--- /dev/null
+From 2d510ae90e4ced0d2b593f02758fc6473233c3e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 May 2020 12:40:11 +0300
+Subject: ALSA: isa/wavefront: prevent out of bounds write in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7f0d5053c5a9d23fe5c2d337495a9d79038d267b ]
+
+The "header->number" comes from the ioctl and it needs to be clamped to
+prevent out of bounds writes.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20200501094011.GA960082@mwanda
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/wavefront/wavefront_synth.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
+index 718d5e3b7806f..6c06d06457796 100644
+--- a/sound/isa/wavefront/wavefront_synth.c
++++ b/sound/isa/wavefront/wavefront_synth.c
+@@ -1174,7 +1174,10 @@ wavefront_send_alias (snd_wavefront_t *dev, wavefront_patch_info *header)
+ "alias for %d\n",
+ header->number,
+ header->hdr.a.OriginalSample);
+-
++
++ if (header->number >= WF_MAX_SAMPLE)
++ return -EINVAL;
++
+ munge_int32 (header->number, &alias_hdr[0], 2);
+ munge_int32 (header->hdr.a.OriginalSample, &alias_hdr[2], 2);
+ munge_int32 (*((unsigned int *)&header->hdr.a.sampleStartOffset),
+@@ -1205,6 +1208,9 @@ wavefront_send_multisample (snd_wavefront_t *dev, wavefront_patch_info *header)
+ int num_samples;
+ unsigned char *msample_hdr;
+
++ if (header->number >= WF_MAX_SAMPLE)
++ return -EINVAL;
++
+ msample_hdr = kmalloc(WF_MSAMPLE_BYTES, GFP_KERNEL);
+ if (! msample_hdr)
+ return -ENOMEM;
+--
+2.25.1
+
--- /dev/null
+From 333a6a79ab416d981c7799c9a042f479f77eb242 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 05:24:48 +0300
+Subject: ALSA: usb-audio: Improve frames size computation
+
+From: Alexander Tsoy <alexander@tsoy.me>
+
+[ Upstream commit f0bd62b64016508938df9babe47f65c2c727d25c ]
+
+For computation of the the next frame size current value of fs/fps and
+accumulated fractional parts of fs/fps are used, where values are stored
+in Q16.16 format. This is quite natural for computing frame size for
+asynchronous endpoints driven by explicit feedback, since in this case
+fs/fps is a value provided by the feedback endpoint and it's already in
+the Q format. If an error is accumulated over time, the device can
+adjust fs/fps value to prevent buffer overruns/underruns.
+
+But for synchronous endpoints the accuracy provided by these computations
+is not enough. Due to accumulated error the driver periodically produces
+frames with incorrect size (+/- 1 audio sample).
+
+This patch fixes this issue by implementing a different algorithm for
+frame size computation. It is based on accumulating of the remainders
+from division fs/fps and it doesn't accumulate errors over time. This
+new method is enabled for synchronous and adaptive playback endpoints.
+
+Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
+Link: https://lore.kernel.org/r/20200424022449.14972-1-alexander@tsoy.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/card.h | 4 ++++
+ sound/usb/endpoint.c | 43 ++++++++++++++++++++++++++++++++++++++-----
+ sound/usb/endpoint.h | 1 +
+ sound/usb/pcm.c | 2 ++
+ 4 files changed, 45 insertions(+), 5 deletions(-)
+
+diff --git a/sound/usb/card.h b/sound/usb/card.h
+index 71778ca4b26aa..844c688638105 100644
+--- a/sound/usb/card.h
++++ b/sound/usb/card.h
+@@ -80,6 +80,10 @@ struct snd_usb_endpoint {
+ dma_addr_t sync_dma; /* DMA address of syncbuf */
+
+ unsigned int pipe; /* the data i/o pipe */
++ unsigned int framesize[2]; /* small/large frame sizes in samples */
++ unsigned int sample_rem; /* remainder from division fs/fps */
++ unsigned int sample_accum; /* sample accumulator */
++ unsigned int fps; /* frames per second */
+ unsigned int freqn; /* nominal sampling rate in fs/fps in Q16.16 format */
+ unsigned int freqm; /* momentary sampling rate in fs/fps in Q16.16 format */
+ int freqshift; /* how much to shift the feedback value to get Q16.16 */
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index 66648b4bdd289..666731317b332 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -137,12 +137,12 @@ int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep)
+
+ /*
+ * For streaming based on information derived from sync endpoints,
+- * prepare_outbound_urb_sizes() will call next_packet_size() to
++ * prepare_outbound_urb_sizes() will call slave_next_packet_size() to
+ * determine the number of samples to be sent in the next packet.
+ *
+- * For implicit feedback, next_packet_size() is unused.
++ * For implicit feedback, slave_next_packet_size() is unused.
+ */
+-int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep)
++int snd_usb_endpoint_slave_next_packet_size(struct snd_usb_endpoint *ep)
+ {
+ unsigned long flags;
+ int ret;
+@@ -159,6 +159,29 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep)
+ return ret;
+ }
+
++/*
++ * For adaptive and synchronous endpoints, prepare_outbound_urb_sizes()
++ * will call next_packet_size() to determine the number of samples to be
++ * sent in the next packet.
++ */
++int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep)
++{
++ int ret;
++
++ if (ep->fill_max)
++ return ep->maxframesize;
++
++ ep->sample_accum += ep->sample_rem;
++ if (ep->sample_accum >= ep->fps) {
++ ep->sample_accum -= ep->fps;
++ ret = ep->framesize[1];
++ } else {
++ ret = ep->framesize[0];
++ }
++
++ return ret;
++}
++
+ static void retire_outbound_urb(struct snd_usb_endpoint *ep,
+ struct snd_urb_ctx *urb_ctx)
+ {
+@@ -203,6 +226,8 @@ static void prepare_silent_urb(struct snd_usb_endpoint *ep,
+
+ if (ctx->packet_size[i])
+ counts = ctx->packet_size[i];
++ else if (ep->sync_master)
++ counts = snd_usb_endpoint_slave_next_packet_size(ep);
+ else
+ counts = snd_usb_endpoint_next_packet_size(ep);
+
+@@ -879,10 +904,17 @@ int snd_usb_endpoint_set_params(struct snd_usb_endpoint *ep,
+ ep->maxpacksize = fmt->maxpacksize;
+ ep->fill_max = !!(fmt->attributes & UAC_EP_CS_ATTR_FILL_MAX);
+
+- if (snd_usb_get_speed(ep->chip->dev) == USB_SPEED_FULL)
++ if (snd_usb_get_speed(ep->chip->dev) == USB_SPEED_FULL) {
+ ep->freqn = get_usb_full_speed_rate(rate);
+- else
++ ep->fps = 1000;
++ } else {
+ ep->freqn = get_usb_high_speed_rate(rate);
++ ep->fps = 8000;
++ }
++
++ ep->sample_rem = rate % ep->fps;
++ ep->framesize[0] = rate / ep->fps;
++ ep->framesize[1] = (rate + (ep->fps - 1)) / ep->fps;
+
+ /* calculate the frequency in 16.16 format */
+ ep->freqm = ep->freqn;
+@@ -941,6 +973,7 @@ int snd_usb_endpoint_start(struct snd_usb_endpoint *ep)
+ ep->active_mask = 0;
+ ep->unlink_mask = 0;
+ ep->phase = 0;
++ ep->sample_accum = 0;
+
+ snd_usb_endpoint_start_quirk(ep);
+
+diff --git a/sound/usb/endpoint.h b/sound/usb/endpoint.h
+index 584f295d7c773..4aad49cbeb5f1 100644
+--- a/sound/usb/endpoint.h
++++ b/sound/usb/endpoint.h
+@@ -27,6 +27,7 @@ void snd_usb_endpoint_release(struct snd_usb_endpoint *ep);
+ void snd_usb_endpoint_free(struct snd_usb_endpoint *ep);
+
+ int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep);
++int snd_usb_endpoint_slave_next_packet_size(struct snd_usb_endpoint *ep);
+ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep);
+
+ void snd_usb_handle_sync_urb(struct snd_usb_endpoint *ep,
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index f84c55ecd0fb4..53d91cae86f96 100644
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -1473,6 +1473,8 @@ static void prepare_playback_urb(struct snd_usb_substream *subs,
+ for (i = 0; i < ctx->packets; i++) {
+ if (ctx->packet_size[i])
+ counts = ctx->packet_size[i];
++ else if (ep->sync_master)
++ counts = snd_usb_endpoint_slave_next_packet_size(ep);
+ else
+ counts = snd_usb_endpoint_next_packet_size(ep);
+
+--
+2.25.1
+
--- /dev/null
+From cd382348f9dc6ff8e334ab76ff519262006c81db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2020 22:12:46 +0800
+Subject: ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit 36124fb19f1ae68a500cd76a76d40c6e81bee346 ]
+
+fsl_asrc_dma_hw_params() invokes dma_request_channel() or
+fsl_asrc_get_dma_channel(), which returns a reference of the specified
+dma_chan object to "pair->dma_chan[dir]" with increased refcnt.
+
+The reference counting issue happens in one exception handling path of
+fsl_asrc_dma_hw_params(). When config DMA channel failed for Back-End,
+the function forgets to decrease the refcnt increased by
+dma_request_channel() or fsl_asrc_get_dma_channel(), causing a refcnt
+leak.
+
+Fix this issue by calling dma_release_channel() when config DMA channel
+failed.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Link: https://lore.kernel.org/r/1590415966-52416-1-git-send-email-xiyuyang19@fudan.edu.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_asrc_dma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/fsl/fsl_asrc_dma.c b/sound/soc/fsl/fsl_asrc_dma.c
+index ffc000bc1f15b..56a873ba08e47 100644
+--- a/sound/soc/fsl/fsl_asrc_dma.c
++++ b/sound/soc/fsl/fsl_asrc_dma.c
+@@ -243,6 +243,7 @@ static int fsl_asrc_dma_hw_params(struct snd_pcm_substream *substream,
+ ret = dmaengine_slave_config(pair->dma_chan[dir], &config_be);
+ if (ret) {
+ dev_err(dev, "failed to config DMA channel for Back-End\n");
++ dma_release_channel(pair->dma_chan[dir]);
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From d30a67b08497cf7fbcc04b692f70059891788c35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 00:53:30 +0800
+Subject: bcache: fix potential deadlock problem in btree_gc_coalesce
+
+From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+
+[ Upstream commit be23e837333a914df3f24bf0b32e87b0331ab8d1 ]
+
+coccicheck reports:
+ drivers/md//bcache/btree.c:1538:1-7: preceding lock on line 1417
+
+In btree_gc_coalesce func, if the coalescing process fails, we will goto
+to out_nocoalesce tag directly without releasing new_nodes[i]->write_lock.
+Then, it will cause a deadlock when trying to acquire new_nodes[i]->
+write_lock for freeing new_nodes[i] before return.
+
+btree_gc_coalesce func details as follows:
+ if alloc new_nodes[i] fails:
+ goto out_nocoalesce;
+ // obtain new_nodes[i]->write_lock
+ mutex_lock(&new_nodes[i]->write_lock)
+ // main coalescing process
+ for (i = nodes - 1; i > 0; --i)
+ [snipped]
+ if coalescing process fails:
+ // Here, directly goto out_nocoalesce
+ // tag will cause a deadlock
+ goto out_nocoalesce;
+ [snipped]
+ // release new_nodes[i]->write_lock
+ mutex_unlock(&new_nodes[i]->write_lock)
+ // coalesing succ, return
+ return;
+out_nocoalesce:
+ btree_node_free(new_nodes[i]) // free new_nodes[i]
+ // obtain new_nodes[i]->write_lock
+ mutex_lock(&new_nodes[i]->write_lock);
+ // set flag for reuse
+ clear_bit(BTREE_NODE_dirty, &ew_nodes[i]->flags);
+ // release new_nodes[i]->write_lock
+ mutex_unlock(&new_nodes[i]->write_lock);
+
+To fix the problem, we add a new tag 'out_unlock_nocoalesce' for
+releasing new_nodes[i]->write_lock before out_nocoalesce tag. If
+coalescing process fails, we will go to out_unlock_nocoalesce tag
+for releasing new_nodes[i]->write_lock before free new_nodes[i] in
+out_nocoalesce tag.
+
+(Coly Li helps to clean up commit log format.)
+
+Fixes: 2a285686c109816 ("bcache: btree locking rework")
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/btree.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
+index 5c93582c71cc6..634e9284b7bee 100644
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1375,7 +1375,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op,
+ if (__set_blocks(n1, n1->keys + n2->keys,
+ block_bytes(b->c)) >
+ btree_blocks(new_nodes[i]))
+- goto out_nocoalesce;
++ goto out_unlock_nocoalesce;
+
+ keys = n2->keys;
+ /* Take the key of the node we're getting rid of */
+@@ -1404,7 +1404,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op,
+
+ if (__bch_keylist_realloc(&keylist,
+ bkey_u64s(&new_nodes[i]->key)))
+- goto out_nocoalesce;
++ goto out_unlock_nocoalesce;
+
+ bch_btree_node_write(new_nodes[i], &cl);
+ bch_keylist_add(&keylist, &new_nodes[i]->key);
+@@ -1450,6 +1450,10 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op,
+ /* Invalidated our iterator */
+ return -EINTR;
+
++out_unlock_nocoalesce:
++ for (i = 0; i < nodes; i++)
++ mutex_unlock(&new_nodes[i]->write_lock);
++
+ out_nocoalesce:
+ closure_sync(&cl);
+ bch_keylist_free(&keylist);
+--
+2.25.1
+
--- /dev/null
+From 263d6b51ebac1b915881d3cd1c90390f55f04d68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 20:16:55 +0800
+Subject: block: Fix use-after-free in blkdev_get()
+
+From: Jason Yan <yanaijie@huawei.com>
+
+[ Upstream commit 2d3a8e2deddea6c89961c422ec0c5b851e648c14 ]
+
+In blkdev_get() we call __blkdev_get() to do some internal jobs and if
+there is some errors in __blkdev_get(), the bdput() is called which
+means we have released the refcount of the bdev (actually the refcount of
+the bdev inode). This means we cannot access bdev after that point. But
+acctually bdev is still accessed in blkdev_get() after calling
+__blkdev_get(). This results in use-after-free if the refcount is the
+last one we released in __blkdev_get(). Let's take a look at the
+following scenerio:
+
+ CPU0 CPU1 CPU2
+blkdev_open blkdev_open Remove disk
+ bd_acquire
+ blkdev_get
+ __blkdev_get del_gendisk
+ bdev_unhash_inode
+ bd_acquire bdev_get_gendisk
+ bd_forget failed because of unhashed
+ bdput
+ bdput (the last one)
+ bdev_evict_inode
+
+ access bdev => use after free
+
+[ 459.350216] BUG: KASAN: use-after-free in __lock_acquire+0x24c1/0x31b0
+[ 459.351190] Read of size 8 at addr ffff88806c815a80 by task syz-executor.0/20132
+[ 459.352347]
+[ 459.352594] CPU: 0 PID: 20132 Comm: syz-executor.0 Not tainted 4.19.90 #2
+[ 459.353628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+[ 459.354947] Call Trace:
+[ 459.355337] dump_stack+0x111/0x19e
+[ 459.355879] ? __lock_acquire+0x24c1/0x31b0
+[ 459.356523] print_address_description+0x60/0x223
+[ 459.357248] ? __lock_acquire+0x24c1/0x31b0
+[ 459.357887] kasan_report.cold+0xae/0x2d8
+[ 459.358503] __lock_acquire+0x24c1/0x31b0
+[ 459.359120] ? _raw_spin_unlock_irq+0x24/0x40
+[ 459.359784] ? lockdep_hardirqs_on+0x37b/0x580
+[ 459.360465] ? _raw_spin_unlock_irq+0x24/0x40
+[ 459.361123] ? finish_task_switch+0x125/0x600
+[ 459.361812] ? finish_task_switch+0xee/0x600
+[ 459.362471] ? mark_held_locks+0xf0/0xf0
+[ 459.363108] ? __schedule+0x96f/0x21d0
+[ 459.363716] lock_acquire+0x111/0x320
+[ 459.364285] ? blkdev_get+0xce/0xbe0
+[ 459.364846] ? blkdev_get+0xce/0xbe0
+[ 459.365390] __mutex_lock+0xf9/0x12a0
+[ 459.365948] ? blkdev_get+0xce/0xbe0
+[ 459.366493] ? bdev_evict_inode+0x1f0/0x1f0
+[ 459.367130] ? blkdev_get+0xce/0xbe0
+[ 459.367678] ? destroy_inode+0xbc/0x110
+[ 459.368261] ? mutex_trylock+0x1a0/0x1a0
+[ 459.368867] ? __blkdev_get+0x3e6/0x1280
+[ 459.369463] ? bdev_disk_changed+0x1d0/0x1d0
+[ 459.370114] ? blkdev_get+0xce/0xbe0
+[ 459.370656] blkdev_get+0xce/0xbe0
+[ 459.371178] ? find_held_lock+0x2c/0x110
+[ 459.371774] ? __blkdev_get+0x1280/0x1280
+[ 459.372383] ? lock_downgrade+0x680/0x680
+[ 459.373002] ? lock_acquire+0x111/0x320
+[ 459.373587] ? bd_acquire+0x21/0x2c0
+[ 459.374134] ? do_raw_spin_unlock+0x4f/0x250
+[ 459.374780] blkdev_open+0x202/0x290
+[ 459.375325] do_dentry_open+0x49e/0x1050
+[ 459.375924] ? blkdev_get_by_dev+0x70/0x70
+[ 459.376543] ? __x64_sys_fchdir+0x1f0/0x1f0
+[ 459.377192] ? inode_permission+0xbe/0x3a0
+[ 459.377818] path_openat+0x148c/0x3f50
+[ 459.378392] ? kmem_cache_alloc+0xd5/0x280
+[ 459.379016] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 459.379802] ? path_lookupat.isra.0+0x900/0x900
+[ 459.380489] ? __lock_is_held+0xad/0x140
+[ 459.381093] do_filp_open+0x1a1/0x280
+[ 459.381654] ? may_open_dev+0xf0/0xf0
+[ 459.382214] ? find_held_lock+0x2c/0x110
+[ 459.382816] ? lock_downgrade+0x680/0x680
+[ 459.383425] ? __lock_is_held+0xad/0x140
+[ 459.384024] ? do_raw_spin_unlock+0x4f/0x250
+[ 459.384668] ? _raw_spin_unlock+0x1f/0x30
+[ 459.385280] ? __alloc_fd+0x448/0x560
+[ 459.385841] do_sys_open+0x3c3/0x500
+[ 459.386386] ? filp_open+0x70/0x70
+[ 459.386911] ? trace_hardirqs_on_thunk+0x1a/0x1c
+[ 459.387610] ? trace_hardirqs_off_caller+0x55/0x1c0
+[ 459.388342] ? do_syscall_64+0x1a/0x520
+[ 459.388930] do_syscall_64+0xc3/0x520
+[ 459.389490] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 459.390248] RIP: 0033:0x416211
+[ 459.390720] Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83
+04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f
+ 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d
+ 01
+[ 459.393483] RSP: 002b:00007fe45dfe9a60 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
+[ 459.394610] RAX: ffffffffffffffda RBX: 00007fe45dfea6d4 RCX: 0000000000416211
+[ 459.395678] RDX: 00007fe45dfe9b0a RSI: 0000000000000002 RDI: 00007fe45dfe9b00
+[ 459.396758] RBP: 000000000076bf20 R08: 0000000000000000 R09: 000000000000000a
+[ 459.397930] R10: 0000000000000075 R11: 0000000000000293 R12: 00000000ffffffff
+[ 459.399022] R13: 0000000000000bd9 R14: 00000000004cdb80 R15: 000000000076bf2c
+[ 459.400168]
+[ 459.400430] Allocated by task 20132:
+[ 459.401038] kasan_kmalloc+0xbf/0xe0
+[ 459.401652] kmem_cache_alloc+0xd5/0x280
+[ 459.402330] bdev_alloc_inode+0x18/0x40
+[ 459.402970] alloc_inode+0x5f/0x180
+[ 459.403510] iget5_locked+0x57/0xd0
+[ 459.404095] bdget+0x94/0x4e0
+[ 459.404607] bd_acquire+0xfa/0x2c0
+[ 459.405113] blkdev_open+0x110/0x290
+[ 459.405702] do_dentry_open+0x49e/0x1050
+[ 459.406340] path_openat+0x148c/0x3f50
+[ 459.406926] do_filp_open+0x1a1/0x280
+[ 459.407471] do_sys_open+0x3c3/0x500
+[ 459.408010] do_syscall_64+0xc3/0x520
+[ 459.408572] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 459.409415]
+[ 459.409679] Freed by task 1262:
+[ 459.410212] __kasan_slab_free+0x129/0x170
+[ 459.410919] kmem_cache_free+0xb2/0x2a0
+[ 459.411564] rcu_process_callbacks+0xbb2/0x2320
+[ 459.412318] __do_softirq+0x225/0x8ac
+
+Fix this by delaying bdput() to the end of blkdev_get() which means we
+have finished accessing bdev.
+
+Fixes: 77ea887e433a ("implement in-kernel gendisk events handling")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/block_dev.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index 26bbaaefdff48..b2ebfd96785b7 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -1181,10 +1181,8 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
+ */
+ if (!for_part) {
+ ret = devcgroup_inode_permission(bdev->bd_inode, perm);
+- if (ret != 0) {
+- bdput(bdev);
++ if (ret != 0)
+ return ret;
+- }
+ }
+
+ restart:
+@@ -1253,8 +1251,10 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
+ goto out_clear;
+ BUG_ON(for_part);
+ ret = __blkdev_get(whole, mode, 1);
+- if (ret)
++ if (ret) {
++ bdput(whole);
+ goto out_clear;
++ }
+ bdev->bd_contains = whole;
+ bdev->bd_part = disk_get_part(disk, partno);
+ if (!(disk->flags & GENHD_FL_UP) ||
+@@ -1311,7 +1311,6 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
+ put_disk(disk);
+ module_put(owner);
+ out:
+- bdput(bdev);
+
+ return ret;
+ }
+@@ -1397,6 +1396,9 @@ int blkdev_get(struct block_device *bdev, fmode_t mode, void *holder)
+ bdput(whole);
+ }
+
++ if (res)
++ bdput(bdev);
++
+ return res;
+ }
+ EXPORT_SYMBOL(blkdev_get);
+--
+2.25.1
+
--- /dev/null
+From 68921457d934b387fd6b41fc8ba36fe1a5aecf4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Mar 2020 13:41:16 +0100
+Subject: clk: qcom: msm8916: Fix the address location of pll->config_reg
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit f47ab3c2f5338828a67e89d5f688d2cef9605245 ]
+
+During the process of debugging a processor derived from the msm8916 which
+we found the new processor was not starting one of its PLLs.
+
+After tracing the addresses and writes that downstream was doing and
+comparing to upstream it became obvious that we were writing to a different
+register location than downstream when trying to configure the PLL.
+
+This error is also present in upstream msm8916.
+
+As an example clk-pll.c::clk_pll_recalc_rate wants to write to
+pll->config_reg updating the bit-field POST_DIV_RATIO. That bit-field is
+defined in PLL_USER_CTL not in PLL_CONFIG_CTL. Taking the BIMC PLL as an
+example
+
+lm80-p0436-13_c_qc_snapdragon_410_processor_hrd.pdf
+
+0x01823010 GCC_BIMC_PLL_USER_CTL
+0x01823014 GCC_BIMC_PLL_CONFIG_CTL
+
+This pattern is repeated for gpll0, gpll1, gpll2 and bimc_pll.
+
+This error is likely not apparent since the bootloader will already have
+initialized these PLLs.
+
+This patch corrects the location of config_reg from PLL_CONFIG_CTL to
+PLL_USER_CTL for all relevant PLLs on msm8916.
+
+Fixes commit 3966fab8b6ab ("clk: qcom: Add MSM8916 Global Clock Controller support")
+
+Cc: Georgi Djakov <georgi.djakov@linaro.org>
+Cc: Andy Gross <agross@kernel.org>
+Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: Michael Turquette <mturquette@baylibre.com>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lkml.kernel.org/r/20200329124116.4185447-1-bryan.odonoghue@linaro.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-msm8916.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/qcom/gcc-msm8916.c b/drivers/clk/qcom/gcc-msm8916.c
+index 95a4dd290f35a..d7dd0417ef5e8 100644
+--- a/drivers/clk/qcom/gcc-msm8916.c
++++ b/drivers/clk/qcom/gcc-msm8916.c
+@@ -270,7 +270,7 @@ static struct clk_pll gpll0 = {
+ .l_reg = 0x21004,
+ .m_reg = 0x21008,
+ .n_reg = 0x2100c,
+- .config_reg = 0x21014,
++ .config_reg = 0x21010,
+ .mode_reg = 0x21000,
+ .status_reg = 0x2101c,
+ .status_bit = 17,
+@@ -297,7 +297,7 @@ static struct clk_pll gpll1 = {
+ .l_reg = 0x20004,
+ .m_reg = 0x20008,
+ .n_reg = 0x2000c,
+- .config_reg = 0x20014,
++ .config_reg = 0x20010,
+ .mode_reg = 0x20000,
+ .status_reg = 0x2001c,
+ .status_bit = 17,
+@@ -324,7 +324,7 @@ static struct clk_pll gpll2 = {
+ .l_reg = 0x4a004,
+ .m_reg = 0x4a008,
+ .n_reg = 0x4a00c,
+- .config_reg = 0x4a014,
++ .config_reg = 0x4a010,
+ .mode_reg = 0x4a000,
+ .status_reg = 0x4a01c,
+ .status_bit = 17,
+@@ -351,7 +351,7 @@ static struct clk_pll bimc_pll = {
+ .l_reg = 0x23004,
+ .m_reg = 0x23008,
+ .n_reg = 0x2300c,
+- .config_reg = 0x23014,
++ .config_reg = 0x23010,
+ .mode_reg = 0x23000,
+ .status_reg = 0x2301c,
+ .status_bit = 17,
+--
+2.25.1
+
--- /dev/null
+From e7a025efa4ea8a57bfc538cf0bb009b067ce0598 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2020 12:26:52 +0200
+Subject: clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 25bdae0f1c6609ceaf55fe6700654f0be2253d8e ]
+
+Mark the SCLK clock for Exynos5433 I2S1 device with IGNORE_UNUSED flag to
+match its behaviour with SCLK clock for AUD_I2S (I2S0) device until
+a proper fix for Exynos I2S driver is ready.
+
+This fixes the following synchronous abort issue revealed by the probe
+order change caused by the commit 93d2e4322aa7 ("of: platform: Batch
+fwnode parsing when adding all top level devices")
+
+Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 0 PID: 50 Comm: kworker/0:1 Not tainted 5.7.0-rc5+ #701
+Hardware name: Samsung TM2E board (DT)
+Workqueue: events deferred_probe_work_func
+pstate: 60000005 (nZCv daif -PAN -UAO)
+pc : samsung_i2s_probe+0x768/0x8f0
+lr : samsung_i2s_probe+0x688/0x8f0
+...
+Call trace:
+ samsung_i2s_probe+0x768/0x8f0
+ platform_drv_probe+0x50/0xa8
+ really_probe+0x108/0x370
+ driver_probe_device+0x54/0xb8
+ __device_attach_driver+0x90/0xc0
+ bus_for_each_drv+0x70/0xc8
+ __device_attach+0xdc/0x140
+ device_initial_probe+0x10/0x18
+ bus_probe_device+0x94/0xa0
+ deferred_probe_work_func+0x70/0xa8
+ process_one_work+0x2a8/0x718
+ worker_thread+0x48/0x470
+ kthread+0x134/0x160
+ ret_from_fork+0x10/0x1c
+Code: 17ffffaf d503201f f94086c0 91003000 (88dffc00)
+---[ end trace ccf721c9400ddbd6 ]---
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/samsung/clk-exynos5433.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/samsung/clk-exynos5433.c b/drivers/clk/samsung/clk-exynos5433.c
+index 91c89ac193b9a..77ae2d21c4882 100644
+--- a/drivers/clk/samsung/clk-exynos5433.c
++++ b/drivers/clk/samsung/clk-exynos5433.c
+@@ -1708,7 +1708,8 @@ static struct samsung_gate_clock peric_gate_clks[] __initdata = {
+ GATE(CLK_SCLK_PCM1, "sclk_pcm1", "sclk_pcm1_peric",
+ ENABLE_SCLK_PERIC, 7, CLK_SET_RATE_PARENT, 0),
+ GATE(CLK_SCLK_I2S1, "sclk_i2s1", "sclk_i2s1_peric",
+- ENABLE_SCLK_PERIC, 6, CLK_SET_RATE_PARENT, 0),
++ ENABLE_SCLK_PERIC, 6,
++ CLK_SET_RATE_PARENT | CLK_IGNORE_UNUSED, 0),
+ GATE(CLK_SCLK_SPI2, "sclk_spi2", "sclk_spi2_peric", ENABLE_SCLK_PERIC,
+ 5, CLK_SET_RATE_PARENT, 0),
+ GATE(CLK_SCLK_SPI1, "sclk_spi1", "sclk_spi1_peric", ENABLE_SCLK_PERIC,
+--
+2.25.1
+
--- /dev/null
+From 5b831e302e77e0c10487c2943c6ae1dd9ee57dbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2020 22:13:32 +0100
+Subject: clk: sunxi: Fix incorrect usage of round_down()
+
+From: Rikard Falkeborn <rikard.falkeborn@gmail.com>
+
+[ Upstream commit ee25d9742dabed3fd18158b518f846abeb70f319 ]
+
+round_down() can only round to powers of 2. If round_down() is asked
+to round to something that is not a power of 2, incorrect results are
+produced. The incorrect results can be both too large and too small.
+
+Instead, use rounddown() which can round to any number.
+
+Fixes: 6a721db180a2 ("clk: sunxi: Add A31 clocks support")
+Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi/clk-sunxi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sunxi/clk-sunxi.c b/drivers/clk/sunxi/clk-sunxi.c
+index 9c79af0c03b21..2cec9e83831fd 100644
+--- a/drivers/clk/sunxi/clk-sunxi.c
++++ b/drivers/clk/sunxi/clk-sunxi.c
+@@ -311,7 +311,7 @@ static void sun6i_a31_get_pll1_factors(u32 *freq, u32 parent_rate,
+ * Round down the frequency to the closest multiple of either
+ * 6 or 16
+ */
+- u32 round_freq_6 = round_down(freq_mhz, 6);
++ u32 round_freq_6 = rounddown(freq_mhz, 6);
+ u32 round_freq_16 = round_down(freq_mhz, 16);
+
+ if (round_freq_6 > round_freq_16)
+--
+2.25.1
+
--- /dev/null
+From 840dac9f4b52396c03d14997297ec0dcaf1695e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 16:13:39 +0300
+Subject: clk: ti: composite: fix memory leak
+
+From: Tero Kristo <t-kristo@ti.com>
+
+[ Upstream commit c7c1cbbc9217ebb5601b88d138d4a5358548de9d ]
+
+The parent_names is never released for a component clock definition,
+causing some memory leak. Fix by releasing it once it is no longer
+needed.
+
+Reported-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Link: https://lkml.kernel.org/r/20200429131341.4697-2-t-kristo@ti.com
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/composite.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/ti/composite.c b/drivers/clk/ti/composite.c
+index dbef218fe5ecd..14201c52b44bc 100644
+--- a/drivers/clk/ti/composite.c
++++ b/drivers/clk/ti/composite.c
+@@ -228,6 +228,7 @@ cleanup:
+ if (!cclk->comp_clks[i])
+ continue;
+ list_del(&cclk->comp_clks[i]->link);
++ kfree(cclk->comp_clks[i]->parent_names);
+ kfree(cclk->comp_clks[i]);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 21c890fcda3c63327015ea7ad187bba65e383c48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 23:34:28 +0200
+Subject: dlm: remove BUG() before panic()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit fe204591cc9480347af7d2d6029b24a62e449486 ]
+
+Building a kernel with clang sometimes fails with an objtool error in dlm:
+
+fs/dlm/lock.o: warning: objtool: revert_lock_pc()+0xbd: can't find jump dest instruction at .text+0xd7fc
+
+The problem is that BUG() never returns and the compiler knows
+that anything after it is unreachable, however the panic still
+emits some code that does not get fully eliminated.
+
+Having both BUG() and panic() is really pointless as the BUG()
+kills the current process and the subsequent panic() never hits.
+In most cases, we probably don't really want either and should
+replace the DLM_ASSERT() statements with WARN_ON(), as has
+been done for some of them.
+
+Remove the BUG() here so the user at least sees the panic message
+and we can reliably build randconfig kernels.
+
+Fixes: e7fd41792fc0 ("[DLM] The core of the DLM for GFS2/CLVM")
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: clang-built-linux@googlegroups.com
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/dlm_internal.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/dlm/dlm_internal.h b/fs/dlm/dlm_internal.h
+index 5eff6ea3e27f1..63e856d90ed05 100644
+--- a/fs/dlm/dlm_internal.h
++++ b/fs/dlm/dlm_internal.h
+@@ -92,7 +92,6 @@ do { \
+ __LINE__, __FILE__, #x, jiffies); \
+ {do} \
+ printk("\n"); \
+- BUG(); \
+ panic("DLM: Record message above and reboot.\n"); \
+ } \
+ }
+--
+2.25.1
+
--- /dev/null
+From 6774fd4d13bac66eb78533ee34c7ed265e945aa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2020 14:40:03 -0700
+Subject: drivers: base: Fix NULL pointer exception in
+ __platform_driver_probe() if a driver developer is foolish
+
+From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+
+[ Upstream commit 388bcc6ecc609fca1b4920de7dc3806c98ec535e ]
+
+If platform bus driver registration is failed then, accessing
+platform bus spin lock (&drv->driver.bus->p->klist_drivers.k_lock)
+in __platform_driver_probe() without verifying the return value
+__platform_driver_register() can lead to NULL pointer exception.
+
+So check the return value before attempting the spin lock.
+
+One such example is below:
+
+For a custom usecase, I have intentionally failed the platform bus
+registration and I expected all the platform device/driver
+registrations to fail gracefully. But I came across this panic
+issue.
+
+[ 1.331067] BUG: kernel NULL pointer dereference, address: 00000000000000c8
+[ 1.331118] #PF: supervisor write access in kernel mode
+[ 1.331163] #PF: error_code(0x0002) - not-present page
+[ 1.331208] PGD 0 P4D 0
+[ 1.331233] Oops: 0002 [#1] PREEMPT SMP
+[ 1.331268] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G W 5.6.0-00049-g670d35fb0144 #165
+[ 1.331341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+[ 1.331406] RIP: 0010:_raw_spin_lock+0x15/0x30
+[ 1.331588] RSP: 0000:ffffc9000001be70 EFLAGS: 00010246
+[ 1.331632] RAX: 0000000000000000 RBX: 00000000000000c8 RCX: 0000000000000001
+[ 1.331696] RDX: 0000000000000001 RSI: 0000000000000092 RDI: 0000000000000000
+[ 1.331754] RBP: 00000000ffffffed R08: 0000000000000501 R09: 0000000000000001
+[ 1.331817] R10: ffff88817abcc520 R11: 0000000000000670 R12: 00000000ffffffed
+[ 1.331881] R13: ffffffff82dbc268 R14: ffffffff832f070a R15: 0000000000000000
+[ 1.331945] FS: 0000000000000000(0000) GS:ffff88817bd80000(0000) knlGS:0000000000000000
+[ 1.332008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1.332062] CR2: 00000000000000c8 CR3: 000000000681e001 CR4: 00000000003606e0
+[ 1.332126] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1.332189] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1.332252] Call Trace:
+[ 1.332281] __platform_driver_probe+0x92/0xee
+[ 1.332323] ? rtc_dev_init+0x2b/0x2b
+[ 1.332358] cmos_init+0x37/0x67
+[ 1.332396] do_one_initcall+0x7d/0x168
+[ 1.332428] kernel_init_freeable+0x16c/0x1c9
+[ 1.332473] ? rest_init+0xc0/0xc0
+[ 1.332508] kernel_init+0x5/0x100
+[ 1.332543] ret_from_fork+0x1f/0x30
+[ 1.332579] CR2: 00000000000000c8
+[ 1.332616] ---[ end trace 3bd87f12e9010b87 ]---
+[ 1.333549] note: swapper/0[1] exited with preempt_count 1
+[ 1.333592] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+[ 1.333736] Kernel Offset: disabled
+
+Note, this can only be triggered if a driver errors out from this call,
+which should never happen. If it does, the driver needs to be fixed.
+
+Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Link: https://lore.kernel.org/r/20200408214003.3356-1-sathyanarayanan.kuppuswamy@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index 065fcc4be263a..f89cb143f1cdf 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -638,6 +638,8 @@ int __init_or_module __platform_driver_probe(struct platform_driver *drv,
+ /* temporary section violation during probe() */
+ drv->probe = probe;
+ retval = code = __platform_driver_register(drv, module);
++ if (retval)
++ return retval;
+
+ /*
+ * Fixup that section violation, being paranoid about code scanning
+--
+2.25.1
+
--- /dev/null
+From 79d0523baa9ec5721d29793def5b7fe1fe6b7951 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 09:58:10 +0200
+Subject: drm: encoder_slave: fix refcouting error for modules
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit f78d4032de60f50fd4afaa0fb68ea03b985f820a ]
+
+module_put() balances try_module_get(), not request_module(). Fix the
+error path to match that.
+
+Fixes: 2066facca4c7 ("drm/kms: slave encoder interface.")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_encoder_slave.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_encoder_slave.c b/drivers/gpu/drm/drm_encoder_slave.c
+index d18b88b755c34..5c595d9f7e8f2 100644
+--- a/drivers/gpu/drm/drm_encoder_slave.c
++++ b/drivers/gpu/drm/drm_encoder_slave.c
+@@ -84,7 +84,7 @@ int drm_i2c_encoder_init(struct drm_device *dev,
+
+ err = encoder_drv->encoder_init(client, dev, encoder);
+ if (err)
+- goto fail_unregister;
++ goto fail_module_put;
+
+ if (info->platform_data)
+ encoder->slave_funcs->set_config(&encoder->base,
+@@ -92,9 +92,10 @@ int drm_i2c_encoder_init(struct drm_device *dev,
+
+ return 0;
+
++fail_module_put:
++ module_put(module);
+ fail_unregister:
+ i2c_unregister_device(client);
+- module_put(module);
+ fail:
+ return err;
+ }
+--
+2.25.1
+
--- /dev/null
+From 8a28fc6fe035574591bdb52b17946d199b6e0d24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 16:50:49 -0700
+Subject: elfnote: mark all .note sections SHF_ALLOC
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+[ Upstream commit 51da9dfb7f20911ae4e79e9b412a9c2d4c373d4b ]
+
+ELFNOTE_START allows callers to specify flags for .pushsection assembler
+directives. All callsites but ELF_NOTE use "a" for SHF_ALLOC. For vdso's
+that explicitly use ELF_NOTE_START and BUILD_SALT, the same section is
+specified twice after preprocessing, once with "a" flag, once without.
+Example:
+
+.pushsection .note.Linux, "a", @note ;
+.pushsection .note.Linux, "", @note ;
+
+While GNU as allows this ordering, it warns for the opposite ordering,
+making these directives position dependent. We'd prefer not to precisely
+match this behavior in Clang's integrated assembler. Instead, the non
+__ASSEMBLY__ definition of ELF_NOTE uses
+__attribute__((section(".note.Linux"))) which is created with SHF_ALLOC,
+so let's make the __ASSEMBLY__ definition of ELF_NOTE consistent with C
+and just always use "a" flag.
+
+This allows Clang to assemble a working mainline (5.6) kernel via:
+$ make CC=clang AS=clang
+
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Fangrui Song <maskray@google.com>
+Cc: Jeremy Fitzhardinge <jeremy@goop.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/913
+Link: http://lkml.kernel.org/r/20200325231250.99205-1-ndesaulniers@google.com
+Debugged-by: Ilie Halip <ilie.halip@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/elfnote.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/elfnote.h b/include/linux/elfnote.h
+index 278e3ef053369..56c6d9031663d 100644
+--- a/include/linux/elfnote.h
++++ b/include/linux/elfnote.h
+@@ -53,7 +53,7 @@
+ .popsection ;
+
+ #define ELFNOTE(name, type, desc) \
+- ELFNOTE_START(name, type, "") \
++ ELFNOTE_START(name, type, "a") \
+ desc ; \
+ ELFNOTE_END
+
+--
+2.25.1
+
--- /dev/null
+From 7ba1887d98136a7ddc074685068414df50468c15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 08:45:54 -0500
+Subject: gfs2: Allow lock_nolock mount to specify jid=X
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit ea22eee4e6027d8927099de344f7fff43c507ef9 ]
+
+Before this patch, a simple typo accidentally added \n to the jid=
+string for lock_nolock mounts. This made it impossible to mount a
+gfs2 file system with a journal other than journal0. Thus:
+
+mount -tgfs2 -o hostdata="jid=1" <device> <mount pt>
+
+Resulted in:
+mount: wrong fs type, bad option, bad superblock on <device>
+
+In most cases this is not a problem. However, for debugging and
+testing purposes we sometimes want to test the integrity of other
+journals. This patch removes the unnecessary \n and thus allows
+lock_nolock users to specify an alternate journal.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/ops_fstype.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
+index de7143e2b361a..b7b43d00cc6d7 100644
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -916,7 +916,7 @@ fail:
+ }
+
+ static const match_table_t nolock_tokens = {
+- { Opt_jid, "jid=%d\n", },
++ { Opt_jid, "jid=%d", },
+ { Opt_err, NULL },
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 1346be28a2ef5cdb60c7207dcdae48619b1cf58d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Apr 2020 15:48:44 -0500
+Subject: i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets
+
+From: Adam Honse <calcprogrammer1@gmail.com>
+
+[ Upstream commit f27237c174fd9653033330e4e532cd9d153ce824 ]
+
+The AMD X370 and other AM4 chipsets (A/B/X 3/4/5 parts) and Threadripper
+equivalents have a secondary SMBus controller at I/O port address
+0x0B20. This bus is used by several manufacturers to control
+motherboard RGB lighting via embedded controllers. I have been using
+this bus in my OpenRGB project to control the Aura RGB on many
+motherboards and ASRock also uses this bus for their Polychrome RGB
+controller.
+
+I am not aware of any CZ-compatible platforms which do not have the
+second SMBus channel. All of AMD's AM4- and Threadripper- series
+chipsets that OpenRGB users have tested appear to have this secondary
+bus. I also noticed this secondary bus is present on older AMD
+platforms including my FM1 home server.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202587
+Signed-off-by: Adam Honse <calcprogrammer1@gmail.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-piix4.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-piix4.c b/drivers/i2c/busses/i2c-piix4.c
+index b61db9db3ca5d..c85ac178c4838 100644
+--- a/drivers/i2c/busses/i2c-piix4.c
++++ b/drivers/i2c/busses/i2c-piix4.c
+@@ -647,7 +647,8 @@ static int piix4_probe(struct pci_dev *dev, const struct pci_device_id *id)
+ }
+
+ if (dev->vendor == PCI_VENDOR_ID_AMD &&
+- dev->device == PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) {
++ (dev->device == PCI_DEVICE_ID_AMD_HUDSON2_SMBUS ||
++ dev->device == PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)) {
+ retval = piix4_setup_sb800(dev, id, 1);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From e968eb4c30ffba4ce06cecec2030ea4cc173687c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 10:36:38 +0100
+Subject: i2c: pxa: clear all master action bits in i2c_pxa_stop_message()
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit e81c979f4e071d516aa27cf5a0c3939da00dc1ca ]
+
+If we timeout during a message transfer, the control register may
+contain bits that cause an action to be set. Read-modify-writing the
+register leaving these bits set may trigger the hardware to attempt
+one of these actions unintentionally.
+
+Always clear these bits when cleaning up after a message or after
+a timeout.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-pxa.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-pxa.c b/drivers/i2c/busses/i2c-pxa.c
+index 0d351954db02b..3264b50311ff0 100644
+--- a/drivers/i2c/busses/i2c-pxa.c
++++ b/drivers/i2c/busses/i2c-pxa.c
+@@ -691,11 +691,9 @@ static inline void i2c_pxa_stop_message(struct pxa_i2c *i2c)
+ {
+ u32 icr;
+
+- /*
+- * Clear the STOP and ACK flags
+- */
++ /* Clear the START, STOP, ACK, TB and MA flags */
+ icr = readl(_ICR(i2c));
+- icr &= ~(ICR_STOP | ICR_ACKNAK);
++ icr &= ~(ICR_START | ICR_STOP | ICR_ACKNAK | ICR_TB | ICR_MA);
+ writel(icr, _ICR(i2c));
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 0ce487c533872768053a40b455aaa03e0d71142a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 19:49:22 +0100
+Subject: i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 88b73ee7ca4c90baf136ed5a8377fc5a9b73ac08 ]
+
+The IRQ log output is supposed to appear on a single line. However,
+commit 3a2dc1677b60 ("i2c: pxa: Update debug function to dump more info
+on error") resulted in it being printed one-entry-per-line, which is
+excessively long.
+
+Fixing this is not a trivial matter; using pr_cont() doesn't work as
+the previous dev_dbg() may not have been compiled in, or may be
+dynamic.
+
+Since the rest of this function output is at error level, and is also
+debug output, promote this to error level as well to avoid this
+problem.
+
+Reduce the number of always zero prefix digits to save screen real-
+estate.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-pxa.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-pxa.c b/drivers/i2c/busses/i2c-pxa.c
+index 3264b50311ff0..8fca6e3dd7504 100644
+--- a/drivers/i2c/busses/i2c-pxa.c
++++ b/drivers/i2c/busses/i2c-pxa.c
+@@ -297,11 +297,10 @@ static void i2c_pxa_scream_blue_murder(struct pxa_i2c *i2c, const char *why)
+ dev_err(dev, "IBMR: %08x IDBR: %08x ICR: %08x ISR: %08x\n",
+ readl(_IBMR(i2c)), readl(_IDBR(i2c)), readl(_ICR(i2c)),
+ readl(_ISR(i2c)));
+- dev_dbg(dev, "log: ");
++ dev_err(dev, "log:");
+ for (i = 0; i < i2c->irqlogidx; i++)
+- pr_debug("[%08x:%08x] ", i2c->isrlog[i], i2c->icrlog[i]);
+-
+- pr_debug("\n");
++ pr_cont(" [%03x:%05x]", i2c->isrlog[i], i2c->icrlog[i]);
++ pr_cont("\n");
+ }
+
+ #else /* ifdef DEBUG */
+--
+2.25.1
+
--- /dev/null
+From 9f685bb365c8358650ba983a79d6832710bd8f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 16:50:30 -0700
+Subject: include/linux/bitops.h: avoid clang shift-count-overflow warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit bd93f003b7462ae39a43c531abca37fe7073b866 ]
+
+Clang normally does not warn about certain issues in inline functions when
+it only happens in an eliminated code path. However if something else
+goes wrong, it does tend to complain about the definition of hweight_long()
+on 32-bit targets:
+
+ include/linux/bitops.h:75:41: error: shift count >= width of type [-Werror,-Wshift-count-overflow]
+ return sizeof(w) == 4 ? hweight32(w) : hweight64(w);
+ ^~~~~~~~~~~~
+ include/asm-generic/bitops/const_hweight.h:29:49: note: expanded from macro 'hweight64'
+ define hweight64(w) (__builtin_constant_p(w) ? __const_hweight64(w) : __arch_hweight64(w))
+ ^~~~~~~~~~~~~~~~~~~~
+ include/asm-generic/bitops/const_hweight.h:21:76: note: expanded from macro '__const_hweight64'
+ define __const_hweight64(w) (__const_hweight32(w) + __const_hweight32((w) >> 32))
+ ^ ~~
+ include/asm-generic/bitops/const_hweight.h:20:49: note: expanded from macro '__const_hweight32'
+ define __const_hweight32(w) (__const_hweight16(w) + __const_hweight16((w) >> 16))
+ ^
+ include/asm-generic/bitops/const_hweight.h:19:72: note: expanded from macro '__const_hweight16'
+ define __const_hweight16(w) (__const_hweight8(w) + __const_hweight8((w) >> 8 ))
+ ^
+ include/asm-generic/bitops/const_hweight.h:12:9: note: expanded from macro '__const_hweight8'
+ (!!((w) & (1ULL << 2))) + \
+
+Adding an explicit cast to __u64 avoids that warning and makes it easier
+to read other output.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Link: http://lkml.kernel.org/r/20200505135513.65265-1-arnd@arndb.de
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bitops.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/bitops.h b/include/linux/bitops.h
+index ce2bb045b3fdd..9b9711ea267a4 100644
+--- a/include/linux/bitops.h
++++ b/include/linux/bitops.h
+@@ -59,7 +59,7 @@ static inline int get_count_order(unsigned int count)
+
+ static __always_inline unsigned long hweight_long(unsigned long w)
+ {
+- return sizeof(w) == 4 ? hweight32(w) : hweight64(w);
++ return sizeof(w) == 4 ? hweight32(w) : hweight64((__u64)w);
+ }
+
+ /**
+--
+2.25.1
+
--- /dev/null
+From aedfac9ea62bdb49877a89b29bda0948c88465ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 16:50:17 -0700
+Subject: lib/zlib: remove outdated and incorrect pre-increment optimization
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit acaab7335bd6f0c0b54ce3a00bd7f18222ce0f5f ]
+
+The zlib inflate code has an old micro-optimization based on the
+assumption that for pre-increment memory accesses, the compiler will
+generate code that fits better into the processor's pipeline than what
+would be generated for post-increment memory accesses.
+
+This optimization was already removed in upstream zlib in 2016:
+https://github.com/madler/zlib/commit/9aaec95e8211
+
+This optimization causes UB according to C99, which says in section 6.5.6
+"Additive operators": "If both the pointer operand and the result point to
+elements of the same array object, or one past the last element of the
+array object, the evaluation shall not produce an overflow; otherwise, the
+behavior is undefined".
+
+This UB is not only a theoretical concern, but can also cause trouble for
+future work on compiler-based sanitizers.
+
+According to the zlib commit, this optimization also is not optimal
+anymore with modern compilers.
+
+Replace uses of OFF, PUP and UP_UNALIGNED with their definitions in the
+POSTINC case, and remove the macro definitions, just like in the upstream
+patch.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Link: http://lkml.kernel.org/r/20200507123112.252723-1-jannh@google.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/zlib_inflate/inffast.c | 91 +++++++++++++++-----------------------
+ 1 file changed, 35 insertions(+), 56 deletions(-)
+
+diff --git a/lib/zlib_inflate/inffast.c b/lib/zlib_inflate/inffast.c
+index 2c13ecc5bb2c7..ed1f3df272602 100644
+--- a/lib/zlib_inflate/inffast.c
++++ b/lib/zlib_inflate/inffast.c
+@@ -10,17 +10,6 @@
+
+ #ifndef ASMINF
+
+-/* Allow machine dependent optimization for post-increment or pre-increment.
+- Based on testing to date,
+- Pre-increment preferred for:
+- - PowerPC G3 (Adler)
+- - MIPS R5000 (Randers-Pehrson)
+- Post-increment preferred for:
+- - none
+- No measurable difference:
+- - Pentium III (Anderson)
+- - M68060 (Nikl)
+- */
+ union uu {
+ unsigned short us;
+ unsigned char b[2];
+@@ -38,16 +27,6 @@ get_unaligned16(const unsigned short *p)
+ return mm.us;
+ }
+
+-#ifdef POSTINC
+-# define OFF 0
+-# define PUP(a) *(a)++
+-# define UP_UNALIGNED(a) get_unaligned16((a)++)
+-#else
+-# define OFF 1
+-# define PUP(a) *++(a)
+-# define UP_UNALIGNED(a) get_unaligned16(++(a))
+-#endif
+-
+ /*
+ Decode literal, length, and distance codes and write out the resulting
+ literal and match bytes until either not enough input or output is
+@@ -115,9 +94,9 @@ void inflate_fast(z_streamp strm, unsigned start)
+
+ /* copy state to local variables */
+ state = (struct inflate_state *)strm->state;
+- in = strm->next_in - OFF;
++ in = strm->next_in;
+ last = in + (strm->avail_in - 5);
+- out = strm->next_out - OFF;
++ out = strm->next_out;
+ beg = out - (start - strm->avail_out);
+ end = out + (strm->avail_out - 257);
+ #ifdef INFLATE_STRICT
+@@ -138,9 +117,9 @@ void inflate_fast(z_streamp strm, unsigned start)
+ input data or output space */
+ do {
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ this = lcode[hold & lmask];
+@@ -150,14 +129,14 @@ void inflate_fast(z_streamp strm, unsigned start)
+ bits -= op;
+ op = (unsigned)(this.op);
+ if (op == 0) { /* literal */
+- PUP(out) = (unsigned char)(this.val);
++ *out++ = (unsigned char)(this.val);
+ }
+ else if (op & 16) { /* length base */
+ len = (unsigned)(this.val);
+ op &= 15; /* number of extra bits */
+ if (op) {
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ len += (unsigned)hold & ((1U << op) - 1);
+@@ -165,9 +144,9 @@ void inflate_fast(z_streamp strm, unsigned start)
+ bits -= op;
+ }
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ this = dcode[hold & dmask];
+@@ -180,10 +159,10 @@ void inflate_fast(z_streamp strm, unsigned start)
+ dist = (unsigned)(this.val);
+ op &= 15; /* number of extra bits */
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ }
+@@ -205,13 +184,13 @@ void inflate_fast(z_streamp strm, unsigned start)
+ state->mode = BAD;
+ break;
+ }
+- from = window - OFF;
++ from = window;
+ if (write == 0) { /* very common case */
+ from += wsize - op;
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -222,14 +201,14 @@ void inflate_fast(z_streamp strm, unsigned start)
+ if (op < len) { /* some from end of window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+- from = window - OFF;
++ from = window;
+ if (write < len) { /* some from start of window */
+ op = write;
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -240,21 +219,21 @@ void inflate_fast(z_streamp strm, unsigned start)
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+ }
+ while (len > 2) {
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ }
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ else {
+@@ -264,29 +243,29 @@ void inflate_fast(z_streamp strm, unsigned start)
+ from = out - dist; /* copy direct from output */
+ /* minimum length is three */
+ /* Align out addr */
+- if (!((long)(out - 1 + OFF) & 1)) {
+- PUP(out) = PUP(from);
++ if (!((long)(out - 1) & 1)) {
++ *out++ = *from++;
+ len--;
+ }
+- sout = (unsigned short *)(out - OFF);
++ sout = (unsigned short *)(out);
+ if (dist > 2) {
+ unsigned short *sfrom;
+
+- sfrom = (unsigned short *)(from - OFF);
++ sfrom = (unsigned short *)(from);
+ loops = len >> 1;
+ do
+ #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+- PUP(sout) = PUP(sfrom);
++ *sout++ = *sfrom++;
+ #else
+- PUP(sout) = UP_UNALIGNED(sfrom);
++ *sout++ = get_unaligned16(sfrom++);
+ #endif
+ while (--loops);
+- out = (unsigned char *)sout + OFF;
+- from = (unsigned char *)sfrom + OFF;
++ out = (unsigned char *)sout;
++ from = (unsigned char *)sfrom;
+ } else { /* dist == 1 or dist == 2 */
+ unsigned short pat16;
+
+- pat16 = *(sout-1+OFF);
++ pat16 = *(sout-1);
+ if (dist == 1) {
+ union uu mm;
+ /* copy one char pattern to both bytes */
+@@ -296,12 +275,12 @@ void inflate_fast(z_streamp strm, unsigned start)
+ }
+ loops = len >> 1;
+ do
+- PUP(sout) = pat16;
++ *sout++ = pat16;
+ while (--loops);
+- out = (unsigned char *)sout + OFF;
++ out = (unsigned char *)sout;
+ }
+ if (len & 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ else if ((op & 64) == 0) { /* 2nd level distance code */
+@@ -336,8 +315,8 @@ void inflate_fast(z_streamp strm, unsigned start)
+ hold &= (1U << bits) - 1;
+
+ /* update state and return */
+- strm->next_in = in + OFF;
+- strm->next_out = out + OFF;
++ strm->next_in = in;
++ strm->next_out = out;
+ strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
+ strm->avail_out = (unsigned)(out < end ?
+ 257 + (end - out) : 257 - (out - end));
+--
+2.25.1
+
--- /dev/null
+From c1ced1985729c2c1d2500ae5ecffeb5ca35438a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2020 15:48:19 +0800
+Subject: libata: Use per port sync for detach
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit b5292111de9bb70cba3489075970889765302136 ]
+
+Commit 130f4caf145c ("libata: Ensure ata_port probe has completed before
+detach") may cause system freeze during suspend.
+
+Using async_synchronize_full() in PM callbacks is wrong, since async
+callbacks that are already scheduled may wait for not-yet-scheduled
+callbacks, causes a circular dependency.
+
+Instead of using big hammer like async_synchronize_full(), use async
+cookie to make sure port probe are synced, without affecting other
+scheduled PM callbacks.
+
+Fixes: 130f4caf145c ("libata: Ensure ata_port probe has completed before detach")
+Suggested-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: John Garry <john.garry@huawei.com>
+BugLink: https://bugs.launchpad.net/bugs/1867983
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 11 +++++------
+ include/linux/libata.h | 3 +++
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index fc4bf8ff40ead..17cebfe5acc82 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -56,7 +56,6 @@
+ #include <linux/workqueue.h>
+ #include <linux/scatterlist.h>
+ #include <linux/io.h>
+-#include <linux/async.h>
+ #include <linux/log2.h>
+ #include <linux/slab.h>
+ #include <linux/glob.h>
+@@ -6222,7 +6221,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
+ /* perform each probe asynchronously */
+ for (i = 0; i < host->n_ports; i++) {
+ struct ata_port *ap = host->ports[i];
+- async_schedule(async_port_probe, ap);
++ ap->cookie = async_schedule(async_port_probe, ap);
+ }
+
+ return 0;
+@@ -6355,11 +6354,11 @@ void ata_host_detach(struct ata_host *host)
+ {
+ int i;
+
+- /* Ensure ata_port probe has completed */
+- async_synchronize_full();
+-
+- for (i = 0; i < host->n_ports; i++)
++ for (i = 0; i < host->n_ports; i++) {
++ /* Ensure ata_port probe has completed */
++ async_synchronize_cookie(host->ports[i]->cookie + 1);
+ ata_port_detach(host->ports[i]);
++ }
+
+ /* the host is dead now, dissociate ACPI */
+ ata_acpi_dissociate(host);
+diff --git a/include/linux/libata.h b/include/linux/libata.h
+index 6428ac4746dee..af561d33221d6 100644
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -38,6 +38,7 @@
+ #include <linux/acpi.h>
+ #include <linux/cdrom.h>
+ #include <linux/sched.h>
++#include <linux/async.h>
+
+ /*
+ * Define if arch has non-standard setup. This is a _PCI_ standard
+@@ -872,6 +873,8 @@ struct ata_port {
+ struct timer_list fastdrain_timer;
+ unsigned long fastdrain_cnt;
+
++ async_cookie_t cookie;
++
+ int em_message_type;
+ void *private_data;
+
+--
+2.25.1
+
--- /dev/null
+From 1a4c0d3066f4b6c2b7014f10ed1d04adc5f7bb80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 09:48:29 +0200
+Subject: mfd: wm8994: Fix driver operation if loaded as modules
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit d4f9b5428b53dd67f49ee8deed8d4366ed6b1933 ]
+
+WM8994 chip has built-in regulators, which might be used for chip
+operation. They are controlled by a separate wm8994-regulator driver,
+which should be loaded before this driver calls regulator_get(), because
+that driver also provides consumer-supply mapping for the them. If that
+driver is not yet loaded, regulator core substitute them with dummy
+regulator, what breaks chip operation, because the built-in regulators are
+never enabled. Fix this by annotating this driver with MODULE_SOFTDEP()
+"pre" dependency to "wm8994_regulator" module.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/wm8994-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mfd/wm8994-core.c b/drivers/mfd/wm8994-core.c
+index 7eec619a6023c..3d1457189fa21 100644
+--- a/drivers/mfd/wm8994-core.c
++++ b/drivers/mfd/wm8994-core.c
+@@ -690,3 +690,4 @@ module_i2c_driver(wm8994_i2c_driver);
+ MODULE_DESCRIPTION("Core support for the WM8994 audio CODEC");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Mark Brown <broonie@opensource.wolfsonmicro.com>");
++MODULE_SOFTDEP("pre: wm8994_regulator");
+--
+2.25.1
+
--- /dev/null
+From aff4c3324cf42c85c8e79db3f3cc89a728a46882 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2020 15:45:17 +0800
+Subject: mksysmap: Fix the mismatch of '.L' symbols in System.map
+
+From: ashimida <ashimida@linux.alibaba.com>
+
+[ Upstream commit 72d24accf02add25e08733f0ecc93cf10fcbd88c ]
+
+When System.map was generated, the kernel used mksysmap to
+filter the kernel symbols, but all the symbols with the
+second letter 'L' in the kernel were filtered out, not just
+the symbols starting with 'dot + L'.
+
+For example:
+ashimida@ubuntu:~/linux$ cat System.map |grep ' .L'
+ashimida@ubuntu:~/linux$ nm -n vmlinux |grep ' .L'
+ffff0000088028e0 t bLength_show
+......
+ffff0000092e0408 b PLLP_OUTC_lock
+ffff0000092e0410 b PLLP_OUTA_lock
+
+The original intent should be to filter out all local symbols
+starting with '.L', so the dot should be escaped.
+
+Fixes: 00902e984732 ("mksysmap: Add h8300 local symbol pattern")
+Signed-off-by: ashimida <ashimida@linux.alibaba.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mksysmap | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mksysmap b/scripts/mksysmap
+index a35acc0d0b827..9aa23d15862a0 100755
+--- a/scripts/mksysmap
++++ b/scripts/mksysmap
+@@ -41,4 +41,4 @@
+ # so we just ignore them to let readprofile continue to work.
+ # (At least sparc64 has __crc_ in the middle).
+
+-$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( .L\)' > $2
++$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)' > $2
+--
+2.25.1
+
--- /dev/null
+From dcb0eb8f1df2db9fb6b6bcac84335ccd5ad7d429 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Mar 2020 14:56:55 +0300
+Subject: net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'
+
+From: Fedor Tokarev <ftokarev@gmail.com>
+
+[ Upstream commit 118917d696dc59fd3e1741012c2f9db2294bed6f ]
+
+Fix off-by-one issues in 'rpc_ntop6':
+ - 'snprintf' returns the number of characters which would have been
+ written if enough space had been available, excluding the terminating
+ null byte. Thus, a return value of 'sizeof(scopebuf)' means that the
+ last character was dropped.
+ - 'strcat' adds a terminating null byte to the string, thus if len ==
+ buflen, the null byte is written past the end of the buffer.
+
+Signed-off-by: Fedor Tokarev <ftokarev@gmail.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/addr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c
+index 2e0a6f92e563d..8391c27855501 100644
+--- a/net/sunrpc/addr.c
++++ b/net/sunrpc/addr.c
+@@ -81,11 +81,11 @@ static size_t rpc_ntop6(const struct sockaddr *sap,
+
+ rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u",
+ IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id);
+- if (unlikely((size_t)rc > sizeof(scopebuf)))
++ if (unlikely((size_t)rc >= sizeof(scopebuf)))
+ return 0;
+
+ len += rc;
+- if (unlikely(len > buflen))
++ if (unlikely(len >= buflen))
+ return 0;
+
+ strcat(buf, scopebuf);
+--
+2.25.1
+
--- /dev/null
+From 13c8d2de913702e58fbbe3242f35fdf96ac950db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2020 22:15:41 +0800
+Subject: nfsd: Fix svc_xprt refcnt leak when setup callback client failed
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit a4abc6b12eb1f7a533c2e7484cfa555454ff0977 ]
+
+nfsd4_process_cb_update() invokes svc_xprt_get(), which increases the
+refcount of the "c->cn_xprt".
+
+The reference counting issue happens in one exception handling path of
+nfsd4_process_cb_update(). When setup callback client failed, the
+function forgets to decrease the refcnt increased by svc_xprt_get(),
+causing a refcnt leak.
+
+Fix this issue by calling svc_xprt_put() when setup callback client
+failed.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4callback.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
+index 4fa3f0ba9ab3c..0a0b41071ed77 100644
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -1096,6 +1096,8 @@ static void nfsd4_process_cb_update(struct nfsd4_callback *cb)
+ err = setup_callback_client(clp, &conn, ses);
+ if (err) {
+ nfsd4_mark_cb_down(clp, err);
++ if (c)
++ svc_xprt_put(c->cn_xprt);
+ return;
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 0543c6b29df04da770ae57a12da1ea57b1a3cba3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Apr 2020 20:24:11 +0900
+Subject: openrisc: Fix issue with argument clobbering for clone/fork
+
+From: Stafford Horne <shorne@gmail.com>
+
+[ Upstream commit 6bd140e14d9aaa734ec37985b8b20a96c0ece948 ]
+
+Working on the OpenRISC glibc port I found that sometimes clone was
+working strange. That the tls data argument sent in r7 was always
+wrong. Further investigation revealed that the arguments were getting
+clobbered in the entry code. This patch removes the code that writes to
+the argument registers. This was likely due to some old code hanging
+around.
+
+This patch fixes this up for clone and fork. This fork clobber is
+harmless but also useless so remove.
+
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/entry.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/openrisc/kernel/entry.S b/arch/openrisc/kernel/entry.S
+index c17e8451d9978..3fbe420f49c43 100644
+--- a/arch/openrisc/kernel/entry.S
++++ b/arch/openrisc/kernel/entry.S
+@@ -1092,13 +1092,13 @@ ENTRY(__sys_clone)
+ l.movhi r29,hi(sys_clone)
+ l.ori r29,r29,lo(sys_clone)
+ l.j _fork_save_extra_regs_and_call
+- l.addi r7,r1,0
++ l.nop
+
+ ENTRY(__sys_fork)
+ l.movhi r29,hi(sys_fork)
+ l.ori r29,r29,lo(sys_fork)
+ l.j _fork_save_extra_regs_and_call
+- l.addi r3,r1,0
++ l.nop
+
+ ENTRY(sys_rt_sigreturn)
+ l.j _sys_rt_sigreturn
+--
+2.25.1
+
--- /dev/null
+From 7bad31692587d428886937590896b2b2ded96352 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 01:34:21 +0800
+Subject: PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 66ff14e59e8a30690755b08bc3042359703fb07a ]
+
+7d715a6c1ae5 ("PCI: add PCI Express ASPM support") added the ability for
+Linux to enable ASPM, but for some undocumented reason, it didn't enable
+ASPM on links where the downstream component is a PCIe-to-PCI/PCI-X Bridge.
+
+Remove this exclusion so we can enable ASPM on these links.
+
+The Dell OptiPlex 7080 mentioned in the bugzilla has a TI XIO2001
+PCIe-to-PCI Bridge. Enabling ASPM on the link leading to it allows the
+Intel SoC to enter deeper Package C-states, which is a significant power
+savings.
+
+[bhelgaas: commit log]
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207571
+Link: https://lore.kernel.org/r/20200505173423.26968-1-kai.heng.feng@canonical.com
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/aspm.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
+index c6a012b5ba390..966b6947e5656 100644
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -388,16 +388,6 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist)
+
+ /* Setup initial capable state. Will be updated later */
+ link->aspm_capable = link->aspm_support;
+- /*
+- * If the downstream component has pci bridge function, don't
+- * do ASPM for now.
+- */
+- list_for_each_entry(child, &linkbus->devices, bus_list) {
+- if (pci_pcie_type(child) == PCI_EXP_TYPE_PCI_BRIDGE) {
+- link->aspm_disable = ASPM_STATE_ALL;
+- break;
+- }
+- }
+
+ /* Get and check endpoint acceptable latencies */
+ list_for_each_entry(child, &linkbus->devices, bus_list) {
+--
+2.25.1
+
--- /dev/null
+From 9d6676eceef440423d34bb9307aa3dff1a38580a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2020 13:18:17 -0300
+Subject: perf report: Fix NULL pointer dereference in
+ hists__fprintf_nr_sample_events()
+
+From: Gaurav Singh <gaurav1086@gmail.com>
+
+[ Upstream commit 11b6e5482e178055ec1f2444b55f2518713809d1 ]
+
+The 'evname' variable can be NULL, as it is checked a few lines back,
+check it before using.
+
+Fixes: 9e207ddfa207 ("perf report: Show call graph from reference events")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/
+Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index f256fac1e7225..74dd196acdac3 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -334,8 +334,7 @@ static size_t hists__fprintf_nr_sample_events(struct hists *hists, struct report
+ if (evname != NULL)
+ ret += fprintf(fp, " of event '%s'", evname);
+
+- if (symbol_conf.show_ref_callgraph &&
+- strstr(evname, "call-graph=no")) {
++ if (symbol_conf.show_ref_callgraph && evname && strstr(evname, "call-graph=no")) {
+ ret += fprintf(fp, ", show reference callgraph");
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 9fbf594299b1119ce0e3af8b8d5150d7946790ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Mar 2020 18:15:44 +0200
+Subject: power: supply: smb347-charger: IRQSTAT_D is volatile
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit c32ea07a30630ace950e07ffe7a18bdcc25898e1 ]
+
+Fix failure when USB cable is connected:
+smb347 2-006a: reading IRQSTAT_D failed
+
+Fixes: 1502cfe19bac ("smb347-charger: Fix battery status reporting logic for charger faults")
+
+Tested-by: David Heidelberg <david@ixit.cz>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: David Heidelberg <david@ixit.cz>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/smb347-charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/smb347-charger.c b/drivers/power/smb347-charger.c
+index 072c5189bd6d1..0655dbdc7000d 100644
+--- a/drivers/power/smb347-charger.c
++++ b/drivers/power/smb347-charger.c
+@@ -1141,6 +1141,7 @@ static bool smb347_volatile_reg(struct device *dev, unsigned int reg)
+ switch (reg) {
+ case IRQSTAT_A:
+ case IRQSTAT_C:
++ case IRQSTAT_D:
+ case IRQSTAT_E:
+ case IRQSTAT_F:
+ case STAT_A:
+--
+2.25.1
+
--- /dev/null
+From 5b7f677ba4e5b71d657bb24fbacfd778eaa3a954 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2020 22:00:44 +0800
+Subject: powerpc/crashkernel: Take "mem=" option into account
+
+From: Pingfan Liu <kernelfans@gmail.com>
+
+[ Upstream commit be5470e0c285a68dc3afdea965032f5ddc8269d7 ]
+
+'mem=" option is an easy way to put high pressure on memory during
+some test. Hence after applying the memory limit, instead of total
+mem, the actual usable memory should be considered when reserving mem
+for crashkernel. Otherwise the boot up may experience OOM issue.
+
+E.g. it would reserve 4G prior to the change and 512M afterward, if
+passing
+crashkernel="2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G",
+and mem=5G on a 256G machine.
+
+This issue is powerpc specific because it puts higher priority on
+fadump and kdump reservation than on "mem=". Referring the following
+code:
+ if (fadump_reserve_mem() == 0)
+ reserve_crashkernel();
+ ...
+ /* Ensure that total memory size is page-aligned. */
+ limit = ALIGN(memory_limit ?: memblock_phys_mem_size(), PAGE_SIZE);
+ memblock_enforce_memory_limit(limit);
+
+While on other arches, the effect of "mem=" takes a higher priority
+and pass through memblock_phys_mem_size() before calling
+reserve_crashkernel().
+
+Signed-off-by: Pingfan Liu <kernelfans@gmail.com>
+Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1585749644-4148-1-git-send-email-kernelfans@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/machine_kexec.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/machine_kexec.c b/arch/powerpc/kernel/machine_kexec.c
+index 8dff2b3712190..a14d9b008f744 100644
+--- a/arch/powerpc/kernel/machine_kexec.c
++++ b/arch/powerpc/kernel/machine_kexec.c
+@@ -113,11 +113,12 @@ void machine_kexec(struct kimage *image)
+
+ void __init reserve_crashkernel(void)
+ {
+- unsigned long long crash_size, crash_base;
++ unsigned long long crash_size, crash_base, total_mem_sz;
+ int ret;
+
++ total_mem_sz = memory_limit ? memory_limit : memblock_phys_mem_size();
+ /* use common parsing */
+- ret = parse_crashkernel(boot_command_line, memblock_phys_mem_size(),
++ ret = parse_crashkernel(boot_command_line, total_mem_sz,
+ &crash_size, &crash_base);
+ if (ret == 0 && crash_size > 0) {
+ crashk_res.start = crash_base;
+@@ -176,6 +177,7 @@ void __init reserve_crashkernel(void)
+ /* Crash kernel trumps memory limit */
+ if (memory_limit && memory_limit <= crashk_res.end) {
+ memory_limit = crashk_res.end + 1;
++ total_mem_sz = memory_limit;
+ printk("Adjusted memory limit for crashkernel, now 0x%llx\n",
+ memory_limit);
+ }
+@@ -184,7 +186,7 @@ void __init reserve_crashkernel(void)
+ "for crashkernel (System RAM: %ldMB)\n",
+ (unsigned long)(crash_size >> 20),
+ (unsigned long)(crashk_res.start >> 20),
+- (unsigned long)(memblock_phys_mem_size() >> 20));
++ (unsigned long)(total_mem_sz >> 20));
+
+ if (!memblock_is_region_memory(crashk_res.start, crash_size) ||
+ memblock_reserve(crashk_res.start, crash_size)) {
+--
+2.25.1
+
--- /dev/null
+From 6b47211ab69008f287b3ea6589dfb4577360ad4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 May 2020 18:58:32 +0000
+Subject: powerpc/ps3: Fix kexec shutdown hang
+
+From: Geoff Levand <geoff@infradead.org>
+
+[ Upstream commit 126554465d93b10662742128918a5fc338cda4aa ]
+
+The ps3_mm_region_destroy() and ps3_mm_vas_destroy() routines
+are called very late in the shutdown via kexec's mmu_cleanup_all
+routine. By the time mmu_cleanup_all runs it is too late to use
+udbg_printf, and calling it will cause PS3 systems to hang.
+
+Remove all debugging statements from ps3_mm_region_destroy() and
+ps3_mm_vas_destroy() and replace any error reporting with calls
+to lv1_panic.
+
+With this change builds with 'DEBUG' defined will not cause kexec
+reboots to hang, and builds with 'DEBUG' defined or not will end
+in lv1_panic if an error is encountered.
+
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/7325c4af2b4c989c19d6a26b90b1fec9c0615ddf.1589049250.git.geoff@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/ps3/mm.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/arch/powerpc/platforms/ps3/mm.c b/arch/powerpc/platforms/ps3/mm.c
+index b0f34663b1aec..19bae78b1f25b 100644
+--- a/arch/powerpc/platforms/ps3/mm.c
++++ b/arch/powerpc/platforms/ps3/mm.c
+@@ -212,13 +212,14 @@ void ps3_mm_vas_destroy(void)
+ {
+ int result;
+
+- DBG("%s:%d: map.vas_id = %llu\n", __func__, __LINE__, map.vas_id);
+-
+ if (map.vas_id) {
+ result = lv1_select_virtual_address_space(0);
+- BUG_ON(result);
+- result = lv1_destruct_virtual_address_space(map.vas_id);
+- BUG_ON(result);
++ result += lv1_destruct_virtual_address_space(map.vas_id);
++
++ if (result) {
++ lv1_panic(0);
++ }
++
+ map.vas_id = 0;
+ }
+ }
+@@ -316,19 +317,20 @@ static void ps3_mm_region_destroy(struct mem_region *r)
+ int result;
+
+ if (!r->destroy) {
+- pr_info("%s:%d: Not destroying high region: %llxh %llxh\n",
+- __func__, __LINE__, r->base, r->size);
+ return;
+ }
+
+- DBG("%s:%d: r->base = %llxh\n", __func__, __LINE__, r->base);
+-
+ if (r->base) {
+ result = lv1_release_memory(r->base);
+- BUG_ON(result);
++
++ if (result) {
++ lv1_panic(0);
++ }
++
+ r->size = r->base = r->offset = 0;
+ map.total = map.rm.size;
+ }
++
+ ps3_mm_set_repository_highmem(NULL);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 4f421bec8353789af70801cc5f1c725d07fc092d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 14:33:58 +1000
+Subject: powerpc/pseries/ras: Fix FWNMI_VALID off by one
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit deb70f7a35a22dffa55b2c3aac71bc6fb0f486ce ]
+
+This was discovered developing qemu fwnmi sreset support. This
+off-by-one bug means the last 16 bytes of the rtas area can not
+be used for a 16 byte save area.
+
+It's not a serious bug, and QEMU implementation has to retain a
+workaround for old kernels, but it's good to tighten it.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+Link: https://lore.kernel.org/r/20200508043408.886394-7-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/ras.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c
+index 9795e52bab3d3..9e817c1b78087 100644
+--- a/arch/powerpc/platforms/pseries/ras.c
++++ b/arch/powerpc/platforms/pseries/ras.c
+@@ -265,10 +265,11 @@ static irqreturn_t ras_error_interrupt(int irq, void *dev_id)
+ /*
+ * Some versions of FWNMI place the buffer inside the 4kB page starting at
+ * 0x7000. Other versions place it inside the rtas buffer. We check both.
++ * Minimum size of the buffer is 16 bytes.
+ */
+ #define VALID_FWNMI_BUFFER(A) \
+- ((((A) >= 0x7000) && ((A) < 0x7ff0)) || \
+- (((A) >= rtas.base) && ((A) < (rtas.base + rtas.size - 16))))
++ ((((A) >= 0x7000) && ((A) <= 0x8000 - 16)) || \
++ (((A) >= rtas.base) && ((A) <= (rtas.base + rtas.size - 16))))
+
+ /*
+ * Get the error information for errors coming through the
+--
+2.25.1
+
--- /dev/null
+From 7fb81b435f7646e758b424504d3b627e45ac160c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2020 16:13:07 +0530
+Subject: powerpc/pseries: Update hv-24x7 information after migration
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 373b373053384f12951ae9f916043d955501d482 ]
+
+Function 'read_sys_info_pseries()' is added to get system parameter
+values like number of sockets and chips per socket.
+and it gets these details via rtas_call with token
+"PROCESSOR_MODULE_INFO".
+
+Incase lpar migrate from one system to another, system
+parameter details like chips per sockets or number of sockets might
+change. So, it needs to be re-initialized otherwise, these values
+corresponds to previous system values.
+This patch adds a call to 'read_sys_info_pseries()' from
+'post-mobility_fixup()' to re-init the physsockets and physchips values
+
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200525104308.9814-6-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/mobility.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c
+index 8d30a425a88ab..58ddc4389a511 100644
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -326,6 +326,9 @@ void post_mobility_fixup(void)
+ /* Possibly switch to a new RFI flush type */
+ pseries_setup_rfi_flush();
+
++ /* Reinitialise system information for hv-24x7 */
++ read_24x7_sys_info();
++
+ return;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 32a54cf994a5540df4cc92e3e98800838cc48ed7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 May 2020 18:58:32 +0000
+Subject: ps3disk: use the default segment boundary
+
+From: Emmanuel Nicolet <emmanuel.nicolet@gmail.com>
+
+[ Upstream commit 720bc316690bd27dea9d71510b50f0cd698ffc32 ]
+
+Since commit dcebd755926b ("block: use bio_for_each_bvec() to compute
+multi-page bvec count"), the kernel will bug_on on the PS3 because
+bio_split() is called with sectors == 0:
+
+ kernel BUG at block/bio.c:1853!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ BE PAGE_SIZE=4K MMU=Hash PREEMPT SMP NR_CPUS=8 NUMA PS3
+ Modules linked in: firewire_sbp2 rtc_ps3(+) soundcore ps3_gelic(+) \
+ ps3rom(+) firewire_core ps3vram(+) usb_common crc_itu_t
+ CPU: 0 PID: 97 Comm: blkid Not tainted 5.3.0-rc4 #1
+ NIP: c00000000027d0d0 LR: c00000000027d0b0 CTR: 0000000000000000
+ REGS: c00000000135ae90 TRAP: 0700 Not tainted (5.3.0-rc4)
+ MSR: 8000000000028032 <SF,EE,IR,DR,RI> CR: 44008240 XER: 20000000
+ IRQMASK: 0
+ GPR00: c000000000289368 c00000000135b120 c00000000084a500 c000000004ff8300
+ GPR04: 0000000000000c00 c000000004c905e0 c000000004c905e0 000000000000ffff
+ GPR08: 0000000000000000 0000000000000001 0000000000000000 000000000000ffff
+ GPR12: 0000000000000000 c0000000008ef000 000000000000003e 0000000000080001
+ GPR16: 0000000000000100 000000000000ffff 0000000000000000 0000000000000004
+ GPR20: c00000000062fd7e 0000000000000001 000000000000ffff 0000000000000080
+ GPR24: c000000000781788 c00000000135b350 0000000000000080 c000000004c905e0
+ GPR28: c00000000135b348 c000000004ff8300 0000000000000000 c000000004c90000
+ NIP [c00000000027d0d0] .bio_split+0x28/0xac
+ LR [c00000000027d0b0] .bio_split+0x8/0xac
+ Call Trace:
+ [c00000000135b120] [c00000000027d130] .bio_split+0x88/0xac (unreliable)
+ [c00000000135b1b0] [c000000000289368] .__blk_queue_split+0x11c/0x53c
+ [c00000000135b2d0] [c00000000028f614] .blk_mq_make_request+0x80/0x7d4
+ [c00000000135b3d0] [c000000000283a8c] .generic_make_request+0x118/0x294
+ [c00000000135b4b0] [c000000000283d34] .submit_bio+0x12c/0x174
+ [c00000000135b580] [c000000000205a44] .mpage_bio_submit+0x3c/0x4c
+ [c00000000135b600] [c000000000206184] .mpage_readpages+0xa4/0x184
+ [c00000000135b750] [c0000000001ff8fc] .blkdev_readpages+0x24/0x38
+ [c00000000135b7c0] [c0000000001589f0] .read_pages+0x6c/0x1a8
+ [c00000000135b8b0] [c000000000158c74] .__do_page_cache_readahead+0x118/0x184
+ [c00000000135b9b0] [c0000000001591a8] .force_page_cache_readahead+0xe4/0xe8
+ [c00000000135ba50] [c00000000014fc24] .generic_file_read_iter+0x1d8/0x830
+ [c00000000135bb50] [c0000000001ffadc] .blkdev_read_iter+0x40/0x5c
+ [c00000000135bbc0] [c0000000001b9e00] .new_sync_read+0x144/0x1a0
+ [c00000000135bcd0] [c0000000001bc454] .vfs_read+0xa0/0x124
+ [c00000000135bd70] [c0000000001bc7a4] .ksys_read+0x70/0xd8
+ [c00000000135be20] [c00000000000a524] system_call+0x5c/0x70
+ Instruction dump:
+ 7fe3fb78 482e30dc 7c0802a6 482e3085 7c9e2378 f821ff71 7ca42b78 7d3e00d0
+ 7c7d1b78 79290fe0 7cc53378 69290001 <0b090000> 81230028 7bca0020 7929ba62
+ [ end trace 313fec760f30aa1f ]---
+
+The problem originates from setting the segment boundary of the
+request queue to -1UL. This makes get_max_segment_size() return zero
+when offset is zero, whatever the max segment size. The test with
+BLK_SEG_BOUNDARY_MASK fails and 'mask - (mask & offset) + 1' overflows
+to zero in the return statement.
+
+Not setting the segment boundary and using the default
+value (BLK_SEG_BOUNDARY_MASK) fixes the problem.
+
+Signed-off-by: Emmanuel Nicolet <emmanuel.nicolet@gmail.com>
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/060a416c43138f45105c0540eff1a45539f7e2fc.1589049250.git.geoff@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ps3disk.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/block/ps3disk.c b/drivers/block/ps3disk.c
+index c120d70d3fb3b..fc7a20286090d 100644
+--- a/drivers/block/ps3disk.c
++++ b/drivers/block/ps3disk.c
+@@ -464,7 +464,6 @@ static int ps3disk_probe(struct ps3_system_bus_device *_dev)
+ blk_queue_bounce_limit(queue, BLK_BOUNCE_HIGH);
+
+ blk_queue_max_hw_sectors(queue, dev->bounce_size >> 9);
+- blk_queue_segment_boundary(queue, -1UL);
+ blk_queue_dma_alignment(queue, dev->blk_size-1);
+ blk_queue_logical_block_size(queue, dev->blk_size);
+
+--
+2.25.1
+
--- /dev/null
+From 13a10a7955d2fceb3083841d83b313e424bbedff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 09:59:39 +0200
+Subject: s390/qdio: put thinint indicator after early error
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+[ Upstream commit 75e82bec6b2622c6f455b7a543fb5476a5d0eed7 ]
+
+qdio_establish() calls qdio_setup_thinint() via qdio_setup_irq().
+If the subsequent qdio_establish_thinint() fails, we miss to put the
+DSCI again. Thus the DSCI isn't available for re-use. Given enough of
+such errors, we could end up with having only the shared DSCI available.
+
+Merge qdio_setup_thinint() into qdio_establish_thinint(), and deal with
+such an error internally.
+
+Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/qdio.h | 1 -
+ drivers/s390/cio/qdio_setup.c | 1 -
+ drivers/s390/cio/qdio_thinint.c | 14 ++++++++------
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/s390/cio/qdio.h b/drivers/s390/cio/qdio.h
+index 7e70f9298cc13..11f6ebd045456 100644
+--- a/drivers/s390/cio/qdio.h
++++ b/drivers/s390/cio/qdio.h
+@@ -376,7 +376,6 @@ static inline int multicast_outbound(struct qdio_q *q)
+ extern u64 last_ai_time;
+
+ /* prototypes for thin interrupt */
+-void qdio_setup_thinint(struct qdio_irq *irq_ptr);
+ int qdio_establish_thinint(struct qdio_irq *irq_ptr);
+ void qdio_shutdown_thinint(struct qdio_irq *irq_ptr);
+ void tiqdio_add_input_queues(struct qdio_irq *irq_ptr);
+diff --git a/drivers/s390/cio/qdio_setup.c b/drivers/s390/cio/qdio_setup.c
+index d0090c5c88e74..a64615a10352b 100644
+--- a/drivers/s390/cio/qdio_setup.c
++++ b/drivers/s390/cio/qdio_setup.c
+@@ -479,7 +479,6 @@ int qdio_setup_irq(struct qdio_initialize *init_data)
+ setup_queues(irq_ptr, init_data);
+
+ setup_qib(irq_ptr, init_data);
+- qdio_setup_thinint(irq_ptr);
+ set_impl_params(irq_ptr, init_data->qib_param_field_format,
+ init_data->qib_param_field,
+ init_data->input_slib_elements,
+diff --git a/drivers/s390/cio/qdio_thinint.c b/drivers/s390/cio/qdio_thinint.c
+index debe69adfc705..aecb6445a5671 100644
+--- a/drivers/s390/cio/qdio_thinint.c
++++ b/drivers/s390/cio/qdio_thinint.c
+@@ -268,17 +268,19 @@ int __init tiqdio_register_thinints(void)
+
+ int qdio_establish_thinint(struct qdio_irq *irq_ptr)
+ {
++ int rc;
++
+ if (!is_thinint_irq(irq_ptr))
+ return 0;
+- return set_subchannel_ind(irq_ptr, 0);
+-}
+
+-void qdio_setup_thinint(struct qdio_irq *irq_ptr)
+-{
+- if (!is_thinint_irq(irq_ptr))
+- return;
+ irq_ptr->dsci = get_indicator();
+ DBF_HEX(&irq_ptr->dsci, sizeof(void *));
++
++ rc = set_subchannel_ind(irq_ptr, 0);
++ if (rc)
++ put_indicator(irq_ptr->dsci);
++
++ return rc;
+ }
+
+ void qdio_shutdown_thinint(struct qdio_irq *irq_ptr)
+--
+2.25.1
+
--- /dev/null
+From cab71db15f734c42220fef9c6e81f06f3f186cea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 10:16:22 +0200
+Subject: scsi: acornscsi: Fix an error handling path in acornscsi_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 42c76c9848e13dbe0538d7ae0147a269dfa859cb ]
+
+'ret' is known to be 0 at this point. Explicitly return -ENOMEM if one of
+the 'ecardm_iomap()' calls fail.
+
+Link: https://lore.kernel.org/r/20200530081622.577888-1-christophe.jaillet@wanadoo.fr
+Fixes: e95a1b656a98 ("[ARM] rpc: acornscsi: update to new style ecard driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/arm/acornscsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arm/acornscsi.c b/drivers/scsi/arm/acornscsi.c
+index deaaf84989cd1..be595add8026b 100644
+--- a/drivers/scsi/arm/acornscsi.c
++++ b/drivers/scsi/arm/acornscsi.c
+@@ -2912,8 +2912,10 @@ static int acornscsi_probe(struct expansion_card *ec, const struct ecard_id *id)
+
+ ashost->base = ecardm_iomap(ec, ECARD_RES_MEMC, 0, 0);
+ ashost->fast = ecardm_iomap(ec, ECARD_RES_IOCFAST, 0, 0);
+- if (!ashost->base || !ashost->fast)
++ if (!ashost->base || !ashost->fast) {
++ ret = -ENOMEM;
+ goto out_put;
++ }
+
+ host->irq = ec->irq;
+ ashost->host = host;
+--
+2.25.1
+
--- /dev/null
+From 52b52ee75a11cd6c7913b8ee325e93af9c24c762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2020 15:36:32 -0500
+Subject: scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM
+
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+
+[ Upstream commit 4919b33b63c8b69d8dcf2b867431d0e3b6dc6d28 ]
+
+The adapter info MAD is used to send the client info and receive the host
+info as a response. A persistent buffer is used and as such the client info
+is overwritten after the response. During the course of a normal adapter
+reset the client info is refreshed in the buffer in preparation for sending
+the adapter info MAD.
+
+However, in the special case of LPM where we reenable the CRQ instead of a
+full CRQ teardown and reset we fail to refresh the client info in the
+adapter info buffer. As a result, after Live Partition Migration (LPM) we
+erroneously report the host's info as our own.
+
+[mkp: typos]
+
+Link: https://lore.kernel.org/r/20200603203632.18426-1-tyreld@linux.ibm.com
+Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c
+index e26747a1b35a1..e7075aae15daa 100644
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -427,6 +427,8 @@ static int ibmvscsi_reenable_crq_queue(struct crq_queue *queue,
+ int rc = 0;
+ struct vio_dev *vdev = to_vio_dev(hostdata->dev);
+
++ set_adapter_info(hostdata);
++
+ /* Re-enable the CRQ */
+ do {
+ if (rc)
+--
+2.25.1
+
--- /dev/null
+From c32a5851a6d2497a1bd027943a725e6132941b39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 15:13:53 -0500
+Subject: scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 0267ffce562c8bbf9b57ebe0e38445ad04972890 ]
+
+kobject_init_and_add() takes reference even when it fails. If this
+function returns an error, kobject_put() must be called to properly
+clean up the memory associated with the object.
+
+Link: https://lore.kernel.org/r/20200528201353.14849-1-wu000273@umn.edu
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_boot_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/iscsi_boot_sysfs.c b/drivers/scsi/iscsi_boot_sysfs.c
+index 680bf6f0ce767..476f46aad54cb 100644
+--- a/drivers/scsi/iscsi_boot_sysfs.c
++++ b/drivers/scsi/iscsi_boot_sysfs.c
+@@ -319,7 +319,7 @@ iscsi_boot_create_kobj(struct iscsi_boot_kset *boot_kset,
+ boot_kobj->kobj.kset = boot_kset->kset;
+ if (kobject_init_and_add(&boot_kobj->kobj, &iscsi_boot_ktype,
+ NULL, name, index)) {
+- kfree(boot_kobj);
++ kobject_put(&boot_kobj->kobj);
+ return NULL;
+ }
+ boot_kobj->data = data;
+--
+2.25.1
+
--- /dev/null
+From ab06f9fb055e4a1d23dab29affe2bcd32d6e7394 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2020 22:16:24 +0800
+Subject: scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit 7217e6e694da3aae6d17db8a7f7460c8d4817ebf ]
+
+In order to create or activate a new node, lpfc_els_unsol_buffer() invokes
+lpfc_nlp_init() or lpfc_enable_node() or lpfc_nlp_get(), all of them will
+return a reference of the specified lpfc_nodelist object to "ndlp" with
+increased refcnt.
+
+When lpfc_els_unsol_buffer() returns, local variable "ndlp" becomes
+invalid, so the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+lpfc_els_unsol_buffer(). When "ndlp" in DEV_LOSS, the function forgets to
+decrease the refcnt increased by lpfc_nlp_init() or lpfc_enable_node() or
+lpfc_nlp_get(), causing a refcnt leak.
+
+Fix this issue by calling lpfc_nlp_put() when "ndlp" in DEV_LOSS.
+
+Link: https://lore.kernel.org/r/1590416184-52592-1-git-send-email-xiyuyang19@fudan.edu.cn
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 530b7df21322a..315dd25a0c44e 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7315,6 +7315,8 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+ spin_lock_irq(shost->host_lock);
+ if (ndlp->nlp_flag & NLP_IN_DEV_LOSS) {
+ spin_unlock_irq(shost->host_lock);
++ if (newnode)
++ lpfc_nlp_put(ndlp);
+ goto dropit;
+ }
+ spin_unlock_irq(shost->host_lock);
+--
+2.25.1
+
--- /dev/null
+From 69619e3ddbce0edcbbcdb2717cd086f3101927d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 07:07:38 -0400
+Subject: scsi: mpt3sas: Fix double free warnings
+
+From: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+
+[ Upstream commit cbbfdb2a2416c9f0cde913cf09670097ac281282 ]
+
+Fix following warning from Smatch static analyser:
+
+drivers/scsi/mpt3sas/mpt3sas_base.c:5256 _base_allocate_memory_pools()
+warn: 'ioc->hpr_lookup' double freed
+
+drivers/scsi/mpt3sas/mpt3sas_base.c:5256 _base_allocate_memory_pools()
+warn: 'ioc->internal_lookup' double freed
+
+Link: https://lore.kernel.org/r/20200508110738.30732-1-suganath-prabu.subramani@broadcom.com
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
+index 7af7a08594785..8d52afd1f71db 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -3136,7 +3136,9 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
+ ioc->scsi_lookup = NULL;
+ }
+ kfree(ioc->hpr_lookup);
++ ioc->hpr_lookup = NULL;
+ kfree(ioc->internal_lookup);
++ ioc->internal_lookup = NULL;
+ if (ioc->chain_lookup) {
+ for (i = 0; i < ioc->chain_depth; i++) {
+ if (ioc->chain_lookup[i].chain_buffer)
+--
+2.25.1
+
--- /dev/null
+From a59b7f9a8c417f34af1a22b10cf4cd9cfce709f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Apr 2020 13:55:52 +0300
+Subject: scsi: qla2xxx: Fix issue with adapter's stopping state
+
+From: Viacheslav Dubeyko <v.dubeiko@yadro.com>
+
+[ Upstream commit 803e45550b11c8e43d89812356fe6f105adebdf9 ]
+
+The goal of the following command sequence is to restart the adapter.
+However, the tgt_stop flag remains set, indicating that the adapter is
+still in stopping state even after re-enabling it.
+
+echo 0x7fffffff > /sys/module/qla2xxx/parameters/logging
+modprobe target_core_mod
+modprobe tcm_qla2xxx
+mkdir /sys/kernel/config/target/qla2xxx
+mkdir /sys/kernel/config/target/qla2xxx/<port-name>
+mkdir /sys/kernel/config/target/qla2xxx/<port-name>/tpgt_1
+echo 1 > /sys/kernel/config/target/qla2xxx/<port-name>/tpgt_1/enable
+echo 0 > /sys/kernel/config/target/qla2xxx/<port-name>/tpgt_1/enable
+echo 1 > /sys/kernel/config/target/qla2xxx/<port-name>/tpgt_1/enable
+
+kernel: PID 1396:qla_target.c:1555 qlt_stop_phase1(): tgt_stop 0x0, tgt_stopped 0x0
+kernel: qla2xxx [0001:00:02.0]-e803:1: PID 1396:qla_target.c:1567: Stopping target for host 1(c0000000033557e8)
+kernel: PID 1396:qla_target.c:1579 qlt_stop_phase1(): tgt_stop 0x1, tgt_stopped 0x0
+kernel: PID 1396:qla_target.c:1266 qlt_schedule_sess_for_deletion(): tgt_stop 0x1, tgt_stopped 0x0
+kernel: qla2xxx [0001:00:02.0]-e801:1: PID 1396:qla_target.c:1316: Scheduling sess c00000002d5cd800 for deletion 21:00:00:24:ff:7f:35:c7
+<skipped>
+kernel: qla2xxx [0001:00:02.0]-290a:1: PID 340:qla_target.c:1187: qlt_unreg_sess sess c00000002d5cd800 for deletion 21:00:00:24:ff:7f:35:c7
+<skipped>
+kernel: qla2xxx [0001:00:02.0]-f801:1: PID 340:qla_target.c:1145: Unregistration of sess c00000002d5cd800 21:00:00:24:ff:7f:35:c7 finished fcp_cnt 0
+kernel: PID 340:qla_target.c:1155 qlt_free_session_done(): tgt_stop 0x1, tgt_stopped 0x0
+kernel: qla2xxx [0001:00:02.0]-4807:1: PID 346:qla_os.c:6329: ISP abort scheduled.
+<skipped>
+kernel: qla2xxx [0001:00:02.0]-28f1:1: PID 346:qla_os.c:3956: Mark all dev lost
+kernel: PID 346:qla_target.c:1266 qlt_schedule_sess_for_deletion(): tgt_stop 0x1, tgt_stopped 0x0
+kernel: qla2xxx [0001:00:02.0]-4808:1: PID 346:qla_os.c:6338: ISP abort end.
+<skipped>
+kernel: PID 1396:qla_target.c:6812 qlt_enable_vha(): tgt_stop 0x1, tgt_stopped 0x0
+<skipped>
+kernel: qla2xxx [0001:00:02.0]-4807:1: PID 346:qla_os.c:6329: ISP abort scheduled.
+<skipped>
+kernel: qla2xxx [0001:00:02.0]-4808:1: PID 346:qla_os.c:6338: ISP abort end.
+
+qlt_handle_cmd_for_atio() rejects the request to send commands because the
+adapter is in the stopping state:
+
+kernel: PID 0:qla_target.c:4442 qlt_handle_cmd_for_atio(): tgt_stop 0x1, tgt_stopped 0x0
+kernel: qla2xxx [0001:00:02.0]-3861:1: PID 0:qla_target.c:4447: New command while device c000000005314600 is shutting down
+kernel: qla2xxx [0001:00:02.0]-e85f:1: PID 0:qla_target.c:5728: qla_target: Unable to send command to target
+
+This patch calls qla_stop_phase2() in addition to qlt_stop_phase1() in
+tcm_qla2xxx_tpg_enable_store() and tcm_qla2xxx_npiv_tpg_enable_store(). The
+qlt_stop_phase1() marks adapter as stopping (tgt_stop == 0x1, tgt_stopped
+== 0x0) but qlt_stop_phase2() marks adapter as stopped (tgt_stop == 0x0,
+tgt_stopped == 0x1).
+
+Link: https://lore.kernel.org/r/52be1e8a3537f6c5407eae3edd4c8e08a9545ea5.camel@yadro.com
+Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Viacheslav Dubeyko <v.dubeiko@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index b1233ce6cb475..1cef25ea0da13 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -827,6 +827,7 @@ static ssize_t tcm_qla2xxx_tpg_enable_store(struct config_item *item,
+
+ atomic_set(&tpg->lport_tpg_enabled, 0);
+ qlt_stop_phase1(vha->vha_tgt.qla_tgt);
++ qlt_stop_phase2(vha->vha_tgt.qla_tgt);
+ }
+
+ return count;
+@@ -990,6 +991,7 @@ static ssize_t tcm_qla2xxx_npiv_tpg_enable_store(struct config_item *item,
+
+ atomic_set(&tpg->lport_tpg_enabled, 0);
+ qlt_stop_phase1(vha->vha_tgt.qla_tgt);
++ qlt_stop_phase2(vha->vha_tgt.qla_tgt);
+ }
+
+ return count;
+--
+2.25.1
+
--- /dev/null
+From bf560bf4db155dce4f7c71e981d8a450d42321e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 18:59:44 +0100
+Subject: scsi: sr: Fix sr_probe() missing deallocate of device minor
+
+From: Simon Arlott <simon@octiron.net>
+
+[ Upstream commit 6555781b3fdec5e94e6914511496144241df7dee ]
+
+If the cdrom fails to be registered then the device minor should be
+deallocated.
+
+Link: https://lore.kernel.org/r/072dac4b-8402-4de8-36bd-47e7588969cd@0882a8b5-c6c3-11e9-b005-00805fc181fe
+Signed-off-by: Simon Arlott <simon@octiron.net>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
+index 5dc288fecace4..7dd4d9ded2491 100644
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -746,7 +746,7 @@ static int sr_probe(struct device *dev)
+ cd->cdi.disk = disk;
+
+ if (register_cdrom(&cd->cdi))
+- goto fail_put;
++ goto fail_minor;
+
+ /*
+ * Initialize block layer runtime PM stuffs before the
+@@ -764,6 +764,10 @@ static int sr_probe(struct device *dev)
+
+ return 0;
+
++fail_minor:
++ spin_lock(&sr_index_lock);
++ clear_bit(minor, sr_index_bits);
++ spin_unlock(&sr_index_lock);
+ fail_put:
+ put_disk(disk);
+ fail_free:
+--
+2.25.1
+
--- /dev/null
+From 5ae0b5f609a0c70a2989498f17c4e95743d7828a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2020 15:37:15 -0400
+Subject: selftests/net: in timestamping, strncpy needs to preserve null byte
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: tannerlove <tannerlove@google.com>
+
+[ Upstream commit 8027bc0307ce59759b90679fa5d8b22949586d20 ]
+
+If user passed an interface option longer than 15 characters, then
+device.ifr_name and hwtstamp.ifr_name became non-null-terminated
+strings. The compiler warned about this:
+
+timestamping.c:353:2: warning: ‘strncpy’ specified bound 16 equals \
+destination size [-Wstringop-truncation]
+ 353 | strncpy(device.ifr_name, interface, sizeof(device.ifr_name));
+
+Fixes: cb9eff097831 ("net: new user space API for time stamping of incoming and outgoing packets")
+Signed-off-by: Tanner Love <tannerlove@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/networking/timestamping/timestamping.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/networking/timestamping/timestamping.c b/tools/testing/selftests/networking/timestamping/timestamping.c
+index 5cdfd743447b7..900ed4b478996 100644
+--- a/tools/testing/selftests/networking/timestamping/timestamping.c
++++ b/tools/testing/selftests/networking/timestamping/timestamping.c
+@@ -332,10 +332,16 @@ int main(int argc, char **argv)
+ int val;
+ socklen_t len;
+ struct timeval next;
++ size_t if_len;
+
+ if (argc < 2)
+ usage(0);
+ interface = argv[1];
++ if_len = strlen(interface);
++ if (if_len >= IFNAMSIZ) {
++ printf("interface name exceeds IFNAMSIZ\n");
++ exit(1);
++ }
+
+ for (i = 2; i < argc; i++) {
+ if (!strcasecmp(argv[i], "SO_TIMESTAMP"))
+@@ -369,12 +375,12 @@ int main(int argc, char **argv)
+ bail("socket");
+
+ memset(&device, 0, sizeof(device));
+- strncpy(device.ifr_name, interface, sizeof(device.ifr_name));
++ memcpy(device.ifr_name, interface, if_len + 1);
+ if (ioctl(sock, SIOCGIFADDR, &device) < 0)
+ bail("getting interface IP address");
+
+ memset(&hwtstamp, 0, sizeof(hwtstamp));
+- strncpy(hwtstamp.ifr_name, interface, sizeof(hwtstamp.ifr_name));
++ memcpy(hwtstamp.ifr_name, interface, if_len + 1);
+ hwtstamp.ifr_data = (void *)&hwconfig;
+ memset(&hwconfig, 0, sizeof(hwconfig));
+ hwconfig.tx_type =
+--
+2.25.1
+
--- /dev/null
+From 083033eacbe99d89817a0cc746916f1b84d1651b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:40:50 +0000
+Subject: serial: amba-pl011: Make sure we initialize the port.lock spinlock
+
+From: John Stultz <john.stultz@linaro.org>
+
+[ Upstream commit 8508f4cba308f785b2fd4b8c38849c117b407297 ]
+
+Valentine reported seeing:
+
+[ 3.626638] INFO: trying to register non-static key.
+[ 3.626639] the code is fine but needs lockdep annotation.
+[ 3.626640] turning off the locking correctness validator.
+[ 3.626644] CPU: 7 PID: 51 Comm: kworker/7:1 Not tainted 5.7.0-rc2-00115-g8c2e9790f196 #116
+[ 3.626646] Hardware name: HiKey960 (DT)
+[ 3.626656] Workqueue: events deferred_probe_work_func
+[ 3.632476] sd 0:0:0:0: [sda] Optimal transfer size 8192 bytes not a multiple of physical block size (16384 bytes)
+[ 3.640220] Call trace:
+[ 3.640225] dump_backtrace+0x0/0x1b8
+[ 3.640227] show_stack+0x20/0x30
+[ 3.640230] dump_stack+0xec/0x158
+[ 3.640234] register_lock_class+0x598/0x5c0
+[ 3.640235] __lock_acquire+0x80/0x16c0
+[ 3.640236] lock_acquire+0xf4/0x4a0
+[ 3.640241] _raw_spin_lock_irqsave+0x70/0xa8
+[ 3.640245] uart_add_one_port+0x388/0x4b8
+[ 3.640248] pl011_register_port+0x70/0xf0
+[ 3.640250] pl011_probe+0x184/0x1b8
+[ 3.640254] amba_probe+0xdc/0x180
+[ 3.640256] really_probe+0xe0/0x338
+[ 3.640257] driver_probe_device+0x60/0xf8
+[ 3.640259] __device_attach_driver+0x8c/0xd0
+[ 3.640260] bus_for_each_drv+0x84/0xd8
+[ 3.640261] __device_attach+0xe4/0x140
+[ 3.640263] device_initial_probe+0x1c/0x28
+[ 3.640265] bus_probe_device+0xa4/0xb0
+[ 3.640266] deferred_probe_work_func+0x7c/0xb8
+[ 3.640269] process_one_work+0x2c0/0x768
+[ 3.640271] worker_thread+0x4c/0x498
+[ 3.640272] kthread+0x14c/0x158
+[ 3.640275] ret_from_fork+0x10/0x1c
+
+Which seems to be due to the fact that after allocating the uap
+structure, nothing initializes the spinlock.
+
+Its a little confusing, as uart_port_spin_lock_init() is one
+place where the lock is supposed to be initialized, but it has
+an exception for the case where the port is a console.
+
+This makes it seem like a deeper fix is needed to properly
+register the console, but I'm not sure what that entails, and
+Andy suggested that this approach is less invasive.
+
+Thus, this patch resolves the issue by initializing the spinlock
+in the driver, and resolves the resulting warning.
+
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: linux-serial@vger.kernel.org
+Reported-by: Valentin Schneider <valentin.schneider@arm.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Reviewed-and-tested-by: Valentin Schneider <valentin.schneider@arm.com>
+Link: https://lore.kernel.org/r/20200428184050.6501-1-john.stultz@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/amba-pl011.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
+index 899a77187bdea..c5da46f7b9093 100644
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -2323,6 +2323,7 @@ static int pl011_setup_port(struct device *dev, struct uart_amba_port *uap,
+ uap->port.fifosize = uap->fifosize;
+ uap->port.flags = UPF_BOOT_AUTOCONF;
+ uap->port.line = index;
++ spin_lock_init(&uap->port.lock);
+
+ amba_ports[index] = uap;
+
+--
+2.25.1
+
--- /dev/null
+clk-sunxi-fix-incorrect-usage-of-round_down.patch
+i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch
+clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch
+alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch
+scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch
+i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch
+usblp-poison-urbs-upon-disconnect.patch
+ps3disk-use-the-default-segment-boundary.patch
+vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch
+mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch
+scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch
+powerpc-pseries-update-hv-24x7-information-after-mig.patch
+nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch
+powerpc-crashkernel-take-mem-option-into-account.patch
+yam-fix-possible-memory-leak-in-yam_init_driver.patch
+mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch
+scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch
+scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch
+staging-rtl8712-fix-multiline-derefernce-warnings.patch
+alsa-usb-audio-improve-frames-size-computation.patch
+s390-qdio-put-thinint-indicator-after-early-error.patch
+tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch
+staging-sm750fb-add-missing-case-while-setting-fb_vi.patch
+i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch
+serial-amba-pl011-make-sure-we-initialize-the-port.l.patch
+drivers-base-fix-null-pointer-exception-in-__platfor.patch
+pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch
+power-supply-smb347-charger-irqstat_d-is-volatile.patch
+scsi-mpt3sas-fix-double-free-warnings.patch
+dlm-remove-bug-before-panic.patch
+clk-ti-composite-fix-memory-leak.patch
+tty-n_gsm-fix-sof-skipping.patch
+tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch
+powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch
+powerpc-ps3-fix-kexec-shutdown-hang.patch
+vfio-pci-mask-cap-zero.patch
+usb-ohci-platform-fix-a-warning-when-hibernating.patch
+usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch
+tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch
+clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch
+watchdog-da9062-no-need-to-ping-manually-before-sett.patch
+usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch
+usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch
+usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch
+usb-gadget-fix-potential-double-free-in-m66592_probe.patch
+net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch
+asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch
+openrisc-fix-issue-with-argument-clobbering-for-clon.patch
+gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch
+scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch
+lib-zlib-remove-outdated-and-incorrect-pre-increment.patch
+include-linux-bitops.h-avoid-clang-shift-count-overf.patch
+elfnote-mark-all-.note-sections-shf_alloc.patch
+selftests-net-in-timestamping-strncpy-needs-to-prese.patch
+scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch
+usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch
+usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch
+perf-report-fix-null-pointer-dereference-in-hists__f.patch
+bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch
+block-fix-use-after-free-in-blkdev_get.patch
+libata-use-per-port-sync-for-detach.patch
+drm-encoder_slave-fix-refcouting-error-for-modules.patch
--- /dev/null
+From e57d07be798de1feb15dbfb69de95f11f42086ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Mar 2020 14:57:47 -0400
+Subject: staging: rtl8712: fix multiline derefernce warnings
+
+From: Aiman Najjar <aiman.najjar@hurranet.com>
+
+[ Upstream commit 269da10b1477c31c660288633c8d613e421b131f ]
+
+This patch fixes remaining checkpatch warnings
+in rtl871x_xmit.c:
+
+WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->PrivacyKeyIndex'
+636: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:636:
++ (u8)psecuritypriv->
++ PrivacyKeyIndex);
+
+WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->XGrpKeyid'
+643: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:643:
++ (u8)psecuritypriv->
++ XGrpKeyid);
+
+WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->XGrpKeyid'
+652: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:652:
++ (u8)psecuritypriv->
++ XGrpKeyid);
+
+Signed-off-by: Aiman Najjar <aiman.najjar@hurranet.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/98805a72b92e9bbf933e05b827d27944663b7bc1.1585508171.git.aiman.najjar@hurranet.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8712/rtl871x_xmit.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/staging/rtl8712/rtl871x_xmit.c b/drivers/staging/rtl8712/rtl871x_xmit.c
+index d3ad89c7b8afd..f82bbbe82244f 100644
+--- a/drivers/staging/rtl8712/rtl871x_xmit.c
++++ b/drivers/staging/rtl8712/rtl871x_xmit.c
+@@ -593,7 +593,7 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt,
+ addr_t addr;
+ u8 *pframe, *mem_start, *ptxdesc;
+ struct sta_info *psta;
+- struct security_priv *psecuritypriv = &padapter->securitypriv;
++ struct security_priv *psecpriv = &padapter->securitypriv;
+ struct mlme_priv *pmlmepriv = &padapter->mlmepriv;
+ struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
+ struct pkt_attrib *pattrib = &pxmitframe->attrib;
+@@ -636,15 +636,13 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt,
+ case _WEP40_:
+ case _WEP104_:
+ WEP_IV(pattrib->iv, psta->txpn,
+- (u8)psecuritypriv->
+- PrivacyKeyIndex);
++ (u8)psecpriv->PrivacyKeyIndex);
+ break;
+ case _TKIP_:
+ if (bmcst)
+ TKIP_IV(pattrib->iv,
+ psta->txpn,
+- (u8)psecuritypriv->
+- XGrpKeyid);
++ (u8)psecpriv->XGrpKeyid);
+ else
+ TKIP_IV(pattrib->iv, psta->txpn,
+ 0);
+@@ -652,8 +650,7 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt,
+ case _AES_:
+ if (bmcst)
+ AES_IV(pattrib->iv, psta->txpn,
+- (u8)psecuritypriv->
+- XGrpKeyid);
++ (u8)psecpriv->XGrpKeyid);
+ else
+ AES_IV(pattrib->iv, psta->txpn,
+ 0);
+--
+2.25.1
+
--- /dev/null
+From 81130b6aea46b762d2a6b988da0989efc8d6a16e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 22:09:24 +0200
+Subject: staging: sm750fb: add missing case while setting FB_VISUAL
+
+From: Matej Dujava <mdujava@kocurkovo.cz>
+
+[ Upstream commit fa90133377f4a7f15a937df6ad55133bb57c5665 ]
+
+Switch statement does not contain all cases: 8, 16, 24, 32.
+This patch will add missing one (24)
+
+Fixes: 81dee67e215b ("staging: sm750fb: add sm750 to staging")
+Signed-off-by: Matej Dujava <mdujava@kocurkovo.cz>
+Link: https://lore.kernel.org/r/1588277366-19354-2-git-send-email-mdujava@kocurkovo.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/sm750fb/sm750.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
+index 860e1c288ad5e..75b47d61318a1 100644
+--- a/drivers/staging/sm750fb/sm750.c
++++ b/drivers/staging/sm750fb/sm750.c
+@@ -894,6 +894,7 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
+ fix->visual = FB_VISUAL_PSEUDOCOLOR;
+ break;
+ case 16:
++ case 24:
+ case 32:
+ fix->visual = FB_VISUAL_TRUECOLOR;
+ break;
+--
+2.25.1
+
--- /dev/null
+From 1afb32eb305c0c5fa51772b009e5b75c26c98250 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 20:26:01 -0700
+Subject: tty: hvc: Fix data abort due to race in hvc_open
+
+From: Raghavendra Rao Ananta <rananta@codeaurora.org>
+
+[ Upstream commit e2bd1dcbe1aa34ff5570b3427c530e4332ecf0fe ]
+
+Potentially, hvc_open() can be called in parallel when two tasks calls
+open() on /dev/hvcX. In such a scenario, if the hp->ops->notifier_add()
+callback in the function fails, where it sets the tty->driver_data to
+NULL, the parallel hvc_open() can see this NULL and cause a memory abort.
+Hence, serialize hvc_open and check if tty->private_data is NULL before
+proceeding ahead.
+
+The issue can be easily reproduced by launching two tasks simultaneously
+that does nothing but open() and close() on /dev/hvcX.
+For example:
+$ ./simple_open_close /dev/hvc0 & ./simple_open_close /dev/hvc0 &
+
+Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
+Link: https://lore.kernel.org/r/20200428032601.22127-1-rananta@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/hvc/hvc_console.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
+index acf6d143c7531..81f23af8beca9 100644
+--- a/drivers/tty/hvc/hvc_console.c
++++ b/drivers/tty/hvc/hvc_console.c
+@@ -89,6 +89,8 @@ static LIST_HEAD(hvc_structs);
+ */
+ static DEFINE_SPINLOCK(hvc_structs_lock);
+
++/* Mutex to serialize hvc_open */
++static DEFINE_MUTEX(hvc_open_mutex);
+ /*
+ * This value is used to assign a tty->index value to a hvc_struct based
+ * upon order of exposure via hvc_probe(), when we can not match it to
+@@ -333,16 +335,24 @@ static int hvc_install(struct tty_driver *driver, struct tty_struct *tty)
+ */
+ static int hvc_open(struct tty_struct *tty, struct file * filp)
+ {
+- struct hvc_struct *hp = tty->driver_data;
++ struct hvc_struct *hp;
+ unsigned long flags;
+ int rc = 0;
+
++ mutex_lock(&hvc_open_mutex);
++
++ hp = tty->driver_data;
++ if (!hp) {
++ rc = -EIO;
++ goto out;
++ }
++
+ spin_lock_irqsave(&hp->port.lock, flags);
+ /* Check and then increment for fast path open. */
+ if (hp->port.count++ > 0) {
+ spin_unlock_irqrestore(&hp->port.lock, flags);
+ hvc_kick();
+- return 0;
++ goto out;
+ } /* else count == 0 */
+ spin_unlock_irqrestore(&hp->port.lock, flags);
+
+@@ -371,6 +381,8 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
+ /* Force wakeup of the polling thread */
+ hvc_kick();
+
++out:
++ mutex_unlock(&hvc_open_mutex);
+ return rc;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 150c81021020bfcb16c4c80ec1b5c6deafa3458c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 10:45:13 +0200
+Subject: tty: n_gsm: Fix bogus i++ in gsm_data_kick
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit 4dd31f1ffec6c370c3c2e0c605628bf5e16d5c46 ]
+
+When submitting the previous fix "tty: n_gsm: Fix waking up upper tty
+layer when room available". It was suggested to switch from a while to
+a for loop, but when doing it, there was a remaining bogus i++.
+
+This patch removes this i++ and also reorganizes the code making it more
+compact.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Link: https://lore.kernel.org/r/20200518084517.2173242-3-gregory.clement@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_gsm.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 0020de4fe66f5..9b2beada2ff3b 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -719,17 +719,9 @@ static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci)
+ } else {
+ int i = 0;
+
+- for (i = 0; i < NUM_DLCI; i++) {
+- struct gsm_dlci *dlci;
+-
+- dlci = gsm->dlci[i];
+- if (dlci == NULL) {
+- i++;
+- continue;
+- }
+-
+- tty_port_tty_wakeup(&dlci->port);
+- }
++ for (i = 0; i < NUM_DLCI; i++)
++ if (gsm->dlci[i])
++ tty_port_tty_wakeup(&gsm->dlci[i]->port);
+ }
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 59961277baad2a030903cf0c51667da3369a500a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 13:53:22 +0200
+Subject: tty: n_gsm: Fix SOF skipping
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit 84d6f81c1fb58b56eba81ff0a36cf31946064b40 ]
+
+For at least some modems like the TELIT LE910, skipping SOF makes
+transfers blocking indefinitely after a short amount of data
+transferred.
+
+Given the small improvement provided by skipping the SOF (just one
+byte on about 100 bytes), it seems better to completely remove this
+"feature" than make it optional.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Link: https://lore.kernel.org/r/20200512115323.1447922-3-gregory.clement@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_gsm.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 6060c3e8925ef..08aaf993221e7 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -685,7 +685,6 @@ static void gsm_data_kick(struct gsm_mux *gsm)
+ {
+ struct gsm_msg *msg, *nmsg;
+ int len;
+- int skip_sof = 0;
+
+ list_for_each_entry_safe(msg, nmsg, &gsm->tx_list, list) {
+ if (gsm->constipated && msg->addr)
+@@ -707,15 +706,10 @@ static void gsm_data_kick(struct gsm_mux *gsm)
+ print_hex_dump_bytes("gsm_data_kick: ",
+ DUMP_PREFIX_OFFSET,
+ gsm->txframe, len);
+-
+- if (gsm->output(gsm, gsm->txframe + skip_sof,
+- len - skip_sof) < 0)
++ if (gsm->output(gsm, gsm->txframe, len) < 0)
+ break;
+ /* FIXME: Can eliminate one SOF in many more cases */
+ gsm->tx_bytes -= msg->len;
+- /* For a burst of frames skip the extra SOF within the
+- burst */
+- skip_sof = 1;
+
+ list_del(&msg->list);
+ kfree(msg);
+--
+2.25.1
+
--- /dev/null
+From 790cd3c2f56e77b291f1f5830eeeeba76d6e1952 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 13:53:23 +0200
+Subject: tty: n_gsm: Fix waking up upper tty layer when room available
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit 01dbb362f0a114fbce19c8abe4cd6f4710e934d5 ]
+
+Warn the upper layer when n_gms is ready to receive data
+again. Without this the associated virtual tty remains blocked
+indefinitely.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Link: https://lore.kernel.org/r/20200512115323.1447922-4-gregory.clement@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_gsm.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 08aaf993221e7..0020de4fe66f5 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -681,7 +681,7 @@ static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len,
+ * FIXME: lock against link layer control transmissions
+ */
+
+-static void gsm_data_kick(struct gsm_mux *gsm)
++static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci)
+ {
+ struct gsm_msg *msg, *nmsg;
+ int len;
+@@ -713,6 +713,24 @@ static void gsm_data_kick(struct gsm_mux *gsm)
+
+ list_del(&msg->list);
+ kfree(msg);
++
++ if (dlci) {
++ tty_port_tty_wakeup(&dlci->port);
++ } else {
++ int i = 0;
++
++ for (i = 0; i < NUM_DLCI; i++) {
++ struct gsm_dlci *dlci;
++
++ dlci = gsm->dlci[i];
++ if (dlci == NULL) {
++ i++;
++ continue;
++ }
++
++ tty_port_tty_wakeup(&dlci->port);
++ }
++ }
+ }
+ }
+
+@@ -764,7 +782,7 @@ static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
+ /* Add to the actual output queue */
+ list_add_tail(&msg->list, &gsm->tx_list);
+ gsm->tx_bytes += msg->len;
+- gsm_data_kick(gsm);
++ gsm_data_kick(gsm, dlci);
+ }
+
+ /**
+@@ -1225,7 +1243,7 @@ static void gsm_control_message(struct gsm_mux *gsm, unsigned int command,
+ gsm_control_reply(gsm, CMD_FCON, NULL, 0);
+ /* Kick the link in case it is idling */
+ spin_lock_irqsave(&gsm->tx_lock, flags);
+- gsm_data_kick(gsm);
++ gsm_data_kick(gsm, NULL);
+ spin_unlock_irqrestore(&gsm->tx_lock, flags);
+ break;
+ case CMD_FCOFF:
+@@ -2423,7 +2441,7 @@ static void gsmld_write_wakeup(struct tty_struct *tty)
+ /* Queue poll */
+ clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
+ spin_lock_irqsave(&gsm->tx_lock, flags);
+- gsm_data_kick(gsm);
++ gsm_data_kick(gsm, NULL);
+ if (gsm->tx_bytes < TX_THRESH_LO) {
+ gsm_dlci_data_sweep(gsm);
+ }
+--
+2.25.1
+
--- /dev/null
+From 9a03d6c5e23e8995bfa3c958612ba557fb8a2801 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 13:55:53 +0200
+Subject: usb: dwc2: gadget: move gadget resume after the core is in L0 state
+
+From: Fabrice Gasnier <fabrice.gasnier@st.com>
+
+[ Upstream commit 8c935deacebb8fac8f41378701eb79d12f3c2e2d ]
+
+When the remote wakeup interrupt is triggered, lx_state is resumed from L2
+to L0 state. But when the gadget resume is called, lx_state is still L2.
+This prevents the resume callback to queue any request. Any attempt
+to queue a request from resume callback will result in:
+- "submit request only in active state" debug message to be issued
+- dwc2_hsotg_ep_queue() returns -EAGAIN
+
+Call the gadget resume routine after the core is in L0 state.
+
+Fixes: f81f46e1f530 ("usb: dwc2: implement hibernation during bus suspend/resume")
+
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/core_intr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/dwc2/core_intr.c b/drivers/usb/dwc2/core_intr.c
+index 27daa42788b1a..796d60d49ac5f 100644
+--- a/drivers/usb/dwc2/core_intr.c
++++ b/drivers/usb/dwc2/core_intr.c
+@@ -363,10 +363,13 @@ static void dwc2_handle_wakeup_detected_intr(struct dwc2_hsotg *hsotg)
+ if (ret && (ret != -ENOTSUPP))
+ dev_err(hsotg->dev, "exit hibernation failed\n");
+
++ /* Change to L0 state */
++ hsotg->lx_state = DWC2_L0;
+ call_gadget(hsotg, resume);
++ } else {
++ /* Change to L0 state */
++ hsotg->lx_state = DWC2_L0;
+ }
+- /* Change to L0 state */
+- hsotg->lx_state = DWC2_L0;
+ } else {
+ if (hsotg->core_params->hibernation) {
+ dwc2_writel(GINTSTS_WKUPINT, hsotg->regs + GINTSTS);
+--
+2.25.1
+
--- /dev/null
+From eb34c99e1a1121f7d41bd8761293eed2ab14a7e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 16:49:31 +0100
+Subject: usb/ehci-platform: Set PM runtime as active on resume
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit 16bdc04cc98ab0c74392ceef2475ecc5e73fcf49 ]
+
+Follow suit of ohci-platform.c and perform pm_runtime_set_active() on
+resume.
+
+ohci-platform.c had a warning reported due to the missing
+pm_runtime_set_active() [1].
+
+[1] https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+CC: Tony Prisk <linux@prisktech.co.nz>
+CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+CC: Mathias Nyman <mathias.nyman@intel.com>
+CC: Oliver Neukum <oneukum@suse.de>
+CC: linux-arm-kernel@lists.infradead.org
+CC: linux-usb@vger.kernel.org
+CC: linux-kernel@vger.kernel.org
+Link: https://lore.kernel.org/r/20200518154931.6144-3-qais.yousef@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ehci-platform.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/host/ehci-platform.c b/drivers/usb/host/ehci-platform.c
+index bd7082f297bbe..56200650b46b4 100644
+--- a/drivers/usb/host/ehci-platform.c
++++ b/drivers/usb/host/ehci-platform.c
+@@ -375,6 +375,11 @@ static int ehci_platform_resume(struct device *dev)
+ }
+
+ ehci_resume(hcd, priv->reset_on_resume);
++
++ pm_runtime_disable(dev);
++ pm_runtime_set_active(dev);
++ pm_runtime_enable(dev);
++
+ return 0;
+ }
+ #endif /* CONFIG_PM_SLEEP */
+--
+2.25.1
+
--- /dev/null
+From 1aa91c86f37a0fb28da35f3ba39b14105222a334 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 23:06:25 -0500
+Subject: usb: gadget: fix potential double-free in m66592_probe.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 44734a594196bf1d474212f38fe3a0d37a73278b ]
+
+m66592_free_request() is called under label "err_add_udc"
+and "clean_up", and m66592->ep0_req is not set to NULL after
+first free, leading to a double-free. Fix this issue by
+setting m66592->ep0_req to NULL after the first free.
+
+Fixes: 0f91349b89f3 ("usb: gadget: convert all users to the new udc infrastructure")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/m66592-udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/m66592-udc.c b/drivers/usb/gadget/udc/m66592-udc.c
+index b1cfa96cc88f8..db95eab8b4328 100644
+--- a/drivers/usb/gadget/udc/m66592-udc.c
++++ b/drivers/usb/gadget/udc/m66592-udc.c
+@@ -1684,7 +1684,7 @@ static int m66592_probe(struct platform_device *pdev)
+
+ err_add_udc:
+ m66592_free_request(&m66592->ep[0].ep, m66592->ep0_req);
+-
++ m66592->ep0_req = NULL;
+ clean_up3:
+ if (m66592->pdata->on_chip) {
+ clk_disable(m66592->clk);
+--
+2.25.1
+
--- /dev/null
+From 1c8f424484d10864d70c2c3373f3cbb7f2c3a6b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 16:13:00 +0100
+Subject: usb: gadget: lpc32xx_udc: don't dereference ep pointer before null
+ check
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit eafa80041645cd7604c4357b1a0cd4a3c81f2227 ]
+
+Currently pointer ep is being dereferenced before it is null checked
+leading to a null pointer dereference issue. Fix this by only assigning
+pointer udc once ep is known to be not null. Also remove a debug
+message that requires a valid udc which may not be possible at that
+point.
+
+Addresses-Coverity: ("Dereference before null check")
+Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/lpc32xx_udc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
+index ea43cb74a6f27..c9590949e4f0a 100644
+--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
+@@ -1662,17 +1662,17 @@ static int lpc32xx_ep_enable(struct usb_ep *_ep,
+ const struct usb_endpoint_descriptor *desc)
+ {
+ struct lpc32xx_ep *ep = container_of(_ep, struct lpc32xx_ep, ep);
+- struct lpc32xx_udc *udc = ep->udc;
++ struct lpc32xx_udc *udc;
+ u16 maxpacket;
+ u32 tmp;
+ unsigned long flags;
+
+ /* Verify EP data */
+ if ((!_ep) || (!ep) || (!desc) ||
+- (desc->bDescriptorType != USB_DT_ENDPOINT)) {
+- dev_dbg(udc->dev, "bad ep or descriptor\n");
++ (desc->bDescriptorType != USB_DT_ENDPOINT))
+ return -EINVAL;
+- }
++
++ udc = ep->udc;
+ maxpacket = usb_endpoint_maxp(desc);
+ if ((maxpacket == 0) || (maxpacket > ep->maxpacket)) {
+ dev_dbg(udc->dev, "bad ep descriptor's packet size\n");
+@@ -1920,7 +1920,7 @@ static int lpc32xx_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+ static int lpc32xx_ep_set_halt(struct usb_ep *_ep, int value)
+ {
+ struct lpc32xx_ep *ep = container_of(_ep, struct lpc32xx_ep, ep);
+- struct lpc32xx_udc *udc = ep->udc;
++ struct lpc32xx_udc *udc;
+ unsigned long flags;
+
+ if ((!ep) || (ep->hwep_num <= 1))
+@@ -1930,6 +1930,7 @@ static int lpc32xx_ep_set_halt(struct usb_ep *_ep, int value)
+ if (ep->is_in)
+ return -EAGAIN;
+
++ udc = ep->udc;
+ spin_lock_irqsave(&udc->lock, flags);
+
+ if (value == 1) {
+--
+2.25.1
+
--- /dev/null
+From 9995aac34f863464b0333b3ad76e1e3d2ac2d800 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 09:29:24 -0700
+Subject: USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in
+ s3c2410_udc_nuke
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 7a0fbcf7c308920bc6116b3a5fb21c8cc5fec128 ]
+
+Clang warns:
+
+drivers/usb/gadget/udc/s3c2410_udc.c:255:11: warning: comparison of
+address of 'ep->queue' equal to a null pointer is always false
+[-Wtautological-pointer-compare]
+ if (&ep->queue == NULL)
+ ~~~~^~~~~ ~~~~
+1 warning generated.
+
+It is not wrong, queue is not a pointer so if ep is not NULL, the
+address of queue cannot be NULL. No other driver does a check like this
+and this check has been around since the driver was first introduced,
+presumably with no issues so it does not seem like this check should be
+something else. Just remove it.
+
+Commit afe956c577b2d ("kbuild: Enable -Wtautological-compare") exposed
+this but it is not the root cause of the warning.
+
+Fixes: 3fc154b6b8134 ("USB Gadget driver for Samsung s3c2410 ARM SoC")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1004
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/s3c2410_udc.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/s3c2410_udc.c b/drivers/usb/gadget/udc/s3c2410_udc.c
+index eb3571ee59e3c..08153a48704bb 100644
+--- a/drivers/usb/gadget/udc/s3c2410_udc.c
++++ b/drivers/usb/gadget/udc/s3c2410_udc.c
+@@ -269,10 +269,6 @@ static void s3c2410_udc_done(struct s3c2410_ep *ep,
+ static void s3c2410_udc_nuke(struct s3c2410_udc *udc,
+ struct s3c2410_ep *ep, int status)
+ {
+- /* Sanity check */
+- if (&ep->queue == NULL)
+- return;
+-
+ while (!list_empty(&ep->queue)) {
+ struct s3c2410_request *req;
+ req = list_entry(ep->queue.next, struct s3c2410_request,
+--
+2.25.1
+
--- /dev/null
+From 9c222c412ee85eb7a3d1c04194939ef39466c81b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 May 2020 21:26:47 +0800
+Subject: USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe()
+
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+
+[ Upstream commit d49292025f79693d3348f8e2029a8b4703be0f0a ]
+
+The function ehci_mxc_drv_probe() does not perform sufficient error
+checking after executing platform_get_irq(), thus fix it.
+
+Fixes: 7e8d5cd93fac ("USB: Add EHCI support for MX27 and MX31 based boards")
+Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
+Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Link: https://lore.kernel.org/r/20200513132647.5456-1-tangbin@cmss.chinamobile.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ehci-mxc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/host/ehci-mxc.c b/drivers/usb/host/ehci-mxc.c
+index c7a9b31eeaeff..637079a350032 100644
+--- a/drivers/usb/host/ehci-mxc.c
++++ b/drivers/usb/host/ehci-mxc.c
+@@ -63,6 +63,8 @@ static int ehci_mxc_drv_probe(struct platform_device *pdev)
+ }
+
+ irq = platform_get_irq(pdev, 0);
++ if (irq < 0)
++ return irq;
+
+ hcd = usb_create_hcd(&ehci_mxc_hc_driver, dev, dev_name(dev));
+ if (!hcd)
+--
+2.25.1
+
--- /dev/null
+From b8ab68e119b4c4086e5a229bdb2eb9082fa7eca8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 16:49:29 +0100
+Subject: usb/ohci-platform: Fix a warning when hibernating
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit 1cb3b0095c3d0bb96912bfbbce4fc006d41f367c ]
+
+The following warning was observed when attempting to suspend to disk
+using a USB flash as a swap device.
+
+[ 111.779649] ------------[ cut here ]------------
+[ 111.788382] URB (____ptrval____) submitted while active
+[ 111.796646] WARNING: CPU: 3 PID: 365 at drivers/usb/core/urb.c:363 usb_submit_urb+0x3d8/0x590
+[ 111.805417] Modules linked in:
+[ 111.808584] CPU: 3 PID: 365 Comm: kworker/3:2 Not tainted 5.6.0-rc6-00002-gdfd1731f9a3e-dirty #545
+[ 111.817796] Hardware name: ARM Juno development board (r2) (DT)
+[ 111.823896] Workqueue: usb_hub_wq hub_event
+[ 111.828217] pstate: 60000005 (nZCv daif -PAN -UAO)
+[ 111.833156] pc : usb_submit_urb+0x3d8/0x590
+[ 111.837471] lr : usb_submit_urb+0x3d8/0x590
+[ 111.841783] sp : ffff800018de38b0
+[ 111.845205] x29: ffff800018de38b0 x28: 0000000000000003
+[ 111.850682] x27: ffff000970530b20 x26: ffff8000133fd000
+[ 111.856159] x25: ffff8000133fd000 x24: ffff800018de3b38
+[ 111.861635] x23: 0000000000000004 x22: 0000000000000c00
+[ 111.867112] x21: 0000000000000000 x20: 00000000fffffff0
+[ 111.872589] x19: ffff0009704e7a00 x18: ffffffffffffffff
+[ 111.878065] x17: 00000000a7c8f4bc x16: 000000002af33de8
+[ 111.883542] x15: ffff8000133fda88 x14: 0720072007200720
+[ 111.889019] x13: 0720072007200720 x12: 0720072007200720
+[ 111.894496] x11: 0000000000000000 x10: 00000000a5286134
+[ 111.899973] x9 : 0000000000000002 x8 : ffff000970c837a0
+[ 111.905449] x7 : 0000000000000000 x6 : ffff800018de3570
+[ 111.910926] x5 : 0000000000000001 x4 : 0000000000000003
+[ 111.916401] x3 : 0000000000000000 x2 : ffff800013427118
+[ 111.921879] x1 : 9d4e965b4b7d7c00 x0 : 0000000000000000
+[ 111.927356] Call trace:
+[ 111.929892] usb_submit_urb+0x3d8/0x590
+[ 111.933852] hub_activate+0x108/0x7f0
+[ 111.937633] hub_resume+0xac/0x148
+[ 111.941149] usb_resume_interface.isra.10+0x60/0x138
+[ 111.946265] usb_resume_both+0xe4/0x140
+[ 111.950225] usb_runtime_resume+0x24/0x30
+[ 111.954365] __rpm_callback+0xdc/0x138
+[ 111.958236] rpm_callback+0x34/0x98
+[ 111.961841] rpm_resume+0x4a8/0x720
+[ 111.965445] rpm_resume+0x50c/0x720
+[ 111.969049] __pm_runtime_resume+0x4c/0xb8
+[ 111.973276] usb_autopm_get_interface+0x28/0x60
+[ 111.977948] hub_event+0x80/0x16d8
+[ 111.981466] process_one_work+0x2a4/0x748
+[ 111.985604] worker_thread+0x48/0x498
+[ 111.989387] kthread+0x13c/0x140
+[ 111.992725] ret_from_fork+0x10/0x18
+[ 111.996415] irq event stamp: 354
+[ 111.999756] hardirqs last enabled at (353): [<ffff80001019ea1c>] console_unlock+0x504/0x5b8
+[ 112.008441] hardirqs last disabled at (354): [<ffff8000100a95d0>] do_debug_exception+0x1a8/0x258
+[ 112.017479] softirqs last enabled at (350): [<ffff8000100818a4>] __do_softirq+0x4bc/0x568
+[ 112.025984] softirqs last disabled at (343): [<ffff8000101145a4>] irq_exit+0x144/0x150
+[ 112.034129] ---[ end trace dc96030b9cf6c8a3 ]---
+
+The problem was tracked down to a missing call to
+pm_runtime_set_active() on resume in ohci-platform.
+
+Link: https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+CC: Tony Prisk <linux@prisktech.co.nz>
+CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+CC: Mathias Nyman <mathias.nyman@intel.com>
+CC: Oliver Neukum <oneukum@suse.de>
+CC: linux-arm-kernel@lists.infradead.org
+CC: linux-usb@vger.kernel.org
+CC: linux-kernel@vger.kernel.org
+Link: https://lore.kernel.org/r/20200518154931.6144-1-qais.yousef@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ohci-platform.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/host/ohci-platform.c b/drivers/usb/host/ohci-platform.c
+index c2669f185f658..0e5580e6f35cb 100644
+--- a/drivers/usb/host/ohci-platform.c
++++ b/drivers/usb/host/ohci-platform.c
+@@ -339,6 +339,11 @@ static int ohci_platform_resume(struct device *dev)
+ }
+
+ ohci_resume(hcd, false);
++
++ pm_runtime_disable(dev);
++ pm_runtime_set_active(dev);
++ pm_runtime_enable(dev);
++
+ return 0;
+ }
+ #endif /* CONFIG_PM_SLEEP */
+--
+2.25.1
+
--- /dev/null
+From 7ac70ece8a945f0c3acecf9c76f6cb9aff561e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 16:49:30 +0100
+Subject: usb/xhci-plat: Set PM runtime as active on resume
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit 79112cc3c29f4a8c73a21428fbcbcb0afb005e3e ]
+
+Follow suit of ohci-platform.c and perform pm_runtime_set_active() on
+resume.
+
+ohci-platform.c had a warning reported due to the missing
+pm_runtime_set_active() [1].
+
+[1] https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/
+
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+CC: Tony Prisk <linux@prisktech.co.nz>
+CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+CC: Mathias Nyman <mathias.nyman@intel.com>
+CC: Oliver Neukum <oneukum@suse.de>
+CC: linux-arm-kernel@lists.infradead.org
+CC: linux-usb@vger.kernel.org
+CC: linux-kernel@vger.kernel.org
+Link: https://lore.kernel.org/r/20200518154931.6144-2-qais.yousef@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-plat.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index c4c40e9d42471..510fb7853f92a 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -249,8 +249,17 @@ static int xhci_plat_resume(struct device *dev)
+ {
+ struct usb_hcd *hcd = dev_get_drvdata(dev);
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
++ int ret;
++
++ ret = xhci_resume(xhci, 0);
++ if (ret)
++ return ret;
+
+- return xhci_resume(xhci, 0);
++ pm_runtime_disable(dev);
++ pm_runtime_set_active(dev);
++ pm_runtime_enable(dev);
++
++ return 0;
+ }
+
+ static const struct dev_pm_ops xhci_plat_pm_ops = {
+--
+2.25.1
+
--- /dev/null
+From 71a14de65d2046b0e165060f5e9a0ae16120685c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 10:58:06 +0200
+Subject: usblp: poison URBs upon disconnect
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 296a193b06120aa6ae7cf5c0d7b5e5b55968026e ]
+
+syzkaller reported an URB that should have been killed to be active.
+We do not understand it, but this should fix the issue if it is real.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20200507085806.5793-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/class/usblp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
+index 07c3c3449147f..c578d64edc153 100644
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -481,7 +481,8 @@ static int usblp_release(struct inode *inode, struct file *file)
+ usb_autopm_put_interface(usblp->intf);
+
+ if (!usblp->present) /* finish cleanup from disconnect */
+- usblp_cleanup(usblp);
++ usblp_cleanup(usblp); /* any URBs must be dead */
++
+ mutex_unlock(&usblp_mutex);
+ return 0;
+ }
+@@ -1397,9 +1398,11 @@ static void usblp_disconnect(struct usb_interface *intf)
+
+ usblp_unlink_urbs(usblp);
+ mutex_unlock(&usblp->mut);
++ usb_poison_anchored_urbs(&usblp->urbs);
+
+ if (!usblp->used)
+ usblp_cleanup(usblp);
++
+ mutex_unlock(&usblp_mutex);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 6a9dbf4f18852fe6fdbfe9af583f49df3e472155 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 May 2020 12:16:56 -0400
+Subject: vfio/pci: fix memory leaks in alloc_perm_bits()
+
+From: Qian Cai <cai@lca.pw>
+
+[ Upstream commit 3e63b94b6274324ff2e7d8615df31586de827c4e ]
+
+vfio_pci_disable() calls vfio_config_free() but forgets to call
+free_perm_bits() resulting in memory leaks,
+
+unreferenced object 0xc000000c4db2dee0 (size 16):
+ comm "qemu-kvm", pid 4305, jiffies 4295020272 (age 3463.780s)
+ hex dump (first 16 bytes):
+ 00 00 ff 00 ff ff ff ff ff ff ff ff ff ff 00 00 ................
+ backtrace:
+ [<00000000a6a4552d>] alloc_perm_bits+0x58/0xe0 [vfio_pci]
+ [<00000000ac990549>] vfio_config_init+0xdf0/0x11b0 [vfio_pci]
+ init_pci_cap_msi_perm at drivers/vfio/pci/vfio_pci_config.c:1125
+ (inlined by) vfio_msi_cap_len at drivers/vfio/pci/vfio_pci_config.c:1180
+ (inlined by) vfio_cap_len at drivers/vfio/pci/vfio_pci_config.c:1241
+ (inlined by) vfio_cap_init at drivers/vfio/pci/vfio_pci_config.c:1468
+ (inlined by) vfio_config_init at drivers/vfio/pci/vfio_pci_config.c:1707
+ [<000000006db873a1>] vfio_pci_open+0x234/0x700 [vfio_pci]
+ [<00000000630e1906>] vfio_group_fops_unl_ioctl+0x8e0/0xb84 [vfio]
+ [<000000009e34c54f>] ksys_ioctl+0xd8/0x130
+ [<000000006577923d>] sys_ioctl+0x28/0x40
+ [<000000006d7b1cf2>] system_call_exception+0x114/0x1e0
+ [<0000000008ea7dd5>] system_call_common+0xf0/0x278
+unreferenced object 0xc000000c4db2e330 (size 16):
+ comm "qemu-kvm", pid 4305, jiffies 4295020272 (age 3463.780s)
+ hex dump (first 16 bytes):
+ 00 ff ff 00 ff ff ff ff ff ff ff ff ff ff 00 00 ................
+ backtrace:
+ [<000000004c71914f>] alloc_perm_bits+0x44/0xe0 [vfio_pci]
+ [<00000000ac990549>] vfio_config_init+0xdf0/0x11b0 [vfio_pci]
+ [<000000006db873a1>] vfio_pci_open+0x234/0x700 [vfio_pci]
+ [<00000000630e1906>] vfio_group_fops_unl_ioctl+0x8e0/0xb84 [vfio]
+ [<000000009e34c54f>] ksys_ioctl+0xd8/0x130
+ [<000000006577923d>] sys_ioctl+0x28/0x40
+ [<000000006d7b1cf2>] system_call_exception+0x114/0x1e0
+ [<0000000008ea7dd5>] system_call_common+0xf0/0x278
+
+Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver")
+Signed-off-by: Qian Cai <cai@lca.pw>
+[aw: rolled in follow-up patch]
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_config.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index 98a12be76c9cf..bf65572f47a8f 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -1644,8 +1644,11 @@ void vfio_config_free(struct vfio_pci_device *vdev)
+ vdev->vconfig = NULL;
+ kfree(vdev->pci_config_map);
+ vdev->pci_config_map = NULL;
+- kfree(vdev->msi_perm);
+- vdev->msi_perm = NULL;
++ if (vdev->msi_perm) {
++ free_perm_bits(vdev->msi_perm);
++ kfree(vdev->msi_perm);
++ vdev->msi_perm = NULL;
++ }
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From daab111f93f7520d86abeb65a4666f25b93f4c14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2020 11:45:28 -0600
+Subject: vfio-pci: Mask cap zero
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit bc138db1b96264b9c1779cf18d5a3b186aa90066 ]
+
+The PCI Code and ID Assignment Specification changed capability ID 0
+from reserved to a NULL capability in the v1.1 revision. The NULL
+capability is defined to include only the 16-bit capability header,
+ie. only the ID and next pointer. Unfortunately vfio-pci creates a
+map of config space, where ID 0 is used to reserve the standard type
+0 header. Finding an actual capability with this ID therefore results
+in a bogus range marked in that map and conflicts with subsequent
+capabilities. As this seems to be a dummy capability anyway and we
+already support dropping capabilities, let's hide this one rather than
+delving into the potentially subtle dependencies within our map.
+
+Seen on an NVIDIA Tesla T4.
+
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_config.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index bf65572f47a8f..666b234acca0a 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -1405,7 +1405,12 @@ static int vfio_cap_init(struct vfio_pci_device *vdev)
+ if (ret)
+ return ret;
+
+- if (cap <= PCI_CAP_ID_MAX) {
++ /*
++ * ID 0 is a NULL capability, conflicting with our fake
++ * PCI_CAP_ID_BASIC. As it has no content, consider it
++ * hidden for now.
++ */
++ if (cap && cap <= PCI_CAP_ID_MAX) {
+ len = pci_cap_length[cap];
+ if (len == 0xFF) { /* Variable length */
+ len = vfio_cap_len(vdev, cap, pos);
+--
+2.25.1
+
--- /dev/null
+From 5dece24da314e5da86526fd709912e21d74424a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2020 15:07:28 +0200
+Subject: watchdog: da9062: No need to ping manually before setting timeout
+
+From: Stefan Riedmueller <s.riedmueller@phytec.de>
+
+[ Upstream commit a0948ddba65f4f6d3cfb5e2b84685485d0452966 ]
+
+There is actually no need to ping the watchdog before disabling it
+during timeout change. Disabling the watchdog already takes care of
+resetting the counter.
+
+This fixes an issue during boot when the userspace watchdog handler takes
+over and the watchdog is already running. Opening the watchdog in this case
+leads to the first ping and directly after that without the required
+heartbeat delay a second ping issued by the set_timeout call. Due to the
+missing delay this resulted in a reset.
+
+Signed-off-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Link: https://lore.kernel.org/r/20200403130728.39260-3-s.riedmueller@phytec.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/da9062_wdt.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/watchdog/da9062_wdt.c b/drivers/watchdog/da9062_wdt.c
+index daeb645fcea8a..519419136ce8f 100644
+--- a/drivers/watchdog/da9062_wdt.c
++++ b/drivers/watchdog/da9062_wdt.c
+@@ -94,11 +94,6 @@ static int da9062_wdt_update_timeout_register(struct da9062_watchdog *wdt,
+ unsigned int regval)
+ {
+ struct da9062 *chip = wdt->hw;
+- int ret;
+-
+- ret = da9062_reset_watchdog_timer(wdt);
+- if (ret)
+- return ret;
+
+ return regmap_update_bits(chip->regmap,
+ DA9062AA_CONTROL_D,
+--
+2.25.1
+
--- /dev/null
+From 01cad0f096479cf3c054a33bca297a969c87ffab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 20:18:51 +0800
+Subject: yam: fix possible memory leak in yam_init_driver
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 98749b7188affbf2900c2aab704a8853901d1139 ]
+
+If register_netdev(dev) fails, free_netdev(dev) needs
+to be called, otherwise a memory leak will occur.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/yam.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c
+index 1a4729c36aa49..623e4225e7c84 100644
+--- a/drivers/net/hamradio/yam.c
++++ b/drivers/net/hamradio/yam.c
+@@ -1160,6 +1160,7 @@ static int __init yam_init_driver(void)
+ err = register_netdev(dev);
+ if (err) {
+ printk(KERN_WARNING "yam: cannot register net device %s\n", dev->name);
++ free_netdev(dev);
+ goto error;
+ }
+ yam_devs[i] = dev;
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
