--- /dev/null
+From 4222384febcd2f34ceb2e972f1f61ca9ebc49af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 10:31:20 -0700
+Subject: ACPICA: Do not increment operation_region reference counts for field
+ units
+
+From: Erik Kaneda <erik.kaneda@intel.com>
+
+[ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ]
+
+ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70
+
+Object reference counts are used as a part of ACPICA's garbage
+collection mechanism. This mechanism keeps track of references to
+heap-allocated structures such as the ACPI operand objects.
+
+Recent server firmware has revealed that this reference count can
+overflow on large servers that declare many field units under the
+same operation_region. This occurs because each field unit declaration
+will add a reference count to the source operation_region.
+
+This change solves the reference count overflow for operation_regions
+objects by preventing fieldunits from incrementing their
+operation_region's reference count. Each operation_region's reference
+count will not be changed by named objects declared under the Field
+operator. During namespace deletion, the operation_region namespace
+node will be deleted and each fieldunit will be deleted without
+touching the deleted operation_region object.
+
+Link: https://github.com/acpica/acpica/commit/e17b28cf
+Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/exprep.c | 4 ----
+ drivers/acpi/acpica/utdelete.c | 6 +-----
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c
+index aed8d34592209..c2c391d5c5a1c 100644
+--- a/drivers/acpi/acpica/exprep.c
++++ b/drivers/acpi/acpica/exprep.c
+@@ -507,10 +507,6 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info)
+ (u8)access_byte_width;
+ }
+ }
+- /* An additional reference for the container */
+-
+- acpi_ut_add_reference(obj_desc->field.region_obj);
+-
+ ACPI_DEBUG_PRINT((ACPI_DB_BFIELD,
+ "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n",
+ obj_desc->field.start_field_bit_offset,
+diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c
+index 529d6c38ea7ce..03a2282ceb9ca 100644
+--- a/drivers/acpi/acpica/utdelete.c
++++ b/drivers/acpi/acpica/utdelete.c
+@@ -591,11 +591,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action)
+ next_object = object->buffer_field.buffer_obj;
+ break;
+
+- case ACPI_TYPE_LOCAL_REGION_FIELD:
+-
+- next_object = object->field.region_obj;
+- break;
+-
+ case ACPI_TYPE_LOCAL_BANK_FIELD:
+
+ next_object = object->bank_field.bank_obj;
+@@ -636,6 +631,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action)
+ }
+ break;
+
++ case ACPI_TYPE_LOCAL_REGION_FIELD:
+ case ACPI_TYPE_REGION:
+ default:
+
+--
+2.25.1
+
--- /dev/null
+From 0ac47e7661a412ec6cd6f1025ffe8580c91ee8fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 09:34:51 +0100
+Subject: agp/intel: Fix a memory leak on module initialisation failure
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ]
+
+In intel_gtt_setup_scratch_page(), pointer "page" is not released if
+pci_dma_mapping_error() return an error, leading to a memory leak on
+module initialisation failure. Simply fix this issue by freeing "page"
+before return.
+
+Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/agp/intel-gtt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
+index 871e7f4994e8c..667882e996ecc 100644
+--- a/drivers/char/agp/intel-gtt.c
++++ b/drivers/char/agp/intel-gtt.c
+@@ -303,8 +303,10 @@ static int intel_gtt_setup_scratch_page(void)
+ if (intel_private.needs_dmar) {
+ dma_addr = pci_map_page(intel_private.pcidev, page, 0,
+ PAGE_SIZE, PCI_DMA_BIDIRECTIONAL);
+- if (pci_dma_mapping_error(intel_private.pcidev, dma_addr))
++ if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) {
++ __free_page(page);
+ return -EINVAL;
++ }
+
+ intel_private.scratch_page_dma = dma_addr;
+ } else
+--
+2.25.1
+
--- /dev/null
+From 8e0651b173cf006e5d6ed8ea79cb45dac5522d3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 20:33:01 +0800
+Subject: ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
+
+From: yu kuai <yukuai3@huawei.com>
+
+[ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ]
+
+if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have
+a corresponding put_device(). Thus add a jump target to fix the exception
+handling for this function implementation.
+
+Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM")
+Signed-off-by: yu kuai <yukuai3@huawei.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-at91/pm.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c
+index 8ba0e2e5ad97c..0efac1404418e 100644
+--- a/arch/arm/mach-at91/pm.c
++++ b/arch/arm/mach-at91/pm.c
+@@ -411,13 +411,13 @@ static void __init at91_pm_sram_init(void)
+ sram_pool = gen_pool_get(&pdev->dev, NULL);
+ if (!sram_pool) {
+ pr_warn("%s: sram pool unavailable!\n", __func__);
+- return;
++ goto out_put_device;
+ }
+
+ sram_base = gen_pool_alloc(sram_pool, at91_pm_suspend_in_sram_sz);
+ if (!sram_base) {
+ pr_warn("%s: unable to alloc sram!\n", __func__);
+- return;
++ goto out_put_device;
+ }
+
+ sram_pbase = gen_pool_virt_to_phys(sram_pool, sram_base);
+@@ -425,12 +425,17 @@ static void __init at91_pm_sram_init(void)
+ at91_pm_suspend_in_sram_sz, false);
+ if (!at91_suspend_sram_fn) {
+ pr_warn("SRAM: Could not map\n");
+- return;
++ goto out_put_device;
+ }
+
+ /* Copy the pm suspend handler to SRAM */
+ at91_suspend_sram_fn = fncpy(at91_suspend_sram_fn,
+ &at91_pm_suspend_in_sram, at91_pm_suspend_in_sram_sz);
++ return;
++
++out_put_device:
++ put_device(&pdev->dev);
++ return;
+ }
+
+ static const struct of_device_id atmel_pmc_ids[] __initconst = {
+--
+2.25.1
+
--- /dev/null
+From 930f6edd5cb7d172ef89c9c97ab394d4ab46089b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 21:45:51 +0800
+Subject: ARM: socfpga: PM: add missing put_device() call in
+ socfpga_setup_ocram_self_refresh()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ]
+
+if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh
+doesn't have a corresponding put_device(). Thus add a jump target to
+fix the exception handling for this function implementation.
+
+Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-socfpga/pm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c
+index c378ab0c24317..93f2245c97750 100644
+--- a/arch/arm/mach-socfpga/pm.c
++++ b/arch/arm/mach-socfpga/pm.c
+@@ -60,14 +60,14 @@ static int socfpga_setup_ocram_self_refresh(void)
+ if (!ocram_pool) {
+ pr_warn("%s: ocram pool unavailable!\n", __func__);
+ ret = -ENODEV;
+- goto put_node;
++ goto put_device;
+ }
+
+ ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz);
+ if (!ocram_base) {
+ pr_warn("%s: unable to alloc ocram!\n", __func__);
+ ret = -ENOMEM;
+- goto put_node;
++ goto put_device;
+ }
+
+ ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base);
+@@ -78,7 +78,7 @@ static int socfpga_setup_ocram_self_refresh(void)
+ if (!suspend_ocram_base) {
+ pr_warn("%s: __arm_ioremap_exec failed!\n", __func__);
+ ret = -ENOMEM;
+- goto put_node;
++ goto put_device;
+ }
+
+ /* Copy the code that puts DDR in self refresh to ocram */
+@@ -92,6 +92,8 @@ static int socfpga_setup_ocram_self_refresh(void)
+ if (!socfpga_sdram_self_refresh_in_ocram)
+ ret = -EFAULT;
+
++put_device:
++ put_device(&pdev->dev);
+ put_node:
+ of_node_put(np);
+
+--
+2.25.1
+
--- /dev/null
+From 0ef7d5c4a7812a975c6ccb8eaff98a7b844cfc5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Jul 2020 12:39:17 +0530
+Subject: arm64: dts: exynos: Fix silent hang after boot on Espresso
+
+From: Alim Akhtar <alim.akhtar@samsung.com>
+
+[ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ]
+
+Once regulators are disabled after kernel boot, on Espresso board silent
+hang observed because of LDO7 being disabled. LDO7 actually provide
+power to CPU cores and non-cpu blocks circuitries. Keep this regulator
+always-on to fix this hang.
+
+Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso")
+Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts
+index c528dd52ba2d3..2f7d144d556da 100644
+--- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts
++++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts
+@@ -131,6 +131,7 @@ ldo7_reg: LDO7 {
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1150000>;
+ regulator-enable-ramp-delay = <125>;
++ regulator-always-on;
+ };
+
+ ldo8_reg: LDO8 {
+--
+2.25.1
+
--- /dev/null
+From 9e34f2ed94aadb2ea9acf1251ee38605a8e8a8ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 20:59:14 +0200
+Subject: arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 ]
+
+msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio
+pin configurations. This was likely copied from the qcom kernel fork
+where the same property was used for these audio pins.
+
+However, "bias-pull-none" actually does not exist at all - not in
+mainline and not in downstream. I can only guess that the original
+intention was to configure "no pull", i.e. bias-disable.
+
+Change it to that instead.
+
+Fixes: 143bb9ad85b7 ("arm64: dts: qcom: add audio pinctrls")
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200605185916.318494-2-stephan@gerhold.net
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
+index 10c83e11c272f..fabc0cebe2aa2 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
+@@ -542,7 +542,7 @@ pinconf {
+ pins = "gpio63", "gpio64", "gpio65", "gpio66",
+ "gpio67", "gpio68";
+ drive-strength = <8>;
+- bias-pull-none;
++ bias-disable;
+ };
+ };
+ cdc_pdm_lines_sus: pdm_lines_off {
+@@ -571,7 +571,7 @@ pinconf {
+ pins = "gpio113", "gpio114", "gpio115",
+ "gpio116";
+ drive-strength = <8>;
+- bias-pull-none;
++ bias-disable;
+ };
+ };
+
+@@ -599,7 +599,7 @@ pinmux {
+ pinconf {
+ pins = "gpio110";
+ drive-strength = <8>;
+- bias-pull-none;
++ bias-disable;
+ };
+ };
+
+@@ -625,7 +625,7 @@ pinmux {
+ pinconf {
+ pins = "gpio116";
+ drive-strength = <8>;
+- bias-pull-none;
++ bias-disable;
+ };
+ };
+ ext_mclk_tlmm_lines_sus: mclk_lines_off {
+@@ -653,7 +653,7 @@ pinconf {
+ pins = "gpio112", "gpio117", "gpio118",
+ "gpio119";
+ drive-strength = <8>;
+- bias-pull-none;
++ bias-disable;
+ };
+ };
+ ext_sec_tlmm_lines_sus: tlmm_lines_off {
+--
+2.25.1
+
--- /dev/null
+From 3edf3a92738e03b4ed789a3328cc2becc864037b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 20:00:26 +0800
+Subject: bcache: fix super block seq numbers comparision in
+ register_cache_set()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ]
+
+In register_cache_set(), c is pointer to struct cache_set, and ca is
+pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this
+registering cache has up to date version and other members, the in-
+memory version and other members should be updated to the newer value.
+
+But current implementation makes a cache set only has a single cache
+device, so the above assumption works well except for a special case.
+The execption is when a cache device new created and both ca->sb.seq and
+c->sb.seq are 0, because the super block is never flushed out yet. In
+the location for the following if() check,
+2156 if (ca->sb.seq > c->sb.seq) {
+2157 c->sb.version = ca->sb.version;
+2158 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16);
+2159 c->sb.flags = ca->sb.flags;
+2160 c->sb.seq = ca->sb.seq;
+2161 pr_debug("set version = %llu\n", c->sb.version);
+2162 }
+c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0,
+the if() check will fail (because both values are 0), and the cache set
+version, set_uuid, flags and seq won't be updated.
+
+The above problem is hiden for current code, because the bucket size is
+compatible among different super block version. And the next time when
+running cache set again, ca->sb.seq will be larger than 0 and cache set
+super block version will be updated properly.
+
+But if the large bucket feature is enabled, sb->bucket_size is the low
+16bits of the bucket size. For a power of 2 value, when the actual
+bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then
+read_super_common() will fail because the if() check to
+is_power_of_2(sb->bucket_size) is false. This is how the long time
+hidden bug is triggered.
+
+This patch modifies the if() check to the following way,
+2156 if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) {
+Then cache set's version, set_uuid, flags and seq will always be updated
+corectly including for a new created cache device.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 526e9d5a4fb16..2c976cf361984 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1778,7 +1778,14 @@ static const char *register_cache_set(struct cache *ca)
+ sysfs_create_link(&c->kobj, &ca->kobj, buf))
+ goto err;
+
+- if (ca->sb.seq > c->sb.seq) {
++ /*
++ * A special case is both ca->sb.seq and c->sb.seq are 0,
++ * such condition happens on a new created cache device whose
++ * super block is never flushed yet. In this case c->sb.version
++ * and other members should be updated too, otherwise we will
++ * have a mistaken super block version in cache set.
++ */
++ if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) {
+ c->sb.version = ca->sb.version;
+ memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16);
+ c->sb.flags = ca->sb.flags;
+--
+2.25.1
+
--- /dev/null
+From a6166b9c45574ca1c5b53cdd110009b6c2c15bc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jul 2020 13:07:42 -0400
+Subject: bdc: Fix bug causing crash after multiple disconnects
+
+From: Sasi Kumar <sasi.kumar@broadcom.com>
+
+[ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ]
+
+Multiple connects/disconnects can cause a crash on the second
+disconnect. The driver had a problem where it would try to send
+endpoint commands after it was disconnected which is not allowed
+by the hardware. The fix is to only allow the endpoint commands
+when the endpoint is connected. This will also fix issues that
+showed up when using configfs to create gadgets.
+
+Signed-off-by: Sasi Kumar <sasi.kumar@broadcom.com>
+Signed-off-by: Al Cooper <alcooperx@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/bdc/bdc_core.c | 4 ++++
+ drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 ++++++++++------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c
+index e9bd8d4abca00..f09a74d79c9eb 100644
+--- a/drivers/usb/gadget/udc/bdc/bdc_core.c
++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c
+@@ -286,6 +286,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit)
+ * in that case reinit is passed as 1
+ */
+ if (reinit) {
++ int i;
+ /* Enable interrupts */
+ temp = bdc_readl(bdc->regs, BDC_BDCSC);
+ temp |= BDC_GIE;
+@@ -295,6 +296,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit)
+ /* Initialize SRR to 0 */
+ memset(bdc->srr.sr_bds, 0,
+ NUM_SR_ENTRIES * sizeof(struct bdc_bd));
++ /* clear ep flags to avoid post disconnect stops/deconfigs */
++ for (i = 1; i < bdc->num_eps; ++i)
++ bdc->bdc_ep_array[i]->flags = 0;
+ } else {
+ /* One time initiaization only */
+ /* Enable status report function pointers */
+diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c
+index 303735c7990c8..8b1b48fa4ebfc 100644
+--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c
++++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c
+@@ -621,7 +621,6 @@ int bdc_ep_enable(struct bdc_ep *ep)
+ }
+ bdc_dbg_bd_list(bdc, ep);
+ /* only for ep0: config ep is called for ep0 from connect event */
+- ep->flags |= BDC_EP_ENABLED;
+ if (ep->ep_num == 1)
+ return ret;
+
+@@ -765,10 +764,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req)
+ __func__, ep->name, start_bdi, end_bdi);
+ dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n",
+ ep, (void *)ep->usb_ep.desc);
+- /* Stop the ep to see where the HW is ? */
+- ret = bdc_stop_ep(bdc, ep->ep_num);
+- /* if there is an issue with stopping ep, then no need to go further */
+- if (ret)
++ /* if still connected, stop the ep to see where the HW is ? */
++ if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) {
++ ret = bdc_stop_ep(bdc, ep->ep_num);
++ /* if there is an issue, then no need to go further */
++ if (ret)
++ return 0;
++ } else
+ return 0;
+
+ /*
+@@ -1917,7 +1919,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep)
+ __func__, ep->name, ep->flags);
+
+ if (!(ep->flags & BDC_EP_ENABLED)) {
+- dev_warn(bdc->dev, "%s is already disabled\n", ep->name);
++ if (bdc->gadget.speed != USB_SPEED_UNKNOWN)
++ dev_warn(bdc->dev, "%s is already disabled\n",
++ ep->name);
+ return 0;
+ }
+ spin_lock_irqsave(&bdc->lock, flags);
+--
+2.25.1
+
--- /dev/null
+From f57a578dda3dfbb5711297dcb26aa9006d06298f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 20:28:41 +0800
+Subject: Bluetooth: add a mutex lock to avoid UAF in do_enale_set
+
+From: Lihong Kou <koulihong@huawei.com>
+
+[ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]
+
+In the case we set or free the global value listen_chan in
+different threads, we can encounter the UAF problems because
+the method is not protected by any lock, add one to avoid
+this bug.
+
+BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
+net/bluetooth/l2cap_core.c:730
+Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868
+
+CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 01/01/2011
+Workqueue: events do_enable_set
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1fb/0x318 lib/dump_stack.c:118
+ print_address_description+0x74/0x5c0 mm/kasan/report.c:374
+ __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
+ kasan_report+0x26/0x50 mm/kasan/common.c:641
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
+ l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
+ do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
+ process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
+ worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
+ kthread+0x332/0x350 kernel/kthread.c:255
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+
+Allocated by task 2870:
+ save_stack mm/kasan/common.c:72 [inline]
+ set_track mm/kasan/common.c:80 [inline]
+ __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
+ kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
+ kmalloc include/linux/slab.h:555 [inline]
+ kzalloc include/linux/slab.h:669 [inline]
+ l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
+ chan_create net/bluetooth/6lowpan.c:640 [inline]
+ bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
+ do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
+ process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
+ worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
+ kthread+0x332/0x350 kernel/kthread.c:255
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+
+Freed by task 2870:
+ save_stack mm/kasan/common.c:72 [inline]
+ set_track mm/kasan/common.c:80 [inline]
+ kasan_set_free_info mm/kasan/common.c:337 [inline]
+ __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x10d/0x220 mm/slab.c:3757
+ l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
+ do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
+ process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
+ worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
+ kthread+0x332/0x350 kernel/kthread.c:255
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+
+The buggy address belongs to the object at ffff888096950000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 0 bytes inside of
+ 2048-byte region [ffff888096950000, ffff888096950800)
+The buggy address belongs to the page:
+page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
+raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
+Signed-off-by: Lihong Kou <koulihong@huawei.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 21096c8822231..3bfd747aa515b 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -57,6 +57,7 @@ static bool enable_6lowpan;
+ /* We are listening incoming connections via this channel
+ */
+ static struct l2cap_chan *listen_chan;
++static DEFINE_MUTEX(set_lock);
+
+ struct lowpan_peer {
+ struct list_head list;
+@@ -1187,12 +1188,14 @@ static void do_enable_set(struct work_struct *work)
+
+ enable_6lowpan = set_enable->flag;
+
++ mutex_lock(&set_lock);
+ if (listen_chan) {
+ l2cap_chan_close(listen_chan, 0);
+ l2cap_chan_put(listen_chan);
+ }
+
+ listen_chan = bt_6lowpan_listen();
++ mutex_unlock(&set_lock);
+
+ kfree(set_enable);
+ }
+@@ -1244,11 +1247,13 @@ static ssize_t lowpan_control_write(struct file *fp,
+ if (ret == -EINVAL)
+ return ret;
+
++ mutex_lock(&set_lock);
+ if (listen_chan) {
+ l2cap_chan_close(listen_chan, 0);
+ l2cap_chan_put(listen_chan);
+ listen_chan = NULL;
+ }
++ mutex_unlock(&set_lock);
+
+ if (conn) {
+ struct lowpan_peer *peer;
+--
+2.25.1
+
--- /dev/null
+From d9e40c4ec2977aa4a7fd4c606f600510f77a0e7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 02:18:35 -0500
+Subject: brcmfmac: To fix Bss Info flag definition Bug
+
+From: Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com>
+
+[ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ]
+
+Bss info flag definition need to be fixed from 0x2 to 0x4
+This flag is for rssi info received on channel.
+All Firmware branches defined as 0x4 and this is bug in brcmfmac.
+
+Signed-off-by: Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com>
+Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+index 59013572fbe3f..d6a4a08fd3c44 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -30,7 +30,7 @@
+ #define BRCMF_ARP_OL_PEER_AUTO_REPLY 0x00000008
+
+ #define BRCMF_BSS_INFO_VERSION 109 /* curr ver of brcmf_bss_info_le struct */
+-#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0002
++#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0004
+
+ #define BRCMF_STA_WME 0x00000002 /* WMM association */
+ #define BRCMF_STA_AUTHE 0x00000008 /* Authenticated */
+--
+2.25.1
+
--- /dev/null
+From 5648159efd3218dc5580bb57a021e031141a6120 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 00:42:51 +0800
+Subject: console: newport_con: fix an issue about leak related system
+ resources
+
+From: Dejin Zheng <zhengdejin5@gmail.com>
+
+[ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ]
+
+A call of the function do_take_over_console() can fail here.
+The corresponding system resources were not released then.
+Thus add a call of iounmap() and release_mem_region()
+together with the check of a failure predicate. and also
+add release_mem_region() on device removal.
+
+Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding")
+Suggested-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/console/newport_con.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c
+index e3b9521e4ec3e..33bddf3f30406 100644
+--- a/drivers/video/console/newport_con.c
++++ b/drivers/video/console/newport_con.c
+@@ -31,6 +31,8 @@
+ #include <linux/linux_logo.h>
+ #include <linux/font.h>
+
++#define NEWPORT_LEN 0x10000
++
+ #define FONT_DATA ((unsigned char *)font_vga_8x16.data)
+
+ /* borrowed from fbcon.c */
+@@ -42,6 +44,7 @@
+ static unsigned char *font_data[MAX_NR_CONSOLES];
+
+ static struct newport_regs *npregs;
++static unsigned long newport_addr;
+
+ static int logo_active;
+ static int topscan;
+@@ -701,7 +704,6 @@ const struct consw newport_con = {
+ static int newport_probe(struct gio_device *dev,
+ const struct gio_device_id *id)
+ {
+- unsigned long newport_addr;
+ int err;
+
+ if (!dev->resource.start)
+@@ -711,7 +713,7 @@ static int newport_probe(struct gio_device *dev,
+ return -EBUSY; /* we only support one Newport as console */
+
+ newport_addr = dev->resource.start + 0xF0000;
+- if (!request_mem_region(newport_addr, 0x10000, "Newport"))
++ if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport"))
+ return -ENODEV;
+
+ npregs = (struct newport_regs *)/* ioremap cannot fail */
+@@ -719,6 +721,11 @@ static int newport_probe(struct gio_device *dev,
+ console_lock();
+ err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1);
+ console_unlock();
++
++ if (err) {
++ iounmap((void *)npregs);
++ release_mem_region(newport_addr, NEWPORT_LEN);
++ }
+ return err;
+ }
+
+@@ -726,6 +733,7 @@ static void newport_remove(struct gio_device *dev)
+ {
+ give_up_console(&newport_con);
+ iounmap((void *)npregs);
++ release_mem_region(newport_addr, NEWPORT_LEN);
+ }
+
+ static struct gio_device_id newport_ids[] = {
+--
+2.25.1
+
--- /dev/null
+From 869d95ff16a5e13c8c20a8e2415fb4556aff5bdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2020 20:07:33 +0800
+Subject: cxl: Fix kobject memleak
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ]
+
+Currently the error return path from kobject_init_and_add() is not
+followed by a call to kobject_put() - which means we are leaking
+the kobject.
+
+Fix it by adding a call to kobject_put() in the error path of
+kobject_init_and_add().
+
+Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/cxl/sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c
+index a8b6d6a635e96..e97b3b26805d1 100644
+--- a/drivers/misc/cxl/sysfs.c
++++ b/drivers/misc/cxl/sysfs.c
+@@ -598,7 +598,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c
+ rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type,
+ &afu->dev.kobj, "cr%i", cr->cr);
+ if (rc)
+- goto err;
++ goto err1;
+
+ rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr);
+ if (rc)
+--
+2.25.1
+
--- /dev/null
+From 308c78edc2da16638bda0f1f556bdd533f21b860 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 11:25:33 +0800
+Subject: dlm: Fix kobject memleak
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ]
+
+Currently the error return path from kobject_init_and_add() is not
+followed by a call to kobject_put() - which means we are leaking
+the kobject.
+
+Set do_unreg = 1 before kobject_init_and_add() to ensure that
+kobject_put() can be called in its error patch.
+
+Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index b14bb2c460426..499f54f99891c 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -626,6 +626,9 @@ static int new_lockspace(const char *name, const char *cluster,
+ wait_event(ls->ls_recover_lock_wait,
+ test_bit(LSFL_RECOVER_LOCK, &ls->ls_flags));
+
++ /* let kobject handle freeing of ls if there's an error */
++ do_unreg = 1;
++
+ ls->ls_kobj.kset = dlm_kset;
+ error = kobject_init_and_add(&ls->ls_kobj, &dlm_ktype, NULL,
+ "%s", ls->ls_name);
+@@ -633,9 +636,6 @@ static int new_lockspace(const char *name, const char *cluster,
+ goto out_recoverd;
+ kobject_uevent(&ls->ls_kobj, KOBJ_ADD);
+
+- /* let kobject handle freeing of ls if there's an error */
+- do_unreg = 1;
+-
+ /* This uevent triggers dlm_controld in userspace to add us to the
+ group of nodes that are members of this lockspace (managed by the
+ cluster infrastructure.) Once it's done that, it tells us who the
+--
+2.25.1
+
--- /dev/null
+From 5049782d037c7205aa318fb7bf1e73a72f916651 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2017 12:43:07 +0200
+Subject: drm/debugfs: fix plain echo to connector "force" attribute
+
+From: Michael Tretter <m.tretter@pengutronix.de>
+
+[ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ]
+
+Using plain echo to set the "force" connector attribute fails with
+-EINVAL, because echo appends a newline to the output.
+
+Replace strcmp with sysfs_streq to also accept strings that end with a
+newline.
+
+v2: use sysfs_streq instead of stripping trailing whitespace
+
+Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_debugfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c
+index 1205790ed960c..5ffe4b664cfbf 100644
+--- a/drivers/gpu/drm/drm_debugfs.c
++++ b/drivers/gpu/drm/drm_debugfs.c
+@@ -287,13 +287,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf,
+
+ buf[len] = '\0';
+
+- if (!strcmp(buf, "on"))
++ if (sysfs_streq(buf, "on"))
+ connector->force = DRM_FORCE_ON;
+- else if (!strcmp(buf, "digital"))
++ else if (sysfs_streq(buf, "digital"))
+ connector->force = DRM_FORCE_ON_DIGITAL;
+- else if (!strcmp(buf, "off"))
++ else if (sysfs_streq(buf, "off"))
+ connector->force = DRM_FORCE_OFF;
+- else if (!strcmp(buf, "unspecified"))
++ else if (sysfs_streq(buf, "unspecified"))
+ connector->force = DRM_FORCE_UNSPECIFIED;
+ else
+ return -EINVAL;
+--
+2.25.1
+
--- /dev/null
+From 1aff525911ba13e700f995dba887756a25a6786a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jun 2020 14:43:32 +0200
+Subject: drm/imx: tve: fix regulator_disable error path
+
+From: Marco Felsch <m.felsch@pengutronix.de>
+
+[ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ]
+
+Add missing regulator_disable() as devm_action to avoid dedicated
+unbind() callback and fix the missing error handling.
+
+Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)")
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/imx-tve.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c
+index 89cf0090feaca..9ae515f3171ec 100644
+--- a/drivers/gpu/drm/imx/imx-tve.c
++++ b/drivers/gpu/drm/imx/imx-tve.c
+@@ -511,6 +511,13 @@ static int imx_tve_register(struct drm_device *drm, struct imx_tve *tve)
+ return 0;
+ }
+
++static void imx_tve_disable_regulator(void *data)
++{
++ struct imx_tve *tve = data;
++
++ regulator_disable(tve->dac_reg);
++}
++
+ static bool imx_tve_readable_reg(struct device *dev, unsigned int reg)
+ {
+ return (reg % 4 == 0) && (reg <= 0xdc);
+@@ -635,6 +642,9 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data)
+ ret = regulator_enable(tve->dac_reg);
+ if (ret)
+ return ret;
++ ret = devm_add_action_or_reset(dev, imx_tve_disable_regulator, tve);
++ if (ret)
++ return ret;
+ }
+
+ tve->clk = devm_clk_get(dev, "tve");
+@@ -681,18 +691,8 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data)
+ return 0;
+ }
+
+-static void imx_tve_unbind(struct device *dev, struct device *master,
+- void *data)
+-{
+- struct imx_tve *tve = dev_get_drvdata(dev);
+-
+- if (!IS_ERR(tve->dac_reg))
+- regulator_disable(tve->dac_reg);
+-}
+-
+ static const struct component_ops imx_tve_ops = {
+ .bind = imx_tve_bind,
+- .unbind = imx_tve_unbind,
+ };
+
+ static int imx_tve_probe(struct platform_device *pdev)
+--
+2.25.1
+
--- /dev/null
+From 534dd289d3372685e4ef40c387830eaf245b0229 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 17:03:29 +0100
+Subject: drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline
+
+From: Emil Velikov <emil.velikov@collabora.com>
+
+[ Upstream commit 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 ]
+
+The helper uses the MIPI_DCS_SET_TEAR_SCANLINE, although it's currently
+using the generic write. This does not look right.
+
+Perhaps some platforms don't distinguish between the two writers?
+
+Cc: Robert Chiras <robert.chiras@nxp.com>
+Cc: Vinay Simha BN <simhavcs@gmail.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Thierry Reding <treding@nvidia.com>
+Fixes: e83950816367 ("drm/dsi: Implement set tear scanline")
+Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
+Reviewed-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200505160329.2976059-3-emil.l.velikov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_mipi_dsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
+index 1160a579e0dc0..99415808e9f91 100644
+--- a/drivers/gpu/drm/drm_mipi_dsi.c
++++ b/drivers/gpu/drm/drm_mipi_dsi.c
+@@ -1029,11 +1029,11 @@ EXPORT_SYMBOL(mipi_dsi_dcs_set_pixel_format);
+ */
+ int mipi_dsi_dcs_set_tear_scanline(struct mipi_dsi_device *dsi, u16 scanline)
+ {
+- u8 payload[3] = { MIPI_DCS_SET_TEAR_SCANLINE, scanline >> 8,
+- scanline & 0xff };
++ u8 payload[2] = { scanline >> 8, scanline & 0xff };
+ ssize_t err;
+
+- err = mipi_dsi_generic_write(dsi, payload, sizeof(payload));
++ err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_TEAR_SCANLINE, payload,
++ sizeof(payload));
+ if (err < 0)
+ return err;
+
+--
+2.25.1
+
--- /dev/null
+From ef39f79765bc077e93837bed0149bf1076f6c1d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 20:41:56 -0500
+Subject: drm/nouveau: fix multiple instances of reference count leaks
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+ref count before returning the error.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 8 ++++++--
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
+index 42829a942e33c..4e12d3d59651b 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -823,8 +823,10 @@ nouveau_drm_open(struct drm_device *dev, struct drm_file *fpriv)
+
+ /* need to bring up power immediately if opening device */
+ ret = pm_runtime_get_sync(dev->dev);
+- if (ret < 0 && ret != -EACCES)
++ if (ret < 0 && ret != -EACCES) {
++ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
++ }
+
+ get_task_comm(tmpname, current);
+ snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid));
+@@ -912,8 +914,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ long ret;
+
+ ret = pm_runtime_get_sync(dev->dev);
+- if (ret < 0 && ret != -EACCES)
++ if (ret < 0 && ret != -EACCES) {
++ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
++ }
+
+ switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) {
+ case DRM_NOUVEAU_NVIF:
+diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
+index 505dca48b9f80..be6672da33a65 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
+@@ -42,8 +42,10 @@ nouveau_gem_object_del(struct drm_gem_object *gem)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (WARN_ON(ret < 0 && ret != -EACCES))
++ if (WARN_ON(ret < 0 && ret != -EACCES)) {
++ pm_runtime_put_autosuspend(dev);
+ return;
++ }
+
+ if (gem->import_attach)
+ drm_prime_gem_destroy(gem, nvbo->bo.sg);
+--
+2.25.1
+
--- /dev/null
+From 0d830b1cd348b5d8a799045d601526173b23ae09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jul 2020 01:53:17 +0300
+Subject: drm: panel: simple: Fix bpc for LG LB070WV8 panel
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ]
+
+The LG LB070WV8 panel incorrectly reports a 16 bits per component value,
+while the panel uses 8 bits per component. Fix it.
+
+Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel")
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 68a2b25deb50d..57f32d1bb3127 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -1041,7 +1041,7 @@ static const struct drm_display_mode lg_lb070wv8_mode = {
+ static const struct panel_desc lg_lb070wv8 = {
+ .modes = &lg_lb070wv8_mode,
+ .num_modes = 1,
+- .bpc = 16,
++ .bpc = 8,
+ .size = {
+ .width = 151,
+ .height = 91,
+--
+2.25.1
+
--- /dev/null
+From 46bcbba49a0702056fc87d23b175aabf1b8f42e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 13:07:10 +0100
+Subject: drm/radeon: fix array out-of-bounds read and write issues
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ]
+
+There is an off-by-one bounds check on the index into arrays
+table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that
+can lead to reads and writes outside of arrays. Fix the bound checking
+off-by-one error.
+
+Addresses-Coverity: ("Out-of-bounds read/write")
+Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
+index be43582811dfc..50bad42527b1c 100644
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -4348,7 +4348,7 @@ static int ci_set_mc_special_registers(struct radeon_device *rdev,
+ table->mc_reg_table_entry[k].mc_data[j] |= 0x100;
+ }
+ j++;
+- if (j > SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+
+ if (!pi->mem_gddr5) {
+--
+2.25.1
+
--- /dev/null
+From 4ca8b58b86d3a6904e00118d3d95010b7045d871 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 21:21:22 -0500
+Subject: drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+reference count before returning the error.
+
+Acked-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 4 +++-
+ drivers/gpu/drm/radeon/radeon_drv.c | 4 +++-
+ drivers/gpu/drm/radeon/radeon_kms.c | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index 432ad7d73cb9b..99e23800cadc7 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -639,8 +639,10 @@ radeon_crtc_set_config(struct drm_mode_set *set)
+ dev = set->crtc->dev;
+
+ ret = pm_runtime_get_sync(dev->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
++ }
+
+ ret = drm_crtc_helper_set_config(set);
+
+diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c
+index 30bd4a6a9d466..7648fd0d10751 100644
+--- a/drivers/gpu/drm/radeon/radeon_drv.c
++++ b/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -496,8 +496,10 @@ long radeon_drm_ioctl(struct file *filp,
+ long ret;
+ dev = file_priv->minor->dev;
+ ret = pm_runtime_get_sync(dev->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
++ }
+
+ ret = drm_ioctl(filp, cmd, arg);
+
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
+index 4388ddeec8d24..96d2a564d9a3c 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -634,8 +634,10 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
+ file_priv->driver_priv = NULL;
+
+ r = pm_runtime_get_sync(dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(dev->dev);
+ return r;
++ }
+
+ /* new gpu have virtual address space support */
+ if (rdev->family >= CHIP_CAYMAN) {
+--
+2.25.1
+
--- /dev/null
+From c2ada369a98e83e98a0a6f1d30174d197170a062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 13:42:32 +0300
+Subject: drm/tilcdc: fix leak & null ref in panel_connector_get_modes
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ]
+
+If videomode_from_timings() returns true, the mode allocated with
+drm_mode_create will be leaked.
+
+Also, the return value of drm_mode_create() is never checked, and thus
+could cause NULL deref.
+
+Fix these two issues.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com
+Reviewed-by: Jyri Sarha <jsarha@ti.com>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tilcdc/tilcdc_panel.c b/drivers/gpu/drm/tilcdc/tilcdc_panel.c
+index 2134bb20fbe9d..2836154dbb126 100644
+--- a/drivers/gpu/drm/tilcdc/tilcdc_panel.c
++++ b/drivers/gpu/drm/tilcdc/tilcdc_panel.c
+@@ -159,12 +159,16 @@ static int panel_connector_get_modes(struct drm_connector *connector)
+ int i;
+
+ for (i = 0; i < timings->num_timings; i++) {
+- struct drm_display_mode *mode = drm_mode_create(dev);
++ struct drm_display_mode *mode;
+ struct videomode vm;
+
+ if (videomode_from_timings(timings, &vm, i))
+ break;
+
++ mode = drm_mode_create(dev);
++ if (!mode)
++ break;
++
+ drm_display_mode_from_videomode(&vm, mode);
+
+ mode->type = DRM_MODE_TYPE_DRIVER;
+--
+2.25.1
+
--- /dev/null
+From 1a90d19b8f28737b504bdfd6a38caf099103cee6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jul 2020 17:10:47 -0600
+Subject: dyndbg: fix a BUG_ON in ddebug_describe_flags
+
+From: Jim Cromie <jim.cromie@gmail.com>
+
+[ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ]
+
+ddebug_describe_flags() currently fills a caller provided string buffer,
+after testing its size (also passed) in a BUG_ON. Fix this by
+replacing them with a known-big-enough string buffer wrapped in a
+struct, and passing that instead.
+
+Also simplify ddebug_describe_flags() flags parameter from a struct to
+a member in that struct, and hoist the member deref up to the caller.
+This makes the function reusable (soon) where flags are unpacked.
+
+Acked-by: <jbaron@akamai.com>
+Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
+Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/dynamic_debug.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
+index c7c96bc7654af..91c451e0f4741 100644
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -85,22 +85,22 @@ static struct { unsigned flag:8; char opt_char; } opt_array[] = {
+ { _DPRINTK_FLAGS_NONE, '_' },
+ };
+
++struct flagsbuf { char buf[ARRAY_SIZE(opt_array)+1]; };
++
+ /* format a string into buf[] which describes the _ddebug's flags */
+-static char *ddebug_describe_flags(struct _ddebug *dp, char *buf,
+- size_t maxlen)
++static char *ddebug_describe_flags(unsigned int flags, struct flagsbuf *fb)
+ {
+- char *p = buf;
++ char *p = fb->buf;
+ int i;
+
+- BUG_ON(maxlen < 6);
+ for (i = 0; i < ARRAY_SIZE(opt_array); ++i)
+- if (dp->flags & opt_array[i].flag)
++ if (flags & opt_array[i].flag)
+ *p++ = opt_array[i].opt_char;
+- if (p == buf)
++ if (p == fb->buf)
+ *p++ = '_';
+ *p = '\0';
+
+- return buf;
++ return fb->buf;
+ }
+
+ #define vpr_info(fmt, ...) \
+@@ -142,7 +142,7 @@ static int ddebug_change(const struct ddebug_query *query,
+ struct ddebug_table *dt;
+ unsigned int newflags;
+ unsigned int nfound = 0;
+- char flagbuf[10];
++ struct flagsbuf fbuf;
+
+ /* search for matching ddebugs */
+ mutex_lock(&ddebug_lock);
+@@ -199,8 +199,7 @@ static int ddebug_change(const struct ddebug_query *query,
+ vpr_info("changed %s:%d [%s]%s =%s\n",
+ trim_prefix(dp->filename), dp->lineno,
+ dt->mod_name, dp->function,
+- ddebug_describe_flags(dp, flagbuf,
+- sizeof(flagbuf)));
++ ddebug_describe_flags(dp->flags, &fbuf));
+ }
+ }
+ mutex_unlock(&ddebug_lock);
+@@ -779,7 +778,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p)
+ {
+ struct ddebug_iter *iter = m->private;
+ struct _ddebug *dp = p;
+- char flagsbuf[10];
++ struct flagsbuf flags;
+
+ vpr_info("called m=%p p=%p\n", m, p);
+
+@@ -792,7 +791,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p)
+ seq_printf(m, "%s:%u [%s]%s =%s \"",
+ trim_prefix(dp->filename), dp->lineno,
+ iter->table->mod_name, dp->function,
+- ddebug_describe_flags(dp, flagsbuf, sizeof(flagsbuf)));
++ ddebug_describe_flags(dp->flags, &flags));
+ seq_escape(m, dp->format, "\t\r\n\"");
+ seq_puts(m, "\"\n");
+
+--
+2.25.1
+
--- /dev/null
+From cc2883bdabef8c4ccfaa88b004d7d7c617d8ce1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 15:22:37 -0500
+Subject: EDAC: Fix reference count leaks
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ]
+
+When kobject_init_and_add() returns an error, it should be handled
+because kobject_init_and_add() takes a reference even when it fails. If
+this function returns an error, kobject_put() must be called to properly
+clean up the memory associated with the object.
+
+Therefore, replace calling kfree() and call kobject_put() and add a
+missing kobject_put() in the edac_device_register_sysfs_main_kobj()
+error path.
+
+ [ bp: Massage and merge into a single patch. ]
+
+Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu
+Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_device_sysfs.c | 1 +
+ drivers/edac/edac_pci_sysfs.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c
+index 93da1a45c7161..470b02fc2de96 100644
+--- a/drivers/edac/edac_device_sysfs.c
++++ b/drivers/edac/edac_device_sysfs.c
+@@ -275,6 +275,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev)
+
+ /* Error exit stack */
+ err_kobj_reg:
++ kobject_put(&edac_dev->kobj);
+ module_put(edac_dev->owner);
+
+ err_out:
+diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
+index 6e3428ba400f3..622d117e25335 100644
+--- a/drivers/edac/edac_pci_sysfs.c
++++ b/drivers/edac/edac_pci_sysfs.c
+@@ -386,7 +386,7 @@ static int edac_pci_main_kobj_setup(void)
+
+ /* Error unwind statck */
+ kobject_init_and_add_fail:
+- kfree(edac_pci_top_main_kobj);
++ kobject_put(edac_pci_top_main_kobj);
+
+ kzalloc_fail:
+ module_put(THIS_MODULE);
+--
+2.25.1
+
--- /dev/null
+From 2334ce1ec17b80b8b127089413acb817e26bce42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 14:15:37 -0700
+Subject: fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ]
+
+Very large I/Os can cause the following RCU CPU stall warning:
+
+RIP: 0010:rb_prev+0x8/0x50
+Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c =
+89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48
+RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13
+RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0
+RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630
+RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238
+R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001
+R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0
+ __lookup_extent_mapping+0xa0/0x110
+ try_release_extent_mapping+0xdc/0x220
+ btrfs_releasepage+0x45/0x70
+ shrink_page_list+0xa39/0xb30
+ shrink_inactive_list+0x18f/0x3b0
+ shrink_lruvec+0x38e/0x6b0
+ shrink_node+0x14d/0x690
+ do_try_to_free_pages+0xc6/0x3e0
+ try_to_free_mem_cgroup_pages+0xe6/0x1e0
+ reclaim_high.constprop.73+0x87/0xc0
+ mem_cgroup_handle_over_high+0x66/0x150
+ exit_to_usermode_loop+0x82/0xd0
+ do_syscall_64+0xd4/0x100
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+On a PREEMPT=n kernel, the try_release_extent_mapping() function's
+"while" loop might run for a very long time on a large I/O. This commit
+therefore adds a cond_resched() to this loop, providing RCU any needed
+quiescent states.
+
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent_io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 8c0ff985c1919..fa22bb29eee6f 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4340,6 +4340,8 @@ int try_release_extent_mapping(struct extent_map_tree *map,
+
+ /* once for us */
+ free_extent_map(em);
++
++ cond_resched(); /* Allow large-extent preemption. */
+ }
+ }
+ return try_release_extent_state(map, tree, page, mask);
+--
+2.25.1
+
--- /dev/null
+From 62819d4603a3e01d7e5d5dcf59c832ae04ce5ab9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 10:07:33 +0300
+Subject: fsl/fman: check dereferencing null pointer
+
+From: Florinel Iordache <florinel.iordache@nxp.com>
+
+[ Upstream commit cc5d229a122106733a85c279d89d7703f21e4d4f ]
+
+Add a safe check to avoid dereferencing null pointer
+
+Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support")
+Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/fman_dtsec.c | 4 ++--
+ drivers/net/ethernet/freescale/fman/fman_memac.c | 2 +-
+ drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/fman_dtsec.c b/drivers/net/ethernet/freescale/fman/fman_dtsec.c
+index 641b916f122ba..332b60f03d225 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c
++++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c
+@@ -1095,7 +1095,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr)
+ list_for_each(pos,
+ &dtsec->multicast_addr_hash->lsts[bucket]) {
+ hash_entry = ETH_HASH_ENTRY_OBJ(pos);
+- if (hash_entry->addr == addr) {
++ if (hash_entry && hash_entry->addr == addr) {
+ list_del_init(&hash_entry->node);
+ kfree(hash_entry);
+ break;
+@@ -1108,7 +1108,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr)
+ list_for_each(pos,
+ &dtsec->unicast_addr_hash->lsts[bucket]) {
+ hash_entry = ETH_HASH_ENTRY_OBJ(pos);
+- if (hash_entry->addr == addr) {
++ if (hash_entry && hash_entry->addr == addr) {
+ list_del_init(&hash_entry->node);
+ kfree(hash_entry);
+ break;
+diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c
+index 3e5b40c831558..4b0be0cebd199 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_memac.c
++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c
+@@ -952,7 +952,7 @@ int memac_del_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr)
+
+ list_for_each(pos, &memac->multicast_addr_hash->lsts[hash]) {
+ hash_entry = ETH_HASH_ENTRY_OBJ(pos);
+- if (hash_entry->addr == addr) {
++ if (hash_entry && hash_entry->addr == addr) {
+ list_del_init(&hash_entry->node);
+ kfree(hash_entry);
+ break;
+diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c
+index e575259d20f40..c8ad9b8a75f8e 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c
++++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c
+@@ -585,7 +585,7 @@ int tgec_del_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr)
+
+ list_for_each(pos, &tgec->multicast_addr_hash->lsts[hash]) {
+ hash_entry = ETH_HASH_ENTRY_OBJ(pos);
+- if (hash_entry->addr == addr) {
++ if (hash_entry && hash_entry->addr == addr) {
+ list_del_init(&hash_entry->node);
+ kfree(hash_entry);
+ break;
+--
+2.25.1
+
--- /dev/null
+From f9516b933f37e234dccfea53813cf2dcf1bde76b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 10:07:31 +0300
+Subject: fsl/fman: fix dereference null return value
+
+From: Florinel Iordache <florinel.iordache@nxp.com>
+
+[ Upstream commit 0572054617f32670abab4b4e89a876954d54b704 ]
+
+Check before using returned value to avoid dereferencing null pointer.
+
+Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support")
+Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/fman_port.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/fman_port.c b/drivers/net/ethernet/freescale/fman/fman_port.c
+index 9f3bb50a23651..4986f6ba278a3 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_port.c
++++ b/drivers/net/ethernet/freescale/fman/fman_port.c
+@@ -1623,6 +1623,7 @@ static int fman_port_probe(struct platform_device *of_dev)
+ struct fman_port *port;
+ struct fman *fman;
+ struct device_node *fm_node, *port_node;
++ struct platform_device *fm_pdev;
+ struct resource res;
+ struct resource *dev_res;
+ u32 val;
+@@ -1647,8 +1648,14 @@ static int fman_port_probe(struct platform_device *of_dev)
+ goto return_err;
+ }
+
+- fman = dev_get_drvdata(&of_find_device_by_node(fm_node)->dev);
++ fm_pdev = of_find_device_by_node(fm_node);
+ of_node_put(fm_node);
++ if (!fm_pdev) {
++ err = -EINVAL;
++ goto return_err;
++ }
++
++ fman = dev_get_drvdata(&fm_pdev->dev);
+ if (!fman) {
+ err = -EINVAL;
+ goto return_err;
+--
+2.25.1
+
--- /dev/null
+From 243387c98ed5a16ba6d6bb8d0304bebdcb5760d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 10:07:34 +0300
+Subject: fsl/fman: fix eth hash table allocation
+
+From: Florinel Iordache <florinel.iordache@nxp.com>
+
+[ Upstream commit 3207f715c34317d08e798e11a10ce816feb53c0f ]
+
+Fix memory allocation for ethernet address hash table.
+The code was wrongly allocating an array for eth hash table which
+is incorrect because this is the main structure for eth hash table
+(struct eth_hash_t) that contains inside a number of elements.
+
+Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support")
+Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/fman_mac.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/fman_mac.h b/drivers/net/ethernet/freescale/fman/fman_mac.h
+index dd6d0526f6c1f..19f327efdaff3 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_mac.h
++++ b/drivers/net/ethernet/freescale/fman/fman_mac.h
+@@ -252,7 +252,7 @@ static inline struct eth_hash_t *alloc_hash_table(u16 size)
+ struct eth_hash_t *hash;
+
+ /* Allocate address hash table */
+- hash = kmalloc_array(size, sizeof(struct eth_hash_t *), GFP_KERNEL);
++ hash = kmalloc(sizeof(*hash), GFP_KERNEL);
+ if (!hash)
+ return NULL;
+
+--
+2.25.1
+
--- /dev/null
+From edc10d43e0762d5c4b59964fd0ee863479a6479b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 10:07:32 +0300
+Subject: fsl/fman: fix unreachable code
+
+From: Florinel Iordache <florinel.iordache@nxp.com>
+
+[ Upstream commit cc79fd8f557767de90ff199d3b6fb911df43160a ]
+
+The parameter 'priority' is incorrectly forced to zero which ultimately
+induces logically dead code in the subsequent lines.
+
+Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support")
+Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/fman_memac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c
+index c30994a09a7c2..3e5b40c831558 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_memac.c
++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c
+@@ -851,7 +851,6 @@ int memac_set_tx_pause_frames(struct fman_mac *memac, u8 priority,
+
+ tmp = ioread32be(®s->command_config);
+ tmp &= ~CMD_CFG_PFC_MODE;
+- priority = 0;
+
+ iowrite32be(tmp, ®s->command_config);
+
+--
+2.25.1
+
--- /dev/null
+From 7bac1c942124c52fdc54e654cd78d9e35a63382e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 10:07:30 +0300
+Subject: fsl/fman: use 32-bit unsigned integer
+
+From: Florinel Iordache <florinel.iordache@nxp.com>
+
+[ Upstream commit 99f47abd9f7bf6e365820d355dc98f6955a562df ]
+
+Potentially overflowing expression (ts_freq << 16 and intgr << 16)
+declared as type u32 (32-bit unsigned) is evaluated using 32-bit
+arithmetic and then used in a context that expects an expression of
+type u64 (64-bit unsigned) which ultimately is used as 16-bit
+unsigned by typecasting to u16. Fixed by using an unsigned 32-bit
+integer since the value is truncated anyway in the end.
+
+Fixes: 414fd46e7762 ("fsl/fman: Add FMan support")
+Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/fman.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c
+index 380c4a2f65161..6a11f9916116c 100644
+--- a/drivers/net/ethernet/freescale/fman/fman.c
++++ b/drivers/net/ethernet/freescale/fman/fman.c
+@@ -1446,8 +1446,7 @@ static void enable_time_stamp(struct fman *fman)
+ {
+ struct fman_fpm_regs __iomem *fpm_rg = fman->fpm_regs;
+ u16 fm_clk_freq = fman->state->fm_clk_freq;
+- u32 tmp, intgr, ts_freq;
+- u64 frac;
++ u32 tmp, intgr, ts_freq, frac;
+
+ ts_freq = (u32)(1 << fman->state->count1_micro_bit);
+ /* configure timestamp so that bit 8 will count 1 microsecond
+--
+2.25.1
+
--- /dev/null
+From 883203b9d693d74ef537811b14e12798105c7db9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 18:15:52 +0200
+Subject: iio: improve IIO_CONCENTRATION channel type description
+
+From: Tomasz Duszynski <tomasz.duszynski@octakon.com>
+
+[ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ]
+
+IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting
+raw concentrations of pollutants. Raw value should be meaningless
+before being properly scaled. Because of that description shouldn't
+mention raw value unit whatsoever.
+
+Fix this by rephrasing existing description so it follows conventions
+used throughout IIO ABI docs.
+
+Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type")
+Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-iio | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio
+index 0406076e44059..743ffbcc6b5f0 100644
+--- a/Documentation/ABI/testing/sysfs-bus-iio
++++ b/Documentation/ABI/testing/sysfs-bus-iio
+@@ -1491,7 +1491,8 @@ What: /sys/bus/iio/devices/iio:deviceX/in_concentrationX_voc_raw
+ KernelVersion: 4.3
+ Contact: linux-iio@vger.kernel.org
+ Description:
+- Raw (unscaled no offset etc.) percentage reading of a substance.
++ Raw (unscaled no offset etc.) reading of a substance. Units
++ after application of scale and offset are percents.
+
+ What: /sys/bus/iio/devices/iio:deviceX/in_resistance_raw
+ What: /sys/bus/iio/devices/iio:deviceX/in_resistanceX_raw
+--
+2.25.1
+
--- /dev/null
+From 184c72ec3d3d42f66148f2b4fb491c01bfb232f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jul 2020 19:55:27 +0200
+Subject: iwlegacy: Check the return value of pcie_capability_read_*()
+
+From: Bolarinwa Olayemi Saheed <refactormyself@gmail.com>
+
+[ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ]
+
+On failure pcie_capability_read_dword() sets it's last parameter, val
+to 0. However, with Patch 14/14, it is possible that val is set to ~0 on
+failure. This would introduce a bug because (x & x) == (~0 & x).
+
+This bug can be avoided without changing the function's behaviour if the
+return value of pcie_capability_read_dword is checked to confirm success.
+
+Check the return value of pcie_capability_read_dword() to ensure success.
+
+Suggested-by: Bjorn Helgaas <bjorn@helgaas.com>
+Signed-off-by: Bolarinwa Olayemi Saheed <refactormyself@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlegacy/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c
+index db2373fe8ac32..55573d090503b 100644
+--- a/drivers/net/wireless/intel/iwlegacy/common.c
++++ b/drivers/net/wireless/intel/iwlegacy/common.c
+@@ -4302,8 +4302,8 @@ il_apm_init(struct il_priv *il)
+ * power savings, even without L1.
+ */
+ if (il->cfg->set_l0s) {
+- pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl);
+- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) {
++ ret = pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl);
++ if (!ret && (lctl & PCI_EXP_LNKCTL_ASPM_L1)) {
+ /* L1-ASPM enabled; disable(!) L0S */
+ il_set_bit(il, CSR_GIO_REG,
+ CSR_GIO_REG_VAL_L0S_ENABLED);
+--
+2.25.1
+
--- /dev/null
+From f8c0bf35d061b84307bfee78133a19aa424d14b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 13:45:00 +0800
+Subject: leds: core: Flush scheduled work for system suspend
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ]
+
+Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon
+system suspend.
+
+led_set_brightness_nopm() uses schedule_work() to set LED brightness.
+However, there's no guarantee that the scheduled work gets executed
+because no one flushes the work.
+
+So flush the scheduled work to make sure LED gets turned off.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Acked-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Fixes: 81fe8e5b73e3 ("leds: core: Add led_set_brightness_nosleep{nopm} functions")
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/led-class.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c
+index aa84e5b375931..7d3f23bad88dd 100644
+--- a/drivers/leds/led-class.c
++++ b/drivers/leds/led-class.c
+@@ -110,6 +110,7 @@ void led_classdev_suspend(struct led_classdev *led_cdev)
+ {
+ led_cdev->flags |= LED_SUSPENDED;
+ led_set_brightness_nopm(led_cdev, 0);
++ flush_work(&led_cdev->set_brightness_work);
+ }
+ EXPORT_SYMBOL_GPL(led_classdev_suspend);
+
+--
+2.25.1
+
--- /dev/null
+From 0e283d88b3a05cf584456416b325776899363bef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 16:19:17 +0200
+Subject: leds: lm355x: avoid enum conversion warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ]
+
+clang points out that doing arithmetic between diffent enums is usually
+a mistake:
+
+drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion]
+ reg_val = pdata->pin_tx2 | pdata->ntc_pin;
+ ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
+drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion]
+ reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode;
+ ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
+
+In this driver, it is intentional, so add a cast to hide the false-positive
+warning. It appears to be the only instance of this warning at the moment.
+
+Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lm355x.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/leds/leds-lm355x.c b/drivers/leds/leds-lm355x.c
+index 6cb94f9a2f3f3..b9c60dd2b1327 100644
+--- a/drivers/leds/leds-lm355x.c
++++ b/drivers/leds/leds-lm355x.c
+@@ -168,18 +168,19 @@ static int lm355x_chip_init(struct lm355x_chip_data *chip)
+ /* input and output pins configuration */
+ switch (chip->type) {
+ case CHIP_LM3554:
+- reg_val = pdata->pin_tx2 | pdata->ntc_pin;
++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin;
+ ret = regmap_update_bits(chip->regmap, 0xE0, 0x28, reg_val);
+ if (ret < 0)
+ goto out;
+- reg_val = pdata->pass_mode;
++ reg_val = (u32)pdata->pass_mode;
+ ret = regmap_update_bits(chip->regmap, 0xA0, 0x04, reg_val);
+ if (ret < 0)
+ goto out;
+ break;
+
+ case CHIP_LM3556:
+- reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode;
++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin |
++ (u32)pdata->pass_mode;
+ ret = regmap_update_bits(chip->regmap, 0x0A, 0xC4, reg_val);
+ if (ret < 0)
+ goto out;
+--
+2.25.1
+
--- /dev/null
+From 0b39a5bbc420c8154b145fad4bb85dbade4dab34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 May 2020 09:12:13 +1000
+Subject: m68k: mac: Don't send IOP message until channel is idle
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ]
+
+In the following sequence of calls, iop_do_send() gets called when the
+"send" channel is not in the IOP_MSG_IDLE state:
+
+ iop_ism_irq()
+ iop_handle_send()
+ (msg->handler)()
+ iop_send_message()
+ iop_do_send()
+
+Avoid this by testing the channel state before calling iop_do_send().
+
+When sending, and iop_send_queue is empty, call iop_do_send() because
+the channel is idle. If iop_send_queue is not empty, iop_do_send() will
+get called later by iop_handle_send().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Cc: Joshua Thompson <funaho@jurai.org>
+Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/mac/iop.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c
+index 7990b6f50105b..8209a74fbdebc 100644
+--- a/arch/m68k/mac/iop.c
++++ b/arch/m68k/mac/iop.c
+@@ -416,7 +416,8 @@ static void iop_handle_send(uint iop_num, uint chan)
+ iop_free_msg(msg2);
+
+ iop_send_queue[iop_num][chan] = msg;
+- if (msg) iop_do_send(msg);
++ if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE)
++ iop_do_send(msg);
+ }
+
+ /*
+@@ -497,16 +498,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata,
+
+ if (!(q = iop_send_queue[iop_num][chan])) {
+ iop_send_queue[iop_num][chan] = msg;
++ iop_do_send(msg);
+ } else {
+ while (q->next) q = q->next;
+ q->next = msg;
+ }
+
+- if (iop_readb(iop_base[iop_num],
+- IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) {
+- iop_do_send(msg);
+- }
+-
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 348af00ae37d90bf15fdb23e1ed8c17db9acc874 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 May 2020 09:12:13 +1000
+Subject: m68k: mac: Fix IOP status/control register writes
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ]
+
+When writing values to the IOP status/control register make sure those
+values do not have any extraneous bits that will clear interrupt flags.
+
+To place the SCC IOP into bypass mode would be desirable but this is not
+achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS
+to the control register. Drop this ineffective register write.
+
+Remove the flawed and unused iop_bypass() function. Make use of the
+unused iop_stop() function.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Cc: Joshua Thompson <funaho@jurai.org>
+Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/mac/iop.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c
+index 8209a74fbdebc..cb516cacc819b 100644
+--- a/arch/m68k/mac/iop.c
++++ b/arch/m68k/mac/iop.c
+@@ -173,7 +173,7 @@ static __inline__ void iop_writeb(volatile struct mac_iop *iop, __u16 addr, __u8
+
+ static __inline__ void iop_stop(volatile struct mac_iop *iop)
+ {
+- iop->status_ctrl &= ~IOP_RUN;
++ iop->status_ctrl = IOP_AUTOINC;
+ }
+
+ static __inline__ void iop_start(volatile struct mac_iop *iop)
+@@ -181,14 +181,9 @@ static __inline__ void iop_start(volatile struct mac_iop *iop)
+ iop->status_ctrl = IOP_RUN | IOP_AUTOINC;
+ }
+
+-static __inline__ void iop_bypass(volatile struct mac_iop *iop)
+-{
+- iop->status_ctrl |= IOP_BYPASS;
+-}
+-
+ static __inline__ void iop_interrupt(volatile struct mac_iop *iop)
+ {
+- iop->status_ctrl |= IOP_IRQ;
++ iop->status_ctrl = IOP_IRQ | IOP_RUN | IOP_AUTOINC;
+ }
+
+ static int iop_alive(volatile struct mac_iop *iop)
+@@ -239,7 +234,6 @@ void __init iop_preinit(void)
+ } else {
+ iop_base[IOP_NUM_SCC] = (struct mac_iop *) SCC_IOP_BASE_QUADRA;
+ }
+- iop_base[IOP_NUM_SCC]->status_ctrl = 0x87;
+ iop_scc_present = 1;
+ } else {
+ iop_base[IOP_NUM_SCC] = NULL;
+@@ -251,7 +245,7 @@ void __init iop_preinit(void)
+ } else {
+ iop_base[IOP_NUM_ISM] = (struct mac_iop *) ISM_IOP_BASE_QUADRA;
+ }
+- iop_base[IOP_NUM_ISM]->status_ctrl = 0;
++ iop_stop(iop_base[IOP_NUM_ISM]);
+ iop_ism_present = 1;
+ } else {
+ iop_base[IOP_NUM_ISM] = NULL;
+--
+2.25.1
+
--- /dev/null
+From 43813930b76c66819c8a6f846743c95140a5c575 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jul 2020 11:29:29 +0800
+Subject: md-cluster: fix wild pointer of unlock_all_bitmaps()
+
+From: Zhao Heming <heming.zhao@suse.com>
+
+[ Upstream commit 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 ]
+
+reproduction steps:
+```
+node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda
+/dev/sdb
+node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb
+node1 # mdadm -G /dev/md0 -b none
+mdadm: failed to remove clustered bitmap.
+node1 # mdadm -S --scan
+^C <==== mdadm hung & kernel crash
+```
+
+kernel stack:
+```
+[ 335.230657] general protection fault: 0000 [#1] SMP NOPTI
+[...]
+[ 335.230848] Call Trace:
+[ 335.230873] ? unlock_all_bitmaps+0x5/0x70 [md_cluster]
+[ 335.230886] unlock_all_bitmaps+0x3d/0x70 [md_cluster]
+[ 335.230899] leave+0x10f/0x190 [md_cluster]
+[ 335.230932] ? md_super_wait+0x93/0xa0 [md_mod]
+[ 335.230947] ? leave+0x5/0x190 [md_cluster]
+[ 335.230973] md_cluster_stop+0x1a/0x30 [md_mod]
+[ 335.230999] md_bitmap_free+0x142/0x150 [md_mod]
+[ 335.231013] ? _cond_resched+0x15/0x40
+[ 335.231025] ? mutex_lock+0xe/0x30
+[ 335.231056] __md_stop+0x1c/0xa0 [md_mod]
+[ 335.231083] do_md_stop+0x160/0x580 [md_mod]
+[ 335.231119] ? 0xffffffffc05fb078
+[ 335.231148] md_ioctl+0xa04/0x1930 [md_mod]
+[ 335.231165] ? filename_lookup+0xf2/0x190
+[ 335.231179] blkdev_ioctl+0x93c/0xa10
+[ 335.231205] ? _cond_resched+0x15/0x40
+[ 335.231214] ? __check_object_size+0xd4/0x1a0
+[ 335.231224] block_ioctl+0x39/0x40
+[ 335.231243] do_vfs_ioctl+0xa0/0x680
+[ 335.231253] ksys_ioctl+0x70/0x80
+[ 335.231261] __x64_sys_ioctl+0x16/0x20
+[ 335.231271] do_syscall_64+0x65/0x1f0
+[ 335.231278] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+```
+
+Signed-off-by: Zhao Heming <heming.zhao@suse.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-cluster.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c
+index e870b09b2c84d..d08c63aaf10bb 100644
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -1234,6 +1234,7 @@ static void unlock_all_bitmaps(struct mddev *mddev)
+ }
+ }
+ kfree(cinfo->other_bitmap_lockres);
++ cinfo->other_bitmap_lockres = NULL;
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From e1cc6730b8c1c62cefb6344ee112354a3c177181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 08:41:47 +0200
+Subject: media: exynos4-is: Add missed check for pinctrl_lookup_state()
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ]
+
+fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state().
+Add the missed check to fix it.
+
+Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/media-dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
+index ef6ccb5b89525..cdaf3a8e2555e 100644
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -1257,6 +1257,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd)
+
+ pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl,
+ PINCTRL_STATE_IDLE);
++ if (IS_ERR(pctl->state_idle))
++ return PTR_ERR(pctl->state_idle);
++
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 40f1b13ebd9cd79800eefae30288163dec685c54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 16:40:22 +0200
+Subject: media: firewire: Using uninitialized values in node_probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ]
+
+If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So
+then the "strlen(model_names[i]) <= name_len" is true because strlen()
+is unsigned and -ENOENT is type promoted to a very high positive value.
+Then the "strncmp(name, model_names[i], name_len)" uses uninitialized
+data because "name" is uninitialized.
+
+Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/firewire/firedtv-fw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c
+index 247f0e7cb5f7f..5d634706a7eaa 100644
+--- a/drivers/media/firewire/firedtv-fw.c
++++ b/drivers/media/firewire/firedtv-fw.c
+@@ -271,6 +271,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
+
+ name_len = fw_csr_string(unit->directory, CSR_MODEL,
+ name, sizeof(name));
++ if (name_len < 0)
++ return name_len;
+ for (i = ARRAY_SIZE(model_names); --i; )
+ if (strlen(model_names[i]) <= name_len &&
+ strncmp(name, model_names[i], name_len) == 0)
+--
+2.25.1
+
--- /dev/null
+From 6d3f2c1fac83574f57895f714773762ec90d977b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2020 18:41:22 +0200
+Subject: media: omap3isp: Add missed v4l2_ctrl_handler_free() for
+ preview_init_entities()
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ]
+
+preview_init_entities() does not call v4l2_ctrl_handler_free() when
+it fails.
+Add the missed function to fix it.
+
+Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/isppreview.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c
+index e981eb2330f18..ac005ae4d21b4 100644
+--- a/drivers/media/platform/omap3isp/isppreview.c
++++ b/drivers/media/platform/omap3isp/isppreview.c
+@@ -2290,7 +2290,7 @@ static int preview_init_entities(struct isp_prev_device *prev)
+ me->ops = &preview_media_ops;
+ ret = media_entity_pads_init(me, PREV_PADS_NUM, pads);
+ if (ret < 0)
+- return ret;
++ goto error_handler_free;
+
+ preview_init_formats(sd, NULL);
+
+@@ -2323,6 +2323,8 @@ static int preview_init_entities(struct isp_prev_device *prev)
+ omap3isp_video_cleanup(&prev->video_in);
+ error_video_in:
+ media_entity_cleanup(&prev->subdev.entity);
++error_handler_free:
++ v4l2_ctrl_handler_free(&prev->ctrls);
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 3f72d4b77f5eec8207f851790c09f0aefbbb6b67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 16:46:10 -0700
+Subject: mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ]
+
+A large process running on a heavily loaded system can encounter the
+following RCU CPU stall warning:
+
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu: 3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190
+ (t=21013 jiffies g=1005461 q=132576)
+ NMI backtrace for cpu 3
+ CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1
+ Hardware name: Wiwynn HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016
+ Call Trace:
+ <IRQ>
+ dump_stack+0x46/0x60
+ nmi_cpu_backtrace.cold.3+0x13/0x50
+ ? lapic_can_unplug_cpu.cold.27+0x34/0x34
+ nmi_trigger_cpumask_backtrace+0xba/0xca
+ rcu_dump_cpu_stacks+0x99/0xc7
+ rcu_sched_clock_irq.cold.87+0x1aa/0x397
+ ? tick_sched_do_timer+0x60/0x60
+ update_process_times+0x28/0x60
+ tick_sched_timer+0x37/0x70
+ __hrtimer_run_queues+0xfe/0x270
+ hrtimer_interrupt+0xf4/0x210
+ smp_apic_timer_interrupt+0x5e/0x120
+ apic_timer_interrupt+0xf/0x20
+ </IRQ>
+ RIP: 0010:kmem_cache_free+0x223/0x300
+ Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65
+ RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
+ RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030
+ RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18
+ RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff
+ R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f
+ R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00
+ ? remove_vma+0x4f/0x60
+ remove_vma+0x4f/0x60
+ exit_mmap+0xd6/0x160
+ mmput+0x4a/0x110
+ do_exit+0x278/0xae0
+ ? syscall_trace_enter+0x1d3/0x2b0
+ ? handle_mm_fault+0xaa/0x1c0
+ do_group_exit+0x3a/0xa0
+ __x64_sys_exit_group+0x14/0x20
+ do_syscall_64+0x42/0x100
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run
+for a very long time given a large process. This commit therefore adds
+a cond_resched() to this loop, providing RCU any needed quiescent states.
+
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: <linux-mm@kvack.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/mmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index d221266d100f4..7109f886e739e 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -3018,6 +3018,7 @@ void exit_mmap(struct mm_struct *mm)
+ if (vma->vm_flags & VM_ACCOUNT)
+ nr_accounted += vma_pages(vma);
+ vma = remove_vma(vma);
++ cond_resched();
+ }
+ vm_unacct_memory(nr_accounted);
+ }
+--
+2.25.1
+
--- /dev/null
+From dc2c8439ddab2c841c1307f0c0243b320f091e55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 14:58:57 +0300
+Subject: mwifiex: Prevent memory corruption handling keys
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ]
+
+The length of the key comes from the network and it's a 16 bit number. It
+needs to be capped to prevent a buffer overflow.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/marvell/mwifiex/sta_cmdresp.c | 22 +++++++++++++------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+index 8548027abf71b..1e26936c0d727 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+@@ -586,6 +586,11 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv,
+ {
+ struct host_cmd_ds_802_11_key_material *key =
+ &resp->params.key_material;
++ int len;
++
++ len = le16_to_cpu(key->key_param_set.key_len);
++ if (len > sizeof(key->key_param_set.key))
++ return -EINVAL;
+
+ if (le16_to_cpu(key->action) == HostCmd_ACT_GEN_SET) {
+ if ((le16_to_cpu(key->key_param_set.key_info) & KEY_MCAST)) {
+@@ -599,9 +604,8 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv,
+
+ memset(priv->aes_key.key_param_set.key, 0,
+ sizeof(key->key_param_set.key));
+- priv->aes_key.key_param_set.key_len = key->key_param_set.key_len;
+- memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key,
+- le16_to_cpu(priv->aes_key.key_param_set.key_len));
++ priv->aes_key.key_param_set.key_len = cpu_to_le16(len);
++ memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len);
+
+ return 0;
+ }
+@@ -616,9 +620,14 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+ struct host_cmd_ds_command *resp)
+ {
+ struct host_cmd_ds_802_11_key_material_v2 *key_v2;
+- __le16 len;
++ int len;
+
+ key_v2 = &resp->params.key_material_v2;
++
++ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
++ if (len > WLAN_KEY_LEN_CCMP)
++ return -EINVAL;
++
+ if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
+ if ((le16_to_cpu(key_v2->key_param_set.key_info) & KEY_MCAST)) {
+ mwifiex_dbg(priv->adapter, INFO, "info: key: GTK is set\n");
+@@ -634,10 +643,9 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+ memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
+ WLAN_KEY_LEN_CCMP);
+ priv->aes_key_v2.key_param_set.key_params.aes.key_len =
+- key_v2->key_param_set.key_params.aes.key_len;
+- len = priv->aes_key_v2.key_param_set.key_params.aes.key_len;
++ cpu_to_le16(len);
+ memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
+- key_v2->key_param_set.key_params.aes.key, le16_to_cpu(len));
++ key_v2->key_param_set.key_params.aes.key, len);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 03443c0301fac38ace85f8c05d6e45dd0bab433f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 15:53:33 +0200
+Subject: net: spider_net: Fix the size used in a 'dma_free_coherent()' call
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ]
+
+Update the size used in 'dma_free_coherent()' in order to match the one
+used in the corresponding 'dma_alloc_coherent()', in
+'spider_net_init_chain()'.
+
+Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/spider_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c
+index 1085987946212..9507ca2e02acd 100644
+--- a/drivers/net/ethernet/toshiba/spider_net.c
++++ b/drivers/net/ethernet/toshiba/spider_net.c
+@@ -296,8 +296,8 @@ spider_net_free_chain(struct spider_net_card *card,
+ descr = descr->next;
+ } while (descr != chain->ring);
+
+- dma_free_coherent(&card->pdev->dev, chain->num_desc,
+- chain->hwring, chain->dma_addr);
++ dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr),
++ chain->hwring, chain->dma_addr);
+ }
+
+ /**
+--
+2.25.1
+
--- /dev/null
+From 7b029b7b0eb117378e935d72ce1c9e9fd9788fcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 15:59:25 +0800
+Subject: PCI/ASPM: Add missing newline in sysfs 'policy'
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ]
+
+When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a
+newline for easy reading. Other sysfs attributes already include a
+newline.
+
+ [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy
+ [default] performance powersave powersupersave [root@localhost ~]#
+
+Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support")
+Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/aspm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
+index 75551a781e887..5eae5f35dcc7b 100644
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -832,6 +832,7 @@ static int pcie_aspm_get_policy(char *buffer, struct kernel_param *kp)
+ cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]);
+ else
+ cnt += sprintf(buffer + cnt, "%s ", policy_str[i]);
++ cnt += sprintf(buffer + cnt, "\n");
+ return cnt;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 750fbabe53594a1d0e127d47db36674d0f05d336 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jun 2020 18:14:55 -0500
+Subject: PCI: Fix pci_cfg_wait queue locking problem
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb ]
+
+The pci_cfg_wait queue is used to prevent user-space config accesses to
+devices while they are recovering from reset.
+
+Previously we used these operations on pci_cfg_wait:
+
+ __add_wait_queue(&pci_cfg_wait, ...)
+ __remove_wait_queue(&pci_cfg_wait, ...)
+ wake_up_all(&pci_cfg_wait)
+
+The wake_up acquires the wait queue lock, but the add and remove do not.
+
+Originally these were all protected by the pci_lock, but cdcb33f98244
+("PCI: Avoid possible deadlock on pci_lock and p->pi_lock"), moved
+wake_up_all() outside pci_lock, so it could race with add/remove
+operations, which caused occasional kernel panics, e.g., during vfio-pci
+hotplug/unplug testing:
+
+ Unable to handle kernel read from unreadable memory at virtual address ffff802dac469000
+
+Resolve this by using wait_event() instead of __add_wait_queue() and
+__remove_wait_queue(). The wait queue lock is held by both wait_event()
+and wake_up_all(), so it provides mutual exclusion.
+
+Fixes: cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock")
+Link: https://lore.kernel.org/linux-pci/79827f2f-9b43-4411-1376-b9063b67aee3@huawei.com/T/#u
+Based-on: https://lore.kernel.org/linux-pci/20191210031527.40136-1-zhengxiang9@huawei.com/
+Based-on-patch-by: Xiang Zheng <zhengxiang9@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Xiang Zheng <zhengxiang9@huawei.com>
+Cc: Heyi Guo <guoheyi@huawei.com>
+Cc: Biaoxiang Ye <yebiaoxiang@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/access.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/access.c b/drivers/pci/access.c
+index 7b5cf6d1181a9..6f2a07567532d 100644
+--- a/drivers/pci/access.c
++++ b/drivers/pci/access.c
+@@ -185,17 +185,13 @@ EXPORT_SYMBOL(pci_bus_set_ops);
+ static DECLARE_WAIT_QUEUE_HEAD(pci_cfg_wait);
+
+ static noinline void pci_wait_cfg(struct pci_dev *dev)
++ __must_hold(&pci_lock)
+ {
+- DECLARE_WAITQUEUE(wait, current);
+-
+- __add_wait_queue(&pci_cfg_wait, &wait);
+ do {
+- set_current_state(TASK_UNINTERRUPTIBLE);
+ raw_spin_unlock_irq(&pci_lock);
+- schedule();
++ wait_event(pci_cfg_wait, !dev->block_cfg_access);
+ raw_spin_lock_irq(&pci_lock);
+ } while (dev->block_cfg_access);
+- __remove_wait_queue(&pci_cfg_wait, &wait);
+ }
+
+ /* Returns 0 on success, negative values indicate error. */
+--
+2.25.1
+
--- /dev/null
+From c46a0c6b3859d05a4d5942fb0ade354f2536f6af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2020 14:51:43 +0200
+Subject: pinctrl-single: fix pcs_parse_pinconf() return value
+
+From: Drew Fustini <drew@beagleboard.org>
+
+[ Upstream commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f ]
+
+This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no
+pinctrl_map is added. The current behavior is to return 0 when
+!PCS_HAS_PINCONF or !nconfs. Thus pcs_parse_one_pinctrl_entry()
+incorrectly assumes that a map was added and sets num_maps = 2.
+
+Analysis:
+=========
+The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf()
+if PCS_HAS_PINCONF is enabled. The function pcs_parse_pinconf()
+returns 0 to indicate there was no error and num_maps is then set to 2:
+
+ 980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs,
+ 981 struct device_node *np,
+ 982 struct pinctrl_map **map,
+ 983 unsigned *num_maps,
+ 984 const char **pgnames)
+ 985 {
+<snip>
+1053 (*map)->type = PIN_MAP_TYPE_MUX_GROUP;
+1054 (*map)->data.mux.group = np->name;
+1055 (*map)->data.mux.function = np->name;
+1056
+1057 if (PCS_HAS_PINCONF && function) {
+1058 res = pcs_parse_pinconf(pcs, np, function, map);
+1059 if (res)
+1060 goto free_pingroups;
+1061 *num_maps = 2;
+1062 } else {
+1063 *num_maps = 1;
+1064 }
+
+However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or
+!nconfs. I believe these conditions should indicate that no map was
+added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry()
+will set num_maps = 2 even though no maps were successfully added, as
+it does not reach "m++" on line 940:
+
+ 895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
+ 896 struct pcs_function *func,
+ 897 struct pinctrl_map **map)
+ 898
+ 899 {
+ 900 struct pinctrl_map *m = *map;
+<snip>
+ 917 /* If pinconf isn't supported, don't parse properties in below. */
+ 918 if (!PCS_HAS_PINCONF)
+ 919 return 0;
+ 920
+ 921 /* cacluate how much properties are supported in current node */
+ 922 for (i = 0; i < ARRAY_SIZE(prop2); i++) {
+ 923 if (of_find_property(np, prop2[i].name, NULL))
+ 924 nconfs++;
+ 925 }
+ 926 for (i = 0; i < ARRAY_SIZE(prop4); i++) {
+ 927 if (of_find_property(np, prop4[i].name, NULL))
+ 928 nconfs++;
+ 929 }
+ 930 if (!nconfs)
+ 919 return 0;
+ 932
+ 933 func->conf = devm_kcalloc(pcs->dev,
+ 934 nconfs, sizeof(struct pcs_conf_vals),
+ 935 GFP_KERNEL);
+ 936 if (!func->conf)
+ 937 return -ENOMEM;
+ 938 func->nconfs = nconfs;
+ 939 conf = &(func->conf[0]);
+ 940 m++;
+
+This situtation will cause a boot failure [0] on the BeagleBone Black
+(AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi
+has compatible = "pinconf-single" instead of "pinctrl-single".
+
+The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF
+or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no
+map was added.
+
+Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish
+between -ENOSUPP and other errors. In the case of -ENOSUPP, num_maps
+is set to 1 as it is valid for pinconf to be enabled and a given pin
+group to not any pinconf properties.
+
+[0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/
+
+Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf")
+Signed-off-by: Drew Fustini <drew@beagleboard.org>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index bfdf720db270d..8769a579ecb13 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1078,7 +1078,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
+
+ /* If pinconf isn't supported, don't parse properties in below. */
+ if (!PCS_HAS_PINCONF)
+- return 0;
++ return -ENOTSUPP;
+
+ /* cacluate how much properties are supported in current node */
+ for (i = 0; i < ARRAY_SIZE(prop2); i++) {
+@@ -1090,7 +1090,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
+ nconfs++;
+ }
+ if (!nconfs)
+- return 0;
++ return -ENOTSUPP;
+
+ func->conf = devm_kzalloc(pcs->dev,
+ sizeof(struct pcs_conf_vals) * nconfs,
+@@ -1203,9 +1203,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs,
+
+ if (PCS_HAS_PINCONF) {
+ res = pcs_parse_pinconf(pcs, np, function, map);
+- if (res)
++ if (res == 0)
++ *num_maps = 2;
++ else if (res == -ENOTSUPP)
++ *num_maps = 1;
++ else
+ goto free_pingroups;
+- *num_maps = 2;
+ } else {
+ *num_maps = 1;
+ }
+--
+2.25.1
+
--- /dev/null
+From 8a1b801e6496ad989e02057a4c213c9c77f663e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 17:30:17 +0800
+Subject: platform/x86: intel-hid: Fix return value check in check_acpi_dev()
+
+From: Lu Wei <luwei32@huawei.com>
+
+[ Upstream commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 ]
+
+In the function check_acpi_dev(), if it fails to create
+platform device, the return value is ERR_PTR() or NULL.
+Thus it must use IS_ERR_OR_NULL() to check return value.
+
+Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Lu Wei <luwei32@huawei.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-hid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c
+index 12dbb50633761..a5c645b9e3f2a 100644
+--- a/drivers/platform/x86/intel-hid.c
++++ b/drivers/platform/x86/intel-hid.c
+@@ -264,7 +264,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv)
+ return AE_OK;
+
+ if (acpi_match_device_ids(dev, ids) == 0)
+- if (acpi_create_platform_device(dev, NULL))
++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL)))
+ dev_info(&dev->dev,
+ "intel-hid: created platform device\n");
+
+--
+2.25.1
+
--- /dev/null
+From f4aef07ec34ec823af2b46a0b7dbc37f415931bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 17:30:18 +0800
+Subject: platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()
+
+From: Lu Wei <luwei32@huawei.com>
+
+[ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ]
+
+In the function check_acpi_dev(), if it fails to create
+platform device, the return value is ERR_PTR() or NULL.
+Thus it must use IS_ERR_OR_NULL() to check return value.
+
+Fixes: 332e081225fc ("intel-vbtn: new driver for Intel Virtual Button")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Lu Wei <luwei32@huawei.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index a74340dff530e..1cf2a38add5f9 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -168,7 +168,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv)
+ return AE_OK;
+
+ if (acpi_match_device_ids(dev, ids) == 0)
+- if (acpi_create_platform_device(dev, NULL))
++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL)))
+ dev_info(&dev->dev,
+ "intel-vbtn: created platform device\n");
+
+--
+2.25.1
+
--- /dev/null
+From 7cb295a22fa38cf1a75194b3f7389c08dc85a4c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jul 2020 12:23:51 -0700
+Subject: power: supply: check if calc_soc succeeded in pm860x_init_battery
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ]
+
+clang static analysis flags this error
+
+88pm860x_battery.c:522:19: warning: Assigned value is
+ garbage or undefined [core.uninitialized.Assign]
+ info->start_soc = soc;
+ ^ ~~~
+soc is set by calling calc_soc.
+But calc_soc can return without setting soc.
+
+So check the return status and bail similarly to other
+checks in pm860x_init_battery and initialize soc to
+silence the warning.
+
+Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x")
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/88pm860x_battery.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/88pm860x_battery.c b/drivers/power/supply/88pm860x_battery.c
+index 63c57dc82ac1d..4eda5065b5bbc 100644
+--- a/drivers/power/supply/88pm860x_battery.c
++++ b/drivers/power/supply/88pm860x_battery.c
+@@ -436,7 +436,7 @@ static void pm860x_init_battery(struct pm860x_battery_info *info)
+ int ret;
+ int data;
+ int bat_remove;
+- int soc;
++ int soc = 0;
+
+ /* measure enable on GPADC1 */
+ data = MEAS1_GP1;
+@@ -499,7 +499,9 @@ static void pm860x_init_battery(struct pm860x_battery_info *info)
+ }
+ mutex_unlock(&info->lock);
+
+- calc_soc(info, OCV_MODE_ACTIVE, &soc);
++ ret = calc_soc(info, OCV_MODE_ACTIVE, &soc);
++ if (ret < 0)
++ goto out;
+
+ data = pm860x_reg_read(info->i2c, PM8607_POWER_UP_LOG);
+ bat_remove = data & BAT_WU_LOG;
+--
+2.25.1
+
--- /dev/null
+From 1d746fc8ca60906ad6772287be498913d6f47dba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jul 2020 09:37:04 +1000
+Subject: powerpc/vdso: Fix vdso cpu truncation
+
+From: Milton Miller <miltonm@us.ibm.com>
+
+[ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ]
+
+The code in vdso_cpu_init that exposes the cpu and numa node to
+userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means
+that any kernel running on a box with more than 4096 threads (NR_CPUS
+advertises a limit of of 8192 cpus) would expose userspace to two cpu
+contexts running at the same time with the same cpu number.
+
+Note: I'm not aware of any distro shipping a kernel with support for more
+than 4096 threads today, nor of any system image that currently exceeds
+4096 threads. Found via code browsing.
+
+Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu")
+Signed-off-by: Milton Miller <miltonm@us.ibm.com>
+Signed-off-by: Anton Blanchard <anton@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/vdso.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c
+index 4111d30badfad..d24aea160352b 100644
+--- a/arch/powerpc/kernel/vdso.c
++++ b/arch/powerpc/kernel/vdso.c
+@@ -704,7 +704,7 @@ int vdso_getcpu_init(void)
+ node = cpu_to_node(cpu);
+ WARN_ON_ONCE(node > 0xffff);
+
+- val = (cpu & 0xfff) | ((node & 0xffff) << 16);
++ val = (cpu & 0xffff) | ((node & 0xffff) << 16);
+ mtspr(SPRN_SPRG_VDSO_WRITE, val);
+ get_paca()->sprg_vdso = val;
+
+--
+2.25.1
+
--- /dev/null
+From 8bddf06df63dcfca9ae0c6ebd75bcd0ee02ae315 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 17:01:20 +0200
+Subject: s390/qeth: don't process empty bridge port events
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+[ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ]
+
+Discard events that don't contain any entries. This shouldn't happen,
+but subsequent code relies on being able to use entry 0. So better
+be safe than accessing garbage.
+
+Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_l2_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
+index 51152681aba6e..c878c87966163 100644
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1675,6 +1675,10 @@ static void qeth_bridge_state_change(struct qeth_card *card,
+ int extrasize;
+
+ QETH_CARD_TEXT(card, 2, "brstchng");
++ if (qports->num_entries == 0) {
++ QETH_CARD_TEXT(card, 2, "BPempty");
++ return;
++ }
+ if (qports->entry_length != sizeof(struct qeth_sbp_port_entry)) {
+ QETH_CARD_TEXT_(card, 2, "BPsz%04x", qports->entry_length);
+ return;
+--
+2.25.1
+
--- /dev/null
+From 61a7d210e61e5d37a2c124626e1d84cd887189f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jun 2020 22:47:30 +0200
+Subject: scsi: cumana_2: Fix different dev_id between request_irq() and
+ free_irq()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ]
+
+The dev_id used in request_irq() and free_irq() should match. Use 'info'
+in both cases.
+
+Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/arm/cumana_2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c
+index edce5f3cfdba0..93ba83e3148eb 100644
+--- a/drivers/scsi/arm/cumana_2.c
++++ b/drivers/scsi/arm/cumana_2.c
+@@ -454,7 +454,7 @@ static int cumanascsi2_probe(struct expansion_card *ec,
+
+ if (info->info.scsi.dma != NO_DMA)
+ free_dma(info->info.scsi.dma);
+- free_irq(ec->irq, host);
++ free_irq(ec->irq, info);
+
+ out_release:
+ fas216_release(host);
+--
+2.25.1
+
--- /dev/null
+From bd1c8abc7ad16a5836caa4772abfe94be0876399 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jun 2020 06:05:53 +0200
+Subject: scsi: eesox: Fix different dev_id between request_irq() and
+ free_irq()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ]
+
+The dev_id used in request_irq() and free_irq() should match. Use 'info' in
+both cases.
+
+Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/arm/eesox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c
+index e93e047f43165..65bb34ce93b94 100644
+--- a/drivers/scsi/arm/eesox.c
++++ b/drivers/scsi/arm/eesox.c
+@@ -575,7 +575,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id)
+
+ if (info->info.scsi.dma != NO_DMA)
+ free_dma(info->info.scsi.dma);
+- free_irq(ec->irq, host);
++ free_irq(ec->irq, info);
+
+ out_remove:
+ fas216_remove(host);
+--
+2.25.1
+
--- /dev/null
+From 0a72424e8300b13c10e61c5d736cfb8325a63112 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 09:25:51 +1000
+Subject: scsi: mesh: Fix panic after host or bus reset
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ]
+
+Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus
+results in EH measures and a panic:
+
+[ 25.499838] mesh: configured for synchronous 5 MB/s
+[ 25.787154] mesh: performing initial bus reset...
+[ 29.867115] scsi host0: MESH
+[ 29.929527] mesh: target 0 synchronous at 3.6 MB/s
+[ 29.998763] scsi 0:0:0:0: Direct-Access CONNER CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS
+[ 31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB)
+[ 32.070975] sd 0:0:0:0: [sda] Write Protect is off
+[ 32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08
+[ 32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
+[ 32.332708] sda: [mac] sda1 sda2 sda3
+[ 32.417733] sd 0:0:0:0: [sda] Attached SCSI disk
+... snip ...
+[ 76.687067] mesh_abort((ptrval))
+[ 76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval)
+[ 76.810798] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85
+[ 76.880720] dma stat=84e0 cmdptr=1f73d000
+[ 76.941387] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576
+[ 77.005567] dma_st=1 dma_ct=0 n_msgout=0
+[ 77.065456] target 0: req=(ptrval) goes_out=0 saved_ptr=0
+[ 77.130512] mesh_abort((ptrval))
+[ 77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval)
+[ 77.255594] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85
+[ 77.325778] dma stat=84e0 cmdptr=1f73d000
+[ 77.387239] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576
+[ 77.453665] dma_st=1 dma_ct=0 n_msgout=0
+[ 77.515900] target 0: req=(ptrval) goes_out=0 saved_ptr=0
+[ 77.582902] mesh_host_reset
+[ 88.187083] Kernel panic - not syncing: mesh: double DMA start !
+[ 88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1
+[ 88.323302] Call Trace:
+[ 88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable)
+[ 88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414
+[ 88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70
+[ 88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384
+[ 88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8
+[ 88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178
+[ 88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8
+[ 88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520
+[ 88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8
+[ 88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c
+[ 89.044112] Rebooting in 180 seconds..
+
+In theory, a panic can happen after a bus or host reset with dma_started
+flag set. Fix this by halting the DMA before reinitializing the host.
+Don't assume that ms->current_req is set when halt_dma() is invoked as it
+may not hold for bus or host reset.
+
+BTW, this particular Conner drive can be made to work by inhibiting
+disconnect/reselect with 'mesh.resel_targets=0'.
+
+Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Paul Mackerras <paulus@ozlabs.org>
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mesh.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mesh.c b/drivers/scsi/mesh.c
+index 1753e42826dd9..a880abf5abaad 100644
+--- a/drivers/scsi/mesh.c
++++ b/drivers/scsi/mesh.c
+@@ -1044,6 +1044,8 @@ static void handle_error(struct mesh_state *ms)
+ while ((in_8(&mr->bus_status1) & BS1_RST) != 0)
+ udelay(1);
+ printk("done\n");
++ if (ms->dma_started)
++ halt_dma(ms);
+ handle_reset(ms);
+ /* request_q is empty, no point in mesh_start() */
+ return;
+@@ -1356,7 +1358,8 @@ static void halt_dma(struct mesh_state *ms)
+ ms->conn_tgt, ms->data_ptr, scsi_bufflen(cmd),
+ ms->tgts[ms->conn_tgt].data_goes_out);
+ }
+- scsi_dma_unmap(cmd);
++ if (cmd)
++ scsi_dma_unmap(cmd);
+ ms->dma_started = 0;
+ }
+
+@@ -1711,6 +1714,9 @@ static int mesh_host_reset(struct scsi_cmnd *cmd)
+
+ spin_lock_irqsave(ms->host->host_lock, flags);
+
++ if (ms->dma_started)
++ halt_dma(ms);
++
+ /* Reset the controller & dbdma channel */
+ out_le32(&md->control, (RUN|PAUSE|FLUSH|WAKE) << 16); /* stop dma */
+ out_8(&mr->exception, 0xff); /* clear all exception bits */
+--
+2.25.1
+
--- /dev/null
+From 4c284f172215dcefee8d28949f44a58a9f02b6c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jun 2020 05:59:48 +0200
+Subject: scsi: powertec: Fix different dev_id between request_irq() and
+ free_irq()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ]
+
+The dev_id used in request_irq() and free_irq() should match. Use 'info' in
+both cases.
+
+Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/arm/powertec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/arm/powertec.c b/drivers/scsi/arm/powertec.c
+index 79aa88911b7f3..b5e4a25ea1ef3 100644
+--- a/drivers/scsi/arm/powertec.c
++++ b/drivers/scsi/arm/powertec.c
+@@ -382,7 +382,7 @@ static int powertecscsi_probe(struct expansion_card *ec,
+
+ if (info->info.scsi.dma != NO_DMA)
+ free_dma(info->info.scsi.dma);
+- free_irq(ec->irq, host);
++ free_irq(ec->irq, info);
+
+ out_release:
+ fas216_release(host);
+--
+2.25.1
+
--- /dev/null
+From d9e88d1f6e6027c2837303762b7a4a29fceddcf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jul 2020 20:23:19 +0800
+Subject: scsi: scsi_debug: Add check for sdebug_max_queue during module init
+
+From: John Garry <john.garry@huawei.com>
+
+[ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ]
+
+sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like
+this can be triggered by passing an out-of-range value:
+
+Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
+ pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--)
+ pc : schedule_resp+0x2a4/0xa70 [scsi_debug]
+ lr : schedule_resp+0x52c/0xa70 [scsi_debug]
+ sp : ffff800022ab36f0
+ x29: ffff800022ab36f0 x28: ffff0023a935a610
+ x27: ffff800008e0a648 x26: 0000000000000003
+ x25: ffff0023e84f3200 x24: 00000000003d0900
+ x23: 0000000000000000 x22: 0000000000000000
+ x21: ffff0023be60a320 x20: ffff0023be60b538
+ x19: ffff800008e13000 x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000
+ x15: 0000000000000000 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000
+ x9 : 0000000000000001 x8 : 0000000000000000
+ x7 : 0000000000000000 x6 : 00000000000000c1
+ x5 : 0000020000200000 x4 : dead0000000000ff
+ x3 : 0000000000000200 x2 : 0000000000000200
+ x1 : ffff800008e13d88 x0 : 0000000000000000
+ Call trace:
+schedule_resp+0x2a4/0xa70 [scsi_debug]
+scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug]
+scsi_queue_rq+0x698/0x840
+__blk_mq_try_issue_directly+0x108/0x228
+blk_mq_request_issue_directly+0x58/0x98
+blk_mq_try_issue_list_directly+0x5c/0xf0
+blk_mq_sched_insert_requests+0x18c/0x200
+blk_mq_flush_plug_list+0x11c/0x190
+blk_flush_plug_list+0xdc/0x110
+blk_finish_plug+0x38/0x210
+blkdev_direct_IO+0x450/0x4d8
+generic_file_read_iter+0x84/0x180
+blkdev_read_iter+0x3c/0x50
+aio_read+0xc0/0x170
+io_submit_one+0x5c8/0xc98
+__arm64_sys_io_submit+0x1b0/0x258
+el0_svc_common.constprop.3+0x68/0x170
+do_el0_svc+0x24/0x90
+el0_sync_handler+0x13c/0x1a8
+el0_sync+0x158/0x180
+ Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340)
+
+In addition, it should not be less than 1.
+
+So add checks for these, and fail the module init for those cases.
+
+[mkp: changed if condition to match error message]
+
+Link: https://lore.kernel.org/r/1594297400-24756-2-git-send-email-john.garry@huawei.com
+Fixes: c483739430f1 ("scsi_debug: add multiple queue support")
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index d7118d3767c35..99bfb003be3fc 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -4986,6 +4986,12 @@ static int __init scsi_debug_init(void)
+ pr_err("submit_queues must be 1 or more\n");
+ return -EINVAL;
+ }
++
++ if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue < 1)) {
++ pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE);
++ return -EINVAL;
++ }
++
+ sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue),
+ GFP_KERNEL);
+ if (sdebug_q_arr == NULL)
+--
+2.25.1
+
--- /dev/null
+From c477625bb0166b6f862b4be9ea1f4e0bfa682e53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2020 13:44:23 +0530
+Subject: selftests/powerpc: Fix CPU affinity for child process
+
+From: Harish <harish@linux.ibm.com>
+
+[ Upstream commit 854eb5022be04f81e318765f089f41a57c8e5d83 ]
+
+On systems with large number of cpus, test fails trying to set
+affinity by calling sched_setaffinity() with smaller size for affinity
+mask. This patch fixes it by making sure that the size of allocated
+affinity mask is dependent on the number of CPUs as reported by
+get_nprocs().
+
+Fixes: 00b7ec5c9cf3 ("selftests/powerpc: Import Anton's context_switch2 benchmark")
+Reported-by: Shirisha Ganta <shiganta@in.ibm.com>
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Signed-off-by: Harish <harish@linux.ibm.com>
+Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Reviewed-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200609081423.529664-1-harish@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../powerpc/benchmarks/context_switch.c | 21 ++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/benchmarks/context_switch.c b/tools/testing/selftests/powerpc/benchmarks/context_switch.c
+index a36883ad48a45..4b4d2ce912566 100644
+--- a/tools/testing/selftests/powerpc/benchmarks/context_switch.c
++++ b/tools/testing/selftests/powerpc/benchmarks/context_switch.c
+@@ -22,6 +22,7 @@
+ #include <limits.h>
+ #include <sys/time.h>
+ #include <sys/syscall.h>
++#include <sys/sysinfo.h>
+ #include <sys/types.h>
+ #include <sys/shm.h>
+ #include <linux/futex.h>
+@@ -97,8 +98,9 @@ static void start_thread_on(void *(*fn)(void *), void *arg, unsigned long cpu)
+
+ static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu)
+ {
+- int pid;
+- cpu_set_t cpuset;
++ int pid, ncpus;
++ cpu_set_t *cpuset;
++ size_t size;
+
+ pid = fork();
+ if (pid == -1) {
+@@ -109,14 +111,23 @@ static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu)
+ if (pid)
+ return;
+
+- CPU_ZERO(&cpuset);
+- CPU_SET(cpu, &cpuset);
++ ncpus = get_nprocs();
++ size = CPU_ALLOC_SIZE(ncpus);
++ cpuset = CPU_ALLOC(ncpus);
++ if (!cpuset) {
++ perror("malloc");
++ exit(1);
++ }
++ CPU_ZERO_S(size, cpuset);
++ CPU_SET_S(cpu, size, cpuset);
+
+- if (sched_setaffinity(0, sizeof(cpuset), &cpuset)) {
++ if (sched_setaffinity(0, size, cpuset)) {
+ perror("sched_setaffinity");
++ CPU_FREE(cpuset);
+ exit(1);
+ }
+
++ CPU_FREE(cpuset);
+ fn(arg);
+
+ exit(0);
+--
+2.25.1
+
--- /dev/null
+From ce6bf62907ffdc8e48799ffa2c3a23cc5768e6c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 10:38:46 +0530
+Subject: selftests/powerpc: Fix online CPU selection
+
+From: Sandipan Das <sandipan@linux.ibm.com>
+
+[ Upstream commit dfa03fff86027e58c8dba5c03ae68150d4e513ad ]
+
+The size of the CPU affinity mask must be large enough for
+systems with a very large number of CPUs. Otherwise, tests
+which try to determine the first online CPU by calling
+sched_getaffinity() will fail. This makes sure that the size
+of the allocated affinity mask is dependent on the number of
+CPUs as reported by get_nprocs_conf().
+
+Fixes: 3752e453f6ba ("selftests/powerpc: Add tests of PMU EBBs")
+Reported-by: Shirisha Ganta <shiganta@in.ibm.com>
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/a408c4b8e9a23bb39b539417a21eb0ff47bb5127.1596084858.git.sandipan@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/utils.c | 37 +++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/utils.c b/tools/testing/selftests/powerpc/utils.c
+index dcf74184bfd0a..bafb70d0ee264 100644
+--- a/tools/testing/selftests/powerpc/utils.c
++++ b/tools/testing/selftests/powerpc/utils.c
+@@ -12,6 +12,7 @@
+ #include <sched.h>
+ #include <stdio.h>
+ #include <sys/stat.h>
++#include <sys/sysinfo.h>
+ #include <sys/types.h>
+ #include <unistd.h>
+
+@@ -62,26 +63,38 @@ void *get_auxv_entry(int type)
+
+ int pick_online_cpu(void)
+ {
+- cpu_set_t mask;
+- int cpu;
++ int ncpus, cpu = -1;
++ cpu_set_t *mask;
++ size_t size;
++
++ ncpus = get_nprocs_conf();
++ size = CPU_ALLOC_SIZE(ncpus);
++ mask = CPU_ALLOC(ncpus);
++ if (!mask) {
++ perror("malloc");
++ return -1;
++ }
+
+- CPU_ZERO(&mask);
++ CPU_ZERO_S(size, mask);
+
+- if (sched_getaffinity(0, sizeof(mask), &mask)) {
++ if (sched_getaffinity(0, size, mask)) {
+ perror("sched_getaffinity");
+- return -1;
++ goto done;
+ }
+
+ /* We prefer a primary thread, but skip 0 */
+- for (cpu = 8; cpu < CPU_SETSIZE; cpu += 8)
+- if (CPU_ISSET(cpu, &mask))
+- return cpu;
++ for (cpu = 8; cpu < ncpus; cpu += 8)
++ if (CPU_ISSET_S(cpu, size, mask))
++ goto done;
+
+ /* Search for anything, but in reverse */
+- for (cpu = CPU_SETSIZE - 1; cpu >= 0; cpu--)
+- if (CPU_ISSET(cpu, &mask))
+- return cpu;
++ for (cpu = ncpus - 1; cpu >= 0; cpu--)
++ if (CPU_ISSET_S(cpu, size, mask))
++ goto done;
+
+ printf("No cpus in affinity mask?!\n");
+- return -1;
++
++done:
++ CPU_FREE(mask);
++ return cpu;
+ }
+--
+2.25.1
+
tracepoint-mark-__tracepoint_string-s-__used.patch
gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch
cgroup-add-missing-skcd-no_refcnt-check-in-cgroup_sk.patch
+edac-fix-reference-count-leaks.patch
+arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch
+arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch
+m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch
+m68k-mac-fix-iop-status-control-register-writes.patch
+platform-x86-intel-hid-fix-return-value-check-in-che.patch
+platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch
+arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch
+arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch
+drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch
+bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch
+fs-btrfs-add-cond_resched-for-try_release_extent_map.patch
+drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch
+video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch
+md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch
+drm-nouveau-fix-multiple-instances-of-reference-coun.patch
+drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch
+mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch
+brcmfmac-to-fix-bss-info-flag-definition-bug.patch
+iwlegacy-check-the-return-value-of-pcie_capability_r.patch
+usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch
+bdc-fix-bug-causing-crash-after-multiple-disconnects.patch
+dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch
+bcache-fix-super-block-seq-numbers-comparision-in-re.patch
+acpica-do-not-increment-operation_region-reference-c.patch
+agp-intel-fix-a-memory-leak-on-module-initialisation.patch
+video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch
+console-newport_con-fix-an-issue-about-leak-related-.patch
+video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch
+iio-improve-iio_concentration-channel-type-descripti.patch
+leds-lm355x-avoid-enum-conversion-warning.patch
+media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch
+scsi-cumana_2-fix-different-dev_id-between-request_i.patch
+drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch
+cxl-fix-kobject-memleak.patch
+drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch
+scsi-powertec-fix-different-dev_id-between-request_i.patch
+scsi-eesox-fix-different-dev_id-between-request_irq-.patch
+media-firewire-using-uninitialized-values-in-node_pr.patch
+media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch
+xfs-fix-reflink-quota-reservation-accounting-error.patch
+pci-fix-pci_cfg_wait-queue-locking-problem.patch
+leds-core-flush-scheduled-work-for-system-suspend.patch
+drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch
+scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch
+mwifiex-prevent-memory-corruption-handling-keys.patch
+powerpc-vdso-fix-vdso-cpu-truncation.patch
+staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch
+pci-aspm-add-missing-newline-in-sysfs-policy.patch
+drm-imx-tve-fix-regulator_disable-error-path.patch
+usb-serial-iuu_phoenix-fix-led-activity-helpers.patch
+usb-dwc2-fix-error-path-in-gadget-registration.patch
+scsi-mesh-fix-panic-after-host-or-bus-reset.patch
+smack-fix-another-vsscanf-out-of-bounds.patch
+smack-prevent-underflow-in-smk_set_cipso.patch
+power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch
+selftests-powerpc-fix-cpu-affinity-for-child-process.patch
+selftests-powerpc-fix-online-cpu-selection.patch
+s390-qeth-don-t-process-empty-bridge-port-events.patch
+wl1251-fix-always-return-0-error.patch
+net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch
+fsl-fman-use-32-bit-unsigned-integer.patch
+fsl-fman-fix-dereference-null-return-value.patch
+fsl-fman-fix-unreachable-code.patch
+fsl-fman-check-dereferencing-null-pointer.patch
+fsl-fman-fix-eth-hash-table-allocation.patch
+dlm-fix-kobject-memleak.patch
+pinctrl-single-fix-pcs_parse_pinconf-return-value.patch
--- /dev/null
+From c828c4117f59bbfb6328fb3df92b05ff717a49ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 18:22:19 +0300
+Subject: Smack: fix another vsscanf out of bounds
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ]
+
+This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in
+vsscanf") where we added a bounds check on "rule".
+
+Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com
+Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 2bfec47b8d5c5..2eba7c1e66630 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -928,6 +928,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+
+ for (i = 0; i < catlen; i++) {
+ rule += SMK_DIGITLEN;
++ if (rule > data + count) {
++ rc = -EOVERFLOW;
++ goto out;
++ }
+ ret = sscanf(rule, "%u", &cat);
+ if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
+ goto out;
+--
+2.25.1
+
--- /dev/null
+From 20e0f876bc65964aa61c7fb37068358be5b4eb1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 18:23:05 +0300
+Subject: Smack: prevent underflow in smk_set_cipso()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ]
+
+We have an upper bound on "maplevel" but forgot to check for negative
+values.
+
+Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 2eba7c1e66630..4aecdc8f74b2a 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -907,7 +907,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ }
+
+ ret = sscanf(rule, "%d", &maplevel);
+- if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
++ if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL)
+ goto out;
+
+ rule += SMK_DIGITLEN;
+--
+2.25.1
+
--- /dev/null
+From a978447b446427868bc22fc20d840077d3c6385e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jul 2020 16:47:20 +0100
+Subject: staging: rtl8192u: fix a dubious looking mask before a shift
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 ]
+
+Currently the masking of ret with 0xff and followed by a right shift
+of 8 bits always leaves a zero result. It appears the mask of 0xff
+is incorrect and should be 0xff00, but I don't have the hardware to
+test this. Fix this to mask the upper 8 bits before shifting.
+
+[ Not tested ]
+
+Addresses-Coverity: ("Operands don't affect result")
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20200716154720.1710252-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c
+index 6ec3790566504..fa4c47c7d2166 100644
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -2522,7 +2522,7 @@ static int rtl8192_read_eeprom_info(struct net_device *dev)
+ ret = eprom_read(dev, (EEPROM_TxPwIndex_CCK >> 1));
+ if (ret < 0)
+ return ret;
+- priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff) >> 8;
++ priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff00) >> 8;
+ } else
+ priv->EEPROMTxPowerLevelCCK = 0x10;
+ RT_TRACE(COMP_EPROM, "CCK Tx Power Levl: 0x%02x\n", priv->EEPROMTxPowerLevelCCK);
+--
+2.25.1
+
--- /dev/null
+From fe0c8ba690088e5ad7e78a33a2eca630adbe95b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jul 2020 14:09:48 +0200
+Subject: usb: dwc2: Fix error path in gadget registration
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ]
+
+When gadget registration fails, one should not call usb_del_gadget_udc().
+Ensure this by setting gadget->udc to NULL. Also in case of a failure
+there is no need to disable low-level hardware, so return immiedetly
+instead of jumping to error_init label.
+
+This fixes the following kernel NULL ptr dereference on gadget failure
+(can be easily triggered with g_mass_storage without any module
+parameters):
+
+dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1
+dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024
+dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM
+Mass Storage Function, version: 2009/09/11
+LUN: removable file: (no medium)
+no file given for LUN0
+g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22
+8<--- cut here ---
+Unable to handle kernel NULL pointer dereference at virtual address 00000104
+pgd = (ptrval)
+[00000104] *pgd=00000000
+Internal error: Oops: 805 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133
+Hardware name: Samsung Exynos (Flattened Device Tree)
+Workqueue: events deferred_probe_work_func
+PC is at usb_del_gadget_udc+0x38/0xc4
+LR is at __mutex_lock+0x31c/0xb18
+...
+Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval))
+Stack: (0xef121db0 to 0xef122000)
+...
+[<c076bf3c>] (usb_del_gadget_udc) from [<c0726bec>] (dwc2_hsotg_remove+0x10/0x20)
+[<c0726bec>] (dwc2_hsotg_remove) from [<c0711208>] (dwc2_driver_probe+0x57c/0x69c)
+[<c0711208>] (dwc2_driver_probe) from [<c06247c0>] (platform_drv_probe+0x6c/0xa4)
+[<c06247c0>] (platform_drv_probe) from [<c0621df4>] (really_probe+0x200/0x48c)
+[<c0621df4>] (really_probe) from [<c06221e8>] (driver_probe_device+0x78/0x1fc)
+[<c06221e8>] (driver_probe_device) from [<c061fcd4>] (bus_for_each_drv+0x74/0xb8)
+[<c061fcd4>] (bus_for_each_drv) from [<c0621b54>] (__device_attach+0xd4/0x16c)
+[<c0621b54>] (__device_attach) from [<c0620c98>] (bus_probe_device+0x88/0x90)
+[<c0620c98>] (bus_probe_device) from [<c06211b0>] (deferred_probe_work_func+0x3c/0xd0)
+[<c06211b0>] (deferred_probe_work_func) from [<c0149280>] (process_one_work+0x234/0x7dc)
+[<c0149280>] (process_one_work) from [<c014986c>] (worker_thread+0x44/0x51c)
+[<c014986c>] (worker_thread) from [<c0150b1c>] (kthread+0x158/0x1a0)
+[<c0150b1c>] (kthread) from [<c0100114>] (ret_from_fork+0x14/0x20)
+Exception stack(0xef121fb0 to 0xef121ff8)
+...
+---[ end trace 9724c2fc7cc9c982 ]---
+
+While fixing this also fix the double call to dwc2_lowlevel_hw_disable()
+if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level
+hardware is already disabled before calling usb_add_gadget_udc(). That
+function correctly preserves low-level hardware state, there is no need
+for the second unconditional dwc2_lowlevel_hw_disable() call.
+
+Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver")
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/platform.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
+index 38926495c751d..f985315ebd3bd 100644
+--- a/drivers/usb/dwc2/platform.c
++++ b/drivers/usb/dwc2/platform.c
+@@ -668,6 +668,7 @@ static int dwc2_driver_probe(struct platform_device *dev)
+ if (hsotg->gadget_enabled) {
+ retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget);
+ if (retval) {
++ hsotg->gadget.udc = NULL;
+ dwc2_hsotg_remove(hsotg);
+ goto error;
+ }
+@@ -676,7 +677,8 @@ static int dwc2_driver_probe(struct platform_device *dev)
+ return 0;
+
+ error:
+- dwc2_lowlevel_hw_disable(hsotg);
++ if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL)
++ dwc2_lowlevel_hw_disable(hsotg);
+ return retval;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 648c8a5c680d80812a0ae92114a93476d25e1723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 23:15:58 +0300
+Subject: usb: gadget: net2280: fix memory leak on probe error handling paths
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ]
+
+Driver does not release memory for device on error handling paths in
+net2280_probe() when gadget_release() is not registered yet.
+
+The patch fixes the bug like in other similar drivers.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
+index dfaed8e8cc524..c8c45264e94cc 100644
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -3785,8 +3785,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ return 0;
+
+ done:
+- if (dev)
++ if (dev) {
+ net2280_remove(pdev);
++ kfree(dev);
++ }
+ return retval;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From fc748a2cbe3c492dec5f9e2abc250fb0a73b5be7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jul 2020 10:50:55 +0200
+Subject: USB: serial: iuu_phoenix: fix led-activity helpers
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c ]
+
+The set-led command is eight bytes long and starts with a command byte
+followed by six bytes of RGB data and ends with a byte encoding a
+frequency (see iuu_led() and iuu_rgbf_fill_buffer()).
+
+The led activity helpers had a few long-standing bugs which corrupted
+the command packets by inserting a second command byte and thereby
+offsetting the RGB data and dropping the frequency in non-xmas mode.
+
+In xmas mode, a related off-by-one error left the frequency field
+uninitialised.
+
+Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver")
+Reported-by: George Spelvin <lkml@sdf.org>
+Link: https://lore.kernel.org/r/20200716085056.31471-1-johan@kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/iuu_phoenix.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
+index d6ac1f472b779..bdeb2b2489549 100644
+--- a/drivers/usb/serial/iuu_phoenix.c
++++ b/drivers/usb/serial/iuu_phoenix.c
+@@ -369,10 +369,11 @@ static void iuu_led_activity_on(struct urb *urb)
+ struct usb_serial_port *port = urb->context;
+ int result;
+ char *buf_ptr = port->write_urb->transfer_buffer;
+- *buf_ptr++ = IUU_SET_LED;
++
+ if (xmas) {
+- get_random_bytes(buf_ptr, 6);
+- *(buf_ptr+7) = 1;
++ buf_ptr[0] = IUU_SET_LED;
++ get_random_bytes(buf_ptr + 1, 6);
++ buf_ptr[7] = 1;
+ } else {
+ iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255);
+ }
+@@ -390,13 +391,14 @@ static void iuu_led_activity_off(struct urb *urb)
+ struct usb_serial_port *port = urb->context;
+ int result;
+ char *buf_ptr = port->write_urb->transfer_buffer;
++
+ if (xmas) {
+ iuu_rxcmd(urb);
+ return;
+- } else {
+- *buf_ptr++ = IUU_SET_LED;
+- iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255);
+ }
++
++ iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255);
++
+ usb_fill_bulk_urb(port->write_urb, port->serial->dev,
+ usb_sndbulkpipe(port->serial->dev,
+ port->bulk_out_endpointAddress),
+--
+2.25.1
+
--- /dev/null
+From 0a4439a49cdf622f02a73f99d8040b587f615754 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 22:54:51 +0300
+Subject: video: fbdev: neofb: fix memory leak in neo_scan_monitor()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ]
+
+neofb_probe() calls neo_scan_monitor() that can successfully allocate a
+memory for info->monspecs.modedb and proceed to case 0x03. There it does
+not free the memory and returns -1. neofb_probe() goes to label
+err_scan_monitor, thus, it does not free this memory through calling
+fb_destroy_modedb() as well. We can not go to label err_init_hw since
+neo_scan_monitor() can fail during memory allocation. So, the patch frees
+the memory directly for case 0x03.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/neofb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c
+index db023a97d1eae..e243254a57214 100644
+--- a/drivers/video/fbdev/neofb.c
++++ b/drivers/video/fbdev/neofb.c
+@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info)
+ #else
+ printk(KERN_ERR
+ "neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n");
++ kfree(info->monspecs.modedb);
+ return -1;
+ #endif
+ default:
+--
+2.25.1
+
--- /dev/null
+From 13bf93a41f69760a9a0193c7ed95356e24331a0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 00:07:19 +0800
+Subject: video: fbdev: sm712fb: fix an issue about iounmap for a wrong address
+
+From: Dejin Zheng <zhengdejin5@gmail.com>
+
+[ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ]
+
+the sfb->fb->screen_base is not save the value get by iounmap() when
+the chip id is 0x720. so iounmap() for address sfb->fb->screen_base
+is not right.
+
+Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev")
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Cc: Teddy Wang <teddy.wang@siliconmotion.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sm712fb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c
+index 0d92ff366a7b7..17efcdd4dc99b 100644
+--- a/drivers/video/fbdev/sm712fb.c
++++ b/drivers/video/fbdev/sm712fb.c
+@@ -1428,6 +1428,8 @@ static int smtc_map_smem(struct smtcfb_info *sfb,
+ static void smtc_unmap_smem(struct smtcfb_info *sfb)
+ {
+ if (sfb && sfb->fb->screen_base) {
++ if (sfb->chip_id == 0x720)
++ sfb->fb->screen_base -= 0x00200000;
+ iounmap(sfb->fb->screen_base);
+ sfb->fb->screen_base = NULL;
+ }
+--
+2.25.1
+
--- /dev/null
+From e9060072b1440f2631a73054c5c7883f9a1afd6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 10:45:05 +0200
+Subject: video: pxafb: Fix the function used to balance a
+ 'dma_alloc_coherent()' call
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 499a2c41b954518c372873202d5e7714e22010c4 ]
+
+'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()'
+not 'dma_free_wc()'.
+The correct dma_free_ function is already used in the error handling path
+of the probe function.
+
+Fixes: 77e196752bdd ("[ARM] pxafb: allow video memory size to be configurable")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Jani Nikula <jani.nikula@intel.com>
+cc: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Cc: Eric Miao <eric.miao@marvell.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200429084505.108897-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxafb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c
+index 8503310a38167..7f8b6af29aab4 100644
+--- a/drivers/video/fbdev/pxafb.c
++++ b/drivers/video/fbdev/pxafb.c
+@@ -2447,8 +2447,8 @@ static int pxafb_remove(struct platform_device *dev)
+
+ free_pages_exact(fbi->video_mem, fbi->video_mem_size);
+
+- dma_free_wc(&dev->dev, fbi->dma_buff_size, fbi->dma_buff,
+- fbi->dma_buff_phys);
++ dma_free_coherent(&dev->dev, fbi->dma_buff_size, fbi->dma_buff,
++ fbi->dma_buff_phys);
+
+ iounmap(fbi->mmio_base);
+
+--
+2.25.1
+
--- /dev/null
+From 2dc264bd305dd5868a83a4ff3e3358abe500b151 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 15:39:39 +0800
+Subject: wl1251: fix always return 0 error
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ]
+
+wl1251_event_ps_report() should not always return 0 because
+wl1251_ps_set_mode() may fail. Change it to return 'ret'.
+
+Fixes: f7ad1eed4d4b ("wl1251: retry power save entry")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/event.c b/drivers/net/wireless/ti/wl1251/event.c
+index d0593bc1f1a92..daddeaa66bf4a 100644
+--- a/drivers/net/wireless/ti/wl1251/event.c
++++ b/drivers/net/wireless/ti/wl1251/event.c
+@@ -84,7 +84,7 @@ static int wl1251_event_ps_report(struct wl1251 *wl,
+ break;
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static void wl1251_event_mbox_dump(struct event_mailbox *mbox)
+--
+2.25.1
+
--- /dev/null
+From e0c25157dde96cd3f4cf2f8691c707fb17c9fa7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 14:47:18 -0700
+Subject: xfs: fix reflink quota reservation accounting error
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ]
+
+Quota reservations are supposed to account for the blocks that might be
+allocated due to a bmap btree split. Reflink doesn't do this, so fix
+this to make the quota accounting more accurate before we start
+rearranging things.
+
+Fixes: 862bb360ef56 ("xfs: reflink extents from one file to another")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_reflink.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c
+index 6b753b969f7b8..aa99711a8ff96 100644
+--- a/fs/xfs/xfs_reflink.c
++++ b/fs/xfs/xfs_reflink.c
+@@ -1108,6 +1108,7 @@ xfs_reflink_remap_extent(
+ xfs_filblks_t rlen;
+ xfs_filblks_t unmap_len;
+ xfs_off_t newlen;
++ int64_t qres;
+ int error;
+
+ unmap_len = irec->br_startoff + irec->br_blockcount - destoff;
+@@ -1135,13 +1136,19 @@ xfs_reflink_remap_extent(
+ xfs_ilock(ip, XFS_ILOCK_EXCL);
+ xfs_trans_ijoin(tp, ip, 0);
+
+- /* If we're not just clearing space, then do we have enough quota? */
+- if (real_extent) {
+- error = xfs_trans_reserve_quota_nblks(tp, ip,
+- irec->br_blockcount, 0, XFS_QMOPT_RES_REGBLKS);
+- if (error)
+- goto out_cancel;
+- }
++ /*
++ * Reserve quota for this operation. We don't know if the first unmap
++ * in the dest file will cause a bmap btree split, so we always reserve
++ * at least enough blocks for that split. If the extent being mapped
++ * in is written, we need to reserve quota for that too.
++ */
++ qres = XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK);
++ if (real_extent)
++ qres += irec->br_blockcount;
++ error = xfs_trans_reserve_quota_nblks(tp, ip, qres, 0,
++ XFS_QMOPT_RES_REGBLKS);
++ if (error)
++ goto out_cancel;
+
+ trace_xfs_reflink_remap(ip, irec->br_startoff,
+ irec->br_blockcount, irec->br_startblock);
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
