--- /dev/null
+From 99a20a7771fc136525683a3ed27a5ea9f0b887ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2019 12:30:53 -0300
+Subject: cifs: Fix potential softlockups while refreshing DFS cache
+
+From: Paulo Alcantara (SUSE) <pc@cjr.nz>
+
+[ Upstream commit 84a1f5b1cc6fd7f6cd99fc5630c36f631b19fa60 ]
+
+We used to skip reconnects on all SMB2_IOCTL commands due to SMB3+
+FSCTL_VALIDATE_NEGOTIATE_INFO - which made sense since we're still
+establishing a SMB session.
+
+However, when refresh_cache_worker() calls smb2_get_dfs_refer() and
+we're under reconnect, SMB2_ioctl() will not be able to get a proper
+status error (e.g. -EHOSTDOWN in case we failed to reconnect) but an
+-EAGAIN from cifs_send_recv() thus looping forever in
+refresh_cache_worker().
+
+Fixes: e99c63e4d86d ("SMB3: Fix deadlock in validate negotiate hits reconnect")
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Suggested-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 41 +++++++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 9194f17675c89..4563699bbe6ce 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -168,7 +168,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
+ if (tcon == NULL)
+ return 0;
+
+- if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
++ if (smb2_command == SMB2_TREE_CONNECT)
+ return 0;
+
+ if (tcon->tidStatus == CifsExiting) {
+@@ -335,16 +335,9 @@ fill_small_buf(__le16 smb2_command, struct cifs_tcon *tcon, void *buf,
+ * SMB information in the SMB header. If the return code is zero, this
+ * function must have filled in request_buf pointer.
+ */
+-static int
+-smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
+- void **request_buf, unsigned int *total_len)
++static int __smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
+ {
+- int rc;
+-
+- rc = smb2_reconnect(smb2_command, tcon);
+- if (rc)
+- return rc;
+-
+ /* BB eventually switch this to SMB2 specific small buf size */
+ if (smb2_command == SMB2_SET_INFO)
+ *request_buf = cifs_buf_get();
+@@ -365,7 +358,31 @@ smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
+ cifs_stats_inc(&tcon->num_smbs_sent);
+ }
+
+- return rc;
++ return 0;
++}
++
++static int smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
++{
++ int rc;
++
++ rc = smb2_reconnect(smb2_command, tcon);
++ if (rc)
++ return rc;
++
++ return __smb2_plain_req_init(smb2_command, tcon, request_buf,
++ total_len);
++}
++
++static int smb2_ioctl_req_init(u32 opcode, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
++{
++ /* Skip reconnect only for FSCTL_VALIDATE_NEGOTIATE_INFO IOCTLs */
++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) {
++ return __smb2_plain_req_init(SMB2_IOCTL, tcon, request_buf,
++ total_len);
++ }
++ return smb2_plain_req_init(SMB2_IOCTL, tcon, request_buf, total_len);
+ }
+
+
+@@ -2386,7 +2403,7 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
+ if (!ses || !(ses->server))
+ return -EIO;
+
+- rc = smb2_plain_req_init(SMB2_IOCTL, tcon, (void **) &req, &total_len);
++ rc = smb2_ioctl_req_init(opcode, tcon, (void **) &req, &total_len);
+ if (rc)
+ return rc;
+
+--
+2.20.1
+
--- /dev/null
+From f045c89b687b8672a234a758d7a8ba3bb6b94628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 23:54:09 +0800
+Subject: firmware: arm_scmi: Avoid double free in error flow
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+[ Upstream commit 8305e90a894f82c278c17e51a28459deee78b263 ]
+
+If device_register() fails, both put_device() and kfree() are called,
+ending with a double free of the scmi_dev.
+
+Calling kfree() is needed only when a failure happens between the
+allocation of the scmi_dev and its registration, so move it to there
+and remove it from the error flow.
+
+Fixes: 46edb8d1322c ("firmware: arm_scmi: provide the mandatory device release callback")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/bus.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/bus.c b/drivers/firmware/arm_scmi/bus.c
+index 92f843eaf1e01..7a30952b463d5 100644
+--- a/drivers/firmware/arm_scmi/bus.c
++++ b/drivers/firmware/arm_scmi/bus.c
+@@ -135,8 +135,10 @@ scmi_device_create(struct device_node *np, struct device *parent, int protocol)
+ return NULL;
+
+ id = ida_simple_get(&scmi_bus_id, 1, 0, GFP_KERNEL);
+- if (id < 0)
+- goto free_mem;
++ if (id < 0) {
++ kfree(scmi_dev);
++ return NULL;
++ }
+
+ scmi_dev->id = id;
+ scmi_dev->protocol_id = protocol;
+@@ -154,8 +156,6 @@ scmi_device_create(struct device_node *np, struct device *parent, int protocol)
+ put_dev:
+ put_device(&scmi_dev->dev);
+ ida_simple_remove(&scmi_bus_id, id);
+-free_mem:
+- kfree(scmi_dev);
+ return NULL;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 03239042c96899e5e6e0c17ebcfa5db56e2b828f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 09:49:11 -0500
+Subject: gfs2: fix glock reference problem in gfs2_trans_remove_revoke
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit fe5e7ba11fcf1d75af8173836309e8562aefedef ]
+
+Commit 9287c6452d2b fixed a situation in which gfs2 could use a glock
+after it had been freed. To do that, it temporarily added a new glock
+reference by calling gfs2_glock_hold in function gfs2_add_revoke.
+However, if the bd element was removed by gfs2_trans_remove_revoke, it
+failed to drop the additional reference.
+
+This patch adds logic to gfs2_trans_remove_revoke to properly drop the
+additional glock reference.
+
+Fixes: 9287c6452d2b ("gfs2: Fix occasional glock use-after-free")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/log.c | 8 ++++++++
+ fs/gfs2/log.h | 1 +
+ fs/gfs2/lops.c | 5 +----
+ fs/gfs2/trans.c | 2 ++
+ 4 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
+index 90b5c8d0c56ac..d3f0612e33471 100644
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -613,6 +613,14 @@ void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
+ list_add(&bd->bd_list, &sdp->sd_log_le_revoke);
+ }
+
++void gfs2_glock_remove_revoke(struct gfs2_glock *gl)
++{
++ if (atomic_dec_return(&gl->gl_revokes) == 0) {
++ clear_bit(GLF_LFLUSH, &gl->gl_flags);
++ gfs2_glock_queue_put(gl);
++ }
++}
++
+ void gfs2_write_revokes(struct gfs2_sbd *sdp)
+ {
+ struct gfs2_trans *tr;
+diff --git a/fs/gfs2/log.h b/fs/gfs2/log.h
+index 20241436126da..015766cd1f5d7 100644
+--- a/fs/gfs2/log.h
++++ b/fs/gfs2/log.h
+@@ -80,6 +80,7 @@ extern void gfs2_ail1_flush(struct gfs2_sbd *sdp, struct writeback_control *wbc)
+ extern void gfs2_log_shutdown(struct gfs2_sbd *sdp);
+ extern int gfs2_logd(void *data);
+ extern void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd);
++extern void gfs2_glock_remove_revoke(struct gfs2_glock *gl);
+ extern void gfs2_write_revokes(struct gfs2_sbd *sdp);
+
+ #endif /* __LOG_DOT_H__ */
+diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
+index 8f99b395d7bf6..2b3b755ee34cd 100644
+--- a/fs/gfs2/lops.c
++++ b/fs/gfs2/lops.c
+@@ -662,10 +662,7 @@ static void revoke_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
+ bd = list_entry(head->next, struct gfs2_bufdata, bd_list);
+ list_del_init(&bd->bd_list);
+ gl = bd->bd_gl;
+- if (atomic_dec_return(&gl->gl_revokes) == 0) {
+- clear_bit(GLF_LFLUSH, &gl->gl_flags);
+- gfs2_glock_queue_put(gl);
+- }
++ gfs2_glock_remove_revoke(gl);
+ kmem_cache_free(gfs2_bufdata_cachep, bd);
+ }
+ }
+diff --git a/fs/gfs2/trans.c b/fs/gfs2/trans.c
+index 064c9a0ef0460..812b5d5978b27 100644
+--- a/fs/gfs2/trans.c
++++ b/fs/gfs2/trans.c
+@@ -266,6 +266,8 @@ void gfs2_trans_add_unrevoke(struct gfs2_sbd *sdp, u64 blkno, unsigned int len)
+ list_del_init(&bd->bd_list);
+ gfs2_assert_withdraw(sdp, sdp->sd_log_num_revoke);
+ sdp->sd_log_num_revoke--;
++ if (bd->bd_gl)
++ gfs2_glock_remove_revoke(bd->bd_gl);
+ kmem_cache_free(gfs2_bufdata_cachep, bd);
+ tr->tr_num_revoke_rm++;
+ if (--n == 0)
+--
+2.20.1
+
--- /dev/null
+From 0baf1ab8aefb7df86d3b7c11c336bca4ea911b07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2019 12:51:09 +0100
+Subject: gpiolib: acpi: Add Terra Pad 1061 to the
+ run_edge_events_on_boot_blacklist
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 2727315df3f5ffbebcb174eed3153944a858b66f ]
+
+The Terra Pad 1061 has the usual micro-USB-B id-pin handler, but instead
+of controlling the actual micro-USB-B it turns the 5V boost for the
+tablet's USB-A connector and its keyboard-cover connector off.
+
+The actual micro-USB-B connector on the tablet is wired for charging only,
+and its id pin is *not* connected to the GPIO which is used for the
+(broken) id-pin event handler in the DSDT.
+
+While at it not only add a comment why the Terra Pad 1061 is on the
+blacklist, but also fix the missing comment for the Minix Neo Z83-4 entry.
+
+Fixes: 61f7f7c8f978 ("gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-acpi.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
+index cf2604e635999..8edbb3f0c1013 100644
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -1265,11 +1265,28 @@ late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
+
+ static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = {
+ {
++ /*
++ * The Minix Neo Z83-4 has a micro-USB-B id-pin handler for
++ * a non existing micro-USB-B connector which puts the HDMI
++ * DDC pins in GPIO mode, breaking HDMI support.
++ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
+ }
+ },
++ {
++ /*
++ * The Terra Pad 1061 has a micro-USB-B id-pin handler, which
++ * instead of controlling the actual micro-USB-B turns the 5V
++ * boost for its USB-A connector off. The actual micro-USB-B
++ * connector is wired for charging only.
++ */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"),
++ }
++ },
+ {} /* Terminating entry */
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 88af704c585690dd04570439c8444e7933734287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 19:39:02 -0800
+Subject: gre: refetch erspan header from skb->data after pskb_may_pull()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 0e4940928c26527ce8f97237fef4c8a91cd34207 ]
+
+After pskb_may_pull() we should always refetch the header
+pointers from the skb->data in case it got reallocated.
+
+In gre_parse_header(), the erspan header is still fetched
+from the 'options' pointer which is fetched before
+pskb_may_pull().
+
+Found this during code review of a KMSAN bug report.
+
+Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
+Cc: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: William Tu <u9012063@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/gre_demux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
+index 511b32ea25331..0eb4bfa2332ca 100644
+--- a/net/ipv4/gre_demux.c
++++ b/net/ipv4/gre_demux.c
+@@ -132,7 +132,7 @@ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ if (!pskb_may_pull(skb, nhs + hdr_len + sizeof(*ershdr)))
+ return -EINVAL;
+
+- ershdr = (struct erspan_base_hdr *)options;
++ ershdr = (struct erspan_base_hdr *)(skb->data + nhs + hdr_len);
+ tpi->key = cpu_to_be32(get_session_id(ershdr));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 00d0d3af213b96bdd29a3cbda6b8bb9f66563a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2019 21:36:39 -0400
+Subject: idr: Fix idr_get_next_ul race with idr_remove
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 5a74ac4c4a97bd8b7dba054304d598e2a882fea6 ]
+
+Commit 5c089fd0c734 ("idr: Fix idr_get_next race with idr_remove")
+neglected to fix idr_get_next_ul(). As far as I can tell, nobody's
+actually using this interface under the RCU read lock, but fix it now
+before anybody decides to use it.
+
+Fixes: 5c089fd0c734 ("idr: Fix idr_get_next race with idr_remove")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/idr.c | 31 +++++++++++--------------------
+ 1 file changed, 11 insertions(+), 20 deletions(-)
+
+diff --git a/lib/idr.c b/lib/idr.c
+index 61383564a6c54..6ff3b1c36e0a5 100644
+--- a/lib/idr.c
++++ b/lib/idr.c
+@@ -218,7 +218,7 @@ int idr_for_each(const struct idr *idr,
+ EXPORT_SYMBOL(idr_for_each);
+
+ /**
+- * idr_get_next() - Find next populated entry.
++ * idr_get_next_ul() - Find next populated entry.
+ * @idr: IDR handle.
+ * @nextid: Pointer to an ID.
+ *
+@@ -227,7 +227,7 @@ EXPORT_SYMBOL(idr_for_each);
+ * to the ID of the found value. To use in a loop, the value pointed to by
+ * nextid must be incremented by the user.
+ */
+-void *idr_get_next(struct idr *idr, int *nextid)
++void *idr_get_next_ul(struct idr *idr, unsigned long *nextid)
+ {
+ struct radix_tree_iter iter;
+ void __rcu **slot;
+@@ -249,18 +249,14 @@ void *idr_get_next(struct idr *idr, int *nextid)
+ }
+ if (!slot)
+ return NULL;
+- id = iter.index + base;
+-
+- if (WARN_ON_ONCE(id > INT_MAX))
+- return NULL;
+
+- *nextid = id;
++ *nextid = iter.index + base;
+ return entry;
+ }
+-EXPORT_SYMBOL(idr_get_next);
++EXPORT_SYMBOL(idr_get_next_ul);
+
+ /**
+- * idr_get_next_ul() - Find next populated entry.
++ * idr_get_next() - Find next populated entry.
+ * @idr: IDR handle.
+ * @nextid: Pointer to an ID.
+ *
+@@ -269,22 +265,17 @@ EXPORT_SYMBOL(idr_get_next);
+ * to the ID of the found value. To use in a loop, the value pointed to by
+ * nextid must be incremented by the user.
+ */
+-void *idr_get_next_ul(struct idr *idr, unsigned long *nextid)
++void *idr_get_next(struct idr *idr, int *nextid)
+ {
+- struct radix_tree_iter iter;
+- void __rcu **slot;
+- unsigned long base = idr->idr_base;
+ unsigned long id = *nextid;
++ void *entry = idr_get_next_ul(idr, &id);
+
+- id = (id < base) ? 0 : id - base;
+- slot = radix_tree_iter_find(&idr->idr_rt, &iter, id);
+- if (!slot)
++ if (WARN_ON_ONCE(id > INT_MAX))
+ return NULL;
+-
+- *nextid = iter.index + base;
+- return rcu_dereference_raw(*slot);
++ *nextid = id;
++ return entry;
+ }
+-EXPORT_SYMBOL(idr_get_next_ul);
++EXPORT_SYMBOL(idr_get_next);
+
+ /**
+ * idr_replace() - replace pointer for given ID.
+--
+2.20.1
+
--- /dev/null
+From beb7262f8dd7b8cd7b34e6b9f053a897e8015df7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2019 13:19:53 +0000
+Subject: iio: imu: mpu6050: add missing available scan masks
+
+From: Jean-Baptiste Maneyrol <JManeyrol@invensense.com>
+
+[ Upstream commit 1244a720572fd1680ac8d6b8a4235f2e8557b810 ]
+
+Driver only supports 3-axis gyro and/or 3-axis accel.
+For icm20602, temp data is mandatory for all configurations.
+
+Fix all single and double axis configurations (almost never used) and more
+importantly fix 3-axis gyro and 6-axis accel+gyro buffer on icm20602 when
+temp data is not enabled.
+
+Signed-off-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+Fixes: 1615fe41a195 ("iio: imu: mpu6050: Fix FIFO layout for ICM20602")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 43 ++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+index f965026f9a746..6b560d99f3851 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+@@ -860,6 +860,25 @@ static const struct iio_chan_spec inv_mpu_channels[] = {
+ INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Z, INV_MPU6050_SCAN_ACCL_Z),
+ };
+
++static const unsigned long inv_mpu_scan_masks[] = {
++ /* 3-axis accel */
++ BIT(INV_MPU6050_SCAN_ACCL_X)
++ | BIT(INV_MPU6050_SCAN_ACCL_Y)
++ | BIT(INV_MPU6050_SCAN_ACCL_Z),
++ /* 3-axis gyro */
++ BIT(INV_MPU6050_SCAN_GYRO_X)
++ | BIT(INV_MPU6050_SCAN_GYRO_Y)
++ | BIT(INV_MPU6050_SCAN_GYRO_Z),
++ /* 6-axis accel + gyro */
++ BIT(INV_MPU6050_SCAN_ACCL_X)
++ | BIT(INV_MPU6050_SCAN_ACCL_Y)
++ | BIT(INV_MPU6050_SCAN_ACCL_Z)
++ | BIT(INV_MPU6050_SCAN_GYRO_X)
++ | BIT(INV_MPU6050_SCAN_GYRO_Y)
++ | BIT(INV_MPU6050_SCAN_GYRO_Z),
++ 0,
++};
++
+ static const struct iio_chan_spec inv_icm20602_channels[] = {
+ IIO_CHAN_SOFT_TIMESTAMP(INV_ICM20602_SCAN_TIMESTAMP),
+ {
+@@ -886,6 +905,28 @@ static const struct iio_chan_spec inv_icm20602_channels[] = {
+ INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Z, INV_ICM20602_SCAN_ACCL_Z),
+ };
+
++static const unsigned long inv_icm20602_scan_masks[] = {
++ /* 3-axis accel + temp (mandatory) */
++ BIT(INV_ICM20602_SCAN_ACCL_X)
++ | BIT(INV_ICM20602_SCAN_ACCL_Y)
++ | BIT(INV_ICM20602_SCAN_ACCL_Z)
++ | BIT(INV_ICM20602_SCAN_TEMP),
++ /* 3-axis gyro + temp (mandatory) */
++ BIT(INV_ICM20602_SCAN_GYRO_X)
++ | BIT(INV_ICM20602_SCAN_GYRO_Y)
++ | BIT(INV_ICM20602_SCAN_GYRO_Z)
++ | BIT(INV_ICM20602_SCAN_TEMP),
++ /* 6-axis accel + gyro + temp (mandatory) */
++ BIT(INV_ICM20602_SCAN_ACCL_X)
++ | BIT(INV_ICM20602_SCAN_ACCL_Y)
++ | BIT(INV_ICM20602_SCAN_ACCL_Z)
++ | BIT(INV_ICM20602_SCAN_GYRO_X)
++ | BIT(INV_ICM20602_SCAN_GYRO_Y)
++ | BIT(INV_ICM20602_SCAN_GYRO_Z)
++ | BIT(INV_ICM20602_SCAN_TEMP),
++ 0,
++};
++
+ /*
+ * The user can choose any frequency between INV_MPU6050_MIN_FIFO_RATE and
+ * INV_MPU6050_MAX_FIFO_RATE, but only these frequencies are matched by the
+@@ -1090,9 +1131,11 @@ int inv_mpu_core_probe(struct regmap *regmap, int irq, const char *name,
+ if (chip_type == INV_ICM20602) {
+ indio_dev->channels = inv_icm20602_channels;
+ indio_dev->num_channels = ARRAY_SIZE(inv_icm20602_channels);
++ indio_dev->available_scan_masks = inv_icm20602_scan_masks;
+ } else {
+ indio_dev->channels = inv_mpu_channels;
+ indio_dev->num_channels = ARRAY_SIZE(inv_mpu_channels);
++ indio_dev->available_scan_masks = inv_mpu_scan_masks;
+ }
+
+ indio_dev->info = &mpu_info;
+--
+2.20.1
+
--- /dev/null
+From b25fb643080e4679ee49fc9be1f07cd567748839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 12:29:50 +0300
+Subject: kernel/module.c: wakeup processes in module_wq on module unload
+
+From: Konstantin Khorenko <khorenko@virtuozzo.com>
+
+[ Upstream commit 5d603311615f612320bb77bd2a82553ef1ced5b7 ]
+
+Fix the race between load and unload a kernel module.
+
+sys_delete_module()
+ try_stop_module()
+ mod->state = _GOING
+ add_unformed_module()
+ old = find_module_all()
+ (old->state == _GOING =>
+ wait_event_interruptible())
+
+ During pre-condition
+ finished_loading() rets 0
+ schedule()
+ (never gets waken up later)
+ free_module()
+ mod->state = _UNFORMED
+ list_del_rcu(&mod->list)
+ (dels mod from "modules" list)
+
+return
+
+The race above leads to modprobe hanging forever on loading
+a module.
+
+Error paths on loading module call wake_up_all(&module_wq) after
+freeing module, so let's do the same on straight module unload.
+
+Fixes: 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for modules that have finished loading")
+Reviewed-by: Prarit Bhargava <prarit@redhat.com>
+Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/module.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 8257110bf599c..d3aaec62c1423 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1021,6 +1021,8 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
+ strlcpy(last_unloaded_module, mod->name, sizeof(last_unloaded_module));
+
+ free_module(mod);
++ /* someone could wait for the module in add_unformed_module() */
++ wake_up_all(&module_wq);
+ return 0;
+ out:
+ mutex_unlock(&module_mutex);
+--
+2.20.1
+
--- /dev/null
+From de8ec7f7a0d0081ce67fe95292394c307e1e8e7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 09:01:42 +0200
+Subject: leds: trigger: netdev: fix handling on interface rename
+
+From: Martin Schiller <ms@dev.tdt.de>
+
+[ Upstream commit 5f820ed52371b4f5d8c43c93f03408d0dbc01e5b ]
+
+The NETDEV_CHANGENAME code is not "unneeded" like it is stated in commit
+4cb6560514fa ("leds: trigger: netdev: fix refcnt leak on interface
+rename").
+
+The event was accidentally misinterpreted equivalent to
+NETDEV_UNREGISTER, but should be equivalent to NETDEV_REGISTER.
+
+This was the case in the original code from the openwrt project.
+
+Otherwise, you are unable to set netdev led triggers for (non-existent)
+netdevices, which has to be renamed. This is the case, for example, for
+ppp interfaces in openwrt.
+
+Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger")
+Fixes: 4cb6560514fa ("leds: trigger: netdev: fix refcnt leak on interface rename")
+Signed-off-by: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/trigger/ledtrig-netdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c
+index 136f86a1627d1..d5e774d830215 100644
+--- a/drivers/leds/trigger/ledtrig-netdev.c
++++ b/drivers/leds/trigger/ledtrig-netdev.c
+@@ -302,10 +302,12 @@ static int netdev_trig_notify(struct notifier_block *nb,
+ container_of(nb, struct led_netdev_data, notifier);
+
+ if (evt != NETDEV_UP && evt != NETDEV_DOWN && evt != NETDEV_CHANGE
+- && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER)
++ && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER
++ && evt != NETDEV_CHANGENAME)
+ return NOTIFY_DONE;
+
+ if (!(dev == trigger_data->net_dev ||
++ (evt == NETDEV_CHANGENAME && !strcmp(dev->name, trigger_data->device_name)) ||
+ (evt == NETDEV_REGISTER && !strcmp(dev->name, trigger_data->device_name))))
+ return NOTIFY_DONE;
+
+@@ -315,6 +317,7 @@ static int netdev_trig_notify(struct notifier_block *nb,
+
+ clear_bit(NETDEV_LED_MODE_LINKUP, &trigger_data->mode);
+ switch (evt) {
++ case NETDEV_CHANGENAME:
+ case NETDEV_REGISTER:
+ if (trigger_data->net_dev)
+ dev_put(trigger_data->net_dev);
+--
+2.20.1
+
--- /dev/null
+From 25c4ea990f08c80561e2c320695fe6d589cbe511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 10:30:22 +0200
+Subject: net/mlx5e: Fix SFF 8472 eeprom length
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit c431f8597863a91eea6024926e0c1b179cfa4852 ]
+
+SFF 8472 eeprom length is 512 bytes. Fix module info return value to
+support 512 bytes read.
+
+Fixes: ace329f4ab3b ("net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Reviewed-by: Aya Levin <ayal@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index 10d72c83714db..a383276eb816a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1320,7 +1320,7 @@ static int mlx5e_get_module_info(struct net_device *netdev,
+ break;
+ case MLX5_MODULE_ID_SFP:
+ modinfo->type = ETH_MODULE_SFF_8472;
+- modinfo->eeprom_len = MLX5_EEPROM_PAGE_LENGTH;
++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
+ break;
+ default:
+ netdev_err(priv->netdev, "%s: cable type not recognized:0x%x\n",
+--
+2.20.1
+
--- /dev/null
+From 5b65239660b6402faf86ebef957a574106e276c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 13:16:56 -0600
+Subject: of: overlay: add_changeset_property() memory leak
+
+From: Frank Rowand <frank.rowand@sony.com>
+
+[ Upstream commit 637392a8506a3a7dd24ab9094a14f7522adb73b4 ]
+
+No changeset entries are created for #address-cells and #size-cells
+properties, but the duplicated properties are never freed. This
+results in a memory leak which is detected by kmemleak:
+
+ unreferenced object 0x85887180 (size 64):
+ backtrace:
+ kmem_cache_alloc_trace+0x1fb/0x1fc
+ __of_prop_dup+0x25/0x7c
+ add_changeset_property+0x17f/0x370
+ build_changeset_next_level+0x29/0x20c
+ of_overlay_fdt_apply+0x32b/0x6b4
+ ...
+
+Fixes: 6f75118800ac ("of: overlay: validate overlay properties #address-cells and #size-cells")
+Reported-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Tested-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/overlay.c | 37 ++++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
+index 2edb59039b5f5..514528b3566ff 100644
+--- a/drivers/of/overlay.c
++++ b/drivers/of/overlay.c
+@@ -305,7 +305,6 @@ static int add_changeset_property(struct overlay_changeset *ovcs,
+ {
+ struct property *new_prop = NULL, *prop;
+ int ret = 0;
+- bool check_for_non_overlay_node = false;
+
+ if (target->in_livetree)
+ if (!of_prop_cmp(overlay_prop->name, "name") ||
+@@ -318,6 +317,25 @@ static int add_changeset_property(struct overlay_changeset *ovcs,
+ else
+ prop = NULL;
+
++ if (prop) {
++ if (!of_prop_cmp(prop->name, "#address-cells")) {
++ if (!of_prop_val_eq(prop, overlay_prop)) {
++ pr_err("ERROR: changing value of #address-cells is not allowed in %pOF\n",
++ target->np);
++ ret = -EINVAL;
++ }
++ return ret;
++
++ } else if (!of_prop_cmp(prop->name, "#size-cells")) {
++ if (!of_prop_val_eq(prop, overlay_prop)) {
++ pr_err("ERROR: changing value of #size-cells is not allowed in %pOF\n",
++ target->np);
++ ret = -EINVAL;
++ }
++ return ret;
++ }
++ }
++
+ if (is_symbols_prop) {
+ if (prop)
+ return -EINVAL;
+@@ -330,33 +348,18 @@ static int add_changeset_property(struct overlay_changeset *ovcs,
+ return -ENOMEM;
+
+ if (!prop) {
+- check_for_non_overlay_node = true;
+ if (!target->in_livetree) {
+ new_prop->next = target->np->deadprops;
+ target->np->deadprops = new_prop;
+ }
+ ret = of_changeset_add_property(&ovcs->cset, target->np,
+ new_prop);
+- } else if (!of_prop_cmp(prop->name, "#address-cells")) {
+- if (!of_prop_val_eq(prop, new_prop)) {
+- pr_err("ERROR: changing value of #address-cells is not allowed in %pOF\n",
+- target->np);
+- ret = -EINVAL;
+- }
+- } else if (!of_prop_cmp(prop->name, "#size-cells")) {
+- if (!of_prop_val_eq(prop, new_prop)) {
+- pr_err("ERROR: changing value of #size-cells is not allowed in %pOF\n",
+- target->np);
+- ret = -EINVAL;
+- }
+ } else {
+- check_for_non_overlay_node = true;
+ ret = of_changeset_update_property(&ovcs->cset, target->np,
+ new_prop);
+ }
+
+- if (check_for_non_overlay_node &&
+- !of_node_check_flag(target->np, OF_OVERLAY))
++ if (!of_node_check_flag(target->np, OF_OVERLAY))
+ pr_err("WARNING: memory leak will occur if overlay removed, property: %pOF/%s\n",
+ target->np, new_prop->name);
+
+--
+2.20.1
+
--- /dev/null
+From f065b5bcb66814cc3d43fd3d7717c8c0335be5c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2019 02:48:04 +0100
+Subject: of: unittest: fix memory leak in attach_node_and_children
+
+From: Erhard Furtner <erhard_f@mailbox.org>
+
+[ Upstream commit 2aacace6dbbb6b6ce4e177e6c7ea901f389c0472 ]
+
+In attach_node_and_children memory is allocated for full_name via
+kasprintf. If the condition of the 1st if is not met the function
+returns early without freeing the memory. Add a kfree() to fix that.
+
+This has been detected with kmemleak:
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=205327
+
+It looks like the leak was introduced by this commit:
+Fixes: 5babefb7f7ab ("of: unittest: allow base devicetree to have symbol metadata")
+
+Signed-off-by: Erhard Furtner <erhard_f@mailbox.org>
+Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 68f52966bbc04..808571f7f6ef9 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -1133,8 +1133,10 @@ static void attach_node_and_children(struct device_node *np)
+ full_name = kasprintf(GFP_KERNEL, "%pOF", np);
+
+ if (!strcmp(full_name, "/__local_fixups__") ||
+- !strcmp(full_name, "/__fixups__"))
++ !strcmp(full_name, "/__fixups__")) {
++ kfree(full_name);
+ return;
++ }
+
+ dup = of_find_node_by_path(full_name);
+ kfree(full_name);
+--
+2.20.1
+
--- /dev/null
+From 3758aa76caa7f0bac620582e7cf68f30856edb02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 19:51:29 +0900
+Subject: PCI: rcar: Fix missing MACCTLR register setting in initialization
+ sequence
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 7c7e53e1c93df14690bd12c1f84730fef927a6f1 ]
+
+The R-Car Gen2/3 manual - available at:
+
+https://www.renesas.com/eu/en/products/microcontrollers-microprocessors/rz/rzg/rzg1m.html#documents
+
+"RZ/G Series User's Manual: Hardware" section
+
+strictly enforces the MACCTLR inizialization value - 39.3.1 - "Initial
+Setting of PCI Express":
+
+"Be sure to write the initial value (= H'80FF 0000) to MACCTLR before
+enabling PCIETCTLR.CFINIT".
+
+To avoid unexpected behavior and to match the SW initialization sequence
+guidelines, this patch programs the MACCTLR with the correct value.
+
+Note that the MACCTLR.SPCHG bit in the MACCTLR register description
+reports that "Only writing 1 is valid and writing 0 is invalid" but this
+"invalid" has to be interpreted as a write-ignore aka "ignored", not
+"prohibited".
+
+Reported-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Fixes: c25da4778803 ("PCI: rcar: Add Renesas R-Car PCIe driver")
+Fixes: be20bbcb0a8c ("PCI: rcar: Add the initialization of PCIe link in resume_noirq()")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: <stable@vger.kernel.org> # v5.2+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-rcar.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/pci/controller/pcie-rcar.c b/drivers/pci/controller/pcie-rcar.c
+index 9b9c677ad3a0b..333ab6092f174 100644
+--- a/drivers/pci/controller/pcie-rcar.c
++++ b/drivers/pci/controller/pcie-rcar.c
+@@ -93,8 +93,11 @@
+ #define LINK_SPEED_2_5GTS (1 << 16)
+ #define LINK_SPEED_5_0GTS (2 << 16)
+ #define MACCTLR 0x011058
++#define MACCTLR_NFTS_MASK GENMASK(23, 16) /* The name is from SH7786 */
+ #define SPEED_CHANGE BIT(24)
+ #define SCRAMBLE_DISABLE BIT(27)
++#define LTSMDIS BIT(31)
++#define MACCTLR_INIT_VAL (LTSMDIS | MACCTLR_NFTS_MASK)
+ #define PMSR 0x01105c
+ #define MACS2R 0x011078
+ #define MACCGSPSETR 0x011084
+@@ -615,6 +618,8 @@ static int rcar_pcie_hw_init(struct rcar_pcie *pcie)
+ if (IS_ENABLED(CONFIG_PCI_MSI))
+ rcar_pci_write_reg(pcie, 0x801f0000, PCIEMSITXR);
+
++ rcar_pci_write_reg(pcie, MACCTLR_INIT_VAL, MACCTLR);
++
+ /* Finish initialization - establish a PCI Express link */
+ rcar_pci_write_reg(pcie, CFINIT, PCIETCTLR);
+
+@@ -1237,6 +1242,7 @@ static int rcar_pcie_resume_noirq(struct device *dev)
+ return 0;
+
+ /* Re-establish the PCIe link */
++ rcar_pci_write_reg(pcie, MACCTLR_INIT_VAL, MACCTLR);
+ rcar_pci_write_reg(pcie, CFINIT, PCIETCTLR);
+ return rcar_pcie_wait_for_dl(pcie);
+ }
+--
+2.20.1
+
--- /dev/null
+From b07955b8d3876f9cb70b8a99e70a44aee0f1dc7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 16:25:38 +0200
+Subject: perf callchain: Fix segfault in thread__resolve_callchain_sample()
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit aceb98261ea7d9fe38f9c140c5531f0b13623832 ]
+
+Do not dereference 'chain' when it is NULL.
+
+ $ perf record -e intel_pt//u -e branch-misses:u uname
+ $ perf report --itrace=l --branch-history
+ perf: Segmentation fault
+
+Fixes: e9024d519d89 ("perf callchain: Honour the ordering of PERF_CONTEXT_{USER,KERNEL,etc}")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lore.kernel.org/lkml/20191114142538.4097-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index 003b70daf0bfc..21f867a543e02 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2276,7 +2276,7 @@ static int thread__resolve_callchain_sample(struct thread *thread,
+ }
+
+ check_calls:
+- if (callchain_param.order != ORDER_CALLEE) {
++ if (chain && callchain_param.order != ORDER_CALLEE) {
+ err = find_prev_cpumode(chain, thread, cursor, parent, root_al,
+ &cpumode, chain->nr - first_call);
+ if (err)
+--
+2.20.1
+
--- /dev/null
+From 902b5aed85af1061682ca007ed5f6caf0c06633c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 17:57:50 +0100
+Subject: raid5: need to set STRIPE_HANDLE for batch head
+
+From: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+
+[ Upstream commit a7ede3d16808b8f3915c8572d783530a82b2f027 ]
+
+With commit 6ce220dd2f8ea71d6afc29b9a7524c12e39f374a ("raid5: don't set
+STRIPE_HANDLE to stripe which is in batch list"), we don't want to set
+STRIPE_HANDLE flag for sh which is already in batch list.
+
+However, the stripe which is the head of batch list should set this flag,
+otherwise panic could happen inside init_stripe at BUG_ON(sh->batch_head),
+it is reproducible with raid5 on top of nvdimm devices per Xiao oberserved.
+
+Thanks for Xiao's effort to verify the change.
+
+Fixes: 6ce220dd2f8ea ("raid5: don't set STRIPE_HANDLE to stripe which is in batch list")
+Reported-by: Xiao Ni <xni@redhat.com>
+Tested-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 53c6434beda91..01021382131bc 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -5724,7 +5724,7 @@ static bool raid5_make_request(struct mddev *mddev, struct bio * bi)
+ do_flush = false;
+ }
+
+- if (!sh->batch_head)
++ if (!sh->batch_head || sh == sh->batch_head)
+ set_bit(STRIPE_HANDLE, &sh->state);
+ clear_bit(STRIPE_DELAYED, &sh->state);
+ if ((!sh->batch_head || sh == sh->batch_head) &&
+--
+2.20.1
+
--- /dev/null
+From cf2ddcbd09f8058d70cd52f5af93c451770fb014 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:54 +0300
+Subject: scsi: qla2xxx: Change discovery state before PLOGI
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 58e39a2ce4be08162c0368030cdc405f7fd849aa ]
+
+When a port sends PLOGI, discovery state should be changed to login
+pending, otherwise RELOGIN_NEEDED bit is set in
+qla24xx_handle_plogi_done_event(). RELOGIN_NEEDED triggers another PLOGI,
+and it never goes out of the loop until login timer expires.
+
+Fixes: 8777e4314d397 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine")
+Fixes: 8b5292bcfcacf ("scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag")
+Cc: Quinn Tran <qutran@marvell.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191125165702.1013-6-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index e6f3a0f5188c4..d734dcf517b92 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -433,6 +433,7 @@ int qla_post_els_plogi_work(struct scsi_qla_host *vha, fc_port_t *fcport)
+
+ e->u.fcport.fcport = fcport;
+ fcport->flags |= FCF_ASYNC_ACTIVE;
++ fcport->disc_state = DSC_LOGIN_PEND;
+ return qla2x00_post_work(vha, e);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 120e85375641d58c3a4edbc96d079d4caa53855b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2019 18:55:23 +0100
+Subject: scsi: zorro_esp: Limit DMA transfers to 65536 bytes (except on
+ Fastlane)
+
+From: Kars de Jong <jongk@linux-m68k.org>
+
+[ Upstream commit 02f7e9f351a9de95577eafdc3bd413ed1c3b589f ]
+
+When using this driver on a Blizzard 1260, there were failures whenever DMA
+transfers from the SCSI bus to memory of 65535 bytes were followed by a DMA
+transfer of 1 byte. This caused the byte at offset 65535 to be overwritten
+with 0xff. The Blizzard hardware can't handle single byte DMA transfers.
+
+Besides this issue, limiting the DMA length to something that is not a
+multiple of the page size is very inefficient on most file systems.
+
+It seems this limit was chosen because the DMA transfer counter of the ESP
+by default is 16 bits wide, thus limiting the length to 65535 bytes.
+However, the value 0 means 65536 bytes, which is handled by the ESP and the
+Blizzard just fine. It is also the default maximum used by esp_scsi when
+drivers don't provide their own dma_length_limit() function.
+
+The limit of 65536 bytes can be used by all boards except the Fastlane. The
+old driver used a limit of 65532 bytes (0xfffc), which is reintroduced in
+this patch.
+
+Fixes: b7ded0e8b0d1 ("scsi: zorro_esp: Limit DMA transfers to 65535 bytes")
+Link: https://lore.kernel.org/r/20191112175523.23145-1-jongk@linux-m68k.org
+Signed-off-by: Kars de Jong <jongk@linux-m68k.org>
+Reviewed-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/zorro_esp.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/zorro_esp.c b/drivers/scsi/zorro_esp.c
+index be79127db5946..6a5b547eae590 100644
+--- a/drivers/scsi/zorro_esp.c
++++ b/drivers/scsi/zorro_esp.c
+@@ -245,7 +245,14 @@ static int fastlane_esp_irq_pending(struct esp *esp)
+ static u32 zorro_esp_dma_length_limit(struct esp *esp, u32 dma_addr,
+ u32 dma_len)
+ {
+- return dma_len > 0xFFFF ? 0xFFFF : dma_len;
++ return dma_len > (1U << 16) ? (1U << 16) : dma_len;
++}
++
++static u32 fastlane_esp_dma_length_limit(struct esp *esp, u32 dma_addr,
++ u32 dma_len)
++{
++ /* The old driver used 0xfffc as limit, so do that here too */
++ return dma_len > 0xfffc ? 0xfffc : dma_len;
+ }
+
+ static void zorro_esp_reset_dma(struct esp *esp)
+@@ -818,7 +825,7 @@ static const struct esp_driver_ops fastlane_esp_ops = {
+ .unmap_single = zorro_esp_unmap_single,
+ .unmap_sg = zorro_esp_unmap_sg,
+ .irq_pending = fastlane_esp_irq_pending,
+- .dma_length_limit = zorro_esp_dma_length_limit,
++ .dma_length_limit = fastlane_esp_dma_length_limit,
+ .reset_dma = zorro_esp_reset_dma,
+ .dma_drain = zorro_esp_dma_drain,
+ .dma_invalidate = fastlane_esp_dma_invalidate,
+--
+2.20.1
+
s390-smp-vdso-fix-asce-handling.patch
blk-mq-make-sure-that-line-break-can-be-printed.patch
workqueue-fix-missing-kfree-rescuer-in-destroy_workqueue.patch
+perf-callchain-fix-segfault-in-thread__resolve_callc.patch
+gre-refetch-erspan-header-from-skb-data-after-pskb_m.patch
+firmware-arm_scmi-avoid-double-free-in-error-flow.patch
+sunrpc-fix-crash-when-cache_head-become-valid-before.patch
+net-mlx5e-fix-sff-8472-eeprom-length.patch
+leds-trigger-netdev-fix-handling-on-interface-rename.patch
+pci-rcar-fix-missing-macctlr-register-setting-in-ini.patch
+gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch
+of-overlay-add_changeset_property-memory-leak.patch
+kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch
+cifs-fix-potential-softlockups-while-refreshing-dfs-.patch
+gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch
+raid5-need-to-set-stripe_handle-for-batch-head.patch
+scsi-qla2xxx-change-discovery-state-before-plogi.patch
+iio-imu-mpu6050-add-missing-available-scan-masks.patch
+idr-fix-idr_get_next_ul-race-with-idr_remove.patch
+scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch
+of-unittest-fix-memory-leak-in-attach_node_and_child.patch
--- /dev/null
+From 226f98b71d629247d39a4006c4cb5086d008ee22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 11:03:59 +0300
+Subject: sunrpc: fix crash when cache_head become valid before update
+
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+
+[ Upstream commit 5fcaf6982d1167f1cd9b264704f6d1ef4c505d54 ]
+
+I was investigating a crash in our Virtuozzo7 kernel which happened in
+in svcauth_unix_set_client. I found out that we access m_client field
+in ip_map structure, which was received from sunrpc_cache_lookup (we
+have a bit older kernel, now the code is in sunrpc_cache_add_entry), and
+these field looks uninitialized (m_client == 0x74 don't look like a
+pointer) but in the cache_head in flags we see 0x1 which is CACHE_VALID.
+
+It looks like the problem appeared from our previous fix to sunrpc (1):
+commit 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued
+request")
+
+And we've also found a patch already fixing our patch (2):
+commit d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
+
+Though the crash is eliminated, I think the core of the problem is not
+completely fixed:
+
+Neil in the patch (2) makes cache_head CACHE_NEGATIVE, before
+cache_fresh_locked which was added in (1) to fix crash. These way
+cache_is_valid won't say the cache is valid anymore and in
+svcauth_unix_set_client the function cache_check will return error
+instead of 0, and we don't count entry as initialized.
+
+But it looks like we need to remove cache_fresh_locked completely in
+sunrpc_cache_lookup:
+
+In (1) we've only wanted to make cache_fresh_unlocked->cache_dequeue so
+that cache_requests with no readers also release corresponding
+cache_head, to fix their leak. We with Vasily were not sure if
+cache_fresh_locked and cache_fresh_unlocked should be used in pair or
+not, so we've guessed to use them in pair.
+
+Now we see that we don't want the CACHE_VALID bit set here by
+cache_fresh_locked, as "valid" means "initialized" and there is no
+initialization in sunrpc_cache_add_entry. Both expiry_time and
+last_refresh are not used in cache_fresh_unlocked code-path and also not
+required for the initial fix.
+
+So to conclude cache_fresh_locked was called by mistake, and we can just
+safely remove it instead of crutching it with CACHE_NEGATIVE. It looks
+ideologically better for me. Hope I don't miss something here.
+
+Here is our crash backtrace:
+[13108726.326291] BUG: unable to handle kernel NULL pointer dereference at 0000000000000074
+[13108726.326365] IP: [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.326448] PGD 0
+[13108726.326468] Oops: 0002 [#1] SMP
+[13108726.326497] Modules linked in: nbd isofs xfs loop kpatch_cumulative_81_0_r1(O) xt_physdev nfnetlink_queue bluetooth rfkill ip6table_nat nf_nat_ipv6 ip_vs_wrr ip_vs_wlc ip_vs_sh nf_conntrack_netlink ip_vs_sed ip_vs_pe_sip nf_conntrack_sip ip_vs_nq ip_vs_lc ip_vs_lblcr ip_vs_lblc ip_vs_ftp ip_vs_dh nf_nat_ftp nf_conntrack_ftp iptable_raw xt_recent nf_log_ipv6 xt_hl ip6t_rt nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_TCPMSS xt_tcpmss vxlan ip6_udp_tunnel udp_tunnel xt_statistic xt_NFLOG nfnetlink_log dummy xt_mark xt_REDIRECT nf_nat_redirect raw_diag udp_diag tcp_diag inet_diag netlink_diag af_packet_diag unix_diag rpcsec_gss_krb5 xt_addrtype ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 ebtable_nat ebtable_broute nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_raw nfsv4
+[13108726.327173] dns_resolver cls_u32 binfmt_misc arptable_filter arp_tables ip6table_filter ip6_tables devlink fuse_kio_pcs ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_nat iptable_nat nf_nat_ipv4 xt_comment nf_conntrack_ipv4 nf_defrag_ipv4 xt_wdog_tmo xt_multiport bonding xt_set xt_conntrack iptable_filter iptable_mangle kpatch(O) ebtable_filter ebt_among ebtables ip_set_hash_ip ip_set nfnetlink vfat fat skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass fuse pcspkr ses enclosure joydev sg mei_me hpwdt hpilo lpc_ich mei ipmi_si shpchp ipmi_devintf ipmi_msghandler xt_ipvs acpi_power_meter ip_vs_rr nfsv3 nfsd auth_rpcgss nfs_acl nfs lockd grace fscache nf_nat cls_fw sch_htb sch_cbq sch_sfq ip_vs em_u32 nf_conntrack tun br_netfilter veth overlay ip6_vzprivnet ip6_vznetstat ip_vznetstat
+[13108726.327817] ip_vzprivnet vziolimit vzevent vzlist vzstat vznetstat vznetdev vzmon vzdev bridge pio_kaio pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper scsi_transport_iscsi 8021q syscopyarea sysfillrect garp sysimgblt fb_sys_fops mrp stp ttm llc bnx2x crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel drm dm_multipath ghash_clmulni_intel uas aesni_intel lrw gf128mul glue_helper ablk_helper cryptd tg3 smartpqi scsi_transport_sas mdio libcrc32c i2c_core usb_storage ptp pps_core wmi sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: kpatch_cumulative_82_0_r1]
+[13108726.328403] CPU: 35 PID: 63742 Comm: nfsd ve: 51332 Kdump: loaded Tainted: G W O ------------ 3.10.0-862.20.2.vz7.73.29 #1 73.29
+[13108726.328491] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 10/02/2018
+[13108726.328554] task: ffffa0a6a41b1160 ti: ffffa0c2a74bc000 task.ti: ffffa0c2a74bc000
+[13108726.328610] RIP: 0010:[<ffffffffc01f79eb>] [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.328706] RSP: 0018:ffffa0c2a74bfd80 EFLAGS: 00010246
+[13108726.328750] RAX: 0000000000000001 RBX: ffffa0a6183ae000 RCX: 0000000000000000
+[13108726.328811] RDX: 0000000000000074 RSI: 0000000000000286 RDI: ffffa0c2a74bfcf0
+[13108726.328864] RBP: ffffa0c2a74bfe00 R08: ffffa0bab8c22960 R09: 0000000000000001
+[13108726.328916] R10: 0000000000000001 R11: 0000000000000001 R12: ffffa0a32aa7f000
+[13108726.328969] R13: ffffa0a6183afac0 R14: ffffa0c233d88d00 R15: ffffa0c2a74bfdb4
+[13108726.329022] FS: 0000000000000000(0000) GS:ffffa0e17f9c0000(0000) knlGS:0000000000000000
+[13108726.329081] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[13108726.332311] CR2: 0000000000000074 CR3: 00000026a1b28000 CR4: 00000000007607e0
+[13108726.334606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[13108726.336754] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[13108726.338908] PKRU: 00000000
+[13108726.341047] Call Trace:
+[13108726.343074] [<ffffffff8a2c78b4>] ? groups_alloc+0x34/0x110
+[13108726.344837] [<ffffffffc01f5eb4>] svc_set_client+0x24/0x30 [sunrpc]
+[13108726.346631] [<ffffffffc01f2ac1>] svc_process_common+0x241/0x710 [sunrpc]
+[13108726.348332] [<ffffffffc01f3093>] svc_process+0x103/0x190 [sunrpc]
+[13108726.350016] [<ffffffffc07d605f>] nfsd+0xdf/0x150 [nfsd]
+[13108726.351735] [<ffffffffc07d5f80>] ? nfsd_destroy+0x80/0x80 [nfsd]
+[13108726.353459] [<ffffffff8a2bf741>] kthread+0xd1/0xe0
+[13108726.355195] [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
+[13108726.356896] [<ffffffff8a9556dd>] ret_from_fork_nospec_begin+0x7/0x21
+[13108726.358577] [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
+[13108726.360240] Code: 4c 8b 45 98 0f 8e 2e 01 00 00 83 f8 fe 0f 84 76 fe ff ff 85 c0 0f 85 2b 01 00 00 49 8b 50 40 b8 01 00 00 00 48 89 93 d0 1a 00 00 <f0> 0f c1 02 83 c0 01 83 f8 01 0f 8e 53 02 00 00 49 8b 44 24 38
+[13108726.363769] RIP [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.365530] RSP <ffffa0c2a74bfd80>
+[13108726.367179] CR2: 0000000000000074
+
+Fixes: d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
+Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Acked-by: NeilBrown <neilb@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/cache.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
+index 214440c5b14ef..3a28e150b2dcd 100644
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -54,9 +54,6 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail)
+ h->last_refresh = now;
+ }
+
+-static inline int cache_is_valid(struct cache_head *h);
+-static void cache_fresh_locked(struct cache_head *head, time_t expiry,
+- struct cache_detail *detail);
+ static void cache_fresh_unlocked(struct cache_head *head,
+ struct cache_detail *detail);
+
+@@ -101,9 +98,6 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
+ if (cache_is_expired(detail, tmp)) {
+ hlist_del_init(&tmp->cache_list);
+ detail->entries --;
+- if (cache_is_valid(tmp) == -EAGAIN)
+- set_bit(CACHE_NEGATIVE, &tmp->flags);
+- cache_fresh_locked(tmp, 0, detail);
+ freeme = tmp;
+ break;
+ }
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
