fixes for 5.3
authorSasha Levin <sashal@kernel.org>
Fri, 6 Dec 2019 21:13:24 +0000 (16:13 -0500)
committerSasha Levin <sashal@kernel.org>
Fri, 6 Dec 2019 21:13:24 +0000 (16:13 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
31 files changed:
queue-5.3/afs-fix-race-in-commit-bulk-status-fetch.patch [new file with mode: 0644]
queue-5.3/aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch [new file with mode: 0644]
queue-5.3/alsa-hda-add-cometlake-s-pci-id.patch [new file with mode: 0644]
queue-5.3/alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch [new file with mode: 0644]
queue-5.3/audit_get_nd-don-t-unlock-parent-too-early.patch [new file with mode: 0644]
queue-5.3/autofs-fix-a-leak-in-autofs_expire_indirect.patch [new file with mode: 0644]
queue-5.3/block-check-bi_size-overflow-before-merge.patch [new file with mode: 0644]
queue-5.3/cgroup-don-t-put-err_ptr-into-fc-root.patch [new file with mode: 0644]
queue-5.3/drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch [new file with mode: 0644]
queue-5.3/ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch [new file with mode: 0644]
queue-5.3/exportfs_decode_fh-negative-pinned-may-become-positi.patch [new file with mode: 0644]
queue-5.3/i2c-core-fix-use-after-free-in-of_i2c_notify.patch [new file with mode: 0644]
queue-5.3/input-cyttsp4_core-fix-use-after-free-bug.patch [new file with mode: 0644]
queue-5.3/iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch [new file with mode: 0644]
queue-5.3/mips-sgi-ip27-fix-exception-handler-replication.patch [new file with mode: 0644]
queue-5.3/net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch [new file with mode: 0644]
queue-5.3/net-hns3-fix-ets-bandwidth-validation-bug.patch [new file with mode: 0644]
queue-5.3/net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch [new file with mode: 0644]
queue-5.3/nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch [new file with mode: 0644]
queue-5.3/perf-core-consistently-fail-fork-on-allocation-failu.patch [new file with mode: 0644]
queue-5.3/ravb-implement-mtu-change-while-device-is-up.patch [new file with mode: 0644]
queue-5.3/rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch [new file with mode: 0644]
queue-5.3/rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch [new file with mode: 0644]
queue-5.3/rdma-hns-correct-the-value-of-srq_desc_size.patch [new file with mode: 0644]
queue-5.3/rsxx-add-missed-destroy_workqueue-calls-in-remove.patch [new file with mode: 0644]
queue-5.3/sched-core-avoid-spurious-lock-dependencies.patch [new file with mode: 0644]
queue-5.3/sched-pelt-fix-update-of-blocked-pelt-ordering.patch [new file with mode: 0644]
queue-5.3/selftests-kvm-fix-build-with-glibc-2.30.patch [new file with mode: 0644]
queue-5.3/series
queue-5.3/x86-resctrl-fix-potential-lockdep-warning.patch [new file with mode: 0644]
queue-5.3/xfrm-release-device-reference-for-invalid-state.patch [new file with mode: 0644]

diff --git a/queue-5.3/afs-fix-race-in-commit-bulk-status-fetch.patch b/queue-5.3/afs-fix-race-in-commit-bulk-status-fetch.patch
new file mode 100644 (file)
index 0000000..ef24fc3
--- /dev/null
@@ -0,0 +1,61 @@
+From d891600f80220e622c0dfefd3c656956c551e859 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 18:41:03 +0000
+Subject: afs: Fix race in commit bulk status fetch
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit a28f239e296767ebf4ec4ae8a9ecb57d0d444b3f ]
+
+When a lookup is done, the afs filesystem will perform a bulk status-fetch
+operation on the requested vnode (file) plus the next 49 other vnodes from
+the directory list (in AFS, directory contents are downloaded as blobs and
+parsed locally).  When the results are received, it will speculatively
+populate the inode cache from the extra data.
+
+However, if the lookup races with another lookup on the same directory, but
+for a different file - one that's in the 49 extra fetches, then if the bulk
+status-fetch operation finishes first, it will try and update the inode
+from the other lookup.
+
+If this other inode is still in the throes of being created, however, this
+will cause an assertion failure in afs_apply_status():
+
+       BUG_ON(test_bit(AFS_VNODE_UNSET, &vnode->flags));
+
+on or about fs/afs/inode.c:175 because it expects data to be there already
+that it can compare to.
+
+Fix this by skipping the update if the inode is being created as the
+creator will presumably set up the inode with the same information.
+
+Fixes: 39db9815da48 ("afs: Fix application of the results of a inline bulk status fetch")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dir.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/afs/dir.c b/fs/afs/dir.c
+index 139b4e3cc9464..f4fdf3eaa5709 100644
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -803,7 +803,12 @@ success:
+                       continue;
+               if (cookie->inodes[i]) {
+-                      afs_vnode_commit_status(&fc, AFS_FS_I(cookie->inodes[i]),
++                      struct afs_vnode *iv = AFS_FS_I(cookie->inodes[i]);
++
++                      if (test_bit(AFS_VNODE_UNSET, &iv->flags))
++                              continue;
++
++                      afs_vnode_commit_status(&fc, iv,
+                                               scb->cb_break, NULL, scb);
+                       continue;
+               }
+-- 
+2.20.1
+
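Review bot: The new `if (test_bit(AFS_VNODE_UNSET, &iv->flags)) continue;` in the `cookie->inodes[i]` branch has no comment, so the reason a status update may be dropped silently is recorded only in the commit message. I would add `/* inode is still being set up by a racing lookup; its creator applies the status itself */` above the test. The test is not visibly ordered against the creator clearing the flag; that looks benign (a late clear only costs one skipped speculative update), but the comment should say so. The enclosing function starts and ends outside the hunk.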
diff --git a/queue-5.3/aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch b/queue-5.3/aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch
new file mode 100644 (file)
index 0000000..f71f9a5
--- /dev/null
@@ -0,0 +1,91 @@
+From da691c3bb533e59afd59b054695dd2786219e0f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2019 05:38:20 +0200
+Subject: aio: Fix io_pgetevents() struct __compat_aio_sigset layout
+
+From: Guillem Jover <guillem@hadrons.org>
+
+[ Upstream commit 97eba80fcca754856d09e048f469db22773bec68 ]
+
+This type is used to pass the sigset_t from userland to the kernel,
+but it was using the kernel native pointer type for the member
+representing the compat userland pointer to the userland sigset_t.
+
+This messes up the layout, and makes the kernel eat up both the
+userland pointer and the size members into the kernel pointer, and
+then reads garbage into the kernel sigsetsize. Which makes the sigset_t
+size consistency check fail, and consequently the syscall always
+returns -EINVAL.
+
+This breaks both libaio and strace on 32-bit userland running on 64-bit
+kernels. And there are apparently no users in the wild of the current
+broken layout (at least according to codesearch.debian.org and a brief
+check over github.com search). So it looks safe to fix this directly
+in the kernel, instead of either letting userland deal with this
+permanently with the additional overhead or trying to make the syscall
+infer what layout userland used, even though this is also being worked
+around in libaio to temporarily cope with kernels that have not yet
+been fixed.
+
+We use a proper compat_uptr_t instead of a compat_sigset_t pointer.
+
+Fixes: 7a074e96dee6 ("aio: implement io_pgetevents")
+Signed-off-by: Guillem Jover <guillem@hadrons.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/aio.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 01e0fb9ae45ae..0d9a559d488c1 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -2179,7 +2179,7 @@ SYSCALL_DEFINE5(io_getevents_time32, __u32, ctx_id,
+ #ifdef CONFIG_COMPAT
+ struct __compat_aio_sigset {
+-      compat_sigset_t __user  *sigmask;
++      compat_uptr_t           sigmask;
+       compat_size_t           sigsetsize;
+ };
+@@ -2193,7 +2193,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents,
+               struct old_timespec32 __user *, timeout,
+               const struct __compat_aio_sigset __user *, usig)
+ {
+-      struct __compat_aio_sigset ksig = { NULL, };
++      struct __compat_aio_sigset ksig = { 0, };
+       struct timespec64 t;
+       bool interrupted;
+       int ret;
+@@ -2204,7 +2204,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents,
+       if (usig && copy_from_user(&ksig, usig, sizeof(ksig)))
+               return -EFAULT;
+-      ret = set_compat_user_sigmask(ksig.sigmask, ksig.sigsetsize);
++      ret = set_compat_user_sigmask(compat_ptr(ksig.sigmask), ksig.sigsetsize);
+       if (ret)
+               return ret;
+@@ -2228,7 +2228,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents_time64,
+               struct __kernel_timespec __user *, timeout,
+               const struct __compat_aio_sigset __user *, usig)
+ {
+-      struct __compat_aio_sigset ksig = { NULL, };
++      struct __compat_aio_sigset ksig = { 0, };
+       struct timespec64 t;
+       bool interrupted;
+       int ret;
+@@ -2239,7 +2239,7 @@ COMPAT_SYSCALL_DEFINE6(io_pgetevents_time64,
+       if (usig && copy_from_user(&ksig, usig, sizeof(ksig)))
+               return -EFAULT;
+-      ret = set_compat_user_sigmask(ksig.sigmask, ksig.sigsetsize);
++      ret = set_compat_user_sigmask(compat_ptr(ksig.sigmask), ksig.sigsetsize);
+       if (ret)
+               return ret;
+-- 
+2.20.1
+
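Review bot: `struct __compat_aio_sigset` is userspace ABI, and nothing in the new code pins its size, so the same kind of member-type slip that caused this bug could come back unnoticed. A compile-time check in one of the compat syscall bodies, `BUILD_BUG_ON(sizeof(struct __compat_aio_sigset) != sizeof(compat_uptr_t) + sizeof(compat_size_t));`, would document the contract, together with a one-line comment on the struct that the layout must match 32-bit userland. This matters for both `io_pgetevents` and `io_pgetevents_time64`, which each copy `sizeof(ksig)` bytes from the user pointer `usig`. Both syscall bodies continue outside the hunks.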
diff --git a/queue-5.3/alsa-hda-add-cometlake-s-pci-id.patch b/queue-5.3/alsa-hda-add-cometlake-s-pci-id.patch
new file mode 100644 (file)
index 0000000..fd3f4cf
--- /dev/null
@@ -0,0 +1,36 @@
+From 871b19d8c5d1b2df9277bde10c1d444d184099e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2019 15:13:49 +0800
+Subject: ALSA: hda: Add Cometlake-S PCI ID
+
+From: Chiou, Cooper <cooper.chiou@intel.com>
+
+[ Upstream commit b73a58549ea37a44434c7afab3c7ad9af210cfd9 ]
+
+Add HD Audio Device PCI ID for the Intel Cometlake-S platform
+
+Signed-off-by: Chiou, Cooper <cooper.chiou@intel.com>
+Link: https://lore.kernel.org/r/20191108071349.12840-1-cooper.chiou@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index e1791d01ccc01..46c2b1022495f 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2428,6 +2428,9 @@ static const struct pci_device_id azx_ids[] = {
+       /* CometLake-H */
+       { PCI_DEVICE(0x8086, 0x06C8),
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
++      /* CometLake-S */
++      { PCI_DEVICE(0x8086, 0xa3f0),
++        .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+       /* Icelake */
+       { PCI_DEVICE(0x8086, 0x34c8),
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+-- 
+2.20.1
+
diff --git a/queue-5.3/alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch b/queue-5.3/alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch
new file mode 100644 (file)
index 0000000..5b81f78
--- /dev/null
@@ -0,0 +1,53 @@
+From adf17c8def113c975c652fac45a04ee1323b801e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 01:17:14 +0800
+Subject: ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
+
+From: paulhsia <paulhsia@chromium.org>
+
+[ Upstream commit f5cdc9d4003a2f66ea57b3edd3e04acc2b1a4439 ]
+
+If the nullity check for `substream->runtime` is outside of the lock
+region, it is possible to have a null runtime in the critical section
+if snd_pcm_detach_substream is called right before the lock.
+
+Signed-off-by: paulhsia <paulhsia@chromium.org>
+Link: https://lore.kernel.org/r/20191112171715.128727-2-paulhsia@chromium.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_lib.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
+index d80041ea4e01c..2236b5e0c1f25 100644
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1782,11 +1782,14 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
+       struct snd_pcm_runtime *runtime;
+       unsigned long flags;
+-      if (PCM_RUNTIME_CHECK(substream))
++      if (snd_BUG_ON(!substream))
+               return;
+-      runtime = substream->runtime;
+       snd_pcm_stream_lock_irqsave(substream, flags);
++      if (PCM_RUNTIME_CHECK(substream))
++              goto _unlock;
++      runtime = substream->runtime;
++
+       if (!snd_pcm_running(substream) ||
+           snd_pcm_update_hw_ptr0(substream, 1) < 0)
+               goto _end;
+@@ -1797,6 +1800,7 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
+ #endif
+  _end:
+       kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
++ _unlock:
+       snd_pcm_stream_unlock_irqrestore(substream, flags);
+ }
+ EXPORT_SYMBOL(snd_pcm_period_elapsed);
+-- 
+2.20.1
+
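Review bot: Moving `PCM_RUNTIME_CHECK(substream)` under `snd_pcm_stream_lock_irqsave()` closes the race only if `snd_pcm_detach_substream()` clears `substream->runtime` while holding the same stream lock, and that is not visible in this hunk. A comment at the check would record the assumption, for example `/* runtime may be cleared by a concurrent detach; only stable under the stream lock */`. The new `_unlock` label correctly bypasses `kill_fasync(&runtime->fasync, SIGIO, POLL_IN);`, but `runtime` is declared without an initialiser, so a short note at the label that `runtime` is unset on that path would keep a later edit from jumping to `_end` instead.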
diff --git a/queue-5.3/audit_get_nd-don-t-unlock-parent-too-early.patch b/queue-5.3/audit_get_nd-don-t-unlock-parent-too-early.patch
new file mode 100644 (file)
index 0000000..5fd4416
--- /dev/null
@@ -0,0 +1,40 @@
+From 8d0853a8997beba71105ab0294a4262c15bbb5c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Nov 2019 13:11:41 -0400
+Subject: audit_get_nd(): don't unlock parent too early
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 69924b89687a2923e88cc42144aea27868913d0e ]
+
+if the child has been negative and just went positive
+under us, we want coherent d_is_positive() and ->d_inode.
+Don't unlock the parent until we'd done that work...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/audit_watch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
+index 1f31c2f1e6fc1..4508d5e0cf696 100644
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -351,12 +351,12 @@ static int audit_get_nd(struct audit_watch *watch, struct path *parent)
+       struct dentry *d = kern_path_locked(watch->path, parent);
+       if (IS_ERR(d))
+               return PTR_ERR(d);
+-      inode_unlock(d_backing_inode(parent->dentry));
+       if (d_is_positive(d)) {
+               /* update watch filter fields */
+               watch->dev = d->d_sb->s_dev;
+               watch->ino = d_backing_inode(d)->i_ino;
+       }
++      inode_unlock(d_backing_inode(parent->dentry));
+       dput(d);
+       return 0;
+ }
+-- 
+2.20.1
+
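Review bot: The relocated `inode_unlock(d_backing_inode(parent->dentry));` has no comment tying it to the `d_is_positive(d)` block, so a later cleanup could easily move the unlock back up and reopen the window. I would add `/* keep the parent locked so d_is_positive() and ->d_inode are read coherently */` above the `if`. The early `return PTR_ERR(d);` path does not unlock; presumably `kern_path_locked()` leaves the parent unlocked on error, which is worth stating next to that return.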
diff --git a/queue-5.3/autofs-fix-a-leak-in-autofs_expire_indirect.patch b/queue-5.3/autofs-fix-a-leak-in-autofs_expire_indirect.patch
new file mode 100644 (file)
index 0000000..6a16b94
--- /dev/null
@@ -0,0 +1,39 @@
+From 09ddebfa8eb22ec34d98c1aa40982af74b8b4d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 00:03:11 -0400
+Subject: autofs: fix a leak in autofs_expire_indirect()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 03ad0d703df75c43f78bd72e16124b5b94a95188 ]
+
+if the second call of should_expire() in there ends up
+grabbing and returning a new reference to dentry, we need
+to drop it before continuing.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/autofs/expire.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/autofs/expire.c b/fs/autofs/expire.c
+index cdff0567aacb3..2d01553a6d586 100644
+--- a/fs/autofs/expire.c
++++ b/fs/autofs/expire.c
+@@ -498,9 +498,10 @@ static struct dentry *autofs_expire_indirect(struct super_block *sb,
+                */
+               how &= ~AUTOFS_EXP_LEAVES;
+               found = should_expire(expired, mnt, timeout, how);
+-              if (!found || found != expired)
+-                      /* Something has changed, continue */
++              if (found != expired) { // something has changed, continue
++                      dput(found);
+                       goto next;
++              }
+               if (expired != dentry)
+                       dput(dentry);
+-- 
+2.20.1
+
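Review bot: The rewritten test `if (found != expired)` now reaches `dput(found)` when `found` is NULL, a case the old `!found ||` clause spelled out; the new code depends on `dput()` accepting NULL. That holds in the kernel, but the comment should say it, for example `/* found may be NULL; dput(NULL) is a no-op */`. The `//` comment also differs from the `/* */` block comment directly above it in the same function. The enclosing loop body continues outside the hunk.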
diff --git a/queue-5.3/block-check-bi_size-overflow-before-merge.patch b/queue-5.3/block-check-bi_size-overflow-before-merge.patch
new file mode 100644 (file)
index 0000000..9180089
--- /dev/null
@@ -0,0 +1,80 @@
+From 217a02cd87bc541baa1f79f5c2a2ca3fc33548e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2019 07:19:58 +0000
+Subject: block: check bi_size overflow before merge
+
+From: Junichi Nomura <j-nomura@ce.jp.nec.com>
+
+[ Upstream commit e3a5d8e386c3fb973fa75f2403622a8f3640ec06 ]
+
+__bio_try_merge_page() may merge a page to bio without bio_full() check
+and cause bi_size overflow.
+
+The overflow typically ends up with sd_init_command() warning on zero
+segment request with call trace like this:
+
+    ------------[ cut here ]------------
+    WARNING: CPU: 2 PID: 1986 at drivers/scsi/scsi_lib.c:1025 scsi_init_io+0x156/0x180
+    CPU: 2 PID: 1986 Comm: kworker/2:1H Kdump: loaded Not tainted 5.4.0-rc7 #1
+    Workqueue: kblockd blk_mq_run_work_fn
+    RIP: 0010:scsi_init_io+0x156/0x180
+    RSP: 0018:ffffa11487663bf0 EFLAGS: 00010246
+    RAX: 00000000002be0a0 RBX: ffff8e6e9ff30118 RCX: 0000000000000000
+    RDX: 00000000ffffffe1 RSI: 0000000000000000 RDI: ffff8e6e9ff30118
+    RBP: ffffa11487663c18 R08: ffffa11487663d28 R09: ffff8e6e9ff30150
+    R10: 0000000000000001 R11: 0000000000000000 R12: ffff8e6e9ff30000
+    R13: 0000000000000001 R14: ffff8e74a1cf1800 R15: ffff8e6e9ff30000
+    FS:  0000000000000000(0000) GS:ffff8e6ea7680000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 00007fff18cf0fe8 CR3: 0000000659f0a001 CR4: 00000000001606e0
+    Call Trace:
+     sd_init_command+0x326/0xb40 [sd_mod]
+     scsi_queue_rq+0x502/0xaa0
+     ? blk_mq_get_driver_tag+0xe7/0x120
+     blk_mq_dispatch_rq_list+0x256/0x5a0
+     ? elv_rb_del+0x24/0x30
+     ? deadline_remove_request+0x7b/0xc0
+     blk_mq_do_dispatch_sched+0xa3/0x140
+     blk_mq_sched_dispatch_requests+0xfb/0x170
+     __blk_mq_run_hw_queue+0x81/0x130
+     blk_mq_run_work_fn+0x1b/0x20
+     process_one_work+0x179/0x390
+     worker_thread+0x4f/0x3e0
+     kthread+0x105/0x140
+     ? max_active_store+0x80/0x80
+     ? kthread_bind+0x20/0x20
+     ret_from_fork+0x35/0x40
+    ---[ end trace f9036abf5af4a4d3 ]---
+    blk_update_request: I/O error, dev sdd, sector 2875552 op 0x1:(WRITE) flags 0x0 phys_seg 0 prio class 0
+    XFS (sdd1): writeback error on sector 2875552
+
+__bio_try_merge_page() should check the overflow before actually doing
+merge.
+
+Fixes: 07173c3ec276c ("block: enable multipage bvecs")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bio.c b/block/bio.c
+index 299a0e7651ec0..31d56e7e2ce05 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -769,7 +769,7 @@ bool __bio_try_merge_page(struct bio *bio, struct page *page,
+       if (WARN_ON_ONCE(bio_flagged(bio, BIO_CLONED)))
+               return false;
+-      if (bio->bi_vcnt > 0) {
++      if (bio->bi_vcnt > 0 && !bio_full(bio, len)) {
+               struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt - 1];
+               if (page_is_mergeable(bv, page, len, off, same_page)) {
+-- 
+2.20.1
+
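Review bot: The added `!bio_full(bio, len)` guard is the only thing between a large `len` and a wrapped `bi_size`, yet the condition carries no comment. I would add `/* bio_full() also rejects a len that would overflow bi_size */` above the `if`, after confirming that `bio_full()` really performs that check, since its body is outside this hunk. When the guard fails the function falls through past the merge block; the rest of `__bio_try_merge_page` is not visible here, so it should be confirmed that this path returns false without touching `*same_page`.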
diff --git a/queue-5.3/cgroup-don-t-put-err_ptr-into-fc-root.patch b/queue-5.3/cgroup-don-t-put-err_ptr-into-fc-root.patch
new file mode 100644 (file)
index 0000000..b49173a
--- /dev/null
@@ -0,0 +1,40 @@
+From 39475ab8f5905b1cb942655a71895fe099c38d0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Nov 2019 11:53:27 -0500
+Subject: cgroup: don't put ERR_PTR() into fc->root
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 630faf81b3e61bcc90dc6d8b497800657d2752a5 ]
+
+the caller of ->get_tree() expects NULL left there on error...
+
+Reported-by: Thibaut Sautereau <thibaut@sautereau.fr>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 8be1da1ebd9a4..f23862fa15146 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2119,11 +2119,12 @@ int cgroup_do_get_tree(struct fs_context *fc)
+               nsdentry = kernfs_node_dentry(cgrp->kn, sb);
+               dput(fc->root);
+-              fc->root = nsdentry;
+               if (IS_ERR(nsdentry)) {
+-                      ret = PTR_ERR(nsdentry);
+                       deactivate_locked_super(sb);
++                      ret = PTR_ERR(nsdentry);
++                      nsdentry = NULL;
+               }
++              fc->root = nsdentry;
+       }
+       if (!ctx->kfc.new_sb_created)
+-- 
+2.20.1
+
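Review bot: After `dput(fc->root);` the field still points at the dentry that was just released until `fc->root = nsdentry;` runs, and in the error branch `deactivate_locked_super(sb)` is called inside that window. Nothing visible in the hunk reads `fc->root` in between, but clearing it at once, `dput(fc->root);` followed by `fc->root = NULL;`, would remove the stale pointer and make the error path obviously safe while keeping the final assignment for the success case. A short comment that the caller of `->get_tree()` expects NULL on error would also help, since that contract is only in the commit message. `cgroup_do_get_tree` continues outside the hunk.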
diff --git a/queue-5.3/drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch b/queue-5.3/drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch
new file mode 100644 (file)
index 0000000..5c2f7c3
--- /dev/null
@@ -0,0 +1,44 @@
+From 5d22fe7118450ff5b51def32fc370c685caea73e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 13:27:25 +0000
+Subject: drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.
+
+From: Yunhao Tian <t123yh@outlook.com>
+
+[ Upstream commit 0b8e7bbde5e7e2c419567e1ee29587dae3b78ee3 ]
+
+The datasheet of V3s (and various other chips) wrote
+that TCON0_DCLK_DIV can be >= 1 if only dclk is used,
+and must >= 6 if dclk1 or dclk2 is used. As currently
+neither dclk1 nor dclk2 is used (no writes to these
+bits), let's set minimal division to 1.
+
+If this minimal division is 6, some common dot clock
+frequencies can't be produced (e.g. 30MHz will not be
+possible and will fallback to 25MHz), which is
+obviously not an expected behaviour.
+
+Signed-off-by: Yunhao Tian <t123yh@outlook.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/linux-arm-kernel/MN2PR08MB57905AD8A00C08DA219377C989760@MN2PR08MB5790.namprd08.prod.outlook.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_tcon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+index df0cc8f46d7bd..3491c4c7659e4 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+@@ -486,7 +486,7 @@ static void sun4i_tcon0_mode_set_rgb(struct sun4i_tcon *tcon,
+       WARN_ON(!tcon->quirks->has_channel_0);
+-      tcon->dclk_min_div = 6;
++      tcon->dclk_min_div = 1;
+       tcon->dclk_max_div = 127;
+       sun4i_tcon0_mode_set_common(tcon, mode);
+-- 
+2.20.1
+
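Review bot: `tcon->dclk_min_div = 1;` is only valid while dclk1 and dclk2 stay unused, and that condition lives in the commit message rather than next to the constant. I would add a comment above the assignment such as `/* divider may be 1 with dclk only; must be at least 6 if dclk1 or dclk2 is ever enabled */` so that a later change enabling those outputs revisits the limit. `sun4i_tcon0_mode_set_rgb` starts and ends outside the hunk.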
diff --git a/queue-5.3/ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch b/queue-5.3/ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch
new file mode 100644 (file)
index 0000000..c74101b
--- /dev/null
@@ -0,0 +1,173 @@
+From 6a92e5c09664cf18c06fd627cc93cb82d06ca3a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Nov 2019 12:07:15 -0500
+Subject: ecryptfs: fix unlink and rmdir in face of underlying fs modifications
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit bcf0d9d4b76976f892154efdfc509b256fd898e8 ]
+
+A problem similar to the one caught in commit 74dd7c97ea2a ("ecryptfs_rename():
+verify that lower dentries are still OK after lock_rename()") exists for
+unlink/rmdir as well.
+
+Instead of playing with dget_parent() of underlying dentry of victim
+and hoping it's the same as underlying dentry of our directory,
+do the following:
+        * find the underlying dentry of victim
+        * find the underlying directory of victim's parent (stable
+since the victim is ecryptfs dentry and inode of its parent is
+held exclusive by the caller).
+        * lock the inode of dentry underlying the victim's parent
+        * check that underlying dentry of victim is still hashed and
+has the right parent - it can be moved, but it can't be moved to/from
+the directory we are holding exclusive.  So while ->d_parent itself
+might not be stable, the result of comparison is.
+
+If the check passes, everything is fine - underlying directory is locked,
+underlying victim is still a child of that directory and we can go ahead
+and feed them to vfs_unlink().  As in the current mainline we need to
+pin the underlying dentry of victim, so that it wouldn't go negative under
+us, but that's the only temporary reference that needs to be grabbed there.
+Underlying dentry of parent won't go away (it's pinned by the parent,
+which is held by caller), so there's no need to grab it.
+
+The same problem (with the same solution) exists for rmdir.  Moreover,
+rename gets simpler and more robust with the same "don't bother with
+dget_parent()" approach.
+
+Fixes: 74dd7c97ea2 "ecryptfs_rename(): verify that lower dentries are still OK after lock_rename()"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ecryptfs/inode.c | 65 ++++++++++++++++++++++++++++-----------------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
+index 0c7ea4596202a..e23752d9a79f3 100644
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -128,13 +128,20 @@ static int ecryptfs_do_unlink(struct inode *dir, struct dentry *dentry,
+                             struct inode *inode)
+ {
+       struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
+-      struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
+       struct dentry *lower_dir_dentry;
++      struct inode *lower_dir_inode;
+       int rc;
+-      dget(lower_dentry);
+-      lower_dir_dentry = lock_parent(lower_dentry);
+-      rc = vfs_unlink(lower_dir_inode, lower_dentry, NULL);
++      lower_dir_dentry = ecryptfs_dentry_to_lower(dentry->d_parent);
++      lower_dir_inode = d_inode(lower_dir_dentry);
++      inode_lock_nested(lower_dir_inode, I_MUTEX_PARENT);
++      dget(lower_dentry);     // don't even try to make the lower negative
++      if (lower_dentry->d_parent != lower_dir_dentry)
++              rc = -EINVAL;
++      else if (d_unhashed(lower_dentry))
++              rc = -EINVAL;
++      else
++              rc = vfs_unlink(lower_dir_inode, lower_dentry, NULL);
+       if (rc) {
+               printk(KERN_ERR "Error in vfs_unlink; rc = [%d]\n", rc);
+               goto out_unlock;
+@@ -142,10 +149,11 @@ static int ecryptfs_do_unlink(struct inode *dir, struct dentry *dentry,
+       fsstack_copy_attr_times(dir, lower_dir_inode);
+       set_nlink(inode, ecryptfs_inode_to_lower(inode)->i_nlink);
+       inode->i_ctime = dir->i_ctime;
+-      d_drop(dentry);
+ out_unlock:
+-      unlock_dir(lower_dir_dentry);
+       dput(lower_dentry);
++      inode_unlock(lower_dir_inode);
++      if (!rc)
++              d_drop(dentry);
+       return rc;
+ }
+@@ -519,22 +527,30 @@ static int ecryptfs_rmdir(struct inode *dir, struct dentry *dentry)
+ {
+       struct dentry *lower_dentry;
+       struct dentry *lower_dir_dentry;
++      struct inode *lower_dir_inode;
+       int rc;
+       lower_dentry = ecryptfs_dentry_to_lower(dentry);
+-      dget(dentry);
+-      lower_dir_dentry = lock_parent(lower_dentry);
+-      dget(lower_dentry);
+-      rc = vfs_rmdir(d_inode(lower_dir_dentry), lower_dentry);
+-      dput(lower_dentry);
+-      if (!rc && d_really_is_positive(dentry))
++      lower_dir_dentry = ecryptfs_dentry_to_lower(dentry->d_parent);
++      lower_dir_inode = d_inode(lower_dir_dentry);
++
++      inode_lock_nested(lower_dir_inode, I_MUTEX_PARENT);
++      dget(lower_dentry);     // don't even try to make the lower negative
++      if (lower_dentry->d_parent != lower_dir_dentry)
++              rc = -EINVAL;
++      else if (d_unhashed(lower_dentry))
++              rc = -EINVAL;
++      else
++              rc = vfs_rmdir(lower_dir_inode, lower_dentry);
++      if (!rc) {
+               clear_nlink(d_inode(dentry));
+-      fsstack_copy_attr_times(dir, d_inode(lower_dir_dentry));
+-      set_nlink(dir, d_inode(lower_dir_dentry)->i_nlink);
+-      unlock_dir(lower_dir_dentry);
++              fsstack_copy_attr_times(dir, lower_dir_inode);
++              set_nlink(dir, lower_dir_inode->i_nlink);
++      }
++      dput(lower_dentry);
++      inode_unlock(lower_dir_inode);
+       if (!rc)
+               d_drop(dentry);
+-      dput(dentry);
+       return rc;
+ }
+@@ -572,20 +588,22 @@ ecryptfs_rename(struct inode *old_dir, struct dentry *old_dentry,
+       struct dentry *lower_new_dentry;
+       struct dentry *lower_old_dir_dentry;
+       struct dentry *lower_new_dir_dentry;
+-      struct dentry *trap = NULL;
++      struct dentry *trap;
+       struct inode *target_inode;
+       if (flags)
+               return -EINVAL;
++      lower_old_dir_dentry = ecryptfs_dentry_to_lower(old_dentry->d_parent);
++      lower_new_dir_dentry = ecryptfs_dentry_to_lower(new_dentry->d_parent);
++
+       lower_old_dentry = ecryptfs_dentry_to_lower(old_dentry);
+       lower_new_dentry = ecryptfs_dentry_to_lower(new_dentry);
+-      dget(lower_old_dentry);
+-      dget(lower_new_dentry);
+-      lower_old_dir_dentry = dget_parent(lower_old_dentry);
+-      lower_new_dir_dentry = dget_parent(lower_new_dentry);
++
+       target_inode = d_inode(new_dentry);
++
+       trap = lock_rename(lower_old_dir_dentry, lower_new_dir_dentry);
++      dget(lower_new_dentry);
+       rc = -EINVAL;
+       if (lower_old_dentry->d_parent != lower_old_dir_dentry)
+               goto out_lock;
+@@ -613,11 +631,8 @@ ecryptfs_rename(struct inode *old_dir, struct dentry *old_dentry,
+       if (new_dir != old_dir)
+               fsstack_copy_attr_all(old_dir, d_inode(lower_old_dir_dentry));
+ out_lock:
+-      unlock_rename(lower_old_dir_dentry, lower_new_dir_dentry);
+-      dput(lower_new_dir_dentry);
+-      dput(lower_old_dir_dentry);
+       dput(lower_new_dentry);
+-      dput(lower_old_dentry);
++      unlock_rename(lower_old_dir_dentry, lower_new_dir_dentry);
+       return rc;
+ }
+-- 
+2.20.1
+
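Review bot: In `ecryptfs_do_unlink` the two new `rc = -EINVAL` branches fall into the existing `printk(KERN_ERR "Error in vfs_unlink; rc = [%d]\n", rc);`, so a lower dentry that was moved or unhashed underneath eCryptfs is logged as a `vfs_unlink` failure that never happened. That is the one event an administrator would want to tell apart, since it means the lower filesystem was modified behind the stack. I would keep the existing printk for the `vfs_unlink()` result only and give the two check failures their own message, e.g. `printk(KERN_ERR "Lower dentry changed under us; rc = [%d]\n", rc);`. `ecryptfs_rmdir` applies the same two checks with no log line at all, so the two functions should be made consistent.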
diff --git a/queue-5.3/exportfs_decode_fh-negative-pinned-may-become-positi.patch b/queue-5.3/exportfs_decode_fh-negative-pinned-may-become-positi.patch
new file mode 100644 (file)
index 0000000..1c97819
--- /dev/null
@@ -0,0 +1,69 @@
+From 3dd2f011de395b359a52a7e42ffae784ea455bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2019 22:08:29 -0500
+Subject: exportfs_decode_fh(): negative pinned may become positive without the
+ parent locked
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit a2ece088882666e1dc7113744ac912eb161e3f87 ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exportfs/expfs.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
+index f0e549783caf9..ba6de72a3e34a 100644
+--- a/fs/exportfs/expfs.c
++++ b/fs/exportfs/expfs.c
+@@ -519,26 +519,33 @@ struct dentry *exportfs_decode_fh(struct vfsmount *mnt, struct fid *fid,
+                * inode is actually connected to the parent.
+                */
+               err = exportfs_get_name(mnt, target_dir, nbuf, result);
+-              if (!err) {
+-                      inode_lock(target_dir->d_inode);
+-                      nresult = lookup_one_len(nbuf, target_dir,
+-                                               strlen(nbuf));
+-                      inode_unlock(target_dir->d_inode);
+-                      if (!IS_ERR(nresult)) {
+-                              if (nresult->d_inode) {
+-                                      dput(result);
+-                                      result = nresult;
+-                              } else
+-                                      dput(nresult);
+-                      }
++              if (err) {
++                      dput(target_dir);
++                      goto err_result;
+               }
++              inode_lock(target_dir->d_inode);
++              nresult = lookup_one_len(nbuf, target_dir, strlen(nbuf));
++              if (!IS_ERR(nresult)) {
++                      if (unlikely(nresult->d_inode != result->d_inode)) {
++                              dput(nresult);
++                              nresult = ERR_PTR(-ESTALE);
++                      }
++              }
++              inode_unlock(target_dir->d_inode);
+               /*
+                * At this point we are done with the parent, but it's pinned
+                * by the child dentry anyway.
+                */
+               dput(target_dir);
++              if (IS_ERR(nresult)) {
++                      err = PTR_ERR(nresult);
++                      goto err_result;
++              }
++              dput(result);
++              result = nresult;
++
+               /*
+                * And finally make sure the dentry is actually acceptable
+                * to NFSD.
+-- 
+2.20.1
+
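Review bot: The inode comparison added after `lookup_one_len()` has no comment saying why it must sit inside the `inode_lock(target_dir->d_inode)` section, and the patch description has no body to carry that reasoning either. A line such as `/* recheck under the parent lock: the name must still resolve to result's inode, else the handle is stale */` above the `unlikely()` test would keep a later cleanup from moving the unlock back up. A failing `exportfs_get_name()` now also ends the decode through `err_result`, where the old code carried on with `result`. That label and the rest of exportfs_decode_fh() lie outside the hunk, so the caller-visible effect cannot be checked from here.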
diff --git a/queue-5.3/i2c-core-fix-use-after-free-in-of_i2c_notify.patch b/queue-5.3/i2c-core-fix-use-after-free-in-of_i2c_notify.patch
new file mode 100644 (file)
index 0000000..b111058
--- /dev/null
@@ -0,0 +1,43 @@
+From 76b16e1fca0ee52197b918d3042dc1f694f0a126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2019 16:36:48 +0800
+Subject: i2c: core: fix use after free in of_i2c_notify
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+[ Upstream commit a4c2fec16f5e6a5fee4865e6e0e91e2bc2d10f37 ]
+
+We can't use "adap->dev" after it has been freed.
+
+Fixes: 5bf4fa7daea6 ("i2c: break out OF support into separate file")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-of.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c
+index d1c48dec7118e..9b2fce4906c41 100644
+--- a/drivers/i2c/i2c-core-of.c
++++ b/drivers/i2c/i2c-core-of.c
+@@ -250,14 +250,14 @@ static int of_i2c_notify(struct notifier_block *nb, unsigned long action,
+               }
+               client = of_i2c_register_device(adap, rd->dn);
+-              put_device(&adap->dev);
+-
+               if (IS_ERR(client)) {
+                       dev_err(&adap->dev, "failed to create client for '%pOF'\n",
+                                rd->dn);
++                      put_device(&adap->dev);
+                       of_node_clear_flag(rd->dn, OF_POPULATED);
+                       return notifier_from_errno(PTR_ERR(client));
+               }
++              put_device(&adap->dev);
+               break;
+       case OF_RECONFIG_CHANGE_REMOVE:
+               /* already depopulated? */
+-- 
+2.20.1
+
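Review bot: The two `put_device(&adap->dev)` calls that replace the single early one carry no comment explaining why the reference must outlive the error message. A short `/* hold the adapter reference until dev_err() is done with adap->dev */` before the `IS_ERR(client)` branch would keep a later cleanup from merging them back above the `dev_err()`. The surrounding `switch` in of_i2c_notify() starts and ends outside the hunk.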
diff --git a/queue-5.3/input-cyttsp4_core-fix-use-after-free-bug.patch b/queue-5.3/input-cyttsp4_core-fix-use-after-free-bug.patch
new file mode 100644 (file)
index 0000000..eeeb3ec
--- /dev/null
@@ -0,0 +1,51 @@
+From 3abaeaecfe6bc6a74da3c3efcf29e1444625cfa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2019 17:04:54 -0800
+Subject: Input: cyttsp4_core - fix use after free bug
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 79aae6acbef16f720a7949f8fc6ac69816c79d62 ]
+
+The device md->input is used after it is released. Setting the device
+data to NULL is unnecessary as the device is never used again. Instead,
+md->input should be assigned NULL to avoid accessing the freed memory
+accidently. Besides, checking md->si against NULL is superfluous as it
+points to a variable address, which cannot be NULL.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Link: https://lore.kernel.org/r/1572936379-6423-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/cyttsp4_core.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c
+index 4b22d49a0f49a..6bcffc930384a 100644
+--- a/drivers/input/touchscreen/cyttsp4_core.c
++++ b/drivers/input/touchscreen/cyttsp4_core.c
+@@ -1990,11 +1990,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd)
+       /* get sysinfo */
+       md->si = &cd->sysinfo;
+-      if (!md->si) {
+-              dev_err(dev, "%s: Fail get sysinfo pointer from core p=%p\n",
+-                      __func__, md->si);
+-              goto error_get_sysinfo;
+-      }
+       rc = cyttsp4_setup_input_device(cd);
+       if (rc)
+@@ -2004,8 +1999,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd)
+ error_init_input:
+       input_free_device(md->input);
+-error_get_sysinfo:
+-      input_set_drvdata(md->input, NULL);
+ error_alloc_failed:
+       dev_err(dev, "%s failed.\n", __func__);
+       return rc;
+-- 
+2.20.1
+
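Review bot: The description says `md->input` should be set to NULL after release, but the hunks only delete lines, so after `input_free_device(md->input)` under `error_init_input:` the field still holds the freed pointer. Adding `md->input = NULL;` right after that call would match the stated intent and turn a later accidental access into a clean fault instead of a read of freed memory. Whether anything reads `md->input` after a failed probe is not visible here, because cyttsp4_mt_probe() extends beyond the hunks.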
diff --git a/queue-5.3/iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch b/queue-5.3/iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch
new file mode 100644 (file)
index 0000000..9e98797
--- /dev/null
@@ -0,0 +1,90 @@
+From e3967213ce45315781071a325ab79e204cc84018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 13:51:47 +0200
+Subject: iwlwifi: pcie: don't consider IV len in A-MSDU
+
+From: Mordechay Goodstein <mordechay.goodstein@intel.com>
+
+[ Upstream commit cb1a4badf59275eb7221dcec621e8154917eabd1 ]
+
+From gen2 PN is totally offloaded to hardware (also the space for the
+IV isn't part of the skb).  As you can see in mvm/mac80211.c:3545, the
+MAC for cipher types CCMP/GCMP doesn't set
+IEEE80211_KEY_FLAG_PUT_IV_SPACE for gen2 NICs.
+
+This causes all the AMSDU data to be corrupted with cipher enabled.
+
+Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 20 +++++++------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+index 9ef6b8fe03c1b..0fbf8c1d5c98b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+@@ -252,27 +252,23 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
+       struct ieee80211_hdr *hdr = (void *)skb->data;
+       unsigned int snap_ip_tcp_hdrlen, ip_hdrlen, total_len, hdr_room;
+       unsigned int mss = skb_shinfo(skb)->gso_size;
+-      u16 length, iv_len, amsdu_pad;
++      u16 length, amsdu_pad;
+       u8 *start_hdr;
+       struct iwl_tso_hdr_page *hdr_page;
+       struct page **page_ptr;
+       struct tso_t tso;
+-      /* if the packet is protected, then it must be CCMP or GCMP */
+-      iv_len = ieee80211_has_protected(hdr->frame_control) ?
+-              IEEE80211_CCMP_HDR_LEN : 0;
+-
+       trace_iwlwifi_dev_tx(trans->dev, skb, tfd, sizeof(*tfd),
+                            &dev_cmd->hdr, start_len, 0);
+       ip_hdrlen = skb_transport_header(skb) - skb_network_header(skb);
+       snap_ip_tcp_hdrlen = 8 + ip_hdrlen + tcp_hdrlen(skb);
+-      total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len - iv_len;
++      total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len;
+       amsdu_pad = 0;
+       /* total amount of header we may need for this A-MSDU */
+       hdr_room = DIV_ROUND_UP(total_len, mss) *
+-              (3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr)) + iv_len;
++              (3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr));
+       /* Our device supports 9 segments at most, it will fit in 1 page */
+       hdr_page = get_page_hdr(trans, hdr_room);
+@@ -283,14 +279,12 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
+       start_hdr = hdr_page->pos;
+       page_ptr = (void *)((u8 *)skb->cb + trans_pcie->page_offs);
+       *page_ptr = hdr_page->page;
+-      memcpy(hdr_page->pos, skb->data + hdr_len, iv_len);
+-      hdr_page->pos += iv_len;
+       /*
+-       * Pull the ieee80211 header + IV to be able to use TSO core,
++       * Pull the ieee80211 header to be able to use TSO core,
+        * we will restore it for the tx_status flow.
+        */
+-      skb_pull(skb, hdr_len + iv_len);
++      skb_pull(skb, hdr_len);
+       /*
+        * Remove the length of all the headers that we don't actually
+@@ -365,8 +359,8 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
+               }
+       }
+-      /* re -add the WiFi header and IV */
+-      skb_push(skb, hdr_len + iv_len);
++      /* re -add the WiFi header */
++      skb_push(skb, hdr_len);
+       return 0;
+-- 
+2.20.1
+
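Review bot: With the `iv_len` handling removed, nothing in iwl_pcie_gen2_build_amsdu() records why a protected frame needs no IV space, which the deleted `/* if the packet is protected, then it must be CCMP or GCMP */` comment at least hinted at. A replacement above the `total_len` computation, e.g. `/* gen2: PN/IV is generated by the hardware, the skb carries no IV space */`, would keep the assumption next to the length arithmetic it affects. `total_len` is an unsigned subtraction from `skb->len` and feeds the `hdr_room` sizing, so the assumption is worth stating where the sizes are derived. The function body continues outside these hunks.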
diff --git a/queue-5.3/mips-sgi-ip27-fix-exception-handler-replication.patch b/queue-5.3/mips-sgi-ip27-fix-exception-handler-replication.patch
new file mode 100644 (file)
index 0000000..74dce2f
--- /dev/null
@@ -0,0 +1,99 @@
+From 5452d0fb60540c7aa1e25f041413a1fff051f6e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 10:46:04 +0100
+Subject: MIPS: SGI-IP27: fix exception handler replication
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit 637346748245e94c877aa746e6fe0d7079b7736a ]
+
+Commit 775b089aeffa ("MIPS: tlbex: Remove cpu_has_local_ebase") removed
+generating tlb refill handlers for every CPU, which was needed for
+generating per node exception handlers on IP27. Instead of resurrecting
+(and fixing) refill handler generation, we simply copy all exception
+vectors from the boot node to the other nodes. Also remove the config
+option since the memory tradeoff for expection handler replication
+is just 8k per node.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Signed-off-by: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Burton <paul.burton@mips.com>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/sgi-ip27/Kconfig       |  7 -------
+ arch/mips/sgi-ip27/ip27-init.c   | 21 ++++++---------------
+ arch/mips/sgi-ip27/ip27-memory.c |  4 ----
+ 3 files changed, 6 insertions(+), 26 deletions(-)
+
+diff --git a/arch/mips/sgi-ip27/Kconfig b/arch/mips/sgi-ip27/Kconfig
+index ef3847e7aee02..e5b6cadbec857 100644
+--- a/arch/mips/sgi-ip27/Kconfig
++++ b/arch/mips/sgi-ip27/Kconfig
+@@ -38,10 +38,3 @@ config REPLICATE_KTEXT
+         Say Y here to enable replicating the kernel text across multiple
+         nodes in a NUMA cluster.  This trades memory for speed.
+-config REPLICATE_EXHANDLERS
+-      bool "Exception handler replication support"
+-      depends on SGI_IP27
+-      help
+-        Say Y here to enable replicating the kernel exception handlers
+-        across multiple nodes in a NUMA cluster. This trades memory for
+-        speed.
+diff --git a/arch/mips/sgi-ip27/ip27-init.c b/arch/mips/sgi-ip27/ip27-init.c
+index 066b33f50bcc4..db58ebf02870f 100644
+--- a/arch/mips/sgi-ip27/ip27-init.c
++++ b/arch/mips/sgi-ip27/ip27-init.c
+@@ -69,23 +69,14 @@ static void per_hub_init(cnodeid_t cnode)
+       hub_rtc_init(cnode);
+-#ifdef CONFIG_REPLICATE_EXHANDLERS
+-      /*
+-       * If this is not a headless node initialization,
+-       * copy over the caliased exception handlers.
+-       */
+-      if (get_compact_nodeid() == cnode) {
+-              extern char except_vec2_generic, except_vec3_generic;
+-              extern void build_tlb_refill_handler(void);
+-
+-              memcpy((void *)(CKSEG0 + 0x100), &except_vec2_generic, 0x80);
+-              memcpy((void *)(CKSEG0 + 0x180), &except_vec3_generic, 0x80);
+-              build_tlb_refill_handler();
+-              memcpy((void *)(CKSEG0 + 0x100), (void *) CKSEG0, 0x80);
+-              memcpy((void *)(CKSEG0 + 0x180), &except_vec3_generic, 0x100);
++      if (nasid) {
++              /* copy exception handlers from first node to current node */
++              memcpy((void *)NODE_OFFSET_TO_K0(nasid, 0),
++                     (void *)CKSEG0, 0x200);
+               __flush_cache_all();
++              /* switch to node local exception handlers */
++              REMOTE_HUB_S(nasid, PI_CALIAS_SIZE, PI_CALIAS_SIZE_8K);
+       }
+-#endif
+ }
+ void per_cpu_init(void)
+diff --git a/arch/mips/sgi-ip27/ip27-memory.c b/arch/mips/sgi-ip27/ip27-memory.c
+index fb077a9475756..8624a885d95bf 100644
+--- a/arch/mips/sgi-ip27/ip27-memory.c
++++ b/arch/mips/sgi-ip27/ip27-memory.c
+@@ -332,11 +332,7 @@ static void __init mlreset(void)
+                * thinks it is a node 0 address.
+                */
+               REMOTE_HUB_S(nasid, PI_REGION_PRESENT, (region_mask | 1));
+-#ifdef CONFIG_REPLICATE_EXHANDLERS
+-              REMOTE_HUB_S(nasid, PI_CALIAS_SIZE, PI_CALIAS_SIZE_8K);
+-#else
+               REMOTE_HUB_S(nasid, PI_CALIAS_SIZE, PI_CALIAS_SIZE_0);
+-#endif
+ #ifdef LATER
+               /*
+-- 
+2.20.1
+
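Review bot: The replication in per_hub_init() copies a bare `0x200` bytes from `CKSEG0` while the same block then programs `PI_CALIAS_SIZE_8K`, and neither the length nor its relation to the 8k alias window is explained. A named constant or a comment such as `/* 0x200: vectors at 0x000-0x1ff; the rest of the 8k calias window is not copied */` would make clear what is replicated, assuming that is the intended range. The new code also relies on mlreset() leaving `PI_CALIAS_SIZE_0` in place until the copy and `__flush_cache_all()` are done, which merits a sentence next to the `REMOTE_HUB_S()` call. `nasid` is used in the new `if (nasid)` but declared outside the hunk.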
diff --git a/queue-5.3/net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch b/queue-5.3/net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch
new file mode 100644 (file)
index 0000000..61320da
--- /dev/null
@@ -0,0 +1,46 @@
+From 6ddb5a439d580f171b2645c35ca9a082f7fdd4af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 23:43:24 +0800
+Subject: net: ep93xx_eth: fix mismatch of request_mem_region in remove
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 3df70afe8d33f4977d0e0891bdcfb639320b5257 ]
+
+The driver calls release_resource in remove to match request_mem_region
+in probe, which is incorrect.
+Fix it by using the right one, release_mem_region.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cirrus/ep93xx_eth.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cirrus/ep93xx_eth.c b/drivers/net/ethernet/cirrus/ep93xx_eth.c
+index f1a0c4dceda0c..f37c9a08c4cf5 100644
+--- a/drivers/net/ethernet/cirrus/ep93xx_eth.c
++++ b/drivers/net/ethernet/cirrus/ep93xx_eth.c
+@@ -763,6 +763,7 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
+ {
+       struct net_device *dev;
+       struct ep93xx_priv *ep;
++      struct resource *mem;
+       dev = platform_get_drvdata(pdev);
+       if (dev == NULL)
+@@ -778,8 +779,8 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
+               iounmap(ep->base_addr);
+       if (ep->res != NULL) {
+-              release_resource(ep->res);
+-              kfree(ep->res);
++              mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++              release_mem_region(mem->start, resource_size(mem));
+       }
+       free_netdev(dev);
+-- 
+2.20.1
+
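Review bot: In ep93xx_eth_remove() the result of `platform_get_resource(pdev, IORESOURCE_MEM, 0)` is dereferenced without a NULL check. Probe presumably validated the same resource, so this is unlikely to trigger, but that code is not visible here and the guard is cheap: `if (mem) release_mem_region(mem->start, resource_size(mem));`. `ep->res` now serves only as a flag that the region was requested, which a short comment could state. The function body lies partly outside the two hunks.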
diff --git a/queue-5.3/net-hns3-fix-ets-bandwidth-validation-bug.patch b/queue-5.3/net-hns3-fix-ets-bandwidth-validation-bug.patch
new file mode 100644 (file)
index 0000000..2c47b19
--- /dev/null
@@ -0,0 +1,40 @@
+From 5b972102e92bd9f4a68921cc05ae66429b3d8694 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 10:32:41 +0800
+Subject: net: hns3: fix ETS bandwidth validation bug
+
+From: Yonglong Liu <liuyonglong@huawei.com>
+
+[ Upstream commit c2d56897819338eb0ba8b93184f7d10329b36653 ]
+
+Some device only support 4 TCs, but the driver check the total
+bandwidth of 8 TCs, so may cause wrong configurations write to
+the hw.
+
+This patch uses hdev->tc_max to instead HNAE3_MAX_TC to fix it.
+
+Fixes: e432abfb99e5 ("net: hns3: add common validation in hclge_dcb")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
+index d9136a199d8db..f5c323e798343 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
+@@ -124,7 +124,7 @@ static int hclge_ets_validate(struct hclge_dev *hdev, struct ieee_ets *ets,
+       if (ret)
+               return ret;
+-      for (i = 0; i < HNAE3_MAX_TC; i++) {
++      for (i = 0; i < hdev->tc_max; i++) {
+               switch (ets->tc_tsa[i]) {
+               case IEEE_8021QAZ_TSA_STRICT:
+                       if (hdev->tm_info.tc_info[i].tc_sch_mode !=
+-- 
+2.20.1
+
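Review bot: The loop bound in hclge_ets_validate() changes from the compile-time `HNAE3_MAX_TC` to the runtime `hdev->tc_max`, and that value indexes both `ets->tc_tsa[]` and `hdev->tm_info.tc_info[]` with nothing in the hunk limiting it to the array sizes. If `tc_max` is guaranteed elsewhere never to exceed `HNAE3_MAX_TC` this is fine, but the guarantee is not visible here; `for (i = 0; i < hdev->tc_max && i < HNAE3_MAX_TC; i++)` would make it local. Entries at or above `tc_max` in the caller-supplied `ets` are also no longer examined, so whether they must be zero should be decided and commented. The function continues outside the hunk.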
diff --git a/queue-5.3/net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch b/queue-5.3/net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch
new file mode 100644 (file)
index 0000000..0b2fd73
--- /dev/null
@@ -0,0 +1,63 @@
+From 7694df1583a71a857913ae4e181b655aecf998be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 10:32:40 +0800
+Subject: net: hns3: reallocate SSU' buffer size when pfc_en changes
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit aea8cfb35a82d6c2f3517c86694933ba766635e5 ]
+
+When a TC's PFC is disabled or enabled, the RX private buffer for
+this TC need to be changed too, otherwise this may cause packet
+dropped problem.
+
+This patch fixes it by calling hclge_buffer_alloc to reallocate
+buffer when pfc_en changes.
+
+Fixes: cacde272dd00 ("net: hns3: Add hclge_dcb module for the support of DCB feature")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c  | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
+index bac4ce13f6ae4..d9136a199d8db 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
+@@ -302,6 +302,7 @@ static int hclge_ieee_setpfc(struct hnae3_handle *h, struct ieee_pfc *pfc)
+       struct hclge_vport *vport = hclge_get_vport(h);
+       struct hclge_dev *hdev = vport->back;
+       u8 i, j, pfc_map, *prio_tc;
++      int ret;
+       if (!(hdev->dcbx_cap & DCB_CAP_DCBX_VER_IEEE) ||
+           hdev->flag & HCLGE_FLAG_MQPRIO_ENABLE)
+@@ -327,7 +328,21 @@ static int hclge_ieee_setpfc(struct hnae3_handle *h, struct ieee_pfc *pfc)
+       hclge_tm_pfc_info_update(hdev);
+-      return hclge_pause_setup_hw(hdev, false);
++      ret = hclge_pause_setup_hw(hdev, false);
++      if (ret)
++              return ret;
++
++      ret = hclge_notify_client(hdev, HNAE3_DOWN_CLIENT);
++      if (ret)
++              return ret;
++
++      ret = hclge_buffer_alloc(hdev);
++      if (ret) {
++              hclge_notify_client(hdev, HNAE3_UP_CLIENT);
++              return ret;
++      }
++
++      return hclge_notify_client(hdev, HNAE3_UP_CLIENT);
+ }
+ /* DCBX configuration */
+-- 
+2.20.1
+
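Review bot: The new tail of hclge_ieee_setpfc() has two error paths that can leave state half-applied: a failed `hclge_notify_client(hdev, HNAE3_DOWN_CLIENT)` returns after `hclge_pause_setup_hw()` has already succeeded, and the `HNAE3_UP_CLIENT` call in the `hclge_buffer_alloc()` failure branch drops its return value. In both cases the hardware PFC setting and the buffer allocation may disagree afterwards, which is the condition the commit sets out to remove. At minimum a comment such as `/* PFC is already programmed; on failure below buffers still match the old pfc_en */` should say so, and the ignored UP result deserves a log line. How much of a failed DOWN notification must be undone depends on hclge_notify_client(), which is outside the hunk.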
diff --git a/queue-5.3/nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch b/queue-5.3/nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch
new file mode 100644 (file)
index 0000000..8b8c276
--- /dev/null
@@ -0,0 +1,73 @@
+From 31a0c3fec77fb6e403d6e1d560f9070281a4905b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Nov 2019 17:19:15 +0100
+Subject: NFC: nxp-nci: Fix NULL pointer dereference after I2C communication
+ error
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit a71a29f50de1ef97ab55c151a1598eb12dde379d ]
+
+I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci
+result in a NULL pointer dereference at the moment:
+
+    BUG: kernel NULL pointer dereference, address: 0000000000000000
+    Oops: 0002 [#1] PREEMPT SMP NOPTI
+    CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1
+    RIP: 0010:skb_queue_tail+0x25/0x50
+    Call Trace:
+     nci_recv_frame+0x36/0x90 [nci]
+     nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c]
+     ? preempt_count_add+0x68/0xa0
+     ? irq_forced_thread_fn+0x80/0x80
+     irq_thread_fn+0x20/0x60
+     irq_thread+0xee/0x180
+     ? wake_threads_waitq+0x30/0x30
+     kthread+0xfb/0x130
+     ? irq_thread_check_affinity+0xd0/0xd0
+     ? kthread_park+0x90/0x90
+     ret_from_fork+0x1f/0x40
+
+Afterward the kernel must be rebooted to work properly again.
+
+This happens because it attempts to call nci_recv_frame() with skb == NULL.
+However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any
+NULL checks for skb, causing the NULL pointer dereference.
+
+Change the code to call only nxp_nci_fw_recv_frame() in case of an error.
+Make sure to log it so it is obvious that a communication error occurred.
+The error above then becomes:
+
+    nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121
+    nci: __nci_request: wait_for_completion_interruptible_timeout failed 0
+    nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121
+
+Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/nxp-nci/i2c.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
+index 4aeb3861b4095..6c468899f2ffe 100644
+--- a/drivers/nfc/nxp-nci/i2c.c
++++ b/drivers/nfc/nxp-nci/i2c.c
+@@ -225,8 +225,10 @@ static irqreturn_t nxp_nci_i2c_irq_thread_fn(int irq, void *phy_id)
+       if (r == -EREMOTEIO) {
+               phy->hard_fault = r;
+-              skb = NULL;
+-      } else if (r < 0) {
++              if (info->mode == NXP_NCI_MODE_FW)
++                      nxp_nci_fw_recv_frame(phy->ndev, NULL);
++      }
++      if (r < 0) {
+               nfc_err(&client->dev, "Read failed with error %d\n", r);
+               goto exit_irq_handled;
+       }
+-- 
+2.20.1
+
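Review bot: The reason only `nxp_nci_fw_recv_frame()` may receive a NULL skb is given in the commit message but not in nxp_nci_i2c_irq_thread_fn() itself, where the next reader will look. A comment on the new branch, e.g. `/* only the firmware path accepts a NULL frame; nci_recv_frame() does not check skb */`, would guard against the two calls being merged again. In NCI mode the `-EREMOTEIO` case now just records `phy->hard_fault` and logs, so a pending request appears to end by timeout, as the sample output in the description shows; if that is intended it is worth stating. The function continues outside the hunk.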
diff --git a/queue-5.3/perf-core-consistently-fail-fork-on-allocation-failu.patch b/queue-5.3/perf-core-consistently-fail-fork-on-allocation-failu.patch
new file mode 100644 (file)
index 0000000..d72aa12
--- /dev/null
@@ -0,0 +1,55 @@
+From 4b5171c667658449a2826f49b4aa7924fa14794b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 09:57:02 +0200
+Subject: perf/core: Consistently fail fork on allocation failures
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+[ Upstream commit 697d877849d4b34ab58d7078d6930bad0ef6fc66 ]
+
+Commit:
+
+  313ccb9615948 ("perf: Allocate context task_ctx_data for child event")
+
+makes the inherit path skip over the current event in case of task_ctx_data
+allocation failure. This, however, is inconsistent with allocation failures
+in perf_event_alloc(), which would abort the fork.
+
+Correct this by returning an error code on task_ctx_data allocation
+failure and failing the fork in that case.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: https://lkml.kernel.org/r/20191105075702.60319-1-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 53173883513c1..25942e43b8d48 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -11719,7 +11719,7 @@ inherit_event(struct perf_event *parent_event,
+                                                  GFP_KERNEL);
+               if (!child_ctx->task_ctx_data) {
+                       free_event(child_event);
+-                      return NULL;
++                      return ERR_PTR(-ENOMEM);
+               }
+       }
+-- 
+2.20.1
+
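Review bot: inherit_event() now has three distinct results (a child event, `NULL`, and `ERR_PTR(-ENOMEM)` from this branch), and the hunk does not show that contract documented anywhere. A line above the function such as `/* Returns the child event, NULL if the parent is to be skipped, or an ERR_PTR() that must fail the fork */` would help, with the NULL case worded to match the rest of the function, since only this branch is visible. The callers that have to test `IS_ERR()` are outside the hunk.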
diff --git a/queue-5.3/ravb-implement-mtu-change-while-device-is-up.patch b/queue-5.3/ravb-implement-mtu-change-while-device-is-up.patch
new file mode 100644 (file)
index 0000000..0c9d990
--- /dev/null
@@ -0,0 +1,131 @@
+From 131ee6c91894f3b60cce725c217675a29aef3ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 02:49:49 +0100
+Subject: ravb: implement MTU change while device is up
+
+From: Ulrich Hecht <uli+renesas@fpond.eu>
+
+[ Upstream commit 15fb35fa9ff456b81159033eba6397fcee85e671 ]
+
+Pre-allocates buffers sufficient for the maximum supported MTU (2026) in
+order to eliminate the possibility of resource exhaustion when changing the
+MTU while the device is up.
+
+Signed-off-by: Ulrich Hecht <uli+renesas@fpond.eu>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb.h      |  3 ++-
+ drivers/net/ethernet/renesas/ravb_main.c | 26 +++++++++++++-----------
+ 2 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb.h b/drivers/net/ethernet/renesas/ravb.h
+index ac9195add8116..7090229398227 100644
+--- a/drivers/net/ethernet/renesas/ravb.h
++++ b/drivers/net/ethernet/renesas/ravb.h
+@@ -960,6 +960,8 @@ enum RAVB_QUEUE {
+ #define NUM_RX_QUEUE  2
+ #define NUM_TX_QUEUE  2
++#define RX_BUF_SZ     (2048 - ETH_FCS_LEN + sizeof(__sum16))
++
+ /* TX descriptors per packet */
+ #define NUM_TX_DESC_GEN2      2
+ #define NUM_TX_DESC_GEN3      1
+@@ -1023,7 +1025,6 @@ struct ravb_private {
+       u32 dirty_rx[NUM_RX_QUEUE];     /* Producer ring indices */
+       u32 cur_tx[NUM_TX_QUEUE];
+       u32 dirty_tx[NUM_TX_QUEUE];
+-      u32 rx_buf_sz;                  /* Based on MTU+slack. */
+       struct napi_struct napi[NUM_RX_QUEUE];
+       struct work_struct work;
+       /* MII transceiver section. */
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 6cacd5e893aca..393644833cd57 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -230,7 +230,7 @@ static void ravb_ring_free(struct net_device *ndev, int q)
+                                              le32_to_cpu(desc->dptr)))
+                               dma_unmap_single(ndev->dev.parent,
+                                                le32_to_cpu(desc->dptr),
+-                                               priv->rx_buf_sz,
++                                               RX_BUF_SZ,
+                                                DMA_FROM_DEVICE);
+               }
+               ring_size = sizeof(struct ravb_ex_rx_desc) *
+@@ -293,9 +293,9 @@ static void ravb_ring_format(struct net_device *ndev, int q)
+       for (i = 0; i < priv->num_rx_ring[q]; i++) {
+               /* RX descriptor */
+               rx_desc = &priv->rx_ring[q][i];
+-              rx_desc->ds_cc = cpu_to_le16(priv->rx_buf_sz);
++              rx_desc->ds_cc = cpu_to_le16(RX_BUF_SZ);
+               dma_addr = dma_map_single(ndev->dev.parent, priv->rx_skb[q][i]->data,
+-                                        priv->rx_buf_sz,
++                                        RX_BUF_SZ,
+                                         DMA_FROM_DEVICE);
+               /* We just set the data size to 0 for a failed mapping which
+                * should prevent DMA from happening...
+@@ -342,9 +342,6 @@ static int ravb_ring_init(struct net_device *ndev, int q)
+       int ring_size;
+       int i;
+-      priv->rx_buf_sz = (ndev->mtu <= 1492 ? PKT_BUF_SZ : ndev->mtu) +
+-              ETH_HLEN + VLAN_HLEN + sizeof(__sum16);
+-
+       /* Allocate RX and TX skb rings */
+       priv->rx_skb[q] = kcalloc(priv->num_rx_ring[q],
+                                 sizeof(*priv->rx_skb[q]), GFP_KERNEL);
+@@ -354,7 +351,7 @@ static int ravb_ring_init(struct net_device *ndev, int q)
+               goto error;
+       for (i = 0; i < priv->num_rx_ring[q]; i++) {
+-              skb = netdev_alloc_skb(ndev, priv->rx_buf_sz + RAVB_ALIGN - 1);
++              skb = netdev_alloc_skb(ndev, RX_BUF_SZ + RAVB_ALIGN - 1);
+               if (!skb)
+                       goto error;
+               ravb_set_buffer_align(skb);
+@@ -590,7 +587,7 @@ static bool ravb_rx(struct net_device *ndev, int *quota, int q)
+                       skb = priv->rx_skb[q][entry];
+                       priv->rx_skb[q][entry] = NULL;
+                       dma_unmap_single(ndev->dev.parent, le32_to_cpu(desc->dptr),
+-                                       priv->rx_buf_sz,
++                                       RX_BUF_SZ,
+                                        DMA_FROM_DEVICE);
+                       get_ts &= (q == RAVB_NC) ?
+                                       RAVB_RXTSTAMP_TYPE_V2_L2_EVENT :
+@@ -623,11 +620,11 @@ static bool ravb_rx(struct net_device *ndev, int *quota, int q)
+       for (; priv->cur_rx[q] - priv->dirty_rx[q] > 0; priv->dirty_rx[q]++) {
+               entry = priv->dirty_rx[q] % priv->num_rx_ring[q];
+               desc = &priv->rx_ring[q][entry];
+-              desc->ds_cc = cpu_to_le16(priv->rx_buf_sz);
++              desc->ds_cc = cpu_to_le16(RX_BUF_SZ);
+               if (!priv->rx_skb[q][entry]) {
+                       skb = netdev_alloc_skb(ndev,
+-                                             priv->rx_buf_sz +
++                                             RX_BUF_SZ +
+                                              RAVB_ALIGN - 1);
+                       if (!skb)
+                               break;  /* Better luck next round. */
+@@ -1814,10 +1811,15 @@ static int ravb_do_ioctl(struct net_device *ndev, struct ifreq *req, int cmd)
+ static int ravb_change_mtu(struct net_device *ndev, int new_mtu)
+ {
+-      if (netif_running(ndev))
+-              return -EBUSY;
++      struct ravb_private *priv = netdev_priv(ndev);
+       ndev->mtu = new_mtu;
++
++      if (netif_running(ndev)) {
++              synchronize_irq(priv->emac_irq);
++              ravb_emac_init(ndev);
++      }
++
+       netdev_update_features(ndev);
+       return 0;
+-- 
+2.20.1
+
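Review bot: `RX_BUF_SZ` in ravb.h fixes the receive DMA length for every ring, yet nothing beside the macro ties it to the largest MTU the driver accepts, and ravb_change_mtu() stores `new_mtu` without any local bound. The description gives 2026 as the maximum; with the usual header sizes that is 2026 + ETH_HLEN + VLAN_HLEN + sizeof(__sum16) = 2046, the same as `2048 - ETH_FCS_LEN + sizeof(__sum16)`, so the numbers agree today. A comment on the macro, `/* must stay >= max_mtu + ETH_HLEN + VLAN_HLEN + sizeof(__sum16) */`, would keep a future change to the MTU limit from silently outgrowing the buffers. Where the limit itself is set is not visible in these hunks.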
diff --git a/queue-5.3/rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch b/queue-5.3/rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch
new file mode 100644 (file)
index 0000000..2dbe2c6
--- /dev/null
@@ -0,0 +1,46 @@
+From 60a4684da91299fb9d53adcc50a2b1a598a4e904 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 12:07:15 +0100
+Subject: rbd: silence bogus uninitialized warning in
+ rbd_object_map_update_finish()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+[ Upstream commit 633739b2fedb6617d782ca252797b7a8ad754347 ]
+
+Some versions of gcc (so far 6.3 and 7.4) throw a warning:
+
+  drivers/block/rbd.c: In function 'rbd_object_map_callback':
+  drivers/block/rbd.c:2124:21: warning: 'current_state' may be used uninitialized in this function [-Wmaybe-uninitialized]
+        (current_state == OBJECT_EXISTS && state == OBJECT_EXISTS_CLEAN))
+  drivers/block/rbd.c:2092:23: note: 'current_state' was declared here
+    u8 state, new_state, current_state;
+                          ^~~~~~~~~~~~~
+
+It's bogus because all current_state accesses are guarded by
+has_current_state.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Dongsheng Yang <dongsheng.yang@easystack.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
+index c8fb886aebd4e..64e364c4a0fb8 100644
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -2089,7 +2089,7 @@ static int rbd_object_map_update_finish(struct rbd_obj_request *obj_req,
+       struct rbd_device *rbd_dev = obj_req->img_request->rbd_dev;
+       struct ceph_osd_data *osd_data;
+       u64 objno;
+-      u8 state, new_state, current_state;
++      u8 state, new_state, uninitialized_var(current_state);
+       bool has_current_state;
+       void *p;
+-- 
+2.20.1
+
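Review bot: `uninitialized_var(current_state)` on the declaration line hides the warning without giving the variable a value. If a later edit lets a read escape the `has_current_state` guard, the compiler will no longer flag it and the function would consume whatever is on the stack. A plain initialiser keeps the read defined and should silence the same gcc versions: `u8 state, new_state, current_state = 0;`. The body of rbd_object_map_update_finish() continues outside the hunk, so the guard itself cannot be checked from here.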
diff --git a/queue-5.3/rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch b/queue-5.3/rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch
new file mode 100644 (file)
index 0000000..8705a2a
--- /dev/null
@@ -0,0 +1,39 @@
+From 0860fb658e51c98d4c0692255322ce7c8d2379dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2019 10:33:29 +0800
+Subject: RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
+
+From: Sirong Wang <wangsirong@huawei.com>
+
+[ Upstream commit 531eb45b3da4267fc2a64233ba256c8ffb02edd2 ]
+
+Size of pointer to buf field of struct hns_roce_hem_chunk should be
+considered when calculating HNS_ROCE_HEM_CHUNK_LEN, or sg table size will
+be larger than expected when allocating hem.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Link: https://lore.kernel.org/r/1572575610-52530-2-git-send-email-liweihang@hisilicon.com
+Signed-off-by: Sirong Wang <wangsirong@huawei.com>
+Signed-off-by: Weihang Li <liweihang@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h
+index f1ccb8f35fe59..e41ebc25b1f90 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h
+@@ -59,7 +59,7 @@ enum {
+ #define HNS_ROCE_HEM_CHUNK_LEN        \
+        ((256 - sizeof(struct list_head) - 2 * sizeof(int)) /   \
+-       (sizeof(struct scatterlist)))
++       (sizeof(struct scatterlist) + sizeof(void *)))
+ #define check_whether_bt_num_3(type, hop_num) \
+       (type < HEM_TYPE_MTT && hop_num == 2)
+-- 
+2.20.1
+
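Review bot: The divisor in HNS_ROCE_HEM_CHUNK_LEN restates the layout of struct hns_roce_hem_chunk by hand, and nothing in the header ties the macro to the struct, so the next added field can be missed just as the buf pointer was. A comment above the macro would record the assumption, e.g. `/* per entry: one scatterlist plus one buf pointer; fixed part is a list_head and two ints */`. If the 256 is meant as a size budget for the whole chunk, a `BUILD_BUG_ON(sizeof(struct hns_roce_hem_chunk) > 256);` at an init site would catch a future mismatch at compile time. The struct definition is outside the hunk, so the field list here is taken from the macro and the commit message.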
diff --git a/queue-5.3/rdma-hns-correct-the-value-of-srq_desc_size.patch b/queue-5.3/rdma-hns-correct-the-value-of-srq_desc_size.patch
new file mode 100644 (file)
index 0000000..7773413
--- /dev/null
@@ -0,0 +1,38 @@
+From 1de4d41f1b40c9b57158e448fe9684756a784e13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2019 10:33:30 +0800
+Subject: RDMA/hns: Correct the value of srq_desc_size
+
+From: Wenpeng Liang <liangwenpeng@huawei.com>
+
+[ Upstream commit 411c1e6774e2e1f96b1ccce4f119376b94ade3e4 ]
+
+srq_desc_size should be rounded up to pow of two before used, or related
+calculation may cause allocating wrong size of memory for srq buffer.
+
+Fixes: c7bcb13442e1 ("RDMA/hns: Add SRQ support for hip08 kernel mode")
+Link: https://lore.kernel.org/r/1572575610-52530-3-git-send-email-liweihang@hisilicon.com
+Signed-off-by: Wenpeng Liang <liangwenpeng@huawei.com>
+Signed-off-by: Weihang Li <liweihang@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c
+index 38bb548eaa6d8..9768e377cd22c 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_srq.c
++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c
+@@ -221,7 +221,7 @@ int hns_roce_create_srq(struct ib_srq *ib_srq,
+       srq->max = roundup_pow_of_two(srq_init_attr->attr.max_wr + 1);
+       srq->max_gs = srq_init_attr->attr.max_sge;
+-      srq_desc_size = max(16, 16 * srq->max_gs);
++      srq_desc_size = roundup_pow_of_two(max(16, 16 * srq->max_gs));
+       srq->wqe_shift = ilog2(srq_desc_size);
+-- 
+2.20.1
+
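Review bot: The reason for the rounding is only visible by reading the following line: `ilog2()` rounds down, so a descriptor size that is not a power of two yields a `wqe_shift` that is too small, and any buffer size derived from it comes out short. A one-line comment would keep the rounding from being dropped later, e.g. `/* wqe_shift = ilog2(size) truncates, so size must be a power of two */`. `max_gs` is copied from `srq_init_attr->attr.max_sge` on the line above and no upper bound is visible in the hunk. hns_roce_create_srq() starts outside it, so confirm that a capability check runs before `16 * srq->max_gs` is computed.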
diff --git a/queue-5.3/rsxx-add-missed-destroy_workqueue-calls-in-remove.patch b/queue-5.3/rsxx-add-missed-destroy_workqueue-calls-in-remove.patch
new file mode 100644 (file)
index 0000000..504b0e3
--- /dev/null
@@ -0,0 +1,38 @@
+From f02f0979f474872562e88feae925ef98796c571a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 14:38:47 +0800
+Subject: rsxx: add missed destroy_workqueue calls in remove
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit dcb77e4b274b8f13ac6482dfb09160cd2fae9a40 ]
+
+The driver misses calling destroy_workqueue in remove like what is done
+when probe fails.
+Add the missed calls to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rsxx/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
+index 76b73ddf8fd73..10f6368117d81 100644
+--- a/drivers/block/rsxx/core.c
++++ b/drivers/block/rsxx/core.c
+@@ -1000,8 +1000,10 @@ static void rsxx_pci_remove(struct pci_dev *dev)
+       cancel_work_sync(&card->event_work);
++      destroy_workqueue(card->event_wq);
+       rsxx_destroy_dev(card);
+       rsxx_dma_destroy(card);
++      destroy_workqueue(card->creg_ctrl.creg_wq);
+       spin_lock_irqsave(&card->irq_lock, flags);
+       rsxx_disable_ier_and_isr(card, CR_INTR_ALL);
+-- 
+2.20.1
+
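Review bot: `destroy_workqueue(card->creg_ctrl.creg_wq)` is placed before the `rsxx_disable_ier_and_isr(card, CR_INTR_ALL)` call that follows it in the hunk, so not every interrupt source has been masked when the queue is freed. If the interrupt handler can queue creg work (not visible here), that window leaves it a freed workqueue to touch. Moving the call below the block that masks the interrupts would close the window. rsxx_pci_remove() starts and ends outside the hunk, so the right spot may be later still, after the IRQ is released.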
diff --git a/queue-5.3/sched-core-avoid-spurious-lock-dependencies.patch b/queue-5.3/sched-core-avoid-spurious-lock-dependencies.patch
new file mode 100644 (file)
index 0000000..61a2f1a
--- /dev/null
@@ -0,0 +1,67 @@
+From 0bdebcea2882e30c12931f7edd7c58c5f1a4c7f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 11:18:37 +0200
+Subject: sched/core: Avoid spurious lock dependencies
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit ff51ff84d82aea5a889b85f2b9fb3aa2b8691668 ]
+
+While seemingly harmless, __sched_fork() does hrtimer_init(), which,
+when DEBUG_OBJETS, can end up doing allocations.
+
+This then results in the following lock order:
+
+  rq->lock
+    zone->lock.rlock
+      batched_entropy_u64.lock
+
+Which in turn causes deadlocks when we do wakeups while holding that
+batched_entropy lock -- as the random code does.
+
+Solve this by moving __sched_fork() out from under rq->lock. This is
+safe because nothing there relies on rq->lock, as also evident from the
+other __sched_fork() callsite.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Qian Cai <cai@lca.pw>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: akpm@linux-foundation.org
+Cc: bigeasy@linutronix.de
+Cc: cl@linux.com
+Cc: keescook@chromium.org
+Cc: penberg@kernel.org
+Cc: rientjes@google.com
+Cc: thgarnie@google.com
+Cc: tytso@mit.edu
+Cc: will@kernel.org
+Fixes: b7d5dc21072c ("random: add a spinlock_t to struct batched_entropy")
+Link: https://lkml.kernel.org/r/20191001091837.GK4536@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index fffe790d98bb2..9a839798851c2 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5874,10 +5874,11 @@ void init_idle(struct task_struct *idle, int cpu)
+       struct rq *rq = cpu_rq(cpu);
+       unsigned long flags;
++      __sched_fork(0, idle);
++
+       raw_spin_lock_irqsave(&idle->pi_lock, flags);
+       raw_spin_lock(&rq->lock);
+-      __sched_fork(0, idle);
+       idle->state = TASK_RUNNING;
+       idle->se.exec_start = sched_clock();
+       idle->flags |= PF_IDLE;
+-- 
+2.20.1
+
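Review bot: Nothing at the new call site says why `__sched_fork(0, idle)` sits above the two lock acquisitions, so a later tidy-up could move it back under `rq->lock` and reintroduce the lock chain described in the commit message. A short comment would pin the placement: `/* may allocate via debug objects; must stay outside rq->lock */`. init_idle() continues past the end of the hunk.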
diff --git a/queue-5.3/sched-pelt-fix-update-of-blocked-pelt-ordering.patch b/queue-5.3/sched-pelt-fix-update-of-blocked-pelt-ordering.patch
new file mode 100644 (file)
index 0000000..9e98cd8
--- /dev/null
@@ -0,0 +1,95 @@
+From 094ae803c9394558ba4f80c2bc29846b2ae08887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2019 12:18:29 +0100
+Subject: sched/pelt: Fix update of blocked PELT ordering
+
+From: Vincent Guittot <vincent.guittot@linaro.org>
+
+[ Upstream commit b90f7c9d2198d789709390280a43e0a46345682b ]
+
+update_cfs_rq_load_avg() can call cpufreq_update_util() to trigger an
+update of the frequency. Make sure that RT, DL and IRQ PELT signals have
+been updated before calling cpufreq.
+
+Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: dietmar.eggemann@arm.com
+Cc: dsmythies@telus.net
+Cc: juri.lelli@redhat.com
+Cc: mgorman@suse.de
+Cc: rostedt@goodmis.org
+Fixes: 371bf4273269 ("sched/rt: Add rt_rq utilization tracking")
+Fixes: 3727e0e16340 ("sched/dl: Add dl_rq utilization tracking")
+Fixes: 91c27493e78d ("sched/irq: Add IRQ utilization tracking")
+Link: https://lkml.kernel.org/r/1572434309-32512-1-git-send-email-vincent.guittot@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 649c6b60929e2..ba7cc68a39935 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -7530,6 +7530,19 @@ static void update_blocked_averages(int cpu)
+       rq_lock_irqsave(rq, &rf);
+       update_rq_clock(rq);
++      /*
++       * update_cfs_rq_load_avg() can call cpufreq_update_util(). Make sure
++       * that RT, DL and IRQ signals have been updated before updating CFS.
++       */
++      curr_class = rq->curr->sched_class;
++      update_rt_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &rt_sched_class);
++      update_dl_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &dl_sched_class);
++      update_irq_load_avg(rq, 0);
++
++      /* Don't need periodic decay once load/util_avg are null */
++      if (others_have_blocked(rq))
++              done = false;
++
+       /*
+        * Iterates the task_group tree in a bottom up fashion, see
+        * list_add_leaf_cfs_rq() for details.
+@@ -7557,14 +7570,6 @@ static void update_blocked_averages(int cpu)
+                       done = false;
+       }
+-      curr_class = rq->curr->sched_class;
+-      update_rt_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &rt_sched_class);
+-      update_dl_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &dl_sched_class);
+-      update_irq_load_avg(rq, 0);
+-      /* Don't need periodic decay once load/util_avg are null */
+-      if (others_have_blocked(rq))
+-              done = false;
+-
+       update_blocked_load_status(rq, !done);
+       rq_unlock_irqrestore(rq, &rf);
+ }
+@@ -7625,12 +7630,18 @@ static inline void update_blocked_averages(int cpu)
+       rq_lock_irqsave(rq, &rf);
+       update_rq_clock(rq);
+-      update_cfs_rq_load_avg(cfs_rq_clock_pelt(cfs_rq), cfs_rq);
++      /*
++       * update_cfs_rq_load_avg() can call cpufreq_update_util(). Make sure
++       * that RT, DL and IRQ signals have been updated before updating CFS.
++       */
+       curr_class = rq->curr->sched_class;
+       update_rt_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &rt_sched_class);
+       update_dl_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &dl_sched_class);
+       update_irq_load_avg(rq, 0);
++
++      update_cfs_rq_load_avg(cfs_rq_clock_pelt(cfs_rq), cfs_rq);
++
+       update_blocked_load_status(rq, cfs_rq_has_blocked(cfs_rq) || others_have_blocked(rq));
+       rq_unlock_irqrestore(rq, &rf);
+ }
+-- 
+2.20.1
+
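Review bot: The RT/DL/IRQ update sequence and its explanatory comment now appear twice, once in each variant of update_blocked_averages(), and the fix depends on both copies staying ahead of the CFS update. Pulling the sequence into one static helper that both variants call first would keep the ordering in a single place; the helper name below is only a suggestion. Both function bodies start outside their hunks, so the `curr_class` local in each caller would have to be removed by hand.

```c
static void update_blocked_others(struct rq *rq)
{
	const struct sched_class *curr_class = rq->curr->sched_class;

	/* Must run before update_cfs_rq_load_avg(), which can call cpufreq_update_util(). */
	update_rt_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &rt_sched_class);
	update_dl_rq_load_avg(rq_clock_pelt(rq), rq, curr_class == &dl_sched_class);
	update_irq_load_avg(rq, 0);
}

/* … unchanged: rq_lock_irqsave() and update_rq_clock() in each update_blocked_averages() … */
	update_blocked_others(rq);
/* … unchanged: others_have_blocked() check and the CFS update … */
```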
diff --git a/queue-5.3/selftests-kvm-fix-build-with-glibc-2.30.patch b/queue-5.3/selftests-kvm-fix-build-with-glibc-2.30.patch
new file mode 100644 (file)
index 0000000..eed2b5a
--- /dev/null
@@ -0,0 +1,56 @@
+From 8fec72f54425be633ba979e86172b9ee70f0ff05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 13:51:15 +0100
+Subject: selftests: kvm: fix build with glibc >= 2.30
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit e37f9f139f62deddff90c7298ae3a85026a71067 ]
+
+Glibc-2.30 gained gettid() wrapper, selftests fail to compile:
+
+lib/assert.c:58:14: error: static declaration of ‘gettid’ follows non-static declaration
+   58 | static pid_t gettid(void)
+      |              ^~~~~~
+In file included from /usr/include/unistd.h:1170,
+                 from include/test_util.h:18,
+                 from lib/assert.c:10:
+/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
+   34 | extern __pid_t gettid (void) __THROW;
+      |                ^~~~~~
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/lib/assert.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/kvm/lib/assert.c b/tools/testing/selftests/kvm/lib/assert.c
+index 4911fc77d0f6a..d1cf9f6e0e6bc 100644
+--- a/tools/testing/selftests/kvm/lib/assert.c
++++ b/tools/testing/selftests/kvm/lib/assert.c
+@@ -55,7 +55,7 @@ static void test_dump_stack(void)
+ #pragma GCC diagnostic pop
+ }
+-static pid_t gettid(void)
++static pid_t _gettid(void)
+ {
+       return syscall(SYS_gettid);
+ }
+@@ -72,7 +72,7 @@ test_assert(bool exp, const char *exp_str,
+               fprintf(stderr, "==== Test Assertion Failure ====\n"
+                       "  %s:%u: %s\n"
+                       "  pid=%d tid=%d - %s\n",
+-                      file, line, exp_str, getpid(), gettid(),
++                      file, line, exp_str, getpid(), _gettid(),
+                       strerror(errno));
+               test_dump_stack();
+               if (fmt) {
+-- 
+2.20.1
+
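Review bot: `_gettid` is a file-scope identifier that begins with an underscore, and the C standard reserves such names for the implementation at file scope. The rename therefore trades the clash with glibc 2.30 for a name a future libc is free to claim. A test-prefixed name avoids both, for example `static pid_t test_gettid(void)` with the call in test_assert() changed to `test_gettid()`. test_assert() begins and ends outside the second hunk.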
index 16fa615056aa84ec1eff1aa7a3cbaa75e8a8a010..934caf0bddec7d0f7751d974669c1c1ee04c395c 100644 (file)
@@ -11,3 +11,33 @@ serial-pl011-fix-dma-flush_buffer.patch
 serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
 serial-stm32-fix-clearing-interrupt-error-flags.patch
 serial-ifx6x60-add-missed-pm_runtime_disable.patch
+aio-fix-io_pgetevents-struct-__compat_aio_sigset-lay.patch
+autofs-fix-a-leak-in-autofs_expire_indirect.patch
+mips-sgi-ip27-fix-exception-handler-replication.patch
+rdma-hns-correct-the-value-of-hns_roce_hem_chunk_len.patch
+rdma-hns-correct-the-value-of-srq_desc_size.patch
+iwlwifi-pcie-don-t-consider-iv-len-in-a-msdu.patch
+cgroup-don-t-put-err_ptr-into-fc-root.patch
+exportfs_decode_fh-negative-pinned-may-become-positi.patch
+audit_get_nd-don-t-unlock-parent-too-early.patch
+ecryptfs-fix-unlink-and-rmdir-in-face-of-underlying-.patch
+alsa-hda-add-cometlake-s-pci-id.patch
+nfc-nxp-nci-fix-null-pointer-dereference-after-i2c-c.patch
+xfrm-release-device-reference-for-invalid-state.patch
+block-check-bi_size-overflow-before-merge.patch
+input-cyttsp4_core-fix-use-after-free-bug.patch
+sched-core-avoid-spurious-lock-dependencies.patch
+sched-pelt-fix-update-of-blocked-pelt-ordering.patch
+perf-core-consistently-fail-fork-on-allocation-failu.patch
+alsa-pcm-fix-stream-lock-usage-in-snd_pcm_period_ela.patch
+x86-resctrl-fix-potential-lockdep-warning.patch
+drm-sun4i-tcon-set-min-division-of-tcon0_dclk-to-1.patch
+selftests-kvm-fix-build-with-glibc-2.30.patch
+rbd-silence-bogus-uninitialized-warning-in-rbd_objec.patch
+rsxx-add-missed-destroy_workqueue-calls-in-remove.patch
+ravb-implement-mtu-change-while-device-is-up.patch
+net-hns3-reallocate-ssu-buffer-size-when-pfc_en-chan.patch
+net-hns3-fix-ets-bandwidth-validation-bug.patch
+afs-fix-race-in-commit-bulk-status-fetch.patch
+net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch
+i2c-core-fix-use-after-free-in-of_i2c_notify.patch
diff --git a/queue-5.3/x86-resctrl-fix-potential-lockdep-warning.patch b/queue-5.3/x86-resctrl-fix-potential-lockdep-warning.patch
new file mode 100644 (file)
index 0000000..710b3a4
--- /dev/null
@@ -0,0 +1,71 @@
+From 221e620f37324c9341695c417c6e9e53df992371 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 06:36:36 +0800
+Subject: x86/resctrl: Fix potential lockdep warning
+
+From: Xiaochen Shen <xiaochen.shen@intel.com>
+
+[ Upstream commit c8eafe1495303bfd0eedaa8156b1ee9082ee9642 ]
+
+rdtgroup_cpus_write() and mkdir_rdt_prepare() call
+rdtgroup_kn_lock_live() -> kernfs_to_rdtgroup() to get 'rdtgrp', and
+then call the rdt_last_cmd_{clear,puts,...}() functions which will check
+if rdtgroup_mutex is held/requires its caller to hold rdtgroup_mutex.
+
+But if 'rdtgrp' returned from kernfs_to_rdtgroup() is NULL,
+rdtgroup_mutex is not held and calling rdt_last_cmd_{clear,puts,...}()
+will result in a self-incurred, potential lockdep warning.
+
+Remove the rdt_last_cmd_{clear,puts,...}() calls in these two paths.
+Just returning error should be sufficient to report to the user that the
+entry doesn't exist any more.
+
+ [ bp: Massage. ]
+
+Fixes: 94457b36e8a5 ("x86/intel_rdt: Add diagnostics when writing the cpus file")
+Fixes: cfd0f34e4cd5 ("x86/intel_rdt: Add diagnostics when making directories")
+Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Fenghua Yu <fenghua.yu@intel.com>
+Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: pei.p.jia@intel.com
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/1573079796-11713-1-git-send-email-xiaochen.shen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+index a46dee8e78db4..2e3b06d6bbc6d 100644
+--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+@@ -461,10 +461,8 @@ static ssize_t rdtgroup_cpus_write(struct kernfs_open_file *of,
+       }
+       rdtgrp = rdtgroup_kn_lock_live(of->kn);
+-      rdt_last_cmd_clear();
+       if (!rdtgrp) {
+               ret = -ENOENT;
+-              rdt_last_cmd_puts("Directory was removed\n");
+               goto unlock;
+       }
+@@ -2648,10 +2646,8 @@ static int mkdir_rdt_prepare(struct kernfs_node *parent_kn,
+       int ret;
+       prdtgrp = rdtgroup_kn_lock_live(prgrp_kn);
+-      rdt_last_cmd_clear();
+       if (!prdtgrp) {
+               ret = -ENODEV;
+-              rdt_last_cmd_puts("Directory was removed\n");
+               goto out_unlock;
+       }
+-- 
+2.20.1
+
diff --git a/queue-5.3/xfrm-release-device-reference-for-invalid-state.patch b/queue-5.3/xfrm-release-device-reference-for-invalid-state.patch
new file mode 100644 (file)
index 0000000..248a0d8
--- /dev/null
@@ -0,0 +1,62 @@
+From 8d2ca75329373d196e928c3de4ea0d52d3852d31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2019 15:05:46 -0800
+Subject: xfrm: release device reference for invalid state
+
+From: Xiaodong Xu <stid.smth@gmail.com>
+
+[ Upstream commit 4944a4b1077f74d89073624bd286219d2fcbfce3 ]
+
+An ESP packet could be decrypted in async mode if the input handler for
+this packet returns -EINPROGRESS in xfrm_input(). At this moment the device
+reference in skb is held. Later xfrm_input() will be invoked again to
+resume the processing.
+If the transform state is still valid it would continue to release the
+device reference and there won't be a problem; however if the transform
+state is not valid when async resumption happens, the packet will be
+dropped while the device reference is still being held.
+When the device is deleted for some reason and the reference to this
+device is not properly released, the kernel will keep logging like:
+
+unregister_netdevice: waiting for ppp2 to become free. Usage count = 1
+
+The issue is observed when running IPsec traffic over a PPPoE device based
+on a bridge interface. By terminating the PPPoE connection on the server
+end for multiple times, the PPPoE device on the client side will eventually
+get stuck on the above warning message.
+
+This patch will check the async mode first and continue to release device
+reference in async resumption, before it is dropped due to invalid state.
+
+v2: Do not assign address family from outer_mode in the transform if the
+state is invalid
+
+v3: Release device reference in the error path instead of jumping to resume
+
+Fixes: 4ce3dbe397d7b ("xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)")
+Signed-off-by: Xiaodong Xu <stid.smth@gmail.com>
+Reported-by: Bo Chen <chenborfc@163.com>
+Tested-by: Bo Chen <chenborfc@163.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index 6088bc2dc11e3..fcd4b1f36e669 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -480,6 +480,9 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+                       else
+                               XFRM_INC_STATS(net,
+                                              LINUX_MIB_XFRMINSTATEINVALID);
++
++                      if (encap_type == -1)
++                              dev_put(skb->dev);
+                       goto drop;
+               }
+-- 
+2.20.1
+
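Review bot: The bare `encap_type == -1` test gives no hint that it identifies async resumption or which reference it balances. The commit cited in Fixes describes the same path as `encap_type < 0`, so it is worth confirming that the two conditions select the same packets. A comment on the new lines would carry the reasoning from the commit message into the code: `/* async resumption: drop the dev reference held across -EINPROGRESS */`. The enclosing condition and the `drop` label are outside the hunk, so whether other exits on the resumed path need the same `dev_put()` cannot be judged from here.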