--- /dev/null
+From b6835ea77729e7faf4656ca637ba53f42b8ee3fd Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <abrodkin@synopsys.com>
+Date: Fri, 8 Feb 2019 13:55:19 +0300
+Subject: ARC: define ARCH_SLAB_MINALIGN = 8
+
+From: Alexey Brodkin <abrodkin@synopsys.com>
+
+commit b6835ea77729e7faf4656ca637ba53f42b8ee3fd upstream.
+
+The default value of ARCH_SLAB_MINALIGN in "include/linux/slab.h" is
+"__alignof__(unsigned long long)" which for ARC unexpectedly turns out
+to be 4. This is not a compiler bug, but as defined by ARC ABI [1]
+
+Thus slab allocator would allocate a struct which is 32-bit aligned,
+which is generally OK even if struct has long long members.
+There was however potetial problem when it had any atomic64_t which
+use LLOCKD/SCONDD instructions which are required by ISA to take
+64-bit addresses. This is the problem we ran into
+
+[ 4.015732] EXT4-fs (mmcblk0p2): re-mounted. Opts: (null)
+[ 4.167881] Misaligned Access
+[ 4.172356] Path: /bin/busybox.nosuid
+[ 4.176004] CPU: 2 PID: 171 Comm: rm Not tainted 4.19.14-yocto-standard #1
+[ 4.182851]
+[ 4.182851] [ECR ]: 0x000d0000 => Check Programmer's Manual
+[ 4.190061] [EFA ]: 0xbeaec3fc
+[ 4.190061] [BLINK ]: ext4_delete_entry+0x210/0x234
+[ 4.190061] [ERET ]: ext4_delete_entry+0x13e/0x234
+[ 4.202985] [STAT32]: 0x80080002 : IE K
+[ 4.207236] BTA: 0x9009329c SP: 0xbe5b1ec4 FP: 0x00000000
+[ 4.212790] LPS: 0x9074b118 LPE: 0x9074b120 LPC: 0x00000000
+[ 4.218348] r00: 0x00000040 r01: 0x00000021 r02: 0x00000001
+...
+...
+[ 4.270510] Stack Trace:
+[ 4.274510] ext4_delete_entry+0x13e/0x234
+[ 4.278695] ext4_rmdir+0xe0/0x238
+[ 4.282187] vfs_rmdir+0x50/0xf0
+[ 4.285492] do_rmdir+0x9e/0x154
+[ 4.288802] EV_Trap+0x110/0x114
+
+The fix is to make sure slab allocations are 64-bit aligned.
+
+Do note that atomic64_t is __attribute__((aligned(8)) which means gcc
+does generate 64-bit aligned references, relative to beginning of
+container struct. However the issue is if the container itself is not
+64-bit aligned, atomic64_t ends up unaligned which is what this patch
+ensures.
+
+[1] https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/wiki/files/ARCv2_ABI.pdf
+
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Cc: <stable@vger.kernel.org> # 4.8+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+[vgupta: reworked changelog, added dependency on LL64+LLSC]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/cache.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/arc/include/asm/cache.h
++++ b/arch/arc/include/asm/cache.h
+@@ -52,6 +52,17 @@
+ #define cache_line_size() SMP_CACHE_BYTES
+ #define ARCH_DMA_MINALIGN SMP_CACHE_BYTES
+
++/*
++ * Make sure slab-allocated buffers are 64-bit aligned when atomic64_t uses
++ * ARCv2 64-bit atomics (LLOCKD/SCONDD). This guarantess runtime 64-bit
++ * alignment for any atomic64_t embedded in buffer.
++ * Default ARCH_SLAB_MINALIGN is __alignof__(long long) which has a relaxed
++ * value of 4 (and not 8) in ARC ABI.
++ */
++#if defined(CONFIG_ARC_HAS_LL64) && defined(CONFIG_ARC_HAS_LLSC)
++#define ARCH_SLAB_MINALIGN 8
++#endif
++
+ extern void arc_cache_init(void);
+ extern char *arc_cache_mumbojumbo(int cpu_id, char *buf, int len);
+ extern void read_decode_cache_bcr(void);
--- /dev/null
+From a66f2e57bd566240d8b3884eedf503928fbbe557 Mon Sep 17 00:00:00 2001
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Thu, 14 Feb 2019 18:07:44 +0300
+Subject: ARC: U-boot: check arguments paranoidly
+
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+
+commit a66f2e57bd566240d8b3884eedf503928fbbe557 upstream.
+
+Handle U-boot arguments paranoidly:
+ * don't allow to pass unknown tag.
+ * try to use external device tree blob only if corresponding tag
+ (TAG_DTB) is set.
+ * don't check uboot_tag if kernel build with no ARC_UBOOT_SUPPORT.
+
+NOTE:
+If U-boot args are invalid we skip them and try to use embedded device
+tree blob. We can't panic on invalid U-boot args as we really pass
+invalid args due to bug in U-boot code.
+This happens if we don't provide external DTB to U-boot and
+don't set 'bootargs' U-boot environment variable (which is default
+case at least for HSDK board) In that case we will pass
+{r0 = 1 (bootargs in r2); r1 = 0; r2 = 0;} to linux which is invalid.
+
+While I'm at it refactor U-boot arguments handling code.
+
+Cc: stable@vger.kernel.org
+Tested-by: Corentin LABBE <clabbe@baylibre.com>
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/kernel/head.S | 4 +-
+ arch/arc/kernel/setup.c | 89 +++++++++++++++++++++++++++++++++---------------
+ 2 files changed, 65 insertions(+), 28 deletions(-)
+
+--- a/arch/arc/kernel/head.S
++++ b/arch/arc/kernel/head.S
+@@ -103,9 +103,9 @@ ENTRY(stext)
+ #ifdef CONFIG_ARC_UBOOT_SUPPORT
+ ; Uboot - kernel ABI
+ ; r0 = [0] No uboot interaction, [1] cmdline in r2, [2] DTB in r2
+- ; r1 = magic number (board identity, unused as of now
++ ; r1 = magic number (always zero as of now)
+ ; r2 = pointer to uboot provided cmdline or external DTB in mem
+- ; These are handled later in setup_arch()
++ ; These are handled later in handle_uboot_args()
+ st r0, [@uboot_tag]
+ st r2, [@uboot_arg]
+ #endif
+--- a/arch/arc/kernel/setup.c
++++ b/arch/arc/kernel/setup.c
+@@ -452,43 +452,80 @@ void setup_processor(void)
+ arc_chk_core_config();
+ }
+
+-static inline int is_kernel(unsigned long addr)
++static inline bool uboot_arg_invalid(unsigned long addr)
+ {
+- if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
+- return 1;
+- return 0;
++ /*
++ * Check that it is a untranslated address (although MMU is not enabled
++ * yet, it being a high address ensures this is not by fluke)
++ */
++ if (addr < PAGE_OFFSET)
++ return true;
++
++ /* Check that address doesn't clobber resident kernel image */
++ return addr >= (unsigned long)_stext && addr <= (unsigned long)_end;
+ }
+
+-void __init setup_arch(char **cmdline_p)
++#define IGNORE_ARGS "Ignore U-boot args: "
++
++/* uboot_tag values for U-boot - kernel ABI revision 0; see head.S */
++#define UBOOT_TAG_NONE 0
++#define UBOOT_TAG_CMDLINE 1
++#define UBOOT_TAG_DTB 2
++
++void __init handle_uboot_args(void)
+ {
++ bool use_embedded_dtb = true;
++ bool append_cmdline = false;
++
+ #ifdef CONFIG_ARC_UBOOT_SUPPORT
+- /* make sure that uboot passed pointer to cmdline/dtb is valid */
+- if (uboot_tag && is_kernel((unsigned long)uboot_arg))
+- panic("Invalid uboot arg\n");
+-
+- /* See if u-boot passed an external Device Tree blob */
+- machine_desc = setup_machine_fdt(uboot_arg); /* uboot_tag == 2 */
+- if (!machine_desc)
++ /* check that we know this tag */
++ if (uboot_tag != UBOOT_TAG_NONE &&
++ uboot_tag != UBOOT_TAG_CMDLINE &&
++ uboot_tag != UBOOT_TAG_DTB) {
++ pr_warn(IGNORE_ARGS "invalid uboot tag: '%08x'\n", uboot_tag);
++ goto ignore_uboot_args;
++ }
++
++ if (uboot_tag != UBOOT_TAG_NONE &&
++ uboot_arg_invalid((unsigned long)uboot_arg)) {
++ pr_warn(IGNORE_ARGS "invalid uboot arg: '%px'\n", uboot_arg);
++ goto ignore_uboot_args;
++ }
++
++ /* see if U-boot passed an external Device Tree blob */
++ if (uboot_tag == UBOOT_TAG_DTB) {
++ machine_desc = setup_machine_fdt((void *)uboot_arg);
++
++ /* external Device Tree blob is invalid - use embedded one */
++ use_embedded_dtb = !machine_desc;
++ }
++
++ if (uboot_tag == UBOOT_TAG_CMDLINE)
++ append_cmdline = true;
++
++ignore_uboot_args:
+ #endif
+- {
+- /* No, so try the embedded one */
++
++ if (use_embedded_dtb) {
+ machine_desc = setup_machine_fdt(__dtb_start);
+ if (!machine_desc)
+ panic("Embedded DT invalid\n");
++ }
+
+- /*
+- * If we are here, it is established that @uboot_arg didn't
+- * point to DT blob. Instead if u-boot says it is cmdline,
+- * append to embedded DT cmdline.
+- * setup_machine_fdt() would have populated @boot_command_line
+- */
+- if (uboot_tag == 1) {
+- /* Ensure a whitespace between the 2 cmdlines */
+- strlcat(boot_command_line, " ", COMMAND_LINE_SIZE);
+- strlcat(boot_command_line, uboot_arg,
+- COMMAND_LINE_SIZE);
+- }
++ /*
++ * NOTE: @boot_command_line is populated by setup_machine_fdt() so this
++ * append processing can only happen after.
++ */
++ if (append_cmdline) {
++ /* Ensure a whitespace between the 2 cmdlines */
++ strlcat(boot_command_line, " ", COMMAND_LINE_SIZE);
++ strlcat(boot_command_line, uboot_arg, COMMAND_LINE_SIZE);
+ }
++}
++
++void __init setup_arch(char **cmdline_p)
++{
++ handle_uboot_args();
+
+ /* Save unparsed command line copy for /proc/cmdline */
+ *cmdline_p = boot_command_line;
--- /dev/null
+From 252f6e8eae909bc075a1b1e3b9efb095ae4c0b56 Mon Sep 17 00:00:00 2001
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Wed, 16 Jan 2019 14:29:50 +0300
+Subject: ARCv2: Enable unaligned access in early ASM code
+
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+
+commit 252f6e8eae909bc075a1b1e3b9efb095ae4c0b56 upstream.
+
+It is currently done in arc_init_IRQ() which might be too late
+considering gcc 7.3.1 onwards (GNU 2018.03) generates unaligned
+memory accesses by default
+
+Cc: stable@vger.kernel.org #4.4+
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+[vgupta: rewrote changelog]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/kernel/head.S | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arc/kernel/head.S
++++ b/arch/arc/kernel/head.S
+@@ -17,6 +17,7 @@
+ #include <asm/entry.h>
+ #include <asm/arcregs.h>
+ #include <asm/cache.h>
++#include <asm/irqflags.h>
+
+ .macro CPU_EARLY_SETUP
+
+@@ -47,6 +48,15 @@
+ sr r5, [ARC_REG_DC_CTRL]
+
+ 1:
++
++#ifdef CONFIG_ISA_ARCV2
++ ; Unaligned access is disabled at reset, so re-enable early as
++ ; gcc 7.3.1 (ARC GNU 2018.03) onwards generates unaligned access
++ ; by default
++ lr r5, [status32]
++ bset r5, r5, STATUS_AD_BIT
++ kflag r5
++#endif
+ .endm
+
+ .section .init.text, "ax",@progbits
--- /dev/null
+From 1b328a2e095a009518ebac05e937cc0fc242fede Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Tue, 19 Feb 2019 17:51:14 +0100
+Subject: clk: at91: fix at91sam9x5 peripheral clock number
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+commit 1b328a2e095a009518ebac05e937cc0fc242fede upstream.
+
+nck() looks at the last id in an array and unfortunately,
+at91sam9x35_periphck has a sentinel, hence the id is 0 and the calculated
+number of peripheral clocks is 1 instead of a maximum of 31.
+
+Fixes: 1eabdc2f9dd8 ("clk: at91: add at91sam9x5 PMCs driver")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: <stable@vger.kernel.org> # v4.20+
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/at91/at91sam9x5.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/clk/at91/at91sam9x5.c
++++ b/drivers/clk/at91/at91sam9x5.c
+@@ -144,8 +144,7 @@ static void __init at91sam9x5_pmc_setup(
+ return;
+
+ at91sam9x5_pmc = pmc_data_allocate(PMC_MAIN + 1,
+- nck(at91sam9x5_systemck),
+- nck(at91sam9x35_periphck), 0);
++ nck(at91sam9x5_systemck), 31, 0);
+ if (!at91sam9x5_pmc)
+ return;
+
--- /dev/null
+From 65a91e2e597dea62a798a8b771edc44859037e7f Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Fri, 8 Feb 2019 15:40:59 +0100
+Subject: clk: at91: fix masterck name
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+commit 65a91e2e597dea62a798a8b771edc44859037e7f upstream.
+
+The master clock is actually named masterck earlier in the driver. Having
+"mck" in the parent list means that it can never be selected.
+
+Fixes: 1eabdc2f9dd8 ("clk: at91: add at91sam9x5 PMCs driver")
+Fixes: a2038077de9a ("clk: at91: add sama5d2 PMC driver")
+Fixes: 084b696bb509 ("clk: at91: add sama5d4 pmc driver")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: <stable@vger.kernel.org> # v4.20+
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/at91/at91sam9x5.c | 2 +-
+ drivers/clk/at91/sama5d2.c | 4 ++--
+ drivers/clk/at91/sama5d4.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/at91/at91sam9x5.c
++++ b/drivers/clk/at91/at91sam9x5.c
+@@ -210,7 +210,7 @@ static void __init at91sam9x5_pmc_setup(
+ parent_names[1] = "mainck";
+ parent_names[2] = "plladivck";
+ parent_names[3] = "utmick";
+- parent_names[4] = "mck";
++ parent_names[4] = "masterck";
+ for (i = 0; i < 2; i++) {
+ char name[6];
+
+--- a/drivers/clk/at91/sama5d2.c
++++ b/drivers/clk/at91/sama5d2.c
+@@ -240,7 +240,7 @@ static void __init sama5d2_pmc_setup(str
+ parent_names[1] = "mainck";
+ parent_names[2] = "plladivck";
+ parent_names[3] = "utmick";
+- parent_names[4] = "mck";
++ parent_names[4] = "masterck";
+ for (i = 0; i < 3; i++) {
+ char name[6];
+
+@@ -291,7 +291,7 @@ static void __init sama5d2_pmc_setup(str
+ parent_names[1] = "mainck";
+ parent_names[2] = "plladivck";
+ parent_names[3] = "utmick";
+- parent_names[4] = "mck";
++ parent_names[4] = "masterck";
+ parent_names[5] = "audiopll_pmcck";
+ for (i = 0; i < ARRAY_SIZE(sama5d2_gck); i++) {
+ hw = at91_clk_register_generated(regmap, &pmc_pcr_lock,
+--- a/drivers/clk/at91/sama5d4.c
++++ b/drivers/clk/at91/sama5d4.c
+@@ -207,7 +207,7 @@ static void __init sama5d4_pmc_setup(str
+ parent_names[1] = "mainck";
+ parent_names[2] = "plladivck";
+ parent_names[3] = "utmick";
+- parent_names[4] = "mck";
++ parent_names[4] = "masterck";
+ for (i = 0; i < 3; i++) {
+ char name[6];
+
--- /dev/null
+From 8cbd468bdeb5ed3acac2d7a9f7494d5b77e46297 Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Sat, 16 Feb 2019 11:31:48 -0500
+Subject: cpufreq: scmi: Fix use-after-free in scmi_cpufreq_exit()
+
+From: Yangtao Li <tiny.windzz@gmail.com>
+
+commit 8cbd468bdeb5ed3acac2d7a9f7494d5b77e46297 upstream.
+
+This issue was detected with the help of Coccinelle. So
+change the order of function calls to fix it.
+
+Fixes: 1690d8bb91e37 (cpufreq: scpi/scmi: Fix freeing of dynamic OPPs)
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/scmi-cpufreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/scmi-cpufreq.c
++++ b/drivers/cpufreq/scmi-cpufreq.c
+@@ -187,8 +187,8 @@ static int scmi_cpufreq_exit(struct cpuf
+
+ cpufreq_cooling_unregister(priv->cdev);
+ dev_pm_opp_free_cpufreq_table(priv->cpu_dev, &policy->freq_table);
+- kfree(priv);
+ dev_pm_opp_remove_all_dynamic(priv->cpu_dev);
++ kfree(priv);
+
+ return 0;
+ }
--- /dev/null
+From d2f0b53bda3193874f3905bc839888f895d1c0cf Mon Sep 17 00:00:00 2001
+From: "Leo (Hanghong) Ma" <hanghong.ma@amd.com>
+Date: Thu, 24 Jan 2019 15:07:52 -0500
+Subject: drm/amd/display: Fix MST reboot/poweroff sequence
+
+From: Leo (Hanghong) Ma <hanghong.ma@amd.com>
+
+commit d2f0b53bda3193874f3905bc839888f895d1c0cf upstream.
+
+[Why]
+
+drm_dp_mst_topology_mgr_suspend() is added into the new reboot
+sequence, which disables the UP request at the beginning.
+Therefore sideband messages are blocked.
+
+[How]
+
+Finish MST sideband message transaction before UP request is
+suppressed.
+
+Signed-off-by: Leo (Hanghong) Ma <hanghong.ma@amd.com>
+Reviewed-by: Roman Li <Roman.Li@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -704,12 +704,13 @@ static int dm_suspend(void *handle)
+ struct amdgpu_display_manager *dm = &adev->dm;
+ int ret = 0;
+
++ WARN_ON(adev->dm.cached_state);
++ adev->dm.cached_state = drm_atomic_helper_suspend(adev->ddev);
++
+ s3_handle_mst(adev->ddev, true);
+
+ amdgpu_dm_irq_suspend(adev);
+
+- WARN_ON(adev->dm.cached_state);
+- adev->dm.cached_state = drm_atomic_helper_suspend(adev->ddev);
+
+ dc_set_power_state(dm->dc, DC_ACPI_CM_POWER_STATE_D3);
+
--- /dev/null
+From a213c2c7e235cfc0e0a161a558f7fdf2fb3a624a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <ckoenig.leichtzumerken@gmail.com>
+Date: Wed, 20 Feb 2019 15:16:06 +0100
+Subject: drm/amdgpu: disable bulk moves for now
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <ckoenig.leichtzumerken@gmail.com>
+
+commit a213c2c7e235cfc0e0a161a558f7fdf2fb3a624a upstream.
+
+The changes to fix those are two invasive for backporting.
+
+Just disable the feature in 4.20 and 5.0.
+
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Cc: <stable@vger.kernel.org> [4.20+]
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -637,12 +637,14 @@ void amdgpu_vm_move_to_lru_tail(struct a
+ struct ttm_bo_global *glob = adev->mman.bdev.glob;
+ struct amdgpu_vm_bo_base *bo_base;
+
++#if 0
+ if (vm->bulk_moveable) {
+ spin_lock(&glob->lru_lock);
+ ttm_bo_bulk_move_lru_tail(&vm->lru_bulk_move);
+ spin_unlock(&glob->lru_lock);
+ return;
+ }
++#endif
+
+ memset(&vm->lru_bulk_move, 0, sizeof(vm->lru_bulk_move));
+
--- /dev/null
+From d33158530660bc89be3cc870a2152e4e9a76cac7 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 18 Feb 2019 17:11:38 -0500
+Subject: drm/amdgpu: Set DPM_FLAG_NEVER_SKIP when enabling PM-runtime
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit d33158530660bc89be3cc870a2152e4e9a76cac7 upstream.
+
+Based on a similar patch from Rafael for radeon.
+
+When using ATPX to control dGPU power, the state is not retained
+across suspend and resume cycles by default. This can probably
+be loosened for Hybrid Graphics (_PR3) laptops where I think the
+state is properly retained.
+
+Fixes: c62ec4610c40 ("PM / core: Fix direct_complete handling for devices with no callbacks")
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -212,6 +212,7 @@ int amdgpu_driver_load_kms(struct drm_de
+ }
+
+ if (amdgpu_device_is_px(dev)) {
++ dev_pm_set_driver_flags(dev->dev, DPM_FLAG_NEVER_SKIP);
+ pm_runtime_use_autosuspend(dev->dev);
+ pm_runtime_set_autosuspend_delay(dev->dev, 5000);
+ pm_runtime_set_active(dev->dev);
--- /dev/null
+From d179b88deb3bf6fed4991a31fd6f0f2cad21fab5 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Fri, 15 Feb 2019 12:30:19 +0000
+Subject: drm/i915/fbdev: Actually configure untiled displays
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit d179b88deb3bf6fed4991a31fd6f0f2cad21fab5 upstream.
+
+If we skipped all the connectors that were not part of a tile, we would
+leave conn_seq=0 and conn_configured=0, convincing ourselves that we
+had stagnated in our configuration attempts. Avoid this situation by
+starting conn_seq=ALL_CONNECTORS, and repeating until we find no more
+connectors to configure.
+
+Fixes: 754a76591b12 ("drm/i915/fbdev: Stop repeating tile configuration on stagnation")
+Reported-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190215123019.32283-1-chris@chris-wilson.co.uk
+Cc: <stable@vger.kernel.org> # v3.19+
+(cherry picked from commit d9b308b1f8a1acc0c3279f443d4fe0f9f663252e)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_fbdev.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_fbdev.c
++++ b/drivers/gpu/drm/i915/intel_fbdev.c
+@@ -336,8 +336,8 @@ static bool intel_fb_initial_config(stru
+ bool *enabled, int width, int height)
+ {
+ struct drm_i915_private *dev_priv = to_i915(fb_helper->dev);
+- unsigned long conn_configured, conn_seq, mask;
+ unsigned int count = min(fb_helper->connector_count, BITS_PER_LONG);
++ unsigned long conn_configured, conn_seq;
+ int i, j;
+ bool *save_enabled;
+ bool fallback = true, ret = true;
+@@ -355,10 +355,9 @@ static bool intel_fb_initial_config(stru
+ drm_modeset_backoff(&ctx);
+
+ memcpy(save_enabled, enabled, count);
+- mask = GENMASK(count - 1, 0);
++ conn_seq = GENMASK(count - 1, 0);
+ conn_configured = 0;
+ retry:
+- conn_seq = conn_configured;
+ for (i = 0; i < count; i++) {
+ struct drm_fb_helper_connector *fb_conn;
+ struct drm_connector *connector;
+@@ -371,7 +370,8 @@ retry:
+ if (conn_configured & BIT(i))
+ continue;
+
+- if (conn_seq == 0 && !connector->has_tile)
++ /* First pass, only consider tiled connectors */
++ if (conn_seq == GENMASK(count - 1, 0) && !connector->has_tile)
+ continue;
+
+ if (connector->status == connector_status_connected)
+@@ -475,8 +475,10 @@ retry:
+ conn_configured |= BIT(i);
+ }
+
+- if ((conn_configured & mask) != mask && conn_configured != conn_seq)
++ if (conn_configured != conn_seq) { /* repeat until no more are found */
++ conn_seq = conn_configured;
+ goto retry;
++ }
+
+ /*
+ * If the BIOS didn't enable everything it could, fall back to have the
--- /dev/null
+From 450d007d199e632a1a4c4b91302deacd7d56815f Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 14 Feb 2019 23:46:19 +0100
+Subject: gpu: drm: radeon: Set DPM_FLAG_NEVER_SKIP when enabling PM-runtime
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 450d007d199e632a1a4c4b91302deacd7d56815f upstream.
+
+On HP ProBook 4540s, if PM-runtime is enabled in the radeon driver
+and the direct-complete optimization is used for the radeon device
+during system-wide suspend, the system doesn't resume.
+
+Preventing direct-complete from being used with the radeon device by
+setting the DPM_FLAG_NEVER_SKIP driver flag for it makes the problem
+go away, which indicates that direct-complete is not safe for the
+radeon driver in general and should not be used with it (at least
+for now).
+
+This fixes a regression introduced by commit c62ec4610c40
+("PM / core: Fix direct_complete handling for devices with no
+callbacks") which allowed direct-complete to be applied to
+devices without PM callbacks (again) which in turn unlocked
+direct-complete for radeon on HP ProBook 4540s.
+
+Fixes: c62ec4610c40 ("PM / core: Fix direct_complete handling for devices with no callbacks")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=201519
+Reported-by: Ярослав Семченко <ukrkyi@gmail.com>
+Tested-by: Ярослав Семченко <ukrkyi@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_kms.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -172,6 +172,7 @@ int radeon_driver_load_kms(struct drm_de
+ }
+
+ if (radeon_is_px(dev)) {
++ dev_pm_set_driver_flags(dev->dev, DPM_FLAG_NEVER_SKIP);
+ pm_runtime_use_autosuspend(dev->dev);
+ pm_runtime_set_autosuspend_delay(dev->dev, 5000);
+ pm_runtime_set_active(dev->dev);
--- /dev/null
+From ede0fa98a900e657d1fcd80b50920efc896c1a4c Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 22 Feb 2019 15:36:18 +0000
+Subject: KEYS: always initialize keyring_index_key::desc_len
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit ede0fa98a900e657d1fcd80b50920efc896c1a4c upstream.
+
+syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin()
+called from construct_alloc_key() during sys_request_key(), because the
+length of the key description was never calculated.
+
+The problem is that we rely on ->desc_len being initialized by
+search_process_keyrings(), specifically by search_nested_keyrings().
+But, if the process isn't subscribed to any keyrings that never happens.
+
+Fix it by always initializing keyring_index_key::desc_len as soon as the
+description is set, like we already do in some places.
+
+The following program reproduces the BUG_ON() when it's run as root and
+no session keyring has been installed. If it doesn't work, try removing
+pam_keyinit.so from /etc/pam.d/login and rebooting.
+
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <keyutils.h>
+
+ int main(void)
+ {
+ int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING);
+
+ keyctl_setperm(id, KEY_OTH_WRITE);
+ setreuid(5000, 5000);
+ request_key("user", "desc", "", id);
+ }
+
+Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/keyring.c | 4 +---
+ security/keys/proc.c | 3 +--
+ security/keys/request_key.c | 1 +
+ security/keys/request_key_auth.c | 2 +-
+ 4 files changed, 4 insertions(+), 6 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -661,9 +661,6 @@ static bool search_nested_keyrings(struc
+ BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
+ (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
+
+- if (ctx->index_key.description)
+- ctx->index_key.desc_len = strlen(ctx->index_key.description);
+-
+ /* Check to see if this top-level keyring is what we are looking for
+ * and whether it is valid or not.
+ */
+@@ -914,6 +911,7 @@ key_ref_t keyring_search(key_ref_t keyri
+ struct keyring_search_context ctx = {
+ .index_key.type = type,
+ .index_key.description = description,
++ .index_key.desc_len = strlen(description),
+ .cred = current_cred(),
+ .match_data.cmp = key_default_cmp,
+ .match_data.raw_data = description,
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -166,8 +166,7 @@ static int proc_keys_show(struct seq_fil
+ int rc;
+
+ struct keyring_search_context ctx = {
+- .index_key.type = key->type,
+- .index_key.description = key->description,
++ .index_key = key->index_key,
+ .cred = m->file->f_cred,
+ .match_data.cmp = lookup_user_key_possessed,
+ .match_data.raw_data = key,
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -545,6 +545,7 @@ struct key *request_key_and_link(struct
+ struct keyring_search_context ctx = {
+ .index_key.type = type,
+ .index_key.description = description,
++ .index_key.desc_len = strlen(description),
+ .cred = current_cred(),
+ .match_data.cmp = key_default_cmp,
+ .match_data.raw_data = description,
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -246,7 +246,7 @@ struct key *key_get_instantiation_authke
+ struct key *authkey;
+ key_ref_t authkey_ref;
+
+- sprintf(description, "%x", target_id);
++ ctx.index_key.desc_len = sprintf(description, "%x", target_id);
+
+ authkey_ref = search_process_keyrings(&ctx);
+
--- /dev/null
+From cc1780fc42c76c705dd07ea123f1143dc5057630 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 20 Feb 2019 13:32:11 +0000
+Subject: KEYS: user: Align the payload buffer
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit cc1780fc42c76c705dd07ea123f1143dc5057630 upstream.
+
+Align the payload of "user" and "logon" keys so that users of the
+keyrings service can access it as a struct that requires more than
+2-byte alignment. fscrypt currently does this which results in the read
+of fscrypt_key::size being misaligned as it needs 4-byte alignment.
+
+Align to __alignof__(u64) rather than __alignof__(long) since in the
+future it's conceivable that people would use structs beginning with
+u64, which on some platforms would require more than 'long' alignment.
+
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Fixes: 2aa349f6e37c ("[PATCH] Keys: Export user-defined keyring operations")
+Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/keys/user-type.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/keys/user-type.h
++++ b/include/keys/user-type.h
+@@ -31,7 +31,7 @@
+ struct user_key_payload {
+ struct rcu_head rcu; /* RCU destructor */
+ unsigned short datalen; /* length of this data */
+- char data[0]; /* actual data */
++ char data[0] __aligned(__alignof__(u64)); /* actual data */
+ };
+
+ extern struct key_type key_type_user;
--- /dev/null
+From b7dc5a071ddf69c0350396b203cba32fe5bab510 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Sat, 16 Feb 2019 16:10:39 +0300
+Subject: parisc: Fix ptrace syscall number modification
+
+From: Dmitry V. Levin <ldv@altlinux.org>
+
+commit b7dc5a071ddf69c0350396b203cba32fe5bab510 upstream.
+
+Commit 910cd32e552e ("parisc: Fix and enable seccomp filter support")
+introduced a regression in ptrace-based syscall tampering: when tracer
+changes syscall number to -1, the kernel fails to initialize %r28 with
+-ENOSYS and subsequently fails to return the error code of the failed
+syscall to userspace.
+
+This erroneous behaviour could be observed with a simple strace syscall
+fault injection command which is expected to print something like this:
+
+$ strace -a0 -ewrite -einject=write:error=enospc echo hello
+write(1, "hello\n", 6) = -1 ENOSPC (No space left on device) (INJECTED)
+write(2, "echo: ", 6) = -1 ENOSPC (No space left on device) (INJECTED)
+write(2, "write error", 11) = -1 ENOSPC (No space left on device) (INJECTED)
+write(2, "\n", 1) = -1 ENOSPC (No space left on device) (INJECTED)
++++ exited with 1 +++
+
+After commit 910cd32e552ea09caa89cdbe328e468979b030dd it loops printing
+something like this instead:
+
+write(1, "hello\n", 6../strace: Failed to tamper with process 12345: unexpectedly got no error (return value 0, error 0)
+) = 0 (INJECTED)
+
+This bug was found by strace test suite.
+
+Fixes: 910cd32e552e ("parisc: Fix and enable seccomp filter support")
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+Tested-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/ptrace.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/arch/parisc/kernel/ptrace.c
++++ b/arch/parisc/kernel/ptrace.c
+@@ -308,15 +308,29 @@ long compat_arch_ptrace(struct task_stru
+
+ long do_syscall_trace_enter(struct pt_regs *regs)
+ {
+- if (test_thread_flag(TIF_SYSCALL_TRACE) &&
+- tracehook_report_syscall_entry(regs)) {
++ if (test_thread_flag(TIF_SYSCALL_TRACE)) {
++ int rc = tracehook_report_syscall_entry(regs);
++
+ /*
+- * Tracing decided this syscall should not happen or the
+- * debugger stored an invalid system call number. Skip
+- * the system call and the system call restart handling.
++ * As tracesys_next does not set %r28 to -ENOSYS
++ * when %r20 is set to -1, initialize it here.
+ */
+- regs->gr[20] = -1UL;
+- goto out;
++ regs->gr[28] = -ENOSYS;
++
++ if (rc) {
++ /*
++ * A nonzero return code from
++ * tracehook_report_syscall_entry() tells us
++ * to prevent the syscall execution. Skip
++ * the syscall call and the syscall restart handling.
++ *
++ * Note that the tracer may also just change
++ * regs->gr[20] to an invalid syscall number,
++ * that is handled by tracesys_next.
++ */
++ regs->gr[20] = -1UL;
++ return -1;
++ }
+ }
+
+ /* Do the secure computing check after ptrace. */
+@@ -340,7 +354,6 @@ long do_syscall_trace_enter(struct pt_re
+ regs->gr[24] & 0xffffffff,
+ regs->gr[23] & 0xffffffff);
+
+-out:
+ /*
+ * Sign extend the syscall number to 64bit since it may have been
+ * modified by a compat ptrace call
--- /dev/null
+From 48396e80fb6526ea5ed267bd84f028bae56d2f9e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 30 Jan 2019 14:05:55 -0800
+Subject: RDMA/srp: Rework SCSI device reset handling
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 48396e80fb6526ea5ed267bd84f028bae56d2f9e upstream.
+
+Since .scsi_done() must only be called after scsi_queue_rq() has
+finished, make sure that the SRP initiator driver does not call
+.scsi_done() while scsi_queue_rq() is in progress. Although
+invoking sg_reset -d while I/O is in progress works fine with kernel
+v4.20 and before, that is not the case with kernel v5.0-rc1. This
+patch avoids that the following crash is triggered with kernel
+v5.0-rc1:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000138
+CPU: 0 PID: 360 Comm: kworker/0:1H Tainted: G B 5.0.0-rc1-dbg+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+Workqueue: kblockd blk_mq_run_work_fn
+RIP: 0010:blk_mq_dispatch_rq_list+0x116/0xb10
+Call Trace:
+ blk_mq_sched_dispatch_requests+0x2f7/0x300
+ __blk_mq_run_hw_queue+0xd6/0x180
+ blk_mq_run_work_fn+0x27/0x30
+ process_one_work+0x4f1/0xa20
+ worker_thread+0x67/0x5b0
+ kthread+0x1cf/0x1f0
+ ret_from_fork+0x24/0x30
+
+Cc: <stable@vger.kernel.org>
+Fixes: 94a9174c630c ("IB/srp: reduce lock coverage of command completion")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -2942,7 +2942,6 @@ static int srp_reset_device(struct scsi_
+ {
+ struct srp_target_port *target = host_to_target(scmnd->device->host);
+ struct srp_rdma_ch *ch;
+- int i, j;
+ u8 status;
+
+ shost_printk(KERN_ERR, target->scsi_host, "SRP reset_device called\n");
+@@ -2954,15 +2953,6 @@ static int srp_reset_device(struct scsi_
+ if (status)
+ return FAILED;
+
+- for (i = 0; i < target->ch_count; i++) {
+- ch = &target->ch[i];
+- for (j = 0; j < target->req_ring_size; ++j) {
+- struct srp_request *req = &ch->req_ring[j];
+-
+- srp_finish_req(ch, req, scmnd->device, DID_RESET << 16);
+- }
+- }
+-
+ return SUCCESS;
+ }
+
--- /dev/null
+From 515ce60613128be7a176a8b82b20c7624f3b440d Mon Sep 17 00:00:00 2001
+From: Masato Suzuki <masato.suzuki@wdc.com>
+Date: Thu, 14 Feb 2019 15:01:18 +0900
+Subject: scsi: sd_zbc: Fix sd_zbc_report_zones() buffer allocation
+
+From: Masato Suzuki <masato.suzuki@wdc.com>
+
+commit 515ce60613128be7a176a8b82b20c7624f3b440d upstream.
+
+The function sd_zbc_do_report_zones() issues a REPORT ZONES command with a
+buffer size calculated based on the number of zones requested by the
+caller. This value should however not exceed the capabilities of the
+hardware maximum command size, that is, should not exceed the
+max_hw_sectors limit of the device. This problem leads to failures of
+report zones commands when re-validating disks with some SAS HBAs.
+
+Fix this by limiting a report zone command buffer size to the minimum of
+the device max_hw_sectors and calculated value based on the requested
+number of zones. This does not change the semantic of the report_zones file
+operation as report zones can always return less zone reports than
+requested. Short reports are handled using a loop execution of the
+report_zones file operation in the function blk_report_zones().
+
+[Damien]
+Before patch 'e76239a3748c ("block: add a report_zones method")', report
+zones buffer allocation was limited to max_sectors when allocated in
+blk_report_zones(). This however does not consider the actual format of the
+device reply which is interface dependent. Limiting the allocation based
+on the size of the expected reply format rather than the size of the array
+of generic sturct blkzone passed by blk_report_zones() makes more sense.
+
+Fixes: e76239a3748c ("block: add a report_zones method")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masato Suzuki <masato.suzuki@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd_zbc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/sd_zbc.c
++++ b/drivers/scsi/sd_zbc.c
+@@ -142,10 +142,12 @@ int sd_zbc_report_zones(struct gendisk *
+ return -EOPNOTSUPP;
+
+ /*
+- * Get a reply buffer for the number of requested zones plus a header.
+- * For ATA, buffers must be aligned to 512B.
++ * Get a reply buffer for the number of requested zones plus a header,
++ * without exceeding the device maximum command size. For ATA disks,
++ * buffers must be aligned to 512B.
+ */
+- buflen = roundup((nrz + 1) * 64, 512);
++ buflen = min(queue_max_hw_sectors(disk->queue) << 9,
++ roundup((nrz + 1) * 64, 512));
+ buf = kmalloc(buflen, gfp_mask);
+ if (!buf)
+ return -ENOMEM;
net_sched-fix-two-more-memory-leaks-in-cls_tcindex.patch
net-mlx5e-fpga-fix-innova-ipsec-tx-offload-data-path-performance.patch
net-mlx5e-xdp-fix-redirect-resources-availability-check.patch
+scsi-sd_zbc-fix-sd_zbc_report_zones-buffer-allocation.patch
+rdma-srp-rework-scsi-device-reset-handling.patch
+keys-user-align-the-payload-buffer.patch
+keys-always-initialize-keyring_index_key-desc_len.patch
+clk-at91-fix-masterck-name.patch
+clk-at91-fix-at91sam9x5-peripheral-clock-number.patch
+parisc-fix-ptrace-syscall-number-modification.patch
+arcv2-enable-unaligned-access-in-early-asm-code.patch
+arc-u-boot-check-arguments-paranoidly.patch
+arc-define-arch_slab_minalign-8.patch
+cpufreq-scmi-fix-use-after-free-in-scmi_cpufreq_exit.patch
+drm-amdgpu-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch
+gpu-drm-radeon-set-dpm_flag_never_skip-when-enabling-pm-runtime.patch
+drm-i915-fbdev-actually-configure-untiled-displays.patch
+drm-amdgpu-disable-bulk-moves-for-now.patch
+drm-amd-display-fix-mst-reboot-poweroff-sequence.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
