7146/hexium_orion.c
++++ b/drivers/media/pci/saa7146/hexium_orion.c
+@@ -232,9 +232,8 @@ static int hexium_probe(struct saa7146_dev *dev)
+ saa7146_write(dev, DD1_STREAM_B, 0x00000000);
+ saa7146_write(dev, MC2, (MASK_09 | MASK_25 | MASK_10 | MASK_26));
+
+- hexium->i2c_adapter = (struct i2c_adapter) {
+- .name = "hexium orion",
+- };
++ strscpy(hexium->i2c_adapter.name, "hexium orion",
++ sizeof(hexium->i2c_adapter.name));
+ saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
+ if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
+ DEB_S("cannot register i2c-device. skipping.\n");
+--
+2.20.1
+
--- /dev/null
+From 25cfcc7caa45f9a046a6717656f6d24d6d34e2c1 Mon Sep 17 00:00:00 2001
+From: Hugues Fruchet <hugues.fruchet@st.com>
+Date: Mon, 1 Apr 2019 04:56:09 -0400
+Subject: media: stm32-dcmi: fix crash when subdev do not expose any formats
+
+[ Upstream commit 33dfeb62e23c31619d2197850f7e8b50e8cc5466 ]
+
+Do not access sd_formats[] if num_of_sd_formats is zero, ie
+subdev sensor didn't expose any formats.
+
+Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/stm32/stm32-dcmi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c
+index 35ba6f211b790..4281f3f76ab15 100644
+--- a/drivers/media/platform/stm32/stm32-dcmi.c
++++ b/drivers/media/platform/stm32/stm32-dcmi.c
+@@ -775,6 +775,9 @@ static int dcmi_try_fmt(struct stm32_dcmi *dcmi, struct v4l2_format *f,
+
+ sd_fmt = find_format_by_fourcc(dcmi, pix->pixelformat);
+ if (!sd_fmt) {
++ if (!dcmi->num_of_sd_formats)
++ return -ENODATA;
++
+ sd_fmt = dcmi->sd_formats[dcmi->num_of_sd_formats - 1];
+ pix->pixelformat = sd_fmt->fourcc;
+ }
+@@ -946,6 +949,9 @@ static int dcmi_set_sensor_format(struct stm32_dcmi *dcmi,
+
+ sd_fmt = find_format_by_fourcc(dcmi, pix->pixelformat);
+ if (!sd_fmt) {
++ if (!dcmi->num_of_sd_formats)
++ return -ENODATA;
++
+ sd_fmt = dcmi->sd_formats[dcmi->num_of_sd_formats - 1];
+ pix->pixelformat = sd_fmt->fourcc;
+ }
+--
+2.20.1
+
--- /dev/null
+From 9f7da669d9c8f3e518c743fb8cb6e517a8d7ad1e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 9 Mar 2019 02:20:56 -0500
+Subject: media: video-mux: fix null pointer dereferences
+
+[ Upstream commit aeb0d0f581e2079868e64a2e5ee346d340376eae ]
+
+devm_kcalloc may fail and return a null pointer. The fix returns
+-ENOMEM upon failures to avoid null pointer dereferences.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/video-mux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/video-mux.c b/drivers/media/platform/video-mux.c
+index ee89ad76bee23..eedc0b99a891e 100644
+--- a/drivers/media/platform/video-mux.c
++++ b/drivers/media/platform/video-mux.c
+@@ -242,9 +242,14 @@ static int video_mux_probe(struct platform_device *pdev)
+ vmux->active = -1;
+ vmux->pads = devm_kcalloc(dev, num_pads, sizeof(*vmux->pads),
+ GFP_KERNEL);
++ if (!vmux->pads)
++ return -ENOMEM;
++
+ vmux->format_mbus = devm_kcalloc(dev, num_pads,
+ sizeof(*vmux->format_mbus),
+ GFP_KERNEL);
++ if (!vmux->format_mbus)
++ return -ENOMEM;
+
+ for (i = 0; i < num_pads - 1; i++)
+ vmux->pads[i].flags = MEDIA_PAD_FL_SINK;
+--
+2.20.1
+
--- /dev/null
+From f219f6e7411c960b63e4492b20c9988bf5af224e Mon Sep 17 00:00:00 2001
+From: Helen Fornazier <helen.koike@collabora.com>
+Date: Wed, 6 Mar 2019 17:42:38 -0500
+Subject: media: vimc: stream: fix thread state before sleep
+
+[ Upstream commit 2978a505aaa981b279ef359f74ba93d25098e0a0 ]
+
+The state TASK_UNINTERRUPTIBLE should be set just before
+schedule_timeout() call, so it knows the sleep mode it should enter.
+There is no point in setting TASK_UNINTERRUPTIBLE at the initialization
+of the thread as schedule_timeout() will set the state back to
+TASK_RUNNING.
+
+This fixes a warning in __might_sleep() call, as it's expecting the
+task to be in TASK_RUNNING state just before changing the state to
+a sleeping state.
+
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Helen Koike <helen.koike@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vimc/vimc-streamer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vimc/vimc-streamer.c b/drivers/media/platform/vimc/vimc-streamer.c
+index fcc897fb247bc..392754c18046c 100644
+--- a/drivers/media/platform/vimc/vimc-streamer.c
++++ b/drivers/media/platform/vimc/vimc-streamer.c
+@@ -120,7 +120,6 @@ static int vimc_streamer_thread(void *data)
+ int i;
+
+ set_freezable();
+- set_current_state(TASK_UNINTERRUPTIBLE);
+
+ for (;;) {
+ try_to_freeze();
+@@ -137,6 +136,7 @@ static int vimc_streamer_thread(void *data)
+ break;
+ }
+ //wait for 60hz
++ set_current_state(TASK_UNINTERRUPTIBLE);
+ schedule_timeout(HZ / 60);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 55af1d8fe855b2b8d81dd7db2456bc0f2b3749dd Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Fri, 8 Mar 2019 08:02:26 -0500
+Subject: media: vimc: zero the media_device on probe
+
+[ Upstream commit f74267b51cb36321f777807b2e04ca02167ecc08 ]
+
+The media_device is part of a static global vimc_device struct.
+The media framework expects this to be zeroed before it is
+used, however, since this is a global this is not the case if
+vimc is unbound and then bound again.
+
+So call memset to ensure any left-over values are cleared.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vimc/vimc-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/vimc/vimc-core.c b/drivers/media/platform/vimc/vimc-core.c
+index 51c0eee61ca67..57e5d6a020b0e 100644
+--- a/drivers/media/platform/vimc/vimc-core.c
++++ b/drivers/media/platform/vimc/vimc-core.c
+@@ -302,6 +302,8 @@ static int vimc_probe(struct platform_device *pdev)
+
+ dev_dbg(&pdev->dev, "probe");
+
++ memset(&vimc->mdev, 0, sizeof(vimc->mdev));
++
+ /* Create platform_device for each entity in the topology*/
+ vimc->subdevs = devm_kcalloc(&vimc->pdev.dev, vimc->pipe_cfg->num_ents,
+ sizeof(*vimc->subdevs), GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From e104a16b5c854a65dd3bfbb70fe1beab2fe1c924 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 26 Mar 2019 01:12:07 -0400
+Subject: media: wl128x: prevent two potential buffer overflows
+
+[ Upstream commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 ]
+
+Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
+can copy up to 255 bytes and we only have room for two bytes. Even
+if this comes from the firmware and we trust it, the new policy
+generally is just to fix it as kernel hardenning.
+
+I can't test this code so I tried to be very conservative. I considered
+not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
+whole variable but in the end I decided to allow it and manually
+initialized "asic_id" and "asic_ver" to zero.
+
+Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/wl128x/fmdrv_common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c
+index ab3428bf63fee..26895ae42fcf4 100644
+--- a/drivers/media/radio/wl128x/fmdrv_common.c
++++ b/drivers/media/radio/wl128x/fmdrv_common.c
+@@ -489,7 +489,8 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 fm_op, u16 type, void *payload,
+ return -EIO;
+ }
+ /* Send response data to caller */
+- if (response != NULL && response_len != NULL && evt_hdr->dlen) {
++ if (response != NULL && response_len != NULL && evt_hdr->dlen &&
++ evt_hdr->dlen <= payload_len) {
+ /* Skip header info and copy only response data */
+ skb_pull(skb, sizeof(struct fm_event_msg_hdr));
+ memcpy(response, skb->data, evt_hdr->dlen);
+@@ -583,6 +584,8 @@ static void fm_irq_handle_flag_getcmd_resp(struct fmdev *fmdev)
+ return;
+
+ fm_evt_hdr = (void *)skb->data;
++ if (fm_evt_hdr->dlen > sizeof(fmdev->irq_info.flag))
++ return;
+
+ /* Skip header info and copy only response data */
+ skb_pull(skb, sizeof(struct fm_event_msg_hdr));
+@@ -1308,7 +1311,7 @@ static int load_default_rx_configuration(struct fmdev *fmdev)
+ static int fm_power_up(struct fmdev *fmdev, u8 mode)
+ {
+ u16 payload;
+- __be16 asic_id, asic_ver;
++ __be16 asic_id = 0, asic_ver = 0;
+ int resp_len, ret;
+ u8 fw_name[50];
+
+--
+2.20.1
+
--- /dev/null
+From 8d5b6d749e8b4e42215074fdc5b30fb5c77e7f80 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 24 Apr 2019 09:19:25 +0200
+Subject: mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older
+ GCC versions
+
+[ Upstream commit 29da93fea3ea39ab9b12270cc6be1b70ef201c9e ]
+
+Randy reported objtool triggered on his (GCC-7.4) build:
+
+ lib/strncpy_from_user.o: warning: objtool: strncpy_from_user()+0x315: call to __ubsan_handle_add_overflow() with UACCESS enabled
+ lib/strnlen_user.o: warning: objtool: strnlen_user()+0x337: call to __ubsan_handle_sub_overflow() with UACCESS enabled
+
+This is due to UBSAN generating signed-overflow-UB warnings where it
+should not. Prior to GCC-8 UBSAN ignored -fwrapv (which the kernel
+uses through -fno-strict-overflow).
+
+Make the functions use 'unsigned long' throughout.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: luto@kernel.org
+Link: http://lkml.kernel.org/r/20190424072208.754094071@infradead.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/strncpy_from_user.c | 5 +++--
+ lib/strnlen_user.c | 4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
+index b53e1b5d80f42..e304b54c9c7dd 100644
+--- a/lib/strncpy_from_user.c
++++ b/lib/strncpy_from_user.c
+@@ -23,10 +23,11 @@
+ * hit it), 'max' is the address space maximum (and we return
+ * -EFAULT if we hit it).
+ */
+-static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
++static inline long do_strncpy_from_user(char *dst, const char __user *src,
++ unsigned long count, unsigned long max)
+ {
+ const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
+- long res = 0;
++ unsigned long res = 0;
+
+ /*
+ * Truncate 'max' to the user-specified limit, so that
+diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
+index 60d0bbda8f5e5..184f80f7bacfa 100644
+--- a/lib/strnlen_user.c
++++ b/lib/strnlen_user.c
+@@ -28,7 +28,7 @@
+ static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
+ {
+ const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
+- long align, res = 0;
++ unsigned long align, res = 0;
+ unsigned long c;
+
+ /*
+@@ -42,7 +42,7 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
+ * Do everything aligned. But that means that we
+ * need to also expand the maximum..
+ */
+- align = (sizeof(long) - 1) & (unsigned long)src;
++ align = (sizeof(unsigned long) - 1) & (unsigned long)src;
+ src -= align;
+ max += align;
+
+--
+2.20.1
+
--- /dev/null
+From 1937c042de637775ae2d6b26ee4921b1222f7a3d Mon Sep 17 00:00:00 2001
+From: Andrea Merello <andrea.merello@gmail.com>
+Date: Fri, 5 Apr 2019 10:34:58 +0200
+Subject: mmc: core: make pwrseq_emmc (partially) support sleepy GPIO
+ controllers
+
+[ Upstream commit 002ee28e8b322d4d4b7b83234b5d0f4ebd428eda ]
+
+pwrseq_emmc.c implements a HW reset procedure for eMMC chip by driving a
+GPIO line.
+
+It registers the .reset() cb on mmc_pwrseq_ops and it registers a system
+restart notification handler; both of them perform reset by unconditionally
+calling gpiod_set_value().
+
+If the eMMC reset line is tied to a GPIO controller whose driver can sleep
+(i.e. I2C GPIO controller), then the kernel would spit warnings when trying
+to reset the eMMC chip by means of .reset() mmc_pwrseq_ops cb (that is
+exactly what I'm seeing during boot).
+
+Furthermore, on system reset we would gets to the system restart
+notification handler with disabled interrupts - local_irq_disable() is
+called in machine_restart() at least on ARM/ARM64 - and we would be in
+trouble when the GPIO driver tries to sleep (which indeed doesn't happen
+here, likely because in my case the machine specific code doesn't call
+do_kernel_restart(), I guess..).
+
+This patch fixes the .reset() cb to make use of gpiod_set_value_cansleep(),
+so that the eMMC gets reset on boot without complaints, while, since there
+isn't that much we can do, we avoid register the restart handler if the
+GPIO controller has a sleepy driver (and we spit a dev_notice() message to
+let people know)..
+
+This had been tested on a downstream 4.9 kernel with backported
+commit 83f37ee7ba33 ("mmc: pwrseq: Add reset callback to the struct
+mmc_pwrseq_ops") and commit ae60fb031cf2 ("mmc: core: Don't do eMMC HW
+reset when resuming the eMMC card"), because I couldn't boot my board
+otherwise. Maybe worth to RFT.
+
+Signed-off-by: Andrea Merello <andrea.merello@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/pwrseq_emmc.c | 38 ++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/mmc/core/pwrseq_emmc.c b/drivers/mmc/core/pwrseq_emmc.c
+index efb8a7965dd4a..154f4204d58cb 100644
+--- a/drivers/mmc/core/pwrseq_emmc.c
++++ b/drivers/mmc/core/pwrseq_emmc.c
+@@ -30,19 +30,14 @@ struct mmc_pwrseq_emmc {
+
+ #define to_pwrseq_emmc(p) container_of(p, struct mmc_pwrseq_emmc, pwrseq)
+
+-static void __mmc_pwrseq_emmc_reset(struct mmc_pwrseq_emmc *pwrseq)
+-{
+- gpiod_set_value(pwrseq->reset_gpio, 1);
+- udelay(1);
+- gpiod_set_value(pwrseq->reset_gpio, 0);
+- udelay(200);
+-}
+-
+ static void mmc_pwrseq_emmc_reset(struct mmc_host *host)
+ {
+ struct mmc_pwrseq_emmc *pwrseq = to_pwrseq_emmc(host->pwrseq);
+
+- __mmc_pwrseq_emmc_reset(pwrseq);
++ gpiod_set_value_cansleep(pwrseq->reset_gpio, 1);
++ udelay(1);
++ gpiod_set_value_cansleep(pwrseq->reset_gpio, 0);
++ udelay(200);
+ }
+
+ static int mmc_pwrseq_emmc_reset_nb(struct notifier_block *this,
+@@ -50,8 +45,11 @@ static int mmc_pwrseq_emmc_reset_nb(struct notifier_block *this,
+ {
+ struct mmc_pwrseq_emmc *pwrseq = container_of(this,
+ struct mmc_pwrseq_emmc, reset_nb);
++ gpiod_set_value(pwrseq->reset_gpio, 1);
++ udelay(1);
++ gpiod_set_value(pwrseq->reset_gpio, 0);
++ udelay(200);
+
+- __mmc_pwrseq_emmc_reset(pwrseq);
+ return NOTIFY_DONE;
+ }
+
+@@ -72,14 +70,18 @@ static int mmc_pwrseq_emmc_probe(struct platform_device *pdev)
+ if (IS_ERR(pwrseq->reset_gpio))
+ return PTR_ERR(pwrseq->reset_gpio);
+
+- /*
+- * register reset handler to ensure emmc reset also from
+- * emergency_reboot(), priority 255 is the highest priority
+- * so it will be executed before any system reboot handler.
+- */
+- pwrseq->reset_nb.notifier_call = mmc_pwrseq_emmc_reset_nb;
+- pwrseq->reset_nb.priority = 255;
+- register_restart_handler(&pwrseq->reset_nb);
++ if (!gpiod_cansleep(pwrseq->reset_gpio)) {
++ /*
++ * register reset handler to ensure emmc reset also from
++ * emergency_reboot(), priority 255 is the highest priority
++ * so it will be executed before any system reboot handler.
++ */
++ pwrseq->reset_nb.notifier_call = mmc_pwrseq_emmc_reset_nb;
++ pwrseq->reset_nb.priority = 255;
++ register_restart_handler(&pwrseq->reset_nb);
++ } else {
++ dev_notice(dev, "EMMC reset pin tied to a sleepy GPIO driver; reset on emergency-reboot disabled\n");
++ }
+
+ pwrseq->pwrseq.ops = &mmc_pwrseq_emmc_ops;
+ pwrseq->pwrseq.dev = dev;
+--
+2.20.1
+
--- /dev/null
+From b6fc49fc1f08f131ecf5bdf306d7487a190664db Mon Sep 17 00:00:00 2001
+From: Raul E Rangel <rrangel@chromium.org>
+Date: Mon, 29 Apr 2019 11:32:39 -0600
+Subject: mmc: core: Verify SD bus width
+
+[ Upstream commit 9e4be8d03f50d1b25c38e2b59e73b194c130df7d ]
+
+The SD Physical Layer Spec says the following: Since the SD Memory Card
+shall support at least the two bus modes 1-bit or 4-bit width, then any SD
+Card shall set at least bits 0 and 2 (SD_BUS_WIDTH="0101").
+
+This change verifies the card has specified a bus width.
+
+AMD SDHC Device 7806 can get into a bad state after a card disconnect
+where anything transferred via the DATA lines will always result in a
+zero filled buffer. Currently the driver will continue without error if
+the HC is in this condition. A block device will be created, but reading
+from it will result in a zero buffer. This makes it seem like the SD
+device has been erased, when in actuality the data is never getting
+copied from the DATA lines to the data buffer.
+
+SCR is the first command in the SD initialization sequence that uses the
+DATA lines. By checking that the response was invalid, we can abort
+mounting the card.
+
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Raul E Rangel <rrangel@chromium.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/sd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c
+index eb9de21349679..fe2ef52135b6b 100644
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -216,6 +216,14 @@ static int mmc_decode_scr(struct mmc_card *card)
+
+ if (scr->sda_spec3)
+ scr->cmds = UNSTUFF_BITS(resp, 32, 2);
++
++ /* SD Spec says: any SD Card shall set at least bits 0 and 2 */
++ if (!(scr->bus_widths & SD_SCR_BUS_WIDTH_1) ||
++ !(scr->bus_widths & SD_SCR_BUS_WIDTH_4)) {
++ pr_err("%s: invalid bus width\n", mmc_hostname(card->host));
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 7f537d1d366ab9a8c3815f01df49aefca26222c7 Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:44 +0000
+Subject: mmc: sdhci-of-esdhc: add erratum A-009204 support
+
+[ Upstream commit 5dd195522562542bc6ebe6e7bd47890d8b7ca93c ]
+
+In the event of that any data error (like, IRQSTAT[DCE]) occurs
+during an eSDHC data transaction where DMA is used for data
+transfer to/from the system memory, setting the SYSCTL[RSTD]
+register may cause a system hang. If software sets the register
+SYSCTL[RSTD] to 1 for error recovery while DMA transferring is
+not complete, eSDHC may hang the system bus. This happens because
+the software register SYSCTL[RSTD] resets the DMA engine without
+waiting for the completion of pending system transactions. This
+erratum is to fix this issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index 9207820514ceb..e26efda46b995 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -610,6 +610,9 @@ static void esdhc_reset(struct sdhci_host *host, u8 mask)
+ sdhci_writel(host, host->ier, SDHCI_INT_ENABLE);
+ sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE);
+
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ mdelay(5);
++
+ if (mask & SDHCI_RESET_ALL) {
+ val = sdhci_readl(host, ESDHC_TBCTL);
+ val &= ~ESDHC_TB_EN;
+--
+2.20.1
+
--- /dev/null
+From ffda817367a66a4ee025ac0cb3348994ba80e689 Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:40 +0000
+Subject: mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 05cb6b2a66fa7837211a060878e91be5eb10cb07 ]
+
+eSDHC-A001: The data timeout counter (SYSCTL[DTOCV]) is not
+reliable for DTOCV values 0x4(2^17 SD clock), 0x8(2^21 SD clock),
+and 0xC(2^25 SD clock). The data timeout counter can count from
+2^13–2^27, but for values 2^17, 2^21, and 2^25, the timeout
+counter counts for only 2^13 SD clocks.
+A-008358: The data timeout counter value loaded into the timeout
+counter is less than expected and can result into early timeout
+error in case of eSDHC data transactions. The table below shows
+the expected vs actual timeout period for different values of
+SYSCTL[DTOCV]:
+these two erratum has the same quirk to control it, and set
+SDHCI_QUIRK_RESET_AFTER_REQUEST to fix above issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index e26efda46b995..bcfa84aa2113a 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -883,8 +883,10 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
+ if (esdhc->vendor_ver > VENDOR_V_22)
+ host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
+
+- if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) {
+ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
++ host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
++ }
+
+ if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
+ of_device_is_compatible(np, "fsl,p5020-esdhc") ||
+--
+2.20.1
+
--- /dev/null
+From c49b4d893750fde8b6dbfc57286cca047a9c0210 Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:36 +0000
+Subject: mmc: sdhci-of-esdhc: add erratum eSDHC5 support
+
+[ Upstream commit a46e42712596b51874f04c73f1cdf1017f88df52 ]
+
+Software writing to the Transfer Type configuration register
+(system clock domain) can cause a setup/hold violation in the
+CRC flops (card clock domain), which can cause write accesses
+to be sent with corrupt CRC values. This issue occurs only for
+write preceded by read. this erratum is to fix this issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index 7b7d077e40fd4..9207820514ceb 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -880,6 +880,9 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
+ if (esdhc->vendor_ver > VENDOR_V_22)
+ host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
+
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
++
+ if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
+ of_device_is_compatible(np, "fsl,p5020-esdhc") ||
+ of_device_is_compatible(np, "fsl,p4080-esdhc") ||
+--
+2.20.1
+
--- /dev/null
+From 1375bcbc2c0c02d8221a4c4669d94d43f1f42f7f Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Mon, 11 Mar 2019 00:53:33 -0500
+Subject: mmc_spi: add a status check for spi_sync_locked
+
+[ Upstream commit 611025983b7976df0183390a63a2166411d177f1 ]
+
+In case spi_sync_locked fails, the fix reports the error and
+returns the error code upstream.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmc_spi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
+index 67f6bd24a9d0c..ea254d00541f1 100644
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct spi_transfer *t,
+ }
+
+ status = spi_sync_locked(spi, &host->m);
++ if (status < 0) {
++ dev_dbg(&spi->dev, "read error %d\n", status);
++ return status;
++ }
+
+ if (host->dma_dev) {
+ dma_sync_single_for_cpu(host->dma_dev,
+--
+2.20.1
+
--- /dev/null
+From 151fbb1f67c7484924cd42bd6f3b6c6e67dd99fa Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 12 Mar 2019 15:03:58 +0800
+Subject: mwifiex: Fix mem leak in mwifiex_tm_cmd
+
+[ Upstream commit 003b686ace820ce2d635a83f10f2d7f9c147dabc ]
+
+'hostcmd' is alloced by kzalloc, should be freed before
+leaving from the error handling cases, otherwise it will
+cause mem leak.
+
+Fixes: 3935ccc14d2c ("mwifiex: add cfg80211 testmode support")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index 68aa0c7a81394..dde47c5488184 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -4024,16 +4024,20 @@ static int mwifiex_tm_cmd(struct wiphy *wiphy, struct wireless_dev *wdev,
+
+ if (mwifiex_send_cmd(priv, 0, 0, 0, hostcmd, true)) {
+ dev_err(priv->adapter->dev, "Failed to process hostcmd\n");
++ kfree(hostcmd);
+ return -EFAULT;
+ }
+
+ /* process hostcmd response*/
+ skb = cfg80211_testmode_alloc_reply_skb(wiphy, hostcmd->len);
+- if (!skb)
++ if (!skb) {
++ kfree(hostcmd);
+ return -ENOMEM;
++ }
+ err = nla_put(skb, MWIFIEX_TM_ATTR_DATA,
+ hostcmd->len, hostcmd->cmd);
+ if (err) {
++ kfree(hostcmd);
+ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+--
+2.20.1
+
--- /dev/null
+From 56aa5ef35ddb8410dfc758ff8ff9b965010400d8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Apr 2019 11:44:23 +0300
+Subject: mwifiex: prevent an array overflow
+
+[ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ]
+
+The "rate_index" is only used as an index into the phist_data->rx_rate[]
+array in the mwifiex_hist_data_set() function. That array has
+MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
+debugfs information. The "rate_index" variable comes from the network
+skb->data[] and it is a u8 so it's in the 0-255 range. We need to cap
+it to prevent an array overflow.
+
+Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfp.c b/drivers/net/wireless/marvell/mwifiex/cfp.c
+index bfe84e55df776..f1522fb1c1e87 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfp.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfp.c
+@@ -531,5 +531,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv,
+ rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ?
+ rx_rate - 1 : rx_rate;
+
++ if (rate_index >= MWIFIEX_MAX_AC_RX_RATES)
++ rate_index = MWIFIEX_MAX_AC_RX_RATES - 1;
++
+ return rate_index;
+ }
+--
+2.20.1
+
--- /dev/null
+From 6c9112f080cfc402d4e28b28013f8d3e982a3925 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 03:05:02 -0500
+Subject: net: cw1200: fix a NULL pointer dereference
+
+[ Upstream commit 0ed2a005347400500a39ea7c7318f1fea57fb3ca ]
+
+In case create_singlethread_workqueue fails, the fix free the
+hardware and returns NULL to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/st/cw1200/main.c b/drivers/net/wireless/st/cw1200/main.c
+index dc478cedbde0d..84624c812a15f 100644
+--- a/drivers/net/wireless/st/cw1200/main.c
++++ b/drivers/net/wireless/st/cw1200/main.c
+@@ -345,6 +345,11 @@ static struct ieee80211_hw *cw1200_init_common(const u8 *macaddr,
+ mutex_init(&priv->wsm_cmd_mux);
+ mutex_init(&priv->conf_mutex);
+ priv->workqueue = create_singlethread_workqueue("cw1200_wq");
++ if (!priv->workqueue) {
++ ieee80211_free_hw(hw);
++ return NULL;
++ }
++
+ sema_init(&priv->scan.lock, 1);
+ INIT_WORK(&priv->scan.work, cw1200_scan_work);
+ INIT_DELAYED_WORK(&priv->scan.probe_work, cw1200_probe_work);
+--
+2.20.1
+
--- /dev/null
+From 12f26d3d63f5fbb9594086e621db1b4453b8d682 Mon Sep 17 00:00:00 2001
+From: Sameeh Jubran <sameehj@amazon.com>
+Date: Wed, 1 May 2019 16:47:10 +0300
+Subject: net: ena: gcc 8: fix compilation warning
+
+[ Upstream commit f913308879bc6ae437ce64d878c7b05643ddea44 ]
+
+GCC 8 contains a number of new warnings as well as enhancements to existing
+checkers. The warning - Wstringop-truncation - warns for calls to bounded
+string manipulation functions such as strncat, strncpy, and stpncpy that
+may either truncate the copied string or leave the destination unchanged.
+
+In our case the destination string length (32 bytes) is much shorter than
+the source string (64 bytes) which causes this warning to show up. In
+general the destination has to be at least a byte larger than the length
+of the source string with strncpy for this warning not to showup.
+
+This can be easily fixed by using strlcpy instead which already does the
+truncation to the string. Documentation for this function can be
+found here:
+
+https://elixir.bootlin.com/linux/latest/source/lib/string.c#L141
+
+Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 3c7813f04962b..db6f6a877f630 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2229,7 +2229,7 @@ static void ena_config_host_info(struct ena_com_dev *ena_dev)
+
+ host_info->os_type = ENA_ADMIN_OS_LINUX;
+ host_info->kernel_ver = LINUX_VERSION_CODE;
+- strncpy(host_info->kernel_ver_str, utsname()->version,
++ strlcpy(host_info->kernel_ver_str, utsname()->version,
+ sizeof(host_info->kernel_ver_str) - 1);
+ host_info->os_dist = 0;
+ strncpy(host_info->os_dist_str, utsname()->release,
+--
+2.20.1
+
--- /dev/null
+From 358940451a39cb408536d6217d834619ae6d444b Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Thu, 9 May 2019 07:25:21 -0400
+Subject: NFS: Fix a double unlock from nfs_match,get_client
+
+[ Upstream commit c260121a97a3e4df6536edbc2f26e166eff370ce ]
+
+Now that nfs_match_client drops the nfs_client_lock, we should be
+careful
+to always return it in the same condition: locked.
+
+Fixes: 950a578c6128 ("NFS: make nfs_match_client killable")
+Reported-by: syzbot+228a82b263b5da91883d@syzkaller.appspotmail.com
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/client.c b/fs/nfs/client.c
+index 65da2c105f434..0c7008fb6d5ab 100644
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -305,9 +305,9 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat
+ spin_unlock(&nn->nfs_client_lock);
+ error = nfs_wait_client_init_complete(clp);
+ nfs_put_client(clp);
++ spin_lock(&nn->nfs_client_lock);
+ if (error < 0)
+ return ERR_PTR(error);
+- spin_lock(&nn->nfs_client_lock);
+ goto again;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 9386d806ff9b0cf953a3f87643802272e9f1157a Mon Sep 17 00:00:00 2001
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Date: Thu, 25 Apr 2019 15:36:51 +0200
+Subject: NFS: make nfs_match_client killable
+
+[ Upstream commit 950a578c6128c2886e295b9c7ecb0b6b22fcc92b ]
+
+ Actually we don't do anything with return value from
+ nfs_wait_client_init_complete in nfs_match_client, as a
+ consequence if we get a fatal signal and client is not
+ fully initialised, we'll loop to "again" label
+
+ This has been proven to cause soft lockups on some scenarios
+ (no-carrier but configured network interfaces)
+
+Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/client.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/client.c b/fs/nfs/client.c
+index a98d64a6eda5c..65da2c105f434 100644
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -290,6 +290,7 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat
+ struct nfs_client *clp;
+ const struct sockaddr *sap = data->addr;
+ struct nfs_net *nn = net_generic(data->net, nfs_net_id);
++ int error;
+
+ again:
+ list_for_each_entry(clp, &nn->nfs_client_list, cl_share_link) {
+@@ -302,8 +303,10 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat
+ if (clp->cl_cons_state > NFS_CS_READY) {
+ atomic_inc(&clp->cl_count);
+ spin_unlock(&nn->nfs_client_lock);
+- nfs_wait_client_init_complete(clp);
++ error = nfs_wait_client_init_complete(clp);
+ nfs_put_client(clp);
++ if (error < 0)
++ return ERR_PTR(error);
+ spin_lock(&nn->nfs_client_lock);
+ goto again;
+ }
+@@ -413,6 +416,8 @@ struct nfs_client *nfs_get_client(const struct nfs_client_initdata *cl_init)
+ clp = nfs_match_client(cl_init);
+ if (clp) {
+ spin_unlock(&nn->nfs_client_lock);
++ if (IS_ERR(clp))
++ return clp;
+ if (new)
+ new->rpc_ops->free_client(new);
+ return nfs_found_client(cl_init, clp);
+--
+2.20.1
+
--- /dev/null
+From 538b9d0a201d93235ac5d59b2acb981b8a7ee41a Mon Sep 17 00:00:00 2001
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Thu, 14 Mar 2019 14:05:18 +0100
+Subject: phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode
+
+[ Upstream commit e6f32efb1b128344a2c7df9875bc1a1abaa1d395 ]
+
+On platforms where the MUSB and HCI controllers share PHY0, PHY passby
+is required when using the HCI controller with the PHY, but it must be
+disabled when the MUSB controller is used instead.
+
+Without this, PHY0 passby is always enabled, which results in broken
+peripheral mode on such platforms (e.g. H3/H5).
+
+Fixes: ba4bdc9e1dc0 ("PHY: sunxi: Add driver for sunxi usb phy")
+
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/allwinner/phy-sun4i-usb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/phy/allwinner/phy-sun4i-usb.c b/drivers/phy/allwinner/phy-sun4i-usb.c
+index 4d34dfb64998f..46d60a3bf2608 100644
+--- a/drivers/phy/allwinner/phy-sun4i-usb.c
++++ b/drivers/phy/allwinner/phy-sun4i-usb.c
+@@ -549,6 +549,7 @@ static void sun4i_usb_phy0_id_vbus_det_scan(struct work_struct *work)
+ struct sun4i_usb_phy_data *data =
+ container_of(work, struct sun4i_usb_phy_data, detect.work);
+ struct phy *phy0 = data->phys[0].phy;
++ struct sun4i_usb_phy *phy = phy_get_drvdata(phy0);
+ bool force_session_end, id_notify = false, vbus_notify = false;
+ int id_det, vbus_det;
+
+@@ -605,6 +606,9 @@ static void sun4i_usb_phy0_id_vbus_det_scan(struct work_struct *work)
+ mutex_unlock(&phy0->mutex);
+ }
+
++ /* Enable PHY0 passby for host mode only. */
++ sun4i_usb_phy_passby(phy, !id_det);
++
+ /* Re-route PHY0 if necessary */
+ if (data->cfg->phy0_dual_route)
+ sun4i_usb_phy0_reroute(data, id_det);
+--
+2.20.1
+
--- /dev/null
+From 1f85167f07788a5b1607d8bc5ea7d2902a1af434 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:19 +0800
+Subject: pinctrl: pistachio: fix leaked of_node references
+
+[ Upstream commit 44a4455ac2c6b0981eace683a2b6eccf47689022 ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-pistachio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-pistachio.c b/drivers/pinctrl/pinctrl-pistachio.c
+index 55375b1b3cc81..b2b7e238bda97 100644
+--- a/drivers/pinctrl/pinctrl-pistachio.c
++++ b/drivers/pinctrl/pinctrl-pistachio.c
+@@ -1368,6 +1368,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
+ if (!of_find_property(child, "gpio-controller", NULL)) {
+ dev_err(pctl->dev,
+ "No gpio-controller property for bank %u\n", i);
++ of_node_put(child);
+ ret = -ENODEV;
+ goto err;
+ }
+@@ -1375,6 +1376,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
+ irq = irq_of_parse_and_map(child, 0);
+ if (irq < 0) {
+ dev_err(pctl->dev, "No IRQ for bank %u: %d\n", i, irq);
++ of_node_put(child);
+ ret = irq;
+ goto err;
+ }
+--
+2.20.1
+
--- /dev/null
+From ecc56ae3914ffa6070aa095fb2fde6ef4704b62e Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:22 +0800
+Subject: pinctrl: samsung: fix leaked of_node references
+
+[ Upstream commit 44b9f86cd41db6c522effa5aec251d664a52fbc0 ]
+
+The call to of_find_compatible_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:76:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function.
+./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:82:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Tomasz Figa <tomasz.figa@gmail.com>
+Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Cc: Kukjin Kim <kgene@kernel.org>
+Cc: linux-samsung-soc@vger.kernel.org
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/samsung/pinctrl-exynos-arm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/samsung/pinctrl-exynos-arm.c b/drivers/pinctrl/samsung/pinctrl-exynos-arm.c
+index afeb4876ffb2c..07eb4f071fa87 100644
+--- a/drivers/pinctrl/samsung/pinctrl-exynos-arm.c
++++ b/drivers/pinctrl/samsung/pinctrl-exynos-arm.c
+@@ -76,6 +76,7 @@ s5pv210_retention_init(struct samsung_pinctrl_drv_data *drvdata,
+ }
+
+ clk_base = of_iomap(np, 0);
++ of_node_put(np);
+ if (!clk_base) {
+ pr_err("%s: failed to map clock registers\n", __func__);
+ return ERR_PTR(-EINVAL);
+--
+2.20.1
+
--- /dev/null
+From 8bbe598945e6b94feed274f7ebdc200ee3c09e9d Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:23 +0800
+Subject: pinctrl: zte: fix leaked of_node references
+
+[ Upstream commit 02d15f0d80720545f1f4922a1550ea4aaad4e152 ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/zte/pinctrl-zx.c:415:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+./drivers/pinctrl/zte/pinctrl-zx.c:422:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+./drivers/pinctrl/zte/pinctrl-zx.c:436:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+./drivers/pinctrl/zte/pinctrl-zx.c:444:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+./drivers/pinctrl/zte/pinctrl-zx.c:448:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Jun Nie <jun.nie@linaro.org>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/zte/pinctrl-zx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/zte/pinctrl-zx.c b/drivers/pinctrl/zte/pinctrl-zx.c
+index ded366bb6564d..91955e770236e 100644
+--- a/drivers/pinctrl/zte/pinctrl-zx.c
++++ b/drivers/pinctrl/zte/pinctrl-zx.c
+@@ -411,6 +411,7 @@ int zx_pinctrl_init(struct platform_device *pdev,
+ }
+
+ zpctl->aux_base = of_iomap(np, 0);
++ of_node_put(np);
+ if (!zpctl->aux_base)
+ return -ENOMEM;
+
+--
+2.20.1
+
--- /dev/null
+From cbc95c55b81f65f2778b05e49f3db92e577d6e1e Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 10 Apr 2019 11:55:16 +0200
+Subject: PM / core: Propagate dev->power.wakeup_path when no callbacks
+
+[ Upstream commit dc351d4c5f4fe4d0f274d6d660227be0c3a03317 ]
+
+The dev->power.direct_complete flag may become set in device_prepare() in
+case the device don't have any PM callbacks (dev->power.no_pm_callbacks is
+set). This leads to a broken behaviour, when there is child having wakeup
+enabled and relies on its parent to be used in the wakeup path.
+
+More precisely, when the direct complete path becomes selected for the
+child in __device_suspend(), the propagation of the dev->power.wakeup_path
+becomes skipped as well.
+
+Let's address this problem, by checking if the device is a part the wakeup
+path or has wakeup enabled, then prevent the direct complete path from
+being used.
+
+Reported-by: Loic Pallardy <loic.pallardy@st.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ rjw: Comment cleanup ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index d16b40cd26cc9..a30ff97632a54 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1485,6 +1485,10 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async)
+ if (dev->power.syscore)
+ goto Complete;
+
++ /* Avoid direct_complete to let wakeup_path propagate. */
++ if (device_may_wakeup(dev) || dev->power.wakeup_path)
++ dev->power.direct_complete = false;
++
+ if (dev->power.direct_complete) {
+ if (pm_runtime_status_suspended(dev)) {
+ pm_runtime_disable(dev);
+--
+2.20.1
+
--- /dev/null
+From fc10d71618f422d38854e9086e90fa903daefd77 Mon Sep 17 00:00:00 2001
+From: Russell Currey <ruscur@russell.cc>
+Date: Wed, 27 Mar 2019 14:35:54 +1100
+Subject: powerpc/64: Fix booting large kernels with STRICT_KERNEL_RWX
+
+[ Upstream commit 56c46bba9bbfe229b4472a5be313c44c5b714a39 ]
+
+With STRICT_KERNEL_RWX enabled anything marked __init is placed at a 16M
+boundary. This is necessary so that it can be repurposed later with
+different permissions. However, in kernels with text larger than 16M,
+this pushes early_setup past 32M, incapable of being reached by the
+branch instruction.
+
+Fix this by setting the CTR and branching there instead.
+
+Fixes: 1e0fc9d1eb2b ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs")
+Signed-off-by: Russell Currey <ruscur@russell.cc>
+[mpe: Fix it to work on BE by using DOTSYM()]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/head_64.S | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S
+index ff8511d6d8ead..4f2e18266e34a 100644
+--- a/arch/powerpc/kernel/head_64.S
++++ b/arch/powerpc/kernel/head_64.S
+@@ -961,7 +961,9 @@ start_here_multiplatform:
+
+ /* Restore parameters passed from prom_init/kexec */
+ mr r3,r31
+- bl early_setup /* also sets r13 and SPRG_PACA */
++ LOAD_REG_ADDR(r12, DOTSYM(early_setup))
++ mtctr r12
++ bctrl /* also sets r13 and SPRG_PACA */
+
+ LOAD_REG_ADDR(r3, start_here_common)
+ ld r4,PACAKMSR(r13)
+--
+2.20.1
+
--- /dev/null
+From 645b70f0ee9b7bbca32e9c8b72b6a84796b23257 Mon Sep 17 00:00:00 2001
+From: Bo YU <tsu.yubo@gmail.com>
+Date: Tue, 30 Oct 2018 09:21:55 -0400
+Subject: powerpc/boot: Fix missing check of lseek() return value
+
+[ Upstream commit 5d085ec04a000fefb5182d3b03ee46ca96d8389b ]
+
+This is detected by Coverity scan: CID: 1440481
+
+Signed-off-by: Bo YU <tsu.yubo@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/addnote.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c
+index 9d9f6f334d3cc..3da3e2b1b51bc 100644
+--- a/arch/powerpc/boot/addnote.c
++++ b/arch/powerpc/boot/addnote.c
+@@ -223,7 +223,11 @@ main(int ac, char **av)
+ PUT_16(E_PHNUM, np + 2);
+
+ /* write back */
+- lseek(fd, (long) 0, SEEK_SET);
++ i = lseek(fd, (long) 0, SEEK_SET);
++ if (i < 0) {
++ perror("lseek");
++ exit(1);
++ }
+ i = write(fd, buf, n);
+ if (i < 0) {
+ perror("write");
+--
+2.20.1
+
--- /dev/null
+From 0c50f3ff8515c968a5b32baee30c2a831004b58c Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathanl@linux.ibm.com>
+Date: Thu, 18 Apr 2019 13:56:57 -0500
+Subject: powerpc/numa: improve control of topology updates
+
+[ Upstream commit 2d4d9b308f8f8dec68f6dbbff18c68ec7c6bd26f ]
+
+When booted with "topology_updates=no", or when "off" is written to
+/proc/powerpc/topology_updates, NUMA reassignments are inhibited for
+PRRN and VPHN events. However, migration and suspend unconditionally
+re-enable reassignments via start_topology_update(). This is
+incoherent.
+
+Check the topology_updates_enabled flag in
+start/stop_topology_update() so that callers of those APIs need not be
+aware of whether reassignments are enabled. This allows the
+administrative decision on reassignments to remain in force across
+migrations and suspensions.
+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/numa.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
+index 0a02c73a27b3c..417ea6db7b1d2 100644
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1561,6 +1561,9 @@ int start_topology_update(void)
+ {
+ int rc = 0;
+
++ if (!topology_updates_enabled)
++ return 0;
++
+ if (firmware_has_feature(FW_FEATURE_PRRN)) {
+ if (!prrn_enabled) {
+ prrn_enabled = 1;
+@@ -1590,6 +1593,9 @@ int stop_topology_update(void)
+ {
+ int rc = 0;
+
++ if (!topology_updates_enabled)
++ return 0;
++
+ if (prrn_enabled) {
+ prrn_enabled = 0;
+ #ifdef CONFIG_SMP
+@@ -1635,11 +1641,13 @@ static ssize_t topology_write(struct file *file, const char __user *buf,
+
+ kbuf[read_len] = '\0';
+
+- if (!strncmp(kbuf, "on", 2))
++ if (!strncmp(kbuf, "on", 2)) {
++ topology_updates_enabled = true;
+ start_topology_update();
+- else if (!strncmp(kbuf, "off", 3))
++ } else if (!strncmp(kbuf, "off", 3)) {
+ stop_topology_update();
+- else
++ topology_updates_enabled = false;
++ } else
+ return -EINVAL;
+
+ return count;
+@@ -1654,9 +1662,7 @@ static const struct file_operations topology_ops = {
+
+ static int topology_update_init(void)
+ {
+- /* Do not poll for changes if disabled at boot */
+- if (topology_updates_enabled)
+- start_topology_update();
++ start_topology_update();
+
+ if (!proc_create("powerpc/topology_updates", 0644, NULL, &topology_ops))
+ return -ENOMEM;
+--
+2.20.1
+
--- /dev/null
+From c3b14222fc7a652e1d1ff3b4c7f1ecf47a427ec8 Mon Sep 17 00:00:00 2001
+From: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Date: Tue, 27 Nov 2018 13:54:52 +0530
+Subject: powerpc/perf: Return accordingly on invalid chip-id in
+
+[ Upstream commit a913e5e8b43be1d3897a141ce61c1ec071cad89c ]
+
+Nest hardware counter memory resides in a per-chip reserve-memory.
+During nest_imc_event_init(), chip-id of the event-cpu is considered to
+calculate the base memory addresss for that cpu. Return, proper error
+condition if the chip_id calculated is invalid.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 885dcd709ba91 ("powerpc/perf: Add nest IMC PMU support")
+Reviewed-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/imc-pmu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c
+index b73961b95c345..994e4392cac5c 100644
+--- a/arch/powerpc/perf/imc-pmu.c
++++ b/arch/powerpc/perf/imc-pmu.c
+@@ -481,6 +481,11 @@ static int nest_imc_event_init(struct perf_event *event)
+ * Get the base memory addresss for this cpu.
+ */
+ chip_id = cpu_to_chip_id(event->cpu);
++
++ /* Return, if chip_id is not valid */
++ if (chip_id < 0)
++ return -ENODEV;
++
+ pcni = pmu->mem_info;
+ do {
+ if (pcni->id == chip_id) {
+--
+2.20.1
+
--- /dev/null
+From d2109084ed2983530bf73af772c634d10518addc Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Sat, 20 Apr 2019 00:09:51 -0400
+Subject: random: add a spinlock_t to struct batched_entropy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit b7d5dc21072cda7124d13eae2aefb7343ef94197 ]
+
+The per-CPU variable batched_entropy_uXX is protected by get_cpu_var().
+This is just a preempt_disable() which ensures that the variable is only
+from the local CPU. It does not protect against users on the same CPU
+from another context. It is possible that a preemptible context reads
+slot 0 and then an interrupt occurs and the same value is read again.
+
+The above scenario is confirmed by lockdep if we add a spinlock:
+| ================================
+| WARNING: inconsistent lock state
+| 5.1.0-rc3+ #42 Not tainted
+| --------------------------------
+| inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
+| ksoftirqd/9/56 [HC0[0]:SC1[1]:HE0:SE0] takes:
+| (____ptrval____) (batched_entropy_u32.lock){+.?.}, at: get_random_u32+0x3e/0xe0
+| {SOFTIRQ-ON-W} state was registered at:
+| _raw_spin_lock+0x2a/0x40
+| get_random_u32+0x3e/0xe0
+| new_slab+0x15c/0x7b0
+| ___slab_alloc+0x492/0x620
+| __slab_alloc.isra.73+0x53/0xa0
+| kmem_cache_alloc_node+0xaf/0x2a0
+| copy_process.part.41+0x1e1/0x2370
+| _do_fork+0xdb/0x6d0
+| kernel_thread+0x20/0x30
+| kthreadd+0x1ba/0x220
+| ret_from_fork+0x3a/0x50
+…
+| other info that might help us debug this:
+| Possible unsafe locking scenario:
+|
+| CPU0
+| ----
+| lock(batched_entropy_u32.lock);
+| <Interrupt>
+| lock(batched_entropy_u32.lock);
+|
+| *** DEADLOCK ***
+|
+| stack backtrace:
+| Call Trace:
+…
+| kmem_cache_alloc_trace+0x20e/0x270
+| ipmi_alloc_recv_msg+0x16/0x40
+…
+| __do_softirq+0xec/0x48d
+| run_ksoftirqd+0x37/0x60
+| smpboot_thread_fn+0x191/0x290
+| kthread+0xfe/0x130
+| ret_from_fork+0x3a/0x50
+
+Add a spinlock_t to the batched_entropy data structure and acquire the
+lock while accessing it. Acquire the lock with disabled interrupts
+because this function may be used from interrupt context.
+
+Remove the batched_entropy_reset_lock lock. Now that we have a lock for
+the data scructure, we can access it from a remote CPU.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/random.c | 52 ++++++++++++++++++++++---------------------
+ 1 file changed, 27 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index ea4dbfa306574..e6efa07e9f9ea 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2188,8 +2188,8 @@ struct batched_entropy {
+ u32 entropy_u32[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+ };
+ unsigned int position;
++ spinlock_t batch_lock;
+ };
+-static rwlock_t batched_entropy_reset_lock = __RW_LOCK_UNLOCKED(batched_entropy_reset_lock);
+
+ /*
+ * Get a random word for internal kernel use only. The quality of the random
+@@ -2199,12 +2199,14 @@ static rwlock_t batched_entropy_reset_lock = __RW_LOCK_UNLOCKED(batched_entropy_
+ * wait_for_random_bytes() should be called and return 0 at least once
+ * at any point prior.
+ */
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64);
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
++ .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),
++};
++
+ u64 get_random_u64(void)
+ {
+ u64 ret;
+- bool use_lock;
+- unsigned long flags = 0;
++ unsigned long flags;
+ struct batched_entropy *batch;
+ static void *previous;
+
+@@ -2219,28 +2221,25 @@ u64 get_random_u64(void)
+
+ warn_unseeded_randomness(&previous);
+
+- use_lock = READ_ONCE(crng_init) < 2;
+- batch = &get_cpu_var(batched_entropy_u64);
+- if (use_lock)
+- read_lock_irqsave(&batched_entropy_reset_lock, flags);
++ batch = raw_cpu_ptr(&batched_entropy_u64);
++ spin_lock_irqsave(&batch->batch_lock, flags);
+ if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
+ extract_crng((u8 *)batch->entropy_u64);
+ batch->position = 0;
+ }
+ ret = batch->entropy_u64[batch->position++];
+- if (use_lock)
+- read_unlock_irqrestore(&batched_entropy_reset_lock, flags);
+- put_cpu_var(batched_entropy_u64);
++ spin_unlock_irqrestore(&batch->batch_lock, flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(get_random_u64);
+
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32);
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
++ .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock),
++};
+ u32 get_random_u32(void)
+ {
+ u32 ret;
+- bool use_lock;
+- unsigned long flags = 0;
++ unsigned long flags;
+ struct batched_entropy *batch;
+ static void *previous;
+
+@@ -2249,18 +2248,14 @@ u32 get_random_u32(void)
+
+ warn_unseeded_randomness(&previous);
+
+- use_lock = READ_ONCE(crng_init) < 2;
+- batch = &get_cpu_var(batched_entropy_u32);
+- if (use_lock)
+- read_lock_irqsave(&batched_entropy_reset_lock, flags);
++ batch = raw_cpu_ptr(&batched_entropy_u32);
++ spin_lock_irqsave(&batch->batch_lock, flags);
+ if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
+ extract_crng((u8 *)batch->entropy_u32);
+ batch->position = 0;
+ }
+ ret = batch->entropy_u32[batch->position++];
+- if (use_lock)
+- read_unlock_irqrestore(&batched_entropy_reset_lock, flags);
+- put_cpu_var(batched_entropy_u32);
++ spin_unlock_irqrestore(&batch->batch_lock, flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(get_random_u32);
+@@ -2274,12 +2269,19 @@ static void invalidate_batched_entropy(void)
+ int cpu;
+ unsigned long flags;
+
+- write_lock_irqsave(&batched_entropy_reset_lock, flags);
+ for_each_possible_cpu (cpu) {
+- per_cpu_ptr(&batched_entropy_u32, cpu)->position = 0;
+- per_cpu_ptr(&batched_entropy_u64, cpu)->position = 0;
++ struct batched_entropy *batched_entropy;
++
++ batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu);
++ spin_lock_irqsave(&batched_entropy->batch_lock, flags);
++ batched_entropy->position = 0;
++ spin_unlock(&batched_entropy->batch_lock);
++
++ batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu);
++ spin_lock(&batched_entropy->batch_lock);
++ batched_entropy->position = 0;
++ spin_unlock_irqrestore(&batched_entropy->batch_lock, flags);
+ }
+- write_unlock_irqrestore(&batched_entropy_reset_lock, flags);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 4a98bee6d5448ece2e8f0c578da6e78c08e49f3f Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Date: Thu, 21 Mar 2019 10:26:41 -0700
+Subject: rcuperf: Fix cleanup path for invalid perf_type strings
+
+[ Upstream commit ad092c027713a68a34168942a5ef422e42e039f4 ]
+
+If the specified rcuperf.perf_type is not in the rcu_perf_init()
+function's perf_ops[] array, rcuperf prints some console messages and
+then invokes rcu_perf_cleanup() to set state so that a future torture
+test can run. However, rcu_perf_cleanup() also attempts to end the
+test that didn't actually start, and in doing so relies on the value
+of cur_ops, a value that is not particularly relevant in this case.
+This can result in confusing output or even follow-on failures due to
+attempts to use facilities that have not been properly initialized.
+
+This commit therefore sets the value of cur_ops to NULL in this case and
+inserts a check near the beginning of rcu_perf_cleanup(), thus avoiding
+relying on an irrelevant cur_ops value.
+
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/rcuperf.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/rcu/rcuperf.c b/kernel/rcu/rcuperf.c
+index 1f87a02c33999..9b0d38812eb62 100644
+--- a/kernel/rcu/rcuperf.c
++++ b/kernel/rcu/rcuperf.c
+@@ -542,6 +542,10 @@ rcu_perf_cleanup(void)
+
+ if (torture_cleanup_begin())
+ return;
++ if (!cur_ops) {
++ torture_cleanup_end();
++ return;
++ }
+
+ if (reader_tasks) {
+ for (i = 0; i < nrealreaders; i++)
+@@ -663,6 +667,7 @@ rcu_perf_init(void)
+ pr_alert(" %s", perf_ops[i]->name);
+ pr_alert("\n");
+ firsterr = -EINVAL;
++ cur_ops = NULL;
+ goto unwind;
+ }
+ if (cur_ops->init)
+--
+2.20.1
+
--- /dev/null
+From c61740f1a09e4185c07821003d15b1923e505eae Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Date: Thu, 21 Mar 2019 09:27:28 -0700
+Subject: rcutorture: Fix cleanup path for invalid torture_type strings
+
+[ Upstream commit b813afae7ab6a5e91b4e16cc567331d9c2ae1f04 ]
+
+If the specified rcutorture.torture_type is not in the rcu_torture_init()
+function's torture_ops[] array, rcutorture prints some console messages
+and then invokes rcu_torture_cleanup() to set state so that a future
+torture test can run. However, rcu_torture_cleanup() also attempts to
+end the test that didn't actually start, and in doing so relies on the
+value of cur_ops, a value that is not particularly relevant in this case.
+This can result in confusing output or even follow-on failures due to
+attempts to use facilities that have not been properly initialized.
+
+This commit therefore sets the value of cur_ops to NULL in this case
+and inserts a check near the beginning of rcu_torture_cleanup(),
+thus avoiding relying on an irrelevant cur_ops value.
+
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/rcutorture.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
+index 45f2ffbc1e78e..f0c599bf4058c 100644
+--- a/kernel/rcu/rcutorture.c
++++ b/kernel/rcu/rcutorture.c
+@@ -1599,6 +1599,10 @@ rcu_torture_cleanup(void)
+ cur_ops->cb_barrier();
+ return;
+ }
++ if (!cur_ops) {
++ torture_cleanup_end();
++ return;
++ }
+
+ rcu_torture_barrier_cleanup();
+ torture_stop_kthread(rcu_torture_stall, stall_task);
+@@ -1734,6 +1738,7 @@ rcu_torture_init(void)
+ pr_alert(" %s", torture_ops[i]->name);
+ pr_alert("\n");
+ firsterr = -EINVAL;
++ cur_ops = NULL;
+ goto unwind;
+ }
+ if (cur_ops->fqs == NULL && fqs_duration != 0) {
+--
+2.20.1
+
--- /dev/null
+From f27f08d9ea6d623006fca355211cee8ff411ffdf Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Wed, 10 Apr 2019 11:23:04 +0300
+Subject: RDMA/cma: Consider scope_id while binding to ipv6 ll address
+
+[ Upstream commit 5d7ed2f27bbd482fd29e6b2e204b1a1ee8a0b268 ]
+
+When two netdev have same link local addresses (such as vlan and non
+vlan), two rdma cm listen id should be able to bind to following different
+addresses.
+
+listener-1: addr=lla, scope_id=A, port=X
+listener-2: addr=lla, scope_id=B, port=X
+
+However while comparing the addresses only addr and port are considered,
+due to which 2nd listener fails to listen.
+
+In below example of two listeners, 2nd listener is failing with address in
+use error.
+
+$ rping -sv -a fe80::268a:7ff:feb3:d113%ens2f1 -p 4545&
+
+$ rping -sv -a fe80::268a:7ff:feb3:d113%ens2f1.200 -p 4545
+rdma_bind_addr: Address already in use
+
+To overcome this, consider the scope_ids as well which forms the accurate
+IPv6 link local address.
+
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 7c5eca312aa88..620e2ec92bb5a 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1076,18 +1076,31 @@ static inline int cma_any_addr(struct sockaddr *addr)
+ return cma_zero_addr(addr) || cma_loopback_addr(addr);
+ }
+
+-static int cma_addr_cmp(struct sockaddr *src, struct sockaddr *dst)
++static int cma_addr_cmp(const struct sockaddr *src, const struct sockaddr *dst)
+ {
+ if (src->sa_family != dst->sa_family)
+ return -1;
+
+ switch (src->sa_family) {
+ case AF_INET:
+- return ((struct sockaddr_in *) src)->sin_addr.s_addr !=
+- ((struct sockaddr_in *) dst)->sin_addr.s_addr;
+- case AF_INET6:
+- return ipv6_addr_cmp(&((struct sockaddr_in6 *) src)->sin6_addr,
+- &((struct sockaddr_in6 *) dst)->sin6_addr);
++ return ((struct sockaddr_in *)src)->sin_addr.s_addr !=
++ ((struct sockaddr_in *)dst)->sin_addr.s_addr;
++ case AF_INET6: {
++ struct sockaddr_in6 *src_addr6 = (struct sockaddr_in6 *)src;
++ struct sockaddr_in6 *dst_addr6 = (struct sockaddr_in6 *)dst;
++ bool link_local;
++
++ if (ipv6_addr_cmp(&src_addr6->sin6_addr,
++ &dst_addr6->sin6_addr))
++ return 1;
++ link_local = ipv6_addr_type(&dst_addr6->sin6_addr) &
++ IPV6_ADDR_LINKLOCAL;
++ /* Link local must match their scope_ids */
++ return link_local ? (src_addr6->sin6_scope_id !=
++ dst_addr6->sin6_scope_id) :
++ 0;
++ }
++
+ default:
+ return ib_addr_cmp(&((struct sockaddr_ib *) src)->sib_addr,
+ &((struct sockaddr_ib *) dst)->sib_addr);
+--
+2.20.1
+
--- /dev/null
+From e9595818776430d00f9ac6e25fe182237818df57 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 13 Apr 2019 17:00:26 +0100
+Subject: RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
+
+[ Upstream commit a6d2a5a92e67d151c98886babdc86d530d27111c ]
+
+Currently if alloc_skb fails to allocate the skb a null skb is passed to
+t4_set_arp_err_handler and this ends up dereferencing the null skb. Avoid
+the NULL pointer dereference by checking for a NULL skb and returning
+early.
+
+Addresses-Coverity: ("Dereference null return")
+Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index e17f11782821b..d87f08cd78ad4 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -456,6 +456,8 @@ static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
+ skb_reset_transport_header(skb);
+ } else {
+ skb = alloc_skb(len, gfp);
++ if (!skb)
++ return NULL;
+ }
+ t4_set_arp_err_handler(skb, NULL, NULL);
+ return skb;
+--
+2.20.1
+
--- /dev/null
+From f21762219b55e5bbc5a4b825f8d0f8dfc0d6fd39 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 19 Mar 2019 11:10:08 +0200
+Subject: RDMA/hns: Fix bad endianess of port_pd variable
+
+[ Upstream commit 6734b2973565e36659e97e12ab0d0faf1d9f3fbe ]
+
+port_pd is treated as le32 in declaration and read, fix assignment to be
+in le32 too. This change fixes the following compilation warnings.
+
+drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: warning: incorrect type
+in assignment (different base types)
+drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: expected restricted __le32 [usertype] port_pd
+drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: got restricted __be32 [usertype]
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Gal Pressman <galpress@amazon.com>
+Reviewed-by: Lijun Ou <ouliun@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_ah.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c
+index d545302b8ef8c..0cdd4492811bb 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_ah.c
++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c
+@@ -91,7 +91,7 @@ struct ib_ah *hns_roce_create_ah(struct ib_pd *ibpd,
+ HNS_ROCE_VLAN_SL_BIT_MASK) <<
+ HNS_ROCE_VLAN_SL_SHIFT;
+
+- ah->av.port_pd = cpu_to_be32(to_hr_pd(ibpd)->pdn |
++ ah->av.port_pd = cpu_to_le32(to_hr_pd(ibpd)->pdn |
+ (rdma_ah_get_port_num(ah_attr) <<
+ HNS_ROCE_PORT_NUM_SHIFT));
+ ah->av.gid_index = grh->sgid_index;
+--
+2.20.1
+
--- /dev/null
+From 056ff6e8117c3d9dab361f8468b1717b006783cb Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Fri, 26 Apr 2019 14:36:35 -0400
+Subject: rtc: 88pm860x: prevent use-after-free on device remove
+
+[ Upstream commit f22b1ba15ee5785aa028384ebf77dd39e8e47b70 ]
+
+The device's remove() attempts to shut down the delayed_work scheduled
+on the kernel-global workqueue by calling flush_scheduled_work().
+
+Unfortunately, flush_scheduled_work() does not prevent the delayed_work
+from re-scheduling itself. The delayed_work might run after the device
+has been removed, and touch the already de-allocated info structure.
+This is a potential use-after-free.
+
+Fix by calling cancel_delayed_work_sync() during remove(): this ensures
+that the delayed work is properly cancelled, is no longer running, and
+is not able to re-schedule itself.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-88pm860x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c
+index 19e53b3b8e005..166faae3a59cd 100644
+--- a/drivers/rtc/rtc-88pm860x.c
++++ b/drivers/rtc/rtc-88pm860x.c
+@@ -414,7 +414,7 @@ static int pm860x_rtc_remove(struct platform_device *pdev)
+ struct pm860x_rtc_info *info = platform_get_drvdata(pdev);
+
+ #ifdef VRTC_CALIBRATION
+- flush_scheduled_work();
++ cancel_delayed_work_sync(&info->calib_work);
+ /* disable measurement */
+ pm860x_set_bits(info->i2c, PM8607_MEAS_EN2, MEAS2_VRTC, 0);
+ #endif /* VRTC_CALIBRATION */
+--
+2.20.1
+
--- /dev/null
+From 0172ef994d2795e3f86cc63038bd50e28ec04b17 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 20 Mar 2019 13:32:27 +0100
+Subject: rtc: xgene: fix possible race condition
+
+[ Upstream commit a652e00ee1233e251a337c28e18a1da59224e5ce ]
+
+The IRQ is requested before the struct rtc is allocated and registered, but
+this struct is used in the IRQ handler. This may lead to a NULL pointer
+dereference.
+
+Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
+struct before requesting the IRQ.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-xgene.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/rtc/rtc-xgene.c b/drivers/rtc/rtc-xgene.c
+index 65b432a096fe2..f68f84205b48d 100644
+--- a/drivers/rtc/rtc-xgene.c
++++ b/drivers/rtc/rtc-xgene.c
+@@ -163,6 +163,10 @@ static int xgene_rtc_probe(struct platform_device *pdev)
+ if (IS_ERR(pdata->csr_base))
+ return PTR_ERR(pdata->csr_base);
+
++ pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
++ if (IS_ERR(pdata->rtc))
++ return PTR_ERR(pdata->rtc);
++
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0) {
+ dev_err(&pdev->dev, "No IRQ resource\n");
+@@ -187,15 +191,15 @@ static int xgene_rtc_probe(struct platform_device *pdev)
+
+ device_init_wakeup(&pdev->dev, 1);
+
+- pdata->rtc = devm_rtc_device_register(&pdev->dev, pdev->name,
+- &xgene_rtc_ops, THIS_MODULE);
+- if (IS_ERR(pdata->rtc)) {
+- clk_disable_unprepare(pdata->clk);
+- return PTR_ERR(pdata->rtc);
+- }
+-
+ /* HW does not support update faster than 1 seconds */
+ pdata->rtc->uie_unsupported = 1;
++ pdata->rtc->ops = &xgene_rtc_ops;
++
++ ret = rtc_register_device(pdata->rtc);
++ if (ret) {
++ clk_disable_unprepare(pdata->clk);
++ return ret;
++ }
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 07b8e784e5e306f0500c74b8782a6a0b40d34594 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 02:56:33 -0500
+Subject: rtlwifi: fix a potential NULL pointer dereference
+
+[ Upstream commit 765976285a8c8db3f0eb7f033829a899d0c2786e ]
+
+In case alloc_workqueue fails, the fix reports the error and
+returns to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
+index ec82c1c3f12e4..4a3c713ad3247 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -468,6 +468,11 @@ static void _rtl_init_deferred_work(struct ieee80211_hw *hw)
+ /* <2> work queue */
+ rtlpriv->works.hw = hw;
+ rtlpriv->works.rtl_wq = alloc_workqueue("%s", 0, 0, rtlpriv->cfg->name);
++ if (unlikely(!rtlpriv->works.rtl_wq)) {
++ pr_err("Failed to allocate work queue\n");
++ return;
++ }
++
+ INIT_DELAYED_WORK(&rtlpriv->works.watchdog_wq,
+ (void *)rtl_watchdog_wq_callback);
+ INIT_DELAYED_WORK(&rtlpriv->works.ips_nic_off_wq,
+--
+2.20.1
+
--- /dev/null
+From 564d784861d4d779b36da88a9d0914e9c17ca2ee Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Tue, 12 Mar 2019 17:06:48 +0800
+Subject: rtlwifi: fix potential NULL pointer dereference
+
+[ Upstream commit 60209d482b97743915883d293c8b85226d230c19 ]
+
+In case dev_alloc_skb fails, the fix safely returns to avoid
+potential NULL pointer dereference.
+
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c | 4 ++++
+ 6 files changed, 14 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c
+index a2eca669873b6..726d3d5fa2ef9 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c
+@@ -620,6 +620,8 @@ void rtl88e_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
+index 015476e3f7e54..b7c1d7cc4f459 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
+@@ -647,6 +647,8 @@ void rtl92c_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ if (cmd_send_packet)
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
+index f9563ae301ad2..45808ab025d1e 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
+@@ -766,6 +766,8 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
+index bf9859f74b6f5..52f108744e969 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
+@@ -470,6 +470,8 @@ void rtl8723e_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
+index 4b963fd27d646..b444b27263c32 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
+@@ -584,6 +584,8 @@ void rtl8723be_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+ u1rsvdpageloc, sizeof(u1rsvdpageloc));
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
+index f2b2c549e5b27..53a7ef29fce61 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
+@@ -1645,6 +1645,8 @@ void rtl8812ae_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+ &reserved_page_packet_8812[0], totalpacketlen);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet_8812, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+@@ -1781,6 +1783,8 @@ void rtl8821ae_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+ &reserved_page_packet_8821[0], totalpacketlen);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet_8821, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+--
+2.20.1
+
--- /dev/null
+From 9e8fc0b93e4b3583f009671b1ee76bfc9ee3cb6b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 8 Apr 2019 23:26:20 +0200
+Subject: s390: cio: fix cio_irb declaration
+
+[ Upstream commit e91012ee855ad9f5ef2ab106a3de51db93fe4d0c ]
+
+clang points out that the declaration of cio_irb does not match the
+definition exactly, it is missing the alignment attribute:
+
+../drivers/s390/cio/cio.c:50:1: warning: section does not match previous declaration [-Wsection]
+DEFINE_PER_CPU_ALIGNED(struct irb, cio_irb);
+^
+../include/linux/percpu-defs.h:150:2: note: expanded from macro 'DEFINE_PER_CPU_ALIGNED'
+ DEFINE_PER_CPU_SECTION(type, name, PER_CPU_ALIGNED_SECTION) \
+ ^
+../include/linux/percpu-defs.h:93:9: note: expanded from macro 'DEFINE_PER_CPU_SECTION'
+ extern __PCPU_ATTRS(sec) __typeof__(type) name; \
+ ^
+../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS'
+ __percpu __attribute__((section(PER_CPU_BASE_SECTION sec))) \
+ ^
+../drivers/s390/cio/cio.h:118:1: note: previous attribute is here
+DECLARE_PER_CPU(struct irb, cio_irb);
+^
+../include/linux/percpu-defs.h:111:2: note: expanded from macro 'DECLARE_PER_CPU'
+ DECLARE_PER_CPU_SECTION(type, name, "")
+ ^
+../include/linux/percpu-defs.h:87:9: note: expanded from macro 'DECLARE_PER_CPU_SECTION'
+ extern __PCPU_ATTRS(sec) __typeof__(type) name
+ ^
+../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS'
+ __percpu __attribute__((section(PER_CPU_BASE_SECTION sec))) \
+ ^
+Use DECLARE_PER_CPU_ALIGNED() here, to make the two match.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/cio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h
+index 94cd813bdcfef..d23d43cf9cbca 100644
+--- a/drivers/s390/cio/cio.h
++++ b/drivers/s390/cio/cio.h
+@@ -115,7 +115,7 @@ struct subchannel {
+ struct schib_config config;
+ } __attribute__ ((aligned(8)));
+
+-DECLARE_PER_CPU(struct irb, cio_irb);
++DECLARE_PER_CPU_ALIGNED(struct irb, cio_irb);
+
+ #define to_subchannel(n) container_of(n, struct subchannel, dev)
+
+--
+2.20.1
+
--- /dev/null
+From ef17f46e64cf0626097467525fddee287131fe08 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 8 Apr 2019 23:26:18 +0200
+Subject: s390: zcrypt: initialize variables before_use
+
+[ Upstream commit 913140e221567b3ecd21b4242257a7e3fa279026 ]
+
+The 'func_code' variable gets printed in debug statements without
+a prior initialization in multiple functions, as reported when building
+with clang:
+
+drivers/s390/crypto/zcrypt_api.c:659:6: warning: variable 'func_code' is used uninitialized whenever 'if' condition is true
+ [-Wsometimes-uninitialized]
+ if (mex->outputdatalength < mex->inputdatalength) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/s390/crypto/zcrypt_api.c:725:29: note: uninitialized use occurs here
+ trace_s390_zcrypt_rep(mex, func_code, rc,
+ ^~~~~~~~~
+drivers/s390/crypto/zcrypt_api.c:659:2: note: remove the 'if' if its condition is always false
+ if (mex->outputdatalength < mex->inputdatalength) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/s390/crypto/zcrypt_api.c:654:24: note: initialize the variable 'func_code' to silence this warning
+ unsigned int func_code;
+ ^
+
+Add initializations to all affected code paths to shut up the warning
+and make the warning output consistent.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_api.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
+index a9a56aa9c26b7..3743828106db8 100644
+--- a/drivers/s390/crypto/zcrypt_api.c
++++ b/drivers/s390/crypto/zcrypt_api.c
+@@ -237,6 +237,7 @@ static long zcrypt_rsa_modexpo(struct ica_rsa_modexpo *mex)
+ trace_s390_zcrypt_req(mex, TP_ICARSAMODEXPO);
+
+ if (mex->outputdatalength < mex->inputdatalength) {
++ func_code = 0;
+ rc = -EINVAL;
+ goto out;
+ }
+@@ -311,6 +312,7 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt)
+ trace_s390_zcrypt_req(crt, TP_ICARSACRT);
+
+ if (crt->outputdatalength < crt->inputdatalength) {
++ func_code = 0;
+ rc = -EINVAL;
+ goto out;
+ }
+@@ -492,6 +494,7 @@ static long zcrypt_send_ep11_cprb(struct ep11_urb *xcrb)
+
+ targets = kcalloc(target_num, sizeof(*targets), GFP_KERNEL);
+ if (!targets) {
++ func_code = 0;
+ rc = -ENOMEM;
+ goto out;
+ }
+@@ -499,6 +502,7 @@ static long zcrypt_send_ep11_cprb(struct ep11_urb *xcrb)
+ uptr = (struct ep11_target_dev __force __user *) xcrb->targets;
+ if (copy_from_user(targets, uptr,
+ target_num * sizeof(*targets))) {
++ func_code = 0;
+ rc = -EFAULT;
+ goto out;
+ }
+--
+2.20.1
+
--- /dev/null
+From 8178d89e6da41445ac491f33870c172e727c3323 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 27 Feb 2019 11:10:20 +0300
+Subject: sched/core: Check quota and period overflow at usec to nsec
+ conversion
+
+[ Upstream commit 1a8b4540db732ca16c9e43ac7c08b1b8f0b252d8 ]
+
+Large values could overflow u64 and pass following sanity checks.
+
+ # echo 18446744073750000 > cpu.cfs_period_us
+ # cat cpu.cfs_period_us
+ 40448
+
+ # echo 18446744073750000 > cpu.cfs_quota_us
+ # cat cpu.cfs_quota_us
+ 40448
+
+After this patch they will fail with -EINVAL.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/155125502079.293431.3947497929372138600.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 0552ddbb25e2a..2464a242d6c9d 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -6482,8 +6482,10 @@ int tg_set_cfs_quota(struct task_group *tg, long cfs_quota_us)
+ period = ktime_to_ns(tg->cfs_bandwidth.period);
+ if (cfs_quota_us < 0)
+ quota = RUNTIME_INF;
+- else
++ else if ((u64)cfs_quota_us <= U64_MAX / NSEC_PER_USEC)
+ quota = (u64)cfs_quota_us * NSEC_PER_USEC;
++ else
++ return -EINVAL;
+
+ return tg_set_cfs_bandwidth(tg, period, quota);
+ }
+@@ -6505,6 +6507,9 @@ int tg_set_cfs_period(struct task_group *tg, long cfs_period_us)
+ {
+ u64 quota, period;
+
++ if ((u64)cfs_period_us > U64_MAX / NSEC_PER_USEC)
++ return -EINVAL;
++
+ period = (u64)cfs_period_us * NSEC_PER_USEC;
+ quota = tg->cfs_bandwidth.quota;
+
+--
+2.20.1
+
--- /dev/null
+From a242e1c718700bb869747ef8bd9868a6d0e6601d Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 27 Feb 2019 11:10:18 +0300
+Subject: sched/core: Handle overflow in cpu_shares_write_u64
+
+[ Upstream commit 5b61d50ab4ef590f5e1d4df15cd2cea5f5715308 ]
+
+Bit shift in scale_load() could overflow shares. This patch saturates
+it to MAX_SHARES like following sched_group_set_shares().
+
+Example:
+
+ # echo 9223372036854776832 > cpu.shares
+ # cat cpu.shares
+
+Before patch: 1024
+After pattch: 262144
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/155125501891.293431.3345233332801109696.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 2464a242d6c9d..b3ff73d6a4c23 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -6380,6 +6380,8 @@ static void cpu_cgroup_attach(struct cgroup_taskset *tset)
+ static int cpu_shares_write_u64(struct cgroup_subsys_state *css,
+ struct cftype *cftype, u64 shareval)
+ {
++ if (shareval > scale_load_down(ULONG_MAX))
++ shareval = MAX_SHARES;
+ return sched_group_set_shares(css_tg(css), scale_load(shareval));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From c5fbe7666560419da55c214ed215f3f64ccf0f6b Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Tue, 30 Apr 2019 11:35:52 +0530
+Subject: sched/cpufreq: Fix kobject memleak
+
+[ Upstream commit 9a4f26cc98d81b67ecc23b890c28e2df324e29f3 ]
+
+Currently the error return path from kobject_init_and_add() is not
+followed by a call to kobject_put() - which means we are leaking
+the kobject.
+
+Fix it by adding a call to kobject_put() in the error path of
+kobject_init_and_add().
+
+Signed-off-by: Tobin C. Harding <tobin@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tobin C. Harding <tobin@kernel.org>
+Cc: Vincent Guittot <vincent.guittot@linaro.org>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Link: http://lkml.kernel.org/r/20190430001144.24890-1-tobin@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 1 +
+ drivers/cpufreq/cpufreq_governor.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 9f5c51cd67ad9..fceb18d26db8e 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1101,6 +1101,7 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
+ cpufreq_global_kobject, "policy%u", cpu);
+ if (ret) {
+ pr_err("%s: failed to init policy->kobj: %d\n", __func__, ret);
++ kobject_put(&policy->kobj);
+ goto err_free_real_cpus;
+ }
+
+diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
+index 6a16d22bc6043..146237aab395d 100644
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -459,6 +459,8 @@ int cpufreq_dbs_governor_init(struct cpufreq_policy *policy)
+ /* Failure, so roll back. */
+ pr_err("initialization failed (dbs_data kobject init error %d)\n", ret);
+
++ kobject_put(&dbs_data->attr_set.kobj);
++
+ policy->governor_data = NULL;
+
+ if (!have_governor_per_policy())
+--
+2.20.1
+
--- /dev/null
+From f6162292260db581c28ad811c2371f4f7ee30176 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 27 Feb 2019 11:10:17 +0300
+Subject: sched/rt: Check integer overflow at usec to nsec conversion
+
+[ Upstream commit 1a010e29cfa00fee2888fd2fd4983f848cbafb58 ]
+
+Example of unhandled overflows:
+
+ # echo 18446744073709651 > cpu.rt_runtime_us
+ # cat cpu.rt_runtime_us
+ 99
+
+ # echo 18446744073709900 > cpu.rt_period_us
+ # cat cpu.rt_period_us
+ 348
+
+After this patch they will fail with -EINVAL.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/155125501739.293431.5252197504404771496.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/rt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
+index cb9a5b8532fa5..cc7dd1aaf08e3 100644
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -2533,6 +2533,8 @@ int sched_group_set_rt_runtime(struct task_group *tg, long rt_runtime_us)
+ rt_runtime = (u64)rt_runtime_us * NSEC_PER_USEC;
+ if (rt_runtime_us < 0)
+ rt_runtime = RUNTIME_INF;
++ else if ((u64)rt_runtime_us > U64_MAX / NSEC_PER_USEC)
++ return -EINVAL;
+
+ return tg_set_rt_bandwidth(tg, rt_period, rt_runtime);
+ }
+@@ -2553,6 +2555,9 @@ int sched_group_set_rt_period(struct task_group *tg, u64 rt_period_us)
+ {
+ u64 rt_runtime, rt_period;
+
++ if (rt_period_us > U64_MAX / NSEC_PER_USEC)
++ return -EINVAL;
++
+ rt_period = rt_period_us * NSEC_PER_USEC;
+ rt_runtime = tg->rt_bandwidth.rt_runtime;
+
+--
+2.20.1
+
--- /dev/null
+From a923f282b45d308d63b794f75b9bb43c2fd7c810 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Fri, 12 Apr 2019 16:57:56 +0800
+Subject: scsi: libsas: Do discovery on empty PHY to update PHY info
+
+[ Upstream commit d8649fc1c5e40e691d589ed825998c36a947491c ]
+
+When we discover the PHY is empty in sas_rediscover_dev(), the PHY
+information (like negotiated linkrate) is not updated.
+
+As such, for a user examining sysfs for that PHY, they would see
+incorrect values:
+
+root@(none)$ cd /sys/class/sas_phy/phy-0:0:20
+root@(none)$ more negotiated_linkrate
+3.0 Gbit
+root@(none)$ echo 0 > enable
+root@(none)$ more negotiated_linkrate
+3.0 Gbit
+
+So fix this, simply discover the PHY again, even though we know it's empty;
+in the above example, this gives us:
+
+root@(none)$ more negotiated_linkrate
+Phy disabled
+
+We must do this after unregistering the device associated with the PHY
+(in sas_unregister_devs_sas_addr()).
+
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 1c0d2784574aa..ffea620a147d4 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -2038,6 +2038,11 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id, bool last)
+ if ((SAS_ADDR(sas_addr) == 0) || (res == -ECOMM)) {
+ phy->phy_state = PHY_EMPTY;
+ sas_unregister_devs_sas_addr(dev, phy_id, last);
++ /*
++ * Even though the PHY is empty, for convenience we discover
++ * the PHY to update the PHY info, like negotiated linkrate.
++ */
++ sas_ex_phy_discover(dev, phy_id);
+ return res;
+ } else if (SAS_ADDR(sas_addr) == SAS_ADDR(phy->attached_sas_addr) &&
+ dev_type_flutter(type, phy->attached_dev_type)) {
+--
+2.20.1
+
--- /dev/null
+From 37fe01b8f1959df054cf9b9db9990f53eebe8e3a Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:21 -0700
+Subject: scsi: lpfc: Fix fc4type information for FDMI
+
+[ Upstream commit 32a80c093b524a0682f1c6166c910387b116ffce ]
+
+The driver is reporting support for NVME even when not configured for NVME
+operation.
+
+Fix (and make more readable) when NVME protocol support is indicated.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_ct.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
+index 54664a07d92ec..601a4ee60de85 100644
+--- a/drivers/scsi/lpfc/lpfc_ct.c
++++ b/drivers/scsi/lpfc/lpfc_ct.c
+@@ -2092,10 +2092,11 @@ lpfc_fdmi_port_attr_fc4type(struct lpfc_vport *vport,
+ ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ memset(ae, 0, 32);
+
+- ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */
+- ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */
+- ae->un.AttrTypes[6] = 0x01; /* Type 40 - NVME */
+- ae->un.AttrTypes[7] = 0x01; /* Type 32 - CT */
++ ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */
++ ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */
++ if (vport->nvmei_support || vport->phba->nvmet_support)
++ ae->un.AttrTypes[6] = 0x01; /* Type 0x28 - NVME */
++ ae->un.AttrTypes[7] = 0x01; /* Type 0x20 - CT */
+ size = FOURBYTES + 32;
+ ad->AttrLen = cpu_to_be16(size);
+ ad->AttrType = cpu_to_be16(RPRT_SUPPORTED_FC4_TYPES);
+@@ -2395,9 +2396,11 @@ lpfc_fdmi_port_attr_active_fc4type(struct lpfc_vport *vport,
+ ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ memset(ae, 0, 32);
+
+- ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */
+- ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */
+- ae->un.AttrTypes[7] = 0x01; /* Type 32 - CT */
++ ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */
++ ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */
++ if (vport->phba->cfg_enable_fc4_type & LPFC_ENABLE_NVME)
++ ae->un.AttrTypes[6] = 0x1; /* Type 0x28 - NVME */
++ ae->un.AttrTypes[7] = 0x01; /* Type 0x20 - CT */
+ size = FOURBYTES + 32;
+ ad->AttrLen = cpu_to_be16(size);
+ ad->AttrType = cpu_to_be16(RPRT_ACTIVE_FC4_TYPES);
+--
+2.20.1
+
--- /dev/null
+From bfcb1e87628951fa35b41f1e487cb1870860f78e Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:20 -0700
+Subject: scsi: lpfc: Fix FDMI manufacturer attribute value
+
+[ Upstream commit d67f935b79a76ac9d86dde1a27bdd413feb5d987 ]
+
+The FDMI manufacturer value being reported on Linux is inconsistent with
+other OS's.
+
+Set the value to "Emulex Corporation" for consistency.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_ct.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
+index 126723a5bc6f6..54664a07d92ec 100644
+--- a/drivers/scsi/lpfc/lpfc_ct.c
++++ b/drivers/scsi/lpfc/lpfc_ct.c
+@@ -1734,6 +1734,9 @@ lpfc_fdmi_hba_attr_manufacturer(struct lpfc_vport *vport,
+ ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ memset(ae, 0, 256);
+
++ /* This string MUST be consistent with other FC platforms
++ * supported by Broadcom.
++ */
+ strncpy(ae->un.AttrString,
+ "Emulex Corporation",
+ sizeof(ae->un.AttrString));
+--
+2.20.1
+
--- /dev/null
+From 3e7276c6018670798eb49e737be3635fd2bb327f Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:07 -0700
+Subject: scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
+
+[ Upstream commit c95a3b4b0fb8d351e2329a96f87c4fc96a149505 ]
+
+During debug, it was seen that the driver is issuing commands specific to
+SLI3 on SLI4 devices. Although the adapter correctly rejected the command,
+this should not be done.
+
+Revise the code to stop sending these commands on a SLI4 adapter.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 4962d665b4d21..b970933a218d5 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -924,7 +924,11 @@ lpfc_linkdown(struct lpfc_hba *phba)
+ }
+ }
+ lpfc_destroy_vport_work_array(phba, vports);
+- /* Clean up any firmware default rpi's */
++
++ /* Clean up any SLI3 firmware default rpi's */
++ if (phba->sli_rev > LPFC_SLI_REV3)
++ goto skip_unreg_did;
++
+ mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (mb) {
+ lpfc_unreg_did(phba, 0xffff, LPFC_UNREG_ALL_DFLT_RPIS, mb);
+@@ -936,6 +940,7 @@ lpfc_linkdown(struct lpfc_hba *phba)
+ }
+ }
+
++ skip_unreg_did:
+ /* Setup myDID for link up if we are in pt2pt mode */
+ if (phba->pport->fc_flag & FC_PT2PT) {
+ mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+@@ -4853,6 +4858,10 @@ lpfc_unreg_default_rpis(struct lpfc_vport *vport)
+ LPFC_MBOXQ_t *mbox;
+ int rc;
+
++ /* Unreg DID is an SLI3 operation. */
++ if (phba->sli_rev > LPFC_SLI_REV3)
++ return;
++
+ mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (mbox) {
+ lpfc_unreg_did(phba, vport->vpi, LPFC_UNREG_ALL_DFLT_RPIS,
+--
+2.20.1
+
--- /dev/null
+From 91d0babb500abba6c37ab7fa15930118f8b3d459 Mon Sep 17 00:00:00 2001
+From: Chad Dupuis <cdupuis@marvell.com>
+Date: Tue, 26 Mar 2019 00:38:35 -0700
+Subject: scsi: qedf: Add missing return in qedf_post_io_req() in the fcport
+ offload check
+
+[ Upstream commit c5e06ba2f76809ad1492fdad312e81335df46bc5 ]
+
+Fixes the following crash as the return was missing from the check if an
+fcport is offloaded. If we hit this code we continue to try to post an
+invalid task which can lead to the crash:
+
+[30259.616411] [0000:61:00.3]:[qedf_post_io_req:989]:3: Session not offloaded yet.
+[30259.616413] [0000:61:00.3]:[qedf_upload_connection:1340]:3: Uploading connection port_id=490020.
+[30259.623769] BUG: unable to handle kernel NULL pointer dereference at 0000000000000198
+[30259.631645] IP: [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
+[30259.638816] PGD 0
+[30259.640841] Oops: 0000 [#1] SMP
+[30259.644098] Modules linked in: fuse xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables devlink ip6table_filter ip6_tables iptable_filter vfat fat ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib ib_ucm ib_umad dm_service_time skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel rpcrdma sunrpc rdma_ucm ib_uverbs lrw gf128mul ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi qedr(OE) glue_helper ablk_helper cryptd ib_core dm_round_robin joydev pcspkr ipmi_ssif ses enclosure ipmi_si ipmi_devintf ipmi_msghandler mei_me
+[30259.715529] mei sg hpilo hpwdt shpchp wmi lpc_ich acpi_power_meter dm_multipath ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic uas usb_storage mgag200 qedf(OE) i2c_algo_bit libfcoe drm_kms_helper libfc syscopyarea sysfillrect scsi_transport_fc qede(OE) sysimgblt fb_sys_fops ptp ttm pps_core drm qed(OE) smartpqi crct10dif_pclmul crct10dif_common crc32c_intel i2c_core scsi_transport_sas scsi_tgt dm_mirror dm_region_hash dm_log dm_mod
+[30259.754237] CPU: 9 PID: 977 Comm: kdmwork-253:7 Kdump: loaded Tainted: G W OE ------------ 3.10.0-862.el7.x86_64 #1
+[30259.765664] Hardware name: HPE Synergy 480 Gen10/Synergy 480 Gen10 Compute Module, BIOS I42 04/04/2018
+[30259.775000] task: ffff8c801efd0000 ti: ffff8c801efd8000 task.ti: ffff8c801efd8000
+[30259.782505] RIP: 0010:[<ffffffffc035b1ed>] [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
+[30259.792116] RSP: 0018:ffff8c801efdbbb0 EFLAGS: 00010046
+[30259.797444] RAX: 0000000000000000 RBX: ffffa7f1450948d8 RCX: ffff8c7fe5bc40c8
+[30259.804600] RDX: ffff8c800715b300 RSI: ffffa7f1450948d8 RDI: ffff8c80169c2480
+[30259.811755] RBP: ffff8c801efdbc30 R08: 00000000000000ae R09: ffff8c800a314540
+[30259.818911] R10: ffff8c7fe5bc40c8 R11: ffff8c801efdb8ae R12: 0000000000000000
+[30259.826068] R13: ffff8c800715b300 R14: ffff8c80169c2480 R15: ffff8c8005da28e0
+[30259.833223] FS: 0000000000000000(0000) GS:ffff8c803f840000(0000) knlGS:0000000000000000
+[30259.841338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[30259.847100] CR2: 0000000000000198 CR3: 000000081242e000 CR4: 00000000007607e0
+[30259.854256] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[30259.861412] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[30259.868568] PKRU: 00000000
+[30259.871278] Call Trace:
+[30259.873737] [<ffffffffc035c948>] qedf_post_io_req+0x148/0x680 [qedf]
+[30259.880201] [<ffffffffc035d070>] qedf_queuecommand+0x1f0/0x240 [qedf]
+[30259.886749] [<ffffffffa329b050>] scsi_dispatch_cmd+0xb0/0x240
+[30259.892600] [<ffffffffa32a45bc>] scsi_request_fn+0x4cc/0x680
+[30259.898364] [<ffffffffa3118ad9>] __blk_run_queue+0x39/0x50
+[30259.903954] [<ffffffffa3114393>] __elv_add_request+0xd3/0x260
+[30259.909805] [<ffffffffa311baf0>] blk_insert_cloned_request+0xf0/0x1b0
+[30259.916358] [<ffffffffc010b622>] map_request+0x142/0x220 [dm_mod]
+[30259.922560] [<ffffffffc010b716>] map_tio_request+0x16/0x40 [dm_mod]
+[30259.928932] [<ffffffffa2ebb1f5>] kthread_worker_fn+0x85/0x180
+[30259.934782] [<ffffffffa2ebb170>] ? kthread_stop+0xf0/0xf0
+[30259.940284] [<ffffffffa2ebae31>] kthread+0xd1/0xe0
+[30259.945176] [<ffffffffa2ebad60>] ? insert_kthread_work+0x40/0x40
+[30259.951290] [<ffffffffa351f61d>] ret_from_fork_nospec_begin+0x7/0x21
+[30259.957750] [<ffffffffa2ebad60>] ? insert_kthread_work+0x40/0x40
+[30259.963860] Code: fe 41 55 49 89 d5 41 54 53 48 89 f3 48 83 ec 58 4c 8b 67 28 4c 8b 4e 18 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 4c 8b 7e 58 <49> 8b 84 24 98 01 00 00 48 8b 00 f6 80 31 01 00 00 10 0f 85 0b
+[30259.983372] RIP [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
+[30259.990630] RSP <ffff8c801efdbbb0>
+[30259.994127] CR2: 0000000000000198
+
+Signed-off-by: Chad Dupuis <cdupuis@marvell.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c
+index ded386036c277..f3e9df8dcd8f1 100644
+--- a/drivers/scsi/qedf/qedf_io.c
++++ b/drivers/scsi/qedf/qedf_io.c
+@@ -883,6 +883,7 @@ int qedf_post_io_req(struct qedf_rport *fcport, struct qedf_ioreq *io_req)
+ if (!test_bit(QEDF_RPORT_SESSION_READY, &fcport->flags)) {
+ QEDF_ERR(&(qedf->dbg_ctx), "Session not offloaded yet.\n");
+ kref_put(&io_req->refcount, qedf_release_cmd);
++ return -EINVAL;
+ }
+
+ /* Obtain free SQE */
+--
+2.20.1
+
--- /dev/null
+From 3665d46dee9c1177d05e7c90d8535062a6bd4ce9 Mon Sep 17 00:00:00 2001
+From: Manish Rangankar <mrangankar@marvell.com>
+Date: Fri, 26 Apr 2019 03:55:45 -0700
+Subject: scsi: qedi: Abort ep termination if offload not scheduled
+
+[ Upstream commit f848bfd8e167210a29374e8a678892bed591684f ]
+
+Sometimes during connection recovery when there is a failure to resolve
+ARP, and offload connection was not issued, driver tries to flush pending
+offload connection work which was not queued up.
+
+kernel: WARNING: CPU: 19 PID: 10110 at kernel/workqueue.c:3030 __flush_work.isra.34+0x19c/0x1b0
+kernel: CPU: 19 PID: 10110 Comm: iscsid Tainted: G W 5.1.0-rc4 #11
+kernel: Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 2.9.1 12/04/2018
+kernel: RIP: 0010:__flush_work.isra.34+0x19c/0x1b0
+kernel: Code: 8b fb 66 0f 1f 44 00 00 31 c0 eb ab 48 89 ef c6 07 00 0f 1f 40 00 fb 66 0f 1f 44 00 00 31 c0 eb 96 e8 08 16 fe ff 0f 0b eb 8d <0f> 0b 31 c0 eb 87 0f 1f 40 00 66 2e 0f 1
+f 84 00 00 00 00 00 0f 1f
+kernel: RSP: 0018:ffffa6b4054dba68 EFLAGS: 00010246
+kernel: RAX: 0000000000000000 RBX: ffff91df21c36fc0 RCX: 0000000000000000
+kernel: RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff91df21c36fc0
+kernel: RBP: ffff91df21c36ef0 R08: 0000000000000000 R09: 0000000000000000
+kernel: R10: 0000000000000038 R11: ffffa6b4054dbd60 R12: ffffffffc05e72c0
+kernel: R13: ffff91db10280820 R14: 0000000000000048 R15: 0000000000000000
+kernel: FS: 00007f5d83cc1740(0000) GS:ffff91df2f840000(0000) knlGS:0000000000000000
+kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+kernel: CR2: 0000000001cc5000 CR3: 0000000465450002 CR4: 00000000001606e0
+kernel: Call Trace:
+kernel: ? try_to_del_timer_sync+0x4d/0x80
+kernel: qedi_ep_disconnect+0x3b/0x410 [qedi]
+kernel: ? 0xffffffffc083c000
+kernel: ? klist_iter_exit+0x14/0x20
+kernel: ? class_find_device+0x93/0xf0
+kernel: iscsi_if_ep_disconnect.isra.18+0x58/0x70 [scsi_transport_iscsi]
+kernel: iscsi_if_recv_msg+0x10e2/0x1510 [scsi_transport_iscsi]
+kernel: ? copyout+0x22/0x30
+kernel: ? _copy_to_iter+0xa0/0x430
+kernel: ? _cond_resched+0x15/0x30
+kernel: ? __kmalloc_node_track_caller+0x1f9/0x270
+kernel: iscsi_if_rx+0xa5/0x1e0 [scsi_transport_iscsi]
+kernel: netlink_unicast+0x17f/0x230
+kernel: netlink_sendmsg+0x2d2/0x3d0
+kernel: sock_sendmsg+0x36/0x50
+kernel: ___sys_sendmsg+0x280/0x2a0
+kernel: ? timerqueue_add+0x54/0x80
+kernel: ? enqueue_hrtimer+0x38/0x90
+kernel: ? hrtimer_start_range_ns+0x19f/0x2c0
+kernel: __sys_sendmsg+0x58/0xa0
+kernel: do_syscall_64+0x5b/0x180
+kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_iscsi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index 45f044f35cea8..0b7267e683360 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -1008,6 +1008,9 @@ static void qedi_ep_disconnect(struct iscsi_endpoint *ep)
+ qedi_ep = ep->dd_data;
+ qedi = qedi_ep->qedi;
+
++ if (qedi_ep->state == EP_STATE_OFLDCONN_START)
++ goto ep_exit_recover;
++
+ flush_work(&qedi_ep->offload_work);
+
+ if (qedi_ep->conn) {
+--
+2.20.1
+
--- /dev/null
+From bddde847f37b5a0606234ae242fbf2be8de299ad Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:43 -0700
+Subject: scsi: qla2xxx: Avoid that lockdep complains about unsafe locking in
+ tcm_qla2xxx_close_session()
+
+[ Upstream commit d4023db71108375e4194e92730ba0d32d7f07813 ]
+
+This patch avoids that lockdep reports the following warning:
+
+=====================================================
+WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
+5.1.0-rc1-dbg+ #11 Tainted: G W
+-----------------------------------------------------
+rmdir/1478 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+00000000e7ac4607 (&(&k->k_lock)->rlock){+.+.}, at: klist_next+0x43/0x1d0
+
+and this task is already holding:
+00000000cf0baf5e (&(&ha->tgt.sess_lock)->rlock){-...}, at: tcm_qla2xxx_close_session+0x57/0xb0 [tcm_qla2xxx]
+which would create a new lock dependency:
+ (&(&ha->tgt.sess_lock)->rlock){-...} -> (&(&k->k_lock)->rlock){+.+.}
+
+but this new dependency connects a HARDIRQ-irq-safe lock:
+ (&(&ha->tgt.sess_lock)->rlock){-...}
+
+... which became HARDIRQ-irq-safe at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla2x00_fcport_event_handler+0x1f3d/0x22b0 [qla2xxx]
+ qla2x00_async_login_sp_done+0x1dc/0x1f0 [qla2xxx]
+ qla24xx_process_response_queue+0xa37/0x10e0 [qla2xxx]
+ qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx]
+ __handle_irq_event_percpu+0x79/0x3c0
+ handle_irq_event_percpu+0x70/0xf0
+ handle_irq_event+0x5a/0x8b
+ handle_edge_irq+0x12c/0x310
+ handle_irq+0x192/0x20a
+ do_IRQ+0x73/0x160
+ ret_from_intr+0x0/0x1d
+ default_idle+0x23/0x1f0
+ arch_cpu_idle+0x15/0x20
+ default_idle_call+0x35/0x40
+ do_idle+0x2bb/0x2e0
+ cpu_startup_entry+0x1d/0x20
+ start_secondary+0x24d/0x2d0
+ secondary_startup_64+0xa4/0xb0
+
+to a HARDIRQ-irq-unsafe lock:
+ (&(&k->k_lock)->rlock){+.+.}
+
+... which became HARDIRQ-irq-unsafe at:
+...
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7f4/0xb60
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+
+other info that might help us debug this:
+
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&(&k->k_lock)->rlock);
+ local_irq_disable();
+ lock(&(&ha->tgt.sess_lock)->rlock);
+ lock(&(&k->k_lock)->rlock);
+ <Interrupt>
+ lock(&(&ha->tgt.sess_lock)->rlock);
+
+ *** DEADLOCK ***
+
+4 locks held by rmdir/1478:
+ #0: 000000002c7f1ba4 (sb_writers#10){.+.+}, at: mnt_want_write+0x32/0x70
+ #1: 00000000c85eb147 (&default_group_class[depth - 1]#2/1){+.+.}, at: do_rmdir+0x217/0x2d0
+ #2: 000000002b164d6f (&sb->s_type->i_mutex_key#13){++++}, at: vfs_rmdir+0x7e/0x1d0
+ #3: 00000000cf0baf5e (&(&ha->tgt.sess_lock)->rlock){-...}, at: tcm_qla2xxx_close_session+0x57/0xb0 [tcm_qla2xxx]
+
+the dependencies between HARDIRQ-irq-safe lock and the holding lock:
+-> (&(&ha->tgt.sess_lock)->rlock){-...} ops: 127 {
+ IN-HARDIRQ-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla2x00_fcport_event_handler+0x1f3d/0x22b0 [qla2xxx]
+ qla2x00_async_login_sp_done+0x1dc/0x1f0 [qla2xxx]
+ qla24xx_process_response_queue+0xa37/0x10e0 [qla2xxx]
+ qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx]
+ __handle_irq_event_percpu+0x79/0x3c0
+ handle_irq_event_percpu+0x70/0xf0
+ handle_irq_event+0x5a/0x8b
+ handle_edge_irq+0x12c/0x310
+ handle_irq+0x192/0x20a
+ do_IRQ+0x73/0x160
+ ret_from_intr+0x0/0x1d
+ default_idle+0x23/0x1f0
+ arch_cpu_idle+0x15/0x20
+ default_idle_call+0x35/0x40
+ do_idle+0x2bb/0x2e0
+ cpu_startup_entry+0x1d/0x20
+ start_secondary+0x24d/0x2d0
+ secondary_startup_64+0xa4/0xb0
+ INITIAL USE at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla2x00_loop_resync+0xb3d/0x2690 [qla2xxx]
+ qla2x00_do_dpc+0xcee/0xf30 [qla2xxx]
+ kthread+0x1d2/0x1f0
+ ret_from_fork+0x3a/0x50
+ }
+ ... key at: [<ffffffffa125f700>] __key.62804+0x0/0xfffffffffff7e900 [qla2xxx]
+ ... acquired at:
+ __lock_acquire+0x11ed/0x1b60
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx]
+ qlt_unreg_sess+0x104/0x2c0 [qla2xxx]
+ tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx]
+ target_shutdown_sessions+0x17b/0x190 [target_core_mod]
+ core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod]
+ target_fabric_nacl_base_release+0x25/0x30 [target_core_mod]
+ config_item_release+0x9f/0x120 [configfs]
+ config_item_put+0x29/0x2b [configfs]
+ configfs_rmdir+0x3d2/0x520 [configfs]
+ vfs_rmdir+0xb3/0x1d0
+ do_rmdir+0x25c/0x2d0
+ __x64_sys_rmdir+0x24/0x30
+ do_syscall_64+0x77/0x220
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+the dependencies between the lock to be acquired
+ and HARDIRQ-irq-unsafe lock:
+-> (&(&k->k_lock)->rlock){+.+.} ops: 14568 {
+ HARDIRQ-ON-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7f4/0xb60
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ SOFTIRQ-ON-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7f4/0xb60
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7f4/0xb60
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ }
+ ... key at: [<ffffffff83f3d900>] __key.15805+0x0/0x40
+ ... acquired at:
+ __lock_acquire+0x11ed/0x1b60
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx]
+ qlt_unreg_sess+0x104/0x2c0 [qla2xxx]
+ tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx]
+ target_shutdown_sessions+0x17b/0x190 [target_core_mod]
+ core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod]
+ target_fabric_nacl_base_release+0x25/0x30 [target_core_mod]
+ config_item_release+0x9f/0x120 [configfs]
+ config_item_put+0x29/0x2b [configfs]
+ configfs_rmdir+0x3d2/0x520 [configfs]
+ vfs_rmdir+0xb3/0x1d0
+ do_rmdir+0x25c/0x2d0
+ __x64_sys_rmdir+0x24/0x30
+ do_syscall_64+0x77/0x220
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+stack backtrace:
+CPU: 7 PID: 1478 Comm: rmdir Tainted: G W 5.1.0-rc1-dbg+ #11
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Call Trace:
+ dump_stack+0x86/0xca
+ check_usage.cold.59+0x473/0x563
+ check_prev_add.constprop.43+0x1f1/0x1170
+ __lock_acquire+0x11ed/0x1b60
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx]
+ qlt_unreg_sess+0x104/0x2c0 [qla2xxx]
+ tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx]
+ target_shutdown_sessions+0x17b/0x190 [target_core_mod]
+ core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod]
+ target_fabric_nacl_base_release+0x25/0x30 [target_core_mod]
+ config_item_release+0x9f/0x120 [configfs]
+ config_item_put+0x29/0x2b [configfs]
+ configfs_rmdir+0x3d2/0x520 [configfs]
+ vfs_rmdir+0xb3/0x1d0
+ do_rmdir+0x25c/0x2d0
+ __x64_sys_rmdir+0x24/0x30
+ do_syscall_64+0x77/0x220
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index 4c99f1797b489..2fcdaadd10fa5 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -366,8 +366,9 @@ static void tcm_qla2xxx_close_session(struct se_session *se_sess)
+
+ spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags);
+ target_sess_cmd_list_set_waiting(se_sess);
+- tcm_qla2xxx_put_sess(sess);
+ spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags);
++
++ tcm_qla2xxx_put_sess(sess);
+ }
+
+ static u32 tcm_qla2xxx_sess_get_index(struct se_session *se_sess)
+--
+2.20.1
+
--- /dev/null
+From f582c12da59cfbee0ff0b12e1636ffd927b6589b Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:24 -0700
+Subject: scsi: qla2xxx: Fix a qla24xx_enable_msix() error path
+
+[ Upstream commit 24afabdbd0b3553963a2bbf465895492b14d1107 ]
+
+Make sure that the allocated interrupts are freed if allocating memory for
+the msix_entries array fails.
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index e073eb16f8a4a..df94ef816826b 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -3395,7 +3395,7 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp)
+ ql_log(ql_log_fatal, vha, 0x00c8,
+ "Failed to allocate memory for ha->msix_entries.\n");
+ ret = -ENOMEM;
+- goto msix_out;
++ goto free_irqs;
+ }
+ ha->flags.msix_enabled = 1;
+
+@@ -3477,6 +3477,10 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp)
+
+ msix_out:
+ return ret;
++
++free_irqs:
++ pci_free_irq_vectors(ha->pdev);
++ goto msix_out;
+ }
+
+ int
+--
+2.20.1
+
--- /dev/null
+From 2570a4418426aa4b762a98ba17b36eeea6cd52bc Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:28 -0700
+Subject: scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending()
+
+[ Upstream commit e209783d66bca04b5fce4429e59338517ffc1a0b ]
+
+Implementations of the .write_pending() callback functions must guarantee
+that an appropriate LIO core callback function will be called immediately or
+at a later time. Make sure that this guarantee is met for aborted SCSI
+commands.
+
+[mkp: typo]
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Fixes: 694833ee00c4 ("scsi: tcm_qla2xxx: Do not allow aborted cmd to advance.") # v4.13.
+Fixes: a07100e00ac4 ("qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM") # v4.5.
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index 9465acd18df03..4c99f1797b489 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -391,6 +391,8 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd)
+ cmd->se_cmd.transport_state,
+ cmd->se_cmd.t_state,
+ cmd->se_cmd.se_cmd_flags);
++ transport_generic_request_failure(&cmd->se_cmd,
++ TCM_CHECK_CONDITION_ABORT_CMD);
+ return 0;
+ }
+ cmd->trc_flags |= TRC_XFR_RDY;
+--
+2.20.1
+
--- /dev/null
+From a479822ede802b72da62ed39f4a61e474cffb082 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2019 15:25:03 +0100
+Subject: scsi: qla4xxx: avoid freeing unallocated dma memory
+
+[ Upstream commit 608f729c31d4caf52216ea00d20092a80959256d ]
+
+Clang -Wuninitialized notices that on is_qla40XX we never allocate any DMA
+memory in get_fw_boot_info() but attempt to free it anyway:
+
+drivers/scsi/qla4xxx/ql4_os.c:5915:7: error: variable 'buf_dma' is used uninitialized whenever 'if' condition is false
+ [-Werror,-Wsometimes-uninitialized]
+ if (!(val & 0x07)) {
+ ^~~~~~~~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5985:47: note: uninitialized use occurs here
+ dma_free_coherent(&ha->pdev->dev, size, buf, buf_dma);
+ ^~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5915:3: note: remove the 'if' if its condition is always true
+ if (!(val & 0x07)) {
+ ^~~~~~~~~~~~~~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5885:20: note: initialize the variable 'buf_dma' to silence this warning
+ dma_addr_t buf_dma;
+ ^
+ = 0
+
+Skip the call to dma_free_coherent() here.
+
+Fixes: 2a991c215978 ("[SCSI] qla4xxx: Boot from SAN support for open-iscsi")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 630b7404843d0..4421f9bdfcf77 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -5939,7 +5939,7 @@ static int get_fw_boot_info(struct scsi_qla_host *ha, uint16_t ddb_index[])
+ val = rd_nvram_byte(ha, sec_addr);
+ if (val & BIT_7)
+ ddb_index[1] = (val & 0x7f);
+-
++ goto exit_boot_info;
+ } else if (is_qla80XX(ha)) {
+ buf = dma_alloc_coherent(&ha->pdev->dev, size,
+ &buf_dma, GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From 7b5170661e4ffcc15d9e8711ab7e54392d02ed71 Mon Sep 17 00:00:00 2001
+From: Stanley Chu <stanley.chu@mediatek.com>
+Date: Thu, 28 Mar 2019 17:16:24 +0800
+Subject: scsi: ufs: Avoid configuring regulator with undefined voltage range
+
+[ Upstream commit 3b141e8cfd54ba3e5c610717295b2a02aab26a05 ]
+
+For regulators used by UFS, vcc, vccq and vccq2 will have voltage range
+initialized by ufshcd_populate_vreg(), however other regulators may have
+undefined voltage range if dt-bindings have no such definition.
+
+In above undefined case, both "min_uV" and "max_uV" fields in ufs_vreg
+struct will be zero values and these values will be configured on
+regulators in different power modes.
+
+Currently this may have no harm if both "min_uV" and "max_uV" always keep
+"zero values" because regulator_set_voltage() will always bypass such
+invalid values and return "good" results.
+
+However improper values shall be fixed to avoid potential bugs. Simply
+bypass voltage configuration if voltage range is not defined.
+
+Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index c2395b8e72894..d8f0a1ccd9b19 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6580,12 +6580,15 @@ static int ufshcd_config_vreg(struct device *dev,
+ name = vreg->name;
+
+ if (regulator_count_voltages(reg) > 0) {
+- min_uV = on ? vreg->min_uV : 0;
+- ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
+- if (ret) {
+- dev_err(dev, "%s: %s set voltage failed, err=%d\n",
++ if (vreg->min_uV && vreg->max_uV) {
++ min_uV = on ? vreg->min_uV : 0;
++ ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
++ if (ret) {
++ dev_err(dev,
++ "%s: %s set voltage failed, err=%d\n",
+ __func__, name, ret);
+- goto out;
++ goto out;
++ }
+ }
+
+ uA_load = on ? vreg->max_uA : 0;
+--
+2.20.1
+
--- /dev/null
+From 7dfc76e2a50f46e7e367d522189756fbca345fcc Mon Sep 17 00:00:00 2001
+From: Stanley Chu <stanley.chu@mediatek.com>
+Date: Thu, 28 Mar 2019 17:16:25 +0800
+Subject: scsi: ufs: Fix regulator load and icc-level configuration
+
+[ Upstream commit 0487fff76632ec023d394a05b82e87a971db8c03 ]
+
+Currently if a regulator has "<name>-fixed-regulator" property in device
+tree, it will skip current limit initialization. This lead to a zero
+"max_uA" value in struct ufs_vreg.
+
+However, "regulator_set_load" operation shall be required on regulators
+which have valid current limits, otherwise a zero "max_uA" set by
+"regulator_set_load" may cause unexpected behavior when this regulator is
+enabled or set as high power mode.
+
+Similarly, in device's icc_level configuration flow, the target icc_level
+shall be updated if regulator also has valid current limit, otherwise a
+wrong icc_level will be calculated by zero "max_uA" and thus causes
+unexpected results after it is written to device.
+
+Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 581571de24614..c2395b8e72894 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -5911,19 +5911,19 @@ static u32 ufshcd_find_max_sup_active_icc_level(struct ufs_hba *hba,
+ goto out;
+ }
+
+- if (hba->vreg_info.vcc)
++ if (hba->vreg_info.vcc && hba->vreg_info.vcc->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vcc->max_uA,
+ POWER_DESC_MAX_ACTV_ICC_LVLS - 1,
+ &desc_buf[PWR_DESC_ACTIVE_LVLS_VCC_0]);
+
+- if (hba->vreg_info.vccq)
++ if (hba->vreg_info.vccq && hba->vreg_info.vccq->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vccq->max_uA,
+ icc_level,
+ &desc_buf[PWR_DESC_ACTIVE_LVLS_VCCQ_0]);
+
+- if (hba->vreg_info.vccq2)
++ if (hba->vreg_info.vccq2 && hba->vreg_info.vccq2->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vccq2->max_uA,
+ icc_level,
+@@ -6525,6 +6525,15 @@ static int ufshcd_config_vreg_load(struct device *dev, struct ufs_vreg *vreg,
+ if (!vreg)
+ return 0;
+
++ /*
++ * "set_load" operation shall be required on those regulators
++ * which specifically configured current limitation. Otherwise
++ * zero max_uA may cause unexpected behavior when regulator is
++ * enabled or set as high power mode.
++ */
++ if (!vreg->max_uA)
++ return 0;
++
+ ret = regulator_set_load(vreg->reg, ua);
+ if (ret < 0) {
+ dev_err(dev, "%s: %s set load (ua=%d) failed, err=%d\n",
+--
+2.20.1
+
at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
net-erspan-fix-use-after-free.patch
revert-btrfs-honour-fitrim-range-constraints-during-free-space-trim.patch
+gfs2-fix-lru_count-going-negative.patch
+cxgb4-fix-error-path-in-cxgb4_init_module.patch
+nfs-make-nfs_match_client-killable.patch
+ib-hfi1-fix-wq_mem_reclaim-warning.patch
+gfs2-fix-occasional-glock-use-after-free.patch
+mmc-core-verify-sd-bus-width.patch
+tools-bpf-fix-perf-build-error-with-uclibc-seen-on-a.patch
+dmaengine-tegra210-dma-free-dma-controller-in-remove.patch
+net-ena-gcc-8-fix-compilation-warning.patch
+pinctrl-zte-fix-leaked-of_node-references.patch
+asoc-hdmi-codec-unlock-the-device-on-startup-errors.patch
+powerpc-perf-return-accordingly-on-invalid-chip-id-i.patch
+powerpc-boot-fix-missing-check-of-lseek-return-value.patch
+asoc-imx-fix-fiq-dependencies.patch
+spi-pxa2xx-fix-scr-divisor-calculation.patch
+brcm80211-potential-null-dereference-in-brcmf_cfg802.patch
+acpi-property-fix-handling-of-data_nodes-in-acpi_get.patch
+arm-vdso-remove-dependency-with-the-arch_timer-drive.patch
+arm64-fix-compiler-warning-from-pte_unmap-with-wunus.patch
+sched-cpufreq-fix-kobject-memleak.patch
+scsi-qla2xxx-fix-a-qla24xx_enable_msix-error-path.patch
+scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write.patch
+scsi-qla2xxx-avoid-that-lockdep-complains-about-unsa.patch
+btrfs-fix-data-bytes_may_use-underflow-with-fallocat.patch
+btrfs-fix-panic-during-relocation-after-enospc-befor.patch
+btrfs-don-t-panic-when-we-can-t-find-a-root-key.patch
+iwlwifi-pcie-don-t-crash-on-invalid-rx-interrupt.patch
+rtc-88pm860x-prevent-use-after-free-on-device-remove.patch
+scsi-qedi-abort-ep-termination-if-offload-not-schedu.patch
+w1-fix-the-resume-command-api.patch
+dmaengine-pl330-_stop-clear-interrupt-status.patch
+mac80211-cfg80211-update-bss-channel-on-channel-swit.patch
+libbpf-fix-samples-bpf-build-failure-due-to-undefine.patch
+asoc-fsl_sai-update-is_slave_mode-with-correct-value.patch
+mwifiex-prevent-an-array-overflow.patch
+net-cw1200-fix-a-null-pointer-dereference.patch
+crypto-sun4i-ss-fix-invalid-calculation-of-hash-end.patch
+bcache-return-error-immediately-in-bch_journal_repla.patch
+bcache-fix-failure-in-journal-relplay.patch
+bcache-add-failure-check-to-run_cache_set-for-journa.patch
+bcache-avoid-clang-wunintialized-warning.patch
+rdma-cma-consider-scope_id-while-binding-to-ipv6-ll-.patch
+vfio-ccw-do-not-call-flush_workqueue-while-holding-t.patch
+vfio-ccw-release-any-channel-program-when-releasing-.patch
+x86-build-move-_etext-to-actual-end-of-.text.patch
+smpboot-place-the-__percpu-annotation-correctly.patch
+x86-mm-remove-in_nmi-warning-from-64-bit-implementat.patch
+mm-uaccess-use-unsigned-long-to-placate-ubsan-warnin.patch
+hid-logitech-hidpp-use-rap-instead-of-fap-to-get-the.patch
+pinctrl-pistachio-fix-leaked-of_node-references.patch
+pinctrl-samsung-fix-leaked-of_node-references.patch
+clk-rockchip-undo-several-noc-and-special-clocks-as-.patch
+dmaengine-at_xdmac-remove-bug_on-macro-in-tasklet.patch
+media-coda-clear-error-return-value-before-picture-r.patch
+media-ov6650-move-v4l2_clk_get-to-ov6650_video_probe.patch
+media-au0828-stop-video-streaming-only-when-last-use.patch
+media-ov2659-make-s_fmt-succeed-even-if-requested-fo.patch
+audit-fix-a-memory-leak-bug.patch
+media-stm32-dcmi-fix-crash-when-subdev-do-not-expose.patch
+media-au0828-fix-null-pointer-dereference-in-au0828_.patch
+media-pvrusb2-prevent-a-buffer-overflow.patch
+powerpc-numa-improve-control-of-topology-updates.patch
+powerpc-64-fix-booting-large-kernels-with-strict_ker.patch
+random-add-a-spinlock_t-to-struct-batched_entropy.patch
+cgroup-protect-cgroup-nr_-dying_-descendants-by-css_.patch
+sched-core-check-quota-and-period-overflow-at-usec-t.patch
+sched-rt-check-integer-overflow-at-usec-to-nsec-conv.patch
+sched-core-handle-overflow-in-cpu_shares_write_u64.patch
+drm-msm-a5xx-fix-possible-object-reference-leak.patch
+usb-core-don-t-unbind-interfaces-following-device-re.patch
+x86-irq-64-limit-ist-stack-overflow-check-to-db-stac.patch
+phy-sun4i-usb-make-sure-to-disable-phy0-passby-for-p.patch
+i40e-able-to-add-up-to-16-mac-filters-on-an-untruste.patch
+i40e-don-t-allow-changes-to-hw-vlan-stripping-on-act.patch
+arm64-vdso-fix-clock_getres-for-clock_realtime.patch
+rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb.patch
+hwmon-vt1211-use-request_muxed_region-for-super-io-a.patch
+hwmon-smsc47m1-use-request_muxed_region-for-super-io.patch
+hwmon-smsc47b397-use-request_muxed_region-for-super-.patch
+hwmon-pc87427-use-request_muxed_region-for-super-io-.patch
+hwmon-f71805f-use-request_muxed_region-for-super-io-.patch
+scsi-libsas-do-discovery-on-empty-phy-to-update-phy-.patch
+mmc-core-make-pwrseq_emmc-partially-support-sleepy-g.patch
+mmc_spi-add-a-status-check-for-spi_sync_locked.patch
+mmc-sdhci-of-esdhc-add-erratum-esdhc5-support.patch
+mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch
+mmc-sdhci-of-esdhc-add-erratum-esdhc-a001-and-a-0083.patch
+drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch
+pm-core-propagate-dev-power.wakeup_path-when-no-call.patch
+clk-rockchip-fix-video-codec-clocks-on-rk3288.patch
+extcon-arizona-disable-mic-detect-if-running-when-dr.patch
+clk-rockchip-make-rkpwm-a-critical-clock-on-rk3288.patch
+s390-zcrypt-initialize-variables-before_use.patch
+x86-microcode-fix-the-ancient-deprecated-microcode-l.patch
+s390-cio-fix-cio_irb-declaration.patch
+cpufreq-ppc_cbe-fix-possible-object-reference-leak.patch
+cpufreq-pasemi-fix-possible-object-reference-leak.patch
+cpufreq-pmac32-fix-possible-object-reference-leak.patch
+cpufreq-kirkwood-fix-possible-object-reference-leak.patch
+block-sed-opal-fix-ioc_opal_enable_disable_mbr.patch
+x86-build-keep-local-relocations-with-ld.lld.patch
+iio-ad_sigma_delta-properly-handle-spi-bus-locking-v.patch
+iio-hmc5843-fix-potential-null-pointer-dereferences.patch
+iio-common-ssp_sensors-initialize-calculated_time-in.patch
+rtlwifi-fix-a-potential-null-pointer-dereference.patch
+mwifiex-fix-mem-leak-in-mwifiex_tm_cmd.patch
+brcmfmac-fix-missing-checks-for-kmemdup.patch
+b43-shut-up-clang-wuninitialized-variable-warning.patch
+brcmfmac-convert-dev_init_lock-mutex-to-completion.patch
+brcmfmac-fix-warning-during-usb-disconnect-in-case-o.patch
+brcmfmac-fix-race-during-disconnect-when-usb-complet.patch
+brcmfmac-fix-oops-when-bringing-up-interface-during-.patch
+rtc-xgene-fix-possible-race-condition.patch
+rtlwifi-fix-potential-null-pointer-dereference.patch
+scsi-ufs-fix-regulator-load-and-icc-level-configurat.patch
+scsi-ufs-avoid-configuring-regulator-with-undefined-.patch
+arm64-cpu_ops-fix-a-leaked-reference-by-adding-missi.patch
+x86-uaccess-ftrace-fix-ftrace_likely_update-vs.-smap.patch
+x86-uaccess-signal-fix-ac-1-bloat.patch
+x86-ia32-fix-ia32_restore_sigcontext-ac-leak.patch
+chardev-add-additional-check-for-minor-range-overlap.patch
+rdma-hns-fix-bad-endianess-of-port_pd-variable.patch
+hid-core-move-usage-page-concatenation-to-main-item.patch
+asoc-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch
+asoc-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch
+cxgb3-l2t-fix-undefined-behaviour.patch
+hid-logitech-hidpp-change-low-battery-level-threshol.patch
+spi-tegra114-reset-controller-on-probe.patch
+kobject-don-t-trigger-kobject_uevent-kobj_remove-twi.patch
+media-video-mux-fix-null-pointer-dereferences.patch
+media-wl128x-prevent-two-potential-buffer-overflows.patch
+scsi-qedf-add-missing-return-in-qedf_post_io_req-in-.patch
+virtio_console-initialize-vtermno-value-for-ports.patch
+tty-ipwireless-fix-missing-checks-for-ioremap.patch
+x86-mce-fix-machine_check_poll-tests-for-error-types.patch
+rcutorture-fix-cleanup-path-for-invalid-torture_type.patch
+rcuperf-fix-cleanup-path-for-invalid-perf_type-strin.patch
+usb-core-add-pm-runtime-calls-to-usb_hcd_platform_sh.patch
+scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch
+batman-adv-allow-updating-dat-entry-timeouts-on-inco.patch
+dmaengine-tegra210-adma-use-devm_clk_-helpers.patch
+hwrng-omap-set-default-quality.patch
+thunderbolt-fix-to-check-for-kmemdup-failure.patch
+media-m88ds3103-serialize-reset-messages-in-m88ds310.patch
+media-vimc-stream-fix-thread-state-before-sleep.patch
+media-go7007-avoid-clang-frame-overflow-warning-with.patch
+media-vimc-zero-the-media_device-on-probe.patch
+scsi-lpfc-fix-fdmi-manufacturer-attribute-value.patch
+scsi-lpfc-fix-fc4type-information-for-fdmi.patch
+media-saa7146-avoid-high-stack-usage-with-clang.patch
+scsi-lpfc-fix-sli3-commands-being-issued-on-sli4-dev.patch
+spi-spi-topcliff-pch-fix-to-handle-empty-dma-buffers.patch
+spi-rspi-fix-sequencer-reset-during-initialization.patch
+spi-fix-zero-length-xfer-bug.patch
+asoc-davinci-mcasp-fix-clang-warning-without-config_.patch
+drm-drv-hold-ref-on-parent-device-during-drm_device-.patch
+drm-wake-up-next-in-drm_read-chain-if-we-are-forced-.patch
+vfio-ccw-prevent-quiesce-function-going-into-an-infi.patch
+nfs-fix-a-double-unlock-from-nfs_match-get_client.patch
--- /dev/null
+From 2e2db60a5eafce0c5346a018aaea7254079a7482 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 24 Apr 2019 10:52:53 +0200
+Subject: smpboot: Place the __percpu annotation correctly
+
+[ Upstream commit d4645d30b50d1691c26ff0f8fa4e718b08f8d3bb ]
+
+The test robot reported a wrong assignment of a per-CPU variable which
+it detected by using sparse and sent a report. The assignment itself is
+correct. The annotation for sparse was wrong and hence the report.
+The first pointer is a "normal" pointer and points to the per-CPU memory
+area. That means that the __percpu annotation has to be moved.
+
+Move the __percpu annotation to pointer which points to the per-CPU
+area. This change affects only the sparse tool (and is ignored by the
+compiler).
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: f97f8f06a49fe ("smpboot: Provide infrastructure for percpu hotplug threads")
+Link: http://lkml.kernel.org/r/20190424085253.12178-1-bigeasy@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/smpboot.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/smpboot.h b/include/linux/smpboot.h
+index c174844cf663e..585e777a7f6ef 100644
+--- a/include/linux/smpboot.h
++++ b/include/linux/smpboot.h
+@@ -31,7 +31,7 @@ struct smpboot_thread_data;
+ * @thread_comm: The base name of the thread
+ */
+ struct smp_hotplug_thread {
+- struct task_struct __percpu **store;
++ struct task_struct * __percpu *store;
+ struct list_head list;
+ int (*thread_should_run)(unsigned int cpu);
+ void (*thread_fn)(unsigned int cpu);
+--
+2.20.1
+
--- /dev/null
+From 76de8414298cf402c046b661260a6f2d7006619c Mon Sep 17 00:00:00 2001
+From: Chris Lesiak <chris.lesiak@licor.com>
+Date: Thu, 7 Mar 2019 20:39:00 +0000
+Subject: spi: Fix zero length xfer bug
+
+[ Upstream commit 5442dcaa0d90fc376bdfc179a018931a8f43dea4 ]
+
+This fixes a bug for messages containing both zero length and
+unidirectional xfers.
+
+The function spi_map_msg will allocate dummy tx and/or rx buffers
+for use with unidirectional transfers when the hardware can only do
+a bidirectional transfer. That dummy buffer will be used in place
+of a NULL buffer even when the xfer length is 0.
+
+Then in the function __spi_map_msg, if he hardware can dma,
+the zero length xfer will have spi_map_buf called on the dummy
+buffer.
+
+Eventually, __sg_alloc_table is called and returns -EINVAL
+because nents == 0.
+
+This fix prevents the error by not using the dummy buffer when
+the xfer length is zero.
+
+Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 670dbb7a8500a..56035637d8f6c 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -991,6 +991,8 @@ static int spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg)
+ if (max_tx || max_rx) {
+ list_for_each_entry(xfer, &msg->transfers,
+ transfer_list) {
++ if (!xfer->len)
++ continue;
+ if (!xfer->tx_buf)
+ xfer->tx_buf = ctlr->dummy_tx;
+ if (!xfer->rx_buf)
+--
+2.20.1
+
--- /dev/null
+From 35a5c3ac3a30f565b9cdc206541ba9bcf34210f8 Mon Sep 17 00:00:00 2001
+From: Flavio Suligoi <f.suligoi@asem.it>
+Date: Fri, 12 Apr 2019 09:32:19 +0200
+Subject: spi: pxa2xx: fix SCR (divisor) calculation
+
+[ Upstream commit 29f2133717c527f492933b0622a4aafe0b3cbe9e ]
+
+Calculate the divisor for the SCR (Serial Clock Rate), avoiding
+that the SSP transmission rate can be greater than the device rate.
+
+When the division between the SSP clock and the device rate generates
+a reminder, we have to increment by one the divisor.
+In this way the resulting SSP clock will never be greater than the
+device SPI max frequency.
+
+For example, with:
+
+ - ssp_clk = 50 MHz
+ - dev freq = 15 MHz
+
+without this patch the SSP clock will be greater than 15 MHz:
+
+ - 25 MHz for PXA25x_SSP and CE4100_SSP
+ - 16,56 MHz for the others
+
+Instead, with this patch, we have in both case an SSP clock of 12.5MHz,
+so the max rate of the SPI device clock is respected.
+
+Signed-off-by: Flavio Suligoi <f.suligoi@asem.it>
+Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-pxa2xx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
+index c0e915d8da5d2..efdae686a7619 100644
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -938,10 +938,14 @@ static unsigned int ssp_get_clk_div(struct driver_data *drv_data, int rate)
+
+ rate = min_t(int, ssp_clk, rate);
+
++ /*
++ * Calculate the divisor for the SCR (Serial Clock Rate), avoiding
++ * that the SSP transmission rate can be greater than the device rate
++ */
+ if (ssp->type == PXA25x_SSP || ssp->type == CE4100_SSP)
+- return (ssp_clk / (2 * rate) - 1) & 0xff;
++ return (DIV_ROUND_UP(ssp_clk, 2 * rate) - 1) & 0xff;
+ else
+- return (ssp_clk / rate - 1) & 0xfff;
++ return (DIV_ROUND_UP(ssp_clk, rate) - 1) & 0xfff;
+ }
+
+ static unsigned int pxa2xx_ssp_get_clk_div(struct driver_data *drv_data,
+--
+2.20.1
+
--- /dev/null
+From 9481adee5f711e32bedad368e2e57b4bd3d65719 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 12 Mar 2019 19:45:13 +0100
+Subject: spi: rspi: Fix sequencer reset during initialization
+
+[ Upstream commit 26843bb128590edd7eba1ad7ce22e4b9f1066ce3 ]
+
+While the sequencer is reset after each SPI message since commit
+880c6d114fd79a69 ("spi: rspi: Add support for Quad and Dual SPI
+Transfers on QSPI"), it was never reset for the first message, thus
+relying on reset state or bootloader settings.
+
+Fix this by initializing it explicitly during configuration.
+
+Fixes: 0b2182ddac4b8837 ("spi: add support for Renesas RSPI")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-rspi.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c
+index 20981e08ee975..f4a797a9d76e9 100644
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -279,7 +279,8 @@ static int rspi_set_config_register(struct rspi_data *rspi, int access_size)
+ /* Sets parity, interrupt mask */
+ rspi_write8(rspi, 0x00, RSPI_SPCR2);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+@@ -323,7 +324,8 @@ static int rspi_rz_set_config_register(struct rspi_data *rspi, int access_size)
+ rspi_write8(rspi, 0x00, RSPI_SSLND);
+ rspi_write8(rspi, 0x00, RSPI_SPND);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+@@ -374,7 +376,8 @@ static int qspi_set_config_register(struct rspi_data *rspi, int access_size)
+ /* Sets buffer to allow normal operation */
+ rspi_write8(rspi, 0x00, QSPI_SPBFCR);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+ /* Enables SPI function in master mode */
+--
+2.20.1
+
--- /dev/null
+From 01f5853cacefc4791d938c687661be7d0ab8179e Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 13 Mar 2019 11:55:41 -0500
+Subject: spi : spi-topcliff-pch: Fix to handle empty DMA buffers
+
+[ Upstream commit f37d8e67f39e6d3eaf4cc5471e8a3d21209843c6 ]
+
+pch_alloc_dma_buf allocated tx, rx DMA buffers which can fail. Further,
+these buffers are used without a check. The patch checks for these
+failures and sends the error upstream.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-topcliff-pch.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c
+index 97d137591b18d..4389ab80c23e6 100644
+--- a/drivers/spi/spi-topcliff-pch.c
++++ b/drivers/spi/spi-topcliff-pch.c
+@@ -1294,18 +1294,27 @@ static void pch_free_dma_buf(struct pch_spi_board_data *board_dat,
+ dma->rx_buf_virt, dma->rx_buf_dma);
+ }
+
+-static void pch_alloc_dma_buf(struct pch_spi_board_data *board_dat,
++static int pch_alloc_dma_buf(struct pch_spi_board_data *board_dat,
+ struct pch_spi_data *data)
+ {
+ struct pch_spi_dma_ctrl *dma;
++ int ret;
+
+ dma = &data->dma;
++ ret = 0;
+ /* Get Consistent memory for Tx DMA */
+ dma->tx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev,
+ PCH_BUF_SIZE, &dma->tx_buf_dma, GFP_KERNEL);
++ if (!dma->tx_buf_virt)
++ ret = -ENOMEM;
++
+ /* Get Consistent memory for Rx DMA */
+ dma->rx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev,
+ PCH_BUF_SIZE, &dma->rx_buf_dma, GFP_KERNEL);
++ if (!dma->rx_buf_virt)
++ ret = -ENOMEM;
++
++ return ret;
+ }
+
+ static int pch_spi_pd_probe(struct platform_device *plat_dev)
+@@ -1382,7 +1391,9 @@ static int pch_spi_pd_probe(struct platform_device *plat_dev)
+
+ if (use_dma) {
+ dev_info(&plat_dev->dev, "Use DMA for data transfers\n");
+- pch_alloc_dma_buf(board_dat, data);
++ ret = pch_alloc_dma_buf(board_dat, data);
++ if (ret)
++ goto err_spi_register_master;
+ }
+
+ ret = spi_register_master(master);
+--
+2.20.1
+
--- /dev/null
+From d08bd1477cb1b86fc089c75b51374876b455588a Mon Sep 17 00:00:00 2001
+From: Sowjanya Komatineni <skomatineni@nvidia.com>
+Date: Tue, 26 Mar 2019 22:56:32 -0700
+Subject: spi: tegra114: reset controller on probe
+
+[ Upstream commit 019194933339b3e9b486639c8cb3692020844d65 ]
+
+Fixes: SPI driver can be built as module so perform SPI controller reset
+on probe to make sure it is in valid state before initiating transfer.
+
+Signed-off-by: Sowjanya Komatineni <skomatineni@nvidia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra114.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c
+index 44550182a4a36..2ad04796ef298 100644
+--- a/drivers/spi/spi-tegra114.c
++++ b/drivers/spi/spi-tegra114.c
+@@ -1067,27 +1067,19 @@ static int tegra_spi_probe(struct platform_device *pdev)
+
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+- ret = request_threaded_irq(tspi->irq, tegra_spi_isr,
+- tegra_spi_isr_thread, IRQF_ONESHOT,
+- dev_name(&pdev->dev), tspi);
+- if (ret < 0) {
+- dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+- tspi->irq);
+- goto exit_free_master;
+- }
+
+ tspi->clk = devm_clk_get(&pdev->dev, "spi");
+ if (IS_ERR(tspi->clk)) {
+ dev_err(&pdev->dev, "can not get clock\n");
+ ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_free_master;
+ }
+
+ tspi->rst = devm_reset_control_get_exclusive(&pdev->dev, "spi");
+ if (IS_ERR(tspi->rst)) {
+ dev_err(&pdev->dev, "can not get reset\n");
+ ret = PTR_ERR(tspi->rst);
+- goto exit_free_irq;
++ goto exit_free_master;
+ }
+
+ tspi->max_buf_size = SPI_FIFO_DEPTH << 2;
+@@ -1095,7 +1087,7 @@ static int tegra_spi_probe(struct platform_device *pdev)
+
+ ret = tegra_spi_init_dma_param(tspi, true);
+ if (ret < 0)
+- goto exit_free_irq;
++ goto exit_free_master;
+ ret = tegra_spi_init_dma_param(tspi, false);
+ if (ret < 0)
+ goto exit_rx_dma_free;
+@@ -1117,18 +1109,32 @@ static int tegra_spi_probe(struct platform_device *pdev)
+ dev_err(&pdev->dev, "pm runtime get failed, e = %d\n", ret);
+ goto exit_pm_disable;
+ }
++
++ reset_control_assert(tspi->rst);
++ udelay(2);
++ reset_control_deassert(tspi->rst);
+ tspi->def_command1_reg = SPI_M_S;
+ tegra_spi_writel(tspi, tspi->def_command1_reg, SPI_COMMAND1);
+ pm_runtime_put(&pdev->dev);
++ ret = request_threaded_irq(tspi->irq, tegra_spi_isr,
++ tegra_spi_isr_thread, IRQF_ONESHOT,
++ dev_name(&pdev->dev), tspi);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
++ tspi->irq);
++ goto exit_pm_disable;
++ }
+
+ master->dev.of_node = pdev->dev.of_node;
+ ret = devm_spi_register_master(&pdev->dev, master);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "can not register to master err %d\n", ret);
+- goto exit_pm_disable;
++ goto exit_free_irq;
+ }
+ return ret;
+
++exit_free_irq:
++ free_irq(spi_irq, tspi);
+ exit_pm_disable:
+ pm_runtime_disable(&pdev->dev);
+ if (!pm_runtime_status_suspended(&pdev->dev))
+@@ -1136,8 +1142,6 @@ static int tegra_spi_probe(struct platform_device *pdev)
+ tegra_spi_deinit_dma_param(tspi, false);
+ exit_rx_dma_free:
+ tegra_spi_deinit_dma_param(tspi, true);
+-exit_free_irq:
+- free_irq(spi_irq, tspi);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From d0d1e4cc17b3a25922f8fac295ca8b3ac3c644cc Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 10:57:54 -0500
+Subject: thunderbolt: Fix to check for kmemdup failure
+
+[ Upstream commit 2cc12751cf464a722ff57b54d17d30c84553f9c0 ]
+
+Memory allocated via kmemdup might fail and return a NULL pointer.
+This patch adds a check on the return value of kmemdup and passes the
+error upstream.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/switch.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c
+index 8bd1371099808..fe2384b019ec9 100644
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -1206,13 +1206,14 @@ int tb_switch_configure(struct tb_switch *sw)
+ return tb_plug_events_active(sw, true);
+ }
+
+-static void tb_switch_set_uuid(struct tb_switch *sw)
++static int tb_switch_set_uuid(struct tb_switch *sw)
+ {
+ u32 uuid[4];
+- int cap;
++ int cap, ret;
+
++ ret = 0;
+ if (sw->uuid)
+- return;
++ return ret;
+
+ /*
+ * The newer controllers include fused UUID as part of link
+@@ -1220,7 +1221,9 @@ static void tb_switch_set_uuid(struct tb_switch *sw)
+ */
+ cap = tb_switch_find_vse_cap(sw, TB_VSE_CAP_LINK_CONTROLLER);
+ if (cap > 0) {
+- tb_sw_read(sw, uuid, TB_CFG_SWITCH, cap + 3, 4);
++ ret = tb_sw_read(sw, uuid, TB_CFG_SWITCH, cap + 3, 4);
++ if (ret)
++ return ret;
+ } else {
+ /*
+ * ICM generates UUID based on UID and fills the upper
+@@ -1235,6 +1238,9 @@ static void tb_switch_set_uuid(struct tb_switch *sw)
+ }
+
+ sw->uuid = kmemdup(uuid, sizeof(uuid), GFP_KERNEL);
++ if (!sw->uuid)
++ ret = -ENOMEM;
++ return ret;
+ }
+
+ static int tb_switch_add_dma_port(struct tb_switch *sw)
+@@ -1280,7 +1286,9 @@ static int tb_switch_add_dma_port(struct tb_switch *sw)
+
+ if (status) {
+ tb_sw_info(sw, "switch flash authentication failed\n");
+- tb_switch_set_uuid(sw);
++ ret = tb_switch_set_uuid(sw);
++ if (ret)
++ return ret;
+ nvm_set_auth_status(sw, status);
+ }
+
+@@ -1330,7 +1338,9 @@ int tb_switch_add(struct tb_switch *sw)
+ }
+ tb_sw_info(sw, "uid: %#llx\n", sw->uid);
+
+- tb_switch_set_uuid(sw);
++ ret = tb_switch_set_uuid(sw);
++ if (ret)
++ return ret;
+
+ for (i = 0; i <= sw->config.max_port_number; i++) {
+ if (sw->ports[i].disabled) {
+--
+2.20.1
+
--- /dev/null
+From 470db632a0e7126bccfe257992d8952fb2ec1ddf Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Date: Thu, 2 May 2019 08:56:50 -0700
+Subject: tools/bpf: fix perf build error with uClibc (seen on ARC)
+
+[ Upstream commit ca31ca8247e2d3807ff5fa1d1760616a2292001c ]
+
+When build perf for ARC recently, there was a build failure due to lack
+of __NR_bpf.
+
+| Auto-detecting system features:
+|
+| ... get_cpuid: [ OFF ]
+| ... bpf: [ on ]
+|
+| # error __NR_bpf not defined. libbpf does not support your arch.
+ ^~~~~
+| bpf.c: In function 'sys_bpf':
+| bpf.c:66:17: error: '__NR_bpf' undeclared (first use in this function)
+| return syscall(__NR_bpf, cmd, attr, size);
+| ^~~~~~~~
+| sys_bpf
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
+index 1d6907d379c99..976b28137d836 100644
+--- a/tools/lib/bpf/bpf.c
++++ b/tools/lib/bpf/bpf.c
+@@ -41,6 +41,8 @@
+ # define __NR_bpf 349
+ # elif defined(__s390__)
+ # define __NR_bpf 351
++# elif defined(__arc__)
++# define __NR_bpf 280
+ # else
+ # error __NR_bpf not defined. libbpf does not support your arch.
+ # endif
+--
+2.20.1
+
--- /dev/null
+From 9ecc43cd2ee9849cc80e8ace0b3d08f89277029d Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 02:07:12 -0500
+Subject: tty: ipwireless: fix missing checks for ioremap
+
+[ Upstream commit 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3 ]
+
+ipw->attr_memory and ipw->common_memory are assigned with the
+return value of ioremap. ioremap may fail, but no checks
+are enforced. The fix inserts the checks to avoid potential
+NULL pointer dereferences.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/ipwireless/main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c
+index 655c7948261c7..2fa4f91234693 100644
+--- a/drivers/tty/ipwireless/main.c
++++ b/drivers/tty/ipwireless/main.c
+@@ -113,6 +113,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
+
+ ipw->common_memory = ioremap(p_dev->resource[2]->start,
+ resource_size(p_dev->resource[2]));
++ if (!ipw->common_memory) {
++ ret = -ENOMEM;
++ goto exit1;
++ }
+ if (!request_mem_region(p_dev->resource[2]->start,
+ resource_size(p_dev->resource[2]),
+ IPWIRELESS_PCCARD_NAME)) {
+@@ -133,6 +137,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
+
+ ipw->attr_memory = ioremap(p_dev->resource[3]->start,
+ resource_size(p_dev->resource[3]));
++ if (!ipw->attr_memory) {
++ ret = -ENOMEM;
++ goto exit3;
++ }
+ if (!request_mem_region(p_dev->resource[3]->start,
+ resource_size(p_dev->resource[3]),
+ IPWIRELESS_PCCARD_NAME)) {
+--
+2.20.1
+
--- /dev/null
+From 1c21a9cb8a1fc810f51c4344b0c98d204dc15c98 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 22 Mar 2019 14:54:05 -0700
+Subject: usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
+
+[ Upstream commit 8ead7e817224d7832fe51a19783cb8fcadc79467 ]
+
+If ohci-platform is runtime suspended, we can currently get an "imprecise
+external abort" on reboot with ohci-platform loaded when PM runtime
+is implemented for the SoC.
+
+Let's fix this by adding PM runtime support to usb_hcd_platform_shutdown.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hcd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index d0b2e0ed9babb..5fcea1114e2f6 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -3053,6 +3053,9 @@ usb_hcd_platform_shutdown(struct platform_device *dev)
+ {
+ struct usb_hcd *hcd = platform_get_drvdata(dev);
+
++ /* No need for pm_runtime_put(), we're shutting down */
++ pm_runtime_get_sync(&dev->dev);
++
+ if (hcd->driver->shutdown)
+ hcd->driver->shutdown(hcd);
+ }
+--
+2.20.1
+
--- /dev/null
+From 4f00af0bce27da700255de0b07922e4f4afae67c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 Apr 2019 10:50:01 -0400
+Subject: USB: core: Don't unbind interfaces following device reset failure
+
+[ Upstream commit 381419fa720060ba48b7bbc483be787d5b1dca6f ]
+
+The SCSI core does not like to have devices or hosts unregistered
+while error recovery is in progress. Trying to do so can lead to
+self-deadlock: Part of the removal code tries to obtain a lock already
+held by the error handler.
+
+This can cause problems for the usb-storage and uas drivers, because
+their error handler routines perform a USB reset, and if the reset
+fails then the USB core automatically goes on to unbind all drivers
+from the device's interfaces -- all while still in the context of the
+SCSI error handler.
+
+As it turns out, practically all the scenarios leading to a USB reset
+failure end up causing a device disconnect (the main error pathway in
+usb_reset_and_verify_device(), at the end of the routine, calls
+hub_port_logical_disconnect() before returning). As a result, the
+hub_wq thread will soon become aware of the problem and will unbind
+all the device's drivers in its own context, not in the
+error-handler's context.
+
+This means that usb_reset_device() does not need to call
+usb_unbind_and_rebind_marked_interfaces() in cases where
+usb_reset_and_verify_device() has returned an error, because hub_wq
+will take care of everything anyway.
+
+This particular problem was observed in somewhat artificial
+circumstances, by using usbfs to tell a hub to power-down a port
+connected to a USB-3 mass storage device using the UAS protocol. With
+the port turned off, the currently executing command timed out and the
+error handler started running. The USB reset naturally failed,
+because the hub port was off, and the error handler deadlocked as
+described above. Not carrying out the call to
+usb_unbind_and_rebind_marked_interfaces() fixes this issue.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
+Tested-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
+CC: Bart Van Assche <bvanassche@acm.org>
+CC: Martin K. Petersen <martin.petersen@oracle.com>
+CC: Jacky Cao <Jacky.Cao@sony.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index a9541525ea4f0..eddecaf1f0b20 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5713,7 +5713,10 @@ int usb_reset_device(struct usb_device *udev)
+ cintf->needs_binding = 1;
+ }
+ }
+- usb_unbind_and_rebind_marked_interfaces(udev);
++
++ /* If the reset failed, hub_wq will unbind drivers later */
++ if (ret == 0)
++ usb_unbind_and_rebind_marked_interfaces(udev);
+ }
+
+ usb_autosuspend_device(udev);
+--
+2.20.1
+
--- /dev/null
+From 2f03d822ff797d46a084ae21a775d336da0de34c Mon Sep 17 00:00:00 2001
+From: Farhan Ali <alifm@linux.ibm.com>
+Date: Mon, 8 Apr 2019 17:05:31 -0400
+Subject: vfio-ccw: Do not call flush_workqueue while holding the spinlock
+
+[ Upstream commit cea5dde42a83b5f0a039da672f8686455936b8d8 ]
+
+Currently we call flush_workqueue while holding the subchannel
+spinlock. But flush_workqueue function can go to sleep, so
+do not call the function while holding the spinlock.
+
+Fixes the following bug:
+
+[ 285.203430] BUG: scheduling while atomic: bash/14193/0x00000002
+[ 285.203434] INFO: lockdep is turned off.
+....
+[ 285.203485] Preemption disabled at:
+[ 285.203488] [<000003ff80243e5c>] vfio_ccw_sch_quiesce+0xbc/0x120 [vfio_ccw]
+[ 285.203496] CPU: 7 PID: 14193 Comm: bash Tainted: G W
+....
+[ 285.203504] Call Trace:
+[ 285.203510] ([<0000000000113772>] show_stack+0x82/0xd0)
+[ 285.203514] [<0000000000b7a102>] dump_stack+0x92/0xd0
+[ 285.203518] [<000000000017b8be>] __schedule_bug+0xde/0xf8
+[ 285.203524] [<0000000000b95b5a>] __schedule+0x7a/0xc38
+[ 285.203528] [<0000000000b9678a>] schedule+0x72/0xb0
+[ 285.203533] [<0000000000b9bfbc>] schedule_timeout+0x34/0x528
+[ 285.203538] [<0000000000b97608>] wait_for_common+0x118/0x1b0
+[ 285.203544] [<0000000000166d6a>] flush_workqueue+0x182/0x548
+[ 285.203550] [<000003ff80243e6e>] vfio_ccw_sch_quiesce+0xce/0x120 [vfio_ccw]
+[ 285.203556] [<000003ff80245278>] vfio_ccw_mdev_reset+0x38/0x70 [vfio_ccw]
+[ 285.203562] [<000003ff802458b0>] vfio_ccw_mdev_remove+0x40/0x78 [vfio_ccw]
+[ 285.203567] [<000003ff801a499c>] mdev_device_remove_ops+0x3c/0x80 [mdev]
+[ 285.203573] [<000003ff801a4d5c>] mdev_device_remove+0xc4/0x130 [mdev]
+[ 285.203578] [<000003ff801a5074>] remove_store+0x6c/0xa8 [mdev]
+[ 285.203582] [<000000000046f494>] kernfs_fop_write+0x14c/0x1f8
+[ 285.203588] [<00000000003c1530>] __vfs_write+0x38/0x1a8
+[ 285.203593] [<00000000003c187c>] vfs_write+0xb4/0x198
+[ 285.203597] [<00000000003c1af2>] ksys_write+0x5a/0xb0
+[ 285.203601] [<0000000000b9e270>] system_call+0xdc/0x2d8
+
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Reviewed-by: Eric Farman <farman@linux.ibm.com>
+Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
+Message-Id: <626bab8bb2958ae132452e1ddaf1b20882ad5a9d.1554756534.git.alifm@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
+index d22759eb66407..59eb5e6d9c79d 100644
+--- a/drivers/s390/cio/vfio_ccw_drv.c
++++ b/drivers/s390/cio/vfio_ccw_drv.c
+@@ -52,9 +52,9 @@ int vfio_ccw_sch_quiesce(struct subchannel *sch)
+
+ wait_for_completion_timeout(&completion, 3*HZ);
+
+- spin_lock_irq(sch->lock);
+ private->completion = NULL;
+ flush_workqueue(vfio_ccw_work_q);
++ spin_lock_irq(sch->lock);
+ ret = cio_cancel_halt_clear(sch, &iretry);
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 5f991a326dcf05b0b4ada56ccc95f8fcda63cfe4 Mon Sep 17 00:00:00 2001
+From: Farhan Ali <alifm@linux.ibm.com>
+Date: Tue, 16 Apr 2019 17:23:14 -0400
+Subject: vfio-ccw: Prevent quiesce function going into an infinite loop
+
+[ Upstream commit d1ffa760d22aa1d8190478e5ef555c59a771db27 ]
+
+The quiesce function calls cio_cancel_halt_clear() and if we
+get an -EBUSY we go into a loop where we:
+ - wait for any interrupts
+ - flush all I/O in the workqueue
+ - retry cio_cancel_halt_clear
+
+During the period where we are waiting for interrupts or
+flushing all I/O, the channel subsystem could have completed
+a halt/clear action and turned off the corresponding activity
+control bits in the subchannel status word. This means the next
+time we call cio_cancel_halt_clear(), we will again start by
+calling cancel subchannel and so we can be stuck between calling
+cancel and halt forever.
+
+Rather than calling cio_cancel_halt_clear() immediately after
+waiting, let's try to disable the subchannel. If we succeed in
+disabling the subchannel then we know nothing else can happen
+with the device.
+
+Suggested-by: Eric Farman <farman@linux.ibm.com>
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Message-Id: <4d5a4b98ab1b41ac6131b5c36de18b76c5d66898.1555449329.git.alifm@linux.ibm.com>
+Reviewed-by: Eric Farman <farman@linux.ibm.com>
+Acked-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_drv.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
+index 59eb5e6d9c79d..6cd41086f23e4 100644
+--- a/drivers/s390/cio/vfio_ccw_drv.c
++++ b/drivers/s390/cio/vfio_ccw_drv.c
+@@ -38,26 +38,30 @@ int vfio_ccw_sch_quiesce(struct subchannel *sch)
+ if (ret != -EBUSY)
+ goto out_unlock;
+
++ iretry = 255;
+ do {
+- iretry = 255;
+
+ ret = cio_cancel_halt_clear(sch, &iretry);
+- while (ret == -EBUSY) {
+- /*
+- * Flush all I/O and wait for
+- * cancel/halt/clear completion.
+- */
+- private->completion = &completion;
+- spin_unlock_irq(sch->lock);
+
+- wait_for_completion_timeout(&completion, 3*HZ);
++ if (ret == -EIO) {
++ pr_err("vfio_ccw: could not quiesce subchannel 0.%x.%04x!\n",
++ sch->schid.ssid, sch->schid.sch_no);
++ break;
++ }
++
++ /*
++ * Flush all I/O and wait for
++ * cancel/halt/clear completion.
++ */
++ private->completion = &completion;
++ spin_unlock_irq(sch->lock);
+
+- private->completion = NULL;
+- flush_workqueue(vfio_ccw_work_q);
+- spin_lock_irq(sch->lock);
+- ret = cio_cancel_halt_clear(sch, &iretry);
+- };
++ if (ret == -EBUSY)
++ wait_for_completion_timeout(&completion, 3*HZ);
+
++ private->completion = NULL;
++ flush_workqueue(vfio_ccw_work_q);
++ spin_lock_irq(sch->lock);
+ ret = cio_disable_subchannel(sch);
+ } while (ret == -EBUSY);
+ out_unlock:
+--
+2.20.1
+
--- /dev/null
+From cfcff0515c98b418a9dfc039d0bf1a6f9be74ab7 Mon Sep 17 00:00:00 2001
+From: Farhan Ali <alifm@linux.ibm.com>
+Date: Mon, 8 Apr 2019 17:05:33 -0400
+Subject: vfio-ccw: Release any channel program when releasing/removing
+ vfio-ccw mdev
+
+[ Upstream commit b49bdc8602b7c9c7a977758bee4125683f73e59f ]
+
+When releasing the vfio-ccw mdev, we currently do not release
+any existing channel program and its pinned pages. This can
+lead to the following warning:
+
+[1038876.561565] WARNING: CPU: 2 PID: 144727 at drivers/vfio/vfio_iommu_type1.c:1494 vfio_sanity_check_pfn_list+0x40/0x70 [vfio_iommu_type1]
+
+....
+
+1038876.561921] Call Trace:
+[1038876.561935] ([<00000009897fb870>] 0x9897fb870)
+[1038876.561949] [<000003ff8013bf62>] vfio_iommu_type1_detach_group+0xda/0x2f0 [vfio_iommu_type1]
+[1038876.561965] [<000003ff8007b634>] __vfio_group_unset_container+0x64/0x190 [vfio]
+[1038876.561978] [<000003ff8007b87e>] vfio_group_put_external_user+0x26/0x38 [vfio]
+[1038876.562024] [<000003ff806fc608>] kvm_vfio_group_put_external_user+0x40/0x60 [kvm]
+[1038876.562045] [<000003ff806fcb9e>] kvm_vfio_destroy+0x5e/0xd0 [kvm]
+[1038876.562065] [<000003ff806f63fc>] kvm_put_kvm+0x2a4/0x3d0 [kvm]
+[1038876.562083] [<000003ff806f655e>] kvm_vm_release+0x36/0x48 [kvm]
+[1038876.562098] [<00000000003c2dc4>] __fput+0x144/0x228
+[1038876.562113] [<000000000016ee82>] task_work_run+0x8a/0xd8
+[1038876.562125] [<000000000014c7a8>] do_exit+0x5d8/0xd90
+[1038876.562140] [<000000000014d084>] do_group_exit+0xc4/0xc8
+[1038876.562155] [<000000000015c046>] get_signal+0x9ae/0xa68
+[1038876.562169] [<0000000000108d66>] do_signal+0x66/0x768
+[1038876.562185] [<0000000000b9e37e>] system_call+0x1ea/0x2d8
+[1038876.562195] 2 locks held by qemu-system-s39/144727:
+[1038876.562205] #0: 00000000537abaf9 (&container->group_lock){++++}, at: __vfio_group_unset_container+0x3c/0x190 [vfio]
+[1038876.562230] #1: 00000000670008b5 (&iommu->lock){+.+.}, at: vfio_iommu_type1_detach_group+0x36/0x2f0 [vfio_iommu_type1]
+[1038876.562250] Last Breaking-Event-Address:
+[1038876.562262] [<000003ff8013aa24>] vfio_sanity_check_pfn_list+0x3c/0x70 [vfio_iommu_type1]
+[1038876.562272] irq event stamp: 4236481
+[1038876.562287] hardirqs last enabled at (4236489): [<00000000001cee7a>] console_unlock+0x6d2/0x740
+[1038876.562299] hardirqs last disabled at (4236496): [<00000000001ce87e>] console_unlock+0xd6/0x740
+[1038876.562311] softirqs last enabled at (4234162): [<0000000000b9fa1e>] __do_softirq+0x556/0x598
+[1038876.562325] softirqs last disabled at (4234153): [<000000000014e4cc>] irq_exit+0xac/0x108
+[1038876.562337] ---[ end trace 6c96d467b1c3ca06 ]---
+
+Similarly we do not free the channel program when we are removing
+the vfio-ccw device. Let's fix this by resetting the device and freeing
+the channel program and pinned pages in the release path. For the remove
+path we can just quiesce the device, since in the remove path the mediated
+device is going away for good and so we don't need to do a full reset.
+
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Message-Id: <ae9f20dc8873f2027f7b3c5d2aaa0bdfe06850b8.1554756534.git.alifm@linux.ibm.com>
+Acked-by: Eric Farman <farman@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_ops.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_ops.c b/drivers/s390/cio/vfio_ccw_ops.c
+index 41eeb57d68a3d..560013c8d2a48 100644
+--- a/drivers/s390/cio/vfio_ccw_ops.c
++++ b/drivers/s390/cio/vfio_ccw_ops.c
+@@ -130,11 +130,12 @@ static int vfio_ccw_mdev_remove(struct mdev_device *mdev)
+
+ if ((private->state != VFIO_CCW_STATE_NOT_OPER) &&
+ (private->state != VFIO_CCW_STATE_STANDBY)) {
+- if (!vfio_ccw_mdev_reset(mdev))
++ if (!vfio_ccw_sch_quiesce(private->sch))
+ private->state = VFIO_CCW_STATE_STANDBY;
+ /* The state will be NOT_OPER on error. */
+ }
+
++ cp_free(&private->cp);
+ private->mdev = NULL;
+ atomic_inc(&private->avail);
+
+@@ -158,6 +159,14 @@ static void vfio_ccw_mdev_release(struct mdev_device *mdev)
+ struct vfio_ccw_private *private =
+ dev_get_drvdata(mdev_parent_dev(mdev));
+
++ if ((private->state != VFIO_CCW_STATE_NOT_OPER) &&
++ (private->state != VFIO_CCW_STATE_STANDBY)) {
++ if (!vfio_ccw_mdev_reset(mdev))
++ private->state = VFIO_CCW_STATE_STANDBY;
++ /* The state will be NOT_OPER on error. */
++ }
++
++ cp_free(&private->cp);
+ vfio_unregister_notifier(mdev_dev(mdev), VFIO_IOMMU_NOTIFY,
+ &private->nb);
+ }
+--
+2.20.1
+
--- /dev/null
+From 39b6c0f154569031367751e208795947fcade6c2 Mon Sep 17 00:00:00 2001
+From: Pankaj Gupta <pagupta@redhat.com>
+Date: Tue, 19 Mar 2019 11:34:06 +0530
+Subject: virtio_console: initialize vtermno value for ports
+
+[ Upstream commit 4b0a2c5ff7215206ea6135a405f17c5f6fca7d00 ]
+
+For regular serial ports we do not initialize value of vtermno
+variable. A garbage value is assigned for non console ports.
+The value can be observed as a random integer with [1].
+
+[1] vim /sys/kernel/debug/virtio-ports/vport*p*
+
+This patch initialize the value of vtermno for console serial
+ports to '1' and regular serial ports are initiaized to '0'.
+
+Reported-by: siliu@redhat.com
+Signed-off-by: Pankaj Gupta <pagupta@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/virtio_console.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index a089474cb046a..65454acd4b974 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -75,7 +75,7 @@ struct ports_driver_data {
+ /* All the console devices handled by this driver */
+ struct list_head consoles;
+ };
+-static struct ports_driver_data pdrvdata;
++static struct ports_driver_data pdrvdata = { .next_vtermno = 1};
+
+ static DEFINE_SPINLOCK(pdrvdata_lock);
+ static DECLARE_COMPLETION(early_console_added);
+@@ -1422,6 +1422,7 @@ static int add_port(struct ports_device *portdev, u32 id)
+ port->async_queue = NULL;
+
+ port->cons.ws.ws_row = port->cons.ws.ws_col = 0;
++ port->cons.vtermno = 0;
+
+ port->host_connected = port->guest_connected = false;
+ port->stats = (struct port_stats) { 0 };
+--
+2.20.1
+
--- /dev/null
+From 0c85c7669aa6b2086486e78f805d31c013bd9c97 Mon Sep 17 00:00:00 2001
+From: Mariusz Bialonczyk <manio@skyboo.net>
+Date: Thu, 21 Mar 2019 11:52:55 +0100
+Subject: w1: fix the resume command API
+
+[ Upstream commit 62909da8aca048ecf9fbd7e484e5100608f40a63 ]
+
+>From the DS2408 datasheet [1]:
+"Resume Command function checks the status of the RC flag and, if it is set,
+ directly transfers control to the control functions, similar to a Skip ROM
+ command. The only way to set the RC flag is through successfully executing
+ the Match ROM, Search ROM, Conditional Search ROM, or Overdrive-Match ROM
+ command"
+
+The function currently works perfectly fine in a multidrop bus, but when we
+have only a single slave connected, then only a Skip ROM is used and Match
+ROM is not called at all. This is leading to problems e.g. with single one
+DS2408 connected, as the Resume Command is not working properly and the
+device is responding with failing results after the Resume Command.
+
+This commit is fixing this by using a Skip ROM instead in those cases.
+The bandwidth / performance advantage is exactly the same.
+
+Refs:
+[1] https://datasheets.maximintegrated.com/en/ds/DS2408.pdf
+
+Signed-off-by: Mariusz Bialonczyk <manio@skyboo.net>
+Reviewed-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1_io.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/w1/w1_io.c b/drivers/w1/w1_io.c
+index d191e1f805799..661551c4ffa25 100644
+--- a/drivers/w1/w1_io.c
++++ b/drivers/w1/w1_io.c
+@@ -430,8 +430,7 @@ int w1_reset_resume_command(struct w1_master *dev)
+ if (w1_reset_bus(dev))
+ return -1;
+
+- /* This will make only the last matched slave perform a skip ROM. */
+- w1_write_8(dev, W1_RESUME_CMD);
++ w1_write_8(dev, dev->slave_count > 1 ? W1_RESUME_CMD : W1_SKIP_ROM);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(w1_reset_resume_command);
+--
+2.20.1
+
--- /dev/null
+From f6704822e318da58f5453ef758287ae62010b1a4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 4 Apr 2019 14:40:27 -0700
+Subject: x86/build: Keep local relocations with ld.lld
+
+[ Upstream commit 7c21383f3429dd70da39c0c7f1efa12377a47ab6 ]
+
+The LLVM linker (ld.lld) defaults to removing local relocations, which
+causes KASLR boot failures. ld.bfd and ld.gold already handle this
+correctly. This adds the explicit instruction "--discard-none" during
+the link phase. There is no change in output for ld.bfd and ld.gold,
+but ld.lld now produces an image with all the needed relocations.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: clang-built-linux@googlegroups.com
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190404214027.GA7324@beast
+Link: https://github.com/ClangBuiltLinux/linux/issues/404
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index eb1f8f249dc35..b4c72da8a7adb 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -48,7 +48,7 @@ export REALMODE_CFLAGS
+ export BITS
+
+ ifdef CONFIG_X86_NEED_RELOCS
+- LDFLAGS_vmlinux := --emit-relocs
++ LDFLAGS_vmlinux := --emit-relocs --discard-none
+ endif
+
+ #
+--
+2.20.1
+
--- /dev/null
+From 2ffd59a59de7de7086e5eccc8bc05c070f3939c3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 23 Apr 2019 11:38:27 -0700
+Subject: x86/build: Move _etext to actual end of .text
+
+[ Upstream commit 392bef709659abea614abfe53cf228e7a59876a4 ]
+
+When building x86 with Clang LTO and CFI, CFI jump regions are
+automatically added to the end of the .text section late in linking. As a
+result, the _etext position was being labelled before the appended jump
+regions, causing confusion about where the boundaries of the executable
+region actually are in the running kernel, and broke at least the fault
+injection code. This moves the _etext mark to outside (and immediately
+after) the .text area, as it already the case on other architectures
+(e.g. arm64, arm).
+
+Reported-and-tested-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20190423183827.GA4012@beast
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/vmlinux.lds.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
+index 2384a2ae5ec3e..23df6eebe82f4 100644
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -131,11 +131,11 @@ SECTIONS
+ *(.text.__x86.indirect_thunk)
+ __indirect_thunk_end = .;
+ #endif
+-
+- /* End of text section */
+- _etext = .;
+ } :text = 0x9090
+
++ /* End of text section */
++ _etext = .;
++
+ NOTES :text :note
+
+ EXCEPTION_TABLE(16) :text = 0x9090
+--
+2.20.1
+
--- /dev/null
+From 76a57a342b7cd728c4e386b81b4629481b429e3c Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 25 Feb 2019 12:56:35 +0100
+Subject: x86/ia32: Fix ia32_restore_sigcontext() AC leak
+
+[ Upstream commit 67a0514afdbb8b2fc70b771b8c77661a9cb9d3a9 ]
+
+Objtool spotted that we call native_load_gs_index() with AC set.
+Re-arrange the code to avoid that.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/ia32/ia32_signal.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
+index 41c671854642f..789284d19b558 100644
+--- a/arch/x86/ia32/ia32_signal.c
++++ b/arch/x86/ia32/ia32_signal.c
+@@ -62,9 +62,8 @@
+ } while (0)
+
+ #define RELOAD_SEG(seg) { \
+- unsigned int pre = GET_SEG(seg); \
++ unsigned int pre = (seg) | 3; \
+ unsigned int cur = get_user_seg(seg); \
+- pre |= 3; \
+ if (pre != cur) \
+ set_user_seg(seg, pre); \
+ }
+@@ -73,6 +72,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ struct sigcontext_32 __user *sc)
+ {
+ unsigned int tmpflags, err = 0;
++ u16 gs, fs, es, ds;
+ void __user *buf;
+ u32 tmp;
+
+@@ -80,16 +80,10 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ current->restart_block.fn = do_no_restart_syscall;
+
+ get_user_try {
+- /*
+- * Reload fs and gs if they have changed in the signal
+- * handler. This does not handle long fs/gs base changes in
+- * the handler, but does not clobber them at least in the
+- * normal case.
+- */
+- RELOAD_SEG(gs);
+- RELOAD_SEG(fs);
+- RELOAD_SEG(ds);
+- RELOAD_SEG(es);
++ gs = GET_SEG(gs);
++ fs = GET_SEG(fs);
++ ds = GET_SEG(ds);
++ es = GET_SEG(es);
+
+ COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx);
+ COPY(dx); COPY(cx); COPY(ip); COPY(ax);
+@@ -107,6 +101,17 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ buf = compat_ptr(tmp);
+ } get_user_catch(err);
+
++ /*
++ * Reload fs and gs if they have changed in the signal
++ * handler. This does not handle long fs/gs base changes in
++ * the handler, but does not clobber them at least in the
++ * normal case.
++ */
++ RELOAD_SEG(gs);
++ RELOAD_SEG(fs);
++ RELOAD_SEG(ds);
++ RELOAD_SEG(es);
++
+ err |= fpu__restore_sig(buf, 1);
+
+ force_iret();
+--
+2.20.1
+
--- /dev/null
+From e7abfc10ab11bcff510c90fefd90d4bce4a3bd0e Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 14 Apr 2019 17:59:38 +0200
+Subject: x86/irq/64: Limit IST stack overflow check to #DB stack
+
+[ Upstream commit 7dbcf2b0b770eeb803a416ee8dcbef78e6389d40 ]
+
+Commit
+
+ 37fe6a42b343 ("x86: Check stack overflow in detail")
+
+added a broad check for the full exception stack area, i.e. it considers
+the full exception stack area as valid.
+
+That's wrong in two aspects:
+
+ 1) It does not check the individual areas one by one
+
+ 2) #DF, NMI and #MCE are not enabling interrupts which means that a
+ regular device interrupt cannot happen in their context. In fact if a
+ device interrupt hits one of those IST stacks that's a bug because some
+ code path enabled interrupts while handling the exception.
+
+Limit the check to the #DB stack and consider all other IST stacks as
+'overflow' or invalid.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
+Cc: Nicolai Stange <nstange@suse.de>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190414160143.682135110@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/irq_64.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
+index 0469cd078db15..b50ac9c7397bb 100644
+--- a/arch/x86/kernel/irq_64.c
++++ b/arch/x86/kernel/irq_64.c
+@@ -26,9 +26,18 @@ int sysctl_panic_on_stackoverflow;
+ /*
+ * Probabilistic stack overflow check:
+ *
+- * Only check the stack in process context, because everything else
+- * runs on the big interrupt stacks. Checking reliably is too expensive,
+- * so we just check from interrupts.
++ * Regular device interrupts can enter on the following stacks:
++ *
++ * - User stack
++ *
++ * - Kernel task stack
++ *
++ * - Interrupt stack if a device driver reenables interrupts
++ * which should only happen in really old drivers.
++ *
++ * - Debug IST stack
++ *
++ * All other contexts are invalid.
+ */
+ static inline void stack_overflow_check(struct pt_regs *regs)
+ {
+@@ -53,8 +62,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+ return;
+
+ oist = this_cpu_ptr(&orig_ist);
+- estack_top = (u64)oist->ist[0] - EXCEPTION_STKSZ + STACK_TOP_MARGIN;
+- estack_bottom = (u64)oist->ist[N_EXCEPTION_STACKS - 1];
++ estack_bottom = (u64)oist->ist[DEBUG_STACK];
++ estack_top = estack_bottom - DEBUG_STKSZ + STACK_TOP_MARGIN;
+ if (regs->sp >= estack_top && regs->sp <= estack_bottom)
+ return;
+
+--
+2.20.1
+
--- /dev/null
+From f03c1a56ef6239050a864ba32ee02f3e6d27f67d Mon Sep 17 00:00:00 2001
+From: Tony Luck <tony.luck@intel.com>
+Date: Tue, 12 Mar 2019 10:09:38 -0700
+Subject: x86/mce: Fix machine_check_poll() tests for error types
+
+[ Upstream commit f19501aa07f18268ab14f458b51c1c6b7f72a134 ]
+
+There has been a lurking "TBD" in the machine check poll routine ever
+since it was first split out from the machine check handler. The
+potential issue is that the poll routine may have just begun a read from
+the STATUS register in a machine check bank when the hardware logs an
+error in that bank and signals a machine check.
+
+That race used to be pretty small back when machine checks were
+broadcast, but the addition of local machine check means that the poll
+code could continue running and clear the error from the bank before the
+local machine check handler on another CPU gets around to reading it.
+
+Fix the code to be sure to only process errors that need to be processed
+in the poll code, leaving other logged errors alone for the machine
+check handler to find and process.
+
+ [ bp: Massage a bit and flip the "== 0" check to the usual !(..) test. ]
+
+Fixes: b79109c3bbcf ("x86, mce: separate correct machine check poller and fatal exception handler")
+Fixes: ed7290d0ee8f ("x86, mce: implement new status bits")
+Reported-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Cc: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Link: https://lkml.kernel.org/r/20190312170938.GA23035@agluck-desk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 44 +++++++++++++++++++++++++++-----
+ 1 file changed, 37 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
+index 54874e2b1d325..4f3be91f0b0bc 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -701,19 +701,49 @@ bool machine_check_poll(enum mcp_flags flags, mce_banks_t *b)
+
+ barrier();
+ m.status = mce_rdmsrl(msr_ops.status(i));
++
++ /* If this entry is not valid, ignore it */
+ if (!(m.status & MCI_STATUS_VAL))
+ continue;
+
+ /*
+- * Uncorrected or signalled events are handled by the exception
+- * handler when it is enabled, so don't process those here.
+- *
+- * TBD do the same check for MCI_STATUS_EN here?
++ * If we are logging everything (at CPU online) or this
++ * is a corrected error, then we must log it.
+ */
+- if (!(flags & MCP_UC) &&
+- (m.status & (mca_cfg.ser ? MCI_STATUS_S : MCI_STATUS_UC)))
+- continue;
++ if ((flags & MCP_UC) || !(m.status & MCI_STATUS_UC))
++ goto log_it;
++
++ /*
++ * Newer Intel systems that support software error
++ * recovery need to make additional checks. Other
++ * CPUs should skip over uncorrected errors, but log
++ * everything else.
++ */
++ if (!mca_cfg.ser) {
++ if (m.status & MCI_STATUS_UC)
++ continue;
++ goto log_it;
++ }
++
++ /* Log "not enabled" (speculative) errors */
++ if (!(m.status & MCI_STATUS_EN))
++ goto log_it;
++
++ /*
++ * Log UCNA (SDM: 15.6.3 "UCR Error Classification")
++ * UC == 1 && PCC == 0 && S == 0
++ */
++ if (!(m.status & MCI_STATUS_PCC) && !(m.status & MCI_STATUS_S))
++ goto log_it;
++
++ /*
++ * Skip anything else. Presumption is that our read of this
++ * bank is racing with a machine check. Leave the log alone
++ * for do_machine_check() to deal with it.
++ */
++ continue;
+
++log_it:
+ error_seen = true;
+
+ mce_read_aux(&m, i);
+--
+2.20.1
+
--- /dev/null
+From dabccb0221f58359a83cda7915a4a970c9098143 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Thu, 4 Apr 2019 22:14:07 +0200
+Subject: x86/microcode: Fix the ancient deprecated microcode loading method
+
+[ Upstream commit 24613a04ad1c0588c10f4b5403ca60a73d164051 ]
+
+Commit
+
+ 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present")
+
+added the new define UCODE_NEW to denote that an update should happen
+only when newer microcode (than installed on the system) has been found.
+
+But it missed adjusting that for the old /dev/cpu/microcode loading
+interface. Fix it.
+
+Fixes: 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present")
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Jann Horn <jannh@google.com>
+Link: https://lkml.kernel.org/r/20190405133010.24249-3-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/microcode/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 387a8f44fba1e..b6b44017cf164 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -418,8 +418,9 @@ static int do_microcode_update(const void __user *buf, size_t size)
+ if (ustate == UCODE_ERROR) {
+ error = -1;
+ break;
+- } else if (ustate == UCODE_OK)
++ } else if (ustate == UCODE_NEW) {
+ apply_microcode_on_target(cpu);
++ }
+ }
+
+ return error;
+--
+2.20.1
+
--- /dev/null
+From cdd489d9ddf9782bd59f14912f27cd05cdc41131 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 24 Apr 2019 09:04:57 +0200
+Subject: x86/mm: Remove in_nmi() warning from 64-bit implementation of
+ vmalloc_fault()
+
+[ Upstream commit a65c88e16f32aa9ef2e8caa68ea5c29bd5eb0ff0 ]
+
+In-NMI warnings have been added to vmalloc_fault() via:
+
+ ebc8827f75 ("x86: Barf when vmalloc and kmemcheck faults happen in NMI")
+
+back in the time when our NMI entry code could not cope with nested NMIs.
+
+These days, it's perfectly fine to take a fault in NMI context and we
+don't have to care about the fact that IRET from the fault handler might
+cause NMI nesting.
+
+This warning has already been removed from 32-bit implementation of
+vmalloc_fault() in:
+
+ 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
+
+but the 64-bit version was omitted.
+
+Remove the bogus warning also from 64-bit implementation of vmalloc_fault().
+
+Reported-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1904240902280.9803@cbobk.fhfr.pm
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/fault.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index 794c35c4ca736..b162f92fd55cf 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -426,8 +426,6 @@ static noinline int vmalloc_fault(unsigned long address)
+ if (!(address >= VMALLOC_START && address < VMALLOC_END))
+ return -1;
+
+- WARN_ON_ONCE(in_nmi());
+-
+ /*
+ * Copy kernel mappings over when needed. This can also
+ * happen within a race in page table update. In the later
+--
+2.20.1
+
--- /dev/null
+From 9b9a333dfd3d4148be904198ca9c68627530ab7f Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 7 Mar 2019 11:09:13 +0100
+Subject: x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP
+
+[ Upstream commit 4a6c91fbdef846ec7250b82f2eeeb87ac5f18cf9 ]
+
+For CONFIG_TRACE_BRANCH_PROFILING=y the likely/unlikely things get
+overloaded and generate callouts to this code, and thus also when
+AC=1.
+
+Make it safe.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_branch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/trace/trace_branch.c b/kernel/trace/trace_branch.c
+index 4ad967453b6fb..3ea65cdff30d5 100644
+--- a/kernel/trace/trace_branch.c
++++ b/kernel/trace/trace_branch.c
+@@ -205,6 +205,8 @@ void trace_likely_condition(struct ftrace_likely_data *f, int val, int expect)
+ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+ int expect, int is_constant)
+ {
++ unsigned long flags = user_access_save();
++
+ /* A constant is always correct */
+ if (is_constant) {
+ f->constant++;
+@@ -223,6 +225,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+ f->data.correct++;
+ else
+ f->data.incorrect++;
++
++ user_access_restore(flags);
+ }
+ EXPORT_SYMBOL(ftrace_likely_update);
+
+--
+2.20.1
+
--- /dev/null
+From fad224c8225935575b23b21d7c70b398d2d5c9fa Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 3 Apr 2019 09:39:48 +0200
+Subject: x86/uaccess, signal: Fix AC=1 bloat
+
+[ Upstream commit 88e4718275c1bddca6f61f300688b4553dc8584b ]
+
+Occasionally GCC is less agressive with inlining and the following is
+observed:
+
+ arch/x86/kernel/signal.o: warning: objtool: restore_sigcontext()+0x3cc: call to force_valid_ss.isra.5() with UACCESS enabled
+ arch/x86/kernel/signal.o: warning: objtool: do_signal()+0x384: call to frame_uc_flags.isra.0() with UACCESS enabled
+
+Cure this by moving this code out of the AC=1 region, since it really
+isn't needed for the user access.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/signal.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
+index 4cdc0b27ec82f..01741834fd6a0 100644
+--- a/arch/x86/kernel/signal.c
++++ b/arch/x86/kernel/signal.c
+@@ -131,16 +131,6 @@ static int restore_sigcontext(struct pt_regs *regs,
+ COPY_SEG_CPL3(cs);
+ COPY_SEG_CPL3(ss);
+
+-#ifdef CONFIG_X86_64
+- /*
+- * Fix up SS if needed for the benefit of old DOSEMU and
+- * CRIU.
+- */
+- if (unlikely(!(uc_flags & UC_STRICT_RESTORE_SS) &&
+- user_64bit_mode(regs)))
+- force_valid_ss(regs);
+-#endif
+-
+ get_user_ex(tmpflags, &sc->flags);
+ regs->flags = (regs->flags & ~FIX_EFLAGS) | (tmpflags & FIX_EFLAGS);
+ regs->orig_ax = -1; /* disable syscall checks */
+@@ -149,6 +139,15 @@ static int restore_sigcontext(struct pt_regs *regs,
+ buf = (void __user *)buf_val;
+ } get_user_catch(err);
+
++#ifdef CONFIG_X86_64
++ /*
++ * Fix up SS if needed for the benefit of old DOSEMU and
++ * CRIU.
++ */
++ if (unlikely(!(uc_flags & UC_STRICT_RESTORE_SS) && user_64bit_mode(regs)))
++ force_valid_ss(regs);
++#endif
++
+ err |= fpu__restore_sig(buf, IS_ENABLED(CONFIG_X86_32));
+
+ force_iret();
+@@ -460,6 +459,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ {
+ struct rt_sigframe __user *frame;
+ void __user *fp = NULL;
++ unsigned long uc_flags;
+ int err = 0;
+
+ frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe), &fp);
+@@ -472,9 +472,11 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ return -EFAULT;
+ }
+
++ uc_flags = frame_uc_flags(regs);
++
+ put_user_try {
+ /* Create the ucontext. */
+- put_user_ex(frame_uc_flags(regs), &frame->uc.uc_flags);
++ put_user_ex(uc_flags, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+ save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+
+@@ -540,6 +542,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
+ {
+ #ifdef CONFIG_X86_X32_ABI
+ struct rt_sigframe_x32 __user *frame;
++ unsigned long uc_flags;
+ void __user *restorer;
+ int err = 0;
+ void __user *fpstate = NULL;
+@@ -554,9 +557,11 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
+ return -EFAULT;
+ }
+
++ uc_flags = frame_uc_flags(regs);
++
+ put_user_try {
+ /* Create the ucontext. */
+- put_user_ex(frame_uc_flags(regs), &frame->uc.uc_flags);
++ put_user_ex(uc_flags, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+ compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+ put_user_ex(0, &frame->uc.uc__pad0);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
