--- /dev/null
+From 709aaf4194afe261c815152949e0eff305899967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 11:39:48 +0200
+Subject: ARM: dts: am437x-gp/epos-evm: fix panel compatible
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit c6b16761c6908d3dc167a0a566578b4b0b972905 ]
+
+The LCD panel on AM4 GP EVMs and ePOS boards seems to be
+osd070t1718-19ts. The current dts files say osd057T0559-34ts. Possibly
+the panel has changed since the early EVMs, or there has been a mistake
+with the panel type.
+
+Update the DT files accordingly.
+
+Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am437x-gp-evm.dts | 2 +-
+ arch/arm/boot/dts/am43x-epos-evm.dts | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am437x-gp-evm.dts b/arch/arm/boot/dts/am437x-gp-evm.dts
+index afb8eb0a0a16..051823b7e5a1 100644
+--- a/arch/arm/boot/dts/am437x-gp-evm.dts
++++ b/arch/arm/boot/dts/am437x-gp-evm.dts
+@@ -83,7 +83,7 @@
+ };
+
+ lcd0: display {
+- compatible = "osddisplays,osd057T0559-34ts", "panel-dpi";
++ compatible = "osddisplays,osd070t1718-19ts", "panel-dpi";
+ label = "lcd";
+
+ panel-timing {
+diff --git a/arch/arm/boot/dts/am43x-epos-evm.dts b/arch/arm/boot/dts/am43x-epos-evm.dts
+index 081fa68b6f98..c4279b0b9f12 100644
+--- a/arch/arm/boot/dts/am43x-epos-evm.dts
++++ b/arch/arm/boot/dts/am43x-epos-evm.dts
+@@ -45,7 +45,7 @@
+ };
+
+ lcd0: display {
+- compatible = "osddisplays,osd057T0559-34ts", "panel-dpi";
++ compatible = "osddisplays,osd070t1718-19ts", "panel-dpi";
+ label = "lcd";
+
+ panel-timing {
+--
+2.20.1
+
--- /dev/null
+From 37285b62e671a49ff9240de22b263748a11c21bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2019 13:31:13 +0100
+Subject: ARM: dts: bcm283x: Fix critical trip point
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit 30e647a764d446723a7e0fb08d209e0104f16173 ]
+
+During definition of the CPU thermal zone of BCM283x SoC family there
+was a misunderstanding of the meaning "criticial trip point" and the
+thermal throttling range of the VideoCore firmware. The latter one takes
+effect when the core temperature is at least 85 degree celsius or higher
+
+So the current critical trip point doesn't make sense, because the
+thermal shutdown appears before the firmware has a chance to throttle
+the ARM core(s).
+
+Fix these unwanted shutdowns by increasing the critical trip point
+to a value which shouldn't be reached with working thermal throttling.
+
+Fixes: 0fe4d2181cc4 ("ARM: dts: bcm283x: Add CPU thermal zone with 1 trip point")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm283x.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm283x.dtsi b/arch/arm/boot/dts/bcm283x.dtsi
+index 4745e3c7806b..fdb018e1278f 100644
+--- a/arch/arm/boot/dts/bcm283x.dtsi
++++ b/arch/arm/boot/dts/bcm283x.dtsi
+@@ -38,7 +38,7 @@
+
+ trips {
+ cpu-crit {
+- temperature = <80000>;
++ temperature = <90000>;
+ hysteresis = <0>;
+ type = "critical";
+ };
+--
+2.20.1
+
--- /dev/null
+From 9aee3740cb00989c4b48e3a8bbed861a738f8750 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 10:19:09 -0800
+Subject: ARM: dts: Cygnus: Fix MDIO node address/size cells
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit fac2c2da3596d77c343988bb0d41a8c533b2e73c ]
+
+The MDIO node on Cygnus had an reversed #address-cells and
+ #size-cells properties, correct those.
+
+Fixes: 40c26d3af60a ("ARM: dts: Cygnus: Add the ethernet switch and ethernet PHY")
+Reported-by: Simon Horman <simon.horman@netronome.com>
+Reviewed-by: Ray Jui <ray.jui@broadcom.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm-cygnus.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm-cygnus.dtsi b/arch/arm/boot/dts/bcm-cygnus.dtsi
+index 8b2c65cd61a2..b822952c29f8 100644
+--- a/arch/arm/boot/dts/bcm-cygnus.dtsi
++++ b/arch/arm/boot/dts/bcm-cygnus.dtsi
+@@ -165,8 +165,8 @@
+ mdio: mdio@18002000 {
+ compatible = "brcm,iproc-mdio";
+ reg = <0x18002000 0x8>;
+- #size-cells = <1>;
+- #address-cells = <0>;
++ #size-cells = <0>;
++ #address-cells = <1>;
+ status = "disabled";
+
+ gphy0: ethernet-phy@0 {
+--
+2.20.1
+
--- /dev/null
+From 4119c33deeaaf36b0cef95a2dfe03795c31d3445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 15:56:40 +0000
+Subject: ARM: vexpress: Set-up shared OPP table instead of individual for each
+ CPU
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 2a76352ad2cc6b78e58f737714879cc860903802 ]
+
+Currently we add individual copy of same OPP table for each CPU within
+the cluster. This is redundant and doesn't reflect the reality.
+
+We can't use core cpumask to set policy->cpus in ve_spc_cpufreq_init()
+anymore as it gets called via cpuhp_cpufreq_online()->cpufreq_online()
+->cpufreq_driver->init() and the cpumask gets updated upon CPU hotplug
+operations. It also may cause issues when the vexpress_spc_cpufreq
+driver is built as a module.
+
+Since ve_spc_clk_init is built-in device initcall, we should be able to
+use the same topology_core_cpumask to set the opp sharing cpumask via
+dev_pm_opp_set_sharing_cpus and use the same later in the driver via
+dev_pm_opp_get_sharing_cpus.
+
+Cc: Liviu Dudau <liviu.dudau@arm.com>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-vexpress/spc.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c
+index fe488523694c..635b0d549487 100644
+--- a/arch/arm/mach-vexpress/spc.c
++++ b/arch/arm/mach-vexpress/spc.c
+@@ -555,8 +555,9 @@ static struct clk *ve_spc_clk_register(struct device *cpu_dev)
+
+ static int __init ve_spc_clk_init(void)
+ {
+- int cpu;
++ int cpu, cluster;
+ struct clk *clk;
++ bool init_opp_table[MAX_CLUSTERS] = { false };
+
+ if (!info)
+ return 0; /* Continue only if SPC is initialised */
+@@ -582,8 +583,17 @@ static int __init ve_spc_clk_init(void)
+ continue;
+ }
+
++ cluster = topology_physical_package_id(cpu_dev->id);
++ if (init_opp_table[cluster])
++ continue;
++
+ if (ve_init_opp_table(cpu_dev))
+ pr_warn("failed to initialise cpu%d opp table\n", cpu);
++ else if (dev_pm_opp_set_sharing_cpus(cpu_dev,
++ topology_core_cpumask(cpu_dev->id)))
++ pr_warn("failed to mark OPPs shared for cpu%d\n", cpu);
++ else
++ init_opp_table[cluster] = true;
+ }
+
+ platform_device_register_simple("vexpress-spc-cpufreq", -1, NULL, 0);
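Review bot: `cluster` indexes `init_opp_table[MAX_CLUSTERS]` with no range check, both in the added `if (init_opp_table[cluster])` test and in the final `else` branch that sets the flag. If `topology_physical_package_id()` can return a negative or out-of-range id at this point in boot (presumably -1 when the CPU topology has not been populated yet; confirm against the arch code), the read and the write both land outside the stack array. A guard before the lookup, `if (cluster < 0 || cluster >= MAX_CLUSTERS) continue;`, ideally with a `pr_warn()` naming the CPU, would make the assumption explicit. The loop and the rest of ve_spc_clk_init() start outside this hunk.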
+--
+2.20.1
+
--- /dev/null
+From ddb2e959c92a484e930193e6bfa470a5c85e6730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 18:39:39 -0600
+Subject: ASoC: topology: Check return value for soc_tplg_pcm_create()
+
+From: Dragos Tarcatu <dragos_tarcatu@mentor.com>
+
+[ Upstream commit a3039aef52d9ffeb67e9211899cd3e8a2953a01f ]
+
+The return value of soc_tplg_pcm_create() is currently not checked
+in soc_tplg_pcm_elems_load(). If an error is to occur there, the
+topology ignores it and continues loading.
+
+Fix that by checking the status and rejecting the topology on error.
+
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20191210003939.15752-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-topology.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index 2d5cf263515b..72301bcad3bd 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1921,6 +1921,7 @@ static int soc_tplg_pcm_elems_load(struct soc_tplg *tplg,
+ int count = hdr->count;
+ int i;
+ bool abi_match;
++ int ret;
+
+ if (tplg->pass != SOC_TPLG_PASS_PCM_DAI)
+ return 0;
+@@ -1957,7 +1958,12 @@ static int soc_tplg_pcm_elems_load(struct soc_tplg *tplg,
+ }
+
+ /* create the FE DAIs and DAI links */
+- soc_tplg_pcm_create(tplg, _pcm);
++ ret = soc_tplg_pcm_create(tplg, _pcm);
++ if (ret < 0) {
++ if (!abi_match)
++ kfree(_pcm);
++ return ret;
++ }
+
+ /* offset by version-specific struct size and
+ * real priv data size
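Review bot: The new error path frees `_pcm` only when `!abi_match`, and nothing in the hunk says why, so the ownership rule has to be reconstructed from code that is not shown. A one-line comment above the `kfree()` would help, for example `/* _pcm is a separately allocated copy only when the ABI did not match */`; this reading is inferred from the condition and should be checked against the allocation earlier in the loop. It is also worth confirming that PCMs created by earlier iterations are torn down by the caller when this function now returns an error part-way through a topology. soc_tplg_pcm_elems_load() begins and ends outside the hunk.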
+--
+2.20.1
+
--- /dev/null
+From dee19a23f0156d9ff8a8cbacc00e15e37eed528f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 19:57:22 +0800
+Subject: ASoC: wm8962: fix lambda value
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 556672d75ff486e0b6786056da624131679e0576 ]
+
+According to user manual, it is required that FLL_LAMBDA > 0
+in all cases (Integer and Franctional modes).
+
+Fixes: 9a76f1ff6e29 ("ASoC: Add initial WM8962 CODEC driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/1576065442-19763-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm8962.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
+index fd2731d171dd..0e8008d38161 100644
+--- a/sound/soc/codecs/wm8962.c
++++ b/sound/soc/codecs/wm8962.c
+@@ -2791,7 +2791,7 @@ static int fll_factors(struct _fll_div *fll_div, unsigned int Fref,
+
+ if (target % Fref == 0) {
+ fll_div->theta = 0;
+- fll_div->lambda = 0;
++ fll_div->lambda = 1;
+ } else {
+ gcd_fll = gcd(target, fratio * Fref);
+
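Review bot: The literal `1` assigned to `fll_div->lambda` in the integer-mode branch reads like an arbitrary value because the datasheet rule is not stated next to it. A short comment on that assignment, such as `/* FLL_LAMBDA must be non-zero even in integer mode */`, would keep a later cleanup from resetting it to 0. The second hunk, in wm8962_set_fll(), relies on the same rule: `WM8962_FLL_FRAC` is now keyed on `theta` alone because `lambda` is never 0, and that deserves the same one-line remark there. fll_factors() continues outside the hunk.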
+@@ -2861,7 +2861,7 @@ static int wm8962_set_fll(struct snd_soc_codec *codec, int fll_id, int source,
+ return -EINVAL;
+ }
+
+- if (fll_div.theta || fll_div.lambda)
++ if (fll_div.theta)
+ fll1 |= WM8962_FLL_FRAC;
+
+ /* Stop the FLL while we reconfigure */
+--
+2.20.1
+
--- /dev/null
+From a1a4fd11ba823986311e2d52135ecfb721886006 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 16:44:04 +0800
+Subject: block: fix memleak when __blk_rq_map_user_iov() is failed
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3b7995a98ad76da5597b488fa84aa5a56d43b608 ]
+
+When I doing fuzzy test, get the memleak report:
+
+BUG: memory leak
+unreferenced object 0xffff88837af80000 (size 4096):
+ comm "memleak", pid 3557, jiffies 4294817681 (age 112.499s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 20 00 00 00 10 01 00 00 00 00 00 00 01 00 00 00 ...............
+ backtrace:
+ [<000000001c894df8>] bio_alloc_bioset+0x393/0x590
+ [<000000008b139a3c>] bio_copy_user_iov+0x300/0xcd0
+ [<00000000a998bd8c>] blk_rq_map_user_iov+0x2f1/0x5f0
+ [<000000005ceb7f05>] blk_rq_map_user+0xf2/0x160
+ [<000000006454da92>] sg_common_write.isra.21+0x1094/0x1870
+ [<00000000064bb208>] sg_write.part.25+0x5d9/0x950
+ [<000000004fc670f6>] sg_write+0x5f/0x8c
+ [<00000000b0d05c7b>] __vfs_write+0x7c/0x100
+ [<000000008e177714>] vfs_write+0x1c3/0x500
+ [<0000000087d23f34>] ksys_write+0xf9/0x200
+ [<000000002c8dbc9d>] do_syscall_64+0x9f/0x4f0
+ [<00000000678d8e9a>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+If __blk_rq_map_user_iov() is failed in blk_rq_map_user_iov(),
+the bio(s) which is allocated before this failing will leak. The
+refcount of the bio(s) is init to 1 and increased to 2 by calling
+bio_get(), but __blk_rq_unmap_user() only decrease it to 1, so
+the bio cannot be freed. Fix it by calling blk_rq_unmap_user().
+
+Reviewed-by: Bob Liu <bob.liu@oracle.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-map.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index e31be14da8ea..f72a3af689b6 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -152,7 +152,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ return 0;
+
+ unmap_rq:
+- __blk_rq_unmap_user(bio);
++ blk_rq_unmap_user(bio);
+ fail:
+ rq->bio = NULL;
+ return ret;
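Review bot: The `unmap_rq` label now calls `blk_rq_unmap_user()` where the double-underscore variant stood, and the two names differ by so little that the reason is easy to lose in a later refactor. A comment at the label would record it, for example `/* also drops the bio_get() reference; __blk_rq_unmap_user() alone leaves the bio at refcount 1 */`, which follows the commit description. The return value of `blk_rq_unmap_user()` is discarded here; that looks acceptable on an error path where `ret` already holds the failure, but it is worth saying so. Whether `bio` can still be NULL when this label is reached is not visible in the hunk.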
+--
+2.20.1
+
--- /dev/null
+From 531fd39d73b6d53a85788e1442f37c30380aca1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 09:59:55 -0800
+Subject: bnx2x: Do not handle requests from VFs after parity
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit 7113f796bbbced2470cd6d7379d50d7a7a78bf34 ]
+
+Parity error from the hardware will cause PF to lose the state
+of their VFs due to PF's internal reload and hardware reset following
+the parity error. Restrict any configuration request from the VFs after
+the parity as it could cause unexpected hardware behavior, only way
+for VFs to recover would be to trigger FLR on VFs and reload them.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 12 ++++++++++--
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 +
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 12 ++++++++++++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index dbe8feec456c..b0ada7eac652 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -9995,10 +9995,18 @@ static void bnx2x_recovery_failed(struct bnx2x *bp)
+ */
+ static void bnx2x_parity_recover(struct bnx2x *bp)
+ {
+- bool global = false;
+ u32 error_recovered, error_unrecovered;
+- bool is_parity;
++ bool is_parity, global = false;
++#ifdef CONFIG_BNX2X_SRIOV
++ int vf_idx;
++
++ for (vf_idx = 0; vf_idx < bp->requested_nr_virtfn; vf_idx++) {
++ struct bnx2x_virtf *vf = BP_VF(bp, vf_idx);
+
++ if (vf)
++ vf->state = VF_LOST;
++ }
++#endif
+ DP(NETIF_MSG_HW, "Handling parity\n");
+ while (1) {
+ switch (bp->recovery_state) {
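Review bot: `vf->state = VF_LOST` is written in the loop at the top of bnx2x_parity_recover() with no lock visible in the hunk, and the matching test in bnx2x_vf_mbx_request() (the bnx2x_vfpf.c hunk) sits before the point where the per-VF op mutex is taken. A VF request that has already passed that test could therefore still be processed while the PF resets, which is the case the commit wants to exclude; VFs are typically driven by a guest, so the window matters. If the mailbox path can run concurrently with recovery, repeat the test once the mutex is held; if it cannot, say so next to the loop, e.g. `/* VF mailbox handling cannot run concurrently with parity recovery because ... */`. The loop also runs on every entry to the function, before `bp->recovery_state` is examined, which should be confirmed as intended.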
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+index 53466f6cebab..a887bfa24c88 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+@@ -139,6 +139,7 @@ struct bnx2x_virtf {
+ #define VF_ACQUIRED 1 /* VF acquired, but not initialized */
+ #define VF_ENABLED 2 /* VF Enabled */
+ #define VF_RESET 3 /* VF FLR'd, pending cleanup */
++#define VF_LOST 4 /* Recovery while VFs are loaded */
+
+ bool flr_clnup_stage; /* true during flr cleanup */
+ bool malicious; /* true if FW indicated so, until FLR */
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+index 76a4668c50fe..6d5b81a971e3 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+@@ -2112,6 +2112,18 @@ static void bnx2x_vf_mbx_request(struct bnx2x *bp, struct bnx2x_virtf *vf,
+ {
+ int i;
+
++ if (vf->state == VF_LOST) {
++ /* Just ack the FW and return if VFs are lost
++ * in case of parity error. VFs are supposed to be timedout
++ * on waiting for PF response.
++ */
++ DP(BNX2X_MSG_IOV,
++ "VF 0x%x lost, not handling the request\n", vf->abs_vfid);
++
++ storm_memset_vf_mbx_ack(bp, vf->abs_vfid);
++ return;
++ }
++
+ /* check if tlv type is known */
+ if (bnx2x_tlv_supported(mbx->first_tlv.tl.type)) {
+ /* Lock the per vf op mutex and note the locker's identity.
+--
+2.20.1
+
--- /dev/null
+From 4c65a82cea1f4ab725c5570bf618b6043e7c193c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 09:59:56 -0800
+Subject: bnx2x: Fix logic to get total no. of PFs per engine
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit ee699f89bdbaa19c399804504241b5c531b48888 ]
+
+Driver doesn't calculate total number of PFs configured on a
+given engine correctly which messed up resources in the PFs
+loaded on that engine, leading driver to exceed configuration
+of resources (like vlan filters etc.) beyond the limit per
+engine, which ended up with asserts from the firmware.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+index 4e091a11daaf..52bce009d096 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+@@ -1112,7 +1112,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp)
+ for (i = 0; i < E1H_FUNC_MAX / 2; i++) {
+ u32 func_config =
+ MF_CFG_RD(bp,
+- func_mf_config[BP_PORT(bp) + 2 * i].
++ func_mf_config[BP_PATH(bp) + 2 * i].
+ config);
+ func_num +=
+ ((func_config & FUNC_MF_CFG_FUNC_HIDE) ? 0 : 1);
+--
+2.20.1
+
--- /dev/null
+From c2bbcd04eb508e647163ae8cf8beb91b62b97439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 19:52:52 +0100
+Subject: bpf, mips: Limit to 33 tail calls
+
+From: Paul Chaignon <paul.chaignon@orange.com>
+
+[ Upstream commit e49e6f6db04e915dccb494ae10fa14888fea6f89 ]
+
+All BPF JIT compilers except RISC-V's and MIPS' enforce a 33-tail calls
+limit at runtime. In addition, a test was recently added, in tailcalls2,
+to check this limit.
+
+This patch updates the tail call limit in MIPS' JIT compiler to allow
+33 tail calls.
+
+Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
+Reported-by: Mahshid Khezri <khezri.mahshid@gmail.com>
+Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/b8eb2caac1c25453c539248e56ca22f74b5316af.1575916815.git.paul.chaignon@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/net/ebpf_jit.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/net/ebpf_jit.c b/arch/mips/net/ebpf_jit.c
+index 42faa95ce664..57a7a9d68475 100644
+--- a/arch/mips/net/ebpf_jit.c
++++ b/arch/mips/net/ebpf_jit.c
+@@ -612,6 +612,7 @@ static void emit_const_to_reg(struct jit_ctx *ctx, int dst, u64 value)
+ static int emit_bpf_tail_call(struct jit_ctx *ctx, int this_idx)
+ {
+ int off, b_off;
++ int tcc_reg;
+
+ ctx->flags |= EBPF_SEEN_TC;
+ /*
+@@ -624,14 +625,14 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx, int this_idx)
+ b_off = b_imm(this_idx + 1, ctx);
+ emit_instr(ctx, bne, MIPS_R_AT, MIPS_R_ZERO, b_off);
+ /*
+- * if (--TCC < 0)
++ * if (TCC-- < 0)
+ * goto out;
+ */
+ /* Delay slot */
+- emit_instr(ctx, daddiu, MIPS_R_T5,
+- (ctx->flags & EBPF_TCC_IN_V1) ? MIPS_R_V1 : MIPS_R_S4, -1);
++ tcc_reg = (ctx->flags & EBPF_TCC_IN_V1) ? MIPS_R_V1 : MIPS_R_S4;
++ emit_instr(ctx, daddiu, MIPS_R_T5, tcc_reg, -1);
+ b_off = b_imm(this_idx + 1, ctx);
+- emit_instr(ctx, bltz, MIPS_R_T5, b_off);
++ emit_instr(ctx, bltz, tcc_reg, b_off);
+ /*
+ * prog = array->ptrs[index];
+ * if (prog == NULL)
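Review bot: The `bltz` now tests `tcc_reg`, the count before the decrement, while the decremented copy sits in `MIPS_R_T5`, and the only explanation is the pseudo-code comment changing from `--TCC` to `TCC--`. Since this test is what bounds chained tail calls, I would spell it out above the branch: `/* test the pre-decrement count so that 33 tail calls are allowed, matching the other JITs */`. That the value in `MIPS_R_T5` is copied back into the TCC register later, and that the initial count is set accordingly, is assumed here because that code is outside the hunk. emit_bpf_tail_call() continues past the end of the hunk.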
+--
+2.20.1
+
--- /dev/null
+From 0774b924fa6a55cfd702683e999436bf6a370c11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 16:55:40 +0000
+Subject: efi/gop: Fix memory leak in __gop_query32/64()
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit ff397be685e410a59c34b21ce0c55d4daa466bb7 ]
+
+efi_graphics_output_protocol::query_mode() returns info in
+callee-allocated memory which must be freed by the caller, which
+we aren't doing.
+
+We don't actually need to call query_mode() in order to obtain the
+info for the current graphics mode, which is already there in
+gop->mode->info, so just access it directly in the setup_gop32/64()
+functions.
+
+Also nothing uses the size of the info structure, so don't update the
+passed-in size (which is the size of the gop_handle table in bytes)
+unnecessarily.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191206165542.31469-5-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/gop.c | 66 ++++++------------------------
+ 1 file changed, 12 insertions(+), 54 deletions(-)
+
+diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c
+index 81ffda5d1e48..fd8053f9556e 100644
+--- a/drivers/firmware/efi/libstub/gop.c
++++ b/drivers/firmware/efi/libstub/gop.c
+@@ -85,30 +85,6 @@ setup_pixel_info(struct screen_info *si, u32 pixels_per_scan_line,
+ }
+ }
+
+-static efi_status_t
+-__gop_query32(efi_system_table_t *sys_table_arg,
+- struct efi_graphics_output_protocol_32 *gop32,
+- struct efi_graphics_output_mode_info **info,
+- unsigned long *size, u64 *fb_base)
+-{
+- struct efi_graphics_output_protocol_mode_32 *mode;
+- efi_graphics_output_protocol_query_mode query_mode;
+- efi_status_t status;
+- unsigned long m;
+-
+- m = gop32->mode;
+- mode = (struct efi_graphics_output_protocol_mode_32 *)m;
+- query_mode = (void *)(unsigned long)gop32->query_mode;
+-
+- status = __efi_call_early(query_mode, (void *)gop32, mode->mode, size,
+- info);
+- if (status != EFI_SUCCESS)
+- return status;
+-
+- *fb_base = mode->frame_buffer_base;
+- return status;
+-}
+-
+ static efi_status_t
+ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ efi_guid_t *proto, unsigned long size, void **gop_handle)
+@@ -130,6 +106,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ nr_gops = size / sizeof(u32);
+ for (i = 0; i < nr_gops; i++) {
++ struct efi_graphics_output_protocol_mode_32 *mode;
+ struct efi_graphics_output_mode_info *info = NULL;
+ efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID;
+ bool conout_found = false;
+@@ -147,9 +124,11 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ if (status == EFI_SUCCESS)
+ conout_found = true;
+
+- status = __gop_query32(sys_table_arg, gop32, &info, &size,
+- ¤t_fb_base);
+- if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
++ mode = (void *)(unsigned long)gop32->mode;
++ info = (void *)(unsigned long)mode->info;
++ current_fb_base = mode->frame_buffer_base;
++
++ if ((!first_gop || conout_found) &&
+ info->pixel_format != PIXEL_BLT_ONLY) {
+ /*
+ * Systems that use the UEFI Console Splitter may
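Review bot: `mode` and `info` are now taken straight from firmware-provided fields and dereferenced (`mode->info`, `mode->frame_buffer_base`, `info->pixel_format`) without any check, where the removed code at least gated the use of `info` on `status == EFI_SUCCESS`. Conforming firmware should always populate both, but the stub runs before any fault handling is available, so a cheap guard is worth having: `if (!mode) continue;` after the first cast and `if (!info) continue;` before the `pixel_format` test. The same applies to the setup_gop64() hunk further down. The `= NULL` initialiser on `info` in the declaration is dead after this change and could be dropped.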
+@@ -203,30 +182,6 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ return EFI_SUCCESS;
+ }
+
+-static efi_status_t
+-__gop_query64(efi_system_table_t *sys_table_arg,
+- struct efi_graphics_output_protocol_64 *gop64,
+- struct efi_graphics_output_mode_info **info,
+- unsigned long *size, u64 *fb_base)
+-{
+- struct efi_graphics_output_protocol_mode_64 *mode;
+- efi_graphics_output_protocol_query_mode query_mode;
+- efi_status_t status;
+- unsigned long m;
+-
+- m = gop64->mode;
+- mode = (struct efi_graphics_output_protocol_mode_64 *)m;
+- query_mode = (void *)(unsigned long)gop64->query_mode;
+-
+- status = __efi_call_early(query_mode, (void *)gop64, mode->mode, size,
+- info);
+- if (status != EFI_SUCCESS)
+- return status;
+-
+- *fb_base = mode->frame_buffer_base;
+- return status;
+-}
+-
+ static efi_status_t
+ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ efi_guid_t *proto, unsigned long size, void **gop_handle)
+@@ -248,6 +203,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ nr_gops = size / sizeof(u64);
+ for (i = 0; i < nr_gops; i++) {
++ struct efi_graphics_output_protocol_mode_64 *mode;
+ struct efi_graphics_output_mode_info *info = NULL;
+ efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID;
+ bool conout_found = false;
+@@ -265,9 +221,11 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ if (status == EFI_SUCCESS)
+ conout_found = true;
+
+- status = __gop_query64(sys_table_arg, gop64, &info, &size,
+- ¤t_fb_base);
+- if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
++ mode = (void *)(unsigned long)gop64->mode;
++ info = (void *)(unsigned long)mode->info;
++ current_fb_base = mode->frame_buffer_base;
++
++ if ((!first_gop || conout_found) &&
+ info->pixel_format != PIXEL_BLT_ONLY) {
+ /*
+ * Systems that use the UEFI Console Splitter may
+--
+2.20.1
+
--- /dev/null
+From a51d20131b6fb28d1c73a67bbc942e54c31fae5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 16:55:38 +0000
+Subject: efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 6fc3cec30dfeee7d3c5db8154016aff9d65503c5 ]
+
+If we don't find a usable instance of the Graphics Output Protocol
+(GOP) because none of them have a framebuffer (i.e. they were all
+PIXEL_BLT_ONLY), but all the EFI calls succeeded, we will return
+EFI_SUCCESS even though we didn't find a usable GOP.
+
+Fix this by explicitly returning EFI_NOT_FOUND if no usable GOPs are
+found, allowing the caller to probe for UGA instead.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191206165542.31469-3-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/gop.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c
+index 24c461dea7af..16ed61c023e8 100644
+--- a/drivers/firmware/efi/libstub/gop.c
++++ b/drivers/firmware/efi/libstub/gop.c
+@@ -121,7 +121,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ u64 fb_base;
+ struct efi_pixel_bitmask pixel_info;
+ int pixel_format;
+- efi_status_t status = EFI_NOT_FOUND;
++ efi_status_t status;
+ u32 *handles = (u32 *)(unsigned long)gop_handle;
+ int i;
+
+@@ -177,7 +177,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ /* Did we find any GOPs? */
+ if (!first_gop)
+- goto out;
++ return EFI_NOT_FOUND;
+
+ /* EFI framebuffer */
+ si->orig_video_isVGA = VIDEO_TYPE_EFI;
+@@ -199,7 +199,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ si->lfb_size = si->lfb_linelength * si->lfb_height;
+
+ si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS;
+-out:
++
+ return status;
+ }
+
+@@ -239,7 +239,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ u64 fb_base;
+ struct efi_pixel_bitmask pixel_info;
+ int pixel_format;
+- efi_status_t status = EFI_NOT_FOUND;
++ efi_status_t status;
+ u64 *handles = (u64 *)(unsigned long)gop_handle;
+ int i;
+
+@@ -295,7 +295,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ /* Did we find any GOPs? */
+ if (!first_gop)
+- goto out;
++ return EFI_NOT_FOUND;
+
+ /* EFI framebuffer */
+ si->orig_video_isVGA = VIDEO_TYPE_EFI;
+@@ -317,7 +317,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ si->lfb_size = si->lfb_linelength * si->lfb_height;
+
+ si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS;
+-out:
++
+ return status;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From a921082aae68e949b51c035f14a19bb214e8236e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 16:55:39 +0000
+Subject: efi/gop: Return EFI_SUCCESS if a usable GOP was found
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit dbd89c303b4420f6cdb689fd398349fc83b059dd ]
+
+If we've found a usable instance of the Graphics Output Protocol
+(GOP) with a framebuffer, it is possible that one of the later EFI
+calls fails while checking if any support console output. In this
+case status may be an EFI error code even though we found a usable
+GOP.
+
+Fix this by explicitly return EFI_SUCCESS if a usable GOP has been
+located.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191206165542.31469-4-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/gop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c
+index 16ed61c023e8..81ffda5d1e48 100644
+--- a/drivers/firmware/efi/libstub/gop.c
++++ b/drivers/firmware/efi/libstub/gop.c
+@@ -200,7 +200,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS;
+
+- return status;
++ return EFI_SUCCESS;
+ }
+
+ static efi_status_t
+@@ -318,7 +318,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS;
+
+- return status;
++ return EFI_SUCCESS;
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From afc6c4b96f0f851f1ad009bfb2015205ecbc9b81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 10:54:23 -0600
+Subject: fs: avoid softlockups in s_inodes iterators
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit 04646aebd30b99f2cfa0182435a2ec252fcb16d0 ]
+
+Anything that walks all inodes on sb->s_inodes list without rescheduling
+risks softlockups.
+
+Previous efforts were made in 2 functions, see:
+
+c27d82f fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
+ac05fbb inode: don't softlockup when evicting inodes
+
+but there hasn't been an audit of all walkers, so do that now. This
+also consistently moves the cond_resched() calls to the bottom of each
+loop in cases where it already exists.
+
+One loop remains: remove_dquot_ref(), because I'm not quite sure how
+to deal with that one w/o taking the i_lock.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/drop_caches.c | 2 +-
+ fs/inode.c | 7 +++++++
+ fs/notify/fsnotify.c | 1 +
+ fs/quota/dquot.c | 1 +
+ 4 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/drop_caches.c b/fs/drop_caches.c
+index d31b6c72b476..dc1a1d5d825b 100644
+--- a/fs/drop_caches.c
++++ b/fs/drop_caches.c
+@@ -35,11 +35,11 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused)
+ spin_unlock(&inode->i_lock);
+ spin_unlock(&sb->s_inode_list_lock);
+
+- cond_resched();
+ invalidate_mapping_pages(inode->i_mapping, 0, -1);
+ iput(toput_inode);
+ toput_inode = inode;
+
++ cond_resched();
+ spin_lock(&sb->s_inode_list_lock);
+ }
+ spin_unlock(&sb->s_inode_list_lock);
+diff --git a/fs/inode.c b/fs/inode.c
+index 76f7535fe754..d2a700c5efce 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -656,6 +656,7 @@ int invalidate_inodes(struct super_block *sb, bool kill_dirty)
+ struct inode *inode, *next;
+ LIST_HEAD(dispose);
+
++again:
+ spin_lock(&sb->s_inode_list_lock);
+ list_for_each_entry_safe(inode, next, &sb->s_inodes, i_sb_list) {
+ spin_lock(&inode->i_lock);
+@@ -678,6 +679,12 @@ int invalidate_inodes(struct super_block *sb, bool kill_dirty)
+ inode_lru_list_del(inode);
+ spin_unlock(&inode->i_lock);
+ list_add(&inode->i_lru, &dispose);
++ if (need_resched()) {
++ spin_unlock(&sb->s_inode_list_lock);
++ cond_resched();
++ dispose_list(&dispose);
++ goto again;
++ }
+ }
+ spin_unlock(&sb->s_inode_list_lock);
+
+diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c
+index 506da82ff3f1..a308f7a7e577 100644
+--- a/fs/notify/fsnotify.c
++++ b/fs/notify/fsnotify.c
+@@ -90,6 +90,7 @@ void fsnotify_unmount_inodes(struct super_block *sb)
+
+ iput_inode = inode;
+
++ cond_resched();
+ spin_lock(&sb->s_inode_list_lock);
+ }
+ spin_unlock(&sb->s_inode_list_lock);
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 3fdbdd29702b..30f5da8f4aff 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -976,6 +976,7 @@ static int add_dquot_ref(struct super_block *sb, int type)
+ * later.
+ */
+ old_inode = inode;
++ cond_resched();
+ spin_lock(&sb->s_inode_list_lock);
+ }
+ spin_unlock(&sb->s_inode_list_lock);
+--
+2.20.1
+
--- /dev/null
+From af19ead418f617c46d65a8e41078e70e86617676 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 18:28:10 -0800
+Subject: hv_netvsc: Fix unwanted rx_table reset
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit b0689faa8efc5a3391402d7ae93bd373b7248e51 ]
+
+In existing code, the receive indirection table, rx_table, is in
+struct rndis_device, which will be reset when changing MTU, ringparam,
+etc. User configured receive indirection table values will be lost.
+
+To fix this, move rx_table to struct net_device_context, and check
+netif_is_rxfh_configured(), so rx_table will be set to default only
+if no user configured value.
+
+Fixes: ff4a44199012 ("netvsc: allow get/set of RSS indirection table")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/hyperv_net.h | 3 ++-
+ drivers/net/hyperv/netvsc_drv.c | 4 ++--
+ drivers/net/hyperv/rndis_filter.c | 10 +++++++---
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
+index 0f07b5978fa1..fc794e69e6a1 100644
+--- a/drivers/net/hyperv/hyperv_net.h
++++ b/drivers/net/hyperv/hyperv_net.h
+@@ -179,7 +179,6 @@ struct rndis_device {
+
+ u8 hw_mac_adr[ETH_ALEN];
+ u8 rss_key[NETVSC_HASH_KEYLEN];
+- u16 rx_table[ITAB_NUM];
+ };
+
+
+@@ -741,6 +740,8 @@ struct net_device_context {
+
+ u32 tx_table[VRSS_SEND_TAB_SIZE];
+
++ u16 rx_table[ITAB_NUM];
++
+ /* Ethtool settings */
+ bool udp4_l4_hash;
+ bool udp6_l4_hash;
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 5a44b9795266..a89de5752a8c 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1528,7 +1528,7 @@ static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key,
+ rndis_dev = ndev->extension;
+ if (indir) {
+ for (i = 0; i < ITAB_NUM; i++)
+- indir[i] = rndis_dev->rx_table[i];
++ indir[i] = ndc->rx_table[i];
+ }
+
+ if (key)
+@@ -1558,7 +1558,7 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir,
+ return -EINVAL;
+
+ for (i = 0; i < ITAB_NUM; i++)
+- rndis_dev->rx_table[i] = indir[i];
++ ndc->rx_table[i] = indir[i];
+ }
+
+ if (!key) {
+diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
+index fc1d5e14d83e..b19557c035f2 100644
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -715,6 +715,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev,
+ const u8 *rss_key, u16 flag)
+ {
+ struct net_device *ndev = rdev->ndev;
++ struct net_device_context *ndc = netdev_priv(ndev);
+ struct rndis_request *request;
+ struct rndis_set_request *set;
+ struct rndis_set_complete *set_complete;
+@@ -754,7 +755,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev,
+ /* Set indirection table entries */
+ itab = (u32 *)(rssp + 1);
+ for (i = 0; i < ITAB_NUM; i++)
+- itab[i] = rdev->rx_table[i];
++ itab[i] = ndc->rx_table[i];
+
+ /* Set hask key values */
+ keyp = (u8 *)((unsigned long)rssp + rssp->kashkey_offset);
+@@ -1204,6 +1205,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
+ struct netvsc_device_info *device_info)
+ {
+ struct net_device *net = hv_get_drvdata(dev);
++ struct net_device_context *ndc = netdev_priv(net);
+ struct netvsc_device *net_device;
+ struct rndis_device *rndis_device;
+ struct ndis_recv_scale_cap rsscap;
+@@ -1286,9 +1288,11 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
+ /* We will use the given number of channels if available. */
+ net_device->num_chn = min(net_device->max_chn, device_info->num_chn);
+
+- for (i = 0; i < ITAB_NUM; i++)
+- rndis_device->rx_table[i] = ethtool_rxfh_indir_default(
++ if (!netif_is_rxfh_configured(net)) {
++ for (i = 0; i < ITAB_NUM; i++)
++ ndc->rx_table[i] = ethtool_rxfh_indir_default(
+ i, net_device->num_chn);
++ }
+
+ atomic_set(&net_device->open_chn, 1);
+ vmbus_set_sc_create_callback(dev->channel, netvsc_sc_open);
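Review bot: With the `netif_is_rxfh_configured(net)` guard, a user-set `ndc->rx_table` now survives a re-add in which `net_device->num_chn` is recomputed on the line just above, and nothing in this hunk checks that the preserved entries are still below the new channel count. If that is guaranteed elsewhere (for example by a channel reduction being rejected while a table is configured), a comment should say so, e.g. `/* user-set entries are kept; they are assumed to stay < num_chn */`. Otherwise the entries need re-validating before rndis_set_rss_param_msg() copies them into the request. rndis_filter_device_add() starts and ends outside the hunk.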
+--
+2.20.1
+
--- /dev/null
+From 6e3f6b3300c31faa139ea45ea785fca101859c9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 00:19:17 -0800
+Subject: kconfig: don't crash on NULL expressions in expr_eq()
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+[ Upstream commit 272a72103012862e3a24ea06635253ead0b6e808 ]
+
+NULL expressions are taken to always be true, as implemented by the
+expr_is_yes() macro and by several other functions in expr.c. As such,
+they ought to be valid inputs to expr_eq(), which compares two
+expressions.
+
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/expr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c
+index ed29bad1f03a..96420b620963 100644
+--- a/scripts/kconfig/expr.c
++++ b/scripts/kconfig/expr.c
+@@ -201,6 +201,13 @@ static int expr_eq(struct expr *e1, struct expr *e2)
+ {
+ int res, old_count;
+
++ /*
++ * A NULL expr is taken to be yes, but there's also a different way to
++ * represent yes. expr_is_yes() checks for either representation.
++ */
++ if (!e1 || !e2)
++ return expr_is_yes(e1) && expr_is_yes(e2);
++
+ if (e1->type != e2->type)
+ return 0;
+ switch (e1->type) {
+--
+2.20.1
+
--- /dev/null
+From d599a3cf283b13d42611cd522bb3000f09f34430 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 11:36:09 +0000
+Subject: libtraceevent: Fix lib installation with O=
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+[ Upstream commit 587db8ebdac2c5eb3a8851e16b26f2e2711ab797 ]
+
+When we use 'O=' with make to build libtraceevent in a separate folder
+it fails to install libtraceevent.a and libtraceevent.so.1.1.0 with the
+error:
+
+ INSTALL /home/sudip/linux/obj-trace/libtraceevent.a
+ INSTALL /home/sudip/linux/obj-trace/libtraceevent.so.1.1.0
+
+ cp: cannot stat 'libtraceevent.a': No such file or directory
+ Makefile:225: recipe for target 'install_lib' failed
+ make: *** [install_lib] Error 1
+
+I used the command:
+
+ make O=../../../obj-trace DESTDIR=~/test prefix==/usr install
+
+It turns out libtraceevent Makefile, even though it builds in a separate
+folder, searches for libtraceevent.a and libtraceevent.so.1.1.0 in its
+source folder.
+
+So, add the 'OUTPUT' prefix to the source path so that 'make' looks for
+the files in the correct place.
+
+Signed-off-by: Sudipm Mukherjee <sudipm.mukherjee@gmail.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: linux-trace-devel@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20191115113610.21493-1-sudipm.mukherjee@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/traceevent/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/traceevent/Makefile b/tools/lib/traceevent/Makefile
+index 8107f060fa84..a0ac01c647f5 100644
+--- a/tools/lib/traceevent/Makefile
++++ b/tools/lib/traceevent/Makefile
+@@ -115,6 +115,7 @@ EVENT_PARSE_VERSION = $(EP_VERSION).$(EP_PATCHLEVEL).$(EP_EXTRAVERSION)
+
+ LIB_TARGET = libtraceevent.a libtraceevent.so.$(EVENT_PARSE_VERSION)
+ LIB_INSTALL = libtraceevent.a libtraceevent.so*
++LIB_INSTALL := $(addprefix $(OUTPUT),$(LIB_INSTALL))
+
+ INCLUDES = -I. -I $(srctree)/tools/include $(CONFIG_INCLUDES)
+
+--
+2.20.1
+
--- /dev/null
+From 4335b61d98250aaed99e655a2005fe98c0028993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 14:16:18 +0800
+Subject: llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and
+ _test_c)
+
+From: Chan Shu Tak, Alex <alexchan@task.com.hk>
+
+[ Upstream commit af1c0e4e00f3cc76cb136ebf2e2c04e8b6446285 ]
+
+When a frame with NULL DSAP is received, llc_station_rcv is called.
+In turn, llc_stat_ev_rx_null_dsap_xid_c is called to check if it is a NULL
+XID frame. The return statement of llc_stat_ev_rx_null_dsap_xid_c returns 1
+when the incoming frame is not a NULL XID frame and 0 otherwise. Hence, a
+NULL XID response is returned unexpectedly, e.g. when the incoming frame is
+a NULL TEST command.
+
+To fix the error, simply remove the conditional operator.
+
+A similar error in llc_stat_ev_rx_null_dsap_test_c is also fixed.
+
+Signed-off-by: Chan Shu Tak, Alex <alexchan@task.com.hk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/llc/llc_station.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
+index 204a8351efff..c29170e767a8 100644
+--- a/net/llc/llc_station.c
++++ b/net/llc/llc_station.c
+@@ -32,7 +32,7 @@ static int llc_stat_ev_rx_null_dsap_xid_c(struct sk_buff *skb)
+ return LLC_PDU_IS_CMD(pdu) && /* command PDU */
+ LLC_PDU_TYPE_IS_U(pdu) && /* U type PDU */
+ LLC_U_PDU_CMD(pdu) == LLC_1_PDU_CMD_XID &&
+- !pdu->dsap ? 0 : 1; /* NULL DSAP value */
++ !pdu->dsap; /* NULL DSAP value */
+ }
+
+ static int llc_stat_ev_rx_null_dsap_test_c(struct sk_buff *skb)
+@@ -42,7 +42,7 @@ static int llc_stat_ev_rx_null_dsap_test_c(struct sk_buff *skb)
+ return LLC_PDU_IS_CMD(pdu) && /* command PDU */
+ LLC_PDU_TYPE_IS_U(pdu) && /* U type PDU */
+ LLC_U_PDU_CMD(pdu) == LLC_1_PDU_CMD_TEST &&
+- !pdu->dsap ? 0 : 1; /* NULL DSAP */
++ !pdu->dsap; /* NULL DSAP */
+ }
+
+ static int llc_station_ac_send_xid_r(struct sk_buff *skb)
+--
+2.20.1
+
--- /dev/null
+From 98206811ac0422c2fa609761d64da7a4f13a28fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2019 16:57:15 +0100
+Subject: locking/spinlock/debug: Fix various data races
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 1a365e822372ba24c9da0822bc583894f6f3d821 ]
+
+This fixes various data races in spinlock_debug. By testing with KCSAN,
+it is observable that the console gets spammed with data races reports,
+suggesting these are extremely frequent.
+
+Example data race report:
+
+ read to 0xffff8ab24f403c48 of 4 bytes by task 221 on cpu 2:
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
+ do_raw_spin_lock+0x9b/0x210 kernel/locking/spinlock_debug.c:112
+ __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
+ _raw_spin_lock+0x39/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ get_partial_node.isra.0.part.0+0x32/0x2f0 mm/slub.c:1873
+ get_partial_node mm/slub.c:1870 [inline]
+ <snip>
+
+ write to 0xffff8ab24f403c48 of 4 bytes by task 167 on cpu 3:
+ debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline]
+ do_raw_spin_unlock+0xc9/0x1a0 kernel/locking/spinlock_debug.c:138
+ __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:159 [inline]
+ _raw_spin_unlock_irqrestore+0x2d/0x50 kernel/locking/spinlock.c:191
+ spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
+ free_debug_processing+0x1b3/0x210 mm/slub.c:1214
+ __slab_free+0x292/0x400 mm/slub.c:2864
+ <snip>
+
+As a side-effect, with KCSAN, this eventually locks up the console, most
+likely due to deadlock, e.g. .. -> printk lock -> spinlock_debug ->
+KCSAN detects data race -> kcsan_print_report() -> printk lock ->
+deadlock.
+
+This fix will 1) avoid the data races, and 2) allow using lock debugging
+together with KCSAN.
+
+Reported-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Marco Elver <elver@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Link: https://lkml.kernel.org/r/20191120155715.28089-1-elver@google.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/spinlock_debug.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c
+index 9aa0fccd5d43..03595c29c566 100644
+--- a/kernel/locking/spinlock_debug.c
++++ b/kernel/locking/spinlock_debug.c
+@@ -51,19 +51,19 @@ EXPORT_SYMBOL(__rwlock_init);
+
+ static void spin_dump(raw_spinlock_t *lock, const char *msg)
+ {
+- struct task_struct *owner = NULL;
++ struct task_struct *owner = READ_ONCE(lock->owner);
+
+- if (lock->owner && lock->owner != SPINLOCK_OWNER_INIT)
+- owner = lock->owner;
++ if (owner == SPINLOCK_OWNER_INIT)
++ owner = NULL;
+ printk(KERN_EMERG "BUG: spinlock %s on CPU#%d, %s/%d\n",
+ msg, raw_smp_processor_id(),
+ current->comm, task_pid_nr(current));
+ printk(KERN_EMERG " lock: %pS, .magic: %08x, .owner: %s/%d, "
+ ".owner_cpu: %d\n",
+- lock, lock->magic,
++ lock, READ_ONCE(lock->magic),
+ owner ? owner->comm : "<none>",
+ owner ? task_pid_nr(owner) : -1,
+- lock->owner_cpu);
++ READ_ONCE(lock->owner_cpu));
+ dump_stack();
+ }
+
+@@ -80,16 +80,16 @@ static void spin_bug(raw_spinlock_t *lock, const char *msg)
+ static inline void
+ debug_spin_lock_before(raw_spinlock_t *lock)
+ {
+- SPIN_BUG_ON(lock->magic != SPINLOCK_MAGIC, lock, "bad magic");
+- SPIN_BUG_ON(lock->owner == current, lock, "recursion");
+- SPIN_BUG_ON(lock->owner_cpu == raw_smp_processor_id(),
++ SPIN_BUG_ON(READ_ONCE(lock->magic) != SPINLOCK_MAGIC, lock, "bad magic");
++ SPIN_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion");
++ SPIN_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(),
+ lock, "cpu recursion");
+ }
+
+ static inline void debug_spin_lock_after(raw_spinlock_t *lock)
+ {
+- lock->owner_cpu = raw_smp_processor_id();
+- lock->owner = current;
++ WRITE_ONCE(lock->owner_cpu, raw_smp_processor_id());
++ WRITE_ONCE(lock->owner, current);
+ }
+
+ static inline void debug_spin_unlock(raw_spinlock_t *lock)
+@@ -99,8 +99,8 @@ static inline void debug_spin_unlock(raw_spinlock_t *lock)
+ SPIN_BUG_ON(lock->owner != current, lock, "wrong owner");
+ SPIN_BUG_ON(lock->owner_cpu != raw_smp_processor_id(),
+ lock, "wrong CPU");
+- lock->owner = SPINLOCK_OWNER_INIT;
+- lock->owner_cpu = -1;
++ WRITE_ONCE(lock->owner, SPINLOCK_OWNER_INIT);
++ WRITE_ONCE(lock->owner_cpu, -1);
+ }
+
+ /*
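Review bot: The two `SPIN_BUG_ON()` reads of `lock->owner` and `lock->owner_cpu` in debug_spin_unlock() stay plain while the writes right below them become `WRITE_ONCE()`, and nothing explains the asymmetry. It is presumably intentional, since only the current holder writes these fields while the lock is held, but a short comment would stop a later reader from "fixing" it, e.g. `/* plain reads: only the holder updates owner/owner_cpu while the lock is held */`. The same applies to the `RWLOCK_BUG_ON()` reads in the debug_write_unlock() hunk further down.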
+@@ -183,8 +183,8 @@ static inline void debug_write_lock_before(rwlock_t *lock)
+
+ static inline void debug_write_lock_after(rwlock_t *lock)
+ {
+- lock->owner_cpu = raw_smp_processor_id();
+- lock->owner = current;
++ WRITE_ONCE(lock->owner_cpu, raw_smp_processor_id());
++ WRITE_ONCE(lock->owner, current);
+ }
+
+ static inline void debug_write_unlock(rwlock_t *lock)
+@@ -193,8 +193,8 @@ static inline void debug_write_unlock(rwlock_t *lock)
+ RWLOCK_BUG_ON(lock->owner != current, lock, "wrong owner");
+ RWLOCK_BUG_ON(lock->owner_cpu != raw_smp_processor_id(),
+ lock, "wrong CPU");
+- lock->owner = SPINLOCK_OWNER_INIT;
+- lock->owner_cpu = -1;
++ WRITE_ONCE(lock->owner, SPINLOCK_OWNER_INIT);
++ WRITE_ONCE(lock->owner_cpu, -1);
+ }
+
+ void do_raw_write_lock(rwlock_t *lock)
+--
+2.20.1
+
--- /dev/null
+From 84ab7c7e26c23f989b7792a41c9aab4a381cc4bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2019 18:10:54 +0800
+Subject: mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: qize wang <wangqize888888888@gmail.com>
+
+[ Upstream commit 1e58252e334dc3f3756f424a157d1b7484464c40 ]
+
+mwifiex_process_tdls_action_frame() without checking
+the incoming tdls infomation element's vality before use it,
+this may cause multi heap buffer overflows.
+
+Fix them by putting vality check before use it.
+
+IE is TLV struct, but ht_cap and ht_oper aren’t TLV struct.
+the origin marvell driver code is wrong:
+
+memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
+memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...
+
+Fix the bug by changing pos(the address of IE) to
+pos+2 ( the address of IE value ).
+
+Signed-off-by: qize wang <wangqize888888888@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/tdls.c | 70 +++++++++++++++++++--
+ 1 file changed, 64 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
+index e76af2866a19..b5340af9fa5e 100644
+--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
+@@ -956,59 +956,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
+
+ switch (*pos) {
+ case WLAN_EID_SUPP_RATES:
++ if (pos[1] > 32)
++ return;
+ sta_ptr->tdls_cap.rates_len = pos[1];
+ for (i = 0; i < pos[1]; i++)
+ sta_ptr->tdls_cap.rates[i] = pos[i + 2];
+ break;
+
+ case WLAN_EID_EXT_SUPP_RATES:
++ if (pos[1] > 32)
++ return;
+ basic = sta_ptr->tdls_cap.rates_len;
++ if (pos[1] > 32 - basic)
++ return;
+ for (i = 0; i < pos[1]; i++)
+ sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
+ sta_ptr->tdls_cap.rates_len += pos[1];
+ break;
+ case WLAN_EID_HT_CAPABILITY:
+- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
++ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_ht_cap))
++ return;
++ /* copy the ie's value into ht_capb*/
++ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
+ sizeof(struct ieee80211_ht_cap));
+ sta_ptr->is_11n_enabled = 1;
+ break;
+ case WLAN_EID_HT_OPERATION:
+- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
++ if (pos > end -
++ sizeof(struct ieee80211_ht_operation) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_ht_operation))
++ return;
++ /* copy the ie's value into ht_oper*/
++ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
+ sizeof(struct ieee80211_ht_operation));
+ break;
+ case WLAN_EID_BSS_COEX_2040:
++ if (pos > end - 3)
++ return;
++ if (pos[1] != 1)
++ return;
+ sta_ptr->tdls_cap.coex_2040 = pos[2];
+ break;
+ case WLAN_EID_EXT_CAPABILITY:
++ if (pos > end - sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] < sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] > 8)
++ return;
+ memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
+ sizeof(struct ieee_types_header) +
+ min_t(u8, pos[1], 8));
+ break;
+ case WLAN_EID_RSN:
++ if (pos > end - sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] < sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] > IEEE_MAX_IE_SIZE -
++ sizeof(struct ieee_types_header))
++ return;
+ memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
+ sizeof(struct ieee_types_header) +
+ min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
+ sizeof(struct ieee_types_header)));
+ break;
+ case WLAN_EID_QOS_CAPA:
++ if (pos > end - 3)
++ return;
++ if (pos[1] != 1)
++ return;
+ sta_ptr->tdls_cap.qos_info = pos[2];
+ break;
+ case WLAN_EID_VHT_OPERATION:
+- if (priv->adapter->is_hw_11ac_capable)
+- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
++ if (priv->adapter->is_hw_11ac_capable) {
++ if (pos > end -
++ sizeof(struct ieee80211_vht_operation) - 2)
++ return;
++ if (pos[1] !=
++ sizeof(struct ieee80211_vht_operation))
++ return;
++ /* copy the ie's value into vhtoper*/
++ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
+ sizeof(struct ieee80211_vht_operation));
++ }
+ break;
+ case WLAN_EID_VHT_CAPABILITY:
+ if (priv->adapter->is_hw_11ac_capable) {
+- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
++ if (pos > end -
++ sizeof(struct ieee80211_vht_cap) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_vht_cap))
++ return;
++ /* copy the ie's value into vhtcap*/
++ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
+ sizeof(struct ieee80211_vht_cap));
+ sta_ptr->is_11ac_enabled = 1;
+ }
+ break;
+ case WLAN_EID_AID:
+- if (priv->adapter->is_hw_11ac_capable)
++ if (priv->adapter->is_hw_11ac_capable) {
++ if (pos > end - 4)
++ return;
++ if (pos[1] != 2)
++ return;
+ sta_ptr->tdls_cap.aid =
+ get_unaligned_le16((pos + 2));
++ }
++ break;
+ default:
+ break;
+ }
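Review bot: In the WLAN_EID_EXT_CAPABILITY and WLAN_EID_RSN cases the new check against `end` covers only `sizeof(struct ieee_types_header)` bytes, while the `memcpy()` that follows reads the header plus `pos[1]` bytes from `pos`; the two rate cases have no check against `end` at all. Unless the loop header, which is outside this hunk, already rejects `pos + 2 + pos[1] > end`, these are reads past the received frame, and a per-case guard such as `if (pos + sizeof(struct ieee_types_header) + pos[1] > end) return;` would make each case self-contained. The test `pos[1] < sizeof(struct ieee_types_header)` compares a payload length with a header size and looks unintended. The limits `32` and `8` are literals; tying them to the destination, e.g. `ARRAY_SIZE(sta_ptr->tdls_cap.rates)`, keeps the check correct if the field size changes (its declaration is not visible here). With `pos[1] > 8` already rejected, the `min_t(u8, pos[1], 8)` left in the copy is redundant.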
+--
+2.20.1
+
--- /dev/null
+From 637c226b0fa1421a605503f000b19c00af0dba6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:17:37 +0100
+Subject: net: stmmac: Do not accept invalid MTU values
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit eaf4fac478077d4ed57cbca2c044c4b58a96bd98 ]
+
+The maximum MTU value is determined by the maximum size of TX FIFO so
+that a full packet can fit in the FIFO. Add a check for this in the MTU
+change callback.
+
+Also check if provided and rounded MTU does not passes the maximum limit
+of 16K.
+
+Changes from v2:
+- Align MTU before checking if its valid
+
+Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index e6d16c48ffef..4ef923f1094a 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3597,12 +3597,24 @@ static void stmmac_set_rx_mode(struct net_device *dev)
+ static int stmmac_change_mtu(struct net_device *dev, int new_mtu)
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
++ int txfifosz = priv->plat->tx_fifo_size;
++
++ if (txfifosz == 0)
++ txfifosz = priv->dma_cap.tx_fifo_size;
++
++ txfifosz /= priv->plat->tx_queues_to_use;
+
+ if (netif_running(dev)) {
+ netdev_err(priv->dev, "must be stopped to change its MTU\n");
+ return -EBUSY;
+ }
+
++ new_mtu = STMMAC_ALIGN(new_mtu);
++
++ /* If condition true, FIFO is too small or MTU too large */
++ if ((txfifosz < new_mtu) || (new_mtu > BUF_SIZE_16KiB))
++ return -EINVAL;
++
+ dev->mtu = new_mtu;
+
+ netdev_update_features(dev);
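Review bot: `new_mtu = STMMAC_ALIGN(new_mtu);` overwrites the caller's value, so the later `dev->mtu = new_mtu;` stores the rounded-up size instead of the MTU that was requested. Keeping the aligned value in a local used only for the limit check avoids that: `int aligned = STMMAC_ALIGN(new_mtu);` followed by `if ((txfifosz < aligned) || (aligned > BUF_SIZE_16KiB)) return -EINVAL;`, leaving `dev->mtu = new_mtu;` unchanged. The division `txfifosz /= priv->plat->tx_queues_to_use;` also assumes a non-zero queue count, and whether that is guaranteed is not visible in this hunk. The body of stmmac_change_mtu() continues past the hunk.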
+--
+2.20.1
+
--- /dev/null
+From 015b30c20d0ca1c147ceaa1fdf001a428e83f592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:17:40 +0100
+Subject: net: stmmac: RX buffer size must be 16 byte aligned
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit 8d558f0294fe92e04af192e221d0d0f6a180ee7b ]
+
+We need to align the RX buffer size to at least 16 byte so that IP
+doesn't mis-behave. This is required by HW.
+
+Changes from v2:
+- Align UP and not DOWN (David)
+
+Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 4ef923f1094a..e89466bd432d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -51,7 +51,7 @@
+ #include <linux/of_mdio.h>
+ #include "dwmac1000.h"
+
+-#define STMMAC_ALIGN(x) __ALIGN_KERNEL(x, SMP_CACHE_BYTES)
++#define STMMAC_ALIGN(x) ALIGN(ALIGN(x, SMP_CACHE_BYTES), 16)
+ #define TSO_MAX_BUFF_SIZE (SZ_16K - 1)
+
+ /* Module parameters */
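Review bot: The nested `ALIGN(ALIGN(x, SMP_CACHE_BYTES), 16)` has no comment, and the outer step looks like a no-op wherever the cache line is already a multiple of 16, so the reason for it is easy to lose. A one-line comment above the macro would record the hardware requirement from the commit message, e.g. `/* RX buffer size must be a multiple of 16 bytes for the IP, whatever SMP_CACHE_BYTES is */`.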
+--
+2.20.1
+
--- /dev/null
+From 87951238aabe69e4b4c8b822004f6254c463c675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2019 18:33:11 +0200
+Subject: net: usb: lan78xx: Fix error message format specifier
+
+From: Cristian Birsan <cristian.birsan@microchip.com>
+
+[ Upstream commit 858ce8ca62ea1530f2779d0e3f934b0176e663c3 ]
+
+Display the return code as decimal integer.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Cristian Birsan <cristian.birsan@microchip.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 7d1d5b30ecc3..0aa6f3a5612d 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -497,7 +497,7 @@ static int lan78xx_read_stats(struct lan78xx_net *dev,
+ }
+ } else {
+ netdev_warn(dev->net,
+- "Failed to read stat ret = 0x%x", ret);
++ "Failed to read stat ret = %d", ret);
+ }
+
+ kfree(stats);
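Review bot: The corrected format string still has no trailing newline, so this warning can run into the next message in the log. Since the line is being touched anyway, it could become `"Failed to read stat ret = %d\n", ret);`. lan78xx_read_stats() starts and ends outside the hunk.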
+--
+2.20.1
+
--- /dev/null
+From c07e4bb8226a30abfeb8aeb5c509c8649bca28be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 12:39:23 +0100
+Subject: netfilter: ctnetlink: netns exit must wait for callbacks
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 18a110b022a5c02e7dc9f6109d0bd93e58ac6ebb ]
+
+Curtis Taylor and Jon Maxwell reported and debugged a crash on 3.10
+based kernel.
+
+Crash occurs in ctnetlink_conntrack_events because net->nfnl socket is
+NULL. The nfnl socket was set to NULL by netns destruction running on
+another cpu.
+
+The exiting network namespace calls the relevant destructors in the
+following order:
+
+1. ctnetlink_net_exit_batch
+
+This nulls out the event callback pointer in struct netns.
+
+2. nfnetlink_net_exit_batch
+
+This nulls net->nfnl socket and frees it.
+
+3. nf_conntrack_cleanup_net_list
+
+This removes all remaining conntrack entries.
+
+This is order is correct. The only explanation for the crash so ar is:
+
+cpu1: conntrack is dying, eviction occurs:
+ -> nf_ct_delete()
+ -> nf_conntrack_event_report \
+ -> nf_conntrack_eventmask_report
+ -> notify->fcn() (== ctnetlink_conntrack_events).
+
+cpu1: a. fetches rcu protected pointer to obtain ctnetlink event callback.
+ b. gets interrupted.
+ cpu2: runs netns exit handlers:
+ a runs ctnetlink destructor, event cb pointer set to NULL.
+ b runs nfnetlink destructor, nfnl socket is closed and set to NULL.
+cpu1: c. resumes and trips over NULL net->nfnl.
+
+Problem appears to be that ctnetlink_net_exit_batch only prevents future
+callers of nf_conntrack_eventmask_report() from obtaining the callback.
+It doesn't wait of other cpus that might have already obtained the
+callbacks address.
+
+I don't see anything in upstream kernels that would prevent similar
+crash: We need to wait for all cpus to have exited the event callback.
+
+Fixes: 9592a5c01e79dbc59eb56fa ("netfilter: ctnetlink: netns support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index c781c9a1a697..39a32edaa92c 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3422,6 +3422,9 @@ static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
+
+ list_for_each_entry(net, net_exit_list, exit_list)
+ ctnetlink_net_exit(net);
++
++ /* wait for other cpus until they are done with ctnl_notifiers */
++ synchronize_rcu();
+ }
+
+ static struct pernet_operations ctnetlink_net_ops = {
+--
+2.20.1
+
--- /dev/null
+From e7354dcb258e90f90884bbe407ec7f03a0d48e6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 21:55:20 +0100
+Subject: netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit bffc124b6fe37d0ae9b428d104efb426403bb5c9 ]
+
+Only NFTA_SET_ELEM_KEY and NFTA_SET_ELEM_FLAGS make sense for elements
+whose NFT_SET_ELEM_INTERVAL_END flag is set on.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 7ef126489d4e..91490446ebb4 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3917,14 +3917,20 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (nla[NFTA_SET_ELEM_DATA] == NULL &&
+ !(flags & NFT_SET_ELEM_INTERVAL_END))
+ return -EINVAL;
+- if (nla[NFTA_SET_ELEM_DATA] != NULL &&
+- flags & NFT_SET_ELEM_INTERVAL_END)
+- return -EINVAL;
+ } else {
+ if (nla[NFTA_SET_ELEM_DATA] != NULL)
+ return -EINVAL;
+ }
+
++ if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
++ (nla[NFTA_SET_ELEM_DATA] ||
++ nla[NFTA_SET_ELEM_OBJREF] ||
++ nla[NFTA_SET_ELEM_TIMEOUT] ||
++ nla[NFTA_SET_ELEM_EXPIRATION] ||
++ nla[NFTA_SET_ELEM_USERDATA] ||
++ nla[NFTA_SET_ELEM_EXPR]))
++ return -EINVAL;
++
+ timeout = 0;
+ if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
+ if (!(set->flags & NFT_SET_TIMEOUT))
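Review bot: The new NFT_SET_ELEM_INTERVAL_END check is written as a list of attributes to reject, so any NFTA_SET_ELEM_* attribute added later is accepted on interval-end elements until someone remembers to extend this condition. A comment stating the rule would make that obligation visible, e.g. `/* interval-end elements carry only a key and flags; every other attribute must be listed here */`. nft_add_set_elem() starts and ends outside the hunk, so whether the attribute set is bounded elsewhere is not visible.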
+--
+2.20.1
+
--- /dev/null
+From e19745afca367256665de90e78586ba1af981480 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 13:35:11 +0100
+Subject: netfilter: uapi: Avoid undefined left-shift in xt_sctp.h
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 164166558aacea01b99c8c8ffb710d930405ba69 ]
+
+With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is
+undefined for the signed 32-bit value 1. Avoid this by declaring 1 as
+unsigned.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/netfilter/xt_sctp.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h
+index 4bc6d1a08781..b4d804a9fccb 100644
+--- a/include/uapi/linux/netfilter/xt_sctp.h
++++ b/include/uapi/linux/netfilter/xt_sctp.h
+@@ -41,19 +41,19 @@ struct xt_sctp_info {
+ #define SCTP_CHUNKMAP_SET(chunkmap, type) \
+ do { \
+ (chunkmap)[type / bytes(__u32)] |= \
+- 1 << (type % bytes(__u32)); \
++ 1u << (type % bytes(__u32)); \
+ } while (0)
+
+ #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
+ do { \
+ (chunkmap)[type / bytes(__u32)] &= \
+- ~(1 << (type % bytes(__u32))); \
++ ~(1u << (type % bytes(__u32))); \
+ } while (0)
+
+ #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
+ ({ \
+ ((chunkmap)[type / bytes (__u32)] & \
+- (1 << (type % bytes (__u32)))) ? 1: 0; \
++ (1u << (type % bytes (__u32)))) ? 1: 0; \
+ })
+
+ #define SCTP_CHUNKMAP_RESET(chunkmap) \
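Review bot: The macro parameter `type` is still expanded without parentheses in all three macros touched here, so an argument such as `a + b` would bind to `/` and `%` with the wrong precedence and select the wrong word or bit. Since these lines are being edited anyway, `(chunkmap)[(type) / bytes(__u32)] |= 1u << ((type) % bytes(__u32));` and the matching forms in SCTP_CHUNKMAP_CLEAR and SCTP_CHUNKMAP_IS_SET would close that. The macros also index `chunkmap` directly from `type` with no range check, so a one-line comment stating that callers must keep `type` within the map would help users of this uapi header.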
+--
+2.20.1
+
--- /dev/null
+From 9dfb287fbf62b4171aa6fca6b24d3f222b662cd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2019 21:00:19 +0100
+Subject: parisc: Fix compiler warnings in debug_core.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 75cf9797006a3a9f29a3a25c1febd6842a4a9eb2 ]
+
+Fix this compiler warning:
+kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’:
+arch/parisc/include/asm/cmpxchg.h:48:3: warning: value computed is not used [-Wunused-value]
+ 48 | ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr))))
+arch/parisc/include/asm/atomic.h:78:30: note: in expansion of macro ‘xchg’
+ 78 | #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
+ | ^~~~
+kernel/debug/debug_core.c:596:4: note: in expansion of macro ‘atomic_xchg’
+ 596 | atomic_xchg(&kgdb_active, cpu);
+ | ^~~~~~~~~~~
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/include/asm/cmpxchg.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h
+index f627c37dad9c..ab5c215cf46c 100644
+--- a/arch/parisc/include/asm/cmpxchg.h
++++ b/arch/parisc/include/asm/cmpxchg.h
+@@ -44,8 +44,14 @@ __xchg(unsigned long x, __volatile__ void *ptr, int size)
+ ** if (((unsigned long)p & 0xf) == 0)
+ ** return __ldcw(p);
+ */
+-#define xchg(ptr, x) \
+- ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr))))
++#define xchg(ptr, x) \
++({ \
++ __typeof__(*(ptr)) __ret; \
++ __typeof__(*(ptr)) _x_ = (x); \
++ __ret = (__typeof__(*(ptr))) \
++ __xchg((unsigned long)_x_, (ptr), sizeof(*(ptr))); \
++ __ret; \
++})
+
+ /* bug catcher for when unsupported size is used - won't link */
+ extern void __cmpxchg_called_with_bad_pointer(void);
+--
+2.20.1
+
--- /dev/null
+From f137080ad4e0a7a0f633f94a761faf44bbc361cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 12:51:01 +0200
+Subject: perf/x86/intel: Fix PT PMI handling
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+[ Upstream commit 92ca7da4bdc24d63bb0bcd241c11441ddb63b80a ]
+
+Commit:
+
+ ccbebba4c6bf ("perf/x86/intel/pt: Bypass PT vs. LBR exclusivity if the core supports it")
+
+skips the PT/LBR exclusivity check on CPUs where PT and LBRs coexist, but
+also inadvertently skips the active_events bump for PT in that case, which
+is a bug. If there aren't any hardware events at the same time as PT, the
+PMI handler will ignore PT PMIs, as active_events reads zero in that case,
+resulting in the "Uhhuh" spurious NMI warning and PT data loss.
+
+Fix this by always increasing active_events for PT events.
+
+Fixes: ccbebba4c6bf ("perf/x86/intel/pt: Bypass PT vs. LBR exclusivity if the core supports it")
+Reported-by: Vitaly Slobodskoy <vitaly.slobodskoy@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lkml.kernel.org/r/20191210105101.77210-1-alexander.shishkin@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/core.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
+index 6ed99de2ddf5..c1f7b3cb84a9 100644
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -375,7 +375,7 @@ int x86_add_exclusive(unsigned int what)
+ * LBR and BTS are still mutually exclusive.
+ */
+ if (x86_pmu.lbr_pt_coexist && what == x86_lbr_exclusive_pt)
+- return 0;
++ goto out;
+
+ if (!atomic_inc_not_zero(&x86_pmu.lbr_exclusive[what])) {
+ mutex_lock(&pmc_reserve_mutex);
+@@ -387,6 +387,7 @@ int x86_add_exclusive(unsigned int what)
+ mutex_unlock(&pmc_reserve_mutex);
+ }
+
++out:
+ atomic_inc(&active_events);
+ return 0;
+
+@@ -397,11 +398,15 @@ int x86_add_exclusive(unsigned int what)
+
+ void x86_del_exclusive(unsigned int what)
+ {
++ atomic_dec(&active_events);
++
++ /*
++ * See the comment in x86_add_exclusive().
++ */
+ if (x86_pmu.lbr_pt_coexist && what == x86_lbr_exclusive_pt)
+ return;
+
+ atomic_dec(&x86_pmu.lbr_exclusive[what]);
+- atomic_dec(&active_events);
+ }
+
+ int x86_setup_perfctr(struct perf_event *event)
+--
+2.20.1
+
--- /dev/null
+From ab1c37ff22826f8523644d44807401788c63a2b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 14:35:24 +0200
+Subject: powerpc: Ensure that swiotlb buffer is allocated from low memory
+
+From: Mike Rapoport <rppt@linux.ibm.com>
+
+[ Upstream commit 8fabc623238e68b3ac63c0dd1657bf86c1fa33af ]
+
+Some powerpc platforms (e.g. 85xx) limit DMA-able memory way below 4G.
+If a system has more physical memory than this limit, the swiotlb
+buffer is not addressable because it is allocated from memblock using
+top-down mode.
+
+Force memblock to bottom-up mode before calling swiotlb_init() to
+ensure that the swiotlb buffer is DMA-able.
+
+Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
+Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191204123524.22919-1-rppt@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/mem.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
+index 30bf13b72e5e..3c5abfbbe60e 100644
+--- a/arch/powerpc/mm/mem.c
++++ b/arch/powerpc/mm/mem.c
+@@ -353,6 +353,14 @@ void __init mem_init(void)
+ BUILD_BUG_ON(MMU_PAGE_COUNT > 16);
+
+ #ifdef CONFIG_SWIOTLB
++ /*
++ * Some platforms (e.g. 85xx) limit DMA-able memory way below
++ * 4G. We force memblock to bottom-up mode to ensure that the
++ * memory allocated in swiotlb_init() is DMA-able.
++ * As it's the last memblock allocation, no need to reset it
++ * back to to-down.
++ */
++ memblock_set_bottom_up(true);
+ swiotlb_init(0);
+ #endif
+
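Review bot: The added comment ends with "back to to-down", which should read "top-down". More importantly, its claim that swiotlb_init() is the last memblock allocation is not enforced by anything in this hunk, so any early allocation that later runs after this point would silently become bottom-up too. Saving the current mode with `memblock_bottom_up()` before the call and restoring it with `memblock_set_bottom_up()` after `swiotlb_init(0)` would remove that dependency on ordering. mem_init() starts and ends outside the hunk.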
+--
+2.20.1
+
--- /dev/null
+From 23cb7ca1c739f6d15b5b93294b46f43a51b167e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 23:16:00 +0100
+Subject: regulator: rn5t618: fix module aliases
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+[ Upstream commit 62a1923cc8fe095912e6213ed5de27abbf1de77e ]
+
+platform device aliases were missing, preventing
+autoloading of module.
+
+Fixes: 811b700630ff ("regulator: rn5t618: add driver for Ricoh RN5T618 regulators")
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Link: https://lore.kernel.org/r/20191211221600.29438-1-andreas@kemnade.info
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/rn5t618-regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/rn5t618-regulator.c b/drivers/regulator/rn5t618-regulator.c
+index 790a4a73ea2c..40b74648bd31 100644
+--- a/drivers/regulator/rn5t618-regulator.c
++++ b/drivers/regulator/rn5t618-regulator.c
+@@ -154,6 +154,7 @@ static struct platform_driver rn5t618_regulator_driver = {
+
+ module_platform_driver(rn5t618_regulator_driver);
+
++MODULE_ALIAS("platform:rn5t618-regulator");
+ MODULE_AUTHOR("Beniamino Galvani <b.galvani@gmail.com>");
+ MODULE_DESCRIPTION("RN5T618 regulator driver");
+ MODULE_LICENSE("GPL v2");
+--
+2.20.1
+
--- /dev/null
+From 123e12f4f2dcb20da71f1e09c6d84deb7f19de33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Dec 2019 09:34:08 -0600
+Subject: rfkill: Fix incorrect check to avoid NULL pointer dereference
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit 6fc232db9e8cd50b9b83534de9cd91ace711b2d7 ]
+
+In rfkill_register, the struct rfkill pointer is first derefernced
+and then checked for NULL. This patch removes the BUG_ON and returns
+an error to the caller in case rfkill is NULL.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Link: https://lore.kernel.org/r/20191215153409.21696-1-pakki001@umn.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rfkill/core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/rfkill/core.c b/net/rfkill/core.c
+index 99a2e55b01cf..e31b4288f32c 100644
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -998,10 +998,13 @@ static void rfkill_sync_work(struct work_struct *work)
+ int __must_check rfkill_register(struct rfkill *rfkill)
+ {
+ static unsigned long rfkill_no;
+- struct device *dev = &rfkill->dev;
++ struct device *dev;
+ int error;
+
+- BUG_ON(!rfkill);
++ if (!rfkill)
++ return -EINVAL;
++
++ dev = &rfkill->dev;
+
+ mutex_lock(&rfkill_global_mutex);
+
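Review bot: Returning -EINVAL for a NULL `rfkill` drops the diagnostic that BUG_ON() gave; `__must_check` makes callers look at the result, but the log no longer shows which caller passed NULL. `if (WARN_ON(!rfkill)) return -EINVAL;` keeps the non-fatal behaviour and still leaves a stack trace. Moving the `dev = &rfkill->dev;` assignment below the check is the right cleanup either way. rfkill_register() continues outside the hunk.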
+--
+2.20.1
+
--- /dev/null
+From fab227330bbf185969ea290d6b7868fd6156ca4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 09:43:50 +0100
+Subject: s390/dasd/cio: Interpret ccw_device_get_mdc return value correctly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jan Höppner <hoeppner@linux.ibm.com>
+
+[ Upstream commit dd4b3c83b9efac10d48a94c61372119fc555a077 ]
+
+The max data count (mdc) is an unsigned 16-bit integer value as per AR
+documentation and is received via ccw_device_get_mdc() for a specific
+path mask from the CIO layer. The function itself also always returns a
+positive mdc value or 0 in case mdc isn't supported or couldn't be
+determined.
+
+Though, the comment for this function describes a negative return value
+to indicate failures.
+
+As a result, the DASD device driver interprets the return value of
+ccw_device_get_mdc() incorrectly. The error case is essentially a dead
+code path.
+
+To fix this behaviour, check explicitly for a return value of 0 and
+change the comment for ccw_device_get_mdc() accordingly.
+
+This fix merely enables the error code path in the DASD functions
+get_fcx_max_data() and verify_fcx_max_data(). The actual functionality
+stays the same and is still correct.
+
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+Acked-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 9 +++++----
+ drivers/s390/cio/device_ops.c | 2 +-
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index 0d5e2d92e05b..81359312a987 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -1133,7 +1133,8 @@ static u32 get_fcx_max_data(struct dasd_device *device)
+ {
+ struct dasd_eckd_private *private = device->private;
+ int fcx_in_css, fcx_in_gneq, fcx_in_features;
+- int tpm, mdc;
++ unsigned int mdc;
++ int tpm;
+
+ if (dasd_nofcx)
+ return 0;
+@@ -1147,7 +1148,7 @@ static u32 get_fcx_max_data(struct dasd_device *device)
+ return 0;
+
+ mdc = ccw_device_get_mdc(device->cdev, 0);
+- if (mdc < 0) {
++ if (mdc == 0) {
+ dev_warn(&device->cdev->dev, "Detecting the maximum supported data size for zHPF requests failed\n");
+ return 0;
+ } else {
+@@ -1158,12 +1159,12 @@ static u32 get_fcx_max_data(struct dasd_device *device)
+ static int verify_fcx_max_data(struct dasd_device *device, __u8 lpm)
+ {
+ struct dasd_eckd_private *private = device->private;
+- int mdc;
++ unsigned int mdc;
+ u32 fcx_max_data;
+
+ if (private->fcx_max_data) {
+ mdc = ccw_device_get_mdc(device->cdev, lpm);
+- if ((mdc < 0)) {
++ if (mdc == 0) {
+ dev_warn(&device->cdev->dev,
+ "Detecting the maximum data size for zHPF "
+ "requests failed (rc=%d) for a new path %x\n",
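Review bot: With `mdc` now `unsigned int` and the failure test changed to `mdc == 0`, the `(rc=%d)` in the verify_fcx_max_data() warning no longer carries information. If `mdc` is the argument bound to it (the argument list is outside the hunk), it always prints 0 and the specifier no longer matches the type; either drop `(rc=%d)` from the message or switch it to `%u`. ccw_device_get_mdc() is also still declared `int` in the device_ops.c hunk while its comment now says 0 is the only failure value, so an unsigned return type would keep declaration, comment and callers consistent.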
+diff --git a/drivers/s390/cio/device_ops.c b/drivers/s390/cio/device_ops.c
+index b22922ec32d1..474afec9ab87 100644
+--- a/drivers/s390/cio/device_ops.c
++++ b/drivers/s390/cio/device_ops.c
+@@ -595,7 +595,7 @@ EXPORT_SYMBOL(ccw_device_tm_start_timeout);
+ * @mask: mask of paths to use
+ *
+ * Return the number of 64K-bytes blocks all paths at least support
+- * for a transport command. Return values <= 0 indicate failures.
++ * for a transport command. Return value 0 indicates failure.
+ */
+ int ccw_device_get_mdc(struct ccw_device *cdev, u8 mask)
+ {
+--
+2.20.1
+
--- /dev/null
+From 98ee1326de3f70b31bf545d45c5ae47791cfc3a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 09:43:51 +0100
+Subject: s390/dasd: fix memleak in path handling error case
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 00b39f698a4f1ee897227cace2e3937fc4412270 ]
+
+If for whatever reason the dasd_eckd_check_characteristics() function
+exits after at least some paths have their configuration data
+allocated those data is never freed again. In the error case the
+device->private pointer is set to NULL and dasd_eckd_uncheck_device()
+will exit without freeing the path data because of this NULL pointer.
+
+Fix by calling dasd_eckd_clear_conf_data() for error cases.
+
+Also use dasd_eckd_clear_conf_data() in dasd_eckd_uncheck_device()
+to avoid code duplication.
+
+Reported-by: Qian Cai <cai@lca.pw>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index 81359312a987..aa651403546f 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -1768,7 +1768,7 @@ dasd_eckd_check_characteristics(struct dasd_device *device)
+ dasd_free_block(device->block);
+ device->block = NULL;
+ out_err1:
+- kfree(private->conf_data);
++ dasd_eckd_clear_conf_data(device);
+ kfree(device->private);
+ device->private = NULL;
+ return rc;
+@@ -1777,7 +1777,6 @@ dasd_eckd_check_characteristics(struct dasd_device *device)
+ static void dasd_eckd_uncheck_device(struct dasd_device *device)
+ {
+ struct dasd_eckd_private *private = device->private;
+- int i;
+
+ if (!private)
+ return;
+@@ -1787,21 +1786,7 @@ static void dasd_eckd_uncheck_device(struct dasd_device *device)
+ private->sneq = NULL;
+ private->vdsneq = NULL;
+ private->gneq = NULL;
+- private->conf_len = 0;
+- for (i = 0; i < 8; i++) {
+- kfree(device->path[i].conf_data);
+- if ((__u8 *)device->path[i].conf_data ==
+- private->conf_data) {
+- private->conf_data = NULL;
+- private->conf_len = 0;
+- }
+- device->path[i].conf_data = NULL;
+- device->path[i].cssid = 0;
+- device->path[i].ssid = 0;
+- device->path[i].chpid = 0;
+- }
+- kfree(private->conf_data);
+- private->conf_data = NULL;
++ dasd_eckd_clear_conf_data(device);
+ }
+
+ static struct dasd_ccw_req *
+--
+2.20.1
+
--- /dev/null
+From 3d3e4476af048689ccb91d3a7b0df631e469a9ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 17:01:14 +0900
+Subject: samples: bpf: fix syscall_tp due to unused syscall
+
+From: Daniel T. Lee <danieltimlee@gmail.com>
+
+[ Upstream commit fe3300897cbfd76c6cb825776e5ac0ca50a91ca4 ]
+
+Currently, open() is called from the user program and it calls the syscall
+'sys_openat', not the 'sys_open'. This leads to an error of the program
+of user side, due to the fact that the counter maps are zero since no
+function such 'sys_open' is called.
+
+This commit adds the kernel bpf program which are attached to the
+tracepoint 'sys_enter_openat' and 'sys_enter_openat'.
+
+Fixes: 1da236b6be963 ("bpf: add a test case for syscalls/sys_{enter|exit}_* tracepoints")
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/syscall_tp_kern.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/syscall_tp_kern.c b/samples/bpf/syscall_tp_kern.c
+index 9149c524d279..8833aacb9c8c 100644
+--- a/samples/bpf/syscall_tp_kern.c
++++ b/samples/bpf/syscall_tp_kern.c
+@@ -50,13 +50,27 @@ static __always_inline void count(void *map)
+ SEC("tracepoint/syscalls/sys_enter_open")
+ int trace_enter_open(struct syscalls_enter_open_args *ctx)
+ {
+- count((void *)&enter_open_map);
++ count(&enter_open_map);
++ return 0;
++}
++
++SEC("tracepoint/syscalls/sys_enter_openat")
++int trace_enter_open_at(struct syscalls_enter_open_args *ctx)
++{
++ count(&enter_open_map);
+ return 0;
+ }
+
+ SEC("tracepoint/syscalls/sys_exit_open")
+ int trace_enter_exit(struct syscalls_exit_open_args *ctx)
+ {
+- count((void *)&exit_open_map);
++ count(&exit_open_map);
++ return 0;
++}
++
++SEC("tracepoint/syscalls/sys_exit_openat")
++int trace_enter_exit_at(struct syscalls_exit_open_args *ctx)
++{
++ count(&exit_open_map);
+ return 0;
+ }
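Review bot: The new handlers attached to `sys_enter_openat` and `sys_exit_openat` take `struct syscalls_enter_open_args *` and `struct syscalls_exit_open_args *`, which describe the open() tracepoints rather than openat(), whose arguments begin with an extra `dfd`. Nothing reads `ctx` here, so the counters are correct, but anyone who later extends the sample to read a field would read the wrong offset. A comment such as `/* ctx is unused; the struct describes sys_enter_open, not openat */` on each new handler, or a dedicated openat args struct, would avoid that. The names `trace_enter_exit` and `trace_enter_exit_at` for exit handlers are also easy to misread; `trace_exit_open` and `trace_exit_open_at` would match the enter side.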
+--
+2.20.1
+
--- /dev/null
+From 06b296d762c6720973489ef0b823c12dd367fc48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 17:01:13 +0900
+Subject: samples: bpf: Replace symbol compare of trace_event
+
+From: Daniel T. Lee <danieltimlee@gmail.com>
+
+[ Upstream commit bba1b2a890253528c45aa66cf856f289a215bfbc ]
+
+Previously, when this sample is added, commit 1c47910ef8013
+("samples/bpf: add perf_event+bpf example"), a symbol 'sys_read' and
+'sys_write' has been used without no prefixes. But currently there are
+no exact symbols with these under kallsyms and this leads to failure.
+
+This commit changes exact compare to substring compare to keep compatible
+with exact symbol or prefixed symbol.
+
+Fixes: 1c47910ef8013 ("samples/bpf: add perf_event+bpf example")
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20191205080114.19766-2-danieltimlee@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/trace_event_user.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/trace_event_user.c b/samples/bpf/trace_event_user.c
+index c7d525e5696e..8c7445874662 100644
+--- a/samples/bpf/trace_event_user.c
++++ b/samples/bpf/trace_event_user.c
+@@ -34,9 +34,9 @@ static void print_ksym(__u64 addr)
+ return;
+ sym = ksym_search(addr);
+ printf("%s;", sym->name);
+- if (!strcmp(sym->name, "sys_read"))
++ if (!strstr(sym->name, "sys_read"))
+ sys_read_seen = true;
+- else if (!strcmp(sym->name, "sys_write"))
++ else if (!strstr(sym->name, "sys_write"))
+ sys_write_seen = true;
+ }
+
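Review bot: The switch from `strcmp` to `strstr` keeps the leading `!`, which inverts the test: `strstr()` returns a non-NULL pointer on a match, so `!strstr(sym->name, "sys_read")` is true for every symbol that does not contain `sys_read`. The conditions should be `if (strstr(sym->name, "sys_read"))` and `else if (strstr(sym->name, "sys_write"))`. As written, `sys_read_seen` is set by the first unrelated symbol and `sys_write_seen` only by a symbol that does contain `sys_read`, so the sample's check no longer proves that either syscall was sampled. Separately, `sym` is dereferenced in the `printf` directly after `ksym_search(addr)`; if that helper can return NULL for an unknown address (its definition is not visible here), a guard is needed before `sym->name`. print_ksym() starts outside the hunk.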
+--
+2.20.1
+
usb-dummy-hcd-use-usb_urb_dir_in-instead-of-usb_pipein.patch
usb-dummy-hcd-increase-max-number-of-devices-to-32.patch
+locking-spinlock-debug-fix-various-data-races.patch
+netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch
+mwifiex-fix-heap-overflow-in-mmwifiex_process_tdls_a.patch
+libtraceevent-fix-lib-installation-with-o.patch
+x86-efi-update-e820-with-reserved-efi-boot-services-.patch
+efi-gop-return-efi_not_found-if-there-are-no-usable-.patch
+efi-gop-return-efi_success-if-a-usable-gop-was-found.patch
+efi-gop-fix-memory-leak-in-__gop_query32-64.patch
+arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch
+netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch
+netfilter-nf_tables-validate-nft_set_elem_interval_e.patch
+arm-dts-cygnus-fix-mdio-node-address-size-cells.patch
+spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch
+asoc-topology-check-return-value-for-soc_tplg_pcm_cr.patch
+arm-dts-bcm283x-fix-critical-trip-point.patch
+bpf-mips-limit-to-33-tail-calls.patch
+arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch
+samples-bpf-replace-symbol-compare-of-trace_event.patch
+samples-bpf-fix-syscall_tp-due-to-unused-syscall.patch
+powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch
+bnx2x-do-not-handle-requests-from-vfs-after-parity.patch
+bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch
+net-usb-lan78xx-fix-error-message-format-specifier.patch
+rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch
+asoc-wm8962-fix-lambda-value.patch
+regulator-rn5t618-fix-module-aliases.patch
+kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch
+perf-x86-intel-fix-pt-pmi-handling.patch
+fs-avoid-softlockups-in-s_inodes-iterators.patch
+net-stmmac-do-not-accept-invalid-mtu-values.patch
+net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch
+s390-dasd-cio-interpret-ccw_device_get_mdc-return-va.patch
+s390-dasd-fix-memleak-in-path-handling-error-case.patch
+block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch
+parisc-fix-compiler-warnings-in-debug_core.c.patch
+llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch
+hv_netvsc-fix-unwanted-rx_table-reset.patch
--- /dev/null
+From db0367bf2b46d13ae70a61ea9a32a92fe42cf723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 15:55:00 +0800
+Subject: spi: spi-cavium-thunderx: Add missing pci_release_regions()
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit a841e2853e1afecc2ee692b8cc5bff606bc84e4c ]
+
+The driver forgets to call pci_release_regions() in probe failure
+and remove.
+Add the missed calls to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Link: https://lore.kernel.org/r/20191206075500.18525-1-hslester96@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cavium-thunderx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-cavium-thunderx.c b/drivers/spi/spi-cavium-thunderx.c
+index 877937706240..828fbbebc3c4 100644
+--- a/drivers/spi/spi-cavium-thunderx.c
++++ b/drivers/spi/spi-cavium-thunderx.c
+@@ -81,6 +81,7 @@ static int thunderx_spi_probe(struct pci_dev *pdev,
+
+ error:
+ clk_disable_unprepare(p->clk);
++ pci_release_regions(pdev);
+ spi_master_put(master);
+ return ret;
+ }
+@@ -95,6 +96,7 @@ static void thunderx_spi_remove(struct pci_dev *pdev)
+ return;
+
+ clk_disable_unprepare(p->clk);
++ pci_release_regions(pdev);
+ /* Put everything in a known state. */
+ writeq(0, p->register_base + OCTEON_SPI_CFG(p));
+ }
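Review bot: In thunderx_spi_remove() the new `pci_release_regions(pdev)` sits before the `writeq(0, p->register_base + OCTEON_SPI_CFG(p))` that puts the controller in a known state, so the BAR reservation is dropped while the driver is still writing to the device registers. Moving the release to the end of the function, after the final register write, keeps teardown in reverse order of probe. If probe enables the device through the managed `pcim_enable_device()` (not visible in these hunks), it is also worth checking whether devres already releases the regions, in which case the explicit calls in both hunks would be redundant.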
+--
+2.20.1
+
--- /dev/null
+From 54b20104bee5a7f55f0782362c4c44d6461634da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 15:52:33 +0800
+Subject: x86/efi: Update e820 with reserved EFI boot services data to fix
+ kexec breakage
+
+From: Dave Young <dyoung@redhat.com>
+
+[ Upstream commit af164898482817a1d487964b68f3c21bae7a1beb ]
+
+Michael Weiser reported that he got this error during a kexec rebooting:
+
+ esrt: Unsupported ESRT version 2904149718861218184.
+
+The ESRT memory stays in EFI boot services data, and it was reserved
+in kernel via efi_mem_reserve(). The initial purpose of the reservation
+is to reuse the EFI boot services data across kexec reboot. For example
+the BGRT image data and some ESRT memory like Michael reported.
+
+But although the memory is reserved it is not updated in the X86 E820 table,
+and kexec_file_load() iterates system RAM in the IO resource list to find places
+for kernel, initramfs and other stuff. In Michael's case the kexec loaded
+initramfs overwrote the ESRT memory and then the failure happened.
+
+Since kexec_file_load() depends on the E820 table being updated, just fix this
+by updating the reserved EFI boot services memory as reserved type in E820.
+
+Originally any memory descriptors with EFI_MEMORY_RUNTIME attribute are
+bypassed in the reservation code path because they are assumed as reserved.
+
+But the reservation is still needed for multiple kexec reboots,
+and it is the only possible case we come here thus just drop the code
+chunk, then everything works without side effects.
+
+On my machine the ESRT memory sits in an EFI runtime data range, it does
+not trigger the problem, but I successfully tested with BGRT instead.
+both kexec_load() and kexec_file_load() work and kdump works as well.
+
+[ mingo: Edited the changelog. ]
+
+Reported-by: Michael Weiser <michael@weiser.dinsnail.net>
+Tested-by: Michael Weiser <michael@weiser.dinsnail.net>
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: kexec@lists.infradead.org
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191204075233.GA10520@dhcp-128-65.nay.redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/quirks.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
+index 5b513ccffde4..cadd7fd290fa 100644
+--- a/arch/x86/platform/efi/quirks.c
++++ b/arch/x86/platform/efi/quirks.c
+@@ -257,10 +257,6 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size)
+ return;
+ }
+
+- /* No need to reserve regions that will never be freed. */
+- if (md.attribute & EFI_MEMORY_RUNTIME)
+- return;
+-
+ size += addr % EFI_PAGE_SIZE;
+ size = round_up(size, EFI_PAGE_SIZE);
+ addr = round_down(addr, EFI_PAGE_SIZE);
+@@ -290,6 +286,8 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size)
+ early_memunmap(new, new_size);
+
+ efi_memmap_install(new_phys, num_entries);
++ e820__range_update(addr, size, E820_TYPE_RAM, E820_TYPE_RESERVED);
++ e820__update_table(e820_table);
+ }
+
+ /*
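Review bot: The two e820 calls added at the end of efi_arch_mem_reserve() carry no comment, while the first hunk removes the only comment that explained the reservation policy. A short comment above them, for example `/* kexec_file_load() picks load addresses from RAM resources derived from E820, so mark the range reserved there as well */`, would record why EFI quirk code updates the E820 table. Without it the link to the overwrite of reserved boot-services data described in the commit message is lost once the changelog is out of sight. The function starts outside the hunk.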
+--
+2.20.1
+