--- /dev/null
+From 2a5c7da533af2284cee17e542144b463e8d22cc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2019 18:21:20 -0600
+Subject: ACPI / CPPC: do not require the _PSD method
+
+From: Al Stone <ahs3@redhat.com>
+
+[ Upstream commit 4c4cdc4c63853fee48c02e25c8605fb65a6c9924 ]
+
+According to the ACPI 6.3 specification, the _PSD method is optional
+when using CPPC. The underlying assumption is that each CPU can change
+frequency independently from all other CPUs; _PSD is provided to tell
+the OS that some processors can NOT do that.
+
+However, the acpi_get_psd() function returns ENODEV if there is no _PSD
+method present, or an ACPI error status if an error occurs when evaluating
+_PSD, if present. This makes _PSD mandatory when using CPPC, in violation
+of the specification, and only on Linux.
+
+This has forced some firmware writers to provide a dummy _PSD, even though
+it is irrelevant, but only because Linux requires it; other OSPMs follow
+the spec. We really do not want to have OS specific ACPI tables, though.
+
+So, correct acpi_get_psd() so that it does not return an error if there
+is no _PSD method present, but does return a failure when the method can
+not be executed properly. This allows _PSD to be optional as it should
+be.
+
+Signed-off-by: Al Stone <ahs3@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/cppc_acpi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
+index 0afd1981e350b..43c27c04c40ae 100644
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -137,8 +137,10 @@ static int acpi_get_psd(struct cpc_desc *cpc_ptr, acpi_handle handle)
+ union acpi_object *psd = NULL;
+ struct acpi_psd_package *pdomain;
+
+- status = acpi_evaluate_object_typed(handle, "_PSD", NULL, &buffer,
+- ACPI_TYPE_PACKAGE);
++ status = acpi_evaluate_object_typed(handle, "_PSD", NULL,
++ &buffer, ACPI_TYPE_PACKAGE);
++ if (status == AE_NOT_FOUND) /* _PSD is optional */
++ return 0;
+ if (ACPI_FAILURE(status))
+ return -ENODEV;
+
+--
+2.20.1
+
--- /dev/null
+From e2457e2284b20643eb04e455857369d8e6cde599 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2019 00:08:27 -0500
+Subject: ACPI: custom_method: fix memory leaks
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 03d1571d9513369c17e6848476763ebbd10ec2cb ]
+
+In cm_write(), 'buf' is allocated through kzalloc(). In the following
+execution, if an error occurs, 'buf' is not deallocated, leading to memory
+leaks. To fix this issue, free 'buf' before returning the error.
+
+Fixes: 526b4af47f44 ("ACPI: Split out custom_method functionality into an own driver")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/custom_method.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
+index c68e72414a67a..435bd0ffc8c02 100644
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -48,8 +48,10 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
+ if ((*ppos > max_size) ||
+ (*ppos + count > max_size) ||
+ (*ppos + count < count) ||
+- (count > uncopied_bytes))
++ (count > uncopied_bytes)) {
++ kfree(buf);
+ return -EINVAL;
++ }
+
+ if (copy_from_user(buf + (*ppos), user_buf, count)) {
+ kfree(buf);
+@@ -69,6 +71,7 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
+ add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
+ }
+
++ kfree(buf);
+ return count;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From b939e372618207211b531eb03c916feca2b0f886 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Jul 2019 12:33:37 +0100
+Subject: ALSA: hda: Flush interrupts on disabling
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit caa8422d01e983782548648e125fd617cadcec3f ]
+
+I was looking at
+
+<4> [241.835158] general protection fault: 0000 [#1] PREEMPT SMP PTI
+<4> [241.835181] CPU: 1 PID: 214 Comm: kworker/1:3 Tainted: G U 5.2.0-CI-CI_DRM_6509+ #1
+<4> [241.835199] Hardware name: Dell Inc. OptiPlex 745 /0GW726, BIOS 2.3.1 05/21/2007
+<4> [241.835234] Workqueue: events snd_hdac_bus_process_unsol_events [snd_hda_core]
+<4> [241.835256] RIP: 0010:input_handle_event+0x16d/0x5e0
+<4> [241.835270] Code: 48 8b 93 58 01 00 00 8b 52 08 89 50 04 8b 83 f8 06 00 00 48 8b 93 00 07 00 00 8d 70 01 48 8d 04 c2 83 e1 08 89 b3 f8 06 00 00 <66> 89 28 66 44 89 60 02 44 89 68 04 8b 93 f8 06 00 00 0f 84 fd fe
+<4> [241.835304] RSP: 0018:ffffc9000019fda0 EFLAGS: 00010046
+<4> [241.835317] RAX: 6b6b6b6ec6c6c6c3 RBX: ffff8880290fefc8 RCX: 0000000000000000
+<4> [241.835332] RDX: 000000006b6b6b6b RSI: 000000006b6b6b6c RDI: 0000000000000046
+<4> [241.835347] RBP: 0000000000000005 R08: 0000000000000000 R09: 0000000000000001
+<4> [241.835362] R10: ffffc9000019faa0 R11: 0000000000000000 R12: 0000000000000004
+<4> [241.835377] R13: 0000000000000000 R14: ffff8880290ff1d0 R15: 0000000000000293
+<4> [241.835392] FS: 0000000000000000(0000) GS:ffff88803de80000(0000) knlGS:0000000000000000
+<4> [241.835409] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4> [241.835422] CR2: 00007ffe9a99e9b7 CR3: 000000002f588000 CR4: 00000000000006e0
+<4> [241.835436] Call Trace:
+<4> [241.835449] input_event+0x45/0x70
+<4> [241.835464] snd_jack_report+0xdc/0x100
+<4> [241.835490] snd_hda_jack_report_sync+0x83/0xc0 [snd_hda_codec]
+<4> [241.835512] snd_hdac_bus_process_unsol_events+0x5a/0x70 [snd_hda_core]
+<4> [241.835530] process_one_work+0x245/0x610
+
+which has the hallmarks of a worker queued from interrupt after it was
+supposedly cancelled (note the POISON_FREE), and I could not see where
+the interrupt would be flushed on shutdown so added the likely suspects.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111174
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/hdac_controller.c | 2 ++
+ sound/pci/hda/hda_intel.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/hda/hdac_controller.c b/sound/hda/hdac_controller.c
+index 4727f5b80e76d..acc2c7dbfb151 100644
+--- a/sound/hda/hdac_controller.c
++++ b/sound/hda/hdac_controller.c
+@@ -340,6 +340,8 @@ static void azx_int_disable(struct hdac_bus *bus)
+ list_for_each_entry(azx_dev, &bus->stream_list, list)
+ snd_hdac_stream_updateb(azx_dev, SD_CTL, SD_INT_MASK, 0);
+
++ synchronize_irq(bus->irq);
++
+ /* disable SIE for all streams */
+ snd_hdac_chip_writeb(bus, INTCTL, 0);
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index ef8955abd9186..96ccab15da836 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1274,9 +1274,9 @@ static int azx_free(struct azx *chip)
+ }
+
+ if (bus->chip_init) {
++ azx_stop_chip(chip);
+ azx_clear_irq_pending(chip);
+ azx_stop_all_streams(chip);
+- azx_stop_chip(chip);
+ }
+
+ if (bus->irq >= 0)
+--
+2.20.1
+
--- /dev/null
+From 0932af042912d979c2d2cfbbd6067ce604922cdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2019 09:58:07 +0200
+Subject: ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 051c78af14fcd74a22b5af45548ad9d588247cc7 ]
+
+Lenovo ThinkCentre M73 and M93 don't seem to have a proper beep
+although the driver tries to probe and set up blindly.
+Blacklist these machines for suppressing the beep creation.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204635
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index d5ca16048ce0d..55bae9e6de27d 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -977,6 +977,9 @@ static const struct snd_pci_quirk beep_white_list[] = {
+ SND_PCI_QUIRK(0x1043, 0x834a, "EeePC", 1),
+ SND_PCI_QUIRK(0x1458, 0xa002, "GA-MA790X", 1),
+ SND_PCI_QUIRK(0x8086, 0xd613, "Intel", 1),
++ /* blacklist -- no beep available */
++ SND_PCI_QUIRK(0x17aa, 0x309e, "Lenovo ThinkCentre M73", 0),
++ SND_PCI_QUIRK(0x17aa, 0x30a3, "Lenovo ThinkCentre M93", 0),
+ {}
+ };
+
+--
+2.20.1
+
--- /dev/null
+From b36bfe57027853fb8bd3002d9e8eff6fd500e4ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2019 11:42:34 +0200
+Subject: ALSA: hda - Show the fatal CORB/RIRB error more clearly
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit dd65f7e19c6961ba6a69f7c925021b7a270cb950 ]
+
+The last fallback of CORB/RIRB communication error recovery is to turn
+on the single command mode, and this last resort usually means that
+something is really screwed up. Instead of a normal dev_err(), show
+the error more clearly with dev_WARN() with the caller stack trace.
+
+Also, show the bus-reset fallback also as an error, too.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_controller.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
+index 273364c39171c..9cdf86f04e037 100644
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -667,10 +667,13 @@ static int azx_rirb_get_response(struct hdac_bus *bus, unsigned int addr,
+ */
+ if (hbus->allow_bus_reset && !hbus->response_reset && !hbus->in_reset) {
+ hbus->response_reset = 1;
++ dev_err(chip->card->dev,
++ "No response from codec, resetting bus: last cmd=0x%08x\n",
++ bus->last_cmd[addr]);
+ return -EAGAIN; /* give a chance to retry */
+ }
+
+- dev_err(chip->card->dev,
++ dev_WARN(chip->card->dev,
+ "azx_get_response timeout, switching to single_cmd mode: last cmd=0x%08x\n",
+ bus->last_cmd[addr]);
+ chip->single_cmd = 1;
+--
+2.20.1
+
--- /dev/null
+From 391a53daf16a7bf41bf35de7394bf8e78d8ae3f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2019 10:14:42 +0800
+Subject: ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in
+ build_adc_controls()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 2127c01b7f63b06a21559f56a8c81a3c6535bd1a ]
+
+In build_adc_controls(), there is an if statement on line 773 to check
+whether ak->adc_info is NULL:
+ if (! ak->adc_info ||
+ ! ak->adc_info[mixer_ch].switch_name)
+
+When ak->adc_info is NULL, it is used on line 792:
+ knew.name = ak->adc_info[mixer_ch].selector_name;
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, referring to lines 773 and 774, ak->adc_info
+and ak->adc_info[mixer_ch].selector_name are checked before being used.
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/i2c/other/ak4xxx-adda.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sound/i2c/other/ak4xxx-adda.c b/sound/i2c/other/ak4xxx-adda.c
+index bf377dc192aa7..d33e02c317129 100644
+--- a/sound/i2c/other/ak4xxx-adda.c
++++ b/sound/i2c/other/ak4xxx-adda.c
+@@ -789,11 +789,12 @@ static int build_adc_controls(struct snd_akm4xxx *ak)
+ return err;
+
+ memset(&knew, 0, sizeof(knew));
+- knew.name = ak->adc_info[mixer_ch].selector_name;
+- if (!knew.name) {
++ if (!ak->adc_info ||
++ !ak->adc_info[mixer_ch].selector_name) {
+ knew.name = "Capture Channel";
+ knew.index = mixer_ch + ak->idx_offset * 2;
+- }
++ } else
++ knew.name = ak->adc_info[mixer_ch].selector_name;
+
+ knew.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
+ knew.info = ak4xxx_capture_source_info;
+--
+2.20.1
+
--- /dev/null
+From a02249474dfd89cf94c9bcc3e76077d8385be67a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2019 13:52:14 +0200
+Subject: ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid
+
+From: Ard van Breemen <ard@kwaak.net>
+
+[ Upstream commit 1b34121d9f26d272b0b2334209af6b6fc82d4bf1 ]
+
+The Linux kernel assumes that get_endpoint(alts,0) and
+get_endpoint(alts,1) are eachothers feedback endpoints.
+To reassure that validity it will test bsynchaddress to comply with that
+assumption. But if the bsyncaddress is 0 (invalid), it will flag that as
+a wrong assumption and return an error.
+Fix: Skip the test if bSynchAddress is 0.
+Note: those with a valid bSynchAddress should have a code quirck added.
+
+Signed-off-by: Ard van Breemen <ard@kwaak.net>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index 1ea1384bc2369..f84c55ecd0fb4 100644
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -460,6 +460,7 @@ static int set_sync_endpoint(struct snd_usb_substream *subs,
+ }
+ ep = get_endpoint(alts, 1)->bEndpointAddress;
+ if (get_endpoint(alts, 0)->bLength >= USB_DT_ENDPOINT_AUDIO_SIZE &&
++ get_endpoint(alts, 0)->bSynchAddress != 0 &&
+ ((is_playback && ep != (unsigned int)(get_endpoint(alts, 0)->bSynchAddress | USB_DIR_IN)) ||
+ (!is_playback && ep != (unsigned int)(get_endpoint(alts, 0)->bSynchAddress & ~USB_DIR_IN)))) {
+ dev_err(&dev->dev,
+--
+2.20.1
+
--- /dev/null
+From 5280342a4039dfb88e5b7850e31e397f39d0f791 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2019 08:55:24 +0300
+Subject: ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is
+ not set
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+[ Upstream commit 2ec42f3147e1610716f184b02e65d7f493eed925 ]
+
+Some tools use the snd_pcm_info_get_name() to try to identify PCMs or for
+other purposes.
+
+Currently it is left empty with the dmaengine-pcm, in this case copy the
+pcm->id string as pcm->name.
+
+For example IGT is using this to find the HDMI PCM for testing audio on it.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reported-by: Arthur She <arthur.she@linaro.org>
+Link: https://lore.kernel.org/r/20190906055524.7393-1-peter.ujfalusi@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-generic-dmaengine-pcm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/soc-generic-dmaengine-pcm.c b/sound/soc/soc-generic-dmaengine-pcm.c
+index 6fd1906af3873..fe65754c2e504 100644
+--- a/sound/soc/soc-generic-dmaengine-pcm.c
++++ b/sound/soc/soc-generic-dmaengine-pcm.c
+@@ -301,6 +301,12 @@ static int dmaengine_pcm_new(struct snd_soc_pcm_runtime *rtd)
+
+ if (!dmaengine_pcm_can_report_residue(dev, pcm->chan[i]))
+ pcm->flags |= SND_DMAENGINE_PCM_FLAG_NO_RESIDUE;
++
++ if (rtd->pcm->streams[i].pcm->name[0] == '\0') {
++ strncpy(rtd->pcm->streams[i].pcm->name,
++ rtd->pcm->streams[i].pcm->id,
++ sizeof(rtd->pcm->streams[i].pcm->name));
++ }
+ }
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From e5e85c86290b272da8bed91a70b1e0276d593c4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2019 10:05:37 +0000
+Subject: ASoC: sgtl5000: Fix charge pump source assignment
+
+From: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
+
+[ Upstream commit b6319b061ba279577fd7030a9848fbd6a17151e3 ]
+
+If VDDA != VDDIO and any of them is greater than 3.1V, charge pump
+source can be assigned automatically [1].
+
+[1] https://www.nxp.com/docs/en/data-sheet/SGTL5000.pdf
+
+Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
+Reviewed-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Reviewed-by: Igor Opaniuk <igor.opaniuk@toradex.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Link: https://lore.kernel.org/r/20190719100524.23300-7-oleksandr.suvorov@toradex.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/sgtl5000.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
+index 08b40460663c2..549f853c40924 100644
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -1166,12 +1166,17 @@ static int sgtl5000_set_power_regs(struct snd_soc_codec *codec)
+ SGTL5000_INT_OSC_EN);
+ /* Enable VDDC charge pump */
+ ana_pwr |= SGTL5000_VDDC_CHRGPMP_POWERUP;
+- } else if (vddio >= 3100 && vdda >= 3100) {
++ } else {
+ ana_pwr &= ~SGTL5000_VDDC_CHRGPMP_POWERUP;
+- /* VDDC use VDDIO rail */
+- lreg_ctrl |= SGTL5000_VDDC_ASSN_OVRD;
+- lreg_ctrl |= SGTL5000_VDDC_MAN_ASSN_VDDIO <<
+- SGTL5000_VDDC_MAN_ASSN_SHIFT;
++ /*
++ * if vddio == vdda the source of charge pump should be
++ * assigned manually to VDDIO
++ */
++ if (vddio == vdda) {
++ lreg_ctrl |= SGTL5000_VDDC_ASSN_OVRD;
++ lreg_ctrl |= SGTL5000_VDDC_MAN_ASSN_VDDIO <<
++ SGTL5000_VDDC_MAN_ASSN_SHIFT;
++ }
+ }
+
+ snd_soc_write(codec, SGTL5000_CHIP_LINREG_CTRL, lreg_ctrl);
+--
+2.20.1
+
--- /dev/null
+From 01c1fed7b55aac8b7578e5d72cb0cdea4a761334 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2019 04:05:12 +0530
+Subject: base: soc: Export soc_device_register/unregister APIs
+
+From: Vinod Koul <vkoul@kernel.org>
+
+[ Upstream commit f7ccc7a397cf2ef64aebb2f726970b93203858d2 ]
+
+Qcom Socinfo driver can be built as a module, so
+export these two APIs.
+
+Tested-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Vaishali Thakkar <vaishali.thakkar@linaro.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/soc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/soc.c b/drivers/base/soc.c
+index 75b98aad6fafd..84242e6b2897f 100644
+--- a/drivers/base/soc.c
++++ b/drivers/base/soc.c
+@@ -146,6 +146,7 @@ struct soc_device *soc_device_register(struct soc_device_attribute *soc_dev_attr
+ out1:
+ return ERR_PTR(ret);
+ }
++EXPORT_SYMBOL_GPL(soc_device_register);
+
+ /* Ensure soc_dev->attr is freed prior to calling soc_device_unregister. */
+ void soc_device_unregister(struct soc_device *soc_dev)
+@@ -154,6 +155,7 @@ void soc_device_unregister(struct soc_device *soc_dev)
+
+ device_unregister(&soc_dev->dev);
+ }
++EXPORT_SYMBOL_GPL(soc_device_unregister);
+
+ static int __init soc_bus_register(void)
+ {
+--
+2.20.1
+
--- /dev/null
+From c9c7d9f643059132a4eddaafee85045cd24db786 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2019 17:00:33 +0800
+Subject: btrfs: extent-tree: Make sure we only allocate extents from block
+ groups with the same type
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 2a28468e525f3924efed7f29f2bc5a2926e7e19a ]
+
+[BUG]
+With fuzzed image and MIXED_GROUPS super flag, we can hit the following
+BUG_ON():
+
+ kernel BUG at fs/btrfs/delayed-ref.c:491!
+ invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 0 PID: 1849 Comm: sync Tainted: G O 5.2.0-custom #27
+ RIP: 0010:update_existing_head_ref.cold+0x44/0x46 [btrfs]
+ Call Trace:
+ add_delayed_ref_head+0x20c/0x2d0 [btrfs]
+ btrfs_add_delayed_tree_ref+0x1fc/0x490 [btrfs]
+ btrfs_free_tree_block+0x123/0x380 [btrfs]
+ __btrfs_cow_block+0x435/0x500 [btrfs]
+ btrfs_cow_block+0x110/0x240 [btrfs]
+ btrfs_search_slot+0x230/0xa00 [btrfs]
+ ? __lock_acquire+0x105e/0x1e20
+ btrfs_insert_empty_items+0x67/0xc0 [btrfs]
+ alloc_reserved_file_extent+0x9e/0x340 [btrfs]
+ __btrfs_run_delayed_refs+0x78e/0x1240 [btrfs]
+ ? kvm_clock_read+0x18/0x30
+ ? __sched_clock_gtod_offset+0x21/0x50
+ btrfs_run_delayed_refs.part.0+0x4e/0x180 [btrfs]
+ btrfs_run_delayed_refs+0x23/0x30 [btrfs]
+ btrfs_commit_transaction+0x53/0x9f0 [btrfs]
+ btrfs_sync_fs+0x7c/0x1c0 [btrfs]
+ ? __ia32_sys_fdatasync+0x20/0x20
+ sync_fs_one_sb+0x23/0x30
+ iterate_supers+0x95/0x100
+ ksys_sync+0x62/0xb0
+ __ia32_sys_sync+0xe/0x20
+ do_syscall_64+0x65/0x240
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+[CAUSE]
+This situation is caused by several factors:
+- Fuzzed image
+ The extent tree of this fs missed one backref for extent tree root.
+ So we can allocated space from that slot.
+
+- MIXED_BG feature
+ Super block has MIXED_BG flag.
+
+- No mixed block groups exists
+ All block groups are just regular ones.
+
+This makes data space_info->block_groups[] contains metadata block
+groups. And when we reserve space for data, we can use space in
+metadata block group.
+
+Then we hit the following file operations:
+
+- fallocate
+ We need to allocate data extents.
+ find_free_extent() choose to use the metadata block to allocate space
+ from, and choose the space of extent tree root, since its backref is
+ missing.
+
+ This generate one delayed ref head with is_data = 1.
+
+- extent tree update
+ We need to update extent tree at run_delayed_ref time.
+
+ This generate one delayed ref head with is_data = 0, for the same
+ bytenr of old extent tree root.
+
+Then we trigger the BUG_ON().
+
+[FIX]
+The quick fix here is to check block_group->flags before using it.
+
+The problem can only happen for MIXED_GROUPS fs. Regular filesystems
+won't have space_info with DATA|METADATA flag, and no way to hit the
+bug.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203255
+Reported-by: Jungyeon Yoon <jungyeon.yoon@gmail.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index df2bb4b61a00d..4c316ca3ee785 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -7168,6 +7168,14 @@ static noinline int find_free_extent(struct btrfs_root *orig_root,
+ */
+ if ((flags & extra) && !(block_group->flags & extra))
+ goto loop;
++
++ /*
++ * This block group has different flags than we want.
++ * It's possible that we have MIXED_GROUP flag but no
++ * block group is mixed. Just skip such block group.
++ */
++ btrfs_release_block_group(block_group, delalloc);
++ continue;
+ }
+
+ have_block_group:
+--
+2.20.1
+
--- /dev/null
+From ef259b47daea9d8d72d20459806d25feb22768a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2019 19:15:18 +0200
+Subject: dmaengine: bcm2835: Print error in case setting DMA mask fails
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit 72503b25ee363827aafffc3e8d872e6a92a7e422 ]
+
+During enabling of the RPi 4, we found out that the driver doesn't provide
+a helpful error message in case setting DMA mask fails. So add one.
+
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/1563297318-4900-1-git-send-email-wahrenst@gmx.net
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/bcm2835-dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/bcm2835-dma.c b/drivers/dma/bcm2835-dma.c
+index 996c4b00d323e..d6cdc3be03fcc 100644
+--- a/drivers/dma/bcm2835-dma.c
++++ b/drivers/dma/bcm2835-dma.c
+@@ -595,8 +595,10 @@ static int bcm2835_dma_probe(struct platform_device *pdev)
+ pdev->dev.dma_mask = &pdev->dev.coherent_dma_mask;
+
+ rc = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
+- if (rc)
++ if (rc) {
++ dev_err(&pdev->dev, "Unable to set DMA mask\n");
+ return rc;
++ }
+
+ od = devm_kzalloc(&pdev->dev, sizeof(*od), GFP_KERNEL);
+ if (!od)
+--
+2.20.1
+
--- /dev/null
+From 6f730afc1e3051f762ba79f9a266d9cdd50ee6c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2019 18:33:17 +0200
+Subject: dmaengine: iop-adma: use correct printk format strings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 00c9755524fbaa28117be774d7c92fddb5ca02f3 ]
+
+When compile-testing on other architectures, we get lots of warnings
+about incorrect format strings, like:
+
+ drivers/dma/iop-adma.c: In function 'iop_adma_alloc_slots':
+ drivers/dma/iop-adma.c:307:6: warning: format '%x' expects argument of type 'unsigned int', but argument 6 has type 'dma_addr_t {aka long long unsigned int}' [-Wformat=]
+
+ drivers/dma/iop-adma.c: In function 'iop_adma_prep_dma_memcpy':
+>> drivers/dma/iop-adma.c:518:40: warning: format '%u' expects argument of type 'unsigned int', but argument 5 has type 'size_t {aka long unsigned int}' [-Wformat=]
+
+Use %zu for printing size_t as required, and cast the dma_addr_t
+arguments to 'u64' for printing with %llx. Ideally this should use
+the %pad format string, but that requires an lvalue argument that
+doesn't work here.
+
+Link: https://lore.kernel.org/r/20190809163334.489360-3-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/iop-adma.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/dma/iop-adma.c b/drivers/dma/iop-adma.c
+index e4f43125e0fbb..a390415c97a86 100644
+--- a/drivers/dma/iop-adma.c
++++ b/drivers/dma/iop-adma.c
+@@ -126,9 +126,9 @@ static void __iop_adma_slot_cleanup(struct iop_adma_chan *iop_chan)
+ list_for_each_entry_safe(iter, _iter, &iop_chan->chain,
+ chain_node) {
+ pr_debug("\tcookie: %d slot: %d busy: %d "
+- "this_desc: %#x next_desc: %#x ack: %d\n",
++ "this_desc: %#x next_desc: %#llx ack: %d\n",
+ iter->async_tx.cookie, iter->idx, busy,
+- iter->async_tx.phys, iop_desc_get_next_desc(iter),
++ iter->async_tx.phys, (u64)iop_desc_get_next_desc(iter),
+ async_tx_test_ack(&iter->async_tx));
+ prefetch(_iter);
+ prefetch(&_iter->async_tx);
+@@ -316,9 +316,9 @@ iop_adma_alloc_slots(struct iop_adma_chan *iop_chan, int num_slots,
+ int i;
+ dev_dbg(iop_chan->device->common.dev,
+ "allocated slot: %d "
+- "(desc %p phys: %#x) slots_per_op %d\n",
++ "(desc %p phys: %#llx) slots_per_op %d\n",
+ iter->idx, iter->hw_desc,
+- iter->async_tx.phys, slots_per_op);
++ (u64)iter->async_tx.phys, slots_per_op);
+
+ /* pre-ack all but the last descriptor */
+ if (num_slots != slots_per_op)
+@@ -526,7 +526,7 @@ iop_adma_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dma_dest,
+ return NULL;
+ BUG_ON(len > IOP_ADMA_MAX_BYTE_COUNT);
+
+- dev_dbg(iop_chan->device->common.dev, "%s len: %u\n",
++ dev_dbg(iop_chan->device->common.dev, "%s len: %zu\n",
+ __func__, len);
+
+ spin_lock_bh(&iop_chan->lock);
+@@ -559,7 +559,7 @@ iop_adma_prep_dma_xor(struct dma_chan *chan, dma_addr_t dma_dest,
+ BUG_ON(len > IOP_ADMA_XOR_MAX_BYTE_COUNT);
+
+ dev_dbg(iop_chan->device->common.dev,
+- "%s src_cnt: %d len: %u flags: %lx\n",
++ "%s src_cnt: %d len: %zu flags: %lx\n",
+ __func__, src_cnt, len, flags);
+
+ spin_lock_bh(&iop_chan->lock);
+@@ -592,7 +592,7 @@ iop_adma_prep_dma_xor_val(struct dma_chan *chan, dma_addr_t *dma_src,
+ if (unlikely(!len))
+ return NULL;
+
+- dev_dbg(iop_chan->device->common.dev, "%s src_cnt: %d len: %u\n",
++ dev_dbg(iop_chan->device->common.dev, "%s src_cnt: %d len: %zu\n",
+ __func__, src_cnt, len);
+
+ spin_lock_bh(&iop_chan->lock);
+@@ -630,7 +630,7 @@ iop_adma_prep_dma_pq(struct dma_chan *chan, dma_addr_t *dst, dma_addr_t *src,
+ BUG_ON(len > IOP_ADMA_XOR_MAX_BYTE_COUNT);
+
+ dev_dbg(iop_chan->device->common.dev,
+- "%s src_cnt: %d len: %u flags: %lx\n",
++ "%s src_cnt: %d len: %zu flags: %lx\n",
+ __func__, src_cnt, len, flags);
+
+ if (dmaf_p_disabled_continue(flags))
+@@ -693,7 +693,7 @@ iop_adma_prep_dma_pq_val(struct dma_chan *chan, dma_addr_t *pq, dma_addr_t *src,
+ return NULL;
+ BUG_ON(len > IOP_ADMA_XOR_MAX_BYTE_COUNT);
+
+- dev_dbg(iop_chan->device->common.dev, "%s src_cnt: %d len: %u\n",
++ dev_dbg(iop_chan->device->common.dev, "%s src_cnt: %d len: %zu\n",
+ __func__, src_cnt, len);
+
+ spin_lock_bh(&iop_chan->lock);
+--
+2.20.1
+
--- /dev/null
+From 1547e3c7bec100d397b3d969d01d1b599e6c5fec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Aug 2019 15:56:14 +0300
+Subject: dmaengine: ti: edma: Do not reset reserved paRAM slots
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+[ Upstream commit c5dbe60664b3660f5ac5854e21273ea2e7ff698f ]
+
+Skip resetting paRAM slots marked as reserved as they might be used by
+other cores.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Link: https://lore.kernel.org/r/20190823125618.8133-2-peter.ujfalusi@ti.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/edma.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/edma.c b/drivers/dma/edma.c
+index 85674a8d04368..e508c8c5f3fde 100644
+--- a/drivers/dma/edma.c
++++ b/drivers/dma/edma.c
+@@ -2218,9 +2218,6 @@ static int edma_probe(struct platform_device *pdev)
+
+ ecc->default_queue = info->default_queue;
+
+- for (i = 0; i < ecc->num_slots; i++)
+- edma_write_slot(ecc, i, &dummy_paramset);
+-
+ if (info->rsv) {
+ /* Set the reserved slots in inuse list */
+ rsv_slots = info->rsv->rsv_slots;
+@@ -2233,6 +2230,12 @@ static int edma_probe(struct platform_device *pdev)
+ }
+ }
+
++ for (i = 0; i < ecc->num_slots; i++) {
++ /* Reset only unused - not reserved - paRAM slots */
++ if (!test_bit(i, ecc->slot_inuse))
++ edma_write_slot(ecc, i, &dummy_paramset);
++ }
++
+ /* Clear the xbar mapped channels in unused list */
+ xbar_chans = info->xbar_chans;
+ if (xbar_chans) {
+--
+2.20.1
+
--- /dev/null
+From 2390cf38cf1c681152c76a13b2ea4bdd0323b6d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2019 09:43:37 +0800
+Subject: efi: cper: print AER info of PCIe fatal error
+
+From: Xiaofei Tan <tanxiaofei@huawei.com>
+
+[ Upstream commit b194a77fcc4001dc40aecdd15d249648e8a436d1 ]
+
+AER info of PCIe fatal error is not printed in the current driver.
+Because APEI driver will panic directly for fatal error, and can't
+run to the place of printing AER info.
+
+An example log is as following:
+{763}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 11
+{763}[Hardware Error]: event severity: fatal
+{763}[Hardware Error]: Error 0, type: fatal
+{763}[Hardware Error]: section_type: PCIe error
+{763}[Hardware Error]: port_type: 0, PCIe end point
+{763}[Hardware Error]: version: 4.0
+{763}[Hardware Error]: command: 0x0000, status: 0x0010
+{763}[Hardware Error]: device_id: 0000:82:00.0
+{763}[Hardware Error]: slot: 0
+{763}[Hardware Error]: secondary_bus: 0x00
+{763}[Hardware Error]: vendor_id: 0x8086, device_id: 0x10fb
+{763}[Hardware Error]: class_code: 000002
+Kernel panic - not syncing: Fatal hardware error!
+
+This issue was imported by the patch, '37448adfc7ce ("aerdrv: Move
+cper_print_aer() call out of interrupt context")'. To fix this issue,
+this patch adds print of AER info in cper_print_pcie() for fatal error.
+
+Here is the example log after this patch applied:
+{24}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 10
+{24}[Hardware Error]: event severity: fatal
+{24}[Hardware Error]: Error 0, type: fatal
+{24}[Hardware Error]: section_type: PCIe error
+{24}[Hardware Error]: port_type: 0, PCIe end point
+{24}[Hardware Error]: version: 4.0
+{24}[Hardware Error]: command: 0x0546, status: 0x4010
+{24}[Hardware Error]: device_id: 0000:01:00.0
+{24}[Hardware Error]: slot: 0
+{24}[Hardware Error]: secondary_bus: 0x00
+{24}[Hardware Error]: vendor_id: 0x15b3, device_id: 0x1019
+{24}[Hardware Error]: class_code: 000002
+{24}[Hardware Error]: aer_uncor_status: 0x00040000, aer_uncor_mask: 0x00000000
+{24}[Hardware Error]: aer_uncor_severity: 0x00062010
+{24}[Hardware Error]: TLP Header: 000000c0 01010000 00000001 00000000
+Kernel panic - not syncing: Fatal hardware error!
+
+Fixes: 37448adfc7ce ("aerdrv: Move cper_print_aer() call out of interrupt context")
+Signed-off-by: Xiaofei Tan <tanxiaofei@huawei.com>
+Reviewed-by: James Morse <james.morse@arm.com>
+[ardb: put parens around terms of && operator]
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index d425374254384..f40f7df4b7344 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -384,6 +384,21 @@ static void cper_print_pcie(const char *pfx, const struct cper_sec_pcie *pcie,
+ printk(
+ "%s""bridge: secondary_status: 0x%04x, control: 0x%04x\n",
+ pfx, pcie->bridge.secondary_status, pcie->bridge.control);
++
++ /* Fatal errors call __ghes_panic() before AER handler prints this */
++ if ((pcie->validation_bits & CPER_PCIE_VALID_AER_INFO) &&
++ (gdata->error_severity & CPER_SEV_FATAL)) {
++ struct aer_capability_regs *aer;
++
++ aer = (struct aer_capability_regs *)pcie->aer_info;
++ printk("%saer_uncor_status: 0x%08x, aer_uncor_mask: 0x%08x\n",
++ pfx, aer->uncor_status, aer->uncor_mask);
++ printk("%saer_uncor_severity: 0x%08x\n",
++ pfx, aer->uncor_severity);
++ printk("%sTLP Header: %08x %08x %08x %08x\n", pfx,
++ aer->header_log.dw0, aer->header_log.dw1,
++ aer->header_log.dw2, aer->header_log.dw3);
++ }
+ }
+
+ static void cper_estatus_print_section(
+--
+2.20.1
+
--- /dev/null
+From 1796e7b11155d2ce5b8454ad7a211a569433925c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2019 11:01:10 +0300
+Subject: hwmon: (acpi_power_meter) Change log level for 'unsafe software power
+ cap'
+
+From: Wang Shenran <shenran268@gmail.com>
+
+[ Upstream commit 6e4d91aa071810deac2cd052161aefb376ecf04e ]
+
+At boot time, the acpi_power_meter driver logs the following error level
+message: "Ignoring unsafe software power cap". Having read about it from
+a few sources, it seems that the error message can be quite misleading.
+
+While the message can imply that Linux is ignoring the fact that the
+system is operating in potentially dangerous conditions, the truth is
+the driver found an ACPI_PMC object that supports software power
+capping. The driver simply decides not to use it, perhaps because it
+doesn't support the object.
+
+The best solution is probably changing the log level from error to warning.
+All sources I have found, regarding the error, have downplayed its
+significance. There is not much of a reason for it to be on error level,
+while causing potential confusions or misinterpretations.
+
+Signed-off-by: Wang Shenran <shenran268@gmail.com>
+Link: https://lore.kernel.org/r/20190724080110.6952-1-shenran268@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/acpi_power_meter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/acpi_power_meter.c b/drivers/hwmon/acpi_power_meter.c
+index 579bdf93be433..e27f7e12c05bb 100644
+--- a/drivers/hwmon/acpi_power_meter.c
++++ b/drivers/hwmon/acpi_power_meter.c
+@@ -693,8 +693,8 @@ static int setup_attrs(struct acpi_power_meter_resource *resource)
+
+ if (resource->caps.flags & POWER_METER_CAN_CAP) {
+ if (!can_cap_in_hardware()) {
+- dev_err(&resource->acpi_dev->dev,
+- "Ignoring unsafe software power cap!\n");
++ dev_warn(&resource->acpi_dev->dev,
++ "Ignoring unsafe software power cap!\n");
+ goto skip_unsafe_cap;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From c182ee340b8c88ea6e2d0b94e0014f3af58d4ba1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2019 15:46:33 +0800
+Subject: ia64:unwind: fix double free for mod->arch.init_unw_table
+
+From: chenzefeng <chenzefeng2@huawei.com>
+
+[ Upstream commit c5e5c48c16422521d363c33cfb0dcf58f88c119b ]
+
+The function free_module in file kernel/module.c as follow:
+
+void free_module(struct module *mod) {
+ ......
+ module_arch_cleanup(mod);
+ ......
+ module_arch_freeing_init(mod);
+ ......
+}
+
+Both module_arch_cleanup and module_arch_freeing_init function
+would free the mod->arch.init_unw_table, which cause double free.
+
+Here, set mod->arch.init_unw_table = NULL after remove the unwind
+table to avoid double free.
+
+Signed-off-by: chenzefeng <chenzefeng2@huawei.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/kernel/module.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
+index 36b2c94a8eb5d..14c7184daaf64 100644
+--- a/arch/ia64/kernel/module.c
++++ b/arch/ia64/kernel/module.c
+@@ -912,8 +912,12 @@ module_finalize (const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, struct module *mo
+ void
+ module_arch_cleanup (struct module *mod)
+ {
+- if (mod->arch.init_unw_table)
++ if (mod->arch.init_unw_table) {
+ unw_remove_unwind_table(mod->arch.init_unw_table);
+- if (mod->arch.core_unw_table)
++ mod->arch.init_unw_table = NULL;
++ }
++ if (mod->arch.core_unw_table) {
+ unw_remove_unwind_table(mod->arch.core_unw_table);
++ mod->arch.core_unw_table = NULL;
++ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 8a2afff32ff5a0c22e2b2f68ef019185470cce8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2019 20:08:21 +0900
+Subject: kprobes: Prohibit probing on BUG() and WARN() address
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit e336b4027775cb458dc713745e526fa1a1996b2a ]
+
+Since BUG() and WARN() may use a trap (e.g. UD2 on x86) to
+get the address where the BUG() has occurred, kprobes can not
+do single-step out-of-line that instruction. So prohibit
+probing on such address.
+
+Without this fix, if someone put a kprobe on WARN(), the
+kernel will crash with invalid opcode error instead of
+outputing warning message, because kernel can not find
+correct bug address.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
+Cc: David S . Miller <davem@davemloft.net>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Naveen N . Rao <naveen.n.rao@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/156750890133.19112.3393666300746167111.stgit@devnote2
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bug.h | 5 +++++
+ kernel/kprobes.c | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/bug.h b/include/linux/bug.h
+index 7f4818673c41f..581a53dfbd310 100644
+--- a/include/linux/bug.h
++++ b/include/linux/bug.h
+@@ -102,6 +102,11 @@ int is_valid_bugaddr(unsigned long addr);
+
+ #else /* !CONFIG_GENERIC_BUG */
+
++static inline void *find_bug(unsigned long bugaddr)
++{
++ return NULL;
++}
++
+ static inline enum bug_trap_type report_bug(unsigned long bug_addr,
+ struct pt_regs *regs)
+ {
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index a53998cba804c..fdde50d39a46d 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1454,7 +1454,8 @@ static int check_kprobe_address_safe(struct kprobe *p,
+ /* Ensure it is not in reserved area nor out of text */
+ if (!kernel_text_address((unsigned long) p->addr) ||
+ within_kprobe_blacklist((unsigned long) p->addr) ||
+- jump_label_text_reserved(p->addr, p->addr)) {
++ jump_label_text_reserved(p->addr, p->addr) ||
++ find_bug((unsigned long)p->addr)) {
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.20.1
+
--- /dev/null
+From a144de8f2ad632acdd9623920d656ba82a769a18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2019 14:56:06 -0700
+Subject: leds: leds-lp5562 allow firmware files up to the maximum length
+
+From: Nick Stoughton <nstoughton@logitech.com>
+
+[ Upstream commit ed2abfebb041473092b41527903f93390d38afa7 ]
+
+Firmware files are in ASCII, using 2 hex characters per byte. The
+maximum length of a firmware string is therefore
+
+16 (commands) * 2 (bytes per command) * 2 (characters per byte) = 64
+
+Fixes: ff45262a85db ("leds: add new LP5562 LED driver")
+Signed-off-by: Nick Stoughton <nstoughton@logitech.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lp5562.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/leds-lp5562.c b/drivers/leds/leds-lp5562.c
+index 0360c59dbdc91..fc8b2e7bcfef6 100644
+--- a/drivers/leds/leds-lp5562.c
++++ b/drivers/leds/leds-lp5562.c
+@@ -263,7 +263,11 @@ static void lp5562_firmware_loaded(struct lp55xx_chip *chip)
+ {
+ const struct firmware *fw = chip->fw;
+
+- if (fw->size > LP5562_PROGRAM_LENGTH) {
++ /*
++ * the firmware is encoded in ascii hex character, with 2 chars
++ * per byte
++ */
++ if (fw->size > (LP5562_PROGRAM_LENGTH * 2)) {
+ dev_err(&chip->cl->dev, "firmware data size overflow: %zu\n",
+ fw->size);
+ return;
+--
+2.20.1
+
--- /dev/null
+From 288cdcc373f05876de878092d4a00c168805e14f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jul 2019 13:31:38 +0000
+Subject: libertas: Add missing sentinel at end of if_usb.c fw_table
+
+From: Kevin Easton <kevin@guarana.org>
+
+[ Upstream commit 764f3f1ecffc434096e0a2b02f1a6cc964a89df6 ]
+
+This sentinel tells the firmware loading process when to stop.
+
+Reported-and-tested-by: syzbot+98156c174c5a2cad9f8f@syzkaller.appspotmail.com
+Signed-off-by: Kevin Easton <kevin@guarana.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/libertas/if_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/libertas/if_usb.c b/drivers/net/wireless/libertas/if_usb.c
+index dff08a2896a38..d271eaf1f9499 100644
+--- a/drivers/net/wireless/libertas/if_usb.c
++++ b/drivers/net/wireless/libertas/if_usb.c
+@@ -49,7 +49,8 @@ static const struct lbs_fw_table fw_table[] = {
+ { MODEL_8388, "libertas/usb8388_v5.bin", NULL },
+ { MODEL_8388, "libertas/usb8388.bin", NULL },
+ { MODEL_8388, "usb8388.bin", NULL },
+- { MODEL_8682, "libertas/usb8682.bin", NULL }
++ { MODEL_8682, "libertas/usb8682.bin", NULL },
++ { 0, NULL, NULL }
+ };
+
+ static struct usb_device_id if_usb_table[] = {
+--
+2.20.1
+
--- /dev/null
+From 9aa1e4b98332d76303ea955be2b776ee27bc902b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2019 16:43:15 -0400
+Subject: libtraceevent: Change users plugin directory
+
+From: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+
+[ Upstream commit e97fd1383cd77c467d2aed7fa4e596789df83977 ]
+
+To be compliant with XDG user directory layout, the user's plugin
+directory is changed from ~/.traceevent/plugins to
+~/.local/lib/traceevent/plugins/
+
+Suggested-by: Patrick McLean <chutzpah@gentoo.org>
+Signed-off-by: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Patrick McLean <chutzpah@gentoo.org>
+Cc: linux-trace-devel@vger.kernel.org
+Link: https://lore.kernel.org/linux-trace-devel/20190313144206.41e75cf8@patrickm/
+Link: http://lore.kernel.org/linux-trace-devel/20190801074959.22023-4-tz.stoyanov@gmail.com
+Link: http://lore.kernel.org/lkml/20190805204355.344622683@goodmis.org
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/traceevent/Makefile | 6 +++---
+ tools/lib/traceevent/event-plugin.c | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/traceevent/Makefile b/tools/lib/traceevent/Makefile
+index 7851df1490e0a..cc3315da6dc39 100644
+--- a/tools/lib/traceevent/Makefile
++++ b/tools/lib/traceevent/Makefile
+@@ -54,15 +54,15 @@ set_plugin_dir := 1
+
+ # Set plugin_dir to preffered global plugin location
+ # If we install under $HOME directory we go under
+-# $(HOME)/.traceevent/plugins
++# $(HOME)/.local/lib/traceevent/plugins
+ #
+ # We dont set PLUGIN_DIR in case we install under $HOME
+ # directory, because by default the code looks under:
+-# $(HOME)/.traceevent/plugins by default.
++# $(HOME)/.local/lib/traceevent/plugins by default.
+ #
+ ifeq ($(plugin_dir),)
+ ifeq ($(prefix),$(HOME))
+-override plugin_dir = $(HOME)/.traceevent/plugins
++override plugin_dir = $(HOME)/.local/lib/traceevent/plugins
+ set_plugin_dir := 0
+ else
+ override plugin_dir = $(libdir)/traceevent/plugins
+diff --git a/tools/lib/traceevent/event-plugin.c b/tools/lib/traceevent/event-plugin.c
+index a16756ae35267..5fe7889606a23 100644
+--- a/tools/lib/traceevent/event-plugin.c
++++ b/tools/lib/traceevent/event-plugin.c
+@@ -30,7 +30,7 @@
+ #include "event-parse.h"
+ #include "event-utils.h"
+
+-#define LOCAL_PLUGIN_DIR ".traceevent/plugins"
++#define LOCAL_PLUGIN_DIR ".local/lib/traceevent/plugins/"
+
+ static struct registered_plugin_options {
+ struct registered_plugin_options *next;
+--
+2.20.1
+
--- /dev/null
+From 4f0c4414307e0c09cb04c66a66be42d2b6201e51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2019 11:09:21 +0200
+Subject: md: don't call spare_active in md_reap_sync_thread if all member
+ devices can't work
+
+From: Guoqing Jiang <jgq516@gmail.com>
+
+[ Upstream commit 0d8ed0e9bf9643f27f4816dca61081784dedb38d ]
+
+When add one disk to array, the md_reap_sync_thread is responsible
+to activate the spare and set In_sync flag for the new member in
+spare_active().
+
+But if raid1 has one member disk A, and disk B is added to the array.
+Then we offline A before all the datas are synchronized from A to B,
+obviously B doesn't have the latest data as A, but B is still marked
+with In_sync flag.
+
+So let's not call spare_active under the condition, otherwise B is
+still showed with 'U' state which is not correct.
+
+Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 067af77bb729a..d1b09657c1939 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8445,7 +8445,8 @@ void md_reap_sync_thread(struct mddev *mddev)
+ /* resync has finished, collect result */
+ md_unregister_thread(&mddev->sync_thread);
+ if (!test_bit(MD_RECOVERY_INTR, &mddev->recovery) &&
+- !test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery)) {
++ !test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery) &&
++ mddev->degraded != mddev->raid_disks) {
+ /* success...*/
+ /* activate any spares */
+ if (mddev->pers->spare_active(mddev)) {
+--
+2.20.1
+
--- /dev/null
+From 0352bc02fa5b42cf59b92982ad390ede0e9ba4a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2019 11:09:20 +0200
+Subject: md: don't set In_sync if array is frozen
+
+From: Guoqing Jiang <jgq516@gmail.com>
+
+[ Upstream commit 062f5b2ae12a153644c765e7ba3b0f825427be1d ]
+
+When a disk is added to array, the following path is called in mdadm.
+
+Manage_subdevs -> sysfs_freeze_array
+ -> Manage_add
+ -> sysfs_set_str(&info, NULL, "sync_action","idle")
+
+Then from kernel side, Manage_add invokes the path (add_new_disk ->
+validate_super = super_1_validate) to set In_sync flag.
+
+Since In_sync means "device is in_sync with rest of array", and the new
+added disk need to resync thread to help the synchronization of data.
+And md_reap_sync_thread would call spare_active to set In_sync for the
+new added disk finally. So don't set In_sync if array is in frozen.
+
+Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index d1b09657c1939..d59d79b77fd69 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1667,8 +1667,15 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev)
+ if (!(le32_to_cpu(sb->feature_map) &
+ MD_FEATURE_RECOVERY_BITMAP))
+ rdev->saved_raid_disk = -1;
+- } else
+- set_bit(In_sync, &rdev->flags);
++ } else {
++ /*
++ * If the array is FROZEN, then the device can't
++ * be in_sync with rest of array.
++ */
++ if (!test_bit(MD_RECOVERY_FROZEN,
++ &mddev->recovery))
++ set_bit(In_sync, &rdev->flags);
++ }
+ rdev->raid_disk = role;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 0799a8e76cddc00095fe8d4feb888320f01cdb69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2019 21:12:41 +0800
+Subject: md/raid1: fail run raid1 array when active disk less than one
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+[ Upstream commit 07f1a6850c5d5a65c917c3165692b5179ac4cb6b ]
+
+When run test case:
+ mdadm -CR /dev/md1 -l 1 -n 4 /dev/sd[a-d] --assume-clean --bitmap=internal
+ mdadm -S /dev/md1
+ mdadm -A /dev/md1 /dev/sd[b-c] --run --force
+
+ mdadm --zero /dev/sda
+ mdadm /dev/md1 -a /dev/sda
+
+ echo offline > /sys/block/sdc/device/state
+ echo offline > /sys/block/sdb/device/state
+ sleep 5
+ mdadm -S /dev/md1
+
+ echo running > /sys/block/sdb/device/state
+ echo running > /sys/block/sdc/device/state
+ mdadm -A /dev/md1 /dev/sd[a-c] --run --force
+
+mdadm run fail with kernel message as follow:
+[ 172.986064] md: kicking non-fresh sdb from array!
+[ 173.004210] md: kicking non-fresh sdc from array!
+[ 173.022383] md/raid1:md1: active with 0 out of 4 mirrors
+[ 173.022406] md1: failed to create bitmap (-5)
+
+In fact, when active disk in raid1 array less than one, we
+need to return fail in raid1_run().
+
+Reviewed-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 82e284d2b202b..abb99515068b1 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2958,6 +2958,13 @@ static int run(struct mddev *mddev)
+ !test_bit(In_sync, &conf->mirrors[i].rdev->flags) ||
+ test_bit(Faulty, &conf->mirrors[i].rdev->flags))
+ mddev->degraded++;
++ /*
++ * RAID1 needs at least one disk in active
++ */
++ if (conf->raid_disks - mddev->degraded < 1) {
++ ret = -EINVAL;
++ goto abort;
++ }
+
+ if (conf->raid_disks - mddev->degraded == 1)
+ mddev->recovery_cp = MaxSector;
+@@ -2992,8 +2999,12 @@ static int run(struct mddev *mddev)
+ ret = md_integrity_register(mddev);
+ if (ret) {
+ md_unregister_thread(&mddev->thread);
+- raid1_free(mddev, conf);
++ goto abort;
+ }
++ return 0;
++
++abort:
++ raid1_free(mddev, conf);
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From ecf2ab00ee7f84d92be71051e8d5644b9322e768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Aug 2019 02:27:46 -0300
+Subject: media: cpia2_usb: fix memory leaks
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 1c770f0f52dca1a2323c594f01f5ec6f1dddc97f ]
+
+In submit_urbs(), 'cam->sbuf[i].data' is allocated through kmalloc_array().
+However, it is not deallocated if the following allocation for urbs fails.
+To fix this issue, free 'cam->sbuf[i].data' if usb_alloc_urb() fails.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/cpia2/cpia2_usb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c
+index 41ea00ac3a873..76b9cb940b871 100644
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -665,6 +665,10 @@ static int submit_urbs(struct camera_data *cam)
+ ERR("%s: usb_alloc_urb error!\n", __func__);
+ for (j = 0; j < i; j++)
+ usb_free_urb(cam->sbuf[j].urb);
++ for (j = 0; j < NUM_SBUF; j++) {
++ kfree(cam->sbuf[j].data);
++ cam->sbuf[j].data = NULL;
++ }
+ return -ENOMEM;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 877a8ee2a506e906a43606d46a18f36e711024a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jun 2019 08:14:53 -0400
+Subject: media: dib0700: fix link error for dibx000_i2c_set_speed
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 765bb8610d305ee488b35d07e2a04ae52fb2df9c ]
+
+When CONFIG_DVB_DIB9000 is disabled, we can still compile code that
+now fails to link against dibx000_i2c_set_speed:
+
+drivers/media/usb/dvb-usb/dib0700_devices.o: In function `dib01x0_pmu_update.constprop.7':
+dib0700_devices.c:(.text.unlikely+0x1c9c): undefined reference to `dibx000_i2c_set_speed'
+
+The call sites are both through dib01x0_pmu_update(), which gets passed
+an 'i2c' pointer from dib9000_get_i2c_master(), which has returned
+NULL. Checking this pointer seems to be a good idea anyway, and it avoids
+the link failure in most cases.
+
+Sean Young found another case that is not fixed by that, where certain
+gcc versions leave an unused function in place that causes the link error,
+but adding an explict IS_ENABLED() check also solves this.
+
+Fixes: b7f54910ce01 ("V4L/DVB (4647): Added module for DiB0700 based devices")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dib0700_devices.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c
+index 38c03283a4417..e1316c7b7c2e5 100644
+--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
+@@ -2418,9 +2418,13 @@ static int dib9090_tuner_attach(struct dvb_usb_adapter *adap)
+ 8, 0x0486,
+ };
+
++ if (!IS_ENABLED(CONFIG_DVB_DIB9000))
++ return -ENODEV;
+ if (dvb_attach(dib0090_fw_register, adap->fe_adap[0].fe, i2c, &dib9090_dib0090_config) == NULL)
+ return -ENODEV;
+ i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_1_2, 0);
++ if (!i2c)
++ return -ENODEV;
+ if (dib01x0_pmu_update(i2c, data_dib190, 10) != 0)
+ return -ENODEV;
+ dib0700_set_i2c_speed(adap->dev, 1500);
+@@ -2496,10 +2500,14 @@ static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap)
+ 0, 0x00ef,
+ 8, 0x0406,
+ };
++ if (!IS_ENABLED(CONFIG_DVB_DIB9000))
++ return -ENODEV;
+ i2c = dib9000_get_tuner_interface(adap->fe_adap[0].fe);
+ if (dvb_attach(dib0090_fw_register, adap->fe_adap[0].fe, i2c, &nim9090md_dib0090_config[0]) == NULL)
+ return -ENODEV;
+ i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_1_2, 0);
++ if (!i2c)
++ return -ENODEV;
+ if (dib01x0_pmu_update(i2c, data_dib190, 10) < 0)
+ return -ENODEV;
+
+--
+2.20.1
+
--- /dev/null
+From 263c8b938df986af42c787f9c993c9401d1424a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2019 03:38:13 -0300
+Subject: media: gspca: zero usb_buf on error
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4843a543fad3bf8221cf14e5d5f32d15cee89e84 ]
+
+If reg_r() fails, then gspca_dev->usb_buf was left uninitialized,
+and some drivers used the contents of that buffer in logic.
+
+This caused several syzbot errors:
+
+https://syzkaller.appspot.com/bug?extid=397fd082ce5143e2f67d
+https://syzkaller.appspot.com/bug?extid=1a35278dd0ebfb3a038a
+https://syzkaller.appspot.com/bug?extid=06ddf1788cfd048c5e82
+
+I analyzed the gspca drivers and zeroed the buffer where needed.
+
+Reported-and-tested-by: syzbot+1a35278dd0ebfb3a038a@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+397fd082ce5143e2f67d@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+06ddf1788cfd048c5e82@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/konica.c | 5 +++++
+ drivers/media/usb/gspca/nw80x.c | 5 +++++
+ drivers/media/usb/gspca/ov519.c | 10 ++++++++++
+ drivers/media/usb/gspca/ov534.c | 5 +++++
+ drivers/media/usb/gspca/ov534_9.c | 1 +
+ drivers/media/usb/gspca/se401.c | 5 +++++
+ drivers/media/usb/gspca/sn9c20x.c | 5 +++++
+ drivers/media/usb/gspca/sonixb.c | 5 +++++
+ drivers/media/usb/gspca/sonixj.c | 5 +++++
+ drivers/media/usb/gspca/spca1528.c | 5 +++++
+ drivers/media/usb/gspca/sq930x.c | 5 +++++
+ drivers/media/usb/gspca/sunplus.c | 5 +++++
+ drivers/media/usb/gspca/vc032x.c | 5 +++++
+ drivers/media/usb/gspca/w996Xcf.c | 5 +++++
+ 14 files changed, 71 insertions(+)
+
+diff --git a/drivers/media/usb/gspca/konica.c b/drivers/media/usb/gspca/konica.c
+index 0f6d57fbf91b7..624b4d24716dd 100644
+--- a/drivers/media/usb/gspca/konica.c
++++ b/drivers/media/usb/gspca/konica.c
+@@ -127,6 +127,11 @@ static void reg_r(struct gspca_dev *gspca_dev, u16 value, u16 index)
+ if (ret < 0) {
+ pr_err("reg_r err %d\n", ret);
+ gspca_dev->usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, 2);
+ }
+ }
+
+diff --git a/drivers/media/usb/gspca/nw80x.c b/drivers/media/usb/gspca/nw80x.c
+index 599f755e75b86..7ebeee98dc1bb 100644
+--- a/drivers/media/usb/gspca/nw80x.c
++++ b/drivers/media/usb/gspca/nw80x.c
+@@ -1584,6 +1584,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
+ if (ret < 0) {
+ pr_err("reg_r err %d\n", ret);
+ gspca_dev->usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
+ return;
+ }
+ if (len == 1)
+diff --git a/drivers/media/usb/gspca/ov519.c b/drivers/media/usb/gspca/ov519.c
+index c95f32a0c02b4..c7aafdbb57384 100644
+--- a/drivers/media/usb/gspca/ov519.c
++++ b/drivers/media/usb/gspca/ov519.c
+@@ -2116,6 +2116,11 @@ static int reg_r(struct sd *sd, u16 index)
+ } else {
+ PERR("reg_r %02x failed %d\n", index, ret);
+ sd->gspca_dev.usb_err = ret;
++ /*
++ * Make sure the result is zeroed to avoid uninitialized
++ * values.
++ */
++ gspca_dev->usb_buf[0] = 0;
+ }
+
+ return ret;
+@@ -2142,6 +2147,11 @@ static int reg_r8(struct sd *sd,
+ } else {
+ PERR("reg_r8 %02x failed %d\n", index, ret);
+ sd->gspca_dev.usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, 8);
+ }
+
+ return ret;
+diff --git a/drivers/media/usb/gspca/ov534.c b/drivers/media/usb/gspca/ov534.c
+index bfff1d1c70ab0..466f984312ddb 100644
+--- a/drivers/media/usb/gspca/ov534.c
++++ b/drivers/media/usb/gspca/ov534.c
+@@ -644,6 +644,11 @@ static u8 ov534_reg_read(struct gspca_dev *gspca_dev, u16 reg)
+ if (ret < 0) {
+ pr_err("read failed %d\n", ret);
+ gspca_dev->usb_err = ret;
++ /*
++ * Make sure the result is zeroed to avoid uninitialized
++ * values.
++ */
++ gspca_dev->usb_buf[0] = 0;
+ }
+ return gspca_dev->usb_buf[0];
+ }
+diff --git a/drivers/media/usb/gspca/ov534_9.c b/drivers/media/usb/gspca/ov534_9.c
+index 47085cf2d7236..f2dca06069355 100644
+--- a/drivers/media/usb/gspca/ov534_9.c
++++ b/drivers/media/usb/gspca/ov534_9.c
+@@ -1157,6 +1157,7 @@ static u8 reg_r(struct gspca_dev *gspca_dev, u16 reg)
+ if (ret < 0) {
+ pr_err("reg_r err %d\n", ret);
+ gspca_dev->usb_err = ret;
++ return 0;
+ }
+ return gspca_dev->usb_buf[0];
+ }
+diff --git a/drivers/media/usb/gspca/se401.c b/drivers/media/usb/gspca/se401.c
+index 5102cea504710..6adbb0eca71fe 100644
+--- a/drivers/media/usb/gspca/se401.c
++++ b/drivers/media/usb/gspca/se401.c
+@@ -115,6 +115,11 @@ static void se401_read_req(struct gspca_dev *gspca_dev, u16 req, int silent)
+ pr_err("read req failed req %#04x error %d\n",
+ req, err);
+ gspca_dev->usb_err = err;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, READ_REQ_SIZE);
+ }
+ }
+
+diff --git a/drivers/media/usb/gspca/sn9c20x.c b/drivers/media/usb/gspca/sn9c20x.c
+index d0ee899584a9f..e5bd1e84fd875 100644
+--- a/drivers/media/usb/gspca/sn9c20x.c
++++ b/drivers/media/usb/gspca/sn9c20x.c
+@@ -924,6 +924,11 @@ static void reg_r(struct gspca_dev *gspca_dev, u16 reg, u16 length)
+ if (unlikely(result < 0 || result != length)) {
+ pr_err("Read register %02x failed %d\n", reg, result);
+ gspca_dev->usb_err = result;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
+ }
+ }
+
+diff --git a/drivers/media/usb/gspca/sonixb.c b/drivers/media/usb/gspca/sonixb.c
+index 6696b2ec34e96..83e98b85ab6a1 100644
+--- a/drivers/media/usb/gspca/sonixb.c
++++ b/drivers/media/usb/gspca/sonixb.c
+@@ -466,6 +466,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
+ dev_err(gspca_dev->v4l2_dev.dev,
+ "Error reading register %02x: %d\n", value, res);
+ gspca_dev->usb_err = res;
++ /*
++ * Make sure the result is zeroed to avoid uninitialized
++ * values.
++ */
++ gspca_dev->usb_buf[0] = 0;
+ }
+ }
+
+diff --git a/drivers/media/usb/gspca/sonixj.c b/drivers/media/usb/gspca/sonixj.c
+index fd1c8706d86a8..67e23557a1a94 100644
+--- a/drivers/media/usb/gspca/sonixj.c
++++ b/drivers/media/usb/gspca/sonixj.c
+@@ -1175,6 +1175,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
+ if (ret < 0) {
+ pr_err("reg_r err %d\n", ret);
+ gspca_dev->usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
+ }
+ }
+
+diff --git a/drivers/media/usb/gspca/spca1528.c b/drivers/media/usb/gspca/spca1528.c
+index f38fd8949609f..ee93bd443df5d 100644
+--- a/drivers/media/usb/gspca/spca1528.c
++++ b/drivers/media/usb/gspca/spca1528.c
+@@ -84,6 +84,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
+ if (ret < 0) {
+ pr_err("reg_r err %d\n", ret);
+ gspca_dev->usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
+ }
+ }
+
+diff --git a/drivers/media/usb/gspca/sq930x.c b/drivers/media/usb/gspca/sq930x.c
+index e274cf19a3ea2..b236e9dcd4685 100644
+--- a/drivers/media/usb/gspca/sq930x.c
++++ b/drivers/media/usb/gspca/sq930x.c
+@@ -438,6 +438,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
+ if (ret < 0) {
+ pr_err("reg_r %04x failed %d\n", value, ret);
+ gspca_dev->usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
+ }
+ }
+
+diff --git a/drivers/media/usb/gspca/sunplus.c b/drivers/media/usb/gspca/sunplus.c
+index 46c9f2229a186..cc3e1478c5a09 100644
+--- a/drivers/media/usb/gspca/sunplus.c
++++ b/drivers/media/usb/gspca/sunplus.c
+@@ -268,6 +268,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
+ if (ret < 0) {
+ pr_err("reg_r err %d\n", ret);
+ gspca_dev->usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
+ }
+ }
+
+diff --git a/drivers/media/usb/gspca/vc032x.c b/drivers/media/usb/gspca/vc032x.c
+index b4efb2fb36fa3..5032b9d7d9bb2 100644
+--- a/drivers/media/usb/gspca/vc032x.c
++++ b/drivers/media/usb/gspca/vc032x.c
+@@ -2919,6 +2919,11 @@ static void reg_r_i(struct gspca_dev *gspca_dev,
+ if (ret < 0) {
+ pr_err("reg_r err %d\n", ret);
+ gspca_dev->usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
+ }
+ }
+ static void reg_r(struct gspca_dev *gspca_dev,
+diff --git a/drivers/media/usb/gspca/w996Xcf.c b/drivers/media/usb/gspca/w996Xcf.c
+index fb9fe2ef3a6f6..a74ac595656f7 100644
+--- a/drivers/media/usb/gspca/w996Xcf.c
++++ b/drivers/media/usb/gspca/w996Xcf.c
+@@ -139,6 +139,11 @@ static int w9968cf_read_sb(struct sd *sd)
+ } else {
+ pr_err("Read SB reg [01] failed\n");
+ sd->gspca_dev.usb_err = ret;
++ /*
++ * Make sure the buffer is zeroed to avoid uninitialized
++ * values.
++ */
++ memset(sd->gspca_dev.usb_buf, 0, 2);
+ }
+
+ udelay(W9968CF_I2C_BUS_DELAY);
+--
+2.20.1
+
--- /dev/null
+From 4b0cfa9473c171a7cc045497deb5af944b92c216 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2019 10:19:46 -0400
+Subject: media: hdpvr: Add device num check and handling
+
+From: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+
+[ Upstream commit d4a6a9537bc32811486282206ecfb7c53754b74d ]
+
+Add hdpvr device num check and error handling
+
+We need to increment the device count atomically before we checkout a
+device to make sure that we do not reach the max count, otherwise we get
+out-of-bounds errors as reported by syzbot.
+
+Reported-and-tested-by: syzbot+aac8d0d7205f112045d2@syzkaller.appspotmail.com
+
+Signed-off-by: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/hdpvr/hdpvr-core.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
+index 08f0ca7aa012e..924517b09fc9f 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -278,6 +278,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ #endif
+ size_t buffer_size;
+ int i;
++ int dev_num;
+ int retval = -ENOMEM;
+
+ /* allocate memory for our device state and initialize it */
+@@ -386,8 +387,17 @@ static int hdpvr_probe(struct usb_interface *interface,
+ }
+ #endif
+
++ dev_num = atomic_inc_return(&dev_nr);
++ if (dev_num >= HDPVR_MAX) {
++ v4l2_err(&dev->v4l2_dev,
++ "max device number reached, device register failed\n");
++ atomic_dec(&dev_nr);
++ retval = -ENODEV;
++ goto reg_fail;
++ }
++
+ retval = hdpvr_register_videodev(dev, &interface->dev,
+- video_nr[atomic_inc_return(&dev_nr)]);
++ video_nr[dev_num]);
+ if (retval < 0) {
+ v4l2_err(&dev->v4l2_dev, "registering videodev failed\n");
+ goto reg_fail;
+--
+2.20.1
+
--- /dev/null
+From f71be868b52f56e2e2c83ecb2717755f5d09583c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2019 10:00:33 -0300
+Subject: media: hdpvr: add terminating 0 at end of string
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 8b8900b729e4f31f12ac1127bde137c775c327e6 ]
+
+dev->usbc_buf was passed as argument for %s, but it was not safeguarded
+by a terminating 0.
+
+This caused this syzbot issue:
+
+https://syzkaller.appspot.com/bug?extid=79d18aac4bf1770dd050
+
+Reported-and-tested-by: syzbot+79d18aac4bf1770dd050@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/hdpvr/hdpvr-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
+index 924517b09fc9f..7b5c493f02b0a 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -143,6 +143,7 @@ static int device_authorization(struct hdpvr_device *dev)
+
+ dev->fw_ver = dev->usbc_buf[1];
+
++ dev->usbc_buf[46] = '\0';
+ v4l2_info(&dev->v4l2_dev, "firmware version 0x%x dated %s\n",
+ dev->fw_ver, &dev->usbc_buf[2]);
+
+--
+2.20.1
+
--- /dev/null
+From 3cd1305eaad4dc73d618674579ff53b3430c046f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2019 05:50:44 -0300
+Subject: media: iguanair: add sanity checks
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit ab1cbdf159beba7395a13ab70bc71180929ca064 ]
+
+The driver needs to check the endpoint types, too, as opposed
+to the number of endpoints. This also requires moving the check earlier.
+
+Reported-by: syzbot+01a77b82edaa374068e1@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/iguanair.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c
+index ee60e17fba05d..cda4ce612dcf5 100644
+--- a/drivers/media/rc/iguanair.c
++++ b/drivers/media/rc/iguanair.c
+@@ -430,6 +430,10 @@ static int iguanair_probe(struct usb_interface *intf,
+ int ret, pipein, pipeout;
+ struct usb_host_interface *idesc;
+
++ idesc = intf->altsetting;
++ if (idesc->desc.bNumEndpoints < 2)
++ return -ENODEV;
++
+ ir = kzalloc(sizeof(*ir), GFP_KERNEL);
+ rc = rc_allocate_device();
+ if (!ir || !rc) {
+@@ -444,18 +448,13 @@ static int iguanair_probe(struct usb_interface *intf,
+ ir->urb_in = usb_alloc_urb(0, GFP_KERNEL);
+ ir->urb_out = usb_alloc_urb(0, GFP_KERNEL);
+
+- if (!ir->buf_in || !ir->packet || !ir->urb_in || !ir->urb_out) {
++ if (!ir->buf_in || !ir->packet || !ir->urb_in || !ir->urb_out ||
++ !usb_endpoint_is_int_in(&idesc->endpoint[0].desc) ||
++ !usb_endpoint_is_int_out(&idesc->endpoint[1].desc)) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+- idesc = intf->altsetting;
+-
+- if (idesc->desc.bNumEndpoints < 2) {
+- ret = -ENODEV;
+- goto out;
+- }
+-
+ ir->rc = rc;
+ ir->dev = &intf->dev;
+ ir->udev = udev;
+--
+2.20.1
+
--- /dev/null
+From b82dededdc757069b8b62a6bf2557bf4abd830b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2019 11:21:27 -0300
+Subject: media: omap3isp: Don't set streaming state on random subdevs
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+[ Upstream commit 7ef57be07ac146e70535747797ef4aee0f06e9f9 ]
+
+The streaming state should be set to the first upstream sub-device only,
+not everywhere, for a sub-device driver itself knows how to best control
+the streaming state of its own upstream sub-devices.
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/isp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
+index 136ea1848701d..f41e0d08de93e 100644
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -917,6 +917,10 @@ static int isp_pipeline_enable(struct isp_pipeline *pipe,
+ s_stream, mode);
+ pipe->do_propagation = true;
+ }
++
++ /* Stop at the first external sub-device. */
++ if (subdev->dev != isp->dev)
++ break;
+ }
+
+ return 0;
+@@ -1031,6 +1035,10 @@ static int isp_pipeline_disable(struct isp_pipeline *pipe)
+ isp->crashed |= 1U << subdev->entity.id;
+ failure = -ETIMEDOUT;
+ }
++
++ /* Stop at the first external sub-device. */
++ if (subdev->dev != isp->dev)
++ break;
+ }
+
+ return failure;
+--
+2.20.1
+
--- /dev/null
+From 4b1d3ee3f3a9213a5f2a2c6937796a5f6a4649ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2019 11:19:00 -0300
+Subject: media: omap3isp: Set device on omap3isp subdevs
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+[ Upstream commit e9eb103f027725053a4b02f93d7f2858b56747ce ]
+
+The omap3isp driver registered subdevs without the dev field being set. Do
+that now.
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/ispccdc.c | 1 +
+ drivers/media/platform/omap3isp/ispccp2.c | 1 +
+ drivers/media/platform/omap3isp/ispcsi2.c | 1 +
+ drivers/media/platform/omap3isp/isppreview.c | 1 +
+ drivers/media/platform/omap3isp/ispresizer.c | 1 +
+ drivers/media/platform/omap3isp/ispstat.c | 2 ++
+ 6 files changed, 7 insertions(+)
+
+diff --git a/drivers/media/platform/omap3isp/ispccdc.c b/drivers/media/platform/omap3isp/ispccdc.c
+index a6a61cce43dda..e349f5d990b73 100644
+--- a/drivers/media/platform/omap3isp/ispccdc.c
++++ b/drivers/media/platform/omap3isp/ispccdc.c
+@@ -2603,6 +2603,7 @@ int omap3isp_ccdc_register_entities(struct isp_ccdc_device *ccdc,
+ int ret;
+
+ /* Register the subdev and video node. */
++ ccdc->subdev.dev = vdev->mdev->dev;
+ ret = v4l2_device_register_subdev(vdev, &ccdc->subdev);
+ if (ret < 0)
+ goto error;
+diff --git a/drivers/media/platform/omap3isp/ispccp2.c b/drivers/media/platform/omap3isp/ispccp2.c
+index 38e6a974c5b1e..e6b19b785c2f4 100644
+--- a/drivers/media/platform/omap3isp/ispccp2.c
++++ b/drivers/media/platform/omap3isp/ispccp2.c
+@@ -1025,6 +1025,7 @@ int omap3isp_ccp2_register_entities(struct isp_ccp2_device *ccp2,
+ int ret;
+
+ /* Register the subdev and video nodes. */
++ ccp2->subdev.dev = vdev->mdev->dev;
+ ret = v4l2_device_register_subdev(vdev, &ccp2->subdev);
+ if (ret < 0)
+ goto error;
+diff --git a/drivers/media/platform/omap3isp/ispcsi2.c b/drivers/media/platform/omap3isp/ispcsi2.c
+index a78338d012b4d..029b434b76094 100644
+--- a/drivers/media/platform/omap3isp/ispcsi2.c
++++ b/drivers/media/platform/omap3isp/ispcsi2.c
+@@ -1201,6 +1201,7 @@ int omap3isp_csi2_register_entities(struct isp_csi2_device *csi2,
+ int ret;
+
+ /* Register the subdev and video nodes. */
++ csi2->subdev.dev = vdev->mdev->dev;
+ ret = v4l2_device_register_subdev(vdev, &csi2->subdev);
+ if (ret < 0)
+ goto error;
+diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c
+index 13803270d1045..c9e8845de1b1d 100644
+--- a/drivers/media/platform/omap3isp/isppreview.c
++++ b/drivers/media/platform/omap3isp/isppreview.c
+@@ -2223,6 +2223,7 @@ int omap3isp_preview_register_entities(struct isp_prev_device *prev,
+ int ret;
+
+ /* Register the subdev and video nodes. */
++ prev->subdev.dev = vdev->mdev->dev;
+ ret = v4l2_device_register_subdev(vdev, &prev->subdev);
+ if (ret < 0)
+ goto error;
+diff --git a/drivers/media/platform/omap3isp/ispresizer.c b/drivers/media/platform/omap3isp/ispresizer.c
+index 7cfb43dc0ffd7..d4e53cbe91936 100644
+--- a/drivers/media/platform/omap3isp/ispresizer.c
++++ b/drivers/media/platform/omap3isp/ispresizer.c
+@@ -1679,6 +1679,7 @@ int omap3isp_resizer_register_entities(struct isp_res_device *res,
+ int ret;
+
+ /* Register the subdev and video nodes. */
++ res->subdev.dev = vdev->mdev->dev;
+ ret = v4l2_device_register_subdev(vdev, &res->subdev);
+ if (ret < 0)
+ goto error;
+diff --git a/drivers/media/platform/omap3isp/ispstat.c b/drivers/media/platform/omap3isp/ispstat.c
+index 94d4c295d3d00..c54c5c494b751 100644
+--- a/drivers/media/platform/omap3isp/ispstat.c
++++ b/drivers/media/platform/omap3isp/ispstat.c
+@@ -1010,6 +1010,8 @@ void omap3isp_stat_unregister_entities(struct ispstat *stat)
+ int omap3isp_stat_register_entities(struct ispstat *stat,
+ struct v4l2_device *vdev)
+ {
++ stat->subdev.dev = vdev->mdev->dev;
++
+ return v4l2_device_register_subdev(vdev, &stat->subdev);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6c52e2829351693a28caf9f5904e978fa14626a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2019 11:55:07 -0300
+Subject: media: ov9650: add a sanity check
+
+From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+
+[ Upstream commit 093347abc7a4e0490e3c962ecbde2dc272a8f708 ]
+
+As pointed by cppcheck:
+
+ [drivers/media/i2c/ov9650.c:706]: (error) Shifting by a negative value is undefined behaviour
+ [drivers/media/i2c/ov9650.c:707]: (error) Shifting by a negative value is undefined behaviour
+ [drivers/media/i2c/ov9650.c:721]: (error) Shifting by a negative value is undefined behaviour
+
+Prevent mangling with gains with invalid values.
+
+As pointed by Sylvester, this should never happen in practice,
+as min value of V4L2_CID_GAIN control is 16 (gain is always >= 16
+and m is always >= 0), but it is too hard for a static analyzer
+to get this, as the logic with validates control min/max is
+elsewhere inside V4L2 core.
+
+Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov9650.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/i2c/ov9650.c b/drivers/media/i2c/ov9650.c
+index 1ee6a5527c384..d11de02ecb63e 100644
+--- a/drivers/media/i2c/ov9650.c
++++ b/drivers/media/i2c/ov9650.c
+@@ -707,6 +707,11 @@ static int ov965x_set_gain(struct ov965x *ov965x, int auto_gain)
+ for (m = 6; m >= 0; m--)
+ if (gain >= (1 << m) * 16)
+ break;
++
++ /* Sanity check: don't adjust the gain with a negative value */
++ if (m < 0)
++ return -EINVAL;
++
+ rgain = (gain - ((1 << m) * 16)) / (1 << m);
+ rgain |= (((1 << m) - 1) << 4);
+
+--
+2.20.1
+
--- /dev/null
+From 1cad0863eba3d8f926dae1bb8b059d37e4e16e3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2019 09:40:52 -0300
+Subject: media: radio/si470x: kill urb on error
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 0d616f2a3fdbf1304db44d451d9f07008556923b ]
+
+In the probe() function radio->int_in_urb was not killed if an
+error occurred in the probe sequence. It was also missing in
+the disconnect.
+
+This caused this syzbot issue:
+
+https://syzkaller.appspot.com/bug?extid=2d4fc2a0c45ad8da7e99
+
+Reported-and-tested-by: syzbot+2d4fc2a0c45ad8da7e99@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/si470x/radio-si470x-usb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
+index 091d793f65836..c9347d5aac04f 100644
+--- a/drivers/media/radio/si470x/radio-si470x-usb.c
++++ b/drivers/media/radio/si470x/radio-si470x-usb.c
+@@ -743,7 +743,7 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
+ /* start radio */
+ retval = si470x_start_usb(radio);
+ if (retval < 0)
+- goto err_all;
++ goto err_buf;
+
+ /* set initial frequency */
+ si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
+@@ -758,6 +758,8 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
+
+ return 0;
+ err_all:
++ usb_kill_urb(radio->int_in_urb);
++err_buf:
+ kfree(radio->buffer);
+ err_ctrl:
+ v4l2_ctrl_handler_free(&radio->hdl);
+@@ -831,6 +833,7 @@ static void si470x_usb_driver_disconnect(struct usb_interface *intf)
+ mutex_lock(&radio->lock);
+ v4l2_device_disconnect(&radio->v4l2_dev);
+ video_unregister_device(&radio->videodev);
++ usb_kill_urb(radio->int_in_urb);
+ usb_set_intfdata(intf, NULL);
+ mutex_unlock(&radio->lock);
+ v4l2_device_put(&radio->v4l2_dev);
+--
+2.20.1
+
--- /dev/null
+From 30245ebdcf03b774a153e5b9ed655271f6db962c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2019 19:05:55 -0300
+Subject: media: saa7134: fix terminology around
+ saa7134_i2c_eeprom_md7134_gate()
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+[ Upstream commit 9d802222a3405599d6e1984d9324cddf592ea1f4 ]
+
+saa7134_i2c_eeprom_md7134_gate() function and the associated comment uses
+an inverted i2c gate open / closed terminology.
+Let's fix this.
+
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix alignment checkpatch warning]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7134/saa7134-i2c.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/pci/saa7134/saa7134-i2c.c b/drivers/media/pci/saa7134/saa7134-i2c.c
+index bc957528f69ff..e636fca36e3da 100644
+--- a/drivers/media/pci/saa7134/saa7134-i2c.c
++++ b/drivers/media/pci/saa7134/saa7134-i2c.c
+@@ -355,7 +355,11 @@ static struct i2c_client saa7134_client_template = {
+
+ /* ----------------------------------------------------------- */
+
+-/* On Medion 7134 reading EEPROM needs DVB-T demod i2c gate open */
++/*
++ * On Medion 7134 reading the SAA7134 chip config EEPROM needs DVB-T
++ * demod i2c gate closed due to an address clash between this EEPROM
++ * and the demod one.
++ */
+ static void saa7134_i2c_eeprom_md7134_gate(struct saa7134_dev *dev)
+ {
+ u8 subaddr = 0x7, dmdregval;
+@@ -372,14 +376,14 @@ static void saa7134_i2c_eeprom_md7134_gate(struct saa7134_dev *dev)
+
+ ret = i2c_transfer(&dev->i2c_adap, i2cgatemsg_r, 2);
+ if ((ret == 2) && (dmdregval & 0x2)) {
+- pr_debug("%s: DVB-T demod i2c gate was left closed\n",
++ pr_debug("%s: DVB-T demod i2c gate was left open\n",
+ dev->name);
+
+ data[0] = subaddr;
+ data[1] = (dmdregval & ~0x2);
+ if (i2c_transfer(&dev->i2c_adap, i2cgatemsg_w, 1) != 1)
+- pr_err("%s: EEPROM i2c gate open failure\n",
+- dev->name);
++ pr_err("%s: EEPROM i2c gate close failure\n",
++ dev->name);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 5cd53ae869749c8a24b521d36c6969e35f2a1866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Aug 2019 02:40:14 -0300
+Subject: media: saa7146: add cleanup in hexium_attach()
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 42e64117d3b4a759013f77bbcf25ab6700e55de7 ]
+
+If saa7146_register_device() fails, no cleanup is executed, leading to
+memory/resource leaks. To fix this issue, perform necessary cleanup work
+before returning the error.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7146/hexium_gemini.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
+index d4b3ce8282856..343cd75fcd8d1 100644
+--- a/drivers/media/pci/saa7146/hexium_gemini.c
++++ b/drivers/media/pci/saa7146/hexium_gemini.c
+@@ -304,6 +304,9 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
+ ret = saa7146_register_device(&hexium->video_dev, dev, "hexium gemini", VFL_TYPE_GRABBER);
+ if (ret < 0) {
+ pr_err("cannot register capture v4l2 device. skipping.\n");
++ saa7146_vv_release(dev);
++ i2c_del_adapter(&hexium->i2c_adapter);
++ kfree(hexium);
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From e42b928ce3ba2b5cb3a9695e194c7794a5ad6793 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2019 12:19:05 -0300
+Subject: media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+[ Upstream commit a10feaf8c464c3f9cfdd3a8a7ce17e1c0d498da1 ]
+
+The function at issue does not always initialize each byte allocated
+for 'b' and can therefore leak uninitialized memory to a USB device in
+the call to usb_bulk_msg()
+
+Use kzalloc() instead of kmalloc()
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+0522702e9d67142379f1@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/ttusb-dec/ttusb_dec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
+index a5de46f04247f..f9b5de7ace01c 100644
+--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
++++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
+@@ -272,7 +272,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command,
+
+ dprintk("%s\n", __func__);
+
+- b = kmalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL);
++ b = kzalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL);
+ if (!b)
+ return -ENOMEM;
+
+--
+2.20.1
+
--- /dev/null
+From f3f779b3d292f50917657001db8a6c32c8a55762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2019 07:51:14 -0400
+Subject: mmc: sdhci: Fix incorrect switch to HS mode
+
+From: Al Cooper <alcooperx@gmail.com>
+
+[ Upstream commit c894e33ddc1910e14d6f2a2016f60ab613fd8b37 ]
+
+When switching from any MMC speed mode that requires 1.8v
+(HS200, HS400 and HS400ES) to High Speed (HS) mode, the system
+ends up configured for SDR12 with a 50MHz clock which is an illegal
+mode.
+
+This happens because the SDHCI_CTRL_VDD_180 bit in the
+SDHCI_HOST_CONTROL2 register is left set and when this bit is
+set, the speed mode is controlled by the SDHCI_CTRL_UHS field
+in the SDHCI_HOST_CONTROL2 register. The SDHCI_CTRL_UHS field
+will end up being set to 0 (SDR12) by sdhci_set_uhs_signaling()
+because there is no UHS mode being set.
+
+The fix is to change sdhci_set_uhs_signaling() to set the
+SDHCI_CTRL_UHS field to SDR25 (which is the same as HS) for
+any switch to HS mode.
+
+This was found on a new eMMC controller that does strict checking
+of the speed mode and the corresponding clock rate. It caused the
+switch to HS400 mode to fail because part of the sequence to switch
+to HS400 requires a switch from HS200 to HS before going to HS400.
+
+Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Al Cooper <alcooperx@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
+index 62d37d2ac557b..1d6dfde1104d1 100644
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1452,7 +1452,9 @@ void sdhci_set_uhs_signaling(struct sdhci_host *host, unsigned timing)
+ ctrl_2 |= SDHCI_CTRL_UHS_SDR104;
+ else if (timing == MMC_TIMING_UHS_SDR12)
+ ctrl_2 |= SDHCI_CTRL_UHS_SDR12;
+- else if (timing == MMC_TIMING_UHS_SDR25)
++ else if (timing == MMC_TIMING_SD_HS ||
++ timing == MMC_TIMING_MMC_HS ||
++ timing == MMC_TIMING_UHS_SDR25)
+ ctrl_2 |= SDHCI_CTRL_UHS_SDR25;
+ else if (timing == MMC_TIMING_UHS_SDR50)
+ ctrl_2 |= SDHCI_CTRL_UHS_SDR50;
+--
+2.20.1
+
--- /dev/null
+From 38f47a06fe0ad0fd5d2b93b62ae1d9ad6690f91c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2019 16:40:35 +0200
+Subject: net: lpc-enet: fix printk format strings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit de6f97b2bace0e2eb6c3a86e124d1e652a587b56 ]
+
+compile-testing this driver on other architectures showed
+multiple warnings:
+
+ drivers/net/ethernet/nxp/lpc_eth.c: In function 'lpc_eth_drv_probe':
+ drivers/net/ethernet/nxp/lpc_eth.c:1337:19: warning: format '%d' expects argument of type 'int', but argument 4 has type 'resource_size_t {aka long long unsigned int}' [-Wformat=]
+
+ drivers/net/ethernet/nxp/lpc_eth.c:1342:19: warning: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'dma_addr_t {aka long long unsigned int}' [-Wformat=]
+
+Use format strings that work on all architectures.
+
+Link: https://lore.kernel.org/r/20190809144043.476786-10-arnd@arndb.de
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/nxp/lpc_eth.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
+index 057665180f13f..ba14bad81a21f 100644
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -1417,13 +1417,14 @@ static int lpc_eth_drv_probe(struct platform_device *pdev)
+ pldat->dma_buff_base_p = dma_handle;
+
+ netdev_dbg(ndev, "IO address space :%pR\n", res);
+- netdev_dbg(ndev, "IO address size :%d\n", resource_size(res));
++ netdev_dbg(ndev, "IO address size :%zd\n",
++ (size_t)resource_size(res));
+ netdev_dbg(ndev, "IO address (mapped) :0x%p\n",
+ pldat->net_base);
+ netdev_dbg(ndev, "IRQ number :%d\n", ndev->irq);
+- netdev_dbg(ndev, "DMA buffer size :%d\n", pldat->dma_buff_size);
+- netdev_dbg(ndev, "DMA buffer P address :0x%08x\n",
+- pldat->dma_buff_base_p);
++ netdev_dbg(ndev, "DMA buffer size :%zd\n", pldat->dma_buff_size);
++ netdev_dbg(ndev, "DMA buffer P address :%pad\n",
++ &pldat->dma_buff_base_p);
+ netdev_dbg(ndev, "DMA buffer V address :0x%p\n",
+ pldat->dma_buff_base_v);
+
+@@ -1470,8 +1471,8 @@ static int lpc_eth_drv_probe(struct platform_device *pdev)
+ if (ret)
+ goto err_out_unregister_netdev;
+
+- netdev_info(ndev, "LPC mac at 0x%08x irq %d\n",
+- res->start, ndev->irq);
++ netdev_info(ndev, "LPC mac at 0x%08lx irq %d\n",
++ (unsigned long)res->start, ndev->irq);
+
+ phydev = pldat->phy_dev;
+
+--
+2.20.1
+
--- /dev/null
+From 83c7edbda570f3a7bf375e0b812c1603ceffbd84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2019 08:34:55 +0200
+Subject: sched/core: Fix CPU controller for !RT_GROUP_SCHED
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit a07db5c0865799ebed1f88be0df50c581fb65029 ]
+
+On !CONFIG_RT_GROUP_SCHED configurations it is currently not possible to
+move RT tasks between cgroups to which CPU controller has been attached;
+but it is oddly possible to first move tasks around and then make them
+RT (setschedule to FIFO/RR).
+
+E.g.:
+
+ # mkdir /sys/fs/cgroup/cpu,cpuacct/group1
+ # chrt -fp 10 $$
+ # echo $$ > /sys/fs/cgroup/cpu,cpuacct/group1/tasks
+ bash: echo: write error: Invalid argument
+ # chrt -op 0 $$
+ # echo $$ > /sys/fs/cgroup/cpu,cpuacct/group1/tasks
+ # chrt -fp 10 $$
+ # cat /sys/fs/cgroup/cpu,cpuacct/group1/tasks
+ 2345
+ 2598
+ # chrt -p 2345
+ pid 2345's current scheduling policy: SCHED_FIFO
+ pid 2345's current scheduling priority: 10
+
+Also, as Michal noted, it is currently not possible to enable CPU
+controller on unified hierarchy with !CONFIG_RT_GROUP_SCHED (if there
+are any kernel RT threads in root cgroup, they can't be migrated to the
+newly created CPU controller's root in cgroup_update_dfl_csses()).
+
+Existing code comes with a comment saying the "we don't support RT-tasks
+being in separate groups". Such comment is however stale and belongs to
+pre-RT_GROUP_SCHED times. Also, it doesn't make much sense for
+!RT_GROUP_ SCHED configurations, since checks related to RT bandwidth
+are not performed at all in these cases.
+
+Make moving RT tasks between CPU controller groups viable by removing
+special case check for RT (and DEADLINE) tasks.
+
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: lizefan@huawei.com
+Cc: longman@redhat.com
+Cc: luca.abeni@santannapisa.it
+Cc: rostedt@goodmis.org
+Link: https://lkml.kernel.org/r/20190719063455.27328-1-juri.lelli@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 0e70bfeded7fd..d81bcc6362fff 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8339,10 +8339,6 @@ static int cpu_cgroup_can_attach(struct cgroup_taskset *tset)
+ #ifdef CONFIG_RT_GROUP_SCHED
+ if (!sched_rt_can_attach(css_tg(css), task))
+ return -EINVAL;
+-#else
+- /* We don't support RT-tasks being in separate groups */
+- if (task->sched_class != &fair_sched_class)
+- return -EINVAL;
+ #endif
+ }
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 13c7eea970fc006f8690acb67a189c53f251a0cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2019 17:47:02 +0200
+Subject: sched/fair: Fix imbalance due to CPU affinity
+
+From: Vincent Guittot <vincent.guittot@linaro.org>
+
+[ Upstream commit f6cad8df6b30a5d2bbbd2e698f74b4cafb9fb82b ]
+
+The load_balance() has a dedicated mecanism to detect when an imbalance
+is due to CPU affinity and must be handled at parent level. In this case,
+the imbalance field of the parent's sched_group is set.
+
+The description of sg_imbalanced() gives a typical example of two groups
+of 4 CPUs each and 4 tasks each with a cpumask covering 1 CPU of the first
+group and 3 CPUs of the second group. Something like:
+
+ { 0 1 2 3 } { 4 5 6 7 }
+ * * * *
+
+But the load_balance fails to fix this UC on my octo cores system
+made of 2 clusters of quad cores.
+
+Whereas the load_balance is able to detect that the imbalanced is due to
+CPU affinity, it fails to fix it because the imbalance field is cleared
+before letting parent level a chance to run. In fact, when the imbalance is
+detected, the load_balance reruns without the CPU with pinned tasks. But
+there is no other running tasks in the situation described above and
+everything looks balanced this time so the imbalance field is immediately
+cleared.
+
+The imbalance field should not be cleared if there is no other task to move
+when the imbalance is detected.
+
+Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/1561996022-28829-1-git-send-email-vincent.guittot@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 19d735ab44db4..cd2fb8384fbe3 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -7313,9 +7313,10 @@ static int load_balance(int this_cpu, struct rq *this_rq,
+ out_balanced:
+ /*
+ * We reach balance although we may have faced some affinity
+- * constraints. Clear the imbalance flag if it was set.
++ * constraints. Clear the imbalance flag only if other tasks got
++ * a chance to move and fix the imbalance.
+ */
+- if (sd_parent) {
++ if (sd_parent && !(env.flags & LBF_ALL_PINNED)) {
+ int *group_imbalance = &sd_parent->groups->sgc->imbalance;
+
+ if (*group_imbalance)
+--
+2.20.1
+
ax25-enforce-cap_net_raw-for-raw-sockets.patch
ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
nfc-enforce-cap_net_raw-for-raw-sockets.patch
+alsa-hda-flush-interrupts-on-disabling.patch
+asoc-sgtl5000-fix-charge-pump-source-assignment.patch
+dmaengine-bcm2835-print-error-in-case-setting-dma-ma.patch
+leds-leds-lp5562-allow-firmware-files-up-to-the-maxi.patch
+media-dib0700-fix-link-error-for-dibx000_i2c_set_spe.patch
+media-hdpvr-add-device-num-check-and-handling.patch
+sched-fair-fix-imbalance-due-to-cpu-affinity.patch
+sched-core-fix-cpu-controller-for-rt_group_sched.patch
+x86-reboot-always-use-nmi-fallback-when-shutdown-via.patch
+x86-apic-soft-disable-apic-before-initializing-it.patch
+alsa-hda-show-the-fatal-corb-rirb-error-more-clearly.patch
+alsa-i2c-ak4xxx-adda-fix-a-possible-null-pointer-der.patch
+media-iguanair-add-sanity-checks.patch
+base-soc-export-soc_device_register-unregister-apis.patch
+alsa-usb-audio-skip-bsynchaddress-endpoint-check-if-.patch
+ia64-unwind-fix-double-free-for-mod-arch.init_unw_ta.patch
+md-don-t-call-spare_active-in-md_reap_sync_thread-if.patch
+md-don-t-set-in_sync-if-array-is-frozen.patch
+efi-cper-print-aer-info-of-pcie-fatal-error.patch
+media-gspca-zero-usb_buf-on-error.patch
+dmaengine-iop-adma-use-correct-printk-format-strings.patch
+media-omap3isp-don-t-set-streaming-state-on-random-s.patch
+net-lpc-enet-fix-printk-format-strings.patch
+media-radio-si470x-kill-urb-on-error.patch
+media-hdpvr-add-terminating-0-at-end-of-string.patch
+media-saa7146-add-cleanup-in-hexium_attach.patch
+media-cpia2_usb-fix-memory-leaks.patch
+media-saa7134-fix-terminology-around-saa7134_i2c_eep.patch
+media-ov9650-add-a-sanity-check.patch
+acpi-cppc-do-not-require-the-_psd-method.patch
+libtraceevent-change-users-plugin-directory.patch
+acpi-custom_method-fix-memory-leaks.patch
+hwmon-acpi_power_meter-change-log-level-for-unsafe-s.patch
+md-raid1-fail-run-raid1-array-when-active-disk-less-.patch
+dmaengine-ti-edma-do-not-reset-reserved-param-slots.patch
+kprobes-prohibit-probing-on-bug-and-warn-address.patch
+asoc-dmaengine-make-the-pcm-name-equal-to-pcm-id-if-.patch
+mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch
+libertas-add-missing-sentinel-at-end-of-if_usb.c-fw_.patch
+media-ttusb-dec-fix-info-leak-in-ttusb_dec_send_comm.patch
+alsa-hda-realtek-blacklist-pc-beep-for-lenovo-thinkc.patch
+btrfs-extent-tree-make-sure-we-only-allocate-extents.patch
+media-omap3isp-set-device-on-omap3isp-subdevs.patch
--- /dev/null
+From 1bb3e0cc416fccade4cad173d1b308a567f0bd45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2019 20:47:08 +0200
+Subject: x86/apic: Soft disable APIC before initializing it
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 2640da4cccf5cc613bf26f0998b9e340f4b5f69c ]
+
+If the APIC was already enabled on entry of setup_local_APIC() then
+disabling it soft via the SPIV register makes a lot of sense.
+
+That masks all LVT entries and brings it into a well defined state.
+
+Otherwise previously enabled LVTs which are not touched in the setup
+function stay unmasked and might surprise the just booting kernel.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20190722105219.068290579@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/apic.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 834d1b5b43557..be3d4dcf3a10a 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1265,6 +1265,14 @@ void setup_local_APIC(void)
+ return;
+ }
+
++ /*
++ * If this comes from kexec/kcrash the APIC might be enabled in
++ * SPIV. Soft disable it before doing further initialization.
++ */
++ value = apic_read(APIC_SPIV);
++ value &= ~APIC_SPIV_APIC_ENABLED;
++ apic_write(APIC_SPIV, value);
++
+ #ifdef CONFIG_X86_32
+ /* Pound the ESR really hard over the head with a big hammer - mbligh */
+ if (lapic_is_integrated() && apic->disable_esr) {
+--
+2.20.1
+
--- /dev/null
+From ab28a53ea62fdc562301714f17cfbaf68e4cb609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jun 2019 14:28:13 +0200
+Subject: x86/reboot: Always use NMI fallback when shutdown via reboot vector
+ IPI fails
+
+From: Grzegorz Halat <ghalat@redhat.com>
+
+[ Upstream commit 747d5a1bf293dcb33af755a6d285d41b8c1ea010 ]
+
+A reboot request sends an IPI via the reboot vector and waits for all other
+CPUs to stop. If one or more CPUs are in critical regions with interrupts
+disabled then the IPI is not handled on those CPUs and the shutdown hangs
+if native_stop_other_cpus() is called with the wait argument set.
+
+Such a situation can happen when one CPU was stopped within a lock held
+section and another CPU is trying to acquire that lock with interrupts
+disabled. There are other scenarios which can cause such a lockup as well.
+
+In theory the shutdown should be attempted by an NMI IPI after the timeout
+period elapsed. Though the wait loop after sending the reboot vector IPI
+prevents this. It checks the wait request argument and the timeout. If wait
+is set, which is true for sys_reboot() then it won't fall through to the
+NMI shutdown method after the timeout period has finished.
+
+This was an oversight when the NMI shutdown mechanism was added to handle
+the 'reboot IPI is not working' situation. The mechanism was added to deal
+with stuck panic shutdowns, which do not have the wait request set, so the
+'wait request' case was probably not considered.
+
+Remove the wait check from the post reboot vector IPI wait loop and enforce
+that the wait loop in the NMI fallback path is invoked even if NMI IPIs are
+disabled or the registration of the NMI handler fails. That second wait
+loop will then hang if not all CPUs shutdown and the wait argument is set.
+
+[ tglx: Avoid the hard to parse line break in the NMI fallback path,
+ add comments and massage the changelog ]
+
+Fixes: 7d007d21e539 ("x86/reboot: Use NMI to assist in shutting down if IRQ fails")
+Signed-off-by: Grzegorz Halat <ghalat@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Don Zickus <dzickus@redhat.com>
+Link: https://lkml.kernel.org/r/20190628122813.15500-1-ghalat@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/smp.c | 46 +++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 19 deletions(-)
+
+diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
+index 12c8286206ce2..6a0ba9d09b0ed 100644
+--- a/arch/x86/kernel/smp.c
++++ b/arch/x86/kernel/smp.c
+@@ -176,6 +176,12 @@ asmlinkage __visible void smp_reboot_interrupt(void)
+ irq_exit();
+ }
+
++static int register_stop_handler(void)
++{
++ return register_nmi_handler(NMI_LOCAL, smp_stop_nmi_callback,
++ NMI_FLAG_FIRST, "smp_stop");
++}
++
+ static void native_stop_other_cpus(int wait)
+ {
+ unsigned long flags;
+@@ -209,39 +215,41 @@ static void native_stop_other_cpus(int wait)
+ apic->send_IPI_allbutself(REBOOT_VECTOR);
+
+ /*
+- * Don't wait longer than a second if the caller
+- * didn't ask us to wait.
++ * Don't wait longer than a second for IPI completion. The
++ * wait request is not checked here because that would
++ * prevent an NMI shutdown attempt in case that not all
++ * CPUs reach shutdown state.
+ */
+ timeout = USEC_PER_SEC;
+- while (num_online_cpus() > 1 && (wait || timeout--))
++ while (num_online_cpus() > 1 && timeout--)
+ udelay(1);
+ }
+-
+- /* if the REBOOT_VECTOR didn't work, try with the NMI */
+- if ((num_online_cpus() > 1) && (!smp_no_nmi_ipi)) {
+- if (register_nmi_handler(NMI_LOCAL, smp_stop_nmi_callback,
+- NMI_FLAG_FIRST, "smp_stop"))
+- /* Note: we ignore failures here */
+- /* Hope the REBOOT_IRQ is good enough */
+- goto finish;
+-
+- /* sync above data before sending IRQ */
+- wmb();
+
+- pr_emerg("Shutting down cpus with NMI\n");
++ /* if the REBOOT_VECTOR didn't work, try with the NMI */
++ if (num_online_cpus() > 1) {
++ /*
++ * If NMI IPI is enabled, try to register the stop handler
++ * and send the IPI. In any case try to wait for the other
++ * CPUs to stop.
++ */
++ if (!smp_no_nmi_ipi && !register_stop_handler()) {
++ /* Sync above data before sending IRQ */
++ wmb();
+
+- apic->send_IPI_allbutself(NMI_VECTOR);
++ pr_emerg("Shutting down cpus with NMI\n");
+
++ apic->send_IPI_allbutself(NMI_VECTOR);
++ }
+ /*
+- * Don't wait longer than a 10 ms if the caller
+- * didn't ask us to wait.
++ * Don't wait longer than 10 ms if the caller didn't
++ * reqeust it. If wait is true, the machine hangs here if
++ * one or more CPUs do not reach shutdown state.
+ */
+ timeout = USEC_PER_MSEC * 10;
+ while (num_online_cpus() > 1 && (wait || timeout--))
+ udelay(1);
+ }
+
+-finish:
+ local_irq_save(flags);
+ disable_local_APIC();
+ mcheck_cpu_clear(this_cpu_ptr(&cpu_info));
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
