--- /dev/null
+From 410f954cb1d1c79ae485dd83a175f21954fd87cd Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 10 Sep 2019 15:26:49 +0100
+Subject: Btrfs: fix assertion failure during fsync and use of stale transaction
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 410f954cb1d1c79ae485dd83a175f21954fd87cd upstream.
+
+Sometimes when fsync'ing a file we need to log that other inodes exist and
+when we need to do that we acquire a reference on the inodes and then drop
+that reference using iput() after logging them.
+
+That generally is not a problem except if we end up doing the final iput()
+(dropping the last reference) on the inode and that inode has a link count
+of 0, which can happen in a very short time window if the logging path
+gets a reference on the inode while it's being unlinked.
+
+In that case we end up getting the eviction callback, btrfs_evict_inode(),
+invoked through the iput() call chain which needs to drop all of the
+inode's items from its subvolume btree, and in order to do that, it needs
+to join a transaction at the helper function evict_refill_and_join().
+However because the task previously started a transaction at the fsync
+handler, btrfs_sync_file(), it has current->journal_info already pointing
+to a transaction handle and therefore evict_refill_and_join() will get
+that transaction handle from btrfs_join_transaction(). From this point on,
+two different problems can happen:
+
+1) evict_refill_and_join() will often change the transaction handle's
+ block reserve (->block_rsv) and set its ->bytes_reserved field to a
+ value greater than 0. If evict_refill_and_join() never commits the
+ transaction, the eviction handler ends up decreasing the reference
+ count (->use_count) of the transaction handle through the call to
+ btrfs_end_transaction(), and after that point we have a transaction
+ handle with a NULL ->block_rsv (which is the value prior to the
+ transaction join from evict_refill_and_join()) and a ->bytes_reserved
+ value greater than 0. If after the eviction/iput completes the inode
+ logging path hits an error or it decides that it must fallback to a
+ transaction commit, the btrfs fsync handle, btrfs_sync_file(), gets a
+ non-zero value from btrfs_log_dentry_safe(), and because of that
+ non-zero value it tries to commit the transaction using a handle with
+ a NULL ->block_rsv and a non-zero ->bytes_reserved value. This makes
+ the transaction commit hit an assertion failure at
+ btrfs_trans_release_metadata() because ->bytes_reserved is not zero but
+ the ->block_rsv is NULL. The produced stack trace for that is like the
+ following:
+
+ [192922.917158] assertion failed: !trans->bytes_reserved, file: fs/btrfs/transaction.c, line: 816
+ [192922.917553] ------------[ cut here ]------------
+ [192922.917922] kernel BUG at fs/btrfs/ctree.h:3532!
+ [192922.918310] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
+ [192922.918666] CPU: 2 PID: 883 Comm: fsstress Tainted: G W 5.1.4-btrfs-next-47 #1
+ [192922.919035] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [192922.919801] RIP: 0010:assfail.constprop.25+0x18/0x1a [btrfs]
+ (...)
+ [192922.920925] RSP: 0018:ffffaebdc8a27da8 EFLAGS: 00010286
+ [192922.921315] RAX: 0000000000000051 RBX: ffff95c9c16a41c0 RCX: 0000000000000000
+ [192922.921692] RDX: 0000000000000000 RSI: ffff95cab6b16838 RDI: ffff95cab6b16838
+ [192922.922066] RBP: ffff95c9c16a41c0 R08: 0000000000000000 R09: 0000000000000000
+ [192922.922442] R10: ffffaebdc8a27e70 R11: 0000000000000000 R12: ffff95ca731a0980
+ [192922.922820] R13: 0000000000000000 R14: ffff95ca84c73338 R15: ffff95ca731a0ea8
+ [192922.923200] FS: 00007f337eda4e80(0000) GS:ffff95cab6b00000(0000) knlGS:0000000000000000
+ [192922.923579] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [192922.923948] CR2: 00007f337edad000 CR3: 00000001e00f6002 CR4: 00000000003606e0
+ [192922.924329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [192922.924711] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [192922.925105] Call Trace:
+ [192922.925505] btrfs_trans_release_metadata+0x10c/0x170 [btrfs]
+ [192922.925911] btrfs_commit_transaction+0x3e/0xaf0 [btrfs]
+ [192922.926324] btrfs_sync_file+0x44c/0x490 [btrfs]
+ [192922.926731] do_fsync+0x38/0x60
+ [192922.927138] __x64_sys_fdatasync+0x13/0x20
+ [192922.927543] do_syscall_64+0x60/0x1c0
+ [192922.927939] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ (...)
+ [192922.934077] ---[ end trace f00808b12068168f ]---
+
+2) If evict_refill_and_join() decides to commit the transaction, it will
+ be able to do it, since the nested transaction join only increments the
+ transaction handle's ->use_count reference counter and it does not
+ prevent the transaction from getting committed. This means that after
+ eviction completes, the fsync logging path will be using a transaction
+ handle that refers to an already committed transaction. What happens
+ when using such a stale transaction can be unpredictable, we are at
+ least having a use-after-free on the transaction handle itself, since
+ the transaction commit will call kmem_cache_free() against the handle
+ regardless of its ->use_count value, or we can end up silently losing
+ all the updates to the log tree after that iput() in the logging path,
+ or using a transaction handle that in the meanwhile was allocated to
+ another task for a new transaction, etc, pretty much unpredictable
+ what can happen.
+
+In order to fix both of them, instead of using iput() during logging, use
+btrfs_add_delayed_iput(), so that the logging path of fsync never drops
+the last reference on an inode, that step is offloaded to a safe context
+(usually the cleaner kthread).
+
+The assertion failure issue was sporadically triggered by the test case
+generic/475 from fstests, which loads the dm error target while fsstress
+is running, which lead to fsync failing while logging inodes with -EIO
+errors and then trying later to commit the transaction, triggering the
+assertion failure.
+
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4985,7 +4985,7 @@ static int log_conflicting_inodes(struct
+ BTRFS_I(inode),
+ LOG_OTHER_INODE_ALL,
+ 0, LLONG_MAX, ctx);
+- iput(inode);
++ btrfs_add_delayed_iput(inode);
+ }
+ }
+ continue;
+@@ -5000,7 +5000,7 @@ static int log_conflicting_inodes(struct
+ ret = btrfs_log_inode(trans, root, BTRFS_I(inode),
+ LOG_OTHER_INODE, 0, LLONG_MAX, ctx);
+ if (ret) {
+- iput(inode);
++ btrfs_add_delayed_iput(inode);
+ continue;
+ }
+
+@@ -5009,7 +5009,7 @@ static int log_conflicting_inodes(struct
+ key.offset = 0;
+ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
+ if (ret < 0) {
+- iput(inode);
++ btrfs_add_delayed_iput(inode);
+ continue;
+ }
+
+@@ -5056,7 +5056,7 @@ static int log_conflicting_inodes(struct
+ }
+ path->slots[0]++;
+ }
+- iput(inode);
++ btrfs_add_delayed_iput(inode);
+ }
+
+ return ret;
+@@ -5689,7 +5689,7 @@ process_leaf:
+ }
+
+ if (btrfs_inode_in_log(BTRFS_I(di_inode), trans->transid)) {
+- iput(di_inode);
++ btrfs_add_delayed_iput(di_inode);
+ break;
+ }
+
+@@ -5701,7 +5701,7 @@ process_leaf:
+ if (!ret &&
+ btrfs_must_commit_transaction(trans, BTRFS_I(di_inode)))
+ ret = 1;
+- iput(di_inode);
++ btrfs_add_delayed_iput(di_inode);
+ if (ret)
+ goto next_dir_inode;
+ if (ctx->log_new_dentries) {
+@@ -5848,7 +5848,7 @@ static int btrfs_log_all_parents(struct
+ if (!ret && ctx && ctx->log_new_dentries)
+ ret = log_new_dir_dentries(trans, root,
+ BTRFS_I(dir_inode), ctx);
+- iput(dir_inode);
++ btrfs_add_delayed_iput(dir_inode);
+ if (ret)
+ goto out;
+ }
+@@ -5891,7 +5891,7 @@ static int log_new_ancestors(struct btrf
+ ret = btrfs_log_inode(trans, root, BTRFS_I(inode),
+ LOG_INODE_EXISTS,
+ 0, LLONG_MAX, ctx);
+- iput(inode);
++ btrfs_add_delayed_iput(inode);
+ if (ret)
+ return ret;
+
--- /dev/null
+From 97a61369830ab085df5aed0ff9256f35b07d425a Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Thu, 12 Sep 2019 10:56:45 -0700
+Subject: cgroup: freezer: fix frozen state inheritance
+
+From: Roman Gushchin <guro@fb.com>
+
+commit 97a61369830ab085df5aed0ff9256f35b07d425a upstream.
+
+If a new child cgroup is created in the frozen cgroup hierarchy
+(one or more of ancestor cgroups is frozen), the CGRP_FREEZE cgroup
+flag should be set. Otherwise if a process will be attached to the
+child cgroup, it won't become frozen.
+
+The problem can be reproduced with the test_cgfreezer_mkdir test.
+
+This is the output before this patch:
+ ~/test_freezer
+ ok 1 test_cgfreezer_simple
+ ok 2 test_cgfreezer_tree
+ ok 3 test_cgfreezer_forkbomb
+ Cgroup /sys/fs/cgroup/cg_test_mkdir_A/cg_test_mkdir_B isn't frozen
+ not ok 4 test_cgfreezer_mkdir
+ ok 5 test_cgfreezer_rmdir
+ ok 6 test_cgfreezer_migrate
+ ok 7 test_cgfreezer_ptrace
+ ok 8 test_cgfreezer_stopped
+ ok 9 test_cgfreezer_ptraced
+ ok 10 test_cgfreezer_vfork
+
+And with this patch:
+ ~/test_freezer
+ ok 1 test_cgfreezer_simple
+ ok 2 test_cgfreezer_tree
+ ok 3 test_cgfreezer_forkbomb
+ ok 4 test_cgfreezer_mkdir
+ ok 5 test_cgfreezer_rmdir
+ ok 6 test_cgfreezer_migrate
+ ok 7 test_cgfreezer_ptrace
+ ok 8 test_cgfreezer_stopped
+ ok 9 test_cgfreezer_ptraced
+ ok 10 test_cgfreezer_vfork
+
+Reported-by: Mark Crossen <mcrossen@fb.com>
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Fixes: 76f969e8948d ("cgroup: cgroup v2 freezer")
+Cc: Tejun Heo <tj@kernel.org>
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup/cgroup.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -5213,8 +5213,16 @@ static struct cgroup *cgroup_create(stru
+ * if the parent has to be frozen, the child has too.
+ */
+ cgrp->freezer.e_freeze = parent->freezer.e_freeze;
+- if (cgrp->freezer.e_freeze)
++ if (cgrp->freezer.e_freeze) {
++ /*
++ * Set the CGRP_FREEZE flag, so when a process will be
++ * attached to the child cgroup, it will become frozen.
++ * At this point the new cgroup is unpopulated, so we can
++ * consider it frozen immediately.
++ */
++ set_bit(CGRP_FREEZE, &cgrp->flags);
+ set_bit(CGRP_FROZEN, &cgrp->flags);
++ }
+
+ spin_lock_irq(&css_set_lock);
+ for (tcgrp = cgrp; tcgrp; tcgrp = cgroup_parent(tcgrp)) {
--- /dev/null
+From bb1a71f9c4672fbfcf2158fd57d0c5c0cdae5612 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 28 Aug 2019 13:20:59 +0300
+Subject: drm/i915: Limit MST to <= 8bpc once again
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit bb1a71f9c4672fbfcf2158fd57d0c5c0cdae5612 upstream.
+
+My attempt at allowing MST to use the higher color depths has
+regressed some configurations. Apparently people have setups
+where all MST streams will fit into the DP link with 8bpc but
+won't fit with higher color depths.
+
+What we really should be doing is reducing the bpc for all the
+streams on the same link until they start to fit. But that requires
+a bit more work, so in the meantime let's revert back closer to
+the old behavior and limit MST to at most 8bpc.
+
+Cc: stable@vger.kernel.org
+Cc: Lyude Paul <lyude@redhat.com>
+Tested-by: Geoffrey Bennett <gmux22@gmail.com>
+Fixes: f1477219869c ("drm/i915: Remove the 8bpc shackles from DP MST")
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111505
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190828102059.2512-1-ville.syrjala@linux.intel.com
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+(cherry picked from commit 75427b2a2bffc083d51dec389c235722a9c69b05)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_dp_mst.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dp_mst.c
++++ b/drivers/gpu/drm/i915/intel_dp_mst.c
+@@ -125,7 +125,15 @@ static int intel_dp_mst_compute_config(s
+ limits.max_lane_count = intel_dp_max_lane_count(intel_dp);
+
+ limits.min_bpp = intel_dp_min_bpp(pipe_config);
+- limits.max_bpp = pipe_config->pipe_bpp;
++ /*
++ * FIXME: If all the streams can't fit into the link with
++ * their current pipe_bpp we should reduce pipe_bpp across
++ * the board until things start to fit. Until then we
++ * limit to <= 8bpc since that's what was hardcoded for all
++ * MST streams previously. This hack should be removed once
++ * we have the proper retry logic in place.
++ */
++ limits.max_bpp = min(pipe_config->pipe_bpp, 24);
+
+ intel_dp_adjust_compliance_config(intel_dp, pipe_config, &limits);
+
--- /dev/null
+From 2eb0964eec5f1d99f9eaf4963eee267acc72b615 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Wed, 4 Sep 2019 11:07:07 +0100
+Subject: drm/i915: Restore relaxed padding (OCL_OOB_SUPPRES_ENABLE) for skl+
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 2eb0964eec5f1d99f9eaf4963eee267acc72b615 upstream.
+
+This bit was fliped on for "syncing dependencies between camera and
+graphics". BSpec has no recollection why, and it is causing
+unrecoverable GPU hangs with Vulkan compute workloads.
+
+From BSpec, setting bit5 to 0 enables relaxed padding requirements for
+buffers, 1D and 2D non-array, non-MSAA, non-mip-mapped linear surfaces;
+and *must* be set to 0h on skl+ to ensure "Out of Bounds" case is
+suppressed.
+
+Reported-by: Jason Ekstrand <jason@jlekstrand.net>
+Suggested-by: Jason Ekstrand <jason@jlekstrand.net>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110998
+Fixes: 8424171e135c ("drm/i915/gen9: h/w w/a: syncing dependencies between camera and graphics")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Tested-by: denys.kostin@globallogic.com
+Cc: Jason Ekstrand <jason@jlekstrand.net>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v4.1+
+Reviewed-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190904100707.7377-1-chris@chris-wilson.co.uk
+(cherry picked from commit 9d7b01e93526efe79dbf75b69cc5972b5a4f7b37)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_workarounds.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_workarounds.c
++++ b/drivers/gpu/drm/i915/intel_workarounds.c
+@@ -294,11 +294,6 @@ static void gen9_ctx_workarounds_init(st
+ FLOW_CONTROL_ENABLE |
+ PARTIAL_INSTRUCTION_SHOOTDOWN_DISABLE);
+
+- /* Syncing dependencies between camera and graphics:skl,bxt,kbl */
+- if (!IS_COFFEELAKE(i915))
+- WA_SET_BIT_MASKED(HALF_SLICE_CHICKEN3,
+- GEN9_DISABLE_OCL_OOB_SUPPRESS_LOGIC);
+-
+ /* WaEnableYV12BugFixInHalfSliceChicken7:skl,bxt,kbl,glk,cfl */
+ /* WaEnableSamplerGPGPUPreemptionSupport:skl,bxt,kbl,cfl */
+ WA_SET_BIT_MASKED(GEN9_HALF_SLICE_CHICKEN7,
--- /dev/null
+From 21670bd78a25001cf8ef2679b378c73fb73b904f Mon Sep 17 00:00:00 2001
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+Date: Sat, 7 Sep 2019 19:48:00 -0700
+Subject: drm/lima: fix lima_gem_wait() return value
+
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+
+commit 21670bd78a25001cf8ef2679b378c73fb73b904f upstream.
+
+drm_gem_reservation_object_wait() returns 0 if it succeeds and -ETIME
+if it timeouts, but lima driver assumed that 0 is error.
+
+Cc: stable@vger.kernel.org
+Fixes: a1d2a6339961e ("drm/lima: driver for ARM Mali4xx GPUs")
+Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Signed-off-by: Qiang Yu <yuq825@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190908024800.23229-1-anarsoul@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/lima/lima_gem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/lima/lima_gem.c
++++ b/drivers/gpu/drm/lima/lima_gem.c
+@@ -342,7 +342,7 @@ int lima_gem_wait(struct drm_file *file,
+ timeout = drm_timeout_abs_to_jiffies(timeout_ns);
+
+ ret = drm_gem_reservation_object_wait(file, handle, write, timeout);
+- if (ret == 0)
++ if (ret == -ETIME)
+ ret = timeout ? -ETIMEDOUT : -EBUSY;
+
+ return ret;
--- /dev/null
+From eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a Mon Sep 17 00:00:00 2001
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+Date: Wed, 4 Sep 2019 20:46:25 +0800
+Subject: genirq: Prevent NULL pointer dereference in resend_irqs()
+
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+
+commit eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a upstream.
+
+The following crash was observed:
+
+ Unable to handle kernel NULL pointer dereference at 0000000000000158
+ Internal error: Oops: 96000004 [#1] SMP
+ pc : resend_irqs+0x68/0xb0
+ lr : resend_irqs+0x64/0xb0
+ ...
+ Call trace:
+ resend_irqs+0x68/0xb0
+ tasklet_action_common.isra.6+0x84/0x138
+ tasklet_action+0x2c/0x38
+ __do_softirq+0x120/0x324
+ run_ksoftirqd+0x44/0x60
+ smpboot_thread_fn+0x1ac/0x1e8
+ kthread+0x134/0x138
+ ret_from_fork+0x10/0x18
+
+The reason for this is that the interrupt resend mechanism happens in soft
+interrupt context, which is a asynchronous mechanism versus other
+operations on interrupts. free_irq() does not take resend handling into
+account. Thus, the irq descriptor might be already freed before the resend
+tasklet is executed. resend_irqs() does not check the return value of the
+interrupt descriptor lookup and derefences the return value
+unconditionally.
+
+ 1):
+ __setup_irq
+ irq_startup
+ check_irq_resend // activate softirq to handle resend irq
+ 2):
+ irq_domain_free_irqs
+ irq_free_descs
+ free_desc
+ call_rcu(&desc->rcu, delayed_free_desc)
+ 3):
+ __do_softirq
+ tasklet_action
+ resend_irqs
+ desc = irq_to_desc(irq)
+ desc->handle_irq(desc) // desc is NULL --> Ooops
+
+Fix this by adding a NULL pointer check in resend_irqs() before derefencing
+the irq descriptor.
+
+Fixes: a4633adcdbc1 ("[PATCH] genirq: add genirq sw IRQ-retrigger")
+Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1630ae13-5c8e-901e-de09-e740b6a426a7@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/resend.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/irq/resend.c
++++ b/kernel/irq/resend.c
+@@ -36,6 +36,8 @@ static void resend_irqs(unsigned long ar
+ irq = find_first_bit(irqs_resend, nr_irqs);
+ clear_bit(irq, irqs_resend);
+ desc = irq_to_desc(irq);
++ if (!desc)
++ continue;
+ local_irq_disable();
+ desc->handle_irq(desc);
+ local_irq_enable();
--- /dev/null
+From 5ca2f54b597c816df54ff1b28eb99cf7262b955d Mon Sep 17 00:00:00 2001
+From: Kent Gibson <warthog618@gmail.com>
+Date: Mon, 9 Sep 2019 03:24:06 +0000
+Subject: gpio: fix line flag validation in lineevent_create
+
+From: Kent Gibson <warthog618@gmail.com>
+
+commit 5ca2f54b597c816df54ff1b28eb99cf7262b955d upstream.
+
+lineevent_create should not allow any of GPIOHANDLE_REQUEST_OUTPUT,
+GPIOHANDLE_REQUEST_OPEN_DRAIN or GPIOHANDLE_REQUEST_OPEN_SOURCE to be set.
+
+Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Kent Gibson <warthog618@gmail.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -934,7 +934,9 @@ static int lineevent_create(struct gpio_
+ }
+
+ /* This is just wrong: we don't look for events on output lines */
+- if (lflags & GPIOHANDLE_REQUEST_OUTPUT) {
++ if ((lflags & GPIOHANDLE_REQUEST_OUTPUT) ||
++ (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN) ||
++ (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE)) {
+ ret = -EINVAL;
+ goto out_free_label;
+ }
+@@ -948,10 +950,6 @@ static int lineevent_create(struct gpio_
+
+ if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW)
+ set_bit(FLAG_ACTIVE_LOW, &desc->flags);
+- if (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN)
+- set_bit(FLAG_OPEN_DRAIN, &desc->flags);
+- if (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE)
+- set_bit(FLAG_OPEN_SOURCE, &desc->flags);
+
+ ret = gpiod_direction_input(desc);
+ if (ret)
--- /dev/null
+From e95fbc130a162ba9ad956311b95aa0da269eea48 Mon Sep 17 00:00:00 2001
+From: Kent Gibson <warthog618@gmail.com>
+Date: Mon, 9 Sep 2019 03:22:18 +0000
+Subject: gpio: fix line flag validation in linehandle_create
+
+From: Kent Gibson <warthog618@gmail.com>
+
+commit e95fbc130a162ba9ad956311b95aa0da269eea48 upstream.
+
+linehandle_create should not allow both GPIOHANDLE_REQUEST_INPUT
+and GPIOHANDLE_REQUEST_OUTPUT to be set.
+
+Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Kent Gibson <warthog618@gmail.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -536,6 +536,14 @@ static int linehandle_create(struct gpio
+ return -EINVAL;
+
+ /*
++ * Do not allow both INPUT & OUTPUT flags to be set as they are
++ * contradictory.
++ */
++ if ((lflags & GPIOHANDLE_REQUEST_INPUT) &&
++ (lflags & GPIOHANDLE_REQUEST_OUTPUT))
++ return -EINVAL;
++
++ /*
+ * Do not allow OPEN_SOURCE & OPEN_DRAIN flags in a single request. If
+ * the hardware actually supports enabling both at the same time the
+ * electrical result would be disastrous.
--- /dev/null
+From 59929d3a2eb6c4abafc5b61a20c98aa8728ec378 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Wed, 4 Sep 2019 14:18:34 +0000
+Subject: gpio: mockup: add missing single_release()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 59929d3a2eb6c4abafc5b61a20c98aa8728ec378 upstream.
+
+When using single_open() for opening, single_release() should be
+used instead of seq_release(), otherwise there is a memory leak.
+
+Fixes: 2a9e27408e12 ("gpio: mockup: rework debugfs interface")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-mockup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-mockup.c
++++ b/drivers/gpio/gpio-mockup.c
+@@ -309,6 +309,7 @@ static const struct file_operations gpio
+ .read = gpio_mockup_debugfs_read,
+ .write = gpio_mockup_debugfs_write,
+ .llseek = no_llseek,
++ .release = single_release,
+ };
+
+ static void gpio_mockup_debugfs_setup(struct device *dev,
--- /dev/null
+From 61f7f7c8f978b1c0d80e43c83b7d110ca0496eb4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 27 Aug 2019 22:28:35 +0200
+Subject: gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 61f7f7c8f978b1c0d80e43c83b7d110ca0496eb4 upstream.
+
+Another day; another DSDT bug we need to workaround...
+
+Since commit ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events
+at least once on boot") we call _AEI edge handlers at boot.
+
+In some rare cases this causes problems. One example of this is the Minix
+Neo Z83-4 mini PC, this device has a clear DSDT bug where it has some copy
+and pasted code for dealing with Micro USB-B connector host/device role
+switching, while the mini PC does not even have a micro-USB connector.
+This code, which should not be there, messes with the DDC data pin from
+the HDMI connector (switching it to GPIO mode) breaking HDMI support.
+
+To avoid problems like this, this commit adds a new
+gpiolib_acpi.run_edge_events_on_boot kernel commandline option, which
+allows disabling the running of _AEI edge event handlers at boot.
+
+The default value is -1/auto which uses a DMI based blacklist, the initial
+version of this blacklist contains the Neo Z83-4 fixing the HDMI breakage.
+
+Cc: stable@vger.kernel.org
+Cc: Daniel Drake <drake@endlessm.com>
+Cc: Ian W MORRISON <ianwmorrison@gmail.com>
+Reported-by: Ian W MORRISON <ianwmorrison@gmail.com>
+Suggested-by: Ian W MORRISON <ianwmorrison@gmail.com>
+Fixes: ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events at least once on boot")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20190827202835.213456-1-hdegoede@redhat.com
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Ian W MORRISON <ianwmorrison@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-acpi.c | 42 ++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 38 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -7,6 +7,7 @@
+ * Mika Westerberg <mika.westerberg@linux.intel.com>
+ */
+
++#include <linux/dmi.h>
+ #include <linux/errno.h>
+ #include <linux/gpio/consumer.h>
+ #include <linux/gpio/driver.h>
+@@ -19,6 +20,11 @@
+
+ #include "gpiolib.h"
+
++static int run_edge_events_on_boot = -1;
++module_param(run_edge_events_on_boot, int, 0444);
++MODULE_PARM_DESC(run_edge_events_on_boot,
++ "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto");
++
+ /**
+ * struct acpi_gpio_event - ACPI GPIO event handler data
+ *
+@@ -170,10 +176,13 @@ static void acpi_gpiochip_request_irq(st
+ event->irq_requested = true;
+
+ /* Make sure we trigger the initial state of edge-triggered IRQs */
+- value = gpiod_get_raw_value_cansleep(event->desc);
+- if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
+- ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0))
+- event->handler(event->irq, event);
++ if (run_edge_events_on_boot &&
++ (event->irqflags & (IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING))) {
++ value = gpiod_get_raw_value_cansleep(event->desc);
++ if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
++ ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0))
++ event->handler(event->irq, event);
++ }
+ }
+
+ static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio)
+@@ -1283,3 +1292,28 @@ static int acpi_gpio_handle_deferred_req
+ }
+ /* We must use _sync so that this runs after the first deferred_probe run */
+ late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
++
++static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = {
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
++ }
++ },
++ {} /* Terminating entry */
++};
++
++static int acpi_gpio_setup_params(void)
++{
++ if (run_edge_events_on_boot < 0) {
++ if (dmi_check_system(run_edge_events_on_boot_blacklist))
++ run_edge_events_on_boot = 0;
++ else
++ run_edge_events_on_boot = 1;
++ }
++
++ return 0;
++}
++
++/* Directly after dmi_setup() which runs as core_initcall() */
++postcore_initcall(acpi_gpio_setup_params);
--- /dev/null
+From 78e05972c5e6c8e9ca4c00ccc6985409da69f904 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 5 Sep 2019 16:20:09 +0200
+Subject: ipc: fix semtimedop for generic 32-bit architectures
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 78e05972c5e6c8e9ca4c00ccc6985409da69f904 upstream.
+
+As Vincent noticed, the y2038 conversion of semtimedop in linux-5.1
+broke when commit 00bf25d693e7 ("y2038: use time32 syscall names on
+32-bit") changed all system calls on all architectures that take
+a 32-bit time_t to point to the _time32 implementation, but left out
+semtimedop in the asm-generic header.
+
+This affects all 32-bit architectures using asm-generic/unistd.h:
+h8300, unicore32, openrisc, nios2, hexagon, c6x, arc, nds32 and csky.
+
+The notable exception is riscv32, which has dropped support for the
+time32 system calls entirely.
+
+Reported-by: Vincent Chen <deanbo422@gmail.com>
+Cc: stable@vger.kernel.org
+Cc: Vincent Chen <deanbo422@gmail.com>
+Cc: Greentime Hu <green.hu@gmail.com>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Guan Xuetao <gxt@pku.edu.cn>
+Cc: Stafford Horne <shorne@gmail.com>
+Cc: Jonas Bonn <jonas@southpole.se>
+Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
+Cc: Ley Foon Tan <lftan@altera.com>
+Cc: Richard Kuo <rkuo@codeaurora.org>
+Cc: Mark Salter <msalter@redhat.com>
+Cc: Aurelien Jacquiot <jacquiot.aurelien@gmail.com>
+Cc: Guo Ren <guoren@kernel.org>
+Fixes: 00bf25d693e7 ("y2038: use time32 syscall names on 32-bit")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/asm-generic/unistd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/asm-generic/unistd.h
++++ b/include/uapi/asm-generic/unistd.h
+@@ -569,7 +569,7 @@ __SYSCALL(__NR_semget, sys_semget)
+ __SC_COMP(__NR_semctl, sys_semctl, compat_sys_semctl)
+ #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32
+ #define __NR_semtimedop 192
+-__SC_COMP(__NR_semtimedop, sys_semtimedop, sys_semtimedop_time32)
++__SC_3264(__NR_semtimedop, sys_semtimedop_time32, sys_semtimedop)
+ #endif
+ #define __NR_semop 193
+ __SYSCALL(__NR_semop, sys_semop)
--- /dev/null
+From fb377eb80c80339b580831a3c0fcce34a4c9d1ad Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 5 Sep 2019 16:48:38 +0200
+Subject: ipc: fix sparc64 ipc() wrapper
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit fb377eb80c80339b580831a3c0fcce34a4c9d1ad upstream.
+
+Matt bisected a sparc64 specific issue with semctl, shmctl and msgctl
+to a commit from my y2038 series in linux-5.1, as I missed the custom
+sys_ipc() wrapper that sparc64 uses in place of the generic version that
+I patched.
+
+The problem is that the sys_{sem,shm,msg}ctl() functions in the kernel
+now do not allow being called with the IPC_64 flag any more, resulting
+in a -EINVAL error when they don't recognize the command.
+
+Instead, the correct way to do this now is to call the internal
+ksys_old_{sem,shm,msg}ctl() functions to select the API version.
+
+As we generally move towards these functions anyway, change all of
+sparc_ipc() to consistently use those in place of the sys_*() versions,
+and move the required ksys_*() declarations into linux/syscalls.h
+
+The IS_ENABLED(CONFIG_SYSVIPC) check is required to avoid link
+errors when ipc is disabled.
+
+Reported-by: Matt Turner <mattst88@gmail.com>
+Fixes: 275f22148e87 ("ipc: rename old-style shmctl/semctl/msgctl syscalls")
+Cc: stable@vger.kernel.org
+Tested-by: Matt Turner <mattst88@gmail.com>
+Tested-by: Anatoly Pugachev <matorola@gmail.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sparc/kernel/sys_sparc_64.c | 33 ++++++++++++++++++---------------
+ include/linux/syscalls.h | 19 +++++++++++++++++++
+ ipc/util.h | 25 ++-----------------------
+ 3 files changed, 39 insertions(+), 38 deletions(-)
+
+--- a/arch/sparc/kernel/sys_sparc_64.c
++++ b/arch/sparc/kernel/sys_sparc_64.c
+@@ -336,25 +336,28 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int,
+ {
+ long err;
+
++ if (!IS_ENABLED(CONFIG_SYSVIPC))
++ return -ENOSYS;
++
+ /* No need for backward compatibility. We can start fresh... */
+ if (call <= SEMTIMEDOP) {
+ switch (call) {
+ case SEMOP:
+- err = sys_semtimedop(first, ptr,
+- (unsigned int)second, NULL);
++ err = ksys_semtimedop(first, ptr,
++ (unsigned int)second, NULL);
+ goto out;
+ case SEMTIMEDOP:
+- err = sys_semtimedop(first, ptr, (unsigned int)second,
++ err = ksys_semtimedop(first, ptr, (unsigned int)second,
+ (const struct __kernel_timespec __user *)
+- (unsigned long) fifth);
++ (unsigned long) fifth);
+ goto out;
+ case SEMGET:
+- err = sys_semget(first, (int)second, (int)third);
++ err = ksys_semget(first, (int)second, (int)third);
+ goto out;
+ case SEMCTL: {
+- err = sys_semctl(first, second,
+- (int)third | IPC_64,
+- (unsigned long) ptr);
++ err = ksys_old_semctl(first, second,
++ (int)third | IPC_64,
++ (unsigned long) ptr);
+ goto out;
+ }
+ default:
+@@ -365,18 +368,18 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int,
+ if (call <= MSGCTL) {
+ switch (call) {
+ case MSGSND:
+- err = sys_msgsnd(first, ptr, (size_t)second,
++ err = ksys_msgsnd(first, ptr, (size_t)second,
+ (int)third);
+ goto out;
+ case MSGRCV:
+- err = sys_msgrcv(first, ptr, (size_t)second, fifth,
++ err = ksys_msgrcv(first, ptr, (size_t)second, fifth,
+ (int)third);
+ goto out;
+ case MSGGET:
+- err = sys_msgget((key_t)first, (int)second);
++ err = ksys_msgget((key_t)first, (int)second);
+ goto out;
+ case MSGCTL:
+- err = sys_msgctl(first, (int)second | IPC_64, ptr);
++ err = ksys_old_msgctl(first, (int)second | IPC_64, ptr);
+ goto out;
+ default:
+ err = -ENOSYS;
+@@ -396,13 +399,13 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int,
+ goto out;
+ }
+ case SHMDT:
+- err = sys_shmdt(ptr);
++ err = ksys_shmdt(ptr);
+ goto out;
+ case SHMGET:
+- err = sys_shmget(first, (size_t)second, (int)third);
++ err = ksys_shmget(first, (size_t)second, (int)third);
+ goto out;
+ case SHMCTL:
+- err = sys_shmctl(first, (int)second | IPC_64, ptr);
++ err = ksys_old_shmctl(first, (int)second | IPC_64, ptr);
+ goto out;
+ default:
+ err = -ENOSYS;
+--- a/include/linux/syscalls.h
++++ b/include/linux/syscalls.h
+@@ -1397,4 +1397,23 @@ static inline unsigned int ksys_personal
+ return old;
+ }
+
++/* for __ARCH_WANT_SYS_IPC */
++long ksys_semtimedop(int semid, struct sembuf __user *tsops,
++ unsigned int nsops,
++ const struct __kernel_timespec __user *timeout);
++long ksys_semget(key_t key, int nsems, int semflg);
++long ksys_old_semctl(int semid, int semnum, int cmd, unsigned long arg);
++long ksys_msgget(key_t key, int msgflg);
++long ksys_old_msgctl(int msqid, int cmd, struct msqid_ds __user *buf);
++long ksys_msgrcv(int msqid, struct msgbuf __user *msgp, size_t msgsz,
++ long msgtyp, int msgflg);
++long ksys_msgsnd(int msqid, struct msgbuf __user *msgp, size_t msgsz,
++ int msgflg);
++long ksys_shmget(key_t key, size_t size, int shmflg);
++long ksys_shmdt(char __user *shmaddr);
++long ksys_old_shmctl(int shmid, int cmd, struct shmid_ds __user *buf);
++long compat_ksys_semtimedop(int semid, struct sembuf __user *tsems,
++ unsigned int nsops,
++ const struct old_timespec32 __user *timeout);
++
+ #endif
+--- a/ipc/util.h
++++ b/ipc/util.h
+@@ -276,29 +276,7 @@ static inline int compat_ipc_parse_versi
+ *cmd &= ~IPC_64;
+ return version;
+ }
+-#endif
+-
+-/* for __ARCH_WANT_SYS_IPC */
+-long ksys_semtimedop(int semid, struct sembuf __user *tsops,
+- unsigned int nsops,
+- const struct __kernel_timespec __user *timeout);
+-long ksys_semget(key_t key, int nsems, int semflg);
+-long ksys_old_semctl(int semid, int semnum, int cmd, unsigned long arg);
+-long ksys_msgget(key_t key, int msgflg);
+-long ksys_old_msgctl(int msqid, int cmd, struct msqid_ds __user *buf);
+-long ksys_msgrcv(int msqid, struct msgbuf __user *msgp, size_t msgsz,
+- long msgtyp, int msgflg);
+-long ksys_msgsnd(int msqid, struct msgbuf __user *msgp, size_t msgsz,
+- int msgflg);
+-long ksys_shmget(key_t key, size_t size, int shmflg);
+-long ksys_shmdt(char __user *shmaddr);
+-long ksys_old_shmctl(int shmid, int cmd, struct shmid_ds __user *buf);
+
+-/* for CONFIG_ARCH_WANT_OLD_COMPAT_IPC */
+-long compat_ksys_semtimedop(int semid, struct sembuf __user *tsems,
+- unsigned int nsops,
+- const struct old_timespec32 __user *timeout);
+-#ifdef CONFIG_COMPAT
+ long compat_ksys_old_semctl(int semid, int semnum, int cmd, int arg);
+ long compat_ksys_old_msgctl(int msqid, int cmd, void __user *uptr);
+ long compat_ksys_msgrcv(int msqid, compat_uptr_t msgp, compat_ssize_t msgsz,
+@@ -306,6 +284,7 @@ long compat_ksys_msgrcv(int msqid, compa
+ long compat_ksys_msgsnd(int msqid, compat_uptr_t msgp,
+ compat_ssize_t msgsz, int msgflg);
+ long compat_ksys_old_shmctl(int shmid, int cmd, void __user *uptr);
+-#endif /* CONFIG_COMPAT */
++
++#endif
+
+ #endif
--- /dev/null
+From bf280c0387ebbf8eebad1036fca8f7b85ebfde32 Mon Sep 17 00:00:00 2001
+From: Ilya Maximets <i.maximets@samsung.com>
+Date: Thu, 22 Aug 2019 20:12:37 +0300
+Subject: ixgbe: fix double clean of Tx descriptors with xdp
+
+From: Ilya Maximets <i.maximets@samsung.com>
+
+commit bf280c0387ebbf8eebad1036fca8f7b85ebfde32 upstream.
+
+Tx code doesn't clear the descriptors' status after cleaning.
+So, if the budget is larger than number of used elems in a ring, some
+descriptors will be accounted twice and xsk_umem_complete_tx will move
+prod_tail far beyond the prod_head breaking the completion queue ring.
+
+Fix that by limiting the number of descriptors to clean by the number
+of used descriptors in the Tx ring.
+
+'ixgbe_clean_xdp_tx_irq()' function refactored to look more like
+'ixgbe_xsk_clean_tx_ring()' since we're allowed to directly use
+'next_to_clean' and 'next_to_use' indexes.
+
+CC: stable@vger.kernel.org
+Fixes: 8221c5eba8c1 ("ixgbe: add AF_XDP zero-copy Tx support")
+Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
+Tested-by: William Tu <u9012063@gmail.com>
+Tested-by: Eelco Chaudron <echaudro@redhat.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 29 ++++++++++-----------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
+@@ -679,19 +679,17 @@ static void ixgbe_clean_xdp_tx_buffer(st
+ bool ixgbe_clean_xdp_tx_irq(struct ixgbe_q_vector *q_vector,
+ struct ixgbe_ring *tx_ring, int napi_budget)
+ {
++ u16 ntc = tx_ring->next_to_clean, ntu = tx_ring->next_to_use;
+ unsigned int total_packets = 0, total_bytes = 0;
+- u32 i = tx_ring->next_to_clean, xsk_frames = 0;
+- unsigned int budget = q_vector->tx.work_limit;
+ struct xdp_umem *umem = tx_ring->xsk_umem;
+ union ixgbe_adv_tx_desc *tx_desc;
+ struct ixgbe_tx_buffer *tx_bi;
+- bool xmit_done;
++ u32 xsk_frames = 0;
+
+- tx_bi = &tx_ring->tx_buffer_info[i];
+- tx_desc = IXGBE_TX_DESC(tx_ring, i);
+- i -= tx_ring->count;
++ tx_bi = &tx_ring->tx_buffer_info[ntc];
++ tx_desc = IXGBE_TX_DESC(tx_ring, ntc);
+
+- do {
++ while (ntc != ntu) {
+ if (!(tx_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD)))
+ break;
+
+@@ -708,22 +706,18 @@ bool ixgbe_clean_xdp_tx_irq(struct ixgbe
+
+ tx_bi++;
+ tx_desc++;
+- i++;
+- if (unlikely(!i)) {
+- i -= tx_ring->count;
++ ntc++;
++ if (unlikely(ntc == tx_ring->count)) {
++ ntc = 0;
+ tx_bi = tx_ring->tx_buffer_info;
+ tx_desc = IXGBE_TX_DESC(tx_ring, 0);
+ }
+
+ /* issue prefetch for next Tx descriptor */
+ prefetch(tx_desc);
++ }
+
+- /* update budget accounting */
+- budget--;
+- } while (likely(budget));
+-
+- i += tx_ring->count;
+- tx_ring->next_to_clean = i;
++ tx_ring->next_to_clean = ntc;
+
+ u64_stats_update_begin(&tx_ring->syncp);
+ tx_ring->stats.bytes += total_bytes;
+@@ -735,8 +729,7 @@ bool ixgbe_clean_xdp_tx_irq(struct ixgbe
+ if (xsk_frames)
+ xsk_umem_complete_tx(umem, xsk_frames);
+
+- xmit_done = ixgbe_xmit_zc(tx_ring, q_vector->tx.work_limit);
+- return budget > 0 && xmit_done;
++ return ixgbe_xmit_zc(tx_ring, q_vector->tx.work_limit);
+ }
+
+ int ixgbe_xsk_async_xmit(struct net_device *dev, u32 qid)
--- /dev/null
+From 377228accbbb8b9738f615d791aa803f41c067e0 Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Date: Wed, 4 Sep 2019 08:07:11 -0700
+Subject: ixgbe: Prevent u8 wrapping of ITR value to something less than 10us
+
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+
+commit 377228accbbb8b9738f615d791aa803f41c067e0 upstream.
+
+There were a couple cases where the ITR value generated via the adaptive
+ITR scheme could exceed 126. This resulted in the value becoming either 0
+or something less than 10. Switching back and forth between a value less
+than 10 and a value greater than 10 can cause issues as certain hardware
+features such as RSC to not function well when the ITR value has dropped
+that low.
+
+CC: stable@vger.kernel.org
+Fixes: b4ded8327fea ("ixgbe: Update adaptive ITR algorithm")
+Reported-by: Gregg Leventhal <gleventhal@janestreet.com>
+Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -2622,7 +2622,7 @@ adjust_by_size:
+ /* 16K ints/sec to 9.2K ints/sec */
+ avg_wire_size *= 15;
+ avg_wire_size += 11452;
+- } else if (avg_wire_size <= 1980) {
++ } else if (avg_wire_size < 1968) {
+ /* 9.2K ints/sec to 8K ints/sec */
+ avg_wire_size *= 5;
+ avg_wire_size += 22420;
+@@ -2655,6 +2655,8 @@ adjust_by_size:
+ case IXGBE_LINK_SPEED_2_5GB_FULL:
+ case IXGBE_LINK_SPEED_1GB_FULL:
+ case IXGBE_LINK_SPEED_10_FULL:
++ if (avg_wire_size > 8064)
++ avg_wire_size = 8064;
+ itr += DIV_ROUND_UP(avg_wire_size,
+ IXGBE_ITR_ADAPTIVE_MIN_INC * 64) *
+ IXGBE_ITR_ADAPTIVE_MIN_INC;
--- /dev/null
+From f7eea636c3d505fe6f1d1066234f1aaf7171b681 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sat, 14 Sep 2019 00:26:27 +0200
+Subject: KVM: nVMX: handle page fault in vmread
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit f7eea636c3d505fe6f1d1066234f1aaf7171b681 upstream.
+
+The implementation of vmread to memory is still incomplete, as it
+lacks the ability to do vmread to I/O memory just like vmptrst.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx/nested.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -4411,6 +4411,7 @@ static int handle_vmread(struct kvm_vcpu
+ int len;
+ gva_t gva = 0;
+ struct vmcs12 *vmcs12;
++ struct x86_exception e;
+
+ if (!nested_vmx_check_permission(vcpu))
+ return 1;
+@@ -4451,7 +4452,8 @@ static int handle_vmread(struct kvm_vcpu
+ vmx_instruction_info, true, len, &gva))
+ return 1;
+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
+- kvm_write_guest_virt_system(vcpu, gva, &field_value, len, NULL);
++ if (kvm_write_guest_virt_system(vcpu, gva, &field_value, len, &e))
++ kvm_inject_page_fault(vcpu, &e);
+ }
+
+ return nested_vmx_succeed(vcpu);
--- /dev/null
+From 53936b5bf35e140ae27e4bbf0447a61063f400da Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 12 Sep 2019 13:54:38 +0200
+Subject: KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 53936b5bf35e140ae27e4bbf0447a61063f400da upstream.
+
+When the userspace program runs the KVM_S390_INTERRUPT ioctl to inject
+an interrupt, we convert them from the legacy struct kvm_s390_interrupt
+to the new struct kvm_s390_irq via the s390int_to_s390irq() function.
+However, this function does not take care of all types of interrupts
+that we can inject into the guest later (see do_inject_vcpu()). Since we
+do not clear out the s390irq values before calling s390int_to_s390irq(),
+there is a chance that we copy random data from the kernel stack which
+could be leaked to the userspace later.
+
+Specifically, the problem exists with the KVM_S390_INT_PFAULT_INIT
+interrupt: s390int_to_s390irq() does not handle it, and the function
+__inject_pfault_init() later copies irq->u.ext which contains the
+random kernel stack data. This data can then be leaked either to
+the guest memory in __deliver_pfault_init(), or the userspace might
+retrieve it directly with the KVM_S390_GET_IRQ_STATE ioctl.
+
+Fix it by handling that interrupt type in s390int_to_s390irq(), too,
+and by making sure that the s390irq struct is properly pre-initialized.
+And while we're at it, make sure that s390int_to_s390irq() now
+directly returns -EINVAL for unknown interrupt types, so that we
+immediately get a proper error code in case we add more interrupt
+types to do_inject_vcpu() without updating s390int_to_s390irq()
+sometime in the future.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Link: https://lore.kernel.org/kvm/20190912115438.25761-1-thuth@redhat.com
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/interrupt.c | 10 ++++++++++
+ arch/s390/kvm/kvm-s390.c | 2 +-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1978,6 +1978,16 @@ int s390int_to_s390irq(struct kvm_s390_i
+ case KVM_S390_MCHK:
+ irq->u.mchk.mcic = s390int->parm64;
+ break;
++ case KVM_S390_INT_PFAULT_INIT:
++ irq->u.ext.ext_params = s390int->parm;
++ irq->u.ext.ext_params2 = s390int->parm64;
++ break;
++ case KVM_S390_RESTART:
++ case KVM_S390_INT_CLOCK_COMP:
++ case KVM_S390_INT_CPU_TIMER:
++ break;
++ default:
++ return -EINVAL;
+ }
+ return 0;
+ }
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -4327,7 +4327,7 @@ long kvm_arch_vcpu_async_ioctl(struct fi
+ }
+ case KVM_S390_INTERRUPT: {
+ struct kvm_s390_interrupt s390int;
+- struct kvm_s390_irq s390irq;
++ struct kvm_s390_irq s390irq = {};
+
+ if (copy_from_user(&s390int, argp, sizeof(s390int)))
+ return -EFAULT;
--- /dev/null
+From 13a17cc0526f08d1df9507f7484176371cd263a0 Mon Sep 17 00:00:00 2001
+From: Igor Mammedov <imammedo@redhat.com>
+Date: Wed, 11 Sep 2019 03:52:18 -0400
+Subject: KVM: s390: kvm_s390_vm_start_migration: check dirty_bitmap before using it as target for memset()
+
+From: Igor Mammedov <imammedo@redhat.com>
+
+commit 13a17cc0526f08d1df9507f7484176371cd263a0 upstream.
+
+If userspace doesn't set KVM_MEM_LOG_DIRTY_PAGES on memslot before calling
+kvm_s390_vm_start_migration(), kernel will oops with:
+
+ Unable to handle kernel pointer dereference in virtual kernel address space
+ Failing address: 0000000000000000 TEID: 0000000000000483
+ Fault in home space mode while using kernel ASCE.
+ AS:0000000002a2000b R2:00000001bff8c00b R3:00000001bff88007 S:00000001bff91000 P:000000000000003d
+ Oops: 0004 ilc:2 [#1] SMP
+ ...
+ Call Trace:
+ ([<001fffff804ec552>] kvm_s390_vm_set_attr+0x347a/0x3828 [kvm])
+ [<001fffff804ecfc0>] kvm_arch_vm_ioctl+0x6c0/0x1998 [kvm]
+ [<001fffff804b67e4>] kvm_vm_ioctl+0x51c/0x11a8 [kvm]
+ [<00000000008ba572>] do_vfs_ioctl+0x1d2/0xe58
+ [<00000000008bb284>] ksys_ioctl+0x8c/0xb8
+ [<00000000008bb2e2>] sys_ioctl+0x32/0x40
+ [<000000000175552c>] system_call+0x2b8/0x2d8
+ INFO: lockdep is turned off.
+ Last Breaking-Event-Address:
+ [<0000000000dbaf60>] __memset+0xc/0xa0
+
+due to ms->dirty_bitmap being NULL, which might crash the host.
+
+Make sure that ms->dirty_bitmap is set before using it or
+return -EINVAL otherwise.
+
+Cc: <stable@vger.kernel.org>
+Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots")
+Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+Link: https://lore.kernel.org/kvm/20190911075218.29153-1-imammedo@redhat.com/
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1013,6 +1013,8 @@ static int kvm_s390_vm_start_migration(s
+ /* mark all the pages in active slots as dirty */
+ for (slotnr = 0; slotnr < slots->used_slots; slotnr++) {
+ ms = slots->memslots + slotnr;
++ if (!ms->dirty_bitmap)
++ return -EINVAL;
+ /*
+ * The second half of the bitmap is only used on x86,
+ * and would be wasted otherwise, so we put it to good
--- /dev/null
+From 002c5f73c508f7df5681bda339831c27f3c1aef4 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 12 Sep 2019 19:46:02 -0700
+Subject: KVM: x86/mmu: Reintroduce fast invalidate/zap for flushing memslot
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 002c5f73c508f7df5681bda339831c27f3c1aef4 upstream.
+
+James Harvey reported a livelock that was introduced by commit
+d012a06ab1d23 ("Revert "KVM: x86/mmu: Zap only the relevant pages when
+removing a memslot"").
+
+The livelock occurs because kvm_mmu_zap_all() as it exists today will
+voluntarily reschedule and drop KVM's mmu_lock, which allows other vCPUs
+to add shadow pages. With enough vCPUs, kvm_mmu_zap_all() can get stuck
+in an infinite loop as it can never zap all pages before observing lock
+contention or the need to reschedule. The equivalent of kvm_mmu_zap_all()
+that was in use at the time of the reverted commit (4e103134b8623, "KVM:
+x86/mmu: Zap only the relevant pages when removing a memslot") employed
+a fast invalidate mechanism and was not susceptible to the above livelock.
+
+There are three ways to fix the livelock:
+
+- Reverting the revert (commit d012a06ab1d23) is not a viable option as
+ the revert is needed to fix a regression that occurs when the guest has
+ one or more assigned devices. It's unlikely we'll root cause the device
+ assignment regression soon enough to fix the regression timely.
+
+- Remove the conditional reschedule from kvm_mmu_zap_all(). However, although
+ removing the reschedule would be a smaller code change, it's less safe
+ in the sense that the resulting kvm_mmu_zap_all() hasn't been used in
+ the wild for flushing memslots since the fast invalidate mechanism was
+ introduced by commit 6ca18b6950f8d ("KVM: x86: use the fast way to
+ invalidate all pages"), back in 2013.
+
+- Reintroduce the fast invalidate mechanism and use it when zapping shadow
+ pages in response to a memslot being deleted/moved, which is what this
+ patch does.
+
+For all intents and purposes, this is a revert of commit ea145aacf4ae8
+("Revert "KVM: MMU: fast invalidate all pages"") and a partial revert of
+commit 7390de1e99a70 ("Revert "KVM: x86: use the fast way to invalidate
+all pages""), i.e. restores the behavior of commit 5304b8d37c2a5 ("KVM:
+MMU: fast invalidate all pages") and commit 6ca18b6950f8d ("KVM: x86:
+use the fast way to invalidate all pages") respectively.
+
+Fixes: d012a06ab1d23 ("Revert "KVM: x86/mmu: Zap only the relevant pages when removing a memslot"")
+Reported-by: James Harvey <jamespharvey20@gmail.com>
+Cc: Alex Willamson <alex.williamson@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 2
+ arch/x86/kvm/mmu.c | 101 +++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 101 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -333,6 +333,7 @@ struct kvm_mmu_page {
+ int root_count; /* Currently serving as active root */
+ unsigned int unsync_children;
+ struct kvm_rmap_head parent_ptes; /* rmap pointers to parent sptes */
++ unsigned long mmu_valid_gen;
+ DECLARE_BITMAP(unsync_child_bitmap, 512);
+
+ #ifdef CONFIG_X86_32
+@@ -851,6 +852,7 @@ struct kvm_arch {
+ unsigned long n_requested_mmu_pages;
+ unsigned long n_max_mmu_pages;
+ unsigned int indirect_shadow_pages;
++ unsigned long mmu_valid_gen;
+ struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
+ /*
+ * Hash table of struct kvm_mmu_page.
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2066,6 +2066,12 @@ static struct kvm_mmu_page *kvm_mmu_allo
+ if (!direct)
+ sp->gfns = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache);
+ set_page_private(virt_to_page(sp->spt), (unsigned long)sp);
++
++ /*
++ * active_mmu_pages must be a FIFO list, as kvm_zap_obsolete_pages()
++ * depends on valid pages being added to the head of the list. See
++ * comments in kvm_zap_obsolete_pages().
++ */
+ list_add(&sp->link, &vcpu->kvm->arch.active_mmu_pages);
+ kvm_mod_used_mmu_pages(vcpu->kvm, +1);
+ return sp;
+@@ -2215,7 +2221,7 @@ static void kvm_mmu_commit_zap_page(stru
+ #define for_each_valid_sp(_kvm, _sp, _gfn) \
+ hlist_for_each_entry(_sp, \
+ &(_kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(_gfn)], hash_link) \
+- if ((_sp)->role.invalid) { \
++ if (is_obsolete_sp((_kvm), (_sp)) || (_sp)->role.invalid) { \
+ } else
+
+ #define for_each_gfn_indirect_valid_sp(_kvm, _sp, _gfn) \
+@@ -2272,6 +2278,11 @@ static void kvm_mmu_audit(struct kvm_vcp
+ static void mmu_audit_disable(void) { }
+ #endif
+
++static bool is_obsolete_sp(struct kvm *kvm, struct kvm_mmu_page *sp)
++{
++ return unlikely(sp->mmu_valid_gen != kvm->arch.mmu_valid_gen);
++}
++
+ static bool kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
+ struct list_head *invalid_list)
+ {
+@@ -2496,6 +2507,7 @@ static struct kvm_mmu_page *kvm_mmu_get_
+ if (level > PT_PAGE_TABLE_LEVEL && need_sync)
+ flush |= kvm_sync_pages(vcpu, gfn, &invalid_list);
+ }
++ sp->mmu_valid_gen = vcpu->kvm->arch.mmu_valid_gen;
+ clear_page(sp->spt);
+ trace_kvm_mmu_get_page(sp, true);
+
+@@ -4229,6 +4241,13 @@ static bool fast_cr3_switch(struct kvm_v
+ return false;
+
+ if (cached_root_available(vcpu, new_cr3, new_role)) {
++ /*
++ * It is possible that the cached previous root page is
++ * obsolete because of a change in the MMU generation
++ * number. However, changing the generation number is
++ * accompanied by KVM_REQ_MMU_RELOAD, which will free
++ * the root set here and allocate a new one.
++ */
+ kvm_make_request(KVM_REQ_LOAD_CR3, vcpu);
+ if (!skip_tlb_flush) {
+ kvm_make_request(KVM_REQ_MMU_SYNC, vcpu);
+@@ -5645,11 +5664,89 @@ int kvm_mmu_create(struct kvm_vcpu *vcpu
+ return alloc_mmu_pages(vcpu);
+ }
+
++
++static void kvm_zap_obsolete_pages(struct kvm *kvm)
++{
++ struct kvm_mmu_page *sp, *node;
++ LIST_HEAD(invalid_list);
++ int ign;
++
++restart:
++ list_for_each_entry_safe_reverse(sp, node,
++ &kvm->arch.active_mmu_pages, link) {
++ /*
++ * No obsolete valid page exists before a newly created page
++ * since active_mmu_pages is a FIFO list.
++ */
++ if (!is_obsolete_sp(kvm, sp))
++ break;
++
++ /*
++ * Do not repeatedly zap a root page to avoid unnecessary
++ * KVM_REQ_MMU_RELOAD, otherwise we may not be able to
++ * progress:
++ * vcpu 0 vcpu 1
++ * call vcpu_enter_guest():
++ * 1): handle KVM_REQ_MMU_RELOAD
++ * and require mmu-lock to
++ * load mmu
++ * repeat:
++ * 1): zap root page and
++ * send KVM_REQ_MMU_RELOAD
++ *
++ * 2): if (cond_resched_lock(mmu-lock))
++ *
++ * 2): hold mmu-lock and load mmu
++ *
++ * 3): see KVM_REQ_MMU_RELOAD bit
++ * on vcpu->requests is set
++ * then return 1 to call
++ * vcpu_enter_guest() again.
++ * goto repeat;
++ *
++ * Since we are reversely walking the list and the invalid
++ * list will be moved to the head, skip the invalid page
++ * can help us to avoid the infinity list walking.
++ */
++ if (sp->role.invalid)
++ continue;
++
++ if (need_resched() || spin_needbreak(&kvm->mmu_lock)) {
++ kvm_mmu_commit_zap_page(kvm, &invalid_list);
++ cond_resched_lock(&kvm->mmu_lock);
++ goto restart;
++ }
++
++ if (__kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list, &ign))
++ goto restart;
++ }
++
++ kvm_mmu_commit_zap_page(kvm, &invalid_list);
++}
++
++/*
++ * Fast invalidate all shadow pages and use lock-break technique
++ * to zap obsolete pages.
++ *
++ * It's required when memslot is being deleted or VM is being
++ * destroyed, in these cases, we should ensure that KVM MMU does
++ * not use any resource of the being-deleted slot or all slots
++ * after calling the function.
++ */
++static void kvm_mmu_zap_all_fast(struct kvm *kvm)
++{
++ spin_lock(&kvm->mmu_lock);
++ kvm->arch.mmu_valid_gen++;
++
++ kvm_zap_obsolete_pages(kvm);
++ spin_unlock(&kvm->mmu_lock);
++}
++
+ static void kvm_mmu_invalidate_zap_pages_in_memslot(struct kvm *kvm,
+ struct kvm_memory_slot *slot,
+ struct kvm_page_track_notifier_node *node)
+ {
+- kvm_mmu_zap_all(kvm);
++ kvm_mmu_zap_all_fast(kvm);
+ }
+
+ void kvm_mmu_init_vm(struct kvm *kvm)
--- /dev/null
+From 541ab2aeb28251bf7135c7961f3a6080eebcc705 Mon Sep 17 00:00:00 2001
+From: Fuqian Huang <huangfq.daxian@gmail.com>
+Date: Thu, 12 Sep 2019 12:18:17 +0800
+Subject: KVM: x86: work around leak of uninitialized stack contents
+
+From: Fuqian Huang <huangfq.daxian@gmail.com>
+
+commit 541ab2aeb28251bf7135c7961f3a6080eebcc705 upstream.
+
+Emulation of VMPTRST can incorrectly inject a page fault
+when passed an operand that points to an MMIO address.
+The page fault will use uninitialized kernel stack memory
+as the CR2 and error code.
+
+The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
+exit to userspace; however, it is not an easy fix, so for now just ensure
+that the error code and CR2 are zero.
+
+Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
+Cc: stable@vger.kernel.org
+[add comment]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5265,6 +5265,13 @@ int kvm_write_guest_virt_system(struct k
+ /* kvm_write_guest_virt_system can pull in tons of pages. */
+ vcpu->arch.l1tf_flush_l1d = true;
+
++ /*
++ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
++ * is returned, but our callers are not ready for that and they blindly
++ * call kvm_inject_page_fault. Ensure that they at least do not leak
++ * uninitialized kernel stack memory into cr2 and error code.
++ */
++ memset(exception, 0, sizeof(*exception));
+ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
+ PFERR_WRITE_MASK, exception);
+ }
--- /dev/null
+From aa86f1a3887523d78bfadd1c4e4df8f919336511 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Fri, 13 Sep 2019 11:19:26 +0200
+Subject: mmc: tmio: Fixup runtime PM management during probe
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit aa86f1a3887523d78bfadd1c4e4df8f919336511 upstream.
+
+The tmio_mmc_host_probe() calls pm_runtime_set_active() to update the
+runtime PM status of the device, as to make it reflect the current status
+of the HW. This works fine for most cases, but unfortunate not for all.
+Especially, there is a generic problem when the device has a genpd attached
+and that genpd have the ->start|stop() callbacks assigned.
+
+More precisely, if the driver calls pm_runtime_set_active() during
+->probe(), genpd does not get to invoke the ->start() callback for it,
+which means the HW isn't really fully powered on. Furthermore, in the next
+phase, when the device becomes runtime suspended, genpd will invoke the
+->stop() callback for it, potentially leading to usage count imbalance
+problems, depending on what's implemented behind the callbacks of course.
+
+To fix this problem, convert to call pm_runtime_get_sync() from
+tmio_mmc_host_probe() rather than pm_runtime_set_active(). Additionally, to
+avoid bumping usage counters and unnecessary re-initializing the HW the
+first time the tmio driver's ->runtime_resume() callback is called,
+introduce a state flag to keeping track of this.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/tmio_mmc.h | 1 +
+ drivers/mmc/host/tmio_mmc_core.c | 9 ++++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/tmio_mmc.h
++++ b/drivers/mmc/host/tmio_mmc.h
+@@ -163,6 +163,7 @@ struct tmio_mmc_host {
+ unsigned long last_req_ts;
+ struct mutex ios_lock; /* protect set_ios() context */
+ bool native_hotplug;
++ bool runtime_synced;
+ bool sdio_irq_enabled;
+
+ /* Mandatory callback */
+--- a/drivers/mmc/host/tmio_mmc_core.c
++++ b/drivers/mmc/host/tmio_mmc_core.c
+@@ -1258,20 +1258,22 @@ int tmio_mmc_host_probe(struct tmio_mmc_
+ /* See if we also get DMA */
+ tmio_mmc_request_dma(_host, pdata);
+
+- pm_runtime_set_active(&pdev->dev);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, 50);
+ pm_runtime_use_autosuspend(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
++ pm_runtime_get_sync(&pdev->dev);
+
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto remove_host;
+
+ dev_pm_qos_expose_latency_limit(&pdev->dev, 100);
++ pm_runtime_put(&pdev->dev);
+
+ return 0;
+
+ remove_host:
++ pm_runtime_put_noidle(&pdev->dev);
+ tmio_mmc_host_remove(_host);
+ return ret;
+ }
+@@ -1340,6 +1342,11 @@ int tmio_mmc_host_runtime_resume(struct
+ {
+ struct tmio_mmc_host *host = dev_get_drvdata(dev);
+
++ if (!host->runtime_synced) {
++ host->runtime_synced = true;
++ return 0;
++ }
++
+ tmio_mmc_clk_enable(host);
+ tmio_mmc_hw_reset(host->mmc);
+
--- /dev/null
+From 87b5d602a1cc76169b8d81ec2c74c8d95d9350dc Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Fri, 13 Sep 2019 11:20:22 +0200
+Subject: mmc: tmio: Fixup runtime PM management during remove
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 87b5d602a1cc76169b8d81ec2c74c8d95d9350dc upstream.
+
+Accessing the device when it may be runtime suspended is a bug, which is
+the case in tmio_mmc_host_remove(). Let's fix the behaviour.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/tmio_mmc_core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/tmio_mmc_core.c
++++ b/drivers/mmc/host/tmio_mmc_core.c
+@@ -1284,12 +1284,11 @@ void tmio_mmc_host_remove(struct tmio_mm
+ struct platform_device *pdev = host->pdev;
+ struct mmc_host *mmc = host->mmc;
+
++ pm_runtime_get_sync(&pdev->dev);
++
+ if (host->pdata->flags & TMIO_MMC_SDIO_IRQ)
+ sd_ctrl_write16(host, CTL_TRANSACTION_CTL, 0x0000);
+
+- if (!host->native_hotplug)
+- pm_runtime_get_sync(&pdev->dev);
+-
+ dev_pm_qos_hide_latency_limit(&pdev->dev);
+
+ mmc_remove_host(mmc);
+@@ -1298,6 +1297,8 @@ void tmio_mmc_host_remove(struct tmio_mm
+ tmio_mmc_release_dma(host);
+
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
++ if (host->native_hotplug)
++ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ }
--- /dev/null
+From 70702265a04aa0ce5a7bde77d13456209992b32f Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Tue, 13 Aug 2019 15:36:56 +0200
+Subject: mt76: mt76x0e: disable 5GHz band for MT7630E
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 70702265a04aa0ce5a7bde77d13456209992b32f upstream.
+
+MT7630E hardware does support 5GHz, but we do not properly configure phy
+for 5GHz channels. Scanning at this band not only do not show any APs
+but also can hang the firmware.
+
+Since vendor reference driver do not support 5GHz we don't know how
+properly configure 5GHz channels. So disable this band for MT7630E .
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c
+@@ -59,6 +59,11 @@ static void mt76x0_set_chip_cap(struct m
+ dev_dbg(dev->mt76.dev, "mask out 2GHz support\n");
+ }
+
++ if (is_mt7630(dev)) {
++ dev->mt76.cap.has_5ghz = false;
++ dev_dbg(dev->mt76.dev, "mask out 5GHz support\n");
++ }
++
+ if (!mt76x02_field_valid(nic_conf1 & 0xff))
+ nic_conf1 &= 0xff00;
+
--- /dev/null
+From 3829100a63724f6dbf264b2a7f06e7f638ed952d Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade <andreas@kemnade.info>
+Date: Wed, 14 Aug 2019 23:43:19 +0200
+Subject: regulator: twl: voltage lists for vdd1/2 on twl4030
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+commit 3829100a63724f6dbf264b2a7f06e7f638ed952d upstream.
+
+_opp_supported_by_regulators() wrongly ignored errors from
+regulator_is_supported_voltage(), so it considered errors as
+success. Since
+commit 498209445124 ("regulator: core: simplify return value on suported_voltage")
+regulator_is_supported_voltage() returns a real boolean, so
+errors make _opp_supported_by_regulators() return false.
+
+That reveals a problem with the declaration of the VDD1/2
+regulators on twl4030.
+The VDD1/VDD2 regulators on twl4030 are neither defined with
+voltage lists nor with the continuous flag set, so
+regulator_is_supported_voltage() returns false and an error
+before above mentioned commit (which was considered success)
+The result is that after the above mentioned commit cpufreq
+does not work properly e.g. dm3730.
+
+[ 2.490997] core: _opp_supported_by_regulators: OPP minuV: 1012500 maxuV: 1012500, not supported by regulator
+[ 2.501617] cpu cpu0: _opp_add: OPP not supported by regulators (300000000)
+[ 2.509246] core: _opp_supported_by_regulators: OPP minuV: 1200000 maxuV: 1200000, not supported by regulator
+[ 2.519775] cpu cpu0: _opp_add: OPP not supported by regulators (600000000)
+[ 2.527313] core: _opp_supported_by_regulators: OPP minuV: 1325000 maxuV: 1325000, not supported by regulator
+[ 2.537750] cpu cpu0: _opp_add: OPP not supported by regulators (800000000)
+
+The patch fixes declaration of VDD1/2 regulators by
+adding proper voltage lists.
+
+Fixes: 498209445124 ("regulator: core: simplify return value on suported_voltage")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Tested-by: Adam Ford <aford173@gmail.com> #logicpd-torpedo-37xx-devkit
+Link: https://lore.kernel.org/r/20190814214319.24087-1-andreas@kemnade.info
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/twl-regulator.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/drivers/regulator/twl-regulator.c
++++ b/drivers/regulator/twl-regulator.c
+@@ -359,6 +359,17 @@ static const u16 VINTANA2_VSEL_table[] =
+ 2500, 2750,
+ };
+
++/* 600mV to 1450mV in 12.5 mV steps */
++static const struct regulator_linear_range VDD1_ranges[] = {
++ REGULATOR_LINEAR_RANGE(600000, 0, 68, 12500)
++};
++
++/* 600mV to 1450mV in 12.5 mV steps, everything above = 1500mV */
++static const struct regulator_linear_range VDD2_ranges[] = {
++ REGULATOR_LINEAR_RANGE(600000, 0, 68, 12500),
++ REGULATOR_LINEAR_RANGE(1500000, 69, 69, 12500)
++};
++
+ static int twl4030ldo_list_voltage(struct regulator_dev *rdev, unsigned index)
+ {
+ struct twlreg_info *info = rdev_get_drvdata(rdev);
+@@ -427,6 +438,8 @@ static int twl4030smps_get_voltage(struc
+ }
+
+ static const struct regulator_ops twl4030smps_ops = {
++ .list_voltage = regulator_list_voltage_linear_range,
++
+ .set_voltage = twl4030smps_set_voltage,
+ .get_voltage = twl4030smps_get_voltage,
+ };
+@@ -466,7 +479,8 @@ static const struct twlreg_info TWL4030_
+ }, \
+ }
+
+-#define TWL4030_ADJUSTABLE_SMPS(label, offset, num, turnon_delay, remap_conf) \
++#define TWL4030_ADJUSTABLE_SMPS(label, offset, num, turnon_delay, remap_conf, \
++ n_volt) \
+ static const struct twlreg_info TWL4030_INFO_##label = { \
+ .base = offset, \
+ .id = num, \
+@@ -479,6 +493,9 @@ static const struct twlreg_info TWL4030_
+ .owner = THIS_MODULE, \
+ .enable_time = turnon_delay, \
+ .of_map_mode = twl4030reg_map_mode, \
++ .n_voltages = n_volt, \
++ .n_linear_ranges = ARRAY_SIZE(label ## _ranges), \
++ .linear_ranges = label ## _ranges, \
+ }, \
+ }
+
+@@ -518,8 +535,8 @@ TWL4030_ADJUSTABLE_LDO(VSIM, 0x37, 9, 10
+ TWL4030_ADJUSTABLE_LDO(VDAC, 0x3b, 10, 100, 0x08);
+ TWL4030_ADJUSTABLE_LDO(VINTANA2, 0x43, 12, 100, 0x08);
+ TWL4030_ADJUSTABLE_LDO(VIO, 0x4b, 14, 1000, 0x08);
+-TWL4030_ADJUSTABLE_SMPS(VDD1, 0x55, 15, 1000, 0x08);
+-TWL4030_ADJUSTABLE_SMPS(VDD2, 0x63, 16, 1000, 0x08);
++TWL4030_ADJUSTABLE_SMPS(VDD1, 0x55, 15, 1000, 0x08, 68);
++TWL4030_ADJUSTABLE_SMPS(VDD2, 0x63, 16, 1000, 0x08, 69);
+ /* VUSBCP is managed *only* by the USB subchip */
+ TWL4030_FIXED_LDO(VINTANA1, 0x3f, 1500, 11, 100, 0x08);
+ TWL4030_FIXED_LDO(VINTDIG, 0x47, 1500, 13, 100, 0x08);
--- /dev/null
+From aea64b583601aa5e0d6ea51a0420e46e43710bd4 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Sun, 8 Sep 2019 09:45:52 +0200
+Subject: Revert "mmc: bcm2835: Terminate timeout work synchronously"
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+commit aea64b583601aa5e0d6ea51a0420e46e43710bd4 upstream.
+
+The commit 37fefadee8bb ("mmc: bcm2835: Terminate timeout work
+synchronously") causes lockups in case of hardware timeouts due the
+timeout work also calling cancel_delayed_work_sync() on its own.
+So revert it.
+
+Fixes: 37fefadee8bb ("mmc: bcm2835: Terminate timeout work synchronously")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/bcm2835.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/bcm2835.c
++++ b/drivers/mmc/host/bcm2835.c
+@@ -597,7 +597,7 @@ static void bcm2835_finish_request(struc
+ struct dma_chan *terminate_chan = NULL;
+ struct mmc_request *mrq;
+
+- cancel_delayed_work_sync(&host->timeout_work);
++ cancel_delayed_work(&host->timeout_work);
+
+ mrq = host->mrq;
+
--- /dev/null
+From 49baa01c8b99ef92958e18fb58ebeb5dfdcde8af Mon Sep 17 00:00:00 2001
+From: Daniel Drake <drake@endlessm.com>
+Date: Thu, 5 Sep 2019 12:55:57 +0800
+Subject: Revert "mmc: sdhci: Remove unneeded quirk2 flag of O2 SD host controller"
+
+From: Daniel Drake <drake@endlessm.com>
+
+commit 49baa01c8b99ef92958e18fb58ebeb5dfdcde8af upstream.
+
+This reverts commit 414126f9e5abf1973c661d24229543a9458fa8ce.
+
+This commit broke eMMC storage access on a new consumer MiniPC based on
+AMD SoC, which has eMMC connected to:
+
+02:00.0 SD Host controller: O2 Micro, Inc. Device 8620 (rev 01) (prog-if 01)
+ Subsystem: O2 Micro, Inc. Device 0002
+
+During probe, several errors are seen including:
+
+ mmc1: Got data interrupt 0x02000000 even though no data operation was in progress.
+ mmc1: Timeout waiting for hardware interrupt.
+ mmc1: error -110 whilst initialising MMC card
+
+Reverting this commit allows the eMMC storage to be detected & usable
+again.
+
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Fixes: 414126f9e5ab ("mmc: sdhci: Remove unneeded quirk2 flag of O2 SD host
+controller")
+Cc: stable@vger.kernel.org # v5.1+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-pci-o2micro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-pci-o2micro.c
++++ b/drivers/mmc/host/sdhci-pci-o2micro.c
+@@ -432,7 +432,6 @@ int sdhci_pci_o2_probe_slot(struct sdhci
+ mmc_hostname(host->mmc));
+ host->flags &= ~SDHCI_SIGNALING_330;
+ host->flags |= SDHCI_SIGNALING_180;
+- host->quirks2 |= SDHCI_QUIRK2_CLEAR_TRANSFERMODE_REG_BEFORE_CMD;
+ host->mmc->caps2 |= MMC_CAP2_NO_SD;
+ host->mmc->caps2 |= MMC_CAP2_NO_SDIO;
+ pci_write_config_dword(chip->pdev,
+@@ -682,6 +681,7 @@ static const struct sdhci_ops sdhci_pci_
+ const struct sdhci_pci_fixes sdhci_o2 = {
+ .probe = sdhci_pci_o2_probe,
+ .quirks = SDHCI_QUIRK_NO_ENDATTR_IN_NOPDESC,
++ .quirks2 = SDHCI_QUIRK2_CLEAR_TRANSFERMODE_REG_BEFORE_CMD,
+ .probe_slot = sdhci_pci_o2_probe_slot,
+ #ifdef CONFIG_PM_SLEEP
+ .resume = sdhci_pci_o2_resume,
--- /dev/null
+From 13fa451568ab9e8b3074ef741477c7938c713c42 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 29 Aug 2019 13:29:59 +0200
+Subject: Revert "rt2800: enable TX_PIN_CFG_LNA_PE_ bits per band"
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 13fa451568ab9e8b3074ef741477c7938c713c42 upstream.
+
+This reverts commit 9ad3b55654455258a9463384edb40077439d879f.
+
+As reported by Sergey:
+
+"I got some problem after upgrade kernel to 5.2 version (debian testing
+linux-image-5.2.0-2-amd64). 5Ghz client stopped to see AP.
+Some tests with 1metre distance between client-AP: 2.4Ghz -22dBm, for
+5Ghz - 53dBm !, for longer distance (8m + walls) 2.4 - 61dBm, 5Ghz not
+visible."
+
+It was identified that rx signal level degradation was caused by
+9ad3b5565445 ("rt2800: enable TX_PIN_CFG_LNA_PE_ bits per band").
+So revert this commit.
+
+Cc: <stable@vger.kernel.org> # v5.1+
+Reported-and-tested-by: Sergey Maranchuk <slav0nic0@gmail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -4156,24 +4156,18 @@ static void rt2800_config_channel(struct
+ switch (rt2x00dev->default_ant.rx_chain_num) {
+ case 3:
+ /* Turn on tertiary LNAs */
+- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A2_EN,
+- rf->channel > 14);
+- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G2_EN,
+- rf->channel <= 14);
++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A2_EN, 1);
++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G2_EN, 1);
+ /* fall-through */
+ case 2:
+ /* Turn on secondary LNAs */
+- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A1_EN,
+- rf->channel > 14);
+- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G1_EN,
+- rf->channel <= 14);
++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A1_EN, 1);
++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G1_EN, 1);
+ /* fall-through */
+ case 1:
+ /* Turn on primary LNAs */
+- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A0_EN,
+- rf->channel > 14);
+- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G0_EN,
+- rf->channel <= 14);
++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A0_EN, 1);
++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G0_EN, 1);
+ break;
+ }
+
net-fixed_phy-add-forward-declaration-for-struct-gpio_desc.patch
sctp-fix-the-missing-put_user-when-dumping-transport-thresholds.patch
net-sock_map-fix-missing-ulp-check-in-sock-hash-case.patch
+gpiolib-acpi-add-gpiolib_acpi_run_edge_events_on_boot-option-and-blacklist.patch
+gpio-mockup-add-missing-single_release.patch
+gpio-fix-line-flag-validation-in-linehandle_create.patch
+gpio-fix-line-flag-validation-in-lineevent_create.patch
+btrfs-fix-assertion-failure-during-fsync-and-use-of-stale-transaction.patch
+cgroup-freezer-fix-frozen-state-inheritance.patch
+revert-mmc-bcm2835-terminate-timeout-work-synchronously.patch
+revert-mmc-sdhci-remove-unneeded-quirk2-flag-of-o2-sd-host-controller.patch
+mmc-tmio-fixup-runtime-pm-management-during-probe.patch
+mmc-tmio-fixup-runtime-pm-management-during-remove.patch
+drm-lima-fix-lima_gem_wait-return-value.patch
+drm-i915-limit-mst-to-8bpc-once-again.patch
+drm-i915-restore-relaxed-padding-ocl_oob_suppres_enable-for-skl.patch
+ipc-fix-semtimedop-for-generic-32-bit-architectures.patch
+ipc-fix-sparc64-ipc-wrapper.patch
+ixgbe-fix-double-clean-of-tx-descriptors-with-xdp.patch
+ixgbe-prevent-u8-wrapping-of-itr-value-to-something-less-than-10us.patch
+revert-rt2800-enable-tx_pin_cfg_lna_pe_-bits-per-band.patch
+mt76-mt76x0e-disable-5ghz-band-for-mt7630e.patch
+genirq-prevent-null-pointer-dereference-in-resend_irqs.patch
+regulator-twl-voltage-lists-for-vdd1-2-on-twl4030.patch
+kvm-s390-kvm_s390_vm_start_migration-check-dirty_bitmap-before-using-it-as-target-for-memset.patch
+kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl.patch
+kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch
+kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch
+kvm-nvmx-handle-page-fault-in-vmread.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
