--- /dev/null
+From 9f00baf74e4b6f79a3a3dfab44fb7bb2e797b551 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Tue, 30 Jul 2019 16:05:24 +0000
+Subject: crypto: ccp - Add support for valid authsize values less than 16
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit 9f00baf74e4b6f79a3a3dfab44fb7bb2e797b551 upstream.
+
+AES GCM encryption allows for authsize values of 4, 8, and 12-16 bytes.
+Validate the requested authsize, and retain it to save in the request
+context.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-galois.c | 14 ++++++++++++++
+ drivers/crypto/ccp/ccp-ops.c | 26 +++++++++++++++++++++-----
+ include/linux/ccp.h | 2 ++
+ 3 files changed, 37 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-crypto-aes-galois.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-galois.c
+@@ -61,6 +61,19 @@ static int ccp_aes_gcm_setkey(struct cry
+ static int ccp_aes_gcm_setauthsize(struct crypto_aead *tfm,
+ unsigned int authsize)
+ {
++ switch (authsize) {
++ case 16:
++ case 15:
++ case 14:
++ case 13:
++ case 12:
++ case 8:
++ case 4:
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+@@ -107,6 +120,7 @@ static int ccp_aes_gcm_crypt(struct aead
+ memset(&rctx->cmd, 0, sizeof(rctx->cmd));
+ INIT_LIST_HEAD(&rctx->cmd.entry);
+ rctx->cmd.engine = CCP_ENGINE_AES;
++ rctx->cmd.u.aes.authsize = crypto_aead_authsize(tfm);
+ rctx->cmd.u.aes.type = ctx->u.aes.type;
+ rctx->cmd.u.aes.mode = ctx->u.aes.mode;
+ rctx->cmd.u.aes.action = encrypt;
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -625,6 +625,7 @@ static int ccp_run_aes_gcm_cmd(struct cc
+
+ unsigned long long *final;
+ unsigned int dm_offset;
++ unsigned int authsize;
+ unsigned int jobid;
+ unsigned int ilen;
+ bool in_place = true; /* Default value */
+@@ -646,6 +647,21 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ if (!aes->key) /* Gotta have a key SGL */
+ return -EINVAL;
+
++ /* Zero defaults to 16 bytes, the maximum size */
++ authsize = aes->authsize ? aes->authsize : AES_BLOCK_SIZE;
++ switch (authsize) {
++ case 16:
++ case 15:
++ case 14:
++ case 13:
++ case 12:
++ case 8:
++ case 4:
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ /* First, decompose the source buffer into AAD & PT,
+ * and the destination buffer into AAD, CT & tag, or
+ * the input into CT & tag.
+@@ -660,7 +676,7 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ p_tag = scatterwalk_ffwd(sg_tag, p_outp, ilen);
+ } else {
+ /* Input length for decryption includes tag */
+- ilen = aes->src_len - AES_BLOCK_SIZE;
++ ilen = aes->src_len - authsize;
+ p_tag = scatterwalk_ffwd(sg_tag, p_inp, ilen);
+ }
+
+@@ -842,19 +858,19 @@ static int ccp_run_aes_gcm_cmd(struct cc
+
+ if (aes->action == CCP_AES_ACTION_ENCRYPT) {
+ /* Put the ciphered tag after the ciphertext. */
+- ccp_get_dm_area(&final_wa, 0, p_tag, 0, AES_BLOCK_SIZE);
++ ccp_get_dm_area(&final_wa, 0, p_tag, 0, authsize);
+ } else {
+ /* Does this ciphered tag match the input? */
+- ret = ccp_init_dm_workarea(&tag, cmd_q, AES_BLOCK_SIZE,
++ ret = ccp_init_dm_workarea(&tag, cmd_q, authsize,
+ DMA_BIDIRECTIONAL);
+ if (ret)
+ goto e_tag;
+- ret = ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
++ ret = ccp_set_dm_area(&tag, 0, p_tag, 0, authsize);
+ if (ret)
+ goto e_tag;
+
+ ret = crypto_memneq(tag.address, final_wa.address,
+- AES_BLOCK_SIZE) ? -EBADMSG : 0;
++ authsize) ? -EBADMSG : 0;
+ ccp_dm_free(&tag);
+ }
+
+--- a/include/linux/ccp.h
++++ b/include/linux/ccp.h
+@@ -173,6 +173,8 @@ struct ccp_aes_engine {
+ enum ccp_aes_mode mode;
+ enum ccp_aes_action action;
+
++ u32 authsize;
++
+ struct scatterlist *key;
+ u32 key_len; /* In bytes */
+
--- /dev/null
+From 25e44338321af545ab34243a6081c3f0fc6107d0 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Tue, 30 Jul 2019 16:05:22 +0000
+Subject: crypto: ccp - Fix oops by properly managing allocated structures
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit 25e44338321af545ab34243a6081c3f0fc6107d0 upstream.
+
+A plaintext or ciphertext length of 0 is allowed in AES, in which case
+no encryption occurs. Ensure that we don't clean up data structures
+that were never allocated.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-ops.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -862,11 +862,11 @@ e_tag:
+ ccp_dm_free(&final_wa);
+
+ e_dst:
+- if (aes->src_len && !in_place)
++ if (ilen > 0 && !in_place)
+ ccp_free_data(&dst, cmd_q);
+
+ e_src:
+- if (aes->src_len)
++ if (ilen > 0)
+ ccp_free_data(&src, cmd_q);
+
+ e_aad:
--- /dev/null
+From e2664ecbb2f26225ac6646876f2899558ffb2604 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Tue, 30 Jul 2019 16:05:26 +0000
+Subject: crypto: ccp - Ignore tag length when decrypting GCM ciphertext
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit e2664ecbb2f26225ac6646876f2899558ffb2604 upstream.
+
+AES GCM input buffers for decryption contain AAD+CTEXT+TAG. Only
+decrypt the ciphertext, and use the tag for comparison.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-ops.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -785,8 +785,7 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ while (src.sg_wa.bytes_left) {
+ ccp_prepare_data(&src, &dst, &op, AES_BLOCK_SIZE, true);
+ if (!src.sg_wa.bytes_left) {
+- unsigned int nbytes = aes->src_len
+- % AES_BLOCK_SIZE;
++ unsigned int nbytes = ilen % AES_BLOCK_SIZE;
+
+ if (nbytes) {
+ op.eom = 1;
--- /dev/null
+From ae8cc91a7d85e018c0c267f580820b2bb558cd48 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Tue, 9 Jul 2019 22:04:17 -0700
+Subject: iio: adc: max9611: Fix misuse of GENMASK macro
+
+From: Joe Perches <joe@perches.com>
+
+commit ae8cc91a7d85e018c0c267f580820b2bb558cd48 upstream.
+
+Arguments are supposed to be ordered high then low.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Fixes: 69780a3bbc0b ("iio: adc: Add Maxim max9611 ADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/max9611.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/max9611.c
++++ b/drivers/iio/adc/max9611.c
+@@ -86,7 +86,7 @@
+ #define MAX9611_TEMP_MAX_POS 0x7f80
+ #define MAX9611_TEMP_MAX_NEG 0xff80
+ #define MAX9611_TEMP_MIN_NEG 0xd980
+-#define MAX9611_TEMP_MASK GENMASK(7, 15)
++#define MAX9611_TEMP_MASK GENMASK(15, 7)
+ #define MAX9611_TEMP_SHIFT 0x07
+ #define MAX9611_TEMP_RAW(_r) ((_r) >> MAX9611_TEMP_SHIFT)
+ #define MAX9611_TEMP_SCALE_NUM 1000000
--- /dev/null
+From 6cdff99c9f7d7d28b87cf05dd464f7c7736332ae Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou <gwendal@chromium.org>
+Date: Fri, 28 Jun 2019 12:17:09 -0700
+Subject: iio: cros_ec_accel_legacy: Fix incorrect channel setting
+
+From: Gwendal Grignou <gwendal@chromium.org>
+
+commit 6cdff99c9f7d7d28b87cf05dd464f7c7736332ae upstream.
+
+INFO_SCALE is set both for each channel and all channels.
+iio is using all channel setting, so the error was not user visible.
+
+Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/cros_ec_accel_legacy.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/iio/accel/cros_ec_accel_legacy.c
++++ b/drivers/iio/accel/cros_ec_accel_legacy.c
+@@ -328,7 +328,6 @@ static const struct iio_chan_spec_ext_in
+ .modified = 1, \
+ .info_mask_separate = \
+ BIT(IIO_CHAN_INFO_RAW) | \
+- BIT(IIO_CHAN_INFO_SCALE) | \
+ BIT(IIO_CHAN_INFO_CALIBBIAS), \
+ .info_mask_shared_by_all = BIT(IIO_CHAN_INFO_SCALE), \
+ .ext_info = cros_ec_accel_legacy_ext_info, \
--- /dev/null
+From 883a2a80f79ca5c0c105605fafabd1f3df99b34c Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 22 Jul 2019 10:56:55 +0300
+Subject: Input: elantech - enable SMBus on new (2018+) systems
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 883a2a80f79ca5c0c105605fafabd1f3df99b34c upstream.
+
+There are some new HP laptops with Elantech touchpad that don't support
+multitouch.
+
+Currently we use ETP_NEW_IC_SMBUS_HOST_NOTIFY() to check if SMBus is supported,
+but in addition to firmware version, the bus type also informs us whether the IC
+can support SMBus. To avoid breaking old ICs, we will only enable SMbus support
+based the bus type on systems manufactured after 2018.
+
+Lastly, let's consolidate all checks into elantech_use_host_notify() and use it
+to determine whether to use PS/2 or SMBus.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 54 ++++++++++++++++++-----------------------
+ 1 file changed, 25 insertions(+), 29 deletions(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1810,6 +1810,30 @@ static int elantech_create_smbus(struct
+ leave_breadcrumbs);
+ }
+
++static bool elantech_use_host_notify(struct psmouse *psmouse,
++ struct elantech_device_info *info)
++{
++ if (ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version))
++ return true;
++
++ switch (info->bus) {
++ case ETP_BUS_PS2_ONLY:
++ /* expected case */
++ break;
++ case ETP_BUS_SMB_HST_NTFY_ONLY:
++ case ETP_BUS_PS2_SMB_HST_NTFY:
++ /* SMbus implementation is stable since 2018 */
++ if (dmi_get_bios_year() >= 2018)
++ return true;
++ default:
++ psmouse_dbg(psmouse,
++ "Ignoring SMBus bus provider %d\n", info->bus);
++ break;
++ }
++
++ return false;
++}
++
+ /**
+ * elantech_setup_smbus - called once the PS/2 devices are enumerated
+ * and decides to instantiate a SMBus InterTouch device.
+@@ -1829,7 +1853,7 @@ static int elantech_setup_smbus(struct p
+ * i2c_blacklist_pnp_ids.
+ * Old ICs are up to the user to decide.
+ */
+- if (!ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version) ||
++ if (!elantech_use_host_notify(psmouse, info) ||
+ psmouse_matches_pnp_id(psmouse, i2c_blacklist_pnp_ids))
+ return -ENXIO;
+ }
+@@ -1849,34 +1873,6 @@ static int elantech_setup_smbus(struct p
+ return 0;
+ }
+
+-static bool elantech_use_host_notify(struct psmouse *psmouse,
+- struct elantech_device_info *info)
+-{
+- if (ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version))
+- return true;
+-
+- switch (info->bus) {
+- case ETP_BUS_PS2_ONLY:
+- /* expected case */
+- break;
+- case ETP_BUS_SMB_ALERT_ONLY:
+- /* fall-through */
+- case ETP_BUS_PS2_SMB_ALERT:
+- psmouse_dbg(psmouse, "Ignoring SMBus provider through alert protocol.\n");
+- break;
+- case ETP_BUS_SMB_HST_NTFY_ONLY:
+- /* fall-through */
+- case ETP_BUS_PS2_SMB_HST_NTFY:
+- return true;
+- default:
+- psmouse_dbg(psmouse,
+- "Ignoring SMBus bus provider %d.\n",
+- info->bus);
+- }
+-
+- return false;
+-}
+-
+ int elantech_init_smbus(struct psmouse *psmouse)
+ {
+ struct elantech_device_info info;
--- /dev/null
+From 25f8c834e2a6871920cc1ca113f02fb301d007c3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 12 Jul 2019 11:37:17 -0700
+Subject: Input: synaptics - enable RMI mode for HP Spectre X360
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 25f8c834e2a6871920cc1ca113f02fb301d007c3 upstream.
+
+The 2016 kabylake HP Spectre X360 (model number 13-w013dx) works much better
+with psmouse.synaptics_intertouch=1 kernel parameter, so let's enable RMI4
+mode automatically.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204115
+Reported-by: Nate Graham <pointedstick@zoho.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -185,6 +185,7 @@ static const char * const smbus_pnp_ids[
+ "LEN2055", /* E580 */
+ "SYN3052", /* HP EliteBook 840 G4 */
+ "SYN3221", /* HP 15-ay000 */
++ "SYN323d", /* HP Spectre X360 13-w013dx */
+ NULL
+ };
+
--- /dev/null
+From b55d996f057bf2e7ba9422a80b5e17e99860cb0b Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 1 Aug 2019 09:40:26 -0700
+Subject: Input: usbtouchscreen - initialize PM mutex before using it
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit b55d996f057bf2e7ba9422a80b5e17e99860cb0b upstream.
+
+Mutexes shall be initialized before they are used.
+
+Fixes: 12e510dbc57b2 ("Input: usbtouchscreen - fix deadlock in autosuspend")
+Reported-by: syzbot+199ea16c7f26418b4365@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/usbtouchscreen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/touchscreen/usbtouchscreen.c
++++ b/drivers/input/touchscreen/usbtouchscreen.c
+@@ -1672,6 +1672,8 @@ static int usbtouch_probe(struct usb_int
+ if (!usbtouch || !input_dev)
+ goto out_free;
+
++ mutex_init(&usbtouch->pm_mutex);
++
+ type = &usbtouch_dev_info[id->driver_info];
+ usbtouch->type = type;
+ if (!type->process_pkt)
--- /dev/null
+From d0a255e795ab976481565f6ac178314b34fbf891 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 8 Aug 2019 11:17:01 -0400
+Subject: loop: set PF_MEMALLOC_NOIO for the worker thread
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d0a255e795ab976481565f6ac178314b34fbf891 upstream.
+
+A deadlock with this stacktrace was observed.
+
+The loop thread does a GFP_KERNEL allocation, it calls into dm-bufio
+shrinker and the shrinker depends on I/O completion in the dm-bufio
+subsystem.
+
+In order to fix the deadlock (and other similar ones), we set the flag
+PF_MEMALLOC_NOIO at loop thread entry.
+
+PID: 474 TASK: ffff8813e11f4600 CPU: 10 COMMAND: "kswapd0"
+ #0 [ffff8813dedfb938] __schedule at ffffffff8173f405
+ #1 [ffff8813dedfb990] schedule at ffffffff8173fa27
+ #2 [ffff8813dedfb9b0] schedule_timeout at ffffffff81742fec
+ #3 [ffff8813dedfba60] io_schedule_timeout at ffffffff8173f186
+ #4 [ffff8813dedfbaa0] bit_wait_io at ffffffff8174034f
+ #5 [ffff8813dedfbac0] __wait_on_bit at ffffffff8173fec8
+ #6 [ffff8813dedfbb10] out_of_line_wait_on_bit at ffffffff8173ff81
+ #7 [ffff8813dedfbb90] __make_buffer_clean at ffffffffa038736f [dm_bufio]
+ #8 [ffff8813dedfbbb0] __try_evict_buffer at ffffffffa0387bb8 [dm_bufio]
+ #9 [ffff8813dedfbbd0] dm_bufio_shrink_scan at ffffffffa0387cc3 [dm_bufio]
+ #10 [ffff8813dedfbc40] shrink_slab at ffffffff811a87ce
+ #11 [ffff8813dedfbd30] shrink_zone at ffffffff811ad778
+ #12 [ffff8813dedfbdc0] kswapd at ffffffff811ae92f
+ #13 [ffff8813dedfbec0] kthread at ffffffff810a8428
+ #14 [ffff8813dedfbf50] ret_from_fork at ffffffff81745242
+
+ PID: 14127 TASK: ffff881455749c00 CPU: 11 COMMAND: "loop1"
+ #0 [ffff88272f5af228] __schedule at ffffffff8173f405
+ #1 [ffff88272f5af280] schedule at ffffffff8173fa27
+ #2 [ffff88272f5af2a0] schedule_preempt_disabled at ffffffff8173fd5e
+ #3 [ffff88272f5af2b0] __mutex_lock_slowpath at ffffffff81741fb5
+ #4 [ffff88272f5af330] mutex_lock at ffffffff81742133
+ #5 [ffff88272f5af350] dm_bufio_shrink_count at ffffffffa03865f9 [dm_bufio]
+ #6 [ffff88272f5af380] shrink_slab at ffffffff811a86bd
+ #7 [ffff88272f5af470] shrink_zone at ffffffff811ad778
+ #8 [ffff88272f5af500] do_try_to_free_pages at ffffffff811adb34
+ #9 [ffff88272f5af590] try_to_free_pages at ffffffff811adef8
+ #10 [ffff88272f5af610] __alloc_pages_nodemask at ffffffff811a09c3
+ #11 [ffff88272f5af710] alloc_pages_current at ffffffff811e8b71
+ #12 [ffff88272f5af760] new_slab at ffffffff811f4523
+ #13 [ffff88272f5af7b0] __slab_alloc at ffffffff8173a1b5
+ #14 [ffff88272f5af880] kmem_cache_alloc at ffffffff811f484b
+ #15 [ffff88272f5af8d0] do_blockdev_direct_IO at ffffffff812535b3
+ #16 [ffff88272f5afb00] __blockdev_direct_IO at ffffffff81255dc3
+ #17 [ffff88272f5afb30] xfs_vm_direct_IO at ffffffffa01fe3fc [xfs]
+ #18 [ffff88272f5afb90] generic_file_read_iter at ffffffff81198994
+ #19 [ffff88272f5afc50] __dta_xfs_file_read_iter_2398 at ffffffffa020c970 [xfs]
+ #20 [ffff88272f5afcc0] lo_rw_aio at ffffffffa0377042 [loop]
+ #21 [ffff88272f5afd70] loop_queue_work at ffffffffa0377c3b [loop]
+ #22 [ffff88272f5afe60] kthread_worker_fn at ffffffff810a8a0c
+ #23 [ffff88272f5afec0] kthread at ffffffff810a8428
+ #24 [ffff88272f5aff50] ret_from_fork at ffffffff81745242
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -886,7 +886,7 @@ static void loop_unprepare_queue(struct
+
+ static int loop_kthread_worker_fn(void *worker_ptr)
+ {
+- current->flags |= PF_LESS_THROTTLE;
++ current->flags |= PF_LESS_THROTTLE | PF_MEMALLOC_NOIO;
+ return kthread_worker_fn(worker_ptr);
+ }
+
--- /dev/null
+From b803974a86039913d5280add083d730b2b9ed8ec Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Fri, 26 Jul 2019 10:30:49 +0800
+Subject: mmc: cavium: Add the missing dma unmap when the dma has finished.
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit b803974a86039913d5280add083d730b2b9ed8ec upstream.
+
+This fixes the below calltrace when the CONFIG_DMA_API_DEBUG is enabled.
+ DMA-API: thunderx_mmc 0000:01:01.4: cpu touching an active dma mapped cacheline [cln=0x000000002fdf9800]
+ WARNING: CPU: 21 PID: 1 at kernel/dma/debug.c:596 debug_dma_assert_idle+0x1f8/0x270
+ Modules linked in:
+ CPU: 21 PID: 1 Comm: init Not tainted 5.3.0-rc1-next-20190725-yocto-standard+ #64
+ Hardware name: Marvell OcteonTX CN96XX board (DT)
+ pstate: 80400009 (Nzcv daif +PAN -UAO)
+ pc : debug_dma_assert_idle+0x1f8/0x270
+ lr : debug_dma_assert_idle+0x1f8/0x270
+ sp : ffff0000113cfc10
+ x29: ffff0000113cfc10 x28: 0000ffff8c880000
+ x27: ffff800bc72a0000 x26: ffff000010ff8000
+ x25: ffff000010ff8940 x24: ffff000010ff8968
+ x23: 0000000000000000 x22: ffff000010e83700
+ x21: ffff000010ea2000 x20: ffff000010e835c8
+ x19: ffff800bc2c73300 x18: ffffffffffffffff
+ x17: 0000000000000000 x16: 0000000000000000
+ x15: ffff000010e835c8 x14: 6d20616d64206576
+ x13: 69746361206e6120 x12: 676e696863756f74
+ x11: 20757063203a342e x10: 31303a31303a3030
+ x9 : 303020636d6d5f78 x8 : 3230303030303030
+ x7 : 00000000000002fd x6 : ffff000010fd57d0
+ x5 : 0000000000000000 x4 : ffff0000106c5210
+ x3 : 00000000ffffffff x2 : 0000800bee9c0000
+ x1 : 57d5843f4aa62800 x0 : 0000000000000000
+ Call trace:
+ debug_dma_assert_idle+0x1f8/0x270
+ wp_page_copy+0xb0/0x688
+ do_wp_page+0xa8/0x5b8
+ __handle_mm_fault+0x600/0xd00
+ handle_mm_fault+0x118/0x1e8
+ do_page_fault+0x200/0x500
+ do_mem_abort+0x50/0xb0
+ el0_da+0x20/0x24
+ ---[ end trace a005534bd23e109f ]---
+ DMA-API: Mapped at:
+ debug_dma_map_sg+0x94/0x350
+ cvm_mmc_request+0x3c4/0x988
+ __mmc_start_request+0x9c/0x1f8
+ mmc_start_request+0x7c/0xb0
+ mmc_blk_mq_issue_rq+0x5c4/0x7b8
+
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/cavium.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/cavium.c
++++ b/drivers/mmc/host/cavium.c
+@@ -374,6 +374,7 @@ static int finish_dma_single(struct cvm_
+ {
+ data->bytes_xfered = data->blocks * data->blksz;
+ data->error = 0;
++ dma_unmap_sg(host->dev, data->sg, data->sg_len, get_dma_dir(data));
+ return 1;
+ }
+
--- /dev/null
+From fa25eba6993b3750f417baabba169afaba076178 Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Fri, 26 Jul 2019 10:30:48 +0800
+Subject: mmc: cavium: Set the correct dma max segment size for mmc_host
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit fa25eba6993b3750f417baabba169afaba076178 upstream.
+
+We have set the mmc_host.max_seg_size to 8M, but the dma max segment
+size of PCI device is set to 64K by default in function pci_device_add().
+The mmc_host.max_seg_size is used to set the max segment size of
+the blk queue. Then this mismatch will trigger a calltrace like below
+when a bigger than 64K segment request arrives at mmc dev. So we should
+consider the limitation of the cvm_mmc_host when setting the
+mmc_host.max_seg_size.
+ DMA-API: thunderx_mmc 0000:01:01.4: mapping sg segment longer than device claims to support [len=131072] [max=65536]
+ WARNING: CPU: 6 PID: 238 at kernel/dma/debug.c:1221 debug_dma_map_sg+0x2b8/0x350
+ Modules linked in:
+ CPU: 6 PID: 238 Comm: kworker/6:1H Not tainted 5.3.0-rc1-next-20190724-yocto-standard+ #62
+ Hardware name: Marvell OcteonTX CN96XX board (DT)
+ Workqueue: kblockd blk_mq_run_work_fn
+ pstate: 80c00009 (Nzcv daif +PAN +UAO)
+ pc : debug_dma_map_sg+0x2b8/0x350
+ lr : debug_dma_map_sg+0x2b8/0x350
+ sp : ffff00001770f9e0
+ x29: ffff00001770f9e0 x28: ffffffff00000000
+ x27: 00000000ffffffff x26: ffff800bc2c73180
+ x25: ffff000010e83700 x24: 0000000000000002
+ x23: 0000000000000001 x22: 0000000000000001
+ x21: 0000000000000000 x20: ffff800bc48ba0b0
+ x19: ffff800bc97e8c00 x18: ffffffffffffffff
+ x17: 0000000000000000 x16: 0000000000000000
+ x15: ffff000010e835c8 x14: 6874207265676e6f
+ x13: 6c20746e656d6765 x12: 7320677320676e69
+ x11: 7070616d203a342e x10: 31303a31303a3030
+ x9 : 303020636d6d5f78 x8 : 35363d78616d5b20
+ x7 : 00000000000002fd x6 : ffff000010fd57dc
+ x5 : 0000000000000000 x4 : ffff0000106c61f0
+ x3 : 00000000ffffffff x2 : 0000800bee060000
+ x1 : 7010678df3041a00 x0 : 0000000000000000
+ Call trace:
+ debug_dma_map_sg+0x2b8/0x350
+ cvm_mmc_request+0x3c4/0x988
+ __mmc_start_request+0x9c/0x1f8
+ mmc_start_request+0x7c/0xb0
+ mmc_blk_mq_issue_rq+0x5c4/0x7b8
+ mmc_mq_queue_rq+0x11c/0x278
+ blk_mq_dispatch_rq_list+0xb0/0x568
+ blk_mq_do_dispatch_sched+0x6c/0x108
+ blk_mq_sched_dispatch_requests+0x110/0x1b8
+ __blk_mq_run_hw_queue+0xb0/0x118
+ blk_mq_run_work_fn+0x28/0x38
+ process_one_work+0x210/0x490
+ worker_thread+0x48/0x458
+ kthread+0x130/0x138
+ ret_from_fork+0x10/0x1c
+
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/cavium.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/cavium.c
++++ b/drivers/mmc/host/cavium.c
+@@ -1046,7 +1046,8 @@ int cvm_mmc_of_slot_probe(struct device
+ mmc->max_segs = 1;
+
+ /* DMA size field can address up to 8 MB */
+- mmc->max_seg_size = 8 * 1024 * 1024;
++ mmc->max_seg_size = min_t(unsigned int, 8 * 1024 * 1024,
++ dma_get_max_seg_size(host->dev));
+ mmc->max_req_size = mmc->max_seg_size;
+ /* External DMA is in 512 byte blocks */
+ mmc->max_blk_size = 512;
--- /dev/null
+From c7cd7c748a3250ca33509f9235efab9c803aca09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Thu, 8 Aug 2019 00:15:21 -0500
+Subject: sound: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit c7cd7c748a3250ca33509f9235efab9c803aca09 upstream.
+
+In sound_insert_unit(), the controlling structure 's' is allocated through
+kmalloc(). Then it is added to the sound driver list by invoking
+__sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
+removed from the list through __sound_remove_unit(). If 'index' is not less
+than 0, -EBUSY is returned to indicate the error. However, 's' is not
+deallocated on this execution path, leading to a memory leak bug.
+
+To fix the above issue, free 's' before -EBUSY is returned.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/sound_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/sound_core.c
++++ b/sound/sound_core.c
+@@ -280,7 +280,8 @@ retry:
+ goto retry;
+ }
+ spin_unlock(&sound_loader_lock);
+- return -EBUSY;
++ r = -EBUSY;
++ goto fail;
+ }
+ }
+
--- /dev/null
+From 8f9e86ee795971eabbf372e6d804d6b8578287a7 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 1 Jul 2019 19:55:19 +0900
+Subject: staging: android: ion: Bail out upon SIGKILL when allocating memory.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 8f9e86ee795971eabbf372e6d804d6b8578287a7 upstream.
+
+syzbot found that a thread can stall for minutes inside
+ion_system_heap_allocate() after that thread was killed by SIGKILL [1].
+Let's check for SIGKILL before doing memory allocation.
+
+[1] https://syzkaller.appspot.com/bug?id=a0e3436829698d5824231251fad9d8e998f94f5e
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot <syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com>
+Acked-by: Laura Abbott <labbott@redhat.com>
+Acked-by: Sumit Semwal <sumit.semwal@linaro.org>
+Link: https://lore.kernel.org/r/d088f188-5f32-d8fc-b9a0-0b404f7501cc@I-love.SAKURA.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ion/ion_page_pool.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/android/ion/ion_page_pool.c
++++ b/drivers/staging/android/ion/ion_page_pool.c
+@@ -8,11 +8,14 @@
+ #include <linux/list.h>
+ #include <linux/slab.h>
+ #include <linux/swap.h>
++#include <linux/sched/signal.h>
+
+ #include "ion.h"
+
+ static inline struct page *ion_page_pool_alloc_pages(struct ion_page_pool *pool)
+ {
++ if (fatal_signal_pending(current))
++ return NULL;
+ return alloc_pages(pool->gfp_mask, pool->order);
+ }
+
--- /dev/null
+From 66665bb9979246729562a09fcdbb101c83127989 Mon Sep 17 00:00:00 2001
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+Date: Wed, 10 Jul 2019 23:45:18 +0300
+Subject: staging: gasket: apex: fix copy-paste typo
+
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+
+commit 66665bb9979246729562a09fcdbb101c83127989 upstream.
+
+In sysfs_show() case-branches ATTR_KERNEL_HIB_PAGE_TABLE_SIZE and
+ATTR_KERNEL_HIB_SIMPLE_PAGE_TABLE_SIZE do the same. It looks like
+copy-paste mistake.
+
+Signed-off-by: Ivan Bornyakov <brnkv.i1@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190710204518.16814-1-brnkv.i1@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/gasket/apex_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/gasket/apex_driver.c
++++ b/drivers/staging/gasket/apex_driver.c
+@@ -538,7 +538,7 @@ static ssize_t sysfs_show(struct device
+ break;
+ case ATTR_KERNEL_HIB_SIMPLE_PAGE_TABLE_SIZE:
+ ret = scnprintf(buf, PAGE_SIZE, "%u\n",
+- gasket_page_table_num_entries(
++ gasket_page_table_num_simple_entries(
+ gasket_dev->page_table[0]));
+ break;
+ case ATTR_KERNEL_HIB_NUM_ACTIVE_PAGES:
--- /dev/null
+From fb2b055b7e6e44efda737c7c92f46c0868bb04e5 Mon Sep 17 00:00:00 2001
+From: Adham Abozaeid <adham.abozaeid@microchip.com>
+Date: Mon, 22 Jul 2019 21:38:44 +0000
+Subject: staging: wilc1000: flush the workqueue before deinit the host
+
+From: Adham Abozaeid <adham.abozaeid@microchip.com>
+
+commit fb2b055b7e6e44efda737c7c92f46c0868bb04e5 upstream.
+
+Before deinitializing the host interface, the workqueue should be flushed
+to handle any pending deferred work
+
+Signed-off-by: Adham Abozaeid <adham.abozaeid@microchip.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190722213837.21952-1-adham.abozaeid@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
++++ b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
+@@ -2192,6 +2192,7 @@ int wilc_deinit_host_int(struct net_devi
+
+ op_ifcs--;
+
++ flush_workqueue(vif->wilc->hif_workqueue);
+ mutex_destroy(&priv->scan_req_lock);
+ ret = wilc_deinit(vif);
+
--- /dev/null
+From c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 8 Aug 2019 11:27:28 +0200
+Subject: usb: iowarrior: fix deadlock on disconnect
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream.
+
+We have to drop the mutex before we close() upon disconnect()
+as close() needs the lock. This is safe to do by dropping the
+mutex as intfdata is already set to NULL, so open() will fail.
+
+Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
+Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -866,19 +866,20 @@ static void iowarrior_disconnect(struct
+ dev = usb_get_intfdata(interface);
+ mutex_lock(&iowarrior_open_disc_lock);
+ usb_set_intfdata(interface, NULL);
++ /* prevent device read, write and ioctl */
++ dev->present = 0;
+
+ minor = dev->minor;
++ mutex_unlock(&iowarrior_open_disc_lock);
++ /* give back our minor - this will call close() locks need to be dropped at this point*/
+
+- /* give back our minor */
+ usb_deregister_dev(interface, &iowarrior_class);
+
+ mutex_lock(&dev->mutex);
+
+ /* prevent device read, write and ioctl */
+- dev->present = 0;
+
+ mutex_unlock(&dev->mutex);
+- mutex_unlock(&iowarrior_open_disc_lock);
+
+ if (dev->opened) {
+ /* There is a process that holds a filedescriptor to the device ,
--- /dev/null
+From c43f28dfdc4654e738aa6d3fd08a105b2bee758d Mon Sep 17 00:00:00 2001
+From: Gavin Li <git@thegavinli.com>
+Date: Sun, 4 Aug 2019 16:50:44 -0700
+Subject: usb: usbfs: fix double-free of usb memory upon submiturb error
+
+From: Gavin Li <git@thegavinli.com>
+
+commit c43f28dfdc4654e738aa6d3fd08a105b2bee758d upstream.
+
+Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
+gets called once by the error handling tail and again by free_async().
+Remove the first call.
+
+Signed-off-by: Gavin Li <git@thegavinli.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1792,8 +1792,6 @@ static int proc_do_submiturb(struct usb_
+ return 0;
+
+ error:
+- if (as && as->usbm)
+- dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
+ kfree(isopkt);
+ kfree(dr);
+ if (as)
projects / thirdparty / kernel / stable-queue.git / commitdiff
