Fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Sun, 16 Aug 2020 13:50:49 +0000 (09:50 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 16 Aug 2020 13:50:49 +0000 (09:50 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
48 files changed:
queue-4.4/acpica-do-not-increment-operation_region-reference-c.patch [new file with mode: 0644]
queue-4.4/agp-intel-fix-a-memory-leak-on-module-initialisation.patch [new file with mode: 0644]
queue-4.4/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch [new file with mode: 0644]
queue-4.4/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch [new file with mode: 0644]
queue-4.4/bcache-fix-super-block-seq-numbers-comparision-in-re.patch [new file with mode: 0644]
queue-4.4/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch [new file with mode: 0644]
queue-4.4/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch [new file with mode: 0644]
queue-4.4/brcmfmac-to-fix-bss-info-flag-definition-bug.patch [new file with mode: 0644]
queue-4.4/console-newport_con-fix-an-issue-about-leak-related-.patch [new file with mode: 0644]
queue-4.4/cxl-fix-kobject-memleak.patch [new file with mode: 0644]
queue-4.4/dlm-fix-kobject-memleak.patch [new file with mode: 0644]
queue-4.4/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch [new file with mode: 0644]
queue-4.4/drm-nouveau-fix-multiple-instances-of-reference-coun.patch [new file with mode: 0644]
queue-4.4/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch [new file with mode: 0644]
queue-4.4/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch [new file with mode: 0644]
queue-4.4/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch [new file with mode: 0644]
queue-4.4/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch [new file with mode: 0644]
queue-4.4/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch [new file with mode: 0644]
queue-4.4/edac-fix-reference-count-leaks.patch [new file with mode: 0644]
queue-4.4/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch [new file with mode: 0644]
queue-4.4/iio-improve-iio_concentration-channel-type-descripti.patch [new file with mode: 0644]
queue-4.4/iwlegacy-check-the-return-value-of-pcie_capability_r.patch [new file with mode: 0644]
queue-4.4/leds-lm355x-avoid-enum-conversion-warning.patch [new file with mode: 0644]
queue-4.4/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch [new file with mode: 0644]
queue-4.4/m68k-mac-fix-iop-status-control-register-writes.patch [new file with mode: 0644]
queue-4.4/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch [new file with mode: 0644]
queue-4.4/media-firewire-using-uninitialized-values-in-node_pr.patch [new file with mode: 0644]
queue-4.4/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch [new file with mode: 0644]
queue-4.4/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch [new file with mode: 0644]
queue-4.4/mwifiex-prevent-memory-corruption-handling-keys.patch [new file with mode: 0644]
queue-4.4/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch [new file with mode: 0644]
queue-4.4/pci-aspm-add-missing-newline-in-sysfs-policy.patch [new file with mode: 0644]
queue-4.4/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch [new file with mode: 0644]
queue-4.4/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch [new file with mode: 0644]
queue-4.4/powerpc-vdso-fix-vdso-cpu-truncation.patch [new file with mode: 0644]
queue-4.4/s390-qeth-don-t-process-empty-bridge-port-events.patch [new file with mode: 0644]
queue-4.4/scsi-cumana_2-fix-different-dev_id-between-request_i.patch [new file with mode: 0644]
queue-4.4/scsi-eesox-fix-different-dev_id-between-request_irq-.patch [new file with mode: 0644]
queue-4.4/scsi-mesh-fix-panic-after-host-or-bus-reset.patch [new file with mode: 0644]
queue-4.4/scsi-powertec-fix-different-dev_id-between-request_i.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/smack-fix-another-vsscanf-out-of-bounds.patch [new file with mode: 0644]
queue-4.4/smack-prevent-underflow-in-smk_set_cipso.patch [new file with mode: 0644]
queue-4.4/usb-dwc2-fix-error-path-in-gadget-registration.patch [new file with mode: 0644]
queue-4.4/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch [new file with mode: 0644]
queue-4.4/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch [new file with mode: 0644]
queue-4.4/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch [new file with mode: 0644]
queue-4.4/wl1251-fix-always-return-0-error.patch [new file with mode: 0644]

diff --git a/queue-4.4/acpica-do-not-increment-operation_region-reference-c.patch b/queue-4.4/acpica-do-not-increment-operation_region-reference-c.patch
new file mode 100644 (file)
index 0000000..96b0cf1
--- /dev/null
@@ -0,0 +1,81 @@
+From 815c81ecf08c54adfd11e13be93a08eb0ae4c5e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 10:31:20 -0700
+Subject: ACPICA: Do not increment operation_region reference counts for field
+ units
+
+From: Erik Kaneda <erik.kaneda@intel.com>
+
+[ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ]
+
+ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70
+
+Object reference counts are used as a part of ACPICA's garbage
+collection mechanism. This mechanism keeps track of references to
+heap-allocated structures such as the ACPI operand objects.
+
+Recent server firmware has revealed that this reference count can
+overflow on large servers that declare many field units under the
+same operation_region. This occurs because each field unit declaration
+will add a reference count to the source operation_region.
+
+This change solves the reference count overflow for operation_regions
+objects by preventing fieldunits from incrementing their
+operation_region's reference count. Each operation_region's reference
+count will not be changed by named objects declared under the Field
+operator. During namespace deletion, the operation_region namespace
+node will be deleted and each fieldunit will be deleted without
+touching the deleted operation_region object.
+
+Link: https://github.com/acpica/acpica/commit/e17b28cf
+Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/exprep.c   | 4 ----
+ drivers/acpi/acpica/utdelete.c | 6 +-----
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c
+index 4c2836dc825be..47d8a85c90ff5 100644
+--- a/drivers/acpi/acpica/exprep.c
++++ b/drivers/acpi/acpica/exprep.c
+@@ -502,10 +502,6 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info)
+                                   (u8)access_byte_width;
+                       }
+               }
+-              /* An additional reference for the container */
+-
+-              acpi_ut_add_reference(obj_desc->field.region_obj);
+-
+               ACPI_DEBUG_PRINT((ACPI_DB_BFIELD,
+                                 "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n",
+                                 obj_desc->field.start_field_bit_offset,
+diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c
+index 1638312e3d8f9..9f8b088e21d7e 100644
+--- a/drivers/acpi/acpica/utdelete.c
++++ b/drivers/acpi/acpica/utdelete.c
+@@ -590,11 +590,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action)
+                       next_object = object->buffer_field.buffer_obj;
+                       break;
+-              case ACPI_TYPE_LOCAL_REGION_FIELD:
+-
+-                      next_object = object->field.region_obj;
+-                      break;
+-
+               case ACPI_TYPE_LOCAL_BANK_FIELD:
+                       next_object = object->bank_field.bank_obj;
+@@ -635,6 +630,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action)
+                       }
+                       break;
++              case ACPI_TYPE_LOCAL_REGION_FIELD:
+               case ACPI_TYPE_REGION:
+               default:
+-- 
+2.25.1
+
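Review bot: The new `case ACPI_TYPE_LOCAL_REGION_FIELD:` label in acpi_ut_update_object_reference() joins the `ACPI_TYPE_REGION`/`default` group without a comment, and the comment removed from acpi_ex_prep_field_value() is not replaced. Nothing in the code now records that a field unit's `field.region_obj` is a pointer it holds no reference on. I would add a comment at the new label, for example `/* Region fields hold no reference on their parent region (avoids reference count overflow) */`. A matching one-line note near the removed `acpi_ut_add_reference()` call would warn anyone who later dereferences `region_obj` during deletion, when, per the commit message, the region object may already be gone. Both functions continue outside the hunks shown.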
diff --git a/queue-4.4/agp-intel-fix-a-memory-leak-on-module-initialisation.patch b/queue-4.4/agp-intel-fix-a-memory-leak-on-module-initialisation.patch
new file mode 100644 (file)
index 0000000..b82032c
--- /dev/null
@@ -0,0 +1,43 @@
+From 625c112477f4b50aa731b81dd96b33dc335afcc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 09:34:51 +0100
+Subject: agp/intel: Fix a memory leak on module initialisation failure
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ]
+
+In intel_gtt_setup_scratch_page(), pointer "page" is not released if
+pci_dma_mapping_error() return an error, leading to a memory leak on
+module initialisation failure.  Simply fix this issue by freeing "page"
+before return.
+
+Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/agp/intel-gtt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
+index 76afc841232cf..3d11f5adb355e 100644
+--- a/drivers/char/agp/intel-gtt.c
++++ b/drivers/char/agp/intel-gtt.c
+@@ -303,8 +303,10 @@ static int intel_gtt_setup_scratch_page(void)
+       if (intel_private.needs_dmar) {
+               dma_addr = pci_map_page(intel_private.pcidev, page, 0,
+                                   PAGE_SIZE, PCI_DMA_BIDIRECTIONAL);
+-              if (pci_dma_mapping_error(intel_private.pcidev, dma_addr))
++              if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) {
++                      __free_page(page);
+                       return -EINVAL;
++              }
+               intel_private.scratch_page_dma = dma_addr;
+       } else
+-- 
+2.25.1
+
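Review bot: The added `__free_page(page);` in the `pci_dma_mapping_error()` branch undoes only the allocation, and the hunk does not show what else intel_gtt_setup_scratch_page() did to `page` before this point. If the 4.4 version of the function changes the page's caching attribute or takes an extra reference before the mapping, those steps need reversing here too before the page returns to the allocator, e.g. `set_pages_wb(page, 1);` ahead of the free. The start of the function is outside the hunk, so this needs checking against the 4.4 tree. Comparing with the driver's scratch-page teardown path would confirm that both release the page the same way.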
diff --git a/queue-4.4/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch b/queue-4.4/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch
new file mode 100644 (file)
index 0000000..86eddac
--- /dev/null
@@ -0,0 +1,64 @@
+From 571cf66875b5b634bd1dbd281ab921346c599198 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 20:33:01 +0800
+Subject: ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
+
+From: yu kuai <yukuai3@huawei.com>
+
+[ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ]
+
+if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have
+a corresponding put_device(). Thus add a jump target to fix the exception
+handling for this function implementation.
+
+Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM")
+Signed-off-by: yu kuai <yukuai3@huawei.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-at91/pm.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c
+index 84eefbc2b4f93..5923f2ca510be 100644
+--- a/arch/arm/mach-at91/pm.c
++++ b/arch/arm/mach-at91/pm.c
+@@ -393,13 +393,13 @@ static void __init at91_pm_sram_init(void)
+       sram_pool = gen_pool_get(&pdev->dev, NULL);
+       if (!sram_pool) {
+               pr_warn("%s: sram pool unavailable!\n", __func__);
+-              return;
++              goto out_put_device;
+       }
+       sram_base = gen_pool_alloc(sram_pool, at91_pm_suspend_in_sram_sz);
+       if (!sram_base) {
+               pr_warn("%s: unable to alloc sram!\n", __func__);
+-              return;
++              goto out_put_device;
+       }
+       sram_pbase = gen_pool_virt_to_phys(sram_pool, sram_base);
+@@ -407,12 +407,17 @@ static void __init at91_pm_sram_init(void)
+                                       at91_pm_suspend_in_sram_sz, false);
+       if (!at91_suspend_sram_fn) {
+               pr_warn("SRAM: Could not map\n");
+-              return;
++              goto out_put_device;
+       }
+       /* Copy the pm suspend handler to SRAM */
+       at91_suspend_sram_fn = fncpy(at91_suspend_sram_fn,
+                       &at91_pm_suspend_in_sram, at91_pm_suspend_in_sram_sz);
++      return;
++
++out_put_device:
++      put_device(&pdev->dev);
++      return;
+ }
+ static void __init at91_pm_init(void)
+-- 
+2.25.1
+
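Review bot: On the `pr_warn("SRAM: Could not map\n")` path the new `goto out_put_device` drops the device reference but leaves the block obtained from `gen_pool_alloc()` allocated. That path should also call `gen_pool_free(sram_pool, sram_base, at91_pm_suspend_in_sram_sz);` before the put. The trailing `return;` after `put_device(&pdev->dev);` is redundant at the end of a void function and can be dropped. The success path returns without the put, which looks intentional since the pool stays in use, but a short comment above the first `return;` would say so. The start of at91_pm_sram_init() is outside the hunk.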
diff --git a/queue-4.4/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch b/queue-4.4/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch
new file mode 100644 (file)
index 0000000..7647d19
--- /dev/null
@@ -0,0 +1,64 @@
+From f180d55ec8ff4feaa79eff6700574cc0b1bdccc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 21:45:51 +0800
+Subject: ARM: socfpga: PM: add missing put_device() call in
+ socfpga_setup_ocram_self_refresh()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ]
+
+if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh
+doesn't have a corresponding put_device(). Thus add a jump target to
+fix the exception handling for this function implementation.
+
+Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-socfpga/pm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c
+index c378ab0c24317..93f2245c97750 100644
+--- a/arch/arm/mach-socfpga/pm.c
++++ b/arch/arm/mach-socfpga/pm.c
+@@ -60,14 +60,14 @@ static int socfpga_setup_ocram_self_refresh(void)
+       if (!ocram_pool) {
+               pr_warn("%s: ocram pool unavailable!\n", __func__);
+               ret = -ENODEV;
+-              goto put_node;
++              goto put_device;
+       }
+       ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz);
+       if (!ocram_base) {
+               pr_warn("%s: unable to alloc ocram!\n", __func__);
+               ret = -ENOMEM;
+-              goto put_node;
++              goto put_device;
+       }
+       ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base);
+@@ -78,7 +78,7 @@ static int socfpga_setup_ocram_self_refresh(void)
+       if (!suspend_ocram_base) {
+               pr_warn("%s: __arm_ioremap_exec failed!\n", __func__);
+               ret = -ENOMEM;
+-              goto put_node;
++              goto put_device;
+       }
+       /* Copy the code that puts DDR in self refresh to ocram */
+@@ -92,6 +92,8 @@ static int socfpga_setup_ocram_self_refresh(void)
+       if (!socfpga_sdram_self_refresh_in_ocram)
+               ret = -EFAULT;
++put_device:
++      put_device(&pdev->dev);
+ put_node:
+       of_node_put(np);
+-- 
+2.25.1
+
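Review bot: The new `put_device:` label sits on the fall-through path, so `put_device(&pdev->dev)` now also runs after a successful setup, whereas the at91 change in this same queue keeps the reference on success. If dropping it on success is intended, a comment at the label would record that, e.g. `/* the device reference is only needed during setup */`. Naming the label after the function it calls is legal C but hard to read; `out_put_device:` would match the at91 patch. As in that patch, the `__arm_ioremap_exec failed` path leaves the `gen_pool_alloc()` block allocated. The function begins and ends outside the hunks.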
diff --git a/queue-4.4/bcache-fix-super-block-seq-numbers-comparision-in-re.patch b/queue-4.4/bcache-fix-super-block-seq-numbers-comparision-in-re.patch
new file mode 100644 (file)
index 0000000..ca2ef0a
--- /dev/null
@@ -0,0 +1,79 @@
+From 968b8b3e68dacac3fa5d441acd0096b52bb882da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 20:00:26 +0800
+Subject: bcache: fix super block seq numbers comparision in
+ register_cache_set()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ]
+
+In register_cache_set(), c is pointer to struct cache_set, and ca is
+pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this
+registering cache has up to date version and other members, the in-
+memory version and other members should be updated to the newer value.
+
+But current implementation makes a cache set only has a single cache
+device, so the above assumption works well except for a special case.
+The execption is when a cache device new created and both ca->sb.seq and
+c->sb.seq are 0, because the super block is never flushed out yet. In
+the location for the following if() check,
+2156         if (ca->sb.seq > c->sb.seq) {
+2157                 c->sb.version           = ca->sb.version;
+2158                 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16);
+2159                 c->sb.flags             = ca->sb.flags;
+2160                 c->sb.seq               = ca->sb.seq;
+2161                 pr_debug("set version = %llu\n", c->sb.version);
+2162         }
+c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0,
+the if() check will fail (because both values are 0), and the cache set
+version, set_uuid, flags and seq won't be updated.
+
+The above problem is hiden for current code, because the bucket size is
+compatible among different super block version. And the next time when
+running cache set again, ca->sb.seq will be larger than 0 and cache set
+super block version will be updated properly.
+
+But if the large bucket feature is enabled,  sb->bucket_size is the low
+16bits of the bucket size. For a power of 2 value, when the actual
+bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then
+read_super_common() will fail because the if() check to
+is_power_of_2(sb->bucket_size) is false. This is how the long time
+hidden bug is triggered.
+
+This patch modifies the if() check to the following way,
+2156         if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) {
+Then cache set's version, set_uuid, flags and seq will always be updated
+corectly including for a new created cache device.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index df8f1e69077f6..23ffd4469dabb 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1778,7 +1778,14 @@ static const char *register_cache_set(struct cache *ca)
+           sysfs_create_link(&c->kobj, &ca->kobj, buf))
+               goto err;
+-      if (ca->sb.seq > c->sb.seq) {
++      /*
++       * A special case is both ca->sb.seq and c->sb.seq are 0,
++       * such condition happens on a new created cache device whose
++       * super block is never flushed yet. In this case c->sb.version
++       * and other members should be updated too, otherwise we will
++       * have a mistaken super block version in cache set.
++       */
++      if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) {
+               c->sb.version           = ca->sb.version;
+               memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16);
+               c->sb.flags             = ca->sb.flags;
+-- 
+2.25.1
+
diff --git a/queue-4.4/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch b/queue-4.4/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch
new file mode 100644 (file)
index 0000000..239e24b
--- /dev/null
@@ -0,0 +1,92 @@
+From 89b98416110c0196f7b692b367d908a5ef10df30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jul 2020 13:07:42 -0400
+Subject: bdc: Fix bug causing crash after multiple disconnects
+
+From: Sasi Kumar <sasi.kumar@broadcom.com>
+
+[ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ]
+
+Multiple connects/disconnects can cause a crash on the second
+disconnect. The driver had a problem where it would try to send
+endpoint commands after it was disconnected which is not allowed
+by the hardware. The fix is to only allow the endpoint commands
+when the endpoint is connected. This will also fix issues that
+showed up when using configfs to create gadgets.
+
+Signed-off-by: Sasi Kumar <sasi.kumar@broadcom.com>
+Signed-off-by: Al Cooper <alcooperx@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/bdc/bdc_core.c |  4 ++++
+ drivers/usb/gadget/udc/bdc/bdc_ep.c   | 16 ++++++++++------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c
+index e9bd8d4abca00..f09a74d79c9eb 100644
+--- a/drivers/usb/gadget/udc/bdc/bdc_core.c
++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c
+@@ -286,6 +286,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit)
+        * in that case reinit is passed as 1
+        */
+       if (reinit) {
++              int i;
+               /* Enable interrupts */
+               temp = bdc_readl(bdc->regs, BDC_BDCSC);
+               temp |= BDC_GIE;
+@@ -295,6 +296,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit)
+               /* Initialize SRR to 0 */
+               memset(bdc->srr.sr_bds, 0,
+                                       NUM_SR_ENTRIES * sizeof(struct bdc_bd));
++              /* clear ep flags to avoid post disconnect stops/deconfigs */
++              for (i = 1; i < bdc->num_eps; ++i)
++                      bdc->bdc_ep_array[i]->flags = 0;
+       } else {
+               /* One time initiaization only */
+               /* Enable status report function pointers */
+diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c
+index 3a65272fbed86..9f5f18891ba85 100644
+--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c
++++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c
+@@ -621,7 +621,6 @@ int bdc_ep_enable(struct bdc_ep *ep)
+       }
+       bdc_dbg_bd_list(bdc, ep);
+       /* only for ep0: config ep is called for ep0 from connect event */
+-      ep->flags |= BDC_EP_ENABLED;
+       if (ep->ep_num == 1)
+               return ret;
+@@ -767,10 +766,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req)
+                                       __func__, ep->name, start_bdi, end_bdi);
+       dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n",
+                                               ep, (void *)ep->usb_ep.desc);
+-      /* Stop the ep to see where the HW is ? */
+-      ret = bdc_stop_ep(bdc, ep->ep_num);
+-      /* if there is an issue with stopping ep, then no need to go further */
+-      if (ret)
++      /* if still connected, stop the ep to see where the HW is ? */
++      if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) {
++              ret = bdc_stop_ep(bdc, ep->ep_num);
++              /* if there is an issue, then no need to go further */
++              if (ret)
++                      return 0;
++      } else
+               return 0;
+       /*
+@@ -1921,7 +1923,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep)
+               __func__, ep->name, ep->flags);
+       if (!(ep->flags & BDC_EP_ENABLED)) {
+-              dev_warn(bdc->dev, "%s is already disabled\n", ep->name);
++              if (bdc->gadget.speed != USB_SPEED_UNKNOWN)
++                      dev_warn(bdc->dev, "%s is already disabled\n",
++                               ep->name);
+               return 0;
+       }
+       spin_lock_irqsave(&bdc->lock, flags);
+-- 
+2.25.1
+
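Review bot: The hunk in bdc_ep_enable() deletes `ep->flags |= BDC_EP_ENABLED;` and no other assignment of that flag is visible in this patch, while bdc_gadget_ep_disable() still returns early when the flag is clear. Please confirm that the 4.4 version of bdc_ep_enable() sets the flag later in the function, whose remainder is outside the hunk. If it does not, non-ep0 endpoints would never be marked enabled and the disable path would skip its cleanup. Separately, the loop added to bdc_mem_init() dereferences `bdc->bdc_ep_array[i]` for every index without a NULL check, which is safe only if every slot below `num_eps` is populated at reinit time. Adding `if (bdc->bdc_ep_array[i])` before the store would make that assumption explicit.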
diff --git a/queue-4.4/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch b/queue-4.4/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch
new file mode 100644 (file)
index 0000000..51bb3f0
--- /dev/null
@@ -0,0 +1,142 @@
+From b22154c5d02bc5c2ca7204861af9ffa99e48ef35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 20:28:41 +0800
+Subject: Bluetooth: add a mutex lock to avoid UAF in do_enale_set
+
+From: Lihong Kou <koulihong@huawei.com>
+
+[ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]
+
+In the case we set or free the global value listen_chan in
+different threads, we can encounter the UAF problems because
+the method is not protected by any lock, add one to avoid
+this bug.
+
+BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
+net/bluetooth/l2cap_core.c:730
+Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868
+
+CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 01/01/2011
+Workqueue: events do_enable_set
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1fb/0x318 lib/dump_stack.c:118
+ print_address_description+0x74/0x5c0 mm/kasan/report.c:374
+ __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
+ kasan_report+0x26/0x50 mm/kasan/common.c:641
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
+ l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
+ do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
+ process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
+ worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
+ kthread+0x332/0x350 kernel/kthread.c:255
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+
+Allocated by task 2870:
+ save_stack mm/kasan/common.c:72 [inline]
+ set_track mm/kasan/common.c:80 [inline]
+ __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
+ kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
+ kmalloc include/linux/slab.h:555 [inline]
+ kzalloc include/linux/slab.h:669 [inline]
+ l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
+ chan_create net/bluetooth/6lowpan.c:640 [inline]
+ bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
+ do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
+ process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
+ worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
+ kthread+0x332/0x350 kernel/kthread.c:255
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+
+Freed by task 2870:
+ save_stack mm/kasan/common.c:72 [inline]
+ set_track mm/kasan/common.c:80 [inline]
+ kasan_set_free_info mm/kasan/common.c:337 [inline]
+ __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x10d/0x220 mm/slab.c:3757
+ l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
+ do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
+ process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
+ worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
+ kthread+0x332/0x350 kernel/kthread.c:255
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+
+The buggy address belongs to the object at ffff888096950000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 0 bytes inside of
+ 2048-byte region [ffff888096950000, ffff888096950800)
+The buggy address belongs to the page:
+page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
+raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                   ^
+ ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
+Signed-off-by: Lihong Kou <koulihong@huawei.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 4cd6b8d811ffa..11602902884ba 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -57,6 +57,7 @@ static bool enable_6lowpan;
+ /* We are listening incoming connections via this channel
+  */
+ static struct l2cap_chan *listen_chan;
++static DEFINE_MUTEX(set_lock);
+ struct lowpan_peer {
+       struct list_head list;
+@@ -1195,12 +1196,14 @@ static void do_enable_set(struct work_struct *work)
+       enable_6lowpan = set_enable->flag;
++      mutex_lock(&set_lock);
+       if (listen_chan) {
+               l2cap_chan_close(listen_chan, 0);
+               l2cap_chan_put(listen_chan);
+       }
+       listen_chan = bt_6lowpan_listen();
++      mutex_unlock(&set_lock);
+       kfree(set_enable);
+ }
+@@ -1252,11 +1255,13 @@ static ssize_t lowpan_control_write(struct file *fp,
+               if (ret == -EINVAL)
+                       return ret;
++              mutex_lock(&set_lock);
+               if (listen_chan) {
+                       l2cap_chan_close(listen_chan, 0);
+                       l2cap_chan_put(listen_chan);
+                       listen_chan = NULL;
+               }
++              mutex_unlock(&set_lock);
+               if (conn) {
+                       struct lowpan_peer *peer;
+-- 
+2.25.1
+
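Review bot: `static DEFINE_MUTEX(set_lock);` is added without a comment saying what it protects, and its name does not tie it to `listen_chan`. I would add `/* serialises replacement and release of listen_chan */` above it. The patch takes the lock only in do_enable_set() and lowpan_control_write(). Any other place in 6lowpan.c that closes or puts `listen_chan` (none is visible in these hunks) needs the same lock for the use-after-free fix to be complete. In do_enable_set() the `enable_6lowpan = set_enable->flag;` store stays outside the critical section, which deserves a comment if it is deliberate.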
diff --git a/queue-4.4/brcmfmac-to-fix-bss-info-flag-definition-bug.patch b/queue-4.4/brcmfmac-to-fix-bss-info-flag-definition-bug.patch
new file mode 100644 (file)
index 0000000..d88d17c
--- /dev/null
@@ -0,0 +1,39 @@
+From 17caef5e9852e7338957ffcbd358bd44064363a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 02:18:35 -0500
+Subject: brcmfmac: To fix Bss Info flag definition Bug
+
+From: Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com>
+
+[ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ]
+
+Bss info flag definition need to be fixed from 0x2 to 0x4
+This flag is for rssi info received on channel.
+All Firmware branches defined as 0x4 and this is bug in brcmfmac.
+
+Signed-off-by: Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com>
+Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h
+index 4320c4cae53e1..7eb9f31dde1a2 100644
+--- a/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h
+@@ -30,7 +30,7 @@
+ #define BRCMF_ARP_OL_PEER_AUTO_REPLY  0x00000008
+ #define       BRCMF_BSS_INFO_VERSION  109 /* curr ver of brcmf_bss_info_le struct */
+-#define BRCMF_BSS_RSSI_ON_CHANNEL     0x0002
++#define BRCMF_BSS_RSSI_ON_CHANNEL     0x0004
+ #define BRCMF_STA_WME              0x00000002      /* WMM association */
+ #define BRCMF_STA_AUTHE            0x00000008      /* Authenticated */
+-- 
+2.25.1
+
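Review bot: `BRCMF_BSS_RSSI_ON_CHANNEL` carries no comment, so the reason for the new value lives only in the commit message. I would write the line as `#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0004 /* rssi info received on channel; must match firmware */` so that a later reader does not change it back to the value that looks consistent with its neighbours.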
diff --git a/queue-4.4/console-newport_con-fix-an-issue-about-leak-related-.patch b/queue-4.4/console-newport_con-fix-an-issue-about-leak-related-.patch
new file mode 100644 (file)
index 0000000..d16fcfe
--- /dev/null
@@ -0,0 +1,91 @@
+From b25bae93b294d9ce16825eb33be92cf15441ec5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 00:42:51 +0800
+Subject: console: newport_con: fix an issue about leak related system
+ resources
+
+From: Dejin Zheng <zhengdejin5@gmail.com>
+
+[ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ]
+
+A call of the function do_take_over_console() can fail here.
+The corresponding system resources were not released then.
+Thus add a call of iounmap() and release_mem_region()
+together with the check of a failure predicate. and also
+add release_mem_region() on device removal.
+
+Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding")
+Suggested-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/console/newport_con.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c
+index bb4e96255974a..bd0c6e53bec19 100644
+--- a/drivers/video/console/newport_con.c
++++ b/drivers/video/console/newport_con.c
+@@ -31,6 +31,8 @@
+ #include <linux/linux_logo.h>
+ #include <linux/font.h>
++#define NEWPORT_LEN   0x10000
++
+ #define FONT_DATA ((unsigned char *)font_vga_8x16.data)
+ /* borrowed from fbcon.c */
+@@ -42,6 +44,7 @@
+ static unsigned char *font_data[MAX_NR_CONSOLES];
+ static struct newport_regs *npregs;
++static unsigned long newport_addr;
+ static int logo_active;
+ static int topscan;
+@@ -743,7 +746,6 @@ const struct consw newport_con = {
+ static int newport_probe(struct gio_device *dev,
+                        const struct gio_device_id *id)
+ {
+-      unsigned long newport_addr;
+       int err;
+       if (!dev->resource.start)
+@@ -753,7 +755,7 @@ static int newport_probe(struct gio_device *dev,
+               return -EBUSY; /* we only support one Newport as console */
+       newport_addr = dev->resource.start + 0xF0000;
+-      if (!request_mem_region(newport_addr, 0x10000, "Newport"))
++      if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport"))
+               return -ENODEV;
+       npregs = (struct newport_regs *)/* ioremap cannot fail */
+@@ -761,6 +763,11 @@ static int newport_probe(struct gio_device *dev,
+       console_lock();
+       err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1);
+       console_unlock();
++
++      if (err) {
++              iounmap((void *)npregs);
++              release_mem_region(newport_addr, NEWPORT_LEN);
++      }
+       return err;
+ }
+@@ -768,6 +775,7 @@ static void newport_remove(struct gio_device *dev)
+ {
+       give_up_console(&newport_con);
+       iounmap((void *)npregs);
++      release_mem_region(newport_addr, NEWPORT_LEN);
+ }
+ static struct gio_device_id newport_ids[] = {
+-- 
+2.25.1
+
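Review bot: In the new error branch of newport_probe() the file-scope `npregs` keeps its old value after `iounmap()`, so the driver is left holding a pointer into an unmapped region; newport_remove() has the same pattern. If the -EBUSY guard earlier in probe tests `npregs` (its condition is not in the hunk), a failed console takeover would also make every later probe return -EBUSY. I would clear the pointer right after unmapping in both places: `iounmap((void *)npregs);` followed by `npregs = NULL;`. Now that `newport_addr` is static as well, a one-line comment that it is only valid between a successful probe and remove would help.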
diff --git a/queue-4.4/cxl-fix-kobject-memleak.patch b/queue-4.4/cxl-fix-kobject-memleak.patch
new file mode 100644 (file)
index 0000000..bc2f1a6
--- /dev/null
@@ -0,0 +1,44 @@
+From 5f936529eee86906de3b0dba0d40ddc29bb8bac1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2020 20:07:33 +0800
+Subject: cxl: Fix kobject memleak
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ]
+
+Currently the error return path from kobject_init_and_add() is not
+followed by a call to kobject_put() - which means we are leaking
+the kobject.
+
+Fix it by adding a call to kobject_put() in the error path of
+kobject_init_and_add().
+
+Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/cxl/sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c
+index 02006f7109a80..349955982081b 100644
+--- a/drivers/misc/cxl/sysfs.c
++++ b/drivers/misc/cxl/sysfs.c
+@@ -539,7 +539,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c
+       rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type,
+                                 &afu->dev.kobj, "cr%i", cr->cr);
+       if (rc)
+-              goto err;
++              goto err1;
+       rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr);
+       if (rc)
+-- 
+2.25.1
+
diff --git a/queue-4.4/dlm-fix-kobject-memleak.patch b/queue-4.4/dlm-fix-kobject-memleak.patch
new file mode 100644 (file)
index 0000000..cc9d080
--- /dev/null
@@ -0,0 +1,52 @@
+From fd95ace18ba536356b3020d6c558022848b578b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 11:25:33 +0800
+Subject: dlm: Fix kobject memleak
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ]
+
+Currently the error return path from kobject_init_and_add() is not
+followed by a call to kobject_put() - which means we are leaking
+the kobject.
+
+Set do_unreg = 1 before kobject_init_and_add() to ensure that
+kobject_put() can be called in its error patch.
+
+Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index b14bb2c460426..499f54f99891c 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -626,6 +626,9 @@ static int new_lockspace(const char *name, const char *cluster,
+       wait_event(ls->ls_recover_lock_wait,
+                  test_bit(LSFL_RECOVER_LOCK, &ls->ls_flags));
++      /* let kobject handle freeing of ls if there's an error */
++      do_unreg = 1;
++
+       ls->ls_kobj.kset = dlm_kset;
+       error = kobject_init_and_add(&ls->ls_kobj, &dlm_ktype, NULL,
+                                    "%s", ls->ls_name);
+@@ -633,9 +636,6 @@ static int new_lockspace(const char *name, const char *cluster,
+               goto out_recoverd;
+       kobject_uevent(&ls->ls_kobj, KOBJ_ADD);
+-      /* let kobject handle freeing of ls if there's an error */
+-      do_unreg = 1;
+-
+       /* This uevent triggers dlm_controld in userspace to add us to the
+          group of nodes that are members of this lockspace (managed by the
+          cluster infrastructure.)  Once it's done that, it tells us who the
+-- 
+2.25.1
+
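Review bot: The moved comment in new_lockspace() still reads "let kobject handle freeing of ls if there's an error", which does not explain why `do_unreg = 1` now has to come before `kobject_init_and_add()` instead of after it. I would reword it to state the rule the fix depends on: `/* kobject_init_and_add() holds a reference even when it fails, so from here on ls is freed through kobject_put() */`. The unwind labels that read `do_unreg` are outside the hunk, so it is worth confirming there that nothing frees `ls` directly once the flag is set.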
diff --git a/queue-4.4/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch b/queue-4.4/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch
new file mode 100644 (file)
index 0000000..6d4fa90
--- /dev/null
@@ -0,0 +1,51 @@
+From 7c3a1e971ad75c56d3ba4a98130ff5f27754a5fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2017 12:43:07 +0200
+Subject: drm/debugfs: fix plain echo to connector "force" attribute
+
+From: Michael Tretter <m.tretter@pengutronix.de>
+
+[ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ]
+
+Using plain echo to set the "force" connector attribute fails with
+-EINVAL, because echo appends a newline to the output.
+
+Replace strcmp with sysfs_streq to also accept strings that end with a
+newline.
+
+v2: use sysfs_streq instead of stripping trailing whitespace
+
+Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_debugfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c
+index 3bcf8e6a85b35..5b0fdcd0b63fd 100644
+--- a/drivers/gpu/drm/drm_debugfs.c
++++ b/drivers/gpu/drm/drm_debugfs.c
+@@ -290,13 +290,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf,
+       buf[len] = '\0';
+-      if (!strcmp(buf, "on"))
++      if (sysfs_streq(buf, "on"))
+               connector->force = DRM_FORCE_ON;
+-      else if (!strcmp(buf, "digital"))
++      else if (sysfs_streq(buf, "digital"))
+               connector->force = DRM_FORCE_ON_DIGITAL;
+-      else if (!strcmp(buf, "off"))
++      else if (sysfs_streq(buf, "off"))
+               connector->force = DRM_FORCE_OFF;
+-      else if (!strcmp(buf, "unspecified"))
++      else if (sysfs_streq(buf, "unspecified"))
+               connector->force = DRM_FORCE_UNSPECIFIED;
+       else
+               return -EINVAL;
+-- 
+2.25.1
+
diff --git a/queue-4.4/drm-nouveau-fix-multiple-instances-of-reference-coun.patch b/queue-4.4/drm-nouveau-fix-multiple-instances-of-reference-coun.patch
new file mode 100644 (file)
index 0000000..7f969cd
--- /dev/null
@@ -0,0 +1,68 @@
+From bc573391022e1f28868b261411771ae382eab34e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 20:41:56 -0500
+Subject: drm/nouveau: fix multiple instances of reference count leaks
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+ref count before returning the error.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 8 ++++++--
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
+index 91a61d2cca889..a90840e391100 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -805,8 +805,10 @@ nouveau_drm_open(struct drm_device *dev, struct drm_file *fpriv)
+       /* need to bring up power immediately if opening device */
+       ret = pm_runtime_get_sync(dev->dev);
+-      if (ret < 0 && ret != -EACCES)
++      if (ret < 0 && ret != -EACCES) {
++              pm_runtime_put_autosuspend(dev->dev);
+               return ret;
++      }
+       get_task_comm(tmpname, current);
+       snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid));
+@@ -894,8 +896,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+       long ret;
+       ret = pm_runtime_get_sync(dev->dev);
+-      if (ret < 0 && ret != -EACCES)
++      if (ret < 0 && ret != -EACCES) {
++              pm_runtime_put_autosuspend(dev->dev);
+               return ret;
++      }
+       switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) {
+       case DRM_NOUVEAU_NVIF:
+diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
+index ae560f5977fca..e5db2a385cb65 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
+@@ -42,8 +42,10 @@ nouveau_gem_object_del(struct drm_gem_object *gem)
+       int ret;
+       ret = pm_runtime_get_sync(dev);
+-      if (WARN_ON(ret < 0 && ret != -EACCES))
++      if (WARN_ON(ret < 0 && ret != -EACCES)) {
++              pm_runtime_put_autosuspend(dev);
+               return;
++      }
+       if (gem->import_attach)
+               drm_prime_gem_destroy(gem, nvbo->bo.sg);
+-- 
+2.25.1
+
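Review bot: The three new error branches (nouveau_drm_open, nouveau_drm_ioctl and nouveau_gem_object_del) balance a failed `pm_runtime_get_sync()` with `pm_runtime_put_autosuspend()`, which drops the usage count but also goes through the autosuspend path on a device that has just failed to resume. Only the counter needs to be dropped here, so `pm_runtime_put_noidle(dev->dev);` (and `pm_runtime_put_noidle(dev);` in nouveau_gem.c) states the intent more precisely and has no side effect on the power state. The same remark applies to the three radeon hunks in drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch further down in this commit. All of these functions continue outside their hunks, so the later success-path put calls are not visible here.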
diff --git a/queue-4.4/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch b/queue-4.4/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch
new file mode 100644 (file)
index 0000000..d71d4e2
--- /dev/null
@@ -0,0 +1,37 @@
+From f678d08d8dd8736ced52c185472214179aff38db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jul 2020 01:53:17 +0300
+Subject: drm: panel: simple: Fix bpc for LG LB070WV8 panel
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ]
+
+The LG LB070WV8 panel incorrectly reports a 16 bits per component value,
+while the panel uses 8 bits per component. Fix it.
+
+Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel")
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index ecad4d7c6cd17..64b23bdebd1d1 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -920,7 +920,7 @@ static const struct drm_display_mode lg_lb070wv8_mode = {
+ static const struct panel_desc lg_lb070wv8 = {
+       .modes = &lg_lb070wv8_mode,
+       .num_modes = 1,
+-      .bpc = 16,
++      .bpc = 8,
+       .size = {
+               .width = 151,
+               .height = 91,
+-- 
+2.25.1
+
diff --git a/queue-4.4/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch b/queue-4.4/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch
new file mode 100644 (file)
index 0000000..2e66ec1
--- /dev/null
@@ -0,0 +1,39 @@
+From 6f33dfd24693a35750042dcd717a737b66ead109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 13:07:10 +0100
+Subject: drm/radeon: fix array out-of-bounds read and write issues
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ]
+
+There is an off-by-one bounds check on the index into arrays
+table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that
+can lead to reads and writes outside of arrays. Fix the bound checking
+off-by-one error.
+
+Addresses-Coverity: ("Out-of-bounds read/write")
+Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
+index e7a245d7bdbcb..8e1bf9ed8efff 100644
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -4345,7 +4345,7 @@ static int ci_set_mc_special_registers(struct radeon_device *rdev,
+                                       table->mc_reg_table_entry[k].mc_data[j] |= 0x100;
+                       }
+                       j++;
+-                      if (j > SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
++                      if (j >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
+                               return -EINVAL;
+                       if (!pi->mem_gddr5) {
+-- 
+2.25.1
+
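Review bot: The bound on `j` in ci_set_mc_special_registers() is tested only after `j++`, and the array accesses it protects lie outside this hunk, so a reader cannot tell from the changed line why `>=` is the correct comparison. A short comment above the check would pin the invariant named in the commit message: `/* j indexes mc_reg_address[] and mc_data[]; it must stay below SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE */`. The rest of the function is not visible here; any other post-increment check of `j` in it should be confirmed to use the same `>=` form.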
diff --git a/queue-4.4/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch b/queue-4.4/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch
new file mode 100644 (file)
index 0000000..f33feab
--- /dev/null
@@ -0,0 +1,74 @@
+From e9d5ff51d5c898fcd7e87d8ad76ef2b9a4393bbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 21:21:22 -0500
+Subject: drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+reference count before returning the error.
+
+Acked-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 4 +++-
+ drivers/gpu/drm/radeon/radeon_drv.c     | 4 +++-
+ drivers/gpu/drm/radeon/radeon_kms.c     | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index 4572bfba017c5..17c73b8c90e71 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -660,8 +660,10 @@ radeon_crtc_set_config(struct drm_mode_set *set)
+       dev = set->crtc->dev;
+       ret = pm_runtime_get_sync(dev->dev);
+-      if (ret < 0)
++      if (ret < 0) {
++              pm_runtime_put_autosuspend(dev->dev);
+               return ret;
++      }
+       ret = drm_crtc_helper_set_config(set);
+diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c
+index 5b6a6f5b3619e..401403a3ea50c 100644
+--- a/drivers/gpu/drm/radeon/radeon_drv.c
++++ b/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -527,8 +527,10 @@ long radeon_drm_ioctl(struct file *filp,
+       long ret;
+       dev = file_priv->minor->dev;
+       ret = pm_runtime_get_sync(dev->dev);
+-      if (ret < 0)
++      if (ret < 0) {
++              pm_runtime_put_autosuspend(dev->dev);
+               return ret;
++      }
+       ret = drm_ioctl(filp, cmd, arg);
+       
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
+index d290a8a09036e..41caf7da90548 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -631,8 +631,10 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
+       file_priv->driver_priv = NULL;
+       r = pm_runtime_get_sync(dev->dev);
+-      if (r < 0)
++      if (r < 0) {
++              pm_runtime_put_autosuspend(dev->dev);
+               return r;
++      }
+       /* new gpu have virtual address space support */
+       if (rdev->family >= CHIP_CAYMAN) {
+-- 
+2.25.1
+
diff --git a/queue-4.4/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch b/queue-4.4/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch
new file mode 100644 (file)
index 0000000..ad051d3
--- /dev/null
@@ -0,0 +1,51 @@
+From 689fe870d9a6675f4a9b36a8fd6b6f8f589b898c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 13:42:32 +0300
+Subject: drm/tilcdc: fix leak & null ref in panel_connector_get_modes
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ]
+
+If videomode_from_timings() returns true, the mode allocated with
+drm_mode_create will be leaked.
+
+Also, the return value of drm_mode_create() is never checked, and thus
+could cause NULL deref.
+
+Fix these two issues.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com
+Reviewed-by: Jyri Sarha <jsarha@ti.com>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tilcdc/tilcdc_panel.c b/drivers/gpu/drm/tilcdc/tilcdc_panel.c
+index 0af8bed7ce1ee..08d8f608be632 100644
+--- a/drivers/gpu/drm/tilcdc/tilcdc_panel.c
++++ b/drivers/gpu/drm/tilcdc/tilcdc_panel.c
+@@ -177,12 +177,16 @@ static int panel_connector_get_modes(struct drm_connector *connector)
+       int i;
+       for (i = 0; i < timings->num_timings; i++) {
+-              struct drm_display_mode *mode = drm_mode_create(dev);
++              struct drm_display_mode *mode;
+               struct videomode vm;
+               if (videomode_from_timings(timings, &vm, i))
+                       break;
++              mode = drm_mode_create(dev);
++              if (!mode)
++                      break;
++
+               drm_display_mode_from_videomode(&vm, mode);
+               mode->type = DRM_MODE_TYPE_DRIVER;
+-- 
+2.25.1
+
diff --git a/queue-4.4/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch b/queue-4.4/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch
new file mode 100644 (file)
index 0000000..af54000
--- /dev/null
@@ -0,0 +1,101 @@
+From ee07ad4f5536930f1c1c8509a15b9113841d0de9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jul 2020 17:10:47 -0600
+Subject: dyndbg: fix a BUG_ON in ddebug_describe_flags
+
+From: Jim Cromie <jim.cromie@gmail.com>
+
+[ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ]
+
+ddebug_describe_flags() currently fills a caller provided string buffer,
+after testing its size (also passed) in a BUG_ON.  Fix this by
+replacing them with a known-big-enough string buffer wrapped in a
+struct, and passing that instead.
+
+Also simplify ddebug_describe_flags() flags parameter from a struct to
+a member in that struct, and hoist the member deref up to the caller.
+This makes the function reusable (soon) where flags are unpacked.
+
+Acked-by: <jbaron@akamai.com>
+Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
+Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/dynamic_debug.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
+index c6368ae93fe6e..f50d63f67899a 100644
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -85,22 +85,22 @@ static struct { unsigned flag:8; char opt_char; } opt_array[] = {
+       { _DPRINTK_FLAGS_NONE, '_' },
+ };
++struct flagsbuf { char buf[ARRAY_SIZE(opt_array)+1]; };
++
+ /* format a string into buf[] which describes the _ddebug's flags */
+-static char *ddebug_describe_flags(struct _ddebug *dp, char *buf,
+-                                  size_t maxlen)
++static char *ddebug_describe_flags(unsigned int flags, struct flagsbuf *fb)
+ {
+-      char *p = buf;
++      char *p = fb->buf;
+       int i;
+-      BUG_ON(maxlen < 6);
+       for (i = 0; i < ARRAY_SIZE(opt_array); ++i)
+-              if (dp->flags & opt_array[i].flag)
++              if (flags & opt_array[i].flag)
+                       *p++ = opt_array[i].opt_char;
+-      if (p == buf)
++      if (p == fb->buf)
+               *p++ = '_';
+       *p = '\0';
+-      return buf;
++      return fb->buf;
+ }
+ #define vpr_info(fmt, ...)                                    \
+@@ -142,7 +142,7 @@ static int ddebug_change(const struct ddebug_query *query,
+       struct ddebug_table *dt;
+       unsigned int newflags;
+       unsigned int nfound = 0;
+-      char flagbuf[10];
++      struct flagsbuf fbuf;
+       /* search for matching ddebugs */
+       mutex_lock(&ddebug_lock);
+@@ -192,8 +192,7 @@ static int ddebug_change(const struct ddebug_query *query,
+                       vpr_info("changed %s:%d [%s]%s =%s\n",
+                                trim_prefix(dp->filename), dp->lineno,
+                                dt->mod_name, dp->function,
+-                               ddebug_describe_flags(dp, flagbuf,
+-                                                     sizeof(flagbuf)));
++                               ddebug_describe_flags(dp->flags, &fbuf));
+               }
+       }
+       mutex_unlock(&ddebug_lock);
+@@ -777,7 +776,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p)
+ {
+       struct ddebug_iter *iter = m->private;
+       struct _ddebug *dp = p;
+-      char flagsbuf[10];
++      struct flagsbuf flags;
+       vpr_info("called m=%p p=%p\n", m, p);
+@@ -790,7 +789,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p)
+       seq_printf(m, "%s:%u [%s]%s =%s \"",
+                  trim_prefix(dp->filename), dp->lineno,
+                  iter->table->mod_name, dp->function,
+-                 ddebug_describe_flags(dp, flagsbuf, sizeof(flagsbuf)));
++                 ddebug_describe_flags(dp->flags, &flags));
+       seq_escape(m, dp->format, "\t\r\n\"");
+       seq_puts(m, "\"\n");
+-- 
+2.25.1
+
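Review bot: The two callers name their buffer differently after this change: `struct flagsbuf fbuf` in ddebug_change() but `struct flagsbuf flags` in ddebug_proc_show(), where `flags` sits next to `dp->flags` in the same call and reads as if it were the flag word. I would rename the latter for consistency: `struct flagsbuf fbuf;` and `ddebug_describe_flags(dp->flags, &fbuf)`. The size of `struct flagsbuf` also deserves a one-line comment, `/* one char per opt_array entry, plus the terminating NUL */`, because it replaces the removed `BUG_ON(maxlen < 6)` as the only guard on the writes through `p`.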
diff --git a/queue-4.4/edac-fix-reference-count-leaks.patch b/queue-4.4/edac-fix-reference-count-leaks.patch
new file mode 100644 (file)
index 0000000..f175a5f
--- /dev/null
@@ -0,0 +1,59 @@
+From f805a7f99feffaf4c8f8f13cd92da8f8f260be5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 15:22:37 -0500
+Subject: EDAC: Fix reference count leaks
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ]
+
+When kobject_init_and_add() returns an error, it should be handled
+because kobject_init_and_add() takes a reference even when it fails. If
+this function returns an error, kobject_put() must be called to properly
+clean up the memory associated with the object.
+
+Therefore, replace calling kfree() and call kobject_put() and add a
+missing kobject_put() in the edac_device_register_sysfs_main_kobj()
+error path.
+
+ [ bp: Massage and merge into a single patch. ]
+
+Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu
+Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_device_sysfs.c | 1 +
+ drivers/edac/edac_pci_sysfs.c    | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c
+index fb68a06ad6837..18991cfec2af4 100644
+--- a/drivers/edac/edac_device_sysfs.c
++++ b/drivers/edac/edac_device_sysfs.c
+@@ -280,6 +280,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev)
+       /* Error exit stack */
+ err_kobj_reg:
++      kobject_put(&edac_dev->kobj);
+       module_put(edac_dev->owner);
+ err_mod_get:
+diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
+index 24d877f6e5775..c56128402bc67 100644
+--- a/drivers/edac/edac_pci_sysfs.c
++++ b/drivers/edac/edac_pci_sysfs.c
+@@ -394,7 +394,7 @@ static int edac_pci_main_kobj_setup(void)
+       /* Error unwind statck */
+ kobject_init_and_add_fail:
+-      kfree(edac_pci_top_main_kobj);
++      kobject_put(edac_pci_top_main_kobj);
+ kzalloc_fail:
+       module_put(THIS_MODULE);
+-- 
+2.25.1
+
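Review bot: In edac_device_register_sysfs_main_kobj() the added `kobject_put(&edac_dev->kobj)` is immediately followed by `module_put(edac_dev->owner)`, and in edac_pci_main_kobj_setup() the new `kobject_put(edac_pci_top_main_kobj)` falls through to `module_put(THIS_MODULE)`. If dropping the last reference runs a release callback that itself drops the module reference or frees the containing structure, the first site would read `edac_dev->owner` after the free and both sites would put the module twice. The release callbacks are not visible in these hunks, so this needs checking against the two ktype definitions. If they do perform that cleanup, the error labels should return after `kobject_put()` rather than fall through to the extra `module_put()`.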
diff --git a/queue-4.4/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch b/queue-4.4/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch
new file mode 100644 (file)
index 0000000..b58fe10
--- /dev/null
@@ -0,0 +1,62 @@
+From 494a97c0bd1c0f079cb217c7c1400c57345eaa5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 14:15:37 -0700
+Subject: fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ]
+
+Very large I/Os can cause the following RCU CPU stall warning:
+
+RIP: 0010:rb_prev+0x8/0x50
+Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c =
+89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48
+RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13
+RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0
+RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630
+RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238
+R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001
+R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0
+ __lookup_extent_mapping+0xa0/0x110
+ try_release_extent_mapping+0xdc/0x220
+ btrfs_releasepage+0x45/0x70
+ shrink_page_list+0xa39/0xb30
+ shrink_inactive_list+0x18f/0x3b0
+ shrink_lruvec+0x38e/0x6b0
+ shrink_node+0x14d/0x690
+ do_try_to_free_pages+0xc6/0x3e0
+ try_to_free_mem_cgroup_pages+0xe6/0x1e0
+ reclaim_high.constprop.73+0x87/0xc0
+ mem_cgroup_handle_over_high+0x66/0x150
+ exit_to_usermode_loop+0x82/0xd0
+ do_syscall_64+0xd4/0x100
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+On a PREEMPT=n kernel, the try_release_extent_mapping() function's
+"while" loop might run for a very long time on a large I/O.  This commit
+therefore adds a cond_resched() to this loop, providing RCU any needed
+quiescent states.
+
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent_io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 42b7409d4cc55..2f9f738ecf84a 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4437,6 +4437,8 @@ int try_release_extent_mapping(struct extent_map_tree *map,
+                       /* once for us */
+                       free_extent_map(em);
++
++                      cond_resched(); /* Allow large-extent preemption. */
+               }
+       }
+       return try_release_extent_state(map, tree, page, mask);
+-- 
+2.25.1
+
diff --git a/queue-4.4/iio-improve-iio_concentration-channel-type-descripti.patch b/queue-4.4/iio-improve-iio_concentration-channel-type-descripti.patch
new file mode 100644 (file)
index 0000000..1dca2d9
--- /dev/null
@@ -0,0 +1,43 @@
+From e74346c5f85ff85bfa5f1626e3430d3a8153287b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 18:15:52 +0200
+Subject: iio: improve IIO_CONCENTRATION channel type description
+
+From: Tomasz Duszynski <tomasz.duszynski@octakon.com>
+
+[ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ]
+
+IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting
+raw concentrations of pollutants. Raw value should be meaningless
+before being properly scaled. Because of that description shouldn't
+mention raw value unit whatsoever.
+
+Fix this by rephrasing existing description so it follows conventions
+used throughout IIO ABI docs.
+
+Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type")
+Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-iio | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio
+index 0439c2aaf7419..f20c783cb5c03 100644
+--- a/Documentation/ABI/testing/sysfs-bus-iio
++++ b/Documentation/ABI/testing/sysfs-bus-iio
+@@ -1470,7 +1470,8 @@ What:            /sys/bus/iio/devices/iio:deviceX/in_concentrationX_voc_raw
+ KernelVersion:        4.3
+ Contact:      linux-iio@vger.kernel.org
+ Description:
+-              Raw (unscaled no offset etc.) percentage reading of a substance.
++              Raw (unscaled no offset etc.) reading of a substance. Units
++              after application of scale and offset are percents.
+ What:         /sys/bus/iio/devices/iio:deviceX/in_resistance_raw
+ What:         /sys/bus/iio/devices/iio:deviceX/in_resistanceX_raw
+-- 
+2.25.1
+
diff --git a/queue-4.4/iwlegacy-check-the-return-value-of-pcie_capability_r.patch b/queue-4.4/iwlegacy-check-the-return-value-of-pcie_capability_r.patch
new file mode 100644 (file)
index 0000000..4fe7399
--- /dev/null
@@ -0,0 +1,45 @@
+From 53d28409bc03fcd837c35694aa7dca4f3c8ae818 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jul 2020 19:55:27 +0200
+Subject: iwlegacy: Check the return value of pcie_capability_read_*()
+
+From: Bolarinwa Olayemi Saheed <refactormyself@gmail.com>
+
+[ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ]
+
+On failure pcie_capability_read_dword() sets it's last parameter, val
+to 0. However, with Patch 14/14, it is possible that val is set to ~0 on
+failure. This would introduce a bug because (x & x) == (~0 & x).
+
+This bug can be avoided without changing the function's behaviour if the
+return value of pcie_capability_read_dword is checked to confirm success.
+
+Check the return value of pcie_capability_read_dword() to ensure success.
+
+Suggested-by: Bjorn Helgaas <bjorn@helgaas.com>
+Signed-off-by: Bolarinwa Olayemi Saheed <refactormyself@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/iwlegacy/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c
+index 544ab3750ea6e..c56febdae1349 100644
+--- a/drivers/net/wireless/iwlegacy/common.c
++++ b/drivers/net/wireless/iwlegacy/common.c
+@@ -4294,8 +4294,8 @@ il_apm_init(struct il_priv *il)
+        *    power savings, even without L1.
+        */
+       if (il->cfg->set_l0s) {
+-              pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl);
+-              if (lctl & PCI_EXP_LNKCTL_ASPM_L1) {
++              ret = pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl);
++              if (!ret && (lctl & PCI_EXP_LNKCTL_ASPM_L1)) {
+                       /* L1-ASPM enabled; disable(!) L0S  */
+                       il_set_bit(il, CSR_GIO_REG,
+                                  CSR_GIO_REG_VAL_L0S_ENABLED);
+-- 
+2.25.1
+
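Review bot: In `il_apm_init()` a failed `pcie_capability_read_word()` now silently takes whatever path follows the `if`, and `ret` may keep a positive PCIBIOS_* code from the accessor rather than a negative errno. The rest of the function is outside the hunk, so it is not visible whether `ret` is reassigned before it is returned; if it is not, convert it with `pcibios_err_to_errno(ret)`. A one-line comment above the test, such as `/* read failed: treat L1-ASPM as not enabled */`, would record that the fall-through is deliberate.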
diff --git a/queue-4.4/leds-lm355x-avoid-enum-conversion-warning.patch b/queue-4.4/leds-lm355x-avoid-enum-conversion-warning.patch
new file mode 100644 (file)
index 0000000..5c36c55
--- /dev/null
@@ -0,0 +1,60 @@
+From 66280f4d6ac6d8e92679a6ddb768bb5f4b91072e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 16:19:17 +0200
+Subject: leds: lm355x: avoid enum conversion warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ]
+
+clang points out that doing arithmetic between diffent enums is usually
+a mistake:
+
+drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion]
+                reg_val = pdata->pin_tx2 | pdata->ntc_pin;
+                          ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
+drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion]
+                reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode;
+                          ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
+
+In this driver, it is intentional, so add a cast to hide the false-positive
+warning. It appears to be the only instance of this warning at the moment.
+
+Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lm355x.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/leds/leds-lm355x.c b/drivers/leds/leds-lm355x.c
+index 48872997d6b4b..533b255c27cd6 100644
+--- a/drivers/leds/leds-lm355x.c
++++ b/drivers/leds/leds-lm355x.c
+@@ -177,18 +177,19 @@ static int lm355x_chip_init(struct lm355x_chip_data *chip)
+       /* input and output pins configuration */
+       switch (chip->type) {
+       case CHIP_LM3554:
+-              reg_val = pdata->pin_tx2 | pdata->ntc_pin;
++              reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin;
+               ret = regmap_update_bits(chip->regmap, 0xE0, 0x28, reg_val);
+               if (ret < 0)
+                       goto out;
+-              reg_val = pdata->pass_mode;
++              reg_val = (u32)pdata->pass_mode;
+               ret = regmap_update_bits(chip->regmap, 0xA0, 0x04, reg_val);
+               if (ret < 0)
+                       goto out;
+               break;
+       case CHIP_LM3556:
+-              reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode;
++              reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin |
++                        (u32)pdata->pass_mode;
+               ret = regmap_update_bits(chip->regmap, 0x0A, 0xC4, reg_val);
+               if (ret < 0)
+                       goto out;
+-- 
+2.25.1
+
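Review bot: The `(u32)` casts in `lm355x_chip_init()` carry no explanation in the code, so a later cleanup could drop them and bring the clang warning back. A short comment above the first assignment would do, for example `/* pin_tx2, ntc_pin and pass_mode are separate enums OR-ed into register values on purpose; the casts silence -Wenum-enum-conversion */`. The function body starts and ends outside the hunk.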
diff --git a/queue-4.4/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch b/queue-4.4/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch
new file mode 100644 (file)
index 0000000..964f835
--- /dev/null
@@ -0,0 +1,70 @@
+From 044a76cfbf25014015994fc8001e44082744f42b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 May 2020 09:12:13 +1000
+Subject: m68k: mac: Don't send IOP message until channel is idle
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ]
+
+In the following sequence of calls, iop_do_send() gets called when the
+"send" channel is not in the IOP_MSG_IDLE state:
+
+       iop_ism_irq()
+               iop_handle_send()
+                       (msg->handler)()
+                               iop_send_message()
+                       iop_do_send()
+
+Avoid this by testing the channel state before calling iop_do_send().
+
+When sending, and iop_send_queue is empty, call iop_do_send() because
+the channel is idle. If iop_send_queue is not empty, iop_do_send() will
+get called later by iop_handle_send().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Cc: Joshua Thompson <funaho@jurai.org>
+Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/mac/iop.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c
+index 4d2adfb32a2ab..c89ed66908f91 100644
+--- a/arch/m68k/mac/iop.c
++++ b/arch/m68k/mac/iop.c
+@@ -416,7 +416,8 @@ static void iop_handle_send(uint iop_num, uint chan)
+       iop_free_msg(msg2);
+       iop_send_queue[iop_num][chan] = msg;
+-      if (msg) iop_do_send(msg);
++      if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE)
++              iop_do_send(msg);
+ }
+ /*
+@@ -497,16 +498,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata,
+       if (!(q = iop_send_queue[iop_num][chan])) {
+               iop_send_queue[iop_num][chan] = msg;
++              iop_do_send(msg);
+       } else {
+               while (q->next) q = q->next;
+               q->next = msg;
+       }
+-      if (iop_readb(iop_base[iop_num],
+-          IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) {
+-              iop_do_send(msg);
+-      }
+-
+       return 0;
+ }
+-- 
+2.25.1
+
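Review bot: `iop_send_message()` now calls `iop_do_send(msg)` on an empty queue without reading the channel state, so correctness rests on the invariant that an empty `iop_send_queue[iop_num][chan]` means the channel is `IOP_MSG_IDLE`. That invariant is stated only in the commit message; put it in the code, e.g. `/* queue empty implies the send channel is idle */` above the call. The hunk also shows no interrupt masking around the queue test and append, while `iop_handle_send()` updates the same queue from the interrupt path. It is worth confirming, outside the hunk, that callers cannot race with `iop_ism_irq()`.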
diff --git a/queue-4.4/m68k-mac-fix-iop-status-control-register-writes.patch b/queue-4.4/m68k-mac-fix-iop-status-control-register-writes.patch
new file mode 100644 (file)
index 0000000..3ee63c9
--- /dev/null
@@ -0,0 +1,79 @@
+From 3b09500b8bb33ff470906689cf57be722578e029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 May 2020 09:12:13 +1000
+Subject: m68k: mac: Fix IOP status/control register writes
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ]
+
+When writing values to the IOP status/control register make sure those
+values do not have any extraneous bits that will clear interrupt flags.
+
+To place the SCC IOP into bypass mode would be desirable but this is not
+achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS
+to the control register. Drop this ineffective register write.
+
+Remove the flawed and unused iop_bypass() function. Make use of the
+unused iop_stop() function.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Cc: Joshua Thompson <funaho@jurai.org>
+Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/mac/iop.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c
+index c89ed66908f91..358ca965cf824 100644
+--- a/arch/m68k/mac/iop.c
++++ b/arch/m68k/mac/iop.c
+@@ -173,7 +173,7 @@ static __inline__ void iop_writeb(volatile struct mac_iop *iop, __u16 addr, __u8
+ static __inline__ void iop_stop(volatile struct mac_iop *iop)
+ {
+-      iop->status_ctrl &= ~IOP_RUN;
++      iop->status_ctrl = IOP_AUTOINC;
+ }
+ static __inline__ void iop_start(volatile struct mac_iop *iop)
+@@ -181,14 +181,9 @@ static __inline__ void iop_start(volatile struct mac_iop *iop)
+       iop->status_ctrl = IOP_RUN | IOP_AUTOINC;
+ }
+-static __inline__ void iop_bypass(volatile struct mac_iop *iop)
+-{
+-      iop->status_ctrl |= IOP_BYPASS;
+-}
+-
+ static __inline__ void iop_interrupt(volatile struct mac_iop *iop)
+ {
+-      iop->status_ctrl |= IOP_IRQ;
++      iop->status_ctrl = IOP_IRQ | IOP_RUN | IOP_AUTOINC;
+ }
+ static int iop_alive(volatile struct mac_iop *iop)
+@@ -239,7 +234,6 @@ void __init iop_preinit(void)
+               } else {
+                       iop_base[IOP_NUM_SCC] = (struct mac_iop *) SCC_IOP_BASE_QUADRA;
+               }
+-              iop_base[IOP_NUM_SCC]->status_ctrl = 0x87;
+               iop_scc_present = 1;
+       } else {
+               iop_base[IOP_NUM_SCC] = NULL;
+@@ -251,7 +245,7 @@ void __init iop_preinit(void)
+               } else {
+                       iop_base[IOP_NUM_ISM] = (struct mac_iop *) ISM_IOP_BASE_QUADRA;
+               }
+-              iop_base[IOP_NUM_ISM]->status_ctrl = 0;
++              iop_stop(iop_base[IOP_NUM_ISM]);
+               iop_ism_present = 1;
+       } else {
+               iop_base[IOP_NUM_ISM] = NULL;
+-- 
+2.25.1
+
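Review bot: `iop_interrupt()` now stores `IOP_IRQ | IOP_RUN | IOP_AUTOINC` outright, so it sets `IOP_RUN` whatever the previous state was; a call on an IOP that had been stopped with `iop_stop()` would start it. Its callers are outside the hunk, so this may never happen, but the assumption deserves a comment. The reason for replacing `|=` and `&=` with plain stores also lives only in the commit message. A line above `iop_stop()` such as `/* writing back set interrupt flag bits clears them: never read-modify-write status_ctrl */` would keep a later edit from reintroducing the bug.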
diff --git a/queue-4.4/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch b/queue-4.4/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch
new file mode 100644 (file)
index 0000000..97ec8cb
--- /dev/null
@@ -0,0 +1,38 @@
+From d17d04cdb76f99c5af7813764ff18764b3ec374b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 08:41:47 +0200
+Subject: media: exynos4-is: Add missed check for pinctrl_lookup_state()
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ]
+
+fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state().
+Add the missed check to fix it.
+
+Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/media-dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
+index 4f5586a4cbffa..31cc7d94064e3 100644
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -1172,6 +1172,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd)
+       pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl,
+                                       PINCTRL_STATE_IDLE);
++      if (IS_ERR(pctl->state_idle))
++              return PTR_ERR(pctl->state_idle);
++
+       return 0;
+ }
+-- 
+2.25.1
+
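Review bot: The added check in `fimc_md_get_pinctrl()` turns a missing idle pinctrl state into a hard error, so a board whose device tree defines only the default state would now fail where it previously continued. Whether the idle state is optional is not visible in this hunk; check the DT binding and the users of `pctl->state_idle` before making it mandatory. If it is optional, keep the lookup non-fatal and have the users test it, e.g. `if (!IS_ERR(pctl->state_idle))` before selecting the state.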
diff --git a/queue-4.4/media-firewire-using-uninitialized-values-in-node_pr.patch b/queue-4.4/media-firewire-using-uninitialized-values-in-node_pr.patch
new file mode 100644 (file)
index 0000000..e5c84af
--- /dev/null
@@ -0,0 +1,40 @@
+From ddfb0401f47f5c06f1a5f0fc21f049fabe7e0406 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 16:40:22 +0200
+Subject: media: firewire: Using uninitialized values in node_probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ]
+
+If fw_csr_string() returns -ENOENT, then "name" is uninitialized.  So
+then the "strlen(model_names[i]) <= name_len" is true because strlen()
+is unsigned and -ENOENT is type promoted to a very high positive value.
+Then the "strncmp(name, model_names[i], name_len)" uses uninitialized
+data because "name" is uninitialized.
+
+Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/firewire/firedtv-fw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c
+index 247f0e7cb5f7f..5d634706a7eaa 100644
+--- a/drivers/media/firewire/firedtv-fw.c
++++ b/drivers/media/firewire/firedtv-fw.c
+@@ -271,6 +271,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
+       name_len = fw_csr_string(unit->directory, CSR_MODEL,
+                                name, sizeof(name));
++      if (name_len < 0)
++              return name_len;
+       for (i = ARRAY_SIZE(model_names); --i; )
+               if (strlen(model_names[i]) <= name_len &&
+                   strncmp(name, model_names[i], name_len) == 0)
+-- 
+2.25.1
+
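Review bot: The new `return name_len;` in `node_probe()` leaves the function directly, bypassing any cleanup for work done earlier in the function. The start of `node_probe()` is outside the hunk, so check whether anything has been allocated or registered before the `fw_csr_string()` call. If so, set the error and jump to the function's existing failure label instead of returning, or move the `fw_csr_string()` call ahead of the allocation. The comparison `strlen(model_names[i]) <= name_len` still mixes `size_t` with a signed `int`; it is safe only because of the new guard, which a comment should say.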
diff --git a/queue-4.4/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch b/queue-4.4/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch
new file mode 100644 (file)
index 0000000..fca47aa
--- /dev/null
@@ -0,0 +1,49 @@
+From 66412891a5c4ee738993acecd666d9419003028c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2020 18:41:22 +0200
+Subject: media: omap3isp: Add missed v4l2_ctrl_handler_free() for
+ preview_init_entities()
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ]
+
+preview_init_entities() does not call v4l2_ctrl_handler_free() when
+it fails.
+Add the missed function to fix it.
+
+Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/isppreview.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c
+index c9e8845de1b1d..c3336a2cbe145 100644
+--- a/drivers/media/platform/omap3isp/isppreview.c
++++ b/drivers/media/platform/omap3isp/isppreview.c
+@@ -2285,7 +2285,7 @@ static int preview_init_entities(struct isp_prev_device *prev)
+       me->ops = &preview_media_ops;
+       ret = media_entity_init(me, PREV_PADS_NUM, pads, 0);
+       if (ret < 0)
+-              return ret;
++              goto error_handler_free;
+       preview_init_formats(sd, NULL);
+@@ -2331,6 +2331,8 @@ static int preview_init_entities(struct isp_prev_device *prev)
+       omap3isp_video_cleanup(&prev->video_in);
+ error_video_in:
+       media_entity_cleanup(&prev->subdev.entity);
++error_handler_free:
++      v4l2_ctrl_handler_free(&prev->ctrls);
+       return ret;
+ }
+-- 
+2.25.1
+
diff --git a/queue-4.4/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch b/queue-4.4/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch
new file mode 100644 (file)
index 0000000..590dd00
--- /dev/null
@@ -0,0 +1,83 @@
+From c58951e0720f1c8a109941b40f99bedc923e936c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 16:46:10 -0700
+Subject: mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ]
+
+A large process running on a heavily loaded system can encounter the
+following RCU CPU stall warning:
+
+  rcu: INFO: rcu_sched self-detected stall on CPU
+  rcu:         3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190
+       (t=21013 jiffies g=1005461 q=132576)
+  NMI backtrace for cpu 3
+  CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1
+  Hardware name: Wiwynn   HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016
+  Call Trace:
+   <IRQ>
+   dump_stack+0x46/0x60
+   nmi_cpu_backtrace.cold.3+0x13/0x50
+   ? lapic_can_unplug_cpu.cold.27+0x34/0x34
+   nmi_trigger_cpumask_backtrace+0xba/0xca
+   rcu_dump_cpu_stacks+0x99/0xc7
+   rcu_sched_clock_irq.cold.87+0x1aa/0x397
+   ? tick_sched_do_timer+0x60/0x60
+   update_process_times+0x28/0x60
+   tick_sched_timer+0x37/0x70
+   __hrtimer_run_queues+0xfe/0x270
+   hrtimer_interrupt+0xf4/0x210
+   smp_apic_timer_interrupt+0x5e/0x120
+   apic_timer_interrupt+0xf/0x20
+   </IRQ>
+  RIP: 0010:kmem_cache_free+0x223/0x300
+  Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65
+  RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
+  RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030
+  RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18
+  RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff
+  R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f
+  R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00
+   ? remove_vma+0x4f/0x60
+   remove_vma+0x4f/0x60
+   exit_mmap+0xd6/0x160
+   mmput+0x4a/0x110
+   do_exit+0x278/0xae0
+   ? syscall_trace_enter+0x1d3/0x2b0
+   ? handle_mm_fault+0xaa/0x1c0
+   do_group_exit+0x3a/0xa0
+   __x64_sys_exit_group+0x14/0x20
+   do_syscall_64+0x42/0x100
+   entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run
+for a very long time given a large process.  This commit therefore adds
+a cond_resched() to this loop, providing RCU any needed quiescent states.
+
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: <linux-mm@kvack.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/mmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index a24e424770012..135cccce41f88 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2954,6 +2954,7 @@ void exit_mmap(struct mm_struct *mm)
+               if (vma->vm_flags & VM_ACCOUNT)
+                       nr_accounted += vma_pages(vma);
+               vma = remove_vma(vma);
++              cond_resched();
+       }
+       vm_unacct_memory(nr_accounted);
+ }
+-- 
+2.25.1
+
diff --git a/queue-4.4/mwifiex-prevent-memory-corruption-handling-keys.patch b/queue-4.4/mwifiex-prevent-memory-corruption-handling-keys.patch
new file mode 100644 (file)
index 0000000..abea71e
--- /dev/null
@@ -0,0 +1,82 @@
+From 721e7a5b23bc002087cba24f32f514a243430721 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 14:58:57 +0300
+Subject: mwifiex: Prevent memory corruption handling keys
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ]
+
+The length of the key comes from the network and it's a 16 bit number.  It
+needs to be capped to prevent a buffer overflow.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mwifiex/sta_cmdresp.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mwifiex/sta_cmdresp.c b/drivers/net/wireless/mwifiex/sta_cmdresp.c
+index 9ac7aa2431b41..9e3853c8a22da 100644
+--- a/drivers/net/wireless/mwifiex/sta_cmdresp.c
++++ b/drivers/net/wireless/mwifiex/sta_cmdresp.c
+@@ -592,6 +592,11 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv,
+ {
+       struct host_cmd_ds_802_11_key_material *key =
+                                               &resp->params.key_material;
++      int len;
++
++      len = le16_to_cpu(key->key_param_set.key_len);
++      if (len > sizeof(key->key_param_set.key))
++              return -EINVAL;
+       if (le16_to_cpu(key->action) == HostCmd_ACT_GEN_SET) {
+               if ((le16_to_cpu(key->key_param_set.key_info) & KEY_MCAST)) {
+@@ -605,9 +610,8 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv,
+       memset(priv->aes_key.key_param_set.key, 0,
+              sizeof(key->key_param_set.key));
+-      priv->aes_key.key_param_set.key_len = key->key_param_set.key_len;
+-      memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key,
+-             le16_to_cpu(priv->aes_key.key_param_set.key_len));
++      priv->aes_key.key_param_set.key_len = cpu_to_le16(len);
++      memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len);
+       return 0;
+ }
+@@ -622,9 +626,14 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+                                             struct host_cmd_ds_command *resp)
+ {
+       struct host_cmd_ds_802_11_key_material_v2 *key_v2;
+-      __le16 len;
++      int len;
+       key_v2 = &resp->params.key_material_v2;
++
++      len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
++      if (len > WLAN_KEY_LEN_CCMP)
++              return -EINVAL;
++
+       if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
+               if ((le16_to_cpu(key_v2->key_param_set.key_info) & KEY_MCAST)) {
+                       mwifiex_dbg(priv->adapter, INFO, "info: key: GTK is set\n");
+@@ -640,10 +649,9 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+       memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
+              WLAN_KEY_LEN_CCMP);
+       priv->aes_key_v2.key_param_set.key_params.aes.key_len =
+-                              key_v2->key_param_set.key_params.aes.key_len;
+-      len = priv->aes_key_v2.key_param_set.key_params.aes.key_len;
++                              cpu_to_le16(len);
+       memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
+-             key_v2->key_param_set.key_params.aes.key, le16_to_cpu(len));
++             key_v2->key_param_set.key_params.aes.key, len);
+       return 0;
+ }
+-- 
+2.25.1
+
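Review bot: In `mwifiex_ret_802_11_key_material_v2()` the new length check reads `key_params.aes.key_len` at the top of the function, before anything visible in the hunk establishes that the response carries an AES key. If `key_params` overlays several key types (its declaration is not on this page), a valid non-AES response could be rejected with `-EINVAL` because unrelated bytes are read as a length. Placing `if (len > WLAN_KEY_LEN_CCMP) return -EINVAL;` immediately before the `memset()`/`memcpy()` pair ties the bound to the copy it protects. In the v1 handler the bound is taken from the source field, `sizeof(key->key_param_set.key)`, while the write goes to `priv->aes_key.key_param_set.key`; using `sizeof(priv->aes_key.key_param_set.key)` makes the destination bound explicit.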
diff --git a/queue-4.4/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch b/queue-4.4/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch
new file mode 100644 (file)
index 0000000..12dd232
--- /dev/null
@@ -0,0 +1,39 @@
+From 4dccd05e43da7a09af2a1e6c9bf85a4cc9c3aa35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 15:53:33 +0200
+Subject: net: spider_net: Fix the size used in a 'dma_free_coherent()' call
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ]
+
+Update the size used in 'dma_free_coherent()' in order to match the one
+used in the corresponding 'dma_alloc_coherent()', in
+'spider_net_init_chain()'.
+
+Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/spider_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c
+index 8e53211aedd82..53600e28d93b7 100644
+--- a/drivers/net/ethernet/toshiba/spider_net.c
++++ b/drivers/net/ethernet/toshiba/spider_net.c
+@@ -297,8 +297,8 @@ spider_net_free_chain(struct spider_net_card *card,
+               descr = descr->next;
+       } while (descr != chain->ring);
+-      dma_free_coherent(&card->pdev->dev, chain->num_desc,
+-          chain->hwring, chain->dma_addr);
++      dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr),
++                        chain->hwring, chain->dma_addr);
+ }
+ /**
+-- 
+2.25.1
+
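Review bot: The size passed to `dma_free_coherent()` in `spider_net_free_chain()` is now a second hand-written copy of the allocation size, and the two must stay identical for the free to be correct. `spider_net_init_chain()` is outside the hunk; computing the size in one place, through a small helper or an identically named `size_t` local in both functions, would keep the mismatch this commit fixes from coming back. A local such as `size_t size = chain->num_desc * sizeof(struct spider_net_hw_descr);` would also bring the call back under 80 columns.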
diff --git a/queue-4.4/pci-aspm-add-missing-newline-in-sysfs-policy.patch b/queue-4.4/pci-aspm-add-missing-newline-in-sysfs-policy.patch
new file mode 100644 (file)
index 0000000..a813a00
--- /dev/null
@@ -0,0 +1,40 @@
+From 627604268c00456370bdcbb459071c0cca8f7c64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 15:59:25 +0800
+Subject: PCI/ASPM: Add missing newline in sysfs 'policy'
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ]
+
+When I cat ASPM parameter 'policy' by sysfs, it displays as follows.  Add a
+newline for easy reading.  Other sysfs attributes already include a
+newline.
+
+  [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy
+  [default] performance powersave powersupersave [root@localhost ~]#
+
+Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support")
+Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/aspm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
+index 966b6947e5656..a098f8324afd0 100644
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -807,6 +807,7 @@ static int pcie_aspm_get_policy(char *buffer, struct kernel_param *kp)
+                       cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]);
+               else
+                       cnt += sprintf(buffer + cnt, "%s ", policy_str[i]);
++      cnt += sprintf(buffer + cnt, "\n");
+       return cnt;
+ }
+-- 
+2.25.1
+
diff --git a/queue-4.4/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch b/queue-4.4/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch
new file mode 100644 (file)
index 0000000..2b0bd1e
--- /dev/null
@@ -0,0 +1,143 @@
+From 517550f651234b0e27057d8108908f58f07fa357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2020 14:51:43 +0200
+Subject: pinctrl-single: fix pcs_parse_pinconf() return value
+
+From: Drew Fustini <drew@beagleboard.org>
+
+[ Upstream commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f ]
+
+This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no
+pinctrl_map is added.  The current behavior is to return 0 when
+!PCS_HAS_PINCONF or !nconfs.  Thus pcs_parse_one_pinctrl_entry()
+incorrectly assumes that a map was added and sets num_maps = 2.
+
+Analysis:
+=========
+The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf()
+if PCS_HAS_PINCONF is enabled.  The function pcs_parse_pinconf()
+returns 0 to indicate there was no error and num_maps is then set to 2:
+
+ 980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs,
+ 981                                                 struct device_node *np,
+ 982                                                 struct pinctrl_map **map,
+ 983                                                 unsigned *num_maps,
+ 984                                                 const char **pgnames)
+ 985 {
+<snip>
+1053         (*map)->type = PIN_MAP_TYPE_MUX_GROUP;
+1054         (*map)->data.mux.group = np->name;
+1055         (*map)->data.mux.function = np->name;
+1056
+1057         if (PCS_HAS_PINCONF && function) {
+1058                 res = pcs_parse_pinconf(pcs, np, function, map);
+1059                 if (res)
+1060                         goto free_pingroups;
+1061                 *num_maps = 2;
+1062         } else {
+1063                 *num_maps = 1;
+1064         }
+
+However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or
+!nconfs.  I believe these conditions should indicate that no map was
+added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry()
+will set num_maps = 2 even though no maps were successfully added, as
+it does not reach "m++" on line 940:
+
+ 895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
+ 896                              struct pcs_function *func,
+ 897                              struct pinctrl_map **map)
+ 898
+ 899 {
+ 900         struct pinctrl_map *m = *map;
+<snip>
+ 917         /* If pinconf isn't supported, don't parse properties in below. */
+ 918         if (!PCS_HAS_PINCONF)
+ 919                 return 0;
+ 920
+ 921         /* cacluate how much properties are supported in current node */
+ 922         for (i = 0; i < ARRAY_SIZE(prop2); i++) {
+ 923                 if (of_find_property(np, prop2[i].name, NULL))
+ 924                         nconfs++;
+ 925         }
+ 926         for (i = 0; i < ARRAY_SIZE(prop4); i++) {
+ 927                 if (of_find_property(np, prop4[i].name, NULL))
+ 928                         nconfs++;
+ 929         }
+ 930         if (!nconfs)
+ 919                 return 0;
+ 932
+ 933         func->conf = devm_kcalloc(pcs->dev,
+ 934                                   nconfs, sizeof(struct pcs_conf_vals),
+ 935                                   GFP_KERNEL);
+ 936         if (!func->conf)
+ 937                 return -ENOMEM;
+ 938         func->nconfs = nconfs;
+ 939         conf = &(func->conf[0]);
+ 940         m++;
+
+This situtation will cause a boot failure [0] on the BeagleBone Black
+(AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi
+has compatible = "pinconf-single" instead of "pinctrl-single".
+
+The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF
+or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no
+map was added.
+
+Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish
+between -ENOSUPP and other errors.  In the case of -ENOSUPP, num_maps
+is set to 1 as it is valid for pinconf to be enabled and a given pin
+group to not any pinconf properties.
+
+[0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/
+
+Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf")
+Signed-off-by: Drew Fustini <drew@beagleboard.org>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index 73d8d47ea465a..17714793c08e4 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1071,7 +1071,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
+       /* If pinconf isn't supported, don't parse properties in below. */
+       if (!PCS_HAS_PINCONF)
+-              return 0;
++              return -ENOTSUPP;
+       /* cacluate how much properties are supported in current node */
+       for (i = 0; i < ARRAY_SIZE(prop2); i++) {
+@@ -1083,7 +1083,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
+                       nconfs++;
+       }
+       if (!nconfs)
+-              return 0;
++              return -ENOTSUPP;
+       func->conf = devm_kzalloc(pcs->dev,
+                                 sizeof(struct pcs_conf_vals) * nconfs,
+@@ -1196,9 +1196,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs,
+       if (PCS_HAS_PINCONF) {
+               res = pcs_parse_pinconf(pcs, np, function, map);
+-              if (res)
++              if (res == 0)
++                      *num_maps = 2;
++              else if (res == -ENOTSUPP)
++                      *num_maps = 1;
++              else
+                       goto free_pingroups;
+-              *num_maps = 2;
+       } else {
+               *num_maps = 1;
+       }
+-- 
+2.25.1
+
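Review bot: `pcs_parse_pinconf()` now uses `-ENOTSUPP` to mean that no pinconf map entry was added, which is a nothing-to-do outcome rather than a failure, and nothing in the code says so. Add a comment at both `return -ENOTSUPP;` sites or in the function header, e.g. `/* -ENOTSUPP: no pinconf properties; only the mux map is valid */`, so a future caller does not treat it as an error. `-ENOTSUPP` is a kernel-internal code, so it must keep being consumed in `pcs_parse_one_pinctrl_entry()`, as the new `else if` does, and never be returned further up.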
diff --git a/queue-4.4/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch b/queue-4.4/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch
new file mode 100644 (file)
index 0000000..1ed2748
--- /dev/null
@@ -0,0 +1,58 @@
+From 85de1a4905fbae4bb1beddf49b7696b3a8a54848 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jul 2020 12:23:51 -0700
+Subject: power: supply: check if calc_soc succeeded in pm860x_init_battery
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ]
+
+clang static analysis flags this error
+
+88pm860x_battery.c:522:19: warning: Assigned value is
+  garbage or undefined [core.uninitialized.Assign]
+                info->start_soc = soc;
+                                ^ ~~~
+soc is set by calling calc_soc.
+But calc_soc can return without setting soc.
+
+So check the return status and bail similarly to other
+checks in pm860x_init_battery and initialize soc to
+silence the warning.
+
+Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x")
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/88pm860x_battery.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/88pm860x_battery.c b/drivers/power/88pm860x_battery.c
+index 63c57dc82ac1d..4eda5065b5bbc 100644
+--- a/drivers/power/88pm860x_battery.c
++++ b/drivers/power/88pm860x_battery.c
+@@ -436,7 +436,7 @@ static void pm860x_init_battery(struct pm860x_battery_info *info)
+       int ret;
+       int data;
+       int bat_remove;
+-      int soc;
++      int soc = 0;
+       /* measure enable on GPADC1 */
+       data = MEAS1_GP1;
+@@ -499,7 +499,9 @@ static void pm860x_init_battery(struct pm860x_battery_info *info)
+       }
+       mutex_unlock(&info->lock);
+-      calc_soc(info, OCV_MODE_ACTIVE, &soc);
++      ret = calc_soc(info, OCV_MODE_ACTIVE, &soc);
++      if (ret < 0)
++              goto out;
+       data = pm860x_reg_read(info->i2c, PM8607_POWER_UP_LOG);
+       bat_remove = data & BAT_WU_LOG;
+-- 
+2.25.1
+
diff --git a/queue-4.4/powerpc-vdso-fix-vdso-cpu-truncation.patch b/queue-4.4/powerpc-vdso-fix-vdso-cpu-truncation.patch
new file mode 100644 (file)
index 0000000..4b06302
--- /dev/null
@@ -0,0 +1,45 @@
+From 070a941f36fc7d51892f69c7a604ab7f54fd939b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jul 2020 09:37:04 +1000
+Subject: powerpc/vdso: Fix vdso cpu truncation
+
+From: Milton Miller <miltonm@us.ibm.com>
+
+[ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ]
+
+The code in vdso_cpu_init that exposes the cpu and numa node to
+userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means
+that any kernel running on a box with more than 4096 threads (NR_CPUS
+advertises a limit of of 8192 cpus) would expose userspace to two cpu
+contexts running at the same time with the same cpu number.
+
+Note: I'm not aware of any distro shipping a kernel with support for more
+than 4096 threads today, nor of any system image that currently exceeds
+4096 threads. Found via code browsing.
+
+Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu")
+Signed-off-by: Milton Miller <miltonm@us.ibm.com>
+Signed-off-by: Anton Blanchard <anton@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/vdso.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c
+index b457bfa284360..05c17429e5442 100644
+--- a/arch/powerpc/kernel/vdso.c
++++ b/arch/powerpc/kernel/vdso.c
+@@ -702,7 +702,7 @@ int vdso_getcpu_init(void)
+       node = cpu_to_node(cpu);
+       WARN_ON_ONCE(node > 0xffff);
+-      val = (cpu & 0xfff) | ((node & 0xffff) << 16);
++      val = (cpu & 0xffff) | ((node & 0xffff) << 16);
+       mtspr(SPRN_SPRG_VDSO_WRITE, val);
+       get_paca()->sprg_vdso = val;
+-- 
+2.25.1
+
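Review bot: In vdso_getcpu_init() the cpu number is still masked with no diagnostic, while the line just above guards the node with `WARN_ON_ONCE(node > 0xffff)`. Now that the mask is 16 bits wide, a matching `WARN_ON_ONCE(cpu > 0xffff);` before the `val = ...` assignment would make a future overflow of the field visible instead of silently handing userspace a duplicated cpu number. Whatever decodes SPRG_VDSO on the read side is outside this hunk and presumably has to use the same 16-bit split; that is worth confirming for this backport. The function body continues outside the hunk.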
diff --git a/queue-4.4/s390-qeth-don-t-process-empty-bridge-port-events.patch b/queue-4.4/s390-qeth-don-t-process-empty-bridge-port-events.patch
new file mode 100644 (file)
index 0000000..d315f29
--- /dev/null
@@ -0,0 +1,40 @@
+From 59e3864fc0bbd55617c655813654a21e1c7738ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 17:01:20 +0200
+Subject: s390/qeth: don't process empty bridge port events
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+[ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ]
+
+Discard events that don't contain any entries. This shouldn't happen,
+but subsequent code relies on being able to use entry 0. So better
+be safe than accessing garbage.
+
+Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_l2_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
+index 97211f7f0cf02..ed4b0f6e2d6ad 100644
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1669,6 +1669,10 @@ static void qeth_bridge_state_change(struct qeth_card *card,
+       int extrasize;
+       QETH_CARD_TEXT(card, 2, "brstchng");
++      if (qports->num_entries == 0) {
++              QETH_CARD_TEXT(card, 2, "BPempty");
++              return;
++      }
+       if (qports->entry_length != sizeof(struct qeth_sbp_port_entry)) {
+               QETH_CARD_TEXT_(card, 2, "BPsz%04x", qports->entry_length);
+               return;
+-- 
+2.25.1
+
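Review bot: The new `num_entries == 0` guard in qeth_bridge_state_change() has no comment saying why an empty event is refused; the reason is only in the commit message. I would add `/* Later code reads entry 0, so an event with no entries must be dropped here. */` above the check. The hunk also shows no upper bound on `num_entries`. If the code after the hunk sizes an allocation or a copy from it, the value should be checked against the length of the received event; the rest of the function is outside the hunk, so this needs confirming.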
diff --git a/queue-4.4/scsi-cumana_2-fix-different-dev_id-between-request_i.patch b/queue-4.4/scsi-cumana_2-fix-different-dev_id-between-request_i.patch
new file mode 100644 (file)
index 0000000..5107414
--- /dev/null
@@ -0,0 +1,39 @@
+From 2f7689b6af0739c680fe9d7253c7b2b3c3a11111 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jun 2020 22:47:30 +0200
+Subject: scsi: cumana_2: Fix different dev_id between request_irq() and
+ free_irq()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ]
+
+The dev_id used in request_irq() and free_irq() should match.  Use 'info'
+in both cases.
+
+Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/arm/cumana_2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c
+index faa1bee07c8ac..0c83a155ceebc 100644
+--- a/drivers/scsi/arm/cumana_2.c
++++ b/drivers/scsi/arm/cumana_2.c
+@@ -454,7 +454,7 @@ static int cumanascsi2_probe(struct expansion_card *ec,
+       if (info->info.scsi.dma != NO_DMA)
+               free_dma(info->info.scsi.dma);
+-      free_irq(ec->irq, host);
++      free_irq(ec->irq, info);
+  out_release:
+       fas216_release(host);
+-- 
+2.25.1
+
diff --git a/queue-4.4/scsi-eesox-fix-different-dev_id-between-request_irq-.patch b/queue-4.4/scsi-eesox-fix-different-dev_id-between-request_irq-.patch
new file mode 100644 (file)
index 0000000..2742031
--- /dev/null
@@ -0,0 +1,38 @@
+From 16584d17693fe8d457a9e9338391a7e5cc9dab7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jun 2020 06:05:53 +0200
+Subject: scsi: eesox: Fix different dev_id between request_irq() and
+ free_irq()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ]
+
+The dev_id used in request_irq() and free_irq() should match. Use 'info' in
+both cases.
+
+Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/arm/eesox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c
+index a8ad6880dd914..cf01442d91363 100644
+--- a/drivers/scsi/arm/eesox.c
++++ b/drivers/scsi/arm/eesox.c
+@@ -575,7 +575,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id)
+       if (info->info.scsi.dma != NO_DMA)
+               free_dma(info->info.scsi.dma);
+-      free_irq(ec->irq, host);
++      free_irq(ec->irq, info);
+  out_remove:
+       fas216_remove(host);
+-- 
+2.25.1
+
diff --git a/queue-4.4/scsi-mesh-fix-panic-after-host-or-bus-reset.patch b/queue-4.4/scsi-mesh-fix-panic-after-host-or-bus-reset.patch
new file mode 100644 (file)
index 0000000..b8c80fc
--- /dev/null
@@ -0,0 +1,109 @@
+From 5e6358909799aecab2fcca74614ed83dbc699a34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 09:25:51 +1000
+Subject: scsi: mesh: Fix panic after host or bus reset
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ]
+
+Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus
+results in EH measures and a panic:
+
+[   25.499838] mesh: configured for synchronous 5 MB/s
+[   25.787154] mesh: performing initial bus reset...
+[   29.867115] scsi host0: MESH
+[   29.929527] mesh: target 0 synchronous at 3.6 MB/s
+[   29.998763] scsi 0:0:0:0: Direct-Access     CONNER   CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS
+[   31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB)
+[   32.070975] sd 0:0:0:0: [sda] Write Protect is off
+[   32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08
+[   32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
+[   32.332708]  sda: [mac] sda1 sda2 sda3
+[   32.417733] sd 0:0:0:0: [sda] Attached SCSI disk
+... snip ...
+[   76.687067] mesh_abort((ptrval))
+[   76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval)
+[   76.810798]     ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85
+[   76.880720]     dma stat=84e0 cmdptr=1f73d000
+[   76.941387]     phase=4 msgphase=0 conn_tgt=0 data_ptr=24576
+[   77.005567]     dma_st=1 dma_ct=0 n_msgout=0
+[   77.065456]     target 0: req=(ptrval) goes_out=0 saved_ptr=0
+[   77.130512] mesh_abort((ptrval))
+[   77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval)
+[   77.255594]     ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85
+[   77.325778]     dma stat=84e0 cmdptr=1f73d000
+[   77.387239]     phase=4 msgphase=0 conn_tgt=0 data_ptr=24576
+[   77.453665]     dma_st=1 dma_ct=0 n_msgout=0
+[   77.515900]     target 0: req=(ptrval) goes_out=0 saved_ptr=0
+[   77.582902] mesh_host_reset
+[   88.187083] Kernel panic - not syncing: mesh: double DMA start !
+[   88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1
+[   88.323302] Call Trace:
+[   88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable)
+[   88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414
+[   88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70
+[   88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384
+[   88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8
+[   88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178
+[   88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8
+[   88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520
+[   88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8
+[   88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c
+[   89.044112] Rebooting in 180 seconds..
+
+In theory, a panic can happen after a bus or host reset with dma_started
+flag set. Fix this by halting the DMA before reinitializing the host.
+Don't assume that ms->current_req is set when halt_dma() is invoked as it
+may not hold for bus or host reset.
+
+BTW, this particular Conner drive can be made to work by inhibiting
+disconnect/reselect with 'mesh.resel_targets=0'.
+
+Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Paul Mackerras <paulus@ozlabs.org>
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mesh.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mesh.c b/drivers/scsi/mesh.c
+index 555367f002282..18ed4b44bc513 100644
+--- a/drivers/scsi/mesh.c
++++ b/drivers/scsi/mesh.c
+@@ -1044,6 +1044,8 @@ static void handle_error(struct mesh_state *ms)
+               while ((in_8(&mr->bus_status1) & BS1_RST) != 0)
+                       udelay(1);
+               printk("done\n");
++              if (ms->dma_started)
++                      halt_dma(ms);
+               handle_reset(ms);
+               /* request_q is empty, no point in mesh_start() */
+               return;
+@@ -1356,7 +1358,8 @@ static void halt_dma(struct mesh_state *ms)
+                      ms->conn_tgt, ms->data_ptr, scsi_bufflen(cmd),
+                      ms->tgts[ms->conn_tgt].data_goes_out);
+       }
+-      scsi_dma_unmap(cmd);
++      if (cmd)
++              scsi_dma_unmap(cmd);
+       ms->dma_started = 0;
+ }
+@@ -1711,6 +1714,9 @@ static int mesh_host_reset(struct scsi_cmnd *cmd)
+       spin_lock_irqsave(ms->host->host_lock, flags);
++      if (ms->dma_started)
++              halt_dma(ms);
++
+       /* Reset the controller & dbdma channel */
+       out_le32(&md->control, (RUN|PAUSE|FLUSH|WAKE) << 16);   /* stop dma */
+       out_8(&mr->exception, 0xff);    /* clear all exception bits */
+-- 
+2.25.1
+
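Review bot: In halt_dma() the new `if (cmd)` guard needs a comment, because nothing in the visible code says when the command pointer can be NULL; the commit message explains it is the bus or host reset case, where ms->current_req may not be set. Proposed: `/* no current request when called from a bus or host reset */` above the guard. The context line just above still passes `scsi_bufflen(cmd)` to a printk, so the condition enclosing it (outside the hunk) should be confirmed to test cmd as well. The `if (ms->dma_started) halt_dma(ms);` pair is now repeated in handle_error() and mesh_host_reset(); a small helper would keep the two reset paths in step.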
diff --git a/queue-4.4/scsi-powertec-fix-different-dev_id-between-request_i.patch b/queue-4.4/scsi-powertec-fix-different-dev_id-between-request_i.patch
new file mode 100644 (file)
index 0000000..da67f7c
--- /dev/null
@@ -0,0 +1,38 @@
+From 8f3d808230f29dd720588736bf94cbe7fef28eee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jun 2020 05:59:48 +0200
+Subject: scsi: powertec: Fix different dev_id between request_irq() and
+ free_irq()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ]
+
+The dev_id used in request_irq() and free_irq() should match. Use 'info' in
+both cases.
+
+Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/arm/powertec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arm/powertec.c b/drivers/scsi/arm/powertec.c
+index 5e1b73e1b743e..b6724ba9b36e7 100644
+--- a/drivers/scsi/arm/powertec.c
++++ b/drivers/scsi/arm/powertec.c
+@@ -382,7 +382,7 @@ static int powertecscsi_probe(struct expansion_card *ec,
+       if (info->info.scsi.dma != NO_DMA)
+               free_dma(info->info.scsi.dma);
+-      free_irq(ec->irq, host);
++      free_irq(ec->irq, info);
+  out_release:
+       fas216_release(host);
+-- 
+2.25.1
+
index 4c7cd165e9927ff8d2fc9d54ac4b70d5be2636e0..e64cfc41c4361aa8ffae1431104be1c268720b5a 100644 (file)
@@ -54,3 +54,50 @@ smack-fix-use-after-free-in-smk_write_relabel_self.patch
 tracepoint-mark-__tracepoint_string-s-__used.patch
 udp-drop-corrupt-packets-earlier-to-avoid-data-corru.patch
 gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch
+edac-fix-reference-count-leaks.patch
+m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch
+m68k-mac-fix-iop-status-control-register-writes.patch
+arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch
+arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch
+drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch
+bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch
+fs-btrfs-add-cond_resched-for-try_release_extent_map.patch
+drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch
+video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch
+drm-nouveau-fix-multiple-instances-of-reference-coun.patch
+drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch
+mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch
+brcmfmac-to-fix-bss-info-flag-definition-bug.patch
+iwlegacy-check-the-return-value-of-pcie_capability_r.patch
+usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch
+bdc-fix-bug-causing-crash-after-multiple-disconnects.patch
+dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch
+bcache-fix-super-block-seq-numbers-comparision-in-re.patch
+acpica-do-not-increment-operation_region-reference-c.patch
+agp-intel-fix-a-memory-leak-on-module-initialisation.patch
+video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch
+console-newport_con-fix-an-issue-about-leak-related-.patch
+iio-improve-iio_concentration-channel-type-descripti.patch
+leds-lm355x-avoid-enum-conversion-warning.patch
+media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch
+scsi-cumana_2-fix-different-dev_id-between-request_i.patch
+cxl-fix-kobject-memleak.patch
+drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch
+scsi-powertec-fix-different-dev_id-between-request_i.patch
+scsi-eesox-fix-different-dev_id-between-request_irq-.patch
+media-firewire-using-uninitialized-values-in-node_pr.patch
+media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch
+drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch
+mwifiex-prevent-memory-corruption-handling-keys.patch
+powerpc-vdso-fix-vdso-cpu-truncation.patch
+pci-aspm-add-missing-newline-in-sysfs-policy.patch
+usb-dwc2-fix-error-path-in-gadget-registration.patch
+scsi-mesh-fix-panic-after-host-or-bus-reset.patch
+smack-fix-another-vsscanf-out-of-bounds.patch
+smack-prevent-underflow-in-smk_set_cipso.patch
+power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch
+s390-qeth-don-t-process-empty-bridge-port-events.patch
+wl1251-fix-always-return-0-error.patch
+net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch
+dlm-fix-kobject-memleak.patch
+pinctrl-single-fix-pcs_parse_pinconf-return-value.patch
diff --git a/queue-4.4/smack-fix-another-vsscanf-out-of-bounds.patch b/queue-4.4/smack-fix-another-vsscanf-out-of-bounds.patch
new file mode 100644 (file)
index 0000000..9923705
--- /dev/null
@@ -0,0 +1,39 @@
+From e4721b5df563005e6f4bc446c24ef9d3cacfcdb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 18:22:19 +0300
+Subject: Smack: fix another vsscanf out of bounds
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ]
+
+This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in
+vsscanf") where we added a bounds check on "rule".
+
+Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com
+Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index bd4d0f5a79aa3..2e2ef3a525ecb 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -939,6 +939,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+       for (i = 0; i < catlen; i++) {
+               rule += SMK_DIGITLEN;
++              if (rule > data + count) {
++                      rc = -EOVERFLOW;
++                      goto out;
++              }
+               ret = sscanf(rule, "%u", &cat);
+               if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
+                       goto out;
+-- 
+2.25.1
+
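Review bot: The added check `rule > data + count` in smk_set_cipso() still lets `rule == data + count` through, so the sscanf() on the next line reads the byte at `data[count]`. That is in bounds only if the buffer was allocated with one extra byte and NUL-terminated, which happens outside this hunk and should be confirmed for the 4.4 tree. If it holds, record it with `/* data[count] is the terminating NUL, so rule may equal data + count */`; if it does not, the comparison has to be `>=`.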
diff --git a/queue-4.4/smack-prevent-underflow-in-smk_set_cipso.patch b/queue-4.4/smack-prevent-underflow-in-smk_set_cipso.patch
new file mode 100644 (file)
index 0000000..336f3d7
--- /dev/null
@@ -0,0 +1,36 @@
+From e4d4c1ace30718305318b03a8b7580a566be6926 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 18:23:05 +0300
+Subject: Smack: prevent underflow in smk_set_cipso()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ]
+
+We have an upper bound on "maplevel" but forgot to check for negative
+values.
+
+Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 2e2ef3a525ecb..df082648eb0aa 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -918,7 +918,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+       }
+       ret = sscanf(rule, "%d", &maplevel);
+-      if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
++      if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL)
+               goto out;
+       rule += SMK_DIGITLEN;
+-- 
+2.25.1
+
diff --git a/queue-4.4/usb-dwc2-fix-error-path-in-gadget-registration.patch b/queue-4.4/usb-dwc2-fix-error-path-in-gadget-registration.patch
new file mode 100644 (file)
index 0000000..97b23a6
--- /dev/null
@@ -0,0 +1,97 @@
+From cbeb649a6eda8e5f0b08721cd89aac193dd44c38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jul 2020 14:09:48 +0200
+Subject: usb: dwc2: Fix error path in gadget registration
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ]
+
+When gadget registration fails, one should not call usb_del_gadget_udc().
+Ensure this by setting gadget->udc to NULL. Also in case of a failure
+there is no need to disable low-level hardware, so return immiedetly
+instead of jumping to error_init label.
+
+This fixes the following kernel NULL ptr dereference on gadget failure
+(can be easily triggered with g_mass_storage without any module
+parameters):
+
+dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1
+dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024
+dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM
+Mass Storage Function, version: 2009/09/11
+LUN: removable file: (no medium)
+no file given for LUN0
+g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22
+8<--- cut here ---
+Unable to handle kernel NULL pointer dereference at virtual address 00000104
+pgd = (ptrval)
+[00000104] *pgd=00000000
+Internal error: Oops: 805 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133
+Hardware name: Samsung Exynos (Flattened Device Tree)
+Workqueue: events deferred_probe_work_func
+PC is at usb_del_gadget_udc+0x38/0xc4
+LR is at __mutex_lock+0x31c/0xb18
+...
+Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval))
+Stack: (0xef121db0 to 0xef122000)
+...
+[<c076bf3c>] (usb_del_gadget_udc) from [<c0726bec>] (dwc2_hsotg_remove+0x10/0x20)
+[<c0726bec>] (dwc2_hsotg_remove) from [<c0711208>] (dwc2_driver_probe+0x57c/0x69c)
+[<c0711208>] (dwc2_driver_probe) from [<c06247c0>] (platform_drv_probe+0x6c/0xa4)
+[<c06247c0>] (platform_drv_probe) from [<c0621df4>] (really_probe+0x200/0x48c)
+[<c0621df4>] (really_probe) from [<c06221e8>] (driver_probe_device+0x78/0x1fc)
+[<c06221e8>] (driver_probe_device) from [<c061fcd4>] (bus_for_each_drv+0x74/0xb8)
+[<c061fcd4>] (bus_for_each_drv) from [<c0621b54>] (__device_attach+0xd4/0x16c)
+[<c0621b54>] (__device_attach) from [<c0620c98>] (bus_probe_device+0x88/0x90)
+[<c0620c98>] (bus_probe_device) from [<c06211b0>] (deferred_probe_work_func+0x3c/0xd0)
+[<c06211b0>] (deferred_probe_work_func) from [<c0149280>] (process_one_work+0x234/0x7dc)
+[<c0149280>] (process_one_work) from [<c014986c>] (worker_thread+0x44/0x51c)
+[<c014986c>] (worker_thread) from [<c0150b1c>] (kthread+0x158/0x1a0)
+[<c0150b1c>] (kthread) from [<c0100114>] (ret_from_fork+0x14/0x20)
+Exception stack(0xef121fb0 to 0xef121ff8)
+...
+---[ end trace 9724c2fc7cc9c982 ]---
+
+While fixing this also fix the double call to dwc2_lowlevel_hw_disable()
+if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level
+hardware is already disabled before calling usb_add_gadget_udc(). That
+function correctly preserves low-level hardware state, there is no need
+for the second unconditional dwc2_lowlevel_hw_disable() call.
+
+Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver")
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/platform.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
+index 5e554b1d5a8f9..d9fafd6a7927f 100644
+--- a/drivers/usb/dwc2/platform.c
++++ b/drivers/usb/dwc2/platform.c
+@@ -458,6 +458,7 @@ static int dwc2_driver_probe(struct platform_device *dev)
+       if (hsotg->gadget_enabled) {
+               retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget);
+               if (retval) {
++                      hsotg->gadget.udc = NULL;
+                       dwc2_hsotg_remove(hsotg);
+                       goto error;
+               }
+@@ -466,7 +467,8 @@ static int dwc2_driver_probe(struct platform_device *dev)
+       return 0;
+ error:
+-      dwc2_lowlevel_hw_disable(hsotg);
++      if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL)
++              dwc2_lowlevel_hw_disable(hsotg);
+       return retval;
+ }
+-- 
+2.25.1
+
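Review bot: `hsotg->gadget.udc = NULL;` in dwc2_driver_probe() writes a field that belongs to the UDC core, and the line carries no comment explaining why. Per the commit message it exists so that dwc2_hsotg_remove() does not end up calling usb_del_gadget_udc() for a gadget whose registration failed; I would say that in place: `/* registration failed: keep dwc2_hsotg_remove() away from usb_del_gadget_udc() */`. The commit message also says the failure path returns immediately, whereas the code here still does `goto error` and relies on the new `dr_mode` test, so the description and the code should be brought into agreement.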
diff --git a/queue-4.4/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch b/queue-4.4/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch
new file mode 100644 (file)
index 0000000..c085a9a
--- /dev/null
@@ -0,0 +1,42 @@
+From a1a7209b7f4f87b97ae456adfa829b590c358aed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 23:15:58 +0300
+Subject: usb: gadget: net2280: fix memory leak on probe error handling paths
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ]
+
+Driver does not release memory for device on error handling paths in
+net2280_probe() when gadget_release() is not registered yet.
+
+The patch fixes the bug like in other similar drivers.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
+index 3a8d056a5d16b..48dd0da21e2b4 100644
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -3712,8 +3712,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+       return 0;
+ done:
+-      if (dev)
++      if (dev) {
+               net2280_remove(pdev);
++              kfree(dev);
++      }
+       return retval;
+ }
+-- 
+2.25.1
+
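Review bot: The `kfree(dev)` added under `done:` in net2280_probe() runs on every failure path, but the commit message limits the leak to the case where gadget_release() is not registered yet. If any `goto done` is taken after the release callback has been registered, and net2280_remove() then drops the gadget so that the callback frees `dev`, this line would free it a second time. The jumps to `done` are outside the hunk, so this needs checking against the full probe function. A safer shape is to free `dev` directly only on the paths that precede registration (a separate label, or a flag set once the release callback owns the object) and leave later failures to net2280_remove().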
diff --git a/queue-4.4/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch b/queue-4.4/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch
new file mode 100644 (file)
index 0000000..a730f26
--- /dev/null
@@ -0,0 +1,46 @@
+From 5604444e09b84883303411e7988a9837cbabb335 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 22:54:51 +0300
+Subject: video: fbdev: neofb: fix memory leak in neo_scan_monitor()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ]
+
+neofb_probe() calls neo_scan_monitor() that can successfully allocate a
+memory for info->monspecs.modedb and proceed to case 0x03. There it does
+not free the memory and returns -1. neofb_probe() goes to label
+err_scan_monitor, thus, it does not free this memory through calling
+fb_destroy_modedb() as well. We can not go to label err_init_hw since
+neo_scan_monitor() can fail during memory allocation. So, the patch frees
+the memory directly for case 0x03.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/neofb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c
+index db023a97d1eae..e243254a57214 100644
+--- a/drivers/video/fbdev/neofb.c
++++ b/drivers/video/fbdev/neofb.c
+@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info)
+ #else
+               printk(KERN_ERR
+                      "neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n");
++              kfree(info->monspecs.modedb);
+               return -1;
+ #endif
+       default:
+-- 
+2.25.1
+
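Review bot: After the new `kfree(info->monspecs.modedb);` in neo_scan_monitor() the pointer is left dangling in `info->monspecs`. The commit message says neofb_probe() does not call fb_destroy_modedb() on this path today, but any later cleanup that does would free the buffer twice; add `info->monspecs.modedb = NULL;` right after the kfree. Calling `fb_destroy_modedb()` here instead of a bare kfree would also match how the commit message says the probe path releases this buffer. The switch this case belongs to starts and ends outside the hunk.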
diff --git a/queue-4.4/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch b/queue-4.4/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch
new file mode 100644 (file)
index 0000000..45aa1ab
--- /dev/null
@@ -0,0 +1,42 @@
+From d0473aaf1154dc613c2a0275b7d3def85eb6ef16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 00:07:19 +0800
+Subject: video: fbdev: sm712fb: fix an issue about iounmap for a wrong address
+
+From: Dejin Zheng <zhengdejin5@gmail.com>
+
+[ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ]
+
+the sfb->fb->screen_base is not save the value get by iounmap() when
+the chip id is 0x720. so iounmap() for address sfb->fb->screen_base
+is not right.
+
+Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev")
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Cc: Teddy Wang <teddy.wang@siliconmotion.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sm712fb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c
+index 589ac7e754130..c8ee58e0ae3ec 100644
+--- a/drivers/video/fbdev/sm712fb.c
++++ b/drivers/video/fbdev/sm712fb.c
+@@ -1428,6 +1428,8 @@ static int smtc_map_smem(struct smtcfb_info *sfb,
+ static void smtc_unmap_smem(struct smtcfb_info *sfb)
+ {
+       if (sfb && sfb->fb->screen_base) {
++              if (sfb->chip_id == 0x720)
++                      sfb->fb->screen_base -= 0x00200000;
+               iounmap(sfb->fb->screen_base);
+               sfb->fb->screen_base = NULL;
+       }
+-- 
+2.25.1
+
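Review bot: In smtc_unmap_smem() the literal `0x00200000` and the `chip_id == 0x720` test have to mirror whatever offset smtc_map_smem() added to `screen_base`, and that code is outside the hunk. Two copies of a magic number in map and unmap drift easily, and a mismatch hands iounmap() an address the mapping call never returned. A named constant shared by both functions, plus a comment such as `/* undo the offset applied to screen_base when the 0x720 was mapped */`, would tie them together. The guard `sfb && sfb->fb->screen_base` also dereferences `sfb->fb` unchecked, which is only safe if the framebuffer is always allocated before this function is called.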
diff --git a/queue-4.4/wl1251-fix-always-return-0-error.patch b/queue-4.4/wl1251-fix-always-return-0-error.patch
new file mode 100644 (file)
index 0000000..009596f
--- /dev/null
@@ -0,0 +1,38 @@
+From 89c1ab06f6747364f30b4fd96453b38abf557e1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 15:39:39 +0800
+Subject: wl1251: fix always return 0 error
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ]
+
+wl1251_event_ps_report() should not always return 0 because
+wl1251_ps_set_mode() may fail. Change it to return 'ret'.
+
+Fixes: f7ad1eed4d4b ("wl1251: retry power save entry")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/event.c b/drivers/net/wireless/ti/wl1251/event.c
+index c98630394a1a2..26bf3e2b750d6 100644
+--- a/drivers/net/wireless/ti/wl1251/event.c
++++ b/drivers/net/wireless/ti/wl1251/event.c
+@@ -80,7 +80,7 @@ static int wl1251_event_ps_report(struct wl1251 *wl,
+               break;
+       }
+-      return 0;
++      return ret;
+ }
+ static void wl1251_event_mbox_dump(struct event_mailbox *mbox)
+-- 
+2.25.1
+