--- /dev/null
+From 2db4e2ae61b4c8cffee2b0f8cdcf1e52054e735f Mon Sep 17 00:00:00 2001
+From: Matt Flax <flatmax@flatmax.org>
+Date: Wed, 8 May 2019 16:33:13 +1000
+Subject: ASoC : cs4265 : readable register too low
+
+[ Upstream commit f3df05c805983427319eddc2411a2105ee1757cf ]
+
+The cs4265_readable_register function stopped short of the maximum
+register.
+
+An example bug is taken from :
+https://github.com/Audio-Injector/Ultra/issues/25
+
+Where alsactl store fails with :
+Cannot read control '2,0,0,C Data Buffer,0': Input/output error
+
+This patch fixes the bug by setting the cs4265 to have readable
+registers up to the maximum hardware register CS4265_MAX_REGISTER.
+
+Signed-off-by: Matt Flax <flatmax@flatmax.org>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs4265.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs4265.c b/sound/soc/codecs/cs4265.c
+index 6e8eb1f5a041..bed64723e5d9 100644
+--- a/sound/soc/codecs/cs4265.c
++++ b/sound/soc/codecs/cs4265.c
+@@ -60,7 +60,7 @@ static const struct reg_default cs4265_reg_defaults[] = {
+ static bool cs4265_readable_register(struct device *dev, unsigned int reg)
+ {
+ switch (reg) {
+- case CS4265_CHIP_ID ... CS4265_SPDIF_CTL2:
++ case CS4265_CHIP_ID ... CS4265_MAX_REGISTER:
+ return true;
+ default:
+ return false;
+--
+2.20.1
+
--- /dev/null
+From 25449b1b3f4d5b141611d66fdbb1c3210e0c5e4b Mon Sep 17 00:00:00 2001
+From: Yu-Hsuan Hsu <yuhsuan@chromium.org>
+Date: Tue, 4 Jun 2019 18:49:09 +0800
+Subject: ASoC: max98090: remove 24-bit format support if RJ is 0
+
+[ Upstream commit 5628c8979642a076f91ee86c3bae5ad251639af0 ]
+
+The supported formats are S16_LE and S24_LE now. However, by datasheet
+of max98090, S24_LE is only supported when it is in the right justified
+mode. We should remove 24-bit format if it is not in that mode to avoid
+triggering error.
+
+Signed-off-by: Yu-Hsuan Hsu <yuhsuan@chromium.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/max98090.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c
+index cc66ea5cc776..3fe09828745a 100644
+--- a/sound/soc/codecs/max98090.c
++++ b/sound/soc/codecs/max98090.c
+@@ -1924,6 +1924,21 @@ static int max98090_configure_dmic(struct max98090_priv *max98090,
+ return 0;
+ }
+
++static int max98090_dai_startup(struct snd_pcm_substream *substream,
++ struct snd_soc_dai *dai)
++{
++ struct snd_soc_component *component = dai->component;
++ struct max98090_priv *max98090 = snd_soc_component_get_drvdata(component);
++ unsigned int fmt = max98090->dai_fmt;
++
++ /* Remove 24-bit format support if it is not in right justified mode. */
++ if ((fmt & SND_SOC_DAIFMT_FORMAT_MASK) != SND_SOC_DAIFMT_RIGHT_J) {
++ substream->runtime->hw.formats = SNDRV_PCM_FMTBIT_S16_LE;
++ snd_pcm_hw_constraint_msbits(substream->runtime, 0, 16, 16);
++ }
++ return 0;
++}
++
+ static int max98090_dai_hw_params(struct snd_pcm_substream *substream,
+ struct snd_pcm_hw_params *params,
+ struct snd_soc_dai *dai)
+@@ -2331,6 +2346,7 @@ EXPORT_SYMBOL_GPL(max98090_mic_detect);
+ #define MAX98090_FORMATS (SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE)
+
+ static const struct snd_soc_dai_ops max98090_dai_ops = {
++ .startup = max98090_dai_startup,
+ .set_sysclk = max98090_dai_set_sysclk,
+ .set_fmt = max98090_dai_set_fmt,
+ .set_tdm_slot = max98090_set_tdm_slot,
+--
+2.20.1
+
--- /dev/null
+From 170067c034a5a4d18be0a1f72762be260a317da2 Mon Sep 17 00:00:00 2001
+From: Libin Yang <libin.yang@intel.com>
+Date: Wed, 8 May 2019 10:32:41 +0800
+Subject: ASoC: soc-pcm: BE dai needs prepare when pause release after resume
+
+[ Upstream commit 5087a8f17df868601cd7568299e91c28086d2b45 ]
+
+If playback/capture is paused and system enters S3, after system returns
+from suspend, BE dai needs to call prepare() callback when playback/capture
+is released from pause if RESUME_INFO flag is not set.
+
+Currently, the dpcm_be_dai_prepare() function will block calling prepare()
+if the pcm is in SND_SOC_DPCM_STATE_PAUSED state. This will cause the
+following test case fail if the pcm uses BE:
+
+playback -> pause -> S3 suspend -> S3 resume -> pause release
+
+The playback may exit abnormally when pause is released because the BE dai
+prepare() is not called.
+
+This patch allows dpcm_be_dai_prepare() to call dai prepare() callback in
+SND_SOC_DPCM_STATE_PAUSED state.
+
+Signed-off-by: Libin Yang <libin.yang@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-pcm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
+index 584b7ffe78f5..052b6294a428 100644
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -2233,7 +2233,8 @@ int dpcm_be_dai_prepare(struct snd_soc_pcm_runtime *fe, int stream)
+
+ if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_HW_PARAMS) &&
+ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_STOP) &&
+- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_SUSPEND))
++ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_SUSPEND) &&
++ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED))
+ continue;
+
+ dev_dbg(be->dev, "ASoC: prepare BE %s\n",
+--
+2.20.1
+
--- /dev/null
+From 0da0b907136db2fb3b4f3602a8e19269a15c33a4 Mon Sep 17 00:00:00 2001
+From: Marcus Cooper <codekipper@gmail.com>
+Date: Mon, 3 Jun 2019 19:47:28 +0200
+Subject: ASoC: sun4i-i2s: Add offset to RX channel select
+
+[ Upstream commit f9927000cb35f250051f0f1878db12ee2626eea1 ]
+
+Whilst testing the capture functionality of the i2s on the newer
+SoCs it was noticed that the recording was somewhat distorted.
+This was due to the offset not being set correctly on the receiver
+side.
+
+Signed-off-by: Marcus Cooper <codekipper@gmail.com>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sunxi/sun4i-i2s.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/soc/sunxi/sun4i-i2s.c b/sound/soc/sunxi/sun4i-i2s.c
+index a10913f8293f..da0a2083e12a 100644
+--- a/sound/soc/sunxi/sun4i-i2s.c
++++ b/sound/soc/sunxi/sun4i-i2s.c
+@@ -442,6 +442,10 @@ static int sun4i_i2s_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+ regmap_update_bits(i2s->regmap, SUN8I_I2S_TX_CHAN_SEL_REG,
+ SUN8I_I2S_TX_CHAN_OFFSET_MASK,
+ SUN8I_I2S_TX_CHAN_OFFSET(offset));
++
++ regmap_update_bits(i2s->regmap, SUN8I_I2S_RX_CHAN_SEL_REG,
++ SUN8I_I2S_TX_CHAN_OFFSET_MASK,
++ SUN8I_I2S_TX_CHAN_OFFSET(offset));
+ }
+
+ regmap_field_write(i2s->field_fmt_mode, val);
+--
+2.20.1
+
--- /dev/null
+From 3042398d89176f92b2946df604e300fc6d33bf5c Mon Sep 17 00:00:00 2001
+From: Marcus Cooper <codekipper@gmail.com>
+Date: Mon, 3 Jun 2019 19:47:27 +0200
+Subject: ASoC: sun4i-i2s: Fix sun8i tx channel offset mask
+
+[ Upstream commit 7e46169a5f35762f335898a75d1b8a242f2ae0f5 ]
+
+Although not causing any noticeable issues, the mask for the
+channel offset is covering too many bits.
+
+Signed-off-by: Marcus Cooper <codekipper@gmail.com>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sunxi/sun4i-i2s.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sunxi/sun4i-i2s.c b/sound/soc/sunxi/sun4i-i2s.c
+index b4af5ce78ecb..a10913f8293f 100644
+--- a/sound/soc/sunxi/sun4i-i2s.c
++++ b/sound/soc/sunxi/sun4i-i2s.c
+@@ -110,7 +110,7 @@
+
+ #define SUN8I_I2S_TX_CHAN_MAP_REG 0x44
+ #define SUN8I_I2S_TX_CHAN_SEL_REG 0x34
+-#define SUN8I_I2S_TX_CHAN_OFFSET_MASK GENMASK(13, 11)
++#define SUN8I_I2S_TX_CHAN_OFFSET_MASK GENMASK(13, 12)
+ #define SUN8I_I2S_TX_CHAN_OFFSET(offset) (offset << 12)
+ #define SUN8I_I2S_TX_CHAN_EN_MASK GENMASK(11, 4)
+ #define SUN8I_I2S_TX_CHAN_EN(num_chan) (((1 << num_chan) - 1) << 4)
+--
+2.20.1
+
--- /dev/null
+From 55f010e0436e35c8e3c3bc68c26690375d916518 Mon Sep 17 00:00:00 2001
+From: Joel Savitz <jsavitz@redhat.com>
+Date: Wed, 12 Jun 2019 11:50:48 -0400
+Subject: cpuset: restore sanity to cpuset_cpus_allowed_fallback()
+
+[ Upstream commit d477f8c202d1f0d4791ab1263ca7657bbe5cf79e ]
+
+In the case that a process is constrained by taskset(1) (i.e.
+sched_setaffinity(2)) to a subset of available cpus, and all of those are
+subsequently offlined, the scheduler will set tsk->cpus_allowed to
+the current value of task_cs(tsk)->effective_cpus.
+
+This is done via a call to do_set_cpus_allowed() in the context of
+cpuset_cpus_allowed_fallback() made by the scheduler when this case is
+detected. This is the only call made to cpuset_cpus_allowed_fallback()
+in the latest mainline kernel.
+
+However, this is not sane behavior.
+
+I will demonstrate this on a system running the latest upstream kernel
+with the following initial configuration:
+
+ # grep -i cpu /proc/$$/status
+ Cpus_allowed: ffffffff,fffffff
+ Cpus_allowed_list: 0-63
+
+(Where cpus 32-63 are provided via smt.)
+
+If we limit our current shell process to cpu2 only and then offline it
+and reonline it:
+
+ # taskset -p 4 $$
+ pid 2272's current affinity mask: ffffffffffffffff
+ pid 2272's new affinity mask: 4
+
+ # echo off > /sys/devices/system/cpu/cpu2/online
+ # dmesg | tail -3
+ [ 2195.866089] process 2272 (bash) no longer affine to cpu2
+ [ 2195.872700] IRQ 114: no longer affine to CPU2
+ [ 2195.879128] smpboot: CPU 2 is now offline
+
+ # echo on > /sys/devices/system/cpu/cpu2/online
+ # dmesg | tail -1
+ [ 2617.043572] smpboot: Booting Node 0 Processor 2 APIC 0x4
+
+We see that our current process now has an affinity mask containing
+every cpu available on the system _except_ the one we originally
+constrained it to:
+
+ # grep -i cpu /proc/$$/status
+ Cpus_allowed: ffffffff,fffffffb
+ Cpus_allowed_list: 0-1,3-63
+
+This is not sane behavior, as the scheduler can now not only place the
+process on previously forbidden cpus, it can't even schedule it on
+the cpu it was originally constrained to!
+
+Other cases result in even more exotic affinity masks. Take for instance
+a process with an affinity mask containing only cpus provided by smt at
+the moment that smt is toggled, in a configuration such as the following:
+
+ # taskset -p f000000000 $$
+ # grep -i cpu /proc/$$/status
+ Cpus_allowed: 000000f0,00000000
+ Cpus_allowed_list: 36-39
+
+A double toggle of smt results in the following behavior:
+
+ # echo off > /sys/devices/system/cpu/smt/control
+ # echo on > /sys/devices/system/cpu/smt/control
+ # grep -i cpus /proc/$$/status
+ Cpus_allowed: ffffff00,ffffffff
+ Cpus_allowed_list: 0-31,40-63
+
+This is even less sane than the previous case, as the new affinity mask
+excludes all smt-provided cpus with ids less than those that were
+previously in the affinity mask, as well as those that were actually in
+the mask.
+
+With this patch applied, both of these cases end in the following state:
+
+ # grep -i cpu /proc/$$/status
+ Cpus_allowed: ffffffff,ffffffff
+ Cpus_allowed_list: 0-63
+
+The original policy is discarded. Though not ideal, it is the simplest way
+to restore sanity to this fallback case without reinventing the cpuset
+wheel that rolls down the kernel just fine in cgroup v2. A user who wishes
+for the previous affinity mask to be restored in this fallback case can use
+that mechanism instead.
+
+This patch modifies scheduler behavior by instead resetting the mask to
+task_cs(tsk)->cpus_allowed by default, and cpu_possible mask in legacy
+mode. I tested the cases above on both modes.
+
+Note that the scheduler uses this fallback mechanism if and only if
+_every_ other valid avenue has been traveled, and it is the last resort
+before calling BUG().
+
+Suggested-by: Waiman Long <longman@redhat.com>
+Suggested-by: Phil Auld <pauld@redhat.com>
+Signed-off-by: Joel Savitz <jsavitz@redhat.com>
+Acked-by: Phil Auld <pauld@redhat.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cpuset.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
+index 4657e2924ecb..0a0e1aa11f5e 100644
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2436,10 +2436,23 @@ void cpuset_cpus_allowed(struct task_struct *tsk, struct cpumask *pmask)
+ spin_unlock_irqrestore(&callback_lock, flags);
+ }
+
++/**
++ * cpuset_cpus_allowed_fallback - final fallback before complete catastrophe.
++ * @tsk: pointer to task_struct with which the scheduler is struggling
++ *
++ * Description: In the case that the scheduler cannot find an allowed cpu in
++ * tsk->cpus_allowed, we fall back to task_cs(tsk)->cpus_allowed. In legacy
++ * mode however, this value is the same as task_cs(tsk)->effective_cpus,
++ * which will not contain a sane cpumask during cases such as cpu hotplugging.
++ * This is the absolute last resort for the scheduler and it is only used if
++ * _every_ other avenue has been traveled.
++ **/
++
+ void cpuset_cpus_allowed_fallback(struct task_struct *tsk)
+ {
+ rcu_read_lock();
+- do_set_cpus_allowed(tsk, task_cs(tsk)->effective_cpus);
++ do_set_cpus_allowed(tsk, is_in_v2_mode() ?
++ task_cs(tsk)->cpus_allowed : cpu_possible_mask);
+ rcu_read_unlock();
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From e923ce69352ec643d5cecf484e3d2c265fbfe297 Mon Sep 17 00:00:00 2001
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+Date: Wed, 29 May 2019 18:25:54 +0800
+Subject: drm/mediatek: call drm_atomic_helper_shutdown() when unbinding driver
+
+[ Upstream commit cf49b24ffa62766f8f04cd1c4cf17b75d29b240a ]
+
+shutdown all CRTC when unbinding drm driver.
+
+Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Signed-off-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+index a2ca90fc403c..cada1c75c41c 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+@@ -270,6 +270,7 @@ err_config_cleanup:
+ static void mtk_drm_kms_deinit(struct drm_device *drm)
+ {
+ drm_kms_helper_poll_fini(drm);
++ drm_atomic_helper_shutdown(drm);
+
+ component_unbind_all(drm->dev, drm);
+ drm_mode_config_cleanup(drm);
+--
+2.20.1
+
--- /dev/null
+From 08821f0282376a09cad2010f7862e21bf334896e Mon Sep 17 00:00:00 2001
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+Date: Thu, 30 May 2019 17:18:47 +0800
+Subject: drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable()
+
+[ Upstream commit 2458d9d6d94be982b917e93c61a89b4426f32e31 ]
+
+mtk_dsi_stop() should be called after mtk_drm_crtc_atomic_disable(), which
+needs ovl irq for drm_crtc_wait_one_vblank(), since after mtk_dsi_stop() is
+called, ovl irq will be disabled. If drm_crtc_wait_one_vblank() is called
+after last irq, it will timeout with this message: "vblank wait timed out
+on crtc 0". This happens sometimes when turning off the screen.
+
+In drm_atomic_helper.c#disable_outputs(),
+the calling sequence when turning off the screen is:
+
+1. mtk_dsi_encoder_disable()
+ --> mtk_output_dsi_disable()
+ --> mtk_dsi_stop(); /* sometimes make vblank timeout in
+ atomic_disable */
+ --> mtk_dsi_poweroff();
+2. mtk_drm_crtc_atomic_disable()
+ --> drm_crtc_wait_one_vblank();
+ ...
+ --> mtk_dsi_ddp_stop()
+ --> mtk_dsi_poweroff();
+
+mtk_dsi_poweroff() has reference count design, change to make
+mtk_dsi_stop() called in mtk_dsi_poweroff() when refcount is 0.
+
+Fixes: 0707632b5bac ("drm/mediatek: update DSI sub driver flow for sending commands to panel")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Signed-off-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dsi.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
+index 413313f19c36..c1b8caad65e6 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
+@@ -631,6 +631,15 @@ static void mtk_dsi_poweroff(struct mtk_dsi *dsi)
+ if (--dsi->refcount != 0)
+ return;
+
++ /*
++ * mtk_dsi_stop() and mtk_dsi_start() is asymmetric, since
++ * mtk_dsi_stop() should be called after mtk_drm_crtc_atomic_disable(),
++ * which needs irq for vblank, and mtk_dsi_stop() will disable irq.
++ * mtk_dsi_start() needs to be called in mtk_output_dsi_enable(),
++ * after dsi is fully set.
++ */
++ mtk_dsi_stop(dsi);
++
+ if (!mtk_dsi_switch_to_cmd_mode(dsi, VM_DONE_INT_FLAG, 500)) {
+ if (dsi->panel) {
+ if (drm_panel_unprepare(dsi->panel)) {
+@@ -697,7 +706,6 @@ static void mtk_output_dsi_disable(struct mtk_dsi *dsi)
+ }
+ }
+
+- mtk_dsi_stop(dsi);
+ mtk_dsi_poweroff(dsi);
+
+ dsi->enabled = false;
+--
+2.20.1
+
--- /dev/null
+From 2d5a0ab074ec5593b9977e95e278feb0fe61f59a Mon Sep 17 00:00:00 2001
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+Date: Wed, 29 May 2019 18:25:52 +0800
+Subject: drm/mediatek: fix unbind functions
+
+[ Upstream commit 8fd7a37b191f93737f6280a9b5de65f98acc12c9 ]
+
+detatch panel in mtk_dsi_destroy_conn_enc(), since .bind will try to
+attach it again.
+
+Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Signed-off-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
+index 7e5e24c2152a..413313f19c36 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
+@@ -851,6 +851,8 @@ static void mtk_dsi_destroy_conn_enc(struct mtk_dsi *dsi)
+ /* Skip connector cleanup if creation was delegated to the bridge */
+ if (dsi->conn.dev)
+ drm_connector_cleanup(&dsi->conn);
++ if (dsi->panel)
++ drm_panel_detach(dsi->panel);
+ }
+
+ static void mtk_dsi_ddp_start(struct mtk_ddp_comp *comp)
+--
+2.20.1
+
--- /dev/null
+From fab8ae35a3cb780dfbcf4143e1696b40d4961280 Mon Sep 17 00:00:00 2001
+From: Wei Li <liwei391@huawei.com>
+Date: Thu, 6 Jun 2019 11:17:54 +0800
+Subject: ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper()
+
+[ Upstream commit 04e03d9a616c19a47178eaca835358610e63a1dd ]
+
+The mapper may be NULL when called from register_ftrace_function_probe()
+with probe->data == NULL.
+
+This issue can be reproduced as follow (it may be covered by compiler
+optimization sometime):
+
+/ # cat /sys/kernel/debug/tracing/set_ftrace_filter
+#### all functions enabled ####
+/ # echo foo_bar:dump > /sys/kernel/debug/tracing/set_ftrace_filter
+[ 206.949100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+[ 206.952402] Mem abort info:
+[ 206.952819] ESR = 0x96000006
+[ 206.955326] Exception class = DABT (current EL), IL = 32 bits
+[ 206.955844] SET = 0, FnV = 0
+[ 206.956272] EA = 0, S1PTW = 0
+[ 206.956652] Data abort info:
+[ 206.957320] ISV = 0, ISS = 0x00000006
+[ 206.959271] CM = 0, WnR = 0
+[ 206.959938] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000419f3a000
+[ 206.960483] [0000000000000000] pgd=0000000411a87003, pud=0000000411a83003, pmd=0000000000000000
+[ 206.964953] Internal error: Oops: 96000006 [#1] SMP
+[ 206.971122] Dumping ftrace buffer:
+[ 206.973677] (ftrace buffer empty)
+[ 206.975258] Modules linked in:
+[ 206.976631] Process sh (pid: 281, stack limit = 0x(____ptrval____))
+[ 206.978449] CPU: 10 PID: 281 Comm: sh Not tainted 5.2.0-rc1+ #17
+[ 206.978955] Hardware name: linux,dummy-virt (DT)
+[ 206.979883] pstate: 60000005 (nZCv daif -PAN -UAO)
+[ 206.980499] pc : free_ftrace_func_mapper+0x2c/0x118
+[ 206.980874] lr : ftrace_count_free+0x68/0x80
+[ 206.982539] sp : ffff0000182f3ab0
+[ 206.983102] x29: ffff0000182f3ab0 x28: ffff8003d0ec1700
+[ 206.983632] x27: ffff000013054b40 x26: 0000000000000001
+[ 206.984000] x25: ffff00001385f000 x24: 0000000000000000
+[ 206.984394] x23: ffff000013453000 x22: ffff000013054000
+[ 206.984775] x21: 0000000000000000 x20: ffff00001385fe28
+[ 206.986575] x19: ffff000013872c30 x18: 0000000000000000
+[ 206.987111] x17: 0000000000000000 x16: 0000000000000000
+[ 206.987491] x15: ffffffffffffffb0 x14: 0000000000000000
+[ 206.987850] x13: 000000000017430e x12: 0000000000000580
+[ 206.988251] x11: 0000000000000000 x10: cccccccccccccccc
+[ 206.988740] x9 : 0000000000000000 x8 : ffff000013917550
+[ 206.990198] x7 : ffff000012fac2e8 x6 : ffff000012fac000
+[ 206.991008] x5 : ffff0000103da588 x4 : 0000000000000001
+[ 206.991395] x3 : 0000000000000001 x2 : ffff000013872a28
+[ 206.991771] x1 : 0000000000000000 x0 : 0000000000000000
+[ 206.992557] Call trace:
+[ 206.993101] free_ftrace_func_mapper+0x2c/0x118
+[ 206.994827] ftrace_count_free+0x68/0x80
+[ 206.995238] release_probe+0xfc/0x1d0
+[ 206.995555] register_ftrace_function_probe+0x4a8/0x868
+[ 206.995923] ftrace_trace_probe_callback.isra.4+0xb8/0x180
+[ 206.996330] ftrace_dump_callback+0x50/0x70
+[ 206.996663] ftrace_regex_write.isra.29+0x290/0x3a8
+[ 206.997157] ftrace_filter_write+0x44/0x60
+[ 206.998971] __vfs_write+0x64/0xf0
+[ 206.999285] vfs_write+0x14c/0x2f0
+[ 206.999591] ksys_write+0xbc/0x1b0
+[ 206.999888] __arm64_sys_write+0x3c/0x58
+[ 207.000246] el0_svc_common.constprop.0+0x408/0x5f0
+[ 207.000607] el0_svc_handler+0x144/0x1c8
+[ 207.000916] el0_svc+0x8/0xc
+[ 207.003699] Code: aa0003f8 a9025bf5 aa0103f5 f946ea80 (f9400303)
+[ 207.008388] ---[ end trace 7b6d11b5f542bdf1 ]---
+[ 207.010126] Kernel panic - not syncing: Fatal exception
+[ 207.011322] SMP: stopping secondary CPUs
+[ 207.013956] Dumping ftrace buffer:
+[ 207.014595] (ftrace buffer empty)
+[ 207.015632] Kernel Offset: disabled
+[ 207.017187] CPU features: 0x002,20006008
+[ 207.017985] Memory Limit: none
+[ 207.019825] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Link: http://lkml.kernel.org/r/20190606031754.10798-1-liwei391@huawei.com
+
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ftrace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 4e4b88047fcc..ff3c8ca907c4 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4286,10 +4286,13 @@ void free_ftrace_func_mapper(struct ftrace_func_mapper *mapper,
+ struct ftrace_func_entry *entry;
+ struct ftrace_func_map *map;
+ struct hlist_head *hhd;
+- int size = 1 << mapper->hash.size_bits;
+- int i;
++ int size, i;
++
++ if (!mapper)
++ return;
+
+ if (free_func && mapper->hash.count) {
++ size = 1 << mapper->hash.size_bits;
+ for (i = 0; i < size; i++) {
+ hhd = &mapper->hash.buckets[i];
+ hlist_for_each_entry(entry, hhd, hlist) {
+--
+2.20.1
+
--- /dev/null
+From aba466fa2f305d1e1cdba389294abfc7e31c01e7 Mon Sep 17 00:00:00 2001
+From: swkhack <swkhack@gmail.com>
+Date: Thu, 13 Jun 2019 15:56:08 -0700
+Subject: mm/mlock.c: change count_mm_mlocked_page_nr return type
+
+[ Upstream commit 0874bb49bb21bf24deda853e8bf61b8325e24bcb ]
+
+On a 64-bit machine the value of "vma->vm_end - vma->vm_start" may be
+negative when using 32 bit ints and the "count >> PAGE_SHIFT"'s result
+will be wrong. So change the local variable and return value to
+unsigned long to fix the problem.
+
+Link: http://lkml.kernel.org/r/20190513023701.83056-1-swkhack@gmail.com
+Fixes: 0cf2f6f6dc60 ("mm: mlock: check against vma for actual mlock() size")
+Signed-off-by: swkhack <swkhack@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/mlock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/mlock.c b/mm/mlock.c
+index 46af369c13e5..1f9ee86672e8 100644
+--- a/mm/mlock.c
++++ b/mm/mlock.c
+@@ -629,11 +629,11 @@ static int apply_vma_lock_flags(unsigned long start, size_t len,
+ * is also counted.
+ * Return value: previously mlocked page counts
+ */
+-static int count_mm_mlocked_page_nr(struct mm_struct *mm,
++static unsigned long count_mm_mlocked_page_nr(struct mm_struct *mm,
+ unsigned long start, size_t len)
+ {
+ struct vm_area_struct *vma;
+- int count = 0;
++ unsigned long count = 0;
+
+ if (mm == NULL)
+ mm = current->mm;
+--
+2.20.1
+
--- /dev/null
+From 2edc582e34e53c3c594c23618da2ea0772eca8bf Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Thu, 13 Jun 2019 20:07:22 -0500
+Subject: module: Fix livepatch/ftrace module text permissions race
+
+[ Upstream commit 9f255b632bf12c4dd7fc31caee89aa991ef75176 ]
+
+It's possible for livepatch and ftrace to be toggling a module's text
+permissions at the same time, resulting in the following panic:
+
+ BUG: unable to handle page fault for address: ffffffffc005b1d9
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0003) - permissions violation
+ PGD 3ea0c067 P4D 3ea0c067 PUD 3ea0e067 PMD 3cc13067 PTE 3b8a1061
+ Oops: 0003 [#1] PREEMPT SMP PTI
+ CPU: 1 PID: 453 Comm: insmod Tainted: G O K 5.2.0-rc1-a188339ca5 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
+ RIP: 0010:apply_relocate_add+0xbe/0x14c
+ Code: fa 0b 74 21 48 83 fa 18 74 38 48 83 fa 0a 75 40 eb 08 48 83 38 00 74 33 eb 53 83 38 00 75 4e 89 08 89 c8 eb 0a 83 38 00 75 43 <89> 08 48 63 c1 48 39 c8 74 2e eb 48 83 38 00 75 32 48 29 c1 89 08
+ RSP: 0018:ffffb223c00dbb10 EFLAGS: 00010246
+ RAX: ffffffffc005b1d9 RBX: 0000000000000000 RCX: ffffffff8b200060
+ RDX: 000000000000000b RSI: 0000004b0000000b RDI: ffff96bdfcd33000
+ RBP: ffffb223c00dbb38 R08: ffffffffc005d040 R09: ffffffffc005c1f0
+ R10: ffff96bdfcd33c40 R11: ffff96bdfcd33b80 R12: 0000000000000018
+ R13: ffffffffc005c1f0 R14: ffffffffc005e708 R15: ffffffff8b2fbc74
+ FS: 00007f5f447beba8(0000) GS:ffff96bdff900000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffffffc005b1d9 CR3: 000000003cedc002 CR4: 0000000000360ea0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ klp_init_object_loaded+0x10f/0x219
+ ? preempt_latency_start+0x21/0x57
+ klp_enable_patch+0x662/0x809
+ ? virt_to_head_page+0x3a/0x3c
+ ? kfree+0x8c/0x126
+ patch_init+0x2ed/0x1000 [livepatch_test02]
+ ? 0xffffffffc0060000
+ do_one_initcall+0x9f/0x1c5
+ ? kmem_cache_alloc_trace+0xc4/0xd4
+ ? do_init_module+0x27/0x210
+ do_init_module+0x5f/0x210
+ load_module+0x1c41/0x2290
+ ? fsnotify_path+0x3b/0x42
+ ? strstarts+0x2b/0x2b
+ ? kernel_read+0x58/0x65
+ __do_sys_finit_module+0x9f/0xc3
+ ? __do_sys_finit_module+0x9f/0xc3
+ __x64_sys_finit_module+0x1a/0x1c
+ do_syscall_64+0x52/0x61
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The above panic occurs when loading two modules at the same time with
+ftrace enabled, where at least one of the modules is a livepatch module:
+
+CPU0 CPU1
+klp_enable_patch()
+ klp_init_object_loaded()
+ module_disable_ro()
+ ftrace_module_enable()
+ ftrace_arch_code_modify_post_process()
+ set_all_modules_text_ro()
+ klp_write_object_relocations()
+ apply_relocate_add()
+ *patches read-only code* - BOOM
+
+A similar race exists when toggling ftrace while loading a livepatch
+module.
+
+Fix it by ensuring that the livepatch and ftrace code patching
+operations -- and their respective permissions changes -- are protected
+by the text_mutex.
+
+Link: http://lkml.kernel.org/r/ab43d56ab909469ac5d2520c5d944ad6d4abd476.1560474114.git.jpoimboe@redhat.com
+
+Reported-by: Johannes Erdfelt <johannes@erdfelt.com>
+Fixes: 444d13ff10fb ("modules: add ro_after_init support")
+Acked-by: Jessica Yu <jeyu@kernel.org>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/livepatch/core.c | 6 ++++++
+ kernel/trace/ftrace.c | 10 +++++++++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
+index 7c51f065b212..88754e9790f9 100644
+--- a/kernel/livepatch/core.c
++++ b/kernel/livepatch/core.c
+@@ -30,6 +30,7 @@
+ #include <linux/elf.h>
+ #include <linux/moduleloader.h>
+ #include <linux/completion.h>
++#include <linux/memory.h>
+ #include <asm/cacheflush.h>
+ #include "core.h"
+ #include "patch.h"
+@@ -635,16 +636,21 @@ static int klp_init_object_loaded(struct klp_patch *patch,
+ struct klp_func *func;
+ int ret;
+
++ mutex_lock(&text_mutex);
++
+ module_disable_ro(patch->mod);
+ ret = klp_write_object_relocations(patch->mod, obj);
+ if (ret) {
+ module_enable_ro(patch->mod, true);
++ mutex_unlock(&text_mutex);
+ return ret;
+ }
+
+ arch_klp_init_object_loaded(patch, obj);
+ module_enable_ro(patch->mod, true);
+
++ mutex_unlock(&text_mutex);
++
+ klp_for_each_func(obj, func) {
+ ret = klp_find_object_symbol(obj->name, func->old_name,
+ func->old_sympos,
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 3e92852c8b23..4e4b88047fcc 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -34,6 +34,7 @@
+ #include <linux/hash.h>
+ #include <linux/rcupdate.h>
+ #include <linux/kprobes.h>
++#include <linux/memory.h>
+
+ #include <trace/events/sched.h>
+
+@@ -2692,10 +2693,12 @@ static void ftrace_run_update_code(int command)
+ {
+ int ret;
+
++ mutex_lock(&text_mutex);
++
+ ret = ftrace_arch_code_modify_prepare();
+ FTRACE_WARN_ON(ret);
+ if (ret)
+- return;
++ goto out_unlock;
+
+ /*
+ * By default we use stop_machine() to modify the code.
+@@ -2707,6 +2710,9 @@ static void ftrace_run_update_code(int command)
+
+ ret = ftrace_arch_code_modify_post_process();
+ FTRACE_WARN_ON(ret);
++
++out_unlock:
++ mutex_unlock(&text_mutex);
+ }
+
+ static void ftrace_run_modify_code(struct ftrace_ops *ops, int command,
+@@ -5791,6 +5797,7 @@ void ftrace_module_enable(struct module *mod)
+ struct ftrace_page *pg;
+
+ mutex_lock(&ftrace_lock);
++ mutex_lock(&text_mutex);
+
+ if (ftrace_disabled)
+ goto out_unlock;
+@@ -5851,6 +5858,7 @@ void ftrace_module_enable(struct module *mod)
+ ftrace_arch_code_modify_post_process();
+
+ out_unlock:
++ mutex_unlock(&text_mutex);
+ mutex_unlock(&ftrace_lock);
+
+ process_cached_mods(mod->name);
+--
+2.20.1
+
--- /dev/null
+From 8c9275ebdc5de43922c5c9a386bb1cd6b4005a82 Mon Sep 17 00:00:00 2001
+From: Vadim Pasternak <vadimp@mellanox.com>
+Date: Wed, 5 Jun 2019 07:51:03 +0000
+Subject: platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device
+ registration
+
+[ Upstream commit 160da20b254dd4bfc5828f12c208fa831ad4be6c ]
+
+Fix the issue found while running kernel with the option
+CONFIG_DEBUG_TEST_DRIVER_REMOVE.
+Driver 'mlx-platform' registers 'i2c_mlxcpld' device and then registers
+few underlying 'i2c-mux-reg' devices:
+ priv->pdev_i2c = platform_device_register_simple("i2c_mlxcpld", nr,
+ NULL, 0);
+ ...
+ for (i = 0; i < ARRAY_SIZE(mlxplat_mux_data); i++) {
+ priv->pdev_mux[i] = platform_device_register_resndata(
+ &mlxplat_dev->dev,
+ "i2c-mux-reg", i, NULL,
+ 0, &mlxplat_mux_data[i],
+ sizeof(mlxplat_mux_data[i]));
+
+But actual parent of "i2c-mux-reg" device is priv->pdev_i2c->dev and
+not mlxplat_dev->dev.
+Patch fixes parent device parameter in a call to
+platform_device_register_resndata() for "i2c-mux-reg".
+
+It solves the race during initialization flow while 'i2c_mlxcpld.1' is
+removing after probe, while 'i2c-mux-reg.0' is still in probing flow:
+'i2c_mlxcpld.1' flow: probe -> remove -> probe.
+'i2c-mux-reg.0' flow: probe -> ...
+
+[ 12:621096] Registering platform device 'i2c_mlxcpld.1'. Parent at platform
+[ 12:621117] device: 'i2c_mlxcpld.1': device_add
+[ 12:621155] bus: 'platform': add device i2c_mlxcpld.1
+[ 12:621384] Registering platform device 'i2c-mux-reg.0'. Parent at mlxplat
+[ 12:621395] device: 'i2c-mux-reg.0': device_add
+[ 12:621425] bus: 'platform': add device i2c-mux-reg.0
+[ 12:621806] Registering platform device 'i2c-mux-reg.1'. Parent at mlxplat
+[ 12:621828] device: 'i2c-mux-reg.1': device_add
+[ 12:621892] bus: 'platform': add device i2c-mux-reg.1
+[ 12:621906] bus: 'platform': add driver i2c_mlxcpld
+[ 12:621996] bus: 'platform': driver_probe_device: matched device i2c_mlxcpld.1 with driver i2c_mlxcpld
+[ 12:622003] bus: 'platform': really_probe: probing driver i2c_mlxcpld with device i2c_mlxcpld.1
+[ 12:622100] i2c_mlxcpld i2c_mlxcpld.1: no default pinctrl state
+[ 12:622293] device: 'i2c-1': device_add
+[ 12:627280] bus: 'i2c': add device i2c-1
+[ 12:627692] device: 'i2c-1': device_add
+[ 12.629639] bus: 'platform': add driver i2c-mux-reg
+[ 12.629718] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg
+[ 12.629723] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0
+[ 12.629818] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state
+[ 12.629981] platform i2c-mux-reg.0: Driver i2c-mux-reg requests probe deferral
+[ 12.629986] platform i2c-mux-reg.0: Added to deferred list
+[ 12.629992] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.1 with driver i2c-mux-reg
+[ 12.629997] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.1
+[ 12.630091] i2c-mux-reg i2c-mux-reg.1: no default pinctrl state
+[ 12.630247] platform i2c-mux-reg.1: Driver i2c-mux-reg requests probe deferral
+[ 12.630252] platform i2c-mux-reg.1: Added to deferred list
+[ 12.640892] devices_kset: Moving i2c-mux-reg.0 to end of list
+[ 12.640900] platform i2c-mux-reg.0: Retrying from deferred list
+[ 12.640911] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg
+[ 12.640919] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0
+[ 12.640999] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state
+[ 12.641177] platform i2c-mux-reg.0: Driver i2c-mux-reg requests probe deferral
+[ 12.641187] platform i2c-mux-reg.0: Added to deferred list
+[ 12.641198] devices_kset: Moving i2c-mux-reg.1 to end of list
+[ 12.641219] platform i2c-mux-reg.1: Retrying from deferred list
+[ 12.641237] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.1 with driver i2c-mux-reg
+[ 12.641247] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.1
+[ 12.641331] i2c-mux-reg i2c-mux-reg.1: no default pinctrl state
+[ 12.641465] platform i2c-mux-reg.1: Driver i2c-mux-reg requests probe deferral
+[ 12.641469] platform i2c-mux-reg.1: Added to deferred list
+[ 12.646427] device: 'i2c-1': device_add
+[ 12.646647] bus: 'i2c': add device i2c-1
+[ 12.647104] device: 'i2c-1': device_add
+[ 12.669231] devices_kset: Moving i2c-mux-reg.0 to end of list
+[ 12.669240] platform i2c-mux-reg.0: Retrying from deferred list
+[ 12.669258] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg
+[ 12.669263] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0
+[ 12.669343] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state
+[ 12.669585] device: 'i2c-2': device_add
+[ 12.669795] bus: 'i2c': add device i2c-2
+[ 12.670201] device: 'i2c-2': device_add
+[ 12.671427] i2c i2c-1: Added multiplexed i2c bus 2
+[ 12.671514] device: 'i2c-3': device_add
+[ 12.671724] bus: 'i2c': add device i2c-3
+[ 12.672136] device: 'i2c-3': device_add
+[ 12.673378] i2c i2c-1: Added multiplexed i2c bus 3
+[ 12.673472] device: 'i2c-4': device_add
+[ 12.673676] bus: 'i2c': add device i2c-4
+[ 12.674060] device: 'i2c-4': device_add
+[ 12.675861] i2c i2c-1: Added multiplexed i2c bus 4
+[ 12.675941] device: 'i2c-5': device_add
+[ 12.676150] bus: 'i2c': add device i2c-5
+[ 12.676550] device: 'i2c-5': device_add
+[ 12.678103] i2c i2c-1: Added multiplexed i2c bus 5
+[ 12.678193] device: 'i2c-6': device_add
+[ 12.678395] bus: 'i2c': add device i2c-6
+[ 12.678774] device: 'i2c-6': device_add
+[ 12.679969] i2c i2c-1: Added multiplexed i2c bus 6
+[ 12.680065] device: 'i2c-7': device_add
+[ 12.680275] bus: 'i2c': add device i2c-7
+[ 12.680913] device: 'i2c-7': device_add
+[ 12.682506] i2c i2c-1: Added multiplexed i2c bus 7
+[ 12.682600] device: 'i2c-8': device_add
+[ 12.682808] bus: 'i2c': add device i2c-8
+[ 12.683189] device: 'i2c-8': device_add
+[ 12.683907] device: 'i2c-1': device_unregister
+[ 12.683945] device: 'i2c-1': device_unregister
+[ 12.684387] device: 'i2c-1': device_create_release
+[ 12.684536] bus: 'i2c': remove device i2c-1
+[ 12.686019] i2c i2c-8: Failed to create compatibility class link
+[ 12.686086] ------------[ cut here ]------------
+[ 12.686087] can't create symlink to mux device
+[ 12.686224] Workqueue: events deferred_probe_work_func
+[ 12.686135] WARNING: CPU: 7 PID: 436 at drivers/i2c/i2c-mux.c:416 i2c_mux_add_adapter+0x729/0x7d0 [i2c_mux]
+[ 12.686232] RIP: 0010:i2c_mux_add_adapter+0x729/0x7d0 [i2c_mux]
+[ 0x190/0x190 [i2c_mux]
+[ 12.686300] ? i2c_mux_alloc+0xac/0x110 [i2c_mux]
+[ 12.686306] ? i2c_mux_reg_set+0x200/0x200 [i2c_mux_reg]
+[ 12.686313] i2c_mux_reg_probe+0x22c/0x731 [i2c_mux_reg]
+[ 12.686322] ? i2c_mux_reg_deselect+0x60/0x60 [i2c_mux_reg]
+[ 12.686346] platform_drv_probe+0xa8/0x110
+[ 12.686351] really_probe+0x185/0x720
+[ 12.686358] driver_probe_device+0xdf/0x1f0
+...
+[ 12.686522] i2c i2c-1: Added multiplexed i2c bus 8
+[ 12.686621] device: 'i2c-9': device_add
+[ 12.686626] kobject_add_internal failed for i2c-9 (error: -2 parent: i2c-1)
+[ 12.694729] i2c-core: adapter 'i2c-1-mux (chan_id 8)': can't register device (-2)
+[ 12.705726] i2c i2c-1: failed to add mux-adapter 8 as bus 9 (error=-2)
+[ 12.714494] device: 'i2c-8': device_unregister
+[ 12.714537] device: 'i2c-8': device_unregister
+
+Fixes: 6613d18e9038 ("platform/x86: mlx-platform: Move module from arch/x86")
+Signed-off-by: Vadim Pasternak <vadimp@mellanox.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/mlx-platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/mlx-platform.c b/drivers/platform/x86/mlx-platform.c
+index 4f3de2a8c4df..9aced80f31a2 100644
+--- a/drivers/platform/x86/mlx-platform.c
++++ b/drivers/platform/x86/mlx-platform.c
+@@ -318,7 +318,7 @@ static int __init mlxplat_init(void)
+
+ for (i = 0; i < ARRAY_SIZE(mlxplat_mux_data); i++) {
+ priv->pdev_mux[i] = platform_device_register_resndata(
+- &mlxplat_dev->dev,
++ &priv->pdev_i2c->dev,
+ "i2c-mux-reg", i, NULL,
+ 0, &mlxplat_mux_data[i],
+ sizeof(mlxplat_mux_data[i]));
+--
+2.20.1
+
--- /dev/null
+From 7731d00d1d28f18b270fec454a2c2be37e0eef43 Mon Sep 17 00:00:00 2001
+From: Manuel Traut <manut@linutronix.de>
+Date: Thu, 13 Jun 2019 15:55:52 -0700
+Subject: scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE
+
+[ Upstream commit c04e32e911653442fc834be6e92e072aeebe01a1 ]
+
+At least for ARM64 kernels compiled with the crosstoolchain from
+Debian/stretch or with the toolchain from kernel.org the line number is
+not decoded correctly by 'decode_stacktrace.sh':
+
+ $ echo "[ 136.513051] f1+0x0/0xc [kcrash]" | \
+ CROSS_COMPILE=/opt/gcc-8.1.0-nolibc/aarch64-linux/bin/aarch64-linux- \
+ ./scripts/decode_stacktrace.sh /scratch/linux-arm64/vmlinux \
+ /scratch/linux-arm64 \
+ /nfs/debian/lib/modules/4.20.0-devel
+ [ 136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:68) kcrash
+
+If addr2line from the toolchain is used the decoded line number is correct:
+
+ [ 136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:57) kcrash
+
+Link: http://lkml.kernel.org/r/20190527083425.3763-1-manut@linutronix.de
+Signed-off-by: Manuel Traut <manut@linutronix.de>
+Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/decode_stacktrace.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
+index 98a7d63a723e..c4a9ddb174bc 100755
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -66,7 +66,7 @@ parse_symbol() {
+ if [[ "${cache[$module,$address]+isset}" == "isset" ]]; then
+ local code=${cache[$module,$address]}
+ else
+- local code=$(addr2line -i -e "$objfile" "$address")
++ local code=$(${CROSS_COMPILE}addr2line -i -e "$objfile" "$address")
+ cache[$module,$address]=$code
+ fi
+
+--
+2.20.1
+
--- /dev/null
+From d68db9bbd7ee279e1b8d4ad0810022f0e74c8fbe Mon Sep 17 00:00:00 2001
+From: Don Brace <don.brace@microsemi.com>
+Date: Mon, 3 Jun 2019 16:43:29 -0500
+Subject: scsi: hpsa: correct ioaccel2 chaining
+
+[ Upstream commit 625d7d3518875c4d303c652a198feaa13d9f52d9 ]
+
+- set ioaccel2_sg_element member 'chain_indicator' to IOACCEL2_LAST_SG for
+ the last s/g element.
+
+- set ioaccel2_sg_element member 'chain_indicator' to IOACCEL2_CHAIN when
+ chaining.
+
+Reviewed-by: Bader Ali - Saleh <bader.alisaleh@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Reviewed-by: Matt Perricone <matt.perricone@microsemi.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hpsa.c | 7 ++++++-
+ drivers/scsi/hpsa_cmd.h | 1 +
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 5b4b7f9be2d7..6d520e8945f7 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -4800,7 +4800,7 @@ static int hpsa_scsi_ioaccel2_queue_command(struct ctlr_info *h,
+ curr_sg->reserved[0] = 0;
+ curr_sg->reserved[1] = 0;
+ curr_sg->reserved[2] = 0;
+- curr_sg->chain_indicator = 0x80;
++ curr_sg->chain_indicator = IOACCEL2_CHAIN;
+
+ curr_sg = h->ioaccel2_cmd_sg_list[c->cmdindex];
+ }
+@@ -4817,6 +4817,11 @@ static int hpsa_scsi_ioaccel2_queue_command(struct ctlr_info *h,
+ curr_sg++;
+ }
+
++ /*
++ * Set the last s/g element bit
++ */
++ (curr_sg - 1)->chain_indicator = IOACCEL2_LAST_SG;
++
+ switch (cmd->sc_data_direction) {
+ case DMA_TO_DEVICE:
+ cp->direction &= ~IOACCEL2_DIRECTION_MASK;
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 078afe448115..ecf15344b55d 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -516,6 +516,7 @@ struct ioaccel2_sg_element {
+ u8 reserved[3];
+ u8 chain_indicator;
+ #define IOACCEL2_CHAIN 0x80
++#define IOACCEL2_LAST_SG 0x40
+ };
+
+ /*
+--
+2.20.1
+
bluetooth-fix-faulty-expression-for-minimum-encryption-key-size-check.patch
+asoc-cs4265-readable-register-too-low.patch
+asoc-soc-pcm-be-dai-needs-prepare-when-pause-release.patch
+spi-bitbang-fix-null-pointer-dereference-in-spi_unre.patch
+drm-mediatek-fix-unbind-functions.patch
+drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch
+drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch
+asoc-max98090-remove-24-bit-format-support-if-rj-is-.patch
+asoc-sun4i-i2s-fix-sun8i-tx-channel-offset-mask.patch
+asoc-sun4i-i2s-add-offset-to-rx-channel-select.patch
+usb-gadget-fusb300_udc-fix-memory-leak-of-fusb300-ep.patch
+usb-gadget-udc-lpc32xx-allocate-descriptor-with-gfp_.patch
+soc-rt274-fix-internal-jack-assignment-in-set_jack-c.patch
+scsi-hpsa-correct-ioaccel2-chaining.patch
+platform-x86-mlx-platform-fix-parent-device-in-i2c-m.patch
+cpuset-restore-sanity-to-cpuset_cpus_allowed_fallbac.patch
+scripts-decode_stacktrace.sh-prefix-addr2line-with-c.patch
+mm-mlock.c-change-count_mm_mlocked_page_nr-return-ty.patch
+module-fix-livepatch-ftrace-module-text-permissions-.patch
+ftrace-fix-null-pointer-dereference-in-free_ftrace_f.patch
--- /dev/null
+From f4bb117a2a6e8a94ea6ae8693d4c6daba054d4a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+ <amadeuszx.slawinski@linux.intel.com>
+Date: Wed, 5 Jun 2019 15:45:52 +0200
+Subject: SoC: rt274: Fix internal jack assignment in set_jack callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 04268bf2757a125616b6c2140e6250f43b7b737a ]
+
+When we call snd_soc_component_set_jack(component, NULL, NULL) we should
+set rt274->jack to passed jack, so when interrupt is triggered it calls
+snd_soc_jack_report(rt274->jack, ...) with proper value.
+
+This fixes problem in machine where in register, we call
+snd_soc_register(component, &headset, NULL), which just calls
+rt274_mic_detect via callback.
+Now when machine driver is removed "headset" will be gone, so we
+need to tell codec driver that it's gone with:
+snd_soc_register(component, NULL, NULL), but we also need to be able
+to handle NULL jack argument here gracefully.
+If we don't set it to NULL, next time the rt274_irq runs it will call
+snd_soc_jack_report with first argument being invalid pointer and there
+will be Oops.
+
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt274.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/rt274.c b/sound/soc/codecs/rt274.c
+index cd048df76232..43086ac9ffec 100644
+--- a/sound/soc/codecs/rt274.c
++++ b/sound/soc/codecs/rt274.c
+@@ -398,6 +398,8 @@ static int rt274_mic_detect(struct snd_soc_codec *codec,
+ {
+ struct rt274_priv *rt274 = snd_soc_codec_get_drvdata(codec);
+
++ rt274->jack = jack;
++
+ if (jack == NULL) {
+ /* Disable jack detection */
+ regmap_update_bits(rt274->regmap, RT274_EAPD_GPIO_IRQ_CTRL,
+@@ -405,7 +407,6 @@ static int rt274_mic_detect(struct snd_soc_codec *codec,
+
+ return 0;
+ }
+- rt274->jack = jack;
+
+ regmap_update_bits(rt274->regmap, RT274_EAPD_GPIO_IRQ_CTRL,
+ RT274_IRQ_EN, RT274_IRQ_EN);
+--
+2.20.1
+
--- /dev/null
+From f9e301ffd02ed9ecd481c8089cbdecb5a6e28583 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 16 May 2019 15:56:56 +0800
+Subject: spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
+
+[ Upstream commit 5caaf29af5ca82d5da8bc1d0ad07d9e664ccf1d8 ]
+
+If spi_register_master fails in spi_bitbang_start
+because device_add failure, We should return the
+error code other than 0, otherwise calling
+spi_bitbang_stop may trigger NULL pointer dereference
+like this:
+
+BUG: KASAN: null-ptr-deref in __list_del_entry_valid+0x45/0xd0
+Read of size 8 at addr 0000000000000000 by task syz-executor.0/3661
+
+CPU: 0 PID: 3661 Comm: syz-executor.0 Not tainted 5.1.0+ #28
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack+0xa9/0x10e
+ ? __list_del_entry_valid+0x45/0xd0
+ ? __list_del_entry_valid+0x45/0xd0
+ __kasan_report+0x171/0x18d
+ ? __list_del_entry_valid+0x45/0xd0
+ kasan_report+0xe/0x20
+ __list_del_entry_valid+0x45/0xd0
+ spi_unregister_controller+0x99/0x1b0
+ spi_lm70llp_attach+0x3ae/0x4b0 [spi_lm70llp]
+ ? 0xffffffffc1128000
+ ? klist_next+0x131/0x1e0
+ ? driver_detach+0x40/0x40 [parport]
+ port_check+0x3b/0x50 [parport]
+ bus_for_each_dev+0x115/0x180
+ ? subsys_dev_iter_exit+0x20/0x20
+ __parport_register_driver+0x1f0/0x210 [parport]
+ ? 0xffffffffc1150000
+ do_one_initcall+0xb9/0x3b5
+ ? perf_trace_initcall_level+0x270/0x270
+ ? kasan_unpoison_shadow+0x30/0x40
+ ? kasan_unpoison_shadow+0x30/0x40
+ do_init_module+0xe0/0x330
+ load_module+0x38eb/0x4270
+ ? module_frob_arch_sections+0x20/0x20
+ ? kernel_read_file+0x188/0x3f0
+ ? find_held_lock+0x6d/0xd0
+ ? fput_many+0x1a/0xe0
+ ? __do_sys_finit_module+0x162/0x190
+ __do_sys_finit_module+0x162/0x190
+ ? __ia32_sys_init_module+0x40/0x40
+ ? __mutex_unlock_slowpath+0xb4/0x3f0
+ ? wait_for_completion+0x240/0x240
+ ? vfs_write+0x160/0x2a0
+ ? lockdep_hardirqs_off+0xb5/0x100
+ ? mark_held_locks+0x1a/0x90
+ ? do_syscall_64+0x14/0x2a0
+ do_syscall_64+0x72/0x2a0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 702a4879ec33 ("spi: bitbang: Let spi_bitbang_start() take a reference to master")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Axel Lin <axel.lin@ingics.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bitbang.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bitbang.c b/drivers/spi/spi-bitbang.c
+index 3aa9e6e3dac8..4ef54436b9d4 100644
+--- a/drivers/spi/spi-bitbang.c
++++ b/drivers/spi/spi-bitbang.c
+@@ -392,7 +392,7 @@ int spi_bitbang_start(struct spi_bitbang *bitbang)
+ if (ret)
+ spi_master_put(master);
+
+- return 0;
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(spi_bitbang_start);
+
+--
+2.20.1
+
--- /dev/null
+From b681cec0a7090d14243592a71db0c9d5fe5ea40c Mon Sep 17 00:00:00 2001
+From: Young Xiao <92siuyang@gmail.com>
+Date: Tue, 28 May 2019 20:17:54 +0800
+Subject: usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i]
+
+[ Upstream commit 62fd0e0a24abeebe2c19fce49dd5716d9b62042d ]
+
+There is no deallocation of fusb300->ep[i] elements, allocated at
+fusb300_probe.
+
+The patch adds deallocation of fusb300->ep array elements.
+
+Signed-off-by: Young Xiao <92siuyang@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fusb300_udc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/fusb300_udc.c b/drivers/usb/gadget/udc/fusb300_udc.c
+index e0c1b0099265..089f39de6897 100644
+--- a/drivers/usb/gadget/udc/fusb300_udc.c
++++ b/drivers/usb/gadget/udc/fusb300_udc.c
+@@ -1345,12 +1345,15 @@ static const struct usb_gadget_ops fusb300_gadget_ops = {
+ static int fusb300_remove(struct platform_device *pdev)
+ {
+ struct fusb300 *fusb300 = platform_get_drvdata(pdev);
++ int i;
+
+ usb_del_gadget_udc(&fusb300->gadget);
+ iounmap(fusb300->reg);
+ free_irq(platform_get_irq(pdev, 0), fusb300);
+
+ fusb300_free_request(&fusb300->ep[0]->ep, fusb300->ep0_req);
++ for (i = 0; i < FUSB300_MAX_NUM_EP; i++)
++ kfree(fusb300->ep[i]);
+ kfree(fusb300);
+
+ return 0;
+@@ -1494,6 +1497,8 @@ clean_up:
+ if (fusb300->ep0_req)
+ fusb300_free_request(&fusb300->ep[0]->ep,
+ fusb300->ep0_req);
++ for (i = 0; i < FUSB300_MAX_NUM_EP; i++)
++ kfree(fusb300->ep[i]);
+ kfree(fusb300);
+ }
+ if (reg)
+--
+2.20.1
+
--- /dev/null
+From 95e34a93aded667af0002a39170e438333da1b46 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 22 May 2019 14:07:36 +0200
+Subject: usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC
+
+[ Upstream commit fbc318afadd6e7ae2252d6158cf7d0c5a2132f7d ]
+
+Gadget drivers may queue request in interrupt context. This would lead to
+a descriptor allocation in that context. In that case we would hit
+BUG_ON(in_interrupt()) in __get_vm_area_node.
+
+Also remove the unnecessary cast.
+
+Acked-by: Sylvain Lemieux <slemieux.tyco@gmail.com>
+Tested-by: James Grant <jamesg@zaltys.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/lpc32xx_udc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
+index 8f32b5ee7734..6df1aded4503 100644
+--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
+@@ -935,8 +935,7 @@ static struct lpc32xx_usbd_dd_gad *udc_dd_alloc(struct lpc32xx_udc *udc)
+ dma_addr_t dma;
+ struct lpc32xx_usbd_dd_gad *dd;
+
+- dd = (struct lpc32xx_usbd_dd_gad *) dma_pool_alloc(
+- udc->dd_cache, (GFP_KERNEL | GFP_DMA), &dma);
++ dd = dma_pool_alloc(udc->dd_cache, GFP_ATOMIC | GFP_DMA, &dma);
+ if (dd)
+ dd->this_dma = dma;
+
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
