--- /dev/null
+From a7583e72a5f22470d3e6fd3b6ba912892242339f Mon Sep 17 00:00:00 2001
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+Date: Thu, 14 Nov 2019 15:16:24 +0800
+Subject: ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100
+
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+
+commit a7583e72a5f22470d3e6fd3b6ba912892242339f upstream.
+
+The commit 0f27cff8597d ("ACPI: sysfs: Make ACPI GPE mask kernel
+parameter cover all GPEs") says:
+ "Use a bitmap of size 0xFF instead of a u64 for the GPE mask so 256
+ GPEs can be masked"
+
+But the masking of GPE 0xFF it not supported and the check condition
+"gpe > ACPI_MASKABLE_GPE_MAX" is not valid because the type of gpe is
+u8.
+
+So modify the macro ACPI_MASKABLE_GPE_MAX to 0x100, and drop the "gpe >
+ACPI_MASKABLE_GPE_MAX" check. In addition, update the docs "Format" for
+acpi_mask_gpe parameter.
+
+Fixes: 0f27cff8597d ("ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs")
+Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
+[ rjw: Use u16 as gpe data type in acpi_gpe_apply_masked_gpes() ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/admin-guide/kernel-parameters.txt | 2 +-
+ drivers/acpi/sysfs.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -113,7 +113,7 @@
+ the GPE dispatcher.
+ This facility can be used to prevent such uncontrolled
+ GPE floodings.
+- Format: <int>
++ Format: <byte>
+
+ acpi_no_auto_serialize [HW,ACPI]
+ Disable auto-serialization of AML methods
+--- a/drivers/acpi/sysfs.c
++++ b/drivers/acpi/sysfs.c
+@@ -819,14 +819,14 @@ end:
+ * interface:
+ * echo unmask > /sys/firmware/acpi/interrupts/gpe00
+ */
+-#define ACPI_MASKABLE_GPE_MAX 0xFF
++#define ACPI_MASKABLE_GPE_MAX 0x100
+ static DECLARE_BITMAP(acpi_masked_gpes_map, ACPI_MASKABLE_GPE_MAX) __initdata;
+
+ static int __init acpi_gpe_set_masked_gpes(char *val)
+ {
+ u8 gpe;
+
+- if (kstrtou8(val, 0, &gpe) || gpe > ACPI_MASKABLE_GPE_MAX)
++ if (kstrtou8(val, 0, &gpe))
+ return -EINVAL;
+ set_bit(gpe, acpi_masked_gpes_map);
+
+@@ -838,7 +838,7 @@ void __init acpi_gpe_apply_masked_gpes(v
+ {
+ acpi_handle handle;
+ acpi_status status;
+- u8 gpe;
++ u16 gpe;
+
+ for_each_set_bit(gpe, acpi_masked_gpes_map, ACPI_MASKABLE_GPE_MAX) {
+ status = acpi_get_gpe_device(gpe, &handle);
--- /dev/null
+From b40dd23f9a8987c8336df0a00e33f52b1f3f19ad Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Date: Wed, 2 Oct 2019 12:07:56 -0700
+Subject: arm64: dts: qcom: msm8998-clamshell: Remove retention idle state
+
+From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+
+commit b40dd23f9a8987c8336df0a00e33f52b1f3f19ad upstream.
+
+The retention idle state does not appear to be supported by the firmware
+present on the msm8998 laptops since the state is advertised as disabled
+in ACPI, and attempting to enable the state in DT is observed to result
+in boot hangs. Therefore, remove the state from use to address the
+observed issues.
+
+Reviewed-by: Amit Kucheria <amit.kucheria@linaro.org>
+Fixes: 2c6d2d3a580a (arm64: dts: qcom: Add Lenovo Miix 630)
+Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/qcom/msm8998-clamshell.dtsi | 37 ++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/msm8998-clamshell.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8998-clamshell.dtsi
+@@ -23,6 +23,43 @@
+ };
+ };
+
++/*
++ * The laptop FW does not appear to support the retention state as it is
++ * not advertised as enabled in ACPI, and enabling it in DT can cause boot
++ * hangs.
++ */
++&CPU0 {
++ cpu-idle-states = <&LITTLE_CPU_SLEEP_1>;
++};
++
++&CPU1 {
++ cpu-idle-states = <&LITTLE_CPU_SLEEP_1>;
++};
++
++&CPU2 {
++ cpu-idle-states = <&LITTLE_CPU_SLEEP_1>;
++};
++
++&CPU3 {
++ cpu-idle-states = <&LITTLE_CPU_SLEEP_1>;
++};
++
++&CPU4 {
++ cpu-idle-states = <&BIG_CPU_SLEEP_1>;
++};
++
++&CPU5 {
++ cpu-idle-states = <&BIG_CPU_SLEEP_1>;
++};
++
++&CPU6 {
++ cpu-idle-states = <&BIG_CPU_SLEEP_1>;
++};
++
++&CPU7 {
++ cpu-idle-states = <&BIG_CPU_SLEEP_1>;
++};
++
+ &qusb2phy {
+ status = "okay";
+
--- /dev/null
+From 84a1f5b1cc6fd7f6cd99fc5630c36f631b19fa60 Mon Sep 17 00:00:00 2001
+From: "Paulo Alcantara (SUSE)" <pc@cjr.nz>
+Date: Fri, 22 Nov 2019 12:30:53 -0300
+Subject: cifs: Fix potential softlockups while refreshing DFS cache
+
+From: Paulo Alcantara (SUSE) <pc@cjr.nz>
+
+commit 84a1f5b1cc6fd7f6cd99fc5630c36f631b19fa60 upstream.
+
+We used to skip reconnects on all SMB2_IOCTL commands due to SMB3+
+FSCTL_VALIDATE_NEGOTIATE_INFO - which made sense since we're still
+establishing a SMB session.
+
+However, when refresh_cache_worker() calls smb2_get_dfs_refer() and
+we're under reconnect, SMB2_ioctl() will not be able to get a proper
+status error (e.g. -EHOSTDOWN in case we failed to reconnect) but an
+-EAGAIN from cifs_send_recv() thus looping forever in
+refresh_cache_worker().
+
+Fixes: e99c63e4d86d ("SMB3: Fix deadlock in validate negotiate hits reconnect")
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Suggested-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 41 +++++++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -252,7 +252,7 @@ smb2_reconnect(__le16 smb2_command, stru
+ if (tcon == NULL)
+ return 0;
+
+- if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
++ if (smb2_command == SMB2_TREE_CONNECT)
+ return 0;
+
+ if (tcon->tidStatus == CifsExiting) {
+@@ -426,16 +426,9 @@ fill_small_buf(__le16 smb2_command, stru
+ * SMB information in the SMB header. If the return code is zero, this
+ * function must have filled in request_buf pointer.
+ */
+-static int
+-smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
+- void **request_buf, unsigned int *total_len)
++static int __smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
+ {
+- int rc;
+-
+- rc = smb2_reconnect(smb2_command, tcon);
+- if (rc)
+- return rc;
+-
+ /* BB eventually switch this to SMB2 specific small buf size */
+ if (smb2_command == SMB2_SET_INFO)
+ *request_buf = cifs_buf_get();
+@@ -456,7 +449,31 @@ smb2_plain_req_init(__le16 smb2_command,
+ cifs_stats_inc(&tcon->num_smbs_sent);
+ }
+
+- return rc;
++ return 0;
++}
++
++static int smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
++{
++ int rc;
++
++ rc = smb2_reconnect(smb2_command, tcon);
++ if (rc)
++ return rc;
++
++ return __smb2_plain_req_init(smb2_command, tcon, request_buf,
++ total_len);
++}
++
++static int smb2_ioctl_req_init(u32 opcode, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
++{
++ /* Skip reconnect only for FSCTL_VALIDATE_NEGOTIATE_INFO IOCTLs */
++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) {
++ return __smb2_plain_req_init(SMB2_IOCTL, tcon, request_buf,
++ total_len);
++ }
++ return smb2_plain_req_init(SMB2_IOCTL, tcon, request_buf, total_len);
+ }
+
+ /* For explanation of negotiate contexts see MS-SMB2 section 2.2.3.1 */
+@@ -2661,7 +2678,7 @@ SMB2_ioctl_init(struct cifs_tcon *tcon,
+ int rc;
+ char *in_data_buf;
+
+- rc = smb2_plain_req_init(SMB2_IOCTL, tcon, (void **) &req, &total_len);
++ rc = smb2_ioctl_req_init(opcode, tcon, (void **) &req, &total_len);
+ if (rc)
+ return rc;
+
--- /dev/null
+From 4268ac6ae5870af10a7417b22990d615f72f77e2 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 19 Nov 2019 17:35:36 +0100
+Subject: dma-direct: don't check swiotlb=force in dma_direct_map_resource
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 4268ac6ae5870af10a7417b22990d615f72f77e2 upstream.
+
+When mapping resources we can't just use swiotlb ram for bounce
+buffering. Switch to a direct dma_capable check instead.
+
+Fixes: cfced786969c ("dma-mapping: remove the default map_resource implementation")
+Reported-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/dma/direct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/dma/direct.c
++++ b/kernel/dma/direct.c
+@@ -375,7 +375,7 @@ dma_addr_t dma_direct_map_resource(struc
+ {
+ dma_addr_t dma_addr = paddr;
+
+- if (unlikely(!dma_direct_possible(dev, dma_addr, size))) {
++ if (unlikely(!dma_capable(dev, dma_addr, size))) {
+ report_addr(dev, dma_addr, size);
+ return DMA_MAPPING_ERROR;
+ }
--- /dev/null
+From 68a33b1794665ba8a1d1ef1d3bfcc7c587d380a6 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 19 Nov 2019 17:38:58 +0100
+Subject: dma-direct: exclude dma_direct_map_resource from the min_low_pfn check
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 68a33b1794665ba8a1d1ef1d3bfcc7c587d380a6 upstream.
+
+The valid memory address check in dma_capable only makes sense when mapping
+normal memory, not when using dma_map_resource to map a device resource.
+Add a new boolean argument to dma_capable to exclude that check for the
+dma_map_resource case.
+
+Fixes: b12d66278dd6 ("dma-direct: check for overflows on 32 bit DMA addresses")
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/amd_gart_64.c | 4 ++--
+ drivers/xen/swiotlb-xen.c | 4 ++--
+ include/linux/dma-direct.h | 5 +++--
+ kernel/dma/direct.c | 4 ++--
+ kernel/dma/swiotlb.c | 2 +-
+ 5 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kernel/amd_gart_64.c
++++ b/arch/x86/kernel/amd_gart_64.c
+@@ -185,13 +185,13 @@ static void iommu_full(struct device *de
+ static inline int
+ need_iommu(struct device *dev, unsigned long addr, size_t size)
+ {
+- return force_iommu || !dma_capable(dev, addr, size);
++ return force_iommu || !dma_capable(dev, addr, size, true);
+ }
+
+ static inline int
+ nonforced_iommu(struct device *dev, unsigned long addr, size_t size)
+ {
+- return !dma_capable(dev, addr, size);
++ return !dma_capable(dev, addr, size, true);
+ }
+
+ /* Map a single continuous physical area into the IOMMU.
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -375,7 +375,7 @@ static dma_addr_t xen_swiotlb_map_page(s
+ * we can safely return the device addr and not worry about bounce
+ * buffering it.
+ */
+- if (dma_capable(dev, dev_addr, size) &&
++ if (dma_capable(dev, dev_addr, size, true) &&
+ !range_straddles_page_boundary(phys, size) &&
+ !xen_arch_need_swiotlb(dev, phys, dev_addr) &&
+ swiotlb_force != SWIOTLB_FORCE)
+@@ -397,7 +397,7 @@ static dma_addr_t xen_swiotlb_map_page(s
+ /*
+ * Ensure that the address returned is DMA'ble
+ */
+- if (unlikely(!dma_capable(dev, dev_addr, size))) {
++ if (unlikely(!dma_capable(dev, dev_addr, size, true))) {
+ swiotlb_tbl_unmap_single(dev, map, size, size, dir,
+ attrs | DMA_ATTR_SKIP_CPU_SYNC);
+ return DMA_MAPPING_ERROR;
+--- a/include/linux/dma-direct.h
++++ b/include/linux/dma-direct.h
+@@ -25,14 +25,15 @@ static inline phys_addr_t __dma_to_phys(
+ return paddr + ((phys_addr_t)dev->dma_pfn_offset << PAGE_SHIFT);
+ }
+
+-static inline bool dma_capable(struct device *dev, dma_addr_t addr, size_t size)
++static inline bool dma_capable(struct device *dev, dma_addr_t addr, size_t size,
++ bool is_ram)
+ {
+ dma_addr_t end = addr + size - 1;
+
+ if (!dev->dma_mask)
+ return false;
+
+- if (!IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT) &&
++ if (is_ram && !IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT) &&
+ min(addr, end) < phys_to_dma(dev, PFN_PHYS(min_low_pfn)))
+ return false;
+
+--- a/kernel/dma/direct.c
++++ b/kernel/dma/direct.c
+@@ -326,7 +326,7 @@ static inline bool dma_direct_possible(s
+ size_t size)
+ {
+ return swiotlb_force != SWIOTLB_FORCE &&
+- dma_capable(dev, dma_addr, size);
++ dma_capable(dev, dma_addr, size, true);
+ }
+
+ dma_addr_t dma_direct_map_page(struct device *dev, struct page *page,
+@@ -375,7 +375,7 @@ dma_addr_t dma_direct_map_resource(struc
+ {
+ dma_addr_t dma_addr = paddr;
+
+- if (unlikely(!dma_capable(dev, dma_addr, size))) {
++ if (unlikely(!dma_capable(dev, dma_addr, size, false))) {
+ report_addr(dev, dma_addr, size);
+ return DMA_MAPPING_ERROR;
+ }
+--- a/kernel/dma/swiotlb.c
++++ b/kernel/dma/swiotlb.c
+@@ -678,7 +678,7 @@ bool swiotlb_map(struct device *dev, phy
+
+ /* Ensure that the address returned is DMA'ble */
+ *dma_addr = __phys_to_dma(dev, *phys);
+- if (unlikely(!dma_capable(dev, *dma_addr, size))) {
++ if (unlikely(!dma_capable(dev, *dma_addr, size, true))) {
+ swiotlb_tbl_unmap_single(dev, *phys, size, size, dir,
+ attrs | DMA_ATTR_SKIP_CPU_SYNC);
+ return false;
--- /dev/null
+From 70082a52f96a45650dfc3d8cdcd2c42bdac9f6f0 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 18 Sep 2019 21:57:07 +0200
+Subject: drm/msm: include linux/sched/task.h
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 70082a52f96a45650dfc3d8cdcd2c42bdac9f6f0 upstream.
+
+Without this header file, compile-testing may run into a missing
+declaration:
+
+drivers/gpu/drm/msm/msm_gpu.c:444:4: error: implicit declaration of function 'put_task_struct' [-Werror,-Wimplicit-function-declaration]
+
+Fixes: 482f96324a4e ("drm/msm: Fix task dump in gpu recovery")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/msm/msm_gpu.c
++++ b/drivers/gpu/drm/msm/msm_gpu.c
+@@ -16,6 +16,7 @@
+ #include <linux/pm_opp.h>
+ #include <linux/devfreq.h>
+ #include <linux/devcoredump.h>
++#include <linux/sched/task.h>
+
+ /*
+ * Power Management:
--- /dev/null
+From 8305e90a894f82c278c17e51a28459deee78b263 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wenyang@linux.alibaba.com>
+Date: Mon, 25 Nov 2019 23:54:09 +0800
+Subject: firmware: arm_scmi: Avoid double free in error flow
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+commit 8305e90a894f82c278c17e51a28459deee78b263 upstream.
+
+If device_register() fails, both put_device() and kfree() are called,
+ending with a double free of the scmi_dev.
+
+Calling kfree() is needed only when a failure happens between the
+allocation of the scmi_dev and its registration, so move it to there
+and remove it from the error flow.
+
+Fixes: 46edb8d1322c ("firmware: arm_scmi: provide the mandatory device release callback")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/arm_scmi/bus.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/bus.c
++++ b/drivers/firmware/arm_scmi/bus.c
+@@ -135,8 +135,10 @@ scmi_device_create(struct device_node *n
+ return NULL;
+
+ id = ida_simple_get(&scmi_bus_id, 1, 0, GFP_KERNEL);
+- if (id < 0)
+- goto free_mem;
++ if (id < 0) {
++ kfree(scmi_dev);
++ return NULL;
++ }
+
+ scmi_dev->id = id;
+ scmi_dev->protocol_id = protocol;
+@@ -154,8 +156,6 @@ scmi_device_create(struct device_node *n
+ put_dev:
+ put_device(&scmi_dev->dev);
+ ida_simple_remove(&scmi_bus_id, id);
+-free_mem:
+- kfree(scmi_dev);
+ return NULL;
+ }
+
--- /dev/null
+From fd70466d37bf3fe0118d18c56ddde85b428f86cf Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 7 Nov 2019 22:28:11 +0800
+Subject: HID: i2c-hid: Reset ALPS touchpads on resume
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit fd70466d37bf3fe0118d18c56ddde85b428f86cf upstream.
+
+Commit 52cf93e63ee6 ("HID: i2c-hid: Don't reset device upon system
+resume") fixes many touchpads and touchscreens, however ALPS touchpads
+start to trigger IRQ storm after system resume.
+
+Since it's total silence from ALPS, let's bring the old behavior back
+to ALPS touchpads.
+
+Fixes: 52cf93e63ee6 ("HID: i2c-hid: Don't reset device upon system resume")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid-core.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -48,6 +48,7 @@
+ #define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV BIT(0)
+ #define I2C_HID_QUIRK_NO_IRQ_AFTER_RESET BIT(1)
+ #define I2C_HID_QUIRK_BOGUS_IRQ BIT(4)
++#define I2C_HID_QUIRK_RESET_ON_RESUME BIT(5)
+
+ /* flags */
+ #define I2C_HID_STARTED 0
+@@ -174,6 +175,8 @@ static const struct i2c_hid_quirks {
+ I2C_HID_QUIRK_NO_IRQ_AFTER_RESET },
+ { USB_VENDOR_ID_ELAN, HID_ANY_ID,
+ I2C_HID_QUIRK_BOGUS_IRQ },
++ { USB_VENDOR_ID_ALPS_JP, HID_ANY_ID,
++ I2C_HID_QUIRK_RESET_ON_RESUME },
+ { 0, 0 }
+ };
+
+@@ -1214,8 +1217,15 @@ static int i2c_hid_resume(struct device
+ * solves "incomplete reports" on Raydium devices 2386:3118 and
+ * 2386:4B33 and fixes various SIS touchscreens no longer sending
+ * data after a suspend/resume.
++ *
++ * However some ALPS touchpads generate IRQ storm without reset, so
++ * let's still reset them here.
+ */
+- ret = i2c_hid_set_power(client, I2C_HID_PWR_ON);
++ if (ihid->quirks & I2C_HID_QUIRK_RESET_ON_RESUME)
++ ret = i2c_hid_hwreset(client);
++ else
++ ret = i2c_hid_set_power(client, I2C_HID_PWR_ON);
++
+ if (ret)
+ return ret;
+
--- /dev/null
+From f81b846dcd9a1e6d120f73970a9a98b7fcaaffba Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Wed, 20 Nov 2019 14:10:16 +0800
+Subject: iommu/vt-d: Remove incorrect PSI capability check
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit f81b846dcd9a1e6d120f73970a9a98b7fcaaffba upstream.
+
+The PSI (Page Selective Invalidation) bit in the capability register
+is only valid for second-level translation. Intel IOMMU supporting
+scalable mode must support page/address selective IOTLB invalidation
+for first-level translation. Remove the PSI capability check in SVA
+cache invalidation code.
+
+Fixes: 8744daf4b0699 ("iommu/vt-d: Remove global page flush support")
+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-svm.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/iommu/intel-svm.c
++++ b/drivers/iommu/intel-svm.c
+@@ -104,11 +104,7 @@ static void intel_flush_svm_range_dev (s
+ {
+ struct qi_desc desc;
+
+- /*
+- * Do PASID granu IOTLB invalidation if page selective capability is
+- * not available.
+- */
+- if (pages == -1 || !cap_pgsel_inv(svm->iommu->cap)) {
++ if (pages == -1) {
+ desc.qw0 = QI_EIOTLB_PASID(svm->pasid) |
+ QI_EIOTLB_DID(sdev->did) |
+ QI_EIOTLB_GRAN(QI_GRAN_NONG_PASID) |
--- /dev/null
+From 5d603311615f612320bb77bd2a82553ef1ced5b7 Mon Sep 17 00:00:00 2001
+From: Konstantin Khorenko <khorenko@virtuozzo.com>
+Date: Wed, 13 Nov 2019 12:29:50 +0300
+Subject: kernel/module.c: wakeup processes in module_wq on module unload
+
+From: Konstantin Khorenko <khorenko@virtuozzo.com>
+
+commit 5d603311615f612320bb77bd2a82553ef1ced5b7 upstream.
+
+Fix the race between load and unload a kernel module.
+
+sys_delete_module()
+ try_stop_module()
+ mod->state = _GOING
+ add_unformed_module()
+ old = find_module_all()
+ (old->state == _GOING =>
+ wait_event_interruptible())
+
+ During pre-condition
+ finished_loading() rets 0
+ schedule()
+ (never gets waken up later)
+ free_module()
+ mod->state = _UNFORMED
+ list_del_rcu(&mod->list)
+ (dels mod from "modules" list)
+
+return
+
+The race above leads to modprobe hanging forever on loading
+a module.
+
+Error paths on loading module call wake_up_all(&module_wq) after
+freeing module, so let's do the same on straight module unload.
+
+Fixes: 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for modules that have finished loading")
+Reviewed-by: Prarit Bhargava <prarit@redhat.com>
+Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/module.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1033,6 +1033,8 @@ SYSCALL_DEFINE2(delete_module, const cha
+ strlcpy(last_unloaded_module, mod->name, sizeof(last_unloaded_module));
+
+ free_module(mod);
++ /* someone could wait for the module in add_unformed_module() */
++ wake_up_all(&module_wq);
+ return 0;
+ out:
+ mutex_unlock(&module_mutex);
--- /dev/null
+From 90b2be27bb0e56483f335cc10fb59ec66882b949 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 8 Nov 2019 08:45:23 -0800
+Subject: net/sched: annotate lockless accesses to qdisc->empty
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 90b2be27bb0e56483f335cc10fb59ec66882b949 upstream.
+
+KCSAN reported the following race [1]
+
+BUG: KCSAN: data-race in __dev_queue_xmit / net_tx_action
+
+read to 0xffff8880ba403508 of 1 bytes by task 21814 on cpu 1:
+ __dev_xmit_skb net/core/dev.c:3389 [inline]
+ __dev_queue_xmit+0x9db/0x1b40 net/core/dev.c:3761
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3825
+ neigh_hh_output include/net/neighbour.h:500 [inline]
+ neigh_output include/net/neighbour.h:509 [inline]
+ ip6_finish_output2+0x873/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
+ ip6_send_skb+0x53/0x110 net/ipv6/ip6_output.c:1795
+ udp_v6_send_skb.isra.0+0x3ec/0xa70 net/ipv6/udp.c:1173
+ udpv6_sendmsg+0x1906/0x1c20 net/ipv6/udp.c:1471
+ inet6_sendmsg+0x6d/0x90 net/ipv6/af_inet6.c:576
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+ ___sys_sendmsg+0x2b7/0x5d0 net/socket.c:2311
+ __sys_sendmmsg+0x123/0x350 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+ __se_sys_sendmmsg net/socket.c:2439 [inline]
+ __x64_sys_sendmmsg+0x64/0x80 net/socket.c:2439
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+write to 0xffff8880ba403508 of 1 bytes by interrupt on cpu 0:
+ qdisc_run_begin include/net/sch_generic.h:160 [inline]
+ qdisc_run include/net/pkt_sched.h:120 [inline]
+ net_tx_action+0x2b1/0x6c0 net/core/dev.c:4551
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
+ do_softirq.part.0+0x6b/0x80 kernel/softirq.c:337
+ do_softirq kernel/softirq.c:329 [inline]
+ __local_bh_enable_ip+0x76/0x80 kernel/softirq.c:189
+ local_bh_enable include/linux/bottom_half.h:32 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
+ ip6_finish_output2+0x7bb/0xec0 net/ipv6/ip6_output.c:117
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
+ ip6_send_skb+0x53/0x110 net/ipv6/ip6_output.c:1795
+ udp_v6_send_skb.isra.0+0x3ec/0xa70 net/ipv6/udp.c:1173
+ udpv6_sendmsg+0x1906/0x1c20 net/ipv6/udp.c:1471
+ inet6_sendmsg+0x6d/0x90 net/ipv6/af_inet6.c:576
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+ ___sys_sendmsg+0x2b7/0x5d0 net/socket.c:2311
+ __sys_sendmmsg+0x123/0x350 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+ __se_sys_sendmmsg net/socket.c:2439 [inline]
+ __x64_sys_sendmmsg+0x64/0x80 net/socket.c:2439
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 21817 Comm: syz-executor.2 Not tainted 5.4.0-rc6+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: d518d2ed8640 ("net/sched: fix race between deactivation and dequeue for NOLOCK qdisc")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/sch_generic.h | 6 +++---
+ net/core/dev.c | 2 +-
+ net/sched/sch_generic.c | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -149,8 +149,8 @@ static inline bool qdisc_is_percpu_stats
+ static inline bool qdisc_is_empty(const struct Qdisc *qdisc)
+ {
+ if (qdisc_is_percpu_stats(qdisc))
+- return qdisc->empty;
+- return !qdisc->q.qlen;
++ return READ_ONCE(qdisc->empty);
++ return !READ_ONCE(qdisc->q.qlen);
+ }
+
+ static inline bool qdisc_run_begin(struct Qdisc *qdisc)
+@@ -158,7 +158,7 @@ static inline bool qdisc_run_begin(struc
+ if (qdisc->flags & TCQ_F_NOLOCK) {
+ if (!spin_trylock(&qdisc->seqlock))
+ return false;
+- qdisc->empty = false;
++ WRITE_ONCE(qdisc->empty, false);
+ } else if (qdisc_is_running(qdisc)) {
+ return false;
+ }
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3386,7 +3386,7 @@ static inline int __dev_xmit_skb(struct
+ qdisc_calculate_pkt_len(skb, q);
+
+ if (q->flags & TCQ_F_NOLOCK) {
+- if ((q->flags & TCQ_F_CAN_BYPASS) && q->empty &&
++ if ((q->flags & TCQ_F_CAN_BYPASS) && READ_ONCE(q->empty) &&
+ qdisc_run_begin(q)) {
+ if (unlikely(test_bit(__QDISC_STATE_DEACTIVATED,
+ &q->state))) {
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -657,7 +657,7 @@ static struct sk_buff *pfifo_fast_dequeu
+ if (likely(skb)) {
+ qdisc_update_stats_at_dequeue(qdisc, skb);
+ } else {
+- qdisc->empty = true;
++ WRITE_ONCE(qdisc->empty, true);
+ }
+
+ return skb;
--- /dev/null
+From 1148f9adbe71415836a18a36c1b4ece999ab0973 Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alobakin@dlink.ru>
+Date: Wed, 18 Dec 2019 12:18:21 +0300
+Subject: net, sysctl: Fix compiler warning when only cBPF is present
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexander Lobakin <alobakin@dlink.ru>
+
+commit 1148f9adbe71415836a18a36c1b4ece999ab0973 upstream.
+
+proc_dointvec_minmax_bpf_restricted() has been firstly introduced
+in commit 2e4a30983b0f ("bpf: restrict access to core bpf sysctls")
+under CONFIG_HAVE_EBPF_JIT. Then, this ifdef has been removed in
+ede95a63b5e8 ("bpf: add bpf_jit_limit knob to restrict unpriv
+allocations"), because a new sysctl, bpf_jit_limit, made use of it.
+Finally, this parameter has become long instead of integer with
+fdadd04931c2 ("bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K")
+and thus, a new proc_dolongvec_minmax_bpf_restricted() has been
+added.
+
+With this last change, we got back to that
+proc_dointvec_minmax_bpf_restricted() is used only under
+CONFIG_HAVE_EBPF_JIT, but the corresponding ifdef has not been
+brought back.
+
+So, in configurations like CONFIG_BPF_JIT=y && CONFIG_HAVE_EBPF_JIT=n
+since v4.20 we have:
+
+ CC net/core/sysctl_net_core.o
+net/core/sysctl_net_core.c:292:1: warning: ‘proc_dointvec_minmax_bpf_restricted’ defined but not used [-Wunused-function]
+ 292 | proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Suppress this by guarding it with CONFIG_HAVE_EBPF_JIT again.
+
+Fixes: fdadd04931c2 ("bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K")
+Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20191218091821.7080-1-alobakin@dlink.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/sysctl_net_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -288,6 +288,7 @@ static int proc_dointvec_minmax_bpf_enab
+ return ret;
+ }
+
++# ifdef CONFIG_HAVE_EBPF_JIT
+ static int
+ proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+@@ -298,6 +299,7 @@ proc_dointvec_minmax_bpf_restricted(stru
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
++# endif /* CONFIG_HAVE_EBPF_JIT */
+
+ static int
+ proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write,
--- /dev/null
+From 0b9173f4688dfa7c5d723426be1d979c24ce3d51 Mon Sep 17 00:00:00 2001
+From: Marco Oliverio <marco.oliverio@tanaza.com>
+Date: Mon, 2 Dec 2019 19:54:30 +0100
+Subject: netfilter: nf_queue: enqueue skbs with NULL dst
+
+From: Marco Oliverio <marco.oliverio@tanaza.com>
+
+commit 0b9173f4688dfa7c5d723426be1d979c24ce3d51 upstream.
+
+Bridge packets that are forwarded have skb->dst == NULL and get
+dropped by the check introduced by
+b60a77386b1d4868f72f6353d35dabe5fbe981f2 (net: make skb_dst_force
+return true when dst is refcounted).
+
+To fix this we check skb_dst() before skb_dst_force(), so we don't
+drop skb packet with dst == NULL. This holds also for skb at the
+PRE_ROUTING hook so we remove the second check.
+
+Fixes: b60a77386b1d ("net: make skb_dst_force return true when dst is refcounted")
+Signed-off-by: Marco Oliverio <marco.oliverio@tanaza.com>
+Signed-off-by: Rocco Folino <rocco.folino@tanaza.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -189,7 +189,7 @@ static int __nf_queue(struct sk_buff *sk
+ goto err;
+ }
+
+- if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) {
++ if (skb_dst(skb) && !skb_dst_force(skb)) {
+ status = -ENETDOWN;
+ goto err;
+ }
--- /dev/null
+From 6e73e92b155c868ff7fce9d108839668caf1d9be Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Wed, 9 Oct 2019 15:11:37 -0400
+Subject: nfsd4: fix up replay_matches_cache()
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit 6e73e92b155c868ff7fce9d108839668caf1d9be upstream.
+
+When running an nfs stress test, I see quite a few cached replies that
+don't match up with the actual request. The first comment in
+replay_matches_cache() makes sense, but the code doesn't seem to
+match... fix it.
+
+This isn't exactly a bugfix, as the server isn't required to catch every
+case of a false retry. So, we may as well do this, but if this is
+fixing a problem then that suggests there's a client bug.
+
+Fixes: 53da6a53e1d4 ("nfsd4: catch some false session retries")
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3548,12 +3548,17 @@ static bool replay_matches_cache(struct
+ (bool)seq->cachethis)
+ return false;
+ /*
+- * If there's an error than the reply can have fewer ops than
+- * the call. But if we cached a reply with *more* ops than the
+- * call you're sending us now, then this new call is clearly not
+- * really a replay of the old one:
++ * If there's an error then the reply can have fewer ops than
++ * the call.
+ */
+- if (slot->sl_opcnt < argp->opcnt)
++ if (slot->sl_opcnt < argp->opcnt && !slot->sl_status)
++ return false;
++ /*
++ * But if we cached a reply with *more* ops than the call you're
++ * sending us now, then this new call is clearly not really a
++ * replay of the old one:
++ */
++ if (slot->sl_opcnt > argp->opcnt)
+ return false;
+ /* This is the only check explicitly called by spec: */
+ if (!same_creds(&rqstp->rq_cred, &slot->sl_cred))
--- /dev/null
+From 637392a8506a3a7dd24ab9094a14f7522adb73b4 Mon Sep 17 00:00:00 2001
+From: Frank Rowand <frank.rowand@sony.com>
+Date: Thu, 21 Nov 2019 13:16:56 -0600
+Subject: of: overlay: add_changeset_property() memory leak
+
+From: Frank Rowand <frank.rowand@sony.com>
+
+commit 637392a8506a3a7dd24ab9094a14f7522adb73b4 upstream.
+
+No changeset entries are created for #address-cells and #size-cells
+properties, but the duplicated properties are never freed. This
+results in a memory leak which is detected by kmemleak:
+
+ unreferenced object 0x85887180 (size 64):
+ backtrace:
+ kmem_cache_alloc_trace+0x1fb/0x1fc
+ __of_prop_dup+0x25/0x7c
+ add_changeset_property+0x17f/0x370
+ build_changeset_next_level+0x29/0x20c
+ of_overlay_fdt_apply+0x32b/0x6b4
+ ...
+
+Fixes: 6f75118800ac ("of: overlay: validate overlay properties #address-cells and #size-cells")
+Reported-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Tested-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/overlay.c | 37 ++++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+--- a/drivers/of/overlay.c
++++ b/drivers/of/overlay.c
+@@ -305,7 +305,6 @@ static int add_changeset_property(struct
+ {
+ struct property *new_prop = NULL, *prop;
+ int ret = 0;
+- bool check_for_non_overlay_node = false;
+
+ if (target->in_livetree)
+ if (!of_prop_cmp(overlay_prop->name, "name") ||
+@@ -318,6 +317,25 @@ static int add_changeset_property(struct
+ else
+ prop = NULL;
+
++ if (prop) {
++ if (!of_prop_cmp(prop->name, "#address-cells")) {
++ if (!of_prop_val_eq(prop, overlay_prop)) {
++ pr_err("ERROR: changing value of #address-cells is not allowed in %pOF\n",
++ target->np);
++ ret = -EINVAL;
++ }
++ return ret;
++
++ } else if (!of_prop_cmp(prop->name, "#size-cells")) {
++ if (!of_prop_val_eq(prop, overlay_prop)) {
++ pr_err("ERROR: changing value of #size-cells is not allowed in %pOF\n",
++ target->np);
++ ret = -EINVAL;
++ }
++ return ret;
++ }
++ }
++
+ if (is_symbols_prop) {
+ if (prop)
+ return -EINVAL;
+@@ -330,33 +348,18 @@ static int add_changeset_property(struct
+ return -ENOMEM;
+
+ if (!prop) {
+- check_for_non_overlay_node = true;
+ if (!target->in_livetree) {
+ new_prop->next = target->np->deadprops;
+ target->np->deadprops = new_prop;
+ }
+ ret = of_changeset_add_property(&ovcs->cset, target->np,
+ new_prop);
+- } else if (!of_prop_cmp(prop->name, "#address-cells")) {
+- if (!of_prop_val_eq(prop, new_prop)) {
+- pr_err("ERROR: changing value of #address-cells is not allowed in %pOF\n",
+- target->np);
+- ret = -EINVAL;
+- }
+- } else if (!of_prop_cmp(prop->name, "#size-cells")) {
+- if (!of_prop_val_eq(prop, new_prop)) {
+- pr_err("ERROR: changing value of #size-cells is not allowed in %pOF\n",
+- target->np);
+- ret = -EINVAL;
+- }
+ } else {
+- check_for_non_overlay_node = true;
+ ret = of_changeset_update_property(&ovcs->cset, target->np,
+ new_prop);
+ }
+
+- if (check_for_non_overlay_node &&
+- !of_node_check_flag(target->np, OF_OVERLAY))
++ if (!of_node_check_flag(target->np, OF_OVERLAY))
+ pr_err("WARNING: memory leak will occur if overlay removed, property: %pOF/%s\n",
+ target->np, new_prop->name);
+
--- /dev/null
+From aceb98261ea7d9fe38f9c140c5531f0b13623832 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 14 Nov 2019 16:25:38 +0200
+Subject: perf callchain: Fix segfault in thread__resolve_callchain_sample()
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit aceb98261ea7d9fe38f9c140c5531f0b13623832 upstream.
+
+Do not dereference 'chain' when it is NULL.
+
+ $ perf record -e intel_pt//u -e branch-misses:u uname
+ $ perf report --itrace=l --branch-history
+ perf: Segmentation fault
+
+Fixes: e9024d519d89 ("perf callchain: Honour the ordering of PERF_CONTEXT_{USER,KERNEL,etc}")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lore.kernel.org/lkml/20191114142538.4097-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/machine.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2403,7 +2403,7 @@ static int thread__resolve_callchain_sam
+ }
+
+ check_calls:
+- if (callchain_param.order != ORDER_CALLEE) {
++ if (chain && callchain_param.order != ORDER_CALLEE) {
+ err = find_prev_cpumode(chain, thread, cursor, parent, root_al,
+ &cpumode, chain->nr - first_call);
+ if (err)
--- /dev/null
+From e8796c6c69d129420ee94a1906b18d86b84644d4 Mon Sep 17 00:00:00 2001
+From: Michael Haener <michael.haener@siemens.com>
+Date: Fri, 29 Nov 2019 10:16:49 +0100
+Subject: platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table
+
+From: Michael Haener <michael.haener@siemens.com>
+
+commit e8796c6c69d129420ee94a1906b18d86b84644d4 upstream.
+
+The CONNECT X300 uses the PMC clock for on-board components and gets
+stuck during boot if the clock is disabled. Therefore, add this
+device to the critical systems list.
+Tested on CONNECT X300.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Signed-off-by: Michael Haener <michael.haener@siemens.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/pmc_atom.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -429,6 +429,14 @@ static const struct dmi_system_id critcl
+ DMI_MATCH(DMI_PRODUCT_VERSION, "6AV7882-0"),
+ },
+ },
++ {
++ .ident = "CONNECT X300",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "SIEMENS AG"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "A5E45074588"),
++ },
++ },
++
+ { /*sentinel*/ }
+ };
+
--- /dev/null
+From d68adc8f85cd757bd33c8d7b2660ad6f16f7f3dc Mon Sep 17 00:00:00 2001
+From: Leonard Crestez <leonard.crestez@nxp.com>
+Date: Tue, 24 Sep 2019 10:26:53 +0300
+Subject: PM / devfreq: Check NULL governor in available_governors_show
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+commit d68adc8f85cd757bd33c8d7b2660ad6f16f7f3dc upstream.
+
+The governor is initialized after sysfs attributes become visible so in
+theory the governor field can be NULL here.
+
+Fixes: bcf23c79c4e46 ("PM / devfreq: Fix available_governor sysfs")
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/devfreq/devfreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -1196,7 +1196,7 @@ static ssize_t available_governors_show(
+ * The devfreq with immutable governor (e.g., passive) shows
+ * only own governor.
+ */
+- if (df->governor->immutable) {
++ if (df->governor && df->governor->immutable) {
+ count = scnprintf(&buf[count], DEVFREQ_NAME_LEN,
+ "%s ", df->governor_name);
+ /*
--- /dev/null
+From 076265907cf9633bbef861c7c2a1c26a8209f283 Mon Sep 17 00:00:00 2001
+From: Alastair D'Silva <alastair@d-silva.org>
+Date: Mon, 4 Nov 2019 13:32:57 +1100
+Subject: powerpc: Chunk calls to flush_dcache_range in arch_*_memory
+
+From: Alastair D'Silva <alastair@d-silva.org>
+
+commit 076265907cf9633bbef861c7c2a1c26a8209f283 upstream.
+
+When presented with large amounts of memory being hotplugged
+(in my test case, ~890GB), the call to flush_dcache_range takes
+a while (~50 seconds), triggering RCU stalls.
+
+This patch breaks up the call into 1GB chunks, calling
+cond_resched() inbetween to allow the scheduler to run.
+
+Fixes: fb5924fddf9e ("powerpc/mm: Flush cache on memory hot(un)plug")
+Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191104023305.9581-6-alastair@au1.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/mem.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/mm/mem.c
++++ b/arch/powerpc/mm/mem.c
+@@ -104,6 +104,27 @@ int __weak remove_section_mapping(unsign
+ return -ENODEV;
+ }
+
++#define FLUSH_CHUNK_SIZE SZ_1G
++/**
++ * flush_dcache_range_chunked(): Write any modified data cache blocks out to
++ * memory and invalidate them, in chunks of up to FLUSH_CHUNK_SIZE
++ * Does not invalidate the corresponding instruction cache blocks.
++ *
++ * @start: the start address
++ * @stop: the stop address (exclusive)
++ * @chunk: the max size of the chunks
++ */
++static void flush_dcache_range_chunked(unsigned long start, unsigned long stop,
++ unsigned long chunk)
++{
++ unsigned long i;
++
++ for (i = start; i < stop; i += chunk) {
++ flush_dcache_range(i, min(stop, start + chunk));
++ cond_resched();
++ }
++}
++
+ int __ref arch_add_memory(int nid, u64 start, u64 size,
+ struct mhp_restrictions *restrictions)
+ {
+@@ -120,7 +141,8 @@ int __ref arch_add_memory(int nid, u64 s
+ start, start + size, rc);
+ return -EFAULT;
+ }
+- flush_dcache_range(start, start + size);
++
++ flush_dcache_range_chunked(start, start + size, FLUSH_CHUNK_SIZE);
+
+ return __add_pages(nid, start_pfn, nr_pages, restrictions);
+ }
+@@ -136,7 +158,8 @@ void __ref arch_remove_memory(int nid, u
+
+ /* Remove htab bolted mappings for this section of memory */
+ start = (unsigned long)__va(start);
+- flush_dcache_range(start, start + size);
++ flush_dcache_range_chunked(start, start + size, FLUSH_CHUNK_SIZE);
++
+ ret = remove_section_mapping(start, start + size);
+ WARN_ON_ONCE(ret);
+
arm64-revert-support-for-execute-only-user-mappings.patch
ftrace-avoid-potential-division-by-zero-in-function-profiler.patch
spi-spi-fsl-dspi-fix-16-bit-word-order-in-32-bit-xspi-mode.patch
+drm-msm-include-linux-sched-task.h.patch
+pm-devfreq-check-null-governor-in-available_governors_show.patch
+sunrpc-fix-crash-when-cache_head-become-valid-before-update.patch
+arm64-dts-qcom-msm8998-clamshell-remove-retention-idle-state.patch
+nfsd4-fix-up-replay_matches_cache.patch
+powerpc-chunk-calls-to-flush_dcache_range-in-arch_-_memory.patch
+hid-i2c-hid-reset-alps-touchpads-on-resume.patch
+net-sched-annotate-lockless-accesses-to-qdisc-empty.patch
+kernel-module.c-wakeup-processes-in-module_wq-on-module-unload.patch
+acpi-sysfs-change-acpi_maskable_gpe_max-to-0x100.patch
+perf-callchain-fix-segfault-in-thread__resolve_callchain_sample.patch
+dma-direct-don-t-check-swiotlb-force-in-dma_direct_map_resource.patch
+dma-direct-exclude-dma_direct_map_resource-from-the-min_low_pfn-check.patch
+iommu-vt-d-remove-incorrect-psi-capability-check.patch
+of-overlay-add_changeset_property-memory-leak.patch
+cifs-fix-potential-softlockups-while-refreshing-dfs-cache.patch
+firmware-arm_scmi-avoid-double-free-in-error-flow.patch
+xfs-don-t-check-for-ag-deadlock-for-realtime-files-in-bunmapi.patch
+platform-x86-pmc_atom-add-siemens-connect-x300-to-critclk_systems-dmi-table.patch
+netfilter-nf_queue-enqueue-skbs-with-null-dst.patch
+net-sysctl-fix-compiler-warning-when-only-cbpf-is-present.patch
--- /dev/null
+From 5fcaf6982d1167f1cd9b264704f6d1ef4c505d54 Mon Sep 17 00:00:00 2001
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Date: Tue, 1 Oct 2019 11:03:59 +0300
+Subject: sunrpc: fix crash when cache_head become valid before update
+
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+
+commit 5fcaf6982d1167f1cd9b264704f6d1ef4c505d54 upstream.
+
+I was investigating a crash in our Virtuozzo7 kernel which happened in
+in svcauth_unix_set_client. I found out that we access m_client field
+in ip_map structure, which was received from sunrpc_cache_lookup (we
+have a bit older kernel, now the code is in sunrpc_cache_add_entry), and
+these field looks uninitialized (m_client == 0x74 don't look like a
+pointer) but in the cache_head in flags we see 0x1 which is CACHE_VALID.
+
+It looks like the problem appeared from our previous fix to sunrpc (1):
+commit 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued
+request")
+
+And we've also found a patch already fixing our patch (2):
+commit d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
+
+Though the crash is eliminated, I think the core of the problem is not
+completely fixed:
+
+Neil in the patch (2) makes cache_head CACHE_NEGATIVE, before
+cache_fresh_locked which was added in (1) to fix crash. These way
+cache_is_valid won't say the cache is valid anymore and in
+svcauth_unix_set_client the function cache_check will return error
+instead of 0, and we don't count entry as initialized.
+
+But it looks like we need to remove cache_fresh_locked completely in
+sunrpc_cache_lookup:
+
+In (1) we've only wanted to make cache_fresh_unlocked->cache_dequeue so
+that cache_requests with no readers also release corresponding
+cache_head, to fix their leak. We with Vasily were not sure if
+cache_fresh_locked and cache_fresh_unlocked should be used in pair or
+not, so we've guessed to use them in pair.
+
+Now we see that we don't want the CACHE_VALID bit set here by
+cache_fresh_locked, as "valid" means "initialized" and there is no
+initialization in sunrpc_cache_add_entry. Both expiry_time and
+last_refresh are not used in cache_fresh_unlocked code-path and also not
+required for the initial fix.
+
+So to conclude cache_fresh_locked was called by mistake, and we can just
+safely remove it instead of crutching it with CACHE_NEGATIVE. It looks
+ideologically better for me. Hope I don't miss something here.
+
+Here is our crash backtrace:
+[13108726.326291] BUG: unable to handle kernel NULL pointer dereference at 0000000000000074
+[13108726.326365] IP: [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.326448] PGD 0
+[13108726.326468] Oops: 0002 [#1] SMP
+[13108726.326497] Modules linked in: nbd isofs xfs loop kpatch_cumulative_81_0_r1(O) xt_physdev nfnetlink_queue bluetooth rfkill ip6table_nat nf_nat_ipv6 ip_vs_wrr ip_vs_wlc ip_vs_sh nf_conntrack_netlink ip_vs_sed ip_vs_pe_sip nf_conntrack_sip ip_vs_nq ip_vs_lc ip_vs_lblcr ip_vs_lblc ip_vs_ftp ip_vs_dh nf_nat_ftp nf_conntrack_ftp iptable_raw xt_recent nf_log_ipv6 xt_hl ip6t_rt nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_TCPMSS xt_tcpmss vxlan ip6_udp_tunnel udp_tunnel xt_statistic xt_NFLOG nfnetlink_log dummy xt_mark xt_REDIRECT nf_nat_redirect raw_diag udp_diag tcp_diag inet_diag netlink_diag af_packet_diag unix_diag rpcsec_gss_krb5 xt_addrtype ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 ebtable_nat ebtable_broute nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_raw nfsv4
+[13108726.327173] dns_resolver cls_u32 binfmt_misc arptable_filter arp_tables ip6table_filter ip6_tables devlink fuse_kio_pcs ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_nat iptable_nat nf_nat_ipv4 xt_comment nf_conntrack_ipv4 nf_defrag_ipv4 xt_wdog_tmo xt_multiport bonding xt_set xt_conntrack iptable_filter iptable_mangle kpatch(O) ebtable_filter ebt_among ebtables ip_set_hash_ip ip_set nfnetlink vfat fat skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass fuse pcspkr ses enclosure joydev sg mei_me hpwdt hpilo lpc_ich mei ipmi_si shpchp ipmi_devintf ipmi_msghandler xt_ipvs acpi_power_meter ip_vs_rr nfsv3 nfsd auth_rpcgss nfs_acl nfs lockd grace fscache nf_nat cls_fw sch_htb sch_cbq sch_sfq ip_vs em_u32 nf_conntrack tun br_netfilter veth overlay ip6_vzprivnet ip6_vznetstat ip_vznetstat
+[13108726.327817] ip_vzprivnet vziolimit vzevent vzlist vzstat vznetstat vznetdev vzmon vzdev bridge pio_kaio pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper scsi_transport_iscsi 8021q syscopyarea sysfillrect garp sysimgblt fb_sys_fops mrp stp ttm llc bnx2x crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel drm dm_multipath ghash_clmulni_intel uas aesni_intel lrw gf128mul glue_helper ablk_helper cryptd tg3 smartpqi scsi_transport_sas mdio libcrc32c i2c_core usb_storage ptp pps_core wmi sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: kpatch_cumulative_82_0_r1]
+[13108726.328403] CPU: 35 PID: 63742 Comm: nfsd ve: 51332 Kdump: loaded Tainted: G W O ------------ 3.10.0-862.20.2.vz7.73.29 #1 73.29
+[13108726.328491] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 10/02/2018
+[13108726.328554] task: ffffa0a6a41b1160 ti: ffffa0c2a74bc000 task.ti: ffffa0c2a74bc000
+[13108726.328610] RIP: 0010:[<ffffffffc01f79eb>] [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.328706] RSP: 0018:ffffa0c2a74bfd80 EFLAGS: 00010246
+[13108726.328750] RAX: 0000000000000001 RBX: ffffa0a6183ae000 RCX: 0000000000000000
+[13108726.328811] RDX: 0000000000000074 RSI: 0000000000000286 RDI: ffffa0c2a74bfcf0
+[13108726.328864] RBP: ffffa0c2a74bfe00 R08: ffffa0bab8c22960 R09: 0000000000000001
+[13108726.328916] R10: 0000000000000001 R11: 0000000000000001 R12: ffffa0a32aa7f000
+[13108726.328969] R13: ffffa0a6183afac0 R14: ffffa0c233d88d00 R15: ffffa0c2a74bfdb4
+[13108726.329022] FS: 0000000000000000(0000) GS:ffffa0e17f9c0000(0000) knlGS:0000000000000000
+[13108726.329081] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[13108726.332311] CR2: 0000000000000074 CR3: 00000026a1b28000 CR4: 00000000007607e0
+[13108726.334606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[13108726.336754] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[13108726.338908] PKRU: 00000000
+[13108726.341047] Call Trace:
+[13108726.343074] [<ffffffff8a2c78b4>] ? groups_alloc+0x34/0x110
+[13108726.344837] [<ffffffffc01f5eb4>] svc_set_client+0x24/0x30 [sunrpc]
+[13108726.346631] [<ffffffffc01f2ac1>] svc_process_common+0x241/0x710 [sunrpc]
+[13108726.348332] [<ffffffffc01f3093>] svc_process+0x103/0x190 [sunrpc]
+[13108726.350016] [<ffffffffc07d605f>] nfsd+0xdf/0x150 [nfsd]
+[13108726.351735] [<ffffffffc07d5f80>] ? nfsd_destroy+0x80/0x80 [nfsd]
+[13108726.353459] [<ffffffff8a2bf741>] kthread+0xd1/0xe0
+[13108726.355195] [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
+[13108726.356896] [<ffffffff8a9556dd>] ret_from_fork_nospec_begin+0x7/0x21
+[13108726.358577] [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
+[13108726.360240] Code: 4c 8b 45 98 0f 8e 2e 01 00 00 83 f8 fe 0f 84 76 fe ff ff 85 c0 0f 85 2b 01 00 00 49 8b 50 40 b8 01 00 00 00 48 89 93 d0 1a 00 00 <f0> 0f c1 02 83 c0 01 83 f8 01 0f 8e 53 02 00 00 49 8b 44 24 38
+[13108726.363769] RIP [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.365530] RSP <ffffa0c2a74bfd80>
+[13108726.367179] CR2: 0000000000000074
+
+Fixes: d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
+Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Acked-by: NeilBrown <neilb@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/cache.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -53,9 +53,6 @@ static void cache_init(struct cache_head
+ h->last_refresh = now;
+ }
+
+-static inline int cache_is_valid(struct cache_head *h);
+-static void cache_fresh_locked(struct cache_head *head, time_t expiry,
+- struct cache_detail *detail);
+ static void cache_fresh_unlocked(struct cache_head *head,
+ struct cache_detail *detail);
+
+@@ -105,9 +102,6 @@ static struct cache_head *sunrpc_cache_a
+ if (cache_is_expired(detail, tmp)) {
+ hlist_del_init_rcu(&tmp->cache_list);
+ detail->entries --;
+- if (cache_is_valid(tmp) == -EAGAIN)
+- set_bit(CACHE_NEGATIVE, &tmp->flags);
+- cache_fresh_locked(tmp, 0, detail);
+ freeme = tmp;
+ break;
+ }
--- /dev/null
+From 69ffe5960df16938bccfe1b65382af0b3de51265 Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Tue, 26 Nov 2019 16:58:08 -0800
+Subject: xfs: don't check for AG deadlock for realtime files in bunmapi
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit 69ffe5960df16938bccfe1b65382af0b3de51265 upstream.
+
+Commit 5b094d6dac04 ("xfs: fix multi-AG deadlock in xfs_bunmapi") added
+a check in __xfs_bunmapi() to stop early if we would touch multiple AGs
+in the wrong order. However, this check isn't applicable for realtime
+files. In most cases, it just makes us do unnecessary commits. However,
+without the fix from the previous commit ("xfs: fix realtime file data
+space leak"), if the last and second-to-last extents also happen to have
+different "AG numbers", then the break actually causes __xfs_bunmapi()
+to return without making any progress, which sends
+xfs_itruncate_extents_flags() into an infinite loop.
+
+Fixes: 5b094d6dac04 ("xfs: fix multi-AG deadlock in xfs_bunmapi")
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/libxfs/xfs_bmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -5300,7 +5300,7 @@ __xfs_bunmapi(
+ * Make sure we don't touch multiple AGF headers out of order
+ * in a single transaction, as that could cause AB-BA deadlocks.
+ */
+- if (!wasdel) {
++ if (!wasdel && !isrt) {
+ agno = XFS_FSB_TO_AGNO(mp, del.br_startblock);
+ if (prev_agno != NULLAGNUMBER && prev_agno > agno)
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
