--- /dev/null
+From 5cd4bd2b270c10a79143e42e7c5d3c0678ac1c22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 10:38:56 +0200
+Subject: ALSA: seq: oss: Avoid mutex lock for a long-time ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 2759caad2600d503c3b0ed800e7e03d2cd7a4c05 ]
+
+Recently we applied a fix to cover the whole OSS sequencer ioctls with
+the mutex for dealing with the possible races. This works fine in
+general, but in theory, this may lead to unexpectedly long stall if an
+ioctl like SNDCTL_SEQ_SYNC is issued and an event with the far future
+timestamp was queued.
+
+For fixing such a potential stall, this patch changes the mutex lock
+applied conditionally excluding such an ioctl command. Also, change
+the mutex_lock() with the interruptible version for user to allow
+escaping from the big-hammer mutex.
+
+Fixes: 80982c7e834e ("ALSA: seq: oss: Serialize ioctls")
+Suggested-by: Pavel Machek <pavel@ucw.cz>
+Link: https://lore.kernel.org/r/20200922083856.28572-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/oss/seq_oss.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c
+index 4b78979599131..ade880fe24a41 100644
+--- a/sound/core/seq/oss/seq_oss.c
++++ b/sound/core/seq/oss/seq_oss.c
+@@ -187,9 +187,12 @@ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ if (snd_BUG_ON(!dp))
+ return -ENXIO;
+
+- mutex_lock(®ister_mutex);
++ if (cmd != SNDCTL_SEQ_SYNC &&
++ mutex_lock_interruptible(®ister_mutex))
++ return -ERESTARTSYS;
+ rc = snd_seq_oss_ioctl(dp, cmd, arg);
+- mutex_unlock(®ister_mutex);
++ if (cmd != SNDCTL_SEQ_SYNC)
++ mutex_unlock(®ister_mutex);
+ return rc;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From c4712c5bcd349cfe3325898678952ca8e1e12043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 14:46:52 +0300
+Subject: arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+[ Upstream commit 63bcf87cb1c57956e1179f1a78dde625c7e3cba7 ]
+
+When ARC_SOC_HSDK is enabled and RESET_CONTROLLER is disabled, it results
+in the following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for RESET_HSDK
+ Depends on [n]: RESET_CONTROLLER [=n] && HAS_IOMEM [=y] && (ARC_SOC_HSDK [=y] || COMPILE_TEST [=n])
+ Selected by [y]:
+ - ARC_SOC_HSDK [=y] && ISA_ARCV2 [=y]
+
+The reason is that ARC_SOC_HSDK selects RESET_HSDK without depending on or
+selecting RESET_CONTROLLER while RESET_HSDK is subordinate to
+RESET_CONTROLLER.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Fixes: a528629dfd3b ("ARC: [plat-hsdk] select CONFIG_RESET_HSDK from Kconfig")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/plat-hsdk/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arc/plat-hsdk/Kconfig b/arch/arc/plat-hsdk/Kconfig
+index 8fb1600b29b76..e5f65a044c7b9 100644
+--- a/arch/arc/plat-hsdk/Kconfig
++++ b/arch/arc/plat-hsdk/Kconfig
+@@ -11,4 +11,5 @@ menuconfig ARC_SOC_HSDK
+ select ARC_HAS_ACCL_REGS
+ select ARC_IRQ_NO_AUTOSAVE
+ select CLK_HSDK
++ select RESET_CONTROLLER
+ select RESET_HSDK
+--
+2.25.1
+
--- /dev/null
+From 598ba926a7b8fc24efbec7e9a79753d1d64e3631 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 16:58:06 +0100
+Subject: ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT
+ values
+
+From: Guillaume Tucker <guillaume.tucker@collabora.com>
+
+[ Upstream commit 8e007b367a59bcdf484c81f6df9bd5a4cc179ca6 ]
+
+The L310_PREFETCH_CTRL register bits 28 and 29 to enable data and
+instruction prefetch respectively can also be accessed via the
+L2X0_AUX_CTRL register. They appear to be actually wired together in
+hardware between the registers. Changing them in the prefetch
+register only will get undone when restoring the aux control register
+later on. For this reason, set these bits in both registers during
+initialisation according to the devicetree property values.
+
+Link: https://lore.kernel.org/lkml/76f2f3ad5e77e356e0a5b99ceee1e774a2842c25.1597061474.git.guillaume.tucker@collabora.com/
+
+Fixes: ec3bd0e68a67 ("ARM: 8391/1: l2c: add options to overwrite prefetching behavior")
+Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/cache-l2x0.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
+index 808efbb89b88c..02f613def40dc 100644
+--- a/arch/arm/mm/cache-l2x0.c
++++ b/arch/arm/mm/cache-l2x0.c
+@@ -1261,20 +1261,28 @@ static void __init l2c310_of_parse(const struct device_node *np,
+
+ ret = of_property_read_u32(np, "prefetch-data", &val);
+ if (ret == 0) {
+- if (val)
++ if (val) {
+ prefetch |= L310_PREFETCH_CTRL_DATA_PREFETCH;
+- else
++ *aux_val |= L310_PREFETCH_CTRL_DATA_PREFETCH;
++ } else {
+ prefetch &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
++ *aux_val &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
++ }
++ *aux_mask &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
+ } else if (ret != -EINVAL) {
+ pr_err("L2C-310 OF prefetch-data property value is missing\n");
+ }
+
+ ret = of_property_read_u32(np, "prefetch-instr", &val);
+ if (ret == 0) {
+- if (val)
++ if (val) {
+ prefetch |= L310_PREFETCH_CTRL_INSTR_PREFETCH;
+- else
++ *aux_val |= L310_PREFETCH_CTRL_INSTR_PREFETCH;
++ } else {
+ prefetch &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
++ *aux_val &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
++ }
++ *aux_mask &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
+ } else if (ret != -EINVAL) {
+ pr_err("L2C-310 OF prefetch-instr property value is missing\n");
+ }
+--
+2.25.1
+
--- /dev/null
+From 97563cfabdbcb2d8f5ca4dc6fe6d7f6bb6812145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 16:53:17 +0300
+Subject: ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+[ Upstream commit 55f6c9931f7c32f19cf221211f099dfd8dab3af9 ]
+
+The PPI interrupts for cortex-a9 were incorrectly specified, fix them.
+
+Fixes: fdfe7f4f9d85 ("ARM: dts: Add Actions Semi S500 and LeMaker Guitar")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Reviewed-by: Peter Korsgaard <peter@korsgaard.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/owl-s500.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/owl-s500.dtsi b/arch/arm/boot/dts/owl-s500.dtsi
+index 51a48741d4c01..2557ce026add2 100644
+--- a/arch/arm/boot/dts/owl-s500.dtsi
++++ b/arch/arm/boot/dts/owl-s500.dtsi
+@@ -82,21 +82,21 @@ scu: scu@b0020000 {
+ global_timer: timer@b0020200 {
+ compatible = "arm,cortex-a9-global-timer";
+ reg = <0xb0020200 0x100>;
+- interrupts = <GIC_PPI 0 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
++ interrupts = <GIC_PPI 11 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
+ status = "disabled";
+ };
+
+ twd_timer: timer@b0020600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0xb0020600 0x20>;
+- interrupts = <GIC_PPI 2 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
++ interrupts = <GIC_PPI 13 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
+ status = "disabled";
+ };
+
+ twd_wdt: wdt@b0020620 {
+ compatible = "arm,cortex-a9-twd-wdt";
+ reg = <0xb0020620 0xe0>;
+- interrupts = <GIC_PPI 3 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
++ interrupts = <GIC_PPI 14 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
+ status = "disabled";
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 5c311be176f39ede6fc8ee533bf670cae03b0333 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 09:12:11 +0200
+Subject: arm64: dts: qcom: msm8916: Fix MDP/DSI interrupts
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit 027cca9eb5b450c3f6bb916ba999144c2ec23cb7 ]
+
+The mdss node sets #interrupt-cells = <1>, so its interrupts
+should be referenced using a single cell (in this case: only the
+interrupt number).
+
+However, right now the mdp/dsi node both have two interrupt cells
+set, e.g. interrupts = <4 0>. The 0 is probably meant to say
+IRQ_TYPE_NONE (= 0), but with #interrupt-cells = <1> this is
+actually interpreted as a second interrupt line.
+
+Remove the IRQ flags from both interrupts to fix this.
+
+Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200915071221.72895-5-stephan@gerhold.net
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index 3cc449425a038..02b7a44f790b5 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -818,7 +818,7 @@ mdp: mdp@1a01000 {
+ reg-names = "mdp_phys";
+
+ interrupt-parent = <&mdss>;
+- interrupts = <0 0>;
++ interrupts = <0>;
+
+ clocks = <&gcc GCC_MDSS_AHB_CLK>,
+ <&gcc GCC_MDSS_AXI_CLK>,
+@@ -850,7 +850,7 @@ dsi0: dsi@1a98000 {
+ reg-names = "dsi_ctrl";
+
+ interrupt-parent = <&mdss>;
+- interrupts = <4 0>;
++ interrupts = <4>;
+
+ assigned-clocks = <&gcc BYTE0_CLK_SRC>,
+ <&gcc PCLK0_CLK_SRC>;
+--
+2.25.1
+
--- /dev/null
+From 0d3fa277fbabd9dae4ae19d4d1c824dde8239337 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 10:59:14 +0200
+Subject: arm64: dts: zynqmp: Remove additional compatible string for i2c IPs
+
+From: Michal Simek <michal.simek@xilinx.com>
+
+[ Upstream commit 35292518cb0a626fcdcabf739aed75060a018ab5 ]
+
+DT binding permits only one compatible string which was decribed in past by
+commit 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq
+Ultrascale+ MPSoC").
+The commit aea37006e183 ("dt-bindings: i2c: cadence: Migrate i2c-cadence
+documentation to YAML") has converted binding to yaml and the following
+issues is reported:
+...: i2c@ff030000: compatible: Additional items are not allowed
+('cdns,i2c-r1p10' was unexpected)
+ From schema:
+.../Documentation/devicetree/bindings/i2c/cdns,i2c-r1p10.yaml fds
+...: i2c@ff030000: compatible: ['cdns,i2c-r1p14', 'cdns,i2c-r1p10'] is too
+long
+
+The commit c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string")
+has added the second compatible string but without removing origin one.
+The patch is only keeping one compatible string "cdns,i2c-r1p14".
+
+Fixes: c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string")
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Link: https://lore.kernel.org/r/cc294ae1a79ef845af6809ddb4049f0c0f5bb87a.1598259551.git.michal.simek@xilinx.com
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
+index 7665fbddff280..0531843117f46 100644
+--- a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
++++ b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
+@@ -410,7 +410,7 @@ gpio: gpio@ff0a0000 {
+ };
+
+ i2c0: i2c@ff020000 {
+- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10";
++ compatible = "cdns,i2c-r1p14";
+ status = "disabled";
+ interrupt-parent = <&gic>;
+ interrupts = <0 17 4>;
+@@ -420,7 +420,7 @@ i2c0: i2c@ff020000 {
+ };
+
+ i2c1: i2c@ff030000 {
+- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10";
++ compatible = "cdns,i2c-r1p14";
+ status = "disabled";
+ interrupt-parent = <&gic>;
+ interrupts = <0 18 4>;
+--
+2.25.1
+
--- /dev/null
+From dbb21b4bb0d7a7b460ca76ad035e94aeb7fd3720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 16:23:02 +0530
+Subject: ASoC: qcom: lpass-cpu: fix concurrency issue
+
+From: Rohit kumar <rohitkr@codeaurora.org>
+
+[ Upstream commit 753a6e17942f6f425ca622e1610625998312ad89 ]
+
+i2sctl register value is set to 0 during hw_free(). This
+impacts any ongoing concurrent session on the same i2s
+port. As trigger() stop already resets enable bit to 0,
+there is no need of explicit hw_free. Removing it to
+fix the issue.
+
+Fixes: 80beab8e1d86 ("ASoC: qcom: Add LPASS CPU DAI driver")
+Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/1597402388-14112-7-git-send-email-rohitkr@codeaurora.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/lpass-cpu.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/sound/soc/qcom/lpass-cpu.c b/sound/soc/qcom/lpass-cpu.c
+index 292b103abada9..475579a9830a3 100644
+--- a/sound/soc/qcom/lpass-cpu.c
++++ b/sound/soc/qcom/lpass-cpu.c
+@@ -182,21 +182,6 @@ static int lpass_cpu_daiops_hw_params(struct snd_pcm_substream *substream,
+ return 0;
+ }
+
+-static int lpass_cpu_daiops_hw_free(struct snd_pcm_substream *substream,
+- struct snd_soc_dai *dai)
+-{
+- struct lpass_data *drvdata = snd_soc_dai_get_drvdata(dai);
+- int ret;
+-
+- ret = regmap_write(drvdata->lpaif_map,
+- LPAIF_I2SCTL_REG(drvdata->variant, dai->driver->id),
+- 0);
+- if (ret)
+- dev_err(dai->dev, "error writing to i2sctl reg: %d\n", ret);
+-
+- return ret;
+-}
+-
+ static int lpass_cpu_daiops_prepare(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+ {
+@@ -277,7 +262,6 @@ const struct snd_soc_dai_ops asoc_qcom_lpass_cpu_dai_ops = {
+ .startup = lpass_cpu_daiops_startup,
+ .shutdown = lpass_cpu_daiops_shutdown,
+ .hw_params = lpass_cpu_daiops_hw_params,
+- .hw_free = lpass_cpu_daiops_hw_free,
+ .prepare = lpass_cpu_daiops_prepare,
+ .trigger = lpass_cpu_daiops_trigger,
+ };
+--
+2.25.1
+
--- /dev/null
+From 9cb6ba70dcc61bb106cc1e29070e0a7a6d25b989 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 16:23:00 +0530
+Subject: ASoC: qcom: lpass-platform: fix memory leak
+
+From: Rohit kumar <rohitkr@codeaurora.org>
+
+[ Upstream commit 5fd188215d4eb52703600d8986b22311099a5940 ]
+
+lpass_pcm_data is never freed. Free it in close
+ops to avoid memory leak.
+
+Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage")
+Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/1597402388-14112-5-git-send-email-rohitkr@codeaurora.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/lpass-platform.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/qcom/lpass-platform.c b/sound/soc/qcom/lpass-platform.c
+index e1945e1772cda..b8f8cb906d805 100644
+--- a/sound/soc/qcom/lpass-platform.c
++++ b/sound/soc/qcom/lpass-platform.c
+@@ -67,7 +67,7 @@ static int lpass_platform_pcmops_open(struct snd_pcm_substream *substream)
+ int ret, dma_ch, dir = substream->stream;
+ struct lpass_pcm_data *data;
+
+- data = devm_kzalloc(soc_runtime->dev, sizeof(*data), GFP_KERNEL);
++ data = kzalloc(sizeof(*data), GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+@@ -127,6 +127,7 @@ static int lpass_platform_pcmops_close(struct snd_pcm_substream *substream)
+ if (v->free_dma_channel)
+ v->free_dma_channel(drvdata, data->dma_ch);
+
++ kfree(data);
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From c1fdacabc06c11f13bdfe47ac07129fbabdfd2e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 13:39:12 +0300
+Subject: ASoC: topology: disable size checks for bytes_ext controls if needed
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 6788fc1a66a0c1d1cec7a0f84f94b517eae8611c ]
+
+When CONFIG_SND_CTL_VALIDATION is set, accesses to extended bytes
+control generate spurious error messages when the size exceeds 512
+bytes, such as
+
+[ 11.224223] sof_sdw sof_sdw: control 2:0:0:EQIIR5.0 eqiir_coef_5:0:
+invalid count 1024
+
+In addition the error check returns -EINVAL which has the nasty side
+effect of preventing applications accessing controls from working,
+e.g.
+
+root@plb:~# alsamixer
+cannot load mixer controls: Invalid argument
+
+It's agreed that the control interface has been abused since 2014, but
+forcing a check should not prevent existing solutions from working.
+
+This patch skips the checks conditionally if CONFIG_SND_CTL_VALIDATION
+is set and the byte array provided by topology is > 512. This
+preserves the checks for all other cases.
+
+Fixes: 1a3232d2f61d2 ('ASoC: topology: Add support for TLV bytes controls')
+BugLink: https://github.com/thesofproject/linux/issues/2430
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Jaska Uimonen <jaska.uimonen@intel.com>
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20200917103912.2565907-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-topology.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index 50aa45525be5a..174d923b5801d 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -613,6 +613,17 @@ static int soc_tplg_kcontrol_bind_io(struct snd_soc_tplg_ctl_hdr *hdr,
+ k->info = snd_soc_bytes_info_ext;
+ k->tlv.c = snd_soc_bytes_tlv_callback;
+
++ /*
++ * When a topology-based implementation abuses the
++ * control interface and uses bytes_ext controls of
++ * more than 512 bytes, we need to disable the size
++ * checks, otherwise accesses to such controls will
++ * return an -EINVAL error and prevent the card from
++ * being configured.
++ */
++ if (IS_ENABLED(CONFIG_SND_CTL_VALIDATION) && sbe->max > 512)
++ k->access |= SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK;
++
+ ext_ops = tplg->bytes_ext_ops;
+ num_ops = tplg->bytes_ext_ops_count;
+ for (i = 0; i < num_ops; i++) {
+--
+2.25.1
+
--- /dev/null
+From cea144cd3d37c64443f2a45a7a6651dbf758dbe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 18:11:05 -0400
+Subject: ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ]
+
+The idx in __ath10k_htt_rx_ring_fill_n function lives in
+consistent dma region writable by the device. Malfunctional
+or malicious device could manipulate such idx to have a OOB
+write. Either by
+ htt->rx_ring.netbufs_ring[idx] = skb;
+or by
+ ath10k_htt_set_paddrs_ring(htt, paddr, idx);
+
+The idx can also be negative as it's signed, giving a large
+memory space to write to.
+
+It's possibly exploitable by corruptting a legit pointer with
+a skb pointer. And then fill skb with payload as rougue object.
+
+Part of the log here. Sometimes it appears as UAF when writing
+to a freed memory by chance.
+
+ [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
+ [ 15.595483] #PF: supervisor write access in kernel mode
+ [ 15.596250] #PF: error_code(0x0002) - not-present page
+ [ 15.597013] PGD 0 P4D 0
+ [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI
+ [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
+ [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+ BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+ [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
+ [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
+ (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
+
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
+index 21642bab485a1..fd276e54bb7c2 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -100,6 +100,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num)
+ BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2);
+
+ idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr);
++
++ if (idx < 0 || idx >= htt->rx_ring.size) {
++ ath10k_err(htt->ar, "rx ring index is not valid, firmware malfunctioning?\n");
++ idx &= htt->rx_ring.size_mask;
++ ret = -ENOMEM;
++ goto fail;
++ }
++
+ while (num > 0) {
+ skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN);
+ if (!skb) {
+--
+2.25.1
+
--- /dev/null
+From 7ba9c86e6e2412cb82d71b3538b2e5419a4e2028 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 20:29:03 +0300
+Subject: ath10k: provide survey info as accumulated data
+
+From: Venkateswara Naralasetty <vnaralas@codeaurora.org>
+
+[ Upstream commit 720e5c03e5cb26d33d97f55192b791bb48478aa5 ]
+
+It is expected that the returned counters by .get_survey are monotonic
+increasing. But the data from ath10k gets reset to zero regularly. Channel
+active/busy time are then showing incorrect values (less than previous or
+sometimes zero) for the currently active channel during successive survey
+dump commands.
+
+example:
+
+ $ iw dev wlan0 survey dump
+ Survey data from wlan0
+ frequency: 5180 MHz [in use]
+ channel active time: 54995 ms
+ channel busy time: 432 ms
+ channel receive time: 0 ms
+ channel transmit time: 59 ms
+ ...
+
+ $ iw dev wlan0 survey dump
+ Survey data from wlan0
+ frequency: 5180 MHz [in use]
+ channel active time: 32592 ms
+ channel busy time: 254 ms
+ channel receive time: 0 ms
+ channel transmit time: 0 ms
+ ...
+
+The correct way to handle this is to use the non-clearing
+WMI_BSS_SURVEY_REQ_TYPE_READ wmi_bss_survey_req_type. The firmware will
+then accumulate the survey data and handle wrap arounds.
+
+Tested-on: QCA9984 hw1.0 10.4-3.5.3-00057
+Tested-on: QCA988X hw2.0 10.2.4-1.0-00047
+Tested-on: QCA9888 hw2.0 10.4-3.9.0.2-00024
+Tested-on: QCA4019 hw1.0 10.4-3.6-00140
+
+Fixes: fa7937e3d5c2 ("ath10k: update bss channel survey information")
+Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
+Tested-by: Markus Theil <markus.theil@tu-ilmenau.de>
+Tested-by: John Deere <24601deerej@gmail.com>
+[sven@narfation.org: adjust commit message]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1592232686-28712-1-git-send-email-kvalo@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index ea47ad4b2343b..be4420ff52b8a 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -6718,7 +6718,7 @@ ath10k_mac_update_bss_chan_survey(struct ath10k *ar,
+ struct ieee80211_channel *channel)
+ {
+ int ret;
+- enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ_CLEAR;
++ enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ;
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+--
+2.25.1
+
--- /dev/null
+From 72ad3a7c3bcc4188f14f37874efd9e938632a4eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 17:13:15 +0300
+Subject: ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 54f9ab7b870934b70e5a21786d951fbcf663970f ]
+
+The value for "aid" comes from skb->data so Smatch marks it as
+untrusted. If it's invalid then it can result in an out of bounds array
+access in ath6kl_add_new_sta().
+
+Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200813141315.GB457408@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
+index b90c77ef792ef..1c542cf0fd058 100644
+--- a/drivers/net/wireless/ath/ath6kl/main.c
++++ b/drivers/net/wireless/ath/ath6kl/main.c
+@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr,
+
+ ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid);
+
++ if (aid < 1 || aid > AP_MAX_NUM_STA)
++ return;
++
+ if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) {
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *) assoc_info;
+--
+2.25.1
+
--- /dev/null
+From c2cba7ccc895553c5271249b35773e7bae52365b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Sep 2020 17:27:32 +0300
+Subject: ath6kl: wmi: prevent a shift wrapping bug in
+ ath6kl_wmi_delete_pstream_cmd()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 6a950755cec1a90ddaaff3e4acb5333617441c32 ]
+
+The "tsid" is a user controlled u8 which comes from debugfs. Values
+more than 15 are invalid because "active_tsids" is a 16 bit variable.
+If the value of "tsid" is more than 31 then that leads to a shift
+wrapping bug.
+
+Fixes: 8fffd9e5ec9e ("ath6kl: Implement support for QOS-enable and QOS-disable from userspace")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200918142732.GA909725@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index d79c2bccf5822..f80f1757b58fc 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -2648,6 +2648,11 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
+ return -EINVAL;
+ }
+
++ if (tsid >= 16) {
++ ath6kl_err("invalid tsid: %d\n", tsid);
++ return -EINVAL;
++ }
++
+ skb = ath6kl_wmi_get_new_buf(sizeof(*cmd));
+ if (!skb)
+ return -ENOMEM;
+--
+2.25.1
+
--- /dev/null
+From f435432741e106c18c2dc715829dd35eb3139e72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 17:12:53 +0300
+Subject: ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2705cd7558e718a7240c64eb0afb2edad5f8c190 ]
+
+The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks
+it as untrusted so we have to check it before using it as an array
+offset.
+
+This is similar to a bug that syzkaller found in commit e4ff08a4d727
+("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is
+probably a real issue.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200813141253.GA457408@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index f705f0e1cb5be..05fca38b38ed4 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -342,6 +342,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
+
+ if (skb) {
+ htc_hdr = (struct htc_frame_hdr *) skb->data;
++ if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint))
++ goto ret;
+ endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id];
+ skb_pull(skb, sizeof(struct htc_frame_hdr));
+
+--
+2.25.1
+
--- /dev/null
+From 38838c351b448eb98401d320658e0ad3ec43cbb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 03:14:27 -0400
+Subject: ath9k: hif_usb: fix race condition between usb_get_urb() and
+ usb_kill_anchored_urbs()
+
+From: Brooke Basile <brookebasile@gmail.com>
+
+[ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ]
+
+Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor
+systems create a race condition in which usb_kill_anchored_urbs() deallocates
+the URB before the completer callback is called in usb_kill_urb(), resulting
+in a use-after-free.
+To fix this, add proper lock protection to usb_kill_urb() calls that can
+possibly run concurrently with usb_kill_anchored_urbs().
+
+Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf
+Signed-off-by: Brooke Basile <brookebasile@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
+index e80d509bc5415..ce3a785212740 100644
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -447,10 +447,19 @@ static void hif_usb_stop(void *hif_handle)
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+ /* The pending URBs have to be canceled. */
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ list_for_each_entry_safe(tx_buf, tx_buf_tmp,
+ &hif_dev->tx.tx_pending, list) {
++ usb_get_urb(tx_buf->urb);
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+ usb_kill_urb(tx_buf->urb);
++ list_del(&tx_buf->list);
++ usb_free_urb(tx_buf->urb);
++ kfree(tx_buf->buf);
++ kfree(tx_buf);
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ }
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+ usb_kill_anchored_urbs(&hif_dev->mgmt_submitted);
+ }
+@@ -760,27 +769,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
+ struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL;
+ unsigned long flags;
+
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ list_for_each_entry_safe(tx_buf, tx_buf_tmp,
+ &hif_dev->tx.tx_buf, list) {
++ usb_get_urb(tx_buf->urb);
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+ usb_kill_urb(tx_buf->urb);
+ list_del(&tx_buf->list);
+ usb_free_urb(tx_buf->urb);
+ kfree(tx_buf->buf);
+ kfree(tx_buf);
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ }
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ hif_dev->tx.flags |= HIF_USB_TX_FLUSH;
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ list_for_each_entry_safe(tx_buf, tx_buf_tmp,
+ &hif_dev->tx.tx_pending, list) {
++ usb_get_urb(tx_buf->urb);
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+ usb_kill_urb(tx_buf->urb);
+ list_del(&tx_buf->list);
+ usb_free_urb(tx_buf->urb);
+ kfree(tx_buf->buf);
+ kfree(tx_buf);
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ }
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+ usb_kill_anchored_urbs(&hif_dev->mgmt_submitted);
+ }
+--
+2.25.1
+
--- /dev/null
+From 65c864098b6cfb7af2419ca6646d06b26f42897e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 14:38:17 +0800
+Subject: backlight: sky81452-backlight: Fix refcount imbalance on error
+
+From: dinghao.liu@zju.edu.cn <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit b7a4f80bc316a56d6ec8750e93e66f42431ed960 ]
+
+When of_property_read_u32_array() returns an error code, a
+pairing refcount decrement is needed to keep np's refcount
+balanced.
+
+Fixes: f705806c9f355 ("backlight: Add support Skyworks SKY81452 backlight driver")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/sky81452-backlight.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c
+index d414c7a3acf5a..a2f77625b7170 100644
+--- a/drivers/video/backlight/sky81452-backlight.c
++++ b/drivers/video/backlight/sky81452-backlight.c
+@@ -207,6 +207,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt(
+ num_entry);
+ if (ret < 0) {
+ dev_err(dev, "led-sources node is invalid.\n");
++ of_node_put(np);
+ return ERR_PTR(-EINVAL);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 19776d0f168cb8c5a6bec50f934ce2f9f5b390b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Aug 2020 11:29:56 -0500
+Subject: Bluetooth: hci_uart: Cancel init work before unregistering
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 3b799254cf6f481460719023d7a18f46651e5e7f ]
+
+If hci_uart_tty_close() or hci_uart_unregister_device() is called while
+hu->init_ready is scheduled, hci_register_dev() could be called after
+the hci_uart is torn down. Avoid this by ensuring the work is complete
+or canceled before checking the HCI_UART_REGISTERED flag.
+
+Fixes: 9f2aee848fe6 ("Bluetooth: Add delayed init sequence support for UART controllers")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 1 +
+ drivers/bluetooth/hci_serdev.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 43221def1d29f..f19606019eb01 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -541,6 +541,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
+ clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
+
++ cancel_work_sync(&hu->init_ready);
+ cancel_work_sync(&hu->write_work);
+
+ if (hdev) {
+diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c
+index 72cf2d97b682c..196b046658ff4 100644
+--- a/drivers/bluetooth/hci_serdev.c
++++ b/drivers/bluetooth/hci_serdev.c
+@@ -361,6 +361,8 @@ void hci_uart_unregister_device(struct hci_uart *hu)
+ struct hci_dev *hdev = hu->hdev;
+
+ clear_bit(HCI_UART_PROTO_READY, &hu->flags);
++
++ cancel_work_sync(&hu->init_ready);
+ if (test_bit(HCI_UART_REGISTERED, &hu->flags))
+ hci_unregister_dev(hdev);
+ hci_free_dev(hdev);
+--
+2.25.1
+
--- /dev/null
+From bb1502ddd5c53f6d321e2c0f09b9801c14c76d6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 15:33:18 -0700
+Subject: Bluetooth: Only mark socket zapped after unlocking
+
+From: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+
+[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ]
+
+Since l2cap_sock_teardown_cb doesn't acquire the channel lock before
+setting the socket as zapped, it could potentially race with
+l2cap_sock_release which frees the socket. Thus, wait until the cleanup
+is complete before marking the socket as zapped.
+
+This race was reproduced on a JBL GO speaker after the remote device
+rejected L2CAP connection due to resource unavailability.
+
+Here is a dmesg log with debug logs from a repro of this bug:
+[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002
+[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0
+[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2
+[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001
+[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952
+[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c
+[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00
+[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4
+[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT
+[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT
+[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3
+[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6
+[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159
+[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053
+[ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
+[ 3465.430332] Causing a watchdog bite!
+
+Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
+Reviewed-by: Manish Mandlik <mmandlik@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 7ff82f97e42cc..f94b14beba2bc 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1342,8 +1342,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
+
+ parent = bt_sk(sk)->parent;
+
+- sock_set_flag(sk, SOCK_ZAPPED);
+-
+ switch (chan->state) {
+ case BT_OPEN:
+ case BT_BOUND:
+@@ -1370,8 +1368,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
+
+ break;
+ }
+-
+ release_sock(sk);
++
++ /* Only zap after cleanup to avoid use after free race */
++ sock_set_flag(sk, SOCK_ZAPPED);
++
+ }
+
+ static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
+--
+2.25.1
+
--- /dev/null
+From f68e79d608e8cb0aab5f6156401339561ced2631 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 17:36:05 +0800
+Subject: brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ]
+
+When brcmf_proto_msgbuf_attach fail and msgbuf->txflow_wq != NULL,
+we should destroy the workqueue.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1595237765-66238-1-git-send-email-wangyufen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+index 65e16e3646ecf..5f0af5fac343d 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -1538,6 +1538,8 @@ int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr)
+ BRCMF_TX_IOCTL_MAX_MSG_SIZE,
+ msgbuf->ioctbuf,
+ msgbuf->ioctbuf_handle);
++ if (msgbuf->txflow_wq)
++ destroy_workqueue(msgbuf->txflow_wq);
+ kfree(msgbuf);
+ }
+ return -ENOMEM;
+--
+2.25.1
+
--- /dev/null
+From 8fd031a8a7ec706ff957f24f85e53968f6cc106a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 09:18:04 -0700
+Subject: brcmfmac: check ndev pointer
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 9c9f015bc9f8839831c7ba0a6d731a3853c464e2 ]
+
+Clang static analysis reports this error
+
+brcmfmac/core.c:490:4: warning: Dereference of null pointer
+ (*ifp)->ndev->stats.rx_errors++;
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In this block of code
+
+ if (ret || !(*ifp) || !(*ifp)->ndev) {
+ if (ret != -ENODATA && *ifp)
+ (*ifp)->ndev->stats.rx_errors++;
+ brcmu_pkt_buf_free_skb(skb);
+ return -ENODATA;
+ }
+
+(*ifp)->ndev being NULL is caught as an error
+But then it is used to report the error.
+
+So add a check before using it.
+
+Fixes: 91b632803ee4 ("brcmfmac: Use net_device_stats from struct net_device")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200802161804.6126-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index bfc0e37b7f344..590bef2defb94 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -318,7 +318,7 @@ static int brcmf_rx_hdrpull(struct brcmf_pub *drvr, struct sk_buff *skb,
+ ret = brcmf_proto_hdrpull(drvr, true, skb, ifp);
+
+ if (ret || !(*ifp) || !(*ifp)->ndev) {
+- if (ret != -ENODATA && *ifp)
++ if (ret != -ENODATA && *ifp && (*ifp)->ndev)
+ (*ifp)->ndev->stats.rx_errors++;
+ brcmu_pkt_buf_free_skb(skb);
+ return -ENODATA;
+--
+2.25.1
+
--- /dev/null
+From a1b48f139153192468fb010c748b4611632d09c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 12:17:41 +0000
+Subject: brcmsmac: fix memory leak in wlc_phy_attach_lcnphy
+
+From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+
+[ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ]
+
+When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy,
+the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be
+freed in the caller function.
+
+Fix this by calling wlc_phy_detach_lcnphy in the error handler of
+wlc_phy_txpwr_srom_read_lcnphy before returning.
+
+Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200908121743.23108-1-keitasuzuki.park@sslab.ics.keio.ac.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
+index 93d4cde0eb313..c9f48ec46f4a1 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
+@@ -5090,8 +5090,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi)
+ pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft;
+ pi->pi_fptr.detach = wlc_phy_detach_lcnphy;
+
+- if (!wlc_phy_txpwr_srom_read_lcnphy(pi))
++ if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) {
++ kfree(pi->u.pi_lcnphy);
+ return false;
++ }
+
+ if (LCNREV_IS(pi->pubpi.phy_rev, 1)) {
+ if (pi_lcn->lcnphy_tempsense_option == 3) {
+--
+2.25.1
+
--- /dev/null
+From b3b544aaa8e950748a55f6cfbca526bcab8e3687 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 16:44:19 +0200
+Subject: can: flexcan: flexcan_chip_stop(): add error handling and propagate
+ error value
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit 9ad02c7f4f279504bdd38ab706fdc97d5f2b2a9c ]
+
+This patch implements error handling and propagates the error value of
+flexcan_chip_stop(). This function will be called from flexcan_suspend()
+in an upcoming patch in some SoCs which support LPSR mode.
+
+Add a new function flexcan_chip_stop_disable_on_error() that tries to
+disable the chip even in case of errors.
+
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+[mkl: introduce flexcan_chip_stop_disable_on_error() and use it in flexcan_close()]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Link: https://lore.kernel.org/r/20200922144429.2613631-11-mkl@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index 84dd79041285a..94468a883f369 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1055,18 +1055,23 @@ static int flexcan_chip_start(struct net_device *dev)
+ return err;
+ }
+
+-/* flexcan_chip_stop
++/* __flexcan_chip_stop
+ *
+- * this functions is entered with clocks enabled
++ * this function is entered with clocks enabled
+ */
+-static void flexcan_chip_stop(struct net_device *dev)
++static int __flexcan_chip_stop(struct net_device *dev, bool disable_on_error)
+ {
+ struct flexcan_priv *priv = netdev_priv(dev);
+ struct flexcan_regs __iomem *regs = priv->regs;
++ int err;
+
+ /* freeze + disable module */
+- flexcan_chip_freeze(priv);
+- flexcan_chip_disable(priv);
++ err = flexcan_chip_freeze(priv);
++ if (err && !disable_on_error)
++ return err;
++ err = flexcan_chip_disable(priv);
++ if (err && !disable_on_error)
++ goto out_chip_unfreeze;
+
+ /* Disable all interrupts */
+ flexcan_write(0, ®s->imask2);
+@@ -1076,6 +1081,23 @@ static void flexcan_chip_stop(struct net_device *dev)
+
+ flexcan_transceiver_disable(priv);
+ priv->can.state = CAN_STATE_STOPPED;
++
++ return 0;
++
++ out_chip_unfreeze:
++ flexcan_chip_unfreeze(priv);
++
++ return err;
++}
++
++static inline int flexcan_chip_stop_disable_on_error(struct net_device *dev)
++{
++ return __flexcan_chip_stop(dev, true);
++}
++
++static inline int flexcan_chip_stop(struct net_device *dev)
++{
++ return __flexcan_chip_stop(dev, false);
+ }
+
+ static int flexcan_open(struct net_device *dev)
+@@ -1129,7 +1151,7 @@ static int flexcan_close(struct net_device *dev)
+
+ netif_stop_queue(dev);
+ can_rx_offload_disable(&priv->offload);
+- flexcan_chip_stop(dev);
++ flexcan_chip_stop_disable_on_error(dev);
+
+ free_irq(dev->irq, dev);
+ clk_disable_unprepare(priv->clk_per);
+--
+2.25.1
+
--- /dev/null
+From 3da3180f77f0275f14e6049044de55dcd3f61cc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 09:59:10 +0300
+Subject: clk: at91: clk-main: update key before writing AT91_CKGR_MOR
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 85d071e7f19a6a9abf30476b90b3819642568756 ]
+
+SAMA5D2 datasheet specifies on chapter 33.22.8 (PMC Clock Generator
+Main Oscillator Register) that writing any value other than
+0x37 on KEY field aborts the write operation. Use the key when
+selecting main clock parent.
+
+Fixes: 27cb1c2083373 ("clk: at91: rework main clk implementation")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/1598338751-20607-3-git-send-email-claudiu.beznea@microchip.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/clk-main.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/at91/clk-main.c b/drivers/clk/at91/clk-main.c
+index 90988e7a5b47f..2e7da9b379d48 100644
+--- a/drivers/clk/at91/clk-main.c
++++ b/drivers/clk/at91/clk-main.c
+@@ -517,12 +517,17 @@ static int clk_sam9x5_main_set_parent(struct clk_hw *hw, u8 index)
+ return -EINVAL;
+
+ regmap_read(regmap, AT91_CKGR_MOR, &tmp);
+- tmp &= ~MOR_KEY_MASK;
+
+ if (index && !(tmp & AT91_PMC_MOSCSEL))
+- regmap_write(regmap, AT91_CKGR_MOR, tmp | AT91_PMC_MOSCSEL);
++ tmp = AT91_PMC_MOSCSEL;
+ else if (!index && (tmp & AT91_PMC_MOSCSEL))
+- regmap_write(regmap, AT91_CKGR_MOR, tmp & ~AT91_PMC_MOSCSEL);
++ tmp = 0;
++ else
++ return 0;
++
++ regmap_update_bits(regmap, AT91_CKGR_MOR,
++ AT91_PMC_MOSCSEL | MOR_KEY_MASK,
++ tmp | AT91_PMC_KEY);
+
+ while (!clk_sam9x5_main_ready(regmap))
+ cpu_relax();
+--
+2.25.1
+
--- /dev/null
+From 1b012b3a60e1e8253b137e4eb3b7beea2ad1523a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Aug 2020 18:11:58 -0500
+Subject: clk: bcm2835: add missing release if devm_clk_hw_register fails
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit f6c992ca7dd4f49042eec61f3fb426c94d901675 ]
+
+In the implementation of bcm2835_register_pll(), the allocated pll is
+leaked if devm_clk_hw_register() fails to register hw. Release pll if
+devm_clk_hw_register() fails.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Link: https://lore.kernel.org/r/20200809231202.15811-1-navid.emamdoost@gmail.com
+Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index 6db4204e5d5d5..98295b9703178 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -1354,8 +1354,10 @@ static struct clk_hw *bcm2835_register_pll(struct bcm2835_cprman *cprman,
+ pll->hw.init = &init;
+
+ ret = devm_clk_hw_register(cprman->dev, &pll->hw);
+- if (ret)
++ if (ret) {
++ kfree(pll);
+ return NULL;
++ }
+ return &pll->hw;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 7d55f17ec4821135f9df08f66cf98a87432fe887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 13:32:54 +0530
+Subject: cpufreq: powernv: Fix frame-size-overflow in
+ powernv_cpufreq_reboot_notifier
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit a2d0230b91f7e23ceb5d8fb6a9799f30517ec33a ]
+
+The patch avoids allocating cpufreq_policy on stack hence fixing frame
+size overflow in 'powernv_cpufreq_reboot_notifier':
+
+ drivers/cpufreq/powernv-cpufreq.c: In function powernv_cpufreq_reboot_notifier:
+ drivers/cpufreq/powernv-cpufreq.c:906:1: error: the frame size of 2064 bytes is larger than 2048 bytes
+
+Fixes: cf30af76 ("cpufreq: powernv: Set the cpus to nominal frequency during reboot/kexec")
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200922080254.41497-1-srikar@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/powernv-cpufreq.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
+index dc81fc2bf8015..56c3d86e5b9de 100644
+--- a/drivers/cpufreq/powernv-cpufreq.c
++++ b/drivers/cpufreq/powernv-cpufreq.c
+@@ -846,12 +846,15 @@ static int powernv_cpufreq_reboot_notifier(struct notifier_block *nb,
+ unsigned long action, void *unused)
+ {
+ int cpu;
+- struct cpufreq_policy cpu_policy;
++ struct cpufreq_policy *cpu_policy;
+
+ rebooting = true;
+ for_each_online_cpu(cpu) {
+- cpufreq_get_policy(&cpu_policy, cpu);
+- powernv_cpufreq_target_index(&cpu_policy, get_nominal_index());
++ cpu_policy = cpufreq_cpu_get(cpu);
++ if (!cpu_policy)
++ continue;
++ powernv_cpufreq_target_index(cpu_policy, get_nominal_index());
++ cpufreq_cpu_put(cpu_policy);
+ }
+
+ return NOTIFY_DONE;
+--
+2.25.1
+
--- /dev/null
+From e89a6c05413a5dc31fb28c1fc5499bb87d182118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jul 2020 17:03:27 +1000
+Subject: crypto: algif_skcipher - EBUSY on aio should be an error
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 2a05b029c1ee045b886ebf9efef9985ca23450de ]
+
+I removed the MAY_BACKLOG flag on the aio path a while ago but
+the error check still incorrectly interpreted EBUSY as success.
+This may cause the submitter to wait for a request that will never
+complete.
+
+Fixes: dad419970637 ("crypto: algif_skcipher - Do not set...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_skcipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index d9ec5dca86729..a9dc4eeddcd53 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -133,7 +133,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
+ crypto_skcipher_decrypt(&areq->cra_u.skcipher_req);
+
+ /* AIO operation in progress */
+- if (err == -EINPROGRESS || err == -EBUSY)
++ if (err == -EINPROGRESS)
+ return -EIOCBQUEUED;
+
+ sock_put(sk);
+--
+2.25.1
+
--- /dev/null
+From f86840f007e260a981c95698d3e64ab84edc7b1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 13:34:35 +0200
+Subject: crypto: ccp - fix error handling
+
+From: Pavel Machek <pavel@denx.de>
+
+[ Upstream commit e356c49c6cf0db3f00e1558749170bd56e47652d ]
+
+Fix resource leak in error handling.
+
+Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>
+Acked-by: John Allen <john.allen@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/ccp-ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
+index 626b643d610eb..20ca9c9e109e0 100644
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -1752,7 +1752,7 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
+ break;
+ default:
+ ret = -EINVAL;
+- goto e_ctx;
++ goto e_data;
+ }
+ } else {
+ /* Stash the context */
+--
+2.25.1
+
--- /dev/null
+From f0b7e260c67542e9d59aa3c370c558c6159a7d63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 16:56:48 +0200
+Subject: crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit f7ade9aaf66bd5599690acf0597df2c0f6cd825a ]
+
+Update the size used in 'dma_free_coherent()' in order to match the one
+used in the corresponding 'dma_alloc_coherent()', in 'setup_crypt_desc()'.
+
+Fixes: 81bef0150074 ("crypto: ixp4xx - Hardware crypto support for IXP4xx CPUs")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ixp4xx_crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
+index dadc4a808df5a..4b6773c345ab7 100644
+--- a/drivers/crypto/ixp4xx_crypto.c
++++ b/drivers/crypto/ixp4xx_crypto.c
+@@ -531,7 +531,7 @@ static void release_ixp_crypto(struct device *dev)
+
+ if (crypt_virt) {
+ dma_free_coherent(dev,
+- NPE_QLEN_TOTAL * sizeof( struct crypt_ctl),
++ NPE_QLEN * sizeof(struct crypt_ctl),
+ crypt_virt, crypt_phys);
+ }
+ return;
+--
+2.25.1
+
--- /dev/null
+From fd11ae2eecfb5f2134392aa0c51070f67b6c2cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 19:15:32 +0800
+Subject: crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 8cbde6c6a6d2b1599ff90f932304aab7e32fce89 ]
+
+In case of memory allocation failure, a negative error code should
+be returned.
+
+Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips")
+Cc: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/mediatek/mtk-platform.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c
+index b182e941b0cd8..c58e708d30395 100644
+--- a/drivers/crypto/mediatek/mtk-platform.c
++++ b/drivers/crypto/mediatek/mtk-platform.c
+@@ -445,7 +445,7 @@ static void mtk_desc_dma_free(struct mtk_cryp *cryp)
+ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp)
+ {
+ struct mtk_ring **ring = cryp->ring;
+- int i, err = ENOMEM;
++ int i;
+
+ for (i = 0; i < MTK_RING_MAX; i++) {
+ ring[i] = kzalloc(sizeof(**ring), GFP_KERNEL);
+@@ -479,7 +479,7 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp)
+ ring[i]->cmd_base, ring[i]->cmd_dma);
+ kfree(ring[i]);
+ }
+- return err;
++ return -ENOMEM;
+ }
+
+ static int mtk_crypto_probe(struct platform_device *pdev)
+--
+2.25.1
+
--- /dev/null
+From 43f11b37d3ad1f4d1ffd49497105498c905912d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 10:56:24 +0300
+Subject: crypto: omap-sham - fix digcnt register handling with export/import
+
+From: Tero Kristo <t-kristo@ti.com>
+
+[ Upstream commit 3faf757bad75f3fc1b2736f0431e295a073a7423 ]
+
+Running export/import for hashes in peculiar order (mostly done by
+openssl) can mess up the internal book keeping of the OMAP SHA core.
+Fix by forcibly writing the correct DIGCNT back to hardware. This issue
+was noticed while transitioning to openssl 1.1 support.
+
+Fixes: 0d373d603202 ("crypto: omap-sham - Add OMAP4/AM33XX SHAM Support")
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/omap-sham.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c
+index 4e38b87c32284..e34e9561e77d6 100644
+--- a/drivers/crypto/omap-sham.c
++++ b/drivers/crypto/omap-sham.c
+@@ -455,6 +455,9 @@ static void omap_sham_write_ctrl_omap4(struct omap_sham_dev *dd, size_t length,
+ struct omap_sham_reqctx *ctx = ahash_request_ctx(dd->req);
+ u32 val, mask;
+
++ if (likely(ctx->digcnt))
++ omap_sham_write(dd, SHA_REG_DIGCNT(dd), ctx->digcnt);
++
+ /*
+ * Setting ALGO_CONST only for the first iteration and
+ * CLOSE_HASH only for the last one. Note that flags mode bits
+--
+2.25.1
+
--- /dev/null
+From 66b400eac621a8a7b2b975795384e079c8374aab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 11:00:51 +0800
+Subject: cypto: mediatek - fix leaks in mtk_desc_ring_alloc
+
+From: Xiaoliang Pang <dawning.pang@gmail.com>
+
+[ Upstream commit 228d284aac61283cde508a925d666f854b57af63 ]
+
+In the init loop, if an error occurs in function 'dma_alloc_coherent',
+then goto the err_cleanup section, after run i--,
+in the array ring, the struct mtk_ring with index i will not be released,
+causing memory leaks
+
+Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips")
+Cc: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Xiaoliang Pang <dawning.pang@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/mediatek/mtk-platform.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c
+index c58e708d30395..b2b1e90a3079d 100644
+--- a/drivers/crypto/mediatek/mtk-platform.c
++++ b/drivers/crypto/mediatek/mtk-platform.c
+@@ -472,13 +472,13 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp)
+ return 0;
+
+ err_cleanup:
+- for (; i--; ) {
++ do {
+ dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ,
+ ring[i]->res_base, ring[i]->res_dma);
+ dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ,
+ ring[i]->cmd_base, ring[i]->cmd_dma);
+ kfree(ring[i]);
+- }
++ } while (i--);
+ return -ENOMEM;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From ec0a334e72aa923a7bacca8324668f186e729062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 16:41:09 -0400
+Subject: drivers/perf: xgene_pmu: Fix uninitialized resource struct
+
+From: Mark Salter <msalter@redhat.com>
+
+[ Upstream commit a76b8236edcf5b785d044b930f9e14ad02b4a484 ]
+
+This splat was reported on newer Fedora kernels booting on certain
+X-gene based machines:
+
+ xgene-pmu APMC0D83:00: X-Gene PMU version 3
+ Unable to handle kernel read from unreadable memory at virtual \
+ address 0000000000004006
+ ...
+ Call trace:
+ string+0x50/0x100
+ vsnprintf+0x160/0x750
+ devm_kvasprintf+0x5c/0xb4
+ devm_kasprintf+0x54/0x60
+ __devm_ioremap_resource+0xdc/0x1a0
+ devm_ioremap_resource+0x14/0x20
+ acpi_get_pmu_hw_inf.isra.0+0x84/0x15c
+ acpi_pmu_dev_add+0xbc/0x21c
+ acpi_ns_walk_namespace+0x16c/0x1e4
+ acpi_walk_namespace+0xb4/0xfc
+ xgene_pmu_probe_pmu_dev+0x7c/0xe0
+ xgene_pmu_probe.part.0+0x2c0/0x310
+ xgene_pmu_probe+0x54/0x64
+ platform_drv_probe+0x60/0xb4
+ really_probe+0xe8/0x4a0
+ driver_probe_device+0xe4/0x100
+ device_driver_attach+0xcc/0xd4
+ __driver_attach+0xb0/0x17c
+ bus_for_each_dev+0x6c/0xb0
+ driver_attach+0x30/0x40
+ bus_add_driver+0x154/0x250
+ driver_register+0x84/0x140
+ __platform_driver_register+0x54/0x60
+ xgene_pmu_driver_init+0x28/0x34
+ do_one_initcall+0x40/0x204
+ do_initcalls+0x104/0x144
+ kernel_init_freeable+0x198/0x210
+ kernel_init+0x20/0x12c
+ ret_from_fork+0x10/0x18
+ Code: 91000400 110004e1 eb08009f 540000c0 (38646846)
+ ---[ end trace f08c10566496a703 ]---
+
+This is due to use of an uninitialized local resource struct in the xgene
+pmu driver. The thunderx2_pmu driver avoids this by using the resource list
+constructed by acpi_dev_get_resources() rather than using a callback from
+that function. The callback in the xgene driver didn't fully initialize
+the resource. So get rid of the callback and search the resource list as
+done by thunderx2.
+
+Fixes: 832c927d119b ("perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver")
+Signed-off-by: Mark Salter <msalter@redhat.com>
+Link: https://lore.kernel.org/r/20200915204110.326138-1-msalter@redhat.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/xgene_pmu.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/perf/xgene_pmu.c b/drivers/perf/xgene_pmu.c
+index 8b79c2f7931f1..806fb1f415c29 100644
+--- a/drivers/perf/xgene_pmu.c
++++ b/drivers/perf/xgene_pmu.c
+@@ -1474,17 +1474,6 @@ static char *xgene_pmu_dev_name(struct device *dev, u32 type, int id)
+ }
+
+ #if defined(CONFIG_ACPI)
+-static int acpi_pmu_dev_add_resource(struct acpi_resource *ares, void *data)
+-{
+- struct resource *res = data;
+-
+- if (ares->type == ACPI_RESOURCE_TYPE_FIXED_MEMORY32)
+- acpi_dev_resource_memory(ares, res);
+-
+- /* Always tell the ACPI core to skip this resource */
+- return 1;
+-}
+-
+ static struct
+ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu,
+ struct acpi_device *adev, u32 type)
+@@ -1496,6 +1485,7 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu,
+ struct hw_pmu_info *inf;
+ void __iomem *dev_csr;
+ struct resource res;
++ struct resource_entry *rentry;
+ int enable_bit;
+ int rc;
+
+@@ -1504,11 +1494,23 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu,
+ return NULL;
+
+ INIT_LIST_HEAD(&resource_list);
+- rc = acpi_dev_get_resources(adev, &resource_list,
+- acpi_pmu_dev_add_resource, &res);
++ rc = acpi_dev_get_resources(adev, &resource_list, NULL, NULL);
++ if (rc <= 0) {
++ dev_err(dev, "PMU type %d: No resources found\n", type);
++ return NULL;
++ }
++
++ list_for_each_entry(rentry, &resource_list, node) {
++ if (resource_type(rentry->res) == IORESOURCE_MEM) {
++ res = *rentry->res;
++ rentry = NULL;
++ break;
++ }
++ }
+ acpi_dev_free_resource_list(&resource_list);
+- if (rc < 0) {
+- dev_err(dev, "PMU type %d: No resource address found\n", type);
++
++ if (rentry) {
++ dev_err(dev, "PMU type %d: No memory resource found\n", type);
+ return NULL;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 79f42cd1bc0fb259132307fef2fadf08c48c1ff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 02:51:11 +0530
+Subject: drivers/virt/fsl_hypervisor: Fix error handling path
+
+From: Souptick Joarder <jrdr.linux@gmail.com>
+
+[ Upstream commit 7f360bec37857bfd5a48cef21d86f58a09a3df63 ]
+
+First, when memory allocation for sg_list_unaligned failed, there
+is a bug of calling put_pages() as we haven't pinned any pages.
+
+Second, if get_user_pages_fast() failed we should unpin num_pinned
+pages.
+
+This will address both.
+
+As part of these changes, minor update in documentation.
+
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: John Hubbard <jhubbard@nvidia.com>
+Link: https://lore.kernel.org/r/1598995271-6755-1-git-send-email-jrdr.linux@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virt/fsl_hypervisor.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c
+index 2e1678d22f6ff..1799bfb382e50 100644
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -157,7 +157,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+
+ unsigned int i;
+ long ret = 0;
+- int num_pinned; /* return value from get_user_pages() */
++ int num_pinned = 0; /* return value from get_user_pages_fast() */
+ phys_addr_t remote_paddr; /* The next address in the remote buffer */
+ uint32_t count; /* The number of bytes left to copy */
+
+@@ -174,7 +174,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ return -EINVAL;
+
+ /*
+- * The array of pages returned by get_user_pages() covers only
++ * The array of pages returned by get_user_pages_fast() covers only
+ * page-aligned memory. Since the user buffer is probably not
+ * page-aligned, we need to handle the discrepancy.
+ *
+@@ -224,7 +224,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+
+ /*
+ * 'pages' is an array of struct page pointers that's initialized by
+- * get_user_pages().
++ * get_user_pages_fast().
+ */
+ pages = kzalloc(num_pages * sizeof(struct page *), GFP_KERNEL);
+ if (!pages) {
+@@ -241,7 +241,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ if (!sg_list_unaligned) {
+ pr_debug("fsl-hv: could not allocate S/G list\n");
+ ret = -ENOMEM;
+- goto exit;
++ goto free_pages;
+ }
+ sg_list = PTR_ALIGN(sg_list_unaligned, sizeof(struct fh_sg_list));
+
+@@ -250,7 +250,6 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ num_pages, pages, (param.source == -1) ? 0 : FOLL_WRITE);
+
+ if (num_pinned != num_pages) {
+- /* get_user_pages() failed */
+ pr_debug("fsl-hv: could not lock source buffer\n");
+ ret = (num_pinned < 0) ? num_pinned : -EFAULT;
+ goto exit;
+@@ -292,13 +291,13 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ virt_to_phys(sg_list), num_pages);
+
+ exit:
+- if (pages) {
+- for (i = 0; i < num_pages; i++)
+- if (pages[i])
+- put_page(pages[i]);
++ if (pages && (num_pinned > 0)) {
++ for (i = 0; i < num_pinned; i++)
++ put_page(pages[i]);
+ }
+
+ kfree(sg_list_unaligned);
++free_pages:
+ kfree(pages);
+
+ if (!ret)
+--
+2.25.1
+
--- /dev/null
+From b040a9411695dcbab322660ec8709f76c444cc56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 13:59:11 -0700
+Subject: drm/gma500: fix error check
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit cdd296cdae1af2d27dae3fcfbdf12c5252ab78cf ]
+
+Reviewing this block of code in cdv_intel_dp_init()
+
+ret = cdv_intel_dp_aux_native_read(gma_encoder, DP_DPCD_REV, ...
+
+cdv_intel_edp_panel_vdd_off(gma_encoder);
+if (ret == 0) {
+ /* if this fails, presume the device is a ghost */
+ DRM_INFO("failed to retrieve link info, disabling eDP\n");
+ drm_encoder_cleanup(encoder);
+ cdv_intel_dp_destroy(connector);
+ goto err_priv;
+} else {
+
+The (ret == 0) is not strict enough.
+cdv_intel_dp_aux_native_read() returns > 0 on success
+otherwise it is failure.
+
+So change to <=
+
+Fixes: d112a8163f83 ("gma500/cdv: Add eDP support")
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200805205911.20927-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c
+index c52f9adf5e04c..7ec4e3fbafd8c 100644
+--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c
++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c
+@@ -2121,7 +2121,7 @@ cdv_intel_dp_init(struct drm_device *dev, struct psb_intel_mode_device *mode_dev
+ intel_dp->dpcd,
+ sizeof(intel_dp->dpcd));
+ cdv_intel_edp_panel_vdd_off(gma_encoder);
+- if (ret == 0) {
++ if (ret <= 0) {
+ /* if this fails, presume the device is a ghost */
+ DRM_INFO("failed to retrieve link info, disabling eDP\n");
+ cdv_intel_dp_encoder_destroy(encoder);
+--
+2.25.1
+
--- /dev/null
+From cdc21838b5fdc9265493508402ec2f2dc64ecb38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 01:33:48 +0800
+Subject: drm/radeon: Prefer lower feedback dividers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 5150dd85bdfa08143cacf1b4249121651bed3c35 ]
+
+Commit 2e26ccb119bd ("drm/radeon: prefer lower reference dividers")
+fixed screen flicker for HP Compaq nx9420 but breaks other laptops like
+Asus X50SL.
+
+Turns out we also need to favor lower feedback dividers.
+
+Users confirmed this change fixes the regression and doesn't regress the
+original fix.
+
+Fixes: 2e26ccb119bd ("drm/radeon: prefer lower reference dividers")
+BugLink: https://bugs.launchpad.net/bugs/1791312
+BugLink: https://bugs.launchpad.net/bugs/1861554
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index b2334349799d1..f1de68340944b 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -928,7 +928,7 @@ static void avivo_get_fb_ref_div(unsigned nom, unsigned den, unsigned post_div,
+
+ /* get matching reference and feedback divider */
+ *ref_div = min(max(den/post_div, 1u), ref_div_max);
+- *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den);
++ *fb_div = max(nom * *ref_div * post_div / den, 1u);
+
+ /* limit fb divider to its maximum */
+ if (*fb_div > fb_div_max) {
+--
+2.25.1
+
--- /dev/null
+From fb64752abd596190d9525c0eba85f4e9458864c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 20:14:37 +0800
+Subject: EDAC/i5100: Fix error handling order in i5100_init_one()
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 857a3139bd8be4f702c030c8ca06f3fd69c1741a ]
+
+When pci_get_device_func() fails, the driver doesn't need to execute
+pci_dev_put(). mci should still be freed, though, to prevent a memory
+leak. When pci_enable_device() fails, the error injection PCI device
+"einj" doesn't need to be disabled either.
+
+ [ bp: Massage commit message, rename label to "bail_mc_free". ]
+
+Fixes: 52608ba205461 ("i5100_edac: probe for device 19 function 0")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200826121437.31606-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/i5100_edac.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/edac/i5100_edac.c b/drivers/edac/i5100_edac.c
+index b506eef6b146d..858ef4e15180b 100644
+--- a/drivers/edac/i5100_edac.c
++++ b/drivers/edac/i5100_edac.c
+@@ -1072,16 +1072,15 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ PCI_DEVICE_ID_INTEL_5100_19, 0);
+ if (!einj) {
+ ret = -ENODEV;
+- goto bail_einj;
++ goto bail_mc_free;
+ }
+
+ rc = pci_enable_device(einj);
+ if (rc < 0) {
+ ret = rc;
+- goto bail_disable_einj;
++ goto bail_einj;
+ }
+
+-
+ mci->pdev = &pdev->dev;
+
+ priv = mci->pvt_info;
+@@ -1147,14 +1146,14 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ bail_scrub:
+ priv->scrub_enable = 0;
+ cancel_delayed_work_sync(&(priv->i5100_scrubbing));
+- edac_mc_free(mci);
+-
+-bail_disable_einj:
+ pci_disable_device(einj);
+
+ bail_einj:
+ pci_dev_put(einj);
+
++bail_mc_free:
++ edac_mc_free(mci);
++
+ bail_disable_ch1:
+ pci_disable_device(ch1mm);
+
+--
+2.25.1
+
--- /dev/null
+From 85cb38cf6efce96abe2a2b6a39b02b303c3e5225 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Oct 2020 15:21:48 -0700
+Subject: ext4: limit entries returned when counting fsmap records
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit af8c53c8bc087459b1aadd4c94805d8272358d79 ]
+
+If userspace asked fsmap to try to count the number of entries, we cannot
+return more than UINT_MAX entries because fmh_entries is u32.
+Therefore, stop counting if we hit this limit or else we will waste time
+to return truncated results.
+
+Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Link: https://lore.kernel.org/r/20201001222148.GA49520@magnolia
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/fsmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ext4/fsmap.c b/fs/ext4/fsmap.c
+index 7ec3408985980..1a4d42a1b161d 100644
+--- a/fs/ext4/fsmap.c
++++ b/fs/ext4/fsmap.c
+@@ -121,6 +121,9 @@ static int ext4_getfsmap_helper(struct super_block *sb,
+
+ /* Are we just counting mappings? */
+ if (info->gfi_head->fmh_count == 0) {
++ if (info->gfi_head->fmh_entries == UINT_MAX)
++ return EXT4_QUERY_RANGE_ABORT;
++
+ if (rec_fsblk > info->gfi_next_fsblk)
+ info->gfi_head->fmh_entries++;
+
+--
+2.25.1
+
--- /dev/null
+From b78c105acbc20e3a71c446ccceb72a33ad992ecb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 14:09:48 +0100
+Subject: f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info
+
+From: Jamie Iles <jamie@nuviainc.com>
+
+[ Upstream commit ae284d87abade58c8db7760c808f311ef1ce693c ]
+
+syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an
+f2fs filesystem could result in the following splat:
+
+ kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250)
+ kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750)
+ ------------[ cut here ]------------
+ ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98
+ WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240
+ Kernel panic - not syncing: panic_on_warn set ...
+ CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #101
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ dump_backtrace+0x0/0x4d8
+ show_stack+0x34/0x48
+ dump_stack+0x174/0x1f8
+ panic+0x360/0x7a0
+ __warn+0x244/0x2ec
+ report_bug+0x240/0x398
+ bug_handler+0x50/0xc0
+ call_break_hook+0x160/0x1d8
+ brk_handler+0x30/0xc0
+ do_debug_exception+0x184/0x340
+ el1_dbg+0x48/0xb0
+ el1_sync_handler+0x170/0x1c8
+ el1_sync+0x80/0x100
+ debug_print_object+0x180/0x240
+ debug_check_no_obj_freed+0x200/0x430
+ slab_free_freelist_hook+0x190/0x210
+ kfree+0x13c/0x460
+ f2fs_put_super+0x624/0xa58
+ generic_shutdown_super+0x120/0x300
+ kill_block_super+0x94/0xf8
+ kill_f2fs_super+0x244/0x308
+ deactivate_locked_super+0x104/0x150
+ deactivate_super+0x118/0x148
+ cleanup_mnt+0x27c/0x3c0
+ __cleanup_mnt+0x28/0x38
+ task_work_run+0x10c/0x248
+ do_notify_resume+0x9d4/0x1188
+ work_pending+0x8/0x34c
+
+Like the error handling for f2fs_register_sysfs(), we need to wait for
+the kobject to be destroyed before returning to prevent a potential
+use-after-free.
+
+Fixes: bf9e697ecd42 ("f2fs: expose features to sysfs entry")
+Cc: Jaegeuk Kim <jaegeuk@kernel.org>
+Cc: Chao Yu <chao@kernel.org>
+Signed-off-by: Jamie Iles <jamie@nuviainc.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/sysfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index a55919eec0351..6a13099b3c823 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -563,4 +563,5 @@ void f2fs_unregister_sysfs(struct f2fs_sb_info *sbi)
+ }
+ kobject_del(&sbi->s_kobj);
+ kobject_put(&sbi->s_kobj);
++ wait_for_completion(&sbi->s_kobj_unregister);
+ }
+--
+2.25.1
+
--- /dev/null
+From 2c7b5d129fa7fb2b238379bb3613a9171ada8c73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 14:08:25 -0700
+Subject: Fix use after free in get_capset_info callback.
+
+From: Doug Horn <doughorn@google.com>
+
+[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ]
+
+If a response to virtio_gpu_cmd_get_capset_info takes longer than
+five seconds to return, the callback will access freed kernel memory
+in vg->capsets.
+
+Signed-off-by: Doug Horn <doughorn@google.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_kms.c | 2 ++
+ drivers/gpu/drm/virtio/virtgpu_vq.c | 10 +++++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
+index 6400506a06b07..bed450fbb2168 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
+@@ -113,8 +113,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev,
+ vgdev->capsets[i].id > 0, 5 * HZ);
+ if (ret == 0) {
+ DRM_ERROR("timed out waiting for cap set %d\n", i);
++ spin_lock(&vgdev->display_info_lock);
+ kfree(vgdev->capsets);
+ vgdev->capsets = NULL;
++ spin_unlock(&vgdev->display_info_lock);
+ return;
+ }
+ DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",
+diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
+index a3be65e689fd2..a956c73ea85e5 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
+@@ -563,9 +563,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev,
+ int i = le32_to_cpu(cmd->capset_index);
+
+ spin_lock(&vgdev->display_info_lock);
+- vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
+- vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
+- vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
++ if (vgdev->capsets) {
++ vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
++ vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
++ vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
++ } else {
++ DRM_ERROR("invalid capset memory.");
++ }
+ spin_unlock(&vgdev->display_info_lock);
+ wake_up(&vgdev->resp_wq);
+ }
+--
+2.25.1
+
--- /dev/null
+From bb0a9bcee0e2fcd22f4864601e849dcfe9038b84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 15:02:51 -0400
+Subject: fs: dlm: fix configfs memory leak
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 3d2825c8c6105b0f36f3ff72760799fa2e71420e ]
+
+This patch fixes the following memory detected by kmemleak and umount
+gfs2 filesystem which removed the last lockspace:
+
+unreferenced object 0xffff9264f482f600 (size 192):
+ comm "dlm_controld", pid 325, jiffies 4294690276 (age 48.136s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 6e 6f 64 65 73 00 00 00 ........nodes...
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000060481d7>] make_space+0x41/0x130
+ [<000000008d905d46>] configfs_mkdir+0x1a2/0x5f0
+ [<00000000729502cf>] vfs_mkdir+0x155/0x210
+ [<000000000369bcf1>] do_mkdirat+0x6d/0x110
+ [<00000000cc478a33>] do_syscall_64+0x33/0x40
+ [<00000000ce9ccf01>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The patch just remembers the "nodes" entry pointer in space as I think
+it's created as subdirectory when parent "spaces" is created. In
+function drop_space() we will lost the pointer reference to nds because
+configfs_remove_default_groups(). However as this subdirectory is always
+available when "spaces" exists it will just be freed when "spaces" will be
+freed.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/config.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/dlm/config.c b/fs/dlm/config.c
+index 7211e826d90df..472f4f835d3e1 100644
+--- a/fs/dlm/config.c
++++ b/fs/dlm/config.c
+@@ -218,6 +218,7 @@ struct dlm_space {
+ struct list_head members;
+ struct mutex members_lock;
+ int members_count;
++ struct dlm_nodes *nds;
+ };
+
+ struct dlm_comms {
+@@ -426,6 +427,7 @@ static struct config_group *make_space(struct config_group *g, const char *name)
+ INIT_LIST_HEAD(&sp->members);
+ mutex_init(&sp->members_lock);
+ sp->members_count = 0;
++ sp->nds = nds;
+ return &sp->group;
+
+ fail:
+@@ -447,6 +449,7 @@ static void drop_space(struct config_group *g, struct config_item *i)
+ static void release_space(struct config_item *i)
+ {
+ struct dlm_space *sp = config_item_to_space(i);
++ kfree(sp->nds);
+ kfree(sp);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 050799865960bee3ee1ef447778d01ce1e4c006e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 16:35:52 -0700
+Subject: HID: hid-input: fix stylus battery reporting
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 505f394fa239cecb76d916aa858f87ed7ea7fde4 ]
+
+With commit 4f3882177240 hid-input started clearing of "ignored" usages
+to avoid using garbage that might have been left in them. However
+"battery strength" usages should not be ignored, as we do want to
+use them.
+
+Fixes: 4f3882177240 ("HID: hid-input: clear unmapped usages")
+Reported-by: Kenneth Albanowski <kenalba@google.com>
+Tested-by: Kenneth Albanowski <kenalba@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 3624d6e3384ff..07a043ae69f12 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -796,7 +796,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x3b: /* Battery Strength */
+ hidinput_setup_battery(device, HID_INPUT_REPORT, field);
+ usage->type = EV_PWR;
+- goto ignore;
++ return;
+
+ case 0x3c: /* Invert */
+ map_key_clear(BTN_TOOL_RUBBER);
+@@ -1043,7 +1043,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case HID_DC_BATTERYSTRENGTH:
+ hidinput_setup_battery(device, HID_INPUT_REPORT, field);
+ usage->type = EV_PWR;
+- goto ignore;
++ return;
+ }
+ goto unknown;
+
+--
+2.25.1
+
--- /dev/null
+From 26b2457ed5cfae40fd58020339b884ae1c39e1fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 11:57:35 +0300
+Subject: HID: roccat: add bounds checking in kone_sysfs_write_settings()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d4f98dbfe717490e771b6e701904bfcf4b4557f0 ]
+
+This code doesn't check if "settings->startup_profile" is within bounds
+and that could result in an out of bounds array access. What the code
+does do is it checks if the settings can be written to the firmware, so
+it's possible that the firmware has a bounds check? It's safer and
+easier to verify when the bounds checking is done in the kernel.
+
+Fixes: 14bf62cde794 ("HID: add driver for Roccat Kone gaming mouse")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat-kone.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c
+index bf4675a273965..9be8c31f613fd 100644
+--- a/drivers/hid/hid-roccat-kone.c
++++ b/drivers/hid/hid-roccat-kone.c
+@@ -297,31 +297,40 @@ static ssize_t kone_sysfs_write_settings(struct file *fp, struct kobject *kobj,
+ struct kone_device *kone = hid_get_drvdata(dev_get_drvdata(dev));
+ struct usb_device *usb_dev = interface_to_usbdev(to_usb_interface(dev));
+ int retval = 0, difference, old_profile;
++ struct kone_settings *settings = (struct kone_settings *)buf;
+
+ /* I need to get my data in one piece */
+ if (off != 0 || count != sizeof(struct kone_settings))
+ return -EINVAL;
+
+ mutex_lock(&kone->kone_lock);
+- difference = memcmp(buf, &kone->settings, sizeof(struct kone_settings));
++ difference = memcmp(settings, &kone->settings,
++ sizeof(struct kone_settings));
+ if (difference) {
+- retval = kone_set_settings(usb_dev,
+- (struct kone_settings const *)buf);
+- if (retval) {
+- mutex_unlock(&kone->kone_lock);
+- return retval;
++ if (settings->startup_profile < 1 ||
++ settings->startup_profile > 5) {
++ retval = -EINVAL;
++ goto unlock;
+ }
+
++ retval = kone_set_settings(usb_dev, settings);
++ if (retval)
++ goto unlock;
++
+ old_profile = kone->settings.startup_profile;
+- memcpy(&kone->settings, buf, sizeof(struct kone_settings));
++ memcpy(&kone->settings, settings, sizeof(struct kone_settings));
+
+ kone_profile_activated(kone, kone->settings.startup_profile);
+
+ if (kone->settings.startup_profile != old_profile)
+ kone_profile_report(kone, kone->settings.startup_profile);
+ }
++unlock:
+ mutex_unlock(&kone->kone_lock);
+
++ if (retval)
++ return retval;
++
+ return sizeof(struct kone_settings);
+ }
+ static BIN_ATTR(settings, 0660, kone_sysfs_read_settings,
+--
+2.25.1
+
--- /dev/null
+From 263d1bd8a5e0f3576f87381a8bc5c94b46662fd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 16:41:58 +0200
+Subject: i2c: core: Restore acpi_walk_dep_device_list() getting called after
+ registering the ACPI i2c devs
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 8058d69905058ec8f467a120b5ec5bb831ea67f3 ]
+
+Commit 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler()
+before i2c_acpi_register_devices()")'s intention was to only move the
+acpi_install_address_space_handler() call to the point before where
+the ACPI declared i2c-children of the adapter where instantiated by
+i2c_acpi_register_devices().
+
+But i2c_acpi_install_space_handler() had a call to
+acpi_walk_dep_device_list() hidden (that is I missed it) at the end
+of it, so as an unwanted side-effect now acpi_walk_dep_device_list()
+was also being called before i2c_acpi_register_devices().
+
+Move the acpi_walk_dep_device_list() call to the end of
+i2c_acpi_register_devices(), so that it is once again called *after*
+the i2c_client-s hanging of the adapter have been created.
+
+This fixes the Microsoft Surface Go 2 hanging at boot.
+
+Fixes: 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=209627
+Reported-by: Rainer Finke <rainer@finke.cc>
+Reported-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Suggested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-acpi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index 0d4d5dcf94f39..52ae674ebf5bf 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -219,6 +219,7 @@ static acpi_status i2c_acpi_add_device(acpi_handle handle, u32 level,
+ void i2c_acpi_register_devices(struct i2c_adapter *adap)
+ {
+ acpi_status status;
++ acpi_handle handle;
+
+ if (!has_acpi_companion(&adap->dev))
+ return;
+@@ -229,6 +230,15 @@ void i2c_acpi_register_devices(struct i2c_adapter *adap)
+ adap, NULL);
+ if (ACPI_FAILURE(status))
+ dev_warn(&adap->dev, "failed to enumerate I2C slaves\n");
++
++ if (!adap->dev.parent)
++ return;
++
++ handle = ACPI_HANDLE(adap->dev.parent);
++ if (!handle)
++ return;
++
++ acpi_walk_dep_device_list(handle);
+ }
+
+ const struct acpi_device_id *
+@@ -684,7 +694,6 @@ int i2c_acpi_install_space_handler(struct i2c_adapter *adapter)
+ return -ENOMEM;
+ }
+
+- acpi_walk_dep_device_list(handle);
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 00162bee73e4a499aa5ea2fb0a00c1d6032a2d98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 11:23:30 +0200
+Subject: i2c: rcar: Auto select RESET_CONTROLLER
+
+From: Dirk Behme <dirk.behme@de.bosch.com>
+
+[ Upstream commit 5b9bacf28a973a6b16510493416baeefa2c06289 ]
+
+The i2c-rcar driver utilizes the Generic Reset Controller kernel
+feature, so select the RESET_CONTROLLER option when the I2C_RCAR
+option is selected with a Gen3 SoC.
+
+Fixes: 2b16fd63059ab9 ("i2c: rcar: handle RXDMA HW behaviour on Gen3")
+Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Andy Lowe <andy_lowe@mentor.com>
+[erosca: Add "if ARCH_RCAR_GEN3" per Wolfram's request]
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
+index b72a25585d52b..c457f65136f83 100644
+--- a/drivers/i2c/busses/Kconfig
++++ b/drivers/i2c/busses/Kconfig
+@@ -1095,6 +1095,7 @@ config I2C_RCAR
+ depends on HAS_DMA
+ depends on ARCH_RENESAS || COMPILE_TEST
+ select I2C_SLAVE
++ select RESET_CONTROLLER if ARCH_RCAR_GEN3
+ help
+ If you say yes to this option, support will be included for the
+ R-Car I2C controller.
+--
+2.25.1
+
--- /dev/null
+From b5bef8e3d140952126c08e464364d02b20fde9dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 08:19:41 +0200
+Subject: IB/mlx4: Adjust delayed work when a dup is observed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: HÃ¥kon Bugge <haakon.bugge@oracle.com>
+
+[ Upstream commit 785167a114855c5aa75efca97000e405c2cc85bf ]
+
+When scheduling delayed work to clean up the cache, if the entry already
+has been scheduled for deletion, we adjust the delay.
+
+Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization")
+Link: https://lore.kernel.org/r/20200803061941.1139994-7-haakon.bugge@oracle.com
+Signed-off-by: HÃ¥kon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/cm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c
+index 8c79a480f2b76..d3e11503e67ca 100644
+--- a/drivers/infiniband/hw/mlx4/cm.c
++++ b/drivers/infiniband/hw/mlx4/cm.c
+@@ -307,6 +307,9 @@ static void schedule_delayed(struct ib_device *ibdev, struct id_map_entry *id)
+ if (!sriov->is_going_down) {
+ id->scheduled_delete = 1;
+ schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT);
++ } else if (id->scheduled_delete) {
++ /* Adjust timeout if already scheduled */
++ mod_delayed_work(system_wq, &id->timeout, CM_CLEANUP_CACHE_TIMEOUT);
+ }
+ spin_unlock_irqrestore(&sriov->going_down_lock, flags);
+ spin_unlock(&sriov->id_map_lock);
+--
+2.25.1
+
--- /dev/null
+From 2bbb391f6dc8648c929a2ad15d50ae34b3c80449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 08:19:39 +0200
+Subject: IB/mlx4: Fix starvation in paravirt mux/demux
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: HÃ¥kon Bugge <haakon.bugge@oracle.com>
+
+[ Upstream commit 7fd1507df7cee9c533f38152fcd1dd769fcac6ce ]
+
+The mlx4 driver will proxy MAD packets through the PF driver. A VM or an
+instantiated VF will send its MAD packets to the PF driver using
+loop-back. The PF driver will be informed by an interrupt, but defer the
+handling and polling of CQEs to a worker thread running on an ordered
+work-queue.
+
+Consider the following scenario: the VMs will in short proximity in time,
+for example due to a network event, send many MAD packets to the PF
+driver. Lets say there are K VMs, each sending N packets.
+
+The interrupt from the first VM will start the worker thread, which will
+poll N CQEs. A common case here is where the PF driver will multiplex the
+packets received from the VMs out on the wire QP.
+
+But before the wire QP has returned a send CQE and associated interrupt,
+the other K - 1 VMs have sent their N packets as well.
+
+The PF driver has to multiplex K * N packets out on the wire QP. But the
+send-queue on the wire QP has a finite capacity.
+
+So, in this scenario, if K * N is larger than the send-queue capacity of
+the wire QP, we will get MAD packets dropped on the floor with this
+dynamic debug message:
+
+mlx4_ib_multiplex_mad: failed sending GSI to wire on behalf of slave 2 (-11)
+
+and this despite the fact that the wire send-queue could have capacity,
+but the PF driver isn't aware, because the wire send CQEs have not yet
+been polled.
+
+We can also have a similar scenario inbound, with a wire recv-queue larger
+than the tunnel QP's send-queue. If many remote peers send MAD packets to
+the very same VM, the tunnel send-queue destined to the VM could allegedly
+be construed to be full by the PF driver.
+
+This starvation is fixed by introducing separate work queues for the wire
+QPs vs. the tunnel QPs.
+
+With this fix, using a dual ported HCA, 8 VFs instantiated, we could run
+cmtime on each of the 18 interfaces towards a similar configured peer,
+each cmtime instance with 800 QPs (all in all 14400 QPs) without a single
+CM packet getting lost.
+
+Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization")
+Link: https://lore.kernel.org/r/20200803061941.1139994-5-haakon.bugge@oracle.com
+Signed-off-by: HÃ¥kon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/mad.c | 34 +++++++++++++++++++++++++---
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 ++
+ 2 files changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
+index c69158ccab822..60d4f2c9c24d8 100644
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -1305,6 +1305,18 @@ static void mlx4_ib_tunnel_comp_handler(struct ib_cq *cq, void *arg)
+ spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags);
+ }
+
++static void mlx4_ib_wire_comp_handler(struct ib_cq *cq, void *arg)
++{
++ unsigned long flags;
++ struct mlx4_ib_demux_pv_ctx *ctx = cq->cq_context;
++ struct mlx4_ib_dev *dev = to_mdev(ctx->ib_dev);
++
++ spin_lock_irqsave(&dev->sriov.going_down_lock, flags);
++ if (!dev->sriov.is_going_down && ctx->state == DEMUX_PV_STATE_ACTIVE)
++ queue_work(ctx->wi_wq, &ctx->work);
++ spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags);
++}
++
+ static int mlx4_ib_post_pv_qp_buf(struct mlx4_ib_demux_pv_ctx *ctx,
+ struct mlx4_ib_demux_pv_qp *tun_qp,
+ int index)
+@@ -2012,7 +2024,8 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port,
+ cq_size *= 2;
+
+ cq_attr.cqe = cq_size;
+- ctx->cq = ib_create_cq(ctx->ib_dev, mlx4_ib_tunnel_comp_handler,
++ ctx->cq = ib_create_cq(ctx->ib_dev,
++ create_tun ? mlx4_ib_tunnel_comp_handler : mlx4_ib_wire_comp_handler,
+ NULL, ctx, &cq_attr);
+ if (IS_ERR(ctx->cq)) {
+ ret = PTR_ERR(ctx->cq);
+@@ -2049,6 +2062,7 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port,
+ INIT_WORK(&ctx->work, mlx4_ib_sqp_comp_worker);
+
+ ctx->wq = to_mdev(ibdev)->sriov.demux[port - 1].wq;
++ ctx->wi_wq = to_mdev(ibdev)->sriov.demux[port - 1].wi_wq;
+
+ ret = ib_req_notify_cq(ctx->cq, IB_CQ_NEXT_COMP);
+ if (ret) {
+@@ -2192,7 +2206,7 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev,
+ goto err_mcg;
+ }
+
+- snprintf(name, sizeof name, "mlx4_ibt%d", port);
++ snprintf(name, sizeof(name), "mlx4_ibt%d", port);
+ ctx->wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
+ if (!ctx->wq) {
+ pr_err("Failed to create tunnelling WQ for port %d\n", port);
+@@ -2200,7 +2214,15 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev,
+ goto err_wq;
+ }
+
+- snprintf(name, sizeof name, "mlx4_ibud%d", port);
++ snprintf(name, sizeof(name), "mlx4_ibwi%d", port);
++ ctx->wi_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
++ if (!ctx->wi_wq) {
++ pr_err("Failed to create wire WQ for port %d\n", port);
++ ret = -ENOMEM;
++ goto err_wiwq;
++ }
++
++ snprintf(name, sizeof(name), "mlx4_ibud%d", port);
+ ctx->ud_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
+ if (!ctx->ud_wq) {
+ pr_err("Failed to create up/down WQ for port %d\n", port);
+@@ -2211,6 +2233,10 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev,
+ return 0;
+
+ err_udwq:
++ destroy_workqueue(ctx->wi_wq);
++ ctx->wi_wq = NULL;
++
++err_wiwq:
+ destroy_workqueue(ctx->wq);
+ ctx->wq = NULL;
+
+@@ -2258,12 +2284,14 @@ static void mlx4_ib_free_demux_ctx(struct mlx4_ib_demux_ctx *ctx)
+ ctx->tun[i]->state = DEMUX_PV_STATE_DOWNING;
+ }
+ flush_workqueue(ctx->wq);
++ flush_workqueue(ctx->wi_wq);
+ for (i = 0; i < dev->dev->caps.sqp_demux; i++) {
+ destroy_pv_resources(dev, i, ctx->port, ctx->tun[i], 0);
+ free_pv_object(dev, i, ctx->port);
+ }
+ kfree(ctx->tun);
+ destroy_workqueue(ctx->ud_wq);
++ destroy_workqueue(ctx->wi_wq);
+ destroy_workqueue(ctx->wq);
+ }
+ }
+diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h
+index 1fa19820355af..ed72c09080c1d 100644
+--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
+@@ -463,6 +463,7 @@ struct mlx4_ib_demux_pv_ctx {
+ struct ib_pd *pd;
+ struct work_struct work;
+ struct workqueue_struct *wq;
++ struct workqueue_struct *wi_wq;
+ struct mlx4_ib_demux_pv_qp qp[2];
+ };
+
+@@ -470,6 +471,7 @@ struct mlx4_ib_demux_ctx {
+ struct ib_device *ib_dev;
+ int port;
+ struct workqueue_struct *wq;
++ struct workqueue_struct *wi_wq;
+ struct workqueue_struct *ud_wq;
+ spinlock_t ud_lock;
+ atomic64_t subnet_prefix;
+--
+2.25.1
+
--- /dev/null
+From 390d11a72e800ee1776a88982cc27d0509c21b10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 10:52:04 +0100
+Subject: IB/rdmavt: Fix sizeof mismatch
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 8e71f694e0c819db39af2336f16eb9689f1ae53f ]
+
+An incorrect sizeof is being used, struct rvt_ibport ** is not correct, it
+should be struct rvt_ibport *. Note that since ** is the same size as
+* this is not causing any issues. Improve this fix by using
+sizeof(*rdi->ports) as this allows us to not even reference the type
+of the pointer. Also remove line breaks as the entire statement can
+fit on one line.
+
+Link: https://lore.kernel.org/r/20201008095204.82683-1-colin.king@canonical.com
+Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)")
+Fixes: ff6acd69518e ("IB/rdmavt: Add device structure allocation")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Acked-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rdmavt/vt.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c
+index 64bdd442078a1..03a367db38e6d 100644
+--- a/drivers/infiniband/sw/rdmavt/vt.c
++++ b/drivers/infiniband/sw/rdmavt/vt.c
+@@ -97,9 +97,7 @@ struct rvt_dev_info *rvt_alloc_device(size_t size, int nports)
+ if (!rdi)
+ return rdi;
+
+- rdi->ports = kcalloc(nports,
+- sizeof(struct rvt_ibport **),
+- GFP_KERNEL);
++ rdi->ports = kcalloc(nports, sizeof(*rdi->ports), GFP_KERNEL);
+ if (!rdi->ports)
+ ib_dealloc_device(&rdi->ibdev);
+
+--
+2.25.1
+
--- /dev/null
+From fb9f9d9573f5047c2c608a970f5684e7e3c0e937 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:51:05 -0700
+Subject: Input: ep93xx_keypad - fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 7d50f6656dacf085a00beeedbc48b19a37d17881 ]
+
+platform_get_irq() returns -ERRNO on error. In such case comparison
+to 0 would pass the check.
+
+Fixes: 60214f058f44 ("Input: ep93xx_keypad - update driver to new core support")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200828145744.3636-1-krzk@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/ep93xx_keypad.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/keyboard/ep93xx_keypad.c b/drivers/input/keyboard/ep93xx_keypad.c
+index f77b295e0123e..01788a78041b3 100644
+--- a/drivers/input/keyboard/ep93xx_keypad.c
++++ b/drivers/input/keyboard/ep93xx_keypad.c
+@@ -257,8 +257,8 @@ static int ep93xx_keypad_probe(struct platform_device *pdev)
+ }
+
+ keypad->irq = platform_get_irq(pdev, 0);
+- if (!keypad->irq) {
+- err = -ENXIO;
++ if (keypad->irq < 0) {
++ err = keypad->irq;
+ goto failed_free;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From be2a2d3166a0aea03e91a7233aa5fb0a8aafaef8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 10:17:01 -0700
+Subject: Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 30df23c5ecdfb8da5b0bc17ceef67eff9e1b0957 ]
+
+If imx6ul_tsc_init() fails then we need to clean up the clocks.
+
+I reversed the "if (input_dev->users) {" condition to make the code a
+bit simpler.
+
+Fixes: 6cc527b05847 ("Input: imx6ul_tsc - propagate the errors")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20200905124942.GC183976@mwanda
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/imx6ul_tsc.c | 27 +++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/input/touchscreen/imx6ul_tsc.c b/drivers/input/touchscreen/imx6ul_tsc.c
+index ee82a975bfd29..5759c1592a456 100644
+--- a/drivers/input/touchscreen/imx6ul_tsc.c
++++ b/drivers/input/touchscreen/imx6ul_tsc.c
+@@ -542,20 +542,25 @@ static int __maybe_unused imx6ul_tsc_resume(struct device *dev)
+
+ mutex_lock(&input_dev->mutex);
+
+- if (input_dev->users) {
+- retval = clk_prepare_enable(tsc->adc_clk);
+- if (retval)
+- goto out;
+-
+- retval = clk_prepare_enable(tsc->tsc_clk);
+- if (retval) {
+- clk_disable_unprepare(tsc->adc_clk);
+- goto out;
+- }
++ if (!input_dev->users)
++ goto out;
+
+- retval = imx6ul_tsc_init(tsc);
++ retval = clk_prepare_enable(tsc->adc_clk);
++ if (retval)
++ goto out;
++
++ retval = clk_prepare_enable(tsc->tsc_clk);
++ if (retval) {
++ clk_disable_unprepare(tsc->adc_clk);
++ goto out;
+ }
+
++ retval = imx6ul_tsc_init(tsc);
++ if (retval) {
++ clk_disable_unprepare(tsc->tsc_clk);
++ clk_disable_unprepare(tsc->adc_clk);
++ goto out;
++ }
+ out:
+ mutex_unlock(&input_dev->mutex);
+ return retval;
+--
+2.25.1
+
--- /dev/null
+From 28dc85c41bae247840d12849a794e7068bd0e5e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:52:15 -0700
+Subject: Input: omap4-keypad - fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 4738dd1992fa13acfbbd71800c71c612f466fa44 ]
+
+platform_get_irq() returns -ERRNO on error. In such case comparison
+to 0 would pass the check.
+
+Fixes: f3a1ba60dbdb ("Input: omap4-keypad - use platform device helpers")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200828145744.3636-2-krzk@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/omap4-keypad.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c
+index 616fdd94b0694..5480f1a5658ee 100644
+--- a/drivers/input/keyboard/omap4-keypad.c
++++ b/drivers/input/keyboard/omap4-keypad.c
+@@ -253,10 +253,8 @@ static int omap4_keypad_probe(struct platform_device *pdev)
+ }
+
+ irq = platform_get_irq(pdev, 0);
+- if (!irq) {
+- dev_err(&pdev->dev, "no keyboard irq assigned\n");
+- return -EINVAL;
+- }
++ if (irq < 0)
++ return irq;
+
+ keypad_data = kzalloc(sizeof(struct omap4_keypad), GFP_KERNEL);
+ if (!keypad_data) {
+--
+2.25.1
+
--- /dev/null
+From b0d61923c057a413c3757cd32a3926ad040f04f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 10:26:09 -0700
+Subject: Input: stmfts - fix a & vs && typo
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit d04afe14b23651e7a8bc89727a759e982a8458e4 ]
+
+In stmfts_sysfs_hover_enable_write(), we should check value and
+sdata->hover_enabled is all true.
+
+Fixes: 78bcac7b2ae1 ("Input: add support for the STMicroelectronics FingerTip touchscreen")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20200916141941.16684-1-yuehaibing@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/stmfts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/touchscreen/stmfts.c b/drivers/input/touchscreen/stmfts.c
+index c72662c979e79..d9e93dabbca21 100644
+--- a/drivers/input/touchscreen/stmfts.c
++++ b/drivers/input/touchscreen/stmfts.c
+@@ -484,7 +484,7 @@ static ssize_t stmfts_sysfs_hover_enable_write(struct device *dev,
+
+ mutex_lock(&sdata->mutex);
+
+- if (value & sdata->hover_enabled)
++ if (value && sdata->hover_enabled)
+ goto out;
+
+ if (sdata->running)
+--
+2.25.1
+
--- /dev/null
+From 3623ba363d6318062ea75905e24afe26a64d15e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:56:40 -0700
+Subject: Input: sun4i-ps2 - fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit cafb3abea6136e59ea534004e5773361e196bb94 ]
+
+platform_get_irq() returns -ERRNO on error. In such case comparison
+to 0 would pass the check.
+
+Fixes: e443631d20f5 ("Input: serio - add support for Alwinner A10/A20 PS/2 controller")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Link: https://lore.kernel.org/r/20200828145744.3636-4-krzk@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/sun4i-ps2.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/serio/sun4i-ps2.c b/drivers/input/serio/sun4i-ps2.c
+index 04b96fe393397..46512b4d686a8 100644
+--- a/drivers/input/serio/sun4i-ps2.c
++++ b/drivers/input/serio/sun4i-ps2.c
+@@ -210,7 +210,6 @@ static int sun4i_ps2_probe(struct platform_device *pdev)
+ struct sun4i_ps2data *drvdata;
+ struct serio *serio;
+ struct device *dev = &pdev->dev;
+- unsigned int irq;
+ int error;
+
+ drvdata = kzalloc(sizeof(struct sun4i_ps2data), GFP_KERNEL);
+@@ -263,14 +262,12 @@ static int sun4i_ps2_probe(struct platform_device *pdev)
+ writel(0, drvdata->reg_base + PS2_REG_GCTL);
+
+ /* Get IRQ for the device */
+- irq = platform_get_irq(pdev, 0);
+- if (!irq) {
+- dev_err(dev, "no IRQ found\n");
+- error = -ENXIO;
++ drvdata->irq = platform_get_irq(pdev, 0);
++ if (drvdata->irq < 0) {
++ error = drvdata->irq;
+ goto err_disable_clk;
+ }
+
+- drvdata->irq = irq;
+ drvdata->serio = serio;
+ drvdata->dev = dev;
+
+--
+2.25.1
+
--- /dev/null
+From dcd9280c19ca0142d2481818c71b39c336b75fde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:56:19 -0700
+Subject: Input: twl4030_keypad - fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit c277e1f0dc3c7d7b5b028e20dd414df241642036 ]
+
+platform_get_irq() returns -ERRNO on error. In such case casting to
+unsigned and comparing to 0 would pass the check.
+
+Fixes: 7abf38d6d13c ("Input: twl4030-keypad - add device tree support")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200828145744.3636-3-krzk@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/twl4030_keypad.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/input/keyboard/twl4030_keypad.c b/drivers/input/keyboard/twl4030_keypad.c
+index f9f98ef1d98e3..8677dbe0fd209 100644
+--- a/drivers/input/keyboard/twl4030_keypad.c
++++ b/drivers/input/keyboard/twl4030_keypad.c
+@@ -63,7 +63,7 @@ struct twl4030_keypad {
+ bool autorepeat;
+ unsigned int n_rows;
+ unsigned int n_cols;
+- unsigned int irq;
++ int irq;
+
+ struct device *dbg_dev;
+ struct input_dev *input;
+@@ -389,10 +389,8 @@ static int twl4030_kp_probe(struct platform_device *pdev)
+ }
+
+ kp->irq = platform_get_irq(pdev, 0);
+- if (!kp->irq) {
+- dev_err(&pdev->dev, "no keyboard irq assigned\n");
+- return -EINVAL;
+- }
++ if (kp->irq < 0)
++ return kp->irq;
+
+ error = matrix_keypad_build_keymap(keymap_data, NULL,
+ TWL4030_MAX_ROWS,
+--
+2.25.1
+
--- /dev/null
+From 6830117052130889c8a47f1fe4d0de97548c07e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 03:46:40 -0400
+Subject: ipvs: Fix uninit-value in do_ip_vs_set_ctl()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+[ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ]
+
+do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
+zero. Fix it.
+
+Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
+Suggested-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Reviewed-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 5ec80818ace2c..c1672ff009637 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2425,6 +2425,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ /* Set timeout values for (tcp tcpfin udp) */
+ ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg);
+ goto out_unlock;
++ } else if (!len) {
++ /* No more commands with len == 0 below */
++ ret = -EINVAL;
++ goto out_unlock;
+ }
+
+ usvc_compat = (struct ip_vs_service_user *)arg;
+@@ -2501,9 +2505,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ break;
+ case IP_VS_SO_SET_DELDEST:
+ ret = ip_vs_del_dest(svc, &udest);
+- break;
+- default:
+- ret = -EINVAL;
+ }
+
+ out_unlock:
+--
+2.25.1
+
--- /dev/null
+From 6e8a3b2da62f917c43bfc68fa987afe9ff9136e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Sep 2020 10:31:20 +0300
+Subject: iwlwifi: mvm: split a print to avoid a WARNING in ROC
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 903b3f9badf1d54f77b468b96706dab679b45b14 ]
+
+A print in the remain on channel code was too long and caused
+a WARNING, split it.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Fixes: dc28e12f2125 ("iwlwifi: mvm: ROC: Extend the ROC max delay duration & limit ROC duration")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20200930102759.58d57c0bdc68.Ib06008665e7bf1199c360aa92691d9c74fb84990@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index b86c7a36d3f17..ec2ecdd1cc4ec 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -3198,9 +3198,12 @@ static int iwl_mvm_send_aux_roc_cmd(struct iwl_mvm *mvm,
+ aux_roc_req.apply_time_max_delay = cpu_to_le32(delay);
+
+ IWL_DEBUG_TE(mvm,
+- "ROC: Requesting to remain on channel %u for %ums (requested = %ums, max_delay = %ums, dtim_interval = %ums)\n",
+- channel->hw_value, req_dur, duration, delay,
+- dtim_interval);
++ "ROC: Requesting to remain on channel %u for %ums\n",
++ channel->hw_value, req_dur);
++ IWL_DEBUG_TE(mvm,
++ "\t(requested = %ums, max_delay = %ums, dtim_interval = %ums)\n",
++ duration, delay, dtim_interval);
++
+ /* Set the node address */
+ memcpy(aux_roc_req.node_addr, vif->addr, ETH_ALEN);
+
+--
+2.25.1
+
--- /dev/null
+From 7042ce7a2ea48340899fcd12be7390a79bcc79a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 15:17:08 +0100
+Subject: kdb: Fix pager search for multi-line strings
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit d081a6e353168f15e63eb9e9334757f20343319f ]
+
+Currently using forward search doesn't handle multi-line strings correctly.
+The search routine replaces line breaks with \0 during the search and, for
+regular searches ("help | grep Common\n"), there is code after the line
+has been discarded or printed to replace the break character.
+
+However during a pager search ("help\n" followed by "/Common\n") when the
+string is matched we will immediately return to normal output and the code
+that should restore the \n becomes unreachable. Fix this by restoring the
+replaced character when we disable the search mode and update the comment
+accordingly.
+
+Fixes: fb6daa7520f9d ("kdb: Provide forward search at more prompt")
+Link: https://lore.kernel.org/r/20200909141708.338273-1-daniel.thompson@linaro.org
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/kdb/kdb_io.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 6a4b41484afe6..b45576ca3b0da 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -679,12 +679,16 @@ int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap)
+ size_avail = sizeof(kdb_buffer) - len;
+ goto kdb_print_out;
+ }
+- if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH)
++ if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) {
+ /*
+ * This was a interactive search (using '/' at more
+- * prompt) and it has completed. Clear the flag.
++ * prompt) and it has completed. Replace the \0 with
++ * its original value to ensure multi-line strings
++ * are handled properly, and return to normal mode.
+ */
++ *cphold = replaced_byte;
+ kdb_grepping_flag = 0;
++ }
+ /*
+ * at this point the string is a full line and
+ * should be printed, up to the null.
+--
+2.25.1
+
--- /dev/null
+From 00448159985303395f4af74a50e531b3eb3c3dd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 10:23:42 +0800
+Subject: KVM: x86: emulating RDPID failure shall return #UD rather than #GP
+
+From: Robert Hoo <robert.hu@linux.intel.com>
+
+[ Upstream commit a9e2e0ae686094571378c72d8146b5a1a92d0652 ]
+
+Per Intel's SDM, RDPID takes a #UD if it is unsupported, which is more or
+less what KVM is emulating when MSR_TSC_AUX is not available. In fact,
+there are no scenarios in which RDPID is supposed to #GP.
+
+Fixes: fb6d4d340e ("KVM: x86: emulate RDPID")
+Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
+Message-Id: <1598581422-76264-1-git-send-email-robert.hu@linux.intel.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 4cc8a4a6f1d00..46559812da24e 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3544,7 +3544,7 @@ static int em_rdpid(struct x86_emulate_ctxt *ctxt)
+ u64 tsc_aux = 0;
+
+ if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux))
+- return emulate_gp(ctxt, 0);
++ return emulate_ud(ctxt);
+ ctxt->dst.val = tsc_aux;
+ return X86EMUL_CONTINUE;
+ }
+--
+2.25.1
+
--- /dev/null
+From 51fcb312d97df2a94cb75a071fb3f60ba5c478dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:11:38 -0700
+Subject: lib/crc32.c: fix trivial typo in preprocessor condition
+
+From: Tobias Jordan <kernel@cdqe.de>
+
+[ Upstream commit 904542dc56524f921a6bab0639ff6249c01e775f ]
+
+Whether crc32_be needs a lookup table is chosen based on CRC_LE_BITS.
+Obviously, the _be function should be governed by the _BE_ define.
+
+This probably never pops up as it's hard to come up with a configuration
+where CRC_BE_BITS isn't the same as CRC_LE_BITS and as nobody is using
+bitwise CRC anyway.
+
+Fixes: 46c5801eaf86 ("crc32: bolt on crc32c")
+Signed-off-by: Tobias Jordan <kernel@cdqe.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Link: https://lkml.kernel.org/r/20200923182122.GA3338@agrajag.zerfleddert.de
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/crc32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/crc32.c b/lib/crc32.c
+index 6ddc92bc14609..a1ccb4a8a9950 100644
+--- a/lib/crc32.c
++++ b/lib/crc32.c
+@@ -327,7 +327,7 @@ static inline u32 __pure crc32_be_generic(u32 crc, unsigned char const *p,
+ return crc;
+ }
+
+-#if CRC_LE_BITS == 1
++#if CRC_BE_BITS == 1
+ u32 __pure crc32_be(u32 crc, unsigned char const *p, size_t len)
+ {
+ return crc32_be_generic(crc, p, len, NULL, CRCPOLY_BE);
+--
+2.25.1
+
--- /dev/null
+From 4551197a1ae639e4559dd591eac9425c82889d23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Oct 2020 09:45:21 -0700
+Subject: mac80211: handle lack of sband->bitrates in rates
+
+From: Thomas Pedersen <thomas@adapt-ip.com>
+
+[ Upstream commit 8b783d104e7f40684333d2ec155fac39219beb2f ]
+
+Even though a driver or mac80211 shouldn't produce a
+legacy bitrate if sband->bitrates doesn't exist, don't
+crash if that is the case either.
+
+This fixes a kernel panic if station dump is run before
+last_rate can be updated with a data frame when
+sband->bitrates is missing (eg. in S1G bands).
+
+Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
+Link: https://lore.kernel.org/r/20201005164522.18069-1-thomas@adapt-ip.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 3 ++-
+ net/mac80211/sta_info.c | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index c883cb67b7311..0b82d8da4ab0a 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -661,7 +661,8 @@ void sta_set_rate_info_tx(struct sta_info *sta,
+ u16 brate;
+
+ sband = ieee80211_get_sband(sta->sdata);
+- if (sband) {
++ WARN_ON_ONCE(sband && !sband->bitrates);
++ if (sband && sband->bitrates) {
+ brate = sband->bitrates[rate->idx].bitrate;
+ rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift);
+ }
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index 6af5fda6461ce..2a18687019003 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -2004,6 +2004,10 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u16 rate,
+
+ rinfo->flags = 0;
+ sband = local->hw.wiphy->bands[band];
++
++ if (WARN_ON_ONCE(!sband->bitrates))
++ break;
++
+ brate = sband->bitrates[rate_idx].bitrate;
+ if (rinfo->bw == RATE_INFO_BW_5)
+ shift = 2;
+--
+2.25.1
+
--- /dev/null
+From 388f7faffe126bb50729876c3eb29b00926c024c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Oct 2020 12:20:56 -0500
+Subject: mailbox: avoid timer start from callback
+
+From: Jassi Brar <jaswinder.singh@linaro.org>
+
+[ Upstream commit c7dacf5b0f32957b24ef29df1207dc2cd8307743 ]
+
+If the txdone is done by polling, it is possible for msg_submit() to start
+the timer while txdone_hrtimer() callback is running. If the timer needs
+recheduling, it could already be enqueued by the time hrtimer_forward_now()
+is called, leading hrtimer to loudly complain.
+
+WARNING: CPU: 3 PID: 74 at kernel/time/hrtimer.c:932 hrtimer_forward+0xc4/0x110
+CPU: 3 PID: 74 Comm: kworker/u8:1 Not tainted 5.9.0-rc2-00236-gd3520067d01c-dirty #5
+Hardware name: Libre Computer AML-S805X-AC (DT)
+Workqueue: events_freezable_power_ thermal_zone_device_check
+pstate: 20000085 (nzCv daIf -PAN -UAO BTYPE=--)
+pc : hrtimer_forward+0xc4/0x110
+lr : txdone_hrtimer+0xf8/0x118
+[...]
+
+This can be fixed by not starting the timer from the callback path. Which
+requires the timer reloading as long as any message is queued on the
+channel, and not just when current tx is not done yet.
+
+Fixes: 0cc67945ea59 ("mailbox: switch to hrtimer for tx_complete polling")
+Reported-by: Da Xue <da@libre.computer>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: Jerome Brunet <jbrunet@baylibre.com>
+Tested-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
+index 055c90b8253cb..10a559cfb7ea3 100644
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -85,9 +85,12 @@ static void msg_submit(struct mbox_chan *chan)
+ exit:
+ spin_unlock_irqrestore(&chan->lock, flags);
+
+- if (!err && (chan->txdone_method & TXDONE_BY_POLL))
+- /* kick start the timer immediately to avoid delays */
+- hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL);
++ /* kick start the timer immediately to avoid delays */
++ if (!err && (chan->txdone_method & TXDONE_BY_POLL)) {
++ /* but only if not already active */
++ if (!hrtimer_active(&chan->mbox->poll_hrt))
++ hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL);
++ }
+ }
+
+ static void tx_tick(struct mbox_chan *chan, int r)
+@@ -125,11 +128,10 @@ static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer)
+ struct mbox_chan *chan = &mbox->chans[i];
+
+ if (chan->active_req && chan->cl) {
++ resched = true;
+ txdone = chan->mbox->ops->last_tx_done(chan);
+ if (txdone)
+ tx_tick(chan, 0);
+- else
+- resched = true;
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 9bacf3457576a11eac12887bccd9348e3791b6a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 15:50:51 +0200
+Subject: media: ati_remote: sanity check for both endpoints
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ]
+
+If you do sanity checks, you should do them for both endpoints.
+Hence introduce checking for endpoint type for the output
+endpoint, too.
+
+Reported-by: syzbot+998261c2ae5932458f6c@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ati_remote.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c
+index d0871d60a7231..8e3af398a6c4e 100644
+--- a/drivers/media/rc/ati_remote.c
++++ b/drivers/media/rc/ati_remote.c
+@@ -845,6 +845,10 @@ static int ati_remote_probe(struct usb_interface *interface,
+ err("%s: endpoint_in message size==0? \n", __func__);
+ return -ENODEV;
+ }
++ if (!usb_endpoint_is_int_out(endpoint_out)) {
++ err("%s: Unexpected endpoint_out\n", __func__);
++ return -ENODEV;
++ }
+
+ ati_remote = kzalloc(sizeof (struct ati_remote), GFP_KERNEL);
+ rc_dev = rc_allocate_device(RC_DRIVER_SCANCODE);
+--
+2.25.1
+
--- /dev/null
+From 0a3f86b7d201a7919f53233b8307e13de8db28c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 12:00:21 +0200
+Subject: media: bdisp: Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit dbd2f2dc025f9be8ae063e4f270099677238f620 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+index 601ca2b2ecd34..79de7d413cf5e 100644
+--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+@@ -1367,7 +1367,7 @@ static int bdisp_probe(struct platform_device *pdev)
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0) {
+ dev_err(dev, "failed to set PM\n");
+- goto err_dbg;
++ goto err_pm;
+ }
+
+ /* Filters */
+@@ -1395,7 +1395,6 @@ static int bdisp_probe(struct platform_device *pdev)
+ bdisp_hw_free_filters(bdisp->dev);
+ err_pm:
+ pm_runtime_put(dev);
+-err_dbg:
+ bdisp_debugfs_remove(bdisp);
+ err_v4l2:
+ v4l2_device_unregister(&bdisp->v4l2_dev);
+--
+2.25.1
+
--- /dev/null
+From d6d37b394cb023e1215c9d5cca81342e72910bc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:10:58 +0200
+Subject: media: exynos4-is: Fix a reference count leak due to
+ pm_runtime_get_sync
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit c47f7c779ef0458a58583f00c9ed71b7f5a4d0a2 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+reference count before returning the error.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/media-dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
+index d313f9078e714..24fb0f4b95e18 100644
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -479,8 +479,10 @@ static int fimc_md_register_sensor_entities(struct fimc_md *fmd)
+ return -ENXIO;
+
+ ret = pm_runtime_get_sync(fmd->pmf);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(fmd->pmf);
+ return ret;
++ }
+
+ fmd->num_sensors = 0;
+
+--
+2.25.1
+
--- /dev/null
+From 3a2c625f99cea759ef67ff87057faffce877b584 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:01:11 +0200
+Subject: media: exynos4-is: Fix a reference count leak
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 64157b2cb1940449e7df2670e85781c690266588 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/mipi-csis.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c
+index 560aadabcb111..040d10df17c97 100644
+--- a/drivers/media/platform/exynos4-is/mipi-csis.c
++++ b/drivers/media/platform/exynos4-is/mipi-csis.c
+@@ -513,8 +513,10 @@ static int s5pcsis_s_stream(struct v4l2_subdev *sd, int enable)
+ if (enable) {
+ s5pcsis_clear_counters(state);
+ ret = pm_runtime_get_sync(&state->pdev->dev);
+- if (ret && ret != 1)
++ if (ret && ret != 1) {
++ pm_runtime_put_noidle(&state->pdev->dev);
+ return ret;
++ }
+ }
+
+ mutex_lock(&state->lock);
+--
+2.25.1
+
--- /dev/null
+From ebaf466b5e895a62aae7e015548396e8719faead Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:18:29 +0200
+Subject: media: exynos4-is: Fix several reference count leaks due to
+ pm_runtime_get_sync
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 7ef64ceea0008c17e94a8a2c60c5d6d46f481996 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+reference count before returning the error.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/fimc-isp.c | 4 +++-
+ drivers/media/platform/exynos4-is/fimc-lite.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/exynos4-is/fimc-isp.c b/drivers/media/platform/exynos4-is/fimc-isp.c
+index fd793d3ac0725..89989b2961599 100644
+--- a/drivers/media/platform/exynos4-is/fimc-isp.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp.c
+@@ -311,8 +311,10 @@ static int fimc_isp_subdev_s_power(struct v4l2_subdev *sd, int on)
+
+ if (on) {
+ ret = pm_runtime_get_sync(&is->pdev->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(&is->pdev->dev);
+ return ret;
++ }
+ set_bit(IS_ST_PWR_ON, &is->state);
+
+ ret = fimc_is_start_firmware(is);
+diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c
+index 4a3c9948ca547..1cdca5ce48439 100644
+--- a/drivers/media/platform/exynos4-is/fimc-lite.c
++++ b/drivers/media/platform/exynos4-is/fimc-lite.c
+@@ -480,7 +480,7 @@ static int fimc_lite_open(struct file *file)
+ set_bit(ST_FLITE_IN_USE, &fimc->state);
+ ret = pm_runtime_get_sync(&fimc->pdev->dev);
+ if (ret < 0)
+- goto unlock;
++ goto err_pm;
+
+ ret = v4l2_fh_open(file);
+ if (ret < 0)
+--
+2.25.1
+
--- /dev/null
+From 9e7f98e7ec4a8aa99fd2a3090a941b80a105f3af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Sep 2020 11:01:37 +0200
+Subject: media: firewire: fix memory leak
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit b28e32798c78a346788d412f1958f36bb760ec03 ]
+
+Fix memory leak in node_probe.
+
+Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/firewire/firedtv-fw.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c
+index 5d634706a7eaa..382f290c3f4d5 100644
+--- a/drivers/media/firewire/firedtv-fw.c
++++ b/drivers/media/firewire/firedtv-fw.c
+@@ -271,8 +271,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
+
+ name_len = fw_csr_string(unit->directory, CSR_MODEL,
+ name, sizeof(name));
+- if (name_len < 0)
+- return name_len;
++ if (name_len < 0) {
++ err = name_len;
++ goto fail_free;
++ }
+ for (i = ARRAY_SIZE(model_names); --i; )
+ if (strlen(model_names[i]) <= name_len &&
+ strncmp(name, model_names[i], name_len) == 0)
+--
+2.25.1
+
--- /dev/null
+From 5f5ed5a5721b999e3ca7085c76e67a856ac7f6e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jul 2020 17:34:47 +0200
+Subject: media: m5mols: Check function pointer in m5mols_sensor_power
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 52438c4463ac904d14bf3496765e67750766f3a6 ]
+
+clang static analysis reports this error
+
+m5mols_core.c:767:4: warning: Called function pointer
+ is null (null dereference) [core.CallAndMessage]
+ info->set_power(&client->dev, 0);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In other places, the set_power ptr is checked.
+So add a check.
+
+Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/m5mols/m5mols_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c
+index 463534d44756e..9015ebc843b4e 100644
+--- a/drivers/media/i2c/m5mols/m5mols_core.c
++++ b/drivers/media/i2c/m5mols/m5mols_core.c
+@@ -755,7 +755,8 @@ static int m5mols_sensor_power(struct m5mols_info *info, bool enable)
+
+ ret = regulator_bulk_enable(ARRAY_SIZE(supplies), supplies);
+ if (ret) {
+- info->set_power(&client->dev, 0);
++ if (info->set_power)
++ info->set_power(&client->dev, 0);
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From c2daa3058ce98d3e32ed22afcb65e975949145dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Apr 2020 11:52:30 +0200
+Subject: media: media/pci: prevent memory leak in bttv_probe
+
+From: Xiaolong Huang <butterflyhuangxx@gmail.com>
+
+[ Upstream commit 7b817585b730665126b45df5508dd69526448bc8 ]
+
+In bttv_probe if some functions such as pci_enable_device,
+pci_set_dma_mask and request_mem_region fails the allocated
+ memory for btv should be released.
+
+Signed-off-by: Xiaolong Huang <butterflyhuangxx@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/bt8xx/bttv-driver.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
+index 227086a2e99c8..9e38c8b3ea762 100644
+--- a/drivers/media/pci/bt8xx/bttv-driver.c
++++ b/drivers/media/pci/bt8xx/bttv-driver.c
+@@ -4055,11 +4055,13 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
+ btv->id = dev->device;
+ if (pci_enable_device(dev)) {
+ pr_warn("%d: Can't enable device\n", btv->c.nr);
+- return -EIO;
++ result = -EIO;
++ goto free_mem;
+ }
+ if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) {
+ pr_warn("%d: No suitable DMA available\n", btv->c.nr);
+- return -EIO;
++ result = -EIO;
++ goto free_mem;
+ }
+ if (!request_mem_region(pci_resource_start(dev,0),
+ pci_resource_len(dev,0),
+@@ -4067,7 +4069,8 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
+ pr_warn("%d: can't request iomem (0x%llx)\n",
+ btv->c.nr,
+ (unsigned long long)pci_resource_start(dev, 0));
+- return -EBUSY;
++ result = -EBUSY;
++ goto free_mem;
+ }
+ pci_set_master(dev);
+ pci_set_command(dev);
+@@ -4253,6 +4256,10 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
+ release_mem_region(pci_resource_start(btv->c.pci,0),
+ pci_resource_len(btv->c.pci,0));
+ pci_disable_device(btv->c.pci);
++
++free_mem:
++ bttvs[btv->c.nr] = NULL;
++ kfree(btv);
+ return result;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 2d06a7c5f64447228d3545522d50664ab0c06a01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 11:26:04 +0200
+Subject: media: mx2_emmaprp: Fix memleak in emmaprp_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 21d387b8d372f859d9e87fdcc7c3b4a432737f4d ]
+
+When platform_get_irq() fails, we should release
+vfd and unregister pcdev->v4l2_dev just like the
+subsequent error paths.
+
+Fixes: d4e192cc44914 ("media: mx2_emmaprp: Check for platform_get_irq() error")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mx2_emmaprp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c
+index 951f2fd415b0d..163e825bf1aac 100644
+--- a/drivers/media/platform/mx2_emmaprp.c
++++ b/drivers/media/platform/mx2_emmaprp.c
+@@ -942,8 +942,11 @@ static int emmaprp_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, pcdev);
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq < 0)
+- return irq;
++ if (irq < 0) {
++ ret = irq;
++ goto rel_vdev;
++ }
++
+ ret = devm_request_irq(&pdev->dev, irq, emmaprp_irq, 0,
+ dev_name(&pdev->dev), pcdev);
+ if (ret)
+--
+2.25.1
+
--- /dev/null
+From d22d5f7c9ed0a2dba06739c06da28a58e2ae654c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 08:53:52 +0200
+Subject: media: omap3isp: Fix memleak in isp_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit d8fc21c17099635e8ebd986d042be65a6c6b5bd0 ]
+
+When devm_ioremap_resource() fails, isp should be
+freed just like other error paths in isp_probe.
+
+Fixes: 8644cdf972dd6 ("[media] omap3isp: Replace many MMIO regions by two")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/isp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
+index b34b6a604f92f..c46402f3e88c1 100644
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -2304,8 +2304,10 @@ static int isp_probe(struct platform_device *pdev)
+ mem = platform_get_resource(pdev, IORESOURCE_MEM, i);
+ isp->mmio_base[map_idx] =
+ devm_ioremap_resource(isp->dev, mem);
+- if (IS_ERR(isp->mmio_base[map_idx]))
+- return PTR_ERR(isp->mmio_base[map_idx]);
++ if (IS_ERR(isp->mmio_base[map_idx])) {
++ ret = PTR_ERR(isp->mmio_base[map_idx]);
++ goto error;
++ }
+ }
+
+ ret = isp_get_clocks(isp);
+--
+2.25.1
+
--- /dev/null
+From d7b57d732e07d1fd02154b212b14827aafa572f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 01:19:44 +0200
+Subject: media: platform: fcp: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 63e36a381d92a9cded97e90d481ee22566557dd1 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Fixes: 6eaafbdb668b ("[media] v4l: rcar-fcp: Keep the coding style consistent")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-fcp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/rcar-fcp.c b/drivers/media/platform/rcar-fcp.c
+index 0047d144c9326..19502a1860cf5 100644
+--- a/drivers/media/platform/rcar-fcp.c
++++ b/drivers/media/platform/rcar-fcp.c
+@@ -106,8 +106,10 @@ int rcar_fcp_enable(struct rcar_fcp_device *fcp)
+ return 0;
+
+ ret = pm_runtime_get_sync(fcp->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_noidle(fcp->dev);
+ return ret;
++ }
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From a1003cb16203c76b5ffd009c06de455fd844cd4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 15:29:33 +0200
+Subject: media: platform: s3c-camif: Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit dafa3605fe60d5a61239d670919b2a36e712481e ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced.
+
+Also, call pm_runtime_disable() when pm_runtime_get_sync() returns
+an error code.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Sylwester Nawrocki <snawrocki@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s3c-camif/camif-core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/s3c-camif/camif-core.c b/drivers/media/platform/s3c-camif/camif-core.c
+index c4ab63986c8f0..95b11f69555c3 100644
+--- a/drivers/media/platform/s3c-camif/camif-core.c
++++ b/drivers/media/platform/s3c-camif/camif-core.c
+@@ -475,7 +475,7 @@ static int s3c_camif_probe(struct platform_device *pdev)
+
+ ret = camif_media_dev_init(camif);
+ if (ret < 0)
+- goto err_alloc;
++ goto err_pm;
+
+ ret = camif_register_sensor(camif);
+ if (ret < 0)
+@@ -509,10 +509,9 @@ static int s3c_camif_probe(struct platform_device *pdev)
+ media_device_unregister(&camif->media_dev);
+ media_device_cleanup(&camif->media_dev);
+ camif_unregister_media_entities(camif);
+-err_alloc:
++err_pm:
+ pm_runtime_put(dev);
+ pm_runtime_disable(dev);
+-err_pm:
+ camif_clk_put(camif);
+ err_clk:
+ s3c_camif_unregister_subdev(camif);
+--
+2.25.1
+
--- /dev/null
+From 42917297670a76165819f842b38b942140c91050 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 12:05:02 +0200
+Subject: media: platform: sti: hva: Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit d912a1d9e9afe69c6066c1ceb6bfc09063074075 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/hva/hva-hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c
+index 8dce2ccc551cb..1185f6b6721e9 100644
+--- a/drivers/media/platform/sti/hva/hva-hw.c
++++ b/drivers/media/platform/sti/hva/hva-hw.c
+@@ -393,7 +393,7 @@ int hva_hw_probe(struct platform_device *pdev, struct hva_dev *hva)
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0) {
+ dev_err(dev, "%s failed to set PM\n", HVA_PREFIX);
+- goto err_clk;
++ goto err_pm;
+ }
+
+ /* check IP hardware version */
+--
+2.25.1
+
--- /dev/null
+From 1fddd9556d65e25ed92f80a9d230952ccbe69202 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Aug 2020 17:32:39 +0200
+Subject: media: Revert "media: exynos4-is: Add missed check for
+ pinctrl_lookup_state()"
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 00d21f325d58567d81d9172096692d0a9ea7f725 ]
+
+The "idle" pinctrl state is optional as documented in the DT binding.
+The change introduced by the commit being reverted makes that pinctrl state
+mandatory and breaks initialization of the whole media driver, since the
+"idle" state is not specified in any mainline dts.
+
+This reverts commit 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()")
+to fix the regression.
+
+Fixes: 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()")
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/media-dev.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
+index f772c9b92d9ba..d313f9078e714 100644
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -1256,11 +1256,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd)
+ if (IS_ERR(pctl->state_default))
+ return PTR_ERR(pctl->state_default);
+
++ /* PINCTRL_STATE_IDLE is optional */
+ pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl,
+ PINCTRL_STATE_IDLE);
+- if (IS_ERR(pctl->state_idle))
+- return PTR_ERR(pctl->state_idle);
+-
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 6b3084a1d8e5356b91814b09ec10e29c5732090f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 04:31:22 +0200
+Subject: media: s5p-mfc: Fix a reference count leak
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 78741ce98c2e36188e2343434406b0e0bc50b0e7 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Fixes: c5086f130a77 ("[media] s5p-mfc: Use clock gating only on MFC v5 hardware")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+index 5e080f32b0e82..95abf2bd7ebae 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+@@ -83,8 +83,10 @@ int s5p_mfc_power_on(void)
+ int i, ret = 0;
+
+ ret = pm_runtime_get_sync(pm->device);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_noidle(pm->device);
+ return ret;
++ }
+
+ /* clock control */
+ for (i = 0; i < pm->num_clocks; i++) {
+--
+2.25.1
+
--- /dev/null
+From d3e4ef97130b2beb662a98e9d284430d97cfb470 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 08:37:12 +0200
+Subject: media: saa7134: avoid a shift overflow
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 15a36aae1ec1c1f17149b6113b92631791830740 ]
+
+As reported by smatch:
+ drivers/media/pci/saa7134//saa7134-tvaudio.c:686 saa_dsp_writel() warn: should 'reg << 2' be a 64 bit type?
+
+On a 64-bits Kernel, the shift might be bigger than 32 bits.
+
+In real, this should never happen, but let's shut up the warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7134/saa7134-tvaudio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/saa7134/saa7134-tvaudio.c b/drivers/media/pci/saa7134/saa7134-tvaudio.c
+index 68d400e1e240e..8c3da6f7a60f1 100644
+--- a/drivers/media/pci/saa7134/saa7134-tvaudio.c
++++ b/drivers/media/pci/saa7134/saa7134-tvaudio.c
+@@ -693,7 +693,8 @@ int saa_dsp_writel(struct saa7134_dev *dev, int reg, u32 value)
+ {
+ int err;
+
+- audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", reg << 2, value);
++ audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n",
++ (reg << 2) & 0xffffffff, value);
+ err = saa_dsp_wait_bit(dev,SAA7135_DSP_RWSTATE_WRR);
+ if (err < 0)
+ return err;
+--
+2.25.1
+
--- /dev/null
+From 6a6de76bb1e91bf42b0b6800f52b5e3867594db4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:58:41 +0200
+Subject: media: st-delta: Fix reference count leak in delta_run_work
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit 57cc666d36adc7b45e37ba4cd7bc4e44ec4c43d7 ]
+
+delta_run_work() calls delta_get_sync() that increments
+the reference counter. In case of failure, decrement the reference
+count by calling delta_put_autosuspend().
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/delta/delta-v4l2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/sti/delta/delta-v4l2.c b/drivers/media/platform/sti/delta/delta-v4l2.c
+index b2dc3d223a9c9..7c925f309158d 100644
+--- a/drivers/media/platform/sti/delta/delta-v4l2.c
++++ b/drivers/media/platform/sti/delta/delta-v4l2.c
+@@ -970,8 +970,10 @@ static void delta_run_work(struct work_struct *work)
+ /* enable the hardware */
+ if (!dec->pm) {
+ ret = delta_get_sync(ctx);
+- if (ret)
++ if (ret) {
++ delta_put_autosuspend(ctx);
+ goto err;
++ }
+ }
+
+ /* decode this access unit */
+--
+2.25.1
+
--- /dev/null
+From 871d0e804a625656cabe83be01790f7b2161a338 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:31:06 +0200
+Subject: media: sti: Fix reference count leaks
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 6f4432bae9f2d12fc1815b5e26cc07e69bcad0df ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/hva/hva-hw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c
+index ec25bdcfa3d1e..8dce2ccc551cb 100644
+--- a/drivers/media/platform/sti/hva/hva-hw.c
++++ b/drivers/media/platform/sti/hva/hva-hw.c
+@@ -272,6 +272,7 @@ static unsigned long int hva_hw_get_ip_version(struct hva_dev *hva)
+
+ if (pm_runtime_get_sync(dev) < 0) {
+ dev_err(dev, "%s failed to get pm_runtime\n", HVA_PREFIX);
++ pm_runtime_put_noidle(dev);
+ mutex_unlock(&hva->protect_mutex);
+ return -EFAULT;
+ }
+@@ -557,6 +558,7 @@ void hva_hw_dump_regs(struct hva_dev *hva, struct seq_file *s)
+
+ if (pm_runtime_get_sync(dev) < 0) {
+ seq_puts(s, "Cannot wake up IP\n");
++ pm_runtime_put_noidle(dev);
+ mutex_unlock(&hva->protect_mutex);
+ return;
+ }
+--
+2.25.1
+
--- /dev/null
+From 3d005cdc8a626b5a835056dddf053c164cfd2ce9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Aug 2020 18:30:43 +0200
+Subject: media: tc358743: initialize variable
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 274cf92d5dff5c2fec1a518078542ffe70d07646 ]
+
+clang static analysis flags this error
+
+tc358743.c:1468:9: warning: Branch condition evaluates
+ to a garbage value
+ return handled ? IRQ_HANDLED : IRQ_NONE;
+ ^~~~~~~
+handled should be initialized to false.
+
+Fixes: d747b806abf4 ("[media] tc358743: add direct interrupt handling")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index c9647e24a4a3a..f74c4f6814ebb 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -1318,7 +1318,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled)
+ static irqreturn_t tc358743_irq_handler(int irq, void *dev_id)
+ {
+ struct tc358743_state *state = dev_id;
+- bool handled;
++ bool handled = false;
+
+ tc358743_isr(&state->sd, 0, &handled);
+
+--
+2.25.1
+
--- /dev/null
+From c56f0fc65d39643cfff4ed3dc94d18cea2803867 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 04:56:05 +0200
+Subject: media: ti-vpe: Fix a missing check and reference count leak
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 7dae2aaaf432767ca7aa11fa84643a7c2600dbdd ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+And also, when the call of function vpe_runtime_get() failed,
+we won't call vpe_runtime_put().
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails
+inside vpe_runtime_get().
+
+Fixes: 4571912743ac ("[media] v4l: ti-vpe: Add VPE mem to mem driver")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/ti-vpe/vpe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c
+index 2e8970c7e22da..bbd8bb611915c 100644
+--- a/drivers/media/platform/ti-vpe/vpe.c
++++ b/drivers/media/platform/ti-vpe/vpe.c
+@@ -2470,6 +2470,8 @@ static int vpe_runtime_get(struct platform_device *pdev)
+
+ r = pm_runtime_get_sync(&pdev->dev);
+ WARN_ON(r < 0);
++ if (r)
++ pm_runtime_put_noidle(&pdev->dev);
+ return r < 0 ? r : 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 592ade4062f344f4cd570b838cadf43e45cbe818 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Aug 2020 23:15:47 +0200
+Subject: media: tuner-simple: fix regression in simple_set_radio_freq
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 505bfc2a142f12ce7bc7a878b44abc3496f2e747 ]
+
+clang static analysis reports this problem
+
+tuner-simple.c:714:13: warning: Assigned value is
+ garbage or undefined
+ buffer[1] = buffer[3];
+ ^ ~~~~~~~~~
+In simple_set_radio_freq buffer[3] used to be done
+in-function with a switch of tuner type, now done
+by a call to simple_radio_bandswitch which has this case
+
+ case TUNER_TENA_9533_DI:
+ case TUNER_YMEC_TVF_5533MF:
+ tuner_dbg("This tuner doesn't ...
+ return 0;
+
+which does not set buffer[3]. In the old logic, this case
+would have returned 0 from simple_set_radio_freq.
+
+Recover this old behavior by returning an error for this
+codition. Since the old simple_set_radio_freq behavior
+returned a 0, do the same.
+
+Fixes: c7a9f3aa1e1b ("V4L/DVB (7129): tuner-simple: move device-specific code into three separate functions")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/tuner-simple.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/tuners/tuner-simple.c b/drivers/media/tuners/tuner-simple.c
+index cf44d3657f555..9b2501046bd14 100644
+--- a/drivers/media/tuners/tuner-simple.c
++++ b/drivers/media/tuners/tuner-simple.c
+@@ -499,7 +499,7 @@ static int simple_radio_bandswitch(struct dvb_frontend *fe, u8 *buffer)
+ case TUNER_TENA_9533_DI:
+ case TUNER_YMEC_TVF_5533MF:
+ tuner_dbg("This tuner doesn't have FM. Most cards have a TEA5767 for FM\n");
+- return 0;
++ return -EINVAL;
+ case TUNER_PHILIPS_FM1216ME_MK3:
+ case TUNER_PHILIPS_FM1236_MK3:
+ case TUNER_PHILIPS_FMD1216ME_MK3:
+@@ -700,7 +700,8 @@ static int simple_set_radio_freq(struct dvb_frontend *fe,
+ TUNER_RATIO_SELECT_50; /* 50 kHz step */
+
+ /* Bandswitch byte */
+- simple_radio_bandswitch(fe, &buffer[0]);
++ if (simple_radio_bandswitch(fe, &buffer[0]))
++ return 0;
+
+ /* Convert from 1/16 kHz V4L steps to 1/20 MHz (=50 kHz) PLL steps
+ freq * (1 Mhz / 16000 V4L steps) * (20 PLL steps / 1 MHz) =
+--
+2.25.1
+
--- /dev/null
+From 32834955a15b35051083d309da545dda4f2c68bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Aug 2020 03:21:33 +0200
+Subject: media: uvcvideo: Ensure all probed info is returned to v4l2
+
+From: Adam Goode <agoode@google.com>
+
+[ Upstream commit 8a652a17e3c005dcdae31b6c8fdf14382a29cbbe ]
+
+bFrameIndex and bFormatIndex can be negotiated by the camera during
+probing, resulting in the camera choosing a different format than
+expected. v4l2 can already accommodate such changes, but the code was
+not updating the proper fields.
+
+Without such a change, v4l2 would potentially interpret the payload
+incorrectly, causing corrupted output. This was happening on the
+Elgato HD60 S+, which currently always renegotiates to format 1.
+
+As an aside, the Elgato firmware is buggy and should not be renegotating,
+but it is still a valid thing for the camera to do. Both macOS and Windows
+will properly probe and read uncorrupted images from this camera.
+
+With this change, both qv4l2 and chromium can now read uncorrupted video
+from the Elgato HD60 S+.
+
+[Add blank lines, remove periods at the of messages]
+
+Signed-off-by: Adam Goode <agoode@google.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 3e7e283a44a8e..644afd55c0f0f 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -252,11 +252,41 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream,
+ if (ret < 0)
+ goto done;
+
++ /* After the probe, update fmt with the values returned from
++ * negotiation with the device.
++ */
++ for (i = 0; i < stream->nformats; ++i) {
++ if (probe->bFormatIndex == stream->format[i].index) {
++ format = &stream->format[i];
++ break;
++ }
++ }
++
++ if (i == stream->nformats) {
++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n",
++ probe->bFormatIndex);
++ return -EINVAL;
++ }
++
++ for (i = 0; i < format->nframes; ++i) {
++ if (probe->bFrameIndex == format->frame[i].bFrameIndex) {
++ frame = &format->frame[i];
++ break;
++ }
++ }
++
++ if (i == format->nframes) {
++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n",
++ probe->bFrameIndex);
++ return -EINVAL;
++ }
++
+ fmt->fmt.pix.width = frame->wWidth;
+ fmt->fmt.pix.height = frame->wHeight;
+ fmt->fmt.pix.field = V4L2_FIELD_NONE;
+ fmt->fmt.pix.bytesperline = uvc_v4l2_get_bytesperline(format, frame);
+ fmt->fmt.pix.sizeimage = probe->dwMaxVideoFrameSize;
++ fmt->fmt.pix.pixelformat = format->fcc;
+ fmt->fmt.pix.colorspace = format->colorspace;
+ fmt->fmt.pix.priv = 0;
+
+--
+2.25.1
+
--- /dev/null
+From 9030f28b25d77661532b4361145e06874d303942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Jun 2020 04:05:49 +0200
+Subject: media: uvcvideo: Set media controller entity functions
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit d6834b4b58d110814aaf3469e7fd87d34ae5ae81 ]
+
+The media controller core prints a warning when an entity is registered
+without a function being set. This affects the uvcvideo driver, as the
+warning was added without first addressing the issue in existing
+drivers. The problem is harmless, but unnecessarily worries users. Fix
+it by mapping UVC entity types to MC entity functions as accurately as
+possible using the existing functions.
+
+Fixes: b50bde4e476d ("[media] v4l2-subdev: use MEDIA_ENT_T_UNKNOWN for new subdevs")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_entity.c | 35 ++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_entity.c b/drivers/media/usb/uvc/uvc_entity.c
+index 554063c07d7a2..f2457953f27c6 100644
+--- a/drivers/media/usb/uvc/uvc_entity.c
++++ b/drivers/media/usb/uvc/uvc_entity.c
+@@ -78,10 +78,45 @@ static int uvc_mc_init_entity(struct uvc_video_chain *chain,
+ int ret;
+
+ if (UVC_ENTITY_TYPE(entity) != UVC_TT_STREAMING) {
++ u32 function;
++
+ v4l2_subdev_init(&entity->subdev, &uvc_subdev_ops);
+ strlcpy(entity->subdev.name, entity->name,
+ sizeof(entity->subdev.name));
+
++ switch (UVC_ENTITY_TYPE(entity)) {
++ case UVC_VC_SELECTOR_UNIT:
++ function = MEDIA_ENT_F_VID_MUX;
++ break;
++ case UVC_VC_PROCESSING_UNIT:
++ case UVC_VC_EXTENSION_UNIT:
++ /* For lack of a better option. */
++ function = MEDIA_ENT_F_PROC_VIDEO_PIXEL_FORMATTER;
++ break;
++ case UVC_COMPOSITE_CONNECTOR:
++ case UVC_COMPONENT_CONNECTOR:
++ function = MEDIA_ENT_F_CONN_COMPOSITE;
++ break;
++ case UVC_SVIDEO_CONNECTOR:
++ function = MEDIA_ENT_F_CONN_SVIDEO;
++ break;
++ case UVC_ITT_CAMERA:
++ function = MEDIA_ENT_F_CAM_SENSOR;
++ break;
++ case UVC_TT_VENDOR_SPECIFIC:
++ case UVC_ITT_VENDOR_SPECIFIC:
++ case UVC_ITT_MEDIA_TRANSPORT_INPUT:
++ case UVC_OTT_VENDOR_SPECIFIC:
++ case UVC_OTT_DISPLAY:
++ case UVC_OTT_MEDIA_TRANSPORT_OUTPUT:
++ case UVC_EXTERNAL_VENDOR_SPECIFIC:
++ default:
++ function = MEDIA_ENT_F_V4L2_SUBDEV_UNKNOWN;
++ break;
++ }
++
++ entity->subdev.entity.function = function;
++
+ ret = media_entity_pads_init(&entity->subdev.entity,
+ entity->num_pads, entity->pads);
+
+--
+2.25.1
+
--- /dev/null
+From 7a8db63e8e83f6e3000ab9f6a65729b5c4a2c24f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jun 2020 07:55:23 +0200
+Subject: media: venus: core: Fix runtime PM imbalance in venus_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit bbe516e976fce538db96bd2b7287df942faa14a3 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced. For other error
+paths after this call, things are the same.
+
+Fix this by adding pm_runtime_put_noidle() after 'err_runtime_disable'
+label. But in this case, the error path after pm_runtime_put_sync()
+will decrease PM usage counter twice. Thus add an extra
+pm_runtime_get_noresume() in this path to balance PM counter.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
+index 9360b36b82cd8..0a011b117a6db 100644
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -236,8 +236,10 @@ static int venus_probe(struct platform_device *pdev)
+ goto err_dev_unregister;
+
+ ret = pm_runtime_put_sync(dev);
+- if (ret)
++ if (ret) {
++ pm_runtime_get_noresume(dev);
+ goto err_dev_unregister;
++ }
+
+ return 0;
+
+@@ -248,6 +250,7 @@ static int venus_probe(struct platform_device *pdev)
+ err_venus_shutdown:
+ venus_shutdown(dev);
+ err_runtime_disable:
++ pm_runtime_put_noidle(dev);
+ pm_runtime_set_suspended(dev);
+ pm_runtime_disable(dev);
+ hfi_destroy(core);
+--
+2.25.1
+
--- /dev/null
+From 981b63d65cc1f91ef507009e681f979e8fe6144e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2020 07:29:19 +0200
+Subject: media: vsp1: Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 98fae901c8883640202802174a4bd70a1b9118bd ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vsp1/vsp1_drv.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/vsp1/vsp1_drv.c b/drivers/media/platform/vsp1/vsp1_drv.c
+index eed9516e25e1d..5836fb298de27 100644
+--- a/drivers/media/platform/vsp1/vsp1_drv.c
++++ b/drivers/media/platform/vsp1/vsp1_drv.c
+@@ -549,7 +549,12 @@ int vsp1_device_get(struct vsp1_device *vsp1)
+ int ret;
+
+ ret = pm_runtime_get_sync(vsp1->dev);
+- return ret < 0 ? ret : 0;
++ if (ret < 0) {
++ pm_runtime_put_noidle(vsp1->dev);
++ return ret;
++ }
++
++ return 0;
+ }
+
+ /*
+@@ -829,12 +834,12 @@ static int vsp1_probe(struct platform_device *pdev)
+ /* Configure device parameters based on the version register. */
+ pm_runtime_enable(&pdev->dev);
+
+- ret = pm_runtime_get_sync(&pdev->dev);
++ ret = vsp1_device_get(vsp1);
+ if (ret < 0)
+ goto done;
+
+ vsp1->version = vsp1_read(vsp1, VI6_IP_VERSION);
+- pm_runtime_put_sync(&pdev->dev);
++ vsp1_device_put(vsp1);
+
+ for (i = 0; i < ARRAY_SIZE(vsp1_device_infos); ++i) {
+ if ((vsp1->version & VI6_IP_VERSION_MODEL_MASK) ==
+--
+2.25.1
+
--- /dev/null
+From 99cff6e8334121d6b2b44be21c9903fde9da0b23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 09:33:15 +0200
+Subject: memory: fsl-corenet-cf: Fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit dd85345abca60a8916617e8d75c0f9ce334336dd ]
+
+platform_get_irq() returns -ERRNO on error. In such case comparison
+to 0 would pass the check.
+
+Fixes: 54afbec0d57f ("memory: Freescale CoreNet Coherency Fabric error reporting driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200827073315.29351-1-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/fsl-corenet-cf.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/memory/fsl-corenet-cf.c b/drivers/memory/fsl-corenet-cf.c
+index 662d050243bec..2fbf8d09af36b 100644
+--- a/drivers/memory/fsl-corenet-cf.c
++++ b/drivers/memory/fsl-corenet-cf.c
+@@ -215,10 +215,8 @@ static int ccf_probe(struct platform_device *pdev)
+ dev_set_drvdata(&pdev->dev, ccf);
+
+ irq = platform_get_irq(pdev, 0);
+- if (!irq) {
+- dev_err(&pdev->dev, "%s: no irq\n", __func__);
+- return -ENXIO;
+- }
++ if (irq < 0)
++ return irq;
+
+ ret = devm_request_irq(&pdev->dev, irq, ccf_irq, 0, pdev->name, ccf);
+ if (ret) {
+--
+2.25.1
+
--- /dev/null
+From 9acfad13f972d5b89a9f6d9718866bb5fdcdda0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 13:47:07 +0300
+Subject: memory: omap-gpmc: Fix a couple off by ones
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4c54228ac8fd55044195825873c50a524131fa53 ]
+
+These comparisons should be >= instead of > to prevent reading one
+element beyond the end of the gpmc_cs[] array.
+
+Fixes: cdd6928c589a ("ARM: OMAP2+: Add device-tree support for NOR flash")
+Fixes: f37e4580c409 ("ARM: OMAP2: Dynamic allocator for GPMC memory space")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Link: https://lore.kernel.org/r/20200825104707.GB278587@mwanda
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/omap-gpmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
+index 7059bbda2faca..cc0da96d07cae 100644
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -951,7 +951,7 @@ static int gpmc_cs_remap(int cs, u32 base)
+ int ret;
+ u32 old_base, size;
+
+- if (cs > gpmc_cs_num) {
++ if (cs >= gpmc_cs_num) {
+ pr_err("%s: requested chip-select is disabled\n", __func__);
+ return -ENODEV;
+ }
+@@ -986,7 +986,7 @@ int gpmc_cs_request(int cs, unsigned long size, unsigned long *base)
+ struct resource *res = &gpmc->mem;
+ int r = -1;
+
+- if (cs > gpmc_cs_num) {
++ if (cs >= gpmc_cs_num) {
+ pr_err("%s: requested chip-select is disabled\n", __func__);
+ return -ENODEV;
+ }
+--
+2.25.1
+
--- /dev/null
+From 470b3b5f63710963984afe742e23acf9edcc9c63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 14:33:26 +0300
+Subject: mfd: sm501: Fix leaks in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 8ce24f8967df2836b4557a23e74dc4bb098249f1 ]
+
+This code should clean up if sm501_init_dev() fails.
+
+Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/sm501.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
+index 3270b8dbc9498..4ca245518a199 100644
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -1425,8 +1425,14 @@ static int sm501_plat_probe(struct platform_device *dev)
+ goto err_claim;
+ }
+
+- return sm501_init_dev(sm);
++ ret = sm501_init_dev(sm);
++ if (ret)
++ goto err_unmap;
++
++ return 0;
+
++ err_unmap:
++ iounmap(sm->regs);
+ err_claim:
+ release_resource(sm->regs_claim);
+ kfree(sm->regs_claim);
+--
+2.25.1
+
--- /dev/null
+From bbaa23f371b2ac5025032405a55fc9c02f880e45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 17:11:06 +0800
+Subject: mic: vop: copy data to kernel space then write to io memory
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+[ Upstream commit 675f0ad4046946e80412896436164d172cd92238 ]
+
+Read and write io memory should address align on ARCH ARM. Change to use
+memcpy_toio to avoid kernel panic caused by the address un-align issue.
+
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Link: https://lore.kernel.org/r/20200929091106.24624-5-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mic/vop/vop_vringh.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c
+index fed992e2c2583..99bde52a3a256 100644
+--- a/drivers/misc/mic/vop/vop_vringh.c
++++ b/drivers/misc/mic/vop/vop_vringh.c
+@@ -611,6 +611,7 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf,
+ size_t partlen;
+ bool dma = VOP_USE_DMA;
+ int err = 0;
++ size_t offset = 0;
+
+ if (daddr & (dma_alignment - 1)) {
+ vdev->tx_dst_unaligned += len;
+@@ -659,13 +660,20 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf,
+ * We are copying to IO below and should ideally use something
+ * like copy_from_user_toio(..) if it existed.
+ */
+- if (copy_from_user((void __force *)dbuf, ubuf, len)) {
+- err = -EFAULT;
+- dev_err(vop_dev(vdev), "%s %d err %d\n",
+- __func__, __LINE__, err);
+- goto err;
++ while (len) {
++ partlen = min_t(size_t, len, VOP_INT_DMA_BUF_SIZE);
++
++ if (copy_from_user(vvr->buf, ubuf + offset, partlen)) {
++ err = -EFAULT;
++ dev_err(vop_dev(vdev), "%s %d err %d\n",
++ __func__, __LINE__, err);
++ goto err;
++ }
++ memcpy_toio(dbuf + offset, vvr->buf, partlen);
++ offset += partlen;
++ vdev->out_bytes += partlen;
++ len -= partlen;
+ }
+- vdev->out_bytes += len;
+ err = 0;
+ err:
+ vpdev->hw_ops->iounmap(vpdev, dbuf);
+--
+2.25.1
+
--- /dev/null
+From f6bbfc68bacdf5b27e31f42b376ae985e8d1d74c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Sep 2020 08:21:35 +0530
+Subject: misc: mic: scif: Fix error handling path
+
+From: Souptick Joarder <jrdr.linux@gmail.com>
+
+[ Upstream commit a81072a9c0ae734b7889929b0bc070fe3f353f0e ]
+
+Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it
+will call pin_user_pages_fast() to map nr_pages. However,
+pin_user_pages_fast() might fail with a return value -ERRNO.
+
+The return value is stored in pinned_pages->nr_pages. which in
+turn is passed to unpin_user_pages(), which expects
+pinned_pages->nr_pages >=0, else disaster.
+
+Fix this by assigning pinned_pages->nr_pages to 0 if
+pin_user_pages_fast() returns -ERRNO.
+
+Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and unregistration")
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: John Hubbard <jhubbard@nvidia.com>
+Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
+Link: https://lore.kernel.org/r/1600570295-29546-1-git-send-email-jrdr.linux@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mic/scif/scif_rma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c
+index 95745dc4e0ecf..f282c2eaab29b 100644
+--- a/drivers/misc/mic/scif/scif_rma.c
++++ b/drivers/misc/mic/scif/scif_rma.c
+@@ -1404,6 +1404,8 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
+ NULL);
+ up_write(&mm->mmap_sem);
+ if (nr_pages != pinned_pages->nr_pages) {
++ if (pinned_pages->nr_pages < 0)
++ pinned_pages->nr_pages = 0;
+ if (try_upgrade) {
+ if (ulimit)
+ __scif_dec_pinned_vm_lock(mm,
+@@ -1424,7 +1426,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
+
+ if (pinned_pages->nr_pages < nr_pages) {
+ err = -EFAULT;
+- pinned_pages->nr_pages = nr_pages;
+ goto dec_pinned;
+ }
+
+@@ -1437,7 +1438,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
+ __scif_dec_pinned_vm_lock(mm, nr_pages, 0);
+ /* Something went wrong! Rollback */
+ error_unmap:
+- pinned_pages->nr_pages = nr_pages;
+ scif_destroy_pinned_pages(pinned_pages);
+ *pages = NULL;
+ dev_dbg(scif_info.mdev.this_device,
+--
+2.25.1
+
--- /dev/null
+From d51f4e84ef683ded96e19491ebaf3194f8bedfb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 07:18:51 +0000
+Subject: misc: rtsx: Fix memory leak in rtsx_pci_probe
+
+From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+
+[ Upstream commit bc28369c6189009b66d9619dd9f09bd8c684bb98 ]
+
+When mfd_add_devices() fail, pcr->slots should also be freed. However,
+the current implementation does not free the member, leading to a memory
+leak.
+
+Fix this by adding a new goto label that frees pcr->slots.
+
+Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+Link: https://lore.kernel.org/r/20200909071853.4053-1-keitasuzuki.park@sslab.ics.keio.ac.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/rtsx_pcr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/rtsx_pcr.c b/drivers/mfd/rtsx_pcr.c
+index 3cf69e5c57035..c9e45b6befacf 100644
+--- a/drivers/mfd/rtsx_pcr.c
++++ b/drivers/mfd/rtsx_pcr.c
+@@ -1268,12 +1268,14 @@ static int rtsx_pci_probe(struct pci_dev *pcidev,
+ ret = mfd_add_devices(&pcidev->dev, pcr->id, rtsx_pcr_cells,
+ ARRAY_SIZE(rtsx_pcr_cells), NULL, 0, NULL);
+ if (ret < 0)
+- goto disable_irq;
++ goto free_slots;
+
+ schedule_delayed_work(&pcr->idle_work, msecs_to_jiffies(200));
+
+ return 0;
+
++free_slots:
++ kfree(pcr->slots);
+ disable_irq:
+ free_irq(pcr->irq, (void *)pcr);
+ disable_msi:
+--
+2.25.1
+
--- /dev/null
+From 2c869903bb4b29f84fdc64f4ecf7d44aedcdf002 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 17:11:05 +0800
+Subject: misc: vop: add round_up(x,4) for vring_size to avoid kernel panic
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+[ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ]
+
+Since struct _mic_vring_info and vring are allocated together and follow
+vring, if the vring_size() is not four bytes aligned, which will cause
+the start address of struct _mic_vring_info is not four byte aligned.
+For example, when vring entries is 128, the vring_size() will be 5126
+bytes. The _mic_vring_info struct layout in ddr looks like:
+0x90002400: 00000000 00390000 EE010000 0000C0FF
+Here 0x39 is the avail_idx member, and 0xC0FFEE01 is the magic member.
+
+When EP use ioread32(magic) to reads the magic in RC's share memory, it
+will cause kernel panic on ARM64 platform due to the cross-byte io read.
+Here read magic in user space use le32toh(vr0->info->magic) will meet
+the same issue.
+So add round_up(x,4) for vring_size, then the struct _mic_vring_info
+will store in this way:
+0x90002400: 00000000 00000000 00000039 C0FFEE01
+Which will avoid kernel panic when read magic in struct _mic_vring_info.
+
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Link: https://lore.kernel.org/r/20200929091106.24624-4-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mic/vop/vop_main.c | 2 +-
+ drivers/misc/mic/vop/vop_vringh.c | 4 ++--
+ samples/mic/mpssd/mpssd.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/misc/mic/vop/vop_main.c b/drivers/misc/mic/vop/vop_main.c
+index a341938c7e2c6..e7cb57f8ddfe2 100644
+--- a/drivers/misc/mic/vop/vop_main.c
++++ b/drivers/misc/mic/vop/vop_main.c
+@@ -301,7 +301,7 @@ static struct virtqueue *vop_find_vq(struct virtio_device *dev,
+ /* First assign the vring's allocated in host memory */
+ vqconfig = _vop_vq_config(vdev->desc) + index;
+ memcpy_fromio(&config, vqconfig, sizeof(config));
+- _vr_size = vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN);
++ _vr_size = round_up(vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN), 4);
+ vr_size = PAGE_ALIGN(_vr_size + sizeof(struct _mic_vring_info));
+ va = vpdev->hw_ops->ioremap(vpdev, le64_to_cpu(config.address),
+ vr_size);
+diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c
+index 99bde52a3a256..49e7a7240469c 100644
+--- a/drivers/misc/mic/vop/vop_vringh.c
++++ b/drivers/misc/mic/vop/vop_vringh.c
+@@ -308,7 +308,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev,
+
+ num = le16_to_cpu(vqconfig[i].num);
+ mutex_init(&vvr->vr_mutex);
+- vr_size = PAGE_ALIGN(vring_size(num, MIC_VIRTIO_RING_ALIGN) +
++ vr_size = PAGE_ALIGN(round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4) +
+ sizeof(struct _mic_vring_info));
+ vr->va = (void *)
+ __get_free_pages(GFP_KERNEL | __GFP_ZERO,
+@@ -320,7 +320,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev,
+ goto err;
+ }
+ vr->len = vr_size;
+- vr->info = vr->va + vring_size(num, MIC_VIRTIO_RING_ALIGN);
++ vr->info = vr->va + round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4);
+ vr->info->magic = cpu_to_le32(MIC_MAGIC + vdev->virtio_id + i);
+ vr_addr = dma_map_single(&vpdev->dev, vr->va, vr_size,
+ DMA_BIDIRECTIONAL);
+diff --git a/samples/mic/mpssd/mpssd.c b/samples/mic/mpssd/mpssd.c
+index 49db1def1721c..84e583ab8fd0c 100644
+--- a/samples/mic/mpssd/mpssd.c
++++ b/samples/mic/mpssd/mpssd.c
+@@ -414,9 +414,9 @@ mic_virtio_copy(struct mic_info *mic, int fd,
+
+ static inline unsigned _vring_size(unsigned int num, unsigned long align)
+ {
+- return ((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num)
++ return _ALIGN_UP(((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num)
+ + align - 1) & ~(align - 1))
+- + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num;
++ + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num, 4);
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From b67f462e290292180b8084d835007dce1ab0deab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 16:53:13 -0700
+Subject: mm/memcg: fix device private memcg accounting
+
+From: Ralph Campbell <rcampbell@nvidia.com>
+
+[ Upstream commit 9a137153fc8798a89d8fce895cd0a06ea5b8e37c ]
+
+The code in mc_handle_swap_pte() checks for non_swap_entry() and returns
+NULL before checking is_device_private_entry() so device private pages are
+never handled. Fix this by checking for non_swap_entry() after handling
+device private swap PTEs.
+
+I assume the memory cgroup accounting would be off somehow when moving
+a process to another memory cgroup. Currently, the device private page
+is charged like a normal anonymous page when allocated and is uncharged
+when the page is freed so I think that path is OK.
+
+Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Link: https://lkml.kernel.org/r/20201009215952.2726-1-rcampbell@nvidia.com
+xFixes: c733a82874a7 ("mm/memcontrol: support MEMORY_DEVICE_PRIVATE")
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memcontrol.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 5cbcd4b81bf8f..70707d44a6903 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4514,7 +4514,7 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma,
+ struct page *page = NULL;
+ swp_entry_t ent = pte_to_swp_entry(ptent);
+
+- if (!(mc.flags & MOVE_ANON) || non_swap_entry(ent))
++ if (!(mc.flags & MOVE_ANON))
+ return NULL;
+
+ /*
+@@ -4533,6 +4533,9 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma,
+ return page;
+ }
+
++ if (non_swap_entry(ent))
++ return NULL;
++
+ /*
+ * Because lookup_swap_cache() updates some statistics counter,
+ * we call find_get_page() with swapper_space directly.
+--
+2.25.1
+
--- /dev/null
+From 1869cbe64ae4ba03ce0968af22531e5256f079cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 16:58:35 -0700
+Subject: mm, oom_adj: don't loop through tasks in __set_oom_adj when not
+ necessary
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+[ Upstream commit 67197a4f28d28d0b073ab0427b03cb2ee5382578 ]
+
+Currently __set_oom_adj loops through all processes in the system to keep
+oom_score_adj and oom_score_adj_min in sync between processes sharing
+their mm. This is done for any task with more that one mm_users, which
+includes processes with multiple threads (sharing mm and signals).
+However for such processes the loop is unnecessary because their signal
+structure is shared as well.
+
+Android updates oom_score_adj whenever a tasks changes its role
+(background/foreground/...) or binds to/unbinds from a service, making it
+more/less important. Such operation can happen frequently. We noticed
+that updates to oom_score_adj became more expensive and after further
+investigation found out that the patch mentioned in "Fixes" introduced a
+regression. Using Pixel 4 with a typical Android workload, write time to
+oom_score_adj increased from ~3.57us to ~362us. Moreover this regression
+linearly depends on the number of multi-threaded processes running on the
+system.
+
+Mark the mm with a new MMF_MULTIPROCESS flag bit when task is created with
+(CLONE_VM && !CLONE_THREAD && !CLONE_VFORK). Change __set_oom_adj to use
+MMF_MULTIPROCESS instead of mm_users to decide whether oom_score_adj
+update should be synchronized between multiple processes. To prevent
+races between clone() and __set_oom_adj(), when oom_score_adj of the
+process being cloned might be modified from userspace, we use
+oom_adj_mutex. Its scope is changed to global.
+
+The combination of (CLONE_VM && !CLONE_THREAD) is rarely used except for
+the case of vfork(). To prevent performance regressions of vfork(), we
+skip taking oom_adj_mutex and setting MMF_MULTIPROCESS when CLONE_VFORK is
+specified. Clearing the MMF_MULTIPROCESS flag (when the last process
+sharing the mm exits) is left out of this patch to keep it simple and
+because it is believed that this threading model is rare. Should there
+ever be a need for optimizing that case as well, it can be done by hooking
+into the exit path, likely following the mm_update_next_owner pattern.
+
+With the combination of (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK) being
+quite rare, the regression is gone after the change is applied.
+
+[surenb@google.com: v3]
+ Link: https://lkml.kernel.org/r/20200902012558.2335613-1-surenb@google.com
+
+Fixes: 44a70adec910 ("mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj")
+Reported-by: Tim Murray <timmurray@google.com>
+Suggested-by: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Eugene Syromiatnikov <esyr@redhat.com>
+Cc: Christian Kellner <christian@kellner.me>
+Cc: Adrian Reber <areber@redhat.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Aleksa Sarai <cyphar@cyphar.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Alexey Gladkov <gladkov.alexey@gmail.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
+Cc: Andrei Vagin <avagin@gmail.com>
+Cc: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Cc: John Johansen <john.johansen@canonical.com>
+Cc: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lkml.kernel.org/r/20200824153036.3201505-1-surenb@google.com
+Debugged-by: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 3 +--
+ include/linux/oom.h | 1 +
+ include/linux/sched/coredump.h | 1 +
+ kernel/fork.c | 21 +++++++++++++++++++++
+ mm/oom_kill.c | 2 ++
+ 5 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 64695dcf89f3b..eeb81d9648c67 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -1041,7 +1041,6 @@ static ssize_t oom_adj_read(struct file *file, char __user *buf, size_t count,
+
+ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy)
+ {
+- static DEFINE_MUTEX(oom_adj_mutex);
+ struct mm_struct *mm = NULL;
+ struct task_struct *task;
+ int err = 0;
+@@ -1081,7 +1080,7 @@ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy)
+ struct task_struct *p = find_lock_task_mm(task);
+
+ if (p) {
+- if (atomic_read(&p->mm->mm_users) > 1) {
++ if (test_bit(MMF_MULTIPROCESS, &p->mm->flags)) {
+ mm = p->mm;
+ mmgrab(mm);
+ }
+diff --git a/include/linux/oom.h b/include/linux/oom.h
+index 6adac113e96d2..c84597595cb41 100644
+--- a/include/linux/oom.h
++++ b/include/linux/oom.h
+@@ -45,6 +45,7 @@ struct oom_control {
+ };
+
+ extern struct mutex oom_lock;
++extern struct mutex oom_adj_mutex;
+
+ static inline void set_current_oom_origin(void)
+ {
+diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h
+index ecdc6542070f1..dfd82eab29025 100644
+--- a/include/linux/sched/coredump.h
++++ b/include/linux/sched/coredump.h
+@@ -72,6 +72,7 @@ static inline int get_dumpable(struct mm_struct *mm)
+ #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */
+ #define MMF_OOM_VICTIM 25 /* mm is the oom victim */
+ #define MMF_OOM_REAP_QUEUED 26 /* mm was queued for oom_reaper */
++#define MMF_MULTIPROCESS 27 /* mm is shared between processes */
+ #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP)
+
+ #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 0a328cf0cb136..535aeb7ca145c 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1544,6 +1544,25 @@ static __always_inline void delayed_free_task(struct task_struct *tsk)
+ free_task(tsk);
+ }
+
++static void copy_oom_score_adj(u64 clone_flags, struct task_struct *tsk)
++{
++ /* Skip if kernel thread */
++ if (!tsk->mm)
++ return;
++
++ /* Skip if spawning a thread or using vfork */
++ if ((clone_flags & (CLONE_VM | CLONE_THREAD | CLONE_VFORK)) != CLONE_VM)
++ return;
++
++ /* We need to synchronize with __set_oom_adj */
++ mutex_lock(&oom_adj_mutex);
++ set_bit(MMF_MULTIPROCESS, &tsk->mm->flags);
++ /* Update the values in case they were changed after copy_signal */
++ tsk->signal->oom_score_adj = current->signal->oom_score_adj;
++ tsk->signal->oom_score_adj_min = current->signal->oom_score_adj_min;
++ mutex_unlock(&oom_adj_mutex);
++}
++
+ /*
+ * This creates a new process as a copy of the old one,
+ * but does not actually start it yet.
+@@ -1952,6 +1971,8 @@ static __latent_entropy struct task_struct *copy_process(
+ trace_task_newtask(p, clone_flags);
+ uprobe_copy_process(p, clone_flags);
+
++ copy_oom_score_adj(clone_flags, p);
++
+ return p;
+
+ bad_fork_cancel_cgroup:
+diff --git a/mm/oom_kill.c b/mm/oom_kill.c
+index 7a5c0b229c6ae..6482d743c5c88 100644
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -53,6 +53,8 @@ int sysctl_oom_kill_allocating_task;
+ int sysctl_oom_dump_tasks = 1;
+
+ DEFINE_MUTEX(oom_lock);
++/* Serializes oom_score_adj and oom_score_adj_min updates */
++DEFINE_MUTEX(oom_adj_mutex);
+
+ #ifdef CONFIG_NUMA
+ /**
+--
+2.25.1
+
--- /dev/null
+From 0f87df463f419025a5111f0419eb87cf0d0ad99f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 15:38:34 +0200
+Subject: mmc: sdio: Check for CISTPL_VERS_1 buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ]
+
+Before parsing CISTPL_VERS_1 structure check that its size is at least two
+bytes to prevent buffer overflow.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20200727133837.19086-2-pali@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/sdio_cis.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c
+index f8c372839d244..2ca5cd79018b4 100644
+--- a/drivers/mmc/core/sdio_cis.c
++++ b/drivers/mmc/core/sdio_cis.c
+@@ -30,6 +30,9 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
+ unsigned i, nr_strings;
+ char **buffer, *string;
+
++ if (size < 2)
++ return 0;
++
+ /* Find all null-terminated (including zero length) strings in
+ the TPLLV1_INFO field. Trailing garbage is ignored. */
+ buf += 2;
+--
+2.25.1
+
--- /dev/null
+From 8ebfb9a397d9efe4f9a085112e2ed87fc60fa8fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 16:01:16 +0200
+Subject: mtd: lpddr: fix excessive stack usage with clang
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 3e1b6469f8324bee5927b063e2aca30d3e56b907 ]
+
+Building lpddr2_nvm with clang can result in a giant stack usage
+in one function:
+
+drivers/mtd/lpddr/lpddr2_nvm.c:399:12: error: stack frame size of 1144 bytes in function 'lpddr2_nvm_probe' [-Werror,-Wframe-larger-than=]
+
+The problem is that clang decides to build a copy of the mtd_info
+structure on the stack and then do a memcpy() into the actual version. It
+shouldn't really do it that way, but it's not strictly a bug either.
+
+As a workaround, use a static const version of the structure to assign
+most of the members upfront and then only set the few members that
+require runtime knowledge at probe time.
+
+Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200505140136.263461-1-arnd@arndb.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/lpddr/lpddr2_nvm.c | 35 ++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c
+index 2342277c9bcb0..5e36366d9b36d 100644
+--- a/drivers/mtd/lpddr/lpddr2_nvm.c
++++ b/drivers/mtd/lpddr/lpddr2_nvm.c
+@@ -408,6 +408,17 @@ static int lpddr2_nvm_lock(struct mtd_info *mtd, loff_t start_add,
+ return lpddr2_nvm_do_block_op(mtd, start_add, len, LPDDR2_NVM_LOCK);
+ }
+
++static const struct mtd_info lpddr2_nvm_mtd_info = {
++ .type = MTD_RAM,
++ .writesize = 1,
++ .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK),
++ ._read = lpddr2_nvm_read,
++ ._write = lpddr2_nvm_write,
++ ._erase = lpddr2_nvm_erase,
++ ._unlock = lpddr2_nvm_unlock,
++ ._lock = lpddr2_nvm_lock,
++};
++
+ /*
+ * lpddr2_nvm driver probe method
+ */
+@@ -448,6 +459,7 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
+ .pfow_base = OW_BASE_ADDRESS,
+ .fldrv_priv = pcm_data,
+ };
++
+ if (IS_ERR(map->virt))
+ return PTR_ERR(map->virt);
+
+@@ -459,22 +471,13 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
+ return PTR_ERR(pcm_data->ctl_regs);
+
+ /* Populate mtd_info data structure */
+- *mtd = (struct mtd_info) {
+- .dev = { .parent = &pdev->dev },
+- .name = pdev->dev.init_name,
+- .type = MTD_RAM,
+- .priv = map,
+- .size = resource_size(add_range),
+- .erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width,
+- .writesize = 1,
+- .writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width,
+- .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK),
+- ._read = lpddr2_nvm_read,
+- ._write = lpddr2_nvm_write,
+- ._erase = lpddr2_nvm_erase,
+- ._unlock = lpddr2_nvm_unlock,
+- ._lock = lpddr2_nvm_lock,
+- };
++ *mtd = lpddr2_nvm_mtd_info;
++ mtd->dev.parent = &pdev->dev;
++ mtd->name = pdev->dev.init_name;
++ mtd->priv = map;
++ mtd->size = resource_size(add_range);
++ mtd->erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width;
++ mtd->writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width;
+
+ /* Verify the presence of the device looking for PFOW string */
+ if (!lpddr2_nvm_pfow_present(map)) {
+--
+2.25.1
+
--- /dev/null
+From a98ea8b05faabd21be8b187f68a830352d5d3da9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 15:42:17 +1200
+Subject: mtd: mtdoops: Don't write panic data twice
+
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+
+[ Upstream commit c1cf1d57d1492235309111ea6a900940213a9166 ]
+
+If calling mtdoops_write, don't also schedule work to be done later.
+
+Although this appears to not be causing an issue, possibly because the
+scheduled work will never get done, it is confusing.
+
+Fixes: 016c1291ce70 ("mtd: mtdoops: do not use mtd->panic_write directly")
+Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200903034217.23079-1-mark.tomlinson@alliedtelesis.co.nz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdoops.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c
+index 97bb8f6304d4f..09165eaac7a15 100644
+--- a/drivers/mtd/mtdoops.c
++++ b/drivers/mtd/mtdoops.c
+@@ -313,12 +313,13 @@ static void mtdoops_do_dump(struct kmsg_dumper *dumper,
+ kmsg_dump_get_buffer(dumper, true, cxt->oops_buf + MTDOOPS_HEADER_SIZE,
+ record_size - MTDOOPS_HEADER_SIZE, NULL);
+
+- /* Panics must be written immediately */
+- if (reason != KMSG_DUMP_OOPS)
++ if (reason != KMSG_DUMP_OOPS) {
++ /* Panics must be written immediately */
+ mtdoops_write(cxt, 1);
+-
+- /* For other cases, schedule work to write it "nicely" */
+- schedule_work(&cxt->work_write);
++ } else {
++ /* For other cases, schedule work to write it "nicely" */
++ schedule_work(&cxt->work_write);
++ }
+ }
+
+ static void mtdoops_notify_add(struct mtd_info *mtd)
+--
+2.25.1
+
--- /dev/null
+From 924d692d42ef81a97759f350b901cf636903e234 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Aug 2020 11:29:06 +0200
+Subject: mwifiex: Do not use GFP_KERNEL in atomic context
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d2ab7f00f4321370a8ee14e5630d4349fdacc42e ]
+
+A possible call chain is as follow:
+ mwifiex_sdio_interrupt (sdio.c)
+ --> mwifiex_main_process (main.c)
+ --> mwifiex_process_cmdresp (cmdevt.c)
+ --> mwifiex_process_sta_cmdresp (sta_cmdresp.c)
+ --> mwifiex_ret_802_11_scan (scan.c)
+ --> mwifiex_parse_single_response_buf (scan.c)
+
+'mwifiex_sdio_interrupt()' is an interrupt function.
+
+Also note that 'mwifiex_ret_802_11_scan()' already uses GFP_ATOMIC.
+
+So use GFP_ATOMIC instead of GFP_KERNEL when memory is allocated in
+'mwifiex_parse_single_response_buf()'.
+
+Fixes: 7c6fa2a843c5 ("mwifiex: use cfg80211 dynamic scan table and cfg80211_get_bss API")
+or
+Fixes: 601216e12c65e ("mwifiex: process RX packets in SDIO IRQ thread directly")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200809092906.744621-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 0071c40afe81b..a95b1368dad71 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1890,7 +1890,7 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info,
+ chan, CFG80211_BSS_FTYPE_UNKNOWN,
+ bssid, timestamp,
+ cap_info_bitmap, beacon_period,
+- ie_buf, ie_len, rssi, GFP_KERNEL);
++ ie_buf, ie_len, rssi, GFP_ATOMIC);
+ if (bss) {
+ bss_priv = (struct mwifiex_bss_priv *)bss->priv;
+ bss_priv->band = band;
+--
+2.25.1
+
--- /dev/null
+From a789d0f2c924ea2c21edea120cd4c677784f46f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 17:27:19 +0900
+Subject: mwifiex: don't call del_timer_sync() on uninitialized timer
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 621a3a8b1c0ecf16e1e5667ea5756a76a082b738 ]
+
+syzbot is reporting that del_timer_sync() is called from
+mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without
+checking timer_setup() from mwifiex_usb_tx_init() was called [1].
+
+Ganapathi Bhat proposed a possibly cleaner fix, but it seems that
+that fix was forgotten [2].
+
+"grep -FrB1 'del_timer' drivers/ | grep -FA1 '.function)'" says that
+currently there are 28 locations which call del_timer[_sync]() only if
+that timer's function field was initialized (because timer_setup() sets
+that timer's function field). Therefore, let's use same approach here.
+
+[1] https://syzkaller.appspot.com/bug?id=26525f643f454dd7be0078423e3cdb0d57744959
+[2] https://lkml.kernel.org/r/CA+ASDXMHt2gq9Hy+iP_BYkWXsSreWdp3_bAfMkNcuqJ3K+-jbQ@mail.gmail.com
+
+Reported-by: syzbot <syzbot+dc4127f950da51639216@syzkaller.appspotmail.com>
+Cc: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Cc: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200821082720.7716-1-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c
+index 50890cab8807b..44d5005188c93 100644
+--- a/drivers/net/wireless/marvell/mwifiex/usb.c
++++ b/drivers/net/wireless/marvell/mwifiex/usb.c
+@@ -1335,7 +1335,8 @@ static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter)
+ skb_dequeue(&port->tx_aggr.aggr_list)))
+ mwifiex_write_data_complete(adapter, skb_tmp,
+ 0, -1);
+- del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer);
++ if (port->tx_aggr.timer_cnxt.hold_timer.function)
++ del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer);
+ port->tx_aggr.timer_cnxt.is_hold_timer_set = false;
+ port->tx_aggr.timer_cnxt.hold_tmo_msecs = 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 3ad1faab31199deb26a1cda846b1e1338ea1a9d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Oct 2020 06:19:31 -0700
+Subject: mwifiex: fix double free
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 53708f4fd9cfe389beab5c8daa763bcd0e0b4aef ]
+
+clang static analysis reports this problem:
+
+sdio.c:2403:3: warning: Attempt to free released memory
+ kfree(card->mpa_rx.buf);
+ ^~~~~~~~~~~~~~~~~~~~~~~
+
+When mwifiex_init_sdio() fails in its first call to
+mwifiex_alloc_sdio_mpa_buffer, it falls back to calling it
+again. If the second alloc of mpa_tx.buf fails, the error
+handler will try to free the old, previously freed mpa_rx.buf.
+Reviewing the code, it looks like a second double free would
+happen with mwifiex_cleanup_sdio().
+
+So set both pointers to NULL when they are freed.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201004131931.29782-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/sdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
+index fd5183c10c4ed..0e858621eef32 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
+@@ -1973,6 +1973,8 @@ static int mwifiex_alloc_sdio_mpa_buffers(struct mwifiex_adapter *adapter,
+ kfree(card->mpa_rx.buf);
+ card->mpa_tx.buf_size = 0;
+ card->mpa_rx.buf_size = 0;
++ card->mpa_tx.buf = NULL;
++ card->mpa_rx.buf = NULL;
+ }
+
+ return ret;
+--
+2.25.1
+
--- /dev/null
+From be91a8b84cecb696d6d575e3b43d456cd2eb2f24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 22:25:10 +0200
+Subject: net: enic: Cure the enic api locking trainwreck
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit a53b59ece86c86d16d12ccdaa1ad0c78250a9d96 ]
+
+enic_dev_wait() has a BUG_ON(in_interrupt()).
+
+Chasing the callers of enic_dev_wait() revealed the gems of enic_reset()
+and enic_tx_hang_reset() which are both invoked through work queues in
+order to be able to call rtnl_lock(). So far so good.
+
+After locking rtnl both functions acquire enic::enic_api_lock which
+serializes against the (ab)use from infiniband. This is where the
+trainwreck starts.
+
+enic::enic_api_lock is a spin_lock() which implicitly disables preemption,
+but both functions invoke a ton of functions under that lock which can
+sleep. The BUG_ON(in_interrupt()) does not trigger in that case because it
+can't detect the preempt disabled condition.
+
+This clearly has never been tested with any of the mandatory debug options
+for 7+ years, which would have caught that for sure.
+
+Cure it by adding a enic_api_busy member to struct enic, which is modified
+and evaluated with enic::enic_api_lock held.
+
+If enic_api_devcmd_proxy_by_index() observes enic::enic_api_busy as true,
+it drops enic::enic_api_lock and busy waits for enic::enic_api_busy to
+become false.
+
+It would be smarter to wait for a completion of that busy period, but
+enic_api_devcmd_proxy_by_index() is called with other spin locks held which
+obviously can't sleep.
+
+Remove the BUG_ON(in_interrupt()) check as well because it's incomplete and
+with proper debugging enabled the problem would have been caught from the
+debug checks in schedule_timeout().
+
+Fixes: 0b038566c0ea ("drivers/net: enic: Add an interface for USNIC to interact with firmware")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic.h | 1 +
+ drivers/net/ethernet/cisco/enic/enic_api.c | 6 +++++
+ drivers/net/ethernet/cisco/enic/enic_main.c | 27 ++++++++++++++++-----
+ 3 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h
+index ba032ac9ae86c..893c51a94abbd 100644
+--- a/drivers/net/ethernet/cisco/enic/enic.h
++++ b/drivers/net/ethernet/cisco/enic/enic.h
+@@ -168,6 +168,7 @@ struct enic {
+ u16 num_vfs;
+ #endif
+ spinlock_t enic_api_lock;
++ bool enic_api_busy;
+ struct enic_port_profile *pp;
+
+ /* work queue cache line section */
+diff --git a/drivers/net/ethernet/cisco/enic/enic_api.c b/drivers/net/ethernet/cisco/enic/enic_api.c
+index b161f24522b87..b028ea2dec2b9 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_api.c
++++ b/drivers/net/ethernet/cisco/enic/enic_api.c
+@@ -34,6 +34,12 @@ int enic_api_devcmd_proxy_by_index(struct net_device *netdev, int vf,
+ struct vnic_dev *vdev = enic->vdev;
+
+ spin_lock(&enic->enic_api_lock);
++ while (enic->enic_api_busy) {
++ spin_unlock(&enic->enic_api_lock);
++ cpu_relax();
++ spin_lock(&enic->enic_api_lock);
++ }
++
+ spin_lock_bh(&enic->devcmd_lock);
+
+ vnic_dev_cmd_proxy_by_index_start(vdev, vf);
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index 52a3b32390a9c..f0bbc0fdeddcb 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -2101,8 +2101,6 @@ static int enic_dev_wait(struct vnic_dev *vdev,
+ int done;
+ int err;
+
+- BUG_ON(in_interrupt());
+-
+ err = start(vdev, arg);
+ if (err)
+ return err;
+@@ -2279,6 +2277,13 @@ static int enic_set_rss_nic_cfg(struct enic *enic)
+ rss_hash_bits, rss_base_cpu, rss_enable);
+ }
+
++static void enic_set_api_busy(struct enic *enic, bool busy)
++{
++ spin_lock(&enic->enic_api_lock);
++ enic->enic_api_busy = busy;
++ spin_unlock(&enic->enic_api_lock);
++}
++
+ static void enic_reset(struct work_struct *work)
+ {
+ struct enic *enic = container_of(work, struct enic, reset);
+@@ -2288,7 +2293,9 @@ static void enic_reset(struct work_struct *work)
+
+ rtnl_lock();
+
+- spin_lock(&enic->enic_api_lock);
++ /* Stop any activity from infiniband */
++ enic_set_api_busy(enic, true);
++
+ enic_stop(enic->netdev);
+ enic_dev_soft_reset(enic);
+ enic_reset_addr_lists(enic);
+@@ -2296,7 +2303,10 @@ static void enic_reset(struct work_struct *work)
+ enic_set_rss_nic_cfg(enic);
+ enic_dev_set_ig_vlan_rewrite_mode(enic);
+ enic_open(enic->netdev);
+- spin_unlock(&enic->enic_api_lock);
++
++ /* Allow infiniband to fiddle with the device again */
++ enic_set_api_busy(enic, false);
++
+ call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev);
+
+ rtnl_unlock();
+@@ -2308,7 +2318,9 @@ static void enic_tx_hang_reset(struct work_struct *work)
+
+ rtnl_lock();
+
+- spin_lock(&enic->enic_api_lock);
++ /* Stop any activity from infiniband */
++ enic_set_api_busy(enic, true);
++
+ enic_dev_hang_notify(enic);
+ enic_stop(enic->netdev);
+ enic_dev_hang_reset(enic);
+@@ -2317,7 +2329,10 @@ static void enic_tx_hang_reset(struct work_struct *work)
+ enic_set_rss_nic_cfg(enic);
+ enic_dev_set_ig_vlan_rewrite_mode(enic);
+ enic_open(enic->netdev);
+- spin_unlock(&enic->enic_api_lock);
++
++ /* Allow infiniband to fiddle with the device again */
++ enic_set_api_busy(enic, false);
++
+ call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev);
+
+ rtnl_unlock();
+--
+2.25.1
+
--- /dev/null
+From 6fbdc2b1ad096794d9e1282419e29b866be0b329 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 00:03:29 +0200
+Subject: net: korina: fix kfree of rx/tx descriptor array
+
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+
+[ Upstream commit 3af5f0f5c74ecbaf757ef06c3f80d56751277637 ]
+
+kmalloc returns KSEG0 addresses so convert back from KSEG1
+in kfree. Also make sure array is freed when the driver is
+unloaded from the kernel.
+
+Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC")
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/korina.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
+index 3c0a6451273df..1357d464e8c43 100644
+--- a/drivers/net/ethernet/korina.c
++++ b/drivers/net/ethernet/korina.c
+@@ -1188,7 +1188,7 @@ static int korina_probe(struct platform_device *pdev)
+ return rc;
+
+ probe_err_register:
+- kfree(lp->td_ring);
++ kfree(KSEG0ADDR(lp->td_ring));
+ probe_err_td_ring:
+ iounmap(lp->tx_dma_regs);
+ probe_err_dma_tx:
+@@ -1208,6 +1208,7 @@ static int korina_remove(struct platform_device *pdev)
+ iounmap(lp->eth_regs);
+ iounmap(lp->rx_dma_regs);
+ iounmap(lp->tx_dma_regs);
++ kfree(KSEG0ADDR(lp->td_ring));
+
+ unregister_netdev(bif->dev);
+ free_netdev(bif->dev);
+--
+2.25.1
+
--- /dev/null
+From f3bfbb6c123c90cbb963e9e06efdc2d83b306458 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 13:07:18 +0200
+Subject: nl80211: fix non-split wiphy information
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit ab10c22bc3b2024f0c9eafa463899a071eac8d97 ]
+
+When dumping wiphy information, we try to split the data into
+many submessages, but for old userspace we still support the
+old mode where this doesn't happen.
+
+However, in this case we were not resetting our state correctly
+and dumping multiple messages for each wiphy, which would have
+broken such older userspace.
+
+This was broken pretty much immediately afterwards because it
+only worked in the original commit where non-split dumps didn't
+have any more data than split dumps...
+
+Fixes: fe1abafd942f ("nl80211: re-add channel width and extended capa advertising")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20200928130717.3e6d9c6bada2.Ie0f151a8d0d00a8e1e18f6a8c9244dd02496af67@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index bf3caa376f9fe..6bd4f6c8fc2ef 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -1784,7 +1784,10 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
+ * case we'll continue with more data in the next round,
+ * but break unconditionally so unsplit data stops here.
+ */
+- state->split_start++;
++ if (state->split)
++ state->split_start++;
++ else
++ state->split_start = 0;
+ break;
+ case 9:
+ if (rdev->wiphy.extended_capabilities &&
+--
+2.25.1
+
--- /dev/null
+From 7a718e10bdf2a898f60e8851e0ea886cbc22f346 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 09:59:57 +0800
+Subject: NTB: hw: amd: fix an issue about leak system resources
+
+From: Kaige Li <likaige@loongson.cn>
+
+[ Upstream commit 44a0a3c17919db1498cebb02ecf3cf4abc1ade7b ]
+
+The related system resources were not released when pci_set_dma_mask(),
+pci_set_consistent_dma_mask(), or pci_iomap() return error in the
+amd_ntb_init_pci() function. Add pci_release_regions() to fix it.
+
+Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge")
+Signed-off-by: Kaige Li <likaige@loongson.cn>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/amd/ntb_hw_amd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c
+index f0788aae05c9c..72a7981ef73fb 100644
+--- a/drivers/ntb/hw/amd/ntb_hw_amd.c
++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c
+@@ -1032,6 +1032,7 @@ static int amd_ntb_init_pci(struct amd_ntb_dev *ndev,
+
+ err_dma_mask:
+ pci_clear_master(pdev);
++ pci_release_regions(pdev);
+ err_pci_regions:
+ pci_disable_device(pdev);
+ err_pci_enable:
+--
+2.25.1
+
--- /dev/null
+From 269458fd10d7f4111147dff01aee8105931d8290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 16:48:17 -0700
+Subject: ntfs: add check for mft record size in superblock
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ]
+
+Number of bytes allocated for mft record should be equal to the mft record
+size stored in ntfs superblock as reported by syzbot, userspace might
+trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find()
+
+Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
+Acked-by: Anton Altaparmakov <anton@tuxera.com>
+Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
+Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
+index 7c410f8794124..2aa073b82d30f 100644
+--- a/fs/ntfs/inode.c
++++ b/fs/ntfs/inode.c
+@@ -1844,6 +1844,12 @@ int ntfs_read_inode_mount(struct inode *vi)
+ brelse(bh);
+ }
+
++ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
++ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
++ le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
++ goto err_out;
++ }
++
+ /* Apply the mst fixups. */
+ if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
+ /* FIXME: Try to use the $MFTMirr now. */
+--
+2.25.1
+
--- /dev/null
+From fd27cef74483c2b9be99cb5bd0b8a6828e7bc431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 09:51:40 +0800
+Subject: nvmet: fix uninitialized work for zero kato
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+[ Upstream commit 85bd23f3dc09a2ae9e56885420e52c54bf983713 ]
+
+When connecting a controller with a zero kato value using the following
+command line
+
+ nvme connect -t tcp -n NQN -a ADDR -s PORT --keep-alive-tmo=0
+
+the warning below can be reproduced:
+
+WARNING: CPU: 1 PID: 241 at kernel/workqueue.c:1627 __queue_delayed_work+0x6d/0x90
+with trace:
+ mod_delayed_work_on+0x59/0x90
+ nvmet_update_cc+0xee/0x100 [nvmet]
+ nvmet_execute_prop_set+0x72/0x80 [nvmet]
+ nvmet_tcp_try_recv_pdu+0x2f7/0x770 [nvmet_tcp]
+ nvmet_tcp_io_work+0x63f/0xb2d [nvmet_tcp]
+ ...
+
+This is caused by queuing up an uninitialized work. Althrough the
+keep-alive timer is disabled during allocating the controller (fixed in
+0d3b6a8d213a), ka_work still has a chance to run (called by
+nvmet_start_ctrl).
+
+Fixes: 0d3b6a8d213a ("nvmet: Disable keep-alive timer when kato is cleared to 0h")
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index d0be85d0c289a..7d6d30a2d7719 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -611,7 +611,8 @@ static void nvmet_start_ctrl(struct nvmet_ctrl *ctrl)
+ * in case a host died before it enabled the controller. Hence, simply
+ * reset the keep alive timer when the controller is enabled.
+ */
+- mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ);
++ if (ctrl->kato)
++ mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ);
+ }
+
+ static void nvmet_clear_ctrl(struct nvmet_ctrl *ctrl)
+--
+2.25.1
+
--- /dev/null
+From 00e158b8eaf09cbf7a8957a69b8c6d2d9679b146 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Sep 2020 13:29:28 +0300
+Subject: overflow: Include header file with SIZE_MAX declaration
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit a4947e84f23474803b62a2759b5808147e4e15f9 ]
+
+The various array_size functions use SIZE_MAX define, but missed limits.h
+causes to failure to compile code that needs overflow.h.
+
+ In file included from drivers/infiniband/core/uverbs_std_types_device.c:6:
+ ./include/linux/overflow.h: In function 'array_size':
+ ./include/linux/overflow.h:258:10: error: 'SIZE_MAX' undeclared (first use in this function)
+ 258 | return SIZE_MAX;
+ | ^~~~~~~~
+
+Fixes: 610b15c50e86 ("overflow.h: Add allocation size calculation helpers")
+Link: https://lore.kernel.org/r/20200913102928.134985-1-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/overflow.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/overflow.h b/include/linux/overflow.h
+index 40b48e2133cb8..38a47cc62cf3a 100644
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -3,6 +3,7 @@
+ #define __LINUX_OVERFLOW_H
+
+ #include <linux/compiler.h>
++#include <linux/limits.h>
+
+ /*
+ * In the fallback code below, we need to compute the minimum and
+--
+2.25.1
+
--- /dev/null
+From 5917834d006a2baf3109693f5b09053fb737057e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 15:52:40 +1200
+Subject: PCI: iproc: Set affinity mask on MSI interrupts
+
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+
+[ Upstream commit eb7eacaa5b9e4f665bd08d416c8f88e63d2f123c ]
+
+The core interrupt code expects the irq_set_affinity call to update the
+effective affinity for the interrupt. This was not being done, so update
+iproc_msi_irq_set_affinity() to do so.
+
+Link: https://lore.kernel.org/r/20200803035241.7737-1-mark.tomlinson@alliedtelesis.co.nz
+Fixes: 3bc2b2348835 ("PCI: iproc: Add iProc PCIe MSI support")
+Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Ray Jui <ray.jui@broadcom.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/host/pcie-iproc-msi.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/host/pcie-iproc-msi.c b/drivers/pci/host/pcie-iproc-msi.c
+index 2d0f535a2f69a..7e6f7b8504d2f 100644
+--- a/drivers/pci/host/pcie-iproc-msi.c
++++ b/drivers/pci/host/pcie-iproc-msi.c
+@@ -217,15 +217,20 @@ static int iproc_msi_irq_set_affinity(struct irq_data *data,
+ struct iproc_msi *msi = irq_data_get_irq_chip_data(data);
+ int target_cpu = cpumask_first(mask);
+ int curr_cpu;
++ int ret;
+
+ curr_cpu = hwirq_to_cpu(msi, data->hwirq);
+ if (curr_cpu == target_cpu)
+- return IRQ_SET_MASK_OK_DONE;
++ ret = IRQ_SET_MASK_OK_DONE;
++ else {
++ /* steer MSI to the target CPU */
++ data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu;
++ ret = IRQ_SET_MASK_OK;
++ }
+
+- /* steer MSI to the target CPU */
+- data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu;
++ irq_data_update_effective_affinity(data, cpumask_of(target_cpu));
+
+- return IRQ_SET_MASK_OK;
++ return ret;
+ }
+
+ static void iproc_msi_irq_compose_msi_msg(struct irq_data *data,
+--
+2.25.1
+
--- /dev/null
+From 78456f01b318f2d2c4ce66fd6588ff1d04c458a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 21:46:37 +0100
+Subject: perf: correct SNOOPX field offset
+
+From: Al Grant <al.grant@foss.arm.com>
+
+[ Upstream commit f3d301c1f2f5676465cdf3259737ea19cc82731f ]
+
+perf_event.h has macros that define the field offsets in the
+data_src bitmask in perf records. The SNOOPX and REMOTE offsets
+were both 37. These are distinct fields, and the bitfield layout
+in perf_mem_data_src confirms that SNOOPX should be at offset 38.
+
+Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings")
+Signed-off-by: Al Grant <al.grant@foss.arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Link: https://lkml.kernel.org/r/4ac9f5cc-4388-b34a-9999-418a4099415d@foss.arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/perf_event.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/perf_event.h b/include/uapi/linux/perf_event.h
+index 362493a2f950b..fc72a3839c9dc 100644
+--- a/include/uapi/linux/perf_event.h
++++ b/include/uapi/linux/perf_event.h
+@@ -1033,7 +1033,7 @@ union perf_mem_data_src {
+
+ #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */
+ /* 1 free */
+-#define PERF_MEM_SNOOPX_SHIFT 37
++#define PERF_MEM_SNOOPX_SHIFT 38
+
+ /* locked instruction */
+ #define PERF_MEM_LOCK_NA 0x01 /* not available */
+--
+2.25.1
+
--- /dev/null
+From b284e18324017c3e19efe0c6d0a1b83016bed104 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 11:49:23 +0300
+Subject: perf intel-pt: Fix "context_switch event has no tid" error
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 7d537a8d2e76bc4fc71e34545ceaa463ac2cd928 ]
+
+A context_switch event can have no tid because pids can be detached from
+a task while the task is still running (in do_exit()). Note this won't
+happen with per-task contexts because then tracing stops at
+perf_event_exit_task()
+
+If a task with no tid gets preempted, or a dying task gets preempted and
+its parent releases it, when it subsequently gets switched back in,
+Intel PT will not be able to determine what task is running and prints
+an error "context_switch event has no tid". However, it is not really an
+error because the task is in kernel space and the decoder can continue
+to decode successfully. Fix by changing the error to be only a logged
+message, and make allowance for tid == -1.
+
+Example:
+
+ Using 5.9-rc4 with Preemptible Kernel (Low-Latency Desktop) e.g.
+ $ uname -r
+ 5.9.0-rc4
+ $ grep PREEMPT .config
+ # CONFIG_PREEMPT_NONE is not set
+ # CONFIG_PREEMPT_VOLUNTARY is not set
+ CONFIG_PREEMPT=y
+ CONFIG_PREEMPT_COUNT=y
+ CONFIG_PREEMPTION=y
+ CONFIG_PREEMPT_RCU=y
+ CONFIG_PREEMPT_NOTIFIERS=y
+ CONFIG_DRM_I915_PREEMPT_TIMEOUT=640
+ CONFIG_DEBUG_PREEMPT=y
+ # CONFIG_PREEMPT_TRACER is not set
+ # CONFIG_PREEMPTIRQ_DELAY_TEST is not set
+
+Before:
+
+ $ cat forkit.c
+
+ #include <sys/types.h>
+ #include <unistd.h>
+ #include <sys/wait.h>
+
+ int main()
+ {
+ pid_t child;
+ int status = 0;
+
+ child = fork();
+ if (child == 0)
+ return 123;
+ wait(&status);
+ return 0;
+ }
+
+ $ gcc -o forkit forkit.c
+ $ sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k &
+ [1] 11016
+ $ taskset 2 ./forkit
+ $ sudo pkill perf
+ $ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 17.262 MB perf.data ]
+
+ [1]+ Terminated sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k
+ $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit
+ context_switch event has no tid
+ taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms])
+ taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019
+ forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019)
+ forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020
+ forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019
+ forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms])
+ forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019)
+ forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019
+ forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020
+ forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386)
+
+After:
+
+ $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit
+ taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms])
+ taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019
+ forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019)
+ forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020
+ forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019
+ forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms])
+ forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019)
+ forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019
+ forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020
+ forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386)
+ forkit 11019 [001] 66663.271688752: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: -1/-1
+ :-1 -1 [001] 66663.271692086: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019
+ :-1 -1 [001] 66663.271707466: 1 instructions:k: ffffffffb18eb096 update_load_avg+0x306 ([kernel.kallsyms])
+
+Fixes: 86c2786994bd7c ("perf intel-pt: Add support for PERF_RECORD_SWITCH")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
+Link: http://lore.kernel.org/lkml/20200909084923.9096-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index e8e05e7838b26..66591e8e26470 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -906,6 +906,8 @@ static void intel_pt_set_pid_tid_cpu(struct intel_pt *pt,
+
+ if (queue->tid == -1 || pt->have_sched_switch) {
+ ptq->tid = machine__get_current_tid(pt->machine, ptq->cpu);
++ if (ptq->tid == -1)
++ ptq->pid = -1;
+ thread__zput(ptq->thread);
+ }
+
+@@ -1948,10 +1950,8 @@ static int intel_pt_context_switch(struct intel_pt *pt, union perf_event *event,
+ tid = sample->tid;
+ }
+
+- if (tid == -1) {
+- pr_err("context_switch event has no tid\n");
+- return -EINVAL;
+- }
++ if (tid == -1)
++ intel_pt_log("context_switch event has no tid\n");
+
+ intel_pt_log("context_switch: cpu %d pid %d tid %d time %"PRIu64" tsc %#"PRIx64"\n",
+ cpu, pid, tid, sample->time, perf_time_to_tsc(sample->time,
+--
+2.25.1
+
--- /dev/null
+From 2a5687f6b8b1d39c5b07d6dc4ca5c0931cbad9e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 22:32:26 +0100
+Subject: pinctrl: mcp23s08: Fix mcp23x17 precious range
+
+From: Thomas Preston <thomas.preston@codethink.co.uk>
+
+[ Upstream commit b9b7fb29433b906635231d0a111224efa009198c ]
+
+On page 23 of the datasheet [0] it says "The register remains unchanged
+until the interrupt is cleared via a read of INTCAP or GPIO." Include
+INTCAPA and INTCAPB registers in precious range, so that they aren't
+accidentally cleared when we read via debugfs.
+
+[0] https://ww1.microchip.com/downloads/en/DeviceDoc/20001952C.pdf
+
+Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching")
+Signed-off-by: Thomas Preston <thomas.preston@codethink.co.uk>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20200828213226.1734264-3-thomas.preston@codethink.co.uk
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index 12e7f7c54ffaa..5971338c87572 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -141,7 +141,7 @@ static const struct regmap_access_table mcp23x17_volatile_table = {
+ };
+
+ static const struct regmap_range mcp23x17_precious_range = {
+- .range_min = MCP_GPIO << 1,
++ .range_min = MCP_INTCAP << 1,
+ .range_max = MCP_GPIO << 1,
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 3a969c57066ea6e5156f1ffb87aa339988f0f590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 22:32:25 +0100
+Subject: pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser
+
+From: Thomas Preston <thomas.preston@codethink.co.uk>
+
+[ Upstream commit b445f6237744df5e8d4f56f8733b2108c611220a ]
+
+The mcp23x17_regmap is initialised with structs named "mcp23x16".
+However, the mcp23s08 driver doesn't support the MCP23016 device yet, so
+this appears to be a typo.
+
+Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching")
+Signed-off-by: Thomas Preston <thomas.preston@codethink.co.uk>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20200828213226.1734264-2-thomas.preston@codethink.co.uk
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index 22558bf294246..12e7f7c54ffaa 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -119,7 +119,7 @@ static const struct regmap_config mcp23x08_regmap = {
+ .max_register = MCP_OLAT,
+ };
+
+-static const struct reg_default mcp23x16_defaults[] = {
++static const struct reg_default mcp23x17_defaults[] = {
+ {.reg = MCP_IODIR << 1, .def = 0xffff},
+ {.reg = MCP_IPOL << 1, .def = 0x0000},
+ {.reg = MCP_GPINTEN << 1, .def = 0x0000},
+@@ -130,23 +130,23 @@ static const struct reg_default mcp23x16_defaults[] = {
+ {.reg = MCP_OLAT << 1, .def = 0x0000},
+ };
+
+-static const struct regmap_range mcp23x16_volatile_range = {
++static const struct regmap_range mcp23x17_volatile_range = {
+ .range_min = MCP_INTF << 1,
+ .range_max = MCP_GPIO << 1,
+ };
+
+-static const struct regmap_access_table mcp23x16_volatile_table = {
+- .yes_ranges = &mcp23x16_volatile_range,
++static const struct regmap_access_table mcp23x17_volatile_table = {
++ .yes_ranges = &mcp23x17_volatile_range,
+ .n_yes_ranges = 1,
+ };
+
+-static const struct regmap_range mcp23x16_precious_range = {
++static const struct regmap_range mcp23x17_precious_range = {
+ .range_min = MCP_GPIO << 1,
+ .range_max = MCP_GPIO << 1,
+ };
+
+-static const struct regmap_access_table mcp23x16_precious_table = {
+- .yes_ranges = &mcp23x16_precious_range,
++static const struct regmap_access_table mcp23x17_precious_table = {
++ .yes_ranges = &mcp23x17_precious_range,
+ .n_yes_ranges = 1,
+ };
+
+@@ -156,10 +156,10 @@ static const struct regmap_config mcp23x17_regmap = {
+
+ .reg_stride = 2,
+ .max_register = MCP_OLAT << 1,
+- .volatile_table = &mcp23x16_volatile_table,
+- .precious_table = &mcp23x16_precious_table,
+- .reg_defaults = mcp23x16_defaults,
+- .num_reg_defaults = ARRAY_SIZE(mcp23x16_defaults),
++ .volatile_table = &mcp23x17_volatile_table,
++ .precious_table = &mcp23x17_precious_table,
++ .reg_defaults = mcp23x17_defaults,
++ .num_reg_defaults = ARRAY_SIZE(mcp23x17_defaults),
+ .cache_type = REGCACHE_FLAT,
+ .val_format_endian = REGMAP_ENDIAN_LITTLE,
+ };
+--
+2.25.1
+
--- /dev/null
+From da0ce0abeaeb95c6efa2ec5b6226c3ba5af65c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 18:14:47 +0200
+Subject: PM: hibernate: remove the bogus call to get_gendisk() in
+ software_resume()
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 428805c0c5e76ef643b1fbc893edfb636b3d8aef ]
+
+get_gendisk grabs a reference on the disk and file operation, so this
+code will leak both of them while having absolutely no use for the
+gendisk itself.
+
+This effectively reverts commit 2df83fa4bce421f ("PM / Hibernate: Use
+get_gendisk to verify partition if resume_file is integer format")
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/hibernate.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index 2e65aacfa1162..02df69a8ee3c0 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -833,17 +833,6 @@ static int software_resume(void)
+
+ /* Check if the device is there */
+ swsusp_resume_device = name_to_dev_t(resume_file);
+-
+- /*
+- * name_to_dev_t is ineffective to verify parition if resume_file is in
+- * integer format. (e.g. major:minor)
+- */
+- if (isdigit(resume_file[0]) && resume_wait) {
+- int partno;
+- while (!get_gendisk(swsusp_resume_device, &partno))
+- msleep(10);
+- }
+-
+ if (!swsusp_resume_device) {
+ /*
+ * Some device discovery might still be in progress; we need
+--
+2.25.1
+
--- /dev/null
+From 6878867f5fba152895b70199de823d1c5f6f539a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jul 2018 10:03:27 +0200
+Subject: powerpc/icp-hv: Fix missing of_node_put() in success path
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit d3e669f31ec35856f5e85df9224ede5bdbf1bc7b ]
+
+Both of_find_compatible_node() and of_find_node_by_type() will return
+a refcounted node on success - thus for the success path the node must
+be explicitly released with a of_node_put().
+
+Fixes: 0b05ac6e2480 ("powerpc/xics: Rewrite XICS driver")
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1530691407-3991-1-git-send-email-hofrat@osadl.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xics/icp-hv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/sysdev/xics/icp-hv.c b/arch/powerpc/sysdev/xics/icp-hv.c
+index bbc839a98c414..003deaabb5680 100644
+--- a/arch/powerpc/sysdev/xics/icp-hv.c
++++ b/arch/powerpc/sysdev/xics/icp-hv.c
+@@ -179,6 +179,7 @@ int icp_hv_init(void)
+
+ icp_ops = &icp_hv_ops;
+
++ of_node_put(np);
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 3aeb4d251caf6ad7985196040ff4cfce2d0280fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 03:10:04 -0400
+Subject: powerpc/perf: Exclude pmc5/6 from the irrelevant PMU group
+ constraints
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+[ Upstream commit 3b6c3adbb2fa42749c3d38cfc4d4d0b7e096bb7b ]
+
+PMU counter support functions enforces event constraints for group of
+events to check if all events in a group can be monitored. Incase of
+event codes using PMC5 and PMC6 ( 500fa and 600f4 respectively ), not
+all constraints are applicable, say the threshold or sample bits. But
+current code includes pmc5 and pmc6 in some group constraints (like
+IC_DC Qualifier bits) which is actually not applicable and hence
+results in those events not getting counted when scheduled along with
+group of other events. Patch fixes this by excluding PMC5/6 from
+constraints which are not relevant for it.
+
+Fixes: 7ffd948 ("powerpc/perf: factor out power8 pmu functions")
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Reviewed-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1600672204-1610-1-git-send-email-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/isa207-common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c
+index 7ecea7143e587..dd9f88fed63ce 100644
+--- a/arch/powerpc/perf/isa207-common.c
++++ b/arch/powerpc/perf/isa207-common.c
+@@ -275,6 +275,15 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp)
+
+ mask |= CNST_PMC_MASK(pmc);
+ value |= CNST_PMC_VAL(pmc);
++
++ /*
++ * PMC5 and PMC6 are used to count cycles and instructions and
++ * they do not support most of the constraint bits. Add a check
++ * to exclude PMC5/6 from most of the constraints except for
++ * EBB/BHRB.
++ */
++ if (pmc >= 5)
++ goto ebb_bhrb;
+ }
+
+ if (pmc <= 4) {
+@@ -333,6 +342,7 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp)
+ }
+ }
+
++ebb_bhrb:
+ if (!pmc && ebb)
+ /* EBB events must specify the PMC */
+ return -1;
+--
+2.25.1
+
--- /dev/null
+From dcc7395ae47a008a31825e4dfc515a5ebbbce5d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Oct 2020 13:19:39 +0530
+Subject: powerpc/perf/hv-gpci: Fix starting index value
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 0f9866f7e85765bbda86666df56c92f377c3bc10 ]
+
+Commit 9e9f60108423f ("powerpc/perf/{hv-gpci, hv-common}: generate
+requests with counters annotated") adds a framework for defining
+gpci counters.
+In this patch, they adds starting_index value as '0xffffffffffffffff'.
+which is wrong as starting_index is of size 32 bits.
+
+Because of this, incase we try to run hv-gpci event we get error.
+
+In power9 machine:
+
+command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/
+ -C 0 -I 1000
+event syntax error: '..bie_count_and_time_tlbie_instructions_issued/'
+ \___ value too big for format, maximum is 4294967295
+
+This patch fix this issue and changes starting_index value to '0xffffffff'
+
+After this patch:
+
+command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ -C 0 -I 1000
+ 1.000085786 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/
+ 2.000287818 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/
+ 2.439113909 17,408 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/
+
+Fixes: 9e9f60108423 ("powerpc/perf/{hv-gpci, hv-common}: generate requests with counters annotated")
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201003074943.338618-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/hv-gpci-requests.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h
+index e608f9db12ddc..8965b4463d433 100644
+--- a/arch/powerpc/perf/hv-gpci-requests.h
++++ b/arch/powerpc/perf/hv-gpci-requests.h
+@@ -95,7 +95,7 @@ REQUEST(__field(0, 8, partition_id)
+
+ #define REQUEST_NAME system_performance_capabilities
+ #define REQUEST_NUM 0x40
+-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
+ #include I(REQUEST_BEGIN)
+ REQUEST(__field(0, 1, perf_collect_privileged)
+ __field(0x1, 1, capability_mask)
+@@ -223,7 +223,7 @@ REQUEST(__field(0, 2, partition_id)
+
+ #define REQUEST_NAME system_hypervisor_times
+ #define REQUEST_NUM 0xF0
+-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
+ #include I(REQUEST_BEGIN)
+ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors)
+ __count(0x8, 8, time_spent_processing_virtual_processor_timers)
+@@ -234,7 +234,7 @@ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors)
+
+ #define REQUEST_NAME system_tlbie_count_and_time
+ #define REQUEST_NUM 0xF4
+-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
+ #include I(REQUEST_BEGIN)
+ REQUEST(__count(0, 8, tlbie_instructions_issued)
+ /*
+--
+2.25.1
+
--- /dev/null
+From 7307bbf5cbfce5b4ff7c4748464a426cb1d277c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Oct 2020 22:12:10 +0530
+Subject: powerpc/powernv/dump: Fix race while processing OPAL dump
+
+From: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+
+[ Upstream commit 0a43ae3e2beb77e3481d812834d33abe270768ab ]
+
+Every dump reported by OPAL is exported to userspace through a sysfs
+interface and notified using kobject_uevent(). The userspace daemon
+(opal_errd) then reads the dump and acknowledges that the dump is
+saved safely to disk. Once acknowledged the kernel removes the
+respective sysfs file entry causing respective resources to be
+released including kobject.
+
+However it's possible the userspace daemon may already be scanning
+dump entries when a new sysfs dump entry is created by the kernel.
+User daemon may read this new entry and ack it even before kernel can
+notify userspace about it through kobject_uevent() call. If that
+happens then we have a potential race between
+dump_ack_store->kobject_put() and kobject_uevent which can lead to
+use-after-free of a kernfs object resulting in a kernel crash.
+
+This patch fixes this race by protecting the sysfs file
+creation/notification by holding a reference count on kobject until we
+safely send kobject_uevent().
+
+The function create_dump_obj() returns the dump object which if used
+by caller function will end up in use-after-free problem again.
+However, the return value of create_dump_obj() function isn't being
+used today and there is no need as well. Hence change it to return
+void to make this fix complete.
+
+Fixes: c7e64b9ce04a ("powerpc/powernv Platform dump interface")
+Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201017164210.264619-1-hegdevasant@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/opal-dump.c | 41 +++++++++++++++-------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/arch/powerpc/platforms/powernv/opal-dump.c b/arch/powerpc/platforms/powernv/opal-dump.c
+index 4c827826c05eb..e21e2c0af69d2 100644
+--- a/arch/powerpc/platforms/powernv/opal-dump.c
++++ b/arch/powerpc/platforms/powernv/opal-dump.c
+@@ -319,15 +319,14 @@ static ssize_t dump_attr_read(struct file *filep, struct kobject *kobj,
+ return count;
+ }
+
+-static struct dump_obj *create_dump_obj(uint32_t id, size_t size,
+- uint32_t type)
++static void create_dump_obj(uint32_t id, size_t size, uint32_t type)
+ {
+ struct dump_obj *dump;
+ int rc;
+
+ dump = kzalloc(sizeof(*dump), GFP_KERNEL);
+ if (!dump)
+- return NULL;
++ return;
+
+ dump->kobj.kset = dump_kset;
+
+@@ -347,21 +346,39 @@ static struct dump_obj *create_dump_obj(uint32_t id, size_t size,
+ rc = kobject_add(&dump->kobj, NULL, "0x%x-0x%x", type, id);
+ if (rc) {
+ kobject_put(&dump->kobj);
+- return NULL;
++ return;
+ }
+
++ /*
++ * As soon as the sysfs file for this dump is created/activated there is
++ * a chance the opal_errd daemon (or any userspace) might read and
++ * acknowledge the dump before kobject_uevent() is called. If that
++ * happens then there is a potential race between
++ * dump_ack_store->kobject_put() and kobject_uevent() which leads to a
++ * use-after-free of a kernfs object resulting in a kernel crash.
++ *
++ * To avoid that, we need to take a reference on behalf of the bin file,
++ * so that our reference remains valid while we call kobject_uevent().
++ * We then drop our reference before exiting the function, leaving the
++ * bin file to drop the last reference (if it hasn't already).
++ */
++
++ /* Take a reference for the bin file */
++ kobject_get(&dump->kobj);
+ rc = sysfs_create_bin_file(&dump->kobj, &dump->dump_attr);
+- if (rc) {
++ if (rc == 0) {
++ kobject_uevent(&dump->kobj, KOBJ_ADD);
++
++ pr_info("%s: New platform dump. ID = 0x%x Size %u\n",
++ __func__, dump->id, dump->size);
++ } else {
++ /* Drop reference count taken for bin file */
+ kobject_put(&dump->kobj);
+- return NULL;
+ }
+
+- pr_info("%s: New platform dump. ID = 0x%x Size %u\n",
+- __func__, dump->id, dump->size);
+-
+- kobject_uevent(&dump->kobj, KOBJ_ADD);
+-
+- return dump;
++ /* Drop our reference */
++ kobject_put(&dump->kobj);
++ return;
+ }
+
+ static irqreturn_t process_dump(int irq, void *data)
+--
+2.25.1
+
--- /dev/null
+From 06e38cb3a253cbaf5ac4da24a9a2c732b59323ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jul 2018 11:08:16 +0200
+Subject: powerpc/pseries: Fix missing of_node_put() in rng_init()
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 67c3e59443f5fc77be39e2ce0db75fbfa78c7965 ]
+
+The call to of_find_compatible_node() returns a node pointer with
+refcount incremented thus it must be explicitly decremented here
+before returning.
+
+Fixes: a489043f4626 ("powerpc/pseries: Implement arch_get_random_long() based on H_RANDOM")
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1530522496-14816-1-git-send-email-hofrat@osadl.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/rng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/pseries/rng.c b/arch/powerpc/platforms/pseries/rng.c
+index 31ca557af60bc..262b8c5e1b9d0 100644
+--- a/arch/powerpc/platforms/pseries/rng.c
++++ b/arch/powerpc/platforms/pseries/rng.c
+@@ -40,6 +40,7 @@ static __init int rng_init(void)
+
+ ppc_md.get_random_seed = pseries_get_random_long;
+
++ of_node_put(dn);
+ return 0;
+ }
+ machine_subsys_initcall(pseries, rng_init);
+--
+2.25.1
+
--- /dev/null
+From 5f957386c722bed7db9d676b226f9d8f0ff3257f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 09:02:20 +1000
+Subject: powerpc/tau: Disable TAU between measurements
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit e63d6fb5637e92725cf143559672a34b706bca4f ]
+
+Enabling CONFIG_TAU_INT causes random crashes:
+
+Unrecoverable exception 1700 at c0009414 (msr=1000)
+Oops: Unrecoverable exception, sig: 6 [#1]
+BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac
+Modules linked in:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac-00043-gd5f545e1a8593 #5
+NIP: c0009414 LR: c0009414 CTR: c00116fc
+REGS: c0799eb8 TRAP: 1700 Not tainted (5.7.0-pmac-00043-gd5f545e1a8593)
+MSR: 00001000 <ME> CR: 22000228 XER: 00000100
+
+GPR00: 00000000 c0799f70 c076e300 00800000 0291c0ac 00e00000 c076e300 00049032
+GPR08: 00000001 c00116fc 00000000 dfbd3200 ffffffff 007f80a8 00000000 00000000
+GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c075ce04
+GPR24: c075ce04 dfff8880 c07b0000 c075ce04 00080000 00000001 c079ef98 c079ef5c
+NIP [c0009414] arch_cpu_idle+0x24/0x6c
+LR [c0009414] arch_cpu_idle+0x24/0x6c
+Call Trace:
+[c0799f70] [00000001] 0x1 (unreliable)
+[c0799f80] [c0060990] do_idle+0xd8/0x17c
+[c0799fa0] [c0060ba4] cpu_startup_entry+0x20/0x28
+[c0799fb0] [c072d220] start_kernel+0x434/0x44c
+[c0799ff0] [00003860] 0x3860
+Instruction dump:
+XXXXXXXX XXXXXXXX XXXXXXXX 3d20c07b XXXXXXXX XXXXXXXX XXXXXXXX 7c0802a6
+XXXXXXXX XXXXXXXX XXXXXXXX 4e800421 XXXXXXXX XXXXXXXX XXXXXXXX 7d2000a6
+---[ end trace 3a0c9b5cb216db6b ]---
+
+Resolve this problem by disabling each THRMn comparator when handling
+the associated THRMn interrupt and by disabling the TAU entirely when
+updating THRMn thresholds.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/5a0ba3dc5612c7aac596727331284a3676c08472.1599260540.git.fthain@telegraphics.com.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/tau_6xx.c | 65 +++++++++++++---------------------
+ arch/powerpc/platforms/Kconfig | 9 ++---
+ 2 files changed, 26 insertions(+), 48 deletions(-)
+
+diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
+index 9e8b709a2aae4..2615cd66dad84 100644
+--- a/arch/powerpc/kernel/tau_6xx.c
++++ b/arch/powerpc/kernel/tau_6xx.c
+@@ -38,8 +38,6 @@ static struct tau_temp
+
+ struct timer_list tau_timer;
+
+-#undef DEBUG
+-
+ /* TODO: put these in a /proc interface, with some sanity checks, and maybe
+ * dynamic adjustment to minimize # of interrupts */
+ /* configurable values for step size and how much to expand the window when
+@@ -72,42 +70,33 @@ void set_thresholds(unsigned long cpu)
+
+ void TAUupdate(int cpu)
+ {
+- unsigned thrm;
+-
+-#ifdef DEBUG
+- printk("TAUupdate ");
+-#endif
++ u32 thrm;
++ u32 bits = THRM1_TIV | THRM1_TIN | THRM1_V;
+
+ /* if both thresholds are crossed, the step_sizes cancel out
+ * and the window winds up getting expanded twice. */
+- if((thrm = mfspr(SPRN_THRM1)) & THRM1_TIV){ /* is valid? */
+- if(thrm & THRM1_TIN){ /* crossed low threshold */
+- if (tau[cpu].low >= step_size){
+- tau[cpu].low -= step_size;
+- tau[cpu].high -= (step_size - window_expand);
+- }
+- tau[cpu].grew = 1;
+-#ifdef DEBUG
+- printk("low threshold crossed ");
+-#endif
++ thrm = mfspr(SPRN_THRM1);
++ if ((thrm & bits) == bits) {
++ mtspr(SPRN_THRM1, 0);
++
++ if (tau[cpu].low >= step_size) {
++ tau[cpu].low -= step_size;
++ tau[cpu].high -= (step_size - window_expand);
+ }
++ tau[cpu].grew = 1;
++ pr_debug("%s: low threshold crossed\n", __func__);
+ }
+- if((thrm = mfspr(SPRN_THRM2)) & THRM1_TIV){ /* is valid? */
+- if(thrm & THRM1_TIN){ /* crossed high threshold */
+- if (tau[cpu].high <= 127-step_size){
+- tau[cpu].low += (step_size - window_expand);
+- tau[cpu].high += step_size;
+- }
+- tau[cpu].grew = 1;
+-#ifdef DEBUG
+- printk("high threshold crossed ");
+-#endif
++ thrm = mfspr(SPRN_THRM2);
++ if ((thrm & bits) == bits) {
++ mtspr(SPRN_THRM2, 0);
++
++ if (tau[cpu].high <= 127 - step_size) {
++ tau[cpu].low += (step_size - window_expand);
++ tau[cpu].high += step_size;
+ }
++ tau[cpu].grew = 1;
++ pr_debug("%s: high threshold crossed\n", __func__);
+ }
+-
+-#ifdef DEBUG
+- printk("grew = %d\n", tau[cpu].grew);
+-#endif
+ }
+
+ #ifdef CONFIG_TAU_INT
+@@ -132,18 +121,18 @@ void TAUException(struct pt_regs * regs)
+ static void tau_timeout(void * info)
+ {
+ int cpu;
+- unsigned long flags;
+ int size;
+ int shrink;
+
+- /* disabling interrupts *should* be okay */
+- local_irq_save(flags);
+ cpu = smp_processor_id();
+
+ #ifndef CONFIG_TAU_INT
+ TAUupdate(cpu);
+ #endif
+
++ /* Stop thermal sensor comparisons and interrupts */
++ mtspr(SPRN_THRM3, 0);
++
+ size = tau[cpu].high - tau[cpu].low;
+ if (size > min_window && ! tau[cpu].grew) {
+ /* do an exponential shrink of half the amount currently over size */
+@@ -165,18 +154,12 @@ static void tau_timeout(void * info)
+
+ set_thresholds(cpu);
+
+- /*
+- * Do the enable every time, since otherwise a bunch of (relatively)
+- * complex sleep code needs to be added. One mtspr every time
+- * tau_timeout is called is probably not a big deal.
+- *
++ /* Restart thermal sensor comparisons and interrupts.
+ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet"
+ * recommends that "the maximum value be set in THRM3 under all
+ * conditions."
+ */
+ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E);
+-
+- local_irq_restore(flags);
+ }
+
+ static void tau_timeout_smp(unsigned long unused)
+diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig
+index d5e34ce5fd5d9..e06ccba351330 100644
+--- a/arch/powerpc/platforms/Kconfig
++++ b/arch/powerpc/platforms/Kconfig
+@@ -243,7 +243,7 @@ config TAU
+ temp is actually what /proc/cpuinfo says it is.
+
+ config TAU_INT
+- bool "Interrupt driven TAU driver (DANGEROUS)"
++ bool "Interrupt driven TAU driver (EXPERIMENTAL)"
+ depends on TAU
+ ---help---
+ The TAU supports an interrupt driven mode which causes an interrupt
+@@ -251,12 +251,7 @@ config TAU_INT
+ to get notified the temp has exceeded a range. With this option off,
+ a timer is used to re-check the temperature periodically.
+
+- However, on some cpus it appears that the TAU interrupt hardware
+- is buggy and can cause a situation which would lead unexplained hard
+- lockups.
+-
+- Unless you are extending the TAU driver, or enjoy kernel/hardware
+- debugging, leave this option off.
++ If in doubt, say N here.
+
+ config TAU_AVERAGE
+ bool "Average high and low temp"
+--
+2.25.1
+
--- /dev/null
+From d3963eb44e216c3701fc47d199797c2ef5f5d056 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 09:02:20 +1000
+Subject: powerpc/tau: Remove duplicated set_thresholds() call
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 420ab2bc7544d978a5d0762ee736412fe9c796ab ]
+
+The commentary at the call site seems to disagree with the code. The
+conditional prevents calling set_thresholds() via the exception handler,
+which appears to crash. Perhaps that's because it immediately triggers
+another TAU exception. Anyway, calling set_thresholds() from TAUupdate()
+is redundant because tau_timeout() does so.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/d7c7ee33232cf72a6a6bbb6ef05838b2e2b113c0.1599260540.git.fthain@telegraphics.com.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/tau_6xx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
+index 64a27b20cf55e..9e8b709a2aae4 100644
+--- a/arch/powerpc/kernel/tau_6xx.c
++++ b/arch/powerpc/kernel/tau_6xx.c
+@@ -108,11 +108,6 @@ void TAUupdate(int cpu)
+ #ifdef DEBUG
+ printk("grew = %d\n", tau[cpu].grew);
+ #endif
+-
+-#ifndef CONFIG_TAU_INT /* tau_timeout will do this if not using interrupts */
+- set_thresholds(cpu);
+-#endif
+-
+ }
+
+ #ifdef CONFIG_TAU_INT
+--
+2.25.1
+
--- /dev/null
+From a890d2b86a0f8148e72b2f59c3e65074172a2bca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 09:02:20 +1000
+Subject: powerpc/tau: Use appropriate temperature sample interval
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 66943005cc41f48e4d05614e8f76c0ca1812f0fd ]
+
+According to the MPC750 Users Manual, the SITV value in Thermal
+Management Register 3 is 13 bits long. The present code calculates the
+SITV value as 60 * 500 cycles. This would overflow to give 10 us on
+a 500 MHz CPU rather than the intended 60 us. (But according to the
+Microprocessor Datasheet, there is also a factor of 266 that has to be
+applied to this value on certain parts i.e. speed sort above 266 MHz.)
+Always use the maximum cycle count, as recommended by the Datasheet.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/896f542e5f0f1d6cf8218524c2b67d79f3d69b3c.1599260540.git.fthain@telegraphics.com.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/reg.h | 2 +-
+ arch/powerpc/kernel/tau_6xx.c | 12 ++++--------
+ 2 files changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
+index 05f3c2b3aa0ec..d6be5781a97ce 100644
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -753,7 +753,7 @@
+ #define THRM1_TIN (1 << 31)
+ #define THRM1_TIV (1 << 30)
+ #define THRM1_THRES(x) ((x&0x7f)<<23)
+-#define THRM3_SITV(x) ((x&0x3fff)<<1)
++#define THRM3_SITV(x) ((x & 0x1fff) << 1)
+ #define THRM1_TID (1<<2)
+ #define THRM1_TIE (1<<1)
+ #define THRM1_V (1<<0)
+diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
+index a3374e8a258c6..64a27b20cf55e 100644
+--- a/arch/powerpc/kernel/tau_6xx.c
++++ b/arch/powerpc/kernel/tau_6xx.c
+@@ -175,15 +175,11 @@ static void tau_timeout(void * info)
+ * complex sleep code needs to be added. One mtspr every time
+ * tau_timeout is called is probably not a big deal.
+ *
+- * Enable thermal sensor and set up sample interval timer
+- * need 20 us to do the compare.. until a nice 'cpu_speed' function
+- * call is implemented, just assume a 500 mhz clock. It doesn't really
+- * matter if we take too long for a compare since it's all interrupt
+- * driven anyway.
+- *
+- * use a extra long time.. (60 us @ 500 mhz)
++ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet"
++ * recommends that "the maximum value be set in THRM3 under all
++ * conditions."
+ */
+- mtspr(SPRN_THRM3, THRM3_SITV(500*60) | THRM3_E);
++ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E);
+
+ local_irq_restore(flags);
+ }
+--
+2.25.1
+
--- /dev/null
+From 0b560339fd6f6fa104ee9d332bb772e1fb7ee9bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 14:00:45 +0200
+Subject: pty: do tty_flip_buffer_push without port->lock in pty_write
+
+From: Artem Savkov <asavkov@redhat.com>
+
+[ Upstream commit 71a174b39f10b4b93223d374722aa894b5d8a82e ]
+
+b6da31b2c07c "tty: Fix data race in tty_insert_flip_string_fixed_flag"
+puts tty_flip_buffer_push under port->lock introducing the following
+possible circular locking dependency:
+
+[30129.876566] ======================================================
+[30129.876566] WARNING: possible circular locking dependency detected
+[30129.876567] 5.9.0-rc2+ #3 Tainted: G S W
+[30129.876568] ------------------------------------------------------
+[30129.876568] sysrq.sh/1222 is trying to acquire lock:
+[30129.876569] ffffffff92c39480 (console_owner){....}-{0:0}, at: console_unlock+0x3fe/0xa90
+
+[30129.876572] but task is already holding lock:
+[30129.876572] ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca
+
+[30129.876576] which lock already depends on the new lock.
+
+[30129.876577] the existing dependency chain (in reverse order) is:
+
+[30129.876578] -> #3 (&pool->lock/1){-.-.}-{2:2}:
+[30129.876581] _raw_spin_lock+0x30/0x70
+[30129.876581] __queue_work+0x1a3/0x10f0
+[30129.876582] queue_work_on+0x78/0x80
+[30129.876582] pty_write+0x165/0x1e0
+[30129.876583] n_tty_write+0x47f/0xf00
+[30129.876583] tty_write+0x3d6/0x8d0
+[30129.876584] vfs_write+0x1a8/0x650
+
+[30129.876588] -> #2 (&port->lock#2){-.-.}-{2:2}:
+[30129.876590] _raw_spin_lock_irqsave+0x3b/0x80
+[30129.876591] tty_port_tty_get+0x1d/0xb0
+[30129.876592] tty_port_default_wakeup+0xb/0x30
+[30129.876592] serial8250_tx_chars+0x3d6/0x970
+[30129.876593] serial8250_handle_irq.part.12+0x216/0x380
+[30129.876593] serial8250_default_handle_irq+0x82/0xe0
+[30129.876594] serial8250_interrupt+0xdd/0x1b0
+[30129.876595] __handle_irq_event_percpu+0xfc/0x850
+
+[30129.876602] -> #1 (&port->lock){-.-.}-{2:2}:
+[30129.876605] _raw_spin_lock_irqsave+0x3b/0x80
+[30129.876605] serial8250_console_write+0x12d/0x900
+[30129.876606] console_unlock+0x679/0xa90
+[30129.876606] register_console+0x371/0x6e0
+[30129.876607] univ8250_console_init+0x24/0x27
+[30129.876607] console_init+0x2f9/0x45e
+
+[30129.876609] -> #0 (console_owner){....}-{0:0}:
+[30129.876611] __lock_acquire+0x2f70/0x4e90
+[30129.876612] lock_acquire+0x1ac/0xad0
+[30129.876612] console_unlock+0x460/0xa90
+[30129.876613] vprintk_emit+0x130/0x420
+[30129.876613] printk+0x9f/0xc5
+[30129.876614] show_pwq+0x154/0x618
+[30129.876615] show_workqueue_state.cold.55+0x193/0x6ca
+[30129.876615] __handle_sysrq+0x244/0x460
+[30129.876616] write_sysrq_trigger+0x48/0x4a
+[30129.876616] proc_reg_write+0x1a6/0x240
+[30129.876617] vfs_write+0x1a8/0x650
+
+[30129.876619] other info that might help us debug this:
+
+[30129.876620] Chain exists of:
+[30129.876621] console_owner --> &port->lock#2 --> &pool->lock/1
+
+[30129.876625] Possible unsafe locking scenario:
+
+[30129.876626] CPU0 CPU1
+[30129.876626] ---- ----
+[30129.876627] lock(&pool->lock/1);
+[30129.876628] lock(&port->lock#2);
+[30129.876630] lock(&pool->lock/1);
+[30129.876631] lock(console_owner);
+
+[30129.876633] *** DEADLOCK ***
+
+[30129.876634] 5 locks held by sysrq.sh/1222:
+[30129.876634] #0: ffff8881d3ce0470 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x359/0x650
+[30129.876637] #1: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: __handle_sysrq+0x4d/0x460
+[30129.876640] #2: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: show_workqueue_state+0x5/0xf0
+[30129.876642] #3: ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca
+[30129.876645] #4: ffffffff92c39980 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x123/0x420
+
+[30129.876648] stack backtrace:
+[30129.876649] CPU: 3 PID: 1222 Comm: sysrq.sh Tainted: G S W 5.9.0-rc2+ #3
+[30129.876649] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012
+[30129.876650] Call Trace:
+[30129.876650] dump_stack+0x9d/0xe0
+[30129.876651] check_noncircular+0x34f/0x410
+[30129.876653] __lock_acquire+0x2f70/0x4e90
+[30129.876656] lock_acquire+0x1ac/0xad0
+[30129.876658] console_unlock+0x460/0xa90
+[30129.876660] vprintk_emit+0x130/0x420
+[30129.876660] printk+0x9f/0xc5
+[30129.876661] show_pwq+0x154/0x618
+[30129.876662] show_workqueue_state.cold.55+0x193/0x6ca
+[30129.876664] __handle_sysrq+0x244/0x460
+[30129.876665] write_sysrq_trigger+0x48/0x4a
+[30129.876665] proc_reg_write+0x1a6/0x240
+[30129.876666] vfs_write+0x1a8/0x650
+
+It looks like the commit was aimed to protect tty_insert_flip_string and
+there is no need for tty_flip_buffer_push to be under this lock.
+
+Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag")
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Acked-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20200902120045.3693075-1-asavkov@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/pty.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index b3208b1b1028d..bca47176db4c2 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -120,10 +120,10 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
+ spin_lock_irqsave(&to->port->lock, flags);
+ /* Stuff the data into the input queue of the other end */
+ c = tty_insert_flip_string(to->port, buf, c);
++ spin_unlock_irqrestore(&to->port->lock, flags);
+ /* And shovel */
+ if (c)
+ tty_flip_buffer_push(to->port);
+- spin_unlock_irqrestore(&to->port->lock, flags);
+ }
+ return c;
+ }
+--
+2.25.1
+
--- /dev/null
+From 2c9f9601f6340db79a1c25b09c9d813b6b41b2c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 13:23:24 +0200
+Subject: pwm: lpss: Add range limit check for the base_unit register value
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit ef9f60daab309558c8bb3e086a9a11ee40bd6061 ]
+
+When the user requests a high enough period ns value, then the
+calculations in pwm_lpss_prepare() might result in a base_unit value of 0.
+
+But according to the data-sheet the way the PWM controller works is that
+each input clock-cycle the base_unit gets added to a N bit counter and
+that counter overflowing determines the PWM output frequency. Adding 0
+to the counter is a no-op. The data-sheet even explicitly states that
+writing 0 to the base_unit bits will result in the PWM outputting a
+continuous 0 signal.
+
+When the user requestes a low enough period ns value, then the
+calculations in pwm_lpss_prepare() might result in a base_unit value
+which is bigger then base_unit_range - 1. Currently the codes for this
+deals with this by applying a mask:
+
+ base_unit &= (base_unit_range - 1);
+
+But this means that we let the value overflow the range, we throw away the
+higher bits and store whatever value is left in the lower bits into the
+register leading to a random output frequency, rather then clamping the
+output frequency to the highest frequency which the hardware can do.
+
+This commit fixes both issues by clamping the base_unit value to be
+between 1 and (base_unit_range - 1).
+
+Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-5-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lpss.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c
+index da63c029aa286..69f8be065919e 100644
+--- a/drivers/pwm/pwm-lpss.c
++++ b/drivers/pwm/pwm-lpss.c
+@@ -109,6 +109,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+ freq *= base_unit_range;
+
+ base_unit = DIV_ROUND_CLOSEST_ULL(freq, c);
++ /* base_unit must not be 0 and we also want to avoid overflowing it */
++ base_unit = clamp_val(base_unit, 1, base_unit_range - 1);
+
+ on_time_div = 255ULL * duty_ns;
+ do_div(on_time_div, period_ns);
+@@ -117,7 +119,6 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+ orig_ctrl = ctrl = pwm_lpss_read(pwm);
+ ctrl &= ~PWM_ON_TIME_DIV_MASK;
+ ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT);
+- base_unit &= (base_unit_range - 1);
+ ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT;
+ ctrl |= on_time_div;
+
+--
+2.25.1
+
--- /dev/null
+From 9229010cef195d250dd441c5c4f9913aa2d01d47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 13:23:23 +0200
+Subject: pwm: lpss: Fix off by one error in base_unit math in
+ pwm_lpss_prepare()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 181f4d2f44463fe09fe4df02e03095cb87151c29 ]
+
+According to the data-sheet the way the PWM controller works is that
+each input clock-cycle the base_unit gets added to a N bit counter and
+that counter overflowing determines the PWM output frequency.
+
+So assuming e.g. a 16 bit counter this means that if base_unit is set to 1,
+after 65535 input clock-cycles the counter has been increased from 0 to
+65535 and it will overflow on the next cycle, so it will overflow after
+every 65536 clock cycles and thus the calculations done in
+pwm_lpss_prepare() should use 65536 and not 65535.
+
+This commit fixes this. Note this also aligns the calculations in
+pwm_lpss_prepare() with those in pwm_lpss_get_state().
+
+Note this effectively reverts commit 684309e5043e ("pwm: lpss: Avoid
+potential overflow of base_unit"). The next patch in this series really
+fixes the potential overflow of the base_unit value.
+
+Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-4-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lpss.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c
+index 7a4a6406cf69a..da63c029aa286 100644
+--- a/drivers/pwm/pwm-lpss.c
++++ b/drivers/pwm/pwm-lpss.c
+@@ -105,7 +105,7 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+ * The equation is:
+ * base_unit = round(base_unit_range * freq / c)
+ */
+- base_unit_range = BIT(lpwm->info->base_unit_bits) - 1;
++ base_unit_range = BIT(lpwm->info->base_unit_bits);
+ freq *= base_unit_range;
+
+ base_unit = DIV_ROUND_CLOSEST_ULL(freq, c);
+@@ -116,8 +116,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+
+ orig_ctrl = ctrl = pwm_lpss_read(pwm);
+ ctrl &= ~PWM_ON_TIME_DIV_MASK;
+- ctrl &= ~(base_unit_range << PWM_BASE_UNIT_SHIFT);
+- base_unit &= base_unit_range;
++ ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT);
++ base_unit &= (base_unit_range - 1);
+ ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT;
+ ctrl |= on_time_div;
+
+--
+2.25.1
+
--- /dev/null
+From be461c4347836cc99178f0b2d4bd268e7791a783 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:22:24 +0100
+Subject: qtnfmac: fix resource leaks on unsupported iftype error return path
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 63f6982075d890d7563e2469643f05a37d193f01 ]
+
+Currently if an unsupported iftype is detected the error return path
+does not free the cmd_skb leading to a resource leak. Fix this by
+free'ing cmd_skb.
+
+Addresses-Coverity: ("Resource leak")
+Fixes: 805b28c05c8e ("qtnfmac: prepare for AP_VLAN interface type support")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200925132224.21638-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/quantenna/qtnfmac/commands.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c
+index ed087bbc6f631..f37fda2238acc 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/commands.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c
+@@ -796,6 +796,7 @@ int qtnf_cmd_send_del_intf(struct qtnf_vif *vif)
+ default:
+ pr_warn("VIF%u.%u: unsupported iftype %d\n", vif->mac->macid,
+ vif->vifid, vif->wdev.iftype);
++ dev_kfree_skb(cmd_skb);
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -1882,6 +1883,7 @@ int qtnf_cmd_send_change_sta(struct qtnf_vif *vif, const u8 *mac,
+ break;
+ default:
+ pr_err("unsupported iftype %d\n", vif->wdev.iftype);
++ dev_kfree_skb(cmd_skb);
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.25.1
+
--- /dev/null
+From 6d0ee6f5dca77b15fac70f327777d9cc1415608f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 11:36:19 -0700
+Subject: quota: clear padding in v2r1_mem2diskdqb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3d3dc274ce736227e3197868ff749cff2f175f63 ]
+
+Freshly allocated memory contains garbage, better make sure
+to init all struct v2r1_disk_dqblk fields to avoid KMSAN report:
+
+BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218
+CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219
+ qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218
+ v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285
+ qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394
+ v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333
+ dquot_commit+0x4af/0x600 fs/quota/dquot.c:482
+ ext4_write_dquot fs/ext4/super.c:5934 [inline]
+ ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985
+ mark_dquot_dirty fs/quota/dquot.c:347 [inline]
+ mark_all_dquot_dirty fs/quota/dquot.c:385 [inline]
+ dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755
+ __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155
+ ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686
+ vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283
+ do_tmpfile fs/namei.c:3316 [inline]
+ path_openat+0x4035/0x6a90 fs/namei.c:3359
+ do_filp_open+0x2b8/0x710 fs/namei.c:3395
+ do_sys_openat2+0xa88/0x1140 fs/open.c:1168
+ do_sys_open fs/open.c:1184 [inline]
+ __do_compat_sys_openat fs/open.c:1242 [inline]
+ __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
+ __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
+ do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
+ __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
+ do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
+ do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+RIP: 0023:0xf7ff4549
+Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127
+RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000
+RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
+ slab_alloc_node mm/slub.c:2907 [inline]
+ slab_alloc mm/slub.c:2916 [inline]
+ __kmalloc+0x2bb/0x4b0 mm/slub.c:3982
+ kmalloc include/linux/slab.h:559 [inline]
+ getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52
+ qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378
+ v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333
+ dquot_commit+0x4af/0x600 fs/quota/dquot.c:482
+ ext4_write_dquot fs/ext4/super.c:5934 [inline]
+ ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985
+ mark_dquot_dirty fs/quota/dquot.c:347 [inline]
+ mark_all_dquot_dirty fs/quota/dquot.c:385 [inline]
+ dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755
+ __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155
+ ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686
+ vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283
+ do_tmpfile fs/namei.c:3316 [inline]
+ path_openat+0x4035/0x6a90 fs/namei.c:3359
+ do_filp_open+0x2b8/0x710 fs/namei.c:3395
+ do_sys_openat2+0xa88/0x1140 fs/open.c:1168
+ do_sys_open fs/open.c:1184 [inline]
+ __do_compat_sys_openat fs/open.c:1242 [inline]
+ __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
+ __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
+ do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
+ __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
+ do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
+ do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits")
+Link: https://lore.kernel.org/r/20200924183619.4176790-1-edumazet@google.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jan Kara <jack@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/quota_v2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c
+index a73e5b34db418..5d4dc0f84f202 100644
+--- a/fs/quota/quota_v2.c
++++ b/fs/quota/quota_v2.c
+@@ -283,6 +283,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot)
+ d->dqb_curspace = cpu_to_le64(m->dqb_curspace);
+ d->dqb_btime = cpu_to_le64(m->dqb_btime);
+ d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id));
++ d->dqb_pad = 0;
+ if (qtree_entry_unused(info, dp))
+ d->dqb_itime = cpu_to_le64(1);
+ }
+--
+2.25.1
+
--- /dev/null
+From b01b10f94015dcb319b0f7ea6c2ab2fcc8a0dd3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:13:04 -0700
+Subject: ramfs: fix nommu mmap with gaps in the page cache
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 50b7d85680086126d7bd91dae81d57d4cb1ab6b7 ]
+
+ramfs needs to check that pages are both physically contiguous and
+contiguous in the file. If the page cache happens to have, eg, page A for
+index 0 of the file, no page for index 1, and page A+1 for index 2, then
+an mmap of the first two pages of the file will succeed when it should
+fail.
+
+Fixes: 642fb4d1f1dd ("[PATCH] NOMMU: Provide shared-writable mmap support on ramfs")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: David Howells <dhowells@redhat.com>
+Link: https://lkml.kernel.org/r/20200914122239.GO6583@casper.infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ramfs/file-nommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ramfs/file-nommu.c b/fs/ramfs/file-nommu.c
+index 3ac1f23870837..5e1ebbe639ebf 100644
+--- a/fs/ramfs/file-nommu.c
++++ b/fs/ramfs/file-nommu.c
+@@ -228,7 +228,7 @@ static unsigned long ramfs_nommu_get_unmapped_area(struct file *file,
+ if (!pages)
+ goto out_free;
+
+- nr = find_get_pages(inode->i_mapping, &pgoff, lpages, pages);
++ nr = find_get_pages_contig(inode->i_mapping, pgoff, lpages, pages);
+ if (nr != lpages)
+ goto out_free_pages; /* leave if some pages were missing */
+
+--
+2.25.1
+
--- /dev/null
+From 753c138c24b90f74e6b83dbb34d0ccf2b14f09f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:13:15 -0700
+Subject: rapidio: fix error handling path
+
+From: Souptick Joarder <jrdr.linux@gmail.com>
+
+[ Upstream commit fa63f083b3492b5ed5332b8d7c90b03b5ef24a1d ]
+
+rio_dma_transfer() attempts to clamp the return value of
+pin_user_pages_fast() to be >= 0. However, the attempt fails because
+nr_pages is overridden a few lines later, and restored to the undesirable
+-ERRNO value.
+
+The return value is ultimately stored in nr_pages, which in turn is passed
+to unpin_user_pages(), which expects nr_pages >= 0, else, disaster.
+
+Fix this by fixing the nesting of the assignment to nr_pages: nr_pages
+should be clamped to zero if pin_user_pages_fast() returns -ERRNO, or set
+to the return value of pin_user_pages_fast(), otherwise.
+
+[jhubbard@nvidia.com: new changelog]
+
+Fixes: e8de370188d09 ("rapidio: add mport char device driver")
+Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: John Hubbard <jhubbard@nvidia.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
+Cc: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lkml.kernel.org/r/1600227737-20785-1-git-send-email-jrdr.linux@gmail.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index f207f8725993c..171d6bcad5bc5 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -900,15 +900,16 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
+ rmcd_error("get_user_pages_unlocked err=%ld",
+ pinned);
+ nr_pages = 0;
+- } else
++ } else {
+ rmcd_error("pinned %ld out of %ld pages",
+ pinned, nr_pages);
++ /*
++ * Set nr_pages up to mean "how many pages to unpin, in
++ * the error handler:
++ */
++ nr_pages = pinned;
++ }
+ ret = -EFAULT;
+- /*
+- * Set nr_pages up to mean "how many pages to unpin, in
+- * the error handler:
+- */
+- nr_pages = pinned;
+ goto err_pg;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From ee12619826966d129e3c6232b118949b88b2e321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:13:18 -0700
+Subject: rapidio: fix the missed put_device() for rio_mport_add_riodev
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit 85094c05eeb47d195a74a25366a2db066f1c9d47 ]
+
+rio_mport_add_riodev() misses to call put_device() when the device already
+exists. Add the missed function call to fix it.
+
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+Link: https://lkml.kernel.org/r/20200922072525.42330-1-jingxiangfeng@huawei.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index 171d6bcad5bc5..a87c024d56700 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1739,6 +1739,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
+ struct rio_dev *rdev;
+ struct rio_switch *rswitch = NULL;
+ struct rio_mport *mport;
++ struct device *dev;
+ size_t size;
+ u32 rval;
+ u32 swpinfo = 0;
+@@ -1753,8 +1754,10 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
+ rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name,
+ dev_info.comptag, dev_info.destid, dev_info.hopcount);
+
+- if (bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name)) {
++ dev = bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name);
++ if (dev) {
+ rmcd_debug(RDEV, "device %s already exists", dev_info.name);
++ put_device(dev);
+ return -EEXIST;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From f06b8d960d8dfec156c5355282381510dc583695 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 21:50:15 +0800
+Subject: RDMA/hns: Set the unsupported wr opcode
+
+From: Lijun Ou <oulijun@huawei.com>
+
+[ Upstream commit 22d3e1ed2cc837af87f76c3c8a4ccf4455e225c5 ]
+
+hip06 does not support IB_WR_LOCAL_INV, so the ps_opcode should be set to
+an invalid value instead of being left uninitialized.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Fixes: a2f3d4479fe9 ("RDMA/hns: Avoid unncessary initialization")
+Link: https://lore.kernel.org/r/1600350615-115217-1-git-send-email-oulijun@huawei.com
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+index 8208c30f03c5a..bdfef9abe8f33 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+@@ -243,7 +243,6 @@ int hns_roce_v1_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
+ ps_opcode = HNS_ROCE_WQE_OPCODE_SEND;
+ break;
+ case IB_WR_LOCAL_INV:
+- break;
+ case IB_WR_ATOMIC_CMP_AND_SWP:
+ case IB_WR_ATOMIC_FETCH_AND_ADD:
+ case IB_WR_LSO:
+--
+2.25.1
+
--- /dev/null
+From eb92fe3d11cdc6461866f08a64fe57c72cbcfb3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 19:57:36 +0300
+Subject: RDMA/qedr: Fix use of uninitialized field
+
+From: Michal Kalderon <michal.kalderon@marvell.com>
+
+[ Upstream commit a379ad54e55a12618cae7f6333fd1b3071de9606 ]
+
+dev->attr.page_size_caps was used uninitialized when setting device
+attributes
+
+Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init")
+Link: https://lore.kernel.org/r/20200902165741.8355-4-michal.kalderon@marvell.com
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/qedr/main.c b/drivers/infiniband/hw/qedr/main.c
+index 3e48ed64760b7..8c9e23d1f434e 100644
+--- a/drivers/infiniband/hw/qedr/main.c
++++ b/drivers/infiniband/hw/qedr/main.c
+@@ -548,7 +548,7 @@ static int qedr_set_device_attr(struct qedr_dev *dev)
+ qed_attr = dev->ops->rdma_query_device(dev->rdma_ctx);
+
+ /* Part 2 - check capabilities */
+- page_size = ~dev->attr.page_size_caps + 1;
++ page_size = ~qed_attr->page_size_caps + 1;
+ if (page_size > PAGE_SIZE) {
+ DP_ERR(dev,
+ "Kernel PAGE_SIZE is %ld which is smaller than minimum page size (%d) required by qedr\n",
+--
+2.25.1
+
--- /dev/null
+From 7bbee82e8fa2a9e5e7489ed2e9776395f8ecbf11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Sep 2020 23:32:41 +0200
+Subject: regulator: resolve supply after creating regulator
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+[ Upstream commit aea6cb99703e17019e025aa71643b4d3e0a24413 ]
+
+When creating a new regulator its supply cannot create the sysfs link
+because the device is not yet published. Remove early supply resolving
+since it will be done later anyway. This makes the following error
+disappear and the symlinks get created instead.
+
+ DCDC_REG1: supplied by VSYS
+ VSYS: could not add device link regulator.3 err -2
+
+Note: It doesn't fix the problem for bypassed regulators, though.
+
+Fixes: 45389c47526d ("regulator: core: Add early supply resolution for regulators")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Link: https://lore.kernel.org/r/ba09e0a8617ffeeb25cb4affffe6f3149319cef8.1601155770.git.mirq-linux@rere.qmqm.pl
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index bd6991a99593d..a3c265177855d 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -4090,15 +4090,20 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ else if (regulator_desc->supply_name)
+ rdev->supply_name = regulator_desc->supply_name;
+
+- /*
+- * Attempt to resolve the regulator supply, if specified,
+- * but don't return an error if we fail because we will try
+- * to resolve it again later as more regulators are added.
+- */
+- if (regulator_resolve_supply(rdev))
+- rdev_dbg(rdev, "unable to resolve supply\n");
+-
+ ret = set_machine_constraints(rdev, constraints);
++ if (ret == -EPROBE_DEFER) {
++ /* Regulator might be in bypass mode and so needs its supply
++ * to set the constraints */
++ /* FIXME: this currently triggers a chicken-and-egg problem
++ * when creating -SUPPLY symlink in sysfs to a regulator
++ * that is just being created */
++ ret = regulator_resolve_supply(rdev);
++ if (!ret)
++ ret = set_machine_constraints(rdev, constraints);
++ else
++ rdev_dbg(rdev, "unable to resolve supply early: %pe\n",
++ ERR_PTR(ret));
++ }
+ if (ret < 0)
+ goto wash;
+
+--
+2.25.1
+
--- /dev/null
+From 233319ccd5070d082c4fd88c2ae085d590734ed9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2020 14:01:44 +0100
+Subject: reiserfs: Fix memory leak in reiserfs_parse_options()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ]
+
+When a usrjquota or grpjquota mount option is used multiple times, we
+will leak memory allocated for the file name. Make sure the last setting
+is used and all the previous ones are properly freed.
+
+Reported-by: syzbot+c9e294bbe0333a6b7640@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/super.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
+index 9caf3948417c0..fbae5f4eea09c 100644
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -1264,6 +1264,10 @@ static int reiserfs_parse_options(struct super_block *s,
+ "turned on.");
+ return 0;
+ }
++ if (qf_names[qtype] !=
++ REISERFS_SB(s)->s_qf_names[qtype])
++ kfree(qf_names[qtype]);
++ qf_names[qtype] = NULL;
+ if (*arg) { /* Some filename specified? */
+ if (REISERFS_SB(s)->s_qf_names[qtype]
+ && strcmp(REISERFS_SB(s)->s_qf_names[qtype],
+@@ -1293,10 +1297,6 @@ static int reiserfs_parse_options(struct super_block *s,
+ else
+ *mount_options |= 1 << REISERFS_GRPQUOTA;
+ } else {
+- if (qf_names[qtype] !=
+- REISERFS_SB(s)->s_qf_names[qtype])
+- kfree(qf_names[qtype]);
+- qf_names[qtype] = NULL;
+ if (qtype == USRQUOTA)
+ *mount_options &= ~(1 << REISERFS_USRQUOTA);
+ else
+--
+2.25.1
+
--- /dev/null
+From e4f6e04ca9ffd9207e9467bc8479f9b6a8c65f52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jun 2020 00:00:57 -0700
+Subject: reiserfs: only call unlock_new_inode() if I_NEW
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit 8859bf2b1278d064a139e3031451524a49a56bd0 ]
+
+unlock_new_inode() is only meant to be called after a new inode has
+already been inserted into the hash table. But reiserfs_new_inode() can
+call it even before it has inserted the inode, triggering the WARNING in
+unlock_new_inode(). Fix this by only calling unlock_new_inode() if the
+inode has the I_NEW flag set, indicating that it's in the table.
+
+This addresses the syzbot report "WARNING in unlock_new_inode"
+(https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7).
+
+Link: https://lore.kernel.org/r/20200628070057.820213-1-ebiggers@kernel.org
+Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
+index 4b0fed69e0330..06c4d376b0e39 100644
+--- a/fs/reiserfs/inode.c
++++ b/fs/reiserfs/inode.c
+@@ -2160,7 +2160,8 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
+ out_inserted_sd:
+ clear_nlink(inode);
+ th->t_trans_id = 0; /* so the caller can't use this handle later */
+- unlock_new_inode(inode); /* OK to do even if we hadn't locked it */
++ if (inode->i_state & I_NEW)
++ unlock_new_inode(inode);
+ iput(inode);
+ return err;
+ }
+--
+2.25.1
+
--- /dev/null
+From c7cc67484329c5aea7dd7a2baf24ef20d42dfc24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Sep 2020 12:04:24 +0800
+Subject: rtl8xxxu: prevent potential memory leak
+
+From: Chris Chiu <chiu@endlessm.com>
+
+[ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ]
+
+Free the skb if usb_submit_urb fails on rx_urb. And free the urb
+no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb.
+
+Signed-off-by: Chris Chiu <chiu@endlessm.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200906040424.22022-1-chiu@endlessm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 63f37fa72e4ba..5cf61710ae2f1 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5453,7 +5453,6 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw)
+ ret = usb_submit_urb(urb, GFP_KERNEL);
+ if (ret) {
+ usb_unanchor_urb(urb);
+- usb_free_urb(urb);
+ goto error;
+ }
+
+@@ -5462,6 +5461,7 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw)
+ rtl8xxxu_write32(priv, REG_USB_HIMR, val32);
+
+ error:
++ usb_free_urb(urb);
+ return ret;
+ }
+
+@@ -5787,6 +5787,7 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw)
+ struct rtl8xxxu_priv *priv = hw->priv;
+ struct rtl8xxxu_rx_urb *rx_urb;
+ struct rtl8xxxu_tx_urb *tx_urb;
++ struct sk_buff *skb;
+ unsigned long flags;
+ int ret, i;
+
+@@ -5837,6 +5838,13 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw)
+ rx_urb->hw = hw;
+
+ ret = rtl8xxxu_submit_rx_urb(priv, rx_urb);
++ if (ret) {
++ if (ret != -ENOMEM) {
++ skb = (struct sk_buff *)rx_urb->urb.context;
++ dev_kfree_skb(skb);
++ }
++ rtl8xxxu_queue_rx_urb(priv, rx_urb);
++ }
+ }
+ exit:
+ /*
+--
+2.25.1
+
--- /dev/null
+From 226c06009ac6ca51044c53a7de80babdfd0db243 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 12:13:00 +0300
+Subject: scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 38b2db564d9ab7797192ef15d7aade30633ceeae ]
+
+The be_fill_queue() function can only fail when "eq_vaddress" is NULL and
+since it's non-NULL here that means the function call can't fail. But
+imagine if it could, then in that situation we would want to store the
+"paddr" so that dma memory can be released.
+
+Link: https://lore.kernel.org/r/20200928091300.GD377727@mwanda
+Fixes: bfead3b2cb46 ("[SCSI] be2iscsi: Adding msix and mcc_rings V3")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/be2iscsi/be_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
+index b4542e7e2ad5b..86e1eac3a4703 100644
+--- a/drivers/scsi/be2iscsi/be_main.c
++++ b/drivers/scsi/be2iscsi/be_main.c
+@@ -3013,6 +3013,7 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba,
+ goto create_eq_error;
+ }
+
++ mem->dma = paddr;
+ mem->va = eq_vaddress;
+ ret = be_fill_queue(eq, phba->params.num_eq_entries,
+ sizeof(struct be_eq_entry), eq_vaddress);
+@@ -3022,7 +3023,6 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba,
+ goto create_eq_error;
+ }
+
+- mem->dma = paddr;
+ ret = beiscsi_cmd_eq_create(&phba->ctrl, eq,
+ phwi_context->cur_eqd);
+ if (ret) {
+@@ -3079,6 +3079,7 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba,
+ goto create_cq_error;
+ }
+
++ mem->dma = paddr;
+ ret = be_fill_queue(cq, phba->params.num_cq_entries,
+ sizeof(struct sol_cqe), cq_vaddress);
+ if (ret) {
+@@ -3088,7 +3089,6 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba,
+ goto create_cq_error;
+ }
+
+- mem->dma = paddr;
+ ret = beiscsi_cmd_cq_create(&phba->ctrl, cq, eq, false,
+ false, 0);
+ if (ret) {
+--
+2.25.1
+
--- /dev/null
+From 054f81ff9e71d7cec902c5061ef8c59956fea261 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 19:15:31 +0800
+Subject: scsi: csiostor: Fix wrong return value in csio_hw_prep_fw()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 44f4daf8678ae5f08c93bbe70792f90cd88e4649 ]
+
+On an error exit path, a negative error code should be returned instead of
+a positive return value.
+
+Link: https://lore.kernel.org/r/20200802111531.5065-1-tianjia.zhang@linux.alibaba.com
+Fixes: f40e74ffa3de ("csiostor:firmware upgrade fix")
+Cc: Praveen Madhavan <praveenm@chelsio.com>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c
+index ab30db8c36c6f..bbcba3d08d495 100644
+--- a/drivers/scsi/csiostor/csio_hw.c
++++ b/drivers/scsi/csiostor/csio_hw.c
+@@ -1997,7 +1997,7 @@ static int csio_hw_prep_fw(struct csio_hw *hw, struct fw_info *fw_info,
+ FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c),
+ FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k),
+ FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k));
+- ret = EINVAL;
++ ret = -EINVAL;
+ goto bye;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 9988824b4e5329d91cef70021bdce80d63f49d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 16:39:49 +0800
+Subject: scsi: ibmvfc: Fix error return in ibmvfc_probe()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit 5e48a084f4e824e1b624d3fd7ddcf53d2ba69e53 ]
+
+Fix to return error code PTR_ERR() from the error handling case instead of
+0.
+
+Link: https://lore.kernel.org/r/20200907083949.154251-1-jingxiangfeng@huawei.com
+Acked-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ibmvscsi/ibmvfc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
+index 34612add3829f..dbacd9830d3df 100644
+--- a/drivers/scsi/ibmvscsi/ibmvfc.c
++++ b/drivers/scsi/ibmvscsi/ibmvfc.c
+@@ -4797,6 +4797,7 @@ static int ibmvfc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ if (IS_ERR(vhost->work_thread)) {
+ dev_err(dev, "Couldn't create kernel thread: %ld\n",
+ PTR_ERR(vhost->work_thread));
++ rc = PTR_ERR(vhost->work_thread);
+ goto free_host_mem;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 04007aa8b750a3753faf77fc8c6bb40a54c5af76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 20:38:48 +0800
+Subject: scsi: mvumi: Fix error return in mvumi_io_attach()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ]
+
+Return PTR_ERR() from the error handling case instead of 0.
+
+Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangfeng@huawei.com
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mvumi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c
+index fe97401ad1927..1fffa301c1b9f 100644
+--- a/drivers/scsi/mvumi.c
++++ b/drivers/scsi/mvumi.c
+@@ -2439,6 +2439,7 @@ static int mvumi_io_attach(struct mvumi_hba *mhba)
+ if (IS_ERR(mhba->dm_thread)) {
+ dev_err(&mhba->pdev->dev,
+ "failed to create device scan thread\n");
++ ret = PTR_ERR(mhba->dm_thread);
+ mutex_unlock(&mhba->sas_discovery_mutex);
+ goto fail_create_thread;
+ }
+--
+2.25.1
+
--- /dev/null
+From 5b05ba77948a12423e9ed3ecf96cb25d734d9aeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 02:56:52 -0700
+Subject: scsi: qedi: Fix list_del corruption while removing active I/O
+
+From: Nilesh Javali <njavali@marvell.com>
+
+[ Upstream commit 28b35d17f9f8573d4646dd8df08917a4076a6b63 ]
+
+While aborting the I/O, the firmware cleanup task timed out and driver
+deleted the I/O from active command list. Some time later the firmware
+sent the cleanup task response and driver again deleted the I/O from
+active command list causing firmware to send completion for non-existent
+I/O and list_del corruption of active command list.
+
+Add fix to check if I/O is present before deleting it from the active
+command list to ensure firmware sends valid I/O completion and protect
+against list_del corruption.
+
+Link: https://lore.kernel.org/r/20200908095657.26821-4-mrangankar@marvell.com
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_fw.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c
+index e688300faeefd..e8f2c662471e0 100644
+--- a/drivers/scsi/qedi/qedi_fw.c
++++ b/drivers/scsi/qedi/qedi_fw.c
+@@ -844,8 +844,11 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi,
+ qedi_clear_task_idx(qedi_conn->qedi, rtid);
+
+ spin_lock(&qedi_conn->list_lock);
+- list_del_init(&dbg_cmd->io_cmd);
+- qedi_conn->active_cmd_count--;
++ if (likely(dbg_cmd->io_cmd_in_list)) {
++ dbg_cmd->io_cmd_in_list = false;
++ list_del_init(&dbg_cmd->io_cmd);
++ qedi_conn->active_cmd_count--;
++ }
+ spin_unlock(&qedi_conn->list_lock);
+ qedi_cmd->state = CLEANUP_RECV;
+ wake_up_interruptible(&qedi_conn->wait_queue);
+@@ -1265,6 +1268,7 @@ int qedi_cleanup_all_io(struct qedi_ctx *qedi, struct qedi_conn *qedi_conn,
+ qedi_conn->cmd_cleanup_req++;
+ qedi_iscsi_cleanup_task(ctask, true);
+
++ cmd->io_cmd_in_list = false;
+ list_del_init(&cmd->io_cmd);
+ qedi_conn->active_cmd_count--;
+ QEDI_WARN(&qedi->dbg_ctx,
+@@ -1478,8 +1482,11 @@ static void qedi_tmf_work(struct work_struct *work)
+ spin_unlock_bh(&qedi_conn->tmf_work_lock);
+
+ spin_lock(&qedi_conn->list_lock);
+- list_del_init(&cmd->io_cmd);
+- qedi_conn->active_cmd_count--;
++ if (likely(cmd->io_cmd_in_list)) {
++ cmd->io_cmd_in_list = false;
++ list_del_init(&cmd->io_cmd);
++ qedi_conn->active_cmd_count--;
++ }
+ spin_unlock(&qedi_conn->list_lock);
+
+ clear_bit(QEDI_CONN_FW_CLEANUP, &qedi_conn->flags);
+--
+2.25.1
+
--- /dev/null
+From 98e2a1ec7d4b79f754dd5564d6d4cc84fc24cc11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 02:56:53 -0700
+Subject: scsi: qedi: Protect active command list to avoid list corruption
+
+From: Nilesh Javali <njavali@marvell.com>
+
+[ Upstream commit c0650e28448d606c84f76c34333dba30f61de993 ]
+
+Protect active command list for non-I/O commands like login response,
+logout response, text response, and recovery cleanup of active list to
+avoid list corruption.
+
+Link: https://lore.kernel.org/r/20200908095657.26821-5-mrangankar@marvell.com
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_fw.c | 8 ++++++++
+ drivers/scsi/qedi/qedi_iscsi.c | 2 ++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c
+index 2e5e04a7623fa..e688300faeefd 100644
+--- a/drivers/scsi/qedi/qedi_fw.c
++++ b/drivers/scsi/qedi/qedi_fw.c
+@@ -62,6 +62,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi,
+ "Freeing tid=0x%x for cid=0x%x\n",
+ cmd->task_id, qedi_conn->iscsi_conn_id);
+
++ spin_lock(&qedi_conn->list_lock);
+ if (likely(cmd->io_cmd_in_list)) {
+ cmd->io_cmd_in_list = false;
+ list_del_init(&cmd->io_cmd);
+@@ -72,6 +73,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi,
+ cmd->task_id, qedi_conn->iscsi_conn_id,
+ &cmd->io_cmd);
+ }
++ spin_unlock(&qedi_conn->list_lock);
+
+ cmd->state = RESPONSE_RECEIVED;
+ qedi_clear_task_idx(qedi, cmd->task_id);
+@@ -127,6 +129,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi,
+ "Freeing tid=0x%x for cid=0x%x\n",
+ cmd->task_id, qedi_conn->iscsi_conn_id);
+
++ spin_lock(&qedi_conn->list_lock);
+ if (likely(cmd->io_cmd_in_list)) {
+ cmd->io_cmd_in_list = false;
+ list_del_init(&cmd->io_cmd);
+@@ -137,6 +140,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi,
+ cmd->task_id, qedi_conn->iscsi_conn_id,
+ &cmd->io_cmd);
+ }
++ spin_unlock(&qedi_conn->list_lock);
+
+ cmd->state = RESPONSE_RECEIVED;
+ qedi_clear_task_idx(qedi, cmd->task_id);
+@@ -231,11 +235,13 @@ static void qedi_process_tmf_resp(struct qedi_ctx *qedi,
+
+ tmf_hdr = (struct iscsi_tm *)qedi_cmd->task->hdr;
+
++ spin_lock(&qedi_conn->list_lock);
+ if (likely(qedi_cmd->io_cmd_in_list)) {
+ qedi_cmd->io_cmd_in_list = false;
+ list_del_init(&qedi_cmd->io_cmd);
+ qedi_conn->active_cmd_count--;
+ }
++ spin_unlock(&qedi_conn->list_lock);
+
+ if (((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) ==
+ ISCSI_TM_FUNC_LOGICAL_UNIT_RESET) ||
+@@ -299,11 +305,13 @@ static void qedi_process_login_resp(struct qedi_ctx *qedi,
+ ISCSI_LOGIN_RESPONSE_HDR_DATA_SEG_LEN_MASK;
+ qedi_conn->gen_pdu.resp_wr_ptr = qedi_conn->gen_pdu.resp_buf + pld_len;
+
++ spin_lock(&qedi_conn->list_lock);
+ if (likely(cmd->io_cmd_in_list)) {
+ cmd->io_cmd_in_list = false;
+ list_del_init(&cmd->io_cmd);
+ qedi_conn->active_cmd_count--;
+ }
++ spin_unlock(&qedi_conn->list_lock);
+
+ memset(task_ctx, '\0', sizeof(*task_ctx));
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index 4d7971c3f339b..c55fb411c8a55 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -983,11 +983,13 @@ static void qedi_cleanup_active_cmd_list(struct qedi_conn *qedi_conn)
+ {
+ struct qedi_cmd *cmd, *cmd_tmp;
+
++ spin_lock(&qedi_conn->list_lock);
+ list_for_each_entry_safe(cmd, cmd_tmp, &qedi_conn->active_cmd_list,
+ io_cmd) {
+ list_del_init(&cmd->io_cmd);
+ qedi_conn->active_cmd_count--;
+ }
++ spin_unlock(&qedi_conn->list_lock);
+ }
+
+ static void qedi_ep_disconnect(struct iscsi_endpoint *ep)
+--
+2.25.1
+
--- /dev/null
+From f78cd12b70c6b314ba0faa6513a1aa074714ff54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 12:15:27 +0200
+Subject: scsi: qla4xxx: Fix an error handling path in
+ 'qla4xxx_get_host_stats()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 574918e69720fe62ab3eb42ec3750230c8d16b06 ]
+
+Update the size used in 'dma_free_coherent()' in order to match the one
+used in the corresponding 'dma_alloc_coherent()'.
+
+Link: https://lore.kernel.org/r/20200802101527.676054-1-christophe.jaillet@wanadoo.fr
+Fixes: 4161cee52df8 ("[SCSI] qla4xxx: Add host statistics support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index fb3abaf817a35..62022a66e9ee2 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -1223,7 +1223,7 @@ static int qla4xxx_get_host_stats(struct Scsi_Host *shost, char *buf, int len)
+ le64_to_cpu(ql_iscsi_stats->iscsi_sequence_error);
+ exit_host_stats:
+ if (ql_iscsi_stats)
+- dma_free_coherent(&ha->pdev->dev, host_stats_size,
++ dma_free_coherent(&ha->pdev->dev, stats_size,
+ ql_iscsi_stats, iscsi_stats_dma);
+
+ ql4_printk(KERN_INFO, ha, "%s: Get host stats done\n",
+--
+2.25.1
+
--- /dev/null
+From d51ad8a0134160a3da4fbec7668b5ef8d691d920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 15:59:57 +0300
+Subject: scsi: target: core: Add CONTROL field for trace events
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 7010645ba7256992818b518163f46bd4cdf8002a ]
+
+trace-cmd report doesn't show events from target subsystem because
+scsi_command_size() leaks through event format string:
+
+ [target:target_sequencer_start] function scsi_command_size not defined
+ [target:target_cmd_complete] function scsi_command_size not defined
+
+Addition of scsi_command_size() to plugin_scsi.c in trace-cmd doesn't
+help because an expression is used inside TP_printk(). trace-cmd event
+parser doesn't understand minus sign inside [ ]:
+
+ Error: expected ']' but read '-'
+
+Rather than duplicating kernel code in plugin_scsi.c, provide a dedicated
+field for CONTROL byte.
+
+Link: https://lore.kernel.org/r/20200929125957.83069-1-r.bolshakov@yadro.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/scsi/scsi_common.h | 7 +++++++
+ include/trace/events/target.h | 12 ++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/scsi/scsi_common.h b/include/scsi/scsi_common.h
+index 731ac09ed2313..5b567b43e1b16 100644
+--- a/include/scsi/scsi_common.h
++++ b/include/scsi/scsi_common.h
+@@ -25,6 +25,13 @@ scsi_command_size(const unsigned char *cmnd)
+ scsi_varlen_cdb_length(cmnd) : COMMAND_SIZE(cmnd[0]);
+ }
+
++static inline unsigned char
++scsi_command_control(const unsigned char *cmnd)
++{
++ return (cmnd[0] == VARIABLE_LENGTH_CMD) ?
++ cmnd[1] : cmnd[COMMAND_SIZE(cmnd[0]) - 1];
++}
++
+ /* Returns a human-readable name for the device */
+ extern const char *scsi_device_type(unsigned type);
+
+diff --git a/include/trace/events/target.h b/include/trace/events/target.h
+index 914a872dd3435..e87a3716b0ac9 100644
+--- a/include/trace/events/target.h
++++ b/include/trace/events/target.h
+@@ -140,6 +140,7 @@ TRACE_EVENT(target_sequencer_start,
+ __field( unsigned int, opcode )
+ __field( unsigned int, data_length )
+ __field( unsigned int, task_attribute )
++ __field( unsigned char, control )
+ __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE )
+ __string( initiator, cmd->se_sess->se_node_acl->initiatorname )
+ ),
+@@ -149,6 +150,7 @@ TRACE_EVENT(target_sequencer_start,
+ __entry->opcode = cmd->t_task_cdb[0];
+ __entry->data_length = cmd->data_length;
+ __entry->task_attribute = cmd->sam_task_attr;
++ __entry->control = scsi_command_control(cmd->t_task_cdb);
+ memcpy(__entry->cdb, cmd->t_task_cdb, TCM_MAX_COMMAND_SIZE);
+ __assign_str(initiator, cmd->se_sess->se_node_acl->initiatorname);
+ ),
+@@ -158,9 +160,7 @@ TRACE_EVENT(target_sequencer_start,
+ show_opcode_name(__entry->opcode),
+ __entry->data_length, __print_hex(__entry->cdb, 16),
+ show_task_attribute_name(__entry->task_attribute),
+- scsi_command_size(__entry->cdb) <= 16 ?
+- __entry->cdb[scsi_command_size(__entry->cdb) - 1] :
+- __entry->cdb[1]
++ __entry->control
+ )
+ );
+
+@@ -175,6 +175,7 @@ TRACE_EVENT(target_cmd_complete,
+ __field( unsigned int, opcode )
+ __field( unsigned int, data_length )
+ __field( unsigned int, task_attribute )
++ __field( unsigned char, control )
+ __field( unsigned char, scsi_status )
+ __field( unsigned char, sense_length )
+ __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE )
+@@ -187,6 +188,7 @@ TRACE_EVENT(target_cmd_complete,
+ __entry->opcode = cmd->t_task_cdb[0];
+ __entry->data_length = cmd->data_length;
+ __entry->task_attribute = cmd->sam_task_attr;
++ __entry->control = scsi_command_control(cmd->t_task_cdb);
+ __entry->scsi_status = cmd->scsi_status;
+ __entry->sense_length = cmd->scsi_status == SAM_STAT_CHECK_CONDITION ?
+ min(18, ((u8 *) cmd->sense_buffer)[SPC_ADD_SENSE_LEN_OFFSET] + 8) : 0;
+@@ -203,9 +205,7 @@ TRACE_EVENT(target_cmd_complete,
+ show_opcode_name(__entry->opcode),
+ __entry->data_length, __print_hex(__entry->cdb, 16),
+ show_task_attribute_name(__entry->task_attribute),
+- scsi_command_size(__entry->cdb) <= 16 ?
+- __entry->cdb[scsi_command_size(__entry->cdb) - 1] :
+- __entry->cdb[1]
++ __entry->control
+ )
+ );
+
+--
+2.25.1
+
--- /dev/null
+From 912c59266dfc4e23f366bc92f1873578c09a9670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Aug 2020 05:15:48 -0700
+Subject: scsi: ufs: ufs-qcom: Fix race conditions caused by
+ ufs_qcom_testbus_config()
+
+From: Can Guo <cang@codeaurora.org>
+
+[ Upstream commit 89dd87acd40a44de8ff3358138aedf8f73f4efc6 ]
+
+If ufs_qcom_dump_dbg_regs() calls ufs_qcom_testbus_config() from
+ufshcd_suspend/resume and/or clk gate/ungate context, pm_runtime_get_sync()
+and ufshcd_hold() will cause a race condition. Fix this by removing the
+unnecessary calls of pm_runtime_get_sync() and ufshcd_hold().
+
+Link: https://lore.kernel.org/r/1596975355-39813-3-git-send-email-cang@codeaurora.org
+Reviewed-by: Hongwu Su <hongwus@codeaurora.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Asutosh Das <asutoshd@codeaurora.org>
+Signed-off-by: Can Guo <cang@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c
+index ee3589ac64abf..6b6b8bf2ec929 100644
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -1595,9 +1595,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host)
+ */
+ }
+ mask <<= offset;
+-
+- pm_runtime_get_sync(host->hba->dev);
+- ufshcd_hold(host->hba, false);
+ ufshcd_rmwl(host->hba, TEST_BUS_SEL,
+ (u32)host->testbus.select_major << 19,
+ REG_UFS_CFG1);
+@@ -1610,8 +1607,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host)
+ * committed before returning.
+ */
+ mb();
+- ufshcd_release(host->hba);
+- pm_runtime_put_sync(host->hba->dev);
+
+ return 0;
+ }
+--
+2.25.1
+
kvm-svm-initialize-prev_ga_tag-before-use.patch
ima-don-t-ignore-errors-from-crypto_shash_update.patch
crypto-algif_aead-do-not-set-may_backlog-on-the-async-path.patch
+edac-i5100-fix-error-handling-order-in-i5100_init_on.patch
+x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch
+drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch
+crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch
+crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch
+crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch
+media-tuner-simple-fix-regression-in-simple_set_radi.patch
+media-revert-media-exynos4-is-add-missed-check-for-p.patch
+media-m5mols-check-function-pointer-in-m5mols_sensor.patch
+media-uvcvideo-set-media-controller-entity-functions.patch
+media-omap3isp-fix-memleak-in-isp_probe.patch
+crypto-omap-sham-fix-digcnt-register-handling-with-e.patch
+cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch
+media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch
+media-tc358743-initialize-variable.patch
+media-platform-fcp-fix-a-reference-count-leak.patch
+media-s5p-mfc-fix-a-reference-count-leak.patch
+media-ti-vpe-fix-a-missing-check-and-reference-count.patch
+regulator-resolve-supply-after-creating-regulator.patch
+ath10k-provide-survey-info-as-accumulated-data.patch
+bluetooth-hci_uart-cancel-init-work-before-unregiste.patch
+ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch
+ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch
+wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch
+asoc-qcom-lpass-platform-fix-memory-leak.patch
+asoc-qcom-lpass-cpu-fix-concurrency-issue.patch
+brcmfmac-check-ndev-pointer.patch
+mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch
+drm-gma500-fix-error-check.patch
+scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch
+scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch
+drm-radeon-prefer-lower-feedback-dividers.patch
+backlight-sky81452-backlight-fix-refcount-imbalance-.patch
+vmci-check-return-value-of-get_user_pages_fast-for-e.patch
+tty-serial-earlycon-dependency.patch
+tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch
+pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch
+pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch
+pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch
+drivers-virt-fsl_hypervisor-fix-error-handling-path.patch
+video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch
+video-fbdev-sis-fix-null-ptr-dereference.patch
+hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch
+pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch
+pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch
+asoc-topology-disable-size-checks-for-bytes_ext-cont.patch
+ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch
+misc-mic-scif-fix-error-handling-path.patch
+alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch
+usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch
+quota-clear-padding-in-v2r1_mem2diskdqb.patch
+hid-hid-input-fix-stylus-battery-reporting.patch
+qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch
+net-enic-cure-the-enic-api-locking-trainwreck.patch
+mfd-sm501-fix-leaks-in-probe.patch
+iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch
+usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch
+usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch
+nl80211-fix-non-split-wiphy-information.patch
+usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch
+scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch
+mwifiex-fix-double-free.patch
+net-korina-fix-kfree-of-rx-tx-descriptor-array.patch
+mm-memcg-fix-device-private-memcg-accounting.patch
+mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch
+ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch
+ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch
+powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch
+powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch
+mtd-lpddr-fix-excessive-stack-usage-with-clang.patch
+mtd-mtdoops-don-t-write-panic-data-twice.patch
+arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch
+arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch
+xfs-limit-entries-returned-when-counting-fsmap-recor.patch
+rdma-qedr-fix-use-of-uninitialized-field.patch
+powerpc-tau-use-appropriate-temperature-sample-inter.patch
+powerpc-tau-remove-duplicated-set_thresholds-call.patch
+powerpc-tau-disable-tau-between-measurements.patch
+perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch
+rdma-hns-set-the-unsupported-wr-opcode.patch
+kdb-fix-pager-search-for-multi-line-strings.patch
+overflow-include-header-file-with-size_max-declarati.patch
+powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch
+powerpc-perf-hv-gpci-fix-starting-index-value.patch
+cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch
+ib-rdmavt-fix-sizeof-mismatch.patch
+f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch
+lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch
+ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch
+rapidio-fix-error-handling-path.patch
+rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch
+mailbox-avoid-timer-start-from-callback.patch
+i2c-rcar-auto-select-reset_controller.patch
+pci-iproc-set-affinity-mask-on-msi-interrupts.patch
+clk-at91-clk-main-update-key-before-writing-at91_ckg.patch
+clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch
+ext4-limit-entries-returned-when-counting-fsmap-reco.patch
+vfio-pci-clear-token-on-bypass-registration-failure.patch
+vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch
+input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch
+input-stmfts-fix-a-vs-typo.patch
+input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch
+input-omap4-keypad-fix-handling-of-platform_get_irq-.patch
+input-twl4030_keypad-fix-handling-of-platform_get_ir.patch
+input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch
+kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch
+memory-omap-gpmc-fix-a-couple-off-by-ones.patch
+memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch
+arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch
+arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch
+arm64-dts-zynqmp-remove-additional-compatible-string.patch
+powerpc-powernv-dump-fix-race-while-processing-opal-.patch
+nvmet-fix-uninitialized-work-for-zero-kato.patch
+ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch
+perf-correct-snoopx-field-offset.patch
+i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch
+crypto-ccp-fix-error-handling.patch
+media-firewire-fix-memory-leak.patch
+media-ati_remote-sanity-check-for-both-endpoints.patch
+media-st-delta-fix-reference-count-leak-in-delta_run.patch
+media-sti-fix-reference-count-leaks.patch
+media-exynos4-is-fix-several-reference-count-leaks-d.patch
+media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch
+media-exynos4-is-fix-a-reference-count-leak.patch
+media-vsp1-fix-runtime-pm-imbalance-on-error.patch
+media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch
+media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch
+media-bdisp-fix-runtime-pm-imbalance-on-error.patch
+media-media-pci-prevent-memory-leak-in-bttv_probe.patch
+media-uvcvideo-ensure-all-probed-info-is-returned-to.patch
+mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch
+media-saa7134-avoid-a-shift-overflow.patch
+fs-dlm-fix-configfs-memory-leak.patch
+media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch
+ntfs-add-check-for-mft-record-size-in-superblock.patch
+mac80211-handle-lack-of-sband-bitrates-in-rates.patch
+pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch
+scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch
+scsi-target-core-add-control-field-for-trace-events.patch
+mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch
+misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch
+usb-gadget-function-printer-fix-use-after-free-in-__.patch
+udf-limit-sparing-table-size.patch
+udf-avoid-accessing-uninitialized-data-on-failed-ino.patch
+usb-cdc-acm-handle-broken-union-descriptors.patch
+can-flexcan-flexcan_chip_stop-add-error-handling-and.patch
+ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch
+misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch
+reiserfs-only-call-unlock_new_inode-if-i_new.patch
+xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch
+usb-ohci-default-to-per-port-over-current-protection.patch
+bluetooth-only-mark-socket-zapped-after-unlocking.patch
+scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch
+brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch
+rtl8xxxu-prevent-potential-memory-leak.patch
+fix-use-after-free-in-get_capset_info-callback.patch
+scsi-qedi-protect-active-command-list-to-avoid-list-.patch
+scsi-qedi-fix-list_del-corruption-while-removing-act.patch
+tty-ipwireless-fix-error-handling.patch
+ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch
+reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch
+mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch
+brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch
+usb-core-solve-race-condition-in-anchor-cleanup-func.patch
+scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch
+ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch
--- /dev/null
+From 868d78ff2e2a7289958a79b8f575dcaa16f661ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 18:46:38 -0500
+Subject: tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()
+
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+
+[ Upstream commit 63ffcbdad738e3d1c857027789a2273df3337624 ]
+
+The code currently NULLs tty->driver_data in hvcs_close() with the
+intent of informing the next call to hvcs_open() that device needs to be
+reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from
+tty->driver_data which was previoulsy NULLed by hvcs_close() and our
+call to tty_port_put(&hvcsd->port) doesn't actually do anything since
+&hvcsd->port ends up translating to NULL by chance. This has the side
+effect that when hvcs_remove() is called we have one too many port
+references preventing hvcs_destuct_port() from ever being called. This
+also prevents us from reusing the /dev/hvcsX node in a future
+hvcs_probe() and we can eventually run out of /dev/hvcsX devices.
+
+Fix this by waiting to NULL tty->driver_data in hvcs_cleanup().
+
+Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Link: https://lore.kernel.org/r/20200820234643.70412-1-tyreld@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/hvc/hvcs.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
+index 63c29fe9d21f1..f77d7f39c113c 100644
+--- a/drivers/tty/hvc/hvcs.c
++++ b/drivers/tty/hvc/hvcs.c
+@@ -1231,13 +1231,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
+
+ tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);
+
+- /*
+- * This line is important because it tells hvcs_open that this
+- * device needs to be re-configured the next time hvcs_open is
+- * called.
+- */
+- tty->driver_data = NULL;
+-
+ free_irq(irq, hvcsd);
+ return;
+ } else if (hvcsd->port.count < 0) {
+@@ -1252,6 +1245,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
+ {
+ struct hvcs_struct *hvcsd = tty->driver_data;
+
++ /*
++ * This line is important because it tells hvcs_open that this
++ * device needs to be re-configured the next time hvcs_open is
++ * called.
++ */
++ tty->driver_data = NULL;
++
+ tty_port_put(&hvcsd->port);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From cb9b35ff10f4b1aebed6ab346a6488ae55cb4aa7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 12:19:40 -0400
+Subject: tty: ipwireless: fix error handling
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit db332356222d9429731ab9395c89cca403828460 ]
+
+ipwireless_send_packet() can only return 0 on success and -ENOMEM on
+error, the caller should check non zero for error condition
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Acked-by: David Sterba <dsterba@suse.com>
+Link: https://lore.kernel.org/r/20200821161942.36589-1-ztong0001@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/ipwireless/network.c | 4 ++--
+ drivers/tty/ipwireless/tty.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/ipwireless/network.c b/drivers/tty/ipwireless/network.c
+index 695439c031474..abc737ae81d1c 100644
+--- a/drivers/tty/ipwireless/network.c
++++ b/drivers/tty/ipwireless/network.c
+@@ -117,7 +117,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel,
+ skb->len,
+ notify_packet_sent,
+ network);
+- if (ret == -1) {
++ if (ret < 0) {
+ skb_pull(skb, 2);
+ return 0;
+ }
+@@ -134,7 +134,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel,
+ notify_packet_sent,
+ network);
+ kfree(buf);
+- if (ret == -1)
++ if (ret < 0)
+ return 0;
+ }
+ kfree_skb(skb);
+diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
+index 1ef751c27ac6d..cb04971843306 100644
+--- a/drivers/tty/ipwireless/tty.c
++++ b/drivers/tty/ipwireless/tty.c
+@@ -218,7 +218,7 @@ static int ipw_write(struct tty_struct *linux_tty,
+ ret = ipwireless_send_packet(tty->hardware, IPW_CHANNEL_RAS,
+ buf, count,
+ ipw_write_packet_sent_callback, tty);
+- if (ret == -1) {
++ if (ret < 0) {
+ mutex_unlock(&tty->ipw_tty_mutex);
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 4434765c68df1ca99b26dddd6a08e152bb987e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 08:39:50 -0400
+Subject: tty: serial: earlycon dependency
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 0fb9342d06b0f667b915ba58bfefc030e534a218 ]
+
+parse_options() in drivers/tty/serial/earlycon.c calls uart_parse_earlycon
+in drivers/tty/serial/serial_core.c therefore selecting SERIAL_EARLYCON
+should automatically select SERIAL_CORE, otherwise will result in symbol
+not found error during linking if SERIAL_CORE is not configured as builtin
+
+Fixes: 9aac5887595b ("tty/serial: add generic serial earlycon")
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20200828123949.2642-1-ztong0001@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
+index b788fee54249d..3628d37773034 100644
+--- a/drivers/tty/serial/Kconfig
++++ b/drivers/tty/serial/Kconfig
+@@ -9,6 +9,7 @@ menu "Serial drivers"
+
+ config SERIAL_EARLYCON
+ bool
++ depends on SERIAL_CORE
+ help
+ Support for early consoles with the earlycon parameter. This enables
+ the console before standard serial driver is probed. The console is
+--
+2.25.1
+
--- /dev/null
+From d875e284d38bea0ec1af73174c0ef05e2ee396d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 12:14:03 +0200
+Subject: udf: Avoid accessing uninitialized data on failed inode read
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ]
+
+When we fail to read inode, some data accessed in udf_evict_inode() may
+be uninitialized. Move the accesses to !is_bad_inode() branch.
+
+Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/inode.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 3c1b54091d6cc..dd57bd446340c 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -132,21 +132,24 @@ void udf_evict_inode(struct inode *inode)
+ struct udf_inode_info *iinfo = UDF_I(inode);
+ int want_delete = 0;
+
+- if (!inode->i_nlink && !is_bad_inode(inode)) {
+- want_delete = 1;
+- udf_setsize(inode, 0);
+- udf_update_inode(inode, IS_SYNC(inode));
++ if (!is_bad_inode(inode)) {
++ if (!inode->i_nlink) {
++ want_delete = 1;
++ udf_setsize(inode, 0);
++ udf_update_inode(inode, IS_SYNC(inode));
++ }
++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
++ inode->i_size != iinfo->i_lenExtents) {
++ udf_warn(inode->i_sb,
++ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
++ inode->i_ino, inode->i_mode,
++ (unsigned long long)inode->i_size,
++ (unsigned long long)iinfo->i_lenExtents);
++ }
+ }
+ truncate_inode_pages_final(&inode->i_data);
+ invalidate_inode_buffers(inode);
+ clear_inode(inode);
+- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
+- inode->i_size != iinfo->i_lenExtents) {
+- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
+- inode->i_ino, inode->i_mode,
+- (unsigned long long)inode->i_size,
+- (unsigned long long)iinfo->i_lenExtents);
+- }
+ kfree(iinfo->i_ext.i_data);
+ iinfo->i_ext.i_data = NULL;
+ udf_clear_extent_cache(inode);
+--
+2.25.1
+
--- /dev/null
+From 4ead2f989ea94a67802695552a94f793081592d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:53:08 +0200
+Subject: udf: Limit sparing table size
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 44ac6b829c4e173fdf6df18e6dd86aecf9a3dc99 ]
+
+Although UDF standard allows it, we don't support sparing table larger
+than a single block. Check it during mount so that we don't try to
+access memory beyond end of buffer.
+
+Reported-by: syzbot+9991561e714f597095da@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 51de27685e185..2b8147ecd97fb 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1385,6 +1385,12 @@ static int udf_load_sparable_map(struct super_block *sb,
+ (int)spm->numSparingTables);
+ return -EIO;
+ }
++ if (le32_to_cpu(spm->sizeSparingTable) > sb->s_blocksize) {
++ udf_err(sb, "error loading logical volume descriptor: "
++ "Too big sparing table size (%u)\n",
++ le32_to_cpu(spm->sizeSparingTable));
++ return -EIO;
++ }
+
+ for (i = 0; i < spm->numSparingTables; i++) {
+ loc = le32_to_cpu(spm->locSparingTable[i]);
+--
+2.25.1
+
--- /dev/null
+From 774499d7ad56f0978abbaa3e288108786ac472b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 15:59:49 +0200
+Subject: USB: cdc-acm: handle broken union descriptors
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 960c7339de27c6d6fec13b54880501c3576bb08d ]
+
+Handle broken union functional descriptors where the master-interface
+doesn't exist or where its class is of neither Communication or Data
+type (as required by the specification) by falling back to
+"combined-interface" probing.
+
+Note that this still allows for handling union descriptors with switched
+interfaces.
+
+This specifically makes the Whistler radio scanners TRX series devices
+work with the driver without adding further quirks to the device-id
+table.
+
+Reported-by: Daniel Caujolle-Bert <f1rmb.daniel@gmail.com>
+Tested-by: Daniel Caujolle-Bert <f1rmb.daniel@gmail.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20200921135951.24045-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/class/cdc-acm.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index b3e4b014a1cc0..dff9860213624 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1287,9 +1287,21 @@ static int acm_probe(struct usb_interface *intf,
+ }
+ }
+ } else {
++ int class = -1;
++
+ data_intf_num = union_header->bSlaveInterface0;
+ control_interface = usb_ifnum_to_if(usb_dev, union_header->bMasterInterface0);
+ data_interface = usb_ifnum_to_if(usb_dev, data_intf_num);
++
++ if (control_interface)
++ class = control_interface->cur_altsetting->desc.bInterfaceClass;
++
++ if (class != USB_CLASS_COMM && class != USB_CLASS_CDC_DATA) {
++ dev_dbg(&intf->dev, "Broken union descriptor, assuming single interface\n");
++ combined_interfaces = 1;
++ control_interface = data_interface = intf;
++ goto look_for_collapsed_interface;
++ }
+ }
+
+ if (!control_interface || !data_interface) {
+--
+2.25.1
+
--- /dev/null
+From 0afda785b577c1bf48852b147fbe452085c37cb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jul 2020 08:46:50 +0300
+Subject: usb: core: Solve race condition in anchor cleanup functions
+
+From: Eli Billauer <eli.billauer@gmail.com>
+
+[ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ]
+
+usb_kill_anchored_urbs() is commonly used to cancel all URBs on an
+anchor just before releasing resources which the URBs rely on. By doing
+so, users of this function rely on that no completer callbacks will take
+place from any URB on the anchor after it returns.
+
+However if this function is called in parallel with __usb_hcd_giveback_urb
+processing a URB on the anchor, the latter may call the completer
+callback after usb_kill_anchored_urbs() returns. This can lead to a
+kernel panic due to use after release of memory in interrupt context.
+
+The race condition is that __usb_hcd_giveback_urb() first unanchors the URB
+and then makes the completer callback. Such URB is hence invisible to
+usb_kill_anchored_urbs(), allowing it to return before the completer has
+been called, since the anchor's urb_list is empty.
+
+Even worse, if the racing completer callback resubmits the URB, it may
+remain in the system long after usb_kill_anchored_urbs() returns.
+
+Hence list_empty(&anchor->urb_list), which is used in the existing
+while-loop, doesn't reliably ensure that all URBs of the anchor are gone.
+
+A similar problem exists with usb_poison_anchored_urbs() and
+usb_scuttle_anchored_urbs().
+
+This patch adds an external do-while loop, which ensures that all URBs
+are indeed handled before these three functions return. This change has
+no effect at all unless the race condition occurs, in which case the
+loop will busy-wait until the racing completer callback has finished.
+This is a rare condition, so the CPU waste of this spinning is
+negligible.
+
+The additional do-while loop relies on usb_anchor_check_wakeup(), which
+returns true iff the anchor list is empty, and there is no
+__usb_hcd_giveback_urb() in the system that is in the middle of the
+unanchor-before-complete phase. The @suspend_wakeups member of
+struct usb_anchor is used for this purpose, which was introduced to solve
+another problem which the same race condition causes, in commit
+6ec4147e7bdb ("usb-anchor: Delay usb_wait_anchor_empty_timeout wake up
+till completion is done").
+
+The surely_empty variable is necessary, because usb_anchor_check_wakeup()
+must be called with the lock held to prevent races. However the spinlock
+must be released and reacquired if the outer loop spins with an empty
+URB list while waiting for the unanchor-before-complete passage to finish:
+The completer callback may very well attempt to take the very same lock.
+
+To summarize, using usb_anchor_check_wakeup() means that the patched
+functions can return only when the anchor's list is empty, and there is
+no invisible URB being processed. Since the inner while loop finishes on
+the empty list condition, the new do-while loop will terminate as well,
+except for when the said race condition occurs.
+
+Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20200731054650.30644-1-eli.billauer@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/urb.c | 89 +++++++++++++++++++++++++-----------------
+ 1 file changed, 54 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
+index 83bd48734af58..bd6ebc9d17c8c 100644
+--- a/drivers/usb/core/urb.c
++++ b/drivers/usb/core/urb.c
+@@ -767,11 +767,12 @@ void usb_block_urb(struct urb *urb)
+ EXPORT_SYMBOL_GPL(usb_block_urb);
+
+ /**
+- * usb_kill_anchored_urbs - cancel transfer requests en masse
++ * usb_kill_anchored_urbs - kill all URBs associated with an anchor
+ * @anchor: anchor the requests are bound to
+ *
+- * this allows all outstanding URBs to be killed starting
+- * from the back of the queue
++ * This kills all outstanding URBs starting from the back of the queue,
++ * with guarantee that no completer callbacks will take place from the
++ * anchor after this function returns.
+ *
+ * This routine should not be called by a driver after its disconnect
+ * method has returned.
+@@ -779,20 +780,26 @@ EXPORT_SYMBOL_GPL(usb_block_urb);
+ void usb_kill_anchored_urbs(struct usb_anchor *anchor)
+ {
+ struct urb *victim;
++ int surely_empty;
+
+- spin_lock_irq(&anchor->lock);
+- while (!list_empty(&anchor->urb_list)) {
+- victim = list_entry(anchor->urb_list.prev, struct urb,
+- anchor_list);
+- /* we must make sure the URB isn't freed before we kill it*/
+- usb_get_urb(victim);
+- spin_unlock_irq(&anchor->lock);
+- /* this will unanchor the URB */
+- usb_kill_urb(victim);
+- usb_put_urb(victim);
++ do {
+ spin_lock_irq(&anchor->lock);
+- }
+- spin_unlock_irq(&anchor->lock);
++ while (!list_empty(&anchor->urb_list)) {
++ victim = list_entry(anchor->urb_list.prev,
++ struct urb, anchor_list);
++ /* make sure the URB isn't freed before we kill it */
++ usb_get_urb(victim);
++ spin_unlock_irq(&anchor->lock);
++ /* this will unanchor the URB */
++ usb_kill_urb(victim);
++ usb_put_urb(victim);
++ spin_lock_irq(&anchor->lock);
++ }
++ surely_empty = usb_anchor_check_wakeup(anchor);
++
++ spin_unlock_irq(&anchor->lock);
++ cpu_relax();
++ } while (!surely_empty);
+ }
+ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs);
+
+@@ -811,21 +818,27 @@ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs);
+ void usb_poison_anchored_urbs(struct usb_anchor *anchor)
+ {
+ struct urb *victim;
++ int surely_empty;
+
+- spin_lock_irq(&anchor->lock);
+- anchor->poisoned = 1;
+- while (!list_empty(&anchor->urb_list)) {
+- victim = list_entry(anchor->urb_list.prev, struct urb,
+- anchor_list);
+- /* we must make sure the URB isn't freed before we kill it*/
+- usb_get_urb(victim);
+- spin_unlock_irq(&anchor->lock);
+- /* this will unanchor the URB */
+- usb_poison_urb(victim);
+- usb_put_urb(victim);
++ do {
+ spin_lock_irq(&anchor->lock);
+- }
+- spin_unlock_irq(&anchor->lock);
++ anchor->poisoned = 1;
++ while (!list_empty(&anchor->urb_list)) {
++ victim = list_entry(anchor->urb_list.prev,
++ struct urb, anchor_list);
++ /* make sure the URB isn't freed before we kill it */
++ usb_get_urb(victim);
++ spin_unlock_irq(&anchor->lock);
++ /* this will unanchor the URB */
++ usb_poison_urb(victim);
++ usb_put_urb(victim);
++ spin_lock_irq(&anchor->lock);
++ }
++ surely_empty = usb_anchor_check_wakeup(anchor);
++
++ spin_unlock_irq(&anchor->lock);
++ cpu_relax();
++ } while (!surely_empty);
+ }
+ EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs);
+
+@@ -965,14 +978,20 @@ void usb_scuttle_anchored_urbs(struct usb_anchor *anchor)
+ {
+ struct urb *victim;
+ unsigned long flags;
++ int surely_empty;
++
++ do {
++ spin_lock_irqsave(&anchor->lock, flags);
++ while (!list_empty(&anchor->urb_list)) {
++ victim = list_entry(anchor->urb_list.prev,
++ struct urb, anchor_list);
++ __usb_unanchor_urb(victim, anchor);
++ }
++ surely_empty = usb_anchor_check_wakeup(anchor);
+
+- spin_lock_irqsave(&anchor->lock, flags);
+- while (!list_empty(&anchor->urb_list)) {
+- victim = list_entry(anchor->urb_list.prev, struct urb,
+- anchor_list);
+- __usb_unanchor_urb(victim, anchor);
+- }
+- spin_unlock_irqrestore(&anchor->lock, flags);
++ spin_unlock_irqrestore(&anchor->lock, flags);
++ cpu_relax();
++ } while (!surely_empty);
+ }
+
+ EXPORT_SYMBOL_GPL(usb_scuttle_anchored_urbs);
+--
+2.25.1
+
--- /dev/null
+From 268205cdac21e3b72ff677987398aa9c602d5653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 18:08:39 +0400
+Subject: usb: dwc2: Fix INTR OUT transfers in DDMA mode.
+
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+
+[ Upstream commit b2c586eb07efab982419f32b7c3bd96829bc8bcd ]
+
+In DDMA mode if INTR OUT transfers mps not multiple of 4 then single packet
+corresponds to single descriptor.
+
+Descriptor limit set to mps and desc chain limit set to mps *
+MAX_DMA_DESC_NUM_GENERIC. On that descriptors complete, to calculate
+transfer size should be considered correction value for each descriptor.
+
+In start request function, if "continue" is true then dma buffer address
+should be incremmented by offset for all type of transfers, not only for
+Control DATA_OUT transfers.
+
+Fixes: cf77b5fb9b394 ("usb: dwc2: gadget: Transfer length limit checking for DDMA")
+Fixes: e02f9aa6119e0 ("usb: dwc2: gadget: EP 0 specific DDMA programming")
+Fixes: aa3e8bc81311e ("usb: dwc2: gadget: DDMA transfer start and complete")
+
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/gadget.c | 40 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
+index 03bc479d04e0d..d2d4067a1a5f4 100644
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -704,8 +704,11 @@ static u32 dwc2_hsotg_read_frameno(struct dwc2_hsotg *hsotg)
+ */
+ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep)
+ {
++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc;
+ int is_isoc = hs_ep->isochronous;
+ unsigned int maxsize;
++ u32 mps = hs_ep->ep.maxpacket;
++ int dir_in = hs_ep->dir_in;
+
+ if (is_isoc)
+ maxsize = hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT :
+@@ -716,6 +719,11 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep)
+ /* Above size of one descriptor was chosen, multiple it */
+ maxsize *= MAX_DMA_DESC_NUM_GENERIC;
+
++ /* Interrupt OUT EP with mps not multiple of 4 */
++ if (hs_ep->index)
++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4))
++ maxsize = mps * MAX_DMA_DESC_NUM_GENERIC;
++
+ return maxsize;
+ }
+
+@@ -731,11 +739,14 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep)
+ * Isochronous - descriptor rx/tx bytes bitfield limit,
+ * Control In/Bulk/Interrupt - multiple of mps. This will allow to not
+ * have concatenations from various descriptors within one packet.
++ * Interrupt OUT - if mps not multiple of 4 then a single packet corresponds
++ * to a single descriptor.
+ *
+ * Selects corresponding mask for RX/TX bytes as well.
+ */
+ static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask)
+ {
++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc;
+ u32 mps = hs_ep->ep.maxpacket;
+ int dir_in = hs_ep->dir_in;
+ u32 desc_size = 0;
+@@ -759,6 +770,13 @@ static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask)
+ desc_size -= desc_size % mps;
+ }
+
++ /* Interrupt OUT EP with mps not multiple of 4 */
++ if (hs_ep->index)
++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) {
++ desc_size = mps;
++ *mask = DEV_DMA_NBYTES_MASK;
++ }
++
+ return desc_size;
+ }
+
+@@ -1094,13 +1112,7 @@ static void dwc2_hsotg_start_req(struct dwc2_hsotg *hsotg,
+ length += (mps - (length % mps));
+ }
+
+- /*
+- * If more data to send, adjust DMA for EP0 out data stage.
+- * ureq->dma stays unchanged, hence increment it by already
+- * passed passed data count before starting new transaction.
+- */
+- if (!index && hsotg->ep0_state == DWC2_EP0_DATA_OUT &&
+- continuing)
++ if (continuing)
+ offset = ureq->actual;
+
+ /* Fill DDMA chain entries */
+@@ -2260,22 +2272,36 @@ static void dwc2_hsotg_change_ep_iso_parity(struct dwc2_hsotg *hsotg,
+ */
+ static unsigned int dwc2_gadget_get_xfersize_ddma(struct dwc2_hsotg_ep *hs_ep)
+ {
++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc;
+ struct dwc2_hsotg *hsotg = hs_ep->parent;
+ unsigned int bytes_rem = 0;
++ unsigned int bytes_rem_correction = 0;
+ struct dwc2_dma_desc *desc = hs_ep->desc_list;
+ int i;
+ u32 status;
++ u32 mps = hs_ep->ep.maxpacket;
++ int dir_in = hs_ep->dir_in;
+
+ if (!desc)
+ return -EINVAL;
+
++ /* Interrupt OUT EP with mps not multiple of 4 */
++ if (hs_ep->index)
++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4))
++ bytes_rem_correction = 4 - (mps % 4);
++
+ for (i = 0; i < hs_ep->desc_count; ++i) {
+ status = desc->status;
+ bytes_rem += status & DEV_DMA_NBYTES_MASK;
++ bytes_rem -= bytes_rem_correction;
+
+ if (status & DEV_DMA_STS_MASK)
+ dev_err(hsotg->dev, "descriptor %d closed with %x\n",
+ i, status & DEV_DMA_STS_MASK);
++
++ if (status & DEV_DMA_L)
++ break;
++
+ desc++;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From fc1a1139045151420d1ac6a37046794a72a68439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 23:03:54 -0700
+Subject: usb: dwc2: Fix parameter type in function pointer prototype
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 362b9398c962c9ec563653444e15ef9032ef3a90 ]
+
+When booting up on a Raspberry Pi 4 with Control Flow Integrity checking
+enabled, the following warning/panic happens:
+
+[ 1.626435] CFI failure (target: dwc2_set_bcm_params+0x0/0x4):
+[ 1.632408] WARNING: CPU: 0 PID: 32 at kernel/cfi.c:30 __cfi_check_fail+0x54/0x5c
+[ 1.640021] Modules linked in:
+[ 1.643137] CPU: 0 PID: 32 Comm: kworker/0:1 Not tainted 5.8.0-rc6-next-20200724-00051-g89ba619726de #1
+[ 1.652693] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
+[ 1.658637] Workqueue: events deferred_probe_work_func
+[ 1.663870] pstate: 60000005 (nZCv daif -PAN -UAO BTYPE=--)
+[ 1.669542] pc : __cfi_check_fail+0x54/0x5c
+[ 1.673798] lr : __cfi_check_fail+0x54/0x5c
+[ 1.678050] sp : ffff8000102bbaa0
+[ 1.681419] x29: ffff8000102bbaa0 x28: ffffab09e21c7000
+[ 1.686829] x27: 0000000000000402 x26: ffff0000f6e7c228
+[ 1.692238] x25: 00000000fb7cdb0d x24: 0000000000000005
+[ 1.697647] x23: ffffab09e2515000 x22: ffffab09e069a000
+[ 1.703055] x21: 4c550309df1cf4c1 x20: ffffab09e2433c60
+[ 1.708462] x19: ffffab09e160dc50 x18: ffff0000f6e8cc78
+[ 1.713870] x17: 0000000000000041 x16: ffffab09e0bce6f8
+[ 1.719278] x15: ffffab09e1c819b7 x14: 0000000000000003
+[ 1.724686] x13: 00000000ffffefff x12: 0000000000000000
+[ 1.730094] x11: 0000000000000000 x10: 00000000ffffffff
+[ 1.735501] x9 : c932f7abfc4bc600 x8 : c932f7abfc4bc600
+[ 1.740910] x7 : 077207610770075f x6 : ffff0000f6c38f00
+[ 1.746317] x5 : 0000000000000000 x4 : 0000000000000000
+[ 1.751723] x3 : 0000000000000000 x2 : 0000000000000000
+[ 1.757129] x1 : ffff8000102bb7d8 x0 : 0000000000000032
+[ 1.762539] Call trace:
+[ 1.765030] __cfi_check_fail+0x54/0x5c
+[ 1.768938] __cfi_check+0x5fa6c/0x66afc
+[ 1.772932] dwc2_init_params+0xd74/0xd78
+[ 1.777012] dwc2_driver_probe+0x484/0x6ec
+[ 1.781180] platform_drv_probe+0xb4/0x100
+[ 1.785350] really_probe+0x228/0x63c
+[ 1.789076] driver_probe_device+0x80/0xc0
+[ 1.793247] __device_attach_driver+0x114/0x160
+[ 1.797857] bus_for_each_drv+0xa8/0x128
+[ 1.801851] __device_attach.llvm.14901095709067289134+0xc0/0x170
+[ 1.808050] bus_probe_device+0x44/0x100
+[ 1.812044] deferred_probe_work_func+0x78/0xb8
+[ 1.816656] process_one_work+0x204/0x3c4
+[ 1.820736] worker_thread+0x2f0/0x4c4
+[ 1.824552] kthread+0x174/0x184
+[ 1.827837] ret_from_fork+0x10/0x18
+
+CFI validates that all indirect calls go to a function with the same
+exact function pointer prototype. In this case, dwc2_set_bcm_params
+is the target, which has a parameter of type 'struct dwc2_hsotg *',
+but it is being implicitly cast to have a parameter of type 'void *'
+because that is the set_params function pointer prototype. Make the
+function pointer protoype match the definitions so that there is no
+more violation.
+
+Fixes: 7de1debcd2de ("usb: dwc2: Remove platform static params")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1107
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/params.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c
+index a3ffe97170ffd..cf6ff8bfd7f61 100644
+--- a/drivers/usb/dwc2/params.c
++++ b/drivers/usb/dwc2/params.c
+@@ -711,7 +711,7 @@ int dwc2_get_hwparams(struct dwc2_hsotg *hsotg)
+ int dwc2_init_params(struct dwc2_hsotg *hsotg)
+ {
+ const struct of_device_id *match;
+- void (*set_params)(void *data);
++ void (*set_params)(struct dwc2_hsotg *data);
+
+ dwc2_set_default_params(hsotg);
+ dwc2_get_device_properties(hsotg);
+--
+2.25.1
+
--- /dev/null
+From 70addae2b7b26d952ce0c2b400240f0a648cf24d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 14:55:03 +0900
+Subject: usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lorenzo Colitti <lorenzo@google.com>
+
+[ Upstream commit 986499b1569af980a819817f17238015b27793f6 ]
+
+Currently, SuperSpeed NCM gadgets report a speed of 851 Mbps
+in USB_CDC_NOTIFY_SPEED_CHANGE. But the calculation appears to
+assume 16 packets per microframe, and USB 3 and above no longer
+use microframes.
+
+Maximum speed is actually much higher. On a direct connection,
+theoretical throughput is at most 3.86 Gbps for gen1x1 and
+9.36 Gbps for gen2x1, and I have seen gadget->host iperf
+throughput of >2 Gbps for gen1x1 and >4 Gbps for gen2x1.
+
+Unfortunately the ConnectionSpeedChange defined in the CDC spec
+only uses 32-bit values, so we can't report accurate numbers for
+10Gbps and above. So, report 3.75Gbps for SuperSpeed (which is
+roughly maximum theoretical performance) and 4.25Gbps for
+SuperSpeed Plus (which is close to the maximum that we can report
+in a 32-bit unsigned integer).
+
+This results in:
+
+[50879.191272] cdc_ncm 2-2:1.0 enx228b127e050c: renamed from usb0
+[50879.234778] cdc_ncm 2-2:1.0 enx228b127e050c: 3750 mbit/s downlink 3750 mbit/s uplink
+
+on SuperSpeed and:
+
+[50798.434527] cdc_ncm 8-2:1.0 enx228b127e050c: renamed from usb0
+[50798.524278] cdc_ncm 8-2:1.0 enx228b127e050c: 4250 mbit/s downlink 4250 mbit/s uplink
+
+on SuperSpeed Plus.
+
+Fixes: 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors for CDC NCM")
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_ncm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
+index f62cdf1238d77..fbf15ab700f49 100644
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -92,8 +92,10 @@ static inline struct f_ncm *func_to_ncm(struct usb_function *f)
+ /* peak (theoretical) bulk transfer rate in bits-per-second */
+ static inline unsigned ncm_bitrate(struct usb_gadget *g)
+ {
+- if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER)
+- return 13 * 1024 * 8 * 1000 * 8;
++ if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS)
++ return 4250000000U;
++ else if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER)
++ return 3750000000U;
+ else if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH)
+ return 13 * 512 * 8 * 1000 * 8;
+ else
+--
+2.25.1
+
--- /dev/null
+From 7964031feffac6a970eec42bffb54b0494783913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 11:05:33 +0800
+Subject: usb: gadget: function: printer: fix use-after-free in __lock_acquire
+
+From: Zqiang <qiang.zhang@windriver.com>
+
+[ Upstream commit e8d5f92b8d30bb4ade76494490c3c065e12411b1 ]
+
+Fix this by increase object reference count.
+
+BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180
+kernel/locking/lockdep.c:3831
+Read of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377
+
+CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
+ __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:641
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
+ __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831
+ lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
+ printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ ksys_ioctl+0xfb/0x130 fs/ioctl.c:763
+ __do_sys_ioctl fs/ioctl.c:772 [inline]
+ __se_sys_ioctl fs/ioctl.c:770 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4531a9
+Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48
+89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
+01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9
+RDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003
+RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61
+R13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff
+
+Allocated by task 2393:
+ save_stack+0x21/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
+ kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813
+ kmalloc include/linux/slab.h:555 [inline]
+ kzalloc include/linux/slab.h:669 [inline]
+ gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416
+ usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
+ config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444
+ configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202
+ vfs_symlink+0x33d/0x5b0 fs/namei.c:4201
+ do_symlinkat+0x11b/0x1d0 fs/namei.c:4228
+ __do_sys_symlinkat fs/namei.c:4242 [inline]
+ __se_sys_symlinkat fs/namei.c:4239 [inline]
+ __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 3368:
+ save_stack+0x21/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ kasan_set_free_info mm/kasan/common.c:337 [inline]
+ __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
+ slab_free_hook mm/slub.c:1444 [inline]
+ slab_free_freelist_hook mm/slub.c:1477 [inline]
+ slab_free mm/slub.c:3034 [inline]
+ kfree+0xf7/0x410 mm/slub.c:3995
+ gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353
+ usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
+ config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485
+ configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250
+ vfs_unlink+0x287/0x570 fs/namei.c:4073
+ do_unlinkat+0x4f9/0x620 fs/namei.c:4137
+ __do_sys_unlink fs/namei.c:4184 [inline]
+ __se_sys_unlink fs/namei.c:4182 [inline]
+ __x64_sys_unlink+0x42/0x50 fs/namei.c:4182
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8880683b0000
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 24 bytes inside of
+ 1024-byte region [ffff8880683b0000, ffff8880683b0400)
+The buggy address belongs to the page:
+page:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300
+index:0xffff8880683b1800 compound_mapcount: 0
+flags: 0x100000000010200(slab|head)
+raw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300
+raw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Signed-off-by: Zqiang <qiang.zhang@windriver.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_printer.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
+index e6d4fa5eeff10..b2b43a5518786 100644
+--- a/drivers/usb/gadget/function/f_printer.c
++++ b/drivers/usb/gadget/function/f_printer.c
+@@ -35,6 +35,7 @@
+ #include <linux/types.h>
+ #include <linux/ctype.h>
+ #include <linux/cdev.h>
++#include <linux/kref.h>
+
+ #include <asm/byteorder.h>
+ #include <linux/io.h>
+@@ -68,7 +69,7 @@ struct printer_dev {
+ struct usb_gadget *gadget;
+ s8 interface;
+ struct usb_ep *in_ep, *out_ep;
+-
++ struct kref kref;
+ struct list_head rx_reqs; /* List of free RX structs */
+ struct list_head rx_reqs_active; /* List of Active RX xfers */
+ struct list_head rx_buffers; /* List of completed xfers */
+@@ -222,6 +223,13 @@ static inline struct usb_endpoint_descriptor *ep_desc(struct usb_gadget *gadget,
+
+ /*-------------------------------------------------------------------------*/
+
++static void printer_dev_free(struct kref *kref)
++{
++ struct printer_dev *dev = container_of(kref, struct printer_dev, kref);
++
++ kfree(dev);
++}
++
+ static struct usb_request *
+ printer_req_alloc(struct usb_ep *ep, unsigned len, gfp_t gfp_flags)
+ {
+@@ -352,6 +360,7 @@ printer_open(struct inode *inode, struct file *fd)
+
+ spin_unlock_irqrestore(&dev->lock, flags);
+
++ kref_get(&dev->kref);
+ DBG(dev, "printer_open returned %x\n", ret);
+ return ret;
+ }
+@@ -369,6 +378,7 @@ printer_close(struct inode *inode, struct file *fd)
+ dev->printer_status &= ~PRINTER_SELECTED;
+ spin_unlock_irqrestore(&dev->lock, flags);
+
++ kref_put(&dev->kref, printer_dev_free);
+ DBG(dev, "printer_close\n");
+
+ return 0;
+@@ -1354,7 +1364,8 @@ static void gprinter_free(struct usb_function *f)
+ struct f_printer_opts *opts;
+
+ opts = container_of(f->fi, struct f_printer_opts, func_inst);
+- kfree(dev);
++
++ kref_put(&dev->kref, printer_dev_free);
+ mutex_lock(&opts->lock);
+ --opts->refcnt;
+ mutex_unlock(&opts->lock);
+@@ -1423,6 +1434,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi)
+ return ERR_PTR(-ENOMEM);
+ }
+
++ kref_init(&dev->kref);
+ ++opts->refcnt;
+ dev->minor = opts->minor;
+ dev->pnp_string = opts->pnp_string;
+--
+2.25.1
+
--- /dev/null
+From 20bbb93ed3ccbebfe861f9273a144009d5863f16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 01:19:49 +0900
+Subject: usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lorenzo Colitti <lorenzo@google.com>
+
+[ Upstream commit 4eea21dc67b0c6ba15ae41b1defa113a680a858e ]
+
+The u_ether driver has a qmult setting that multiplies the
+transmit queue length (which by default is 2).
+
+The intent is that it should be enabled at high/super speed, but
+because the code does not explicitly check for USB_SUPER_PLUS,
+it is disabled at that speed.
+
+Fix this by ensuring that the queue multiplier is enabled for any
+wired link at high speed or above. Using >= for USB_SPEED_*
+constants seems correct because it is what the gadget_is_xxxspeed
+functions do.
+
+The queue multiplier substantially helps performance at higher
+speeds. On a direct SuperSpeed Plus link to a Linux laptop,
+iperf3 single TCP stream:
+
+Before (qmult=1): 1.3 Gbps
+After (qmult=5): 3.2 Gbps
+
+Fixes: 04617db7aa68 ("usb: gadget: add SS descriptors to Ethernet gadget")
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
+index 81d84e0c3c6cd..716edd593a994 100644
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -97,7 +97,7 @@ struct eth_dev {
+ static inline int qlen(struct usb_gadget *gadget, unsigned qmult)
+ {
+ if (gadget_is_dualspeed(gadget) && (gadget->speed == USB_SPEED_HIGH ||
+- gadget->speed == USB_SPEED_SUPER))
++ gadget->speed >= USB_SPEED_SUPER))
+ return qmult * DEFAULT_QLEN;
+ else
+ return DEFAULT_QLEN;
+--
+2.25.1
+
--- /dev/null
+From c0cc93804282880081ee1cc24f0e74ea2a7dc3a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 09:25:11 +1200
+Subject: usb: ohci: Default to per-port over-current protection
+
+From: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+
+[ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ]
+
+Some integrated OHCI controller hubs do not expose all ports of the hub
+to pins on the SoC. In some cases the unconnected ports generate
+spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC
+contains a nominally 3 port hub but only the first port is wired.
+
+Default behaviour for ohci-platform driver is to use global over-current
+protection mode (AKA "ganged"). This leads to the spurious over-current
+events affecting all ports in the hub.
+
+We now alter the default to use per-port over-current protection.
+
+This patch results in the following configuration changes depending
+on quirks:
+- For quirk OHCI_QUIRK_SUPERIO no changes. These systems remain set up
+ for ganged power switching and no over-current protection.
+- For quirk OHCI_QUIRK_AMD756 or OHCI_QUIRK_HUB_POWER power switching
+ remains at none, while over-current protection is now guaranteed to be
+ set to per-port rather than the previous behaviour where it was either
+ none or global over-current protection depending on the value at
+ function entry.
+
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20200910212512.16670-1-hamish.martin@alliedtelesis.co.nz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ohci-hcd.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
+index 4ea1530257e27..dfc24be376002 100644
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -665,20 +665,24 @@ static int ohci_run (struct ohci_hcd *ohci)
+
+ /* handle root hub init quirks ... */
+ val = roothub_a (ohci);
+- val &= ~(RH_A_PSM | RH_A_OCPM);
++ /* Configure for per-port over-current protection by default */
++ val &= ~RH_A_NOCP;
++ val |= RH_A_OCPM;
+ if (ohci->flags & OHCI_QUIRK_SUPERIO) {
+- /* NSC 87560 and maybe others */
++ /* NSC 87560 and maybe others.
++ * Ganged power switching, no over-current protection.
++ */
+ val |= RH_A_NOCP;
+- val &= ~(RH_A_POTPGT | RH_A_NPS);
+- ohci_writel (ohci, val, &ohci->regs->roothub.a);
++ val &= ~(RH_A_POTPGT | RH_A_NPS | RH_A_PSM | RH_A_OCPM);
+ } else if ((ohci->flags & OHCI_QUIRK_AMD756) ||
+ (ohci->flags & OHCI_QUIRK_HUB_POWER)) {
+ /* hub power always on; required for AMD-756 and some
+- * Mac platforms. ganged overcurrent reporting, if any.
++ * Mac platforms.
+ */
+ val |= RH_A_NPS;
+- ohci_writel (ohci, val, &ohci->regs->roothub.a);
+ }
++ ohci_writel(ohci, val, &ohci->regs->roothub.a);
++
+ ohci_writel (ohci, RH_HS_LPSC, &ohci->regs->roothub.status);
+ ohci_writel (ohci, (val & RH_A_NPS) ? 0 : RH_B_PPCM,
+ &ohci->regs->roothub.b);
+--
+2.25.1
+
--- /dev/null
+From 9b1924038cb82df6fc7b450716e62ddf12852ae4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Oct 2020 17:35:58 +0800
+Subject: vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages
+
+From: Xiaoyang Xu <xuxiaoyang2@huawei.com>
+
+[ Upstream commit 2e6cfd496f5b57034cf2aec738799571b5a52124 ]
+
+pfn is not added to pfn_list when vfio_add_to_pfn_list fails.
+vfio_unpin_page_external will exit directly without calling
+vfio_iova_put_vfio_pfn. This will lead to a memory leak.
+
+Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices")
+Signed-off-by: Xiaoyang Xu <xuxiaoyang2@huawei.com>
+[aw: simplified logic, add Fixes]
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 9c8ed9d7f9aa5..bfbe5236239bd 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -629,7 +629,8 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data,
+
+ ret = vfio_add_to_pfn_list(dma, iova, phys_pfn[i]);
+ if (ret) {
+- vfio_unpin_page_external(dma, iova, do_accounting);
++ if (put_pfn(phys_pfn[i], dma->prot) && do_accounting)
++ vfio_lock_acct(dma, -1, true);
+ goto pin_unwind;
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From ffd8fd7c43da46fa07fcd10a08537db748d22d4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Oct 2020 07:13:55 -0600
+Subject: vfio/pci: Clear token on bypass registration failure
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit 852b1beecb6ff9326f7ca4bc0fe69ae860ebdb9e ]
+
+The eventfd context is used as our irqbypass token, therefore if an
+eventfd is re-used, our token is the same. The irqbypass code will
+return an -EBUSY in this case, but we'll still attempt to unregister
+the producer, where if that duplicate token still exists, results in
+removing the wrong object. Clear the token of failed producers so
+that they harmlessly fall out when unregistered.
+
+Fixes: 6d7425f109d2 ("vfio: Register/unregister irq_bypass_producer")
+Reported-by: guomin chen <guomin_chen@sina.com>
+Tested-by: guomin chen <guomin_chen@sina.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_intrs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
+index bdfdd506bc588..c989f777bf771 100644
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -355,11 +355,13 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
+ vdev->ctx[vector].producer.token = trigger;
+ vdev->ctx[vector].producer.irq = irq;
+ ret = irq_bypass_register_producer(&vdev->ctx[vector].producer);
+- if (unlikely(ret))
++ if (unlikely(ret)) {
+ dev_info(&pdev->dev,
+ "irq bypass producer (token %p) registration fails: %d\n",
+ vdev->ctx[vector].producer.token, ret);
+
++ vdev->ctx[vector].producer.token = NULL;
++ }
+ vdev->ctx[vector].trigger = trigger;
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 50f4410d69780caa364222e5adfeaed19706dcdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 07:52:08 -0700
+Subject: video: fbdev: sis: fix null ptr dereference
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit ad6f93e9cd56f0b10e9b22e3e137d17a1a035242 ]
+
+Clang static analysis reports this representative error
+
+init.c:2501:18: warning: Array access (from variable 'queuedata') results
+ in a null pointer dereference
+ templ |= ((queuedata[i] & 0xc0) << 3);
+
+This is the problem block of code
+
+ if(ModeNo > 0x13) {
+ ...
+ if(SiS_Pr->ChipType == SIS_730) {
+ queuedata = &FQBQData730[0];
+ } else {
+ queuedata = &FQBQData[0];
+ }
+ } else {
+
+ }
+
+queuedata is not set in the else block
+
+Reviewing the old code, the arrays FQBQData730 and FQBQData were
+used directly.
+
+So hoist the setting of queuedata out of the if-else block.
+
+Fixes: 544393fe584d ("[PATCH] sisfb update")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Cc: Thomas Winischhofer <thomas@winischhofer.net>
+Cc: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200805145208.17727-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sis/init.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c
+index dfe3eb769638b..fde27feae5d0c 100644
+--- a/drivers/video/fbdev/sis/init.c
++++ b/drivers/video/fbdev/sis/init.c
+@@ -2428,6 +2428,11 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo,
+
+ i = 0;
+
++ if (SiS_Pr->ChipType == SIS_730)
++ queuedata = &FQBQData730[0];
++ else
++ queuedata = &FQBQData[0];
++
+ if(ModeNo > 0x13) {
+
+ /* Get VCLK */
+@@ -2445,12 +2450,6 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo,
+ /* Get half colordepth */
+ colorth = colortharray[(SiS_Pr->SiS_ModeType - ModeEGA)];
+
+- if(SiS_Pr->ChipType == SIS_730) {
+- queuedata = &FQBQData730[0];
+- } else {
+- queuedata = &FQBQData[0];
+- }
+-
+ do {
+ templ = SiS_CalcDelay2(SiS_Pr, queuedata[i]) * VCLK * colorth;
+
+--
+2.25.1
+
--- /dev/null
+From 5f6c599ef06c342a23bcebc9192870b59e9db6ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 18:02:27 +0100
+Subject: video: fbdev: vga16fb: fix setting of pixclock because a
+ pass-by-value error
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c72fab81ceaa54408b827a2f0486d9a0f4be34cf ]
+
+The pixclock is being set locally because it is being passed as a
+pass-by-value argument rather than pass-by-reference, so the computed
+pixclock is never being set in var->pixclock. Fix this by passing
+by reference.
+
+[This dates back to 2002, I found the offending commit from the git
+history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git ]
+
+Addresses-Coverity: ("Unused value")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@intel.com>
+[b.zolnierkie: minor patch summary fixup]
+[b.zolnierkie: removed "Fixes:" tag (not in upstream tree)]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200723170227.996229-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/vga16fb.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
+index ee6957a799bb6..aea8fd85cbf70 100644
+--- a/drivers/video/fbdev/vga16fb.c
++++ b/drivers/video/fbdev/vga16fb.c
+@@ -243,7 +243,7 @@ static void vga16fb_update_fix(struct fb_info *info)
+ }
+
+ static void vga16fb_clock_chip(struct vga16fb_par *par,
+- unsigned int pixclock,
++ unsigned int *pixclock,
+ const struct fb_info *info,
+ int mul, int div)
+ {
+@@ -259,14 +259,14 @@ static void vga16fb_clock_chip(struct vga16fb_par *par,
+ { 0 /* bad */, 0x00, 0x00}};
+ int err;
+
+- pixclock = (pixclock * mul) / div;
++ *pixclock = (*pixclock * mul) / div;
+ best = vgaclocks;
+- err = pixclock - best->pixclock;
++ err = *pixclock - best->pixclock;
+ if (err < 0) err = -err;
+ for (ptr = vgaclocks + 1; ptr->pixclock; ptr++) {
+ int tmp;
+
+- tmp = pixclock - ptr->pixclock;
++ tmp = *pixclock - ptr->pixclock;
+ if (tmp < 0) tmp = -tmp;
+ if (tmp < err) {
+ err = tmp;
+@@ -275,7 +275,7 @@ static void vga16fb_clock_chip(struct vga16fb_par *par,
+ }
+ par->misc |= best->misc;
+ par->clkdiv = best->seq_clock_mode;
+- pixclock = (best->pixclock * div) / mul;
++ *pixclock = (best->pixclock * div) / mul;
+ }
+
+ #define FAIL(X) return -EINVAL
+@@ -497,10 +497,10 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var,
+
+ if (mode & MODE_8BPP)
+ /* pixel clock == vga clock / 2 */
+- vga16fb_clock_chip(par, var->pixclock, info, 1, 2);
++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 2);
+ else
+ /* pixel clock == vga clock */
+- vga16fb_clock_chip(par, var->pixclock, info, 1, 1);
++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 1);
+
+ var->red.offset = var->green.offset = var->blue.offset =
+ var->transp.offset = 0;
+--
+2.25.1
+
--- /dev/null
+From 9a797556af80141f073de5dfb51c872017cd57e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 17:45:18 +0100
+Subject: VMCI: check return value of get_user_pages_fast() for errors
+
+From: Alex Dewar <alex.dewar90@gmail.com>
+
+[ Upstream commit 90ca6333fd65f318c47bff425e1ea36c0a5539f6 ]
+
+In a couple of places in qp_host_get_user_memory(),
+get_user_pages_fast() is called without properly checking for errors. If
+e.g. -EFAULT is returned, this negative value will then be passed on to
+qp_release_pages(), which expects a u64 as input.
+
+Fix this by only calling qp_release_pages() when we have a positive
+number returned.
+
+Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
+Signed-off-by: Alex Dewar <alex.dewar90@gmail.com>
+Link: https://lore.kernel.org/r/20200825164522.412392-1-alex.dewar90@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+index b4570d5c1fe7d..d6210bf92c1f2 100644
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -758,8 +758,9 @@ static int qp_host_get_user_memory(u64 produce_uva,
+ if (retval < (int)produce_q->kernel_if->num_pages) {
+ pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
+ retval);
+- qp_release_pages(produce_q->kernel_if->u.h.header_page,
+- retval, false);
++ if (retval > 0)
++ qp_release_pages(produce_q->kernel_if->u.h.header_page,
++ retval, false);
+ err = VMCI_ERROR_NO_MEM;
+ goto out;
+ }
+@@ -770,8 +771,9 @@ static int qp_host_get_user_memory(u64 produce_uva,
+ if (retval < (int)consume_q->kernel_if->num_pages) {
+ pr_debug("get_user_pages_fast(consume) failed (retval=%d)",
+ retval);
+- qp_release_pages(consume_q->kernel_if->u.h.header_page,
+- retval, false);
++ if (retval > 0)
++ qp_release_pages(consume_q->kernel_if->u.h.header_page,
++ retval, false);
+ qp_release_pages(produce_q->kernel_if->u.h.header_page,
+ produce_q->kernel_if->num_pages, false);
+ err = VMCI_ERROR_NO_MEM;
+--
+2.25.1
+
--- /dev/null
+From 9cbdec24ff5eb4792704d66a8db23f182c6bef3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 01:48:24 +0100
+Subject: wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit 3b9fb6791e7113679b1eb472e6ce1659e80f5797 ]
+
+Qualcomm's document "80-WL007-1 Rev. J" states that the highest rx rate for
+the WCN3660 and WCN3680 on MCS 7 is 150 Mbps not the 72 Mbps stated here.
+
+This patch fixes the data-rate declared in the 5GHz table.
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680
+hardware")
+
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200802004824.1307124-1-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index 688152bcfc15c..2450f5f7f79f3 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -162,7 +162,7 @@ static struct ieee80211_supported_band wcn_band_5ghz = {
+ .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16,
+ .mcs = {
+ .rx_mask = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, },
+- .rx_highest = cpu_to_le16(72),
++ .rx_highest = cpu_to_le16(150),
+ .tx_params = IEEE80211_HT_MCS_TX_DEFINED,
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 796547cd01b420320bad7b725a9317630815d8ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 17:39:19 -0400
+Subject: x86/fpu: Allow multiple bits in clearcpuid= parameter
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 0a4bb5e5507a585532cc413125b921c8546fc39f ]
+
+Commit
+
+ 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument")
+
+changed clearcpuid parsing from __setup() to cmdline_find_option().
+While the __setup() function would have been called for each clearcpuid=
+parameter on the command line, cmdline_find_option() will only return
+the last one, so the change effectively made it impossible to disable
+more than one bit.
+
+Allow a comma-separated list of bit numbers as the argument for
+clearcpuid to allow multiple bits to be disabled again. Log the bits
+being disabled for informational purposes.
+
+Also fix the check on the return value of cmdline_find_option(). It
+returns -1 when the option is not found, so testing as a boolean is
+incorrect.
+
+Fixes: 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument")
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200907213919.2423441-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/kernel-parameters.txt | 2 +-
+ arch/x86/kernel/fpu/init.c | 30 ++++++++++++++-----
+ 2 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index dc96e7f10ebcd..0a59fcf934f43 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -552,7 +552,7 @@
+ loops can be debugged more effectively on production
+ systems.
+
+- clearcpuid=BITNUM [X86]
++ clearcpuid=BITNUM[,BITNUM...] [X86]
+ Disable CPUID feature X for the kernel. See
+ arch/x86/include/asm/cpufeatures.h for the valid bit
+ numbers. Note the Linux specific bits are not necessarily
+diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c
+index 6abd83572b016..9692ccc583bb3 100644
+--- a/arch/x86/kernel/fpu/init.c
++++ b/arch/x86/kernel/fpu/init.c
+@@ -249,9 +249,9 @@ static void __init fpu__init_system_ctx_switch(void)
+ */
+ static void __init fpu__init_parse_early_param(void)
+ {
+- char arg[32];
++ char arg[128];
+ char *argptr = arg;
+- int bit;
++ int arglen, res, bit;
+
+ if (cmdline_find_option_bool(boot_command_line, "no387"))
+ setup_clear_cpu_cap(X86_FEATURE_FPU);
+@@ -271,12 +271,26 @@ static void __init fpu__init_parse_early_param(void)
+ if (cmdline_find_option_bool(boot_command_line, "noxsaves"))
+ setup_clear_cpu_cap(X86_FEATURE_XSAVES);
+
+- if (cmdline_find_option(boot_command_line, "clearcpuid", arg,
+- sizeof(arg)) &&
+- get_option(&argptr, &bit) &&
+- bit >= 0 &&
+- bit < NCAPINTS * 32)
+- setup_clear_cpu_cap(bit);
++ arglen = cmdline_find_option(boot_command_line, "clearcpuid", arg, sizeof(arg));
++ if (arglen <= 0)
++ return;
++
++ pr_info("Clearing CPUID bits:");
++ do {
++ res = get_option(&argptr, &bit);
++ if (res == 0 || res == 3)
++ break;
++
++ /* If the argument was too long, the last bit may be cut off */
++ if (res == 1 && arglen >= sizeof(arg))
++ break;
++
++ if (bit >= 0 && bit < NCAPINTS * 32) {
++ pr_cont(" " X86_CAP_FMT, x86_cap_flag(bit));
++ setup_clear_cpu_cap(bit);
++ }
++ } while (res == 2);
++ pr_cont("\n");
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From c28451509749050240f6ea27b525aba42c452856 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Oct 2020 10:56:07 -0700
+Subject: xfs: limit entries returned when counting fsmap records
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit acd1ac3aa22fd58803a12d26b1ab7f70232f8d8d ]
+
+If userspace asked fsmap to count the number of entries, we cannot
+return more than UINT_MAX entries because fmh_entries is u32.
+Therefore, stop counting if we hit this limit or else we will waste time
+to return truncated results.
+
+Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chandan Babu R <chandanrlinux@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_fsmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
+index 43cfc07996a43..e7622e0841868 100644
+--- a/fs/xfs/xfs_fsmap.c
++++ b/fs/xfs/xfs_fsmap.c
+@@ -273,6 +273,9 @@ xfs_getfsmap_helper(
+
+ /* Are we just counting mappings? */
+ if (info->head->fmh_count == 0) {
++ if (info->head->fmh_entries == UINT_MAX)
++ return -ECANCELED;
++
+ if (rec_daddr > info->next_daddr)
+ info->head->fmh_entries++;
+
+--
+2.25.1
+
--- /dev/null
+From 16aada0ffbcbd06fae18028467fbd8ce524c89b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 14:21:06 -0700
+Subject: xfs: make sure the rt allocator doesn't run off the end
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ]
+
+There's an overflow bug in the realtime allocator. If the rt volume is
+large enough to handle a single allocation request that is larger than
+the maximum bmap extent length and the rt bitmap ends exactly on a
+bitmap block boundary, it's possible that the near allocator will try to
+check the freeness of a range that extends past the end of the bitmap.
+This fails with a corruption error and shuts down the fs.
+
+Therefore, constrain maxlen so that the range scan cannot run off the
+end of the rt bitmap.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_rtalloc.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
+index cdcb7235e41ae..7d3b56872e563 100644
+--- a/fs/xfs/xfs_rtalloc.c
++++ b/fs/xfs/xfs_rtalloc.c
+@@ -257,6 +257,9 @@ xfs_rtallocate_extent_block(
+ end = XFS_BLOCKTOBIT(mp, bbno + 1) - 1;
+ i <= end;
+ i++) {
++ /* Make sure we don't scan off the end of the rt volume. */
++ maxlen = min(mp->m_sb.sb_rextents, i + maxlen) - i;
++
+ /*
+ * See if there's a free extent of maxlen starting at i.
+ * If it's not so then next will contain the first non-free.
+@@ -448,6 +451,14 @@ xfs_rtallocate_extent_near(
+ */
+ if (bno >= mp->m_sb.sb_rextents)
+ bno = mp->m_sb.sb_rextents - 1;
++
++ /* Make sure we don't run off the end of the rt volume. */
++ maxlen = min(mp->m_sb.sb_rextents, bno + maxlen) - bno;
++ if (maxlen < minlen) {
++ *rtblock = NULLRTBLOCK;
++ return 0;
++ }
++
+ /*
+ * Try the exact allocation first.
+ */
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
