--- /dev/null
+From e49aa3f8a2933eac7b0740c415967cb9d16b3892 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2019 16:42:57 +0100
+Subject: ALSA: timer: Limit max amount of slave instances
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit fdea53fe5de532969a332d6e5e727f2ad8bf084d ]
+
+The fuzzer tries to open the timer instances as much as possible, and
+this may cause a system hiccup easily. We've already introduced the
+cap for the max number of available instances for the h/w timers, and
+we should put such a limit also to the slave timers, too.
+
+This patch introduces the limit to the multiple opened slave timers.
+The upper limit is hard-coded to 1000 for now, which should suffice
+for any practical usages up to now.
+
+Link: https://lore.kernel.org/r/20191106154257.5853-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/timer.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index e944d27f79c3..f8a4b2a2f8f6 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -87,6 +87,9 @@ static LIST_HEAD(snd_timer_slave_list);
+ /* lock for slave active lists */
+ static DEFINE_SPINLOCK(slave_active_lock);
+
++#define MAX_SLAVE_INSTANCES 1000
++static int num_slaves;
++
+ static DEFINE_MUTEX(register_mutex);
+
+ static int snd_timer_free(struct snd_timer *timer);
+@@ -265,6 +268,10 @@ int snd_timer_open(struct snd_timer_instance **ti,
+ err = -EINVAL;
+ goto unlock;
+ }
++ if (num_slaves >= MAX_SLAVE_INSTANCES) {
++ err = -EBUSY;
++ goto unlock;
++ }
+ timeri = snd_timer_instance_new(owner, NULL);
+ if (!timeri) {
+ err = -ENOMEM;
+@@ -274,6 +281,7 @@ int snd_timer_open(struct snd_timer_instance **ti,
+ timeri->slave_id = tid->device;
+ timeri->flags |= SNDRV_TIMER_IFLG_SLAVE;
+ list_add_tail(&timeri->open_list, &snd_timer_slave_list);
++ num_slaves++;
+ err = snd_timer_check_slave(timeri);
+ if (err < 0) {
+ snd_timer_close_locked(timeri, &card_dev_to_put);
+@@ -363,6 +371,8 @@ static int snd_timer_close_locked(struct snd_timer_instance *timeri,
+ struct snd_timer_instance *slave, *tmp;
+
+ list_del(&timeri->open_list);
++ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
++ num_slaves--;
+
+ /* force to stop the timer */
+ snd_timer_stop(timeri);
+--
+2.20.1
+
--- /dev/null
+From 87d3892f4c323ed3dde3101f5765e0ea95dfedd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 19:31:21 +0800
+Subject: arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill()
+
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+
+[ Upstream commit bfcef4ab1d7ee8921bc322109b1692036cc6cbe0 ]
+
+In cases like suspend-to-disk and suspend-to-ram, a large number of CPU
+cores need to be shut down. At present, the CPU hotplug operation is
+serialised, and the CPU cores can only be shut down one by one. In this
+process, if PSCI affinity_info() does not return LEVEL_OFF quickly,
+cpu_psci_cpu_kill() needs to wait for 10ms. If hundreds of CPU cores
+need to be shut down, it will take a long time.
+
+Normally, there is no need to wait 10ms in cpu_psci_cpu_kill(). So
+change the wait interval from 10 ms to max 1 ms and use usleep_range()
+instead of msleep() for more accurate timer.
+
+In addition, reducing the time interval will increase the messages
+output, so remove the "Retry ..." message, instead, track time and
+output to the the sucessful message.
+
+Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/psci.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/kernel/psci.c b/arch/arm64/kernel/psci.c
+index 42816bebb1e0..e3713d6fb8e0 100644
+--- a/arch/arm64/kernel/psci.c
++++ b/arch/arm64/kernel/psci.c
+@@ -83,7 +83,8 @@ static void cpu_psci_cpu_die(unsigned int cpu)
+
+ static int cpu_psci_cpu_kill(unsigned int cpu)
+ {
+- int err, i;
++ int err;
++ unsigned long start, end;
+
+ if (!psci_ops.affinity_info)
+ return 0;
+@@ -93,16 +94,18 @@ static int cpu_psci_cpu_kill(unsigned int cpu)
+ * while it is dying. So, try again a few times.
+ */
+
+- for (i = 0; i < 10; i++) {
++ start = jiffies;
++ end = start + msecs_to_jiffies(100);
++ do {
+ err = psci_ops.affinity_info(cpu_logical_map(cpu), 0);
+ if (err == PSCI_0_2_AFFINITY_LEVEL_OFF) {
+- pr_info("CPU%d killed.\n", cpu);
++ pr_info("CPU%d killed (polled %d ms)\n", cpu,
++ jiffies_to_msecs(jiffies - start));
+ return 0;
+ }
+
+- msleep(10);
+- pr_info("Retrying again to check for CPU kill\n");
+- }
++ usleep_range(100, 1000);
++ } while (time_before(jiffies, end));
+
+ pr_warn("CPU%d may not have shut down cleanly (AFFINITY_INFO reports %d)\n",
+ cpu, err);
+--
+2.20.1
+
--- /dev/null
+From 9f6b17fe99901e4518c706cc9e905a597b07403b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 17:13:30 -0800
+Subject: ASoC: rt5677: Mark reg RT5677_PWR_ANLG2 as volatile
+
+From: Ben Zhang <benzh@chromium.org>
+
+[ Upstream commit eabf424f7b60246c76dcb0ea6f1e83ef9abbeaa6 ]
+
+The codec dies when RT5677_PWR_ANLG2(MX-64h) is set to 0xACE1
+while it's streaming audio over SPI. The DSP firmware turns
+on PLL2 (MX-64 bit 8) when SPI streaming starts. However regmap
+does not believe that register can change by itself. When
+BST1 (bit 15) is turned on with regmap_update_bits(), it doesn't
+read the register first before write, so PLL2 power bit is
+cleared by accident.
+
+Marking MX-64h as volatile in regmap solved the issue.
+
+Signed-off-by: Ben Zhang <benzh@chromium.org>
+Signed-off-by: Curtis Malainey <cujomalainey@chromium.org>
+Link: https://lore.kernel.org/r/20191106011335.223061-6-cujomalainey@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5677.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/rt5677.c b/sound/soc/codecs/rt5677.c
+index 65ac4518ad06..49ab26e69f2f 100644
+--- a/sound/soc/codecs/rt5677.c
++++ b/sound/soc/codecs/rt5677.c
+@@ -305,6 +305,7 @@ static bool rt5677_volatile_register(struct device *dev, unsigned int reg)
+ case RT5677_I2C_MASTER_CTRL7:
+ case RT5677_I2C_MASTER_CTRL8:
+ case RT5677_HAP_GENE_CTRL2:
++ case RT5677_PWR_ANLG2: /* Modified by DSP firmware */
+ case RT5677_PWR_DSP_ST:
+ case RT5677_PRIV_DATA:
+ case RT5677_ASRC_22:
+--
+2.20.1
+
--- /dev/null
+From 0ea12f77eb1f49f976ccc7a504550ba0a917c723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2019 20:04:37 +0200
+Subject: ath10k: fix get invalid tx rate for Mesh metric
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+[ Upstream commit 05a11003a56507023f18d3249a4d4d119c0a3e9c ]
+
+ath10k does not provide transmit rate info per MSDU
+in tx completion, mark that as -1 so mac80211
+will ignore the rates. This fixes mac80211 update Mesh
+link metric with invalid transmit rate info.
+
+Tested HW: QCA9984
+Tested FW: 10.4-3.9.0.2-00035
+
+Signed-off-by: Hou Bao Hou <houbao@codeaurora.org>
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/txrx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
+index 9852c5d51139..beeb6be06939 100644
+--- a/drivers/net/wireless/ath/ath10k/txrx.c
++++ b/drivers/net/wireless/ath/ath10k/txrx.c
+@@ -99,6 +99,8 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt,
+
+ info = IEEE80211_SKB_CB(msdu);
+ memset(&info->status, 0, sizeof(info->status));
++ info->status.rates[0].idx = -1;
++
+ trace_ath10k_txrx_tx_unref(ar, tx_done->msdu_id);
+
+ if (tx_done->status == HTT_TX_COMPL_STATE_DISCARD) {
+--
+2.20.1
+
--- /dev/null
+From 4168dd2f8bca7b9405cb65690de7d01b9ced513b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Nov 2019 23:58:15 +0200
+Subject: Bluetooth: Fix advertising duplicated flags
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 6012b9346d8959194c239fd60a62dfec98d43048 ]
+
+Instances may have flags set as part of its data in which case the code
+should not attempt to add it again otherwise it can cause duplication:
+
+< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35
+ Handle: 0x00
+ Operation: Complete extended advertising data (0x03)
+ Fragment preference: Minimize fragmentation (0x01)
+ Data length: 0x06
+ Flags: 0x04
+ BR/EDR Not Supported
+ Flags: 0x06
+ LE General Discoverable Mode
+ BR/EDR Not Supported
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_request.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
+index 1015d9c8d97d..4a89e121d662 100644
+--- a/net/bluetooth/hci_request.c
++++ b/net/bluetooth/hci_request.c
+@@ -1093,6 +1093,14 @@ static u8 create_instance_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr)
+
+ instance_flags = get_adv_instance_flags(hdev, instance);
+
++ /* If instance already has the flags set skip adding it once
++ * again.
++ */
++ if (adv_instance && eir_get_data(adv_instance->adv_data,
++ adv_instance->adv_data_len, EIR_FLAGS,
++ NULL))
++ goto skip_flags;
++
+ /* The Add Advertising command allows userspace to set both the general
+ * and limited discoverable flags.
+ */
+@@ -1125,6 +1133,7 @@ static u8 create_instance_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr)
+ }
+ }
+
++skip_flags:
+ if (adv_instance) {
+ memcpy(ptr, adv_instance->adv_data,
+ adv_instance->adv_data_len);
+--
+2.20.1
+
--- /dev/null
+From 1d02c955ba91df1daf3622daff6aa822fbc024b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 20:20:39 -0700
+Subject: Bluetooth: hci_core: fix init for HCI_USER_CHANNEL
+
+From: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+
+[ Upstream commit eb8c101e28496888a0dcfe16ab86a1bee369e820 ]
+
+During the setup() stage, HCI device drivers expect the chip to
+acknowledge its setup() completion via vendor specific frames.
+
+If userspace opens() such HCI device in HCI_USER_CHANNEL [1] mode,
+the vendor specific frames are never tranmitted to the driver, as
+they are filtered in hci_rx_work().
+
+Allow HCI devices which operate in HCI_USER_CHANNEL mode to receive
+frames if the HCI device is is HCI_INIT state.
+
+[1] https://www.spinics.net/lists/linux-bluetooth/msg37345.html
+
+Fixes: 23500189d7e0 ("Bluetooth: Introduce new HCI socket channel for user operation")
+Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 4bd72d2fe415..a70b078ceb3c 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -4180,7 +4180,14 @@ static void hci_rx_work(struct work_struct *work)
+ hci_send_to_sock(hdev, skb);
+ }
+
+- if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
++ /* If the device has been opened in HCI_USER_CHANNEL,
++ * the userspace has exclusive access to device.
++ * When device is HCI_INIT, we still need to process
++ * the data packets to the driver in order
++ * to complete its setup().
++ */
++ if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
++ !test_bit(HCI_INIT, &hdev->flags)) {
+ kfree_skb(skb);
+ continue;
+ }
+--
+2.20.1
+
--- /dev/null
+From 680dbcd0b12eee85dd814219e79bfea9b2f63d57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2019 21:51:11 -0800
+Subject: bnx2x: Fix PF-VF communication over multi-cos queues.
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit dc5a3d79c345871439ffe72550b604fcde9770e1 ]
+
+PF driver doesn't enable tx-switching for all cos queues/clients,
+which causes packets drop from PF to VF. Fix this by enabling
+tx-switching on all cos queues/clients.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
+index c6e059119b22..e8a09d0afe1c 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
+@@ -2376,15 +2376,21 @@ static int bnx2x_set_pf_tx_switching(struct bnx2x *bp, bool enable)
+ /* send the ramrod on all the queues of the PF */
+ for_each_eth_queue(bp, i) {
+ struct bnx2x_fastpath *fp = &bp->fp[i];
++ int tx_idx;
+
+ /* Set the appropriate Queue object */
+ q_params.q_obj = &bnx2x_sp_obj(bp, fp).q_obj;
+
+- /* Update the Queue state */
+- rc = bnx2x_queue_state_change(bp, &q_params);
+- if (rc) {
+- BNX2X_ERR("Failed to configure Tx switching\n");
+- return rc;
++ for (tx_idx = FIRST_TX_COS_INDEX;
++ tx_idx < fp->max_cos; tx_idx++) {
++ q_params.params.update.cid_index = tx_idx;
++
++ /* Update the Queue state */
++ rc = bnx2x_queue_state_change(bp, &q_params);
++ if (rc) {
++ BNX2X_ERR("Failed to configure Tx switching\n");
++ return rc;
++ }
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From c3a4e975eae8b17a73214dbda79e3eb90b947806 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2019 11:30:54 -0700
+Subject: btrfs: don't prematurely free work in end_workqueue_fn()
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit 9be490f1e15c34193b1aae17da58e14dd9f55a95 ]
+
+Currently, end_workqueue_fn() frees the end_io_wq entry (which embeds
+the work item) and then calls bio_endio(). This is another potential
+instance of the bug in "btrfs: don't prematurely free work in
+run_ordered_work()".
+
+In particular, the endio call may depend on other work items. For
+example, btrfs_end_dio_bio() can call btrfs_subio_endio_read() ->
+__btrfs_correct_data_nocsum() -> dio_read_error() ->
+submit_dio_repair_bio(), which submits a bio that is also completed
+through a end_workqueue_fn() work item. However,
+__btrfs_correct_data_nocsum() waits for the newly submitted bio to
+complete, thus it depends on another work item.
+
+This example currently usually works because we use different workqueue
+helper functions for BTRFS_WQ_ENDIO_DATA and BTRFS_WQ_ENDIO_DIO_REPAIR.
+However, it may deadlock with stacked filesystems and is fragile
+overall. The proper fix is to free the work item at the very end of the
+work function, so let's do that.
+
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 9d3352fe8dc9..b37519241eb1 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1712,8 +1712,8 @@ static void end_workqueue_fn(struct btrfs_work *work)
+ bio->bi_error = end_io_wq->error;
+ bio->bi_private = end_io_wq->private;
+ bio->bi_end_io = end_io_wq->end_io;
+- kmem_cache_free(btrfs_end_io_wq_cache, end_io_wq);
+ bio_endio(bio);
++ kmem_cache_free(btrfs_end_io_wq_cache, end_io_wq);
+ }
+
+ static int cleaner_kthread(void *arg)
+--
+2.20.1
+
--- /dev/null
+From c1606b16ad2ef060272ddc88b3727c23e09ea618 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2019 11:30:55 -0700
+Subject: btrfs: don't prematurely free work in reada_start_machine_worker()
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit e732fe95e4cad35fc1df278c23a32903341b08b3 ]
+
+Currently, reada_start_machine_worker() frees the reada_machine_work and
+then calls __reada_start_machine() to do readahead. This is another
+potential instance of the bug in "btrfs: don't prematurely free work in
+run_ordered_work()".
+
+There _might_ already be a deadlock here: reada_start_machine_worker()
+can depend on itself through stacked filesystems (__read_start_machine()
+-> reada_start_machine_dev() -> reada_tree_block_flagged() ->
+read_extent_buffer_pages() -> submit_one_bio() ->
+btree_submit_bio_hook() -> btrfs_map_bio() -> submit_stripe_bio() ->
+submit_bio() onto a loop device can trigger readahead on the lower
+filesystem).
+
+Either way, let's fix it by freeing the work at the end.
+
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/reada.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/reada.c b/fs/btrfs/reada.c
+index 94441fdb1ecf..0d1565d71231 100644
+--- a/fs/btrfs/reada.c
++++ b/fs/btrfs/reada.c
+@@ -734,21 +734,19 @@ static int reada_start_machine_dev(struct btrfs_fs_info *fs_info,
+ static void reada_start_machine_worker(struct btrfs_work *work)
+ {
+ struct reada_machine_work *rmw;
+- struct btrfs_fs_info *fs_info;
+ int old_ioprio;
+
+ rmw = container_of(work, struct reada_machine_work, work);
+- fs_info = rmw->fs_info;
+-
+- kfree(rmw);
+
+ old_ioprio = IOPRIO_PRIO_VALUE(task_nice_ioclass(current),
+ task_nice_ioprio(current));
+ set_task_ioprio(current, BTRFS_IOPRIO_READA);
+- __reada_start_machine(fs_info);
++ __reada_start_machine(rmw->fs_info);
+ set_task_ioprio(current, old_ioprio);
+
+- atomic_dec(&fs_info->reada_works_cnt);
++ atomic_dec(&rmw->fs_info->reada_works_cnt);
++
++ kfree(rmw);
+ }
+
+ static void __reada_start_machine(struct btrfs_fs_info *fs_info)
+--
+2.20.1
+
--- /dev/null
+From e1f7a37ffecbe6cef2cc5f32f70db8895e7371b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2019 11:30:53 -0700
+Subject: btrfs: don't prematurely free work in run_ordered_work()
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit c495dcd6fbe1dce51811a76bb85b4675f6494938 ]
+
+We hit the following very strange deadlock on a system with Btrfs on a
+loop device backed by another Btrfs filesystem:
+
+1. The top (loop device) filesystem queues an async_cow work item from
+ cow_file_range_async(). We'll call this work X.
+2. Worker thread A starts work X (normal_work_helper()).
+3. Worker thread A executes the ordered work for the top filesystem
+ (run_ordered_work()).
+4. Worker thread A finishes the ordered work for work X and frees X
+ (work->ordered_free()).
+5. Worker thread A executes another ordered work and gets blocked on I/O
+ to the bottom filesystem (still in run_ordered_work()).
+6. Meanwhile, the bottom filesystem allocates and queues an async_cow
+ work item which happens to be the recently-freed X.
+7. The workqueue code sees that X is already being executed by worker
+ thread A, so it schedules X to be executed _after_ worker thread A
+ finishes (see the find_worker_executing_work() call in
+ process_one_work()).
+
+Now, the top filesystem is waiting for I/O on the bottom filesystem, but
+the bottom filesystem is waiting for the top filesystem to finish, so we
+deadlock.
+
+This happens because we are breaking the workqueue assumption that a
+work item cannot be recycled while it still depends on other work. Fix
+it by waiting to free the work item until we are done with all of the
+related ordered work.
+
+P.S.:
+
+One might ask why the workqueue code doesn't try to detect a recycled
+work item. It actually does try by checking whether the work item has
+the same work function (find_worker_executing_work()), but in our case
+the function is the same. This is the only key that the workqueue code
+has available to compare, short of adding an additional, layer-violating
+"custom key". Considering that we're the only ones that have ever hit
+this, we should just play by the rules.
+
+Unfortunately, we haven't been able to create a minimal reproducer other
+than our full container setup using a compress-force=zstd filesystem on
+top of another compress-force=zstd filesystem.
+
+Suggested-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/async-thread.c | 56 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 44 insertions(+), 12 deletions(-)
+
+diff --git a/fs/btrfs/async-thread.c b/fs/btrfs/async-thread.c
+index ff0b0be92d61..a3de11d52ad0 100644
+--- a/fs/btrfs/async-thread.c
++++ b/fs/btrfs/async-thread.c
+@@ -265,16 +265,17 @@ out:
+ }
+ }
+
+-static void run_ordered_work(struct __btrfs_workqueue *wq)
++static void run_ordered_work(struct __btrfs_workqueue *wq,
++ struct btrfs_work *self)
+ {
+ struct list_head *list = &wq->ordered_list;
+ struct btrfs_work *work;
+ spinlock_t *lock = &wq->list_lock;
+ unsigned long flags;
++ void *wtag;
++ bool free_self = false;
+
+ while (1) {
+- void *wtag;
+-
+ spin_lock_irqsave(lock, flags);
+ if (list_empty(list))
+ break;
+@@ -300,16 +301,47 @@ static void run_ordered_work(struct __btrfs_workqueue *wq)
+ list_del(&work->ordered_list);
+ spin_unlock_irqrestore(lock, flags);
+
+- /*
+- * We don't want to call the ordered free functions with the
+- * lock held though. Save the work as tag for the trace event,
+- * because the callback could free the structure.
+- */
+- wtag = work;
+- work->ordered_free(work);
+- trace_btrfs_all_work_done(wq->fs_info, wtag);
++ if (work == self) {
++ /*
++ * This is the work item that the worker is currently
++ * executing.
++ *
++ * The kernel workqueue code guarantees non-reentrancy
++ * of work items. I.e., if a work item with the same
++ * address and work function is queued twice, the second
++ * execution is blocked until the first one finishes. A
++ * work item may be freed and recycled with the same
++ * work function; the workqueue code assumes that the
++ * original work item cannot depend on the recycled work
++ * item in that case (see find_worker_executing_work()).
++ *
++ * Note that the work of one Btrfs filesystem may depend
++ * on the work of another Btrfs filesystem via, e.g., a
++ * loop device. Therefore, we must not allow the current
++ * work item to be recycled until we are really done,
++ * otherwise we break the above assumption and can
++ * deadlock.
++ */
++ free_self = true;
++ } else {
++ /*
++ * We don't want to call the ordered free functions with
++ * the lock held though. Save the work as tag for the
++ * trace event, because the callback could free the
++ * structure.
++ */
++ wtag = work;
++ work->ordered_free(work);
++ trace_btrfs_all_work_done(wq->fs_info, wtag);
++ }
+ }
+ spin_unlock_irqrestore(lock, flags);
++
++ if (free_self) {
++ wtag = self;
++ self->ordered_free(self);
++ trace_btrfs_all_work_done(wq->fs_info, wtag);
++ }
+ }
+
+ static void normal_work_helper(struct btrfs_work *work)
+@@ -337,7 +369,7 @@ static void normal_work_helper(struct btrfs_work *work)
+ work->func(work);
+ if (need_order) {
+ set_bit(WORK_DONE_BIT, &work->flags);
+- run_ordered_work(wq);
++ run_ordered_work(wq, work);
+ }
+ if (!need_order)
+ trace_btrfs_all_work_done(wq->fs_info, wtag);
+--
+2.20.1
+
--- /dev/null
+From fac4d94e8828bcd1d7adc8ce470d068e2414b295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 09:06:17 +0530
+Subject: cpufreq: Register drivers only after CPU devices have been registered
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit 46770be0cf94149ca48be87719bda1d951066644 ]
+
+The cpufreq core heavily depends on the availability of the struct
+device for CPUs and if they aren't available at the time cpufreq driver
+is registered, we will never succeed in making cpufreq work.
+
+This happens due to following sequence of events:
+
+- cpufreq_register_driver()
+ - subsys_interface_register()
+ - return 0; //successful registration of driver
+
+... at a later point of time
+
+- register_cpu();
+ - device_register();
+ - bus_probe_device();
+ - sif->add_dev();
+ - cpufreq_add_dev();
+ - get_cpu_device(); //FAILS
+ - per_cpu(cpu_sys_devices, num) = &cpu->dev; //used by get_cpu_device()
+ - return 0; //CPU registered successfully
+
+Because the per-cpu variable cpu_sys_devices is set only after the CPU
+device is regsitered, cpufreq will never be able to get it when
+cpufreq_add_dev() is called.
+
+This patch avoids this failure by making sure device structure of at
+least CPU0 is available when the cpufreq driver is registered, else
+return -EPROBE_DEFER.
+
+Reported-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Co-developed-by: Amit Kucheria <amit.kucheria@linaro.org>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Tested-by: Amit Kucheria <amit.kucheria@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 063ce77df619..86d48f8c6a2e 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2449,6 +2449,13 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
+ if (cpufreq_disabled())
+ return -ENODEV;
+
++ /*
++ * The cpufreq core depends heavily on the availability of device
++ * structure, make sure they are available before proceeding further.
++ */
++ if (!get_cpu_device(0))
++ return -EPROBE_DEFER;
++
+ if (!driver_data || !driver_data->verify || !driver_data->init ||
+ !(driver_data->setpolicy || driver_data->target_index ||
+ driver_data->target) ||
+--
+2.20.1
+
--- /dev/null
+From f248817a5671a739f011e1e3487d06ea3b7df8f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 11:49:06 +0100
+Subject: crypto: sun4i-ss - Fix 64-bit size_t warnings on sun4i-ss-hash.c
+
+From: Corentin Labbe <clabbe.montjoie@gmail.com>
+
+[ Upstream commit a7126603d46fe8f01aeedf589e071c6aaa6c6c39 ]
+
+If you try to compile this driver on a 64-bit platform then you
+will get warnings because it mixes size_t with unsigned int which
+only works on 32-bit.
+
+This patch fixes all of the warnings on sun4i-ss-hash.c.
+Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
+index ec16ec2e284d..b2e683713539 100644
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
+@@ -286,8 +286,8 @@ static int sun4i_hash(struct ahash_request *areq)
+ */
+ while (op->len < 64 && i < end) {
+ /* how many bytes we can read from current SG */
+- in_r = min3(mi.length - in_i, end - i,
+- 64 - op->len);
++ in_r = min(end - i, 64 - op->len);
++ in_r = min_t(size_t, mi.length - in_i, in_r);
+ memcpy(op->buf + op->len, mi.addr + in_i, in_r);
+ op->len += in_r;
+ i += in_r;
+@@ -307,8 +307,8 @@ static int sun4i_hash(struct ahash_request *areq)
+ }
+ if (mi.length - in_i > 3 && i < end) {
+ /* how many bytes we can read from current SG */
+- in_r = min3(mi.length - in_i, areq->nbytes - i,
+- ((mi.length - in_i) / 4) * 4);
++ in_r = min_t(size_t, mi.length - in_i, areq->nbytes - i);
++ in_r = min_t(size_t, ((mi.length - in_i) / 4) * 4, in_r);
+ /* how many bytes we can write in the device*/
+ todo = min3((u32)(end - i) / 4, rx_cnt, (u32)in_r / 4);
+ writesl(ss->base + SS_RXFIFO, mi.addr + in_i, todo);
+@@ -334,8 +334,8 @@ static int sun4i_hash(struct ahash_request *areq)
+ if ((areq->nbytes - i) < 64) {
+ while (i < areq->nbytes && in_i < mi.length && op->len < 64) {
+ /* how many bytes we can read from current SG */
+- in_r = min3(mi.length - in_i, areq->nbytes - i,
+- 64 - op->len);
++ in_r = min(areq->nbytes - i, 64 - op->len);
++ in_r = min_t(size_t, mi.length - in_i, in_r);
+ memcpy(op->buf + op->len, mi.addr + in_i, in_r);
+ op->len += in_r;
+ i += in_r;
+--
+2.20.1
+
--- /dev/null
+From 7d193ddaf64bfcbd8a3851ad65b848aa655cd3e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2019 22:27:38 +1100
+Subject: crypto: vmx - Avoid weird build failures
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 4ee812f6143d78d8ba1399671d78c8d78bf2817c ]
+
+In the vmx crypto Makefile we assign to a variable called TARGET and
+pass that to the aesp8-ppc.pl and ghashp8-ppc.pl scripts.
+
+The variable is meant to describe what flavour of powerpc we're
+building for, eg. either 32 or 64-bit, and big or little endian.
+
+Unfortunately TARGET is a fairly common name for a make variable, and
+if it happens that TARGET is specified as a command line parameter to
+make, the value specified on the command line will override our value.
+
+In particular this can happen if the kernel Makefile is driven by an
+external Makefile that uses TARGET for something.
+
+This leads to weird build failures, eg:
+ nonsense at /build/linux/drivers/crypto/vmx/ghashp8-ppc.pl line 45.
+ /linux/drivers/crypto/vmx/Makefile:20: recipe for target 'drivers/crypto/vmx/ghashp8-ppc.S' failed
+
+Which shows that we passed an empty value for $(TARGET) to the perl
+script, confirmed with make V=1:
+
+ perl /linux/drivers/crypto/vmx/ghashp8-ppc.pl > drivers/crypto/vmx/ghashp8-ppc.S
+
+We can avoid this confusion by using override, to tell make that we
+don't want anything to override our variable, even a value specified
+on the command line. We can also use a less common name, given the
+script calls it "flavour", let's use that.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/vmx/Makefile | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/vmx/Makefile b/drivers/crypto/vmx/Makefile
+index de6e241b0866..957377c309a9 100644
+--- a/drivers/crypto/vmx/Makefile
++++ b/drivers/crypto/vmx/Makefile
+@@ -2,13 +2,13 @@ obj-$(CONFIG_CRYPTO_DEV_VMX_ENCRYPT) += vmx-crypto.o
+ vmx-crypto-objs := vmx.o aesp8-ppc.o ghashp8-ppc.o aes.o aes_cbc.o aes_ctr.o aes_xts.o ghash.o
+
+ ifeq ($(CONFIG_CPU_LITTLE_ENDIAN),y)
+-TARGET := linux-ppc64le
++override flavour := linux-ppc64le
+ else
+-TARGET := linux-ppc64
++override flavour := linux-ppc64
+ endif
+
+ quiet_cmd_perl = PERL $@
+- cmd_perl = $(PERL) $(<) $(TARGET) > $(@)
++ cmd_perl = $(PERL) $(<) $(flavour) > $(@)
+
+ $(src)/aesp8-ppc.S: $(src)/aesp8-ppc.pl
+ $(call cmd,perl)
+--
+2.20.1
+
--- /dev/null
+From 59662a9bdb677aeeffcdd2d190babe255477d42a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2019 20:48:46 -0400
+Subject: drm/bridge: analogix-anx78xx: silence -EPROBE_DEFER warnings
+
+From: Brian Masney <masneyb@onstation.org>
+
+[ Upstream commit 2708e876272d89bbbff811d12834adbeef85f022 ]
+
+Silence two warning messages that occur due to -EPROBE_DEFER errors to
+help cleanup the system boot log.
+
+Signed-off-by: Brian Masney <masneyb@onstation.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190815004854.19860-4-masneyb@onstation.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/analogix-anx78xx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/analogix-anx78xx.c b/drivers/gpu/drm/bridge/analogix-anx78xx.c
+index a2a82366a771..eb97e88a103c 100644
+--- a/drivers/gpu/drm/bridge/analogix-anx78xx.c
++++ b/drivers/gpu/drm/bridge/analogix-anx78xx.c
+@@ -725,7 +725,9 @@ static int anx78xx_init_pdata(struct anx78xx *anx78xx)
+ /* 1.0V digital core power regulator */
+ pdata->dvdd10 = devm_regulator_get(dev, "dvdd10");
+ if (IS_ERR(pdata->dvdd10)) {
+- DRM_ERROR("DVDD10 regulator not found\n");
++ if (PTR_ERR(pdata->dvdd10) != -EPROBE_DEFER)
++ DRM_ERROR("DVDD10 regulator not found\n");
++
+ return PTR_ERR(pdata->dvdd10);
+ }
+
+@@ -1344,7 +1346,9 @@ static int anx78xx_i2c_probe(struct i2c_client *client,
+
+ err = anx78xx_init_pdata(anx78xx);
+ if (err) {
+- DRM_ERROR("Failed to initialize pdata: %d\n", err);
++ if (err != -EPROBE_DEFER)
++ DRM_ERROR("Failed to initialize pdata: %d\n", err);
++
+ return err;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 9e9043332a964a49f3d69dc1f2104325cbaa72f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2019 23:41:50 -0500
+Subject: drm/gma500: fix memory disclosures due to uninitialized bytes
+
+From: Kangjie Lu <kjlu@umn.edu>
+
+[ Upstream commit ec3b7b6eb8c90b52f61adff11b6db7a8db34de19 ]
+
+"clock" may be copied to "best_clock". Initializing best_clock
+is not sufficient. The fix initializes clock as well to avoid
+memory disclosures and informaiton leaks.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191018044150.1899-1-kjlu@umn.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_crtc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_crtc.c b/drivers/gpu/drm/gma500/oaktrail_crtc.c
+index da9fd34b9550..caa6da02206a 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_crtc.c
++++ b/drivers/gpu/drm/gma500/oaktrail_crtc.c
+@@ -139,6 +139,7 @@ static bool mrst_sdvo_find_best_pll(const struct gma_limit_t *limit,
+ s32 freq_error, min_error = 100000;
+
+ memset(best_clock, 0, sizeof(*best_clock));
++ memset(&clock, 0, sizeof(clock));
+
+ for (clock.m = limit->m.min; clock.m <= limit->m.max; clock.m++) {
+ for (clock.n = limit->n.min; clock.n <= limit->n.max;
+@@ -195,6 +196,7 @@ static bool mrst_lvds_find_best_pll(const struct gma_limit_t *limit,
+ int err = target;
+
+ memset(best_clock, 0, sizeof(*best_clock));
++ memset(&clock, 0, sizeof(clock));
+
+ for (clock.m = limit->m.min; clock.m <= limit->m.max; clock.m++) {
+ for (clock.p1 = limit->p1.min; clock.p1 <= limit->p1.max;
+--
+2.20.1
+
--- /dev/null
+From b035d4931309b3f847b52ac79b838674ffb7b4ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2019 12:52:19 -0400
+Subject: drm: mst: Fix query_payload ack reply struct
+
+From: Sean Paul <seanpaul@chromium.org>
+
+[ Upstream commit 268de6530aa18fe5773062367fd119f0045f6e88 ]
+
+Spec says[1] Allocated_PBN is 16 bits
+
+[1]- DisplayPort 1.2 Spec, Section 2.11.9.8, Table 2-98
+
+Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Todd Previte <tprevite@gmail.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <maxime.ripard@bootlin.com>
+Cc: Sean Paul <sean@poorly.run>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: dri-devel@lists.freedesktop.org
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190829165223.129662-1-sean@poorly.run
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/drm/drm_dp_mst_helper.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/drm/drm_dp_mst_helper.h b/include/drm/drm_dp_mst_helper.h
+index 003207670597..c0542de64690 100644
+--- a/include/drm/drm_dp_mst_helper.h
++++ b/include/drm/drm_dp_mst_helper.h
+@@ -312,7 +312,7 @@ struct drm_dp_resource_status_notify {
+
+ struct drm_dp_query_payload_ack_reply {
+ u8 port_number;
+- u8 allocated_pbn;
++ u16 allocated_pbn;
+ };
+
+ struct drm_dp_sideband_msg_req_body {
+--
+2.20.1
+
--- /dev/null
+From 036c1534d1898d19af5cb2b627a17a29c7736e02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2019 09:33:23 +0000
+Subject: EDAC/ghes: Fix grain calculation
+
+From: Robert Richter <rrichter@marvell.com>
+
+[ Upstream commit 7088e29e0423d3195e09079b4f849ec4837e5a75 ]
+
+The current code to convert a physical address mask to a grain
+(defined as granularity in bytes) is:
+
+ e->grain = ~(mem_err->physical_addr_mask & ~PAGE_MASK);
+
+This is broken in several ways:
+
+1) It calculates to wrong grain values. E.g., a physical address mask
+of ~0xfff should give a grain of 0x1000. Without considering
+PAGE_MASK, there is an off-by-one. Things are worse when also
+filtering it with ~PAGE_MASK. This will calculate to a grain with the
+upper bits set. In the example it even calculates to ~0.
+
+2) The grain does not depend on and is unrelated to the kernel's
+page-size. The page-size only matters when unmapping memory in
+memory_failure(). Smaller grains are wrongly rounded up to the
+page-size, on architectures with a configurable page-size (e.g. arm64)
+this could round up to the even bigger page-size of the hypervisor.
+
+Fix this with:
+
+ e->grain = ~mem_err->physical_addr_mask + 1;
+
+The grain_bits are defined as:
+
+ grain = 1 << grain_bits;
+
+Change also the grain_bits calculation accordingly, it is the same
+formula as in edac_mc.c now and the code can be unified.
+
+The value in ->physical_addr_mask coming from firmware is assumed to
+be contiguous, but this is not sanity-checked. However, in case the
+mask is non-contiguous, a conversion to grain_bits effectively
+converts the grain bit mask to a power of 2 by rounding it up.
+
+Suggested-by: James Morse <james.morse@arm.com>
+Signed-off-by: Robert Richter <rrichter@marvell.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Cc: "linux-edac@vger.kernel.org" <linux-edac@vger.kernel.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Link: https://lkml.kernel.org/r/20191106093239.25517-11-rrichter@marvell.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ghes_edac.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/ghes_edac.c b/drivers/edac/ghes_edac.c
+index e3fa4390f846..4ddbf6604e2a 100644
+--- a/drivers/edac/ghes_edac.c
++++ b/drivers/edac/ghes_edac.c
+@@ -189,6 +189,7 @@ void ghes_edac_report_mem_error(struct ghes *ghes, int sev,
+ /* Cleans the error report buffer */
+ memset(e, 0, sizeof (*e));
+ e->error_count = 1;
++ e->grain = 1;
+ strcpy(e->label, "unknown label");
+ e->msg = pvt->msg;
+ e->other_detail = pvt->other_detail;
+@@ -284,7 +285,7 @@ void ghes_edac_report_mem_error(struct ghes *ghes, int sev,
+
+ /* Error grain */
+ if (mem_err->validation_bits & CPER_MEM_VALID_PA_MASK)
+- e->grain = ~(mem_err->physical_addr_mask & ~PAGE_MASK);
++ e->grain = ~mem_err->physical_addr_mask + 1;
+
+ /* Memory error location, mapped on e->location */
+ p = e->location;
+@@ -391,8 +392,13 @@ void ghes_edac_report_mem_error(struct ghes *ghes, int sev,
+ if (p > pvt->other_detail)
+ *(p - 1) = '\0';
+
++ /* Sanity-check driver-supplied grain value. */
++ if (WARN_ON_ONCE(!e->grain))
++ e->grain = 1;
++
++ grain_bits = fls_long(e->grain - 1);
++
+ /* Generate the trace event */
+- grain_bits = fls_long(e->grain);
+ snprintf(pvt->detail_location, sizeof(pvt->detail_location),
+ "APEI location: %s %s", e->location, e->other_detail);
+ trace_mc_event(type, e->msg, e->label, e->error_count,
+--
+2.20.1
+
--- /dev/null
+From fad9eaf4525b678c2e5f9f5ec5cf762364b46219 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2019 17:47:20 +0200
+Subject: extcon: sm5502: Reset registers during initialization
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit 6942635032cfd3e003e980d2dfa4e6323a3ce145 ]
+
+On some devices (e.g. Samsung Galaxy A5 (2015)), the bootloader
+seems to keep interrupts enabled for SM5502 when booting Linux.
+Changing the cable state (i.e. plugging in a cable) - until the driver
+is loaded - will therefore produce an interrupt that is never read.
+
+In this situation, the cable state will be stuck forever on the
+initial state because SM5502 stops sending interrupts.
+This can be avoided by clearing those pending interrupts after
+the driver has been loaded.
+
+One way to do this is to reset all registers to default state
+by writing to SM5502_REG_RESET. This ensures that we start from
+a clean state, with all interrupts disabled.
+
+Suggested-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-sm5502.c | 4 ++++
+ drivers/extcon/extcon-sm5502.h | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/extcon/extcon-sm5502.c b/drivers/extcon/extcon-sm5502.c
+index b22325688503..9d2d8a6673c8 100644
+--- a/drivers/extcon/extcon-sm5502.c
++++ b/drivers/extcon/extcon-sm5502.c
+@@ -69,6 +69,10 @@ struct sm5502_muic_info {
+ /* Default value of SM5502 register to bring up MUIC device. */
+ static struct reg_data sm5502_reg_data[] = {
+ {
++ .reg = SM5502_REG_RESET,
++ .val = SM5502_REG_RESET_MASK,
++ .invert = true,
++ }, {
+ .reg = SM5502_REG_CONTROL,
+ .val = SM5502_REG_CONTROL_MASK_INT_MASK,
+ .invert = false,
+diff --git a/drivers/extcon/extcon-sm5502.h b/drivers/extcon/extcon-sm5502.h
+index 974b53222f56..12f8b01e5753 100644
+--- a/drivers/extcon/extcon-sm5502.h
++++ b/drivers/extcon/extcon-sm5502.h
+@@ -241,6 +241,8 @@ enum sm5502_reg {
+ #define DM_DP_SWITCH_UART ((DM_DP_CON_SWITCH_UART <<SM5502_REG_MANUAL_SW1_DP_SHIFT) \
+ | (DM_DP_CON_SWITCH_UART <<SM5502_REG_MANUAL_SW1_DM_SHIFT))
+
++#define SM5502_REG_RESET_MASK (0x1)
++
+ /* SM5502 Interrupts */
+ enum sm5502_irq {
+ /* INT1 */
+--
+2.20.1
+
--- /dev/null
+From de561c771a92e71a9e9cfdec77e7652db9f65413 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2019 11:57:12 +0200
+Subject: fbtft: Make sure string is NULL terminated
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 21f585480deb4bcf0d92b08879c35d066dfee030 ]
+
+New GCC warns about inappropriate use of strncpy():
+
+drivers/staging/fbtft/fbtft-core.c: In function ‘fbtft_framebuffer_alloc’:
+drivers/staging/fbtft/fbtft-core.c:665:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
+ 665 | strncpy(info->fix.id, dev->driver->name, 16);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Later on the copy is being used with the assumption to be NULL terminated.
+Make sure string is NULL terminated by switching to snprintf().
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20191120095716.26628-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/fbtft/fbtft-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
+index d9ba8c0f1353..ece713d02660 100644
+--- a/drivers/staging/fbtft/fbtft-core.c
++++ b/drivers/staging/fbtft/fbtft-core.c
+@@ -766,7 +766,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
+ fbdefio->deferred_io = fbtft_deferred_io;
+ fb_deferred_io_init(info);
+
+- strncpy(info->fix.id, dev->driver->name, 16);
++ snprintf(info->fix.id, sizeof(info->fix.id), "%s", dev->driver->name);
+ info->fix.type = FB_TYPE_PACKED_PIXELS;
+ info->fix.visual = FB_VISUAL_TRUECOLOR;
+ info->fix.xpanstep = 0;
+--
+2.20.1
+
--- /dev/null
+From d90463c37177c83eafb95334c2374a64977e055f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Sep 2019 14:02:56 -0700
+Subject: hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not
+ idled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit eaecce12f5f0d2c35d278e41e1bc4522393861ab ]
+
+When unloading omap3-rom-rng, we'll get the following:
+
+WARNING: CPU: 0 PID: 100 at drivers/clk/clk.c:948 clk_core_disable
+
+This is because the clock may be already disabled by omap3_rom_rng_idle().
+Let's fix the issue by checking for rng_idle on exit.
+
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Adam Ford <aford173@gmail.com>
+Cc: Pali Rohár <pali.rohar@gmail.com>
+Cc: Sebastian Reichel <sre@kernel.org>
+Cc: Tero Kristo <t-kristo@ti.com>
+Fixes: 1c6b7c2108bd ("hwrng: OMAP3 ROM Random Number Generator support")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/omap3-rom-rng.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/hw_random/omap3-rom-rng.c b/drivers/char/hw_random/omap3-rom-rng.c
+index 37a58d78aab3..3324a7f4bee3 100644
+--- a/drivers/char/hw_random/omap3-rom-rng.c
++++ b/drivers/char/hw_random/omap3-rom-rng.c
+@@ -114,7 +114,8 @@ static int omap3_rom_rng_remove(struct platform_device *pdev)
+ {
+ cancel_delayed_work_sync(&idle_work);
+ hwrng_unregister(&omap3_rom_rng_ops);
+- clk_disable_unprepare(rng_clk);
++ if (!rng_idle)
++ clk_disable_unprepare(rng_clk);
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From be297319b9275febe06f28b71bc164d6a358d7dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 00:03:47 +0300
+Subject: IB/iser: bound protection_sg size by data_sg size
+
+From: Max Gurtovoy <maxg@mellanox.com>
+
+[ Upstream commit 7718cf03c3ce4b6ebd90107643ccd01c952a1fce ]
+
+In case we don't set the sg_prot_tablesize, the scsi layer assign the
+default size (65535 entries). We should limit this size since we should
+take into consideration the underlaying device capability. This cap is
+considered when calculating the sg_tablesize. Otherwise, for example,
+we can get that /sys/block/sdb/queue/max_segments is 128 and
+/sys/block/sdb/queue/max_integrity_segments is 65535.
+
+Link: https://lore.kernel.org/r/1569359027-10987-1-git-send-email-maxg@mellanox.com
+Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/iser/iscsi_iser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.c b/drivers/infiniband/ulp/iser/iscsi_iser.c
+index e46e2b095c18..fdf5179a81c1 100644
+--- a/drivers/infiniband/ulp/iser/iscsi_iser.c
++++ b/drivers/infiniband/ulp/iser/iscsi_iser.c
+@@ -649,6 +649,7 @@ iscsi_iser_session_create(struct iscsi_endpoint *ep,
+ if (ib_conn->pi_support) {
+ u32 sig_caps = ib_conn->device->ib_device->attrs.sig_prot_cap;
+
++ shost->sg_prot_tablesize = shost->sg_tablesize;
+ scsi_host_set_prot(shost, iser_dif_prot_caps(sig_caps));
+ scsi_host_set_guard(shost, SHOST_DIX_GUARD_IP |
+ SHOST_DIX_GUARD_CRC);
+--
+2.20.1
+
--- /dev/null
+From 79a845d14b7d62a8653613b48fba6632031e1927 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2019 16:43:42 +0200
+Subject: iio: adc: max1027: Reset the device at probe time
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit db033831b4f5589f9fcbadb837614a7c4eac0308 ]
+
+All the registers are configured by the driver, let's reset the chip
+at probe time, avoiding any conflict with a possible earlier
+configuration.
+
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/max1027.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/iio/adc/max1027.c b/drivers/iio/adc/max1027.c
+index 712fbd2b1f16..ec3f7bc70b75 100644
+--- a/drivers/iio/adc/max1027.c
++++ b/drivers/iio/adc/max1027.c
+@@ -471,6 +471,14 @@ static int max1027_probe(struct spi_device *spi)
+ goto fail_dev_register;
+ }
+
++ /* Internal reset */
++ st->reg = MAX1027_RST_REG;
++ ret = spi_write(st->spi, &st->reg, 1);
++ if (ret < 0) {
++ dev_err(&indio_dev->dev, "Failed to reset the ADC\n");
++ return ret;
++ }
++
+ /* Disable averaging */
+ st->reg = MAX1027_AVG_REG;
+ ret = spi_write(st->spi, &st->reg, 1);
+--
+2.20.1
+
--- /dev/null
+From a8621e9c3126d388c723fc6f13d7b9516b414323 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2019 22:24:13 +0200
+Subject: iio: light: bh1750: Resolve compiler warning and make code more
+ readable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Wilczynski <kw@linux.com>
+
+[ Upstream commit f552fde983d378e7339f9ea74a25f918563bf0d3 ]
+
+Separate the declaration of struct bh1750_chip_info from definition
+of bh1750_chip_info_tbl[] in a single statement as it makes the code
+hard to read, and with the extra newline it makes it look as if the
+bh1750_chip_info_tbl[] had no explicit type.
+
+This change also resolves the following compiler warning about the
+unusual position of the static keyword that can be seen when building
+with warnings enabled (W=1):
+
+drivers/iio/light/bh1750.c:64:1: warning:
+ ‘static’ is not at beginning of declaration [-Wold-style-declaration]
+
+Related to commit 3a11fbb037a1 ("iio: light: add support for ROHM
+BH1710/BH1715/BH1721/BH1750/BH1751 ambient light sensors").
+
+Signed-off-by: Krzysztof Wilczynski <kw@linux.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/bh1750.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/light/bh1750.c b/drivers/iio/light/bh1750.c
+index b05946604f80..6d5bb11594dc 100644
+--- a/drivers/iio/light/bh1750.c
++++ b/drivers/iio/light/bh1750.c
+@@ -62,9 +62,9 @@ struct bh1750_chip_info {
+
+ u16 int_time_low_mask;
+ u16 int_time_high_mask;
+-}
++};
+
+-static const bh1750_chip_info_tbl[] = {
++static const struct bh1750_chip_info bh1750_chip_info_tbl[] = {
+ [BH1710] = { 140, 1022, 300, 400, 250000000, 2, 0x001F, 0x03E0 },
+ [BH1721] = { 140, 1020, 300, 400, 250000000, 2, 0x0010, 0x03E0 },
+ [BH1750] = { 31, 254, 69, 1740, 57500000, 1, 0x001F, 0x00E0 },
+--
+2.20.1
+
--- /dev/null
+From 2f02eb57804089aef874f75340525822d0738c99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 14:50:32 +0100
+Subject: iwlwifi: check kasprintf() return value
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 5974fbb5e10b018fdbe3c3b81cb4cc54e1105ab9 ]
+
+kasprintf() can fail, we should check the return value.
+
+Fixes: 5ed540aecc2a ("iwlwifi: use mac80211 throughput trigger")
+Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/led.c | 3 +++
+ drivers/net/wireless/intel/iwlwifi/mvm/led.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/led.c b/drivers/net/wireless/intel/iwlwifi/dvm/led.c
+index 1bbd17ada974..20e16c423990 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/led.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/led.c
+@@ -185,6 +185,9 @@ void iwl_leds_init(struct iwl_priv *priv)
+
+ priv->led.name = kasprintf(GFP_KERNEL, "%s-led",
+ wiphy_name(priv->hw->wiphy));
++ if (!priv->led.name)
++ return;
++
+ priv->led.brightness_set = iwl_led_brightness_set;
+ priv->led.blink_set = iwl_led_blink_set;
+ priv->led.max_brightness = 1;
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/led.c b/drivers/net/wireless/intel/iwlwifi/mvm/led.c
+index 1e51fbe95f7c..73c351a64187 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/led.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/led.c
+@@ -109,6 +109,9 @@ int iwl_mvm_leds_init(struct iwl_mvm *mvm)
+
+ mvm->led.name = kasprintf(GFP_KERNEL, "%s-led",
+ wiphy_name(mvm->hw->wiphy));
++ if (!mvm->led.name)
++ return -ENOMEM;
++
+ mvm->led.brightness_set = iwl_led_brightness_set;
+ mvm->led.max_brightness = 1;
+
+--
+2.20.1
+
--- /dev/null
+From 1d7ba329ead9dbd65ab8d30e832df416d543208d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 09:28:02 +0200
+Subject: iwlwifi: mvm: fix unaligned read of rx_pkt_status
+
+From: Wang Xuerui <wangxuerui@qiniu.com>
+
+[ Upstream commit c5aaa8be29b25dfe1731e9a8b19fd91b7b789ee3 ]
+
+This is present since the introduction of iwlmvm.
+Example stack trace on MIPS:
+
+[<ffffffffc0789328>] iwl_mvm_rx_rx_mpdu+0xa8/0xb88 [iwlmvm]
+[<ffffffffc0632b40>] iwl_pcie_rx_handle+0x420/0xc48 [iwlwifi]
+
+Tested with a Wireless AC 7265 for ~6 months, confirmed to fix the
+problem. No other unaligned accesses are spotted yet.
+
+Signed-off-by: Wang Xuerui <wangxuerui@qiniu.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
+index b78e60eb600f..d0aa4d0a5537 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
+@@ -62,6 +62,7 @@
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *****************************************************************************/
++#include <asm/unaligned.h>
+ #include <linux/etherdevice.h>
+ #include <linux/skbuff.h>
+ #include "iwl-trans.h"
+@@ -289,7 +290,7 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct napi_struct *napi,
+ rx_res = (struct iwl_rx_mpdu_res_start *)pkt->data;
+ hdr = (struct ieee80211_hdr *)(pkt->data + sizeof(*rx_res));
+ len = le16_to_cpu(rx_res->byte_count);
+- rx_pkt_status = le32_to_cpup((__le32 *)
++ rx_pkt_status = get_unaligned_le32((__le32 *)
+ (pkt->data + sizeof(*rx_res) + len));
+
+ /* Dont use dev_alloc_skb(), we'll have enough headroom once
+--
+2.20.1
+
--- /dev/null
+From 552661b167d3324a8ec0f20359b33fc5cf5279f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 18:19:52 +0800
+Subject: libata: Ensure ata_port probe has completed before detach
+
+From: John Garry <john.garry@huawei.com>
+
+[ Upstream commit 130f4caf145c3562108b245a576db30b916199d2 ]
+
+With CONFIG_DEBUG_TEST_DRIVER_REMOVE set, we may find the following WARN:
+
+[ 23.452574] ------------[ cut here ]------------
+[ 23.457190] WARNING: CPU: 59 PID: 1 at drivers/ata/libata-core.c:6676 ata_host_detach+0x15c/0x168
+[ 23.466047] Modules linked in:
+[ 23.469092] CPU: 59 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00010-g5b83fd27752b-dirty #296
+[ 23.477776] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
+[ 23.486286] pstate: a0c00009 (NzCv daif +PAN +UAO)
+[ 23.491065] pc : ata_host_detach+0x15c/0x168
+[ 23.495322] lr : ata_host_detach+0x88/0x168
+[ 23.499491] sp : ffff800011cabb50
+[ 23.502792] x29: ffff800011cabb50 x28: 0000000000000007
+[ 23.508091] x27: ffff80001137f068 x26: ffff8000112c0c28
+[ 23.513390] x25: 0000000000003848 x24: ffff0023ea185300
+[ 23.518689] x23: 0000000000000001 x22: 00000000000014c0
+[ 23.523987] x21: 0000000000013740 x20: ffff0023bdc20000
+[ 23.529286] x19: 0000000000000000 x18: 0000000000000004
+[ 23.534584] x17: 0000000000000001 x16: 00000000000000f0
+[ 23.539883] x15: ffff0023eac13790 x14: ffff0023eb76c408
+[ 23.545181] x13: 0000000000000000 x12: ffff0023eac13790
+[ 23.550480] x11: ffff0023eb76c228 x10: 0000000000000000
+[ 23.555779] x9 : ffff0023eac13798 x8 : 0000000040000000
+[ 23.561077] x7 : 0000000000000002 x6 : 0000000000000001
+[ 23.566376] x5 : 0000000000000002 x4 : 0000000000000000
+[ 23.571674] x3 : ffff0023bf08a0bc x2 : 0000000000000000
+[ 23.576972] x1 : 3099674201f72700 x0 : 0000000000400284
+[ 23.582272] Call trace:
+[ 23.584706] ata_host_detach+0x15c/0x168
+[ 23.588616] ata_pci_remove_one+0x10/0x18
+[ 23.592615] ahci_remove_one+0x20/0x40
+[ 23.596356] pci_device_remove+0x3c/0xe0
+[ 23.600267] really_probe+0xdc/0x3e0
+[ 23.603830] driver_probe_device+0x58/0x100
+[ 23.608000] device_driver_attach+0x6c/0x90
+[ 23.612169] __driver_attach+0x84/0xc8
+[ 23.615908] bus_for_each_dev+0x74/0xc8
+[ 23.619730] driver_attach+0x20/0x28
+[ 23.623292] bus_add_driver+0x148/0x1f0
+[ 23.627115] driver_register+0x60/0x110
+[ 23.630938] __pci_register_driver+0x40/0x48
+[ 23.635199] ahci_pci_driver_init+0x20/0x28
+[ 23.639372] do_one_initcall+0x5c/0x1b0
+[ 23.643199] kernel_init_freeable+0x1a4/0x24c
+[ 23.647546] kernel_init+0x10/0x108
+[ 23.651023] ret_from_fork+0x10/0x18
+[ 23.654590] ---[ end trace 634a14b675b71c13 ]---
+
+With KASAN also enabled, we may also get many use-after-free reports.
+
+The issue is that when CONFIG_DEBUG_TEST_DRIVER_REMOVE is set, we may
+attempt to detach the ata_port before it has been probed.
+
+This is because the ata_ports are async probed, meaning that there is no
+guarantee that the ata_port has probed prior to detach. When the ata_port
+does probe in this scenario, we get all sorts of issues as the detach may
+have already happened.
+
+Fix by ensuring synchronisation with async_synchronize_full(). We could
+alternatively use the cookie returned from the ata_port probe
+async_schedule() call, but that means managing the cookie, so more
+complicated.
+
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index da1a987c622a..b1582f161171 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6550,6 +6550,9 @@ void ata_host_detach(struct ata_host *host)
+ {
+ int i;
+
++ /* Ensure ata_port probe has completed */
++ async_synchronize_full();
++
+ for (i = 0; i < host->n_ports; i++)
+ ata_port_detach(host->ports[i]);
+
+--
+2.20.1
+
--- /dev/null
+From 3a4e2c32b1a776ee6984fe0b76a48068e4bf9158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2019 22:05:00 +0530
+Subject: libertas: fix a potential NULL pointer dereference
+
+From: Allen Pais <allen.pais@oracle.com>
+
+[ Upstream commit 7da413a18583baaf35dd4a8eb414fa410367d7f2 ]
+
+alloc_workqueue is not checked for errors and as a result,
+a potential NULL dereference could occur.
+
+Signed-off-by: Allen Pais <allen.pais@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/if_sdio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c
+index 06a57c708992..44da911c9a1a 100644
+--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
+@@ -1229,6 +1229,10 @@ static int if_sdio_probe(struct sdio_func *func,
+
+ spin_lock_init(&card->lock);
+ card->workqueue = alloc_workqueue("libertas_sdio", WQ_MEM_RECLAIM, 0);
++ if (unlikely(!card->workqueue)) {
++ ret = -ENOMEM;
++ goto err_queue;
++ }
+ INIT_WORK(&card->packet_worker, if_sdio_host_to_card_worker);
+ init_waitqueue_head(&card->pwron_waitq);
+
+@@ -1282,6 +1286,7 @@ err_activate_card:
+ lbs_remove_card(priv);
+ free:
+ destroy_workqueue(card->workqueue);
++err_queue:
+ while (card->packets) {
+ packet = card->packets;
+ card->packets = card->packets->next;
+--
+2.20.1
+
--- /dev/null
+From 7e0c8b2362e4ab89a1dc01cc9842db9f7ddb4797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2019 20:44:15 -0500
+Subject: libtraceevent: Fix memory leakage in copy_filter_type
+
+From: Hewenliang <hewenliang4@huawei.com>
+
+[ Upstream commit 10992af6bf46a2048ad964985a5b77464e5563b1 ]
+
+It is necessary to free the memory that we have allocated when error occurs.
+
+Fixes: ef3072cd1d5c ("tools lib traceevent: Get rid of die in add_filter_type()")
+Signed-off-by: Hewenliang <hewenliang4@huawei.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Link: http://lore.kernel.org/lkml/20191119014415.57210-1-hewenliang4@huawei.com
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/traceevent/parse-filter.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/traceevent/parse-filter.c b/tools/lib/traceevent/parse-filter.c
+index 5e10ba796a6f..569bceff5f51 100644
+--- a/tools/lib/traceevent/parse-filter.c
++++ b/tools/lib/traceevent/parse-filter.c
+@@ -1492,8 +1492,10 @@ static int copy_filter_type(struct event_filter *filter,
+ if (strcmp(str, "TRUE") == 0 || strcmp(str, "FALSE") == 0) {
+ /* Add trivial event */
+ arg = allocate_arg();
+- if (arg == NULL)
++ if (arg == NULL) {
++ free(str);
+ return -1;
++ }
+
+ arg->type = FILTER_ARG_BOOLEAN;
+ if (strcmp(str, "TRUE") == 0)
+@@ -1502,8 +1504,11 @@ static int copy_filter_type(struct event_filter *filter,
+ arg->boolean.value = 0;
+
+ filter_type = add_filter_type(filter, event->id);
+- if (filter_type == NULL)
++ if (filter_type == NULL) {
++ free(str);
++ free_arg(arg);
+ return -1;
++ }
+
+ filter_type->filter = arg;
+
+--
+2.20.1
+
--- /dev/null
+From c993ef81c227c1fd7e5d47bf1b800bb33a444d8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Sep 2019 14:05:48 -0300
+Subject: media: am437x-vpfe: Setting STD to current value is not an error
+
+From: Benoit Parrot <bparrot@ti.com>
+
+[ Upstream commit 13aa21cfe92ce9ebb51824029d89f19c33f81419 ]
+
+VIDIOC_S_STD should not return an error if the value is identical
+to the current one.
+This error was highlighted by the v4l2-compliance test.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Acked-by: Lad Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/am437x/am437x-vpfe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/platform/am437x/am437x-vpfe.c b/drivers/media/platform/am437x/am437x-vpfe.c
+index 05489a401c5c..bd500f12d0f7 100644
+--- a/drivers/media/platform/am437x/am437x-vpfe.c
++++ b/drivers/media/platform/am437x/am437x-vpfe.c
+@@ -1847,6 +1847,10 @@ static int vpfe_s_std(struct file *file, void *priv, v4l2_std_id std_id)
+ if (!(sdinfo->inputs[0].capabilities & V4L2_IN_CAP_STD))
+ return -ENODATA;
+
++ /* if trying to set the same std then nothing to do */
++ if (vpfe_standards[vpfe->std_index].std_id == std_id)
++ return 0;
++
+ /* If streaming is started, return error */
+ if (vb2_is_busy(&vpfe->buffer_queue)) {
+ vpfe_err(vpfe, "%s device busy\n", __func__);
+--
+2.20.1
+
--- /dev/null
+From 28db2b618effaee986753e47aab0138d010f4483 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 04:56:38 -0300
+Subject: media: cec-funcs.h: add status_req checks
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 9b211f9c5a0b67afc435b86f75d78273b97db1c5 ]
+
+The CEC_MSG_GIVE_DECK_STATUS and CEC_MSG_GIVE_TUNER_DEVICE_STATUS commands
+both have a status_req argument: ON, OFF, ONCE. If ON or ONCE, then the
+follower will reply with a STATUS message. Either once or whenever the
+status changes (status_req == ON).
+
+If status_req == OFF, then it will stop sending continuous status updates,
+but the follower will *not* send a STATUS message in that case.
+
+This means that if status_req == OFF, then msg->reply should be 0 as well
+since no reply is expected in that case.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/cec-funcs.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/cec-funcs.h b/include/linux/cec-funcs.h
+index 138bbf721e70..a844749a2855 100644
+--- a/include/linux/cec-funcs.h
++++ b/include/linux/cec-funcs.h
+@@ -956,7 +956,8 @@ static inline void cec_msg_give_deck_status(struct cec_msg *msg,
+ msg->len = 3;
+ msg->msg[1] = CEC_MSG_GIVE_DECK_STATUS;
+ msg->msg[2] = status_req;
+- msg->reply = reply ? CEC_MSG_DECK_STATUS : 0;
++ msg->reply = (reply && status_req != CEC_OP_STATUS_REQ_OFF) ?
++ CEC_MSG_DECK_STATUS : 0;
+ }
+
+ static inline void cec_ops_give_deck_status(const struct cec_msg *msg,
+@@ -1060,7 +1061,8 @@ static inline void cec_msg_give_tuner_device_status(struct cec_msg *msg,
+ msg->len = 3;
+ msg->msg[1] = CEC_MSG_GIVE_TUNER_DEVICE_STATUS;
+ msg->msg[2] = status_req;
+- msg->reply = reply ? CEC_MSG_TUNER_DEVICE_STATUS : 0;
++ msg->reply = (reply && status_req != CEC_OP_STATUS_REQ_OFF) ?
++ CEC_MSG_TUNER_DEVICE_STATUS : 0;
+ }
+
+ static inline void cec_ops_give_tuner_device_status(const struct cec_msg *msg,
+--
+2.20.1
+
--- /dev/null
+From 1e93ce758b37d3064bd154d43c68ed053cb46ae7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2019 06:49:04 -0300
+Subject: media: flexcop-usb: fix NULL-ptr deref in flexcop_usb_transfer_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 649cd16c438f51d4cd777e71ca1f47f6e0c5e65d ]
+
+If usb_set_interface() failed, iface->cur_altsetting will
+not be assigned and it will be used in flexcop_usb_transfer_init()
+It may lead a NULL pointer dereference.
+
+Check usb_set_interface() return value in flexcop_usb_init()
+and return failed to avoid using this NULL pointer.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/b2c2/flexcop-usb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
+index 1fc3c8d7dd9b..2594d6a7393f 100644
+--- a/drivers/media/usb/b2c2/flexcop-usb.c
++++ b/drivers/media/usb/b2c2/flexcop-usb.c
+@@ -504,7 +504,13 @@ urb_error:
+ static int flexcop_usb_init(struct flexcop_usb *fc_usb)
+ {
+ /* use the alternate setting with the larges buffer */
+- usb_set_interface(fc_usb->udev,0,1);
++ int ret = usb_set_interface(fc_usb->udev, 0, 1);
++
++ if (ret) {
++ err("set interface failed.");
++ return ret;
++ }
++
+ switch (fc_usb->udev->speed) {
+ case USB_SPEED_LOW:
+ err("cannot handle USB speed because it is too slow.");
+--
+2.20.1
+
--- /dev/null
+From 212c6eedf69f21686c8360cd5eac602fbf1a5a46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 10:06:43 -0300
+Subject: media: i2c: ov2659: Fix missing 720p register config
+
+From: Benoit Parrot <bparrot@ti.com>
+
+[ Upstream commit 9d669fbfca20e6035ead814e55d9ef1a6b500540 ]
+
+The initial registers sequence is only loaded at probe
+time. Afterward only the resolution and format specific
+register are modified. Care must be taken to make sure
+registers modified by one resolution setting are reverted
+back when another resolution is programmed.
+
+This was not done properly for the 720p case.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov2659.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c
+index 49196afd15a8..ade3c48e2e0c 100644
+--- a/drivers/media/i2c/ov2659.c
++++ b/drivers/media/i2c/ov2659.c
+@@ -419,10 +419,14 @@ static struct sensor_register ov2659_720p[] = {
+ { REG_TIMING_YINC, 0x11 },
+ { REG_TIMING_VERT_FORMAT, 0x80 },
+ { REG_TIMING_HORIZ_FORMAT, 0x00 },
++ { 0x370a, 0x12 },
+ { 0x3a03, 0xe8 },
+ { 0x3a09, 0x6f },
+ { 0x3a0b, 0x5d },
+ { 0x3a15, 0x9a },
++ { REG_VFIFO_READ_START_H, 0x00 },
++ { REG_VFIFO_READ_START_L, 0x80 },
++ { REG_ISP_CTRL02, 0x00 },
+ { REG_NULL, 0x00 },
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 60b7ae3c896f75c848556f891bc9f85642b69ce8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 10:06:40 -0300
+Subject: media: i2c: ov2659: fix s_stream return value
+
+From: Benoit Parrot <bparrot@ti.com>
+
+[ Upstream commit 85c4043f1d403c222d481dfc91846227d66663fb ]
+
+In ov2659_s_stream() return value for invoked function should be checked
+and propagated.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov2659.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c
+index 3554eea77e04..49196afd15a8 100644
+--- a/drivers/media/i2c/ov2659.c
++++ b/drivers/media/i2c/ov2659.c
+@@ -1204,11 +1204,15 @@ static int ov2659_s_stream(struct v4l2_subdev *sd, int on)
+ goto unlock;
+ }
+
+- ov2659_set_pixel_clock(ov2659);
+- ov2659_set_frame_size(ov2659);
+- ov2659_set_format(ov2659);
+- ov2659_set_streaming(ov2659, 1);
+- ov2659->streaming = on;
++ ret = ov2659_set_pixel_clock(ov2659);
++ if (!ret)
++ ret = ov2659_set_frame_size(ov2659);
++ if (!ret)
++ ret = ov2659_set_format(ov2659);
++ if (!ret) {
++ ov2659_set_streaming(ov2659, 1);
++ ov2659->streaming = on;
++ }
+
+ unlock:
+ mutex_unlock(&ov2659->lock);
+--
+2.20.1
+
--- /dev/null
+From 948c5d9c0c9faaba284a3a6a15cec7943b08c2fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2019 17:11:43 -0300
+Subject: media: ov6650: Fix stored frame format not in sync with hardware
+
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+
+[ Upstream commit 3143b459de4cdcce67b36827476c966e93c1cf01 ]
+
+The driver stores frame format settings supposed to be in line with
+hardware state in a device private structure. Since the driver initial
+submission, those settings are updated before they are actually applied
+on hardware. If an error occurs on device update, the stored settings
+my not reflect hardware state anymore and consecutive calls to
+.get_fmt() may return incorrect information. That in turn may affect
+ability of a bridge device to use correct DMA transfer settings if such
+incorrect informmation on active frame format returned by .get_fmt() is
+used.
+
+Assuming a failed device update means its state hasn't changed, update
+frame format related settings stored in the device private structure
+only after they are successfully applied so the stored values always
+reflect hardware state as closely as possible.
+
+Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/soc_camera/ov6650.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/i2c/soc_camera/ov6650.c b/drivers/media/i2c/soc_camera/ov6650.c
+index fc187c5aeb1e..7a119466f973 100644
+--- a/drivers/media/i2c/soc_camera/ov6650.c
++++ b/drivers/media/i2c/soc_camera/ov6650.c
+@@ -612,7 +612,6 @@ static int ov6650_s_fmt(struct v4l2_subdev *sd, struct v4l2_mbus_framefmt *mf)
+ dev_err(&client->dev, "Pixel format not handled: 0x%x\n", code);
+ return -EINVAL;
+ }
+- priv->code = code;
+
+ if (code == MEDIA_BUS_FMT_Y8_1X8 ||
+ code == MEDIA_BUS_FMT_SBGGR8_1X8) {
+@@ -638,7 +637,6 @@ static int ov6650_s_fmt(struct v4l2_subdev *sd, struct v4l2_mbus_framefmt *mf)
+ dev_dbg(&client->dev, "max resolution: CIF\n");
+ coma_mask |= COMA_QCIF;
+ }
+- priv->half_scale = half_scale;
+
+ if (sense) {
+ if (sense->master_clock == 8000000) {
+@@ -678,8 +676,13 @@ static int ov6650_s_fmt(struct v4l2_subdev *sd, struct v4l2_mbus_framefmt *mf)
+ ret = ov6650_reg_rmw(client, REG_COMA, coma_set, coma_mask);
+ if (!ret)
+ ret = ov6650_reg_write(client, REG_CLKRC, clkrc);
+- if (!ret)
++ if (!ret) {
++ priv->half_scale = half_scale;
++
+ ret = ov6650_reg_rmw(client, REG_COML, coml_set, coml_mask);
++ }
++ if (!ret)
++ priv->code = code;
+
+ if (!ret) {
+ mf->colorspace = priv->colorspace;
+--
+2.20.1
+
--- /dev/null
+From c86af6945f9ca1bce4ce233babd51bbd3d9b9780 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2019 12:11:14 +0100
+Subject: media: pvrusb2: Fix oops on tear-down when radio support is not
+ present
+
+From: Mike Isely <isely@pobox.com>
+
+[ Upstream commit 7f404ae9cf2a285f73b3c18ab9303d54b7a3d8e1 ]
+
+In some device configurations there's no radio or radio support in the
+driver. That's OK, as the driver sets itself up accordingly. However
+on tear-down in these caes it's still trying to tear down radio
+related context when there isn't anything there, leading to
+dereferences through a null pointer and chaos follows.
+
+How this bug survived unfixed for 11 years in the pvrusb2 driver is a
+mystery to me.
+
+[hverkuil: fix two checkpatch warnings]
+
+Signed-off-by: Mike Isely <isely@pobox.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+index 2cc4d2b6f810..d18ced28797d 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+@@ -919,8 +919,12 @@ static void pvr2_v4l2_internal_check(struct pvr2_channel *chp)
+ pvr2_v4l2_dev_disassociate_parent(vp->dev_video);
+ pvr2_v4l2_dev_disassociate_parent(vp->dev_radio);
+ if (!list_empty(&vp->dev_video->devbase.fh_list) ||
+- !list_empty(&vp->dev_radio->devbase.fh_list))
++ (vp->dev_radio &&
++ !list_empty(&vp->dev_radio->devbase.fh_list))) {
++ pvr2_trace(PVR2_TRACE_STRUCT,
++ "pvr2_v4l2 internal_check exit-empty id=%p", vp);
+ return;
++ }
+ pvr2_v4l2_destroy_no_lock(vp);
+ }
+
+@@ -994,7 +998,8 @@ static int pvr2_v4l2_release(struct file *file)
+ kfree(fhp);
+ if (vp->channel.mc_head->disconnect_flag &&
+ list_empty(&vp->dev_video->devbase.fh_list) &&
+- list_empty(&vp->dev_radio->devbase.fh_list)) {
++ (!vp->dev_radio ||
++ list_empty(&vp->dev_radio->devbase.fh_list))) {
+ pvr2_v4l2_destroy_no_lock(vp);
+ }
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From d4250aec774add26976e42952fb6f58e59289d1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Nov 2019 07:28:15 +0100
+Subject: media: si470x-i2c: add missed operations in remove
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 2df200ab234a86836a8879a05a8007d6b884eb14 ]
+
+The driver misses calling v4l2_ctrl_handler_free and
+v4l2_device_unregister in remove like what is done in probe failure.
+Add the calls to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/si470x/radio-si470x-i2c.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c
+index f218886c504d..fb69534a8b56 100644
+--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
+@@ -460,6 +460,8 @@ static int si470x_i2c_remove(struct i2c_client *client)
+ video_unregister_device(&radio->videodev);
+ kfree(radio);
+
++ v4l2_ctrl_handler_free(&radio->hdl);
++ v4l2_device_unregister(&radio->v4l2_dev);
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 816ca1f04acc9319100edf5798c4f208549b3376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2019 12:10:00 -0300
+Subject: media: ti-vpe: vpe: fix a v4l2-compliance failure about frame
+ sequence number
+
+From: Benoit Parrot <bparrot@ti.com>
+
+[ Upstream commit 2444846c0dbfa4ead21b621e4300ec32c90fbf38 ]
+
+v4l2-compliance fails with this message:
+
+ fail: v4l2-test-buffers.cpp(294): \
+ (int)g_sequence() < seq.last_seq + 1
+ fail: v4l2-test-buffers.cpp(740): \
+ buf.check(m2m_q, last_m2m_seq)
+ fail: v4l2-test-buffers.cpp(974): \
+ captureBufs(node, q, m2m_q, frame_count, true)
+ test MMAP: FAIL
+
+The driver is failing to update the source frame sequence number in the
+vb2 buffer object. Only the destination frame sequence was being
+updated.
+
+This is only a reporting issue if the user space app actually cares
+about the frame sequence number. But it is fixed nonetheless.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/ti-vpe/vpe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c
+index da308fa6561f..067548e14e11 100644
+--- a/drivers/media/platform/ti-vpe/vpe.c
++++ b/drivers/media/platform/ti-vpe/vpe.c
+@@ -1298,6 +1298,7 @@ static irqreturn_t vpe_irq(int irq_vpe, void *data)
+ d_vb->timecode = s_vb->timecode;
+
+ d_vb->sequence = ctx->sequence;
++ s_vb->sequence = ctx->sequence;
+
+ d_q_data = &ctx->q_data[Q_DATA_DST];
+ if (d_q_data->flags & Q_DATA_INTERLACED) {
+--
+2.20.1
+
--- /dev/null
+From 59ef97fb0f7193bcfe2ad4b13a5da490145525cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2019 12:09:57 -0300
+Subject: media: ti-vpe: vpe: fix a v4l2-compliance warning about invalid pixel
+ format
+
+From: Benoit Parrot <bparrot@ti.com>
+
+[ Upstream commit 06bec72b250b2cb3ba96fa45c2b8e0fb83745517 ]
+
+v4l2-compliance warns with this message:
+
+ warn: v4l2-test-formats.cpp(717): \
+ TRY_FMT cannot handle an invalid pixelformat.
+ warn: v4l2-test-formats.cpp(718): \
+ This may or may not be a problem. For more information see:
+ warn: v4l2-test-formats.cpp(719): \
+ http://www.mail-archive.com/linux-media@vger.kernel.org/msg56550.html
+ ...
+ test VIDIOC_TRY_FMT: FAIL
+
+We need to make sure that the returns a valid pixel format in all
+instance. Based on the v4l2 framework convention drivers must return a
+valid pixel format when the requested pixel format is either invalid or
+not supported.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/ti-vpe/vpe.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c
+index 0189f7f7cb03..da308fa6561f 100644
+--- a/drivers/media/platform/ti-vpe/vpe.c
++++ b/drivers/media/platform/ti-vpe/vpe.c
+@@ -330,20 +330,25 @@ enum {
+ };
+
+ /* find our format description corresponding to the passed v4l2_format */
+-static struct vpe_fmt *find_format(struct v4l2_format *f)
++static struct vpe_fmt *__find_format(u32 fourcc)
+ {
+ struct vpe_fmt *fmt;
+ unsigned int k;
+
+ for (k = 0; k < ARRAY_SIZE(vpe_formats); k++) {
+ fmt = &vpe_formats[k];
+- if (fmt->fourcc == f->fmt.pix.pixelformat)
++ if (fmt->fourcc == fourcc)
+ return fmt;
+ }
+
+ return NULL;
+ }
+
++static struct vpe_fmt *find_format(struct v4l2_format *f)
++{
++ return __find_format(f->fmt.pix.pixelformat);
++}
++
+ /*
+ * there is one vpe_dev structure in the driver, it is shared by
+ * all instances.
+@@ -1433,9 +1438,9 @@ static int __vpe_try_fmt(struct vpe_ctx *ctx, struct v4l2_format *f,
+ int i, depth, depth_bytes;
+
+ if (!fmt || !(fmt->types & type)) {
+- vpe_err(ctx->dev, "Fourcc format (0x%08x) invalid.\n",
++ vpe_dbg(ctx->dev, "Fourcc format (0x%08x) invalid.\n",
+ pix->pixelformat);
+- return -EINVAL;
++ fmt = __find_format(V4L2_PIX_FMT_YUYV);
+ }
+
+ if (pix->field != V4L2_FIELD_NONE && pix->field != V4L2_FIELD_ALTERNATE)
+--
+2.20.1
+
--- /dev/null
+From 396d05c60f2a54675b746ced1f5ff87c1fefe3b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2019 12:09:58 -0300
+Subject: media: ti-vpe: vpe: Make sure YUYV is set as default format
+
+From: Benoit Parrot <bparrot@ti.com>
+
+[ Upstream commit e20b248051ca0f90d84b4d9378e4780bc31f16c6 ]
+
+v4l2-compliance fails with this message:
+
+ fail: v4l2-test-formats.cpp(672): \
+ Video Capture Multiplanar: TRY_FMT(G_FMT) != G_FMT
+ fail: v4l2-test-formats.cpp(672): \
+ Video Output Multiplanar: TRY_FMT(G_FMT) != G_FMT
+ ...
+ test VIDIOC_TRY_FMT: FAIL
+
+The default pixel format was setup as pointing to a specific offset in
+the vpe_formats table assuming it was pointing to the V4L2_PIX_FMT_YUYV
+entry. This became false after the addition on the NV21 format (see
+above commid-id)
+
+So instead of hard-coding an offset which might change over time we need
+to use a lookup helper instead so we know the default will always be what
+we intended.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Fixes: 40cc823f7005 ("media: ti-vpe: Add support for NV21 format")
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/ti-vpe/vpe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c
+index 067548e14e11..dbb4829acc43 100644
+--- a/drivers/media/platform/ti-vpe/vpe.c
++++ b/drivers/media/platform/ti-vpe/vpe.c
+@@ -1998,7 +1998,7 @@ static int vpe_open(struct file *file)
+ v4l2_ctrl_handler_setup(hdl);
+
+ s_q_data = &ctx->q_data[Q_DATA_SRC];
+- s_q_data->fmt = &vpe_formats[2];
++ s_q_data->fmt = __find_format(V4L2_PIX_FMT_YUYV);
+ s_q_data->width = 1920;
+ s_q_data->height = 1080;
+ s_q_data->bytesperline[VPE_LUMA] = (s_q_data->width *
+--
+2.20.1
+
--- /dev/null
+From e7b39c7afc23d169037265904a74aa4292af34ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 14:44:30 +0100
+Subject: mmc: tmio: Add MMC_CAP_ERASE to allow erase/discard/trim requests
+
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+
+[ Upstream commit c91843463e9e821dc3b48fe37e3155fa38299f6e ]
+
+Isolated initially to renesas_sdhi_internal_dmac [1], Ulf suggested
+adding MMC_CAP_ERASE to the TMIO mmc core:
+
+On Fri, Nov 15, 2019 at 10:27:25AM +0100, Ulf Hansson wrote:
+ -- snip --
+ This test and due to the discussions with Wolfram and you in this
+ thread, I would actually suggest that you enable MMC_CAP_ERASE for all
+ tmio variants, rather than just for this particular one.
+
+ In other words, set the cap in tmio_mmc_host_probe() should be fine,
+ as it seems none of the tmio variants supports HW busy detection at
+ this point.
+ -- snip --
+
+Testing on R-Car H3ULCB-KF doesn't reveal any issues (v5.4-rc7):
+
+root@rcar-gen3:~# lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+mmcblk0 179:0 0 59.2G 0 disk <--- eMMC
+mmcblk0boot0 179:8 0 4M 1 disk
+mmcblk0boot1 179:16 0 4M 1 disk
+mmcblk1 179:24 0 30G 0 disk <--- SD card
+
+root@rcar-gen3:~# time blkdiscard /dev/mmcblk0
+real 0m8.659s
+user 0m0.001s
+sys 0m1.920s
+
+root@rcar-gen3:~# time blkdiscard /dev/mmcblk1
+real 0m1.176s
+user 0m0.001s
+sys 0m0.124s
+
+[1] https://lore.kernel.org/linux-renesas-soc/20191112134808.23546-1-erosca@de.adit-jv.com/
+
+Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Originally-by: Harish Jenny K N <harish_kandiga@mentor.com>
+Suggested-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/tmio_mmc_pio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/tmio_mmc_pio.c b/drivers/mmc/host/tmio_mmc_pio.c
+index 0fc1f73b0d23..3e025766181b 100644
+--- a/drivers/mmc/host/tmio_mmc_pio.c
++++ b/drivers/mmc/host/tmio_mmc_pio.c
+@@ -1076,7 +1076,7 @@ int tmio_mmc_host_probe(struct tmio_mmc_host *_host,
+ tmio_mmc_ops.start_signal_voltage_switch = _host->start_signal_voltage_switch;
+ mmc->ops = &tmio_mmc_ops;
+
+- mmc->caps |= MMC_CAP_4_BIT_DATA | pdata->capabilities;
++ mmc->caps |= MMC_CAP_ERASE | MMC_CAP_4_BIT_DATA | pdata->capabilities;
+ mmc->caps2 |= pdata->capabilities2;
+ mmc->max_segs = 32;
+ mmc->max_blk_size = 512;
+--
+2.20.1
+
--- /dev/null
+From ba08b98613d17d38bc179644ec3340be02d4be85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2019 15:16:48 -0500
+Subject: mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit d10dcb615c8e29d403a24d35f8310a7a53e3050c ]
+
+In mwifiex_pcie_init_evt_ring, a new skb is allocated which should be
+released if mwifiex_map_pci_memory() fails. The release for skb and
+card->evtbd_ring_vbase is added.
+
+Fixes: 0732484b47b5 ("mwifiex: separate ring initialization and ring creation routines")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Ganapathi Bhat <gbhat@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
+index cb681b265b10..38d45a77c06b 100644
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -632,8 +632,11 @@ static int mwifiex_pcie_init_evt_ring(struct mwifiex_adapter *adapter)
+ skb_put(skb, MAX_EVENT_SIZE);
+
+ if (mwifiex_map_pci_memory(adapter, skb, MAX_EVENT_SIZE,
+- PCI_DMA_FROMDEVICE))
++ PCI_DMA_FROMDEVICE)) {
++ kfree_skb(skb);
++ kfree(card->evtbd_ring_vbase);
+ return -1;
++ }
+
+ buf_pa = MWIFIEX_SKB_DMA_ADDR(skb);
+
+--
+2.20.1
+
--- /dev/null
+From 08c29d94f076a99c6b5c2a72e5c7ff5b9081c13e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2019 15:23:23 +0000
+Subject: net: phy: initialise phydev speed and duplex sanely
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit a5d66f810061e2dd70fb7a108dcd14e535bc639f ]
+
+When a phydev is created, the speed and duplex are set to zero and
+-1 respectively, rather than using the predefined SPEED_UNKNOWN and
+DUPLEX_UNKNOWN constants.
+
+There is a window at initialisation time where we may report link
+down using the 0/-1 values. Tidy this up and use the predefined
+constants, so debug doesn't complain with:
+
+"Unsupported (update phy-core.c)/Unsupported (update phy-core.c)"
+
+when the speed and duplex settings are printed.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 5c2c72b1ef8b..3289fd910c4a 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -324,8 +324,8 @@ struct phy_device *phy_device_create(struct mii_bus *bus, int addr, int phy_id,
+ mdiodev->device_free = phy_mdio_device_free;
+ mdiodev->device_remove = phy_mdio_device_remove;
+
+- dev->speed = 0;
+- dev->duplex = -1;
++ dev->speed = SPEED_UNKNOWN;
++ dev->duplex = DUPLEX_UNKNOWN;
+ dev->pause = 0;
+ dev->asym_pause = 0;
+ dev->link = 1;
+--
+2.20.1
+
--- /dev/null
+From 32896fadde93d70b8d368c632ed3f8ca699f78b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 15:45:39 +0100
+Subject: parport: load lowlevel driver if ports not found
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+[ Upstream commit 231ec2f24dad18d021b361045bbd618ba62a274e ]
+
+Usually all the distro will load the parport low level driver as part
+of their initialization. But we can get into a situation where all the
+parallel port drivers are built as module and we unload all the modules
+at a later time. Then if we just do "modprobe parport" it will only
+load the parport module and will not load the low level driver which
+will actually register the ports. So, check the bus if there is any
+parport registered, if not, load the low level driver.
+
+We can get into the above situation with all distro but only Suse has
+setup the alias for "parport_lowlevel" and so it only works in Suse.
+Users of Debian based distro will need to load the lowlevel module
+manually.
+
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/20191016144540.18810-3-sudipm.mukherjee@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/parport/share.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/parport/share.c b/drivers/parport/share.c
+index daa2eb3050df..a7ceed7182ac 100644
+--- a/drivers/parport/share.c
++++ b/drivers/parport/share.c
+@@ -230,6 +230,18 @@ static int port_check(struct device *dev, void *dev_drv)
+ return 0;
+ }
+
++/*
++ * Iterates through all the devices connected to the bus and return 1
++ * if the device is a parallel port.
++ */
++
++static int port_detect(struct device *dev, void *dev_drv)
++{
++ if (is_parport(dev))
++ return 1;
++ return 0;
++}
++
+ /**
+ * parport_register_driver - register a parallel port device driver
+ * @drv: structure describing the driver
+@@ -282,6 +294,15 @@ int __parport_register_driver(struct parport_driver *drv, struct module *owner,
+ if (ret)
+ return ret;
+
++ /*
++ * check if bus has any parallel port registered, if
++ * none is found then load the lowlevel driver.
++ */
++ ret = bus_for_each_dev(&parport_bus_type, NULL, NULL,
++ port_detect);
++ if (!ret)
++ get_lowlevel_driver();
++
+ mutex_lock(®istration_lock);
+ if (drv->match_port)
+ bus_for_each_dev(&parport_bus_type, NULL, drv,
+--
+2.20.1
+
--- /dev/null
+From e0e5dc019e71919e17968f5d4946f7a39a38c2a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 14:42:25 +0200
+Subject: perf intel-bts: Does not support AUX area sampling
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 32a1ece4bdbde24734ab16484bad7316f03fc42d ]
+
+Add an error message because Intel BTS does not support AUX area
+sampling.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lore.kernel.org/lkml/20191115124225.5247-16-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/x86/util/auxtrace.c | 2 ++
+ tools/perf/arch/x86/util/intel-bts.c | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/tools/perf/arch/x86/util/auxtrace.c b/tools/perf/arch/x86/util/auxtrace.c
+index cc1d865e31f1..429a0b04d737 100644
+--- a/tools/perf/arch/x86/util/auxtrace.c
++++ b/tools/perf/arch/x86/util/auxtrace.c
+@@ -35,6 +35,8 @@ struct auxtrace_record *auxtrace_record__init_intel(struct perf_evlist *evlist,
+
+ intel_pt_pmu = perf_pmu__find(INTEL_PT_PMU_NAME);
+ intel_bts_pmu = perf_pmu__find(INTEL_BTS_PMU_NAME);
++ if (intel_bts_pmu)
++ intel_bts_pmu->auxtrace = true;
+
+ if (evlist) {
+ evlist__for_each_entry(evlist, evsel) {
+diff --git a/tools/perf/arch/x86/util/intel-bts.c b/tools/perf/arch/x86/util/intel-bts.c
+index 5132775a044f..400bb1a52d04 100644
+--- a/tools/perf/arch/x86/util/intel-bts.c
++++ b/tools/perf/arch/x86/util/intel-bts.c
+@@ -121,6 +121,11 @@ static int intel_bts_recording_options(struct auxtrace_record *itr,
+ const struct cpu_map *cpus = evlist->cpus;
+ bool privileged = geteuid() == 0 || perf_event_paranoid() < 0;
+
++ if (opts->auxtrace_sample_mode) {
++ pr_err("Intel BTS does not support AUX area sampling\n");
++ return -EINVAL;
++ }
++
+ btsr->evlist = evlist;
+ btsr->snapshot_mode = opts->auxtrace_snapshot_mode;
+
+--
+2.20.1
+
--- /dev/null
+From ec3e191b015144fe77fb717da3a5721defdf3c1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2019 10:09:25 -0800
+Subject: perf parse: Fix potential memory leak when handling tracepoint errors
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 4584f084aa9d8033d5911935837dbee7b082d0e9 ]
+
+An error may be in place when tracepoint_error is called, use
+parse_events__handle_error to avoid a memory leak and to capture the
+first and last error. Error detected by LLVM's libFuzzer using the
+following event:
+
+$ perf stat -e 'msr/event/,f:e'
+event syntax error: 'msr/event/,f:e'
+ \___ can't access trace events
+
+Error: No permissions to read /sys/kernel/debug/tracing/events/f/e
+Hint: Try 'sudo mount -o remount,mode=755 /sys/kernel/debug/tracing/'
+
+Initial error:
+event syntax error: 'msr/event/,f:e'
+ \___ no value assigned for term
+Run 'perf list' for a list of valid events
+
+ Usage: perf stat [<options>] [<command>]
+
+ -e, --event <event> event selector. use 'perf list' to list available events
+
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: clang-built-linux@googlegroups.com
+Link: http://lore.kernel.org/lkml/20191120180925.21787-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/parse-events.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
+index 6193be6d7639..cfb64369a18d 100644
+--- a/tools/perf/util/parse-events.c
++++ b/tools/perf/util/parse-events.c
+@@ -440,6 +440,7 @@ int parse_events_add_cache(struct list_head *list, int *idx,
+ static void tracepoint_error(struct parse_events_error *e, int err,
+ const char *sys, const char *name)
+ {
++ const char *str;
+ char help[BUFSIZ];
+
+ if (!e)
+@@ -453,18 +454,18 @@ static void tracepoint_error(struct parse_events_error *e, int err,
+
+ switch (err) {
+ case EACCES:
+- e->str = strdup("can't access trace events");
++ str = "can't access trace events";
+ break;
+ case ENOENT:
+- e->str = strdup("unknown tracepoint");
++ str = "unknown tracepoint";
+ break;
+ default:
+- e->str = strdup("failed to add tracepoint");
++ str = "failed to add tracepoint";
+ break;
+ }
+
+ tracing_path__strerror_open_tp(err, help, sizeof(help), sys, name);
+- e->help = strdup(help);
++ parse_events__handle_error(e, 0, strdup(str), strdup(help));
+ }
+
+ static int add_tracepoint(struct list_head *list, int *idx,
+--
+2.20.1
+
--- /dev/null
+From d9118868b932284f8f9832e2bd3c2a6b540419a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2019 16:09:30 +0900
+Subject: perf probe: Filter out instances except for inlined subroutine and
+ subprogram
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit da6cb952a89efe24bb76c4971370d485737a2d85 ]
+
+Filter out instances except for inlined_subroutine and subprogram DIE in
+die_walk_instances() and die_is_func_instance().
+
+This fixes an issue that perf probe sets some probes on calling address
+instead of a target function itself.
+
+When perf probe walks on instances of an abstruct origin (a kind of
+function prototype of inlined function), die_walk_instances() can also
+pass a GNU_call_site (a GNU extension for call site) to callback. Since
+it is not an inlined instance of target function, we have to filter out
+when searching a probe point.
+
+Without this patch, perf probe sets probes on call site address too.This
+can happen on some function which is marked "inlined", but has actual
+symbol. (I'm not sure why GCC mark it "inlined"):
+
+ # perf probe -D vfs_read
+ p:probe/vfs_read _text+2500017
+ p:probe/vfs_read_1 _text+2499468
+ p:probe/vfs_read_2 _text+2499563
+ p:probe/vfs_read_3 _text+2498876
+ p:probe/vfs_read_4 _text+2498512
+ p:probe/vfs_read_5 _text+2498627
+
+With this patch:
+
+Slightly different results, similar tho:
+
+ # perf probe -D vfs_read
+ p:probe/vfs_read _text+2498512
+
+Committer testing:
+
+ # uname -a
+ Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+
+Before:
+
+ # perf probe -D vfs_read
+ p:probe/vfs_read _text+3131557
+ p:probe/vfs_read_1 _text+3130975
+ p:probe/vfs_read_2 _text+3131047
+ p:probe/vfs_read_3 _text+3130380
+ p:probe/vfs_read_4 _text+3130000
+ # uname -a
+ Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ #
+
+After:
+
+ # perf probe -D vfs_read
+ p:probe/vfs_read _text+3130000
+ #
+
+Fixes: db0d2c6420ee ("perf probe: Search concrete out-of-line instances")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157241937063.32002.11024544873990816590.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 7eec3ae7b3c5..9b482477ddfe 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -322,18 +322,22 @@ bool die_is_func_def(Dwarf_Die *dw_die)
+ * @dw_die: a DIE
+ *
+ * Ensure that this DIE is an instance (which has an entry address).
+- * This returns true if @dw_die is a function instance. If not, you need to
+- * call die_walk_instances() to find actual instances.
++ * This returns true if @dw_die is a function instance. If not, the @dw_die
++ * must be a prototype. You can use die_walk_instances() to find actual
++ * instances.
+ **/
+ bool die_is_func_instance(Dwarf_Die *dw_die)
+ {
+ Dwarf_Addr tmp;
+ Dwarf_Attribute attr_mem;
++ int tag = dwarf_tag(dw_die);
+
+- /* Actually gcc optimizes non-inline as like as inlined */
+- return !dwarf_func_inline(dw_die) &&
+- (dwarf_entrypc(dw_die, &tmp) == 0 ||
+- dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL);
++ if (tag != DW_TAG_subprogram &&
++ tag != DW_TAG_inlined_subroutine)
++ return false;
++
++ return dwarf_entrypc(dw_die, &tmp) == 0 ||
++ dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL;
+ }
+
+ /**
+@@ -612,6 +616,9 @@ static int __die_walk_instances_cb(Dwarf_Die *inst, void *data)
+ Dwarf_Die *origin;
+ int tmp;
+
++ if (!die_is_func_instance(inst))
++ return DIE_FIND_CB_CONTINUE;
++
+ attr = dwarf_attr(inst, DW_AT_abstract_origin, &attr_mem);
+ if (attr == NULL)
+ return DIE_FIND_CB_CONTINUE;
+--
+2.20.1
+
--- /dev/null
+From c8f22c89bf251344667795845328e59f0946068c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 18:12:36 +0900
+Subject: perf probe: Fix to find range-only function instance
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit b77afa1f810f37bd8a36cb1318178dfe2d7af6b6 ]
+
+Fix die_is_func_instance() to find range-only function instance.
+
+In some case, a function instance can be made without any low PC or
+entry PC, but only with address ranges by optimization. (e.g. cold text
+partially in "text.unlikely" section) To find such function instance, we
+have to check the range attribute too.
+
+Fixes: e1ecbbc3fa83 ("perf probe: Fix to handle optimized not-inlined functions")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157190835669.1859.8368628035930950596.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 41e068e94349..3d0a9e09d00a 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -328,10 +328,14 @@ bool die_is_func_def(Dwarf_Die *dw_die)
+ bool die_is_func_instance(Dwarf_Die *dw_die)
+ {
+ Dwarf_Addr tmp;
++ Dwarf_Attribute attr_mem;
+
+ /* Actually gcc optimizes non-inline as like as inlined */
+- return !dwarf_func_inline(dw_die) && dwarf_entrypc(dw_die, &tmp) == 0;
++ return !dwarf_func_inline(dw_die) &&
++ (dwarf_entrypc(dw_die, &tmp) == 0 ||
++ dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL);
+ }
++
+ /**
+ * die_get_data_member_location - Get the data-member offset
+ * @mb_die: a DIE of a member of a data structure
+--
+2.20.1
+
--- /dev/null
+From b765e96a1e9f71527b6f1949f16bf896e84f925e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 17:46:52 +0900
+Subject: perf probe: Fix to list probe event with correct line number
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 3895534dd78f0fd4d3f9e05ee52b9cdd444a743e ]
+
+Since debuginfo__find_probe_point() uses dwarf_entrypc() for finding the
+entry address of the function on which a probe is, it will fail when the
+function DIE has only ranges attribute.
+
+To fix this issue, use die_entrypc() instead of dwarf_entrypc().
+
+Without this fix, perf probe -l shows incorrect offset:
+
+ # perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask+18446744071579263632@work/linux/linux/kernel/cpu.c)
+ probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask+18446744071579263752@work/linux/linux/kernel/cpu.c)
+
+With this:
+
+ # perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@work/linux/linux/kernel/cpu.c)
+ probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:21@work/linux/linux/kernel/cpu.c)
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask+18446744071579765152@kernel/cpu.c)
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
+ [root@quaco ~]#
+
+Fixes: 1d46ea2a6a40 ("perf probe: Fix listing incorrect line number with inline function")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199321227.8075.14655572419136993015.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 0d9d6e0803b8..248d3ff7e345 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1567,7 +1567,7 @@ int debuginfo__find_probe_point(struct debuginfo *dbg, unsigned long addr,
+ /* Get function entry information */
+ func = basefunc = dwarf_diename(&spdie);
+ if (!func ||
+- dwarf_entrypc(&spdie, &baseaddr) != 0 ||
++ die_entrypc(&spdie, &baseaddr) != 0 ||
+ dwarf_decl_line(&spdie, &baseline) != 0) {
+ lineno = 0;
+ goto post;
+@@ -1584,7 +1584,7 @@ int debuginfo__find_probe_point(struct debuginfo *dbg, unsigned long addr,
+ while (die_find_top_inlinefunc(&spdie, (Dwarf_Addr)addr,
+ &indie)) {
+ /* There is an inline function */
+- if (dwarf_entrypc(&indie, &_addr) == 0 &&
++ if (die_entrypc(&indie, &_addr) == 0 &&
+ _addr == addr) {
+ /*
+ * addr is at an inline function entry.
+--
+2.20.1
+
--- /dev/null
+From 0572e044903909e22c3019fa224f6d0288a08b38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 17:46:34 +0900
+Subject: perf probe: Fix to probe a function which has no entry pc
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 5d16dbcc311d91267ddb45c6da4f187be320ecee ]
+
+Fix 'perf probe' to probe a function which has no entry pc or low pc but
+only has ranges attribute.
+
+probe_point_search_cb() uses dwarf_entrypc() to get the probe address,
+but that doesn't work for the function DIE which has only ranges
+attribute. Use die_entrypc() instead.
+
+Without this fix:
+
+ # perf probe -k ../build-x86_64/vmlinux -D clear_tasks_mm_cpumask:0
+ Probe point 'clear_tasks_mm_cpumask' not found.
+ Error: Failed to add events.
+
+With this:
+
+ # perf probe -k ../build-x86_64/vmlinux -D clear_tasks_mm_cpumask:0
+ p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
+ Probe point 'clear_tasks_mm_cpumask' not found.
+ Error: Failed to add events.
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
+ Added new event:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1
+
+ [root@quaco ~]#
+
+Using it with 'perf trace':
+
+ [root@quaco ~]# perf trace -e probe:clear_tasks_mm_cpumask
+
+Doesn't seem to be used in x86_64:
+
+ $ find . -name "*.c" | xargs grep clear_tasks_mm_cpumask
+ ./kernel/cpu.c: * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
+ ./kernel/cpu.c:void clear_tasks_mm_cpumask(int cpu)
+ ./arch/xtensa/kernel/smp.c: clear_tasks_mm_cpumask(cpu);
+ ./arch/csky/kernel/smp.c: clear_tasks_mm_cpumask(cpu);
+ ./arch/sh/kernel/smp.c: clear_tasks_mm_cpumask(cpu);
+ ./arch/arm/kernel/smp.c: clear_tasks_mm_cpumask(cpu);
+ ./arch/powerpc/mm/nohash/mmu_context.c: clear_tasks_mm_cpumask(cpu);
+ $ find . -name "*.h" | xargs grep clear_tasks_mm_cpumask
+ ./include/linux/cpu.h:void clear_tasks_mm_cpumask(int cpu);
+ $ find . -name "*.S" | xargs grep clear_tasks_mm_cpumask
+ $
+
+Fixes: e1ecbbc3fa83 ("perf probe: Fix to handle optimized not-inlined functions")
+Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199319438.8075.4695576954550638618.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 9fc6fedcfa1a..cfc2e1e7cca4 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1002,7 +1002,7 @@ static int probe_point_search_cb(Dwarf_Die *sp_die, void *data)
+ param->retval = find_probe_point_by_line(pf);
+ } else if (die_is_func_instance(sp_die)) {
+ /* Instances always have the entry address */
+- dwarf_entrypc(sp_die, &pf->addr);
++ die_entrypc(sp_die, &pf->addr);
+ /* But in some case the entry address is 0 */
+ if (pf->addr == 0) {
+ pr_debug("%s has no entry PC. Skipped\n",
+--
+2.20.1
+
--- /dev/null
+From 4dc518b37706642774fc7c6529a4c375ea96c082 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 17:46:43 +0900
+Subject: perf probe: Fix to probe an inline function which has no entry pc
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit eb6933b29d20bf2c3053883d409a53f462c1a3ac ]
+
+Fix perf probe to probe an inlne function which has no entry pc
+or low pc but only has ranges attribute.
+
+This seems very rare case, but I could find a few examples, as
+same as probe_point_search_cb(), use die_entrypc() to get the
+entry address in probe_point_inline_cb() too.
+
+Without this patch:
+
+ # perf probe -D __amd_put_nb_event_constraints
+ Failed to get entry address of __amd_put_nb_event_constraints.
+ Probe point '__amd_put_nb_event_constraints' not found.
+ Error: Failed to add events.
+
+With this patch:
+
+ # perf probe -D __amd_put_nb_event_constraints
+ p:probe/__amd_put_nb_event_constraints amd_put_event_constraints+43
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe -D __amd_put_nb_event_constraints
+ Failed to get entry address of __amd_put_nb_event_constraints.
+ Probe point '__amd_put_nb_event_constraints' not found.
+ Error: Failed to add events.
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe -D __amd_put_nb_event_constraints
+ p:probe/__amd_put_nb_event_constraints _text+33789
+ [root@quaco ~]#
+
+Fixes: 4ea42b181434 ("perf: Add perf probe subcommand, a kprobe-event setup helper")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199320336.8075.16189530425277588587.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 248d3ff7e345..9fc6fedcfa1a 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -950,7 +950,7 @@ static int probe_point_inline_cb(Dwarf_Die *in_die, void *data)
+ ret = find_probe_point_lazy(in_die, pf);
+ else {
+ /* Get probe address */
+- if (dwarf_entrypc(in_die, &addr) != 0) {
++ if (die_entrypc(in_die, &addr) != 0) {
+ pr_warning("Failed to get entry address of %s.\n",
+ dwarf_diename(in_die));
+ return -ENOENT;
+--
+2.20.1
+
--- /dev/null
+From 06065b0c03088cc902b333b51e72ebc27380e66f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2019 16:09:40 +0900
+Subject: perf probe: Fix to show calling lines of inlined functions
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 86c0bf8539e7f46d91bd105e55eda96e0064caef ]
+
+Fix to show calling lines of inlined functions (where an inline function
+is called).
+
+die_walk_lines() filtered out the lines inside inlined functions based
+on the address. However this also filtered out the lines which call
+those inlined functions from the target function.
+
+To solve this issue, check the call_file and call_line attributes and do
+not filter out if it matches to the line information.
+
+Without this fix, perf probe -L doesn't show some lines correctly.
+(don't see the lines after 17)
+
+ # perf probe -L vfs_read
+ <vfs_read@/home/mhiramat/ksrc/linux/fs/read_write.c:0>
+ 0 ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
+ 1 {
+ 2 ssize_t ret;
+
+ 4 if (!(file->f_mode & FMODE_READ))
+ return -EBADF;
+ 6 if (!(file->f_mode & FMODE_CAN_READ))
+ return -EINVAL;
+ 8 if (unlikely(!access_ok(buf, count)))
+ return -EFAULT;
+
+ 11 ret = rw_verify_area(READ, file, pos, count);
+ 12 if (!ret) {
+ 13 if (count > MAX_RW_COUNT)
+ count = MAX_RW_COUNT;
+ 15 ret = __vfs_read(file, buf, count, pos);
+ 16 if (ret > 0) {
+ fsnotify_access(file);
+ add_rchar(current, ret);
+ }
+
+With this fix:
+
+ # perf probe -L vfs_read
+ <vfs_read@/home/mhiramat/ksrc/linux/fs/read_write.c:0>
+ 0 ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
+ 1 {
+ 2 ssize_t ret;
+
+ 4 if (!(file->f_mode & FMODE_READ))
+ return -EBADF;
+ 6 if (!(file->f_mode & FMODE_CAN_READ))
+ return -EINVAL;
+ 8 if (unlikely(!access_ok(buf, count)))
+ return -EFAULT;
+
+ 11 ret = rw_verify_area(READ, file, pos, count);
+ 12 if (!ret) {
+ 13 if (count > MAX_RW_COUNT)
+ count = MAX_RW_COUNT;
+ 15 ret = __vfs_read(file, buf, count, pos);
+ 16 if (ret > 0) {
+ 17 fsnotify_access(file);
+ 18 add_rchar(current, ret);
+ }
+ 20 inc_syscr(current);
+ }
+
+Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157241937995.32002.17899884017011512577.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 3aea343c7179..41bfb4c977d0 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -765,7 +765,7 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data)
+ Dwarf_Lines *lines;
+ Dwarf_Line *line;
+ Dwarf_Addr addr;
+- const char *fname, *decf = NULL;
++ const char *fname, *decf = NULL, *inf = NULL;
+ int lineno, ret = 0;
+ int decl = 0, inl;
+ Dwarf_Die die_mem, *cu_die;
+@@ -809,13 +809,21 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data)
+ */
+ if (!dwarf_haspc(rt_die, addr))
+ continue;
++
+ if (die_find_inlinefunc(rt_die, addr, &die_mem)) {
++ /* Call-site check */
++ inf = die_get_call_file(&die_mem);
++ if ((inf && !strcmp(inf, decf)) &&
++ die_get_call_lineno(&die_mem) == lineno)
++ goto found;
++
+ dwarf_decl_line(&die_mem, &inl);
+ if (inl != decl ||
+ decf != dwarf_decl_file(&die_mem))
+ continue;
+ }
+ }
++found:
+ /* Get source line */
+ fname = dwarf_linesrc(line, NULL, NULL);
+
+--
+2.20.1
+
--- /dev/null
+From b98c340ba40a640d67011dd29aae414ab6047ab5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 17:47:01 +0900
+Subject: perf probe: Fix to show inlined function callsite without entry_pc
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 18e21eb671dc87a4f0546ba505a89ea93598a634 ]
+
+Fix 'perf probe --line' option to show inlined function callsite lines
+even if the function DIE has only ranges.
+
+Without this:
+
+ # perf probe -L amd_put_event_constraints
+ ...
+ 2 {
+ 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
+ __amd_put_nb_event_constraints(cpuc, event);
+ 5 }
+
+With this patch:
+
+ # perf probe -L amd_put_event_constraints
+ ...
+ 2 {
+ 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
+ 4 __amd_put_nb_event_constraints(cpuc, event);
+ 5 }
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe -L amd_put_event_constraints
+ <amd_put_event_constraints@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/arch/x86/events/amd/core.c:0>
+ 0 static void amd_put_event_constraints(struct cpu_hw_events *cpuc,
+ struct perf_event *event)
+ 2 {
+ 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
+ __amd_put_nb_event_constraints(cpuc, event);
+ 5 }
+
+ PMU_FORMAT_ATTR(event, "config:0-7,32-35");
+ PMU_FORMAT_ATTR(umask, "config:8-15" );
+
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe -L amd_put_event_constraints
+ <amd_put_event_constraints@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/arch/x86/events/amd/core.c:0>
+ 0 static void amd_put_event_constraints(struct cpu_hw_events *cpuc,
+ struct perf_event *event)
+ 2 {
+ 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
+ 4 __amd_put_nb_event_constraints(cpuc, event);
+ 5 }
+
+ PMU_FORMAT_ATTR(event, "config:0-7,32-35");
+ PMU_FORMAT_ATTR(umask, "config:8-15" );
+
+ [root@quaco ~]# perf probe amd_put_event_constraints:4
+ Added new event:
+ probe:amd_put_event_constraints (on amd_put_event_constraints:4)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:amd_put_event_constraints -aR sleep 1
+
+ [root@quaco ~]#
+
+ [root@quaco ~]# perf probe -l
+ probe:amd_put_event_constraints (on amd_put_event_constraints:4@arch/x86/events/amd/core.c)
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
+ [root@quaco ~]#
+
+Using it:
+
+ [root@quaco ~]# perf trace -e probe:*
+ ^C[root@quaco ~]#
+
+Ok, Intel system here... :-)
+
+Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199322107.8075.12659099000567865708.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 574ba3ac4fba..3aea343c7179 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -683,7 +683,7 @@ static int __die_walk_funclines_cb(Dwarf_Die *in_die, void *data)
+ if (dwarf_tag(in_die) == DW_TAG_inlined_subroutine) {
+ fname = die_get_call_file(in_die);
+ lineno = die_get_call_lineno(in_die);
+- if (fname && lineno > 0 && dwarf_entrypc(in_die, &addr) == 0) {
++ if (fname && lineno > 0 && die_entrypc(in_die, &addr) == 0) {
+ lw->retval = lw->callback(fname, lineno, addr, lw->data);
+ if (lw->retval != 0)
+ return DIE_FIND_CB_END;
+--
+2.20.1
+
--- /dev/null
+From 10006f4ae09250c10e1cdf090802538c4c4e1a1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 17:47:10 +0900
+Subject: perf probe: Fix to show ranges of variables in functions without
+ entry_pc
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit af04dd2f8ebaa8fbd46f698714acbf43da14da45 ]
+
+Fix to show ranges of variables (--range and --vars option) in functions
+which DIE has only ranges but no entry_pc attribute.
+
+Without this fix:
+
+ # perf probe --range -V clear_tasks_mm_cpumask
+ Available variables at clear_tasks_mm_cpumask
+ @<clear_tasks_mm_cpumask+0>
+ (No matched variables)
+
+With this fix:
+
+ # perf probe --range -V clear_tasks_mm_cpumask
+ Available variables at clear_tasks_mm_cpumask
+ @<clear_tasks_mm_cpumask+0>
+ [VAL] int cpu @<clear_tasks_mm_cpumask+[0-35,317-317,2052-2059]>
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe --range -V clear_tasks_mm_cpumask
+ Available variables at clear_tasks_mm_cpumask
+ @<clear_tasks_mm_cpumask+0>
+ (No matched variables)
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe --range -V clear_tasks_mm_cpumask
+ Available variables at clear_tasks_mm_cpumask
+ @<clear_tasks_mm_cpumask+0>
+ [VAL] int cpu @<clear_tasks_mm_cpumask+[0-23,23-105,105-106,106-106,1843-1850,1850-1862]>
+ [root@quaco ~]#
+
+Using it:
+
+ [root@quaco ~]# perf probe clear_tasks_mm_cpumask cpu
+ Added new event:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask with cpu)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1
+
+ [root@quaco ~]# perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c with cpu)
+ [root@quaco ~]#
+ [root@quaco ~]# perf trace -e probe:*cpumask
+ ^C[root@quaco ~]#
+
+Fixes: 349e8d261131 ("perf probe: Add --range option to show a variable's location range")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199323018.8075.8179744380479673672.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 7e7e57208323..574ba3ac4fba 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1007,7 +1007,7 @@ static int die_get_var_innermost_scope(Dwarf_Die *sp_die, Dwarf_Die *vr_die,
+ bool first = true;
+ const char *name;
+
+- ret = dwarf_entrypc(sp_die, &entry);
++ ret = die_entrypc(sp_die, &entry);
+ if (ret)
+ return ret;
+
+@@ -1070,7 +1070,7 @@ int die_get_var_range(Dwarf_Die *sp_die, Dwarf_Die *vr_die, struct strbuf *buf)
+ bool first = true;
+ const char *name;
+
+- ret = dwarf_entrypc(sp_die, &entry);
++ ret = die_entrypc(sp_die, &entry);
+ if (ret)
+ return ret;
+
+--
+2.20.1
+
--- /dev/null
+From accf4b77dd4575ba33efc17897be2241a4d71727 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 09:16:49 +0900
+Subject: perf probe: Return a better scope DIE if there is no best scope
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit c701636aeec4c173208697d68da6e4271125564b ]
+
+Make find_best_scope() returns innermost DIE at given address if there
+is no best matched scope DIE. Since Gcc sometimes generates intuitively
+strange line info which is out of inlined function address range, we
+need this fixup.
+
+Without this, sometimes perf probe failed to probe on a line inside an
+inlined function:
+
+ # perf probe -D ksys_open:3
+ Failed to find scope of probe point.
+ Error: Failed to add events.
+
+With this fix, 'perf probe' can probe it:
+
+ # perf probe -D ksys_open:3
+ p:probe/ksys_open _text+25707308
+ p:probe/ksys_open_1 _text+25710596
+ p:probe/ksys_open_2 _text+25711114
+ p:probe/ksys_open_3 _text+25711343
+ p:probe/ksys_open_4 _text+25714058
+ p:probe/ksys_open_5 _text+2819653
+ p:probe/ksys_open_6 _text+2819701
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
+Link: http://lore.kernel.org/lkml/157291300887.19771.14936015360963292236.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 440f0a92ade6..6ca804a01cf9 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -764,6 +764,16 @@ static int find_best_scope_cb(Dwarf_Die *fn_die, void *data)
+ return 0;
+ }
+
++/* Return innermost DIE */
++static int find_inner_scope_cb(Dwarf_Die *fn_die, void *data)
++{
++ struct find_scope_param *fsp = data;
++
++ memcpy(fsp->die_mem, fn_die, sizeof(Dwarf_Die));
++ fsp->found = true;
++ return 1;
++}
++
+ /* Find an appropriate scope fits to given conditions */
+ static Dwarf_Die *find_best_scope(struct probe_finder *pf, Dwarf_Die *die_mem)
+ {
+@@ -775,8 +785,13 @@ static Dwarf_Die *find_best_scope(struct probe_finder *pf, Dwarf_Die *die_mem)
+ .die_mem = die_mem,
+ .found = false,
+ };
++ int ret;
+
+- cu_walk_functions_at(&pf->cu_die, pf->addr, find_best_scope_cb, &fsp);
++ ret = cu_walk_functions_at(&pf->cu_die, pf->addr, find_best_scope_cb,
++ &fsp);
++ if (!ret && !fsp.found)
++ cu_walk_functions_at(&pf->cu_die, pf->addr,
++ find_inner_scope_cb, &fsp);
+
+ return fsp.found ? die_mem : NULL;
+ }
+--
+2.20.1
+
--- /dev/null
+From d548da459c211f73b6195a0296a5c3d6d3d1bb71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2019 16:09:21 +0900
+Subject: perf probe: Skip end-of-sequence and non statement lines
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit f4d99bdfd124823a81878b44b5e8750b97f73902 ]
+
+Skip end-of-sequence and non-statement lines while walking through lines
+list.
+
+The "end-of-sequence" line information means:
+
+ "the current address is that of the first byte after the
+ end of a sequence of target machine instructions."
+ (DWARF version 4 spec 6.2.2)
+
+This actually means out of scope and we can not probe on it.
+
+On the other hand, the statement lines (is_stmt) means:
+
+ "the current instruction is a recommended breakpoint location.
+ A recommended breakpoint location is intended to “represent”
+ a line, a statement and/or a semantically distinct subpart
+ of a statement."
+
+ (DWARF version 4 spec 6.2.2)
+
+So, non-statement line info also should be skipped.
+
+These can reduce unneeded probe points and also avoid an error.
+
+E.g. without this patch:
+
+ # perf probe -a "clear_tasks_mm_cpumask:1"
+ Added new events:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_2 (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_3 (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_4 (on clear_tasks_mm_cpumask:1)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask_4 -aR sleep 1
+
+ #
+
+This puts 5 probes on one line, but acutally it's not inlined function.
+This is because there are many non statement instructions at the
+function prologue.
+
+With this patch:
+
+ # perf probe -a "clear_tasks_mm_cpumask:1"
+ Added new event:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1
+
+ #
+
+Now perf-probe skips unneeded addresses.
+
+Committer testing:
+
+Slightly different results, but similar:
+
+Before:
+
+ # uname -a
+ Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ #
+ # perf probe -a "clear_tasks_mm_cpumask:1"
+ Added new events:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_2 (on clear_tasks_mm_cpumask:1)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask_2 -aR sleep 1
+
+ #
+
+After:
+
+ # perf probe -a "clear_tasks_mm_cpumask:1"
+ Added new event:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1
+
+ # perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
+ #
+
+Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157241936090.32002.12156347518596111660.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 41bfb4c977d0..7eec3ae7b3c5 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -770,6 +770,7 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data)
+ int decl = 0, inl;
+ Dwarf_Die die_mem, *cu_die;
+ size_t nlines, i;
++ bool flag;
+
+ /* Get the CU die */
+ if (dwarf_tag(rt_die) != DW_TAG_compile_unit) {
+@@ -800,6 +801,12 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data)
+ "Possible error in debuginfo.\n");
+ continue;
+ }
++ /* Skip end-of-sequence */
++ if (dwarf_lineendsequence(line, &flag) != 0 || flag)
++ continue;
++ /* Skip Non statement line-info */
++ if (dwarf_linebeginstatement(line, &flag) != 0 || !flag)
++ continue;
+ /* Filter lines based on address */
+ if (rt_die != cu_die) {
+ /*
+--
+2.20.1
+
--- /dev/null
+From b2a11cf0f3463ee94e918bf39e820421440cee51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2019 16:09:49 +0900
+Subject: perf probe: Skip overlapped location on searching variables
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit dee36a2abb67c175265d49b9a8c7dfa564463d9a ]
+
+Since debuginfo__find_probes() callback function can be called with the
+location which already passed, the callback function must filter out
+such overlapped locations.
+
+add_probe_trace_event() has already done it by commit 1a375ae7659a
+("perf probe: Skip same probe address for a given line"), but
+add_available_vars() doesn't. Thus perf probe -v shows same address
+repeatedly as below:
+
+ # perf probe -V vfs_read:18
+ Available variables at vfs_read:18
+ @<vfs_read+217>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+ @<vfs_read+217>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+ @<vfs_read+226>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+
+With this fix, perf probe -V shows it correctly:
+
+ # perf probe -V vfs_read:18
+ Available variables at vfs_read:18
+ @<vfs_read+217>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+ @<vfs_read+226>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+
+Fixes: cf6eb489e5c0 ("perf probe: Show accessible local variables")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157241938927.32002.4026859017790562751.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index cfc2e1e7cca4..440f0a92ade6 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1414,6 +1414,18 @@ error:
+ return DIE_FIND_CB_END;
+ }
+
++static bool available_var_finder_overlap(struct available_var_finder *af)
++{
++ int i;
++
++ for (i = 0; i < af->nvls; i++) {
++ if (af->pf.addr == af->vls[i].point.address)
++ return true;
++ }
++ return false;
++
++}
++
+ /* Add a found vars into available variables list */
+ static int add_available_vars(Dwarf_Die *sc_die, struct probe_finder *pf)
+ {
+@@ -1424,6 +1436,14 @@ static int add_available_vars(Dwarf_Die *sc_die, struct probe_finder *pf)
+ Dwarf_Die die_mem;
+ int ret;
+
++ /*
++ * For some reason (e.g. different column assigned to same address),
++ * this callback can be called with the address which already passed.
++ * Ignore it first.
++ */
++ if (available_var_finder_overlap(af))
++ return 0;
++
+ /* Check number of tevs */
+ if (af->nvls == af->max_vls) {
+ pr_warning("Too many( > %d) probe point found.\n", af->max_vls);
+--
+2.20.1
+
--- /dev/null
+From 67256bae0c9bc1aeddbe113c246e0f4f33e01948 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 18:12:45 +0900
+Subject: perf probe: Walk function lines in lexical blocks
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit acb6a7047ac2146b723fef69ee1ab6b7143546bf ]
+
+Since some inlined functions are in lexical blocks of given function, we
+have to recursively walk through the DIE tree. Without this fix,
+perf-probe -L can miss the inlined functions which is in a lexical block
+(like if (..) { func() } case.)
+
+However, even though, to walk the lines in a given function, we don't
+need to follow the children DIE of inlined functions because those do
+not have any lines in the specified function.
+
+We need to walk though whole trees only if we walk all lines in a given
+file, because an inlined function can include another inlined function
+in the same file.
+
+Fixes: b0e9cb2802d4 ("perf probe: Fix to search nested inlined functions in CU")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157190836514.1859.15996864849678136353.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 3d0a9e09d00a..7e7e57208323 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -688,10 +688,9 @@ static int __die_walk_funclines_cb(Dwarf_Die *in_die, void *data)
+ if (lw->retval != 0)
+ return DIE_FIND_CB_END;
+ }
++ if (!lw->recursive)
++ return DIE_FIND_CB_SIBLING;
+ }
+- if (!lw->recursive)
+- /* Don't need to search recursively */
+- return DIE_FIND_CB_SIBLING;
+
+ if (addr) {
+ fname = dwarf_decl_file(in_die);
+@@ -738,6 +737,10 @@ static int __die_walk_culines_cb(Dwarf_Die *sp_die, void *data)
+ {
+ struct __line_walk_param *lw = data;
+
++ /*
++ * Since inlined function can include another inlined function in
++ * the same file, we need to walk in it recursively.
++ */
+ lw->retval = __die_walk_funclines(sp_die, true, lw->callback, lw->data);
+ if (lw->retval != 0)
+ return DWARF_CB_ABORT;
+@@ -827,8 +830,9 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data)
+ */
+ if (rt_die != cu_die)
+ /*
+- * Don't need walk functions recursively, because nested
+- * inlined functions don't have lines of the specified DIE.
++ * Don't need walk inlined functions recursively, because
++ * inner inlined functions don't have the lines of the
++ * specified function.
+ */
+ ret = __die_walk_funclines(rt_die, false, callback, data);
+ else {
+--
+2.20.1
+
--- /dev/null
+From b29aaa75d5aaddd41a65fac8ada4842a32c74c08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2019 10:21:22 +0800
+Subject: perf report: Add warning when libunwind not compiled in
+
+From: Jin Yao <yao.jin@linux.intel.com>
+
+[ Upstream commit 800d3f561659b5436f8c57e7c26dd1f6928b5615 ]
+
+We received a user report that call-graph DWARF mode was enabled in
+'perf record' but 'perf report' didn't unwind the callstack correctly.
+The reason was, libunwind was not compiled in.
+
+We can use 'perf -vv' to check the compiled libraries but it would be
+valuable to report a warning to user directly (especially valuable for
+a perf newbie).
+
+The warning is:
+
+Warning:
+Please install libunwind development packages during the perf build.
+
+Both TUI and stdio are supported.
+
+Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/20191011022122.26369-1-yao.jin@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index 6e88460cd13d..33ff5c843346 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -292,6 +292,13 @@ static int report__setup_sample_type(struct report *rep)
+ PERF_SAMPLE_BRANCH_ANY))
+ rep->nonany_branch_mode = true;
+
++#ifndef HAVE_LIBUNWIND_SUPPORT
++ if (dwarf_callchain_users) {
++ ui__warning("Please install libunwind development packages "
++ "during the perf build.\n");
++ }
++#endif
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 4b88b6b7a2710385b1614b7a7ee6a07fee326350 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2019 17:19:41 +0800
+Subject: perf test: Report failure for mmap events
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit 6add129c5d9210ada25217abc130df0b7096ee02 ]
+
+When fail to mmap events in task exit case, it misses to set 'err' to
+-1; thus the testing will not report failure for it.
+
+This patch sets 'err' to -1 when fails to mmap events, thus Perf tool
+can report correct result.
+
+Fixes: d723a55096b8 ("perf test: Add test case for checking number of EXIT events")
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/20191011091942.29841-1-leo.yan@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/task-exit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/task-exit.c b/tools/perf/tests/task-exit.c
+index b0d005d295a9..de2ddfe0f7c3 100644
+--- a/tools/perf/tests/task-exit.c
++++ b/tools/perf/tests/task-exit.c
+@@ -98,6 +98,7 @@ int test__task_exit(int subtest __maybe_unused)
+ if (perf_evlist__mmap(evlist, 128, true) < 0) {
+ pr_debug("failed to mmap events: %d (%s)\n", errno,
+ str_error_r(errno, sbuf, sizeof(sbuf)));
++ err = -1;
+ goto out_delete_evlist;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 3dffa05fc6874cb83f5dd0b1361e5066965ba9ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 15:13:08 +0200
+Subject: pinctrl: sh-pfc: sh7734: Fix duplicate TCLK1_B
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 884caadad128efad8e00c1cdc3177bc8912ee8ec ]
+
+The definitions for bit field [19:18] of the Peripheral Function Select
+Register 3 were accidentally copied from bit field [20], leading to
+duplicates for the TCLK1_B function, and missing TCLK0, CAN_CLK_B, and
+ET0_ETXD4 functions.
+
+Fix this by adding the missing GPIO_FN_CAN_CLK_B and GPIO_FN_ET0_ETXD4
+enum values, and correcting the functions.
+
+Reported-by: Ben Dooks <ben.dooks@codethink.co.uk>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191024131308.16659-1-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/cpu-sh4/cpu/sh7734.h | 2 +-
+ drivers/pinctrl/sh-pfc/pfc-sh7734.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/sh/include/cpu-sh4/cpu/sh7734.h b/arch/sh/include/cpu-sh4/cpu/sh7734.h
+index 2fb9a7b71b41..a2667c9b5819 100644
+--- a/arch/sh/include/cpu-sh4/cpu/sh7734.h
++++ b/arch/sh/include/cpu-sh4/cpu/sh7734.h
+@@ -133,7 +133,7 @@ enum {
+ GPIO_FN_EX_WAIT1, GPIO_FN_SD1_DAT0_A, GPIO_FN_DREQ2, GPIO_FN_CAN1_TX_C,
+ GPIO_FN_ET0_LINK_C, GPIO_FN_ET0_ETXD5_A,
+ GPIO_FN_EX_WAIT0, GPIO_FN_TCLK1_B,
+- GPIO_FN_RD_WR, GPIO_FN_TCLK0,
++ GPIO_FN_RD_WR, GPIO_FN_TCLK0, GPIO_FN_CAN_CLK_B, GPIO_FN_ET0_ETXD4,
+ GPIO_FN_EX_CS5, GPIO_FN_SD1_CMD_A, GPIO_FN_ATADIR, GPIO_FN_QSSL_B,
+ GPIO_FN_ET0_ETXD3_A,
+ GPIO_FN_EX_CS4, GPIO_FN_SD1_WP_A, GPIO_FN_ATAWR, GPIO_FN_QMI_QIO1_B,
+diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7734.c b/drivers/pinctrl/sh-pfc/pfc-sh7734.c
+index 33232041ee86..3eccc9b3ca84 100644
+--- a/drivers/pinctrl/sh-pfc/pfc-sh7734.c
++++ b/drivers/pinctrl/sh-pfc/pfc-sh7734.c
+@@ -1453,7 +1453,7 @@ static const struct pinmux_func pinmux_func_gpios[] = {
+ GPIO_FN(ET0_ETXD2_A),
+ GPIO_FN(EX_CS5), GPIO_FN(SD1_CMD_A), GPIO_FN(ATADIR), GPIO_FN(QSSL_B),
+ GPIO_FN(ET0_ETXD3_A),
+- GPIO_FN(RD_WR), GPIO_FN(TCLK1_B),
++ GPIO_FN(RD_WR), GPIO_FN(TCLK0), GPIO_FN(CAN_CLK_B), GPIO_FN(ET0_ETXD4),
+ GPIO_FN(EX_WAIT0), GPIO_FN(TCLK1_B),
+ GPIO_FN(EX_WAIT1), GPIO_FN(SD1_DAT0_A), GPIO_FN(DREQ2),
+ GPIO_FN(CAN1_TX_C), GPIO_FN(ET0_LINK_C), GPIO_FN(ET0_ETXD5_A),
+@@ -1949,7 +1949,7 @@ static const struct pinmux_cfg_reg pinmux_config_regs[] = {
+ /* IP3_20 [1] */
+ FN_EX_WAIT0, FN_TCLK1_B,
+ /* IP3_19_18 [2] */
+- FN_RD_WR, FN_TCLK1_B, 0, 0,
++ FN_RD_WR, FN_TCLK0, FN_CAN_CLK_B, FN_ET0_ETXD4,
+ /* IP3_17_15 [3] */
+ FN_EX_CS5, FN_SD1_CMD_A, FN_ATADIR, FN_QSSL_B,
+ FN_ET0_ETXD3_A, 0, 0, 0,
+--
+2.20.1
+
--- /dev/null
+From 3d157c367b4701919ce10e0b5ac665f20c60a519 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 10:58:13 -0700
+Subject: regulator: max8907: Fix the usage of uninitialized variable in
+ max8907_regulator_probe()
+
+From: Yizhuo <yzhai003@ucr.edu>
+
+[ Upstream commit 472b39c3d1bba0616eb0e9a8fa3ad0f56927c7d7 ]
+
+Inside function max8907_regulator_probe(), variable val could
+be uninitialized if regmap_read() fails. However, val is used
+later in the if statement to decide the content written to
+"pmic", which is potentially unsafe.
+
+Signed-off-by: Yizhuo <yzhai003@ucr.edu>
+Link: https://lore.kernel.org/r/20191003175813.16415-1-yzhai003@ucr.edu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/max8907-regulator.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/regulator/max8907-regulator.c b/drivers/regulator/max8907-regulator.c
+index 5e941db5ccaf..c7e70cfb581f 100644
+--- a/drivers/regulator/max8907-regulator.c
++++ b/drivers/regulator/max8907-regulator.c
+@@ -299,7 +299,10 @@ static int max8907_regulator_probe(struct platform_device *pdev)
+ memcpy(pmic->desc, max8907_regulators, sizeof(pmic->desc));
+
+ /* Backwards compatibility with MAX8907B; SD1 uses different voltages */
+- regmap_read(max8907->regmap_gen, MAX8907_REG_II2RR, &val);
++ ret = regmap_read(max8907->regmap_gen, MAX8907_REG_II2RR, &val);
++ if (ret)
++ return ret;
++
+ if ((val & MAX8907_II2RR_VERSION_MASK) ==
+ MAX8907_II2RR_VERSION_REV_B) {
+ pmic->desc[MAX8907_SD1].min_uV = 637500;
+@@ -336,14 +339,20 @@ static int max8907_regulator_probe(struct platform_device *pdev)
+ }
+
+ if (pmic->desc[i].ops == &max8907_ldo_ops) {
+- regmap_read(config.regmap, pmic->desc[i].enable_reg,
++ ret = regmap_read(config.regmap, pmic->desc[i].enable_reg,
+ &val);
++ if (ret)
++ return ret;
++
+ if ((val & MAX8907_MASK_LDO_SEQ) !=
+ MAX8907_MASK_LDO_SEQ)
+ pmic->desc[i].ops = &max8907_ldo_hwctl_ops;
+ } else if (pmic->desc[i].ops == &max8907_out5v_ops) {
+- regmap_read(config.regmap, pmic->desc[i].enable_reg,
++ ret = regmap_read(config.regmap, pmic->desc[i].enable_reg,
+ &val);
++ if (ret)
++ return ret;
++
+ if ((val & (MAX8907_MASK_OUT5V_VINEN |
+ MAX8907_MASK_OUT5V_ENSRC)) !=
+ MAX8907_MASK_OUT5V_ENSRC)
+--
+2.20.1
+
--- /dev/null
+From e7a709be2b68c088d447e0e1d036800a1d352577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 09:54:08 +0800
+Subject: rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot
+
+From: Chris Chiu <chiu@endlessm.com>
+
+[ Upstream commit 0eeb91ade90ce06d2fa1e2fcb55e3316b64c203c ]
+
+The RTL8723BU has problems connecting to AP after each warm reboot.
+Sometimes it returns no scan result, and in most cases, it fails
+the authentication for unknown reason. However, it works totally
+fine after cold reboot.
+
+Compare the value of register SYS_CR and SYS_CLK_MAC_CLK_ENABLE
+for cold reboot and warm reboot, the registers imply that the MAC
+is already powered and thus some procedures are skipped during
+driver initialization. Double checked the vendor driver, it reads
+the SYS_CR and SYS_CLK_MAC_CLK_ENABLE also but doesn't skip any
+during initialization based on them. This commit only tells the
+RTL8723BU to do full initialization without checking MAC status.
+
+Signed-off-by: Chris Chiu <chiu@endlessm.com>
+Signed-off-by: Jes Sorensen <Jes.Sorensen@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 1 +
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c | 1 +
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 3 +++
+ 3 files changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+index 08d587a342d3..9143b173935d 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+@@ -1348,6 +1348,7 @@ struct rtl8xxxu_fileops {
+ u8 has_s0s1:1;
+ u8 has_tx_report:1;
+ u8 gen2_thermal_meter:1;
++ u8 needs_full_init:1;
+ u32 adda_1t_init;
+ u32 adda_1t_path_on;
+ u32 adda_2t_path_on_a;
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c
+index 02b8ddd98a95..f51ee88d692b 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c
+@@ -1673,6 +1673,7 @@ struct rtl8xxxu_fileops rtl8723bu_fops = {
+ .has_s0s1 = 1,
+ .has_tx_report = 1,
+ .gen2_thermal_meter = 1,
++ .needs_full_init = 1,
+ .adda_1t_init = 0x01c00014,
+ .adda_1t_path_on = 0x01c00014,
+ .adda_2t_path_on_a = 0x01c00014,
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index e78545d4add3..6d34d442294a 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -3905,6 +3905,9 @@ static int rtl8xxxu_init_device(struct ieee80211_hw *hw)
+ else
+ macpower = true;
+
++ if (fops->needs_full_init)
++ macpower = false;
++
+ ret = fops->power_on(priv);
+ if (ret < 0) {
+ dev_warn(dev, "%s: Failed power on\n", __func__);
+--
+2.20.1
+
--- /dev/null
+From 033f6ab107e19f3ed64e056aeed5cbdb64240ceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 10:18:38 +0800
+Subject: rtlwifi: fix memory leak in rtl92c_set_fw_rsvdpagepkt()
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 5174f1e41074b5186608badc2e89441d021e8c08 ]
+
+This leak was found by testing the EDIMAX EW-7612 on Raspberry Pi 3B+ with
+Linux 5.4-rc5 (multi_v7_defconfig + rtlwifi + kmemleak) and noticed a
+single memory leak during probe:
+
+unreferenced object 0xec13ee40 (size 176):
+ comm "kworker/u8:1", pid 36, jiffies 4294939321 (age 5580.790s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<fc1bbb3e>] __netdev_alloc_skb+0x9c/0x164
+ [<863dfa6e>] rtl92c_set_fw_rsvdpagepkt+0x254/0x340 [rtl8192c_common]
+ [<9572be0d>] rtl92cu_set_hw_reg+0xf48/0xfa4 [rtl8192cu]
+ [<116df4d8>] rtl_op_bss_info_changed+0x234/0x96c [rtlwifi]
+ [<8933575f>] ieee80211_bss_info_change_notify+0xb8/0x264 [mac80211]
+ [<d4061e86>] ieee80211_assoc_success+0x934/0x1798 [mac80211]
+ [<e55adb56>] ieee80211_rx_mgmt_assoc_resp+0x174/0x314 [mac80211]
+ [<5974629e>] ieee80211_sta_rx_queued_mgmt+0x3f4/0x7f0 [mac80211]
+ [<d91091c6>] ieee80211_iface_work+0x208/0x318 [mac80211]
+ [<ac5fcae4>] process_one_work+0x22c/0x564
+ [<f5e6d3b6>] worker_thread+0x44/0x5d8
+ [<82c7b073>] kthread+0x150/0x154
+ [<b43e1b7d>] ret_from_fork+0x14/0x2c
+ [<794dff30>] 0x0
+
+It is because 8192cu doesn't implement usb_cmd_send_packet(), and this
+patch just frees the skb within the function to resolve memleak problem
+by now. Since 8192cu doesn't turn on fwctrl_lps that needs to download
+command packet for firmware via the function, applying this patch doesn't
+affect driver behavior.
+
+Reported-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
+index ae8f055483fa..39a6bd314ca3 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
+@@ -1576,6 +1576,8 @@ static bool usb_cmd_send_packet(struct ieee80211_hw *hw, struct sk_buff *skb)
+ * This is maybe necessary:
+ * rtlpriv->cfg->ops->fill_tx_cmddesc(hw, buffer, 1, 1, skb);
+ */
++ dev_kfree_skb(skb);
++
+ return true;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 103fbc13821ee57a8b4be0e29751ef23a4c70796 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2019 20:20:21 -0500
+Subject: rtlwifi: prevent memory leak in rtl_usb_probe
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 3f93616951138a598d930dcaec40f2bfd9ce43bb ]
+
+In rtl_usb_probe if allocation for usb_data fails the allocated hw
+should be released. In addition the allocated rtlpriv->usb_data should
+be released on error handling path.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index ae0c48f3c2bc..1f02461de261 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1088,8 +1088,10 @@ int rtl_usb_probe(struct usb_interface *intf,
+ rtlpriv->hw = hw;
+ rtlpriv->usb_data = kzalloc(RTL_USB_MAX_RX_COUNT * sizeof(u32),
+ GFP_KERNEL);
+- if (!rtlpriv->usb_data)
++ if (!rtlpriv->usb_data) {
++ ieee80211_free_hw(hw);
+ return -ENOMEM;
++ }
+
+ /* this spin lock must be initialized early */
+ spin_lock_init(&rtlpriv->locks.usb_lock);
+@@ -1152,6 +1154,7 @@ error_out:
+ _rtl_usb_io_handler_release(hw);
+ usb_put_dev(udev);
+ complete(&rtlpriv->firmware_loading_complete);
++ kfree(rtlpriv->usb_data);
+ return -ENODEV;
+ }
+ EXPORT_SYMBOL(rtl_usb_probe);
+--
+2.20.1
+
--- /dev/null
+From ce2d98b72ca02a4f59da2d819c79075dc09f8bb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 18:25:16 +0100
+Subject: s390/disassembler: don't hide instruction addresses
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit 544f1d62e3e6c6e6d17a5e56f6139208acb5ff46 ]
+
+Due to kptr_restrict, JITted BPF code is now displayed like this:
+
+000000000b6ed1b2: ebdff0800024 stmg %r13,%r15,128(%r15)
+000000004cde2ba0: 41d0f040 la %r13,64(%r15)
+00000000fbad41b0: a7fbffa0 aghi %r15,-96
+
+Leaking kernel addresses to dmesg is not a concern in this case, because
+this happens only when JIT debugging is explicitly activated, which only
+root can do.
+
+Use %px in this particular instance, and also to print an instruction
+address in show_code and PCREL (e.g. brasl) arguments in print_insn.
+While at present functionally equivalent to %016lx, %px is recommended
+by Documentation/core-api/printk-formats.rst for such cases.
+
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/dis.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/arch/s390/kernel/dis.c b/arch/s390/kernel/dis.c
+index aaf9dab3c193..f9dca1aed9a4 100644
+--- a/arch/s390/kernel/dis.c
++++ b/arch/s390/kernel/dis.c
+@@ -1930,10 +1930,11 @@ static int print_insn(char *buffer, unsigned char *code, unsigned long addr)
+ ptr += sprintf(ptr, "%%c%i", value);
+ else if (operand->flags & OPERAND_VR)
+ ptr += sprintf(ptr, "%%v%i", value);
+- else if (operand->flags & OPERAND_PCREL)
+- ptr += sprintf(ptr, "%lx", (signed int) value
+- + addr);
+- else if (operand->flags & OPERAND_SIGNED)
++ else if (operand->flags & OPERAND_PCREL) {
++ void *pcrel = (void *)((int)value + addr);
++
++ ptr += sprintf(ptr, "%px", pcrel);
++ } else if (operand->flags & OPERAND_SIGNED)
+ ptr += sprintf(ptr, "%i", value);
+ else
+ ptr += sprintf(ptr, "%u", value);
+@@ -2005,7 +2006,7 @@ void show_code(struct pt_regs *regs)
+ else
+ *ptr++ = ' ';
+ addr = regs->psw.addr + start - 32;
+- ptr += sprintf(ptr, "%016lx: ", addr);
++ ptr += sprintf(ptr, "%px: ", (void *)addr);
+ if (start + opsize >= end)
+ break;
+ for (i = 0; i < opsize; i++)
+@@ -2033,7 +2034,7 @@ void print_fn_code(unsigned char *code, unsigned long len)
+ opsize = insn_length(*code);
+ if (opsize > len)
+ break;
+- ptr += sprintf(ptr, "%p: ", code);
++ ptr += sprintf(ptr, "%px: ", code);
+ for (i = 0; i < opsize; i++)
+ ptr += sprintf(ptr, "%02x", code[i]);
+ *ptr++ = '\t';
+--
+2.20.1
+
--- /dev/null
+From f61e772061292a2c621ed04476e9ec0031b86de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Oct 2019 17:25:07 +0900
+Subject: samples: pktgen: fix proc_cmd command result check logic
+
+From: Daniel T. Lee <danieltimlee@gmail.com>
+
+[ Upstream commit 3cad8f911575191fb3b81d8ed0e061e30f922223 ]
+
+Currently, proc_cmd is used to dispatch command to 'pg_ctrl', 'pg_thread',
+'pg_set'. proc_cmd is designed to check command result with grep the
+"Result:", but this might fail since this string is only shown in
+'pg_thread' and 'pg_set'.
+
+This commit fixes this logic by grep-ing the "Result:" string only when
+the command is not for 'pg_ctrl'.
+
+For clarity of an execution flow, 'errexit' flag has been set.
+
+To cleanup pktgen on exit, trap has been added for EXIT signal.
+
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/pktgen/functions.sh | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/samples/pktgen/functions.sh b/samples/pktgen/functions.sh
+index 205e4cde4601..065a7e296ee3 100644
+--- a/samples/pktgen/functions.sh
++++ b/samples/pktgen/functions.sh
+@@ -5,6 +5,8 @@
+ # Author: Jesper Dangaaard Brouer
+ # License: GPL
+
++set -o errexit
++
+ ## -- General shell logging cmds --
+ function err() {
+ local exitcode=$1
+@@ -58,6 +60,7 @@ function pg_set() {
+ function proc_cmd() {
+ local result
+ local proc_file=$1
++ local status=0
+ # after shift, the remaining args are contained in $@
+ shift
+ local proc_ctrl=${PROC_DIR}/$proc_file
+@@ -73,13 +76,13 @@ function proc_cmd() {
+ echo "cmd: $@ > $proc_ctrl"
+ fi
+ # Quoting of "$@" is important for space expansion
+- echo "$@" > "$proc_ctrl"
+- local status=$?
++ echo "$@" > "$proc_ctrl" || status=$?
+
+- result=$(grep "Result: OK:" $proc_ctrl)
+- # Due to pgctrl, cannot use exit code $? from grep
+- if [[ "$result" == "" ]]; then
+- grep "Result:" $proc_ctrl >&2
++ if [[ "$proc_file" != "pgctrl" ]]; then
++ result=$(grep "Result: OK:" $proc_ctrl) || true
++ if [[ "$result" == "" ]]; then
++ grep "Result:" $proc_ctrl >&2
++ fi
+ fi
+ if (( $status != 0 )); then
+ err 5 "Write error($status) occurred cmd: \"$@ > $proc_ctrl\""
+@@ -105,6 +108,8 @@ function pgset() {
+ fi
+ }
+
++[[ $EUID -eq 0 ]] && trap 'pg_ctrl "reset"' EXIT
++
+ ## -- General shell tricks --
+
+ function root_check_run_with_sudo() {
+--
+2.20.1
+
--- /dev/null
+drm-mst-fix-query_payload-ack-reply-struct.patch
+drm-bridge-analogix-anx78xx-silence-eprobe_defer-war.patch
+iio-light-bh1750-resolve-compiler-warning-and-make-c.patch
+spi-add-call-to-spi_slave_abort-function-when-spidev.patch
+staging-rtl8192u-fix-multiple-memory-leaks-on-error-.patch
+staging-rtl8188eu-fix-possible-null-dereference.patch
+rtlwifi-prevent-memory-leak-in-rtl_usb_probe.patch
+libertas-fix-a-potential-null-pointer-dereference.patch
+ib-iser-bound-protection_sg-size-by-data_sg-size.patch
+media-am437x-vpfe-setting-std-to-current-value-is-no.patch
+media-i2c-ov2659-fix-s_stream-return-value.patch
+media-i2c-ov2659-fix-missing-720p-register-config.patch
+media-ov6650-fix-stored-frame-format-not-in-sync-wit.patch
+tools-power-cpupower-fix-initializer-override-in-hsw.patch
+usb-renesas_usbhs-add-suspend-event-support-in-gadge.patch
+hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-o.patch
+regulator-max8907-fix-the-usage-of-uninitialized-var.patch
+media-flexcop-usb-fix-null-ptr-deref-in-flexcop_usb_.patch
+media-cec-funcs.h-add-status_req-checks.patch
+samples-pktgen-fix-proc_cmd-command-result-check-log.patch
+mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_init_ev.patch
+media-ti-vpe-vpe-fix-a-v4l2-compliance-warning-about.patch
+media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch
+media-ti-vpe-vpe-make-sure-yuyv-is-set-as-default-fo.patch
+extcon-sm5502-reset-registers-during-initialization.patch
+x86-mm-use-the-correct-function-type-for-native_set_.patch
+perf-test-report-failure-for-mmap-events.patch
+perf-report-add-warning-when-libunwind-not-compiled-.patch
+usb-usbfs-suppress-problematic-bind-and-unbind-ueven.patch
+iio-adc-max1027-reset-the-device-at-probe-time.patch
+bluetooth-hci_core-fix-init-for-hci_user_channel.patch
+x86-mce-lower-throttling-mce-messages-priority-to-wa.patch
+drm-gma500-fix-memory-disclosures-due-to-uninitializ.patch
+rtl8xxxu-fix-rtl8723bu-connection-failure-issue-afte.patch
+x86-ioapic-prevent-inconsistent-state-when-moving-an.patch
+arm64-psci-reduce-the-waiting-time-for-cpu_psci_cpu_.patch
+libata-ensure-ata_port-probe-has-completed-before-de.patch
+pinctrl-sh-pfc-sh7734-fix-duplicate-tclk1_b.patch
+bluetooth-fix-advertising-duplicated-flags.patch
+bnx2x-fix-pf-vf-communication-over-multi-cos-queues.patch
+spi-img-spfi-fix-potential-double-release.patch
+alsa-timer-limit-max-amount-of-slave-instances.patch
+rtlwifi-fix-memory-leak-in-rtl92c_set_fw_rsvdpagepkt.patch
+perf-probe-fix-to-find-range-only-function-instance.patch
+perf-probe-fix-to-list-probe-event-with-correct-line.patch
+perf-probe-walk-function-lines-in-lexical-blocks.patch
+perf-probe-fix-to-probe-an-inline-function-which-has.patch
+perf-probe-fix-to-show-ranges-of-variables-in-functi.patch
+perf-probe-fix-to-show-inlined-function-callsite-wit.patch
+perf-probe-fix-to-probe-a-function-which-has-no-entr.patch
+perf-probe-skip-overlapped-location-on-searching-var.patch
+perf-probe-return-a-better-scope-die-if-there-is-no-.patch
+perf-probe-fix-to-show-calling-lines-of-inlined-func.patch
+perf-probe-skip-end-of-sequence-and-non-statement-li.patch
+perf-probe-filter-out-instances-except-for-inlined-s.patch
+ath10k-fix-get-invalid-tx-rate-for-mesh-metric.patch
+media-pvrusb2-fix-oops-on-tear-down-when-radio-suppo.patch
+media-si470x-i2c-add-missed-operations-in-remove.patch
+edac-ghes-fix-grain-calculation.patch
+spi-pxa2xx-add-missed-security-checks.patch
+asoc-rt5677-mark-reg-rt5677_pwr_anlg2-as-volatile.patch
+s390-disassembler-don-t-hide-instruction-addresses.patch
+parport-load-lowlevel-driver-if-ports-not-found.patch
+cpufreq-register-drivers-only-after-cpu-devices-have.patch
+x86-crash-add-a-forward-declaration-of-struct-kimage.patch
+iwlwifi-mvm-fix-unaligned-read-of-rx_pkt_status.patch
+spi-tegra20-slink-add-missed-clk_unprepare.patch
+mmc-tmio-add-mmc_cap_erase-to-allow-erase-discard-tr.patch
+btrfs-don-t-prematurely-free-work-in-end_workqueue_f.patch
+btrfs-don-t-prematurely-free-work-in-run_ordered_wor.patch
+spi-st-ssc4-add-missed-pm_runtime_disable.patch
+x86-insn-add-some-intel-instructions-to-the-opcode-m.patch
+iwlwifi-check-kasprintf-return-value.patch
+fbtft-make-sure-string-is-null-terminated.patch
+crypto-sun4i-ss-fix-64-bit-size_t-warnings-on-sun4i-.patch
+crypto-vmx-avoid-weird-build-failures.patch
+libtraceevent-fix-memory-leakage-in-copy_filter_type.patch
+perf-parse-fix-potential-memory-leak-when-handling-t.patch
+perf-intel-bts-does-not-support-aux-area-sampling.patch
+net-phy-initialise-phydev-speed-and-duplex-sanely.patch
+btrfs-don-t-prematurely-free-work-in-reada_start_mac.patch
--- /dev/null
+From c0f6bf7f159a5ef7329d1fd587e324678365912b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 11:11:42 +0200
+Subject: spi: Add call to spi_slave_abort() function when spidev driver is
+ released
+
+From: Lukasz Majewski <lukma@denx.de>
+
+[ Upstream commit 9f918a728cf86b2757b6a7025e1f46824bfe3155 ]
+
+This change is necessary for spidev devices (e.g. /dev/spidev3.0) working
+in the slave mode (like NXP's dspi driver for Vybrid SoC).
+
+When SPI HW works in this mode - the master is responsible for providing
+CS and CLK signals. However, when some fault happens - like for example
+distortion on SPI lines - the SPI Linux driver needs a chance to recover
+from this abnormal situation and prepare itself for next (correct)
+transmission.
+
+This change doesn't pose any threat on drivers working in master mode as
+spi_slave_abort() function checks if SPI slave mode is supported.
+
+Signed-off-by: Lukasz Majewski <lukma@denx.de>
+Link: https://lore.kernel.org/r/20190924110547.14770-2-lukma@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Reported-by: kbuild test robot <lkp@intel.com>
+Link: https://lore.kernel.org/r/20190925091143.15468-2-lukma@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spidev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index f4ea286b0121..a685c6114a8d 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -663,6 +663,9 @@ static int spidev_release(struct inode *inode, struct file *filp)
+ if (dofree)
+ kfree(spidev);
+ }
++#ifdef CONFIG_SPI_SLAVE
++ spi_slave_abort(spidev->spi);
++#endif
+ mutex_unlock(&device_list_lock);
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 272d5d5a8bb0ad2383f53a4b31935ba692f524d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2019 10:36:09 +0800
+Subject: spi: img-spfi: fix potential double release
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit e9a8ba9769a0e354341bc6cc01b98aadcea1dfe9 ]
+
+The channels spfi->tx_ch and spfi->rx_ch are not set to NULL after they
+are released. As a result, they will be released again, either on the
+error handling branch in the same function or in the corresponding
+remove function, i.e. img_spfi_remove(). This patch fixes the bug by
+setting the two members to NULL.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Link: https://lore.kernel.org/r/1573007769-20131-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-img-spfi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-img-spfi.c b/drivers/spi/spi-img-spfi.c
+index 7a37090dabbe..2e65b70c7879 100644
+--- a/drivers/spi/spi-img-spfi.c
++++ b/drivers/spi/spi-img-spfi.c
+@@ -673,6 +673,8 @@ static int img_spfi_probe(struct platform_device *pdev)
+ dma_release_channel(spfi->tx_ch);
+ if (spfi->rx_ch)
+ dma_release_channel(spfi->rx_ch);
++ spfi->tx_ch = NULL;
++ spfi->rx_ch = NULL;
+ dev_warn(spfi->dev, "Failed to get DMA channels, falling back to PIO mode\n");
+ } else {
+ master->dma_tx = spfi->tx_ch;
+--
+2.20.1
+
--- /dev/null
+From ff7c24c83a1dbf850075e886b1b8824ef2113dad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Nov 2019 16:09:43 +0800
+Subject: spi: pxa2xx: Add missed security checks
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 5eb263ef08b5014cfc2539a838f39d2fd3531423 ]
+
+pxa2xx_spi_init_pdata misses checks for devm_clk_get and
+platform_get_irq.
+Add checks for them to fix the bugs.
+
+Since ssp->clk and ssp->irq are used in probe, they are mandatory here.
+So we cannot use _optional() for devm_clk_get and platform_get_irq.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Link: https://lore.kernel.org/r/20191109080943.30428-1-hslester96@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-pxa2xx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
+index 6dd195b94c57..2f84d7653afd 100644
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -1529,7 +1529,13 @@ pxa2xx_spi_init_pdata(struct platform_device *pdev)
+ }
+
+ ssp->clk = devm_clk_get(&pdev->dev, NULL);
++ if (IS_ERR(ssp->clk))
++ return NULL;
++
+ ssp->irq = platform_get_irq(pdev, 0);
++ if (ssp->irq < 0)
++ return NULL;
++
+ ssp->type = type;
+ ssp->pdev = pdev;
+ ssp->port_id = pxa2xx_spi_get_port_id(adev);
+--
+2.20.1
+
--- /dev/null
+From 50f5de487ac2babcd5f6350baae1bb518048382c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2019 10:48:48 +0800
+Subject: spi: st-ssc4: add missed pm_runtime_disable
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit cd050abeba2a95fe5374eec28ad2244617bcbab6 ]
+
+The driver forgets to call pm_runtime_disable in probe failure
+and remove.
+Add the missed calls to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Link: https://lore.kernel.org/r/20191118024848.21645-1-hslester96@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-st-ssc4.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spi-st-ssc4.c b/drivers/spi/spi-st-ssc4.c
+index e54b59638458..710adbc2485f 100644
+--- a/drivers/spi/spi-st-ssc4.c
++++ b/drivers/spi/spi-st-ssc4.c
+@@ -385,6 +385,7 @@ static int spi_st_probe(struct platform_device *pdev)
+ return 0;
+
+ clk_disable:
++ pm_runtime_disable(&pdev->dev);
+ clk_disable_unprepare(spi_st->clk);
+ put_master:
+ spi_master_put(master);
+@@ -396,6 +397,8 @@ static int spi_st_remove(struct platform_device *pdev)
+ struct spi_master *master = platform_get_drvdata(pdev);
+ struct spi_st *spi_st = spi_master_get_devdata(master);
+
++ pm_runtime_disable(&pdev->dev);
++
+ clk_disable_unprepare(spi_st->clk);
+
+ pinctrl_pm_select_sleep_state(&pdev->dev);
+--
+2.20.1
+
--- /dev/null
+From 613026a9f6536a626b563e5df9d034ac10dc8456 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 16:31:22 +0800
+Subject: spi: tegra20-slink: add missed clk_unprepare
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 04358e40ba96d687c0811c21d9dede73f5244a98 ]
+
+The driver misses calling clk_unprepare in probe failure and remove.
+Add the calls to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Link: https://lore.kernel.org/r/20191115083122.12278-1-hslester96@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra20-slink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c
+index af2880d0c112..cf2a329fd895 100644
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1078,7 +1078,7 @@ static int tegra_slink_probe(struct platform_device *pdev)
+ ret = clk_enable(tspi->clk);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Clock enable failed %d\n", ret);
+- goto exit_free_master;
++ goto exit_clk_unprepare;
+ }
+
+ spi_irq = platform_get_irq(pdev, 0);
+@@ -1151,6 +1151,8 @@ exit_free_irq:
+ free_irq(spi_irq, tspi);
+ exit_clk_disable:
+ clk_disable(tspi->clk);
++exit_clk_unprepare:
++ clk_unprepare(tspi->clk);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+@@ -1164,6 +1166,7 @@ static int tegra_slink_remove(struct platform_device *pdev)
+ free_irq(tspi->irq, tspi);
+
+ clk_disable(tspi->clk);
++ clk_unprepare(tspi->clk);
+
+ if (tspi->tx_dma_chan)
+ tegra_slink_deinit_dma_param(tspi, false);
+--
+2.20.1
+
--- /dev/null
+From ee31e97b54ec08255f59452c59dc2671fe7fc274 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2019 08:03:17 -0700
+Subject: staging: rtl8188eu: fix possible null dereference
+
+From: Connor Kuehl <connor.kuehl@canonical.com>
+
+[ Upstream commit 228241944a48113470d3c3b46c88ba7fbe0a274b ]
+
+Inside a nested 'else' block at the beginning of this function is a
+call that assigns 'psta' to the return value of 'rtw_get_stainfo()'.
+If 'rtw_get_stainfo()' returns NULL and the flow of control reaches
+the 'else if' where 'psta' is dereferenced, then we will dereference
+a NULL pointer.
+
+Fix this by checking if 'psta' is not NULL before reading its
+'psta->qos_option' data member.
+
+Addresses-Coverity: ("Dereference null return value")
+
+Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Link: https://lore.kernel.org/r/20190926150317.5894-1-connor.kuehl@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8188eu/core/rtw_xmit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/rtl8188eu/core/rtw_xmit.c b/drivers/staging/rtl8188eu/core/rtw_xmit.c
+index 0f8b8e0bffdf..dedc313e9dea 100644
+--- a/drivers/staging/rtl8188eu/core/rtw_xmit.c
++++ b/drivers/staging/rtl8188eu/core/rtw_xmit.c
+@@ -805,7 +805,7 @@ s32 rtw_make_wlanhdr(struct adapter *padapter, u8 *hdr, struct pkt_attrib *pattr
+ memcpy(pwlanhdr->addr2, get_bssid(pmlmepriv), ETH_ALEN);
+ memcpy(pwlanhdr->addr3, pattrib->src, ETH_ALEN);
+
+- if (psta->qos_option)
++ if (psta && psta->qos_option)
+ qos_option = true;
+ } else if (check_fwstate(pmlmepriv, WIFI_ADHOC_STATE) ||
+ check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE)) {
+@@ -813,7 +813,7 @@ s32 rtw_make_wlanhdr(struct adapter *padapter, u8 *hdr, struct pkt_attrib *pattr
+ memcpy(pwlanhdr->addr2, pattrib->src, ETH_ALEN);
+ memcpy(pwlanhdr->addr3, get_bssid(pmlmepriv), ETH_ALEN);
+
+- if (psta->qos_option)
++ if (psta && psta->qos_option)
+ qos_option = true;
+ } else {
+ RT_TRACE(_module_rtl871x_xmit_c_, _drv_err_, ("fw_state:%x is not allowed to xmit frame\n", get_fwstate(pmlmepriv)));
+--
+2.20.1
+
--- /dev/null
+From 712f03cc5ed127b1d3edebc51ff922b3b57fed08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2019 21:51:33 -0500
+Subject: staging: rtl8192u: fix multiple memory leaks on error path
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit ca312438cf176a16d4b89350cade8789ba8d7133 ]
+
+In rtl8192_tx on error handling path allocated urbs and also skb should
+be released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Link: https://lore.kernel.org/r/20190920025137.29407-1-navid.emamdoost@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c
+index 5fe95937d811..6ec379056650 100644
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -1509,7 +1509,7 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff *skb)
+ (tx_fwinfo_819x_usb *)(skb->data + USB_HWDESC_HEADER_LEN);
+ struct usb_device *udev = priv->udev;
+ int pend;
+- int status;
++ int status, rt = -1;
+ struct urb *tx_urb = NULL, *tx_urb_zero = NULL;
+ unsigned int idx_pipe;
+
+@@ -1653,8 +1653,10 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff *skb)
+ }
+ if (bSend0Byte) {
+ tx_urb_zero = usb_alloc_urb(0, GFP_ATOMIC);
+- if (!tx_urb_zero)
+- return -ENOMEM;
++ if (!tx_urb_zero) {
++ rt = -ENOMEM;
++ goto error;
++ }
+ usb_fill_bulk_urb(tx_urb_zero, udev,
+ usb_sndbulkpipe(udev, idx_pipe),
+ &zero, 0, tx_zero_isr, dev);
+@@ -1664,7 +1666,7 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff *skb)
+ "Error TX URB for zero byte %d, error %d",
+ atomic_read(&priv->tx_pending[tcb_desc->queue_index]),
+ status);
+- return -1;
++ goto error;
+ }
+ }
+ netif_trans_update(dev);
+@@ -1675,7 +1677,12 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff *skb)
+ RT_TRACE(COMP_ERR, "Error TX URB %d, error %d",
+ atomic_read(&priv->tx_pending[tcb_desc->queue_index]),
+ status);
+- return -1;
++
++error:
++ dev_kfree_skb_any(skb);
++ usb_free_urb(tx_urb);
++ usb_free_urb(tx_urb_zero);
++ return rt;
+ }
+
+ static short rtl8192_usb_initendpoints(struct net_device *dev)
+--
+2.20.1
+
--- /dev/null
+From 62d64e667dd188399f1dbf3c8cf695f0404e7731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2019 09:26:42 -0700
+Subject: tools/power/cpupower: Fix initializer override in hsw_ext_cstates
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 7e5705c635ecfccde559ebbbe1eaf05b5cc60529 ]
+
+When building cpupower with clang, the following warning appears:
+
+ utils/idle_monitor/hsw_ext_idle.c:42:16: warning: initializer overrides
+ prior initialization of this subobject [-Winitializer-overrides]
+ .desc = N_("Processor Package C2"),
+ ^~~~~~~~~~~~~~~~~~~~~~
+ ./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_'
+ #define N_(String) gettext_noop(String)
+ ^~~~~~
+ ./utils/helpers/helpers.h:23:30: note: expanded from macro
+ 'gettext_noop'
+ #define gettext_noop(String) String
+ ^~~~~~
+ utils/idle_monitor/hsw_ext_idle.c:41:16: note: previous initialization
+ is here
+ .desc = N_("Processor Package C9"),
+ ^~~~~~~~~~~~~~~~~~~~~~
+ ./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_'
+ #define N_(String) gettext_noop(String)
+ ^~~~~~
+ ./utils/helpers/helpers.h:23:30: note: expanded from macro
+ 'gettext_noop'
+ #define gettext_noop(String) String
+ ^~~~~~
+ 1 warning generated.
+
+This appears to be a copy and paste or merge mistake because the name
+and id fields both have PC9 in them, not PC2. Remove the second
+assignment to fix the warning.
+
+Fixes: 7ee767b69b68 ("cpupower: Add Haswell family 0x45 specific idle monitor to show PC8,9,10 states")
+Link: https://github.com/ClangBuiltLinux/linux/issues/718
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c b/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c
+index ebeaba6571a3..475e18e04318 100644
+--- a/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c
++++ b/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c
+@@ -40,7 +40,6 @@ static cstate_t hsw_ext_cstates[HSW_EXT_CSTATE_COUNT] = {
+ {
+ .name = "PC9",
+ .desc = N_("Processor Package C9"),
+- .desc = N_("Processor Package C2"),
+ .id = PC9,
+ .range = RANGE_PACKAGE,
+ .get_count_percent = hsw_ext_get_count_percent,
+--
+2.20.1
+
--- /dev/null
+From 3fab48d2b2eae6b2f9f69ea53688069b39b94ab7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2019 15:15:56 +0200
+Subject: usb: renesas_usbhs: add suspend event support in gadget mode
+
+From: Veeraiyan Chidambaram <veeraiyan.chidambaram@in.bosch.com>
+
+[ Upstream commit 39abcc84846bbc0538f13c190b6a9c7e36890cd2 ]
+
+When R-Car Gen3 USB 2.0 is in Gadget mode, if host is detached an interrupt
+will be generated and Suspended state bit is set in interrupt status
+register. Interrupt handler will call driver->suspend(composite_suspend)
+if suspended state bit is set. composite_suspend will call
+ffs_func_suspend which will post FUNCTIONFS_SUSPEND and will be consumed
+by user space application via /dev/ep0.
+
+To be able to detect host detach, extend the DVSQ_MASK to cover the
+Suspended bit of the DVSQ[2:0] bitfield from the Interrupt Status
+Register 0 (INTSTS0) register and perform appropriate action in the
+DVST interrupt handler (usbhsg_irq_dev_state).
+
+Without this commit, disconnection of the phone from R-Car-H3 ES2.0
+Salvator-X CN9 port is not recognized and reverse role switch does
+not happen. If phone is connected again it does not enumerate.
+
+With this commit, disconnection will be recognized and reverse role
+switch will happen by a user space application. If phone is connected
+again it will enumerate properly and will become visible in the output
+of 'lsusb'.
+
+Signed-off-by: Veeraiyan Chidambaram <veeraiyan.chidambaram@in.bosch.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/1568207756-22325-3-git-send-email-external.veeraiyan.c@de.adit-jv.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/renesas_usbhs/common.h | 3 ++-
+ drivers/usb/renesas_usbhs/mod_gadget.c | 12 +++++++++---
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/renesas_usbhs/common.h b/drivers/usb/renesas_usbhs/common.h
+index b8620aa6b72e..8424c165f732 100644
+--- a/drivers/usb/renesas_usbhs/common.h
++++ b/drivers/usb/renesas_usbhs/common.h
+@@ -163,11 +163,12 @@ struct usbhs_priv;
+ #define VBSTS (1 << 7) /* VBUS_0 and VBUSIN_0 Input Status */
+ #define VALID (1 << 3) /* USB Request Receive */
+
+-#define DVSQ_MASK (0x3 << 4) /* Device State */
++#define DVSQ_MASK (0x7 << 4) /* Device State */
+ #define POWER_STATE (0 << 4)
+ #define DEFAULT_STATE (1 << 4)
+ #define ADDRESS_STATE (2 << 4)
+ #define CONFIGURATION_STATE (3 << 4)
++#define SUSPENDED_STATE (4 << 4)
+
+ #define CTSQ_MASK (0x7) /* Control Transfer Stage */
+ #define IDLE_SETUP_STAGE 0 /* Idle stage or setup stage */
+diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
+index 6898ca1ef98c..b0397bcfe1f6 100644
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -465,12 +465,18 @@ static int usbhsg_irq_dev_state(struct usbhs_priv *priv,
+ {
+ struct usbhsg_gpriv *gpriv = usbhsg_priv_to_gpriv(priv);
+ struct device *dev = usbhsg_gpriv_to_dev(gpriv);
++ int state = usbhs_status_get_device_state(irq_state);
+
+ gpriv->gadget.speed = usbhs_bus_get_speed(priv);
+
+- dev_dbg(dev, "state = %x : speed : %d\n",
+- usbhs_status_get_device_state(irq_state),
+- gpriv->gadget.speed);
++ dev_dbg(dev, "state = %x : speed : %d\n", state, gpriv->gadget.speed);
++
++ if (gpriv->gadget.speed != USB_SPEED_UNKNOWN &&
++ (state & SUSPENDED_STATE)) {
++ if (gpriv->driver && gpriv->driver->suspend)
++ gpriv->driver->suspend(&gpriv->gadget);
++ usb_gadget_set_state(&gpriv->gadget, USB_STATE_SUSPENDED);
++ }
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From ec0dd7547b5e714a1181e05c5842e8e7a2f8e46b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2019 13:55:18 +0200
+Subject: usb: usbfs: Suppress problematic bind and unbind uevents.
+
+From: Ingo Rohloff <ingo.rohloff@lauterbach.com>
+
+[ Upstream commit abb0b3d96a1f9407dd66831ae33985a386d4200d ]
+
+commit 1455cf8dbfd0 ("driver core: emit uevents when device is bound
+to a driver") added bind and unbind uevents when a driver is bound or
+unbound to a physical device.
+
+For USB devices which are handled via the generic usbfs layer (via
+libusb for example), this is problematic:
+Each time a user space program calls
+ ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
+and then later
+ ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
+The kernel will now produce a bind or unbind event, which does not
+really contain any useful information.
+
+This allows a user space program to run a DoS attack against programs
+which listen to uevents (in particular systemd/eudev/upowerd):
+A malicious user space program just has to call in a tight loop
+
+ ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
+ ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
+
+With this loop the malicious user space program floods the kernel and
+all programs listening to uevents with tons of bind and unbind
+events.
+
+This patch suppresses uevents for ioctls USBDEVFS_CLAIMINTERFACE and
+USBDEVFS_RELEASEINTERFACE.
+
+Signed-off-by: Ingo Rohloff <ingo.rohloff@lauterbach.com>
+Link: https://lore.kernel.org/r/20191011115518.2801-1-ingo.rohloff@lauterbach.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/devio.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 06a8f645106b..059e71d71b66 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -754,8 +754,15 @@ static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
+ intf = usb_ifnum_to_if(dev, ifnum);
+ if (!intf)
+ err = -ENOENT;
+- else
++ else {
++ unsigned int old_suppress;
++
++ /* suppress uevents while claiming interface */
++ old_suppress = dev_get_uevent_suppress(&intf->dev);
++ dev_set_uevent_suppress(&intf->dev, 1);
+ err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
++ dev_set_uevent_suppress(&intf->dev, old_suppress);
++ }
+ if (err == 0)
+ set_bit(ifnum, &ps->ifclaimed);
+ return err;
+@@ -775,7 +782,13 @@ static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
+ if (!intf)
+ err = -ENOENT;
+ else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
++ unsigned int old_suppress;
++
++ /* suppress uevents while releasing interface */
++ old_suppress = dev_get_uevent_suppress(&intf->dev);
++ dev_set_uevent_suppress(&intf->dev, 1);
+ usb_driver_release_interface(&usbfs_driver, intf);
++ dev_set_uevent_suppress(&intf->dev, old_suppress);
+ err = 0;
+ }
+ return err;
+--
+2.20.1
+
--- /dev/null
+From 69cedc1991ef28249aa4fe33757dc974e62070dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2019 17:00:27 +0800
+Subject: x86/crash: Add a forward declaration of struct kimage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lianbo Jiang <lijiang@redhat.com>
+
+[ Upstream commit 112eee5d06007dae561f14458bde7f2a4879ef4e ]
+
+Add a forward declaration of struct kimage to the crash.h header because
+future changes will invoke a crash-specific function from the realmode
+init path and the compiler will complain otherwise like this:
+
+ In file included from arch/x86/realmode/init.c:11:
+ ./arch/x86/include/asm/crash.h:5:32: warning: ‘struct kimage’ declared inside\
+ parameter list will not be visible outside of this definition or declaration
+ 5 | int crash_load_segments(struct kimage *image);
+ | ^~~~~~
+ ./arch/x86/include/asm/crash.h:6:37: warning: ‘struct kimage’ declared inside\
+ parameter list will not be visible outside of this definition or declaration
+ 6 | int crash_copy_backup_region(struct kimage *image);
+ | ^~~~~~
+ ./arch/x86/include/asm/crash.h:7:39: warning: ‘struct kimage’ declared inside\
+ parameter list will not be visible outside of this definition or declaration
+ 7 | int crash_setup_memmap_entries(struct kimage *image,
+ |
+
+ [ bp: Rewrite the commit message. ]
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: bhe@redhat.com
+Cc: d.hatayama@fujitsu.com
+Cc: dhowells@redhat.com
+Cc: dyoung@redhat.com
+Cc: ebiederm@xmission.com
+Cc: horms@verge.net.au
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jürgen Gross <jgross@suse.com>
+Cc: kexec@lists.infradead.org
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: vgoyal@redhat.com
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20191108090027.11082-4-lijiang@redhat.com
+Link: https://lkml.kernel.org/r/201910310233.EJRtTMWP%25lkp@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/crash.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/include/asm/crash.h b/arch/x86/include/asm/crash.h
+index f498411f2500..1b15304dd098 100644
+--- a/arch/x86/include/asm/crash.h
++++ b/arch/x86/include/asm/crash.h
+@@ -1,6 +1,8 @@
+ #ifndef _ASM_X86_CRASH_H
+ #define _ASM_X86_CRASH_H
+
++struct kimage;
++
+ int crash_load_segments(struct kimage *image);
+ int crash_copy_backup_region(struct kimage *image);
+ int crash_setup_memmap_entries(struct kimage *image,
+--
+2.20.1
+
--- /dev/null
+From 240f8695ef69a52d657b65db5579f5e2776076ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 15:54:47 +0200
+Subject: x86/insn: Add some Intel instructions to the opcode map
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit b980be189c9badba50634671e2303e92bf28e35a ]
+
+Add to the opcode map the following instructions:
+ cldemote
+ tpause
+ umonitor
+ umwait
+ movdiri
+ movdir64b
+ enqcmd
+ enqcmds
+ encls
+ enclu
+ enclv
+ pconfig
+ wbnoinvd
+
+For information about the instructions, refer Intel SDM May 2019
+(325462-070US) and Intel Architecture Instruction Set Extensions
+May 2019 (319433-037).
+
+The instruction decoding can be tested using the perf tools'
+"x86 instruction decoder - new instructions" test as folllows:
+
+ $ perf test -v "new " 2>&1 | grep -i cldemote
+ Decoded ok: 0f 1c 00 cldemote (%eax)
+ Decoded ok: 0f 1c 05 78 56 34 12 cldemote 0x12345678
+ Decoded ok: 0f 1c 84 c8 78 56 34 12 cldemote 0x12345678(%eax,%ecx,8)
+ Decoded ok: 0f 1c 00 cldemote (%rax)
+ Decoded ok: 41 0f 1c 00 cldemote (%r8)
+ Decoded ok: 0f 1c 04 25 78 56 34 12 cldemote 0x12345678
+ Decoded ok: 0f 1c 84 c8 78 56 34 12 cldemote 0x12345678(%rax,%rcx,8)
+ Decoded ok: 41 0f 1c 84 c8 78 56 34 12 cldemote 0x12345678(%r8,%rcx,8)
+ $ perf test -v "new " 2>&1 | grep -i tpause
+ Decoded ok: 66 0f ae f3 tpause %ebx
+ Decoded ok: 66 0f ae f3 tpause %ebx
+ Decoded ok: 66 41 0f ae f0 tpause %r8d
+ $ perf test -v "new " 2>&1 | grep -i umonitor
+ Decoded ok: 67 f3 0f ae f0 umonitor %ax
+ Decoded ok: f3 0f ae f0 umonitor %eax
+ Decoded ok: 67 f3 0f ae f0 umonitor %eax
+ Decoded ok: f3 0f ae f0 umonitor %rax
+ Decoded ok: 67 f3 41 0f ae f0 umonitor %r8d
+ $ perf test -v "new " 2>&1 | grep -i umwait
+ Decoded ok: f2 0f ae f0 umwait %eax
+ Decoded ok: f2 0f ae f0 umwait %eax
+ Decoded ok: f2 41 0f ae f0 umwait %r8d
+ $ perf test -v "new " 2>&1 | grep -i movdiri
+ Decoded ok: 0f 38 f9 03 movdiri %eax,(%ebx)
+ Decoded ok: 0f 38 f9 88 78 56 34 12 movdiri %ecx,0x12345678(%eax)
+ Decoded ok: 48 0f 38 f9 03 movdiri %rax,(%rbx)
+ Decoded ok: 48 0f 38 f9 88 78 56 34 12 movdiri %rcx,0x12345678(%rax)
+ $ perf test -v "new " 2>&1 | grep -i movdir64b
+ Decoded ok: 66 0f 38 f8 18 movdir64b (%eax),%ebx
+ Decoded ok: 66 0f 38 f8 88 78 56 34 12 movdir64b 0x12345678(%eax),%ecx
+ Decoded ok: 67 66 0f 38 f8 1c movdir64b (%si),%bx
+ Decoded ok: 67 66 0f 38 f8 8c 34 12 movdir64b 0x1234(%si),%cx
+ Decoded ok: 66 0f 38 f8 18 movdir64b (%rax),%rbx
+ Decoded ok: 66 0f 38 f8 88 78 56 34 12 movdir64b 0x12345678(%rax),%rcx
+ Decoded ok: 67 66 0f 38 f8 18 movdir64b (%eax),%ebx
+ Decoded ok: 67 66 0f 38 f8 88 78 56 34 12 movdir64b 0x12345678(%eax),%ecx
+ $ perf test -v "new " 2>&1 | grep -i enqcmd
+ Decoded ok: f2 0f 38 f8 18 enqcmd (%eax),%ebx
+ Decoded ok: f2 0f 38 f8 88 78 56 34 12 enqcmd 0x12345678(%eax),%ecx
+ Decoded ok: 67 f2 0f 38 f8 1c enqcmd (%si),%bx
+ Decoded ok: 67 f2 0f 38 f8 8c 34 12 enqcmd 0x1234(%si),%cx
+ Decoded ok: f3 0f 38 f8 18 enqcmds (%eax),%ebx
+ Decoded ok: f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%eax),%ecx
+ Decoded ok: 67 f3 0f 38 f8 1c enqcmds (%si),%bx
+ Decoded ok: 67 f3 0f 38 f8 8c 34 12 enqcmds 0x1234(%si),%cx
+ Decoded ok: f2 0f 38 f8 18 enqcmd (%rax),%rbx
+ Decoded ok: f2 0f 38 f8 88 78 56 34 12 enqcmd 0x12345678(%rax),%rcx
+ Decoded ok: 67 f2 0f 38 f8 18 enqcmd (%eax),%ebx
+ Decoded ok: 67 f2 0f 38 f8 88 78 56 34 12 enqcmd 0x12345678(%eax),%ecx
+ Decoded ok: f3 0f 38 f8 18 enqcmds (%rax),%rbx
+ Decoded ok: f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%rax),%rcx
+ Decoded ok: 67 f3 0f 38 f8 18 enqcmds (%eax),%ebx
+ Decoded ok: 67 f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%eax),%ecx
+ $ perf test -v "new " 2>&1 | grep -i enqcmds
+ Decoded ok: f3 0f 38 f8 18 enqcmds (%eax),%ebx
+ Decoded ok: f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%eax),%ecx
+ Decoded ok: 67 f3 0f 38 f8 1c enqcmds (%si),%bx
+ Decoded ok: 67 f3 0f 38 f8 8c 34 12 enqcmds 0x1234(%si),%cx
+ Decoded ok: f3 0f 38 f8 18 enqcmds (%rax),%rbx
+ Decoded ok: f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%rax),%rcx
+ Decoded ok: 67 f3 0f 38 f8 18 enqcmds (%eax),%ebx
+ Decoded ok: 67 f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%eax),%ecx
+ $ perf test -v "new " 2>&1 | grep -i encls
+ Decoded ok: 0f 01 cf encls
+ Decoded ok: 0f 01 cf encls
+ $ perf test -v "new " 2>&1 | grep -i enclu
+ Decoded ok: 0f 01 d7 enclu
+ Decoded ok: 0f 01 d7 enclu
+ $ perf test -v "new " 2>&1 | grep -i enclv
+ Decoded ok: 0f 01 c0 enclv
+ Decoded ok: 0f 01 c0 enclv
+ $ perf test -v "new " 2>&1 | grep -i pconfig
+ Decoded ok: 0f 01 c5 pconfig
+ Decoded ok: 0f 01 c5 pconfig
+ $ perf test -v "new " 2>&1 | grep -i wbnoinvd
+ Decoded ok: f3 0f 09 wbnoinvd
+ Decoded ok: f3 0f 09 wbnoinvd
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86@kernel.org
+Link: http://lore.kernel.org/lkml/20191115135447.6519-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/lib/x86-opcode-map.txt | 18 ++++++++++++------
+ tools/objtool/arch/x86/lib/x86-opcode-map.txt | 18 ++++++++++++------
+ 2 files changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt
+index 1754e094bc28..0f7eb4f5bdb7 100644
+--- a/arch/x86/lib/x86-opcode-map.txt
++++ b/arch/x86/lib/x86-opcode-map.txt
+@@ -333,7 +333,7 @@ AVXcode: 1
+ 06: CLTS
+ 07: SYSRET (o64)
+ 08: INVD
+-09: WBINVD
++09: WBINVD | WBNOINVD (F3)
+ 0a:
+ 0b: UD2 (1B)
+ 0c:
+@@ -364,7 +364,7 @@ AVXcode: 1
+ # a ModR/M byte.
+ 1a: BNDCL Gv,Ev (F3) | BNDCU Gv,Ev (F2) | BNDMOV Gv,Ev (66) | BNDLDX Gv,Ev
+ 1b: BNDCN Gv,Ev (F2) | BNDMOV Ev,Gv (66) | BNDMK Gv,Ev (F3) | BNDSTX Ev,Gv
+-1c:
++1c: Grp20 (1A),(1C)
+ 1d:
+ 1e:
+ 1f: NOP Ev
+@@ -792,6 +792,8 @@ f3: Grp17 (1A)
+ f5: BZHI Gy,Ey,By (v) | PEXT Gy,By,Ey (F3),(v) | PDEP Gy,By,Ey (F2),(v)
+ f6: ADCX Gy,Ey (66) | ADOX Gy,Ey (F3) | MULX By,Gy,rDX,Ey (F2),(v)
+ f7: BEXTR Gy,Ey,By (v) | SHLX Gy,Ey,By (66),(v) | SARX Gy,Ey,By (F3),(v) | SHRX Gy,Ey,By (F2),(v)
++f8: MOVDIR64B Gv,Mdqq (66) | ENQCMD Gv,Mdqq (F2) | ENQCMDS Gv,Mdqq (F3)
++f9: MOVDIRI My,Gy
+ EndTable
+
+ Table: 3-byte opcode 2 (0x0f 0x3a)
+@@ -943,9 +945,9 @@ GrpTable: Grp6
+ EndTable
+
+ GrpTable: Grp7
+-0: SGDT Ms | VMCALL (001),(11B) | VMLAUNCH (010),(11B) | VMRESUME (011),(11B) | VMXOFF (100),(11B)
+-1: SIDT Ms | MONITOR (000),(11B) | MWAIT (001),(11B) | CLAC (010),(11B) | STAC (011),(11B)
+-2: LGDT Ms | XGETBV (000),(11B) | XSETBV (001),(11B) | VMFUNC (100),(11B) | XEND (101)(11B) | XTEST (110)(11B)
++0: SGDT Ms | VMCALL (001),(11B) | VMLAUNCH (010),(11B) | VMRESUME (011),(11B) | VMXOFF (100),(11B) | PCONFIG (101),(11B) | ENCLV (000),(11B)
++1: SIDT Ms | MONITOR (000),(11B) | MWAIT (001),(11B) | CLAC (010),(11B) | STAC (011),(11B) | ENCLS (111),(11B)
++2: LGDT Ms | XGETBV (000),(11B) | XSETBV (001),(11B) | VMFUNC (100),(11B) | XEND (101)(11B) | XTEST (110)(11B) | ENCLU (111),(11B)
+ 3: LIDT Ms
+ 4: SMSW Mw/Rv
+ 5: rdpkru (110),(11B) | wrpkru (111),(11B)
+@@ -1011,7 +1013,7 @@ GrpTable: Grp15
+ 3: vstmxcsr Md (v1) | WRGSBASE Ry (F3),(11B)
+ 4: XSAVE
+ 5: XRSTOR | lfence (11B)
+-6: XSAVEOPT | clwb (66) | mfence (11B)
++6: XSAVEOPT | clwb (66) | mfence (11B) | TPAUSE Rd (66),(11B) | UMONITOR Rv (F3),(11B) | UMWAIT Rd (F2),(11B)
+ 7: clflush | clflushopt (66) | sfence (11B)
+ EndTable
+
+@@ -1042,6 +1044,10 @@ GrpTable: Grp19
+ 6: vscatterpf1qps/d Wx (66),(ev)
+ EndTable
+
++GrpTable: Grp20
++0: cldemote Mb
++EndTable
++
+ # AMD's Prefetch Group
+ GrpTable: GrpP
+ 0: PREFETCH
+diff --git a/tools/objtool/arch/x86/lib/x86-opcode-map.txt b/tools/objtool/arch/x86/lib/x86-opcode-map.txt
+index 1754e094bc28..0f7eb4f5bdb7 100644
+--- a/tools/objtool/arch/x86/lib/x86-opcode-map.txt
++++ b/tools/objtool/arch/x86/lib/x86-opcode-map.txt
+@@ -333,7 +333,7 @@ AVXcode: 1
+ 06: CLTS
+ 07: SYSRET (o64)
+ 08: INVD
+-09: WBINVD
++09: WBINVD | WBNOINVD (F3)
+ 0a:
+ 0b: UD2 (1B)
+ 0c:
+@@ -364,7 +364,7 @@ AVXcode: 1
+ # a ModR/M byte.
+ 1a: BNDCL Gv,Ev (F3) | BNDCU Gv,Ev (F2) | BNDMOV Gv,Ev (66) | BNDLDX Gv,Ev
+ 1b: BNDCN Gv,Ev (F2) | BNDMOV Ev,Gv (66) | BNDMK Gv,Ev (F3) | BNDSTX Ev,Gv
+-1c:
++1c: Grp20 (1A),(1C)
+ 1d:
+ 1e:
+ 1f: NOP Ev
+@@ -792,6 +792,8 @@ f3: Grp17 (1A)
+ f5: BZHI Gy,Ey,By (v) | PEXT Gy,By,Ey (F3),(v) | PDEP Gy,By,Ey (F2),(v)
+ f6: ADCX Gy,Ey (66) | ADOX Gy,Ey (F3) | MULX By,Gy,rDX,Ey (F2),(v)
+ f7: BEXTR Gy,Ey,By (v) | SHLX Gy,Ey,By (66),(v) | SARX Gy,Ey,By (F3),(v) | SHRX Gy,Ey,By (F2),(v)
++f8: MOVDIR64B Gv,Mdqq (66) | ENQCMD Gv,Mdqq (F2) | ENQCMDS Gv,Mdqq (F3)
++f9: MOVDIRI My,Gy
+ EndTable
+
+ Table: 3-byte opcode 2 (0x0f 0x3a)
+@@ -943,9 +945,9 @@ GrpTable: Grp6
+ EndTable
+
+ GrpTable: Grp7
+-0: SGDT Ms | VMCALL (001),(11B) | VMLAUNCH (010),(11B) | VMRESUME (011),(11B) | VMXOFF (100),(11B)
+-1: SIDT Ms | MONITOR (000),(11B) | MWAIT (001),(11B) | CLAC (010),(11B) | STAC (011),(11B)
+-2: LGDT Ms | XGETBV (000),(11B) | XSETBV (001),(11B) | VMFUNC (100),(11B) | XEND (101)(11B) | XTEST (110)(11B)
++0: SGDT Ms | VMCALL (001),(11B) | VMLAUNCH (010),(11B) | VMRESUME (011),(11B) | VMXOFF (100),(11B) | PCONFIG (101),(11B) | ENCLV (000),(11B)
++1: SIDT Ms | MONITOR (000),(11B) | MWAIT (001),(11B) | CLAC (010),(11B) | STAC (011),(11B) | ENCLS (111),(11B)
++2: LGDT Ms | XGETBV (000),(11B) | XSETBV (001),(11B) | VMFUNC (100),(11B) | XEND (101)(11B) | XTEST (110)(11B) | ENCLU (111),(11B)
+ 3: LIDT Ms
+ 4: SMSW Mw/Rv
+ 5: rdpkru (110),(11B) | wrpkru (111),(11B)
+@@ -1011,7 +1013,7 @@ GrpTable: Grp15
+ 3: vstmxcsr Md (v1) | WRGSBASE Ry (F3),(11B)
+ 4: XSAVE
+ 5: XRSTOR | lfence (11B)
+-6: XSAVEOPT | clwb (66) | mfence (11B)
++6: XSAVEOPT | clwb (66) | mfence (11B) | TPAUSE Rd (66),(11B) | UMONITOR Rv (F3),(11B) | UMWAIT Rd (F2),(11B)
+ 7: clflush | clflushopt (66) | sfence (11B)
+ EndTable
+
+@@ -1042,6 +1044,10 @@ GrpTable: Grp19
+ 6: vscatterpf1qps/d Wx (66),(ev)
+ EndTable
+
++GrpTable: Grp20
++0: cldemote Mb
++EndTable
++
+ # AMD's Prefetch Group
+ GrpTable: GrpP
+ 0: PREFETCH
+--
+2.20.1
+
--- /dev/null
+From 67913286fad1be47357e44d74949dd189b5c3c85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2019 12:19:01 +0200
+Subject: x86/ioapic: Prevent inconsistent state when moving an interrupt
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit df4393424af3fbdcd5c404077176082a8ce459c4 ]
+
+There is an issue with threaded interrupts which are marked ONESHOT
+and using the fasteoi handler:
+
+ if (IS_ONESHOT())
+ mask_irq();
+ ....
+ cond_unmask_eoi_irq()
+ chip->irq_eoi();
+ if (setaffinity_pending) {
+ mask_ioapic();
+ ...
+ move_affinity();
+ unmask_ioapic();
+ }
+
+So if setaffinity is pending the interrupt will be moved and then
+unconditionally unmasked at the ioapic level, which is wrong in two
+aspects:
+
+ 1) It should be kept masked up to the point where the threaded handler
+ finished.
+
+ 2) The physical chip state and the software masked state are inconsistent
+
+Guard both the mask and the unmask with a check for the software masked
+state. If the line is marked masked then the ioapic line is also masked, so
+both mask_ioapic() and unmask_ioapic() can be skipped safely.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Fixes: 3aa551c9b4c4 ("genirq: add threaded interrupt handler support")
+Link: https://lkml.kernel.org/r/20191017101938.321393687@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/io_apic.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
+index 09dd95cabfc2..3401b28f1312 100644
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -1712,9 +1712,10 @@ static bool io_apic_level_ack_pending(struct mp_chip_data *data)
+
+ static inline bool ioapic_irqd_mask(struct irq_data *data)
+ {
+- /* If we are moving the irq we need to mask it */
++ /* If we are moving the IRQ we need to mask it */
+ if (unlikely(irqd_is_setaffinity_pending(data))) {
+- mask_ioapic_irq(data);
++ if (!irqd_irq_masked(data))
++ mask_ioapic_irq(data);
+ return true;
+ }
+ return false;
+@@ -1751,7 +1752,9 @@ static inline void ioapic_irqd_unmask(struct irq_data *data, bool masked)
+ */
+ if (!io_apic_level_ack_pending(data->chip_data))
+ irq_move_masked_irq(data);
+- unmask_ioapic_irq(data);
++ /* If the IRQ is masked in the core, leave it: */
++ if (!irqd_irq_masked(data))
++ unmask_ioapic_irq(data);
+ }
+ }
+ #else
+--
+2.20.1
+
--- /dev/null
+From 2f2bc46c1251a8f565f992001062678c5f77e57e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 17:54:24 +0200
+Subject: x86/mce: Lower throttling MCE messages' priority to warning
+
+From: Benjamin Berg <bberg@redhat.com>
+
+[ Upstream commit 9c3bafaa1fd88e4dd2dba3735a1f1abb0f2c7bb7 ]
+
+On modern CPUs it is quite normal that the temperature limits are
+reached and the CPU is throttled. In fact, often the thermal design is
+not sufficient to cool the CPU at full load and limits can quickly be
+reached when a burst in load happens. This will even happen with
+technologies like RAPL limitting the long term power consumption of
+the package.
+
+Also, these limits are "softer", as Srinivas explains:
+
+"CPU temperature doesn't have to hit max(TjMax) to get these warnings.
+OEMs ha[ve] an ability to program a threshold where a thermal interrupt
+can be generated. In some systems the offset is 20C+ (Read only value).
+
+In recent systems, there is another offset on top of it which can be
+programmed by OS, once some agent can adjust power limits dynamically.
+By default this is set to low by the firmware, which I guess the
+prime motivation of Benjamin to submit the patch."
+
+So these messages do not usually indicate a hardware issue (e.g.
+insufficient cooling). Log them as warnings to avoid confusion about
+their severity.
+
+ [ bp: Massage commit mesage. ]
+
+Signed-off-by: Benjamin Berg <bberg@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Christian Kellner <ckellner@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20191009155424.249277-1-bberg@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c
+index c460c91d0c8f..be2439592b0e 100644
+--- a/arch/x86/kernel/cpu/mcheck/therm_throt.c
++++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c
+@@ -190,7 +190,7 @@ static int therm_throt_process(bool new_event, int event, int level)
+ /* if we just entered the thermal event */
+ if (new_event) {
+ if (event == THERMAL_THROTTLING_EVENT)
+- pr_crit("CPU%d: %s temperature above threshold, cpu clock throttled (total events = %lu)\n",
++ pr_warn("CPU%d: %s temperature above threshold, cpu clock throttled (total events = %lu)\n",
+ this_cpu,
+ level == CORE_LEVEL ? "Core" : "Package",
+ state->count);
+--
+2.20.1
+
--- /dev/null
+From be4d6d0710e7cf200b3c6a071278c8f2d6bf1541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2019 14:14:02 -0700
+Subject: x86/mm: Use the correct function type for native_set_fixmap()
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+[ Upstream commit f53e2cd0b8ab7d9e390414470bdbd830f660133f ]
+
+We call native_set_fixmap indirectly through the function pointer
+struct pv_mmu_ops::set_fixmap, which expects the first parameter to be
+'unsigned' instead of 'enum fixed_addresses'. This patch changes the
+function type for native_set_fixmap to match the pointer, which fixes
+indirect call mismatches with Control-Flow Integrity (CFI) checking.
+
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: H . Peter Anvin <hpa@zytor.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190913211402.193018-1-samitolvanen@google.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/fixmap.h | 2 +-
+ arch/x86/mm/pgtable.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/fixmap.h b/arch/x86/include/asm/fixmap.h
+index 8554f960e21b..61d6f2c05757 100644
+--- a/arch/x86/include/asm/fixmap.h
++++ b/arch/x86/include/asm/fixmap.h
+@@ -142,7 +142,7 @@ extern pte_t *kmap_pte;
+ extern pte_t *pkmap_page_table;
+
+ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte);
+-void native_set_fixmap(enum fixed_addresses idx,
++void native_set_fixmap(unsigned /* enum fixed_addresses */ idx,
+ phys_addr_t phys, pgprot_t flags);
+
+ #ifndef CONFIG_PARAVIRT
+diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
+index dff8ac2d255c..08e0380414a9 100644
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -544,8 +544,8 @@ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
+ fixmaps_set++;
+ }
+
+-void native_set_fixmap(enum fixed_addresses idx, phys_addr_t phys,
+- pgprot_t flags)
++void native_set_fixmap(unsigned /* enum fixed_addresses */ idx,
++ phys_addr_t phys, pgprot_t flags)
+ {
+ __native_set_fixmap(idx, pfn_pte(phys >> PAGE_SHIFT, flags));
+ }
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
