--- /dev/null
+From 78b122e00fbcf957ab007a2793ae56107b8e04e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2019 11:55:29 +0100
+Subject: ARM: dts: stm32: change joystick pinctrl definition on
+ stm32mp157c-ev1
+
+From: Amelie Delaunay <amelie.delaunay@st.com>
+
+[ Upstream commit f4d6e0f79bcde7810890563bac8e0f3479fe6d03 ]
+
+Pins used for joystick are all configured as input. "push-pull" is not a
+valid setting for an input pin.
+
+Fixes: a502b343ebd0 ("pinctrl: stmfx: update pinconf settings")
+Signed-off-by: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: Amelie Delaunay <amelie.delaunay@st.com>
+Signed-off-by: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/stm32mp157c-ev1.dts | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp157c-ev1.dts b/arch/arm/boot/dts/stm32mp157c-ev1.dts
+index feb8f7727270b..541bad97248ab 100644
+--- a/arch/arm/boot/dts/stm32mp157c-ev1.dts
++++ b/arch/arm/boot/dts/stm32mp157c-ev1.dts
+@@ -206,7 +206,6 @@
+
+ joystick_pins: joystick {
+ pins = "gpio0", "gpio1", "gpio2", "gpio3", "gpio4";
+- drive-push-pull;
+ bias-pull-down;
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 76a9ddb7a0f1c96006ff186d071d18780bdada43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2019 11:12:29 +0200
+Subject: arm64: errata: Update stale comment
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 7a292b6c7c9c35afee01ce3b2248f705869d0ff1 ]
+
+Commit 73f381660959 ("arm64: Advertise mitigation of Spectre-v2, or lack
+thereof") renamed the caller of the install_bp_hardening_cb() function
+but forgot to update a comment, which can be confusing when trying to
+follow the code flow.
+
+Fixes: 73f381660959 ("arm64: Advertise mitigation of Spectre-v2, or lack thereof")
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/cpu_errata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
+index ed4c2f28f1576..169549f939e25 100644
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -129,8 +129,8 @@ static void install_bp_hardening_cb(bp_hardening_cb_t fn,
+ int cpu, slot = -1;
+
+ /*
+- * enable_smccc_arch_workaround_1() passes NULL for the hyp_vecs
+- * start/end if we're a guest. Skip the hyp-vectors work.
++ * detect_harden_bp_fw() passes NULL for the hyp_vecs start/end if
++ * we're a guest. Skip the hyp-vectors work.
+ */
+ if (!hyp_vecs_start) {
+ __this_cpu_write(bp_hardening_data.fn, fn);
+--
+2.20.1
+
--- /dev/null
+From 6e43ac5d72556976c329b84d5511b9bebae4dffc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 17:15:38 -0500
+Subject: ASoC: SOF: Intel: hda-stream: fix the CONFIG_ prefix missing
+
+From: Keyon Jie <yang.jie@linux.intel.com>
+
+[ Upstream commit f792bd173a6fd51d1a4dde04263085ce67486aa3 ]
+
+We are missing the 'CONFIG_' prefix when using the kernel configure item
+SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1, here correct them.
+
+Fixes: 43b2ab9009b13b ('ASoC: SOF: Intel: hda: Disable DMI L1 entry during capture')
+Signed-off-by: Keyon Jie <yang.jie@linux.intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20191025221538.6668-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda-stream.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/intel/hda-stream.c b/sound/soc/sof/intel/hda-stream.c
+index 2c74471884025..0c11fceb28a7a 100644
+--- a/sound/soc/sof/intel/hda-stream.c
++++ b/sound/soc/sof/intel/hda-stream.c
+@@ -190,7 +190,7 @@ hda_dsp_stream_get(struct snd_sof_dev *sdev, int direction)
+ * Workaround to address a known issue with host DMA that results
+ * in xruns during pause/release in capture scenarios.
+ */
+- if (!IS_ENABLED(SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1))
++ if (!IS_ENABLED(CONFIG_SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1))
+ if (stream && direction == SNDRV_PCM_STREAM_CAPTURE)
+ snd_sof_dsp_update_bits(sdev, HDA_DSP_HDA_BAR,
+ HDA_VS_INTEL_EM2,
+@@ -228,7 +228,7 @@ int hda_dsp_stream_put(struct snd_sof_dev *sdev, int direction, int stream_tag)
+ spin_unlock_irq(&bus->reg_lock);
+
+ /* Enable DMI L1 entry if there are no capture streams open */
+- if (!IS_ENABLED(SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1))
++ if (!IS_ENABLED(CONFIG_SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1))
+ if (!active_capture_stream)
+ snd_sof_dsp_update_bits(sdev, HDA_DSP_HDA_BAR,
+ HDA_VS_INTEL_EM2,
+--
+2.20.1
+
--- /dev/null
+From fb62b84e97715d7ef8d26606f5cd096931bf2f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 09:12:32 +0000
+Subject: bonding: fix using uninitialized mode_lock
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit ad9bd8daf2f9938572b0604e1280fefa8f338581 ]
+
+When a bonding interface is being created, it setups its mode and options.
+At that moment, it uses mode_lock so mode_lock should be initialized
+before that moment.
+
+rtnl_newlink()
+ rtnl_create_link()
+ alloc_netdev_mqs()
+ ->setup() //bond_setup()
+ ->newlink //bond_newlink
+ bond_changelink()
+ register_netdevice()
+ ->ndo_init() //bond_init()
+
+After commit 089bca2caed0 ("bonding: use dynamic lockdep key instead of
+subclass"), mode_lock is initialized in bond_init().
+So in the bond_changelink(), un-initialized mode_lock can be used.
+mode_lock should be initialized in bond_setup().
+This patch partially reverts commit 089bca2caed0 ("bonding: use dynamic
+lockdep key instead of subclass")
+
+Test command:
+ ip link add bond0 type bond mode 802.3ad lacp_rate 0
+
+Splat looks like:
+[ 60.615127] INFO: trying to register non-static key.
+[ 60.615900] the code is fine but needs lockdep annotation.
+[ 60.616697] turning off the locking correctness validator.
+[ 60.617490] CPU: 1 PID: 957 Comm: ip Not tainted 5.4.0-rc3+ #109
+[ 60.618350] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 60.619481] Call Trace:
+[ 60.619918] dump_stack+0x7c/0xbb
+[ 60.620453] register_lock_class+0x1215/0x14d0
+[ 60.621131] ? alloc_netdev_mqs+0x7b3/0xcc0
+[ 60.621771] ? is_bpf_text_address+0x86/0xf0
+[ 60.622416] ? is_dynamic_key+0x230/0x230
+[ 60.623032] ? unwind_get_return_address+0x5f/0xa0
+[ 60.623757] ? create_prof_cpu_mask+0x20/0x20
+[ 60.624408] ? arch_stack_walk+0x83/0xb0
+[ 60.625023] __lock_acquire+0xd8/0x3de0
+[ 60.625616] ? stack_trace_save+0x82/0xb0
+[ 60.626225] ? stack_trace_consume_entry+0x160/0x160
+[ 60.626957] ? deactivate_slab.isra.80+0x2c5/0x800
+[ 60.627668] ? register_lock_class+0x14d0/0x14d0
+[ 60.628380] ? alloc_netdev_mqs+0x7b3/0xcc0
+[ 60.629020] ? save_stack+0x69/0x80
+[ 60.629574] ? save_stack+0x19/0x80
+[ 60.630121] ? __kasan_kmalloc.constprop.4+0xa0/0xd0
+[ 60.630859] ? __kmalloc_node+0x16f/0x480
+[ 60.631472] ? alloc_netdev_mqs+0x7b3/0xcc0
+[ 60.632121] ? rtnl_create_link+0x2ed/0xad0
+[ 60.634388] ? __rtnl_newlink+0xad4/0x11b0
+[ 60.635024] lock_acquire+0x164/0x3b0
+[ 60.635608] ? bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
+[ 60.636463] _raw_spin_lock_bh+0x38/0x70
+[ 60.637084] ? bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
+[ 60.637930] bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
+[ 60.638753] ? bond_3ad_lacpdu_recv+0xb30/0xb30 [bonding]
+[ 60.639552] ? bond_opt_get_val+0x180/0x180 [bonding]
+[ 60.640307] ? ___slab_alloc+0x5aa/0x610
+[ 60.640925] bond_option_lacp_rate_set+0x71/0x140 [bonding]
+[ 60.641751] __bond_opt_set+0x1ff/0xbb0 [bonding]
+[ 60.643217] ? kasan_unpoison_shadow+0x30/0x40
+[ 60.643924] bond_changelink+0x9a4/0x1700 [bonding]
+[ 60.644653] ? memset+0x1f/0x40
+[ 60.742941] ? bond_slave_changelink+0x1a0/0x1a0 [bonding]
+[ 60.752694] ? alloc_netdev_mqs+0x8ea/0xcc0
+[ 60.753330] ? rtnl_create_link+0x2ed/0xad0
+[ 60.753964] bond_newlink+0x1e/0x60 [bonding]
+[ 60.754612] __rtnl_newlink+0xb9f/0x11b0
+[ ... ]
+
+Reported-by: syzbot+8da67f407bcba2c72e6e@syzkaller.appspotmail.com
+Reported-by: syzbot+0d083911ab18b710da71@syzkaller.appspotmail.com
+Fixes: 089bca2caed0 ("bonding: use dynamic lockdep key instead of subclass")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index c3df99f8c3835..8550822095be6 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4297,6 +4297,7 @@ void bond_setup(struct net_device *bond_dev)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+
++ spin_lock_init(&bond->mode_lock);
+ bond->params = bonding_defaults;
+
+ /* Initialize pointers */
+@@ -4772,7 +4773,6 @@ static int bond_init(struct net_device *bond_dev)
+ bond->nest_level = SINGLE_DEPTH_NESTING;
+ netdev_lockdep_set_classes(bond_dev);
+
+- spin_lock_init(&bond->mode_lock);
+ spin_lock_init(&bond->stats_lock);
+ lockdep_register_key(&bond->stats_lock_key);
+ lockdep_set_class(&bond->stats_lock, &bond->stats_lock_key);
+--
+2.20.1
+
--- /dev/null
+From 3bcba9a4421a682c0ce3423938dc8ed3ce4981ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Sep 2019 16:11:22 -0400
+Subject: net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run
+
+From: Juliet Kim <julietk@linux.vnet.ibm.com>
+
+[ Upstream commit b27507bb59ed504d7fa4d6a35f25a8cc39903b54 ]
+
+Commit a5681e20b541 ("net/ibmnvic: Fix deadlock problem in reset")
+made the change to hold the RTNL lock during a reset to avoid deadlock
+but linkwatch_event is fired during the reset and needs the RTNL lock.
+That keeps linkwatch_event process from proceeding until the reset
+is complete. The reset process cannot tolerate the linkwatch_event
+processing after reset completes, so release the RTNL lock during the
+process to allow a chance for linkwatch_event to run during reset.
+This does not guarantee that the linkwatch_event will be processed as
+soon as link state changes, but is an improvement over the current code
+where linkwatch_event processing is always delayed, which prevents
+transmissions on the device from being deactivated leading transmit
+watchdog timer to time-out.
+
+Release the RTNL lock before link state change and re-acquire after
+the link state change to allow linkwatch_event to grab the RTNL lock
+and run during the reset.
+
+Fixes: a5681e20b541 ("net/ibmnvic: Fix deadlock problem in reset")
+Signed-off-by: Juliet Kim <julietk@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 224 ++++++++++++++++++++---------
+ drivers/net/ethernet/ibm/ibmvnic.h | 1 +
+ 2 files changed, 157 insertions(+), 68 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 964e7d62f4b13..5ef7704cd98d8 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1723,6 +1723,86 @@ static int ibmvnic_set_mac(struct net_device *netdev, void *p)
+ return rc;
+ }
+
++/**
++ * do_change_param_reset returns zero if we are able to keep processing reset
++ * events, or non-zero if we hit a fatal error and must halt.
++ */
++static int do_change_param_reset(struct ibmvnic_adapter *adapter,
++ struct ibmvnic_rwi *rwi,
++ u32 reset_state)
++{
++ struct net_device *netdev = adapter->netdev;
++ int i, rc;
++
++ netdev_dbg(adapter->netdev, "Change param resetting driver (%d)\n",
++ rwi->reset_reason);
++
++ netif_carrier_off(netdev);
++ adapter->reset_reason = rwi->reset_reason;
++
++ ibmvnic_cleanup(netdev);
++
++ if (reset_state == VNIC_OPEN) {
++ rc = __ibmvnic_close(netdev);
++ if (rc)
++ return rc;
++ }
++
++ release_resources(adapter);
++ release_sub_crqs(adapter, 1);
++ release_crq_queue(adapter);
++
++ adapter->state = VNIC_PROBED;
++
++ rc = init_crq_queue(adapter);
++
++ if (rc) {
++ netdev_err(adapter->netdev,
++ "Couldn't initialize crq. rc=%d\n", rc);
++ return rc;
++ }
++
++ rc = ibmvnic_reset_init(adapter);
++ if (rc)
++ return IBMVNIC_INIT_FAILED;
++
++ /* If the adapter was in PROBE state prior to the reset,
++ * exit here.
++ */
++ if (reset_state == VNIC_PROBED)
++ return 0;
++
++ rc = ibmvnic_login(netdev);
++ if (rc) {
++ adapter->state = reset_state;
++ return rc;
++ }
++
++ rc = init_resources(adapter);
++ if (rc)
++ return rc;
++
++ ibmvnic_disable_irqs(adapter);
++
++ adapter->state = VNIC_CLOSED;
++
++ if (reset_state == VNIC_CLOSED)
++ return 0;
++
++ rc = __ibmvnic_open(netdev);
++ if (rc)
++ return IBMVNIC_OPEN_FAILED;
++
++ /* refresh device's multicast list */
++ ibmvnic_set_multi(netdev);
++
++ /* kick napi */
++ for (i = 0; i < adapter->req_rx_queues; i++)
++ napi_schedule(&adapter->napi[i]);
++
++ return 0;
++}
++
+ /**
+ * do_reset returns zero if we are able to keep processing reset events, or
+ * non-zero if we hit a fatal error and must halt.
+@@ -1738,6 +1818,8 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+ netdev_dbg(adapter->netdev, "Re-setting driver (%d)\n",
+ rwi->reset_reason);
+
++ rtnl_lock();
++
+ netif_carrier_off(netdev);
+ adapter->reset_reason = rwi->reset_reason;
+
+@@ -1751,16 +1833,25 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+ if (reset_state == VNIC_OPEN &&
+ adapter->reset_reason != VNIC_RESET_MOBILITY &&
+ adapter->reset_reason != VNIC_RESET_FAILOVER) {
+- rc = __ibmvnic_close(netdev);
++ adapter->state = VNIC_CLOSING;
++
++ /* Release the RTNL lock before link state change and
++ * re-acquire after the link state change to allow
++ * linkwatch_event to grab the RTNL lock and run during
++ * a reset.
++ */
++ rtnl_unlock();
++ rc = set_link_state(adapter, IBMVNIC_LOGICAL_LNK_DN);
++ rtnl_lock();
+ if (rc)
+- return rc;
+- }
++ goto out;
+
+- if (adapter->reset_reason == VNIC_RESET_CHANGE_PARAM ||
+- adapter->wait_for_reset) {
+- release_resources(adapter);
+- release_sub_crqs(adapter, 1);
+- release_crq_queue(adapter);
++ if (adapter->state != VNIC_CLOSING) {
++ rc = -1;
++ goto out;
++ }
++
++ adapter->state = VNIC_CLOSED;
+ }
+
+ if (adapter->reset_reason != VNIC_RESET_NON_FATAL) {
+@@ -1769,9 +1860,7 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+ */
+ adapter->state = VNIC_PROBED;
+
+- if (adapter->wait_for_reset) {
+- rc = init_crq_queue(adapter);
+- } else if (adapter->reset_reason == VNIC_RESET_MOBILITY) {
++ if (adapter->reset_reason == VNIC_RESET_MOBILITY) {
+ rc = ibmvnic_reenable_crq_queue(adapter);
+ release_sub_crqs(adapter, 1);
+ } else {
+@@ -1783,36 +1872,35 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+ if (rc) {
+ netdev_err(adapter->netdev,
+ "Couldn't initialize crq. rc=%d\n", rc);
+- return rc;
++ goto out;
+ }
+
+ rc = ibmvnic_reset_init(adapter);
+- if (rc)
+- return IBMVNIC_INIT_FAILED;
++ if (rc) {
++ rc = IBMVNIC_INIT_FAILED;
++ goto out;
++ }
+
+ /* If the adapter was in PROBE state prior to the reset,
+ * exit here.
+ */
+- if (reset_state == VNIC_PROBED)
+- return 0;
++ if (reset_state == VNIC_PROBED) {
++ rc = 0;
++ goto out;
++ }
+
+ rc = ibmvnic_login(netdev);
+ if (rc) {
+ adapter->state = reset_state;
+- return rc;
++ goto out;
+ }
+
+- if (adapter->reset_reason == VNIC_RESET_CHANGE_PARAM ||
+- adapter->wait_for_reset) {
+- rc = init_resources(adapter);
+- if (rc)
+- return rc;
+- } else if (adapter->req_rx_queues != old_num_rx_queues ||
+- adapter->req_tx_queues != old_num_tx_queues ||
+- adapter->req_rx_add_entries_per_subcrq !=
+- old_num_rx_slots ||
+- adapter->req_tx_entries_per_subcrq !=
+- old_num_tx_slots) {
++ if (adapter->req_rx_queues != old_num_rx_queues ||
++ adapter->req_tx_queues != old_num_tx_queues ||
++ adapter->req_rx_add_entries_per_subcrq !=
++ old_num_rx_slots ||
++ adapter->req_tx_entries_per_subcrq !=
++ old_num_tx_slots) {
+ release_rx_pools(adapter);
+ release_tx_pools(adapter);
+ release_napi(adapter);
+@@ -1820,32 +1908,30 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+
+ rc = init_resources(adapter);
+ if (rc)
+- return rc;
++ goto out;
+
+ } else {
+ rc = reset_tx_pools(adapter);
+ if (rc)
+- return rc;
++ goto out;
+
+ rc = reset_rx_pools(adapter);
+ if (rc)
+- return rc;
++ goto out;
+ }
+ ibmvnic_disable_irqs(adapter);
+ }
+ adapter->state = VNIC_CLOSED;
+
+- if (reset_state == VNIC_CLOSED)
+- return 0;
++ if (reset_state == VNIC_CLOSED) {
++ rc = 0;
++ goto out;
++ }
+
+ rc = __ibmvnic_open(netdev);
+ if (rc) {
+- if (list_empty(&adapter->rwi_list))
+- adapter->state = VNIC_CLOSED;
+- else
+- adapter->state = reset_state;
+-
+- return 0;
++ rc = IBMVNIC_OPEN_FAILED;
++ goto out;
+ }
+
+ /* refresh device's multicast list */
+@@ -1855,11 +1941,15 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+ for (i = 0; i < adapter->req_rx_queues; i++)
+ napi_schedule(&adapter->napi[i]);
+
+- if (adapter->reset_reason != VNIC_RESET_FAILOVER &&
+- adapter->reset_reason != VNIC_RESET_CHANGE_PARAM)
++ if (adapter->reset_reason != VNIC_RESET_FAILOVER)
+ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, netdev);
+
+- return 0;
++ rc = 0;
++
++out:
++ rtnl_unlock();
++
++ return rc;
+ }
+
+ static int do_hard_reset(struct ibmvnic_adapter *adapter,
+@@ -1919,14 +2009,8 @@ static int do_hard_reset(struct ibmvnic_adapter *adapter,
+ return 0;
+
+ rc = __ibmvnic_open(netdev);
+- if (rc) {
+- if (list_empty(&adapter->rwi_list))
+- adapter->state = VNIC_CLOSED;
+- else
+- adapter->state = reset_state;
+-
+- return 0;
+- }
++ if (rc)
++ return IBMVNIC_OPEN_FAILED;
+
+ return 0;
+ }
+@@ -1965,20 +2049,11 @@ static void __ibmvnic_reset(struct work_struct *work)
+ {
+ struct ibmvnic_rwi *rwi;
+ struct ibmvnic_adapter *adapter;
+- bool we_lock_rtnl = false;
+ u32 reset_state;
+ int rc = 0;
+
+ adapter = container_of(work, struct ibmvnic_adapter, ibmvnic_reset);
+
+- /* netif_set_real_num_xx_queues needs to take rtnl lock here
+- * unless wait_for_reset is set, in which case the rtnl lock
+- * has already been taken before initializing the reset
+- */
+- if (!adapter->wait_for_reset) {
+- rtnl_lock();
+- we_lock_rtnl = true;
+- }
+ reset_state = adapter->state;
+
+ rwi = get_next_rwi(adapter);
+@@ -1990,14 +2065,32 @@ static void __ibmvnic_reset(struct work_struct *work)
+ break;
+ }
+
+- if (adapter->force_reset_recovery) {
+- adapter->force_reset_recovery = false;
+- rc = do_hard_reset(adapter, rwi, reset_state);
++ if (rwi->reset_reason == VNIC_RESET_CHANGE_PARAM) {
++ /* CHANGE_PARAM requestor holds rtnl_lock */
++ rc = do_change_param_reset(adapter, rwi, reset_state);
++ } else if (adapter->force_reset_recovery) {
++ /* Transport event occurred during previous reset */
++ if (adapter->wait_for_reset) {
++ /* Previous was CHANGE_PARAM; caller locked */
++ adapter->force_reset_recovery = false;
++ rc = do_hard_reset(adapter, rwi, reset_state);
++ } else {
++ rtnl_lock();
++ adapter->force_reset_recovery = false;
++ rc = do_hard_reset(adapter, rwi, reset_state);
++ rtnl_unlock();
++ }
+ } else {
+ rc = do_reset(adapter, rwi, reset_state);
+ }
+ kfree(rwi);
+- if (rc && rc != IBMVNIC_INIT_FAILED &&
++ if (rc == IBMVNIC_OPEN_FAILED) {
++ if (list_empty(&adapter->rwi_list))
++ adapter->state = VNIC_CLOSED;
++ else
++ adapter->state = reset_state;
++ rc = 0;
++ } else if (rc && rc != IBMVNIC_INIT_FAILED &&
+ !adapter->force_reset_recovery)
+ break;
+
+@@ -2005,7 +2098,6 @@ static void __ibmvnic_reset(struct work_struct *work)
+ }
+
+ if (adapter->wait_for_reset) {
+- adapter->wait_for_reset = false;
+ adapter->reset_done_rc = rc;
+ complete(&adapter->reset_done);
+ }
+@@ -2016,8 +2108,6 @@ static void __ibmvnic_reset(struct work_struct *work)
+ }
+
+ adapter->resetting = false;
+- if (we_lock_rtnl)
+- rtnl_unlock();
+ }
+
+ static int ibmvnic_reset(struct ibmvnic_adapter *adapter,
+@@ -2078,8 +2168,6 @@ static int ibmvnic_reset(struct ibmvnic_adapter *adapter,
+
+ return 0;
+ err:
+- if (adapter->wait_for_reset)
+- adapter->wait_for_reset = false;
+ return -ret;
+ }
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h
+index 70bd286f89325..9d3d35cc91d6f 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.h
++++ b/drivers/net/ethernet/ibm/ibmvnic.h
+@@ -20,6 +20,7 @@
+ #define IBMVNIC_INVALID_MAP -1
+ #define IBMVNIC_STATS_TIMEOUT 1
+ #define IBMVNIC_INIT_FAILED 2
++#define IBMVNIC_OPEN_FAILED 3
+
+ /* basic structures plus 100 2k buffers */
+ #define IBMVNIC_IO_ENTITLEMENT_DEFAULT 610305
+--
+2.20.1
+
--- /dev/null
+From e2c06a16bf5457e54611d2111c12dfc14a128635 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2019 19:18:14 +0200
+Subject: netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit 97664bc2c77e2b65cdedddcae2643fc93291d958 ]
+
+Same as commit 1b4a75108d5b ("netfilter: ipset: Copy the right MAC
+address in bitmap:ip,mac and hash:ip,mac sets"), another copy and paste
+went wrong in commit 8cc4ccf58379 ("netfilter: ipset: Allow matching on
+destination MAC address for mac and ipmac sets").
+
+When I fixed this for IPv4 in 1b4a75108d5b, I didn't realise that
+hash:ip,mac sets also support IPv6 as family, and this is covered by a
+separate function, hash_ipmac6_kadt().
+
+In hash:ip,mac sets, the first dimension is the IP address, and the
+second dimension is the MAC address: check the IPSET_DIM_TWO_SRC flag
+in flags while deciding which MAC address to copy, destination or
+source.
+
+This way, mixing source and destination matches for the two dimensions
+of ip,mac hash type works as expected, also for IPv6. With this setup:
+
+ ip netns add A
+ ip link add veth1 type veth peer name veth2 netns A
+ ip addr add 2001:db8::1/64 dev veth1
+ ip -net A addr add 2001:db8::2/64 dev veth2
+ ip link set veth1 up
+ ip -net A link set veth2 up
+
+ dst=$(ip netns exec A cat /sys/class/net/veth2/address)
+
+ ip netns exec A ipset create test_hash hash:ip,mac family inet6
+ ip netns exec A ipset add test_hash 2001:db8::1,${dst}
+ ip netns exec A ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
+ ip netns exec A ip6tables -A INPUT -m set ! --match-set test_hash src,dst -j DROP
+
+ipset now correctly matches a test packet:
+
+ # ping -c1 2001:db8::2 >/dev/null
+ # echo $?
+ 0
+
+Reported-by: Chen, Yi <yiche@redhat.com>
+Fixes: 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_hash_ipmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
+index 24d8f4df4230c..4ce563eb927d4 100644
+--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
++++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
+@@ -209,7 +209,7 @@ hash_ipmac6_kadt(struct ip_set *set, const struct sk_buff *skb,
+ (skb_mac_header(skb) + ETH_HLEN) > skb->data)
+ return -EINVAL;
+
+- if (opt->flags & IPSET_DIM_ONE_SRC)
++ if (opt->flags & IPSET_DIM_TWO_SRC)
+ ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
+ else
+ ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
+--
+2.20.1
+
timekeeping-vsyscall-update-vdso-data-unconditionall.patch
mm-filemap.c-don-t-initiate-writeback-if-mapping-has-no-dirty-pages.patch
cgroup-writeback-don-t-switch-wbs-immediately-on-dead-wbs-if-the-memcg-is-dead.patch
+arm-dts-stm32-change-joystick-pinctrl-definition-on-.patch
+asoc-sof-intel-hda-stream-fix-the-config_-prefix-mis.patch
+usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch
+bonding-fix-using-uninitialized-mode_lock.patch
+netfilter-ipset-copy-the-right-mac-address-in-hash-i.patch
+arm64-errata-update-stale-comment.patch
+net-ibmvnic-unlock-rtnl_lock-in-reset-so-linkwatch_e.patch
--- /dev/null
+From 41782c303912a67f4cd8cebbc7c9a2f1b219e3e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2019 18:30:17 +0900
+Subject: usbip: Fix free of unallocated memory in vhci tx
+
+From: Suwan Kim <suwan.kim027@gmail.com>
+
+[ Upstream commit d4d8257754c3300ea2a465dadf8d2b02c713c920 ]
+
+iso_buffer should be set to NULL after use and free in the while loop.
+In the case of isochronous URB in the while loop, iso_buffer is
+allocated and after sending it to server, buffer is deallocated. And
+then, if the next URB in the while loop is not a isochronous pipe,
+iso_buffer still holds the previously deallocated buffer address and
+kfree tries to free wrong buffer address.
+
+Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver")
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: Suwan Kim <suwan.kim027@gmail.com>
+Reviewed-by: Julia Lawall <julia.lawall@lip6.fr>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20191022093017.8027-1-suwan.kim027@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/vhci_tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c
+index c3803785f6eff..0ae40a13a9fea 100644
+--- a/drivers/usb/usbip/vhci_tx.c
++++ b/drivers/usb/usbip/vhci_tx.c
+@@ -147,7 +147,10 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev)
+ }
+
+ kfree(iov);
++ /* This is only for isochronous case */
+ kfree(iso_buffer);
++ iso_buffer = NULL;
++
+ usbip_dbg_vhci_tx("send txdata\n");
+
+ total_size += txsize;
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
