4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Nov 2019 06:41:30 +0000 (07:41 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Nov 2019 06:41:30 +0000 (07:41 +0100)
added patches:
alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
alsa-hda-ca0132-fix-possible-workqueue-stall.patch
alsa-timer-fix-incorrectly-assigned-timer-instance.patch
can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch
can-gs_usb-gs_can_open-prevent-memory-leak.patch
can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
can-peak_usb-fix-slab-info-leak.patch
can-usb_8dev-fix-use-after-free-on-disconnect.patch
ceph-fix-use-after-free-in-__ceph_remove_cap.patch
drm-radeon-fix-si_enable_smc_cac-failed-issue.patch
dump_stack-avoid-the-livelock-of-the-dump_lock.patch
iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
intel_th-pci-add-comet-lake-pch-support.patch
mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch
mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
perf-tools-fix-time-sorting.patch

20 files changed:
queue-4.9/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch [new file with mode: 0644]
queue-4.9/alsa-hda-ca0132-fix-possible-workqueue-stall.patch [new file with mode: 0644]
queue-4.9/alsa-timer-fix-incorrectly-assigned-timer-instance.patch [new file with mode: 0644]
queue-4.9/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch [new file with mode: 0644]
queue-4.9/can-gs_usb-gs_can_open-prevent-memory-leak.patch [new file with mode: 0644]
queue-4.9/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch [new file with mode: 0644]
queue-4.9/can-peak_usb-fix-slab-info-leak.patch [new file with mode: 0644]
queue-4.9/can-usb_8dev-fix-use-after-free-on-disconnect.patch [new file with mode: 0644]
queue-4.9/ceph-fix-use-after-free-in-__ceph_remove_cap.patch [new file with mode: 0644]
queue-4.9/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch [new file with mode: 0644]
queue-4.9/dump_stack-avoid-the-livelock-of-the-dump_lock.patch [new file with mode: 0644]
queue-4.9/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch [new file with mode: 0644]
queue-4.9/intel_th-pci-add-comet-lake-pch-support.patch [new file with mode: 0644]
queue-4.9/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch [new file with mode: 0644]
queue-4.9/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch [new file with mode: 0644]
queue-4.9/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch [new file with mode: 0644]
queue-4.9/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch [new file with mode: 0644]
queue-4.9/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch [new file with mode: 0644]
queue-4.9/perf-tools-fix-time-sorting.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch b/queue-4.9/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
new file mode 100644 (file)
index 0000000..be9b3c4
--- /dev/null
@@ -0,0 +1,50 @@
+From 706ad6746a66546daf96d4e4a95e46faf6cf689a Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 3 Nov 2019 00:09:20 +0900
+Subject: ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 706ad6746a66546daf96d4e4a95e46faf6cf689a upstream.
+
+For Focusrite Saffire Pro i/o, the lowest 8 bits of register represents
+configured source of sampling clock. The next lowest 8 bits represents
+whether the configured source is actually detected or not just after
+the register is changed for the source.
+
+Current implementation evaluates whole the register to detect configured
+source. This results in failure due to the next lowest 8 bits when the
+source is connected in advance.
+
+This commit fixes the bug.
+
+Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series")
+Cc: <stable@vger.kernel.org> # v3.16+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20191102150920.20367-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob_focusrite.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/firewire/bebob/bebob_focusrite.c
++++ b/sound/firewire/bebob/bebob_focusrite.c
+@@ -28,6 +28,8 @@
+ #define SAFFIRE_CLOCK_SOURCE_SPDIF            1
+ /* clock sources as returned from register of Saffire Pro 10 and 26 */
++#define SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK   0x000000ff
++#define SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK   0x0000ff00
+ #define SAFFIREPRO_CLOCK_SOURCE_INTERNAL      0
+ #define SAFFIREPRO_CLOCK_SOURCE_SKIP          1 /* never used on hardware */
+ #define SAFFIREPRO_CLOCK_SOURCE_SPDIF         2
+@@ -190,6 +192,7 @@ saffirepro_both_clk_src_get(struct snd_b
+               map = saffirepro_clk_maps[1];
+       /* In a case that this driver cannot handle the value of register. */
++      value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK;
+       if (value >= SAFFIREPRO_CLOCK_SOURCE_COUNT || map[value] < 0) {
+               err = -EIO;
+               goto end;
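Review bot: SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK is defined in the first embedded hunk but nothing in either hunk reads it; only the SELECT mask is applied in saffirepro_both_clk_src_get(). If it is kept to document the register layout described in the commit message, a comment beside the define would keep it from reading as dead code, e.g. `/* detect bits: reports whether the selected source is present; not evaluated here */`. The masked compare itself looks right since value is reduced to the low byte before the bounds check against SAFFIREPRO_CLOCK_SOURCE_COUNT. saffirepro_both_clk_src_get() starts and ends outside the hunk.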
diff --git a/queue-4.9/alsa-hda-ca0132-fix-possible-workqueue-stall.patch b/queue-4.9/alsa-hda-ca0132-fix-possible-workqueue-stall.patch
new file mode 100644 (file)
index 0000000..74aa1ff
--- /dev/null
@@ -0,0 +1,41 @@
+From 15c2b3cc09a31620914955cb2a89c277c18ee999 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 5 Nov 2019 14:43:16 +0100
+Subject: ALSA: hda/ca0132 - Fix possible workqueue stall
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 15c2b3cc09a31620914955cb2a89c277c18ee999 upstream.
+
+The unsolicited event handler for the headphone jack on CA0132 codec
+driver tries to reschedule the another delayed work with
+cancel_delayed_work_sync().  It's no good idea, unfortunately,
+especially after we changed the work queue to the standard global
+one; this may lead to a stall because both works are using the same
+global queue.
+
+Fix it by dropping the _sync but does call cancel_delayed_work()
+instead.
+
+Fixes: 993884f6a26c ("ALSA: hda/ca0132 - Delay HP amp turnon.")
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1155836
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191105134316.19294-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_ca0132.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4440,7 +4440,7 @@ static void hp_callback(struct hda_codec
+       /* Delay enabling the HP amp, to let the mic-detection
+        * state machine run.
+        */
+-      cancel_delayed_work_sync(&spec->unsol_hp_work);
++      cancel_delayed_work(&spec->unsol_hp_work);
+       schedule_delayed_work(&spec->unsol_hp_work, msecs_to_jiffies(500));
+       tbl = snd_hda_jack_tbl_get(codec, cb->nid);
+       if (tbl)
diff --git a/queue-4.9/alsa-timer-fix-incorrectly-assigned-timer-instance.patch b/queue-4.9/alsa-timer-fix-incorrectly-assigned-timer-instance.patch
new file mode 100644 (file)
index 0000000..d5d7804
--- /dev/null
@@ -0,0 +1,61 @@
+From e7af6307a8a54f0b873960b32b6a644f2d0fbd97 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 6 Nov 2019 17:55:47 +0100
+Subject: ALSA: timer: Fix incorrectly assigned timer instance
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit e7af6307a8a54f0b873960b32b6a644f2d0fbd97 upstream.
+
+The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in
+snd_timer_open()") unified the error handling code paths with the
+standard goto, but it introduced a subtle bug: the timer instance is
+stored in snd_timer_open() incorrectly even if it returns an error.
+This may eventually lead to UAF, as spotted by fuzzer.
+
+The culprit is the snd_timer_open() code checks the
+SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri.
+This variable is supposed to be the newly created instance, but we
+(ab-)used it for a temporary check before the actual creation of a
+timer instance.  After that point, there is another check for the max
+number of instances, and it bails out if over the threshold.  Before
+the refactoring above, it worked fine because the code returned
+directly from that point.  After the refactoring, however, it jumps to
+the unified error path that stores the timeri variable in return --
+even if it returns an error.  Unfortunately this stored value is kept
+in the caller side (snd_timer_user_tselect()) in tu->timeri.  This
+causes inconsistency later, as if the timer was successfully
+assigned.
+
+In this patch, we fix it by not re-using timeri variable but a
+temporary variable for testing the exclusive connection, so timeri
+remains NULL at that point.
+
+Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()")
+Reported-and-tested-by: Tristan Madani <tristmd@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -297,11 +297,11 @@ int snd_timer_open(struct snd_timer_inst
+               goto unlock;
+       }
+       if (!list_empty(&timer->open_list_head)) {
+-              timeri = list_entry(timer->open_list_head.next,
++              struct snd_timer_instance *t =
++                      list_entry(timer->open_list_head.next,
+                                   struct snd_timer_instance, open_list);
+-              if (timeri->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) {
++              if (t->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) {
+                       err = -EBUSY;
+-                      timeri = NULL;
+                       goto unlock;
+               }
+       }
diff --git a/queue-4.9/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch b/queue-4.9/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch
new file mode 100644 (file)
index 0000000..93a929c
--- /dev/null
@@ -0,0 +1,93 @@
+From 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 Mon Sep 17 00:00:00 2001
+From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+Date: Tue, 1 Oct 2019 09:40:36 +0200
+Subject: can: c_can: c_can_poll(): only read status register after status IRQ
+
+From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+
+commit 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 upstream.
+
+When the status register is read without the status IRQ pending, the
+chip may not raise the interrupt line for an upcoming status interrupt
+and the driver may miss a status interrupt.
+
+It is critical that the BUSOFF status interrupt is forwarded to the
+higher layers, since no more interrupts will follow without
+intervention.
+
+Thanks to Wolfgang and Joe for bringing up the first idea.
+
+Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Joe Burmeister <joe.burmeister@devtank.co.uk>
+Fixes: fa39b54ccf28 ("can: c_can: Get rid of pointless interrupts")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/c_can/c_can.c |   25 ++++++++++++++++++++-----
+ drivers/net/can/c_can/c_can.h |    1 +
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -97,6 +97,9 @@
+ #define BTR_TSEG2_SHIFT               12
+ #define BTR_TSEG2_MASK                (0x7 << BTR_TSEG2_SHIFT)
++/* interrupt register */
++#define INT_STS_PENDING               0x8000
++
+ /* brp extension register */
+ #define BRP_EXT_BRPE_MASK     0x0f
+ #define BRP_EXT_BRPE_SHIFT    0
+@@ -1029,10 +1032,16 @@ static int c_can_poll(struct napi_struct
+       u16 curr, last = priv->last_status;
+       int work_done = 0;
+-      priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG);
+-      /* Ack status on C_CAN. D_CAN is self clearing */
+-      if (priv->type != BOSCH_D_CAN)
+-              priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED);
++      /* Only read the status register if a status interrupt was pending */
++      if (atomic_xchg(&priv->sie_pending, 0)) {
++              priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG);
++              /* Ack status on C_CAN. D_CAN is self clearing */
++              if (priv->type != BOSCH_D_CAN)
++                      priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED);
++      } else {
++              /* no change detected ... */
++              curr = last;
++      }
+       /* handle state changes */
+       if ((curr & STATUS_EWARN) && (!(last & STATUS_EWARN))) {
+@@ -1083,10 +1092,16 @@ static irqreturn_t c_can_isr(int irq, vo
+ {
+       struct net_device *dev = (struct net_device *)dev_id;
+       struct c_can_priv *priv = netdev_priv(dev);
++      int reg_int;
+-      if (!priv->read_reg(priv, C_CAN_INT_REG))
++      reg_int = priv->read_reg(priv, C_CAN_INT_REG);
++      if (!reg_int)
+               return IRQ_NONE;
++      /* save for later use */
++      if (reg_int & INT_STS_PENDING)
++              atomic_set(&priv->sie_pending, 1);
++
+       /* disable all interrupts and schedule the NAPI */
+       c_can_irq_control(priv, false);
+       napi_schedule(&priv->napi);
+--- a/drivers/net/can/c_can/c_can.h
++++ b/drivers/net/can/c_can/c_can.h
+@@ -198,6 +198,7 @@ struct c_can_priv {
+       struct net_device *dev;
+       struct device *device;
+       atomic_t tx_active;
++      atomic_t sie_pending;
+       unsigned long tx_dir;
+       int last_status;
+       u16 (*read_reg) (const struct c_can_priv *priv, enum reg index);
diff --git a/queue-4.9/can-gs_usb-gs_can_open-prevent-memory-leak.patch b/queue-4.9/can-gs_usb-gs_can_open-prevent-memory-leak.patch
new file mode 100644 (file)
index 0000000..363db0f
--- /dev/null
@@ -0,0 +1,32 @@
+From fb5be6a7b4863ecc44963bb80ca614584b6c7817 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 19 Sep 2019 21:44:38 -0500
+Subject: can: gs_usb: gs_can_open(): prevent memory leak
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit fb5be6a7b4863ecc44963bb80ca614584b6c7817 upstream.
+
+In gs_can_open() if usb_submit_urb() fails the allocated urb should be
+released.
+
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/gs_usb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -632,6 +632,7 @@ static int gs_can_open(struct net_device
+                                          rc);
+                               usb_unanchor_urb(urb);
++                              usb_free_urb(urb);
+                               break;
+                       }
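Review bot: The added usb_free_urb() releases the URB on the usb_submit_urb() failure path, but the transfer buffer the URB was filled with is not released on the same path; if that buffer was obtained with usb_alloc_coherent() earlier in gs_can_open() (outside the hunk, so this is inferred rather than visible), a matching `usb_free_coherent(dev->udev, <buffer size>, buf, urb->transfer_dma);` before the free is needed, otherwise the leak this commit targets is only partly closed. gs_can_open() begins and ends outside the hunk.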
diff --git a/queue-4.9/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch b/queue-4.9/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
new file mode 100644 (file)
index 0000000..76eef2f
--- /dev/null
@@ -0,0 +1,80 @@
+From de280f403f2996679e2607384980703710576fed Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Tue, 8 Oct 2019 10:35:44 +0200
+Subject: can: peak_usb: fix a potential out-of-sync while decoding packets
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+commit de280f403f2996679e2607384980703710576fed upstream.
+
+When decoding a buffer received from PCAN-USB, the first timestamp read in
+a packet is a 16-bit coded time base, and the next ones are an 8-bit
+offset to this base, regardless of the type of packet read.
+
+This patch corrects a potential loss of synchronization by using a
+timestamp index read from the buffer, rather than an index of received
+data packets, to determine on the sizeof the timestamp to be read from the
+packet being decoded.
+
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Fixes: 46be265d3388 ("can: usb: PEAK-System Technik PCAN-USB specific part")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
+@@ -108,7 +108,7 @@ struct pcan_usb_msg_context {
+       u8 *end;
+       u8 rec_cnt;
+       u8 rec_idx;
+-      u8 rec_data_idx;
++      u8 rec_ts_idx;
+       struct net_device *netdev;
+       struct pcan_usb *pdev;
+ };
+@@ -552,10 +552,15 @@ static int pcan_usb_decode_status(struct
+       mc->ptr += PCAN_USB_CMD_ARGS;
+       if (status_len & PCAN_USB_STATUSLEN_TIMESTAMP) {
+-              int err = pcan_usb_decode_ts(mc, !mc->rec_idx);
++              int err = pcan_usb_decode_ts(mc, !mc->rec_ts_idx);
+               if (err)
+                       return err;
++
++              /* Next packet in the buffer will have a timestamp on a single
++               * byte
++               */
++              mc->rec_ts_idx++;
+       }
+       switch (f) {
+@@ -638,10 +643,13 @@ static int pcan_usb_decode_data(struct p
+       cf->can_dlc = get_can_dlc(rec_len);
+-      /* first data packet timestamp is a word */
+-      if (pcan_usb_decode_ts(mc, !mc->rec_data_idx))
++      /* Only first packet timestamp is a word */
++      if (pcan_usb_decode_ts(mc, !mc->rec_ts_idx))
+               goto decode_failed;
++      /* Next packet in the buffer will have a timestamp on a single byte */
++      mc->rec_ts_idx++;
++
+       /* read data */
+       memset(cf->data, 0x0, sizeof(cf->data));
+       if (status_len & PCAN_USB_STATUSLEN_RTR) {
+@@ -695,7 +703,6 @@ static int pcan_usb_decode_msg(struct pe
+               /* handle normal can frames here */
+               } else {
+                       err = pcan_usb_decode_data(&mc, sl);
+-                      mc.rec_data_idx++;
+               }
+       }
diff --git a/queue-4.9/can-peak_usb-fix-slab-info-leak.patch b/queue-4.9/can-peak_usb-fix-slab-info-leak.patch
new file mode 100644 (file)
index 0000000..765b1d6
--- /dev/null
@@ -0,0 +1,39 @@
+From f7a1337f0d29b98733c8824e165fca3371d7d4fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Oct 2019 10:27:05 +0200
+Subject: can: peak_usb: fix slab info leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f7a1337f0d29b98733c8824e165fca3371d7d4fd upstream.
+
+Fix a small slab info leak due to a failure to clear the command buffer
+at allocation.
+
+The first 16 bytes of the command buffer are always sent to the device
+in pcan_usb_send_cmd() even though only the first two may have been
+initialised in case no argument payload is provided (e.g. when waiting
+for a response).
+
+Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
+Cc: stable <stable@vger.kernel.org>     # 3.4
+Reported-by: syzbot+863724e7128e14b26732@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -774,7 +774,7 @@ static int peak_usb_create_dev(const str
+       dev = netdev_priv(netdev);
+       /* allocate a buffer large enough to send commands */
+-      dev->cmd_buf = kmalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL);
++      dev->cmd_buf = kzalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL);
+       if (!dev->cmd_buf) {
+               err = -ENOMEM;
+               goto lbl_free_candev;
diff --git a/queue-4.9/can-usb_8dev-fix-use-after-free-on-disconnect.patch b/queue-4.9/can-usb_8dev-fix-use-after-free-on-disconnect.patch
new file mode 100644 (file)
index 0000000..9600b85
--- /dev/null
@@ -0,0 +1,36 @@
+From 3759739426186a924675651b388d1c3963c5710e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Oct 2019 12:29:14 +0200
+Subject: can: usb_8dev: fix use-after-free on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3759739426186a924675651b388d1c3963c5710e upstream.
+
+The driver was accessing its driver data after having freed it.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Cc: stable <stable@vger.kernel.org>     # 3.9
+Cc: Bernd Krumboeck <b.krumboeck@gmail.com>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/usb_8dev.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -1007,9 +1007,8 @@ static void usb_8dev_disconnect(struct u
+               netdev_info(priv->netdev, "device disconnected\n");
+               unregister_netdev(priv->netdev);
+-              free_candev(priv->netdev);
+-
+               unlink_all_urbs(priv);
++              free_candev(priv->netdev);
+       }
+ }
diff --git a/queue-4.9/ceph-fix-use-after-free-in-__ceph_remove_cap.patch b/queue-4.9/ceph-fix-use-after-free-in-__ceph_remove_cap.patch
new file mode 100644 (file)
index 0000000..3444063
--- /dev/null
@@ -0,0 +1,73 @@
+From ea60ed6fcf29eebc78f2ce91491e6309ee005a01 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 25 Oct 2019 14:05:24 +0100
+Subject: ceph: fix use-after-free in __ceph_remove_cap()
+
+From: Luis Henriques <lhenriques@suse.com>
+
+commit ea60ed6fcf29eebc78f2ce91491e6309ee005a01 upstream.
+
+KASAN reports a use-after-free when running xfstest generic/531, with the
+following trace:
+
+[  293.903362]  kasan_report+0xe/0x20
+[  293.903365]  rb_erase+0x1f/0x790
+[  293.903370]  __ceph_remove_cap+0x201/0x370
+[  293.903375]  __ceph_remove_caps+0x4b/0x70
+[  293.903380]  ceph_evict_inode+0x4e/0x360
+[  293.903386]  evict+0x169/0x290
+[  293.903390]  __dentry_kill+0x16f/0x250
+[  293.903394]  dput+0x1c6/0x440
+[  293.903398]  __fput+0x184/0x330
+[  293.903404]  task_work_run+0xb9/0xe0
+[  293.903410]  exit_to_usermode_loop+0xd3/0xe0
+[  293.903413]  do_syscall_64+0x1a0/0x1c0
+[  293.903417]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This happens because __ceph_remove_cap() may queue a cap release
+(__ceph_queue_cap_release) which can be scheduled before that cap is
+removed from the inode list with
+
+       rb_erase(&cap->ci_node, &ci->i_caps);
+
+And, when this finally happens, the use-after-free will occur.
+
+This can be fixed by removing the cap from the inode list before being
+removed from the session list, and thus eliminating the risk of an UAF.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/caps.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -933,6 +933,11 @@ void __ceph_remove_cap(struct ceph_cap *
+       dout("__ceph_remove_cap %p from %p\n", cap, &ci->vfs_inode);
++      /* remove from inode's cap rbtree, and clear auth cap */
++      rb_erase(&cap->ci_node, &ci->i_caps);
++      if (ci->i_auth_cap == cap)
++              ci->i_auth_cap = NULL;
++
+       /* remove from session list */
+       spin_lock(&session->s_cap_lock);
+       if (session->s_cap_iterator == cap) {
+@@ -968,11 +973,6 @@ void __ceph_remove_cap(struct ceph_cap *
+       spin_unlock(&session->s_cap_lock);
+-      /* remove from inode list */
+-      rb_erase(&cap->ci_node, &ci->i_caps);
+-      if (ci->i_auth_cap == cap)
+-              ci->i_auth_cap = NULL;
+-
+       if (removed)
+               ceph_put_cap(mdsc, cap);
diff --git a/queue-4.9/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch b/queue-4.9/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch
new file mode 100644 (file)
index 0000000..735e1b6
--- /dev/null
@@ -0,0 +1,33 @@
+From 2c409ba81be25516afe05ae27a4a15da01740b01 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 30 Oct 2019 10:21:28 -0400
+Subject: drm/radeon: fix si_enable_smc_cac() failed issue
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 2c409ba81be25516afe05ae27a4a15da01740b01 upstream.
+
+Need to set the dte flag on this asic.
+
+Port the fix from amdgpu:
+5cb818b861be114 ("drm/amd/amdgpu: fix si_enable_smc_cac() failed issue")
+
+Reviewed-by: Yong Zhao <yong.zhao@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/si_dpm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -1956,6 +1956,7 @@ static void si_initialize_powertune_defa
+               case 0x682C:
+                       si_pi->cac_weights = cac_weights_cape_verde_pro;
+                       si_pi->dte_data = dte_data_sun_xt;
++                      update_dte_from_pl2 = true;
+                       break;
+               case 0x6825:
+               case 0x6827:
diff --git a/queue-4.9/dump_stack-avoid-the-livelock-of-the-dump_lock.patch b/queue-4.9/dump_stack-avoid-the-livelock-of-the-dump_lock.patch
new file mode 100644 (file)
index 0000000..4136ce2
--- /dev/null
@@ -0,0 +1,47 @@
+From 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Tue, 5 Nov 2019 21:16:57 -0800
+Subject: dump_stack: avoid the livelock of the dump_lock
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f upstream.
+
+In the current code, we use the atomic_cmpxchg() to serialize the output
+of the dump_stack(), but this implementation suffers the thundering herd
+problem.  We have observed such kind of livelock on a Marvell cn96xx
+board(24 cpus) when heavily using the dump_stack() in a kprobe handler.
+Actually we can let the competitors to wait for the releasing of the
+lock before jumping to atomic_cmpxchg().  This will definitely mitigate
+the thundering herd problem.  Thanks Linus for the suggestion.
+
+[akpm@linux-foundation.org: fix comment]
+Link: http://lkml.kernel.org/r/20191030031637.6025-1-haokexin@gmail.com
+Fixes: b58d977432c8 ("dump_stack: serialize the output from dump_stack()")
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/dump_stack.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/lib/dump_stack.c
++++ b/lib/dump_stack.c
+@@ -44,7 +44,12 @@ retry:
+               was_locked = 1;
+       } else {
+               local_irq_restore(flags);
+-              cpu_relax();
++              /*
++               * Wait for the lock to release before jumping to
++               * atomic_cmpxchg() in order to mitigate the thundering herd
++               * problem.
++               */
++              do { cpu_relax(); } while (atomic_read(&dump_lock) != -1);
+               goto retry;
+       }
diff --git a/queue-4.9/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch b/queue-4.9/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
new file mode 100644 (file)
index 0000000..1a23715
--- /dev/null
@@ -0,0 +1,40 @@
+From 24e1eb5c0d78cfb9750b690bbe997d4d59170258 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Tue, 8 Oct 2019 17:15:37 +0300
+Subject: iio: imu: adis16480: make sure provided frequency is positive
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit 24e1eb5c0d78cfb9750b690bbe997d4d59170258 upstream.
+
+It could happen that either `val` or `val2` [provided from userspace] is
+negative. In that case the computed frequency could get a weird value.
+
+Fix this by checking that neither of the 2 variables is negative, and check
+that the computed result is not-zero.
+
+Fixes: e4f959390178 ("iio: imu: adis16480 switch sampling frequency attr to core support")
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis16480.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -266,8 +266,11 @@ static int adis16480_set_freq(struct iio
+       struct adis16480 *st = iio_priv(indio_dev);
+       unsigned int t;
++      if (val < 0 || val2 < 0)
++              return -EINVAL;
++
+       t =  val * 1000 + val2 / 1000;
+-      if (t <= 0)
++      if (t == 0)
+               return -EINVAL;
+       t = 2460000 / t;
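Review bot: The new sign check does not bound the magnitude of val, so `val * 1000` on the following line can still overflow a signed int for large positive val before the result is stored in the unsigned t, and the `t == 0` test does not catch that case. Assuming val and val2 are the int values handed down from the userspace write (the parameter list is outside the hunk), changing the guard to `if (val < 0 || val2 < 0 || val > INT_MAX / 1000) return -EINVAL;` keeps the multiplication in range. adis16480_set_freq() starts before the hunk and continues after it.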
diff --git a/queue-4.9/intel_th-pci-add-comet-lake-pch-support.patch b/queue-4.9/intel_th-pci-add-comet-lake-pch-support.patch
new file mode 100644 (file)
index 0000000..a78d5e6
--- /dev/null
@@ -0,0 +1,35 @@
+From 3adbb5718dd5264666ddbc2b9b43799d292e9cb6 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 28 Oct 2019 09:06:50 +0200
+Subject: intel_th: pci: Add Comet Lake PCH support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 3adbb5718dd5264666ddbc2b9b43799d292e9cb6 upstream.
+
+This adds support for Intel TH on Comet Lake PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191028070651.9770-7-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -96,6 +96,11 @@ static const struct pci_device_id intel_
+               .driver_data = (kernel_ulong_t)0,
+       },
+       {
++              /* Comet Lake PCH */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x06a6),
++              .driver_data = (kernel_ulong_t)&intel_th_2x,
++      },
++      {
+               /* Gemini Lake */
+               PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
+               .driver_data = (kernel_ulong_t)0,
diff --git a/queue-4.9/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch b/queue-4.9/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
new file mode 100644 (file)
index 0000000..e594c5c
--- /dev/null
@@ -0,0 +1,120 @@
+From 3e8fc0075e24338b1117cdff6a79477427b8dbed Mon Sep 17 00:00:00 2001
+From: Mel Gorman <mgorman@techsingularity.net>
+Date: Tue, 5 Nov 2019 21:16:27 -0800
+Subject: mm, meminit: recalculate pcpu batch and high limits after init completes
+
+From: Mel Gorman <mgorman@techsingularity.net>
+
+commit 3e8fc0075e24338b1117cdff6a79477427b8dbed upstream.
+
+Deferred memory initialisation updates zone->managed_pages during the
+initialisation phase but before that finishes, the per-cpu page
+allocator (pcpu) calculates the number of pages allocated/freed in
+batches as well as the maximum number of pages allowed on a per-cpu
+list.  As zone->managed_pages is not up to date yet, the pcpu
+initialisation calculates inappropriately low batch and high values.
+
+This increases zone lock contention quite severely in some cases with
+the degree of severity depending on how many CPUs share a local zone and
+the size of the zone.  A private report indicated that kernel build
+times were excessive with extremely high system CPU usage.  A perf
+profile indicated that a large chunk of time was lost on zone->lock
+contention.
+
+This patch recalculates the pcpu batch and high values after deferred
+initialisation completes for every populated zone in the system.  It was
+tested on a 2-socket AMD EPYC 2 machine using a kernel compilation
+workload -- allmodconfig and all available CPUs.
+
+mmtests configuration: config-workload-kernbench-max Configuration was
+modified to build on a fresh XFS partition.
+
+kernbench
+                                5.4.0-rc3              5.4.0-rc3
+                                  vanilla           resetpcpu-v2
+Amean     user-256    13249.50 (   0.00%)    16401.31 * -23.79%*
+Amean     syst-256    14760.30 (   0.00%)     4448.39 *  69.86%*
+Amean     elsp-256      162.42 (   0.00%)      119.13 *  26.65%*
+Stddev    user-256       42.97 (   0.00%)       19.15 (  55.43%)
+Stddev    syst-256      336.87 (   0.00%)        6.71 (  98.01%)
+Stddev    elsp-256        2.46 (   0.00%)        0.39 (  84.03%)
+
+                   5.4.0-rc3    5.4.0-rc3
+                     vanilla resetpcpu-v2
+Duration User       39766.24     49221.79
+Duration System     44298.10     13361.67
+Duration Elapsed      519.11       388.87
+
+The patch reduces system CPU usage by 69.86% and total build time by
+26.65%.  The variance of system CPU usage is also much reduced.
+
+Before, this was the breakdown of batch and high values over all zones
+was:
+
+    256               batch: 1
+    256               batch: 63
+    512               batch: 7
+    256               high:  0
+    256               high:  378
+    512               high:  42
+
+512 pcpu pagesets had a batch limit of 7 and a high limit of 42.  After
+the patch:
+
+    256               batch: 1
+    768               batch: 63
+    256               high:  0
+    768               high:  378
+
+[mgorman@techsingularity.net: fix merge/linkage snafu]
+  Link: http://lkml.kernel.org/r/20191023084705.GD3016@techsingularity.netLink: http://lkml.kernel.org/r/20191021094808.28824-2-mgorman@techsingularity.net
+Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Qian Cai <cai@lca.pw>
+Cc: <stable@vger.kernel.org>   [4.1+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -2051,6 +2051,14 @@ static void reserve_highatomic_pageblock
+       unsigned long max_managed, flags;
+       /*
++       * The number of managed pages has changed due to the initialisation
++       * so the pcpu batch and high limits needs to be updated or the limits
++       * will be artificially small.
++       */
++      for_each_populated_zone(zone)
++              zone_pcp_update(zone);
++
++      /*
+        * Limit the number reserved to 1 pageblock or roughly 1% of a zone.
+        * Check is race-prone but harmless.
+        */
+@@ -7385,7 +7393,6 @@ void free_contig_range(unsigned long pfn
+ }
+ #endif
+-#ifdef CONFIG_MEMORY_HOTPLUG
+ /*
+  * The zone indicated has a new number of managed_pages; batch sizes and percpu
+  * page high values need to be recalulated.
+@@ -7399,7 +7406,6 @@ void __meminit zone_pcp_update(struct zo
+                               per_cpu_ptr(zone->pageset, cpu));
+       mutex_unlock(&pcp_batch_high_lock);
+ }
+-#endif
+ void zone_pcp_reset(struct zone *zone)
+ {
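Review bot: The `for_each_populated_zone(zone) zone_pcp_update(zone);` loop added at lines 849-850 lands in reserve_highatomic_pageblock() (hunk header at 842, context `unsigned long max_managed, flags;` and the "Limit the number reserved to 1 pageblock" comment), not in page_alloc_init_late() where the upstream commit and this description ("after deferred initialisation completes") put it. In mainline that function is reserve_highatomic_pageblock(struct page *page, struct zone *zone); if the 4.9 signature is the same, the loop reuses the `zone` parameter and leaves it NULL when it terminates, so the rest of the function, which continues past the hunk, dereferences NULL on every highatomic reservation. It also calls zone_pcp_update(), which takes the pcp_batch_high_lock mutex (line 865), from inside the page allocator, which is presumably reached from atomic allocations. The loop should be removed from this function and placed in page_alloc_init_late() after `wait_for_completion(&pgdat_init_all_done_comp);` with a local `struct zone *zone;`, as upstream does.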
diff --git a/queue-4.9/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch b/queue-4.9/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch
new file mode 100644 (file)
index 0000000..196fd01
--- /dev/null
@@ -0,0 +1,145 @@
+From 169226f7e0d275c1879551f37484ef6683579a5c Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang.shi@linux.alibaba.com>
+Date: Tue, 5 Nov 2019 21:16:30 -0800
+Subject: mm: thp: handle page cache THP correctly in PageTransCompoundMap
+
+From: Yang Shi <yang.shi@linux.alibaba.com>
+
+commit 169226f7e0d275c1879551f37484ef6683579a5c upstream.
+
+We have a usecase to use tmpfs as QEMU memory backend and we would like
+to take the advantage of THP as well.  But, our test shows the EPT is
+not PMD mapped even though the underlying THP are PMD mapped on host.
+The number showed by /sys/kernel/debug/kvm/largepage is much less than
+the number of PMD mapped shmem pages as the below:
+
+  7f2778200000-7f2878200000 rw-s 00000000 00:14 262232 /dev/shm/qemu_back_mem.mem.Hz2hSf (deleted)
+  Size:            4194304 kB
+  [snip]
+  AnonHugePages:         0 kB
+  ShmemPmdMapped:   579584 kB
+  [snip]
+  Locked:                0 kB
+
+  cat /sys/kernel/debug/kvm/largepages
+  12
+
+And some benchmarks do worse than with anonymous THPs.
+
+By digging into the code we figured out that commit 127393fbe597 ("mm:
+thp: kvm: fix memory corruption in KVM with THP enabled") checks if
+there is a single PTE mapping on the page for anonymous THP when setting
+up EPT map.  But the _mapcount < 0 check doesn't work for page cache THP
+since every subpage of page cache THP would get _mapcount inc'ed once it
+is PMD mapped, so PageTransCompoundMap() always returns false for page
+cache THP.  This would prevent KVM from setting up PMD mapped EPT entry.
+
+So we need handle page cache THP correctly.  However, when page cache
+THP's PMD gets split, kernel just remove the map instead of setting up
+PTE map like what anonymous THP does.  Before KVM calls get_user_pages()
+the subpages may get PTE mapped even though it is still a THP since the
+page cache THP may be mapped by other processes at the mean time.
+
+Checking its _mapcount and whether the THP has PTE mapped or not.
+Although this may report some false negative cases (PTE mapped by other
+processes), it looks not trivial to make this accurate.
+
+With this fix /sys/kernel/debug/kvm/largepage would show reasonable
+pages are PMD mapped by EPT as the below:
+
+  7fbeaee00000-7fbfaee00000 rw-s 00000000 00:14 275464 /dev/shm/qemu_back_mem.mem.SKUvat (deleted)
+  Size:            4194304 kB
+  [snip]
+  AnonHugePages:         0 kB
+  ShmemPmdMapped:   557056 kB
+  [snip]
+  Locked:                0 kB
+
+  cat /sys/kernel/debug/kvm/largepages
+  271
+
+And the benchmarks are as same as anonymous THPs.
+
+[yang.shi@linux.alibaba.com: v4]
+  Link: http://lkml.kernel.org/r/1571865575-42913-1-git-send-email-yang.shi@linux.alibaba.com
+Link: http://lkml.kernel.org/r/1571769577-89735-1-git-send-email-yang.shi@linux.alibaba.com
+Fixes: dd78fedde4b9 ("rmap: support file thp")
+Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
+Reported-by: Gang Deng <gavin.dg@linux.alibaba.com>
+Tested-by: Gang Deng <gavin.dg@linux.alibaba.com>
+Suggested-by: Hugh Dickins <hughd@google.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: <stable@vger.kernel.org>   [4.8+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mm.h         |    5 -----
+ include/linux/mm_types.h   |    5 +++++
+ include/linux/page-flags.h |   20 ++++++++++++++++++--
+ 3 files changed, 23 insertions(+), 7 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -504,11 +504,6 @@ static inline int is_vmalloc_or_module_a
+ extern void kvfree(const void *addr);
+-static inline atomic_t *compound_mapcount_ptr(struct page *page)
+-{
+-      return &page[1].compound_mapcount;
+-}
+-
+ static inline int compound_mapcount(struct page *page)
+ {
+       VM_BUG_ON_PAGE(!PageCompound(page), page);
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -262,6 +262,11 @@ struct page_frag_cache {
+ typedef unsigned long vm_flags_t;
++static inline atomic_t *compound_mapcount_ptr(struct page *page)
++{
++      return &page[1].compound_mapcount;
++}
++
+ /*
+  * A region containing a mapping of a non-memory backed file under NOMMU
+  * conditions.  These are held in a global tree and are pinned by the VMAs that
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -545,12 +545,28 @@ static inline int PageTransCompound(stru
+  *
+  * Unlike PageTransCompound, this is safe to be called only while
+  * split_huge_pmd() cannot run from under us, like if protected by the
+- * MMU notifier, otherwise it may result in page->_mapcount < 0 false
++ * MMU notifier, otherwise it may result in page->_mapcount check false
+  * positives.
++ *
++ * We have to treat page cache THP differently since every subpage of it
++ * would get _mapcount inc'ed once it is PMD mapped.  But, it may be PTE
++ * mapped in the current process so comparing subpage's _mapcount to
++ * compound_mapcount to filter out PTE mapped case.
+  */
+ static inline int PageTransCompoundMap(struct page *page)
+ {
+-      return PageTransCompound(page) && atomic_read(&page->_mapcount) < 0;
++      struct page *head;
++
++      if (!PageTransCompound(page))
++              return 0;
++
++      if (PageAnon(page))
++              return atomic_read(&page->_mapcount) < 0;
++
++      head = compound_head(page);
++      /* File THP is PMD mapped and not PTE mapped */
++      return atomic_read(&page->_mapcount) ==
++             atomic_read(compound_mapcount_ptr(head));
+ }
+ /*
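Review bot: The file-THP branch at lines 1011-1012 compares two counters that are read separately and, in mainline, updated in separate steps by the rmap code, so the equality is a snapshot rather than an atomic check; the header comment above it only names split_huge_pmd() as the thing callers must keep from running. Because the KVM caller uses a true result to install a PMD-sized EPT mapping (the hazard commit 127393fbe597 guarded against), the contract of the new branch should be spelled out for readers of page-flags.h. I would extend the comment block at lines 993-996 with: `* For file THP this is a snapshot of two independently updated counters: PTE mappings by other processes make it err towards false negatives, and the result is only meaningful under the same MMU-notifier protection described above.`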
diff --git a/queue-4.9/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch b/queue-4.9/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
new file mode 100644 (file)
index 0000000..9b16f55
--- /dev/null
@@ -0,0 +1,57 @@
+From abaed0112c1db08be15a784a2c5c8a8b3063cdd3 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Tue, 5 Nov 2019 21:16:40 -0800
+Subject: mm, vmstat: hide /proc/pagetypeinfo from normal users
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream.
+
+/proc/pagetypeinfo is a debugging tool to examine internal page
+allocator state wrt to fragmentation.  It is not very useful for any
+other use so normal users really do not need to read this file.
+
+Waiman Long has noticed that reading this file can have negative side
+effects because zone->lock is necessary for gathering data and that a)
+interferes with the page allocator and its users and b) can lead to hard
+lockups on large machines which have very long free_list.
+
+Reduce both issues by simply not exporting the file to regular users.
+
+Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org
+Fixes: 467c996c1e19 ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo")
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Waiman Long <longman@redhat.com>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Rafael Aquini <aquini@redhat.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Cc: Jann Horn <jannh@google.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmstat.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1794,7 +1794,7 @@ static int __init setup_vmstat(void)
+ #endif
+ #ifdef CONFIG_PROC_FS
+       proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
+-      proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
++      proc_create("pagetypeinfo", 0400, NULL, &pagetypeinfo_file_ops);
+       proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
+       proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
+ #endif
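Review bot: The mode change at line 1073 removes the unprivileged trigger but not the problem the description cites: a root-owned reader (and proc honours CAP_DAC_OVERRIDE, so any such process) still walks every free_list under zone->lock and can hit the same hard lockup, so this is a privilege gate rather than a fix for the lock hold time. Upstream appears to have followed this with a separate change bounding that walk; it is not among the patches listed in this commit, which is worth checking for 4.9. Style: the neighbouring proc_create() calls keep the symbolic S_IRUGO while the new line switches to octal, so the block is now mixed; `proc_create("pagetypeinfo", S_IRUSR, NULL, &pagetypeinfo_file_ops);` would match its neighbours, or convert the whole block to octal as checkpatch prefers.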
diff --git a/queue-4.9/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch b/queue-4.9/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
new file mode 100644 (file)
index 0000000..7fc8520
--- /dev/null
@@ -0,0 +1,47 @@
+From 30b7244d79651460ff114ba8f7987ed94c86b99a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 24 Aug 2019 17:49:55 +0300
+Subject: netfilter: ipset: Fix an error code in ip_set_sockfn_get()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 30b7244d79651460ff114ba8f7987ed94c86b99a upstream.
+
+The copy_to_user() function returns the number of bytes remaining to be
+copied.  In this code, that positive return is checked at the end of the
+function and we return zero/success.  What we should do instead is
+return -EFAULT.
+
+Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_core.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1942,8 +1942,9 @@ ip_set_sockfn_get(struct sock *sk, int o
+               }
+               req_version->version = IPSET_PROTOCOL;
+-              ret = copy_to_user(user, req_version,
+-                                 sizeof(struct ip_set_req_version));
++              if (copy_to_user(user, req_version,
++                               sizeof(struct ip_set_req_version)))
++                      ret = -EFAULT;
+               goto done;
+       }
+       case IP_SET_OP_GET_BYNAME: {
+@@ -2000,7 +2001,8 @@ ip_set_sockfn_get(struct sock *sk, int o
+       }       /* end of switch(op) */
+ copy:
+-      ret = copy_to_user(user, data, copylen);
++      if (copy_to_user(user, data, copylen))
++              ret = -EFAULT;
+ done:
+       vfree(data);
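Review bot: The new `if (copy_to_user(...)) ret = -EFAULT;` forms at lines 1112-1114 and 1122-1123 now report success only by leaving `ret` untouched, so they depend on it being 0 whenever these paths are reached; its initialisation and the other assignments in ip_set_sockfn_get() are outside this hunk, so confirm that no branch reaching `copy:` leaves a non-zero value in it. The description says the function clamps a positive `ret` to 0 before returning; after this change no positive value can reach `done:`, so that clamp is dead and could be removed in the same patch rather than left to mask a future mistake. A one-line comment at `copy:` would make the invariant visible: `/* ret is 0 here; copy_to_user() failure is the only thing that lowers it */`.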
diff --git a/queue-4.9/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch b/queue-4.9/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
new file mode 100644 (file)
index 0000000..1d2268b
--- /dev/null
@@ -0,0 +1,60 @@
+From 250367c59e6ba0d79d702a059712d66edacd4a1a Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 31 Oct 2019 11:06:24 +0100
+Subject: netfilter: nf_tables: Align nft_expr private data to 64-bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 250367c59e6ba0d79d702a059712d66edacd4a1a upstream.
+
+Invoking the following commands on a 32-bit architecture with strict
+alignment requirements (such as an ARMv7-based Raspberry Pi) results
+in an alignment exception:
+
+ # nft add table ip test-ip4
+ # nft add chain ip test-ip4 output { type filter hook output priority 0; }
+ # nft add rule  ip test-ip4 output quota 1025 bytes
+
+Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>]
+Unhandled fault: alignment exception (0x001) at 0xb832e824
+Internal error: : 1 [#1] PREEMPT SMP ARM
+Hardware name: BCM2835
+[<7f4473fc>] (nft_quota_do_init [nft_quota])
+[<7f447448>] (nft_quota_init [nft_quota])
+[<7f4260d0>] (nf_tables_newrule [nf_tables])
+[<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink])
+[<7f416bd0>] (nfnetlink_rcv [nfnetlink])
+[<8078b334>] (netlink_unicast)
+[<8078b664>] (netlink_sendmsg)
+[<8071b47c>] (sock_sendmsg)
+[<8071bd18>] (___sys_sendmsg)
+[<8071ce3c>] (__sys_sendmsg)
+[<8071ce94>] (sys_sendmsg)
+
+The reason is that nft_quota_do_init() calls atomic64_set() on an
+atomic64_t which is only aligned to 32-bit, not 64-bit, because it
+succeeds struct nft_expr in memory which only contains a 32-bit pointer.
+Fix by aligning the nft_expr private data to 64-bit.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_tables.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -705,7 +705,8 @@ struct nft_expr_ops {
+  */
+ struct nft_expr {
+       const struct nft_expr_ops       *ops;
+-      unsigned char                   data[];
++      unsigned char                   data[]
++              __attribute__((aligned(__alignof__(u64))));
+ };
+ static inline void *nft_expr_priv(const struct nft_expr *expr)
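Review bot: The alignment attribute at lines 1186-1187 changes the size and alignment of struct nft_expr on 32-bit targets, and in mainline that value feeds the per-expression stride the core uses to walk a rule's expression array (NFT_EXPR_SIZE and ops->size, outside this hunk), so every nft expression module has to be rebuilt together with nf_tables; as a stable update this should be called out, since a kernel carrying externally built or out-of-tree nft modules compiled against the old header would mis-stride. Style: the kernel provides `__aligned()` for this, so `unsigned char data[] __aligned(__alignof__(u64));` is the conventional spelling and fits on one line.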
diff --git a/queue-4.9/perf-tools-fix-time-sorting.patch b/queue-4.9/perf-tools-fix-time-sorting.patch
new file mode 100644 (file)
index 0000000..67f11be
--- /dev/null
@@ -0,0 +1,46 @@
+From 722ddfde366fd46205456a9c5ff9b3359dc9a75e Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Tue, 5 Nov 2019 00:27:11 +0100
+Subject: perf tools: Fix time sorting
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit 722ddfde366fd46205456a9c5ff9b3359dc9a75e upstream.
+
+The final sort might get confused when the comparison is done over
+bigger numbers than int like for -s time.
+
+Check the following report for longer workloads:
+
+  $ perf report -s time -F time,overhead --stdio
+
+Fix hist_entry__sort() to properly return int64_t and not possible cut
+int.
+
+Fixes: 043ca389a318 ("perf tools: Use hpp formats to sort final output")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Michael Petlan <mpetlan@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org # v3.16+
+Link: http://lore.kernel.org/lkml/20191104232711.16055-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/hist.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -1485,7 +1485,7 @@ int hists__collapse_resort(struct hists
+       return 0;
+ }
+-static int hist_entry__sort(struct hist_entry *a, struct hist_entry *b)
++static int64_t hist_entry__sort(struct hist_entry *a, struct hist_entry *b)
+ {
+       struct hists *hists = a->hists;
+       struct perf_hpp_fmt *fmt;
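Review bot: Widening hist_entry__sort() to int64_t at line 1236 only removes the truncation if its callers do not store the result back into an int; the callers and the body that returns the per-format comparison are outside this hunk, so check that they compare the value against 0 rather than assigning it to an int local. A short comment on the function would prevent the next reader from narrowing it again, e.g. `/* int64_t: sort keys such as -s time exceed the range of int */`.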
index faba69f803f7d9ec691866a4bd5206d53c8cf6b8..03a6a3edd900e249a5de46533345ff3d844ab48c 100644 (file)
@@ -6,3 +6,22 @@ nfc-fdp-fix-incorrect-free-object.patch
 nfc-netlink-fix-double-device-reference-drop.patch
 nfc-st21nfca-fix-double-free.patch
 qede-fix-null-pointer-deref-in-__qede_remove.patch
+alsa-timer-fix-incorrectly-assigned-timer-instance.patch
+alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
+alsa-hda-ca0132-fix-possible-workqueue-stall.patch
+mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
+mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch
+mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
+dump_stack-avoid-the-livelock-of-the-dump_lock.patch
+perf-tools-fix-time-sorting.patch
+drm-radeon-fix-si_enable_smc_cac-failed-issue.patch
+ceph-fix-use-after-free-in-__ceph_remove_cap.patch
+iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
+netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
+netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
+intel_th-pci-add-comet-lake-pch-support.patch
+can-usb_8dev-fix-use-after-free-on-disconnect.patch
+can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch
+can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
+can-gs_usb-gs_can_open-prevent-memory-leak.patch
+can-peak_usb-fix-slab-info-leak.patch