--- /dev/null
+From 4d8d6c67a042c3ec1ad9ce90b6b9ace1dec2bf87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 08:09:51 -0800
+Subject: blkcg: make blkcg_print_stat() print stats only for online blkgs
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit b0814361a25cba73a224548843ed92d8ea78715a ]
+
+blkcg_print_stat() iterates blkgs under RCU and doesn't test whether
+the blkg is online. This can call into pd_stat_fn() on a pd which is
+still being initialized leading to an oops.
+
+The heaviest operation - recursively summing up rwstat counters - is
+already done while holding the queue_lock. Expand queue_lock to cover
+the other operations and skip the blkg if it isn't online yet. The
+online state is protected by both blkcg and queue locks, so this
+guarantees that only online blkgs are processed.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Roman Gushchin <guro@fb.com>
+Cc: Josef Bacik <jbacik@fb.com>
+Fixes: 903d23f0a354 ("blk-cgroup: allow controllers to output their own stats")
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-cgroup.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index 5275241346930..a06547fe6f6b4 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -955,9 +955,14 @@ static int blkcg_print_stat(struct seq_file *sf, void *v)
+ int i;
+ bool has_stats = false;
+
++ spin_lock_irq(blkg->q->queue_lock);
++
++ if (!blkg->online)
++ goto skip;
++
+ dname = blkg_dev_name(blkg);
+ if (!dname)
+- continue;
++ goto skip;
+
+ /*
+ * Hooray string manipulation, count is the size written NOT
+@@ -967,8 +972,6 @@ static int blkcg_print_stat(struct seq_file *sf, void *v)
+ */
+ off += scnprintf(buf+off, size-off, "%s ", dname);
+
+- spin_lock_irq(blkg->q->queue_lock);
+-
+ rwstat = blkg_rwstat_recursive_sum(blkg, NULL,
+ offsetof(struct blkcg_gq, stat_bytes));
+ rbytes = atomic64_read(&rwstat.aux_cnt[BLKG_RWSTAT_READ]);
+@@ -981,8 +984,6 @@ static int blkcg_print_stat(struct seq_file *sf, void *v)
+ wios = atomic64_read(&rwstat.aux_cnt[BLKG_RWSTAT_WRITE]);
+ dios = atomic64_read(&rwstat.aux_cnt[BLKG_RWSTAT_DISCARD]);
+
+- spin_unlock_irq(blkg->q->queue_lock);
+-
+ if (rbytes || wbytes || rios || wios) {
+ has_stats = true;
+ off += scnprintf(buf+off, size-off,
+@@ -1023,6 +1024,8 @@ next:
+ seq_commit(sf, -1);
+ }
+ }
++ skip:
++ spin_unlock_irq(blkg->q->queue_lock);
+ }
+
+ rcu_read_unlock();
+--
+2.20.1
+
--- /dev/null
+From a61f07688d3d512a5cc10d378f3eff0606ce06b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 18:47:52 +0000
+Subject: bonding: fix unexpected IFF_BONDING bit unset
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 65de65d9033750d2cf1b336c9d6e9da3a8b5cc6e ]
+
+The IFF_BONDING means bonding master or bonding slave device.
+->ndo_add_slave() sets IFF_BONDING flag and ->ndo_del_slave() unsets
+IFF_BONDING flag.
+
+bond0<--bond1
+
+Both bond0 and bond1 are bonding device and these should keep having
+IFF_BONDING flag until they are removed.
+But bond1 would lose IFF_BONDING at ->ndo_del_slave() because that routine
+do not check whether the slave device is the bonding type or not.
+This patch adds the interface type check routine before removing
+IFF_BONDING flag.
+
+Test commands:
+ ip link add bond0 type bond
+ ip link add bond1 type bond
+ ip link set bond1 master bond0
+ ip link set bond1 nomaster
+ ip link del bond1 type bond
+ ip link add bond1 type bond
+
+Splat looks like:
+[ 226.665555] proc_dir_entry 'bonding/bond1' already registered
+[ 226.666440] WARNING: CPU: 0 PID: 737 at fs/proc/generic.c:361 proc_register+0x2a9/0x3e0
+[ 226.667571] Modules linked in: bonding af_packet sch_fq_codel ip_tables x_tables unix
+[ 226.668662] CPU: 0 PID: 737 Comm: ip Not tainted 5.4.0-rc3+ #96
+[ 226.669508] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 226.670652] RIP: 0010:proc_register+0x2a9/0x3e0
+[ 226.671612] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 39 01 00 00 48 8b 04 24 48 89 ea 48 c7 c7 a0 0b 14 9f 48 8b b0 e
+0 00 00 00 e8 07 e7 88 ff <0f> 0b 48 c7 c7 40 2d a5 9f e8 59 d6 23 01 48 8b 4c 24 10 48 b8 00
+[ 226.675007] RSP: 0018:ffff888050e17078 EFLAGS: 00010282
+[ 226.675761] RAX: dffffc0000000008 RBX: ffff88805fdd0f10 RCX: ffffffff9dd344e2
+[ 226.676757] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806c9f6b8c
+[ 226.677751] RBP: ffff8880507160f3 R08: ffffed100d940019 R09: ffffed100d940019
+[ 226.678761] R10: 0000000000000001 R11: ffffed100d940018 R12: ffff888050716008
+[ 226.679757] R13: ffff8880507160f2 R14: dffffc0000000000 R15: ffffed100a0e2c1e
+[ 226.680758] FS: 00007fdc217cc0c0(0000) GS:ffff88806c800000(0000) knlGS:0000000000000000
+[ 226.681886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 226.682719] CR2: 00007f49313424d0 CR3: 0000000050e46001 CR4: 00000000000606f0
+[ 226.683727] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 226.684725] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 226.685681] Call Trace:
+[ 226.687089] proc_create_seq_private+0xb3/0xf0
+[ 226.687778] bond_create_proc_entry+0x1b3/0x3f0 [bonding]
+[ 226.691458] bond_netdev_event+0x433/0x970 [bonding]
+[ 226.692139] ? __module_text_address+0x13/0x140
+[ 226.692779] notifier_call_chain+0x90/0x160
+[ 226.693401] register_netdevice+0x9b3/0xd80
+[ 226.694010] ? alloc_netdev_mqs+0x854/0xc10
+[ 226.694629] ? netdev_change_features+0xa0/0xa0
+[ 226.695278] ? rtnl_create_link+0x2ed/0xad0
+[ 226.695849] bond_newlink+0x2a/0x60 [bonding]
+[ 226.696422] __rtnl_newlink+0xb9f/0x11b0
+[ 226.696968] ? rtnl_link_unregister+0x220/0x220
+[ ... ]
+
+Fixes: 0b680e753724 ("[PATCH] bonding: Add priv_flag to avoid event mishandling")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 136a972ea903a..9b8143dca5123 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1798,7 +1798,8 @@ err_detach:
+ slave_disable_netpoll(new_slave);
+
+ err_close:
+- slave_dev->priv_flags &= ~IFF_BONDING;
++ if (!netif_is_bond_master(slave_dev))
++ slave_dev->priv_flags &= ~IFF_BONDING;
+ dev_close(slave_dev);
+
+ err_restore_mac:
+@@ -2004,7 +2005,8 @@ static int __bond_release_one(struct net_device *bond_dev,
+ else
+ dev_set_mtu(slave_dev, slave->original_mtu);
+
+- slave_dev->priv_flags &= ~IFF_BONDING;
++ if (!netif_is_bond_master(slave_dev))
++ slave_dev->priv_flags &= ~IFF_BONDING;
+
+ bond_free_slave(slave);
+
+--
+2.20.1
+
--- /dev/null
+From f45f3cd6c1c1bb30625cb5f640525ac779c24934 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 17:11:30 +0800
+Subject: dmaengine: sprd: Fix the possible memory leak issue
+
+From: Baolin Wang <baolin.wang@linaro.org>
+
+[ Upstream commit ec1ac309596a7bdf206743b092748205f6cd5720 ]
+
+If we terminate the channel to free all descriptors associated with this
+channel, we will leak the memory of current descriptor if the current
+descriptor is not completed, since it had been deteled from the desc_issued
+list and have not been added into the desc_completed list.
+
+Thus we should check if current descriptor is completed or not, when freeing
+the descriptors associated with one channel, if not, we should free it to
+avoid this issue.
+
+Fixes: 9b3b8171f7f4 ("dmaengine: sprd: Add Spreadtrum DMA driver")
+Reported-by: Zhenfang Wang <zhenfang.wang@unisoc.com>
+Tested-by: Zhenfang Wang <zhenfang.wang@unisoc.com>
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Link: https://lore.kernel.org/r/170dbbc6d5366b6fa974ce2d366652e23a334251.1570609788.git.baolin.wang@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/sprd-dma.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
+index 1ed1c7efa2885..9e8ce56a83d8a 100644
+--- a/drivers/dma/sprd-dma.c
++++ b/drivers/dma/sprd-dma.c
+@@ -181,6 +181,7 @@ struct sprd_dma_dev {
+ struct sprd_dma_chn channels[0];
+ };
+
++static void sprd_dma_free_desc(struct virt_dma_desc *vd);
+ static bool sprd_dma_filter_fn(struct dma_chan *chan, void *param);
+ static struct of_dma_filter_info sprd_dma_info = {
+ .filter_fn = sprd_dma_filter_fn,
+@@ -493,12 +494,19 @@ static int sprd_dma_alloc_chan_resources(struct dma_chan *chan)
+ static void sprd_dma_free_chan_resources(struct dma_chan *chan)
+ {
+ struct sprd_dma_chn *schan = to_sprd_dma_chan(chan);
++ struct virt_dma_desc *cur_vd = NULL;
+ unsigned long flags;
+
+ spin_lock_irqsave(&schan->vc.lock, flags);
++ if (schan->cur_desc)
++ cur_vd = &schan->cur_desc->vd;
++
+ sprd_dma_stop(schan);
+ spin_unlock_irqrestore(&schan->vc.lock, flags);
+
++ if (cur_vd)
++ sprd_dma_free_desc(cur_vd);
++
+ vchan_free_chan_resources(&schan->vc);
+ pm_runtime_put(chan->device->dev);
+ }
+@@ -814,15 +822,22 @@ static int sprd_dma_resume(struct dma_chan *chan)
+ static int sprd_dma_terminate_all(struct dma_chan *chan)
+ {
+ struct sprd_dma_chn *schan = to_sprd_dma_chan(chan);
++ struct virt_dma_desc *cur_vd = NULL;
+ unsigned long flags;
+ LIST_HEAD(head);
+
+ spin_lock_irqsave(&schan->vc.lock, flags);
++ if (schan->cur_desc)
++ cur_vd = &schan->cur_desc->vd;
++
+ sprd_dma_stop(schan);
+
+ vchan_get_all_descriptors(&schan->vc, &head);
+ spin_unlock_irqrestore(&schan->vc.lock, flags);
+
++ if (cur_vd)
++ sprd_dma_free_desc(cur_vd);
++
+ vchan_dma_desc_free_list(&schan->vc, &head);
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From b01e87130f5632e0ab17440c78a058ab61022818 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2019 16:20:58 +0530
+Subject: dmaengine: xilinx_dma: Fix control reg update in
+ vdma_channel_set_config
+
+From: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+
+[ Upstream commit 6c6de1ddb1be3840f2ed5cc9d009a622720940c9 ]
+
+In vdma_channel_set_config clear the delay, frame count and master mask
+before updating their new values. It avoids programming incorrect state
+when input parameters are different from default.
+
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+Acked-by: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Link: https://lore.kernel.org/r/1569495060-18117-3-git-send-email-radhey.shyam.pandey@xilinx.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index c124423125951..8aec137b4fcaa 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -72,6 +72,9 @@
+ #define XILINX_DMA_DMACR_CIRC_EN BIT(1)
+ #define XILINX_DMA_DMACR_RUNSTOP BIT(0)
+ #define XILINX_DMA_DMACR_FSYNCSRC_MASK GENMASK(6, 5)
++#define XILINX_DMA_DMACR_DELAY_MASK GENMASK(31, 24)
++#define XILINX_DMA_DMACR_FRAME_COUNT_MASK GENMASK(23, 16)
++#define XILINX_DMA_DMACR_MASTER_MASK GENMASK(11, 8)
+
+ #define XILINX_DMA_REG_DMASR 0x0004
+ #define XILINX_DMA_DMASR_EOL_LATE_ERR BIT(15)
+@@ -2112,8 +2115,10 @@ int xilinx_vdma_channel_set_config(struct dma_chan *dchan,
+ chan->config.gen_lock = cfg->gen_lock;
+ chan->config.master = cfg->master;
+
++ dmacr &= ~XILINX_DMA_DMACR_GENLOCK_EN;
+ if (cfg->gen_lock && chan->genlock) {
+ dmacr |= XILINX_DMA_DMACR_GENLOCK_EN;
++ dmacr &= ~XILINX_DMA_DMACR_MASTER_MASK;
+ dmacr |= cfg->master << XILINX_DMA_DMACR_MASTER_SHIFT;
+ }
+
+@@ -2129,11 +2134,13 @@ int xilinx_vdma_channel_set_config(struct dma_chan *dchan,
+ chan->config.delay = cfg->delay;
+
+ if (cfg->coalesc <= XILINX_DMA_DMACR_FRAME_COUNT_MAX) {
++ dmacr &= ~XILINX_DMA_DMACR_FRAME_COUNT_MASK;
+ dmacr |= cfg->coalesc << XILINX_DMA_DMACR_FRAME_COUNT_SHIFT;
+ chan->config.coalesc = cfg->coalesc;
+ }
+
+ if (cfg->delay <= XILINX_DMA_DMACR_DELAY_MAX) {
++ dmacr &= ~XILINX_DMA_DMACR_DELAY_MASK;
+ dmacr |= cfg->delay << XILINX_DMA_DMACR_DELAY_SHIFT;
+ chan->config.delay = cfg->delay;
+ }
+--
+2.20.1
+
--- /dev/null
+From 839193b3daddcdc191d77c6a2594a66391bdb64b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 11:54:15 -0400
+Subject: drm/amd/display: Passive DP->HDMI dongle detection fix
+
+From: Michael Strauss <michael.strauss@amd.com>
+
+[ Upstream commit bc2fde42e2418808dbfc04de1a6da91d7d31cf1a ]
+
+[WHY]
+i2c_read is called to differentiate passive DP->HDMI and DP->DVI-D dongles
+The call is expected to fail in DVI-D case but pass in HDMI case
+Some HDMI dongles have a chance to fail as well, causing misdetection as DVI-D
+
+[HOW]
+Retry i2c_read to ensure failed result is valid
+
+Signed-off-by: Michael Strauss <michael.strauss@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/core/dc_link_ddc.c | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c
+index 8def0d9fa0ff0..46c9cb47a96e5 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c
+@@ -433,6 +433,7 @@ void dal_ddc_service_i2c_query_dp_dual_mode_adaptor(
+ enum display_dongle_type *dongle = &sink_cap->dongle_type;
+ uint8_t type2_dongle_buf[DP_ADAPTOR_TYPE2_SIZE];
+ bool is_type2_dongle = false;
++ int retry_count = 2;
+ struct dp_hdmi_dongle_signature_data *dongle_signature;
+
+ /* Assume we have no valid DP passive dongle connected */
+@@ -445,13 +446,24 @@ void dal_ddc_service_i2c_query_dp_dual_mode_adaptor(
+ DP_HDMI_DONGLE_ADDRESS,
+ type2_dongle_buf,
+ sizeof(type2_dongle_buf))) {
+- *dongle = DISPLAY_DONGLE_DP_DVI_DONGLE;
+- sink_cap->max_hdmi_pixel_clock = DP_ADAPTOR_DVI_MAX_TMDS_CLK;
++ /* Passive HDMI dongles can sometimes fail here without retrying*/
++ while (retry_count > 0) {
++ if (i2c_read(ddc,
++ DP_HDMI_DONGLE_ADDRESS,
++ type2_dongle_buf,
++ sizeof(type2_dongle_buf)))
++ break;
++ retry_count--;
++ }
++ if (retry_count == 0) {
++ *dongle = DISPLAY_DONGLE_DP_DVI_DONGLE;
++ sink_cap->max_hdmi_pixel_clock = DP_ADAPTOR_DVI_MAX_TMDS_CLK;
+
+- CONN_DATA_DETECT(ddc->link, type2_dongle_buf, sizeof(type2_dongle_buf),
+- "DP-DVI passive dongle %dMhz: ",
+- DP_ADAPTOR_DVI_MAX_TMDS_CLK / 1000);
+- return;
++ CONN_DATA_DETECT(ddc->link, type2_dongle_buf, sizeof(type2_dongle_buf),
++ "DP-DVI passive dongle %dMhz: ",
++ DP_ADAPTOR_DVI_MAX_TMDS_CLK / 1000);
++ return;
++ }
+ }
+
+ /* Check if Type 2 dongle.*/
+--
+2.20.1
+
--- /dev/null
+From e49856fcde4d62bbc4d59b7b2625ddbb6515faaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 15:44:10 -0400
+Subject: drm/amdgpu: If amdgpu_ib_schedule fails return back the error.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+[ Upstream commit 57c0f58e9f562089de5f0b60da103677d232374c ]
+
+Use ERR_PTR to return back the error happened during amdgpu_ib_schedule.
+
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
+index f823d4baf044d..cf582cc46d53e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
+@@ -203,7 +203,7 @@ static struct dma_fence *amdgpu_job_run(struct drm_sched_job *sched_job)
+ struct amdgpu_ring *ring = to_amdgpu_ring(sched_job->sched);
+ struct dma_fence *fence = NULL, *finished;
+ struct amdgpu_job *job;
+- int r;
++ int r = 0;
+
+ job = to_amdgpu_job(sched_job);
+ finished = &job->base.s_fence->finished;
+@@ -228,6 +228,8 @@ static struct dma_fence *amdgpu_job_run(struct drm_sched_job *sched_job)
+ job->fence = dma_fence_get(fence);
+
+ amdgpu_job_free_resources(job);
++
++ fence = r ? ERR_PTR(r) : fence;
+ return fence;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 0ab00c5ccbce70bf0d65c8e3b93015e6e977150c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2019 00:59:21 -0500
+Subject: e1000: fix memory leaks
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 8472ba62154058b64ebb83d5f57259a352d28697 ]
+
+In e1000_set_ringparam(), 'tx_old' and 'rx_old' are not deallocated if
+e1000_up() fails, leading to memory leaks. Refactor the code to fix this
+issue.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index 2569a168334cb..903b0a902cb95 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -607,6 +607,7 @@ static int e1000_set_ringparam(struct net_device *netdev,
+ for (i = 0; i < adapter->num_rx_queues; i++)
+ rxdr[i].count = rxdr->count;
+
++ err = 0;
+ if (netif_running(adapter->netdev)) {
+ /* Try to get new resources before deleting old */
+ err = e1000_setup_all_rx_resources(adapter);
+@@ -627,14 +628,13 @@ static int e1000_set_ringparam(struct net_device *netdev,
+ adapter->rx_ring = rxdr;
+ adapter->tx_ring = txdr;
+ err = e1000_up(adapter);
+- if (err)
+- goto err_setup;
+ }
+ kfree(tx_old);
+ kfree(rx_old);
+
+ clear_bit(__E1000_RESETTING, &adapter->flags);
+- return 0;
++ return err;
++
+ err_setup_tx:
+ e1000_free_all_rx_resources(adapter);
+ err_setup_rx:
+@@ -646,7 +646,6 @@ err_alloc_rx:
+ err_alloc_tx:
+ if (netif_running(adapter->netdev))
+ e1000_up(adapter);
+-err_setup:
+ clear_bit(__E1000_RESETTING, &adapter->flags);
+ return err;
+ }
+--
+2.20.1
+
--- /dev/null
+From 9afd82299c6fe5ea07595cd5ee1de897f1787851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 12:06:02 +0100
+Subject: fjes: Handle workqueue allocation failure
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit 85ac30fa2e24f628e9f4f9344460f4015d33fd7d ]
+
+In the highly unlikely event that we fail to allocate either of the
+"/txrx" or "/control" workqueues, we should bail cleanly rather than
+blindly march on with NULL queue pointer(s) installed in the
+'fjes_adapter' instance.
+
+Cc: "David S. Miller" <davem@davemloft.net>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Link: https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/fjes/fjes_main.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c
+index d3eae12390457..61a9843346ad7 100644
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1252,8 +1252,17 @@ static int fjes_probe(struct platform_device *plat_dev)
+ adapter->open_guard = false;
+
+ adapter->txrx_wq = alloc_workqueue(DRV_NAME "/txrx", WQ_MEM_RECLAIM, 0);
++ if (unlikely(!adapter->txrx_wq)) {
++ err = -ENOMEM;
++ goto err_free_netdev;
++ }
++
+ adapter->control_wq = alloc_workqueue(DRV_NAME "/control",
+ WQ_MEM_RECLAIM, 0);
++ if (unlikely(!adapter->control_wq)) {
++ err = -ENOMEM;
++ goto err_free_txrx_wq;
++ }
+
+ INIT_WORK(&adapter->tx_stall_task, fjes_tx_stall_task);
+ INIT_WORK(&adapter->raise_intr_rxdata_task,
+@@ -1270,7 +1279,7 @@ static int fjes_probe(struct platform_device *plat_dev)
+ hw->hw_res.irq = platform_get_irq(plat_dev, 0);
+ err = fjes_hw_init(&adapter->hw);
+ if (err)
+- goto err_free_netdev;
++ goto err_free_control_wq;
+
+ /* setup MAC address (02:00:00:00:00:[epid])*/
+ netdev->dev_addr[0] = 2;
+@@ -1292,6 +1301,10 @@ static int fjes_probe(struct platform_device *plat_dev)
+
+ err_hw_exit:
+ fjes_hw_exit(&adapter->hw);
++err_free_control_wq:
++ destroy_workqueue(adapter->control_wq);
++err_free_txrx_wq:
++ destroy_workqueue(adapter->txrx_wq);
+ err_free_netdev:
+ free_netdev(netdev);
+ err_out:
+--
+2.20.1
+
--- /dev/null
+From fa479ec42a1d83210b35d6e6253c11fb1a2fe646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 11:17:59 +0800
+Subject: HID: google: add magnemite/masterball USB ids
+
+From: Nicolas Boichat <drinkcat@chromium.org>
+
+[ Upstream commit 9e4dbc4646a84b2562ea7c64a542740687ff7daf ]
+
+Add 2 additional hammer-like devices.
+
+Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-google-hammer.c | 4 ++++
+ drivers/hid/hid-ids.h | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/hid/hid-google-hammer.c b/drivers/hid/hid-google-hammer.c
+index 6bf4da7ad63a5..8cb63ea9977d6 100644
+--- a/drivers/hid/hid-google-hammer.c
++++ b/drivers/hid/hid-google-hammer.c
+@@ -120,6 +120,10 @@ static int hammer_input_configured(struct hid_device *hdev,
+ static const struct hid_device_id hammer_devices[] = {
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_HAMMER) },
++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_MAGNEMITE) },
++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_MASTERBALL) },
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_STAFF) },
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 6b33117ca60e5..02c263a4c0836 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -466,6 +466,8 @@
+ #define USB_DEVICE_ID_GOOGLE_STAFF 0x502b
+ #define USB_DEVICE_ID_GOOGLE_WAND 0x502d
+ #define USB_DEVICE_ID_GOOGLE_WHISKERS 0x5030
++#define USB_DEVICE_ID_GOOGLE_MASTERBALL 0x503c
++#define USB_DEVICE_ID_GOOGLE_MAGNEMITE 0x503d
+
+ #define USB_VENDOR_ID_GOTOP 0x08f2
+ #define USB_DEVICE_ID_SUPER_Q2 0x007f
+--
+2.20.1
+
--- /dev/null
+From 2967bc426577262d020bf379fa68d63e67b6b02a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 08:15:59 +0800
+Subject: HID: intel-ish-hid: fix wrong error handling in
+ ishtp_cl_alloc_tx_ring()
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 16ff7bf6dbcc6f77d2eec1ac9120edf44213c2f1 ]
+
+When allocating tx ring buffers failed, should free tx buffers, not rx buffers.
+
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-ish-hid/ishtp/client-buffers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/intel-ish-hid/ishtp/client-buffers.c b/drivers/hid/intel-ish-hid/ishtp/client-buffers.c
+index b9b917d2d50db..c41dbb167c91b 100644
+--- a/drivers/hid/intel-ish-hid/ishtp/client-buffers.c
++++ b/drivers/hid/intel-ish-hid/ishtp/client-buffers.c
+@@ -90,7 +90,7 @@ int ishtp_cl_alloc_tx_ring(struct ishtp_cl *cl)
+ return 0;
+ out:
+ dev_err(&cl->device->dev, "error in allocating Tx pool\n");
+- ishtp_cl_free_rx_ring(cl);
++ ishtp_cl_free_tx_ring(cl);
+ return -ENOMEM;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 363d33984cd41436393ca844eda67a66cfcb4d3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2019 15:32:13 +0000
+Subject: hv_netvsc: Fix error handling in netvsc_attach()
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit 719b85c336ed35565d0f3982269d6f684087bb00 ]
+
+If rndis_filter_open() fails, we need to remove the rndis device created
+in earlier steps, before returning an error code. Otherwise, the retry of
+netvsc_attach() from its callers will fail and hang.
+
+Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 6f6c0dbd91fc8..b7a71c203aa37 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -993,7 +993,7 @@ static int netvsc_attach(struct net_device *ndev,
+ if (netif_running(ndev)) {
+ ret = rndis_filter_open(nvdev);
+ if (ret)
+- return ret;
++ goto err;
+
+ rdev = nvdev->extension;
+ if (!rdev->link_state)
+@@ -1001,6 +1001,13 @@ static int netvsc_attach(struct net_device *ndev,
+ }
+
+ return 0;
++
++err:
++ netif_device_detach(ndev);
++
++ rndis_filter_device_remove(hdev, nvdev);
++
++ return ret;
+ }
+
+ static int netvsc_set_channels(struct net_device *net,
+--
+2.20.1
+
--- /dev/null
+From 902a399825c7bb3bc97519f8d9958bcb5ea5c65c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2019 13:55:20 -0700
+Subject: igb: Fix constant media auto sense switching when no cable is
+ connected
+
+From: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
+
+[ Upstream commit 8d5cfd7f76a2414e23c74bb8858af7540365d985 ]
+
+At least on the i350 there is an annoying behavior that is maybe also
+present on 82580 devices, but was probably not noticed yet as MAS is not
+widely used.
+
+If no cable is connected on both fiber/copper ports the media auto sense
+code will constantly swap between them as part of the watchdog task and
+produce many unnecessary kernel log messages.
+
+The swap code responsible for this behavior (switching to fiber) should
+not be executed if the current media type is copper and there is no signal
+detected on the fiber port. In this case we can safely wait until the
+AUTOSENSE_EN bit is cleared.
+
+Signed-off-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index ab76a5f77cd0e..36db874f3c928 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -2064,7 +2064,8 @@ static void igb_check_swap_media(struct igb_adapter *adapter)
+ if ((hw->phy.media_type == e1000_media_type_copper) &&
+ (!(connsw & E1000_CONNSW_AUTOSENSE_EN))) {
+ swap_now = true;
+- } else if (!(connsw & E1000_CONNSW_SERDESD)) {
++ } else if ((hw->phy.media_type != e1000_media_type_copper) &&
++ !(connsw & E1000_CONNSW_SERDESD)) {
+ /* copper signal takes time to appear */
+ if (adapter->copper_tries < 4) {
+ adapter->copper_tries++;
+--
+2.20.1
+
--- /dev/null
+From e2eb2be0d3ba0cca1655ddf80a64a50d31ca07d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 14:43:28 +0000
+Subject: iio: imu: inv_mpu6050: fix no data on MPU6050
+
+From: Jean-Baptiste Maneyrol <JManeyrol@invensense.com>
+
+[ Upstream commit 6e82ae6b8d11b948b74e71396efd8e074c415f44 ]
+
+Some chips have a fifo overflow bit issue where the bit is always
+set. The result is that every data is dropped.
+
+Change fifo overflow management by checking fifo count against
+a maximum value.
+
+Add fifo size in chip hardware set of values.
+
+Fixes: f5057e7b2dba ("iio: imu: inv_mpu6050: better fifo overflow handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 9 +++++++++
+ drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 ++
+ drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 15 ++++++++++++---
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+index cb80c9e49fc7b..ea099523e0355 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+@@ -121,54 +121,63 @@ static const struct inv_mpu6050_hw hw_info[] = {
+ .name = "MPU6050",
+ .reg = ®_set_6050,
+ .config = &chip_config_6050,
++ .fifo_size = 1024,
+ },
+ {
+ .whoami = INV_MPU6500_WHOAMI_VALUE,
+ .name = "MPU6500",
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
++ .fifo_size = 512,
+ },
+ {
+ .whoami = INV_MPU6515_WHOAMI_VALUE,
+ .name = "MPU6515",
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
++ .fifo_size = 512,
+ },
+ {
+ .whoami = INV_MPU6000_WHOAMI_VALUE,
+ .name = "MPU6000",
+ .reg = ®_set_6050,
+ .config = &chip_config_6050,
++ .fifo_size = 1024,
+ },
+ {
+ .whoami = INV_MPU9150_WHOAMI_VALUE,
+ .name = "MPU9150",
+ .reg = ®_set_6050,
+ .config = &chip_config_6050,
++ .fifo_size = 1024,
+ },
+ {
+ .whoami = INV_MPU9250_WHOAMI_VALUE,
+ .name = "MPU9250",
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
++ .fifo_size = 512,
+ },
+ {
+ .whoami = INV_MPU9255_WHOAMI_VALUE,
+ .name = "MPU9255",
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
++ .fifo_size = 512,
+ },
+ {
+ .whoami = INV_ICM20608_WHOAMI_VALUE,
+ .name = "ICM20608",
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
++ .fifo_size = 512,
+ },
+ {
+ .whoami = INV_ICM20602_WHOAMI_VALUE,
+ .name = "ICM20602",
+ .reg = ®_set_icm20602,
+ .config = &chip_config_6050,
++ .fifo_size = 1008,
+ },
+ };
+
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
+index bdbaf6e01ce3e..e56c1d191ae46 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
+@@ -108,12 +108,14 @@ struct inv_mpu6050_chip_config {
+ * @name: name of the chip.
+ * @reg: register map of the chip.
+ * @config: configuration of the chip.
++ * @fifo_size: size of the FIFO in bytes.
+ */
+ struct inv_mpu6050_hw {
+ u8 whoami;
+ u8 *name;
+ const struct inv_mpu6050_reg_map *reg;
+ const struct inv_mpu6050_chip_config *config;
++ size_t fifo_size;
+ };
+
+ /*
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c
+index 548e042f7b5bd..4f9c2765aa23f 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c
+@@ -188,9 +188,6 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p)
+ "failed to ack interrupt\n");
+ goto flush_fifo;
+ }
+- /* handle fifo overflow by reseting fifo */
+- if (int_status & INV_MPU6050_BIT_FIFO_OVERFLOW_INT)
+- goto flush_fifo;
+ if (!(int_status & INV_MPU6050_BIT_RAW_DATA_RDY_INT)) {
+ dev_warn(regmap_get_device(st->map),
+ "spurious interrupt with status 0x%x\n", int_status);
+@@ -216,6 +213,18 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p)
+ if (result)
+ goto end_session;
+ fifo_count = get_unaligned_be16(&data[0]);
++
++ /*
++ * Handle fifo overflow by resetting fifo.
++ * Reset if there is only 3 data set free remaining to mitigate
++ * possible delay between reading fifo count and fifo data.
++ */
++ nb = 3 * bytes_per_datum;
++ if (fifo_count >= st->hw->fifo_size - nb) {
++ dev_warn(regmap_get_device(st->map), "fifo overflow reset\n");
++ goto flush_fifo;
++ }
++
+ /* compute and process all complete datum */
+ nb = fifo_count / bytes_per_datum;
+ inv_mpu6050_update_period(st, pf->timestamp, nb);
+--
+2.20.1
+
--- /dev/null
+From 357678950ccea9bff8f402a2857f420427f7a3af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jan 2019 19:50:03 +0100
+Subject: iio: imu: mpu6050: Add support for the ICM 20602 IMU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randolph Maaßen <gaireg@gaireg.de>
+
+[ Upstream commit 22904bdff97839960bd98b3452a583b1daee628b ]
+
+The Invensense ICM-20602 is a 6-axis MotionTracking device that
+combines a 3-axis gyroscope and an 3-axis accelerometer. It is very
+similar to the ICM-20608 imu which is already supported by the mpu6050
+driver. The main difference is that the ICM-20602 has the i2c bus
+disable bit in a separate register.
+
+Signed-off-by: Randolph Maaßen <gaireg@gaireg.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/inv_mpu6050/Kconfig | 8 +++---
+ drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 31 ++++++++++++++++++++++
+ drivers/iio/imu/inv_mpu6050/inv_mpu_i2c.c | 6 +++++
+ drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 8 ++++++
+ drivers/iio/imu/inv_mpu6050/inv_mpu_spi.c | 12 ++++++---
+ 5 files changed, 58 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iio/imu/inv_mpu6050/Kconfig b/drivers/iio/imu/inv_mpu6050/Kconfig
+index 5483b2ea754dd..d2fe9dbddda74 100644
+--- a/drivers/iio/imu/inv_mpu6050/Kconfig
++++ b/drivers/iio/imu/inv_mpu6050/Kconfig
+@@ -13,8 +13,8 @@ config INV_MPU6050_I2C
+ select INV_MPU6050_IIO
+ select REGMAP_I2C
+ help
+- This driver supports the Invensense MPU6050/6500/9150 and ICM20608
+- motion tracking devices over I2C.
++ This driver supports the Invensense MPU6050/6500/9150 and
++ ICM20608/20602 motion tracking devices over I2C.
+ This driver can be built as a module. The module will be called
+ inv-mpu6050-i2c.
+
+@@ -24,7 +24,7 @@ config INV_MPU6050_SPI
+ select INV_MPU6050_IIO
+ select REGMAP_SPI
+ help
+- This driver supports the Invensense MPU6050/6500/9150 and ICM20608
+- motion tracking devices over SPI.
++ This driver supports the Invensense MPU6050/6500/9150 and
++ ICM20608/20602 motion tracking devices over SPI.
+ This driver can be built as a module. The module will be called
+ inv-mpu6050-spi.
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+index d80ef468508a1..cb80c9e49fc7b 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+@@ -37,6 +37,29 @@ static const int gyro_scale_6050[] = {133090, 266181, 532362, 1064724};
+ */
+ static const int accel_scale[] = {598, 1196, 2392, 4785};
+
++static const struct inv_mpu6050_reg_map reg_set_icm20602 = {
++ .sample_rate_div = INV_MPU6050_REG_SAMPLE_RATE_DIV,
++ .lpf = INV_MPU6050_REG_CONFIG,
++ .accel_lpf = INV_MPU6500_REG_ACCEL_CONFIG_2,
++ .user_ctrl = INV_MPU6050_REG_USER_CTRL,
++ .fifo_en = INV_MPU6050_REG_FIFO_EN,
++ .gyro_config = INV_MPU6050_REG_GYRO_CONFIG,
++ .accl_config = INV_MPU6050_REG_ACCEL_CONFIG,
++ .fifo_count_h = INV_MPU6050_REG_FIFO_COUNT_H,
++ .fifo_r_w = INV_MPU6050_REG_FIFO_R_W,
++ .raw_gyro = INV_MPU6050_REG_RAW_GYRO,
++ .raw_accl = INV_MPU6050_REG_RAW_ACCEL,
++ .temperature = INV_MPU6050_REG_TEMPERATURE,
++ .int_enable = INV_MPU6050_REG_INT_ENABLE,
++ .int_status = INV_MPU6050_REG_INT_STATUS,
++ .pwr_mgmt_1 = INV_MPU6050_REG_PWR_MGMT_1,
++ .pwr_mgmt_2 = INV_MPU6050_REG_PWR_MGMT_2,
++ .int_pin_cfg = INV_MPU6050_REG_INT_PIN_CFG,
++ .accl_offset = INV_MPU6500_REG_ACCEL_OFFSET,
++ .gyro_offset = INV_MPU6050_REG_GYRO_OFFSET,
++ .i2c_if = INV_ICM20602_REG_I2C_IF,
++};
++
+ static const struct inv_mpu6050_reg_map reg_set_6500 = {
+ .sample_rate_div = INV_MPU6050_REG_SAMPLE_RATE_DIV,
+ .lpf = INV_MPU6050_REG_CONFIG,
+@@ -57,6 +80,7 @@ static const struct inv_mpu6050_reg_map reg_set_6500 = {
+ .int_pin_cfg = INV_MPU6050_REG_INT_PIN_CFG,
+ .accl_offset = INV_MPU6500_REG_ACCEL_OFFSET,
+ .gyro_offset = INV_MPU6050_REG_GYRO_OFFSET,
++ .i2c_if = 0,
+ };
+
+ static const struct inv_mpu6050_reg_map reg_set_6050 = {
+@@ -77,6 +101,7 @@ static const struct inv_mpu6050_reg_map reg_set_6050 = {
+ .int_pin_cfg = INV_MPU6050_REG_INT_PIN_CFG,
+ .accl_offset = INV_MPU6050_REG_ACCEL_OFFSET,
+ .gyro_offset = INV_MPU6050_REG_GYRO_OFFSET,
++ .i2c_if = 0,
+ };
+
+ static const struct inv_mpu6050_chip_config chip_config_6050 = {
+@@ -139,6 +164,12 @@ static const struct inv_mpu6050_hw hw_info[] = {
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
+ },
++ {
++ .whoami = INV_ICM20602_WHOAMI_VALUE,
++ .name = "ICM20602",
++ .reg = ®_set_icm20602,
++ .config = &chip_config_6050,
++ },
+ };
+
+ int inv_mpu6050_switch_engine(struct inv_mpu6050_state *st, bool en, u32 mask)
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_i2c.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_i2c.c
+index dd758e3d403da..e46eb4ddea210 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_i2c.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_i2c.c
+@@ -127,6 +127,7 @@ static int inv_mpu_probe(struct i2c_client *client,
+ st = iio_priv(dev_get_drvdata(&client->dev));
+ switch (st->chip_type) {
+ case INV_ICM20608:
++ case INV_ICM20602:
+ /* no i2c auxiliary bus on the chip */
+ break;
+ default:
+@@ -179,6 +180,7 @@ static const struct i2c_device_id inv_mpu_id[] = {
+ {"mpu9250", INV_MPU9250},
+ {"mpu9255", INV_MPU9255},
+ {"icm20608", INV_ICM20608},
++ {"icm20602", INV_ICM20602},
+ {}
+ };
+
+@@ -213,6 +215,10 @@ static const struct of_device_id inv_of_match[] = {
+ .compatible = "invensense,icm20608",
+ .data = (void *)INV_ICM20608
+ },
++ {
++ .compatible = "invensense,icm20602",
++ .data = (void *)INV_ICM20602
++ },
+ { }
+ };
+ MODULE_DEVICE_TABLE(of, inv_of_match);
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
+index e69a59659dbcf..bdbaf6e01ce3e 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
+@@ -44,6 +44,7 @@
+ * @int_pin_cfg; Controls interrupt pin configuration.
+ * @accl_offset: Controls the accelerometer calibration offset.
+ * @gyro_offset: Controls the gyroscope calibration offset.
++ * @i2c_if: Controls the i2c interface
+ */
+ struct inv_mpu6050_reg_map {
+ u8 sample_rate_div;
+@@ -65,6 +66,7 @@ struct inv_mpu6050_reg_map {
+ u8 int_pin_cfg;
+ u8 accl_offset;
+ u8 gyro_offset;
++ u8 i2c_if;
+ };
+
+ /*device enum */
+@@ -77,6 +79,7 @@ enum inv_devices {
+ INV_MPU9250,
+ INV_MPU9255,
+ INV_ICM20608,
++ INV_ICM20602,
+ INV_NUM_PARTS
+ };
+
+@@ -193,6 +196,10 @@ struct inv_mpu6050_state {
+ #define INV_MPU6050_BIT_PWR_ACCL_STBY 0x38
+ #define INV_MPU6050_BIT_PWR_GYRO_STBY 0x07
+
++/* ICM20602 register */
++#define INV_ICM20602_REG_I2C_IF 0x70
++#define INV_ICM20602_BIT_I2C_IF_DIS 0x40
++
+ #define INV_MPU6050_REG_FIFO_COUNT_H 0x72
+ #define INV_MPU6050_REG_FIFO_R_W 0x74
+
+@@ -259,6 +266,7 @@ struct inv_mpu6050_state {
+ #define INV_MPU9255_WHOAMI_VALUE 0x73
+ #define INV_MPU6515_WHOAMI_VALUE 0x74
+ #define INV_ICM20608_WHOAMI_VALUE 0xAF
++#define INV_ICM20602_WHOAMI_VALUE 0x12
+
+ /* scan element definition */
+ enum inv_mpu6050_scan {
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_spi.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_spi.c
+index 227f50afff22f..a112c3f45f748 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_spi.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_spi.c
+@@ -31,9 +31,14 @@ static int inv_mpu_i2c_disable(struct iio_dev *indio_dev)
+ if (ret)
+ return ret;
+
+- st->chip_config.user_ctrl |= INV_MPU6050_BIT_I2C_IF_DIS;
+- ret = regmap_write(st->map, st->reg->user_ctrl,
+- st->chip_config.user_ctrl);
++ if (st->reg->i2c_if) {
++ ret = regmap_write(st->map, st->reg->i2c_if,
++ INV_ICM20602_BIT_I2C_IF_DIS);
++ } else {
++ st->chip_config.user_ctrl |= INV_MPU6050_BIT_I2C_IF_DIS;
++ ret = regmap_write(st->map, st->reg->user_ctrl,
++ st->chip_config.user_ctrl);
++ }
+ if (ret) {
+ inv_mpu6050_set_power_itg(st, false);
+ return ret;
+@@ -81,6 +86,7 @@ static const struct spi_device_id inv_mpu_id[] = {
+ {"mpu9250", INV_MPU9250},
+ {"mpu9255", INV_MPU9255},
+ {"icm20608", INV_ICM20608},
++ {"icm20602", INV_ICM20602},
+ {}
+ };
+
+--
+2.20.1
+
--- /dev/null
+From a3790020b3239f13a4a4645efa7644f829b73a55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 17:17:21 +0200
+Subject: iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire
+ A315-41
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ad3e8da2d422c63c13819a53d3c5ea9312cc0b9d ]
+
+Acer Aspire A315-41 requires the very same workaround as the existing
+quirk for Dell Latitude 5495. Add the new entry for that.
+
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1137799
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu_quirks.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/iommu/amd_iommu_quirks.c b/drivers/iommu/amd_iommu_quirks.c
+index c235f79b7a200..5120ce4fdce32 100644
+--- a/drivers/iommu/amd_iommu_quirks.c
++++ b/drivers/iommu/amd_iommu_quirks.c
+@@ -73,6 +73,19 @@ static const struct dmi_system_id ivrs_quirks[] __initconst = {
+ },
+ .driver_data = (void *)&ivrs_ioapic_quirks[DELL_LATITUDE_5495],
+ },
++ {
++ /*
++ * Acer Aspire A315-41 requires the very same workaround as
++ * Dell Latitude 5495
++ */
++ .callback = ivrs_ioapic_quirk_cb,
++ .ident = "Acer Aspire A315-41",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A315-41"),
++ },
++ .driver_data = (void *)&ivrs_ioapic_quirks[DELL_LATITUDE_5495],
++ },
+ {
+ .callback = ivrs_ioapic_quirk_cb,
+ .ident = "Lenovo ideapad 330S-15ARR",
+--
+2.20.1
+
--- /dev/null
+From af94aaac07bca4f2739f167b28e686a66a1bc72c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Oct 2019 17:34:35 +0200
+Subject: ipvs: don't ignore errors in case refcounting ip_vs module fails
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 62931f59ce9cbabb934a431f48f2f1f441c605ac ]
+
+if the IPVS module is removed while the sync daemon is starting, there is
+a small gap where try_module_get() might fail getting the refcount inside
+ip_vs_use_count_inc(). Then, the refcounts of IPVS module are unbalanced,
+and the subsequent call to stop_sync_thread() causes the following splat:
+
+ WARNING: CPU: 0 PID: 4013 at kernel/module.c:1146 module_put.part.44+0x15b/0x290
+ Modules linked in: ip_vs(-) nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 veth ip6table_filter ip6_tables iptable_filter binfmt_misc intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul ext4 mbcache jbd2 ghash_clmulni_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd cryptd glue_helper joydev pcspkr snd_timer virtio_balloon snd soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk failover virtio_console qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ata_piix ttm crc32c_intel serio_raw drm virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv6]
+ CPU: 0 PID: 4013 Comm: modprobe Tainted: G W 5.4.0-rc1.upstream+ #741
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:module_put.part.44+0x15b/0x290
+ Code: 04 25 28 00 00 00 0f 85 18 01 00 00 48 83 c4 68 5b 5d 41 5c 41 5d 41 5e 41 5f c3 89 44 24 28 83 e8 01 89 c5 0f 89 57 ff ff ff <0f> 0b e9 78 ff ff ff 65 8b 1d 67 83 26 4a 89 db be 08 00 00 00 48
+ RSP: 0018:ffff888050607c78 EFLAGS: 00010297
+ RAX: 0000000000000003 RBX: ffffffffc1420590 RCX: ffffffffb5db0ef9
+ RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffc1420590
+ RBP: 00000000ffffffff R08: fffffbfff82840b3 R09: fffffbfff82840b3
+ R10: 0000000000000001 R11: fffffbfff82840b2 R12: 1ffff1100a0c0f90
+ R13: ffffffffc1420200 R14: ffff88804f533300 R15: ffff88804f533ca0
+ FS: 00007f8ea9720740(0000) GS:ffff888053800000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f3245abe000 CR3: 000000004c28a006 CR4: 00000000001606f0
+ Call Trace:
+ stop_sync_thread+0x3a3/0x7c0 [ip_vs]
+ ip_vs_sync_net_cleanup+0x13/0x50 [ip_vs]
+ ops_exit_list.isra.5+0x94/0x140
+ unregister_pernet_operations+0x29d/0x460
+ unregister_pernet_device+0x26/0x60
+ ip_vs_cleanup+0x11/0x38 [ip_vs]
+ __x64_sys_delete_module+0x2d5/0x400
+ do_syscall_64+0xa5/0x4e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f8ea8bf0db7
+ Code: 73 01 c3 48 8b 0d b9 80 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 80 2c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffcd38d2fe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+ RAX: ffffffffffffffda RBX: 0000000002436240 RCX: 00007f8ea8bf0db7
+ RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00000000024362a8
+ RBP: 0000000000000000 R08: 00007f8ea8eba060 R09: 00007f8ea8c658a0
+ R10: 00007ffcd38d2a60 R11: 0000000000000206 R12: 0000000000000000
+ R13: 0000000000000001 R14: 00000000024362a8 R15: 0000000000000000
+ irq event stamp: 4538
+ hardirqs last enabled at (4537): [<ffffffffb6193dde>] quarantine_put+0x9e/0x170
+ hardirqs last disabled at (4538): [<ffffffffb5a0556a>] trace_hardirqs_off_thunk+0x1a/0x20
+ softirqs last enabled at (4522): [<ffffffffb6f8ebe9>] sk_common_release+0x169/0x2d0
+ softirqs last disabled at (4520): [<ffffffffb6f8eb3e>] sk_common_release+0xbe/0x2d0
+
+Check the return value of ip_vs_use_count_inc() and let its caller return
+proper error. Inside do_ip_vs_set_ctl() the module is already refcounted,
+we don't need refcount/derefcount there. Finally, in register_ip_vs_app()
+and start_sync_thread(), take the module refcount earlier and ensure it's
+released in the error path.
+
+Change since v1:
+ - better return values in case of failure of ip_vs_use_count_inc(),
+ thanks to Julian Anastasov
+ - no need to increase/decrease the module refcount in ip_vs_set_ctl(),
+ thanks to Julian Anastasov
+
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_app.c | 12 ++++++++++--
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 ++++----------
+ net/netfilter/ipvs/ip_vs_pe.c | 3 ++-
+ net/netfilter/ipvs/ip_vs_sched.c | 3 ++-
+ net/netfilter/ipvs/ip_vs_sync.c | 13 ++++++++++---
+ 5 files changed, 28 insertions(+), 17 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_app.c b/net/netfilter/ipvs/ip_vs_app.c
+index 7588aeaa605ff..80759aadd3e06 100644
+--- a/net/netfilter/ipvs/ip_vs_app.c
++++ b/net/netfilter/ipvs/ip_vs_app.c
+@@ -198,21 +198,29 @@ struct ip_vs_app *register_ip_vs_app(struct netns_ipvs *ipvs, struct ip_vs_app *
+
+ mutex_lock(&__ip_vs_app_mutex);
+
++ /* increase the module use count */
++ if (!ip_vs_use_count_inc()) {
++ err = -ENOENT;
++ goto out_unlock;
++ }
++
+ list_for_each_entry(a, &ipvs->app_list, a_list) {
+ if (!strcmp(app->name, a->name)) {
+ err = -EEXIST;
++ /* decrease the module use count */
++ ip_vs_use_count_dec();
+ goto out_unlock;
+ }
+ }
+ a = kmemdup(app, sizeof(*app), GFP_KERNEL);
+ if (!a) {
+ err = -ENOMEM;
++ /* decrease the module use count */
++ ip_vs_use_count_dec();
+ goto out_unlock;
+ }
+ INIT_LIST_HEAD(&a->incs_list);
+ list_add(&a->a_list, &ipvs->app_list);
+- /* increase the module use count */
+- ip_vs_use_count_inc();
+
+ out_unlock:
+ mutex_unlock(&__ip_vs_app_mutex);
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 3df94a4991266..b2134c3894289 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1204,7 +1204,8 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+ struct ip_vs_service *svc = NULL;
+
+ /* increase the module use count */
+- ip_vs_use_count_inc();
++ if (!ip_vs_use_count_inc())
++ return -ENOPROTOOPT;
+
+ /* Lookup the scheduler by 'u->sched_name' */
+ if (strcmp(u->sched_name, "none")) {
+@@ -2363,9 +2364,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ if (copy_from_user(arg, user, len) != 0)
+ return -EFAULT;
+
+- /* increase the module use count */
+- ip_vs_use_count_inc();
+-
+ /* Handle daemons since they have another lock */
+ if (cmd == IP_VS_SO_SET_STARTDAEMON ||
+ cmd == IP_VS_SO_SET_STOPDAEMON) {
+@@ -2378,13 +2376,13 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ ret = -EINVAL;
+ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
+ sizeof(cfg.mcast_ifn)) <= 0)
+- goto out_dec;
++ return ret;
+ cfg.syncid = dm->syncid;
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+ } else {
+ ret = stop_sync_thread(ipvs, dm->state);
+ }
+- goto out_dec;
++ return ret;
+ }
+
+ mutex_lock(&__ip_vs_mutex);
+@@ -2479,10 +2477,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+
+ out_unlock:
+ mutex_unlock(&__ip_vs_mutex);
+- out_dec:
+- /* decrease the module use count */
+- ip_vs_use_count_dec();
+-
+ return ret;
+ }
+
+diff --git a/net/netfilter/ipvs/ip_vs_pe.c b/net/netfilter/ipvs/ip_vs_pe.c
+index 0df17caa8af6c..714e7e05c1021 100644
+--- a/net/netfilter/ipvs/ip_vs_pe.c
++++ b/net/netfilter/ipvs/ip_vs_pe.c
+@@ -67,7 +67,8 @@ int register_ip_vs_pe(struct ip_vs_pe *pe)
+ struct ip_vs_pe *tmp;
+
+ /* increase the module use count */
+- ip_vs_use_count_inc();
++ if (!ip_vs_use_count_inc())
++ return -ENOENT;
+
+ mutex_lock(&ip_vs_pe_mutex);
+ /* Make sure that the pe with this name doesn't exist
+diff --git a/net/netfilter/ipvs/ip_vs_sched.c b/net/netfilter/ipvs/ip_vs_sched.c
+index a2ff7d746ebf4..3bd0ff36dc41b 100644
+--- a/net/netfilter/ipvs/ip_vs_sched.c
++++ b/net/netfilter/ipvs/ip_vs_sched.c
+@@ -184,7 +184,8 @@ int register_ip_vs_scheduler(struct ip_vs_scheduler *scheduler)
+ }
+
+ /* increase the module use count */
+- ip_vs_use_count_inc();
++ if (!ip_vs_use_count_inc())
++ return -ENOENT;
+
+ mutex_lock(&ip_vs_sched_mutex);
+
+diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
+index ecb71062fcb3c..5acd99f83166b 100644
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -1762,6 +1762,10 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %zd bytes\n",
+ sizeof(struct ip_vs_sync_conn_v0));
+
++ /* increase the module use count */
++ if (!ip_vs_use_count_inc())
++ return -ENOPROTOOPT;
++
+ /* Do not hold one mutex and then to block on another */
+ for (;;) {
+ rtnl_lock();
+@@ -1892,9 +1896,6 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ mutex_unlock(&ipvs->sync_mutex);
+ rtnl_unlock();
+
+- /* increase the module use count */
+- ip_vs_use_count_inc();
+-
+ return 0;
+
+ out:
+@@ -1924,11 +1925,17 @@ out:
+ }
+ kfree(ti);
+ }
++
++ /* decrease the module use count */
++ ip_vs_use_count_dec();
+ return result;
+
+ out_early:
+ mutex_unlock(&ipvs->sync_mutex);
+ rtnl_unlock();
++
++ /* decrease the module use count */
++ ip_vs_use_count_dec();
+ return result;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 61f0f017ad6b110d91578b8e87cfdc694a427d74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Oct 2019 09:53:03 -0700
+Subject: ipvs: move old_secure_tcp into struct netns_ipvs
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c24b75e0f9239e78105f81c5f03a751641eb07ef ]
+
+syzbot reported the following issue :
+
+BUG: KCSAN: data-race in update_defense_level / update_defense_level
+
+read to 0xffffffff861a6260 of 4 bytes by task 3006 on cpu 1:
+ update_defense_level+0x621/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:177
+ defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+write to 0xffffffff861a6260 of 4 bytes by task 7333 on cpu 0:
+ update_defense_level+0xa62/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:205
+ defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 7333 Comm: kworker/0:5 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events defense_work_handler
+
+Indeed, old_secure_tcp is currently a static variable, while it
+needs to be a per netns variable.
+
+Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_vs.h | 1 +
+ net/netfilter/ipvs/ip_vs_ctl.c | 15 +++++++--------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
+index 0e3c0d83bd991..af0ede9ad4d0b 100644
+--- a/include/net/ip_vs.h
++++ b/include/net/ip_vs.h
+@@ -885,6 +885,7 @@ struct netns_ipvs {
+ struct delayed_work defense_work; /* Work handler */
+ int drop_rate;
+ int drop_counter;
++ int old_secure_tcp;
+ atomic_t dropentry;
+ /* locks in ctl.c */
+ spinlock_t dropentry_lock; /* drop entry handling */
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index b2134c3894289..c339b5e386b78 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -98,7 +98,6 @@ static bool __ip_vs_addr_is_local_v6(struct net *net,
+ static void update_defense_level(struct netns_ipvs *ipvs)
+ {
+ struct sysinfo i;
+- static int old_secure_tcp = 0;
+ int availmem;
+ int nomem;
+ int to_change = -1;
+@@ -179,35 +178,35 @@ static void update_defense_level(struct netns_ipvs *ipvs)
+ spin_lock(&ipvs->securetcp_lock);
+ switch (ipvs->sysctl_secure_tcp) {
+ case 0:
+- if (old_secure_tcp >= 2)
++ if (ipvs->old_secure_tcp >= 2)
+ to_change = 0;
+ break;
+ case 1:
+ if (nomem) {
+- if (old_secure_tcp < 2)
++ if (ipvs->old_secure_tcp < 2)
+ to_change = 1;
+ ipvs->sysctl_secure_tcp = 2;
+ } else {
+- if (old_secure_tcp >= 2)
++ if (ipvs->old_secure_tcp >= 2)
+ to_change = 0;
+ }
+ break;
+ case 2:
+ if (nomem) {
+- if (old_secure_tcp < 2)
++ if (ipvs->old_secure_tcp < 2)
+ to_change = 1;
+ } else {
+- if (old_secure_tcp >= 2)
++ if (ipvs->old_secure_tcp >= 2)
+ to_change = 0;
+ ipvs->sysctl_secure_tcp = 1;
+ }
+ break;
+ case 3:
+- if (old_secure_tcp < 2)
++ if (ipvs->old_secure_tcp < 2)
+ to_change = 1;
+ break;
+ }
+- old_secure_tcp = ipvs->sysctl_secure_tcp;
++ ipvs->old_secure_tcp = ipvs->sysctl_secure_tcp;
+ if (to_change >= 0)
+ ip_vs_protocol_timeout_change(ipvs,
+ ipvs->sysctl_secure_tcp > 1);
+--
+2.20.1
+
--- /dev/null
+From 223359c644280969383230a48b89ec1969570c7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 16:13:53 +0530
+Subject: iw_cxgb4: fix ECN check on the passive accept
+
+From: Potnuri Bharat Teja <bharat@chelsio.com>
+
+[ Upstream commit 612e0486ad0845c41ac10492e78144f99e326375 ]
+
+pass_accept_req() is using the same skb for handling accept request and
+sending accept reply to HW. Here req and rpl structures are pointing to
+same skb->data which is over written by INIT_TP_WR() and leads to
+accessing corrupt req fields in accept_cr() while checking for ECN flags.
+Reordered code in accept_cr() to fetch correct req fields.
+
+Fixes: 92e7ae7172 ("iw_cxgb4: Choose appropriate hw mtu index and ISS for iWARP connections")
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Link: https://lore.kernel.org/r/20191003104353.11590-1-bharat@chelsio.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index 3be6405d9855e..566bfcc6add0d 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2380,20 +2380,6 @@ static int accept_cr(struct c4iw_ep *ep, struct sk_buff *skb,
+ enum chip_type adapter_type = ep->com.dev->rdev.lldi.adapter_type;
+
+ pr_debug("ep %p tid %u\n", ep, ep->hwtid);
+-
+- skb_get(skb);
+- rpl = cplhdr(skb);
+- if (!is_t4(adapter_type)) {
+- skb_trim(skb, roundup(sizeof(*rpl5), 16));
+- rpl5 = (void *)rpl;
+- INIT_TP_WR(rpl5, ep->hwtid);
+- } else {
+- skb_trim(skb, sizeof(*rpl));
+- INIT_TP_WR(rpl, ep->hwtid);
+- }
+- OPCODE_TID(rpl) = cpu_to_be32(MK_OPCODE_TID(CPL_PASS_ACCEPT_RPL,
+- ep->hwtid));
+-
+ cxgb_best_mtu(ep->com.dev->rdev.lldi.mtus, ep->mtu, &mtu_idx,
+ enable_tcp_timestamps && req->tcpopt.tstamp,
+ (ep->com.remote_addr.ss_family == AF_INET) ? 0 : 1);
+@@ -2439,6 +2425,20 @@ static int accept_cr(struct c4iw_ep *ep, struct sk_buff *skb,
+ if (tcph->ece && tcph->cwr)
+ opt2 |= CCTRL_ECN_V(1);
+ }
++
++ skb_get(skb);
++ rpl = cplhdr(skb);
++ if (!is_t4(adapter_type)) {
++ skb_trim(skb, roundup(sizeof(*rpl5), 16));
++ rpl5 = (void *)rpl;
++ INIT_TP_WR(rpl5, ep->hwtid);
++ } else {
++ skb_trim(skb, sizeof(*rpl));
++ INIT_TP_WR(rpl, ep->hwtid);
++ }
++ OPCODE_TID(rpl) = cpu_to_be32(MK_OPCODE_TID(CPL_PASS_ACCEPT_RPL,
++ ep->hwtid));
++
+ if (CHELSIO_CHIP_VERSION(adapter_type) > CHELSIO_T4) {
+ u32 isn = (prandom_u32() & ~7UL) - 1;
+ opt2 |= T5_OPT_2_VALID_F;
+--
+2.20.1
+
--- /dev/null
+From 75c43d9fea788e61b54a2c6368194b7acdd5002d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 18:47:55 +0000
+Subject: macsec: fix refcnt leak in module exit routine
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 ]
+
+When a macsec interface is created, it increases a refcnt to a lower
+device(real device). when macsec interface is deleted, the refcnt is
+decreased in macsec_free_netdev(), which is ->priv_destructor() of
+macsec interface.
+
+The problem scenario is this.
+When nested macsec interfaces are exiting, the exit routine of the
+macsec module makes refcnt leaks.
+
+Test commands:
+ ip link add dummy0 type dummy
+ ip link add macsec0 link dummy0 type macsec
+ ip link add macsec1 link macsec0 type macsec
+ modprobe -rv macsec
+
+[ 208.629433] unregister_netdevice: waiting for macsec0 to become free. Usage count = 1
+
+Steps of exit routine of macsec module are below.
+1. Calls ->dellink() in __rtnl_link_unregister().
+2. Checks refcnt and wait refcnt to be 0 if refcnt is not 0 in
+netdev_run_todo().
+3. Calls ->priv_destruvtor() in netdev_run_todo().
+
+Step2 checks refcnt, but step3 decreases refcnt.
+So, step2 waits forever.
+
+This patch makes the macsec module do not hold a refcnt of the lower
+device because it already holds a refcnt of the lower device with
+netdev_upper_dev_link().
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 0dc92d2faa64d..05115fb0c97a9 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3008,12 +3008,10 @@ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
+ static void macsec_free_netdev(struct net_device *dev)
+ {
+ struct macsec_dev *macsec = macsec_priv(dev);
+- struct net_device *real_dev = macsec->real_dev;
+
+ free_percpu(macsec->stats);
+ free_percpu(macsec->secy.tx_sc.stats);
+
+- dev_put(real_dev);
+ }
+
+ static void macsec_setup(struct net_device *dev)
+@@ -3268,8 +3266,6 @@ static int macsec_newlink(struct net *net, struct net_device *dev,
+ if (err < 0)
+ return err;
+
+- dev_hold(real_dev);
+-
+ macsec->nest_level = dev_get_nest_level(real_dev) + 1;
+ netdev_lockdep_set_classes(dev);
+ lockdep_set_class_and_subclass(&dev->addr_list_lock,
+--
+2.20.1
+
--- /dev/null
+From 34cabf5b2042c42dcf4a193d63ba52184392eae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2019 20:17:25 +0800
+Subject: net: ethernet: arc: add the missed clk_disable_unprepare
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 4202e219edd6cc164c042e16fa327525410705ae ]
+
+The remove misses to disable and unprepare priv->macclk like what is done
+when probe fails.
+Add the missed call in remove.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/arc/emac_rockchip.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/arc/emac_rockchip.c b/drivers/net/ethernet/arc/emac_rockchip.c
+index 0f65768026072..a1df2ebab07f0 100644
+--- a/drivers/net/ethernet/arc/emac_rockchip.c
++++ b/drivers/net/ethernet/arc/emac_rockchip.c
+@@ -265,6 +265,9 @@ static int emac_rockchip_remove(struct platform_device *pdev)
+ if (priv->regulator)
+ regulator_disable(priv->regulator);
+
++ if (priv->soc_data->need_div_macclk)
++ clk_disable_unprepare(priv->macclk);
++
+ free_netdev(ndev);
+ return err;
+ }
+--
+2.20.1
+
--- /dev/null
+From 201b0288526e526da9b07ffebb51af27abcbebb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 21:48:22 +0800
+Subject: net: hisilicon: Fix "Trying to free already-free IRQ"
+
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+
+[ Upstream commit 63a41746827cb16dc6ad0d4d761ab4e7dda7a0c3 ]
+
+When rmmod hip04_eth.ko, we can get the following warning:
+
+Task track: rmmod(1623)>bash(1591)>login(1581)>init(1)
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1623 at kernel/irq/manage.c:1557 __free_irq+0xa4/0x2ac()
+Trying to free already-free IRQ 200
+Modules linked in: ping(O) pramdisk(O) cpuinfo(O) rtos_snapshot(O) interrupt_ctrl(O) mtdblock mtd_blkdevrtfs nfs_acl nfs lockd grace sunrpc xt_tcpudp ipt_REJECT iptable_filter ip_tables x_tables nf_reject_ipv
+CPU: 0 PID: 1623 Comm: rmmod Tainted: G O 4.4.193 #1
+Hardware name: Hisilicon A15
+[<c020b408>] (rtos_unwind_backtrace) from [<c0206624>] (show_stack+0x10/0x14)
+[<c0206624>] (show_stack) from [<c03f2be4>] (dump_stack+0xa0/0xd8)
+[<c03f2be4>] (dump_stack) from [<c021a780>] (warn_slowpath_common+0x84/0xb0)
+[<c021a780>] (warn_slowpath_common) from [<c021a7e8>] (warn_slowpath_fmt+0x3c/0x68)
+[<c021a7e8>] (warn_slowpath_fmt) from [<c026876c>] (__free_irq+0xa4/0x2ac)
+[<c026876c>] (__free_irq) from [<c0268a14>] (free_irq+0x60/0x7c)
+[<c0268a14>] (free_irq) from [<c0469e80>] (release_nodes+0x1c4/0x1ec)
+[<c0469e80>] (release_nodes) from [<c0466924>] (__device_release_driver+0xa8/0x104)
+[<c0466924>] (__device_release_driver) from [<c0466a80>] (driver_detach+0xd0/0xf8)
+[<c0466a80>] (driver_detach) from [<c0465e18>] (bus_remove_driver+0x64/0x8c)
+[<c0465e18>] (bus_remove_driver) from [<c02935b0>] (SyS_delete_module+0x198/0x1e0)
+[<c02935b0>] (SyS_delete_module) from [<c0202ed0>] (__sys_trace_return+0x0/0x10)
+---[ end trace bb25d6123d849b44 ]---
+
+Currently "rmmod hip04_eth.ko" call free_irq more than once
+as devres_release_all and hip04_remove both call free_irq.
+This results in a 'Trying to free already-free IRQ' warning.
+To solve the problem free_irq has been moved out of hip04_remove.
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 2f8f03e0db81e..644ad78d00515 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -945,7 +945,6 @@ static int hip04_remove(struct platform_device *pdev)
+
+ hip04_free_ring(ndev, d);
+ unregister_netdev(ndev);
+- free_irq(ndev->irq, ndev);
+ of_node_put(priv->phy_node);
+ cancel_work_sync(&priv->tx_timeout_task);
+ free_netdev(ndev);
+--
+2.20.1
+
--- /dev/null
+From fec27768fff40a7c8de9dc6ad525d926a46076fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2019 22:20:34 -0500
+Subject: net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit c8c2a057fdc7de1cd16f4baa51425b932a42eb39 ]
+
+In mlx5_fpga_conn_create_cq if mlx5_vector2eqn fails the allocated
+memory should be released.
+
+Fixes: 537a50574175 ("net/mlx5: FPGA, Add high-speed connection routines")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
+index 8ca1d1949d930..d8d0b6bd5c5ae 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
+@@ -462,8 +462,10 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size)
+ }
+
+ err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn, &irqn);
+- if (err)
++ if (err) {
++ kvfree(in);
+ goto err_cqwq;
++ }
+
+ cqc = MLX5_ADDR_OF(create_cq_in, in, cq_context);
+ MLX5_SET(cqc, cqc, log_cq_size, ilog2(cq_size));
+--
+2.20.1
+
--- /dev/null
+From 8ab22cf3a8d56df8255c20f85705e96d915ba013 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2019 11:29:09 +0300
+Subject: net/mlx5e: TX, Fix consumer index of error cqe dump
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 61ea02d2c13106116c6e4916ac5d9dd41151c959 ]
+
+The completion queue consumer index increments upon a call to
+mlx5_cqwq_pop().
+When dumping an error CQE, the index is already incremented.
+Decrease one for the print command.
+
+Fixes: 16cc14d81733 ("net/mlx5e: Dump xmit error completions")
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+index 0b03d65474e93..73dce92c41c44 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -462,7 +462,10 @@ netdev_tx_t mlx5e_xmit(struct sk_buff *skb, struct net_device *dev)
+ static void mlx5e_dump_error_cqe(struct mlx5e_txqsq *sq,
+ struct mlx5_err_cqe *err_cqe)
+ {
+- u32 ci = mlx5_cqwq_get_ci(&sq->cq.wq);
++ struct mlx5_cqwq *wq = &sq->cq.wq;
++ u32 ci;
++
++ ci = mlx5_cqwq_ctr2ix(wq, wq->cc - 1);
+
+ netdev_err(sq->channel->netdev,
+ "Error cqe on cqn 0x%x, ci 0x%x, sqn 0x%x, syndrome 0x%x, vendor syndrome 0x%x\n",
+--
+2.20.1
+
--- /dev/null
+From 665cfe6e76b3fb171fdaf4b8839a1f62aeacd079 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2019 21:04:26 +0300
+Subject: net: mscc: ocelot: fix vlan_filtering when enslaving to bridge before
+ link is up
+
+From: Vladimir Oltean <olteanv@gmail.com>
+
+[ Upstream commit 1c44ce560b4de639f237b458be1729489ff44d0a ]
+
+Background information: the driver operates the hardware in a mode where
+a single VLAN can be transmitted as untagged on a particular egress
+port. That is the "native VLAN on trunk port" use case. Its value is
+held in port->vid.
+
+Consider the following command sequence (no network manager, all
+interfaces are down, debugging prints added by me):
+
+$ ip link add dev br0 type bridge vlan_filtering 1
+$ ip link set dev swp0 master br0
+
+Kernel code path during last command:
+
+br_add_slave -> ocelot_netdevice_port_event (NETDEV_CHANGEUPPER):
+[ 21.401901] ocelot_vlan_port_apply: port 0 vlan aware 0 pvid 0 vid 0
+
+br_add_slave -> nbp_vlan_init -> switchdev_port_attr_set -> ocelot_port_attr_set (SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING):
+[ 21.413335] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 0 vid 0
+
+br_add_slave -> nbp_vlan_init -> nbp_vlan_add -> br_switchdev_port_vlan_add -> switchdev_port_obj_add -> ocelot_port_obj_add -> ocelot_vlan_vid_add
+[ 21.667421] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 1
+
+So far so good. The bridge has replaced the driver's default pvid used
+in standalone mode (0) with its own default_pvid (1). The port's vid
+(native VLAN) has also changed from 0 to 1.
+
+$ ip link set dev swp0 up
+
+[ 31.722956] 8021q: adding VLAN 0 to HW filter on device swp0
+do_setlink -> dev_change_flags -> vlan_vid_add -> ocelot_vlan_rx_add_vid -> ocelot_vlan_vid_add:
+[ 31.728700] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 0
+
+The 8021q module uses the .ndo_vlan_rx_add_vid API on .ndo_open to make
+ports be able to transmit and receive 802.1p-tagged traffic by default.
+This API is supposed to offload a VLAN sub-interface, which for a switch
+port means to add a VLAN that is not a pvid, and tagged on egress.
+
+But the driver implementation of .ndo_vlan_rx_add_vid is wrong: it adds
+back vid 0 as "egress untagged". Now back to the initial paragraph:
+there is a single untagged VID that the driver keeps track of, and that
+has just changed from 1 (the pvid) to 0. So this breaks the bridge
+core's expectation, because it has changed vid 1 from untagged to
+tagged, when what the user sees is.
+
+$ bridge vlan
+port vlan ids
+swp0 1 PVID Egress Untagged
+
+br0 1 PVID Egress Untagged
+
+But curiously, instead of manifesting itself as "untagged and
+pvid-tagged traffic gets sent as tagged on egress", the bug:
+
+- is hidden when vlan_filtering=0
+- manifests as dropped traffic when vlan_filtering=1, due to this setting:
+
+ if (port->vlan_aware && !port->vid)
+ /* If port is vlan-aware and tagged, drop untagged and priority
+ * tagged frames.
+ */
+ val |= ANA_PORT_DROP_CFG_DROP_UNTAGGED_ENA |
+ ANA_PORT_DROP_CFG_DROP_PRIO_S_TAGGED_ENA |
+ ANA_PORT_DROP_CFG_DROP_PRIO_C_TAGGED_ENA;
+
+which would have made sense if it weren't for this bug. The setting's
+intention was "this is a trunk port with no native VLAN, so don't accept
+untagged traffic". So the driver was never expecting to set VLAN 0 as
+the value of the native VLAN, 0 was just encoding for "invalid".
+
+So the fix is to not send 802.1p traffic as untagged, because that would
+change the port's native vlan to 0, unbeknownst to the bridge, and
+trigger unexpected code paths in the driver.
+
+Cc: Antoine Tenart <antoine.tenart@bootlin.com>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Fixes: 7142529f1688 ("net: mscc: ocelot: add VLAN filtering")
+Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
+index e05a59ae9a593..965f13944c76b 100644
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -886,7 +886,7 @@ end:
+ static int ocelot_vlan_rx_add_vid(struct net_device *dev, __be16 proto,
+ u16 vid)
+ {
+- return ocelot_vlan_vid_add(dev, vid, false, true);
++ return ocelot_vlan_vid_add(dev, vid, false, false);
+ }
+
+ static int ocelot_vlan_rx_kill_vid(struct net_device *dev, __be16 proto,
+--
+2.20.1
+
--- /dev/null
+From 27f9a5b1ada40006b4e0f6fe1e0a2c0d55b1a9db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2019 21:04:27 +0300
+Subject: net: mscc: ocelot: refuse to overwrite the port's native vlan
+
+From: Vladimir Oltean <olteanv@gmail.com>
+
+[ Upstream commit b9cd75e6689560140dadaed98eb4b41aad75d55d ]
+
+The switch driver keeps a "vid" variable per port, which signifies _the_
+VLAN ID that is stripped on that port's egress (aka the native VLAN on a
+trunk port).
+
+That is the way the hardware is designed (mostly). The port->vid is
+programmed into REW:PORT:PORT_VLAN_CFG:PORT_VID and the rewriter is told
+to send all traffic as tagged except the one having port->vid.
+
+There exists a possibility of finer-grained egress untagging decisions:
+using the VCAP IS1 engine, one rule can be added to match every
+VLAN-tagged frame whose VLAN should be untagged, and set POP_CNT=1 as
+action. However, the IS1 can hold at most 512 entries, and the VLANs are
+in the order of 6 * 4096.
+
+So the code is fine for now. But this sequence of commands:
+
+$ bridge vlan add dev swp0 vid 1 pvid untagged
+$ bridge vlan add dev swp0 vid 2 untagged
+
+makes untagged and pvid-tagged traffic be sent out of swp0 as tagged
+with VID 1, despite user's request.
+
+Prevent that from happening. The user should temporarily remove the
+existing untagged VLAN (1 in this case), add it back as tagged, and then
+add the new untagged VLAN (2 in this case).
+
+Cc: Antoine Tenart <antoine.tenart@bootlin.com>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Fixes: 7142529f1688 ("net: mscc: ocelot: add VLAN filtering")
+Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
+index 965f13944c76b..a29a6a618110e 100644
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -253,8 +253,15 @@ static int ocelot_vlan_vid_add(struct net_device *dev, u16 vid, bool pvid,
+ port->pvid = vid;
+
+ /* Untagged egress vlan clasification */
+- if (untagged)
++ if (untagged && port->vid != vid) {
++ if (port->vid) {
++ dev_err(ocelot->dev,
++ "Port already has a native VLAN: %d\n",
++ port->vid);
++ return -EBUSY;
++ }
+ port->vid = vid;
++ }
+
+ ocelot_vlan_port_apply(ocelot, port);
+
+--
+2.20.1
+
--- /dev/null
+From eb9ad3873fb09641b27c410368bdc35b217c3656 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 12:01:57 +0200
+Subject: net: openvswitch: free vport unless register_netdevice() succeeds
+
+From: Hillf Danton <hdanton@sina.com>
+
+[ Upstream commit 9464cc37f3671ee69cb1c00662b5e1f113a96b23 ]
+
+syzbot found the following crash on:
+
+HEAD commit: 1e78030e Merge tag 'mmc-v5.3-rc1' of git://git.kernel.org/..
+git tree: upstream
+console output: https://syzkaller.appspot.com/x/log.txt?x=148d3d1a600000
+kernel config: https://syzkaller.appspot.com/x/.config?x=30cef20daf3e9977
+dashboard link: https://syzkaller.appspot.com/bug?extid=13210896153522fe1ee5
+compiler: gcc (GCC) 9.0.0 20181231 (experimental)
+syz repro: https://syzkaller.appspot.com/x/repro.syz?x=136aa8c4600000
+C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109ba792600000
+
+=====================================================================
+BUG: memory leak
+unreferenced object 0xffff8881207e4100 (size 128):
+ comm "syz-executor032", pid 7014, jiffies 4294944027 (age 13.830s)
+ hex dump (first 32 bytes):
+ 00 70 16 18 81 88 ff ff 80 af 8c 22 81 88 ff ff .p........."....
+ 00 b6 23 17 81 88 ff ff 00 00 00 00 00 00 00 00 ..#.............
+ backtrace:
+ [<000000000eb78212>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<000000000eb78212>] slab_post_alloc_hook mm/slab.h:522 [inline]
+ [<000000000eb78212>] slab_alloc mm/slab.c:3319 [inline]
+ [<000000000eb78212>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
+ [<00000000006ea6c6>] kmalloc include/linux/slab.h:552 [inline]
+ [<00000000006ea6c6>] kzalloc include/linux/slab.h:748 [inline]
+ [<00000000006ea6c6>] ovs_vport_alloc+0x37/0xf0 net/openvswitch/vport.c:130
+ [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164
+ [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199
+ [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194
+ [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614
+ [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629
+ [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654
+ [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
+ [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665
+ [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328
+ [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917
+ [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline]
+ [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657
+ [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311
+ [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356
+ [<00000000c10abb2d>] __do_sys_sendmsg net/socket.c:2365 [inline]
+ [<00000000c10abb2d>] __se_sys_sendmsg net/socket.c:2363 [inline]
+ [<00000000c10abb2d>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2363
+
+BUG: memory leak
+unreferenced object 0xffff88811723b600 (size 64):
+ comm "syz-executor032", pid 7014, jiffies 4294944027 (age 13.830s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 02 00 00 00 05 35 82 c1 .............5..
+ backtrace:
+ [<00000000352f46d8>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<00000000352f46d8>] slab_post_alloc_hook mm/slab.h:522 [inline]
+ [<00000000352f46d8>] slab_alloc mm/slab.c:3319 [inline]
+ [<00000000352f46d8>] __do_kmalloc mm/slab.c:3653 [inline]
+ [<00000000352f46d8>] __kmalloc+0x169/0x300 mm/slab.c:3664
+ [<000000008e48f3d1>] kmalloc include/linux/slab.h:557 [inline]
+ [<000000008e48f3d1>] ovs_vport_set_upcall_portids+0x54/0xd0 net/openvswitch/vport.c:343
+ [<00000000541e4f4a>] ovs_vport_alloc+0x7f/0xf0 net/openvswitch/vport.c:139
+ [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164
+ [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199
+ [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194
+ [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614
+ [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629
+ [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654
+ [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
+ [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665
+ [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328
+ [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917
+ [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline]
+ [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657
+ [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311
+ [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356
+
+BUG: memory leak
+unreferenced object 0xffff8881228ca500 (size 128):
+ comm "syz-executor032", pid 7015, jiffies 4294944622 (age 7.880s)
+ hex dump (first 32 bytes):
+ 00 f0 27 18 81 88 ff ff 80 ac 8c 22 81 88 ff ff ..'........"....
+ 40 b7 23 17 81 88 ff ff 00 00 00 00 00 00 00 00 @.#.............
+ backtrace:
+ [<000000000eb78212>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<000000000eb78212>] slab_post_alloc_hook mm/slab.h:522 [inline]
+ [<000000000eb78212>] slab_alloc mm/slab.c:3319 [inline]
+ [<000000000eb78212>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
+ [<00000000006ea6c6>] kmalloc include/linux/slab.h:552 [inline]
+ [<00000000006ea6c6>] kzalloc include/linux/slab.h:748 [inline]
+ [<00000000006ea6c6>] ovs_vport_alloc+0x37/0xf0 net/openvswitch/vport.c:130
+ [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164
+ [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199
+ [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194
+ [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614
+ [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629
+ [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654
+ [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
+ [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665
+ [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328
+ [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917
+ [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline]
+ [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657
+ [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311
+ [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356
+ [<00000000c10abb2d>] __do_sys_sendmsg net/socket.c:2365 [inline]
+ [<00000000c10abb2d>] __se_sys_sendmsg net/socket.c:2363 [inline]
+ [<00000000c10abb2d>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2363
+=====================================================================
+
+The function in net core, register_netdevice(), may fail with vport's
+destruction callback either invoked or not. After commit 309b66970ee2
+("net: openvswitch: do not free vport if register_netdevice() is failed."),
+the duty to destroy vport is offloaded from the driver OTOH, which ends
+up in the memory leak reported.
+
+It is fixed by releasing vport unless device is registered successfully.
+To do that, the callback assignment is defered until device is registered.
+
+Reported-by: syzbot+13210896153522fe1ee5@syzkaller.appspotmail.com
+Fixes: 309b66970ee2 ("net: openvswitch: do not free vport if register_netdevice() is failed.")
+Cc: Taehee Yoo <ap420073@gmail.com>
+Cc: Greg Rose <gvrose8192@gmail.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+[sbrivio: this was sent to dev@openvswitch.org and never made its way
+ to netdev -- resending original patch]
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Greg Rose <gvrose8192@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/vport-internal_dev.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
+index 5a304cfc84233..d2356a284646c 100644
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -149,7 +149,7 @@ static void do_setup(struct net_device *netdev)
+ netdev->priv_flags |= IFF_LIVE_ADDR_CHANGE | IFF_OPENVSWITCH |
+ IFF_NO_QUEUE;
+ netdev->needs_free_netdev = true;
+- netdev->priv_destructor = internal_dev_destructor;
++ netdev->priv_destructor = NULL;
+ netdev->ethtool_ops = &internal_dev_ethtool_ops;
+ netdev->rtnl_link_ops = &internal_dev_link_ops;
+
+@@ -171,7 +171,6 @@ static struct vport *internal_dev_create(const struct vport_parms *parms)
+ struct internal_dev *internal_dev;
+ struct net_device *dev;
+ int err;
+- bool free_vport = true;
+
+ vport = ovs_vport_alloc(0, &ovs_internal_vport_ops, parms);
+ if (IS_ERR(vport)) {
+@@ -202,10 +201,9 @@ static struct vport *internal_dev_create(const struct vport_parms *parms)
+
+ rtnl_lock();
+ err = register_netdevice(vport->dev);
+- if (err) {
+- free_vport = false;
++ if (err)
+ goto error_unlock;
+- }
++ vport->dev->priv_destructor = internal_dev_destructor;
+
+ dev_set_promiscuity(vport->dev, 1);
+ rtnl_unlock();
+@@ -219,8 +217,7 @@ error_unlock:
+ error_free_netdev:
+ free_netdev(dev);
+ error_free_vport:
+- if (free_vport)
+- ovs_vport_free(vport);
++ ovs_vport_free(vport);
+ error:
+ return ERR_PTR(err);
+ }
+--
+2.20.1
+
--- /dev/null
+From 96e7e8b5fcc7d1c847d8e9983bb66d0d556a948d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2019 11:03:15 +0200
+Subject: netfilter: nf_flow_table: set timeout before insertion into hashes
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit daf61b026f4686250e6afa619e6d7b49edc61df7 ]
+
+Other garbage collector might remove an entry not fully set up yet.
+
+[570953.958293] RIP: 0010:memcmp+0x9/0x50
+[...]
+[570953.958567] flow_offload_hash_cmp+0x1e/0x30 [nf_flow_table]
+[570953.958585] flow_offload_lookup+0x8c/0x110 [nf_flow_table]
+[570953.958606] nf_flow_offload_ip_hook+0x135/0xb30 [nf_flow_table]
+[570953.958624] nf_flow_offload_inet_hook+0x35/0x37 [nf_flow_table_inet]
+[570953.958646] nf_hook_slow+0x3c/0xb0
+[570953.958664] __netif_receive_skb_core+0x90f/0xb10
+[570953.958678] ? ip_rcv_finish+0x82/0xa0
+[570953.958692] __netif_receive_skb_one_core+0x3b/0x80
+[570953.958711] __netif_receive_skb+0x18/0x60
+[570953.958727] netif_receive_skb_internal+0x45/0xf0
+[570953.958741] napi_gro_receive+0xcd/0xf0
+[570953.958764] ixgbe_clean_rx_irq+0x432/0xe00 [ixgbe]
+[570953.958782] ixgbe_poll+0x27b/0x700 [ixgbe]
+[570953.958796] net_rx_action+0x284/0x3c0
+[570953.958817] __do_softirq+0xcc/0x27c
+[570953.959464] irq_exit+0xe8/0x100
+[570953.960097] do_IRQ+0x59/0xe0
+[570953.960734] common_interrupt+0xf/0xf
+
+Fixes: 43c8f131184f ("netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_flow_table_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
+index 8ade405129444..70bd730ca0597 100644
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -187,6 +187,8 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
+ {
+ int err;
+
++ flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
++
+ err = rhashtable_insert_fast(&flow_table->rhashtable,
+ &flow->tuplehash[0].node,
+ nf_flow_offload_rhash_params);
+@@ -203,7 +205,6 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
+ return err;
+ }
+
+- flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(flow_offload_add);
+--
+2.20.1
+
--- /dev/null
+From 8d9f14182990a78ad9a930fb9b4b84202618c1ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 18:40:32 -0400
+Subject: NFSv4: Don't allow a cached open with a revoked delegation
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+[ Upstream commit be3df3dd4c70ee020587a943a31b98a0fb4b6424 ]
+
+If the delegation is marked as being revoked, we must not use it
+for cached opens.
+
+Fixes: 869f9dfa4d6d ("NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/delegation.c | 10 ++++++++++
+ fs/nfs/delegation.h | 1 +
+ fs/nfs/nfs4proc.c | 7 ++-----
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
+index 825a8c52165a2..c5c3394148f72 100644
+--- a/fs/nfs/delegation.c
++++ b/fs/nfs/delegation.c
+@@ -54,6 +54,16 @@ nfs4_is_valid_delegation(const struct nfs_delegation *delegation,
+ return false;
+ }
+
++struct nfs_delegation *nfs4_get_valid_delegation(const struct inode *inode)
++{
++ struct nfs_delegation *delegation;
++
++ delegation = rcu_dereference(NFS_I(inode)->delegation);
++ if (nfs4_is_valid_delegation(delegation, 0))
++ return delegation;
++ return NULL;
++}
++
+ static int
+ nfs4_do_check_delegation(struct inode *inode, fmode_t flags, bool mark)
+ {
+diff --git a/fs/nfs/delegation.h b/fs/nfs/delegation.h
+index c95477823fa6b..dd0f3eed3890d 100644
+--- a/fs/nfs/delegation.h
++++ b/fs/nfs/delegation.h
+@@ -66,6 +66,7 @@ int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state,
+ bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags, nfs4_stateid *dst, struct rpc_cred **cred);
+ bool nfs4_refresh_delegation_stateid(nfs4_stateid *dst, struct inode *inode);
+
++struct nfs_delegation *nfs4_get_valid_delegation(const struct inode *inode);
+ void nfs_mark_delegation_referenced(struct nfs_delegation *delegation);
+ int nfs4_have_delegation(struct inode *inode, fmode_t flags);
+ int nfs4_check_delegation(struct inode *inode, fmode_t flags);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 75faef7af22d3..792f8821b5d6b 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1393,8 +1393,6 @@ static int can_open_delegated(struct nfs_delegation *delegation, fmode_t fmode,
+ return 0;
+ if ((delegation->type & fmode) != fmode)
+ return 0;
+- if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags))
+- return 0;
+ switch (claim) {
+ case NFS4_OPEN_CLAIM_NULL:
+ case NFS4_OPEN_CLAIM_FH:
+@@ -1751,7 +1749,6 @@ static void nfs4_return_incompatible_delegation(struct inode *inode, fmode_t fmo
+ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
+ {
+ struct nfs4_state *state = opendata->state;
+- struct nfs_inode *nfsi = NFS_I(state->inode);
+ struct nfs_delegation *delegation;
+ int open_mode = opendata->o_arg.open_flags;
+ fmode_t fmode = opendata->o_arg.fmode;
+@@ -1768,7 +1765,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
+ }
+ spin_unlock(&state->owner->so_lock);
+ rcu_read_lock();
+- delegation = rcu_dereference(nfsi->delegation);
++ delegation = nfs4_get_valid_delegation(state->inode);
+ if (!can_open_delegated(delegation, fmode, claim)) {
+ rcu_read_unlock();
+ break;
+@@ -2293,7 +2290,7 @@ static void nfs4_open_prepare(struct rpc_task *task, void *calldata)
+ data->o_arg.open_flags, claim))
+ goto out_no_action;
+ rcu_read_lock();
+- delegation = rcu_dereference(NFS_I(data->state->inode)->delegation);
++ delegation = nfs4_get_valid_delegation(data->state->inode);
+ if (can_open_delegated(delegation, data->o_arg.fmode, claim))
+ goto unlock_no_action;
+ rcu_read_unlock();
+--
+2.20.1
+
--- /dev/null
+From 485713f3fe1ab703fc53ad03ac311c12cf9a055f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2019 11:32:50 -0700
+Subject: nvme-multipath: fix possible io hang after ctrl reconnect
+
+From: Anton Eidelman <anton@lightbitslabs.com>
+
+[ Upstream commit af8fd0424713a2adb812d10d55e86718152cf656 ]
+
+The following scenario results in an IO hang:
+1) ctrl completes a request with NVME_SC_ANA_TRANSITION.
+ NVME_NS_ANA_PENDING bit in ns->flags is set and ana_work is triggered.
+2) ana_work: nvme_read_ana_log() tries to get the ANA log page from the ctrl.
+ This fails because ctrl disconnects.
+ Therefore nvme_update_ns_ana_state() is not called
+ and NVME_NS_ANA_PENDING bit in ns->flags is not cleared.
+3) ctrl reconnects: nvme_mpath_init(ctrl,...) calls
+ nvme_read_ana_log(ctrl, groups_only=true).
+ However, nvme_update_ana_state() does not update namespaces
+ because nr_nsids = 0 (due to groups_only mode).
+4) scan_work calls nvme_validate_ns() finds the ns and re-validates OK.
+
+Result:
+The ctrl is now live but NVME_NS_ANA_PENDING bit in ns->flags is still set.
+Consequently ctrl will never be considered a viable path by __nvme_find_path().
+IO will hang if ctrl is the only or the last path to the namespace.
+
+More generally, while ctrl is reconnecting, its ANA state may change.
+And because nvme_mpath_init() requests ANA log in groups_only mode,
+these changes are not propagated to the existing ctrl namespaces.
+This may result in a mal-function or an IO hang.
+
+Solution:
+nvme_mpath_init() will nvme_read_ana_log() with groups_only set to false.
+This will not harm the new ctrl case (no namespaces present),
+and will make sure the ANA state of namespaces gets updated after reconnect.
+
+Note: Another option would be for nvme_mpath_init() to invoke
+nvme_parse_ana_log(..., nvme_set_ns_ana_state) for each existing namespace.
+
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 892ef52122329..838ee58d80cda 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -575,7 +575,7 @@ int nvme_mpath_init(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id)
+ goto out;
+ }
+
+- error = nvme_read_ana_log(ctrl, true);
++ error = nvme_read_ana_log(ctrl, false);
+ if (error)
+ goto out_free_ana_log_buf;
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 125507d891f46b7f96dcc16e9243183de1172db9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 21:16:34 -0800
+Subject: ocfs2: protect extent tree in ocfs2_prepare_inode_for_write()
+
+From: Shuning Zhang <sunny.s.zhang@oracle.com>
+
+[ Upstream commit e74540b285569d2b1e14fe7aee92297078f235ce ]
+
+When the extent tree is modified, it should be protected by inode
+cluster lock and ip_alloc_sem.
+
+The extent tree is accessed and modified in the
+ocfs2_prepare_inode_for_write, but isn't protected by ip_alloc_sem.
+
+The following is a case. The function ocfs2_fiemap is accessing the
+extent tree, which is modified at the same time.
+
+ kernel BUG at fs/ocfs2/extent_map.c:475!
+ invalid opcode: 0000 [#1] SMP
+ Modules linked in: tun ocfs2 ocfs2_nodemanager configfs ocfs2_stackglue [...]
+ CPU: 16 PID: 14047 Comm: o2info Not tainted 4.1.12-124.23.1.el6uek.x86_64 #2
+ Hardware name: Oracle Corporation ORACLE SERVER X7-2L/ASM, MB MECH, X7-2L, BIOS 42040600 10/19/2018
+ task: ffff88019487e200 ti: ffff88003daa4000 task.ti: ffff88003daa4000
+ RIP: ocfs2_get_clusters_nocache.isra.11+0x390/0x550 [ocfs2]
+ Call Trace:
+ ocfs2_fiemap+0x1e3/0x430 [ocfs2]
+ do_vfs_ioctl+0x155/0x510
+ SyS_ioctl+0x81/0xa0
+ system_call_fastpath+0x18/0xd8
+ Code: 18 48 c7 c6 60 7f 65 a0 31 c0 bb e2 ff ff ff 48 8b 4a 40 48 8b 7a 28 48 c7 c2 78 2d 66 a0 e8 38 4f 05 00 e9 28 fe ff ff 0f 1f 00 <0f> 0b 66 0f 1f 44 00 00 bb 86 ff ff ff e9 13 fe ff ff 66 0f 1f
+ RIP ocfs2_get_clusters_nocache.isra.11+0x390/0x550 [ocfs2]
+ ---[ end trace c8aa0c8180e869dc ]---
+ Kernel panic - not syncing: Fatal exception
+ Kernel Offset: disabled
+
+This issue can be reproduced every week in a production environment.
+
+This issue is related to the usage mode. If others use ocfs2 in this
+mode, the kernel will panic frequently.
+
+[akpm@linux-foundation.org: coding style fixes]
+[Fix new warning due to unused function by removing said function - Linus ]
+Link: http://lkml.kernel.org/r/1568772175-2906-2-git-send-email-sunny.s.zhang@oracle.com
+Signed-off-by: Shuning Zhang <sunny.s.zhang@oracle.com>
+Reviewed-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Gang He <ghe@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/file.c | 134 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 90 insertions(+), 44 deletions(-)
+
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 9fa35cb6f6e0b..a847fe52c56ee 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2106,54 +2106,90 @@ static int ocfs2_is_io_unaligned(struct inode *inode, size_t count, loff_t pos)
+ return 0;
+ }
+
+-static int ocfs2_prepare_inode_for_refcount(struct inode *inode,
+- struct file *file,
+- loff_t pos, size_t count,
+- int *meta_level)
++static int ocfs2_inode_lock_for_extent_tree(struct inode *inode,
++ struct buffer_head **di_bh,
++ int meta_level,
++ int overwrite_io,
++ int write_sem,
++ int wait)
+ {
+- int ret;
+- struct buffer_head *di_bh = NULL;
+- u32 cpos = pos >> OCFS2_SB(inode->i_sb)->s_clustersize_bits;
+- u32 clusters =
+- ocfs2_clusters_for_bytes(inode->i_sb, pos + count) - cpos;
++ int ret = 0;
+
+- ret = ocfs2_inode_lock(inode, &di_bh, 1);
+- if (ret) {
+- mlog_errno(ret);
++ if (wait)
++ ret = ocfs2_inode_lock(inode, NULL, meta_level);
++ else
++ ret = ocfs2_try_inode_lock(inode,
++ overwrite_io ? NULL : di_bh, meta_level);
++ if (ret < 0)
+ goto out;
++
++ if (wait) {
++ if (write_sem)
++ down_write(&OCFS2_I(inode)->ip_alloc_sem);
++ else
++ down_read(&OCFS2_I(inode)->ip_alloc_sem);
++ } else {
++ if (write_sem)
++ ret = down_write_trylock(&OCFS2_I(inode)->ip_alloc_sem);
++ else
++ ret = down_read_trylock(&OCFS2_I(inode)->ip_alloc_sem);
++
++ if (!ret) {
++ ret = -EAGAIN;
++ goto out_unlock;
++ }
+ }
+
+- *meta_level = 1;
++ return ret;
+
+- ret = ocfs2_refcount_cow(inode, di_bh, cpos, clusters, UINT_MAX);
+- if (ret)
+- mlog_errno(ret);
++out_unlock:
++ brelse(*di_bh);
++ ocfs2_inode_unlock(inode, meta_level);
+ out:
+- brelse(di_bh);
+ return ret;
+ }
+
++static void ocfs2_inode_unlock_for_extent_tree(struct inode *inode,
++ struct buffer_head **di_bh,
++ int meta_level,
++ int write_sem)
++{
++ if (write_sem)
++ up_write(&OCFS2_I(inode)->ip_alloc_sem);
++ else
++ up_read(&OCFS2_I(inode)->ip_alloc_sem);
++
++ brelse(*di_bh);
++ *di_bh = NULL;
++
++ if (meta_level >= 0)
++ ocfs2_inode_unlock(inode, meta_level);
++}
++
+ static int ocfs2_prepare_inode_for_write(struct file *file,
+ loff_t pos, size_t count, int wait)
+ {
+ int ret = 0, meta_level = 0, overwrite_io = 0;
++ int write_sem = 0;
+ struct dentry *dentry = file->f_path.dentry;
+ struct inode *inode = d_inode(dentry);
+ struct buffer_head *di_bh = NULL;
+ loff_t end;
++ u32 cpos;
++ u32 clusters;
+
+ /*
+ * We start with a read level meta lock and only jump to an ex
+ * if we need to make modifications here.
+ */
+ for(;;) {
+- if (wait)
+- ret = ocfs2_inode_lock(inode, NULL, meta_level);
+- else
+- ret = ocfs2_try_inode_lock(inode,
+- overwrite_io ? NULL : &di_bh, meta_level);
++ ret = ocfs2_inode_lock_for_extent_tree(inode,
++ &di_bh,
++ meta_level,
++ overwrite_io,
++ write_sem,
++ wait);
+ if (ret < 0) {
+- meta_level = -1;
+ if (ret != -EAGAIN)
+ mlog_errno(ret);
+ goto out;
+@@ -2165,15 +2201,8 @@ static int ocfs2_prepare_inode_for_write(struct file *file,
+ */
+ if (!wait && !overwrite_io) {
+ overwrite_io = 1;
+- if (!down_read_trylock(&OCFS2_I(inode)->ip_alloc_sem)) {
+- ret = -EAGAIN;
+- goto out_unlock;
+- }
+
+ ret = ocfs2_overwrite_io(inode, di_bh, pos, count);
+- brelse(di_bh);
+- di_bh = NULL;
+- up_read(&OCFS2_I(inode)->ip_alloc_sem);
+ if (ret < 0) {
+ if (ret != -EAGAIN)
+ mlog_errno(ret);
+@@ -2192,7 +2221,10 @@ static int ocfs2_prepare_inode_for_write(struct file *file,
+ * set inode->i_size at the end of a write. */
+ if (should_remove_suid(dentry)) {
+ if (meta_level == 0) {
+- ocfs2_inode_unlock(inode, meta_level);
++ ocfs2_inode_unlock_for_extent_tree(inode,
++ &di_bh,
++ meta_level,
++ write_sem);
+ meta_level = 1;
+ continue;
+ }
+@@ -2208,18 +2240,32 @@ static int ocfs2_prepare_inode_for_write(struct file *file,
+
+ ret = ocfs2_check_range_for_refcount(inode, pos, count);
+ if (ret == 1) {
+- ocfs2_inode_unlock(inode, meta_level);
+- meta_level = -1;
+-
+- ret = ocfs2_prepare_inode_for_refcount(inode,
+- file,
+- pos,
+- count,
+- &meta_level);
++ ocfs2_inode_unlock_for_extent_tree(inode,
++ &di_bh,
++ meta_level,
++ write_sem);
++ ret = ocfs2_inode_lock_for_extent_tree(inode,
++ &di_bh,
++ meta_level,
++ overwrite_io,
++ 1,
++ wait);
++ write_sem = 1;
++ if (ret < 0) {
++ if (ret != -EAGAIN)
++ mlog_errno(ret);
++ goto out;
++ }
++
++ cpos = pos >> OCFS2_SB(inode->i_sb)->s_clustersize_bits;
++ clusters =
++ ocfs2_clusters_for_bytes(inode->i_sb, pos + count) - cpos;
++ ret = ocfs2_refcount_cow(inode, di_bh, cpos, clusters, UINT_MAX);
+ }
+
+ if (ret < 0) {
+- mlog_errno(ret);
++ if (ret != -EAGAIN)
++ mlog_errno(ret);
+ goto out_unlock;
+ }
+
+@@ -2230,10 +2276,10 @@ out_unlock:
+ trace_ocfs2_prepare_inode_for_write(OCFS2_I(inode)->ip_blkno,
+ pos, count, wait);
+
+- brelse(di_bh);
+-
+- if (meta_level >= 0)
+- ocfs2_inode_unlock(inode, meta_level);
++ ocfs2_inode_unlock_for_extent_tree(inode,
++ &di_bh,
++ meta_level,
++ write_sem);
+
+ out:
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 4e54b3813a65a42298de5ddc61004705c888f25c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Oct 2019 10:09:54 -0500
+Subject: perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus
+ precise RIP validity
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+[ Upstream commit 317b96bb14303c7998dbcd5bc606bd8038fdd4b4 ]
+
+The loop that reads all the IBS MSRs into *buf stopped one MSR short of
+reading the IbsOpData register, which contains the RipInvalid status bit.
+
+Fix the offset_max assignment so the MSR gets read, so the RIP invalid
+evaluation is based on what the IBS h/w output, instead of what was
+left in memory.
+
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: d47e8238cd76 ("perf/x86-ibs: Take instruction pointer from ibs sample")
+Link: https://lkml.kernel.org/r/20191023150955.30292-1-kim.phillips@amd.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/ibs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
+index 80c6d84cad67b..fac0867907d4d 100644
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -625,7 +625,7 @@ fail:
+ if (event->attr.sample_type & PERF_SAMPLE_RAW)
+ offset_max = perf_ibs->offset_max;
+ else if (check_rip)
+- offset_max = 2;
++ offset_max = 3;
+ else
+ offset_max = 1;
+ do {
+--
+2.20.1
+
--- /dev/null
+From 77fc732532e83b75b4f8b887ed7cdcb6cd926c44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Oct 2019 10:09:55 -0500
+Subject: perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family
+ (10h)
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+[ Upstream commit e431e79b60603079d269e0c2a5177943b95fa4b6 ]
+
+This saves us writing the IBS control MSR twice when disabling the
+event.
+
+I searched revision guides for all families since 10h, and did not
+find occurrence of erratum #420, nor anything remotely similar:
+so we isolate the secondary MSR write to family 10h only.
+
+Also unconditionally update the count mask for IBS Op implementations
+that have read & writeable current count (CurCnt) fields in addition
+to the MaxCnt field. These bits were reserved on prior
+implementations, and therefore shouldn't have negative impact.
+
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: c9574fe0bdb9 ("perf/x86-ibs: Implement workaround for IBS erratum #420")
+Link: https://lkml.kernel.org/r/20191023150955.30292-2-kim.phillips@amd.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/ibs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
+index fac0867907d4d..07bf5517d9d8b 100644
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -389,7 +389,8 @@ static inline void perf_ibs_disable_event(struct perf_ibs *perf_ibs,
+ struct hw_perf_event *hwc, u64 config)
+ {
+ config &= ~perf_ibs->cnt_mask;
+- wrmsrl(hwc->config_base, config);
++ if (boot_cpu_data.x86 == 0x10)
++ wrmsrl(hwc->config_base, config);
+ config &= ~perf_ibs->enable_mask;
+ wrmsrl(hwc->config_base, config);
+ }
+@@ -564,7 +565,8 @@ static struct perf_ibs perf_ibs_op = {
+ },
+ .msr = MSR_AMD64_IBSOPCTL,
+ .config_mask = IBS_OP_CONFIG_MASK,
+- .cnt_mask = IBS_OP_MAX_CNT,
++ .cnt_mask = IBS_OP_MAX_CNT | IBS_OP_CUR_CNT |
++ IBS_OP_CUR_CNT_RAND,
+ .enable_mask = IBS_OP_ENABLE,
+ .valid_mask = IBS_OP_VAL,
+ .max_period = IBS_OP_MAX_CNT << 4,
+--
+2.20.1
+
--- /dev/null
+From 04ab912310d13c2557a28cbaf9f5f2f39a77a343 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 07:43:13 -0700
+Subject: perf/x86/uncore: Fix event group support
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 75be6f703a141b048590d659a3954c4fedd30bba ]
+
+The events in the same group don't start or stop simultaneously.
+Here is the ftrace when enabling event group for uncore_iio_0:
+
+ # perf stat -e "{uncore_iio_0/event=0x1/,uncore_iio_0/event=0xe/}"
+
+ <idle>-0 [000] d.h. 8959.064832: read_msr: a41, value
+ b2b0b030 //Read counter reg of IIO unit0 counter0
+ <idle>-0 [000] d.h. 8959.064835: write_msr: a48, value
+ 400001 //Write Ctrl reg of IIO unit0 counter0 to enable
+ counter0. <------ Although counter0 is enabled, Unit Ctrl is still
+ freezed. Nothing will count. We are still good here.
+ <idle>-0 [000] d.h. 8959.064836: read_msr: a40, value
+ 30100 //Read Unit Ctrl reg of IIO unit0
+ <idle>-0 [000] d.h. 8959.064838: write_msr: a40, value
+ 30000 //Write Unit Ctrl reg of IIO unit0 to enable all
+ counters in the unit by clear Freeze bit <------Unit0 is un-freezed.
+ Counter0 has been enabled. Now it starts counting. But counter1 has not
+ been enabled yet. The issue starts here.
+ <idle>-0 [000] d.h. 8959.064846: read_msr: a42, value 0
+ //Read counter reg of IIO unit0 counter1
+ <idle>-0 [000] d.h. 8959.064847: write_msr: a49, value
+ 40000e //Write Ctrl reg of IIO unit0 counter1 to enable
+ counter1. <------ Now, counter1 just starts to count. Counter0 has
+ been running for a while.
+
+Current code un-freezes the Unit Ctrl right after the first counter is
+enabled. The subsequent group events always loses some counter values.
+
+Implement pmu_enable and pmu_disable support for uncore, which can help
+to batch hardware accesses.
+
+No one uses uncore_enable_box and uncore_disable_box. Remove them.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: linux-drivers-review@eclists.intel.com
+Cc: linux-perf@eclists.intel.com
+Fixes: 087bfbb03269 ("perf/x86: Add generic Intel uncore PMU support")
+Link: https://lkml.kernel.org/r/1572014593-31591-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore.c | 44 +++++++++++++++++++++++++++++-----
+ arch/x86/events/intel/uncore.h | 12 ----------
+ 2 files changed, 38 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
+index 2690135bf83f0..7098b9b05d566 100644
+--- a/arch/x86/events/intel/uncore.c
++++ b/arch/x86/events/intel/uncore.c
+@@ -485,10 +485,8 @@ void uncore_pmu_event_start(struct perf_event *event, int flags)
+ local64_set(&event->hw.prev_count, uncore_read_counter(box, event));
+ uncore_enable_event(box, event);
+
+- if (box->n_active == 1) {
+- uncore_enable_box(box);
++ if (box->n_active == 1)
+ uncore_pmu_start_hrtimer(box);
+- }
+ }
+
+ void uncore_pmu_event_stop(struct perf_event *event, int flags)
+@@ -512,10 +510,8 @@ void uncore_pmu_event_stop(struct perf_event *event, int flags)
+ WARN_ON_ONCE(hwc->state & PERF_HES_STOPPED);
+ hwc->state |= PERF_HES_STOPPED;
+
+- if (box->n_active == 0) {
+- uncore_disable_box(box);
++ if (box->n_active == 0)
+ uncore_pmu_cancel_hrtimer(box);
+- }
+ }
+
+ if ((flags & PERF_EF_UPDATE) && !(hwc->state & PERF_HES_UPTODATE)) {
+@@ -769,6 +765,40 @@ static int uncore_pmu_event_init(struct perf_event *event)
+ return ret;
+ }
+
++static void uncore_pmu_enable(struct pmu *pmu)
++{
++ struct intel_uncore_pmu *uncore_pmu;
++ struct intel_uncore_box *box;
++
++ uncore_pmu = container_of(pmu, struct intel_uncore_pmu, pmu);
++ if (!uncore_pmu)
++ return;
++
++ box = uncore_pmu_to_box(uncore_pmu, smp_processor_id());
++ if (!box)
++ return;
++
++ if (uncore_pmu->type->ops->enable_box)
++ uncore_pmu->type->ops->enable_box(box);
++}
++
++static void uncore_pmu_disable(struct pmu *pmu)
++{
++ struct intel_uncore_pmu *uncore_pmu;
++ struct intel_uncore_box *box;
++
++ uncore_pmu = container_of(pmu, struct intel_uncore_pmu, pmu);
++ if (!uncore_pmu)
++ return;
++
++ box = uncore_pmu_to_box(uncore_pmu, smp_processor_id());
++ if (!box)
++ return;
++
++ if (uncore_pmu->type->ops->disable_box)
++ uncore_pmu->type->ops->disable_box(box);
++}
++
+ static ssize_t uncore_get_attr_cpumask(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -794,6 +824,8 @@ static int uncore_pmu_register(struct intel_uncore_pmu *pmu)
+ pmu->pmu = (struct pmu) {
+ .attr_groups = pmu->type->attr_groups,
+ .task_ctx_nr = perf_invalid_context,
++ .pmu_enable = uncore_pmu_enable,
++ .pmu_disable = uncore_pmu_disable,
+ .event_init = uncore_pmu_event_init,
+ .add = uncore_pmu_event_add,
+ .del = uncore_pmu_event_del,
+diff --git a/arch/x86/events/intel/uncore.h b/arch/x86/events/intel/uncore.h
+index 42fa3974c421c..40e040ec31b50 100644
+--- a/arch/x86/events/intel/uncore.h
++++ b/arch/x86/events/intel/uncore.h
+@@ -412,18 +412,6 @@ static inline int uncore_freerunning_hw_config(struct intel_uncore_box *box,
+ return -EINVAL;
+ }
+
+-static inline void uncore_disable_box(struct intel_uncore_box *box)
+-{
+- if (box->pmu->type->ops->disable_box)
+- box->pmu->type->ops->disable_box(box);
+-}
+-
+-static inline void uncore_enable_box(struct intel_uncore_box *box)
+-{
+- if (box->pmu->type->ops->enable_box)
+- box->pmu->type->ops->enable_box(box);
+-}
+-
+ static inline void uncore_disable_event(struct intel_uncore_box *box,
+ struct perf_event *event)
+ {
+--
+2.20.1
+
--- /dev/null
+From 68d0066cbe41f4e53305e29b5c4fc591cde2dbe2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2019 11:08:42 +0200
+Subject: pinctrl: cherryview: Fix irq_valid_mask calculation
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 63bdef6cd6941917c823b9cc9aa0219d19fcb716 ]
+
+Commit 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux
+GPIO translation") has made the cherryview gpio numbers sparse, to get
+a 1:1 mapping between ACPI pin numbers and gpio numbers in Linux.
+
+This has greatly simplified things, but the code setting the
+irq_valid_mask was not updated for this, so the valid mask is still in
+the old "compressed" numbering with the gaps in the pin numbers skipped,
+which is wrong as irq_valid_mask needs to be expressed in gpio numbers.
+
+This results in the following error on devices using pin 24 (0x0018) on
+the north GPIO controller as an ACPI event source:
+
+[ 0.422452] cherryview-pinctrl INT33FF:01: Failed to translate GPIO to IRQ
+
+This has been reported (by email) to be happening on a Caterpillar CAT T20
+tablet and I've reproduced this myself on a Medion Akoya e2215t 2-in-1.
+
+This commit uses the pin number instead of the compressed index into
+community->pins to clear the correct bits in irq_valid_mask for GPIOs
+using GPEs for interrupts, fixing these errors and in case of the
+Medion Akoya e2215t also fixing the LID switch not working.
+
+Cc: stable@vger.kernel.org
+Fixes: 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
+index 227646eb817c8..9eab508395814 100644
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1595,7 +1595,7 @@ static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq)
+ intsel >>= CHV_PADCTRL0_INTSEL_SHIFT;
+
+ if (need_valid_mask && intsel >= community->nirqs)
+- clear_bit(i, chip->irq.valid_mask);
++ clear_bit(desc->number, chip->irq.valid_mask);
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 6b798b9ceef4f26e10cca65b9c38c01ca11d11c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2019 12:51:04 +0300
+Subject: pinctrl: intel: Avoid potential glitches if pin is in GPIO mode
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 29c2c6aa32405dfee4a29911a51ba133edcedb0f ]
+
+When consumer requests a pin, in order to be on the safest side,
+we switch it first to GPIO mode followed by immediate transition
+to the input state. Due to posted writes it's luckily to be a single
+I/O transaction.
+
+However, if firmware or boot loader already configures the pin
+to the GPIO mode, user expects no glitches for the requested pin.
+We may check if the pin is pre-configured and leave it as is
+till the actual consumer toggles its state to avoid glitches.
+
+Fixes: 7981c0015af2 ("pinctrl: intel: Add Intel Sunrisepoint pin controller and GPIO support")
+Depends-on: f5a26acf0162 ("pinctrl: intel: Initialize GPIO properly when used through irqchip")
+Cc: stable@vger.kernel.org
+Cc: fei.yang@intel.com
+Reported-by: Oliver Barta <oliver.barta@aptiv.com>
+Reported-by: Malin Jonsson <malin.jonsson@ericsson.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index 1ea3438ea67e9..89ff2795a8b55 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -49,6 +49,7 @@
+ #define PADCFG0_GPIROUTNMI BIT(17)
+ #define PADCFG0_PMODE_SHIFT 10
+ #define PADCFG0_PMODE_MASK (0xf << PADCFG0_PMODE_SHIFT)
++#define PADCFG0_PMODE_GPIO 0
+ #define PADCFG0_GPIORXDIS BIT(9)
+ #define PADCFG0_GPIOTXDIS BIT(8)
+ #define PADCFG0_GPIORXSTATE BIT(1)
+@@ -301,7 +302,7 @@ static void intel_pin_dbg_show(struct pinctrl_dev *pctldev, struct seq_file *s,
+ cfg1 = readl(intel_get_padcfg(pctrl, pin, PADCFG1));
+
+ mode = (cfg0 & PADCFG0_PMODE_MASK) >> PADCFG0_PMODE_SHIFT;
+- if (!mode)
++ if (mode == PADCFG0_PMODE_GPIO)
+ seq_puts(s, "GPIO ");
+ else
+ seq_printf(s, "mode %d ", mode);
+@@ -422,6 +423,11 @@ static void __intel_gpio_set_direction(void __iomem *padcfg0, bool input)
+ writel(value, padcfg0);
+ }
+
++static int intel_gpio_get_gpio_mode(void __iomem *padcfg0)
++{
++ return (readl(padcfg0) & PADCFG0_PMODE_MASK) >> PADCFG0_PMODE_SHIFT;
++}
++
+ static void intel_gpio_set_gpio_mode(void __iomem *padcfg0)
+ {
+ u32 value;
+@@ -450,7 +456,20 @@ static int intel_gpio_request_enable(struct pinctrl_dev *pctldev,
+ }
+
+ padcfg0 = intel_get_padcfg(pctrl, pin, PADCFG0);
++
++ /*
++ * If pin is already configured in GPIO mode, we assume that
++ * firmware provides correct settings. In such case we avoid
++ * potential glitches on the pin. Otherwise, for the pin in
++ * alternative mode, consumer has to supply respective flags.
++ */
++ if (intel_gpio_get_gpio_mode(padcfg0) == PADCFG0_PMODE_GPIO) {
++ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ return 0;
++ }
++
+ intel_gpio_set_gpio_mode(padcfg0);
++
+ /* Disable TX buffer and enable RX (this will be input) */
+ __intel_gpio_set_direction(padcfg0, true);
+
+--
+2.20.1
+
--- /dev/null
+From 43e0cf6a4d9b3359b1180a8ad41f8bd4766a6a12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2019 14:56:35 +0800
+Subject: RDMA/hns: Prevent memory leaks of eq->buf_list
+
+From: Lijun Ou <oulijun@huawei.com>
+
+[ Upstream commit b681a0529968d2261aa15d7a1e78801b2c06bb07 ]
+
+eq->buf_list->buf and eq->buf_list should also be freed when eqe_hop_num
+is set to 0, or there will be memory leaks.
+
+Fixes: a5073d6054f7 ("RDMA/hns: Add eq support of hip08")
+Link: https://lore.kernel.org/r/1572072995-11277-3-git-send-email-liweihang@hisilicon.com
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Weihang Li <liweihang@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index a442b29e76119..cf878e1b71fc1 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -4572,9 +4572,9 @@ static void hns_roce_v2_free_eq(struct hns_roce_dev *hr_dev,
+ return;
+ }
+
+- if (eq->buf_list)
+- dma_free_coherent(hr_dev->dev, buf_chk_sz,
+- eq->buf_list->buf, eq->buf_list->map);
++ dma_free_coherent(hr_dev->dev, buf_chk_sz, eq->buf_list->buf,
++ eq->buf_list->map);
++ kfree(eq->buf_list);
+ }
+
+ static void hns_roce_config_eqc(struct hns_roce_dev *hr_dev,
+--
+2.20.1
+
--- /dev/null
+From 5324d08c2553842faab2df7b15edb8c1a5035e48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 18:04:40 +0530
+Subject: RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case
+
+From: Potnuri Bharat Teja <bharat@chelsio.com>
+
+[ Upstream commit d4934f45693651ea15357dd6c7c36be28b6da884 ]
+
+_put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by
+process_work(). fix double free by freeing the skb only in process_work().
+
+Fixes: 1dad0ebeea1c ("iw_cxgb4: Avoid touch after free error in ARP failure handlers")
+Link: https://lore.kernel.org/r/1572006880-5800-1-git-send-email-bharat@chelsio.com
+Signed-off-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index 566bfcc6add0d..a5ff1f0f2073e 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -493,7 +493,6 @@ static int _put_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb)
+
+ ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *)));
+ release_ep_resources(ep);
+- kfree_skb(skb);
+ return 0;
+ }
+
+@@ -504,7 +503,6 @@ static int _put_pass_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb)
+ ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *)));
+ c4iw_put_ep(&ep->parent_ep->com);
+ release_ep_resources(ep);
+- kfree_skb(skb);
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 4b486d68d42c22fc2cc6bedeb7cc7eb4b728bf1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 15:02:43 +0300
+Subject: RDMA/mlx5: Clear old rate limit when closing QP
+
+From: Rafi Wiener <rafiw@mellanox.com>
+
+[ Upstream commit c8973df2da677f375f8b12b6eefca2f44c8884d5 ]
+
+Before QP is closed it changes to ERROR state, when this happens
+the QP was left with old rate limit that was already removed from
+the table.
+
+Fixes: 7d29f349a4b9 ("IB/mlx5: Properly adjust rate limit on QP state transitions")
+Signed-off-by: Rafi Wiener <rafiw@mellanox.com>
+Signed-off-by: Oleg Kuporosov <olegk@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20191002120243.16971-1-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index 77b1f3fd086ad..900f85ce0fb08 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -2828,10 +2828,12 @@ static int modify_raw_packet_qp_sq(struct mlx5_core_dev *dev,
+ }
+
+ /* Only remove the old rate after new rate was set */
+- if ((old_rl.rate &&
+- !mlx5_rl_are_equal(&old_rl, &new_rl)) ||
+- (new_state != MLX5_SQC_STATE_RDY))
++ if ((old_rl.rate && !mlx5_rl_are_equal(&old_rl, &new_rl)) ||
++ (new_state != MLX5_SQC_STATE_RDY)) {
+ mlx5_rl_remove_rate(dev, &old_rl);
++ if (new_state != MLX5_SQC_STATE_RDY)
++ memset(&new_rl, 0, sizeof(new_rl));
++ }
+
+ ibqp->rl = new_rl;
+ sq->state = new_state;
+--
+2.20.1
+
--- /dev/null
+From b5abb321ee8230441a9f6de5ccf16cd76a7b69b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2019 00:07:30 +0300
+Subject: RDMA/qedr: Fix reported firmware version
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit b806c94ee44e53233b8ce6c92d9078d9781786a5 ]
+
+Remove spaces from the reported firmware version string.
+Actual value:
+$ cat /sys/class/infiniband/qedr0/fw_ver
+8. 37. 7. 0
+
+Expected value:
+$ cat /sys/class/infiniband/qedr0/fw_ver
+8.37.7.0
+
+Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init")
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Acked-by: Michal Kalderon <michal.kalderon@marvell.com>
+Link: https://lore.kernel.org/r/20191007210730.7173-1-kamalheib1@gmail.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/qedr/main.c b/drivers/infiniband/hw/qedr/main.c
+index a0af6d424aeda..d1680d3b58250 100644
+--- a/drivers/infiniband/hw/qedr/main.c
++++ b/drivers/infiniband/hw/qedr/main.c
+@@ -77,7 +77,7 @@ static void qedr_get_dev_fw_str(struct ib_device *ibdev, char *str)
+ struct qedr_dev *qedr = get_qedr_dev(ibdev);
+ u32 fw_ver = (u32)qedr->attr.fw_ver;
+
+- snprintf(str, IB_FW_VERSION_NAME_MAX, "%d. %d. %d. %d",
++ snprintf(str, IB_FW_VERSION_NAME_MAX, "%d.%d.%d.%d",
+ (fw_ver >> 24) & 0xFF, (fw_ver >> 16) & 0xFF,
+ (fw_ver >> 8) & 0xFF, fw_ver & 0xFF);
+ }
+--
+2.20.1
+
--- /dev/null
+From d6e3feabda936f77daba10521989d8cbb61a7ef7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2019 16:34:19 +0300
+Subject: RDMA/uverbs: Prevent potential underflow
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a9018adfde809d44e71189b984fa61cc89682b5e ]
+
+The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the
+UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function. We check that:
+
+ if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) {
+
+But we don't check if "attr.comp_vector" is negative. It could
+potentially lead to an array underflow. My concern would be where
+cq->vector is used in the create_cq() function from the cxgb4 driver.
+
+And really "attr.comp_vector" is appears as a u32 to user space so that's
+the right type to use.
+
+Fixes: 9ee79fce3642 ("IB/core: Add completion queue (cq) object actions")
+Link: https://lore.kernel.org/r/20191011133419.GA22905@mwanda
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/uverbs.h | 2 +-
+ include/rdma/ib_verbs.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/uverbs.h b/drivers/infiniband/core/uverbs.h
+index 5df8e548cc146..4a14de2d8c716 100644
+--- a/drivers/infiniband/core/uverbs.h
++++ b/drivers/infiniband/core/uverbs.h
+@@ -98,7 +98,7 @@ ib_uverbs_init_udata_buf_or_null(struct ib_udata *udata,
+
+ struct ib_uverbs_device {
+ atomic_t refcount;
+- int num_comp_vectors;
++ u32 num_comp_vectors;
+ struct completion comp;
+ struct device *dev;
+ struct ib_device __rcu *ib_dev;
+diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
+index b7d63c3970d18..f3d475024d376 100644
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -310,7 +310,7 @@ struct ib_tm_caps {
+
+ struct ib_cq_init_attr {
+ unsigned int cqe;
+- int comp_vector;
++ u32 comp_vector;
+ u32 flags;
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 53b37f7594e4e162560ea311b1bf0b5ad81afa9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2019 09:21:12 +0200
+Subject: scsi: lpfc: Honor module parameter lpfc_use_adisc
+
+From: Daniel Wagner <dwagner@suse.de>
+
+[ Upstream commit 0fd103ccfe6a06e40e2d9d8c91d96332cc9e1239 ]
+
+The initial lpfc_desc_set_adisc implementation in commit
+dea3101e0a5c ("lpfc: add Emulex FC driver version 8.0.28") enabled ADISC if
+
+ cfg_use_adisc && RSCN_MODE && FCP_2_DEVICE
+
+In commit 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of
+SLI-3") this changed to
+
+ (cfg_use_adisc && RSC_MODE) || FCP_2_DEVICE
+
+and later in commit ffc954936b13 ("[SCSI] lpfc 8.3.13: FC Discovery Fixes
+and enhancements.") to
+
+ (cfg_use_adisc && RSC_MODE) || (FCP_2_DEVICE && FCP_TARGET)
+
+A customer reports that after a devloss, an ADISC failure is logged. It
+turns out the ADISC flag is set even the user explicitly set lpfc_use_adisc
+= 0.
+
+[Sat Dec 22 22:55:58 2018] lpfc 0000:82:00.0: 2:(0):0203 Devloss timeout on WWPN 50:01:43:80:12:8e:40:20 NPort x05df00 Data: x82000000 x8 xa
+[Sat Dec 22 23:08:20 2018] lpfc 0000:82:00.0: 2:(0):2755 ADISC failure DID:05DF00 Status:x9/x70000
+
+[mkp: fixed Hannes' email]
+
+Fixes: 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of SLI-3")
+Cc: Dick Kennedy <dick.kennedy@broadcom.com>
+Cc: James Smart <james.smart@broadcom.com>
+Link: https://lore.kernel.org/r/20191022072112.132268-1-dwagner@suse.de
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Daniel Wagner <dwagner@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index a6619fd8238c1..ae6301c796785 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -844,9 +844,9 @@ lpfc_disc_set_adisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
+
+ if (!(vport->fc_flag & FC_PT2PT)) {
+ /* Check config parameter use-adisc or FCP-2 */
+- if ((vport->cfg_use_adisc && (vport->fc_flag & FC_RSCN_MODE)) ||
++ if (vport->cfg_use_adisc && ((vport->fc_flag & FC_RSCN_MODE) ||
+ ((ndlp->nlp_fcp_info & NLP_FCP_2_DEVICE) &&
+- (ndlp->nlp_type & NLP_FCP_TARGET))) {
++ (ndlp->nlp_type & NLP_FCP_TARGET)))) {
+ spin_lock_irq(shost->host_lock);
+ ndlp->nlp_flag |= NLP_NPR_ADISC;
+ spin_unlock_irq(shost->host_lock);
+--
+2.20.1
+
--- /dev/null
+From 3969af685d44fc3956b91b99f5cbac2285736f5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2019 16:04:58 +0200
+Subject: scsi: qla2xxx: fixup incorrect usage of host_byte
+
+From: Hannes Reinecke <hare@suse.com>
+
+[ Upstream commit 66cf50e65b183c863825f5c28a818e3f47a72e40 ]
+
+DRIVER_ERROR is a a driver byte setting, not a host byte. The qla2xxx
+driver should rather return DID_ERROR here to be in line with the other
+drivers.
+
+Link: https://lore.kernel.org/r/20191018140458.108278-1-hare@suse.de
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
+index 4a9fd8d944d60..85b03a7f473c1 100644
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -258,7 +258,7 @@ qla2x00_process_els(struct bsg_job *bsg_job)
+ srb_t *sp;
+ const char *type;
+ int req_sg_cnt, rsp_sg_cnt;
+- int rval = (DRIVER_ERROR << 16);
++ int rval = (DID_ERROR << 16);
+ uint16_t nextlid = 0;
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+@@ -433,7 +433,7 @@ qla2x00_process_ct(struct bsg_job *bsg_job)
+ struct Scsi_Host *host = fc_bsg_to_shost(bsg_job);
+ scsi_qla_host_t *vha = shost_priv(host);
+ struct qla_hw_data *ha = vha->hw;
+- int rval = (DRIVER_ERROR << 16);
++ int rval = (DID_ERROR << 16);
+ int req_sg_cnt, rsp_sg_cnt;
+ uint16_t loop_id;
+ struct fc_port *fcport;
+@@ -1948,7 +1948,7 @@ qlafx00_mgmt_cmd(struct bsg_job *bsg_job)
+ struct Scsi_Host *host = fc_bsg_to_shost(bsg_job);
+ scsi_qla_host_t *vha = shost_priv(host);
+ struct qla_hw_data *ha = vha->hw;
+- int rval = (DRIVER_ERROR << 16);
++ int rval = (DID_ERROR << 16);
+ struct qla_mt_iocb_rqst_fx00 *piocb_rqst;
+ srb_t *sp;
+ int req_sg_cnt = 0, rsp_sg_cnt = 0;
+--
+2.20.1
+
--- /dev/null
+From accf966707a464d77d669e5efc312a31917c3401 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2019 12:36:42 -0700
+Subject: scsi: qla2xxx: Initialized mailbox to prevent driver load failure
+
+From: Himanshu Madhani <hmadhani@marvell.com>
+
+[ Upstream commit c2ff2a36eff60efb5e123c940115216d6bf65684 ]
+
+This patch fixes issue with Gen7 adapter in a blade environment where one
+of the ports will not be detected by driver. Firmware expects mailbox 11 to
+be set or cleared by driver for newer ISP.
+
+Following message is seen in the log file:
+
+[ 18.810892] qla2xxx [0000:d8:00.0]-1820:1: **** Failed=102 mb[0]=4005 mb[1]=37 mb[2]=20 mb[3]=8
+[ 18.819596] cmd=2 ****
+
+[mkp: typos]
+
+Link: https://lore.kernel.org/r/20191022193643.7076-2-hmadhani@marvell.com
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 84f57f075455e..128fcff24f1be 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -684,6 +684,7 @@ qla2x00_execute_fw(scsi_qla_host_t *vha, uint32_t risc_addr)
+ mcp->mb[2] = LSW(risc_addr);
+ mcp->mb[3] = 0;
+ mcp->mb[4] = 0;
++ mcp->mb[11] = 0;
+ ha->flags.using_lr_setting = 0;
+ if (IS_QLA25XX(ha) || IS_QLA81XX(ha) || IS_QLA83XX(ha) ||
+ IS_QLA27XX(ha)) {
+@@ -727,7 +728,7 @@ qla2x00_execute_fw(scsi_qla_host_t *vha, uint32_t risc_addr)
+ if (ha->flags.exchoffld_enabled)
+ mcp->mb[4] |= ENABLE_EXCHANGE_OFFLD;
+
+- mcp->out_mb |= MBX_4|MBX_3|MBX_2|MBX_1;
++ mcp->out_mb |= MBX_4 | MBX_3 | MBX_2 | MBX_1 | MBX_11;
+ mcp->in_mb |= MBX_3 | MBX_2 | MBX_1;
+ } else {
+ mcp->mb[1] = LSW(risc_addr);
+--
+2.20.1
+
--- /dev/null
+From 32414ded4b4a3a6e6f0771fbcd5908eab24f23ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 16:38:04 +1000
+Subject: scsi: qla2xxx: stop timer in shutdown path
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit d3566abb1a1e7772116e4d50fb6a58d19c9802e5 ]
+
+In shutdown/reboot paths, the timer is not stopped:
+
+ qla2x00_shutdown
+ pci_device_shutdown
+ device_shutdown
+ kernel_restart_prepare
+ kernel_restart
+ sys_reboot
+
+This causes lockups (on powerpc) when firmware config space access calls
+are interrupted by smp_send_stop later in reboot.
+
+Fixes: e30d1756480dc ("[SCSI] qla2xxx: Addition of shutdown callback handler.")
+Link: https://lore.kernel.org/r/20191024063804.14538-1-npiggin@gmail.com
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 856a7ceb9a041..18ee614fe07f5 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3496,6 +3496,10 @@ qla2x00_shutdown(struct pci_dev *pdev)
+ qla2x00_try_to_stop_firmware(vha);
+ }
+
++ /* Disable timer */
++ if (vha->timer_active)
++ qla2x00_stop_timer(vha);
++
+ /* Turn adapter off line */
+ vha->flags.online = 0;
+
+--
+2.20.1
+
usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch
usbip-implement-sg-support-to-vhci-hcd-and-stub-driver.patch
pci-tegra-enable-relaxed-ordering-only-for-tegra20-tegra30.patch
+hid-google-add-magnemite-masterball-usb-ids.patch
+dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch
+dmaengine-sprd-fix-the-possible-memory-leak-issue.patch
+hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch
+rdma-mlx5-clear-old-rate-limit-when-closing-qp.patch
+iw_cxgb4-fix-ecn-check-on-the-passive-accept.patch
+rdma-qedr-fix-reported-firmware-version.patch
+net-mlx5e-tx-fix-consumer-index-of-error-cqe-dump.patch
+net-mlx5-prevent-memory-leak-in-mlx5_fpga_conn_creat.patch
+scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch
+rdma-uverbs-prevent-potential-underflow.patch
+net-openvswitch-free-vport-unless-register_netdevice.patch
+scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch
+scsi-qla2xxx-initialized-mailbox-to-prevent-driver-l.patch
+netfilter-nf_flow_table-set-timeout-before-insertion.patch
+ipvs-don-t-ignore-errors-in-case-refcounting-ip_vs-m.patch
+ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch
+bonding-fix-unexpected-iff_bonding-bit-unset.patch
+macsec-fix-refcnt-leak-in-module-exit-routine.patch
+usb-fsl-check-memory-resource-before-releasing-it.patch
+usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch
+usb-gadget-composite-fix-possible-double-free-memory.patch
+usb-dwc3-pci-prevent-memory-leak-in-dwc3_pci_probe.patch
+usb-gadget-configfs-fix-concurrent-issue-between-com.patch
+usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch
+perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch
+perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch
+perf-x86-uncore-fix-event-group-support.patch
+usb-skip-endpoints-with-0-maxpacket-length.patch
+usb-ldusb-use-unsigned-size-format-specifiers.patch
+usbip-tools-fix-read_usb_vudc_device-error-path-hand.patch
+rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch
+rdma-hns-prevent-memory-leaks-of-eq-buf_list.patch
+scsi-qla2xxx-stop-timer-in-shutdown-path.patch
+nvme-multipath-fix-possible-io-hang-after-ctrl-recon.patch
+fjes-handle-workqueue-allocation-failure.patch
+net-hisilicon-fix-trying-to-free-already-free-irq.patch
+net-mscc-ocelot-fix-vlan_filtering-when-enslaving-to.patch
+net-mscc-ocelot-refuse-to-overwrite-the-port-s-nativ.patch
+iommu-amd-apply-the-same-ivrs-ioapic-workaround-to-a.patch
+drm-amdgpu-if-amdgpu_ib_schedule-fails-return-back-t.patch
+drm-amd-display-passive-dp-hdmi-dongle-detection-fix.patch
+hv_netvsc-fix-error-handling-in-netvsc_attach.patch
+usb-dwc3-gadget-fix-race-when-disabling-ep-with-canc.patch
+nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch
+net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch
+igb-fix-constant-media-auto-sense-switching-when-no-.patch
+e1000-fix-memory-leaks.patch
+pinctrl-intel-avoid-potential-glitches-if-pin-is-in-.patch
+ocfs2-protect-extent-tree-in-ocfs2_prepare_inode_for.patch
+pinctrl-cherryview-fix-irq_valid_mask-calculation.patch
+blkcg-make-blkcg_print_stat-print-stats-only-for-onl.patch
+iio-imu-mpu6050-add-support-for-the-icm-20602-imu.patch
+iio-imu-inv_mpu6050-fix-no-data-on-mpu6050.patch
--- /dev/null
+From 71af093daf010face06393b6fea0086eb9a1f064 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 11:07:13 +0200
+Subject: usb: dwc3: gadget: fix race when disabling ep with cancelled xfers
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+[ Upstream commit d8eca64eec7103ab1fbabc0a187dbf6acfb2af93 ]
+
+When disabling an endpoint which has cancelled requests, we should
+make sure to giveback requests that are currently pending in the
+cancelled list, otherwise we may fall into a situation where command
+completion interrupt fires after endpoint has been disabled, therefore
+causing a splat.
+
+Fixes: fec9095bdef4 "usb: dwc3: gadget: remove wait_end_transfer"
+Reported-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Link: https://lore.kernel.org/r/20191031090713.1452818-1-felipe.balbi@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 54de732550648..8398c33d08e7c 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -698,6 +698,12 @@ static void dwc3_remove_requests(struct dwc3 *dwc, struct dwc3_ep *dep)
+
+ dwc3_gadget_giveback(dep, req, -ESHUTDOWN);
+ }
++
++ while (!list_empty(&dep->cancelled_list)) {
++ req = next_request(&dep->cancelled_list);
++
++ dwc3_gadget_giveback(dep, req, -ESHUTDOWN);
++ }
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 634e9b513a8dc99132035d2b9bbf93ae86b75941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Sep 2019 21:41:45 -0500
+Subject: usb: dwc3: pci: prevent memory leak in dwc3_pci_probe
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 9bbfceea12a8f145097a27d7c7267af25893c060 ]
+
+In dwc3_pci_probe a call to platform_device_alloc allocates a device
+which is correctly put in case of error except one case: when the call to
+platform_device_add_properties fails it directly returns instead of
+going to error handling. This commit replaces return with the goto.
+
+Fixes: 1a7b12f69a94 ("usb: dwc3: pci: Supply device properties via driver data")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
+index 8cced3609e243..b4e42d597211a 100644
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -256,7 +256,7 @@ static int dwc3_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+
+ ret = platform_device_add_properties(dwc->dwc3, p);
+ if (ret < 0)
+- return ret;
++ goto err;
+
+ ret = dwc3_pci_quirks(dwc);
+ if (ret)
+--
+2.20.1
+
--- /dev/null
+From 120bbbd40b8719682a59171b7b281efd891d3b4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2019 14:46:07 +0800
+Subject: usb: dwc3: remove the call trace of USBx_GFLADJ
+
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+
+[ Upstream commit a7d9874c6f3fbc8d25cd9ceba35b6822612c4ebf ]
+
+layerscape board sometimes reported some usb call trace, that is due to
+kernel sent LPM tokerns automatically when it has no pending transfers
+and think that the link is idle enough to enter L1, which procedure will
+ask usb register has a recovery,then kernel will compare USBx_GFLADJ and
+set GFLADJ_30MHZ, GFLADJ_30MHZ_REG until GFLADJ_30MHZ is equal 0x20, if
+the conditions were met then issue occur, but whatever the conditions
+whether were met that usb is all need keep GFLADJ_30MHZ of value is 0x20
+(xhci spec ask use GFLADJ_30MHZ to adjust any offset from clock source
+that generates the clock that drives the SOF counter, 0x20 is default
+value of it)That is normal logic, so need remove the call trace.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 05b9ccff7447a..aca7e7fa5e47d 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -299,8 +299,7 @@ static void dwc3_frame_length_adjustment(struct dwc3 *dwc)
+
+ reg = dwc3_readl(dwc->regs, DWC3_GFLADJ);
+ dft = reg & DWC3_GFLADJ_30MHZ_MASK;
+- if (!dev_WARN_ONCE(dwc->dev, dft == dwc->fladj,
+- "request value same as default, ignoring\n")) {
++ if (dft != dwc->fladj) {
+ reg &= ~DWC3_GFLADJ_30MHZ_MASK;
+ reg |= DWC3_GFLADJ_30MHZ_SDBND_SEL | dwc->fladj;
+ dwc3_writel(dwc->regs, DWC3_GFLADJ, reg);
+--
+2.20.1
+
--- /dev/null
+From a4c7dc8eb7df880594567ace625b602cd83566a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 18:21:51 +0800
+Subject: usb: fsl: Check memory resource before releasing it
+
+From: Nikhil Badola <nikhil.badola@freescale.com>
+
+[ Upstream commit bc1e3a2dd0c9954fd956ac43ca2876bbea018c01 ]
+
+Check memory resource existence before releasing it to avoid NULL
+pointer dereference
+
+Signed-off-by: Nikhil Badola <nikhil.badola@freescale.com>
+Reviewed-by: Ran Wang <ran.wang_1@nxp.com>
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
+index be59309e848c3..d44b26d5b2a2c 100644
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -2552,7 +2552,7 @@ static int fsl_udc_remove(struct platform_device *pdev)
+ dma_pool_destroy(udc_controller->td_pool);
+ free_irq(udc_controller->irq, udc_controller);
+ iounmap(dr_regs);
+- if (pdata->operating_mode == FSL_USB2_DR_DEVICE)
++ if (res && (pdata->operating_mode == FSL_USB2_DR_DEVICE))
+ release_mem_region(res->start, resource_size(res));
+
+ /* free udc --wait for the release() finished */
+--
+2.20.1
+
--- /dev/null
+From 1a2a93f9cc0cafe35317911614e6a0d117a76d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 13:16:48 +0530
+Subject: usb: gadget: composite: Fix possible double free memory bug
+
+From: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
+
+[ Upstream commit 1c20c89b0421b52b2417bb0f62a611bc669eda1d ]
+
+composite_dev_cleanup call from the failure of configfs_composite_bind
+frees up the cdev->os_desc_req and cdev->req. If the previous calls of
+bind and unbind is successful these will carry stale values.
+
+Consider the below sequence of function calls:
+configfs_composite_bind()
+ composite_dev_prepare()
+ - Allocate cdev->req, cdev->req->buf
+ composite_os_desc_req_prepare()
+ - Allocate cdev->os_desc_req, cdev->os_desc_req->buf
+configfs_composite_unbind()
+ composite_dev_cleanup()
+ - free the cdev->os_desc_req->buf and cdev->req->buf
+Next composition switch
+configfs_composite_bind()
+ - If it fails goto err_comp_cleanup will call the
+ composite_dev_cleanup() function
+ composite_dev_cleanup()
+ - calls kfree up with the stale values of cdev->req->buf and
+ cdev->os_desc_req from the previous configfs_composite_bind
+ call. The free call on these stale values leads to double free.
+
+Hence, Fix this issue by setting request and buffer pointer to NULL after
+kfree.
+
+Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index dfcabadeed01b..33115e19756c6 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2156,14 +2156,18 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev)
+ usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req);
+
+ kfree(cdev->os_desc_req->buf);
++ cdev->os_desc_req->buf = NULL;
+ usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req);
++ cdev->os_desc_req = NULL;
+ }
+ if (cdev->req) {
+ if (cdev->setup_pending)
+ usb_ep_dequeue(cdev->gadget->ep0, cdev->req);
+
+ kfree(cdev->req->buf);
++ cdev->req->buf = NULL;
+ usb_ep_free_request(cdev->gadget->ep0, cdev->req);
++ cdev->req = NULL;
+ }
+ cdev->next_string_id = 0;
+ device_remove_file(&cdev->gadget->dev, &dev_attr_suspended);
+--
+2.20.1
+
--- /dev/null
+From c1dca3f0776143c4bffdff296b1c6a095b222525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2019 15:10:55 -0400
+Subject: usb: gadget: configfs: fix concurrent issue between composite APIs
+
+From: Peter Chen <peter.chen@nxp.com>
+
+[ Upstream commit 1a1c851bbd706ea9f3a9756c2d3db28523506d3b ]
+
+We meet several NULL pointer issues if configfs_composite_unbind
+and composite_setup (or composite_disconnect) are running together.
+These issues occur when do the function switch stress test, the
+configfs_compsoite_unbind is called from user mode by
+echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt
+or disconnect interrupt occurs by hardware. The composite_setup
+will get the cdev from get_gadget_data, but configfs_composite_unbind
+will set gadget data as NULL, so the NULL pointer issue occurs.
+This concurrent is hard to reproduce by native kernel, but can be
+reproduced by android kernel.
+
+In this commit, we introduce one spinlock belongs to structure
+gadget_info since we can't use the same spinlock in usb_composite_dev
+due to exclusive running together between composite_setup and
+configfs_composite_unbind. And one bit flag 'unbind' to indicate the
+code is at unbind routine, this bit is needed due to we release the
+lock at during configfs_composite_unbind sometimes, and composite_setup
+may be run at that time.
+
+Several oops:
+
+oops 1:
+android_work: sent uevent USB_STATE=CONNECTED
+configfs-gadget gadget: super-speed config #1: b
+android_work: sent uevent USB_STATE=CONFIGURED
+init: Received control message 'start' for 'adbd' from pid: 3515 (system_server)
+Unable to handle kernel NULL pointer dereference at virtual address 0000002a
+init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic)
+Mem abort info:
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+Data abort info:
+ ISV = 0, ISS = 0x00000004
+ CM = 0, WnR = 0
+user pgtable: 4k pages, 48-bit VAs, pgd = ffff8008f1b7f000
+[000000000000002a] *pgd=0000000000000000
+Internal error: Oops: 96000004 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16
+Hardware name: Freescale i.MX8QM MEK (DT)
+task: ffff8008f2a98000 task.stack: ffff00000b7b8000
+PC is at composite_setup+0x44/0x1508
+LR is at android_setup+0xb8/0x13c
+pc : [<ffff0000089ffb3c>] lr : [<ffff000008a032fc>] pstate: 800001c5
+sp : ffff00000b7bbb80
+x29: ffff00000b7bbb80 x28: ffff8008f2a3c010
+x27: 0000000000000001 x26: 0000000000000000 [1232/1897]
+audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64
+x25: 00000000ffffffa1 x24: ffff8008f2a3c010
+audit: rate limit exceeded
+x23: 0000000000000409 x22: ffff000009c8e000
+x21: ffff8008f7a8b428 x20: ffff00000afae000
+x19: ffff0000089ff000 x18: 0000000000000000
+x17: 0000000000000000 x16: ffff0000082b7c9c
+x15: 0000000000000000 x14: f1866f5b952aca46
+x13: e35502e30d44349c x12: 0000000000000008
+x11: 0000000000000008 x10: 0000000000000a30
+x9 : ffff00000b7bbd00 x8 : ffff8008f2a98a90
+x7 : ffff8008f27a9c90 x6 : 0000000000000001
+x5 : 0000000000000000 x4 : 0000000000000001
+x3 : 0000000000000000 x2 : 0000000000000006
+x1 : ffff0000089ff8d0 x0 : 732a010310b9ed00
+
+X7: 0xffff8008f27a9c10:
+9c10 00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040
+9c30 00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000
+9c50 00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078
+9c70 00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000
+9c90 00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008
+9cb0 f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001
+9cd0 870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000
+using random self ethernet address
+9cf0 019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000
+using random host ethernet address
+ 00000000
+
+X8: 0xffff8008f2a98a10:
+8a10 00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000
+8a30 eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000
+8a50 f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000
+8a70 fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000
+8a90 080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000
+8ab0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+8ad0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+8af0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+
+X21: 0xffff8008f7a8b3a8:
+b3a8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+b3c8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+b3e8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+b408 00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000
+b428 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+b448 0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003
+b468 e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008
+b488 f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000
+
+X24: 0xffff8008f2a3bf90:
+bf90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
+c010 00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
+c030 f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
+c050 f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
+c070 f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
+
+X28: 0xffff8008f2a3bf90:
+bf90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
+c010 00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
+c030 f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
+c050 f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
+c070 f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
+
+Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000)
+Call trace:
+Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80)
+ba40: 732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000
+ba60: 0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90
+ba80: ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008
+baa0: 0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000
+bac0: ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000
+bae0: ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409
+bb00: ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001
+bb20: ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80
+bb40: ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00
+bb60: ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c
+[<ffff0000089ffb3c>] composite_setup+0x44/0x1508
+[<ffff000008a032fc>] android_setup+0xb8/0x13c
+[<ffff0000089bd9a8>] cdns3_ep0_delegate_req+0x44/0x70
+[<ffff0000089bdff4>] cdns3_check_ep0_interrupt_proceed+0x33c/0x654
+[<ffff0000089bca44>] cdns3_device_thread_irq_handler+0x4b0/0x4bc
+[<ffff0000089b77b4>] cdns3_thread_irq+0x48/0x68
+[<ffff000008145bf0>] irq_thread_fn+0x28/0x88
+[<ffff000008145e38>] irq_thread+0x13c/0x228
+[<ffff0000080fed70>] kthread+0x104/0x130
+[<ffff000008085064>] ret_from_fork+0x10/0x18
+
+oops2:
+composite_disconnect: Calling disconnect on a Gadget that is not connected
+android_work: did not send uevent (0 0 (null))
+init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
+init: Sending signal 9 to service 'adbd' (pid 22343) process group...
+------------[ cut here ]------------
+audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64
+audit: rate limit exceeded
+WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88
+Modules linked in:
+CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16
+Hardware name: Freescale i.MX8QM MEK (DT)
+task: ffff8008f2349c00 task.stack: ffff00000b0a8000
+PC is at composite_disconnect+0x80/0x88
+LR is at composite_disconnect+0x80/0x88
+pc : [<ffff0000089ff9b0>] lr : [<ffff0000089ff9b0>] pstate: 600001c5
+sp : ffff000008003dd0
+x29: ffff000008003dd0 x28: ffff8008f2349c00
+x27: ffff000009885018 x26: ffff000008004000
+Timeout for IPC response!
+x25: ffff000009885018 x24: ffff000009c8e280
+x23: ffff8008f2d98010 x22: 00000000000001c0
+x21: ffff8008f2d98394 x20: ffff8008f2d98010
+x19: 0000000000000000 x18: 0000e3956f4f075a
+fxos8700 4-001e: i2c block read acc failed
+x17: 0000e395735727e8 x16: ffff00000829f4d4
+x15: ffffffffffffffff x14: 7463656e6e6f6320
+x13: 746f6e2009090920 x12: 7369207461687420
+x11: 7465676461472061 x10: 206e6f207463656e
+x9 : 6e6f637369642067 x8 : ffff000009c8e280
+x7 : ffff0000086ca6cc x6 : ffff000009f15e78
+x5 : 0000000000000000 x4 : 0000000000000000
+x3 : ffffffffffffffff x2 : c3f28b86000c3900
+x1 : c3f28b86000c3900 x0 : 000000000000004e
+
+X20: 0xffff8008f2d97f90:
+7f90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain
+7fd0
+Timeout for IPC response!
+ 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+using random self ethernet address
+7ff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
+8010 00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc
+using random host ethernet address
+ ffff0000
+8030 f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
+8050 f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
+8070 f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
+
+X21: 0xffff8008f2d98314:
+8314 ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+8334 00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000
+8354 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+8374 00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000
+8394 e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400
+Timeout for IPC response!
+83b4 ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018
+83d4 ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918
+83f4 ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000
+
+X23: 0xffff8008f2d97f90:
+7f90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7ff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
+8010 00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000
+8030 f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
+8050 f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
+8070 f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
+
+X28: 0xffff8008f2349b80:
+9b80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9ba0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9bc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9be0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9c00 00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000
+9c20 0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000
+9c40 00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008
+9c60 00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000
+
+Call trace:
+Exception stack(0xffff000008003c90 to 0xffff000008003dd0)
+3c80: 000000000000004e c3f28b86000c3900
+3ca0: c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000
+3cc0: ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067
+3ce0: 206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920
+3d00: 7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8
+3d20: 0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394
+3d40: 00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018
+3d60: ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0
+3d80: ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5
+3da0: ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000
+init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
+3dc0: ffff000008003dd0 ffff0000089ff9b0
+[<ffff0000089ff9b0>] composite_disconnect+0x80/0x88
+[<ffff000008a044d4>] android_disconnect+0x3c/0x68
+[<ffff0000089ba9f8>] cdns3_device_irq_handler+0xfc/0x2c8
+[<ffff0000089b84c0>] cdns3_irq+0x44/0x94
+[<ffff00000814494c>] __handle_irq_event_percpu+0x60/0x24c
+[<ffff000008144c0c>] handle_irq_event+0x58/0xc0
+[<ffff00000814873c>] handle_fasteoi_irq+0x98/0x180
+[<ffff000008143a10>] generic_handle_irq+0x24/0x38
+[<ffff000008144170>] __handle_domain_irq+0x60/0xac
+[<ffff0000080819c4>] gic_handle_irq+0xd4/0x17c
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/configfs.c | 110 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 105 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index 0251299428946..33852c2b29d1a 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -61,6 +61,8 @@ struct gadget_info {
+ bool use_os_desc;
+ char b_vendor_code;
+ char qw_sign[OS_STRING_QW_SIGN_LEN];
++ spinlock_t spinlock;
++ bool unbind;
+ };
+
+ static inline struct gadget_info *to_gadget_info(struct config_item *item)
+@@ -1244,6 +1246,7 @@ static int configfs_composite_bind(struct usb_gadget *gadget,
+ int ret;
+
+ /* the gi->lock is hold by the caller */
++ gi->unbind = 0;
+ cdev->gadget = gadget;
+ set_gadget_data(gadget, cdev);
+ ret = composite_dev_prepare(composite, cdev);
+@@ -1376,31 +1379,128 @@ static void configfs_composite_unbind(struct usb_gadget *gadget)
+ {
+ struct usb_composite_dev *cdev;
+ struct gadget_info *gi;
++ unsigned long flags;
+
+ /* the gi->lock is hold by the caller */
+
+ cdev = get_gadget_data(gadget);
+ gi = container_of(cdev, struct gadget_info, cdev);
++ spin_lock_irqsave(&gi->spinlock, flags);
++ gi->unbind = 1;
++ spin_unlock_irqrestore(&gi->spinlock, flags);
+
+ kfree(otg_desc[0]);
+ otg_desc[0] = NULL;
+ purge_configs_funcs(gi);
+ composite_dev_cleanup(cdev);
+ usb_ep_autoconfig_reset(cdev->gadget);
++ spin_lock_irqsave(&gi->spinlock, flags);
+ cdev->gadget = NULL;
+ set_gadget_data(gadget, NULL);
++ spin_unlock_irqrestore(&gi->spinlock, flags);
++}
++
++static int configfs_composite_setup(struct usb_gadget *gadget,
++ const struct usb_ctrlrequest *ctrl)
++{
++ struct usb_composite_dev *cdev;
++ struct gadget_info *gi;
++ unsigned long flags;
++ int ret;
++
++ cdev = get_gadget_data(gadget);
++ if (!cdev)
++ return 0;
++
++ gi = container_of(cdev, struct gadget_info, cdev);
++ spin_lock_irqsave(&gi->spinlock, flags);
++ cdev = get_gadget_data(gadget);
++ if (!cdev || gi->unbind) {
++ spin_unlock_irqrestore(&gi->spinlock, flags);
++ return 0;
++ }
++
++ ret = composite_setup(gadget, ctrl);
++ spin_unlock_irqrestore(&gi->spinlock, flags);
++ return ret;
++}
++
++static void configfs_composite_disconnect(struct usb_gadget *gadget)
++{
++ struct usb_composite_dev *cdev;
++ struct gadget_info *gi;
++ unsigned long flags;
++
++ cdev = get_gadget_data(gadget);
++ if (!cdev)
++ return;
++
++ gi = container_of(cdev, struct gadget_info, cdev);
++ spin_lock_irqsave(&gi->spinlock, flags);
++ cdev = get_gadget_data(gadget);
++ if (!cdev || gi->unbind) {
++ spin_unlock_irqrestore(&gi->spinlock, flags);
++ return;
++ }
++
++ composite_disconnect(gadget);
++ spin_unlock_irqrestore(&gi->spinlock, flags);
++}
++
++static void configfs_composite_suspend(struct usb_gadget *gadget)
++{
++ struct usb_composite_dev *cdev;
++ struct gadget_info *gi;
++ unsigned long flags;
++
++ cdev = get_gadget_data(gadget);
++ if (!cdev)
++ return;
++
++ gi = container_of(cdev, struct gadget_info, cdev);
++ spin_lock_irqsave(&gi->spinlock, flags);
++ cdev = get_gadget_data(gadget);
++ if (!cdev || gi->unbind) {
++ spin_unlock_irqrestore(&gi->spinlock, flags);
++ return;
++ }
++
++ composite_suspend(gadget);
++ spin_unlock_irqrestore(&gi->spinlock, flags);
++}
++
++static void configfs_composite_resume(struct usb_gadget *gadget)
++{
++ struct usb_composite_dev *cdev;
++ struct gadget_info *gi;
++ unsigned long flags;
++
++ cdev = get_gadget_data(gadget);
++ if (!cdev)
++ return;
++
++ gi = container_of(cdev, struct gadget_info, cdev);
++ spin_lock_irqsave(&gi->spinlock, flags);
++ cdev = get_gadget_data(gadget);
++ if (!cdev || gi->unbind) {
++ spin_unlock_irqrestore(&gi->spinlock, flags);
++ return;
++ }
++
++ composite_resume(gadget);
++ spin_unlock_irqrestore(&gi->spinlock, flags);
+ }
+
+ static const struct usb_gadget_driver configfs_driver_template = {
+ .bind = configfs_composite_bind,
+ .unbind = configfs_composite_unbind,
+
+- .setup = composite_setup,
+- .reset = composite_disconnect,
+- .disconnect = composite_disconnect,
++ .setup = configfs_composite_setup,
++ .reset = configfs_composite_disconnect,
++ .disconnect = configfs_composite_disconnect,
+
+- .suspend = composite_suspend,
+- .resume = composite_resume,
++ .suspend = configfs_composite_suspend,
++ .resume = configfs_composite_resume,
+
+ .max_speed = USB_SPEED_SUPER,
+ .driver = {
+--
+2.20.1
+
--- /dev/null
+From ff08688818d237a77e26ba0f0568019063b7bb40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2019 20:10:54 +0300
+Subject: usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode.
+
+From: Cristian Birsan <cristian.birsan@microchip.com>
+
+[ Upstream commit ba3a1a915c49cc3023e4ddfc88f21e7514e82aa4 ]
+
+Fix interrupt storm generated by endpoints when working in FIFO mode.
+The TX_COMPLETE interrupt is used only by control endpoints processing.
+Do not enable it for other types of endpoints.
+
+Fixes: 914a3f3b3754 ("USB: add atmel_usba_udc driver")
+Signed-off-by: Cristian Birsan <cristian.birsan@microchip.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/atmel_usba_udc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
+index 8f267be1745d8..a4ab230335786 100644
+--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
+@@ -436,9 +436,11 @@ static void submit_request(struct usba_ep *ep, struct usba_request *req)
+ next_fifo_transaction(ep, req);
+ if (req->last_transaction) {
+ usba_ep_writel(ep, CTL_DIS, USBA_TX_PK_RDY);
+- usba_ep_writel(ep, CTL_ENB, USBA_TX_COMPLETE);
++ if (ep_is_control(ep))
++ usba_ep_writel(ep, CTL_ENB, USBA_TX_COMPLETE);
+ } else {
+- usba_ep_writel(ep, CTL_DIS, USBA_TX_COMPLETE);
++ if (ep_is_control(ep))
++ usba_ep_writel(ep, CTL_DIS, USBA_TX_COMPLETE);
+ usba_ep_writel(ep, CTL_ENB, USBA_TX_PK_RDY);
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 639e78bb8b550a5be8f6227bfa87e2aed9c775d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2019 16:32:03 +0200
+Subject: USB: ldusb: use unsigned size format specifiers
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 88f6bf3846ee90bf33aa1ce848cd3bfb3229f4a4 ]
+
+A recent info-leak bug manifested itself along with warning about a
+negative buffer overflow:
+
+ ldusb 1-1:0.28: Read buffer overflow, -131383859965943 bytes dropped
+
+when it was really a rather large positive one.
+
+A sanity check that prevents this has now been put in place, but let's
+fix up the size format specifiers, which should all be unsigned.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191022143203.5260-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/ldusb.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/misc/ldusb.c b/drivers/usb/misc/ldusb.c
+index 320b06e0724b1..67c1b8f5d54d6 100644
+--- a/drivers/usb/misc/ldusb.c
++++ b/drivers/usb/misc/ldusb.c
+@@ -487,7 +487,7 @@ static ssize_t ld_usb_read(struct file *file, char __user *buffer, size_t count,
+ }
+ bytes_to_read = min(count, *actual_buffer);
+ if (bytes_to_read < *actual_buffer)
+- dev_warn(&dev->intf->dev, "Read buffer overflow, %zd bytes dropped\n",
++ dev_warn(&dev->intf->dev, "Read buffer overflow, %zu bytes dropped\n",
+ *actual_buffer-bytes_to_read);
+
+ /* copy one interrupt_in_buffer from ring_buffer into userspace */
+@@ -562,8 +562,9 @@ static ssize_t ld_usb_write(struct file *file, const char __user *buffer,
+ /* write the data into interrupt_out_buffer from userspace */
+ bytes_to_write = min(count, write_buffer_size*dev->interrupt_out_endpoint_size);
+ if (bytes_to_write < count)
+- dev_warn(&dev->intf->dev, "Write buffer overflow, %zd bytes dropped\n", count-bytes_to_write);
+- dev_dbg(&dev->intf->dev, "%s: count = %zd, bytes_to_write = %zd\n",
++ dev_warn(&dev->intf->dev, "Write buffer overflow, %zu bytes dropped\n",
++ count - bytes_to_write);
++ dev_dbg(&dev->intf->dev, "%s: count = %zu, bytes_to_write = %zu\n",
+ __func__, count, bytes_to_write);
+
+ if (copy_from_user(dev->interrupt_out_buffer, buffer, bytes_to_write)) {
+--
+2.20.1
+
--- /dev/null
+From 3927d11134796ccd3a4c11a52d71c5d16b8f6557 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Oct 2019 10:52:35 -0400
+Subject: USB: Skip endpoints with 0 maxpacket length
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+[ Upstream commit d482c7bb0541d19dea8bff437a9f3c5563b5b2d2 ]
+
+Endpoints with a maxpacket length of 0 are probably useless. They
+can't transfer any data, and it's not at all unlikely that an HCD will
+crash or hang when trying to handle an URB for such an endpoint.
+
+Currently the USB core does not check for endpoints having a maxpacket
+value of 0. This patch adds a check, printing a warning and skipping
+over any endpoints it catches.
+
+Now, the USB spec does not rule out endpoints having maxpacket = 0.
+But since they wouldn't have any practical use, there doesn't seem to
+be any good reason for us to accept them.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281050420.1485-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/config.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 921ad6998dec7..1eb72be75fb7b 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -348,6 +348,11 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
+
+ /* Validate the wMaxPacketSize field */
+ maxp = usb_endpoint_maxp(&endpoint->desc);
++ if (maxp == 0) {
++ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has wMaxPacketSize 0, skipping\n",
++ cfgno, inum, asnum, d->bEndpointAddress);
++ goto skip_to_next_endpoint_or_interface_descriptor;
++ }
+
+ /* Find the highest legal maxpacket size for this endpoint */
+ i = 0; /* additional transactions per microframe */
+--
+2.20.1
+
--- /dev/null
+From c6672746947e65e9e6d07e73bc294bae6e6c77e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2019 03:22:23 +0000
+Subject: usbip: tools: Fix read_usb_vudc_device() error path handling
+
+From: GwanYeong Kim <gy741.kim@gmail.com>
+
+[ Upstream commit 28df0642abbf6d66908a2858922a7e4b21cdd8c2 ]
+
+This isn't really accurate right. fread() doesn't always
+return 0 in error. It could return < number of elements
+and set errno.
+
+Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20191018032223.4644-1-gy741.kim@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/usb/usbip/libsrc/usbip_device_driver.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/usb/usbip/libsrc/usbip_device_driver.c b/tools/usb/usbip/libsrc/usbip_device_driver.c
+index ec3a0b794f159..67ae6c1557b8c 100644
+--- a/tools/usb/usbip/libsrc/usbip_device_driver.c
++++ b/tools/usb/usbip/libsrc/usbip_device_driver.c
+@@ -81,7 +81,7 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
+ FILE *fd = NULL;
+ struct udev_device *plat;
+ const char *speed;
+- int ret = 0;
++ size_t ret;
+
+ plat = udev_device_get_parent(sdev);
+ path = udev_device_get_syspath(plat);
+@@ -91,8 +91,10 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
+ if (!fd)
+ return -1;
+ ret = fread((char *) &descr, sizeof(descr), 1, fd);
+- if (ret < 0)
++ if (ret != 1) {
++ err("Cannot read vudc device descr file: %s", strerror(errno));
+ goto err;
++ }
+ fclose(fd);
+
+ copy_descr_attr(dev, &descr, bDeviceClass);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
