Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Mon, 2 Nov 2020 05:20:05 +0000 (00:20 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 2 Nov 2020 05:20:05 +0000 (00:20 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
83 files changed:
queue-5.4/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch [new file with mode: 0644]
queue-5.4/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch [new file with mode: 0644]
queue-5.4/arc-dts-fix-the-errors-detected-by-dtbs_check.patch [new file with mode: 0644]
queue-5.4/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch [new file with mode: 0644]
queue-5.4/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch [new file with mode: 0644]
queue-5.4/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch [new file with mode: 0644]
queue-5.4/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch [new file with mode: 0644]
queue-5.4/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch [new file with mode: 0644]
queue-5.4/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch [new file with mode: 0644]
queue-5.4/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch [new file with mode: 0644]
queue-5.4/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch [new file with mode: 0644]
queue-5.4/arm64-topology-stop-using-mpidr-for-topology-informa.patch [new file with mode: 0644]
queue-5.4/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch [new file with mode: 0644]
queue-5.4/ata-sata_nv-fix-retrieving-of-active-qcs.patch [new file with mode: 0644]
queue-5.4/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch [new file with mode: 0644]
queue-5.4/ath10k-start-recovery-process-when-payload-length-ex.patch [new file with mode: 0644]
queue-5.4/bnxt_en-log-unknown-link-speed-appropriately.patch [new file with mode: 0644]
queue-5.4/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch [new file with mode: 0644]
queue-5.4/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch [new file with mode: 0644]
queue-5.4/btrfs-fix-replace-of-seed-device.patch [new file with mode: 0644]
queue-5.4/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch [new file with mode: 0644]
queue-5.4/can-flexcan-disable-clocks-during-stop-mode.patch [new file with mode: 0644]
queue-5.4/cifs-handle-eintr-in-cifs_setattr.patch [new file with mode: 0644]
queue-5.4/clk-ti-clockdomain-fix-static-checker-warning.patch [new file with mode: 0644]
queue-5.4/coresight-make-sysfs-functional-on-topologies-with-p.patch [new file with mode: 0644]
queue-5.4/cpufreq-sti-cpufreq-add-stih418-support.patch [new file with mode: 0644]
queue-5.4/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch [new file with mode: 0644]
queue-5.4/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch [new file with mode: 0644]
queue-5.4/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch [new file with mode: 0644]
queue-5.4/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch [new file with mode: 0644]
queue-5.4/ext4-detect-already-used-quota-file-early.patch [new file with mode: 0644]
queue-5.4/f2fs-add-trace-exit-in-exception-path.patch [new file with mode: 0644]
queue-5.4/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch [new file with mode: 0644]
queue-5.4/f2fs-fix-uninit-value-in-f2fs_lookup.patch [new file with mode: 0644]
queue-5.4/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch [new file with mode: 0644]
queue-5.4/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch [new file with mode: 0644]
queue-5.4/firmware-arm_scmi-fix-arch_cold_reset.patch [new file with mode: 0644]
queue-5.4/futex-fix-incorrect-should_fail_futex-handling.patch [new file with mode: 0644]
queue-5.4/gfs2-add-validation-checks-for-size-of-superblock.patch [new file with mode: 0644]
queue-5.4/gfs2-use-after-free-in-sysfs-deregistration.patch [new file with mode: 0644]
queue-5.4/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch [new file with mode: 0644]
queue-5.4/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch [new file with mode: 0644]
queue-5.4/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch [new file with mode: 0644]
queue-5.4/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch [new file with mode: 0644]
queue-5.4/media-imx274-fix-frame-interval-handling.patch [new file with mode: 0644]
queue-5.4/media-platform-improve-queue-set-up-flow-for-bug-fix.patch [new file with mode: 0644]
queue-5.4/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch [new file with mode: 0644]
queue-5.4/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch [new file with mode: 0644]
queue-5.4/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch [new file with mode: 0644]
queue-5.4/memory-emif-remove-bogus-debugfs-error-handling.patch [new file with mode: 0644]
queue-5.4/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch [new file with mode: 0644]
queue-5.4/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch [new file with mode: 0644]
queue-5.4/mmc-via-sdmmc-fix-data-race-bug.patch [new file with mode: 0644]
queue-5.4/nbd-make-the-config-put-is-called-before-the-notifyi.patch [new file with mode: 0644]
queue-5.4/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch [new file with mode: 0644]
queue-5.4/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch [new file with mode: 0644]
queue-5.4/nvme-rdma-fix-crash-when-connect-rejected.patch [new file with mode: 0644]
queue-5.4/power-supply-bq27xxx-report-not-charging-on-all-type.patch [new file with mode: 0644]
queue-5.4/power-supply-test_power-add-missing-newlines-when-pr.patch [new file with mode: 0644]
queue-5.4/powerpc-powernv-smp-fix-spurious-dbg-warning.patch [new file with mode: 0644]
queue-5.4/powerpc-select-arch_want_irqs_off_activate_mm.patch [new file with mode: 0644]
queue-5.4/printk-reduce-log_buf_shift-range-for-h8300.patch [new file with mode: 0644]
queue-5.4/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch [new file with mode: 0644]
queue-5.4/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch [new file with mode: 0644]
queue-5.4/rpmsg-glink-use-complete_all-for-open-states.patch [new file with mode: 0644]
queue-5.4/s390-startup-avoid-save_area_sync-overflow.patch [new file with mode: 0644]
queue-5.4/samples-bpf-fix-possible-deadlock-in-xdpsock.patch [new file with mode: 0644]
queue-5.4/selftests-bpf-define-string-const-as-global-for-test.patch [new file with mode: 0644]
queue-5.4/selftests-x86-fsgsbase-reap-a-forgotten-child.patch [new file with mode: 0644]
queue-5.4/series [new file with mode: 0644]
queue-5.4/sgl_alloc_order-fix-memory-leak.patch [new file with mode: 0644]
queue-5.4/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch [new file with mode: 0644]
queue-5.4/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch [new file with mode: 0644]
queue-5.4/uio-free-uio-id-after-uio-file-node-is-freed.patch [new file with mode: 0644]
queue-5.4/um-change-sigio_spinlock-to-a-mutex.patch [new file with mode: 0644]
queue-5.4/usb-adutux-fix-debugging.patch [new file with mode: 0644]
queue-5.4/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch [new file with mode: 0644]
queue-5.4/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch [new file with mode: 0644]
queue-5.4/video-fbdev-pvr2fb-initialize-variables.patch [new file with mode: 0644]
queue-5.4/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch [new file with mode: 0644]
queue-5.4/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch [new file with mode: 0644]
queue-5.4/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch [new file with mode: 0644]

diff --git a/queue-5.4/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch b/queue-5.4/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch
new file mode 100644 (file)
index 0000000..c089336
--- /dev/null
@@ -0,0 +1,42 @@
+From 7f81675cb76acecf7e890ce0b24eb8a969f95447 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Aug 2020 22:24:25 +0800
+Subject: ACPI: Add out of bounds and numa_off protections to pxm_to_node()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 8a3decac087aa897df5af04358c2089e52e70ac4 ]
+
+The function should check the validity of the pxm value before using
+it to index the pxm_to_node_map[] array.
+
+Whilst hardening this code may be good in general, the main intent
+here is to enable following patches that use this function to replace
+acpi_map_pxm_to_node() for non SRAT usecases which should return
+NO_NUMA_NODE for PXM entries not matching with those in SRAT.
+
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Barry Song <song.bao.hua@hisilicon.com>
+Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/numa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/numa.c b/drivers/acpi/numa.c
+index eadbf90e65d14..85e01752fbe47 100644
+--- a/drivers/acpi/numa.c
++++ b/drivers/acpi/numa.c
+@@ -31,7 +31,7 @@ int acpi_numa __initdata;
+ int pxm_to_node(int pxm)
+ {
+-      if (pxm < 0)
++      if (pxm < 0 || pxm >= MAX_PXM_DOMAINS || numa_off)
+               return NUMA_NO_NODE;
+       return pxm_to_node_map[pxm];
+ }
+-- 
+2.27.0
+
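Review bot: The widened guard in pxm_to_node(), `if (pxm < 0 || pxm >= MAX_PXM_DOMAINS || numa_off)`, has no comment explaining its three conditions, and the upper bound is only right if pxm_to_node_map[] is declared with MAX_PXM_DOMAINS entries, which the inner hunk does not show. Proximity-domain numbers generally come from ACPI firmware tables, so this check is what keeps an out-of-range value from indexing past the array. I would record that above the check with `/* pxm is firmware-supplied: reject values outside pxm_to_node_map[], and report no node when NUMA is off */`. The commit message justifies the numa_off term by follow-up patches, and none of the queued files listed on this page looks like one of them, so it is worth confirming that existing 5.4 callers are fine with NUMA_NO_NODE when NUMA is disabled.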
diff --git a/queue-5.4/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch b/queue-5.4/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch
new file mode 100644 (file)
index 0000000..1677b36
--- /dev/null
@@ -0,0 +1,44 @@
+From 97b675a977d9882cbf3084a48b730088b6fbfaad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Sep 2020 22:05:45 +0800
+Subject: ACPI: HMAT: Fix handling of changes from ACPI 6.2 to ACPI 6.3
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 2c5b9bde95c96942f2873cea6ef383c02800e4a8 ]
+
+In ACPI 6.3, the Memory Proximity Domain Attributes Structure
+changed substantially.  One of those changes was that the flag
+for "Memory Proximity Domain field is valid" was deprecated.
+
+This was because the field "Proximity Domain for the Memory"
+became a required field and hence having a validity flag makes
+no sense.
+
+So the correct logic is to always assume the field is there.
+Current code assumes it never is.
+
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/hmat/hmat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/hmat/hmat.c b/drivers/acpi/hmat/hmat.c
+index 8b0de8a3c6470..0f1c939b7e901 100644
+--- a/drivers/acpi/hmat/hmat.c
++++ b/drivers/acpi/hmat/hmat.c
+@@ -403,7 +403,8 @@ static int __init hmat_parse_proximity_domain(union acpi_subtable_headers *heade
+               pr_info("HMAT: Memory Flags:%04x Processor Domain:%d Memory Domain:%d\n",
+                       p->flags, p->processor_PD, p->memory_PD);
+-      if (p->flags & ACPI_HMAT_MEMORY_PD_VALID && hmat_revision == 1) {
++      if ((hmat_revision == 1 && p->flags & ACPI_HMAT_MEMORY_PD_VALID) ||
++          hmat_revision > 1) {
+               target = find_mem_target(p->memory_PD);
+               if (!target) {
+                       pr_debug("HMAT: Memory Domain missing from SRAT\n");
+-- 
+2.27.0
+
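Review bot: The new condition mixes `&&` with an unparenthesised bitwise `&` in `hmat_revision == 1 && p->flags & ACPI_HMAT_MEMORY_PD_VALID`. C precedence evaluates it as intended, but the flag test is easier to read and harder to break in a later edit when written as `if ((hmat_revision == 1 && (p->flags & ACPI_HMAT_MEMORY_PD_VALID)) ||`. A short comment next to `hmat_revision > 1`, for example `/* ACPI 6.3+: memory_PD is mandatory, the validity flag is deprecated */`, would keep the commit message's reasoning in the code. For revisions above 1 the firmware-provided `p->memory_PD` is now always looked up, so the `if (!target)` branch that follows is the only validation visible here. The rest of that branch and of hmat_parse_proximity_domain() lies outside the hunk.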
diff --git a/queue-5.4/arc-dts-fix-the-errors-detected-by-dtbs_check.patch b/queue-5.4/arc-dts-fix-the-errors-detected-by-dtbs_check.patch
new file mode 100644 (file)
index 0000000..5fb82ca
--- /dev/null
@@ -0,0 +1,95 @@
+From 7a46597c96319ca74a17e32cb4ec34b1ec6db93c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 15:17:54 +0800
+Subject: ARC: [dts] fix the errors detected by dtbs_check
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 05b1be68c4d6d76970025e6139bfd735c2256ee5 ]
+
+xxx/arc/boot/dts/axs101.dt.yaml: dw-apb-ictl@e0012000: $nodename:0: \
+'dw-apb-ictl@e0012000' does not match '^interrupt-controller(@[0-9a-f,]+)*$'
+ From schema: xxx/interrupt-controller/snps,dw-apb-ictl.yaml
+
+The node name of the interrupt controller must start with
+"interrupt-controller" instead of "dw-apb-ictl".
+
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/boot/dts/axc001.dtsi         | 2 +-
+ arch/arc/boot/dts/axc003.dtsi         | 2 +-
+ arch/arc/boot/dts/axc003_idu.dtsi     | 2 +-
+ arch/arc/boot/dts/vdk_axc003.dtsi     | 2 +-
+ arch/arc/boot/dts/vdk_axc003_idu.dtsi | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arc/boot/dts/axc001.dtsi b/arch/arc/boot/dts/axc001.dtsi
+index 6ec1fcdfc0d7f..92247288d0562 100644
+--- a/arch/arc/boot/dts/axc001.dtsi
++++ b/arch/arc/boot/dts/axc001.dtsi
+@@ -85,7 +85,7 @@
+        * avoid duplicating the MB dtsi file given that IRQ from
+        * this intc to cpu intc are different for axs101 and axs103
+        */
+-      mb_intc: dw-apb-ictl@e0012000 {
++      mb_intc: interrupt-controller@e0012000 {
+               #interrupt-cells = <1>;
+               compatible = "snps,dw-apb-ictl";
+               reg = < 0x0 0xe0012000 0x0 0x200 >;
+diff --git a/arch/arc/boot/dts/axc003.dtsi b/arch/arc/boot/dts/axc003.dtsi
+index ac8e1b463a709..cd1edcf4f95ef 100644
+--- a/arch/arc/boot/dts/axc003.dtsi
++++ b/arch/arc/boot/dts/axc003.dtsi
+@@ -129,7 +129,7 @@
+        * avoid duplicating the MB dtsi file given that IRQ from
+        * this intc to cpu intc are different for axs101 and axs103
+        */
+-      mb_intc: dw-apb-ictl@e0012000 {
++      mb_intc: interrupt-controller@e0012000 {
+               #interrupt-cells = <1>;
+               compatible = "snps,dw-apb-ictl";
+               reg = < 0x0 0xe0012000 0x0 0x200 >;
+diff --git a/arch/arc/boot/dts/axc003_idu.dtsi b/arch/arc/boot/dts/axc003_idu.dtsi
+index 9da21e7fd246f..70779386ca796 100644
+--- a/arch/arc/boot/dts/axc003_idu.dtsi
++++ b/arch/arc/boot/dts/axc003_idu.dtsi
+@@ -135,7 +135,7 @@
+        * avoid duplicating the MB dtsi file given that IRQ from
+        * this intc to cpu intc are different for axs101 and axs103
+        */
+-      mb_intc: dw-apb-ictl@e0012000 {
++      mb_intc: interrupt-controller@e0012000 {
+               #interrupt-cells = <1>;
+               compatible = "snps,dw-apb-ictl";
+               reg = < 0x0 0xe0012000 0x0 0x200 >;
+diff --git a/arch/arc/boot/dts/vdk_axc003.dtsi b/arch/arc/boot/dts/vdk_axc003.dtsi
+index f8be7ba8dad49..c21d0eb07bf67 100644
+--- a/arch/arc/boot/dts/vdk_axc003.dtsi
++++ b/arch/arc/boot/dts/vdk_axc003.dtsi
+@@ -46,7 +46,7 @@
+       };
+-      mb_intc: dw-apb-ictl@e0012000 {
++      mb_intc: interrupt-controller@e0012000 {
+               #interrupt-cells = <1>;
+               compatible = "snps,dw-apb-ictl";
+               reg = < 0xe0012000 0x200 >;
+diff --git a/arch/arc/boot/dts/vdk_axc003_idu.dtsi b/arch/arc/boot/dts/vdk_axc003_idu.dtsi
+index 0afa3e53a4e39..4d348853ac7c5 100644
+--- a/arch/arc/boot/dts/vdk_axc003_idu.dtsi
++++ b/arch/arc/boot/dts/vdk_axc003_idu.dtsi
+@@ -54,7 +54,7 @@
+       };
+-      mb_intc: dw-apb-ictl@e0012000 {
++      mb_intc: interrupt-controller@e0012000 {
+               #interrupt-cells = <1>;
+               compatible = "snps,dw-apb-ictl";
+               reg = < 0xe0012000 0x200 >;
+-- 
+2.27.0
+
diff --git a/queue-5.4/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch b/queue-5.4/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch
new file mode 100644 (file)
index 0000000..53848d2
--- /dev/null
@@ -0,0 +1,188 @@
+From 979df443bd55552f7ae9d57453e770fea7ec8e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 23:24:35 +0100
+Subject: ARM: 8997/2: hw_breakpoint: Handle inexact watchpoint addresses
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 22c9e58299e5f18274788ce54c03d4fb761e3c5d ]
+
+This is commit fdfeff0f9e3d ("arm64: hw_breakpoint: Handle inexact
+watchpoint addresses") but ported to arm32, which has the same
+problem.
+
+This problem was found by Android CTS tests, notably the
+"watchpoint_imprecise" test [1].  I tested locally against a copycat
+(simplified) version of the test though.
+
+[1] https://android.googlesource.com/platform/bionic/+/master/tests/sys_ptrace_test.cpp
+
+Link: https://lkml.kernel.org/r/20191019111216.1.I82eae759ca6dc28a245b043f485ca490e3015321@changeid
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/hw_breakpoint.c | 100 +++++++++++++++++++++++---------
+ 1 file changed, 72 insertions(+), 28 deletions(-)
+
+diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
+index 5f95e4b911a0b..7021ef0b4e71b 100644
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -680,6 +680,40 @@ static void disable_single_step(struct perf_event *bp)
+       arch_install_hw_breakpoint(bp);
+ }
++/*
++ * Arm32 hardware does not always report a watchpoint hit address that matches
++ * one of the watchpoints set. It can also report an address "near" the
++ * watchpoint if a single instruction access both watched and unwatched
++ * addresses. There is no straight-forward way, short of disassembling the
++ * offending instruction, to map that address back to the watchpoint. This
++ * function computes the distance of the memory access from the watchpoint as a
++ * heuristic for the likelyhood that a given access triggered the watchpoint.
++ *
++ * See this same function in the arm64 platform code, which has the same
++ * problem.
++ *
++ * The function returns the distance of the address from the bytes watched by
++ * the watchpoint. In case of an exact match, it returns 0.
++ */
++static u32 get_distance_from_watchpoint(unsigned long addr, u32 val,
++                                      struct arch_hw_breakpoint_ctrl *ctrl)
++{
++      u32 wp_low, wp_high;
++      u32 lens, lene;
++
++      lens = __ffs(ctrl->len);
++      lene = __fls(ctrl->len);
++
++      wp_low = val + lens;
++      wp_high = val + lene;
++      if (addr < wp_low)
++              return wp_low - addr;
++      else if (addr > wp_high)
++              return addr - wp_high;
++      else
++              return 0;
++}
++
+ static int watchpoint_fault_on_uaccess(struct pt_regs *regs,
+                                      struct arch_hw_breakpoint *info)
+ {
+@@ -689,23 +723,25 @@ static int watchpoint_fault_on_uaccess(struct pt_regs *regs,
+ static void watchpoint_handler(unsigned long addr, unsigned int fsr,
+                              struct pt_regs *regs)
+ {
+-      int i, access;
+-      u32 val, ctrl_reg, alignment_mask;
++      int i, access, closest_match = 0;
++      u32 min_dist = -1, dist;
++      u32 val, ctrl_reg;
+       struct perf_event *wp, **slots;
+       struct arch_hw_breakpoint *info;
+       struct arch_hw_breakpoint_ctrl ctrl;
+       slots = this_cpu_ptr(wp_on_reg);
++      /*
++       * Find all watchpoints that match the reported address. If no exact
++       * match is found. Attribute the hit to the closest watchpoint.
++       */
++      rcu_read_lock();
+       for (i = 0; i < core_num_wrps; ++i) {
+-              rcu_read_lock();
+-
+               wp = slots[i];
+-
+               if (wp == NULL)
+-                      goto unlock;
++                      continue;
+-              info = counter_arch_bp(wp);
+               /*
+                * The DFAR is an unknown value on debug architectures prior
+                * to 7.1. Since we only allow a single watchpoint on these
+@@ -714,33 +750,31 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr,
+                */
+               if (debug_arch < ARM_DEBUG_ARCH_V7_1) {
+                       BUG_ON(i > 0);
++                      info = counter_arch_bp(wp);
+                       info->trigger = wp->attr.bp_addr;
+               } else {
+-                      if (info->ctrl.len == ARM_BREAKPOINT_LEN_8)
+-                              alignment_mask = 0x7;
+-                      else
+-                              alignment_mask = 0x3;
+-
+-                      /* Check if the watchpoint value matches. */
+-                      val = read_wb_reg(ARM_BASE_WVR + i);
+-                      if (val != (addr & ~alignment_mask))
+-                              goto unlock;
+-
+-                      /* Possible match, check the byte address select. */
+-                      ctrl_reg = read_wb_reg(ARM_BASE_WCR + i);
+-                      decode_ctrl_reg(ctrl_reg, &ctrl);
+-                      if (!((1 << (addr & alignment_mask)) & ctrl.len))
+-                              goto unlock;
+-
+                       /* Check that the access type matches. */
+                       if (debug_exception_updates_fsr()) {
+                               access = (fsr & ARM_FSR_ACCESS_MASK) ?
+                                         HW_BREAKPOINT_W : HW_BREAKPOINT_R;
+                               if (!(access & hw_breakpoint_type(wp)))
+-                                      goto unlock;
++                                      continue;
+                       }
++                      val = read_wb_reg(ARM_BASE_WVR + i);
++                      ctrl_reg = read_wb_reg(ARM_BASE_WCR + i);
++                      decode_ctrl_reg(ctrl_reg, &ctrl);
++                      dist = get_distance_from_watchpoint(addr, val, &ctrl);
++                      if (dist < min_dist) {
++                              min_dist = dist;
++                              closest_match = i;
++                      }
++                      /* Is this an exact match? */
++                      if (dist != 0)
++                              continue;
++
+                       /* We have a winner. */
++                      info = counter_arch_bp(wp);
+                       info->trigger = addr;
+               }
+@@ -762,13 +796,23 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr,
+                * we can single-step over the watchpoint trigger.
+                */
+               if (!is_default_overflow_handler(wp))
+-                      goto unlock;
+-
++                      continue;
+ step:
+               enable_single_step(wp, instruction_pointer(regs));
+-unlock:
+-              rcu_read_unlock();
+       }
++
++      if (min_dist > 0 && min_dist != -1) {
++              /* No exact match found. */
++              wp = slots[closest_match];
++              info = counter_arch_bp(wp);
++              info->trigger = addr;
++              pr_debug("watchpoint fired: address = 0x%x\n", info->trigger);
++              perf_bp_event(wp, regs);
++              if (is_default_overflow_handler(wp))
++                      enable_single_step(wp, instruction_pointer(regs));
++      }
++
++      rcu_read_unlock();
+ }
+ static void watchpoint_single_step_handler(unsigned long pc)
+-- 
+2.27.0
+
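Review bot: In watchpoint_handler() the "no candidate yet" state is encoded as `u32 min_dist = -1` and later tested with `min_dist != -1`, which works only through implicit conversion of -1 to the largest u32. Writing `u32 min_dist = U32_MAX, dist;` and `if (min_dist > 0 && min_dist != U32_MAX)` states the sentinel directly and avoids a signed/unsigned comparison. Separately, get_distance_from_watchpoint() passes `ctrl->len` to `__ffs()` and `__fls()`, whose results are undefined for zero, so the helper depends on the decoded byte-address-select never being 0. That is presumably true because empty slots are skipped, but the hunk does not show it, so a comment such as `/* ctrl->len is non-zero for an installed watchpoint */` would document the assumption. Parts of watchpoint_handler() between the inner hunks are not shown.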
diff --git a/queue-5.4/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch b/queue-5.4/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch
new file mode 100644 (file)
index 0000000..1ed5438
--- /dev/null
@@ -0,0 +1,70 @@
+From 3e45ce8472968adc2dce04f2a64bdf2146424de0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2020 14:02:48 -0700
+Subject: ARM: dts: omap4: Fix sgx clock rate for 4430
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 19d3e9a0bdd57b90175f30390edeb06851f5f9f3 ]
+
+We currently have a different clock rate for droid4 compared to the
+stock v3.0.8 based Android Linux kernel:
+
+# cat /sys/kernel/debug/clk/dpll_*_m7x2_ck/clk_rate
+266666667
+307200000
+# cat /sys/kernel/debug/clk/l3_gfx_cm:clk:0000:0/clk_rate
+307200000
+
+Let's fix this by configuring sgx to use 153.6 MHz instead of 307.2 MHz.
+Looks like also at least duover needs this change to avoid hangs, so
+let's apply it for all 4430.
+
+This helps a bit with thermal issues that seem to be related to memory
+corruption when using sgx. It seems that other driver related issues
+still remain though.
+
+Cc: Arthur Demchenkov <spinal.by@gmail.com>
+Cc: Merlijn Wajer <merlijn@wizzup.org>
+Cc: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap4.dtsi    |  2 +-
+ arch/arm/boot/dts/omap443x.dtsi | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/omap4.dtsi b/arch/arm/boot/dts/omap4.dtsi
+index e5506ab669fc6..904852006b9b1 100644
+--- a/arch/arm/boot/dts/omap4.dtsi
++++ b/arch/arm/boot/dts/omap4.dtsi
+@@ -328,7 +328,7 @@
+                       status = "disabled";
+               };
+-              target-module@56000000 {
++              sgx_module: target-module@56000000 {
+                       compatible = "ti,sysc-omap4", "ti,sysc";
+                       reg = <0x5600fe00 0x4>,
+                             <0x5600fe10 0x4>;
+diff --git a/arch/arm/boot/dts/omap443x.dtsi b/arch/arm/boot/dts/omap443x.dtsi
+index cbcdcb4e7d1c2..86b9caf461dfa 100644
+--- a/arch/arm/boot/dts/omap443x.dtsi
++++ b/arch/arm/boot/dts/omap443x.dtsi
+@@ -74,3 +74,13 @@
+ };
+ /include/ "omap443x-clocks.dtsi"
++
++/*
++ * Use dpll_per for sgx at 153.6MHz like droid4 stock v3.0.8 Android kernel
++ */
++&sgx_module {
++      assigned-clocks = <&l3_gfx_clkctrl OMAP4_GPU_CLKCTRL 24>,
++                        <&dpll_per_m7x2_ck>;
++      assigned-clock-rates = <0>, <153600000>;
++      assigned-clock-parents = <&dpll_per_m7x2_ck>;
++};
+-- 
+2.27.0
+
diff --git a/queue-5.4/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch b/queue-5.4/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch
new file mode 100644 (file)
index 0000000..23de4e6
--- /dev/null
@@ -0,0 +1,85 @@
+From 4100f8eb87df7172b1542fea54fe9c2e8976c8a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 18:11:22 +0200
+Subject: ARM: dts: s5pv210: move fixed clocks under root node
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit d38cae370e5f2094cbc38db3082b8e9509ae52ce ]
+
+The fixed clocks are kept under dedicated 'external-clocks' node, thus a
+fake 'reg' was added.  This is not correct with dtschema as fixed-clock
+binding does not have a 'reg' property.  Moving fixed clocks out of
+'soc' to root node fixes multiple dtbs_check warnings:
+
+  external-clocks: $nodename:0: 'external-clocks' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$'
+  external-clocks: #size-cells:0:0: 0 is not one of [1, 2]
+  external-clocks: oscillator@0:reg:0: [0] is too short
+  external-clocks: oscillator@1:reg:0: [1] is too short
+  external-clocks: 'ranges' is a required property
+  oscillator@0: 'reg' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Tested-by: Jonathan Bakker <xc-racer2@live.ca>
+Link: https://lore.kernel.org/r/20200907161141.31034-7-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/s5pv210.dtsi | 36 +++++++++++++---------------------
+ 1 file changed, 14 insertions(+), 22 deletions(-)
+
+diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi
+index 8b194da334a5c..ec41e46edaced 100644
+--- a/arch/arm/boot/dts/s5pv210.dtsi
++++ b/arch/arm/boot/dts/s5pv210.dtsi
+@@ -52,34 +52,26 @@
+               };
+       };
++      xxti: oscillator-0 {
++              compatible = "fixed-clock";
++              clock-frequency = <0>;
++              clock-output-names = "xxti";
++              #clock-cells = <0>;
++      };
++
++      xusbxti: oscillator-1 {
++              compatible = "fixed-clock";
++              clock-frequency = <0>;
++              clock-output-names = "xusbxti";
++              #clock-cells = <0>;
++      };
++
+       soc {
+               compatible = "simple-bus";
+               #address-cells = <1>;
+               #size-cells = <1>;
+               ranges;
+-              external-clocks {
+-                      compatible = "simple-bus";
+-                      #address-cells = <1>;
+-                      #size-cells = <0>;
+-
+-                      xxti: oscillator@0 {
+-                              compatible = "fixed-clock";
+-                              reg = <0>;
+-                              clock-frequency = <0>;
+-                              clock-output-names = "xxti";
+-                              #clock-cells = <0>;
+-                      };
+-
+-                      xusbxti: oscillator@1 {
+-                              compatible = "fixed-clock";
+-                              reg = <1>;
+-                              clock-frequency = <0>;
+-                              clock-output-names = "xusbxti";
+-                              #clock-cells = <0>;
+-                      };
+-              };
+-
+               onenand: onenand@b0600000 {
+                       compatible = "samsung,s5pv210-onenand";
+                       reg = <0xb0600000 0x2000>,
+-- 
+2.27.0
+
diff --git a/queue-5.4/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch b/queue-5.4/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch
new file mode 100644 (file)
index 0000000..13c8138
--- /dev/null
@@ -0,0 +1,57 @@
+From 5e68ea6a3b27267db1e074c4081d538e79a355d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 18:11:23 +0200
+Subject: ARM: dts: s5pv210: move PMU node out of clock controller
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit bb98fff84ad1ea321823759edaba573a16fa02bd ]
+
+The Power Management Unit (PMU) is a separate device which has little
+common with clock controller.  Moving it to one level up (from clock
+controller child to SoC) allows to remove fake simple-bus compatible and
+dtbs_check warnings like:
+
+  clock-controller@e0100000: $nodename:0:
+    'clock-controller@e0100000' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$'
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Tested-by: Jonathan Bakker <xc-racer2@live.ca>
+Link: https://lore.kernel.org/r/20200907161141.31034-8-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/s5pv210.dtsi | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi
+index ec41e46edaced..f10139bd80a53 100644
+--- a/arch/arm/boot/dts/s5pv210.dtsi
++++ b/arch/arm/boot/dts/s5pv210.dtsi
+@@ -92,19 +92,16 @@
+               };
+               clocks: clock-controller@e0100000 {
+-                      compatible = "samsung,s5pv210-clock", "simple-bus";
++                      compatible = "samsung,s5pv210-clock";
+                       reg = <0xe0100000 0x10000>;
+                       clock-names = "xxti", "xusbxti";
+                       clocks = <&xxti>, <&xusbxti>;
+                       #clock-cells = <1>;
+-                      #address-cells = <1>;
+-                      #size-cells = <1>;
+-                      ranges;
++              };
+-                      pmu_syscon: syscon@e0108000 {
+-                              compatible = "samsung-s5pv210-pmu", "syscon";
+-                              reg = <0xe0108000 0x8000>;
+-                      };
++              pmu_syscon: syscon@e0108000 {
++                      compatible = "samsung-s5pv210-pmu", "syscon";
++                      reg = <0xe0108000 0x8000>;
+               };
+               pinctrl0: pinctrl@e0200000 {
+-- 
+2.27.0
+
diff --git a/queue-5.4/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch b/queue-5.4/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch
new file mode 100644 (file)
index 0000000..fd873f9
--- /dev/null
@@ -0,0 +1,106 @@
+From d15ea4719d490161a99cedf2569409e89679408e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 18:11:24 +0200
+Subject: ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 6c17a2974abf68a58517f75741b15c4aba42b4b8 ]
+
+The 'audio-subsystem' node is an artificial creation, not representing
+real hardware.  The hardware is described by its nodes - AUDSS clock
+controller and I2S0.
+
+Remove the 'audio-subsystem' node along with its undocumented compatible
+to fix dtbs_check warnings like:
+
+  audio-subsystem: $nodename:0: 'audio-subsystem' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$'
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Tested-by: Jonathan Bakker <xc-racer2@live.ca>
+Link: https://lore.kernel.org/r/20200907161141.31034-9-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/s5pv210.dtsi | 65 +++++++++++++++-------------------
+ 1 file changed, 29 insertions(+), 36 deletions(-)
+
+diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi
+index f10139bd80a53..61822afa30ab3 100644
+--- a/arch/arm/boot/dts/s5pv210.dtsi
++++ b/arch/arm/boot/dts/s5pv210.dtsi
+@@ -211,43 +211,36 @@
+                       status = "disabled";
+               };
+-              audio-subsystem {
+-                      compatible = "samsung,s5pv210-audss", "simple-bus";
+-                      #address-cells = <1>;
+-                      #size-cells = <1>;
+-                      ranges;
+-
+-                      clk_audss: clock-controller@eee10000 {
+-                              compatible = "samsung,s5pv210-audss-clock";
+-                              reg = <0xeee10000 0x1000>;
+-                              clock-names = "hclk", "xxti",
+-                                              "fout_epll",
+-                                              "sclk_audio0";
+-                              clocks = <&clocks DOUT_HCLKP>, <&xxti>,
+-                                              <&clocks FOUT_EPLL>,
+-                                              <&clocks SCLK_AUDIO0>;
+-                              #clock-cells = <1>;
+-                      };
++              clk_audss: clock-controller@eee10000 {
++                      compatible = "samsung,s5pv210-audss-clock";
++                      reg = <0xeee10000 0x1000>;
++                      clock-names = "hclk", "xxti",
++                                    "fout_epll",
++                                    "sclk_audio0";
++                      clocks = <&clocks DOUT_HCLKP>, <&xxti>,
++                               <&clocks FOUT_EPLL>,
++                               <&clocks SCLK_AUDIO0>;
++                      #clock-cells = <1>;
++              };
+-                      i2s0: i2s@eee30000 {
+-                              compatible = "samsung,s5pv210-i2s";
+-                              reg = <0xeee30000 0x1000>;
+-                              interrupt-parent = <&vic2>;
+-                              interrupts = <16>;
+-                              dma-names = "rx", "tx", "tx-sec";
+-                              dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>;
+-                              clock-names = "iis",
+-                                              "i2s_opclk0",
+-                                              "i2s_opclk1";
+-                              clocks = <&clk_audss CLK_I2S>,
+-                                              <&clk_audss CLK_I2S>,
+-                                              <&clk_audss CLK_DOUT_AUD_BUS>;
+-                              samsung,idma-addr = <0xc0010000>;
+-                              pinctrl-names = "default";
+-                              pinctrl-0 = <&i2s0_bus>;
+-                              #sound-dai-cells = <0>;
+-                              status = "disabled";
+-                      };
++              i2s0: i2s@eee30000 {
++                      compatible = "samsung,s5pv210-i2s";
++                      reg = <0xeee30000 0x1000>;
++                      interrupt-parent = <&vic2>;
++                      interrupts = <16>;
++                      dma-names = "rx", "tx", "tx-sec";
++                      dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>;
++                      clock-names = "iis",
++                                    "i2s_opclk0",
++                                    "i2s_opclk1";
++                      clocks = <&clk_audss CLK_I2S>,
++                               <&clk_audss CLK_I2S>,
++                               <&clk_audss CLK_DOUT_AUD_BUS>;
++                      samsung,idma-addr = <0xc0010000>;
++                      pinctrl-names = "default";
++                      pinctrl-0 = <&i2s0_bus>;
++                      #sound-dai-cells = <0>;
++                      status = "disabled";
+               };
+               i2s1: i2s@e2100000 {
+-- 
+2.27.0
+
diff --git a/queue-5.4/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch b/queue-5.4/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch
new file mode 100644 (file)
index 0000000..f6b14da
--- /dev/null
@@ -0,0 +1,87 @@
+From edc1fe1512b2e0e6557a71bd231622d16aebe4e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 18:11:21 +0200
+Subject: ARM: dts: s5pv210: remove DMA controller bus node name to fix
+ dtschema warnings
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit ea4e792f3c8931fffec4d700cf6197d84e9f35a6 ]
+
+There is no need to keep DMA controller nodes under AMBA bus node.
+Remove the "amba" node to fix dtschema warnings like:
+
+  amba: $nodename:0: 'amba' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$'
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Tested-by: Jonathan Bakker <xc-racer2@live.ca>
+Link: https://lore.kernel.org/r/20200907161141.31034-6-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/s5pv210.dtsi | 49 +++++++++++++++-------------------
+ 1 file changed, 21 insertions(+), 28 deletions(-)
+
+diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi
+index 2ad642f51fd92..8b194da334a5c 100644
+--- a/arch/arm/boot/dts/s5pv210.dtsi
++++ b/arch/arm/boot/dts/s5pv210.dtsi
+@@ -128,35 +128,28 @@
+                       };
+               };
+-              amba {
+-                      #address-cells = <1>;
+-                      #size-cells = <1>;
+-                      compatible = "simple-bus";
+-                      ranges;
+-
+-                      pdma0: dma@e0900000 {
+-                              compatible = "arm,pl330", "arm,primecell";
+-                              reg = <0xe0900000 0x1000>;
+-                              interrupt-parent = <&vic0>;
+-                              interrupts = <19>;
+-                              clocks = <&clocks CLK_PDMA0>;
+-                              clock-names = "apb_pclk";
+-                              #dma-cells = <1>;
+-                              #dma-channels = <8>;
+-                              #dma-requests = <32>;
+-                      };
++              pdma0: dma@e0900000 {
++                      compatible = "arm,pl330", "arm,primecell";
++                      reg = <0xe0900000 0x1000>;
++                      interrupt-parent = <&vic0>;
++                      interrupts = <19>;
++                      clocks = <&clocks CLK_PDMA0>;
++                      clock-names = "apb_pclk";
++                      #dma-cells = <1>;
++                      #dma-channels = <8>;
++                      #dma-requests = <32>;
++              };
+-                      pdma1: dma@e0a00000 {
+-                              compatible = "arm,pl330", "arm,primecell";
+-                              reg = <0xe0a00000 0x1000>;
+-                              interrupt-parent = <&vic0>;
+-                              interrupts = <20>;
+-                              clocks = <&clocks CLK_PDMA1>;
+-                              clock-names = "apb_pclk";
+-                              #dma-cells = <1>;
+-                              #dma-channels = <8>;
+-                              #dma-requests = <32>;
+-                      };
++              pdma1: dma@e0a00000 {
++                      compatible = "arm,pl330", "arm,primecell";
++                      reg = <0xe0a00000 0x1000>;
++                      interrupt-parent = <&vic0>;
++                      interrupts = <20>;
++                      clocks = <&clocks CLK_PDMA1>;
++                      clock-names = "apb_pclk";
++                      #dma-cells = <1>;
++                      #dma-channels = <8>;
++                      #dma-requests = <32>;
+               };
+               spi0: spi@e1300000 {
+-- 
+2.27.0
+
diff --git a/queue-5.4/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch b/queue-5.4/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch
new file mode 100644 (file)
index 0000000..21ffcaf
--- /dev/null
@@ -0,0 +1,36 @@
+From bb56c5e4201d8f2db643069c6a0725957351986c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 21:33:21 +0900
+Subject: arm64: dts: renesas: ulcb: add full-pwr-cycle-in-suspend into eMMC
+ nodes
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 992d7a8b88c83c05664b649fc54501ce58e19132 ]
+
+Add full-pwr-cycle-in-suspend property to do a graceful shutdown of
+the eMMC device in system suspend.
+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/1594989201-24228-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/ulcb.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/ulcb.dtsi b/arch/arm64/boot/dts/renesas/ulcb.dtsi
+index 3ef89171538ff..d8fccf3d4987a 100644
+--- a/arch/arm64/boot/dts/renesas/ulcb.dtsi
++++ b/arch/arm64/boot/dts/renesas/ulcb.dtsi
+@@ -470,6 +470,7 @@
+       mmc-hs200-1_8v;
+       mmc-hs400-1_8v;
+       non-removable;
++      full-pwr-cycle-in-suspend;
+       status = "okay";
+ };
+-- 
+2.27.0
+
diff --git a/queue-5.4/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch b/queue-5.4/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch
new file mode 100644 (file)
index 0000000..2214a05
--- /dev/null
@@ -0,0 +1,61 @@
+From f2bcda910e3167b7512128b1af597f439db69fc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 10:39:36 +0800
+Subject: arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE
+
+From: Zhengyuan Liu <liuzhengyuan@tj.kylinos.cn>
+
+[ Upstream commit a194c5f2d2b3a05428805146afcabe5140b5d378 ]
+
+The @node passed to cpumask_of_node() can be NUMA_NO_NODE, in that
+case it will trigger the following WARN_ON(node >= nr_node_ids) due to
+mismatched data types of @node and @nr_node_ids. Actually we should
+return cpu_all_mask just like most other architectures do if passed
+NUMA_NO_NODE.
+
+Also add a similar check to the inline cpumask_of_node() in numa.h.
+
+Signed-off-by: Zhengyuan Liu <liuzhengyuan@tj.kylinos.cn>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Link: https://lore.kernel.org/r/20200921023936.21846-1-liuzhengyuan@tj.kylinos.cn
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/numa.h | 3 +++
+ arch/arm64/mm/numa.c          | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/numa.h b/arch/arm64/include/asm/numa.h
+index 626ad01e83bf0..dd870390d639f 100644
+--- a/arch/arm64/include/asm/numa.h
++++ b/arch/arm64/include/asm/numa.h
+@@ -25,6 +25,9 @@ const struct cpumask *cpumask_of_node(int node);
+ /* Returns a pointer to the cpumask of CPUs on Node 'node'. */
+ static inline const struct cpumask *cpumask_of_node(int node)
+ {
++      if (node == NUMA_NO_NODE)
++              return cpu_all_mask;
++
+       return node_to_cpumask_map[node];
+ }
+ #endif
+diff --git a/arch/arm64/mm/numa.c b/arch/arm64/mm/numa.c
+index 4decf16597008..53ebb4babf3a7 100644
+--- a/arch/arm64/mm/numa.c
++++ b/arch/arm64/mm/numa.c
+@@ -46,7 +46,11 @@ EXPORT_SYMBOL(node_to_cpumask_map);
+  */
+ const struct cpumask *cpumask_of_node(int node)
+ {
+-      if (WARN_ON(node >= nr_node_ids))
++
++      if (node == NUMA_NO_NODE)
++              return cpu_all_mask;
++
++      if (WARN_ON(node < 0 || node >= nr_node_ids))
+               return cpu_none_mask;
+       if (WARN_ON(node_to_cpumask_map[node] == NULL))
+-- 
+2.27.0
+
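Review bot: In the inline cpumask_of_node() in arch/arm64/include/asm/numa.h, only NUMA_NO_NODE is filtered before `node_to_cpumask_map[node]` is indexed, so any other negative or too-large node still reads outside the array in that variant, while the numa.c variant now rejects `node < 0 || node >= nr_node_ids`. If the unchecked path is intentional (presumably it is the variant used when the checking version is compiled out), the comment above the inline should say so, e.g. `/* Returns the cpumask of CPUs on 'node'; NUMA_NO_NODE yields cpu_all_mask, other values are not range-checked here. */`. The numa.c hunk also adds an empty line directly after the opening brace, which can be dropped. The numa.c function body continues past the end of its hunk.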
diff --git a/queue-5.4/arm64-topology-stop-using-mpidr-for-topology-informa.patch b/queue-5.4/arm64-topology-stop-using-mpidr-for-topology-informa.patch
new file mode 100644 (file)
index 0000000..7b664f9
--- /dev/null
@@ -0,0 +1,138 @@
+From 19548ab894b1e9b50761030f68520dddf958e64e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Aug 2020 14:00:16 +0100
+Subject: arm64: topology: Stop using MPIDR for topology information
+
+From: Valentin Schneider <valentin.schneider@arm.com>
+
+[ Upstream commit 3102bc0e6ac752cc5df896acb557d779af4d82a1 ]
+
+In the absence of ACPI or DT topology data, we fallback to haphazardly
+decoding *something* out of MPIDR. Sadly, the contents of that register are
+mostly unusable due to the implementation leniancy and things like Aff0
+having to be capped to 15 (despite being encoded on 8 bits).
+
+Consider a simple system with a single package of 32 cores, all under the
+same LLC. We ought to be shoving them in the same core_sibling mask, but
+MPIDR is going to look like:
+
+  | CPU  | 0 | ... | 15 | 16 | ... | 31 |
+  |------+---+-----+----+----+-----+----+
+  | Aff0 | 0 | ... | 15 |  0 | ... | 15 |
+  | Aff1 | 0 | ... |  0 |  1 | ... |  1 |
+  | Aff2 | 0 | ... |  0 |  0 | ... |  0 |
+
+Which will eventually yield
+
+  core_sibling(0-15)  == 0-15
+  core_sibling(16-31) == 16-31
+
+NUMA woes
+=========
+
+If we try to play games with this and set up NUMA boundaries within those
+groups of 16 cores via e.g. QEMU:
+
+  # Node0: 0-9; Node1: 10-19
+  $ qemu-system-aarch64 <blah> \
+    -smp 20 -numa node,cpus=0-9,nodeid=0 -numa node,cpus=10-19,nodeid=1
+
+The scheduler's MC domain (all CPUs with same LLC) is going to be built via
+
+  arch_topology.c::cpu_coregroup_mask()
+
+In there we try to figure out a sensible mask out of the topology
+information we have. In short, here we'll pick the smallest of NUMA or
+core sibling mask.
+
+  node_mask(CPU9)    == 0-9
+  core_sibling(CPU9) == 0-15
+
+MC mask for CPU9 will thus be 0-9, not a problem.
+
+  node_mask(CPU10)    == 10-19
+  core_sibling(CPU10) == 0-15
+
+MC mask for CPU10 will thus be 10-19, not a problem.
+
+  node_mask(CPU16)    == 10-19
+  core_sibling(CPU16) == 16-19
+
+MC mask for CPU16 will thus be 16-19... Uh oh. CPUs 16-19 are in two
+different unique MC spans, and the scheduler has no idea what to make of
+that. That triggers the WARN_ON() added by commit
+
+  ccf74128d66c ("sched/topology: Assert non-NUMA topology masks don't (partially) overlap")
+
+Fixing MPIDR-derived topology
+=============================
+
+We could try to come up with some cleverer scheme to figure out which of
+the available masks to pick, but really if one of those masks resulted from
+MPIDR then it should be discarded because it's bound to be bogus.
+
+I was hoping to give MPIDR a chance for SMT, to figure out which threads are
+in the same core using Aff1-3 as core ID, but Sudeep and Robin pointed out
+to me that there are systems out there where *all* cores have non-zero
+values in their higher affinity fields (e.g. RK3288 has "5" in all of its
+cores' MPIDR.Aff1), which would expose a bogus core ID to userspace.
+
+Stop using MPIDR for topology information. When no other source of topology
+information is available, mark each CPU as its own core and its NUMA node
+as its LLC domain.
+
+Signed-off-by: Valentin Schneider <valentin.schneider@arm.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Link: https://lore.kernel.org/r/20200829130016.26106-1-valentin.schneider@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/topology.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm64/kernel/topology.c b/arch/arm64/kernel/topology.c
+index fa9528dfd0ce3..113903db666c0 100644
+--- a/arch/arm64/kernel/topology.c
++++ b/arch/arm64/kernel/topology.c
+@@ -35,21 +35,23 @@ void store_cpu_topology(unsigned int cpuid)
+       if (mpidr & MPIDR_UP_BITMASK)
+               return;
+-      /* Create cpu topology mapping based on MPIDR. */
+-      if (mpidr & MPIDR_MT_BITMASK) {
+-              /* Multiprocessor system : Multi-threads per core */
+-              cpuid_topo->thread_id  = MPIDR_AFFINITY_LEVEL(mpidr, 0);
+-              cpuid_topo->core_id    = MPIDR_AFFINITY_LEVEL(mpidr, 1);
+-              cpuid_topo->package_id = MPIDR_AFFINITY_LEVEL(mpidr, 2) |
+-                                       MPIDR_AFFINITY_LEVEL(mpidr, 3) << 8;
+-      } else {
+-              /* Multiprocessor system : Single-thread per core */
+-              cpuid_topo->thread_id  = -1;
+-              cpuid_topo->core_id    = MPIDR_AFFINITY_LEVEL(mpidr, 0);
+-              cpuid_topo->package_id = MPIDR_AFFINITY_LEVEL(mpidr, 1) |
+-                                       MPIDR_AFFINITY_LEVEL(mpidr, 2) << 8 |
+-                                       MPIDR_AFFINITY_LEVEL(mpidr, 3) << 16;
+-      }
++      /*
++       * This would be the place to create cpu topology based on MPIDR.
++       *
++       * However, it cannot be trusted to depict the actual topology; some
++       * pieces of the architecture enforce an artificial cap on Aff0 values
++       * (e.g. GICv3's ICC_SGI1R_EL1 limits it to 15), leading to an
++       * artificial cycling of Aff1, Aff2 and Aff3 values. IOW, these end up
++       * having absolutely no relationship to the actual underlying system
++       * topology, and cannot be reasonably used as core / package ID.
++       *
++       * If the MT bit is set, Aff0 *could* be used to define a thread ID, but
++       * we still wouldn't be able to obtain a sane core ID. This means we
++       * need to entirely ignore MPIDR for any topology deduction.
++       */
++      cpuid_topo->thread_id  = -1;
++      cpuid_topo->core_id    = cpuid;
++      cpuid_topo->package_id = cpu_to_node(cpuid);
+       pr_debug("CPU%u: cluster %d core %d thread %d mpidr %#016llx\n",
+                cpuid, cpuid_topo->package_id, cpuid_topo->core_id,
+-- 
+2.27.0
+
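Review bot: `cpuid_topo->package_id = cpu_to_node(cpuid);` in store_cpu_topology() makes the package ID depend on the CPU-to-node mapping already being populated when this function runs, and nothing in the hunk shows that ordering or what is stored if cpu_to_node() still yields NUMA_NO_NODE at that point. The long comment explains why MPIDR is ignored but not what the three assignments mean, so a line such as `/* Fallback: each CPU is its own core, its NUMA node stands in for the package (LLC domain). */` directly above them would help. The pr_debug() that follows still labels the value "cluster" and prints mpidr, which no longer feeds any of the printed IDs. The function starts and ends outside the hunk.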
diff --git a/queue-5.4/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch b/queue-5.4/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch
new file mode 100644 (file)
index 0000000..5eed3d5
--- /dev/null
@@ -0,0 +1,114 @@
+From e81ac1dbc3f674964e03a9e15e8019b47c6eb554 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 12:06:58 +0100
+Subject: asm-generic/io.h: Fix !CONFIG_GENERIC_IOMAP pci_iounmap()
+ implementation
+
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+
+[ Upstream commit f5810e5c329238b8553ebd98b914bdbefd8e6737 ]
+
+For arches that do not select CONFIG_GENERIC_IOMAP, the current
+pci_iounmap() function does nothing causing obvious memory leaks
+for mapped regions that are backed by MMIO physical space.
+
+In order to detect if a mapped pointer is IO vs MMIO, a check must made
+available to the pci_iounmap() function so that it can actually detect
+whether the pointer has to be unmapped.
+
+In configurations where CONFIG_HAS_IOPORT_MAP && !CONFIG_GENERIC_IOMAP,
+a mapped port is detected using an ioport_map() stub defined in
+asm-generic/io.h.
+
+Use the same logic to implement a stub (ie __pci_ioport_unmap()) that
+detects if the passed in pointer in pci_iounmap() is IO vs MMIO to
+iounmap conditionally and call it in pci_iounmap() fixing the issue.
+
+Leave __pci_ioport_unmap() as a NOP for all other config options.
+
+Tested-by: George Cherian <george.cherian@marvell.com>
+Link: https://lore.kernel.org/lkml/20200905024811.74701-1-yangyingliang@huawei.com
+Link: https://lore.kernel.org/lkml/20200824132046.3114383-1-george.cherian@marvell.com
+Link: https://lore.kernel.org/r/a9daf8d8444d0ebd00bc6d64e336ec49dbb50784.1600254147.git.lorenzo.pieralisi@arm.com
+Reported-by: George Cherian <george.cherian@marvell.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: George Cherian <george.cherian@marvell.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/asm-generic/io.h | 39 +++++++++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h
+index d02806513670c..5e6c4f375e0c3 100644
+--- a/include/asm-generic/io.h
++++ b/include/asm-generic/io.h
+@@ -887,18 +887,6 @@ static inline void iowrite64_rep(volatile void __iomem *addr,
+ #include <linux/vmalloc.h>
+ #define __io_virt(x) ((void __force *)(x))
+-#ifndef CONFIG_GENERIC_IOMAP
+-struct pci_dev;
+-extern void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long max);
+-
+-#ifndef pci_iounmap
+-#define pci_iounmap pci_iounmap
+-static inline void pci_iounmap(struct pci_dev *dev, void __iomem *p)
+-{
+-}
+-#endif
+-#endif /* CONFIG_GENERIC_IOMAP */
+-
+ /*
+  * Change virtual addresses to physical addresses and vv.
+  * These are pretty trivial
+@@ -1013,6 +1001,16 @@ static inline void __iomem *ioport_map(unsigned long port, unsigned int nr)
+       port &= IO_SPACE_LIMIT;
+       return (port > MMIO_UPPER_LIMIT) ? NULL : PCI_IOBASE + port;
+ }
++#define __pci_ioport_unmap __pci_ioport_unmap
++static inline void __pci_ioport_unmap(void __iomem *p)
++{
++      uintptr_t start = (uintptr_t) PCI_IOBASE;
++      uintptr_t addr = (uintptr_t) p;
++
++      if (addr >= start && addr < start + IO_SPACE_LIMIT)
++              return;
++      iounmap(p);
++}
+ #endif
+ #ifndef ioport_unmap
+@@ -1027,6 +1025,23 @@ extern void ioport_unmap(void __iomem *p);
+ #endif /* CONFIG_GENERIC_IOMAP */
+ #endif /* CONFIG_HAS_IOPORT_MAP */
++#ifndef CONFIG_GENERIC_IOMAP
++struct pci_dev;
++extern void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long max);
++
++#ifndef __pci_ioport_unmap
++static inline void __pci_ioport_unmap(void __iomem *p) {}
++#endif
++
++#ifndef pci_iounmap
++#define pci_iounmap pci_iounmap
++static inline void pci_iounmap(struct pci_dev *dev, void __iomem *p)
++{
++      __pci_ioport_unmap(p);
++}
++#endif
++#endif /* CONFIG_GENERIC_IOMAP */
++
+ /*
+  * Convert a virtual cached pointer to an uncached pointer
+  */
+-- 
+2.27.0
+
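Review bot: __pci_ioport_unmap() bounds the port window with `start + IO_SPACE_LIMIT`, while ioport_map() directly above it rejects ports with `port > MMIO_UPPER_LIMIT`. The two tests describe the same window with different constants, and MMIO_UPPER_LIMIT is defined outside the hunk, so a reader cannot confirm they agree. If they ever drift, a port cookie would be handed to iounmap() or a real MMIO mapping would be skipped. Assuming MMIO_UPPER_LIMIT is the last mappable port, writing the test as `if (addr >= start && addr <= start + MMIO_UPPER_LIMIT)` keeps both sides tied to one definition. A comment such as `/* Cookies from ioport_map() were never ioremap()ed; only real MMIO is unmapped. */` would state why the early return exists.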
diff --git a/queue-5.4/ata-sata_nv-fix-retrieving-of-active-qcs.patch b/queue-5.4/ata-sata_nv-fix-retrieving-of-active-qcs.patch
new file mode 100644 (file)
index 0000000..667a42e
--- /dev/null
@@ -0,0 +1,43 @@
+From 23232970a8cb0aec67b14120c877cb71f65ab36a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 07:28:19 +0200
+Subject: ata: sata_nv: Fix retrieving of active qcs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+[ Upstream commit 8e4c309f9f33b76c09daa02b796ef87918eee494 ]
+
+ata_qc_complete_multiple() has to be called with the tags physically
+active, that is the hw tag is at bit 0. ap->qc_active has the same tag
+at bit ATA_TAG_INTERNAL instead, so call ata_qc_get_active() to fix that
+up. This is done in the vein of 8385d756e114 ("libata: Fix retrieving of
+active qcs").
+
+Fixes: 28361c403683 ("libata: add extra internal command")
+Tested-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_nv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/sata_nv.c b/drivers/ata/sata_nv.c
+index 18b147c182b96..0514aa7e80e39 100644
+--- a/drivers/ata/sata_nv.c
++++ b/drivers/ata/sata_nv.c
+@@ -2100,7 +2100,7 @@ static int nv_swncq_sdbfis(struct ata_port *ap)
+       pp->dhfis_bits &= ~done_mask;
+       pp->dmafis_bits &= ~done_mask;
+       pp->sdbfis_bits |= done_mask;
+-      ata_qc_complete_multiple(ap, ap->qc_active ^ done_mask);
++      ata_qc_complete_multiple(ap, ata_qc_get_active(ap) ^ done_mask);
+       if (!ap->qc_active) {
+               DPRINTK("over\n");
+-- 
+2.27.0
+
diff --git a/queue-5.4/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch b/queue-5.4/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch
new file mode 100644 (file)
index 0000000..54c5aa7
--- /dev/null
@@ -0,0 +1,58 @@
+From 8ef1d0b9fc85594ac5cadc94be0f0ecdf4a3c563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 13:46:11 +0530
+Subject: ath10k: fix VHT NSS calculation when STBC is enabled
+
+From: Sathishkumar Muruganandam <murugana@codeaurora.org>
+
+[ Upstream commit 99f41b8e43b8b4b31262adb8ac3e69088fff1289 ]
+
+When STBC is enabled, NSTS_SU value need to be accounted for VHT NSS
+calculation for SU case.
+
+Without this fix, 1SS + STBC enabled case was reported wrongly as 2SS
+in radiotap header on monitor mode capture.
+
+Tested-on: QCA9984 10.4-3.10-00047
+
+Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1597392971-3897-1-git-send-email-murugana@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
+index 8ca0a808a644d..04095f91d3014 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -949,6 +949,7 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
+       u8 preamble = 0;
+       u8 group_id;
+       u32 info1, info2, info3;
++      u32 stbc, nsts_su;
+       info1 = __le32_to_cpu(rxd->ppdu_start.info1);
+       info2 = __le32_to_cpu(rxd->ppdu_start.info2);
+@@ -993,11 +994,16 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
+                */
+               bw = info2 & 3;
+               sgi = info3 & 1;
++              stbc = (info2 >> 3) & 1;
+               group_id = (info2 >> 4) & 0x3F;
+               if (GROUP_ID_IS_SU_MIMO(group_id)) {
+                       mcs = (info3 >> 4) & 0x0F;
+-                      nss = ((info2 >> 10) & 0x07) + 1;
++                      nsts_su = ((info2 >> 10) & 0x07);
++                      if (stbc)
++                              nss = (nsts_su >> 2) + 1;
++                      else
++                              nss = (nsts_su + 1);
+               } else {
+                       /* Hardware doesn't decode VHT-SIG-B into Rx descriptor
+                        * so it's impossible to decode MCS. Also since
+-- 
+2.27.0
+
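Review bot: The STBC branch `nss = (nsts_su >> 2) + 1;` in ath10k_htt_rx_h_rates() only looks right for the 1SS case the commit message describes. If the field holds NSTS-1 (which the "1SS + STBC was reported as 2SS" symptom suggests), then 2SS with STBC gives nsts_su = 3 and the shift by two still yields nss = 1. Halving the space-time stream count would be `nss = (nsts_su >> 1) + 1;`, which maps 1, 3, 5, 7 to 1, 2, 3, 4. The descriptor layout is not visible in the hunk, so this needs confirming against the hardware documentation or a 2SS STBC capture. The function body continues outside both hunks.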
diff --git a/queue-5.4/ath10k-start-recovery-process-when-payload-length-ex.patch b/queue-5.4/ath10k-start-recovery-process-when-payload-length-ex.patch
new file mode 100644 (file)
index 0000000..fa65598
--- /dev/null
@@ -0,0 +1,85 @@
+From d68ccfceb345437b1ed3654009b06fe7c6a3c549 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 18:17:08 +0300
+Subject: ath10k: start recovery process when payload length exceeds max htc
+ length for sdio
+
+From: Wen Gong <wgong@codeaurora.org>
+
+[ Upstream commit 2fd3c8f34d08af0a6236085f9961866ad92ef9ec ]
+
+When simulate random transfer fail for sdio write and read, it happened
+"payload length exceeds max htc length" and recovery later sometimes.
+
+Test steps:
+1. Add config and update kernel:
+CONFIG_FAIL_MMC_REQUEST=y
+CONFIG_FAULT_INJECTION=y
+CONFIG_FAULT_INJECTION_DEBUG_FS=y
+
+2. Run simulate fail:
+cd /sys/kernel/debug/mmc1/fail_mmc_request
+echo 10 > probability
+echo 10 > times # repeat until hitting issues
+
+3. It happened payload length exceeds max htc length.
+[  199.935506] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088
+....
+[  264.990191] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088
+
+4. after some time, such as 60 seconds, it start recovery which triggered
+by wmi command timeout for periodic scan.
+[  269.229232] ieee80211 phy0: Hardware restart was requested
+[  269.734693] ath10k_sdio mmc1:0001:1: device successfully recovered
+
+The simulate fail of sdio is not a real sdio transter fail, it only
+set an error status in mmc_should_fail_request after the transfer end,
+actually the transfer is success, then sdio_io_rw_ext_helper will
+return error status and stop transfer the left data. For example,
+the really RX len is 286 bytes, then it will split to 2 blocks in
+sdio_io_rw_ext_helper, one is 256 bytes, left is 30 bytes, if the
+first 256 bytes get an error status by mmc_should_fail_request,then
+the left 30 bytes will not read in this RX operation. Then when the
+next RX arrive, the left 30 bytes will be considered as the header
+of the read, the top 4 bytes of the 30 bytes will be considered as
+lookaheads, but actually the 4 bytes is not the lookaheads, so the len
+from this lookaheads is not correct, it exceeds max htc length 4088
+sometimes. When happened exceeds, the buffer chain is not matched between
+firmware and ath10k, then it need to start recovery ASAP. Recently then
+recovery will be started by wmi command timeout, but it will be long time
+later, for example, it is 60+ seconds later from the periodic scan, if
+it does not have periodic scan, it will be longer.
+
+Start recovery when it happened "payload length exceeds max htc length"
+will be reasonable.
+
+This patch only effect sdio chips.
+
+Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029.
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200108031957.22308-3-wgong@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index 8fe626deadeb0..24b1927a07518 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -550,6 +550,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
+                                   le16_to_cpu(htc_hdr->len),
+                                   ATH10K_HTC_MBOX_MAX_PAYLOAD_LENGTH);
+                       ret = -ENOMEM;
++
++                      queue_work(ar->workqueue, &ar->restart_work);
++                      ath10k_warn(ar, "exceeds length, start recovery\n");
++
+                       goto err;
+               }
+-- 
+2.27.0
+
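Review bot: The added `queue_work(ar->workqueue, &ar->restart_work);` in ath10k_sdio_mbox_rx_alloc() is triggered by a length read from the received header (`le16_to_cpu(htc_hdr->len)`) with no driver-state check visible in the hunk. Every oversize header therefore requests a full restart, including while an earlier restart may still be in progress; whether restart_work itself guards against that is outside the hunk. The new `ath10k_warn(ar, "exceeds length, start recovery\n");` repeats what the warning just above already reports and is emitted after the work is queued. Folding the recovery wording into the existing message would leave one log line per event. The function starts and ends outside the hunk.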
diff --git a/queue-5.4/bnxt_en-log-unknown-link-speed-appropriately.patch b/queue-5.4/bnxt_en-log-unknown-link-speed-appropriately.patch
new file mode 100644 (file)
index 0000000..f3a0e29
--- /dev/null
@@ -0,0 +1,51 @@
+From 724ff036fd8287b5ee3f7c329518b2c944bab840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 05:10:51 -0400
+Subject: bnxt_en: Log unknown link speed appropriately.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 8eddb3e7ce124dd6375d3664f1aae13873318b0f ]
+
+If the VF virtual link is set to always enabled, the speed may be
+unknown when the physical link is down.  The driver currently logs
+the link speed as 4294967295 Mbps which is SPEED_UNKNOWN.  Modify
+the link up log message as "speed unknown" which makes more sense.
+
+Reviewed-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://lore.kernel.org/r/1602493854-29283-7-git-send-email-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index cdd3764760ed9..6f777e9b4b936 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8375,6 +8375,11 @@ static void bnxt_report_link(struct bnxt *bp)
+               u16 fec;
+               netif_carrier_on(bp->dev);
++              speed = bnxt_fw_to_ethtool_speed(bp->link_info.link_speed);
++              if (speed == SPEED_UNKNOWN) {
++                      netdev_info(bp->dev, "NIC Link is Up, speed unknown\n");
++                      return;
++              }
+               if (bp->link_info.duplex == BNXT_LINK_DUPLEX_FULL)
+                       duplex = "full";
+               else
+@@ -8387,7 +8392,6 @@ static void bnxt_report_link(struct bnxt *bp)
+                       flow_ctrl = "ON - receive";
+               else
+                       flow_ctrl = "none";
+-              speed = bnxt_fw_to_ethtool_speed(bp->link_info.link_speed);
+               netdev_info(bp->dev, "NIC Link is Up, %u Mbps %s duplex, Flow control: %s\n",
+                           speed, duplex, flow_ctrl);
+               if (bp->flags & BNXT_FLAG_EEE_CAP)
+-- 
+2.27.0
+
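Review bot: The early `return` in the new `speed == SPEED_UNKNOWN` branch of bnxt_report_link also skips everything that follows the normal link-up message, including the `if (bp->flags & BNXT_FLAG_EEE_CAP)` report visible at the end of the second hunk. If only the speed text is meant to change, that is a silent loss of log output for VFs with an always-enabled virtual link. Either keep the later reports reachable or state the intent next to the return, e.g. `/* speed unknown: duplex, flow control, EEE and FEC are not reported */`. The function body continues outside both hunks, so the full list of skipped statements should be checked there.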
diff --git a/queue-5.4/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch b/queue-5.4/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch
new file mode 100644 (file)
index 0000000..771c0e6
--- /dev/null
@@ -0,0 +1,119 @@
+From 01a516558d71db45d5c98ba2cbf7960371d8855b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 10:57:02 -0700
+Subject: bpf: Permit map_ptr arithmetic with opcode add and offset 0
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit 7c6967326267bd5c0dded0a99541357d70dd11ac ]
+
+Commit 41c48f3a98231 ("bpf: Support access
+to bpf map fields") added support to access map fields
+with CORE support. For example,
+
+            struct bpf_map {
+                    __u32 max_entries;
+            } __attribute__((preserve_access_index));
+
+            struct bpf_array {
+                    struct bpf_map map;
+                    __u32 elem_size;
+            } __attribute__((preserve_access_index));
+
+            struct {
+                    __uint(type, BPF_MAP_TYPE_ARRAY);
+                    __uint(max_entries, 4);
+                    __type(key, __u32);
+                    __type(value, __u32);
+            } m_array SEC(".maps");
+
+            SEC("cgroup_skb/egress")
+            int cg_skb(void *ctx)
+            {
+                    struct bpf_array *array = (struct bpf_array *)&m_array;
+
+                    /* .. array->map.max_entries .. */
+            }
+
+In kernel, bpf_htab has similar structure,
+
+           struct bpf_htab {
+                   struct bpf_map map;
+                    ...
+            }
+
+In the above cg_skb(), to access array->map.max_entries, with CORE, the clang will
+generate two builtin's.
+            base = &m_array;
+            /* access array.map */
+            map_addr = __builtin_preserve_struct_access_info(base, 0, 0);
+            /* access array.map.max_entries */
+            max_entries_addr = __builtin_preserve_struct_access_info(map_addr, 0, 0);
+           max_entries = *max_entries_addr;
+
+In the current llvm, if two builtin's are in the same function or
+in the same function after inlining, the compiler is smart enough to chain
+them together and generates like below:
+            base = &m_array;
+            max_entries = *(base + reloc_offset); /* reloc_offset = 0 in this case */
+and we are fine.
+
+But if we force no inlining for one of functions in test_map_ptr() selftest, e.g.,
+check_default(), the above two __builtin_preserve_* will be in two different
+functions. In this case, we will have code like:
+   func check_hash():
+            reloc_offset_map = 0;
+            base = &m_array;
+            map_base = base + reloc_offset_map;
+            check_default(map_base, ...)
+   func check_default(map_base, ...):
+            max_entries = *(map_base + reloc_offset_max_entries);
+
+In kernel, map_ptr (CONST_PTR_TO_MAP) does not allow any arithmetic.
+The above "map_base = base + reloc_offset_map" will trigger a verifier failure.
+  ; VERIFY(check_default(&hash->map, map));
+  0: (18) r7 = 0xffffb4fe8018a004
+  2: (b4) w1 = 110
+  3: (63) *(u32 *)(r7 +0) = r1
+   R1_w=invP110 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0
+  ; VERIFY_TYPE(BPF_MAP_TYPE_HASH, check_hash);
+  4: (18) r1 = 0xffffb4fe8018a000
+  6: (b4) w2 = 1
+  7: (63) *(u32 *)(r1 +0) = r2
+   R1_w=map_value(id=0,off=0,ks=4,vs=8,imm=0) R2_w=invP1 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0
+  8: (b7) r2 = 0
+  9: (18) r8 = 0xffff90bcb500c000
+  11: (18) r1 = 0xffff90bcb500c000
+  13: (0f) r1 += r2
+  R1 pointer arithmetic on map_ptr prohibited
+
+To fix the issue, let us permit map_ptr + 0 arithmetic which will
+result in exactly the same map_ptr.
+
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/20200908175702.2463625-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 507474f79195f..a67bfa803d983 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -4427,6 +4427,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+                       dst, reg_type_str[ptr_reg->type]);
+               return -EACCES;
+       case CONST_PTR_TO_MAP:
++              /* smin_val represents the known value */
++              if (known && smin_val == 0 && opcode == BPF_ADD)
++                      break;
++              /* fall-through */
+       case PTR_TO_PACKET_END:
+       case PTR_TO_SOCKET:
+       case PTR_TO_SOCKET_OR_NULL:
+-- 
+2.27.0
+
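Review bot: The new `CONST_PTR_TO_MAP` case relaxes a verifier rejection, but its comment `/* smin_val represents the known value */` does not say why the accepted path is safe or what remains rejected. `known` and `smin_val` are assigned outside the hunk, so a reader cannot see here that they describe the scalar operand. I would expand the comment to something like `/* operand is the known constant 0 and the op is ADD, so the result is the same map_ptr; any other offset or opcode falls through and is rejected */`. A negative verifier test for a non-zero constant and for `BPF_SUB` on a map pointer would pin this boundary. adjust_ptr_min_max_vals continues past the hunk, so what runs after the `break` for this register type should be checked against the full function.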
diff --git a/queue-5.4/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch b/queue-5.4/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch
new file mode 100644 (file)
index 0000000..8b9c173
--- /dev/null
@@ -0,0 +1,76 @@
+From 0fc7270935bf39f41043537e5179697c7a22a270 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 00:49:22 -0500
+Subject: brcmfmac: Fix warning message after dongle setup failed
+
+From: Wright Feng <wright.feng@cypress.com>
+
+[ Upstream commit 6aa5a83a7ed8036c1388a811eb8bdfa77b21f19c ]
+
+Brcmfmac showed warning message in fweh.c when checking the size of event
+queue which is not initialized. Therefore, we only cancel the worker and
+reset event handler only when it is initialized.
+
+[  145.505899] brcmfmac 0000:02:00.0: brcmf_pcie_setup: Dongle setup
+[  145.929970] ------------[ cut here ]------------
+[  145.929994] WARNING: CPU: 0 PID: 288 at drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c:312
+brcmf_fweh_detach+0xbc/0xd0 [brcmfmac]
+...
+[  145.930029] Call Trace:
+[  145.930036]  brcmf_detach+0x77/0x100 [brcmfmac]
+[  145.930043]  brcmf_pcie_remove+0x79/0x130 [brcmfmac]
+[  145.930046]  pci_device_remove+0x39/0xc0
+[  145.930048]  device_release_driver_internal+0x141/0x200
+[  145.930049]  device_release_driver+0x12/0x20
+[  145.930054]  brcmf_pcie_setup+0x101/0x3c0 [brcmfmac]
+[  145.930060]  brcmf_fw_request_done+0x11d/0x1f0 [brcmfmac]
+[  145.930062]  ? lock_timer_base+0x7d/0xa0
+[  145.930063]  ? internal_add_timer+0x1f/0xa0
+[  145.930064]  ? add_timer+0x11a/0x1d0
+[  145.930066]  ? __kmalloc_track_caller+0x18c/0x230
+[  145.930068]  ? kstrdup_const+0x23/0x30
+[  145.930069]  ? add_dr+0x46/0x80
+[  145.930070]  ? devres_add+0x3f/0x50
+[  145.930072]  ? usermodehelper_read_unlock+0x15/0x20
+[  145.930073]  ? _request_firmware+0x288/0xa20
+[  145.930075]  request_firmware_work_func+0x36/0x60
+[  145.930077]  process_one_work+0x144/0x360
+[  145.930078]  worker_thread+0x4d/0x3c0
+[  145.930079]  kthread+0x112/0x150
+[  145.930080]  ? rescuer_thread+0x340/0x340
+[  145.930081]  ? kthread_park+0x60/0x60
+[  145.930083]  ret_from_fork+0x25/0x30
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200928054922.44580-3-wright.feng@cypress.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/fweh.c    | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+index 79c8a858b6d6f..a30fcfbf2ee7c 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -304,10 +304,12 @@ void brcmf_fweh_detach(struct brcmf_pub *drvr)
+ {
+       struct brcmf_fweh_info *fweh = &drvr->fweh;
+-      /* cancel the worker */
+-      cancel_work_sync(&fweh->event_work);
+-      WARN_ON(!list_empty(&fweh->event_q));
+-      memset(fweh->evt_handler, 0, sizeof(fweh->evt_handler));
++      /* cancel the worker if initialized */
++      if (fweh->event_work.func) {
++              cancel_work_sync(&fweh->event_work);
++              WARN_ON(!list_empty(&fweh->event_q));
++              memset(fweh->evt_handler, 0, sizeof(fweh->evt_handler));
++      }
+ }
+ /**
+-- 
+2.27.0
+
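Review bot: In brcmf_fweh_detach the test `if (fweh->event_work.func)` uses the work item's callback pointer as an "attach has run" flag, which is only reliable if the containing structure is zeroed before the work item is initialised. Neither that allocation nor the init call is visible in the hunk. A comment on the test would make the dependency explicit, e.g. `/* func is set when the work item is initialised; relies on drvr being zero-allocated */`. If the attach path can fail after initialising the work but before initialising `event_q`, the `WARN_ON(!list_empty(...))` could still read an uninitialised list head, so the order in the attach function is worth confirming.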
diff --git a/queue-5.4/btrfs-fix-replace-of-seed-device.patch b/queue-5.4/btrfs-fix-replace-of-seed-device.patch
new file mode 100644 (file)
index 0000000..e4e603a
--- /dev/null
@@ -0,0 +1,115 @@
+From d4a1f4c21e200361157f7adfdcbc66be2cbf6f63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 01:34:22 +0800
+Subject: btrfs: fix replace of seed device
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit c6a5d954950c5031444173ad2195efc163afcac9 ]
+
+If you replace a seed device in a sprouted fs, it appears to have
+successfully replaced the seed device, but if you look closely, it
+didn't.  Here is an example.
+
+  $ mkfs.btrfs /dev/sda
+  $ btrfstune -S1 /dev/sda
+  $ mount /dev/sda /btrfs
+  $ btrfs device add /dev/sdb /btrfs
+  $ umount /btrfs
+  $ btrfs device scan --forget
+  $ mount -o device=/dev/sda /dev/sdb /btrfs
+  $ btrfs replace start -f /dev/sda /dev/sdc /btrfs
+  $ echo $?
+  0
+
+  BTRFS info (device sdb): dev_replace from /dev/sda (devid 1) to /dev/sdc started
+  BTRFS info (device sdb): dev_replace from /dev/sda (devid 1) to /dev/sdc finished
+
+  $ btrfs fi show
+  Label: none  uuid: ab2c88b7-be81-4a7e-9849-c3666e7f9f4f
+         Total devices 2 FS bytes used 256.00KiB
+         devid    1 size 3.00GiB used 520.00MiB path /dev/sdc
+         devid    2 size 3.00GiB used 896.00MiB path /dev/sdb
+
+  Label: none  uuid: 10bd3202-0415-43af-96a8-d5409f310a7e
+         Total devices 1 FS bytes used 128.00KiB
+         devid    1 size 3.00GiB used 536.00MiB path /dev/sda
+
+So as per the replace start command and kernel log replace was successful.
+Now let's try to clean mount.
+
+  $ umount /btrfs
+  $ btrfs device scan --forget
+
+  $ mount -o device=/dev/sdc /dev/sdb /btrfs
+  mount: /btrfs: wrong fs type, bad option, bad superblock on /dev/sdb, missing codepage or helper program, or other error.
+
+  [  636.157517] BTRFS error (device sdc): failed to read chunk tree: -2
+  [  636.180177] BTRFS error (device sdc): open_ctree failed
+
+That's because per dev items it is still looking for the original seed
+device.
+
+ $ btrfs inspect-internal dump-tree -d /dev/sdb
+
+       item 0 key (DEV_ITEMS DEV_ITEM 1) itemoff 16185 itemsize 98
+               devid 1 total_bytes 3221225472 bytes_used 545259520
+               io_align 4096 io_width 4096 sector_size 4096 type 0
+               generation 6 start_offset 0 dev_group 0
+               seek_speed 0 bandwidth 0
+               uuid 59368f50-9af2-4b17-91da-8a783cc418d4  <--- seed uuid
+               fsid 10bd3202-0415-43af-96a8-d5409f310a7e  <--- seed fsid
+       item 1 key (DEV_ITEMS DEV_ITEM 2) itemoff 16087 itemsize 98
+               devid 2 total_bytes 3221225472 bytes_used 939524096
+               io_align 4096 io_width 4096 sector_size 4096 type 0
+               generation 0 start_offset 0 dev_group 0
+               seek_speed 0 bandwidth 0
+               uuid 56a0a6bc-4630-4998-8daf-3c3030c4256a  <- sprout uuid
+               fsid ab2c88b7-be81-4a7e-9849-c3666e7f9f4f <- sprout fsid
+
+But the replaced target has the following uuid+fsid in its superblock
+which doesn't match with the expected uuid+fsid in its devitem.
+
+  $ btrfs in dump-super /dev/sdc | egrep '^generation|dev_item.uuid|dev_item.fsid|devid'
+  generation   20
+  dev_item.uuid        59368f50-9af2-4b17-91da-8a783cc418d4
+  dev_item.fsid        ab2c88b7-be81-4a7e-9849-c3666e7f9f4f [match]
+  dev_item.devid       1
+
+So if you provide the original seed device the mount shall be
+successful.  Which so long happening in the test case btrfs/163.
+
+  $ btrfs device scan --forget
+  $ mount -o device=/dev/sda /dev/sdb /btrfs
+
+Fix in this patch:
+If a seed is not sprouted then there is no replacement of it, because of
+its read-only filesystem with a read-only device. Similarly, in the case
+of a sprouted filesystem, the seed device is still read only. So, mark
+it as you can't replace a seed device, you can only add a new device and
+then delete the seed device. If replace is attempted then returns
+-EINVAL.
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/dev-replace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c
+index 196bd241e701a..34ddf2d75c1af 100644
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -190,7 +190,7 @@ static int btrfs_init_dev_replace_tgtdev(struct btrfs_fs_info *fs_info,
+       int ret = 0;
+       *device_out = NULL;
+-      if (fs_info->fs_devices->seeding) {
++      if (srcdev->fs_devices->seeding) {
+               btrfs_err(fs_info, "the filesystem is a seed filesystem!");
+               return -EINVAL;
+       }
+-- 
+2.27.0
+
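Review bot: With the condition changed to `srcdev->fs_devices->seeding`, the message `"the filesystem is a seed filesystem!"` no longer describes what is checked. On a sprouted filesystem the mounted filesystem is not a seed; only the source device belongs to one. Something like `btrfs_err(fs_info, "the source device belongs to a seed filesystem!");` would match the new test. The new line also dereferences `srcdev` unconditionally. The callers are outside the hunk, so it should be confirmed that none of them can reach btrfs_init_dev_replace_tgtdev with a NULL or missing source device.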
diff --git a/queue-5.4/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch b/queue-5.4/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch
new file mode 100644 (file)
index 0000000..2c41ec9
--- /dev/null
@@ -0,0 +1,43 @@
+From b1990b60e656d8d9953b9b80c6393f3f6d8df8cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 11:54:38 +0300
+Subject: bus/fsl_mc: Do not rely on caller to provide non NULL mc_io
+
+From: Diana Craciun <diana.craciun@oss.nxp.com>
+
+[ Upstream commit 5026cf605143e764e1785bbf9158559d17f8d260 ]
+
+Before destroying the mc_io, check first that it was
+allocated.
+
+Reviewed-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Acked-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Signed-off-by: Diana Craciun <diana.craciun@oss.nxp.com>
+Link: https://lore.kernel.org/r/20200929085441.17448-11-diana.craciun@oss.nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/fsl-mc/mc-io.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bus/fsl-mc/mc-io.c b/drivers/bus/fsl-mc/mc-io.c
+index d9629fc13a155..0a4a387b615d5 100644
+--- a/drivers/bus/fsl-mc/mc-io.c
++++ b/drivers/bus/fsl-mc/mc-io.c
+@@ -129,7 +129,12 @@ error_destroy_mc_io:
+  */
+ void fsl_destroy_mc_io(struct fsl_mc_io *mc_io)
+ {
+-      struct fsl_mc_device *dpmcp_dev = mc_io->dpmcp_dev;
++      struct fsl_mc_device *dpmcp_dev;
++
++      if (!mc_io)
++              return;
++
++      dpmcp_dev = mc_io->dpmcp_dev;
+       if (dpmcp_dev)
+               fsl_mc_io_unset_dpmcp(mc_io);
+-- 
+2.27.0
+
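Review bot: fsl_destroy_mc_io now tolerates a NULL `mc_io`, but the kernel-doc above it presumably still describes the argument as a valid object; only its closing ` */` is inside the hunk. The new contract belongs in that comment, for example `* @mc_io: mc_io object to destroy; may be NULL, in which case this is a no-op`. The rest of the function body lies outside the hunk.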
diff --git a/queue-5.4/can-flexcan-disable-clocks-during-stop-mode.patch b/queue-5.4/can-flexcan-disable-clocks-during-stop-mode.patch
new file mode 100644 (file)
index 0000000..11f4751
--- /dev/null
@@ -0,0 +1,85 @@
+From d20e1cc6f50b40e4517989eb8a67c0e5d6f0f195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 09:00:13 +0000
+Subject: can: flexcan: disable clocks during stop mode
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit 02f71c6605e1f8259c07f16178330db766189a74 ]
+
+Disable clocks while CAN core is in stop mode.
+
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Tested-by: Sean Nyekjaer <sean@geanix.com>
+Link: https://lore.kernel.org/r/20191210085721.9853-2-qiangqing.zhang@nxp.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index aaa7ed1dc97ee..d59c6c87164f4 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1703,8 +1703,6 @@ static int __maybe_unused flexcan_suspend(struct device *device)
+                       err = flexcan_chip_disable(priv);
+                       if (err)
+                               return err;
+-
+-                      err = pm_runtime_force_suspend(device);
+               }
+               netif_stop_queue(dev);
+               netif_device_detach(dev);
+@@ -1730,10 +1728,6 @@ static int __maybe_unused flexcan_resume(struct device *device)
+                       if (err)
+                               return err;
+               } else {
+-                      err = pm_runtime_force_resume(device);
+-                      if (err)
+-                              return err;
+-
+                       err = flexcan_chip_enable(priv);
+               }
+       }
+@@ -1764,8 +1758,16 @@ static int __maybe_unused flexcan_noirq_suspend(struct device *device)
+       struct net_device *dev = dev_get_drvdata(device);
+       struct flexcan_priv *priv = netdev_priv(dev);
+-      if (netif_running(dev) && device_may_wakeup(device))
+-              flexcan_enable_wakeup_irq(priv, true);
++      if (netif_running(dev)) {
++              int err;
++
++              if (device_may_wakeup(device))
++                      flexcan_enable_wakeup_irq(priv, true);
++
++              err = pm_runtime_force_suspend(device);
++              if (err)
++                      return err;
++      }
+       return 0;
+ }
+@@ -1775,8 +1777,16 @@ static int __maybe_unused flexcan_noirq_resume(struct device *device)
+       struct net_device *dev = dev_get_drvdata(device);
+       struct flexcan_priv *priv = netdev_priv(dev);
+-      if (netif_running(dev) && device_may_wakeup(device))
+-              flexcan_enable_wakeup_irq(priv, false);
++      if (netif_running(dev)) {
++              int err;
++
++              err = pm_runtime_force_resume(device);
++              if (err)
++                      return err;
++
++              if (device_may_wakeup(device))
++                      flexcan_enable_wakeup_irq(priv, false);
++      }
+       return 0;
+ }
+-- 
+2.27.0
+
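Review bot: In flexcan_noirq_suspend the wakeup interrupt is enabled before `pm_runtime_force_suspend(device)` is called, and the `if (err) return err;` path leaves it enabled. The PM core presumably does not run the noirq resume callback for a device whose noirq suspend failed, so nothing would undo that. I would roll it back on the error path by placing `if (device_may_wakeup(device)) flexcan_enable_wakeup_irq(priv, false);` before `return err;`. The mirror case in flexcan_noirq_resume returns early when `pm_runtime_force_resume()` fails and likewise leaves the wakeup interrupt armed. That may be unavoidable without clocks, but it deserves a comment.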
diff --git a/queue-5.4/cifs-handle-eintr-in-cifs_setattr.patch b/queue-5.4/cifs-handle-eintr-in-cifs_setattr.patch
new file mode 100644 (file)
index 0000000..a6df749
--- /dev/null
@@ -0,0 +1,57 @@
+From 0bbec844b0578cb736d5c540a2722c49a0a01210 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Oct 2020 09:32:56 +1000
+Subject: cifs: handle -EINTR in cifs_setattr
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit c6cc4c5a72505a0ecefc9b413f16bec512f38078 ]
+
+RHBZ: 1848178
+
+Some calls that set attributes, like utimensat(), are not supposed to return
+-EINTR and thus do not have handlers for this in glibc which causes us
+to leak -EINTR to the applications which are also unprepared to handle it.
+
+For example tar will break if utimensat() return -EINTR and abort unpacking
+the archive. Other applications may break too.
+
+To handle this we add checks, and retry, for -EINTR in cifs_setattr()
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/inode.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index 17df90b5f57a2..fd9e289f3e72a 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2614,13 +2614,18 @@ cifs_setattr(struct dentry *direntry, struct iattr *attrs)
+ {
+       struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
+       struct cifs_tcon *pTcon = cifs_sb_master_tcon(cifs_sb);
++      int rc, retries = 0;
+-      if (pTcon->unix_ext)
+-              return cifs_setattr_unix(direntry, attrs);
+-
+-      return cifs_setattr_nounix(direntry, attrs);
++      do {
++              if (pTcon->unix_ext)
++                      rc = cifs_setattr_unix(direntry, attrs);
++              else
++                      rc = cifs_setattr_nounix(direntry, attrs);
++              retries++;
++      } while (is_retryable_error(rc) && retries < 2);
+       /* BB: add cifs_setattr_legacy for really old servers */
++      return rc;
+ }
+ #if 0
+-- 
+2.27.0
+
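Review bot: The loop in cifs_setattr retries at most once (`retries < 2`), so a second interrupted attempt still returns -EINTR to callers such as utimensat(), which the description says cannot handle it. With a signal still pending, the retry may well fail the same way, so this narrows the problem without removing it. The bound is an unexplained literal, and `is_retryable_error()` is defined outside the hunk and may cover more codes than the -EINTR named in the subject. Please add a comment stating the intent, e.g. `/* retry once on a retryable error; a second failure is still returned to the caller */`. The pre-existing `/* BB: add cifs_setattr_legacy ... */` comment now sits between the loop and `return rc;` and would read better above the `do`.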
diff --git a/queue-5.4/clk-ti-clockdomain-fix-static-checker-warning.patch b/queue-5.4/clk-ti-clockdomain-fix-static-checker-warning.patch
new file mode 100644 (file)
index 0000000..553c7c1
--- /dev/null
@@ -0,0 +1,40 @@
+From cdbc99cf49ec15bf2feead77296a6febf87119ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 11:25:59 +0300
+Subject: clk: ti: clockdomain: fix static checker warning
+
+From: Tero Kristo <t-kristo@ti.com>
+
+[ Upstream commit b7a7943fe291b983b104bcbd2f16e8e896f56590 ]
+
+Fix a memory leak induced by not calling clk_put after doing of_clk_get.
+
+Reported-by: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Link: https://lore.kernel.org/r/20200907082600.454-3-t-kristo@ti.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/clockdomain.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/ti/clockdomain.c b/drivers/clk/ti/clockdomain.c
+index 423a99b9f10c7..8d0dea188a284 100644
+--- a/drivers/clk/ti/clockdomain.c
++++ b/drivers/clk/ti/clockdomain.c
+@@ -146,10 +146,12 @@ static void __init of_ti_clockdomain_setup(struct device_node *node)
+               if (!omap2_clk_is_hw_omap(clk_hw)) {
+                       pr_warn("can't setup clkdm for basic clk %s\n",
+                               __clk_get_name(clk));
++                      clk_put(clk);
+                       continue;
+               }
+               to_clk_hw_omap(clk_hw)->clkdm_name = clkdm_name;
+               omap2_init_clk_clkdm(clk_hw);
++              clk_put(clk);
+       }
+ }
+-- 
+2.27.0
+
diff --git a/queue-5.4/coresight-make-sysfs-functional-on-topologies-with-p.patch b/queue-5.4/coresight-make-sysfs-functional-on-topologies-with-p.patch
new file mode 100644 (file)
index 0000000..539d9a3
--- /dev/null
@@ -0,0 +1,143 @@
+From 519be7f4c3ad62d13020893ee82d8c4db2a9c7c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 13:17:35 -0600
+Subject: coresight: Make sysfs functional on topologies with per core sink
+
+From: Linu Cherian <lcherian@marvell.com>
+
+[ Upstream commit 6d578258b955fc8888e1bbd9a8fefe7b10065a84 ]
+
+Coresight driver assumes sink is common across all the ETMs,
+and tries to build a path between ETM and the first enabled
+sink found using bus based search. This breaks sysFS usage
+on implementations that has multiple per core sinks in
+enabled state.
+
+To fix this, coresight_get_enabled_sink API is updated to
+do a connection based search starting from the given source,
+instead of bus based search.
+With sink selection using sysfs depecrated for perf interface,
+provision for reset is removed as well in this API.
+
+Signed-off-by: Linu Cherian <lcherian@marvell.com>
+[Fixed indentation problem and removed obsolete comment]
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20200916191737.4001561-15-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-priv.h |  3 +-
+ drivers/hwtracing/coresight/coresight.c      | 62 +++++++++-----------
+ 2 files changed, 29 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-priv.h b/drivers/hwtracing/coresight/coresight-priv.h
+index 82e563cdc8794..dfd24b85a5775 100644
+--- a/drivers/hwtracing/coresight/coresight-priv.h
++++ b/drivers/hwtracing/coresight/coresight-priv.h
+@@ -147,7 +147,8 @@ static inline void coresight_write_reg_pair(void __iomem *addr, u64 val,
+ void coresight_disable_path(struct list_head *path);
+ int coresight_enable_path(struct list_head *path, u32 mode, void *sink_data);
+ struct coresight_device *coresight_get_sink(struct list_head *path);
+-struct coresight_device *coresight_get_enabled_sink(bool reset);
++struct coresight_device *
++coresight_get_enabled_sink(struct coresight_device *source);
+ struct coresight_device *coresight_get_sink_by_id(u32 id);
+ struct list_head *coresight_build_path(struct coresight_device *csdev,
+                                      struct coresight_device *sink);
+diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c
+index 0bbce0d291582..90ecd04a2f20b 100644
+--- a/drivers/hwtracing/coresight/coresight.c
++++ b/drivers/hwtracing/coresight/coresight.c
+@@ -481,50 +481,46 @@ struct coresight_device *coresight_get_sink(struct list_head *path)
+       return csdev;
+ }
+-static int coresight_enabled_sink(struct device *dev, const void *data)
++static struct coresight_device *
++coresight_find_enabled_sink(struct coresight_device *csdev)
+ {
+-      const bool *reset = data;
+-      struct coresight_device *csdev = to_coresight_device(dev);
++      int i;
++      struct coresight_device *sink;
+       if ((csdev->type == CORESIGHT_DEV_TYPE_SINK ||
+            csdev->type == CORESIGHT_DEV_TYPE_LINKSINK) &&
+-           csdev->activated) {
+-              /*
+-               * Now that we have a handle on the sink for this session,
+-               * disable the sysFS "enable_sink" flag so that possible
+-               * concurrent perf session that wish to use another sink don't
+-               * trip on it.  Doing so has no ramification for the current
+-               * session.
+-               */
+-              if (*reset)
+-                      csdev->activated = false;
++           csdev->activated)
++              return csdev;
+-              return 1;
++      /*
++       * Recursively explore each port found on this element.
++       */
++      for (i = 0; i < csdev->pdata->nr_outport; i++) {
++              struct coresight_device *child_dev;
++
++              child_dev = csdev->pdata->conns[i].child_dev;
++              if (child_dev)
++                      sink = coresight_find_enabled_sink(child_dev);
++              if (sink)
++                      return sink;
+       }
+-      return 0;
++      return NULL;
+ }
+ /**
+- * coresight_get_enabled_sink - returns the first enabled sink found on the bus
+- * @deactivate:       Whether the 'enable_sink' flag should be reset
++ * coresight_get_enabled_sink - returns the first enabled sink using
++ * connection based search starting from the source reference
+  *
+- * When operated from perf the deactivate parameter should be set to 'true'.
+- * That way the "enabled_sink" flag of the sink that was selected can be reset,
+- * allowing for other concurrent perf sessions to choose a different sink.
+- *
+- * When operated from sysFS users have full control and as such the deactivate
+- * parameter should be set to 'false', hence mandating users to explicitly
+- * clear the flag.
++ * @source: Coresight source device reference
+  */
+-struct coresight_device *coresight_get_enabled_sink(bool deactivate)
++struct coresight_device *
++coresight_get_enabled_sink(struct coresight_device *source)
+ {
+-      struct device *dev = NULL;
+-
+-      dev = bus_find_device(&coresight_bustype, NULL, &deactivate,
+-                            coresight_enabled_sink);
++      if (!source)
++              return NULL;
+-      return dev ? to_coresight_device(dev) : NULL;
++      return coresight_find_enabled_sink(source);
+ }
+ static int coresight_sink_by_id(struct device *dev, const void *data)
+@@ -764,11 +760,7 @@ int coresight_enable(struct coresight_device *csdev)
+               goto out;
+       }
+-      /*
+-       * Search for a valid sink for this session but don't reset the
+-       * "enable_sink" flag in sysFS.  Users get to do that explicitly.
+-       */
+-      sink = coresight_get_enabled_sink(false);
++      sink = coresight_get_enabled_sink(csdev);
+       if (!sink) {
+               ret = -EINVAL;
+               goto out;
+-- 
+2.27.0
+
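Review bot: In the new coresight_find_enabled_sink, `struct coresight_device *sink;` is declared without an initialiser but is read by `if (sink)` in every loop iteration. It is assigned only when `child_dev` is non-NULL, so a first output port with no connected child tests an indeterminate pointer and may return it to coresight_enable as the sink. Declaring it as `struct coresight_device *sink = NULL;` fixes this. The recursion also has no depth bound or visited marker, so it relies on the connection graph being acyclic. That is presumably guaranteed by the topology, but a one-line comment saying so would help.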
diff --git a/queue-5.4/cpufreq-sti-cpufreq-add-stih418-support.patch b/queue-5.4/cpufreq-sti-cpufreq-add-stih418-support.patch
new file mode 100644 (file)
index 0000000..ba6fe86
--- /dev/null
@@ -0,0 +1,46 @@
+From 3920412dd30173447e5c0f12ac96bcdf92f9553d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Aug 2020 08:10:11 +0200
+Subject: cpufreq: sti-cpufreq: add stih418 support
+
+From: Alain Volmat <avolmat@me.com>
+
+[ Upstream commit 01a163c52039e9426c7d3d3ab16ca261ad622597 ]
+
+The STiH418 can be controlled the same way as STiH407 &
+STiH410 regarding cpufreq.
+
+Signed-off-by: Alain Volmat <avolmat@me.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/sti-cpufreq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/sti-cpufreq.c b/drivers/cpufreq/sti-cpufreq.c
+index 8f16bbb164b84..2855b7878a204 100644
+--- a/drivers/cpufreq/sti-cpufreq.c
++++ b/drivers/cpufreq/sti-cpufreq.c
+@@ -141,7 +141,8 @@ static const struct reg_field sti_stih407_dvfs_regfields[DVFS_MAX_REGFIELDS] = {
+ static const struct reg_field *sti_cpufreq_match(void)
+ {
+       if (of_machine_is_compatible("st,stih407") ||
+-          of_machine_is_compatible("st,stih410"))
++          of_machine_is_compatible("st,stih410") ||
++          of_machine_is_compatible("st,stih418"))
+               return sti_stih407_dvfs_regfields;
+       return NULL;
+@@ -258,7 +259,8 @@ static int sti_cpufreq_init(void)
+       int ret;
+       if ((!of_machine_is_compatible("st,stih407")) &&
+-              (!of_machine_is_compatible("st,stih410")))
++              (!of_machine_is_compatible("st,stih410")) &&
++              (!of_machine_is_compatible("st,stih418")))
+               return -ENODEV;
+       ddata.cpu = get_cpu_device(0);
+-- 
+2.27.0
+
diff --git a/queue-5.4/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch b/queue-5.4/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch
new file mode 100644 (file)
index 0000000..af78711
--- /dev/null
@@ -0,0 +1,188 @@
+From 066a276743195aed6a44ce5c9b3e310ae39b5023 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 05:56:43 -0700
+Subject: drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol
+ values
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit 8306266c1d51aac9aa7aa907fe99032a58c6382c ]
+
+The fr_hard_header function is used to prepend the header to skbs before
+transmission. It is used in 3 situations:
+1) When a control packet is generated internally in this driver;
+2) When a user sends an skb on an Ethernet-emulating PVC device;
+3) When a user sends an skb on a normal PVC device.
+
+These 3 situations need to be handled differently by fr_hard_header.
+Different headers should be prepended to the skb in different situations.
+
+Currently fr_hard_header distinguishes these 3 situations using
+skb->protocol. For situation 1 and 2, a special skb->protocol value
+will be assigned before calling fr_hard_header, so that it can recognize
+these 2 situations. All skb->protocol values other than these special ones
+are treated by fr_hard_header as situation 3.
+
+However, it is possible that in situation 3, the user sends an skb with
+one of the special skb->protocol values. In this case, fr_hard_header
+would incorrectly treat it as situation 1 or 2.
+
+This patch tries to solve this issue by using skb->dev instead of
+skb->protocol to distinguish between these 3 situations. For situation
+1, skb->dev would be NULL; for situation 2, skb->dev->type would be
+ARPHRD_ETHER; and for situation 3, skb->dev->type would be ARPHRD_DLCI.
+
+This way fr_hard_header would be able to distinguish these 3 situations
+correctly regardless what skb->protocol value the user tries to use in
+situation 3.
+
+Cc: Krzysztof Halasa <khc@pm.waw.pl>
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/hdlc_fr.c | 98 ++++++++++++++++++++-------------------
+ 1 file changed, 51 insertions(+), 47 deletions(-)
+
+diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c
+index d6cfd51613ed8..3a44dad87602d 100644
+--- a/drivers/net/wan/hdlc_fr.c
++++ b/drivers/net/wan/hdlc_fr.c
+@@ -273,63 +273,69 @@ static inline struct net_device **get_dev_p(struct pvc_device *pvc,
+ static int fr_hard_header(struct sk_buff **skb_p, u16 dlci)
+ {
+-      u16 head_len;
+       struct sk_buff *skb = *skb_p;
+-      switch (skb->protocol) {
+-      case cpu_to_be16(NLPID_CCITT_ANSI_LMI):
+-              head_len = 4;
+-              skb_push(skb, head_len);
+-              skb->data[3] = NLPID_CCITT_ANSI_LMI;
+-              break;
+-
+-      case cpu_to_be16(NLPID_CISCO_LMI):
+-              head_len = 4;
+-              skb_push(skb, head_len);
+-              skb->data[3] = NLPID_CISCO_LMI;
+-              break;
+-
+-      case cpu_to_be16(ETH_P_IP):
+-              head_len = 4;
+-              skb_push(skb, head_len);
+-              skb->data[3] = NLPID_IP;
+-              break;
+-
+-      case cpu_to_be16(ETH_P_IPV6):
+-              head_len = 4;
+-              skb_push(skb, head_len);
+-              skb->data[3] = NLPID_IPV6;
+-              break;
+-
+-      case cpu_to_be16(ETH_P_802_3):
+-              head_len = 10;
+-              if (skb_headroom(skb) < head_len) {
+-                      struct sk_buff *skb2 = skb_realloc_headroom(skb,
+-                                                                  head_len);
++      if (!skb->dev) { /* Control packets */
++              switch (dlci) {
++              case LMI_CCITT_ANSI_DLCI:
++                      skb_push(skb, 4);
++                      skb->data[3] = NLPID_CCITT_ANSI_LMI;
++                      break;
++
++              case LMI_CISCO_DLCI:
++                      skb_push(skb, 4);
++                      skb->data[3] = NLPID_CISCO_LMI;
++                      break;
++
++              default:
++                      return -EINVAL;
++              }
++
++      } else if (skb->dev->type == ARPHRD_DLCI) {
++              switch (skb->protocol) {
++              case htons(ETH_P_IP):
++                      skb_push(skb, 4);
++                      skb->data[3] = NLPID_IP;
++                      break;
++
++              case htons(ETH_P_IPV6):
++                      skb_push(skb, 4);
++                      skb->data[3] = NLPID_IPV6;
++                      break;
++
++              default:
++                      skb_push(skb, 10);
++                      skb->data[3] = FR_PAD;
++                      skb->data[4] = NLPID_SNAP;
++                      /* OUI 00-00-00 indicates an Ethertype follows */
++                      skb->data[5] = 0x00;
++                      skb->data[6] = 0x00;
++                      skb->data[7] = 0x00;
++                      /* This should be an Ethertype: */
++                      *(__be16 *)(skb->data + 8) = skb->protocol;
++              }
++
++      } else if (skb->dev->type == ARPHRD_ETHER) {
++              if (skb_headroom(skb) < 10) {
++                      struct sk_buff *skb2 = skb_realloc_headroom(skb, 10);
+                       if (!skb2)
+                               return -ENOBUFS;
+                       dev_kfree_skb(skb);
+                       skb = *skb_p = skb2;
+               }
+-              skb_push(skb, head_len);
++              skb_push(skb, 10);
+               skb->data[3] = FR_PAD;
+               skb->data[4] = NLPID_SNAP;
+-              skb->data[5] = FR_PAD;
++              /* OUI 00-80-C2 stands for the 802.1 organization */
++              skb->data[5] = 0x00;
+               skb->data[6] = 0x80;
+               skb->data[7] = 0xC2;
++              /* PID 00-07 stands for Ethernet frames without FCS */
+               skb->data[8] = 0x00;
+-              skb->data[9] = 0x07; /* bridged Ethernet frame w/out FCS */
+-              break;
++              skb->data[9] = 0x07;
+-      default:
+-              head_len = 10;
+-              skb_push(skb, head_len);
+-              skb->data[3] = FR_PAD;
+-              skb->data[4] = NLPID_SNAP;
+-              skb->data[5] = FR_PAD;
+-              skb->data[6] = FR_PAD;
+-              skb->data[7] = FR_PAD;
+-              *(__be16*)(skb->data + 8) = skb->protocol;
++      } else {
++              return -EINVAL;
+       }
+       dlci_to_q922(skb->data, dlci);
+@@ -425,8 +431,8 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev)
+                               skb_put(skb, pad);
+                               memset(skb->data + len, 0, pad);
+                       }
+-                      skb->protocol = cpu_to_be16(ETH_P_802_3);
+               }
++              skb->dev = dev;
+               if (!fr_hard_header(&skb, pvc->dlci)) {
+                       dev->stats.tx_bytes += skb->len;
+                       dev->stats.tx_packets++;
+@@ -494,10 +500,8 @@ static void fr_lmi_send(struct net_device *dev, int fullrep)
+       memset(skb->data, 0, len);
+       skb_reserve(skb, 4);
+       if (lmi == LMI_CISCO) {
+-              skb->protocol = cpu_to_be16(NLPID_CISCO_LMI);
+               fr_hard_header(&skb, LMI_CISCO_DLCI);
+       } else {
+-              skb->protocol = cpu_to_be16(NLPID_CCITT_ANSI_LMI);
+               fr_hard_header(&skb, LMI_CCITT_ANSI_DLCI);
+       }
+       data = skb_tail_pointer(skb);
+-- 
+2.27.0
+
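Review bot: In the new `ARPHRD_DLCI` branch of fr_hard_header(), `skb_push(skb, 4)` and `skb_push(skb, 10)` run with no headroom check, while the `ARPHRD_ETHER` branch reallocates when `skb_headroom(skb) < 10`. This is the branch that handles user-sent skbs, so a buffer with too little headroom would presumably trip the skb underrun check instead of failing cleanly; a guard such as `if (skb_headroom(skb) < 10) return -ENOBUFS;` at the top of that branch, or reserving the headroom on the PVC device, would bound it. Separately, fr_lmi_send() still ignores the return value although the control-packet path can now return `-EINVAL`, and it depends on `skb->dev` being NULL for the skb it just built; checking the result and freeing the skb on failure would make that dependency explicit. Both functions continue outside the hunk.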
diff --git a/queue-5.4/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch b/queue-5.4/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch
new file mode 100644 (file)
index 0000000..9cf90c8
--- /dev/null
@@ -0,0 +1,62 @@
+From d08352bae5afd3a130e3a6bc594edab3cc10eafe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Aug 2020 16:59:02 +0530
+Subject: drivers: watchdog: rdc321x_wdt: Fix race condition bugs
+
+From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+
+[ Upstream commit 4b2e7f99cdd314263c9d172bc17193b8b6bba463 ]
+
+In rdc321x_wdt_probe(), rdc321x_wdt_device.queue is initialized
+after misc_register(), hence if ioctl is called before its
+initialization which can call rdc321x_wdt_start() function,
+it will see an uninitialized value of rdc321x_wdt_device.queue,
+hence initialize it before misc_register().
+Also, rdc321x_wdt_device.default_ticks is accessed in reset()
+function called from write callback, thus initialize it before
+misc_register().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20200807112902.28764-1-madhuparnabhowmik10@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/rdc321x_wdt.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/watchdog/rdc321x_wdt.c b/drivers/watchdog/rdc321x_wdt.c
+index 2e608ae6cbc78..e0efbc5831986 100644
+--- a/drivers/watchdog/rdc321x_wdt.c
++++ b/drivers/watchdog/rdc321x_wdt.c
+@@ -230,6 +230,8 @@ static int rdc321x_wdt_probe(struct platform_device *pdev)
+       rdc321x_wdt_device.sb_pdev = pdata->sb_pdev;
+       rdc321x_wdt_device.base_reg = r->start;
++      rdc321x_wdt_device.queue = 0;
++      rdc321x_wdt_device.default_ticks = ticks;
+       err = misc_register(&rdc321x_wdt_misc);
+       if (err < 0) {
+@@ -244,14 +246,11 @@ static int rdc321x_wdt_probe(struct platform_device *pdev)
+                               rdc321x_wdt_device.base_reg, RDC_WDT_RST);
+       init_completion(&rdc321x_wdt_device.stop);
+-      rdc321x_wdt_device.queue = 0;
+       clear_bit(0, &rdc321x_wdt_device.inuse);
+       timer_setup(&rdc321x_wdt_device.timer, rdc321x_wdt_trigger, 0);
+-      rdc321x_wdt_device.default_ticks = ticks;
+-
+       dev_info(&pdev->dev, "watchdog init success\n");
+       return 0;
+-- 
+2.27.0
+
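Review bot: `init_completion(&rdc321x_wdt_device.stop)`, `clear_bit(0, &rdc321x_wdt_device.inuse)` and `timer_setup(&rdc321x_wdt_device.timer, ...)` still run after `misc_register()` in rdc321x_wdt_probe(), so the window described in the commit message stays open for those three fields. Once the misc device is registered, user space can open it and reach the ioctl and write handlers; if the start or stop paths touch the timer or the completion (not visible here), they would see them uninitialised. Moving those calls up next to the new `queue` and `default_ticks` assignments, so that `misc_register()` is the last step that can expose the device, removes the ordering dependency. The probe body starts and ends outside the hunk.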
diff --git a/queue-5.4/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch b/queue-5.4/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch
new file mode 100644 (file)
index 0000000..9975b87
--- /dev/null
@@ -0,0 +1,49 @@
+From 2bfa803a643acd01ede7e850839ffbbf1d4ea633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 17:52:43 -0400
+Subject: drm/amd/display: HDMI remote sink need mode validation for Linux
+
+From: Fangzhi Zuo <Jerry.Zuo@amd.com>
+
+[ Upstream commit 95d620adb48f7728e67d82f56f756e8d451cf8d2 ]
+
+[Why]
+Currently mode validation is bypassed if remote sink exists. That
+leads to mode set issue when a BW bottle neck exists in the link path,
+e.g., a DP-to-HDMI converter that only supports HDMI 1.4.
+
+Any invalid mode passed to Linux user space will cause the modeset
+failure due to limitation of Linux user space implementation.
+
+[How]
+Mode validation is skipped only if in edid override. For real remote
+sink, clock limit check should be done for HDMI remote sink.
+
+Have HDMI related remote sink going through mode validation to
+elimiate modes which pixel clock exceeds BW limitation.
+
+Signed-off-by: Fangzhi Zuo <Jerry.Zuo@amd.com>
+Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
+Acked-by: Eryk Brol <eryk.brol@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+index 3efee7b3378a3..47cefc05fd3f5 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+@@ -2268,7 +2268,7 @@ enum dc_status dc_link_validate_mode_timing(
+       /* A hack to avoid failing any modes for EDID override feature on
+        * topology change such as lower quality cable for DP or different dongle
+        */
+-      if (link->remote_sinks[0])
++      if (link->remote_sinks[0] && link->remote_sinks[0]->sink_signal == SIGNAL_TYPE_VIRTUAL)
+               return DC_OK;
+       /* Passive Dongle */
+-- 
+2.27.0
+
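Review bot: The comment above the changed condition in dc_link_validate_mode_timing() still describes a blanket bypass for the EDID override feature, and nothing explains why `SIGNAL_TYPE_VIRTUAL` is the discriminator. I would extend it along the lines of `/* Only a virtual (EDID override) remote sink skips validation; real remote sinks, e.g. HDMI behind a DP converter, go through the clock checks below. */`, which is what the commit message states. The new condition is also well past the usual kernel line length and could be wrapped after the `&&`. The function continues outside the hunk.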
diff --git a/queue-5.4/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch b/queue-5.4/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch
new file mode 100644 (file)
index 0000000..7ccd2bb
--- /dev/null
@@ -0,0 +1,67 @@
+From 2c2708b23371e866b77a21b93a058e2b7a88d815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jul 2020 21:42:34 +0200
+Subject: drm/bridge/synopsys: dsi: add support for non-continuous HS clock
+
+From: Antonio Borneo <antonio.borneo@st.com>
+
+[ Upstream commit c6d94e37bdbb6dfe7e581e937a915ab58399b8a5 ]
+
+Current code enables the HS clock when video mode is started or to
+send out a HS command, and disables the HS clock to send out a LP
+command. This is not what DSI spec specify.
+
+Enable HS clock either in command and in video mode.
+Set automatic HS clock management for panels and devices that
+support non-continuous HS clock.
+
+Signed-off-by: Antonio Borneo <antonio.borneo@st.com>
+Tested-by: Philippe Cornu <philippe.cornu@st.com>
+Reviewed-by: Philippe Cornu <philippe.cornu@st.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200701194234.18123-1-yannick.fertre@st.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c
+index 675442bfc1bd7..77384c49fb8dd 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c
+@@ -365,7 +365,6 @@ static void dw_mipi_message_config(struct dw_mipi_dsi *dsi,
+       if (lpm)
+               val |= CMD_MODE_ALL_LP;
+-      dsi_write(dsi, DSI_LPCLK_CTRL, lpm ? 0 : PHY_TXREQUESTCLKHS);
+       dsi_write(dsi, DSI_CMD_MODE_CFG, val);
+ }
+@@ -541,16 +540,22 @@ static void dw_mipi_dsi_video_mode_config(struct dw_mipi_dsi *dsi)
+ static void dw_mipi_dsi_set_mode(struct dw_mipi_dsi *dsi,
+                                unsigned long mode_flags)
+ {
++      u32 val;
++
+       dsi_write(dsi, DSI_PWR_UP, RESET);
+       if (mode_flags & MIPI_DSI_MODE_VIDEO) {
+               dsi_write(dsi, DSI_MODE_CFG, ENABLE_VIDEO_MODE);
+               dw_mipi_dsi_video_mode_config(dsi);
+-              dsi_write(dsi, DSI_LPCLK_CTRL, PHY_TXREQUESTCLKHS);
+       } else {
+               dsi_write(dsi, DSI_MODE_CFG, ENABLE_CMD_MODE);
+       }
++      val = PHY_TXREQUESTCLKHS;
++      if (dsi->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS)
++              val |= AUTO_CLKLANE_CTRL;
++      dsi_write(dsi, DSI_LPCLK_CTRL, val);
++
+       dsi_write(dsi, DSI_PWR_UP, POWERUP);
+ }
+-- 
+2.27.0
+
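Review bot: dw_mipi_dsi_set_mode() tests its `mode_flags` parameter for `MIPI_DSI_MODE_VIDEO`, but the added code reads `dsi->mode_flags` for `MIPI_DSI_CLOCK_NON_CONTINUOUS`, so the two decisions in one function come from different sources. If a caller passes flags that differ from the stored ones, the clock-lane setting follows the stored value and not the request. If that is intended, a comment such as `/* clock-lane policy follows the device's flags, not the requested mode */` would say so; otherwise the test should read `if (mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS)`.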
diff --git a/queue-5.4/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch b/queue-5.4/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch
new file mode 100644 (file)
index 0000000..c890d6d
--- /dev/null
@@ -0,0 +1,60 @@
+From cf6c0ac0d3c97d1084b05a64d59a66ee5d561152 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 17:37:56 +0300
+Subject: drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working
+ correctly
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+[ Upstream commit f688a345f0d7a6df4dd2aeca8e4f3c05e123a0ee ]
+
+If ge_b850v3_lvds_init() does not allocate memory for ge_b850v3_lvds_ptr,
+then a null pointer dereference is accessed.
+
+The patch adds checking of the return value of ge_b850v3_lvds_init().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200819143756.30626-1-lutovinova@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+index 6e81e5db57f25..b050fd1f3d201 100644
+--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+@@ -295,8 +295,12 @@ static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c,
+                                      const struct i2c_device_id *id)
+ {
+       struct device *dev = &stdp4028_i2c->dev;
++      int ret;
++
++      ret = ge_b850v3_lvds_init(dev);
+-      ge_b850v3_lvds_init(dev);
++      if (ret)
++              return ret;
+       ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c;
+       i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr);
+@@ -354,8 +358,12 @@ static int stdp2690_ge_b850v3_fw_probe(struct i2c_client *stdp2690_i2c,
+                                      const struct i2c_device_id *id)
+ {
+       struct device *dev = &stdp2690_i2c->dev;
++      int ret;
++
++      ret = ge_b850v3_lvds_init(dev);
+-      ge_b850v3_lvds_init(dev);
++      if (ret)
++              return ret;
+       ge_b850v3_lvds_ptr->stdp2690_i2c = stdp2690_i2c;
+       i2c_set_clientdata(stdp2690_i2c, ge_b850v3_lvds_ptr);
+-- 
+2.27.0
+
diff --git a/queue-5.4/ext4-detect-already-used-quota-file-early.patch b/queue-5.4/ext4-detect-already-used-quota-file-early.patch
new file mode 100644 (file)
index 0000000..12f6715
--- /dev/null
@@ -0,0 +1,48 @@
+From 7d372e5a0ed2f395cda1632169c39287411e16ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 13:03:30 +0200
+Subject: ext4: Detect already used quota file early
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit e0770e91424f694b461141cbc99adf6b23006b60 ]
+
+When we try to use file already used as a quota file again (for the same
+or different quota type), strange things can happen. At the very least
+lockdep annotations may be wrong but also inode flags may be wrongly set
+/ reset. When the file is used for two quota types at once we can even
+corrupt the file and likely crash the kernel. Catch all these cases by
+checking whether passed file is already used as quota file and bail
+early in that case.
+
+This fixes occasional generic/219 failure due to lockdep complaint.
+
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Reported-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20201015110330.28716-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/super.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 4aae7e3e89a12..2603537b1f66b 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5856,6 +5856,11 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id,
+       /* Quotafile not on the same filesystem? */
+       if (path->dentry->d_sb != sb)
+               return -EXDEV;
++
++      /* Quota already enabled for this file? */
++      if (IS_NOQUOTA(d_inode(path->dentry)))
++              return -EBUSY;
++
+       /* Journaling quota? */
+       if (EXT4_SB(sb)->s_qf_names[type]) {
+               /* Quotafile not in fs root? */
+-- 
+2.27.0
+
diff --git a/queue-5.4/f2fs-add-trace-exit-in-exception-path.patch b/queue-5.4/f2fs-add-trace-exit-in-exception-path.patch
new file mode 100644 (file)
index 0000000..fac4975
--- /dev/null
@@ -0,0 +1,40 @@
+From add577486509d21d17061a4ee572df2b00a4e942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 20:45:44 +0800
+Subject: f2fs: add trace exit in exception path
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 9b66482282888d02832b7d90239e1cdb18e4b431 ]
+
+Missing the trace exit in f2fs_sync_dirty_inodes
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/checkpoint.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
+index bbd07fe8a4921..3d7f9e20a54bd 100644
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -1044,8 +1044,12 @@ int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type)
+                               get_pages(sbi, is_dir ?
+                               F2FS_DIRTY_DENTS : F2FS_DIRTY_DATA));
+ retry:
+-      if (unlikely(f2fs_cp_error(sbi)))
++      if (unlikely(f2fs_cp_error(sbi))) {
++              trace_f2fs_sync_dirty_inodes_exit(sbi->sb, is_dir,
++                              get_pages(sbi, is_dir ?
++                              F2FS_DIRTY_DENTS : F2FS_DIRTY_DATA));
+               return -EIO;
++      }
+       spin_lock(&sbi->inode_lock[type]);
+-- 
+2.27.0
+
diff --git a/queue-5.4/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch b/queue-5.4/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch
new file mode 100644 (file)
index 0000000..3a00c00
--- /dev/null
@@ -0,0 +1,60 @@
+From 476cf30706fb47e0bc9a655a8d8234b4c97b5ff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 09:23:12 +0800
+Subject: f2fs: fix to check segment boundary during SIT page readahead
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 6a257471fa42c8c9c04a875cd3a2a22db148e0f0 ]
+
+As syzbot reported:
+
+kernel BUG at fs/f2fs/segment.h:657!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 16220 Comm: syz-executor.0 Not tainted 5.9.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:f2fs_ra_meta_pages+0xa51/0xdc0 fs/f2fs/segment.h:657
+Call Trace:
+ build_sit_entries fs/f2fs/segment.c:4195 [inline]
+ f2fs_build_segment_manager+0x4b8a/0xa3c0 fs/f2fs/segment.c:4779
+ f2fs_fill_super+0x377d/0x6b80 fs/f2fs/super.c:3633
+ mount_bdev+0x32e/0x3f0 fs/super.c:1417
+ legacy_get_tree+0x105/0x220 fs/fs_context.c:592
+ vfs_get_tree+0x89/0x2f0 fs/super.c:1547
+ do_new_mount fs/namespace.c:2875 [inline]
+ path_mount+0x1387/0x2070 fs/namespace.c:3192
+ do_mount fs/namespace.c:3205 [inline]
+ __do_sys_mount fs/namespace.c:3413 [inline]
+ __se_sys_mount fs/namespace.c:3390 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+@blkno in f2fs_ra_meta_pages could exceed max segment count, causing panic
+in following sanity check in current_sit_addr(), add check condition to
+avoid this issue.
+
+Reported-by: syzbot+3698081bcf0bb2d12174@syzkaller.appspotmail.com
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/checkpoint.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
+index 3d7f9e20a54bd..6d9be7783d25c 100644
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -243,6 +243,8 @@ int f2fs_ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages,
+                                       blkno * NAT_ENTRY_PER_BLOCK);
+                       break;
+               case META_SIT:
++                      if (unlikely(blkno >= TOTAL_SEGS(sbi)))
++                              goto out;
+                       /* get sit block addr */
+                       fio.new_blkaddr = current_sit_addr(sbi,
+                                       blkno * SIT_ENTRY_PER_BLOCK);
+-- 
+2.27.0
+
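Review bot: The new guard in the `META_SIT` case compares `blkno` with `TOTAL_SEGS(sbi)`, but the value handed to current_sit_addr() two lines later is `blkno * SIT_ENTRY_PER_BLOCK`. If the sanity check that fired in the syzbot report operates on that segment number, as the commit message suggests, a `blkno` below `TOTAL_SEGS(sbi)` can still yield an out-of-range argument on a crafted image. Comparing in the same unit, e.g. `if (unlikely(blkno * SIT_ENTRY_PER_BLOCK >= TOTAL_SEGS(sbi)))` with a type wide enough that the product cannot wrap, would bound what is actually passed. f2fs_ra_meta_pages() starts and ends outside the hunk.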
diff --git a/queue-5.4/f2fs-fix-uninit-value-in-f2fs_lookup.patch b/queue-5.4/f2fs-fix-uninit-value-in-f2fs_lookup.patch
new file mode 100644 (file)
index 0000000..a4debf3
--- /dev/null
@@ -0,0 +1,81 @@
+From ead1e355b152d83b96e6d6c4256b976550ca232a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 09:22:50 +0800
+Subject: f2fs: fix uninit-value in f2fs_lookup
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 6d7ab88a98c1b7a47c228f8ffb4f44d631eaf284 ]
+
+As syzbot reported:
+
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219
+ f2fs_lookup+0xe05/0x1a80 fs/f2fs/namei.c:503
+ lookup_open fs/namei.c:3082 [inline]
+ open_last_lookups fs/namei.c:3177 [inline]
+ path_openat+0x2729/0x6a90 fs/namei.c:3365
+ do_filp_open+0x2b8/0x710 fs/namei.c:3395
+ do_sys_openat2+0xa88/0x1140 fs/open.c:1168
+ do_sys_open fs/open.c:1184 [inline]
+ __do_compat_sys_openat fs/open.c:1242 [inline]
+ __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
+ __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
+ do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
+ __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
+ do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
+ do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+In f2fs_lookup(), @res_page could be used before being initialized,
+because in __f2fs_find_entry(), once F2FS_I(dir)->i_current_depth was
+been fuzzed to zero, then @res_page will never be initialized, causing
+this kmsan warning, relocating @res_page initialization place to fix
+this bug.
+
+Reported-by: syzbot+0eac6f0bbd558fd866d7@syzkaller.appspotmail.com
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/dir.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index e9af46dc06f72..78d041f9775a4 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -303,16 +303,15 @@ struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir,
+       unsigned int max_depth;
+       unsigned int level;
++      *res_page = NULL;
++
+       if (f2fs_has_inline_dentry(dir)) {
+-              *res_page = NULL;
+               de = f2fs_find_in_inline_dir(dir, fname, res_page);
+               goto out;
+       }
+-      if (npages == 0) {
+-              *res_page = NULL;
++      if (npages == 0)
+               goto out;
+-      }
+       max_depth = F2FS_I(dir)->i_current_depth;
+       if (unlikely(max_depth > MAX_DIR_HASH_DEPTH)) {
+@@ -323,7 +322,6 @@ struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir,
+       }
+       for (level = 0; level < max_depth; level++) {
+-              *res_page = NULL;
+               de = find_in_level(dir, level, fname, res_page);
+               if (de || IS_ERR(*res_page))
+                       break;
+-- 
+2.27.0
+
diff --git a/queue-5.4/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch b/queue-5.4/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch
new file mode 100644 (file)
index 0000000..07eae52
--- /dev/null
@@ -0,0 +1,131 @@
+From ab12118444c15d7fb46b9cc1193d6b07a5a34acd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 14:17:35 -0700
+Subject: f2fs: handle errors of f2fs_get_meta_page_nofail
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+[ Upstream commit 86f33603f8c51537265ff7ac0320638fd2cbdb1b ]
+
+First problem is we hit BUG_ON() in f2fs_get_sum_page given EIO on
+f2fs_get_meta_page_nofail().
+
+Quick fix was not to give any error with infinite loop, but syzbot caught
+a case where it goes to that loop from fuzzed image. In turned out we abused
+f2fs_get_meta_page_nofail() like in the below call stack.
+
+- f2fs_fill_super
+ - f2fs_build_segment_manager
+  - build_sit_entries
+   - get_current_sit_page
+
+INFO: task syz-executor178:6870 can't die for more than 143 seconds.
+task:syz-executor178 state:R
+ stack:26960 pid: 6870 ppid:  6869 flags:0x00004006
+Call Trace:
+
+Showing all locks held in the system:
+1 lock held by khungtaskd/1179:
+ #0: ffffffff8a554da0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6242
+1 lock held by systemd-journal/3920:
+1 lock held by in:imklog/6769:
+ #0: ffff88809eebc130 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:930
+1 lock held by syz-executor178/6870:
+ #0: ffff8880925120e0 (&type->s_umount_key#47/1){+.+.}-{3:3}, at: alloc_super+0x201/0xaf0 fs/super.c:229
+
+Actually, we didn't have to use _nofail in this case, since we could return
+error to mount(2) already with the error handler.
+
+As a result, this patch tries to 1) remove _nofail callers as much as possible,
+2) deal with error case in last remaining caller, f2fs_get_sum_page().
+
+Reported-by: syzbot+ee250ac8137be41d7b13@syzkaller.appspotmail.com
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/checkpoint.c |  2 +-
+ fs/f2fs/f2fs.h       |  2 +-
+ fs/f2fs/node.c       |  2 +-
+ fs/f2fs/segment.c    | 12 +++++++++---
+ 4 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
+index 6d9be7783d25c..c966ccc44c157 100644
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -108,7 +108,7 @@ struct page *f2fs_get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index)
+       return __get_meta_page(sbi, index, true);
+ }
+-struct page *f2fs_get_meta_page_nofail(struct f2fs_sb_info *sbi, pgoff_t index)
++struct page *f2fs_get_meta_page_retry(struct f2fs_sb_info *sbi, pgoff_t index)
+ {
+       struct page *page;
+       int count = 0;
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index b3b7e63394be7..63440abe58c42 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3149,7 +3149,7 @@ enum rw_hint f2fs_io_type_to_rw_hint(struct f2fs_sb_info *sbi,
+ void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io);
+ struct page *f2fs_grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index);
+ struct page *f2fs_get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index);
+-struct page *f2fs_get_meta_page_nofail(struct f2fs_sb_info *sbi, pgoff_t index);
++struct page *f2fs_get_meta_page_retry(struct f2fs_sb_info *sbi, pgoff_t index);
+ struct page *f2fs_get_tmp_page(struct f2fs_sb_info *sbi, pgoff_t index);
+ bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi,
+                                       block_t blkaddr, int type);
+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
+index ed12e96681842..2a4a382f28fed 100644
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -109,7 +109,7 @@ static void clear_node_page_dirty(struct page *page)
+ static struct page *get_current_nat_page(struct f2fs_sb_info *sbi, nid_t nid)
+ {
+-      return f2fs_get_meta_page_nofail(sbi, current_nat_addr(sbi, nid));
++      return f2fs_get_meta_page(sbi, current_nat_addr(sbi, nid));
+ }
+ static struct page *get_next_nat_page(struct f2fs_sb_info *sbi, nid_t nid)
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 7d85784012678..5ba677f85533c 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2310,7 +2310,9 @@ int f2fs_npages_for_summary_flush(struct f2fs_sb_info *sbi, bool for_ra)
+  */
+ struct page *f2fs_get_sum_page(struct f2fs_sb_info *sbi, unsigned int segno)
+ {
+-      return f2fs_get_meta_page_nofail(sbi, GET_SUM_BLOCK(sbi, segno));
++      if (unlikely(f2fs_cp_error(sbi)))
++              return ERR_PTR(-EIO);
++      return f2fs_get_meta_page_retry(sbi, GET_SUM_BLOCK(sbi, segno));
+ }
+ void f2fs_update_meta_page(struct f2fs_sb_info *sbi,
+@@ -2582,7 +2584,11 @@ static void change_curseg(struct f2fs_sb_info *sbi, int type)
+       __next_free_blkoff(sbi, curseg, 0);
+       sum_page = f2fs_get_sum_page(sbi, new_segno);
+-      f2fs_bug_on(sbi, IS_ERR(sum_page));
++      if (IS_ERR(sum_page)) {
++              /* GC won't be able to use stale summary pages by cp_error */
++              memset(curseg->sum_blk, 0, SUM_ENTRY_SIZE);
++              return;
++      }
+       sum_node = (struct f2fs_summary_block *)page_address(sum_page);
+       memcpy(curseg->sum_blk, sum_node, SUM_ENTRY_SIZE);
+       f2fs_put_page(sum_page, 1);
+@@ -3713,7 +3719,7 @@ int f2fs_lookup_journal_in_cursum(struct f2fs_journal *journal, int type,
+ static struct page *get_current_sit_page(struct f2fs_sb_info *sbi,
+                                       unsigned int segno)
+ {
+-      return f2fs_get_meta_page_nofail(sbi, current_sit_addr(sbi, segno));
++      return f2fs_get_meta_page(sbi, current_sit_addr(sbi, segno));
+ }
+ static struct page *get_next_sit_page(struct f2fs_sb_info *sbi,
+-- 
+2.27.0
+
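Review bot: get_current_nat_page() and get_current_sit_page() now call f2fs_get_meta_page(), and f2fs_get_sum_page() returns `ERR_PTR(-EIO)` on checkpoint error, yet change_curseg() is the only caller adjusted in the visible hunks. For a backport it is worth confirming that every other caller in the 5.4 tree tests `IS_ERR()` before using the page, since the helper they relied on before was the `_nofail` variant. In change_curseg() the error path zeroes `curseg->sum_blk` and returns from a void function after `__next_free_blkoff()` has already run, so callers cannot observe the failure. A comment such as `/* cp_error: segment state stays updated, summary is left blank */` would record that this is deliberate.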
diff --git a/queue-5.4/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch b/queue-5.4/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch
new file mode 100644 (file)
index 0000000..9e8cb35
--- /dev/null
@@ -0,0 +1,124 @@
+From b2238d6c37656ef84e9ae82fa2b299a4f7101c5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 14:26:24 +0100
+Subject: firmware: arm_scmi: Add missing Rx size re-initialisation
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 9724722fde8f9bbd2b87340f00b9300c9284001e ]
+
+Few commands provide the list of description partially and require
+to be called consecutively until all the descriptors are fetched
+completely. In such cases, we don't release the buffers and reuse
+them for consecutive transmits.
+
+However, currently we don't reset the Rx size which will be set as
+per the response for the last transmit. This may result in incorrect
+response size being interpretted as the firmware may repond with size
+greater than the one set but we read only upto the size set by previous
+response.
+
+Let us reset the receive buffer size to max possible in such cases as
+we don't know the exact size of the response.
+
+Link:  https://lore.kernel.org/r/20201012141746.32575-1-sudeep.holla@arm.com
+Fixes: b6f20ff8bd94 ("firmware: arm_scmi: add common infrastructure and support for base protocol")
+Reported-by: Etienne Carriere <etienne.carriere@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/base.c    | 2 ++
+ drivers/firmware/arm_scmi/clock.c   | 2 ++
+ drivers/firmware/arm_scmi/common.h  | 2 ++
+ drivers/firmware/arm_scmi/driver.c  | 8 ++++++++
+ drivers/firmware/arm_scmi/perf.c    | 2 ++
+ drivers/firmware/arm_scmi/sensors.c | 2 ++
+ 6 files changed, 18 insertions(+)
+
+diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
+index f804e8af6521b..f986ee8919f03 100644
+--- a/drivers/firmware/arm_scmi/base.c
++++ b/drivers/firmware/arm_scmi/base.c
+@@ -173,6 +173,8 @@ static int scmi_base_implementation_list_get(const struct scmi_handle *handle,
+                       protocols_imp[tot_num_ret + loop] = *(list + loop);
+               tot_num_ret += loop_num_ret;
++
++              scmi_reset_rx_to_maxsz(handle, t);
+       } while (loop_num_ret);
+       scmi_xfer_put(handle, t);
+diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c
+index 32526a793f3ac..38400a8d0ca89 100644
+--- a/drivers/firmware/arm_scmi/clock.c
++++ b/drivers/firmware/arm_scmi/clock.c
+@@ -177,6 +177,8 @@ scmi_clock_describe_rates_get(const struct scmi_handle *handle, u32 clk_id,
+               }
+               tot_rate_cnt += num_returned;
++
++              scmi_reset_rx_to_maxsz(handle, t);
+               /*
+                * check for both returned and remaining to avoid infinite
+                * loop due to buggy firmware
+diff --git a/drivers/firmware/arm_scmi/common.h b/drivers/firmware/arm_scmi/common.h
+index 5237c2ff79fea..9a680b9af9e58 100644
+--- a/drivers/firmware/arm_scmi/common.h
++++ b/drivers/firmware/arm_scmi/common.h
+@@ -103,6 +103,8 @@ int scmi_do_xfer_with_response(const struct scmi_handle *h,
+                              struct scmi_xfer *xfer);
+ int scmi_xfer_get_init(const struct scmi_handle *h, u8 msg_id, u8 prot_id,
+                      size_t tx_size, size_t rx_size, struct scmi_xfer **p);
++void scmi_reset_rx_to_maxsz(const struct scmi_handle *handle,
++                          struct scmi_xfer *xfer);
+ int scmi_handle_put(const struct scmi_handle *handle);
+ struct scmi_handle *scmi_handle_get(struct device *dev);
+ void scmi_set_handle(struct scmi_device *scmi_dev);
+diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
+index 3eb0382491ceb..11078199abed3 100644
+--- a/drivers/firmware/arm_scmi/driver.c
++++ b/drivers/firmware/arm_scmi/driver.c
+@@ -481,6 +481,14 @@ int scmi_do_xfer(const struct scmi_handle *handle, struct scmi_xfer *xfer)
+       return ret;
+ }
++void scmi_reset_rx_to_maxsz(const struct scmi_handle *handle,
++                          struct scmi_xfer *xfer)
++{
++      struct scmi_info *info = handle_to_scmi_info(handle);
++
++      xfer->rx.len = info->desc->max_msg_size;
++}
++
+ #define SCMI_MAX_RESPONSE_TIMEOUT     (2 * MSEC_PER_SEC)
+ /**
+diff --git a/drivers/firmware/arm_scmi/perf.c b/drivers/firmware/arm_scmi/perf.c
+index 601af4edad5e6..129a2887e964f 100644
+--- a/drivers/firmware/arm_scmi/perf.c
++++ b/drivers/firmware/arm_scmi/perf.c
+@@ -281,6 +281,8 @@ scmi_perf_describe_levels_get(const struct scmi_handle *handle, u32 domain,
+               }
+               tot_opp_cnt += num_returned;
++
++              scmi_reset_rx_to_maxsz(handle, t);
+               /*
+                * check for both returned and remaining to avoid infinite
+                * loop due to buggy firmware
+diff --git a/drivers/firmware/arm_scmi/sensors.c b/drivers/firmware/arm_scmi/sensors.c
+index a400ea805fc23..931208bc48f12 100644
+--- a/drivers/firmware/arm_scmi/sensors.c
++++ b/drivers/firmware/arm_scmi/sensors.c
+@@ -154,6 +154,8 @@ static int scmi_sensor_description_get(const struct scmi_handle *handle,
+               }
+               desc_index += num_returned;
++
++              scmi_reset_rx_to_maxsz(handle, t);
+               /*
+                * check for both returned and remaining to avoid infinite
+                * loop due to buggy firmware
+-- 
+2.27.0
+
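Review bot: The new scmi_reset_rx_to_maxsz() in the driver.c hunk is exported through common.h without a kernel-doc comment, although its caller contract is the whole point of the fix: any loop that reuses one transfer for several sends has to call it before the next send. I would add a short `/** ... */` block saying that rx.len is left at the size of the last response and that the helper restores it to `info->desc->max_msg_size`. The base.c, clock.c, perf.c and sensors.c hunks cover four such loops; other multi-part commands are not visible here, so it is worth confirming none was missed. The helper also assumes the receive buffer is at least max_msg_size bytes, which this patch does not show.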
diff --git a/queue-5.4/firmware-arm_scmi-fix-arch_cold_reset.patch b/queue-5.4/firmware-arm_scmi-fix-arch_cold_reset.patch
new file mode 100644 (file)
index 0000000..de1e0e2
--- /dev/null
@@ -0,0 +1,39 @@
+From dc38f40ff3f4b9bf8810384c19dc0076648f878a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 16:37:22 +0200
+Subject: firmware: arm_scmi: Fix ARCH_COLD_RESET
+
+From: Etienne Carriere <etienne.carriere@linaro.org>
+
+[ Upstream commit 45b9e04d5ba0b043783dfe2b19bb728e712cb32e ]
+
+The defination for ARCH_COLD_RESET is wrong. Let us fix it according to
+the SCMI specification.
+
+Link: https://lore.kernel.org/r/20201008143722.21888-5-etienne.carriere@linaro.org
+Fixes: 95a15d80aa0d ("firmware: arm_scmi: Add RESET protocol in SCMI v2.0")
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/reset.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/reset.c b/drivers/firmware/arm_scmi/reset.c
+index ab42c21c55175..6d223f345b6c9 100644
+--- a/drivers/firmware/arm_scmi/reset.c
++++ b/drivers/firmware/arm_scmi/reset.c
+@@ -35,9 +35,7 @@ struct scmi_msg_reset_domain_reset {
+ #define EXPLICIT_RESET_ASSERT BIT(1)
+ #define ASYNCHRONOUS_RESET    BIT(2)
+       __le32 reset_state;
+-#define ARCH_RESET_TYPE               BIT(31)
+-#define COLD_RESET_STATE      BIT(0)
+-#define ARCH_COLD_RESET               (ARCH_RESET_TYPE | COLD_RESET_STATE)
++#define ARCH_COLD_RESET               0
+ };
+ struct reset_dom_info {
+-- 
+2.27.0
+
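Review bot: `#define ARCH_COLD_RESET 0` in the reset.c hunk replaces two named bit fields with a bare zero and no comment, so the reader can no longer see how the value is composed. A one-line comment such as `/* architectural reset type, cold reset state (SCMI spec) */` would keep that information next to the constant. The value itself follows the commit description and cannot be checked against the specification from this hunk.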
diff --git a/queue-5.4/futex-fix-incorrect-should_fail_futex-handling.patch b/queue-5.4/futex-fix-incorrect-should_fail_futex-handling.patch
new file mode 100644 (file)
index 0000000..6366c82
--- /dev/null
@@ -0,0 +1,49 @@
+From afb1e495adfe1a3c8ddea75dc7e725725f6cdc1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Sep 2020 02:08:58 +0200
+Subject: futex: Fix incorrect should_fail_futex() handling
+
+From: Mateusz Nosek <mateusznosek0@gmail.com>
+
+[ Upstream commit 921c7ebd1337d1a46783d7e15a850e12aed2eaa0 ]
+
+If should_futex_fail() returns true in futex_wake_pi(), then the 'ret'
+variable is set to -EFAULT and then immediately overwritten. So the failure
+injection is non-functional.
+
+Fix it by actually leaving the function and returning -EFAULT.
+
+The Fixes tag is kinda blury because the initial commit which introduced
+failure injection was already sloppy, but the below mentioned commit broke
+it completely.
+
+[ tglx: Massaged changelog ]
+
+Fixes: 6b4f4bc9cb22 ("locking/futex: Allow low-level atomic operations to return -EAGAIN")
+Signed-off-by: Mateusz Nosek <mateusznosek0@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20200927000858.24219-1-mateusznosek0@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/futex.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/futex.c b/kernel/futex.c
+index 5660c02b01b05..17fba7a986e0f 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1594,8 +1594,10 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_
+        */
+       newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
+-      if (unlikely(should_fail_futex(true)))
++      if (unlikely(should_fail_futex(true))) {
+               ret = -EFAULT;
++              goto out_unlock;
++      }
+       ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval);
+       if (!ret && (curval != uval)) {
+-- 
+2.27.0
+
diff --git a/queue-5.4/gfs2-add-validation-checks-for-size-of-superblock.patch b/queue-5.4/gfs2-add-validation-checks-for-size-of-superblock.patch
new file mode 100644 (file)
index 0000000..6060f7e
--- /dev/null
@@ -0,0 +1,62 @@
+From 654256f595c17aa192f762c3c241c2aaee0f8dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 22:01:09 +0530
+Subject: gfs2: add validation checks for size of superblock
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+[ Upstream commit 0ddc5154b24c96f20e94d653b0a814438de6032b ]
+
+In gfs2_check_sb(), no validation checks are performed with regards to
+the size of the superblock.
+syzkaller detected a slab-out-of-bounds bug that was primarily caused
+because the block size for a superblock was set to zero.
+A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE.
+Performing validation checks and ensuring that the size of the superblock
+is valid fixes this bug.
+
+Reported-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com
+Tested-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com
+Suggested-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+[Minor code reordering.]
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/ops_fstype.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
+index 338666a97fff6..29b27d769860c 100644
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -169,15 +169,19 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent)
+               return -EINVAL;
+       }
+-      /*  If format numbers match exactly, we're done.  */
+-
+-      if (sb->sb_fs_format == GFS2_FORMAT_FS &&
+-          sb->sb_multihost_format == GFS2_FORMAT_MULTI)
+-              return 0;
++      if (sb->sb_fs_format != GFS2_FORMAT_FS ||
++          sb->sb_multihost_format != GFS2_FORMAT_MULTI) {
++              fs_warn(sdp, "Unknown on-disk format, unable to mount\n");
++              return -EINVAL;
++      }
+-      fs_warn(sdp, "Unknown on-disk format, unable to mount\n");
++      if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE ||
++          (sb->sb_bsize & (sb->sb_bsize - 1))) {
++              pr_warn("Invalid superblock size\n");
++              return -EINVAL;
++      }
+-      return -EINVAL;
++      return 0;
+ }
+ static void end_bio_io_page(struct bio *bio)
+-- 
+2.27.0
+
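Review bot: The new size check in gfs2_check_sb() validates sb_bsize but not the companion field sb_bsize_shift, which comes from the same on-disk superblock and, if it is used for shift arithmetic later in mount, can still disagree with the validated size. Adding `sb->sb_bsize_shift != ffs(sb->sb_bsize) - 1` to the condition would tie the two fields together. The message also goes through `pr_warn` while the format check just above uses `fs_warn(sdp, ...)`, and it says "superblock size" although the field tested is the block size; `fs_warn(sdp, "Invalid block size\n");` would match the surrounding code and name the filesystem in the log. The function begins outside the hunk.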
diff --git a/queue-5.4/gfs2-use-after-free-in-sysfs-deregistration.patch b/queue-5.4/gfs2-use-after-free-in-sysfs-deregistration.patch
new file mode 100644 (file)
index 0000000..ea9c09f
--- /dev/null
@@ -0,0 +1,189 @@
+From 917a5634b5127c68c8288ebecfee3fb18e8ad410 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 14:13:09 +0100
+Subject: gfs2: use-after-free in sysfs deregistration
+
+From: Jamie Iles <jamie@nuviainc.com>
+
+[ Upstream commit c2a04b02c060c4858762edce4674d5cba3e5a96f ]
+
+syzkaller found the following splat with CONFIG_DEBUG_KOBJECT_RELEASE=y:
+
+  Read of size 1 at addr ffff000028e896b8 by task kworker/1:2/228
+
+  CPU: 1 PID: 228 Comm: kworker/1:2 Tainted: G S                5.9.0-rc8+ #101
+  Hardware name: linux,dummy-virt (DT)
+  Workqueue: events kobject_delayed_cleanup
+  Call trace:
+   dump_backtrace+0x0/0x4d8
+   show_stack+0x34/0x48
+   dump_stack+0x174/0x1f8
+   print_address_description.constprop.0+0x5c/0x550
+   kasan_report+0x13c/0x1c0
+   __asan_report_load1_noabort+0x34/0x60
+   memcmp+0xd0/0xd8
+   gfs2_uevent+0xc4/0x188
+   kobject_uevent_env+0x54c/0x1240
+   kobject_uevent+0x2c/0x40
+   __kobject_del+0x190/0x1d8
+   kobject_delayed_cleanup+0x2bc/0x3b8
+   process_one_work+0x96c/0x18c0
+   worker_thread+0x3f0/0xc30
+   kthread+0x390/0x498
+   ret_from_fork+0x10/0x18
+
+  Allocated by task 1110:
+   kasan_save_stack+0x28/0x58
+   __kasan_kmalloc.isra.0+0xc8/0xe8
+   kasan_kmalloc+0x10/0x20
+   kmem_cache_alloc_trace+0x1d8/0x2f0
+   alloc_super+0x64/0x8c0
+   sget_fc+0x110/0x620
+   get_tree_bdev+0x190/0x648
+   gfs2_get_tree+0x50/0x228
+   vfs_get_tree+0x84/0x2e8
+   path_mount+0x1134/0x1da8
+   do_mount+0x124/0x138
+   __arm64_sys_mount+0x164/0x238
+   el0_svc_common.constprop.0+0x15c/0x598
+   do_el0_svc+0x60/0x150
+   el0_svc+0x34/0xb0
+   el0_sync_handler+0xc8/0x5b4
+   el0_sync+0x15c/0x180
+
+  Freed by task 228:
+   kasan_save_stack+0x28/0x58
+   kasan_set_track+0x28/0x40
+   kasan_set_free_info+0x24/0x48
+   __kasan_slab_free+0x118/0x190
+   kasan_slab_free+0x14/0x20
+   slab_free_freelist_hook+0x6c/0x210
+   kfree+0x13c/0x460
+
+Use the same pattern as f2fs + ext4 where the kobject destruction must
+complete before allowing the FS itself to be freed.  This means that we
+need an explicit free_sbd in the callers.
+
+Cc: Bob Peterson <rpeterso@redhat.com>
+Cc: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Jamie Iles <jamie@nuviainc.com>
+[Also go to fail_free when init_names fails.]
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/incore.h     |  1 +
+ fs/gfs2/ops_fstype.c | 22 +++++-----------------
+ fs/gfs2/super.c      |  1 +
+ fs/gfs2/sys.c        |  5 ++++-
+ 4 files changed, 11 insertions(+), 18 deletions(-)
+
+diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h
+index 5f89c515f5bb7..33a6b074209da 100644
+--- a/fs/gfs2/incore.h
++++ b/fs/gfs2/incore.h
+@@ -694,6 +694,7 @@ struct gfs2_sbd {
+       struct super_block *sd_vfs;
+       struct gfs2_pcpu_lkstats __percpu *sd_lkstats;
+       struct kobject sd_kobj;
++      struct completion sd_kobj_unregister;
+       unsigned long sd_flags; /* SDF_... */
+       struct gfs2_sb_host sd_sb;
+diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
+index e0c55765b06d2..338666a97fff6 100644
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -1094,26 +1094,14 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc)
+       }
+       error = init_names(sdp, silent);
+-      if (error) {
+-              /* In this case, we haven't initialized sysfs, so we have to
+-                 manually free the sdp. */
+-              free_sbd(sdp);
+-              sb->s_fs_info = NULL;
+-              return error;
+-      }
++      if (error)
++              goto fail_free;
+       snprintf(sdp->sd_fsname, sizeof(sdp->sd_fsname), "%s", sdp->sd_table_name);
+       error = gfs2_sys_fs_add(sdp);
+-      /*
+-       * If we hit an error here, gfs2_sys_fs_add will have called function
+-       * kobject_put which causes the sysfs usage count to go to zero, which
+-       * causes sysfs to call function gfs2_sbd_release, which frees sdp.
+-       * Subsequent error paths here will call gfs2_sys_fs_del, which also
+-       * kobject_put to free sdp.
+-       */
+       if (error)
+-              return error;
++              goto fail_free;
+       gfs2_create_debugfs_file(sdp);
+@@ -1210,9 +1198,9 @@ fail_lm:
+       gfs2_lm_unmount(sdp);
+ fail_debug:
+       gfs2_delete_debugfs_file(sdp);
+-      /* gfs2_sys_fs_del must be the last thing we do, since it causes
+-       * sysfs to call function gfs2_sbd_release, which frees sdp. */
+       gfs2_sys_fs_del(sdp);
++fail_free:
++      free_sbd(sdp);
+       sb->s_fs_info = NULL;
+       return error;
+ }
+diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
+index 5fa1eec4fb4f5..5935ce5ae5636 100644
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -695,6 +695,7 @@ restart:
+       /*  At this point, we're through participating in the lockspace  */
+       gfs2_sys_fs_del(sdp);
++      free_sbd(sdp);
+ }
+ /**
+diff --git a/fs/gfs2/sys.c b/fs/gfs2/sys.c
+index dd15b8e4af2ce..1c6e52dc878e3 100644
+--- a/fs/gfs2/sys.c
++++ b/fs/gfs2/sys.c
+@@ -302,7 +302,7 @@ static void gfs2_sbd_release(struct kobject *kobj)
+ {
+       struct gfs2_sbd *sdp = container_of(kobj, struct gfs2_sbd, sd_kobj);
+-      free_sbd(sdp);
++      complete(&sdp->sd_kobj_unregister);
+ }
+ static struct kobj_type gfs2_ktype = {
+@@ -652,6 +652,7 @@ int gfs2_sys_fs_add(struct gfs2_sbd *sdp)
+       sprintf(ro, "RDONLY=%d", sb_rdonly(sb));
+       sprintf(spectator, "SPECTATOR=%d", sdp->sd_args.ar_spectator ? 1 : 0);
++      init_completion(&sdp->sd_kobj_unregister);
+       sdp->sd_kobj.kset = gfs2_kset;
+       error = kobject_init_and_add(&sdp->sd_kobj, &gfs2_ktype, NULL,
+                                    "%s", sdp->sd_table_name);
+@@ -682,6 +683,7 @@ fail_tune:
+ fail_reg:
+       fs_err(sdp, "error %d adding sysfs files\n", error);
+       kobject_put(&sdp->sd_kobj);
++      wait_for_completion(&sdp->sd_kobj_unregister);
+       sb->s_fs_info = NULL;
+       return error;
+ }
+@@ -692,6 +694,7 @@ void gfs2_sys_fs_del(struct gfs2_sbd *sdp)
+       sysfs_remove_group(&sdp->sd_kobj, &tune_group);
+       sysfs_remove_group(&sdp->sd_kobj, &lock_module_group);
+       kobject_put(&sdp->sd_kobj);
++      wait_for_completion(&sdp->sd_kobj_unregister);
+ }
+ static int gfs2_uevent(struct kset *kset, struct kobject *kobj,
+-- 
+2.27.0
+
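Review bot: The ownership rule changes in this patch, but the comments that described the old rule are deleted without a replacement. After the sys.c hunks gfs2_sbd_release() only signals sd_kobj_unregister, and every caller of gfs2_sys_fs_del() has to call free_sbd() itself, as the ops_fstype.c and super.c hunks do. A comment on gfs2_sbd_release(), for example `/* sdp is freed by the caller after wait_for_completion(); do not free it here */`, would keep a later change from reintroducing the early free. The wait_for_completion() added to gfs2_sys_fs_del() is uninterruptible, so unmount now blocks until the last kobject reference is dropped; who else can hold one is not visible in these hunks.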
diff --git a/queue-5.4/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch b/queue-5.4/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch
new file mode 100644 (file)
index 0000000..ed2a635
--- /dev/null
@@ -0,0 +1,120 @@
+From 26de9400a916c5b63b7ec4f9b7d53a4a9a3e8333 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Aug 2020 22:01:09 +0900
+Subject: ia64: kprobes: Use generic kretprobe trampoline handler
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit e792ff804f49720ce003b3e4c618b5d996256a18 ]
+
+Use the generic kretprobe trampoline handler. Don't use
+framepointer verification.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/159870606883.1229682.12331813108378725668.stgit@devnote2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/kernel/kprobes.c | 77 +-------------------------------------
+ 1 file changed, 2 insertions(+), 75 deletions(-)
+
+diff --git a/arch/ia64/kernel/kprobes.c b/arch/ia64/kernel/kprobes.c
+index b8356edbde659..b3dc39050c1ad 100644
+--- a/arch/ia64/kernel/kprobes.c
++++ b/arch/ia64/kernel/kprobes.c
+@@ -396,83 +396,9 @@ static void kretprobe_trampoline(void)
+ {
+ }
+-/*
+- * At this point the target function has been tricked into
+- * returning into our trampoline.  Lookup the associated instance
+- * and then:
+- *    - call the handler function
+- *    - cleanup by marking the instance as unused
+- *    - long jump back to the original return address
+- */
+ int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
+ {
+-      struct kretprobe_instance *ri = NULL;
+-      struct hlist_head *head, empty_rp;
+-      struct hlist_node *tmp;
+-      unsigned long flags, orig_ret_address = 0;
+-      unsigned long trampoline_address =
+-              ((struct fnptr *)kretprobe_trampoline)->ip;
+-
+-      INIT_HLIST_HEAD(&empty_rp);
+-      kretprobe_hash_lock(current, &head, &flags);
+-
+-      /*
+-       * It is possible to have multiple instances associated with a given
+-       * task either because an multiple functions in the call path
+-       * have a return probe installed on them, and/or more than one return
+-       * return probe was registered for a target function.
+-       *
+-       * We can handle this because:
+-       *     - instances are always inserted at the head of the list
+-       *     - when multiple return probes are registered for the same
+-       *       function, the first instance's ret_addr will point to the
+-       *       real return address, and all the rest will point to
+-       *       kretprobe_trampoline
+-       */
+-      hlist_for_each_entry_safe(ri, tmp, head, hlist) {
+-              if (ri->task != current)
+-                      /* another task is sharing our hash bucket */
+-                      continue;
+-
+-              orig_ret_address = (unsigned long)ri->ret_addr;
+-              if (orig_ret_address != trampoline_address)
+-                      /*
+-                       * This is the real return address. Any other
+-                       * instances associated with this task are for
+-                       * other calls deeper on the call stack
+-                       */
+-                      break;
+-      }
+-
+-      regs->cr_iip = orig_ret_address;
+-
+-      hlist_for_each_entry_safe(ri, tmp, head, hlist) {
+-              if (ri->task != current)
+-                      /* another task is sharing our hash bucket */
+-                      continue;
+-
+-              if (ri->rp && ri->rp->handler)
+-                      ri->rp->handler(ri, regs);
+-
+-              orig_ret_address = (unsigned long)ri->ret_addr;
+-              recycle_rp_inst(ri, &empty_rp);
+-
+-              if (orig_ret_address != trampoline_address)
+-                      /*
+-                       * This is the real return address. Any other
+-                       * instances associated with this task are for
+-                       * other calls deeper on the call stack
+-                       */
+-                      break;
+-      }
+-      kretprobe_assert(ri, orig_ret_address, trampoline_address);
+-
+-      kretprobe_hash_unlock(current, &flags);
+-
+-      hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
+-              hlist_del(&ri->hlist);
+-              kfree(ri);
+-      }
++      regs->cr_iip = __kretprobe_trampoline_handler(regs, kretprobe_trampoline, NULL);
+       /*
+        * By returning a non-zero value, we are telling
+        * kprobe_handler() that we don't want the post_handler
+@@ -485,6 +411,7 @@ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+                                     struct pt_regs *regs)
+ {
+       ri->ret_addr = (kprobe_opcode_t *)regs->b0;
++      ri->fp = NULL;
+       /* Replace the return addr with trampoline addr */
+       regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip;
+-- 
+2.27.0
+
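Review bot: In trampoline_probe_handler() the new call passes `kretprobe_trampoline` itself as the trampoline address, whereas the removed code compared against `((struct fnptr *)kretprobe_trampoline)->ip`, and arch_prepare_kretprobe() in the next hunk still stores that `->ip` value in regs->b0. The `struct fnptr` casts indicate that the symbol is a function descriptor here, so the generic handler would presumably be matching return addresses against the descriptor address and not the entry address. I would pass the entry address, e.g. `regs->cr_iip = __kretprobe_trampoline_handler(regs, (void *)((struct fnptr *)kretprobe_trampoline)->ip, NULL);`, assuming the parameter is a plain pointer. The rest of the handler body lies outside the hunk.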
diff --git a/queue-5.4/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch b/queue-5.4/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch
new file mode 100644 (file)
index 0000000..6183981
--- /dev/null
@@ -0,0 +1,70 @@
+From ed3cb6e9dfa8c0118485db0ead4fbd141229ac4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 15:14:38 -0700
+Subject: kgdb: Make "kgdbcon" work properly with "kgdb_earlycon"
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit b18b099e04f450cdc77bec72acefcde7042bd1f3 ]
+
+On my system the kernel processes the "kgdb_earlycon" parameter before
+the "kgdbcon" parameter.  When we setup "kgdb_earlycon" we'll end up
+in kgdb_register_callbacks() and "kgdb_use_con" won't have been set
+yet so we'll never get around to starting "kgdbcon".  Let's remedy
+this by detecting that the IO module was already registered when
+setting "kgdb_use_con" and registering the console then.
+
+As part of this, to avoid pre-declaring things, move the handling of
+the "kgdbcon" further down in the file.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20200630151422.1.I4aa062751ff5e281f5116655c976dff545c09a46@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/debug_core.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index 2222f3225e53d..097ab02989f92 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -96,14 +96,6 @@ int dbg_switch_cpu;
+ /* Use kdb or gdbserver mode */
+ int dbg_kdb_mode = 1;
+-static int __init opt_kgdb_con(char *str)
+-{
+-      kgdb_use_con = 1;
+-      return 0;
+-}
+-
+-early_param("kgdbcon", opt_kgdb_con);
+-
+ module_param(kgdb_use_con, int, 0644);
+ module_param(kgdbreboot, int, 0644);
+@@ -876,6 +868,20 @@ static struct console kgdbcons = {
+       .index          = -1,
+ };
++static int __init opt_kgdb_con(char *str)
++{
++      kgdb_use_con = 1;
++
++      if (kgdb_io_module_registered && !kgdb_con_registered) {
++              register_console(&kgdbcons);
++              kgdb_con_registered = 1;
++      }
++
++      return 0;
++}
++
++early_param("kgdbcon", opt_kgdb_con);
++
+ #ifdef CONFIG_MAGIC_SYSRQ
+ static void sysrq_handle_dbg(int key)
+ {
+-- 
+2.27.0
+
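Review bot: opt_kgdb_con() now has a boot-order dependency that the code does not explain: the register_console() branch only matters when the I/O module was registered before this parameter was parsed. A comment above the `if`, for example `/* kgdb_earlycon may already have registered the I/O module */`, would record that reason in the source and not only in the commit log. The branch also repeats the register-and-set-flag pair that, going by the description, kgdb_register_callbacks() performs; a small shared helper would keep the two from drifting apart, though that function is not visible in this hunk.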
diff --git a/queue-5.4/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch b/queue-5.4/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch
new file mode 100644 (file)
index 0000000..51346ed
--- /dev/null
@@ -0,0 +1,101 @@
+From 71681fcf2f4f38584e28c59d0c1820187536573c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 01:16:07 -0300
+Subject: KVM: PPC: Book3S HV: Do not allocate HPT for a nested guest
+
+From: Fabiano Rosas <farosas@linux.ibm.com>
+
+[ Upstream commit 05e6295dc7de859c9d56334805485c4d20bebf25 ]
+
+The current nested KVM code does not support HPT guests. This is
+informed/enforced in some ways:
+
+- Hosts < P9 will not be able to enable the nested HV feature;
+
+- The nested hypervisor MMU capabilities will not contain
+  KVM_CAP_PPC_MMU_HASH_V3;
+
+- QEMU reflects the MMU capabilities in the
+  'ibm,arch-vec-5-platform-support' device-tree property;
+
+- The nested guest, at 'prom_parse_mmu_model' ignores the
+  'disable_radix' kernel command line option if HPT is not supported;
+
+- The KVM_PPC_CONFIGURE_V3_MMU ioctl will fail if trying to use HPT.
+
+There is, however, still a way to start a HPT guest by using
+max-compat-cpu=power8 at the QEMU machine options. This leads to the
+guest being set to use hash after QEMU calls the KVM_PPC_ALLOCATE_HTAB
+ioctl.
+
+With the guest set to hash, the nested hypervisor goes through the
+entry path that has no knowledge of nesting (kvmppc_run_vcpu) and
+crashes when it tries to execute an hypervisor-privileged (mtspr
+HDEC) instruction at __kvmppc_vcore_entry:
+
+root@L1:~ $ qemu-system-ppc64 -machine pseries,max-cpu-compat=power8 ...
+
+<snip>
+[  538.543303] CPU: 83 PID: 25185 Comm: CPU 0/KVM Not tainted 5.9.0-rc4 #1
+[  538.543355] NIP:  c00800000753f388 LR: c00800000753f368 CTR: c0000000001e5ec0
+[  538.543417] REGS: c0000013e91e33b0 TRAP: 0700   Not tainted  (5.9.0-rc4)
+[  538.543470] MSR:  8000000002843033 <SF,VEC,VSX,FP,ME,IR,DR,RI,LE>  CR: 22422882  XER: 20040000
+[  538.543546] CFAR: c00800000753f4b0 IRQMASK: 3
+               GPR00: c0080000075397a0 c0000013e91e3640 c00800000755e600 0000000080000000
+               GPR04: 0000000000000000 c0000013eab19800 c000001394de0000 00000043a054db72
+               GPR08: 00000000003b1652 0000000000000000 0000000000000000 c0080000075502e0
+               GPR12: c0000000001e5ec0 c0000007ffa74200 c0000013eab19800 0000000000000008
+               GPR16: 0000000000000000 c00000139676c6c0 c000000001d23948 c0000013e91e38b8
+               GPR20: 0000000000000053 0000000000000000 0000000000000001 0000000000000000
+               GPR24: 0000000000000001 0000000000000001 0000000000000000 0000000000000001
+               GPR28: 0000000000000001 0000000000000053 c0000013eab19800 0000000000000001
+[  538.544067] NIP [c00800000753f388] __kvmppc_vcore_entry+0x90/0x104 [kvm_hv]
+[  538.544121] LR [c00800000753f368] __kvmppc_vcore_entry+0x70/0x104 [kvm_hv]
+[  538.544173] Call Trace:
+[  538.544196] [c0000013e91e3640] [c0000013e91e3680] 0xc0000013e91e3680 (unreliable)
+[  538.544260] [c0000013e91e3820] [c0080000075397a0] kvmppc_run_core+0xbc8/0x19d0 [kvm_hv]
+[  538.544325] [c0000013e91e39e0] [c00800000753d99c] kvmppc_vcpu_run_hv+0x404/0xc00 [kvm_hv]
+[  538.544394] [c0000013e91e3ad0] [c0080000072da4fc] kvmppc_vcpu_run+0x34/0x48 [kvm]
+[  538.544472] [c0000013e91e3af0] [c0080000072d61b8] kvm_arch_vcpu_ioctl_run+0x310/0x420 [kvm]
+[  538.544539] [c0000013e91e3b80] [c0080000072c7450] kvm_vcpu_ioctl+0x298/0x778 [kvm]
+[  538.544605] [c0000013e91e3ce0] [c0000000004b8c2c] sys_ioctl+0x1dc/0xc90
+[  538.544662] [c0000013e91e3dc0] [c00000000002f9a4] system_call_exception+0xe4/0x1c0
+[  538.544726] [c0000013e91e3e20] [c00000000000d140] system_call_common+0xf0/0x27c
+[  538.544787] Instruction dump:
+[  538.544821] f86d1098 60000000 60000000 48000099 e8ad0fe8 e8c500a0 e9264140 75290002
+[  538.544886] 7d1602a6 7cec42a6 40820008 7d0807b4 <7d164ba6> 7d083a14 f90d10a0 480104fd
+[  538.544953] ---[ end trace 74423e2b948c2e0c ]---
+
+This patch makes the KVM_PPC_ALLOCATE_HTAB ioctl fail when running in
+the nested hypervisor, causing QEMU to abort.
+
+Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index e2183fed947d4..dd9b19b1f459a 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -5191,6 +5191,12 @@ static long kvm_arch_vm_ioctl_hv(struct file *filp,
+       case KVM_PPC_ALLOCATE_HTAB: {
+               u32 htab_order;
++              /* If we're a nested hypervisor, we currently only support radix */
++              if (kvmhv_on_pseries()) {
++                      r = -EOPNOTSUPP;
++                      break;
++              }
++
+               r = -EFAULT;
+               if (get_user(htab_order, (u32 __user *)argp))
+                       break;
+-- 
+2.27.0
+
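Review bot: The new guard in the KVM_PPC_ALLOCATE_HTAB case stops one userspace-reachable route to a hash guest under a nested hypervisor, but the oops in the description happens later, in the vcpu run path. A check there that refuses to enter a non-radix guest when `kvmhv_on_pseries()` is true would turn any route this switch does not cover into an error return and not a kernel trap. Whether other cases of kvm_arch_vm_ioctl_hv() can reach the same state is not visible in this hunk, and the case body continues outside it.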
diff --git a/queue-5.4/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch b/queue-5.4/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch
new file mode 100644 (file)
index 0000000..a160a9e
--- /dev/null
@@ -0,0 +1,53 @@
+From 5ff9b1232dc2348c3cbf8151af57bb949fb90e83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Oct 2020 00:00:24 +0800
+Subject: md/bitmap: md_bitmap_get_counter returns wrong blocks
+
+From: Zhao Heming <heming.zhao@suse.com>
+
+[ Upstream commit d837f7277f56e70d82b3a4a037d744854e62f387 ]
+
+md_bitmap_get_counter() has code:
+
+```
+    if (bitmap->bp[page].hijacked ||
+        bitmap->bp[page].map == NULL)
+        csize = ((sector_t)1) << (bitmap->chunkshift +
+                      PAGE_COUNTER_SHIFT - 1);
+```
+
+The minus 1 is wrong, this branch should report 2048 bits of space.
+With "-1" action, this only report 1024 bit of space.
+
+This bug code returns wrong blocks, but it doesn't inflence bitmap logic:
+1. Most callers focus this function return value (the counter of offset),
+   not the parameter blocks.
+2. The bug is only triggered when hijacked is true or map is NULL.
+   the hijacked true condition is very rare.
+   the "map == null" only true when array is creating or resizing.
+3. Even the caller gets wrong blocks, current code makes caller just to
+   call md_bitmap_get_counter() one more time.
+
+Signed-off-by: Zhao Heming <heming.zhao@suse.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index 7227d03dbbea7..0a6c200e3dcb2 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -1372,7 +1372,7 @@ __acquires(bitmap->lock)
+       if (bitmap->bp[page].hijacked ||
+           bitmap->bp[page].map == NULL)
+               csize = ((sector_t)1) << (bitmap->chunkshift +
+-                                        PAGE_COUNTER_SHIFT - 1);
++                                        PAGE_COUNTER_SHIFT);
+       else
+               csize = ((sector_t)1) << bitmap->chunkshift;
+       *blocks = csize - (offset & (csize - 1));
+-- 
+2.27.0
+
diff --git a/queue-5.4/media-imx274-fix-frame-interval-handling.patch b/queue-5.4/media-imx274-fix-frame-interval-handling.patch
new file mode 100644 (file)
index 0000000..bf79fee
--- /dev/null
@@ -0,0 +1,54 @@
+From 0a1ff90138e204e800f505dc9d2ae90cb9741c2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jul 2020 11:20:32 +0200
+Subject: media: imx274: fix frame interval handling
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+[ Upstream commit 49b20d981d723fae5a93843c617af2b2c23611ec ]
+
+1) the numerator and/or denominator might be 0, in that case
+   fall back to the default frame interval. This is per the spec
+   and this caused a v4l2-compliance failure.
+
+2) the updated frame interval wasn't returned in the s_frame_interval
+   subdev op.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/imx274.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c
+index 6011cec5e351d..e6aa9f32b6a83 100644
+--- a/drivers/media/i2c/imx274.c
++++ b/drivers/media/i2c/imx274.c
+@@ -1235,6 +1235,8 @@ static int imx274_s_frame_interval(struct v4l2_subdev *sd,
+       ret = imx274_set_frame_interval(imx274, fi->interval);
+       if (!ret) {
++              fi->interval = imx274->frame_interval;
++
+               /*
+                * exposure time range is decided by frame interval
+                * need to update it after frame interval changes
+@@ -1730,9 +1732,9 @@ static int imx274_set_frame_interval(struct stimx274 *priv,
+               __func__, frame_interval.numerator,
+               frame_interval.denominator);
+-      if (frame_interval.numerator == 0) {
+-              err = -EINVAL;
+-              goto fail;
++      if (frame_interval.numerator == 0 || frame_interval.denominator == 0) {
++              frame_interval.denominator = IMX274_DEF_FRAME_RATE;
++              frame_interval.numerator = 1;
+       }
+       req_frame_rate = (u32)(frame_interval.denominator
+-- 
+2.27.0
+
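Review bot: The new fallback in imx274_set_frame_interval() silently replaces a zero numerator or denominator with the default rate, and nothing in the code says this is required behaviour rather than an oversight. A comment on the branch would make the intent clear, e.g. `/* a zero numerator or denominator selects the default frame interval */`. Both functions touched here start and end outside the hunks shown.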
diff --git a/queue-5.4/media-platform-improve-queue-set-up-flow-for-bug-fix.patch b/queue-5.4/media-platform-improve-queue-set-up-flow-for-bug-fix.patch
new file mode 100644 (file)
index 0000000..29d4bc4
--- /dev/null
@@ -0,0 +1,41 @@
+From 9c0d621162b63f690aeab96495346b441b80a004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 09:11:35 +0200
+Subject: media: platform: Improve queue set up flow for bug fixing
+
+From: Xia Jiang <xia.jiang@mediatek.com>
+
+[ Upstream commit 5095a6413a0cf896ab468009b6142cb0fe617e66 ]
+
+Add checking created buffer size follow in mtk_jpeg_queue_setup().
+
+Reviewed-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Xia Jiang <xia.jiang@mediatek.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
+index ee802fc3bcdfc..9fa1bc5514f3e 100644
+--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
++++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
+@@ -571,6 +571,13 @@ static int mtk_jpeg_queue_setup(struct vb2_queue *q,
+       if (!q_data)
+               return -EINVAL;
++      if (*num_planes) {
++              for (i = 0; i < *num_planes; i++)
++                      if (sizes[i] < q_data->sizeimage[i])
++                              return -EINVAL;
++              return 0;
++      }
++
+       *num_planes = q_data->fmt->colplanes;
+       for (i = 0; i < q_data->fmt->colplanes; i++) {
+               sizes[i] = q_data->sizeimage[i];
+-- 
+2.27.0
+
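Review bot: In the added `if (*num_planes)` branch of mtk_jpeg_queue_setup(), the loop bound is the caller-supplied `*num_planes`, and it is never compared with `q_data->fmt->colplanes`, so a request with a different plane count than the current format is accepted as long as each `sizes[i]` passes. Whether the videobuf2 core bounds that count tightly enough to keep `q_data->sizeimage[i]` meaningful is not visible here, so a guard such as `if (*num_planes != q_data->fmt->colplanes) return -EINVAL;` ahead of the loop would make the validation self-contained. The nested `for`/`if` without braces is also easy to break in a later edit. The function body continues outside the hunk.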
diff --git a/queue-5.4/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch b/queue-5.4/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch
new file mode 100644 (file)
index 0000000..f5f217a
--- /dev/null
@@ -0,0 +1,63 @@
+From ac6d4a5c3e6ed0a06d8f764da2030e62f1f1734b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Aug 2020 21:25:18 +0200
+Subject: media: tw5864: check status of tw5864_frameinterval_get
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 780d815dcc9b34d93ae69385a8465c38d423ff0f ]
+
+clang static analysis reports this problem
+
+tw5864-video.c:773:32: warning: The left expression of the compound
+  assignment is an uninitialized value.
+  The computed value will also be garbage
+        fintv->stepwise.max.numerator *= std_max_fps;
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
+
+stepwise.max is set with frameinterval, which comes from
+
+       ret = tw5864_frameinterval_get(input, &frameinterval);
+       fintv->stepwise.step = frameinterval;
+       fintv->stepwise.min = frameinterval;
+       fintv->stepwise.max = frameinterval;
+       fintv->stepwise.max.numerator *= std_max_fps;
+
+When tw5864_frameinterval_get() fails, frameinterval is not
+set. So check the status and fix another similar problem.
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/tw5864/tw5864-video.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/pci/tw5864/tw5864-video.c b/drivers/media/pci/tw5864/tw5864-video.c
+index 09732eed7eb4f..656142c7a2cc7 100644
+--- a/drivers/media/pci/tw5864/tw5864-video.c
++++ b/drivers/media/pci/tw5864/tw5864-video.c
+@@ -767,6 +767,9 @@ static int tw5864_enum_frameintervals(struct file *file, void *priv,
+       fintv->type = V4L2_FRMIVAL_TYPE_STEPWISE;
+       ret = tw5864_frameinterval_get(input, &frameinterval);
++      if (ret)
++              return ret;
++
+       fintv->stepwise.step = frameinterval;
+       fintv->stepwise.min = frameinterval;
+       fintv->stepwise.max = frameinterval;
+@@ -785,6 +788,9 @@ static int tw5864_g_parm(struct file *file, void *priv,
+       cp->capability = V4L2_CAP_TIMEPERFRAME;
+       ret = tw5864_frameinterval_get(input, &cp->timeperframe);
++      if (ret)
++              return ret;
++
+       cp->timeperframe.numerator *= input->frame_interval;
+       cp->capturemode = 0;
+       cp->readbuffers = 2;
+-- 
+2.27.0
+
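Review bot: Both new early returns fire after the output structure has already been partly written: `fintv->type = V4L2_FRMIVAL_TYPE_STEPWISE;` precedes the check in tw5864_enum_frameintervals(), and `cp->capability = V4L2_CAP_TIMEPERFRAME;` precedes it in tw5864_g_parm(). Calling tw5864_frameinterval_get() and testing `ret` before those assignments would leave the caller's struct untouched on failure. Both functions start and end outside the hunks shown, so any earlier writes to the same structs are not visible here.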
diff --git a/queue-5.4/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch b/queue-5.4/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch
new file mode 100644 (file)
index 0000000..58c31b3
--- /dev/null
@@ -0,0 +1,75 @@
+From e64a85d89881dbdd2b04e6637bb6ec9417c2440b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Aug 2020 10:35:30 +0200
+Subject: media: uvcvideo: Fix dereference of out-of-bound list iterator
+
+From: Daniel W. S. Almeida <dwlsalmeida@gmail.com>
+
+[ Upstream commit f875bcc375c738bf2f599ff2e1c5b918dbd07c45 ]
+
+Fixes the following coccinelle report:
+
+drivers/media/usb/uvc/uvc_ctrl.c:1860:5-11:
+ERROR: invalid reference to the index variable of the iterator on line 1854
+
+by adding a boolean variable to check if the loop has found the
+
+Found using - Coccinelle (http://coccinelle.lip6.fr)
+
+[Replace cursor variable with bool found]
+
+Signed-off-by: Daniel W. S. Almeida <dwlsalmeida@gmail.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index a30a8a731eda8..c13ed95cb06fe 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1848,30 +1848,35 @@ int uvc_xu_ctrl_query(struct uvc_video_chain *chain,
+ {
+       struct uvc_entity *entity;
+       struct uvc_control *ctrl;
+-      unsigned int i, found = 0;
++      unsigned int i;
++      bool found;
+       u32 reqflags;
+       u16 size;
+       u8 *data = NULL;
+       int ret;
+       /* Find the extension unit. */
++      found = false;
+       list_for_each_entry(entity, &chain->entities, chain) {
+               if (UVC_ENTITY_TYPE(entity) == UVC_VC_EXTENSION_UNIT &&
+-                  entity->id == xqry->unit)
++                  entity->id == xqry->unit) {
++                      found = true;
+                       break;
++              }
+       }
+-      if (entity->id != xqry->unit) {
++      if (!found) {
+               uvc_trace(UVC_TRACE_CONTROL, "Extension unit %u not found.\n",
+                       xqry->unit);
+               return -ENOENT;
+       }
+       /* Find the control and perform delayed initialization if needed. */
++      found = false;
+       for (i = 0; i < entity->ncontrols; ++i) {
+               ctrl = &entity->controls[i];
+               if (ctrl->index == xqry->selector - 1) {
+-                      found = 1;
++                      found = true;
+                       break;
+               }
+       }
+-- 
+2.27.0
+
diff --git a/queue-5.4/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch b/queue-5.4/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch
new file mode 100644 (file)
index 0000000..a6a4221
--- /dev/null
@@ -0,0 +1,117 @@
+From 17eeb168a83c59599160d24ad622ecb35df0c01e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 12:47:16 +0200
+Subject: media: videodev2.h: RGB BT2020 and HSV are always full range
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit b305dfe2e93434b12d438434461b709641f62af4 ]
+
+The default RGB quantization range for BT.2020 is full range (just as for
+all the other RGB pixel encodings), not limited range.
+
+Update the V4L2_MAP_QUANTIZATION_DEFAULT macro and documentation
+accordingly.
+
+Also mention that HSV is always full range and cannot be limited range.
+
+When RGB BT2020 was introduced in V4L2 it was not clear whether it should
+be limited or full range, but full range is the right (and consistent)
+choice.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/uapi/v4l/colorspaces-defs.rst         |  9 ++++-----
+ .../media/uapi/v4l/colorspaces-details.rst      |  5 ++---
+ include/uapi/linux/videodev2.h                  | 17 ++++++++---------
+ 3 files changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/Documentation/media/uapi/v4l/colorspaces-defs.rst b/Documentation/media/uapi/v4l/colorspaces-defs.rst
+index e122bbe3d799d..aabb08130354a 100644
+--- a/Documentation/media/uapi/v4l/colorspaces-defs.rst
++++ b/Documentation/media/uapi/v4l/colorspaces-defs.rst
+@@ -36,8 +36,7 @@ whole range, 0-255, dividing the angular value by 1.41. The enum
+ :c:type:`v4l2_hsv_encoding` specifies which encoding is used.
+ .. note:: The default R'G'B' quantization is full range for all
+-   colorspaces except for BT.2020 which uses limited range R'G'B'
+-   quantization.
++   colorspaces. HSV formats are always full range.
+ .. tabularcolumns:: |p{6.7cm}|p{10.8cm}|
+@@ -169,8 +168,8 @@ whole range, 0-255, dividing the angular value by 1.41. The enum
+       - Details
+     * - ``V4L2_QUANTIZATION_DEFAULT``
+       - Use the default quantization encoding as defined by the
+-      colorspace. This is always full range for R'G'B' (except for the
+-      BT.2020 colorspace) and HSV. It is usually limited range for Y'CbCr.
++      colorspace. This is always full range for R'G'B' and HSV.
++      It is usually limited range for Y'CbCr.
+     * - ``V4L2_QUANTIZATION_FULL_RANGE``
+       - Use the full range quantization encoding. I.e. the range [0…1] is
+       mapped to [0…255] (with possible clipping to [1…254] to avoid the
+@@ -180,4 +179,4 @@ whole range, 0-255, dividing the angular value by 1.41. The enum
+     * - ``V4L2_QUANTIZATION_LIM_RANGE``
+       - Use the limited range quantization encoding. I.e. the range [0…1]
+       is mapped to [16…235]. Cb and Cr are mapped from [-0.5…0.5] to
+-      [16…240].
++      [16…240]. Limited Range cannot be used with HSV.
+diff --git a/Documentation/media/uapi/v4l/colorspaces-details.rst b/Documentation/media/uapi/v4l/colorspaces-details.rst
+index 8b0ba3668101d..fd0cf57691d87 100644
+--- a/Documentation/media/uapi/v4l/colorspaces-details.rst
++++ b/Documentation/media/uapi/v4l/colorspaces-details.rst
+@@ -377,9 +377,8 @@ Colorspace BT.2020 (V4L2_COLORSPACE_BT2020)
+ The :ref:`itu2020` standard defines the colorspace used by Ultra-high
+ definition television (UHDTV). The default transfer function is
+ ``V4L2_XFER_FUNC_709``. The default Y'CbCr encoding is
+-``V4L2_YCBCR_ENC_BT2020``. The default R'G'B' quantization is limited
+-range (!), and so is the default Y'CbCr quantization. The chromaticities
+-of the primary colors and the white reference are:
++``V4L2_YCBCR_ENC_BT2020``. The default Y'CbCr quantization is limited range.
++The chromaticities of the primary colors and the white reference are:
+diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
+index 530638dffd934..3210b3c82a4a2 100644
+--- a/include/uapi/linux/videodev2.h
++++ b/include/uapi/linux/videodev2.h
+@@ -371,9 +371,9 @@ enum v4l2_hsv_encoding {
+ enum v4l2_quantization {
+       /*
+-       * The default for R'G'B' quantization is always full range, except
+-       * for the BT2020 colorspace. For Y'CbCr the quantization is always
+-       * limited range, except for COLORSPACE_JPEG: this is full range.
++       * The default for R'G'B' quantization is always full range.
++       * For Y'CbCr the quantization is always limited range, except
++       * for COLORSPACE_JPEG: this is full range.
+        */
+       V4L2_QUANTIZATION_DEFAULT     = 0,
+       V4L2_QUANTIZATION_FULL_RANGE  = 1,
+@@ -382,14 +382,13 @@ enum v4l2_quantization {
+ /*
+  * Determine how QUANTIZATION_DEFAULT should map to a proper quantization.
+- * This depends on whether the image is RGB or not, the colorspace and the
+- * Y'CbCr encoding.
++ * This depends on whether the image is RGB or not, the colorspace.
++ * The Y'CbCr encoding is not used anymore, but is still there for backwards
++ * compatibility.
+  */
+ #define V4L2_MAP_QUANTIZATION_DEFAULT(is_rgb_or_hsv, colsp, ycbcr_enc) \
+-      (((is_rgb_or_hsv) && (colsp) == V4L2_COLORSPACE_BT2020) ? \
+-       V4L2_QUANTIZATION_LIM_RANGE : \
+-       (((is_rgb_or_hsv) || (colsp) == V4L2_COLORSPACE_JPEG) ? \
+-       V4L2_QUANTIZATION_FULL_RANGE : V4L2_QUANTIZATION_LIM_RANGE))
++      (((is_rgb_or_hsv) || (colsp) == V4L2_COLORSPACE_JPEG) ? \
++       V4L2_QUANTIZATION_FULL_RANGE : V4L2_QUANTIZATION_LIM_RANGE)
+ /*
+  * Deprecated names for opRGB colorspace (IEC 61966-2-5)
+-- 
+2.27.0
+
diff --git a/queue-5.4/memory-emif-remove-bogus-debugfs-error-handling.patch b/queue-5.4/memory-emif-remove-bogus-debugfs-error-handling.patch
new file mode 100644 (file)
index 0000000..f81d1af
--- /dev/null
@@ -0,0 +1,75 @@
+From b5465a79b4d506cb7c7cec1dbb1b46a662d91e2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 14:37:59 +0300
+Subject: memory: emif: Remove bogus debugfs error handling
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fd22781648080cc400772b3c68aa6b059d2d5420 ]
+
+Callers are generally not supposed to check the return values from
+debugfs functions.  Debugfs functions never return NULL so this error
+handling will never trigger.  (Historically debugfs functions used to
+return a mix of NULL and error pointers but it was eventually deemed too
+complicated for something which wasn't intended to be used in normal
+situations).
+
+Delete all the error handling.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
+Link: https://lore.kernel.org/r/20200826113759.GF393664@mwanda
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/emif.c | 33 +++++----------------------------
+ 1 file changed, 5 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/memory/emif.c b/drivers/memory/emif.c
+index 402c6bc8e621d..af296b6fcbbdc 100644
+--- a/drivers/memory/emif.c
++++ b/drivers/memory/emif.c
+@@ -163,35 +163,12 @@ static const struct file_operations emif_mr4_fops = {
+ static int __init_or_module emif_debugfs_init(struct emif_data *emif)
+ {
+-      struct dentry   *dentry;
+-      int             ret;
+-
+-      dentry = debugfs_create_dir(dev_name(emif->dev), NULL);
+-      if (!dentry) {
+-              ret = -ENOMEM;
+-              goto err0;
+-      }
+-      emif->debugfs_root = dentry;
+-
+-      dentry = debugfs_create_file("regcache_dump", S_IRUGO,
+-                      emif->debugfs_root, emif, &emif_regdump_fops);
+-      if (!dentry) {
+-              ret = -ENOMEM;
+-              goto err1;
+-      }
+-
+-      dentry = debugfs_create_file("mr4", S_IRUGO,
+-                      emif->debugfs_root, emif, &emif_mr4_fops);
+-      if (!dentry) {
+-              ret = -ENOMEM;
+-              goto err1;
+-      }
+-
++      emif->debugfs_root = debugfs_create_dir(dev_name(emif->dev), NULL);
++      debugfs_create_file("regcache_dump", S_IRUGO, emif->debugfs_root, emif,
++                          &emif_regdump_fops);
++      debugfs_create_file("mr4", S_IRUGO, emif->debugfs_root, emif,
++                          &emif_mr4_fops);
+       return 0;
+-err1:
+-      debugfs_remove_recursive(emif->debugfs_root);
+-err0:
+-      return ret;
+ }
+ static void __exit emif_debugfs_exit(struct emif_data *emif)
+-- 
+2.27.0
+
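Review bot: After this change emif_debugfs_init() can only `return 0;`, so its `int` return type and any error check at its call site (not visible in this hunk) no longer do anything. Either make the function `void`, or add a one-line comment above the calls such as `/* debugfs failures are deliberately ignored */` so the unconditional success reads as intentional.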
diff --git a/queue-5.4/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch b/queue-5.4/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch
new file mode 100644 (file)
index 0000000..ecff5c1
--- /dev/null
@@ -0,0 +1,166 @@
+From 4ab9680ab88bb917bd3548d073b1f9c2edaf7447 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Oct 2020 16:37:33 +0300
+Subject: mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish()
+
+From: Amit Cohen <amcohen@nvidia.com>
+
+[ Upstream commit 0daf2bf5a2dcf33d446b76360908f109816e2e21 ]
+
+Each EMAD transaction stores the skb used to issue the EMAD request
+('trans->tx_skb') so that the request could be retried in case of a
+timeout. The skb can be freed when a corresponding response is received
+or as part of the retry logic (e.g., failed retransmit, exceeded maximum
+number of retries).
+
+The two tasks (i.e., response processing and retransmits) are
+synchronized by the atomic 'trans->active' field which ensures that
+responses to inactive transactions are ignored.
+
+In case of a failed retransmit the transaction is finished and all of
+its resources are freed. However, the current code does not mark it as
+inactive. Syzkaller was able to hit a race condition in which a
+concurrent response is processed while the transaction's resources are
+being freed, resulting in a use-after-free [1].
+
+Fix the issue by making sure to mark the transaction as inactive after a
+failed retransmit and free its resources only if a concurrent task did
+not already do that.
+
+[1]
+BUG: KASAN: use-after-free in consume_skb+0x30/0x370
+net/core/skbuff.c:833
+Read of size 4 at addr ffff88804f570494 by task syz-executor.0/1004
+
+CPU: 0 PID: 1004 Comm: syz-executor.0 Not tainted 5.8.0-rc7+ #68
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xf6/0x16e lib/dump_stack.c:118
+ print_address_description.constprop.0+0x1c/0x250
+mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ check_memory_region_inline mm/kasan/generic.c:186 [inline]
+ check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192
+ instrument_atomic_read include/linux/instrumented.h:56 [inline]
+ atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
+ refcount_read include/linux/refcount.h:147 [inline]
+ skb_unref include/linux/skbuff.h:1044 [inline]
+ consume_skb+0x30/0x370 net/core/skbuff.c:833
+ mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592
+ mlxsw_emad_process_response drivers/net/ethernet/mellanox/mlxsw/core.c:651 [inline]
+ mlxsw_emad_rx_listener_func+0x5c9/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:672
+ mlxsw_core_skb_receive+0x4df/0x770 drivers/net/ethernet/mellanox/mlxsw/core.c:2063
+ mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline]
+ mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651
+ tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550
+ __do_softirq+0x223/0x964 kernel/softirq.c:292
+ asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711
+
+Allocated by task 1006:
+ save_stack+0x1b/0x40 mm/kasan/common.c:48
+ set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc mm/kasan/common.c:494 [inline]
+ __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467
+ slab_post_alloc_hook mm/slab.h:586 [inline]
+ slab_alloc_node mm/slub.c:2824 [inline]
+ slab_alloc mm/slub.c:2832 [inline]
+ kmem_cache_alloc+0xcd/0x2e0 mm/slub.c:2837
+ __build_skb+0x21/0x60 net/core/skbuff.c:311
+ __netdev_alloc_skb+0x1e2/0x360 net/core/skbuff.c:464
+ netdev_alloc_skb include/linux/skbuff.h:2810 [inline]
+ mlxsw_emad_alloc drivers/net/ethernet/mellanox/mlxsw/core.c:756 [inline]
+ mlxsw_emad_reg_access drivers/net/ethernet/mellanox/mlxsw/core.c:787 [inline]
+ mlxsw_core_reg_access_emad+0x1ab/0x1420 drivers/net/ethernet/mellanox/mlxsw/core.c:1817
+ mlxsw_reg_trans_query+0x39/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:1831
+ mlxsw_sp_sb_pm_occ_clear drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:260 [inline]
+ mlxsw_sp_sb_occ_max_clear+0xbff/0x10a0 drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:1365
+ mlxsw_devlink_sb_occ_max_clear+0x76/0xb0 drivers/net/ethernet/mellanox/mlxsw/core.c:1037
+ devlink_nl_cmd_sb_occ_max_clear_doit+0x1ec/0x280 net/core/devlink.c:1765
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:669 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:714 [inline]
+ genl_rcv_msg+0x617/0x980 net/netlink/genetlink.c:731
+ netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2470
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:742
+ netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
+ netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1330
+ netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0x150/0x190 net/socket.c:671
+ ____sys_sendmsg+0x6d8/0x840 net/socket.c:2359
+ ___sys_sendmsg+0xff/0x170 net/socket.c:2413
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2446
+ do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 73:
+ save_stack+0x1b/0x40 mm/kasan/common.c:48
+ set_track mm/kasan/common.c:56 [inline]
+ kasan_set_free_info mm/kasan/common.c:316 [inline]
+ __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455
+ slab_free_hook mm/slub.c:1474 [inline]
+ slab_free_freelist_hook mm/slub.c:1507 [inline]
+ slab_free mm/slub.c:3072 [inline]
+ kmem_cache_free+0xbe/0x380 mm/slub.c:3088
+ kfree_skbmem net/core/skbuff.c:622 [inline]
+ kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:616
+ __kfree_skb net/core/skbuff.c:679 [inline]
+ consume_skb net/core/skbuff.c:837 [inline]
+ consume_skb+0xe1/0x370 net/core/skbuff.c:831
+ mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592
+ mlxsw_emad_transmit_retry.isra.0+0x9d/0xc0 drivers/net/ethernet/mellanox/mlxsw/core.c:613
+ mlxsw_emad_trans_timeout_work+0x43/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:625
+ process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
+ worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
+ kthread+0x355/0x470 kernel/kthread.c:291
+ ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293
+
+The buggy address belongs to the object at ffff88804f5703c0
+ which belongs to the cache skbuff_head_cache of size 224
+The buggy address is located 212 bytes inside of
+ 224-byte region [ffff88804f5703c0, ffff88804f5704a0)
+The buggy address belongs to the page:
+page:ffffea00013d5c00 refcount:1 mapcount:0 mapping:0000000000000000
+index:0x0
+flags: 0x100000000000200(slab)
+raw: 0100000000000200 dead000000000100 dead000000000122 ffff88806c625400
+raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88804f570380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff88804f570400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88804f570480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
+                         ^
+ ffff88804f570500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88804f570580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
+
+Fixes: caf7297e7ab5f ("mlxsw: core: Introduce support for asynchronous EMAD register access")
+Signed-off-by: Amit Cohen <amcohen@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c
+index 7277706847b18..8f0eec9fb17bd 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -493,6 +493,9 @@ static void mlxsw_emad_transmit_retry(struct mlxsw_core *mlxsw_core,
+               err = mlxsw_emad_transmit(trans->core, trans);
+               if (err == 0)
+                       return;
++
++              if (!atomic_dec_and_test(&trans->active))
++                      return;
+       } else {
+               err = -EIO;
+       }
+-- 
+2.27.0
+
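Review bot: The added `atomic_dec_and_test(&trans->active)` check in mlxsw_emad_transmit_retry() carries the whole use-after-free fix but has no comment, and the ownership rule it encodes is easy to break in a later edit. A short comment above it would help, e.g. `/* Only the path that drops 'active' to zero may finish the transaction; a concurrent response may already have done so. */`. The `else` branch sets `err = -EIO` without touching `trans->active`; presumably the caller has already cleared it on that path, but that code is outside the hunk and is worth confirming against the 5.4 tree when backporting.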
diff --git a/queue-5.4/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch b/queue-5.4/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch
new file mode 100644 (file)
index 0000000..56988e0
--- /dev/null
@@ -0,0 +1,116 @@
+From 338d4aedaa113ee7f9b72ad805244316ba3b96a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 14:52:16 +1000
+Subject: mm: fix exec activate_mm vs TLB shootdown and lazy tlb switching race
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit d53c3dfb23c45f7d4f910c3a3ca84bf0a99c6143 ]
+
+Reading and modifying current->mm and current->active_mm and switching
+mm should be done with irqs off, to prevent races seeing an intermediate
+state.
+
+This is similar to commit 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB
+invalidate"). At exec-time when the new mm is activated, the old one
+should usually be single-threaded and no longer used, unless something
+else is holding an mm_users reference (which may be possible).
+
+Absent other mm_users, there is also a race with preemption and lazy tlb
+switching. Consider the kernel_execve case where the current thread is
+using a lazy tlb active mm:
+
+  call_usermodehelper()
+    kernel_execve()
+      old_mm = current->mm;
+      active_mm = current->active_mm;
+      *** preempt *** -------------------->  schedule()
+                                               prev->active_mm = NULL;
+                                               mmdrop(prev active_mm);
+                                             ...
+                      <--------------------  schedule()
+      current->mm = mm;
+      current->active_mm = mm;
+      if (!old_mm)
+          mmdrop(active_mm);
+
+If we switch back to the kernel thread from a different mm, there is a
+double free of the old active_mm, and a missing free of the new one.
+
+Closing this race only requires interrupts to be disabled while ->mm
+and ->active_mm are being switched, but the TLB problem requires also
+holding interrupts off over activate_mm. Unfortunately not all archs
+can do that yet, e.g., arm defers the switch if irqs are disabled and
+expects finish_arch_post_lock_switch() to be called to complete the
+flush; um takes a blocking lock in activate_mm().
+
+So as a first step, disable interrupts across the mm/active_mm updates
+to close the lazy tlb preempt race, and provide an arch option to
+extend that to activate_mm which allows architectures doing IPI based
+TLB shootdowns to close the second race.
+
+This is a bit ugly, but in the interest of fixing the bug and backporting
+before all architectures are converted this is a compromise.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200914045219.3736466-2-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/Kconfig |  7 +++++++
+ fs/exec.c    | 17 +++++++++++++++--
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 238dccfa76910..84653a823d3b0 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -405,6 +405,13 @@ config MMU_GATHER_NO_RANGE
+ config HAVE_MMU_GATHER_NO_GATHER
+       bool
++config ARCH_WANT_IRQS_OFF_ACTIVATE_MM
++      bool
++      help
++        Temporary select until all architectures can be converted to have
++        irqs disabled over activate_mm. Architectures that do IPI based TLB
++        shootdowns should enable this.
++
+ config ARCH_HAVE_NMI_SAFE_CMPXCHG
+       bool
+diff --git a/fs/exec.c b/fs/exec.c
+index de833553ae27d..2441eb1a1e2d0 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1044,11 +1044,24 @@ static int exec_mmap(struct mm_struct *mm)
+       }
+       task_lock(tsk);
+-      active_mm = tsk->active_mm;
+       membarrier_exec_mmap(mm);
+-      tsk->mm = mm;
++
++      local_irq_disable();
++      active_mm = tsk->active_mm;
+       tsk->active_mm = mm;
++      tsk->mm = mm;
++      /*
++       * This prevents preemption while active_mm is being loaded and
++       * it and mm are being updated, which could cause problems for
++       * lazy tlb mm refcounting when these are updated by context
++       * switches. Not all architectures can handle irqs off over
++       * activate_mm yet.
++       */
++      if (!IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM))
++              local_irq_enable();
+       activate_mm(active_mm, mm);
++      if (IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM))
++              local_irq_enable();
+       tsk->mm->vmacache_seqnum = 0;
+       vmacache_flush(tsk);
+       task_unlock(tsk);
+-- 
+2.27.0
+
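Review bot: The new comment in exec_mmap() explains the first window (the `->mm`/`->active_mm` update) but not why `local_irq_enable()` is deferred until after `activate_mm()` when CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM is set; that rationale lives only in the commit message. A line such as `/* irqs stay off across activate_mm() on archs that do IPI-based TLB shootdowns */` next to the second `IS_ENABLED()` test would keep it with the code. The assignment order of `tsk->active_mm` and `tsk->mm` is also swapped relative to the removed lines without explanation; if the order matters, the comment should say so. exec_mmap() starts and ends outside the hunk.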
diff --git a/queue-5.4/mmc-via-sdmmc-fix-data-race-bug.patch b/queue-5.4/mmc-via-sdmmc-fix-data-race-bug.patch
new file mode 100644 (file)
index 0000000..2793094
--- /dev/null
@@ -0,0 +1,48 @@
+From a7d21b9957db2cadea53998f930b7d214c4f83d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Aug 2020 11:45:28 +0530
+Subject: mmc: via-sdmmc: Fix data race bug
+
+From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+
+[ Upstream commit 87d7ad089b318b4f319bf57f1daa64eb6d1d10ad ]
+
+via_save_pcictrlreg() should be called with host->lock held
+as it writes to pm_pcictrl_reg, otherwise there can be a race
+condition between via_sd_suspend() and via_sdc_card_detect().
+The same pattern is used in the function via_reset_pcictrl()
+as well, where via_save_pcictrlreg() is called with host->lock
+held.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+Link: https://lore.kernel.org/r/20200822061528.7035-1-madhuparnabhowmik10@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/via-sdmmc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
+index 8d96ecba1b553..d12a068b0f9ed 100644
+--- a/drivers/mmc/host/via-sdmmc.c
++++ b/drivers/mmc/host/via-sdmmc.c
+@@ -1259,11 +1259,14 @@ static void via_init_sdc_pm(struct via_crdr_mmc_host *host)
+ static int via_sd_suspend(struct pci_dev *pcidev, pm_message_t state)
+ {
+       struct via_crdr_mmc_host *host;
++      unsigned long flags;
+       host = pci_get_drvdata(pcidev);
++      spin_lock_irqsave(&host->lock, flags);
+       via_save_pcictrlreg(host);
+       via_save_sdcreg(host);
++      spin_unlock_irqrestore(&host->lock, flags);
+       pci_save_state(pcidev);
+       pci_enable_wake(pcidev, pci_choose_state(pcidev, state), 0);
+-- 
+2.27.0
+
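Review bot: via_save_pcictrlreg() and via_save_sdcreg() now run under host->lock in via_sd_suspend(), but nothing records that locking requirement at the callees, so a future caller can repeat the race the description explains. A `lockdep_assert_held(&host->lock);` at the top of via_save_pcictrlreg(), or a comment there such as `/* Caller must hold host->lock: writes pm_pcictrl_reg */`, would make the contract checkable. via_sd_suspend() continues past the end of the hunk and the resume path is not visible here, so whether the matching restore takes the same lock should be confirmed.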
diff --git a/queue-5.4/nbd-make-the-config-put-is-called-before-the-notifyi.patch b/queue-5.4/nbd-make-the-config-put-is-called-before-the-notifyi.patch
new file mode 100644 (file)
index 0000000..58d1c21
--- /dev/null
@@ -0,0 +1,43 @@
+From f5587f44cff02fc4f90aa7397ba7ede3a193de71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 22:45:14 -0400
+Subject: nbd: make the config put is called before the notifying the waiter
+
+From: Xiubo Li <xiubli@redhat.com>
+
+[ Upstream commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 ]
+
+There has one race case for ceph's rbd-nbd tool. When do mapping
+it may fail with EBUSY from ioctl(nbd, NBD_DO_IT), but actually
+the nbd device has already unmaped.
+
+It dues to if just after the wake_up(), the recv_work() is scheduled
+out and defers calling the nbd_config_put(), though the map process
+has exited the "nbd->recv_task" is not cleared.
+
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 7c577cabb9c3b..742f8160b6e28 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -787,9 +787,9 @@ static void recv_work(struct work_struct *work)
+               blk_mq_complete_request(blk_mq_rq_from_pdu(cmd));
+       }
++      nbd_config_put(nbd);
+       atomic_dec(&config->recv_threads);
+       wake_up(&config->recv_wq);
+-      nbd_config_put(nbd);
+       kfree(args);
+ }
+-- 
+2.27.0
+
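Review bot: In recv_work(), `nbd_config_put(nbd);` now runs before `atomic_dec(&config->recv_threads);` and `wake_up(&config->recv_wq);`, so if that put can drop the last reference to the config, both following lines touch memory that may already be freed. Whether another holder is guaranteed to keep the config alive at this point is not visible in the hunk; if none is, the EBUSY race fixed here is traded for a use-after-free. At minimum, add a comment above the put naming the reference that still pins `config`; otherwise keep the reference until after the wake-up and clear the stale state the waiter checks by other means. The start of recv_work() is outside the hunk.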
diff --git a/queue-5.4/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch b/queue-5.4/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch
new file mode 100644 (file)
index 0000000..8de0e15
--- /dev/null
@@ -0,0 +1,45 @@
+From e86af9de58f8c51b18f097cb2aca877cea272264 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 09:54:04 +0530
+Subject: net: 9p: initialize sun_server.sun_path to have addr's value only
+ when addr is valid
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+[ Upstream commit 7ca1db21ef8e0e6725b4d25deed1ca196f7efb28 ]
+
+In p9_fd_create_unix, checking is performed to see if the addr (passed
+as an argument) is NULL or not.
+However, no check is performed to see if addr is a valid address, i.e.,
+it doesn't entirely consist of only 0's.
+The initialization of sun_server.sun_path to be equal to this faulty
+addr value leads to an uninitialized variable, as detected by KMSAN.
+Checking for this (faulty addr) and returning a negative error number
+appropriately, resolves this issue.
+
+Link: http://lkml.kernel.org/r/20201012042404.2508-1-anant.thazhemadam@gmail.com
+Reported-by: syzbot+75d51fe5bf4ebe988518@syzkaller.appspotmail.com
+Tested-by: syzbot+75d51fe5bf4ebe988518@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 12ecacf0c55fb..60eb9a2b209be 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -1023,7 +1023,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
+       csocket = NULL;
+-      if (addr == NULL)
++      if (!addr || !strlen(addr))
+               return -EINVAL;
+       if (strlen(addr) >= UNIX_PATH_MAX) {
+-- 
+2.27.0
+
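Review bot: The empty-string test in p9_fd_create_unix() scans the whole string with strlen() only to compare the result with zero, and the next check calls strlen(addr) again. `if (!addr || !*addr)` expresses the same condition without the scan, or the length can be computed once into a local and reused for the UNIX_PATH_MAX comparison. The function body continues outside the hunk.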
diff --git a/queue-5.4/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch b/queue-5.4/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch
new file mode 100644 (file)
index 0000000..2aadea6
--- /dev/null
@@ -0,0 +1,62 @@
+From 9cfdc54049f082fd2b2d3a4b7f5c1315884c3f14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Aug 2020 12:11:47 -0400
+Subject: NFS4: Fix oops when copy_file_range is attempted with NFS4.0 source
+
+From: Dave Wysochanski <dwysocha@redhat.com>
+
+[ Upstream commit d8a6ad913c286d4763ae20b14c02fe6f39d7cd9f ]
+
+The following oops is seen during xfstest/565 when the 'test'
+(source of the copy) is NFS4.0 and 'scratch' (destination) is NFS4.2
+[   59.692458] run fstests generic/565 at 2020-08-01 05:50:35
+[   60.613588] BUG: kernel NULL pointer dereference, address: 0000000000000008
+[   60.624970] #PF: supervisor read access in kernel mode
+[   60.627671] #PF: error_code(0x0000) - not-present page
+[   60.630347] PGD 0 P4D 0
+[   60.631853] Oops: 0000 [#1] SMP PTI
+[   60.634086] CPU: 6 PID: 2828 Comm: xfs_io Kdump: loaded Not tainted 5.8.0-rc3 #1
+[   60.637676] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+[   60.639901] RIP: 0010:nfs4_check_serverowner_major_id+0x5/0x30 [nfsv4]
+[   60.642719] Code: 89 ff e8 3e b3 b8 e1 e9 71 fe ff ff 41 bc da d8 ff ff e9 c3 fe ff ff e8 e9 9d 08 e2 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <8b> 57 08 31 c0 3b 56 08 75 12 48 83 c6 0c 48 83 c7 0c e8 c4 97 bb
+[   60.652629] RSP: 0018:ffffc265417f7e10 EFLAGS: 00010287
+[   60.655379] RAX: ffffa0664b066400 RBX: 0000000000000000 RCX: 0000000000000001
+[   60.658754] RDX: ffffa066725fb000 RSI: ffffa066725fd000 RDI: 0000000000000000
+[   60.662292] RBP: 0000000000020000 R08: 0000000000020000 R09: 0000000000000000
+[   60.666189] R10: 0000000000000003 R11: 0000000000000000 R12: ffffa06648258d00
+[   60.669914] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa06648258100
+[   60.673645] FS:  00007faa9fb35800(0000) GS:ffffa06677d80000(0000) knlGS:0000000000000000
+[   60.677698] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   60.680773] CR2: 0000000000000008 CR3: 0000000203f14000 CR4: 00000000000406e0
+[   60.684476] Call Trace:
+[   60.685809]  nfs4_copy_file_range+0xfc/0x230 [nfsv4]
+[   60.688704]  vfs_copy_file_range+0x2ee/0x310
+[   60.691104]  __x64_sys_copy_file_range+0xd6/0x210
+[   60.693527]  do_syscall_64+0x4d/0x90
+[   60.695512]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[   60.698006] RIP: 0033:0x7faa9febc1bd
+
+Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
+index 534b6fd70ffdb..6b31cb5f9c9db 100644
+--- a/fs/nfs/nfs4file.c
++++ b/fs/nfs/nfs4file.c
+@@ -138,7 +138,8 @@ static ssize_t __nfs4_copy_file_range(struct file *file_in, loff_t pos_in,
+       /* Only offload copy if superblock is the same */
+       if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb)
+               return -EXDEV;
+-      if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY))
++      if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY) ||
++          !nfs_server_capable(file_inode(file_in), NFS_CAP_COPY))
+               return -EOPNOTSUPP;
+       if (file_inode(file_in) == file_inode(file_out))
+               return -EOPNOTSUPP;
+-- 
+2.27.0
+
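Review bot: The added `!nfs_server_capable(file_inode(file_in), NFS_CAP_COPY)` test sits directly after the check that returns -EXDEV unless both inodes share one superblock, so in this tree it may never evaluate differently from the file_out test. If nfs_server_capable() derives the capability from the inode's superblock (its definition is not in the hunk), source and destination are the same server by the time this line runs. The case in the description, an NFS4.0 source with an NFS4.2 destination, would then already have been turned away by the -EXDEV return. It is worth confirming that the backport is needed on 5.4, or adding a comment saying why the second test is kept. __nfs4_copy_file_range() starts and ends outside the hunk.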
diff --git a/queue-5.4/nvme-rdma-fix-crash-when-connect-rejected.patch b/queue-5.4/nvme-rdma-fix-crash-when-connect-rejected.patch
new file mode 100644 (file)
index 0000000..0727f66
--- /dev/null
@@ -0,0 +1,47 @@
+From 3d60426ae20f5f0021c4c50b6227ea684807445b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 16:10:40 +0800
+Subject: nvme-rdma: fix crash when connect rejected
+
+From: Chao Leng <lengchao@huawei.com>
+
+[ Upstream commit 43efdb8e870ee0f58633fd579aa5b5185bf5d39e ]
+
+A crash can happened when a connect is rejected.   The host establishes
+the connection after received ConnectReply, and then continues to send
+the fabrics Connect command.  If the controller does not receive the
+ReadyToUse capsule, host may receive a ConnectReject reply.
+
+Call nvme_rdma_destroy_queue_ib after the host received the
+RDMA_CM_EVENT_REJECTED event.  Then when the fabrics Connect command
+times out, nvme_rdma_timeout calls nvme_rdma_complete_rq to fail the
+request.  A crash happenes due to use after free in
+nvme_rdma_complete_rq.
+
+nvme_rdma_destroy_queue_ib is redundant when handling the
+RDMA_CM_EVENT_REJECTED event as nvme_rdma_destroy_queue_ib is already
+called in connection failure handler.
+
+Signed-off-by: Chao Leng <lengchao@huawei.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index abe4fe496d05c..a41ee9feab8e7 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -1679,7 +1679,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id,
+               complete(&queue->cm_done);
+               return 0;
+       case RDMA_CM_EVENT_REJECTED:
+-              nvme_rdma_destroy_queue_ib(queue);
+               cm_error = nvme_rdma_conn_rejected(queue, ev);
+               break;
+       case RDMA_CM_EVENT_ROUTE_ERROR:
+-- 
+2.27.0
+
diff --git a/queue-5.4/power-supply-bq27xxx-report-not-charging-on-all-type.patch b/queue-5.4/power-supply-bq27xxx-report-not-charging-on-all-type.patch
new file mode 100644 (file)
index 0000000..30ebd8f
--- /dev/null
@@ -0,0 +1,55 @@
+From 0444b609ef1f5449df15a5818d4dfa5794495379 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Sep 2020 16:04:14 +0200
+Subject: power: supply: bq27xxx: report "not charging" on all types
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 7bf738ba110722b63e9dc8af760d3fb2aef25593 ]
+
+Commit 6f24ff97e323 ("power: supply: bq27xxx_battery: Add the
+BQ27Z561 Battery monitor") and commit d74534c27775 ("power:
+bq27xxx_battery: Add support for additional bq27xxx family devices")
+added support for new device types by copying most of the code and
+adding necessary quirks.
+
+However they did not copy the code in bq27xxx_battery_status()
+responsible for returning POWER_SUPPLY_STATUS_NOT_CHARGING.
+
+Unify the bq27xxx_battery_status() so for all types when charger is
+supplied, it will return "not charging" status.
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c
+index 664e50103eaaf..aff0a0a5e7f8c 100644
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1678,8 +1678,6 @@ static int bq27xxx_battery_status(struct bq27xxx_device_info *di,
+                       status = POWER_SUPPLY_STATUS_FULL;
+               else if (di->cache.flags & BQ27000_FLAG_CHGS)
+                       status = POWER_SUPPLY_STATUS_CHARGING;
+-              else if (power_supply_am_i_supplied(di->bat) > 0)
+-                      status = POWER_SUPPLY_STATUS_NOT_CHARGING;
+               else
+                       status = POWER_SUPPLY_STATUS_DISCHARGING;
+       } else {
+@@ -1691,6 +1689,10 @@ static int bq27xxx_battery_status(struct bq27xxx_device_info *di,
+                       status = POWER_SUPPLY_STATUS_CHARGING;
+       }
++      if ((status == POWER_SUPPLY_STATUS_DISCHARGING) &&
++          (power_supply_am_i_supplied(di->bat) > 0))
++              status = POWER_SUPPLY_STATUS_NOT_CHARGING;
++
+       val->intval = status;
+       return 0;
+-- 
+2.27.0
+
diff --git a/queue-5.4/power-supply-test_power-add-missing-newlines-when-pr.patch b/queue-5.4/power-supply-test_power-add-missing-newlines-when-pr.patch
new file mode 100644 (file)
index 0000000..d98dd18
--- /dev/null
@@ -0,0 +1,84 @@
+From 167eb4c7e1f197f41cd334ea5bd81cf70f9992b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 14:09:58 +0800
+Subject: power: supply: test_power: add missing newlines when printing
+ parameters by sysfs
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit c07fa6c1631333f02750cf59f22b615d768b4d8f ]
+
+When I cat some module parameters by sysfs, it displays as follows.
+It's better to add a newline for easy reading.
+
+root@syzkaller:~# cd /sys/module/test_power/parameters/
+root@syzkaller:/sys/module/test_power/parameters# cat ac_online
+onroot@syzkaller:/sys/module/test_power/parameters# cat battery_present
+trueroot@syzkaller:/sys/module/test_power/parameters# cat battery_health
+goodroot@syzkaller:/sys/module/test_power/parameters# cat battery_status
+dischargingroot@syzkaller:/sys/module/test_power/parameters# cat battery_technology
+LIONroot@syzkaller:/sys/module/test_power/parameters# cat usb_online
+onroot@syzkaller:/sys/module/test_power/parameters#
+
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/test_power.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/power/supply/test_power.c b/drivers/power/supply/test_power.c
+index c3cad2b6dabae..1139ca7251952 100644
+--- a/drivers/power/supply/test_power.c
++++ b/drivers/power/supply/test_power.c
+@@ -341,6 +341,7 @@ static int param_set_ac_online(const char *key, const struct kernel_param *kp)
+ static int param_get_ac_online(char *buffer, const struct kernel_param *kp)
+ {
+       strcpy(buffer, map_get_key(map_ac_online, ac_online, "unknown"));
++      strcat(buffer, "\n");
+       return strlen(buffer);
+ }
+@@ -354,6 +355,7 @@ static int param_set_usb_online(const char *key, const struct kernel_param *kp)
+ static int param_get_usb_online(char *buffer, const struct kernel_param *kp)
+ {
+       strcpy(buffer, map_get_key(map_ac_online, usb_online, "unknown"));
++      strcat(buffer, "\n");
+       return strlen(buffer);
+ }
+@@ -368,6 +370,7 @@ static int param_set_battery_status(const char *key,
+ static int param_get_battery_status(char *buffer, const struct kernel_param *kp)
+ {
+       strcpy(buffer, map_get_key(map_status, battery_status, "unknown"));
++      strcat(buffer, "\n");
+       return strlen(buffer);
+ }
+@@ -382,6 +385,7 @@ static int param_set_battery_health(const char *key,
+ static int param_get_battery_health(char *buffer, const struct kernel_param *kp)
+ {
+       strcpy(buffer, map_get_key(map_health, battery_health, "unknown"));
++      strcat(buffer, "\n");
+       return strlen(buffer);
+ }
+@@ -397,6 +401,7 @@ static int param_get_battery_present(char *buffer,
+                                       const struct kernel_param *kp)
+ {
+       strcpy(buffer, map_get_key(map_present, battery_present, "unknown"));
++      strcat(buffer, "\n");
+       return strlen(buffer);
+ }
+@@ -414,6 +419,7 @@ static int param_get_battery_technology(char *buffer,
+ {
+       strcpy(buffer,
+               map_get_key(map_technology, battery_technology, "unknown"));
++      strcat(buffer, "\n");
+       return strlen(buffer);
+ }
+-- 
+2.27.0
+
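Review bot: All six getters (param_get_ac_online, param_get_usb_online, param_get_battery_status, param_get_battery_health, param_get_battery_present, param_get_battery_technology) build their output with an unbounded `strcpy()`, and the added `strcat()` is a second unbounded write into `buffer`. The strings returned by map_get_key() look like short constants, so an overflow is unlikely today, but one bounded call does the same job and survives a longer key: `return scnprintf(buffer, PAGE_SIZE, "%s\n", map_get_key(map_ac_online, ac_online, "unknown"));`. PAGE_SIZE is the assumed size of the buffer handed to a kernel_param getter; confirm that before applying.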
diff --git a/queue-5.4/powerpc-powernv-smp-fix-spurious-dbg-warning.patch b/queue-5.4/powerpc-powernv-smp-fix-spurious-dbg-warning.patch
new file mode 100644 (file)
index 0000000..fa0d740
--- /dev/null
@@ -0,0 +1,55 @@
+From 0c8971ccc674e879e36c5880945e64103628d573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Aug 2020 10:54:05 +1000
+Subject: powerpc/powernv/smp: Fix spurious DBG() warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+[ Upstream commit f6bac19cf65c5be21d14a0c9684c8f560f2096dd ]
+
+When building with W=1 we get the following warning:
+
+ arch/powerpc/platforms/powernv/smp.c: In function â€˜pnv_smp_cpu_kill_self’:
+ arch/powerpc/platforms/powernv/smp.c:276:16: error: suggest braces around
+       empty body in an â€˜if’ statement [-Werror=empty-body]
+   276 |      cpu, srr1);
+       |                ^
+ cc1: all warnings being treated as errors
+
+The full context is this block:
+
+ if (srr1 && !generic_check_cpu_restart(cpu))
+       DBG("CPU%d Unexpected exit while offline srr1=%lx!\n",
+                       cpu, srr1);
+
+When building with DEBUG undefined DBG() expands to nothing and GCC emits
+the warning due to the lack of braces around an empty statement.
+
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200804005410.146094-2-oohall@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c
+index b2ba3e95bda73..bbf361f23ae86 100644
+--- a/arch/powerpc/platforms/powernv/smp.c
++++ b/arch/powerpc/platforms/powernv/smp.c
+@@ -43,7 +43,7 @@
+ #include <asm/udbg.h>
+ #define DBG(fmt...) udbg_printf(fmt)
+ #else
+-#define DBG(fmt...)
++#define DBG(fmt...) do { } while (0)
+ #endif
+ static void pnv_smp_setup_cpu(int cpu)
+-- 
+2.27.0
+
diff --git a/queue-5.4/powerpc-select-arch_want_irqs_off_activate_mm.patch b/queue-5.4/powerpc-select-arch_want_irqs_off_activate_mm.patch
new file mode 100644 (file)
index 0000000..5ba0ac7
--- /dev/null
@@ -0,0 +1,50 @@
+From 172fe229ab013c00c725c5c1fc0caaeb4c7dad7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 14:52:17 +1000
+Subject: powerpc: select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 66acd46080bd9e5ad2be4b0eb1d498d5145d058e ]
+
+powerpc uses IPIs in some situations to switch a kernel thread away
+from a lazy tlb mm, which is subject to the TLB flushing race
+described in the changelog introducing ARCH_WANT_IRQS_OFF_ACTIVATE_MM.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200914045219.3736466-3-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/Kconfig                   | 1 +
+ arch/powerpc/include/asm/mmu_context.h | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index ad620637cbd11..27ef333e96f6d 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -147,6 +147,7 @@ config PPC
+       select ARCH_USE_BUILTIN_BSWAP
+       select ARCH_USE_CMPXCHG_LOCKREF         if PPC64
+       select ARCH_WANT_IPC_PARSE_VERSION
++      select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
+       select ARCH_WEAK_RELEASE_ACQUIRE
+       select BINFMT_ELF
+       select BUILDTIME_EXTABLE_SORT
+diff --git a/arch/powerpc/include/asm/mmu_context.h b/arch/powerpc/include/asm/mmu_context.h
+index 58efca9343113..f132b418a8c7a 100644
+--- a/arch/powerpc/include/asm/mmu_context.h
++++ b/arch/powerpc/include/asm/mmu_context.h
+@@ -216,7 +216,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+  */
+ static inline void activate_mm(struct mm_struct *prev, struct mm_struct *next)
+ {
+-      switch_mm(prev, next, current);
++      switch_mm_irqs_off(prev, next, current);
+ }
+ /* We don't currently use enter_lazy_tlb() for anything */
+-- 
+2.27.0
+
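Review bot: activate_mm() now calls switch_mm_irqs_off(), which makes every caller responsible for having interrupts disabled, yet neither the function nor the comment above it says so. This is only correct together with the exec_mmap() change that keeps irqs off across activate_mm() when ARCH_WANT_IRQS_OFF_ACTIVATE_MM is selected, so the two patches have to be applied together. I would add `lockdep_assert_irqs_disabled();` as the first statement of activate_mm(), or at least the comment `/* Must be called with irqs disabled, see ARCH_WANT_IRQS_OFF_ACTIVATE_MM */`. Any other powerpc caller of activate_mm() (none is visible here) needs the same audit.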
diff --git a/queue-5.4/printk-reduce-log_buf_shift-range-for-h8300.patch b/queue-5.4/printk-reduce-log_buf_shift-range-for-h8300.patch
new file mode 100644 (file)
index 0000000..288aad8
--- /dev/null
@@ -0,0 +1,42 @@
+From fc792056b46b4b9562c20c6f98e6a75efcdb811f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Aug 2020 09:37:22 +0206
+Subject: printk: reduce LOG_BUF_SHIFT range for H8300
+
+From: John Ogness <john.ogness@linutronix.de>
+
+[ Upstream commit 550c10d28d21bd82a8bb48debbb27e6ed53262f6 ]
+
+The .bss section for the h8300 is relatively small. A value of
+CONFIG_LOG_BUF_SHIFT that is larger than 19 will create a static
+printk ringbuffer that is too large. Limit the range appropriately
+for the H8300.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20200812073122.25412-1-john.ogness@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 6db3e310a5e42..96fc45d1b686b 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -594,7 +594,8 @@ config IKHEADERS
+ config LOG_BUF_SHIFT
+       int "Kernel log buffer size (16 => 64KB, 17 => 128KB)"
+-      range 12 25
++      range 12 25 if !H8300
++      range 12 19 if H8300
+       default 17
+       depends on PRINTK
+       help
+-- 
+2.27.0
+
diff --git a/queue-5.4/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch b/queue-5.4/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch
new file mode 100644 (file)
index 0000000..0401720
--- /dev/null
@@ -0,0 +1,37 @@
+From c90b3365c214f12ccff87a2db631db98e8541ccd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Oct 2020 11:50:08 +0000
+Subject: RDMA/qedr: Fix memory leak in iWARP CM
+
+From: Alok Prasad <palok@marvell.com>
+
+[ Upstream commit a2267f8a52eea9096861affd463f691be0f0e8c9 ]
+
+Fixes memory leak in iWARP CM
+
+Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
+Link: https://lore.kernel.org/r/20201021115008.28138-1-palok@marvell.com
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Alok Prasad <palok@marvell.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/qedr_iw_cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+index e521f3c3dbbf1..653ddf30973ec 100644
+--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+@@ -727,6 +727,7 @@ int qedr_iw_destroy_listen(struct iw_cm_id *cm_id)
+                                                   listener->qed_handle);
+       cm_id->rem_ref(cm_id);
++      kfree(listener);
+       return rc;
+ }
+-- 
+2.27.0
+
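Review bot: `kfree(listener);` in qedr_iw_destroy_listen() runs unconditionally, including when the call that produced `rc` failed; that call starts outside the hunk. If a failed destroy can leave the lower layer still holding `listener` as its callback context, a later event would dereference freed memory. That cannot be decided from the hunk. A short comment above the kfree stating why no further events can reference the listener at this point would settle the question.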
diff --git a/queue-5.4/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch b/queue-5.4/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch
new file mode 100644 (file)
index 0000000..a8f3bda
--- /dev/null
@@ -0,0 +1,38 @@
+From 42e82a0d84d5c849260b27b84624f92b1d933a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Aug 2020 15:33:49 +0800
+Subject: riscv: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
+
+From: Zong Li <zong.li@sifive.com>
+
+[ Upstream commit b5fca7c55f9fbab5ad732c3bce00f31af6ba5cfa ]
+
+AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
+NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
+for RISC-V at all even though ARCH_DLINFO will contain one NEW_AUX_ENT
+for the VDSO address.
+
+Signed-off-by: Zong Li <zong.li@sifive.com>
+Reviewed-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Reviewed-by: Pekka Enberg <penberg@kernel.org>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/uapi/asm/auxvec.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/riscv/include/uapi/asm/auxvec.h b/arch/riscv/include/uapi/asm/auxvec.h
+index d86cb17bbabe6..22e0ae8884061 100644
+--- a/arch/riscv/include/uapi/asm/auxvec.h
++++ b/arch/riscv/include/uapi/asm/auxvec.h
+@@ -10,4 +10,7 @@
+ /* vDSO location */
+ #define AT_SYSINFO_EHDR 33
++/* entries in ARCH_DLINFO */
++#define AT_VECTOR_SIZE_ARCH   1
++
+ #endif /* _UAPI_ASM_RISCV_AUXVEC_H */
+-- 
+2.27.0
+
diff --git a/queue-5.4/rpmsg-glink-use-complete_all-for-open-states.patch b/queue-5.4/rpmsg-glink-use-complete_all-for-open-states.patch
new file mode 100644 (file)
index 0000000..258a430
--- /dev/null
@@ -0,0 +1,57 @@
+From a5a63f94b352eb8c77494cf072c82986d15114d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 22:15:18 +0530
+Subject: rpmsg: glink: Use complete_all for open states
+
+From: Chris Lew <clew@codeaurora.org>
+
+[ Upstream commit 4fcdaf6e28d11e2f3820d54dd23cd12a47ddd44e ]
+
+The open_req and open_ack completion variables are the state variables
+to represet a remote channel as open. Use complete_all so there are no
+races with waiters and using completion_done.
+
+Signed-off-by: Chris Lew <clew@codeaurora.org>
+Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
+Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
+Link: https://lore.kernel.org/r/1593017121-7953-2-git-send-email-deesin@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 1995f5b3ea677..d5114abcde197 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -970,7 +970,7 @@ static int qcom_glink_rx_open_ack(struct qcom_glink *glink, unsigned int lcid)
+               return -EINVAL;
+       }
+-      complete(&channel->open_ack);
++      complete_all(&channel->open_ack);
+       return 0;
+ }
+@@ -1178,7 +1178,7 @@ static int qcom_glink_announce_create(struct rpmsg_device *rpdev)
+       __be32 *val = defaults;
+       int size;
+-      if (glink->intentless)
++      if (glink->intentless || !completion_done(&channel->open_ack))
+               return 0;
+       prop = of_find_property(np, "qcom,intents", NULL);
+@@ -1413,7 +1413,7 @@ static int qcom_glink_rx_open(struct qcom_glink *glink, unsigned int rcid,
+       channel->rcid = ret;
+       spin_unlock_irqrestore(&glink->idr_lock, flags);
+-      complete(&channel->open_req);
++      complete_all(&channel->open_req);
+       if (create_device) {
+               rpdev = kzalloc(sizeof(*rpdev), GFP_KERNEL);
+-- 
+2.27.0
+
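Review bot: Switching open_ack and open_req to complete_all() leaves both completions permanently signalled, so any path that reuses a channel for a second open has to call reinit_completion() first, and no such reset is visible in these hunks. Without it, a later wait on a reopened channel would return immediately on stale state. Separately, qcom_glink_announce_create() now returns 0 silently when open_ack is not yet done, so the intents are skipped unless something re-runs the announce after the ack arrives. A comment on the new condition saying where that happens would help. All three functions extend beyond their hunks.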
diff --git a/queue-5.4/s390-startup-avoid-save_area_sync-overflow.patch b/queue-5.4/s390-startup-avoid-save_area_sync-overflow.patch
new file mode 100644 (file)
index 0000000..0a65f81
--- /dev/null
@@ -0,0 +1,62 @@
+From 33ff34e5fb4aa0ec0fd4d13f36dd502fad814b44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 19:07:04 +0200
+Subject: s390/startup: avoid save_area_sync overflow
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 2835c2ea95d50625108e47a459e1a47f6be836ce ]
+
+Currently we overflow save_area_sync and write over
+save_area_async. Although this is not a real problem make
+startup_pgm_check_handler consistent with late pgm check handler and
+store [%r0,%r7] directly into gpregs_save_area.
+
+Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/boot/head.S | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/arch/s390/boot/head.S b/arch/s390/boot/head.S
+index 4b86a8d3c1219..e6bf5f40bff34 100644
+--- a/arch/s390/boot/head.S
++++ b/arch/s390/boot/head.S
+@@ -360,22 +360,23 @@ ENTRY(startup_kdump)
+ # the save area and does disabled wait with a faulty address.
+ #
+ ENTRY(startup_pgm_check_handler)
+-      stmg    %r0,%r15,__LC_SAVE_AREA_SYNC
+-      la      %r1,4095
+-      stctg   %c0,%c15,__LC_CREGS_SAVE_AREA-4095(%r1)
+-      mvc     __LC_GPREGS_SAVE_AREA-4095(128,%r1),__LC_SAVE_AREA_SYNC
+-      mvc     __LC_PSW_SAVE_AREA-4095(16,%r1),__LC_PGM_OLD_PSW
++      stmg    %r8,%r15,__LC_SAVE_AREA_SYNC
++      la      %r8,4095
++      stctg   %c0,%c15,__LC_CREGS_SAVE_AREA-4095(%r8)
++      stmg    %r0,%r7,__LC_GPREGS_SAVE_AREA-4095(%r8)
++      mvc     __LC_GPREGS_SAVE_AREA-4095+64(64,%r8),__LC_SAVE_AREA_SYNC
++      mvc     __LC_PSW_SAVE_AREA-4095(16,%r8),__LC_PGM_OLD_PSW
+       mvc     __LC_RETURN_PSW(16),__LC_PGM_OLD_PSW
+       ni      __LC_RETURN_PSW,0xfc    # remove IO and EX bits
+       ni      __LC_RETURN_PSW+1,0xfb  # remove MCHK bit
+       oi      __LC_RETURN_PSW+1,0x2   # set wait state bit
+-      larl    %r2,.Lold_psw_disabled_wait
+-      stg     %r2,__LC_PGM_NEW_PSW+8
+-      l       %r15,.Ldump_info_stack-.Lold_psw_disabled_wait(%r2)
++      larl    %r9,.Lold_psw_disabled_wait
++      stg     %r9,__LC_PGM_NEW_PSW+8
++      l       %r15,.Ldump_info_stack-.Lold_psw_disabled_wait(%r9)
+       brasl   %r14,print_pgm_check_info
+ .Lold_psw_disabled_wait:
+-      la      %r1,4095
+-      lmg     %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1)
++      la      %r8,4095
++      lmg     %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r8)
+       lpswe   __LC_RETURN_PSW         # disabled wait
+ .Ldump_info_stack:
+       .long   0x5000 + PAGE_SIZE - STACK_FRAME_OVERHEAD
+-- 
+2.27.0
+
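Review bot: The code in startup_pgm_check_handler does not say why %r0-%r7 and %r8-%r15 are now stored separately, and the `+64(64,%r8)` operands read as magic numbers. A comment before the first stmg would keep a later edit from reintroducing the 16-register store that the description says overflowed into save_area_async, for example `# __LC_SAVE_AREA_SYNC holds 8 registers: park %r8-%r15 there, store %r0-%r7 straight into the gpregs save area`. The save-area size is taken from the description and the 64-byte mvc, not from a definition visible here.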
diff --git a/queue-5.4/samples-bpf-fix-possible-deadlock-in-xdpsock.patch b/queue-5.4/samples-bpf-fix-possible-deadlock-in-xdpsock.patch
new file mode 100644 (file)
index 0000000..b947ffd
--- /dev/null
@@ -0,0 +1,41 @@
+From d6075304b875d161c1db7fbde8c5ffc4a1aa18a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 10:31:05 +0200
+Subject: samples/bpf: Fix possible deadlock in xdpsock
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 5a2a0dd88f0f267ac5953acd81050ae43a82201f ]
+
+Fix a possible deadlock in the l2fwd application in xdpsock that can
+occur when there is no space in the Tx ring. There are two ways to get
+the kernel to consume entries in the Tx ring: calling sendto() to make
+it send packets and freeing entries from the completion ring, as the
+kernel will not send a packet if there is no space for it to add a
+completion entry in the completion ring. The Tx loop in l2fwd only
+used to call sendto(). This patches adds cleaning the completion ring
+in that loop.
+
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/1599726666-8431-3-git-send-email-magnus.karlsson@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdpsock_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/samples/bpf/xdpsock_user.c b/samples/bpf/xdpsock_user.c
+index df011ac334022..79d1005ff2ee3 100644
+--- a/samples/bpf/xdpsock_user.c
++++ b/samples/bpf/xdpsock_user.c
+@@ -677,6 +677,7 @@ static void l2fwd(struct xsk_socket_info *xsk, struct pollfd *fds)
+       while (ret != rcvd) {
+               if (ret < 0)
+                       exit_with_error(-ret);
++              complete_tx_l2fwd(xsk, fds);
+               if (xsk_ring_prod__needs_wakeup(&xsk->tx))
+                       kick_tx(xsk);
+               ret = xsk_ring_prod__reserve(&xsk->tx, rcvd, &idx_tx);
+-- 
+2.27.0
+
diff --git a/queue-5.4/selftests-bpf-define-string-const-as-global-for-test.patch b/queue-5.4/selftests-bpf-define-string-const-as-global-for-test.patch
new file mode 100644 (file)
index 0000000..51bb053
--- /dev/null
@@ -0,0 +1,57 @@
+From dc1a85eb9d5fa054ca0799750012ccdfdd86ed51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 13:27:18 -0700
+Subject: selftests/bpf: Define string const as global for test_sysctl_prog.c
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit 6e057fc15a2da4ee03eb1fa6889cf687e690106e ]
+
+When tweaking llvm optimizations, I found that selftest build failed
+with the following error:
+  libbpf: elf: skipping unrecognized data section(6) .rodata.str1.1
+  libbpf: prog 'sysctl_tcp_mem': bad map relo against '.L__const.is_tcp_mem.tcp_mem_name'
+          in section '.rodata.str1.1'
+  Error: failed to open BPF object file: Relocation failed
+  make: *** [/work/net-next/tools/testing/selftests/bpf/test_sysctl_prog.skel.h] Error 255
+  make: *** Deleting file `/work/net-next/tools/testing/selftests/bpf/test_sysctl_prog.skel.h'
+
+The local string constant "tcp_mem_name" is put into '.rodata.str1.1' section
+which libbpf cannot handle. Using untweaked upstream llvm, "tcp_mem_name"
+is completely inlined after loop unrolling.
+
+Commit 7fb5eefd7639 ("selftests/bpf: Fix test_sysctl_loop{1, 2}
+failure due to clang change") solved a similar problem by defining
+the string const as a global. Let us do the same here
+for test_sysctl_prog.c so it can weather future potential llvm changes.
+
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/20200910202718.956042-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/test_sysctl_prog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_prog.c b/tools/testing/selftests/bpf/progs/test_sysctl_prog.c
+index 5cbbff416998c..4396faf33394a 100644
+--- a/tools/testing/selftests/bpf/progs/test_sysctl_prog.c
++++ b/tools/testing/selftests/bpf/progs/test_sysctl_prog.c
+@@ -19,11 +19,11 @@
+ #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+ #endif
++const char tcp_mem_name[] = "net/ipv4/tcp_mem";
+ static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx)
+ {
+-      char tcp_mem_name[] = "net/ipv4/tcp_mem";
+       unsigned char i;
+-      char name[64];
++      char name[sizeof(tcp_mem_name)];
+       int ret;
+       memset(name, 0, sizeof(name));
+-- 
+2.27.0
+
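Review bot: The new file-scope `tcp_mem_name` in test_sysctl_prog.c has no comment saying why it is global, so a later cleanup could move it back into is_tcp_mem() and bring back the `.rodata.str1.1` relocation failure described in the commit message. I would add `/* global on purpose: a function-local string can be emitted into .rodata.str1.1, which libbpf cannot relocate */` above the definition. `name` is also now sized as `sizeof(tcp_mem_name)` instead of 64, so a longer sysctl name no longer fits in it. How is_tcp_mem() handles that case is outside the hunk and worth confirming.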
diff --git a/queue-5.4/selftests-x86-fsgsbase-reap-a-forgotten-child.patch b/queue-5.4/selftests-x86-fsgsbase-reap-a-forgotten-child.patch
new file mode 100644 (file)
index 0000000..ca16dec
--- /dev/null
@@ -0,0 +1,36 @@
+From 5922d7c6607d088f9deca34ef58a21d92543e96f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 10:00:45 -0700
+Subject: selftests/x86/fsgsbase: Reap a forgotten child
+
+From: Andy Lutomirski <luto@kernel.org>
+
+[ Upstream commit ab2dd173330a3f07142e68cd65682205036cd00f ]
+
+The ptrace() test forgot to reap its child.  Reap it.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/e7700a503f30e79ab35a63103938a19893dbeff2.1598461151.git.luto@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/x86/fsgsbase.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/testing/selftests/x86/fsgsbase.c b/tools/testing/selftests/x86/fsgsbase.c
+index 15a329da59fa3..5f3aea210e018 100644
+--- a/tools/testing/selftests/x86/fsgsbase.c
++++ b/tools/testing/selftests/x86/fsgsbase.c
+@@ -499,6 +499,9 @@ static void test_ptrace_write_gsbase(void)
+ END:
+       ptrace(PTRACE_CONT, child, NULL, NULL);
++      wait(&status);
++      if (!WIFEXITED(status))
++              printf("[WARN]\tChild didn't exit cleanly.\n");
+ }
+ int main()
+-- 
+2.27.0
+
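Review bot: The added `wait(&status)` in test_ptrace_write_gsbase() ignores its return value, so if wait() fails, `status` keeps whatever value it had before and the `WIFEXITED` check reports on stale data. Folding the result into the condition covers both cases: `if (wait(&status) == -1 || !WIFEXITED(status))`. The declaration of `status` and the earlier part of the function are outside the hunk.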
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644 (file)
index 0000000..5db4db6
--- /dev/null
@@ -0,0 +1,82 @@
+firmware-arm_scmi-fix-arch_cold_reset.patch
+firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch
+x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch
+mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch
+rdma-qedr-fix-memory-leak-in-iwarp-cm.patch
+ata-sata_nv-fix-retrieving-of-active-qcs.patch
+futex-fix-incorrect-should_fail_futex-handling.patch
+powerpc-powernv-smp-fix-spurious-dbg-warning.patch
+mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch
+powerpc-select-arch_want_irqs_off_activate_mm.patch
+sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch
+f2fs-add-trace-exit-in-exception-path.patch
+f2fs-fix-uninit-value-in-f2fs_lookup.patch
+f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch
+s390-startup-avoid-save_area_sync-overflow.patch
+um-change-sigio_spinlock-to-a-mutex.patch
+f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch
+arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch
+nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch
+power-supply-bq27xxx-report-not-charging-on-all-type.patch
+xfs-fix-realtime-bitmap-summary-file-truncation-when.patch
+video-fbdev-pvr2fb-initialize-variables.patch
+ath10k-start-recovery-process-when-payload-length-ex.patch
+ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch
+drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch
+selftests-x86-fsgsbase-reap-a-forgotten-child.patch
+media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch
+media-platform-improve-queue-set-up-flow-for-bug-fix.patch
+usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch
+media-tw5864-check-status-of-tw5864_frameinterval_ge.patch
+media-imx274-fix-frame-interval-handling.patch
+mmc-via-sdmmc-fix-data-race-bug.patch
+drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch
+arm64-topology-stop-using-mpidr-for-topology-informa.patch
+printk-reduce-log_buf_shift-range-for-h8300.patch
+ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch
+kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch
+bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch
+media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch
+selftests-bpf-define-string-const-as-global-for-test.patch
+samples-bpf-fix-possible-deadlock-in-xdpsock.patch
+riscv-define-at_vector_size_arch-for-arch_dlinfo.patch
+cpufreq-sti-cpufreq-add-stih418-support.patch
+usb-adutux-fix-debugging.patch
+uio-free-uio-id-after-uio-file-node-is-freed.patch
+coresight-make-sysfs-functional-on-topologies-with-p.patch
+usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch
+sunrpc-mitigate-cond_resched-in-xprt_transmit.patch
+arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch
+can-flexcan-disable-clocks-during-stop-mode.patch
+xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch
+acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch
+brcmfmac-fix-warning-message-after-dongle-setup-fail.patch
+drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch
+bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch
+acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch
+power-supply-test_power-add-missing-newlines-when-pr.patch
+drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch
+arc-dts-fix-the-errors-detected-by-dtbs_check.patch
+btrfs-fix-replace-of-seed-device.patch
+md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch
+bnxt_en-log-unknown-link-speed-appropriately.patch
+rpmsg-glink-use-complete_all-for-open-states.patch
+clk-ti-clockdomain-fix-static-checker-warning.patch
+asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch
+net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch
+drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch
+ext4-detect-already-used-quota-file-early.patch
+kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch
+gfs2-use-after-free-in-sysfs-deregistration.patch
+gfs2-add-validation-checks-for-size-of-superblock.patch
+cifs-handle-eintr-in-cifs_setattr.patch
+arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch
+arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch
+memory-emif-remove-bogus-debugfs-error-handling.patch
+arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch
+arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch
+arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch
+arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch
+nbd-make-the-config-put-is-called-before-the-notifyi.patch
+sgl_alloc_order-fix-memory-leak.patch
+nvme-rdma-fix-crash-when-connect-rejected.patch
diff --git a/queue-5.4/sgl_alloc_order-fix-memory-leak.patch b/queue-5.4/sgl_alloc_order-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..c588861
--- /dev/null
@@ -0,0 +1,42 @@
+From c68b7ef5029a928870763d90a94bcc82ffabfbfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 14:57:35 -0400
+Subject: sgl_alloc_order: fix memory leak
+
+From: Douglas Gilbert <dgilbert@interlog.com>
+
+[ Upstream commit b2a182a40278bc5849730e66bca01a762188ed86 ]
+
+sgl_alloc_order() can fail when 'length' is large on a memory
+constrained system. When order > 0 it will potentially be
+making several multi-page allocations with the later ones more
+likely to fail than the earlier one. So it is important that
+sgl_alloc_order() frees up any pages it has obtained before
+returning NULL. In the case when order > 0 it calls the wrong
+free page function and leaks. In testing the leak was
+sufficient to bring down my 8 GiB laptop with OOM.
+
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/scatterlist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/scatterlist.c b/lib/scatterlist.c
+index 5813072bc5895..29346184fcf2e 100644
+--- a/lib/scatterlist.c
++++ b/lib/scatterlist.c
+@@ -514,7 +514,7 @@ struct scatterlist *sgl_alloc_order(unsigned long long length,
+               elem_len = min_t(u64, length, PAGE_SIZE << order);
+               page = alloc_pages(gfp, order);
+               if (!page) {
+-                      sgl_free(sgl);
++                      sgl_free_order(sgl, order);
+                       return NULL;
+               }
+-- 
+2.27.0
+
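Review bot: The error path in sgl_alloc_order() now depends on the free routine receiving the same `order` that was passed to `alloc_pages(gfp, order)`, and nothing at the call site says so. A one-line comment above the call, `/* pages were allocated with this order; free them with the same order */`, would keep the pairing from being undone in a later cleanup. The function starts and ends outside the hunk.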
diff --git a/queue-5.4/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch b/queue-5.4/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch
new file mode 100644 (file)
index 0000000..dd33de0
--- /dev/null
@@ -0,0 +1,179 @@
+From 426ee692c5fd2b7310ea522a3b30a4bb66016357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 14:52:18 +1000
+Subject: sparc64: remove mm_cpumask clearing to fix kthread_use_mm race
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bafb056ce27940c9994ea905336aa8f27b4f7275 ]
+
+The de facto (and apparently uncommented) standard for using an mm had,
+thanks to this code in sparc if nothing else, been that you must have a
+reference on mm_users *and that reference must have been obtained with
+mmget()*, i.e., from a thread with a reference to mm_users that had used
+the mm.
+
+The introduction of mmget_not_zero() in commit d2005e3f41d4
+("userfaultfd: don't pin the user memory in userfaultfd_file_create()")
+allowed mm_count holders to aoperate on user mappings asynchronously
+from the actual threads using the mm, but they were not to load those
+mappings into their TLB (i.e., walking vmas and page tables is okay,
+kthread_use_mm() is not).
+
+io_uring 2b188cc1bb857 ("Add io_uring IO interface") added code which
+does a kthread_use_mm() from a mmget_not_zero() refcount.
+
+The problem with this is code which previously assumed mm == current->mm
+and mm->mm_users == 1 implies the mm will remain single-threaded at
+least until this thread creates another mm_users reference, has now
+broken.
+
+arch/sparc/kernel/smp_64.c:
+
+    if (atomic_read(&mm->mm_users) == 1) {
+        cpumask_copy(mm_cpumask(mm), cpumask_of(cpu));
+        goto local_flush_and_out;
+    }
+
+vs fs/io_uring.c
+
+    if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) ||
+                 !mmget_not_zero(ctx->sqo_mm)))
+        return -EFAULT;
+    kthread_use_mm(ctx->sqo_mm);
+
+mmget_not_zero() could come in right after the mm_users == 1 test, then
+kthread_use_mm() which sets its CPU in the mm_cpumask. That update could
+be lost if cpumask_copy() occurs afterward.
+
+I propose we fix this by allowing mmget_not_zero() to be a first-class
+reference, and not have this obscure undocumented and unchecked
+restriction.
+
+The basic fix for sparc64 is to remove its mm_cpumask clearing code. The
+optimisation could be effectively restored by sending IPIs to mm_cpumask
+members and having them remove themselves from mm_cpumask. This is more
+tricky so I leave it as an exercise for someone with a sparc64 SMP.
+powerpc has a (currently similarly broken) example.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200914045219.3736466-4-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/smp_64.c | 65 ++++++++------------------------------
+ 1 file changed, 14 insertions(+), 51 deletions(-)
+
+diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
+index a8275fea4b70c..aa81c25b44cf3 100644
+--- a/arch/sparc/kernel/smp_64.c
++++ b/arch/sparc/kernel/smp_64.c
+@@ -1039,38 +1039,9 @@ void smp_fetch_global_pmu(void)
+  * are flush_tlb_*() routines, and these run after flush_cache_*()
+  * which performs the flushw.
+  *
+- * The SMP TLB coherency scheme we use works as follows:
+- *
+- * 1) mm->cpu_vm_mask is a bit mask of which cpus an address
+- *    space has (potentially) executed on, this is the heuristic
+- *    we use to avoid doing cross calls.
+- *
+- *    Also, for flushing from kswapd and also for clones, we
+- *    use cpu_vm_mask as the list of cpus to make run the TLB.
+- *
+- * 2) TLB context numbers are shared globally across all processors
+- *    in the system, this allows us to play several games to avoid
+- *    cross calls.
+- *
+- *    One invariant is that when a cpu switches to a process, and
+- *    that processes tsk->active_mm->cpu_vm_mask does not have the
+- *    current cpu's bit set, that tlb context is flushed locally.
+- *
+- *    If the address space is non-shared (ie. mm->count == 1) we avoid
+- *    cross calls when we want to flush the currently running process's
+- *    tlb state.  This is done by clearing all cpu bits except the current
+- *    processor's in current->mm->cpu_vm_mask and performing the
+- *    flush locally only.  This will force any subsequent cpus which run
+- *    this task to flush the context from the local tlb if the process
+- *    migrates to another cpu (again).
+- *
+- * 3) For shared address spaces (threads) and swapping we bite the
+- *    bullet for most cases and perform the cross call (but only to
+- *    the cpus listed in cpu_vm_mask).
+- *
+- *    The performance gain from "optimizing" away the cross call for threads is
+- *    questionable (in theory the big win for threads is the massive sharing of
+- *    address space state across processors).
++ * mm->cpu_vm_mask is a bit mask of which cpus an address
++ * space has (potentially) executed on, this is the heuristic
++ * we use to limit cross calls.
+  */
+ /* This currently is only used by the hugetlb arch pre-fault
+@@ -1080,18 +1051,13 @@ void smp_fetch_global_pmu(void)
+ void smp_flush_tlb_mm(struct mm_struct *mm)
+ {
+       u32 ctx = CTX_HWBITS(mm->context);
+-      int cpu = get_cpu();
+-      if (atomic_read(&mm->mm_users) == 1) {
+-              cpumask_copy(mm_cpumask(mm), cpumask_of(cpu));
+-              goto local_flush_and_out;
+-      }
++      get_cpu();
+       smp_cross_call_masked(&xcall_flush_tlb_mm,
+                             ctx, 0, 0,
+                             mm_cpumask(mm));
+-local_flush_and_out:
+       __flush_tlb_mm(ctx, SECONDARY_CONTEXT);
+       put_cpu();
+@@ -1114,17 +1080,15 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long
+ {
+       u32 ctx = CTX_HWBITS(mm->context);
+       struct tlb_pending_info info;
+-      int cpu = get_cpu();
++
++      get_cpu();
+       info.ctx = ctx;
+       info.nr = nr;
+       info.vaddrs = vaddrs;
+-      if (mm == current->mm && atomic_read(&mm->mm_users) == 1)
+-              cpumask_copy(mm_cpumask(mm), cpumask_of(cpu));
+-      else
+-              smp_call_function_many(mm_cpumask(mm), tlb_pending_func,
+-                                     &info, 1);
++      smp_call_function_many(mm_cpumask(mm), tlb_pending_func,
++                             &info, 1);
+       __flush_tlb_pending(ctx, nr, vaddrs);
+@@ -1134,14 +1098,13 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long
+ void smp_flush_tlb_page(struct mm_struct *mm, unsigned long vaddr)
+ {
+       unsigned long context = CTX_HWBITS(mm->context);
+-      int cpu = get_cpu();
+-      if (mm == current->mm && atomic_read(&mm->mm_users) == 1)
+-              cpumask_copy(mm_cpumask(mm), cpumask_of(cpu));
+-      else
+-              smp_cross_call_masked(&xcall_flush_tlb_page,
+-                                    context, vaddr, 0,
+-                                    mm_cpumask(mm));
++      get_cpu();
++
++      smp_cross_call_masked(&xcall_flush_tlb_page,
++                            context, vaddr, 0,
++                            mm_cpumask(mm));
++
+       __flush_tlb_page(context, vaddr);
+       put_cpu();
+-- 
+2.27.0
+
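Review bot: In smp_flush_tlb_mm() the result of `get_cpu()` is now discarded, so the call only disables preemption until `put_cpu()`, and the code no longer says that. The same applies to the hunks in smp_flush_tlb_pending() and smp_flush_tlb_page(). A short comment such as `/* preemption off: stay on this cpu across the cross call and the local flush */` would make the purpose explicit; that wording is inferred from the visible call order. All three function bodies continue outside their hunks.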
diff --git a/queue-5.4/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch b/queue-5.4/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch
new file mode 100644 (file)
index 0000000..56aa2e5
--- /dev/null
@@ -0,0 +1,55 @@
+From 1bbc77e87c7b67f737df541ec6d5ca3bc4fcf065 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 16:09:53 -0400
+Subject: SUNRPC: Mitigate cond_resched() in xprt_transmit()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 6f9f17287e78e5049931af2037b15b26d134a32a ]
+
+The original purpose of this expensive call is to prevent a long
+queue of requests from blocking other work.
+
+The cond_resched() call is unnecessary after just a single send
+operation.
+
+For longer queues, instead of invoking the kernel scheduler, simply
+release the transport send lock and return to the RPC scheduler.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
+index 41df4c507193b..a6fee86f400ec 100644
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -1503,10 +1503,13 @@ xprt_transmit(struct rpc_task *task)
+ {
+       struct rpc_rqst *next, *req = task->tk_rqstp;
+       struct rpc_xprt *xprt = req->rq_xprt;
+-      int status;
++      int counter, status;
+       spin_lock(&xprt->queue_lock);
++      counter = 0;
+       while (!list_empty(&xprt->xmit_queue)) {
++              if (++counter == 20)
++                      break;
+               next = list_first_entry(&xprt->xmit_queue,
+                               struct rpc_rqst, rq_xmit);
+               xprt_pin_rqst(next);
+@@ -1514,7 +1517,6 @@ xprt_transmit(struct rpc_task *task)
+               status = xprt_request_transmit(next, task);
+               if (status == -EBADMSG && next != req)
+                       status = 0;
+-              cond_resched();
+               spin_lock(&xprt->queue_lock);
+               xprt_unpin_rqst(next);
+               if (status == 0) {
+-- 
+2.27.0
+
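Review bot: The bound `if (++counter == 20)` in xprt_transmit() is an unnamed constant, and because the counter is incremented before the comparison, the loop sends at most 19 requests per call, not 20. A named constant with a comment would make the intent checkable, e.g. `#define XPRT_XMIT_BATCH 20 /* requests sent before yielding the send lock */` (the name is a suggestion, not an existing symbol). If 20 sends were meant, the test would be `if (counter++ >= XPRT_XMIT_BATCH)`. What happens to the caller's own request when the loop breaks early is decided after the loop, outside these hunks.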
diff --git a/queue-5.4/uio-free-uio-id-after-uio-file-node-is-freed.patch b/queue-5.4/uio-free-uio-id-after-uio-file-node-is-freed.patch
new file mode 100644 (file)
index 0000000..262e730
--- /dev/null
@@ -0,0 +1,85 @@
+From 7a6aa307a01f67627bf3d3c37e7c98250dbc383d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 11:26:41 +0800
+Subject: uio: free uio id after uio file node is freed
+
+From: Lang Dai <lang.dai@intel.com>
+
+[ Upstream commit 8fd0e2a6df262539eaa28b0a2364cca10d1dc662 ]
+
+uio_register_device() do two things.
+1) get an uio id from a global pool, e.g. the id is <A>
+2) create file nodes like /sys/class/uio/uio<A>
+
+uio_unregister_device() do two things.
+1) free the uio id <A> and return it to the global pool
+2) free the file node /sys/class/uio/uio<A>
+
+There is a situation is that one worker is calling uio_unregister_device(),
+and another worker is calling uio_register_device().
+If the two workers are X and Y, they go as below sequence,
+1) X free the uio id <AAA>
+2) Y get an uio id <AAA>
+3) Y create file node /sys/class/uio/uio<AAA>
+4) X free the file note /sys/class/uio/uio<AAA>
+Then it will failed at the 3rd step and cause the phenomenon we saw as it
+is creating a duplicated file node.
+
+Failure reports as follows:
+sysfs: cannot create duplicate filename '/class/uio/uio10'
+Call Trace:
+   sysfs_do_create_link_sd.isra.2+0x9e/0xb0
+   sysfs_create_link+0x25/0x40
+   device_add+0x2c4/0x640
+   __uio_register_device+0x1c5/0x576 [uio]
+   adf_uio_init_bundle_dev+0x231/0x280 [intel_qat]
+   adf_uio_register+0x1c0/0x340 [intel_qat]
+   adf_dev_start+0x202/0x370 [intel_qat]
+   adf_dev_start_async+0x40/0xa0 [intel_qat]
+   process_one_work+0x14d/0x410
+   worker_thread+0x4b/0x460
+   kthread+0x105/0x140
+ ? process_one_work+0x410/0x410
+ ? kthread_bind+0x40/0x40
+ ret_from_fork+0x1f/0x40
+ Code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef
+ e8 ec c4 ff ff 4c 89 e2 48 89 de 48 c7 c7 e8 b4 ee b4 e8 6a d4 d7
+ ff <0f> 0b 48 89 df e8 20 fa f3 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
+---[ end trace a7531c1ed5269e84 ]---
+ c6xxvf b002:00:00.0: Failed to register UIO devices
+ c6xxvf b002:00:00.0: Failed to register UIO devices
+
+Signed-off-by: Lang Dai <lang.dai@intel.com>
+
+Link: https://lore.kernel.org/r/1600054002-17722-1-git-send-email-lang.dai@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/uio/uio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
+index a57698985f9c4..8313f81968d51 100644
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -1010,8 +1010,6 @@ void uio_unregister_device(struct uio_info *info)
+       idev = info->uio_dev;
+-      uio_free_minor(idev);
+-
+       mutex_lock(&idev->info_lock);
+       uio_dev_del_attributes(idev);
+@@ -1026,6 +1024,8 @@ void uio_unregister_device(struct uio_info *info)
+       device_unregister(&idev->dev);
++      uio_free_minor(idev);
++
+       return;
+ }
+ EXPORT_SYMBOL_GPL(uio_unregister_device);
+-- 
+2.27.0
+
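Review bot: Moving `uio_free_minor(idev)` after `device_unregister(&idev->dev)` in uio_unregister_device() means `idev` is dereferenced after the call that can drop the last reference to the device. If the device's release callback frees `idev` (not visible in these hunks), this is a use-after-free. Reading the minor first keeps the new ordering and avoids the late dereference: `minor = idev->minor;` before the unregister, then freeing by number afterwards. That requires uio_free_minor() to take the minor instead of the device pointer. The function starts outside the hunks.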
diff --git a/queue-5.4/um-change-sigio_spinlock-to-a-mutex.patch b/queue-5.4/um-change-sigio_spinlock-to-a-mutex.patch
new file mode 100644 (file)
index 0000000..41ef237
--- /dev/null
@@ -0,0 +1,78 @@
+From da9b3738ec54c44c618db6261831f7b87a25383d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 13:23:17 +0200
+Subject: um: change sigio_spinlock to a mutex
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit f2d05059e15af3f70502074f4e3a504530af504a ]
+
+Lockdep complains at boot:
+
+=============================
+[ BUG: Invalid wait context ]
+5.7.0-05093-g46d91ecd597b #98 Not tainted
+-----------------------------
+swapper/1 is trying to lock:
+0000000060931b98 (&desc[i].request_mutex){+.+.}-{3:3}, at: __setup_irq+0x11d/0x623
+other info that might help us debug this:
+context-{4:4}
+1 lock held by swapper/1:
+ #0: 000000006074fed8 (sigio_spinlock){+.+.}-{2:2}, at: sigio_lock+0x1a/0x1c
+stack backtrace:
+CPU: 0 PID: 1 Comm: swapper Not tainted 5.7.0-05093-g46d91ecd597b #98
+Stack:
+ 7fa4fab0 6028dfd1 0000002a 6008bea5
+ 7fa50700 7fa50040 7fa4fac0 6028e016
+ 7fa4fb50 6007f6da 60959c18 00000000
+Call Trace:
+ [<60023a0e>] show_stack+0x13b/0x155
+ [<6028e016>] dump_stack+0x2a/0x2c
+ [<6007f6da>] __lock_acquire+0x515/0x15f2
+ [<6007eb50>] lock_acquire+0x245/0x273
+ [<6050d9f1>] __mutex_lock+0xbd/0x325
+ [<6050dc76>] mutex_lock_nested+0x1d/0x1f
+ [<6008e27e>] __setup_irq+0x11d/0x623
+ [<6008e8ed>] request_threaded_irq+0x169/0x1a6
+ [<60021eb0>] um_request_irq+0x1ee/0x24b
+ [<600234ee>] write_sigio_irq+0x3b/0x76
+ [<600383ca>] sigio_broken+0x146/0x2e4
+ [<60020bd8>] do_one_initcall+0xde/0x281
+
+Because we hold sigio_spinlock and then get into requesting
+an interrupt with a mutex.
+
+Change the spinlock to a mutex to avoid that.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/kernel/sigio.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/um/kernel/sigio.c b/arch/um/kernel/sigio.c
+index 10c99e058fcae..d1cffc2a7f212 100644
+--- a/arch/um/kernel/sigio.c
++++ b/arch/um/kernel/sigio.c
+@@ -35,14 +35,14 @@ int write_sigio_irq(int fd)
+ }
+ /* These are called from os-Linux/sigio.c to protect its pollfds arrays. */
+-static DEFINE_SPINLOCK(sigio_spinlock);
++static DEFINE_MUTEX(sigio_mutex);
+ void sigio_lock(void)
+ {
+-      spin_lock(&sigio_spinlock);
++      mutex_lock(&sigio_mutex);
+ }
+ void sigio_unlock(void)
+ {
+-      spin_unlock(&sigio_spinlock);
++      mutex_unlock(&sigio_mutex);
+ }
+-- 
+2.27.0
+
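Review bot: With `sigio_lock()` now taking a mutex it may sleep, but the comment above `sigio_mutex` still only says who calls it. I would extend it to `/* These are called from os-Linux/sigio.c to protect its pollfds arrays; the lock may sleep, so callers must be in process context. */`. Whether every caller in os-Linux/sigio.c satisfies that is not visible here and should be checked.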
diff --git a/queue-5.4/usb-adutux-fix-debugging.patch b/queue-5.4/usb-adutux-fix-debugging.patch
new file mode 100644 (file)
index 0000000..f6980a4
--- /dev/null
@@ -0,0 +1,35 @@
+From 104be76618f4ae0558e593ffcd45b0cabb4ba913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 13:26:00 +0200
+Subject: USB: adutux: fix debugging
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit c56150c1bc8da5524831b1dac2eec3c67b89f587 ]
+
+Handling for removal of the controller was missing at one place.
+Add it.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20200917112600.26508-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/adutux.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c
+index d8d157c4c271d..96495fcd952aa 100644
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -209,6 +209,7 @@ static void adu_interrupt_out_callback(struct urb *urb)
+       if (status != 0) {
+               if ((status != -ENOENT) &&
++                  (status != -ESHUTDOWN) &&
+                   (status != -ECONNRESET)) {
+                       dev_dbg(&dev->udev->dev,
+                               "%s :nonzero status received: %d\n", __func__,
+-- 
+2.27.0
+
diff --git a/queue-5.4/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch b/queue-5.4/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch
new file mode 100644 (file)
index 0000000..2d4ace6
--- /dev/null
@@ -0,0 +1,80 @@
+From c60669fe73f0db6aed1957509d4682bf4abbae4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:38:27 -0700
+Subject: usb: typec: tcpm: During PR_SWAP, source caps should be sent only
+ after tSwapSourceStart
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+[ Upstream commit 6bbe2a90a0bb4af8dd99c3565e907fe9b5e7fd88 ]
+
+The patch addresses the compliance test failures while running
+TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 of the "Deterministic PD
+Compliance MOI" test plan published in https://www.usb.org/usbc.
+For a product to be Type-C compliant, it's expected that these tests
+are run on usb.org certified Type-C compliance tester as mentioned in
+https://www.usb.org/usbc.
+
+The purpose of the tests TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 is to
+verify the PR_SWAP response of the device. While doing so, the test
+asserts that Source Capabilities message is NOT received from the test
+device within tSwapSourceStart min (20 ms) from the time the last bit
+of GoodCRC corresponding to the RS_RDY message sent by the UUT was
+sent. If it does then the test fails.
+
+This is in line with the requirements from the USB Power Delivery
+Specification Revision 3.0, Version 1.2:
+"6.6.8.1 SwapSourceStartTimer
+The SwapSourceStartTimer Shall be used by the new Source, after a
+Power Role Swap or Fast Role Swap, to ensure that it does not send
+Source_Capabilities Message before the new Sink is ready to receive
+the
+Source_Capabilities Message. The new Source Shall Not send the
+Source_Capabilities Message earlier than tSwapSourceStart after the
+last bit of the EOP of GoodCRC Message sent in response to the PS_RDY
+Message sent by the new Source indicating that its power supply is
+ready."
+
+The patch makes sure that TCPM does not send the Source_Capabilities
+Message within tSwapSourceStart(20ms) by transitioning into
+SRC_STARTUP only after  tSwapSourceStart(20ms).
+
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20200817183828.1895015-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 2 +-
+ include/linux/usb/pd.h        | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
+index 355a2c7fac0b4..16e124753df72 100644
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -3482,7 +3482,7 @@ static void run_state_machine(struct tcpm_port *port)
+                */
+               tcpm_set_pwr_role(port, TYPEC_SOURCE);
+               tcpm_pd_send_control(port, PD_CTRL_PS_RDY);
+-              tcpm_set_state(port, SRC_STARTUP, 0);
++              tcpm_set_state(port, SRC_STARTUP, PD_T_SWAP_SRC_START);
+               break;
+       case VCONN_SWAP_ACCEPT:
+diff --git a/include/linux/usb/pd.h b/include/linux/usb/pd.h
+index 145c38e351c25..6655ce32feff1 100644
+--- a/include/linux/usb/pd.h
++++ b/include/linux/usb/pd.h
+@@ -442,6 +442,7 @@ static inline unsigned int rdo_max_power(u32 rdo)
+ #define PD_T_ERROR_RECOVERY   100     /* minimum 25 is insufficient */
+ #define PD_T_SRCSWAPSTDBY      625     /* Maximum of 650ms */
+ #define PD_T_NEWSRC            250     /* Maximum of 275ms */
++#define PD_T_SWAP_SRC_START   20      /* Minimum of 20ms */
+ #define PD_T_DRP_TRY          100     /* 75 - 150 ms */
+ #define PD_T_DRP_TRYWAIT      600     /* 400 - 800 ms */
+-- 
+2.27.0
+
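Review bot: `PD_T_SWAP_SRC_START` is set to exactly the 20 ms minimum quoted in the commit message, which leaves no margin in the delay passed to `tcpm_set_state(port, SRC_STARTUP, PD_T_SWAP_SRC_START)`. If the state-machine timer behind tcpm_set_state() (outside the hunk) has tick granularity, the real wait could end marginally early and the compliance check could fail again. Either confirm that the timer never fires early, or record the assumption in the define's comment, e.g. `/* Minimum of 20ms; timer must not fire early */`.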
diff --git a/queue-5.4/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch b/queue-5.4/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch
new file mode 100644 (file)
index 0000000..f17377f
--- /dev/null
@@ -0,0 +1,58 @@
+From 3d40f60975b7d71789a988ac49bdb5f863949773 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Sep 2020 16:17:49 +0300
+Subject: usb: xhci: omit duplicate actions when suspending a runtime suspended
+ host.
+
+From: Peter Chen <peter.chen@nxp.com>
+
+[ Upstream commit 18a367e8947d72dd91b6fc401e88a2952c6363f7 ]
+
+If the xhci-plat.c is the platform driver, after the runtime pm is
+enabled, the xhci_suspend is called if nothing is connected on
+the port. When the system goes to suspend, it will call xhci_suspend again
+if USB wakeup is enabled.
+
+Since the runtime suspend wakeup setting is not always the same as
+system suspend wakeup setting, eg, at runtime suspend we always need
+wakeup if the controller is in low power mode; but at system suspend,
+we may not need wakeup. So, we move the judgement after changing
+wakeup setting.
+
+[commit message rewording -Mathias]
+
+Reviewed-by: Jun Li <jun.li@nxp.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20200918131752.16488-8-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 0d10ede581cbd..7123ab44671b2 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -982,12 +982,15 @@ int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup)
+                       xhci->shared_hcd->state != HC_STATE_SUSPENDED)
+               return -EINVAL;
+-      xhci_dbc_suspend(xhci);
+-
+       /* Clear root port wake on bits if wakeup not allowed. */
+       if (!do_wakeup)
+               xhci_disable_port_wake_on_bits(xhci);
++      if (!HCD_HW_ACCESSIBLE(hcd))
++              return 0;
++
++      xhci_dbc_suspend(xhci);
++
+       /* Don't poll the roothubs on bus suspend. */
+       xhci_dbg(xhci, "%s: stopping port polling.\n", __func__);
+       clear_bit(HCD_FLAG_POLL_RH, &hcd->flags);
+-- 
+2.27.0
+
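Review bot: In xhci_suspend() the new `if (!HCD_HW_ACCESSIBLE(hcd)) return 0;` sits after `xhci_disable_port_wake_on_bits(xhci)`, so with `do_wakeup` false the wake-bit update still runs on a host that runtime PM has already suspended. The description says this ordering is intended, but nothing in the code records it. Whether the port registers are safe to touch in that state under every platform glue driver cannot be told from this hunk. I would add a comment above the check, e.g. `/* Already runtime suspended: wake bits were adjusted above, skip the remaining suspend steps. */`. The function body starts and ends outside the hunk.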
diff --git a/queue-5.4/video-fbdev-pvr2fb-initialize-variables.patch b/queue-5.4/video-fbdev-pvr2fb-initialize-variables.patch
new file mode 100644 (file)
index 0000000..f8b478d
--- /dev/null
@@ -0,0 +1,49 @@
+From 1a33d2083fcb81d74944628fbbd6c1e1b931a9e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 12:18:45 -0700
+Subject: video: fbdev: pvr2fb: initialize variables
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 8e1ba47c60bcd325fdd097cd76054639155e5d2e ]
+
+clang static analysis reports this repesentative error
+
+pvr2fb.c:1049:2: warning: 1st function call argument
+  is an uninitialized value [core.CallAndMessage]
+        if (*cable_arg)
+        ^~~~~~~~~~~~~~~
+
+Problem is that cable_arg depends on the input loop to
+set the cable_arg[0].  If it does not, then some random
+value from the stack is used.
+
+A similar problem exists for output_arg.
+
+So initialize cable_arg and output_arg.
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200720191845.20115-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pvr2fb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/pvr2fb.c b/drivers/video/fbdev/pvr2fb.c
+index 0a3b2b7c78912..c916e91614436 100644
+--- a/drivers/video/fbdev/pvr2fb.c
++++ b/drivers/video/fbdev/pvr2fb.c
+@@ -1016,6 +1016,8 @@ static int __init pvr2fb_setup(char *options)
+       if (!options || !*options)
+               return 0;
++      cable_arg[0] = output_arg[0] = 0;
++
+       while ((this_opt = strsep(&options, ","))) {
+               if (!*this_opt)
+                       continue;
+-- 
+2.27.0
+
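Review bot: The added `cable_arg[0] = output_arg[0] = 0;` in pvr2fb_setup() chains two assignments on one line, which kernel coding style asks to avoid, and uses `0` where `'\0'` states the intent for a char buffer. I would write `cable_arg[0] = '\0';` and `output_arg[0] = '\0';` as separate statements, or initialise both arrays at their declarations if those are local to this function (the declarations are outside the hunk). Both buffers are filled from the `options` string parsed in the loop below, so it is also worth confirming that the copies into them are length-bounded; that code is not shown here.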
diff --git a/queue-5.4/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch b/queue-5.4/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch
new file mode 100644 (file)
index 0000000..74b2501
--- /dev/null
@@ -0,0 +1,145 @@
+From bd645b5d73d9576c8e95e83ca787941b195654cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 07:30:51 +0200
+Subject: x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC
+ 10 compiled kernels
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit f2ac57a4c49d40409c21c82d23b5706df9b438af ]
+
+GCC 10 optimizes the scheduler code differently than its predecessors.
+
+When CONFIG_DEBUG_SECTION_MISMATCH=y, the Makefile forces GCC not
+to inline some functions (-fno-inline-functions-called-once). Before GCC
+10, "no-inlined" __schedule() starts with the usual prologue:
+
+  push %bp
+  mov %sp, %bp
+
+So the ORC unwinder simply picks stack pointer from %bp and
+unwinds from __schedule() just perfectly:
+
+  $ cat /proc/1/stack
+  [<0>] ep_poll+0x3e9/0x450
+  [<0>] do_epoll_wait+0xaa/0xc0
+  [<0>] __x64_sys_epoll_wait+0x1a/0x20
+  [<0>] do_syscall_64+0x33/0x40
+  [<0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+But now, with GCC 10, there is no %bp prologue in __schedule():
+
+  $ cat /proc/1/stack
+  <nothing>
+
+The ORC entry of the point in __schedule() is:
+
+  sp:sp+88 bp:last_sp-48 type:call end:0
+
+In this case, nobody subtracts sizeof "struct inactive_task_frame" in
+__unwind_start(). The struct is put on the stack by __switch_to_asm() and
+only then __switch_to_asm() stores %sp to task->thread.sp. But we start
+unwinding from a point in __schedule() (stored in frame->ret_addr by
+'call') and not in __switch_to_asm().
+
+So for these example values in __unwind_start():
+
+  sp=ffff94b50001fdc8 bp=ffff8e1f41d29340 ip=__schedule+0x1f0
+
+The stack is:
+
+  ffff94b50001fdc8: ffff8e1f41578000 # struct inactive_task_frame
+  ffff94b50001fdd0: 0000000000000000
+  ffff94b50001fdd8: ffff8e1f41d29340
+  ffff94b50001fde0: ffff8e1f41611d40 # ...
+  ffff94b50001fde8: ffffffff93c41920 # bx
+  ffff94b50001fdf0: ffff8e1f41d29340 # bp
+  ffff94b50001fdf8: ffffffff9376cad0 # ret_addr (and end of the struct)
+
+0xffffffff9376cad0 is __schedule+0x1f0 (after the call to
+__switch_to_asm).  Now follow those 88 bytes from the ORC entry (sp+88).
+The entry is correct, __schedule() really pushes 48 bytes (8*7) + 32 bytes
+via subq to store some local values (like 4U below). So to unwind, look
+at the offset 88-sizeof(long) = 0x50 from here:
+
+  ffff94b50001fe00: ffff8e1f41578618
+  ffff94b50001fe08: 00000cc000000255
+  ffff94b50001fe10: 0000000500000004
+  ffff94b50001fe18: 7793fab6956b2d00 # NOTE (see below)
+  ffff94b50001fe20: ffff8e1f41578000
+  ffff94b50001fe28: ffff8e1f41578000
+  ffff94b50001fe30: ffff8e1f41578000
+  ffff94b50001fe38: ffff8e1f41578000
+  ffff94b50001fe40: ffff94b50001fed8
+  ffff94b50001fe48: ffff8e1f41577ff0
+  ffff94b50001fe50: ffffffff9376cf12
+
+Here                ^^^^^^^^^^^^^^^^ is the correct ret addr from
+__schedule(). It translates to schedule+0x42 (insn after a call to
+__schedule()).
+
+BUT, unwind_next_frame() tries to take the address starting from
+0xffff94b50001fdc8. That is exactly from thread.sp+88-sizeof(long) =
+0xffff94b50001fdc8+88-8 = 0xffff94b50001fe18, which is garbage marked as
+NOTE above. So this quits the unwinding as 7793fab6956b2d00 is obviously
+not a kernel address.
+
+There was a fix to skip 'struct inactive_task_frame' in
+unwind_get_return_address_ptr in the following commit:
+
+  187b96db5ca7 ("x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks")
+
+But we need to skip the struct already in the unwinder proper. So
+subtract the size (increase the stack pointer) of the structure in
+__unwind_start() directly. This allows for removal of the code added by
+commit 187b96db5ca7 completely, as the address is now at
+'(unsigned long *)state->sp - 1', the same as in the generic case.
+
+[ mingo: Cleaned up the changelog a bit, for better readability. ]
+
+Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1176907
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20201014053051.24199-1-jslaby@suse.cz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/unwind_orc.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
+index 187a86e0e7531..f29f015a5e7f3 100644
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -311,19 +311,12 @@ EXPORT_SYMBOL_GPL(unwind_get_return_address);
+ unsigned long *unwind_get_return_address_ptr(struct unwind_state *state)
+ {
+-      struct task_struct *task = state->task;
+-
+       if (unwind_done(state))
+               return NULL;
+       if (state->regs)
+               return &state->regs->ip;
+-      if (task != current && state->sp == task->thread.sp) {
+-              struct inactive_task_frame *frame = (void *)task->thread.sp;
+-              return &frame->ret_addr;
+-      }
+-
+       if (state->sp)
+               return (unsigned long *)state->sp - 1;
+@@ -653,7 +646,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+       } else {
+               struct inactive_task_frame *frame = (void *)task->thread.sp;
+-              state->sp = task->thread.sp;
++              state->sp = task->thread.sp + sizeof(*frame);
+               state->bp = READ_ONCE_NOCHECK(frame->bp);
+               state->ip = READ_ONCE_NOCHECK(frame->ret_addr);
+               state->signal = (void *)state->ip == ret_from_fork;
+-- 
+2.27.0
+
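Review bot: The `state->sp = task->thread.sp + sizeof(*frame);` line in __unwind_start() has no comment, yet unwind_get_return_address_ptr() now depends on it. With the inactive-task special case removed, `(unsigned long *)state->sp - 1` is correct only because sp has been moved past the frame. I would add a comment such as `/* Skip the inactive_task_frame pushed by __switch_to_asm(); its ret_addr is then at state->sp - 1. */` so the two functions are not changed independently later. Both functions extend beyond the hunks.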
diff --git a/queue-5.4/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch b/queue-5.4/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch
new file mode 100644 (file)
index 0000000..dd73d27
--- /dev/null
@@ -0,0 +1,63 @@
+From 4ab3addac0b735ff54a698a82fc97ce1d5520d69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 09:15:08 -0700
+Subject: xfs: don't free rt blocks when we're doing a REMAP bunmapi call
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 8df0fa39bdd86ca81a8d706a6ed9d33cc65ca625 ]
+
+When callers pass XFS_BMAPI_REMAP into xfs_bunmapi, they want the extent
+to be unmapped from the given file fork without the extent being freed.
+We do this for non-rt files, but we forgot to do this for realtime
+files.  So far this isn't a big deal since nobody makes a bunmapi call
+to a rt file with the REMAP flag set, but don't leave a logic bomb.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_bmap.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index f8db3fe616df9..c114d24be6193 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -4985,20 +4985,25 @@ xfs_bmap_del_extent_real(
+       flags = XFS_ILOG_CORE;
+       if (whichfork == XFS_DATA_FORK && XFS_IS_REALTIME_INODE(ip)) {
+-              xfs_fsblock_t   bno;
+               xfs_filblks_t   len;
+               xfs_extlen_t    mod;
+-              bno = div_u64_rem(del->br_startblock, mp->m_sb.sb_rextsize,
+-                                &mod);
+-              ASSERT(mod == 0);
+               len = div_u64_rem(del->br_blockcount, mp->m_sb.sb_rextsize,
+                                 &mod);
+               ASSERT(mod == 0);
+-              error = xfs_rtfree_extent(tp, bno, (xfs_extlen_t)len);
+-              if (error)
+-                      goto done;
++              if (!(bflags & XFS_BMAPI_REMAP)) {
++                      xfs_fsblock_t   bno;
++
++                      bno = div_u64_rem(del->br_startblock,
++                                      mp->m_sb.sb_rextsize, &mod);
++                      ASSERT(mod == 0);
++
++                      error = xfs_rtfree_extent(tp, bno, (xfs_extlen_t)len);
++                      if (error)
++                              goto done;
++              }
++
+               do_fx = 0;
+               nblks = len * mp->m_sb.sb_rextsize;
+               qfield = XFS_TRANS_DQ_RTBCOUNT;
+-- 
+2.27.0
+
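Review bot: The new `if (!(bflags & XFS_BMAPI_REMAP))` block in xfs_bmap_del_extent_real() carries no comment saying why a REMAP call skips xfs_rtfree_extent(); that contract is stated only in the commit description. I would add `/* REMAP: unmap the extent from the fork but leave the rt blocks allocated. */` above the condition. Moving the `bno` computation inside the block also means the `ASSERT(mod == 0)` on `del->br_startblock` no longer runs for REMAP calls; if start-block alignment should still hold there, keep that assertion outside the conditional. The function continues outside the hunk.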
diff --git a/queue-5.4/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch b/queue-5.4/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch
new file mode 100644 (file)
index 0000000..b9c1e67
--- /dev/null
@@ -0,0 +1,70 @@
+From 37dddca19d7c96d2a729abab2f8562f1b134b9ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Oct 2020 13:55:16 -0700
+Subject: xfs: fix realtime bitmap/summary file truncation when growing rt
+ volume
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit f4c32e87de7d66074d5612567c5eac7325024428 ]
+
+The realtime bitmap and summary files are regular files that are hidden
+away from the directory tree.  Since they're regular files, inode
+inactivation will try to purge what it thinks are speculative
+preallocations beyond the incore size of the file.  Unfortunately,
+xfs_growfs_rt forgets to update the incore size when it resizes the
+inodes, with the result that inactivating the rt inodes at unmount time
+will cause their contents to be truncated.
+
+Fix this by updating the incore size when we change the ondisk size as
+part of updating the superblock.  Note that we don't do this when we're
+allocating blocks to the rt inodes because we actually want those blocks
+to get purged if the growfs fails.
+
+This fixes corruption complaints from the online rtsummary checker when
+running xfs/233.  Since that test requires rmap, one can also trigger
+this by growing an rt volume, cycling the mount, and creating rt files.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Chandan Babu R <chandanrlinux@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_rtalloc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
+index b583669370825..6d5ddc4e5135a 100644
+--- a/fs/xfs/xfs_rtalloc.c
++++ b/fs/xfs/xfs_rtalloc.c
+@@ -1021,10 +1021,13 @@ xfs_growfs_rt(
+               xfs_ilock(mp->m_rbmip, XFS_ILOCK_EXCL);
+               xfs_trans_ijoin(tp, mp->m_rbmip, XFS_ILOCK_EXCL);
+               /*
+-               * Update the bitmap inode's size.
++               * Update the bitmap inode's size ondisk and incore.  We need
++               * to update the incore size so that inode inactivation won't
++               * punch what it thinks are "posteof" blocks.
+                */
+               mp->m_rbmip->i_d.di_size =
+                       nsbp->sb_rbmblocks * nsbp->sb_blocksize;
++              i_size_write(VFS_I(mp->m_rbmip), mp->m_rbmip->i_d.di_size);
+               xfs_trans_log_inode(tp, mp->m_rbmip, XFS_ILOG_CORE);
+               /*
+                * Get the summary inode into the transaction.
+@@ -1032,9 +1035,12 @@ xfs_growfs_rt(
+               xfs_ilock(mp->m_rsumip, XFS_ILOCK_EXCL);
+               xfs_trans_ijoin(tp, mp->m_rsumip, XFS_ILOCK_EXCL);
+               /*
+-               * Update the summary inode's size.
++               * Update the summary inode's size.  We need to update the
++               * incore size so that inode inactivation won't punch what it
++               * thinks are "posteof" blocks.
+                */
+               mp->m_rsumip->i_d.di_size = nmp->m_rsumsize;
++              i_size_write(VFS_I(mp->m_rsumip), mp->m_rsumip->i_d.di_size);
+               xfs_trans_log_inode(tp, mp->m_rsumip, XFS_ILOG_CORE);
+               /*
+                * Copy summary data from old to new sizes.
+-- 
+2.27.0
+
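Review bot: The two rewritten comments in xfs_growfs_rt() are inconsistent: the bitmap one says the size is updated "ondisk and incore", while the summary one still opens with only "Update the summary inode's size" although the same `i_size_write()` call is added there. I would open the summary comment with `* Update the summary inode's size ondisk and incore.  We need to` so both read the same. Both `i_size_write()` calls happen before the transaction is committed; whether a failure in the summary copy that follows leaves the incore size ahead of the ondisk one is not visible from these hunks and is worth confirming. Most of the function body lies outside the hunks.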