--- /dev/null
+From 7da3ac58b74f2a2a7a48e4631be4a72615dd268f Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 19 Jun 2019 14:18:31 +0200
+Subject: acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
+
+[ Upstream commit 2af22f3ec3ca452f1e79b967f634708ff01ced8a ]
+
+Some Qualcomm Snapdragon based laptops built to run Microsoft Windows
+are clearly ACPI 5.1 based, given that that is the first ACPI revision
+that supports ARM, and introduced the FADT 'arm_boot_flags' field,
+which has a non-zero field on those systems.
+
+So in these cases, infer from the ARM boot flags that the FADT must be
+5.1 or later, and treat it as 5.1.
+
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Lee Jones <lee.jones@linaro.org>
+Reviewed-by: Graeme Gregory <graeme.gregory@linaro.org>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/acpi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index 2804330c95dc..3a58e9db5cfe 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -152,10 +152,14 @@ static int __init acpi_fadt_sanity_check(void)
+ */
+ if (table->revision < 5 ||
+ (table->revision == 5 && fadt->minor_revision < 1)) {
+- pr_err("Unsupported FADT revision %d.%d, should be 5.1+\n",
++ pr_err(FW_BUG "Unsupported FADT revision %d.%d, should be 5.1+\n",
+ table->revision, fadt->minor_revision);
+- ret = -EINVAL;
+- goto out;
++
++ if (!fadt->arm_boot_flags) {
++ ret = -EINVAL;
++ goto out;
++ }
++ pr_err("FADT has ARM boot flags set, assuming 5.1\n");
+ }
+
+ if (!(fadt->flags & ACPI_FADT_HW_REDUCED)) {
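Review bot: The new `arm_boot_flags` fallback also runs when `table->revision < 5`, although the commit only targets tables reported as 5.0. For older revisions the field is read from a table that may not define it, and the hunk shows no check of the table length. Limiting the override to revision 5, `if (table->revision < 5 || !fadt->arm_boot_flags) {`, keeps the inference to the case the commit message describes. The follow-up `pr_err("FADT has ARM boot flags set, assuming 5.1\n")` reports a tolerated condition and would read better as `pr_warn`. The function starts and ends outside the hunk.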
+--
+2.20.1
+
--- /dev/null
+From 36be4afbbfc9df627b02696334f5862db0d07b56 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Mon, 17 Jun 2019 13:31:45 +0200
+Subject: ACPICA: Clear status of GPEs on first direct enable
+
+[ Upstream commit 44758bafa53602f2581a6857bb20b55d4d8ad5b2 ]
+
+ACPI GPEs (other than the EC one) can be enabled in two situations.
+First, the GPEs with existing _Lxx and _Exx methods are enabled
+implicitly by ACPICA during system initialization. Second, the
+GPEs without these methods (like GPEs listed by _PRW objects for
+wakeup devices) need to be enabled directly by the code that is
+going to use them (e.g. ACPI power management or device drivers).
+
+In the former case, if the status of a given GPE is set to start
+with, its handler method (either _Lxx or _Exx) needs to be invoked
+to take care of the events (possibly) signaled before the GPE was
+enabled. In the latter case, however, the first caller of
+acpi_enable_gpe() for a given GPE should not be expected to care
+about any events that might be signaled through it earlier. In
+that case, it is better to clear the status of the GPE before
+enabling it, to prevent stale events from triggering unwanted
+actions (like spurious system resume, for example).
+
+For this reason, modify acpi_ev_add_gpe_reference() to take an
+additional boolean argument indicating whether or not the GPE
+status needs to be cleared when its reference counter changes from
+zero to one and make acpi_enable_gpe() pass TRUE to it through
+that new argument.
+
+Fixes: 18996f2db918 ("ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume")
+Reported-by: Furquan Shaikh <furquan@google.com>
+Tested-by: Furquan Shaikh <furquan@google.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/acevents.h | 3 ++-
+ drivers/acpi/acpica/evgpe.c | 8 +++++++-
+ drivers/acpi/acpica/evgpeblk.c | 2 +-
+ drivers/acpi/acpica/evxface.c | 2 +-
+ drivers/acpi/acpica/evxfgpe.c | 2 +-
+ 5 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/acpica/acevents.h b/drivers/acpi/acpica/acevents.h
+index 831660179662..c8652f91054e 100644
+--- a/drivers/acpi/acpica/acevents.h
++++ b/drivers/acpi/acpica/acevents.h
+@@ -69,7 +69,8 @@ acpi_status
+ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked);
+
+ acpi_status
+-acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info);
++acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info,
++ u8 clear_on_enable);
+
+ acpi_status
+ acpi_ev_remove_gpe_reference(struct acpi_gpe_event_info *gpe_event_info);
+diff --git a/drivers/acpi/acpica/evgpe.c b/drivers/acpi/acpica/evgpe.c
+index 62d3aa74277b..344feba29063 100644
+--- a/drivers/acpi/acpica/evgpe.c
++++ b/drivers/acpi/acpica/evgpe.c
+@@ -146,6 +146,7 @@ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked)
+ * FUNCTION: acpi_ev_add_gpe_reference
+ *
+ * PARAMETERS: gpe_event_info - Add a reference to this GPE
++ * clear_on_enable - Clear GPE status before enabling it
+ *
+ * RETURN: Status
+ *
+@@ -155,7 +156,8 @@ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked)
+ ******************************************************************************/
+
+ acpi_status
+-acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info)
++acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info,
++ u8 clear_on_enable)
+ {
+ acpi_status status = AE_OK;
+
+@@ -170,6 +172,10 @@ acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info)
+
+ /* Enable on first reference */
+
++ if (clear_on_enable) {
++ (void)acpi_hw_clear_gpe(gpe_event_info);
++ }
++
+ status = acpi_ev_update_gpe_enable_mask(gpe_event_info);
+ if (ACPI_SUCCESS(status)) {
+ status = acpi_ev_enable_gpe(gpe_event_info);
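Review bot: The result of `acpi_hw_clear_gpe()` is cast to void, so if the clear fails the GPE is still enabled with whatever status was latched, which is the stale-event case the commit sets out to prevent. If ignoring the failure is deliberate, a comment such as `/* Best effort: enable even if the stale status could not be cleared */` would record that. Otherwise assign the result to `status` and skip the enable on failure. The function body continues outside the hunk.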
+diff --git a/drivers/acpi/acpica/evgpeblk.c b/drivers/acpi/acpica/evgpeblk.c
+index 328d1d6123ad..fb15e9e2373b 100644
+--- a/drivers/acpi/acpica/evgpeblk.c
++++ b/drivers/acpi/acpica/evgpeblk.c
+@@ -453,7 +453,7 @@ acpi_ev_initialize_gpe_block(struct acpi_gpe_xrupt_info *gpe_xrupt_info,
+ continue;
+ }
+
+- status = acpi_ev_add_gpe_reference(gpe_event_info);
++ status = acpi_ev_add_gpe_reference(gpe_event_info, FALSE);
+ if (ACPI_FAILURE(status)) {
+ ACPI_EXCEPTION((AE_INFO, status,
+ "Could not enable GPE 0x%02X",
+diff --git a/drivers/acpi/acpica/evxface.c b/drivers/acpi/acpica/evxface.c
+index 3df00eb6621b..279ef0557aa3 100644
+--- a/drivers/acpi/acpica/evxface.c
++++ b/drivers/acpi/acpica/evxface.c
+@@ -971,7 +971,7 @@ acpi_remove_gpe_handler(acpi_handle gpe_device,
+ ACPI_GPE_DISPATCH_METHOD) ||
+ (ACPI_GPE_DISPATCH_TYPE(handler->original_flags) ==
+ ACPI_GPE_DISPATCH_NOTIFY)) && handler->originally_enabled) {
+- (void)acpi_ev_add_gpe_reference(gpe_event_info);
++ (void)acpi_ev_add_gpe_reference(gpe_event_info, FALSE);
+ if (ACPI_GPE_IS_POLLING_NEEDED(gpe_event_info)) {
+
+ /* Poll edge triggered GPEs to handle existing events */
+diff --git a/drivers/acpi/acpica/evxfgpe.c b/drivers/acpi/acpica/evxfgpe.c
+index 30a083902f52..710488ec59e9 100644
+--- a/drivers/acpi/acpica/evxfgpe.c
++++ b/drivers/acpi/acpica/evxfgpe.c
+@@ -108,7 +108,7 @@ acpi_status acpi_enable_gpe(acpi_handle gpe_device, u32 gpe_number)
+ if (gpe_event_info) {
+ if (ACPI_GPE_DISPATCH_TYPE(gpe_event_info->flags) !=
+ ACPI_GPE_DISPATCH_NONE) {
+- status = acpi_ev_add_gpe_reference(gpe_event_info);
++ status = acpi_ev_add_gpe_reference(gpe_event_info, TRUE);
+ if (ACPI_SUCCESS(status) &&
+ ACPI_GPE_IS_POLLING_NEEDED(gpe_event_info)) {
+
+--
+2.20.1
+
--- /dev/null
+From 90c08dabce288bcaf4617c6389b243d5fee283b6 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sat, 25 May 2019 19:09:35 +0100
+Subject: af_key: fix leaks in key_pol_get_resp and dump_sp.
+
+[ Upstream commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 ]
+
+In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
+allocated sk_buff. Free it on error.
+
+Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
+Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index a50dd6f34b91..fe5fc4bab7ee 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2438,8 +2438,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
+ goto out;
+ }
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ goto out;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = hdr->sadb_msg_version;
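Review bot: Both error paths now free `out_skb` by hand (here and in the `dump_sp` hunk that follows), but nothing at either call site records that `pfkey_xfrm_policy2msg()` leaves the skb with the caller when it fails. A one-line comment above the call, `/* on failure out_skb is still ours to free */`, would make the ownership rule visible to the next caller. Other callers of `pfkey_xfrm_policy2msg()` are not visible here and may deserve the same check. Both functions start and end outside their hunks.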
+@@ -2690,8 +2692,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
+ return PTR_ERR(out_skb);
+
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ return err;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = pfk->dump.msg_version;
+--
+2.20.1
+
--- /dev/null
+From b77b1275693e710827d311e6f4e95bfad647cf09 Mon Sep 17 00:00:00 2001
+From: Rander Wang <rander.wang@linux.intel.com>
+Date: Mon, 1 Jul 2019 15:46:30 +0800
+Subject: ALSA: hda: Fix a headphone detection issue when using SOF
+
+[ Upstream commit 7c2b3629d09ddec810dc4c1d3a6657c32def8f71 ]
+
+To save power, the hda hdmi driver in ASoC invokes snd_hdac_ext_bus_link_put
+to disable CORB/RIRB buffers DMA if there is no user of bus and invokes
+snd_hdac_ext_bus_link_get to set up CORB/RIRB buffers when it is used.
+Unsolicited responses is disabled in snd_hdac_bus_stop_cmd_io called by
+snd_hdac_ext_bus_link_put , but it is not enabled in snd_hdac_bus_init_cmd_io
+called by snd_hdac_ext_bus_link_get. So for put-get sequence, Unsolicited
+responses is disabled and headphone can't be detected by hda codecs.
+
+Now unsolicited responses is only enabled in snd_hdac_bus_reset_link
+which resets controller. The function is only called for setup of
+controller. This patch enables Unsolicited responses after RIRB is
+initialized in snd_hdac_bus_init_cmd_io which works together with
+snd_hdac_bus_reset_link to set up controller.
+
+Tested legacy hda driver and SOF driver on intel whiskeylake.
+
+Reviewed-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Rander Wang <rander.wang@linux.intel.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/hdac_controller.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/hda/hdac_controller.c b/sound/hda/hdac_controller.c
+index b02f74528b66..812dc144fb5b 100644
+--- a/sound/hda/hdac_controller.c
++++ b/sound/hda/hdac_controller.c
+@@ -79,6 +79,8 @@ void snd_hdac_bus_init_cmd_io(struct hdac_bus *bus)
+ snd_hdac_chip_writew(bus, RINTCNT, 1);
+ /* enable rirb dma and response irq */
+ snd_hdac_chip_writeb(bus, RIRBCTL, AZX_RBCTL_DMA_EN | AZX_RBCTL_IRQ_EN);
++ /* Accept unsolicited responses */
++ snd_hdac_chip_updatel(bus, GCTL, AZX_GCTL_UNSOL, AZX_GCTL_UNSOL);
+ spin_unlock_irq(&bus->reg_lock);
+ }
+ EXPORT_SYMBOL_GPL(snd_hdac_bus_init_cmd_io);
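Review bot: The moved comment `/* Accept unsolicited responses */` does not say why the bit is set here rather than at link reset, and the next hunk removes the only other place that set `AZX_GCTL_UNSOL`. Per the commit message the bit is cleared in `snd_hdac_bus_stop_cmd_io()`, so the comment could record the pairing: `/* Accept unsolicited responses; disabled again in snd_hdac_bus_stop_cmd_io() */`. Any path that calls `snd_hdac_bus_reset_link()` without a following `snd_hdac_bus_init_cmd_io()` would now leave unsolicited responses off; no such caller is visible here, so this is worth confirming. The start of the function is outside the hunk.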
+@@ -415,9 +417,6 @@ int snd_hdac_bus_reset_link(struct hdac_bus *bus, bool full_reset)
+ return -EBUSY;
+ }
+
+- /* Accept unsolicited responses */
+- snd_hdac_chip_updatel(bus, GCTL, AZX_GCTL_UNSOL, AZX_GCTL_UNSOL);
+-
+ /* detect codecs */
+ if (!bus->codec_mask) {
+ bus->codec_mask = snd_hdac_chip_readw(bus, STATESTS);
+--
+2.20.1
+
--- /dev/null
+From 525d830a6ad8340988af1800995f70a88a173cfd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+ <amadeuszx.slawinski@linux.intel.com>
+Date: Mon, 17 Jun 2019 13:36:35 +0200
+Subject: ALSA: hdac: Fix codec name after machine driver is unloaded and
+ reloaded
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 8a5b0177a7f6099ff534a4d9ce72673af5c3cade ]
+
+Currently on each driver reload internal counter is being increased. It
+causes failure to enumerate driver devices, as they have hardcoded:
+.codec_name = "ehdaudio0D2",
+As there is currently no devices with multiple hda codecs and there is
+currently no established way to reliably differentiate, between them,
+always assign bus->idx = 0;
+
+This fixes a problem when we unload and reload machine driver idx gets
+incremented, so .codec_name would've needed to be set to "ehdaudio1D2"
+after first reload and so on.
+
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/ext/hdac_ext_bus.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/hda/ext/hdac_ext_bus.c b/sound/hda/ext/hdac_ext_bus.c
+index a3a113ef5d56..4f9f1d2a2ec5 100644
+--- a/sound/hda/ext/hdac_ext_bus.c
++++ b/sound/hda/ext/hdac_ext_bus.c
+@@ -85,7 +85,6 @@ int snd_hdac_ext_bus_init(struct hdac_bus *bus, struct device *dev,
+ const struct hdac_ext_bus_ops *ext_ops)
+ {
+ int ret;
+- static int idx;
+
+ /* check if io ops are provided, if not load the defaults */
+ if (io_ops == NULL)
+@@ -96,7 +95,12 @@ int snd_hdac_ext_bus_init(struct hdac_bus *bus, struct device *dev,
+ return ret;
+
+ bus->ext_ops = ext_ops;
+- bus->idx = idx++;
++ /* FIXME:
++ * Currently only one bus is supported, if there is device with more
++ * buses, bus->idx should be greater than 0, but there needs to be a
++ * reliable way to always assign same number.
++ */
++ bus->idx = 0;
+ bus->cmd_dma_state = true;
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 88c7c3774a84f54a1c5436592875a981e4aa0b4c Mon Sep 17 00:00:00 2001
+From: Julien Thierry <julien.thierry@arm.com>
+Date: Tue, 11 Jun 2019 10:38:06 +0100
+Subject: arm64: Do not enable IRQs for ct_user_exit
+
+[ Upstream commit 9034f6251572a4744597c51dea5ab73a55f2b938 ]
+
+For el0_dbg and el0_error, DAIF bits get explicitly cleared before
+calling ct_user_exit.
+
+When context tracking is disabled, DAIF gets set (almost) immediately
+after. When context tracking is enabled, among the first things done
+is disabling IRQs.
+
+What is actually needed is:
+- PSR.D = 0 so the system can be debugged (should be already the case)
+- PSR.A = 0 so async error can be handled during context tracking
+
+Do not clear PSR.I in those two locations.
+
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/entry.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index 2df8d0a1d980..dbe467686332 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -859,7 +859,7 @@ el0_dbg:
+ mov x1, x25
+ mov x2, sp
+ bl do_debug_exception
+- enable_daif
++ enable_da_f
+ ct_user_exit
+ b ret_to_user
+ el0_inv:
+@@ -911,7 +911,7 @@ el0_error_naked:
+ enable_dbg
+ mov x0, sp
+ bl do_serror
+- enable_daif
++ enable_da_f
+ ct_user_exit
+ b ret_to_user
+ ENDPROC(el0_error)
+--
+2.20.1
+
--- /dev/null
+From cab3a183af5c5420aff660e6c900dea62aabd890 Mon Sep 17 00:00:00 2001
+From: Miles Chen <miles.chen@mediatek.com>
+Date: Wed, 29 May 2019 00:08:20 +0800
+Subject: arm64: mm: make CONFIG_ZONE_DMA32 configurable
+
+[ Upstream commit 0c1f14ed12262f45a3af1d588e4d7bd12438b8f5 ]
+
+This change makes CONFIG_ZONE_DMA32 default y and allows users
+to overwrite it only when CONFIG_EXPERT=y.
+
+For the SoCs that do not need CONFIG_ZONE_DMA32, this is the
+first step to manage all available memory by a single
+zone(normal zone) to reduce the overhead of multiple zones.
+
+The change also fixes a build error when CONFIG_NUMA=y and
+CONFIG_ZONE_DMA32=n.
+
+arch/arm64/mm/init.c:195:17: error: use of undeclared identifier 'ZONE_DMA32'
+ max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
+
+Change since v1:
+1. only expose CONFIG_ZONE_DMA32 when CONFIG_EXPERT=y
+2. remove redundant IS_ENABLED(CONFIG_ZONE_DMA32)
+
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Miles Chen <miles.chen@mediatek.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 3 ++-
+ arch/arm64/mm/init.c | 5 +++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 697ea0510729..cf5f1dafcf74 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -260,7 +260,8 @@ config GENERIC_CALIBRATE_DELAY
+ def_bool y
+
+ config ZONE_DMA32
+- def_bool y
++ bool "Support DMA32 zone" if EXPERT
++ default y
+
+ config HAVE_GENERIC_GUP
+ def_bool y
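Review bot: `ZONE_DMA32` becomes a user-visible prompt here but gets no `help` entry, so someone building with EXPERT set has nothing in the menu telling them what turning it off means. A short help text should say that disabling the option puts all memory in the normal zone and is only suitable for SoCs that do not need a separate DMA32 zone, as the commit message describes. Without that, the option is easy to disable on a platform whose devices depend on it.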
+diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c
+index 749c9b269f08..f3c795278def 100644
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -180,8 +180,9 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max)
+ {
+ unsigned long max_zone_pfns[MAX_NR_ZONES] = {0};
+
+- if (IS_ENABLED(CONFIG_ZONE_DMA32))
+- max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
++#ifdef CONFIG_ZONE_DMA32
++ max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
++#endif
+ max_zone_pfns[ZONE_NORMAL] = max;
+
+ free_area_init_nodes(max_zone_pfns);
+--
+2.20.1
+
--- /dev/null
+From 48338538c36eff4cb38dae737547fedeb5944f8a Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Thu, 4 Jul 2019 16:38:50 +0800
+Subject: ASoC: audio-graph-card: fix use-after-free in graph_for_each_link
+
+[ Upstream commit 1bcc1fd64e4dd903f4d868a9e053986e3b102713 ]
+
+After calling of_node_put() on the codec_ep and codec_port variables,
+they are still being used, which may result in use-after-free.
+We fix this issue by calling of_node_put() after the last usage.
+
+Fixes: fce9b90c1ab7 ("ASoC: audio-graph-card: cleanup DAI link loop method - step2")
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linux-kernel@vger.kernel.org
+Link: https://lore.kernel.org/r/1562229530-8121-1-git-send-email-wen.yang99@zte.com.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/generic/audio-graph-card.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
+index ec7e673ba475..70ed28d97d49 100644
+--- a/sound/soc/generic/audio-graph-card.c
++++ b/sound/soc/generic/audio-graph-card.c
+@@ -435,9 +435,6 @@ static int graph_for_each_link(struct asoc_simple_priv *priv,
+ codec_ep = of_graph_get_remote_endpoint(cpu_ep);
+ codec_port = of_get_parent(codec_ep);
+
+- of_node_put(codec_ep);
+- of_node_put(codec_port);
+-
+ /* get convert-xxx property */
+ memset(&adata, 0, sizeof(adata));
+ graph_parse_convert(dev, codec_ep, &adata);
+@@ -457,6 +454,9 @@ static int graph_for_each_link(struct asoc_simple_priv *priv,
+ else
+ ret = func_noml(priv, cpu_ep, codec_ep, li);
+
++ of_node_put(codec_ep);
++ of_node_put(codec_port);
++
+ if (ret < 0)
+ return ret;
+
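Review bot: The two `of_node_put()` calls are now the only release point for `codec_ep` and `codec_port`, and the code between the two hunks is not shown. Any `continue`, `break` or `return` on that stretch, now or added later, would skip them and leak both references. A comment at the new location, `/* drop the references taken above; keep this after the last use of codec_ep */`, would make the ordering constraint explicit. The loop and the function start and end outside the hunks.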
+--
+2.20.1
+
--- /dev/null
+From 1c613caa70b62fc92734df4e418104acea85ecdb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+ <amadeuszx.slawinski@linux.intel.com>
+Date: Mon, 17 Jun 2019 13:36:42 +0200
+Subject: ASoC: Intel: hdac_hdmi: Set ops to NULL on remove
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 0f6ff78540bd1b4df1e0f17806b0ce2e1dff0d78 ]
+
+When we unload Skylake driver we may end up calling
+hdac_component_master_unbind(), it uses acomp->audio_ops, which we set
+in hdmi_codec_probe(), so we need to set it to NULL in hdmi_codec_remove(),
+otherwise we will dereference no longer existing pointer.
+
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdac_hdmi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
+index 1f57126708e7..c9f9820968bb 100644
+--- a/sound/soc/codecs/hdac_hdmi.c
++++ b/sound/soc/codecs/hdac_hdmi.c
+@@ -1859,6 +1859,12 @@ static void hdmi_codec_remove(struct snd_soc_component *component)
+ {
+ struct hdac_hdmi_priv *hdmi = snd_soc_component_get_drvdata(component);
+ struct hdac_device *hdev = hdmi->hdev;
++ int ret;
++
++ ret = snd_hdac_acomp_register_notifier(hdev->bus, NULL);
++ if (ret < 0)
++ dev_err(&hdev->dev, "notifier unregister failed: err: %d\n",
++ ret);
+
+ pm_runtime_disable(&hdev->dev);
+ }
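Review bot: When `snd_hdac_acomp_register_notifier(hdev->bus, NULL)` fails, `hdmi_codec_remove()` only logs the error and continues, so the ops pointer set in probe may remain registered. That leaves the stale-pointer dereference described in the commit message possible on this path. The function returns void and cannot propagate the error, so a comment should say what is left behind, for example `/* on failure audio_ops stays registered; unbind may still call into it */`. It is also worth confirming from the callee, which is not visible here, whether unregistering with NULL can fail at all.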
+--
+2.20.1
+
--- /dev/null
+From 1a2808f317b46ca5ba00fefbb1481c74f7867986 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Tue, 28 May 2019 11:28:22 -0500
+Subject: ASoC: Intel: sof-rt5682: fix undefined references with Baytrail-only
+ support
+
+[ Upstream commit 17fc24875da1bef4650cf007edae3b2e26d2fa4e ]
+
+The sof-rt5682 machine driver supports both legacy Baytrail devices
+and more recent ApolloLake/CometLake platforms. When only Baytrail is
+selected, the compilation fails with the following errors:
+
+ERROR: "hdac_hdmi_jack_port_init"
+[sound/soc/intel/boards/snd-soc-sof_rt5682.ko] undefined!
+
+ERROR: "hdac_hdmi_jack_init"
+[sound/soc/intel/boards/snd-soc-sof_rt5682.ko] undefined!
+
+Fix by selecting SND_SOC_HDAC_HDMI unconditionally. The code for HDMI
+support is not reachable on Baytrail so this change has no functional
+impact.
+
+Fixes: f70abd75b7c6 ("ASoC: Intel: add sof-rt5682 machine driver")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/boards/Kconfig b/sound/soc/intel/boards/Kconfig
+index 5407d217228e..c0aef45d335a 100644
+--- a/sound/soc/intel/boards/Kconfig
++++ b/sound/soc/intel/boards/Kconfig
+@@ -392,7 +392,7 @@ config SND_SOC_INTEL_SOF_RT5682_MACH
+ (SND_SOC_SOF_BAYTRAIL && X86_INTEL_LPSS)
+ select SND_SOC_RT5682
+ select SND_SOC_DMIC
+- select SND_SOC_HDAC_HDMI if SND_SOC_SOF_HDA_COMMON
++ select SND_SOC_HDAC_HDMI
+ help
+ This adds support for ASoC machine driver for SOF platforms
+ with rt5682 codec.
+--
+2.20.1
+
--- /dev/null
+From 5ab6ef16a4dd5ab31ee49f55df37420d9ea2ca3d Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 13 Jun 2019 13:42:32 +0200
+Subject: ASoC: meson: axg-tdm: fix sample clock inversion
+
+[ Upstream commit cb36ff785e868992e96e8b9e5a0c2822b680a9e2 ]
+
+The content of SND_SOC_DAIFMT_FORMAT_MASK is a number, not a bitfield,
+so the test to check if the format is i2s is wrong. Because of this the
+clock setting may be wrong. For example, the sample clock gets inverted
+in DSP B mode, when it should not.
+
+Fix the lrclk invert helper function
+
+Fixes: 1a11d88f499c ("ASoC: meson: add tdm formatter base driver")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-tdm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/meson/axg-tdm.h b/sound/soc/meson/axg-tdm.h
+index e578b6f40a07..5774ce0916d4 100644
+--- a/sound/soc/meson/axg-tdm.h
++++ b/sound/soc/meson/axg-tdm.h
+@@ -40,7 +40,7 @@ struct axg_tdm_iface {
+
+ static inline bool axg_tdm_lrclk_invert(unsigned int fmt)
+ {
+- return (fmt & SND_SOC_DAIFMT_I2S) ^
++ return ((fmt & SND_SOC_DAIFMT_FORMAT_MASK) == SND_SOC_DAIFMT_I2S) ^
+ !!(fmt & (SND_SOC_DAIFMT_IB_IF | SND_SOC_DAIFMT_NB_IF));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 83584a6f734b815c9dd4d57e0ee5d19b52ba73d5 Mon Sep 17 00:00:00 2001
+From: Nilkanth Ahirrao <anilkanth@jp.adit-jv.com>
+Date: Tue, 18 Jun 2019 14:19:53 +0900
+Subject: ASoC: rsnd: fixup mod ID calculation in rsnd_ctu_probe_
+
+[ Upstream commit ac28ec07ae1c5c1e18ed6855eb105a328418da88 ]
+
+commit c16015f36cc1 ("ASoC: rsnd: add .get_id/.get_id_sub")
+introduces rsnd_ctu_id which calculates and gives
+the main Device id of the CTU by dividing the id by 4.
+rsnd_mod_id uses this interface to get the CTU main
+Device id. But this commit forgets to revert the main
+Device id calculation previously done in rsnd_ctu_probe_
+which also divides the id by 4. This patch corrects the
+same to get the correct main Device id.
+
+The issue is observed when rsnd_ctu_probe_ is done for CTU1
+
+Fixes: c16015f36cc1 ("ASoC: rsnd: add .get_id/.get_id_sub")
+
+Signed-off-by: Nilkanth Ahirrao <anilkanth@jp.adit-jv.com>
+Signed-off-by: Suresh Udipi <sudipi@jp.adit-jv.com>
+Signed-off-by: Jiada Wang <jiada_wang@mentor.com>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sh/rcar/ctu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sh/rcar/ctu.c b/sound/soc/sh/rcar/ctu.c
+index 8cb06dab234e..7647b3d4c0ba 100644
+--- a/sound/soc/sh/rcar/ctu.c
++++ b/sound/soc/sh/rcar/ctu.c
+@@ -108,7 +108,7 @@ static int rsnd_ctu_probe_(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+ {
+- return rsnd_cmd_attach(io, rsnd_mod_id(mod) / 4);
++ return rsnd_cmd_attach(io, rsnd_mod_id(mod));
+ }
+
+ static void rsnd_ctu_value_init(struct rsnd_dai_stream *io,
+--
+2.20.1
+
--- /dev/null
+From b4cc36aa765bb7a87cc5d97d70bd705d44948135 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Wed, 19 Jun 2019 10:07:19 +0900
+Subject: ASoC: soc-core: call snd_soc_unbind_card() under mutex_lock;
+
+[ Upstream commit b545542a0b866f7975254e41c595836e9bc0ff2f ]
+
+commit 34ac3c3eb8f0c07 ("ASoC: core: lock client_mutex while removing
+link components") added mutex_lock() at soc_remove_link_components().
+
+It is called from snd_soc_unbind_card()
+
+ snd_soc_unbind_card()
+=> soc_remove_link_components()
+ soc_cleanup_card_resources()
+ soc_remove_dai_links()
+=> soc_remove_link_components()
+
+And, there are 2 way to call it.
+
+(1)
+ snd_soc_unregister_component()
+** mutex_lock()
+ snd_soc_component_del_unlocked()
+=> snd_soc_unbind_card()
+** mutex_unlock()
+
+(2)
+ snd_soc_unregister_card()
+=> snd_soc_unbind_card()
+
+(1) case is already using mutex_lock() when it calles
+snd_soc_unbind_card(), thus, we will get lockdep warning.
+
+commit 495f926c68ddb90 ("ASoC: core: Fix deadlock in
+snd_soc_instantiate_card()") tried to fixup it, but still not
+enough. We still have lockdep warning when we try unbind/bind.
+
+We need mutex_lock() under snd_soc_unregister_card()
+instead of snd_remove_link_components()/snd_soc_unbind_card().
+
+Fixes: 34ac3c3eb8f0c07 ("ASoC: core: lock client_mutex while removing link components")
+Fixes: 495f926c68ddb90 ("ASoC: core: Fix deadlock in snd_soc_instantiate_card()")
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 41c0cfaf2db5..9138fcb15cd3 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2837,14 +2837,12 @@ static void snd_soc_unbind_card(struct snd_soc_card *card, bool unregister)
+ snd_soc_dapm_shutdown(card);
+ snd_soc_flush_all_delayed_work(card);
+
+- mutex_lock(&client_mutex);
+ /* remove all components used by DAI links on this card */
+ for_each_comp_order(order) {
+ for_each_card_rtds(card, rtd) {
+ soc_remove_link_components(card, rtd, order);
+ }
+ }
+- mutex_unlock(&client_mutex);
+
+ soc_cleanup_card_resources(card);
+ if (!unregister)
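Review bot: `snd_soc_unbind_card()` now relies on its caller holding `client_mutex`, but nothing in the function states or checks that. A later caller could therefore run the `soc_remove_link_components()` loop unlocked without any warning. Adding `lockdep_assert_held(&client_mutex);` at the top of the function would make the new locking contract checkable. The next hunk takes the lock in `snd_soc_unregister_card()`, and the commit message says the `snd_soc_unregister_component()` path already holds it. The start of the function is outside the hunk.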
+@@ -2863,7 +2861,9 @@ static void snd_soc_unbind_card(struct snd_soc_card *card, bool unregister)
+ */
+ int snd_soc_unregister_card(struct snd_soc_card *card)
+ {
++ mutex_lock(&client_mutex);
+ snd_soc_unbind_card(card, true);
++ mutex_unlock(&client_mutex);
+ dev_dbg(card->dev, "ASoC: Unregistered card '%s'\n", card->name);
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 157c906887d678d2699064fccbf15cb8066b25b2 Mon Sep 17 00:00:00 2001
+From: Anilkumar Kolli <akolli@codeaurora.org>
+Date: Wed, 6 Mar 2019 23:06:11 +0530
+Subject: ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
+
+[ Upstream commit d8792393a783158cbb2c39939cb897dc5e5299b6 ]
+
+Increase pulse width range from 1-2usec to 0-4usec.
+During data traffic HW occasionally fails detecting radar pulses,
+so that SW cannot get enough radar reports to achieve the success rate.
+
+Tested ath10k hw and fw:
+ * QCA9888(10.4-3.5.1-00052)
+ * QCA4019(10.4-3.2.1.1-00017)
+ * QCA9984(10.4-3.6-00104)
+ * QCA988X(10.2.4-1.0-00041)
+
+Tested ath9k hw: AR9300
+
+Tested-by: Tamizh chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index d52b31b45df7..a274eb0d1968 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -111,7 +111,7 @@ static const struct radar_detector_specs jp_radar_ref_types[] = {
+ JP_PATTERN(0, 0, 1, 1428, 1428, 1, 18, 29, false),
+ JP_PATTERN(1, 2, 3, 3846, 3846, 1, 18, 29, false),
+ JP_PATTERN(2, 0, 1, 1388, 1388, 1, 18, 50, false),
+- JP_PATTERN(3, 1, 2, 4000, 4000, 1, 18, 50, false),
++ JP_PATTERN(3, 0, 4, 4000, 4000, 1, 18, 50, false),
+ JP_PATTERN(4, 0, 5, 150, 230, 1, 23, 50, false),
+ JP_PATTERN(5, 6, 10, 200, 500, 1, 16, 50, false),
+ JP_PATTERN(6, 11, 20, 200, 500, 1, 12, 50, false),
+--
+2.20.1
+
--- /dev/null
+From 4dbae54e783eedae2aa1a1f31e937cb8b9822b5f Mon Sep 17 00:00:00 2001
+From: Claire Chang <tientzu@chromium.org>
+Date: Thu, 23 May 2019 15:15:34 +0800
+Subject: ath10k: add missing error handling
+
+[ Upstream commit 4b553f3ca4cbde67399aa3a756c37eb92145b8a1 ]
+
+In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
+ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
+This will make the driver think the allocation for skb is successful and
+try to access the skb. If we enable failslab, system will easily crash with
+NULL pointer dereferencing.
+
+Call trace of CONFIG_FAILSLAB:
+ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
+process_sdio_pending_irqs+0x4c/0x174
+sdio_run_irqs+0x3c/0x64
+sdio_irq_work+0x1c/0x28
+
+Fixes: d96db25d2025 ("ath10k: add initial SDIO support")
+Signed-off-by: Claire Chang <tientzu@chromium.org>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index fae56c67766f..73ef3e75d199 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -602,6 +602,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
+ full_len,
+ last_in_bundle,
+ last_in_bundle);
++ if (ret) {
++ ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret);
++ goto err;
++ }
+ }
+
+ ar_sdio->n_rx_pkts = i;
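Review bot: The added `goto err` leaves the loop with packets 0..i-1 already allocated and before `ar_sdio->n_rx_pkts = i` is stored, so the cleanup at `err` cannot rely on `n_rx_pkts` to know how many entries to free. The `err` label is outside the hunk; it is worth confirming that it releases every rx packet allocated so far. A short comment on the new branch, for example `/* partial allocation: err path frees the packets allocated so far */`, would record that dependency.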
+--
+2.20.1
+
--- /dev/null
+From 9098ed4bce8b41f361b0ace10e45f77127a82ac4 Mon Sep 17 00:00:00 2001
+From: Wen Gong <wgong@codeaurora.org>
+Date: Mon, 29 Apr 2019 19:17:12 +0800
+Subject: ath10k: add peer id check in ath10k_peer_find_by_id
+
+[ Upstream commit 49ed34b835e231aa941257394716bc689bc98d9f ]
+
+For some SDIO chip, the peer id is 65535 for MPDU with error status,
+then test_bit will trigger buffer overflow for peer's memory, if kasan
+enabled, it will report error.
+
+Reason is when station is in disconnecting status, firmware do not delete
+the peer info since it not disconnected completely, meanwhile some AP will
+still send data packet to station, then hardware will receive the packet
+and send to firmware, firmware's logic will report peer id of 65535 for
+MPDU with error status.
+
+Add check for overflow the size of peer's peer_ids will avoid the buffer
+overflow access.
+
+Call trace of kasan:
+dump_backtrace+0x0/0x2ec
+show_stack+0x20/0x2c
+__dump_stack+0x20/0x28
+dump_stack+0xc8/0xec
+print_address_description+0x74/0x240
+kasan_report+0x250/0x26c
+__asan_report_load8_noabort+0x20/0x2c
+ath10k_peer_find_by_id+0x180/0x1e4 [ath10k_core]
+ath10k_htt_t2h_msg_handler+0x100c/0x2fd4 [ath10k_core]
+ath10k_htt_htc_t2h_msg_handler+0x20/0x34 [ath10k_core]
+ath10k_sdio_irq_handler+0xcc8/0x1678 [ath10k_sdio]
+process_sdio_pending_irqs+0xec/0x370
+sdio_run_irqs+0x68/0xe4
+sdio_irq_work+0x1c/0x28
+process_one_work+0x3d8/0x8b0
+worker_thread+0x508/0x7cc
+kthread+0x24c/0x264
+ret_from_fork+0x10/0x18
+
+Tested with QCA6174 SDIO with firmware
+WLAN.RMH.4.4.1-00007-QCARMSWP-1.
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/txrx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
+index c5818d28f55a..4102df016931 100644
+--- a/drivers/net/wireless/ath/ath10k/txrx.c
++++ b/drivers/net/wireless/ath/ath10k/txrx.c
+@@ -150,6 +150,9 @@ struct ath10k_peer *ath10k_peer_find_by_id(struct ath10k *ar, int peer_id)
+ {
+ struct ath10k_peer *peer;
+
++ if (peer_id >= BITS_PER_TYPE(peer->peer_ids))
++ return NULL;
++
+ lockdep_assert_held(&ar->data_lock);
+
+ list_for_each_entry(peer, &ar->peers, list)
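Review bot: The new range check on `peer_id` sits before `lockdep_assert_held(&ar->data_lock)`, so a caller that passes an out-of-range id without holding the lock is no longer flagged by lockdep; placing the check after the assertion keeps that coverage. `peer_id` is a signed `int` while `BITS_PER_TYPE()` is built on `sizeof`, so negative ids appear to be rejected only through the implicit conversion to unsigned. A comment such as `/* firmware can report an out-of-range peer id (e.g. 65535) for MPDUs with error status */` would record why the check exists. The function body continues outside the hunk.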
+--
+2.20.1
+
--- /dev/null
+From 98a2c56b3440255c3874973e99d99879f92ef4a7 Mon Sep 17 00:00:00 2001
+From: Yingying Tang <yintang@codeaurora.org>
+Date: Thu, 2 May 2019 21:36:50 +0800
+Subject: ath10k: Check tx_stats before use it
+
+[ Upstream commit 9e7251fa38978b85108c44743e1436d48e8d0d76 ]
+
+tx_stats will be freed and set to NULL before the debugfs_sta node is
+removed in the station disconnection process. So reading the debugfs_sta
+node at that point may cause a NULL pointer error. Add a check for
+tx_stats before using it to resolve this issue.
+
+Signed-off-by: Yingying Tang <yintang@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/debugfs_sta.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+index c704ae371c4d..42931a669b02 100644
+--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c
++++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+@@ -663,6 +663,13 @@ static ssize_t ath10k_dbg_sta_dump_tx_stats(struct file *file,
+
+ mutex_lock(&ar->conf_mutex);
+
++ if (!arsta->tx_stats) {
++ ath10k_warn(ar, "failed to get tx stats");
++ mutex_unlock(&ar->conf_mutex);
++ kfree(buf);
++ return 0;
++ }
++
+ spin_lock_bh(&ar->data_lock);
+ for (k = 0; k < ATH10K_STATS_TYPE_MAX; k++) {
+ for (j = 0; j < ATH10K_COUNTER_TYPE_MAX; j++) {
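Review bot: The warning string in the added `!arsta->tx_stats` branch has no trailing newline, so it can run into the next kernel log line; it should read `ath10k_warn(ar, "failed to get tx stats\n");`. The NULL test is made under `ar->conf_mutex` only, so it closes the race only if the disconnect path frees and clears `tx_stats` under that same mutex, which is not visible here. The function begins and ends outside the hunk.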
+--
+2.20.1
+
--- /dev/null
+From 9833c3ef4e5dafbff02fb4e814a325971d30f08f Mon Sep 17 00:00:00 2001
+From: Wen Gong <wgong@codeaurora.org>
+Date: Thu, 27 Jun 2019 21:21:51 +0300
+Subject: ath10k: destroy sdio workqueue while remove sdio module
+
+[ Upstream commit 3ed39f8e747a7aafeec07bb244f2c3a1bdca5730 ]
+
+The workqueue needs to be flushed and destroyed when the sdio module is
+removed, otherwise its thread is left behind after the sdio module is
+removed.
+
+Tested with QCA6174 SDIO with firmware
+WLAN.RMH.4.4.1-00007-QCARMSWP-1.
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/sdio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index 73ef3e75d199..28bdf0212538 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -2081,6 +2081,9 @@ static void ath10k_sdio_remove(struct sdio_func *func)
+ cancel_work_sync(&ar_sdio->wr_async_work);
+ ath10k_core_unregister(ar);
+ ath10k_core_destroy(ar);
++
++ flush_workqueue(ar_sdio->workqueue);
++ destroy_workqueue(ar_sdio->workqueue);
+ }
+
+ static const struct sdio_device_id ath10k_sdio_devices[] = {
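Review bot: The two added calls read `ar_sdio->workqueue` after `ath10k_core_destroy(ar)`; if `ar_sdio` is the driver-private area inside the `ar` allocation (its definition is outside the hunk), that is a read of freed memory. Saving the pointer first with `struct workqueue_struct *wq = ar_sdio->workqueue;` and calling `destroy_workqueue(wq);` after the core is destroyed avoids touching `ar_sdio` at that point. `flush_workqueue()` directly before `destroy_workqueue()` is also redundant, since `destroy_workqueue()` drains pending work itself. The start of ath10k_sdio_remove() is outside the hunk.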
+--
+2.20.1
+
--- /dev/null
+From 547f410d3be7a408bc97590c20226919169cddda Mon Sep 17 00:00:00 2001
+From: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Date: Wed, 17 Apr 2019 14:01:46 +0530
+Subject: ath10k: Do not send probe response template for mesh
+
+[ Upstream commit 97354f2c432788e3163134df6bb144f4b6289d87 ]
+
+Currently mac80211 do not support probe response template for
+mesh point. When WMI_SERVICE_BEACON_OFFLOAD is enabled, host
+driver tries to configure probe response template for mesh, but
+it fails because the interface type is not NL80211_IFTYPE_AP but
+NL80211_IFTYPE_MESH_POINT.
+
+To avoid this failure, skip sending probe response template to
+firmware for mesh point.
+
+Tested HW: WCN3990/QCA6174/QCA9984
+
+Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index e8997e22ceec..b500fd427595 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1630,6 +1630,10 @@ static int ath10k_mac_setup_prb_tmpl(struct ath10k_vif *arvif)
+ if (arvif->vdev_type != WMI_VDEV_TYPE_AP)
+ return 0;
+
++ /* For mesh, probe response and beacon share the same template */
++ if (ieee80211_vif_is_mesh(vif))
++ return 0;
++
+ prb = ieee80211_proberesp_get(hw, vif);
+ if (!prb) {
+ ath10k_warn(ar, "failed to get probe resp template from mac80211\n");
+--
+2.20.1
+
--- /dev/null
+From 74fe3210d9e9e2fa44192ffa4cc94124b11592e9 Mon Sep 17 00:00:00 2001
+From: Rakesh Pillai <pillair@codeaurora.org>
+Date: Tue, 2 Apr 2019 18:12:50 +0530
+Subject: ath10k: Fix encoding for protected management frames
+
+[ Upstream commit 42f1bc43e6a97b9ddbe976eba9bd05306c990c75 ]
+
+Currently the protected management frames are
+not appended with the MIC_LEN which results in
+the protected management frames being encoded
+incorrectly.
+
+Add the extra space at the end of the protected
+management frames to fix this encoding error for
+the protected management frames.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
+
+Fixes: 1807da49733e ("ath10k: wmi: add management tx by reference support over wmi")
+Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index 582fb11f648a..02709fc99034 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -2840,8 +2840,10 @@ ath10k_wmi_tlv_op_gen_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
+ if ((ieee80211_is_action(hdr->frame_control) ||
+ ieee80211_is_deauth(hdr->frame_control) ||
+ ieee80211_is_disassoc(hdr->frame_control)) &&
+- ieee80211_has_protected(hdr->frame_control))
++ ieee80211_has_protected(hdr->frame_control)) {
++ skb_put(msdu, IEEE80211_CCMP_MIC_LEN);
+ buf_len += IEEE80211_CCMP_MIC_LEN;
++ }
+
+ buf_len = min_t(u32, buf_len, WMI_TLV_MGMT_TX_FRAME_MAX_LEN);
+ buf_len = round_up(buf_len, 4);
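Review bot: `skb_put(msdu, IEEE80211_CCMP_MIC_LEN)` is called without a tailroom check, and skb_put() panics when the buffer has too little tailroom; testing `skb_tailroom(msdu) < IEEE80211_CCMP_MIC_LEN` first and failing the command would turn that into an error return. The MIC length is also fixed at the CCMP value, so frames protected with a cipher that uses a longer MIC would presumably still be sized short; a comment is warranted if that is intentional. The function starts and ends outside the hunk.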
+--
+2.20.1
+
--- /dev/null
+From 46a01228d1eee2bbf9c8a6a4e9ad81eb81a0b84a Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Fri, 24 May 2019 11:16:22 +0800
+Subject: ath10k: fix fw crash by moving chip reset after napi disabled
+
+[ Upstream commit 08d80e4cd27ba19f9bee9e5f788f9a9fc440a22f ]
+
+On SMP platform, when continuously running wifi up/down, the napi
+poll can be scheduled during chip reset, which will call
+ath10k_pci_has_fw_crashed() to check the fw status. But in the reset
+period, the value from FW_INDICATOR_ADDRESS register will return
+0xdeadbeef, which also be treated as fw crash. Fix the issue by
+moving chip reset after napi disabled.
+
+ath10k_pci 0000:01:00.0: firmware crashed! (guid 73b30611-5b1e-4bdd-90b4-64c81eb947b6)
+ath10k_pci 0000:01:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe
+ath10k_pci 0000:01:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal otp max-sta 512 raw 0 hwcrypto 1
+ath10k_pci 0000:01:00.0: failed to get memcpy hi address for firmware address 4: -16
+ath10k_pci 0000:01:00.0: failed to read firmware dump area: -16
+ath10k_pci 0000:01:00.0: Copy Engine register dump:
+ath10k_pci 0000:01:00.0: [00]: 0x0004a000 0 0 0 0
+ath10k_pci 0000:01:00.0: [01]: 0x0004a400 0 0 0 0
+ath10k_pci 0000:01:00.0: [02]: 0x0004a800 0 0 0 0
+ath10k_pci 0000:01:00.0: [03]: 0x0004ac00 0 0 0 0
+ath10k_pci 0000:01:00.0: [04]: 0x0004b000 0 0 0 0
+ath10k_pci 0000:01:00.0: [05]: 0x0004b400 0 0 0 0
+ath10k_pci 0000:01:00.0: [06]: 0x0004b800 0 0 0 0
+ath10k_pci 0000:01:00.0: [07]: 0x0004bc00 1 0 1 0
+ath10k_pci 0000:01:00.0: [08]: 0x0004c000 0 0 0 0
+ath10k_pci 0000:01:00.0: [09]: 0x0004c400 0 0 0 0
+ath10k_pci 0000:01:00.0: [10]: 0x0004c800 0 0 0 0
+ath10k_pci 0000:01:00.0: [11]: 0x0004cc00 0 0 0 0
+
+Tested HW: QCA9984,QCA9887,WCN3990
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index 2c27f407a851..6e5f7ae00253 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -2059,6 +2059,11 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
+
+ ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif stop\n");
+
++ ath10k_pci_irq_disable(ar);
++ ath10k_pci_irq_sync(ar);
++ napi_synchronize(&ar->napi);
++ napi_disable(&ar->napi);
++
+ /* Most likely the device has HTT Rx ring configured. The only way to
+ * prevent the device from accessing (and possible corrupting) host
+ * memory is to reset the chip now.
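Review bot: The ordering constraint this hunk introduces (interrupts and NAPI quiesced before the chip reset) is not recorded in the code, so a later cleanup could move the four calls back below `ath10k_pci_safe_chip_reset(ar)`. A comment above `ath10k_pci_irq_disable(ar)` would keep the reason next to the code, for example `/* Stop IRQs and NAPI before the reset: a poll during reset reads 0xdeadbeef from the FW indicator and is treated as a firmware crash. */`. The existing comment about resetting the chip "now" follows directly and stays accurate.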
+@@ -2072,10 +2077,6 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
+ */
+ ath10k_pci_safe_chip_reset(ar);
+
+- ath10k_pci_irq_disable(ar);
+- ath10k_pci_irq_sync(ar);
+- napi_synchronize(&ar->napi);
+- napi_disable(&ar->napi);
+ ath10k_pci_flush(ar);
+
+ spin_lock_irqsave(&ar_pci->ps_lock, flags);
+--
+2.20.1
+
--- /dev/null
+From 6a38b948dd7b3032c2696ae75eb574744aa46d8b Mon Sep 17 00:00:00 2001
+From: Pradeep kumar Chitrapu <pradeepc@codeaurora.org>
+Date: Tue, 23 Apr 2019 16:43:28 +0300
+Subject: ath10k: fix incorrect multicast/broadcast rate setting
+
+[ Upstream commit 93ee3d108fc77e19efeac3ec5aa7d5886711bfef ]
+
+Invalid rate code is sent to firmware when multicast rate value of 0 is
+sent to driver indicating disabled case, causing broken mesh path.
+so fix that.
+
+Tested on QCA9984 with firmware 10.4-3.6.1-00827
+
+Sven tested on IPQ4019 with 10.4-3.5.3-00057 and QCA9888 with 10.4-3.5.3-00053
+(ath10k-firmware) and 10.4-3.6-00140 (linux-firmware 2018-12-16-211de167).
+
+Fixes: cd93b83ad92 ("ath10k: support for multicast rate control")
+Co-developed-by: Zhi Chen <zhichen@codeaurora.org>
+Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
+Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Tested-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 9c703d287333..e8997e22ceec 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5588,8 +5588,8 @@ static void ath10k_bss_info_changed(struct ieee80211_hw *hw,
+ struct cfg80211_chan_def def;
+ u32 vdev_param, pdev_param, slottime, preamble;
+ u16 bitrate, hw_value;
+- u8 rate, basic_rate_idx;
+- int rateidx, ret = 0, hw_rate_code;
++ u8 rate, basic_rate_idx, rateidx;
++ int ret = 0, hw_rate_code, mcast_rate;
+ enum nl80211_band band;
+ const struct ieee80211_supported_band *sband;
+
+@@ -5776,7 +5776,11 @@ static void ath10k_bss_info_changed(struct ieee80211_hw *hw,
+ if (changed & BSS_CHANGED_MCAST_RATE &&
+ !ath10k_mac_vif_chan(arvif->vif, &def)) {
+ band = def.chan->band;
+- rateidx = vif->bss_conf.mcast_rate[band] - 1;
++ mcast_rate = vif->bss_conf.mcast_rate[band];
++ if (mcast_rate > 0)
++ rateidx = mcast_rate - 1;
++ else
++ rateidx = ffs(vif->bss_conf.basic_rates) - 1;
+
+ if (ar->phy_capability & WHAL_WLAN_11A_CAPABILITY)
+ rateidx += ATH10K_MAC_FIRST_OFDM_RATE_IDX;
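Review bot: When `mcast_rate` is 0 and `vif->bss_conf.basic_rates` is also 0, `ffs()` returns 0 and `rateidx = ffs(vif->bss_conf.basic_rates) - 1` wraps to 255, because the first hunk changes `rateidx` from `int` to `u8`. The value is then offset by `ATH10K_MAC_FIRST_OFDM_RATE_IDX` and, judging by its name, used as a rate-table index below the hunk, so an empty basic-rate set could index out of range. Taking the fallback only when `vif->bss_conf.basic_rates` is non-zero and skipping the multicast-rate update otherwise would close that case. The rest of ath10k_bss_info_changed() is outside the hunk.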
+--
+2.20.1
+
--- /dev/null
+From 31cb010aee480baabe75d4ca2c28cc5416e90a6a Mon Sep 17 00:00:00 2001
+From: Dundi Raviteja <dundi@codeaurora.org>
+Date: Tue, 25 Jun 2019 19:55:48 +0530
+Subject: ath10k: Fix memory leak in qmi
+
+[ Upstream commit c709df58832c5f575f0255bea4b09ad477fc62ea ]
+
+Currently the memory allocated for qmi handle is
+not being freed during de-init which leads to memory leak.
+
+Free the allocated qmi memory in qmi deinit
+to avoid memory leak.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
+
+Fixes: fda6fee0001e ("ath10k: add QMI message handshake for wcn3990 client")
+Signed-off-by: Dundi Raviteja <dundi@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/qmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c
+index a7bc2c70d076..8f8f717a23ee 100644
+--- a/drivers/net/wireless/ath/ath10k/qmi.c
++++ b/drivers/net/wireless/ath/ath10k/qmi.c
+@@ -1002,6 +1002,7 @@ int ath10k_qmi_deinit(struct ath10k *ar)
+ qmi_handle_release(&qmi->qmi_hdl);
+ cancel_work_sync(&qmi->event_work);
+ destroy_workqueue(qmi->event_wq);
++ kfree(qmi);
+ ar_snoc->qmi = NULL;
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 4d4454ff18f61b90ceb50ae22a4c77c5d013dbf4 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Thu, 30 May 2019 09:49:20 +0800
+Subject: ath10k: fix PCIE device wake up failed
+
+[ Upstream commit 011d4111c8c602ea829fa4917af1818eb0500a90 ]
+
+Observed PCIE device wake up failed after ~120 iterations of
+soft-reboot test. The error message is
+"ath10k_pci 0000:01:00.0: failed to wake up device : -110"
+
+The call trace as below:
+ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait ->
+ath10k_pci_is_awake
+
+Once trigger the device to wake up, we will continuously check the RTC
+state until it returns RTC_STATE_V_ON or timeout.
+
+But for QCA99x0 chips, we use the wrong value for RTC_STATE_V_ON.
+Occasionally, we get 0x7 on the first read, which we treated as a failure
+case, but it is actually the right value, as also verified with the spec.
+So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7, passed
+~2000 iterations.
+
+Tested HW: QCA9984
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c
+index ad082b7d7643..b242085c3c16 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.c
++++ b/drivers/net/wireless/ath/ath10k/hw.c
+@@ -158,7 +158,7 @@ const struct ath10k_hw_values qca6174_values = {
+ };
+
+ const struct ath10k_hw_values qca99x0_values = {
+- .rtc_state_val_on = 5,
++ .rtc_state_val_on = 7,
+ .ce_count = 12,
+ .msi_assign_ce_max = 12,
+ .num_target_ce_config_wlan = 10,
+--
+2.20.1
+
--- /dev/null
+From 9a1f607b3039698fb6ed8806a6700b5206e988cb Mon Sep 17 00:00:00 2001
+From: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Date: Tue, 9 Apr 2019 12:13:13 +0530
+Subject: ath10k: Fix the wrong value of enums for wmi tlv stats id
+
+[ Upstream commit 9280f4fc06f44d0b4dc9e831f72d97b3d7cd35d3 ]
+
+The enum value for WMI_TLV_STAT_PDEV, WMI_TLV_STAT_VDEV
+and WMI_TLV_STAT_PEER is wrong, due to which the vdev stats
+are not received from firmware in wmi_update_stats event.
+
+Fix the enum values for above stats to receive all stats
+from firmware in WMI_TLV_UPDATE_STATS_EVENTID.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
+
+Fixes: f40a307eb92c ("ath10k: Fill rx duration for each peer in fw_stats for WCN3990)
+Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
+index e1c40bb69932..12f57f9adbba 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.h
++++ b/drivers/net/wireless/ath/ath10k/wmi.h
+@@ -4535,9 +4535,10 @@ enum wmi_10_4_stats_id {
+ };
+
+ enum wmi_tlv_stats_id {
+- WMI_TLV_STAT_PDEV = BIT(0),
+- WMI_TLV_STAT_VDEV = BIT(1),
+- WMI_TLV_STAT_PEER = BIT(2),
++ WMI_TLV_STAT_PEER = BIT(0),
++ WMI_TLV_STAT_AP = BIT(1),
++ WMI_TLV_STAT_PDEV = BIT(2),
++ WMI_TLV_STAT_VDEV = BIT(3),
+ WMI_TLV_STAT_PEER_EXTD = BIT(10),
+ };
+
+--
+2.20.1
+
--- /dev/null
+From e92aaa7f6495b446ee067c79774dda2fea7a2549 Mon Sep 17 00:00:00 2001
+From: Alagu Sankar <alagusankar@silex-india.com>
+Date: Fri, 19 Apr 2019 10:28:49 +0300
+Subject: ath10k: htt: don't use txdone_fifo with SDIO
+
+[ Upstream commit e2a6b711282a371c5153239e0468a48254f17ca6 ]
+
+HTT High Latency (ATH10K_DEV_TYPE_HL) does not use txdone_fifo at all, we don't
+even initialise it by skipping ath10k_htt_tx_alloc_buf() in
+ath10k_htt_tx_start(). Because of this using QCA6174 SDIO
+ath10k_htt_rx_tx_compl_ind() will crash when it accesses uninitialised
+txdone_fifo. So skip txdone_fifo when using High Latency mode.
+
+Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
+
+Co-developed-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Alagu Sankar <alagusankar@silex-india.com>
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
+index 1acc622d2183..f22840bbc389 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -2277,7 +2277,9 @@ static void ath10k_htt_rx_tx_compl_ind(struct ath10k *ar,
+ * Note that with only one concurrent reader and one concurrent
+ * writer, you don't need extra locking to use these macro.
+ */
+- if (!kfifo_put(&htt->txdone_fifo, tx_done)) {
++ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) {
++ ath10k_txrx_tx_unref(htt, &tx_done);
++ } else if (!kfifo_put(&htt->txdone_fifo, tx_done)) {
+ ath10k_warn(ar, "txdone fifo overrun, msdu_id %d status %d\n",
+ tx_done.msdu_id, tx_done.status);
+ ath10k_txrx_tx_unref(htt, &tx_done);
+--
+2.20.1
+
--- /dev/null
+From 8250147bcae4523e1161f513770ba66c323e6c82 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Apr 2019 11:56:51 +0300
+Subject: ath6kl: add some bounds checking
+
+[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]
+
+The "ev->traffic_class" and "reply->ac" variables come from the network
+and they're used as an offset into the wmi->stream_exist_for_ac[] array.
+Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
+array only has WMM_NUM_AC (4) elements. We need to add a couple bounds
+checks to prevent array overflows.
+
+I also modified one existing check from "if (traffic_class > 3) {" to
+"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
+
+Fixes: bdcd81707973 (" Add ath6kl cleaned up driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index 68854c45d0a4..9ab6aa9ded5c 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -1176,6 +1176,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
+ return -EINVAL;
+
+ ev = (struct wmi_pstream_timeout_event *) datap;
++ if (ev->traffic_class >= WMM_NUM_AC) {
++ ath6kl_err("invalid traffic class: %d\n", ev->traffic_class);
++ return -EINVAL;
++ }
+
+ /*
+ * When the pstream (fat pipe == AC) timesout, it means there were
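Review bot: The added bounds checks here and in the ath6kl_wmi_cac_event_rx hunk log through `ath6kl_err()` on values that the commit message says come from the network. A peer that keeps sending out-of-range values can therefore fill the kernel log unless that helper is rate limited, which is not visible here. A debug-level or rate-limited print would keep the rejection while bounding the log volume. Both functions continue outside their hunks.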
+@@ -1517,6 +1521,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len,
+ return -EINVAL;
+
+ reply = (struct wmi_cac_event *) datap;
++ if (reply->ac >= WMM_NUM_AC) {
++ ath6kl_err("invalid AC: %d\n", reply->ac);
++ return -EINVAL;
++ }
+
+ if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) &&
+ (reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) {
+@@ -2633,7 +2641,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
+ u16 active_tsids = 0;
+ int ret;
+
+- if (traffic_class > 3) {
++ if (traffic_class >= WMM_NUM_AC) {
+ ath6kl_err("invalid traffic class: %d\n", traffic_class);
+ return -EINVAL;
+ }
+--
+2.20.1
+
--- /dev/null
+From e0b0d208dfb9c4a4b0792d019d3e8161e756383d Mon Sep 17 00:00:00 2001
+From: Tim Schumacher <timschumi@gmx.de>
+Date: Mon, 18 Mar 2019 20:05:57 +0100
+Subject: ath9k: Check for errors when reading SREV register
+
+[ Upstream commit 2f90c7e5d09437a4d8d5546feaae9f1cf48cfbe1 ]
+
+Right now, if an error is encountered during the SREV register
+read (i.e. an EIO in ath9k_regread()), that error code gets
+passed all the way to __ath9k_hw_init(), where it is visible
+during the "Chip rev not supported" message.
+
+ ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+ ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath9k_htc: Failed to initialize the device
+
+Check for -EIO explicitly in ath9k_hw_read_revisions() and return
+a boolean based on the success of the operation. Check for that in
+__ath9k_hw_init() and abort with a more debugging-friendly message
+if reading the revisions wasn't successful.
+
+ ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+ ath: phy2: Failed to read SREV register
+ ath: phy2: Could not read hardware revision
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath9k_htc: Failed to initialize the device
+
+This helps when debugging by directly showing the first point of
+failure and it could prevent possible errors if a 0x0f.3 revision
+is ever supported.
+
+Signed-off-by: Tim Schumacher <timschumi@gmx.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 32 +++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index 8581d917635a..b6773d613f0c 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -252,8 +252,9 @@ void ath9k_hw_get_channel_centers(struct ath_hw *ah,
+ /* Chip Revisions */
+ /******************/
+
+-static void ath9k_hw_read_revisions(struct ath_hw *ah)
++static bool ath9k_hw_read_revisions(struct ath_hw *ah)
+ {
++ u32 srev;
+ u32 val;
+
+ if (ah->get_mac_revision)
+@@ -269,25 +270,33 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+ val = REG_READ(ah, AR_SREV);
+ ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+ }
+- return;
++ return true;
+ case AR9300_DEVID_AR9340:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9340;
+- return;
++ return true;
+ case AR9300_DEVID_QCA955X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9550;
+- return;
++ return true;
+ case AR9300_DEVID_AR953X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9531;
+- return;
++ return true;
+ case AR9300_DEVID_QCA956X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9561;
+- return;
++ return true;
+ }
+
+- val = REG_READ(ah, AR_SREV) & AR_SREV_ID;
++ srev = REG_READ(ah, AR_SREV);
++
++ if (srev == -EIO) {
++ ath_err(ath9k_hw_common(ah),
++ "Failed to read SREV register");
++ return false;
++ }
++
++ val = srev & AR_SREV_ID;
+
+ if (val == 0xFF) {
+- val = REG_READ(ah, AR_SREV);
++ val = srev;
+ ah->hw_version.macVersion =
+ (val & AR_SREV_VERSION2) >> AR_SREV_TYPE2_S;
+ ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
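Review bot: `srev == -EIO` compares a `u32` register value with an errno, so the failure is signalled in-band: only -EIO is recognised, and a register that genuinely read back 0xfffffffb could not be told apart from an error. Writing the check as `if (srev == (u32)-EIO)` with a one-line comment that the read helper can hand back an error code (per the commit message, ath9k_regread()) would make the conversion explicit. Both new messages, `"Failed to read SREV register"` here and `"Could not read hardware revisions"` in the __ath9k_hw_init hunk, lack the trailing `\n` that kernel log strings normally carry.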
+@@ -306,6 +315,8 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+ if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCIE)
+ ah->is_pciexpress = true;
+ }
++
++ return true;
+ }
+
+ /************************************/
+@@ -559,7 +570,10 @@ static int __ath9k_hw_init(struct ath_hw *ah)
+ struct ath_common *common = ath9k_hw_common(ah);
+ int r = 0;
+
+- ath9k_hw_read_revisions(ah);
++ if (!ath9k_hw_read_revisions(ah)) {
++ ath_err(common, "Could not read hardware revisions");
++ return -EOPNOTSUPP;
++ }
+
+ switch (ah->hw_version.macVersion) {
+ case AR_SREV_VERSION_5416_PCI:
+--
+2.20.1
+
--- /dev/null
+From ed6e52aab228d66e343fbe167762ef189043014b Mon Sep 17 00:00:00 2001
+From: Zefir Kurtisi <zefir.kurtisi@neratec.com>
+Date: Tue, 11 Jun 2019 15:36:56 +0200
+Subject: ath9k: correctly handle short radar pulses
+
+[ Upstream commit df5c4150501ee7e86383be88f6490d970adcf157 ]
+
+In commit 3c0efb745a17 ("ath9k: discard undersized packets")
+the lower bound of RX packets was set to 10 (min ACK size) to
+filter those that would otherwise be treated as invalid at
+mac80211.
+
+Alas, short radar pulses are reported as PHY_ERROR frames
+with length set to 3. Therefore their detection stopped
+working after that commit.
+
+NOTE: ath9k drivers built thereafter will not pass DFS
+certification.
+
+This extends the criteria for short packets to explicitly
+handle PHY_ERROR frames.
+
+Fixes: 3c0efb745a17 ("ath9k: discard undersized packets")
+Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/recv.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
+index 4e97f7f3b2a3..06e660858766 100644
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -815,6 +815,7 @@ static int ath9k_rx_skb_preprocess(struct ath_softc *sc,
+ struct ath_common *common = ath9k_hw_common(ah);
+ struct ieee80211_hdr *hdr;
+ bool discard_current = sc->rx.discard_next;
++ bool is_phyerr;
+
+ /*
+ * Discard corrupt descriptors which are marked in
+@@ -827,8 +828,11 @@ static int ath9k_rx_skb_preprocess(struct ath_softc *sc,
+
+ /*
+ * Discard zero-length packets and packets smaller than an ACK
++ * which are not PHY_ERROR (short radar pulses have a length of 3)
+ */
+- if (rx_stats->rs_datalen < 10) {
++ is_phyerr = rx_stats->rs_status & ATH9K_RXERR_PHY;
++ if (!rx_stats->rs_datalen ||
++ (rx_stats->rs_datalen < 10 && !is_phyerr)) {
+ RX_STAT_INC(sc, rx_len_err);
+ goto corrupt;
+ }
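Review bot: PHY_ERROR frames of 1 to 9 bytes now pass this length filter, so every consumer further down ath9k_rx_skb_preprocess() (outside the hunk) has to cope with payloads shorter than an ACK; that needs confirming for the code that handles `ATH9K_RXERR_PHY` frames. The bare `10` would also read better as a named constant, so the rule and its comment cannot drift apart. `is_phyerr` is declared in the previous hunk.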
+--
+2.20.1
+
--- /dev/null
+From de9f1d75709e23cf47ccd860a4c44f623f39e40b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
+Date: Thu, 7 Mar 2019 19:39:44 +0100
+Subject: ath9k: Don't trust TX status TID number when reporting airtime
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 389b72e58259336c2d56d58b660b79cf4b9e0dcb ]
+
+As already noted in a comment in ath_tx_complete_aggr(), the hardware will
+occasionally send a TX status with the wrong tid number. If we trust the
+value, airtime usage will be reported to the wrong AC, which can cause the
+deficit on that AC to become very low, blocking subsequent attempts to
+transmit.
+
+To fix this, account airtime usage to the TID number from the original skb,
+instead of the one in the hardware TX status report.
+
+Reported-by: Miguel Catalan Cid <miguel.catalan@i2cat.net>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/xmit.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
+index b17e1ca40995..3be0aeedb9b5 100644
+--- a/drivers/net/wireless/ath/ath9k/xmit.c
++++ b/drivers/net/wireless/ath/ath9k/xmit.c
+@@ -668,7 +668,8 @@ static bool bf_is_ampdu_not_probing(struct ath_buf *bf)
+ static void ath_tx_count_airtime(struct ath_softc *sc,
+ struct ieee80211_sta *sta,
+ struct ath_buf *bf,
+- struct ath_tx_status *ts)
++ struct ath_tx_status *ts,
++ u8 tid)
+ {
+ u32 airtime = 0;
+ int i;
+@@ -679,7 +680,7 @@ static void ath_tx_count_airtime(struct ath_softc *sc,
+ airtime += rate_dur * bf->rates[i].count;
+ }
+
+- ieee80211_sta_register_airtime(sta, ts->tid, airtime, 0);
++ ieee80211_sta_register_airtime(sta, tid, airtime, 0);
+ }
+
+ static void ath_tx_process_buffer(struct ath_softc *sc, struct ath_txq *txq,
+@@ -709,7 +710,7 @@ static void ath_tx_process_buffer(struct ath_softc *sc, struct ath_txq *txq,
+ if (sta) {
+ struct ath_node *an = (struct ath_node *)sta->drv_priv;
+ tid = ath_get_skb_tid(sc, an, bf->bf_mpdu);
+- ath_tx_count_airtime(sc, sta, bf, ts);
++ ath_tx_count_airtime(sc, sta, bf, ts, tid->tidno);
+ if (ts->ts_status & (ATH9K_TXERR_FILT | ATH9K_TXERR_XRETRY))
+ tid->clear_ps_filter = true;
+ }
+--
+2.20.1
+
--- /dev/null
+From e0a78c05faf6311344228e5afe1d55c85f1c9e0d Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 2 Jun 2019 10:57:31 +0200
+Subject: batman-adv: Fix duplicated OGMs on NETDEV_UP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 9e6b5648bbc4cd48fab62cecbb81e9cc3c6e7e88 ]
+
+The state of slave interfaces are handled differently depending on whether
+the interface is up or not. All active interfaces (IFF_UP) will transmit
+OGMs. But for B.A.T.M.A.N. IV, also non-active interfaces are scheduling
+(low TTL) OGMs on active interfaces. The code which setups and schedules
+the OGMs must therefore already be called when the interfaces gets added as
+slave interface and the transmit function must then check whether it has to
+send out the OGM or not on the specific slave interface.
+
+But the commit f0d97253fb5f ("batman-adv: remove ogm_emit and ogm_schedule
+API calls") moved the setup code from the enable function to the activate
+function. The latter is called either when the added slave was already up
+when batadv_hardif_enable_interface processed the new interface or when a
+NETDEV_UP event was received for this slave interfac. As result, each
+NETDEV_UP would schedule a new OGM worker for the interface and thus OGMs
+would be send a lot more than expected.
+
+Fixes: f0d97253fb5f ("batman-adv: remove ogm_emit and ogm_schedule API calls")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Tested-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 4 ++--
+ net/batman-adv/hard-interface.c | 3 +++
+ net/batman-adv/types.h | 3 +++
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index bd4138ddf7e0..240ed70912d6 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -2337,7 +2337,7 @@ batadv_iv_ogm_neigh_is_sob(struct batadv_neigh_node *neigh1,
+ return ret;
+ }
+
+-static void batadv_iv_iface_activate(struct batadv_hard_iface *hard_iface)
++static void batadv_iv_iface_enabled(struct batadv_hard_iface *hard_iface)
+ {
+ /* begin scheduling originator messages on that interface */
+ batadv_iv_ogm_schedule(hard_iface);
+@@ -2683,8 +2683,8 @@ static void batadv_iv_gw_dump(struct sk_buff *msg, struct netlink_callback *cb,
+ static struct batadv_algo_ops batadv_batman_iv __read_mostly = {
+ .name = "BATMAN_IV",
+ .iface = {
+- .activate = batadv_iv_iface_activate,
+ .enable = batadv_iv_ogm_iface_enable,
++ .enabled = batadv_iv_iface_enabled,
+ .disable = batadv_iv_ogm_iface_disable,
+ .update_mac = batadv_iv_ogm_iface_update_mac,
+ .primary_set = batadv_iv_ogm_primary_iface_set,
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index 79d1731b8306..3719cfd026f0 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -795,6 +795,9 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,
+
+ batadv_hardif_recalc_extra_skbroom(soft_iface);
+
++ if (bat_priv->algo_ops->iface.enabled)
++ bat_priv->algo_ops->iface.enabled(hard_iface);
++
+ out:
+ return 0;
+
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index 74b644738a36..e0b25104cbfa 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -2129,6 +2129,9 @@ struct batadv_algo_iface_ops {
+ /** @enable: init routing info when hard-interface is enabled */
+ int (*enable)(struct batadv_hard_iface *hard_iface);
+
++ /** @enabled: notification when hard-interface was enabled (optional) */
++ void (*enabled)(struct batadv_hard_iface *hard_iface);
++
+ /** @disable: de-init routing info when hard-interface is disabled */
+ void (*disable)(struct batadv_hard_iface *hard_iface);
+
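Review bot: The kernel-doc for `@enabled` does not say how it differs from `@activate`, which is the whole reason the callback was added. Per the commit message it runs once when the interface is added as a slave, whereas activation can repeat on every NETDEV_UP. Saying so would keep a future routing algorithm from scheduling periodic work from the wrong hook again. Suggested wording: `/** @enabled: called once after hard-interface was enabled; unlike @activate it is not repeated on NETDEV_UP (optional) */`. The struct definition starts and ends outside the hunk.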
+--
+2.20.1
+
--- /dev/null
+From 105e3bdc8a6ba0df9afae601c35e4a56e9f41075 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Tue, 21 May 2019 20:58:57 +0100
+Subject: batman-adv: fix for leaked TVLV handler.
+
+[ Upstream commit 17f78dd1bd624a4dd78ed5db3284a63ee807fcc3 ]
+
+A handler for BATADV_TVLV_ROAM was being registered when the
+translation-table was initialized, but not unregistered when the
+translation-table was freed. Unregister it.
+
+Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets")
+Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 1ddfd5e011ee..8a482c5ec67b 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -3813,6 +3813,8 @@ static void batadv_tt_purge(struct work_struct *work)
+ */
+ void batadv_tt_free(struct batadv_priv *bat_priv)
+ {
++ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1);
++
+ batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1);
+ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1);
+
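Review bot: The added `batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1)` presumably has to pass the same version as the matching register call to find the handler, and that call is outside this hunk (the commit message places it in translation-table initialisation). The bare `1` now appears three times in `batadv_tt_free()`; a named constant shared by the init and free paths would stop the pairs drifting apart. A handler that stays registered after the table is freed may still be invoked on freed state, so a comment such as `/* must mirror every handler/container registered in the init path */` above these calls is worth adding.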
+--
+2.20.1
+
--- /dev/null
+From 1d1990a4a34c698a583d2e079754525bdce06f47 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:48 +0800
+Subject: bcache: acquire bch_register_lock later in cached_dev_free()
+
+[ Upstream commit 80265d8dfd77792e133793cef44a21323aac2908 ]
+
+When enable lockdep engine, a lockdep warning can be observed when
+reboot or shutdown system,
+
+[ 3142.764557][ T1] bcache: bcache_reboot() Stopping all devices:
+[ 3142.776265][ T2649]
+[ 3142.777159][ T2649] ======================================================
+[ 3142.780039][ T2649] WARNING: possible circular locking dependency detected
+[ 3142.782869][ T2649] 5.2.0-rc4-lp151.20-default+ #1 Tainted: G W
+[ 3142.785684][ T2649] ------------------------------------------------------
+[ 3142.788479][ T2649] kworker/3:67/2649 is trying to acquire lock:
+[ 3142.790738][ T2649] 00000000aaf02291 ((wq_completion)bcache_writeback_wq){+.+.}, at: flush_workqueue+0x87/0x4c0
+[ 3142.794678][ T2649]
+[ 3142.794678][ T2649] but task is already holding lock:
+[ 3142.797402][ T2649] 000000004fcf89c5 (&bch_register_lock){+.+.}, at: cached_dev_free+0x17/0x120 [bcache]
+[ 3142.801462][ T2649]
+[ 3142.801462][ T2649] which lock already depends on the new lock.
+[ 3142.801462][ T2649]
+[ 3142.805277][ T2649]
+[ 3142.805277][ T2649] the existing dependency chain (in reverse order) is:
+[ 3142.808902][ T2649]
+[ 3142.808902][ T2649] -> #2 (&bch_register_lock){+.+.}:
+[ 3142.812396][ T2649] __mutex_lock+0x7a/0x9d0
+[ 3142.814184][ T2649] cached_dev_free+0x17/0x120 [bcache]
+[ 3142.816415][ T2649] process_one_work+0x2a4/0x640
+[ 3142.818413][ T2649] worker_thread+0x39/0x3f0
+[ 3142.820276][ T2649] kthread+0x125/0x140
+[ 3142.822061][ T2649] ret_from_fork+0x3a/0x50
+[ 3142.823965][ T2649]
+[ 3142.823965][ T2649] -> #1 ((work_completion)(&cl->work)#2){+.+.}:
+[ 3142.827244][ T2649] process_one_work+0x277/0x640
+[ 3142.829160][ T2649] worker_thread+0x39/0x3f0
+[ 3142.830958][ T2649] kthread+0x125/0x140
+[ 3142.832674][ T2649] ret_from_fork+0x3a/0x50
+[ 3142.834915][ T2649]
+[ 3142.834915][ T2649] -> #0 ((wq_completion)bcache_writeback_wq){+.+.}:
+[ 3142.838121][ T2649] lock_acquire+0xb4/0x1c0
+[ 3142.840025][ T2649] flush_workqueue+0xae/0x4c0
+[ 3142.842035][ T2649] drain_workqueue+0xa9/0x180
+[ 3142.844042][ T2649] destroy_workqueue+0x17/0x250
+[ 3142.846142][ T2649] cached_dev_free+0x52/0x120 [bcache]
+[ 3142.848530][ T2649] process_one_work+0x2a4/0x640
+[ 3142.850663][ T2649] worker_thread+0x39/0x3f0
+[ 3142.852464][ T2649] kthread+0x125/0x140
+[ 3142.854106][ T2649] ret_from_fork+0x3a/0x50
+[ 3142.855880][ T2649]
+[ 3142.855880][ T2649] other info that might help us debug this:
+[ 3142.855880][ T2649]
+[ 3142.859663][ T2649] Chain exists of:
+[ 3142.859663][ T2649] (wq_completion)bcache_writeback_wq --> (work_completion)(&cl->work)#2 --> &bch_register_lock
+[ 3142.859663][ T2649]
+[ 3142.865424][ T2649] Possible unsafe locking scenario:
+[ 3142.865424][ T2649]
+[ 3142.868022][ T2649] CPU0 CPU1
+[ 3142.869885][ T2649] ---- ----
+[ 3142.871751][ T2649] lock(&bch_register_lock);
+[ 3142.873379][ T2649] lock((work_completion)(&cl->work)#2);
+[ 3142.876399][ T2649] lock(&bch_register_lock);
+[ 3142.879727][ T2649] lock((wq_completion)bcache_writeback_wq);
+[ 3142.882064][ T2649]
+[ 3142.882064][ T2649] *** DEADLOCK ***
+[ 3142.882064][ T2649]
+[ 3142.885060][ T2649] 3 locks held by kworker/3:67/2649:
+[ 3142.887245][ T2649] #0: 00000000e774cdd0 ((wq_completion)events){+.+.}, at: process_one_work+0x21e/0x640
+[ 3142.890815][ T2649] #1: 00000000f7df89da ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
+[ 3142.894884][ T2649] #2: 000000004fcf89c5 (&bch_register_lock){+.+.}, at: cached_dev_free+0x17/0x120 [bcache]
+[ 3142.898797][ T2649]
+[ 3142.898797][ T2649] stack backtrace:
+[ 3142.900961][ T2649] CPU: 3 PID: 2649 Comm: kworker/3:67 Tainted: G W 5.2.0-rc4-lp151.20-default+ #1
+[ 3142.904789][ T2649] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
+[ 3142.909168][ T2649] Workqueue: events cached_dev_free [bcache]
+[ 3142.911422][ T2649] Call Trace:
+[ 3142.912656][ T2649] dump_stack+0x85/0xcb
+[ 3142.914181][ T2649] print_circular_bug+0x19a/0x1f0
+[ 3142.916193][ T2649] __lock_acquire+0x16cd/0x1850
+[ 3142.917936][ T2649] ? __lock_acquire+0x6a8/0x1850
+[ 3142.919704][ T2649] ? lock_acquire+0xb4/0x1c0
+[ 3142.921335][ T2649] ? find_held_lock+0x34/0xa0
+[ 3142.923052][ T2649] lock_acquire+0xb4/0x1c0
+[ 3142.924635][ T2649] ? flush_workqueue+0x87/0x4c0
+[ 3142.926375][ T2649] flush_workqueue+0xae/0x4c0
+[ 3142.928047][ T2649] ? flush_workqueue+0x87/0x4c0
+[ 3142.929824][ T2649] ? drain_workqueue+0xa9/0x180
+[ 3142.931686][ T2649] drain_workqueue+0xa9/0x180
+[ 3142.933534][ T2649] destroy_workqueue+0x17/0x250
+[ 3142.935787][ T2649] cached_dev_free+0x52/0x120 [bcache]
+[ 3142.937795][ T2649] process_one_work+0x2a4/0x640
+[ 3142.939803][ T2649] worker_thread+0x39/0x3f0
+[ 3142.941487][ T2649] ? process_one_work+0x640/0x640
+[ 3142.943389][ T2649] kthread+0x125/0x140
+[ 3142.944894][ T2649] ? kthread_create_worker_on_cpu+0x70/0x70
+[ 3142.947744][ T2649] ret_from_fork+0x3a/0x50
+[ 3142.970358][ T2649] bcache: bcache_device_free() bcache0 stopped
+
+Here is how the deadlock happens.
+1) bcache_reboot() calls bcache_device_stop(), then inside
+ bcache_device_stop() BCACHE_DEV_CLOSING bit is set on d->flags.
+ Then closure_queue(&d->cl) is called to invoke cached_dev_flush().
+2) In cached_dev_flush(), cached_dev_free() is called by continu_at().
+3) In cached_dev_free(), when stopping the writeback kthread of the
+ cached device by kthread_stop(), dc->writeback_thread will be waken
+ up to quite the kthread while-loop, then cached_dev_put() is called
+ in bch_writeback_thread().
+4) Calling cached_dev_put() in writeback kthread may drop dc->count to
+ 0, then dc->detach kworker is scheduled, which is initialized as
+ cached_dev_detach_finish().
+5) Inside cached_dev_detach_finish(), the last line of code is to call
+ closure_put(&dc->disk.cl), which drops the last reference counter of
+ closrure dc->disk.cl, then the callback cached_dev_flush() gets
+ called.
+Now cached_dev_flush() is called for second time in the code path, the
+first time is in step 2). And again bch_register_lock will be acquired
+again, and a A-A lock (lockdep terminology) is happening.
+
+The root cause of the above A-A lock is in cached_dev_free(), mutex
+bch_register_lock is held before stopping writeback kthread and other
+kworkers. Fortunately now we have variable 'bcache_is_reboot', which may
+prevent device registration or unregistration during reboot/shutdown
+time, so it is unncessary to hold bch_register_lock such early now.
+
+This is how this patch fixes the reboot/shutdown time A-A lock issue:
+After moving mutex_lock(&bch_register_lock) to a later location where
+before atomic_read(&dc->running) in cached_dev_free(), such A-A lock
+problem can be solved without any reboot time registration race.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 1b63ac876169..0a25774e175a 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1190,8 +1190,6 @@ static void cached_dev_free(struct closure *cl)
+ {
+ struct cached_dev *dc = container_of(cl, struct cached_dev, disk.cl);
+
+- mutex_lock(&bch_register_lock);
+-
+ if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags))
+ cancel_writeback_rate_update_dwork(dc);
+
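Review bot: With `mutex_lock(&bch_register_lock)` moved below the `kthread_stop(dc->status_update_thread)` call (second hunk), the writeback-rate work cancel, the thread stops and everything between the two hunks now run unlocked on every path into `cached_dev_free()`. The commit message argues safety only from `bcache_is_reboot`, which covers reboot and shutdown. If this closure can also run when a device is stopped or detached at runtime (not visible here), it should be confirmed that nothing else touches these threads and work items under `bch_register_lock`. A comment at the new lock site would record the constraint, e.g. `/* taken late: stopping the kthreads/workqueue while holding bch_register_lock can deadlock */`.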
+@@ -1202,6 +1200,8 @@ static void cached_dev_free(struct closure *cl)
+ if (!IS_ERR_OR_NULL(dc->status_update_thread))
+ kthread_stop(dc->status_update_thread);
+
++ mutex_lock(&bch_register_lock);
++
+ if (atomic_read(&dc->running))
+ bd_unlink_disk_holder(dc->bdev, dc->disk.disk);
+ bcache_device_free(&dc->disk);
+--
+2.20.1
+
--- /dev/null
+From 429a8c758d3b14e8caf04dcc949f0fed955ba401 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:46 +0800
+Subject: bcache: avoid a deadlock in bcache_reboot()
+
+[ Upstream commit a59ff6ccc2bf2e2934b31bbf734f0bc04b5ec78a ]
+
+It is quite frequently to observe deadlock in bcache_reboot() happens
+and hang the system reboot process. The reason is, in bcache_reboot()
+when calling bch_cache_set_stop() and bcache_device_stop() the mutex
+bch_register_lock is held. But in the process to stop cache set and
+bcache device, bch_register_lock will be acquired again. If this mutex
+is held here, deadlock will happen inside the stopping process. The
+aftermath of the deadlock is, whole system reboot gets hung.
+
+The fix is to avoid holding bch_register_lock for the following loops
+in bcache_reboot(),
+ list_for_each_entry_safe(c, tc, &bch_cache_sets, list)
+ bch_cache_set_stop(c);
+
+ list_for_each_entry_safe(dc, tdc, &uncached_devices, list)
+ bcache_device_stop(&dc->disk);
+
+A module range variable 'bcache_is_reboot' is added, it sets to true
+in bcache_reboot(). In register_bcache(), if bcache_is_reboot is checked
+to be true, reject the registration by returning -EBUSY immediately.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 40 ++++++++++++++++++++++++++++++++++++++-
+ drivers/md/bcache/sysfs.c | 26 +++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 4cc8a300a557..dcd8b319a01e 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -40,6 +40,7 @@ static const char invalid_uuid[] = {
+
+ static struct kobject *bcache_kobj;
+ struct mutex bch_register_lock;
++bool bcache_is_reboot;
+ LIST_HEAD(bch_cache_sets);
+ static LIST_HEAD(uncached_devices);
+
+@@ -49,6 +50,7 @@ static wait_queue_head_t unregister_wait;
+ struct workqueue_struct *bcache_wq;
+ struct workqueue_struct *bch_journal_wq;
+
++
+ #define BTREE_MAX_PAGES (256 * 1024 / PAGE_SIZE)
+ /* limitation of partitions number on single bcache device */
+ #define BCACHE_MINORS 128
+@@ -2301,6 +2303,11 @@ static ssize_t register_bcache(struct kobject *k, struct kobj_attribute *attr,
+ if (!try_module_get(THIS_MODULE))
+ return -EBUSY;
+
++ /* For latest state of bcache_is_reboot */
++ smp_mb();
++ if (bcache_is_reboot)
++ return -EBUSY;
++
+ path = kstrndup(buffer, size, GFP_KERNEL);
+ if (!path)
+ goto err;
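Review bot: The new `return -EBUSY` for `bcache_is_reboot` comes after `try_module_get(THIS_MODULE)` has succeeded, so this early exit keeps the module reference that was just taken. The simplest fix is to test the flag before taking the reference, i.e. move `smp_mb(); if (bcache_is_reboot) return -EBUSY;` above the `try_module_get()` check; alternatively call `module_put(THIS_MODULE)` before returning. The `err` label used by the `kstrndup()` failure path is outside this hunk, so whether it is the right place to release the reference could not be confirmed here.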
+@@ -2380,6 +2387,9 @@ static ssize_t register_bcache(struct kobject *k, struct kobj_attribute *attr,
+
+ static int bcache_reboot(struct notifier_block *n, unsigned long code, void *x)
+ {
++ if (bcache_is_reboot)
++ return NOTIFY_DONE;
++
+ if (code == SYS_DOWN ||
+ code == SYS_HALT ||
+ code == SYS_POWER_OFF) {
+@@ -2392,19 +2402,45 @@ static int bcache_reboot(struct notifier_block *n, unsigned long code, void *x)
+
+ mutex_lock(&bch_register_lock);
+
++ if (bcache_is_reboot)
++ goto out;
++
++ /* New registration is rejected since now */
++ bcache_is_reboot = true;
++ /*
++ * Make registering caller (if there is) on other CPU
++ * core know bcache_is_reboot set to true earlier
++ */
++ smp_mb();
++
+ if (list_empty(&bch_cache_sets) &&
+ list_empty(&uncached_devices))
+ goto out;
+
++ mutex_unlock(&bch_register_lock);
++
+ pr_info("Stopping all devices:");
+
++ /*
++ * The reason bch_register_lock is not held to call
++ * bch_cache_set_stop() and bcache_device_stop() is to
++ * avoid potential deadlock during reboot, because cache
++ * set or bcache device stopping process will acqurie
++ * bch_register_lock too.
++ *
++ * We are safe here because bcache_is_reboot sets to
++ * true already, register_bcache() will reject new
++ * registration now. bcache_is_reboot also makes sure
++ * bcache_reboot() won't be re-entered on by other thread,
++ * so there is no race in following list iteration by
++ * list_for_each_entry_safe().
++ */
+ list_for_each_entry_safe(c, tc, &bch_cache_sets, list)
+ bch_cache_set_stop(c);
+
+ list_for_each_entry_safe(dc, tdc, &uncached_devices, list)
+ bcache_device_stop(&dc->disk);
+
+- mutex_unlock(&bch_register_lock);
+
+ /*
+ * Give an early chance for other kthreads and
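Review bot: After the added `mutex_unlock(&bch_register_lock)`, both `list_for_each_entry_safe()` loops walk `bch_cache_sets` and `uncached_devices` with no lock held. The new comment justifies this only by registration being refused and the notifier not being re-entered. `list_for_each_entry_safe()` tolerates the walking thread removing the current entry, not another thread unlinking the prefetched next entry, so any asynchronous teardown that removes a device from these lists during the walk would still race. Whether such a path exists is not visible in this hunk. The comment should name the paths that can unlink entries and say why each is excluded, for instance `* Entries are only unlinked under bch_register_lock by <path>, which cannot run here because <reason>.` with the placeholders filled in. The body of `bcache_reboot()` continues outside the hunk.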
+@@ -2531,6 +2567,8 @@ static int __init bcache_init(void)
+ bch_debug_init();
+ closure_debug_init();
+
++ bcache_is_reboot = false;
++
+ return 0;
+ err:
+ bcache_exit();
+diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
+index bfb437ffb13c..327493f634bb 100644
+--- a/drivers/md/bcache/sysfs.c
++++ b/drivers/md/bcache/sysfs.c
+@@ -16,6 +16,8 @@
+ #include <linux/sort.h>
+ #include <linux/sched/clock.h>
+
++extern bool bcache_is_reboot;
++
+ /* Default is 0 ("writethrough") */
+ static const char * const bch_cache_modes[] = {
+ "writethrough",
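Review bot: `extern bool bcache_is_reboot;` is declared directly in sysfs.c, so the definition added in super.c and this declaration are never checked against each other by the compiler. Putting the declaration in the driver's shared header, next to the other globals super.c exports, would turn a later type change into a compile error rather than a silent mismatch. Kernel style also discourages `extern` declarations in .c files.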
+@@ -271,6 +273,10 @@ STORE(__cached_dev)
+ struct cache_set *c;
+ struct kobj_uevent_env *env;
+
++ /* no user space access if system is rebooting */
++ if (bcache_is_reboot)
++ return -EBUSY;
++
+ #define d_strtoul(var) sysfs_strtoul(var, dc->var)
+ #define d_strtoul_nonzero(var) sysfs_strtoul_clamp(var, dc->var, 1, INT_MAX)
+ #define d_strtoi_h(var) sysfs_hatoi(var, dc->var)
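Review bot: The `if (bcache_is_reboot) return -EBUSY;` guard here and in the five following STORE hunks is a plain read with no barrier, while `register_bcache()` in the same commit pairs its read with `smp_mb()`. Using `READ_ONCE(bcache_is_reboot)` here, with `WRITE_ONCE()` at the setter in `bcache_reboot()`, would mark the lockless access explicitly and keep the readers consistent. The guard is also advisory only: in `STORE(bch_cached_dev)` it is tested before `mutex_lock(&bch_register_lock)`, so a store that passed the test can still be running after the flag flips. A comment such as `/* best effort: a store already past this check may still run during reboot */` would keep readers from treating it as a hard exclusion.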
+@@ -408,6 +414,10 @@ STORE(bch_cached_dev)
+ struct cached_dev *dc = container_of(kobj, struct cached_dev,
+ disk.kobj);
+
++ /* no user space access if system is rebooting */
++ if (bcache_is_reboot)
++ return -EBUSY;
++
+ mutex_lock(&bch_register_lock);
+ size = __cached_dev_store(kobj, attr, buf, size);
+
+@@ -511,6 +521,10 @@ STORE(__bch_flash_dev)
+ kobj);
+ struct uuid_entry *u = &d->c->uuids[d->id];
+
++ /* no user space access if system is rebooting */
++ if (bcache_is_reboot)
++ return -EBUSY;
++
+ sysfs_strtoul(data_csum, d->data_csum);
+
+ if (attr == &sysfs_size) {
+@@ -746,6 +760,10 @@ STORE(__bch_cache_set)
+ struct cache_set *c = container_of(kobj, struct cache_set, kobj);
+ ssize_t v;
+
++ /* no user space access if system is rebooting */
++ if (bcache_is_reboot)
++ return -EBUSY;
++
+ if (attr == &sysfs_unregister)
+ bch_cache_set_unregister(c);
+
+@@ -865,6 +883,10 @@ STORE(bch_cache_set_internal)
+ {
+ struct cache_set *c = container_of(kobj, struct cache_set, internal);
+
++ /* no user space access if system is rebooting */
++ if (bcache_is_reboot)
++ return -EBUSY;
++
+ return bch_cache_set_store(&c->kobj, attr, buf, size);
+ }
+
+@@ -1050,6 +1072,10 @@ STORE(__bch_cache)
+ struct cache *ca = container_of(kobj, struct cache, kobj);
+ ssize_t v;
+
++ /* no user space access if system is rebooting */
++ if (bcache_is_reboot)
++ return -EBUSY;
++
+ if (attr == &sysfs_discard) {
+ bool v = strtoul_or_return(buf);
+
+--
+2.20.1
+
--- /dev/null
+From ece06c4448cc593407ee90efced92d7dd9f4ffde Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:25 +0800
+Subject: bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
+
+[ Upstream commit b387e9b58679c60f5b1e4313939bd4878204fc37 ]
+
+When system memory is in heavy pressure, bch_gc_thread_start() from
+run_cache_set() may fail due to out of memory. In such condition,
+c->gc_thread is assigned to -ENOMEM, not NULL pointer. Then in following
+failure code path bch_cache_set_error(), when cache_set_flush() gets
+called, the code piece to stop c->gc_thread is broken,
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+And KASAN catches such NULL pointer deference problem, with the warning
+information:
+
+[ 561.207881] ==================================================================
+[ 561.207900] BUG: KASAN: null-ptr-deref in kthread_stop+0x3b/0x440
+[ 561.207904] Write of size 4 at addr 000000000000001c by task kworker/15:1/313
+
+[ 561.207913] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G W 5.0.0-vanilla+ #3
+[ 561.207916] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[ 561.207935] Workqueue: events cache_set_flush [bcache]
+[ 561.207940] Call Trace:
+[ 561.207948] dump_stack+0x9a/0xeb
+[ 561.207955] ? kthread_stop+0x3b/0x440
+[ 561.207960] ? kthread_stop+0x3b/0x440
+[ 561.207965] kasan_report+0x176/0x192
+[ 561.207973] ? kthread_stop+0x3b/0x440
+[ 561.207981] kthread_stop+0x3b/0x440
+[ 561.207995] cache_set_flush+0xd4/0x6d0 [bcache]
+[ 561.208008] process_one_work+0x856/0x1620
+[ 561.208015] ? find_held_lock+0x39/0x1d0
+[ 561.208028] ? drain_workqueue+0x380/0x380
+[ 561.208048] worker_thread+0x87/0xb80
+[ 561.208058] ? __kthread_parkme+0xb6/0x180
+[ 561.208067] ? process_one_work+0x1620/0x1620
+[ 561.208072] kthread+0x326/0x3e0
+[ 561.208079] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 561.208090] ret_from_fork+0x3a/0x50
+[ 561.208110] ==================================================================
+[ 561.208113] Disabling lock debugging due to kernel taint
+[ 561.208115] irq event stamp: 11800231
+[ 561.208126] hardirqs last enabled at (11800231): [<ffffffff83008538>] do_syscall_64+0x18/0x410
+[ 561.208127] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+[ 561.208129] #PF error: [WRITE]
+[ 561.312253] hardirqs last disabled at (11800230): [<ffffffff830052ff>] trace_hardirqs_off_thunk+0x1a/0x1c
+[ 561.312259] softirqs last enabled at (11799832): [<ffffffff850005c7>] __do_softirq+0x5c7/0x8c3
+[ 561.405975] PGD 0 P4D 0
+[ 561.442494] softirqs last disabled at (11799821): [<ffffffff831add2c>] irq_exit+0x1ac/0x1e0
+[ 561.791359] Oops: 0002 [#1] SMP KASAN NOPTI
+[ 561.791362] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G B W 5.0.0-vanilla+ #3
+[ 561.791363] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[ 561.791371] Workqueue: events cache_set_flush [bcache]
+[ 561.791374] RIP: 0010:kthread_stop+0x3b/0x440
+[ 561.791376] Code: 00 00 65 8b 05 26 d5 e0 7c 89 c0 48 0f a3 05 ec aa df 02 0f 82 dc 02 00 00 4c 8d 63 20 be 04 00 00 00 4c 89 e7 e8 65 c5 53 00 <f0> ff 43 20 48 8d 7b 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48
+[ 561.791377] RSP: 0018:ffff88872fc8fd10 EFLAGS: 00010286
+[ 561.838895] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838916] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838934] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838948] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838966] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838979] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838996] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 563.067028] RAX: 0000000000000000 RBX: fffffffffffffffc RCX: ffffffff832dd314
+[ 563.067030] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000297
+[ 563.067032] RBP: ffff88872fc8fe88 R08: fffffbfff0b8213d R09: fffffbfff0b8213d
+[ 563.067034] R10: 0000000000000001 R11: fffffbfff0b8213c R12: 000000000000001c
+[ 563.408618] R13: ffff88dc61cc0f68 R14: ffff888102b94900 R15: ffff88dc61cc0f68
+[ 563.408620] FS: 0000000000000000(0000) GS:ffff888f7dc00000(0000) knlGS:0000000000000000
+[ 563.408622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 563.408623] CR2: 000000000000001c CR3: 0000000f48a1a004 CR4: 00000000007606e0
+[ 563.408625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 563.408627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 563.904795] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 563.915796] PKRU: 55555554
+[ 563.915797] Call Trace:
+[ 563.915807] cache_set_flush+0xd4/0x6d0 [bcache]
+[ 563.915812] process_one_work+0x856/0x1620
+[ 564.001226] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.033563] ? find_held_lock+0x39/0x1d0
+[ 564.033567] ? drain_workqueue+0x380/0x380
+[ 564.033574] worker_thread+0x87/0xb80
+[ 564.062823] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.118042] ? __kthread_parkme+0xb6/0x180
+[ 564.118046] ? process_one_work+0x1620/0x1620
+[ 564.118048] kthread+0x326/0x3e0
+[ 564.118050] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 564.167066] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.252441] ret_from_fork+0x3a/0x50
+[ 564.252447] Modules linked in: msr rpcrdma sunrpc rdma_ucm ib_iser ib_umad rdma_cm ib_ipoib i40iw configfs iw_cm ib_cm libiscsi scsi_transport_iscsi mlx4_ib ib_uverbs mlx4_en ib_core nls_iso8859_1 nls_cp437 vfat fat intel_rapl skx_edac x86_pkg_temp_thermal coretemp iTCO_wdt iTCO_vendor_support crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ses raid0 aesni_intel cdc_ether enclosure usbnet ipmi_ssif joydev aes_x86_64 i40e scsi_transport_sas mii bcache md_mod crypto_simd mei_me ioatdma crc64 ptp cryptd pcspkr i2c_i801 mlx4_core glue_helper pps_core mei lpc_ich dca wmi ipmi_si ipmi_devintf nd_pmem dax_pmem nd_btt ipmi_msghandler device_dax pcc_cpufreq button hid_generic usbhid mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect xhci_pci sysimgblt fb_sys_fops xhci_hcd ttm megaraid_sas drm usbcore nfit libnvdimm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs
+[ 564.299390] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.348360] CR2: 000000000000001c
+[ 564.348362] ---[ end trace b7f0e5cc7b2103b0 ]---
+
+Therefore, it is not enough to only check whether c->gc_thread is NULL,
+we should use IS_ERR_OR_NULL() to check both NULL pointer and error
+value.
+
+This patch changes the above buggy code piece in this way,
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 0a25774e175a..4cc8a300a557 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1564,7 +1564,7 @@ static void cache_set_flush(struct closure *cl)
+ kobject_put(&c->internal);
+ kobject_del(&c->kobj);
+
+- if (c->gc_thread)
++ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+ if (!IS_ERR_OR_NULL(c->root))
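Review bot: The guard now skips `kthread_stop()` for an error pointer, but `c->gc_thread` keeps holding that `ERR_PTR` value after a failed start. Every other reader of the field then has to remember the same `IS_ERR_OR_NULL()` test. Clearing the field at the failure site would make plain NULL checks safe again: save `PTR_ERR(c->gc_thread)` in a local, set `c->gc_thread = NULL`, then return the error. Per the commit message that site is `bch_gc_thread_start()`, which is outside this hunk, as are the start and end of `cache_set_flush()`.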
+--
+2.20.1
+
--- /dev/null
+From 78def94dc89f41307be63f13c67a7f3c347d5291 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:36 +0800
+Subject: bcache: check CACHE_SET_IO_DISABLE bit in bch_journal()
+
+[ Upstream commit 383ff2183ad16a8842d1fbd9dd3e1cbd66813e64 ]
+
+When too many I/O errors happen on cache set and CACHE_SET_IO_DISABLE
+bit is set, bch_journal() may continue to work because the journaling
+bkey might be still in write set yet. The caller of bch_journal() may
+believe the journal still work but the truth is in-memory journal write
+set won't be written into cache device any more. This behavior may
+introduce potential inconsistent metadata status.
+
+This patch checks CACHE_SET_IO_DISABLE bit at the head of bch_journal(),
+if the bit is set, bch_journal() returns NULL immediately to notice
+caller to know journal does not work.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index 4e5fc05720fc..54f8886b6177 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -811,6 +811,10 @@ atomic_t *bch_journal(struct cache_set *c,
+ struct journal_write *w;
+ atomic_t *ret;
+
++ /* No journaling if CACHE_SET_IO_DISABLE set already */
++ if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &c->flags)))
++ return NULL;
++
+ if (!CACHE_SYNC(&c->sb))
+ return NULL;
+
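Review bot: Returning NULL for `CACHE_SET_IO_DISABLE` makes this case indistinguishable from the existing `!CACHE_SYNC(&c->sb)` return just below, which also yields NULL. A caller that reads NULL as "nothing to wait on" would carry on as if the keys had been handled, the opposite of what the commit message intends. The callers are outside this hunk, so this needs checking there. At minimum the new comment should state the contract, e.g. `/* NULL here means the keys were NOT journaled; callers must test CACHE_SET_IO_DISABLE themselves */`.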
+--
+2.20.1
+
--- /dev/null
+From 51f39a6a0a8dfa2ccc56b6c46dcf5f672f936380 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:35 +0800
+Subject: bcache: check CACHE_SET_IO_DISABLE in allocator code
+
+[ Upstream commit e775339e1ae1205b47d94881db124c11385e597c ]
+
+If CACHE_SET_IO_DISABLE of a cache set flag is set by too many I/O
+errors, currently allocator routines can still continue allocate
+space which may introduce inconsistent metadata state.
+
+This patch checkes CACHE_SET_IO_DISABLE bit in following allocator
+routines,
+- bch_bucket_alloc()
+- __bch_bucket_alloc_set()
+Once CACHE_SET_IO_DISABLE is set on cache set, the allocator routines
+may reject allocation request earlier to avoid potential inconsistent
+metadata.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/alloc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
+index f8986effcb50..6f776823b9ba 100644
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -393,6 +393,11 @@ long bch_bucket_alloc(struct cache *ca, unsigned int reserve, bool wait)
+ struct bucket *b;
+ long r;
+
++
++ /* No allocation if CACHE_SET_IO_DISABLE bit is set */
++ if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &ca->set->flags)))
++ return -1;
++
+ /* fastpath */
+ if (fifo_pop(&ca->free[RESERVE_NONE], r) ||
+ fifo_pop(&ca->free[reserve], r))
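Review bot: `bch_bucket_alloc()` can now return -1 even when `wait` is true, a case where, judging by the parameter name, callers may have relied on the call blocking until a bucket was available. Any caller that asserts on the result or uses it unchecked needs a failure path now; those callers are outside this hunk and should be audited. The new comment could carry the contract change, e.g. `/* No allocation if CACHE_SET_IO_DISABLE bit is set; may fail even with wait == true */`. The doubled blank line before it can be dropped.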
+@@ -484,6 +489,10 @@ int __bch_bucket_alloc_set(struct cache_set *c, unsigned int reserve,
+ {
+ int i;
+
++ /* No allocation if CACHE_SET_IO_DISABLE bit is set */
++ if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &c->flags)))
++ return -1;
++
+ lockdep_assert_held(&c->bucket_lock);
+ BUG_ON(!n || n > c->caches_loaded || n > MAX_CACHES_PER_SET);
+
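Review bot: The early return sits ahead of `lockdep_assert_held(&c->bucket_lock)` and the `BUG_ON()` argument check, so on a cache set with I/O disabled a caller that forgot the lock or passed a bad `n` is no longer reported. Moving `if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &c->flags))) return -1;` below those two lines keeps the debugging checks active on every path. The function body continues outside the hunk.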
+--
+2.20.1
+
--- /dev/null
+From 9fea9dfb974d9cc2fe705820ac4d6e8ab1da7b8b Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:49 +0800
+Subject: bcache: fix potential deadlock in cached_def_free()
+
+[ Upstream commit 7e865eba00a3df2dc8c4746173a8ca1c1c7f042e ]
+
+When enable lockdep and reboot system with a writeback mode bcache
+device, the following potential deadlock warning is reported by lockdep
+engine.
+
+[ 101.536569][ T401] kworker/2:2/401 is trying to acquire lock:
+[ 101.538575][ T401] 00000000bbf6e6c7 ((wq_completion)bcache_writeback_wq){+.+.}, at: flush_workqueue+0x87/0x4c0
+[ 101.542054][ T401]
+[ 101.542054][ T401] but task is already holding lock:
+[ 101.544587][ T401] 00000000f5f305b3 ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
+[ 101.548386][ T401]
+[ 101.548386][ T401] which lock already depends on the new lock.
+[ 101.548386][ T401]
+[ 101.551874][ T401]
+[ 101.551874][ T401] the existing dependency chain (in reverse order) is:
+[ 101.555000][ T401]
+[ 101.555000][ T401] -> #1 ((work_completion)(&cl->work)#2){+.+.}:
+[ 101.557860][ T401] process_one_work+0x277/0x640
+[ 101.559661][ T401] worker_thread+0x39/0x3f0
+[ 101.561340][ T401] kthread+0x125/0x140
+[ 101.562963][ T401] ret_from_fork+0x3a/0x50
+[ 101.564718][ T401]
+[ 101.564718][ T401] -> #0 ((wq_completion)bcache_writeback_wq){+.+.}:
+[ 101.567701][ T401] lock_acquire+0xb4/0x1c0
+[ 101.569651][ T401] flush_workqueue+0xae/0x4c0
+[ 101.571494][ T401] drain_workqueue+0xa9/0x180
+[ 101.573234][ T401] destroy_workqueue+0x17/0x250
+[ 101.575109][ T401] cached_dev_free+0x44/0x120 [bcache]
+[ 101.577304][ T401] process_one_work+0x2a4/0x640
+[ 101.579357][ T401] worker_thread+0x39/0x3f0
+[ 101.581055][ T401] kthread+0x125/0x140
+[ 101.582709][ T401] ret_from_fork+0x3a/0x50
+[ 101.584592][ T401]
+[ 101.584592][ T401] other info that might help us debug this:
+[ 101.584592][ T401]
+[ 101.588355][ T401] Possible unsafe locking scenario:
+[ 101.588355][ T401]
+[ 101.590974][ T401] CPU0 CPU1
+[ 101.592889][ T401] ---- ----
+[ 101.594743][ T401] lock((work_completion)(&cl->work)#2);
+[ 101.596785][ T401] lock((wq_completion)bcache_writeback_wq);
+[ 101.600072][ T401] lock((work_completion)(&cl->work)#2);
+[ 101.602971][ T401] lock((wq_completion)bcache_writeback_wq);
+[ 101.605255][ T401]
+[ 101.605255][ T401] *** DEADLOCK ***
+[ 101.605255][ T401]
+[ 101.608310][ T401] 2 locks held by kworker/2:2/401:
+[ 101.610208][ T401] #0: 00000000cf2c7d17 ((wq_completion)events){+.+.}, at: process_one_work+0x21e/0x640
+[ 101.613709][ T401] #1: 00000000f5f305b3 ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
+[ 101.617480][ T401]
+[ 101.617480][ T401] stack backtrace:
+[ 101.619539][ T401] CPU: 2 PID: 401 Comm: kworker/2:2 Tainted: G W 5.2.0-rc4-lp151.20-default+ #1
+[ 101.623225][ T401] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
+[ 101.627210][ T401] Workqueue: events cached_dev_free [bcache]
+[ 101.629239][ T401] Call Trace:
+[ 101.630360][ T401] dump_stack+0x85/0xcb
+[ 101.631777][ T401] print_circular_bug+0x19a/0x1f0
+[ 101.633485][ T401] __lock_acquire+0x16cd/0x1850
+[ 101.635184][ T401] ? __lock_acquire+0x6a8/0x1850
+[ 101.636863][ T401] ? lock_acquire+0xb4/0x1c0
+[ 101.638421][ T401] ? find_held_lock+0x34/0xa0
+[ 101.640015][ T401] lock_acquire+0xb4/0x1c0
+[ 101.641513][ T401] ? flush_workqueue+0x87/0x4c0
+[ 101.643248][ T401] flush_workqueue+0xae/0x4c0
+[ 101.644832][ T401] ? flush_workqueue+0x87/0x4c0
+[ 101.646476][ T401] ? drain_workqueue+0xa9/0x180
+[ 101.648303][ T401] drain_workqueue+0xa9/0x180
+[ 101.649867][ T401] destroy_workqueue+0x17/0x250
+[ 101.651503][ T401] cached_dev_free+0x44/0x120 [bcache]
+[ 101.653328][ T401] process_one_work+0x2a4/0x640
+[ 101.655029][ T401] worker_thread+0x39/0x3f0
+[ 101.656693][ T401] ? process_one_work+0x640/0x640
+[ 101.658501][ T401] kthread+0x125/0x140
+[ 101.660012][ T401] ? kthread_create_worker_on_cpu+0x70/0x70
+[ 101.661985][ T401] ret_from_fork+0x3a/0x50
+[ 101.691318][ T401] bcache: bcache_device_free() bcache0 stopped
+
+Here is how the above potential deadlock may happen in reboot/shutdown
+code path,
+1) bcache_reboot() is called firstly in the reboot/shutdown code path,
+ then in bcache_reboot(), bcache_device_stop() is called.
+2) bcache_device_stop() sets BCACHE_DEV_CLOSING on d->flags, then calls
+ closure_queue(&d->cl) to invoke cached_dev_flush(). And in turn
+ cached_dev_flush() calls cached_dev_free() via closure_at()
+3) In cached_dev_free(), after stopping the writeback kthread
+ dc->writeback_thread, the kwork dc->writeback_write_wq is stopped by
+ destroy_workqueue().
+4) Inside destroy_workqueue(), drain_workqueue() is called. Inside
+ drain_workqueue(), flush_workqueue() is called. Then wq->lockdep_map
+ is acquired by lock_map_acquire() in flush_workqueue(). After the
+ lock acquired the rest part of flush_workqueue() just wait for the
+ workqueue to complete.
+5) Now we look back at writeback thread routine bch_writeback_thread(),
+ in the main while-loop, write_dirty() is called via continue_at() in
+ read_dirty_submit(), which is called via continue_at() in while-loop
+ level called function read_dirty(). Inside write_dirty() it may be
+ re-called on workqueeu dc->writeback_write_wq via continue_at().
+ It means when the writeback kthread is stopped in cached_dev_free()
+ there might be still one kworker queued on dc->writeback_write_wq
+ to execute write_dirty() again.
+6) Now this kworker is scheduled on dc->writeback_write_wq to run by
+ process_one_work() (which is called by worker_thread()). Before
+ calling the kwork routine, wq->lockdep_map is acquired.
+7) But wq->lockdep_map is acquired already in step 4), so a A-A lock
+ (lockdep terminology) scenario happens.
+
+Indeed on multiple cores syatem, the above deadlock is very rare to
+happen, just as the code comments in process_one_work() says,
+2263 * AFAICT there is no possible deadlock scenario between the
+2264 * flush_work() and complete() primitives (except for
+ single-threaded
+2265 * workqueues), so hiding them isn't a problem.
+
+But it is still good to fix such lockdep warning, even no one running
+bcache on single core system.
+
+The fix is simple. This patch solves the above potential deadlock by,
+- Do not destroy workqueue dc->writeback_write_wq in cached_dev_free().
+- Flush and destroy dc->writeback_write_wq in writebach kthread routine
+ bch_writeback_thread(), where after quit the thread main while-loop
+ and before cached_dev_put() is called.
+
+By this fix, dc->writeback_write_wq will be stopped and destroy before
+the writeback kthread stopped, so the chance for a A-A locking on
+wq->lockdep_map is disappeared, such A-A deadlock won't happen
+any more.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 2 --
+ drivers/md/bcache/writeback.c | 4 ++++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index dcd8b319a01e..4ccc5e5fe3a1 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1197,8 +1197,6 @@ static void cached_dev_free(struct closure *cl)
+
+ if (!IS_ERR_OR_NULL(dc->writeback_thread))
+ kthread_stop(dc->writeback_thread);
+- if (dc->writeback_write_wq)
+- destroy_workqueue(dc->writeback_write_wq);
+ if (!IS_ERR_OR_NULL(dc->status_update_thread))
+ kthread_stop(dc->status_update_thread);
+
+diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
+index 73f0efac2b9f..df0f4e5a051a 100644
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -735,6 +735,10 @@ static int bch_writeback_thread(void *arg)
+ }
+ }
+
++ if (dc->writeback_write_wq) {
++ flush_workqueue(dc->writeback_write_wq);
++ destroy_workqueue(dc->writeback_write_wq);
++ }
+ cached_dev_put(dc);
+ wait_for_kthread_stop();
+
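Review bot: After `destroy_workqueue(dc->writeback_write_wq)` the pointer still refers to the destroyed workqueue, and nothing in this hunk stops later code from testing it as non-NULL; adding `dc->writeback_write_wq = NULL;` inside the `if` avoids a dangling reference. Because cached_dev_free() no longer destroys the workqueue, it is presumably leaked when the writeback thread never reaches this point (for instance if it is stopped before it first runs), which is worth confirming against the thread-creation path. The explicit `flush_workqueue()` looks redundant, since the trace in the commit message shows destroy_workqueue() draining the queue itself. bch_writeback_thread() starts outside the hunk.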
+--
+2.20.1
+
--- /dev/null
+From 249fb06a76797cf7bd09c9b6a3171e57c0acdbbd Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:26 +0800
+Subject: bcache: fix return value error in bch_journal_read()
+
+[ Upstream commit 0ae49cb7aa005ed18fe8f4d6ccf73019b78ac7b2 ]
+
+When everything is OK in bch_journal_read(), finally the return value
+is returned by,
+ return ret;
+which assumes ret will be 0 here. This assumption is wrong when all
+journal buckets as are full and filled with valid journal entries. In
+such cache the last location referencess read_bucket() sets 'ret' to
+1, which means new jset added into jset list. The jset list is list
+'journal' in caller run_cache_set().
+
+Return 1 to run_cache_set() means something wrong and the cache set
+won't start, but indeed everything is OK.
+
+This patch changes the line at the end of bch_journal_read() to directly
+return 0, since everything is good at that point. Then a bogus error
+is fixed.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index 12dae9348147..4e5fc05720fc 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -268,7 +268,7 @@ int bch_journal_read(struct cache_set *c, struct list_head *list)
+ struct journal_replay,
+ list)->j.seq;
+
+- return ret;
++ return 0;
+ #undef read_bucket
+ }
+
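Review bot: The unconditional `return 0` at the end of bch_journal_read() needs a comment saying why `ret` is not returned, since the reason is only in the commit message: `/* read_bucket() leaves ret == 1 after adding a jset; that is not an error */`. Error returns from read_bucket() are presumably handled earlier in the function, which lies outside this hunk. That should be confirmed so the constant does not mask a failure.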
+--
+2.20.1
+
--- /dev/null
+From 3fafc76400b412521d8a1d9a7ae5ff9dff565f37 Mon Sep 17 00:00:00 2001
+From: Dennis Zhou <dennis@kernel.org>
+Date: Fri, 5 Jul 2019 17:09:09 -0400
+Subject: blk-iolatency: fix STS_AGAIN handling
+
+[ Upstream commit c9b3007feca018d3f7061f5d5a14cb00766ffe9b ]
+
+The iolatency controller is based on rq_qos. It increments on
+rq_qos_throttle() and decrements on either rq_qos_cleanup() or
+rq_qos_done_bio(). a3fb01ba5af0 fixes the double accounting issue where
+blk_mq_make_request() may call both rq_qos_cleanup() and
+rq_qos_done_bio() on REQ_NO_WAIT. So checking STS_AGAIN prevents the
+double decrement.
+
+The above works upstream as the only way we can get STS_AGAIN is from
+blk_mq_get_request() failing. The STS_AGAIN handling isn't a real
+problem as bio_endio() skipping only happens on reserved tag allocation
+failures which can only be caused by driver bugs and already triggers
+WARN.
+
+However, the fix creates a not so great dependency on how STS_AGAIN can
+be propagated. Internally, we (Facebook) carry a patch that kills read
+ahead if a cgroup is io congested or a fatal signal is pending. This,
+combined with chained bios propagating their bi_status to the parent if it
+is not already set, can cause the parent bio to not clean up properly
+even though it was successful. This consequently leaks the inflight
+counter and can hang all IOs under that blkg.
+
+To nip the adverse interaction early, this removes the rq_qos_cleanup()
+callback in iolatency in favor of cleaning up always on the
+rq_qos_done_bio() path.
+
+Fixes: a3fb01ba5af0 ("blk-iolatency: only account submitted bios")
+Debugged-by: Tejun Heo <tj@kernel.org>
+Debugged-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Dennis Zhou <dennis@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iolatency.c | 51 ++++++++++++-------------------------------
+ 1 file changed, 14 insertions(+), 37 deletions(-)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index c91b84bb9d0a..a1eb5e9ac904 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -600,10 +600,6 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, struct bio *bio)
+ if (!blkg || !bio_flagged(bio, BIO_TRACKED))
+ return;
+
+- /* We didn't actually submit this bio, don't account it. */
+- if (bio->bi_status == BLK_STS_AGAIN)
+- return;
+-
+ iolat = blkg_to_lat(bio->bi_blkg);
+ if (!iolat)
+ return;
+@@ -622,40 +618,22 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, struct bio *bio)
+
+ inflight = atomic_dec_return(&rqw->inflight);
+ WARN_ON_ONCE(inflight < 0);
+- if (iolat->min_lat_nsec == 0)
+- goto next;
+- iolatency_record_time(iolat, &bio->bi_issue, now,
+- issue_as_root);
+- window_start = atomic64_read(&iolat->window_start);
+- if (now > window_start &&
+- (now - window_start) >= iolat->cur_win_nsec) {
+- if (atomic64_cmpxchg(&iolat->window_start,
+- window_start, now) == window_start)
+- iolatency_check_latencies(iolat, now);
++ /*
++ * If bi_status is BLK_STS_AGAIN, the bio wasn't actually
++ * submitted, so do not account for it.
++ */
++ if (iolat->min_lat_nsec && bio->bi_status != BLK_STS_AGAIN) {
++ iolatency_record_time(iolat, &bio->bi_issue, now,
++ issue_as_root);
++ window_start = atomic64_read(&iolat->window_start);
++ if (now > window_start &&
++ (now - window_start) >= iolat->cur_win_nsec) {
++ if (atomic64_cmpxchg(&iolat->window_start,
++ window_start, now) == window_start)
++ iolatency_check_latencies(iolat, now);
++ }
+ }
+-next:
+- wake_up(&rqw->wait);
+- blkg = blkg->parent;
+- }
+-}
+-
+-static void blkcg_iolatency_cleanup(struct rq_qos *rqos, struct bio *bio)
+-{
+- struct blkcg_gq *blkg;
+-
+- blkg = bio->bi_blkg;
+- while (blkg && blkg->parent) {
+- struct rq_wait *rqw;
+- struct iolatency_grp *iolat;
+-
+- iolat = blkg_to_lat(blkg);
+- if (!iolat)
+- goto next;
+-
+- rqw = &iolat->rq_wait;
+- atomic_dec(&rqw->inflight);
+ wake_up(&rqw->wait);
+-next:
+ blkg = blkg->parent;
+ }
+ }
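Review bot: The new comment in blkcg_iolatency_done_bio() says a bio with BLK_STS_AGAIN "wasn't actually submitted", but the commit message describes chained bios passing that status to a parent that was submitted, so the comment overstates the case. A wording such as `/* BLK_STS_AGAIN normally means the bio was never submitted; skip latency stats but still drop inflight */` matches what the code now does. With the cleanup callback removed, the inflight counter stays balanced only if every throttled bio reaches this function, and `WARN_ON_ONCE(inflight < 0)` is the only check on that. The loop starts outside the hunk.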
+@@ -671,7 +649,6 @@ static void blkcg_iolatency_exit(struct rq_qos *rqos)
+
+ static struct rq_qos_ops blkcg_iolatency_ops = {
+ .throttle = blkcg_iolatency_throttle,
+- .cleanup = blkcg_iolatency_cleanup,
+ .done_bio = blkcg_iolatency_done_bio,
+ .exit = blkcg_iolatency_exit,
+ };
+--
+2.20.1
+
--- /dev/null
+From 9667c839f8a5d04077cc358e27a66576c6dd4c19 Mon Sep 17 00:00:00 2001
+From: Dennis Zhou <dennis@kernel.org>
+Date: Thu, 23 May 2019 16:10:18 -0400
+Subject: blk-iolatency: only account submitted bios
+
+[ Upstream commit a3fb01ba5af066521f3f3421839e501bb2c71805 ]
+
+As is, iolatency recognizes done_bio and cleanup as ending paths. If a
+request is marked REQ_NOWAIT and fails to get a request, the bio is
+cleaned up via rq_qos_cleanup() and ended in bio_wouldblock_error().
+This results in underflowing the inflight counter. Fix this by only
+accounting bios that were actually submitted.
+
+Signed-off-by: Dennis Zhou <dennis@kernel.org>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iolatency.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index d22e61bced86..c91b84bb9d0a 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -600,6 +600,10 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, struct bio *bio)
+ if (!blkg || !bio_flagged(bio, BIO_TRACKED))
+ return;
+
++ /* We didn't actually submit this bio, don't account it. */
++ if (bio->bi_status == BLK_STS_AGAIN)
++ return;
++
+ iolat = blkg_to_lat(bio->bi_blkg);
+ if (!iolat)
+ return;
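Review bot: The added early return in blkcg_iolatency_done_bio() keys only on `bio->bi_status == BLK_STS_AGAIN`, so a bio that was throttled and later acquires that status some other way would skip the inflight decrement further down and leave the counter elevated, which can stall I/O for the group. The check is safer placed around the latency accounting only, after the decrement. The "blk-iolatency: fix STS_AGAIN handling" patch on this page moves it there, so the two should be applied together. The rest of the function is outside this hunk.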
+--
+2.20.1
+
--- /dev/null
+From 0d87122f0b52890f117f22d2204ecc921cf29148 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 13 Jun 2019 15:30:41 -0700
+Subject: blkcg, writeback: dead memcgs shouldn't contribute to writeback
+ ownership arbitration
+
+[ Upstream commit 6631142229005e1b1c311a09efe9fb3cfdac8559 ]
+
+wbc_account_io() collects information on cgroup ownership of writeback
+pages to determine which cgroup should own the inode. Pages can stay
+associated with dead memcgs but we want to avoid attributing IOs to
+dead blkcgs as much as possible as the association is likely to be
+stale. However, currently, pages associated with dead memcgs
+contribute to the accounting delaying and/or confusing the
+arbitration.
+
+Fix it by ignoring pages associated with dead memcgs.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index e41cbe8e81b9..9ebfb1b28430 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -715,6 +715,7 @@ void wbc_detach_inode(struct writeback_control *wbc)
+ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+ size_t bytes)
+ {
++ struct cgroup_subsys_state *css;
+ int id;
+
+ /*
+@@ -726,7 +727,12 @@ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+ if (!wbc->wb)
+ return;
+
+- id = mem_cgroup_css_from_page(page)->id;
++ css = mem_cgroup_css_from_page(page);
++ /* dead cgroups shouldn't contribute to inode ownership arbitration */
++ if (!(css->flags & CSS_ONLINE))
++ return;
++
++ id = css->id;
+
+ if (id == wbc->wb_id) {
+ wbc->wb_bytes += bytes;
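Review bot: The `css->flags & CSS_ONLINE` test in wbc_account_io() is an unlocked snapshot, so a memcg can go offline just after the check and its page is still counted. That is presumably acceptable for a heuristic, but the comment should say so, e.g. `/* best-effort: dead cgroups shouldn't contribute to inode ownership arbitration */`. The code also still assumes mem_cgroup_css_from_page() never returns NULL, as the removed line did; a short remark on that guarantee would help readers. The function continues outside the hunk.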
+--
+2.20.1
+
--- /dev/null
+From 8024c0ff19d479a93e5d6c69b180660e8a5b3d35 Mon Sep 17 00:00:00 2001
+From: Paolo Valente <paolo.valente@linaro.org>
+Date: Tue, 25 Jun 2019 07:12:44 +0200
+Subject: block, bfq: fix rq_in_driver check in bfq_update_inject_limit
+
+[ Upstream commit db599f9ed9bd31b018b6c48ad7c6b21d5b790ecf ]
+
+One of the cases where the parameters for injection may be updated is
+when there are no more in-flight I/O requests. The number of in-flight
+requests is stored in the field bfqd->rq_in_driver of the descriptor
+bfqd of the device. So, the controlled condition is
+bfqd->rq_in_driver == 0.
+
+Unfortunately, this is wrong because, the instruction that checks this
+condition is in the code path that handles the completion of a
+request, and, in particular, the instruction is executed before
+bfqd->rq_in_driver is decremented in such a code path.
+
+This commit fixes this issue by just replacing 0 with 1 in the
+comparison.
+
+Reported-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
+Tested-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
+Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index e5db3856b194..404e776aa36d 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5398,8 +5398,14 @@ static void bfq_update_inject_limit(struct bfq_data *bfqd,
+ * total service time, and there seem to be the right
+ * conditions to do it, or we can lower the last base value
+ * computed.
++ *
++ * NOTE: (bfqd->rq_in_driver == 1) means that there is no I/O
++ * request in flight, because this function is in the code
++ * path that handles the completion of a request of bfqq, and,
++ * in particular, this function is executed before
++ * bfqd->rq_in_driver is decremented in such a code path.
+ */
+- if ((bfqq->last_serv_time_ns == 0 && bfqd->rq_in_driver == 0) ||
++ if ((bfqq->last_serv_time_ns == 0 && bfqd->rq_in_driver == 1) ||
+ tot_time_ns < bfqq->last_serv_time_ns) {
+ bfqq->last_serv_time_ns = tot_time_ns;
+ /*
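Review bot: The NOTE added above the condition in bfq_update_inject_limit() says `rq_in_driver == 1` means "no I/O request in flight", which is more precise as "no other request in flight besides the one completing". The comparison depends on the caller decrementing `bfqd->rq_in_driver` only after this function returns. A matching remark at the decrement site (outside this hunk) would keep a later reorder from silently breaking the test.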
+--
+2.20.1
+
--- /dev/null
+From ae6bf0d35455b1005b01de5a20681ddcffc8ff21 Mon Sep 17 00:00:00 2001
+From: Bob Liu <bob.liu@oracle.com>
+Date: Sat, 15 Jun 2019 01:43:48 -0600
+Subject: block: null_blk: fix race condition for null_del_dev
+
+[ Upstream commit 7602843fd873cae43a444b83b14dfdd114a9659c ]
+
+Duplicate calls of null_del_dev() will trigger a null pointer error like the one below.
+The reason is a race condition between nullb_device_power_store() and
+nullb_group_drop_item().
+
+ CPU#0 CPU#1
+ ---------------- -----------------
+ do_rmdir()
+ >configfs_rmdir()
+ >client_drop_item()
+ >nullb_group_drop_item()
+ nullb_device_power_store()
+ >null_del_dev()
+
+ >test_and_clear_bit(NULLB_DEV_FL_UP
+ >null_del_dev()
+ ^^^^^
+ Duplicated null_dev_dev() triger null pointer error
+
+ >clear_bit(NULLB_DEV_FL_UP
+
+The fix could be keep the sequnce of clear NULLB_DEV_FL_UP and null_del_dev().
+
+[ 698.613600] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+[ 698.613608] #PF error: [normal kernel read fault]
+[ 698.613611] PGD 0 P4D 0
+[ 698.613619] Oops: 0000 [#1] SMP PTI
+[ 698.613627] CPU: 3 PID: 6382 Comm: rmdir Not tainted 5.0.0+ #35
+[ 698.613631] Hardware name: LENOVO 20LJS2EV08/20LJS2EV08, BIOS R0SET33W (1.17 ) 07/18/2018
+[ 698.613644] RIP: 0010:null_del_dev+0xc/0x110 [null_blk]
+[ 698.613649] Code: 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b eb 97 e8 47 bb 2a e8 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 53 <8b> 77 18 48 89 fb 4c 8b 27 48 c7 c7 40 57 1e c1 e8 bf c7 cb e8 48
+[ 698.613654] RSP: 0018:ffffb887888bfde0 EFLAGS: 00010286
+[ 698.613659] RAX: 0000000000000000 RBX: ffff9d436d92bc00 RCX: ffff9d43a9184681
+[ 698.613663] RDX: ffffffffc11e5c30 RSI: 0000000068be6540 RDI: 0000000000000000
+[ 698.613667] RBP: ffffb887888bfdf0 R08: 0000000000000001 R09: 0000000000000000
+[ 698.613671] R10: ffffb887888bfdd8 R11: 0000000000000f16 R12: ffff9d436d92bc08
+[ 698.613675] R13: ffff9d436d94e630 R14: ffffffffc11e5088 R15: ffffffffc11e5000
+[ 698.613680] FS: 00007faa68be6540(0000) GS:ffff9d43d14c0000(0000) knlGS:0000000000000000
+[ 698.613685] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 698.613689] CR2: 0000000000000018 CR3: 000000042f70c002 CR4: 00000000003606e0
+[ 698.613693] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 698.613697] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 698.613700] Call Trace:
+[ 698.613712] nullb_group_drop_item+0x50/0x70 [null_blk]
+[ 698.613722] client_drop_item+0x29/0x40
+[ 698.613728] configfs_rmdir+0x1ed/0x300
+[ 698.613738] vfs_rmdir+0xb2/0x130
+[ 698.613743] do_rmdir+0x1c7/0x1e0
+[ 698.613750] __x64_sys_rmdir+0x17/0x20
+[ 698.613759] do_syscall_64+0x5a/0x110
+[ 698.613768] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Bob Liu <bob.liu@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk_main.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c
+index 447d635c79a2..2a4f8bc4f930 100644
+--- a/drivers/block/null_blk_main.c
++++ b/drivers/block/null_blk_main.c
+@@ -327,11 +327,12 @@ static ssize_t nullb_device_power_store(struct config_item *item,
+ set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+ dev->power = newp;
+ } else if (dev->power && !newp) {
+- mutex_lock(&lock);
+- dev->power = newp;
+- null_del_dev(dev->nullb);
+- mutex_unlock(&lock);
+- clear_bit(NULLB_DEV_FL_UP, &dev->flags);
++ if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) {
++ mutex_lock(&lock);
++ dev->power = newp;
++ null_del_dev(dev->nullb);
++ mutex_unlock(&lock);
++ }
+ clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+ }
+
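Review bot: In nullb_device_power_store() the assignment `dev->power = newp;` now sits inside the `test_and_clear_bit()` branch, so when the other path wins the race `dev->power` keeps its old non-zero value although the device is being torn down. Whether that stale value can be observed depends on code outside the hunk, but moving the assignment out of the `if` (still under `lock` if the field needs it) keeps the flag and the field consistent. NULLB_DEV_FL_UP is also cleared before `lock` is taken, which deserves a short comment explaining that the bit, not the mutex, decides which caller runs null_del_dev().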
+--
+2.20.1
+
--- /dev/null
+From 8793fc1799b944fb1f9d89de1724ccf45ca0ded4 Mon Sep 17 00:00:00 2001
+From: Josua Mayer <josua.mayer@jm0.eu>
+Date: Sat, 6 Jul 2019 17:54:46 +0200
+Subject: Bluetooth: 6lowpan: search for destination address in all peers
+
+[ Upstream commit b188b03270b7f8568fc714101ce82fbf5e811c5a ]
+
+Handle overlooked case where the target address is assigned to a peer
+and neither route nor gateway exist.
+
+For one peer, no checks are performed to see if it is meant to receive
+packets for a given address.
+
+As soon as there is a second peer however, checks are performed
+to deal with routes and gateways for handling complex setups with
+multiple hops to a target address.
+This logic assumed that no route and no gateway imply that the
+destination address can not be reached, which is false in case of a
+direct peer.
+
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Tested-by: Michael Scott <mike@foundries.io>
+Signed-off-by: Josua Mayer <josua.mayer@jm0.eu>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 1555b0c6f7ec..9001bf331d56 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -180,10 +180,16 @@ static inline struct lowpan_peer *peer_lookup_dst(struct lowpan_btle_dev *dev,
+ }
+
+ if (!rt) {
+- nexthop = &lowpan_cb(skb)->gw;
+-
+- if (ipv6_addr_any(nexthop))
+- return NULL;
++ if (ipv6_addr_any(&lowpan_cb(skb)->gw)) {
++ /* There is neither route nor gateway,
++ * probably the destination is a direct peer.
++ */
++ nexthop = daddr;
++ } else {
++ /* There is a known gateway
++ */
++ nexthop = &lowpan_cb(skb)->gw;
++ }
+ } else {
+ nexthop = rt6_nexthop(rt, daddr);
+
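Review bot: The no-route branch of peer_lookup_dst() evaluates `lowpan_cb(skb)->gw` twice and spreads a two-way choice over ten lines; `nexthop = &lowpan_cb(skb)->gw;` followed by `if (ipv6_addr_any(nexthop)) nexthop = daddr;` does the same with one comment. Since an unmatched destination no longer returns NULL here, rejection now rests entirely on the peer comparison after this hunk. It is worth confirming that the lookup returns NULL when no peer owns `daddr`. The function starts and ends outside the hunk.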
+--
+2.20.1
+
--- /dev/null
+From c5426903768fc12e04502fb5eda6798024a0ae60 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= <jprvita@gmail.com>
+Date: Thu, 23 May 2019 13:32:01 -0700
+Subject: Bluetooth: Add new 13d3:3491 QCA_ROME device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 44d34af2e4cfd0c5357182f8b43f3e0a1fe30a2e ]
+
+Without the QCA ROME setup routine this adapter fails to establish a SCO
+connection.
+
+T: Bus=01 Lev=01 Prnt=01 Port=08 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3491 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 50aed5259c2b..21fa5c889857 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -264,6 +264,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x04ca, 0x3015), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x04ca, 0x3016), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x04ca, 0x301a), .driver_info = BTUSB_QCA_ROME },
++ { USB_DEVICE(0x13d3, 0x3491), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x13d3, 0x3496), .driver_info = BTUSB_QCA_ROME },
+
+ /* Broadcom BCM2035 */
+--
+2.20.1
+
--- /dev/null
+From 660b2c088ca85de59ad3facbf9433e3bd41c87c9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= <jprvita@gmail.com>
+Date: Thu, 23 May 2019 13:32:02 -0700
+Subject: Bluetooth: Add new 13d3:3501 QCA_ROME device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 881cec4f6b4da78e54b73c046a60f39315964c7d ]
+
+Without the QCA ROME setup routine this adapter fails to establish a SCO
+connection.
+
+T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3501 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 21fa5c889857..6d61f5aafc78 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -266,6 +266,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x04ca, 0x301a), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x13d3, 0x3491), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x13d3, 0x3496), .driver_info = BTUSB_QCA_ROME },
++ { USB_DEVICE(0x13d3, 0x3501), .driver_info = BTUSB_QCA_ROME },
+
+ /* Broadcom BCM2035 */
+ { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
+--
+2.20.1
+
--- /dev/null
+From 090ca79e77936742be4f0f439a3ff4773dae56d4 Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Tue, 21 May 2019 13:07:22 +0300
+Subject: Bluetooth: Check state in l2cap_disconnect_rsp
+
+[ Upstream commit 28261da8a26f4915aa257d12d506c6ba179d961f ]
+
+Because of both sides doing L2CAP disconnection at the same time, it
+was possible to receive L2CAP Disconnection Response with CID that was
+already freed. That caused problems if CID was already reused and L2CAP
+Connection Request with same CID was sent out. Before this patch kernel
+deleted channel context regardless of the state of the channel.
+
+Example where leftover Disconnection Response (frame #402) causes local
+device to delete L2CAP channel which was not yet connected. This in
+turn confuses remote device's stack because same CID is re-used without
+properly disconnecting.
+
+Btmon capture before patch:
+** snip **
+> ACL Data RX: Handle 43 flags 0x02 dlen 8 #394 [hci1] 10.748949
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+ RFCOMM: Disconnect (DISC) (0x43)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x53 poll/final 1
+ Length: 0
+ FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8 #395 [hci1] 10.749062
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+ RFCOMM: Unnumbered Ack (UA) (0x63)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x73 poll/final 1
+ Length: 0
+ FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #396 [hci1] 10.749073
+ L2CAP: Disconnection Request (0x06) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Packets (0x13) plen 5 #397 [hci1] 10.752391
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Packets (0x13) plen 5 #398 [hci1] 10.753394
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #399 [hci1] 10.756499
+ L2CAP: Disconnection Request (0x06) ident 26 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #400 [hci1] 10.756548
+ L2CAP: Disconnection Response (0x07) ident 26 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #401 [hci1] 10.757459
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 1 (0x0001)
+ Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #402 [hci1] 10.759148
+ L2CAP: Disconnection Response (0x07) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+= bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o.. 10.759447
+> HCI Event: Number of Completed Packets (0x13) plen 5 #403 [hci1] 10.759386
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #404 [hci1] 10.760397
+ L2CAP: Connection Request (0x02) ident 27 len 4
+ PSM: 3 (0x0003)
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16 #405 [hci1] 10.760441
+ L2CAP: Connection Response (0x03) ident 27 len 8
+ Destination CID: 65
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27 #406 [hci1] 10.760449
+ L2CAP: Configure Request (0x04) ident 19 len 19
+ Destination CID: 65
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 1013
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Basic (0x00)
+ TX window size: 0
+ Max transmit: 0
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 0
+> HCI Event: Number of Completed Packets (0x13) plen 5 #407 [hci1] 10.761399
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 16 #408 [hci1] 10.762942
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+*snip*
+
+Similar case after the patch:
+*snip*
+> ACL Data RX: Handle 43 flags 0x02 dlen 8 #22702 [hci0] 1664.411056
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+ RFCOMM: Disconnect (DISC) (0x43)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x53 poll/final 1
+ Length: 0
+ FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8 #22703 [hci0] 1664.411136
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+ RFCOMM: Unnumbered Ack (UA) (0x63)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x73 poll/final 1
+ Length: 0
+ FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22704 [hci0] 1664.411143
+ L2CAP: Disconnection Request (0x06) ident 11 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22705 [hci0] 1664.414009
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22706 [hci0] 1664.415007
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22707 [hci0] 1664.418674
+ L2CAP: Disconnection Request (0x06) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22708 [hci0] 1664.418762
+ L2CAP: Disconnection Response (0x07) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22709 [hci0] 1664.421073
+ L2CAP: Connection Request (0x02) ident 12 len 4
+ PSM: 1 (0x0001)
+ Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22710 [hci0] 1664.421371
+ L2CAP: Disconnection Response (0x07) ident 11 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22711 [hci0] 1664.424082
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22712 [hci0] 1664.425040
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22713 [hci0] 1664.426103
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 3 (0x0003)
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16 #22714 [hci0] 1664.426186
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27 #22715 [hci0] 1664.426196
+ L2CAP: Configure Request (0x04) ident 13 len 19
+ Destination CID: 65
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 1013
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Basic (0x00)
+ TX window size: 0
+ Max transmit: 0
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 0
+> ACL Data RX: Handle 43 flags 0x02 dlen 16 #22716 [hci0] 1664.428804
+ L2CAP: Connection Response (0x03) ident 12 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+*snip*
+
+Fix is to check that channel is in state BT_DISCONN before deleting the
+channel.
+
+This bug was found while fuzzing Bluez's OBEX implementation using
+Synopsys Defensics.
+
+Reported-by: Matti Kamunen <matti.kamunen@synopsys.com>
+Reported-by: Ari Timonen <ari.timonen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 5406d7cd46ad..771e3e17bb6a 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4394,6 +4394,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+
+ l2cap_chan_lock(chan);
+
++ if (chan->state != BT_DISCONN) {
++ l2cap_chan_unlock(chan);
++ mutex_unlock(&conn->chan_lock);
++ return 0;
++ }
++
+ l2cap_chan_hold(chan);
+ l2cap_chan_del(chan, 0);
+
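Review bot: The new early return in l2cap_disconnect_rsp() carries no comment explaining why a response is ignored unless the channel is in BT_DISCONN; that reasoning exists only in the commit message. A short comment above the check would protect it from later cleanup, for example `/* Only delete a channel we are actually disconnecting; ignore a Disconnection Response received in any other state. */`. The exit path also repeats both unlock calls inline. The function starts and ends outside the hunk, so if its other exits release the same locks, a shared label would keep the release order in one place.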
+--
+2.20.1
+
--- /dev/null
+From d738ac52849200abdb98471fb68da5de946e7ef8 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Tue, 28 May 2019 15:42:58 +0200
+Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb
+
+[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ]
+
+Syzkaller found that it is possible to provoke a memory leak by
+never freeing rx_skb in struct bcsp_struct.
+
+Fix by freeing in bcsp_close()
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_bcsp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
+index 82b13faa9422..fe2e307009f4 100644
+--- a/drivers/bluetooth/hci_bcsp.c
++++ b/drivers/bluetooth/hci_bcsp.c
+@@ -744,6 +744,11 @@ static int bcsp_close(struct hci_uart *hu)
+ skb_queue_purge(&bcsp->rel);
+ skb_queue_purge(&bcsp->unrel);
+
++ if (bcsp->rx_skb) {
++ kfree_skb(bcsp->rx_skb);
++ bcsp->rx_skb = NULL;
++ }
++
+ kfree(bcsp);
+ return 0;
+ }
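Review bot: The NULL test around kfree_skb() in the added block is not needed, since kfree_skb() accepts a NULL pointer, and clearing bcsp->rx_skb has no effect when kfree(bcsp) follows immediately. The block can be reduced to `kfree_skb(bcsp->rx_skb);`. The start of bcsp_close() is outside the hunk, so it cannot be confirmed here that everything able to touch rx_skb (a timer or the receive path) has been stopped before this point; that is worth checking.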
+--
+2.20.1
+
--- /dev/null
+From a3612c21b6a5d8adc3b7667ef58f6171497a2b82 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 16 May 2019 21:24:00 +0300
+Subject: Bluetooth: hidp: NUL terminate a string in the compat ioctl
+
+[ Upstream commit dcae9052ebb0c5b2614de620323d615fcbfda7f8 ]
+
+This change is similar to commit a1616a5ac99e ("Bluetooth: hidp: fix
+buffer overflow") but for the compat ioctl. We take a string from the
+user and forgot to ensure that it's NUL terminated.
+
+I have also changed the strncpy() in to strscpy() in hidp_setup_hid().
+The difference is the strncpy() doesn't necessarily NUL terminate the
+destination string. Either change would fix the problem but it's nice
+to take a belt and suspenders approach and do both.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 2 +-
+ net/bluetooth/hidp/sock.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index a442e21f3894..5abd423b55fa 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -775,7 +775,7 @@ static int hidp_setup_hid(struct hidp_session *session,
+ hid->version = req->version;
+ hid->country = req->country;
+
+- strncpy(hid->name, req->name, sizeof(hid->name));
++ strscpy(hid->name, req->name, sizeof(hid->name));
+
+ snprintf(hid->phys, sizeof(hid->phys), "%pMR",
+ &l2cap_pi(session->ctrl_sock->sk)->chan->src);
+diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
+index 2151913892ce..03be6a4baef3 100644
+--- a/net/bluetooth/hidp/sock.c
++++ b/net/bluetooth/hidp/sock.c
+@@ -192,6 +192,7 @@ static int hidp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigne
+ ca.version = ca32.version;
+ ca.flags = ca32.flags;
+ ca.idle_to = ca32.idle_to;
++ ca32.name[sizeof(ca32.name) - 1] = '\0';
+ memcpy(ca.name, ca32.name, 128);
+
+ csock = sockfd_lookup(ca.ctrl_sock, &err);
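Review bot: The added line bounds the string with sizeof(ca32.name), while the copy on the next line still uses the literal 128, so the two lengths agree only by convention. Using the destination size for the copy and terminating the destination afterwards, `memcpy(ca.name, ca32.name, sizeof(ca.name));` then `ca.name[sizeof(ca.name) - 1] = '\0';`, puts the guarantee on the buffer that is passed on. The array declarations are outside the hunk, so confirm both arrays have the same size before changing the length.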
+--
+2.20.1
+
--- /dev/null
+From c68ee091d283bc6a0578797623f9042bdf960cb5 Mon Sep 17 00:00:00 2001
+From: csonsino <csonsino@gmail.com>
+Date: Wed, 12 Jun 2019 15:00:52 -0600
+Subject: Bluetooth: validate BLE connection interval updates
+
+[ Upstream commit c49a8682fc5d298d44e8d911f4fa14690ea9485e ]
+
+Problem: The Linux Bluetooth stack yields complete control over the BLE
+connection interval to the remote device.
+
+The Linux Bluetooth stack provides access to the BLE connection interval
+min and max values through /sys/kernel/debug/bluetooth/hci0/
+conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval.
+These values are used for initial BLE connections, but the remote device
+has the ability to request a connection parameter update. In the event
+that the remote side requests to change the connection interval, the Linux
+kernel currently only validates that the desired value is within the
+acceptable range in the Bluetooth specification (6 - 3200, corresponding to
+7.5ms - 4000ms). There is currently no validation that the desired value
+requested by the remote device is within the min/max limits specified in
+the conn_min_interval/conn_max_interval configurations. This essentially
+leads to Linux yielding complete control over the connection interval to
+the remote device.
+
+The proposed patch adds a verification step to the connection parameter
+update mechanism, ensuring that the desired value is within the min/max
+bounds of the current connection. If the desired value is outside of the
+current connection min/max values, then the connection parameter update
+request is rejected and the negative response is returned to the remote
+device. Recall that the initial connection is established using the local
+conn_min_interval/conn_max_interval values, so this allows the Linux
+administrator to retain control over the BLE connection interval.
+
+The one downside that I see is that the current default Linux values for
+conn_min_interval and conn_max_interval typically correspond to 30ms and
+50ms respectively. If this change were accepted, then it is feasible that
+some devices would no longer be able to negotiate to their desired
+connection interval values. This might be remedied by setting the default
+Linux conn_min_interval and conn_max_interval values to the widest
+supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same
+behavior as the current implementation, where the remote device could
+request to change the connection interval value to any value that is
+permitted by the Bluetooth specification, and Linux would accept the
+desired value.
+
+Signed-off-by: Carey Sonsino <csonsino@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 5 +++++
+ net/bluetooth/l2cap_core.c | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 9e4fcf406d9c..17c50a98e7f7 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5588,6 +5588,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
+ return send_conn_param_neg_reply(hdev, handle,
+ HCI_ERROR_UNKNOWN_CONN_ID);
+
++ if (min < hcon->le_conn_min_interval ||
++ max > hcon->le_conn_max_interval)
++ return send_conn_param_neg_reply(hdev, handle,
++ HCI_ERROR_INVALID_LL_PARAMS);
++
+ if (hci_check_conn_params(min, max, latency, timeout))
+ return send_conn_param_neg_reply(hdev, handle,
+ HCI_ERROR_INVALID_LL_PARAMS);
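Review bot: The interval bounds test added here is written out a second time in l2cap_conn_param_update_req() in net/bluetooth/l2cap_core.c, so the two request paths can drift apart. A small shared helper taking the hci_conn and the requested min and max would keep one definition of the policy. The check also depends on hcon->le_conn_min_interval and hcon->le_conn_max_interval being populated for every LE connection, including ones the remote side initiated; that is not visible in either hunk and should be confirmed, since unset values would reject every update. In the L2CAP path the rejection is reported only through BT_DBG, which makes refused updates hard to see in normal logs.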
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 771e3e17bb6a..32d2be9d6858 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5297,7 +5297,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
+
+ memset(&rsp, 0, sizeof(rsp));
+
+- err = hci_check_conn_params(min, max, latency, to_multiplier);
++ if (min < hcon->le_conn_min_interval ||
++ max > hcon->le_conn_max_interval) {
++ BT_DBG("requested connection interval exceeds current bounds.");
++ err = -EINVAL;
++ } else {
++ err = hci_check_conn_params(min, max, latency, to_multiplier);
++ }
++
+ if (err)
+ rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
+ else
+--
+2.20.1
+
--- /dev/null
+From 830e8b088d98fb4ba87ddc3153839df08a2f340e Mon Sep 17 00:00:00 2001
+From: "Guilherme G. Piccoli" <gpiccoli@canonical.com>
+Date: Thu, 27 Jun 2019 13:31:33 -0300
+Subject: bnx2x: Prevent ptp_task to be rescheduled indefinitely
+
+[ Upstream commit 3c91f25c2f72ba6001775a5932857c1d2131c531 ]
+
+Currently bnx2x ptp worker tries to read a register with timestamp
+information in case of TX packet timestamping and in case it fails,
+the routine reschedules itself indefinitely. This was reported as a
+kworker always at 100% of CPU usage, which was narrowed down to be
+bnx2x ptp_task.
+
+By following the ioctl handler, we could narrow down the problem to
+an NTP tool (chrony) requesting HW timestamping from bnx2x NIC with
+RX filter zeroed; this isn't reproducible for example with ptp4l
+(from linuxptp) since this tool requests a supported RX filter.
+It seems NIC FW timestamp mechanism cannot work well with
+RX_FILTER_NONE - driver's PTP filter init routine skips a register
+write to the adapter if there's not a supported filter request.
+
+This patch addresses the problem of bnx2x ptp thread's everlasting
+reschedule by retrying the register read 10 times; between the read
+attempts the thread sleeps for an increasing amount of time starting
+in 1ms to give FW some time to perform the timestamping. If it still
+fails after all retries, we bail out in order to prevent an unbound
+resource consumption from bnx2x.
+
+The patch also adds an ethtool statistic for accounting the skipped
+TX timestamp packets and it reduces the priority of timestamping
+error messages to prevent log flooding. The code was tested using
+both linuxptp and chrony.
+
+Reported-and-tested-by: Przemyslaw Hausman <przemyslaw.hausman@canonical.com>
+Suggested-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@canonical.com>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 5 ++-
+ .../ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 4 ++-
+ .../net/ethernet/broadcom/bnx2x/bnx2x_main.c | 33 ++++++++++++++-----
+ .../net/ethernet/broadcom/bnx2x/bnx2x_stats.h | 3 ++
+ 4 files changed, 34 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index 008ad0ca89ba..c12c1bab0fe4 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -3857,9 +3857,12 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP)) {
+ if (!(bp->flags & TX_TIMESTAMPING_EN)) {
++ bp->eth_stats.ptp_skip_tx_ts++;
+ BNX2X_ERR("Tx timestamping was not enabled, this packet will not be timestamped\n");
+ } else if (bp->ptp_tx_skb) {
+- BNX2X_ERR("The device supports only a single outstanding packet to timestamp, this packet will not be timestamped\n");
++ bp->eth_stats.ptp_skip_tx_ts++;
++ netdev_err_once(bp->dev,
++ "Device supports only a single outstanding packet to timestamp, this packet won't be timestamped\n");
+ } else {
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+ /* schedule check for Tx timestamp */
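Review bot: The first branch in this hunk still calls BNX2X_ERR for every packet sent while Tx timestamping is disabled, so only one of the two skip paths gets the once-only message. Using the same form there, `netdev_err_once(bp->dev, "Tx timestamping was not enabled, this packet will not be timestamped\n");`, would bound log output on both paths. bp->eth_stats.ptp_skip_tx_ts is also incremented here without visible locking and again in bnx2x_ptp_task(). If the transmit path and the worker can run concurrently the counter may lose updates, which is tolerable for a statistic but deserves a comment.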
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+index 51fc845de31a..4a0ba6801c9e 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -182,7 +182,9 @@ static const struct {
+ { STATS_OFFSET32(driver_filtered_tx_pkt),
+ 4, false, "driver_filtered_tx_pkt" },
+ { STATS_OFFSET32(eee_tx_lpi),
+- 4, true, "Tx LPI entry count"}
++ 4, true, "Tx LPI entry count"},
++ { STATS_OFFSET32(ptp_skip_tx_ts),
++ 4, false, "ptp_skipped_tx_tstamp" },
+ };
+
+ #define BNX2X_NUM_STATS ARRAY_SIZE(bnx2x_stats_arr)
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index 03ac10b1cd1e..2cc14db8f0ec 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -15214,11 +15214,24 @@ static void bnx2x_ptp_task(struct work_struct *work)
+ u32 val_seq;
+ u64 timestamp, ns;
+ struct skb_shared_hwtstamps shhwtstamps;
++ bool bail = true;
++ int i;
++
++ /* FW may take a while to complete timestamping; try a bit and if it's
++ * still not complete, may indicate an error state - bail out then.
++ */
++ for (i = 0; i < 10; i++) {
++ /* Read Tx timestamp registers */
++ val_seq = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_SEQID :
++ NIG_REG_P0_TLLH_PTP_BUF_SEQID);
++ if (val_seq & 0x10000) {
++ bail = false;
++ break;
++ }
++ msleep(1 << i);
++ }
+
+- /* Read Tx timestamp registers */
+- val_seq = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_SEQID :
+- NIG_REG_P0_TLLH_PTP_BUF_SEQID);
+- if (val_seq & 0x10000) {
++ if (!bail) {
+ /* There is a valid timestamp value */
+ timestamp = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_TS_MSB :
+ NIG_REG_P0_TLLH_PTP_BUF_TS_MSB);
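Review bot: The retry loop sleeps after the tenth failed read as well, so the bail-out path waits a further 512 ms before giving up and the whole sequence can occupy the work item for about a second. Skipping the sleep on the final pass, e.g. `if (i < 9) msleep(1 << i);`, removes the wasted wait. The retry count 10 and the valid bit 0x10000 are bare literals; named constants would make the bound easier to audit. bnx2x_ptp_task() starts before this hunk and continues in the next one.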
+@@ -15233,16 +15246,18 @@ static void bnx2x_ptp_task(struct work_struct *work)
+ memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+ shhwtstamps.hwtstamp = ns_to_ktime(ns);
+ skb_tstamp_tx(bp->ptp_tx_skb, &shhwtstamps);
+- dev_kfree_skb_any(bp->ptp_tx_skb);
+- bp->ptp_tx_skb = NULL;
+
+ DP(BNX2X_MSG_PTP, "Tx timestamp, timestamp cycles = %llu, ns = %llu\n",
+ timestamp, ns);
+ } else {
+- DP(BNX2X_MSG_PTP, "There is no valid Tx timestamp yet\n");
+- /* Reschedule to keep checking for a valid timestamp value */
+- schedule_work(&bp->ptp_task);
++ DP(BNX2X_MSG_PTP,
++ "Tx timestamp is not recorded (register read=%u)\n",
++ val_seq);
++ bp->eth_stats.ptp_skip_tx_ts++;
+ }
++
++ dev_kfree_skb_any(bp->ptp_tx_skb);
++ bp->ptp_tx_skb = NULL;
+ }
+
+ void bnx2x_set_rx_ts(struct bnx2x *bp, struct sk_buff *skb)
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h
+index b2644ed13d06..d55e63692cf3 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h
+@@ -207,6 +207,9 @@ struct bnx2x_eth_stats {
+ u32 driver_filtered_tx_pkt;
+ /* src: Clear-on-Read register; Will not survive PMF Migration */
+ u32 eee_tx_lpi;
++
++ /* PTP */
++ u32 ptp_skip_tx_ts;
+ };
+
+ struct bnx2x_eth_q_stats {
+--
+2.20.1
+
--- /dev/null
+From 3cda269c70417b3c89f944aeea6f89547ca84b58 Mon Sep 17 00:00:00 2001
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sat, 29 Jun 2019 11:16:47 -0400
+Subject: bnxt_en: Cap the returned MSIX vectors to the RDMA driver.
+
+[ Upstream commit 1dbc59fa4bbaa108b641cd65a54f662b75e4ed36 ]
+
+In an earlier commit to improve NQ reservations on 57500 chips, we
+set the resv_irqs on the 57500 VFs to the fixed value assigned by
+the PF regardless of how many are actually used. The current
+code assumes that resv_irqs minus the ones used by the network driver
+must be the ones for the RDMA driver. This is no longer true and
+we may return more MSIX vectors than requested, causing inconsistency.
+Fix it by capping the value.
+
+Fixes: 01989c6b69d9 ("bnxt_en: Improve NQ reservations.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+index bfa342a98d08..fc77caf0a076 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -157,8 +157,10 @@ static int bnxt_req_msix_vecs(struct bnxt_en_dev *edev, int ulp_id,
+
+ if (BNXT_NEW_RM(bp)) {
+ struct bnxt_hw_resc *hw_resc = &bp->hw_resc;
++ int resv_msix;
+
+- avail_msix = hw_resc->resv_irqs - bp->cp_nr_rings;
++ resv_msix = hw_resc->resv_irqs - bp->cp_nr_rings;
++ avail_msix = min_t(int, resv_msix, avail_msix);
+ edev->ulp_tbl[ulp_id].msix_requested = avail_msix;
+ }
+ bnxt_fill_msix_vecs(bp, ent);
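Review bot: resv_msix is the result of a subtraction and is passed straight to min_t(int, ...), so a negative value would be stored in msix_requested unchanged. Whether hw_resc->resv_irqs can ever be smaller than bp->cp_nr_rings is not visible in this hunk. If it can, clamping at zero, `avail_msix = max_t(int, 0, min_t(int, resv_msix, avail_msix));`, would keep the count sane. bnxt_req_msix_vecs() starts and ends outside the hunk.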
+--
+2.20.1
+
--- /dev/null
+From 5e27ffc0ae8ab7c35812d02e48c2d3eef917757b Mon Sep 17 00:00:00 2001
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sat, 29 Jun 2019 11:16:44 -0400
+Subject: bnxt_en: Disable bus master during PCI shutdown and driver unload.
+
+[ Upstream commit c20dc142dd7b2884b8570eeab323bcd4a84294fa ]
+
+Some chips with older firmware can continue to perform DMA read from
+context memory even after the memory has been freed. In the PCI shutdown
+method, we need to call pci_disable_device() to shutdown DMA to prevent
+this DMA before we put the device into D3hot. DMA memory request in
+D3hot state will generate PCI fatal error. Similarly, in the driver
+remove method, the context memory should only be freed after DMA has
+been shutdown for correctness.
+
+Fixes: 98f04cf0f1fc ("bnxt_en: Check context memory requirements from firmware.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index f758b2e0591f..b9bc829aa9da 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10262,10 +10262,10 @@ static void bnxt_remove_one(struct pci_dev *pdev)
+ bnxt_dcb_free(bp);
+ kfree(bp->edev);
+ bp->edev = NULL;
++ bnxt_cleanup_pci(bp);
+ bnxt_free_ctx_mem(bp);
+ kfree(bp->ctx);
+ bp->ctx = NULL;
+- bnxt_cleanup_pci(bp);
+ bnxt_free_port_stats(bp);
+ free_netdev(dev);
+ }
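Review bot: Nothing in bnxt_remove_one() records that bnxt_cleanup_pci() must now run before bnxt_free_ctx_mem(), so a later reorder of the teardown calls could bring back the device reading freed context memory. A comment on the moved call would pin the ordering, for example `/* Disable the PCI device (stops DMA) before freeing context memory. */`. The same applies to the pci_disable_device() call added in bnxt_shutdown() in the next hunk, which has to stay ahead of pci_set_power_state(). Both functions start outside their hunks.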
+@@ -10859,6 +10859,7 @@ static void bnxt_shutdown(struct pci_dev *pdev)
+
+ if (system_state == SYSTEM_POWER_OFF) {
+ bnxt_clear_int_mode(bp);
++ pci_disable_device(pdev);
+ pci_wake_from_d3(pdev, bp->wol);
+ pci_set_power_state(pdev, PCI_D3hot);
+ }
+--
+2.20.1
+
--- /dev/null
+From d2f47394636831f6b3fcf7c0505af8ceb8e02270 Mon Sep 17 00:00:00 2001
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sat, 29 Jun 2019 11:16:46 -0400
+Subject: bnxt_en: Fix statistics context reservation logic for RDMA driver.
+
+[ Upstream commit d77b1ad8e87dc5a6cd0d9158b097a4817946ca3b ]
+
+The current logic assumes that the RDMA driver uses one statistics
+context adjacent to the ones used by the network driver. This
+assumption is not true and the statistics context used by the
+RDMA driver is tied to its MSIX base vector. This wrong assumption
+can cause RDMA driver failure after changing ethtool rings on the
+network side. Fix the statistics reservation logic accordingly.
+
+Fixes: 780baad44f0f ("bnxt_en: Reserve 1 stat_ctx for RDMA driver.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index b9bc829aa9da..9090c79387c1 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5508,7 +5508,16 @@ static int bnxt_cp_rings_in_use(struct bnxt *bp)
+
+ static int bnxt_get_func_stat_ctxs(struct bnxt *bp)
+ {
+- return bp->cp_nr_rings + bnxt_get_ulp_stat_ctxs(bp);
++ int ulp_stat = bnxt_get_ulp_stat_ctxs(bp);
++ int cp = bp->cp_nr_rings;
++
++ if (!ulp_stat)
++ return cp;
++
++ if (bnxt_nq_rings_in_use(bp) > cp + bnxt_get_ulp_msix_num(bp))
++ return bnxt_get_ulp_msix_base(bp) + ulp_stat;
++
++ return cp + ulp_stat;
+ }
+
+ static bool bnxt_need_reserve_rings(struct bnxt *bp)
+@@ -7477,11 +7486,7 @@ unsigned int bnxt_get_avail_cp_rings_for_en(struct bnxt *bp)
+
+ unsigned int bnxt_get_avail_stat_ctxs_for_en(struct bnxt *bp)
+ {
+- unsigned int stat;
+-
+- stat = bnxt_get_max_func_stat_ctxs(bp) - bnxt_get_ulp_stat_ctxs(bp);
+- stat -= bp->cp_nr_rings;
+- return stat;
++ return bnxt_get_max_func_stat_ctxs(bp) - bnxt_get_func_stat_ctxs(bp);
+ }
+
+ int bnxt_get_avail_msix(struct bnxt *bp, int num)
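Review bot: bnxt_get_avail_stat_ctxs_for_en() returns unsigned int, but the value is now a plain difference of two calls with no check that the in-use count stays at or below the maximum. The new branch in bnxt_get_func_stat_ctxs() (previous hunk) derives the in-use count from bnxt_get_ulp_msix_base(), so it is no longer bounded by cp_nr_rings. If it can exceed bnxt_get_max_func_stat_ctxs(), which is not visible here, the result wraps to a very large count. Clamping before returning, e.g. `return max > used ? max - used : 0;` with the two calls stored in locals, avoids handing callers a bogus availability figure.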
+--
+2.20.1
+
--- /dev/null
+From e1549f7aeb06b86126e0e97d91b766c8a52dbf7f Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 1 Jul 2019 20:40:24 -0700
+Subject: bonding: validate ip header before check IPPROTO_IGMP
+
+[ Upstream commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c ]
+
+bond_xmit_roundrobin() checks for IGMP packets but it parses
+the IP header even before checking skb->protocol.
+
+We should validate the IP header with pskb_may_pull() before
+using iph->protocol.
+
+Reported-and-tested-by: syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com
+Fixes: a2fd940f4cff ("bonding: fix broken multicast with round-robin mode")
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 37 ++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 799fc38c5c34..b0aab3a0a1bf 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3866,8 +3866,8 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb,
+ struct net_device *bond_dev)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+- struct iphdr *iph = ip_hdr(skb);
+ struct slave *slave;
++ int slave_cnt;
+ u32 slave_id;
+
+ /* Start with the curr_active_slave that joined the bond as the
+@@ -3876,23 +3876,32 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb,
+ * send the join/membership reports. The curr_active_slave found
+ * will send all of this type of traffic.
+ */
+- if (iph->protocol == IPPROTO_IGMP && skb->protocol == htons(ETH_P_IP)) {
+- slave = rcu_dereference(bond->curr_active_slave);
+- if (slave)
+- bond_dev_queue_xmit(bond, skb, slave->dev);
+- else
+- bond_xmit_slave_id(bond, skb, 0);
+- } else {
+- int slave_cnt = READ_ONCE(bond->slave_cnt);
++ if (skb->protocol == htons(ETH_P_IP)) {
++ int noff = skb_network_offset(skb);
++ struct iphdr *iph;
+
+- if (likely(slave_cnt)) {
+- slave_id = bond_rr_gen_slave_id(bond);
+- bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
+- } else {
+- bond_tx_drop(bond_dev, skb);
++ if (unlikely(!pskb_may_pull(skb, noff + sizeof(*iph))))
++ goto non_igmp;
++
++ iph = ip_hdr(skb);
++ if (iph->protocol == IPPROTO_IGMP) {
++ slave = rcu_dereference(bond->curr_active_slave);
++ if (slave)
++ bond_dev_queue_xmit(bond, skb, slave->dev);
++ else
++ bond_xmit_slave_id(bond, skb, 0);
++ return NETDEV_TX_OK;
+ }
+ }
+
++non_igmp:
++ slave_cnt = READ_ONCE(bond->slave_cnt);
++ if (likely(slave_cnt)) {
++ slave_id = bond_rr_gen_slave_id(bond);
++ bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
++ } else {
++ bond_tx_drop(bond_dev, skb);
++ }
+ return NETDEV_TX_OK;
+ }
+
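Review bot: The ordering in the new IPv4 branch, where ip_hdr(skb) is read only after pskb_may_pull() succeeds, is the point of the fix but is not commented. pskb_may_pull() can reallocate the skb header, so a pointer taken before the call could be stale; a line such as `/* pskb_may_pull() may move skb->head: fetch iph only afterwards */` above `iph = ip_hdr(skb);` would document that. When the pull fails the packet falls through to the round-robin path rather than being dropped, which looks intentional but is worth stating next to the `goto non_igmp`. The function begins in the previous hunk.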
+--
+2.20.1
+
--- /dev/null
+From 5a893c3a0ada72dd06db1088bf9b1e6d00ebd408 Mon Sep 17 00:00:00 2001
+From: Jiong Wang <jiong.wang@netronome.com>
+Date: Tue, 25 Jun 2019 17:41:50 +0100
+Subject: bpf: fix BPF_ALU32 | BPF_ARSH on BE arches
+
+[ Upstream commit 75672dda27bd00109a84cd975c17949ad9c45663 ]
+
+Yauheni reported that the following code does not work correctly on BE arches:
+
+ ALU_ARSH_X:
+ DST = (u64) (u32) ((*(s32 *) &DST) >> SRC);
+ CONT;
+ ALU_ARSH_K:
+ DST = (u64) (u32) ((*(s32 *) &DST) >> IMM);
+ CONT;
+
+and are causing failure of test_verifier test 'arsh32 on imm 2' on BE
+arches.
+
+The code is taking address and interpreting memory directly, so is not
+endianness neutral. We should instead perform standard C type casting on
+the variable. A u64 to s32 conversion will drop the high 32-bit and reserve
+the low 32-bit as signed integer, this is all we want.
+
+Fixes: 2dc6b100f928 ("bpf: interpreter support BPF_ALU | BPF_ARSH")
+Reported-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
+Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 080e2bb644cc..f2148db91439 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1364,10 +1364,10 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
+ insn++;
+ CONT;
+ ALU_ARSH_X:
+- DST = (u64) (u32) ((*(s32 *) &DST) >> SRC);
++ DST = (u64) (u32) (((s32) DST) >> SRC);
+ CONT;
+ ALU_ARSH_K:
+- DST = (u64) (u32) ((*(s32 *) &DST) >> IMM);
++ DST = (u64) (u32) (((s32) DST) >> IMM);
+ CONT;
+ ALU64_ARSH_X:
+ (*(s64 *) &DST) >>= SRC;
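Review bot: The 32-bit register shift in ALU_ARSH_X shifts an s32 by SRC, so a count of 32 or more is undefined behaviour in C, and nothing in this hunk masks it. If the verifier does not already bound the register value (not visible here), masking the count keeps the interpreter defined: `DST = (u64) (u32) (((s32) DST) >> (SRC & 31));`. The ALU64_ARSH_X case on the last line of the hunk still uses the pointer cast, which is endian-neutral only because source and destination have the same width. A short comment there would explain why it was left alone.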
+--
+2.20.1
+
--- /dev/null
+From b23c8428068c2d1a4c0a38f9c15a7fb65a92061d Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Sat, 15 Jun 2019 12:12:21 -0700
+Subject: bpf: fix callees pruning callers
+
+[ Upstream commit eea1c227b9e9bad295e8ef984004a9acf12bb68c ]
+
+The commit 7640ead93924 partially resolved the issue of callees
+incorrectly pruning the callers.
+With introduction of bounded loops and jmps_processed heuristic
+single verifier state may contain multiple branches and calls.
+It's possible that new verifier state (for future pruning) will be
+allocated inside callee. Then callee will exit (still within the same
+verifier state). It will go back to the caller and there R6-R9 registers
+will be read and will trigger mark_reg_read. But the reg->live for all frames
+but the top frame is not set to LIVE_NONE. Hence mark_reg_read will fail
+to propagate liveness into parent and future walking will incorrectly
+conclude that the states are equivalent because LIVE_READ is not set.
+In other words the rule for parent/live should be:
+whenever register parentage chain is set the reg->live should be set to LIVE_NONE.
+is_state_visited logic already follows this rule for spilled registers.
+
+Fixes: 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences")
+Fixes: f4d7e40a5b71 ("bpf: introduce function calls (verification)")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index a5c369e60343..11528bdaa9dc 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -6456,17 +6456,18 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
+ * the state of the call instruction (with WRITTEN set), and r0 comes
+ * from callee with its full parentage chain, anyway.
+ */
+- for (j = 0; j <= cur->curframe; j++)
+- for (i = j < cur->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++)
+- cur->frame[j]->regs[i].parent = &new->frame[j]->regs[i];
+ /* clear write marks in current state: the writes we did are not writes
+ * our child did, so they don't screen off its reads from us.
+ * (There are no read marks in current state, because reads always mark
+ * their parent and current state never has children yet. Only
+ * explored_states can get read marks.)
+ */
+- for (i = 0; i < BPF_REG_FP; i++)
+- cur->frame[cur->curframe]->regs[i].live = REG_LIVE_NONE;
++ for (j = 0; j <= cur->curframe; j++) {
++ for (i = j < cur->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++)
++ cur->frame[j]->regs[i].parent = &new->frame[j]->regs[i];
++ for (i = 0; i < BPF_REG_FP; i++)
++ cur->frame[j]->regs[i].live = REG_LIVE_NONE;
++ }
+
+ /* all stack frames are accessible from callee, clear them all */
+ for (j = 0; j <= cur->curframe; j++) {
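Review bot: The comment block kept above the merged loop still describes only clearing write marks "in current state", while the loop now resets live for every frame up to curframe. The rule from the commit description belongs in the code, for example `/* Whenever the parentage chain is set, reg->live must be reset to REG_LIVE_NONE, in every frame. */` directly above the outer `for`. The parent loop starts at BPF_REG_6 for non-top frames while the live loop starts at 0, so R0-R5 of caller frames get live cleared without a parent being set; a word on why that is safe would help. is_state_visited() starts and ends outside the hunk.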
+--
+2.20.1
+
--- /dev/null
+From f968dc507e7b7d61e009c8048376d8be27f8dec9 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Fri, 28 Jun 2019 07:08:45 +0300
+Subject: bpf: fix uapi bpf_prog_info fields alignment
+
+[ Upstream commit 0472301a28f6cf53a6bc5783e48a2d0bbff4682f ]
+
+Merge commit 1c8c5a9d38f60 ("Merge
+git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next") undid the
+fix from commit 36f9814a494 ("bpf: fix uapi hole for 32 bit compat
+applications") by taking the gpl_compatible 1-bit field definition from
+commit b85fab0e67b162 ("bpf: Add gpl_compatible flag to struct
+bpf_prog_info") as is. That breaks architectures with 16-bit alignment
+like m68k. Add 31-bit pad after gpl_compatible to restore alignment of
+following fields.
+
+Thanks to Dmitry V. Levin his analysis of this bug history.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Acked-by: Song Liu <songliubraving@fb.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h | 1 +
+ tools/include/uapi/linux/bpf.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index a8b823c30b43..29a5bc3d5c66 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -3143,6 +3143,7 @@ struct bpf_prog_info {
+ char name[BPF_OBJ_NAME_LEN];
+ __u32 ifindex;
+ __u32 gpl_compatible:1;
++ __u32 :31; /* alignment pad */
+ __u64 netns_dev;
+ __u64 netns_ino;
+ __u32 nr_jited_ksyms;
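Review bot: The comment `/* alignment pad */` does not say which alignment it protects, and this is a uapi structure whose layout cannot change again once shipped. Something like `/* explicit pad: keeps the following __u64 fields at the same offset on ABIs with 16-bit alignment */` would record the reason given in the commit message. An unnamed bit-field cannot be assigned by name, so whether these 31 bits are zero when the structure is copied to user space depends on the producer clearing the whole structure first; that code is outside the hunk and worth confirming. The identical line is added to tools/include/uapi/linux/bpf.h in the next hunk, and the two copies have to stay in step.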
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index a8b823c30b43..29a5bc3d5c66 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -3143,6 +3143,7 @@ struct bpf_prog_info {
+ char name[BPF_OBJ_NAME_LEN];
+ __u32 ifindex;
+ __u32 gpl_compatible:1;
++ __u32 :31; /* alignment pad */
+ __u64 netns_dev;
+ __u64 netns_ino;
+ __u32 nr_jited_ksyms;
+--
+2.20.1
+
--- /dev/null
+From cae12dddda2f1dbda1e0e93ab7b065c233ce22bd Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Tue, 2 Jul 2019 18:25:31 +0800
+Subject: bpf, libbpf, smatch: Fix potential NULL pointer dereference
+
+[ Upstream commit 33bae185f74d49a0d7b1bfaafb8e959efce0f243 ]
+
+Based on the following report from Smatch, fix the potential NULL
+pointer dereference check:
+
+ tools/lib/bpf/libbpf.c:3493
+ bpf_prog_load_xattr() warn: variable dereferenced before check 'attr'
+ (see line 3483)
+
+ 3479 int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
+ 3480 struct bpf_object **pobj, int *prog_fd)
+ 3481 {
+ 3482 struct bpf_object_open_attr open_attr = {
+ 3483 .file = attr->file,
+ 3484 .prog_type = attr->prog_type,
+ ^^^^^^
+ 3485 };
+
+At the head of function, it directly access 'attr' without checking
+if it's NULL pointer. This patch moves the values assignment after
+validating 'attr' and 'attr->file'.
+
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 151f7ac1882e..3865a5d27251 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -3487,10 +3487,7 @@ int bpf_prog_load(const char *file, enum bpf_prog_type type,
+ int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
+ struct bpf_object **pobj, int *prog_fd)
+ {
+- struct bpf_object_open_attr open_attr = {
+- .file = attr->file,
+- .prog_type = attr->prog_type,
+- };
++ struct bpf_object_open_attr open_attr = {};
+ struct bpf_program *prog, *first_prog = NULL;
+ enum bpf_attach_type expected_attach_type;
+ enum bpf_prog_type prog_type;
+@@ -3503,6 +3500,9 @@ int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
+ if (!attr->file)
+ return -EINVAL;
+
++ open_attr.file = attr->file;
++ open_attr.prog_type = attr->prog_type;
++
+ obj = bpf_object__open_xattr(&open_attr);
+ if (IS_ERR_OR_NULL(obj))
+ return -ENOENT;
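Review bot: Nothing at the two added assignments says why `open_attr` is filled in here rather than in its initializer, which is exactly the form this commit had to undo. A one-line comment such as `/* attr was validated above; only now is it safe to read its fields */` would keep a later cleanup from folding them back into the declaration. Only `if (!attr->file)` is visible in this hunk, so the check of `attr` itself is assumed to sit just above it. bpf_prog_load_xattr() continues past the end of the hunk.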
+--
+2.20.1
+
--- /dev/null
+From 39e42c8a52ec2af560d4bdcf556228fb7d56ae7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= <valdis.kletnieks@vt.edu>
+Date: Thu, 6 Jun 2019 22:39:27 -0400
+Subject: bpf: silence warning messages in core
+
+[ Upstream commit aee450cbe482a8c2f6fa5b05b178ef8b8ff107ca ]
+
+Compiling kernel/bpf/core.c with W=1 causes a flood of warnings:
+
+kernel/bpf/core.c:1198:65: warning: initialized field overwritten [-Woverride-init]
+ 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
+ | ^~~~
+kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL'
+ 1087 | INSN_3(ALU, ADD, X), \
+ | ^~~~~~
+kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP'
+ 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
+ | ^~~~~~~~~~~~
+kernel/bpf/core.c:1198:65: note: (near initialization for 'public_insntable[12]')
+ 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
+ | ^~~~
+kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL'
+ 1087 | INSN_3(ALU, ADD, X), \
+ | ^~~~~~
+kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP'
+ 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
+ | ^~~~~~~~~~~~
+
+98 copies of the above.
+
+The attached patch silences the warnings, because we *know* we're overwriting
+the default initializer. That leaves bpf/core.c with only 6 other warnings,
+which become more visible in comparison.
+
+Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile
+index 4c2fa3ac56f6..29d781061cd5 100644
+--- a/kernel/bpf/Makefile
++++ b/kernel/bpf/Makefile
+@@ -1,5 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-y := core.o
++CFLAGS_core.o += $(call cc-disable-warning, override-init)
+
+ obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o tnum.o
+ obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o bpf_lru_list.o lpm_trie.o map_in_map.o
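Review bot: The added `CFLAGS_core.o` line switches off the override-init warning for the whole of core.c, not only for the instruction table named in the commit message, and the Makefile gives no reason for it. An accidental duplicate designated initializer anywhere else in that file would then compile without a diagnostic. At minimum I would put a comment above the line, for example `# public_insntable overrides its default initializers on purpose`, so the scope of the exception is known to whoever touches the file next.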
+--
+2.20.1
+
--- /dev/null
+From ed0abadbcdf2ea14541bcf0ce610c9eb68141e0b Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 30 May 2019 12:50:43 +0200
+Subject: clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
+
+[ Upstream commit 6282edb72bed5324352522d732080d4c1b9dfed6 ]
+
+Exynos SoCs based on CA7/CA15 have 2 timer interfaces: custom Exynos MCT
+(Multi Core Timer) and standard ARM Architected Timers.
+
+There are use cases, where both timer interfaces are used simultanously.
+One of such examples is using Exynos MCT for the main system timer and
+ARM Architected Timers for the KVM and virtualized guests (KVM requires
+arch timers).
+
+Exynos Multi-Core Timer driver (exynos_mct) must be however started
+before ARM Architected Timers (arch_timer), because they both share some
+common hardware blocks (global system counter) and turning on MCT is
+needed to get ARM Architected Timer working properly.
+
+To ensure selecting Exynos MCT as the main system timer, increase MCT
+timer rating. To ensure proper starting order of both timers during
+suspend/resume cycle, increase MCT hotplug priority over ARM Archictected
+Timers.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/exynos_mct.c | 4 ++--
+ include/linux/cpuhotplug.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
+index e8eab16b154b..74cb299f5089 100644
+--- a/drivers/clocksource/exynos_mct.c
++++ b/drivers/clocksource/exynos_mct.c
+@@ -206,7 +206,7 @@ static void exynos4_frc_resume(struct clocksource *cs)
+
+ static struct clocksource mct_frc = {
+ .name = "mct-frc",
+- .rating = 400,
++ .rating = 450, /* use value higher than ARM arch timer */
+ .read = exynos4_frc_read,
+ .mask = CLOCKSOURCE_MASK(32),
+ .flags = CLOCK_SOURCE_IS_CONTINUOUS,
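Review bot: The new rating is a bare literal whose only justification is `/* use value higher than ARM arch timer */`, while the arch timer's own rating is presumably defined in another driver and is not referenced here. If that value is ever raised, the intended ordering is lost with no build-time signal. Stating in the comment which value must be exceeded would make the dependency checkable during review; the same applies to `evt->rating = 500;` in the next hunk.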
+@@ -461,7 +461,7 @@ static int exynos4_mct_starting_cpu(unsigned int cpu)
+ evt->set_state_oneshot_stopped = set_state_shutdown;
+ evt->tick_resume = set_state_shutdown;
+ evt->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT;
+- evt->rating = 450;
++ evt->rating = 500; /* use value higher than ARM arch timer */
+
+ exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET);
+
+diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
+index 52ec0d9fa1f7..068793a619ca 100644
+--- a/include/linux/cpuhotplug.h
++++ b/include/linux/cpuhotplug.h
+@@ -116,10 +116,10 @@ enum cpuhp_state {
+ CPUHP_AP_PERF_ARM_ACPI_STARTING,
+ CPUHP_AP_PERF_ARM_STARTING,
+ CPUHP_AP_ARM_L2X0_STARTING,
++ CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING,
+ CPUHP_AP_ARM_ARCH_TIMER_STARTING,
+ CPUHP_AP_ARM_GLOBAL_TIMER_STARTING,
+ CPUHP_AP_JCORE_TIMER_STARTING,
+- CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING,
+ CPUHP_AP_ARM_TWD_STARTING,
+ CPUHP_AP_QCOM_TIMER_STARTING,
+ CPUHP_AP_TEGRA_TIMER_STARTING,
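Review bot: The entry is moved ahead of `CPUHP_AP_ARM_ARCH_TIMER_STARTING` because its position in the enum decides the start-up order, but the header records nothing about that constraint. A later alphabetical or per-vendor regrouping of these entries would silently undo the fix. I would add a comment on the moved line, for example `/* must stay before ARM_ARCH_TIMER: the MCT has to run for the arch timer to work */`. The enum starts and ends outside this hunk.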
+--
+2.20.1
+
--- /dev/null
+From 2637b479e1b5a59638f70fc574385f3ecf769d75 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Mon, 3 Jun 2019 21:59:43 +0300
+Subject: clocksource/drivers/tegra: Release all IRQ's on request_irq() error
+
+[ Upstream commit 7a3916706e858ad0bc3b5629c68168e1449de26a ]
+
+Release all requested IRQ's on the request error to properly clean up
+allocated resources.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-tegra20.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clocksource/timer-tegra20.c b/drivers/clocksource/timer-tegra20.c
+index 1e7ece279730..fe5cc0963ac9 100644
+--- a/drivers/clocksource/timer-tegra20.c
++++ b/drivers/clocksource/timer-tegra20.c
+@@ -288,7 +288,7 @@ static int __init tegra_init_timer(struct device_node *np)
+ pr_err("%s: can't map IRQ for CPU%d\n",
+ __func__, cpu);
+ ret = -EINVAL;
+- goto out;
++ goto out_irq;
+ }
+
+ irq_set_status_flags(cpu_to->clkevt.irq, IRQ_NOAUTOEN);
+@@ -298,7 +298,8 @@ static int __init tegra_init_timer(struct device_node *np)
+ if (ret) {
+ pr_err("%s: cannot setup irq %d for CPU%d\n",
+ __func__, cpu_to->clkevt.irq, cpu);
+- ret = -EINVAL;
++ irq_dispose_mapping(cpu_to->clkevt.irq);
++ cpu_to->clkevt.irq = 0;
+ goto out_irq;
+ }
+ }
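Review bot: The two lines added to the request failure path rely on an unstated contract with the `out_irq` cleanup. `cpu_to->clkevt.irq = 0;` is presumably there so that the cleanup loop skips this CPU after `irq_dispose_mapping()` has already been called for it; a comment such as `/* already disposed: make out_irq skip this CPU */` would say so. The first hunk's `goto out_irq` depends on the same convention for CPUs that were never reached, i.e. on their `clkevt.irq` starting out as 0, which cannot be confirmed from the lines shown. tegra_init_timer() extends beyond both hunks.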
+--
+2.20.1
+
--- /dev/null
+From dd1783268f04b73cd8d3ef506ac7a4ef7749625c Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Tue, 18 Jun 2019 17:03:56 +0300
+Subject: clocksource/drivers/tegra: Restore base address before cleanup
+
+[ Upstream commit fc9babc2574691d3bbf0428f007b22261fed55c6 ]
+
+We're adjusting the timer's base for each per-CPU timer to point to the
+actual start of the timer since device-tree defines a compound registers
+range that includes all of the timers. In this case the original base
+need to be restore before calling iounmap to unmap the proper address.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-tegra20.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clocksource/timer-tegra20.c b/drivers/clocksource/timer-tegra20.c
+index fe5cc0963ac9..462be34b41c4 100644
+--- a/drivers/clocksource/timer-tegra20.c
++++ b/drivers/clocksource/timer-tegra20.c
+@@ -319,6 +319,8 @@ static int __init tegra_init_timer(struct device_node *np)
+ irq_dispose_mapping(cpu_to->clkevt.irq);
+ }
+ }
++
++ to->of_base.base = timer_reg_base;
+ out:
+ timer_of_cleanup(to);
+ return ret;
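Review bot: The restore `to->of_base.base = timer_reg_base;` sits above the `out:` label, so it runs only on paths that fall through from the IRQ cleanup and never on a direct `goto out`. That is correct only if every `goto out` is taken before the base is adjusted for the per-CPU timers, which this hunk does not show. A comment on the added line, for example `/* undo the per-CPU base adjustment so timer_of_cleanup() unmaps the original address */`, would document both the reason and the placement. The function body starts outside the hunk.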
+--
+2.20.1
+
--- /dev/null
+From b2cc7baadbf7e7545d9b814eb0153767b7939888 Mon Sep 17 00:00:00 2001
+From: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Date: Wed, 29 May 2019 04:30:33 -0500
+Subject: cpupower : frequency-set -r option misses the last cpu in related cpu
+ list
+
+[ Upstream commit 04507c0a9385cc8280f794a36bfff567c8cc1042 ]
+
+To set frequency on specific cpus using cpupower, following syntax can
+be used :
+cpupower -c #i frequency-set -f #f -r
+
+While setting frequency using cpupower frequency-set command, if we use
+'-r' option, it is expected to set frequency for all cpus related to
+cpu #i. But it is observed to be missing the last cpu in related cpu
+list. This patch fixes the problem.
+
+Signed-off-by: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Reviewed-by: Thomas Renninger <trenn@suse.de>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/utils/cpufreq-set.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/power/cpupower/utils/cpufreq-set.c b/tools/power/cpupower/utils/cpufreq-set.c
+index f49bc4aa2a08..6ed82fba5aaa 100644
+--- a/tools/power/cpupower/utils/cpufreq-set.c
++++ b/tools/power/cpupower/utils/cpufreq-set.c
+@@ -305,6 +305,8 @@ int cmd_freq_set(int argc, char **argv)
+ bitmask_setbit(cpus_chosen, cpus->cpu);
+ cpus = cpus->next;
+ }
++ /* Set the last cpu in related cpus list */
++ bitmask_setbit(cpus_chosen, cpus->cpu);
+ cpufreq_put_related_cpus(cpus);
+ }
+ }
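Review bot: The added `bitmask_setbit(cpus_chosen, cpus->cpu);` dereferences `cpus` unconditionally after the loop, so it is safe only if the loop stops on the last node rather than on NULL. The loop condition and any check of the related-CPU lookup's result are both outside the hunk; if the lookup can return an empty list, that case has to be rejected before the loop is entered. The new comment could state the invariant it depends on, for example `/* loop above stops at the last node; set it too */`. cmd_freq_set() continues outside the hunk.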
+--
+2.20.1
+
--- /dev/null
+From 337a8fdc4b43461381888262db1fc276b0878d4a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 18 Jun 2019 14:13:47 +0200
+Subject: crypto: asymmetric_keys - select CRYPTO_HASH where needed
+
+[ Upstream commit 90acc0653d2bee203174e66d519fbaaa513502de ]
+
+Build testing with some core crypto options disabled revealed
+a few modules that are missing CRYPTO_HASH:
+
+crypto/asymmetric_keys/x509_public_key.o: In function `x509_get_sig_params':
+x509_public_key.c:(.text+0x4c7): undefined reference to `crypto_alloc_shash'
+x509_public_key.c:(.text+0x5e5): undefined reference to `crypto_shash_digest'
+crypto/asymmetric_keys/pkcs7_verify.o: In function `pkcs7_digest.isra.0':
+pkcs7_verify.c:(.text+0xab): undefined reference to `crypto_alloc_shash'
+pkcs7_verify.c:(.text+0x1b2): undefined reference to `crypto_shash_digest'
+pkcs7_verify.c:(.text+0x3c1): undefined reference to `crypto_shash_update'
+pkcs7_verify.c:(.text+0x411): undefined reference to `crypto_shash_finup'
+
+This normally doesn't show up in randconfig tests because there is
+a large number of other options that select CRYPTO_HASH.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/asymmetric_keys/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
+index be70ca6c85d3..1f1f004dc757 100644
+--- a/crypto/asymmetric_keys/Kconfig
++++ b/crypto/asymmetric_keys/Kconfig
+@@ -15,6 +15,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select MPILIB
+ select CRYPTO_HASH_INFO
+ select CRYPTO_AKCIPHER
++ select CRYPTO_HASH
+ help
+ This option provides support for asymmetric public key type handling.
+ If signature generation and/or verification are to be used,
+@@ -65,6 +66,7 @@ config TPM_KEY_PARSER
+ config PKCS7_MESSAGE_PARSER
+ tristate "PKCS#7 message parser"
+ depends on X509_CERTIFICATE_PARSER
++ select CRYPTO_HASH
+ select ASN1
+ select OID_REGISTRY
+ help
+@@ -87,6 +89,7 @@ config SIGNED_PE_FILE_VERIFICATION
+ bool "Support for PE file signature verification"
+ depends on PKCS7_MESSAGE_PARSER=y
+ depends on SYSTEM_DATA_VERIFICATION
++ select CRYPTO_HASH
+ select ASN1
+ select OID_REGISTRY
+ help
+--
+2.20.1
+
--- /dev/null
+From 22a92c433fca074131134b361fe6b96fe18b7a77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Fri, 3 May 2019 17:17:37 +0300
+Subject: crypto: caam - avoid S/G table fetching for AEAD zero-length output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit dcd9c76e5a183af4f793beb5141efcd260b8d09f ]
+
+When enabling IOMMU support, the following issue becomes visible
+in the AEAD zero-length case.
+
+Even though the output sequence length is set to zero, the crypto engine
+tries to prefetch 4 S/G table entries (since SGF bit is set
+in SEQ OUT PTR command - which is either generated in SW in case of
+caam/jr or in HW in case of caam/qi, caam/qi2).
+The DMA read operation will trigger an IOMMU fault since the address in
+the SEQ OUT PTR is "dummy" (set to zero / not obtained via DMA API
+mapping).
+
+1. In case of caam/jr, avoid the IOMMU fault by clearing the SGF bit
+in SEQ OUT PTR command.
+
+2. In case of caam/qi - setting address, bpid, length to zero for output
+entry in the compound frame has a special meaning (cf. CAAM RM):
+"Output frame = Unspecified, Input address = Y. A unspecified frame is
+indicated by an unused SGT entry (an entry in which the Address, Length,
+and BPID fields are all zero). SEC obtains output buffers from BMan as
+prescribed by the preheader."
+
+Since no output buffers are needed, modify the preheader by setting
+(ABS = 1, ADDBUF = 0):
+-"ABS = 1 means obtain the number of buffers in ADDBUF (0 or 1) from
+the pool POOL ID"
+-ADDBUF: "If ABS is set, ADD BUF specifies whether to allocate
+a buffer or not"
+
+3. In case of caam/qi2, since engine:
+-does not support FLE[FMT]=2'b11 ("unused" entry) mentioned in DPAA2 RM
+-requires output entry to be present, even if not used
+the solution chosen is to leave output frame list entry zeroized.
+
+Fixes: 763069ba49d3 ("crypto: caam - handle zero-length AEAD output")
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/caam/caamalg.c | 1 +
+ drivers/crypto/caam/caamalg_qi.c | 2 +-
+ drivers/crypto/caam/caamalg_qi2.c | 9 +++++++++
+ drivers/crypto/caam/qi.c | 3 +++
+ 4 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
+index c0ece44f303b..df416e6c1468 100644
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -1106,6 +1106,7 @@ static void init_aead_job(struct aead_request *req,
+ if (unlikely(req->src != req->dst)) {
+ if (!edesc->mapped_dst_nents) {
+ dst_dma = 0;
++ out_options = 0;
+ } else if (edesc->mapped_dst_nents == 1) {
+ dst_dma = sg_dma_address(req->dst);
+ out_options = 0;
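Review bot: The added `out_options = 0;` has no comment, and on its own it reads like a redundant default next to `dst_dma = 0;`. According to the commit message it is what clears the SGF bit so the engine does not prefetch S/G entries from the dummy address and raise an IOMMU fault. I would record that on the line: `/* no output: clear SGF so the engine does not fetch an S/G table from address 0 */`. init_aead_job() starts and ends outside the hunk.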
+diff --git a/drivers/crypto/caam/caamalg_qi.c b/drivers/crypto/caam/caamalg_qi.c
+index d290d6b41825..116cbc81fa8d 100644
+--- a/drivers/crypto/caam/caamalg_qi.c
++++ b/drivers/crypto/caam/caamalg_qi.c
+@@ -1109,7 +1109,7 @@ static struct aead_edesc *aead_edesc_alloc(struct aead_request *req,
+ dma_to_qm_sg_one_ext(&fd_sgt[0], qm_sg_dma +
+ (1 + !!ivsize) * sizeof(*sg_table),
+ out_len, 0);
+- } else if (mapped_dst_nents == 1) {
++ } else if (mapped_dst_nents <= 1) {
+ dma_to_qm_sg_one(&fd_sgt[0], sg_dma_address(req->dst), out_len,
+ 0);
+ } else {
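Review bot: Widening the test to `mapped_dst_nents <= 1` sends the zero-entry case through `sg_dma_address(req->dst)`, which reads the DMA address of a scatterlist that presumably was never mapped. The commit message depends on address, length and bpid all being zero for the "unspecified frame" meaning, and nothing in the hunk guarantees that the address read here is zero, or that `req->dst` is non-NULL. Making the case explicit, e.g. `dma_to_qm_sg_one(&fd_sgt[0], mapped_dst_nents ? sg_dma_address(req->dst) : 0, out_len, 0);`, would put the intent in the code. aead_edesc_alloc() starts and ends outside the hunk.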
+diff --git a/drivers/crypto/caam/caamalg_qi2.c b/drivers/crypto/caam/caamalg_qi2.c
+index 2b2980a8a9b9..b949944c8e55 100644
+--- a/drivers/crypto/caam/caamalg_qi2.c
++++ b/drivers/crypto/caam/caamalg_qi2.c
+@@ -559,6 +559,14 @@ static struct aead_edesc *aead_edesc_alloc(struct aead_request *req,
+ dpaa2_fl_set_addr(out_fle, qm_sg_dma +
+ (1 + !!ivsize) * sizeof(*sg_table));
+ }
++ } else if (!mapped_dst_nents) {
++ /*
++ * crypto engine requires the output entry to be present when
++ * "frame list" FD is used.
++ * Since engine does not support FMT=2'b11 (unused entry type),
++ * leaving out_fle zeroized is the best option.
++ */
++ goto skip_out_fle;
+ } else if (mapped_dst_nents == 1) {
+ dpaa2_fl_set_format(out_fle, dpaa2_fl_single);
+ dpaa2_fl_set_addr(out_fle, sg_dma_address(req->dst));
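Review bot: The new branch jumps to `skip_out_fle` (the label is added in the next hunk) and so bypasses `dpaa2_fl_set_len(out_fle, out_len)`; "leaving out_fle zeroized" therefore holds only if `out_fle` was cleared earlier in the function, which is not visible here. The comment should name where that clearing happens so the assumption can be checked. A forward `goto` over a single statement is also harder to follow than guarding the length assignment, for example `if (mapped_dst_nents || req->src == req->dst) dpaa2_fl_set_len(out_fle, out_len);`, though the exact condition has to be confirmed against the branches above the hunk.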
+@@ -570,6 +578,7 @@ static struct aead_edesc *aead_edesc_alloc(struct aead_request *req,
+
+ dpaa2_fl_set_len(out_fle, out_len);
+
++skip_out_fle:
+ return edesc;
+ }
+
+diff --git a/drivers/crypto/caam/qi.c b/drivers/crypto/caam/qi.c
+index 9f08f84cca59..2d9b0485141f 100644
+--- a/drivers/crypto/caam/qi.c
++++ b/drivers/crypto/caam/qi.c
+@@ -18,6 +18,7 @@
+ #include "desc_constr.h"
+
+ #define PREHDR_RSLS_SHIFT 31
++#define PREHDR_ABS BIT(25)
+
+ /*
+ * Use a reasonable backlog of frames (per CPU) as congestion threshold,
+@@ -346,6 +347,7 @@ int caam_drv_ctx_update(struct caam_drv_ctx *drv_ctx, u32 *sh_desc)
+ */
+ drv_ctx->prehdr[0] = cpu_to_caam32((1 << PREHDR_RSLS_SHIFT) |
+ num_words);
++ drv_ctx->prehdr[1] = cpu_to_caam32(PREHDR_ABS);
+ memcpy(drv_ctx->sh_desc, sh_desc, desc_bytes(sh_desc));
+ dma_sync_single_for_device(qidev, drv_ctx->context_a,
+ sizeof(drv_ctx->sh_desc) +
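Review bot: The assignment `drv_ctx->prehdr[1] = cpu_to_caam32(PREHDR_ABS);` carries no comment, and it is applied to every driver context, not only to the AEAD zero-length case the commit message describes. A reader needs to know that the rest of the word is deliberately zero; I would add `/* ABS = 1 with ADDBUF = 0: allocate no output buffer from the pool */`. The same statement is duplicated in caam_drv_ctx_init() in the next hunk, so the two preheader words could be filled by one small static helper used from both places. The new `PREHDR_ABS` is a bit mask while the neighbouring `PREHDR_RSLS_SHIFT` is a shift count; choosing one convention for these defines would avoid misuse.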
+@@ -401,6 +403,7 @@ struct caam_drv_ctx *caam_drv_ctx_init(struct device *qidev,
+ */
+ drv_ctx->prehdr[0] = cpu_to_caam32((1 << PREHDR_RSLS_SHIFT) |
+ num_words);
++ drv_ctx->prehdr[1] = cpu_to_caam32(PREHDR_ABS);
+ memcpy(drv_ctx->sh_desc, sh_desc, desc_bytes(sh_desc));
+ size = sizeof(drv_ctx->prehdr) + sizeof(drv_ctx->sh_desc);
+ hwdesc = dma_map_single(qidev, drv_ctx->prehdr, size,
+--
+2.20.1
+
--- /dev/null
+From 67056817c368d595820618874c941a86ddd73be4 Mon Sep 17 00:00:00 2001
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Mon, 27 May 2019 16:51:06 +0200
+Subject: crypto: inside-secure - do not rely on the hardware last bit for
+ result descriptors
+
+[ Upstream commit 89332590427235680236b9470e851afc49b3caa1 ]
+
+When performing a transformation the hardware is given result
+descriptors to save the result data. Those result descriptors are
+batched using a 'first' and a 'last' bit. There are cases were more
+descriptors than needed are given to the engine, leading to the engine
+only using some of them, and not setting the last bit on the last
+descriptor we gave. This causes issues were the driver and the hardware
+aren't in sync anymore about the number of result descriptors given (as
+the driver do not give a pool of descriptor to use for any
+transformation, but a pool of descriptors to use *per* transformation).
+
+This patch fixes it by attaching the number of given result descriptors
+to the requests, and by using this number instead of the 'last' bit
+found on the descriptors to process them.
+
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../crypto/inside-secure/safexcel_cipher.c | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/inside-secure/safexcel_cipher.c b/drivers/crypto/inside-secure/safexcel_cipher.c
+index de4be10b172f..ccacdcf07ffc 100644
+--- a/drivers/crypto/inside-secure/safexcel_cipher.c
++++ b/drivers/crypto/inside-secure/safexcel_cipher.c
+@@ -51,6 +51,8 @@ struct safexcel_cipher_ctx {
+
+ struct safexcel_cipher_req {
+ enum safexcel_cipher_direction direction;
++ /* Number of result descriptors associated to the request */
++ unsigned int rdescs;
+ bool needs_inv;
+ };
+
+@@ -333,7 +335,10 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv, int rin
+
+ *ret = 0;
+
+- do {
++ if (unlikely(!sreq->rdescs))
++ return 0;
++
++ while (sreq->rdescs--) {
+ rdesc = safexcel_ring_next_rptr(priv, &priv->ring[ring].rdr);
+ if (IS_ERR(rdesc)) {
+ dev_err(priv->dev,
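Review bot: `while (sreq->rdescs--)` post-decrements an `unsigned int`, so when the loop runs to completion the field is left at UINT_MAX rather than 0. The `if (unlikely(!sreq->rdescs))` guard above would then not catch a second pass over the same request, and the loop bound would be about four billion descriptors; whether such a second pass can happen is outside the hunk, but the stale value is a trap. Writing the loop as `while (sreq->rdescs) {` with `sreq->rdescs--;` as its first statement leaves the counter at 0. The same pattern is added to safexcel_handle_inv_result() in a later hunk. The early `return 0;` also leaves before `safexcel_complete()` and whatever sets `*should_complete`, which is worth checking against the code outside the hunk.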
+@@ -346,7 +351,7 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv, int rin
+ *ret = safexcel_rdesc_check_errors(priv, rdesc);
+
+ ndesc++;
+- } while (!rdesc->last_seg);
++ }
+
+ safexcel_complete(priv, ring);
+
+@@ -501,6 +506,7 @@ static int safexcel_send_req(struct crypto_async_request *base, int ring,
+ static int safexcel_handle_inv_result(struct safexcel_crypto_priv *priv,
+ int ring,
+ struct crypto_async_request *base,
++ struct safexcel_cipher_req *sreq,
+ bool *should_complete, int *ret)
+ {
+ struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(base->tfm);
+@@ -509,7 +515,10 @@ static int safexcel_handle_inv_result(struct safexcel_crypto_priv *priv,
+
+ *ret = 0;
+
+- do {
++ if (unlikely(!sreq->rdescs))
++ return 0;
++
++ while (sreq->rdescs--) {
+ rdesc = safexcel_ring_next_rptr(priv, &priv->ring[ring].rdr);
+ if (IS_ERR(rdesc)) {
+ dev_err(priv->dev,
+@@ -522,7 +531,7 @@ static int safexcel_handle_inv_result(struct safexcel_crypto_priv *priv,
+ *ret = safexcel_rdesc_check_errors(priv, rdesc);
+
+ ndesc++;
+- } while (!rdesc->last_seg);
++ }
+
+ safexcel_complete(priv, ring);
+
+@@ -564,7 +573,7 @@ static int safexcel_skcipher_handle_result(struct safexcel_crypto_priv *priv,
+
+ if (sreq->needs_inv) {
+ sreq->needs_inv = false;
+- err = safexcel_handle_inv_result(priv, ring, async,
++ err = safexcel_handle_inv_result(priv, ring, async, sreq,
+ should_complete, ret);
+ } else {
+ err = safexcel_handle_req_result(priv, ring, async, req->src,
+@@ -587,7 +596,7 @@ static int safexcel_aead_handle_result(struct safexcel_crypto_priv *priv,
+
+ if (sreq->needs_inv) {
+ sreq->needs_inv = false;
+- err = safexcel_handle_inv_result(priv, ring, async,
++ err = safexcel_handle_inv_result(priv, ring, async, sreq,
+ should_complete, ret);
+ } else {
+ err = safexcel_handle_req_result(priv, ring, async, req->src,
+@@ -633,6 +642,8 @@ static int safexcel_skcipher_send(struct crypto_async_request *async, int ring,
+ ret = safexcel_send_req(async, ring, sreq, req->src,
+ req->dst, req->cryptlen, 0, 0, req->iv,
+ commands, results);
++
++ sreq->rdescs = *results;
+ return ret;
+ }
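Review bot: `sreq->rdescs = *results;` is stored regardless of `ret`, so after a failed send the count is whatever the callee left in `*results`. Whether `*results` is written on the error paths is not visible here; if it is not, the loop bound used later by the result handler would be indeterminate. Storing the count only on success, `sreq->rdescs = ret ? 0 : *results;`, removes the question. The same line is added to safexcel_aead_send() in the next hunk.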
+
+@@ -655,6 +666,7 @@ static int safexcel_aead_send(struct crypto_async_request *async, int ring,
+ req->cryptlen, req->assoclen,
+ crypto_aead_authsize(tfm), req->iv,
+ commands, results);
++ sreq->rdescs = *results;
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 3dc18158eeff82f519dd6b6322a90ddc0e5f0233 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 18 Jun 2019 13:19:42 +0200
+Subject: crypto: serpent - mark __serpent_setkey_sbox noinline
+
+[ Upstream commit 473971187d6727609951858c63bf12b0307ef015 ]
+
+The same bug that gcc hit in the past is apparently now showing
+up with clang, which decides to inline __serpent_setkey_sbox:
+
+crypto/serpent_generic.c:268:5: error: stack frame size of 2112 bytes in function '__serpent_setkey' [-Werror,-Wframe-larger-than=]
+
+Marking it 'noinline' reduces the stack usage from 2112 bytes to
+192 and 96 bytes, respectively, and seems to generate more
+useful object code.
+
+Fixes: c871c10e4ea7 ("crypto: serpent - improve __serpent_setkey with UBSAN")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/serpent_generic.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/serpent_generic.c b/crypto/serpent_generic.c
+index 16f612b6dbca..a9cc0b2aa0d6 100644
+--- a/crypto/serpent_generic.c
++++ b/crypto/serpent_generic.c
+@@ -225,7 +225,13 @@
+ x4 ^= x2; \
+ })
+
+-static void __serpent_setkey_sbox(u32 r0, u32 r1, u32 r2, u32 r3, u32 r4, u32 *k)
++/*
++ * both gcc and clang have misoptimized this function in the past,
++ * producing horrible object code from spilling temporary variables
++ * on the stack. Forcing this part out of line avoids that.
++ */
++static noinline void __serpent_setkey_sbox(u32 r0, u32 r1, u32 r2,
++ u32 r3, u32 r4, u32 *k)
+ {
+ k += 100;
+ S3(r3, r4, r0, r1, r2); store_and_load_keys(r1, r2, r4, r3, 28, 24);
+--
+2.20.1
+
--- /dev/null
+From 350a5e65483b8dc93b160a940619eb37f98b96a6 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 May 2019 13:34:18 +0000
+Subject: crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
+
+[ Upstream commit c9cca7034b34a2d82e9a03b757de2485c294851c ]
+
+The MPC885 reference manual states:
+
+SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but
+reads can occur on any byte boundary. Writing back a header read from a
+non-32-bit-word boundary will yield unpredictable results.
+
+In order to ensure that, cra_alignmask is set to 3 for SEC1.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index fb852727ee1a..710e09e28227 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -3261,7 +3261,10 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev,
+ alg->cra_priority = t_alg->algt.priority;
+ else
+ alg->cra_priority = TALITOS_CRA_PRIORITY;
+- alg->cra_alignmask = 0;
++ if (has_ftr_sec1(priv))
++ alg->cra_alignmask = 3;
++ else
++ alg->cra_alignmask = 0;
+ alg->cra_ctxsize = sizeof(struct talitos_ctx);
+ alg->cra_flags |= CRYPTO_ALG_KERN_DRIVER_ONLY;
+
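Review bot: `alg->cra_alignmask = 3;` is a bare literal with no comment, although the reason (a hardware restriction quoted from the reference manual) exists only in the commit message. I would add `/* SEC1 can only write on 32-bit word boundaries */` above the test so the constraint survives in the source. The four added lines can also be written as `alg->cra_alignmask = has_ftr_sec1(priv) ? 3 : 0;`. talitos_alg_alloc() starts and ends outside the hunk.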
+--
+2.20.1
+
--- /dev/null
+From a9c61dd52fcb95edd712505b914d44354d3e0007 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 15 May 2019 12:29:03 +0000
+Subject: crypto: talitos - fix skcipher failure due to wrong output IV
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3e03e792865ae48b8cfc69a0b4d65f02f467389f ]
+
+Selftests report the following:
+
+[ 2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41
+[ 3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 3.043185] 00000000: fe dc ba 98 76 54 32 10
+[ 3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 3.073818] 00000000: 7d 33 88 93 0f 93 b2 42
+
+This above dumps show that the actual output IV is indeed the input IV.
+This is due to the IV not being copied back into the request.
+
+This patch fixes that.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 8c57c5af0930..396199b2db7d 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1606,11 +1606,15 @@ static void ablkcipher_done(struct device *dev,
+ int err)
+ {
+ struct ablkcipher_request *areq = context;
++ struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq);
++ struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++ unsigned int ivsize = crypto_ablkcipher_ivsize(cipher);
+ struct talitos_edesc *edesc;
+
+ edesc = container_of(desc, struct talitos_edesc, desc);
+
+ common_nonsnoop_unmap(dev, edesc, areq);
++ memcpy(areq->info, ctx->iv, ivsize);
+
+ kfree(edesc);
+
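Review bot: The added `memcpy(areq->info, ctx->iv, ivsize);` takes the output IV from `ctx`, which is obtained from the transform and not from the request, so it appears to be shared by every request issued on that transform. If two requests on the same transform can be in flight together, the IV copied back here may belong to the other one; the mapping of `ctx->iv` is outside the hunk, so this needs confirming. The copy is also made without looking at `err`, which hands the caller an IV after a failed operation; `if (!err) memcpy(areq->info, ctx->iv, ivsize);` would avoid that. The function's parameter list and tail are outside the hunk.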
+--
+2.20.1
+
--- /dev/null
+From 562a4b56dbd7ca0334e7bd3d3e2f4cfa206a6b8d Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 May 2019 13:34:17 +0000
+Subject: crypto: talitos - properly handle split ICV.
+
+[ Upstream commit eae55a586c3c8b50982bad3c3426e9c9dd7a0075 ]
+
+The driver assumes that the ICV is as a single piece in the last
+element of the scatterlist. This assumption is wrong.
+
+This patch ensures that the ICV is properly handled regardless of
+the scatterlist layout.
+
+Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 396199b2db7d..fb852727ee1a 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1036,7 +1036,6 @@ static void ipsec_esp_encrypt_done(struct device *dev,
+ unsigned int authsize = crypto_aead_authsize(authenc);
+ unsigned int ivsize = crypto_aead_ivsize(authenc);
+ struct talitos_edesc *edesc;
+- struct scatterlist *sg;
+ void *icvdata;
+
+ edesc = container_of(desc, struct talitos_edesc, desc);
+@@ -1050,9 +1049,8 @@ static void ipsec_esp_encrypt_done(struct device *dev,
+ else
+ icvdata = &edesc->link_tbl[edesc->src_nents +
+ edesc->dst_nents + 2];
+- sg = sg_last(areq->dst, edesc->dst_nents);
+- memcpy((char *)sg_virt(sg) + sg->length - authsize,
+- icvdata, authsize);
++ sg_pcopy_from_buffer(areq->dst, edesc->dst_nents ? : 1, icvdata,
++ authsize, areq->assoclen + areq->cryptlen);
+ }
+
+ dma_unmap_single(dev, edesc->iv_dma, ivsize, DMA_TO_DEVICE);
+@@ -1070,7 +1068,6 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
+ struct crypto_aead *authenc = crypto_aead_reqtfm(req);
+ unsigned int authsize = crypto_aead_authsize(authenc);
+ struct talitos_edesc *edesc;
+- struct scatterlist *sg;
+ char *oicv, *icv;
+ struct talitos_private *priv = dev_get_drvdata(dev);
+ bool is_sec1 = has_ftr_sec1(priv);
+@@ -1080,9 +1077,18 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
+ ipsec_esp_unmap(dev, edesc, req);
+
+ if (!err) {
++ char icvdata[SHA512_DIGEST_SIZE];
++ int nents = edesc->dst_nents ? : 1;
++ unsigned int len = req->assoclen + req->cryptlen;
++
+ /* auth check */
+- sg = sg_last(req->dst, edesc->dst_nents ? : 1);
+- icv = (char *)sg_virt(sg) + sg->length - authsize;
++ if (nents > 1) {
++ sg_pcopy_to_buffer(req->dst, nents, icvdata, authsize,
++ len - authsize);
++ icv = icvdata;
++ } else {
++ icv = (char *)sg_virt(req->dst) + len - authsize;
++ }
+
+ if (edesc->dma_len) {
+ if (is_sec1)
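Review bot: The new `char icvdata[SHA512_DIGEST_SIZE]` in the `if (!err)` block is filled with `authsize` bytes by `sg_pcopy_to_buffer()`, and nothing in the hunk ties `authsize` to the size of that array. The bound presumably holds through the maximum auth size of the registered algorithms, but it should be stated where it is relied on, either with a `WARN_ON_ONCE(authsize > sizeof(icvdata))` guard that fails the request or at least a comment `/* authsize <= SHA512_DIGEST_SIZE for every talitos AEAD */`. The return value of `sg_pcopy_to_buffer()` is also dropped, so a short copy would leave part of `icvdata` uninitialised before the comparison that follows outside the hunk.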
+@@ -1498,7 +1504,6 @@ static int aead_decrypt(struct aead_request *req)
+ struct talitos_ctx *ctx = crypto_aead_ctx(authenc);
+ struct talitos_private *priv = dev_get_drvdata(ctx->dev);
+ struct talitos_edesc *edesc;
+- struct scatterlist *sg;
+ void *icvdata;
+
+ req->cryptlen -= authsize;
+@@ -1532,9 +1537,8 @@ static int aead_decrypt(struct aead_request *req)
+ else
+ icvdata = &edesc->link_tbl[0];
+
+- sg = sg_last(req->src, edesc->src_nents ? : 1);
+-
+- memcpy(icvdata, (char *)sg_virt(sg) + sg->length - authsize, authsize);
++ sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize,
++ req->assoclen + req->cryptlen - authsize);
+
+ return ipsec_esp(edesc, req, ipsec_esp_decrypt_swauth_done);
+ }
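Review bot: The offset passed to `sg_pcopy_to_buffer()` here, `req->assoclen + req->cryptlen - authsize`, is computed after `req->cryptlen -= authsize;` has already run (context line of the previous hunk), so it appears to land `authsize` bytes before the ICV that the removed `sg_last()` code read from the tail of the source. Unless `cryptlen` is restored between the two hunks, the stash would then hold ciphertext rather than the received ICV, and the software comparison would reject valid messages or compare the wrong bytes; the offset matching the old behaviour would be `req->assoclen + req->cryptlen`. The `len - authsize` arithmetic added in ipsec_esp_decrypt_swauth_done depends on the same value of `req->cryptlen` and deserves the same check.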
+--
+2.20.1
+
--- /dev/null
+From 2beeaa84a74d8738e3c043cf6bdbf007282bae74 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 2 Jun 2019 22:42:33 -0700
+Subject: crypto: testmgr - add some more preemption points
+
+[ Upstream commit e63e1b0dd0003dc31f73d875907432be3a2abe5d ]
+
+Call cond_resched() after each fuzz test iteration. This avoids stall
+warnings if fuzz_iterations is set very high for testing purposes.
+
+While we're at it, also call cond_resched() after finishing testing each
+test vector.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/testmgr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/testmgr.c b/crypto/testmgr.c
+index 658a7eeebab2..292d28caf00f 100644
+--- a/crypto/testmgr.c
++++ b/crypto/testmgr.c
+@@ -1279,6 +1279,7 @@ static int test_hash_vec(const char *driver, const struct hash_testvec *vec,
+ req, tsgl, hashstate);
+ if (err)
+ return err;
++ cond_resched();
+ }
+ }
+ #endif
+@@ -1493,6 +1494,7 @@ static int __alg_test_hash(const struct hash_testvec *vecs,
+ err = test_hash_vec(driver, &vecs[i], i, req, tsgl, hashstate);
+ if (err)
+ goto out;
++ cond_resched();
+ }
+ err = test_hash_vs_generic_impl(driver, generic_driver, maxkeysize, req,
+ tsgl, hashstate);
+@@ -1755,6 +1757,7 @@ static int test_aead_vec(const char *driver, int enc,
+ &cfg, req, tsgls);
+ if (err)
+ return err;
++ cond_resched();
+ }
+ }
+ #endif
+@@ -1994,6 +1997,7 @@ static int test_aead(const char *driver, int enc,
+ tsgls);
+ if (err)
+ return err;
++ cond_resched();
+ }
+ return 0;
+ }
+@@ -2336,6 +2340,7 @@ static int test_skcipher_vec(const char *driver, int enc,
+ &cfg, req, tsgls);
+ if (err)
+ return err;
++ cond_resched();
+ }
+ }
+ #endif
+@@ -2535,6 +2540,7 @@ static int test_skcipher(const char *driver, int enc,
+ tsgls);
+ if (err)
+ return err;
++ cond_resched();
+ }
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 878c1a76efa30c78f46d31c94278167927874ba0 Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Wed, 26 Jun 2019 14:40:11 +0900
+Subject: EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
+
+[ Upstream commit d8655e7630dafa88bc37f101640e39c736399771 ]
+
+Commit 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") assumes
+edac_mc_poll_msec to be unsigned long, but the type of the variable still
+remained as int. Setting edac_mc_poll_msec can trigger out-of-bounds
+write.
+
+Reproducer:
+
+ # echo 1001 > /sys/module/edac_core/parameters/edac_mc_poll_msec
+
+KASAN report:
+
+ BUG: KASAN: global-out-of-bounds in edac_set_poll_msec+0x140/0x150
+ Write of size 8 at addr ffffffffb91b2d00 by task bash/1996
+
+ CPU: 1 PID: 1996 Comm: bash Not tainted 5.2.0-rc6+ #23
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+ Call Trace:
+ dump_stack+0xca/0x13e
+ print_address_description.cold+0x5/0x246
+ __kasan_report.cold+0x75/0x9a
+ ? edac_set_poll_msec+0x140/0x150
+ kasan_report+0xe/0x20
+ edac_set_poll_msec+0x140/0x150
+ ? dimmdev_location_show+0x30/0x30
+ ? vfs_lock_file+0xe0/0xe0
+ ? _raw_spin_lock+0x87/0xe0
+ param_attr_store+0x1b5/0x310
+ ? param_array_set+0x4f0/0x4f0
+ module_attr_store+0x58/0x80
+ ? module_attr_show+0x80/0x80
+ sysfs_kf_write+0x13d/0x1a0
+ kernfs_fop_write+0x2bc/0x460
+ ? sysfs_kf_bin_read+0x270/0x270
+ ? kernfs_notify+0x1f0/0x1f0
+ __vfs_write+0x81/0x100
+ vfs_write+0x1e1/0x560
+ ksys_write+0x126/0x250
+ ? __ia32_sys_read+0xb0/0xb0
+ ? do_syscall_64+0x1f/0x390
+ do_syscall_64+0xc1/0x390
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7fa7caa5e970
+ Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 04
+ RSP: 002b:00007fff6acfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+ RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa7caa5e970
+ RDX: 0000000000000005 RSI: 0000000000e95c08 RDI: 0000000000000001
+ RBP: 0000000000e95c08 R08: 00007fa7cad1e760 R09: 00007fa7cb36a700
+ R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000005
+ R13: 0000000000000001 R14: 00007fa7cad1d600 R15: 0000000000000005
+
+ The buggy address belongs to the variable:
+ edac_mc_poll_msec+0x0/0x40
+
+ Memory state around the buggy address:
+ ffffffffb91b2c00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+ ffffffffb91b2c80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+ >ffffffffb91b2d00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+ ^
+ ffffffffb91b2d80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+ ffffffffb91b2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fix it by changing the type of edac_mc_poll_msec to unsigned int.
+The reason why this patch adopts unsigned int rather than unsigned long
+is that msecs_to_jiffies() assumes arg to be unsigned int. We can avoid
+integer conversion bugs and unsigned int will be large enough for
+edac_mc_poll_msec.
+
+Reviewed-by: James Morse <james.morse@arm.com>
+Fixes: 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 16 ++++++++--------
+ drivers/edac/edac_module.h | 2 +-
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index 7c01e1cc030c..4386ea4b9b5a 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -26,7 +26,7 @@
+ static int edac_mc_log_ue = 1;
+ static int edac_mc_log_ce = 1;
+ static int edac_mc_panic_on_ue;
+-static int edac_mc_poll_msec = 1000;
++static unsigned int edac_mc_poll_msec = 1000;
+
+ /* Getter functions for above */
+ int edac_mc_get_log_ue(void)
+@@ -45,30 +45,30 @@ int edac_mc_get_panic_on_ue(void)
+ }
+
+ /* this is temporary */
+-int edac_mc_get_poll_msec(void)
++unsigned int edac_mc_get_poll_msec(void)
+ {
+ return edac_mc_poll_msec;
+ }
+
+ static int edac_set_poll_msec(const char *val, const struct kernel_param *kp)
+ {
+- unsigned long l;
++ unsigned int i;
+ int ret;
+
+ if (!val)
+ return -EINVAL;
+
+- ret = kstrtoul(val, 0, &l);
++ ret = kstrtouint(val, 0, &i);
+ if (ret)
+ return ret;
+
+- if (l < 1000)
++ if (i < 1000)
+ return -EINVAL;
+
+- *((unsigned long *)kp->arg) = l;
++ *((unsigned int *)kp->arg) = i;
+
+ /* notify edac_mc engine to reset the poll period */
+- edac_mc_reset_delay_period(l);
++ edac_mc_reset_delay_period(i);
+
+ return 0;
+ }
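Review bot: The store in edac_set_poll_msec() still goes through a hand-written cast, `*((unsigned int *)kp->arg) = i;`, so the width written is again tied only by convention to the declaration of `edac_mc_poll_msec` at the top of the file, which is exactly the mismatch this commit repairs. Since `module_param_call()` in the next hunk registers `&edac_mc_poll_msec` as the argument, assigning the variable directly, `edac_mc_poll_msec = i;`, lets the compiler check the type and removes the chance of the same out-of-bounds write returning after a later type change. If the cast is kept, a comment such as `/* kp->arg is &edac_mc_poll_msec (unsigned int); keep in sync with its declaration */` would help.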
+@@ -82,7 +82,7 @@ MODULE_PARM_DESC(edac_mc_log_ue,
+ module_param(edac_mc_log_ce, int, 0644);
+ MODULE_PARM_DESC(edac_mc_log_ce,
+ "Log correctable error to console: 0=off 1=on");
+-module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_int,
++module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_uint,
+ &edac_mc_poll_msec, 0644);
+ MODULE_PARM_DESC(edac_mc_poll_msec, "Polling period in milliseconds");
+
+diff --git a/drivers/edac/edac_module.h b/drivers/edac/edac_module.h
+index dd7d0b509aa3..75528f07abd5 100644
+--- a/drivers/edac/edac_module.h
++++ b/drivers/edac/edac_module.h
+@@ -36,7 +36,7 @@ extern int edac_mc_get_log_ue(void);
+ extern int edac_mc_get_log_ce(void);
+ extern int edac_mc_get_panic_on_ue(void);
+ extern int edac_get_poll_msec(void);
+-extern int edac_mc_get_poll_msec(void);
++extern unsigned int edac_mc_get_poll_msec(void);
+
+ unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf,
+ unsigned len);
+--
+2.20.1
+
--- /dev/null
+From 5afad0604ea369c421c7e866f6a86cf77db08e4a Mon Sep 17 00:00:00 2001
+From: Greg KH <gregkh@linuxfoundation.org>
+Date: Wed, 8 May 2019 12:40:42 +0200
+Subject: EDAC/sysfs: Drop device references properly
+
+[ Upstream commit 7adc05d2dc3af95e4e1534841d58f736262142cd ]
+
+Do put_device() if device_add() fails.
+
+ [ bp: do device_del() for the successfully created devices in
+ edac_create_csrow_objects(), on the unwind path. ]
+
+Signed-off-by: Greg KH <gregkh@linuxfoundation.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20190427214925.GE16338@kroah.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index 464174685589..bf9273437e3f 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -443,7 +443,8 @@ static int edac_create_csrow_objects(struct mem_ctl_info *mci)
+ csrow = mci->csrows[i];
+ if (!nr_pages_per_csrow(csrow))
+ continue;
+- put_device(&mci->csrows[i]->dev);
++
++ device_del(&mci->csrows[i]->dev);
+ }
+
+ return err;
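Review bot: In the unwind loop of edac_create_csrow_objects(), replacing `put_device()` with `device_del()` removes each csrow from the hierarchy but no longer drops the reference the device still holds, so the objects created before the failure look like they are leaked. A device that was successfully added needs both steps on teardown, which is `device_unregister(&mci->csrows[i]->dev);` in one call. The start of the function is outside the hunk, so this assumes the loop only walks csrows whose `device_add()` succeeded, as the commit message says.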
+@@ -645,9 +646,11 @@ static int edac_create_dimm_object(struct mem_ctl_info *mci,
+ dev_set_drvdata(&dimm->dev, dimm);
+ pm_runtime_forbid(&mci->dev);
+
+- err = device_add(&dimm->dev);
++ err = device_add(&dimm->dev);
++ if (err)
++ put_device(&dimm->dev);
+
+- edac_dbg(0, "creating rank/dimm device %s\n", dev_name(&dimm->dev));
++ edac_dbg(0, "created rank/dimm device %s\n", dev_name(&dimm->dev));
+
+ return err;
+ }
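Review bot: In edac_create_dimm_object(), `dev_name(&dimm->dev)` is evaluated by the `edac_dbg()` call after `put_device(&dimm->dev)` has run on the failure path, so the debug line may read from a device whose last reference was just dropped. The message also now says "created" whether or not `device_add()` succeeded. Logging the failure before dropping the reference and returning early keeps both paths accurate. The function starts before the hunk.

```c
	err = device_add(&dimm->dev);
	if (err) {
		edac_dbg(1, "failure: create device %s\n", dev_name(&dimm->dev));
		put_device(&dimm->dev);
		return err;
	}

	edac_dbg(0, "created rank/dimm device %s\n", dev_name(&dimm->dev));
```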
+@@ -928,6 +931,7 @@ int edac_create_sysfs_mci_device(struct mem_ctl_info *mci,
+ err = device_add(&mci->dev);
+ if (err < 0) {
+ edac_dbg(1, "failure: create device %s\n", dev_name(&mci->dev));
++ put_device(&mci->dev);
+ goto out;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 0619c3097695de4c9bee7fe8b9f4be134c1c589c Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 18 Apr 2019 10:27:18 +0800
+Subject: EDAC/sysfs: Fix memory leak when creating a csrow object
+
+[ Upstream commit 585fb3d93d32dbe89e718b85009f9c322cc554cd ]
+
+In edac_create_csrow_object(), the reference to the object is not
+released when adding the device to the device hierarchy fails
+(device_add()). This may result in a memory leak.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: https://lkml.kernel.org/r/1555554438-103953-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index bf9273437e3f..7c01e1cc030c 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -404,6 +404,8 @@ static inline int nr_pages_per_csrow(struct csrow_info *csrow)
+ static int edac_create_csrow_object(struct mem_ctl_info *mci,
+ struct csrow_info *csrow, int index)
+ {
++ int err;
++
+ csrow->dev.type = &csrow_attr_type;
+ csrow->dev.groups = csrow_dev_groups;
+ device_initialize(&csrow->dev);
+@@ -415,7 +417,11 @@ static int edac_create_csrow_object(struct mem_ctl_info *mci,
+ edac_dbg(0, "creating (virtual) csrow node %s\n",
+ dev_name(&csrow->dev));
+
+- return device_add(&csrow->dev);
++ err = device_add(&csrow->dev);
++ if (err)
++ put_device(&csrow->dev);
++
++ return err;
+ }
+
+ /* Create a CSROW object under specifed edac_mc_device */
+--
+2.20.1
+
--- /dev/null
+From e33ad058138bf98ca567385a2e41352551b2d95c Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:20 +0300
+Subject: floppy: fix div-by-zero in setup_format_params
+
+[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ]
+
+This fixes a divide by zero error in the setup_format_params function of
+the floppy driver.
+
+Two consecutive ioctls can trigger the bug: The first one should set the
+drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
+to become zero. Next, the floppy format operation should be called.
+
+A floppy disk is not required to be inserted. An unprivileged user
+could trigger the bug if the device is accessible.
+
+The patch checks F_SECT_PER_TRACK for a non-zero value in the
+set_geometry function. The proper check should involve a reasonable
+upper limit for the .sect and .rate fields, but it could change the
+UAPI.
+
+The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
+cancels the formatting operation in case of zero.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 9fb9b312ab6b..51246bc9709a 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -2120,6 +2120,9 @@ static void setup_format_params(int track)
+ raw_cmd->kernel_data = floppy_track_buffer;
+ raw_cmd->length = 4 * F_SECT_PER_TRACK;
+
++ if (!F_SECT_PER_TRACK)
++ return;
++
+ /* allow for about 30ms for data transport per track */
+ head_shift = (F_SECT_PER_TRACK + 5) / 6;
+
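Review bot: The new `if (!F_SECT_PER_TRACK) return;` in setup_format_params() sits after `raw_cmd` has already been filled in, and the function returns void, so the caller cannot learn that the parameters were not completed. The commit message describes this as cancelling the format, but from the hunk the request is left partly initialised with `raw_cmd->length` equal to zero; whether the caller stops on that is not visible here. Moving the check to the top of the function, or at least adding `/* set_geometry() rejects this geometry; bail out before dividing by F_SECT_PER_TRACK */`, would make the contract clear. The function body starts before and continues after the hunk.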
+@@ -3232,6 +3235,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+ /* sanity checking for parameters. */
+ if (g->sect <= 0 ||
+ g->head <= 0 ||
++ /* check for zero in F_SECT_PER_TRACK */
++ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+ g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+ /* check if reserved bits are set */
+ (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
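Review bot: The added condition `(unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0` in set_geometry() appears to re-derive F_SECT_PER_TRACK by hand, so the validation and the macro used in setup_format_params() can drift apart if either is edited. A small helper or macro that takes the `struct floppy_struct *` and is used in both places would keep them identical. Until then the comment could name the dependency more precisely, e.g. `/* must stay identical to F_SECT_PER_TRACK, which is used as a divisor when formatting */`.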
+--
+2.20.1
+
--- /dev/null
+From c03750848045ea831908e31c1f2b38a390e1fbfa Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:22 +0300
+Subject: floppy: fix invalid pointer dereference in drive_name
+
+[ Upstream commit 9b04609b784027968348796a18f601aed9db3789 ]
+
+This fixes the invalid pointer dereference in the drive_name function of
+the floppy driver.
+
+The native_format field of the struct floppy_drive_params is used as
+floppy_type array index in the drive_name function. Thus, the field
+should be checked the same way as the autodetect field.
+
+To trigger the bug, one could use a value out of range and set the drive
+parameters with the FDSETDRVPRM ioctl. Next, FDGETDRVTYP ioctl should
+be used to call the drive_name. A floppy disk is not required to be
+inserted.
+
+CAP_SYS_ADMIN is required to call FDSETDRVPRM.
+
+The patch adds the check for a value of the native_format field to be in
+the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array
+indices.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index b70d6e103a57..671a0ae434b4 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3380,7 +3380,8 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
+ return 0;
+ }
+
+-static bool valid_floppy_drive_params(const short autodetect[8])
++static bool valid_floppy_drive_params(const short autodetect[8],
++ int native_format)
+ {
+ size_t floppy_type_size = ARRAY_SIZE(floppy_type);
+ size_t i = 0;
+@@ -3391,6 +3392,9 @@ static bool valid_floppy_drive_params(const short autodetect[8])
+ return false;
+ }
+
++ if (native_format < 0 || native_format >= floppy_type_size)
++ return false;
++
+ return true;
+ }
+
+@@ -3520,7 +3524,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
+ SUPBOUND(size, strlen((const char *)outparam) + 1);
+ break;
+ case FDSETDRVPRM:
+- if (!valid_floppy_drive_params(inparam.dp.autodetect))
++ if (!valid_floppy_drive_params(inparam.dp.autodetect,
++ inparam.dp.native_format))
+ return -EINVAL;
+ *UDP = inparam.dp;
+ break;
+@@ -3719,7 +3724,7 @@ static int compat_setdrvprm(int drive,
+ return -EPERM;
+ if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params)))
+ return -EFAULT;
+- if (!valid_floppy_drive_params(v.autodetect))
++ if (!valid_floppy_drive_params(v.autodetect, v.native_format))
+ return -EINVAL;
+ mutex_lock(&floppy_mutex);
+ UDP->cmos = v.cmos;
+--
+2.20.1
+
--- /dev/null
+From 10c4d11a9e663f85b44636198303e47c1d1bd184 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:23 +0300
+Subject: floppy: fix out-of-bounds read in copy_buffer
+
+[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ]
+
+This fixes a global out-of-bounds read access in the copy_buffer
+function of the floppy driver.
+
+The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect
+and head fields (unsigned int) of the floppy_drive structure are used to
+compute the max_sector (int) in the make_raw_rw_request function. It is
+possible to overflow the max_sector. Next, max_sector is passed to the
+copy_buffer function and used in one of the memcpy calls.
+
+An unprivileged user could trigger the bug if the device is accessible,
+but requires a floppy disk to be inserted.
+
+The patch adds the check for the .sect * .head multiplication for not
+overflowing in the set_geometry function.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 671a0ae434b4..fee57f7f3821 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3233,8 +3233,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+ int cnt;
+
+ /* sanity checking for parameters. */
+- if (g->sect <= 0 ||
+- g->head <= 0 ||
++ if ((int)g->sect <= 0 ||
++ (int)g->head <= 0 ||
++ /* check for overflow in max_sector */
++ (int)(g->sect * g->head) <= 0 ||
+ /* check for zero in F_SECT_PER_TRACK */
+ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+ g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
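Review bot: The overflow test `(int)(g->sect * g->head) <= 0` in set_geometry() only rejects products that end up zero or negative after conversion to `int`; the multiplication is done in the fields' own type first, so a product that wraps all the way round to a positive value still passes. That mirrors what `max_sector` would hold, so it may be sufficient for the copy_buffer() case, but the comment `/* check for overflow in max_sector */` promises more than the expression checks. `check_mul_overflow()` on the two fields, or an explicit upper limit on `sect` and `head`, would state the intent exactly.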
+--
+2.20.1
+
--- /dev/null
+From e6d16409471fbcaf58fae7b418da38a2381da844 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:21 +0300
+Subject: floppy: fix out-of-bounds read in next_valid_format
+
+[ Upstream commit 5635f897ed83fd539df78e98ba69ee91592f9bb8 ]
+
+This fixes a global out-of-bounds read access in the next_valid_format
+function of the floppy driver.
+
+The values from autodetect field of the struct floppy_drive_params are
+used as indices for the floppy_type array in the next_valid_format
+function 'floppy_type[DP->autodetect[probed_format]].sect'.
+
+To trigger the bug, one could use a value out of range and set the drive
+parameters with the FDSETDRVPRM ioctl. A floppy disk is not required to
+be inserted.
+
+CAP_SYS_ADMIN is required to call FDSETDRVPRM.
+
+The patch adds the check for values of the autodetect field to be in the
+'0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 51246bc9709a..b70d6e103a57 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3380,6 +3380,20 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
+ return 0;
+ }
+
++static bool valid_floppy_drive_params(const short autodetect[8])
++{
++ size_t floppy_type_size = ARRAY_SIZE(floppy_type);
++ size_t i = 0;
++
++ for (i = 0; i < 8; ++i) {
++ if (autodetect[i] < 0 ||
++ autodetect[i] >= floppy_type_size)
++ return false;
++ }
++
++ return true;
++}
++
+ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd,
+ unsigned long param)
+ {
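Review bot: valid_floppy_drive_params() hard-codes the element count as `8` both in the parameter declaration and in the loop bound, and the array parameter decays to a pointer, so nothing checks that the caller's `autodetect` field really has eight entries. A named constant shared with the structure definition, or passing the structure and using `ARRAY_SIZE()` on the field, would keep the bound and the data in step. The helper also has no comment; something like `/* Reject drive params whose autodetect[] entries are not valid floppy_type[] indices. */` above it would tell future callers that every path writing UDP must go through it. The initialiser in `size_t i = 0;` is redundant with the `for` statement.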
+@@ -3506,6 +3520,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
+ SUPBOUND(size, strlen((const char *)outparam) + 1);
+ break;
+ case FDSETDRVPRM:
++ if (!valid_floppy_drive_params(inparam.dp.autodetect))
++ return -EINVAL;
+ *UDP = inparam.dp;
+ break;
+ case FDGETDRVPRM:
+@@ -3703,6 +3719,8 @@ static int compat_setdrvprm(int drive,
+ return -EPERM;
+ if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params)))
+ return -EFAULT;
++ if (!valid_floppy_drive_params(v.autodetect))
++ return -EINVAL;
+ mutex_lock(&floppy_mutex);
+ UDP->cmos = v.cmos;
+ UDP->max_dtr = v.max_dtr;
+--
+2.20.1
+
--- /dev/null
+From 5c9d5ef6e51c4f99201cac69ec1a703051aa7835 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 20 May 2019 09:29:42 -0700
+Subject: fscrypt: clean up some BUG_ON()s in block encryption/decryption
+
+[ Upstream commit eeacfdc68a104967162dfcba60f53f6f5b62a334 ]
+
+Replace some BUG_ON()s with WARN_ON_ONCE() and returning an error code,
+and move the check for len divisible by FS_CRYPTO_BLOCK_SIZE into
+fscrypt_crypt_block() so that it's done for both encryption and
+decryption, not just encryption.
+
+Reviewed-by: Chandan Rajendra <chandan@linux.ibm.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/crypto/crypto.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
+index 335a362ee446..6f753198eeef 100644
+--- a/fs/crypto/crypto.c
++++ b/fs/crypto/crypto.c
+@@ -154,7 +154,10 @@ int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
+ struct crypto_skcipher *tfm = ci->ci_ctfm;
+ int res = 0;
+
+- BUG_ON(len == 0);
++ if (WARN_ON_ONCE(len <= 0))
++ return -EINVAL;
++ if (WARN_ON_ONCE(len % FS_CRYPTO_BLOCK_SIZE != 0))
++ return -EINVAL;
+
+ fscrypt_generate_iv(&iv, lblk_num, ci);
+
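Review bot: The new guard `WARN_ON_ONCE(len <= 0)` in fscrypt_do_page_crypto() reads as a sign check, but if `len` is unsigned here, as it is in fscrypt_decrypt_page() further down, it can only ever test for zero. Writing `len == 0`, or folding both tests into `WARN_ON_ONCE(len == 0 || len % FS_CRYPTO_BLOCK_SIZE != 0)`, says what is actually enforced. The function's parameter list is outside the hunk, so the type of `len` should be confirmed.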
+@@ -238,8 +241,6 @@ struct page *fscrypt_encrypt_page(const struct inode *inode,
+ struct page *ciphertext_page = page;
+ int err;
+
+- BUG_ON(len % FS_CRYPTO_BLOCK_SIZE != 0);
+-
+ if (inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES) {
+ /* with inplace-encryption we just encrypt the page */
+ err = fscrypt_do_page_crypto(inode, FS_ENCRYPT, lblk_num, page,
+@@ -251,7 +252,8 @@ struct page *fscrypt_encrypt_page(const struct inode *inode,
+ return ciphertext_page;
+ }
+
+- BUG_ON(!PageLocked(page));
++ if (WARN_ON_ONCE(!PageLocked(page)))
++ return ERR_PTR(-EINVAL);
+
+ ctx = fscrypt_get_ctx(gfp_flags);
+ if (IS_ERR(ctx))
+@@ -299,8 +301,9 @@ EXPORT_SYMBOL(fscrypt_encrypt_page);
+ int fscrypt_decrypt_page(const struct inode *inode, struct page *page,
+ unsigned int len, unsigned int offs, u64 lblk_num)
+ {
+- if (!(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES))
+- BUG_ON(!PageLocked(page));
++ if (WARN_ON_ONCE(!PageLocked(page) &&
++ !(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES)))
++ return -EINVAL;
+
+ return fscrypt_do_page_crypto(inode, FS_DECRYPT, lblk_num, page, page,
+ len, offs, GFP_NOFS);
+--
+2.20.1
+
--- /dev/null
+From e15fe618e1e277f61c1b8274d0be33f5466a3585 Mon Sep 17 00:00:00 2001
+From: Shijith Thotton <sthotton@marvell.com>
+Date: Fri, 5 Jul 2019 07:56:20 +0000
+Subject: genirq: Update irq stats from NMI handlers
+
+[ Upstream commit c09cb1293523dd786ae54a12fd88001542cba2f6 ]
+
+The NMI handlers handle_percpu_devid_fasteoi_nmi() and handle_fasteoi_nmi()
+do not update the interrupt counts. Due to that the NMI interrupt count
+does not show up correctly in /proc/interrupts.
+
+Add the statistics and treat the NMI handlers in the same way as per cpu
+interrupts and prevent them from updating irq_desc::tot_count as this might
+be corrupted due to concurrency.
+
+[ tglx: Massaged changelog ]
+
+Fixes: 2dcf1fbcad35 ("genirq: Provide NMI handlers")
+Signed-off-by: Shijith Thotton <sthotton@marvell.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/1562313336-11888-1-git-send-email-sthotton@marvell.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/chip.c | 4 ++++
+ kernel/irq/irqdesc.c | 8 +++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c
+index 3ff4a1260885..b76703b2c0af 100644
+--- a/kernel/irq/chip.c
++++ b/kernel/irq/chip.c
+@@ -754,6 +754,8 @@ void handle_fasteoi_nmi(struct irq_desc *desc)
+ unsigned int irq = irq_desc_get_irq(desc);
+ irqreturn_t res;
+
++ __kstat_incr_irqs_this_cpu(desc);
++
+ trace_irq_handler_entry(irq, action);
+ /*
+ * NMIs cannot be shared, there is only one action.
+@@ -968,6 +970,8 @@ void handle_percpu_devid_fasteoi_nmi(struct irq_desc *desc)
+ unsigned int irq = irq_desc_get_irq(desc);
+ irqreturn_t res;
+
++ __kstat_incr_irqs_this_cpu(desc);
++
+ trace_irq_handler_entry(irq, action);
+ res = action->handler(irq, raw_cpu_ptr(action->percpu_dev_id));
+ trace_irq_handler_exit(irq, action, res);
+diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c
+index c52b737ab8e3..9149dde5a7b0 100644
+--- a/kernel/irq/irqdesc.c
++++ b/kernel/irq/irqdesc.c
+@@ -946,6 +946,11 @@ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu)
+ *per_cpu_ptr(desc->kstat_irqs, cpu) : 0;
+ }
+
++static bool irq_is_nmi(struct irq_desc *desc)
++{
++ return desc->istate & IRQS_NMI;
++}
++
+ /**
+ * kstat_irqs - Get the statistics for an interrupt
+ * @irq: The interrupt number
+@@ -963,7 +968,8 @@ unsigned int kstat_irqs(unsigned int irq)
+ if (!desc || !desc->kstat_irqs)
+ return 0;
+ if (!irq_settings_is_per_cpu_devid(desc) &&
+- !irq_settings_is_per_cpu(desc))
++ !irq_settings_is_per_cpu(desc) &&
++ !irq_is_nmi(desc))
+ return desc->tot_count;
+
+ for_each_possible_cpu(cpu)
+--
+2.20.1
+
--- /dev/null
+From 29aa6d3dda4762aec38385ce370657a0f9f52589 Mon Sep 17 00:00:00 2001
+From: Waibel Georg <Georg.Waibel@sensor-technik.de>
+Date: Thu, 20 Jun 2019 21:37:08 +0000
+Subject: gpio: Fix return value mismatch of function gpiod_get_from_of_node()
+
+[ Upstream commit 025bf37725f1929542361eef2245df30badf242e ]
+
+In case the requested gpio property is not found in the device tree, some
+callers of gpiod_get_from_of_node() expect a return value of NULL, others
+expect -ENOENT.
+In particular devm_fwnode_get_index_gpiod_from_child() expects -ENOENT.
+Currently it gets a NULL, which breaks the loop that tries all
+gpio_suffixes. The result is that a gpio property is not found, even
+though it is there.
+
+This patch changes gpiod_get_from_of_node() to return -ENOENT instead
+of NULL when the requested gpio property is not found in the device
+tree. Additionally it modifies all calling functions to properly
+evaluate the return value.
+
+Another approach would be to leave the return value of
+gpiod_get_from_of_node() as is and fix the bug in
+devm_fwnode_get_index_gpiod_from_child(). Other callers would still need
+to be reworked. The effort would be the same as with the chosen solution.
+
+Signed-off-by: Georg Waibel <georg.waibel@sensor-technik.de>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 6 +-----
+ drivers/regulator/da9211-regulator.c | 2 ++
+ drivers/regulator/s2mps11.c | 4 +++-
+ drivers/regulator/s5m8767.c | 4 +++-
+ drivers/regulator/tps65090-regulator.c | 7 ++++---
+ 5 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index e013d417a936..be1d1d2f8aaa 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -4244,8 +4244,7 @@ EXPORT_SYMBOL_GPL(gpiod_get_index);
+ *
+ * Returns:
+ * On successful request the GPIO pin is configured in accordance with
+- * provided @dflags. If the node does not have the requested GPIO
+- * property, NULL is returned.
++ * provided @dflags.
+ *
+ * In case of error an ERR_PTR() is returned.
+ */
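Review bot: The kernel-doc for gpiod_get_from_of_node() drops the sentence about NULL but does not say what a missing property now produces, so the "Returns" section no longer documents the case this commit is about. Callers changed in the same commit test for `-ENOENT` explicitly, so the comment should carry it, for example `* In case of error an ERR_PTR() is returned; a missing GPIO property yields ERR_PTR(-ENOENT).` The `!desc` test in the following hunk still passes a NULL through unchanged, which the comment should either rule out or mention.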
+@@ -4267,9 +4266,6 @@ struct gpio_desc *gpiod_get_from_of_node(struct device_node *node,
+ index, &flags);
+
+ if (!desc || IS_ERR(desc)) {
+- /* If it is not there, just return NULL */
+- if (PTR_ERR(desc) == -ENOENT)
+- return NULL;
+ return desc;
+ }
+
+diff --git a/drivers/regulator/da9211-regulator.c b/drivers/regulator/da9211-regulator.c
+index da37b4ccd834..0309823d2c72 100644
+--- a/drivers/regulator/da9211-regulator.c
++++ b/drivers/regulator/da9211-regulator.c
+@@ -289,6 +289,8 @@ static struct da9211_pdata *da9211_parse_regulators_dt(
+ 0,
+ GPIOD_OUT_HIGH | GPIOD_FLAGS_BIT_NONEXCLUSIVE,
+ "da9211-enable");
++ if (IS_ERR(pdata->gpiod_ren[n]))
++ pdata->gpiod_ren[n] = NULL;
+ n++;
+ }
+
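Review bot: The added `if (IS_ERR(pdata->gpiod_ren[n])) pdata->gpiod_ren[n] = NULL;` discards every error from the GPIO lookup, not only the missing-property case, so a probe deferral or a genuine request failure is silently treated as "no enable GPIO". The s2mps11 and s5m8767 hunks of this same commit map only `-ENOENT` to NULL. Doing the same here, `if (PTR_ERR(pdata->gpiod_ren[n]) == -ENOENT) pdata->gpiod_ren[n] = NULL;`, and propagating anything else with `ERR_CAST()`, would keep the drivers consistent. da9211_parse_regulators_dt() starts and ends outside the hunk, so how its caller treats an error pointer, and what cleanup the loop needs before returning, still has to be checked.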
+diff --git a/drivers/regulator/s2mps11.c b/drivers/regulator/s2mps11.c
+index 134c62db36c5..b518a81f75a3 100644
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -821,7 +821,9 @@ static void s2mps14_pmic_dt_parse_ext_control_gpio(struct platform_device *pdev,
+ 0,
+ GPIOD_OUT_HIGH | GPIOD_FLAGS_BIT_NONEXCLUSIVE,
+ "s2mps11-regulator");
+- if (IS_ERR(gpio[reg])) {
++ if (PTR_ERR(gpio[reg]) == -ENOENT)
++ gpio[reg] = NULL;
++ else if (IS_ERR(gpio[reg])) {
+ dev_err(&pdev->dev, "Failed to get control GPIO for %d/%s\n",
+ reg, rdata[reg].name);
+ continue;
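Review bot: On the `else if (IS_ERR(gpio[reg]))` branch the loop logs and continues while `gpio[reg]` still holds the error pointer, so a later consumer that only tests the slot for non-NULL would treat it as a valid descriptor. Adding `gpio[reg] = NULL;` before the `continue;` removes that possibility. The consumers are outside this hunk, so whether they check `IS_ERR()` is not visible here. The `if`/`else if` pair also mixes an unbraced and a braced branch, which kernel coding style asks to brace uniformly; the tps65090 hunk has the same mix.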
+diff --git a/drivers/regulator/s5m8767.c b/drivers/regulator/s5m8767.c
+index bb9d1a083299..6ca27e9d5ef7 100644
+--- a/drivers/regulator/s5m8767.c
++++ b/drivers/regulator/s5m8767.c
+@@ -574,7 +574,9 @@ static int s5m8767_pmic_dt_parse_pdata(struct platform_device *pdev,
+ 0,
+ GPIOD_OUT_HIGH | GPIOD_FLAGS_BIT_NONEXCLUSIVE,
+ "s5m8767");
+- if (IS_ERR(rdata->ext_control_gpiod))
++ if (PTR_ERR(rdata->ext_control_gpiod) == -ENOENT)
++ rdata->ext_control_gpiod = NULL;
++ else if (IS_ERR(rdata->ext_control_gpiod))
+ return PTR_ERR(rdata->ext_control_gpiod);
+
+ rdata->id = i;
+diff --git a/drivers/regulator/tps65090-regulator.c b/drivers/regulator/tps65090-regulator.c
+index ca39b3d55123..10ea4b5a0f55 100644
+--- a/drivers/regulator/tps65090-regulator.c
++++ b/drivers/regulator/tps65090-regulator.c
+@@ -371,11 +371,12 @@ static struct tps65090_platform_data *tps65090_parse_dt_reg_data(
+ "dcdc-ext-control-gpios", 0,
+ gflags,
+ "tps65090");
+- if (IS_ERR(rpdata->gpiod))
+- return ERR_CAST(rpdata->gpiod);
+- if (!rpdata->gpiod)
++ if (PTR_ERR(rpdata->gpiod) == -ENOENT) {
+ dev_err(&pdev->dev,
+ "could not find DCDC external control GPIO\n");
++ rpdata->gpiod = NULL;
++ } else if (IS_ERR(rpdata->gpiod))
++ return ERR_CAST(rpdata->gpiod);
+ }
+
+ if (of_property_read_u32(tps65090_matches[idx].of_node,
+--
+2.20.1
+
--- /dev/null
+From 5678d6fe7854aeded02680ecacedb6da1aaf1282 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:44 +0300
+Subject: gpio: omap: ensure irq is enabled before wakeup
+
+[ Upstream commit c859e0d479b3b4f6132fc12637c51e01492f31f6 ]
+
+Documentation states:
+
+ NOTE: There must be a correlation between the wake-up enable and
+ interrupt-enable registers. If a GPIO pin has a wake-up configured
+ on it, it must also have the corresponding interrupt enabled (on
+ one of the two interrupt lines).
+
+Ensure that this condition is always satisfied by enabling the detection
+events after enabling the interrupt, and disabling the detection before
+disabling the interrupt. This ensures interrupt/wakeup events can not
+happen until both the wakeup and interrupt enables correlate.
+
+If we do any clearing, clear between the interrupt enable/disable and
+trigger setting.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 7632c98aa3a4..746aa9caf934 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -829,9 +829,9 @@ static void omap_gpio_irq_shutdown(struct irq_data *d)
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+ bank->irq_usage &= ~(BIT(offset));
+- omap_set_gpio_irqenable(bank, offset, 0);
+- omap_clear_gpio_irqstatus(bank, offset);
+ omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++ omap_clear_gpio_irqstatus(bank, offset);
++ omap_set_gpio_irqenable(bank, offset, 0);
+ if (!LINE_USED(bank->mod_usage, offset))
+ omap_clear_gpio_debounce(bank, offset);
+ omap_disable_gpio_module(bank, offset);
+@@ -867,8 +867,8 @@ static void omap_gpio_mask_irq(struct irq_data *d)
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+- omap_set_gpio_irqenable(bank, offset, 0);
+ omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++ omap_set_gpio_irqenable(bank, offset, 0);
+ raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+
+@@ -880,9 +880,6 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+- if (trigger)
+- omap_set_gpio_triggering(bank, offset, trigger);
+-
+ omap_set_gpio_irqenable(bank, offset, 1);
+
+ /*
+@@ -890,9 +887,13 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+ * is cleared, thus after the handler has run. OMAP4 needs this done
+ * after enabing the interrupt to clear the wakeup status.
+ */
+- if (bank->level_mask & BIT(offset))
++ if (bank->regs->leveldetect0 && bank->regs->wkup_en &&
++ trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))
+ omap_clear_gpio_irqstatus(bank, offset);
+
++ if (trigger)
++ omap_set_gpio_triggering(bank, offset, trigger);
++
+ raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+
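Review bot: The new condition mixes `&&` with a bare `trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW)`. It parses as intended, but wrapping the mask test in its own parentheses makes that obvious: `(trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))`. The comment above it still speaks only of level interrupts and OMAP4 and does not say why `bank->regs->leveldetect0` and `bank->regs->wkup_en` are tested. A line such as `/* only on banks that have level-detect and wake-up enable registers */` would help, assuming that is what the two fields stand for. omap_gpio_unmask_irq() starts outside the hunk.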
+--
+2.20.1
+
--- /dev/null
+From 4c7c094392724bd298c6ef0e7010e5d9db22dd8b Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:45 +0300
+Subject: gpio: omap: fix lack of irqstatus_raw0 for OMAP4
+
+[ Upstream commit 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 ]
+
+Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added
+the register definition tables to the gpio-omap driver. Subsequently to
+that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx()
+checks from *_runtime_resume()") added definitions for irqstatus_raw*
+registers to the legacy OMAP4 definitions, but missed the DT
+definitions.
+
+This causes an unintentional change of behaviour for the 1.101 errata
+workaround on OMAP4 platforms. Fix this oversight.
+
+Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 9276ef616430..7632c98aa3a4 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -1453,6 +1453,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = {
+ .clr_dataout = OMAP4_GPIO_CLEARDATAOUT,
+ .irqstatus = OMAP4_GPIO_IRQSTATUS0,
+ .irqstatus2 = OMAP4_GPIO_IRQSTATUS1,
++ .irqstatus_raw0 = OMAP4_GPIO_IRQSTATUSRAW0,
++ .irqstatus_raw1 = OMAP4_GPIO_IRQSTATUSRAW1,
+ .irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+ .irqenable2 = OMAP4_GPIO_IRQSTATUSSET1,
+ .set_irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+--
+2.20.1
+
--- /dev/null
+From d7a3abae9cb5cffa4c6ac19b7a38dfab8a82e4f2 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 11 Jun 2019 23:33:52 -0700
+Subject: gpio: omap: Fix lost edge wake-up interrupts
+
+[ Upstream commit a522f1d0c381c42f3ace13b8bbeeccabdd6d2e5c ]
+
+If an edge interrupt triggers while entering idle just before we save
+GPIO datain register to saved_datain, the triggered GPIO will not be
+noticed on wake-up. This is because the saved_datain and GPIO datain
+are the same on wake-up in omap_gpio_unidle(). Let's fix this by
+ignoring any pending edge interrupts for saved_datain.
+
+This issue affects only idle states where the GPIO module internal
+wake-up path is operational. For deeper idle states where the GPIO
+module gets powered off, Linux generic wakeirqs must be used for
+the padconf wake-up events with pinctrl-single driver. For examples,
+please see "interrupts-extended" dts usage in many drivers.
+
+This issue can be somewhat easily reproduced by pinging an idle system
+with smsc911x Ethernet interface configured IRQ_TYPE_EDGE_FALLING. At
+some point the smsc911x interrupts will just stop triggering. Also if
+WLCORE WLAN is used with EDGE interrupt like its documentation specifies,
+we can see lost interrupts without this patch.
+
+Note that in the long run we may be able to cancel entering idle by
+returning an error in gpio_omap_cpu_notifier() on pending interrupts.
+But let's fix the bug first.
+
+Also note that because of the recent clean-up efforts this patch does
+not apply directly to older kernels. This does fix a long term issue
+though, and can be backported as needed.
+
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Grygorii Strashko <grygorii.strashko@ti.com>
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: Ladislav Michl <ladis@linux-mips.org>
+Cc: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Cc: Russell King <rmk+kernel@armlinux.org.uk>
+Cc: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 746aa9caf934..8591c410ecaa 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -1275,13 +1275,23 @@ static void omap_gpio_idle(struct gpio_bank *bank, bool may_lose_context)
+ {
+ struct device *dev = bank->chip.parent;
+ void __iomem *base = bank->base;
+- u32 nowake;
++ u32 mask, nowake;
+
+ bank->saved_datain = readl_relaxed(base + bank->regs->datain);
+
+ if (!bank->enabled_non_wakeup_gpios)
+ goto update_gpio_context_count;
+
++ /* Check for pending EDGE_FALLING, ignore EDGE_BOTH */
++ mask = bank->enabled_non_wakeup_gpios & bank->context.fallingdetect;
++ mask &= ~bank->context.risingdetect;
++ bank->saved_datain |= mask;
++
++ /* Check for pending EDGE_RISING, ignore EDGE_BOTH */
++ mask = bank->enabled_non_wakeup_gpios & bank->context.risingdetect;
++ mask &= ~bank->context.fallingdetect;
++ bank->saved_datain &= ~mask;
++
+ if (!may_lose_context)
+ goto update_gpio_context_count;
+
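Review bot: Both new comments say "Check for pending ...", but the code checks nothing: among `enabled_non_wakeup_gpios` it unconditionally forces the saved level high for falling-only lines and low for rising-only lines. A comment that states the intent would be easier to maintain, for example `/* Falling-only lines: save the level as high so a low level at resume reads as an edge */`, with the mirror image for rising-only lines. That reading comes from the commit message; the comparison against `saved_datain` happens in omap_gpio_unidle(), which is outside this hunk.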
+--
+2.20.1
+
--- /dev/null
+From 40b11b7b78bdd9304bb9a13f4da52e7f92f2615e Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 1 Jul 2019 16:27:38 +0200
+Subject: gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
+
+[ Upstream commit 3285170f28a850638794cdfe712eb6d93e51e706 ]
+
+Commit 372e722ea4dd4ca1 ("gpiolib: use descriptors internally") renamed
+the functions to use a "gpiod" prefix, and commit 79a9becda8940deb
+("gpiolib: export descriptor-based GPIO interface") introduced the "raw"
+variants, but both changes forgot to update the comments.
+
+Readd a similar reference to gpiod_set_value(), which was accidentally
+removed by commit 1e77fc82110ac36f ("gpio: Add missing open drain/source
+handling to gpiod_set_value_cansleep()").
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20190701142738.25219-1-geert+renesas@glider.be
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index be1d1d2f8aaa..bb3104d2eb0c 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -3025,7 +3025,7 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep,
+ int gpiod_get_raw_value(const struct gpio_desc *desc)
+ {
+ VALIDATE_DESC(desc);
+- /* Should be using gpio_get_value_cansleep() */
++ /* Should be using gpiod_get_raw_value_cansleep() */
+ WARN_ON(desc->gdev->chip->can_sleep);
+ return gpiod_get_raw_value_commit(desc);
+ }
+@@ -3046,7 +3046,7 @@ int gpiod_get_value(const struct gpio_desc *desc)
+ int value;
+
+ VALIDATE_DESC(desc);
+- /* Should be using gpio_get_value_cansleep() */
++ /* Should be using gpiod_get_value_cansleep() */
+ WARN_ON(desc->gdev->chip->can_sleep);
+
+ value = gpiod_get_raw_value_commit(desc);
+@@ -3317,7 +3317,7 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep,
+ void gpiod_set_raw_value(struct gpio_desc *desc, int value)
+ {
+ VALIDATE_DESC_VOID(desc);
+- /* Should be using gpiod_set_value_cansleep() */
++ /* Should be using gpiod_set_raw_value_cansleep() */
+ WARN_ON(desc->gdev->chip->can_sleep);
+ gpiod_set_raw_value_commit(desc, value);
+ }
+@@ -3358,6 +3358,7 @@ static void gpiod_set_value_nocheck(struct gpio_desc *desc, int value)
+ void gpiod_set_value(struct gpio_desc *desc, int value)
+ {
+ VALIDATE_DESC_VOID(desc);
++ /* Should be using gpiod_set_value_cansleep() */
+ WARN_ON(desc->gdev->chip->can_sleep);
+ gpiod_set_value_nocheck(desc, value);
+ }
+--
+2.20.1
+
--- /dev/null
+From 058ce39e36b0306ab296ccca913b99c59182524d Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:24:04 +0900
+Subject: gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()
+
+[ Upstream commit e30155fd23c9c141cbe7d99b786e10a83a328837 ]
+
+If an invalid role is sent from user space, gtp_encap_enable() will fail.
+It should then call gtp_encap_disable_sock(), but the current code doesn't.
+This causes a memory leak.
+
+Fixes: 91ed81f9abc7 ("gtp: support SGSN-side tunnels")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index fc45b749db46..01fc51892e48 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -843,8 +843,13 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[])
+
+ if (data[IFLA_GTP_ROLE]) {
+ role = nla_get_u32(data[IFLA_GTP_ROLE]);
+- if (role > GTP_ROLE_SGSN)
++ if (role > GTP_ROLE_SGSN) {
++ if (sk0)
++ gtp_encap_disable_sock(sk0);
++ if (sk1u)
++ gtp_encap_disable_sock(sk1u);
+ return -EINVAL;
++ }
+ }
+
+ gtp->sk0 = sk0;
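Review bot: The role check still runs after both sockets have been enabled, which is the only reason this error path needs cleanup. Reading and validating `IFLA_GTP_ROLE` before the sockets are acquired would let the invalid-role case return `-EINVAL` with nothing to undo. The top of gtp_encap_enable() is outside the hunk, so this assumes the role does not depend on the sockets. If the order stays, the `if (sk0)` and `if (sk1u)` guards can go, since gtp_encap_disable_sock() as shown elsewhere on this page returns early for a NULL socket.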
+--
+2.20.1
+
--- /dev/null
+From ee9daaae29e60b347304f1639f8d525887d964ba Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:23:13 +0900
+Subject: gtp: fix Illegal context switch in RCU read-side critical section.
+
+[ Upstream commit 3f167e1921865b379a9becf03828e7202c7b4917 ]
+
+ipv4_pdp_add() is called in an RCU read-side critical section,
+so GFP_KERNEL should not be used in the function.
+This patch makes ipv4_pdp_add() use GFP_ATOMIC instead of GFP_KERNEL.
+
+Test commands:
+gtp-link add gtp1 &
+gtp-tunnel add gtp1 v1 100 200 1.1.1.1 2.2.2.2
+
+Splat looks like:
+[ 130.618881] =============================
+[ 130.626382] WARNING: suspicious RCU usage
+[ 130.626994] 5.2.0-rc6+ #50 Not tainted
+[ 130.627622] -----------------------------
+[ 130.628223] ./include/linux/rcupdate.h:266 Illegal context switch in RCU read-side critical section!
+[ 130.629684]
+[ 130.629684] other info that might help us debug this:
+[ 130.629684]
+[ 130.631022]
+[ 130.631022] rcu_scheduler_active = 2, debug_locks = 1
+[ 130.632136] 4 locks held by gtp-tunnel/1025:
+[ 130.632925] #0: 000000002b93c8b7 (cb_lock){++++}, at: genl_rcv+0x15/0x40
+[ 130.634159] #1: 00000000f17bc999 (genl_mutex){+.+.}, at: genl_rcv_msg+0xfb/0x130
+[ 130.635487] #2: 00000000c644ed8e (rtnl_mutex){+.+.}, at: gtp_genl_new_pdp+0x18c/0x1150 [gtp]
+[ 130.636936] #3: 0000000007a1cde7 (rcu_read_lock){....}, at: gtp_genl_new_pdp+0x187/0x1150 [gtp]
+[ 130.638348]
+[ 130.638348] stack backtrace:
+[ 130.639062] CPU: 1 PID: 1025 Comm: gtp-tunnel Not tainted 5.2.0-rc6+ #50
+[ 130.641318] Call Trace:
+[ 130.641707] dump_stack+0x7c/0xbb
+[ 130.642252] ___might_sleep+0x2c0/0x3b0
+[ 130.642862] kmem_cache_alloc_trace+0x1cd/0x2b0
+[ 130.643591] gtp_genl_new_pdp+0x6c5/0x1150 [gtp]
+[ 130.644371] genl_family_rcv_msg+0x63a/0x1030
+[ 130.645074] ? mutex_lock_io_nested+0x1090/0x1090
+[ 130.645845] ? genl_unregister_family+0x630/0x630
+[ 130.646592] ? debug_show_all_locks+0x2d0/0x2d0
+[ 130.647293] ? check_flags.part.40+0x440/0x440
+[ 130.648099] genl_rcv_msg+0xa3/0x130
+[ ... ]
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 61f19e66be55..b770335c03c1 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -954,7 +954,7 @@ static int ipv4_pdp_add(struct gtp_dev *gtp, struct sock *sk,
+
+ }
+
+- pctx = kmalloc(sizeof(struct pdp_ctx), GFP_KERNEL);
++ pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC);
+ if (pctx == NULL)
+ return -ENOMEM;
+
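Review bot: The switch to `GFP_ATOMIC` deserves a comment at the call, since nothing in the visible part of ipv4_pdp_add() shows that it runs under `rcu_read_lock()`, for example `/* called under rcu_read_lock(), must not sleep */`. Atomic allocations cannot reclaim and fail more readily, and this one is reached from a netlink request, so the `-ENOMEM` return below is a path worth exercising in tests. The rest of the function is outside the hunk.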
+--
+2.20.1
+
--- /dev/null
+From 121114891742be38bb6719ef681549deff7142f2 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:20:51 +0900
+Subject: gtp: fix suspicious RCU usage
+
+[ Upstream commit e198987e7dd7d3645a53875151cd6f8fc425b706 ]
+
+gtp_encap_enable_socket() and gtp_encap_destroy() are not protected
+by rcu_read_lock(), and it's not safe to write sk->sk_user_data.
+This patch makes these functions use lock_sock() instead of
+rcu_dereference_sk_user_data().
+
+Test commands:
+ gtp-link add gtp1
+
+Splat looks like:
+[ 83.238315] =============================
+[ 83.239127] WARNING: suspicious RCU usage
+[ 83.239702] 5.2.0-rc6+ #49 Not tainted
+[ 83.240268] -----------------------------
+[ 83.241205] drivers/net/gtp.c:799 suspicious rcu_dereference_check() usage!
+[ 83.243828]
+[ 83.243828] other info that might help us debug this:
+[ 83.243828]
+[ 83.246325]
+[ 83.246325] rcu_scheduler_active = 2, debug_locks = 1
+[ 83.247314] 1 lock held by gtp-link/1008:
+[ 83.248523] #0: 0000000017772c7f (rtnl_mutex){+.+.}, at: __rtnl_newlink+0x5f5/0x11b0
+[ 83.251503]
+[ 83.251503] stack backtrace:
+[ 83.252173] CPU: 0 PID: 1008 Comm: gtp-link Not tainted 5.2.0-rc6+ #49
+[ 83.253271] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 83.254562] Call Trace:
+[ 83.254995] dump_stack+0x7c/0xbb
+[ 83.255567] gtp_encap_enable_socket+0x2df/0x360 [gtp]
+[ 83.256415] ? gtp_find_dev+0x1a0/0x1a0 [gtp]
+[ 83.257161] ? memset+0x1f/0x40
+[ 83.257843] gtp_newlink+0x90/0xa21 [gtp]
+[ 83.258497] ? __netlink_ns_capable+0xc3/0xf0
+[ 83.259260] __rtnl_newlink+0xb9f/0x11b0
+[ 83.260022] ? rtnl_link_unregister+0x230/0x230
+[ ... ]
+
+Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 01fc51892e48..61f19e66be55 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -289,12 +289,14 @@ static void gtp_encap_destroy(struct sock *sk)
+ {
+ struct gtp_dev *gtp;
+
+- gtp = rcu_dereference_sk_user_data(sk);
++ lock_sock(sk);
++ gtp = sk->sk_user_data;
+ if (gtp) {
+ udp_sk(sk)->encap_type = 0;
+ rcu_assign_sk_user_data(sk, NULL);
+ sock_put(sk);
+ }
++ release_sock(sk);
+ }
+
+ static void gtp_encap_disable_sock(struct sock *sk)
+@@ -796,7 +798,8 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
+ goto out_sock;
+ }
+
+- if (rcu_dereference_sk_user_data(sock->sk)) {
++ lock_sock(sock->sk);
++ if (sock->sk->sk_user_data) {
+ sk = ERR_PTR(-EBUSY);
+ goto out_sock;
+ }
+@@ -812,6 +815,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
+ setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg);
+
+ out_sock:
++ release_sock(sock->sk);
+ sockfd_put(sock);
+ return sk;
+ }
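Review bot: `release_sock(sock->sk)` is added under the shared `out_sock:` label, but the `goto out_sock;` in the context line above the new `lock_sock(sock->sk)` reaches that label without the socket lock held, so that error path unlocks a socket it never locked. A separate label fixes it: keep `out_sock:` for failures before the lock and put a new `out_rel_sock:` with the `release_sock(sock->sk);` above it. The `-EBUSY` branch then uses `goto out_rel_sock;` and the success path falls through to the new label. The defect spans this hunk and the preceding one of gtp_encap_enable_socket(). Any other `goto out_sock` sites ahead of the lock are outside both hunks and need the same check.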
+--
+2.20.1
+
--- /dev/null
+From fe1e43b0609aa0067880691aeeda3a1a17cc0990 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:22:25 +0900
+Subject: gtp: fix use-after-free in gtp_encap_destroy()
+
+[ Upstream commit 1788b8569f5de27da09087fa3f6580d2aa04cc75 ]
+
+gtp_encap_destroy() is called twice:
+1. When the interface is deleted.
+2. When the udp socket is destroyed.
+Either gtp->sk0 or gtp->sk1u could be freed by sock_put() in
+gtp_encap_destroy(), so when gtp_encap_destroy() is called again,
+it would use a freed sk pointer.
+
+This patch makes gtp_encap_destroy() set either gtp->sk0 or gtp->sk1u to
+null. In addition, both the gtp->sk0 and gtp->sk1u pointers are protected
+by rtnl_lock, so rtnl_lock() is added.
+
+Test command:
+ gtp-link add gtp1 &
+ killall gtp-link
+ ip link del gtp1
+
+Splat looks like:
+[ 83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0
+[ 83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008
+[ 83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50
+[ 83.188469] Call Trace:
+[ ... ]
+[ 83.200126] lock_acquire+0x141/0x380
+[ 83.200575] ? lock_sock_nested+0x3a/0xf0
+[ 83.201069] _raw_spin_lock_bh+0x38/0x70
+[ 83.201551] ? lock_sock_nested+0x3a/0xf0
+[ 83.202044] lock_sock_nested+0x3a/0xf0
+[ 83.202520] gtp_encap_destroy+0x18/0xe0 [gtp]
+[ 83.203065] gtp_encap_disable.isra.14+0x13/0x50 [gtp]
+[ 83.203687] gtp_dellink+0x56/0x170 [gtp]
+[ 83.204190] rtnl_delete_link+0xb4/0x100
+[ ... ]
+[ 83.236513] Allocated by task 976:
+[ 83.236925] save_stack+0x19/0x80
+[ 83.237332] __kasan_kmalloc.constprop.3+0xa0/0xd0
+[ 83.237894] kmem_cache_alloc+0xd8/0x280
+[ 83.238360] sk_prot_alloc.isra.42+0x50/0x200
+[ 83.238874] sk_alloc+0x32/0x940
+[ 83.239264] inet_create+0x283/0xc20
+[ 83.239684] __sock_create+0x2dd/0x540
+[ 83.240136] __sys_socket+0xca/0x1a0
+[ 83.240550] __x64_sys_socket+0x6f/0xb0
+[ 83.240998] do_syscall_64+0x9c/0x450
+[ 83.241466] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 83.242061]
+[ 83.242249] Freed by task 0:
+[ 83.242616] save_stack+0x19/0x80
+[ 83.243013] __kasan_slab_free+0x111/0x150
+[ 83.243498] kmem_cache_free+0x89/0x250
+[ 83.244444] __sk_destruct+0x38f/0x5a0
+[ 83.245366] rcu_core+0x7e9/0x1c20
+[ 83.245766] __do_softirq+0x213/0x8fa
+
+Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index b770335c03c1..5615cdb7202c 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -285,13 +285,17 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb)
+ return gtp_rx(pctx, skb, hdrlen, gtp->role);
+ }
+
+-static void gtp_encap_destroy(struct sock *sk)
++static void __gtp_encap_destroy(struct sock *sk)
+ {
+ struct gtp_dev *gtp;
+
+ lock_sock(sk);
+ gtp = sk->sk_user_data;
+ if (gtp) {
++ if (gtp->sk0 == sk)
++ gtp->sk0 = NULL;
++ else
++ gtp->sk1u = NULL;
+ udp_sk(sk)->encap_type = 0;
+ rcu_assign_sk_user_data(sk, NULL);
+ sock_put(sk);
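Review bot: __gtp_encap_destroy() now writes `gtp->sk0` and `gtp->sk1u`, which the commit message says are protected by rtnl_lock, but nothing in the helper states or enforces that its callers hold it. An `ASSERT_RTNL();` at the top of the function, or at least `/* Caller must hold rtnl_lock. */`, would catch a future caller that arrives without it. The `else` branch also clears `gtp->sk1u` without comparing it to `sk`; `else if (gtp->sk1u == sk)` would make that assumption explicit. The end of the function is in the next hunk.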
+@@ -299,12 +303,19 @@ static void gtp_encap_destroy(struct sock *sk)
+ release_sock(sk);
+ }
+
++static void gtp_encap_destroy(struct sock *sk)
++{
++ rtnl_lock();
++ __gtp_encap_destroy(sk);
++ rtnl_unlock();
++}
++
+ static void gtp_encap_disable_sock(struct sock *sk)
+ {
+ if (!sk)
+ return;
+
+- gtp_encap_destroy(sk);
++ __gtp_encap_destroy(sk);
+ }
+
+ static void gtp_encap_disable(struct gtp_dev *gtp)
+@@ -1043,6 +1054,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info)
+ return -EINVAL;
+ }
+
++ rtnl_lock();
+ rcu_read_lock();
+
+ gtp = gtp_find_dev(sock_net(skb->sk), info->attrs);
+@@ -1067,6 +1079,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info)
+
+ out_unlock:
+ rcu_read_unlock();
++ rtnl_unlock();
+ return err;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 8c040902cd2bd1c8d286ad50a4f719e114c176e4 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:23:42 +0900
+Subject: gtp: fix use-after-free in gtp_newlink()
+
+[ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ]
+
+Current gtp_newlink() could be called after unregister_pernet_subsys().
+gtp_newlink() uses gtp_net but it can be destroyed by
+unregister_pernet_subsys().
+So unregister_pernet_subsys() should be called after
+rtnl_link_unregister().
+
+Test commands:
+ #SHELL 1
+ while :
+ do
+ for i in {1..5}
+ do
+ ./gtp-link add gtp$i &
+ done
+ killall gtp-link
+ done
+
+ #SHELL 2
+ while :
+ do
+ modprobe -rv gtp
+ done
+
+Splat looks like:
+[ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126
+[ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50
+[ 753.185801] Call Trace:
+[ 753.186264] dump_stack+0x7c/0xbb
+[ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.187583] print_address_description+0xc7/0x240
+[ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.189846] __kasan_report+0x12a/0x16f
+[ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.191298] kasan_report+0xe/0x20
+[ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.192580] ? __netlink_ns_capable+0xc3/0xf0
+[ 753.193370] __rtnl_newlink+0xb9f/0x11b0
+[ ... ]
+[ 753.241201] Allocated by task 7186:
+[ 753.241844] save_stack+0x19/0x80
+[ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0
+[ 753.243192] __kmalloc+0x13e/0x300
+[ 753.243764] ops_init+0xd6/0x350
+[ 753.244314] register_pernet_operations+0x249/0x6f0
+[ ... ]
+[ 753.251770] Freed by task 7178:
+[ 753.252288] save_stack+0x19/0x80
+[ 753.252833] __kasan_slab_free+0x111/0x150
+[ 753.253962] kfree+0xc7/0x280
+[ 753.254509] ops_free_list.part.11+0x1c4/0x2d0
+[ 753.255241] unregister_pernet_operations+0x262/0x390
+[ ... ]
+[ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next.
+[ 753.287241] ------------[ cut here ]------------
+[ 753.287794] kernel BUG at lib/list_debug.c:25!
+[ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50
+[ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0
+[ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b
+[ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286
+[ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000
+[ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69
+[ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21
+[ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878
+[ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458
+[ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000
+[ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0
+[ 753.302183] Call Trace:
+[ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp]
+[ 753.303037] ? __netlink_ns_capable+0xc3/0xf0
+[ 753.303576] __rtnl_newlink+0xb9f/0x11b0
+[ 753.304092] ? rtnl_link_unregister+0x230/0x230
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 5615cdb7202c..607f38712b4e 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1382,9 +1382,9 @@ late_initcall(gtp_init);
+
+ static void __exit gtp_fini(void)
+ {
+- unregister_pernet_subsys(>p_net_ops);
+ genl_unregister_family(>p_genl_family);
+ rtnl_link_unregister(>p_link_ops);
++ unregister_pernet_subsys(>p_net_ops);
+
+ pr_info("GTP module unloaded\n");
+ }
+--
+2.20.1
+
--- /dev/null
+From 8f8bfafb0d8dadc07097d5771ef692d226ffd9b2 Mon Sep 17 00:00:00 2001
+From: Mitch Williams <mitch.a.williams@intel.com>
+Date: Tue, 14 May 2019 10:37:09 -0700
+Subject: iavf: allow null RX descriptors
+
+[ Upstream commit efa14c3985828da3163f5372137cb64d992b0f79 ]
+
+In some circumstances, the hardware can hand us a null receive
+descriptor, with no data attached but otherwise valid. Unfortunately,
+the driver was ill-equipped to handle such an event, and would stop
+processing packets at that point.
+
+To fix this, use the Descriptor Done bit instead of the size to
+determine whether or not a descriptor is ready to be processed. Add some
+checks to allow for unused buffers.
+
+Signed-off-by: Mitch Williams <mitch.a.williams@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_txrx.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index 06d1509d57f7..c97b9ecf026a 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -1236,6 +1236,9 @@ static void iavf_add_rx_frag(struct iavf_ring *rx_ring,
+ unsigned int truesize = SKB_DATA_ALIGN(size + iavf_rx_offset(rx_ring));
+ #endif
+
++ if (!size)
++ return;
++
+ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, rx_buffer->page,
+ rx_buffer->page_offset, size, truesize);
+
+@@ -1260,6 +1263,9 @@ static struct iavf_rx_buffer *iavf_get_rx_buffer(struct iavf_ring *rx_ring,
+ {
+ struct iavf_rx_buffer *rx_buffer;
+
++ if (!size)
++ return NULL;
++
+ rx_buffer = &rx_ring->rx_bi[rx_ring->next_to_clean];
+ prefetchw(rx_buffer->page);
+
+@@ -1299,6 +1305,8 @@ static struct sk_buff *iavf_construct_skb(struct iavf_ring *rx_ring,
+ unsigned int headlen;
+ struct sk_buff *skb;
+
++ if (!rx_buffer)
++ return NULL;
+ /* prefetch first cache line of first page */
+ prefetch(va);
+ #if L1_CACHE_BYTES < 128
+@@ -1363,6 +1371,8 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring,
+ #endif
+ struct sk_buff *skb;
+
++ if (!rx_buffer)
++ return NULL;
+ /* prefetch first cache line of first page */
+ prefetch(va);
+ #if L1_CACHE_BYTES < 128
+@@ -1398,6 +1408,9 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring,
+ static void iavf_put_rx_buffer(struct iavf_ring *rx_ring,
+ struct iavf_rx_buffer *rx_buffer)
+ {
++ if (!rx_buffer)
++ return;
++
+ if (iavf_can_reuse_rx_page(rx_buffer)) {
+ /* hand second half of page back to the ring */
+ iavf_reuse_rx_page(rx_ring, rx_buffer);
+@@ -1496,11 +1509,12 @@ static int iavf_clean_rx_irq(struct iavf_ring *rx_ring, int budget)
+ * verified the descriptor has been written back.
+ */
+ dma_rmb();
++#define IAVF_RXD_DD BIT(IAVF_RX_DESC_STATUS_DD_SHIFT)
++ if (!iavf_test_staterr(rx_desc, IAVF_RXD_DD))
++ break;
+
+ size = (qword & IAVF_RXD_QW1_LENGTH_PBUF_MASK) >>
+ IAVF_RXD_QW1_LENGTH_PBUF_SHIFT;
+- if (!size)
+- break;
+
+ iavf_trace(clean_rx_irq, rx_ring, rx_desc, skb);
+ rx_buffer = iavf_get_rx_buffer(rx_ring, size);
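Review bot: `#define IAVF_RXD_DD BIT(IAVF_RX_DESC_STATUS_DD_SHIFT)` is introduced in the middle of the receive loop of iavf_clean_rx_irq(), where it is easy to miss and stays defined for the rest of the file. Moving the definition next to the other descriptor status definitions, or to the top of the file, keeps the loop body to executable code. The loop starts and ends outside the hunk.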
+@@ -1516,7 +1530,8 @@ static int iavf_clean_rx_irq(struct iavf_ring *rx_ring, int budget)
+ /* exit if we failed to retrieve a buffer */
+ if (!skb) {
+ rx_ring->rx_stats.alloc_buff_failed++;
+- rx_buffer->pagecnt_bias++;
++ if (rx_buffer)
++ rx_buffer->pagecnt_bias++;
+ break;
+ }
+
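Review bot: A zero-length descriptor with no skb in progress appears to land in this `if (!skb)` branch, where `alloc_buff_failed` is incremented although no allocation failed, and the loop breaks. The earlier hunks make iavf_get_rx_buffer() return NULL for a zero size and the skb build helpers return NULL for a NULL buffer, which is how the branch is reached. That looks like the stop-processing behaviour the commit message sets out to remove, and it skews the statistic. The code between the buffer fetch and this check is outside the hunk, so the path needs confirming. If it holds, the accounting should at least be limited to the real failure case: `if (rx_buffer) { rx_ring->rx_stats.alloc_buff_failed++; rx_buffer->pagecnt_bias++; }`.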
+--
+2.20.1
+
--- /dev/null
+From 51fd3d07be46e990fab8e0043ad0f748fa1232aa Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 19 Jun 2019 15:30:44 +0100
+Subject: iavf: fix dereference of null rx_buffer pointer
+
+[ Upstream commit 9fe06a51287b2d41baef7ece94df34b5abf19b90 ]
+
+A recent commit efa14c3985828d ("iavf: allow null RX descriptors") added
+a null pointer sanity check on rx_buffer, however, rx_buffer is being
+dereferenced before that check, which implies a null pointer dereference
+bug can potentially occur. Fix this by dereferencing rx_buffer only
+after the null pointer check.
+
+Addresses-Coverity: ("Dereference before null check")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_txrx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index c97b9ecf026a..26422bc9ca8c 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -1296,7 +1296,7 @@ static struct sk_buff *iavf_construct_skb(struct iavf_ring *rx_ring,
+ struct iavf_rx_buffer *rx_buffer,
+ unsigned int size)
+ {
+- void *va = page_address(rx_buffer->page) + rx_buffer->page_offset;
++ void *va;
+ #if (PAGE_SIZE < 8192)
+ unsigned int truesize = iavf_rx_pg_size(rx_ring) / 2;
+ #else
+@@ -1308,6 +1308,7 @@ static struct sk_buff *iavf_construct_skb(struct iavf_ring *rx_ring,
+ if (!rx_buffer)
+ return NULL;
+ /* prefetch first cache line of first page */
++ va = page_address(rx_buffer->page) + rx_buffer->page_offset;
+ prefetch(va);
+ #if L1_CACHE_BYTES < 128
+ prefetch(va + L1_CACHE_BYTES);
+@@ -1362,7 +1363,7 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring,
+ struct iavf_rx_buffer *rx_buffer,
+ unsigned int size)
+ {
+- void *va = page_address(rx_buffer->page) + rx_buffer->page_offset;
++ void *va;
+ #if (PAGE_SIZE < 8192)
+ unsigned int truesize = iavf_rx_pg_size(rx_ring) / 2;
+ #else
+@@ -1374,6 +1375,7 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring,
+ if (!rx_buffer)
+ return NULL;
+ /* prefetch first cache line of first page */
++ va = page_address(rx_buffer->page) + rx_buffer->page_offset;
+ prefetch(va);
+ #if L1_CACHE_BYTES < 128
+ prefetch(va + L1_CACHE_BYTES);
+--
+2.20.1
+
--- /dev/null
+From d4bd01139b58cdedcdba9f3f9106049c07393171 Mon Sep 17 00:00:00 2001
+From: Mitch Williams <mitch.a.williams@intel.com>
+Date: Tue, 16 Apr 2019 10:30:45 -0700
+Subject: ice: Check all VFs for MDD activity, don't disable
+
+[ Upstream commit 23c0112246b454e408fb0579b3f9089353d4d327 ]
+
+Don't use the mdd_detected variable as an exit condition for this loop;
+the first VF to NOT have an MDD event will cause the loop to terminate.
+
+Instead just look at all of the VFs, but don't disable them. Disabling
+them prevents proper release of resources if the VFs are rebooted or the
+VF driver reloaded. Instead, just log a message and call out repeat
+offenders.
+
+To make it clear what we are doing, use a differently-named variable in
+the loop.
+
+Signed-off-by: Mitch Williams <mitch.a.williams@intel.com>
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index dbf3d39ad8b1..1c803106e301 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -1161,16 +1161,16 @@ static void ice_handle_mdd_event(struct ice_pf *pf)
+ }
+ }
+
+- /* see if one of the VFs needs to be reset */
+- for (i = 0; i < pf->num_alloc_vfs && mdd_detected; i++) {
++ /* check to see if one of the VFs caused the MDD */
++ for (i = 0; i < pf->num_alloc_vfs; i++) {
+ struct ice_vf *vf = &pf->vf[i];
+
+- mdd_detected = false;
++ bool vf_mdd_detected = false;
+
+ reg = rd32(hw, VP_MDET_TX_PQM(i));
+ if (reg & VP_MDET_TX_PQM_VALID_M) {
+ wr32(hw, VP_MDET_TX_PQM(i), 0xFFFF);
+- mdd_detected = true;
++ vf_mdd_detected = true;
+ dev_info(&pf->pdev->dev, "TX driver issue detected on VF %d\n",
+ i);
+ }
+@@ -1178,7 +1178,7 @@ static void ice_handle_mdd_event(struct ice_pf *pf)
+ reg = rd32(hw, VP_MDET_TX_TCLAN(i));
+ if (reg & VP_MDET_TX_TCLAN_VALID_M) {
+ wr32(hw, VP_MDET_TX_TCLAN(i), 0xFFFF);
+- mdd_detected = true;
++ vf_mdd_detected = true;
+ dev_info(&pf->pdev->dev, "TX driver issue detected on VF %d\n",
+ i);
+ }
+@@ -1186,7 +1186,7 @@ static void ice_handle_mdd_event(struct ice_pf *pf)
+ reg = rd32(hw, VP_MDET_TX_TDPU(i));
+ if (reg & VP_MDET_TX_TDPU_VALID_M) {
+ wr32(hw, VP_MDET_TX_TDPU(i), 0xFFFF);
+- mdd_detected = true;
++ vf_mdd_detected = true;
+ dev_info(&pf->pdev->dev, "TX driver issue detected on VF %d\n",
+ i);
+ }
+@@ -1194,19 +1194,18 @@ static void ice_handle_mdd_event(struct ice_pf *pf)
+ reg = rd32(hw, VP_MDET_RX(i));
+ if (reg & VP_MDET_RX_VALID_M) {
+ wr32(hw, VP_MDET_RX(i), 0xFFFF);
+- mdd_detected = true;
++ vf_mdd_detected = true;
+ dev_info(&pf->pdev->dev, "RX driver issue detected on VF %d\n",
+ i);
+ }
+
+- if (mdd_detected) {
++ if (vf_mdd_detected) {
+ vf->num_mdd_events++;
+- dev_info(&pf->pdev->dev,
+- "Use PF Control I/F to re-enable the VF\n");
+- set_bit(ICE_VF_STATE_DIS, vf->vf_states);
++ if (vf->num_mdd_events > 1)
++ dev_info(&pf->pdev->dev, "VF %d has had %llu MDD events since last boot\n",
++ i, vf->num_mdd_events);
+ }
+ }
+-
+ }
+
+ /**
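Review bot: With `set_bit(ICE_VF_STATE_DIS, vf->vf_states)` removed, a VF that keeps raising MDD events is never stopped, and every event writes `dev_info` lines to the host log at a rate the VF controls. Rate-limit the new message, e.g. `dev_info_ratelimited(&pf->pdev->dev, "VF %d has had %llu MDD events since last boot\n", i, vf->num_mdd_events);`, and consider `dev_warn` for repeat offenders so the condition shows at default log levels. The `%llu` specifier assumes `num_mdd_events` is a 64-bit unsigned field; its declaration is not visible here. ice_handle_mdd_event starts outside the hunk.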
+--
+2.20.1
+
--- /dev/null
+From 2bcc54a869c0297c5ec91aa1760267c8d6bb55bc Mon Sep 17 00:00:00 2001
+From: Brett Creeley <brett.creeley@intel.com>
+Date: Tue, 16 Apr 2019 10:24:37 -0700
+Subject: ice: Fix couple of issues in ice_vsi_release
+
+[ Upstream commit aa6ccf3f2d7042f94c4e91538956ce7051e7856e ]
+
+Currently the driver is calling ice_napi_del() and then
+unregister_netdev(). The call to unregister_netdev() will result in a
+call to ice_stop() and then ice_vsi_close(). This is where we call
+napi_disable() for all the MSI-X vectors. This flow is reversed so make
+the changes to ensure napi_disable() happens prior to napi_del().
+
+Before calling napi_del() and free_netdev() make sure
+unregister_netdev() was called. This is done by making sure the
+__ICE_DOWN bit is set in the vsi->state for the interested VSI.
+
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice.h | 1 -
+ drivers/net/ethernet/intel/ice/ice_lib.c | 24 ++++++++++++-----------
+ drivers/net/ethernet/intel/ice/ice_main.c | 2 +-
+ 3 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h
+index 792e6e42030e..754c7080c3fc 100644
+--- a/drivers/net/ethernet/intel/ice/ice.h
++++ b/drivers/net/ethernet/intel/ice/ice.h
+@@ -451,7 +451,6 @@ int ice_set_rss(struct ice_vsi *vsi, u8 *seed, u8 *lut, u16 lut_size);
+ int ice_get_rss(struct ice_vsi *vsi, u8 *seed, u8 *lut, u16 lut_size);
+ void ice_fill_rss_lut(u8 *lut, u16 rss_table_size, u16 rss_size);
+ void ice_print_link_msg(struct ice_vsi *vsi, bool isup);
+-void ice_napi_del(struct ice_vsi *vsi);
+ #ifdef CONFIG_DCB
+ int ice_pf_ena_all_vsi(struct ice_pf *pf, bool locked);
+ void ice_pf_dis_all_vsi(struct ice_pf *pf, bool locked);
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index fbf1eba0cc2a..f14fa51cc704 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -2754,19 +2754,14 @@ int ice_vsi_release(struct ice_vsi *vsi)
+
+ if (vsi->type == ICE_VSI_VF)
+ vf = &pf->vf[vsi->vf_id];
+- /* do not unregister and free netdevs while driver is in the reset
+- * recovery pending state. Since reset/rebuild happens through PF
+- * service task workqueue, its not a good idea to unregister netdev
+- * that is associated to the PF that is running the work queue items
+- * currently. This is done to avoid check_flush_dependency() warning
+- * on this wq
++ /* do not unregister while driver is in the reset recovery pending
++ * state. Since reset/rebuild happens through PF service task workqueue,
++ * it's not a good idea to unregister netdev that is associated to the
++ * PF that is running the work queue items currently. This is done to
++ * avoid check_flush_dependency() warning on this wq
+ */
+- if (vsi->netdev && !ice_is_reset_in_progress(pf->state)) {
+- ice_napi_del(vsi);
++ if (vsi->netdev && !ice_is_reset_in_progress(pf->state))
+ unregister_netdev(vsi->netdev);
+- free_netdev(vsi->netdev);
+- vsi->netdev = NULL;
+- }
+
+ if (test_bit(ICE_FLAG_RSS_ENA, pf->flags))
+ ice_rss_clean(vsi);
+@@ -2799,6 +2794,13 @@ int ice_vsi_release(struct ice_vsi *vsi)
+ ice_rm_vsi_lan_cfg(vsi->port_info, vsi->idx);
+ ice_vsi_delete(vsi);
+ ice_vsi_free_q_vectors(vsi);
++
++ /* make sure unregister_netdev() was called by checking __ICE_DOWN */
++ if (vsi->netdev && test_bit(__ICE_DOWN, vsi->state)) {
++ free_netdev(vsi->netdev);
++ vsi->netdev = NULL;
++ }
++
+ ice_vsi_clear_rings(vsi);
+
+ ice_vsi_put_qs(vsi);
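Review bot: `test_bit(__ICE_DOWN, vsi->state)` is taken as proof that unregister_netdev() ran, but the earlier hunk skips unregister_netdev() while a reset is in progress, and nothing visible here stops __ICE_DOWN from being set in that case. If both can hold, free_netdev() would run on a netdev that is still registered; if neither holds, `vsi->netdev` is left allocated with no later free in view. Tying the free to the real state, e.g. `vsi->netdev->reg_state == NETREG_UNREGISTERED`, or to a local flag set where unregister_netdev() is called, would remove the guesswork. ice_vsi_release starts and ends outside the hunk.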
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 7843abf4d44d..dbf3d39ad8b1 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -1667,7 +1667,7 @@ static int ice_req_irq_msix_misc(struct ice_pf *pf)
+ * ice_napi_del - Remove NAPI handler for the VSI
+ * @vsi: VSI for which NAPI handler is to be removed
+ */
+-void ice_napi_del(struct ice_vsi *vsi)
++static void ice_napi_del(struct ice_vsi *vsi)
+ {
+ int v_idx;
+
+--
+2.20.1
+
--- /dev/null
+From 0cb66c7a38452ddec4fa8664213e4e8f1b19684b Mon Sep 17 00:00:00 2001
+From: Brett Creeley <brett.creeley@intel.com>
+Date: Tue, 16 Apr 2019 10:24:32 -0700
+Subject: ice: Gracefully handle reset failure in ice_alloc_vfs()
+
+[ Upstream commit 72f9c2039859e6303550f202d6cc6b8d8af0178c ]
+
+Currently if ice_reset_all_vfs() fails in ice_alloc_vfs() we fail to
+free some resources, reset variables, and return an error value.
+Fix this by adding another unroll case to free the pf->vf array, set
+the pf->num_alloc_vfs to 0, and return an error code.
+
+Without this, if ice_reset_all_vfs() fails in ice_alloc_vfs() we will
+not be able to do SRIOV without hard rebooting the system because
+rmmod'ing the driver does not work.
+
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index a805cbdd69be..81ea77978355 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -1134,7 +1134,7 @@ static int ice_alloc_vfs(struct ice_pf *pf, u16 num_alloc_vfs)
+ GFP_KERNEL);
+ if (!vfs) {
+ ret = -ENOMEM;
+- goto err_unroll_sriov;
++ goto err_pci_disable_sriov;
+ }
+ pf->vf = vfs;
+
+@@ -1154,12 +1154,19 @@ static int ice_alloc_vfs(struct ice_pf *pf, u16 num_alloc_vfs)
+ pf->num_alloc_vfs = num_alloc_vfs;
+
+ /* VF resources get allocated during reset */
+- if (!ice_reset_all_vfs(pf, true))
++ if (!ice_reset_all_vfs(pf, true)) {
++ ret = -EIO;
+ goto err_unroll_sriov;
++ }
+
+ goto err_unroll_intr;
+
+ err_unroll_sriov:
++ pf->vf = NULL;
++ devm_kfree(&pf->pdev->dev, vfs);
++ vfs = NULL;
++ pf->num_alloc_vfs = 0;
++err_pci_disable_sriov:
+ pci_disable_sriov(pf->pdev);
+ err_unroll_intr:
+ /* rearm interrupts here */
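Review bot: In the `err_unroll_sriov` path, `pf->vf` is cleared and the array freed before `pf->num_alloc_vfs` is reset, so for a short window the count is non-zero while the array is gone. Code that walks `pf->vf[i]` for `i < pf->num_alloc_vfs`, such as the loop in ice_handle_mdd_event, would index a NULL or freed array if it can run in that window; whether it can is not visible here. Writing `pf->num_alloc_vfs = 0;` as the first statement under the label closes the window. The success path also leaves through `goto err_unroll_intr;`, which deserves a comment such as `/* success: fall through to re-arm interrupts */`. The function body extends outside the hunk.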
+--
+2.20.1
+
--- /dev/null
+From ec08c2de41333b0a6ee101b0c280aac2189eec1d Mon Sep 17 00:00:00 2001
+From: Vedang Patel <vedang.patel@intel.com>
+Date: Tue, 25 Jun 2019 15:07:12 -0700
+Subject: igb: clear out skb->tstamp after reading the txtime
+
+[ Upstream commit 1e08511d5d01884a3c9070afd52a47799312074a ]
+
+If a packet which is utilizing the launchtime feature (via SO_TXTIME socket
+option) also requests the hardware transmit timestamp, the hardware
+timestamp is not delivered to the userspace. This is because the value in
+skb->tstamp is mistaken as the software timestamp.
+
+Applications, like ptp4l, request a hardware timestamp by setting the
+SOF_TIMESTAMPING_TX_HARDWARE socket option. Whenever a new timestamp is
+detected by the driver (this work is done in igb_ptp_tx_work() which calls
+igb_ptp_tx_hwtstamps() in igb_ptp.c[1]), it will queue the timestamp in the
+ERR_QUEUE for the userspace to read. When the userspace is ready, it will
+issue a recvmsg() call to collect this timestamp. The problem is in this
+recvmsg() call. If the skb->tstamp is not cleared out, it will be
+interpreted as a software timestamp and the hardware tx timestamp will not
+be successfully sent to the userspace. Look at skb_is_swtx_tstamp() and the
+callee function __sock_recv_timestamp() in net/socket.c for more details.
+
+Signed-off-by: Vedang Patel <vedang.patel@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 39f33afc479c..005c1693efc8 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -5687,6 +5687,7 @@ static void igb_tx_ctxtdesc(struct igb_ring *tx_ring,
+ */
+ if (tx_ring->launchtime_enable) {
+ ts = ns_to_timespec64(first->skb->tstamp);
++ first->skb->tstamp = 0;
+ context_desc->seqnum_seed = cpu_to_le32(ts.tv_nsec / 32);
+ } else {
+ context_desc->seqnum_seed = 0;
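Review bot: The added `first->skb->tstamp = 0;` carries no comment, and read on its own it looks like it throws away data the stack set. A one-line comment such as `/* clear the launchtime so it is not later reported as a software timestamp */` would record why the field is reset right after it is read, which is the whole point of the fix. The enclosing comment block and function start outside the hunk.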
+--
+2.20.1
+
--- /dev/null
+From ab2ce31ea65726be1c25c9e11c760a36b3b88638 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Mon, 17 Jun 2019 09:44:52 +0200
+Subject: integrity: Fix __integrity_init_keyring() section mismatch
+
+[ Upstream commit 8c655784e2cf59cb6140759b8b546d98261d1ad9 ]
+
+With gcc-4.6.3:
+
+ WARNING: vmlinux.o(.text.unlikely+0x24c64): Section mismatch in reference from the function __integrity_init_keyring() to the function .init.text:set_platform_trusted_keys()
+ The function __integrity_init_keyring() references
+ the function __init set_platform_trusted_keys().
+ This is often because __integrity_init_keyring lacks a __init
+ annotation or the annotation of set_platform_trusted_keys is wrong.
+
+Indeed, if the compiler decides not to inline __integrity_init_keyring(),
+a warning is issued.
+
+Fix this by adding the missing __init annotation.
+
+Fixes: 9dc92c45177ab70e ("integrity: Define a trusted platform keyring")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
+Reviewed-by: James Morris <jamorris@linux.microsoft.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/digsig.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index 4582bc26770a..868ade3e8970 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -69,8 +69,9 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
+ return -EOPNOTSUPP;
+ }
+
+-static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
+- struct key_restriction *restriction)
++static int __init __integrity_init_keyring(const unsigned int id,
++ key_perm_t perm,
++ struct key_restriction *restriction)
+ {
+ const struct cred *cred = current_cred();
+ int err = 0;
+--
+2.20.1
+
--- /dev/null
+From 55e445272833547f1df5cc5867ac68901caf6c74 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Wed, 3 Jul 2019 12:19:20 +0100
+Subject: iommu/arm-smmu-v3: Invalidate ATC when detaching a device
+
+[ Upstream commit 8dd8f005bdd45823fc153ef490239558caf6ff20 ]
+
+We make the invalid assumption in arm_smmu_detach_dev() that the ATC is
+clear after calling pci_disable_ats(). For one thing, only enabling the
+PCIe ATS capability constitutes an implicit invalidation event, so the
+comment was wrong. More importantly, the ATS capability isn't necessarily
+disabled by pci_disable_ats() in a PF, if the associated VFs have ATS
+enabled. Explicitly invalidate all ATC entries in arm_smmu_detach_dev().
+The endpoint cannot form new ATC entries because STE.EATS is clear.
+
+Fixes: 9ce27afc0830 ("iommu/arm-smmu-v3: Add support for PCI ATS")
+Reported-by: Manoj Kumar <Manoj.Kumar3@arm.com>
+Reported-by: Robin Murphy <Robin.Murphy@arm.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm-smmu-v3.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index 4d5a694f02c2..0fee8f7957ec 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -1884,9 +1884,13 @@ static int arm_smmu_enable_ats(struct arm_smmu_master *master)
+
+ static void arm_smmu_disable_ats(struct arm_smmu_master *master)
+ {
++ struct arm_smmu_cmdq_ent cmd;
++
+ if (!master->ats_enabled || !dev_is_pci(master->dev))
+ return;
+
++ arm_smmu_atc_inv_to_cmd(0, 0, 0, &cmd);
++ arm_smmu_atc_inv_master(master, &cmd);
+ pci_disable_ats(to_pci_dev(master->dev));
+ master->ats_enabled = false;
+ }
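Review bot: The result of `arm_smmu_atc_inv_master(master, &cmd)` is not used before `pci_disable_ats()` runs. If that helper can report failure (its definition is outside the hunk), stale ATC entries could survive a detach without any trace, so the failure should at least be logged. The invalidation is only final if the caller has already cleared STE.EATS, which arm_smmu_detach_dev does by calling arm_smmu_install_ste_for_dev() first. The removed comment is not replaced, so add one on this function, e.g. `/* Caller must have cleared STE.EATS; pci_disable_ats() does not invalidate the ATC */`. A short note that the zero arguments to `arm_smmu_atc_inv_to_cmd(0, 0, 0, &cmd)` request a full invalidation would also help.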
+@@ -1906,7 +1910,6 @@ static void arm_smmu_detach_dev(struct arm_smmu_master *master)
+ master->domain = NULL;
+ arm_smmu_install_ste_for_dev(master);
+
+- /* Disabling ATS invalidates all ATC entries */
+ arm_smmu_disable_ats(master);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 52ccda300178a9c96ac29e0156d1d773cb4cb417 Mon Sep 17 00:00:00 2001
+From: Eric Auger <eric.auger@redhat.com>
+Date: Mon, 3 Jun 2019 08:53:30 +0200
+Subject: iommu: Fix a leak in iommu_insert_resv_region
+
+[ Upstream commit ad0834dedaa15c3a176f783c0373f836e44b4700 ]
+
+In case we expand an existing region, we unlink
+this latter and insert the larger one. In
+that case we should free the original region after
+the insertion. Also we can immediately return.
+
+Fixes: 6c65fb318e8b ("iommu: iommu_get_group_resv_regions")
+
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index 9f0a2844371c..30db41e9f15c 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -225,18 +225,21 @@ static int iommu_insert_resv_region(struct iommu_resv_region *new,
+ pos = pos->next;
+ } else if ((start >= a) && (end <= b)) {
+ if (new->type == type)
+- goto done;
++ return 0;
+ else
+ pos = pos->next;
+ } else {
+ if (new->type == type) {
+ phys_addr_t new_start = min(a, start);
+ phys_addr_t new_end = max(b, end);
++ int ret;
+
+ list_del(&entry->list);
+ entry->start = new_start;
+ entry->length = new_end - new_start + 1;
+- iommu_insert_resv_region(entry, regions);
++ ret = iommu_insert_resv_region(entry, regions);
++ kfree(entry);
++ return ret;
+ } else {
+ pos = pos->next;
+ }
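Review bot: When the recursive `iommu_insert_resv_region(entry, regions)` fails, `entry` has already been unlinked by `list_del()` and is then freed, so the region that was in the list before the call is lost rather than restored. A caller that keeps using the list after an error would see it missing a reserved range. Either state the contract in a comment, e.g. `/* on error the merged entry is dropped; the caller must discard the list */`, or re-link the entry before returning the error. The function starts outside this hunk and continues in the next one.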
+@@ -249,7 +252,6 @@ static int iommu_insert_resv_region(struct iommu_resv_region *new,
+ return -ENOMEM;
+
+ list_add_tail(®ion->list, pos);
+-done:
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 07f4afa68939b854d2c6913710c9259c867366f1 Mon Sep 17 00:00:00 2001
+From: Denis Kirjanov <kda@linux-powerpc.org>
+Date: Mon, 17 Jun 2019 10:53:40 +0200
+Subject: ipoib: correcly show a VF hardware address
+
+[ Upstream commit 64d701c608fea362881e823b666327f5d28d7ffd ]
+
+In the case of IPoIB with SRIOV enabled hardware, the
+ip link show command incorrectly prints
+0 instead of a VF hardware address.
+
+Before:
+11: ib1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+ link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+ vf 0 MAC 00:00:00:00:00:00, spoof checking off, link-state disable,
+trust off, query_rss off
+...
+After:
+11: ib1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+ link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+ vf 0 link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff, spoof
+checking off, link-state disable, trust off, query_rss off
+
+v1->v2: just copy an address without modifing ifla_vf_mac
+v2->v3: update the changelog
+
+Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
+Acked-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index 9b5e11d3fb85..04ea7db08e87 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -1998,6 +1998,7 @@ static int ipoib_get_vf_config(struct net_device *dev, int vf,
+ return err;
+
+ ivf->vf = vf;
++ memcpy(ivf->mac, dev->dev_addr, dev->addr_len);
+
+ return 0;
+ }
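Review bot: The new `memcpy(ivf->mac, dev->dev_addr, dev->addr_len);` takes its length from the source device and never compares it with the size of the destination field. Assuming `ivf->mac` is a fixed-size array (its declaration is not visible here), an address length larger than that array would write past it. Bound the copy by the destination, `memcpy(ivf->mac, dev->dev_addr, min_t(size_t, dev->addr_len, sizeof(ivf->mac)));`, or assert the relation at build time if the IPoIB address length is a constant. ipoib_get_vf_config starts outside the hunk.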
+--
+2.20.1
+
--- /dev/null
+From c5e2696b184e2c16f40febb126d0d4710f379d5c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 18 Jun 2019 13:22:13 +0200
+Subject: ipsec: select crypto ciphers for xfrm_algo
+
+[ Upstream commit 597179b0ba550bd83fab1a9d57c42a9343c58514 ]
+
+kernelci.org reports failed builds on arc because of what looks
+like an old missed 'select' statement:
+
+net/xfrm/xfrm_algo.o: In function `xfrm_probe_algs':
+xfrm_algo.c:(.text+0x1e8): undefined reference to `crypto_has_ahash'
+
+I don't see this in randconfig builds on other architectures, but
+it's fairly clear we want to select the hash code for it, like we
+do for all its other users. As Herbert points out, CRYPTO_BLKCIPHER
+is also required even though it has not popped up in build tests.
+
+Fixes: 17bc19702221 ("ipsec: Use skcipher and ahash when probing algorithms")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
+index c967fc3c38c8..51bb6018f3bf 100644
+--- a/net/xfrm/Kconfig
++++ b/net/xfrm/Kconfig
+@@ -15,6 +15,8 @@ config XFRM_ALGO
+ tristate
+ select XFRM
+ select CRYPTO
++ select CRYPTO_HASH
++ select CRYPTO_BLKCIPHER
+
+ if INET
+ config XFRM_USER
+--
+2.20.1
+
--- /dev/null
+From ce6e7504ddf506856f0f817585243699c0b03d14 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Sun, 26 May 2019 23:14:06 +0200
+Subject: ipset: Fix memory accounting for hash types on resize
+
+[ Upstream commit 11921796f4799ca9c61c4b22cc54d84aa69f8a35 ]
+
+If a fresh array block is allocated during resize, the current in-memory
+set size should be increased by the size of the block, not replaced by it.
+
+Before the fix, adding entries to a hash set type, leading to a table
+resize, caused an inconsistent memory size to be reported. This becomes
+more obvious when swapping sets with similar sizes:
+
+ # cat hash_ip_size.sh
+ #!/bin/sh
+ FAIL_RETRIES=10
+
+ tries=0
+ while [ ${tries} -lt ${FAIL_RETRIES} ]; do
+ ipset create t1 hash:ip
+ for i in `seq 1 4345`; do
+ ipset add t1 1.2.$((i / 255)).$((i % 255))
+ done
+ t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+ ipset create t2 hash:ip
+ for i in `seq 1 4360`; do
+ ipset add t2 1.2.$((i / 255)).$((i % 255))
+ done
+ t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+ ipset swap t1 t2
+ t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
+ t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+ ipset destroy t1
+ ipset destroy t2
+ tries=$((tries + 1))
+
+ if [ ${t1_init} -lt 10000 ] || [ ${t2_init} -lt 10000 ]; then
+ echo "FAIL after ${tries} tries:"
+ echo "T1 size ${t1_init}, after swap ${t1_swap}"
+ echo "T2 size ${t2_init}, after swap ${t2_swap}"
+ exit 1
+ fi
+ done
+ echo "PASS"
+ # echo -n 'func hash_ip4_resize +p' > /sys/kernel/debug/dynamic_debug/control
+ # ./hash_ip_size.sh
+ [ 2035.018673] attempt to resize set t1 from 10 to 11, t 00000000fe6551fa
+ [ 2035.078583] set t1 resized from 10 (00000000fe6551fa) to 11 (00000000172a0163)
+ [ 2035.080353] Table destroy by resize 00000000fe6551fa
+ FAIL after 4 tries:
+ T1 size 9064, after swap 71128
+ T2 size 71128, after swap 9064
+
+Reported-by: NOYB <JunkYardMail1@Frontier.com>
+Fixes: 9e41f26a505c ("netfilter: ipset: Count non-static extension memory for userspace")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
+index 10f619625abd..175f8fedcfaf 100644
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -622,7 +622,7 @@ mtype_resize(struct ip_set *set, bool retried)
+ goto cleanup;
+ }
+ m->size = AHASH_INIT_SIZE;
+- extsize = ext_size(AHASH_INIT_SIZE, dsize);
++ extsize += ext_size(AHASH_INIT_SIZE, dsize);
+ RCU_INIT_POINTER(hbucket(t, key), m);
+ } else if (m->pos >= m->size) {
+ struct hbucket *ht;
+--
+2.20.1
+
--- /dev/null
+From a917607b8d9bf5508b5b6688d11ce32431aa5a32 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Tue, 4 Jun 2019 21:56:35 +0300
+Subject: ipvs: defer hook registration to avoid leaks
+
+[ Upstream commit cf47a0b882a4e5f6b34c7949d7b293e9287f1972 ]
+
+syzkaller reports for memory leak when registering hooks [1]
+
+As we moved the nf_unregister_net_hooks() call into
+__ip_vs_dev_cleanup(), defer the nf_register_net_hooks()
+call, so that hooks are allocated and freed from same
+pernet_operations (ipvs_core_dev_ops).
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff88810acd8a80 (size 96):
+ comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s)
+ hex dump (first 32 bytes):
+ 02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff ........P.......
+ 00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff .........w......
+ backtrace:
+ [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+ [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline]
+ [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
+ [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline]
+ [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627
+ [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline]
+ [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431
+ [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline]
+ [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline]
+ [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60 net/netfilter/core.c:61
+ [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270 net/netfilter/core.c:128
+ [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170 net/netfilter/core.c:337
+ [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0 net/netfilter/core.c:464
+ [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0 net/netfilter/core.c:480
+ [<000000002ea868e0>] __ip_vs_init+0xe8/0x170 net/netfilter/ipvs/ip_vs_core.c:2280
+ [<000000002eb2d451>] ops_init+0x4c/0x140 net/core/net_namespace.c:130
+ [<000000000284ec48>] setup_net+0xde/0x230 net/core/net_namespace.c:316
+ [<00000000a70600fa>] copy_net_ns+0xf0/0x1e0 net/core/net_namespace.c:439
+ [<00000000ff26c15e>] create_new_namespaces+0x141/0x2a0 kernel/nsproxy.c:107
+ [<00000000b103dc79>] copy_namespaces+0xa1/0xe0 kernel/nsproxy.c:165
+ [<000000007cc008a2>] copy_process.part.0+0x11fd/0x2150 kernel/fork.c:2035
+ [<00000000c344af7c>] copy_process kernel/fork.c:1800 [inline]
+ [<00000000c344af7c>] _do_fork+0x121/0x4f0 kernel/fork.c:2369
+
+Reported-by: syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com
+Fixes: 719c7d563c17 ("ipvs: Fix use-after-free in ip_vs_in")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 7138556b206b..d5103a9eb302 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -2245,7 +2245,6 @@ static const struct nf_hook_ops ip_vs_ops[] = {
+ static int __net_init __ip_vs_init(struct net *net)
+ {
+ struct netns_ipvs *ipvs;
+- int ret;
+
+ ipvs = net_generic(net, ip_vs_net_id);
+ if (ipvs == NULL)
+@@ -2277,17 +2276,11 @@ static int __net_init __ip_vs_init(struct net *net)
+ if (ip_vs_sync_net_init(ipvs) < 0)
+ goto sync_fail;
+
+- ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
+- if (ret < 0)
+- goto hook_fail;
+-
+ return 0;
+ /*
+ * Error handling
+ */
+
+-hook_fail:
+- ip_vs_sync_net_cleanup(ipvs);
+ sync_fail:
+ ip_vs_conn_net_cleanup(ipvs);
+ conn_fail:
+@@ -2317,6 +2310,19 @@ static void __net_exit __ip_vs_cleanup(struct net *net)
+ net->ipvs = NULL;
+ }
+
++static int __net_init __ip_vs_dev_init(struct net *net)
++{
++ int ret;
++
++ ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
++ if (ret < 0)
++ goto hook_fail;
++ return 0;
++
++hook_fail:
++ return ret;
++}
++
+ static void __net_exit __ip_vs_dev_cleanup(struct net *net)
+ {
+ struct netns_ipvs *ipvs = net_ipvs(net);
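Review bot: The `hook_fail` label in the new `__ip_vs_dev_init` only returns `ret`, so the `goto` and the local variable add nothing; the body can be the single statement `return nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));`. A short comment on the function saying that the hooks are registered here so that they are allocated and freed by the same pernet_operations as `__ip_vs_dev_cleanup` would preserve the reasoning from the commit message. `__ip_vs_dev_cleanup` continues outside the hunk.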
+@@ -2336,6 +2342,7 @@ static struct pernet_operations ipvs_core_ops = {
+ };
+
+ static struct pernet_operations ipvs_core_dev_ops = {
++ .init = __ip_vs_dev_init,
+ .exit = __ip_vs_dev_cleanup,
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 5b825687a8afb7df88f52f086fefb69b7ec95570 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Tue, 18 Jun 2019 23:07:36 +0300
+Subject: ipvs: fix tinfo memory leak in start_sync_thread
+
+[ Upstream commit 5db7c8b9f9fc2aeec671ae3ca6375752c162e0e7 ]
+
+syzkaller reports for memory leak in start_sync_thread [1]
+
+As Eric points out, kthread may start and stop before the
+threadfn function is called, so there is no chance for the
+data (tinfo in our case) to be released in the thread.
+
+Fix this by releasing tinfo in the controlling code instead.
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff8881206bf700 (size 32):
+ comm "syz-executor761", pid 7268, jiffies 4294943441 (age 20.470s)
+ hex dump (first 32 bytes):
+ 00 40 7c 09 81 88 ff ff 80 45 b8 21 81 88 ff ff .@|......E.!....
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000057619e23>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+ [<0000000057619e23>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<0000000057619e23>] slab_alloc mm/slab.c:3326 [inline]
+ [<0000000057619e23>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
+ [<0000000086ce5479>] kmalloc include/linux/slab.h:547 [inline]
+ [<0000000086ce5479>] start_sync_thread+0x5d2/0xe10 net/netfilter/ipvs/ip_vs_sync.c:1862
+ [<000000001a9229cc>] do_ip_vs_set_ctl+0x4c5/0x780 net/netfilter/ipvs/ip_vs_ctl.c:2402
+ [<00000000ece457c8>] nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ [<00000000ece457c8>] nf_setsockopt+0x4c/0x80 net/netfilter/nf_sockopt.c:115
+ [<00000000942f62d4>] ip_setsockopt net/ipv4/ip_sockglue.c:1258 [inline]
+ [<00000000942f62d4>] ip_setsockopt+0x9b/0xb0 net/ipv4/ip_sockglue.c:1238
+ [<00000000a56a8ffd>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616
+ [<00000000fa895401>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130
+ [<0000000095eef4cf>] __sys_setsockopt+0x98/0x120 net/socket.c:2078
+ [<000000009747cf88>] __do_sys_setsockopt net/socket.c:2089 [inline]
+ [<000000009747cf88>] __se_sys_setsockopt net/socket.c:2086 [inline]
+ [<000000009747cf88>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086
+ [<00000000ded8ba80>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+ [<00000000893b4ac8>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+7e2e50c8adfccd2e5041@syzkaller.appspotmail.com
+Suggested-by: Eric Biggers <ebiggers@kernel.org>
+Fixes: 998e7a76804b ("ipvs: Use kthread_run() instead of doing a double-fork via kernel_thread()")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_vs.h | 6 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 -
+ net/netfilter/ipvs/ip_vs_sync.c | 134 +++++++++++++++++---------------
+ 3 files changed, 76 insertions(+), 68 deletions(-)
+
+diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
+index 2ac40135b576..b36a1df93e7c 100644
+--- a/include/net/ip_vs.h
++++ b/include/net/ip_vs.h
+@@ -808,11 +808,12 @@ struct ipvs_master_sync_state {
+ struct ip_vs_sync_buff *sync_buff;
+ unsigned long sync_queue_len;
+ unsigned int sync_queue_delay;
+- struct task_struct *master_thread;
+ struct delayed_work master_wakeup_work;
+ struct netns_ipvs *ipvs;
+ };
+
++struct ip_vs_sync_thread_data;
++
+ /* How much time to keep dests in trash */
+ #define IP_VS_DEST_TRASH_PERIOD (120 * HZ)
+
+@@ -943,7 +944,8 @@ struct netns_ipvs {
+ spinlock_t sync_lock;
+ struct ipvs_master_sync_state *ms;
+ spinlock_t sync_buff_lock;
+- struct task_struct **backup_threads;
++ struct ip_vs_sync_thread_data *master_tinfo;
++ struct ip_vs_sync_thread_data *backup_tinfo;
+ int threads_mask;
+ volatile int sync_state;
+ struct mutex sync_mutex;
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 776c87ed4813..741d91aa4a8d 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2396,9 +2396,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ cfg.syncid = dm->syncid;
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+ } else {
+- mutex_lock(&ipvs->sync_mutex);
+ ret = stop_sync_thread(ipvs, dm->state);
+- mutex_unlock(&ipvs->sync_mutex);
+ }
+ goto out_dec;
+ }
+@@ -3515,10 +3513,8 @@ static int ip_vs_genl_del_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
+ if (!attrs[IPVS_DAEMON_ATTR_STATE])
+ return -EINVAL;
+
+- mutex_lock(&ipvs->sync_mutex);
+ ret = stop_sync_thread(ipvs,
+ nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
+- mutex_unlock(&ipvs->sync_mutex);
+ return ret;
+ }
+
+diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
+index 2526be6b3d90..a4a78c4b06de 100644
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -195,6 +195,7 @@ union ip_vs_sync_conn {
+ #define IPVS_OPT_F_PARAM (1 << (IPVS_OPT_PARAM-1))
+
+ struct ip_vs_sync_thread_data {
++ struct task_struct *task;
+ struct netns_ipvs *ipvs;
+ struct socket *sock;
+ char *buf;
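Review bot: The new `task` member comes with a change in who owns `struct ip_vs_sync_thread_data`, and the struct carries no comment recording it. Going by the commit description and the later hunks, the entries are now allocated as one array in `start_sync_thread()` and released by the controlling code, not by the thread functions. A comment above the struct such as `/* One entry per sync thread; allocated in start_sync_thread() and released by the controlling code after kthread_stop(), never by the thread itself */` would keep a later change from putting a free back into the thread. The struct continues past this hunk.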
+@@ -374,8 +375,11 @@ static inline void sb_queue_tail(struct netns_ipvs *ipvs,
+ max(IPVS_SYNC_SEND_DELAY, 1));
+ ms->sync_queue_len++;
+ list_add_tail(&sb->list, &ms->sync_queue);
+- if ((++ms->sync_queue_delay) == IPVS_SYNC_WAKEUP_RATE)
+- wake_up_process(ms->master_thread);
++ if ((++ms->sync_queue_delay) == IPVS_SYNC_WAKEUP_RATE) {
++ int id = (int)(ms - ipvs->ms);
++
++ wake_up_process(ipvs->master_tinfo[id].task);
++ }
+ } else
+ ip_vs_sync_buff_release(sb);
+ spin_unlock(&ipvs->sync_lock);
+@@ -1636,8 +1640,10 @@ static void master_wakeup_work_handler(struct work_struct *work)
+ spin_lock_bh(&ipvs->sync_lock);
+ if (ms->sync_queue_len &&
+ ms->sync_queue_delay < IPVS_SYNC_WAKEUP_RATE) {
++ int id = (int)(ms - ipvs->ms);
++
+ ms->sync_queue_delay = IPVS_SYNC_WAKEUP_RATE;
+- wake_up_process(ms->master_thread);
++ wake_up_process(ipvs->master_tinfo[id].task);
+ }
+ spin_unlock_bh(&ipvs->sync_lock);
+ }
+@@ -1703,10 +1709,6 @@ static int sync_thread_master(void *data)
+ if (sb)
+ ip_vs_sync_buff_release(sb);
+
+- /* release the sending multicast socket */
+- sock_release(tinfo->sock);
+- kfree(tinfo);
+-
+ return 0;
+ }
+
+@@ -1740,11 +1742,6 @@ static int sync_thread_backup(void *data)
+ }
+ }
+
+- /* release the sending multicast socket */
+- sock_release(tinfo->sock);
+- kfree(tinfo->buf);
+- kfree(tinfo);
+-
+ return 0;
+ }
+
+@@ -1752,8 +1749,8 @@ static int sync_thread_backup(void *data)
+ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ int state)
+ {
+- struct ip_vs_sync_thread_data *tinfo = NULL;
+- struct task_struct **array = NULL, *task;
++ struct ip_vs_sync_thread_data *ti = NULL, *tinfo;
++ struct task_struct *task;
+ struct net_device *dev;
+ char *name;
+ int (*threadfn)(void *data);
+@@ -1822,7 +1819,7 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ threadfn = sync_thread_master;
+ } else if (state == IP_VS_STATE_BACKUP) {
+ result = -EEXIST;
+- if (ipvs->backup_threads)
++ if (ipvs->backup_tinfo)
+ goto out_early;
+
+ ipvs->bcfg = *c;
+@@ -1849,28 +1846,22 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ master_wakeup_work_handler);
+ ms->ipvs = ipvs;
+ }
+- } else {
+- array = kcalloc(count, sizeof(struct task_struct *),
+- GFP_KERNEL);
+- result = -ENOMEM;
+- if (!array)
+- goto out;
+ }
++ result = -ENOMEM;
++ ti = kcalloc(count, sizeof(struct ip_vs_sync_thread_data),
++ GFP_KERNEL);
++ if (!ti)
++ goto out;
+
+ for (id = 0; id < count; id++) {
+- result = -ENOMEM;
+- tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL);
+- if (!tinfo)
+- goto out;
++ tinfo = &ti[id];
+ tinfo->ipvs = ipvs;
+- tinfo->sock = NULL;
+ if (state == IP_VS_STATE_BACKUP) {
++ result = -ENOMEM;
+ tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen,
+ GFP_KERNEL);
+ if (!tinfo->buf)
+ goto out;
+- } else {
+- tinfo->buf = NULL;
+ }
+ tinfo->id = id;
+ if (state == IP_VS_STATE_MASTER)
+@@ -1885,17 +1876,15 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ result = PTR_ERR(task);
+ goto out;
+ }
+- tinfo = NULL;
+- if (state == IP_VS_STATE_MASTER)
+- ipvs->ms[id].master_thread = task;
+- else
+- array[id] = task;
++ tinfo->task = task;
+ }
+
+ /* mark as active */
+
+- if (state == IP_VS_STATE_BACKUP)
+- ipvs->backup_threads = array;
++ if (state == IP_VS_STATE_MASTER)
++ ipvs->master_tinfo = ti;
++ else
++ ipvs->backup_tinfo = ti;
+ spin_lock_bh(&ipvs->sync_buff_lock);
+ ipvs->sync_state |= state;
+ spin_unlock_bh(&ipvs->sync_buff_lock);
+@@ -1910,29 +1899,31 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+
+ out:
+ /* We do not need RTNL lock anymore, release it here so that
+- * sock_release below and in the kthreads can use rtnl_lock
+- * to leave the mcast group.
++ * sock_release below can use rtnl_lock to leave the mcast group.
+ */
+ rtnl_unlock();
+- count = id;
+- while (count-- > 0) {
+- if (state == IP_VS_STATE_MASTER)
+- kthread_stop(ipvs->ms[count].master_thread);
+- else
+- kthread_stop(array[count]);
++ id = min(id, count - 1);
++ if (ti) {
++ for (tinfo = ti + id; tinfo >= ti; tinfo--) {
++ if (tinfo->task)
++ kthread_stop(tinfo->task);
++ }
+ }
+ if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) {
+ kfree(ipvs->ms);
+ ipvs->ms = NULL;
+ }
+ mutex_unlock(&ipvs->sync_mutex);
+- if (tinfo) {
+- if (tinfo->sock)
+- sock_release(tinfo->sock);
+- kfree(tinfo->buf);
+- kfree(tinfo);
++
++ /* No more mutexes, release socks */
++ if (ti) {
++ for (tinfo = ti + id; tinfo >= ti; tinfo--) {
++ if (tinfo->sock)
++ sock_release(tinfo->sock);
++ kfree(tinfo->buf);
++ }
++ kfree(ti);
+ }
+- kfree(array);
+ return result;
+
+ out_early:
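Review bot: Both cleanup loops in the `out:` path, `for (tinfo = ti + id; tinfo >= ti; tinfo--)`, end by stepping `tinfo` to one element before the start of the `ti` allocation. ISO C leaves that pointer undefined, even where the kernel's build flags make it behave. An index loop states the bound directly, `for (i = id; i >= 0; i--) { tinfo = &ti[i]; ... }`, and the same pattern appears in the release loop added to `stop_sync_thread()`. The clamp `id = min(id, count - 1);` would also benefit from a one-line comment naming the path that can arrive with `id == count`; that is not evident from this hunk, and the function starts outside it.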
+@@ -1944,15 +1935,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+
+ int stop_sync_thread(struct netns_ipvs *ipvs, int state)
+ {
+- struct task_struct **array;
++ struct ip_vs_sync_thread_data *ti, *tinfo;
+ int id;
+ int retc = -EINVAL;
+
+ IP_VS_DBG(7, "%s(): pid %d\n", __func__, task_pid_nr(current));
+
++ mutex_lock(&ipvs->sync_mutex);
+ if (state == IP_VS_STATE_MASTER) {
++ retc = -ESRCH;
+ if (!ipvs->ms)
+- return -ESRCH;
++ goto err;
++ ti = ipvs->master_tinfo;
+
+ /*
+ * The lock synchronizes with sb_queue_tail(), so that we don't
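Review bot: `stop_sync_thread()` now takes `ipvs->sync_mutex` itself, so a caller that still holds the mutex would deadlock, and nothing at the function records the new contract. The callers changed in this patch (`do_ip_vs_set_ctl()`, `ip_vs_genl_del_daemon()`, `ip_vs_sync_net_cleanup()`) drop their own locking. A comment above the function such as `/* Takes sync_mutex; must be called without it held. Sockets are released after the mutex is dropped. */` would make that visible to future callers. The function body continues in the next hunk.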
+@@ -1971,38 +1965,56 @@ int stop_sync_thread(struct netns_ipvs *ipvs, int state)
+ struct ipvs_master_sync_state *ms = &ipvs->ms[id];
+ int ret;
+
++ tinfo = &ti[id];
+ pr_info("stopping master sync thread %d ...\n",
+- task_pid_nr(ms->master_thread));
++ task_pid_nr(tinfo->task));
+ cancel_delayed_work_sync(&ms->master_wakeup_work);
+- ret = kthread_stop(ms->master_thread);
++ ret = kthread_stop(tinfo->task);
+ if (retc >= 0)
+ retc = ret;
+ }
+ kfree(ipvs->ms);
+ ipvs->ms = NULL;
++ ipvs->master_tinfo = NULL;
+ } else if (state == IP_VS_STATE_BACKUP) {
+- if (!ipvs->backup_threads)
+- return -ESRCH;
++ retc = -ESRCH;
++ if (!ipvs->backup_tinfo)
++ goto err;
++ ti = ipvs->backup_tinfo;
+
+ ipvs->sync_state &= ~IP_VS_STATE_BACKUP;
+- array = ipvs->backup_threads;
+ retc = 0;
+ for (id = ipvs->threads_mask; id >= 0; id--) {
+ int ret;
+
++ tinfo = &ti[id];
+ pr_info("stopping backup sync thread %d ...\n",
+- task_pid_nr(array[id]));
+- ret = kthread_stop(array[id]);
++ task_pid_nr(tinfo->task));
++ ret = kthread_stop(tinfo->task);
+ if (retc >= 0)
+ retc = ret;
+ }
+- kfree(array);
+- ipvs->backup_threads = NULL;
++ ipvs->backup_tinfo = NULL;
++ } else {
++ goto err;
+ }
++ id = ipvs->threads_mask;
++ mutex_unlock(&ipvs->sync_mutex);
++
++ /* No more mutexes, release socks */
++ for (tinfo = ti + id; tinfo >= ti; tinfo--) {
++ if (tinfo->sock)
++ sock_release(tinfo->sock);
++ kfree(tinfo->buf);
++ }
++ kfree(ti);
+
+ /* decrease the module use count */
+ ip_vs_use_count_dec();
++ return retc;
+
++err:
++ mutex_unlock(&ipvs->sync_mutex);
+ return retc;
+ }
+
+@@ -2021,7 +2033,6 @@ void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs)
+ {
+ int retc;
+
+- mutex_lock(&ipvs->sync_mutex);
+ retc = stop_sync_thread(ipvs, IP_VS_STATE_MASTER);
+ if (retc && retc != -ESRCH)
+ pr_err("Failed to stop Master Daemon\n");
+@@ -2029,5 +2040,4 @@ void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs)
+ retc = stop_sync_thread(ipvs, IP_VS_STATE_BACKUP);
+ if (retc && retc != -ESRCH)
+ pr_err("Failed to stop Backup Daemon\n");
+- mutex_unlock(&ipvs->sync_mutex);
+ }
+--
+2.20.1
+
--- /dev/null
+From 7923f2642b8a13e3ef315da6a9877629cff3a15e Mon Sep 17 00:00:00 2001
+From: Xingyu Chen <xingyu.chen@amlogic.com>
+Date: Sat, 8 Jun 2019 21:04:10 +0200
+Subject: irqchip/meson-gpio: Add support for Meson-G12A SoC
+
+[ Upstream commit c64a9e804ccf86eb202bfd1c6a8c5233c75a0431 ]
+
+The Meson-G12A SoC uses the same GPIO interrupt controller IP block as the
+other Meson SoCs. A total of 100 pins can be spied on, which is the sum of:
+
+- 223:100 undefined (no interrupt)
+- 99:97 3 pins on bank GPIOE
+- 96:77 20 pins on bank GPIOX
+- 76:61 16 pins on bank GPIOA
+- 60:53 8 pins on bank GPIOC
+- 52:37 16 pins on bank BOOT
+- 36:28 9 pins on bank GPIOH
+- 27:12 16 pins on bank GPIOZ
+- 11:0 12 pins in the AO domain
+
+Signed-off-by: Xingyu Chen <xingyu.chen@amlogic.com>
+Signed-off-by: Jianxin Pan <jianxin.pan@amlogic.com>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-meson-gpio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/irq-meson-gpio.c b/drivers/irqchip/irq-meson-gpio.c
+index 8eb92eb98f54..dcdc23b9dce6 100644
+--- a/drivers/irqchip/irq-meson-gpio.c
++++ b/drivers/irqchip/irq-meson-gpio.c
+@@ -60,6 +60,7 @@ static const struct of_device_id meson_irq_gpio_matches[] = {
+ { .compatible = "amlogic,meson-gxbb-gpio-intc", .data = &gxbb_params },
+ { .compatible = "amlogic,meson-gxl-gpio-intc", .data = &gxl_params },
+ { .compatible = "amlogic,meson-axg-gpio-intc", .data = &axg_params },
++ { .compatible = "amlogic,meson-g12a-gpio-intc", .data = &axg_params },
+ { }
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 9f415856a345aa8f7cb9ea0287d1b7c1dc0bda98 Mon Sep 17 00:00:00 2001
+From: Shahar S Matityahu <shahar.s.matityahu@intel.com>
+Date: Thu, 16 May 2019 10:31:17 +0300
+Subject: iwlwifi: dbg: fix debug monitor stop and restart delays
+
+[ Upstream commit fc838c775f35e272e5cc7ef43853f0b55babbe37 ]
+
+The driver should delay only in recording stop flow between writing to
+DBGC_IN_SAMPLE register and DBGC_OUT_CTRL register. Any other delay is
+not needed.
+
+Change the following:
+1. Remove any unnecessary delays in the flow
+2. Increase the delay in the stop recording flow since 100 micro is
+ not enough
+3. Use usleep_range instead of delay since the driver is allowed to
+ sleep in this flow.
+
+Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com>
+Fixes: 5cfe79c8d92a ("iwlwifi: fw: stop and start debugging using host command")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 2 --
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.h | 6 ++++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+index 33d7bc5500db..c875e173771c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -2303,8 +2303,6 @@ void iwl_fw_dbg_collect_sync(struct iwl_fw_runtime *fwrt)
+ /* start recording again if the firmware is not crashed */
+ if (!test_bit(STATUS_FW_ERROR, &fwrt->trans->status) &&
+ fwrt->fw->dbg.dest_tlv) {
+- /* wait before we collect the data till the DBGC stop */
+- udelay(500);
+ iwl_fw_dbg_restart_recording(fwrt, ¶ms);
+ }
+ }
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.h b/drivers/net/wireless/intel/iwlwifi/fw/dbg.h
+index fd0ad220e961..c5c015a66106 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.h
+@@ -294,7 +294,10 @@ _iwl_fw_dbg_stop_recording(struct iwl_trans *trans,
+ }
+
+ iwl_write_umac_prph(trans, DBGC_IN_SAMPLE, 0);
+- udelay(100);
++ /* wait for the DBGC to finish writing the internal buffer to DRAM to
++ * avoid halting the HW while writing
++ */
++ usleep_range(700, 1000);
+ iwl_write_umac_prph(trans, DBGC_OUT_CTRL, 0);
+ #ifdef CONFIG_IWLWIFI_DEBUGFS
+ trans->dbg_rec_on = false;
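Review bot: `_iwl_fw_dbg_stop_recording()` now calls `usleep_range(700, 1000)` and so may sleep, but nothing in this inline helper states or enforces that. The description says the driver is allowed to sleep in this flow, but the callers are not visible here. A `might_sleep();` at the top of the function, or a line in its comment saying it must not be called from atomic context, would catch a future caller that holds a spinlock. The function starts before this hunk.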
+@@ -324,7 +327,6 @@ _iwl_fw_dbg_restart_recording(struct iwl_trans *trans,
+ iwl_set_bits_prph(trans, MON_BUFF_SAMPLE_CTL, 0x1);
+ } else {
+ iwl_write_umac_prph(trans, DBGC_IN_SAMPLE, params->in_sample);
+- udelay(100);
+ iwl_write_umac_prph(trans, DBGC_OUT_CTRL, params->out_ctrl);
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 9e6d068970296c72f0ba8bd1239c8c0556e3619b Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Mon, 15 Apr 2019 16:45:04 +0300
+Subject: iwlwifi: mvm: Drop large non sta frames
+
+[ Upstream commit ac70499ee97231a418dc1a4d6c9dc102e8f64631 ]
+
+In some buggy scenarios we could possibly attempt to transmit frames larger
+than maximum MSDU size. Since our devices don't know how to handle this,
+it may result in asserts, hangs etc.
+This can happen, for example, when we receive a large multicast frame
+and try to transmit it back to the air in AP mode.
+Since in a legal scenario this should never happen, drop such frames and
+warn about it.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index 0c2aabc842f9..96f8d38ea321 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -726,6 +726,9 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb)
+
+ memcpy(&info, skb->cb, sizeof(info));
+
++ if (WARN_ON_ONCE(skb->len > IEEE80211_MAX_DATA_LEN + hdrlen))
++ return -1;
++
+ if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU))
+ return -1;
+
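Review bot: The new length check uses `WARN_ON_ONCE()`, yet the description names a received large multicast frame retransmitted in AP mode as one way to reach it, which would make the warning reachable from traffic on the air. If that is so, a host running with `panic_on_warn` would go down on such a frame, and every host logs only the first occurrence. A plain check with a rate-limited message keeps the drop without the warning splat, e.g. `if (skb->len > IEEE80211_MAX_DATA_LEN + hdrlen) { net_warn_ratelimited("iwlwifi: dropping oversized non-sta frame\n"); return -1; }`. `hdrlen` is computed outside this hunk.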
+--
+2.20.1
+
--- /dev/null
+From 19c9a88fb2924a35868a94f24166e1395b3e6212 Mon Sep 17 00:00:00 2001
+From: Dann Frazier <dann.frazier@canonical.com>
+Date: Wed, 22 May 2019 17:22:58 -0600
+Subject: ixgbe: Avoid NULL pointer dereference with VF on non-IPsec hw
+
+[ Upstream commit 92924064106e410cdc015f1dbfc0499309f9f5b1 ]
+
+An ipsec structure will not be allocated if the hardware does not support
+offload. Fixes the following Oops:
+
+[ 191.045452] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+[ 191.054232] Mem abort info:
+[ 191.057014] ESR = 0x96000004
+[ 191.060057] Exception class = DABT (current EL), IL = 32 bits
+[ 191.065963] SET = 0, FnV = 0
+[ 191.069004] EA = 0, S1PTW = 0
+[ 191.072132] Data abort info:
+[ 191.074999] ISV = 0, ISS = 0x00000004
+[ 191.078822] CM = 0, WnR = 0
+[ 191.081780] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000043d9e467
+[ 191.088382] [0000000000000000] pgd=0000000000000000
+[ 191.093252] Internal error: Oops: 96000004 [#1] SMP
+[ 191.098119] Modules linked in: vhost_net vhost tap vfio_pci vfio_virqfd vfio_iommu_type1 vfio xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter devlink ebtables ip6table_filter ip6_tables iptable_filter bpfilter ipmi_ssif nls_iso8859_1 input_leds joydev ipmi_si hns_roce_hw_v2 ipmi_devintf hns_roce ipmi_msghandler cppc_cpufreq sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 ses enclosure btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor hid_generic usbhid hid raid6_pq libcrc32c raid1 raid0 multipath linear ixgbevf hibmc_drm ttm
+[ 191.168607] drm_kms_helper aes_ce_blk aes_ce_cipher syscopyarea crct10dif_ce sysfillrect ghash_ce qla2xxx sysimgblt sha2_ce sha256_arm64 hisi_sas_v3_hw fb_sys_fops sha1_ce uas nvme_fc mpt3sas ixgbe drm hisi_sas_main nvme_fabrics usb_storage hclge scsi_transport_fc ahci libsas hnae3 raid_class libahci xfrm_algo scsi_transport_sas mdio aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64
+[ 191.202952] CPU: 94 PID: 0 Comm: swapper/94 Not tainted 4.19.0-rc1+ #11
+[ 191.209553] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.20.01 04/26/2019
+[ 191.218064] pstate: 20400089 (nzCv daIf +PAN -UAO)
+[ 191.222873] pc : ixgbe_ipsec_vf_clear+0x60/0xd0 [ixgbe]
+[ 191.228093] lr : ixgbe_msg_task+0x2d0/0x1088 [ixgbe]
+[ 191.233044] sp : ffff000009b3bcd0
+[ 191.236346] x29: ffff000009b3bcd0 x28: 0000000000000000
+[ 191.241647] x27: ffff000009628000 x26: 0000000000000000
+[ 191.246946] x25: ffff803f652d7600 x24: 0000000000000004
+[ 191.252246] x23: ffff803f6a718900 x22: 0000000000000000
+[ 191.257546] x21: 0000000000000000 x20: 0000000000000000
+[ 191.262845] x19: 0000000000000000 x18: 0000000000000000
+[ 191.268144] x17: 0000000000000000 x16: 0000000000000000
+[ 191.273443] x15: 0000000000000000 x14: 0000000100000026
+[ 191.278742] x13: 0000000100000025 x12: ffff8a5f7fbe0df0
+[ 191.284042] x11: 000000010000000b x10: 0000000000000040
+[ 191.289341] x9 : 0000000000001100 x8 : ffff803f6a824fd8
+[ 191.294640] x7 : ffff803f6a825098 x6 : 0000000000000001
+[ 191.299939] x5 : ffff000000f0ffc0 x4 : 0000000000000000
+[ 191.305238] x3 : ffff000028c00000 x2 : ffff803f652d7600
+[ 191.310538] x1 : 0000000000000000 x0 : ffff000000f205f0
+[ 191.315838] Process swapper/94 (pid: 0, stack limit = 0x00000000addfed5a)
+[ 191.322613] Call trace:
+[ 191.325055] ixgbe_ipsec_vf_clear+0x60/0xd0 [ixgbe]
+[ 191.329927] ixgbe_msg_task+0x2d0/0x1088 [ixgbe]
+[ 191.334536] ixgbe_msix_other+0x274/0x330 [ixgbe]
+[ 191.339233] __handle_irq_event_percpu+0x78/0x270
+[ 191.343924] handle_irq_event_percpu+0x40/0x98
+[ 191.348355] handle_irq_event+0x50/0xa8
+[ 191.352180] handle_fasteoi_irq+0xbc/0x148
+[ 191.356263] generic_handle_irq+0x34/0x50
+[ 191.360259] __handle_domain_irq+0x68/0xc0
+[ 191.364343] gic_handle_irq+0x84/0x180
+[ 191.368079] el1_irq+0xe8/0x180
+[ 191.371208] arch_cpu_idle+0x30/0x1a8
+[ 191.374860] do_idle+0x1dc/0x2a0
+[ 191.378077] cpu_startup_entry+0x2c/0x30
+[ 191.381988] secondary_start_kernel+0x150/0x1e0
+[ 191.386506] Code: 6b15003f 54000320 f1404a9f 54000060 (79400260)
+
+Fixes: eda0333ac2930 ("ixgbe: add VF IPsec management")
+Signed-off-by: Dann Frazier <dann.frazier@canonical.com>
+Acked-by: Shannon Nelson <snelson@pensando.io>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+index ff85ce5791a3..31629fc7e820 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+@@ -842,6 +842,9 @@ void ixgbe_ipsec_vf_clear(struct ixgbe_adapter *adapter, u32 vf)
+ struct ixgbe_ipsec *ipsec = adapter->ipsec;
+ int i;
+
++ if (!ipsec)
++ return;
++
+ /* search rx sa table */
+ for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT && ipsec->num_rx_sa; i++) {
+ if (!ipsec->rx_tbl[i].used)
+--
+2.20.1
+
--- /dev/null
+From 8b963c0e6940a300d5e23aef4615cf9c7db0f2d5 Mon Sep 17 00:00:00 2001
+From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Date: Thu, 23 May 2019 16:11:12 -0300
+Subject: ixgbe: Check DDM existence in transceiver before access
+
+[ Upstream commit 655c91414579d7bb115a4f7898ee726fc18e0984 ]
+
+Some transceivers may comply with SFF-8472 but not implement the Digital
+Diagnostic Monitoring (DDM) interface described in it. The existence of
+such area is specified by bit 6 of byte 92, set to 1 if implemented.
+
+Currently, because this bit is not checked, ixgbe fails when trying to read
+the SFP module's eeprom, with the following message:
+
+ethtool -m enP51p1s0f0
+Cannot get Module EEPROM data: Input/output error
+
+Because it fails to read the additional 256 bytes in which it was assumed
+to exist the DDM data.
+
+This issue was noticed using a Mellanox Passive DAC PN 01FT738. The eeprom
+data was confirmed by Mellanox as correct and present in other Passive
+DACs in from other manufacturers.
+
+Signed-off-by: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 3 ++-
+ drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index acba067cc15a..7c52ae8ac005 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -3226,7 +3226,8 @@ static int ixgbe_get_module_info(struct net_device *dev,
+ page_swap = true;
+ }
+
+- if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap) {
++ if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap ||
++ !(addr_mode & IXGBE_SFF_DDM_IMPLEMENTED)) {
+ /* We have a SFP, but it does not support SFF-8472 */
+ modinfo->type = ETH_MODULE_SFF_8079;
+ modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;
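Review bot: The comment kept under the widened condition, `/* We have a SFP, but it does not support SFF-8472 */`, no longer describes every case that reaches it. The branch is now also taken for a module that reports SFF-8472 but has the DDM bit clear. Something like `/* SFF-8472 unsupported, page swap required, or DDM not implemented: expose only the SFF-8079 layout */` would match the code. The test also reads the DDM bit from `addr_mode`, so that name now covers more than the addressing mode; its assignment is outside this hunk.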
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+index 214b01085718..6544c4539c0d 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+@@ -45,6 +45,7 @@
+ #define IXGBE_SFF_SOFT_RS_SELECT_10G 0x8
+ #define IXGBE_SFF_SOFT_RS_SELECT_1G 0x0
+ #define IXGBE_SFF_ADDRESSING_MODE 0x4
++#define IXGBE_SFF_DDM_IMPLEMENTED 0x40
+ #define IXGBE_SFF_QSFP_DA_ACTIVE_CABLE 0x1
+ #define IXGBE_SFF_QSFP_DA_PASSIVE_CABLE 0x8
+ #define IXGBE_SFF_QSFP_CONNECTOR_NOT_SEPARABLE 0x23
+--
+2.20.1
+
--- /dev/null
+From 664dc5e025a3543285f846b98c4400bc3bf6073b Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 24 Jun 2019 09:32:50 -0700
+Subject: libata: don't request sense data on !ZAC ATA devices
+
+[ Upstream commit ca156e006add67e4beea7896be395160735e09b0 ]
+
+ZAC support added sense data requesting on error for both ZAC and ATA
+devices. This seems to cause erratic error handling behaviors on some
+SSDs where the device reports sense data availability and then
+delivers the wrong content making EH take the wrong actions. The
+failure mode was sporadic on a LITE-ON ssd and couldn't be reliably
+reproduced.
+
+There is no value in requesting sense data from non-ZAC ATA devices
+while there's a significant risk of introducing EH misbehaviors which
+are difficult to reproduce and fix. Let's do the sense data dancing
+only for ZAC devices.
+
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Tested-by: Masato Suzuki <masato.suzuki@wdc.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-eh.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 9d687e1d4325..3bfd9da58473 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -1469,7 +1469,7 @@ static int ata_eh_read_log_10h(struct ata_device *dev,
+ tf->hob_lbah = buf[10];
+ tf->nsect = buf[12];
+ tf->hob_nsect = buf[13];
+- if (ata_id_has_ncq_autosense(dev->id))
++ if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id))
+ tf->auxiliary = buf[14] << 16 | buf[15] << 8 | buf[16];
+
+ return 0;
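Review bot: The `dev->class == ATA_DEV_ZAC` test added here, like the ones added to `ata_eh_analyze_ncq_error()` and `ata_eh_analyze_tf()` in the following hunks, carries no comment explaining why ATA devices that advertise sense data are skipped. The reason is only in the commit description (some SSDs report sense data and then deliver the wrong content), so a later cleanup could drop the class test as redundant. A comment at one of the sites, e.g. `/* ZAC only: some ATA SSDs advertise sense data but return bogus content */`, would preserve it. The function starts outside this hunk.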
+@@ -1716,7 +1716,8 @@ void ata_eh_analyze_ncq_error(struct ata_link *link)
+ memcpy(&qc->result_tf, &tf, sizeof(tf));
+ qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48;
+ qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ;
+- if ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary) {
++ if (dev->class == ATA_DEV_ZAC &&
++ ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary)) {
+ char sense_key, asc, ascq;
+
+ sense_key = (qc->result_tf.auxiliary >> 16) & 0xff;
+@@ -1770,10 +1771,11 @@ static unsigned int ata_eh_analyze_tf(struct ata_queued_cmd *qc,
+ }
+
+ switch (qc->dev->class) {
+- case ATA_DEV_ATA:
+ case ATA_DEV_ZAC:
+ if (stat & ATA_SENSE)
+ ata_eh_request_sense(qc, qc->scsicmd);
++ /* fall through */
++ case ATA_DEV_ATA:
+ if (err & ATA_ICRC)
+ qc->err_mask |= AC_ERR_ATA_BUS;
+ if (err & (ATA_UNC | ATA_AMNF))
+--
+2.20.1
+
--- /dev/null
+From b3a0ecbb82a6410af5408b7b6b38b1aa59d3a77a Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Mon, 15 Jul 2019 20:57:03 -0700
+Subject: libbpf: fix another GCC8 warning for strncpy
+
+[ Upstream commit 763ff0e7d9c72e7094b31e7fb84a859be9325635 ]
+
+Similar issue was fixed in cdfc7f888c2a ("libbpf: fix GCC8 warning for
+strncpy") already. This one was missed. Fixing now.
+
+Cc: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/xsk.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c
+index 8a7a05bc657d..ca272c5b67f4 100644
+--- a/tools/lib/bpf/xsk.c
++++ b/tools/lib/bpf/xsk.c
+@@ -562,7 +562,8 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname,
+ err = -errno;
+ goto out_socket;
+ }
+- strncpy(xsk->ifname, ifname, IFNAMSIZ);
++ strncpy(xsk->ifname, ifname, IFNAMSIZ - 1);
++ xsk->ifname[IFNAMSIZ - 1] = '\0';
+
+ err = xsk_set_xdp_socket_config(&xsk->config, usr_config);
+ if (err)
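Review bot: An `ifname` of `IFNAMSIZ` or more characters is now silently truncated into `xsk->ifname` instead of being rejected, so later lookups by name would use the shortened string and could resolve to a different interface. Checking the length before the copy makes the failure explicit: `if (strlen(ifname) >= IFNAMSIZ) { err = -ENAMETOOLONG; goto out_socket; }`. The start of `xsk_socket__create()` is outside this hunk, so an earlier length check may already exist.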
+--
+2.20.1
+
--- /dev/null
+From cfb0c49ec3d4cb09a1bff6c5fd857ebc51a8e6a3 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Tue, 2 Jul 2019 08:16:20 -0700
+Subject: libbpf: fix GCC8 warning for strncpy
+
+[ Upstream commit cdfc7f888c2a355b01308e97c6df108f1c2b64e8 ]
+
+GCC8 started emitting warning about using strncpy with number of bytes
+exactly equal destination size, which is generally unsafe, as can lead
+to non-zero terminated string being copied. Use IFNAMSIZ - 1 as number
+of bytes to ensure name is always zero-terminated.
+
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Cc: Magnus Karlsson <magnus.karlsson@intel.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/xsk.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c
+index 38667b62f1fe..8a7a05bc657d 100644
+--- a/tools/lib/bpf/xsk.c
++++ b/tools/lib/bpf/xsk.c
+@@ -337,7 +337,8 @@ static int xsk_get_max_queues(struct xsk_socket *xsk)
+
+ channels.cmd = ETHTOOL_GCHANNELS;
+ ifr.ifr_data = (void *)&channels;
+- strncpy(ifr.ifr_name, xsk->ifname, IFNAMSIZ);
++ strncpy(ifr.ifr_name, xsk->ifname, IFNAMSIZ - 1);
++ ifr.ifr_name[IFNAMSIZ - 1] = '\0';
+ err = ioctl(fd, SIOCETHTOOL, &ifr);
+ if (err && errno != EOPNOTSUPP) {
+ ret = -errno;
+--
+2.20.1
+
--- /dev/null
+From 8d3ac26376a5d454debba756a838eee530d6a395 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Fri, 21 Jun 2019 11:12:00 +0200
+Subject: lightnvm: fix uninitialized pointer in nvm_remove_tgt()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 2f5af4ab7de14bd35f3435e6a47300276bbb6c17 ]
+
+With gcc 4.1:
+
+ drivers/lightnvm/core.c: In function ‘nvm_remove_tgt’:
+ drivers/lightnvm/core.c:510: warning: ‘t’ is used uninitialized in this function
+
+Indeed, if no NVM devices have been registered, t will be an
+uninitialized pointer, and may be dereferenced later. A call to
+nvm_remove_tgt() can be triggered from userspace by issuing the
+NVM_DEV_REMOVE ioctl on the lightnvm control device.
+
+Fix this by preinitializing t to NULL.
+
+Fixes: 843f2edbdde085b4 ("lightnvm: do not remove instance under global lock")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Matias Bjørling <mb@lightnvm.io>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/lightnvm/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
+index 7d555b110ecd..a600934fdd9c 100644
+--- a/drivers/lightnvm/core.c
++++ b/drivers/lightnvm/core.c
+@@ -478,7 +478,7 @@ static void __nvm_remove_target(struct nvm_target *t, bool graceful)
+ */
+ static int nvm_remove_tgt(struct nvm_ioctl_remove *remove)
+ {
+- struct nvm_target *t;
++ struct nvm_target *t = NULL;
+ struct nvm_dev *dev;
+
+ down_read(&nvm_lock);
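Review bot: Initialising `t` to NULL in `nvm_remove_tgt()` removes the uninitialised read, but the function is only safe if the code after the device loop tests `t` before using it, and that code lies outside this hunk. The commit message says this path is reachable from userspace through the NVM_DEV_REMOVE ioctl, so a comment on the declaration would make the contract explicit, for example `/* stays NULL when no device is registered or no target matches */`. `dev` on the next line is left as it was and presumably is only meaningful when a target was found; worth confirming it is not used on the not-found path.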
+--
+2.20.1
+
--- /dev/null
+From 93f2a35fb8bdd03fdb9f2605528a3375fd850f2c Mon Sep 17 00:00:00 2001
+From: Heiner Litz <hlitz@ucsc.edu>
+Date: Fri, 21 Jun 2019 11:11:59 +0200
+Subject: lightnvm: pblk: fix freeing of merged pages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 510fd8ea98fcb586c01aef93d87c060a159ac30a ]
+
+bio_add_pc_page() may merge pages when a bio is padded due to a flush.
+Fix iteration over the bio to free the correct pages in case of a merge.
+
+Signed-off-by: Heiner Litz <hlitz@ucsc.edu>
+Reviewed-by: Javier González <javier@javigon.com>
+Signed-off-by: Matias Bjørling <mb@lightnvm.io>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/lightnvm/pblk-core.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/lightnvm/pblk-core.c b/drivers/lightnvm/pblk-core.c
+index 773537804319..f546e6f28b8a 100644
+--- a/drivers/lightnvm/pblk-core.c
++++ b/drivers/lightnvm/pblk-core.c
+@@ -323,14 +323,16 @@ void pblk_free_rqd(struct pblk *pblk, struct nvm_rq *rqd, int type)
+ void pblk_bio_free_pages(struct pblk *pblk, struct bio *bio, int off,
+ int nr_pages)
+ {
+- struct bio_vec bv;
+- int i;
+-
+- WARN_ON(off + nr_pages != bio->bi_vcnt);
+-
+- for (i = off; i < nr_pages + off; i++) {
+- bv = bio->bi_io_vec[i];
+- mempool_free(bv.bv_page, &pblk->page_bio_pool);
++ struct bio_vec *bv;
++ struct page *page;
++ int i, e, nbv = 0;
++
++ for (i = 0; i < bio->bi_vcnt; i++) {
++ bv = &bio->bi_io_vec[i];
++ page = bv->bv_page;
++ for (e = 0; e < bv->bv_len; e += PBLK_EXPOSED_PAGE_SIZE, nbv++)
++ if (nbv >= off)
++ mempool_free(page++, &pblk->page_bio_pool);
+ }
+ }
+
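Review bot: In the inner loop of `pblk_bio_free_pages()` the `page++` sits inside the `if (nbv >= off)` branch, so pages skipped because they lie before `off` do not advance the cursor. If `off` falls inside a merged bio_vec, the loop frees the first pages of that vector (the ones meant to be kept) and never reaches the trailing ones. Moving the increment into the loop header avoids that: `for (e = 0; e < bv->bv_len; e += PBLK_EXPOSED_PAGE_SIZE, nbv++, page++)` with `mempool_free(page, &pblk->page_bio_pool);` in the body. The change also leaves `nr_pages` unused and drops the `WARN_ON` that tied `off + nr_pages` to the bio, so everything from `off` to the end is freed whatever the caller passed; a bound such as `nbv < off + nr_pages` would keep the parameter meaningful.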
+--
+2.20.1
+
--- /dev/null
+From a077a8cd1e2f214ec64f0ed7d70a3db1c3c2b012 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 24 May 2019 23:15:09 +0300
+Subject: locking/lockdep: Fix merging of hlocks with non-zero references
+
+[ Upstream commit d9349850e188b8b59e5322fda17ff389a1c0cd7d ]
+
+The sequence
+
+ static DEFINE_WW_CLASS(test_ww_class);
+
+ struct ww_acquire_ctx ww_ctx;
+ struct ww_mutex ww_lock_a;
+ struct ww_mutex ww_lock_b;
+ struct ww_mutex ww_lock_c;
+ struct mutex lock_c;
+
+ ww_acquire_init(&ww_ctx, &test_ww_class);
+
+ ww_mutex_init(&ww_lock_a, &test_ww_class);
+ ww_mutex_init(&ww_lock_b, &test_ww_class);
+ ww_mutex_init(&ww_lock_c, &test_ww_class);
+
+ mutex_init(&lock_c);
+
+ ww_mutex_lock(&ww_lock_a, &ww_ctx);
+
+ mutex_lock(&lock_c);
+
+ ww_mutex_lock(&ww_lock_b, &ww_ctx);
+ ww_mutex_lock(&ww_lock_c, &ww_ctx);
+
+ mutex_unlock(&lock_c); (*)
+
+ ww_mutex_unlock(&ww_lock_c);
+ ww_mutex_unlock(&ww_lock_b);
+ ww_mutex_unlock(&ww_lock_a);
+
+ ww_acquire_fini(&ww_ctx); (**)
+
+will trigger the following error in __lock_release() when calling
+mutex_release() at **:
+
+ DEBUG_LOCKS_WARN_ON(depth <= 0)
+
+The problem is that the hlock merging happening at * updates the
+references for test_ww_class incorrectly to 3 whereas it should've
+updated it to 4 (representing all the instances for ww_ctx and
+ww_lock_[abc]).
+
+Fix this by updating the references during merging correctly taking into
+account that we can have non-zero references (both for the hlock that we
+merge into another hlock or for the hlock we are merging into).
+
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 82361e1bce0f..dbc936ccf149 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3703,17 +3703,17 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
+ if (depth) {
+ hlock = curr->held_locks + depth - 1;
+ if (hlock->class_idx == class_idx && nest_lock) {
+- if (hlock->references) {
+- /*
+- * Check: unsigned int references:12, overflow.
+- */
+- if (DEBUG_LOCKS_WARN_ON(hlock->references == (1 << 12)-1))
+- return 0;
++ if (!references)
++ references++;
+
++ if (!hlock->references)
+ hlock->references++;
+- } else {
+- hlock->references = 2;
+- }
++
++ hlock->references += references;
++
++ /* Overflow */
++ if (DEBUG_LOCKS_WARN_ON(hlock->references < references))
++ return 0;
+
+ return 2;
+ }
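Review bot: The overflow test in this branch of `__lock_acquire()` now runs after `hlock->references += references`, so by the time `DEBUG_LOCKS_WARN_ON` fires the stored count has already wrapped. The removed comment recorded that `references` is a 12-bit bitfield, which is what makes `hlock->references < references` a usable wrap test (and only while the addend itself fits in 12 bits); the new `/* Overflow */` loses that. I would keep the width in the comment, e.g. `/* Overflow: references is a 12-bit field, a wrapped sum is smaller than the addend */`, and compute the sum in a local before storing it if the old count should survive the warning. The function body starts and ends outside the hunk.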
+--
+2.20.1
+
--- /dev/null
+From 3274df13ba8648c958795688d7221bf3833f6256 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 24 May 2019 23:15:08 +0300
+Subject: locking/lockdep: Fix OOO unlock when hlocks need merging
+
+[ Upstream commit 8c8889d8eaf4501ae4aaf870b6f8f55db5d5109a ]
+
+The sequence
+
+ static DEFINE_WW_CLASS(test_ww_class);
+
+ struct ww_acquire_ctx ww_ctx;
+ struct ww_mutex ww_lock_a;
+ struct ww_mutex ww_lock_b;
+ struct mutex lock_c;
+ struct mutex lock_d;
+
+ ww_acquire_init(&ww_ctx, &test_ww_class);
+
+ ww_mutex_init(&ww_lock_a, &test_ww_class);
+ ww_mutex_init(&ww_lock_b, &test_ww_class);
+
+ mutex_init(&lock_c);
+
+ ww_mutex_lock(&ww_lock_a, &ww_ctx);
+
+ mutex_lock(&lock_c);
+
+ ww_mutex_lock(&ww_lock_b, &ww_ctx);
+
+ mutex_unlock(&lock_c); (*)
+
+ ww_mutex_unlock(&ww_lock_b);
+ ww_mutex_unlock(&ww_lock_a);
+
+ ww_acquire_fini(&ww_ctx);
+
+triggers the following WARN in __lock_release() when doing the unlock at *:
+
+ DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth - 1);
+
+The problem is that the WARN check doesn't take into account the merging
+of ww_lock_a and ww_lock_b which results in decreasing curr->lockdep_depth
+by 2 not only 1.
+
+Note that the following sequence doesn't trigger the WARN, since there
+won't be any hlock merging.
+
+ ww_acquire_init(&ww_ctx, &test_ww_class);
+
+ ww_mutex_init(&ww_lock_a, &test_ww_class);
+ ww_mutex_init(&ww_lock_b, &test_ww_class);
+
+ mutex_init(&lock_c);
+ mutex_init(&lock_d);
+
+ ww_mutex_lock(&ww_lock_a, &ww_ctx);
+
+ mutex_lock(&lock_c);
+ mutex_lock(&lock_d);
+
+ ww_mutex_lock(&ww_lock_b, &ww_ctx);
+
+ mutex_unlock(&lock_d);
+
+ ww_mutex_unlock(&ww_lock_b);
+ ww_mutex_unlock(&ww_lock_a);
+
+ mutex_unlock(&lock_c);
+
+ ww_acquire_fini(&ww_ctx);
+
+In general both of the above two sequences are valid and shouldn't
+trigger any lockdep warning.
+
+Fix this by taking the decrement due to the hlock merging into account
+during lock release and hlock class re-setting. Merging can't happen
+during lock downgrading since there won't be a new possibility to merge
+hlocks in that case, so add a WARN if merging still happens then.
+
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: ville.syrjala@linux.intel.com
+Link: https://lkml.kernel.org/r/20190524201509.9199-1-imre.deak@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 41 ++++++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index c47788fa85f9..82361e1bce0f 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3715,7 +3715,7 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
+ hlock->references = 2;
+ }
+
+- return 1;
++ return 2;
+ }
+ }
+
+@@ -3921,22 +3921,33 @@ static struct held_lock *find_held_lock(struct task_struct *curr,
+ }
+
+ static int reacquire_held_locks(struct task_struct *curr, unsigned int depth,
+- int idx)
++ int idx, unsigned int *merged)
+ {
+ struct held_lock *hlock;
++ int first_idx = idx;
+
+ if (DEBUG_LOCKS_WARN_ON(!irqs_disabled()))
+ return 0;
+
+ for (hlock = curr->held_locks + idx; idx < depth; idx++, hlock++) {
+- if (!__lock_acquire(hlock->instance,
++ switch (__lock_acquire(hlock->instance,
+ hlock_class(hlock)->subclass,
+ hlock->trylock,
+ hlock->read, hlock->check,
+ hlock->hardirqs_off,
+ hlock->nest_lock, hlock->acquire_ip,
+- hlock->references, hlock->pin_count))
++ hlock->references, hlock->pin_count)) {
++ case 0:
+ return 1;
++ case 1:
++ break;
++ case 2:
++ *merged += (idx == first_idx);
++ break;
++ default:
++ WARN_ON(1);
++ return 0;
++ }
+ }
+ return 0;
+ }
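Review bot: The `default:` arm of the new switch in `reacquire_held_locks()` returns 0, which the callers in this patch treat as success (`if (reacquire_held_locks(...)) return 0;`), while `case 0` returns 1 for failure. An unexpected return value from `__lock_acquire()` therefore warns and then lets the caller carry on with a partially re-acquired lock stack; `return 1;` after the `WARN_ON(1)` would fail closed. The bare `0`/`1`/`2` codes are also undocumented at this site; a comment such as `/* __lock_acquire(): 0 = failed, 1 = acquired, 2 = merged into the previous hlock */` above the switch would help, along with a word on why only a merge at `first_idx` is counted in `*merged`.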
+@@ -3947,9 +3958,9 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
+ unsigned long ip)
+ {
+ struct task_struct *curr = current;
++ unsigned int depth, merged = 0;
+ struct held_lock *hlock;
+ struct lock_class *class;
+- unsigned int depth;
+ int i;
+
+ if (unlikely(!debug_locks))
+@@ -3974,14 +3985,14 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
+ curr->lockdep_depth = i;
+ curr->curr_chain_key = hlock->prev_chain_key;
+
+- if (reacquire_held_locks(curr, depth, i))
++ if (reacquire_held_locks(curr, depth, i, &merged))
+ return 0;
+
+ /*
+ * I took it apart and put it back together again, except now I have
+ * these 'spare' parts.. where shall I put them.
+ */
+- if (DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth))
++ if (DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth - merged))
+ return 0;
+ return 1;
+ }
+@@ -3989,8 +4000,8 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
+ static int __lock_downgrade(struct lockdep_map *lock, unsigned long ip)
+ {
+ struct task_struct *curr = current;
++ unsigned int depth, merged = 0;
+ struct held_lock *hlock;
+- unsigned int depth;
+ int i;
+
+ if (unlikely(!debug_locks))
+@@ -4015,7 +4026,11 @@ static int __lock_downgrade(struct lockdep_map *lock, unsigned long ip)
+ hlock->read = 1;
+ hlock->acquire_ip = ip;
+
+- if (reacquire_held_locks(curr, depth, i))
++ if (reacquire_held_locks(curr, depth, i, &merged))
++ return 0;
++
++ /* Merging can't happen with unchanged classes.. */
++ if (DEBUG_LOCKS_WARN_ON(merged))
+ return 0;
+
+ /*
+@@ -4024,6 +4039,7 @@ static int __lock_downgrade(struct lockdep_map *lock, unsigned long ip)
+ */
+ if (DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth))
+ return 0;
++
+ return 1;
+ }
+
+@@ -4038,8 +4054,8 @@ static int
+ __lock_release(struct lockdep_map *lock, int nested, unsigned long ip)
+ {
+ struct task_struct *curr = current;
++ unsigned int depth, merged = 1;
+ struct held_lock *hlock;
+- unsigned int depth;
+ int i;
+
+ if (unlikely(!debug_locks))
+@@ -4094,14 +4110,15 @@ __lock_release(struct lockdep_map *lock, int nested, unsigned long ip)
+ if (i == depth-1)
+ return 1;
+
+- if (reacquire_held_locks(curr, depth, i + 1))
++ if (reacquire_held_locks(curr, depth, i + 1, &merged))
+ return 0;
+
+ /*
+ * We had N bottles of beer on the wall, we drank one, but now
+ * there's not N-1 bottles of beer left on the wall...
++ * Pouring two of the bottles together is acceptable.
+ */
+- DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth-1);
++ DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth - merged);
+
+ /*
+ * Since reacquire_held_locks() would have called check_chain_key()
+--
+2.20.1
+
--- /dev/null
+From b2a929b7f409cc0f18c62d684cf142b7f9492d87 Mon Sep 17 00:00:00 2001
+From: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+Date: Fri, 31 May 2019 18:15:41 -0400
+Subject: media: aspeed: change irq to threaded irq
+
+[ Upstream commit 12ae1c1bf5db2f33fcd9092a96f630291c4b181a ]
+
+Differently from other Aspeed drivers, this driver calls clock
+control APIs in interrupt context. Since ECLK is coupled with a
+reset bit in clk-aspeed module, aspeed_clk_enable will make 10ms of
+busy waiting delay for triggering the reset and it will eventually
+disturb other drivers' interrupt handling. To fix this issue, this
+commit changes this driver's irq to threaded irq so that the delay
+can happen in a thread context.
+
+Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+Reviewed-by: Eddie James <eajames@linux.ibm.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/aspeed-video.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c
+index 8144fe36ad48..76d7512c82a3 100644
+--- a/drivers/media/platform/aspeed-video.c
++++ b/drivers/media/platform/aspeed-video.c
+@@ -1589,8 +1589,9 @@ static int aspeed_video_init(struct aspeed_video *video)
+ return -ENODEV;
+ }
+
+- rc = devm_request_irq(dev, irq, aspeed_video_irq, IRQF_SHARED,
+- DEVICE_NAME, video);
++ rc = devm_request_threaded_irq(dev, irq, NULL, aspeed_video_irq,
++ IRQF_ONESHOT | IRQF_SHARED, DEVICE_NAME,
++ video);
+ if (rc < 0) {
+ dev_err(dev, "Unable to request IRQ %d\n", irq);
+ return rc;
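Review bot: `IRQF_ONESHOT | IRQF_SHARED` with a NULL primary handler means every other handler registered on this line has to request IRQF_ONESHOT as well, otherwise the mismatching request is rejected. Whether this interrupt is actually shared on the supported boards is not visible in the hunk, so either drop `IRQF_SHARED` if it is not, or note the constraint next to the call, e.g. `/* threaded + ONESHOT: all sharers of this line must also be ONESHOT */`. `aspeed_video_irq` now runs in process context, so any lock it shares with code that runs with interrupts disabled should be re-checked; that code is outside this hunk.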
+--
+2.20.1
+
--- /dev/null
+From 27d2f83982a24cefacc30fc1e9f508f4be26c5b7 Mon Sep 17 00:00:00 2001
+From: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+Date: Fri, 31 May 2019 18:15:39 -0400
+Subject: media: aspeed: fix a kernel warning on clk control
+
+[ Upstream commit 9698ed4d4a2993ce54b9f7d71a2891e972caa117 ]
+
+Video engine clock control can be double disabled and eventually
+it causes a kernel warning with stack dump printing out like below:
+
+[ 515.540498] ------------[ cut here ]------------
+[ 515.545174] WARNING: CPU: 0 PID: 1310 at drivers/clk/clk.c:684 clk_core_unprepare+0x13c/0x170
+[ 515.553806] vclk-gate already unprepared
+[ 515.557841] CPU: 0 PID: 1310 Comm: obmc-ikvm Tainted: G W 5.0.6-df66fbc97853fbba90a0bfa44de32f3d5f7602b4 #1
+[ 515.568973] Hardware name: Generic DT based system
+[ 515.573777] Backtrace:
+[ 515.576272] [<80107cdc>] (dump_backtrace) from [<80107f10>] (show_stack+0x20/0x24)
+[ 515.583930] r7:803a5614 r6:00000009 r5:00000000 r4:9d88fe1c
+[ 515.589712] [<80107ef0>] (show_stack) from [<80690184>] (dump_stack+0x20/0x28)
+[ 515.597053] [<80690164>] (dump_stack) from [<80116044>] (__warn.part.3+0xb4/0xdc)
+[ 515.604557] [<80115f90>] (__warn.part.3) from [<801160d8>] (warn_slowpath_fmt+0x6c/0x90)
+[ 515.612734] r6:000002ac r5:8080befc r4:80a07008
+[ 515.617463] [<80116070>] (warn_slowpath_fmt) from [<803a5614>] (clk_core_unprepare+0x13c/0x170)
+[ 515.626167] r3:8080cdf4 r2:8080bfc0
+[ 515.629834] r7:98d682a8 r6:9d8a9200 r5:9e5151a0 r4:97abd620
+[ 515.635530] [<803a54d8>] (clk_core_unprepare) from [<803a76a4>] (clk_unprepare+0x34/0x3c)
+[ 515.643812] r5:9e5151a0 r4:97abd620
+[ 515.647529] [<803a7670>] (clk_unprepare) from [<804f36ec>] (aspeed_video_off+0x38/0x50)
+[ 515.655539] r5:9e5151a0 r4:9e504000
+[ 515.659242] [<804f36b4>] (aspeed_video_off) from [<804f4358>] (aspeed_video_release+0x90/0x114)
+[ 515.668036] r5:9e5044b0 r4:9e504000
+[ 515.671643] [<804f42c8>] (aspeed_video_release) from [<804d302c>] (v4l2_release+0xd4/0xe8)
+[ 515.679999] r7:98d682a8 r6:9d087810 r5:9d8a9200 r4:9e504318
+[ 515.685695] [<804d2f58>] (v4l2_release) from [<80236454>] (__fput+0x98/0x1c4)
+[ 515.692914] r5:9e51b608 r4:9d8a9200
+[ 515.696597] [<802363bc>] (__fput) from [<802365e8>] (____fput+0x18/0x1c)
+[ 515.703315] r9:80a0700c r8:801011e4 r7:00000000 r6:80a64b9c r5:9d8e35a0 r4:9d8e38dc
+[ 515.711167] [<802365d0>] (____fput) from [<80131ca4>] (task_work_run+0x7c/0xa0)
+[ 515.718596] [<80131c28>] (task_work_run) from [<80106884>] (do_work_pending+0x4a8/0x578)
+[ 515.726777] r7:801011e4 r6:80a07008 r5:9d88ffb0 r4:ffffe000
+[ 515.732466] [<801063dc>] (do_work_pending) from [<8010106c>] (slow_work_pending+0xc/0x20)
+[ 515.740727] Exception stack(0x9d88ffb0 to 0x9d88fff8)
+[ 515.745840] ffa0: 00000000 76f18094 00000000 00000000
+[ 515.754122] ffc0: 00000007 00176778 7eda4c20 00000006 00000000 00000000 48e20fa4 00000000
+[ 515.762386] ffe0: 00000002 7eda4b08 00000000 48f91efc 80000010 00000007
+[ 515.769097] r10:00000000 r9:9d88e000 r8:801011e4 r7:00000006 r6:7eda4c20 r5:00176778
+[ 515.777006] r4:00000007
+[ 515.779558] ---[ end trace 12c04aadef8afbbb ]---
+[ 515.784176] ------------[ cut here ]------------
+[ 515.788817] WARNING: CPU: 0 PID: 1310 at drivers/clk/clk.c:825 clk_core_disable+0x18c/0x204
+[ 515.797161] eclk-gate already disabled
+[ 515.800916] CPU: 0 PID: 1310 Comm: obmc-ikvm Tainted: G W 5.0.6-df66fbc97853fbba90a0bfa44de32f3d5f7602b4 #1
+[ 515.811945] Hardware name: Generic DT based system
+[ 515.816730] Backtrace:
+[ 515.819210] [<80107cdc>] (dump_backtrace) from [<80107f10>] (show_stack+0x20/0x24)
+[ 515.826782] r7:803a5900 r6:00000009 r5:00000000 r4:9d88fe04
+[ 515.832454] [<80107ef0>] (show_stack) from [<80690184>] (dump_stack+0x20/0x28)
+[ 515.839687] [<80690164>] (dump_stack) from [<80116044>] (__warn.part.3+0xb4/0xdc)
+[ 515.847170] [<80115f90>] (__warn.part.3) from [<801160d8>] (warn_slowpath_fmt+0x6c/0x90)
+[ 515.855247] r6:00000339 r5:8080befc r4:80a07008
+[ 515.859868] [<80116070>] (warn_slowpath_fmt) from [<803a5900>] (clk_core_disable+0x18c/0x204)
+[ 515.868385] r3:8080cdd0 r2:8080c00c
+[ 515.871957] r7:98d682a8 r6:9d8a9200 r5:97abd560 r4:97abd560
+[ 515.877615] [<803a5774>] (clk_core_disable) from [<803a59a0>] (clk_core_disable_lock+0x28/0x34)
+[ 515.886301] r7:98d682a8 r6:9d8a9200 r5:97abd560 r4:a0000013
+[ 515.891960] [<803a5978>] (clk_core_disable_lock) from [<803a7714>] (clk_disable+0x2c/0x30)
+[ 515.900216] r5:9e5151a0 r4:9e515f60
+[ 515.903816] [<803a76e8>] (clk_disable) from [<804f36f8>] (aspeed_video_off+0x44/0x50)
+[ 515.911656] [<804f36b4>] (aspeed_video_off) from [<804f4358>] (aspeed_video_release+0x90/0x114)
+[ 515.920341] r5:9e5044b0 r4:9e504000
+[ 515.923921] [<804f42c8>] (aspeed_video_release) from [<804d302c>] (v4l2_release+0xd4/0xe8)
+[ 515.932184] r7:98d682a8 r6:9d087810 r5:9d8a9200 r4:9e504318
+[ 515.937851] [<804d2f58>] (v4l2_release) from [<80236454>] (__fput+0x98/0x1c4)
+[ 515.944980] r5:9e51b608 r4:9d8a9200
+[ 515.948559] [<802363bc>] (__fput) from [<802365e8>] (____fput+0x18/0x1c)
+[ 515.955257] r9:80a0700c r8:801011e4 r7:00000000 r6:80a64b9c r5:9d8e35a0 r4:9d8e38dc
+[ 515.963008] [<802365d0>] (____fput) from [<80131ca4>] (task_work_run+0x7c/0xa0)
+[ 515.970333] [<80131c28>] (task_work_run) from [<80106884>] (do_work_pending+0x4a8/0x578)
+[ 515.978421] r7:801011e4 r6:80a07008 r5:9d88ffb0 r4:ffffe000
+[ 515.984086] [<801063dc>] (do_work_pending) from [<8010106c>] (slow_work_pending+0xc/0x20)
+[ 515.992247] Exception stack(0x9d88ffb0 to 0x9d88fff8)
+[ 515.997296] ffa0: 00000000 76f18094 00000000 00000000
+[ 516.005473] ffc0: 00000007 00176778 7eda4c20 00000006 00000000 00000000 48e20fa4 00000000
+[ 516.013642] ffe0: 00000002 7eda4b08 00000000 48f91efc 80000010 00000007
+[ 516.020257] r10:00000000 r9:9d88e000 r8:801011e4 r7:00000006 r6:7eda4c20 r5:00176778
+[ 516.028072] r4:00000007
+[ 516.030606] ---[ end trace 12c04aadef8afbbc ]---
+
+To prevent this issue, this commit adds clock status checking
+logic into the Aspeed video engine driver.
+
+Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+Reviewed-by: Eddie James <eajames@linux.ibm.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/aspeed-video.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c
+index 76d7512c82a3..de0f192afa8b 100644
+--- a/drivers/media/platform/aspeed-video.c
++++ b/drivers/media/platform/aspeed-video.c
+@@ -187,6 +187,7 @@ enum {
+ VIDEO_STREAMING,
+ VIDEO_FRAME_INPRG,
+ VIDEO_STOPPED,
++ VIDEO_CLOCKS_ON,
+ };
+
+ struct aspeed_video_addr {
+@@ -483,19 +484,29 @@ static void aspeed_video_enable_mode_detect(struct aspeed_video *video)
+
+ static void aspeed_video_off(struct aspeed_video *video)
+ {
++ if (!test_bit(VIDEO_CLOCKS_ON, &video->flags))
++ return;
++
+ /* Disable interrupts */
+ aspeed_video_write(video, VE_INTERRUPT_CTRL, 0);
+
+ /* Turn off the relevant clocks */
+ clk_disable_unprepare(video->vclk);
+ clk_disable_unprepare(video->eclk);
++
++ clear_bit(VIDEO_CLOCKS_ON, &video->flags);
+ }
+
+ static void aspeed_video_on(struct aspeed_video *video)
+ {
++ if (test_bit(VIDEO_CLOCKS_ON, &video->flags))
++ return;
++
+ /* Turn on the relevant clocks */
+ clk_prepare_enable(video->eclk);
+ clk_prepare_enable(video->vclk);
++
++ set_bit(VIDEO_CLOCKS_ON, &video->flags);
+ }
+
+ static void aspeed_video_bufs_done(struct aspeed_video *video,
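Review bot: `aspeed_video_off()` and `aspeed_video_on()` test `VIDEO_CLOCKS_ON` and update it in separate steps, so two racing callers can both pass the test and disable (or enable) the clocks twice, which is the warning this patch is meant to prevent. If the callers are not already serialised by a lock (not visible here), use the atomic forms: `if (!test_and_clear_bit(VIDEO_CLOCKS_ON, &video->flags)) return;` and `if (test_and_set_bit(VIDEO_CLOCKS_ON, &video->flags)) return;`. `aspeed_video_on()` also sets the flag without checking the return value of `clk_prepare_enable()`, so a failed enable is recorded as on and the later off path disables a clock that was never enabled.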
+--
+2.20.1
+
--- /dev/null
+From 8274284dba761676fff23878c7ea63b754277cc6 Mon Sep 17 00:00:00 2001
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:11 -0400
+Subject: media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP
+
+[ Upstream commit f3775f89852d167990b0d718587774cf00d22ac2 ]
+
+coda_encoder_cmd() is racy, as the last scheduled picture run worker can
+still be in-flight while the ENC_CMD_STOP command is issued. Depending
+on the exact timing the sequence numbers might already be changed, but
+the last buffer might not have been put on the destination queue yet.
+
+In this case the current implementation would prematurely wake the
+destination queue with last_buffer_dequeued=true, causing userspace to
+call streamoff before the last buffer is handled.
+
+Close this race window by synchronizing with the pic_run_worker before
+doing the sequence check.
+
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+[l.stach@pengutronix.de: switch to flush_work, reword commit message]
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c
+index 6238047273f2..68a585d3af91 100644
+--- a/drivers/media/platform/coda/coda-common.c
++++ b/drivers/media/platform/coda/coda-common.c
+@@ -1024,6 +1024,8 @@ static int coda_encoder_cmd(struct file *file, void *fh,
+ /* Set the stream-end flag on this context */
+ ctx->bit_stream_param |= CODA_BIT_STREAM_END_FLAG;
+
++ flush_work(&ctx->pic_run_work);
++
+ /* If there is no buffer in flight, wake up */
+ if (!ctx->streamon_out || ctx->qsequence == ctx->osequence) {
+ dst_vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx,
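Review bot: The added `flush_work(&ctx->pic_run_work)` carries no comment, and the reason for it (the check below reads `qsequence`/`osequence`, which an in-flight picture run may still change) lives only in the commit message. I would add `/* wait for an in-flight picture run so the sequence numbers below are final */` above the call. Because `flush_work()` blocks until the worker returns, it is also worth confirming that `coda_encoder_cmd()` is never entered holding a mutex the worker takes; the locking is outside this hunk, as are the start and end of the function.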
+--
+2.20.1
+
--- /dev/null
+From 0dca3e84c386198c13a4ab64b2069a1b9fe0dc01 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:10 -0400
+Subject: media: coda: fix mpeg2 sequence number handling
+
+[ Upstream commit 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba ]
+
+Sequence number handling assumed that the BIT processor frame number
+starts counting at 1, but this is not true for the MPEG-2 decoder,
+which starts at 0. Fix the sequence counter offset detection to handle
+this.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 976f6aa69f41..1eeed34f300d 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1739,6 +1739,7 @@ static int __coda_start_decoding(struct coda_ctx *ctx)
+ v4l2_err(&dev->v4l2_dev, "CODA_COMMAND_SEQ_INIT timeout\n");
+ return ret;
+ }
++ ctx->sequence_offset = ~0U;
+ ctx->initialized = 1;
+
+ /* Update kfifo out pointer from coda bitstream read pointer */
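Review bot: The "not yet known" marker for `ctx->sequence_offset` is written as `~0U` here and compared as `-1` in the `coda_finish_decode()` hunk below, so the two only agree if the field has the width of `int`; its declaration is not in the patch. A named constant used at both sites would remove that dependency, for example (name is a suggestion) `#define CODA_SEQ_OFFSET_UNSET (~0U)` with `ctx->sequence_offset = CODA_SEQ_OFFSET_UNSET;` and `if (ctx->sequence_offset == CODA_SEQ_OFFSET_UNSET)`. The marker is also a value the offset could in principle reach by arithmetic, so a separate boolean would be the more robust choice if that matters for long-running streams.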
+@@ -2151,7 +2152,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+ v4l2_err(&dev->v4l2_dev,
+ "decoded frame index out of range: %d\n", decoded_idx);
+ } else {
+- val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM) - 1;
++ val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM);
++ if (ctx->sequence_offset == -1)
++ ctx->sequence_offset = val;
+ val -= ctx->sequence_offset;
+ spin_lock(&ctx->buffer_meta_lock);
+ if (!list_empty(&ctx->buffer_meta_list)) {
+--
+2.20.1
+
--- /dev/null
+From 6ec4a6db89d664818bade7d4536907470cec4f6b Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:22 -0400
+Subject: media: coda: increment sequence offset for the last returned frame
+
+[ Upstream commit b3b7d96817cdb8b6fc353867705275dce8f41ccc ]
+
+If no more frames are decoded in bitstream end mode, and a previously
+decoded frame has been returned, the firmware still increments the frame
+number. To avoid a sequence number mismatch after decoder restart,
+increment the sequence_offset correction parameter.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 1eeed34f300d..8c9743e067cf 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -2147,6 +2147,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+ else if (ctx->display_idx < 0)
+ ctx->hold = true;
+ } else if (decoded_idx == -2) {
++ if (ctx->display_idx >= 0 &&
++ ctx->display_idx < ctx->num_internal_frames)
++ ctx->sequence_offset++;
+ /* no frame was decoded, we still return remaining buffers */
+ } else if (decoded_idx < 0 || decoded_idx >= ctx->num_internal_frames) {
+ v4l2_err(&dev->v4l2_dev,
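Review bot: The new increment in the `decoded_idx == -2` branch is placed above the existing `/* no frame was decoded, we still return remaining buffers */` comment and has no explanation of its own, so the comment now reads as if it described something after the increment. A line such as `/* firmware still advances its frame number when only a previously decoded frame is returned */` above the `if` would carry the reasoning from the commit message into the code. If `sequence_offset` can still hold the `~0U` "unset" marker from the previous patch in this series when this branch runs, the `++` wraps it to 0 and the marker is lost; I cannot tell from the hunk whether that state is reachable.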
+--
+2.20.1
+
--- /dev/null
+From 0626490624d7c20fba04b66a412ffacc010e054e Mon Sep 17 00:00:00 2001
+From: Young Xiao <92siuyang@gmail.com>
+Date: Tue, 4 Jun 2019 08:26:33 -0400
+Subject: media: davinci: vpif_capture: fix memory leak in vpif_probe()
+
+[ Upstream commit 64f883cd98c6d43013fb0cea788b63e50ebc068c ]
+
+If vpif_probe() fails on v4l2_device_register() and vpif_probe_complete(),
+then memory allocated at initialize_vpif() for global vpif_obj.dev[i]
+is never released.
+
+The patch adds deallocation of vpif_obj.dev[i] on the error path.
+
+Signed-off-by: Young Xiao <92siuyang@gmail.com>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/davinci/vpif_capture.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpif_capture.c b/drivers/media/platform/davinci/vpif_capture.c
+index 61809d2050fa..f0f7ef638c56 100644
+--- a/drivers/media/platform/davinci/vpif_capture.c
++++ b/drivers/media/platform/davinci/vpif_capture.c
+@@ -1376,6 +1376,14 @@ static int initialize_vpif(void)
+ return err;
+ }
+
++static inline void free_vpif_objs(void)
++{
++ int i;
++
++ for (i = 0; i < VPIF_CAPTURE_MAX_DEVICES; i++)
++ kfree(vpif_obj.dev[i]);
++}
++
+ static int vpif_async_bound(struct v4l2_async_notifier *notifier,
+ struct v4l2_subdev *subdev,
+ struct v4l2_async_subdev *asd)
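Review bot: `free_vpif_objs()` frees every `vpif_obj.dev[i]` but leaves the pointers in the global `vpif_obj` untouched, so after a failed probe they dangle. Any later path that walks the array (a second probe attempt, or a remove routine outside this patch) would then read or free released memory. Clearing each slot closes that: `kfree(vpif_obj.dev[i]);` followed by `vpif_obj.dev[i] = NULL;` inside a braced loop body. The `inline` on an error-path helper is also unnecessary; plain `static void` is enough.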
+@@ -1645,7 +1653,7 @@ static __init int vpif_probe(struct platform_device *pdev)
+ err = v4l2_device_register(vpif_dev, &vpif_obj.v4l2_dev);
+ if (err) {
+ v4l2_err(vpif_dev->driver, "Error registering v4l2 device\n");
+- goto cleanup;
++ goto vpif_free;
+ }
+
+ while ((res = platform_get_resource(pdev, IORESOURCE_IRQ, res_idx))) {
+@@ -1692,7 +1700,9 @@ static __init int vpif_probe(struct platform_device *pdev)
+ "registered sub device %s\n",
+ subdevdata->name);
+ }
+- vpif_probe_complete();
++ err = vpif_probe_complete();
++ if (err)
++ goto probe_subdev_out;
+ } else {
+ vpif_obj.notifier.ops = &vpif_async_ops;
+ err = v4l2_async_notifier_register(&vpif_obj.v4l2_dev,
+@@ -1711,6 +1721,8 @@ static __init int vpif_probe(struct platform_device *pdev)
+ kfree(vpif_obj.sd);
+ vpif_unregister:
+ v4l2_device_unregister(&vpif_obj.v4l2_dev);
++vpif_free:
++ free_vpif_objs();
+ cleanup:
+ v4l2_async_notifier_cleanup(&vpif_obj.notifier);
+
+--
+2.20.1
+
--- /dev/null
+From 4601b8b89003a7a4c3791cb7ca94dad30f7df031 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Apr 2019 09:07:36 -0400
+Subject: media: dvb: usb: fix use after free in dvb_usb_device_exit
+
+[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ]
+
+dvb_usb_device_exit() frees and uses the device name in that order.
+Fix by storing the name in a buffer before freeing it.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index e97f6edc98de..65f2b1a20ca1 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -284,12 +284,15 @@ EXPORT_SYMBOL(dvb_usb_device_init);
+ void dvb_usb_device_exit(struct usb_interface *intf)
+ {
+ struct dvb_usb_device *d = usb_get_intfdata(intf);
+- const char *name = "generic DVB-USB module";
++ const char *default_name = "generic DVB-USB module";
++ char name[40];
+
+ usb_set_intfdata(intf, NULL);
+ if (d != NULL && d->desc != NULL) {
+- name = d->desc->name;
++ strscpy(name, d->desc->name, sizeof(name));
+ dvb_usb_exit(d);
++ } else {
++ strscpy(name, default_name, sizeof(name));
+ }
+ info("%s successfully deinitialized and disconnected.", name);
+
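Review bot: The local copy in `dvb_usb_device_exit()` uses a bare `char name[40]`, and `strscpy()` truncates without notice when `d->desc->name` is longer. The log line is the only consumer, so the effect is cosmetic, but the size should be a named constant or at least explained, e.g. `/* copy: the descriptor may be gone after dvb_usb_exit(); long names are truncated in the log */`. The copy in the `else` arm is not needed for lifetime reasons, since `default_name` is a string literal; it is there only so that `info()` can take one variable, which is worth a word in the same comment.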
+--
+2.20.1
+
--- /dev/null
+From 12668554f59e9faa82e5819f8500c86e9a8e3dfb Mon Sep 17 00:00:00 2001
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Date: Wed, 15 May 2019 11:39:12 -0400
+Subject: media: fdp1: Support M3N and E3 platforms
+
+[ Upstream commit 4e8c120de9268fc26f583268b9d22e7d37c4595f ]
+
+New Gen3 R-Car platforms incorporate the FDP1 with an updated version
+register. No code change is required to support these targets, but they
+will currently report an error stating that the device can not be
+identified.
+
+Update the driver to match against the new device types.
+
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar_fdp1.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/platform/rcar_fdp1.c b/drivers/media/platform/rcar_fdp1.c
+index 6a90bc4c476e..b8615a288e2b 100644
+--- a/drivers/media/platform/rcar_fdp1.c
++++ b/drivers/media/platform/rcar_fdp1.c
+@@ -257,6 +257,8 @@ MODULE_PARM_DESC(debug, "activate debug info");
+ #define FD1_IP_H3_ES1 0x02010101
+ #define FD1_IP_M3W 0x02010202
+ #define FD1_IP_H3 0x02010203
++#define FD1_IP_M3N 0x02010204
++#define FD1_IP_E3 0x02010205
+
+ /* LUTs */
+ #define FD1_LUT_DIF_ADJ 0x1000
+@@ -2365,6 +2367,12 @@ static int fdp1_probe(struct platform_device *pdev)
+ case FD1_IP_H3:
+ dprintk(fdp1, "FDP1 Version R-Car H3\n");
+ break;
++ case FD1_IP_M3N:
++ dprintk(fdp1, "FDP1 Version R-Car M3N\n");
++ break;
++ case FD1_IP_E3:
++ dprintk(fdp1, "FDP1 Version R-Car E3\n");
++ break;
+ default:
+ dev_err(fdp1->dev, "FDP1 Unidentifiable (0x%08x)\n",
+ hw_version);
+--
+2.20.1
+
--- /dev/null
+From 3896a8394bc68248bbb24a6a648f53b73ee1fcfa Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 20 Jun 2019 07:43:41 -0400
+Subject: media: hdpvr: fix locking and a missing msleep
+
+[ Upstream commit 6bc5a4a1927556ff9adce1aa95ea408c95453225 ]
+
+This driver has three locking issues:
+
+- The wait_event_interruptible() condition calls hdpvr_get_next_buffer(dev)
+ which uses a mutex, which is not allowed. Rewrite with list_empty_careful()
+ that doesn't need locking.
+
+- In hdpvr_read() the call to hdpvr_stop_streaming() didn't lock io_mutex,
+ but it should have since stop_streaming expects that.
+
+- In hdpvr_device_release() io_mutex was locked when calling flush_work(),
+ but there it shouldn't take that mutex since the work done by flush_work()
+ also wants to lock that mutex.
+
+There are also two other changes (suggested by Keith):
+
+- msecs_to_jiffies(4000); (a NOP) should have been msleep(4000).
+- Change v4l2_dbg to v4l2_info to always log if streaming had to be restarted.
+
+Reported-by: Keith Pyle <kpyle@austin.rr.com>
+Suggested-by: Keith Pyle <kpyle@austin.rr.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/hdpvr/hdpvr-video.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c
+index 7580fc5f2f12..6a6405b80797 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-video.c
++++ b/drivers/media/usb/hdpvr/hdpvr-video.c
+@@ -435,7 +435,7 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count,
+ /* wait for the first buffer */
+ if (!(file->f_flags & O_NONBLOCK)) {
+ if (wait_event_interruptible(dev->wait_data,
+- hdpvr_get_next_buffer(dev)))
++ !list_empty_careful(&dev->rec_buff_list)))
+ return -ERESTARTSYS;
+ }
+
+@@ -461,10 +461,17 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count,
+ goto err;
+ }
+ if (!err) {
+- v4l2_dbg(MSG_INFO, hdpvr_debug, &dev->v4l2_dev,
+- "timeout: restart streaming\n");
++ v4l2_info(&dev->v4l2_dev,
++ "timeout: restart streaming\n");
++ mutex_lock(&dev->io_mutex);
+ hdpvr_stop_streaming(dev);
+- msecs_to_jiffies(4000);
++ mutex_unlock(&dev->io_mutex);
++ /*
++ * The FW needs about 4 seconds after streaming
++ * stopped before it is ready to restart
++ * streaming.
++ */
++ msleep(4000);
+ err = hdpvr_start_streaming(dev);
+ if (err) {
+ ret = err;
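Review bot: `msleep(4000)` in the timeout branch of hdpvr_read() is an uninterruptible sleep on a path entered from a user read(), so a caller that hits the restart case cannot be signalled for four seconds. The earlier wait in the same function uses wait_event_interruptible() and returns -ERESTARTSYS. If the firmware delay has to be honoured, `msleep_interruptible(4000)` with a check of its return value would keep the read killable; whether bailing out there leaves the device in a restartable state depends on code outside the hunk. `hdpvr_start_streaming(dev)` is also called after `io_mutex` has been dropped, so it is worth confirming that it does not expect the same locking as hdpvr_stop_streaming(). hdpvr_read() begins and ends outside this hunk.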
+@@ -1127,9 +1134,7 @@ static void hdpvr_device_release(struct video_device *vdev)
+ struct hdpvr_device *dev = video_get_drvdata(vdev);
+
+ hdpvr_delete(dev);
+- mutex_lock(&dev->io_mutex);
+ flush_work(&dev->worker);
+- mutex_unlock(&dev->io_mutex);
+
+ v4l2_device_unregister(&dev->v4l2_dev);
+ v4l2_ctrl_handler_free(&dev->hdl);
+--
+2.20.1
+
--- /dev/null
+From 92bdc033addbf796a52d06088366bdbe04e19305 Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Wed, 12 Jun 2019 12:19:35 -0400
+Subject: media: i2c: fix warning same module names
+
+[ Upstream commit b2ce5617dad254230551feda3599f2cc68e53ad8 ]
+
+When building with CONFIG_VIDEO_ADV7511 and CONFIG_DRM_I2C_ADV7511
+enabled as loadable modules, we see the following warning:
+
+ drivers/gpu/drm/bridge/adv7511/adv7511.ko
+ drivers/media/i2c/adv7511.ko
+
+Rework so that the file is named adv7511-v4l2.c.
+
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/Makefile | 2 +-
+ drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+ rename drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} (99%)
+
+diff --git a/drivers/media/i2c/Makefile b/drivers/media/i2c/Makefile
+index d8ad9dad495d..fd4ea86dedd5 100644
+--- a/drivers/media/i2c/Makefile
++++ b/drivers/media/i2c/Makefile
+@@ -35,7 +35,7 @@ obj-$(CONFIG_VIDEO_ADV748X) += adv748x/
+ obj-$(CONFIG_VIDEO_ADV7604) += adv7604.o
+ obj-$(CONFIG_VIDEO_ADV7842) += adv7842.o
+ obj-$(CONFIG_VIDEO_AD9389B) += ad9389b.o
+-obj-$(CONFIG_VIDEO_ADV7511) += adv7511.o
++obj-$(CONFIG_VIDEO_ADV7511) += adv7511-v4l2.o
+ obj-$(CONFIG_VIDEO_VPX3220) += vpx3220.o
+ obj-$(CONFIG_VIDEO_VS6624) += vs6624.o
+ obj-$(CONFIG_VIDEO_BT819) += bt819.o
+diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511-v4l2.c
+similarity index 99%
+rename from drivers/media/i2c/adv7511.c
+rename to drivers/media/i2c/adv7511-v4l2.c
+index cec5ebb1c9e6..2ad6bdf1a9fc 100644
+--- a/drivers/media/i2c/adv7511.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -5,6 +5,11 @@
+ * Copyright 2013 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ */
+
++/*
++ * This file is named adv7511-v4l2.c so it doesn't conflict with the Analog
++ * Device ADV7511 (config fragment CONFIG_DRM_I2C_ADV7511).
++ */
++
+
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+--
+2.20.1
+
--- /dev/null
+From c7f260415e0039781551cea3d9dcd9dfd3ae62db Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Fri, 31 May 2019 13:45:04 -0400
+Subject: media: imx7-mipi-csis: Propagate the error if clock enabling fails
+
+[ Upstream commit 2b393f91c651c16d5c09f5c7aa689e58a79df34e ]
+
+Currently the return value from clk_bulk_prepare_enable() is checked,
+but it is not propagate it in the case of failure.
+
+Fix it and also move the error message to the caller of
+mipi_csis_clk_enable().
+
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx7-mipi-csis.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx7-mipi-csis.c b/drivers/staging/media/imx/imx7-mipi-csis.c
+index 19455f425416..7d7bdfdd852a 100644
+--- a/drivers/staging/media/imx/imx7-mipi-csis.c
++++ b/drivers/staging/media/imx/imx7-mipi-csis.c
+@@ -456,13 +456,9 @@ static void mipi_csis_set_params(struct csi_state *state)
+ MIPI_CSIS_CMN_CTRL_UPDATE_SHADOW_CTRL);
+ }
+
+-static void mipi_csis_clk_enable(struct csi_state *state)
++static int mipi_csis_clk_enable(struct csi_state *state)
+ {
+- int ret;
+-
+- ret = clk_bulk_prepare_enable(state->num_clks, state->clks);
+- if (ret < 0)
+- dev_err(state->dev, "failed to enable clocks\n");
++ return clk_bulk_prepare_enable(state->num_clks, state->clks);
+ }
+
+ static void mipi_csis_clk_disable(struct csi_state *state)
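Review bot: mipi_csis_clk_enable() now returns the clk_bulk_prepare_enable() result, but the only caller this patch updates is mipi_csis_probe(). Any other caller (none is visible in these hunks) would still compile and silently drop the error, and the `dev_err()` that used to report it has moved out of the helper. Declaring it `static int __must_check mipi_csis_clk_enable(struct csi_state *state)` would make the compiler flag such call sites. A short comment on the helper saying that callers are responsible for logging the failure would document the moved message.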
+@@ -973,7 +969,11 @@ static int mipi_csis_probe(struct platform_device *pdev)
+ if (ret < 0)
+ return ret;
+
+- mipi_csis_clk_enable(state);
++ ret = mipi_csis_clk_enable(state);
++ if (ret < 0) {
++ dev_err(state->dev, "failed to enable clocks: %d\n", ret);
++ return ret;
++ }
+
+ ret = devm_request_irq(dev, state->irq, mipi_csis_irq_handler,
+ 0, dev_name(dev), state);
+--
+2.20.1
+
--- /dev/null
+From 7ea4858e1ac4839a7455832e48e05f5800ae7283 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sun, 5 May 2019 10:00:23 -0400
+Subject: media: marvell-ccic: fix DMA s/g desc number calculation
+
+[ Upstream commit 0c7aa32966dab0b8a7424e1b34c7f206817953ec ]
+
+The commit d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+left dma_desc_nent unset. It previously contained the number of DMA
+descriptors as returned from dma_map_sg().
+
+We can now (since the commit referred to above) obtain the same value from
+the sg_table and drop dma_desc_nent altogether.
+
+Tested on OLPC XO-1.75 machine. Doesn't affect the OLPC XO-1's Cafe
+driver, since that one doesn't do DMA.
+
+[mchehab+samsung@kernel.org: fix a checkpatch warning]
+
+Fixes: d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/marvell-ccic/mcam-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c
+index f1b301810260..0a6411b877e9 100644
+--- a/drivers/media/platform/marvell-ccic/mcam-core.c
++++ b/drivers/media/platform/marvell-ccic/mcam-core.c
+@@ -200,7 +200,6 @@ struct mcam_vb_buffer {
+ struct list_head queue;
+ struct mcam_dma_desc *dma_desc; /* Descriptor virtual address */
+ dma_addr_t dma_desc_pa; /* Descriptor physical address */
+- int dma_desc_nent; /* Number of mapped descriptors */
+ };
+
+ static inline struct mcam_vb_buffer *vb_to_mvb(struct vb2_v4l2_buffer *vb)
+@@ -608,9 +607,11 @@ static void mcam_dma_contig_done(struct mcam_camera *cam, int frame)
+ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+ {
+ struct mcam_vb_buffer *buf;
++ struct sg_table *sg_table;
+
+ buf = list_first_entry(&cam->buffers, struct mcam_vb_buffer, queue);
+ list_del_init(&buf->queue);
++ sg_table = vb2_dma_sg_plane_desc(&buf->vb_buf.vb2_buf, 0);
+ /*
+ * Very Bad Not Good Things happen if you don't clear
+ * C1_DESC_ENA before making any descriptor changes.
+@@ -618,7 +619,7 @@ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+ mcam_reg_clear_bit(cam, REG_CTRL1, C1_DESC_ENA);
+ mcam_reg_write(cam, REG_DMA_DESC_Y, buf->dma_desc_pa);
+ mcam_reg_write(cam, REG_DESC_LEN_Y,
+- buf->dma_desc_nent*sizeof(struct mcam_dma_desc));
++ sg_table->nents * sizeof(struct mcam_dma_desc));
+ mcam_reg_write(cam, REG_DESC_LEN_U, 0);
+ mcam_reg_write(cam, REG_DESC_LEN_V, 0);
+ mcam_reg_set_bit(cam, REG_CTRL1, C1_DESC_ENA);
+--
+2.20.1
+
--- /dev/null
+From 14259fd3245728f7943ce64bd1cf246b2a3d2b73 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Mon, 27 May 2019 05:31:13 -0400
+Subject: media: mc-device.c: don't memset __user pointer contents
+
+[ Upstream commit 518fa4e0e0da97ea2e17c95ab57647ce748a96e2 ]
+
+You can't memset the contents of a __user pointer. Instead, call copy_to_user to
+copy links.reserved (which is zeroed) to the user memory.
+
+This fixes this sparse warning:
+
+SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16: warning: incorrect type in argument 1 (different address spaces)
+
+Fixes: f49308878d720 ("media: media_device_enum_links32: clean a reserved field")
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/media-device.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index b9bb4904bba1..e19df5165e78 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -510,8 +510,9 @@ static long media_device_enum_links32(struct media_device *mdev,
+ if (ret)
+ return ret;
+
+- memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
+-
++ if (copy_to_user(ulinks->reserved, links.reserved,
++ sizeof(ulinks->reserved)))
++ return -EFAULT;
+ return 0;
+ }
+
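Review bot: The `copy_to_user()` of `links.reserved` only zeroes the user's field because `links` was memset earlier in media_device_enum_links32(), outside this hunk, and because media_device_enum_links() is assumed not to write to `links.reserved`. If either changes, whatever that stack field holds is copied out to user space. `clear_user()` states the intent directly and has no such dependency: `if (clear_user(ulinks->reserved, sizeof(ulinks->reserved))) return -EFAULT;`. If the copy is kept, a comment noting that `links.reserved` must still be zero at this point would help.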
+--
+2.20.1
+
--- /dev/null
+From 5cc10e0bd13150e378098efcaaff83ad164e222b Mon Sep 17 00:00:00 2001
+From: Jungo Lin <jungo.lin@mediatek.com>
+Date: Tue, 2 Apr 2019 21:44:27 -0400
+Subject: media: media_device_enum_links32: clean a reserved field
+
+[ Upstream commit f49308878d7202e07d8761238e01bd0e5fce2750 ]
+
+In v4l2-compliance utility, test MEDIA_IOC_ENUM_ENTITIES
+will check whether reserved field of media_links_enum filled
+with zero.
+
+However, for 32 bit program, the reserved field is missing
+copy from kernel space to user space in media_device_enum_links32
+function.
+
+This patch adds the cleaning a reserved field logic in
+media_device_enum_links32 function.
+
+Signed-off-by: Jungo Lin <jungo.lin@mediatek.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/media-device.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index 9ae481ddd975..b9bb4904bba1 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -494,6 +494,7 @@ static long media_device_enum_links32(struct media_device *mdev,
+ {
+ struct media_links_enum links;
+ compat_uptr_t pads_ptr, links_ptr;
++ int ret;
+
+ memset(&links, 0, sizeof(links));
+
+@@ -505,7 +506,13 @@ static long media_device_enum_links32(struct media_device *mdev,
+ links.pads = compat_ptr(pads_ptr);
+ links.links = compat_ptr(links_ptr);
+
+- return media_device_enum_links(mdev, &links);
++ ret = media_device_enum_links(mdev, &links);
++ if (ret)
++ return ret;
++
++ memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
++
++ return 0;
+ }
+
+ #define MEDIA_IOC_ENUM_LINKS32 _IOWR('|', 0x02, struct media_links_enum32)
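Review bot: `memset(ulinks->reserved, 0, sizeof(ulinks->reserved))` writes through `ulinks`, which the follow-up commit 518fa4e0e0da in this series describes as a `__user` pointer, so this is a direct kernel store to user memory with no access check or fault handling. Applied on its own, this patch leaves that store in place. The write needs to go through a user-access helper, for example `if (clear_user(ulinks->reserved, sizeof(ulinks->reserved))) return -EFAULT;`. The declaration of `ulinks` is in the part of the signature outside the hunk.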
+--
+2.20.1
+
--- /dev/null
+From 7db7df326427d9bd252888d34b2bbdaeaf9e69ef Mon Sep 17 00:00:00 2001
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Mon, 3 Jun 2019 16:01:55 -0400
+Subject: media: mt9m111: fix fw-node refactoring
+
+[ Upstream commit 8d4e29a51a954b43e06d916772fa4f50b7e5bbd6 ]
+
+In the patch refactoring the fw-node, the mt9m111 was broken for all
+platform_data based platforms, which were the first aim of this
+driver. Only the devicetree platform are still functional, probably
+because the testing was done on these.
+
+The result is that -EINVAL is systematically return for such platforms,
+what this patch fixes.
+
+[Sakari Ailus: Rework this to resolve a merge conflict and use dev_fwnode]
+
+Fixes: 98480d65c48c ("media: mt9m111: allow to setup pixclk polarity")
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/mt9m111.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/i2c/mt9m111.c b/drivers/media/i2c/mt9m111.c
+index 362c3b93636e..5a642b5ad076 100644
+--- a/drivers/media/i2c/mt9m111.c
++++ b/drivers/media/i2c/mt9m111.c
+@@ -1245,9 +1245,11 @@ static int mt9m111_probe(struct i2c_client *client,
+ if (!mt9m111)
+ return -ENOMEM;
+
+- ret = mt9m111_probe_fw(client, mt9m111);
+- if (ret)
+- return ret;
++ if (dev_fwnode(&client->dev)) {
++ ret = mt9m111_probe_fw(client, mt9m111);
++ if (ret)
++ return ret;
++ }
+
+ mt9m111->clk = v4l2_clk_get(&client->dev, "mclk");
+ if (IS_ERR(mt9m111->clk))
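Review bot: When `dev_fwnode(&client->dev)` is NULL the probe now skips mt9m111_probe_fw() entirely, so whatever that helper would have filled in keeps its allocation-time value. That is presumably zero, but the allocation is outside the hunk and nothing here says so. A comment above the test, for example `/* platform_data boards have no fwnode: keep the default bus settings */`, would record why the call is conditional and which configuration those boards end up with. mt9m111_probe() starts and ends outside the hunk.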
+--
+2.20.1
+
--- /dev/null
+From 0e1aae231eecafec511e8b0dedf036c4815d42a0 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Wed, 17 Apr 2019 10:06:39 -0400
+Subject: media: ov7740: avoid invalid framesize setting
+
+[ Upstream commit 6e4ab830ac6d6a0d7cd7f87dc5d6536369bf24a8 ]
+
+If the requested framesize by VIDIOC_SUBDEV_S_FMT is larger than supported
+framesizes, it causes an out of bounds array access and the resulting
+framesize is unexpected.
+
+Avoid out of bounds array access and select the default framesize.
+
+Cc: Wenyou Yang <wenyou.yang@microchip.com>
+Cc: Eugen Hristev <eugen.hristev@microchip.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov7740.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/ov7740.c b/drivers/media/i2c/ov7740.c
+index 54e80a60aa57..63011d4b4738 100644
+--- a/drivers/media/i2c/ov7740.c
++++ b/drivers/media/i2c/ov7740.c
+@@ -785,7 +785,11 @@ static int ov7740_try_fmt_internal(struct v4l2_subdev *sd,
+
+ fsize++;
+ }
+-
++ if (i >= ARRAY_SIZE(ov7740_framesizes)) {
++ fsize = &ov7740_framesizes[0];
++ fmt->width = fsize->width;
++ fmt->height = fsize->height;
++ }
+ if (ret_frmsize != NULL)
+ *ret_frmsize = fsize;
+
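Review bot: The new bounds test `i >= ARRAY_SIZE(ov7740_framesizes)` depends on the loop counter `i` and on how the search loop above terminates, both of which are outside this hunk. The guard is only correct if `i` equals the table size exactly when no entry matched, so a comment saying so would protect it against a later change to the loop. The fallback also picks `ov7740_framesizes[0]` regardless of the request, which may be far from what user space asked for via VIDIOC_SUBDEV_S_FMT. If the table's layout allows it, `v4l2_find_nearest_size()` over `ov7740_framesizes` would replace the hand-rolled search and cannot step past the end of the array.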
+--
+2.20.1
+
--- /dev/null
+From df57baf28ad40ddd0b56837e337f6f138abd3173 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Fri, 31 May 2019 06:33:15 -0400
+Subject: media: platform: ao-cec-g12a: disable regmap fast_io for cec bus
+ regmap
+
+[ Upstream commit 9f7406d6b56b4b71a12480b68221755ea7b3e0ee ]
+
+With fast_io enabled, spinlock_irq is used for read/write operations,
+thus leading to :
+BUG: sleeping function called from invalid context at [snip]/ao-cec-g12a.c:379
+ in_atomic(): 1, irqs_disabled(): 128, pid: 1451, name: irq/14-ff800280
+[snip]
+Call trace:
+ dump_backtrace+0x0/0x180
+ show_stack+0x14/0x1c
+ dump_stack+0xa8/0xe0
+ ___might_sleep+0xf4/0x104
+ __might_sleep+0x4c/0x80
+ meson_ao_cec_g12a_read+0x7c/0x164
+ regmap_read+0x16c/0x1b0
+ meson_ao_cec_g12a_irq_thread+0xcc/0x200
+ irq_thread_fn+0x2c/0x60
+ irq_thread+0x14c/0x1fc
+ kthread+0x11c/0x12c
+ ret_from_fork+0x10/0x18
+
+Simply remove fast_io to use mutexes instead.
+
+Fixes: b7778c46683c ("media: platform: meson: Add Amlogic Meson G12A AO CEC Controller driver")
+
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/meson/ao-cec-g12a.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/platform/meson/ao-cec-g12a.c b/drivers/media/platform/meson/ao-cec-g12a.c
+index 3620a1e310f5..ddfd060625da 100644
+--- a/drivers/media/platform/meson/ao-cec-g12a.c
++++ b/drivers/media/platform/meson/ao-cec-g12a.c
+@@ -415,7 +415,6 @@ static const struct regmap_config meson_ao_cec_g12a_cec_regmap_conf = {
+ .reg_read = meson_ao_cec_g12a_read,
+ .reg_write = meson_ao_cec_g12a_write,
+ .max_register = 0xffff,
+- .fast_io = true,
+ };
+
+ static inline void
+--
+2.20.1
+
--- /dev/null
+From 67df62ea4a388f9af19b46c076d29c1665b5e423 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 12 Jun 2019 09:57:57 -0400
+Subject: media: s5p-mfc: fix reading min scratch buffer size on MFC v6/v7
+
+[ Upstream commit be22203aec440c1761ce8542c2636ac6c8951e3a ]
+
+MFC v6 and v7 has no register to read min scratch buffer size, so it has
+to be read conditionally only if hardware supports it. This fixes following
+NULL pointer exception on SoCs with MFC v6/v7:
+
+8<--- cut here ---
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = f25837f9
+[00000000] *pgd=bd93d835
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: btmrvl_sdio btmrvl bluetooth mwifiex_sdio mwifiex ecdh_generic ecc
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+PC is at s5p_mfc_get_min_scratch_buf_size+0x30/0x3c
+LR is at s5p_mfc_get_min_scratch_buf_size+0x28/0x3c
+...
+[<c074f998>] (s5p_mfc_get_min_scratch_buf_size) from [<c0745bc0>] (s5p_mfc_irq+0x814/0xa5c)
+[<c0745bc0>] (s5p_mfc_irq) from [<c019a218>] (__handle_irq_event_percpu+0x64/0x3f8)
+[<c019a218>] (__handle_irq_event_percpu) from [<c019a5d8>] (handle_irq_event_percpu+0x2c/0x7c)
+[<c019a5d8>] (handle_irq_event_percpu) from [<c019a660>] (handle_irq_event+0x38/0x5c)
+[<c019a660>] (handle_irq_event) from [<c019ebc4>] (handle_fasteoi_irq+0xc4/0x180)
+[<c019ebc4>] (handle_fasteoi_irq) from [<c0199270>] (generic_handle_irq+0x24/0x34)
+[<c0199270>] (generic_handle_irq) from [<c0199888>] (__handle_domain_irq+0x7c/0xec)
+[<c0199888>] (__handle_domain_irq) from [<c04ac298>] (gic_handle_irq+0x58/0x9c)
+[<c04ac298>] (gic_handle_irq) from [<c0101ab0>] (__irq_svc+0x70/0xb0)
+Exception stack(0xe73ddc60 to 0xe73ddca8)
+...
+[<c0101ab0>] (__irq_svc) from [<c01967d8>] (console_unlock+0x5a8/0x6a8)
+[<c01967d8>] (console_unlock) from [<c01981d0>] (vprintk_emit+0x118/0x2d8)
+[<c01981d0>] (vprintk_emit) from [<c01983b0>] (vprintk_default+0x20/0x28)
+[<c01983b0>] (vprintk_default) from [<c01989b4>] (printk+0x30/0x54)
+[<c01989b4>] (printk) from [<c07500b8>] (s5p_mfc_init_decode_v6+0x1d4/0x284)
+[<c07500b8>] (s5p_mfc_init_decode_v6) from [<c07230d0>] (vb2_start_streaming+0x24/0x150)
+[<c07230d0>] (vb2_start_streaming) from [<c0724e4c>] (vb2_core_streamon+0x11c/0x15c)
+[<c0724e4c>] (vb2_core_streamon) from [<c07478b8>] (vidioc_streamon+0x64/0xa0)
+[<c07478b8>] (vidioc_streamon) from [<c0709640>] (__video_do_ioctl+0x28c/0x45c)
+[<c0709640>] (__video_do_ioctl) from [<c0709bc8>] (video_usercopy+0x260/0x8a4)
+[<c0709bc8>] (video_usercopy) from [<c02b3820>] (do_vfs_ioctl+0xb0/0x9fc)
+[<c02b3820>] (do_vfs_ioctl) from [<c02b41a0>] (ksys_ioctl+0x34/0x58)
+[<c02b41a0>] (ksys_ioctl) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xe73ddfa8 to 0xe73ddff0)
+...
+---[ end trace 376cf5ba6e0bee93 ]---
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index 4e936b95018a..481088a83212 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -523,7 +523,8 @@ static void s5p_mfc_handle_seq_done(struct s5p_mfc_ctx *ctx,
+ dev);
+ ctx->mv_count = s5p_mfc_hw_call(dev->mfc_ops, get_mv_count,
+ dev);
+- ctx->scratch_buf_size = s5p_mfc_hw_call(dev->mfc_ops,
++ if (FW_HAS_E_MIN_SCRATCH_BUF(dev))
++ ctx->scratch_buf_size = s5p_mfc_hw_call(dev->mfc_ops,
+ get_min_scratch_buf_size, dev);
+ if (ctx->img_width == 0 || ctx->img_height == 0)
+ ctx->state = MFCINST_ERROR;
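Review bot: On firmware without the register, `ctx->scratch_buf_size` is now left at whatever value it already holds, and the hunk does not show where that value comes from for MFC v6/v7. A comment above the test, e.g. `/* MFC v6/v7 have no min-scratch-size register; scratch_buf_size keeps its existing value */`, would make that explicit for anyone checking the later buffer allocation. The body of the new `if` is a call split over two lines without braces; adding braces would keep the following `if` from being read as part of it. s5p_mfc_handle_seq_done() begins and ends outside the hunk.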
+--
+2.20.1
+
--- /dev/null
+From 53fb1e57efcfb624f4ac4b0a2984984a0ea7555f Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 13 Jun 2019 06:48:34 -0400
+Subject: media: s5p-mfc: Make additional clocks optional
+
+[ Upstream commit e08efef8fe7db87206314c19b341612c719f891a ]
+
+Since the beginning the second clock ('special', 'sclk') was optional and
+it is not available on some variants of Exynos SoCs (i.e. Exynos5420 with
+v7 of MFC hardware).
+
+However commit 1bce6fb3edf1 ("[media] s5p-mfc: Rework clock handling")
+made handling of all specified clocks mandatory. This patch restores
+original behavior of the driver and fixes its operation on
+Exynos5420 SoCs.
+
+Fixes: 1bce6fb3edf1 ("[media] s5p-mfc: Rework clock handling")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+index 2e62f8721fa5..7d52431c2c83 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+@@ -34,6 +34,11 @@ int s5p_mfc_init_pm(struct s5p_mfc_dev *dev)
+ for (i = 0; i < pm->num_clocks; i++) {
+ pm->clocks[i] = devm_clk_get(pm->device, pm->clk_names[i]);
+ if (IS_ERR(pm->clocks[i])) {
++ /* additional clocks are optional */
++ if (i && PTR_ERR(pm->clocks[i]) == -ENOENT) {
++ pm->clocks[i] = NULL;
++ continue;
++ }
+ mfc_err("Failed to get clock: %s\n",
+ pm->clk_names[i]);
+ return PTR_ERR(pm->clocks[i]);
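Review bot: The open-coded `i && PTR_ERR(pm->clocks[i]) == -ENOENT` test stores NULL for a missing optional clock, which relies on every later user of `pm->clocks[i]` (outside this hunk) going through clk API calls that accept a NULL clock. `devm_clk_get_optional()` implements this convention, so for `i > 0` the lookup could be `pm->clocks[i] = devm_clk_get_optional(pm->device, pm->clk_names[i]);` where the target tree provides it, leaving the existing IS_ERR() branch for real errors. Writing the index test as `i > 0`, with a note that entry 0 is the mandatory clock, would also read more clearly than the bare `i`.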
+--
+2.20.1
+
--- /dev/null
+From 2938c7df9aa13951753ee30bdd5fae7ccb07f7e1 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Mon, 27 May 2019 08:14:55 -0400
+Subject: media: saa7164: fix remove_proc_entry warning
+
+[ Upstream commit 50710eeefbc1ed25375942aad0c4d1eb4af0f330 ]
+
+if saa7164_proc_create() fails, saa7164_fini() will trigger a warning,
+
+name 'saa7164'
+WARNING: CPU: 1 PID: 6311 at fs/proc/generic.c:672 remove_proc_entry+0x1e8/0x3a0
+ ? remove_proc_entry+0x1e8/0x3a0
+ ? try_stop_module+0x7b/0x240
+ ? proc_readdir+0x70/0x70
+ ? rcu_read_lock_sched_held+0xd7/0x100
+ saa7164_fini+0x13/0x1f [saa7164]
+ __x64_sys_delete_module+0x30c/0x480
+ ? __ia32_sys_delete_module+0x480/0x480
+ ? __x64_sys_clock_gettime+0x11e/0x1c0
+ ? __x64_sys_timer_create+0x1a0/0x1a0
+ ? trace_hardirqs_off_caller+0x40/0x180
+ ? do_syscall_64+0x18/0x450
+ do_syscall_64+0x9f/0x450
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix it by checking the return of proc_create_single() before
+calling remove_proc_entry().
+
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: use 0444 instead of S_IRUGO]
+[hverkuil-cisco@xs4all.nl: use pr_info instead of KERN_INFO]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7164/saa7164-core.c | 33 ++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-core.c b/drivers/media/pci/saa7164/saa7164-core.c
+index c594aff92e70..9ae04e18e6c6 100644
+--- a/drivers/media/pci/saa7164/saa7164-core.c
++++ b/drivers/media/pci/saa7164/saa7164-core.c
+@@ -1112,16 +1112,25 @@ static int saa7164_proc_show(struct seq_file *m, void *v)
+ return 0;
+ }
+
++static struct proc_dir_entry *saa7164_pe;
++
+ static int saa7164_proc_create(void)
+ {
+- struct proc_dir_entry *pe;
+-
+- pe = proc_create_single("saa7164", S_IRUGO, NULL, saa7164_proc_show);
+- if (!pe)
++ saa7164_pe = proc_create_single("saa7164", 0444, NULL, saa7164_proc_show);
++ if (!saa7164_pe)
+ return -ENOMEM;
+
+ return 0;
+ }
++
++static void saa7164_proc_destroy(void)
++{
++ if (saa7164_pe)
++ remove_proc_entry("saa7164", NULL);
++}
++#else
++static int saa7164_proc_create(void) { return 0; }
++static void saa7164_proc_destroy(void) {}
+ #endif
+
+ static int saa7164_thread_function(void *data)
+@@ -1493,19 +1502,21 @@ static struct pci_driver saa7164_pci_driver = {
+
+ static int __init saa7164_init(void)
+ {
+- printk(KERN_INFO "saa7164 driver loaded\n");
++ int ret = pci_register_driver(&saa7164_pci_driver);
++
++ if (ret)
++ return ret;
+
+-#ifdef CONFIG_PROC_FS
+ saa7164_proc_create();
+-#endif
+- return pci_register_driver(&saa7164_pci_driver);
++
++ pr_info("saa7164 driver loaded\n");
++
++ return 0;
+ }
+
+ static void __exit saa7164_fini(void)
+ {
+-#ifdef CONFIG_PROC_FS
+- remove_proc_entry("saa7164", NULL);
+-#endif
++ saa7164_proc_destroy();
+ pci_unregister_driver(&saa7164_pci_driver);
+ }
+
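Review bot: saa7164_init() discards the return value of `saa7164_proc_create()`, so a failed /proc registration is silent. That looks deliberate, since the entry is informational and saa7164_proc_destroy() checks `saa7164_pe`, but nothing says so. Either log it, `if (saa7164_proc_create()) pr_warn("saa7164: failed to create proc entry\n");`, or add a comment that the proc entry is best-effort. saa7164_proc_destroy() also leaves `saa7164_pe` set after removal, which is harmless at module exit but would merit `saa7164_pe = NULL;` if the helper is ever called from elsewhere.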
+--
+2.20.1
+
--- /dev/null
+From 61c308c75ce2d2edb473ff678750ee26b85fcaa0 Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 15:10:20 -0400
+Subject: media: spi: IR LED: add missing of table registration
+
+[ Upstream commit 24e4cf770371df6ad49ed873f21618d9878f64c8 ]
+
+MODULE_DEVICE_TABLE(of, <of_match_table> should be called to complete DT
+OF mathing mechanism and register it.
+
+Before this patch:
+modinfo drivers/media/rc/ir-spi.ko | grep alias
+
+After this patch:
+modinfo drivers/media/rc/ir-spi.ko | grep alias
+alias: of:N*T*Cir-spi-ledC*
+alias: of:N*T*Cir-spi-led
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ir-spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/rc/ir-spi.c b/drivers/media/rc/ir-spi.c
+index 66334e8d63ba..c58f2d38a458 100644
+--- a/drivers/media/rc/ir-spi.c
++++ b/drivers/media/rc/ir-spi.c
+@@ -161,6 +161,7 @@ static const struct of_device_id ir_spi_of_match[] = {
+ { .compatible = "ir-spi-led" },
+ {},
+ };
++MODULE_DEVICE_TABLE(of, ir_spi_of_match);
+
+ static struct spi_driver ir_spi_driver = {
+ .probe = ir_spi_probe,
+--
+2.20.1
+
--- /dev/null
+From 7aeebd0f78e87935553fae1d910e6e0122228ace Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 8 Jun 2019 07:27:25 -0400
+Subject: media: staging: davinci: fix memory leaks and check for allocation
+ failure
+
+[ Upstream commit a84e355ecd3ed9759d7aaa40170aab78e2a68a06 ]
+
+There are three error return paths that don't kfree params causing a
+memory leak. Fix this by adding an error return path that kfree's
+params before returning. Also add a check to see params failed to
+be allocated.
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/davinci_vpfe/dm365_ipipe.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/staging/media/davinci_vpfe/dm365_ipipe.c b/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
+index 30e2edc0cec5..b88855c7ffe8 100644
+--- a/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
++++ b/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
+@@ -1251,10 +1251,10 @@ static int ipipe_s_config(struct v4l2_subdev *sd, struct vpfe_ipipe_config *cfg)
+ struct vpfe_ipipe_device *ipipe = v4l2_get_subdevdata(sd);
+ unsigned int i;
+ int rval = 0;
++ struct ipipe_module_params *params;
+
+ for (i = 0; i < ARRAY_SIZE(ipipe_modules); i++) {
+ const struct ipipe_module_if *module_if;
+- struct ipipe_module_params *params;
+ void *from, *to;
+ size_t size;
+
+@@ -1265,25 +1265,30 @@ static int ipipe_s_config(struct v4l2_subdev *sd, struct vpfe_ipipe_config *cfg)
+ from = *(void **)((void *)cfg + module_if->config_offset);
+
+ params = kmalloc(sizeof(*params), GFP_KERNEL);
++ if (!params)
++ return -ENOMEM;
+ to = (void *)params + module_if->param_offset;
+ size = module_if->param_size;
+
+ if (to && from && size) {
+ if (copy_from_user(to, (void __user *)from, size)) {
+ rval = -EFAULT;
+- break;
++ goto error_free;
+ }
+ rval = module_if->set(ipipe, to);
+ if (rval)
+- goto error;
++ goto error_free;
+ } else if (to && !from && size) {
+ rval = module_if->set(ipipe, NULL);
+ if (rval)
+- goto error;
++ goto error_free;
+ }
+ kfree(params);
+ }
+-error:
++ return rval;
++
++error_free:
++ kfree(params);
+ return rval;
+ }
+
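Review bot: With the new `if (!params) return -ENOMEM;` in ipipe_s_config(), `to` is derived from a non-NULL `params` and can never be NULL, so the `to &&` terms in both branch conditions are dead; `if (from && size)` and `else if (!from && size)` express the same thing. Moving `params` to function scope also leaves it dangling after the in-loop `kfree(params)`. That is safe only because `error_free` is reached solely from before that kfree, which deserves a comment at the label such as `/* only reached with a live params from the current iteration */`.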
+--
+2.20.1
+
--- /dev/null
+From 215134793f9aa5b389e87452660bcf3b42c417cb Mon Sep 17 00:00:00 2001
+From: Shailendra Verma <shailendra.v@samsung.com>
+Date: Thu, 24 Nov 2016 23:57:34 -0500
+Subject: media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
+ initialization fails.
+
+[ Upstream commit 6995a659101bd4effa41cebb067f9dc18d77520d ]
+
+Fix a possible memory leak if the decoder initialization
+fails. Free the memory allocated for the file handle object
+before returning in case decoder initialization fails.
+
+Signed-off-by: Shailendra Verma <shailendra.v@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/davinci_vpfe/vpfe_video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+index 510202a3b091..84cca18e3e9d 100644
+--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
++++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+@@ -419,6 +419,9 @@ static int vpfe_open(struct file *file)
+ /* If decoder is not initialized. initialize it */
+ if (!video->initialized && vpfe_update_pipe_state(video)) {
+ mutex_unlock(&video->lock);
++ v4l2_fh_del(&handle->vfh);
++ v4l2_fh_exit(&handle->vfh);
++ kfree(handle);
+ return -ENODEV;
+ }
+ /* Increment device users counter */
+--
+2.20.1
+
--- /dev/null
+From ec718a882bf5d80366155f39e512f0754257bcc8 Mon Sep 17 00:00:00 2001
+From: Vandana BN <bnvandana@gmail.com>
+Date: Wed, 22 May 2019 04:34:15 -0400
+Subject: media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in
+ zr364xx_vidioc_querycap
+
+[ Upstream commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e ]
+
+SyzKaller hit the null pointer deref while reading from uninitialized
+udev->product in zr364xx_vidioc_querycap().
+
+==================================================================
+BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
+include/linux/compiler.h:274
+Read of size 1 at addr 0000000000000000 by task v4l_id/5287
+
+CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe8/0x16e lib/dump_stack.c:113
+ kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
+ read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
+ strscpy+0x8a/0x280 lib/string.c:207
+ zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
+ v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
+ __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
+ video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
+ v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
+ ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f3b56d8b347
+Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
+ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
+RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
+RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
+R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
+==================================================================
+
+For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
+
+The fix is to check for NULL before strscpy() and copy empty string, if
+product is NULL
+
+Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
+Signed-off-by: Vandana BN <bnvandana@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c
+index 37a7992585df..48803eb773ed 100644
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -694,7 +694,8 @@ static int zr364xx_vidioc_querycap(struct file *file, void *priv,
+ struct zr364xx_camera *cam = video_drvdata(file);
+
+ strscpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
+- strscpy(cap->card, cam->udev->product, sizeof(cap->card));
++ if (cam->udev->product)
++ strscpy(cap->card, cam->udev->product, sizeof(cap->card));
+ strscpy(cap->bus_info, dev_name(&cam->udev->dev),
+ sizeof(cap->bus_info));
+ cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |
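Review bot: When `cam->udev->product` is NULL the new `if` skips the copy and leaves `cap->card` untouched, whereas the commit message says an empty string is copied. That is only safe if the caller passes in a zeroed `struct v4l2_capability`, which this hunk does not show. Making it explicit costs one branch: `else cap->card[0] = '\0';`. zr364xx_vidioc_querycap continues past the end of the hunk.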
+--
+2.20.1
+
--- /dev/null
+From 8ea70f40d1bce9339135483a88fe54591ebb19f9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Apr 2019 08:28:14 -0400
+Subject: media: uvcvideo: Fix access to uninitialized fields on probe error
+
+[ Upstream commit 11a087f484bf15ff65f0a9f277aa5a61fd07ed2a ]
+
+We need to check whether this work we are canceling actually is
+initialized.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+2e1ef9188251d9cc7944@syzkaller.appspotmail.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index 26163a5bde7d..e399b9fad757 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -2345,7 +2345,9 @@ void uvc_ctrl_cleanup_device(struct uvc_device *dev)
+ struct uvc_entity *entity;
+ unsigned int i;
+
+- cancel_work_sync(&dev->async_ctrl.work);
++ /* Can be uninitialized if we are aborting on probe error. */
++ if (dev->async_ctrl.work.func)
++ cancel_work_sync(&dev->async_ctrl.work);
+
+ /* Free controls and control mappings for all entities. */
+ list_for_each_entry(entity, &dev->entities, list) {
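Review bot: The `dev->async_ctrl.work.func` test only works if `dev` was zero-allocated and initialising the work item is the first thing that sets `func`; neither is visible in this hunk, and the new comment does not say so. I would spell the dependency out, for example `/* work.func stays NULL until the work is initialised (relies on dev being zero-allocated); skip the cancel when aborting on probe error. */`. That way a later change to how the device is allocated, or to where the work is set up, does not silently bring back the access to uninitialised fields. uvc_ctrl_cleanup_device continues past the hunk.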
+--
+2.20.1
+
--- /dev/null
+From 33456cd97b288f0ea26b812ea9d675dc29e9a4bc Mon Sep 17 00:00:00 2001
+From: sumitg <sumitg@nvidia.com>
+Date: Fri, 17 May 2019 09:53:42 -0400
+Subject: media: v4l2-core: fix use-after-free error
+
+[ Upstream commit 3e0f724346e96daae7792262c6767449795ac3b5 ]
+
+Fixing use-after-free within __v4l2_ctrl_handler_setup().
+Memory is being freed with kfree(new_ref) for duplicate
+control reference entry but ctrl->cluster pointer is still
+referring to freed duplicate entry resulting in error on
+access. Change done to update cluster pointer only when new
+control reference is added.
+
+ ==================================================================
+ BUG: KASAN: use-after-free in __v4l2_ctrl_handler_setup+0x388/0x428
+ Read of size 8 at addr ffffffc324e78618 by task systemd-udevd/312
+
+ Allocated by task 312:
+
+ Freed by task 312:
+
+ The buggy address belongs to the object at ffffffc324e78600
+ which belongs to the cache kmalloc-64 of size 64
+ The buggy address is located 24 bytes inside of
+ 64-byte region [ffffffc324e78600, ffffffc324e78640)
+ The buggy address belongs to the page:
+ page:ffffffbf0c939e00 count:1 mapcount:0 mapping:
+ (null) index:0xffffffc324e78f80
+ flags: 0x4000000000000100(slab)
+ raw: 4000000000000100 0000000000000000 ffffffc324e78f80 000000018020001a
+ raw: 0000000000000000 0000000100000001 ffffffc37040fb80 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffffffc324e78500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffffffc324e78580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ >ffffffc324e78600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffffffc324e78680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+ ffffffc324e78700: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+ ==================================================================
+
+Suggested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c
+index 7d3a33258748..3c720f54efa8 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -2149,15 +2149,6 @@ static int handler_new_ref(struct v4l2_ctrl_handler *hdl,
+ if (size_extra_req)
+ new_ref->p_req.p = &new_ref[1];
+
+- if (ctrl->handler == hdl) {
+- /* By default each control starts in a cluster of its own.
+- new_ref->ctrl is basically a cluster array with one
+- element, so that's perfect to use as the cluster pointer.
+- But only do this for the handler that owns the control. */
+- ctrl->cluster = &new_ref->ctrl;
+- ctrl->ncontrols = 1;
+- }
+-
+ INIT_LIST_HEAD(&new_ref->node);
+
+ mutex_lock(hdl->lock);
+@@ -2190,6 +2181,15 @@ static int handler_new_ref(struct v4l2_ctrl_handler *hdl,
+ hdl->buckets[bucket] = new_ref;
+ if (ctrl_ref)
+ *ctrl_ref = new_ref;
++ if (ctrl->handler == hdl) {
++ /* By default each control starts in a cluster of its own.
++ * new_ref->ctrl is basically a cluster array with one
++ * element, so that's perfect to use as the cluster pointer.
++ * But only do this for the handler that owns the control.
++ */
++ ctrl->cluster = &new_ref->ctrl;
++ ctrl->ncontrols = 1;
++ }
+
+ unlock:
+ mutex_unlock(hdl->lock);
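Review bot: The relocated comment still explains only what the cluster pointer is, not why the assignment now has to sit here, after `*ctrl_ref = new_ref;`. According to the commit message an earlier path frees `new_ref` for a duplicate entry, so setting `ctrl->cluster` before that decision leaves it pointing at freed memory. One extra line such as `/* Set only once new_ref is kept: a duplicate ref is freed and must never be reachable through ctrl->cluster. */` would keep the block from being hoisted back. The duplicate check itself lies between the two hunks of handler_new_ref and is not visible here.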
+--
+2.20.1
+
--- /dev/null
+From 041b7d7deccb910fd293ab00fb40b07b0d85ea14 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 6 May 2019 03:05:15 -0400
+Subject: media: venus: firmware: fix leaked of_node references
+
+[ Upstream commit 2c41cc0be07b5ee2f1167f41cd8a86fc5b53d82c ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+drivers/media/platform/qcom/venus/firmware.c:90:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 82, but without a corresponding object release within this function.
+drivers/media/platform/qcom/venus/firmware.c:94:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 82, but without a corresponding object release within this function.
+drivers/media/platform/qcom/venus/firmware.c:128:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 82, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Acked-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/firmware.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/firmware.c b/drivers/media/platform/qcom/venus/firmware.c
+index 1eba23409ff3..d3d1748a7ef6 100644
+--- a/drivers/media/platform/qcom/venus/firmware.c
++++ b/drivers/media/platform/qcom/venus/firmware.c
+@@ -78,11 +78,11 @@ static int venus_load_fw(struct venus_core *core, const char *fwname,
+
+ ret = of_address_to_resource(node, 0, &r);
+ if (ret)
+- return ret;
++ goto err_put_node;
+
+ ret = request_firmware(&mdt, fwname, dev);
+ if (ret < 0)
+- return ret;
++ goto err_put_node;
+
+ fw_size = qcom_mdt_get_size(mdt);
+ if (fw_size < 0) {
+@@ -116,6 +116,8 @@ static int venus_load_fw(struct venus_core *core, const char *fwname,
+ memunmap(mem_va);
+ err_release_fw:
+ release_firmware(mdt);
++err_put_node:
++ of_node_put(node);
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 69bb5d5d555e9a6b9572145eeb93e65445969fcf Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Mon, 13 May 2019 03:18:29 -0400
+Subject: media: vim2m: fix two double-free issues
+
+[ Upstream commit 20059cbbf981ca954be56f7963ae494d18e2dda1 ]
+
+vim2m_device_release() will be called by video_unregister_device() to release
+various objects.
+
+There are two double-free issue,
+1. dev->m2m_dev will be freed twice in error_m2m path/vim2m_device_release
+2. the error_v4l2 and error_free path in vim2m_probe() will release
+ same objects, since vim2m_device_release has done.
+
+Fixes: ea6c7e34f3b2 ("media: vim2m: replace devm_kzalloc by kzalloc")
+
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vim2m.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/vim2m.c b/drivers/media/platform/vim2m.c
+index 243c82b5d537..acd3bd48c7e2 100644
+--- a/drivers/media/platform/vim2m.c
++++ b/drivers/media/platform/vim2m.c
+@@ -1359,7 +1359,7 @@ static int vim2m_probe(struct platform_device *pdev)
+ MEDIA_ENT_F_PROC_VIDEO_SCALER);
+ if (ret) {
+ v4l2_err(&dev->v4l2_dev, "Failed to init mem2mem media controller\n");
+- goto error_m2m;
++ goto error_dev;
+ }
+
+ ret = media_device_register(&dev->mdev);
+@@ -1373,11 +1373,11 @@ static int vim2m_probe(struct platform_device *pdev)
+ #ifdef CONFIG_MEDIA_CONTROLLER
+ error_m2m_mc:
+ v4l2_m2m_unregister_media_controller(dev->m2m_dev);
+-error_m2m:
+- v4l2_m2m_release(dev->m2m_dev);
+ #endif
+ error_dev:
+ video_unregister_device(&dev->vfd);
++ /* vim2m_device_release called by video_unregister_device to release various objects */
++ return ret;
+ error_v4l2:
+ v4l2_device_unregister(&dev->v4l2_dev);
+ error_free:
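Review bot: The bare `return ret;` under `error_dev:` cuts the unwind ladder in two, and the long one-line comment above it states the mechanism but not the rule a maintainer needs, namely that nothing after `video_unregister_device()` may touch `dev`. I would reword it to something like `/* vim2m_device_release() now owns dev and its members; do not fall through to the labels below. */`. It is also worth confirming, outside this hunk, that every object the release callback frees is valid on each path that reaches `error_dev`, for example `dev->m2m_dev` if a goto is taken before it has been set successfully. The rest of vim2m_probe's error ladder continues past the hunk.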
+--
+2.20.1
+
--- /dev/null
+From 95929ef4681ba5152d71e052016e38f937f46b5a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Almeida?= <andrealmeid@collabora.com>
+Date: Mon, 17 Jun 2019 12:28:02 -0400
+Subject: media: vimc: cap: check v4l2_fill_pixfmt return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 77ae46e11df5c96bb4582633851f838f5d954df4 ]
+
+v4l2_fill_pixfmt() returns -EINVAL if the pixelformat used as parameter is
+invalid or if the user is trying to use a multiplanar format with the
+singleplanar API. Currently, the vimc_cap_try_fmt_vid_cap() returns such
+value, but vimc_cap_s_fmt_vid_cap() is ignoring it. Fix that and returns
+an error value if vimc_cap_try_fmt_vid_cap() has failed.
+
+Signed-off-by: André Almeida <andrealmeid@collabora.com>
+Suggested-by: Helen Koike <helen.koike@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vimc/vimc-capture.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vimc/vimc-capture.c b/drivers/media/platform/vimc/vimc-capture.c
+index 946dc0908566..664855708fdf 100644
+--- a/drivers/media/platform/vimc/vimc-capture.c
++++ b/drivers/media/platform/vimc/vimc-capture.c
+@@ -142,12 +142,15 @@ static int vimc_cap_s_fmt_vid_cap(struct file *file, void *priv,
+ struct v4l2_format *f)
+ {
+ struct vimc_cap_device *vcap = video_drvdata(file);
++ int ret;
+
+ /* Do not change the format while stream is on */
+ if (vb2_is_busy(&vcap->queue))
+ return -EBUSY;
+
+- vimc_cap_try_fmt_vid_cap(file, priv, f);
++ ret = vimc_cap_try_fmt_vid_cap(file, priv, f);
++ if (ret)
++ return ret;
+
+ dev_dbg(vcap->dev, "%s: format update: "
+ "old:%dx%d (0x%x, %d, %d, %d, %d) "
+--
+2.20.1
+
--- /dev/null
+From bb0c3f6019fba32483f3c58ca7ed5ae7639fed53 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 22 Mar 2019 22:51:06 -0400
+Subject: media: vpss: fix a potential NULL pointer dereference
+
+[ Upstream commit e08f0761234def47961d3252eac09ccedfe4c6a0 ]
+
+In case ioremap fails, the fix returns -ENOMEM to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/davinci/vpss.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index 3f079ac1b080..be91b0c7d20b 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -509,6 +509,11 @@ static int __init vpss_init(void)
+ return -EBUSY;
+
+ oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
++ if (unlikely(!oper_cfg.vpss_regs_base2)) {
++ release_mem_region(VPSS_CLK_CTRL, 4);
++ return -ENOMEM;
++ }
++
+ writel(VPSS_CLK_CTRL_VENCCLKEN |
+ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
+
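Review bot: `unlikely()` on the `ioremap()` result adds nothing in a function marked `__init` that runs once, and the region size `4` is now written out in both `ioremap(VPSS_CLK_CTRL, 4)` and `release_mem_region(VPSS_CLK_CTRL, 4)`. A plain `if (!oper_cfg.vpss_regs_base2) {` and a named size constant would keep the map and the release in step. vpss_init continues after the hunk; any failure later in the function would need the matching `iounmap()` and `release_mem_region()` as well, which cannot be checked from here.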
+--
+2.20.1
+
--- /dev/null
+From 2095110286179d7f53664938541a1a2997abdcb6 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 30 May 2019 03:25:49 -0400
+Subject: media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
+
+[ Upstream commit 69fbb3f47327d959830c94bf31893972b8c8f700 ]
+
+X-Originating-IP: [10.175.113.25]
+X-CFilter-Loop: Reflected
+fm_v4l2_init_video_device() forgets to unregister the v4l2/video device
+in the error path, which can lead to a use-after-free, e.g.:
+
+ BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
+
+ CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xa9/0x10e lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ fm_v4l2_fops_open+0xac/0x120 [fm_drv]
+ v4l2_open+0x191/0x390 [videodev]
+ chrdev_open+0x20d/0x570 fs/char_dev.c:417
+ do_dentry_open+0x700/0xf30 fs/open.c:777
+ do_last fs/namei.c:3416 [inline]
+ path_openat+0x7c4/0x2a90 fs/namei.c:3532
+ do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
+ do_sys_open+0x302/0x490 fs/open.c:1069
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f8180c17c8e
+ ...
+ Allocated by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+ fm_drv_init+0x13/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ Freed by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+ slab_free_hook mm/slub.c:1429 [inline]
+ slab_free_freelist_hook mm/slub.c:1456 [inline]
+ slab_free mm/slub.c:3003 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3958
+ fm_drv_init+0x1e6/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Add relevant unregister functions to fix it.
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/wl128x/fmdrv_v4l2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_v4l2.c b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+index c80a6df47f5e..469366dae1d5 100644
+--- a/drivers/media/radio/wl128x/fmdrv_v4l2.c
++++ b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+@@ -541,6 +541,7 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+
+ /* Register with V4L2 subsystem as RADIO device */
+ if (video_register_device(&gradio_dev, VFL_TYPE_RADIO, radio_nr)) {
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ fmerr("Could not register video device\n");
+ return -ENOMEM;
+ }
+@@ -554,6 +555,8 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+ if (ret < 0) {
+ fmerr("(fmdev): Can't init ctrl handler\n");
+ v4l2_ctrl_handler_free(&fmdev->ctrl_handler);
++ video_unregister_device(fmdev->radio_dev);
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ return -EBUSY;
+ }
+
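Review bot: Both error paths now unwind, but the setup order still exposes the device node before it is fully initialised: `video_register_device()` runs ahead of the control handler setup, and the KASAN trace in the commit message shows `fm_v4l2_fops_open` touching memory freed by the failed init. Registering the video device as the last step of fm_v4l2_init_video_device, once the control handler is ready, would close that window rather than only cleaning up after it. Separately, the first path returns `-ENOMEM` and this one `-EBUSY` whatever the real failure was; `return ret;` here would pass the handler error through. The function body extends beyond both hunks.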
+--
+2.20.1
+
--- /dev/null
+From 16a3661a4571f114d663f27ef26fe7aede003b30 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Tue, 14 May 2019 11:18:52 +0200
+Subject: mt76: mt7615: do not process rx packets if the device is not
+ initialized
+
+[ Upstream commit 2dcb79cde6129d948a237ef7b48a73a0c82f1e01 ]
+
+Fix following crash that occurs when the driver is processing rx packets
+while the device is not initialized yet
+
+$ rmmod mt7615e
+[ 67.210261] mt7615e 0000:01:00.0: Message -239 (seq 2) timeout
+$ modprobe mt7615e
+[ 72.406937] bus=0x1, slot = 0x0, irq=0x16
+[ 72.436590] CPU 0 Unable to handle kernel paging request at virtual address 00000004, epc == 8eec4240, ra == 8eec41e0
+[ 72.450291] mt7615e 0000:01:00.0: Firmware is not ready for download
+[ 72.457724] Oops[#1]:
+[ 72.470494] mt7615e: probe of 0000:01:00.0 failed with error -5
+[ 72.474829] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.114 #0
+[ 72.498702] task: 805769e0 task.stack: 80564000
+[ 72.507709] $ 0 : 00000000 00000001 00000000 00000001
+[ 72.518106] $ 4 : 8f704dbc 00000000 00000000 8f7046c0
+[ 72.528500] $ 8 : 00000024 8045e98c 81210008 11000000
+[ 72.538895] $12 : 8fc09f60 00000008 00000019 00000033
+[ 72.549289] $16 : 8f704d80 e00000ff 8f0c7800 3c182406
+[ 72.559684] $20 : 00000006 8ee615a0 4e000108 00000000
+[ 72.570078] $24 : 0000004c 8000cf94
+[ 72.580474] $28 : 80564000 8fc09e38 00000001 8eec41e0
+[ 72.590869] Hi : 00000001
+[ 72.596582] Lo : 00000000
+[ 72.602319] epc : 8eec4240 mt7615_mac_fill_rx+0xac/0x494 [mt7615e]
+[ 72.614953] ra : 8eec41e0 mt7615_mac_fill_rx+0x4c/0x494 [mt7615e]
+[ 72.627580] Status: 11008403 KERNEL EXL IE
+[ 72.635899] Cause : 40800008 (ExcCode 02)
+[ 72.643860] BadVA : 00000004
+[ 72.649573] PrId : 0001992f (MIPS 1004Kc)
+[ 72.657704] Modules linked in: mt7615e pppoe ppp_async pppox ppp_generic nf_conntrack_ipv6 mt76x2e mt76x2_common mt76x02_lib mt7603e mt76 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_mu]
+[ 72.792717] Process swapper/0 (pid: 0, threadinfo=80564000, task=805769e0, tls=00000000)
+[ 72.808799] Stack : 8f0c7800 00000800 8f0c7800 8032b874 00000000 40000000 8f704d80 8ee615a0
+[ 72.825428] 8dc88010 00000001 8ee615e0 8eec09b0 8dc88010 8032b914 8f3aee80 80567d20
+[ 72.842055] 00000000 8ee615e0 40000000 8f0c7800 00000108 8eec9944 00000000 00000000
+[ 72.858682] 80508f10 80510000 00000001 80567d20 8ee615a0 00000000 00000000 8ee61c00
+[ 72.875308] 8ee61c40 00000040 80610000 80580000 00000000 8ee615dc 8ee61a68 00000001
+[ 72.891936] ...
+[ 72.896793] Call Trace:
+[ 72.901649] [<8eec4240>] mt7615_mac_fill_rx+0xac/0x494 [mt7615e]
+[ 72.913602] [<8eec09b0>] mt7615_queue_rx_skb+0xe4/0x12c [mt7615e]
+[ 72.925734] [<8eec9944>] mt76_dma_cleanup+0x390/0x42c [mt76]
+[ 72.936988] Code: ae020018 8ea20004 24030001 <94420004> a602002a 8ea20004 90420000 14430003 a2020034
+[ 72.956390]
+[ 72.959676] ---[ end trace f176967739edb19f ]---
+
+Fixes: 04b8e65922f6 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+index b8f48d10f27a..a27bc6791aa7 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -96,6 +96,9 @@ int mt7615_mac_fill_rx(struct mt7615_dev *dev, struct sk_buff *skb)
+ bool unicast, remove_pad, insert_ccmp_hdr = false;
+ int i, idx;
+
++ if (!test_bit(MT76_STATE_RUNNING, &dev->mt76.state))
++ return -EINVAL;
++
+ memset(status, 0, sizeof(*status));
+
+ unicast = (rxd1 & MT_RXD1_NORMAL_ADDR_TYPE) == MT_RXD1_NORMAL_U2M;
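Review bot: The new `MT76_STATE_RUNNING` guard carries no comment, and it is not obvious from mt7615_mac_fill_rx alone why an rx frame can arrive before the device is running. The trace in the commit message shows the call coming from `mt76_dma_cleanup` through `mt7615_queue_rx_skb`, so a line such as `/* rx queues can be drained before init completes (e.g. from mt76_dma_cleanup); drop the frame */` above the check would record that. The caller is outside the hunk, so confirm it frees the skb when this function returns non-zero.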
+--
+2.20.1
+
--- /dev/null
+From e2213b5e680624f877d3858d099de8b2c19c51c5 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Fri, 7 Jun 2019 13:48:09 +0200
+Subject: mt7601u: do not schedule rx_tasklet when the device has been
+ disconnected
+
+[ Upstream commit 4079e8ccabc3b6d1b503f2376123cb515d14921f ]
+
+Do not schedule rx_tasklet when the usb dongle is disconnected.
+Moreover do not grab rx_lock in mt7601u_kill_rx since usb_poison_urb
+can run concurrently with urb completion and we can unlink urbs from rx
+ring in any order.
+This patch fixes the common kernel warning reported when
+the device is removed.
+
+[ 24.921354] usb 3-14: USB disconnect, device number 7
+[ 24.921593] ------------[ cut here ]------------
+[ 24.921594] RX urb mismatch
+[ 24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[ 24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G OE 4.19.31-041931-generic #201903231635
+[ 24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014
+[ 24.921782] Workqueue: usb_hub_wq hub_event
+[ 24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[ 24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086
+[ 24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006
+[ 24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420
+[ 24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8
+[ 24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c
+[ 24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000
+[ 24.921807] FS: 0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000
+[ 24.921808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0
+[ 24.921809] Call Trace:
+[ 24.921812] <IRQ>
+[ 24.921819] __usb_hcd_giveback_urb+0x8b/0x140
+[ 24.921821] usb_hcd_giveback_urb+0xca/0xe0
+[ 24.921828] xhci_giveback_urb_in_irq.isra.42+0x82/0xf0
+[ 24.921834] handle_cmd_completion+0xe02/0x10d0
+[ 24.921837] xhci_irq+0x274/0x4a0
+[ 24.921838] xhci_msi_irq+0x11/0x20
+[ 24.921851] __handle_irq_event_percpu+0x44/0x190
+[ 24.921856] handle_irq_event_percpu+0x32/0x80
+[ 24.921861] handle_irq_event+0x3b/0x5a
+[ 24.921867] handle_edge_irq+0x80/0x190
+[ 24.921874] handle_irq+0x20/0x30
+[ 24.921889] do_IRQ+0x4e/0xe0
+[ 24.921891] common_interrupt+0xf/0xf
+[ 24.921892] </IRQ>
+[ 24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180
+[ 24.921354] usb 3-14: USB disconnect, device number 7
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 33 +++++++++++----------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index 66d60283e456..0faa3db6fde4 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -185,10 +185,23 @@ static void mt7601u_complete_rx(struct urb *urb)
+ struct mt7601u_rx_queue *q = &dev->rx_q;
+ unsigned long flags;
+
+- spin_lock_irqsave(&dev->rx_lock, flags);
++ /* do no schedule rx tasklet if urb has been unlinked
++ * or the device has been removed
++ */
++ switch (urb->status) {
++ case -ECONNRESET:
++ case -ESHUTDOWN:
++ case -ENOENT:
++ return;
++ default:
++ dev_err_ratelimited(dev->dev, "rx urb failed: %d\n",
++ urb->status);
++ /* fall through */
++ case 0:
++ break;
++ }
+
+- if (mt7601u_urb_has_error(urb))
+- dev_err(dev->dev, "Error: RX urb failed:%d\n", urb->status);
++ spin_lock_irqsave(&dev->rx_lock, flags);
+ if (WARN_ONCE(q->e[q->end].urb != urb, "RX urb mismatch"))
+ goto out;
+
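Review bot: The comment opening the new switch has a typo, `do no schedule` should read `do not schedule`, and putting `default:` ahead of `case 0:` with a fall-through makes the success path the hardest one to spot. Listing `case 0: break;` first and ending with `default:` compiles to the same thing and needs no fall-through marker. The early `return` also leaves before `rx_lock` is taken, so `q->end` does not advance for an unlinked urb; that looks intended for teardown but deserves a word in the comment. mt7601u_complete_rx continues past the hunk.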
+@@ -355,19 +368,9 @@ int mt7601u_dma_enqueue_tx(struct mt7601u_dev *dev, struct sk_buff *skb,
+ static void mt7601u_kill_rx(struct mt7601u_dev *dev)
+ {
+ int i;
+- unsigned long flags;
+
+- spin_lock_irqsave(&dev->rx_lock, flags);
+-
+- for (i = 0; i < dev->rx_q.entries; i++) {
+- int next = dev->rx_q.end;
+-
+- spin_unlock_irqrestore(&dev->rx_lock, flags);
+- usb_poison_urb(dev->rx_q.e[next].urb);
+- spin_lock_irqsave(&dev->rx_lock, flags);
+- }
+-
+- spin_unlock_irqrestore(&dev->rx_lock, flags);
++ for (i = 0; i < dev->rx_q.entries; i++)
++ usb_poison_urb(dev->rx_q.e[i].urb);
+ }
+
+ static int mt7601u_submit_rx_buf(struct mt7601u_dev *dev,
+--
+2.20.1
+
--- /dev/null
+From ed046078c058580ea44cc86861ddb7eabab0b7f5 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Fri, 7 Jun 2019 13:48:10 +0200
+Subject: mt7601u: fix possible memory leak when the device is disconnected
+
+[ Upstream commit 23377c200b2eb48a60d0f228b2a2e75ed6ee6060 ]
+
+When the device is disconnected while passing traffic it is possible
+to receive out of order urbs causing a memory leak since the skb linked
+to the current tx urb is not removed. Fix the issue deallocating the skb
+cleaning up the tx ring. Moreover this patch fixes the following kernel
+warning
+
+[ 57.480771] usb 1-1: USB disconnect, device number 2
+[ 57.483451] ------------[ cut here ]------------
+[ 57.483462] TX urb mismatch
+[ 57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
+[ 57.483483] Modules linked in:
+[ 57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
+[ 57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[ 57.483502] Workqueue: usb_hub_wq hub_event
+[ 57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
+[ 57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
+[ 57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
+[ 57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
+[ 57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
+[ 57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
+[ 57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
+[ 57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
+[ 57.483548] FS: 0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
+[ 57.483550] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
+[ 57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 57.483559] Call Trace:
+[ 57.483561] <IRQ>
+[ 57.483565] __usb_hcd_giveback_urb+0x77/0xe0
+[ 57.483570] xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
+[ 57.483574] handle_cmd_completion+0xf5b/0x12c0
+[ 57.483577] xhci_irq+0x1f6/0x1810
+[ 57.483581] ? lockdep_hardirqs_on+0x9e/0x180
+[ 57.483584] ? _raw_spin_unlock_irq+0x24/0x30
+[ 57.483588] __handle_irq_event_percpu+0x3a/0x260
+[ 57.483592] handle_irq_event_percpu+0x1c/0x60
+[ 57.483595] handle_irq_event+0x2f/0x4c
+[ 57.483599] handle_edge_irq+0x7e/0x1a0
+[ 57.483603] handle_irq+0x17/0x20
+[ 57.483607] do_IRQ+0x54/0x110
+[ 57.483610] common_interrupt+0xf/0xf
+[ 57.483612] </IRQ>
+
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 21 ++++++++++++++++-----
+ drivers/net/wireless/mediatek/mt7601u/tx.c | 4 ++--
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index 0faa3db6fde4..f6a0454abe04 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -233,14 +233,25 @@ static void mt7601u_complete_tx(struct urb *urb)
+ struct sk_buff *skb;
+ unsigned long flags;
+
+- spin_lock_irqsave(&dev->tx_lock, flags);
++ switch (urb->status) {
++ case -ECONNRESET:
++ case -ESHUTDOWN:
++ case -ENOENT:
++ return;
++ default:
++ dev_err_ratelimited(dev->dev, "tx urb failed: %d\n",
++ urb->status);
++ /* fall through */
++ case 0:
++ break;
++ }
+
+- if (mt7601u_urb_has_error(urb))
+- dev_err(dev->dev, "Error: TX urb failed:%d\n", urb->status);
++ spin_lock_irqsave(&dev->tx_lock, flags);
+ if (WARN_ONCE(q->e[q->start].urb != urb, "TX urb mismatch"))
+ goto out;
+
+ skb = q->e[q->start].skb;
++ q->e[q->start].skb = NULL;
+ trace_mt_tx_dma_done(dev, skb);
+
+ __skb_queue_tail(&dev->tx_skb_done, skb);
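Review bot: The early `return` for `-ECONNRESET`, `-ESHUTDOWN` and `-ENOENT` leaves the ring entry at `q->start` untouched, skb included, and nothing in the function says who releases it. A comment above the `return`, e.g. `/* URB was cancelled: leave the entry in place, mt7601u_free_tx_queue() completes its skb */`, would record that ownership hand-off. It matches the `if (q->e[i].skb)` branch added in the second hunk of this file. mt7601u_complete_tx starts and ends outside the hunk.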
+@@ -440,10 +451,10 @@ static void mt7601u_free_tx_queue(struct mt7601u_tx_queue *q)
+ {
+ int i;
+
+- WARN_ON(q->used);
+-
+ for (i = 0; i < q->entries; i++) {
+ usb_poison_urb(q->e[i].urb);
++ if (q->e[i].skb)
++ mt7601u_tx_status(q->dev, q->e[i].skb);
+ usb_free_urb(q->e[i].urb);
+ }
+ }
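Review bot: In mt7601u_free_tx_queue the skb handed to `mt7601u_tx_status()` stays in `q->e[i].skb` afterwards, so the ring entry keeps a pointer to a buffer it no longer owns. Adding `q->e[i].skb = NULL;` right after the call would mirror what the first hunk does in mt7601u_complete_tx. It would also keep a second pass over the ring from completing the same skb again, if this function can ever run twice for one queue, which the hunk does not show.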
+diff --git a/drivers/net/wireless/mediatek/mt7601u/tx.c b/drivers/net/wireless/mediatek/mt7601u/tx.c
+index 906e19c5f628..f3dff8319a4c 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/tx.c
++++ b/drivers/net/wireless/mediatek/mt7601u/tx.c
+@@ -109,9 +109,9 @@ void mt7601u_tx_status(struct mt7601u_dev *dev, struct sk_buff *skb)
+ info->status.rates[0].idx = -1;
+ info->flags |= IEEE80211_TX_STAT_ACK;
+
+- spin_lock(&dev->mac_lock);
++ spin_lock_bh(&dev->mac_lock);
+ ieee80211_tx_status(dev->hw, skb);
+- spin_unlock(&dev->mac_lock);
++ spin_unlock_bh(&dev->mac_lock);
+ }
+
+ static int mt7601u_skb_rooms(struct mt7601u_dev *dev, struct sk_buff *skb)
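Review bot: The switch to `spin_lock_bh()` carries no explanation of which caller needs it. Presumably mt7601u_tx_status is now also reached from mt7601u_free_tx_queue outside softirq context (the dma.c hunk adds that call), while the existing callers already run with bottom halves disabled. A line such as `/* also called from TX queue teardown in process context */` above the lock would keep the `_bh` variant from being simplified away later. The function starts outside the hunk.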
+--
+2.20.1
+
--- /dev/null
+From 5ca9cb869f1aa31e074077c2ab30b053485329bb Mon Sep 17 00:00:00 2001
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Thu, 6 Jun 2019 16:28:17 -0600
+Subject: net: axienet: Fix race condition causing TX hang
+
+[ Upstream commit 7de44285c1f69ccfbe8be1d6a16fcd956681fee6 ]
+
+It is possible that the interrupt handler fires and frees up space in
+the TX ring in between checking for sufficient TX ring space and
+stopping the TX queue in axienet_start_xmit. If this happens, the
+queue wake from the interrupt handler will occur before the queue is
+stopped, causing a lost wakeup and the adapter's transmit hanging.
+
+To avoid this, after stopping the queue, check again whether there is
+sufficient space in the TX ring. If so, wake up the queue again.
+
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/xilinx/xilinx_axienet_main.c | 20 ++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 831967f6eff8..65c16772e589 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -615,6 +615,10 @@ static void axienet_start_xmit_done(struct net_device *ndev)
+
+ ndev->stats.tx_packets += packets;
+ ndev->stats.tx_bytes += size;
++
++ /* Matches barrier in axienet_start_xmit */
++ smp_mb();
++
+ netif_wake_queue(ndev);
+ }
+
+@@ -670,9 +674,19 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ cur_p = &lp->tx_bd_v[lp->tx_bd_tail];
+
+ if (axienet_check_tx_bd_space(lp, num_frag)) {
+- if (!netif_queue_stopped(ndev))
+- netif_stop_queue(ndev);
+- return NETDEV_TX_BUSY;
++ if (netif_queue_stopped(ndev))
++ return NETDEV_TX_BUSY;
++
++ netif_stop_queue(ndev);
++
++ /* Matches barrier in axienet_start_xmit_done */
++ smp_mb();
++
++ /* Space might have just been freed - check again */
++ if (axienet_check_tx_bd_space(lp, num_frag))
++ return NETDEV_TX_BUSY;
++
++ netif_wake_queue(ndev);
+ }
+
+ if (skb->ip_summed == CHECKSUM_PARTIAL) {
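Review bot: The barrier comment `/* Matches barrier in axienet_start_xmit_done */` names the partner but not the accesses being ordered, which is what a later reader needs to judge whether the pairing still holds. Something like `/* Make the stopped state visible before re-reading ring space; pairs with smp_mb() in axienet_start_xmit_done() */` would say it, assuming axienet_check_tx_bd_space() reads the descriptor state that the completion path writes (its body is not in the hunk). The same applies to the comment added before `netif_wake_queue()` in the first hunk. axienet_start_xmit starts and ends outside the hunk.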
+--
+2.20.1
+
--- /dev/null
+From 8c91a5724dba8b42b9868950dbaace4d5243d095 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <olteanv@gmail.com>
+Date: Tue, 28 May 2019 20:38:17 +0300
+Subject: net: dsa: sja1105: Fix broken fixed-link interfaces on user ports
+
+[ Upstream commit af7cd0366ee994e8b35985d407261dc0ed9dfb4d ]
+
+PHYLIB and PHYLINK handle fixed-link interfaces differently. PHYLIB
+wraps them in a software PHY ("pseudo fixed link") phydev construct such
+that .adjust_link driver callbacks see an unified API. Whereas PHYLINK
+simply creates a phylink_link_state structure and passes it to
+.mac_config.
+
+At the time the driver was introduced, DSA was using PHYLIB for the
+CPU/cascade ports (the ones with no net devices) and PHYLINK for
+everything else.
+
+As explained below:
+
+commit aab9c4067d2389d0adfc9c53806437df7b0fe3d5
+Author: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu May 10 13:17:36 2018 -0700
+
+ net: dsa: Plug in PHYLINK support
+
+ Drivers that utilize fixed links for user-facing ports (e.g: bcm_sf2)
+ will need to implement phylink_mac_ops from now on to preserve
+ functionality, since PHYLINK *does not* create a phy_device instance
+ for fixed links.
+
+In the above patch, DSA guards the .phylink_mac_config callback against
+a NULL phydev pointer. Therefore, .adjust_link is not called in case of
+a fixed-link user port.
+
+This patch fixes the situation by converting the driver from using
+.adjust_link to .phylink_mac_config. This can be done now in a unified
+fashion for both slave and CPU/cascade ports because DSA now uses
+PHYLINK for all ports.
+
+Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 1c3959efebc4..844e038f3dc6 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -734,15 +734,16 @@ static int sja1105_adjust_port_config(struct sja1105_private *priv, int port,
+ return sja1105_clocking_setup_port(priv, port);
+ }
+
+-static void sja1105_adjust_link(struct dsa_switch *ds, int port,
+- struct phy_device *phydev)
++static void sja1105_mac_config(struct dsa_switch *ds, int port,
++ unsigned int link_an_mode,
++ const struct phylink_link_state *state)
+ {
+ struct sja1105_private *priv = ds->priv;
+
+- if (!phydev->link)
++ if (!state->link)
+ sja1105_adjust_port_config(priv, port, 0, false);
+ else
+- sja1105_adjust_port_config(priv, port, phydev->speed, true);
++ sja1105_adjust_port_config(priv, port, state->speed, true);
+ }
+
+ static void sja1105_phylink_validate(struct dsa_switch *ds, int port,
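Review bot: sja1105_mac_config discards the result of `sja1105_adjust_port_config()`, which returns `int` (the hunk header and the `return sja1105_clocking_setup_port(priv, port);` context line show that), so a failed speed or clocking update leaves the port misconfigured with nothing in the log. Since the callback is `void`, the error can at least be reported: `rc = sja1105_adjust_port_config(priv, port, state->speed, true);` followed by `if (rc) dev_err(ds->dev, "port %d: link configuration failed: %d\n", port, rc);`, and likewise for the link-down branch. The new `link_an_mode` parameter is unused; a one-line comment saying that is intentional would help.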
+@@ -1515,9 +1516,9 @@ static int sja1105_set_ageing_time(struct dsa_switch *ds,
+ static const struct dsa_switch_ops sja1105_switch_ops = {
+ .get_tag_protocol = sja1105_get_tag_protocol,
+ .setup = sja1105_setup,
+- .adjust_link = sja1105_adjust_link,
+ .set_ageing_time = sja1105_set_ageing_time,
+ .phylink_validate = sja1105_phylink_validate,
++ .phylink_mac_config = sja1105_mac_config,
+ .get_strings = sja1105_get_strings,
+ .get_ethtool_stats = sja1105_get_ethtool_stats,
+ .get_sset_count = sja1105_get_sset_count,
+--
+2.20.1
+
--- /dev/null
+From 7d9c5c4b3ab22d329a010ccd23cddadf85a76e61 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Sun, 23 Jun 2019 14:11:43 +0200
+Subject: net: ethernet: ti: cpsw: Assign OF node to slave devices
+
+[ Upstream commit 337d1727a3895775b5e5ef67d3ca0fea2e2ae768 ]
+
+Assign OF node to CPSW slave devices, otherwise it is not possible to
+bind e.g. DSA switch to them. Without this patch, the DSA code tries
+to find the ethernet device by OF match, but fails to do so because
+the slave device has NULL OF node.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 3 +++
+ drivers/net/ethernet/ti/cpsw_priv.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
+index 634fc484a0b3..4e3026f9abed 100644
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -2179,6 +2179,7 @@ static int cpsw_probe_dt(struct cpsw_platform_data *data,
+ return ret;
+ }
+
++ slave_data->slave_node = slave_node;
+ slave_data->phy_node = of_parse_phandle(slave_node,
+ "phy-handle", 0);
+ parp = of_get_property(slave_node, "phy_id", &lenp);
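Review bot: `slave_data->slave_node = slave_node;` stores the node pointer without taking a reference. If `slave_node` comes from a child-node iterator in cpsw_probe_dt (the loop is outside the hunk), the iterator drops its reference when it advances. The pointer later assigned to `ndev->dev.of_node` in the cpsw_probe and cpsw_probe_dual_emac hunks would then be held with no reference of its own. `slave_data->slave_node = of_node_get(slave_node);` with a matching `of_node_put()` on the teardown path would pin it. The next line already obtains a counted reference through `of_parse_phandle()`, so `phy_node` and `slave_node` otherwise end up with different lifetimes.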
+@@ -2330,6 +2331,7 @@ static int cpsw_probe_dual_emac(struct cpsw_priv *priv)
+
+ /* register the network device */
+ SET_NETDEV_DEV(ndev, cpsw->dev);
++ ndev->dev.of_node = cpsw->slaves[1].data->slave_node;
+ ret = register_netdev(ndev);
+ if (ret)
+ dev_err(cpsw->dev, "cpsw: error registering net device\n");
+@@ -2507,6 +2509,7 @@ static int cpsw_probe(struct platform_device *pdev)
+
+ /* register the network device */
+ SET_NETDEV_DEV(ndev, dev);
++ ndev->dev.of_node = cpsw->slaves[0].data->slave_node;
+ ret = register_netdev(ndev);
+ if (ret) {
+ dev_err(dev, "error registering net device\n");
+diff --git a/drivers/net/ethernet/ti/cpsw_priv.h b/drivers/net/ethernet/ti/cpsw_priv.h
+index 04795b97ee71..e32f11da2dce 100644
+--- a/drivers/net/ethernet/ti/cpsw_priv.h
++++ b/drivers/net/ethernet/ti/cpsw_priv.h
+@@ -272,6 +272,7 @@ struct cpsw_host_regs {
+ };
+
+ struct cpsw_slave_data {
++ struct device_node *slave_node;
+ struct device_node *phy_node;
+ char phy_id[MII_BUS_ID_SIZE];
+ int phy_if;
+--
+2.20.1
+
--- /dev/null
+From 79607556b89ecc4d77cfd6256f8c8171f3a9daad Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 6 Jun 2019 09:40:33 -0300
+Subject: net: fec: Do not use netdev messages too early
+
+[ Upstream commit a19a0582363b9a5f8ba812f34f1b8df394898780 ]
+
+When a valid MAC address is not found the current messages
+are shown:
+
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa
+
+Since the network device has not been registered at this point, it is better
+to use dev_err()/dev_info() instead, which will provide cleaner log
+messages like these:
+
+fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa
+
+Tested on a imx6dl-pico-pi board.
+
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 38f10f7dcbc3..831bb709e783 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1689,10 +1689,10 @@ static void fec_get_mac(struct net_device *ndev)
+ */
+ if (!is_valid_ether_addr(iap)) {
+ /* Report it and use a random ethernet address instead */
+- netdev_err(ndev, "Invalid MAC address: %pM\n", iap);
++ dev_err(&fep->pdev->dev, "Invalid MAC address: %pM\n", iap);
+ eth_hw_addr_random(ndev);
+- netdev_info(ndev, "Using random MAC address: %pM\n",
+- ndev->dev_addr);
++ dev_info(&fep->pdev->dev, "Using random MAC address: %pM\n",
++ ndev->dev_addr);
+ return;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 65ec62f8b8f0f14e32be2b6a842dbc346256c9af Mon Sep 17 00:00:00 2001
+From: Weihang Li <liweihang@hisilicon.com>
+Date: Mon, 3 Jun 2019 10:09:17 +0800
+Subject: net: hns3: add a check to pointer in error_detected and slot_reset
+
+[ Upstream commit 661262bc3e0ecc9a1aed39c6b2a99766da2c22e2 ]
+
+If we add a VF without loading hclgevf.ko and then there is a RAS error
+occurs, PCIe AER will call error_detected and slot_reset of all functions,
+and will get a NULL pointer when we check ad_dev->ops->handle_hw_ras_error.
+This will cause a call trace and failures on handling of follow-up RAS
+errors.
+
+This patch check ae_dev and ad_dev->ops at first to solve above issues.
+
+Signed-off-by: Weihang Li <liweihang@hisilicon.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index cd59c0cc636a..5611b990ac34 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -1916,9 +1916,9 @@ static pci_ers_result_t hns3_error_detected(struct pci_dev *pdev,
+ if (state == pci_channel_io_perm_failure)
+ return PCI_ERS_RESULT_DISCONNECT;
+
+- if (!ae_dev) {
++ if (!ae_dev || !ae_dev->ops) {
+ dev_err(&pdev->dev,
+- "Can't recover - error happened during device init\n");
++ "Can't recover - error happened before device initialized\n");
+ return PCI_ERS_RESULT_NONE;
+ }
+
+@@ -1937,6 +1937,9 @@ static pci_ers_result_t hns3_slot_reset(struct pci_dev *pdev)
+
+ dev_info(dev, "requesting reset due to PCI error\n");
+
++ if (!ae_dev || !ae_dev->ops)
++ return PCI_ERS_RESULT_NONE;
++
+ /* request the reset */
+ if (ae_dev->ops->reset_event) {
+ if (!ae_dev->override_pci_need_reset)
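Review bot: The new `if (!ae_dev || !ae_dev->ops)` guard in hns3_slot_reset comes after `dev_info(dev, "requesting reset due to PCI error\n")`, so the log claims a reset was requested on exactly the path that returns `PCI_ERS_RESULT_NONE` without requesting one. Moving the guard above the `dev_info()` and logging the reason, as hns3_error_detected does in the previous hunk, keeps the two callbacks consistent: `if (!ae_dev || !ae_dev->ops) { dev_err(dev, "Can't recover - error happened before device initialized\n"); return PCI_ERS_RESULT_NONE; }`. The function continues outside the hunk.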
+--
+2.20.1
+
--- /dev/null
+From e0cd50c13019e89e79c2b1328633398db73265b7 Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Fri, 28 Jun 2019 19:50:12 +0800
+Subject: net: hns3: add Asym Pause support to fix autoneg problem
+
+[ Upstream commit bc3781edcea017aa1a29abd953b776cdba298ce2 ]
+
+Local device and link partner config auto-negotiation on both,
+local device config pause frame use as: rx on/tx off,
+link partner config pause frame use as: rx off/tx on.
+
+We expect the result to be:
+Local device:
+Autonegotiate: on
+RX: on
+TX: off
+RX negotiated: on
+TX negotiated: off
+
+Link partner:
+Autonegotiate: on
+RX: off
+TX: on
+RX negotiated: off
+TX negotiated: on
+
+But actually, the result of Local device and link partner is both:
+Autonegotiate: on
+RX: off
+TX: off
+RX negotiated: off
+TX negotiated: off
+
+The root cause is that the supported flag is has only Pause,
+reference to the function genphy_config_advert():
+static int genphy_config_advert(struct phy_device *phydev)
+{
+ ...
+ linkmode_and(phydev->advertising, phydev->advertising,
+ phydev->supported);
+ ...
+}
+The pause frame use of link partner is rx off/tx on, so its
+advertising only set the bit Asym_Pause, and the supported is
+only set the bit Pause, so the result of linkmode_and(), is
+rx off/tx off.
+
+This patch adds Asym_Pause to the supported flag to fix it.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 1 +
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index f661281de36b..bab04d2d674a 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -1057,6 +1057,7 @@ static void hclge_parse_copper_link_mode(struct hclge_dev *hdev,
+ linkmode_set_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, supported);
+ linkmode_set_bit(ETHTOOL_LINK_MODE_TP_BIT, supported);
+ linkmode_set_bit(ETHTOOL_LINK_MODE_Pause_BIT, supported);
++ linkmode_set_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT, supported);
+ }
+
+ static void hclge_parse_link_mode(struct hclge_dev *hdev, u8 speed_ability)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 1e8134892d77..32d6a59b731a 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -224,6 +224,13 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle)
+ linkmode_and(phydev->supported, phydev->supported, mask);
+ linkmode_copy(phydev->advertising, phydev->supported);
+
++ /* supported flag is Pause and Asym Pause, but default advertising
++ * should be rx on, tx on, so need clear Asym Pause in advertising
++ * flag
++ */
++ linkmode_clear_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT,
++ phydev->advertising);
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 1ac32bbc93a92436d45dc449ea0fa514bbea1366 Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Fri, 28 Jun 2019 19:50:10 +0800
+Subject: net: hns3: add some error checking in hclge_tm module
+
+[ Upstream commit 04f25edb48c441fc278ecc154c270f16966cbb90 ]
+
+When hdev->tx_sch_mode is HCLGE_FLAG_VNET_BASE_SCH_MODE, the
+hclge_tm_schd_mode_vnet_base_cfg calls hclge_tm_pri_schd_mode_cfg
+with vport->vport_id as pri_id, which is used as index for
+hdev->tm_info.tc_info, it will cause out of bound access issue
+if vport_id is equal to or larger than HNAE3_MAX_TC.
+
+Also hardware only support maximum speed of HCLGE_ETHER_MAX_RATE.
+
+So this patch adds two checks for above cases.
+
+Fixes: 848440544b41 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+index a7bbb6d3091a..0d53062f7bb5 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+@@ -54,7 +54,8 @@ static int hclge_shaper_para_calc(u32 ir, u8 shaper_level,
+ u32 tick;
+
+ /* Calc tick */
+- if (shaper_level >= HCLGE_SHAPER_LVL_CNT)
++ if (shaper_level >= HCLGE_SHAPER_LVL_CNT ||
++ ir > HCLGE_ETHER_MAX_RATE)
+ return -EINVAL;
+
+ tick = tick_array[shaper_level];
+@@ -1124,6 +1125,9 @@ static int hclge_tm_schd_mode_vnet_base_cfg(struct hclge_vport *vport)
+ int ret;
+ u8 i;
+
++ if (vport->vport_id >= HNAE3_MAX_TC)
++ return -EINVAL;
++
+ ret = hclge_tm_pri_schd_mode_cfg(hdev, vport->vport_id);
+ if (ret)
+ return ret;
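Review bot: The bound on `vport->vport_id` is placed in hclge_tm_schd_mode_vnet_base_cfg, but the indexing it protects happens inside `hclge_tm_pri_schd_mode_cfg()` (per the commit description, on `hdev->tm_info.tc_info`), so any other caller of that helper is still unchecked. Moving the comparison to the top of the helper, against its priority-id argument, would cover every path. Writing it against `ARRAY_SIZE()` of the indexed array rather than `HNAE3_MAX_TC` would keep the check tied to the array if its declaration changes. The early `return -EINVAL;` is also silent; a `dev_err()` naming the rejected id would make a misconfigured vport diagnosable. The function body continues outside the hunk.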
+--
+2.20.1
+
--- /dev/null
+From 09f1e6842a7349f2a018a144fae04471a6cb312d Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Thu, 13 Jun 2019 17:12:31 +0800
+Subject: net: hns3: delay ring buffer clearing during reset
+
+[ Upstream commit 3a30964a2eef6aabd3ab18b979ea0eacf1147731 ]
+
+The driver may not be able to disable the ring through firmware
+when downing the netdev during reset process, which may cause
+hardware accessing freed buffer problem.
+
+This patch delays the ring buffer clearing to reset uninit
+process because hardware will not access the ring buffer after
+hardware reset is completed.
+
+Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3_enet.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index d18ad7b48a31..e0d3e2f9801d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -28,7 +28,7 @@
+ #define hns3_tx_bd_count(S) DIV_ROUND_UP(S, HNS3_MAX_BD_SIZE)
+
+ static void hns3_clear_all_ring(struct hnae3_handle *h);
+-static void hns3_force_clear_all_rx_ring(struct hnae3_handle *h);
++static void hns3_force_clear_all_ring(struct hnae3_handle *h);
+ static void hns3_remove_hw_addr(struct net_device *netdev);
+
+ static const char hns3_driver_name[] = "hns3";
+@@ -491,7 +491,12 @@ static void hns3_nic_net_down(struct net_device *netdev)
+ /* free irq resources */
+ hns3_nic_uninit_irq(priv);
+
+- hns3_clear_all_ring(priv->ae_handle);
++ /* delay ring buffer clearing to hns3_reset_notify_uninit_enet
++ * during reset process, because driver may not be able
++ * to disable the ring through firmware when downing the netdev.
++ */
++ if (!hns3_nic_resetting(netdev))
++ hns3_clear_all_ring(priv->ae_handle);
+ }
+
+ static int hns3_nic_net_stop(struct net_device *netdev)
+@@ -3883,7 +3888,7 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset)
+
+ hns3_del_all_fd_rules(netdev, true);
+
+- hns3_force_clear_all_rx_ring(handle);
++ hns3_force_clear_all_ring(handle);
+
+ hns3_uninit_phy(netdev);
+
+@@ -4055,7 +4060,7 @@ static void hns3_force_clear_rx_ring(struct hns3_enet_ring *ring)
+ }
+ }
+
+-static void hns3_force_clear_all_rx_ring(struct hnae3_handle *h)
++static void hns3_force_clear_all_ring(struct hnae3_handle *h)
+ {
+ struct net_device *ndev = h->kinfo.netdev;
+ struct hns3_nic_priv *priv = netdev_priv(ndev);
+@@ -4063,6 +4068,9 @@ static void hns3_force_clear_all_rx_ring(struct hnae3_handle *h)
+ u32 i;
+
+ for (i = 0; i < h->kinfo.num_tqps; i++) {
++ ring = priv->ring_data[i].ring;
++ hns3_clear_tx_ring(ring);
++
+ ring = priv->ring_data[i + h->kinfo.num_tqps].ring;
+ hns3_force_clear_rx_ring(ring);
+ }
+@@ -4297,7 +4305,8 @@ static int hns3_reset_notify_uninit_enet(struct hnae3_handle *handle)
+ return 0;
+ }
+
+- hns3_force_clear_all_rx_ring(handle);
++ hns3_clear_all_ring(handle);
++ hns3_force_clear_all_ring(handle);
+
+ hns3_nic_uninit_vector_data(priv);
+
+--
+2.20.1
+
--- /dev/null
+From 36074011509ec8c5c2e72cf8b67ef278cd58d2e3 Mon Sep 17 00:00:00 2001
+From: Jian Shen <shenjian15@huawei.com>
+Date: Thu, 4 Jul 2019 22:04:20 +0800
+Subject: net: hns3: enable broadcast promisc mode when initializing VF
+
+[ Upstream commit 2d5066fc175ea77a733d84df9ef414b34f311641 ]
+
+For revision 0x20, the broadcast promisc is enabled by firmware,
+it's unnecessary to enable it when initializing VF.
+
+For revision 0x21, it's necessary to enable broadcast promisc mode
+when initializing or re-initializing VF, otherwise, it will be
+unable to send and receive promisc packets.
+
+Fixes: f01f5559cac8 ("net: hns3: don't allow vf to enable promisc mode")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 5d53467ee2d2..3b02745605d4 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2512,6 +2512,12 @@ static int hclgevf_reset_hdev(struct hclgevf_dev *hdev)
+ return ret;
+ }
+
++ if (pdev->revision >= 0x21) {
++ ret = hclgevf_set_promisc_mode(hdev, true);
++ if (ret)
++ return ret;
++ }
++
+ dev_info(&hdev->pdev->dev, "Reset done\n");
+
+ return 0;
+@@ -2591,9 +2597,11 @@ static int hclgevf_init_hdev(struct hclgevf_dev *hdev)
+ * firmware makes sure broadcast packets can be accepted.
+ * For revision 0x21, default to enable broadcast promisc mode.
+ */
+- ret = hclgevf_set_promisc_mode(hdev, true);
+- if (ret)
+- goto err_config;
++ if (pdev->revision >= 0x21) {
++ ret = hclgevf_set_promisc_mode(hdev, true);
++ if (ret)
++ goto err_config;
++ }
+
+ /* Initialize RSS for this VF */
+ ret = hclgevf_rss_init_hw(hdev);
+--
+2.20.1
+
--- /dev/null
+From ca52bd7778b45e9339ba45ab2d0c2f0d3c80f177 Mon Sep 17 00:00:00 2001
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Fri, 28 Jun 2019 19:50:07 +0800
+Subject: net: hns3: fix __QUEUE_STATE_STACK_XOFF not cleared issue
+
+[ Upstream commit f96315f2f17e7b2580d2fec7c4d6a706a131d904 ]
+
+When change MTU or other operations, which just calling .reset_notify
+to do HNAE3_DOWN_CLIENT and HNAE3_UP_CLIENT, then
+the netdev_tx_reset_queue() in the hns3_clear_all_ring() will be
+ignored. So the dev_watchdog() may misdiagnose a TX timeout.
+
+This patch separates netdev_tx_reset_queue() from
+hns3_clear_all_ring(), and unifies hns3_clear_all_ring() and
+hns3_force_clear_all_ring into one, since they are doing
+similar things.
+
+Fixes: 3a30964a2eef ("net: hns3: delay ring buffer clearing during reset")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3_enet.c | 54 +++++++++----------
+ 1 file changed, 26 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index e0d3e2f9801d..66b691b7221f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -27,8 +27,7 @@
+ #define hns3_set_field(origin, shift, val) ((origin) |= ((val) << (shift)))
+ #define hns3_tx_bd_count(S) DIV_ROUND_UP(S, HNS3_MAX_BD_SIZE)
+
+-static void hns3_clear_all_ring(struct hnae3_handle *h);
+-static void hns3_force_clear_all_ring(struct hnae3_handle *h);
++static void hns3_clear_all_ring(struct hnae3_handle *h, bool force);
+ static void hns3_remove_hw_addr(struct net_device *netdev);
+
+ static const char hns3_driver_name[] = "hns3";
+@@ -466,6 +465,20 @@ static int hns3_nic_net_open(struct net_device *netdev)
+ return 0;
+ }
+
++static void hns3_reset_tx_queue(struct hnae3_handle *h)
++{
++ struct net_device *ndev = h->kinfo.netdev;
++ struct hns3_nic_priv *priv = netdev_priv(ndev);
++ struct netdev_queue *dev_queue;
++ u32 i;
++
++ for (i = 0; i < h->kinfo.num_tqps; i++) {
++ dev_queue = netdev_get_tx_queue(ndev,
++ priv->ring_data[i].queue_index);
++ netdev_tx_reset_queue(dev_queue);
++ }
++}
++
+ static void hns3_nic_net_down(struct net_device *netdev)
+ {
+ struct hns3_nic_priv *priv = netdev_priv(netdev);
+@@ -496,7 +509,9 @@ static void hns3_nic_net_down(struct net_device *netdev)
+ * to disable the ring through firmware when downing the netdev.
+ */
+ if (!hns3_nic_resetting(netdev))
+- hns3_clear_all_ring(priv->ae_handle);
++ hns3_clear_all_ring(priv->ae_handle, false);
++
++ hns3_reset_tx_queue(priv->ae_handle);
+ }
+
+ static int hns3_nic_net_stop(struct net_device *netdev)
+@@ -3888,7 +3903,7 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset)
+
+ hns3_del_all_fd_rules(netdev, true);
+
+- hns3_force_clear_all_ring(handle);
++ hns3_clear_all_ring(handle, true);
+
+ hns3_uninit_phy(netdev);
+
+@@ -4060,43 +4075,26 @@ static void hns3_force_clear_rx_ring(struct hns3_enet_ring *ring)
+ }
+ }
+
+-static void hns3_force_clear_all_ring(struct hnae3_handle *h)
+-{
+- struct net_device *ndev = h->kinfo.netdev;
+- struct hns3_nic_priv *priv = netdev_priv(ndev);
+- struct hns3_enet_ring *ring;
+- u32 i;
+-
+- for (i = 0; i < h->kinfo.num_tqps; i++) {
+- ring = priv->ring_data[i].ring;
+- hns3_clear_tx_ring(ring);
+-
+- ring = priv->ring_data[i + h->kinfo.num_tqps].ring;
+- hns3_force_clear_rx_ring(ring);
+- }
+-}
+-
+-static void hns3_clear_all_ring(struct hnae3_handle *h)
++static void hns3_clear_all_ring(struct hnae3_handle *h, bool force)
+ {
+ struct net_device *ndev = h->kinfo.netdev;
+ struct hns3_nic_priv *priv = netdev_priv(ndev);
+ u32 i;
+
+ for (i = 0; i < h->kinfo.num_tqps; i++) {
+- struct netdev_queue *dev_queue;
+ struct hns3_enet_ring *ring;
+
+ ring = priv->ring_data[i].ring;
+ hns3_clear_tx_ring(ring);
+- dev_queue = netdev_get_tx_queue(ndev,
+- priv->ring_data[i].queue_index);
+- netdev_tx_reset_queue(dev_queue);
+
+ ring = priv->ring_data[i + h->kinfo.num_tqps].ring;
+ /* Continue to clear other rings even if clearing some
+ * rings failed.
+ */
+- hns3_clear_rx_ring(ring);
++ if (force)
++ hns3_force_clear_rx_ring(ring);
++ else
++ hns3_clear_rx_ring(ring);
+ }
+ }
+
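Review bot: hns3_clear_all_ring now takes a bare `bool force`, and call sites read `hns3_clear_all_ring(handle, true)` with nothing saying what is being forced. A comment above the function would cover it, e.g. `/* force: clear RX rings with hns3_force_clear_rx_ring() instead of hns3_clear_rx_ring() */`, ideally with a word on when each is appropriate (teardown or reset uninit versus a normal down, judging from the callers in this patch). The retained comment about continuing when clearing some rings failed now sits above an `if`/`else` whose calls do not use any result, so it may be worth rewording.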
+@@ -4305,8 +4303,8 @@ static int hns3_reset_notify_uninit_enet(struct hnae3_handle *handle)
+ return 0;
+ }
+
+- hns3_clear_all_ring(handle);
+- hns3_force_clear_all_ring(handle);
++ hns3_clear_all_ring(handle, true);
++ hns3_reset_tx_queue(priv->ae_handle);
+
+ hns3_nic_uninit_vector_data(priv);
+
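Review bot: The two added calls name the handle differently, `hns3_clear_all_ring(handle, true);` and `hns3_reset_tx_queue(priv->ae_handle);`. If both refer to the same object, as the surrounding code suggests, `hns3_reset_tx_queue(handle);` reads more clearly and avoids implying that a different handle is meant. The function starts outside the hunk.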
+--
+2.20.1
+
--- /dev/null
+From f0679a2ada9894eddd2988ec6f785f4d8e1a0b42 Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Fri, 28 Jun 2019 19:50:11 +0800
+Subject: net: hns3: fix a -Wformat-nonliteral compile warning
+
+[ Upstream commit 18d219b783da61a6cc77581f55fc4af2fa16bc36 ]
+
+When setting -Wformat=2, there is a compiler warning like this:
+
+hclge_main.c:xxx:x: warning: format not a string literal and no
+format arguments [-Wformat-nonliteral]
+strs[i].desc);
+^~~~
+
+This patch adds missing format parameter "%s" to snprintf() to
+fix it.
+
+Fixes: 46a3df9f9718 ("Add HNS3 Acceleration Engine & Compatibility Layer Support")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 645b9b3e0256..f661281de36b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -552,8 +552,7 @@ static u8 *hclge_comm_get_strings(u32 stringset,
+ return buff;
+
+ for (i = 0; i < size; i++) {
+- snprintf(buff, ETH_GSTRING_LEN,
+- strs[i].desc);
++ snprintf(buff, ETH_GSTRING_LEN, "%s", strs[i].desc);
+ buff = buff + ETH_GSTRING_LEN;
+ }
+
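Review bot: The `"%s"` form is the right fix, but nothing records that it also keeps `strs[i].desc` from ever being parsed as a format string, which is more than a warning cleanup. The snprintf() result is still ignored, so a description of ETH_GSTRING_LEN bytes or more is truncated silently. I would add `/* desc is data, never a format; longer entries are truncated to ETH_GSTRING_LEN - 1 */` above the call. hclge_comm_get_strings starts and ends outside the hunk.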
+--
+2.20.1
+
--- /dev/null
+From 7395f68f2c6387070f2f6f71bc78c6b76334d8ac Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Thu, 13 Jun 2019 17:12:29 +0800
+Subject: net: hns3: fix for dereferencing before null checking
+
+[ Upstream commit 757188005f905664b0186b88cf26a7e844190a63 ]
+
+The netdev is dereferenced before null checking in the function
+hns3_setup_tc.
+
+This patch moves the dereferencing after the null checking.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 5611b990ac34..d18ad7b48a31 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -1514,12 +1514,12 @@ static void hns3_nic_get_stats64(struct net_device *netdev,
+ static int hns3_setup_tc(struct net_device *netdev, void *type_data)
+ {
+ struct tc_mqprio_qopt_offload *mqprio_qopt = type_data;
+- struct hnae3_handle *h = hns3_get_handle(netdev);
+- struct hnae3_knic_private_info *kinfo = &h->kinfo;
+ u8 *prio_tc = mqprio_qopt->qopt.prio_tc_map;
++ struct hnae3_knic_private_info *kinfo;
+ u8 tc = mqprio_qopt->qopt.num_tc;
+ u16 mode = mqprio_qopt->mode;
+ u8 hw = mqprio_qopt->qopt.hw;
++ struct hnae3_handle *h;
+
+ if (!((hw == TC_MQPRIO_HW_OFFLOAD_TCS &&
+ mode == TC_MQPRIO_MODE_CHANNEL) || (!hw && tc == 0)))
+@@ -1531,6 +1531,9 @@ static int hns3_setup_tc(struct net_device *netdev, void *type_data)
+ if (!netdev)
+ return -EINVAL;
+
++ h = hns3_get_handle(netdev);
++ kinfo = &h->kinfo;
++
+ return (kinfo->dcb_ops && kinfo->dcb_ops->setup_tc) ?
+ kinfo->dcb_ops->setup_tc(h, tc, prio_tc) : -EOPNOTSUPP;
+ }
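Review bot: The handle returned by `hns3_get_handle(netdev)` is used without a check: `kinfo = &h->kinfo` is followed by `kinfo->dcb_ops` in the return expression. Whether hns3_get_handle() can yield NULL is not visible here; if it can, add `if (!h) return -EINVAL;` before taking `&h->kinfo`. Note also that `type_data` is still dereferenced in the initialisers of the first hunk (`mqprio_qopt->qopt.prio_tc_map` and the lines after it) before any validation.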
+--
+2.20.1
+
--- /dev/null
+From 031e0f758798504d48f11adf12a7e8638ab60b79 Mon Sep 17 00:00:00 2001
+From: Jian Shen <shenjian15@huawei.com>
+Date: Fri, 24 May 2019 19:19:48 +0800
+Subject: net: hns3: fix for FEC configuration
+
+[ Upstream commit f438bfe9d4fe2e491505abfbf04d7c506e00d146 ]
+
+The FEC capability may be changed with port speed changes. Driver
+needs to read the active FEC mode, and update FEC capability
+when port speed changes.
+
+Fixes: 7e6ec9148a1d ("net: hns3: add support for FEC encoding control")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index d3b1f8cb1155..4d9bcad26f06 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -2508,6 +2508,9 @@ static void hclge_update_link_status(struct hclge_dev *hdev)
+
+ static void hclge_update_port_capability(struct hclge_mac *mac)
+ {
++ /* update fec ability by speed */
++ hclge_convert_setting_fec(mac);
++
+ /* firmware can not identify back plane type, the media type
+ * read from configuration can help deal it
+ */
+@@ -2580,6 +2583,10 @@ static int hclge_get_sfp_info(struct hclge_dev *hdev, struct hclge_mac *mac)
+ mac->speed_ability = le32_to_cpu(resp->speed_ability);
+ mac->autoneg = resp->autoneg;
+ mac->support_autoneg = resp->autoneg_ability;
++ if (!resp->active_fec)
++ mac->fec_mode = 0;
++ else
++ mac->fec_mode = BIT(resp->active_fec);
+ } else {
+ mac->speed_type = QUERY_SFP_SPEED;
+ }
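Review bot: `BIT(resp->active_fec)` shifts by a value taken straight from the firmware response, with only the zero case filtered out. A value at or above the width of `mac->fec_mode` would yield a truncated mode, and one at or above BITS_PER_LONG is an undefined shift. Bounding it first, e.g. `else if (resp->active_fec < BITS_PER_BYTE * sizeof(mac->fec_mode))` with the out-of-range case falling back to 0, keeps a malformed reply from producing a bogus FEC mode. Both fields are declared outside the hunk, so the exact bound should be checked against their types and, ideally, against the highest FEC mode the driver defines.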
+--
+2.20.1
+
--- /dev/null
+From 56e7d11b607a4f34d3d7ecaba9cd17634728bb20 Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Thu, 13 Jun 2019 17:12:30 +0800
+Subject: net: hns3: fix for skb leak when doing selftest
+
+[ Upstream commit 8f9eed1a8791b83eb1c54c261d68424717e4111e ]
+
+If hns3_nic_net_xmit does not return NETDEV_TX_BUSY when doing
+a loopback selftest, the skb is not freed in hns3_clean_tx_ring
+or hns3_nic_net_xmit, which causes skb not freed problem.
+
+This patch fixes it by freeing skb when hns3_nic_net_xmit does
+not return NETDEV_TX_OK.
+
+Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver")
+
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index d1588ea6132c..24fce343e7fc 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -243,11 +243,13 @@ static int hns3_lp_run_test(struct net_device *ndev, enum hnae3_loop mode)
+
+ skb_get(skb);
+ tx_ret = hns3_nic_net_xmit(skb, ndev);
+- if (tx_ret == NETDEV_TX_OK)
++ if (tx_ret == NETDEV_TX_OK) {
+ good_cnt++;
+- else
++ } else {
++ kfree_skb(skb);
+ netdev_err(ndev, "hns3_lb_run_test xmit failed: %d\n",
+ tx_ret);
++ }
+ }
+ if (good_cnt != HNS3_NIC_LB_TEST_PKT_NUM) {
+ ret_val = HNS3_NIC_LB_TEST_TX_CNT_ERR;
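Review bot: The new `kfree_skb(skb)` has no comment saying which reference it drops, and that is not obvious next to the `skb_get(skb)` two lines earlier. It appears to release the extra reference taken for this transmit attempt, which relies on hns3_nic_net_xmit() never freeing the skb itself when it returns something other than NETDEV_TX_OK; that function is not visible in this hunk. I would add `/* xmit did not consume the skb: drop the reference taken by skb_get() above */`. The error text also names `hns3_lb_run_test` while the function is `hns3_lp_run_test`; printing `__func__` would avoid the mismatch.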
+--
+2.20.1
+
--- /dev/null
+From c5a8b01bb23ca67ced58bb2889ea2c56908775aa Mon Sep 17 00:00:00 2001
+From: Jian Shen <shenjian15@huawei.com>
+Date: Thu, 4 Jul 2019 22:04:22 +0800
+Subject: net: hns3: fix port capbility updating issue
+
+[ Upstream commit 49b1255603de5183c5e377200be3b3afe0dcdb86 ]
+
+Currently, the driver queries the media port information, and
+updates the port capability periodically. But it sets an error
+mac->speed_type value, which stops update port capability.
+
+Fixes: 88d10bd6f730 ("net: hns3: add support for multiple media type")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index bab04d2d674a..f2bffc05e902 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -2592,6 +2592,7 @@ static int hclge_get_sfp_info(struct hclge_dev *hdev, struct hclge_mac *mac)
+ mac->speed_ability = le32_to_cpu(resp->speed_ability);
+ mac->autoneg = resp->autoneg;
+ mac->support_autoneg = resp->autoneg_ability;
++ mac->speed_type = QUERY_ACTIVE_SPEED;
+ if (!resp->active_fec)
+ mac->fec_mode = 0;
+ else
+--
+2.20.1
+
--- /dev/null
+From 361f69ca92f8138664d980bdf8f7459bba877a43 Mon Sep 17 00:00:00 2001
+From: Jian Shen <shenjian15@huawei.com>
+Date: Fri, 24 May 2019 19:19:45 +0800
+Subject: net: hns3: initialize CPU reverse mapping
+
+[ Upstream commit ffab9691bcb2fe2594f4c38bfceb4d9685b93b87 ]
+
+Allocate CPU rmap and add entry for each irq. CPU rmap is
+used in aRFS to get the queue number of the rx completion
+interrupts.
+
+In addition, remove the calling of
+irq_set_affinity_notifier() in hns3_nic_init_irq(), because
+we have registered notifier in irq_cpu_rmap_add() for each
+vector, otherwise it may cause use-after-free issue.
+
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3_enet.c | 77 ++++++++++++-------
+ 1 file changed, 48 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index f326805543a4..cd59c0cc636a 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -4,6 +4,9 @@
+ #include <linux/dma-mapping.h>
+ #include <linux/etherdevice.h>
+ #include <linux/interrupt.h>
++#ifdef CONFIG_RFS_ACCEL
++#include <linux/cpu_rmap.h>
++#endif
+ #include <linux/if_vlan.h>
+ #include <linux/ip.h>
+ #include <linux/ipv6.h>
+@@ -79,23 +82,6 @@ static irqreturn_t hns3_irq_handle(int irq, void *vector)
+ return IRQ_HANDLED;
+ }
+
+-/* This callback function is used to set affinity changes to the irq affinity
+- * masks when the irq_set_affinity_notifier function is used.
+- */
+-static void hns3_nic_irq_affinity_notify(struct irq_affinity_notify *notify,
+- const cpumask_t *mask)
+-{
+- struct hns3_enet_tqp_vector *tqp_vectors =
+- container_of(notify, struct hns3_enet_tqp_vector,
+- affinity_notify);
+-
+- tqp_vectors->affinity_mask = *mask;
+-}
+-
+-static void hns3_nic_irq_affinity_release(struct kref *ref)
+-{
+-}
+-
+ static void hns3_nic_uninit_irq(struct hns3_nic_priv *priv)
+ {
+ struct hns3_enet_tqp_vector *tqp_vectors;
+@@ -107,8 +93,7 @@ static void hns3_nic_uninit_irq(struct hns3_nic_priv *priv)
+ if (tqp_vectors->irq_init_flag != HNS3_VECTOR_INITED)
+ continue;
+
+- /* clear the affinity notifier and affinity mask */
+- irq_set_affinity_notifier(tqp_vectors->vector_irq, NULL);
++ /* clear the affinity mask */
+ irq_set_affinity_hint(tqp_vectors->vector_irq, NULL);
+
+ /* release the irq resource */
+@@ -161,12 +146,6 @@ static int hns3_nic_init_irq(struct hns3_nic_priv *priv)
+ return ret;
+ }
+
+- tqp_vectors->affinity_notify.notify =
+- hns3_nic_irq_affinity_notify;
+- tqp_vectors->affinity_notify.release =
+- hns3_nic_irq_affinity_release;
+- irq_set_affinity_notifier(tqp_vectors->vector_irq,
+- &tqp_vectors->affinity_notify);
+ irq_set_affinity_hint(tqp_vectors->vector_irq,
+ &tqp_vectors->affinity_mask);
+
+@@ -340,6 +319,40 @@ static void hns3_tqp_disable(struct hnae3_queue *tqp)
+ hns3_write_dev(tqp, HNS3_RING_EN_REG, rcb_reg);
+ }
+
++static void hns3_free_rx_cpu_rmap(struct net_device *netdev)
++{
++#ifdef CONFIG_RFS_ACCEL
++ free_irq_cpu_rmap(netdev->rx_cpu_rmap);
++ netdev->rx_cpu_rmap = NULL;
++#endif
++}
++
++static int hns3_set_rx_cpu_rmap(struct net_device *netdev)
++{
++#ifdef CONFIG_RFS_ACCEL
++ struct hns3_nic_priv *priv = netdev_priv(netdev);
++ struct hns3_enet_tqp_vector *tqp_vector;
++ int i, ret;
++
++ if (!netdev->rx_cpu_rmap) {
++ netdev->rx_cpu_rmap = alloc_irq_cpu_rmap(priv->vector_num);
++ if (!netdev->rx_cpu_rmap)
++ return -ENOMEM;
++ }
++
++ for (i = 0; i < priv->vector_num; i++) {
++ tqp_vector = &priv->tqp_vector[i];
++ ret = irq_cpu_rmap_add(netdev->rx_cpu_rmap,
++ tqp_vector->vector_irq);
++ if (ret) {
++ hns3_free_rx_cpu_rmap(netdev);
++ return ret;
++ }
++ }
++#endif
++ return 0;
++}
++
+ static int hns3_nic_net_up(struct net_device *netdev)
+ {
+ struct hns3_nic_priv *priv = netdev_priv(netdev);
+@@ -351,11 +364,16 @@ static int hns3_nic_net_up(struct net_device *netdev)
+ if (ret)
+ return ret;
+
++ /* the device can work without cpu rmap, only aRFS needs it */
++ ret = hns3_set_rx_cpu_rmap(netdev);
++ if (ret)
++ netdev_warn(netdev, "set rx cpu rmap fail, ret=%d!\n", ret);
++
+ /* get irq resource for all vectors */
+ ret = hns3_nic_init_irq(priv);
+ if (ret) {
+ netdev_err(netdev, "hns init irq failed! ret=%d\n", ret);
+- return ret;
++ goto free_rmap;
+ }
+
+ clear_bit(HNS3_NIC_STATE_DOWN, &priv->state);
+@@ -384,7 +402,8 @@ static int hns3_nic_net_up(struct net_device *netdev)
+ hns3_vector_disable(&priv->tqp_vector[j]);
+
+ hns3_nic_uninit_irq(priv);
+-
++free_rmap:
++ hns3_free_rx_cpu_rmap(netdev);
+ return ret;
+ }
+
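Review bot: The error path frees the rmap after `hns3_nic_uninit_irq(priv)`, the reverse of hns3_nic_net_down() in the next hunk, where `hns3_free_rx_cpu_rmap(netdev)` runs before the irqs are released. Per the commit message irq_cpu_rmap_add() registers an affinity notifier for each vector, so here the irq is released while that notifier is still installed, which free_irq() is, as far as I know, written to warn about. Calling `hns3_free_rx_cpu_rmap(netdev);` ahead of `hns3_nic_uninit_irq(priv);` on this path would mirror the down path. The last hunk raises the same question for hns3_nic_uninit_vector_data(), which now calls free_irq() without clearing the notifier; whether the rmap is always gone by then is not visible. hns3_nic_net_up's body extends outside this hunk.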
+@@ -467,6 +486,8 @@ static void hns3_nic_net_down(struct net_device *netdev)
+ if (ops->stop)
+ ops->stop(priv->ae_handle);
+
++ hns3_free_rx_cpu_rmap(netdev);
++
+ /* free irq resources */
+ hns3_nic_uninit_irq(priv);
+
+@@ -3331,8 +3352,6 @@ static void hns3_nic_uninit_vector_data(struct hns3_nic_priv *priv)
+ hns3_free_vector_ring_chain(tqp_vector, &vector_ring_chain);
+
+ if (tqp_vector->irq_init_flag == HNS3_VECTOR_INITED) {
+- irq_set_affinity_notifier(tqp_vector->vector_irq,
+- NULL);
+ irq_set_affinity_hint(tqp_vector->vector_irq, NULL);
+ free_irq(tqp_vector->vector_irq, tqp_vector);
+ tqp_vector->irq_init_flag = HNS3_VECTOR_NOT_INITED;
+--
+2.20.1
+
--- /dev/null
+From 75bdd1ce6f9697ebe911c0d9f361accccea12880 Mon Sep 17 00:00:00 2001
+From: Jian Shen <shenjian15@huawei.com>
+Date: Thu, 20 Jun 2019 16:52:38 +0800
+Subject: net: hns3: restore the MAC autoneg state after reset
+
+[ Upstream commit d736fc6c68a5f76e89a6c2c4100e3678706003a3 ]
+
+When doing global reset, the MAC autoneg state of fibre
+port is set to default, which may cause user configuration
+lost. This patch fixes it by restore the MAC autoneg state
+after reset.
+
+Fixes: 22f48e24a23d ("net: hns3: add autoneg and change speed support for fibre port")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 4d9bcad26f06..645b9b3e0256 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -2389,6 +2389,15 @@ static int hclge_mac_init(struct hclge_dev *hdev)
+ return ret;
+ }
+
++ if (hdev->hw.mac.support_autoneg) {
++ ret = hclge_set_autoneg_en(hdev, hdev->hw.mac.autoneg);
++ if (ret) {
++ dev_err(&hdev->pdev->dev,
++ "Config mac autoneg fail ret=%d\n", ret);
++ return ret;
++ }
++ }
++
+ mac->link = 0;
+
+ if (mac->user_fec_mode & BIT(HNAE3_FEC_USER_DEF)) {
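Review bot: The new block reaches the MAC state through `hdev->hw.mac.support_autoneg` and `hdev->hw.mac.autoneg`, while the context lines right after it use a local `mac` pointer (`mac->link`, `mac->user_fec_mode`). If `mac` points at `hdev->hw.mac`, which is declared outside the hunk, `if (mac->support_autoneg)` and `hclge_set_autoneg_en(hdev, mac->autoneg)` would read consistently with the rest of the function. A short comment such as `/* re-apply the autoneg setting, which a reset returns to its default */` would also record why this call sits in the init path.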
+--
+2.20.1
+
--- /dev/null
+From d4f759eb65e7bab40ccf1fe8a84c07cd45edd837 Mon Sep 17 00:00:00 2001
+From: Weihang Li <liweihang@hisilicon.com>
+Date: Mon, 3 Jun 2019 10:09:18 +0800
+Subject: net: hns3: set ops to null when unregister ad_dev
+
+[ Upstream commit 594a81b39525f0a17e92c2e0b167ae1400650380 ]
+
+The hclge/hclgevf and hns3 module can be unloaded independently,
+when hclge/hclgevf unloaded firstly, the ops of ae_dev should
+be set to NULL, otherwise it will cause a use-after-free problem.
+
+Fixes: 38caee9d3ee8 ("net: hns3: Add support of the HNAE3 framework")
+Signed-off-by: Weihang Li <liweihang@hisilicon.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hnae3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+index fa8b8506b120..738e01393b68 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+@@ -251,6 +251,7 @@ void hnae3_unregister_ae_algo(struct hnae3_ae_algo *ae_algo)
+
+ ae_algo->ops->uninit_ae_dev(ae_dev);
+ hnae3_set_bit(ae_dev->flag, HNAE3_DEV_INITED_B, 0);
++ ae_dev->ops = NULL;
+ }
+
+ list_del(&ae_algo->node);
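Review bot: Clearing `ae_dev->ops` turns a dangling pointer into a NULL one, so every path that calls through `ae_dev->ops` after an unregister now needs a NULL check, and neither hunk of this commit adds one. Which callers exist and how they are serialised against unregistration is not visible here; any that can run concurrently with the unload would trade a use-after-free for a NULL dereference. I would add `/* users must check ops for NULL once the algo is gone */` next to the assignment and audit the call sites. The same applies to the identical line in hnae3_unregister_ae_dev() in the second hunk; both function bodies extend outside the hunks.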
+@@ -351,6 +352,7 @@ void hnae3_unregister_ae_dev(struct hnae3_ae_dev *ae_dev)
+
+ ae_algo->ops->uninit_ae_dev(ae_dev);
+ hnae3_set_bit(ae_dev->flag, HNAE3_DEV_INITED_B, 0);
++ ae_dev->ops = NULL;
+ }
+
+ list_del(&ae_dev->node);
+--
+2.20.1
+
--- /dev/null
+From b8e5d5eb40a3370144a2344ca41426417b5c0609 Mon Sep 17 00:00:00 2001
+From: Jianbo Liu <jianbol@mellanox.com>
+Date: Tue, 25 Jun 2019 17:47:52 +0000
+Subject: net/mlx5: Get vport ACL namespace by vport index
+
+[ Upstream commit f53297d67800feb5fafd94abd926c889aefee690 ]
+
+The ingress and egress ACL root namespaces are created per vport and
+stored into arrays. However, the vport number is not the same as the
+index. Passing the array index, instead of vport number, to get the
+correct ingress and egress acl namespace.
+
+Fixes: 9b93ab981e3b ("net/mlx5: Separate ingress/egress namespaces for each vport")
+Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
+Reviewed-by: Oz Shlomo <ozsh@mellanox.com>
+Reviewed-by: Eli Britstein <elibr@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 6a921e24cd5e..acab26b88261 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -939,7 +939,7 @@ int esw_vport_enable_egress_acl(struct mlx5_eswitch *esw,
+ vport->vport, MLX5_CAP_ESW_EGRESS_ACL(dev, log_max_ft_size));
+
+ root_ns = mlx5_get_flow_vport_acl_namespace(dev, MLX5_FLOW_NAMESPACE_ESW_EGRESS,
+- vport->vport);
++ mlx5_eswitch_vport_num_to_index(esw, vport->vport));
+ if (!root_ns) {
+ esw_warn(dev, "Failed to get E-Switch egress flow namespace for vport (%d)\n", vport->vport);
+ return -EOPNOTSUPP;
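Review bot: The result of `mlx5_eswitch_vport_num_to_index(esw, vport->vport)` is passed straight in as an array index, nested inside an already long call. Whether the helper can return an out-of-range value for an unknown vport number, and whether mlx5_get_flow_vport_acl_namespace() bounds the index itself, is not visible here. Hoisting it into a local, `int vport_index = mlx5_eswitch_vport_num_to_index(esw, vport->vport);`, makes the number/index distinction explicit and gives a place for a range check if one turns out to be needed. The ingress hunk below has the same shape; both function bodies extend outside the hunks.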
+@@ -1057,7 +1057,7 @@ int esw_vport_enable_ingress_acl(struct mlx5_eswitch *esw,
+ vport->vport, MLX5_CAP_ESW_INGRESS_ACL(dev, log_max_ft_size));
+
+ root_ns = mlx5_get_flow_vport_acl_namespace(dev, MLX5_FLOW_NAMESPACE_ESW_INGRESS,
+- vport->vport);
++ mlx5_eswitch_vport_num_to_index(esw, vport->vport));
+ if (!root_ns) {
+ esw_warn(dev, "Failed to get E-Switch ingress flow namespace for vport (%d)\n", vport->vport);
+ return -EOPNOTSUPP;
+--
+2.20.1
+
--- /dev/null
+From 9b09e4a4ad9976911809605429de14813f1fbbd8 Mon Sep 17 00:00:00 2001
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+Date: Wed, 26 Jun 2019 17:35:23 +0300
+Subject: net/mlx5e: Attach/detach XDP program safely
+
+[ Upstream commit e18953240de8b46360a67090c87ee1ef8160b35d ]
+
+When an XDP program is set, a full reopen of all channels happens in two
+cases:
+
+1. When there was no program set, and a new one is being set.
+
+2. When there was a program set, but it's being unset.
+
+The full reopen is necessary, because the channel parameters may change
+if XDP is enabled or disabled. However, it's performed in an unsafe way:
+if the new channels fail to open, the old ones are already closed, and
+the interface goes down. Use the safe way to switch channels instead.
+The same way is already used for other configuration changes.
+
+Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 31 ++++++++++++-------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index a8e8350b38aa..8db9fdbc03ea 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4192,8 +4192,6 @@ static int mlx5e_xdp_set(struct net_device *netdev, struct bpf_prog *prog)
+ /* no need for full reset when exchanging programs */
+ reset = (!priv->channels.params.xdp_prog || !prog);
+
+- if (was_opened && reset)
+- mlx5e_close_locked(netdev);
+ if (was_opened && !reset) {
+ /* num_channels is invariant here, so we can take the
+ * batched reference right upfront.
+@@ -4205,20 +4203,31 @@ static int mlx5e_xdp_set(struct net_device *netdev, struct bpf_prog *prog)
+ }
+ }
+
+- /* exchange programs, extra prog reference we got from caller
+- * as long as we don't fail from this point onwards.
+- */
+- old_prog = xchg(&priv->channels.params.xdp_prog, prog);
++ if (was_opened && reset) {
++ struct mlx5e_channels new_channels = {};
++
++ new_channels.params = priv->channels.params;
++ new_channels.params.xdp_prog = prog;
++ mlx5e_set_rq_type(priv->mdev, &new_channels.params);
++ old_prog = priv->channels.params.xdp_prog;
++
++ err = mlx5e_safe_switch_channels(priv, &new_channels, NULL);
++ if (err)
++ goto unlock;
++ } else {
++ /* exchange programs, extra prog reference we got from caller
++ * as long as we don't fail from this point onwards.
++ */
++ old_prog = xchg(&priv->channels.params.xdp_prog, prog);
++ }
++
+ if (old_prog)
+ bpf_prog_put(old_prog);
+
+- if (reset) /* change RQ type according to priv->xdp_prog */
++ if (!was_opened && reset) /* change RQ type according to priv->xdp_prog */
+ mlx5e_set_rq_type(priv->mdev, &priv->channels.params);
+
+- if (was_opened && reset)
+- err = mlx5e_open_locked(netdev);
+-
+- if (!test_bit(MLX5E_STATE_OPENED, &priv->state) || reset)
++ if (!was_opened || reset)
+ goto unlock;
+
+ /* exchanging programs w/o reset, we update ref counts on behalf
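Review bot: The new `was_opened && reset` branch carries no comment on reference ownership, while the `else` branch keeps the original one. After a failed mlx5e_safe_switch_channels() the code jumps to `unlock` with `old_prog` already read but not put, and `prog` presumably still owned by the caller; neither is stated. I would add a comment above `if (err)` such as `/* old channels and old_prog stay in place; the caller keeps its reference on prog */`, after confirming it against the helper, which is outside the hunk. mlx5e_xdp_set's body starts and ends outside the hunk.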
+--
+2.20.1
+
--- /dev/null
+From 54fce2084c93bc66ae57017c9722b8ef3dba267e Mon Sep 17 00:00:00 2001
+From: Josua Mayer <josua@solid-run.com>
+Date: Tue, 9 Jul 2019 15:01:01 +0200
+Subject: net: mvmdio: defer probe of orion-mdio if a clock is not ready
+
+[ Upstream commit 433a06d7d74e677c40b1148c70c48677ff62fb6b ]
+
+Defer probing of the orion-mdio interface when getting a clock returns
+EPROBE_DEFER. This avoids locking up the Armada 8k SoC when mdio is used
+before all clocks have been enabled.
+
+Signed-off-by: Josua Mayer <josua@solid-run.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvmdio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c
+index c5dac6bd2be4..903836e334d8 100644
+--- a/drivers/net/ethernet/marvell/mvmdio.c
++++ b/drivers/net/ethernet/marvell/mvmdio.c
+@@ -321,6 +321,10 @@ static int orion_mdio_probe(struct platform_device *pdev)
+
+ for (i = 0; i < ARRAY_SIZE(dev->clk); i++) {
+ dev->clk[i] = of_clk_get(pdev->dev.of_node, i);
++ if (PTR_ERR(dev->clk[i]) == -EPROBE_DEFER) {
++ ret = -EPROBE_DEFER;
++ goto out_clk;
++ }
+ if (IS_ERR(dev->clk[i]))
+ break;
+ clk_prepare_enable(dev->clk[i]);
+@@ -362,6 +366,7 @@ static int orion_mdio_probe(struct platform_device *pdev)
+ if (dev->err_interrupt > 0)
+ writel(0, dev->regs + MVMDIO_ERR_INT_MASK);
+
++out_clk:
+ for (i = 0; i < ARRAY_SIZE(dev->clk); i++) {
+ if (IS_ERR(dev->clk[i]))
+ break;
+--
+2.20.1
+
--- /dev/null
+From 77e243f2e37c3c0c672963e1746bf85480a09fee Mon Sep 17 00:00:00 2001
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Fri, 24 May 2019 12:05:53 +0200
+Subject: net: mvpp2: cls: Extract the RSS context when parsing the ethtool
+ rule
+
+[ Upstream commit c561da68038a738f30eca21456534c2d1872d13d ]
+
+ethtool_rx_flow_rule_create takes into parameter the ethtool flow spec,
+which doesn't contain the rss context id. We therefore need to extract
+it ourself before parsing the ethtool rule.
+
+The FLOW_RSS flag is only set in info->fs.flow_type, and not
+info->flow_type.
+
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index a57d17ab91f0..fb06c0aa620a 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1242,6 +1242,12 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+
+ input.fs = &info->fs;
+
++ /* We need to manually set the rss_ctx, since this info isn't present
++ * in info->fs
++ */
++ if (info->fs.flow_type & FLOW_RSS)
++ input.rss_ctx = info->rss_context;
++
+ ethtool_rule = ethtool_rx_flow_rule_create(&input);
+ if (IS_ERR(ethtool_rule)) {
+ ret = PTR_ERR(ethtool_rule);
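Review bot: `info->rss_context` is copied into `input.rss_ctx` with no range check in this hunk. The value arrives with the ethtool request, so it should be validated against the number of RSS contexts the port supports before it is used to select a table; whether mvpp2 does that later in the insert path is not visible here. If it does not, the rule should be rejected early with `-EINVAL` rather than letting an unknown context id reach the classifier setup. mvpp2_ethtool_cls_rule_ins starts and ends outside the hunk.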
+--
+2.20.1
+
--- /dev/null
+From e7ba718dab2dde4b4710a769819dfbe34b1c7047 Mon Sep 17 00:00:00 2001
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Thu, 20 Jun 2019 11:42:45 +0200
+Subject: net: mvpp2: prs: Don't override the sign bit in SRAM parser shift
+
+[ Upstream commit 8ec3ede559956f8ad58db7b57d25ac724bab69e9 ]
+
+The Header Parser allows identifying various fields in the packet
+headers, used for various kind of filtering and classification
+steps.
+
+This is a re-entrant process, where the offset in the packet header
+depends on the previous lookup results. This offset is represented in
+the SRAM results of the TCAM, as a shift to be operated.
+
+This shift can be negative in some cases, such as in IPv6 parsing.
+
+This commit prevents overriding the sign bit when setting the shift
+value, which could cause instabilities when parsing IPv6 flows.
+
+Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
+Suggested-by: Alan Winkowski <walan@marvell.com>
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+index ae2240074d8e..5692c6087bbb 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+@@ -312,7 +312,8 @@ static void mvpp2_prs_sram_shift_set(struct mvpp2_prs_entry *pe, int shift,
+ }
+
+ /* Set value */
+- pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] = shift & MVPP2_PRS_SRAM_SHIFT_MASK;
++ pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] |=
++ shift & MVPP2_PRS_SRAM_SHIFT_MASK;
+
+ /* Reset and set operation */
+ mvpp2_prs_sram_bits_clear(pe, MVPP2_PRS_SRAM_OP_SEL_SHIFT_OFFS,
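Review bot: Switching to `|=` preserves the sign bit, but it also preserves any shift value already stored in that word, so a second call on the same entry ORs the new shift into the old one. Clearing the field first, `pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] &= ~MVPP2_PRS_SRAM_SHIFT_MASK;`, would make the function safe for reused entries; this assumes the sign bit lies outside that mask, which the commit message implies but the hunk does not show. Whether any caller sets the shift twice on one entry is not visible. The function body starts outside the hunk.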
+--
+2.20.1
+
--- /dev/null
+From d62852dd9fc9f39f466f6c197a776a298a7ff3db Mon Sep 17 00:00:00 2001
+From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Date: Wed, 19 Jun 2019 13:04:00 +0300
+Subject: net: netsec: initialize tx ring on ndo_open
+
+[ Upstream commit 39e3622edeffa63c2871153d8743c5825b139968 ]
+
+Since we changed the Tx ring handling and now depends on bit31 to figure
+out the owner of the descriptor, we should initialize this every time
+the device goes down-up instead of doing it once on driver init. If the
+value is not correctly initialized the device won't have any available
+descriptors
+
+Changes since v1:
+- Typo fixes
+
+Fixes: 35e07d234739 ("net: socionext: remove mmio reads on Tx")
+Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/socionext/netsec.c | 32 ++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/socionext/netsec.c b/drivers/net/ethernet/socionext/netsec.c
+index cba5881b2746..a10ef700f16d 100644
+--- a/drivers/net/ethernet/socionext/netsec.c
++++ b/drivers/net/ethernet/socionext/netsec.c
+@@ -1029,7 +1029,6 @@ static void netsec_free_dring(struct netsec_priv *priv, int id)
+ static int netsec_alloc_dring(struct netsec_priv *priv, enum ring_id id)
+ {
+ struct netsec_desc_ring *dring = &priv->desc_ring[id];
+- int i;
+
+ dring->vaddr = dma_alloc_coherent(priv->dev, DESC_SZ * DESC_NUM,
+ &dring->desc_dma, GFP_KERNEL);
+@@ -1040,19 +1039,6 @@ static int netsec_alloc_dring(struct netsec_priv *priv, enum ring_id id)
+ if (!dring->desc)
+ goto err;
+
+- if (id == NETSEC_RING_TX) {
+- for (i = 0; i < DESC_NUM; i++) {
+- struct netsec_de *de;
+-
+- de = dring->vaddr + (DESC_SZ * i);
+- /* de->attr is not going to be accessed by the NIC
+- * until netsec_set_tx_de() is called.
+- * No need for a dma_wmb() here
+- */
+- de->attr = 1U << NETSEC_TX_SHIFT_OWN_FIELD;
+- }
+- }
+-
+ return 0;
+ err:
+ netsec_free_dring(priv, id);
+@@ -1060,6 +1046,23 @@ static int netsec_alloc_dring(struct netsec_priv *priv, enum ring_id id)
+ return -ENOMEM;
+ }
+
++static void netsec_setup_tx_dring(struct netsec_priv *priv)
++{
++ struct netsec_desc_ring *dring = &priv->desc_ring[NETSEC_RING_TX];
++ int i;
++
++ for (i = 0; i < DESC_NUM; i++) {
++ struct netsec_de *de;
++
++ de = dring->vaddr + (DESC_SZ * i);
++ /* de->attr is not going to be accessed by the NIC
++ * until netsec_set_tx_de() is called.
++ * No need for a dma_wmb() here
++ */
++ de->attr = 1U << NETSEC_TX_SHIFT_OWN_FIELD;
++ }
++}
++
+ static int netsec_setup_rx_dring(struct netsec_priv *priv)
+ {
+ struct netsec_desc_ring *dring = &priv->desc_ring[NETSEC_RING_RX];
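Review bot: The comment carried into netsec_setup_tx_dring() ("de->attr is not going to be accessed by the NIC until netsec_set_tx_de() is called") was written for allocation time, and the function now runs on every open. On a re-open that statement holds only if the hardware has stopped touching the TX ring since the previous ndo_stop, which is not visible in this patch. I would reword it to state that precondition, e.g. `/* TX DMA is stopped here, so the NIC cannot observe attr before netsec_set_tx_de(); no dma_wmb() needed */`, once confirmed. The function also lacks a one-line purpose comment saying it must run on each ndo_open.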
+@@ -1361,6 +1364,7 @@ static int netsec_netdev_open(struct net_device *ndev)
+
+ pm_runtime_get_sync(priv->dev);
+
++ netsec_setup_tx_dring(priv);
+ ret = netsec_setup_rx_dring(priv);
+ if (ret) {
+ netif_err(priv, probe, priv->ndev,
+--
+2.20.1
+
--- /dev/null
+From 46f03be5e66ff3f7d1d3dd211d929ee08fa0ffc5 Mon Sep 17 00:00:00 2001
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+Date: Tue, 28 May 2019 20:38:09 +0300
+Subject: net: phy: Check against net_device being NULL
+
+[ Upstream commit 82c76aca81187b3d28a6fb3062f6916450ce955e ]
+
+In general, we don't want MAC drivers calling phy_attach_direct with the
+net_device being NULL. Add checks against this in all the functions
+calling it: phy_attach() and phy_connect_direct().
+
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index dcc93a873174..a3f8740c6163 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -948,6 +948,9 @@ int phy_connect_direct(struct net_device *dev, struct phy_device *phydev,
+ {
+ int rc;
+
++ if (!dev)
++ return -EINVAL;
++
+ rc = phy_attach_direct(dev, phydev, phydev->dev_flags, interface);
+ if (rc)
+ return rc;
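Review bot: The added guard covers `dev` only, while `phydev` is dereferenced in the very next statement (`phydev->dev_flags`). If the aim is to reject bad arguments from MAC drivers, `if (!dev || !phydev) return -EINVAL;` closes the same hole for the second pointer. If callers are required to pass a valid phydev, the function's kernel-doc should say so. phy_connect_direct's body extends outside the hunk.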
+@@ -1290,6 +1293,9 @@ struct phy_device *phy_attach(struct net_device *dev, const char *bus_id,
+ struct device *d;
+ int rc;
+
++ if (!dev)
++ return ERR_PTR(-EINVAL);
++
+ /* Search the list of PHY devices on the mdio bus for the
+ * PHY with the requested name
+ */
+--
+2.20.1
+
--- /dev/null
+From 602a8a5f5be611777f576e7c727d66b8a206cc4b Mon Sep 17 00:00:00 2001
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Fri, 7 Jun 2019 10:42:36 -0600
+Subject: net: sfp: add mutex to prevent concurrent state checks
+
+[ Upstream commit 2158e856f56bb762ef90f3ec244d41a519826f75 ]
+
+sfp_check_state can potentially be called by both a threaded IRQ handler
+and delayed work. If it is concurrently called, it could result in
+incorrect state management. Add a st_mutex to protect the state - this
+lock gets taken outside of code that checks and handle state changes, and
+the existing sm_mutex nests inside of it.
+
+Suggested-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/sfp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
+index 71812be0ac64..b6efd2d41dce 100644
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -186,10 +186,11 @@ struct sfp {
+ struct gpio_desc *gpio[GPIO_MAX];
+
+ bool attached;
++ struct mutex st_mutex; /* Protects state */
+ unsigned int state;
+ struct delayed_work poll;
+ struct delayed_work timeout;
+- struct mutex sm_mutex;
++ struct mutex sm_mutex; /* Protects state machine */
+ unsigned char sm_mod_state;
+ unsigned char sm_dev_state;
+ unsigned short sm_state;
+@@ -1719,6 +1720,7 @@ static void sfp_check_state(struct sfp *sfp)
+ {
+ unsigned int state, i, changed;
+
++ mutex_lock(&sfp->st_mutex);
+ state = sfp_get_state(sfp);
+ changed = state ^ sfp->state;
+ changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT;
+@@ -1744,6 +1746,7 @@ static void sfp_check_state(struct sfp *sfp)
+ sfp_sm_event(sfp, state & SFP_F_LOS ?
+ SFP_E_LOS_HIGH : SFP_E_LOS_LOW);
+ rtnl_unlock();
++ mutex_unlock(&sfp->st_mutex);
+ }
+
+ static irqreturn_t sfp_irq(int irq, void *data)
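Review bot: The lock order this change establishes in sfp_check_state is not documented in the code. st_mutex is taken at the top of the function, `rtnl_unlock()` runs before `mutex_unlock(&sfp->st_mutex)`, and the commit message says sm_mutex nests inside st_mutex. The field comment in struct sfp only says `/* Protects state */`; extending it to `/* Protects state; taken before rtnl_lock and sm_mutex */` would stop a later caller from taking them in the opposite order. A path that already holds rtnl when it reaches sfp_check_state would invert this order, and that cannot be ruled out here because the middle of the function is outside the hunks.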
+@@ -1774,6 +1777,7 @@ static struct sfp *sfp_alloc(struct device *dev)
+ sfp->dev = dev;
+
+ mutex_init(&sfp->sm_mutex);
++ mutex_init(&sfp->st_mutex);
+ INIT_DELAYED_WORK(&sfp->poll, sfp_poll);
+ INIT_DELAYED_WORK(&sfp->timeout, sfp_timeout);
+
+--
+2.20.1
+
--- /dev/null
+From 86447547471fa6622397b74770c8fbc3484c8735 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Fri, 24 May 2019 10:20:21 +0200
+Subject: net: stmmac: dwmac1000: Clear unused address entries
+
+[ Upstream commit 9463c445590091202659cdfdd44b236acadfbd84 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+index 9fff81170163..54f4ffb36d60 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -206,6 +206,12 @@ static void dwmac1000_set_filter(struct mac_device_info *hw,
+ GMAC_ADDR_LOW(reg));
+ reg++;
+ }
++
++ while (reg <= perfect_addr_number) {
++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++ reg++;
++ }
+ }
+
+ #ifdef FRAME_FILTER_DEBUG
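Review bot: The added `while (reg <= perfect_addr_number)` loop has no comment saying why the address registers are being zeroed, and its bounds depend on how `reg` is numbered in the branch above, which starts outside the hunk. A short comment such as `/* Clear entries left over from a previous, longer address list */` would make it clear that stale perfect-filter entries would otherwise keep matching frames for addresses that are no longer configured. The dwmac4_set_filter hunk in the next patch adds the same loop with `GMAC_MAX_PERFECT_ADDRESSES` and would benefit from the same comment. A `for (; reg <= perfect_addr_number; reg++)` form would also read more naturally than the open-coded `while`.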
+--
+2.20.1
+
--- /dev/null
+From f2102fc4578f57e68af06539fee6ddb7f3c4c682 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Fri, 24 May 2019 10:20:25 +0200
+Subject: net: stmmac: dwmac4/5: Clear unused address entries
+
+[ Upstream commit 0620ec6c62a5a07625b65f699adc5d1b90394ee6 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 99d772517242..206170d0bf81 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -443,14 +443,20 @@ static void dwmac4_set_filter(struct mac_device_info *hw,
+ * are required
+ */
+ value |= GMAC_PACKET_FILTER_PR;
+- } else if (!netdev_uc_empty(dev)) {
+- int reg = 1;
++ } else {
+ struct netdev_hw_addr *ha;
++ int reg = 1;
+
+ netdev_for_each_uc_addr(ha, dev) {
+ dwmac4_set_umac_addr(hw, ha->addr, reg);
+ reg++;
+ }
++
++ while (reg <= GMAC_MAX_PERFECT_ADDRESSES) {
++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++ reg++;
++ }
+ }
+
+ writel(value, ioaddr + GMAC_PACKET_FILTER);
+--
+2.20.1
+
--- /dev/null
+From 334d78c49ee008c9b58a5c2685fbac21df0311cc Mon Sep 17 00:00:00 2001
+From: Biao Huang <biao.huang@mediatek.com>
+Date: Mon, 3 Jun 2019 09:58:06 +0800
+Subject: net: stmmac: dwmac4: fix flow control issue
+
+[ Upstream commit ee326fd01e79dfa42014d55931260b68b9fa3273 ]
+
+Current dwmac4_flow_ctrl will not clear
+GMAC_RX_FLOW_CTRL_RFE/GMAC_RX_FLOW_CTRL_RFE bits,
+so MAC hw will keep flow control on although expecting
+flow control off by ethtool. Add codes to fix it.
+
+Fixes: 477286b53f55 ("stmmac: add GMAC4 core support")
+Signed-off-by: Biao Huang <biao.huang@mediatek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 206170d0bf81..e3850938cf2f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -474,8 +474,9 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+ if (fc & FLOW_RX) {
+ pr_debug("\tReceive Flow-Control ON\n");
+ flow |= GMAC_RX_FLOW_CTRL_RFE;
+- writel(flow, ioaddr + GMAC_RX_FLOW_CTRL);
+ }
++ writel(flow, ioaddr + GMAC_RX_FLOW_CTRL);
++
+ if (fc & FLOW_TX) {
+ pr_debug("\tTransmit Flow-Control ON\n");
+
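Review bot: The RX register is now written unconditionally with `writel(flow, ioaddr + GMAC_RX_FLOW_CTRL)`, which replaces the whole register with either GMAC_RX_FLOW_CTRL_RFE or whatever `flow` was initialised to. The initialisation is outside the hunk, presumably 0. If any other bit of that register is set elsewhere, this write clears it; a read-modify-write (`flow = readl(ioaddr + GMAC_RX_FLOW_CTRL);` followed by setting or clearing RFE) would avoid that. The same consideration applies to the new `else` branch in the last hunk, which writes 0 to every `GMAC_QX_TX_FLOW_CTRL(queue)`. A comment before the unconditional write, e.g. `/* always write so RFE is cleared when FLOW_RX is off */`, would record why it moved out of the `if`.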
+@@ -483,7 +484,7 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+ pr_debug("\tduplex mode: PAUSE %d\n", pause_time);
+
+ for (queue = 0; queue < tx_cnt; queue++) {
+- flow |= GMAC_TX_FLOW_CTRL_TFE;
++ flow = GMAC_TX_FLOW_CTRL_TFE;
+
+ if (duplex)
+ flow |=
+@@ -491,6 +492,9 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+
+ writel(flow, ioaddr + GMAC_QX_TX_FLOW_CTRL(queue));
+ }
++ } else {
++ for (queue = 0; queue < tx_cnt; queue++)
++ writel(0, ioaddr + GMAC_QX_TX_FLOW_CTRL(queue));
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From dee5906012f884ea36918ae61a7f17c2f5c39ed8 Mon Sep 17 00:00:00 2001
+From: Biao Huang <biao.huang@mediatek.com>
+Date: Mon, 3 Jun 2019 09:58:05 +0800
+Subject: net: stmmac: modify default value of tx-frames
+
+[ Upstream commit d2facb4b3983425f6776c24dd678a82dbe673773 ]
+
+the default value of tx-frames is 25, it's too late when
+passing tstamp to stack, then the ptp4l will fail:
+
+ptp4l -i eth0 -f gPTP.cfg -m
+ptp4l: selected /dev/ptp0 as PTP clock
+ptp4l: port 1: INITIALIZING to LISTENING on INITIALIZE
+ptp4l: port 0: INITIALIZING to LISTENING on INITIALIZE
+ptp4l: port 1: link up
+ptp4l: timed out while polling for tx timestamp
+ptp4l: increasing tx_timestamp_timeout may correct this issue,
+ but it is likely caused by a driver bug
+ptp4l: port 1: send peer delay response failed
+ptp4l: port 1: LISTENING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
+
+ptp4l tests pass when changing the tx-frames from 25 to 1 with
+ethtool -C option.
+It should be fine to set tx-frames default value to 1, so ptp4l will pass
+by default.
+
+Signed-off-by: Biao Huang <biao.huang@mediatek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/common.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h
+index ceb0d23f5041..c265cc5770e8 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/common.h
++++ b/drivers/net/ethernet/stmicro/stmmac/common.h
+@@ -251,7 +251,7 @@ struct stmmac_safety_stats {
+ #define STMMAC_COAL_TX_TIMER 1000
+ #define STMMAC_MAX_COAL_TX_TICK 100000
+ #define STMMAC_TX_MAX_FRAMES 256
+-#define STMMAC_TX_FRAMES 25
++#define STMMAC_TX_FRAMES 1
+
+ /* Packets types */
+ enum packets_types {
+--
+2.20.1
+
--- /dev/null
+From 341c8a0463eb571ef0450e669865d03745eb6162 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Fri, 24 May 2019 10:20:26 +0200
+Subject: net: stmmac: Prevent missing interrupts when running NAPI
+
+[ Upstream commit a976ca79e23f13bff79c14e7266cea4a0ea51e67 ]
+
+When we trigger NAPI we are disabling interrupts but in case we receive
+or send a packet in the meantime, as interrupts are disabled, we will
+miss this event.
+
+Trigger both NAPI instances (RX and TX) when at least one event happens
+so that we don't miss any interrupts.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 06358fe5b245..dbee9b0113e3 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2048,6 +2048,9 @@ static int stmmac_napi_check(struct stmmac_priv *priv, u32 chan)
+ &priv->xstats, chan);
+ struct stmmac_channel *ch = &priv->channel[chan];
+
++ if (status)
++ status |= handle_rx | handle_tx;
++
+ if ((status & handle_rx) && (chan < priv->plat->rx_queues_to_use)) {
+ stmmac_disable_dma_irq(priv, priv->ioaddr, chan);
+ napi_schedule_irqoff(&ch->rx_napi);
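Review bot: After the added `if (status) status |= handle_rx | handle_tx;`, the `status & handle_rx` test below reduces to `status != 0`, and presumably so does the matching TX test outside the hunk. That is not obvious to a reader and has no comment. I would add `/* DMA interrupts are masked while NAPI runs, so schedule both RX and TX on any event */` above the new lines. stmmac_napi_check starts and ends outside the hunk, so whether `status` is used again after these tests cannot be confirmed from here.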
+--
+2.20.1
+
--- /dev/null
+From 29a3db81ed9fd3e2ae92a736339e0b6489a0c33b Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng <icenowy@aosc.io>
+Date: Thu, 20 Jun 2019 15:47:44 +0200
+Subject: net: stmmac: sun8i: force select external PHY when no internal one
+
+[ Upstream commit 0fec7e72ae1391bb2d7527efb54fe6ae88acabce ]
+
+The PHY selection bit also exists on SoCs without an internal PHY; if it's
+set to 1 (internal PHY, default value) then the MAC will not make use of
+any PHY on such SoCs.
+
+This problem appears when adapting for H6, which has no real internal PHY
+(the "internal PHY" on H6 is not on-die, but on a co-packaged AC200 chip,
+connected via RMII interface at GPIO bank A).
+
+Force the PHY selection bit to 0 when the SOC doesn't have an internal PHY,
+to address the problem of a wrong default value.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Signed-off-by: Ondrej Jirman <megous@megous.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+index a69c34f605b1..98a15ba8be9f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+@@ -884,6 +884,11 @@ static int sun8i_dwmac_set_syscon(struct stmmac_priv *priv)
+ * address. No need to mask it again.
+ */
+ reg |= 1 << H3_EPHY_ADDR_SHIFT;
++ } else {
++ /* For SoCs without internal PHY the PHY selection bit should be
++ * set to 0 (external PHY).
++ */
++ reg &= ~H3_EPHY_SELECT;
+ }
+
+ if (!of_property_read_u32(node, "allwinner,tx-delay-ps", &val)) {
+--
+2.20.1
+
--- /dev/null
+From 5bbdc2a9c1032940a680e1dcbe0af3bbcc2db9a0 Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Tue, 2 Jul 2019 07:10:08 +0700
+Subject: net: usb: asix: init MAC address buffers
+
+[ Upstream commit 78226f6eaac80bf30256a33a4926c194ceefdf36 ]
+
+This is for fixing bug KMSAN: uninit-value in ax88772_bind
+
+Tested by
+https://groups.google.com/d/msg/syzkaller-bugs/aFQurGotng4/eB_HlNhhCwAJ
+
+Reported-by: syzbot+8a3fc6674bbc3978ed4e@syzkaller.appspotmail.com
+
+syzbot found the following crash on:
+
+HEAD commit: f75e4cfe kmsan: use kmsan_handle_urb() in urb.c
+git tree: kmsan
+console output: https://syzkaller.appspot.com/x/log.txt?x=136d720ea00000
+kernel config:
+https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a
+dashboard link:
+https://syzkaller.appspot.com/bug?extid=8a3fc6674bbc3978ed4e
+compiler: clang version 9.0.0 (/home/glider/llvm/clang
+06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
+syz repro:
+https://syzkaller.appspot.com/x/repro.syz?x=12788316a00000
+C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120359aaa00000
+
+==================================================================
+BUG: KMSAN: uninit-value in is_valid_ether_addr
+include/linux/etherdevice.h:200 [inline]
+BUG: KMSAN: uninit-value in asix_set_netdev_dev_addr
+drivers/net/usb/asix_devices.c:73 [inline]
+BUG: KMSAN: uninit-value in ax88772_bind+0x93d/0x11e0
+drivers/net/usb/asix_devices.c:724
+CPU: 0 PID: 3348 Comm: kworker/0:2 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ is_valid_ether_addr include/linux/etherdevice.h:200 [inline]
+ asix_set_netdev_dev_addr drivers/net/usb/asix_devices.c:73 [inline]
+ ax88772_bind+0x93d/0x11e0 drivers/net/usb/asix_devices.c:724
+ usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728
+ usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361
+ really_probe+0xdae/0x1d80 drivers/base/dd.c:513
+ driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
+ __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
+ bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
+ __device_attach+0x454/0x730 drivers/base/dd.c:844
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
+ bus_probe_device+0x137/0x390 drivers/base/bus.c:514
+ device_add+0x288d/0x30e0 drivers/base/core.c:2106
+ usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027
+ generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
+ usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266
+ really_probe+0xdae/0x1d80 drivers/base/dd.c:513
+ driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
+ __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
+ bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
+ __device_attach+0x454/0x730 drivers/base/dd.c:844
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
+ bus_probe_device+0x137/0x390 drivers/base/bus.c:514
+ device_add+0x288d/0x30e0 drivers/base/core.c:2106
+ usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534
+ hub_port_connect drivers/usb/core/hub.c:5089 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
+ port_event drivers/usb/core/hub.c:5350 [inline]
+ hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432
+ process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269
+ process_scheduled_works kernel/workqueue.c:2331 [inline]
+ worker_thread+0x189c/0x2460 kernel/workqueue.c:2417
+ kthread+0x4b5/0x4f0 kernel/kthread.c:254
+ ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_devices.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
+index c9bc96310ed4..ef548beba684 100644
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -226,7 +226,7 @@ static void asix_phy_reset(struct usbnet *dev, unsigned int reset_bits)
+ static int ax88172_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret = 0;
+- u8 buf[ETH_ALEN];
++ u8 buf[ETH_ALEN] = {0};
+ int i;
+ unsigned long gpio_bits = dev->driver_info->data;
+
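Review bot: Zero-initialising `buf` in ax88172_bind, and in ax88772_bind and ax88178_bind in the following two hunks, stops the KMSAN report but does not detect the condition behind it. The trace in the commit message shows is_valid_ether_addr reading bytes that the device read never filled in. The calls that fill `buf` are outside these hunks, so this is inferred, but if they only test for a negative return, a USB device that answers with fewer than ETH_ALEN bytes now yields a partly zero MAC address instead of an error. Checking that the read returned exactly ETH_ALEN bytes before the buffer is used would handle a short reply explicitly. At minimum, a comment such as `/* zeroed: a short device reply must not expose stack bytes */` should say why the initialiser is there.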
+@@ -677,7 +677,7 @@ static int asix_resume(struct usb_interface *intf)
+ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret, i;
+- u8 buf[ETH_ALEN], chipcode = 0;
++ u8 buf[ETH_ALEN] = {0}, chipcode = 0;
+ u32 phyid;
+ struct asix_common_private *priv;
+
+@@ -1061,7 +1061,7 @@ static const struct net_device_ops ax88178_netdev_ops = {
+ static int ax88178_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret;
+- u8 buf[ETH_ALEN];
++ u8 buf[ETH_ALEN] = {0};
+
+ usbnet_get_endpoints(dev,intf);
+
+--
+2.20.1
+
--- /dev/null
+From e6e2c6dc558f872a9744eac9cb42a396767beced Mon Sep 17 00:00:00 2001
+From: Felix Kaechele <felix@kaechele.ca>
+Date: Tue, 25 Jun 2019 16:48:59 -0400
+Subject: netfilter: ctnetlink: Fix regression in conntrack entry deletion
+
+[ Upstream commit e7600865db32b69deb0109b8254244dca592adcf ]
+
+Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack
+L3-protocol flush regression") introduced a regression in which deletion
+of conntrack entries would fail because the L3 protocol information
+is replaced by AF_UNSPEC. As a result the search for the entry to be
+deleted would turn up empty due to the tuple used to perform the search
+is now different from the tuple used to initially set up the entry.
+
+For flushing the conntrack table we do however want to keep the option
+for nfgenmsg->version to have a non-zero value to allow for newer
+user-space tools to request treatment under the new behavior. With that
+it is possible to independently flush tables for a defined L3 protocol.
+This was introduced with the enhancements in commit 59c08c69c278
+("netfilter: ctnetlink: Support L3 protocol-filter on flush").
+
+Older user-space tools will retain the behavior of flushing all tables
+regardless of defined L3 protocol.
+
+Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression")
+Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Felix Kaechele <felix@kaechele.ca>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 7db79c1b8084..1b77444d5b52 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+ struct nf_conntrack_tuple tuple;
+ struct nf_conn *ct;
+ struct nfgenmsg *nfmsg = nlmsg_data(nlh);
+- u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
+ struct nf_conntrack_zone zone;
+ int err;
+
+@@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+
+ if (cda[CTA_TUPLE_ORIG])
+ err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
+- u3, &zone);
++ nfmsg->nfgen_family, &zone);
+ else if (cda[CTA_TUPLE_REPLY])
+ err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
+- u3, &zone);
++ nfmsg->nfgen_family, &zone);
+ else {
++ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
++
+ return ctnetlink_flush_conntrack(net, cda,
+ NETLINK_CB(skb).portid,
+ nlmsg_report(nlh), u3);
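Review bot: The `u3` declaration that moved into the `else` block carries the compatibility rule described in the commit message (a zero `nfmsg->version` from older tools means flush every family), but nothing in the code says so. A comment such as `/* version 0: older tools, flush all families */` above it would keep a later refactor from sharing `u3` with the delete path again, which is the regression this commit repairs. On style, the `if` and `else if` branches are unbraced while the `else` is braced; kernel coding style asks for braces on every branch once one of them needs them. ctnetlink_del_conntrack continues outside the hunk.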
+--
+2.20.1
+
--- /dev/null
+From 23d1666a738c1736a47d5c17da728a7a1f9c5140 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Mon, 24 Jun 2019 11:17:38 +0800
+Subject: netfilter: Fix remainder of pseudo-header protocol 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8 ]
+
+Since v5.1-rc1, some types of packets do not get unreachable reply with the
+following iptables setting. For example,
+
+$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
+$ ping 127.0.0.1 -c 1
+PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
+— 127.0.0.1 ping statistics —
+1 packets transmitted, 0 received, 100% packet loss, time 0ms
+
+We should have got the following reply from command line, but we did not.
+From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
+
+Yi Zhao reported it and narrowed it down to:
+7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),
+
+This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
+packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
+treated as TCP/UDP.
+
+This patch corrects the conditions in nf_ip_checksum and all other places that
+still call it with protocol 0.
+
+Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
+Reported-by: Yi Zhao <yi.zhao@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
+ net/netfilter/nf_nat_proto.c | 2 +-
+ net/netfilter/utils.c | 5 +++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
+index a824367ed518..dd53e2b20f6b 100644
+--- a/net/netfilter/nf_conntrack_proto_icmp.c
++++ b/net/netfilter/nf_conntrack_proto_icmp.c
+@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
+ /* See ip_conntrack_proto_tcp.c */
+ if (state->net->ct.sysctl_checksum &&
+ state->hook == NF_INET_PRE_ROUTING &&
+- nf_ip_checksum(skb, state->hook, dataoff, 0)) {
++ nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
+ icmp_error_log(skb, state, "bad hw icmp checksum");
+ return -NF_ACCEPT;
+ }
+diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
+index 07da07788f6b..83a24cc5753b 100644
+--- a/net/netfilter/nf_nat_proto.c
++++ b/net/netfilter/nf_nat_proto.c
+@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
+
+ if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
+ return 0;
+- if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
++ if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
+ return 0;
+
+ inside = (void *)skb->data + hdrlen;
+diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
+index 06dc55590441..51b454d8fa9c 100644
+--- a/net/netfilter/utils.c
++++ b/net/netfilter/utils.c
+@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ case CHECKSUM_COMPLETE:
+ if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
+ break;
+- if ((protocol == 0 && !csum_fold(skb->csum)) ||
++ if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
++ !csum_fold(skb->csum)) ||
+ !csum_tcpudp_magic(iph->saddr, iph->daddr,
+ skb->len - dataoff, protocol,
+ skb->csum)) {
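Review bot: The predicate `protocol != IPPROTO_TCP && protocol != IPPROTO_UDP` is now spelled out twice in nf_ip_checksum, here in the CHECKSUM_COMPLETE case and again in the CHECKSUM_NONE case of the next hunk. The two must stay identical for the checksum decision to be consistent. A single local such as `bool pseudo_hdr = protocol == IPPROTO_TCP || protocol == IPPROTO_UDP;`, declared at the top of the function (outside these hunks) and tested in both places, would keep them from drifting apart. Since the callers in nf_conntrack_proto_icmp.c and nf_nat_proto.c now pass IPPROTO_ICMP, a comment stating that only TCP and UDP use the pseudo-header sum would also document why protocol 0 is no longer special.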
+@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ }
+ /* fall through */
+ case CHECKSUM_NONE:
+- if (protocol == 0)
++ if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
+ skb->csum = 0;
+ else
+ skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
+--
+2.20.1
+
--- /dev/null
+From 7523acc8d6c5db3293c8dcdd86ce14984790d709 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Mon, 10 Jun 2019 12:47:37 +0200
+Subject: netfilter: ipset: fix a missing check of nla_parse
+
+[ Upstream commit f4f5748bfec94cf418e49bf05f0c81a1b9ebc950 ]
+
+When nla_parse fails, we should not use the results (the first
+argument). The fix checks if it fails, and if so, returns its error code
+upstream.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 3cdf171cd468..16afa0df4004 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1541,10 +1541,14 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
+ memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
+ cmdattr = (void *)&errmsg->msg + min_len;
+
+- nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, cmdattr,
+- nlh->nlmsg_len - min_len,
+- ip_set_adt_policy, NULL);
++ ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, cmdattr,
++ nlh->nlmsg_len - min_len,
++ ip_set_adt_policy, NULL);
+
++ if (ret) {
++ nlmsg_free(skb2);
++ return ret;
++ }
+ errline = nla_data(cda[IPSET_ATTR_LINENO]);
+
+ *errline = lineno;
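Review bot: The new check covers a failed parse, but `errline = nla_data(cda[IPSET_ATTR_LINENO]);` on the line right after it still dereferences the attribute without testing that it is present. A successful nla_parse_deprecated only means the attributes it found were valid; an absent one leaves its slot NULL. Whether the caller has already confirmed that the line-number attribute exists is outside the hunk. If it has not, the guard should also cover it, e.g. `if (ret || !cda[IPSET_ATTR_LINENO]) { nlmsg_free(skb2); return ret ? ret : -IPSET_ERR_PROTOCOL; }`. call_ad starts and ends outside the hunk.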
+--
+2.20.1
+
--- /dev/null
+From c18bee6f57c29d00f4aa13b55e979124321d7a11 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Tue, 18 Jun 2019 17:47:13 +0200
+Subject: ntp: Limit TAI-UTC offset
+
+[ Upstream commit d897a4ab11dc8a9fda50d2eccc081a96a6385998 ]
+
+Don't allow the TAI-UTC offset of the system clock to be set by adjtimex()
+to a value larger than 100000 seconds.
+
+This prevents an overflow in the conversion to int, prevents the CLOCK_TAI
+clock from getting too far ahead of the CLOCK_REALTIME clock, and it is
+still large enough to allow leap seconds to be inserted at the maximum rate
+currently supported by the kernel (once per day) for the next ~270 years,
+however unlikely it is that someone can survive a catastrophic event which
+slowed down the rotation of the Earth so much.
+
+Reported-by: Weikang shi <swkhack@gmail.com>
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Link: https://lkml.kernel.org/r/20190618154713.20929-1-mlichvar@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/ntp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 8de4f789dc1b..65eb796610dc 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -43,6 +43,7 @@ static u64 tick_length_base;
+ #define MAX_TICKADJ 500LL /* usecs */
+ #define MAX_TICKADJ_SCALED \
+ (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
++#define MAX_TAI_OFFSET 100000
+
+ /*
+ * phase-lock loop variables
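Review bot: `#define MAX_TAI_OFFSET 100000` carries no unit, unlike `MAX_TICKADJ 500LL /* usecs */` two lines above it. The commit message gives the limit in seconds, so `#define MAX_TAI_OFFSET 100000 /* seconds */` would keep that fact in the code. A few words on why the bound exists (the message cites an overflow in the conversion to int) would help anyone who later wants to raise it.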
+@@ -691,7 +692,8 @@ static inline void process_adjtimex_modes(const struct __kernel_timex *txc,
+ time_constant = max(time_constant, 0l);
+ }
+
+- if (txc->modes & ADJ_TAI && txc->constant >= 0)
++ if (txc->modes & ADJ_TAI &&
++ txc->constant >= 0 && txc->constant <= MAX_TAI_OFFSET)
+ *time_tai = txc->constant;
+
+ if (txc->modes & ADJ_OFFSET)
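Review bot: An ADJ_TAI request with `txc->constant` above MAX_TAI_OFFSET is now dropped silently, exactly as a negative value already was. The condition just skips the assignment to `*time_tai`, and process_adjtimex_modes returns void, so it cannot report the rejection. A caller of adjtimex() therefore gets no indication from this function that the offset was not applied. If rejecting is preferred over ignoring, the range check belongs in whatever validation runs before this function (not visible in the hunk), returning -EINVAL. Otherwise a comment such as `/* out-of-range TAI offsets are ignored */` above the condition would document the behaviour.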
+--
+2.20.1
+
--- /dev/null
+From 6511b053294f9bf8abdbd2956a53c7ee45d56c2f Mon Sep 17 00:00:00 2001
+From: Anton Eidelman <anton@lightbitslabs.com>
+Date: Thu, 20 Jun 2019 08:48:10 +0200
+Subject: nvme: fix possible io failures when removing multipathed ns
+
+[ Upstream commit 2181e455612a8db2761eabbf126640552a451e96 ]
+
+When a shared namespace is removed, we call blk_cleanup_queue()
+when the device can still be accessed as the current path and this can
+result in submission to a dying queue. Hence, direct_make_request()
+called by our mpath device may fail (propagating the failure to userspace).
+Instead, we want to failover this I/O to a different path if one exists.
+Thus, before we cleanup the request queue, we make sure that the device is
+cleared from the current path and cannot be selected again as such.
+
+Fix this by:
+- clear the ns from the head->list and synchronize rcu to make sure there is
+ no concurrent path search that restores it as the current path
+- clear the mpath current path in order to trigger a subsequent path search
+ and sync srcu to wait for any ongoing request submissions
+- safely continue to namespace removal and blk_cleanup_queue
+
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 120fb593d1da..22c68e3b71d5 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3344,6 +3344,14 @@ static void nvme_ns_remove(struct nvme_ns *ns)
+ return;
+
+ nvme_fault_inject_fini(ns);
++
++ mutex_lock(&ns->ctrl->subsys->lock);
++ list_del_rcu(&ns->siblings);
++ mutex_unlock(&ns->ctrl->subsys->lock);
++ synchronize_rcu(); /* guarantee not available in head->list */
++ nvme_mpath_clear_current_path(ns);
++ synchronize_srcu(&ns->head->srcu); /* wait for concurrent submissions */
++
+ if (ns->disk && ns->disk->flags & GENHD_FL_UP) {
+ del_gendisk(ns->disk);
+ blk_cleanup_queue(ns->queue);
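Review bot: `nvme_mpath_clear_current_path(ns)` is now called after `mutex_unlock(&ns->ctrl->subsys->lock)`, whereas the lines removed in the second hunk called it with that lock held. Whether the helper relies on subsys->lock is not visible from the hunks. If it does not, a comment saying so would help; if it does, the unlock has to move below it. The order list_del_rcu, synchronize_rcu, clear current path, synchronize_srcu, then blk_cleanup_queue is the whole point of the fix. I would state it in one block comment above the sequence rather than only in the two trailing comments, so a later cleanup does not reorder it.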
+@@ -3351,16 +3359,10 @@ static void nvme_ns_remove(struct nvme_ns *ns)
+ blk_integrity_unregister(ns->disk);
+ }
+
+- mutex_lock(&ns->ctrl->subsys->lock);
+- list_del_rcu(&ns->siblings);
+- nvme_mpath_clear_current_path(ns);
+- mutex_unlock(&ns->ctrl->subsys->lock);
+-
+ down_write(&ns->ctrl->namespaces_rwsem);
+ list_del_init(&ns->list);
+ up_write(&ns->ctrl->namespaces_rwsem);
+
+- synchronize_srcu(&ns->head->srcu);
+ nvme_mpath_check_last_path(ns);
+ nvme_put_ns(ns);
+ }
+--
+2.20.1
+
--- /dev/null
+From 3803431ce00b02aa9cf5da547851ebd480cd564c Mon Sep 17 00:00:00 2001
+From: Minwoo Im <minwoo.im.dev@gmail.com>
+Date: Sun, 9 Jun 2019 03:02:19 +0900
+Subject: nvme-pci: adjust irq max_vector using num_possible_cpus()
+
+[ Upstream commit dad77d63903e91a2e97a0c984cabe5d36e91ba60 ]
+
+If the "irq_queues" are greater than num_possible_cpus(),
+nvme_calc_irq_sets() can have irq set_size for HCTX_TYPE_DEFAULT greater
+than it can be afforded.
+2039 affd->set_size[HCTX_TYPE_DEFAULT] = nrirqs - nr_read_queues;
+
+It might cause a WARN() from the irq_build_affinity_masks() like [1]:
+220 if (nr_present < numvecs)
+221 WARN_ON(nr_present + nr_others < numvecs);
+
+This patch prevents it from the WARN() by adjusting the max_vector value
+from the nvme_setup_irqs().
+
+[1] WARN messages when modprobe nvme write_queues=32 poll_queues=0:
+root@target:~/nvme# nproc
+8
+root@target:~/nvme# modprobe nvme write_queues=32 poll_queues=0
+[ 17.925326] nvme nvme0: pci function 0000:00:04.0
+[ 17.940601] WARNING: CPU: 3 PID: 1030 at kernel/irq/affinity.c:221 irq_create_affinity_masks+0x222/0x330
+[ 17.940602] Modules linked in: nvme nvme_core [last unloaded: nvme]
+[ 17.940605] CPU: 3 PID: 1030 Comm: kworker/u17:4 Tainted: G W 5.1.0+ #156
+[ 17.940605] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+[ 17.940608] Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+[ 17.940609] RIP: 0010:irq_create_affinity_masks+0x222/0x330
+[ 17.940611] Code: 4c 8d 4c 24 28 4c 8d 44 24 30 e8 c9 fa ff ff 89 44 24 18 e8 c0 38 fa ff 8b 44 24 18 44 8b 54 24 1c 5a 44 01 d0 41 39 c4 76 02 <0f> 0b 48 89 df 44 01 e5 e8 f1 ce 10 00 48 8b 34 24 44 89 f0 44 01
+[ 17.940611] RSP: 0018:ffffc90002277c50 EFLAGS: 00010216
+[ 17.940612] RAX: 0000000000000008 RBX: ffff88807ca48860 RCX: 0000000000000000
+[ 17.940612] RDX: ffff88807bc03800 RSI: 0000000000000020 RDI: 0000000000000000
+[ 17.940613] RBP: 0000000000000001 R08: ffffc90002277c78 R09: ffffc90002277c70
+[ 17.940613] R10: 0000000000000008 R11: 0000000000000001 R12: 0000000000000020
+[ 17.940614] R13: 0000000000025d08 R14: 0000000000000001 R15: ffff88807bc03800
+[ 17.940614] FS: 0000000000000000(0000) GS:ffff88807db80000(0000) knlGS:0000000000000000
+[ 17.940616] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 17.940617] CR2: 00005635e583f790 CR3: 000000000240a000 CR4: 00000000000006e0
+[ 17.940617] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 17.940618] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 17.940618] Call Trace:
+[ 17.940622] __pci_enable_msix_range+0x215/0x540
+[ 17.940623] ? kernfs_put+0x117/0x160
+[ 17.940625] pci_alloc_irq_vectors_affinity+0x74/0x110
+[ 17.940626] nvme_reset_work+0xc30/0x1397 [nvme]
+[ 17.940628] ? __switch_to_asm+0x34/0x70
+[ 17.940628] ? __switch_to_asm+0x40/0x70
+[ 17.940629] ? __switch_to_asm+0x34/0x70
+[ 17.940630] ? __switch_to_asm+0x40/0x70
+[ 17.940630] ? __switch_to_asm+0x34/0x70
+[ 17.940631] ? __switch_to_asm+0x40/0x70
+[ 17.940632] ? nvme_irq_check+0x30/0x30 [nvme]
+[ 17.940633] process_one_work+0x20b/0x3e0
+[ 17.940634] worker_thread+0x1f9/0x3d0
+[ 17.940635] ? cancel_delayed_work+0xa0/0xa0
+[ 17.940636] kthread+0x117/0x120
+[ 17.940637] ? kthread_stop+0xf0/0xf0
+[ 17.940638] ret_from_fork+0x3a/0x50
+[ 17.940639] ---[ end trace aca8a131361cd42a ]---
+[ 17.942124] nvme nvme0: 7/1/0 default/read/poll queues
+
+Signed-off-by: Minwoo Im <minwoo.im.dev@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 544d095d44e5..f5bc1c30cef5 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2068,6 +2068,7 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues)
+ .priv = dev,
+ };
+ unsigned int irq_queues, this_p_queues;
++ unsigned int nr_cpus = num_possible_cpus();
+
+ /*
+ * Poll queues don't need interrupts, but we need at least one IO
+@@ -2078,7 +2079,10 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues)
+ this_p_queues = nr_io_queues - 1;
+ irq_queues = 1;
+ } else {
+- irq_queues = nr_io_queues - this_p_queues + 1;
++ if (nr_cpus < nr_io_queues - this_p_queues)
++ irq_queues = nr_cpus + 1;
++ else
++ irq_queues = nr_io_queues - this_p_queues + 1;
+ }
+ dev->io_queues[HCTX_TYPE_POLL] = this_p_queues;
+
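Review bot: The new `if`/`else` in this hunk is a clamp and reads more directly as `irq_queues = min(nr_cpus, nr_io_queues - this_p_queues) + 1;`, which also removes the duplicated subtraction. Both operands are `unsigned int`, so the comparison is only meaningful while `this_p_queues` is smaller than `nr_io_queues` on this branch; the condition that guarantees it sits on the `if` line outside the hunk, so that is inferred. A comment such as `/* cap at num_possible_cpus(): more vectors than CPUs trips the WARN in irq_build_affinity_masks() */` would record why the cap exists. That matters on hosts booted with panic_on_warn, where the WARN is a crash rather than a log line.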
+--
+2.20.1
+
--- /dev/null
+From ed24ddadbfbef875789c78e56f1a3d5132c7a5f3 Mon Sep 17 00:00:00 2001
+From: Minwoo Im <minwoo.im.dev@gmail.com>
+Date: Sun, 9 Jun 2019 03:35:20 +0900
+Subject: nvme-pci: properly report state change failure in nvme_reset_work
+
+[ Upstream commit cee6c269b016ba89c62e34d6bccb103ee2c7de4f ]
+
+If the state change to NVME_CTRL_CONNECTING fails, the dmesg is going to
+be like:
+
+ [ 293.689160] nvme nvme0: failed to mark controller CONNECTING
+ [ 293.689160] nvme nvme0: Removing after probe failure status: 0
+
+Even it prints the first line to indicate the situation, the second line
+is not proper because the status is 0 which means normally success of
+the previous operation.
+
+This patch makes it indicate the proper error value when it fails.
+ [ 25.932367] nvme nvme0: failed to mark controller CONNECTING
+ [ 25.932369] nvme nvme0: Removing after probe failure status: -16
+
+This situation is able to be easily reproduced by:
+ root@target:~# rmmod nvme && modprobe nvme && rmmod nvme
+
+Signed-off-by: Minwoo Im <minwoo.im.dev@gmail.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 524d6bd6d095..385ba7a1e23b 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2528,6 +2528,7 @@ static void nvme_reset_work(struct work_struct *work)
+ if (!nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_CONNECTING)) {
+ dev_warn(dev->ctrl.device,
+ "failed to mark controller CONNECTING\n");
++ result = -EBUSY;
+ goto out;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 4eededf3d46ca4f6a51ae6affe5fc30b6b1dc7b0 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Date: Sat, 8 Jun 2019 13:01:02 -0700
+Subject: nvme-pci: set the errno on ctrl state change error
+
+[ Upstream commit e71afda49335620e3d9adf56015676db33a3bd86 ]
+
+This patch removes the confusing assignment of the variable result at
+the time of declaration and sets the value in error cases next to the
+places where the actual error is happening.
+
+Here we also set the result value to -ENODEV when we fail at the final
+ctrl state transition in nvme_reset_work(). Without this assignment
+result will hold 0 from nvme_setup_io_queue() and on failure 0 will be
+passed to he nvme_remove_dead_ctrl() from final state transition.
+
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 385ba7a1e23b..544d095d44e5 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2480,11 +2480,13 @@ static void nvme_reset_work(struct work_struct *work)
+ struct nvme_dev *dev =
+ container_of(work, struct nvme_dev, ctrl.reset_work);
+ bool was_suspend = !!(dev->ctrl.ctrl_config & NVME_CC_SHN_NORMAL);
+- int result = -ENODEV;
++ int result;
+ enum nvme_ctrl_state new_state = NVME_CTRL_LIVE;
+
+- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING))
++ if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) {
++ result = -ENODEV;
+ goto out;
++ }
+
+ /*
+ * If we're called to reset a live controller first shut it down before
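Review bot: With the initialiser removed from `int result;`, every `goto out` in nvme_reset_work() must assign `result` first, and the two hunks of this patch cover only two of those paths. The rest of the function is outside the hunks, so whether every remaining path assigns it cannot be confirmed from here. A path that misses would pass an indeterminate value on to nvme_remove_dead_ctrl(), the call the commit message names. A comment at the declaration, e.g. `int result; /* must be set on every path that reaches out: */`, would make the invariant explicit for later edits.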
+@@ -2589,6 +2591,7 @@ static void nvme_reset_work(struct work_struct *work)
+ if (!nvme_change_ctrl_state(&dev->ctrl, new_state)) {
+ dev_warn(dev->ctrl.device,
+ "failed to mark controller state %d\n", new_state);
++ result = -ENODEV;
+ goto out;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From dd208de41fe5d9112c409aa3a2567354f5657c2e Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 12 Jun 2019 13:57:38 +0300
+Subject: PCI: Add missing link delays required by the PCIe spec
+
+[ Upstream commit c2bf1fc212f7e6f25ace1af8f0b3ac061ea48ba5 ]
+
+Currently Linux does not follow PCIe spec regarding the required delays
+after reset. A concrete example is a Thunderbolt add-in-card that
+consists of a PCIe switch and two PCIe endpoints:
+
+ +-1b.0-[01-6b]----00.0-[02-6b]--+-00.0-[03]----00.0 TBT controller
+ +-01.0-[04-36]-- DS hotplug port
+ +-02.0-[37]----00.0 xHCI controller
+ \-04.0-[38-6b]-- DS hotplug port
+
+The root port (1b.0) and the PCIe switch downstream ports are all PCIe
+gen3 so they support 8GT/s link speeds.
+
+We wait for the PCIe hierarchy to enter D3cold (runtime):
+
+ pcieport 0000:00:1b.0: power state changed by ACPI to D3cold
+
+When it wakes up from D3cold, according to the PCIe 4.0 section 5.8 the
+PCIe switch is put to reset and its power is re-applied. This means that
+we must follow the rules in PCIe 4.0 section 6.6.1.
+
+For the PCIe gen3 ports we are dealing with here, the following applies:
+
+ With a Downstream Port that supports Link speeds greater than 5.0
+ GT/s, software must wait a minimum of 100 ms after Link training
+ completes before sending a Configuration Request to the device
+ immediately below that Port. Software can determine when Link training
+ completes by polling the Data Link Layer Link Active bit or by setting
+ up an associated interrupt (see Section 6.7.3.3).
+
+Translating this into the above topology we would need to do this (DLLLA
+stands for Data Link Layer Link Active):
+
+ pcieport 0000:00:1b.0: wait for 100ms after DLLLA is set before access to 0000:01:00.0
+ pcieport 0000:02:00.0: wait for 100ms after DLLLA is set before access to 0000:03:00.0
+ pcieport 0000:02:02.0: wait for 100ms after DLLLA is set before access to 0000:37:00.0
+
+I've instrumented the kernel with additional logging so we can see the
+actual delays the kernel performs:
+
+ pcieport 0000:00:1b.0: power state changed by ACPI to D0
+ pcieport 0000:00:1b.0: waiting for D3cold delay of 100 ms
+ pcieport 0000:00:1b.0: waking up bus
+ pcieport 0000:00:1b.0: waiting for D3hot delay of 10 ms
+ pcieport 0000:00:1b.0: restoring config space at offset 0x2c (was 0x60, writing 0x60)
+ ...
+ pcieport 0000:00:1b.0: PME# disabled
+ pcieport 0000:01:00.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ ...
+ pcieport 0000:01:00.0: PME# disabled
+ pcieport 0000:02:00.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ ...
+ pcieport 0000:02:00.0: PME# disabled
+ pcieport 0000:02:01.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ ...
+ pcieport 0000:02:01.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407)
+ pcieport 0000:02:01.0: PME# disabled
+ pcieport 0000:02:02.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ ...
+ pcieport 0000:02:02.0: PME# disabled
+ pcieport 0000:02:04.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ ...
+ pcieport 0000:02:04.0: PME# disabled
+ pcieport 0000:02:01.0: PME# enabled
+ pcieport 0000:02:01.0: waiting for D3hot delay of 10 ms
+ pcieport 0000:02:04.0: PME# enabled
+ pcieport 0000:02:04.0: waiting for D3hot delay of 10 ms
+ thunderbolt 0000:03:00.0: restoring config space at offset 0x14 (was 0x0, writing 0x8a040000)
+ ...
+ thunderbolt 0000:03:00.0: PME# disabled
+ xhci_hcd 0000:37:00.0: restoring config space at offset 0x10 (was 0x0, writing 0x73f00000)
+ ...
+ xhci_hcd 0000:37:00.0: PME# disabled
+
+For the switch upstream port (01:00.0) we wait for 100ms but not taking
+into account the DLLLA requirement. We then wait 10ms for D3hot -> D0
+transition of the root port and the two downstream hotplug ports. This
+means that we deviate from what the spec requires.
+
+Performing the same check for system sleep (s2idle) transitions we can
+see following when resuming from s2idle:
+
+ pcieport 0000:00:1b.0: power state changed by ACPI to D0
+ pcieport 0000:00:1b.0: restoring config space at offset 0x2c (was 0x60, writing 0x60)
+ ...
+ pcieport 0000:01:00.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ ...
+ pcieport 0000:02:02.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ pcieport 0000:02:02.0: restoring config space at offset 0x2c (was 0x0, writing 0x0)
+ pcieport 0000:02:01.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ pcieport 0000:02:04.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ pcieport 0000:02:02.0: restoring config space at offset 0x28 (was 0x0, writing 0x0)
+ pcieport 0000:02:00.0: restoring config space at offset 0x3c (was 0x1ff, writing 0x201ff)
+ pcieport 0000:02:02.0: restoring config space at offset 0x24 (was 0x10001, writing 0x1fff1)
+ pcieport 0000:02:01.0: restoring config space at offset 0x2c (was 0x0, writing 0x60)
+ pcieport 0000:02:02.0: restoring config space at offset 0x20 (was 0x0, writing 0x73f073f0)
+ pcieport 0000:02:04.0: restoring config space at offset 0x2c (was 0x0, writing 0x60)
+ pcieport 0000:02:01.0: restoring config space at offset 0x28 (was 0x0, writing 0x60)
+ pcieport 0000:02:00.0: restoring config space at offset 0x2c (was 0x0, writing 0x0)
+ pcieport 0000:02:02.0: restoring config space at offset 0x1c (was 0x101, writing 0x1f1)
+ pcieport 0000:02:04.0: restoring config space at offset 0x28 (was 0x0, writing 0x60)
+ pcieport 0000:02:01.0: restoring config space at offset 0x24 (was 0x10001, writing 0x1ff10001)
+ pcieport 0000:02:00.0: restoring config space at offset 0x28 (was 0x0, writing 0x0)
+ pcieport 0000:02:02.0: restoring config space at offset 0x18 (was 0x0, writing 0x373702)
+ pcieport 0000:02:04.0: restoring config space at offset 0x24 (was 0x10001, writing 0x49f12001)
+ pcieport 0000:02:01.0: restoring config space at offset 0x20 (was 0x0, writing 0x73e05c00)
+ pcieport 0000:02:00.0: restoring config space at offset 0x24 (was 0x10001, writing 0x1fff1)
+ pcieport 0000:02:04.0: restoring config space at offset 0x20 (was 0x0, writing 0x89f07400)
+ pcieport 0000:02:01.0: restoring config space at offset 0x1c (was 0x101, writing 0x5151)
+ pcieport 0000:02:00.0: restoring config space at offset 0x20 (was 0x0, writing 0x8a008a00)
+ pcieport 0000:02:02.0: restoring config space at offset 0xc (was 0x10000, writing 0x10020)
+ pcieport 0000:02:04.0: restoring config space at offset 0x1c (was 0x101, writing 0x6161)
+ pcieport 0000:02:01.0: restoring config space at offset 0x18 (was 0x0, writing 0x360402)
+ pcieport 0000:02:00.0: restoring config space at offset 0x1c (was 0x101, writing 0x1f1)
+ pcieport 0000:02:04.0: restoring config space at offset 0x18 (was 0x0, writing 0x6b3802)
+ pcieport 0000:02:02.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407)
+ pcieport 0000:02:00.0: restoring config space at offset 0x18 (was 0x0, writing 0x30302)
+ pcieport 0000:02:01.0: restoring config space at offset 0xc (was 0x10000, writing 0x10020)
+ pcieport 0000:02:04.0: restoring config space at offset 0xc (was 0x10000, writing 0x10020)
+ pcieport 0000:02:00.0: restoring config space at offset 0xc (was 0x10000, writing 0x10020)
+ pcieport 0000:02:01.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407)
+ pcieport 0000:02:04.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407)
+ pcieport 0000:02:00.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100407)
+ xhci_hcd 0000:37:00.0: restoring config space at offset 0x10 (was 0x0, writing 0x73f00000)
+ ...
+ thunderbolt 0000:03:00.0: restoring config space at offset 0x14 (was 0x0, writing 0x8a040000)
+
+This is even worse. None of the mandatory delays are performed. If this
+would be S3 instead of s2idle then according to PCI FW spec 3.2 section
+4.6.8. there is a specific _DSM that allows the OS to skip the delays
+but this platform does not provide the _DSM and does not go to S3 anyway
+so no firmware is involved that could already handle these delays.
+
+In this particular Intel Coffee Lake platform these delays are not
+actually needed because there is an additional delay as part of the ACPI
+power resource that is used to turn on power to the hierarchy but since
+that additional delay is not required by any of standards (PCIe, ACPI)
+it is not present in the Intel Ice Lake, for example where missing the
+mandatory delays causes pciehp to start tearing down the stack too early
+(links are not yet trained).
+
+For this reason, change the PCIe portdrv PM resume hooks so that they
+perform the mandatory delays before the downstream component gets
+resumed. We perform the delays before port services are resumed because
+otherwise pciehp might find that the link is not up (even if it is just
+training) and tears-down the hierarchy.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 29 ++++++++++-----
+ drivers/pci/pci.h | 1 +
+ drivers/pci/pcie/portdrv_core.c | 66 +++++++++++++++++++++++++++++++++
+ 3 files changed, 86 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 8abc843b1615..87a1f902fa8e 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1004,15 +1004,10 @@ static void __pci_start_power_transition(struct pci_dev *dev, pci_power_t state)
+ if (state == PCI_D0) {
+ pci_platform_power_transition(dev, PCI_D0);
+ /*
+- * Mandatory power management transition delays, see
+- * PCI Express Base Specification Revision 2.0 Section
+- * 6.6.1: Conventional Reset. Do not delay for
+- * devices powered on/off by corresponding bridge,
+- * because have already delayed for the bridge.
++ * Mandatory power management transition delays are
++ * handled in the PCIe portdrv resume hooks.
+ */
+ if (dev->runtime_d3cold) {
+- if (dev->d3cold_delay && !dev->imm_ready)
+- msleep(dev->d3cold_delay);
+ /*
+ * When powering on a bridge from D3cold, the
+ * whole hierarchy may be powered on into
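Review bot: The removed `msleep(dev->d3cold_delay)` ran for any device with `runtime_d3cold` set, but its replacement covers fewer cases. `wait_for_downstream_link()` in portdrv_core.c returns early unless the port is a root or downstream port with `bridge_d3` set and a non-empty subordinate bus. A device that leaves D3cold by a path that does not pass through such a port's resume hook would then get no delay at all; whether such devices exist on supported platforms is not visible in this patch. The new comment could state that scope, e.g. `* handled in the PCIe portdrv resume hooks (root and downstream ports only).` The function body continues outside the hunk.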
+@@ -4568,14 +4563,16 @@ static int pci_pm_reset(struct pci_dev *dev, int probe)
+
+ return pci_dev_wait(dev, "PM D3->D0", PCIE_RESET_READY_POLL_MS);
+ }
++
+ /**
+- * pcie_wait_for_link - Wait until link is active or inactive
++ * pcie_wait_for_link_delay - Wait until link is active or inactive
+ * @pdev: Bridge device
+ * @active: waiting for active or inactive?
++ * @delay: Delay to wait after link has become active (in ms)
+ *
+ * Use this to wait till link becomes active or inactive.
+ */
+-bool pcie_wait_for_link(struct pci_dev *pdev, bool active)
++bool pcie_wait_for_link_delay(struct pci_dev *pdev, bool active, int delay)
+ {
+ int timeout = 1000;
+ bool ret;
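Review bot: `delay` is declared `int`, but its only use is `msleep(delay)` in the next hunk, and msleep() takes an unsigned millisecond count, so a negative argument would turn into a very long sleep. Declaring it `unsigned int delay` here and in the pci.h prototype rules that out. The function body continues outside the hunk.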
+@@ -4612,13 +4609,25 @@ bool pcie_wait_for_link(struct pci_dev *pdev, bool active)
+ timeout -= 10;
+ }
+ if (active && ret)
+- msleep(100);
++ msleep(delay);
+ else if (ret != active)
+ pci_info(pdev, "Data Link Layer Link Active not %s in 1000 msec\n",
+ active ? "set" : "cleared");
+ return ret == active;
+ }
+
++/**
++ * pcie_wait_for_link - Wait until link is active or inactive
++ * @pdev: Bridge device
++ * @active: waiting for active or inactive?
++ *
++ * Use this to wait till link becomes active or inactive.
++ */
++bool pcie_wait_for_link(struct pci_dev *pdev, bool active)
++{
++ return pcie_wait_for_link_delay(pdev, active, 100);
++}
++
+ void pci_reset_secondary_bus(struct pci_dev *dev)
+ {
+ u16 ctrl;
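Review bot: The kernel-doc added for `pcie_wait_for_link()` is a verbatim copy of the one on `pcie_wait_for_link_delay()`, so it no longer says what distinguishes the wrapper or what either function returns. For the wrapper I would write `* Like pcie_wait_for_link_delay() with a fixed 100 ms delay after the link becomes active.` Both comments could add `* Return: true if the link reached the requested state, false on timeout.`, which is what `return ret == active;` implements.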
+diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
+index 9cb99380c61e..59802b3def4b 100644
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -493,6 +493,7 @@ static inline int pci_dev_specific_disable_acs_redir(struct pci_dev *dev)
+ void pcie_do_recovery(struct pci_dev *dev, enum pci_channel_state state,
+ u32 service);
+
++bool pcie_wait_for_link_delay(struct pci_dev *pdev, bool active, int delay);
+ bool pcie_wait_for_link(struct pci_dev *pdev, bool active);
+ #ifdef CONFIG_PCIEASPM
+ void pcie_aspm_init_link_state(struct pci_dev *pdev);
+diff --git a/drivers/pci/pcie/portdrv_core.c b/drivers/pci/pcie/portdrv_core.c
+index 1b330129089f..308c3e0c4a34 100644
+--- a/drivers/pci/pcie/portdrv_core.c
++++ b/drivers/pci/pcie/portdrv_core.c
+@@ -9,6 +9,7 @@
+ #include <linux/module.h>
+ #include <linux/pci.h>
+ #include <linux/kernel.h>
++#include <linux/delay.h>
+ #include <linux/errno.h>
+ #include <linux/pm.h>
+ #include <linux/pm_runtime.h>
+@@ -378,6 +379,67 @@ static int pm_iter(struct device *dev, void *data)
+ return 0;
+ }
+
++static int get_downstream_delay(struct pci_bus *bus)
++{
++ struct pci_dev *pdev;
++ int min_delay = 100;
++ int max_delay = 0;
++
++ list_for_each_entry(pdev, &bus->devices, bus_list) {
++ if (!pdev->imm_ready)
++ min_delay = 0;
++ else if (pdev->d3cold_delay < min_delay)
++ min_delay = pdev->d3cold_delay;
++ if (pdev->d3cold_delay > max_delay)
++ max_delay = pdev->d3cold_delay;
++ }
++
++ return max(min_delay, max_delay);
++}
++
++/*
++ * wait_for_downstream_link - Wait for downstream link to establish
++ * @pdev: PCIe port whose downstream link is waited
++ *
++ * Handle delays according to PCIe 4.0 section 6.6.1 before configuration
++ * access to the downstream component is permitted.
++ *
++ * This blocks PCI core resume of the hierarchy below this port until the
++ * link is trained. Should be called before resuming port services to
++ * prevent pciehp from starting to tear-down the hierarchy too soon.
++ */
++static void wait_for_downstream_link(struct pci_dev *pdev)
++{
++ int delay;
++
++ if (pci_pcie_type(pdev) != PCI_EXP_TYPE_ROOT_PORT &&
++ pci_pcie_type(pdev) != PCI_EXP_TYPE_DOWNSTREAM)
++ return;
++
++ if (pci_dev_is_disconnected(pdev))
++ return;
++
++ if (!pdev->subordinate || list_empty(&pdev->subordinate->devices) ||
++ !pdev->bridge_d3)
++ return;
++
++ delay = get_downstream_delay(pdev->subordinate);
++ if (!delay)
++ return;
++
++ dev_dbg(&pdev->dev, "waiting downstream link for %d ms\n", delay);
++
++ /*
++ * If downstream port does not support speeds greater than 5 GT/s
++ * need to wait 100ms. For higher speeds (gen3) we need to wait
++ * first for the data link layer to become active.
++ */
++ if (pcie_get_speed_cap(pdev) <= PCIE_SPEED_5_0GT)
++ msleep(delay);
++ else
++ pcie_wait_for_link_delay(pdev, true, delay);
++}
++
+ /**
+ * pcie_port_device_suspend - suspend port services associated with a PCIe port
+ * @dev: PCI Express port to handle
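Review bot: In `get_downstream_delay()` the `min_delay` / `imm_ready` bookkeeping has no effect on the result. `min_delay` only ever decreases, to 0 or to some device's `d3cold_delay`, so for a non-empty bus `max(min_delay, max_delay)` is always `max_delay`. The msleep removed from pci.c skipped the wait when `imm_ready` was set, whereas the new code waits regardless. If Immediate Readiness devices are still meant to be exempt, the loop should skip them as below; otherwise the dead branch can simply be dropped. The bus device list is also walked without any lock visible in the hunk, which is worth confirming against concurrent hot-unplug.

```c
static int get_downstream_delay(struct pci_bus *bus)
{
	struct pci_dev *pdev;
	int max_delay = 0;

	list_for_each_entry(pdev, &bus->devices, bus_list) {
		/* same exemption the removed msleep() in pci.c applied */
		if (pdev->imm_ready)
			continue;
		if (pdev->d3cold_delay > max_delay)
			max_delay = pdev->d3cold_delay;
	}

	return max_delay;
}
/* … unchanged: wait_for_downstream_link() … */
```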
+@@ -391,6 +453,8 @@ int pcie_port_device_suspend(struct device *dev)
+ int pcie_port_device_resume_noirq(struct device *dev)
+ {
+ size_t off = offsetof(struct pcie_port_service_driver, resume_noirq);
++
++ wait_for_downstream_link(to_pci_dev(dev));
+ return device_for_each_child(dev, &off, pm_iter);
+ }
+
+@@ -421,6 +485,8 @@ int pcie_port_device_runtime_suspend(struct device *dev)
+ int pcie_port_device_runtime_resume(struct device *dev)
+ {
+ size_t off = offsetof(struct pcie_port_service_driver, runtime_resume);
++
++ wait_for_downstream_link(to_pci_dev(dev));
+ return device_for_each_child(dev, &off, pm_iter);
+ }
+ #endif /* PM */
+--
+2.20.1
+
--- /dev/null
+From 5cf4eb14837ab9cf711772d7d46c3eb3db72d68b Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Tue, 28 May 2019 16:02:56 -0300
+Subject: perf annotate TUI browser: Do not use member from variable within its
+ own initialization
+
+[ Upstream commit da2019633f0b5c105ce658aada333422d8cb28fe ]
+
+Some compilers will complain when using a member of a struct to
+initialize another member, in the same struct initialization.
+
+For instance:
+
+ debian:8 Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
+ oraclelinux:7 clang version 3.4.2 (tags/RELEASE_34/dot2-final)
+
+Produce:
+
+ ui/browsers/annotate.c:104:12: error: variable 'ops' is uninitialized when used within its own initialization [-Werror,-Wuninitialized]
+ (!ops.current_entry ||
+ ^~~
+ 1 error generated.
+
+So use an extra variable, initialized just before that struct, to have
+the value used in the expressions used to init two of the struct
+members.
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: c298304bd747 ("perf annotate: Use a ops table for annotation_line__write()")
+Link: https://lkml.kernel.org/n/tip-f9nexro58q62l3o9hez8hr0i@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/browsers/annotate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/ui/browsers/annotate.c b/tools/perf/ui/browsers/annotate.c
+index 98d934a36d86..b0d089a95dac 100644
+--- a/tools/perf/ui/browsers/annotate.c
++++ b/tools/perf/ui/browsers/annotate.c
+@@ -97,11 +97,12 @@ static void annotate_browser__write(struct ui_browser *browser, void *entry, int
+ struct annotate_browser *ab = container_of(browser, struct annotate_browser, b);
+ struct annotation *notes = browser__annotation(browser);
+ struct annotation_line *al = list_entry(entry, struct annotation_line, node);
++ const bool is_current_entry = ui_browser__is_current_entry(browser, row);
+ struct annotation_write_ops ops = {
+ .first_line = row == 0,
+- .current_entry = ui_browser__is_current_entry(browser, row),
++ .current_entry = is_current_entry,
+ .change_color = (!notes->options->hide_src_code &&
+- (!ops.current_entry ||
++ (!is_current_entry ||
+ (browser->use_navkeypressed &&
+ !browser->navkeypressed))),
+ .width = browser->width,
+--
+2.20.1
+
--- /dev/null
+From f8503e1f82e34a268c0bb9278389d3ea02c4214e Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Tue, 18 Jun 2019 17:48:12 -0300
+Subject: perf build: Handle slang being in /usr/include and in
+ /usr/include/slang/
+
+[ Upstream commit 78d6ccce03e86de34c7000bcada493ed0679e350 ]
+
+In some distros slang.h may be in a /usr/include 'slang' subdir, so use
+the if slang is not explicitely disabled (by using NO_SLANG=1) and its
+feature test for the common case (having /usr/include/slang.h) failed,
+use the results for the test that checks if it is in slang/slang.h.
+
+Change the only file in perf that includes slang.h to use
+HAVE_SLANG_INCLUDE_SUBDIR and forget about this for good.
+
+On a rhel6 system now we have:
+
+ $ /tmp/build/perf/perf -vv | grep slang
+ libslang: [ on ] # HAVE_SLANG_SUPPORT
+ $ ldd /tmp/build/perf/perf | grep libslang
+ libslang.so.2 => /usr/lib64/libslang.so.2 (0x00007fa2d5a8d000)
+ $ grep slang /tmp/build/perf/FEATURE-DUMP
+ feature-libslang=0
+ feature-libslang-include-subdir=1
+ $ cat /etc/redhat-release
+ CentOS release 6.10 (Final)
+ $
+
+While on fedora:29:
+
+ $ /tmp/build/perf/perf -vv | grep slang
+ libslang: [ on ] # HAVE_SLANG_SUPPORT
+ $ ldd /tmp/build/perf/perf | grep slang
+ libslang.so.2 => /lib64/libslang.so.2 (0x00007f8eb11a7000)
+ $ grep slang /tmp/build/perf/FEATURE-DUMP
+ feature-libslang=1
+ feature-libslang-include-subdir=1
+ $
+ $ cat /etc/fedora-release
+ Fedora release 29 (Twenty Nine)
+ $
+
+The feature-libslang-include-subdir=1 line is because the 'gettid()'
+test was added to test-all.c as the new glibc has an implementation for
+that, so we soon should have it not failing, i.e. should be the common
+case soon. Perhaps I should move it out till it becomes the norm...
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: 1955c8cf5e26 ("perf tools: Don't hardcode host include path for libslang")
+Link: https://lkml.kernel.org/n/tip-bkgtpsu3uit821fuwsdhj9gd@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/Makefile.config | 11 ++++++++---
+ tools/perf/ui/libslang.h | 5 +++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
+index 85fbcd265351..17b81bc403e4 100644
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -637,9 +637,14 @@ endif
+
+ ifndef NO_SLANG
+ ifneq ($(feature-libslang), 1)
+- msg := $(warning slang not found, disables TUI support. Please install slang-devel, libslang-dev or libslang2-dev);
+- NO_SLANG := 1
+- else
++ ifneq ($(feature-libslang-include-subdir), 1)
++ msg := $(warning slang not found, disables TUI support. Please install slang-devel, libslang-dev or libslang2-dev);
++ NO_SLANG := 1
++ else
++ CFLAGS += -DHAVE_SLANG_INCLUDE_SUBDIR
++ endif
++ endif
++ ifndef NO_SLANG
+ # Fedora has /usr/include/slang/slang.h, but ubuntu /usr/include/slang.h
+ CFLAGS += -I/usr/include/slang
+ CFLAGS += -DHAVE_SLANG_SUPPORT
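Review bot: The retained `CFLAGS += -I/usr/include/slang` still hard-codes a host include directory. Once `HAVE_SLANG_INCLUDE_SUBDIR` makes libslang.h include `<slang/slang.h>`, that line should no longer be needed for the subdir layout, and in a cross build it can pull host headers into the target compile. If nothing else depends on it, dropping the line and its comment in the same change would finish what the commit message calls "forget about this for good". The `ifndef NO_SLANG` block continues outside the hunk.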
+diff --git a/tools/perf/ui/libslang.h b/tools/perf/ui/libslang.h
+index c0686cda39a5..991e692b9b46 100644
+--- a/tools/perf/ui/libslang.h
++++ b/tools/perf/ui/libslang.h
+@@ -10,7 +10,12 @@
+ #ifndef HAVE_LONG_LONG
+ #define HAVE_LONG_LONG __GLIBC_HAVE_LONG_LONG
+ #endif
++
++#ifdef HAVE_SLANG_INCLUDE_SUBDIR
++#include <slang/slang.h>
++#else
+ #include <slang.h>
++#endif
+
+ #if SLANG_VERSION < 20104
+ #define slsmg_printf(msg, args...) \
+--
+2.20.1
+
--- /dev/null
+From acfbf13bee6fedb9682d6e05387354bdba86aaa9 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Wed, 5 Jun 2019 10:16:33 -0600
+Subject: perf cs-etm: Properly set the value of 'old' and 'head' in snapshot
+ mode
+
+[ Upstream commit e45c48a9a4d20ebc7b639a62c3ef8f4b08007027 ]
+
+This patch adds the necessary intelligence to properly compute the value
+of 'old' and 'head' when operating in snapshot mode. That way we can
+get the latest information in the AUX buffer and be compatible with the
+generic AUX ring buffer mechanic.
+
+Tester notes:
+
+> Leo, have you had the chance to test/review this one? Suzuki?
+
+Sure. I applied this patch on the perf/core branch (with latest
+commit 3e4fbf36c1e3 'perf augmented_raw_syscalls: Move reading
+filename to the loop') and passed testing with below steps:
+
+ # perf record -e cs_etm/@tmc_etr0/ -S -m,64 --per-thread ./sort &
+ [1] 19097
+ Bubble sorting array of 30000 elements
+
+ # kill -USR2 19097
+ # kill -USR2 19097
+ # kill -USR2 19097
+ [ perf record: Woken up 4 times to write data ]
+ [ perf record: Captured and wrote 0.753 MB perf.data ]
+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Tested-by: Leo Yan <leo.yan@linaro.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/20190605161633.12245-1-mathieu.poirier@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/arm/util/cs-etm.c | 127 +++++++++++++++++++++++++++++-
+ 1 file changed, 123 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/arch/arm/util/cs-etm.c b/tools/perf/arch/arm/util/cs-etm.c
+index 911426721170..0a278bbcaba6 100644
+--- a/tools/perf/arch/arm/util/cs-etm.c
++++ b/tools/perf/arch/arm/util/cs-etm.c
+@@ -31,6 +31,8 @@ struct cs_etm_recording {
+ struct auxtrace_record itr;
+ struct perf_pmu *cs_etm_pmu;
+ struct perf_evlist *evlist;
++ int wrapped_cnt;
++ bool *wrapped;
+ bool snapshot_mode;
+ size_t snapshot_size;
+ };
+@@ -536,16 +538,131 @@ static int cs_etm_info_fill(struct auxtrace_record *itr,
+ return 0;
+ }
+
+-static int cs_etm_find_snapshot(struct auxtrace_record *itr __maybe_unused,
++static int cs_etm_alloc_wrapped_array(struct cs_etm_recording *ptr, int idx)
++{
++ bool *wrapped;
++ int cnt = ptr->wrapped_cnt;
++
++ /* Make @ptr->wrapped as big as @idx */
++ while (cnt <= idx)
++ cnt++;
++
++ /*
++ * Free'ed in cs_etm_recording_free(). Using realloc() to avoid
++ * cross compilation problems where the host's system supports
++ * reallocarray() but not the target.
++ */
++ wrapped = realloc(ptr->wrapped, cnt * sizeof(bool));
++ if (!wrapped)
++ return -ENOMEM;
++
++ wrapped[cnt - 1] = false;
++ ptr->wrapped_cnt = cnt;
++ ptr->wrapped = wrapped;
++
++ return 0;
++}
++
++static bool cs_etm_buffer_has_wrapped(unsigned char *buffer,
++ size_t buffer_size, u64 head)
++{
++ u64 i, watermark;
++ u64 *buf = (u64 *)buffer;
++ size_t buf_size = buffer_size;
++
++ /*
++ * We want to look the very last 512 byte (chosen arbitrarily) in
++ * the ring buffer.
++ */
++ watermark = buf_size - 512;
++
++ /*
++ * @head is continuously increasing - if its value is equal or greater
++ * than the size of the ring buffer, it has wrapped around.
++ */
++ if (head >= buffer_size)
++ return true;
++
++ /*
++ * The value of @head is somewhere within the size of the ring buffer.
++ * This can be that there hasn't been enough data to fill the ring
++ * buffer yet or the trace time was so long that @head has numerically
++ * wrapped around. To find we need to check if we have data at the very
++ * end of the ring buffer. We can reliably do this because mmap'ed
++ * pages are zeroed out and there is a fresh mapping with every new
++ * session.
++ */
++
++ /* @head is less than 512 byte from the end of the ring buffer */
++ if (head > watermark)
++ watermark = head;
++
++ /*
++ * Speed things up by using 64 bit transactions (see "u64 *buf" above)
++ */
++ watermark >>= 3;
++ buf_size >>= 3;
++
++ /*
++ * If we find trace data at the end of the ring buffer, @head has
++ * been there and has numerically wrapped around at least once.
++ */
++ for (i = watermark; i < buf_size; i++)
++ if (buf[i])
++ return true;
++
++ return false;
++}
++
++static int cs_etm_find_snapshot(struct auxtrace_record *itr,
+ int idx, struct auxtrace_mmap *mm,
+- unsigned char *data __maybe_unused,
++ unsigned char *data,
+ u64 *head, u64 *old)
+ {
++ int err;
++ bool wrapped;
++ struct cs_etm_recording *ptr =
++ container_of(itr, struct cs_etm_recording, itr);
++
++ /*
++ * Allocate memory to keep track of wrapping if this is the first
++ * time we deal with this *mm.
++ */
++ if (idx >= ptr->wrapped_cnt) {
++ err = cs_etm_alloc_wrapped_array(ptr, idx);
++ if (err)
++ return err;
++ }
++
++ /*
++ * Check to see if *head has wrapped around. If it hasn't only the
++ * amount of data between *head and *old is snapshot'ed to avoid
++ * bloating the perf.data file with zeros. But as soon as *head has
++ * wrapped around the entire size of the AUX ring buffer it taken.
++ */
++ wrapped = ptr->wrapped[idx];
++ if (!wrapped && cs_etm_buffer_has_wrapped(data, mm->len, *head)) {
++ wrapped = true;
++ ptr->wrapped[idx] = true;
++ }
++
+ pr_debug3("%s: mmap index %d old head %zu new head %zu size %zu\n",
+ __func__, idx, (size_t)*old, (size_t)*head, mm->len);
+
+- *old = *head;
+- *head += mm->len;
++ /* No wrap has occurred, we can just use *head and *old. */
++ if (!wrapped)
++ return 0;
++
++ /*
++ * *head has wrapped around - adjust *head and *old to pickup the
++ * entire content of the AUX buffer.
++ */
++ if (*head >= mm->len) {
++ *old = *head - mm->len;
++ } else {
++ *head += mm->len;
++ *old = *head - mm->len;
++ }
+
+ return 0;
+ }
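Review bot: cs_etm_alloc_wrapped_array() initialises only the last slot, `wrapped[cnt - 1] = false`, although realloc() leaves every newly added element indeterminate. If cs_etm_find_snapshot() is ever called with an idx more than one past wrapped_cnt, the skipped slots pass the `idx >= ptr->wrapped_cnt` test on a later call and `ptr->wrapped[idx]` is read uninitialised; whether indices always arrive in ascending order is not visible in this hunk. Clearing the whole new range closes that, `for (i = ptr->wrapped_cnt; i < cnt; i++) wrapped[i] = false;`, and the counting loop can become `cnt = idx + 1;`. A negative idx would also skip the allocation and index before the array, so an `if (idx < 0) return -EINVAL;` guard in cs_etm_find_snapshot() is worth considering.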
+@@ -586,6 +703,8 @@ static void cs_etm_recording_free(struct auxtrace_record *itr)
+ {
+ struct cs_etm_recording *ptr =
+ container_of(itr, struct cs_etm_recording, itr);
++
++ zfree(&ptr->wrapped);
+ free(ptr);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 113fb51fe88160cbb2869b1e83bbd48936368ea1 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 17 Jun 2019 14:32:53 -0300
+Subject: perf evsel: Make perf_evsel__name() accept a NULL argument
+
+[ Upstream commit fdbdd7e8580eac9bdafa532746c865644d125e34 ]
+
+In which case it simply returns "unknown", like when it can't figure out
+the evsel->name value.
+
+This makes this code more robust and fixes a problem in 'perf trace'
+where a NULL evsel was being passed to a routine that only used the
+evsel for printing its name when a invalid syscall id was passed.
+
+Reported-by: Leo Yan <leo.yan@linaro.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-f30ztaasku3z935cn3ak3h53@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/evsel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 4a5947625c5c..2c46f9aa416c 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -589,6 +589,9 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+ {
+ char bf[128];
+
++ if (!evsel)
++ goto out_unknown;
++
+ if (evsel->name)
+ return evsel->name;
+
+@@ -628,7 +631,10 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+
+ evsel->name = strdup(bf);
+
+- return evsel->name ?: "unknown";
++ if (evsel->name)
++ return evsel->name;
++out_unknown:
++ return "unknown";
+ }
+
+ const char *perf_evsel__group_name(struct perf_evsel *evsel)
+--
+2.20.1
+
--- /dev/null
+From 2d377d37bd1c3844cab978f253d903cfc7f7514b Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Fri, 31 May 2019 15:13:21 +0200
+Subject: perf jvmti: Address gcc string overflow warning for strncpy()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 279ab04dbea1370d2eac0f854270369ccaef8a44 ]
+
+We are getting false positive gcc warning when we compile with gcc9 (9.1.1):
+
+ CC jvmti/libjvmti.o
+ In file included from /usr/include/string.h:494,
+ from jvmti/libjvmti.c:5:
+ In function ‘strncpy’,
+ inlined from ‘copy_class_filename.constprop’ at jvmti/libjvmti.c:166:3:
+ /usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=]
+ 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ jvmti/libjvmti.c: In function ‘copy_class_filename.constprop’:
+ jvmti/libjvmti.c:165:26: note: length computed here
+ 165 | size_t file_name_len = strlen(file_name);
+ | ^~~~~~~~~~~~~~~~~
+ cc1: all warnings being treated as errors
+
+As per Arnaldo's suggestion use strlcpy(), which does the same thing and keeps
+gcc silent.
+
+Suggested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ben Gainey <ben.gainey@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lkml.kernel.org/r/20190531131321.GB1281@krava
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/jvmti/libjvmti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/jvmti/libjvmti.c b/tools/perf/jvmti/libjvmti.c
+index aea7b1fe85aa..c441a34cb1c0 100644
+--- a/tools/perf/jvmti/libjvmti.c
++++ b/tools/perf/jvmti/libjvmti.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/compiler.h>
++#include <linux/string.h>
+ #include <sys/types.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -162,8 +163,7 @@ copy_class_filename(const char * class_sign, const char * file_name, char * resu
+ result[i] = '\0';
+ } else {
+ /* fallback case */
+- size_t file_name_len = strlen(file_name);
+- strncpy(result, file_name, file_name_len < max_length ? file_name_len : max_length);
++ strlcpy(result, file_name, max_length);
+ }
+ }
+
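Review bot: The strlcpy() call in the fallback branch discards its return value, so a file_name of max_length bytes or longer is truncated without any indication to the caller. Checking it, `if (strlcpy(result, file_name, max_length) >= max_length)`, lets the function report or log the truncation; how copy_class_filename() signals errors is not visible here, as its signature is cut in the hunk header and its body starts outside the hunk. A short comment would also help, e.g. `/* strlcpy() always NUL-terminates; the removed strncpy() bound did not */`, since the old bound of min(strlen(file_name), max_length) never copied the terminator.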
+--
+2.20.1
+
--- /dev/null
+From b7a5ba70b3b0f25b6b19ec023b306d21d09d7d4e Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Thu, 23 May 2019 10:25:21 +0200
+Subject: perf report: Fix OOM error in TUI mode on s390
+
+[ Upstream commit 8a07aa4e9b7b0222129c07afff81634a884b2866 ]
+
+Debugging a OOM error using the TUI interface revealed this issue
+on s390:
+
+[tmricht@m83lp54 perf]$ cat /proc/kallsyms |sort
+....
+00000001119b7158 B radix_tree_node_cachep
+00000001119b8000 B __bss_stop
+00000001119b8000 B _end
+000003ff80002850 t autofs_mount [autofs4]
+000003ff80002868 t autofs_show_options [autofs4]
+000003ff80002a98 t autofs_evict_inode [autofs4]
+....
+
+There is a huge gap between the last kernel symbol
+__bss_stop/_end and the first kernel module symbol
+autofs_mount (from autofs4 module).
+
+After reading the kernel symbol table via functions:
+
+ dso__load()
+ +--> dso__load_kernel_sym()
+ +--> dso__load_kallsyms()
+ +--> __dso_load_kallsyms()
+ +--> symbols__fixup_end()
+
+the symbol __bss_stop has a start address of 1119b8000 and
+an end address of 3ff80002850, as can be seen by this debug statement:
+
+ symbols__fixup_end __bss_stop start:0x1119b8000 end:0x3ff80002850
+
+The size of symbol __bss_stop is 0x3fe6e64a850 bytes!
+It is the last kernel symbol and fills up the space until
+the first kernel module symbol.
+
+This size kills the TUI interface when executing the following
+code:
+
+ process_sample_event()
+ hist_entry_iter__add()
+ hist_iter__report_callback()
+ hist_entry__inc_addr_samples()
+ symbol__inc_addr_samples(symbol = __bss_stop)
+ symbol__cycles_hist()
+ annotated_source__alloc_histograms(...,
+ symbol__size(sym),
+ ...)
+
+This function allocates memory to save sample histograms.
+The symbol_size() marco is defined as sym->end - sym->start, which
+results in above value of 0x3fe6e64a850 bytes and
+the call to calloc() in annotated_source__alloc_histograms() fails.
+
+The histgram memory allocation might fail, make this failure
+no-fatal and continue processing.
+
+Output before:
+[tmricht@m83lp54 perf]$ ./perf --debug stderr=1 report -vvvvv \
+ -i ~/slow.data 2>/tmp/2
+[tmricht@m83lp54 perf]$ tail -5 /tmp/2
+ __symbol__inc_addr_samples(875): ENOMEM! sym->name=__bss_stop,
+ start=0x1119b8000, addr=0x2aa0005eb08, end=0x3ff80002850,
+ func: 0
+problem adding hist entry, skipping event
+0x938b8 [0x8]: failed to process type: 68 [Cannot allocate memory]
+[tmricht@m83lp54 perf]$
+
+Output after:
+[tmricht@m83lp54 perf]$ ./perf --debug stderr=1 report -vvvvv \
+ -i ~/slow.data 2>/tmp/2
+[tmricht@m83lp54 perf]$ tail -5 /tmp/2
+ symbol__inc_addr_samples map:0x1597830 start:0x110730000 end:0x3ff80002850
+ symbol__hists notes->src:0x2aa2a70 nr_hists:1
+ symbol__inc_addr_samples sym:unlink_anon_vmas src:0x2aa2a70
+ __symbol__inc_addr_samples: addr=0x11094c69e
+ 0x11094c670 unlink_anon_vmas: period++ [addr: 0x11094c69e, 0x2e, evidx=0]
+ => nr_samples: 1, period: 526008
+[tmricht@m83lp54 perf]$
+
+There is no error about failed memory allocation and the TUI interface
+shows all entries.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/90cb5607-3e12-5167-682d-978eba7dafa8@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index 79db038b56f2..c8ce13419d9b 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -931,9 +931,8 @@ static int symbol__inc_addr_samples(struct symbol *sym, struct map *map,
+ if (sym == NULL)
+ return 0;
+ src = symbol__hists(sym, evsel->evlist->nr_entries);
+- if (src == NULL)
+- return -ENOMEM;
+- return __symbol__inc_addr_samples(sym, map, src, evsel->idx, addr, sample);
++ return (src) ? __symbol__inc_addr_samples(sym, map, src, evsel->idx,
++ addr, sample) : 0;
+ }
+
+ static int symbol__account_cycles(u64 addr, u64 start,
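Review bot: Returning 0 when symbol__hists() yields NULL hides every allocation failure on this path, not only the oversized-symbol case from the description, and nothing is logged. A plain guard reads more clearly than the wrapped ternary and leaves room for a diagnostic: under `if (src == NULL)`, emit `pr_debug("%s: histogram allocation failed for %s\n", __func__, sym->name);` and then `return 0;`. The underlying cause described in the commit message, a symbol whose end is stretched to the first module symbol, is left in place, so a size sanity check before the allocation would be a more targeted follow-up. The start of symbol__inc_addr_samples() lies outside the hunk.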
+--
+2.20.1
+
--- /dev/null
+From cb50a40a12e69f5dacbcb3e8e41ad9c6d8160a52 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Mon, 24 Jun 2019 12:37:09 -0700
+Subject: perf stat: Don't merge events in the same PMU
+
+[ Upstream commit 6c5f4e5cb35b4694dc035d91092d23f596ecd06a ]
+
+Event merging is mainly to collapse similar events in lots of different
+duplicated PMUs.
+
+It can break metric displaying. It's possible for two metrics to have
+the same event, and when the two events happen in a row the second
+wouldn't be displayed. This would also not show the second metric.
+
+To avoid this don't merge events in the same PMU. This makes sense, if
+we have multiple events in the same PMU there is likely some reason for
+it (e.g. using multiple groups) and we better not merge them.
+
+While in theory it would be possible to construct metrics that have
+events with the same name in different PMU no current metrics have this
+problem.
+
+This is the fix for perf stat -M UPI,IPC (needs also another bug fix to
+completely work)
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Fixes: 430daf2dc7af ("perf stat: Collapse identically named events")
+Link: http://lkml.kernel.org/r/20190624193711.35241-3-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-display.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c
+index 4c53bae5644b..94bed4031def 100644
+--- a/tools/perf/util/stat-display.c
++++ b/tools/perf/util/stat-display.c
+@@ -542,7 +542,8 @@ static void collect_all_aliases(struct perf_stat_config *config, struct perf_evs
+ alias->scale != counter->scale ||
+ alias->cgrp != counter->cgrp ||
+ strcmp(alias->unit, counter->unit) ||
+- perf_evsel__is_clock(alias) != perf_evsel__is_clock(counter))
++ perf_evsel__is_clock(alias) != perf_evsel__is_clock(counter) ||
++ !strcmp(alias->pmu_name, counter->pmu_name))
+ break;
+ alias->merged_stat = true;
+ cb(config, alias, data, false);
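Review bot: The added `!strcmp(alias->pmu_name, counter->pmu_name)` dereferences both pmu_name pointers unconditionally, and passing NULL to strcmp() is undefined behaviour. Whether pmu_name is always set for the evsels that reach this loop is not visible in the hunk; if events without a PMU can get here, guard the comparison: `(alias->pmu_name && counter->pmu_name && !strcmp(alias->pmu_name, counter->pmu_name))`. The enclosing loop in collect_all_aliases() starts and ends outside the hunk.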
+--
+2.20.1
+
--- /dev/null
+From aa7936409310e4d2d0d5835b247bfaa12915af2f Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Mon, 24 Jun 2019 12:37:10 -0700
+Subject: perf stat: Fix group lookup for metric group
+
+[ Upstream commit 2f87f33f4226523df9c9cc28f9874ea02fcc3d3f ]
+
+The metric group code tries to find a group it added earlier in the
+evlist. Fix the lookup to handle groups with partially overlaps
+correctly. When a sub string match fails and we reset the match, we have
+to compare the first element again.
+
+I also renamed the find_evsel function to find_evsel_group to make its
+purpose clearer.
+
+With the earlier changes this fixes:
+
+Before:
+
+ % perf stat -M UPI,IPC sleep 1
+ ...
+ 1,032,922 uops_retired.retire_slots # 1.1 UPI
+ 1,896,096 inst_retired.any
+ 1,896,096 inst_retired.any
+ 1,177,254 cpu_clk_unhalted.thread
+
+After:
+
+ % perf stat -M UPI,IPC sleep 1
+ ...
+ 1,013,193 uops_retired.retire_slots # 1.1 UPI
+ 932,033 inst_retired.any
+ 932,033 inst_retired.any # 0.9 IPC
+ 1,091,245 cpu_clk_unhalted.thread
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Fixes: b18f3e365019 ("perf stat: Support JSON metrics in perf stat")
+Link: http://lkml.kernel.org/r/20190624193711.35241-4-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/metricgroup.c | 47 ++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 12 deletions(-)
+
+diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c
+index 699e020737d9..fabdb6dde88e 100644
+--- a/tools/perf/util/metricgroup.c
++++ b/tools/perf/util/metricgroup.c
+@@ -85,26 +85,49 @@ struct egroup {
+ const char *metric_expr;
+ };
+
+-static struct perf_evsel *find_evsel(struct perf_evlist *perf_evlist,
+- const char **ids,
+- int idnum,
+- struct perf_evsel **metric_events)
++static bool record_evsel(int *ind, struct perf_evsel **start,
++ int idnum,
++ struct perf_evsel **metric_events,
++ struct perf_evsel *ev)
++{
++ metric_events[*ind] = ev;
++ if (*ind == 0)
++ *start = ev;
++ if (++*ind == idnum) {
++ metric_events[*ind] = NULL;
++ return true;
++ }
++ return false;
++}
++
++static struct perf_evsel *find_evsel_group(struct perf_evlist *perf_evlist,
++ const char **ids,
++ int idnum,
++ struct perf_evsel **metric_events)
+ {
+ struct perf_evsel *ev, *start = NULL;
+ int ind = 0;
+
+ evlist__for_each_entry (perf_evlist, ev) {
++ if (ev->collect_stat)
++ continue;
+ if (!strcmp(ev->name, ids[ind])) {
+- metric_events[ind] = ev;
+- if (ind == 0)
+- start = ev;
+- if (++ind == idnum) {
+- metric_events[ind] = NULL;
++ if (record_evsel(&ind, &start, idnum,
++ metric_events, ev))
+ return start;
+- }
+ } else {
++ /*
++ * We saw some other event that is not
++ * in our list of events. Discard
++ * the whole match and start again.
++ */
+ ind = 0;
+ start = NULL;
++ if (!strcmp(ev->name, ids[ind])) {
++ if (record_evsel(&ind, &start, idnum,
++ metric_events, ev))
++ return start;
++ }
+ }
+ }
+ /*
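Review bot: record_evsel() has no comment, and it writes the terminator at `metric_events[idnum]`, so the array must have room for idnum + 1 pointers; the allocation is outside this hunk and should be checked against that. A header such as `/* Store @ev at *ind; return true once idnum events are recorded and the list is NULL-terminated. @metric_events needs idnum + 1 slots. */` would state the contract. Both strcmp() calls also read `ev->name` and `ids[ind]` directly, which assumes every evsel in the list has a name and that idnum is at least 1; this is presumably guaranteed by the callers but worth confirming. find_evsel_group() continues past the end of the hunk.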
+@@ -134,8 +157,8 @@ static int metricgroup__setup_events(struct list_head *groups,
+ ret = -ENOMEM;
+ break;
+ }
+- evsel = find_evsel(perf_evlist, eg->ids, eg->idnum,
+- metric_events);
++ evsel = find_evsel_group(perf_evlist, eg->ids, eg->idnum,
++ metric_events);
+ if (!evsel) {
+ pr_debug("Cannot resolve %s: %s\n",
+ eg->metric_name, eg->metric_expr);
+--
+2.20.1
+
--- /dev/null
+From 8feea3c664306c02c4168461a0676ad999a769a8 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Mon, 24 Jun 2019 12:37:11 -0700
+Subject: perf stat: Fix metrics with --no-merge
+
+[ Upstream commit e3a9427323a53ceee540276a74af7706f350d052 ]
+
+Since Fixes: 8c5421c016a4 ("perf pmu: Display pmu name when printing
+unmerged events in stat") using --no-merge adds the PMU name to the
+evsel name.
+
+This breaks the metric value lookup because the parser doesn't know
+about this.
+
+Remove the extra postfixes for the metric evaluation.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Agustin Vega-Frias <agustinv@codeaurora.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Fixes: 8c5421c016a4 ("perf pmu: Display pmu name when printing unmerged events in stat")
+Link: http://lkml.kernel.org/r/20190624193711.35241-5-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-shadow.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c
+index e545e2a8ae71..0ef98e991ade 100644
+--- a/tools/perf/util/stat-shadow.c
++++ b/tools/perf/util/stat-shadow.c
+@@ -723,6 +723,7 @@ static void generic_metric(struct perf_stat_config *config,
+ double ratio;
+ int i;
+ void *ctxp = out->ctx;
++ char *n, *pn;
+
+ expr__ctx_init(&pctx);
+ expr__add_id(&pctx, name, avg);
+@@ -742,7 +743,19 @@ static void generic_metric(struct perf_stat_config *config,
+ stats = &v->stats;
+ scale = 1.0;
+ }
+- expr__add_id(&pctx, metric_events[i]->name, avg_stats(stats)*scale);
++
++ n = strdup(metric_events[i]->name);
++ if (!n)
++ return;
++ /*
++ * This display code with --no-merge adds [cpu] postfixes.
++ * These are not supported by the parser. Remove everything
++ * after the space.
++ */
++ pn = strchr(n, ' ');
++ if (pn)
++ *pn = 0;
++ expr__add_id(&pctx, n, avg_stats(stats)*scale);
+ }
+ if (!metric_events[i]) {
+ const char *p = metric_expr;
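Review bot: The `if (!n) return;` after strdup() leaves generic_metric() without reaching the free loop added at the end of the function, so names duplicated on earlier iterations are leaked on that path. Jumping to the cleanup instead keeps ownership in one place: `if (!n) goto out;` with an `out:` label placed just before `for (i = 1; i < pctx.num_ids; i++)` in the last hunk. That loop starts at index 1 on the assumption that ids[0] is the caller's `name` and every later entry is a strdup() copy. If expr__add_id() can decline to store an id (its body is not visible here), `n` would leak as well, so a one-line comment stating the ownership rule would help.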
+@@ -759,6 +772,9 @@ static void generic_metric(struct perf_stat_config *config,
+ (metric_name ? metric_name : name) : "", 0);
+ } else
+ print_metric(config, ctxp, NULL, NULL, "", 0);
++
++ for (i = 1; i < pctx.num_ids; i++)
++ free((void *)pctx.ids[i].name);
+ }
+
+ void perf_stat__print_shadow_stats(struct perf_stat_config *config,
+--
+2.20.1
+
--- /dev/null
+From dd448a65cd52a52d54302de706f4f864e6363e9d Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Mon, 24 Jun 2019 12:37:08 -0700
+Subject: perf stat: Make metric event lookup more robust
+
+[ Upstream commit 145c407c808352acd625be793396fd4f33c794f8 ]
+
+After setting up metric groups through the event parser, the metricgroup
+code looks them up again in the event list.
+
+Make sure we only look up events that haven't been used by some other
+metric. The data structures currently cannot handle more than one metric
+per event. This avoids problems with multiple events partially
+overlapping.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Link: http://lkml.kernel.org/r/20190624193711.35241-2-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-shadow.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c
+index 83d8094be4fe..e545e2a8ae71 100644
+--- a/tools/perf/util/stat-shadow.c
++++ b/tools/perf/util/stat-shadow.c
+@@ -303,7 +303,7 @@ static struct perf_evsel *perf_stat__find_event(struct perf_evlist *evsel_list,
+ struct perf_evsel *c2;
+
+ evlist__for_each_entry (evsel_list, c2) {
+- if (!strcasecmp(c2->name, name))
++ if (!strcasecmp(c2->name, name) && !c2->collect_stat)
+ return c2;
+ }
+ return NULL;
+@@ -342,7 +342,8 @@ void perf_stat__collect_metric_expr(struct perf_evlist *evsel_list)
+ if (leader) {
+ /* Search in group */
+ for_each_group_member (oc, leader) {
+- if (!strcasecmp(oc->name, metric_names[i])) {
++ if (!strcasecmp(oc->name, metric_names[i]) &&
++ !oc->collect_stat) {
+ found = true;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 162af4badceed79c9e6435320eda877c4330d01f Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Tue, 4 Jun 2019 07:35:04 +0200
+Subject: perf test 6: Fix missing kvm module load for s390
+
+[ Upstream commit 53fe307dfd309e425b171f6272d64296a54f4dff ]
+
+Command
+
+ # perf test -Fv 6
+
+fails with error
+
+ running test 100 'kvm-s390:kvm_s390_create_vm' failed to parse
+ event 'kvm-s390:kvm_s390_create_vm', err -1, str 'unknown tracepoint'
+ event syntax error: 'kvm-s390:kvm_s390_create_vm'
+ \___ unknown tracepoint
+
+when the kvm module is not loaded or not built in.
+
+Fix this by adding a valid function which tests if the module
+is loaded. Loaded modules (or builtin KVM support) have a
+directory named
+ /sys/kernel/debug/tracing/events/kvm-s390
+for this tracepoint.
+
+Check for existence of this directory.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/20190604053504.43073-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/parse-events.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/perf/tests/parse-events.c b/tools/perf/tests/parse-events.c
+index 4a69c07f4101..8f3c80e13584 100644
+--- a/tools/perf/tests/parse-events.c
++++ b/tools/perf/tests/parse-events.c
+@@ -18,6 +18,32 @@
+ #define PERF_TP_SAMPLE_TYPE (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | \
+ PERF_SAMPLE_CPU | PERF_SAMPLE_PERIOD)
+
++#if defined(__s390x__)
++/* Return true if kvm module is available and loaded. Test this
++ * and retun success when trace point kvm_s390_create_vm
++ * exists. Otherwise this test always fails.
++ */
++static bool kvm_s390_create_vm_valid(void)
++{
++ char *eventfile;
++ bool rc = false;
++
++ eventfile = get_events_file("kvm-s390");
++
++ if (eventfile) {
++ DIR *mydir = opendir(eventfile);
++
++ if (mydir) {
++ rc = true;
++ closedir(mydir);
++ }
++ put_events_file(eventfile);
++ }
++
++ return rc;
++}
++#endif
++
+ static int test__checkevent_tracepoint(struct perf_evlist *evlist)
+ {
+ struct perf_evsel *evsel = perf_evlist__first(evlist);
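Review bot: The comment on kvm_s390_create_vm_valid() says it reports whether the kvm module is loaded, but the code only checks that opendir() succeeds on the kvm-s390 events directory, so a permission failure on the tracing directory looks the same as a missing module. I would reword it (and fix "retun"): `/* Return true when the kvm-s390 tracepoint directory can be opened, i.e. KVM support is present and the events directory is readable. */`. The function also uses DIR, opendir() and closedir(), and this hunk adds no `#include <dirent.h>`; whether the file already includes it is not visible here.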
+@@ -1642,6 +1668,7 @@ static struct evlist_test test__events[] = {
+ {
+ .name = "kvm-s390:kvm_s390_create_vm",
+ .check = test__checkevent_tracepoint,
++ .valid = kvm_s390_create_vm_valid,
+ .id = 100,
+ },
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 2e6ef064c6815005c4276e6d1393a851de55ea3c Mon Sep 17 00:00:00 2001
+From: Seeteena Thoufeek <s1seetee@linux.vnet.ibm.com>
+Date: Thu, 27 Jun 2019 15:46:54 +0530
+Subject: perf tests: Fix record+probe_libc_inet_pton.sh for powerpc64
+
+[ Upstream commit bff5a556c149804de29347a88a884d25e4e4e3a2 ]
+
+'probe libc's inet_pton & backtrace it with ping' testcase sometimes
+fails on powerpc because distro ping binary does not have symbol
+information and thus it prints "[unknown]" function name in the
+backtrace.
+
+Accept "[unknown]" as valid function name for powerpc as well.
+
+ # perf test -v "probe libc's inet_pton & backtrace it with ping"
+
+Before:
+
+ 59: probe libc's inet_pton & backtrace it with ping :
+ --- start ---
+ test child forked, pid 79695
+ ping 79718 [077] 96483.787025: probe_libc:inet_pton: (7fff83a754c8)
+ 7fff83a754c8 __GI___inet_pton+0x8 (/usr/lib64/power9/libc-2.28.so)
+ 7fff83a2b7a0 gaih_inet.constprop.7+0x1020
+ (/usr/lib64/power9/libc-2.28.so)
+ 7fff83a2c170 getaddrinfo+0x160 (/usr/lib64/power9/libc-2.28.so)
+ 1171830f4 [unknown] (/usr/bin/ping)
+ FAIL: expected backtrace entry
+ ".*\+0x[[:xdigit:]]+[[:space:]]\(.*/bin/ping.*\)$"
+ got "1171830f4 [unknown] (/usr/bin/ping)"
+ test child finished with -1
+ ---- end ----
+ probe libc's inet_pton & backtrace it with ping: FAILED!
+
+After:
+
+ 59: probe libc's inet_pton & backtrace it with ping :
+ --- start ---
+ test child forked, pid 79085
+ ping 79108 [045] 96400.214177: probe_libc:inet_pton: (7fffbb9654c8)
+ 7fffbb9654c8 __GI___inet_pton+0x8 (/usr/lib64/power9/libc-2.28.so)
+ 7fffbb91b7a0 gaih_inet.constprop.7+0x1020
+ (/usr/lib64/power9/libc-2.28.so)
+ 7fffbb91c170 getaddrinfo+0x160 (/usr/lib64/power9/libc-2.28.so)
+ 132e830f4 [unknown] (/usr/bin/ping)
+ test child finished with 0
+ ---- end ----
+ probe libc's inet_pton & backtrace it with ping: Ok
+
+Signed-off-by: Seeteena Thoufeek <s1seetee@linux.vnet.ibm.com>
+Reviewed-by: Kim Phillips <kim.phillips@amd.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Michael Petlan <mpetlan@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sandipan Das <sandipan@linux.ibm.com>
+Fixes: 1632936480a5 ("perf tests: Fix record+probe_libc_inet_pton.sh without ping's debuginfo")
+Link: http://lkml.kernel.org/r/1561630614-3216-1-git-send-email-s1seetee@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/shell/record+probe_libc_inet_pton.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/shell/record+probe_libc_inet_pton.sh b/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
+index 61c9f8fc6fa1..58a99a292930 100755
+--- a/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
++++ b/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
+@@ -44,7 +44,7 @@ trace_libc_inet_pton_backtrace() {
+ eventattr='max-stack=4'
+ echo "gaih_inet.*\+0x[[:xdigit:]]+[[:space:]]\($libc\)$" >> $expected
+ echo "getaddrinfo\+0x[[:xdigit:]]+[[:space:]]\($libc\)$" >> $expected
+- echo ".*\+0x[[:xdigit:]]+[[:space:]]\(.*/bin/ping.*\)$" >> $expected
++ echo ".*(\+0x[[:xdigit:]]+|\[unknown\])[[:space:]]\(.*/bin/ping.*\)$" >> $expected
+ ;;
+ *)
+ eventattr='max-stack=3'
+--
+2.20.1
+
--- /dev/null
+From 2be805818e269ef320c0a8518bafc64a2e0e2822 Mon Sep 17 00:00:00 2001
+From: Kyle Meyer <kyle.meyer@hpe.com>
+Date: Thu, 20 Jun 2019 14:36:30 -0500
+Subject: perf tools: Increase MAX_NR_CPUS and MAX_CACHES
+
+[ Upstream commit 9f94c7f947e919c343b30f080285af53d0fa9902 ]
+
+Attempting to profile 1024 or more CPUs with perf causes two errors:
+
+ perf record -a
+ [ perf record: Woken up X times to write data ]
+ way too many cpu caches..
+ [ perf record: Captured and wrote X MB perf.data (X samples) ]
+
+ perf report -C 1024
+ Error: failed to set cpu bitmap
+ Requested CPU 1024 too large. Consider raising MAX_NR_CPUS
+
+ Increasing MAX_NR_CPUS from 1024 to 2048 and redefining MAX_CACHES as
+ MAX_NR_CPUS * 4 returns normal functionality to perf:
+
+ perf record -a
+ [ perf record: Woken up X times to write data ]
+ [ perf record: Captured and wrote X MB perf.data (X samples) ]
+
+ perf report -C 1024
+ ...
+
+Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20190620193630.154025-1-meyerk@stormcage.eag.rdlabs.hpecorp.net
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/perf.h | 2 +-
+ tools/perf/util/header.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/perf.h b/tools/perf/perf.h
+index d59dee61b64d..a26555baf692 100644
+--- a/tools/perf/perf.h
++++ b/tools/perf/perf.h
+@@ -26,7 +26,7 @@ static inline unsigned long long rdclock(void)
+ }
+
+ #ifndef MAX_NR_CPUS
+-#define MAX_NR_CPUS 1024
++#define MAX_NR_CPUS 2048
+ #endif
+
+ extern const char *input_name;
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index fb0aa661644b..b82d4577d969 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -1100,7 +1100,7 @@ static int build_caches(struct cpu_cache_level caches[], u32 size, u32 *cntp)
+ return 0;
+ }
+
+-#define MAX_CACHES 2000
++#define MAX_CACHES (MAX_NR_CPUS * 4)
+
+ static int write_cache(struct feat_fd *ff,
+ struct perf_evlist *evlist __maybe_unused)
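Review bot: `MAX_CACHES` now expands to `MAX_NR_CPUS * 4`, which is 8192 with the new default and larger still when MAX_NR_CPUS is overridden through the `#ifndef` in perf.h. If write_cache() (its body is outside the hunk) sizes a local array with this constant, the stack footprint grows about fourfold; that use should be checked and moved to heap allocation if so. A comment on the define would also record where the factor comes from, e.g. `/* assumes at most 4 cache entries per CPU */`; the reason for 4 is not stated in the commit and should be confirmed.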
+--
+2.20.1
+
--- /dev/null
+From eadab15515db210dabed3061ea2cd1878f970700 Mon Sep 17 00:00:00 2001
+From: Rajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
+Date: Fri, 14 Jun 2019 13:47:01 +0530
+Subject: perf/x86: Add Intel Ice Lake NNPI uncore support
+
+[ Upstream commit 5f4318c1b1d23a9290e4def78ee76017c288bf60 ]
+
+Intel Ice Lake uncore support already included IMC PCI ID but ICL-NNPI
+CPUID is missing so add it to fix the probe function.
+
+Fixes: e39875d15ad6 ("perf/x86: add Intel Icelake uncore support")
+Signed-off-by: Rajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: alexander.shishkin@linux.intel.com
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Linux PM <linux-pm@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190614081701.13828-1-rajneesh.bhardwaj@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
+index 9e3fbd47cb56..089bfcdf2f7f 100644
+--- a/arch/x86/events/intel/uncore.c
++++ b/arch/x86/events/intel/uncore.c
+@@ -1400,6 +1400,7 @@ static const struct x86_cpu_id intel_uncore_match[] __initconst = {
+ X86_UNCORE_MODEL_MATCH(INTEL_FAM6_KABYLAKE_MOBILE, skl_uncore_init),
+ X86_UNCORE_MODEL_MATCH(INTEL_FAM6_KABYLAKE_DESKTOP, skl_uncore_init),
+ X86_UNCORE_MODEL_MATCH(INTEL_FAM6_ICELAKE_MOBILE, icl_uncore_init),
++ X86_UNCORE_MODEL_MATCH(INTEL_FAM6_ICELAKE_NNPI, icl_uncore_init),
+ {},
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 7974bdbf97ae12b99d51cc4b6aba32a45165d964 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 3 Jun 2019 06:41:21 -0700
+Subject: perf/x86/intel: Add more Icelake CPUIDs
+
+[ Upstream commit faaeff98666c24376cebd0b106504d05a36881d1 ]
+
+Add new model number for Icelake desktop and server to perf.
+
+The data source encoding for Icelake server is the same as Skylake
+server.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: qiuxu.zhuo@intel.com
+Cc: rui.zhang@intel.com
+Cc: tony.luck@intel.com
+Link: https://lkml.kernel.org/r/20190603134122.13853-2-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/core.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index a5436cee20b1..b6cae65aa7ef 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -4439,6 +4439,7 @@ __init int intel_pmu_init(void)
+ struct event_constraint *c;
+ unsigned int unused;
+ struct extra_reg *er;
++ bool pmem = false;
+ int version, i;
+ char *name;
+
+@@ -4890,9 +4891,10 @@ __init int intel_pmu_init(void)
+ name = "knights-landing";
+ break;
+
++ case INTEL_FAM6_SKYLAKE_X:
++ pmem = true;
+ case INTEL_FAM6_SKYLAKE_MOBILE:
+ case INTEL_FAM6_SKYLAKE_DESKTOP:
+- case INTEL_FAM6_SKYLAKE_X:
+ case INTEL_FAM6_KABYLAKE_MOBILE:
+ case INTEL_FAM6_KABYLAKE_DESKTOP:
+ x86_add_quirk(intel_pebs_isolation_quirk);
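Review bot: The new `case INTEL_FAM6_SKYLAKE_X:` arm sets `pmem = true;` and then drops into the `INTEL_FAM6_SKYLAKE_MOBILE` label with no marker, so the fall-through reads like a forgotten `break` and would warn under `-Wimplicit-fallthrough`. Add `/* fall through */` after `pmem = true;` here, and after the same assignment under `case INTEL_FAM6_ICELAKE_XEON_D:` in the later hunk of this patch. intel_pmu_init() begins and ends outside these hunks.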
+@@ -4925,8 +4927,7 @@ __init int intel_pmu_init(void)
+ x86_pmu.cpu_events = hsw_events_attrs;
+ mem_attr = hsw_mem_events_attrs;
+ tsx_attr = hsw_tsx_events_attrs;
+- intel_pmu_pebs_data_source_skl(
+- boot_cpu_data.x86_model == INTEL_FAM6_SKYLAKE_X);
++ intel_pmu_pebs_data_source_skl(pmem);
+
+ if (boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT)) {
+ x86_pmu.flags |= PMU_FL_TFA;
+@@ -4940,7 +4941,11 @@ __init int intel_pmu_init(void)
+ name = "skylake";
+ break;
+
++ case INTEL_FAM6_ICELAKE_X:
++ case INTEL_FAM6_ICELAKE_XEON_D:
++ pmem = true;
+ case INTEL_FAM6_ICELAKE_MOBILE:
++ case INTEL_FAM6_ICELAKE_DESKTOP:
+ x86_pmu.late_ack = true;
+ memcpy(hw_cache_event_ids, skl_hw_cache_event_ids, sizeof(hw_cache_event_ids));
+ memcpy(hw_cache_extra_regs, skl_hw_cache_extra_regs, sizeof(hw_cache_extra_regs));
+@@ -4963,7 +4968,7 @@ __init int intel_pmu_init(void)
+ x86_pmu.cpu_events = get_icl_events_attrs();
+ x86_pmu.rtm_abort_event = X86_CONFIG(.event=0xca, .umask=0x02);
+ x86_pmu.lbr_pt_coexist = true;
+- intel_pmu_pebs_data_source_skl(false);
++ intel_pmu_pebs_data_source_skl(pmem);
+ pr_cont("Icelake events, ");
+ name = "icelake";
+ break;
+--
+2.20.1
+
--- /dev/null
+From 5c70c55ec976ebfe64d70ff42b6c65fcf8adf9a1 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Sun, 16 Jun 2019 16:13:13 +0200
+Subject: perf/x86/intel: Disable check_msr for real HW
+
+[ Upstream commit d0e1a507bdc761a14906f03399d933ea639a1756 ]
+
+Tom Vaden reported false failure of the check_msr() function, because
+some servers can do POST tracing and enable LBR tracing during
+bootup.
+
+Kan confirmed that check_msr patch was to fix a bug report in
+guest, so it's ok to disable it for real HW.
+
+Reported-by: Tom Vaden <tom.vaden@hpe.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Tom Vaden <tom.vaden@hpe.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Liang Kan <kan.liang@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190616141313.GD2500@krava
+[ Readability edits. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index b6cae65aa7ef..f0c14665893b 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -20,6 +20,7 @@
+ #include <asm/intel-family.h>
+ #include <asm/apic.h>
+ #include <asm/cpu_device_id.h>
++#include <asm/hypervisor.h>
+
+ #include "../perf_event.h"
+
+@@ -4054,6 +4055,13 @@ static bool check_msr(unsigned long msr, u64 mask)
+ {
+ u64 val_old, val_new, val_tmp;
+
++ /*
++ * Disable the check for real HW, so we don't
++ * mess with potentionaly enabled registers:
++ */
++ if (hypervisor_is_type(X86_HYPER_NATIVE))
++ return true;
++
+ /*
+ * Read the current value, change it and read it back to see if it
+ * matches, this is needed to detect certain hardware emulators
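Review bot: The early `return true` relies on `hypervisor_is_type(X86_HYPER_NATIVE)` being false in every guest, yet the comment right below it says the probe exists to detect emulators that do not trap the MSR access. A guest whose hypervisor is not recognised, or does not advertise itself, would presumably be classified as native and skip the probe; the detection code is not visible here, so this needs confirming. The added comment should state that limit, and `potentionaly` should read `potentially`, e.g. `/* Skip the probe on bare metal so MSRs enabled by firmware (e.g. LBR during POST) are left alone; guests not detected as virtualised also take this path. */`. check_msr() continues outside the hunk.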
+--
+2.20.1
+
--- /dev/null
+From f8848b0b1992f9504af25c1c00ab85573d112743 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 30 Apr 2019 17:53:43 -0700
+Subject: perf/x86/intel/uncore: Handle invalid event coding for free-running
+ counter
+
+[ Upstream commit 543ac280b3576c0009e8c0fcd4d6bfc9978d7bd0 ]
+
+Counting with invalid event coding for free-running counter may cause
+OOPs, e.g. uncore_iio_free_running_0/event=1/.
+
+Current code only validate the event with free-running event format,
+event=0xff,umask=0xXY. Non-free-running event format never be checked
+for the PMU with free-running counters.
+
+Add generic hw_config() to check and reject the invalid event coding
+for free-running PMU.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: acme@kernel.org
+Cc: eranian@google.com
+Fixes: 0f519f0352e3 ("perf/x86/intel/uncore: Support IIO free-running counters on SKX")
+Link: https://lkml.kernel.org/r/1556672028-119221-2-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore.h | 10 ++++++++++
+ arch/x86/events/intel/uncore_snbep.c | 1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/arch/x86/events/intel/uncore.h b/arch/x86/events/intel/uncore.h
+index 79eb2e21e4f0..28499e39679f 100644
+--- a/arch/x86/events/intel/uncore.h
++++ b/arch/x86/events/intel/uncore.h
+@@ -419,6 +419,16 @@ static inline bool is_freerunning_event(struct perf_event *event)
+ (((cfg >> 8) & 0xff) >= UNCORE_FREERUNNING_UMASK_START);
+ }
+
++/* Check and reject invalid config */
++static inline int uncore_freerunning_hw_config(struct intel_uncore_box *box,
++ struct perf_event *event)
++{
++ if (is_freerunning_event(event))
++ return 0;
++
++ return -EINVAL;
++}
++
+ static inline void uncore_disable_box(struct intel_uncore_box *box)
+ {
+ if (box->pmu->type->ops->disable_box)
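Review bot: The comment `/* Check and reject invalid config */` on uncore_freerunning_hw_config() does not say what counts as valid, although this is the check that keeps a user-supplied encoding such as `event=1` away from the free-running counter code. Spell the contract out, for example `/* Free-running PMUs accept only the free-running encoding (see is_freerunning_event()); anything else gets -EINVAL. */`, and mention that `box` is unused because the signature has to match the `hw_config` callback. The helper only takes effect for an ops table that sets `.hw_config`, as the uncore_snbep.c hunk does for `skx_uncore_iio_freerunning_ops`; any other free-running ops table outside this patch would need the same line.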
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index b10e04387f38..8e4e8e423839 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -3585,6 +3585,7 @@ static struct uncore_event_desc skx_uncore_iio_freerunning_events[] = {
+
+ static struct intel_uncore_ops skx_uncore_iio_freerunning_ops = {
+ .read_counter = uncore_msr_read_counter,
++ .hw_config = uncore_freerunning_hw_config,
+ };
+
+ static struct attribute *skx_uncore_iio_freerunning_formats_attr[] = {
+--
+2.20.1
+
--- /dev/null
+From f0c3f812aca9d6a61f9f312a241d5a6057fdd21b Mon Sep 17 00:00:00 2001
+From: Michal Kalderon <michal.kalderon@marvell.com>
+Date: Thu, 13 Jun 2019 11:29:42 +0300
+Subject: qed: iWARP - Fix tc for MPA ll2 connection
+
+[ Upstream commit cb94d52b93c74fe1f2595734fabeda9f8ae891ee ]
+
+The driver needs to assign a lossless traffic class for the MPA ll2
+connection to ensure no packets are dropped when returning from the
+driver as they will never be re-transmitted by the peer.
+
+Fixes: ae3488ff37dc ("qed: Add ll2 connection for processing unaligned MPA packets")
+Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+index ded556b7bab5..eeea8683d99b 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+@@ -2708,6 +2708,8 @@ qed_iwarp_ll2_start(struct qed_hwfn *p_hwfn,
+ data.input.rx_num_desc = n_ooo_bufs * 2;
+ data.input.tx_num_desc = data.input.rx_num_desc;
+ data.input.tx_max_bds_per_packet = QED_IWARP_MAX_BDS_PER_FPDU;
++ data.input.tx_tc = PKT_LB_TC;
++ data.input.tx_dest = QED_LL2_TX_DEST_LB;
+ data.p_connection_handle = &iwarp_info->ll2_mpa_handle;
+ data.input.secondary_queue = true;
+ data.cbs = &cbs;
+--
+2.20.1
+
--- /dev/null
+From e6a2075d0c4ee80e0134768a33988716c8bb883f Mon Sep 17 00:00:00 2001
+From: Michal Kalderon <michal.kalderon@marvell.com>
+Date: Sun, 26 May 2019 15:22:25 +0300
+Subject: qed: Set the doorbell address correctly
+
+[ Upstream commit 8366d520019f366fabd6c7a13032bdcd837e18d4 ]
+
+In 100g mode the doorbell bar is united for both engines. Set
+the correct offset in the hwfn so that the doorbell returned
+for RoCE is in the affined hwfn.
+
+Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
+Signed-off-by: Denis Bolotin <denis.bolotin@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 29 ++++++++++++++--------
+ drivers/net/ethernet/qlogic/qed/qed_rdma.c | 2 +-
+ 2 files changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index fccdb06fc5c5..8c40739e0d1b 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -3443,6 +3443,7 @@ static void qed_nvm_info_free(struct qed_hwfn *p_hwfn)
+ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn,
+ void __iomem *p_regview,
+ void __iomem *p_doorbells,
++ u64 db_phys_addr,
+ enum qed_pci_personality personality)
+ {
+ struct qed_dev *cdev = p_hwfn->cdev;
+@@ -3451,6 +3452,7 @@ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn,
+ /* Split PCI bars evenly between hwfns */
+ p_hwfn->regview = p_regview;
+ p_hwfn->doorbells = p_doorbells;
++ p_hwfn->db_phys_addr = db_phys_addr;
+
+ if (IS_VF(p_hwfn->cdev))
+ return qed_vf_hw_prepare(p_hwfn);
+@@ -3546,7 +3548,9 @@ int qed_hw_prepare(struct qed_dev *cdev,
+ /* Initialize the first hwfn - will learn number of hwfns */
+ rc = qed_hw_prepare_single(p_hwfn,
+ cdev->regview,
+- cdev->doorbells, personality);
++ cdev->doorbells,
++ cdev->db_phys_addr,
++ personality);
+ if (rc)
+ return rc;
+
+@@ -3555,22 +3559,25 @@ int qed_hw_prepare(struct qed_dev *cdev,
+ /* Initialize the rest of the hwfns */
+ if (cdev->num_hwfns > 1) {
+ void __iomem *p_regview, *p_doorbell;
+- u8 __iomem *addr;
++ u64 db_phys_addr;
++ u32 offset;
+
+ /* adjust bar offset for second engine */
+- addr = cdev->regview +
+- qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt,
+- BAR_ID_0) / 2;
+- p_regview = addr;
++ offset = qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt,
++ BAR_ID_0) / 2;
++ p_regview = cdev->regview + offset;
+
+- addr = cdev->doorbells +
+- qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt,
+- BAR_ID_1) / 2;
+- p_doorbell = addr;
++ offset = qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt,
++ BAR_ID_1) / 2;
++
++ p_doorbell = cdev->doorbells + offset;
++
++ db_phys_addr = cdev->db_phys_addr + offset;
+
+ /* prepare second hw function */
+ rc = qed_hw_prepare_single(&cdev->hwfns[1], p_regview,
+- p_doorbell, personality);
++ p_doorbell, db_phys_addr,
++ personality);
+
+ /* in case of error, need to free the previously
+ * initiliazed hwfn 0.
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+index 7873d6dfd91f..13802b825d65 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+@@ -803,7 +803,7 @@ static int qed_rdma_add_user(void *rdma_cxt,
+ dpi_start_offset +
+ ((out_params->dpi) * p_hwfn->dpi_size));
+
+- out_params->dpi_phys_addr = p_hwfn->cdev->db_phys_addr +
++ out_params->dpi_phys_addr = p_hwfn->db_phys_addr +
+ dpi_start_offset +
+ ((out_params->dpi) * p_hwfn->dpi_size);
+
+--
+2.20.1
+
--- /dev/null
+From 5d365632ffc820a1d3da682ddd106efd6fb82ca9 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Sat, 20 Apr 2019 12:53:05 +0200
+Subject: RAS/CEC: Fix pfn insertion
+
+[ Upstream commit 6d8e294bf5f0e85c34e8b14b064e2965f53f38b0 ]
+
+When inserting random PFNs for debugging the CEC through
+(debugfs)/ras/cec/pfn, depending on the return value of pfn_set(),
+multiple values get inserted per a single write.
+
+That is because simple_attr_write() interprets a retval of 0 as
+success and claims the whole input. However, pfn_set() returns the
+cec_add_elem() value, which, if > 0 and smaller than the whole input
+length, makes glibc continue issuing the write syscall until there's
+input left:
+
+ pfn_set
+ simple_attr_write
+ debugfs_attr_write
+ full_proxy_write
+ vfs_write
+ ksys_write
+ do_syscall_64
+ entry_SYSCALL_64_after_hwframe
+
+leading to those repeated calls.
+
+Return 0 to fix that.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ras/cec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ras/cec.c b/drivers/ras/cec.c
+index 673f8a128397..f5795adc5a6e 100644
+--- a/drivers/ras/cec.c
++++ b/drivers/ras/cec.c
+@@ -369,7 +369,9 @@ static int pfn_set(void *data, u64 val)
+ {
+ *(u64 *)data = val;
+
+- return cec_add_elem(val);
++ cec_add_elem(val);
++
++ return 0;
+ }
+
+ DEFINE_DEBUGFS_ATTRIBUTE(pfn_ops, u64_get, pfn_set, "0x%llx\n");
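Review bot: pfn_set() now discards the result of `cec_add_elem(val)` entirely, so a failed insertion is reported to the writer as a successful write. Only positive return values cause the repeated writes described in the commit message. If cec_add_elem() can also return a negative errno (its body is not visible here), that value should still be passed on: `int ret = cec_add_elem(val);` followed by `return ret < 0 ? ret : 0;`.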
+--
+2.20.1
+
--- /dev/null
+From 9cdb3172f81b0ff1d2d15b0ba56b763ac68b3708 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Tue, 21 May 2019 16:48:43 -0400
+Subject: rcu: Force inlining of rcu_read_lock()
+
+[ Upstream commit 6da9f775175e516fc7229ceaa9b54f8f56aa7924 ]
+
+When debugging options are turned on, the rcu_read_lock() function
+might not be inlined. This results in lockdep's print_lock() function
+printing "rcu_read_lock+0x0/0x70" instead of rcu_read_lock()'s caller.
+For example:
+
+[ 10.579995] =============================
+[ 10.584033] WARNING: suspicious RCU usage
+[ 10.588074] 4.18.0.memcg_v2+ #1 Not tainted
+[ 10.593162] -----------------------------
+[ 10.597203] include/linux/rcupdate.h:281 Illegal context switch in
+RCU read-side critical section!
+[ 10.606220]
+[ 10.606220] other info that might help us debug this:
+[ 10.606220]
+[ 10.614280]
+[ 10.614280] rcu_scheduler_active = 2, debug_locks = 1
+[ 10.620853] 3 locks held by systemd/1:
+[ 10.624632] #0: (____ptrval____) (&type->i_mutex_dir_key#5){.+.+}, at: lookup_slow+0x42/0x70
+[ 10.633232] #1: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+[ 10.640954] #2: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+
+These "rcu_read_lock+0x0/0x70" strings are not providing any useful
+information. This commit therefore forces inlining of the rcu_read_lock()
+function so that rcu_read_lock()'s caller is instead shown.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rcupdate.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index b25d20822e75..3508f4508a11 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -586,7 +586,7 @@ static inline void rcu_preempt_sleep_check(void) { }
+ * read-side critical sections may be preempted and they may also block, but
+ * only when acquiring spinlocks that are subject to priority inheritance.
+ */
+-static inline void rcu_read_lock(void)
++static __always_inline void rcu_read_lock(void)
+ {
+ __rcu_read_lock();
+ __acquire(RCU);
+--
+2.20.1
+
--- /dev/null
+From 805823959849b2be7576a5d55561e0a4924a0adb Mon Sep 17 00:00:00 2001
+From: Daniel Baluta <daniel.baluta@nxp.com>
+Date: Fri, 17 May 2019 13:23:49 +0000
+Subject: regmap: debugfs: Fix memory leak in regmap_debugfs_init
+
+[ Upstream commit 2899872b627e99b7586fe3b6c9f861da1b4d5072 ]
+
+As detected by kmemleak running on i.MX6ULL board:
+
+nreferenced object 0xd8366600 (size 64):
+ comm "swapper/0", pid 1, jiffies 4294937370 (age 933.220s)
+ hex dump (first 32 bytes):
+ 64 75 6d 6d 79 2d 69 6f 6d 75 78 63 2d 67 70 72 dummy-iomuxc-gpr
+ 40 32 30 65 34 30 30 30 00 e3 f3 ab fe d1 1b dd @20e4000........
+ backtrace:
+ [<b0402aec>] kasprintf+0x2c/0x54
+ [<a6fbad2c>] regmap_debugfs_init+0x7c/0x31c
+ [<9c8d91fa>] __regmap_init+0xb5c/0xcf4
+ [<5b1c3d2a>] of_syscon_register+0x164/0x2c4
+ [<596a5d80>] syscon_node_to_regmap+0x64/0x90
+ [<49bd597b>] imx6ul_init_machine+0x34/0xa0
+ [<250a4dac>] customize_machine+0x1c/0x30
+ [<2d19fdaf>] do_one_initcall+0x7c/0x398
+ [<e6084469>] kernel_init_freeable+0x328/0x448
+ [<168c9101>] kernel_init+0x8/0x114
+ [<913268aa>] ret_from_fork+0x14/0x20
+ [<ce7b131a>] 0x0
+
+Root cause is that map->debugfs_name is allocated using kasprintf
+and then the pointer is lost by assigning it other memory address.
+
+Reported-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-debugfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
+index 263f82516ff4..e5e1b3a01b1a 100644
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -579,6 +579,8 @@ void regmap_debugfs_init(struct regmap *map, const char *name)
+ }
+
+ if (!strcmp(name, "dummy")) {
++ kfree(map->debugfs_name);
++
+ map->debugfs_name = kasprintf(GFP_KERNEL, "dummy%d",
+ dummy_index);
+ name = map->debugfs_name;
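Review bot: The result of `kasprintf()` is stored in `map->debugfs_name` and copied to `name` without a NULL check, so an allocation failure leaves `name` NULL for whatever uses it after this block. The added `kfree()` closes the leak but not this path. Since regmap_debugfs_init() returns void, `if (!map->debugfs_name) return;` directly after the assignment would be enough. The code that consumes `name` is outside the hunk, so whether it tolerates NULL cannot be confirmed from here.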
+--
+2.20.1
+
--- /dev/null
+From 013ecfde2693c6566474c419220c6fa2c4a916ed Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Wed, 12 Jun 2019 12:03:43 +0100
+Subject: regmap: fix bulk writes on paged registers
+
+[ Upstream commit db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b ]
+
+On buses like SlimBus and SoundWire which does not support
+gather_writes yet in regmap, A bulk write on paged register
+would be silently ignored after programming page.
+This is because local variable 'ret' value in regmap_raw_write_impl()
+gets reset to 0 once page register is written successfully and the
+code below checks for 'ret' value to be -ENOTSUPP before linearising
+the write buffer to send to bus->write().
+
+Fix this by resetting the 'ret' value to -ENOTSUPP in cases where
+gather_writes() is not supported or single register write is
+not possible.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index f1025452bb39..19f57ccfbe1d 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1637,6 +1637,8 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg,
+ map->format.reg_bytes +
+ map->format.pad_bytes,
+ val, val_len);
++ else
++ ret = -ENOTSUPP;
+
+ /* If that didn't work fall back on linearising by hand. */
+ if (ret == -ENOTSUPP) {
+--
+2.20.1
+
--- /dev/null
+From dd70636db6268053602788245af437244ac540e1 Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Date: Thu, 20 Jun 2019 17:10:34 +0300
+Subject: rslib: Fix decoding of shortened codes
+
+[ Upstream commit 2034a42d1747fc1e1eeef2c6f1789c4d0762cb9c ]
+
+The decoding of shortenend codes is broken. It only works as expected if
+there are no erasures.
+
+When decoding with erasures, Lambda (the error and erasure locator
+polynomial) is initialized from the given erasure positions. The pad
+parameter is not accounted for by the initialisation code, and hence
+Lambda is initialized from incorrect erasure positions.
+
+The fix is to adjust the erasure positions by the supplied pad.
+
+Signed-off-by: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190620141039.9874-3-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/reed_solomon/decode_rs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 1db74eb098d0..3313bf944ff1 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -99,9 +99,9 @@
+ if (no_eras > 0) {
+ /* Init lambda to be the erasure locator polynomial */
+ lambda[1] = alpha_to[rs_modnn(rs,
+- prim * (nn - 1 - eras_pos[0]))];
++ prim * (nn - 1 - (eras_pos[0] + pad)))];
+ for (i = 1; i < no_eras; i++) {
+- u = rs_modnn(rs, prim * (nn - 1 - eras_pos[i]));
++ u = rs_modnn(rs, prim * (nn - 1 - (eras_pos[i] + pad)));
+ for (j = i + 1; j > 0; j--) {
+ tmp = index_of[lambda[j - 1]];
+ if (tmp != nn) {
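Review bot: `eras_pos[0] + pad` and `eras_pos[i] + pad` are used without a range check, so an erasure position outside the shortened codeword makes `nn - 1 - (eras_pos[i] + pad)` negative before it reaches `rs_modnn()` and the `alpha_to[]` lookup. The next patch to this file shows `pad` being validated with `BUG_ON(pad < 0 || pad >= nn)`, but nothing visible validates the caller-supplied positions. A guard ahead of this block, such as `if (eras_pos[i] < 0 || eras_pos[i] >= nn - pad)` with an error return, would close that. Whether rs_modnn() reduces negative inputs is not visible here, so treat the out-of-bounds index as something to confirm; the enclosing decoder body starts and ends outside the hunk.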
+--
+2.20.1
+
--- /dev/null
+From 12a0c85e10b5d28f64324faf9773e293bb02e81e Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Date: Thu, 20 Jun 2019 17:10:37 +0300
+Subject: rslib: Fix handling of of caller provided syndrome
+
+[ Upstream commit ef4d6a8556b637ad27c8c2a2cff1dda3da38e9a9 ]
+
+Check if the syndrome provided by the caller is zero, and act
+accordingly.
+
+Signed-off-by: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190620141039.9874-6-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/reed_solomon/decode_rs.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 3313bf944ff1..121beb2f0930 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -42,8 +42,18 @@
+ BUG_ON(pad < 0 || pad >= nn);
+
+ /* Does the caller provide the syndrome ? */
+- if (s != NULL)
+- goto decode;
++ if (s != NULL) {
++ for (i = 0; i < nroots; i++) {
++ /* The syndrome is in index form,
++ * so nn represents zero
++ */
++ if (s[i] != nn)
++ goto decode;
++ }
++
++ /* syndrome is zero, no errors to correct */
++ return 0;
++ }
+
+ /* form the syndromes; i.e., evaluate data(x) at roots of
+ * g(x) */
+--
+2.20.1
+
--- /dev/null
+From 7d6d6ecf596b0f1772df5baaaced02fb5b46baf1 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Wed, 29 May 2019 14:57:30 +0800
+Subject: rtlwifi: rtl8192cu: fix error handle when usb probe failed
+
+[ Upstream commit 6c0ed66f1a5b84e2a812c7c2d6571a5621bf3396 ]
+
+rtl_usb_probe() must do error handle rtl_deinit_core() only if
+rtl_init_core() is done, otherwise goto error_out2.
+
+| usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
+| rtl_usb: reg 0xf0, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
+| rtl8192cu: Chip version 0x10
+| rtl_usb: reg 0xa, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
+| rtl_usb: Too few input end points found
+| INFO: trying to register non-static key.
+| the code is fine but needs lockdep annotation.
+| turning off the locking correctness validator.
+| CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
+| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+| Google 01/01/2011
+| Workqueue: usb_hub_wq hub_event
+| Call Trace:
+| __dump_stack lib/dump_stack.c:77 [inline]
+| dump_stack+0xe8/0x16e lib/dump_stack.c:113
+| assign_lock_key kernel/locking/lockdep.c:786 [inline]
+| register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
+| __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
+| lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
+| __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+| _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
+| rtl_c2hcmd_launcher+0xd1/0x390
+| drivers/net/wireless/realtek/rtlwifi/base.c:2344
+| rtl_deinit_core+0x25/0x2d0 drivers/net/wireless/realtek/rtlwifi/base.c:574
+| rtl_usb_probe.cold+0x861/0xa70
+| drivers/net/wireless/realtek/rtlwifi/usb.c:1093
+| usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
+| really_probe+0x2da/0xb10 drivers/base/dd.c:509
+| driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
+| __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
+| bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
+| __device_attach+0x223/0x3a0 drivers/base/dd.c:844
+| bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
+| device_add+0xad2/0x16e0 drivers/base/core.c:2106
+| usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
+| generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
+| usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
+| really_probe+0x2da/0xb10 drivers/base/dd.c:509
+| driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
+| __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
+| bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
+| __device_attach+0x223/0x3a0 drivers/base/dd.c:844
+| bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
+| device_add+0xad2/0x16e0 drivers/base/core.c:2106
+| usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
+| hub_port_connect drivers/usb/core/hub.c:5089 [inline]
+| hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
+| port_event drivers/usb/core/hub.c:5350 [inline]
+| hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
+| process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
+| worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
+| kthread+0x313/0x420 kernel/kthread.c:253
+| ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+
+Reported-by: syzbot+1fcc5ef45175fc774231@syzkaller.appspotmail.com
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index e24fda5e9087..34d68dbf4b4c 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1064,13 +1064,13 @@ int rtl_usb_probe(struct usb_interface *intf,
+ rtlpriv->cfg->ops->read_eeprom_info(hw);
+ err = _rtl_usb_init(hw);
+ if (err)
+- goto error_out;
++ goto error_out2;
+ rtl_usb_init_sw(hw);
+ /* Init mac80211 sw */
+ err = rtl_init_core(hw);
+ if (err) {
+ pr_err("Can't allocate sw for mac80211\n");
+- goto error_out;
++ goto error_out2;
+ }
+ if (rtlpriv->cfg->ops->init_sw_vars(hw)) {
+ pr_err("Can't init_sw_vars\n");
+@@ -1091,6 +1091,7 @@ int rtl_usb_probe(struct usb_interface *intf,
+
+ error_out:
+ rtl_deinit_core(hw);
++error_out2:
+ _rtl_usb_io_handler_release(hw);
+ usb_put_dev(udev);
+ complete(&rtlpriv->firmware_loading_complete);
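Review bot: The label pair `error_out` / `error_out2` does not say what each stage undoes, which makes it easy to jump to a label that runs `rtl_deinit_core()` before `rtl_init_core()` has succeeded, the case this patch fixes. Names that describe the unwind step, e.g. `err_deinit_core:` and `err_release_io:`, with the two gotos in the previous hunk changed to `goto err_release_io;`, make a mismatch visible at the jump site. rtl_usb_probe() starts and ends outside both hunks, so other jumps to `error_out` cannot be checked from here.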
+--
+2.20.1
+
--- /dev/null
+From 12bde01db14492655b6da14988fea174874196b1 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 2 Jul 2019 16:04:19 +0100
+Subject: rxrpc: Fix oops in tracepoint
+
+[ Upstream commit 99f0eae653b2db64917d0b58099eb51e300b311d ]
+
+If the rxrpc_eproto tracepoint is enabled, an oops will be cause by the
+trace line that rxrpc_extract_header() tries to emit when a protocol error
+occurs (typically because the packet is short) because the call argument is
+NULL.
+
+Fix this by using ?: to assume 0 as the debug_id if call is NULL.
+
+This can then be induced by:
+
+ echo -e '\0\0\0\0\0\0\0\0' | ncat -4u --send-only <addr> 20001
+
+where addr has the following program running on it:
+
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
+ #include <sys/socket.h>
+ #include <arpa/inet.h>
+ #include <linux/rxrpc.h>
+ int main(void)
+ {
+ struct sockaddr_rxrpc srx;
+ int fd;
+ memset(&srx, 0, sizeof(srx));
+ srx.srx_family = AF_RXRPC;
+ srx.srx_service = 0;
+ srx.transport_type = AF_INET;
+ srx.transport_len = sizeof(srx.transport.sin);
+ srx.transport.sin.sin_family = AF_INET;
+ srx.transport.sin.sin_port = htons(0x4e21);
+ fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET6);
+ bind(fd, (struct sockaddr *)&srx, sizeof(srx));
+ sleep(20);
+ return 0;
+ }
+
+It results in the following oops.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000340
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ ...
+ RIP: 0010:trace_event_raw_event_rxrpc_rx_eproto+0x47/0xac
+ ...
+ Call Trace:
+ <IRQ>
+ rxrpc_extract_header+0x86/0x171
+ ? rcu_read_lock_sched_held+0x5d/0x63
+ ? rxrpc_new_skb+0xd4/0x109
+ rxrpc_input_packet+0xef/0x14fc
+ ? rxrpc_input_data+0x986/0x986
+ udp_queue_rcv_one_skb+0xbf/0x3d0
+ udp_unicast_rcv_skb.isra.8+0x64/0x71
+ ip_protocol_deliver_rcu+0xe4/0x1b4
+ ip_local_deliver+0xf0/0x154
+ __netif_receive_skb_one_core+0x50/0x6c
+ netif_receive_skb_internal+0x26b/0x2e9
+ napi_gro_receive+0xf8/0x1da
+ rtl8169_poll+0x303/0x4c4
+ net_rx_action+0x10e/0x333
+ __do_softirq+0x1a5/0x38f
+ irq_exit+0x54/0xc4
+ do_IRQ+0xda/0xf8
+ common_interrupt+0xf/0xf
+ </IRQ>
+ ...
+ ? cpuidle_enter_state+0x23c/0x34d
+ cpuidle_enter+0x2a/0x36
+ do_idle+0x163/0x1ea
+ cpu_startup_entry+0x1d/0x1f
+ start_secondary+0x157/0x172
+ secondary_startup_64+0xa4/0xb0
+
+Fixes: a25e21f0bcd2 ("rxrpc, afs: Use debug_ids rather than pointers in traces")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/rxrpc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
+index d85816878a52..cc1d060cbf13 100644
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -1379,7 +1379,7 @@ TRACE_EVENT(rxrpc_rx_eproto,
+ ),
+
+ TP_fast_assign(
+- __entry->call = call->debug_id;
++ __entry->call = call ? call->debug_id : 0;
+ __entry->serial = serial;
+ __entry->why = why;
+ ),
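Review bot: Nothing at the `call ? call->debug_id : 0` assignment records that a NULL `call` is a legitimate argument, so a later cleanup could drop the guard again. A one-line comment above it, e.g. `/* call is NULL when the error is raised before a call has been looked up */`, would document the contract that the commit message describes for rxrpc_extract_header(). Other TRACE_EVENT definitions in this header that dereference `call` are outside the hunk and may deserve the same check.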
+--
+2.20.1
+
--- /dev/null
+From f2182e545b0d008888110227931dbf0ce6a1bc2f Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 3 Jun 2019 07:47:04 +0200
+Subject: s390/qdio: handle PENDING state for QEBSM devices
+
+[ Upstream commit 04310324c6f482921c071444833e70fe861b73d9 ]
+
+When a CQ-enabled device uses QEBSM for SBAL state inspection,
+get_buf_states() can return the PENDING state for an Output Queue.
+get_outbound_buffer_frontier() isn't prepared for this, and any PENDING
+buffer will permanently stall all further completion processing on this
+Queue.
+
+This isn't a concern for non-QEBSM devices, as get_buf_states() for such
+devices will manually turn PENDING buffers into EMPTY ones.
+
+Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/qdio_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
+index 7b7620de2acd..730c4e68094b 100644
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -736,6 +736,7 @@ static int get_outbound_buffer_frontier(struct qdio_q *q, unsigned int start)
+
+ switch (state) {
+ case SLSB_P_OUTPUT_EMPTY:
++ case SLSB_P_OUTPUT_PENDING:
+ /* the adapter got it */
+ DBF_DEV_EVENT(DBF_INFO, q->irq_ptr,
+ "out empty:%1d %02x", q->nr, count);
+--
+2.20.1
+
--- /dev/null
+From c0e7b1ec6f840718936ad5b24a9b7d240c53b41e Mon Sep 17 00:00:00 2001
+From: Gao Xiang <gaoxiang25@huawei.com>
+Date: Mon, 3 Jun 2019 17:13:38 +0800
+Subject: sched/core: Add __sched tag for io_schedule()
+
+[ Upstream commit e3b929b0a184edb35531153c5afcaebb09014f9d ]
+
+Non-inline io_schedule() was introduced in:
+
+ commit 10ab56434f2f ("sched/core: Separate out io_schedule_prepare() and io_schedule_finish()")
+
+Keep in line with io_schedule_timeout(), otherwise "/proc/<pid>/wchan" will
+report io_schedule() rather than its callers when waiting for IO.
+
+Reported-by: Jilong Kou <koujilong@huawei.com>
+Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Miao Xie <miaoxie@huawei.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 10ab56434f2f ("sched/core: Separate out io_schedule_prepare() and io_schedule_finish()")
+Link: https://lkml.kernel.org/r/20190603091338.2695-1-gaoxiang25@huawei.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 874c427742a9..4d5962232a55 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5123,7 +5123,7 @@ long __sched io_schedule_timeout(long timeout)
+ }
+ EXPORT_SYMBOL(io_schedule_timeout);
+
+-void io_schedule(void)
++void __sched io_schedule(void)
+ {
+ int token;
+
+--
+2.20.1
+
--- /dev/null
+From 8231a89f3a60d7f4ade900e123deba8939cef8b7 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Mon, 3 Jun 2019 17:11:44 -0400
+Subject: sched/fair: Fix "runnable_avg_yN_inv" not used warnings
+
+[ Upstream commit 509466b7d480bc5d22e90b9fbe6122ae0e2fbe39 ]
+
+runnable_avg_yN_inv[] is only used in kernel/sched/pelt.c but was
+included in several other places because they need other macros all
+came from kernel/sched/sched-pelt.h which was generated by
+Documentation/scheduler/sched-pelt. As the result, it causes compilation
+a lot of warnings,
+
+ kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=]
+ kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=]
+ kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=]
+ ...
+
+Silence it by appending the __maybe_unused attribute for it, so all
+generated variables and macros can still be kept in the same file.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/1559596304-31581-1-git-send-email-cai@lca.pw
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/scheduler/sched-pelt.c | 3 ++-
+ kernel/sched/sched-pelt.h | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/scheduler/sched-pelt.c b/Documentation/scheduler/sched-pelt.c
+index e4219139386a..7238b355919c 100644
+--- a/Documentation/scheduler/sched-pelt.c
++++ b/Documentation/scheduler/sched-pelt.c
+@@ -20,7 +20,8 @@ void calc_runnable_avg_yN_inv(void)
+ int i;
+ unsigned int x;
+
+- printf("static const u32 runnable_avg_yN_inv[] = {");
++ /* To silence -Wunused-but-set-variable warnings. */
++ printf("static const u32 runnable_avg_yN_inv[] __maybe_unused = {");
+ for (i = 0; i < HALFLIFE; i++) {
+ x = ((1UL<<32)-1)*pow(y, i);
+
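Review bot: The added comment names the wrong warning. The commit message shows `-Wunused-const-variable=` as the diagnostic being silenced, while the comment says `-Wunused-but-set-variable`, which is a different warning about locals that are assigned but never read. Suggest `/* To silence -Wunused-const-variable warnings. */`. Because kernel/sched/sched-pelt.h is marked "do not modify", it would also help to have the generator print that reason into the header, so readers who meet `__maybe_unused` there see why it is present. calc_runnable_avg_yN_inv() continues outside the hunk.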
+diff --git a/kernel/sched/sched-pelt.h b/kernel/sched/sched-pelt.h
+index a26473674fb7..c529706bed11 100644
+--- a/kernel/sched/sched-pelt.h
++++ b/kernel/sched/sched-pelt.h
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ /* Generated by Documentation/scheduler/sched-pelt; do not modify. */
+
+-static const u32 runnable_avg_yN_inv[] = {
++static const u32 runnable_avg_yN_inv[] __maybe_unused = {
+ 0xffffffff, 0xfa83b2da, 0xf5257d14, 0xefe4b99a, 0xeac0c6e6, 0xe5b906e6,
+ 0xe0ccdeeb, 0xdbfbb796, 0xd744fcc9, 0xd2a81d91, 0xce248c14, 0xc9b9bd85,
+ 0xc5672a10, 0xc12c4cc9, 0xbd08a39e, 0xb8fbaf46, 0xb504f333, 0xb123f581,
+--
+2.20.1
+
--- /dev/null
+From f15bcc1e7efa455708703c95fe0c84b835c0054b Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Tue, 21 May 2019 20:14:20 -0700
+Subject: selftests/bpf: adjust verifier scale test
+
+[ Upstream commit 7c0c6095d48dcd0e67c917aa73cdbb2715aafc36 ]
+
+Adjust scale tests to check for new jmp sequence limit.
+
+BPF_JGT had to be changed to BPF_JEQ because the verifier was
+too smart. It tracked the known safe range of R0 values
+and pruned the search earlier before hitting exact 8192 limit.
+bpf_semi_rand_get() was too (un)?lucky.
+
+k = 0; was missing in bpf_fill_scale2.
+It was testing a bit shorter sequence of jumps than intended.
+
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_verifier.c | 31 +++++++++++----------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
+index 288cb740e005..6438d4dc8ae1 100644
+--- a/tools/testing/selftests/bpf/test_verifier.c
++++ b/tools/testing/selftests/bpf/test_verifier.c
+@@ -207,33 +207,35 @@ static void bpf_fill_rand_ld_dw(struct bpf_test *self)
+ self->retval = (uint32_t)res;
+ }
+
+-/* test the sequence of 1k jumps */
++#define MAX_JMP_SEQ 8192
++
++/* test the sequence of 8k jumps */
+ static void bpf_fill_scale1(struct bpf_test *self)
+ {
+ struct bpf_insn *insn = self->fill_insns;
+ int i = 0, k = 0;
+
+ insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
+- /* test to check that the sequence of 1024 jumps is acceptable */
+- while (k++ < 1024) {
++ /* test to check that the long sequence of jumps is acceptable */
++ while (k++ < MAX_JMP_SEQ) {
+ insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+ BPF_FUNC_get_prandom_u32);
+- insn[i++] = BPF_JMP_IMM(BPF_JGT, BPF_REG_0, bpf_semi_rand_get(), 2);
++ insn[i++] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, bpf_semi_rand_get(), 2);
+ insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10);
+ insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6,
+ -8 * (k % 64 + 1));
+ }
+- /* every jump adds 1024 steps to insn_processed, so to stay exactly
+- * within 1m limit add MAX_TEST_INSNS - 1025 MOVs and 1 EXIT
++ /* every jump adds 1 step to insn_processed, so to stay exactly
++ * within 1m limit add MAX_TEST_INSNS - MAX_JMP_SEQ - 1 MOVs and 1 EXIT
+ */
+- while (i < MAX_TEST_INSNS - 1025)
++ while (i < MAX_TEST_INSNS - MAX_JMP_SEQ - 1)
+ insn[i++] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 42);
+ insn[i] = BPF_EXIT_INSN();
+ self->prog_len = i + 1;
+ self->retval = 42;
+ }
+
+-/* test the sequence of 1k jumps in inner most function (function depth 8)*/
++/* test the sequence of 8k jumps in inner most function (function depth 8)*/
+ static void bpf_fill_scale2(struct bpf_test *self)
+ {
+ struct bpf_insn *insn = self->fill_insns;
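Review bot: `MAX_JMP_SEQ` is introduced without a comment saying which verifier limit it mirrors; per the commit message it tracks the new jump-sequence limit, so if that limit changes again the test would presumably stop sitting on the boundary without anyone noticing. Suggest a comment above the define such as `/* must match the verifier's jump sequence limit; the scale tests sit exactly on it */`. The fill loop and the trailing MOV padding are now the same in bpf_fill_scale1 and bpf_fill_scale2 (next hunk) apart from the stack-offset modulus. The `k = 0;` that had to be added there is the kind of drift a shared helper taking the modulus as a parameter would avoid. bpf_fill_scale2 starts in this hunk and continues in the next, so its declarations are not all visible.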
+@@ -245,19 +247,20 @@ static void bpf_fill_scale2(struct bpf_test *self)
+ insn[i++] = BPF_EXIT_INSN();
+ }
+ insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
+- /* test to check that the sequence of 1024 jumps is acceptable */
+- while (k++ < 1024) {
++ /* test to check that the long sequence of jumps is acceptable */
++ k = 0;
++ while (k++ < MAX_JMP_SEQ) {
+ insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+ BPF_FUNC_get_prandom_u32);
+- insn[i++] = BPF_JMP_IMM(BPF_JGT, BPF_REG_0, bpf_semi_rand_get(), 2);
++ insn[i++] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, bpf_semi_rand_get(), 2);
+ insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10);
+ insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6,
+ -8 * (k % (64 - 4 * FUNC_NEST) + 1));
+ }
+- /* every jump adds 1024 steps to insn_processed, so to stay exactly
+- * within 1m limit add MAX_TEST_INSNS - 1025 MOVs and 1 EXIT
++ /* every jump adds 1 step to insn_processed, so to stay exactly
++ * within 1m limit add MAX_TEST_INSNS - MAX_JMP_SEQ - 1 MOVs and 1 EXIT
+ */
+- while (i < MAX_TEST_INSNS - 1025)
++ while (i < MAX_TEST_INSNS - MAX_JMP_SEQ - 1)
+ insn[i++] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 42);
+ insn[i] = BPF_EXIT_INSN();
+ self->prog_len = i + 1;
+--
+2.20.1
+
--- /dev/null
+From 9c1f2a8b45a29c947f25cbab503650f340c913cd Mon Sep 17 00:00:00 2001
+From: Hechao Li <hechaol@fb.com>
+Date: Mon, 10 Jun 2019 17:43:07 -0700
+Subject: selftests/bpf : clean up feature/ when make clean
+
+[ Upstream commit 89cceaa939171fafa153d4bf637b39e396bbd785 ]
+
+An error "implicit declaration of function 'reallocarray'" can be thrown
+with the following steps:
+
+$ cd tools/testing/selftests/bpf
+$ make clean && make CC=<Path to GCC 4.8.5>
+$ make clean && make CC=<Path to GCC 7.x>
+
+The cause is that the feature folder generated by GCC 4.8.5 is not
+removed, leaving feature-reallocarray being 1, which causes reallocarray
+not defined when re-compliing with GCC 7.x. This diff adds feature
+folder to EXTRA_CLEAN to avoid this problem.
+
+v2: Rephrase the commit message.
+
+Signed-off-by: Hechao Li <hechaol@fb.com>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index e36356e2377e..1c9511262947 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -275,4 +275,5 @@ $(OUTPUT)/verifier/tests.h: $(VERIFIER_TESTS_DIR) $(VERIFIER_TEST_FILES)
+ ) > $(VERIFIER_TESTS_H))
+
+ EXTRA_CLEAN := $(TEST_CUSTOM_PROGS) $(ALU32_BUILD_DIR) \
+- $(VERIFIER_TESTS_H) $(PROG_TESTS_H) $(MAP_TESTS_H)
++ $(VERIFIER_TESTS_H) $(PROG_TESTS_H) $(MAP_TESTS_H) \
++ feature
+--
+2.20.1
+
--- /dev/null
+From da85cec9c6e58f6ea5c93cac6c8594bbe533c70e Mon Sep 17 00:00:00 2001
+From: Jiri Benc <jbenc@redhat.com>
+Date: Tue, 2 Jul 2019 19:40:31 +0200
+Subject: selftests: bpf: fix inlines in test_lwt_seg6local
+
+[ Upstream commit 11aca65ec4db09527d3e9b6b41a0615b7da4386b ]
+
+Selftests are reporting this failure in test_lwt_seg6local.sh:
+
++ ip netns exec ns2 ip -6 route add fb00::6 encap bpf in obj test_lwt_seg6local.o sec encap_srh dev veth2
+Error fetching program/map!
+Failed to parse eBPF program: Operation not permitted
+
+The problem is __attribute__((always_inline)) alone is not enough to prevent
+clang from inserting those functions in .text. In that case, .text is not
+marked as relocateable.
+
+See the output of objdump -h test_lwt_seg6local.o:
+
+Idx Name Size VMA LMA File off Algn
+ 0 .text 00003530 0000000000000000 0000000000000000 00000040 2**3
+ CONTENTS, ALLOC, LOAD, READONLY, CODE
+
+This causes the iproute bpf loader to fail in bpf_fetch_prog_sec:
+bpf_has_call_data returns true but bpf_fetch_prog_relo fails as there's no
+relocateable .text section in the file.
+
+To fix this, convert to 'static __always_inline'.
+
+v2: Use 'static __always_inline' instead of 'static inline
+ __attribute__((always_inline))'
+
+Fixes: c99a84eac026 ("selftests/bpf: test for seg6local End.BPF action")
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/bpf/progs/test_lwt_seg6local.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c b/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c
+index 0575751bc1bc..e2f6ed0a583d 100644
+--- a/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c
++++ b/tools/testing/selftests/bpf/progs/test_lwt_seg6local.c
+@@ -61,7 +61,7 @@ struct sr6_tlv_t {
+ unsigned char value[0];
+ } BPF_PACKET_HEADER;
+
+-__attribute__((always_inline)) struct ip6_srh_t *get_srh(struct __sk_buff *skb)
++static __always_inline struct ip6_srh_t *get_srh(struct __sk_buff *skb)
+ {
+ void *cursor, *data_end;
+ struct ip6_srh_t *srh;
+@@ -95,7 +95,7 @@ __attribute__((always_inline)) struct ip6_srh_t *get_srh(struct __sk_buff *skb)
+ return srh;
+ }
+
+-__attribute__((always_inline))
++static __always_inline
+ int update_tlv_pad(struct __sk_buff *skb, uint32_t new_pad,
+ uint32_t old_pad, uint32_t pad_off)
+ {
+@@ -125,7 +125,7 @@ int update_tlv_pad(struct __sk_buff *skb, uint32_t new_pad,
+ return 0;
+ }
+
+-__attribute__((always_inline))
++static __always_inline
+ int is_valid_tlv_boundary(struct __sk_buff *skb, struct ip6_srh_t *srh,
+ uint32_t *tlv_off, uint32_t *pad_size,
+ uint32_t *pad_off)
+@@ -184,7 +184,7 @@ int is_valid_tlv_boundary(struct __sk_buff *skb, struct ip6_srh_t *srh,
+ return 0;
+ }
+
+-__attribute__((always_inline))
++static __always_inline
+ int add_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off,
+ struct sr6_tlv_t *itlv, uint8_t tlv_size)
+ {
+@@ -228,7 +228,7 @@ int add_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off,
+ return update_tlv_pad(skb, new_pad, pad_size, pad_off);
+ }
+
+-__attribute__((always_inline))
++static __always_inline
+ int delete_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh,
+ uint32_t tlv_off)
+ {
+@@ -266,7 +266,7 @@ int delete_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh,
+ return update_tlv_pad(skb, new_pad, pad_size, pad_off);
+ }
+
+-__attribute__((always_inline))
++static __always_inline
+ int has_egr_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh)
+ {
+ int tlv_offset = sizeof(struct ip6_t) + sizeof(struct ip6_srh_t) +
+--
+2.20.1
+
--- /dev/null
+From d86c5f8a939716237fc1a6c3b04d1b60fa116e7d Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 12 Jun 2019 10:12:26 +0200
+Subject: selinux: fix empty write to keycreate file
+
+[ Upstream commit 464c258aa45b09f16aa0f05847ed8895873262d9 ]
+
+When sid == 0 (we are resetting keycreate_sid to the default value), we
+should skip the KEY__CREATE check.
+
+Before this patch, doing a zero-sized write to /proc/self/keycreate
+would check if the current task can create unlabeled keys (which would
+usually fail with -EACCESS and generate an AVC). Now it skips the check
+and correctly sets the task's keycreate_sid to 0.
+
+Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1719067
+
+Tested using the reproducer from the report above.
+
+Fixes: 4eb582cf1fbd ("[PATCH] keys: add a way to store the appropriate context for newly-created keys")
+Reported-by: Kir Kolyshkin <kir@sacred.ru>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/hooks.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 94de51628fdc..3ec7ac70c313 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -6351,11 +6351,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
+ } else if (!strcmp(name, "fscreate")) {
+ tsec->create_sid = sid;
+ } else if (!strcmp(name, "keycreate")) {
+- error = avc_has_perm(&selinux_state,
+- mysid, sid, SECCLASS_KEY, KEY__CREATE,
+- NULL);
+- if (error)
+- goto abort_change;
++ if (sid) {
++ error = avc_has_perm(&selinux_state, mysid, sid,
++ SECCLASS_KEY, KEY__CREATE, NULL);
++ if (error)
++ goto abort_change;
++ }
+ tsec->keycreate_sid = sid;
+ } else if (!strcmp(name, "sockcreate")) {
+ tsec->sockcreate_sid = sid;
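Review bot: The `if (sid)` guard in the `keycreate` branch now skips `avc_has_perm()` entirely for one value, and nothing in the code says why that is safe. Per the commit message, sid == 0 means keycreate_sid is being reset to the default, which needs no KEY__CREATE permission. A comment should pin that down, e.g. `/* sid == 0 resets to the default label; only a real target SID needs KEY__CREATE */`. How `sid` ends up 0 is decided earlier in selinux_setprocattr(), outside this hunk. It is worth confirming there that 0 can only result from an empty write and never from an error path that falls through to this branch.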
+--
+2.20.1
+
--- /dev/null
+ath10k-check-tx_stats-before-use-it.patch
+ath10k-htt-don-t-use-txdone_fifo-with-sdio.patch
+ath10k-fix-incorrect-multicast-broadcast-rate-settin.patch
+ath9k-don-t-trust-tx-status-tid-number-when-reportin.patch
+wil6210-fix-potential-out-of-bounds-read.patch
+ath10k-do-not-send-probe-response-template-for-mesh.patch
+spi-rockchip-turn-down-tx-dma-bursts.patch
+ath9k-check-for-errors-when-reading-srev-register.patch
+ath10k-fix-the-wrong-value-of-enums-for-wmi-tlv-stat.patch
+wil6210-fix-missed-misc-mbox-interrupt.patch
+ath6kl-add-some-bounds-checking.patch
+ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch
+wil6210-fix-spurious-interrupts-in-3-msi.patch
+ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
+ath10k-fix-encoding-for-protected-management-frames.patch
+regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch
+batman-adv-fix-for-leaked-tvlv-handler.patch
+media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
+media-spi-ir-led-add-missing-of-table-registration.patch
+crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
+media-ov7740-avoid-invalid-framesize-setting.patch
+media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
+selftests-bpf-adjust-verifier-scale-test.patch
+media-vpss-fix-a-potential-null-pointer-dereference.patch
+media-media_device_enum_links32-clean-a-reserved-fie.patch
+ice-gracefully-handle-reset-failure-in-ice_alloc_vfs.patch
+media-venus-firmware-fix-leaked-of_node-references.patch
+crypto-caam-avoid-s-g-table-fetching-for-aead-zero-l.patch
+net-stmmac-dwmac1000-clear-unused-address-entries.patch
+net-stmmac-dwmac4-5-clear-unused-address-entries.patch
+net-stmmac-prevent-missing-interrupts-when-running-n.patch
+ice-fix-couple-of-issues-in-ice_vsi_release.patch
+net-mvpp2-cls-extract-the-rss-context-when-parsing-t.patch
+net-hns3-initialize-cpu-reverse-mapping.patch
+net-hns3-fix-for-fec-configuration.patch
+qed-set-the-doorbell-address-correctly.patch
+signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
+signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
+af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
+xfrm-fix-xfrm-sel-prefix-length-validation.patch
+media-vim2m-fix-two-double-free-issues.patch
+media-v4l2-core-fix-use-after-free-error.patch
+fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch
+media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-z.patch
+perf-annotate-tui-browser-do-not-use-member-from-var.patch
+ice-check-all-vfs-for-mdd-activity-don-t-disable.patch
+media-mc-device.c-don-t-memset-__user-pointer-conten.patch
+media-saa7164-fix-remove_proc_entry-warning.patch
+asoc-intel-sof-rt5682-fix-undefined-references-with-.patch
+media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
+net-phy-check-against-net_device-being-null.patch
+net-dsa-sja1105-fix-broken-fixed-link-interfaces-on-.patch
+crypto-talitos-properly-handle-split-icv.patch
+crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch
+tua6100-avoid-build-warnings.patch
+batman-adv-fix-duplicated-ogms-on-netdev_up.patch
+locking-lockdep-fix-ooo-unlock-when-hlocks-need-merg.patch
+locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch
+media-platform-ao-cec-g12a-disable-regmap-fast_io-fo.patch
+media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
+net-hns3-add-a-check-to-pointer-in-error_detected-an.patch
+net-hns3-set-ops-to-null-when-unregister-ad_dev.patch
+cpupower-frequency-set-r-option-misses-the-last-cpu-.patch
+arm64-mm-make-config_zone_dma32-configurable.patch
+media-imx7-mipi-csis-propagate-the-error-if-clock-en.patch
+perf-jvmti-address-gcc-string-overflow-warning-for-s.patch
+media-aspeed-change-irq-to-threaded-irq.patch
+media-aspeed-fix-a-kernel-warning-on-clk-control.patch
+net-stmmac-dwmac4-fix-flow-control-issue.patch
+net-stmmac-modify-default-value-of-tx-frames.patch
+crypto-inside-secure-do-not-rely-on-the-hardware-las.patch
+net-fec-do-not-use-netdev-messages-too-early.patch
+net-axienet-fix-race-condition-causing-tx-hang.patch
+s390-qdio-handle-pending-state-for-qebsm-devices.patch
+ras-cec-fix-pfn-insertion.patch
+net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch
+netfilter-ipset-fix-a-missing-check-of-nla_parse.patch
+ipset-fix-memory-accounting-for-hash-types-on-resize.patch
+perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch
+perf-test-6-fix-missing-kvm-module-load-for-s390.patch
+perf-report-fix-oom-error-in-tui-mode-on-s390.patch
+selftests-bpf-clean-up-feature-when-make-clean.patch
+irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch
+media-uvcvideo-fix-access-to-uninitialized-fields-on.patch
+media-fdp1-support-m3n-and-e3-platforms.patch
+iommu-fix-a-leak-in-iommu_insert_resv_region.patch
+gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch
+gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
+regmap-fix-bulk-writes-on-paged-registers.patch
+gpio-omap-fix-lost-edge-wake-up-interrupts.patch
+media-davinci-vpif_capture-fix-memory-leak-in-vpif_p.patch
+bpf-silence-warning-messages-in-core.patch
+media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch
+selinux-fix-empty-write-to-keycreate-file.patch
+crypto-testmgr-add-some-more-preemption-points.patch
+x86-cpu-add-ice-lake-nnpi-to-intel-family.patch
+asoc-meson-axg-tdm-fix-sample-clock-inversion.patch
+rcu-force-inlining-of-rcu_read_lock.patch
+perf-x86-add-intel-ice-lake-nnpi-uncore-support.patch
+x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch
+qed-iwarp-fix-tc-for-mpa-ll2-connection.patch
+net-hns3-fix-for-dereferencing-before-null-checking.patch
+net-hns3-fix-for-skb-leak-when-doing-selftest.patch
+net-hns3-delay-ring-buffer-clearing-during-reset.patch
+block-null_blk-fix-race-condition-for-null_del_dev.patch
+blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
+xfrm-fix-sa-selector-validation.patch
+sched-core-add-__sched-tag-for-io_schedule.patch
+perf-x86-intel-add-more-icelake-cpuids.patch
+sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch
+perf-x86-intel-disable-check_msr-for-real-hw.patch
+perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch
+integrity-fix-__integrity_init_keyring-section-misma.patch
+x86-atomic-fix-smp_mb__-before-after-_atomic.patch
+perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
+vhost_net-disable-zerocopy-by-default.patch
+iavf-allow-null-rx-descriptors.patch
+ipoib-correcly-show-a-vf-hardware-address.patch
+asoc-rsnd-fixup-mod-id-calculation-in-rsnd_ctu_probe.patch
+tools-build-fix-the-zstd-test-in-the-test-all.c-comm.patch
+bpf-fix-callees-pruning-callers.patch
+perf-build-handle-slang-being-in-usr-include-and-in-.patch
+pci-add-missing-link-delays-required-by-the-pcie-spe.patch
+net-netsec-initialize-tx-ring-on-ndo_open.patch
+x86-cacheinfo-fix-a-wtype-limits-warning.patch
+blk-iolatency-only-account-submitted-bios.patch
+acpica-clear-status-of-gpes-on-first-direct-enable.patch
+spi-fix-ctrl-num_chipselect-constraint.patch
+edac-sysfs-drop-device-references-properly.patch
+edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch
+nvme-fix-possible-io-failures-when-removing-multipat.patch
+nvme-pci-properly-report-state-change-failure-in-nvm.patch
+nvme-pci-set-the-errno-on-ctrl-state-change-error.patch
+lightnvm-pblk-fix-freeing-of-merged-pages.patch
+lightnvm-fix-uninitialized-pointer-in-nvm_remove_tgt.patch
+nvme-pci-adjust-irq-max_vector-using-num_possible_cp.patch
+arm64-do-not-enable-irqs-for-ct_user_exit.patch
+ipsec-select-crypto-ciphers-for-xfrm_algo.patch
+media-staging-davinci-fix-memory-leaks-and-check-for.patch
+ipvs-defer-hook-registration-to-avoid-leaks.patch
+media-s5p-mfc-make-additional-clocks-optional.patch
+media-i2c-fix-warning-same-module-names.patch
+ntp-limit-tai-utc-offset.patch
+timer_list-guard-procfs-specific-code.patch
+media-mt9m111-fix-fw-node-refactoring.patch
+asoc-soc-core-call-snd_soc_unbind_card-under-mutex_l.patch
+acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
+media-coda-fix-mpeg2-sequence-number-handling.patch
+media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch
+media-coda-increment-sequence-offset-for-the-last-re.patch
+media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch
+media-hdpvr-fix-locking-and-a-missing-msleep.patch
+net-stmmac-sun8i-force-select-external-phy-when-no-i.patch
+rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch
+mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
+x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
+mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
+ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch
+mt76-mt7615-do-not-process-rx-packets-if-the-device-.patch
+ath10k-add-missing-error-handling.patch
+ath10k-fix-fw-crash-by-moving-chip-reset-after-napi-.patch
+ath10k-fix-pcie-device-wake-up-failed.patch
+alsa-hdac-fix-codec-name-after-machine-driver-is-unl.patch
+perf-tools-increase-max_nr_cpus-and-max_caches.patch
+asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch
+block-bfq-fix-rq_in_driver-check-in-bfq_update_injec.patch
+clocksource-drivers-tegra-release-all-irq-s-on-reque.patch
+libata-don-t-request-sense-data-on-zac-ata-devices.patch
+clocksource-drivers-tegra-restore-base-address-befor.patch
+clocksource-drivers-exynos_mct-increase-priority-ove.patch
+netfilter-ctnetlink-fix-regression-in-conntrack-entr.patch
+xsk-properly-terminate-assignment-in-xskq_produce_fl.patch
+rslib-fix-decoding-of-shortened-codes.patch
+bpf-fix-bpf_alu32-bpf_arsh-on-be-arches.patch
+rslib-fix-handling-of-of-caller-provided-syndrome.patch
+gpio-fix-return-value-mismatch-of-function-gpiod_get.patch
+net-hns3-restore-the-mac-autoneg-state-after-reset.patch
+net-mlx5-get-vport-acl-namespace-by-vport-index.patch
+ixgbe-check-ddm-existence-in-transceiver-before-acce.patch
+crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch
+crypto-asymmetric_keys-select-crypto_hash-where-need.patch
+ath9k-correctly-handle-short-radar-pulses.patch
+wil6210-drop-old-event-after-wmi_call-timeout.patch
+edac-fix-global-out-of-bounds-write-when-setting-eda.patch
+net-mlx5e-attach-detach-xdp-program-safely.patch
+bcache-fix-return-value-error-in-bch_journal_read.patch
+bcache-check-cache_set_io_disable-in-allocator-code.patch
+bcache-check-cache_set_io_disable-bit-in-bch_journal.patch
+bcache-acquire-bch_register_lock-later-in-cached_dev.patch
+bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
+bcache-avoid-a-deadlock-in-bcache_reboot.patch
+bcache-fix-potential-deadlock-in-cached_def_free.patch
+net-hns3-fix-a-wformat-nonliteral-compile-warning.patch
+net-hns3-add-some-error-checking-in-hclge_tm-module.patch
+ath10k-fix-memory-leak-in-qmi.patch
+ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch
+net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch
+igb-clear-out-skb-tstamp-after-reading-the-txtime.patch
+net-hns3-add-asym-pause-support-to-fix-autoneg-probl.patch
+net-ethernet-ti-cpsw-assign-of-node-to-slave-devices.patch
+ixgbe-avoid-null-pointer-dereference-with-vf-on-non-.patch
+iwlwifi-mvm-drop-large-non-sta-frames.patch
+bpf-fix-uapi-bpf_prog_info-fields-alignment.patch
+netfilter-fix-remainder-of-pseudo-header-protocol-0.patch
+iwlwifi-dbg-fix-debug-monitor-stop-and-restart-delay.patch
+bnxt_en-disable-bus-master-during-pci-shutdown-and-d.patch
+bnxt_en-fix-statistics-context-reservation-logic-for.patch
+bnxt_en-cap-the-returned-msix-vectors-to-the-rdma-dr.patch
+alsa-hda-fix-a-headphone-detection-issue-when-using-.patch
+perf-stat-make-metric-event-lookup-more-robust.patch
+perf-stat-fix-metrics-with-no-merge.patch
+perf-stat-don-t-merge-events-in-the-same-pmu.patch
+perf-stat-fix-group-lookup-for-metric-group.patch
+vxlan-do-not-destroy-fdb-if-register_netdevice-is-fa.patch
+bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch
+net-usb-asix-init-mac-address-buffers.patch
+rxrpc-fix-oops-in-tracepoint.patch
+libbpf-fix-gcc8-warning-for-strncpy.patch
+bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch
+selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch
+bonding-validate-ip-header-before-check-ipproto_igmp.patch
+gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch
+iommu-arm-smmu-v3-invalidate-atc-when-detaching-a-de.patch
+asoc-audio-graph-card-fix-use-after-free-in-graph_fo.patch
+tools-bpftool-fix-json-dump-crash-on-powerpc.patch
+net-hns3-enable-broadcast-promisc-mode-when-initiali.patch
+net-hns3-fix-port-capbility-updating-issue.patch
+bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
+bluetooth-add-new-13d3-3491-qca_rome-device.patch
+bluetooth-add-new-13d3-3501-qca_rome-device.patch
+bluetooth-6lowpan-search-for-destination-address-in-.patch
+genirq-update-irq-stats-from-nmi-handlers.patch
+perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch
+bluetooth-check-state-in-l2cap_disconnect_rsp.patch
+bluetooth-hidp-nul-terminate-a-string-in-the-compat-.patch
+gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch
+bluetooth-validate-ble-connection-interval-updates.patch
+gtp-fix-suspicious-rcu-usage.patch
+gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch
+gtp-fix-use-after-free-in-gtp_encap_destroy.patch
+gtp-fix-use-after-free-in-gtp_newlink.patch
+xdp-fix-race-on-generic-receive-path.patch
+net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch
+net-hns3-fix-__queue_state_stack_xoff-not-cleared-is.patch
+iavf-fix-dereference-of-null-rx_buffer-pointer.patch
+blk-iolatency-fix-sts_again-handling.patch
+libbpf-fix-another-gcc8-warning-for-strncpy.patch
+floppy-fix-div-by-zero-in-setup_format_params.patch
+floppy-fix-out-of-bounds-read-in-next_valid_format.patch
+floppy-fix-invalid-pointer-dereference-in-drive_name.patch
+floppy-fix-out-of-bounds-read-in-copy_buffer.patch
--- /dev/null
+From 3db07012788baaf57549ce57cfb81871d1d9fd22 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 May 2019 12:33:50 -0500
+Subject: signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of
+ force_sig
+
+[ Upstream commit 72abe3bcf0911d69b46c1e8bdb5612675e0ac42c ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change). The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal. The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Namjae Jeon <namjae.jeon@samsung.com>
+Cc: Jeff Layton <jlayton@primarydata.com>
+Cc: Steve French <smfrench@gmail.com>
+Fixes: a5c3e1c725af ("Revert "cifs: No need to send SIGKILL to demux_thread during umount"")
+Fixes: e7ddee9037e7 ("cifs: disable sharing session and tcon and add new TCP sharing code")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 8dd6637a3cbb..714a359c7c8d 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2631,7 +2631,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
+
+ task = xchg(&server->tsk, NULL);
+ if (task)
+- force_sig(SIGKILL, task);
++ send_sig(SIGKILL, task, 1);
+ }
+
+ static struct TCP_Server_Info *
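Review bot: The literal `1` passed as the third argument of `send_sig(SIGKILL, task, 1)` is unexplained; that parameter is `priv`, and a non-zero value marks the signal as kernel-originated rather than sent by a user process. A short comment such as `/* priv = 1: signal is sent by the kernel */` would make the call self-describing, and the same applies to `send_sig(SIGKILL, pid_ns->child_reaper, 1)` in the kernel/pid_namespace.c patch that follows. Unlike force_sig(), send_sig() returns an int that both call sites discard; if ignoring it is intentional for SIGKILL, the comment should say so. Nothing visible in this hunk pins `task` between the `xchg()` and the signal delivery, so it is worth confirming against the rest of cifs_put_tcp_session(), which lies outside the hunk, that the thread cannot already have exited.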
+--
+2.20.1
+
--- /dev/null
+From 76bedeb99d286033254a017372943edccd3dd6b8 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 May 2019 12:29:52 -0500
+Subject: signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
+
+[ Upstream commit f9070dc94542093fd516ae4ccea17ef46a4362c5 ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change). The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal. The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Daniel Lezcano <daniel.lezcano@free.fr>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Fixes: cf3f89214ef6 ("pidns: add reboot_pid_ns() to handle the reboot syscall")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/pid_namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index f54bc7cb6c2d..6d726cef241c 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -326,7 +326,7 @@ int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd)
+ }
+
+ read_lock(&tasklist_lock);
+- force_sig(SIGKILL, pid_ns->child_reaper);
++ send_sig(SIGKILL, pid_ns->child_reaper, 1);
+ read_unlock(&tasklist_lock);
+
+ do_exit(0);
+--
+2.20.1
+
--- /dev/null
+From 95a98fe45ef7a1c267c83af3ee0dde4ba7f5e9da Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+Date: Wed, 19 Jun 2019 14:38:28 +0000
+Subject: spi: fix ctrl->num_chipselect constraint
+
+[ Upstream commit f9481b08220d7dc1ff21e296a330ee8b721b44e4 ]
+
+at91sam9g25ek showed the following error at probe:
+atmel_spi f0000000.spi: Using dma0chan2 (tx) and dma0chan3 (rx)
+for DMA transfers
+atmel_spi: probe of f0000000.spi failed with error -22
+
+Commit 0a919ae49223 ("spi: Don't call spi_get_gpio_descs() before device name is set")
+moved the calling of spi_get_gpio_descs() after ctrl->dev is set,
+but didn't move the !ctrl->num_chipselect check. When there are
+chip selects in the device tree, the spi-atmel driver lets the
+SPI core discover them when registering the SPI master.
+The ctrl->num_chipselect is thus expected to be set by
+spi_get_gpio_descs().
+
+Move the !ctlr->num_chipselect after spi_get_gpio_descs() as it was
+before the aforementioned commit. While touching this block, get rid
+of the explicit comparison with 0 and update the commenting style.
+
+Fixes: 0a919ae49223 ("spi: Don't call spi_get_gpio_descs() before device name is set")
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 5e4654032bfa..29916e446143 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2286,11 +2286,6 @@ int spi_register_controller(struct spi_controller *ctlr)
+ if (status)
+ return status;
+
+- /* even if it's just one always-selected device, there must
+- * be at least one chipselect
+- */
+- if (ctlr->num_chipselect == 0)
+- return -EINVAL;
+ if (ctlr->bus_num >= 0) {
+ /* devices with a fixed bus num must check-in with the num */
+ mutex_lock(&board_lock);
+@@ -2361,6 +2356,13 @@ int spi_register_controller(struct spi_controller *ctlr)
+ }
+ }
+
++ /*
++ * Even if it's just one always-selected device, there must
++ * be at least one chipselect.
++ */
++ if (!ctlr->num_chipselect)
++ return -EINVAL;
++
+ status = device_add(&ctlr->dev);
+ if (status < 0) {
+ /* free bus id */
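Review bot: The relocated `if (!ctlr->num_chipselect) return -EINVAL;` now sits after the bus-number check-in that begins at `if (ctlr->bus_num >= 0)` in the first hunk, so this early return appears to leave the controller's bus id allocated, whereas the `device_add()` failure path directly below it carries a `/* free bus id */` step. The allocation itself is outside both hunks, so this is inferred from the visible context. I would set `status = -EINVAL;` and route the failure through the same bus-id release that the `device_add()` error path performs, rather than returning directly. spi_register_controller() starts and ends outside the hunk.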
+--
+2.20.1
+
--- /dev/null
+From b08b2861a408d479b114273a6dced8bc5b3a34e7 Mon Sep 17 00:00:00 2001
+From: Emil Renner Berthing <kernel@esmil.dk>
+Date: Fri, 12 Apr 2019 12:53:20 +0200
+Subject: spi: rockchip: turn down tx dma bursts
+
+[ Upstream commit 47300728fb213486a830565d2af49da967c9d16a ]
+
+This fixes tx and bi-directional dma transfers on rk3399-gru-kevin.
+
+It seems the SPI fifo must have room for 2 bursts when the dma_tx_req
+signal is generated or it might skip some words. This in turn makes
+the rx dma channel never complete for bi-directional transfers.
+
+Fix it by setting tx burst length to fifo_len / 4 and the dma
+watermark to fifo_len / 2.
+
+However the rk3399 TRM says (sic):
+"DMAC support incrementing-address burst and fixed-address burst. But in
+the case of access SPI and UART at byte or halfword size, DMAC only
+support fixed-address burst and the address must be aligned to word."
+
+So this relies on fifo_len being a multiple of 16 such that the
+burst length (= fifo_len / 4) is a multiple of 4 and the addresses
+will be word-aligned.
+
+Fixes: dcfc861d24ec ("spi: rockchip: adjust dma watermark and burstlen")
+Signed-off-by: Emil Renner Berthing <kernel@esmil.dk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-rockchip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c
+index 9b91188a85f9..2cc6d9951b52 100644
+--- a/drivers/spi/spi-rockchip.c
++++ b/drivers/spi/spi-rockchip.c
+@@ -417,7 +417,7 @@ static int rockchip_spi_prepare_dma(struct rockchip_spi *rs,
+ .direction = DMA_MEM_TO_DEV,
+ .dst_addr = rs->dma_addr_tx,
+ .dst_addr_width = rs->n_bytes,
+- .dst_maxburst = rs->fifo_len / 2,
++ .dst_maxburst = rs->fifo_len / 4,
+ };
+
+ dmaengine_slave_config(master->dma_tx, &txconf);
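Review bot: `.dst_maxburst = rs->fifo_len / 4` depends on an invariant that only the commit message states: fifo_len must be a multiple of 16 so that the burst length stays a multiple of 4 and the addresses stay word-aligned. Nothing in the hunk records or checks that, and the DMATDLR write in the second hunk (`rs->fifo_len / 2`) relies on the same pairing of watermark and burst length. I would add a comment above the initializer, `/* burst = fifo_len / 4 so the FIFO has room for 2 bursts at dma_tx_req; fifo_len must be a multiple of 16 */`, and consider a one-time check where fifo_len is determined, which is outside this hunk. rockchip_spi_prepare_dma() continues outside the hunk.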
+@@ -518,7 +518,7 @@ static void rockchip_spi_config(struct rockchip_spi *rs,
+ else
+ writel_relaxed(rs->fifo_len / 2 - 1, rs->regs + ROCKCHIP_SPI_RXFTLR);
+
+- writel_relaxed(rs->fifo_len / 2 - 1, rs->regs + ROCKCHIP_SPI_DMATDLR);
++ writel_relaxed(rs->fifo_len / 2, rs->regs + ROCKCHIP_SPI_DMATDLR);
+ writel_relaxed(0, rs->regs + ROCKCHIP_SPI_DMARDLR);
+ writel_relaxed(dmacr, rs->regs + ROCKCHIP_SPI_DMACR);
+
+--
+2.20.1
+
--- /dev/null
+From 6adef5a9630328e3179a91b865390c76be0048ab Mon Sep 17 00:00:00 2001
+From: Nathan Huckleberry <nhuck@google.com>
+Date: Fri, 14 Jun 2019 11:16:04 -0700
+Subject: timer_list: Guard procfs specific code
+
+[ Upstream commit a9314773a91a1d3b36270085246a6715a326ff00 ]
+
+With CONFIG_PROC_FS=n the following warning is emitted:
+
+kernel/time/timer_list.c:361:36: warning: unused variable
+'timer_list_sops' [-Wunused-const-variable]
+ static const struct seq_operations timer_list_sops = {
+
+Add #ifdef guard around procfs specific code.
+
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: john.stultz@linaro.org
+Cc: sboyd@kernel.org
+Cc: clang-built-linux@googlegroups.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/534
+Link: https://lkml.kernel.org/r/20190614181604.112297-1-nhuck@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timer_list.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
+index 98ba50dcb1b2..acb326f5f50a 100644
+--- a/kernel/time/timer_list.c
++++ b/kernel/time/timer_list.c
+@@ -282,23 +282,6 @@ static inline void timer_list_header(struct seq_file *m, u64 now)
+ SEQ_printf(m, "\n");
+ }
+
+-static int timer_list_show(struct seq_file *m, void *v)
+-{
+- struct timer_list_iter *iter = v;
+-
+- if (iter->cpu == -1 && !iter->second_pass)
+- timer_list_header(m, iter->now);
+- else if (!iter->second_pass)
+- print_cpu(m, iter->cpu, iter->now);
+-#ifdef CONFIG_GENERIC_CLOCKEVENTS
+- else if (iter->cpu == -1 && iter->second_pass)
+- timer_list_show_tickdevices_header(m);
+- else
+- print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
+-#endif
+- return 0;
+-}
+-
+ void sysrq_timer_list_show(void)
+ {
+ u64 now = ktime_to_ns(ktime_get());
+@@ -317,6 +300,24 @@ void sysrq_timer_list_show(void)
+ return;
+ }
+
++#ifdef CONFIG_PROC_FS
++static int timer_list_show(struct seq_file *m, void *v)
++{
++ struct timer_list_iter *iter = v;
++
++ if (iter->cpu == -1 && !iter->second_pass)
++ timer_list_header(m, iter->now);
++ else if (!iter->second_pass)
++ print_cpu(m, iter->cpu, iter->now);
++#ifdef CONFIG_GENERIC_CLOCKEVENTS
++ else if (iter->cpu == -1 && iter->second_pass)
++ timer_list_show_tickdevices_header(m);
++ else
++ print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
++#endif
++ return 0;
++}
++
+ static void *move_iter(struct timer_list_iter *iter, loff_t offset)
+ {
+ for (; offset; offset--) {
+@@ -376,3 +377,4 @@ static int __init init_timer_list_procfs(void)
+ return 0;
+ }
+ __initcall(init_timer_list_procfs);
++#endif
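Review bot: The bare `#endif` added as the last line of the file closes the `#ifdef CONFIG_PROC_FS` opened in the previous hunk, with a nested `#ifdef CONFIG_GENERIC_CLOCKEVENTS`/`#endif` pair in between, so a reader at the end of the file cannot tell which condition it ends. I would write it as `#endif /* CONFIG_PROC_FS */`.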
+--
+2.20.1
+
--- /dev/null
+From baece494e9f3a1b0d3fa1eb5d2ca7ed7d8e2ef3f Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Fri, 5 Jul 2019 14:10:31 +0200
+Subject: tools: bpftool: Fix json dump crash on powerpc
+
+[ Upstream commit aa52bcbe0e72fac36b1862db08b9c09c4caefae3 ]
+
+Michael reported a crash with a bpf program in json mode on powerpc:
+
+ # bpftool prog -p dump jited id 14
+ [{
+ "name": "0xd00000000a9aa760",
+ "insns": [{
+ "pc": "0x0",
+ "operation": "nop",
+ "operands": [null
+ ]
+ },{
+ "pc": "0x4",
+ "operation": "nop",
+ "operands": [null
+ ]
+ },{
+ "pc": "0x8",
+ "operation": "mflr",
+ Segmentation fault (core dumped)
+
+The code is assuming char pointers in format, which is not always
+true at least for powerpc. Fixing this by dumping the whole string
+into buffer based on its format.
+
+Please note that libopcodes code does not check return values from
+fprintf callback, but as per Jakub suggestion returning -1 on allocation
+failure so we do the best effort to propagate the error.
+
+Fixes: 107f041212c1 ("tools: bpftool: add JSON output for `bpftool prog dump jited *` command")
+Reported-by: Michael Petlan <mpetlan@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/jit_disasm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/bpf/bpftool/jit_disasm.c b/tools/bpf/bpftool/jit_disasm.c
+index 3ef3093560ba..bfed711258ce 100644
+--- a/tools/bpf/bpftool/jit_disasm.c
++++ b/tools/bpf/bpftool/jit_disasm.c
+@@ -11,6 +11,8 @@
+ * Licensed under the GNU General Public License, version 2.0 (GPLv2)
+ */
+
++#define _GNU_SOURCE
++#include <stdio.h>
+ #include <stdarg.h>
+ #include <stdint.h>
+ #include <stdio.h>
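Review bot: The added `#include <stdio.h>` duplicates the existing `#include <stdio.h>` two lines below it; `#define _GNU_SOURCE` only has to appear before the first system header, so the extra include can be dropped. The third hunk also starts calling `free()`, and no `<stdlib.h>` include is visible in this hunk, so confirm it is included elsewhere in the file.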
+@@ -44,11 +46,13 @@ static int fprintf_json(void *out, const char *fmt, ...)
+ char *s;
+
+ va_start(ap, fmt);
++ if (vasprintf(&s, fmt, ap) < 0)
++ return -1;
++ va_end(ap);
++
+ if (!oper_count) {
+ int i;
+
+- s = va_arg(ap, char *);
+-
+ /* Strip trailing spaces */
+ i = strlen(s) - 1;
+ while (s[i] == ' ')
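Review bot: The early `return -1` after `vasprintf()` leaves the function without calling `va_end(ap)` although `va_start(ap, fmt)` has already run; every `va_start` must be matched by a `va_end` in the same function, so the allocation-failure path is undefined behaviour. Capturing the result, calling `va_end(ap)` unconditionally and only then testing the result fixes it, as in the excerpt below. Separately, the context lines `i = strlen(s) - 1;` and `while (s[i] == ' ')` now operate on a heap buffer, and for an empty or all-space string the index would step before the start of that allocation. The loop body is outside the hunk, so this needs checking against the full function; a guard such as `while (i >= 0 && s[i] == ' ')` would bound it. fprintf_json() starts outside the hunk.

```c
	int err;

	va_start(ap, fmt);
	err = vasprintf(&s, fmt, ap);
	va_end(ap);	/* release ap on the failure path too */
	if (err < 0)
		return -1;
	/* … unchanged: oper_count handling and free(s) … */
```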
+@@ -61,11 +65,10 @@ static int fprintf_json(void *out, const char *fmt, ...)
+ } else if (!strcmp(fmt, ",")) {
+ /* Skip */
+ } else {
+- s = va_arg(ap, char *);
+ jsonw_string(json_wtr, s);
+ oper_count++;
+ }
+- va_end(ap);
++ free(s);
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From cee68e81c74f8354b14f1c15d489ddd1fbc7cc62 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Tue, 18 Jun 2019 17:59:16 -0300
+Subject: tools build: Fix the zstd test in the test-all.c common case feature
+ test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3469fa84c1631face938efc42b3f488a2c2504e0 ]
+
+We were renaming 'main' to 'main_zstd' but then using 'main_libzstd();'
+in the main() for test-all.c, causing this:
+
+ $ cat /tmp/build/perf/feature/test-all.make.output
+ test-all.c: In function ‘main’:
+ test-all.c:236:2: error: implicit declaration of function ‘main_test_libzstd’; did you mean ‘main_test_zstd’? [-Werror=implicit-function-declaration]
+ main_test_libzstd();
+ ^~~~~~~~~~~~~~~~~
+ main_test_zstd
+ cc1: all warnings being treated as errors
+ $
+
+I.e. what was supposed to be the fast path feature test was _always_
+failing, duh, fix it.
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Fixes: 3b1c5d965971 ("tools build: Implement libzstd feature check, LIBZSTD_DIR and NO_LIBZSTD defines")
+Link: https://lkml.kernel.org/n/tip-ma4abk0utroiw4mwpmvnjlru@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/build/feature/test-all.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/build/feature/test-all.c b/tools/build/feature/test-all.c
+index a59c53705093..939ac2fcc783 100644
+--- a/tools/build/feature/test-all.c
++++ b/tools/build/feature/test-all.c
+@@ -182,7 +182,7 @@
+ # include "test-disassembler-four-args.c"
+ #undef main
+
+-#define main main_test_zstd
++#define main main_test_libzstd
+ # include "test-libzstd.c"
+ #undef main
+
+--
+2.20.1
+
--- /dev/null
+From 49b3dcc5cc589ab53938172740b03e7449224c04 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 30 May 2019 11:36:15 -0700
+Subject: tua6100: Avoid build warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 621ccc6cc5f8d6730b740d31d4818227866c93c9 ]
+
+Rename _P to _P_VAL and _R to _R_VAL to avoid global
+namespace conflicts:
+
+drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’:
+drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined
+ #define _P 32
+
+In file included from ./include/acpi/platform/aclinux.h:54,
+ from ./include/acpi/platform/acenv.h:152,
+ from ./include/acpi/acpi.h:22,
+ from ./include/linux/acpi.h:34,
+ from ./include/linux/i2c.h:17,
+ from drivers/media/dvb-frontends/tua6100.h:30,
+ from drivers/media/dvb-frontends/tua6100.c:32:
+./include/linux/ctype.h:14: note: this is the location of the previous definition
+ #define _P 0x10 /* punct */
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/tua6100.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tua6100.c b/drivers/media/dvb-frontends/tua6100.c
+index f7c3e6be8e4d..2483f614d0e7 100644
+--- a/drivers/media/dvb-frontends/tua6100.c
++++ b/drivers/media/dvb-frontends/tua6100.c
+@@ -67,8 +67,8 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ struct i2c_msg msg1 = { .addr = priv->i2c_address, .flags = 0, .buf = reg1, .len = 4 };
+ struct i2c_msg msg2 = { .addr = priv->i2c_address, .flags = 0, .buf = reg2, .len = 3 };
+
+-#define _R 4
+-#define _P 32
++#define _R_VAL 4
++#define _P_VAL 32
+ #define _ri 4000000
+
+ // setup register 0
+@@ -83,14 +83,14 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ else
+ reg1[1] = 0x0c;
+
+- if (_P == 64)
++ if (_P_VAL == 64)
+ reg1[1] |= 0x40;
+ if (c->frequency >= 1525000)
+ reg1[1] |= 0x80;
+
+ // register 2
+- reg2[1] = (_R >> 8) & 0x03;
+- reg2[2] = _R;
++ reg2[1] = (_R_VAL >> 8) & 0x03;
++ reg2[2] = _R_VAL;
+ if (c->frequency < 1455000)
+ reg2[1] |= 0x1c;
+ else if (c->frequency < 1630000)
+@@ -102,18 +102,18 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ * The N divisor ratio (note: c->frequency is in kHz, but we
+ * need it in Hz)
+ */
+- prediv = (c->frequency * _R) / (_ri / 1000);
+- div = prediv / _P;
++ prediv = (c->frequency * _R_VAL) / (_ri / 1000);
++ div = prediv / _P_VAL;
+ reg1[1] |= (div >> 9) & 0x03;
+ reg1[2] = div >> 1;
+ reg1[3] = (div << 7);
+- priv->frequency = ((div * _P) * (_ri / 1000)) / _R;
++ priv->frequency = ((div * _P_VAL) * (_ri / 1000)) / _R_VAL;
+
+ // Finally, calculate and store the value for A
+- reg1[3] |= (prediv - (div*_P)) & 0x7f;
++ reg1[3] |= (prediv - (div*_P_VAL)) & 0x7f;
+
+-#undef _R
+-#undef _P
++#undef _R_VAL
++#undef _P_VAL
+ #undef _ri
+
+ if (fe->ops.i2c_gate_ctrl)
+--
+2.20.1
+
--- /dev/null
+From 62e989da4e60428470e0de70eaf154d63b669fca Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 17 Jun 2019 05:20:54 -0400
+Subject: vhost_net: disable zerocopy by default
+
+[ Upstream commit 098eadce3c622c07b328d0a43dda379b38cf7c5e ]
+
+Vhost_net was known to suffer from HOL[1] issues which is not easy to
+fix. Several downstream disable the feature by default. What's more,
+the datapath was split and datacopy path got the support of batching
+and XDP support recently which makes it faster than zerocopy part for
+small packets transmission.
+
+It looks to me that disable zerocopy by default is more
+appropriate. It could be enabled by default again in the future if we
+fix the above issues.
+
+[1] https://patchwork.kernel.org/patch/3787671/
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index d57ebdd616d9..247e5585af5d 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -35,7 +35,7 @@
+
+ #include "vhost.h"
+
+-static int experimental_zcopytx = 1;
++static int experimental_zcopytx = 0;
+ module_param(experimental_zcopytx, int, 0444);
+ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
+ " 1 -Enable; 0 - Disable");
+--
+2.20.1
+
--- /dev/null
+From 405d1d03583f7363dd3cee4ae013bccad1d589cb Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 28 Jun 2019 14:07:25 +0900
+Subject: vxlan: do not destroy fdb if register_netdevice() is failed
+
+[ Upstream commit 7c31e54aeee517d1318dfc0bde9fa7de75893dc6 ]
+
+__vxlan_dev_create() destroys FDB using specific pointer which indicates
+a fdb when error occurs.
+But that pointer should not be used when register_netdevice() fails because
+register_netdevice() internally destroys fdb when error occurs.
+
+This patch makes vxlan_fdb_create() to do not link fdb entry to vxlan dev
+internally.
+Instead, a new function vxlan_fdb_insert() is added to link fdb to vxlan
+dev.
+
+vxlan_fdb_insert() is called after calling register_netdevice().
+This routine can avoid situation that ->ndo_uninit() destroys fdb entry
+in error path of register_netdevice().
+Hence, error path of __vxlan_dev_create() routine can have an opportunity
+to destroy default fdb entry by hand.
+
+Test command
+ ip link add bonding_masters type vxlan id 0 group 239.1.1.1 \
+ dev enp0s9 dstport 4789
+
+Splat looks like:
+[ 213.392816] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 213.401257] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 213.402178] CPU: 0 PID: 1414 Comm: ip Not tainted 5.2.0-rc5+ #256
+[ 213.402178] RIP: 0010:vxlan_fdb_destroy+0x120/0x220 [vxlan]
+[ 213.402178] Code: df 48 8b 2b 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 06 01 00 00 4c 8b 63 08 48 b8 00 00 00 00 00 fc d
+[ 213.402178] RSP: 0018:ffff88810cb9f0a0 EFLAGS: 00010202
+[ 213.402178] RAX: dffffc0000000000 RBX: ffff888101d4a8c8 RCX: 0000000000000000
+[ 213.402178] RDX: 1bd5a00000000040 RSI: ffff888101d4a8c8 RDI: ffff888101d4a8d0
+[ 213.402178] RBP: 0000000000000000 R08: fffffbfff22b72d9 R09: 0000000000000000
+[ 213.402178] R10: 00000000ffffffef R11: 0000000000000000 R12: dead000000000200
+[ 213.402178] R13: ffff88810cb9f1f8 R14: ffff88810efccda0 R15: ffff88810efccda0
+[ 213.402178] FS: 00007f7f6621a0c0(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
+[ 213.402178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 213.402178] CR2: 000055746f0807d0 CR3: 00000001123e0000 CR4: 00000000001006f0
+[ 213.402178] Call Trace:
+[ 213.402178] __vxlan_dev_create+0x3a9/0x7d0 [vxlan]
+[ 213.402178] ? vxlan_changelink+0x740/0x740 [vxlan]
+[ 213.402178] ? rcu_read_unlock+0x60/0x60 [vxlan]
+[ 213.402178] ? __kasan_kmalloc.constprop.3+0xa0/0xd0
+[ 213.402178] vxlan_newlink+0x8d/0xc0 [vxlan]
+[ 213.402178] ? __vxlan_dev_create+0x7d0/0x7d0 [vxlan]
+[ 213.554119] ? __netlink_ns_capable+0xc3/0xf0
+[ 213.554119] __rtnl_newlink+0xb75/0x1180
+[ 213.554119] ? rtnl_link_unregister+0x230/0x230
+[ ... ]
+
+Fixes: 0241b836732f ("vxlan: fix default fdb entry netlink notify ordering during netdev create")
+Suggested-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan.c | 37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 083f3f0bf37f..b4283f52a09d 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -804,6 +804,14 @@ static struct vxlan_fdb *vxlan_fdb_alloc(struct vxlan_dev *vxlan,
+ return f;
+ }
+
++static void vxlan_fdb_insert(struct vxlan_dev *vxlan, const u8 *mac,
++ __be32 src_vni, struct vxlan_fdb *f)
++{
++ ++vxlan->addrcnt;
++ hlist_add_head_rcu(&f->hlist,
++ vxlan_fdb_head(vxlan, mac, src_vni));
++}
++
+ static int vxlan_fdb_create(struct vxlan_dev *vxlan,
+ const u8 *mac, union vxlan_addr *ip,
+ __u16 state, __be16 port, __be32 src_vni,
+@@ -829,18 +837,13 @@ static int vxlan_fdb_create(struct vxlan_dev *vxlan,
+ return rc;
+ }
+
+- ++vxlan->addrcnt;
+- hlist_add_head_rcu(&f->hlist,
+- vxlan_fdb_head(vxlan, mac, src_vni));
+-
+ *fdb = f;
+
+ return 0;
+ }
+
+-static void vxlan_fdb_free(struct rcu_head *head)
++static void __vxlan_fdb_free(struct vxlan_fdb *f)
+ {
+- struct vxlan_fdb *f = container_of(head, struct vxlan_fdb, rcu);
+ struct vxlan_rdst *rd, *nd;
+
+ list_for_each_entry_safe(rd, nd, &f->remotes, list) {
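Review bot: `__vxlan_fdb_free()` frees the entry and its remotes immediately, while `vxlan_fdb_free()` (next hunk) is the variant that takes an `rcu_head`, and nothing in the new code says when the direct form is allowed. As far as the visible hunks show, it is safe only for an entry that was never published with `vxlan_fdb_insert()` (which uses `hlist_add_head_rcu`), as in the `errout` path of `__vxlan_dev_create()`; calling it on a linked entry would free memory that RCU readers may still reach. I would add a comment above it such as `/* Only for an fdb not yet linked by vxlan_fdb_insert(); linked entries must go through vxlan_fdb_destroy(). */`. The function body continues outside the hunk.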
+@@ -850,6 +853,13 @@ static void vxlan_fdb_free(struct rcu_head *head)
+ kfree(f);
+ }
+
++static void vxlan_fdb_free(struct rcu_head *head)
++{
++ struct vxlan_fdb *f = container_of(head, struct vxlan_fdb, rcu);
++
++ __vxlan_fdb_free(f);
++}
++
+ static void vxlan_fdb_destroy(struct vxlan_dev *vxlan, struct vxlan_fdb *f,
+ bool do_notify, bool swdev_notify)
+ {
+@@ -977,6 +987,7 @@ static int vxlan_fdb_update_create(struct vxlan_dev *vxlan,
+ if (rc < 0)
+ return rc;
+
++ vxlan_fdb_insert(vxlan, mac, src_vni, f);
+ rc = vxlan_fdb_notify(vxlan, f, first_remote_rtnl(f), RTM_NEWNEIGH,
+ swdev_notify, extack);
+ if (rc)
+@@ -3571,12 +3582,17 @@ static int __vxlan_dev_create(struct net *net, struct net_device *dev,
+ if (err)
+ goto errout;
+
+- /* notify default fdb entry */
+ if (f) {
++ vxlan_fdb_insert(vxlan, all_zeros_mac,
++ vxlan->default_dst.remote_vni, f);
++
++ /* notify default fdb entry */
+ err = vxlan_fdb_notify(vxlan, f, first_remote_rtnl(f),
+ RTM_NEWNEIGH, true, extack);
+- if (err)
+- goto errout;
++ if (err) {
++ vxlan_fdb_destroy(vxlan, f, false, false);
++ goto unregister;
++ }
+ }
+
+ list_add(&vxlan->next, &vn->vxlan_list);
+@@ -3588,7 +3604,8 @@ static int __vxlan_dev_create(struct net *net, struct net_device *dev,
+ * destroy the entry by hand here.
+ */
+ if (f)
+- vxlan_fdb_destroy(vxlan, f, false, false);
++ __vxlan_fdb_free(f);
++unregister:
+ if (unregister)
+ unregister_netdevice(dev);
+ return err;
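Review bot: The new label `unregister:` has the same name as the `unregister` flag tested on the very next line (`if (unregister)`); labels live in their own namespace so it compiles, but `goto unregister` in the previous hunk then reads as if it referred to the flag. Renaming the label, e.g. `goto err_unregister;` and `err_unregister:`, keeps the two apart. __vxlan_dev_create() starts outside the hunk.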
+--
+2.20.1
+
--- /dev/null
+From 798cc03802e139fbffaf344ab26242521f5b4ba1 Mon Sep 17 00:00:00 2001
+From: Ahmad Masri <amasri@codeaurora.org>
+Date: Sun, 16 Jun 2019 10:26:07 +0300
+Subject: wil6210: drop old event after wmi_call timeout
+
+[ Upstream commit 1a276003111c0404f6bfeffe924c5a21f482428b ]
+
+This change fixes a rare race condition of handling WMI events after
+wmi_call expires.
+
+wmi_recv_cmd immediately handles an event when reply_buf is defined and
+a wmi_call is waiting for the event.
+However, in case the wmi_call has already timed-out, there will be no
+waiting/running wmi_call and the event will be queued in WMI queue and
+will be handled later in wmi_event_handle.
+Meanwhile, a new similar wmi_call for the same command and event may
+be issued. In this case, when handling the queued event we got WARN_ON
+printed.
+
+Fix this by treating the case as a valid timeout and dropping the unexpected event.
+
+Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/wmi.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
+index d89cd41e78ac..89a75ff29410 100644
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -3220,7 +3220,18 @@ static void wmi_event_handle(struct wil6210_priv *wil,
+ /* check if someone waits for this event */
+ if (wil->reply_id && wil->reply_id == id &&
+ wil->reply_mid == mid) {
+- WARN_ON(wil->reply_buf);
++ if (wil->reply_buf) {
++ /* event received while wmi_call is waiting
++ * with a buffer. Such event should be handled
++ * in wmi_recv_cmd function. Handling the event
++ * here means a previous wmi_call was timeout.
++ * Drop the event and do not handle it.
++ */
++ wil_err(wil,
++ "Old event (%d, %s) while wmi_call is waiting. Drop it and Continue waiting\n",
++ id, eventid2name(id));
++ return;
++ }
+
+ wmi_evt_call_handler(vif, id, evt_data,
+ len - sizeof(*wmi));
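Review bot: The new `wil_err(...)` for a stale event is not rate-limited, and the event that triggers it comes from the device, so repeated late replies can fill the kernel log. The driver already has `wil_err_ratelimited` (used for the spurious-IRQ messages in interrupt.c), so I would change `wil_err(wil,` to `wil_err_ratelimited(wil,` here and keep the message as is. The early `return` also skips whatever follows the reply check in wmi_event_handle(), which continues outside the hunk, so confirm that no per-event cleanup is bypassed.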
+--
+2.20.1
+
--- /dev/null
+From 778c0f1e09143a408d144155f1fd2acc53c1fdb8 Mon Sep 17 00:00:00 2001
+From: Maya Erez <merez@codeaurora.org>
+Date: Fri, 26 Apr 2019 18:43:35 +0300
+Subject: wil6210: fix missed MISC mbox interrupt
+
+[ Upstream commit 7441be71ba7e07791fd4fa2b07c932dff14ff4d9 ]
+
+When MISC interrupt is triggered due to HALP bit, in parallel
+to mbox events handling by the MISC threaded IRQ, new mbox
+interrupt can be missed in the following scenario:
+1. MISC ICR is read in the IRQ handler
+2. Threaded IRQ is completed and all MISC interrupts are unmasked
+3. mbox interrupt is set by FW
+4. HALP is masked
+The mbox interrupt in step 3 can be missed due to constant high level
+of ICM.
+Masking all MISC IRQs instead of masking only HALP bit in step 4
+will guarantee that ICM will drop to 0 and interrupt will be triggered
+once MISC interrupts will be unmasked.
+
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/interrupt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/interrupt.c b/drivers/net/wireless/ath/wil6210/interrupt.c
+index 3f5bd177d55f..e41ba24011d8 100644
+--- a/drivers/net/wireless/ath/wil6210/interrupt.c
++++ b/drivers/net/wireless/ath/wil6210/interrupt.c
+@@ -580,7 +580,7 @@ static irqreturn_t wil6210_irq_misc(int irq, void *cookie)
+ /* no need to handle HALP ICRs until next vote */
+ wil->halp.handle_icr = false;
+ wil_dbg_irq(wil, "irq_misc: HALP IRQ invoked\n");
+- wil6210_mask_halp(wil);
++ wil6210_mask_irq_misc(wil, true);
+ complete(&wil->halp.comp);
+ }
+ }
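Review bot: `wil6210_mask_irq_misc(wil, true)` replaces a HALP-only mask with a mask of all MISC interrupts, but the reason (a mailbox interrupt raised in between can be missed while ICM stays high) is only in the commit message, and the bare `true` argument is not explained at the call site. I would extend the comment above the call, e.g. `/* mask all MISC IRQs, not just HALP, so ICM drops to 0 and a pending mbox IRQ re-triggers on unmask */`. wil6210_irq_misc() starts and ends outside the hunk.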
+--
+2.20.1
+
--- /dev/null
+From 3ed8cba7d583d4d646b3ac72185fdf26101b8cd7 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 15 Apr 2019 09:56:46 -0500
+Subject: wil6210: fix potential out-of-bounds read
+
+[ Upstream commit bfabdd6997323adbedccb13a3fed1967fb8cf8f5 ]
+
+Notice that *rc* can evaluate to up to 5, include/linux/netdevice.h:
+
+enum gro_result {
+ GRO_MERGED,
+ GRO_MERGED_FREE,
+ GRO_HELD,
+ GRO_NORMAL,
+ GRO_DROP,
+ GRO_CONSUMED,
+};
+typedef enum gro_result gro_result_t;
+
+In case *rc* evaluates to 5, we end up having an out-of-bounds read
+at drivers/net/wireless/ath/wil6210/txrx.c:821:
+
+ wil_dbg_txrx(wil, "Rx complete %d bytes => %s\n",
+ len, gro_res_str[rc]);
+
+Fix this by adding element "GRO_CONSUMED" to array gro_res_str.
+
+Addresses-Coverity-ID: 1444666 ("Out-of-bounds read")
+Fixes: 194b482b5055 ("wil6210: Debug print GRO Rx result")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/txrx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
+index 4ccfd1404458..d74837cce67f 100644
+--- a/drivers/net/wireless/ath/wil6210/txrx.c
++++ b/drivers/net/wireless/ath/wil6210/txrx.c
+@@ -750,6 +750,7 @@ void wil_netif_rx_any(struct sk_buff *skb, struct net_device *ndev)
+ [GRO_HELD] = "GRO_HELD",
+ [GRO_NORMAL] = "GRO_NORMAL",
+ [GRO_DROP] = "GRO_DROP",
++ [GRO_CONSUMED] = "GRO_CONSUMED",
+ };
+
+ wil->txrx_ops.get_netif_rx_params(skb, &cid, &security);
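Review bot: Adding `[GRO_CONSUMED]` fixes today's out-of-bounds read, but the table is still sized by its initializers and, according to the commit message, indexed as `gro_res_str[rc]` with no range check (the use is outside the hunk), so the next value added to `enum gro_result` brings the same read back. A bounded lookup at the use site, `rc < ARRAY_SIZE(gro_res_str) ? gro_res_str[rc] : "unknown"`, would keep the debug print safe regardless of enum growth. wil_netif_rx_any() continues outside the hunk.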
+--
+2.20.1
+
--- /dev/null
+From 1ea934d3482882d0a90507040324a4b80c694641 Mon Sep 17 00:00:00 2001
+From: Maya Erez <merez@codeaurora.org>
+Date: Fri, 26 Apr 2019 18:43:29 +0300
+Subject: wil6210: fix spurious interrupts in 3-msi
+
+[ Upstream commit e10b0eddd5235aa5aef4e40b970e34e735611a80 ]
+
+Interrupt is set in ICM (ICR & ~IMV) rising trigger.
+As the driver masks the IRQ after clearing it, there can
+be a race where an additional spurious interrupt is triggered
+when the driver unmask the IRQ.
+This can happen in case HW triggers an interrupt after the clear
+and before the mask.
+
+To prevent the second spurious interrupt the driver needs to mask the
+IRQ before reading and clearing it.
+
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/interrupt.c | 65 ++++++++++++--------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/interrupt.c b/drivers/net/wireless/ath/wil6210/interrupt.c
+index e41ba24011d8..b00a13d6d530 100644
+--- a/drivers/net/wireless/ath/wil6210/interrupt.c
++++ b/drivers/net/wireless/ath/wil6210/interrupt.c
+@@ -296,21 +296,24 @@ void wil_configure_interrupt_moderation(struct wil6210_priv *wil)
+ static irqreturn_t wil6210_irq_rx(int irq, void *cookie)
+ {
+ struct wil6210_priv *wil = cookie;
+- u32 isr = wil_ioread32_and_clear(wil->csr +
+- HOSTADDR(RGF_DMA_EP_RX_ICR) +
+- offsetof(struct RGF_ICR, ICR));
++ u32 isr;
+ bool need_unmask = true;
+
++ wil6210_mask_irq_rx(wil);
++
++ isr = wil_ioread32_and_clear(wil->csr +
++ HOSTADDR(RGF_DMA_EP_RX_ICR) +
++ offsetof(struct RGF_ICR, ICR));
++
+ trace_wil6210_irq_rx(isr);
+ wil_dbg_irq(wil, "ISR RX 0x%08x\n", isr);
+
+ if (unlikely(!isr)) {
+ wil_err_ratelimited(wil, "spurious IRQ: RX\n");
++ wil6210_unmask_irq_rx(wil);
+ return IRQ_NONE;
+ }
+
+- wil6210_mask_irq_rx(wil);
+-
+ /* RX_DONE and RX_HTRSH interrupts are the same if interrupt
+ * moderation is not used. Interrupt moderation may cause RX
+ * buffer overflow while RX_DONE is delayed. The required
+@@ -355,21 +358,24 @@ static irqreturn_t wil6210_irq_rx(int irq, void *cookie)
+ static irqreturn_t wil6210_irq_rx_edma(int irq, void *cookie)
+ {
+ struct wil6210_priv *wil = cookie;
+- u32 isr = wil_ioread32_and_clear(wil->csr +
+- HOSTADDR(RGF_INT_GEN_RX_ICR) +
+- offsetof(struct RGF_ICR, ICR));
++ u32 isr;
+ bool need_unmask = true;
+
++ wil6210_mask_irq_rx_edma(wil);
++
++ isr = wil_ioread32_and_clear(wil->csr +
++ HOSTADDR(RGF_INT_GEN_RX_ICR) +
++ offsetof(struct RGF_ICR, ICR));
++
+ trace_wil6210_irq_rx(isr);
+ wil_dbg_irq(wil, "ISR RX 0x%08x\n", isr);
+
+ if (unlikely(!isr)) {
+ wil_err(wil, "spurious IRQ: RX\n");
++ wil6210_unmask_irq_rx_edma(wil);
+ return IRQ_NONE;
+ }
+
+- wil6210_mask_irq_rx_edma(wil);
+-
+ if (likely(isr & BIT_RX_STATUS_IRQ)) {
+ wil_dbg_irq(wil, "RX status ring\n");
+ isr &= ~BIT_RX_STATUS_IRQ;
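Review bot: The spurious-interrupt path in wil6210_irq_rx_edma logs with plain `wil_err`, while wil6210_irq_rx and wil6210_irq_tx use `wil_err_ratelimited` for the same condition. After this change each spurious interrupt also performs a mask and an unmask call, so a device that raises them in a burst would both do that work and flood the kernel log. Using `wil_err_ratelimited(wil, "spurious IRQ: RX\n");` here, and the equivalent in the wil6210_irq_tx_edma and wil6210_irq_misc hunks, would make the five handlers consistent.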
+@@ -403,21 +409,24 @@ static irqreturn_t wil6210_irq_rx_edma(int irq, void *cookie)
+ static irqreturn_t wil6210_irq_tx_edma(int irq, void *cookie)
+ {
+ struct wil6210_priv *wil = cookie;
+- u32 isr = wil_ioread32_and_clear(wil->csr +
+- HOSTADDR(RGF_INT_GEN_TX_ICR) +
+- offsetof(struct RGF_ICR, ICR));
++ u32 isr;
+ bool need_unmask = true;
+
++ wil6210_mask_irq_tx_edma(wil);
++
++ isr = wil_ioread32_and_clear(wil->csr +
++ HOSTADDR(RGF_INT_GEN_TX_ICR) +
++ offsetof(struct RGF_ICR, ICR));
++
+ trace_wil6210_irq_tx(isr);
+ wil_dbg_irq(wil, "ISR TX 0x%08x\n", isr);
+
+ if (unlikely(!isr)) {
+ wil_err(wil, "spurious IRQ: TX\n");
++ wil6210_unmask_irq_tx_edma(wil);
+ return IRQ_NONE;
+ }
+
+- wil6210_mask_irq_tx_edma(wil);
+-
+ if (likely(isr & BIT_TX_STATUS_IRQ)) {
+ wil_dbg_irq(wil, "TX status ring\n");
+ isr &= ~BIT_TX_STATUS_IRQ;
+@@ -446,21 +455,24 @@ static irqreturn_t wil6210_irq_tx_edma(int irq, void *cookie)
+ static irqreturn_t wil6210_irq_tx(int irq, void *cookie)
+ {
+ struct wil6210_priv *wil = cookie;
+- u32 isr = wil_ioread32_and_clear(wil->csr +
+- HOSTADDR(RGF_DMA_EP_TX_ICR) +
+- offsetof(struct RGF_ICR, ICR));
++ u32 isr;
+ bool need_unmask = true;
+
++ wil6210_mask_irq_tx(wil);
++
++ isr = wil_ioread32_and_clear(wil->csr +
++ HOSTADDR(RGF_DMA_EP_TX_ICR) +
++ offsetof(struct RGF_ICR, ICR));
++
+ trace_wil6210_irq_tx(isr);
+ wil_dbg_irq(wil, "ISR TX 0x%08x\n", isr);
+
+ if (unlikely(!isr)) {
+ wil_err_ratelimited(wil, "spurious IRQ: TX\n");
++ wil6210_unmask_irq_tx(wil);
+ return IRQ_NONE;
+ }
+
+- wil6210_mask_irq_tx(wil);
+-
+ if (likely(isr & BIT_DMA_EP_TX_ICR_TX_DONE)) {
+ wil_dbg_irq(wil, "TX done\n");
+ isr &= ~BIT_DMA_EP_TX_ICR_TX_DONE;
+@@ -532,20 +544,23 @@ static bool wil_validate_mbox_regs(struct wil6210_priv *wil)
+ static irqreturn_t wil6210_irq_misc(int irq, void *cookie)
+ {
+ struct wil6210_priv *wil = cookie;
+- u32 isr = wil_ioread32_and_clear(wil->csr +
+- HOSTADDR(RGF_DMA_EP_MISC_ICR) +
+- offsetof(struct RGF_ICR, ICR));
++ u32 isr;
++
++ wil6210_mask_irq_misc(wil, false);
++
++ isr = wil_ioread32_and_clear(wil->csr +
++ HOSTADDR(RGF_DMA_EP_MISC_ICR) +
++ offsetof(struct RGF_ICR, ICR));
+
+ trace_wil6210_irq_misc(isr);
+ wil_dbg_irq(wil, "ISR MISC 0x%08x\n", isr);
+
+ if (!isr) {
+ wil_err(wil, "spurious IRQ: MISC\n");
++ wil6210_unmask_irq_misc(wil, false);
+ return IRQ_NONE;
+ }
+
+- wil6210_mask_irq_misc(wil, false);
+-
+ if (isr & ISR_MISC_FW_ERROR) {
+ u32 fw_assert_code = wil_r(wil, wil->rgf_fw_assert_code_addr);
+ u32 ucode_assert_code =
+--
+2.20.1
+
--- /dev/null
+From dfb7e63f41d168a5ddcb05df1f36ae42fd3216a0 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 24 Apr 2019 13:38:23 +0200
+Subject: x86/atomic: Fix smp_mb__{before,after}_atomic()
+
+[ Upstream commit 69d927bba39517d0980462efc051875b7f4db185 ]
+
+Recent probing at the Linux Kernel Memory Model uncovered a
+'surprise'. Strongly ordered architectures where the atomic RmW
+primitive implies full memory ordering and
+smp_mb__{before,after}_atomic() are a simple barrier() (such as x86)
+fail for:
+
+ *x = 1;
+ atomic_inc(u);
+ smp_mb__after_atomic();
+ r0 = *y;
+
+Because, while the atomic_inc() implies memory order, it
+(surprisingly) does not provide a compiler barrier. This then allows
+the compiler to re-order like so:
+
+ atomic_inc(u);
+ *x = 1;
+ smp_mb__after_atomic();
+ r0 = *y;
+
+Which the CPU is then allowed to re-order (under TSO rules) like:
+
+ atomic_inc(u);
+ r0 = *y;
+ *x = 1;
+
+And this very much was not intended. Therefore strengthen the atomic
+RmW ops to include a compiler barrier.
+
+NOTE: atomic_{or,and,xor} and the bitops already had the compiler
+barrier.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/atomic_t.txt | 3 +++
+ arch/x86/include/asm/atomic.h | 8 ++++----
+ arch/x86/include/asm/atomic64_64.h | 8 ++++----
+ arch/x86/include/asm/barrier.h | 4 ++--
+ 4 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/Documentation/atomic_t.txt b/Documentation/atomic_t.txt
+index dca3fb0554db..65bb09a29324 100644
+--- a/Documentation/atomic_t.txt
++++ b/Documentation/atomic_t.txt
+@@ -194,6 +194,9 @@ These helper barriers exist because architectures have varying implicit
+ ordering on their SMP atomic primitives. For example our TSO architectures
+ provide full ordered atomics and these barriers are no-ops.
+
++NOTE: when the atomic RmW ops are fully ordered, they should also imply a
++compiler barrier.
++
+ Thus:
+
+ atomic_fetch_add();
+diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
+index ea3d95275b43..115127c7ad28 100644
+--- a/arch/x86/include/asm/atomic.h
++++ b/arch/x86/include/asm/atomic.h
+@@ -54,7 +54,7 @@ static __always_inline void arch_atomic_add(int i, atomic_t *v)
+ {
+ asm volatile(LOCK_PREFIX "addl %1,%0"
+ : "+m" (v->counter)
+- : "ir" (i));
++ : "ir" (i) : "memory");
+ }
+
+ /**
+@@ -68,7 +68,7 @@ static __always_inline void arch_atomic_sub(int i, atomic_t *v)
+ {
+ asm volatile(LOCK_PREFIX "subl %1,%0"
+ : "+m" (v->counter)
+- : "ir" (i));
++ : "ir" (i) : "memory");
+ }
+
+ /**
+@@ -95,7 +95,7 @@ static __always_inline bool arch_atomic_sub_and_test(int i, atomic_t *v)
+ static __always_inline void arch_atomic_inc(atomic_t *v)
+ {
+ asm volatile(LOCK_PREFIX "incl %0"
+- : "+m" (v->counter));
++ : "+m" (v->counter) :: "memory");
+ }
+ #define arch_atomic_inc arch_atomic_inc
+
+@@ -108,7 +108,7 @@ static __always_inline void arch_atomic_inc(atomic_t *v)
+ static __always_inline void arch_atomic_dec(atomic_t *v)
+ {
+ asm volatile(LOCK_PREFIX "decl %0"
+- : "+m" (v->counter));
++ : "+m" (v->counter) :: "memory");
+ }
+ #define arch_atomic_dec arch_atomic_dec
+
+diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h
+index dadc20adba21..5e86c0d68ac1 100644
+--- a/arch/x86/include/asm/atomic64_64.h
++++ b/arch/x86/include/asm/atomic64_64.h
+@@ -45,7 +45,7 @@ static __always_inline void arch_atomic64_add(long i, atomic64_t *v)
+ {
+ asm volatile(LOCK_PREFIX "addq %1,%0"
+ : "=m" (v->counter)
+- : "er" (i), "m" (v->counter));
++ : "er" (i), "m" (v->counter) : "memory");
+ }
+
+ /**
+@@ -59,7 +59,7 @@ static inline void arch_atomic64_sub(long i, atomic64_t *v)
+ {
+ asm volatile(LOCK_PREFIX "subq %1,%0"
+ : "=m" (v->counter)
+- : "er" (i), "m" (v->counter));
++ : "er" (i), "m" (v->counter) : "memory");
+ }
+
+ /**
+@@ -87,7 +87,7 @@ static __always_inline void arch_atomic64_inc(atomic64_t *v)
+ {
+ asm volatile(LOCK_PREFIX "incq %0"
+ : "=m" (v->counter)
+- : "m" (v->counter));
++ : "m" (v->counter) : "memory");
+ }
+ #define arch_atomic64_inc arch_atomic64_inc
+
+@@ -101,7 +101,7 @@ static __always_inline void arch_atomic64_dec(atomic64_t *v)
+ {
+ asm volatile(LOCK_PREFIX "decq %0"
+ : "=m" (v->counter)
+- : "m" (v->counter));
++ : "m" (v->counter) : "memory");
+ }
+ #define arch_atomic64_dec arch_atomic64_dec
+
+diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
+index 14de0432d288..84f848c2541a 100644
+--- a/arch/x86/include/asm/barrier.h
++++ b/arch/x86/include/asm/barrier.h
+@@ -80,8 +80,8 @@ do { \
+ })
+
+ /* Atomic operations are already serializing on x86 */
+-#define __smp_mb__before_atomic() barrier()
+-#define __smp_mb__after_atomic() barrier()
++#define __smp_mb__before_atomic() do { } while (0)
++#define __smp_mb__after_atomic() do { } while (0)
+
+ #include <asm-generic/barrier.h>
+
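Review bot: The comment kept above the two macros, `/* Atomic operations are already serializing on x86 */`, no longer tells the whole story. Now that the macros expand to nothing, compiler ordering depends on every fully ordered atomic RmW asm carrying a `"memory"` clobber. Someone adding a new primitive, or trimming a clobber that looks redundant next to `"+m" (v->counter)`, gets no hint of that dependency. I would extend the comment to something like `/* Atomic RmW ops are serializing on x86 and must carry a "memory" clobber, so these are no-ops */`. Only add/sub/inc/dec in atomic.h and atomic64_64.h are touched on this page, so any other arch/x86 RmW helpers are worth a quick audit.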
+--
+2.20.1
+
--- /dev/null
+From ce3b962779d8bb339337e9665064b1cc32eefabf Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Tue, 25 Jun 2019 16:26:22 +0900
+Subject: x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
+
+[ Upstream commit bc53d3d777f81385c1bb08b07bd1c06450ecc2c1 ]
+
+Without 'set -e', shell scripts continue running even after any
+error occurs. The missed 'set -e' is a typical bug in shell scripting.
+
+For example, when a disk space shortage occurs while this script is
+running, it actually ends up with generating a truncated capflags.c.
+
+Yet, mkcapflags.sh continues running and exits with 0. So, the build
+system assumes it has succeeded.
+
+It will not be re-generated in the next invocation of Make since its
+timestamp is newer than that of any of the source files.
+
+Add 'set -e' so that any error in this script is caught and propagated
+to the build system.
+
+Since 9c2af1c7377a ("kbuild: add .DELETE_ON_ERROR special target"),
+make automatically deletes the target on any failure. So, the broken
+capflags.c will be deleted automatically.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Link: https://lkml.kernel.org/r/20190625072622.17679-1-yamada.masahiro@socionext.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mkcapflags.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh
+index d0dfb892c72f..aed45b8895d5 100644
+--- a/arch/x86/kernel/cpu/mkcapflags.sh
++++ b/arch/x86/kernel/cpu/mkcapflags.sh
+@@ -4,6 +4,8 @@
+ # Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h
+ #
+
++set -e
++
+ IN=$1
+ OUT=$2
+
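Review bot: `set -e` on its own does not catch every failure: a command that fails on the left side of a pipe, or inside a condition, still lets the script exit 0. The body of the script is outside this hunk, so whether the generator is written as a pipeline is not visible. If it is, a failing first stage could still leave a truncated `$OUT` behind. A comment next to the new line, for example `# set -e checks only the last command of a pipeline; keep the generator stages unpiped or check them explicitly`, would stop the next editor from over-trusting it.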
+--
+2.20.1
+
--- /dev/null
+From 374ff27a0f6132e87ddfd0f7648101dee8bdcf2f Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Wed, 19 Jun 2019 10:32:53 -0400
+Subject: x86/cacheinfo: Fix a -Wtype-limits warning
+
+[ Upstream commit 1b7aebf0487613033aff26420e32fa2076d52846 ]
+
+cpuinfo_x86.x86_model is an unsigned type, so comparing against zero
+will generate a compilation warning:
+
+ arch/x86/kernel/cpu/cacheinfo.c: In function 'cacheinfo_amd_init_llc_id':
+ arch/x86/kernel/cpu/cacheinfo.c:662:19: warning: comparison is always true \
+ due to limited range of data type [-Wtype-limits]
+
+Remove the unnecessary lower bound check.
+
+ [ bp: Massage. ]
+
+Fixes: 68091ee7ac3c ("x86/CPU/AMD: Calculate last level cache ID from number of sharing threads")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Pu Wen <puwen@hygon.cn>
+Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/1560954773-11967-1-git-send-email-cai@lca.pw
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/cacheinfo.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/cacheinfo.c b/arch/x86/kernel/cpu/cacheinfo.c
+index 395d46f78582..c7503be92f35 100644
+--- a/arch/x86/kernel/cpu/cacheinfo.c
++++ b/arch/x86/kernel/cpu/cacheinfo.c
+@@ -658,8 +658,7 @@ void cacheinfo_amd_init_llc_id(struct cpuinfo_x86 *c, int cpu, u8 node_id)
+ if (c->x86 < 0x17) {
+ /* LLC is at the node level. */
+ per_cpu(cpu_llc_id, cpu) = node_id;
+- } else if (c->x86 == 0x17 &&
+- c->x86_model >= 0 && c->x86_model <= 0x1F) {
++ } else if (c->x86 == 0x17 && c->x86_model <= 0x1F) {
+ /*
+ * LLC is at the core complex level.
+ * Core complex ID is ApicId[3] for these processors.
+--
+2.20.1
+
--- /dev/null
+From bebddda2c2796817b8e5b6de3ae3652c9f6ed0cb Mon Sep 17 00:00:00 2001
+From: Rajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
+Date: Thu, 6 Jun 2019 06:54:19 +0530
+Subject: x86/cpu: Add Ice Lake NNPI to Intel family
+
+[ Upstream commit e32d045cd4ba06b59878323e434bad010e78e658 ]
+
+Add the CPUID model number of Ice Lake Neural Network Processor for Deep
+Learning Inference (ICL-NNPI) to the Intel family list. Ice Lake NNPI uses
+model number 0x9D and this will be documented in a future version of Intel
+Software Development Manual.
+
+Signed-off-by: Rajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@suse.de
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: platform-driver-x86@vger.kernel.org
+Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Linux PM <linux-pm@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190606012419.13250-1-rajneesh.bhardwaj@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/intel-family.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
+index 310118805f57..f60ddd655c78 100644
+--- a/arch/x86/include/asm/intel-family.h
++++ b/arch/x86/include/asm/intel-family.h
+@@ -56,6 +56,7 @@
+ #define INTEL_FAM6_ICELAKE_XEON_D 0x6C
+ #define INTEL_FAM6_ICELAKE_DESKTOP 0x7D
+ #define INTEL_FAM6_ICELAKE_MOBILE 0x7E
++#define INTEL_FAM6_ICELAKE_NNPI 0x9D
+
+ /* "Small Core" Processors (Atom) */
+
+--
+2.20.1
+
--- /dev/null
+From 43a7c1f39417d9e29cbcb42cdb64eedf5c185a22 Mon Sep 17 00:00:00 2001
+From: Aaron Lewis <aaronlewis@google.com>
+Date: Wed, 5 Jun 2019 15:02:52 -0700
+Subject: x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS
+
+[ Upstream commit cbb99c0f588737ec98c333558922ce47e9a95827 ]
+
+Add the CPUID enumeration for Intel's de-feature bits to accommodate
+passing these de-features through to kvm guests.
+
+These de-features are (from SDM vol 1, section 8.1.8):
+ - X86_FEATURE_FDP_EXCPTN_ONLY: If CPUID.(EAX=07H,ECX=0H):EBX[bit 6] = 1, the
+ data pointer (FDP) is updated only for the x87 non-control instructions that
+ incur unmasked x87 exceptions.
+ - X86_FEATURE_ZERO_FCS_FDS: If CPUID.(EAX=07H,ECX=0H):EBX[bit 13] = 1, the
+ processor deprecates FCS and FDS; it saves each as 0000H.
+
+Signed-off-by: Aaron Lewis <aaronlewis@google.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: marcorr@google.com
+Cc: Peter Feiner <pfeiner@google.com>
+Cc: pshier@google.com
+Cc: Robert Hoo <robert.hu@linux.intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Thomas Lendacky <Thomas.Lendacky@amd.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190605220252.103406-1-aaronlewis@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/cpufeatures.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
+index 75f27ee2c263..1017b9c7dfe0 100644
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -239,12 +239,14 @@
+ #define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */
+ #define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */
+ #define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */
++#define X86_FEATURE_FDP_EXCPTN_ONLY ( 9*32+ 6) /* "" FPU data pointer updated only on x87 exceptions */
+ #define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */
+ #define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit manipulation extensions */
+ #define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB instructions */
+ #define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */
+ #define X86_FEATURE_RTM ( 9*32+11) /* Restricted Transactional Memory */
+ #define X86_FEATURE_CQM ( 9*32+12) /* Cache QoS Monitoring */
++#define X86_FEATURE_ZERO_FCS_FDS ( 9*32+13) /* "" Zero out FPU CS and FPU DS */
+ #define X86_FEATURE_MPX ( 9*32+14) /* Memory Protection Extension */
+ #define X86_FEATURE_RDT_A ( 9*32+15) /* Resource Director Technology Allocation */
+ #define X86_FEATURE_AVX512F ( 9*32+16) /* AVX-512 Foundation */
+--
+2.20.1
+
--- /dev/null
+From 0dee61a79ad6a85e71b610708f9d1bf397f56f49 Mon Sep 17 00:00:00 2001
+From: Ilya Maximets <i.maximets@samsung.com>
+Date: Wed, 3 Jul 2019 15:09:16 +0300
+Subject: xdp: fix race on generic receive path
+
+[ Upstream commit bf0bdd1343efbbf65b4d53aef1fce14acbd79d50 ]
+
+Unlike driver mode, generic xdp receive could be triggered
+by different threads on different CPU cores at the same time
+leading to the fill and rx queue breakage. For example, this
+could happen while sending packets from two processes to the
+first interface of veth pair while the second part of it is
+open with AF_XDP socket.
+
+Need to take a lock for each generic receive to avoid race.
+
+Fixes: c497176cb2e4 ("xsk: add Rx receive functions and poll support")
+Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: William Tu <u9012063@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock.h | 2 ++
+ net/xdp/xsk.c | 31 ++++++++++++++++++++++---------
+ 2 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h
+index d074b6d60f8a..ac3c047d058c 100644
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -67,6 +67,8 @@ struct xdp_sock {
+ * in the SKB destructor callback.
+ */
+ spinlock_t tx_completion_lock;
++ /* Protects generic receive. */
++ spinlock_t rx_lock;
+ u64 rx_dropped;
+ };
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index a14e8864e4fa..5e0637db92ea 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -123,13 +123,17 @@ int xsk_generic_rcv(struct xdp_sock *xs, struct xdp_buff *xdp)
+ u64 addr;
+ int err;
+
+- if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index)
+- return -EINVAL;
++ spin_lock_bh(&xs->rx_lock);
++
++ if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
+
+ if (!xskq_peek_addr(xs->umem->fq, &addr) ||
+ len > xs->umem->chunk_size_nohr - XDP_PACKET_HEADROOM) {
+- xs->rx_dropped++;
+- return -ENOSPC;
++ err = -ENOSPC;
++ goto out_drop;
+ }
+
+ addr += xs->umem->headroom;
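Review bot: `rx_lock` is per socket, but what it guards in xsk_generic_rcv includes the fill queue reached through `xs->umem->fq`, which belongs to the umem rather than to the socket. If one umem can be bound to several sockets (not visible on this page), two of them could still run `xskq_peek_addr()` here and `xskq_discard_addr()` in the next hunk concurrently, each under its own lock. That is worth confirming. Either way the field comment in xdp_sock.h could state the coverage precisely, e.g. `/* Protects generic receive: xs->rx and, for a non-shared umem, umem->fq. */`. The function starts and ends outside this hunk.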
+@@ -138,13 +142,21 @@ int xsk_generic_rcv(struct xdp_sock *xs, struct xdp_buff *xdp)
+ memcpy(buffer, xdp->data_meta, len + metalen);
+ addr += metalen;
+ err = xskq_produce_batch_desc(xs->rx, addr, len);
+- if (!err) {
+- xskq_discard_addr(xs->umem->fq);
+- xsk_flush(xs);
+- return 0;
+- }
++ if (err)
++ goto out_drop;
++
++ xskq_discard_addr(xs->umem->fq);
++ xskq_produce_flush_desc(xs->rx);
+
++ spin_unlock_bh(&xs->rx_lock);
++
++ xs->sk.sk_data_ready(&xs->sk);
++ return 0;
++
++out_drop:
+ xs->rx_dropped++;
++out_unlock:
++ spin_unlock_bh(&xs->rx_lock);
+ return err;
+ }
+
+@@ -765,6 +777,7 @@ static int xsk_create(struct net *net, struct socket *sock, int protocol,
+
+ xs = xdp_sk(sk);
+ mutex_init(&xs->mutex);
++ spin_lock_init(&xs->rx_lock);
+ spin_lock_init(&xs->tx_completion_lock);
+
+ mutex_lock(&net->xdp.lock);
+--
+2.20.1
+
--- /dev/null
+From b6d1f43a596edd6e05c2eb48919859e83d08c348 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 14 Jun 2019 11:13:55 +0200
+Subject: xfrm: fix sa selector validation
+
+[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ]
+
+After commit b38ff4075a80, the following command does not work anymore:
+$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
+ mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
+ 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
+
+In fact, the selector is not mandatory, allow the user to provide an empty
+selector.
+
+Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
+CC: Anirudh Gupta <anirudh.gupta@sophos.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 76ad7e201626..b88ba45ff1ac 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -167,6 +167,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ }
+
+ switch (p->sel.family) {
++ case AF_UNSPEC:
++ break;
++
+ case AF_INET:
+ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+ goto out;
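Review bot: The new `case AF_UNSPEC: break;` accepts the request without looking at `p->sel.prefixlen_d` or `p->sel.prefixlen_s` at all, so a selector with no family but out-of-range prefix lengths now passes verify_newsa_info. If later code fills in an unset selector family from `p->family` (that code is not in this hunk), those lengths would be used with a family they were never bounded against. Bounding them against the SA family in that case closes the gap: `sa_family_t sel_family = p->sel.family;`, `if (sel_family == AF_UNSPEC && !(p->flags & XFRM_STATE_AF_UNSPEC)) sel_family = p->family;`, then `switch (sel_family) {`. The switch body continues outside the hunk.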
+--
+2.20.1
+
--- /dev/null
+From baa70265dd31a3ed60c5eff8fd2d0e5fd9aa11c8 Mon Sep 17 00:00:00 2001
+From: Anirudh Gupta <anirudhrudr@gmail.com>
+Date: Tue, 21 May 2019 20:59:47 +0530
+Subject: xfrm: Fix xfrm sel prefix length validation
+
+[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]
+
+Family of src/dst can be different from family of selector src/dst.
+Use xfrm selector family to validate address prefix length,
+while verifying new sa from userspace.
+
+Validated patch with this command:
+ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
+reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
+0x1111016400000000000000000000000044440001 128 \
+sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
+
+Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
+Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 173477211e40..76ad7e201626 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -151,6 +151,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+
+ err = -EINVAL;
+ switch (p->family) {
++ case AF_INET:
++ break;
++
++ case AF_INET6:
++#if IS_ENABLED(CONFIG_IPV6)
++ break;
++#else
++ err = -EAFNOSUPPORT;
++ goto out;
++#endif
++
++ default:
++ goto out;
++ }
++
++ switch (p->sel.family) {
+ case AF_INET:
+ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+ goto out;
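Review bot: Two consecutive switches on similar-looking fields, `p->family` and then `p->sel.family`, are easy to misread as a duplicate, and nothing in the code says the two may legitimately differ. A one-line comment before each would help, e.g. `/* address family of the SA itself */` above the first and `/* selector family; may differ from p->family */` above the second. The `#if IS_ENABLED(CONFIG_IPV6)` split inside `case AF_INET6:` also deserves a short note that `err` is deliberately changed to `-EAFNOSUPPORT` only on that path. The second switch continues outside the hunk.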
+--
+2.20.1
+
--- /dev/null
+From 369279eedf25a9fd3efa472833a45054ddb2cbaf Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Tue, 25 Jun 2019 11:23:52 -0700
+Subject: xsk: Properly terminate assignment in xskq_produce_flush_desc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit f7019b7b0ad14bde732b8953161994edfc384953 ]
+
+Clang warns:
+
+In file included from net/xdp/xsk_queue.c:10:
+net/xdp/xsk_queue.h:292:2: warning: expression result unused
+[-Wunused-value]
+ WRITE_ONCE(q->ring->producer, q->prod_tail);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+include/linux/compiler.h:284:6: note: expanded from macro 'WRITE_ONCE'
+ __u.__val; \
+ ~~~ ^~~~~
+1 warning generated.
+
+The q->prod_tail assignment has a comma at the end, not a semi-colon.
+Fix that so clang no longer warns and everything works as expected.
+
+Fixes: c497176cb2e4 ("xsk: add Rx receive functions and poll support")
+Link: https://github.com/ClangBuiltLinux/linux/issues/544
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Nick Desaulniers <ndesaulniers@google.com>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Acked-by: Björn Töpel <bjorn.topel@intel.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_queue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h
+index 88b9ae24658d..cba4a640d5e8 100644
+--- a/net/xdp/xsk_queue.h
++++ b/net/xdp/xsk_queue.h
+@@ -288,7 +288,7 @@ static inline void xskq_produce_flush_desc(struct xsk_queue *q)
+ /* Order producer and data */
+ smp_wmb(); /* B, matches C */
+
+- q->prod_tail = q->prod_head,
++ q->prod_tail = q->prod_head;
+ WRITE_ONCE(q->ring->producer, q->prod_tail);
+ }
+
+--
+2.20.1
+