--- /dev/null
+From a103109ef920af2b281e705c25e6ff5ea933b157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jan 2019 14:14:51 +0100
+Subject: ALSA: hda/realtek - Apply ALC294 hp init also for S4 resume
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit f6ef4e0e284251ff795c541db1129c84515ed044 ]
+
+The init sequence for ALC294 headphone stuff is needed not only for
+the boot up time but also for the resume from hibernation, where the
+device is switched from the boot kernel without sound driver to the
+suspended image. Since we record the PM event in the device
+power_state field, we can now recognize the call pattern and apply the
+sequence conditionally.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 5412952557f7a..8d6c5be387362 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3246,7 +3246,9 @@ static void alc294_init(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+
+- if (!spec->done_hp_init) {
++ /* required only at boot or S4 resume time */
++ if (!spec->done_hp_init ||
++ codec->core.dev.power.power_state.event == PM_EVENT_RESTORE) {
+ alc294_hp_init(codec);
+ spec->done_hp_init = true;
+ }
+--
+2.20.1
+
--- /dev/null
+From 3b10eea8beb993dce44134f3a2a0f27385a4bef8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 10:49:35 +0100
+Subject: arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1
+ #1542419
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit dd8a1f13488438c6c220b7cafa500baaf21a6e53 ]
+
+CPUs affected by Neoverse-N1 #1542419 may execute a stale instruction if
+it was recently modified. The affected sequence requires freshly written
+instructions to be executable before a branch to them is updated.
+
+There are very few places in the kernel that modify executable text,
+all but one come with sufficient synchronisation:
+ * The module loader's flush_module_icache() calls flush_icache_range(),
+ which does a kick_all_cpus_sync()
+ * bpf_int_jit_compile() calls flush_icache_range().
+ * Kprobes calls aarch64_insn_patch_text(), which does its work in
+ stop_machine().
+ * static keys and ftrace both patch between nops and branches to
+ existing kernel code (not generated code).
+
+The affected sequence is the interaction between ftrace and modules.
+The module PLT is cleaned using __flush_icache_range() as the trampoline
+shouldn't be executable until we update the branch to it.
+
+Drop the double-underscore so that this path runs kick_all_cpus_sync()
+too.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/ftrace.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c
+index fac79d75d1d9d..6eefd5873aef4 100644
+--- a/arch/arm64/kernel/ftrace.c
++++ b/arch/arm64/kernel/ftrace.c
+@@ -119,7 +119,13 @@ int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr)
+
+ /*
+ * Ensure updated trampoline is visible to instruction
+- * fetch before we patch in the branch.
++ * fetch before we patch in the branch. Although the
++ * architecture doesn't require an IPI in this case,
++ * Neoverse-N1 erratum #1542419 does require one
++ * if the TLB maintenance in module_enable_ro() is
++ * skipped due to rodata_enabled. It doesn't seem worth
++ * it to make it conditional given that this is
++ * certainly not a fast-path.
+ */
+ flush_icache_range((unsigned long)&dst[0],
+ (unsigned long)&dst[1]);
+--
+2.20.1
+
--- /dev/null
+From ad0cba41857804d0c6043ecc0ee98016e09f447c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 15:41:42 +0800
+Subject: clk: boston: unregister clks on failure in clk_boston_setup()
+
+From: Yi Wang <wang.yi59@zte.com.cn>
+
+[ Upstream commit 8b627f616ed63dcaf922369fc14a5daf8ad03038 ]
+
+The registered clks should unregister when something wrong happens
+before going out in function clk_boston_setup().
+
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imgtec/clk-boston.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/imgtec/clk-boston.c b/drivers/clk/imgtec/clk-boston.c
+index f5d54a64d33c5..dddda45127a80 100644
+--- a/drivers/clk/imgtec/clk-boston.c
++++ b/drivers/clk/imgtec/clk-boston.c
+@@ -73,31 +73,39 @@ static void __init clk_boston_setup(struct device_node *np)
+ hw = clk_hw_register_fixed_rate(NULL, "input", NULL, 0, in_freq);
+ if (IS_ERR(hw)) {
+ pr_err("failed to register input clock: %ld\n", PTR_ERR(hw));
+- goto error;
++ goto fail_input;
+ }
+ onecell->hws[BOSTON_CLK_INPUT] = hw;
+
+ hw = clk_hw_register_fixed_rate(NULL, "sys", "input", 0, sys_freq);
+ if (IS_ERR(hw)) {
+ pr_err("failed to register sys clock: %ld\n", PTR_ERR(hw));
+- goto error;
++ goto fail_sys;
+ }
+ onecell->hws[BOSTON_CLK_SYS] = hw;
+
+ hw = clk_hw_register_fixed_rate(NULL, "cpu", "input", 0, cpu_freq);
+ if (IS_ERR(hw)) {
+ pr_err("failed to register cpu clock: %ld\n", PTR_ERR(hw));
+- goto error;
++ goto fail_cpu;
+ }
+ onecell->hws[BOSTON_CLK_CPU] = hw;
+
+ err = of_clk_add_hw_provider(np, of_clk_hw_onecell_get, onecell);
+- if (err)
++ if (err) {
+ pr_err("failed to add DT provider: %d\n", err);
++ goto fail_clk_add;
++ }
+
+ return;
+
+-error:
++fail_clk_add:
++ clk_hw_unregister_fixed_rate(onecell->hws[BOSTON_CLK_CPU]);
++fail_cpu:
++ clk_hw_unregister_fixed_rate(onecell->hws[BOSTON_CLK_SYS]);
++fail_sys:
++ clk_hw_unregister_fixed_rate(onecell->hws[BOSTON_CLK_INPUT]);
++fail_input:
+ kfree(onecell);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From e98409c1e53e1790d74165e8f9df1db939c1e0dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 06:14:17 -0400
+Subject: dm snapshot: introduce account_start_copy() and account_end_copy()
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit a2f83e8b0c82c9500421a26c49eb198b25fcdea3 ]
+
+This simple refactoring moves code for modifying the semaphore cow_count
+into separate functions to prepare for changes that will extend these
+methods to provide for a more sophisticated mechanism for COW
+throttling.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Nikos Tsironis <ntsironis@arrikto.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-snap.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index 8b1556e77a0a0..a9575122a0c6e 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -1399,6 +1399,16 @@ static void snapshot_dtr(struct dm_target *ti)
+ kfree(s);
+ }
+
++static void account_start_copy(struct dm_snapshot *s)
++{
++ down(&s->cow_count);
++}
++
++static void account_end_copy(struct dm_snapshot *s)
++{
++ up(&s->cow_count);
++}
++
+ /*
+ * Flush a list of buffers.
+ */
+@@ -1581,7 +1591,7 @@ static void copy_callback(int read_err, unsigned long write_err, void *context)
+ }
+ list_add(&pe->out_of_order_entry, lh);
+ }
+- up(&s->cow_count);
++ account_end_copy(s);
+ }
+
+ /*
+@@ -1605,7 +1615,7 @@ static void start_copy(struct dm_snap_pending_exception *pe)
+ dest.count = src.count;
+
+ /* Hand over to kcopyd */
+- down(&s->cow_count);
++ account_start_copy(s);
+ dm_kcopyd_copy(s->kcopyd_client, &src, 1, &dest, 0, copy_callback, pe);
+ }
+
+@@ -1625,7 +1635,7 @@ static void start_full_bio(struct dm_snap_pending_exception *pe,
+ pe->full_bio = bio;
+ pe->full_bio_end_io = bio->bi_end_io;
+
+- down(&s->cow_count);
++ account_start_copy(s);
+ callback_data = dm_kcopyd_prepare_callback(s->kcopyd_client,
+ copy_callback, pe);
+
+--
+2.20.1
+
--- /dev/null
+From 8909f7b68e2713f62140a6257d72487a909ebbcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 06:15:53 -0400
+Subject: dm snapshot: rework COW throttling to fix deadlock
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit b21555786f18cd77f2311ad89074533109ae3ffa ]
+
+Commit 721b1d98fb517a ("dm snapshot: Fix excessive memory usage and
+workqueue stalls") introduced a semaphore to limit the maximum number of
+in-flight kcopyd (COW) jobs.
+
+The implementation of this throttling mechanism is prone to a deadlock:
+
+1. One or more threads write to the origin device causing COW, which is
+ performed by kcopyd.
+
+2. At some point some of these threads might reach the s->cow_count
+ semaphore limit and block in down(&s->cow_count), holding a read lock
+ on _origins_lock.
+
+3. Someone tries to acquire a write lock on _origins_lock, e.g.,
+ snapshot_ctr(), which blocks because the threads at step (2) already
+ hold a read lock on it.
+
+4. A COW operation completes and kcopyd runs dm-snapshot's completion
+ callback, which ends up calling pending_complete().
+ pending_complete() tries to resubmit any deferred origin bios. This
+ requires acquiring a read lock on _origins_lock, which blocks.
+
+ This happens because the read-write semaphore implementation gives
+ priority to writers, meaning that as soon as a writer tries to enter
+ the critical section, no readers will be allowed in, until all
+ writers have completed their work.
+
+ So, pending_complete() waits for the writer at step (3) to acquire
+ and release the lock. This writer waits for the readers at step (2)
+ to release the read lock and those readers wait for
+ pending_complete() (the kcopyd thread) to signal the s->cow_count
+ semaphore: DEADLOCK.
+
+The above was thoroughly analyzed and documented by Nikos Tsironis as
+part of his initial proposal for fixing this deadlock, see:
+https://www.redhat.com/archives/dm-devel/2019-October/msg00001.html
+
+Fix this deadlock by reworking COW throttling so that it waits without
+holding any locks. Add a variable 'in_progress' that counts how many
+kcopyd jobs are running. A function wait_for_in_progress() will sleep if
+'in_progress' is over the limit. It drops _origins_lock in order to
+avoid the deadlock.
+
+Reported-by: Guruswamy Basavaiah <guru2018@gmail.com>
+Reported-by: Nikos Tsironis <ntsironis@arrikto.com>
+Reviewed-by: Nikos Tsironis <ntsironis@arrikto.com>
+Tested-by: Nikos Tsironis <ntsironis@arrikto.com>
+Fixes: 721b1d98fb51 ("dm snapshot: Fix excessive memory usage and workqueue stalls")
+Cc: stable@vger.kernel.org # v5.0+
+Depends-on: 4a3f111a73a8c ("dm snapshot: introduce account_start_copy() and account_end_copy()")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-snap.c | 80 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 64 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index a9575122a0c6e..95c564b60d79a 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -19,7 +19,6 @@
+ #include <linux/vmalloc.h>
+ #include <linux/log2.h>
+ #include <linux/dm-kcopyd.h>
+-#include <linux/semaphore.h>
+
+ #include "dm.h"
+
+@@ -106,8 +105,8 @@ struct dm_snapshot {
+ /* The on disk metadata handler */
+ struct dm_exception_store *store;
+
+- /* Maximum number of in-flight COW jobs. */
+- struct semaphore cow_count;
++ unsigned in_progress;
++ struct wait_queue_head in_progress_wait;
+
+ struct dm_kcopyd_client *kcopyd_client;
+
+@@ -158,8 +157,8 @@ struct dm_snapshot {
+ */
+ #define DEFAULT_COW_THRESHOLD 2048
+
+-static int cow_threshold = DEFAULT_COW_THRESHOLD;
+-module_param_named(snapshot_cow_threshold, cow_threshold, int, 0644);
++static unsigned cow_threshold = DEFAULT_COW_THRESHOLD;
++module_param_named(snapshot_cow_threshold, cow_threshold, uint, 0644);
+ MODULE_PARM_DESC(snapshot_cow_threshold, "Maximum number of chunks being copied on write");
+
+ DECLARE_DM_KCOPYD_THROTTLE_WITH_MODULE_PARM(snapshot_copy_throttle,
+@@ -1206,7 +1205,7 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ goto bad_hash_tables;
+ }
+
+- sema_init(&s->cow_count, (cow_threshold > 0) ? cow_threshold : INT_MAX);
++ init_waitqueue_head(&s->in_progress_wait);
+
+ s->kcopyd_client = dm_kcopyd_client_create(&dm_kcopyd_throttle);
+ if (IS_ERR(s->kcopyd_client)) {
+@@ -1396,17 +1395,54 @@ static void snapshot_dtr(struct dm_target *ti)
+
+ dm_put_device(ti, s->origin);
+
++ WARN_ON(s->in_progress);
++
+ kfree(s);
+ }
+
+ static void account_start_copy(struct dm_snapshot *s)
+ {
+- down(&s->cow_count);
++ spin_lock(&s->in_progress_wait.lock);
++ s->in_progress++;
++ spin_unlock(&s->in_progress_wait.lock);
+ }
+
+ static void account_end_copy(struct dm_snapshot *s)
+ {
+- up(&s->cow_count);
++ spin_lock(&s->in_progress_wait.lock);
++ BUG_ON(!s->in_progress);
++ s->in_progress--;
++ if (likely(s->in_progress <= cow_threshold) &&
++ unlikely(waitqueue_active(&s->in_progress_wait)))
++ wake_up_locked(&s->in_progress_wait);
++ spin_unlock(&s->in_progress_wait.lock);
++}
++
++static bool wait_for_in_progress(struct dm_snapshot *s, bool unlock_origins)
++{
++ if (unlikely(s->in_progress > cow_threshold)) {
++ spin_lock(&s->in_progress_wait.lock);
++ if (likely(s->in_progress > cow_threshold)) {
++ /*
++ * NOTE: this throttle doesn't account for whether
++ * the caller is servicing an IO that will trigger a COW
++ * so excess throttling may result for chunks not required
++ * to be COW'd. But if cow_threshold was reached, extra
++ * throttling is unlikely to negatively impact performance.
++ */
++ DECLARE_WAITQUEUE(wait, current);
++ __add_wait_queue(&s->in_progress_wait, &wait);
++ __set_current_state(TASK_UNINTERRUPTIBLE);
++ spin_unlock(&s->in_progress_wait.lock);
++ if (unlock_origins)
++ up_read(&_origins_lock);
++ io_schedule();
++ remove_wait_queue(&s->in_progress_wait, &wait);
++ return false;
++ }
++ spin_unlock(&s->in_progress_wait.lock);
++ }
++ return true;
+ }
+
+ /*
+@@ -1424,7 +1460,7 @@ static void flush_bios(struct bio *bio)
+ }
+ }
+
+-static int do_origin(struct dm_dev *origin, struct bio *bio);
++static int do_origin(struct dm_dev *origin, struct bio *bio, bool limit);
+
+ /*
+ * Flush a list of buffers.
+@@ -1437,7 +1473,7 @@ static void retry_origin_bios(struct dm_snapshot *s, struct bio *bio)
+ while (bio) {
+ n = bio->bi_next;
+ bio->bi_next = NULL;
+- r = do_origin(s->origin, bio);
++ r = do_origin(s->origin, bio, false);
+ if (r == DM_MAPIO_REMAPPED)
+ generic_make_request(bio);
+ bio = n;
+@@ -1726,8 +1762,11 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio)
+ if (!s->valid)
+ return DM_MAPIO_KILL;
+
+- /* FIXME: should only take write lock if we need
+- * to copy an exception */
++ if (bio_data_dir(bio) == WRITE) {
++ while (unlikely(!wait_for_in_progress(s, false)))
++ ; /* wait_for_in_progress() has slept */
++ }
++
+ mutex_lock(&s->lock);
+
+ if (!s->valid || (unlikely(s->snapshot_overflowed) &&
+@@ -1876,7 +1915,7 @@ redirect_to_origin:
+
+ if (bio_data_dir(bio) == WRITE) {
+ mutex_unlock(&s->lock);
+- return do_origin(s->origin, bio);
++ return do_origin(s->origin, bio, false);
+ }
+
+ out_unlock:
+@@ -2213,15 +2252,24 @@ next_snapshot:
+ /*
+ * Called on a write from the origin driver.
+ */
+-static int do_origin(struct dm_dev *origin, struct bio *bio)
++static int do_origin(struct dm_dev *origin, struct bio *bio, bool limit)
+ {
+ struct origin *o;
+ int r = DM_MAPIO_REMAPPED;
+
++again:
+ down_read(&_origins_lock);
+ o = __lookup_origin(origin->bdev);
+- if (o)
++ if (o) {
++ if (limit) {
++ struct dm_snapshot *s;
++ list_for_each_entry(s, &o->snapshots, list)
++ if (unlikely(!wait_for_in_progress(s, true)))
++ goto again;
++ }
++
+ r = __origin_write(&o->snapshots, bio->bi_iter.bi_sector, bio);
++ }
+ up_read(&_origins_lock);
+
+ return r;
+@@ -2334,7 +2382,7 @@ static int origin_map(struct dm_target *ti, struct bio *bio)
+ dm_accept_partial_bio(bio, available_sectors);
+
+ /* Only tell snapshots if this is a write */
+- return do_origin(o->dev, bio);
++ return do_origin(o->dev, bio, true);
+ }
+
+ static long origin_dax_direct_access(struct dm_target *ti, pgoff_t pgoff,
+--
+2.20.1
+
--- /dev/null
+From 149328674b2c089eeb1ba902392be054e121d266 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2017 16:15:43 -0500
+Subject: dm snapshot: use mutex instead of rw_semaphore
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit ae1093be5a0ef997833e200a0dafb9ed0b1ff4fe ]
+
+The rw_semaphore is acquired for read only in two places, neither is
+performance-critical. So replace it with a mutex -- which is more
+efficient.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-snap.c | 84 +++++++++++++++++++++++---------------------
+ 1 file changed, 43 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index b502debc6df3f..8b1556e77a0a0 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -48,7 +48,7 @@ struct dm_exception_table {
+ };
+
+ struct dm_snapshot {
+- struct rw_semaphore lock;
++ struct mutex lock;
+
+ struct dm_dev *origin;
+ struct dm_dev *cow;
+@@ -456,9 +456,9 @@ static int __find_snapshots_sharing_cow(struct dm_snapshot *snap,
+ if (!bdev_equal(s->cow->bdev, snap->cow->bdev))
+ continue;
+
+- down_read(&s->lock);
++ mutex_lock(&s->lock);
+ active = s->active;
+- up_read(&s->lock);
++ mutex_unlock(&s->lock);
+
+ if (active) {
+ if (snap_src)
+@@ -926,7 +926,7 @@ static int remove_single_exception_chunk(struct dm_snapshot *s)
+ int r;
+ chunk_t old_chunk = s->first_merging_chunk + s->num_merging_chunks - 1;
+
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+
+ /*
+ * Process chunks (and associated exceptions) in reverse order
+@@ -941,7 +941,7 @@ static int remove_single_exception_chunk(struct dm_snapshot *s)
+ b = __release_queued_bios_after_merge(s);
+
+ out:
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ if (b)
+ flush_bios(b);
+
+@@ -1000,9 +1000,9 @@ static void snapshot_merge_next_chunks(struct dm_snapshot *s)
+ if (linear_chunks < 0) {
+ DMERR("Read error in exception store: "
+ "shutting down merge");
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+ s->merge_failed = 1;
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ }
+ goto shut;
+ }
+@@ -1043,10 +1043,10 @@ static void snapshot_merge_next_chunks(struct dm_snapshot *s)
+ previous_count = read_pending_exceptions_done_count();
+ }
+
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+ s->first_merging_chunk = old_chunk;
+ s->num_merging_chunks = linear_chunks;
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+
+ /* Wait until writes to all 'linear_chunks' drain */
+ for (i = 0; i < linear_chunks; i++)
+@@ -1088,10 +1088,10 @@ static void merge_callback(int read_err, unsigned long write_err, void *context)
+ return;
+
+ shut:
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+ s->merge_failed = 1;
+ b = __release_queued_bios_after_merge(s);
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ error_bios(b);
+
+ merge_shutdown(s);
+@@ -1190,7 +1190,7 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ s->exception_start_sequence = 0;
+ s->exception_complete_sequence = 0;
+ INIT_LIST_HEAD(&s->out_of_order_list);
+- init_rwsem(&s->lock);
++ mutex_init(&s->lock);
+ INIT_LIST_HEAD(&s->list);
+ spin_lock_init(&s->pe_lock);
+ s->state_bits = 0;
+@@ -1357,9 +1357,9 @@ static void snapshot_dtr(struct dm_target *ti)
+ /* Check whether exception handover must be cancelled */
+ (void) __find_snapshots_sharing_cow(s, &snap_src, &snap_dest, NULL);
+ if (snap_src && snap_dest && (s == snap_src)) {
+- down_write(&snap_dest->lock);
++ mutex_lock(&snap_dest->lock);
+ snap_dest->valid = 0;
+- up_write(&snap_dest->lock);
++ mutex_unlock(&snap_dest->lock);
+ DMERR("Cancelling snapshot handover.");
+ }
+ up_read(&_origins_lock);
+@@ -1390,6 +1390,8 @@ static void snapshot_dtr(struct dm_target *ti)
+
+ dm_exception_store_destroy(s->store);
+
++ mutex_destroy(&s->lock);
++
+ dm_put_device(ti, s->cow);
+
+ dm_put_device(ti, s->origin);
+@@ -1477,7 +1479,7 @@ static void pending_complete(void *context, int success)
+
+ if (!success) {
+ /* Read/write error - snapshot is unusable */
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+ __invalidate_snapshot(s, -EIO);
+ error = 1;
+ goto out;
+@@ -1485,14 +1487,14 @@ static void pending_complete(void *context, int success)
+
+ e = alloc_completed_exception(GFP_NOIO);
+ if (!e) {
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+ __invalidate_snapshot(s, -ENOMEM);
+ error = 1;
+ goto out;
+ }
+ *e = pe->e;
+
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+ if (!s->valid) {
+ free_completed_exception(e);
+ error = 1;
+@@ -1517,7 +1519,7 @@ out:
+ full_bio->bi_end_io = pe->full_bio_end_io;
+ increment_pending_exceptions_done_count();
+
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+
+ /* Submit any pending write bios */
+ if (error) {
+@@ -1716,7 +1718,7 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio)
+
+ /* FIXME: should only take write lock if we need
+ * to copy an exception */
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+
+ if (!s->valid || (unlikely(s->snapshot_overflowed) &&
+ bio_data_dir(bio) == WRITE)) {
+@@ -1739,9 +1741,9 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio)
+ if (bio_data_dir(bio) == WRITE) {
+ pe = __lookup_pending_exception(s, chunk);
+ if (!pe) {
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ pe = alloc_pending_exception(s);
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+
+ if (!s->valid || s->snapshot_overflowed) {
+ free_pending_exception(pe);
+@@ -1776,7 +1778,7 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio)
+ bio->bi_iter.bi_size ==
+ (s->store->chunk_size << SECTOR_SHIFT)) {
+ pe->started = 1;
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ start_full_bio(pe, bio);
+ goto out;
+ }
+@@ -1786,7 +1788,7 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio)
+ if (!pe->started) {
+ /* this is protected by snap->lock */
+ pe->started = 1;
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ start_copy(pe);
+ goto out;
+ }
+@@ -1796,7 +1798,7 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio)
+ }
+
+ out_unlock:
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ out:
+ return r;
+ }
+@@ -1832,7 +1834,7 @@ static int snapshot_merge_map(struct dm_target *ti, struct bio *bio)
+
+ chunk = sector_to_chunk(s->store, bio->bi_iter.bi_sector);
+
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+
+ /* Full merging snapshots are redirected to the origin */
+ if (!s->valid)
+@@ -1863,12 +1865,12 @@ redirect_to_origin:
+ bio_set_dev(bio, s->origin->bdev);
+
+ if (bio_data_dir(bio) == WRITE) {
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ return do_origin(s->origin, bio);
+ }
+
+ out_unlock:
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+
+ return r;
+ }
+@@ -1900,7 +1902,7 @@ static int snapshot_preresume(struct dm_target *ti)
+ down_read(&_origins_lock);
+ (void) __find_snapshots_sharing_cow(s, &snap_src, &snap_dest, NULL);
+ if (snap_src && snap_dest) {
+- down_read(&snap_src->lock);
++ mutex_lock(&snap_src->lock);
+ if (s == snap_src) {
+ DMERR("Unable to resume snapshot source until "
+ "handover completes.");
+@@ -1910,7 +1912,7 @@ static int snapshot_preresume(struct dm_target *ti)
+ "source is suspended.");
+ r = -EINVAL;
+ }
+- up_read(&snap_src->lock);
++ mutex_unlock(&snap_src->lock);
+ }
+ up_read(&_origins_lock);
+
+@@ -1956,11 +1958,11 @@ static void snapshot_resume(struct dm_target *ti)
+
+ (void) __find_snapshots_sharing_cow(s, &snap_src, &snap_dest, NULL);
+ if (snap_src && snap_dest) {
+- down_write(&snap_src->lock);
+- down_write_nested(&snap_dest->lock, SINGLE_DEPTH_NESTING);
++ mutex_lock(&snap_src->lock);
++ mutex_lock_nested(&snap_dest->lock, SINGLE_DEPTH_NESTING);
+ __handover_exceptions(snap_src, snap_dest);
+- up_write(&snap_dest->lock);
+- up_write(&snap_src->lock);
++ mutex_unlock(&snap_dest->lock);
++ mutex_unlock(&snap_src->lock);
+ }
+
+ up_read(&_origins_lock);
+@@ -1975,9 +1977,9 @@ static void snapshot_resume(struct dm_target *ti)
+ /* Now we have correct chunk size, reregister */
+ reregister_snapshot(s);
+
+- down_write(&s->lock);
++ mutex_lock(&s->lock);
+ s->active = 1;
+- up_write(&s->lock);
++ mutex_unlock(&s->lock);
+ }
+
+ static uint32_t get_origin_minimum_chunksize(struct block_device *bdev)
+@@ -2017,7 +2019,7 @@ static void snapshot_status(struct dm_target *ti, status_type_t type,
+ switch (type) {
+ case STATUSTYPE_INFO:
+
+- down_write(&snap->lock);
++ mutex_lock(&snap->lock);
+
+ if (!snap->valid)
+ DMEMIT("Invalid");
+@@ -2042,7 +2044,7 @@ static void snapshot_status(struct dm_target *ti, status_type_t type,
+ DMEMIT("Unknown");
+ }
+
+- up_write(&snap->lock);
++ mutex_unlock(&snap->lock);
+
+ break;
+
+@@ -2108,7 +2110,7 @@ static int __origin_write(struct list_head *snapshots, sector_t sector,
+ if (dm_target_is_snapshot_merge(snap->ti))
+ continue;
+
+- down_write(&snap->lock);
++ mutex_lock(&snap->lock);
+
+ /* Only deal with valid and active snapshots */
+ if (!snap->valid || !snap->active)
+@@ -2135,9 +2137,9 @@ static int __origin_write(struct list_head *snapshots, sector_t sector,
+
+ pe = __lookup_pending_exception(snap, chunk);
+ if (!pe) {
+- up_write(&snap->lock);
++ mutex_unlock(&snap->lock);
+ pe = alloc_pending_exception(snap);
+- down_write(&snap->lock);
++ mutex_lock(&snap->lock);
+
+ if (!snap->valid) {
+ free_pending_exception(pe);
+@@ -2180,7 +2182,7 @@ static int __origin_write(struct list_head *snapshots, sector_t sector,
+ }
+
+ next_snapshot:
+- up_write(&snap->lock);
++ mutex_unlock(&snap->lock);
+
+ if (pe_to_start_now) {
+ start_copy(pe_to_start_now);
+--
+2.20.1
+
--- /dev/null
+From 888e32b47a3e5dbefc7a38cf4335ba7abf943d58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jun 2018 05:26:33 -0400
+Subject: dm: Use kzalloc for all structs with embedded biosets/mempools
+
+From: Kent Overstreet <kent.overstreet@gmail.com>
+
+[ Upstream commit d377535405686f735b90a8ad4ba269484cd7c96e ]
+
+mempool_init()/bioset_init() require that the mempools/biosets be zeroed
+first; they probably should not _require_ this, but not allocating those
+structs with kzalloc is a fairly nonsensical thing to do (calling
+mempool_exit()/bioset_exit() on an uninitialized mempool/bioset is legal
+and safe, but only works if said memory was zeroed.)
+
+Acked-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-bio-prison-v1.c | 2 +-
+ drivers/md/dm-bio-prison-v2.c | 2 +-
+ drivers/md/dm-io.c | 2 +-
+ drivers/md/dm-kcopyd.c | 2 +-
+ drivers/md/dm-region-hash.c | 2 +-
+ drivers/md/dm-snap.c | 2 +-
+ drivers/md/dm-thin.c | 2 +-
+ 7 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/md/dm-bio-prison-v1.c b/drivers/md/dm-bio-prison-v1.c
+index 874841f0fc837..10532a76688ea 100644
+--- a/drivers/md/dm-bio-prison-v1.c
++++ b/drivers/md/dm-bio-prison-v1.c
+@@ -33,7 +33,7 @@ static struct kmem_cache *_cell_cache;
+ */
+ struct dm_bio_prison *dm_bio_prison_create(void)
+ {
+- struct dm_bio_prison *prison = kmalloc(sizeof(*prison), GFP_KERNEL);
++ struct dm_bio_prison *prison = kzalloc(sizeof(*prison), GFP_KERNEL);
+
+ if (!prison)
+ return NULL;
+diff --git a/drivers/md/dm-bio-prison-v2.c b/drivers/md/dm-bio-prison-v2.c
+index 8ce3a1a588cfd..c34ec615420f2 100644
+--- a/drivers/md/dm-bio-prison-v2.c
++++ b/drivers/md/dm-bio-prison-v2.c
+@@ -35,7 +35,7 @@ static struct kmem_cache *_cell_cache;
+ */
+ struct dm_bio_prison_v2 *dm_bio_prison_create_v2(struct workqueue_struct *wq)
+ {
+- struct dm_bio_prison_v2 *prison = kmalloc(sizeof(*prison), GFP_KERNEL);
++ struct dm_bio_prison_v2 *prison = kzalloc(sizeof(*prison), GFP_KERNEL);
+
+ if (!prison)
+ return NULL;
+diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
+index b4357ed4d5416..56e2c0e079d78 100644
+--- a/drivers/md/dm-io.c
++++ b/drivers/md/dm-io.c
+@@ -50,7 +50,7 @@ struct dm_io_client *dm_io_client_create(void)
+ struct dm_io_client *client;
+ unsigned min_ios = dm_get_reserved_bio_based_ios();
+
+- client = kmalloc(sizeof(*client), GFP_KERNEL);
++ client = kzalloc(sizeof(*client), GFP_KERNEL);
+ if (!client)
+ return ERR_PTR(-ENOMEM);
+
+diff --git a/drivers/md/dm-kcopyd.c b/drivers/md/dm-kcopyd.c
+index bd9a45b94b552..7ca2b1aaa79d4 100644
+--- a/drivers/md/dm-kcopyd.c
++++ b/drivers/md/dm-kcopyd.c
+@@ -892,7 +892,7 @@ struct dm_kcopyd_client *dm_kcopyd_client_create(struct dm_kcopyd_throttle *thro
+ int r = -ENOMEM;
+ struct dm_kcopyd_client *kc;
+
+- kc = kmalloc(sizeof(*kc), GFP_KERNEL);
++ kc = kzalloc(sizeof(*kc), GFP_KERNEL);
+ if (!kc)
+ return ERR_PTR(-ENOMEM);
+
+diff --git a/drivers/md/dm-region-hash.c b/drivers/md/dm-region-hash.c
+index 85c32b22a420a..91c6f6d72eeec 100644
+--- a/drivers/md/dm-region-hash.c
++++ b/drivers/md/dm-region-hash.c
+@@ -179,7 +179,7 @@ struct dm_region_hash *dm_region_hash_create(
+ ;
+ nr_buckets >>= 1;
+
+- rh = kmalloc(sizeof(*rh), GFP_KERNEL);
++ rh = kzalloc(sizeof(*rh), GFP_KERNEL);
+ if (!rh) {
+ DMERR("unable to allocate region hash memory");
+ return ERR_PTR(-ENOMEM);
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index 95c564b60d79a..2170f6c118b89 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -1136,7 +1136,7 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ origin_mode = FMODE_WRITE;
+ }
+
+- s = kmalloc(sizeof(*s), GFP_KERNEL);
++ s = kzalloc(sizeof(*s), GFP_KERNEL);
+ if (!s) {
+ ti->error = "Cannot allocate private snapshot structure";
+ r = -ENOMEM;
+diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
+index aa77959909894..0ee5eae716909 100644
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -2962,7 +2962,7 @@ static struct pool *pool_create(struct mapped_device *pool_md,
+ return (struct pool *)pmd;
+ }
+
+- pool = kmalloc(sizeof(*pool), GFP_KERNEL);
++ pool = kzalloc(sizeof(*pool), GFP_KERNEL);
+ if (!pool) {
+ *error = "Error allocating memory for pool";
+ err_p = ERR_PTR(-ENOMEM);
+--
+2.20.1
+
--- /dev/null
+From 57beef6e12eeb34ed757425eda7638920351ba9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 18:58:58 +0200
+Subject: efi/cper: Fix endianness of PCIe class code
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 6fb9367a15d1a126d222d738b2702c7958594a5f ]
+
+The CPER parser assumes that the class code is big endian, but at least
+on this edk2-derived Intel Purley platform it's little endian:
+
+ efi: EFI v2.50 by EDK II BIOS ID:PLYDCRB1.86B.0119.R05.1701181843
+ DMI: Intel Corporation PURLEY/PURLEY, BIOS PLYDCRB1.86B.0119.R05.1701181843 01/18/2017
+
+ {1}[Hardware Error]: device_id: 0000:5d:00.0
+ {1}[Hardware Error]: slot: 0
+ {1}[Hardware Error]: secondary_bus: 0x5e
+ {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2030
+ {1}[Hardware Error]: class_code: 000406
+ ^^^^^^ (should be 060400)
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Cc: Jerry Snitselaar <jsnitsel@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Matthew Garrett <mjg59@google.com>
+Cc: Octavian Purdila <octavian.purdila@intel.com>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Scott Talbert <swt@techie.net>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Cc: linux-integrity@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191002165904.8819-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index db404aab82b2a..209dc5aefc310 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -498,7 +498,7 @@ static void cper_print_pcie(const char *pfx, const struct cper_sec_pcie *pcie,
+ printk("%s""vendor_id: 0x%04x, device_id: 0x%04x\n", pfx,
+ pcie->device_id.vendor_id, pcie->device_id.device_id);
+ p = pcie->device_id.class_code;
+- printk("%s""class_code: %02x%02x%02x\n", pfx, p[0], p[1], p[2]);
++ printk("%s""class_code: %02x%02x%02x\n", pfx, p[2], p[1], p[0]);
+ }
+ if (pcie->validation_bits & CPER_PCIE_VALID_SERIAL_NUMBER)
+ printk("%s""serial number: 0x%04x, 0x%04x\n", pfx,
+--
+2.20.1
+
--- /dev/null
+From a69930044a061b472f37680de5d6b3ccd0348b04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 18:59:04 +0200
+Subject: efi/x86: Do not clean dummy variable in kexec path
+
+From: Dave Young <dyoung@redhat.com>
+
+[ Upstream commit 2ecb7402cfc7f22764e7bbc80790e66eadb20560 ]
+
+kexec reboot fails randomly in UEFI based KVM guest. The firmware
+just resets while calling efi_delete_dummy_variable(); Unfortunately
+I don't know how to debug the firmware, it is also possible a potential
+problem on real hardware as well although nobody reproduced it.
+
+The intention of the efi_delete_dummy_variable is to trigger garbage collection
+when entering virtual mode. But SetVirtualAddressMap can only run once
+for each physical reboot, thus kexec_enter_virtual_mode() is not necessarily
+a good place to clean a dummy object.
+
+Drop the efi_delete_dummy_variable so that kexec reboot can work.
+
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Matthew Garrett <mjg59@google.com>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Cc: Jerry Snitselaar <jsnitsel@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Lukas Wunner <lukas@wunner.de>
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Octavian Purdila <octavian.purdila@intel.com>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Scott Talbert <swt@techie.net>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Cc: linux-integrity@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191002165904.8819-8-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/efi.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 9061babfbc83d..335a62e74a2e9 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -893,9 +893,6 @@ static void __init kexec_enter_virtual_mode(void)
+
+ if (efi_enabled(EFI_OLD_MEMMAP) && (__supported_pte_mask & _PAGE_NX))
+ runtime_code_page_mkexec();
+-
+- /* clean DUMMY object */
+- efi_delete_dummy_variable();
+ #endif
+ }
+
+--
+2.20.1
+
--- /dev/null
+From f1380967d3c4843872393a9126c919280b45c71c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Feb 2019 16:36:48 -0800
+Subject: exec: load_script: Do not exec truncated interpreter path
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit b5372fe5dc84235dbe04998efdede3c4daa866a9 ]
+
+Commit 8099b047ecc4 ("exec: load_script: don't blindly truncate
+shebang string") was trying to protect against a confused exec of a
+truncated interpreter path. However, it was overeager and also refused
+to truncate arguments as well, which broke userspace, and it was
+reverted. This attempts the protection again, but allows arguments to
+remain truncated. In an effort to improve readability, helper functions
+and comments have been added.
+
+Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Samuel Dionne-Riel <samuel@dionne-riel.com>
+Cc: Richard Weinberger <richard.weinberger@gmail.com>
+Cc: Graham Christensen <graham@grahamc.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_script.c | 57 ++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 48 insertions(+), 9 deletions(-)
+
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index 7cde3f46ad263..e996174cbfc02 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -14,13 +14,30 @@
+ #include <linux/err.h>
+ #include <linux/fs.h>
+
++static inline bool spacetab(char c) { return c == ' ' || c == '\t'; }
++static inline char *next_non_spacetab(char *first, const char *last)
++{
++ for (; first <= last; first++)
++ if (!spacetab(*first))
++ return first;
++ return NULL;
++}
++static inline char *next_terminator(char *first, const char *last)
++{
++ for (; first <= last; first++)
++ if (spacetab(*first) || !*first)
++ return first;
++ return NULL;
++}
++
+ static int load_script(struct linux_binprm *bprm)
+ {
+ const char *i_arg, *i_name;
+- char *cp;
++ char *cp, *buf_end;
+ struct file *file;
+ int retval;
+
++ /* Not ours to exec if we don't start with "#!". */
+ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
+ return -ENOEXEC;
+
+@@ -33,18 +50,40 @@ static int load_script(struct linux_binprm *bprm)
+ if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE)
+ return -ENOENT;
+
+- /*
+- * This section does the #! interpretation.
+- * Sorta complicated, but hopefully it will work. -TYT
+- */
+-
++ /* Release since we are not mapping a binary into memory. */
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+
+- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
+- if ((cp = strchr(bprm->buf, '\n')) == NULL)
+- cp = bprm->buf+BINPRM_BUF_SIZE-1;
++ /*
++ * This section handles parsing the #! line into separate
++ * interpreter path and argument strings. We must be careful
++ * because bprm->buf is not yet guaranteed to be NUL-terminated
++ * (though the buffer will have trailing NUL padding when the
++ * file size was smaller than the buffer size).
++ *
++ * We do not want to exec a truncated interpreter path, so either
++ * we find a newline (which indicates nothing is truncated), or
++ * we find a space/tab/NUL after the interpreter path (which
++ * itself may be preceded by spaces/tabs). Truncating the
++ * arguments is fine: the interpreter can re-read the script to
++ * parse them on its own.
++ */
++ buf_end = bprm->buf + sizeof(bprm->buf) - 1;
++ cp = strnchr(bprm->buf, sizeof(bprm->buf), '\n');
++ if (!cp) {
++ cp = next_non_spacetab(bprm->buf + 2, buf_end);
++ if (!cp)
++ return -ENOEXEC; /* Entire buf is spaces/tabs */
++ /*
++ * If there is no later space/tab/NUL we must assume the
++ * interpreter path is truncated.
++ */
++ if (!next_terminator(cp, buf_end))
++ return -ENOEXEC;
++ cp = buf_end;
++ }
++ /* NUL-terminate the buffer and any trailing spaces/tabs. */
+ *cp = '\0';
+ while (cp > bprm->buf) {
+ cp--;
+--
+2.20.1
+
--- /dev/null
+From 5e1f5362953eaf2317e10e561f179be739c6b83a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jan 2019 17:59:53 -0800
+Subject: f2fs: flush quota blocks after turnning it off
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+[ Upstream commit 0e0667b625cf64243df83171bff61f9d350b9ca5 ]
+
+After quota_off, we'll get some dirty blocks. If put_super don't have a chance
+to flush them by checkpoint, it causes NULL pointer exception in end_io after
+iput(node_inode). (e.g., by checkpoint=disable)
+
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index e70975ca723b7..0f3209b23c940 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1523,6 +1523,12 @@ void f2fs_quota_off_umount(struct super_block *sb)
+ set_sbi_flag(F2FS_SB(sb), SBI_NEED_FSCK);
+ }
+ }
++ /*
++ * In case of checkpoint=disable, we must flush quota blocks.
++ * This can cause NULL exception for node_inode in end_io, since
++ * put_super already dropped it.
++ */
++ sync_filesystem(sb);
+ }
+
+ int f2fs_get_projid(struct inode *inode, kprojid_t *projid)
+--
+2.20.1
+
--- /dev/null
+From e660c08dcbb7d4b9c9315bc5054023f3dbd6c9d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 16:34:13 +0900
+Subject: fs: cifs: mute -Wunused-const-variable message
+
+From: Austin Kim <austindh.kim@gmail.com>
+
+[ Upstream commit dd19c106a36690b47bb1acc68372f2b472b495b8 ]
+
+After 'Initial git repository build' commit,
+'mapping_table_ERRHRD' variable has not been used.
+
+So 'mapping_table_ERRHRD' const variable could be removed
+to mute below warning message:
+
+ fs/cifs/netmisc.c:120:40: warning: unused variable 'mapping_table_ERRHRD' [-Wunused-const-variable]
+ static const struct smb_to_posix_error mapping_table_ERRHRD[] = {
+ ^
+Signed-off-by: Austin Kim <austindh.kim@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/netmisc.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
+index cc88f4f0325ef..bed9733302279 100644
+--- a/fs/cifs/netmisc.c
++++ b/fs/cifs/netmisc.c
+@@ -130,10 +130,6 @@ static const struct smb_to_posix_error mapping_table_ERRSRV[] = {
+ {0, 0}
+ };
+
+-static const struct smb_to_posix_error mapping_table_ERRHRD[] = {
+- {0, 0}
+-};
+-
+ /*
+ * Convert a string containing text IPv4 or IPv6 address to binary form.
+ *
+--
+2.20.1
+
--- /dev/null
+From 08b63b7f022f50c88587dfc9dd707dfee2d32730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 17:57:54 -0700
+Subject: fs: ocfs2: fix a possible null-pointer dereference in
+ ocfs2_write_end_nolock()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 583fee3e12df0e6f1f66f063b989d8e7fed0e65a ]
+
+In ocfs2_write_end_nolock(), there are an if statement on lines 1976,
+2047 and 2058, to check whether handle is NULL:
+
+ if (handle)
+
+When handle is NULL, it is used on line 2045:
+
+ ocfs2_update_inode_fsync_trans(handle, inode, 1);
+ oi->i_sync_tid = handle->h_transaction->t_tid;
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, handle is checked before calling
+ocfs2_update_inode_fsync_trans().
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Link: http://lkml.kernel.org/r/20190726033705.32307-1-baijiaju1990@gmail.com
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/aops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index ebeec7530cb60..7de0c9562b707 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -2054,7 +2054,8 @@ out_write_size:
+ inode->i_mtime = inode->i_ctime = current_time(inode);
+ di->i_mtime = di->i_ctime = cpu_to_le64(inode->i_mtime.tv_sec);
+ di->i_mtime_nsec = di->i_ctime_nsec = cpu_to_le32(inode->i_mtime.tv_nsec);
+- ocfs2_update_inode_fsync_trans(handle, inode, 1);
++ if (handle)
++ ocfs2_update_inode_fsync_trans(handle, inode, 1);
+ }
+ if (handle)
+ ocfs2_journal_dirty(handle, wc->w_di_bh);
+--
+2.20.1
+
--- /dev/null
+From b759de4240785bdc852f30267780d6a203d084bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 17:57:57 -0700
+Subject: fs: ocfs2: fix a possible null-pointer dereference in
+ ocfs2_info_scan_inode_alloc()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 2abb7d3b12d007c30193f48bebed781009bebdd2 ]
+
+In ocfs2_info_scan_inode_alloc(), there is an if statement on line 283
+to check whether inode_alloc is NULL:
+
+ if (inode_alloc)
+
+When inode_alloc is NULL, it is used on line 287:
+
+ ocfs2_inode_lock(inode_alloc, &bh, 0);
+ ocfs2_inode_lock_full_nested(inode, ...)
+ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, inode_alloc is checked on line 286.
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Link: http://lkml.kernel.org/r/20190726033717.32359-1-baijiaju1990@gmail.com
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c
+index ab30c005cc4bc..9fa98abecfc6b 100644
+--- a/fs/ocfs2/ioctl.c
++++ b/fs/ocfs2/ioctl.c
+@@ -290,7 +290,7 @@ static int ocfs2_info_scan_inode_alloc(struct ocfs2_super *osb,
+ if (inode_alloc)
+ inode_lock(inode_alloc);
+
+- if (o2info_coherent(&fi->ifi_req)) {
++ if (inode_alloc && o2info_coherent(&fi->ifi_req)) {
+ status = ocfs2_inode_lock(inode_alloc, &bh, 0);
+ if (status < 0) {
+ mlog_errno(status);
+--
+2.20.1
+
--- /dev/null
+From 8f2a542eb417acc714e4c94cd698bec59128e15a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 17:57:50 -0700
+Subject: fs: ocfs2: fix possible null-pointer dereferences in
+ ocfs2_xa_prepare_entry()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 56e94ea132bb5c2c1d0b60a6aeb34dcb7d71a53d ]
+
+In ocfs2_xa_prepare_entry(), there is an if statement on line 2136 to
+check whether loc->xl_entry is NULL:
+
+ if (loc->xl_entry)
+
+When loc->xl_entry is NULL, it is used on line 2158:
+
+ ocfs2_xa_add_entry(loc, name_hash);
+ loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash);
+ loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size);
+
+and line 2164:
+
+ ocfs2_xa_add_namevalue(loc, xi);
+ loc->xl_entry->xe_value_size = cpu_to_le64(xi->xi_value_len);
+ loc->xl_entry->xe_name_len = xi->xi_name_len;
+
+Thus, possible null-pointer dereferences may occur.
+
+To fix these bugs, if loc-xl_entry is NULL, ocfs2_xa_prepare_entry()
+abnormally returns with -EINVAL.
+
+These bugs are found by a static analysis tool STCheck written by us.
+
+[akpm@linux-foundation.org: remove now-unused ocfs2_xa_add_entry()]
+Link: http://lkml.kernel.org/r/20190726101447.9153-1-baijiaju1990@gmail.com
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/xattr.c | 56 ++++++++++++++++++++----------------------------
+ 1 file changed, 23 insertions(+), 33 deletions(-)
+
+diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
+index 77740ef5a8e85..eca49da6d7e0d 100644
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -1497,18 +1497,6 @@ static int ocfs2_xa_check_space(struct ocfs2_xa_loc *loc,
+ return loc->xl_ops->xlo_check_space(loc, xi);
+ }
+
+-static void ocfs2_xa_add_entry(struct ocfs2_xa_loc *loc, u32 name_hash)
+-{
+- loc->xl_ops->xlo_add_entry(loc, name_hash);
+- loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash);
+- /*
+- * We can't leave the new entry's xe_name_offset at zero or
+- * add_namevalue() will go nuts. We set it to the size of our
+- * storage so that it can never be less than any other entry.
+- */
+- loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size);
+-}
+-
+ static void ocfs2_xa_add_namevalue(struct ocfs2_xa_loc *loc,
+ struct ocfs2_xattr_info *xi)
+ {
+@@ -2140,29 +2128,31 @@ static int ocfs2_xa_prepare_entry(struct ocfs2_xa_loc *loc,
+ if (rc)
+ goto out;
+
+- if (loc->xl_entry) {
+- if (ocfs2_xa_can_reuse_entry(loc, xi)) {
+- orig_value_size = loc->xl_entry->xe_value_size;
+- rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
+- if (rc)
+- goto out;
+- goto alloc_value;
+- }
++ if (!loc->xl_entry) {
++ rc = -EINVAL;
++ goto out;
++ }
+
+- if (!ocfs2_xattr_is_local(loc->xl_entry)) {
+- orig_clusters = ocfs2_xa_value_clusters(loc);
+- rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
+- if (rc) {
+- mlog_errno(rc);
+- ocfs2_xa_cleanup_value_truncate(loc,
+- "overwriting",
+- orig_clusters);
+- goto out;
+- }
++ if (ocfs2_xa_can_reuse_entry(loc, xi)) {
++ orig_value_size = loc->xl_entry->xe_value_size;
++ rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
++ if (rc)
++ goto out;
++ goto alloc_value;
++ }
++
++ if (!ocfs2_xattr_is_local(loc->xl_entry)) {
++ orig_clusters = ocfs2_xa_value_clusters(loc);
++ rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
++ if (rc) {
++ mlog_errno(rc);
++ ocfs2_xa_cleanup_value_truncate(loc,
++ "overwriting",
++ orig_clusters);
++ goto out;
+ }
+- ocfs2_xa_wipe_namevalue(loc);
+- } else
+- ocfs2_xa_add_entry(loc, name_hash);
++ }
++ ocfs2_xa_wipe_namevalue(loc);
+
+ /*
+ * If we get here, we have a blank entry. Fill it. We grow our
+--
+2.20.1
+
--- /dev/null
+From 7ffafb3e33ae3f4b0e63f7cc3569852d85006a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 14:28:23 +0200
+Subject: gpio: max77620: Use correct unit for debounce times
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit fffa6af94894126994a7600c6f6f09b892e89fa9 ]
+
+The gpiod_set_debounce() function takes the debounce time in
+microseconds. Adjust the switch/case values in the MAX77620 GPIO to use
+the correct unit.
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20191002122825.3948322-1-thierry.reding@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-max77620.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpio-max77620.c b/drivers/gpio/gpio-max77620.c
+index 538bce4b5b427..ac6c1c0548b69 100644
+--- a/drivers/gpio/gpio-max77620.c
++++ b/drivers/gpio/gpio-max77620.c
+@@ -163,13 +163,13 @@ static int max77620_gpio_set_debounce(struct max77620_gpio *mgpio,
+ case 0:
+ val = MAX77620_CNFG_GPIO_DBNC_None;
+ break;
+- case 1 ... 8:
++ case 1000 ... 8000:
+ val = MAX77620_CNFG_GPIO_DBNC_8ms;
+ break;
+- case 9 ... 16:
++ case 9000 ... 16000:
+ val = MAX77620_CNFG_GPIO_DBNC_16ms;
+ break;
+- case 17 ... 32:
++ case 17000 ... 32000:
+ val = MAX77620_CNFG_GPIO_DBNC_32ms;
+ break;
+ default:
+--
+2.20.1
+
--- /dev/null
+From c866a63009d0a49a2f0fd5c34de4107d983b2094 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jan 2019 13:31:05 +0900
+Subject: HID: Add ASUS T100CHI keyboard dock battery quirks
+
+From: NOGUCHI Hiroshi <drvlabo@gmail.com>
+
+[ Upstream commit a767ffea05d2737f6542cd78458a84a157fa216d ]
+
+Add ASUS Transbook T100CHI/T90CHI keyboard dock into battery quirk list, in
+order to add specific implementation in hid-asus.
+
+Signed-off-by: NOGUCHI Hiroshi <drvlabo@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index d723185de3ba2..9d24fb0715ba3 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -328,6 +328,9 @@ static const struct hid_device_id hid_battery_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_SYMBOL,
+ USB_DEVICE_ID_SYMBOL_SCANNER_3),
+ HID_BATTERY_QUIRK_IGNORE },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ASUSTEK,
++ USB_DEVICE_ID_ASUSTEK_T100CHI_KEYBOARD),
++ HID_BATTERY_QUIRK_IGNORE },
+ {}
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 8a77f9b1fffb6559344b7d3912657a4b84c22129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2019 02:56:34 +0000
+Subject: HID: hyperv: Use in-place iterator API in the channel callback
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 6a297c90efa68b2864483193b8bfb0d19478600c ]
+
+Simplify the ring buffer handling with the in-place API.
+
+Also avoid the dynamic allocation and the memory leak in the channel
+callback function.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Acked-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-hyperv.c | 56 +++++++---------------------------------
+ 1 file changed, 10 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c
+index 5f1de24206ab2..220b3e5c9c39d 100644
+--- a/drivers/hid/hid-hyperv.c
++++ b/drivers/hid/hid-hyperv.c
+@@ -322,60 +322,24 @@ static void mousevsc_on_receive(struct hv_device *device,
+
+ static void mousevsc_on_channel_callback(void *context)
+ {
+- const int packet_size = 0x100;
+- int ret;
+ struct hv_device *device = context;
+- u32 bytes_recvd;
+- u64 req_id;
+ struct vmpacket_descriptor *desc;
+- unsigned char *buffer;
+- int bufferlen = packet_size;
+-
+- buffer = kmalloc(bufferlen, GFP_ATOMIC);
+- if (!buffer)
+- return;
+-
+- do {
+- ret = vmbus_recvpacket_raw(device->channel, buffer,
+- bufferlen, &bytes_recvd, &req_id);
+-
+- switch (ret) {
+- case 0:
+- if (bytes_recvd <= 0) {
+- kfree(buffer);
+- return;
+- }
+- desc = (struct vmpacket_descriptor *)buffer;
+-
+- switch (desc->type) {
+- case VM_PKT_COMP:
+- break;
+-
+- case VM_PKT_DATA_INBAND:
+- mousevsc_on_receive(device, desc);
+- break;
+-
+- default:
+- pr_err("unhandled packet type %d, tid %llx len %d\n",
+- desc->type, req_id, bytes_recvd);
+- break;
+- }
+
++ foreach_vmbus_pkt(desc, device->channel) {
++ switch (desc->type) {
++ case VM_PKT_COMP:
+ break;
+
+- case -ENOBUFS:
+- kfree(buffer);
+- /* Handle large packet */
+- bufferlen = bytes_recvd;
+- buffer = kmalloc(bytes_recvd, GFP_ATOMIC);
+-
+- if (!buffer)
+- return;
++ case VM_PKT_DATA_INBAND:
++ mousevsc_on_receive(device, desc);
++ break;
+
++ default:
++ pr_err("Unhandled packet type %d, tid %llx len %d\n",
++ desc->type, desc->trans_id, desc->len8 * 8);
+ break;
+ }
+- } while (1);
+-
++ }
+ }
+
+ static int mousevsc_connect_to_vsp(struct hv_device *device)
+--
+2.20.1
+
--- /dev/null
+From 3ca0cf6fdd78c18c3445b240ab4d4f0c576c1a01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 22:40:26 +0200
+Subject: HID: i2c-hid: add Direkt-Tek DTLAPY133-1 to descriptor override
+
+From: Julian Sax <jsbc@gmx.de>
+
+[ Upstream commit 399474e4c1100bca264ed14fa3ad0d68fab484d8 ]
+
+This device uses the SIPODEV SP1064 touchpad, which does not
+supply descriptors, so it has to be added to the override list.
+
+Reported-by: Tim Aldridge <taldridge@mac.com>
+Signed-off-by: Julian Sax <jsbc@gmx.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+index cac262a912c12..89f2976f9c534 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+@@ -330,6 +330,14 @@ static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = {
+ },
+ .driver_data = (void *)&sipodev_desc
+ },
++ {
++ .ident = "Direkt-Tek DTLAPY133-1",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Direkt-Tek"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "DTLAPY133-1"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
+ {
+ .ident = "Mediacom Flexbook Edge 11",
+ .matches = {
+--
+2.20.1
+
--- /dev/null
+From b0a9d31828d2e78d6e97a0617a9a0c7cc43ec640 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Dec 2018 15:31:56 +0100
+Subject: HID: i2c-hid: Add Odys Winbook 13 to descriptor override
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit f8f807441eefddc3c6d8a378421f0ede6361d565 ]
+
+The Odys Winbook 13 uses a SIPODEV SP1064 touchpad, which does not
+supply descriptors, add this to the DMI descriptor override list, fixing
+the touchpad not working.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1526312
+Reported-by: Rene Wagner <redhatbugzilla@callerid.de>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+index 89f2976f9c534..fd1b6eea6d2fd 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+@@ -346,6 +346,14 @@ static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = {
+ },
+ .driver_data = (void *)&sipodev_desc
+ },
++ {
++ .ident = "Odys Winbook 13",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AXDIA International GmbH"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "WINBOOK 13"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
+ { } /* Terminate list */
+ };
+
+--
+2.20.1
+
--- /dev/null
+From dd2a9129a4feabc31814a5d2416997f8c642233f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2019 12:54:10 +0200
+Subject: iio: adc: meson_saradc: Fix memory allocation order
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit de10ac47597e7a3596b27631d0d5ce5f48d2c099 ]
+
+meson_saradc's irq handler uses priv->regmap so make sure that it is
+allocated before the irq get enabled.
+
+This also fixes crash when CONFIG_DEBUG_SHIRQ is enabled, as device
+managed resources are freed in the inverted order they had been
+allocated, priv->regmap was freed before the spurious fake irq that
+CONFIG_DEBUG_SHIRQ adds called the handler.
+
+Fixes: 3af109131b7eb8 ("iio: adc: meson-saradc: switch from polling to interrupt mode")
+Reported-by: Elie Roudninski <xademax@gmail.com>
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Tested-by: Elie ROUDNINSKI <xademax@gmail.com>
+Reviewed-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/meson_saradc.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/adc/meson_saradc.c b/drivers/iio/adc/meson_saradc.c
+index 2515badf8b280..9b2121f249263 100644
+--- a/drivers/iio/adc/meson_saradc.c
++++ b/drivers/iio/adc/meson_saradc.c
+@@ -976,6 +976,11 @@ static int meson_sar_adc_probe(struct platform_device *pdev)
+ if (IS_ERR(base))
+ return PTR_ERR(base);
+
++ priv->regmap = devm_regmap_init_mmio(&pdev->dev, base,
++ priv->data->regmap_config);
++ if (IS_ERR(priv->regmap))
++ return PTR_ERR(priv->regmap);
++
+ irq = irq_of_parse_and_map(pdev->dev.of_node, 0);
+ if (!irq)
+ return -EINVAL;
+@@ -985,11 +990,6 @@ static int meson_sar_adc_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
+- priv->regmap = devm_regmap_init_mmio(&pdev->dev, base,
+- priv->data->regmap_config);
+- if (IS_ERR(priv->regmap))
+- return PTR_ERR(priv->regmap);
+-
+ priv->clkin = devm_clk_get(&pdev->dev, "clkin");
+ if (IS_ERR(priv->clkin)) {
+ dev_err(&pdev->dev, "failed to get clkin\n");
+--
+2.20.1
+
--- /dev/null
+From 5ba5d200db0686dcb29477665035ad8fb9ac73bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2019 07:29:41 +0200
+Subject: iio: fix center temperature of bmc150-accel-core
+
+From: Pascal Bouwmann <bouwmann@tau-tec.de>
+
+[ Upstream commit 6c59a962e081df6d8fe43325bbfabec57e0d4751 ]
+
+The center temperature of the supported devices stored in the constant
+BMC150_ACCEL_TEMP_CENTER_VAL is not 24 degrees but 23 degrees.
+
+It seems that some datasheets were inconsistent on this value leading
+to the error. For most usecases will only make minor difference so
+not queued for stable.
+
+Signed-off-by: Pascal Bouwmann <bouwmann@tau-tec.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/bmc150-accel-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/accel/bmc150-accel-core.c b/drivers/iio/accel/bmc150-accel-core.c
+index 807299dd45ebf..7e86a5b7ec4e8 100644
+--- a/drivers/iio/accel/bmc150-accel-core.c
++++ b/drivers/iio/accel/bmc150-accel-core.c
+@@ -125,7 +125,7 @@
+ #define BMC150_ACCEL_SLEEP_1_SEC 0x0F
+
+ #define BMC150_ACCEL_REG_TEMP 0x08
+-#define BMC150_ACCEL_TEMP_CENTER_VAL 24
++#define BMC150_ACCEL_TEMP_CENTER_VAL 23
+
+ #define BMC150_ACCEL_AXIS_TO_REG(axis) (BMC150_ACCEL_REG_XOUT_L + (axis * 2))
+ #define BMC150_AUTO_SUSPEND_DELAY_MS 2000
+--
+2.20.1
+
--- /dev/null
+From 8cce408279dcdb7f4026b175686c1d5d40c85c56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 12:59:23 -0700
+Subject: libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 4b0b2b096da9d296e0e5668cdfba8613bd6f5bc8 ]
+
+Unconditionally defining _FORTIFY_SOURCE can break tools that don't work
+with it, such as memory sanitizers:
+
+ https://github.com/google/sanitizers/wiki/AddressSanitizer#faq
+
+Fixes: 4b6ab94eabe4 ("perf subcmd: Create subcmd library")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lore.kernel.org/lkml/20190925195924.152834-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/subcmd/Makefile | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/subcmd/Makefile b/tools/lib/subcmd/Makefile
+index ed61fb3a46c08..5b2cd5e58df09 100644
+--- a/tools/lib/subcmd/Makefile
++++ b/tools/lib/subcmd/Makefile
+@@ -20,7 +20,13 @@ MAKEFLAGS += --no-print-directory
+ LIBFILE = $(OUTPUT)libsubcmd.a
+
+ CFLAGS := $(EXTRA_WARNINGS) $(EXTRA_CFLAGS)
+-CFLAGS += -ggdb3 -Wall -Wextra -std=gnu99 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIC
++CFLAGS += -ggdb3 -Wall -Wextra -std=gnu99 -fPIC
++
++ifeq ($(DEBUG),0)
++ ifeq ($(feature-fortify-source), 1)
++ CFLAGS += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
++ endif
++endif
+
+ ifeq ($(CC_NO_CLANG), 0)
+ CFLAGS += -O3
+--
+2.20.1
+
--- /dev/null
+From 6fcff5eff0cbe78d879a77ac7b9059b5d7fe36f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Feb 2019 18:59:41 -0500
+Subject: media: vimc: Remove unused but set variables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lucas A. M. Magalhães <lucmaga@gmail.com>
+
+[ Upstream commit 5515e414f42bf2769caae15b634004d456658284 ]
+
+Remove unused but set variables to clean up the code and avoid
+warning.
+
+Signed-off-by: Lucas A. M. Magalhães <lucmaga@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vimc/vimc-sensor.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/drivers/media/platform/vimc/vimc-sensor.c b/drivers/media/platform/vimc/vimc-sensor.c
+index 70cee5c0c89a5..29a16f8a4123c 100644
+--- a/drivers/media/platform/vimc/vimc-sensor.c
++++ b/drivers/media/platform/vimc/vimc-sensor.c
+@@ -200,13 +200,6 @@ static void *vimc_sen_process_frame(struct vimc_ent_device *ved,
+ {
+ struct vimc_sen_device *vsen = container_of(ved, struct vimc_sen_device,
+ ved);
+- const struct vimc_pix_map *vpix;
+- unsigned int frame_size;
+-
+- /* Calculate the frame size */
+- vpix = vimc_pix_map_by_code(vsen->mbus_format.code);
+- frame_size = vsen->mbus_format.width * vpix->bpp *
+- vsen->mbus_format.height;
+
+ tpg_fill_plane_buffer(&vsen->tpg, 0, 0, vsen->frame);
+ return vsen->frame;
+--
+2.20.1
+
--- /dev/null
+From 6cfc7d1a4aae8bdebf4a73850506c8ccde01a00f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 17:10:56 +0200
+Subject: MIPS: fw: sni: Fix out of bounds init of o32 stack
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit efcb529694c3b707dc0471b312944337ba16e4dd ]
+
+Use ARRAY_SIZE to caluculate the top of the o32 stack.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/fw/sni/sniprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/fw/sni/sniprom.c b/arch/mips/fw/sni/sniprom.c
+index 6aa264b9856ac..7c6151d412bd7 100644
+--- a/arch/mips/fw/sni/sniprom.c
++++ b/arch/mips/fw/sni/sniprom.c
+@@ -42,7 +42,7 @@
+
+ /* O32 stack has to be 8-byte aligned. */
+ static u64 o32_stk[4096];
+-#define O32_STK &o32_stk[sizeof(o32_stk)]
++#define O32_STK (&o32_stk[ARRAY_SIZE(o32_stk)])
+
+ #define __PROM_O32(fun, arg) fun arg __asm__(#fun); \
+ __asm__(#fun " = call_o32")
+--
+2.20.1
+
--- /dev/null
+From 07f44940bcf6edce85118d51544fcde67d9e9fe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 15:12:32 +0200
+Subject: MIPS: include: Mark __cmpxchg as __always_inline
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit 88356d09904bc606182c625575237269aeece22e ]
+
+Commit ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING
+forcibly") allows compiler to uninline functions marked as 'inline'.
+In cace of cmpxchg this would cause to reference function
+__cmpxchg_called_with_bad_pointer, which is a error case
+for catching bugs and will not happen for correct code, if
+__cmpxchg is inlined.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+[paul.burton@mips.com: s/__cmpxchd/__cmpxchg in subject]
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/cmpxchg.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/cmpxchg.h b/arch/mips/include/asm/cmpxchg.h
+index 89e9fb7976fe6..895f91b9e89c3 100644
+--- a/arch/mips/include/asm/cmpxchg.h
++++ b/arch/mips/include/asm/cmpxchg.h
+@@ -146,8 +146,9 @@ static inline unsigned long __xchg(volatile void *ptr, unsigned long x,
+ extern unsigned long __cmpxchg_small(volatile void *ptr, unsigned long old,
+ unsigned long new, unsigned int size);
+
+-static inline unsigned long __cmpxchg(volatile void *ptr, unsigned long old,
+- unsigned long new, unsigned int size)
++static __always_inline
++unsigned long __cmpxchg(volatile void *ptr, unsigned long old,
++ unsigned long new, unsigned int size)
+ {
+ switch (size) {
+ case 1:
+--
+2.20.1
+
--- /dev/null
+From cdfba07b47301536fa62014d74e3b7f08f8b06e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 12:06:00 +0200
+Subject: MIPS: include: Mark __xchg as __always_inline
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit 46f1619500d022501a4f0389f9f4c349ab46bb86 ]
+
+Commit ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING
+forcibly") allows compiler to uninline functions marked as 'inline'.
+In cace of __xchg this would cause to reference function
+__xchg_called_with_bad_pointer, which is an error case
+for catching bugs and will not happen for correct code, if
+__xchg is inlined.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/cmpxchg.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/cmpxchg.h b/arch/mips/include/asm/cmpxchg.h
+index 895f91b9e89c3..520ca166cbed5 100644
+--- a/arch/mips/include/asm/cmpxchg.h
++++ b/arch/mips/include/asm/cmpxchg.h
+@@ -73,8 +73,8 @@ extern unsigned long __xchg_called_with_bad_pointer(void)
+ extern unsigned long __xchg_small(volatile void *ptr, unsigned long val,
+ unsigned int size);
+
+-static inline unsigned long __xchg(volatile void *ptr, unsigned long x,
+- int size)
++static __always_inline
++unsigned long __xchg(volatile void *ptr, unsigned long x, int size)
+ {
+ switch (size) {
+ case 1:
+--
+2.20.1
+
--- /dev/null
+From 3ed7d80234dc0814f1d9deaf94a396cb2b19c069 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Feb 2019 16:29:51 +0000
+Subject: mlxsw: spectrum: Set LAG port collector only when active
+
+From: Nir Dotan <nird@mellanox.com>
+
+[ Upstream commit 48ebab31d424fbdb8ede8914923bec671a933246 ]
+
+The LAG port collecting (receive) function was mistakenly set when the
+port was registered as a LAG member, while it should be set only when
+the port collection state is set to true. Set LAG port to collecting
+when it is set to distributing, as described in the IEEE link
+aggregation standard coupled control mux machine state diagram.
+
+Signed-off-by: Nir Dotan <nird@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlxsw/spectrum.c | 62 ++++++++++++++-----
+ 1 file changed, 45 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+index 5c74787f903b7..a909aa315a92a 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -4077,9 +4077,6 @@ static int mlxsw_sp_port_lag_join(struct mlxsw_sp_port *mlxsw_sp_port,
+ err = mlxsw_sp_lag_col_port_add(mlxsw_sp_port, lag_id, port_index);
+ if (err)
+ goto err_col_port_add;
+- err = mlxsw_sp_lag_col_port_enable(mlxsw_sp_port, lag_id);
+- if (err)
+- goto err_col_port_enable;
+
+ mlxsw_core_lag_mapping_set(mlxsw_sp->core, lag_id, port_index,
+ mlxsw_sp_port->local_port);
+@@ -4094,8 +4091,6 @@ static int mlxsw_sp_port_lag_join(struct mlxsw_sp_port *mlxsw_sp_port,
+
+ return 0;
+
+-err_col_port_enable:
+- mlxsw_sp_lag_col_port_remove(mlxsw_sp_port, lag_id);
+ err_col_port_add:
+ if (!lag->ref_count)
+ mlxsw_sp_lag_destroy(mlxsw_sp, lag_id);
+@@ -4114,7 +4109,6 @@ static void mlxsw_sp_port_lag_leave(struct mlxsw_sp_port *mlxsw_sp_port,
+ lag = mlxsw_sp_lag_get(mlxsw_sp, lag_id);
+ WARN_ON(lag->ref_count == 0);
+
+- mlxsw_sp_lag_col_port_disable(mlxsw_sp_port, lag_id);
+ mlxsw_sp_lag_col_port_remove(mlxsw_sp_port, lag_id);
+
+ /* Any VLANs configured on the port are no longer valid */
+@@ -4159,21 +4153,56 @@ static int mlxsw_sp_lag_dist_port_remove(struct mlxsw_sp_port *mlxsw_sp_port,
+ return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(sldr), sldr_pl);
+ }
+
+-static int mlxsw_sp_port_lag_tx_en_set(struct mlxsw_sp_port *mlxsw_sp_port,
+- bool lag_tx_enabled)
++static int
++mlxsw_sp_port_lag_col_dist_enable(struct mlxsw_sp_port *mlxsw_sp_port)
+ {
+- if (lag_tx_enabled)
+- return mlxsw_sp_lag_dist_port_add(mlxsw_sp_port,
+- mlxsw_sp_port->lag_id);
+- else
+- return mlxsw_sp_lag_dist_port_remove(mlxsw_sp_port,
+- mlxsw_sp_port->lag_id);
++ int err;
++
++ err = mlxsw_sp_lag_col_port_enable(mlxsw_sp_port,
++ mlxsw_sp_port->lag_id);
++ if (err)
++ return err;
++
++ err = mlxsw_sp_lag_dist_port_add(mlxsw_sp_port, mlxsw_sp_port->lag_id);
++ if (err)
++ goto err_dist_port_add;
++
++ return 0;
++
++err_dist_port_add:
++ mlxsw_sp_lag_col_port_disable(mlxsw_sp_port, mlxsw_sp_port->lag_id);
++ return err;
++}
++
++static int
++mlxsw_sp_port_lag_col_dist_disable(struct mlxsw_sp_port *mlxsw_sp_port)
++{
++ int err;
++
++ err = mlxsw_sp_lag_dist_port_remove(mlxsw_sp_port,
++ mlxsw_sp_port->lag_id);
++ if (err)
++ return err;
++
++ err = mlxsw_sp_lag_col_port_disable(mlxsw_sp_port,
++ mlxsw_sp_port->lag_id);
++ if (err)
++ goto err_col_port_disable;
++
++ return 0;
++
++err_col_port_disable:
++ mlxsw_sp_lag_dist_port_add(mlxsw_sp_port, mlxsw_sp_port->lag_id);
++ return err;
+ }
+
+ static int mlxsw_sp_port_lag_changed(struct mlxsw_sp_port *mlxsw_sp_port,
+ struct netdev_lag_lower_state_info *info)
+ {
+- return mlxsw_sp_port_lag_tx_en_set(mlxsw_sp_port, info->tx_enabled);
++ if (info->tx_enabled)
++ return mlxsw_sp_port_lag_col_dist_enable(mlxsw_sp_port);
++ else
++ return mlxsw_sp_port_lag_col_dist_disable(mlxsw_sp_port);
+ }
+
+ static int mlxsw_sp_port_stp_set(struct mlxsw_sp_port *mlxsw_sp_port,
+@@ -4309,8 +4338,7 @@ static int mlxsw_sp_netdevice_port_upper_event(struct net_device *lower_dev,
+ err = mlxsw_sp_port_lag_join(mlxsw_sp_port,
+ upper_dev);
+ } else {
+- mlxsw_sp_port_lag_tx_en_set(mlxsw_sp_port,
+- false);
++ mlxsw_sp_port_lag_col_dist_disable(mlxsw_sp_port);
+ mlxsw_sp_port_lag_leave(mlxsw_sp_port,
+ upper_dev);
+ }
+--
+2.20.1
+
--- /dev/null
+From aaee5fa3769f0d6462dd95c79361a968caa7a389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2019 11:44:27 +0530
+Subject: nbd: fix possible sysfs duplicate warning
+
+From: Xiubo Li <xiubli@redhat.com>
+
+[ Upstream commit 862488105b84ca744b3d8ff131e0fcfe10644be1 ]
+
+1. nbd_put takes the mutex and drops nbd->ref to 0. It then does
+idr_remove and drops the mutex.
+
+2. nbd_genl_connect takes the mutex. idr_find/idr_for_each fails
+to find an existing device, so it does nbd_dev_add.
+
+3. just before the nbd_put could call nbd_dev_remove or not finished
+totally, but if nbd_dev_add try to add_disk, we can hit:
+
+debugfs: Directory 'nbd1' with parent 'block' already present!
+
+This patch will make sure all the disk add/remove stuff are done
+by holding the nbd_index_mutex lock.
+
+Reported-by: Mike Christie <mchristi@redhat.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index a234600849558..3e45004407963 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -228,8 +228,8 @@ static void nbd_put(struct nbd_device *nbd)
+ if (refcount_dec_and_mutex_lock(&nbd->refs,
+ &nbd_index_mutex)) {
+ idr_remove(&nbd_index_idr, nbd->index);
+- mutex_unlock(&nbd_index_mutex);
+ nbd_dev_remove(nbd);
++ mutex_unlock(&nbd_index_mutex);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 0230030b379fbdb03b8a70bf166f2f078441ea0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2019 14:29:38 +0800
+Subject: nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
+
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 33ea5aaa87cdae0f9af4d6b7ee4f650a1a36fd1d ]
+
+When xfstests testing, there are some WARNING as below:
+
+WARNING: CPU: 0 PID: 6235 at fs/nfs/inode.c:122 nfs_clear_inode+0x9c/0xd8
+Modules linked in:
+CPU: 0 PID: 6235 Comm: umount.nfs
+Hardware name: linux,dummy-virt (DT)
+pstate: 60000005 (nZCv daif -PAN -UAO)
+pc : nfs_clear_inode+0x9c/0xd8
+lr : nfs_evict_inode+0x60/0x78
+sp : fffffc000f68fc00
+x29: fffffc000f68fc00 x28: fffffe00c53155c0
+x27: fffffe00c5315000 x26: fffffc0009a63748
+x25: fffffc000f68fd18 x24: fffffc000bfaaf40
+x23: fffffc000936d3c0 x22: fffffe00c4ff5e20
+x21: fffffc000bfaaf40 x20: fffffe00c4ff5d10
+x19: fffffc000c056000 x18: 000000000000003c
+x17: 0000000000000000 x16: 0000000000000000
+x15: 0000000000000040 x14: 0000000000000228
+x13: fffffc000c3a2000 x12: 0000000000000045
+x11: 0000000000000000 x10: 0000000000000000
+x9 : 0000000000000000 x8 : 0000000000000000
+x7 : 0000000000000000 x6 : fffffc00084b027c
+x5 : fffffc0009a64000 x4 : fffffe00c0e77400
+x3 : fffffc000c0563a8 x2 : fffffffffffffffb
+x1 : 000000000000764e x0 : 0000000000000001
+Call trace:
+ nfs_clear_inode+0x9c/0xd8
+ nfs_evict_inode+0x60/0x78
+ evict+0x108/0x380
+ dispose_list+0x70/0xa0
+ evict_inodes+0x194/0x210
+ generic_shutdown_super+0xb0/0x220
+ nfs_kill_super+0x40/0x88
+ deactivate_locked_super+0xb4/0x120
+ deactivate_super+0x144/0x160
+ cleanup_mnt+0x98/0x148
+ __cleanup_mnt+0x38/0x50
+ task_work_run+0x114/0x160
+ do_notify_resume+0x2f8/0x308
+ work_pending+0x8/0x14
+
+The nrequest should be increased/decreased only if PG_INODE_REF flag
+was setted.
+
+But in the nfs_inode_remove_request function, it maybe decrease when
+no PG_INODE_REF flag, this maybe lead nrequests count error.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/write.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 3c1e46f4bce32..01b9d9341b541 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -783,7 +783,6 @@ static void nfs_inode_remove_request(struct nfs_page *req)
+ struct nfs_inode *nfsi = NFS_I(inode);
+ struct nfs_page *head;
+
+- atomic_long_dec(&nfsi->nrequests);
+ if (nfs_page_group_sync_on_bit(req, PG_REMOVE)) {
+ head = req->wb_head;
+
+@@ -796,8 +795,10 @@ static void nfs_inode_remove_request(struct nfs_page *req)
+ spin_unlock(&mapping->private_lock);
+ }
+
+- if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags))
++ if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags)) {
+ nfs_release_request(req);
++ atomic_long_dec(&nfsi->nrequests);
++ }
+ }
+
+ static void
+--
+2.20.1
+
--- /dev/null
+From ce3f8a9180700605e5a38476eb787cb988f75c22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2019 09:58:54 -0400
+Subject: NFSv4: Fix leak of clp->cl_acceptor string
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 1047ec868332034d1fbcb2fae19fe6d4cb869ff2 ]
+
+Our client can issue multiple SETCLIENTID operations to the same
+server in some circumstances. Ensure that calls to
+nfs4_proc_setclientid() after the first one do not overwrite the
+previously allocated cl_acceptor string.
+
+unreferenced object 0xffff888461031800 (size 32):
+ comm "mount.nfs", pid 2227, jiffies 4294822467 (age 1407.749s)
+ hex dump (first 32 bytes):
+ 6e 66 73 40 6b 6c 69 6d 74 2e 69 62 2e 31 30 31 nfs@klimt.ib.101
+ 35 67 72 61 6e 67 65 72 2e 6e 65 74 00 00 00 00 5granger.net....
+ backtrace:
+ [<00000000ab820188>] __kmalloc+0x128/0x176
+ [<00000000eeaf4ec8>] gss_stringify_acceptor+0xbd/0x1a7 [auth_rpcgss]
+ [<00000000e85e3382>] nfs4_proc_setclientid+0x34e/0x46c [nfsv4]
+ [<000000003d9cf1fa>] nfs40_discover_server_trunking+0x7a/0xed [nfsv4]
+ [<00000000b81c3787>] nfs4_discover_server_trunking+0x81/0x244 [nfsv4]
+ [<000000000801b55f>] nfs4_init_client+0x1b0/0x238 [nfsv4]
+ [<00000000977daf7f>] nfs4_set_client+0xfe/0x14d [nfsv4]
+ [<0000000053a68a2a>] nfs4_create_server+0x107/0x1db [nfsv4]
+ [<0000000088262019>] nfs4_remote_mount+0x2c/0x59 [nfsv4]
+ [<00000000e84a2fd0>] legacy_get_tree+0x2d/0x4c
+ [<00000000797e947c>] vfs_get_tree+0x20/0xc7
+ [<00000000ecabaaa8>] fc_mount+0xe/0x36
+ [<00000000f15fafc2>] vfs_kern_mount+0x74/0x8d
+ [<00000000a3ff4e26>] nfs_do_root_mount+0x8a/0xa3 [nfsv4]
+ [<00000000d1c2b337>] nfs4_try_mount+0x58/0xad [nfsv4]
+ [<000000004c9bddee>] nfs_fs_mount+0x820/0x869 [nfs]
+
+Fixes: f11b2a1cfbf5 ("nfs4: copy acceptor name from context ... ")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 6409ff4876cb5..af062e9f45803 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5655,6 +5655,7 @@ int nfs4_proc_setclientid(struct nfs_client *clp, u32 program,
+ }
+ status = task->tk_status;
+ if (setclientid.sc_cred) {
++ kfree(clp->cl_acceptor);
+ clp->cl_acceptor = rpcauth_stringify_acceptor(setclientid.sc_cred);
+ put_rpccred(setclientid.sc_cred);
+ }
+--
+2.20.1
+
--- /dev/null
+From 4b7fb7340b7656e205f4bdee5fc25279fe234160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 17:57:47 -0700
+Subject: ocfs2: clear zero in unaligned direct IO
+
+From: Jia Guo <guojia12@huawei.com>
+
+[ Upstream commit 7a243c82ea527cd1da47381ad9cd646844f3b693 ]
+
+Unused portion of a part-written fs-block-sized block is not set to zero
+in unaligned append direct write.This can lead to serious data
+inconsistencies.
+
+Ocfs2 manage disk with cluster size(for example, 1M), part-written in
+one cluster will change the cluster state from UN-WRITTEN to WRITTEN,
+VFS(function dio_zero_block) doesn't do the cleaning because bh's state
+is not set to NEW in function ocfs2_dio_wr_get_block when we write a
+WRITTEN cluster. For example, the cluster size is 1M, file size is 8k
+and we direct write from 14k to 15k, then 12k~14k and 15k~16k will
+contain dirty data.
+
+We have to deal with two cases:
+ 1.The starting position of direct write is outside the file.
+ 2.The starting position of direct write is located in the file.
+
+We need set bh's state to NEW in the first case. In the second case, we
+need mapped twice because bh's state of area out file should be set to
+NEW while area in file not.
+
+[akpm@linux-foundation.org: coding style fixes]
+Link: http://lkml.kernel.org/r/5292e287-8f1a-fd4a-1a14-661e555e0bed@huawei.com
+Signed-off-by: Jia Guo <guojia12@huawei.com>
+Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <joseph.qi@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/aops.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index 99550f4bd159a..ebeec7530cb60 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -2151,13 +2151,30 @@ static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock,
+ struct ocfs2_dio_write_ctxt *dwc = NULL;
+ struct buffer_head *di_bh = NULL;
+ u64 p_blkno;
+- loff_t pos = iblock << inode->i_sb->s_blocksize_bits;
++ unsigned int i_blkbits = inode->i_sb->s_blocksize_bits;
++ loff_t pos = iblock << i_blkbits;
++ sector_t endblk = (i_size_read(inode) - 1) >> i_blkbits;
+ unsigned len, total_len = bh_result->b_size;
+ int ret = 0, first_get_block = 0;
+
+ len = osb->s_clustersize - (pos & (osb->s_clustersize - 1));
+ len = min(total_len, len);
+
++ /*
++ * bh_result->b_size is count in get_more_blocks according to write
++ * "pos" and "end", we need map twice to return different buffer state:
++ * 1. area in file size, not set NEW;
++ * 2. area out file size, set NEW.
++ *
++ * iblock endblk
++ * |--------|---------|---------|---------
++ * |<-------area in file------->|
++ */
++
++ if ((iblock <= endblk) &&
++ ((iblock + ((len - 1) >> i_blkbits)) > endblk))
++ len = (endblk - iblock + 1) << i_blkbits;
++
+ mlog(0, "get block of %lu at %llu:%u req %u\n",
+ inode->i_ino, pos, len, total_len);
+
+@@ -2241,6 +2258,9 @@ static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock,
+ if (desc->c_needs_zero)
+ set_buffer_new(bh_result);
+
++ if (iblock > endblk)
++ set_buffer_new(bh_result);
++
+ /* May sleep in end_io. It should not happen in a irq context. So defer
+ * it to dio work queue. */
+ set_buffer_defer_completion(bh_result);
+--
+2.20.1
+
--- /dev/null
+From 567a8dce78742c3e8bd0ebf921bf3db4347a573d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2019 11:54:19 -0500
+Subject: PCI/PME: Fix possible use-after-free on remove
+
+From: Sven Van Asbroeck <thesven73@gmail.com>
+
+[ Upstream commit 7cf58b79b3072029af127ae865ffc6f00f34b1f8 ]
+
+In remove(), ensure that the PME work cannot run after kfree() is called.
+Otherwise, this could result in a use-after-free.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Sinan Kaya <okaya@kernel.org>
+Cc: Frederick Lawler <fred@fredlawl.com>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/pme.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c
+index c2e6e3d1073f8..5500660bbb104 100644
+--- a/drivers/pci/pcie/pme.c
++++ b/drivers/pci/pcie/pme.c
+@@ -441,6 +441,7 @@ static void pcie_pme_remove(struct pcie_device *srv)
+
+ pcie_pme_disable_interrupt(srv->port, data);
+ free_irq(srv->irq, srv);
++ cancel_work_sync(&data->work);
+ kfree(data);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 078b0c8c696c4059695d934be967d6bf70588962 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2019 16:35:45 -0700
+Subject: perf jevents: Fix period for Intel fixed counters
+
+From: Andi Kleen <ak@linux.intel.com>
+
+[ Upstream commit 6bdfd9f118bd59cf0f85d3bf4b72b586adea17c1 ]
+
+The Intel fixed counters use a special table to override the JSON
+information.
+
+During this override the period information from the JSON file got
+dropped, which results in inst_retired.any and similar running with
+frequency mode instead of a period.
+
+Just specify the expected period in the table.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Link: http://lore.kernel.org/lkml/20190927233546.11533-2-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/pmu-events/jevents.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
+index 94a7cabe9b824..6f9f247b45162 100644
+--- a/tools/perf/pmu-events/jevents.c
++++ b/tools/perf/pmu-events/jevents.c
+@@ -342,12 +342,12 @@ static struct fixed {
+ const char *name;
+ const char *event;
+ } fixed[] = {
+- { "inst_retired.any", "event=0xc0" },
+- { "inst_retired.any_p", "event=0xc0" },
+- { "cpu_clk_unhalted.ref", "event=0x0,umask=0x03" },
+- { "cpu_clk_unhalted.thread", "event=0x3c" },
+- { "cpu_clk_unhalted.core", "event=0x3c" },
+- { "cpu_clk_unhalted.thread_any", "event=0x3c,any=1" },
++ { "inst_retired.any", "event=0xc0,period=2000003" },
++ { "inst_retired.any_p", "event=0xc0,period=2000003" },
++ { "cpu_clk_unhalted.ref", "event=0x0,umask=0x03,period=2000003" },
++ { "cpu_clk_unhalted.thread", "event=0x3c,period=2000003" },
++ { "cpu_clk_unhalted.core", "event=0x3c,period=2000003" },
++ { "cpu_clk_unhalted.thread_any", "event=0x3c,any=1,period=2000003" },
+ { NULL, NULL},
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 3eae4e6beb56d2d897ea02ca0cb2d7e7a58bab2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Sep 2019 01:39:00 +0000
+Subject: perf map: Fix overlapped map handling
+
+From: Steve MacLean <Steve.MacLean@microsoft.com>
+
+[ Upstream commit ee212d6ea20887c0ef352be8563ca13dbf965906 ]
+
+Whenever an mmap/mmap2 event occurs, the map tree must be updated to add a new
+entry. If a new map overlaps a previous map, the overlapped section of the
+previous map is effectively unmapped, but the non-overlapping sections are
+still valid.
+
+maps__fixup_overlappings() is responsible for creating any new map entries from
+the previously overlapped map. It optionally creates a before and an after map.
+
+When creating the after map the existing code failed to adjust the map.pgoff.
+This meant the new after map would incorrectly calculate the file offset
+for the ip. This results in incorrect symbol name resolution for any ip in the
+after region.
+
+Make maps__fixup_overlappings() correctly populate map.pgoff.
+
+Add an assert that new mapping matches old mapping at the beginning of
+the after map.
+
+Committer-testing:
+
+Validated correct parsing of libcoreclr.so symbols from .NET Core 3.0 preview9
+(which didn't strip symbols).
+
+Preparation:
+
+ ~/dotnet3.0-preview9/dotnet new webapi -o perfSymbol
+ cd perfSymbol
+ ~/dotnet3.0-preview9/dotnet publish
+ perf record ~/dotnet3.0-preview9/dotnet \
+ bin/Debug/netcoreapp3.0/publish/perfSymbol.dll
+ ^C
+
+Before:
+
+ perf script --show-mmap-events 2>&1 | grep -e MMAP -e unknown |\
+ grep libcoreclr.so | head -n 4
+ dotnet 1907 373352.698780: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615726000(0x768000) @ 0 08:02 5510620 765057155]: \
+ r-xp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.701091: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615974000(0x1000) @ 0x24e000 08:02 5510620 765057155]: \
+ rwxp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.701241: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615c42000(0x1000) @ 0x51c000 08:02 5510620 765057155]: \
+ rwxp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.705249: 250000 cpu-clock: \
+ 7fe6159a1f99 [unknown] \
+ (.../3.0.0-preview9-19423-09/libcoreclr.so)
+
+After:
+
+ perf script --show-mmap-events 2>&1 | grep -e MMAP -e unknown |\
+ grep libcoreclr.so | head -n 4
+ dotnet 1907 373352.698780: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615726000(0x768000) @ 0 08:02 5510620 765057155]: \
+ r-xp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.701091: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615974000(0x1000) @ 0x24e000 08:02 5510620 765057155]: \
+ rwxp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.701241: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615c42000(0x1000) @ 0x51c000 08:02 5510620 765057155]: \
+ rwxp .../3.0.0-preview9-19423-09/libcoreclr.so
+
+All the [unknown] symbols were resolved.
+
+Signed-off-by: Steve MacLean <Steve.MacLean@Microsoft.com>
+Tested-by: Brian Robbins <brianrob@microsoft.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Eric Saint-Etienne <eric.saint.etienne@oracle.com>
+Cc: John Keeping <john@metanate.com>
+Cc: John Salem <josalem@microsoft.com>
+Cc: Leo Yan <leo.yan@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Tom McDonald <thomas.mcdonald@microsoft.com>
+Link: http://lore.kernel.org/lkml/BN8PR21MB136270949F22A6A02335C238F7800@BN8PR21MB1362.namprd21.prod.outlook.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/map.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index 4e7bd27501224..63db9872c8808 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include "symbol.h"
++#include <assert.h>
+ #include <errno.h>
+ #include <inttypes.h>
+ #include <limits.h>
+@@ -737,6 +738,8 @@ static int maps__fixup_overlappings(struct maps *maps, struct map *map, FILE *fp
+ }
+
+ after->start = map->end;
++ after->pgoff += map->end - pos->start;
++ assert(pos->map_ip(pos, map->end) == after->map_ip(after, map->end));
+ __map_groups__insert(pos->groups, after);
+ if (verbose >= 2 && !use_browser)
+ map__fprintf(after, fp);
+--
+2.20.1
+
--- /dev/null
+From 96676d4cb0ced73597a1f75ae44bbf40d382a056 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 12:59:24 -0700
+Subject: perf tests: Avoid raising SEGV using an obvious NULL dereference
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit e3e2cf3d5b1fe800b032e14c0fdcd9a6fb20cf3b ]
+
+An optimized build such as:
+
+ make -C tools/perf CLANG=1 CC=clang EXTRA_CFLAGS="-O3
+
+will turn the dereference operation into a ud2 instruction, raising a
+SIGILL rather than a SIGSEGV. Use raise(..) for correctness and clarity.
+
+Similar issues were addressed in Numfor Mbiziwo-Tiapo's patch:
+
+ https://lkml.org/lkml/2019/7/8/1234
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf test hooks
+ 55: perf hooks : Ok
+ [root@quaco ~]# perf test -v hooks
+ 55: perf hooks :
+ --- start ---
+ test child forked, pid 17092
+ SIGSEGV is observed as expected, try to recover.
+ Fatal error (SEGFAULT) in perf hook 'test'
+ test child finished with 0
+ ---- end ----
+ perf hooks: Ok
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf test hooks
+ 55: perf hooks : Ok
+ [root@quaco ~]# perf test -v hooks
+ 55: perf hooks :
+ --- start ---
+ test child forked, pid 17909
+ SIGSEGV is observed as expected, try to recover.
+ Fatal error (SEGFAULT) in perf hook 'test'
+ test child finished with 0
+ ---- end ----
+ perf hooks: Ok
+ [root@quaco ~]#
+
+Fixes: a074865e60ed ("perf tools: Introduce perf hooks")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Link: http://lore.kernel.org/lkml/20190925195924.152834-2-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/perf-hooks.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/perf/tests/perf-hooks.c b/tools/perf/tests/perf-hooks.c
+index a693bcf017ea2..44c16fd11bf6e 100644
+--- a/tools/perf/tests/perf-hooks.c
++++ b/tools/perf/tests/perf-hooks.c
+@@ -20,12 +20,11 @@ static void sigsegv_handler(int sig __maybe_unused)
+ static void the_hook(void *_hook_flags)
+ {
+ int *hook_flags = _hook_flags;
+- int *p = NULL;
+
+ *hook_flags = 1234;
+
+ /* Generate a segfault, test perf_hooks__recover */
+- *p = 0;
++ raise(SIGSEGV);
+ }
+
+ int test__perf_hooks(struct test *test __maybe_unused, int subtest __maybe_unused)
+--
+2.20.1
+
--- /dev/null
+From 6fff9d8db7a5e1515dbd0e955828cf98c0079b09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2019 18:57:41 +0000
+Subject: perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+[ Upstream commit df4d29732fdad43a51284f826bec3e6ded177540 ]
+
+It turns out that the NMI latency workaround from commit:
+
+ 6d3edaae16c6 ("x86/perf/amd: Resolve NMI latency issues for active PMCs")
+
+ends up being too conservative and results in the perf NMI handler claiming
+NMIs too easily on AMD hardware when the NMI watchdog is active.
+
+This has an impact, for example, on the hpwdt (HPE watchdog timer) module.
+This module can produce an NMI that is used to reset the system. It
+registers an NMI handler for the NMI_UNKNOWN type and relies on the fact
+that nothing has claimed an NMI so that its handler will be invoked when
+the watchdog device produces an NMI. After the referenced commit, the
+hpwdt module is unable to process its generated NMI if the NMI watchdog is
+active, because the current NMI latency mitigation results in the NMI
+being claimed by the perf NMI handler.
+
+Update the AMD perf NMI latency mitigation workaround to, instead, use a
+window of time. Whenever a PMC is handled in the perf NMI handler, set a
+timestamp which will act as a perf NMI window. Any NMIs arriving within
+that window will be claimed by perf. Anything outside that window will
+not be claimed by perf. The value for the NMI window is set to 100 msecs.
+This is a conservative value that easily covers any NMI latency in the
+hardware. While this still results in a window in which the hpwdt module
+will not receive its NMI, the window is now much, much smaller.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Jerry Hoemann <jerry.hoemann@hpe.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 6d3edaae16c6 ("x86/perf/amd: Resolve NMI latency issues for active PMCs")
+Link: https://lkml.kernel.org/r/Message-ID:
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/core.c | 30 +++++++++++++++++-------------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
+index 27ade3cb6482c..defb536aebce2 100644
+--- a/arch/x86/events/amd/core.c
++++ b/arch/x86/events/amd/core.c
+@@ -4,12 +4,14 @@
+ #include <linux/init.h>
+ #include <linux/slab.h>
+ #include <linux/delay.h>
++#include <linux/jiffies.h>
+ #include <asm/apicdef.h>
+ #include <asm/nmi.h>
+
+ #include "../perf_event.h"
+
+-static DEFINE_PER_CPU(unsigned int, perf_nmi_counter);
++static DEFINE_PER_CPU(unsigned long, perf_nmi_tstamp);
++static unsigned long perf_nmi_window;
+
+ static __initconst const u64 amd_hw_cache_event_ids
+ [PERF_COUNT_HW_CACHE_MAX]
+@@ -640,11 +642,12 @@ static void amd_pmu_disable_event(struct perf_event *event)
+ * handler when multiple PMCs are active or PMC overflow while handling some
+ * other source of an NMI.
+ *
+- * Attempt to mitigate this by using the number of active PMCs to determine
+- * whether to return NMI_HANDLED if the perf NMI handler did not handle/reset
+- * any PMCs. The per-CPU perf_nmi_counter variable is set to a minimum of the
+- * number of active PMCs or 2. The value of 2 is used in case an NMI does not
+- * arrive at the LAPIC in time to be collapsed into an already pending NMI.
++ * Attempt to mitigate this by creating an NMI window in which un-handled NMIs
++ * received during this window will be claimed. This prevents extending the
++ * window past when it is possible that latent NMIs should be received. The
++ * per-CPU perf_nmi_tstamp will be set to the window end time whenever perf has
++ * handled a counter. When an un-handled NMI is received, it will be claimed
++ * only if arriving within that window.
+ */
+ static int amd_pmu_handle_irq(struct pt_regs *regs)
+ {
+@@ -662,21 +665,19 @@ static int amd_pmu_handle_irq(struct pt_regs *regs)
+ handled = x86_pmu_handle_irq(regs);
+
+ /*
+- * If a counter was handled, record the number of possible remaining
+- * NMIs that can occur.
++ * If a counter was handled, record a timestamp such that un-handled
++ * NMIs will be claimed if arriving within that window.
+ */
+ if (handled) {
+- this_cpu_write(perf_nmi_counter,
+- min_t(unsigned int, 2, active));
++ this_cpu_write(perf_nmi_tstamp,
++ jiffies + perf_nmi_window);
+
+ return handled;
+ }
+
+- if (!this_cpu_read(perf_nmi_counter))
++ if (time_after(jiffies, this_cpu_read(perf_nmi_tstamp)))
+ return NMI_DONE;
+
+- this_cpu_dec(perf_nmi_counter);
+-
+ return NMI_HANDLED;
+ }
+
+@@ -908,6 +909,9 @@ static int __init amd_core_pmu_init(void)
+ if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE))
+ return 0;
+
++ /* Avoid calulating the value each time in the NMI handler */
++ perf_nmi_window = msecs_to_jiffies(100);
++
+ switch (boot_cpu_data.x86) {
+ case 0x15:
+ pr_cont("Fam15h ");
+--
+2.20.1
+
--- /dev/null
+From 05c9406717a5ae87b469f1ef9f664edbd8008bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Feb 2019 16:43:03 -0500
+Subject: power: supply: max14656: fix potential use-after-free
+
+From: Sven Van Asbroeck <thesven73@gmail.com>
+
+[ Upstream commit 252fbeb86ceffa549af9842cefca2412d53a7653 ]
+
+Explicitly cancel/sync the irq_work delayed work, otherwise
+there's a chance that it will run after the device is removed,
+which would result in a use-after-free.
+
+Note that cancel/sync should happen:
+- after irq's have been disabled, as the isr re-schedules the work
+- before the power supply is unregistered, because the work func
+ uses the power supply handle.
+
+Cc: Alexander Kurz <akurz@blala.de>
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../power/supply/max14656_charger_detector.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/max14656_charger_detector.c b/drivers/power/supply/max14656_charger_detector.c
+index d19307f791c68..9e6472834e373 100644
+--- a/drivers/power/supply/max14656_charger_detector.c
++++ b/drivers/power/supply/max14656_charger_detector.c
+@@ -240,6 +240,14 @@ static enum power_supply_property max14656_battery_props[] = {
+ POWER_SUPPLY_PROP_MANUFACTURER,
+ };
+
++static void stop_irq_work(void *data)
++{
++ struct max14656_chip *chip = data;
++
++ cancel_delayed_work_sync(&chip->irq_work);
++}
++
++
+ static int max14656_probe(struct i2c_client *client,
+ const struct i2c_device_id *id)
+ {
+@@ -278,8 +286,6 @@ static int max14656_probe(struct i2c_client *client,
+ if (ret)
+ return -ENODEV;
+
+- INIT_DELAYED_WORK(&chip->irq_work, max14656_irq_worker);
+-
+ chip->detect_psy = devm_power_supply_register(dev,
+ &chip->psy_desc, &psy_cfg);
+ if (IS_ERR(chip->detect_psy)) {
+@@ -287,6 +293,13 @@ static int max14656_probe(struct i2c_client *client,
+ return -EINVAL;
+ }
+
++ INIT_DELAYED_WORK(&chip->irq_work, max14656_irq_worker);
++ ret = devm_add_action(dev, stop_irq_work, chip);
++ if (ret) {
++ dev_err(dev, "devm_add_action %d failed\n", ret);
++ return ret;
++ }
++
+ ret = devm_request_irq(dev, chip->irq, max14656_irq,
+ IRQF_TRIGGER_FALLING,
+ MAX14656_NAME, chip);
+--
+2.20.1
+
--- /dev/null
+From b3b8e1db9156713875b348e57a40292b039fa8af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:10:39 -0700
+Subject: powerpc/powernv: hold device_hotplug_lock when calling
+ memtrace_offline_pages()
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit 5666848774ef43d3db5151ec518f1deb63515c20 ]
+
+Let's perform all checking + offlining + removing under
+device_hotplug_lock, so nobody can mess with these devices via sysfs
+concurrently.
+
+[david@redhat.com: take device_hotplug_lock outside of loop]
+ Link: http://lkml.kernel.org/r/20180927092554.13567-6-david@redhat.com
+Link: http://lkml.kernel.org/r/20180925091457.28651-6-david@redhat.com
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Rashmica Gupta <rashmica.g@gmail.com>
+Cc: Michael Neuling <mikey@neuling.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: John Allen <jallen@linux.vnet.ibm.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Mathieu Malaterre <malat@debian.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/memtrace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/powernv/memtrace.c b/arch/powerpc/platforms/powernv/memtrace.c
+index c9a6d4f3403ce..cfbd242c3e011 100644
+--- a/arch/powerpc/platforms/powernv/memtrace.c
++++ b/arch/powerpc/platforms/powernv/memtrace.c
+@@ -99,6 +99,7 @@ static int change_memblock_state(struct memory_block *mem, void *arg)
+ return 0;
+ }
+
++/* called with device_hotplug_lock held */
+ static bool memtrace_offline_pages(u32 nid, u64 start_pfn, u64 nr_pages)
+ {
+ u64 end_pfn = start_pfn + nr_pages - 1;
+@@ -139,6 +140,7 @@ static u64 memtrace_alloc_node(u32 nid, u64 size)
+ /* Trace memory needs to be aligned to the size */
+ end_pfn = round_down(end_pfn - nr_pages, nr_pages);
+
++ lock_device_hotplug();
+ for (base_pfn = end_pfn; base_pfn > start_pfn; base_pfn -= nr_pages) {
+ if (memtrace_offline_pages(nid, base_pfn, nr_pages) == true) {
+ /*
+@@ -147,7 +149,6 @@ static u64 memtrace_alloc_node(u32 nid, u64 size)
+ * we never try to remove memory that spans two iomem
+ * resources.
+ */
+- lock_device_hotplug();
+ end_pfn = base_pfn + nr_pages;
+ for (pfn = base_pfn; pfn < end_pfn; pfn += bytes>> PAGE_SHIFT) {
+ remove_memory(nid, pfn << PAGE_SHIFT, bytes);
+@@ -156,6 +157,7 @@ static u64 memtrace_alloc_node(u32 nid, u64 size)
+ return base_pfn << PAGE_SHIFT;
+ }
+ }
++ unlock_device_hotplug();
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 484038c5e9950e2f152688da6bbf01bfb0f4463f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 09:45:42 -0500
+Subject: RDMA/hfi1: Prevent memory leak in sdma_init
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 34b3be18a04ecdc610aae4c48e5d1b799d8689f6 ]
+
+In sdma_init if rhashtable_init fails the allocated memory for
+tmp_sdma_rht should be released.
+
+Fixes: 5a52a7acf7e2 ("IB/hfi1: NULL pointer dereference when freeing rhashtable")
+Link: https://lore.kernel.org/r/20190925144543.10141-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/sdma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
+index 6781bcdb10b31..741938409f8e3 100644
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -1529,8 +1529,11 @@ int sdma_init(struct hfi1_devdata *dd, u8 port)
+ }
+
+ ret = rhashtable_init(tmp_sdma_rht, &sdma_rht_params);
+- if (ret < 0)
++ if (ret < 0) {
++ kfree(tmp_sdma_rht);
+ goto bail;
++ }
++
+ dd->sdma_rht = tmp_sdma_rht;
+
+ dd_dev_info(dd, "SDMA num_sdma: %u\n", dd->num_sdma);
+--
+2.20.1
+
--- /dev/null
+From 8db7f807877c43bbe36d0b6fdc3f4324f00e6ce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 16:16:54 -0700
+Subject: RDMA/iwcm: Fix a lock inversion issue
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit b66f31efbdad95ec274345721d99d1d835e6de01 ]
+
+This patch fixes the lock inversion complaint:
+
+============================================
+WARNING: possible recursive locking detected
+5.3.0-rc7-dbg+ #1 Not tainted
+--------------------------------------------
+kworker/u16:6/171 is trying to acquire lock:
+00000000035c6e6c (&id_priv->handler_mutex){+.+.}, at: rdma_destroy_id+0x78/0x4a0 [rdma_cm]
+
+but task is already holding lock:
+00000000bc7c307d (&id_priv->handler_mutex){+.+.}, at: iw_conn_req_handler+0x151/0x680 [rdma_cm]
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&id_priv->handler_mutex);
+ lock(&id_priv->handler_mutex);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+3 locks held by kworker/u16:6/171:
+ #0: 00000000e2eaa773 ((wq_completion)iw_cm_wq){+.+.}, at: process_one_work+0x472/0xac0
+ #1: 000000001efd357b ((work_completion)(&work->work)#3){+.+.}, at: process_one_work+0x476/0xac0
+ #2: 00000000bc7c307d (&id_priv->handler_mutex){+.+.}, at: iw_conn_req_handler+0x151/0x680 [rdma_cm]
+
+stack backtrace:
+CPU: 3 PID: 171 Comm: kworker/u16:6 Not tainted 5.3.0-rc7-dbg+ #1
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Workqueue: iw_cm_wq cm_work_handler [iw_cm]
+Call Trace:
+ dump_stack+0x8a/0xd6
+ __lock_acquire.cold+0xe1/0x24d
+ lock_acquire+0x106/0x240
+ __mutex_lock+0x12e/0xcb0
+ mutex_lock_nested+0x1f/0x30
+ rdma_destroy_id+0x78/0x4a0 [rdma_cm]
+ iw_conn_req_handler+0x5c9/0x680 [rdma_cm]
+ cm_work_handler+0xe62/0x1100 [iw_cm]
+ process_one_work+0x56d/0xac0
+ worker_thread+0x7a/0x5d0
+ kthread+0x1bc/0x210
+ ret_from_fork+0x24/0x30
+
+This is not a bug as there are actually two lock classes here.
+
+Link: https://lore.kernel.org/r/20190930231707.48259-3-bvanassche@acm.org
+Fixes: de910bd92137 ("RDMA/cma: Simplify locking needed for serialization of callbacks")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 7c5eca312aa88..f698c6a28c142 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -2212,9 +2212,10 @@ static int iw_conn_req_handler(struct iw_cm_id *cm_id,
+ conn_id->cm_id.iw = NULL;
+ cma_exch(conn_id, RDMA_CM_DESTROYING);
+ mutex_unlock(&conn_id->handler_mutex);
++ mutex_unlock(&listen_id->handler_mutex);
+ cma_deref_id(conn_id);
+ rdma_destroy_id(&conn_id->id);
+- goto out;
++ return ret;
+ }
+
+ mutex_unlock(&conn_id->handler_mutex);
+--
+2.20.1
+
--- /dev/null
+From 6ff64eb49bc81824a1bf5d8d6a7fb18aaab39d10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jan 2019 10:00:30 +0100
+Subject: rtc: pcf8523: set xtal load capacitance from DT
+
+From: Sam Ravnborg <sam@ravnborg.org>
+
+[ Upstream commit 189927e719e36ceefbb8037f23d3849e47833aef ]
+
+Add support for specifying the xtal load capacitance in the DT node.
+The pcf8523 supports xtal load capacitance of 7pF or 12.5pF.
+If the rtc has the wrong configuration the time will
+drift several hours/week.
+
+The driver use the default value 12.5pF.
+
+The DT may specify either 7000fF or 12500fF.
+(The DT uses femto Farad to avoid decimal numbers).
+Other values are warned and the driver uses the default value.
+
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf8523.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/rtc/rtc-pcf8523.c b/drivers/rtc/rtc-pcf8523.c
+index 3c8c6f942e67f..a06792966ea90 100644
+--- a/drivers/rtc/rtc-pcf8523.c
++++ b/drivers/rtc/rtc-pcf8523.c
+@@ -94,8 +94,9 @@ static int pcf8523_voltage_low(struct i2c_client *client)
+ return !!(value & REG_CONTROL3_BLF);
+ }
+
+-static int pcf8523_select_capacitance(struct i2c_client *client, bool high)
++static int pcf8523_load_capacitance(struct i2c_client *client)
+ {
++ u32 load;
+ u8 value;
+ int err;
+
+@@ -103,14 +104,24 @@ static int pcf8523_select_capacitance(struct i2c_client *client, bool high)
+ if (err < 0)
+ return err;
+
+- if (!high)
+- value &= ~REG_CONTROL1_CAP_SEL;
+- else
++ load = 12500;
++ of_property_read_u32(client->dev.of_node, "quartz-load-femtofarads",
++ &load);
++
++ switch (load) {
++ default:
++ dev_warn(&client->dev, "Unknown quartz-load-femtofarads value: %d. Assuming 12500",
++ load);
++ /* fall through */
++ case 12500:
+ value |= REG_CONTROL1_CAP_SEL;
++ break;
++ case 7000:
++ value &= ~REG_CONTROL1_CAP_SEL;
++ break;
++ }
+
+ err = pcf8523_write(client, REG_CONTROL1, value);
+- if (err < 0)
+- return err;
+
+ return err;
+ }
+@@ -307,9 +318,10 @@ static int pcf8523_probe(struct i2c_client *client,
+ if (!pcf)
+ return -ENOMEM;
+
+- err = pcf8523_select_capacitance(client, true);
++ err = pcf8523_load_capacitance(client);
+ if (err < 0)
+- return err;
++ dev_warn(&client->dev, "failed to set xtal load capacitance: %d",
++ err);
+
+ err = pcf8523_set_pm(client, 0);
+ if (err < 0)
+--
+2.20.1
+
--- /dev/null
+From ee7b38b7bab77f8537e4acea249d2e825fda6953 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2019 17:02:32 +0200
+Subject: s390/uaccess: avoid (false positive) compiler warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+[ Upstream commit 062795fcdcb2d22822fb42644b1d76a8ad8439b3 ]
+
+Depending on inlining decisions by the compiler, __get/put_user_fn
+might become out of line. Then the compiler is no longer able to tell
+that size can only be 1,2,4 or 8 due to the check in __get/put_user
+resulting in false positives like
+
+./arch/s390/include/asm/uaccess.h: In function ‘__put_user_fn’:
+./arch/s390/include/asm/uaccess.h:113:9: warning: ‘rc’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 113 | return rc;
+ | ^~
+./arch/s390/include/asm/uaccess.h: In function ‘__get_user_fn’:
+./arch/s390/include/asm/uaccess.h:143:9: warning: ‘rc’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 143 | return rc;
+ | ^~
+
+These functions are supposed to be always inlined. Mark it as such.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/uaccess.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
+index 689eae8d38591..bd7a19a0aecf7 100644
+--- a/arch/s390/include/asm/uaccess.h
++++ b/arch/s390/include/asm/uaccess.h
+@@ -95,7 +95,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n);
+ __rc; \
+ })
+
+-static inline int __put_user_fn(void *x, void __user *ptr, unsigned long size)
++static __always_inline int __put_user_fn(void *x, void __user *ptr, unsigned long size)
+ {
+ unsigned long spec = 0x810000UL;
+ int rc;
+@@ -125,7 +125,7 @@ static inline int __put_user_fn(void *x, void __user *ptr, unsigned long size)
+ return rc;
+ }
+
+-static inline int __get_user_fn(void *x, const void __user *ptr, unsigned long size)
++static __always_inline int __get_user_fn(void *x, const void __user *ptr, unsigned long size)
+ {
+ unsigned long spec = 0x81UL;
+ int rc;
+--
+2.20.1
+
--- /dev/null
+From 419c567274555a9705962df37294fdd3c3fc6ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Sep 2018 15:31:56 +0100
+Subject: sc16is7xx: Fix for "Unexpected interrupt: 8"
+
+From: Phil Elwell <phil@raspberrypi.org>
+
+[ Upstream commit 30ec514d440cf2c472c8e4b0079af2c731f71a3e ]
+
+The SC16IS752 has an Enhanced Feature Register which is aliased at the
+same address as the Interrupt Identification Register; accessing it
+requires that a magic value is written to the Line Configuration
+Register. If an interrupt is raised while the EFR is mapped in then
+the ISR won't be able to access the IIR, leading to the "Unexpected
+interrupt" error messages.
+
+Avoid the problem by claiming a mutex around accesses to the EFR
+register, also claiming the mutex in the interrupt handler work
+item (this is equivalent to disabling interrupts to interlock against
+a non-threaded interrupt handler).
+
+See: https://github.com/raspberrypi/linux/issues/2529
+
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index e48523da47ac9..c1655aba131f6 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -333,6 +333,7 @@ struct sc16is7xx_port {
+ struct kthread_worker kworker;
+ struct task_struct *kworker_task;
+ struct kthread_work irq_work;
++ struct mutex efr_lock;
+ struct sc16is7xx_one p[0];
+ };
+
+@@ -504,6 +505,21 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
+ div /= 4;
+ }
+
++ /* In an amazing feat of design, the Enhanced Features Register shares
++ * the address of the Interrupt Identification Register, and is
++ * switched in by writing a magic value (0xbf) to the Line Control
++ * Register. Any interrupt firing during this time will see the EFR
++ * where it expects the IIR to be, leading to "Unexpected interrupt"
++ * messages.
++ *
++ * Prevent this possibility by claiming a mutex while accessing the
++ * EFR, and claiming the same mutex from within the interrupt handler.
++ * This is similar to disabling the interrupt, but that doesn't work
++ * because the bulk of the interrupt processing is run as a workqueue
++ * job in thread context.
++ */
++ mutex_lock(&s->efr_lock);
++
+ lcr = sc16is7xx_port_read(port, SC16IS7XX_LCR_REG);
+
+ /* Open the LCR divisors for configuration */
+@@ -519,6 +535,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
+ /* Put LCR back to the normal mode */
+ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr);
+
++ mutex_unlock(&s->efr_lock);
++
+ sc16is7xx_port_update(port, SC16IS7XX_MCR_REG,
+ SC16IS7XX_MCR_CLKSEL_BIT,
+ prescaler);
+@@ -701,6 +719,8 @@ static void sc16is7xx_ist(struct kthread_work *ws)
+ {
+ struct sc16is7xx_port *s = to_sc16is7xx_port(ws, irq_work);
+
++ mutex_lock(&s->efr_lock);
++
+ while (1) {
+ bool keep_polling = false;
+ int i;
+@@ -710,6 +730,8 @@ static void sc16is7xx_ist(struct kthread_work *ws)
+ if (!keep_polling)
+ break;
+ }
++
++ mutex_unlock(&s->efr_lock);
+ }
+
+ static irqreturn_t sc16is7xx_irq(int irq, void *dev_id)
+@@ -904,6 +926,9 @@ static void sc16is7xx_set_termios(struct uart_port *port,
+ if (!(termios->c_cflag & CREAD))
+ port->ignore_status_mask |= SC16IS7XX_LSR_BRK_ERROR_MASK;
+
++ /* As above, claim the mutex while accessing the EFR. */
++ mutex_lock(&s->efr_lock);
++
+ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG,
+ SC16IS7XX_LCR_CONF_MODE_B);
+
+@@ -925,6 +950,8 @@ static void sc16is7xx_set_termios(struct uart_port *port,
+ /* Update LCR register */
+ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr);
+
++ mutex_unlock(&s->efr_lock);
++
+ /* Get baud rate generator configuration */
+ baud = uart_get_baud_rate(port, termios, old,
+ port->uartclk / 16 / 4 / 0xffff,
+@@ -1187,6 +1214,7 @@ static int sc16is7xx_probe(struct device *dev,
+ s->regmap = regmap;
+ s->devtype = devtype;
+ dev_set_drvdata(dev, s);
++ mutex_init(&s->efr_lock);
+
+ kthread_init_worker(&s->kworker);
+ kthread_init_work(&s->irq_work, sc16is7xx_ist);
+--
+2.20.1
+
--- /dev/null
+From 9d9e37c312c289df4c43a12ec71096dcba3535d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 23:42:42 +0200
+Subject: sched/vtime: Fix guest/system mis-accounting on task switch
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit 68e7a4d66b0ce04bf18ff2ffded5596ab3618585 ]
+
+vtime_account_system() assumes that the target task to account cputime
+to is always the current task. This is most often true indeed except on
+task switch where we call:
+
+ vtime_common_task_switch(prev)
+ vtime_account_system(prev)
+
+Here prev is the scheduling-out task where we account the cputime to. It
+doesn't match current that is already the scheduling-in task at this
+stage of the context switch.
+
+So we end up checking the wrong task flags to determine if we are
+accounting guest or system time to the previous task.
+
+As a result the wrong task is used to check if the target is running in
+guest mode. We may then spuriously account or leak either system or
+guest time on task switch.
+
+Fix this assumption and also turn vtime_guest_enter/exit() to use the
+task passed in parameter as well to avoid future similar issues.
+
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wanpeng Li <wanpengli@tencent.com>
+Fixes: 2a42eb9594a1 ("sched/cputime: Accumulate vtime on top of nsec clocksource")
+Link: https://lkml.kernel.org/r/20190925214242.21873-1-frederic@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cputime.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/cputime.c b/kernel/sched/cputime.c
+index 14d2dbf97c531..45c2cd37fe6b0 100644
+--- a/kernel/sched/cputime.c
++++ b/kernel/sched/cputime.c
+@@ -738,7 +738,7 @@ void vtime_account_system(struct task_struct *tsk)
+
+ write_seqcount_begin(&vtime->seqcount);
+ /* We might have scheduled out from guest path */
+- if (current->flags & PF_VCPU)
++ if (tsk->flags & PF_VCPU)
+ vtime_account_guest(tsk, vtime);
+ else
+ __vtime_account_system(tsk, vtime);
+@@ -781,7 +781,7 @@ void vtime_guest_enter(struct task_struct *tsk)
+ */
+ write_seqcount_begin(&vtime->seqcount);
+ __vtime_account_system(tsk, vtime);
+- current->flags |= PF_VCPU;
++ tsk->flags |= PF_VCPU;
+ write_seqcount_end(&vtime->seqcount);
+ }
+ EXPORT_SYMBOL_GPL(vtime_guest_enter);
+@@ -792,7 +792,7 @@ void vtime_guest_exit(struct task_struct *tsk)
+
+ write_seqcount_begin(&vtime->seqcount);
+ vtime_account_guest(tsk, vtime);
+- current->flags &= ~PF_VCPU;
++ tsk->flags &= ~PF_VCPU;
+ write_seqcount_end(&vtime->seqcount);
+ }
+ EXPORT_SYMBOL_GPL(vtime_guest_exit);
+--
+2.20.1
+
--- /dev/null
+From 45c9d3fcf2f8543a8376fc3622ebc35e313f9d3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Nov 2018 18:11:18 -0800
+Subject: scripts/setlocalversion: Improve -dirty check with git-status
+ --no-optional-locks
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit ff64dd4857303dd5550faed9fd598ac90f0f2238 ]
+
+git-diff-index does not refresh the index for you, so using it for a
+"-dirty" check can give misleading results. Commit 6147b1cf19651
+("scripts/setlocalversion: git: Make -dirty check more robust") tried to
+fix this by switching to git-status, but it overlooked the fact that
+git-status also writes to the .git directory of the source tree, which
+is definitely not kosher for an out-of-tree (O=) build. That is getting
+reverted.
+
+Fortunately, git-status now supports avoiding writing to the index via
+the --no-optional-locks flag, as of git 2.14. It still calculates an
+up-to-date index, but it avoids writing it out to the .git directory.
+
+So, let's retry the solution from commit 6147b1cf19651 using this new
+flag first, and if it fails, we assume this is an older version of git
+and just use the old git-diff-index method.
+
+It's hairy to get the 'grep -vq' (inverted matching) correct by stashing
+the output of git-status (you have to be careful about the difference
+betwen "empty stdin" and "blank line on stdin"), so just pipe the output
+directly to grep and use a regex that's good enough for both the
+git-status and git-diff-index version.
+
+Cc: Christian Kujau <lists@nerdbynature.de>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Suggested-by: Alexander Kapshuk <alexander.kapshuk@gmail.com>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Tested-by: Genki Sky <sky@genki.is>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/setlocalversion | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/setlocalversion b/scripts/setlocalversion
+index 71f39410691b6..365b3c2b8f431 100755
+--- a/scripts/setlocalversion
++++ b/scripts/setlocalversion
+@@ -73,8 +73,16 @@ scm_version()
+ printf -- '-svn%s' "`git svn find-rev $head`"
+ fi
+
+- # Check for uncommitted changes
+- if git diff-index --name-only HEAD | grep -qv "^scripts/package"; then
++ # Check for uncommitted changes.
++ # First, with git-status, but --no-optional-locks is only
++ # supported in git >= 2.14, so fall back to git-diff-index if
++ # it fails. Note that git-diff-index does not refresh the
++ # index, so it may give misleading results. See
++ # git-update-index(1), git-diff-index(1), and git-status(1).
++ if {
++ git --no-optional-locks status -uno --porcelain 2>/dev/null ||
++ git diff-index --name-only HEAD
++ } | grep -qvE '^(.. )?scripts/package'; then
+ printf '%s' -dirty
+ fi
+
+--
+2.20.1
+
--- /dev/null
+From 83481d37594febfb84324b463810549fe6e4db8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Nov 2018 16:09:31 -0800
+Subject: scsi: lpfc: Fix a duplicate 0711 log message number.
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 2c4c91415a05677acc5c8131a5eb472d4aa96ae1 ]
+
+Renumber one of the 0711 log messages so there isn't a duplication.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_scsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
+index 4ade13d72deb3..07cb671bb8550 100644
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -4152,7 +4152,7 @@ lpfc_scsi_cmd_iocb_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pIocbIn,
+ /* If pCmd was set to NULL from abort path, do not call scsi_done */
+ if (xchg(&lpfc_cmd->pCmd, NULL) == NULL) {
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_FCP,
+- "0711 FCP cmd already NULL, sid: 0x%06x, "
++ "5688 FCP cmd already NULL, sid: 0x%06x, "
+ "did: 0x%06x, oxid: 0x%04x\n",
+ vport->fc_myDID,
+ (pnode) ? pnode->nlp_DID : 0,
+--
+2.20.1
+
--- /dev/null
+From b6ef32c62b318dad57d96b4256a9e1d734497cfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 11:33:11 -0500
+Subject: serial: mctrl_gpio: Check for NULL pointer
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 37e3ab00e4734acc15d96b2926aab55c894f4d9c ]
+
+When using mctrl_gpio_to_gpiod, it dereferences gpios into a single
+requested GPIO. This dereferencing can break if gpios is NULL,
+so this patch adds a NULL check before dereferencing it. If
+gpios is NULL, this function will also return NULL.
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
+Link: https://lore.kernel.org/r/20191006163314.23191-1-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/serial_mctrl_gpio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/serial/serial_mctrl_gpio.c b/drivers/tty/serial/serial_mctrl_gpio.c
+index 42e42e3e7a6e6..388f710468490 100644
+--- a/drivers/tty/serial/serial_mctrl_gpio.c
++++ b/drivers/tty/serial/serial_mctrl_gpio.c
+@@ -69,6 +69,9 @@ EXPORT_SYMBOL_GPL(mctrl_gpio_set);
+ struct gpio_desc *mctrl_gpio_to_gpiod(struct mctrl_gpios *gpios,
+ enum mctrl_gpio_idx gidx)
+ {
++ if (gpios == NULL)
++ return NULL;
++
+ return gpios->gpio[gidx];
+ }
+ EXPORT_SYMBOL_GPL(mctrl_gpio_to_gpiod);
+--
+2.20.1
+
--- /dev/null
+zram-fix-race-between-backing_dev_show-and-backing_d.patch
+dm-snapshot-use-mutex-instead-of-rw_semaphore.patch
+dm-snapshot-introduce-account_start_copy-and-account.patch
+dm-snapshot-rework-cow-throttling-to-fix-deadlock.patch
+dm-use-kzalloc-for-all-structs-with-embedded-biosets.patch
+f2fs-flush-quota-blocks-after-turnning-it-off.patch
+scsi-lpfc-fix-a-duplicate-0711-log-message-number.patch
+sc16is7xx-fix-for-unexpected-interrupt-8.patch
+powerpc-powernv-hold-device_hotplug_lock-when-callin.patch
+hid-i2c-hid-add-direkt-tek-dtlapy133-1-to-descriptor.patch
+x86-cpu-add-atom-tremont-jacobsville.patch
+hid-i2c-hid-add-odys-winbook-13-to-descriptor-overri.patch
+clk-boston-unregister-clks-on-failure-in-clk_boston_.patch
+scripts-setlocalversion-improve-dirty-check-with-git.patch
+hid-add-asus-t100chi-keyboard-dock-battery-quirks.patch
+usb-handle-warm-reset-port-requests-on-hub-resume.patch
+rtc-pcf8523-set-xtal-load-capacitance-from-dt.patch
+mlxsw-spectrum-set-lag-port-collector-only-when-acti.patch
+alsa-hda-realtek-apply-alc294-hp-init-also-for-s4-re.patch
+media-vimc-remove-unused-but-set-variables.patch
+exec-load_script-do-not-exec-truncated-interpreter-p.patch
+pci-pme-fix-possible-use-after-free-on-remove.patch
+power-supply-max14656-fix-potential-use-after-free.patch
+iio-adc-meson_saradc-fix-memory-allocation-order.patch
+iio-fix-center-temperature-of-bmc150-accel-core.patch
+libsubcmd-make-_fortify_source-defines-dependent-on-.patch
+perf-tests-avoid-raising-segv-using-an-obvious-null-.patch
+perf-map-fix-overlapped-map-handling.patch
+perf-jevents-fix-period-for-intel-fixed-counters.patch
+staging-rtl8188eu-fix-null-dereference-when-kzalloc-.patch
+rdma-hfi1-prevent-memory-leak-in-sdma_init.patch
+rdma-iwcm-fix-a-lock-inversion-issue.patch
+hid-hyperv-use-in-place-iterator-api-in-the-channel-.patch
+nfs-fix-nfsi-nrequests-count-error-on-nfs_inode_remo.patch
+arm64-ftrace-ensure-synchronisation-in-plt-setup-for.patch
+tty-serial-owl-fix-the-link-time-qualifier-of-owl_ua.patch
+tty-n_hdlc-fix-build-on-sparc.patch
+gpio-max77620-use-correct-unit-for-debounce-times.patch
+fs-cifs-mute-wunused-const-variable-message.patch
+serial-mctrl_gpio-check-for-null-pointer.patch
+efi-cper-fix-endianness-of-pcie-class-code.patch
+efi-x86-do-not-clean-dummy-variable-in-kexec-path.patch
+mips-include-mark-__cmpxchg-as-__always_inline.patch
+x86-xen-return-from-panic-notifier.patch
+ocfs2-clear-zero-in-unaligned-direct-io.patch
+fs-ocfs2-fix-possible-null-pointer-dereferences-in-o.patch
+fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch
+fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch-2862
+sched-vtime-fix-guest-system-mis-accounting-on-task-.patch
+perf-x86-amd-change-fix-nmi-latency-mitigation-to-us.patch
+mips-include-mark-__xchg-as-__always_inline.patch
+mips-fw-sni-fix-out-of-bounds-init-of-o32-stack.patch
+nbd-fix-possible-sysfs-duplicate-warning.patch
+nfsv4-fix-leak-of-clp-cl_acceptor-string.patch
+s390-uaccess-avoid-false-positive-compiler-warnings.patch
+tracing-initialize-iter-seq-after-zeroing-in-tracing.patch
--- /dev/null
+From 83bf1c3fa40fd08885c458049fd8eeac928440f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2019 14:44:15 -0700
+Subject: staging: rtl8188eu: fix null dereference when kzalloc fails
+
+From: Connor Kuehl <connor.kuehl@canonical.com>
+
+[ Upstream commit 955c1532a34305f2f780b47f0c40cc7c65500810 ]
+
+If kzalloc() returns NULL, the error path doesn't stop the flow of
+control from entering rtw_hal_read_chip_version() which dereferences the
+null pointer. Fix this by adding a 'goto' to the error path to more
+gracefully handle the issue and avoid proceeding with initialization
+steps that we're no longer prepared to handle.
+
+Also update the debug message to be more consistent with the other debug
+messages in this function.
+
+Addresses-Coverity: ("Dereference after null check")
+
+Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
+Link: https://lore.kernel.org/r/20190927214415.899-1-connor.kuehl@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+index 2fc7056cbff74..77c339a935258 100644
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -357,8 +357,10 @@ static struct adapter *rtw_usb_if1_init(struct dvobj_priv *dvobj,
+ }
+
+ padapter->HalData = kzalloc(sizeof(struct hal_data_8188e), GFP_KERNEL);
+- if (!padapter->HalData)
+- DBG_88E("cant not alloc memory for HAL DATA\n");
++ if (!padapter->HalData) {
++ DBG_88E("Failed to allocate memory for HAL data\n");
++ goto free_adapter;
++ }
+
+ /* step read_chip_version */
+ rtw_hal_read_chip_version(padapter);
+--
+2.20.1
+
--- /dev/null
+From 901432a25b1bdad567a36df273c48c3faf9f552e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2019 16:21:34 +0200
+Subject: tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
+
+From: Petr Mladek <pmladek@suse.com>
+
+[ Upstream commit d303de1fcf344ff7c15ed64c3f48a991c9958775 ]
+
+A customer reported the following softlockup:
+
+[899688.160002] NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [test.sh:16464]
+[899688.160002] CPU: 0 PID: 16464 Comm: test.sh Not tainted 4.12.14-6.23-azure #1 SLE12-SP4
+[899688.160002] RIP: 0010:up_write+0x1a/0x30
+[899688.160002] Kernel panic - not syncing: softlockup: hung tasks
+[899688.160002] RIP: 0010:up_write+0x1a/0x30
+[899688.160002] RSP: 0018:ffffa86784d4fde8 EFLAGS: 00000257 ORIG_RAX: ffffffffffffff12
+[899688.160002] RAX: ffffffff970fea00 RBX: 0000000000000001 RCX: 0000000000000000
+[899688.160002] RDX: ffffffff00000001 RSI: 0000000000000080 RDI: ffffffff970fea00
+[899688.160002] RBP: ffffffffffffffff R08: ffffffffffffffff R09: 0000000000000000
+[899688.160002] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b59014720d8
+[899688.160002] R13: ffff8b59014720c0 R14: ffff8b5901471090 R15: ffff8b5901470000
+[899688.160002] tracing_read_pipe+0x336/0x3c0
+[899688.160002] __vfs_read+0x26/0x140
+[899688.160002] vfs_read+0x87/0x130
+[899688.160002] SyS_read+0x42/0x90
+[899688.160002] do_syscall_64+0x74/0x160
+
+It caught the process in the middle of trace_access_unlock(). There is
+no loop. So, it must be looping in the caller tracing_read_pipe()
+via the "waitagain" label.
+
+Crashdump analyze uncovered that iter->seq was completely zeroed
+at this point, including iter->seq.seq.size. It means that
+print_trace_line() was never able to print anything and
+there was no forward progress.
+
+The culprit seems to be in the code:
+
+ /* reset all but tr, trace, and overruns */
+ memset(&iter->seq, 0,
+ sizeof(struct trace_iterator) -
+ offsetof(struct trace_iterator, seq));
+
+It was added by the commit 53d0aa773053ab182877 ("ftrace:
+add logic to record overruns"). It was v2.6.27-rc1.
+It was the time when iter->seq looked like:
+
+ struct trace_seq {
+ unsigned char buffer[PAGE_SIZE];
+ unsigned int len;
+ };
+
+There was no "size" variable and zeroing was perfectly fine.
+
+The solution is to reinitialize the structure after or without
+zeroing.
+
+Link: http://lkml.kernel.org/r/20191011142134.11997-1-pmladek@suse.com
+
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index bbe5a857c082a..286bbad7681bf 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -5764,6 +5764,7 @@ waitagain:
+ sizeof(struct trace_iterator) -
+ offsetof(struct trace_iterator, seq));
+ cpumask_clear(iter->started);
++ trace_seq_init(&iter->seq);
+ iter->pos = -1;
+
+ trace_event_read_lock();
+--
+2.20.1
+
--- /dev/null
+From 21d883a79aca63451357cd3efa64b2fe2a283558 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 19:15:12 -0700
+Subject: tty: n_hdlc: fix build on SPARC
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 47a7e5e97d4edd7b14974d34f0e5a5560fad2915 ]
+
+Fix tty driver build on SPARC by not using __exitdata.
+It appears that SPARC does not support section .exit.data.
+
+Fixes these build errors:
+
+`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o
+`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o
+`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o
+`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Fixes: 063246641d4a ("format-security: move static strings to const")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/675e7bd9-955b-3ff3-1101-a973b58b5b75@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_hdlc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
+index 08bd6b965847f..e83dea8d6633a 100644
+--- a/drivers/tty/n_hdlc.c
++++ b/drivers/tty/n_hdlc.c
+@@ -969,6 +969,11 @@ static int __init n_hdlc_init(void)
+
+ } /* end of init_module() */
+
++#ifdef CONFIG_SPARC
++#undef __exitdata
++#define __exitdata
++#endif
++
+ static const char hdlc_unregister_ok[] __exitdata =
+ KERN_INFO "N_HDLC: line discipline unregistered\n";
+ static const char hdlc_unregister_fail[] __exitdata =
+--
+2.20.1
+
--- /dev/null
+From 1366d1acd9e87d65684d5dc1706dc71e1121ef1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2019 06:11:29 +0200
+Subject: tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6264dab6efd6069f0387efb078a9960b5642377b ]
+
+'exit' functions should be marked as __exit, not __init.
+
+Fixes: fc60a8b675bd ("tty: serial: owl: Implement console driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20190910041129.6978-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/owl-uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/owl-uart.c b/drivers/tty/serial/owl-uart.c
+index b9c8593653347..d774f6013d7b6 100644
+--- a/drivers/tty/serial/owl-uart.c
++++ b/drivers/tty/serial/owl-uart.c
+@@ -754,7 +754,7 @@ static int __init owl_uart_init(void)
+ return ret;
+ }
+
+-static void __init owl_uart_exit(void)
++static void __exit owl_uart_exit(void)
+ {
+ platform_driver_unregister(&owl_uart_platform_driver);
+ uart_unregister_driver(&owl_uart_driver);
+--
+2.20.1
+
--- /dev/null
+From a20b9b4333849e4400af5f14227727b8f6027497 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Feb 2019 13:52:31 +0100
+Subject: usb: handle warm-reset port requests on hub resume
+
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+
+[ Upstream commit 4fdc1790e6a9ef22399c6bc6e63b80f4609f3b7e ]
+
+On plug-in of my USB-C device, its USB_SS_PORT_LS_SS_INACTIVE
+link state bit is set. Greping all the kernel for this bit shows
+that the port status requests a warm-reset this way.
+
+This just happens, if its the only device on the root hub, the hub
+therefore resumes and the HCDs status_urb isn't yet available.
+If a warm-reset request is detected, this sets the hubs event_bits,
+which will prevent any auto-suspend and allows the hubs workqueue
+to warm-reset the port later in port_event.
+
+Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hub.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index b543a4730ef24..bb20aa433e984 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -104,6 +104,8 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
+ static void hub_release(struct kref *kref);
+ static int usb_reset_and_verify_device(struct usb_device *udev);
+ static int hub_port_disable(struct usb_hub *hub, int port1, int set_state);
++static bool hub_port_warm_reset_required(struct usb_hub *hub, int port1,
++ u16 portstatus);
+
+ static inline char *portspeed(struct usb_hub *hub, int portstatus)
+ {
+@@ -1110,6 +1112,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ USB_PORT_FEAT_ENABLE);
+ }
+
++ /* Make sure a warm-reset request is handled by port_event */
++ if (type == HUB_RESUME &&
++ hub_port_warm_reset_required(hub, port1, portstatus))
++ set_bit(port1, hub->event_bits);
++
+ /*
+ * Add debounce if USB3 link is in polling/link training state.
+ * Link will automatically transition to Enabled state after
+--
+2.20.1
+
--- /dev/null
+From 8a700a5396cebca3346ed4557dca2bc798ce5605 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jan 2019 11:59:01 -0800
+Subject: x86/cpu: Add Atom Tremont (Jacobsville)
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 00ae831dfe4474ef6029558f5eb3ef0332d80043 ]
+
+Add the Atom Tremont model number to the Intel family list.
+
+[ Tony: Also update comment at head of file to say "_X" suffix is
+ also used for microserver parts. ]
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Aristeu Rozanski <aris@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Megha Dey <megha.dey@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Cc: Rajneesh Bhardwaj <rajneesh.bhardwaj@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190125195902.17109-4-tony.luck@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/intel-family.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
+index 038e4b63b56b5..5cd7d4e1579d0 100644
+--- a/arch/x86/include/asm/intel-family.h
++++ b/arch/x86/include/asm/intel-family.h
+@@ -6,7 +6,7 @@
+ * "Big Core" Processors (Branded as Core, Xeon, etc...)
+ *
+ * The "_X" parts are generally the EP and EX Xeons, or the
+- * "Extreme" ones, like Broadwell-E.
++ * "Extreme" ones, like Broadwell-E, or Atom microserver.
+ *
+ * Things ending in "2" are usually because we have no better
+ * name for them. There's no processor called "SILVERMONT2".
+@@ -68,6 +68,7 @@
+ #define INTEL_FAM6_ATOM_GOLDMONT 0x5C /* Apollo Lake */
+ #define INTEL_FAM6_ATOM_GOLDMONT_X 0x5F /* Denverton */
+ #define INTEL_FAM6_ATOM_GOLDMONT_PLUS 0x7A /* Gemini Lake */
++#define INTEL_FAM6_ATOM_TREMONT_X 0x86 /* Jacobsville */
+
+ /* Xeon Phi */
+
+--
+2.20.1
+
--- /dev/null
+From 02b966295545dfa7d09c9e39a165ec3aaf5405fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 16:44:41 -0400
+Subject: x86/xen: Return from panic notifier
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+[ Upstream commit c6875f3aacf2a5a913205accddabf0bfb75cac76 ]
+
+Currently execution of panic() continues until Xen's panic notifier
+(xen_panic_event()) is called at which point we make a hypercall that
+never returns.
+
+This means that any notifier that is supposed to be called later as
+well as significant part of panic() code (such as pstore writes from
+kmsg_dump()) is never executed.
+
+There is no reason for xen_panic_event() to be this last point in
+execution since panic()'s emergency_restart() will call into
+xen_emergency_restart() from where we can perform our hypercall.
+
+Nevertheless, we will provide xen_legacy_crash boot option that will
+preserve original behavior during crash. This option could be used,
+for example, if running kernel dumper (which happens after panic
+notifiers) is undesirable.
+
+Reported-by: James Dingwall <james@dingwall.me.uk>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/kernel-parameters.txt | 4 +++
+ arch/x86/xen/enlighten.c | 28 +++++++++++++++++--
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index b67a6cd08ca16..671f518b09eeb 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -4875,6 +4875,10 @@
+ the unplug protocol
+ never -- do not unplug even if version check succeeds
+
++ xen_legacy_crash [X86,XEN]
++ Crash from Xen panic notifier, without executing late
++ panic() code such as dumping handler.
++
+ xen_nopvspin [X86,XEN]
+ Disables the ticketlock slowpath using Xen PV
+ optimizations.
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 515d5e4414c29..00fc683a20110 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -259,19 +259,41 @@ void xen_reboot(int reason)
+ BUG();
+ }
+
++static int reboot_reason = SHUTDOWN_reboot;
++static bool xen_legacy_crash;
+ void xen_emergency_restart(void)
+ {
+- xen_reboot(SHUTDOWN_reboot);
++ xen_reboot(reboot_reason);
+ }
+
+ static int
+ xen_panic_event(struct notifier_block *this, unsigned long event, void *ptr)
+ {
+- if (!kexec_crash_loaded())
+- xen_reboot(SHUTDOWN_crash);
++ if (!kexec_crash_loaded()) {
++ if (xen_legacy_crash)
++ xen_reboot(SHUTDOWN_crash);
++
++ reboot_reason = SHUTDOWN_crash;
++
++ /*
++ * If panic_timeout==0 then we are supposed to wait forever.
++ * However, to preserve original dom0 behavior we have to drop
++ * into hypervisor. (domU behavior is controlled by its
++ * config file)
++ */
++ if (panic_timeout == 0)
++ panic_timeout = -1;
++ }
+ return NOTIFY_DONE;
+ }
+
++static int __init parse_xen_legacy_crash(char *arg)
++{
++ xen_legacy_crash = true;
++ return 0;
++}
++early_param("xen_legacy_crash", parse_xen_legacy_crash);
++
+ static struct notifier_block xen_panic_block = {
+ .notifier_call = xen_panic_event,
+ .priority = INT_MIN
+--
+2.20.1
+
--- /dev/null
+From 9dbec61fa20e9201d030ba5117662203e7e7c137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Oct 2019 04:59:17 -0400
+Subject: zram: fix race between backing_dev_show and backing_dev_store
+
+[ Upstream commit f7daefe4231e57381d92c2e2ad905a899c28e402 ]
+
+CPU0: CPU1:
+backing_dev_show backing_dev_store
+ ...... ......
+ file = zram->backing_dev;
+ down_read(&zram->init_lock); down_read(&zram->init_init_lock)
+ file_path(file, ...); zram->backing_dev = backing_dev;
+ up_read(&zram->init_lock); up_read(&zram->init_lock);
+
+gets the value of zram->backing_dev too early in backing_dev_show, which
+resultin the value being NULL at the beginning, and not NULL later.
+
+backtrace:
+ d_path+0xcc/0x174
+ file_path+0x10/0x18
+ backing_dev_show+0x40/0xb4
+ dev_attr_show+0x20/0x54
+ sysfs_kf_seq_show+0x9c/0x10c
+ kernfs_seq_show+0x28/0x30
+ seq_read+0x184/0x488
+ kernfs_fop_read+0x5c/0x1a4
+ __vfs_read+0x44/0x128
+ vfs_read+0xa0/0x138
+ SyS_read+0x54/0xb4
+
+Link: http://lkml.kernel.org/r/1571046839-16814-1-git-send-email-chenwandun@huawei.com
+Signed-off-by: Chenwandun <chenwandun@huawei.com>
+Acked-by: Minchan Kim <minchan@kernel.org>
+Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: <stable@vger.kernel.org> [4.14+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/zram/zram_drv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
+index 133178c9b2cf3..1b4e195c0d3c9 100644
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -291,13 +291,14 @@ static void reset_bdev(struct zram *zram)
+ static ssize_t backing_dev_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
++ struct file *file;
+ struct zram *zram = dev_to_zram(dev);
+- struct file *file = zram->backing_dev;
+ char *p;
+ ssize_t ret;
+
+ down_read(&zram->init_lock);
+- if (!zram_wb_enabled(zram)) {
++ file = zram->backing_dev;
++ if (!file) {
+ memcpy(buf, "none\n", 5);
+ up_read(&zram->init_lock);
+ return 5;
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
