--- /dev/null
+From 29cbcc1e9d856994c73f89407eefcae187f42be9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2020 12:59:12 +0100
+Subject: ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit e1de94380af588bdf6ad6f0cc1f75004c35bc096 ]
+
+Recent work with KASan exposed the folling hard-coded bitmask
+in arch/arm/mm/proc-macros.S:
+
+ bic rd, sp, #8128
+ bic rd, rd, #63
+
+This forms the bitmask 0x1FFF that is coinciding with
+(PAGE_SIZE << THREAD_SIZE_ORDER) - 1, this code was assuming
+that THREAD_SIZE is always 8K (8192).
+
+As KASan was increasing THREAD_SIZE_ORDER to 2, I ran into
+this bug.
+
+Fix it by this little oneline suggested by Ard:
+
+ bic rd, sp, #(THREAD_SIZE - 1) & ~63
+
+Where THREAD_SIZE is defined using THREAD_SIZE_ORDER.
+
+We have to also include <linux/const.h> since the THREAD_SIZE
+expands to use the _AC() macro.
+
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Suggested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/proc-macros.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/proc-macros.S b/arch/arm/mm/proc-macros.S
+index 5461d589a1e2..60ac7c5999a9 100644
+--- a/arch/arm/mm/proc-macros.S
++++ b/arch/arm/mm/proc-macros.S
+@@ -5,6 +5,7 @@
+ * VMA_VM_FLAGS
+ * VM_EXEC
+ */
++#include <linux/const.h>
+ #include <asm/asm-offsets.h>
+ #include <asm/thread_info.h>
+
+@@ -30,7 +31,7 @@
+ * act_mm - get current->active_mm
+ */
+ .macro act_mm, rd
+- bic \rd, sp, #8128
++ bic \rd, sp, #(THREAD_SIZE - 1) & ~63
+ bic \rd, \rd, #63
+ ldr \rd, [\rd, #TI_TASK]
+ .if (TSK_ACTIVE_MM > IMM12_MASK)
+--
+2.25.1
+
--- /dev/null
+From 914d84eda73466823b012ca9a24c18b5ffb2b8d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 18:05:18 +0100
+Subject: arm64: cacheflush: Fix KGDB trap detection
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit ab8ad279ceac4fc78ae4dcf1a26326e05695e537 ]
+
+flush_icache_range() contains a bodge to avoid issuing IPIs when the kgdb
+trap handler is running because issuing IPIs is unsafe (and not needed)
+in this execution context. However the current test, based on
+kgdb_connected is flawed: it both over-matches and under-matches.
+
+The over match occurs because kgdb_connected is set when gdb attaches
+to the stub and remains set during normal running. This is relatively
+harmelss because in almost all cases irq_disabled() will be false.
+
+The under match is more serious. When kdb is used instead of kgdb to access
+the debugger then kgdb_connected is not set in all the places that the
+debug core updates sw breakpoints (and hence flushes the icache). This
+can lead to deadlock.
+
+Fix by replacing the ad-hoc check with the proper kgdb macro. This also
+allows us to drop the #ifdef wrapper.
+
+Fixes: 3b8c9f1cdfc5 ("arm64: IPI each CPU after invalidating the I-cache for kernel mappings")
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20200504170518.2959478-1-daniel.thompson@linaro.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/cacheflush.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/cacheflush.h b/arch/arm64/include/asm/cacheflush.h
+index 19844211a4e6..a449a1c602d3 100644
+--- a/arch/arm64/include/asm/cacheflush.h
++++ b/arch/arm64/include/asm/cacheflush.h
+@@ -90,7 +90,7 @@ static inline void flush_icache_range(unsigned long start, unsigned long end)
+ * IPI all online CPUs so that they undergo a context synchronization
+ * event and are forced to refetch the new instructions.
+ */
+-#ifdef CONFIG_KGDB
++
+ /*
+ * KGDB performs cache maintenance with interrupts disabled, so we
+ * will deadlock trying to IPI the secondary CPUs. In theory, we can
+@@ -100,9 +100,9 @@ static inline void flush_icache_range(unsigned long start, unsigned long end)
+ * the patching operation, so we don't need extra IPIs here anyway.
+ * In which case, add a KGDB-specific bodge and return early.
+ */
+- if (kgdb_connected && irqs_disabled())
++ if (in_dbg_master())
+ return;
+-#endif
++
+ kick_all_cpus_sync();
+ }
+
+--
+2.25.1
+
--- /dev/null
+From fbe14b2a520aaa916ea2e4177f606264cbdabb57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 11:15:44 -0700
+Subject: arm64: insn: Fix two bugs in encoding 32-bit logical immediates
+
+From: Luke Nelson <lukenels@cs.washington.edu>
+
+[ Upstream commit 579d1b3faa3735e781ff74aac0afd598515dbc63 ]
+
+This patch fixes two issues present in the current function for encoding
+arm64 logical immediates when using the 32-bit variants of instructions.
+
+First, the code does not correctly reject an all-ones 32-bit immediate,
+and returns an undefined instruction encoding.
+
+Second, the code incorrectly rejects some 32-bit immediates that are
+actually encodable as logical immediates. The root cause is that the code
+uses a default mask of 64-bit all-ones, even for 32-bit immediates.
+This causes an issue later on when the default mask is used to fill the
+top bits of the immediate with ones, shown here:
+
+ /*
+ * Pattern: 0..01..10..01..1
+ *
+ * Fill the unused top bits with ones, and check if
+ * the result is a valid immediate (all ones with a
+ * contiguous ranges of zeroes).
+ */
+ imm |= ~mask;
+ if (!range_of_ones(~imm))
+ return AARCH64_BREAK_FAULT;
+
+To see the problem, consider an immediate of the form 0..01..10..01..1,
+where the upper 32 bits are zero, such as 0x80000001. The code checks
+if ~(imm | ~mask) contains a range of ones: the incorrect mask yields
+1..10..01..10..0, which fails the check; the correct mask yields
+0..01..10..0, which succeeds.
+
+The fix for both issues is to generate a correct mask based on the
+instruction immediate size, and use the mask to check for all-ones,
+all-zeroes, and values wider than the mask.
+
+Currently, arch/arm64/kvm/va_layout.c is the only user of this function,
+which uses 64-bit immediates and therefore won't trigger these bugs.
+
+We tested the new code against llvm-mc with all 1,302 encodable 32-bit
+logical immediates and all 5,334 encodable 64-bit logical immediates.
+
+Fixes: ef3935eeebff ("arm64: insn: Add encoder for bitwise operations using literals")
+Suggested-by: Will Deacon <will@kernel.org>
+Co-developed-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20200508181547.24783-2-luke.r.nels@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/insn.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c
+index 3e6229e30109..cd37edbdedcb 100644
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -1490,16 +1490,10 @@ static u32 aarch64_encode_immediate(u64 imm,
+ u32 insn)
+ {
+ unsigned int immr, imms, n, ones, ror, esz, tmp;
+- u64 mask = ~0UL;
+-
+- /* Can't encode full zeroes or full ones */
+- if (!imm || !~imm)
+- return AARCH64_BREAK_FAULT;
++ u64 mask;
+
+ switch (variant) {
+ case AARCH64_INSN_VARIANT_32BIT:
+- if (upper_32_bits(imm))
+- return AARCH64_BREAK_FAULT;
+ esz = 32;
+ break;
+ case AARCH64_INSN_VARIANT_64BIT:
+@@ -1511,6 +1505,12 @@ static u32 aarch64_encode_immediate(u64 imm,
+ return AARCH64_BREAK_FAULT;
+ }
+
++ mask = GENMASK(esz - 1, 0);
++
++ /* Can't encode full zeroes, full ones, or value wider than the mask */
++ if (!imm || imm == mask || imm & ~mask)
++ return AARCH64_BREAK_FAULT;
++
+ /*
+ * Inverse of Replicate(). Try to spot a repeating pattern
+ * with a pow2 stride.
+--
+2.25.1
+
--- /dev/null
+From 53defb7534215b7bc02a7571a4c7d49b0521de22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 05:55:18 +0300
+Subject: ath10k: Remove msdu from idr when management pkt send fails
+
+From: Rakesh Pillai <pillair@codeaurora.org>
+
+[ Upstream commit c730c477176ad4af86d9aae4d360a7ad840b073a ]
+
+Currently when the sending of any management pkt
+via wmi command fails, the packet is being unmapped
+freed in the error handling. But the idr entry added,
+which is used to track these packet is not getting removed.
+
+Hence, during unload, in wmi cleanup, all the entries
+in IDR are removed and the corresponding buffer is
+attempted to be freed. This can cause a situation where
+one packet is attempted to be freed twice.
+
+Fix this error by rmeoving the msdu from the idr
+list when the sending of a management packet over
+wmi fails.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
+
+Fixes: 1807da49733e ("ath10k: wmi: add management tx by reference support over wmi")
+Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1588667015-25490-1-git-send-email-pillair@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 3 +++
+ drivers/net/wireless/ath/ath10k/wmi-ops.h | 10 ++++++++++
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 15 +++++++++++++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index a09d7a07e90a..81af403c19c2 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -3852,6 +3852,9 @@ void ath10k_mgmt_over_wmi_tx_work(struct work_struct *work)
+ if (ret) {
+ ath10k_warn(ar, "failed to transmit management frame by ref via WMI: %d\n",
+ ret);
++ /* remove this msdu from idr tracking */
++ ath10k_wmi_cleanup_mgmt_tx_send(ar, skb);
++
+ dma_unmap_single(ar->dev, paddr, skb->len,
+ DMA_TO_DEVICE);
+ ieee80211_free_txskb(ar->hw, skb);
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-ops.h b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+index 7fd63bbf8e24..b6cd33fa79f8 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
++++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+@@ -139,6 +139,7 @@ struct wmi_ops {
+ struct sk_buff *(*gen_mgmt_tx_send)(struct ath10k *ar,
+ struct sk_buff *skb,
+ dma_addr_t paddr);
++ int (*cleanup_mgmt_tx_send)(struct ath10k *ar, struct sk_buff *msdu);
+ struct sk_buff *(*gen_dbglog_cfg)(struct ath10k *ar, u64 module_enable,
+ u32 log_level);
+ struct sk_buff *(*gen_pktlog_enable)(struct ath10k *ar, u32 filter);
+@@ -431,6 +432,15 @@ ath10k_wmi_get_txbf_conf_scheme(struct ath10k *ar)
+ return ar->wmi.ops->get_txbf_conf_scheme(ar);
+ }
+
++static inline int
++ath10k_wmi_cleanup_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu)
++{
++ if (!ar->wmi.ops->cleanup_mgmt_tx_send)
++ return -EOPNOTSUPP;
++
++ return ar->wmi.ops->cleanup_mgmt_tx_send(ar, msdu);
++}
++
+ static inline int
+ ath10k_wmi_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
+ dma_addr_t paddr)
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index 248decb494c2..7f435fa29f75 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -2638,6 +2638,18 @@ ath10k_wmi_tlv_op_gen_request_stats(struct ath10k *ar, u32 stats_mask)
+ return skb;
+ }
+
++static int
++ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(struct ath10k *ar,
++ struct sk_buff *msdu)
++{
++ struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu);
++ struct ath10k_wmi *wmi = &ar->wmi;
++
++ idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
++
++ return 0;
++}
++
+ static int
+ ath10k_wmi_mgmt_tx_alloc_msdu_id(struct ath10k *ar, struct sk_buff *skb,
+ dma_addr_t paddr)
+@@ -2710,6 +2722,8 @@ ath10k_wmi_tlv_op_gen_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
+ if (desc_id < 0)
+ goto err_free_skb;
+
++ cb->msdu_id = desc_id;
++
+ ptr = (void *)skb->data;
+ tlv = ptr;
+ tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_MGMT_TX_CMD);
+@@ -3949,6 +3963,7 @@ static const struct wmi_ops wmi_tlv_ops = {
+ .gen_force_fw_hang = ath10k_wmi_tlv_op_gen_force_fw_hang,
+ /* .gen_mgmt_tx = not implemented; HTT is used */
+ .gen_mgmt_tx_send = ath10k_wmi_tlv_op_gen_mgmt_tx_send,
++ .cleanup_mgmt_tx_send = ath10k_wmi_tlv_op_cleanup_mgmt_tx_send,
+ .gen_dbglog_cfg = ath10k_wmi_tlv_op_gen_dbglog_cfg,
+ .gen_pktlog_enable = ath10k_wmi_tlv_op_gen_pktlog_enable,
+ .gen_pktlog_disable = ath10k_wmi_tlv_op_gen_pktlog_disable,
+--
+2.25.1
+
--- /dev/null
+From cb64a003ee5410860fb1810bdac492097ea50fcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 09:10:56 -0400
+Subject: audit: fix a net reference leak in audit_list_rules_send()
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit 3054d06719079388a543de6adb812638675ad8f5 ]
+
+If audit_list_rules_send() fails when trying to create a new thread
+to send the rules it also fails to cleanup properly, leaking a
+reference to a net structure. This patch fixes the error patch and
+renames audit_send_list() to audit_send_list_thread() to better
+match its cousin, audit_send_reply_thread().
+
+Reported-by: teroincn@gmail.com
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/audit.c | 2 +-
+ kernel/audit.h | 2 +-
+ kernel/auditfilter.c | 16 +++++++---------
+ 3 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 20c78480d632..45741c3c48a4 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -893,7 +893,7 @@ main_queue:
+ return 0;
+ }
+
+-int audit_send_list(void *_dest)
++int audit_send_list_thread(void *_dest)
+ {
+ struct audit_netlink_list *dest = _dest;
+ struct sk_buff *skb;
+diff --git a/kernel/audit.h b/kernel/audit.h
+index 214e14948370..99badd7ba56f 100644
+--- a/kernel/audit.h
++++ b/kernel/audit.h
+@@ -248,7 +248,7 @@ struct audit_netlink_list {
+ struct sk_buff_head q;
+ };
+
+-int audit_send_list(void *_dest);
++int audit_send_list_thread(void *_dest);
+
+ extern int selinux_audit_rule_update(void);
+
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index 1c8a48abda80..b2cc63ca0068 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1157,11 +1157,8 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
+ */
+ int audit_list_rules_send(struct sk_buff *request_skb, int seq)
+ {
+- u32 portid = NETLINK_CB(request_skb).portid;
+- struct net *net = sock_net(NETLINK_CB(request_skb).sk);
+ struct task_struct *tsk;
+ struct audit_netlink_list *dest;
+- int err = 0;
+
+ /* We can't just spew out the rules here because we might fill
+ * the available socket buffer space and deadlock waiting for
+@@ -1169,25 +1166,26 @@ int audit_list_rules_send(struct sk_buff *request_skb, int seq)
+ * happen if we're actually running in the context of auditctl
+ * trying to _send_ the stuff */
+
+- dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
++ dest = kmalloc(sizeof(*dest), GFP_KERNEL);
+ if (!dest)
+ return -ENOMEM;
+- dest->net = get_net(net);
+- dest->portid = portid;
++ dest->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
++ dest->portid = NETLINK_CB(request_skb).portid;
+ skb_queue_head_init(&dest->q);
+
+ mutex_lock(&audit_filter_mutex);
+ audit_list_rules(seq, &dest->q);
+ mutex_unlock(&audit_filter_mutex);
+
+- tsk = kthread_run(audit_send_list, dest, "audit_send_list");
++ tsk = kthread_run(audit_send_list_thread, dest, "audit_send_list");
+ if (IS_ERR(tsk)) {
+ skb_queue_purge(&dest->q);
++ put_net(dest->net);
+ kfree(dest);
+- err = PTR_ERR(tsk);
++ return PTR_ERR(tsk);
+ }
+
+- return err;
++ return 0;
+ }
+
+ int audit_comparator(u32 left, u32 op, u32 right)
+--
+2.25.1
+
--- /dev/null
+From 2d4f5e7f9e51e2bd597dcac9e29dfe27dbd618ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 10:09:29 -0400
+Subject: audit: fix a net reference leak in audit_send_reply()
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit a48b284b403a4a073d8beb72d2bb33e54df67fb6 ]
+
+If audit_send_reply() fails when trying to create a new thread to
+send the reply it also fails to cleanup properly, leaking a reference
+to a net structure. This patch fixes the error path and makes a
+handful of other cleanups that came up while fixing the code.
+
+Reported-by: teroincn@gmail.com
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/audit.c | 50 +++++++++++++++++++++++++++++---------------------
+ 1 file changed, 29 insertions(+), 21 deletions(-)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 7afec5f43c63..20c78480d632 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -937,19 +937,30 @@ out_kfree_skb:
+ return NULL;
+ }
+
++static void audit_free_reply(struct audit_reply *reply)
++{
++ if (!reply)
++ return;
++
++ if (reply->skb)
++ kfree_skb(reply->skb);
++ if (reply->net)
++ put_net(reply->net);
++ kfree(reply);
++}
++
+ static int audit_send_reply_thread(void *arg)
+ {
+ struct audit_reply *reply = (struct audit_reply *)arg;
+- struct sock *sk = audit_get_sk(reply->net);
+
+ audit_ctl_lock();
+ audit_ctl_unlock();
+
+ /* Ignore failure. It'll only happen if the sender goes away,
+ because our timeout is set to infinite. */
+- netlink_unicast(sk, reply->skb, reply->portid, 0);
+- put_net(reply->net);
+- kfree(reply);
++ netlink_unicast(audit_get_sk(reply->net), reply->skb, reply->portid, 0);
++ reply->skb = NULL;
++ audit_free_reply(reply);
+ return 0;
+ }
+
+@@ -963,35 +974,32 @@ static int audit_send_reply_thread(void *arg)
+ * @payload: payload data
+ * @size: payload size
+ *
+- * Allocates an skb, builds the netlink message, and sends it to the port id.
+- * No failure notifications.
++ * Allocates a skb, builds the netlink message, and sends it to the port id.
+ */
+ static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done,
+ int multi, const void *payload, int size)
+ {
+- struct net *net = sock_net(NETLINK_CB(request_skb).sk);
+- struct sk_buff *skb;
+ struct task_struct *tsk;
+- struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
+- GFP_KERNEL);
++ struct audit_reply *reply;
+
++ reply = kzalloc(sizeof(*reply), GFP_KERNEL);
+ if (!reply)
+ return;
+
+- skb = audit_make_reply(seq, type, done, multi, payload, size);
+- if (!skb)
+- goto out;
+-
+- reply->net = get_net(net);
++ reply->skb = audit_make_reply(seq, type, done, multi, payload, size);
++ if (!reply->skb)
++ goto err;
++ reply->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
+ reply->portid = NETLINK_CB(request_skb).portid;
+- reply->skb = skb;
+
+ tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
+- if (!IS_ERR(tsk))
+- return;
+- kfree_skb(skb);
+-out:
+- kfree(reply);
++ if (IS_ERR(tsk))
++ goto err;
++
++ return;
++
++err:
++ audit_free_reply(reply);
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 30563b24214ee13950f5afd11b5ce5a81ac9af10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 10:46:50 +0100
+Subject: batman-adv: Revert "disable ethtool link speed detection when auto
+ negotiation off"
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 9ad346c90509ebd983f60da7d082f261ad329507 ]
+
+The commit 8c46fcd78308 ("batman-adv: disable ethtool link speed detection
+when auto negotiation off") disabled the usage of ethtool's link_ksetting
+when auto negotation was enabled due to invalid values when used with
+tun/tap virtual net_devices. According to the patch, automatic measurements
+should be used for these kind of interfaces.
+
+But there are major flaws with this argumentation:
+
+* automatic measurements are not implemented
+* auto negotiation has nothing to do with the validity of the retrieved
+ values
+
+The first point has to be fixed by a longer patch series. The "validity"
+part of the second point must be addressed in the same patch series by
+dropping the usage of ethtool's link_ksetting (thus always doing automatic
+measurements over ethernet).
+
+Drop the patch again to have more default values for various net_device
+types/configurations. The user can still overwrite them using the
+batadv_hardif's BATADV_ATTR_THROUGHPUT_OVERRIDE.
+
+Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_v_elp.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 5da183b2f4c9..af3da6cdfc79 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -132,20 +132,7 @@ static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh)
+ rtnl_lock();
+ ret = __ethtool_get_link_ksettings(hard_iface->net_dev, &link_settings);
+ rtnl_unlock();
+-
+- /* Virtual interface drivers such as tun / tap interfaces, VLAN, etc
+- * tend to initialize the interface throughput with some value for the
+- * sake of having a throughput number to export via ethtool. This
+- * exported throughput leaves batman-adv to conclude the interface
+- * throughput is genuine (reflecting reality), thus no measurements
+- * are necessary.
+- *
+- * Based on the observation that those interface types also tend to set
+- * the link auto-negotiation to 'off', batman-adv shall check this
+- * setting to differentiate between genuine link throughput information
+- * and placeholders installed by virtual interfaces.
+- */
+- if (ret == 0 && link_settings.base.autoneg == AUTONEG_ENABLE) {
++ if (ret == 0) {
+ /* link characteristics might change over time */
+ if (link_settings.base.duplex == DUPLEX_FULL)
+ hard_iface->bat_v.flags |= BATADV_FULL_DUPLEX;
+--
+2.25.1
+
--- /dev/null
+From e5e751fcf1ef0a047d5fc9498eef460e936c2ef9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2020 12:01:53 +0800
+Subject: bcache: fix refcount underflow in bcache_device_free()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 86da9f736740eba602389908574dfbb0f517baa5 ]
+
+The problematic code piece in bcache_device_free() is,
+
+ 785 static void bcache_device_free(struct bcache_device *d)
+ 786 {
+ 787 struct gendisk *disk = d->disk;
+ [snipped]
+ 799 if (disk) {
+ 800 if (disk->flags & GENHD_FL_UP)
+ 801 del_gendisk(disk);
+ 802
+ 803 if (disk->queue)
+ 804 blk_cleanup_queue(disk->queue);
+ 805
+ 806 ida_simple_remove(&bcache_device_idx,
+ 807 first_minor_to_idx(disk->first_minor));
+ 808 put_disk(disk);
+ 809 }
+ [snipped]
+ 816 }
+
+At line 808, put_disk(disk) may encounter kobject refcount of 'disk'
+being underflow.
+
+Here is how to reproduce the issue,
+- Attche the backing device to a cache device and do random write to
+ make the cache being dirty.
+- Stop the bcache device while the cache device has dirty data of the
+ backing device.
+- Only register the backing device back, NOT register cache device.
+- The bcache device node /dev/bcache0 won't show up, because backing
+ device waits for the cache device shows up for the missing dirty
+ data.
+- Now echo 1 into /sys/fs/bcache/pendings_cleanup, to stop the pending
+ backing device.
+- After the pending backing device stopped, use 'dmesg' to check kernel
+ message, a use-after-free warning from KASA reported the refcount of
+ kobject linked to the 'disk' is underflow.
+
+The dropping refcount at line 808 in the above code piece is added by
+add_disk(d->disk) in bch_cached_dev_run(). But in the above condition
+the cache device is not registered, bch_cached_dev_run() has no chance
+to be called and the refcount is not added. The put_disk() for a non-
+added refcount of gendisk kobject triggers a underflow warning.
+
+This patch checks whether GENHD_FL_UP is set in disk->flags, if it is
+not set then the bcache device was not added, don't call put_disk()
+and the the underflow issue can be avoided.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 5b5cbfadd003..68ebc2759c2e 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -775,7 +775,9 @@ static void bcache_device_free(struct bcache_device *d)
+ bcache_device_detach(d);
+
+ if (disk) {
+- if (disk->flags & GENHD_FL_UP)
++ bool disk_added = (disk->flags & GENHD_FL_UP) != 0;
++
++ if (disk_added)
+ del_gendisk(disk);
+
+ if (disk->queue)
+@@ -783,7 +785,8 @@ static void bcache_device_free(struct bcache_device *d)
+
+ ida_simple_remove(&bcache_device_idx,
+ first_minor_to_idx(disk->first_minor));
+- put_disk(disk);
++ if (disk_added)
++ put_disk(disk);
+ }
+
+ bioset_exit(&d->bio_split);
+--
+2.25.1
+
--- /dev/null
+From 121da5b242b6d968dff047d49d3e2c2900f98844 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:27:04 +0800
+Subject: Bluetooth: Add SCO fallback for invalid LMP parameters error
+
+From: Hsin-Yu Chao <hychao@chromium.org>
+
+[ Upstream commit 56b5453a86203a44726f523b4133c1feca49ce7c ]
+
+Bluetooth PTS test case HFP/AG/ACC/BI-12-I accepts SCO connection
+with invalid parameter at the first SCO request expecting AG to
+attempt another SCO request with the use of "safe settings" for
+given codec, base on section 5.7.1.2 of HFP 1.7 specification.
+
+This patch addresses it by adding "Invalid LMP Parameters" (0x1e)
+to the SCO fallback case. Verified with below log:
+
+< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
+ Handle: 256
+ Transmit bandwidth: 8000
+ Receive bandwidth: 8000
+ Max latency: 13
+ Setting: 0x0003
+ Input Coding: Linear
+ Input Data Format: 1's complement
+ Input Sample Size: 8-bit
+ # of bits padding at MSB: 0
+ Air Coding Format: Transparent Data
+ Retransmission effort: Optimize for link quality (0x02)
+ Packet type: 0x0380
+ 3-EV3 may not be used
+ 2-EV5 may not be used
+ 3-EV5 may not be used
+> HCI Event: Command Status (0x0f) plen 4
+ Setup Synchronous Connection (0x01|0x0028) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Number of Completed Packets (0x13) plen 5
+ Num handles: 1
+ Handle: 256
+ Count: 1
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 1
+> HCI Event: Synchronous Connect Complete (0x2c) plen 17
+ Status: Invalid LMP Parameters / Invalid LL Parameters (0x1e)
+ Handle: 0
+ Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
+ Link type: eSCO (0x02)
+ Transmission interval: 0x00
+ Retransmission window: 0x02
+ RX packet length: 0
+ TX packet length: 0
+ Air mode: Transparent (0x03)
+< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
+ Handle: 256
+ Transmit bandwidth: 8000
+ Receive bandwidth: 8000
+ Max latency: 8
+ Setting: 0x0003
+ Input Coding: Linear
+ Input Data Format: 1's complement
+ Input Sample Size: 8-bit
+ # of bits padding at MSB: 0
+ Air Coding Format: Transparent Data
+ Retransmission effort: Optimize for link quality (0x02)
+ Packet type: 0x03c8
+ EV3 may be used
+ 2-EV3 may not be used
+ 3-EV3 may not be used
+ 2-EV5 may not be used
+ 3-EV5 may not be used
+> HCI Event: Command Status (0x0f) plen 4
+ Setup Synchronous Connection (0x01|0x0028) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 5
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 1
+> HCI Event: Synchronous Connect Complete (0x2c) plen 17
+ Status: Success (0x00)
+ Handle: 257
+ Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
+ Link type: eSCO (0x02)
+ Transmission interval: 0x06
+ Retransmission window: 0x04
+ RX packet length: 30
+ TX packet length: 30
+ Air mode: Transparent (0x03)
+
+Signed-off-by: Hsin-Yu Chao <hychao@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 3e7badb3ac2d..a044e6bb12b8 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4097,6 +4097,7 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
+ case 0x11: /* Unsupported Feature or Parameter Value */
+ case 0x1c: /* SCO interval rejected */
+ case 0x1a: /* Unsupported Remote Feature */
++ case 0x1e: /* Invalid LMP Parameters */
+ case 0x1f: /* Unspecified error */
+ case 0x20: /* Unsupported LMP Parameter value */
+ if (conn->out) {
+--
+2.25.1
+
--- /dev/null
+From c203ea298417bcef18fd065a2a52944aa263ed4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Apr 2020 19:15:32 +0200
+Subject: Bluetooth: btbcm: Add 2 missing models to subver tables
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit c03ee9af4e07112bd3fc688daca9e654f41eca93 ]
+
+Currently the bcm_uart_subver_ and bcm_usb_subver_table-s lack entries
+for the BCM4324B5 and BCM20703A1 chipsets. This makes the code use just
+"BCM" as prefix for the filename to pass to request-firmware, making it
+harder for users to figure out which firmware they need. This especially
+is problematic with the UART attached BCM4324B5 where this leads to the
+filename being just "BCM.hcd".
+
+Add the 2 missing devices to subver tables. This has been tested on:
+
+1. A Dell XPS15 9550 where this makes btbcm.c try to load
+"BCM20703A1-0a5c-6410.hcd" before it tries to load "BCM-0a5c-6410.hcd".
+
+2. A Thinkpad 8 where this makes btbcm.c try to load
+"BCM4324B5.hcd" before it tries to load "BCM.hcd"
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btbcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
+index e3e4d929e74f..ff6203c331ff 100644
+--- a/drivers/bluetooth/btbcm.c
++++ b/drivers/bluetooth/btbcm.c
+@@ -324,6 +324,7 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = {
+ { 0x4103, "BCM4330B1" }, /* 002.001.003 */
+ { 0x410e, "BCM43341B0" }, /* 002.001.014 */
+ { 0x4406, "BCM4324B3" }, /* 002.004.006 */
++ { 0x4606, "BCM4324B5" }, /* 002.006.006 */
+ { 0x6109, "BCM4335C0" }, /* 003.001.009 */
+ { 0x610c, "BCM4354" }, /* 003.001.012 */
+ { 0x2122, "BCM4343A0" }, /* 001.001.034 */
+@@ -334,6 +335,7 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = {
+ };
+
+ static const struct bcm_subver_table bcm_usb_subver_table[] = {
++ { 0x2105, "BCM20703A1" }, /* 001.001.005 */
+ { 0x210b, "BCM43142A0" }, /* 001.001.011 */
+ { 0x2112, "BCM4314A0" }, /* 001.001.018 */
+ { 0x2118, "BCM20702A0" }, /* 001.001.024 */
+--
+2.25.1
+
--- /dev/null
+From f4ad78f152e6bda172b3c30a9a70d86c6a393467 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2020 14:25:28 +0900
+Subject: brcmfmac: fix wrong location to get firmware feature
+
+From: Jaehoon Chung <jh80.chung@samsung.com>
+
+[ Upstream commit c57673852062428cdeabdd6501ac8b8e4c302067 ]
+
+sup_wpa feature is getting after setting feature_disable flag.
+If firmware is supported sup_wpa feature, it's always enabled
+regardless of feature_disable flag.
+
+Fixes: b8a64f0e96c2 ("brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK")
+Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200330052528.10503-1-jh80.chung@samsung.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+index 4c5a3995dc35..d7f41caa0b0b 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -281,13 +281,14 @@ void brcmf_feat_attach(struct brcmf_pub *drvr)
+ if (!err)
+ ifp->drvr->feat_flags |= BIT(BRCMF_FEAT_SCAN_RANDOM_MAC);
+
++ brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa");
++
+ if (drvr->settings->feature_disable) {
+ brcmf_dbg(INFO, "Features: 0x%02x, disable: 0x%02x\n",
+ ifp->drvr->feat_flags,
+ drvr->settings->feature_disable);
+ ifp->drvr->feat_flags &= ~drvr->settings->feature_disable;
+ }
+- brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa");
+
+ brcmf_feat_firmware_overrides(drvr);
+
+--
+2.25.1
+
--- /dev/null
+From 9a8810c9b133bc5e2fcf2817e305da4f9ebcc716 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 12:15:09 +0100
+Subject: btrfs: do not ignore error from btrfs_next_leaf() when inserting
+ checksums
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 7e4a3f7ed5d54926ec671bbb13e171cfe179cc50 ]
+
+We are currently treating any non-zero return value from btrfs_next_leaf()
+the same way, by going to the code that inserts a new checksum item in the
+tree. However if btrfs_next_leaf() returns an error (a value < 0), we
+should just stop and return the error, and not behave as if nothing has
+happened, since in that case we do not have a way to know if there is a
+next leaf or we are currently at the last leaf already.
+
+So fix that by returning the error from btrfs_next_leaf().
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/file-item.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c
+index f9e280d0b44f..1b8a04b767ff 100644
+--- a/fs/btrfs/file-item.c
++++ b/fs/btrfs/file-item.c
+@@ -785,10 +785,12 @@ again:
+ nritems = btrfs_header_nritems(path->nodes[0]);
+ if (!nritems || (path->slots[0] >= nritems - 1)) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret == 1)
++ if (ret < 0) {
++ goto out;
++ } else if (ret > 0) {
+ found_next = 1;
+- if (ret != 0)
+ goto insert;
++ }
+ slot = path->slots[0];
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &found_key, slot);
+--
+2.25.1
+
--- /dev/null
+From 4ef8d6a4d54b41b0f4b4cbf994769ef970b05409 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2020 14:37:35 +0800
+Subject: btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot
+ to a new qgroup
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit cbab8ade585a18c4334b085564d9d046e01a3f70 ]
+
+[BUG]
+For the following operation, qgroup is guaranteed to be screwed up due
+to snapshot adding to a new qgroup:
+
+ # mkfs.btrfs -f $dev
+ # mount $dev $mnt
+ # btrfs qgroup en $mnt
+ # btrfs subv create $mnt/src
+ # xfs_io -f -c "pwrite 0 1m" $mnt/src/file
+ # sync
+ # btrfs qgroup create 1/0 $mnt/src
+ # btrfs subv snapshot -i 1/0 $mnt/src $mnt/snapshot
+ # btrfs qgroup show -prce $mnt/src
+ qgroupid rfer excl max_rfer max_excl parent child
+ -------- ---- ---- -------- -------- ------ -----
+ 0/5 16.00KiB 16.00KiB none none --- ---
+ 0/257 1.02MiB 16.00KiB none none --- ---
+ 0/258 1.02MiB 16.00KiB none none 1/0 ---
+ 1/0 0.00B 0.00B none none --- 0/258
+ ^^^^^^^^^^^^^^^^^^^^
+
+[CAUSE]
+The problem is in btrfs_qgroup_inherit(), we don't have good enough
+check to determine if the new relation would break the existing
+accounting.
+
+Unlike btrfs_add_qgroup_relation(), which has proper check to determine
+if we can do quick update without a rescan, in btrfs_qgroup_inherit() we
+can even assign a snapshot to multiple qgroups.
+
+[FIX]
+Fix it by manually marking qgroup inconsistent for snapshot inheritance.
+
+For subvolume creation, since all its extents are exclusively owned, we
+don't need to rescan.
+
+In theory, we should call relation check like quick_update_accounting()
+when doing qgroup inheritance and inform user about qgroup accounting
+inconsistency.
+
+But we don't have good mechanism to relay that back to the user in the
+snapshot creation context, thus we can only silently mark the qgroup
+inconsistent.
+
+Anyway, user shouldn't use qgroup inheritance during snapshot creation,
+and should add qgroup relationship after snapshot creation by 'btrfs
+qgroup assign', which has a much better UI to inform user about qgroup
+inconsistent and kick in rescan automatically.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index cbd40826f5dc..c8ed4db73b84 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2259,6 +2259,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ struct btrfs_root *quota_root;
+ struct btrfs_qgroup *srcgroup;
+ struct btrfs_qgroup *dstgroup;
++ bool need_rescan = false;
+ u32 level_size = 0;
+ u64 nums;
+
+@@ -2402,6 +2403,13 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ goto unlock;
+ }
+ ++i_qgroups;
++
++ /*
++ * If we're doing a snapshot, and adding the snapshot to a new
++ * qgroup, the numbers are guaranteed to be incorrect.
++ */
++ if (srcid)
++ need_rescan = true;
+ }
+
+ for (i = 0; i < inherit->num_ref_copies; ++i, i_qgroups += 2) {
+@@ -2421,6 +2429,9 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+
+ dst->rfer = src->rfer - level_size;
+ dst->rfer_cmpr = src->rfer_cmpr - level_size;
++
++ /* Manually tweaking numbers certainly needs a rescan */
++ need_rescan = true;
+ }
+ for (i = 0; i < inherit->num_excl_copies; ++i, i_qgroups += 2) {
+ struct btrfs_qgroup *src;
+@@ -2439,6 +2450,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+
+ dst->excl = src->excl + level_size;
+ dst->excl_cmpr = src->excl_cmpr + level_size;
++ need_rescan = true;
+ }
+
+ unlock:
+@@ -2446,6 +2458,8 @@ unlock:
+ out:
+ if (!committing)
+ mutex_unlock(&fs_info->qgroup_ioctl_lock);
++ if (need_rescan)
++ fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 8693a742c3af0e38ea937ee33bb8aae4f50f5127 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 23:48:13 +0300
+Subject: clocksource: dw_apb_timer: Make CPU-affiliation being optional
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit cee43dbf2ee3f430434e2b66994eff8a1aeda889 ]
+
+Currently the DW APB Timer driver binds each clockevent timers to a
+particular CPU. This isn't good for multiple reasons. First of all seeing
+the device is placed on APB bus (which makes it accessible from any CPU
+core), accessible over MMIO and having the DYNIRQ flag set we can be sure
+that manually binding the timer to any CPU just isn't correct. By doing
+so we just set an extra limitation on device usage. This also doesn't
+reflect the device actual capability, since by setting the IRQ affinity
+we can make it virtually local to any CPU. Secondly imagine if you had a
+real CPU-local timer with the same rating and the same CPU-affinity.
+In this case if DW APB timer was registered first, then due to the
+clockevent framework tick-timer selection procedure we'll end up with the
+real CPU-local timer being left unselected for clock-events tracking. But
+on most of the platforms (MIPS/ARM/etc) such timers are normally embedded
+into the CPU core and are accessible with much better performance then
+devices placed on APB. For instance in MIPS architectures there is
+r4k-timer, which is CPU-local, assigned with the same rating, and normally
+its clockevent device is registered after the platform-specific one.
+
+So in order to fix all of these issues let's make the DW APB Timer CPU
+affinity being optional and deactivated by passing a negative CPU id,
+which will effectively set the DW APB clockevent timer cpumask to
+'cpu_possible_mask'.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-rtc@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200521204818.25436-5-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/dw_apb_timer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clocksource/dw_apb_timer.c b/drivers/clocksource/dw_apb_timer.c
+index 1f5f734e4919..a018199575e3 100644
+--- a/drivers/clocksource/dw_apb_timer.c
++++ b/drivers/clocksource/dw_apb_timer.c
+@@ -225,7 +225,8 @@ static int apbt_next_event(unsigned long delta,
+ /**
+ * dw_apb_clockevent_init() - use an APB timer as a clock_event_device
+ *
+- * @cpu: The CPU the events will be targeted at.
++ * @cpu: The CPU the events will be targeted at or -1 if CPU affiliation
++ * isn't required.
+ * @name: The name used for the timer and the IRQ for it.
+ * @rating: The rating to give the timer.
+ * @base: I/O base for the timer registers.
+@@ -260,7 +261,7 @@ dw_apb_clockevent_init(int cpu, const char *name, unsigned rating,
+ dw_ced->ced.max_delta_ticks = 0x7fffffff;
+ dw_ced->ced.min_delta_ns = clockevent_delta2ns(5000, &dw_ced->ced);
+ dw_ced->ced.min_delta_ticks = 5000;
+- dw_ced->ced.cpumask = cpumask_of(cpu);
++ dw_ced->ced.cpumask = cpu < 0 ? cpu_possible_mask : cpumask_of(cpu);
+ dw_ced->ced.features = CLOCK_EVT_FEAT_PERIODIC |
+ CLOCK_EVT_FEAT_ONESHOT | CLOCK_EVT_FEAT_DYNIRQ;
+ dw_ced->ced.set_state_shutdown = apbt_shutdown;
+--
+2.25.1
+
--- /dev/null
+From da4be9588c799db4cb9503c284f2d10126dfd6d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 23:48:15 +0300
+Subject: clocksource: dw_apb_timer_of: Fix missing clockevent timers
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 6d2e16a3181bafb77b535095c39ad1c8b9558c8c ]
+
+Commit 100214889973 ("clocksource: dw_apb_timer_of: use
+clocksource_of_init") replaced a publicly available driver
+initialization method with one called by the timer_probe() method
+available after CLKSRC_OF. In current implementation it traverses
+all the timers available in the system and calls their initialization
+methods if corresponding devices were either in dtb or in acpi. But
+if before the commit any number of available timers would be installed
+as clockevent and clocksource devices, after that there would be at most
+two. The rest are just ignored since default case branch doesn't do
+anything. I don't see a reason of such behaviour, neither the commit
+message explains it. Moreover this might be wrong if on some platforms
+these timers might be used for different purpose, as virtually CPU-local
+clockevent timers and as an independent broadcast timer. So in order
+to keep the compatibility with the platforms where the order of the
+timers detection has some meaning, lets add the secondly discovered
+timer to be of clocksource/sched_clock type, while the very first and
+the others would provide the clockevents service.
+
+Fixes: 100214889973 ("clocksource: dw_apb_timer_of: use clocksource_of_init")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-rtc@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200521204818.25436-7-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/dw_apb_timer_of.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clocksource/dw_apb_timer_of.c b/drivers/clocksource/dw_apb_timer_of.c
+index 69866cd8f4bb..3e4d0e5733d3 100644
+--- a/drivers/clocksource/dw_apb_timer_of.c
++++ b/drivers/clocksource/dw_apb_timer_of.c
+@@ -146,10 +146,6 @@ static int num_called;
+ static int __init dw_apb_timer_init(struct device_node *timer)
+ {
+ switch (num_called) {
+- case 0:
+- pr_debug("%s: found clockevent timer\n", __func__);
+- add_clockevent(timer);
+- break;
+ case 1:
+ pr_debug("%s: found clocksource timer\n", __func__);
+ add_clocksource(timer);
+@@ -160,6 +156,8 @@ static int __init dw_apb_timer_init(struct device_node *timer)
+ #endif
+ break;
+ default:
++ pr_debug("%s: found clockevent timer\n", __func__);
++ add_clockevent(timer);
+ break;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 4cfe13130a59ad533b0a1b318d4c6a49db406b53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 13:20:46 -0500
+Subject: cpuidle: Fix three reference count leaks
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit c343bf1ba5efcbf2266a1fe3baefec9cc82f867f ]
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object.
+
+Previous commit "b8eb718348b8" fixed a similar problem.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/sysfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
+index e754c7aae7f7..66979dc33680 100644
+--- a/drivers/cpuidle/sysfs.c
++++ b/drivers/cpuidle/sysfs.c
+@@ -467,7 +467,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device)
+ ret = kobject_init_and_add(&kobj->kobj, &ktype_state_cpuidle,
+ &kdev->kobj, "state%d", i);
+ if (ret) {
+- kfree(kobj);
++ kobject_put(&kobj->kobj);
+ goto error_state;
+ }
+ cpuidle_add_s2idle_attr_group(kobj);
+@@ -598,7 +598,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev)
+ ret = kobject_init_and_add(&kdrv->kobj, &ktype_driver_cpuidle,
+ &kdev->kobj, "driver");
+ if (ret) {
+- kfree(kdrv);
++ kobject_put(&kdrv->kobj);
+ return ret;
+ }
+
+@@ -692,7 +692,7 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ error = kobject_init_and_add(&kdev->kobj, &ktype_cpuidle, &cpu_dev->kobj,
+ "cpuidle");
+ if (error) {
+- kfree(kdev);
++ kobject_put(&kdev->kobj);
+ return error;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 604d69f1c96bb8d4f56c938256307a8209db72e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2020 18:26:48 +0200
+Subject: crypto: ccp -- don't "select" CONFIG_DMADEVICES
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit eebac678556d6927f09a992872f4464cf3aecc76 ]
+
+DMADEVICES is the top-level option for the slave DMA
+subsystem, and should not be selected by device drivers,
+as this can cause circular dependencies such as:
+
+drivers/net/ethernet/freescale/Kconfig:6:error: recursive dependency detected!
+drivers/net/ethernet/freescale/Kconfig:6: symbol NET_VENDOR_FREESCALE depends on PPC_BESTCOMM
+drivers/dma/bestcomm/Kconfig:6: symbol PPC_BESTCOMM depends on DMADEVICES
+drivers/dma/Kconfig:6: symbol DMADEVICES is selected by CRYPTO_DEV_SP_CCP
+drivers/crypto/ccp/Kconfig:10: symbol CRYPTO_DEV_SP_CCP depends on CRYPTO
+crypto/Kconfig:16: symbol CRYPTO is selected by LIBCRC32C
+lib/Kconfig:222: symbol LIBCRC32C is selected by LIQUIDIO
+drivers/net/ethernet/cavium/Kconfig:65: symbol LIQUIDIO depends on PTP_1588_CLOCK
+drivers/ptp/Kconfig:8: symbol PTP_1588_CLOCK is implied by FEC
+drivers/net/ethernet/freescale/Kconfig:23: symbol FEC depends on NET_VENDOR_FREESCALE
+
+The LIQUIDIO driver causing this problem is addressed in a
+separate patch, but this change is needed to prevent it from
+happening again.
+
+Using "depends on DMADEVICES" is what we do for all other
+implementations of slave DMA controllers as well.
+
+Fixes: b3c2fee5d66b ("crypto: ccp - Ensure all dependencies are specified")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/ccp/Kconfig b/drivers/crypto/ccp/Kconfig
+index b9dfae47aefd..7f5fc705503d 100644
+--- a/drivers/crypto/ccp/Kconfig
++++ b/drivers/crypto/ccp/Kconfig
+@@ -9,10 +9,9 @@ config CRYPTO_DEV_CCP_DD
+ config CRYPTO_DEV_SP_CCP
+ bool "Cryptographic Coprocessor device"
+ default y
+- depends on CRYPTO_DEV_CCP_DD
++ depends on CRYPTO_DEV_CCP_DD && DMADEVICES
+ select HW_RANDOM
+ select DMA_ENGINE
+- select DMADEVICES
+ select CRYPTO_SHA1
+ select CRYPTO_SHA256
+ help
+--
+2.25.1
+
--- /dev/null
+From f673733e3c3b8ff49f8da89d32d881c28199722c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 08:42:55 +0530
+Subject: Crypto/chcr: fix for ccm(aes) failed test
+
+From: Devulapally Shiva Krishna <shiva@chelsio.com>
+
+[ Upstream commit 10b0c75d7bc19606fa9a62c8ab9180e95c0e0385 ]
+
+The ccm(aes) test fails when req->assoclen > ~240bytes.
+
+The problem is the value assigned to auth_offset is wrong.
+As auth_offset is unsigned char, it can take max value as 255.
+So fix it by making it unsigned int.
+
+Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com>
+Signed-off-by: Devulapally Shiva Krishna <shiva@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/chelsio/chcr_algo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c
+index c435f89f34e3..9b3c259f081d 100644
+--- a/drivers/crypto/chelsio/chcr_algo.c
++++ b/drivers/crypto/chelsio/chcr_algo.c
+@@ -2764,7 +2764,7 @@ static void fill_sec_cpl_for_aead(struct cpl_tx_sec_pdu *sec_cpl,
+ unsigned int mac_mode = CHCR_SCMD_AUTH_MODE_CBCMAC;
+ unsigned int c_id = a_ctx(tfm)->dev->rx_channel_id;
+ unsigned int ccm_xtra;
+- unsigned char tag_offset = 0, auth_offset = 0;
++ unsigned int tag_offset = 0, auth_offset = 0;
+ unsigned int assoclen;
+
+ if (get_aead_subtype(tfm) == CRYPTO_ALG_SUB_TYPE_AEAD_RFC4309)
+--
+2.25.1
+
--- /dev/null
+From 61ca1eb1ea47efc3a3dc3174168d8111ec3ee545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 16:11:09 +0200
+Subject: crypto: stm32/crc32 - fix ext4 chksum BUG_ON()
+
+From: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+
+[ Upstream commit 49c2c082e00e0bc4f5cbb7c21c7f0f873b35ab09 ]
+
+Allow use of crc_update without prior call to crc_init.
+And change (and fix) driver to use CRC device even on unaligned buffers.
+
+Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32_crc32.c | 98 +++++++++++++++---------------
+ 1 file changed, 48 insertions(+), 50 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32_crc32.c b/drivers/crypto/stm32/stm32_crc32.c
+index 29d2095d9dfd..749b51762b18 100644
+--- a/drivers/crypto/stm32/stm32_crc32.c
++++ b/drivers/crypto/stm32/stm32_crc32.c
+@@ -28,8 +28,10 @@
+
+ /* Registers values */
+ #define CRC_CR_RESET BIT(0)
+-#define CRC_CR_REVERSE (BIT(7) | BIT(6) | BIT(5))
+ #define CRC_INIT_DEFAULT 0xFFFFFFFF
++#define CRC_CR_REV_IN_WORD (BIT(6) | BIT(5))
++#define CRC_CR_REV_IN_BYTE BIT(5)
++#define CRC_CR_REV_OUT BIT(7)
+
+ #define CRC_AUTOSUSPEND_DELAY 50
+
+@@ -38,8 +40,6 @@ struct stm32_crc {
+ struct device *dev;
+ void __iomem *regs;
+ struct clk *clk;
+- u8 pending_data[sizeof(u32)];
+- size_t nb_pending_bytes;
+ };
+
+ struct stm32_crc_list {
+@@ -59,7 +59,6 @@ struct stm32_crc_ctx {
+
+ struct stm32_crc_desc_ctx {
+ u32 partial; /* crc32c: partial in first 4 bytes of that struct */
+- struct stm32_crc *crc;
+ };
+
+ static int stm32_crc32_cra_init(struct crypto_tfm *tfm)
+@@ -101,25 +100,22 @@ static int stm32_crc_init(struct shash_desc *desc)
+ struct stm32_crc *crc;
+
+ spin_lock_bh(&crc_list.lock);
+- list_for_each_entry(crc, &crc_list.dev_list, list) {
+- ctx->crc = crc;
+- break;
+- }
++ crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
+ spin_unlock_bh(&crc_list.lock);
+
+- pm_runtime_get_sync(ctx->crc->dev);
++ pm_runtime_get_sync(crc->dev);
+
+ /* Reset, set key, poly and configure in bit reverse mode */
+- writel_relaxed(bitrev32(mctx->key), ctx->crc->regs + CRC_INIT);
+- writel_relaxed(bitrev32(mctx->poly), ctx->crc->regs + CRC_POL);
+- writel_relaxed(CRC_CR_RESET | CRC_CR_REVERSE, ctx->crc->regs + CRC_CR);
++ writel_relaxed(bitrev32(mctx->key), crc->regs + CRC_INIT);
++ writel_relaxed(bitrev32(mctx->poly), crc->regs + CRC_POL);
++ writel_relaxed(CRC_CR_RESET | CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
+
+ /* Store partial result */
+- ctx->partial = readl_relaxed(ctx->crc->regs + CRC_DR);
+- ctx->crc->nb_pending_bytes = 0;
++ ctx->partial = readl_relaxed(crc->regs + CRC_DR);
+
+- pm_runtime_mark_last_busy(ctx->crc->dev);
+- pm_runtime_put_autosuspend(ctx->crc->dev);
++ pm_runtime_mark_last_busy(crc->dev);
++ pm_runtime_put_autosuspend(crc->dev);
+
+ return 0;
+ }
+@@ -128,31 +124,49 @@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8,
+ unsigned int length)
+ {
+ struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc);
+- struct stm32_crc *crc = ctx->crc;
+- u32 *d32;
+- unsigned int i;
++ struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm);
++ struct stm32_crc *crc;
++
++ spin_lock_bh(&crc_list.lock);
++ crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
++ spin_unlock_bh(&crc_list.lock);
+
+ pm_runtime_get_sync(crc->dev);
+
+- if (unlikely(crc->nb_pending_bytes)) {
+- while (crc->nb_pending_bytes != sizeof(u32) && length) {
+- /* Fill in pending data */
+- crc->pending_data[crc->nb_pending_bytes++] = *(d8++);
++ /*
++ * Restore previously calculated CRC for this context as init value
++ * Restore polynomial configuration
++ * Configure in register for word input data,
++ * Configure out register in reversed bit mode data.
++ */
++ writel_relaxed(bitrev32(ctx->partial), crc->regs + CRC_INIT);
++ writel_relaxed(bitrev32(mctx->poly), crc->regs + CRC_POL);
++ writel_relaxed(CRC_CR_RESET | CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
++
++ if (d8 != PTR_ALIGN(d8, sizeof(u32))) {
++ /* Configure for byte data */
++ writel_relaxed(CRC_CR_REV_IN_BYTE | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
++ while (d8 != PTR_ALIGN(d8, sizeof(u32)) && length) {
++ writeb_relaxed(*d8++, crc->regs + CRC_DR);
+ length--;
+ }
+-
+- if (crc->nb_pending_bytes == sizeof(u32)) {
+- /* Process completed pending data */
+- writel_relaxed(*(u32 *)crc->pending_data,
+- crc->regs + CRC_DR);
+- crc->nb_pending_bytes = 0;
+- }
++ /* Configure for word data */
++ writel_relaxed(CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
+ }
+
+- d32 = (u32 *)d8;
+- for (i = 0; i < length >> 2; i++)
+- /* Process 32 bits data */
+- writel_relaxed(*(d32++), crc->regs + CRC_DR);
++ for (; length >= sizeof(u32); d8 += sizeof(u32), length -= sizeof(u32))
++ writel_relaxed(*((u32 *)d8), crc->regs + CRC_DR);
++
++ if (length) {
++ /* Configure for byte data */
++ writel_relaxed(CRC_CR_REV_IN_BYTE | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
++ while (length--)
++ writeb_relaxed(*d8++, crc->regs + CRC_DR);
++ }
+
+ /* Store partial result */
+ ctx->partial = readl_relaxed(crc->regs + CRC_DR);
+@@ -160,22 +174,6 @@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8,
+ pm_runtime_mark_last_busy(crc->dev);
+ pm_runtime_put_autosuspend(crc->dev);
+
+- /* Check for pending data (non 32 bits) */
+- length &= 3;
+- if (likely(!length))
+- return 0;
+-
+- if ((crc->nb_pending_bytes + length) >= sizeof(u32)) {
+- /* Shall not happen */
+- dev_err(crc->dev, "Pending data overflow\n");
+- return -EINVAL;
+- }
+-
+- d8 = (const u8 *)d32;
+- for (i = 0; i < length; i++)
+- /* Store pending data */
+- crc->pending_data[crc->nb_pending_bytes++] = *(d8++);
+-
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b3359f834b65fcbec078db514952f10ea55a7d88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 16:11:11 +0200
+Subject: crypto: stm32/crc32 - fix multi-instance
+
+From: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+
+[ Upstream commit 10b89c43a64eb0d236903b79a3bc9d8f6cbfd9c7 ]
+
+Ensure CRC algorithm is registered only once in crypto framework when
+there are several instances of CRC devices.
+
+Update the CRC device list management to avoid that only the first CRC
+instance is used.
+
+Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32_crc32.c | 48 ++++++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32_crc32.c b/drivers/crypto/stm32/stm32_crc32.c
+index c5ad83ad2f72..47d31335c2d4 100644
+--- a/drivers/crypto/stm32/stm32_crc32.c
++++ b/drivers/crypto/stm32/stm32_crc32.c
+@@ -93,16 +93,29 @@ static int stm32_crc_setkey(struct crypto_shash *tfm, const u8 *key,
+ return 0;
+ }
+
+-static int stm32_crc_init(struct shash_desc *desc)
++static struct stm32_crc *stm32_crc_get_next_crc(void)
+ {
+- struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc);
+- struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm);
+ struct stm32_crc *crc;
+
+ spin_lock_bh(&crc_list.lock);
+ crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
++ if (crc)
++ list_move_tail(&crc->list, &crc_list.dev_list);
+ spin_unlock_bh(&crc_list.lock);
+
++ return crc;
++}
++
++static int stm32_crc_init(struct shash_desc *desc)
++{
++ struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc);
++ struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm);
++ struct stm32_crc *crc;
++
++ crc = stm32_crc_get_next_crc();
++ if (!crc)
++ return -ENODEV;
++
+ pm_runtime_get_sync(crc->dev);
+
+ /* Reset, set key, poly and configure in bit reverse mode */
+@@ -127,9 +140,9 @@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8,
+ struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm);
+ struct stm32_crc *crc;
+
+- spin_lock_bh(&crc_list.lock);
+- crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
+- spin_unlock_bh(&crc_list.lock);
++ crc = stm32_crc_get_next_crc();
++ if (!crc)
++ return -ENODEV;
+
+ pm_runtime_get_sync(crc->dev);
+
+@@ -202,6 +215,8 @@ static int stm32_crc_digest(struct shash_desc *desc, const u8 *data,
+ return stm32_crc_init(desc) ?: stm32_crc_finup(desc, data, length, out);
+ }
+
++static unsigned int refcnt;
++static DEFINE_MUTEX(refcnt_lock);
+ static struct shash_alg algs[] = {
+ /* CRC-32 */
+ {
+@@ -294,12 +309,18 @@ static int stm32_crc_probe(struct platform_device *pdev)
+ list_add(&crc->list, &crc_list.dev_list);
+ spin_unlock(&crc_list.lock);
+
+- ret = crypto_register_shashes(algs, ARRAY_SIZE(algs));
+- if (ret) {
+- dev_err(dev, "Failed to register\n");
+- clk_disable_unprepare(crc->clk);
+- return ret;
++ mutex_lock(&refcnt_lock);
++ if (!refcnt) {
++ ret = crypto_register_shashes(algs, ARRAY_SIZE(algs));
++ if (ret) {
++ mutex_unlock(&refcnt_lock);
++ dev_err(dev, "Failed to register\n");
++ clk_disable_unprepare(crc->clk);
++ return ret;
++ }
+ }
++ refcnt++;
++ mutex_unlock(&refcnt_lock);
+
+ dev_info(dev, "Initialized\n");
+
+@@ -320,7 +341,10 @@ static int stm32_crc_remove(struct platform_device *pdev)
+ list_del(&crc->list);
+ spin_unlock(&crc_list.lock);
+
+- crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
++ mutex_lock(&refcnt_lock);
++ if (!--refcnt)
++ crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
++ mutex_unlock(&refcnt_lock);
+
+ pm_runtime_disable(crc->dev);
+ pm_runtime_put_noidle(crc->dev);
+--
+2.25.1
+
--- /dev/null
+From b0f88751d8a08d7bf93ae9596f5b391e5868dd31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 16:11:10 +0200
+Subject: crypto: stm32/crc32 - fix run-time self test issue.
+
+From: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+
+[ Upstream commit a8cc3128bf2c01c4d448fe17149e87132113b445 ]
+
+Fix wrong crc32 initialisation value:
+"alg: shash: stm32_crc32 test failed (wrong result) on test vector 0,
+cfg="init+update+final aligned buffer"
+cra_name="crc32c" expects an init value of 0XFFFFFFFF,
+cra_name="crc32" expects an init value of 0.
+
+Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32_crc32.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32_crc32.c b/drivers/crypto/stm32/stm32_crc32.c
+index 749b51762b18..c5ad83ad2f72 100644
+--- a/drivers/crypto/stm32/stm32_crc32.c
++++ b/drivers/crypto/stm32/stm32_crc32.c
+@@ -28,10 +28,10 @@
+
+ /* Registers values */
+ #define CRC_CR_RESET BIT(0)
+-#define CRC_INIT_DEFAULT 0xFFFFFFFF
+ #define CRC_CR_REV_IN_WORD (BIT(6) | BIT(5))
+ #define CRC_CR_REV_IN_BYTE BIT(5)
+ #define CRC_CR_REV_OUT BIT(7)
++#define CRC32C_INIT_DEFAULT 0xFFFFFFFF
+
+ #define CRC_AUTOSUSPEND_DELAY 50
+
+@@ -65,7 +65,7 @@ static int stm32_crc32_cra_init(struct crypto_tfm *tfm)
+ {
+ struct stm32_crc_ctx *mctx = crypto_tfm_ctx(tfm);
+
+- mctx->key = CRC_INIT_DEFAULT;
++ mctx->key = 0;
+ mctx->poly = CRC32_POLY_LE;
+ return 0;
+ }
+@@ -74,7 +74,7 @@ static int stm32_crc32c_cra_init(struct crypto_tfm *tfm)
+ {
+ struct stm32_crc_ctx *mctx = crypto_tfm_ctx(tfm);
+
+- mctx->key = CRC_INIT_DEFAULT;
++ mctx->key = CRC32C_INIT_DEFAULT;
+ mctx->poly = CRC32C_POLY_LE;
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From d4304cbc3d39f5620ce916f11a5138be7013afd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 20:05:30 +0800
+Subject: drivers/perf: hisi: Fix typo in events attribute array
+
+From: Shaokun Zhang <zhangshaokun@hisilicon.com>
+
+[ Upstream commit 88562f06ebf56587788783e5420f25fde3ca36c8 ]
+
+Fix up one typo: wr_dr_64b -> wr_ddr_64b.
+
+Fixes: 2bab3cf9104c ("perf: hisi: Add support for HiSilicon SoC HHA PMU driver")
+Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1587643530-34357-1-git-send-email-zhangshaokun@hisilicon.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_uncore_hha_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c b/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
+index 443906e0aff3..0393c4471227 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
++++ b/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
+@@ -290,7 +290,7 @@ static struct attribute *hisi_hha_pmu_events_attr[] = {
+ HISI_PMU_EVENT_ATTR(rx_wbip, 0x05),
+ HISI_PMU_EVENT_ATTR(rx_wtistash, 0x11),
+ HISI_PMU_EVENT_ATTR(rd_ddr_64b, 0x1c),
+- HISI_PMU_EVENT_ATTR(wr_dr_64b, 0x1d),
++ HISI_PMU_EVENT_ATTR(wr_ddr_64b, 0x1d),
+ HISI_PMU_EVENT_ATTR(rd_ddr_128b, 0x1e),
+ HISI_PMU_EVENT_ATTR(wr_ddr_128b, 0x1f),
+ HISI_PMU_EVENT_ATTR(spill_num, 0x20),
+--
+2.25.1
+
--- /dev/null
+From a0de38e3802e5749f3aac391fe80e2406fe41295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 14:35:08 +0300
+Subject: drm: bridge: adv7511: Extend list of audio sample rates
+
+From: Bogdan Togorean <bogdan.togorean@analog.com>
+
+[ Upstream commit b97b6a1f6e14a25d1e1ca2a46c5fa3e2ca374e22 ]
+
+ADV7511 support sample rates up to 192kHz. CTS and N parameters should
+be computed accordingly so this commit extend the list up to maximum
+supported sample rate.
+
+Signed-off-by: Bogdan Togorean <bogdan.togorean@analog.com>
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200413113513.86091-2-bogdan.togorean@analog.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+index 1b4783d45c53..3a218b56a008 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+@@ -20,13 +20,15 @@ static void adv7511_calc_cts_n(unsigned int f_tmds, unsigned int fs,
+ {
+ switch (fs) {
+ case 32000:
+- *n = 4096;
++ case 48000:
++ case 96000:
++ case 192000:
++ *n = fs * 128 / 1000;
+ break;
+ case 44100:
+- *n = 6272;
+- break;
+- case 48000:
+- *n = 6144;
++ case 88200:
++ case 176400:
++ *n = fs * 128 / 900;
+ break;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 5325c5e39621adbeedd5732d2c53d09e65e6363a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Apr 2020 09:13:17 +0800
+Subject: dt-bindings: display: mediatek: control dpi pins mode to avoid
+ leakage
+
+From: Jitao Shi <jitao.shi@mediatek.com>
+
+[ Upstream commit b0ff9b590733079f7f9453e5976a9dd2630949e3 ]
+
+Add property "pinctrl-names" to swap pin mode between gpio and dpi mode.
+Set the dpi pins to gpio mode and output-low to avoid leakage current
+when dpi disabled.
+
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Jitao Shi <jitao.shi@mediatek.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/display/mediatek/mediatek,dpi.txt | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt b/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt
+index b6a7e7397b8b..b944fe067188 100644
+--- a/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt
++++ b/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt
+@@ -16,6 +16,9 @@ Required properties:
+ Documentation/devicetree/bindings/graph.txt. This port should be connected
+ to the input port of an attached HDMI or LVDS encoder chip.
+
++Optional properties:
++- pinctrl-names: Contain "default" and "sleep".
++
+ Example:
+
+ dpi0: dpi@1401d000 {
+@@ -26,6 +29,9 @@ dpi0: dpi@1401d000 {
+ <&mmsys CLK_MM_DPI_ENGINE>,
+ <&apmixedsys CLK_APMIXED_TVDPLL>;
+ clock-names = "pixel", "engine", "pll";
++ pinctrl-names = "default", "sleep";
++ pinctrl-0 = <&dpi_pin_func>;
++ pinctrl-1 = <&dpi_pin_idle>;
+
+ port {
+ dpi0_out: endpoint {
+--
+2.25.1
+
--- /dev/null
+From ffdbe05585c1d4d22b43feb271feb10d0a446cc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2020 22:23:02 -0800
+Subject: e1000: Distribute switch variables for initialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit a34c7f5156654ebaf7eaace102938be7ff7036cb ]
+
+Variables declared in a switch statement before any case statements
+cannot be automatically initialized with compiler instrumentation (as
+they are not part of any execution flow). With GCC's proposed automatic
+stack variable initialization feature, this triggers a warning (and they
+don't get initialized). Clang's automatic stack variable initialization
+(via CONFIG_INIT_STACK_ALL=y) doesn't throw a warning, but it also
+doesn't initialize such variables[1]. Note that these warnings (or silent
+skipping) happen before the dead-store elimination optimization phase,
+so even when the automatic initializations are later elided in favor of
+direct initializations, the warnings remain.
+
+To avoid these problems, move such variables into the "case" where
+they're used or lift them up into the main function body.
+
+drivers/net/ethernet/intel/e1000/e1000_main.c: In function ‘e1000_xmit_frame’:
+drivers/net/ethernet/intel/e1000/e1000_main.c:3143:18: warning: statement will never be executed [-Wswitch-unreachable]
+ 3143 | unsigned int pull_size;
+ | ^~~~~~~~~
+
+[1] https://bugs.llvm.org/show_bug.cgi?id=44916
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
+index 2110d5f2da19..47b867c64b14 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -3144,8 +3144,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+ hdr_len = skb_transport_offset(skb) + tcp_hdrlen(skb);
+ if (skb->data_len && hdr_len == len) {
+ switch (hw->mac_type) {
++ case e1000_82544: {
+ unsigned int pull_size;
+- case e1000_82544:
++
+ /* Make sure we have room to chop off 4 bytes,
+ * and that the end alignment will work out to
+ * this hardware's requirements
+@@ -3166,6 +3167,7 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+ }
+ len = skb_headlen(skb);
+ break;
++ }
+ default:
+ /* do nothing */
+ break;
+--
+2.25.1
+
--- /dev/null
+From 8464883403076b48e374d3dcd3745a41a9144f29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 10:06:29 +0200
+Subject: efi/libstub/x86: Work around LLVM ELF quirk build regression
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit f77767ed5f4d398b29119563155e4ece2dfeee13 ]
+
+When building the x86 EFI stub with Clang, the libstub Makefile rules
+that manipulate the ELF object files may throw an error like:
+
+ STUBCPY drivers/firmware/efi/libstub/efi-stub-helper.stub.o
+ strip: drivers/firmware/efi/libstub/efi-stub-helper.stub.o: Failed to find link section for section 10
+ objcopy: drivers/firmware/efi/libstub/efi-stub-helper.stub.o: Failed to find link section for section 10
+
+This is the result of a LLVM feature [0] where symbol references are
+stored in a LLVM specific .llvm_addrsig section in a non-transparent way,
+causing generic ELF tools such as strip or objcopy to choke on them.
+
+So force the compiler not to emit these sections, by passing the
+appropriate command line option.
+
+[0] https://sourceware.org/bugzilla/show_bug.cgi?id=23817
+
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Peter Collingbourne <pcc@google.com>
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Suggested-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
+index d9845099635e..d3777d754984 100644
+--- a/drivers/firmware/efi/libstub/Makefile
++++ b/drivers/firmware/efi/libstub/Makefile
+@@ -28,6 +28,7 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \
+ -D__NO_FORTIFY \
+ $(call cc-option,-ffreestanding) \
+ $(call cc-option,-fno-stack-protector) \
++ $(call cc-option,-fno-addrsig) \
+ -D__DISABLE_EXPORTS
+
+ GCOV_PROFILE := n
+--
+2.25.1
+
--- /dev/null
+From 7d2684c4848821098b6ee2aebfee74375e1a8232 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2020 23:06:57 +0100
+Subject: exit: Move preemption fixup up, move blocking operations down
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 586b58cac8b4683eb58a1446fbc399de18974e40 ]
+
+With CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_CGROUPS=y, kernel oopses in
+non-preemptible context look untidy; after the main oops, the kernel prints
+a "sleeping function called from invalid context" report because
+exit_signals() -> cgroup_threadgroup_change_begin() -> percpu_down_read()
+can sleep, and that happens before the preempt_count_set(PREEMPT_ENABLED)
+fixup.
+
+It looks like the same thing applies to profile_task_exit() and
+kcov_task_exit().
+
+Fix it by moving the preemption fixup up and the calls to
+profile_task_exit() and kcov_task_exit() down.
+
+Fixes: 1dc0fffc48af ("sched/core: Robustify preemption leak checks")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20200305220657.46800-1-jannh@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/exit.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 894fca56a38c..eeaafd4064c9 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -772,8 +772,12 @@ void __noreturn do_exit(long code)
+ struct task_struct *tsk = current;
+ int group_dead;
+
+- profile_task_exit(tsk);
+- kcov_task_exit(tsk);
++ /*
++ * We can get here from a kernel oops, sometimes with preemption off.
++ * Start by checking for critical errors.
++ * Then fix up important state like USER_DS and preemption.
++ * Then do everything else.
++ */
+
+ WARN_ON(blk_needs_flush_plug(tsk));
+
+@@ -791,6 +795,16 @@ void __noreturn do_exit(long code)
+ */
+ set_fs(USER_DS);
+
++ if (unlikely(in_atomic())) {
++ pr_info("note: %s[%d] exited with preempt_count %d\n",
++ current->comm, task_pid_nr(current),
++ preempt_count());
++ preempt_count_set(PREEMPT_ENABLED);
++ }
++
++ profile_task_exit(tsk);
++ kcov_task_exit(tsk);
++
+ ptrace_event(PTRACE_EVENT_EXIT, code);
+
+ validate_creds_for_do_exit(tsk);
+@@ -828,13 +842,6 @@ void __noreturn do_exit(long code)
+ raw_spin_lock_irq(&tsk->pi_lock);
+ raw_spin_unlock_irq(&tsk->pi_lock);
+
+- if (unlikely(in_atomic())) {
+- pr_info("note: %s[%d] exited with preempt_count %d\n",
+- current->comm, task_pid_nr(current),
+- preempt_count());
+- preempt_count_set(PREEMPT_ENABLED);
+- }
+-
+ /* sync mm's RSS info before statistics gathering */
+ if (tsk->mm)
+ sync_mm_rss(tsk->mm);
+--
+2.25.1
+
--- /dev/null
+From 1d9662780f9dd760194702ee3cbfeef79e03809a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 10:45:21 +0800
+Subject: ixgbe: fix signed-integer-overflow warning
+
+From: Xie XiuQi <xiexiuqi@huawei.com>
+
+[ Upstream commit 3b70683fc4d68f5d915d9dc7e5ba72c732c7315c ]
+
+ubsan report this warning, fix it by adding a unsigned suffix.
+
+UBSAN: signed-integer-overflow in
+drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:2246:26
+65535 * 65537 cannot be represented in type 'int'
+CPU: 21 PID: 7 Comm: kworker/u256:0 Not tainted 5.7.0-rc3-debug+ #39
+Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 03/27/2020
+Workqueue: ixgbe ixgbe_service_task [ixgbe]
+Call trace:
+ dump_backtrace+0x0/0x3f0
+ show_stack+0x28/0x38
+ dump_stack+0x154/0x1e4
+ ubsan_epilogue+0x18/0x60
+ handle_overflow+0xf8/0x148
+ __ubsan_handle_mul_overflow+0x34/0x48
+ ixgbe_fc_enable_generic+0x4d0/0x590 [ixgbe]
+ ixgbe_service_task+0xc20/0x1f78 [ixgbe]
+ process_one_work+0x8f0/0xf18
+ worker_thread+0x430/0x6d0
+ kthread+0x218/0x238
+ ret_from_fork+0x10/0x18
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+index 0bd1294ba517..39c5e6fdb72c 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+@@ -2243,7 +2243,7 @@ s32 ixgbe_fc_enable_generic(struct ixgbe_hw *hw)
+ }
+
+ /* Configure pause time (2 TCs per register) */
+- reg = hw->fc.pause_time * 0x00010001;
++ reg = hw->fc.pause_time * 0x00010001U;
+ for (i = 0; i < (MAX_TRAFFIC_CLASS / 2); i++)
+ IXGBE_WRITE_REG(hw, IXGBE_FCTTV(i), reg);
+
+--
+2.25.1
+
--- /dev/null
+From be9024d2ff01ce511cff6362e7d7138256bb594e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 May 2020 12:50:49 +0200
+Subject: ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit 88eb0ee17b2ece64fcf6689a4557a5c2e7a89c4b ]
+
+The ixgbe driver have another memory model when compiled on archs with
+PAGE_SIZE above 4096 bytes. In this mode it doesn't split the page in
+two halves, but instead increment rx_buffer->page_offset by truesize of
+packet (which include headroom and tailroom for skb_shared_info).
+
+This is done correctly in ixgbe_build_skb(), but in ixgbe_rx_buffer_flip
+which is currently only called on XDP_TX and XDP_REDIRECT, it forgets
+to add the tailroom for skb_shared_info. This breaks XDP_REDIRECT, for
+veth and cpumap. Fix by adding size of skb_shared_info tailroom.
+
+Maintainers notice: This fix have been queued to Jeff.
+
+Fixes: 6453073987ba ("ixgbe: add initial support for xdp redirect")
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Link: https://lore.kernel.org/bpf/158945344946.97035.17031588499266605743.stgit@firesoul
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 8177276500f5..7d723b70fcf6 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -2258,7 +2258,8 @@ static void ixgbe_rx_buffer_flip(struct ixgbe_ring *rx_ring,
+ rx_buffer->page_offset ^= truesize;
+ #else
+ unsigned int truesize = ring_uses_build_skb(rx_ring) ?
+- SKB_DATA_ALIGN(IXGBE_SKB_PAD + size) :
++ SKB_DATA_ALIGN(IXGBE_SKB_PAD + size) +
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) :
+ SKB_DATA_ALIGN(size);
+
+ rx_buffer->page_offset += truesize;
+--
+2.25.1
+
--- /dev/null
+From 649e1b78925e70cd02e10a77bb45d0ac8d6d89f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 13:08:39 -0700
+Subject: kgdb: Disable WARN_CONSOLE_UNLOCKED for all kgdb
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 202164fbfa2b2ffa3e66b504e0f126ba9a745006 ]
+
+In commit 81eaadcae81b ("kgdboc: disable the console lock when in
+kgdb") we avoided the WARN_CONSOLE_UNLOCKED() yell when we were in
+kgdboc. That still works fine, but it turns out that we get a similar
+yell when using other I/O drivers. One example is the "I/O driver"
+for the kgdb test suite (kgdbts). When I enabled that I again got the
+same yells.
+
+Even though "kgdbts" doesn't actually interact with the user over the
+console, using it still causes kgdb to print to the consoles. That
+trips the same warning:
+ con_is_visible+0x60/0x68
+ con_scroll+0x110/0x1b8
+ lf+0x4c/0xc8
+ vt_console_print+0x1b8/0x348
+ vkdb_printf+0x320/0x89c
+ kdb_printf+0x68/0x90
+ kdb_main_loop+0x190/0x860
+ kdb_stub+0x2cc/0x3ec
+ kgdb_cpu_enter+0x268/0x744
+ kgdb_handle_exception+0x1a4/0x200
+ kgdb_compiled_brk_fn+0x34/0x44
+ brk_handler+0x7c/0xb8
+ do_debug_exception+0x1b4/0x228
+
+Let's increment/decrement the "ignore_console_lock_warning" variable
+all the time when we enter the debugger.
+
+This will allow us to later revert commit 81eaadcae81b ("kgdboc:
+disable the console lock when in kgdb").
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20200507130644.v4.1.Ied2b058357152ebcc8bf68edd6f20a11d98d7d4e@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/debug_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index 94aa9ae0007a..d2799767aab8 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -577,6 +577,8 @@ return_normal:
+ if (kgdb_skipexception(ks->ex_vector, ks->linux_regs))
+ goto kgdb_restore;
+
++ atomic_inc(&ignore_console_lock_warning);
++
+ /* Call the I/O driver's pre_exception routine */
+ if (dbg_io_ops->pre_exception)
+ dbg_io_ops->pre_exception();
+@@ -649,6 +651,8 @@ cpu_master_loop:
+ if (dbg_io_ops->post_exception)
+ dbg_io_ops->post_exception();
+
++ atomic_dec(&ignore_console_lock_warning);
++
+ if (!kgdb_single_step) {
+ raw_spin_unlock(&dbg_slave_lock);
+ /* Wait till all the CPUs have quit from the debugger. */
+--
+2.25.1
+
--- /dev/null
+From 0158332aecf3d2a0b7aa78fdb400a9c9b188cdc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 17:42:23 +0100
+Subject: kgdb: Fix spurious true from in_dbg_master()
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit 3fec4aecb311995189217e64d725cfe84a568de3 ]
+
+Currently there is a small window where a badly timed migration could
+cause in_dbg_master() to spuriously return true. Specifically if we
+migrate to a new core after reading the processor id and the previous
+core takes a breakpoint then we will evaluate true if we read
+kgdb_active before we get the IPI to bring us to halt.
+
+Fix this by checking irqs_disabled() first. Interrupts are always
+disabled when we are executing the kgdb trap so this is an acceptable
+prerequisite. This also allows us to replace raw_smp_processor_id()
+with smp_processor_id() since the short circuit logic will prevent
+warnings from PREEMPT_DEBUG.
+
+Fixes: dcc7871128e9 ("kgdb: core changes to support kdb")
+Suggested-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20200506164223.2875760-1-daniel.thompson@linaro.org
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kgdb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
+index e465bb15912d..6be5545d3584 100644
+--- a/include/linux/kgdb.h
++++ b/include/linux/kgdb.h
+@@ -317,7 +317,7 @@ extern void gdbstub_exit(int status);
+ extern int kgdb_single_step;
+ extern atomic_t kgdb_active;
+ #define in_dbg_master() \
+- (raw_smp_processor_id() == atomic_read(&kgdb_active))
++ (irqs_disabled() && (smp_processor_id() == atomic_read(&kgdb_active)))
+ extern bool dbg_is_early;
+ extern void __init dbg_late_init(void);
+ #else /* ! CONFIG_KGDB */
+--
+2.25.1
+
--- /dev/null
+From 804b2c8af9fc170e9c950089e3ee86435129596d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 13:08:44 -0700
+Subject: kgdb: Prevent infinite recursive entries to the debugger
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 3ca676e4ca60d1834bb77535dafe24169cadacef ]
+
+If we detect that we recursively entered the debugger we should hack
+our I/O ops to NULL so that the panic() in the next line won't
+actually cause another recursion into the debugger. The first line of
+kgdb_panic() will check this and return.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20200507130644.v4.6.I89de39f68736c9de610e6f241e68d8dbc44bc266@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/debug_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index d2799767aab8..6a1dc2613bb9 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -444,6 +444,7 @@ static int kgdb_reenter_check(struct kgdb_state *ks)
+
+ if (exception_level > 1) {
+ dump_stack();
++ kgdb_io_module_registered = false;
+ panic("Recursive entry to debugger");
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 6c5af935bcb4222df93ac330005983bad80a39e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 14:47:04 -0700
+Subject: lib/mpi: Fix 64-bit MIPS build with Clang
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 18f1ca46858eac22437819937ae44aa9a8f9f2fa ]
+
+When building 64r6_defconfig with CONFIG_MIPS32_O32 disabled and
+CONFIG_CRYPTO_RSA enabled:
+
+lib/mpi/generic_mpih-mul1.c:37:24: error: invalid use of a cast in a
+inline asm context requiring an l-value: remove the cast
+or build with -fheinous-gnu-extensions
+ umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb);
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+lib/mpi/longlong.h:664:22: note: expanded from macro 'umul_ppmm'
+ : "=d" ((UDItype)(w0))
+ ~~~~~~~~~~^~~
+lib/mpi/generic_mpih-mul1.c:37:13: error: invalid use of a cast in a
+inline asm context requiring an l-value: remove the cast
+or build with -fheinous-gnu-extensions
+ umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb);
+ ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+lib/mpi/longlong.h:668:22: note: expanded from macro 'umul_ppmm'
+ : "=d" ((UDItype)(w1))
+ ~~~~~~~~~~^~~
+2 errors generated.
+
+This special case for umul_ppmm for MIPS64r6 was added in
+commit bbc25bee37d2b ("lib/mpi: Fix umul_ppmm() for MIPS64r6"), due to
+GCC being inefficient and emitting a __multi3 intrinsic.
+
+There is no such issue with clang; with this patch applied, I can build
+this configuration without any problems and there are no link errors
+like mentioned in the commit above (which I can still reproduce with
+GCC 9.3.0 when that commit is reverted). Only use this definition when
+GCC is being used.
+
+This really should have been caught by commit b0c091ae04f67 ("lib/mpi:
+Eliminate unused umul_ppmm definitions for MIPS") when I was messing
+around in this area but I was not testing 64-bit MIPS at the time.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/885
+Reported-by: Dmitry Golovin <dima@golovin.in>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/mpi/longlong.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h
+index e01b705556aa..6c5229f98c9e 100644
+--- a/lib/mpi/longlong.h
++++ b/lib/mpi/longlong.h
+@@ -671,7 +671,7 @@ do { \
+ ************** MIPS/64 **************
+ ***************************************/
+ #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64
+-#if defined(__mips_isa_rev) && __mips_isa_rev >= 6
++#if defined(__mips_isa_rev) && __mips_isa_rev >= 6 && defined(CONFIG_CC_IS_GCC)
+ /*
+ * GCC ends up emitting a __multi3 intrinsic call for MIPS64r6 with the plain C
+ * code below, so we special case MIPS64r6 until the compiler can do better.
+--
+2.25.1
+
--- /dev/null
+From fb6aa3f6caf8700bb4d29bee7005c6bcb5449da4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2020 14:32:02 +1000
+Subject: m68k: mac: Don't call via_flush_cache() on Mac IIfx
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit bcc44f6b74106b31f0b0408b70305a40360d63b7 ]
+
+There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache().
+This avoids a boot crash which appeared in v5.4.
+
+printk: console [ttyS0] enabled
+printk: bootconsole [debug0] disabled
+printk: bootconsole [debug0] disabled
+Calibrating delay loop... 9.61 BogoMIPS (lpj=48064)
+pid_max: default: 32768 minimum: 301
+Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
+Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
+devtmpfs: initialized
+random: get_random_u32 called from bucket_table_alloc.isra.27+0x68/0x194 with crng_init=0
+clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
+futex hash table entries: 256 (order: -1, 3072 bytes, linear)
+NET: Registered protocol family 16
+Data read fault at 0x00000000 in Super Data (pc=0x8a6a)
+BAD KERNEL BUSERR
+Oops: 00000000
+Modules linked in:
+PC: [<00008a6a>] via_flush_cache+0x12/0x2c
+SR: 2700 SP: 01c1fe3c a2: 01c24000
+d0: 00001119 d1: 0000000c d2: 00012000 d3: 0000000f
+d4: 01c06840 d5: 00033b92 a0: 00000000 a1: 00000000
+Process swapper (pid: 1, task=01c24000)
+Frame format=B ssw=0755 isc=0200 isb=fff7 daddr=00000000 dobuf=01c1fed0
+baddr=00008a6e dibuf=0000004e ver=f
+Stack from 01c1fec4:
+ 01c1fed0 00007d7e 00010080 01c1fedc 0000792e 00000001 01c1fef4 00006b40
+ 01c80000 00040000 00000006 00000003 01c1ff1c 004a545e 004ff200 00040000
+ 00000000 00000003 01c06840 00033b92 004a5410 004b6c88 01c1ff84 000021e2
+ 00000073 00000003 01c06840 00033b92 0038507a 004bb094 004b6ca8 004b6c88
+ 004b6ca4 004b6c88 000021ae 00020002 00000000 01c0685d 00000000 01c1ffb4
+ 0049f938 00409c85 01c06840 0045bd40 00000073 00000002 00000002 00000000
+Call Trace: [<00007d7e>] mac_cache_card_flush+0x12/0x1c
+ [<00010080>] fix_dnrm+0x2/0x18
+ [<0000792e>] cache_push+0x46/0x5a
+ [<00006b40>] arch_dma_prep_coherent+0x60/0x6e
+ [<00040000>] switched_to_dl+0x76/0xd0
+ [<004a545e>] dma_atomic_pool_init+0x4e/0x188
+ [<00040000>] switched_to_dl+0x76/0xd0
+ [<00033b92>] parse_args+0x0/0x370
+ [<004a5410>] dma_atomic_pool_init+0x0/0x188
+ [<000021e2>] do_one_initcall+0x34/0x1be
+ [<00033b92>] parse_args+0x0/0x370
+ [<0038507a>] strcpy+0x0/0x1e
+ [<000021ae>] do_one_initcall+0x0/0x1be
+ [<00020002>] do_proc_dointvec_conv+0x54/0x74
+ [<0049f938>] kernel_init_freeable+0x126/0x190
+ [<0049f94c>] kernel_init_freeable+0x13a/0x190
+ [<004a5410>] dma_atomic_pool_init+0x0/0x188
+ [<00041798>] complete+0x0/0x3c
+ [<000b9b0c>] kfree+0x0/0x20a
+ [<0038df98>] schedule+0x0/0xd0
+ [<0038d604>] kernel_init+0x0/0xda
+ [<0038d610>] kernel_init+0xc/0xda
+ [<0038d604>] kernel_init+0x0/0xda
+ [<00002d38>] ret_from_kernel_thread+0xc/0x14
+Code: 0000 2079 0048 10da 2279 0048 10c8 d3c8 <1011> 0200 fff7 1280 d1f9 0048 10c8 1010 0000 0008 1080 4e5e 4e75 4e56 0000 2039
+Disabling lock debugging due to kernel taint
+Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+Thanks to Stan Johnson for capturing the console log and running git
+bisect.
+
+Git bisect said commit 8e3a68fb55e0 ("dma-mapping: make
+dma_atomic_pool_init self-contained") is the first "bad" commit. I don't
+know why. Perhaps mach_l2_flush first became reachable with that commit.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Cc: Joshua Thompson <funaho@jurai.org>
+Link: https://lore.kernel.org/r/b8bbeef197d6b3898e82ed0d231ad08f575a4b34.1589949122.git.fthain@telegraphics.com.au
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/mac_via.h | 1 +
+ arch/m68k/mac/config.c | 21 ++-------------------
+ arch/m68k/mac/via.c | 6 +++++-
+ 3 files changed, 8 insertions(+), 20 deletions(-)
+
+diff --git a/arch/m68k/include/asm/mac_via.h b/arch/m68k/include/asm/mac_via.h
+index de1470c4d829..1149251ea58d 100644
+--- a/arch/m68k/include/asm/mac_via.h
++++ b/arch/m68k/include/asm/mac_via.h
+@@ -257,6 +257,7 @@ extern int rbv_present,via_alt_mapping;
+
+ struct irq_desc;
+
++extern void via_l2_flush(int writeback);
+ extern void via_register_interrupts(void);
+ extern void via_irq_enable(int);
+ extern void via_irq_disable(int);
+diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
+index cd9317d53276..a4f91bea6c88 100644
+--- a/arch/m68k/mac/config.c
++++ b/arch/m68k/mac/config.c
+@@ -61,7 +61,6 @@ extern void iop_preinit(void);
+ extern void iop_init(void);
+ extern void via_init(void);
+ extern void via_init_clock(irq_handler_t func);
+-extern void via_flush_cache(void);
+ extern void oss_init(void);
+ extern void psc_init(void);
+ extern void baboon_init(void);
+@@ -132,21 +131,6 @@ int __init mac_parse_bootinfo(const struct bi_record *record)
+ return unknown;
+ }
+
+-/*
+- * Flip into 24bit mode for an instant - flushes the L2 cache card. We
+- * have to disable interrupts for this. Our IRQ handlers will crap
+- * themselves if they take an IRQ in 24bit mode!
+- */
+-
+-static void mac_cache_card_flush(int writeback)
+-{
+- unsigned long flags;
+-
+- local_irq_save(flags);
+- via_flush_cache();
+- local_irq_restore(flags);
+-}
+-
+ void __init config_mac(void)
+ {
+ if (!MACH_IS_MAC)
+@@ -178,9 +162,8 @@ void __init config_mac(void)
+ * not.
+ */
+
+- if (macintosh_config->ident == MAC_MODEL_IICI
+- || macintosh_config->ident == MAC_MODEL_IIFX)
+- mach_l2_flush = mac_cache_card_flush;
++ if (macintosh_config->ident == MAC_MODEL_IICI)
++ mach_l2_flush = via_l2_flush;
+ }
+
+
+diff --git a/arch/m68k/mac/via.c b/arch/m68k/mac/via.c
+index 038d5a1c4d48..8307da441a10 100644
+--- a/arch/m68k/mac/via.c
++++ b/arch/m68k/mac/via.c
+@@ -289,10 +289,14 @@ void via_debug_dump(void)
+ * the system into 24-bit mode for an instant.
+ */
+
+-void via_flush_cache(void)
++void via_l2_flush(int writeback)
+ {
++ unsigned long flags;
++
++ local_irq_save(flags);
+ via2[gBufB] &= ~VIA2B_vMode32;
+ via2[gBufB] |= VIA2B_vMode32;
++ local_irq_restore(flags);
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From f6b56c835d60a45418b624a306dfe1d23190c858 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 14:27:51 +0200
+Subject: macvlan: Skip loopback packets in RX handler
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+[ Upstream commit 81f3dc9349ce0bf7b8447f147f45e70f0a5b36a6 ]
+
+Ignore loopback-originatig packets soon enough and don't try to process L2
+header where it doesn't exist. The very similar br_handle_frame() in bridge
+code performs exactly the same check.
+
+This is an example of such ICMPv6 packet:
+
+skb len=96 headroom=40 headlen=96 tailroom=56
+mac=(40,0) net=(40,40) trans=80
+shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
+csum(0xae2e9a2f ip_summed=1 complete_sw=0 valid=0 level=0)
+hash(0xc97ebd88 sw=1 l4=1) proto=0x86dd pkttype=5 iif=24
+dev name=etha01.212 feat=0x0x0000000040005000
+skb headroom: 00000000: 00 7c 86 52 84 88 ff ff 00 00 00 00 00 00 08 00
+skb headroom: 00000010: 45 00 00 9e 5d 5c 40 00 40 11 33 33 00 00 00 01
+skb headroom: 00000020: 02 40 43 80 00 00 86 dd
+skb linear: 00000000: 60 09 88 bd 00 38 3a ff fe 80 00 00 00 00 00 00
+skb linear: 00000010: 00 40 43 ff fe 80 00 00 ff 02 00 00 00 00 00 00
+skb linear: 00000020: 00 00 00 00 00 00 00 01 86 00 61 00 40 00 00 2d
+skb linear: 00000030: 00 00 00 00 00 00 00 00 03 04 40 e0 00 00 01 2c
+skb linear: 00000040: 00 00 00 78 00 00 00 00 fd 5f 42 68 23 87 a8 81
+skb linear: 00000050: 00 00 00 00 00 00 00 00 01 01 02 40 43 80 00 00
+skb tailroom: 00000000: ...
+skb tailroom: 00000010: ...
+skb tailroom: 00000020: ...
+skb tailroom: 00000030: ...
+
+Call Trace, how it happens exactly:
+ ...
+ macvlan_handle_frame+0x321/0x425 [macvlan]
+ ? macvlan_forward_source+0x110/0x110 [macvlan]
+ __netif_receive_skb_core+0x545/0xda0
+ ? enqueue_task_fair+0xe5/0x8e0
+ ? __netif_receive_skb_one_core+0x36/0x70
+ __netif_receive_skb_one_core+0x36/0x70
+ process_backlog+0x97/0x140
+ net_rx_action+0x1eb/0x350
+ ? __hrtimer_run_queues+0x136/0x2e0
+ __do_softirq+0xe3/0x383
+ do_softirq_own_stack+0x2a/0x40
+ </IRQ>
+ do_softirq.part.4+0x4e/0x50
+ netif_rx_ni+0x60/0xd0
+ dev_loopback_xmit+0x83/0xf0
+ ip6_finish_output2+0x575/0x590 [ipv6]
+ ? ip6_cork_release.isra.1+0x64/0x90 [ipv6]
+ ? __ip6_make_skb+0x38d/0x680 [ipv6]
+ ? ip6_output+0x6c/0x140 [ipv6]
+ ip6_output+0x6c/0x140 [ipv6]
+ ip6_send_skb+0x1e/0x60 [ipv6]
+ rawv6_sendmsg+0xc4b/0xe10 [ipv6]
+ ? proc_put_long+0xd0/0xd0
+ ? rw_copy_check_uvector+0x4e/0x110
+ ? sock_sendmsg+0x36/0x40
+ sock_sendmsg+0x36/0x40
+ ___sys_sendmsg+0x2b6/0x2d0
+ ? proc_dointvec+0x23/0x30
+ ? addrconf_sysctl_forward+0x8d/0x250 [ipv6]
+ ? dev_forward_change+0x130/0x130 [ipv6]
+ ? _raw_spin_unlock+0x12/0x30
+ ? proc_sys_call_handler.isra.14+0x9f/0x110
+ ? __call_rcu+0x213/0x510
+ ? get_max_files+0x10/0x10
+ ? trace_hardirqs_on+0x2c/0xe0
+ ? __sys_sendmsg+0x63/0xa0
+ __sys_sendmsg+0x63/0xa0
+ do_syscall_64+0x6c/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 225bfc808112..349123592af0 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -451,6 +451,10 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
+ int ret;
+ rx_handler_result_t handle_res;
+
++ /* Packets from dev_loopback_xmit() do not have L2 header, bail out */
++ if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
++ return RX_HANDLER_PASS;
++
+ port = macvlan_port_get_rcu(skb->dev);
+ if (is_multicast_ether_addr(eth->h_dest)) {
+ unsigned int hash;
+--
+2.25.1
+
--- /dev/null
+From 5e725f149b4914dc77160ffc48fe14ad3e996886 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2020 23:57:09 +0200
+Subject: md: don't flush workqueue unconditionally in md_open
+
+From: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+
+[ Upstream commit f6766ff6afff70e2aaf39e1511e16d471de7c3ae ]
+
+We need to check mddev->del_work before flush workqueu since the purpose
+of flush is to ensure the previous md is disappeared. Otherwise the similar
+deadlock appeared if LOCKDEP is enabled, it is due to md_open holds the
+bdev->bd_mutex before flush workqueue.
+
+kernel: [ 154.522645] ======================================================
+kernel: [ 154.522647] WARNING: possible circular locking dependency detected
+kernel: [ 154.522650] 5.6.0-rc7-lp151.27-default #25 Tainted: G O
+kernel: [ 154.522651] ------------------------------------------------------
+kernel: [ 154.522653] mdadm/2482 is trying to acquire lock:
+kernel: [ 154.522655] ffff888078529128 ((wq_completion)md_misc){+.+.}, at: flush_workqueue+0x84/0x4b0
+kernel: [ 154.522673]
+kernel: [ 154.522673] but task is already holding lock:
+kernel: [ 154.522675] ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
+kernel: [ 154.522691]
+kernel: [ 154.522691] which lock already depends on the new lock.
+kernel: [ 154.522691]
+kernel: [ 154.522694]
+kernel: [ 154.522694] the existing dependency chain (in reverse order) is:
+kernel: [ 154.522696]
+kernel: [ 154.522696] -> #4 (&bdev->bd_mutex){+.+.}:
+kernel: [ 154.522704] __mutex_lock+0x87/0x950
+kernel: [ 154.522706] __blkdev_get+0x79/0x590
+kernel: [ 154.522708] blkdev_get+0x65/0x140
+kernel: [ 154.522709] blkdev_get_by_dev+0x2f/0x40
+kernel: [ 154.522716] lock_rdev+0x3d/0x90 [md_mod]
+kernel: [ 154.522719] md_import_device+0xd6/0x1b0 [md_mod]
+kernel: [ 154.522723] new_dev_store+0x15e/0x210 [md_mod]
+kernel: [ 154.522728] md_attr_store+0x7a/0xc0 [md_mod]
+kernel: [ 154.522732] kernfs_fop_write+0x117/0x1b0
+kernel: [ 154.522735] vfs_write+0xad/0x1a0
+kernel: [ 154.522737] ksys_write+0xa4/0xe0
+kernel: [ 154.522745] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522748] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522749]
+kernel: [ 154.522749] -> #3 (&mddev->reconfig_mutex){+.+.}:
+kernel: [ 154.522752] __mutex_lock+0x87/0x950
+kernel: [ 154.522756] new_dev_store+0xc9/0x210 [md_mod]
+kernel: [ 154.522759] md_attr_store+0x7a/0xc0 [md_mod]
+kernel: [ 154.522761] kernfs_fop_write+0x117/0x1b0
+kernel: [ 154.522763] vfs_write+0xad/0x1a0
+kernel: [ 154.522765] ksys_write+0xa4/0xe0
+kernel: [ 154.522767] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522769] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522770]
+kernel: [ 154.522770] -> #2 (kn->count#253){++++}:
+kernel: [ 154.522775] __kernfs_remove+0x253/0x2c0
+kernel: [ 154.522778] kernfs_remove+0x1f/0x30
+kernel: [ 154.522780] kobject_del+0x28/0x60
+kernel: [ 154.522783] mddev_delayed_delete+0x24/0x30 [md_mod]
+kernel: [ 154.522786] process_one_work+0x2a7/0x5f0
+kernel: [ 154.522788] worker_thread+0x2d/0x3d0
+kernel: [ 154.522793] kthread+0x117/0x130
+kernel: [ 154.522795] ret_from_fork+0x3a/0x50
+kernel: [ 154.522796]
+kernel: [ 154.522796] -> #1 ((work_completion)(&mddev->del_work)){+.+.}:
+kernel: [ 154.522800] process_one_work+0x27e/0x5f0
+kernel: [ 154.522802] worker_thread+0x2d/0x3d0
+kernel: [ 154.522804] kthread+0x117/0x130
+kernel: [ 154.522806] ret_from_fork+0x3a/0x50
+kernel: [ 154.522807]
+kernel: [ 154.522807] -> #0 ((wq_completion)md_misc){+.+.}:
+kernel: [ 154.522813] __lock_acquire+0x1392/0x1690
+kernel: [ 154.522816] lock_acquire+0xb4/0x1a0
+kernel: [ 154.522818] flush_workqueue+0xab/0x4b0
+kernel: [ 154.522821] md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522823] __blkdev_get+0xea/0x590
+kernel: [ 154.522825] blkdev_get+0x65/0x140
+kernel: [ 154.522828] do_dentry_open+0x1d1/0x380
+kernel: [ 154.522831] path_openat+0x567/0xcc0
+kernel: [ 154.522834] do_filp_open+0x9b/0x110
+kernel: [ 154.522836] do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522838] do_sys_open+0x57/0x80
+kernel: [ 154.522840] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522842] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522844]
+kernel: [ 154.522844] other info that might help us debug this:
+kernel: [ 154.522844]
+kernel: [ 154.522846] Chain exists of:
+kernel: [ 154.522846] (wq_completion)md_misc --> &mddev->reconfig_mutex --> &bdev->bd_mutex
+kernel: [ 154.522846]
+kernel: [ 154.522850] Possible unsafe locking scenario:
+kernel: [ 154.522850]
+kernel: [ 154.522852] CPU0 CPU1
+kernel: [ 154.522853] ---- ----
+kernel: [ 154.522854] lock(&bdev->bd_mutex);
+kernel: [ 154.522856] lock(&mddev->reconfig_mutex);
+kernel: [ 154.522858] lock(&bdev->bd_mutex);
+kernel: [ 154.522860] lock((wq_completion)md_misc);
+kernel: [ 154.522861]
+kernel: [ 154.522861] *** DEADLOCK ***
+kernel: [ 154.522861]
+kernel: [ 154.522864] 1 lock held by mdadm/2482:
+kernel: [ 154.522865] #0: ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
+kernel: [ 154.522868]
+kernel: [ 154.522868] stack backtrace:
+kernel: [ 154.522873] CPU: 1 PID: 2482 Comm: mdadm Tainted: G O 5.6.0-rc7-lp151.27-default #25
+kernel: [ 154.522875] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+kernel: [ 154.522878] Call Trace:
+kernel: [ 154.522881] dump_stack+0x8f/0xcb
+kernel: [ 154.522884] check_noncircular+0x194/0x1b0
+kernel: [ 154.522888] ? __lock_acquire+0x1392/0x1690
+kernel: [ 154.522890] __lock_acquire+0x1392/0x1690
+kernel: [ 154.522893] lock_acquire+0xb4/0x1a0
+kernel: [ 154.522895] ? flush_workqueue+0x84/0x4b0
+kernel: [ 154.522898] flush_workqueue+0xab/0x4b0
+kernel: [ 154.522900] ? flush_workqueue+0x84/0x4b0
+kernel: [ 154.522905] ? md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522908] md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522910] __blkdev_get+0xea/0x590
+kernel: [ 154.522912] ? bd_acquire+0xc0/0xc0
+kernel: [ 154.522914] blkdev_get+0x65/0x140
+kernel: [ 154.522916] ? bd_acquire+0xc0/0xc0
+kernel: [ 154.522918] do_dentry_open+0x1d1/0x380
+kernel: [ 154.522921] path_openat+0x567/0xcc0
+kernel: [ 154.522923] ? __lock_acquire+0x380/0x1690
+kernel: [ 154.522926] do_filp_open+0x9b/0x110
+kernel: [ 154.522929] ? __alloc_fd+0xe5/0x1f0
+kernel: [ 154.522935] ? kmem_cache_alloc+0x28c/0x630
+kernel: [ 154.522939] ? do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522941] do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522944] do_sys_open+0x57/0x80
+kernel: [ 154.522946] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522948] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522951] RIP: 0033:0x7f98d279d9ae
+
+And md_alloc also flushed the same workqueue, but the thing is different
+here. Because all the paths call md_alloc don't hold bdev->bd_mutex, and
+the flush is necessary to avoid race condition, so leave it as it is.
+
+Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 9426976e0860..a6db4fd267aa 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7438,7 +7438,8 @@ static int md_open(struct block_device *bdev, fmode_t mode)
+ */
+ mddev_put(mddev);
+ /* Wait until bdev->bd_disk is definitely gone */
+- flush_workqueue(md_misc_wq);
++ if (work_pending(&mddev->del_work))
++ flush_workqueue(md_misc_wq);
+ /* Then retry the open from the top */
+ return -ERESTARTSYS;
+ }
+--
+2.25.1
+
--- /dev/null
+From 0b97969daa2fd4317683e170aeadd74d08784bf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 10:25:56 +0200
+Subject: media: cec: silence shift wrapping warning in __cec_s_log_addrs()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 3b5af3171e2d5a73ae6f04965ed653d039904eb6 ]
+
+The log_addrs->log_addr_type[i] value is a u8 which is controlled by
+the user and comes from the ioctl. If it's over 31 then that results in
+undefined behavior (shift wrapping) and that leads to a Smatch static
+checker warning. We already cap the value later so we can silence the
+warning just by re-ordering the existing checks.
+
+I think the UBSan checker will also catch this bug at runtime and
+generate a warning. But otherwise the bug is harmless.
+
+Fixes: 9881fe0ca187 ("[media] cec: add HDMI CEC framework (adapter)")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/cec/cec-adap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c
+index ba7e976bf6dc..60b20ae02b05 100644
+--- a/drivers/media/cec/cec-adap.c
++++ b/drivers/media/cec/cec-adap.c
+@@ -1668,6 +1668,10 @@ int __cec_s_log_addrs(struct cec_adapter *adap,
+ unsigned j;
+
+ log_addrs->log_addr[i] = CEC_LOG_ADDR_INVALID;
++ if (log_addrs->log_addr_type[i] > CEC_LOG_ADDR_TYPE_UNREGISTERED) {
++ dprintk(1, "unknown logical address type\n");
++ return -EINVAL;
++ }
+ if (type_mask & (1 << log_addrs->log_addr_type[i])) {
+ dprintk(1, "duplicate logical address type\n");
+ return -EINVAL;
+@@ -1688,10 +1692,6 @@ int __cec_s_log_addrs(struct cec_adapter *adap,
+ dprintk(1, "invalid primary device type\n");
+ return -EINVAL;
+ }
+- if (log_addrs->log_addr_type[i] > CEC_LOG_ADDR_TYPE_UNREGISTERED) {
+- dprintk(1, "unknown logical address type\n");
+- return -EINVAL;
+- }
+ for (j = 0; j < feature_sz; j++) {
+ if ((features[j] & 0x80) == 0) {
+ if (op_is_dev_features)
+--
+2.25.1
+
--- /dev/null
+From bcff98838ffcf013802755e8b0457acd117ffac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2020 18:51:33 +0100
+Subject: media: dvb: return -EREMOTEIO on i2c transfer failure.
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 96f3a9392799dd0f6472648a7366622ffd0989f3 ]
+
+Currently when i2c transfers fail the error return -EREMOTEIO
+is assigned to err but then later overwritten when the tuner
+attach call is made. Fix this by returning early with the
+error return code -EREMOTEIO on i2c transfer failure errors.
+
+If the transfer fails, an uninitialized value will be read from b2.
+
+Addresses-Coverity: ("Unused value")
+
+Fixes: fbfee8684ff2 ("V4L/DVB (5651): Dibusb-mb: convert pll handling to properly use dvb-pll")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dibusb-mb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dibusb-mb.c b/drivers/media/usb/dvb-usb/dibusb-mb.c
+index 408920577716..94f59c7765dc 100644
+--- a/drivers/media/usb/dvb-usb/dibusb-mb.c
++++ b/drivers/media/usb/dvb-usb/dibusb-mb.c
+@@ -84,7 +84,7 @@ static int dibusb_tuner_probe_and_attach(struct dvb_usb_adapter *adap)
+
+ if (i2c_transfer(&adap->dev->i2c_adap, msg, 2) != 2) {
+ err("tuner i2c write failed.");
+- ret = -EREMOTEIO;
++ return -EREMOTEIO;
+ }
+
+ if (adap->fe_adap[0].fe->ops.i2c_gate_ctrl)
+--
+2.25.1
+
--- /dev/null
+From 86cc1526f20f05f8bc0e4dc368f613dd0dcc41d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2020 17:44:17 +0200
+Subject: media: platform: fcp: Set appropriate DMA parameters
+
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+
+[ Upstream commit dd844fb8e50b12e65bbdc5746c9876c6735500df ]
+
+Enabling CONFIG_DMA_API_DEBUG=y and CONFIG_DMA_API_DEBUG_SG=y will
+enable extra validation on DMA operations ensuring that the size
+restraints are met.
+
+When using the FCP in conjunction with the VSP1/DU, and display frames,
+the size of the DMA operations is larger than the default maximum
+segment size reported by the DMA core (64K). With the DMA debug enabled,
+this produces a warning such as the following:
+
+"DMA-API: rcar-fcp fea27000.fcp: mapping sg segment longer than device
+claims to support [len=3145728] [max=65536]"
+
+We have no specific limitation on the segment size which isn't already
+handled by the VSP1/DU which actually handles the DMA allcoations and
+buffer management, so define a maximum segment size of up to 4GB (a 32
+bit mask).
+
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Fixes: 7b49235e83b2 ("[media] v4l: Add Renesas R-Car FCP driver")
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-fcp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/rcar-fcp.c b/drivers/media/platform/rcar-fcp.c
+index 43c78620c9d8..5c6b00737fe7 100644
+--- a/drivers/media/platform/rcar-fcp.c
++++ b/drivers/media/platform/rcar-fcp.c
+@@ -8,6 +8,7 @@
+ */
+
+ #include <linux/device.h>
++#include <linux/dma-mapping.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
+ #include <linux/mod_devicetable.h>
+@@ -21,6 +22,7 @@
+ struct rcar_fcp_device {
+ struct list_head list;
+ struct device *dev;
++ struct device_dma_parameters dma_parms;
+ };
+
+ static LIST_HEAD(fcp_devices);
+@@ -136,6 +138,9 @@ static int rcar_fcp_probe(struct platform_device *pdev)
+
+ fcp->dev = &pdev->dev;
+
++ fcp->dev->dma_parms = &fcp->dma_parms;
++ dma_set_max_seg_size(fcp->dev, DMA_BIT_MASK(32));
++
+ pm_runtime_enable(&pdev->dev);
+
+ mutex_lock(&fcp_lock);
+--
+2.25.1
+
--- /dev/null
+From 59133ccb8c2cccaa63f1971b72273f998a6e48f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 21:03:57 +0100
+Subject: media: si2157: Better check for running tuner in init
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit e955f959ac52e145f27ff2be9078b646d0352af0 ]
+
+Getting the Xtal trim property to check if running is less error prone.
+Reset if_frequency if state is unknown.
+
+Replaces the previous "garbage check".
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/si2157.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
+index a08d8fe2bb1b..13770b038048 100644
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -84,24 +84,23 @@ static int si2157_init(struct dvb_frontend *fe)
+ struct si2157_cmd cmd;
+ const struct firmware *fw;
+ const char *fw_name;
+- unsigned int uitmp, chip_id;
++ unsigned int chip_id, xtal_trim;
+
+ dev_dbg(&client->dev, "\n");
+
+- /* Returned IF frequency is garbage when firmware is not running */
+- memcpy(cmd.args, "\x15\x00\x06\x07", 4);
++ /* Try to get Xtal trim property, to verify tuner still running */
++ memcpy(cmd.args, "\x15\x00\x04\x02", 4);
+ cmd.wlen = 4;
+ cmd.rlen = 4;
+ ret = si2157_cmd_execute(client, &cmd);
+- if (ret)
+- goto err;
+
+- uitmp = cmd.args[2] << 0 | cmd.args[3] << 8;
+- dev_dbg(&client->dev, "if_frequency kHz=%u\n", uitmp);
++ xtal_trim = cmd.args[2] | (cmd.args[3] << 8);
+
+- if (uitmp == dev->if_frequency / 1000)
++ if (ret == 0 && xtal_trim < 16)
+ goto warm;
+
++ dev->if_frequency = 0; /* we no longer know current tuner state */
++
+ /* power up */
+ if (dev->chiptype == SI2157_CHIPTYPE_SI2146) {
+ memcpy(cmd.args, "\xc0\x05\x01\x00\x00\x0b\x00\x00\x01", 9);
+--
+2.25.1
+
--- /dev/null
+From bb0438a633ffaf251942b770ec0fd87aa0d2aed1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 17:07:22 +0300
+Subject: mips: Add udelay lpj numbers adjustment
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit ed26aacfb5f71eecb20a51c4467da440cb719d66 ]
+
+Loops-per-jiffies is a special number which represents a number of
+noop-loop cycles per CPU-scheduler quantum - jiffies. As you
+understand aside from CPU-specific implementation it depends on
+the CPU frequency. So when a platform has the CPU frequency fixed,
+we have no problem and the current udelay interface will work
+just fine. But as soon as CPU-freq driver is enabled and the cores
+frequency changes, we'll end up with distorted udelay's. In order
+to fix this we have to accordinly adjust the per-CPU udelay_val
+(the same as the global loops_per_jiffy) number. This can be done
+in the CPU-freq transition event handler. We subscribe to that event
+in the MIPS arch time-inititalization method.
+
+Co-developed-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/time.c | 70 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 70 insertions(+)
+
+diff --git a/arch/mips/kernel/time.c b/arch/mips/kernel/time.c
+index bfe02ded25d1..1e631a484ddf 100644
+--- a/arch/mips/kernel/time.c
++++ b/arch/mips/kernel/time.c
+@@ -22,12 +22,82 @@
+ #include <linux/smp.h>
+ #include <linux/spinlock.h>
+ #include <linux/export.h>
++#include <linux/cpufreq.h>
++#include <linux/delay.h>
+
+ #include <asm/cpu-features.h>
+ #include <asm/cpu-type.h>
+ #include <asm/div64.h>
+ #include <asm/time.h>
+
++#ifdef CONFIG_CPU_FREQ
++
++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref);
++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref_freq);
++static unsigned long glb_lpj_ref;
++static unsigned long glb_lpj_ref_freq;
++
++static int cpufreq_callback(struct notifier_block *nb,
++ unsigned long val, void *data)
++{
++ struct cpufreq_freqs *freq = data;
++ struct cpumask *cpus = freq->policy->cpus;
++ unsigned long lpj;
++ int cpu;
++
++ /*
++ * Skip lpj numbers adjustment if the CPU-freq transition is safe for
++ * the loops delay. (Is this possible?)
++ */
++ if (freq->flags & CPUFREQ_CONST_LOOPS)
++ return NOTIFY_OK;
++
++ /* Save the initial values of the lpjes for future scaling. */
++ if (!glb_lpj_ref) {
++ glb_lpj_ref = boot_cpu_data.udelay_val;
++ glb_lpj_ref_freq = freq->old;
++
++ for_each_online_cpu(cpu) {
++ per_cpu(pcp_lpj_ref, cpu) =
++ cpu_data[cpu].udelay_val;
++ per_cpu(pcp_lpj_ref_freq, cpu) = freq->old;
++ }
++ }
++
++ /*
++ * Adjust global lpj variable and per-CPU udelay_val number in
++ * accordance with the new CPU frequency.
++ */
++ if ((val == CPUFREQ_PRECHANGE && freq->old < freq->new) ||
++ (val == CPUFREQ_POSTCHANGE && freq->old > freq->new)) {
++ loops_per_jiffy = cpufreq_scale(glb_lpj_ref,
++ glb_lpj_ref_freq,
++ freq->new);
++
++ for_each_cpu(cpu, cpus) {
++ lpj = cpufreq_scale(per_cpu(pcp_lpj_ref, cpu),
++ per_cpu(pcp_lpj_ref_freq, cpu),
++ freq->new);
++ cpu_data[cpu].udelay_val = (unsigned int)lpj;
++ }
++ }
++
++ return NOTIFY_OK;
++}
++
++static struct notifier_block cpufreq_notifier = {
++ .notifier_call = cpufreq_callback,
++};
++
++static int __init register_cpufreq_notifier(void)
++{
++ return cpufreq_register_notifier(&cpufreq_notifier,
++ CPUFREQ_TRANSITION_NOTIFIER);
++}
++core_initcall(register_cpufreq_notifier);
++
++#endif /* CONFIG_CPU_FREQ */
++
+ /*
+ * forward reference
+ */
+--
+2.25.1
+
--- /dev/null
+From 1a4037f09e3f7a04513ab22c80b81d4cca3893a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 20:42:22 +0300
+Subject: mips: cm: Fix an invalid error code of INTVN_*_ERR
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 8a0efb8b101665a843205eab3d67ab09cb2d9a8d ]
+
+Commit 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache
+errors") adds cm2_causes[] array with map of error type ID and
+pointers to the short description string. There is a mistake in
+the table, since according to MIPS32 manual CM2_ERROR_TYPE = {17,18}
+correspond to INTVN_WR_ERR and INTVN_RD_ERR, while the table
+claims they have {0x17,0x18} codes. This is obviously hex-dec
+copy-paste bug. Moreover codes {0x18 - 0x1a} indicate L2 ECC errors.
+
+Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-pm@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/mips-cm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
+index 7f3f136572de..50d3d74001cb 100644
+--- a/arch/mips/kernel/mips-cm.c
++++ b/arch/mips/kernel/mips-cm.c
+@@ -123,9 +123,9 @@ static char *cm2_causes[32] = {
+ "COH_RD_ERR", "MMIO_WR_ERR", "MMIO_RD_ERR", "0x07",
+ "0x08", "0x09", "0x0a", "0x0b",
+ "0x0c", "0x0d", "0x0e", "0x0f",
+- "0x10", "0x11", "0x12", "0x13",
+- "0x14", "0x15", "0x16", "INTVN_WR_ERR",
+- "INTVN_RD_ERR", "0x19", "0x1a", "0x1b",
++ "0x10", "INTVN_WR_ERR", "INTVN_RD_ERR", "0x13",
++ "0x14", "0x15", "0x16", "0x17",
++ "0x18", "0x19", "0x1a", "0x1b",
+ "0x1c", "0x1d", "0x1e", "0x1f"
+ };
+
+--
+2.25.1
+
--- /dev/null
+From e593230bc53ae07419ae9043a1ccc57d05b4a90f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2020 14:11:30 +0800
+Subject: MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe()
+
+From: YuanJunQing <yuanjunqing66@163.com>
+
+[ Upstream commit 31e1b3efa802f97a17628dde280006c4cee4ce5e ]
+
+Register "a1" is unsaved in this function,
+ when CONFIG_TRACE_IRQFLAGS is enabled,
+ the TRACE_IRQS_OFF macro will call trace_hardirqs_off(),
+ and this may change register "a1".
+ The changed register "a1" as argument will be send
+ to do_fpe() and do_msa_fpe().
+
+Signed-off-by: YuanJunQing <yuanjunqing66@163.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/genex.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/genex.S b/arch/mips/kernel/genex.S
+index 6c257b52f57f..7fad007fe025 100644
+--- a/arch/mips/kernel/genex.S
++++ b/arch/mips/kernel/genex.S
+@@ -477,20 +477,20 @@ NESTED(nmi_handler, PT_SIZE, sp)
+ .endm
+
+ .macro __build_clear_fpe
++ CLI
++ TRACE_IRQS_OFF
+ .set push
+ /* gas fails to assemble cfc1 for some archs (octeon).*/ \
+ .set mips1
+ SET_HARDFLOAT
+ cfc1 a1, fcr31
+ .set pop
+- CLI
+- TRACE_IRQS_OFF
+ .endm
+
+ .macro __build_clear_msa_fpe
+- _cfcmsa a1, MSA_CSR
+ CLI
+ TRACE_IRQS_OFF
++ _cfcmsa a1, MSA_CSR
+ .endm
+
+ .macro __build_clear_ade
+--
+2.25.1
+
--- /dev/null
+From d1e88ad37541468fe2f5d60d145cf29182e1fab7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 May 2020 10:15:48 +0800
+Subject: MIPS: Loongson: Build ATI Radeon GPU driver as module
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit a44de7497f91834df0b8b6d459e259788ba66794 ]
+
+When ATI Radeon GPU driver has been compiled directly into the kernel
+instead of as a module, we should make sure the firmware for the model
+(check available ones in /lib/firmware/radeon) is built-in to the kernel
+as well, otherwise there exists the following fatal error during GPU init,
+change CONFIG_DRM_RADEON=y to CONFIG_DRM_RADEON=m to fix it.
+
+[ 1.900997] [drm] Loading RS780 Microcode
+[ 1.905077] radeon 0000:01:05.0: Direct firmware load for radeon/RS780_pfp.bin failed with error -2
+[ 1.914140] r600_cp: Failed to load firmware "radeon/RS780_pfp.bin"
+[ 1.920405] [drm:r600_init] *ERROR* Failed to load firmware!
+[ 1.926069] radeon 0000:01:05.0: Fatal error during GPU init
+[ 1.931729] [drm] radeon: finishing device.
+
+Fixes: 024e6a8b5bb1 ("MIPS: Loongson: Add a Loongson-3 default config file")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/configs/loongson3_defconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/configs/loongson3_defconfig b/arch/mips/configs/loongson3_defconfig
+index 324dfee23dfb..c871e40b8878 100644
+--- a/arch/mips/configs/loongson3_defconfig
++++ b/arch/mips/configs/loongson3_defconfig
+@@ -250,7 +250,7 @@ CONFIG_MEDIA_CAMERA_SUPPORT=y
+ CONFIG_MEDIA_USB_SUPPORT=y
+ CONFIG_USB_VIDEO_CLASS=m
+ CONFIG_DRM=y
+-CONFIG_DRM_RADEON=y
++CONFIG_DRM_RADEON=m
+ CONFIG_FB_RADEON=y
+ CONFIG_LCD_CLASS_DEVICE=y
+ CONFIG_LCD_PLATFORM=m
+--
+2.25.1
+
--- /dev/null
+From 13cf47d4555b00d9151c4475fcad4a9907f50ed5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 03:34:37 +0300
+Subject: mips: MAAR: Use more precise address mask
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit bbb5946eb545fab8ad8f46bce8a803e1c0c39d47 ]
+
+Indeed according to the MIPS32 Privileged Resource Architecgture the MAAR
+pair register address field either takes [12:31] bits for non-XPA systems
+and [12:55] otherwise. In any case the current address mask is just
+wrong for 64-bit and 32-bits XPA chips. So lets extend it to 59-bits
+of physical address value. This shall cover the 64-bits architecture and
+systems with XPA enabled, and won't cause any problem for non-XPA 32-bit
+systems, since address values exceeding the architecture specific MAAR
+mask will be just truncated with setting zeros in the unsupported upper
+bits.
+
+Co-developed-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mipsregs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h
+index 1bb9448777c5..f9a7c137be9f 100644
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -749,7 +749,7 @@
+
+ /* MAAR bit definitions */
+ #define MIPS_MAAR_VH (_U64CAST_(1) << 63)
+-#define MIPS_MAAR_ADDR ((BIT_ULL(BITS_PER_LONG - 12) - 1) << 12)
++#define MIPS_MAAR_ADDR GENMASK_ULL(55, 12)
+ #define MIPS_MAAR_ADDR_SHIFT 12
+ #define MIPS_MAAR_S (_ULCAST_(1) << 1)
+ #define MIPS_MAAR_VL (_ULCAST_(1) << 0)
+--
+2.25.1
+
--- /dev/null
+From abc53cf23a55df18601ab092806fe7e59170a0ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 19:59:46 +0800
+Subject: MIPS: Make sparse_init() using top-down allocation
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 269b3a9ac538c4ae87f84be640b9fa89914a2489 ]
+
+In the current code, if CONFIG_SWIOTLB is set, when failed to get IO TLB
+memory from the low pages by plat_swiotlb_setup(), it may lead to the boot
+process failed with kernel panic.
+
+(1) On the Loongson and SiByte platform
+arch/mips/loongson64/dma.c
+arch/mips/sibyte/common/dma.c
+void __init plat_swiotlb_setup(void)
+{
+ swiotlb_init(1);
+}
+
+kernel/dma/swiotlb.c
+void __init
+swiotlb_init(int verbose)
+{
+...
+ vstart = memblock_alloc_low(PAGE_ALIGN(bytes), PAGE_SIZE);
+ if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, verbose))
+ return;
+...
+ pr_warn("Cannot allocate buffer");
+ no_iotlb_memory = true;
+}
+
+phys_addr_t swiotlb_tbl_map_single()
+{
+...
+ if (no_iotlb_memory)
+ panic("Can not allocate SWIOTLB buffer earlier ...");
+...
+}
+
+(2) On the Cavium OCTEON platform
+arch/mips/cavium-octeon/dma-octeon.c
+void __init plat_swiotlb_setup(void)
+{
+...
+ octeon_swiotlb = memblock_alloc_low(swiotlbsize, PAGE_SIZE);
+ if (!octeon_swiotlb)
+ panic("%s: Failed to allocate %zu bytes align=%lx\n",
+ __func__, swiotlbsize, PAGE_SIZE);
+...
+}
+
+Because IO_TLB_DEFAULT_SIZE is 64M, if the rest size of low memory is less
+than 64M when call plat_swiotlb_setup(), we can easily reproduce the panic
+case.
+
+In order to reduce the possibility of kernel panic when failed to get IO
+TLB memory under CONFIG_SWIOTLB, it is better to allocate low memory as
+small as possible before plat_swiotlb_setup(), so make sparse_init() using
+top-down allocation.
+
+Reported-by: Juxin Gao <gaojuxin@loongson.cn>
+Co-developed-by: Juxin Gao <gaojuxin@loongson.cn>
+Signed-off-by: Juxin Gao <gaojuxin@loongson.cn>
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/setup.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
+index e87c98b8a72c..2c2480be3f36 100644
+--- a/arch/mips/kernel/setup.c
++++ b/arch/mips/kernel/setup.c
+@@ -933,7 +933,17 @@ static void __init arch_mem_init(char **cmdline_p)
+ BOOTMEM_DEFAULT);
+ #endif
+ device_tree_init();
++
++ /*
++ * In order to reduce the possibility of kernel panic when failed to
++ * get IO TLB memory under CONFIG_SWIOTLB, it is better to allocate
++ * low memory as small as possible before plat_swiotlb_setup(), so
++ * make sparse_init() using top-down allocation.
++ */
++ memblock_set_bottom_up(false);
+ sparse_init();
++ memblock_set_bottom_up(true);
++
+ plat_swiotlb_setup();
+
+ dma_contiguous_reserve(PFN_PHYS(max_low_pfn));
+--
+2.25.1
+
--- /dev/null
+From 12fe5e63a8b7f68f237941ee1c3af88789a37388 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 13:52:45 +0800
+Subject: MIPS: Truncate link address into 32bit for 32bit kernel
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit ff487d41036035376e47972c7c522490b839ab37 ]
+
+LLD failed to link vmlinux with 64bit load address for 32bit ELF
+while bfd will strip 64bit address into 32bit silently.
+To fix LLD build, we should truncate load address provided by platform
+into 32bit for 32bit kernel.
+
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/786
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=25784
+Reviewed-by: Fangrui Song <maskray@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Maciej W. Rozycki <macro@linux-mips.org>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Makefile | 13 ++++++++++++-
+ arch/mips/boot/compressed/Makefile | 2 +-
+ arch/mips/kernel/vmlinux.lds.S | 2 +-
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/Makefile b/arch/mips/Makefile
+index ad0a92f95af1..63e2ad43bd6a 100644
+--- a/arch/mips/Makefile
++++ b/arch/mips/Makefile
+@@ -290,12 +290,23 @@ ifdef CONFIG_64BIT
+ endif
+ endif
+
++# When linking a 32-bit executable the LLVM linker cannot cope with a
++# 32-bit load address that has been sign-extended to 64 bits. Simply
++# remove the upper 32 bits then, as it is safe to do so with other
++# linkers.
++ifdef CONFIG_64BIT
++ load-ld = $(load-y)
++else
++ load-ld = $(subst 0xffffffff,0x,$(load-y))
++endif
++
+ KBUILD_AFLAGS += $(cflags-y)
+ KBUILD_CFLAGS += $(cflags-y)
+-KBUILD_CPPFLAGS += -DVMLINUX_LOAD_ADDRESS=$(load-y)
++KBUILD_CPPFLAGS += -DVMLINUX_LOAD_ADDRESS=$(load-y) -DLINKER_LOAD_ADDRESS=$(load-ld)
+ KBUILD_CPPFLAGS += -DDATAOFFSET=$(if $(dataoffset-y),$(dataoffset-y),0)
+
+ bootvars-y = VMLINUX_LOAD_ADDRESS=$(load-y) \
++ LINKER_LOAD_ADDRESS=$(load-ld) \
+ VMLINUX_ENTRY_ADDRESS=$(entry-y) \
+ PLATFORM="$(platform-y)" \
+ ITS_INPUTS="$(its-y)"
+diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile
+index d859f079b771..378cbfb31ee7 100644
+--- a/arch/mips/boot/compressed/Makefile
++++ b/arch/mips/boot/compressed/Makefile
+@@ -90,7 +90,7 @@ ifneq ($(zload-y),)
+ VMLINUZ_LOAD_ADDRESS := $(zload-y)
+ else
+ VMLINUZ_LOAD_ADDRESS = $(shell $(obj)/calc_vmlinuz_load_addr \
+- $(obj)/vmlinux.bin $(VMLINUX_LOAD_ADDRESS))
++ $(obj)/vmlinux.bin $(LINKER_LOAD_ADDRESS))
+ endif
+ UIMAGE_LOADADDR = $(VMLINUZ_LOAD_ADDRESS)
+
+diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S
+index 36f2e860ba3e..be63fff95b2a 100644
+--- a/arch/mips/kernel/vmlinux.lds.S
++++ b/arch/mips/kernel/vmlinux.lds.S
+@@ -50,7 +50,7 @@ SECTIONS
+ /* . = 0xa800000000300000; */
+ . = 0xffffffff80300000;
+ #endif
+- . = VMLINUX_LOAD_ADDRESS;
++ . = LINKER_LOAD_ADDRESS;
+ /* read-only */
+ _text = .; /* Text and read-only data */
+ .text : {
+--
+2.25.1
+
--- /dev/null
+From 7d5c1559f8c0bd96e14ddfd639915d9cf63cd80c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 00:28:05 +0200
+Subject: mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 91995b904ec2e44b5c159ac6a5d3f154345a4de7 ]
+
+The vendor driver (from the 3.10 kernel) triggers a soft reset every
+time before starting a new command. While this fixes a problem where
+SDIO cards are not detected at all (because all commands simply
+timed out) this hurts SD card read performance a bit (in my tests
+between 10% to 20%).
+
+Trigger a soft reset after we got a CRC error or if the previous command
+timed out (just like the vendor driver from the same 3.10 kernel for the
+newer SDHC controller IP does). This fixes detection of SDIO cards and
+doesn't hurt SD card read performance at the same time.
+
+With this patch the initialization of an RTL8723BS SDIO card looks like
+this:
+ req done (CMD52): -110: 00000000 00000000 00000000 00000000
+ clock 400000Hz busmode 2 powermode 2 cs 1 Vdd 21 width 1 timing 0
+ starting CMD0 arg 00000000 flags 000000c0
+ req done (CMD0): 0: 00000000 00000000 00000000 00000000
+ clock 400000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 0
+ starting CMD8 arg 000001aa flags 000002f5
+ req done (CMD8): -110: 00000000 00000000 00000000 00000000
+ starting CMD5 arg 00000000 flags 000002e1
+ req done (CMD5): 0: 90ff0000 00000000 00000000 00000000
+ starting CMD5 arg 00200000 flags 000002e1
+ req done (CMD5): 0: 90ff0000 00000000 00000000 00000000
+ starting CMD3 arg 00000000 flags 00000075
+ req done (CMD3): 0: 00010000 00000000 00000000 00000000
+ starting CMD7 arg 00010000 flags 00000015
+ req done (CMD7): 0: 00001e00 00000000 00000000 00000000
+ starting CMD52 arg 00000000 flags 00000195
+ req done (CMD52): 0: 00001032 00000000 00000000 00000000
+ [... more CMD52 omitted ...]
+ clock 400000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 2
+ clock 50000000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 2
+ starting CMD52 arg 00000e00 flags 00000195
+ req done (CMD52): 0: 00001000 00000000 00000000 00000000
+ starting CMD52 arg 80000e02 flags 00000195
+ req done (CMD52): 0: 00001002 00000000 00000000 00000000
+ clock 50000000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 4 timing 2
+ starting CMD52 arg 00020000 flags 00000195
+ req done (CMD52): 0: 00001007 00000000 00000000 00000000
+ [... more CMD52 omitted ...]
+ new high speed SDIO card at address 0001
+
+Fixes: ed80a13bb4c4c9 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20200503222805.2668941-1-martin.blumenstingl@googlemail.com
+Tested-by: Tobias Baumann <017623705678@o2online.de>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/meson-mx-sdio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c
+index 1c062473b1c2..27837a794e7b 100644
+--- a/drivers/mmc/host/meson-mx-sdio.c
++++ b/drivers/mmc/host/meson-mx-sdio.c
+@@ -249,6 +249,9 @@ static void meson_mx_mmc_request_done(struct meson_mx_mmc_host *host)
+
+ mrq = host->mrq;
+
++ if (host->cmd->error)
++ meson_mx_mmc_soft_reset(host);
++
+ host->mrq = NULL;
+ host->cmd = NULL;
+
+--
+2.25.1
+
--- /dev/null
+From b625ff0bef18a95f8d607b7f18d1a8f36267e89a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 18:22:01 +0800
+Subject: mmc: sdhci-esdhc-imx: fix the mask for tuning start point
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 1194be8c949b8190b2882ad8335a5d98aa50c735 ]
+
+According the RM, the bit[6~0] of register ESDHC_TUNING_CTRL is
+TUNING_START_TAP, bit[7] of this register is to disable the command
+CRC check for standard tuning. So fix it here.
+
+Fixes: d87fc9663688 ("mmc: sdhci-esdhc-imx: support setting tuning start point")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Link: https://lore.kernel.org/r/1590488522-9292-1-git-send-email-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index 629860f7327c..bd502f4f4704 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -82,7 +82,7 @@
+ #define ESDHC_STD_TUNING_EN (1 << 24)
+ /* NOTE: the minimum valid tuning start tap for mx6sl is 1 */
+ #define ESDHC_TUNING_START_TAP_DEFAULT 0x1
+-#define ESDHC_TUNING_START_TAP_MASK 0xff
++#define ESDHC_TUNING_START_TAP_MASK 0x7f
+ #define ESDHC_TUNING_STEP_MASK 0x00070000
+ #define ESDHC_TUNING_STEP_SHIFT 16
+
+--
+2.25.1
+
--- /dev/null
+From e8ac7c4b33f655cd8bb5848137b23a3aa4d52d92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 11:50:24 +0530
+Subject: mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk
+
+From: Veerabhadrarao Badiganti <vbadigan@codeaurora.org>
+
+[ Upstream commit d863cb03fb2aac07f017b2a1d923cdbc35021280 ]
+
+sdhci-msm can support auto cmd12.
+So enable SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk.
+
+Signed-off-by: Veerabhadrarao Badiganti <vbadigan@codeaurora.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/1587363626-20413-3-git-send-email-vbadigan@codeaurora.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
+index 4cff758767cb..643fd1a1b88b 100644
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -1706,7 +1706,9 @@ static const struct sdhci_ops sdhci_msm_ops = {
+ static const struct sdhci_pltfm_data sdhci_msm_pdata = {
+ .quirks = SDHCI_QUIRK_BROKEN_CARD_DETECTION |
+ SDHCI_QUIRK_SINGLE_POWER_WRITE |
+- SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN,
++ SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN |
++ SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
++
+ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
+ .ops = &sdhci_msm_ops,
+ };
+--
+2.25.1
+
--- /dev/null
+From 00fc65014b922962d2b11a932b414ceb37af798f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 18:14:10 +0200
+Subject: mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit 966244ccd2919e28f25555a77f204cd1c109cad8 ]
+
+Using a fixed 1s timeout for all commands (and data transfers) is a bit
+problematic.
+
+For some commands it means waiting longer than needed for the timer to
+expire, which may not a big issue, but still. For other commands, like for
+an erase (CMD38) that uses a R1B response, may require longer timeouts than
+1s. In these cases, we may end up treating the command as it failed, while
+it just needed some more time to complete successfully.
+
+Fix the problem by respecting the cmd->busy_timeout, which is provided by
+the mmc core.
+
+Cc: Bruce Chang <brucechang@via.com.tw>
+Cc: Harald Welte <HaraldWelte@viatech.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20200414161413.3036-17-ulf.hansson@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/via-sdmmc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
+index 32c4211506fc..246dc6255e69 100644
+--- a/drivers/mmc/host/via-sdmmc.c
++++ b/drivers/mmc/host/via-sdmmc.c
+@@ -323,6 +323,8 @@ struct via_crdr_mmc_host {
+ /* some devices need a very long delay for power to stabilize */
+ #define VIA_CRDR_QUIRK_300MS_PWRDELAY 0x0001
+
++#define VIA_CMD_TIMEOUT_MS 1000
++
+ static const struct pci_device_id via_ids[] = {
+ {PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_9530,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0,},
+@@ -555,14 +557,17 @@ static void via_sdc_send_command(struct via_crdr_mmc_host *host,
+ {
+ void __iomem *addrbase;
+ struct mmc_data *data;
++ unsigned int timeout_ms;
+ u32 cmdctrl = 0;
+
+ WARN_ON(host->cmd);
+
+ data = cmd->data;
+- mod_timer(&host->timer, jiffies + HZ);
+ host->cmd = cmd;
+
++ timeout_ms = cmd->busy_timeout ? cmd->busy_timeout : VIA_CMD_TIMEOUT_MS;
++ mod_timer(&host->timer, jiffies + msecs_to_jiffies(timeout_ms));
++
+ /*Command index*/
+ cmdctrl = cmd->opcode << 8;
+
+--
+2.25.1
+
--- /dev/null
+From 4d46089590469986cf66e5ffb2bb4720ef8e008f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Apr 2020 03:32:22 +0800
+Subject: mt76: avoid rx reorder buffer overflow
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+[ Upstream commit 7c4f744d6703757be959f521a7a441bf34745d99 ]
+
+Enlarge slot to support 11ax 256 BA (256 MPDUs in an AMPDU)
+
+Signed-off-by: Chih-Min Chen <chih-min.chen@mediatek.com>
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/agg-rx.c | 8 ++++----
+ drivers/net/wireless/mediatek/mt76/mt76.h | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c
+index 73c8b2805c97..d44d57e6eb27 100644
+--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c
++++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c
+@@ -154,8 +154,8 @@ void mt76_rx_aggr_reorder(struct sk_buff *skb, struct sk_buff_head *frames)
+ struct ieee80211_sta *sta;
+ struct mt76_rx_tid *tid;
+ bool sn_less;
+- u16 seqno, head, size;
+- u8 ackp, idx;
++ u16 seqno, head, size, idx;
++ u8 ackp;
+
+ __skb_queue_tail(frames, skb);
+
+@@ -240,7 +240,7 @@ out:
+ }
+
+ int mt76_rx_aggr_start(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tidno,
+- u16 ssn, u8 size)
++ u16 ssn, u16 size)
+ {
+ struct mt76_rx_tid *tid;
+
+@@ -264,7 +264,7 @@ EXPORT_SYMBOL_GPL(mt76_rx_aggr_start);
+
+ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid)
+ {
+- u8 size = tid->size;
++ u16 size = tid->size;
+ int i;
+
+ cancel_delayed_work(&tid->reorder_work);
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
+index 2eab35879163..7b1667ec619e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76.h
+@@ -193,8 +193,8 @@ struct mt76_rx_tid {
+ struct delayed_work reorder_work;
+
+ u16 head;
+- u8 size;
+- u8 nframes;
++ u16 size;
++ u16 nframes;
+
+ u8 started:1, stopped:1, timer_pending:1;
+
+@@ -537,7 +537,7 @@ int mt76_get_survey(struct ieee80211_hw *hw, int idx,
+ void mt76_set_stream_caps(struct mt76_dev *dev, bool vht);
+
+ int mt76_rx_aggr_start(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tid,
+- u16 ssn, u8 size);
++ u16 ssn, u16 size);
+ void mt76_rx_aggr_stop(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tid);
+
+ void mt76_wcid_key_setup(struct mt76_dev *dev, struct mt76_wcid *wcid,
+--
+2.25.1
+
--- /dev/null
+From d107999567737c71a51cd088b63f12e446427c91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 09:59:24 +0200
+Subject: mwifiex: Fix memory corruption in dump_station
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 ]
+
+The mwifiex_cfg80211_dump_station() uses static variable for iterating
+over a linked list of all associated stations (when the driver is in UAP
+role). This has a race condition if .dump_station is called in parallel
+for multiple interfaces. This corruption can be triggered by registering
+multiple SSIDs and calling, in parallel for multiple interfaces
+ iw dev <iface> station dump
+
+[16750.719775] Unable to handle kernel paging request at virtual address dead000000000110
+...
+[16750.899173] Call trace:
+[16750.901696] mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex]
+[16750.907824] nl80211_dump_station+0xbc/0x278 [cfg80211]
+[16750.913160] netlink_dump+0xe8/0x320
+[16750.916827] netlink_recvmsg+0x1b4/0x338
+[16750.920861] ____sys_recvmsg+0x7c/0x2b0
+[16750.924801] ___sys_recvmsg+0x70/0x98
+[16750.928564] __sys_recvmsg+0x58/0xa0
+[16750.932238] __arm64_sys_recvmsg+0x28/0x30
+[16750.936453] el0_svc_common.constprop.3+0x90/0x158
+[16750.941378] do_el0_svc+0x74/0x90
+[16750.944784] el0_sync_handler+0x12c/0x1a8
+[16750.948903] el0_sync+0x114/0x140
+[16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060)
+[16750.958583] ---[ end trace c8ad181c2f4b8576 ]---
+
+This patch drops the use of the static iterator, and instead every time
+the function is called iterates to the idx-th position of the
+linked-list.
+
+It would be better to convert the code not to use linked list for
+associated stations storage (since the chip has a limited number of
+associated stations anyway - it could just be an array). Such a change
+may be proposed in the future. In the meantime this patch can backported
+into stable kernels in this simple form.
+
+Fixes: 8baca1a34d4c ("mwifiex: dump station support in uap mode")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index 7b74ef71bef1..650191db25cb 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -1468,7 +1468,8 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev,
+ int idx, u8 *mac, struct station_info *sinfo)
+ {
+ struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
+- static struct mwifiex_sta_node *node;
++ struct mwifiex_sta_node *node;
++ int i;
+
+ if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) &&
+ priv->media_connected && idx == 0) {
+@@ -1478,13 +1479,10 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev,
+ mwifiex_send_cmd(priv, HOST_CMD_APCMD_STA_LIST,
+ HostCmd_ACT_GEN_GET, 0, NULL, true);
+
+- if (node && (&node->list == &priv->sta_list)) {
+- node = NULL;
+- return -ENOENT;
+- }
+-
+- node = list_prepare_entry(node, &priv->sta_list, list);
+- list_for_each_entry_continue(node, &priv->sta_list, list) {
++ i = 0;
++ list_for_each_entry(node, &priv->sta_list, list) {
++ if (i++ != idx)
++ continue;
+ ether_addr_copy(mac, node->mac_addr);
+ return mwifiex_dump_station_info(priv, node, sinfo);
+ }
+--
+2.25.1
+
--- /dev/null
+From a375ded02b41c5ef79f05658e170aedc4f2e9698 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 10:49:20 +0800
+Subject: net: allwinner: Fix use correct return type for ndo_start_xmit()
+
+From: Yunjian Wang <wangyunjian@huawei.com>
+
+[ Upstream commit 09f6c44aaae0f1bdb8b983d7762676d5018c53bc ]
+
+The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix
+the ndo function to use the correct type. And emac_start_xmit() can
+leak one skb if 'channel' == 3.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/allwinner/sun4i-emac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/allwinner/sun4i-emac.c b/drivers/net/ethernet/allwinner/sun4i-emac.c
+index 3143de45baaa..c458b81ba63a 100644
+--- a/drivers/net/ethernet/allwinner/sun4i-emac.c
++++ b/drivers/net/ethernet/allwinner/sun4i-emac.c
+@@ -433,7 +433,7 @@ static void emac_timeout(struct net_device *dev)
+ /* Hardware start transmission.
+ * Send a packet to media from the upper layer.
+ */
+-static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct emac_board_info *db = netdev_priv(dev);
+ unsigned long channel;
+@@ -441,7 +441,7 @@ static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ channel = db->tx_fifo_stat & 3;
+ if (channel == 3)
+- return 1;
++ return NETDEV_TX_BUSY;
+
+ channel = (channel == 1 ? 1 : 0);
+
+--
+2.25.1
+
--- /dev/null
+From afa4af5d271839c23a66d9b43051760ce2b9333e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 11:04:34 +0300
+Subject: net: atlantic: make hw_get_regs optional
+
+From: Mark Starovoytov <mstarovoitov@marvell.com>
+
+[ Upstream commit d0f23741c202c685447050713907f3be39a985ee ]
+
+This patch fixes potential crash in case if hw_get_regs is NULL.
+
+Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+index 15dcfb6704e5..adac5df0d6b4 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -620,6 +620,9 @@ int aq_nic_get_regs(struct aq_nic_s *self, struct ethtool_regs *regs, void *p)
+ u32 *regs_buff = p;
+ int err = 0;
+
++ if (unlikely(!self->aq_hw_ops->hw_get_regs))
++ return -EOPNOTSUPP;
++
+ regs->version = 1;
+
+ err = self->aq_hw_ops->hw_get_regs(self->aq_hw,
+@@ -634,6 +637,9 @@ err_exit:
+
+ int aq_nic_get_regs_count(struct aq_nic_s *self)
+ {
++ if (unlikely(!self->aq_hw_ops->hw_get_regs))
++ return 0;
++
+ return self->aq_nic_cfg.aq_hw_caps->mac_regs_count;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 206c8cc78b387c9fe391dc336c346dc6b47e15af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 13:02:00 -0700
+Subject: net: bcmgenet: set Rx mode before starting netif
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit 72f96347628e73dbb61b307f18dd19293cc6792a ]
+
+This commit explicitly calls the bcmgenet_set_rx_mode() function when
+the network interface is started. This function is normally called by
+ndo_set_rx_mode when the flags are changed, but apparently not when
+the driver is suspended and resumed.
+
+This change ensures that address filtering or promiscuous mode are
+properly restored by the driver after the MAC may have been reset.
+
+Fixes: b6e978e50444 ("net: bcmgenet: add suspend/resume callbacks")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 047fc0cf0263..40e8ef984b62 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -72,6 +72,9 @@
+ #define GENET_RDMA_REG_OFF (priv->hw_params->rdma_offset + \
+ TOTAL_DESC * DMA_DESC_SIZE)
+
++/* Forward declarations */
++static void bcmgenet_set_rx_mode(struct net_device *dev);
++
+ static inline void bcmgenet_writel(u32 value, void __iomem *offset)
+ {
+ /* MIPS chips strapped for BE will automagically configure the
+@@ -2859,6 +2862,7 @@ static void bcmgenet_netif_start(struct net_device *dev)
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+
+ /* Start the network engine */
++ bcmgenet_set_rx_mode(dev);
+ bcmgenet_enable_rx_napi(priv);
+
+ umac_enable_set(priv, CMD_TX_EN | CMD_RX_EN, true);
+--
+2.25.1
+
--- /dev/null
+From 57ac786dee1be77ec52f5a3a1203cb1de1f137ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 May 2020 09:52:11 +0000
+Subject: net: ena: fix error returning in ena_com_get_hash_function()
+
+From: Arthur Kiyanovski <akiyano@amazon.com>
+
+[ Upstream commit e9a1de378dd46375f9abfd8de1e6f59ee114a793 ]
+
+In case the "func" parameter is NULL we now return "-EINVAL".
+This shouldn't happen in general, but when it does happen, this is the
+proper way to handle it.
+
+We also check func for NULL in the beginning of the function, as there
+is no reason to do all the work and realize in the end of the function
+it was useless.
+
+Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
+index 3afc0e59a2bd..d07f7f65169a 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -2137,6 +2137,9 @@ int ena_com_get_hash_function(struct ena_com_dev *ena_dev,
+ rss->hash_key;
+ int rc;
+
++ if (unlikely(!func))
++ return -EINVAL;
++
+ rc = ena_com_get_feature_ex(ena_dev, &get_resp,
+ ENA_ADMIN_RSS_HASH_FUNCTION,
+ rss->hash_key_dma_addr,
+@@ -2149,8 +2152,7 @@ int ena_com_get_hash_function(struct ena_com_dev *ena_dev,
+ if (rss->hash_func)
+ rss->hash_func--;
+
+- if (func)
+- *func = rss->hash_func;
++ *func = rss->hash_func;
+
+ if (key)
+ memcpy(key, hash_key->key, (size_t)(hash_key->keys_num) << 2);
+--
+2.25.1
+
--- /dev/null
+From 94c047ba0f334828fa522def4a0e7ba7eed8d1d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 00:27:10 +0800
+Subject: net: ethernet: fec: move GPR register offset and bit into DT
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit 8a448bf832af537d26aa557d183a16943dce4510 ]
+
+The commit da722186f654 (net: fec: set GPR bit on suspend by DT
+configuration) set the GPR reigster offset and bit in driver for
+wake on lan feature.
+
+But it introduces two issues here:
+- one SOC has two instances, they have different bit
+- different SOCs may have different offset and bit
+
+So to support wake-on-lan feature on other i.MX platforms, it should
+configure the GPR reigster offset and bit from DT.
+
+So the patch is to improve the commit da722186f654 (net: fec: set GPR
+bit on suspend by DT configuration) to support multiple ethernet
+instances on i.MX series.
+
+v2:
+ * switch back to store the quirks bitmask in driver_data
+v3:
+ * suggested by Sascha Hauer, use a struct fec_devinfo for
+ abstracting differences between different hardware variants,
+ it can give more freedom to describe the differences.
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 24 +++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 48c58f93b124..6702bc2dd92f 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -88,8 +88,6 @@ static void fec_enet_itr_coal_init(struct net_device *ndev);
+
+ struct fec_devinfo {
+ u32 quirks;
+- u8 stop_gpr_reg;
+- u8 stop_gpr_bit;
+ };
+
+ static const struct fec_devinfo fec_imx25_info = {
+@@ -112,8 +110,6 @@ static const struct fec_devinfo fec_imx6q_info = {
+ FEC_QUIRK_HAS_BUFDESC_EX | FEC_QUIRK_HAS_CSUM |
+ FEC_QUIRK_HAS_VLAN | FEC_QUIRK_ERR006358 |
+ FEC_QUIRK_HAS_RACC,
+- .stop_gpr_reg = 0x34,
+- .stop_gpr_bit = 27,
+ };
+
+ static const struct fec_devinfo fec_mvf600_info = {
+@@ -3401,19 +3397,23 @@ static int fec_enet_get_irq_cnt(struct platform_device *pdev)
+ }
+
+ static int fec_enet_init_stop_mode(struct fec_enet_private *fep,
+- struct fec_devinfo *dev_info,
+ struct device_node *np)
+ {
+ struct device_node *gpr_np;
++ u32 out_val[3];
+ int ret = 0;
+
+- if (!dev_info)
+- return 0;
+-
+- gpr_np = of_parse_phandle(np, "gpr", 0);
++ gpr_np = of_parse_phandle(np, "fsl,stop-mode", 0);
+ if (!gpr_np)
+ return 0;
+
++ ret = of_property_read_u32_array(np, "fsl,stop-mode", out_val,
++ ARRAY_SIZE(out_val));
++ if (ret) {
++ dev_dbg(&fep->pdev->dev, "no stop mode property\n");
++ return ret;
++ }
++
+ fep->stop_gpr.gpr = syscon_node_to_regmap(gpr_np);
+ if (IS_ERR(fep->stop_gpr.gpr)) {
+ dev_err(&fep->pdev->dev, "could not find gpr regmap\n");
+@@ -3422,8 +3422,8 @@ static int fec_enet_init_stop_mode(struct fec_enet_private *fep,
+ goto out;
+ }
+
+- fep->stop_gpr.reg = dev_info->stop_gpr_reg;
+- fep->stop_gpr.bit = dev_info->stop_gpr_bit;
++ fep->stop_gpr.reg = out_val[1];
++ fep->stop_gpr.bit = out_val[2];
+
+ out:
+ of_node_put(gpr_np);
+@@ -3501,7 +3501,7 @@ fec_probe(struct platform_device *pdev)
+ if (of_get_property(np, "fsl,magic-packet", NULL))
+ fep->wol_flag |= FEC_WOL_HAS_MAGIC_PACKET;
+
+- ret = fec_enet_init_stop_mode(fep, dev_info, np);
++ ret = fec_enet_init_stop_mode(fep, np);
+ if (ret)
+ goto failed_stop_mode;
+
+--
+2.25.1
+
--- /dev/null
+From 75fc5cf69e0cb467a109064569a01bd9a0c72a76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:15:07 +0000
+Subject: net: lpc-enet: fix error return code in lpc_mii_init()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 88ec7cb22ddde725ed4ce15991f0bd9dd817fd85 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: b7370112f519 ("lpc32xx: Added ethernet driver")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/nxp/lpc_eth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
+index 41d30f55c946..6bd6c261f2ba 100644
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -845,7 +845,8 @@ static int lpc_mii_init(struct netdata_local *pldat)
+ if (mdiobus_register(pldat->mii_bus))
+ goto err_out_unregister_bus;
+
+- if (lpc_mii_probe(pldat->ndev) != 0)
++ err = lpc_mii_probe(pldat->ndev);
++ if (err)
+ goto err_out_unregister_bus;
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From aa91a9c8dd7c1bad8917e4dff00ed8a847794da4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 11:46:25 +0300
+Subject: net/mlx5e: IPoIB, Drop multicast packets that this interface sent
+
+From: Erez Shitrit <erezsh@mellanox.com>
+
+[ Upstream commit 8b46d424a743ddfef8056d5167f13ee7ebd1dcad ]
+
+After enabled loopback packets for IPoIB, we need to drop these packets
+that this HCA has replicated and came back to the same interface that
+sent them.
+
+Fixes: 4c6c615e3f30 ("net/mlx5e: IPoIB, Add PKEY child interface nic profile")
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+index 044687a1f27c..9d86e49a7f44 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -1314,6 +1314,7 @@ out:
+
+ #ifdef CONFIG_MLX5_CORE_IPOIB
+
++#define MLX5_IB_GRH_SGID_OFFSET 8
+ #define MLX5_IB_GRH_DGID_OFFSET 24
+ #define MLX5_GID_SIZE 16
+
+@@ -1327,6 +1328,7 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq,
+ struct net_device *netdev;
+ struct mlx5e_priv *priv;
+ char *pseudo_header;
++ u32 flags_rqpn;
+ u32 qpn;
+ u8 *dgid;
+ u8 g;
+@@ -1347,7 +1349,8 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq,
+ priv = mlx5i_epriv(netdev);
+ tstamp = &priv->tstamp;
+
+- g = (be32_to_cpu(cqe->flags_rqpn) >> 28) & 3;
++ flags_rqpn = be32_to_cpu(cqe->flags_rqpn);
++ g = (flags_rqpn >> 28) & 3;
+ dgid = skb->data + MLX5_IB_GRH_DGID_OFFSET;
+ if ((!g) || dgid[0] != 0xff)
+ skb->pkt_type = PACKET_HOST;
+@@ -1356,9 +1359,15 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq,
+ else
+ skb->pkt_type = PACKET_MULTICAST;
+
+- /* TODO: IB/ipoib: Allow mcast packets from other VFs
+- * 68996a6e760e5c74654723eeb57bf65628ae87f4
++ /* Drop packets that this interface sent, ie multicast packets
++ * that the HCA has replicated.
+ */
++ if (g && (qpn == (flags_rqpn & 0xffffff)) &&
++ (memcmp(netdev->dev_addr + 4, skb->data + MLX5_IB_GRH_SGID_OFFSET,
++ MLX5_GID_SIZE) == 0)) {
++ skb->dev = NULL;
++ return;
++ }
+
+ skb_pull(skb, MLX5_IB_GRH_BYTES);
+
+--
+2.25.1
+
--- /dev/null
+From bdbbfd303adb4d6b6e36bde7437b2a4e1d6b70bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2020 15:41:41 +0530
+Subject: net: qed*: Reduce RX and TX default ring count when running inside
+ kdump kernel
+
+From: Bhupesh Sharma <bhsharma@redhat.com>
+
+[ Upstream commit 73e030977f7884dbe1be0018bab517e8d02760f8 ]
+
+Normally kdump kernel(s) run under severe memory constraint with the
+basic idea being to save the crashdump vmcore reliably when the primary
+kernel panics/hangs.
+
+Currently the qed* ethernet driver ends up consuming a lot of memory in
+the kdump kernel, leading to kdump kernel panic when one tries to save
+the vmcore via ssh/nfs (thus utilizing the services of the underlying
+qed* network interfaces).
+
+An example OOM message log seen in the kdump kernel can be seen here
+[1], with crashkernel size reservation of 512M.
+
+Using tools like memstrack (see [2]), we can track the modules taking up
+the bulk of memory in the kdump kernel and organize the memory usage
+output as per 'highest allocator first'. An example log for the OOM case
+indicates that the qed* modules end up allocating approximately 216M
+memory, which is a large part of the total crashkernel size:
+
+ dracut-pre-pivot[676]: ======== Report format module_summary: ========
+ dracut-pre-pivot[676]: Module qed using 149.6MB (2394 pages), peak allocation 149.6MB (2394 pages)
+ dracut-pre-pivot[676]: Module qede using 65.3MB (1045 pages), peak allocation 65.3MB (1045 pages)
+
+This patch reduces the default RX and TX ring count from 1024 to 64
+when running inside kdump kernel, which leads to a significant memory
+saving.
+
+An example log with the patch applied shows the reduced memory
+allocation in the kdump kernel:
+ dracut-pre-pivot[674]: ======== Report format module_summary: ========
+ dracut-pre-pivot[674]: Module qed using 141.8MB (2268 pages), peak allocation 141.8MB (2268 pages)
+ <..snip..>
+[dracut-pre-pivot[674]: Module qede using 4.8MB (76 pages), peak allocation 4.9MB (78 pages)
+
+Tested crashdump vmcore save via ssh/nfs protocol using underlying qed*
+network interface after applying this patch.
+
+[1] OOM log:
+------------
+
+ kworker/0:6: page allocation failure: order:6,
+ mode:0x60c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null)
+ kworker/0:6 cpuset=/ mems_allowed=0
+ CPU: 0 PID: 145 Comm: kworker/0:6 Not tainted 4.18.0-109.el8.aarch64 #1
+ Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL025
+ 01/18/2019
+ Workqueue: events work_for_cpu_fn
+ Call trace:
+ dump_backtrace+0x0/0x188
+ show_stack+0x24/0x30
+ dump_stack+0x90/0xb4
+ warn_alloc+0xf4/0x178
+ __alloc_pages_nodemask+0xcac/0xd58
+ alloc_pages_current+0x8c/0xf8
+ kmalloc_order_trace+0x38/0x108
+ qed_iov_alloc+0x40/0x248 [qed]
+ qed_resc_alloc+0x224/0x518 [qed]
+ qed_slowpath_start+0x254/0x928 [qed]
+ __qede_probe+0xf8/0x5e0 [qede]
+ qede_probe+0x68/0xd8 [qede]
+ local_pci_probe+0x44/0xa8
+ work_for_cpu_fn+0x20/0x30
+ process_one_work+0x1ac/0x3e8
+ worker_thread+0x44/0x448
+ kthread+0x130/0x138
+ ret_from_fork+0x10/0x18
+ Cannot start slowpath
+ qede: probe of 0000:05:00.1 failed with error -12
+
+[2]. Memstrack tool: https://github.com/ryncsn/memstrack
+
+Cc: kexec@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Ariel Elior <aelior@marvell.com>
+Cc: GR-everest-linux-l2@marvell.com
+Cc: Manish Chopra <manishc@marvell.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Bhupesh Sharma <bhsharma@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede.h | 2 ++
+ drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +++++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede.h b/drivers/net/ethernet/qlogic/qede/qede.h
+index dc3be8a4acf4..2bdc410d1144 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede.h
++++ b/drivers/net/ethernet/qlogic/qede/qede.h
+@@ -550,12 +550,14 @@ int qede_add_tc_flower_fltr(struct qede_dev *edev, __be16 proto,
+ #define RX_RING_SIZE ((u16)BIT(RX_RING_SIZE_POW))
+ #define NUM_RX_BDS_MAX (RX_RING_SIZE - 1)
+ #define NUM_RX_BDS_MIN 128
++#define NUM_RX_BDS_KDUMP_MIN 63
+ #define NUM_RX_BDS_DEF ((u16)BIT(10) - 1)
+
+ #define TX_RING_SIZE_POW 13
+ #define TX_RING_SIZE ((u16)BIT(TX_RING_SIZE_POW))
+ #define NUM_TX_BDS_MAX (TX_RING_SIZE - 1)
+ #define NUM_TX_BDS_MIN 128
++#define NUM_TX_BDS_KDUMP_MIN 63
+ #define NUM_TX_BDS_DEF NUM_TX_BDS_MAX
+
+ #define QEDE_MIN_PKT_LEN 64
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c
+index 0d8e39ffbcd1..1aabb2e7a38b 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
+@@ -29,6 +29,7 @@
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
++#include <linux/crash_dump.h>
+ #include <linux/module.h>
+ #include <linux/pci.h>
+ #include <linux/version.h>
+@@ -730,8 +731,14 @@ static struct qede_dev *qede_alloc_etherdev(struct qed_dev *cdev,
+ edev->dp_module = dp_module;
+ edev->dp_level = dp_level;
+ edev->ops = qed_ops;
+- edev->q_num_rx_buffers = NUM_RX_BDS_DEF;
+- edev->q_num_tx_buffers = NUM_TX_BDS_DEF;
++
++ if (is_kdump_kernel()) {
++ edev->q_num_rx_buffers = NUM_RX_BDS_KDUMP_MIN;
++ edev->q_num_tx_buffers = NUM_TX_BDS_KDUMP_MIN;
++ } else {
++ edev->q_num_rx_buffers = NUM_RX_BDS_DEF;
++ edev->q_num_tx_buffers = NUM_TX_BDS_DEF;
++ }
+
+ DP_INFO(edev, "Allocated netdev with %d tx queues and %d rx queues\n",
+ info->num_queues, info->num_queues);
+--
+2.25.1
+
--- /dev/null
+From 77845331d7a535153e87269d3fd66460af8c9c0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 10:41:50 +0800
+Subject: net: vmxnet3: fix possible buffer overflow caused by bad DMA value in
+ vmxnet3_get_rss()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 3e1c6846b9e108740ef8a37be80314053f5dd52a ]
+
+The value adapter->rss_conf is stored in DMA memory, and it is assigned
+to rssConf, so rssConf->indTableSize can be modified at anytime by
+malicious hardware. Because rssConf->indTableSize is assigned to n,
+buffer overflow may occur when the code "rssConf->indTable[n]" is
+executed.
+
+To fix this possible bug, n is checked after being used.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_ethtool.c b/drivers/net/vmxnet3/vmxnet3_ethtool.c
+index 559db051a500..88d18ab83e54 100644
+--- a/drivers/net/vmxnet3/vmxnet3_ethtool.c
++++ b/drivers/net/vmxnet3/vmxnet3_ethtool.c
+@@ -692,6 +692,8 @@ vmxnet3_get_rss(struct net_device *netdev, u32 *p, u8 *key, u8 *hfunc)
+ *hfunc = ETH_RSS_HASH_TOP;
+ if (!p)
+ return 0;
++ if (n > UPT1_RSS_MAX_IND_TABLE_SIZE)
++ return 0;
+ while (n--)
+ p[n] = rssConf->indTable[n];
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From b60994cce8423f29205dfe0014c5f6dd0106f8e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 21:55:34 +0200
+Subject: netfilter: nft_nat: return EOPNOTSUPP if type or flags are not
+ supported
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 0d7c83463fdf7841350f37960a7abadd3e650b41 ]
+
+Instead of EINVAL which should be used for malformed netlink messages.
+
+Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_nat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index c15807d10b91..3e82a7d0df2a 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -135,7 +135,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ priv->type = NF_NAT_MANIP_DST;
+ break;
+ default:
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ if (tb[NFTA_NAT_FAMILY] == NULL)
+@@ -202,7 +202,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ if (tb[NFTA_NAT_FLAGS]) {
+ priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS]));
+ if (priv->flags & ~NF_NAT_RANGE_MASK)
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ return nf_ct_netns_get(ctx->net, family);
+--
+2.25.1
+
--- /dev/null
+From 71e35e7ef105a0d8f09f4542015740ad411892f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2020 10:11:28 +0200
+Subject: nvme: refine the Qemu Identify CNS quirk
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit b9a5c3d4c34d8bd9fd75f7f28d18a57cb68da237 ]
+
+Add a helper to check if we can use Identify CNS values > 1, and refine
+the Qemu quirk to not apply to reported versions larger than 1.1, as the
+Qemu implementation had been fixed by then.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index d5359c7c811a..0d60f2f8f3ee 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -926,6 +926,19 @@ void nvme_stop_keep_alive(struct nvme_ctrl *ctrl)
+ }
+ EXPORT_SYMBOL_GPL(nvme_stop_keep_alive);
+
++/*
++ * In NVMe 1.0 the CNS field was just a binary controller or namespace
++ * flag, thus sending any new CNS opcodes has a big chance of not working.
++ * Qemu unfortunately had that bug after reporting a 1.1 version compliance
++ * (but not for any later version).
++ */
++static bool nvme_ctrl_limited_cns(struct nvme_ctrl *ctrl)
++{
++ if (ctrl->quirks & NVME_QUIRK_IDENTIFY_CNS)
++ return ctrl->vs < NVME_VS(1, 2, 0);
++ return ctrl->vs < NVME_VS(1, 1, 0);
++}
++
+ static int nvme_identify_ctrl(struct nvme_ctrl *dev, struct nvme_id_ctrl **id)
+ {
+ struct nvme_command c = { };
+@@ -3368,8 +3381,7 @@ static void nvme_scan_work(struct work_struct *work)
+
+ mutex_lock(&ctrl->scan_lock);
+ nn = le32_to_cpu(id->nn);
+- if (ctrl->vs >= NVME_VS(1, 1, 0) &&
+- !(ctrl->quirks & NVME_QUIRK_IDENTIFY_CNS)) {
++ if (!nvme_ctrl_limited_cns(ctrl)) {
+ if (!nvme_scan_ns_list(ctrl, nn))
+ goto out_free_id;
+ }
+--
+2.25.1
+
--- /dev/null
+From 5616e2870091251291cb7ce3c28090132c64f91a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2020 15:28:41 +0000
+Subject: objtool: Ignore empty alternatives
+
+From: Julien Thierry <jthierry@redhat.com>
+
+[ Upstream commit 7170cf47d16f1ba29eca07fd818870b7af0a93a5 ]
+
+The .alternatives section can contain entries with no original
+instructions. Objtool will currently crash when handling such an entry.
+
+Just skip that entry, but still give a warning to discourage useless
+entries.
+
+Signed-off-by: Julien Thierry <jthierry@redhat.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index 4d509734b695..fd3071d83dea 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -801,6 +801,12 @@ static int add_special_section_alts(struct objtool_file *file)
+ }
+
+ if (special_alt->group) {
++ if (!special_alt->orig_len) {
++ WARN_FUNC("empty alternative entry",
++ orig_insn->sec, orig_insn->offset);
++ continue;
++ }
++
+ ret = handle_group_alt(file, special_alt, orig_insn,
+ &new_insn);
+ if (ret)
+--
+2.25.1
+
--- /dev/null
+From 6ce37ed3271654f9a9ad9b994cc0bec3b96a2164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 17:21:12 +0800
+Subject: PCI: Don't disable decoding when mmio_always_on is set
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit b6caa1d8c80cb71b6162cb1f1ec13aa655026c9f ]
+
+Don't disable MEM/IO decoding when a device have both non_compliant_bars
+and mmio_always_on.
+
+That would allow us quirk devices with junk in BARs but can't disable
+their decoding.
+
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Acked-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index fa4c386c8cd8..a21c04d8a40b 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1634,7 +1634,7 @@ int pci_setup_device(struct pci_dev *dev)
+ /* Device class may be changed after fixup */
+ class = dev->class >> 8;
+
+- if (dev->non_compliant_bars) {
++ if (dev->non_compliant_bars && !dev->mmio_always_on) {
+ pci_read_config_word(dev, PCI_COMMAND, &cmd);
+ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) {
+ pci_info(dev, "device has non-compliant BARs; disabling IO/MEM decoding\n");
+--
+2.25.1
+
--- /dev/null
+From 864e414fc2dc2f282cd2d9cde721be03dcb100e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 16:27:04 +0300
+Subject: platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 5cdc45ed3948042f0d73c6fec5ee9b59e637d0d2 ]
+
+First of all, unsigned long can overflow u32 value on 64-bit machine.
+Second, simple_strtoul() doesn't check for overflow in the input.
+
+Convert simple_strtoul() to kstrtou32() to eliminate above issues.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp-wmi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c
+index 06a3c1ef8eee..952544ca0d84 100644
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -474,8 +474,14 @@ static ssize_t postcode_show(struct device *dev, struct device_attribute *attr,
+ static ssize_t als_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+- u32 tmp = simple_strtoul(buf, NULL, 10);
+- int ret = hp_wmi_perform_query(HPWMI_ALS_QUERY, HPWMI_WRITE, &tmp,
++ u32 tmp;
++ int ret;
++
++ ret = kstrtou32(buf, 10, &tmp);
++ if (ret)
++ return ret;
++
++ ret = hp_wmi_perform_query(HPWMI_ALS_QUERY, HPWMI_WRITE, &tmp,
+ sizeof(tmp), sizeof(tmp));
+ if (ret)
+ return ret < 0 ? ret : -EINVAL;
+--
+2.25.1
+
--- /dev/null
+From 7c37ec5a5688e6621c620bef64393ebf0b240007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 22:07:20 +0500
+Subject: platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015)
+
+From: Nickolai Kozachenko <daemongloom@gmail.com>
+
+[ Upstream commit 8fe63eb757ac6e661a384cc760792080bdc738dc ]
+
+HEBC method reports capabilities of 5 button array but HP Spectre X2 (2015)
+does not have this control method (the same was for Wacom MobileStudio Pro).
+Expand previous DMI quirk by Alex Hung to also enable 5 button array
+for this system.
+
+Signed-off-by: Nickolai Kozachenko <daemongloom@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-hid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c
+index 3201a83073b5..c514cb73bb50 100644
+--- a/drivers/platform/x86/intel-hid.c
++++ b/drivers/platform/x86/intel-hid.c
+@@ -87,6 +87,13 @@ static const struct dmi_system_id button_array_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Wacom MobileStudio Pro 16"),
+ },
+ },
++ {
++ .ident = "HP Spectre x2 (2015)",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Spectre x2 Detachable"),
++ },
++ },
+ { }
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 90bd52e84f3bf2938cfdce3f4fd7bf7e5245483a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 20:29:50 +0200
+Subject: platform/x86: intel-vbtn: Also handle tablet-mode switch on
+ "Detachable" and "Portable" chassis-types
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 1fac39fd0316b19c3e57a182524332332d1643ce ]
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
+reporting SW_TABLET_MODE = 1 to userspace on laptops.
+
+Some devices with a detachable keyboard and using the intel-vbnt (INT33D6)
+interface to report if they are in tablet mode (keyboard detached) or not,
+report 32 / "Detachable" as chassis-type, e.g. the HP Pavilion X2 series.
+
+Other devices with a detachable keyboard and using the intel-vbnt (INT33D6)
+interface to report SW_TABLET_MODE, report 8 / "Portable" as chassis-type.
+The Dell Venue 11 Pro 7130 is an example of this.
+
+Extend the DMI chassis-type check to also accept Portables and Detachables
+so that the intel-vbtn driver will report SW_TABLET_MODE on these devices.
+
+Note the chassis-type check was originally added to avoid a false-positive
+tablet-mode report on the Dell XPS 9360 laptop. To the best of my knowledge
+that laptop is using a chassis-type of 9 / "Laptop", so after this commit
+we still ignore the tablet-switch for that chassis-type.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Mario Limonciello <Mario.limonciello@dell.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 23cda7aa96cd..5f8120d12859 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -157,12 +157,22 @@ static void detect_tablet_mode(struct platform_device *device)
+ static bool intel_vbtn_has_switches(acpi_handle handle)
+ {
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
++ unsigned long chassis_type_int;
+ unsigned long long vgbs;
+ acpi_status status;
+
+- if (!(chassis_type && strcmp(chassis_type, "31") == 0))
++ if (kstrtoul(chassis_type, 10, &chassis_type_int))
+ return false;
+
++ switch (chassis_type_int) {
++ case 8: /* Portable */
++ case 31: /* Convertible */
++ case 32: /* Detachable */
++ break;
++ default:
++ return false;
++ }
++
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ return ACPI_SUCCESS(status);
+ }
+--
+2.25.1
+
--- /dev/null
+From 298f6ae8ae3902b82254af609db5fa833fe8081d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 20:29:49 +0200
+Subject: platform/x86: intel-vbtn: Do not advertise switches to userspace if
+ they are not there
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 990fbb48067bf8cfa34b7d1e6e1674eaaef2f450 ]
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
+reporting SW_TABLET_MODE = 1 to userspace on laptops (specifically on the
+Dell XPS 9360), to avoid e.g. userspace ignoring touchpad events because
+userspace thought the device was in tablet-mode.
+
+But if we are not getting the initial status of the switch because the
+device does not have a tablet mode, then we really should not advertise
+the presence of a tablet-mode switch to userspace at all, as userspace may
+use the mere presence of this switch for certain heuristics.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index e42203776727..23cda7aa96cd 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -54,6 +54,7 @@ static const struct key_entry intel_vbtn_switchmap[] = {
+ struct intel_vbtn_priv {
+ struct key_entry keymap[KEYMAP_LEN];
+ struct input_dev *input_dev;
++ bool has_switches;
+ bool wakeup_mode;
+ };
+
+@@ -69,7 +70,7 @@ static int intel_vbtn_input_setup(struct platform_device *device)
+ keymap_len += ARRAY_SIZE(intel_vbtn_keymap);
+ }
+
+- if (true) {
++ if (priv->has_switches) {
+ memcpy(&priv->keymap[keymap_len], intel_vbtn_switchmap,
+ ARRAY_SIZE(intel_vbtn_switchmap) *
+ sizeof(struct key_entry));
+@@ -137,16 +138,12 @@ out_unknown:
+
+ static void detect_tablet_mode(struct platform_device *device)
+ {
+- const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+ unsigned long long vgbs;
+ acpi_status status;
+ int m;
+
+- if (!(chassis_type && strcmp(chassis_type, "31") == 0))
+- return;
+-
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ if (ACPI_FAILURE(status))
+ return;
+@@ -157,6 +154,19 @@ static void detect_tablet_mode(struct platform_device *device)
+ input_report_switch(priv->input_dev, SW_DOCK, m);
+ }
+
++static bool intel_vbtn_has_switches(acpi_handle handle)
++{
++ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
++ unsigned long long vgbs;
++ acpi_status status;
++
++ if (!(chassis_type && strcmp(chassis_type, "31") == 0))
++ return false;
++
++ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
++ return ACPI_SUCCESS(status);
++}
++
+ static int intel_vbtn_probe(struct platform_device *device)
+ {
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+@@ -175,13 +185,16 @@ static int intel_vbtn_probe(struct platform_device *device)
+ return -ENOMEM;
+ dev_set_drvdata(&device->dev, priv);
+
++ priv->has_switches = intel_vbtn_has_switches(handle);
++
+ err = intel_vbtn_input_setup(device);
+ if (err) {
+ pr_err("Failed to setup Intel Virtual Button\n");
+ return err;
+ }
+
+- detect_tablet_mode(device);
++ if (priv->has_switches)
++ detect_tablet_mode(device);
+
+ status = acpi_install_notify_handler(handle,
+ ACPI_DEVICE_NOTIFY,
+--
+2.25.1
+
--- /dev/null
+From 36f3e84a6cb295b217a8bc58f4ebc96c8b53d615 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 20:39:16 +0200
+Subject: platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 /
+ "Laptop" chasis-type
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit cfae58ed681c5fe0185db843013ecc71cd265ebf ]
+
+The HP Stream x360 11-p000nd no longer report SW_TABLET_MODE state / events
+with recent kernels. This model reports a chassis-type of 10 / "Notebook"
+which is not on the recently introduced chassis-type whitelist
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a chassis-type whitelist and only listed 31 /
+"Convertible" as being capable of generating valid SW_TABLET_MOD events.
+
+Commit 1fac39fd0316 ("platform/x86: intel-vbtn: Also handle tablet-mode
+switch on "Detachable" and "Portable" chassis-types") extended the
+whitelist with chassis-types 8 / "Portable" and 32 / "Detachable".
+
+And now we need to exten the whitelist again with 10 / "Notebook"...
+
+The issue original fixed by the whitelist is really a ACPI DSDT bug on
+the Dell XPS 9360 where it has a VGBS which reports it is in tablet mode
+even though it is not a 2-in-1 at all, but a regular laptop.
+
+So since this is a workaround for a DSDT issue on that specific model,
+instead of extending the whitelist over and over again, lets switch to
+a blacklist and only blacklist the chassis-type of the model for which
+the chassis-type check was added.
+
+Note this also fixes the current version of the code no longer checking
+if dmi_get_system_info(DMI_CHASSIS_TYPE) returns NULL.
+
+Fixes: 1fac39fd0316 ("platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types")
+Cc: Mario Limonciello <mario.limonciello@dell.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Mario Limonciello <Mario.limonciello@dell.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 5f8120d12859..d122f33d43ac 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -157,21 +157,18 @@ static void detect_tablet_mode(struct platform_device *device)
+ static bool intel_vbtn_has_switches(acpi_handle handle)
+ {
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+- unsigned long chassis_type_int;
+ unsigned long long vgbs;
+ acpi_status status;
+
+- if (kstrtoul(chassis_type, 10, &chassis_type_int))
+- return false;
+-
+- switch (chassis_type_int) {
+- case 8: /* Portable */
+- case 31: /* Convertible */
+- case 32: /* Detachable */
+- break;
+- default:
++ /*
++ * Some normal laptops have a VGBS method despite being non-convertible
++ * and their VGBS method always returns 0, causing detect_tablet_mode()
++ * to report SW_TABLET_MODE=1 to userspace, which causes issues.
++ * These laptops have a DMI chassis_type of 9 ("Laptop"), do not report
++ * switches on any devices with a DMI chassis_type of 9.
++ */
++ if (chassis_type && strcmp(chassis_type, "9") == 0)
+ return false;
+- }
+
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ return ACPI_SUCCESS(status);
+--
+2.25.1
+
--- /dev/null
+From 85587fcf3f7b3e0963693aafceb8bbaa8131a0b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 20:29:48 +0200
+Subject: platform/x86: intel-vbtn: Split keymap into buttons and switches
+ parts
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit f6ba524970c4b73b234bf41ecd6628f5803b1559 ]
+
+Split the sparse keymap into 2 separate keymaps, a buttons and a switches
+keymap and combine the 2 to a single map again in intel_vbtn_input_setup().
+
+This is a preparation patch for not telling userspace that we have switches
+when we do not have them (and for doing the same for the buttons).
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 0bcfa20dd614..e42203776727 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -39,14 +39,20 @@ static const struct key_entry intel_vbtn_keymap[] = {
+ { KE_IGNORE, 0xC7, { KEY_VOLUMEDOWN } }, /* volume-down key release */
+ { KE_KEY, 0xC8, { KEY_ROTATE_LOCK_TOGGLE } }, /* rotate-lock key press */
+ { KE_KEY, 0xC9, { KEY_ROTATE_LOCK_TOGGLE } }, /* rotate-lock key release */
++};
++
++static const struct key_entry intel_vbtn_switchmap[] = {
+ { KE_SW, 0xCA, { .sw = { SW_DOCK, 1 } } }, /* Docked */
+ { KE_SW, 0xCB, { .sw = { SW_DOCK, 0 } } }, /* Undocked */
+ { KE_SW, 0xCC, { .sw = { SW_TABLET_MODE, 1 } } }, /* Tablet */
+ { KE_SW, 0xCD, { .sw = { SW_TABLET_MODE, 0 } } }, /* Laptop */
+- { KE_END },
+ };
+
++#define KEYMAP_LEN \
++ (ARRAY_SIZE(intel_vbtn_keymap) + ARRAY_SIZE(intel_vbtn_switchmap) + 1)
++
+ struct intel_vbtn_priv {
++ struct key_entry keymap[KEYMAP_LEN];
+ struct input_dev *input_dev;
+ bool wakeup_mode;
+ };
+@@ -54,13 +60,29 @@ struct intel_vbtn_priv {
+ static int intel_vbtn_input_setup(struct platform_device *device)
+ {
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+- int ret;
++ int ret, keymap_len = 0;
++
++ if (true) {
++ memcpy(&priv->keymap[keymap_len], intel_vbtn_keymap,
++ ARRAY_SIZE(intel_vbtn_keymap) *
++ sizeof(struct key_entry));
++ keymap_len += ARRAY_SIZE(intel_vbtn_keymap);
++ }
++
++ if (true) {
++ memcpy(&priv->keymap[keymap_len], intel_vbtn_switchmap,
++ ARRAY_SIZE(intel_vbtn_switchmap) *
++ sizeof(struct key_entry));
++ keymap_len += ARRAY_SIZE(intel_vbtn_switchmap);
++ }
++
++ priv->keymap[keymap_len].type = KE_END;
+
+ priv->input_dev = devm_input_allocate_device(&device->dev);
+ if (!priv->input_dev)
+ return -ENOMEM;
+
+- ret = sparse_keymap_setup(priv->input_dev, intel_vbtn_keymap, NULL);
++ ret = sparse_keymap_setup(priv->input_dev, priv->keymap, NULL);
+ if (ret)
+ return ret;
+
+--
+2.25.1
+
--- /dev/null
+From 7c79f82eb86d7f0050b9ec307a8e994fe65a8cb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 20:29:47 +0200
+Subject: platform/x86: intel-vbtn: Use acpi_evaluate_integer()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 18937875a231d831c309716d6d8fc358f8381881 ]
+
+Use acpi_evaluate_integer() instead of open-coding it.
+
+This is a preparation patch for adding a intel_vbtn_has_switches()
+helper function.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index a0d0cecff55f..0bcfa20dd614 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -118,28 +118,21 @@ static void detect_tablet_mode(struct platform_device *device)
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+- struct acpi_buffer vgbs_output = { ACPI_ALLOCATE_BUFFER, NULL };
+- union acpi_object *obj;
++ unsigned long long vgbs;
+ acpi_status status;
+ int m;
+
+ if (!(chassis_type && strcmp(chassis_type, "31") == 0))
+- goto out;
++ return;
+
+- status = acpi_evaluate_object(handle, "VGBS", NULL, &vgbs_output);
++ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ if (ACPI_FAILURE(status))
+- goto out;
+-
+- obj = vgbs_output.pointer;
+- if (!(obj && obj->type == ACPI_TYPE_INTEGER))
+- goto out;
++ return;
+
+- m = !(obj->integer.value & TABLET_MODE_FLAG);
++ m = !(vgbs & TABLET_MODE_FLAG);
+ input_report_switch(priv->input_dev, SW_TABLET_MODE, m);
+- m = (obj->integer.value & DOCK_MODE_FLAG) ? 1 : 0;
++ m = (vgbs & DOCK_MODE_FLAG) ? 1 : 0;
+ input_report_switch(priv->input_dev, SW_DOCK, m);
+-out:
+- kfree(vgbs_output.pointer);
+ }
+
+ static int intel_vbtn_probe(struct platform_device *device)
+--
+2.25.1
+
--- /dev/null
+From bda23d5fc6e76679b6dfb567b985d78d727afe80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 12:12:50 +0200
+Subject: powerpc/spufs: fix copy_to_user while atomic
+
+From: Jeremy Kerr <jk@ozlabs.org>
+
+[ Upstream commit 88413a6bfbbe2f648df399b62f85c934460b7a4d ]
+
+Currently, we may perform a copy_to_user (through
+simple_read_from_buffer()) while holding a context's register_lock,
+while accessing the context save area.
+
+This change uses a temporary buffer for the context save area data,
+which we then pass to simple_read_from_buffer.
+
+Includes changes from Christoph Hellwig <hch@lst.de>.
+
+Fixes: bf1ab978be23 ("[POWERPC] coredump: Add SPU elf notes to coredump.")
+Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+[hch: renamed to function to avoid ___-prefixes]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/spufs/file.c | 113 +++++++++++++++--------
+ 1 file changed, 75 insertions(+), 38 deletions(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
+index 43e7b93f27c7..d16adcd93921 100644
+--- a/arch/powerpc/platforms/cell/spufs/file.c
++++ b/arch/powerpc/platforms/cell/spufs/file.c
+@@ -1991,8 +1991,9 @@ static ssize_t __spufs_mbox_info_read(struct spu_context *ctx,
+ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+- int ret;
+ struct spu_context *ctx = file->private_data;
++ u32 stat, data;
++ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+@@ -2001,11 +2002,16 @@ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_mbox_info_read(ctx, buf, len, pos);
++ stat = ctx->csa.prob.mb_stat_R;
++ data = ctx->csa.prob.pu_mb_R;
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ /* EOF if there's no entry in the mbox */
++ if (!(stat & 0x0000ff))
++ return 0;
++
++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data));
+ }
+
+ static const struct file_operations spufs_mbox_info_fops = {
+@@ -2032,6 +2038,7 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ u32 stat, data;
+ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+@@ -2041,11 +2048,16 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_ibox_info_read(ctx, buf, len, pos);
++ stat = ctx->csa.prob.mb_stat_R;
++ data = ctx->csa.priv2.puint_mb_R;
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ /* EOF if there's no entry in the ibox */
++ if (!(stat & 0xff0000))
++ return 0;
++
++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data));
+ }
+
+ static const struct file_operations spufs_ibox_info_fops = {
+@@ -2054,6 +2066,11 @@ static const struct file_operations spufs_ibox_info_fops = {
+ .llseek = generic_file_llseek,
+ };
+
++static size_t spufs_wbox_info_cnt(struct spu_context *ctx)
++{
++ return (4 - ((ctx->csa.prob.mb_stat_R & 0x00ff00) >> 8)) * sizeof(u32);
++}
++
+ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx,
+ char __user *buf, size_t len, loff_t *pos)
+ {
+@@ -2062,7 +2079,7 @@ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx,
+ u32 wbox_stat;
+
+ wbox_stat = ctx->csa.prob.mb_stat_R;
+- cnt = 4 - ((wbox_stat & 0x00ff00) >> 8);
++ cnt = spufs_wbox_info_cnt(ctx);
+ for (i = 0; i < cnt; i++) {
+ data[i] = ctx->csa.spu_mailbox_data[i];
+ }
+@@ -2075,7 +2092,8 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
+- int ret;
++ u32 data[ARRAY_SIZE(ctx->csa.spu_mailbox_data)];
++ int ret, count;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+@@ -2084,11 +2102,13 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_wbox_info_read(ctx, buf, len, pos);
++ count = spufs_wbox_info_cnt(ctx);
++ memcpy(&data, &ctx->csa.spu_mailbox_data, sizeof(data));
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &data,
++ count * sizeof(u32));
+ }
+
+ static const struct file_operations spufs_wbox_info_fops = {
+@@ -2097,27 +2117,33 @@ static const struct file_operations spufs_wbox_info_fops = {
+ .llseek = generic_file_llseek,
+ };
+
+-static ssize_t __spufs_dma_info_read(struct spu_context *ctx,
+- char __user *buf, size_t len, loff_t *pos)
++static void spufs_get_dma_info(struct spu_context *ctx,
++ struct spu_dma_info *info)
+ {
+- struct spu_dma_info info;
+- struct mfc_cq_sr *qp, *spuqp;
+ int i;
+
+- info.dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW;
+- info.dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0];
+- info.dma_info_status = ctx->csa.spu_chnldata_RW[24];
+- info.dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25];
+- info.dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27];
++ info->dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW;
++ info->dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0];
++ info->dma_info_status = ctx->csa.spu_chnldata_RW[24];
++ info->dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25];
++ info->dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27];
+ for (i = 0; i < 16; i++) {
+- qp = &info.dma_info_command_data[i];
+- spuqp = &ctx->csa.priv2.spuq[i];
++ struct mfc_cq_sr *qp = &info->dma_info_command_data[i];
++ struct mfc_cq_sr *spuqp = &ctx->csa.priv2.spuq[i];
+
+ qp->mfc_cq_data0_RW = spuqp->mfc_cq_data0_RW;
+ qp->mfc_cq_data1_RW = spuqp->mfc_cq_data1_RW;
+ qp->mfc_cq_data2_RW = spuqp->mfc_cq_data2_RW;
+ qp->mfc_cq_data3_RW = spuqp->mfc_cq_data3_RW;
+ }
++}
++
++static ssize_t __spufs_dma_info_read(struct spu_context *ctx,
++ char __user *buf, size_t len, loff_t *pos)
++{
++ struct spu_dma_info info;
++
++ spufs_get_dma_info(ctx, &info);
+
+ return simple_read_from_buffer(buf, len, pos, &info,
+ sizeof info);
+@@ -2127,6 +2153,7 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ struct spu_dma_info info;
+ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+@@ -2136,11 +2163,12 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_dma_info_read(ctx, buf, len, pos);
++ spufs_get_dma_info(ctx, &info);
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &info,
++ sizeof(info));
+ }
+
+ static const struct file_operations spufs_dma_info_fops = {
+@@ -2149,13 +2177,31 @@ static const struct file_operations spufs_dma_info_fops = {
+ .llseek = no_llseek,
+ };
+
++static void spufs_get_proxydma_info(struct spu_context *ctx,
++ struct spu_proxydma_info *info)
++{
++ int i;
++
++ info->proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
++ info->proxydma_info_mask = ctx->csa.prob.dma_querymask_RW;
++ info->proxydma_info_status = ctx->csa.prob.dma_tagstatus_R;
++
++ for (i = 0; i < 8; i++) {
++ struct mfc_cq_sr *qp = &info->proxydma_info_command_data[i];
++ struct mfc_cq_sr *puqp = &ctx->csa.priv2.puq[i];
++
++ qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW;
++ qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW;
++ qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW;
++ qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW;
++ }
++}
++
+ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
+ char __user *buf, size_t len, loff_t *pos)
+ {
+ struct spu_proxydma_info info;
+- struct mfc_cq_sr *qp, *puqp;
+ int ret = sizeof info;
+- int i;
+
+ if (len < ret)
+ return -EINVAL;
+@@ -2163,18 +2209,7 @@ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+
+- info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
+- info.proxydma_info_mask = ctx->csa.prob.dma_querymask_RW;
+- info.proxydma_info_status = ctx->csa.prob.dma_tagstatus_R;
+- for (i = 0; i < 8; i++) {
+- qp = &info.proxydma_info_command_data[i];
+- puqp = &ctx->csa.priv2.puq[i];
+-
+- qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW;
+- qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW;
+- qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW;
+- qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW;
+- }
++ spufs_get_proxydma_info(ctx, &info);
+
+ return simple_read_from_buffer(buf, len, pos, &info,
+ sizeof info);
+@@ -2184,17 +2219,19 @@ static ssize_t spufs_proxydma_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ struct spu_proxydma_info info;
+ int ret;
+
+ ret = spu_acquire_saved(ctx);
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_proxydma_info_read(ctx, buf, len, pos);
++ spufs_get_proxydma_info(ctx, &info);
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &info,
++ sizeof(info));
+ }
+
+ static const struct file_operations spufs_proxydma_info_fops = {
+--
+2.25.1
+
--- /dev/null
+From 13c551b556101c1fb5bb56319b4eca33a6da456c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 May 2020 12:39:51 +0300
+Subject: rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit beb12813bc75d4a23de43b85ad1c7cb28d27631e ]
+
+Seven years ago we tried to fix a leak but actually introduced a double
+free instead. It was an understandable mistake because the code was a
+bit confusing and the free was done in the wrong place. The "skb"
+pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit().
+The free belongs _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup()
+and I've cleaned the code up a bit to hopefully make it more clear.
+
+Fixes: 36ef0b473fbf ("rtlwifi: usb: add missing freeing of skbuff")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200513093951.GD347693@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index 1181b725f503..1893640555c1 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -910,10 +910,8 @@ static struct urb *_rtl_usb_tx_urb_setup(struct ieee80211_hw *hw,
+
+ WARN_ON(NULL == skb);
+ _urb = usb_alloc_urb(0, GFP_ATOMIC);
+- if (!_urb) {
+- kfree_skb(skb);
++ if (!_urb)
+ return NULL;
+- }
+ _rtl_install_trx_info(rtlusb, skb, ep_num);
+ usb_fill_bulk_urb(_urb, rtlusb->udev, usb_sndbulkpipe(rtlusb->udev,
+ ep_num), skb->data, skb->len, _rtl_tx_complete, skb);
+@@ -927,7 +925,6 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb,
+ struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw));
+ u32 ep_num;
+ struct urb *_urb = NULL;
+- struct sk_buff *_skb = NULL;
+
+ WARN_ON(NULL == rtlusb->usb_tx_aggregate_hdl);
+ if (unlikely(IS_USB_STOP(rtlusb))) {
+@@ -936,8 +933,7 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb,
+ return;
+ }
+ ep_num = rtlusb->ep_map.ep_mapping[qnum];
+- _skb = skb;
+- _urb = _rtl_usb_tx_urb_setup(hw, _skb, ep_num);
++ _urb = _rtl_usb_tx_urb_setup(hw, skb, ep_num);
+ if (unlikely(!_urb)) {
+ pr_err("Can't allocate urb. Drop skb!\n");
+ kfree_skb(skb);
+--
+2.25.1
+
--- /dev/null
+From 097fdd238fddb1abfdee5086cb4354987c1f3b37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2020 17:40:33 -0400
+Subject: sched/core: Fix illegal RCU from offline CPUs
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit bf2c59fce4074e55d622089b34be3a6bc95484fb ]
+
+In the CPU-offline process, it calls mmdrop() after idle entry and the
+subsequent call to cpuhp_report_idle_dead(). Once execution passes the
+call to rcu_report_dead(), RCU is ignoring the CPU, which results in
+lockdep complaining when mmdrop() uses RCU from either memcg or
+debugobjects below.
+
+Fix it by cleaning up the active_mm state from BP instead. Every arch
+which has CONFIG_HOTPLUG_CPU should have already called idle_task_exit()
+from AP. The only exception is parisc because it switches them to
+&init_mm unconditionally (see smp_boot_one_cpu() and smp_cpu_init()),
+but the patch will still work there because it calls mmgrab(&init_mm) in
+smp_cpu_init() and then should call mmdrop(&init_mm) in finish_cpu().
+
+ WARNING: suspicious RCU usage
+ -----------------------------
+ kernel/workqueue.c:710 RCU or wq_pool_mutex should be held!
+
+ other info that might help us debug this:
+
+ RCU used illegally from offline CPU!
+ Call Trace:
+ dump_stack+0xf4/0x164 (unreliable)
+ lockdep_rcu_suspicious+0x140/0x164
+ get_work_pool+0x110/0x150
+ __queue_work+0x1bc/0xca0
+ queue_work_on+0x114/0x120
+ css_release+0x9c/0xc0
+ percpu_ref_put_many+0x204/0x230
+ free_pcp_prepare+0x264/0x570
+ free_unref_page+0x38/0xf0
+ __mmdrop+0x21c/0x2c0
+ idle_task_exit+0x170/0x1b0
+ pnv_smp_cpu_kill_self+0x38/0x2e0
+ cpu_die+0x48/0x64
+ arch_cpu_idle_dead+0x30/0x50
+ do_idle+0x2f4/0x470
+ cpu_startup_entry+0x38/0x40
+ start_secondary+0x7a8/0xa80
+ start_secondary_resume+0x10/0x14
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Link: https://lkml.kernel.org/r/20200401214033.8448-1-cai@lca.pw
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/smp.c | 1 -
+ include/linux/sched/mm.h | 2 ++
+ kernel/cpu.c | 18 +++++++++++++++++-
+ kernel/sched/core.c | 5 +++--
+ 4 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c
+index 3d3c989e44dd..8d49ba370c50 100644
+--- a/arch/powerpc/platforms/powernv/smp.c
++++ b/arch/powerpc/platforms/powernv/smp.c
+@@ -171,7 +171,6 @@ static void pnv_smp_cpu_kill_self(void)
+ /* Standard hot unplug procedure */
+
+ idle_task_exit();
+- current->active_mm = NULL; /* for sanity */
+ cpu = smp_processor_id();
+ DBG("CPU%d offline\n", cpu);
+ generic_set_cpu_dead(cpu);
+diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
+index e9d4e389aed9..766bbe813861 100644
+--- a/include/linux/sched/mm.h
++++ b/include/linux/sched/mm.h
+@@ -49,6 +49,8 @@ static inline void mmdrop(struct mm_struct *mm)
+ __mmdrop(mm);
+ }
+
++void mmdrop(struct mm_struct *mm);
++
+ /*
+ * This has to be called after a get_task_mm()/mmget_not_zero()
+ * followed by taking the mmap_sem for writing before modifying the
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 6d6c106a495c..08b9d6ba0807 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -3,6 +3,7 @@
+ *
+ * This code is licenced under the GPL.
+ */
++#include <linux/sched/mm.h>
+ #include <linux/proc_fs.h>
+ #include <linux/smp.h>
+ #include <linux/init.h>
+@@ -532,6 +533,21 @@ static int bringup_cpu(unsigned int cpu)
+ return bringup_wait_for_ap(cpu);
+ }
+
++static int finish_cpu(unsigned int cpu)
++{
++ struct task_struct *idle = idle_thread_get(cpu);
++ struct mm_struct *mm = idle->active_mm;
++
++ /*
++ * idle_task_exit() will have switched to &init_mm, now
++ * clean up any remaining active_mm state.
++ */
++ if (mm != &init_mm)
++ idle->active_mm = &init_mm;
++ mmdrop(mm);
++ return 0;
++}
++
+ /*
+ * Hotplug state machine related functions
+ */
+@@ -1379,7 +1395,7 @@ static struct cpuhp_step cpuhp_hp_states[] = {
+ [CPUHP_BRINGUP_CPU] = {
+ .name = "cpu:bringup",
+ .startup.single = bringup_cpu,
+- .teardown.single = NULL,
++ .teardown.single = finish_cpu,
+ .cant_stop = true,
+ },
+ /* Final state before CPU kills itself */
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 2befd2c4ce9e..0325ccf3a8e4 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5571,13 +5571,14 @@ void idle_task_exit(void)
+ struct mm_struct *mm = current->active_mm;
+
+ BUG_ON(cpu_online(smp_processor_id()));
++ BUG_ON(current != this_rq()->idle);
+
+ if (mm != &init_mm) {
+ switch_mm(mm, &init_mm, current);
+- current->active_mm = &init_mm;
+ finish_arch_post_lock_switch();
+ }
+- mmdrop(mm);
++
++ /* finish_cpu(), as ran on the BP, will clean up the active_mm state */
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 67b7fa9ae8f17021b64bb6abca696128427660a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:06 -0700
+Subject: selftests/bpf: Fix memory leak in extract_build_id()
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 9f56bb531a809ecaa7f0ddca61d2cf3adc1cb81a ]
+
+getline() allocates string, which has to be freed.
+
+Fixes: 81f77fd0deeb ("bpf: add selftest for stackmap with BPF_F_STACK_BUILD_ID")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Cc: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-7-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 89f8b0dae7ef..bad3505d66e0 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -1118,6 +1118,7 @@ static int extract_build_id(char *build_id, size_t size)
+ len = size;
+ memcpy(build_id, line, len);
+ build_id[len] = '\0';
++ free(line);
+ return 0;
+ err:
+ fclose(fp);
+--
+2.25.1
+
xen-pvcalls-back-test-for-errors-when-calling-backend_connect.patch
kvm-arm64-synchronize-sysreg-state-on-injecting-an-aarch32-exception.patch
acpi-ged-use-correct-trigger-type-field-in-_exx-_lxx-handling.patch
+drm-bridge-adv7511-extend-list-of-audio-sample-rates.patch
+crypto-ccp-don-t-select-config_dmadevices.patch
+media-si2157-better-check-for-running-tuner-in-init.patch
+objtool-ignore-empty-alternatives.patch
+spi-pxa2xx-apply-cs-clk-quirk-to-bxt.patch
+net-atlantic-make-hw_get_regs-optional.patch
+net-ena-fix-error-returning-in-ena_com_get_hash_func.patch
+efi-libstub-x86-work-around-llvm-elf-quirk-build-reg.patch
+arm64-cacheflush-fix-kgdb-trap-detection.patch
+spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch
+arm64-insn-fix-two-bugs-in-encoding-32-bit-logical-i.patch
+ixgbe-fix-xdp-redirect-on-archs-with-page_size-above.patch
+mips-loongson-build-ati-radeon-gpu-driver-as-module.patch
+bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch
+kgdb-disable-warn_console_unlocked-for-all-kgdb.patch
+kgdb-prevent-infinite-recursive-entries-to-the-debug.patch
+spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch
+clocksource-dw_apb_timer-make-cpu-affiliation-being-.patch
+clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch
+btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch
+arm-8978-1-mm-make-act_mm-respect-thread_size.patch
+batman-adv-revert-disable-ethtool-link-speed-detecti.patch
+mmc-meson-mx-sdio-trigger-a-soft-reset-after-a-timeo.patch
+spi-dw-fix-rx-only-dma-transfers.patch
+x86-kvm-hyper-v-explicitly-align-hcall-param-for-kvm.patch
+net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch
+staging-android-ion-use-vmap-instead-of-vm_map_ram.patch
+brcmfmac-fix-wrong-location-to-get-firmware-feature.patch
+tools-api-fs-make-xxx__mountpoint-more-scalable.patch
+e1000-distribute-switch-variables-for-initialization.patch
+dt-bindings-display-mediatek-control-dpi-pins-mode-t.patch
+audit-fix-a-net-reference-leak-in-audit_send_reply.patch
+media-dvb-return-eremoteio-on-i2c-transfer-failure.patch
+media-platform-fcp-set-appropriate-dma-parameters.patch
+mips-make-sparse_init-using-top-down-allocation.patch
+bluetooth-btbcm-add-2-missing-models-to-subver-table.patch
+audit-fix-a-net-reference-leak-in-audit_list_rules_s.patch
+netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch
+selftests-bpf-fix-memory-leak-in-extract_build_id.patch
+net-bcmgenet-set-rx-mode-before-starting-netif.patch
+lib-mpi-fix-64-bit-mips-build-with-clang.patch
+exit-move-preemption-fixup-up-move-blocking-operatio.patch
+sched-core-fix-illegal-rcu-from-offline-cpus.patch
+drivers-perf-hisi-fix-typo-in-events-attribute-array.patch
+net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch
+media-cec-silence-shift-wrapping-warning-in-__cec_s_.patch
+net-allwinner-fix-use-correct-return-type-for-ndo_st.patch
+powerpc-spufs-fix-copy_to_user-while-atomic.patch
+xfs-clean-up-the-error-handling-in-xfs_swap_extents.patch
+crypto-chcr-fix-for-ccm-aes-failed-test.patch
+mips-truncate-link-address-into-32bit-for-32bit-kern.patch
+mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch
+kgdb-fix-spurious-true-from-in_dbg_master.patch
+xfs-reset-buffer-write-failure-state-on-successful-c.patch
+xfs-fix-duplicate-verification-from-xfs_qm_dqflush.patch
+platform-x86-intel-vbtn-use-acpi_evaluate_integer.patch
+platform-x86-intel-vbtn-split-keymap-into-buttons-an.patch
+platform-x86-intel-vbtn-do-not-advertise-switches-to.patch
+platform-x86-intel-vbtn-also-handle-tablet-mode-swit.patch
+nvme-refine-the-qemu-identify-cns-quirk.patch
+ath10k-remove-msdu-from-idr-when-management-pkt-send.patch
+wcn36xx-fix-error-handling-path-in-wcn36xx_probe.patch
+net-qed-reduce-rx-and-tx-default-ring-count-when-run.patch
+mt76-avoid-rx-reorder-buffer-overflow.patch
+md-don-t-flush-workqueue-unconditionally-in-md_open.patch
+veth-adjust-hard_start-offset-on-redirect-xdp-frames.patch
+net-mlx5e-ipoib-drop-multicast-packets-that-this-int.patch
+rtlwifi-fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch
+mwifiex-fix-memory-corruption-in-dump_station.patch
+x86-boot-correct-relocation-destination-on-old-linke.patch
+mips-maar-use-more-precise-address-mask.patch
+mips-add-udelay-lpj-numbers-adjustment.patch
+crypto-stm32-crc32-fix-ext4-chksum-bug_on.patch
+crypto-stm32-crc32-fix-run-time-self-test-issue.patch
+crypto-stm32-crc32-fix-multi-instance.patch
+x86-mm-stop-printing-brk-addresses.patch
+m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch
+btrfs-qgroup-mark-qgroup-inconsistent-if-we-re-inher.patch
+net-ethernet-fec-move-gpr-register-offset-and-bit-in.patch
+macvlan-skip-loopback-packets-in-rx-handler.patch
+pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch
+mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch
+bcache-fix-refcount-underflow-in-bcache_device_free.patch
+mmc-sdhci-msm-set-sdhci_quirk_multiblock_read_acmd12.patch
+staging-greybus-sdio-respect-the-cmd-busy_timeout-fr.patch
+mmc-via-sdmmc-respect-the-cmd-busy_timeout-from-the-.patch
+ixgbe-fix-signed-integer-overflow-warning.patch
+mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch
+spi-dw-return-any-value-retrieved-from-the-dma_trans.patch
+cpuidle-fix-three-reference-count-leaks.patch
+platform-x86-hp-wmi-convert-simple_strtoul-to-kstrto.patch
+platform-x86-intel-hid-add-a-quirk-to-support-hp-spe.patch
+platform-x86-intel-vbtn-only-blacklist-sw_tablet_mod.patch
+string.h-fix-incompatibility-between-fortify_source-.patch
--- /dev/null
+From 180d25d8ef04c896123a86f88d04378f01dbb8ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 03:07:51 +0300
+Subject: spi: dw: Enable interrupts in accordance with DMA xfer mode
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 43dba9f3f98c2b184a19f856f06fe22817bfd9e0 ]
+
+It's pointless to track the Tx overrun interrupts if Rx-only SPI
+transfer is issued. Similarly there is no need in handling the Rx
+overrun/underrun interrupts if Tx-only SPI transfer is executed.
+So lets unmask the interrupts only if corresponding SPI
+transactions are implied.
+
+Co-developed-by: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Signed-off-by: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200522000806.7381-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index f7ec8b98e6db..e1b34ef9a31c 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -228,19 +228,23 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws,
+
+ static int mid_spi_dma_setup(struct dw_spi *dws, struct spi_transfer *xfer)
+ {
+- u16 dma_ctrl = 0;
++ u16 imr = 0, dma_ctrl = 0;
+
+ dw_writel(dws, DW_SPI_DMARDLR, 0xf);
+ dw_writel(dws, DW_SPI_DMATDLR, 0x10);
+
+- if (xfer->tx_buf)
++ if (xfer->tx_buf) {
+ dma_ctrl |= SPI_DMA_TDMAE;
+- if (xfer->rx_buf)
++ imr |= SPI_INT_TXOI;
++ }
++ if (xfer->rx_buf) {
+ dma_ctrl |= SPI_DMA_RDMAE;
++ imr |= SPI_INT_RXUI | SPI_INT_RXOI;
++ }
+ dw_writel(dws, DW_SPI_DMACR, dma_ctrl);
+
+ /* Set the interrupt mask */
+- spi_umask_intr(dws, SPI_INT_TXOI | SPI_INT_RXUI | SPI_INT_RXOI);
++ spi_umask_intr(dws, imr);
+
+ dws->transfer_handler = dma_transfer;
+
+--
+2.25.1
+
--- /dev/null
+From af2292769a59792bf88ef93c3f2cf1223f3ef428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 16:11:57 +0300
+Subject: spi: dw: Fix Rx-only DMA transfers
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 46164fde6b7890e7a3982d54549947c8394c0192 ]
+
+Tx-only DMA transfers are working perfectly fine since in this case
+the code just ignores the Rx FIFO overflow interrupts. But it turns
+out the SPI Rx-only transfers are broken since nothing pushing any
+data to the shift registers, so the Rx FIFO is left empty and the
+SPI core subsystems just returns a timeout error. Since DW DMAC
+driver doesn't support something like cyclic write operations of
+a single byte to a device register, the only way to support the
+Rx-only SPI transfers is to fake it by using a dummy Tx-buffer.
+This is what we intend to fix in this commit by setting the
+SPI_CONTROLLER_MUST_TX flag for DMA-capable platform.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529131205.31838-9-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index ac888a3d03aa..3fbd6f01fb10 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -533,6 +533,7 @@ int dw_spi_add_host(struct device *dev, struct dw_spi *dws)
+ dws->dma_inited = 0;
+ } else {
+ master->can_dma = dws->dma_ops->can_dma;
++ master->flags |= SPI_CONTROLLER_MUST_TX;
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 558f5fc6ef870a6506e28107d134b5915b1e2f12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 16:11:51 +0300
+Subject: spi: dw: Return any value retrieved from the dma_transfer callback
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit f0410bbf7d0fb80149e3b17d11d31f5b5197873e ]
+
+DW APB SSI DMA-part of the driver may need to perform the requested
+SPI-transfer synchronously. In that case the dma_transfer() callback
+will return 0 as a marker of the SPI transfer being finished so the
+SPI core doesn't need to wait and may proceed with the SPI message
+trasnfers pumping procedure. This will be needed to fix the problem
+when DMA transactions are finished, but there is still data left in
+the SPI Tx/Rx FIFOs being sent/received. But for now make dma_transfer
+to return 1 as the normal dw_spi_transfer_one() method.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529131205.31838-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 2 +-
+ drivers/spi/spi-dw.c | 7 ++-----
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index e1b34ef9a31c..10f328558d55 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -274,7 +274,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, struct spi_transfer *xfer)
+ dma_async_issue_pending(dws->txchan);
+ }
+
+- return 0;
++ return 1;
+ }
+
+ static void mid_spi_dma_stop(struct dw_spi *dws)
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index 3fbd6f01fb10..b1c137261d0f 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -383,11 +383,8 @@ static int dw_spi_transfer_one(struct spi_controller *master,
+
+ spi_enable_chip(dws, 1);
+
+- if (dws->dma_mapped) {
+- ret = dws->dma_ops->dma_transfer(dws, transfer);
+- if (ret < 0)
+- return ret;
+- }
++ if (dws->dma_mapped)
++ return dws->dma_ops->dma_transfer(dws, transfer);
+
+ if (chip->poll_mode)
+ return poll_transfer(dws);
+--
+2.25.1
+
--- /dev/null
+From 6e51268c5f9d39a0042ffeca6adad3fc98c4c6b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 18:30:18 +0300
+Subject: spi: dw: Zero DMA Tx and Rx configurations on stack
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 3cb97e223d277f84171cc4ccecab31e08b2ee7b5 ]
+
+Some DMA controller drivers do not tolerate non-zero values in
+the DMA configuration structures. Zero them to avoid issues with
+such DMA controller drivers. Even despite above this is a good
+practice per se.
+
+Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Feng Tang <feng.tang@intel.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Link: https://lore.kernel.org/r/20200506153025.21441-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index 3db905f5f345..f7ec8b98e6db 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -155,6 +155,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_tx(struct dw_spi *dws,
+ if (!xfer->tx_buf)
+ return NULL;
+
++ memset(&txconf, 0, sizeof(txconf));
+ txconf.direction = DMA_MEM_TO_DEV;
+ txconf.dst_addr = dws->dma_addr;
+ txconf.dst_maxburst = 16;
+@@ -201,6 +202,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws,
+ if (!xfer->rx_buf)
+ return NULL;
+
++ memset(&rxconf, 0, sizeof(rxconf));
+ rxconf.direction = DMA_DEV_TO_MEM;
+ rxconf.src_addr = dws->dma_addr;
+ rxconf.src_maxburst = 16;
+--
+2.25.1
+
--- /dev/null
+From 2cea164ec59dafc120a5222790d0685b13143516 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 16:32:48 -0700
+Subject: spi: pxa2xx: Apply CS clk quirk to BXT
+
+From: Evan Green <evgreen@chromium.org>
+
+[ Upstream commit 6eefaee4f2d366a389da0eb95e524ba82bf358c4 ]
+
+With a couple allies at Intel, and much badgering, I got confirmation
+from Intel that at least BXT suffers from the same SPI chip-select
+issue as Cannonlake (and beyond). The issue being that after going
+through runtime suspend/resume, toggling the chip-select line without
+also sending data does nothing.
+
+Add the quirk to BXT to briefly toggle dynamic clock gating off and
+on, forcing the fabric to wake up enough to notice the CS register
+change.
+
+Signed-off-by: Evan Green <evgreen@chromium.org>
+Cc: Shobhit Srivastava <shobhit.srivastava@intel.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20200427163238.1.Ib1faaabe236e37ea73be9b8dcc6aa034cb3c8804@changeid
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-pxa2xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
+index 2525fd9c8aa4..eafd0c2135a1 100644
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -156,6 +156,7 @@ static const struct lpss_config lpss_platforms[] = {
+ .tx_threshold_hi = 48,
+ .cs_sel_shift = 8,
+ .cs_sel_mask = 3 << 8,
++ .cs_clk_stays_gated = true,
+ },
+ { /* LPSS_CNL_SSP */
+ .offset = 0x200,
+--
+2.25.1
+
--- /dev/null
+From 001c55185ebaa65d40a9a8def933ffff7ee3b383 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 21:50:23 -0700
+Subject: staging: android: ion: use vmap instead of vm_map_ram
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 5bf9917452112694b2c774465ee4dbe441c84b77 ]
+
+vm_map_ram can keep mappings around after the vm_unmap_ram. Using that
+with non-PAGE_KERNEL mappings can lead to all kinds of aliasing issues.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Christophe Leroy <christophe.leroy@c-s.fr>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Gao Xiang <xiang@kernel.org>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Michael Kelley <mikelley@microsoft.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Nitin Gupta <ngupta@vflare.org>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: Wei Liu <wei.liu@kernel.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Paul Mackerras <paulus@ozlabs.org>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: http://lkml.kernel.org/r/20200414131348.444715-4-hch@lst.de
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/ion/ion_heap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
+index 31db510018a9..6babcdb4d7d2 100644
+--- a/drivers/staging/android/ion/ion_heap.c
++++ b/drivers/staging/android/ion/ion_heap.c
+@@ -97,12 +97,12 @@ int ion_heap_map_user(struct ion_heap *heap, struct ion_buffer *buffer,
+
+ static int ion_heap_clear_pages(struct page **pages, int num, pgprot_t pgprot)
+ {
+- void *addr = vm_map_ram(pages, num, -1, pgprot);
++ void *addr = vmap(pages, num, VM_MAP, pgprot);
+
+ if (!addr)
+ return -ENOMEM;
+ memset(addr, 0, PAGE_SIZE * num);
+- vm_unmap_ram(addr, num);
++ vunmap(addr);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From f7c0e121ffa7215e07547c972497f82022bcc3f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 18:14:13 +0200
+Subject: staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc
+ core
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit a389087ee9f195fcf2f31cd771e9ec5f02c16650 ]
+
+Using a fixed 1s timeout for all commands is a bit problematic.
+
+For some commands it means waiting longer than needed for the timeout to
+expire, which may not a big issue, but still. For other commands, like for
+an erase (CMD38) that uses a R1B response, may require longer timeouts than
+1s. In these cases, we may end up treating the command as it failed, while
+it just needed some more time to complete successfully.
+
+Fix the problem by respecting the cmd->busy_timeout, which is provided by
+the mmc core.
+
+Cc: Rui Miguel Silva <rmfrfs@gmail.com>
+Cc: Johan Hovold <johan@kernel.org>
+Cc: Alex Elder <elder@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: greybus-dev@lists.linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20200414161413.3036-20-ulf.hansson@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/sdio.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/greybus/sdio.c b/drivers/staging/greybus/sdio.c
+index 38e85033fc4b..afb2e5e5111a 100644
+--- a/drivers/staging/greybus/sdio.c
++++ b/drivers/staging/greybus/sdio.c
+@@ -411,6 +411,7 @@ static int gb_sdio_command(struct gb_sdio_host *host, struct mmc_command *cmd)
+ struct gb_sdio_command_request request = {0};
+ struct gb_sdio_command_response response;
+ struct mmc_data *data = host->mrq->data;
++ unsigned int timeout_ms;
+ u8 cmd_flags;
+ u8 cmd_type;
+ int i;
+@@ -469,9 +470,12 @@ static int gb_sdio_command(struct gb_sdio_host *host, struct mmc_command *cmd)
+ request.data_blksz = cpu_to_le16(data->blksz);
+ }
+
+- ret = gb_operation_sync(host->connection, GB_SDIO_TYPE_COMMAND,
+- &request, sizeof(request), &response,
+- sizeof(response));
++ timeout_ms = cmd->busy_timeout ? cmd->busy_timeout :
++ GB_OPERATION_TIMEOUT_DEFAULT;
++
++ ret = gb_operation_sync_timeout(host->connection, GB_SDIO_TYPE_COMMAND,
++ &request, sizeof(request), &response,
++ sizeof(response), timeout_ms);
+ if (ret < 0)
+ goto out;
+
+--
+2.25.1
+
--- /dev/null
+From 3d5908da4b094ce3f7fcc471c9c31212c797ef48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2020 15:56:46 -0700
+Subject: string.h: fix incompatibility between FORTIFY_SOURCE and KASAN
+
+From: Daniel Axtens <dja@axtens.net>
+
+[ Upstream commit 47227d27e2fcb01a9e8f5958d8997cf47a820afc ]
+
+The memcmp KASAN self-test fails on a kernel with both KASAN and
+FORTIFY_SOURCE.
+
+When FORTIFY_SOURCE is on, a number of functions are replaced with
+fortified versions, which attempt to check the sizes of the operands.
+However, these functions often directly invoke __builtin_foo() once they
+have performed the fortify check. Using __builtins may bypass KASAN
+checks if the compiler decides to inline it's own implementation as
+sequence of instructions, rather than emit a function call that goes out
+to a KASAN-instrumented implementation.
+
+Why is only memcmp affected?
+============================
+
+Of the string and string-like functions that kasan_test tests, only memcmp
+is replaced by an inline sequence of instructions in my testing on x86
+with gcc version 9.2.1 20191008 (Ubuntu 9.2.1-9ubuntu2).
+
+I believe this is due to compiler heuristics. For example, if I annotate
+kmalloc calls with the alloc_size annotation (and disable some fortify
+compile-time checking!), the compiler will replace every memset except the
+one in kmalloc_uaf_memset with inline instructions. (I have some WIP
+patches to add this annotation.)
+
+Does this affect other functions in string.h?
+=============================================
+
+Yes. Anything that uses __builtin_* rather than __real_* could be
+affected. This looks like:
+
+ - strncpy
+ - strcat
+ - strlen
+ - strlcpy maybe, under some circumstances?
+ - strncat under some circumstances
+ - memset
+ - memcpy
+ - memmove
+ - memcmp (as noted)
+ - memchr
+ - strcpy
+
+Whether a function call is emitted always depends on the compiler. Most
+bugs should get caught by FORTIFY_SOURCE, but the missed memcmp test shows
+that this is not always the case.
+
+Isn't FORTIFY_SOURCE disabled with KASAN?
+========================================-
+
+The string headers on all arches supporting KASAN disable fortify with
+kasan, but only when address sanitisation is _also_ disabled. For example
+from x86:
+
+ #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
+ /*
+ * For files that are not instrumented (e.g. mm/slub.c) we
+ * should use not instrumented version of mem* functions.
+ */
+ #define memcpy(dst, src, len) __memcpy(dst, src, len)
+ #define memmove(dst, src, len) __memmove(dst, src, len)
+ #define memset(s, c, n) __memset(s, c, n)
+
+ #ifndef __NO_FORTIFY
+ #define __NO_FORTIFY /* FORTIFY_SOURCE uses __builtin_memcpy, etc. */
+ #endif
+
+ #endif
+
+This comes from commit 6974f0c4555e ("include/linux/string.h: add the
+option of fortified string.h functions"), and doesn't work when KASAN is
+enabled and the file is supposed to be sanitised - as with test_kasan.c
+
+I'm pretty sure this is not wrong, but not as expansive it should be:
+
+ * we shouldn't use __builtin_memcpy etc in files where we don't have
+ instrumentation - it could devolve into a function call to memcpy,
+ which will be instrumented. Rather, we should use __memcpy which
+ by convention is not instrumented.
+
+ * we also shouldn't be using __builtin_memcpy when we have a KASAN
+ instrumented file, because it could be replaced with inline asm
+ that will not be instrumented.
+
+What is correct behaviour?
+==========================
+
+Firstly, there is some overlap between fortification and KASAN: both
+provide some level of _runtime_ checking. Only fortify provides
+compile-time checking.
+
+KASAN and fortify can pick up different things at runtime:
+
+ - Some fortify functions, notably the string functions, could easily be
+ modified to consider sub-object sizes (e.g. members within a struct),
+ and I have some WIP patches to do this. KASAN cannot detect these
+ because it cannot insert poision between members of a struct.
+
+ - KASAN can detect many over-reads/over-writes when the sizes of both
+ operands are unknown, which fortify cannot.
+
+So there are a couple of options:
+
+ 1) Flip the test: disable fortify in santised files and enable it in
+ unsanitised files. This at least stops us missing KASAN checking, but
+ we lose the fortify checking.
+
+ 2) Make the fortify code always call out to real versions. Do this only
+ for KASAN, for fear of losing the inlining opportunities we get from
+ __builtin_*.
+
+(We can't use kasan_check_{read,write}: because the fortify functions are
+_extern inline_, you can't include _static_ inline functions without a
+compiler warning. kasan_check_{read,write} are static inline so we can't
+use them even when they would otherwise be suitable.)
+
+Take approach 2 and call out to real versions when KASAN is enabled.
+
+Use __underlying_foo to distinguish from __real_foo: __real_foo always
+refers to the kernel's implementation of foo, __underlying_foo could be
+either the kernel implementation or the __builtin_foo implementation.
+
+This is sometimes enough to make the memcmp test succeed with
+FORTIFY_SOURCE enabled. It is at least enough to get the function call
+into the module. One more fix is needed to make it reliable: see the next
+patch.
+
+Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: David Gow <davidgow@google.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Daniel Micay <danielmicay@gmail.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Link: http://lkml.kernel.org/r/20200423154503.5103-3-dja@axtens.net
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/string.h | 60 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 48 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index f58e1ef76572..4db285b83f44 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -239,6 +239,31 @@ void __read_overflow3(void) __compiletime_error("detected read beyond size of ob
+ void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
+
+ #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
++
++#ifdef CONFIG_KASAN
++extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr);
++extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp);
++extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy);
++extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove);
++extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset);
++extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat);
++extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
++extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
++extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat);
++extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy);
++#else
++#define __underlying_memchr __builtin_memchr
++#define __underlying_memcmp __builtin_memcmp
++#define __underlying_memcpy __builtin_memcpy
++#define __underlying_memmove __builtin_memmove
++#define __underlying_memset __builtin_memset
++#define __underlying_strcat __builtin_strcat
++#define __underlying_strcpy __builtin_strcpy
++#define __underlying_strlen __builtin_strlen
++#define __underlying_strncat __builtin_strncat
++#define __underlying_strncpy __builtin_strncpy
++#endif
++
+ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ {
+ size_t p_size = __builtin_object_size(p, 0);
+@@ -246,14 +271,14 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ __write_overflow();
+ if (p_size < size)
+ fortify_panic(__func__);
+- return __builtin_strncpy(p, q, size);
++ return __underlying_strncpy(p, q, size);
+ }
+
+ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ {
+ size_t p_size = __builtin_object_size(p, 0);
+ if (p_size == (size_t)-1)
+- return __builtin_strcat(p, q);
++ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+ fortify_panic(__func__);
+ return p;
+@@ -267,7 +292,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ /* Work around gcc excess stack consumption issue */
+ if (p_size == (size_t)-1 ||
+ (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0'))
+- return __builtin_strlen(p);
++ return __underlying_strlen(p);
+ ret = strnlen(p, p_size);
+ if (p_size <= ret)
+ fortify_panic(__func__);
+@@ -300,7 +325,7 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ __write_overflow();
+ if (len >= p_size)
+ fortify_panic(__func__);
+- __builtin_memcpy(p, q, len);
++ __underlying_memcpy(p, q, len);
+ p[len] = '\0';
+ }
+ return ret;
+@@ -313,12 +338,12 @@ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+ size_t p_size = __builtin_object_size(p, 0);
+ size_t q_size = __builtin_object_size(q, 0);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+- return __builtin_strncat(p, q, count);
++ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+ copy_len = strnlen(q, count);
+ if (p_size < p_len + copy_len + 1)
+ fortify_panic(__func__);
+- __builtin_memcpy(p + p_len, q, copy_len);
++ __underlying_memcpy(p + p_len, q, copy_len);
+ p[p_len + copy_len] = '\0';
+ return p;
+ }
+@@ -330,7 +355,7 @@ __FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size)
+ __write_overflow();
+ if (p_size < size)
+ fortify_panic(__func__);
+- return __builtin_memset(p, c, size);
++ return __underlying_memset(p, c, size);
+ }
+
+ __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
+@@ -345,7 +370,7 @@ __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
+ }
+ if (p_size < size || q_size < size)
+ fortify_panic(__func__);
+- return __builtin_memcpy(p, q, size);
++ return __underlying_memcpy(p, q, size);
+ }
+
+ __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
+@@ -360,7 +385,7 @@ __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
+ }
+ if (p_size < size || q_size < size)
+ fortify_panic(__func__);
+- return __builtin_memmove(p, q, size);
++ return __underlying_memmove(p, q, size);
+ }
+
+ extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
+@@ -386,7 +411,7 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
+ }
+ if (p_size < size || q_size < size)
+ fortify_panic(__func__);
+- return __builtin_memcmp(p, q, size);
++ return __underlying_memcmp(p, q, size);
+ }
+
+ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
+@@ -396,7 +421,7 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
+ __read_overflow();
+ if (p_size < size)
+ fortify_panic(__func__);
+- return __builtin_memchr(p, c, size);
++ return __underlying_memchr(p, c, size);
+ }
+
+ void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
+@@ -427,11 +452,22 @@ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
+ size_t p_size = __builtin_object_size(p, 0);
+ size_t q_size = __builtin_object_size(q, 0);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+- return __builtin_strcpy(p, q);
++ return __underlying_strcpy(p, q);
+ memcpy(p, q, strlen(q) + 1);
+ return p;
+ }
+
++/* Don't use these outside the FORITFY_SOURCE implementation */
++#undef __underlying_memchr
++#undef __underlying_memcmp
++#undef __underlying_memcpy
++#undef __underlying_memmove
++#undef __underlying_memset
++#undef __underlying_strcat
++#undef __underlying_strcpy
++#undef __underlying_strlen
++#undef __underlying_strncat
++#undef __underlying_strncpy
+ #endif
+
+ /**
+--
+2.25.1
+
--- /dev/null
+From 7b07c9584579bbb1085f49ba4147ed3d66bfc930 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2020 08:43:54 -0700
+Subject: tools api fs: Make xxx__mountpoint() more scalable
+
+From: Stephane Eranian <eranian@google.com>
+
+[ Upstream commit c6fddb28bad26e5472cb7acf7b04cd5126f1a4ab ]
+
+The xxx_mountpoint() interface provided by fs.c finds mount points for
+common pseudo filesystems. The first time xxx_mountpoint() is invoked,
+it scans the mount table (/proc/mounts) looking for a match. If found,
+it is cached. The price to scan /proc/mounts is paid once if the mount
+is found.
+
+When the mount point is not found, subsequent calls to xxx_mountpoint()
+scan /proc/mounts over and over again. There is no caching.
+
+This causes a scaling issue in perf record with hugeltbfs__mountpoint().
+The function is called for each process found in
+synthesize__mmap_events(). If the machine has thousands of processes
+and if the /proc/mounts has many entries this could cause major overhead
+in perf record. We have observed multi-second slowdowns on some
+configurations.
+
+As an example on a laptop:
+
+Before:
+
+ $ sudo umount /dev/hugepages
+ $ strace -e trace=openat -o /tmp/tt perf record -a ls
+ $ fgrep mounts /tmp/tt
+ 285
+
+After:
+
+ $ sudo umount /dev/hugepages
+ $ strace -e trace=openat -o /tmp/tt perf record -a ls
+ $ fgrep mounts /tmp/tt
+ 1
+
+One could argue that the non-caching in case the moint point is not
+found is intentional. That way subsequent calls may discover a moint
+point if the sysadmin mounts the filesystem. But the same argument could
+be made against caching the mount point. It could be unmounted causing
+errors. It all depends on the intent of the interface. This patch
+assumes it is expected to scan /proc/mounts once. The patch documents
+the caching behavior in the fs.h header file.
+
+An alternative would be to just fix perf record. But it would solve the
+problem with hugetlbs__mountpoint() but there could be similar issues
+(possibly down the line) with other xxx_mountpoint() calls in perf or
+other tools.
+
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrey Zhizhikin <andrey.z@gmail.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lore.kernel.org/lkml/20200402154357.107873-3-irogers@google.com
+Signed-off-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/api/fs/fs.c | 17 +++++++++++++++++
+ tools/lib/api/fs/fs.h | 12 ++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c
+index bd021a0eeef8..4cc69675c2a9 100644
+--- a/tools/lib/api/fs/fs.c
++++ b/tools/lib/api/fs/fs.c
+@@ -90,6 +90,7 @@ struct fs {
+ const char * const *mounts;
+ char path[PATH_MAX];
+ bool found;
++ bool checked;
+ long magic;
+ };
+
+@@ -111,31 +112,37 @@ static struct fs fs__entries[] = {
+ .name = "sysfs",
+ .mounts = sysfs__fs_known_mountpoints,
+ .magic = SYSFS_MAGIC,
++ .checked = false,
+ },
+ [FS__PROCFS] = {
+ .name = "proc",
+ .mounts = procfs__known_mountpoints,
+ .magic = PROC_SUPER_MAGIC,
++ .checked = false,
+ },
+ [FS__DEBUGFS] = {
+ .name = "debugfs",
+ .mounts = debugfs__known_mountpoints,
+ .magic = DEBUGFS_MAGIC,
++ .checked = false,
+ },
+ [FS__TRACEFS] = {
+ .name = "tracefs",
+ .mounts = tracefs__known_mountpoints,
+ .magic = TRACEFS_MAGIC,
++ .checked = false,
+ },
+ [FS__HUGETLBFS] = {
+ .name = "hugetlbfs",
+ .mounts = hugetlbfs__known_mountpoints,
+ .magic = HUGETLBFS_MAGIC,
++ .checked = false,
+ },
+ [FS__BPF_FS] = {
+ .name = "bpf",
+ .mounts = bpf_fs__known_mountpoints,
+ .magic = BPF_FS_MAGIC,
++ .checked = false,
+ },
+ };
+
+@@ -158,6 +165,7 @@ static bool fs__read_mounts(struct fs *fs)
+ }
+
+ fclose(fp);
++ fs->checked = true;
+ return fs->found = found;
+ }
+
+@@ -220,6 +228,7 @@ static bool fs__env_override(struct fs *fs)
+ return false;
+
+ fs->found = true;
++ fs->checked = true;
+ strncpy(fs->path, override_path, sizeof(fs->path) - 1);
+ fs->path[sizeof(fs->path) - 1] = '\0';
+ return true;
+@@ -246,6 +255,14 @@ static const char *fs__mountpoint(int idx)
+ if (fs->found)
+ return (const char *)fs->path;
+
++ /* the mount point was already checked for the mount point
++ * but and did not exist, so return NULL to avoid scanning again.
++ * This makes the found and not found paths cost equivalent
++ * in case of multiple calls.
++ */
++ if (fs->checked)
++ return NULL;
++
+ return fs__get_mountpoint(fs);
+ }
+
+diff --git a/tools/lib/api/fs/fs.h b/tools/lib/api/fs/fs.h
+index 92d03b8396b1..3b70003e7cfb 100644
+--- a/tools/lib/api/fs/fs.h
++++ b/tools/lib/api/fs/fs.h
+@@ -18,6 +18,18 @@
+ const char *name##__mount(void); \
+ bool name##__configured(void); \
+
++/*
++ * The xxxx__mountpoint() entry points find the first match mount point for each
++ * filesystems listed below, where xxxx is the filesystem type.
++ *
++ * The interface is as follows:
++ *
++ * - If a mount point is found on first call, it is cached and used for all
++ * subsequent calls.
++ *
++ * - If a mount point is not found, NULL is returned on first call and all
++ * subsequent calls.
++ */
+ FS(sysfs)
+ FS(procfs)
+ FS(debugfs)
+--
+2.25.1
+
--- /dev/null
+From f369592bf7d992dfae4738ab7eeef5629bcb64e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 May 2020 12:49:43 +0200
+Subject: veth: Adjust hard_start offset on redirect XDP frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit 5c8572251fabc5bb49fd623c064e95a9daf6a3e3 ]
+
+When native XDP redirect into a veth device, the frame arrives in the
+xdp_frame structure. It is then processed in veth_xdp_rcv_one(),
+which can run a new XDP bpf_prog on the packet. Doing so requires
+converting xdp_frame to xdp_buff, but the tricky part is that
+xdp_frame memory area is located in the top (data_hard_start) memory
+area that xdp_buff will point into.
+
+The current code tried to protect the xdp_frame area, by assigning
+xdp_buff.data_hard_start past this memory. This results in 32 bytes
+less headroom to expand into via BPF-helper bpf_xdp_adjust_head().
+
+This protect step is actually not needed, because BPF-helper
+bpf_xdp_adjust_head() already reserve this area, and don't allow
+BPF-prog to expand into it. Thus, it is safe to point data_hard_start
+directly at xdp_frame memory area.
+
+Fixes: 9fc8d518d9d5 ("veth: Handle xdp_frames in xdp napi ring")
+Reported-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/bpf/158945338331.97035.5923525383710752178.stgit@firesoul
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index 41a00cd76955..2abbad1abaf2 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -377,13 +377,15 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq,
+ unsigned int *xdp_xmit)
+ {
+ void *hard_start = frame->data - frame->headroom;
+- void *head = hard_start - sizeof(struct xdp_frame);
+ int len = frame->len, delta = 0;
+ struct xdp_frame orig_frame;
+ struct bpf_prog *xdp_prog;
+ unsigned int headroom;
+ struct sk_buff *skb;
+
++ /* bpf_xdp_adjust_head() assures BPF cannot access xdp_frame area */
++ hard_start -= sizeof(struct xdp_frame);
++
+ rcu_read_lock();
+ xdp_prog = rcu_dereference(rq->xdp_prog);
+ if (likely(xdp_prog)) {
+@@ -405,7 +407,6 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq,
+ break;
+ case XDP_TX:
+ orig_frame = *frame;
+- xdp.data_hard_start = head;
+ xdp.rxq->mem = frame->mem;
+ if (unlikely(veth_xdp_tx(rq->dev, &xdp) < 0)) {
+ trace_xdp_exception(rq->dev, xdp_prog, act);
+@@ -417,7 +418,6 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq,
+ goto xdp_xmit;
+ case XDP_REDIRECT:
+ orig_frame = *frame;
+- xdp.data_hard_start = head;
+ xdp.rxq->mem = frame->mem;
+ if (xdp_do_redirect(rq->dev, &xdp, xdp_prog)) {
+ frame = &orig_frame;
+@@ -437,7 +437,7 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq,
+ rcu_read_unlock();
+
+ headroom = sizeof(struct xdp_frame) + frame->headroom - delta;
+- skb = veth_build_skb(head, headroom, len, 0);
++ skb = veth_build_skb(hard_start, headroom, len, 0);
+ if (!skb) {
+ xdp_return_frame(frame);
+ goto err;
+--
+2.25.1
+
--- /dev/null
+From 52cc40ef2b47df3f3f3756962d3cab4b60e31ea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 05:56:03 +0300
+Subject: wcn36xx: Fix error handling path in 'wcn36xx_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a86308fc534edeceaf64670c691e17485436a4f4 ]
+
+In case of error, 'qcom_wcnss_open_channel()' must be undone by a call to
+'rpmsg_destroy_ept()', as already done in the remove function.
+
+Fixes: 5052de8deff5 ("soc: qcom: smd: Transition client drivers from smd to rpmsg")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200507043619.200051-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index 79998a3ddb7a..ad051f34e65b 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -1341,7 +1341,7 @@ static int wcn36xx_probe(struct platform_device *pdev)
+ if (addr && ret != ETH_ALEN) {
+ wcn36xx_err("invalid local-mac-address\n");
+ ret = -EINVAL;
+- goto out_wq;
++ goto out_destroy_ept;
+ } else if (addr) {
+ wcn36xx_info("mac address: %pM\n", addr);
+ SET_IEEE80211_PERM_ADDR(wcn->hw, addr);
+@@ -1349,7 +1349,7 @@ static int wcn36xx_probe(struct platform_device *pdev)
+
+ ret = wcn36xx_platform_get_resources(wcn, pdev);
+ if (ret)
+- goto out_wq;
++ goto out_destroy_ept;
+
+ wcn36xx_init_ieee80211(wcn);
+ ret = ieee80211_register_hw(wcn->hw);
+@@ -1361,6 +1361,8 @@ static int wcn36xx_probe(struct platform_device *pdev)
+ out_unmap:
+ iounmap(wcn->ccu_base);
+ iounmap(wcn->dxe_base);
++out_destroy_ept:
++ rpmsg_destroy_ept(wcn->smd_channel);
+ out_wq:
+ ieee80211_free_hw(hw);
+ out_err:
+--
+2.25.1
+
--- /dev/null
+From f07fdc1a8bec75c9f39cc1821f6814bfe0b3f2b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2020 16:49:26 -0500
+Subject: x86/boot: Correct relocation destination on old linkers
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 5214028dd89e49ba27007c3ee475279e584261f0 ]
+
+For the 32-bit kernel, as described in
+
+ 6d92bc9d483a ("x86/build: Build compressed x86 kernels as PIE"),
+
+pre-2.26 binutils generates R_386_32 relocations in PIE mode. Since the
+startup code does not perform relocation, any reloc entry with R_386_32
+will remain as 0 in the executing code.
+
+Commit
+
+ 974f221c84b0 ("x86/boot: Move compressed kernel to the end of the
+ decompression buffer")
+
+added a new symbol _end but did not mark it hidden, which doesn't give
+the correct offset on older linkers. This causes the compressed kernel
+to be copied beyond the end of the decompression buffer, rather than
+flush against it. This region of memory may be reserved or already
+allocated for other purposes by the bootloader.
+
+Mark _end as hidden to fix. This changes the relocation from R_386_32 to
+R_386_RELATIVE even on the pre-2.26 binutils.
+
+For 64-bit, this is not strictly necessary, as the 64-bit kernel is only
+built as PIE if the linker supports -z noreloc-overflow, which implies
+binutils-2.27+, but for consistency, mark _end as hidden here too.
+
+The below illustrates the before/after impact of the patch using
+binutils-2.25 and gcc-4.6.4 (locally compiled from source) and QEMU.
+
+ Disassembly before patch:
+ 48: 8b 86 60 02 00 00 mov 0x260(%esi),%eax
+ 4e: 2d 00 00 00 00 sub $0x0,%eax
+ 4f: R_386_32 _end
+ Disassembly after patch:
+ 48: 8b 86 60 02 00 00 mov 0x260(%esi),%eax
+ 4e: 2d 00 f0 76 00 sub $0x76f000,%eax
+ 4f: R_386_RELATIVE *ABS*
+
+Dump from extract_kernel before patch:
+ early console in extract_kernel
+ input_data: 0x0207c098 <--- this is at output + init_size
+ input_len: 0x0074fef1
+ output: 0x01000000
+ output_len: 0x00fa63d0
+ kernel_total_size: 0x0107c000
+ needed_size: 0x0107c000
+
+Dump from extract_kernel after patch:
+ early console in extract_kernel
+ input_data: 0x0190d098 <--- this is at output + init_size - _end
+ input_len: 0x0074fef1
+ output: 0x01000000
+ output_len: 0x00fa63d0
+ kernel_total_size: 0x0107c000
+ needed_size: 0x0107c000
+
+Fixes: 974f221c84b0 ("x86/boot: Move compressed kernel to the end of the decompression buffer")
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200207214926.3564079-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/boot/compressed/head_32.S | 5 +++--
+ arch/x86/boot/compressed/head_64.S | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
+index 01d628ea3402..c6c4b877f3d2 100644
+--- a/arch/x86/boot/compressed/head_32.S
++++ b/arch/x86/boot/compressed/head_32.S
+@@ -49,16 +49,17 @@
+ * Position Independent Executable (PIE) so that linker won't optimize
+ * R_386_GOT32X relocation to its fixed symbol address. Older
+ * linkers generate R_386_32 relocations against locally defined symbols,
+- * _bss, _ebss, _got and _egot, in PIE. It isn't wrong, just less
++ * _bss, _ebss, _got, _egot and _end, in PIE. It isn't wrong, just less
+ * optimal than R_386_RELATIVE. But the x86 kernel fails to properly handle
+ * R_386_32 relocations when relocating the kernel. To generate
+- * R_386_RELATIVE relocations, we mark _bss, _ebss, _got and _egot as
++ * R_386_RELATIVE relocations, we mark _bss, _ebss, _got, _egot and _end as
+ * hidden:
+ */
+ .hidden _bss
+ .hidden _ebss
+ .hidden _got
+ .hidden _egot
++ .hidden _end
+
+ __HEAD
+ ENTRY(startup_32)
+diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
+index 9fa644c62839..474733f8b330 100644
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -42,6 +42,7 @@
+ .hidden _ebss
+ .hidden _got
+ .hidden _egot
++ .hidden _end
+
+ __HEAD
+ .code32
+--
+2.25.1
+
--- /dev/null
+From 244f1fa643e4fc29cd8c9a9749fdc686ec1252e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 14:37:40 +0300
+Subject: x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit
+
+From: Jon Doron <arilou@gmail.com>
+
+[ Upstream commit f7d31e65368aeef973fab788aa22c4f1d5a6af66 ]
+
+The problem the patch is trying to address is the fact that 'struct
+kvm_hyperv_exit' has different layout on when compiling in 32 and 64 bit
+modes.
+
+In 64-bit mode the default alignment boundary is 64 bits thus
+forcing extra gaps after 'type' and 'msr' but in 32-bit mode the
+boundary is at 32 bits thus no extra gaps.
+
+This is an issue as even when the kernel is 64 bit, the userspace using
+the interface can be both 32 and 64 bit but the same 32 bit userspace has
+to work with 32 bit kernel.
+
+The issue is fixed by forcing the 64 bit layout, this leads to ABI
+change for 32 bit builds and while we are obviously breaking '32 bit
+userspace with 32 bit kernel' case, we're fixing the '32 bit userspace
+with 64 bit kernel' one.
+
+As the interface has no (known) users and 32 bit KVM is rather baroque
+nowadays, this seems like a reasonable decision.
+
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Jon Doron <arilou@gmail.com>
+Message-Id: <20200424113746.3473563-2-arilou@gmail.com>
+Reviewed-by: Roman Kagan <rvkagan@yandex-team.ru>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/virtual/kvm/api.txt | 2 ++
+ include/uapi/linux/kvm.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
+index 8e16017ff397..d2f265a9dc0d 100644
+--- a/Documentation/virtual/kvm/api.txt
++++ b/Documentation/virtual/kvm/api.txt
+@@ -3999,9 +3999,11 @@ EOI was received.
+ #define KVM_EXIT_HYPERV_SYNIC 1
+ #define KVM_EXIT_HYPERV_HCALL 2
+ __u32 type;
++ __u32 pad1;
+ union {
+ struct {
+ __u32 msr;
++ __u32 pad2;
+ __u64 control;
+ __u64 evt_page;
+ __u64 msg_page;
+diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
+index 251be353f950..66ce6659ecb6 100644
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -189,9 +189,11 @@ struct kvm_hyperv_exit {
+ #define KVM_EXIT_HYPERV_SYNIC 1
+ #define KVM_EXIT_HYPERV_HCALL 2
+ __u32 type;
++ __u32 pad1;
+ union {
+ struct {
+ __u32 msr;
++ __u32 pad2;
+ __u64 control;
+ __u64 evt_page;
+ __u64 msg_page;
+--
+2.25.1
+
--- /dev/null
+From 3276efbb82e2299691c52c664390f4ce4f254eed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Feb 2020 18:11:20 -0500
+Subject: x86/mm: Stop printing BRK addresses
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 67d631b7c05eff955ccff4139327f0f92a5117e5 ]
+
+This currently leaks kernel physical addresses into userspace.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Dave Hansen <dave.hansen@intel.com>
+Link: https://lkml.kernel.org/r/20200229231120.1147527-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
+index fb5f29c60019..b1dba0987565 100644
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -120,8 +120,6 @@ __ref void *alloc_low_pages(unsigned int num)
+ } else {
+ pfn = pgt_buf_end;
+ pgt_buf_end += num;
+- printk(KERN_DEBUG "BRK [%#010lx, %#010lx] PGTABLE\n",
+- pfn << PAGE_SHIFT, (pgt_buf_end << PAGE_SHIFT) - 1);
+ }
+
+ for (i = 0; i < num; i++) {
+--
+2.25.1
+
--- /dev/null
+From 66e95873cf2d069684856a957c4e38ddb2bc93f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 14:06:27 -0700
+Subject: xfs: clean up the error handling in xfs_swap_extents
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 8bc3b5e4b70d28f8edcafc3c9e4de515998eea9e ]
+
+Make sure we release resources properly if we cannot clean out the COW
+extents in preparation for an extent swap.
+
+Fixes: 96987eea537d6c ("xfs: cancel COW blocks before swapext")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_bmap_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
+index e638740f1681..3e1dd66bd676 100644
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -1823,7 +1823,7 @@ xfs_swap_extents(
+ if (xfs_inode_has_cow_data(tip)) {
+ error = xfs_reflink_cancel_cow_range(tip, 0, NULLFILEOFF, true);
+ if (error)
+- return error;
++ goto out_unlock;
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From d1ce60d86698491f9f6a084927c7bd715c7622af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 13:25:22 -0700
+Subject: xfs: fix duplicate verification from xfs_qm_dqflush()
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 629dcb38dc351947ed6a26a997d4b587f3bd5c7e ]
+
+The pre-flush dquot verification in xfs_qm_dqflush() duplicates the
+read verifier by checking the dquot in the on-disk buffer. Instead,
+verify the in-core variant before it is flushed to the buffer.
+
+Fixes: 7224fa482a6d ("xfs: add full xfs_dqblk verifier")
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Allison Collins <allison.henderson@oracle.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_dquot.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/xfs/xfs_dquot.c b/fs/xfs/xfs_dquot.c
+index a1af984e4913..59b2b29542f4 100644
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1120,13 +1120,12 @@ xfs_qm_dqflush(
+ dqb = bp->b_addr + dqp->q_bufoffset;
+ ddqp = &dqb->dd_diskdq;
+
+- /*
+- * A simple sanity check in case we got a corrupted dquot.
+- */
+- fa = xfs_dqblk_verify(mp, dqb, be32_to_cpu(ddqp->d_id), 0);
++ /* sanity check the in-core structure before we flush */
++ fa = xfs_dquot_verify(mp, &dqp->q_core, be32_to_cpu(dqp->q_core.d_id),
++ 0);
+ if (fa) {
+ xfs_alert(mp, "corrupt dquot ID 0x%x in memory at %pS",
+- be32_to_cpu(ddqp->d_id), fa);
++ be32_to_cpu(dqp->q_core.d_id), fa);
+ xfs_buf_relse(bp);
+ xfs_dqfunlock(dqp);
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+--
+2.25.1
+
--- /dev/null
+From 1046839b10354f3b4ca36dfd4344f6b0285ae236 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 13:25:20 -0700
+Subject: xfs: reset buffer write failure state on successful completion
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit b6983e80b03bd4fd42de71993b3ac7403edac758 ]
+
+The buffer write failure flag is intended to control the internal
+write retry that XFS has historically implemented to help mitigate
+the severity of transient I/O errors. The flag is set when a buffer
+is resubmitted from the I/O completion path due to a previous
+failure. It is checked on subsequent I/O completions to skip the
+internal retry and fall through to the higher level configurable
+error handling mechanism. The flag is cleared in the synchronous and
+delwri submission paths and also checked in various places to log
+write failure messages.
+
+There are a couple minor problems with the current usage of this
+flag. One is that we issue an internal retry after every submission
+from xfsaild due to how delwri submission clears the flag. This
+results in double the expected or configured number of write
+attempts when under sustained failures. Another more subtle issue is
+that the flag is never cleared on successful I/O completion. This
+can cause xfs_wait_buftarg() to suggest that dirty buffers are being
+thrown away due to the existence of the flag, when the reality is
+that the flag might still be set because the write succeeded on the
+retry.
+
+Clear the write failure flag on successful I/O completion to address
+both of these problems. This means that the internal retry attempt
+occurs once since the last time a buffer write failed and that
+various other contexts only see the flag set when the immediately
+previous write attempt has failed.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Allison Collins <allison.henderson@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_buf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index c1f7c0d5d608..b33a9cd4fe94 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -1202,8 +1202,10 @@ xfs_buf_ioend(
+ bp->b_ops->verify_read(bp);
+ }
+
+- if (!bp->b_error)
++ if (!bp->b_error) {
++ bp->b_flags &= ~XBF_WRITE_FAIL;
+ bp->b_flags |= XBF_DONE;
++ }
+
+ if (bp->b_iodone)
+ (*(bp->b_iodone))(bp);
+@@ -1263,7 +1265,7 @@ xfs_bwrite(
+
+ bp->b_flags |= XBF_WRITE;
+ bp->b_flags &= ~(XBF_ASYNC | XBF_READ | _XBF_DELWRI_Q |
+- XBF_WRITE_FAIL | XBF_DONE);
++ XBF_DONE);
+
+ error = xfs_buf_submit(bp);
+ if (error) {
+@@ -2000,7 +2002,7 @@ xfs_buf_delwri_submit_buffers(
+ * synchronously. Otherwise, drop the buffer from the delwri
+ * queue and submit async.
+ */
+- bp->b_flags &= ~(_XBF_DELWRI_Q | XBF_WRITE_FAIL);
++ bp->b_flags &= ~_XBF_DELWRI_Q;
+ bp->b_flags |= XBF_WRITE;
+ if (wait_list) {
+ bp->b_flags &= ~XBF_ASYNC;
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
