--- /dev/null
+From ec41c15dabef073629b696a8f7f2d3b81b324a27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 11:39:48 +0200
+Subject: ARM: dts: am437x-gp/epos-evm: fix panel compatible
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit c6b16761c6908d3dc167a0a566578b4b0b972905 ]
+
+The LCD panel on AM4 GP EVMs and ePOS boards seems to be
+osd070t1718-19ts. The current dts files say osd057T0559-34ts. Possibly
+the panel has changed since the early EVMs, or there has been a mistake
+with the panel type.
+
+Update the DT files accordingly.
+
+Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am437x-gp-evm.dts | 2 +-
+ arch/arm/boot/dts/am43x-epos-evm.dts | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am437x-gp-evm.dts b/arch/arm/boot/dts/am437x-gp-evm.dts
+index 5b97c20c5ed4..8a17eca2bc97 100644
+--- a/arch/arm/boot/dts/am437x-gp-evm.dts
++++ b/arch/arm/boot/dts/am437x-gp-evm.dts
+@@ -83,7 +83,7 @@
+ };
+
+ lcd0: display {
+- compatible = "osddisplays,osd057T0559-34ts", "panel-dpi";
++ compatible = "osddisplays,osd070t1718-19ts", "panel-dpi";
+ label = "lcd";
+
+ backlight = <&lcd_bl>;
+diff --git a/arch/arm/boot/dts/am43x-epos-evm.dts b/arch/arm/boot/dts/am43x-epos-evm.dts
+index 6502d3397653..12735cf9674b 100644
+--- a/arch/arm/boot/dts/am43x-epos-evm.dts
++++ b/arch/arm/boot/dts/am43x-epos-evm.dts
+@@ -45,7 +45,7 @@
+ };
+
+ lcd0: display {
+- compatible = "osddisplays,osd057T0559-34ts", "panel-dpi";
++ compatible = "osddisplays,osd070t1718-19ts", "panel-dpi";
+ label = "lcd";
+
+ backlight = <&lcd_bl>;
+--
+2.20.1
+
--- /dev/null
+From 7ab3cf94c9b92b9a4d58ba0337d3c1bc99c7d666 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2019 13:31:13 +0100
+Subject: ARM: dts: bcm283x: Fix critical trip point
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit 30e647a764d446723a7e0fb08d209e0104f16173 ]
+
+During definition of the CPU thermal zone of BCM283x SoC family there
+was a misunderstanding of the meaning "criticial trip point" and the
+thermal throttling range of the VideoCore firmware. The latter one takes
+effect when the core temperature is at least 85 degree celsius or higher
+
+So the current critical trip point doesn't make sense, because the
+thermal shutdown appears before the firmware has a chance to throttle
+the ARM core(s).
+
+Fix these unwanted shutdowns by increasing the critical trip point
+to a value which shouldn't be reached with working thermal throttling.
+
+Fixes: 0fe4d2181cc4 ("ARM: dts: bcm283x: Add CPU thermal zone with 1 trip point")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm283x.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm283x.dtsi b/arch/arm/boot/dts/bcm283x.dtsi
+index 31b29646b14c..c9322a56300d 100644
+--- a/arch/arm/boot/dts/bcm283x.dtsi
++++ b/arch/arm/boot/dts/bcm283x.dtsi
+@@ -39,7 +39,7 @@
+
+ trips {
+ cpu-crit {
+- temperature = <80000>;
++ temperature = <90000>;
+ hysteresis = <0>;
+ type = "critical";
+ };
+--
+2.20.1
+
--- /dev/null
+From 57ded4ffccfb3359b2cccce1812a39ecafef9b0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 16:01:20 -0800
+Subject: ARM: dts: BCM5301X: Fix MDIO node address/size cells
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 093c3f94e922d83a734fc4da08cc5814990f32c6 ]
+
+The MDIO node on BCM5301X had an reversed #address-cells and
+ #size-cells properties, correct those, silencing checker warnings:
+
+.../linux/arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dt.yaml: mdio@18003000: #address-cells:0:0: 1 was expected
+
+Reported-by: Simon Horman <simon.horman@netronome.com>
+Fixes: 23f1eca6d59b ("ARM: dts: BCM5301X: Specify MDIO bus in the DT")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm5301x.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index bc607d11eef8..a678fb7c9e3b 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -350,8 +350,8 @@
+ mdio: mdio@18003000 {
+ compatible = "brcm,iproc-mdio";
+ reg = <0x18003000 0x8>;
+- #size-cells = <1>;
+- #address-cells = <0>;
++ #size-cells = <0>;
++ #address-cells = <1>;
+ };
+
+ mdio-bus-mux {
+--
+2.20.1
+
--- /dev/null
+From 130a773e19280d5975c85fd79862818753907211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 10:19:09 -0800
+Subject: ARM: dts: Cygnus: Fix MDIO node address/size cells
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit fac2c2da3596d77c343988bb0d41a8c533b2e73c ]
+
+The MDIO node on Cygnus had an reversed #address-cells and
+ #size-cells properties, correct those.
+
+Fixes: 40c26d3af60a ("ARM: dts: Cygnus: Add the ethernet switch and ethernet PHY")
+Reported-by: Simon Horman <simon.horman@netronome.com>
+Reviewed-by: Ray Jui <ray.jui@broadcom.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm-cygnus.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm-cygnus.dtsi b/arch/arm/boot/dts/bcm-cygnus.dtsi
+index 253df7170a4e..887a60c317e9 100644
+--- a/arch/arm/boot/dts/bcm-cygnus.dtsi
++++ b/arch/arm/boot/dts/bcm-cygnus.dtsi
+@@ -169,8 +169,8 @@
+ mdio: mdio@18002000 {
+ compatible = "brcm,iproc-mdio";
+ reg = <0x18002000 0x8>;
+- #size-cells = <1>;
+- #address-cells = <0>;
++ #size-cells = <0>;
++ #address-cells = <1>;
+ status = "disabled";
+
+ gphy0: ethernet-phy@0 {
+--
+2.20.1
+
--- /dev/null
+From 1a66d42a5be1a9fdb78681ba96e3032d1b1cd848 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 14:04:56 +0100
+Subject: ARM: dts: imx6ul: imx6ul-14x14-evk.dtsi: Fix SPI NOR probing
+
+From: Stefan Roese <sr@denx.de>
+
+[ Upstream commit 0aeb1f2b74f3402e9cdb7c0b8e2c369c9767301e ]
+
+Without this "jedec,spi-nor" compatible property, probing of the SPI NOR
+does not work on the NXP i.MX6ULL EVK. Fix this by adding this
+compatible property to the DT.
+
+Fixes: 7d77b8505aa9 ("ARM: dts: imx6ull: fix the imx6ull-14x14-evk configuration")
+Signed-off-by: Stefan Roese <sr@denx.de>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6ul-14x14-evk.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6ul-14x14-evk.dtsi b/arch/arm/boot/dts/imx6ul-14x14-evk.dtsi
+index 818021126559..695303435003 100644
+--- a/arch/arm/boot/dts/imx6ul-14x14-evk.dtsi
++++ b/arch/arm/boot/dts/imx6ul-14x14-evk.dtsi
+@@ -175,7 +175,7 @@
+ flash0: n25q256a@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "micron,n25q256a";
++ compatible = "micron,n25q256a", "jedec,spi-nor";
+ spi-max-frequency = <29000000>;
+ reg = <0>;
+ };
+--
+2.20.1
+
--- /dev/null
+From 623dfdf38b313d0a23d6e6628f1c336d89e8f191 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 11:13:27 +0100
+Subject: ARM: shmobile: defconfig: Restore debugfs support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit fa2cdb1762d15f701b83efa60b04f0d04e71bf89 ]
+
+Since commit 0e4a459f56c32d3e ("tracing: Remove unnecessary DEBUG_FS
+dependency"), CONFIG_DEBUG_FS is no longer auto-enabled. This breaks
+booting Debian 9, as systemd needs debugfs:
+
+ [FAILED] Failed to mount /sys/kernel/debug.
+ See 'systemctl status sys-kernel-debug.mount' for details.
+ [DEPEND] Dependency failed for Local File Systems.
+ ...
+ You are in emergGive root password for maintenance
+ (or press Control-D to continue):
+
+Fix this by enabling CONFIG_DEBUG_FS explicitly.
+
+See also commit 18977008f44c66bd ("ARM: multi_v7_defconfig: Restore
+debugfs support").
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://lore.kernel.org/r/20191209101327.26571-1-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/configs/shmobile_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/configs/shmobile_defconfig b/arch/arm/configs/shmobile_defconfig
+index f8faf3729464..a0e487e95d69 100644
+--- a/arch/arm/configs/shmobile_defconfig
++++ b/arch/arm/configs/shmobile_defconfig
+@@ -211,5 +211,6 @@ CONFIG_NLS_ISO8859_1=y
+ CONFIG_PRINTK_TIME=y
+ # CONFIG_ENABLE_WARN_DEPRECATED is not set
+ # CONFIG_ENABLE_MUST_CHECK is not set
++CONFIG_DEBUG_FS=y
+ CONFIG_DEBUG_KERNEL=y
+ # CONFIG_ARM_UNWIND is not set
+--
+2.20.1
+
--- /dev/null
+From 79e8613ff71ea6a1c932caf284744b127c512d26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 15:56:40 +0000
+Subject: ARM: vexpress: Set-up shared OPP table instead of individual for each
+ CPU
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 2a76352ad2cc6b78e58f737714879cc860903802 ]
+
+Currently we add individual copy of same OPP table for each CPU within
+the cluster. This is redundant and doesn't reflect the reality.
+
+We can't use core cpumask to set policy->cpus in ve_spc_cpufreq_init()
+anymore as it gets called via cpuhp_cpufreq_online()->cpufreq_online()
+->cpufreq_driver->init() and the cpumask gets updated upon CPU hotplug
+operations. It also may cause issues when the vexpress_spc_cpufreq
+driver is built as a module.
+
+Since ve_spc_clk_init is built-in device initcall, we should be able to
+use the same topology_core_cpumask to set the opp sharing cpumask via
+dev_pm_opp_set_sharing_cpus and use the same later in the driver via
+dev_pm_opp_get_sharing_cpus.
+
+Cc: Liviu Dudau <liviu.dudau@arm.com>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-vexpress/spc.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c
+index 0f5381d13494..55bbbc3b328f 100644
+--- a/arch/arm/mach-vexpress/spc.c
++++ b/arch/arm/mach-vexpress/spc.c
+@@ -551,8 +551,9 @@ static struct clk *ve_spc_clk_register(struct device *cpu_dev)
+
+ static int __init ve_spc_clk_init(void)
+ {
+- int cpu;
++ int cpu, cluster;
+ struct clk *clk;
++ bool init_opp_table[MAX_CLUSTERS] = { false };
+
+ if (!info)
+ return 0; /* Continue only if SPC is initialised */
+@@ -578,8 +579,17 @@ static int __init ve_spc_clk_init(void)
+ continue;
+ }
+
++ cluster = topology_physical_package_id(cpu_dev->id);
++ if (init_opp_table[cluster])
++ continue;
++
+ if (ve_init_opp_table(cpu_dev))
+ pr_warn("failed to initialise cpu%d opp table\n", cpu);
++ else if (dev_pm_opp_set_sharing_cpus(cpu_dev,
++ topology_core_cpumask(cpu_dev->id)))
++ pr_warn("failed to mark OPPs shared for cpu%d\n", cpu);
++ else
++ init_opp_table[cluster] = true;
+ }
+
+ platform_device_register_simple("vexpress-spc-cpufreq", -1, NULL, 0);
+--
+2.20.1
+
--- /dev/null
+From 20bb3225dcdb0d5165a7048843b773fccb1428c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 23:14:42 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Update quirk for Teclast X89
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 7eccc05c7101f34cc36afe9405d15de6d4099fb4 ]
+
+When the Teclast X89 quirk was added we did not have jack-detection
+support yet.
+
+Note the over-current detection limit is set to 2mA instead of the usual
+1.5mA because this tablet tends to give false-positive button-presses
+when it is set to 1.5mA.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20191203221442.2657-1-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index 6acd5dd599dc..e58240e18b30 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -677,13 +677,17 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
+ BYT_RT5640_MCLK_EN),
+ },
+ {
++ /* Teclast X89 */
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"),
+ DMI_MATCH(DMI_BOARD_NAME, "tPAD"),
+ },
+ .driver_data = (void *)(BYT_RT5640_IN3_MAP |
+- BYT_RT5640_MCLK_EN |
+- BYT_RT5640_SSP0_AIF1),
++ BYT_RT5640_JD_SRC_JD1_IN4P |
++ BYT_RT5640_OVCD_TH_2000UA |
++ BYT_RT5640_OVCD_SF_1P0 |
++ BYT_RT5640_SSP0_AIF1 |
++ BYT_RT5640_MCLK_EN),
+ },
+ { /* Toshiba Satellite Click Mini L9W-B */
+ .matches = {
+--
+2.20.1
+
--- /dev/null
+From 16787b9dfa5e07dea752c55ee624c70575125cbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2019 15:31:14 +0800
+Subject: ASoC: max98090: fix possible race conditions
+
+From: Tzung-Bi Shih <tzungbi@google.com>
+
+[ Upstream commit 45dfbf56975994822cce00b7475732a49f8aefed ]
+
+max98090_interrupt() and max98090_pll_work() run in 2 different threads.
+There are 2 possible races:
+
+Note: M98090_REG_DEVICE_STATUS = 0x01.
+Note: ULK == 0, PLL is locked; ULK == 1, PLL is unlocked.
+
+max98090_interrupt max98090_pll_work
+----------------------------------------------
+schedule max98090_pll_work
+ restart max98090 codec
+receive ULK INT
+ assert ULK == 0
+schedule max98090_pll_work (1).
+
+In the case (1), the PLL is locked but max98090_interrupt unnecessarily
+schedules another max98090_pll_work.
+
+max98090_interrupt max98090_pll_work max98090 codec
+----------------------------------------------------------------------
+ ULK = 1
+receive ULK INT
+read 0x01
+ ULK = 0 (clear on read)
+schedule max98090_pll_work
+ restart max98090 codec
+ ULK = 1
+receive ULK INT
+read 0x01
+ ULK = 0 (clear on read)
+ read 0x01
+ assert ULK == 0 (2).
+
+In the case (2), both max98090_interrupt and max98090_pll_work read
+the same clear-on-read register. max98090_pll_work would falsely
+thought PLL is locked.
+Note: the case (2) race is introduced by the previous commit ("ASoC:
+max98090: exit workaround earlier if PLL is locked") to check the status
+and exit the loop earlier in max98090_pll_work.
+
+There are 2 possible solution options:
+A. turn off ULK interrupt before scheduling max98090_pll_work; and turn
+on again before exiting max98090_pll_work.
+B. remove the second thread of execution.
+
+Option A cannot fix the case (2) race because it still has 2 threads
+access the same clear-on-read register simultaneously. Although we
+could suppose the register is volatile and read the status via I2C could
+be much slower than the hardware raises the bits.
+
+Option B introduces a maximum 10~12 msec penalty delay in the interrupt
+handler. However, it could only punish the jack detection by extra
+10~12 msec.
+
+Adopts option B which is the better solution overall.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Link: https://lore.kernel.org/r/20191122073114.219945-4-tzungbi@google.com
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/max98090.c | 8 ++------
+ sound/soc/codecs/max98090.h | 1 -
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c
+index c3b28b2f4b10..89b6e187ac23 100644
+--- a/sound/soc/codecs/max98090.c
++++ b/sound/soc/codecs/max98090.c
+@@ -2121,10 +2121,8 @@ static void max98090_pll_det_disable_work(struct work_struct *work)
+ M98090_IULK_MASK, 0);
+ }
+
+-static void max98090_pll_work(struct work_struct *work)
++static void max98090_pll_work(struct max98090_priv *max98090)
+ {
+- struct max98090_priv *max98090 =
+- container_of(work, struct max98090_priv, pll_work);
+ struct snd_soc_component *component = max98090->component;
+
+ if (!snd_soc_component_is_active(component))
+@@ -2277,7 +2275,7 @@ static irqreturn_t max98090_interrupt(int irq, void *data)
+
+ if (active & M98090_ULK_MASK) {
+ dev_dbg(component->dev, "M98090_ULK_MASK\n");
+- schedule_work(&max98090->pll_work);
++ max98090_pll_work(max98090);
+ }
+
+ if (active & M98090_JDET_MASK) {
+@@ -2440,7 +2438,6 @@ static int max98090_probe(struct snd_soc_component *component)
+ max98090_pll_det_enable_work);
+ INIT_WORK(&max98090->pll_det_disable_work,
+ max98090_pll_det_disable_work);
+- INIT_WORK(&max98090->pll_work, max98090_pll_work);
+
+ /* Enable jack detection */
+ snd_soc_component_write(component, M98090_REG_JACK_DETECT,
+@@ -2493,7 +2490,6 @@ static void max98090_remove(struct snd_soc_component *component)
+ cancel_delayed_work_sync(&max98090->jack_work);
+ cancel_delayed_work_sync(&max98090->pll_det_enable_work);
+ cancel_work_sync(&max98090->pll_det_disable_work);
+- cancel_work_sync(&max98090->pll_work);
+ max98090->component = NULL;
+ }
+
+diff --git a/sound/soc/codecs/max98090.h b/sound/soc/codecs/max98090.h
+index b1572a2d19da..388d2f74674b 100644
+--- a/sound/soc/codecs/max98090.h
++++ b/sound/soc/codecs/max98090.h
+@@ -1533,7 +1533,6 @@ struct max98090_priv {
+ struct delayed_work jack_work;
+ struct delayed_work pll_det_enable_work;
+ struct work_struct pll_det_disable_work;
+- struct work_struct pll_work;
+ struct snd_soc_jack *jack;
+ unsigned int dai_fmt;
+ int tdm_slots;
+--
+2.20.1
+
--- /dev/null
+From 78f06583b99c560bb137e8b9bd17bbdc6bf51ebe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 18:39:39 -0600
+Subject: ASoC: topology: Check return value for soc_tplg_pcm_create()
+
+From: Dragos Tarcatu <dragos_tarcatu@mentor.com>
+
+[ Upstream commit a3039aef52d9ffeb67e9211899cd3e8a2953a01f ]
+
+The return value of soc_tplg_pcm_create() is currently not checked
+in soc_tplg_pcm_elems_load(). If an error is to occur there, the
+topology ignores it and continues loading.
+
+Fix that by checking the status and rejecting the topology on error.
+
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20191210003939.15752-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-topology.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index 88a7e860b175..069f38fbf07b 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1890,6 +1890,7 @@ static int soc_tplg_pcm_elems_load(struct soc_tplg *tplg,
+ int count = hdr->count;
+ int i;
+ bool abi_match;
++ int ret;
+
+ if (tplg->pass != SOC_TPLG_PASS_PCM_DAI)
+ return 0;
+@@ -1926,7 +1927,12 @@ static int soc_tplg_pcm_elems_load(struct soc_tplg *tplg,
+ }
+
+ /* create the FE DAIs and DAI links */
+- soc_tplg_pcm_create(tplg, _pcm);
++ ret = soc_tplg_pcm_create(tplg, _pcm);
++ if (ret < 0) {
++ if (!abi_match)
++ kfree(_pcm);
++ return ret;
++ }
+
+ /* offset by version-specific struct size and
+ * real priv data size
+--
+2.20.1
+
--- /dev/null
+From 947aa4c06509b768b8bea6fc7dac938af2a2bff6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 19:57:22 +0800
+Subject: ASoC: wm8962: fix lambda value
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 556672d75ff486e0b6786056da624131679e0576 ]
+
+According to user manual, it is required that FLL_LAMBDA > 0
+in all cases (Integer and Franctional modes).
+
+Fixes: 9a76f1ff6e29 ("ASoC: Add initial WM8962 CODEC driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/1576065442-19763-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm8962.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
+index efd8910b1ff7..dde015fd70a4 100644
+--- a/sound/soc/codecs/wm8962.c
++++ b/sound/soc/codecs/wm8962.c
+@@ -2792,7 +2792,7 @@ static int fll_factors(struct _fll_div *fll_div, unsigned int Fref,
+
+ if (target % Fref == 0) {
+ fll_div->theta = 0;
+- fll_div->lambda = 0;
++ fll_div->lambda = 1;
+ } else {
+ gcd_fll = gcd(target, fratio * Fref);
+
+@@ -2862,7 +2862,7 @@ static int wm8962_set_fll(struct snd_soc_component *component, int fll_id, int s
+ return -EINVAL;
+ }
+
+- if (fll_div.theta || fll_div.lambda)
++ if (fll_div.theta)
+ fll1 |= WM8962_FLL_FRAC;
+
+ /* Stop the FLL while we reconfigure */
+--
+2.20.1
+
--- /dev/null
+From d492656ca25c24f97131d4d46dc1bb78828d3521 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 16:44:04 +0800
+Subject: block: fix memleak when __blk_rq_map_user_iov() is failed
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3b7995a98ad76da5597b488fa84aa5a56d43b608 ]
+
+When I doing fuzzy test, get the memleak report:
+
+BUG: memory leak
+unreferenced object 0xffff88837af80000 (size 4096):
+ comm "memleak", pid 3557, jiffies 4294817681 (age 112.499s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 20 00 00 00 10 01 00 00 00 00 00 00 01 00 00 00 ...............
+ backtrace:
+ [<000000001c894df8>] bio_alloc_bioset+0x393/0x590
+ [<000000008b139a3c>] bio_copy_user_iov+0x300/0xcd0
+ [<00000000a998bd8c>] blk_rq_map_user_iov+0x2f1/0x5f0
+ [<000000005ceb7f05>] blk_rq_map_user+0xf2/0x160
+ [<000000006454da92>] sg_common_write.isra.21+0x1094/0x1870
+ [<00000000064bb208>] sg_write.part.25+0x5d9/0x950
+ [<000000004fc670f6>] sg_write+0x5f/0x8c
+ [<00000000b0d05c7b>] __vfs_write+0x7c/0x100
+ [<000000008e177714>] vfs_write+0x1c3/0x500
+ [<0000000087d23f34>] ksys_write+0xf9/0x200
+ [<000000002c8dbc9d>] do_syscall_64+0x9f/0x4f0
+ [<00000000678d8e9a>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+If __blk_rq_map_user_iov() is failed in blk_rq_map_user_iov(),
+the bio(s) which is allocated before this failing will leak. The
+refcount of the bio(s) is init to 1 and increased to 2 by calling
+bio_get(), but __blk_rq_unmap_user() only decrease it to 1, so
+the bio cannot be freed. Fix it by calling blk_rq_unmap_user().
+
+Reviewed-by: Bob Liu <bob.liu@oracle.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-map.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index db9373bd31ac..9d8627acc2f5 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -145,7 +145,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ return 0;
+
+ unmap_rq:
+- __blk_rq_unmap_user(bio);
++ blk_rq_unmap_user(bio);
+ fail:
+ rq->bio = NULL;
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 02ff49bcf2ccf9ca9a5c2e146d134956ae0afc2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 09:59:55 -0800
+Subject: bnx2x: Do not handle requests from VFs after parity
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit 7113f796bbbced2470cd6d7379d50d7a7a78bf34 ]
+
+Parity error from the hardware will cause PF to lose the state
+of their VFs due to PF's internal reload and hardware reset following
+the parity error. Restrict any configuration request from the VFs after
+the parity as it could cause unexpected hardware behavior, only way
+for VFs to recover would be to trigger FLR on VFs and reload them.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 12 ++++++++++--
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 +
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 12 ++++++++++++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index af57568c922e..df4f77ad95c4 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -9995,10 +9995,18 @@ static void bnx2x_recovery_failed(struct bnx2x *bp)
+ */
+ static void bnx2x_parity_recover(struct bnx2x *bp)
+ {
+- bool global = false;
+ u32 error_recovered, error_unrecovered;
+- bool is_parity;
++ bool is_parity, global = false;
++#ifdef CONFIG_BNX2X_SRIOV
++ int vf_idx;
++
++ for (vf_idx = 0; vf_idx < bp->requested_nr_virtfn; vf_idx++) {
++ struct bnx2x_virtf *vf = BP_VF(bp, vf_idx);
+
++ if (vf)
++ vf->state = VF_LOST;
++ }
++#endif
+ DP(NETIF_MSG_HW, "Handling parity\n");
+ while (1) {
+ switch (bp->recovery_state) {
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+index eb814c65152f..4dc34de1a09a 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+@@ -139,6 +139,7 @@ struct bnx2x_virtf {
+ #define VF_ACQUIRED 1 /* VF acquired, but not initialized */
+ #define VF_ENABLED 2 /* VF Enabled */
+ #define VF_RESET 3 /* VF FLR'd, pending cleanup */
++#define VF_LOST 4 /* Recovery while VFs are loaded */
+
+ bool flr_clnup_stage; /* true during flr cleanup */
+ bool malicious; /* true if FW indicated so, until FLR */
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+index 8e0a317b31f7..152758a45150 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+@@ -2114,6 +2114,18 @@ static void bnx2x_vf_mbx_request(struct bnx2x *bp, struct bnx2x_virtf *vf,
+ {
+ int i;
+
++ if (vf->state == VF_LOST) {
++ /* Just ack the FW and return if VFs are lost
++ * in case of parity error. VFs are supposed to be timedout
++ * on waiting for PF response.
++ */
++ DP(BNX2X_MSG_IOV,
++ "VF 0x%x lost, not handling the request\n", vf->abs_vfid);
++
++ storm_memset_vf_mbx_ack(bp, vf->abs_vfid);
++ return;
++ }
++
+ /* check if tlv type is known */
+ if (bnx2x_tlv_supported(mbx->first_tlv.tl.type)) {
+ /* Lock the per vf op mutex and note the locker's identity.
+--
+2.20.1
+
--- /dev/null
+From 0e1c37e9b0d7694593a51306852ba09bda0fdf7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 09:59:56 -0800
+Subject: bnx2x: Fix logic to get total no. of PFs per engine
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit ee699f89bdbaa19c399804504241b5c531b48888 ]
+
+Driver doesn't calculate total number of PFs configured on a
+given engine correctly which messed up resources in the PFs
+loaded on that engine, leading driver to exceed configuration
+of resources (like vlan filters etc.) beyond the limit per
+engine, which ended up with asserts from the firmware.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+index ee5159ef837e..df5e8c2e8eaf 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+@@ -1113,7 +1113,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp)
+ for (i = 0; i < E1H_FUNC_MAX / 2; i++) {
+ u32 func_config =
+ MF_CFG_RD(bp,
+- func_mf_config[BP_PORT(bp) + 2 * i].
++ func_mf_config[BP_PATH(bp) + 2 * i].
+ config);
+ func_num +=
+ ((func_config & FUNC_MF_CFG_FUNC_HIDE) ? 0 : 1);
+--
+2.20.1
+
--- /dev/null
+From 4b44fd60923ea3e6331f663e7c7d8f771b2636d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 02:49:09 -0500
+Subject: bnxt_en: Return error if FW returns more data than dump length
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b ]
+
+If any change happened in the configuration of VF in VM while
+collecting live dump, there could be a race and firmware can return
+more data than allocated dump length. Fix it by keeping track of
+the accumulated core dump length copied so far and abort the copy
+with error code if the next chunk of core dump will exceed the
+original dump length.
+
+Fixes: 6c5657d085ae ("bnxt_en: Add support for ethtool get dump.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 38 +++++++++++++++----
+ .../net/ethernet/broadcom/bnxt/bnxt_ethtool.h | 4 ++
+ 2 files changed, 34 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+index 2240c23b0a4c..0a409ba4012a 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -2778,8 +2778,15 @@ static int bnxt_hwrm_dbg_dma_data(struct bnxt *bp, void *msg, int msg_len,
+ }
+ }
+
+- if (info->dest_buf)
+- memcpy(info->dest_buf + off, dma_buf, len);
++ if (info->dest_buf) {
++ if ((info->seg_start + off + len) <=
++ BNXT_COREDUMP_BUF_LEN(info->buf_len)) {
++ memcpy(info->dest_buf + off, dma_buf, len);
++ } else {
++ rc = -ENOBUFS;
++ break;
++ }
++ }
+
+ if (cmn_req->req_type ==
+ cpu_to_le16(HWRM_DBG_COREDUMP_RETRIEVE))
+@@ -2833,7 +2840,7 @@ static int bnxt_hwrm_dbg_coredump_initiate(struct bnxt *bp, u16 component_id,
+
+ static int bnxt_hwrm_dbg_coredump_retrieve(struct bnxt *bp, u16 component_id,
+ u16 segment_id, u32 *seg_len,
+- void *buf, u32 offset)
++ void *buf, u32 buf_len, u32 offset)
+ {
+ struct hwrm_dbg_coredump_retrieve_input req = {0};
+ struct bnxt_hwrm_dbg_dma_info info = {NULL};
+@@ -2848,8 +2855,11 @@ static int bnxt_hwrm_dbg_coredump_retrieve(struct bnxt *bp, u16 component_id,
+ seq_no);
+ info.data_len_off = offsetof(struct hwrm_dbg_coredump_retrieve_output,
+ data_len);
+- if (buf)
++ if (buf) {
+ info.dest_buf = buf + offset;
++ info.buf_len = buf_len;
++ info.seg_start = offset;
++ }
+
+ rc = bnxt_hwrm_dbg_dma_data(bp, &req, sizeof(req), &info);
+ if (!rc)
+@@ -2939,14 +2949,17 @@ bnxt_fill_coredump_record(struct bnxt *bp, struct bnxt_coredump_record *record,
+ static int bnxt_get_coredump(struct bnxt *bp, void *buf, u32 *dump_len)
+ {
+ u32 ver_get_resp_len = sizeof(struct hwrm_ver_get_output);
++ u32 offset = 0, seg_hdr_len, seg_record_len, buf_len = 0;
+ struct coredump_segment_record *seg_record = NULL;
+- u32 offset = 0, seg_hdr_len, seg_record_len;
+ struct bnxt_coredump_segment_hdr seg_hdr;
+ struct bnxt_coredump coredump = {NULL};
+ time64_t start_time;
+ u16 start_utc;
+ int rc = 0, i;
+
++ if (buf)
++ buf_len = *dump_len;
++
+ start_time = ktime_get_real_seconds();
+ start_utc = sys_tz.tz_minuteswest * 60;
+ seg_hdr_len = sizeof(seg_hdr);
+@@ -2979,6 +2992,12 @@ static int bnxt_get_coredump(struct bnxt *bp, void *buf, u32 *dump_len)
+ u32 duration = 0, seg_len = 0;
+ unsigned long start, end;
+
++ if (buf && ((offset + seg_hdr_len) >
++ BNXT_COREDUMP_BUF_LEN(buf_len))) {
++ rc = -ENOBUFS;
++ goto err;
++ }
++
+ start = jiffies;
+
+ rc = bnxt_hwrm_dbg_coredump_initiate(bp, comp_id, seg_id);
+@@ -2991,9 +3010,11 @@ static int bnxt_get_coredump(struct bnxt *bp, void *buf, u32 *dump_len)
+
+ /* Write segment data into the buffer */
+ rc = bnxt_hwrm_dbg_coredump_retrieve(bp, comp_id, seg_id,
+- &seg_len, buf,
++ &seg_len, buf, buf_len,
+ offset + seg_hdr_len);
+- if (rc)
++ if (rc && rc == -ENOBUFS)
++ goto err;
++ else if (rc)
+ netdev_err(bp->dev,
+ "Failed to retrieve coredump for seg = %d\n",
+ seg_record->segment_id);
+@@ -3023,7 +3044,8 @@ static int bnxt_get_coredump(struct bnxt *bp, void *buf, u32 *dump_len)
+ rc);
+ kfree(coredump.data);
+ *dump_len += sizeof(struct bnxt_coredump_record);
+-
++ if (rc == -ENOBUFS)
++ netdev_err(bp->dev, "Firmware returned large coredump buffer");
+ return rc;
+ }
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.h
+index b5b65b3f8534..3998f6e809a9 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.h
+@@ -31,6 +31,8 @@ struct bnxt_coredump {
+ u16 total_segs;
+ };
+
++#define BNXT_COREDUMP_BUF_LEN(len) ((len) - sizeof(struct bnxt_coredump_record))
++
+ struct bnxt_hwrm_dbg_dma_info {
+ void *dest_buf;
+ int dest_buf_size;
+@@ -38,6 +40,8 @@ struct bnxt_hwrm_dbg_dma_info {
+ u16 seq_off;
+ u16 data_len_off;
+ u16 segs;
++ u32 seg_start;
++ u32 buf_len;
+ };
+
+ struct hwrm_dbg_cmn_input {
+--
+2.20.1
+
--- /dev/null
+From 4aecff5af7106cc7de122d9a563a642ba6946480 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2019 18:08:17 +0000
+Subject: bpf: Clear skb->tstamp in bpf_redirect when necessary
+
+From: Lorenz Bauer <lmb@cloudflare.com>
+
+[ Upstream commit 5133498f4ad1123a5ffd4c08df6431dab882cc32 ]
+
+Redirecting a packet from ingress to egress by using bpf_redirect
+breaks if the egress interface has an fq qdisc installed. This is the same
+problem as fixed in 'commit 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths")
+
+Clear skb->tstamp when redirecting into the egress path.
+
+Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.")
+Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC")
+Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/bpf/20191213180817.2510-1-lmb@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index e6fa88506c00..91b950261975 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2007,6 +2007,7 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb)
+ }
+
+ skb->dev = dev;
++ skb->tstamp = 0;
+
+ __this_cpu_inc(xmit_recursion);
+ ret = dev_queue_xmit(skb);
+--
+2.20.1
+
--- /dev/null
+From b23ab90fe8647fb72830b36736c8f747b3b7b861 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 19:52:52 +0100
+Subject: bpf, mips: Limit to 33 tail calls
+
+From: Paul Chaignon <paul.chaignon@orange.com>
+
+[ Upstream commit e49e6f6db04e915dccb494ae10fa14888fea6f89 ]
+
+All BPF JIT compilers except RISC-V's and MIPS' enforce a 33-tail calls
+limit at runtime. In addition, a test was recently added, in tailcalls2,
+to check this limit.
+
+This patch updates the tail call limit in MIPS' JIT compiler to allow
+33 tail calls.
+
+Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
+Reported-by: Mahshid Khezri <khezri.mahshid@gmail.com>
+Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/b8eb2caac1c25453c539248e56ca22f74b5316af.1575916815.git.paul.chaignon@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/net/ebpf_jit.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/net/ebpf_jit.c b/arch/mips/net/ebpf_jit.c
+index 9bda82ed75eb..3832c4628608 100644
+--- a/arch/mips/net/ebpf_jit.c
++++ b/arch/mips/net/ebpf_jit.c
+@@ -586,6 +586,7 @@ static void emit_const_to_reg(struct jit_ctx *ctx, int dst, u64 value)
+ static int emit_bpf_tail_call(struct jit_ctx *ctx, int this_idx)
+ {
+ int off, b_off;
++ int tcc_reg;
+
+ ctx->flags |= EBPF_SEEN_TC;
+ /*
+@@ -598,14 +599,14 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx, int this_idx)
+ b_off = b_imm(this_idx + 1, ctx);
+ emit_instr(ctx, bne, MIPS_R_AT, MIPS_R_ZERO, b_off);
+ /*
+- * if (--TCC < 0)
++ * if (TCC-- < 0)
+ * goto out;
+ */
+ /* Delay slot */
+- emit_instr(ctx, daddiu, MIPS_R_T5,
+- (ctx->flags & EBPF_TCC_IN_V1) ? MIPS_R_V1 : MIPS_R_S4, -1);
++ tcc_reg = (ctx->flags & EBPF_TCC_IN_V1) ? MIPS_R_V1 : MIPS_R_S4;
++ emit_instr(ctx, daddiu, MIPS_R_T5, tcc_reg, -1);
+ b_off = b_imm(this_idx + 1, ctx);
+- emit_instr(ctx, bltz, MIPS_R_T5, b_off);
++ emit_instr(ctx, bltz, tcc_reg, b_off);
+ /*
+ * prog = array->ptrs[index];
+ * if (prog == NULL)
+--
+2.20.1
+
--- /dev/null
+From 193635654cfb62ee045c5284a1c0240d005df36e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2019 14:16:44 +0200
+Subject: btrfs: Fix error messages in qgroup_rescan_init
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+[ Upstream commit 37d02592f11bb76e4ab1dcaa5b8a2a0715403207 ]
+
+The branch of qgroup_rescan_init which is executed from the mount
+path prints wrong errors messages. The textual print out in case
+BTRFS_QGROUP_STATUS_FLAG_RESCAN/BTRFS_QGROUP_STATUS_FLAG_ON are not
+set are transposed. Fix it by exchanging their place.
+
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index cdd6d5021000..7916f711daf5 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2862,12 +2862,12 @@ qgroup_rescan_init(struct btrfs_fs_info *fs_info, u64 progress_objectid,
+ if (!(fs_info->qgroup_flags &
+ BTRFS_QGROUP_STATUS_FLAG_RESCAN)) {
+ btrfs_warn(fs_info,
+- "qgroup rescan init failed, qgroup is not enabled");
++ "qgroup rescan init failed, qgroup rescan is not queued");
+ ret = -EINVAL;
+ } else if (!(fs_info->qgroup_flags &
+ BTRFS_QGROUP_STATUS_FLAG_ON)) {
+ btrfs_warn(fs_info,
+- "qgroup rescan init failed, qgroup rescan is not queued");
++ "qgroup rescan init failed, qgroup is not enabled");
+ ret = -EINVAL;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From f39f36c9b17c270f59b09184db962a91e02ad6f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2019 06:39:39 +0530
+Subject: cxgb4: Fix kernel panic while accessing sge_info
+
+From: Vishal Kulkarni <vishal@chelsio.com>
+
+[ Upstream commit 479a0d1376f6d97c60871442911f1394d4446a25 ]
+
+The sge_info debugfs collects offload queue info even when offload
+capability is disabled and leads to panic.
+
+[ 144.139871] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 144.139874] CR2: 0000000000000000 CR3: 000000082d456005 CR4: 00000000001606e0
+[ 144.139876] Call Trace:
+[ 144.139887] sge_queue_start+0x12/0x30 [cxgb4]
+[ 144.139897] seq_read+0x1d4/0x3d0
+[ 144.139906] full_proxy_read+0x50/0x70
+[ 144.139913] vfs_read+0x89/0x140
+[ 144.139916] ksys_read+0x55/0xd0
+[ 144.139924] do_syscall_64+0x5b/0x1d0
+[ 144.139933] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 144.139936] RIP: 0033:0x7f4b01493990
+
+Fix this crash by skipping the offload queue access in sge_qinfo when
+offload capability is disabled
+
+Signed-off-by: Herat Ramani <herat@chelsio.com>
+Signed-off-by: Vishal Kulkarni <vishal@chelsio.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+index b429b726b987..d320e9afab88 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+@@ -3035,6 +3035,9 @@ static int sge_queue_entries(const struct adapter *adap)
+ int tot_uld_entries = 0;
+ int i;
+
++ if (!is_uld(adap))
++ goto lld_only;
++
+ mutex_lock(&uld_mutex);
+ for (i = 0; i < CXGB4_TX_MAX; i++)
+ tot_uld_entries += sge_qinfo_uld_txq_entries(adap, i);
+@@ -3045,6 +3048,7 @@ static int sge_queue_entries(const struct adapter *adap)
+ }
+ mutex_unlock(&uld_mutex);
+
++lld_only:
+ return DIV_ROUND_UP(adap->sge.ethqsets, 4) +
+ tot_uld_entries +
+ DIV_ROUND_UP(MAX_CTRL_QUEUES, 4) + 1;
+--
+2.20.1
+
--- /dev/null
+From 9d58cdceb740e7e3942c6d91b21dc4314bff6245 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2019 19:39:55 +0800
+Subject: drm/exynos: gsc: add missed component_del
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 84c92365b20a44c363b95390ea00dfbdd786f031 ]
+
+The driver forgets to call component_del in remove to match component_add
+in probe.
+Add the missed call to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_gsc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_gsc.c b/drivers/gpu/drm/exynos/exynos_drm_gsc.c
+index 7ba414b52faa..d71188b982cb 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_gsc.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_gsc.c
+@@ -1292,6 +1292,7 @@ static int gsc_remove(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+
++ component_del(dev, &gsc_component_ops);
+ pm_runtime_dont_use_autosuspend(dev);
+ pm_runtime_disable(dev);
+
+--
+2.20.1
+
--- /dev/null
+From a09d2f6d9fcbfdc622c10188c160124a51807730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 16:55:40 +0000
+Subject: efi/gop: Fix memory leak in __gop_query32/64()
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit ff397be685e410a59c34b21ce0c55d4daa466bb7 ]
+
+efi_graphics_output_protocol::query_mode() returns info in
+callee-allocated memory which must be freed by the caller, which
+we aren't doing.
+
+We don't actually need to call query_mode() in order to obtain the
+info for the current graphics mode, which is already there in
+gop->mode->info, so just access it directly in the setup_gop32/64()
+functions.
+
+Also nothing uses the size of the info structure, so don't update the
+passed-in size (which is the size of the gop_handle table in bytes)
+unnecessarily.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191206165542.31469-5-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/gop.c | 66 ++++++------------------------
+ 1 file changed, 12 insertions(+), 54 deletions(-)
+
+diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c
+index 81ffda5d1e48..fd8053f9556e 100644
+--- a/drivers/firmware/efi/libstub/gop.c
++++ b/drivers/firmware/efi/libstub/gop.c
+@@ -85,30 +85,6 @@ setup_pixel_info(struct screen_info *si, u32 pixels_per_scan_line,
+ }
+ }
+
+-static efi_status_t
+-__gop_query32(efi_system_table_t *sys_table_arg,
+- struct efi_graphics_output_protocol_32 *gop32,
+- struct efi_graphics_output_mode_info **info,
+- unsigned long *size, u64 *fb_base)
+-{
+- struct efi_graphics_output_protocol_mode_32 *mode;
+- efi_graphics_output_protocol_query_mode query_mode;
+- efi_status_t status;
+- unsigned long m;
+-
+- m = gop32->mode;
+- mode = (struct efi_graphics_output_protocol_mode_32 *)m;
+- query_mode = (void *)(unsigned long)gop32->query_mode;
+-
+- status = __efi_call_early(query_mode, (void *)gop32, mode->mode, size,
+- info);
+- if (status != EFI_SUCCESS)
+- return status;
+-
+- *fb_base = mode->frame_buffer_base;
+- return status;
+-}
+-
+ static efi_status_t
+ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ efi_guid_t *proto, unsigned long size, void **gop_handle)
+@@ -130,6 +106,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ nr_gops = size / sizeof(u32);
+ for (i = 0; i < nr_gops; i++) {
++ struct efi_graphics_output_protocol_mode_32 *mode;
+ struct efi_graphics_output_mode_info *info = NULL;
+ efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID;
+ bool conout_found = false;
+@@ -147,9 +124,11 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ if (status == EFI_SUCCESS)
+ conout_found = true;
+
+- status = __gop_query32(sys_table_arg, gop32, &info, &size,
+- ¤t_fb_base);
+- if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
++ mode = (void *)(unsigned long)gop32->mode;
++ info = (void *)(unsigned long)mode->info;
++ current_fb_base = mode->frame_buffer_base;
++
++ if ((!first_gop || conout_found) &&
+ info->pixel_format != PIXEL_BLT_ONLY) {
+ /*
+ * Systems that use the UEFI Console Splitter may
+@@ -203,30 +182,6 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ return EFI_SUCCESS;
+ }
+
+-static efi_status_t
+-__gop_query64(efi_system_table_t *sys_table_arg,
+- struct efi_graphics_output_protocol_64 *gop64,
+- struct efi_graphics_output_mode_info **info,
+- unsigned long *size, u64 *fb_base)
+-{
+- struct efi_graphics_output_protocol_mode_64 *mode;
+- efi_graphics_output_protocol_query_mode query_mode;
+- efi_status_t status;
+- unsigned long m;
+-
+- m = gop64->mode;
+- mode = (struct efi_graphics_output_protocol_mode_64 *)m;
+- query_mode = (void *)(unsigned long)gop64->query_mode;
+-
+- status = __efi_call_early(query_mode, (void *)gop64, mode->mode, size,
+- info);
+- if (status != EFI_SUCCESS)
+- return status;
+-
+- *fb_base = mode->frame_buffer_base;
+- return status;
+-}
+-
+ static efi_status_t
+ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ efi_guid_t *proto, unsigned long size, void **gop_handle)
+@@ -248,6 +203,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ nr_gops = size / sizeof(u64);
+ for (i = 0; i < nr_gops; i++) {
++ struct efi_graphics_output_protocol_mode_64 *mode;
+ struct efi_graphics_output_mode_info *info = NULL;
+ efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID;
+ bool conout_found = false;
+@@ -265,9 +221,11 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ if (status == EFI_SUCCESS)
+ conout_found = true;
+
+- status = __gop_query64(sys_table_arg, gop64, &info, &size,
+- ¤t_fb_base);
+- if (status == EFI_SUCCESS && (!first_gop || conout_found) &&
++ mode = (void *)(unsigned long)gop64->mode;
++ info = (void *)(unsigned long)mode->info;
++ current_fb_base = mode->frame_buffer_base;
++
++ if ((!first_gop || conout_found) &&
+ info->pixel_format != PIXEL_BLT_ONLY) {
+ /*
+ * Systems that use the UEFI Console Splitter may
+--
+2.20.1
+
--- /dev/null
+From a212119d39539d09bcd5af724007bd78e1a02861 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 16:55:38 +0000
+Subject: efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 6fc3cec30dfeee7d3c5db8154016aff9d65503c5 ]
+
+If we don't find a usable instance of the Graphics Output Protocol
+(GOP) because none of them have a framebuffer (i.e. they were all
+PIXEL_BLT_ONLY), but all the EFI calls succeeded, we will return
+EFI_SUCCESS even though we didn't find a usable GOP.
+
+Fix this by explicitly returning EFI_NOT_FOUND if no usable GOPs are
+found, allowing the caller to probe for UGA instead.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191206165542.31469-3-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/gop.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c
+index 24c461dea7af..16ed61c023e8 100644
+--- a/drivers/firmware/efi/libstub/gop.c
++++ b/drivers/firmware/efi/libstub/gop.c
+@@ -121,7 +121,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ u64 fb_base;
+ struct efi_pixel_bitmask pixel_info;
+ int pixel_format;
+- efi_status_t status = EFI_NOT_FOUND;
++ efi_status_t status;
+ u32 *handles = (u32 *)(unsigned long)gop_handle;
+ int i;
+
+@@ -177,7 +177,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ /* Did we find any GOPs? */
+ if (!first_gop)
+- goto out;
++ return EFI_NOT_FOUND;
+
+ /* EFI framebuffer */
+ si->orig_video_isVGA = VIDEO_TYPE_EFI;
+@@ -199,7 +199,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ si->lfb_size = si->lfb_linelength * si->lfb_height;
+
+ si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS;
+-out:
++
+ return status;
+ }
+
+@@ -239,7 +239,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ u64 fb_base;
+ struct efi_pixel_bitmask pixel_info;
+ int pixel_format;
+- efi_status_t status = EFI_NOT_FOUND;
++ efi_status_t status;
+ u64 *handles = (u64 *)(unsigned long)gop_handle;
+ int i;
+
+@@ -295,7 +295,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ /* Did we find any GOPs? */
+ if (!first_gop)
+- goto out;
++ return EFI_NOT_FOUND;
+
+ /* EFI framebuffer */
+ si->orig_video_isVGA = VIDEO_TYPE_EFI;
+@@ -317,7 +317,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+ si->lfb_size = si->lfb_linelength * si->lfb_height;
+
+ si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS;
+-out:
++
+ return status;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From dc803558dd4d354dca53acced8098b8c3f604821 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 16:55:39 +0000
+Subject: efi/gop: Return EFI_SUCCESS if a usable GOP was found
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit dbd89c303b4420f6cdb689fd398349fc83b059dd ]
+
+If we've found a usable instance of the Graphics Output Protocol
+(GOP) with a framebuffer, it is possible that one of the later EFI
+calls fails while checking if any support console output. In this
+case status may be an EFI error code even though we found a usable
+GOP.
+
+Fix this by explicitly return EFI_SUCCESS if a usable GOP has been
+located.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191206165542.31469-4-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/gop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c
+index 16ed61c023e8..81ffda5d1e48 100644
+--- a/drivers/firmware/efi/libstub/gop.c
++++ b/drivers/firmware/efi/libstub/gop.c
+@@ -200,7 +200,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS;
+
+- return status;
++ return EFI_SUCCESS;
+ }
+
+ static efi_status_t
+@@ -318,7 +318,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si,
+
+ si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS;
+
+- return status;
++ return EFI_SUCCESS;
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From cb6675eb940e35235a73ca17059d85e8d4fc9bb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 10:54:23 -0600
+Subject: fs: avoid softlockups in s_inodes iterators
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit 04646aebd30b99f2cfa0182435a2ec252fcb16d0 ]
+
+Anything that walks all inodes on sb->s_inodes list without rescheduling
+risks softlockups.
+
+Previous efforts were made in 2 functions, see:
+
+c27d82f fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
+ac05fbb inode: don't softlockup when evicting inodes
+
+but there hasn't been an audit of all walkers, so do that now. This
+also consistently moves the cond_resched() calls to the bottom of each
+loop in cases where it already exists.
+
+One loop remains: remove_dquot_ref(), because I'm not quite sure how
+to deal with that one w/o taking the i_lock.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/drop_caches.c | 2 +-
+ fs/inode.c | 7 +++++++
+ fs/notify/fsnotify.c | 1 +
+ fs/quota/dquot.c | 1 +
+ 4 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/drop_caches.c b/fs/drop_caches.c
+index d31b6c72b476..dc1a1d5d825b 100644
+--- a/fs/drop_caches.c
++++ b/fs/drop_caches.c
+@@ -35,11 +35,11 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused)
+ spin_unlock(&inode->i_lock);
+ spin_unlock(&sb->s_inode_list_lock);
+
+- cond_resched();
+ invalidate_mapping_pages(inode->i_mapping, 0, -1);
+ iput(toput_inode);
+ toput_inode = inode;
+
++ cond_resched();
+ spin_lock(&sb->s_inode_list_lock);
+ }
+ spin_unlock(&sb->s_inode_list_lock);
+diff --git a/fs/inode.c b/fs/inode.c
+index 5c63693326bb..9c50521c9fe4 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -660,6 +660,7 @@ int invalidate_inodes(struct super_block *sb, bool kill_dirty)
+ struct inode *inode, *next;
+ LIST_HEAD(dispose);
+
++again:
+ spin_lock(&sb->s_inode_list_lock);
+ list_for_each_entry_safe(inode, next, &sb->s_inodes, i_sb_list) {
+ spin_lock(&inode->i_lock);
+@@ -682,6 +683,12 @@ int invalidate_inodes(struct super_block *sb, bool kill_dirty)
+ inode_lru_list_del(inode);
+ spin_unlock(&inode->i_lock);
+ list_add(&inode->i_lru, &dispose);
++ if (need_resched()) {
++ spin_unlock(&sb->s_inode_list_lock);
++ cond_resched();
++ dispose_list(&dispose);
++ goto again;
++ }
+ }
+ spin_unlock(&sb->s_inode_list_lock);
+
+diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c
+index 170a733454f7..e8ee4263d7b2 100644
+--- a/fs/notify/fsnotify.c
++++ b/fs/notify/fsnotify.c
+@@ -90,6 +90,7 @@ void fsnotify_unmount_inodes(struct super_block *sb)
+
+ iput_inode = inode;
+
++ cond_resched();
+ spin_lock(&sb->s_inode_list_lock);
+ }
+ spin_unlock(&sb->s_inode_list_lock);
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 154f175066b3..1d1d393f4208 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -980,6 +980,7 @@ static int add_dquot_ref(struct super_block *sb, int type)
+ * later.
+ */
+ old_inode = inode;
++ cond_resched();
+ spin_lock(&sb->s_inode_list_lock);
+ }
+ spin_unlock(&sb->s_inode_list_lock);
+--
+2.20.1
+
--- /dev/null
+From 9be789b32a344579a6e75360f342174cbe05abf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 18:28:10 -0800
+Subject: hv_netvsc: Fix unwanted rx_table reset
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit b0689faa8efc5a3391402d7ae93bd373b7248e51 ]
+
+In existing code, the receive indirection table, rx_table, is in
+struct rndis_device, which will be reset when changing MTU, ringparam,
+etc. User configured receive indirection table values will be lost.
+
+To fix this, move rx_table to struct net_device_context, and check
+netif_is_rxfh_configured(), so rx_table will be set to default only
+if no user configured value.
+
+Fixes: ff4a44199012 ("netvsc: allow get/set of RSS indirection table")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/hyperv_net.h | 3 ++-
+ drivers/net/hyperv/netvsc_drv.c | 4 ++--
+ drivers/net/hyperv/rndis_filter.c | 10 +++++++---
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
+index 31d8d83c25ac..50709c76b672 100644
+--- a/drivers/net/hyperv/hyperv_net.h
++++ b/drivers/net/hyperv/hyperv_net.h
+@@ -181,7 +181,6 @@ struct rndis_device {
+
+ u8 hw_mac_adr[ETH_ALEN];
+ u8 rss_key[NETVSC_HASH_KEYLEN];
+- u16 rx_table[ITAB_NUM];
+ };
+
+
+@@ -933,6 +932,8 @@ struct net_device_context {
+
+ u32 tx_table[VRSS_SEND_TAB_SIZE];
+
++ u16 rx_table[ITAB_NUM];
++
+ /* Ethtool settings */
+ u8 duplex;
+ u32 speed;
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index b7a71c203aa3..1f9f7fcdb0eb 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1688,7 +1688,7 @@ static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key,
+ rndis_dev = ndev->extension;
+ if (indir) {
+ for (i = 0; i < ITAB_NUM; i++)
+- indir[i] = rndis_dev->rx_table[i];
++ indir[i] = ndc->rx_table[i];
+ }
+
+ if (key)
+@@ -1718,7 +1718,7 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir,
+ return -EINVAL;
+
+ for (i = 0; i < ITAB_NUM; i++)
+- rndis_dev->rx_table[i] = indir[i];
++ ndc->rx_table[i] = indir[i];
+ }
+
+ if (!key) {
+diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
+index 53c6039bffb6..f47e36ac42a7 100644
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -719,6 +719,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev,
+ const u8 *rss_key, u16 flag)
+ {
+ struct net_device *ndev = rdev->ndev;
++ struct net_device_context *ndc = netdev_priv(ndev);
+ struct rndis_request *request;
+ struct rndis_set_request *set;
+ struct rndis_set_complete *set_complete;
+@@ -758,7 +759,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev,
+ /* Set indirection table entries */
+ itab = (u32 *)(rssp + 1);
+ for (i = 0; i < ITAB_NUM; i++)
+- itab[i] = rdev->rx_table[i];
++ itab[i] = ndc->rx_table[i];
+
+ /* Set hask key values */
+ keyp = (u8 *)((unsigned long)rssp + rssp->hashkey_offset);
+@@ -1244,6 +1245,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
+ struct netvsc_device_info *device_info)
+ {
+ struct net_device *net = hv_get_drvdata(dev);
++ struct net_device_context *ndc = netdev_priv(net);
+ struct netvsc_device *net_device;
+ struct rndis_device *rndis_device;
+ struct ndis_recv_scale_cap rsscap;
+@@ -1330,9 +1332,11 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
+ /* We will use the given number of channels if available. */
+ net_device->num_chn = min(net_device->max_chn, device_info->num_chn);
+
+- for (i = 0; i < ITAB_NUM; i++)
+- rndis_device->rx_table[i] = ethtool_rxfh_indir_default(
++ if (!netif_is_rxfh_configured(net)) {
++ for (i = 0; i < ITAB_NUM; i++)
++ ndc->rx_table[i] = ethtool_rxfh_indir_default(
+ i, net_device->num_chn);
++ }
+
+ atomic_set(&net_device->open_chn, 1);
+ vmbus_set_sc_create_callback(dev->channel, netvsc_sc_open);
+--
+2.20.1
+
--- /dev/null
+From 5dbd1dd62518bd8a271b6b5d15a9fec1eaa4cad0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 12:27:04 +0800
+Subject: iommu/iova: Init the struct iova to fix the possible memleak
+
+From: Xiaotao Yin <xiaotao.yin@windriver.com>
+
+[ Upstream commit 472d26df5e8075eda677b6be730e0fbf434ff2a8 ]
+
+During ethernet(Marvell octeontx2) set ring buffer test:
+ethtool -G eth1 rx <rx ring size> tx <tx ring size>
+following kmemleak will happen sometimes:
+
+unreferenced object 0xffff000b85421340 (size 64):
+ comm "ethtool", pid 867, jiffies 4295323539 (age 550.500s)
+ hex dump (first 64 bytes):
+ 80 13 42 85 0b 00 ff ff ff ff ff ff ff ff ff ff ..B.............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000001b204ddf>] kmem_cache_alloc+0x1b0/0x350
+ [<00000000d9ef2e50>] alloc_iova+0x3c/0x168
+ [<00000000ea30f99d>] alloc_iova_fast+0x7c/0x2d8
+ [<00000000b8bb2f1f>] iommu_dma_alloc_iova.isra.0+0x12c/0x138
+ [<000000002f1a43b5>] __iommu_dma_map+0x8c/0xf8
+ [<00000000ecde7899>] iommu_dma_map_page+0x98/0xf8
+ [<0000000082004e59>] otx2_alloc_rbuf+0xf4/0x158
+ [<000000002b107f6b>] otx2_rq_aura_pool_init+0x110/0x270
+ [<00000000c3d563c7>] otx2_open+0x15c/0x734
+ [<00000000a2f5f3a8>] otx2_dev_open+0x3c/0x68
+ [<00000000456a98b5>] otx2_set_ringparam+0x1ac/0x1d4
+ [<00000000f2fbb819>] dev_ethtool+0xb84/0x2028
+ [<0000000069b67c5a>] dev_ioctl+0x248/0x3a0
+ [<00000000af38663a>] sock_ioctl+0x280/0x638
+ [<000000002582384c>] do_vfs_ioctl+0x8b0/0xa80
+ [<000000004e1a2c02>] ksys_ioctl+0x84/0xb8
+
+The reason:
+When alloc_iova_mem() without initial with Zero, sometimes fpn_lo will
+equal to IOVA_ANCHOR by chance, so when return with -ENOMEM(iova32_full)
+from __alloc_and_insert_iova_range(), the new_iova will not be freed in
+free_iova_mem().
+
+Fixes: bb68b2fbfbd6 ("iommu/iova: Add rbtree anchor node")
+Signed-off-by: Xiaotao Yin <xiaotao.yin@windriver.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iova.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
+index da4516fbf542..34c058c24b9d 100644
+--- a/drivers/iommu/iova.c
++++ b/drivers/iommu/iova.c
+@@ -236,7 +236,7 @@ static DEFINE_MUTEX(iova_cache_mutex);
+
+ struct iova *alloc_iova_mem(void)
+ {
+- return kmem_cache_alloc(iova_cache, GFP_ATOMIC);
++ return kmem_cache_zalloc(iova_cache, GFP_ATOMIC);
+ }
+ EXPORT_SYMBOL(alloc_iova_mem);
+
+--
+2.20.1
+
--- /dev/null
+From ee386e5e41267df6f0e3ac8f37a56ce2e0e870db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 00:19:17 -0800
+Subject: kconfig: don't crash on NULL expressions in expr_eq()
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+[ Upstream commit 272a72103012862e3a24ea06635253ead0b6e808 ]
+
+NULL expressions are taken to always be true, as implemented by the
+expr_is_yes() macro and by several other functions in expr.c. As such,
+they ought to be valid inputs to expr_eq(), which compares two
+expressions.
+
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/expr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c
+index e1a39e90841d..7e38070ee523 100644
+--- a/scripts/kconfig/expr.c
++++ b/scripts/kconfig/expr.c
+@@ -252,6 +252,13 @@ static int expr_eq(struct expr *e1, struct expr *e2)
+ {
+ int res, old_count;
+
++ /*
++ * A NULL expr is taken to be yes, but there's also a different way to
++ * represent yes. expr_is_yes() checks for either representation.
++ */
++ if (!e1 || !e2)
++ return expr_is_yes(e1) && expr_is_yes(e2);
++
+ if (e1->type != e2->type)
+ return 0;
+ switch (e1->type) {
+--
+2.20.1
+
--- /dev/null
+From da550b82db427c6fc8bc933aeb6d2d2aa83c5483 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 11:36:09 +0000
+Subject: libtraceevent: Fix lib installation with O=
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+[ Upstream commit 587db8ebdac2c5eb3a8851e16b26f2e2711ab797 ]
+
+When we use 'O=' with make to build libtraceevent in a separate folder
+it fails to install libtraceevent.a and libtraceevent.so.1.1.0 with the
+error:
+
+ INSTALL /home/sudip/linux/obj-trace/libtraceevent.a
+ INSTALL /home/sudip/linux/obj-trace/libtraceevent.so.1.1.0
+
+ cp: cannot stat 'libtraceevent.a': No such file or directory
+ Makefile:225: recipe for target 'install_lib' failed
+ make: *** [install_lib] Error 1
+
+I used the command:
+
+ make O=../../../obj-trace DESTDIR=~/test prefix==/usr install
+
+It turns out libtraceevent Makefile, even though it builds in a separate
+folder, searches for libtraceevent.a and libtraceevent.so.1.1.0 in its
+source folder.
+
+So, add the 'OUTPUT' prefix to the source path so that 'make' looks for
+the files in the correct place.
+
+Signed-off-by: Sudipm Mukherjee <sudipm.mukherjee@gmail.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: linux-trace-devel@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20191115113610.21493-1-sudipm.mukherjee@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/traceevent/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/traceevent/Makefile b/tools/lib/traceevent/Makefile
+index bca0c9e5452c..05f8a0f27121 100644
+--- a/tools/lib/traceevent/Makefile
++++ b/tools/lib/traceevent/Makefile
+@@ -115,6 +115,7 @@ EVENT_PARSE_VERSION = $(EP_VERSION).$(EP_PATCHLEVEL).$(EP_EXTRAVERSION)
+
+ LIB_TARGET = libtraceevent.a libtraceevent.so.$(EVENT_PARSE_VERSION)
+ LIB_INSTALL = libtraceevent.a libtraceevent.so*
++LIB_INSTALL := $(addprefix $(OUTPUT),$(LIB_INSTALL))
+
+ INCLUDES = -I. -I $(srctree)/tools/include $(CONFIG_INCLUDES)
+
+--
+2.20.1
+
--- /dev/null
+From 07751de0c00d22eb36f7628f3066bddf07d26cc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 14:16:18 +0800
+Subject: llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and
+ _test_c)
+
+From: Chan Shu Tak, Alex <alexchan@task.com.hk>
+
+[ Upstream commit af1c0e4e00f3cc76cb136ebf2e2c04e8b6446285 ]
+
+When a frame with NULL DSAP is received, llc_station_rcv is called.
+In turn, llc_stat_ev_rx_null_dsap_xid_c is called to check if it is a NULL
+XID frame. The return statement of llc_stat_ev_rx_null_dsap_xid_c returns 1
+when the incoming frame is not a NULL XID frame and 0 otherwise. Hence, a
+NULL XID response is returned unexpectedly, e.g. when the incoming frame is
+a NULL TEST command.
+
+To fix the error, simply remove the conditional operator.
+
+A similar error in llc_stat_ev_rx_null_dsap_test_c is also fixed.
+
+Signed-off-by: Chan Shu Tak, Alex <alexchan@task.com.hk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/llc/llc_station.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
+index 204a8351efff..c29170e767a8 100644
+--- a/net/llc/llc_station.c
++++ b/net/llc/llc_station.c
+@@ -32,7 +32,7 @@ static int llc_stat_ev_rx_null_dsap_xid_c(struct sk_buff *skb)
+ return LLC_PDU_IS_CMD(pdu) && /* command PDU */
+ LLC_PDU_TYPE_IS_U(pdu) && /* U type PDU */
+ LLC_U_PDU_CMD(pdu) == LLC_1_PDU_CMD_XID &&
+- !pdu->dsap ? 0 : 1; /* NULL DSAP value */
++ !pdu->dsap; /* NULL DSAP value */
+ }
+
+ static int llc_stat_ev_rx_null_dsap_test_c(struct sk_buff *skb)
+@@ -42,7 +42,7 @@ static int llc_stat_ev_rx_null_dsap_test_c(struct sk_buff *skb)
+ return LLC_PDU_IS_CMD(pdu) && /* command PDU */
+ LLC_PDU_TYPE_IS_U(pdu) && /* U type PDU */
+ LLC_U_PDU_CMD(pdu) == LLC_1_PDU_CMD_TEST &&
+- !pdu->dsap ? 0 : 1; /* NULL DSAP */
++ !pdu->dsap; /* NULL DSAP */
+ }
+
+ static int llc_station_ac_send_xid_r(struct sk_buff *skb)
+--
+2.20.1
+
--- /dev/null
+From c4d0d36d6c7ec6e8708f9a635cff87e10831fa67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2019 16:57:15 +0100
+Subject: locking/spinlock/debug: Fix various data races
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 1a365e822372ba24c9da0822bc583894f6f3d821 ]
+
+This fixes various data races in spinlock_debug. By testing with KCSAN,
+it is observable that the console gets spammed with data races reports,
+suggesting these are extremely frequent.
+
+Example data race report:
+
+ read to 0xffff8ab24f403c48 of 4 bytes by task 221 on cpu 2:
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
+ do_raw_spin_lock+0x9b/0x210 kernel/locking/spinlock_debug.c:112
+ __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
+ _raw_spin_lock+0x39/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ get_partial_node.isra.0.part.0+0x32/0x2f0 mm/slub.c:1873
+ get_partial_node mm/slub.c:1870 [inline]
+ <snip>
+
+ write to 0xffff8ab24f403c48 of 4 bytes by task 167 on cpu 3:
+ debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline]
+ do_raw_spin_unlock+0xc9/0x1a0 kernel/locking/spinlock_debug.c:138
+ __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:159 [inline]
+ _raw_spin_unlock_irqrestore+0x2d/0x50 kernel/locking/spinlock.c:191
+ spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
+ free_debug_processing+0x1b3/0x210 mm/slub.c:1214
+ __slab_free+0x292/0x400 mm/slub.c:2864
+ <snip>
+
+As a side-effect, with KCSAN, this eventually locks up the console, most
+likely due to deadlock, e.g. .. -> printk lock -> spinlock_debug ->
+KCSAN detects data race -> kcsan_print_report() -> printk lock ->
+deadlock.
+
+This fix will 1) avoid the data races, and 2) allow using lock debugging
+together with KCSAN.
+
+Reported-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Marco Elver <elver@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Link: https://lkml.kernel.org/r/20191120155715.28089-1-elver@google.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/spinlock_debug.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c
+index 9aa0fccd5d43..03595c29c566 100644
+--- a/kernel/locking/spinlock_debug.c
++++ b/kernel/locking/spinlock_debug.c
+@@ -51,19 +51,19 @@ EXPORT_SYMBOL(__rwlock_init);
+
+ static void spin_dump(raw_spinlock_t *lock, const char *msg)
+ {
+- struct task_struct *owner = NULL;
++ struct task_struct *owner = READ_ONCE(lock->owner);
+
+- if (lock->owner && lock->owner != SPINLOCK_OWNER_INIT)
+- owner = lock->owner;
++ if (owner == SPINLOCK_OWNER_INIT)
++ owner = NULL;
+ printk(KERN_EMERG "BUG: spinlock %s on CPU#%d, %s/%d\n",
+ msg, raw_smp_processor_id(),
+ current->comm, task_pid_nr(current));
+ printk(KERN_EMERG " lock: %pS, .magic: %08x, .owner: %s/%d, "
+ ".owner_cpu: %d\n",
+- lock, lock->magic,
++ lock, READ_ONCE(lock->magic),
+ owner ? owner->comm : "<none>",
+ owner ? task_pid_nr(owner) : -1,
+- lock->owner_cpu);
++ READ_ONCE(lock->owner_cpu));
+ dump_stack();
+ }
+
+@@ -80,16 +80,16 @@ static void spin_bug(raw_spinlock_t *lock, const char *msg)
+ static inline void
+ debug_spin_lock_before(raw_spinlock_t *lock)
+ {
+- SPIN_BUG_ON(lock->magic != SPINLOCK_MAGIC, lock, "bad magic");
+- SPIN_BUG_ON(lock->owner == current, lock, "recursion");
+- SPIN_BUG_ON(lock->owner_cpu == raw_smp_processor_id(),
++ SPIN_BUG_ON(READ_ONCE(lock->magic) != SPINLOCK_MAGIC, lock, "bad magic");
++ SPIN_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion");
++ SPIN_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(),
+ lock, "cpu recursion");
+ }
+
+ static inline void debug_spin_lock_after(raw_spinlock_t *lock)
+ {
+- lock->owner_cpu = raw_smp_processor_id();
+- lock->owner = current;
++ WRITE_ONCE(lock->owner_cpu, raw_smp_processor_id());
++ WRITE_ONCE(lock->owner, current);
+ }
+
+ static inline void debug_spin_unlock(raw_spinlock_t *lock)
+@@ -99,8 +99,8 @@ static inline void debug_spin_unlock(raw_spinlock_t *lock)
+ SPIN_BUG_ON(lock->owner != current, lock, "wrong owner");
+ SPIN_BUG_ON(lock->owner_cpu != raw_smp_processor_id(),
+ lock, "wrong CPU");
+- lock->owner = SPINLOCK_OWNER_INIT;
+- lock->owner_cpu = -1;
++ WRITE_ONCE(lock->owner, SPINLOCK_OWNER_INIT);
++ WRITE_ONCE(lock->owner_cpu, -1);
+ }
+
+ /*
+@@ -183,8 +183,8 @@ static inline void debug_write_lock_before(rwlock_t *lock)
+
+ static inline void debug_write_lock_after(rwlock_t *lock)
+ {
+- lock->owner_cpu = raw_smp_processor_id();
+- lock->owner = current;
++ WRITE_ONCE(lock->owner_cpu, raw_smp_processor_id());
++ WRITE_ONCE(lock->owner, current);
+ }
+
+ static inline void debug_write_unlock(rwlock_t *lock)
+@@ -193,8 +193,8 @@ static inline void debug_write_unlock(rwlock_t *lock)
+ RWLOCK_BUG_ON(lock->owner != current, lock, "wrong owner");
+ RWLOCK_BUG_ON(lock->owner_cpu != raw_smp_processor_id(),
+ lock, "wrong CPU");
+- lock->owner = SPINLOCK_OWNER_INIT;
+- lock->owner_cpu = -1;
++ WRITE_ONCE(lock->owner, SPINLOCK_OWNER_INIT);
++ WRITE_ONCE(lock->owner_cpu, -1);
+ }
+
+ void do_raw_write_lock(rwlock_t *lock)
+--
+2.20.1
+
--- /dev/null
+From f87b2b9071b1c17edb7fbb9cd13d789d0e2bfac1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2019 18:10:54 +0800
+Subject: mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: qize wang <wangqize888888888@gmail.com>
+
+[ Upstream commit 1e58252e334dc3f3756f424a157d1b7484464c40 ]
+
+mwifiex_process_tdls_action_frame() without checking
+the incoming tdls infomation element's vality before use it,
+this may cause multi heap buffer overflows.
+
+Fix them by putting vality check before use it.
+
+IE is TLV struct, but ht_cap and ht_oper aren’t TLV struct.
+the origin marvell driver code is wrong:
+
+memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
+memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...
+
+Fix the bug by changing pos(the address of IE) to
+pos+2 ( the address of IE value ).
+
+Signed-off-by: qize wang <wangqize888888888@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/tdls.c | 70 +++++++++++++++++++--
+ 1 file changed, 64 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
+index 27779d7317fd..6058c48d56dc 100644
+--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
+@@ -956,59 +956,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
+
+ switch (*pos) {
+ case WLAN_EID_SUPP_RATES:
++ if (pos[1] > 32)
++ return;
+ sta_ptr->tdls_cap.rates_len = pos[1];
+ for (i = 0; i < pos[1]; i++)
+ sta_ptr->tdls_cap.rates[i] = pos[i + 2];
+ break;
+
+ case WLAN_EID_EXT_SUPP_RATES:
++ if (pos[1] > 32)
++ return;
+ basic = sta_ptr->tdls_cap.rates_len;
++ if (pos[1] > 32 - basic)
++ return;
+ for (i = 0; i < pos[1]; i++)
+ sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
+ sta_ptr->tdls_cap.rates_len += pos[1];
+ break;
+ case WLAN_EID_HT_CAPABILITY:
+- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
++ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_ht_cap))
++ return;
++ /* copy the ie's value into ht_capb*/
++ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
+ sizeof(struct ieee80211_ht_cap));
+ sta_ptr->is_11n_enabled = 1;
+ break;
+ case WLAN_EID_HT_OPERATION:
+- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
++ if (pos > end -
++ sizeof(struct ieee80211_ht_operation) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_ht_operation))
++ return;
++ /* copy the ie's value into ht_oper*/
++ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
+ sizeof(struct ieee80211_ht_operation));
+ break;
+ case WLAN_EID_BSS_COEX_2040:
++ if (pos > end - 3)
++ return;
++ if (pos[1] != 1)
++ return;
+ sta_ptr->tdls_cap.coex_2040 = pos[2];
+ break;
+ case WLAN_EID_EXT_CAPABILITY:
++ if (pos > end - sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] < sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] > 8)
++ return;
+ memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
+ sizeof(struct ieee_types_header) +
+ min_t(u8, pos[1], 8));
+ break;
+ case WLAN_EID_RSN:
++ if (pos > end - sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] < sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] > IEEE_MAX_IE_SIZE -
++ sizeof(struct ieee_types_header))
++ return;
+ memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
+ sizeof(struct ieee_types_header) +
+ min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
+ sizeof(struct ieee_types_header)));
+ break;
+ case WLAN_EID_QOS_CAPA:
++ if (pos > end - 3)
++ return;
++ if (pos[1] != 1)
++ return;
+ sta_ptr->tdls_cap.qos_info = pos[2];
+ break;
+ case WLAN_EID_VHT_OPERATION:
+- if (priv->adapter->is_hw_11ac_capable)
+- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
++ if (priv->adapter->is_hw_11ac_capable) {
++ if (pos > end -
++ sizeof(struct ieee80211_vht_operation) - 2)
++ return;
++ if (pos[1] !=
++ sizeof(struct ieee80211_vht_operation))
++ return;
++ /* copy the ie's value into vhtoper*/
++ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
+ sizeof(struct ieee80211_vht_operation));
++ }
+ break;
+ case WLAN_EID_VHT_CAPABILITY:
+ if (priv->adapter->is_hw_11ac_capable) {
+- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
++ if (pos > end -
++ sizeof(struct ieee80211_vht_cap) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_vht_cap))
++ return;
++ /* copy the ie's value into vhtcap*/
++ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
+ sizeof(struct ieee80211_vht_cap));
+ sta_ptr->is_11ac_enabled = 1;
+ }
+ break;
+ case WLAN_EID_AID:
+- if (priv->adapter->is_hw_11ac_capable)
++ if (priv->adapter->is_hw_11ac_capable) {
++ if (pos > end - 4)
++ return;
++ if (pos[1] != 2)
++ return;
+ sta_ptr->tdls_cap.aid =
+ get_unaligned_le16((pos + 2));
++ }
++ break;
+ default:
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 1bbc7f80ba2f852b9773e175db5b573e125191b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:17:43 +0100
+Subject: net: stmmac: Always arm TX Timer at end of transmission start
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit 4772f26db8d1fb568c4862c538344a1b5fb52081 ]
+
+If TX Coalesce timer is enabled we should always arm it, otherwise we
+may hit the case where an interrupt is missed and the TX Queue will
+timeout.
+
+Arming the timer does not necessarly mean it will run the tx_clean()
+because this function is wrapped around NAPI launcher.
+
+Fixes: 9125cdd1be11 ("stmmac: add the initial tx coalesce schema")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 437b1b2b3e6b..7ee0e46539c0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2997,6 +2997,7 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ tx_q->tx_tail_addr = tx_q->dma_tx_phy + (tx_q->cur_tx * sizeof(*desc));
+ stmmac_set_tx_tail_ptr(priv, priv->ioaddr, tx_q->tx_tail_addr, queue);
++ stmmac_tx_timer_arm(priv, queue);
+
+ return NETDEV_TX_OK;
+
+@@ -3210,6 +3211,7 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ tx_q->tx_tail_addr = tx_q->dma_tx_phy + (tx_q->cur_tx * sizeof(*desc));
+ stmmac_set_tx_tail_ptr(priv, priv->ioaddr, tx_q->tx_tail_addr, queue);
++ stmmac_tx_timer_arm(priv, queue);
+
+ return NETDEV_TX_OK;
+
+--
+2.20.1
+
--- /dev/null
+From f899fd85db6d9a919e3193dfef0f26079e4b6db2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:17:37 +0100
+Subject: net: stmmac: Do not accept invalid MTU values
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit eaf4fac478077d4ed57cbca2c044c4b58a96bd98 ]
+
+The maximum MTU value is determined by the maximum size of TX FIFO so
+that a full packet can fit in the FIFO. Add a check for this in the MTU
+change callback.
+
+Also check if provided and rounded MTU does not passes the maximum limit
+of 16K.
+
+Changes from v2:
+- Align MTU before checking if its valid
+
+Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 014fe93ed2d8..ec37ef7521e9 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3604,12 +3604,24 @@ static void stmmac_set_rx_mode(struct net_device *dev)
+ static int stmmac_change_mtu(struct net_device *dev, int new_mtu)
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
++ int txfifosz = priv->plat->tx_fifo_size;
++
++ if (txfifosz == 0)
++ txfifosz = priv->dma_cap.tx_fifo_size;
++
++ txfifosz /= priv->plat->tx_queues_to_use;
+
+ if (netif_running(dev)) {
+ netdev_err(priv->dev, "must be stopped to change its MTU\n");
+ return -EBUSY;
+ }
+
++ new_mtu = STMMAC_ALIGN(new_mtu);
++
++ /* If condition true, FIFO is too small or MTU too large */
++ if ((txfifosz < new_mtu) || (new_mtu > BUF_SIZE_16KiB))
++ return -EINVAL;
++
+ dev->mtu = new_mtu;
+
+ netdev_update_features(dev);
+--
+2.20.1
+
--- /dev/null
+From 894f6ab5ab1ef980ffe1be07d4d19de7fa23e567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:17:40 +0100
+Subject: net: stmmac: RX buffer size must be 16 byte aligned
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit 8d558f0294fe92e04af192e221d0d0f6a180ee7b ]
+
+We need to align the RX buffer size to at least 16 byte so that IP
+doesn't mis-behave. This is required by HW.
+
+Changes from v2:
+- Align UP and not DOWN (David)
+
+Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index ec37ef7521e9..437b1b2b3e6b 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -54,7 +54,7 @@
+ #include "dwxgmac2.h"
+ #include "hwif.h"
+
+-#define STMMAC_ALIGN(x) __ALIGN_KERNEL(x, SMP_CACHE_BYTES)
++#define STMMAC_ALIGN(x) ALIGN(ALIGN(x, SMP_CACHE_BYTES), 16)
+ #define TSO_MAX_BUFF_SIZE (SZ_16K - 1)
+
+ /* Module parameters */
+--
+2.20.1
+
--- /dev/null
+From 343d59523f24651bdbcf3d91d29e2438da61027a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:17:39 +0100
+Subject: net: stmmac: xgmac: Clear previous RX buffer size
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit 11d55fd9975f8e46a0e5e19c14899544e81e1e15 ]
+
+When switching between buffer sizes we need to clear the previous value.
+
+Fixes: d6ddfacd95c7 ("net: stmmac: Add DMA related callbacks for XGMAC2")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 2 ++
+ drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h
+index 0a80fa25afe3..209745294751 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h
+@@ -169,6 +169,8 @@
+ #define XGMAC_DMA_CH_RX_CONTROL(x) (0x00003108 + (0x80 * (x)))
+ #define XGMAC_RxPBL GENMASK(21, 16)
+ #define XGMAC_RxPBL_SHIFT 16
++#define XGMAC_RBSZ GENMASK(14, 1)
++#define XGMAC_RBSZ_SHIFT 1
+ #define XGMAC_RXST BIT(0)
+ #define XGMAC_DMA_CH_TxDESC_LADDR(x) (0x00003114 + (0x80 * (x)))
+ #define XGMAC_DMA_CH_RxDESC_LADDR(x) (0x0000311c + (0x80 * (x)))
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+index 1c3930527444..27942c53b567 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+@@ -379,7 +379,8 @@ static void dwxgmac2_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan)
+ u32 value;
+
+ value = readl(ioaddr + XGMAC_DMA_CH_RX_CONTROL(chan));
+- value |= bfsize << 1;
++ value &= ~XGMAC_RBSZ;
++ value |= bfsize << XGMAC_RBSZ_SHIFT;
+ writel(value, ioaddr + XGMAC_DMA_CH_RX_CONTROL(chan));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 793a412d7336d4638e77076c50a875ff76c7f72f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2019 18:33:11 +0200
+Subject: net: usb: lan78xx: Fix error message format specifier
+
+From: Cristian Birsan <cristian.birsan@microchip.com>
+
+[ Upstream commit 858ce8ca62ea1530f2779d0e3f934b0176e663c3 ]
+
+Display the return code as decimal integer.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Cristian Birsan <cristian.birsan@microchip.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 6dd24a1ca10d..0f6b8d4689b3 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -522,7 +522,7 @@ static int lan78xx_read_stats(struct lan78xx_net *dev,
+ }
+ } else {
+ netdev_warn(dev->net,
+- "Failed to read stat ret = 0x%x", ret);
++ "Failed to read stat ret = %d", ret);
+ }
+
+ kfree(stats);
+--
+2.20.1
+
--- /dev/null
+From 7b2581bb6ace6861fe010e10d79ae49711823923 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 12:39:23 +0100
+Subject: netfilter: ctnetlink: netns exit must wait for callbacks
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 18a110b022a5c02e7dc9f6109d0bd93e58ac6ebb ]
+
+Curtis Taylor and Jon Maxwell reported and debugged a crash on 3.10
+based kernel.
+
+Crash occurs in ctnetlink_conntrack_events because net->nfnl socket is
+NULL. The nfnl socket was set to NULL by netns destruction running on
+another cpu.
+
+The exiting network namespace calls the relevant destructors in the
+following order:
+
+1. ctnetlink_net_exit_batch
+
+This nulls out the event callback pointer in struct netns.
+
+2. nfnetlink_net_exit_batch
+
+This nulls net->nfnl socket and frees it.
+
+3. nf_conntrack_cleanup_net_list
+
+This removes all remaining conntrack entries.
+
+This is order is correct. The only explanation for the crash so ar is:
+
+cpu1: conntrack is dying, eviction occurs:
+ -> nf_ct_delete()
+ -> nf_conntrack_event_report \
+ -> nf_conntrack_eventmask_report
+ -> notify->fcn() (== ctnetlink_conntrack_events).
+
+cpu1: a. fetches rcu protected pointer to obtain ctnetlink event callback.
+ b. gets interrupted.
+ cpu2: runs netns exit handlers:
+ a runs ctnetlink destructor, event cb pointer set to NULL.
+ b runs nfnetlink destructor, nfnl socket is closed and set to NULL.
+cpu1: c. resumes and trips over NULL net->nfnl.
+
+Problem appears to be that ctnetlink_net_exit_batch only prevents future
+callers of nf_conntrack_eventmask_report() from obtaining the callback.
+It doesn't wait of other cpus that might have already obtained the
+callbacks address.
+
+I don't see anything in upstream kernels that would prevent similar
+crash: We need to wait for all cpus to have exited the event callback.
+
+Fixes: 9592a5c01e79dbc59eb56fa ("netfilter: ctnetlink: netns support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 47e5a076522d..7ba9ea55816a 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3576,6 +3576,9 @@ static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
+
+ list_for_each_entry(net, net_exit_list, exit_list)
+ ctnetlink_net_exit(net);
++
++ /* wait for other cpus until they are done with ctnl_notifiers */
++ synchronize_rcu();
+ }
+
+ static struct pernet_operations ctnetlink_net_ops = {
+--
+2.20.1
+
--- /dev/null
+From 8edbf077b2023a4b6381c70aa9a3042739cd9a6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 22:09:14 +0100
+Subject: netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 0d2c96af797ba149e559c5875c0151384ab6dd14 ]
+
+Userspace might bogusly sent NFT_DATA_VERDICT in several netlink
+attributes that assume NFT_DATA_VALUE. Moreover, make sure that error
+path invokes nft_data_release() to decrement the reference count on the
+chain object.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 +++-
+ net/netfilter/nft_bitwise.c | 4 ++--
+ net/netfilter/nft_cmp.c | 6 ++++++
+ net/netfilter/nft_range.c | 10 ++++++++++
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 42f79f9532c6..4711a8b56f32 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4117,8 +4117,10 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ return err;
+
+ err = -EINVAL;
+- if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
++ if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
++ nft_data_release(&elem.key.val, desc.type);
+ return err;
++ }
+
+ priv = set->ops->get(ctx->net, set, &elem, flags);
+ if (IS_ERR(priv))
+diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
+index fff8073e2a56..058ee84ea531 100644
+--- a/net/netfilter/nft_bitwise.c
++++ b/net/netfilter/nft_bitwise.c
+@@ -83,7 +83,7 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
+ tb[NFTA_BITWISE_MASK]);
+ if (err < 0)
+ return err;
+- if (d1.len != priv->len) {
++ if (d1.type != NFT_DATA_VALUE || d1.len != priv->len) {
+ err = -EINVAL;
+ goto err1;
+ }
+@@ -92,7 +92,7 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
+ tb[NFTA_BITWISE_XOR]);
+ if (err < 0)
+ goto err1;
+- if (d2.len != priv->len) {
++ if (d2.type != NFT_DATA_VALUE || d2.len != priv->len) {
+ err = -EINVAL;
+ goto err2;
+ }
+diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
+index 79d48c1d06f4..7007045c0849 100644
+--- a/net/netfilter/nft_cmp.c
++++ b/net/netfilter/nft_cmp.c
+@@ -82,6 +82,12 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ if (err < 0)
+ return err;
+
++ if (desc.type != NFT_DATA_VALUE) {
++ err = -EINVAL;
++ nft_data_release(&priv->data, desc.type);
++ return err;
++ }
++
+ priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]);
+ err = nft_validate_register_load(priv->sreg, desc.len);
+ if (err < 0)
+diff --git a/net/netfilter/nft_range.c b/net/netfilter/nft_range.c
+index cedb96c3619f..2e1d2ec2f52a 100644
+--- a/net/netfilter/nft_range.c
++++ b/net/netfilter/nft_range.c
+@@ -70,11 +70,21 @@ static int nft_range_init(const struct nft_ctx *ctx, const struct nft_expr *expr
+ if (err < 0)
+ return err;
+
++ if (desc_from.type != NFT_DATA_VALUE) {
++ err = -EINVAL;
++ goto err1;
++ }
++
+ err = nft_data_init(NULL, &priv->data_to, sizeof(priv->data_to),
+ &desc_to, tb[NFTA_RANGE_TO_DATA]);
+ if (err < 0)
+ goto err1;
+
++ if (desc_to.type != NFT_DATA_VALUE) {
++ err = -EINVAL;
++ goto err2;
++ }
++
+ if (desc_from.len != desc_to.len) {
+ err = -EINVAL;
+ goto err2;
+--
+2.20.1
+
--- /dev/null
+From ae33f199eacfca2785fab9c0bcb02a5156176a59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 21:55:20 +0100
+Subject: netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit bffc124b6fe37d0ae9b428d104efb426403bb5c9 ]
+
+Only NFTA_SET_ELEM_KEY and NFTA_SET_ELEM_FLAGS make sense for elements
+whose NFT_SET_ELEM_INTERVAL_END flag is set on.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0e1b1f7f4745..42f79f9532c6 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4351,14 +4351,20 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (nla[NFTA_SET_ELEM_DATA] == NULL &&
+ !(flags & NFT_SET_ELEM_INTERVAL_END))
+ return -EINVAL;
+- if (nla[NFTA_SET_ELEM_DATA] != NULL &&
+- flags & NFT_SET_ELEM_INTERVAL_END)
+- return -EINVAL;
+ } else {
+ if (nla[NFTA_SET_ELEM_DATA] != NULL)
+ return -EINVAL;
+ }
+
++ if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
++ (nla[NFTA_SET_ELEM_DATA] ||
++ nla[NFTA_SET_ELEM_OBJREF] ||
++ nla[NFTA_SET_ELEM_TIMEOUT] ||
++ nla[NFTA_SET_ELEM_EXPIRATION] ||
++ nla[NFTA_SET_ELEM_USERDATA] ||
++ nla[NFTA_SET_ELEM_EXPR]))
++ return -EINVAL;
++
+ timeout = 0;
+ if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
+ if (!(set->flags & NFT_SET_TIMEOUT))
+--
+2.20.1
+
--- /dev/null
+From 02dfc33431265ad50a670fbe5284fe59999573bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 20:23:29 +0100
+Subject: netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements
+ in named sets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit db3b665dd77b34e34df00e17d7b299c98fcfb2c5 ]
+
+The existing rbtree implementation might store consecutive elements
+where the closing element and the opening element might overlap, eg.
+
+ [ a, a+1) [ a+1, a+2)
+
+This patch removes the optimization for non-anonymous sets in the exact
+matching case, where it is assumed to stop searching in case that the
+closing element is found. Instead, invalidate candidate interval and
+keep looking further in the tree.
+
+The lookup/get operation might return false, while there is an element
+in the rbtree. Moreover, the get operation returns true as if a+2 would
+be in the tree. This happens with named sets after several set updates.
+
+The existing lookup optimization (that only works for the anonymous
+sets) might not reach the opening [ a+1,... element if the closing
+...,a+1) is found in first place when walking over the rbtree. Hence,
+walking the full tree in that case is needed.
+
+This patch fixes the lookup and get operations.
+
+Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
+Fixes: ba0e4d9917b4 ("netfilter: nf_tables: get set elements via netlink")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_rbtree.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index b3e75f9cb686..0221510328d4 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -77,8 +77,13 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
+ parent = rcu_dereference_raw(parent->rb_left);
+ continue;
+ }
+- if (nft_rbtree_interval_end(rbe))
+- goto out;
++ if (nft_rbtree_interval_end(rbe)) {
++ if (nft_set_is_anonymous(set))
++ return false;
++ parent = rcu_dereference_raw(parent->rb_left);
++ interval = NULL;
++ continue;
++ }
+
+ *ext = &rbe->ext;
+ return true;
+@@ -91,7 +96,7 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
+ *ext = &interval->ext;
+ return true;
+ }
+-out:
++
+ return false;
+ }
+
+@@ -139,8 +144,10 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set,
+ } else if (d > 0) {
+ parent = rcu_dereference_raw(parent->rb_right);
+ } else {
+- if (!nft_set_elem_active(&rbe->ext, genmask))
++ if (!nft_set_elem_active(&rbe->ext, genmask)) {
+ parent = rcu_dereference_raw(parent->rb_left);
++ continue;
++ }
+
+ if (!nft_set_ext_exists(&rbe->ext, NFT_SET_EXT_FLAGS) ||
+ (*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END) ==
+@@ -148,7 +155,11 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set,
+ *elem = rbe;
+ return true;
+ }
+- return false;
++
++ if (nft_rbtree_interval_end(rbe))
++ interval = NULL;
++
++ parent = rcu_dereference_raw(parent->rb_left);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 8eb40303811e461b3ffa93f577edbfb65cbc9c24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 13:35:11 +0100
+Subject: netfilter: uapi: Avoid undefined left-shift in xt_sctp.h
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 164166558aacea01b99c8c8ffb710d930405ba69 ]
+
+With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is
+undefined for the signed 32-bit value 1. Avoid this by declaring 1 as
+unsigned.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/netfilter/xt_sctp.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h
+index 4bc6d1a08781..b4d804a9fccb 100644
+--- a/include/uapi/linux/netfilter/xt_sctp.h
++++ b/include/uapi/linux/netfilter/xt_sctp.h
+@@ -41,19 +41,19 @@ struct xt_sctp_info {
+ #define SCTP_CHUNKMAP_SET(chunkmap, type) \
+ do { \
+ (chunkmap)[type / bytes(__u32)] |= \
+- 1 << (type % bytes(__u32)); \
++ 1u << (type % bytes(__u32)); \
+ } while (0)
+
+ #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
+ do { \
+ (chunkmap)[type / bytes(__u32)] &= \
+- ~(1 << (type % bytes(__u32))); \
++ ~(1u << (type % bytes(__u32))); \
+ } while (0)
+
+ #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
+ ({ \
+ ((chunkmap)[type / bytes (__u32)] & \
+- (1 << (type % bytes (__u32)))) ? 1: 0; \
++ (1u << (type % bytes (__u32)))) ? 1: 0; \
+ })
+
+ #define SCTP_CHUNKMAP_RESET(chunkmap) \
+--
+2.20.1
+
--- /dev/null
+From e93c15f74f6a17ba64f6dc176c4a6bbc2f3ecaa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Dec 2019 20:09:27 +0100
+Subject: parisc: add missing __init annotation
+
+From: Sven Schnelle <svens@stackframe.org>
+
+[ Upstream commit aeea5eae4fd54e94d820ed17ea3b238160be723e ]
+
+compilation failed with:
+
+MODPOST vmlinux.o
+WARNING: vmlinux.o(.text.unlikely+0xa0c): Section mismatch in reference from the function walk_lower_bus() to the function .init.text:walk_native_bus()
+The function walk_lower_bus() references
+the function __init walk_native_bus().
+This is often because walk_lower_bus lacks a __init
+annotation or the annotation of walk_native_bus is wrong.
+
+FATAL: modpost: Section mismatches detected.
+Set CONFIG_SECTION_MISMATCH_WARN_ONLY=y to allow them.
+make[2]: *** [/home/svens/linux/parisc-linux/src/scripts/Makefile.modpost:64: __modpost] Error 1
+make[1]: *** [/home/svens/linux/parisc-linux/src/Makefile:1077: vmlinux] Error 2
+make[1]: Leaving directory '/home/svens/linux/parisc-linux/build'
+make: *** [Makefile:179: sub-make] Error 2
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/drivers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
+index 5eb979d04b90..a1a5e4c59e6b 100644
+--- a/arch/parisc/kernel/drivers.c
++++ b/arch/parisc/kernel/drivers.c
+@@ -789,7 +789,7 @@ EXPORT_SYMBOL(device_to_hwpath);
+ static void walk_native_bus(unsigned long io_io_low, unsigned long io_io_high,
+ struct device *parent);
+
+-static void walk_lower_bus(struct parisc_device *dev)
++static void __init walk_lower_bus(struct parisc_device *dev)
+ {
+ unsigned long io_io_low, io_io_high;
+
+--
+2.20.1
+
--- /dev/null
+From abf3614f95cc5c47c1699ef980ebaeb8a187201e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2019 21:00:19 +0100
+Subject: parisc: Fix compiler warnings in debug_core.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 75cf9797006a3a9f29a3a25c1febd6842a4a9eb2 ]
+
+Fix this compiler warning:
+kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’:
+arch/parisc/include/asm/cmpxchg.h:48:3: warning: value computed is not used [-Wunused-value]
+ 48 | ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr))))
+arch/parisc/include/asm/atomic.h:78:30: note: in expansion of macro ‘xchg’
+ 78 | #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
+ | ^~~~
+kernel/debug/debug_core.c:596:4: note: in expansion of macro ‘atomic_xchg’
+ 596 | atomic_xchg(&kgdb_active, cpu);
+ | ^~~~~~~~~~~
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/include/asm/cmpxchg.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h
+index f627c37dad9c..ab5c215cf46c 100644
+--- a/arch/parisc/include/asm/cmpxchg.h
++++ b/arch/parisc/include/asm/cmpxchg.h
+@@ -44,8 +44,14 @@ __xchg(unsigned long x, __volatile__ void *ptr, int size)
+ ** if (((unsigned long)p & 0xf) == 0)
+ ** return __ldcw(p);
+ */
+-#define xchg(ptr, x) \
+- ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr))))
++#define xchg(ptr, x) \
++({ \
++ __typeof__(*(ptr)) __ret; \
++ __typeof__(*(ptr)) _x_ = (x); \
++ __ret = (__typeof__(*(ptr))) \
++ __xchg((unsigned long)_x_, (ptr), sizeof(*(ptr))); \
++ __ret; \
++})
+
+ /* bug catcher for when unsupported size is used - won't link */
+ extern void __cmpxchg_called_with_bad_pointer(void);
+--
+2.20.1
+
--- /dev/null
+From 9763fa2a147feb1ecda2cb0e6a16493e0da6e53c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 12:51:01 +0200
+Subject: perf/x86/intel: Fix PT PMI handling
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+[ Upstream commit 92ca7da4bdc24d63bb0bcd241c11441ddb63b80a ]
+
+Commit:
+
+ ccbebba4c6bf ("perf/x86/intel/pt: Bypass PT vs. LBR exclusivity if the core supports it")
+
+skips the PT/LBR exclusivity check on CPUs where PT and LBRs coexist, but
+also inadvertently skips the active_events bump for PT in that case, which
+is a bug. If there aren't any hardware events at the same time as PT, the
+PMI handler will ignore PT PMIs, as active_events reads zero in that case,
+resulting in the "Uhhuh" spurious NMI warning and PT data loss.
+
+Fix this by always increasing active_events for PT events.
+
+Fixes: ccbebba4c6bf ("perf/x86/intel/pt: Bypass PT vs. LBR exclusivity if the core supports it")
+Reported-by: Vitaly Slobodskoy <vitaly.slobodskoy@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lkml.kernel.org/r/20191210105101.77210-1-alexander.shishkin@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/core.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
+index c9625bff4328..429389489eed 100644
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -375,7 +375,7 @@ int x86_add_exclusive(unsigned int what)
+ * LBR and BTS are still mutually exclusive.
+ */
+ if (x86_pmu.lbr_pt_coexist && what == x86_lbr_exclusive_pt)
+- return 0;
++ goto out;
+
+ if (!atomic_inc_not_zero(&x86_pmu.lbr_exclusive[what])) {
+ mutex_lock(&pmc_reserve_mutex);
+@@ -387,6 +387,7 @@ int x86_add_exclusive(unsigned int what)
+ mutex_unlock(&pmc_reserve_mutex);
+ }
+
++out:
+ atomic_inc(&active_events);
+ return 0;
+
+@@ -397,11 +398,15 @@ int x86_add_exclusive(unsigned int what)
+
+ void x86_del_exclusive(unsigned int what)
+ {
++ atomic_dec(&active_events);
++
++ /*
++ * See the comment in x86_add_exclusive().
++ */
+ if (x86_pmu.lbr_pt_coexist && what == x86_lbr_exclusive_pt)
+ return;
+
+ atomic_dec(&x86_pmu.lbr_exclusive[what]);
+- atomic_dec(&active_events);
+ }
+
+ int x86_setup_perfctr(struct perf_event *event)
+--
+2.20.1
+
--- /dev/null
+From 81c7d824572952132dcdfe644a7ec7a776ac55c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 14:35:24 +0200
+Subject: powerpc: Ensure that swiotlb buffer is allocated from low memory
+
+From: Mike Rapoport <rppt@linux.ibm.com>
+
+[ Upstream commit 8fabc623238e68b3ac63c0dd1657bf86c1fa33af ]
+
+Some powerpc platforms (e.g. 85xx) limit DMA-able memory way below 4G.
+If a system has more physical memory than this limit, the swiotlb
+buffer is not addressable because it is allocated from memblock using
+top-down mode.
+
+Force memblock to bottom-up mode before calling swiotlb_init() to
+ensure that the swiotlb buffer is DMA-able.
+
+Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
+Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191204123524.22919-1-rppt@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/mem.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
+index 04ccb274a620..9a6afd9f3f9b 100644
+--- a/arch/powerpc/mm/mem.c
++++ b/arch/powerpc/mm/mem.c
+@@ -344,6 +344,14 @@ void __init mem_init(void)
+ BUILD_BUG_ON(MMU_PAGE_COUNT > 16);
+
+ #ifdef CONFIG_SWIOTLB
++ /*
++ * Some platforms (e.g. 85xx) limit DMA-able memory way below
++ * 4G. We force memblock to bottom-up mode to ensure that the
++ * memory allocated in swiotlb_init() is DMA-able.
++ * As it's the last memblock allocation, no need to reset it
++ * back to to-down.
++ */
++ memblock_set_bottom_up(true);
+ swiotlb_init(0);
+ #endif
+
+--
+2.20.1
+
--- /dev/null
+From db66d17d2ce678481a408b73e996fba8426e1dc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Nov 2019 22:58:35 +0800
+Subject: regulator: fix use after free issue
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+[ Upstream commit 4affd79a125ac91e6a53be843ea3960a8fc00cbb ]
+
+This is caused by dereferencing 'rdev' after put_device() in
+the _regulator_get()/_regulator_put() functions.
+This patch just moves the put_device() down a bit to avoid the
+issue.
+
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: linux-kernel@vger.kernel.org
+Link: https://lore.kernel.org/r/20191124145835.25999-1-wenyang@linux.alibaba.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index f312764660e6..4bab758d14b1 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1724,8 +1724,8 @@ struct regulator *_regulator_get(struct device *dev, const char *id,
+ regulator = create_regulator(rdev, dev, id);
+ if (regulator == NULL) {
+ regulator = ERR_PTR(-ENOMEM);
+- put_device(&rdev->dev);
+ module_put(rdev->owner);
++ put_device(&rdev->dev);
+ return regulator;
+ }
+
+@@ -1851,13 +1851,13 @@ static void _regulator_put(struct regulator *regulator)
+
+ rdev->open_count--;
+ rdev->exclusive = 0;
+- put_device(&rdev->dev);
+ regulator_unlock(rdev);
+
+ kfree_const(regulator->supply_name);
+ kfree(regulator);
+
+ module_put(rdev->owner);
++ put_device(&rdev->dev);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 4b78be9bf3317267e8226fcc2ef3416af900f623 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 23:16:00 +0100
+Subject: regulator: rn5t618: fix module aliases
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+[ Upstream commit 62a1923cc8fe095912e6213ed5de27abbf1de77e ]
+
+platform device aliases were missing, preventing
+autoloading of module.
+
+Fixes: 811b700630ff ("regulator: rn5t618: add driver for Ricoh RN5T618 regulators")
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Link: https://lore.kernel.org/r/20191211221600.29438-1-andreas@kemnade.info
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/rn5t618-regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/rn5t618-regulator.c b/drivers/regulator/rn5t618-regulator.c
+index 790a4a73ea2c..40b74648bd31 100644
+--- a/drivers/regulator/rn5t618-regulator.c
++++ b/drivers/regulator/rn5t618-regulator.c
+@@ -154,6 +154,7 @@ static struct platform_driver rn5t618_regulator_driver = {
+
+ module_platform_driver(rn5t618_regulator_driver);
+
++MODULE_ALIAS("platform:rn5t618-regulator");
+ MODULE_AUTHOR("Beniamino Galvani <b.galvani@gmail.com>");
+ MODULE_DESCRIPTION("RN5T618 regulator driver");
+ MODULE_LICENSE("GPL v2");
+--
+2.20.1
+
--- /dev/null
+From 8e8ef58d2c7848495e8a1fc0850ba3bbd5e82fbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Dec 2019 09:34:08 -0600
+Subject: rfkill: Fix incorrect check to avoid NULL pointer dereference
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit 6fc232db9e8cd50b9b83534de9cd91ace711b2d7 ]
+
+In rfkill_register, the struct rfkill pointer is first derefernced
+and then checked for NULL. This patch removes the BUG_ON and returns
+an error to the caller in case rfkill is NULL.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Link: https://lore.kernel.org/r/20191215153409.21696-1-pakki001@umn.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rfkill/core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/rfkill/core.c b/net/rfkill/core.c
+index 7fbc8314f626..d6467cbf5c4f 100644
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -1014,10 +1014,13 @@ static void rfkill_sync_work(struct work_struct *work)
+ int __must_check rfkill_register(struct rfkill *rfkill)
+ {
+ static unsigned long rfkill_no;
+- struct device *dev = &rfkill->dev;
++ struct device *dev;
+ int error;
+
+- BUG_ON(!rfkill);
++ if (!rfkill)
++ return -EINVAL;
++
++ dev = &rfkill->dev;
+
+ mutex_lock(&rfkill_global_mutex);
+
+--
+2.20.1
+
--- /dev/null
+From 19c2386020fc06e4aa9964ff5335d9c823db536a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 09:43:50 +0100
+Subject: s390/dasd/cio: Interpret ccw_device_get_mdc return value correctly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jan Höppner <hoeppner@linux.ibm.com>
+
+[ Upstream commit dd4b3c83b9efac10d48a94c61372119fc555a077 ]
+
+The max data count (mdc) is an unsigned 16-bit integer value as per AR
+documentation and is received via ccw_device_get_mdc() for a specific
+path mask from the CIO layer. The function itself also always returns a
+positive mdc value or 0 in case mdc isn't supported or couldn't be
+determined.
+
+Though, the comment for this function describes a negative return value
+to indicate failures.
+
+As a result, the DASD device driver interprets the return value of
+ccw_device_get_mdc() incorrectly. The error case is essentially a dead
+code path.
+
+To fix this behaviour, check explicitly for a return value of 0 and
+change the comment for ccw_device_get_mdc() accordingly.
+
+This fix merely enables the error code path in the DASD functions
+get_fcx_max_data() and verify_fcx_max_data(). The actual functionality
+stays the same and is still correct.
+
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+Acked-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 9 +++++----
+ drivers/s390/cio/device_ops.c | 2 +-
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index f89f9d02e788..108fb1c77e1d 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -1135,7 +1135,8 @@ static u32 get_fcx_max_data(struct dasd_device *device)
+ {
+ struct dasd_eckd_private *private = device->private;
+ int fcx_in_css, fcx_in_gneq, fcx_in_features;
+- int tpm, mdc;
++ unsigned int mdc;
++ int tpm;
+
+ if (dasd_nofcx)
+ return 0;
+@@ -1149,7 +1150,7 @@ static u32 get_fcx_max_data(struct dasd_device *device)
+ return 0;
+
+ mdc = ccw_device_get_mdc(device->cdev, 0);
+- if (mdc < 0) {
++ if (mdc == 0) {
+ dev_warn(&device->cdev->dev, "Detecting the maximum supported data size for zHPF requests failed\n");
+ return 0;
+ } else {
+@@ -1160,12 +1161,12 @@ static u32 get_fcx_max_data(struct dasd_device *device)
+ static int verify_fcx_max_data(struct dasd_device *device, __u8 lpm)
+ {
+ struct dasd_eckd_private *private = device->private;
+- int mdc;
++ unsigned int mdc;
+ u32 fcx_max_data;
+
+ if (private->fcx_max_data) {
+ mdc = ccw_device_get_mdc(device->cdev, lpm);
+- if ((mdc < 0)) {
++ if (mdc == 0) {
+ dev_warn(&device->cdev->dev,
+ "Detecting the maximum data size for zHPF "
+ "requests failed (rc=%d) for a new path %x\n",
+diff --git a/drivers/s390/cio/device_ops.c b/drivers/s390/cio/device_ops.c
+index 4435ae0b3027..f0cae1973f78 100644
+--- a/drivers/s390/cio/device_ops.c
++++ b/drivers/s390/cio/device_ops.c
+@@ -624,7 +624,7 @@ EXPORT_SYMBOL(ccw_device_tm_start_timeout);
+ * @mask: mask of paths to use
+ *
+ * Return the number of 64K-bytes blocks all paths at least support
+- * for a transport command. Return values <= 0 indicate failures.
++ * for a transport command. Return value 0 indicates failure.
+ */
+ int ccw_device_get_mdc(struct ccw_device *cdev, u8 mask)
+ {
+--
+2.20.1
+
--- /dev/null
+From b8c447968abdb69b0a732d8a9d4df8972672bf5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 09:43:51 +0100
+Subject: s390/dasd: fix memleak in path handling error case
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 00b39f698a4f1ee897227cace2e3937fc4412270 ]
+
+If for whatever reason the dasd_eckd_check_characteristics() function
+exits after at least some paths have their configuration data
+allocated those data is never freed again. In the error case the
+device->private pointer is set to NULL and dasd_eckd_uncheck_device()
+will exit without freeing the path data because of this NULL pointer.
+
+Fix by calling dasd_eckd_clear_conf_data() for error cases.
+
+Also use dasd_eckd_clear_conf_data() in dasd_eckd_uncheck_device()
+to avoid code duplication.
+
+Reported-by: Qian Cai <cai@lca.pw>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index 108fb1c77e1d..a2e34c853ca9 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -1770,7 +1770,7 @@ dasd_eckd_check_characteristics(struct dasd_device *device)
+ dasd_free_block(device->block);
+ device->block = NULL;
+ out_err1:
+- kfree(private->conf_data);
++ dasd_eckd_clear_conf_data(device);
+ kfree(device->private);
+ device->private = NULL;
+ return rc;
+@@ -1779,7 +1779,6 @@ dasd_eckd_check_characteristics(struct dasd_device *device)
+ static void dasd_eckd_uncheck_device(struct dasd_device *device)
+ {
+ struct dasd_eckd_private *private = device->private;
+- int i;
+
+ if (!private)
+ return;
+@@ -1789,21 +1788,7 @@ static void dasd_eckd_uncheck_device(struct dasd_device *device)
+ private->sneq = NULL;
+ private->vdsneq = NULL;
+ private->gneq = NULL;
+- private->conf_len = 0;
+- for (i = 0; i < 8; i++) {
+- kfree(device->path[i].conf_data);
+- if ((__u8 *)device->path[i].conf_data ==
+- private->conf_data) {
+- private->conf_data = NULL;
+- private->conf_len = 0;
+- }
+- device->path[i].conf_data = NULL;
+- device->path[i].cssid = 0;
+- device->path[i].ssid = 0;
+- device->path[i].chpid = 0;
+- }
+- kfree(private->conf_data);
+- private->conf_data = NULL;
++ dasd_eckd_clear_conf_data(device);
+ }
+
+ static struct dasd_ccw_req *
+--
+2.20.1
+
--- /dev/null
+From a392fb19006f3be3a6f3c719ccc9f189d73a249f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 09:34:57 +0100
+Subject: s390/purgatory: do not build purgatory with kcov, kasan and friends
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+[ Upstream commit c23587c92f6e3260fe3b82bb75b38aa2553b9468 ]
+
+the purgatory must not rely on functions from the "old" kernel,
+so we must disable kasan and friends. We also need to have a
+separate copy of string.c as the default does not build memcmp
+with KASAN.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/purgatory/Makefile | 6 ++++--
+ arch/s390/purgatory/string.c | 3 +++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+ create mode 100644 arch/s390/purgatory/string.c
+
+diff --git a/arch/s390/purgatory/Makefile b/arch/s390/purgatory/Makefile
+index ce6a3f75065b..fdccb7689bb9 100644
+--- a/arch/s390/purgatory/Makefile
++++ b/arch/s390/purgatory/Makefile
+@@ -13,8 +13,10 @@ $(obj)/sha256.o: $(srctree)/lib/sha256.c FORCE
+ $(obj)/mem.o: $(srctree)/arch/s390/lib/mem.S FORCE
+ $(call if_changed_rule,as_o_S)
+
+-$(obj)/string.o: $(srctree)/arch/s390/lib/string.c FORCE
+- $(call if_changed_rule,cc_o_c)
++KCOV_INSTRUMENT := n
++GCOV_PROFILE := n
++UBSAN_SANITIZE := n
++KASAN_SANITIZE := n
+
+ LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined -nostdlib
+ LDFLAGS_purgatory.ro += -z nodefaultlib
+diff --git a/arch/s390/purgatory/string.c b/arch/s390/purgatory/string.c
+new file mode 100644
+index 000000000000..c98c22a72db7
+--- /dev/null
++++ b/arch/s390/purgatory/string.c
+@@ -0,0 +1,3 @@
++// SPDX-License-Identifier: GPL-2.0
++#define __HAVE_ARCH_MEMCMP /* arch function */
++#include "../lib/string.c"
+--
+2.20.1
+
--- /dev/null
+From 6b91d3637e72dc0874932fffd3e723aaaf8989b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 17:01:14 +0900
+Subject: samples: bpf: fix syscall_tp due to unused syscall
+
+From: Daniel T. Lee <danieltimlee@gmail.com>
+
+[ Upstream commit fe3300897cbfd76c6cb825776e5ac0ca50a91ca4 ]
+
+Currently, open() is called from the user program and it calls the syscall
+'sys_openat', not the 'sys_open'. This leads to an error of the program
+of user side, due to the fact that the counter maps are zero since no
+function such 'sys_open' is called.
+
+This commit adds the kernel bpf program which are attached to the
+tracepoint 'sys_enter_openat' and 'sys_enter_openat'.
+
+Fixes: 1da236b6be963 ("bpf: add a test case for syscalls/sys_{enter|exit}_* tracepoints")
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/syscall_tp_kern.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/syscall_tp_kern.c b/samples/bpf/syscall_tp_kern.c
+index 9149c524d279..8833aacb9c8c 100644
+--- a/samples/bpf/syscall_tp_kern.c
++++ b/samples/bpf/syscall_tp_kern.c
+@@ -50,13 +50,27 @@ static __always_inline void count(void *map)
+ SEC("tracepoint/syscalls/sys_enter_open")
+ int trace_enter_open(struct syscalls_enter_open_args *ctx)
+ {
+- count((void *)&enter_open_map);
++ count(&enter_open_map);
++ return 0;
++}
++
++SEC("tracepoint/syscalls/sys_enter_openat")
++int trace_enter_open_at(struct syscalls_enter_open_args *ctx)
++{
++ count(&enter_open_map);
+ return 0;
+ }
+
+ SEC("tracepoint/syscalls/sys_exit_open")
+ int trace_enter_exit(struct syscalls_exit_open_args *ctx)
+ {
+- count((void *)&exit_open_map);
++ count(&exit_open_map);
++ return 0;
++}
++
++SEC("tracepoint/syscalls/sys_exit_openat")
++int trace_enter_exit_at(struct syscalls_exit_open_args *ctx)
++{
++ count(&exit_open_map);
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From ab6db1eef888b501d8ce18a63df70d6157d340c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 17:01:13 +0900
+Subject: samples: bpf: Replace symbol compare of trace_event
+
+From: Daniel T. Lee <danieltimlee@gmail.com>
+
+[ Upstream commit bba1b2a890253528c45aa66cf856f289a215bfbc ]
+
+Previously, when this sample is added, commit 1c47910ef8013
+("samples/bpf: add perf_event+bpf example"), a symbol 'sys_read' and
+'sys_write' has been used without no prefixes. But currently there are
+no exact symbols with these under kallsyms and this leads to failure.
+
+This commit changes exact compare to substring compare to keep compatible
+with exact symbol or prefixed symbol.
+
+Fixes: 1c47910ef8013 ("samples/bpf: add perf_event+bpf example")
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20191205080114.19766-2-danieltimlee@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/trace_event_user.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/trace_event_user.c b/samples/bpf/trace_event_user.c
+index d08046ab81f0..d33022447d6b 100644
+--- a/samples/bpf/trace_event_user.c
++++ b/samples/bpf/trace_event_user.c
+@@ -35,9 +35,9 @@ static void print_ksym(__u64 addr)
+ return;
+ sym = ksym_search(addr);
+ printf("%s;", sym->name);
+- if (!strcmp(sym->name, "sys_read"))
++ if (!strstr(sym->name, "sys_read"))
+ sys_read_seen = true;
+- else if (!strcmp(sym->name, "sys_write"))
++ else if (!strstr(sym->name, "sys_write"))
+ sys_write_seen = true;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6e50d41fec1e219d35b3e60da1f2e904d20d2011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2019 17:34:42 +0900
+Subject: selftests/ftrace: Fix multiple kprobe testcase
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 5cc6c8d4a99d0ee4d5466498e258e593df1d3eb6 ]
+
+Fix multiple kprobe event testcase to work it correctly.
+There are 2 bugfixes.
+ - Since `wc -l FILE` returns not only line number but also
+ FILE filename, following "if" statement always failed.
+ Fix this bug by replacing it with 'cat FILE | wc -l'
+ - Since "while do-done loop" block with pipeline becomes a
+ subshell, $N local variable is not update outside of
+ the loop.
+ Fix this bug by using actual target number (256) instead
+ of $N.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/ftrace/test.d/kprobe/multiple_kprobes.tc | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/multiple_kprobes.tc b/tools/testing/selftests/ftrace/test.d/kprobe/multiple_kprobes.tc
+index ce361b9d62cf..da298f191086 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/multiple_kprobes.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/multiple_kprobes.tc
+@@ -25,9 +25,9 @@ while read i; do
+ test $N -eq 256 && break
+ done
+
+-L=`wc -l kprobe_events`
+-if [ $L -ne $N ]; then
+- echo "The number of kprobes events ($L) is not $N"
++L=`cat kprobe_events | wc -l`
++if [ $L -ne 256 ]; then
++ echo "The number of kprobes events ($L) is not 256"
+ exit_fail
+ fi
+
+--
+2.20.1
+
usb-dummy-hcd-use-usb_urb_dir_in-instead-of-usb_pipein.patch
usb-dummy-hcd-increase-max-number-of-devices-to-32.patch
bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch
+regulator-fix-use-after-free-issue.patch
+asoc-max98090-fix-possible-race-conditions.patch
+locking-spinlock-debug-fix-various-data-races.patch
+netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch
+mwifiex-fix-heap-overflow-in-mmwifiex_process_tdls_a.patch
+libtraceevent-fix-lib-installation-with-o.patch
+x86-efi-update-e820-with-reserved-efi-boot-services-.patch
+asoc-intel-bytcr_rt5640-update-quirk-for-teclast-x89.patch
+efi-gop-return-efi_not_found-if-there-are-no-usable-.patch
+efi-gop-return-efi_success-if-a-usable-gop-was-found.patch
+efi-gop-fix-memory-leak-in-__gop_query32-64.patch
+arm-dts-imx6ul-imx6ul-14x14-evk.dtsi-fix-spi-nor-pro.patch
+arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch
+netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch
+netfilter-nft_set_rbtree-bogus-lookup-get-on-consecu.patch
+netfilter-nf_tables-validate-nft_set_elem_interval_e.patch
+netfilter-nf_tables-validate-nft_data_value-after-nf.patch
+arm-dts-bcm5301x-fix-mdio-node-address-size-cells.patch
+selftests-ftrace-fix-multiple-kprobe-testcase.patch
+arm-dts-cygnus-fix-mdio-node-address-size-cells.patch
+spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch
+asoc-topology-check-return-value-for-soc_tplg_pcm_cr.patch
+arm-dts-bcm283x-fix-critical-trip-point.patch
+bnxt_en-return-error-if-fw-returns-more-data-than-du.patch
+bpf-mips-limit-to-33-tail-calls.patch
+spi-spi-ti-qspi-fix-a-bug-when-accessing-non-default.patch
+arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch
+samples-bpf-replace-symbol-compare-of-trace_event.patch
+samples-bpf-fix-syscall_tp-due-to-unused-syscall.patch
+powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch
+btrfs-fix-error-messages-in-qgroup_rescan_init.patch
+arm-shmobile-defconfig-restore-debugfs-support.patch
+bpf-clear-skb-tstamp-in-bpf_redirect-when-necessary.patch
+bnx2x-do-not-handle-requests-from-vfs-after-parity.patch
+bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch
+cxgb4-fix-kernel-panic-while-accessing-sge_info.patch
+net-usb-lan78xx-fix-error-message-format-specifier.patch
+parisc-add-missing-__init-annotation.patch
+rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch
+asoc-wm8962-fix-lambda-value.patch
+regulator-rn5t618-fix-module-aliases.patch
+iommu-iova-init-the-struct-iova-to-fix-the-possible-.patch
+kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch
+perf-x86-intel-fix-pt-pmi-handling.patch
+fs-avoid-softlockups-in-s_inodes-iterators.patch
+net-stmmac-do-not-accept-invalid-mtu-values.patch
+net-stmmac-xgmac-clear-previous-rx-buffer-size.patch
+net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch
+net-stmmac-always-arm-tx-timer-at-end-of-transmissio.patch
+s390-purgatory-do-not-build-purgatory-with-kcov-kasa.patch
+drm-exynos-gsc-add-missed-component_del.patch
+s390-dasd-cio-interpret-ccw_device_get_mdc-return-va.patch
+s390-dasd-fix-memleak-in-path-handling-error-case.patch
+block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch
+parisc-fix-compiler-warnings-in-debug_core.c.patch
+llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch
+hv_netvsc-fix-unwanted-rx_table-reset.patch
--- /dev/null
+From 0539429bbd0a32130028fa032b2e46c9d76bd38c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 15:55:00 +0800
+Subject: spi: spi-cavium-thunderx: Add missing pci_release_regions()
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit a841e2853e1afecc2ee692b8cc5bff606bc84e4c ]
+
+The driver forgets to call pci_release_regions() in probe failure
+and remove.
+Add the missed calls to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Link: https://lore.kernel.org/r/20191206075500.18525-1-hslester96@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cavium-thunderx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-cavium-thunderx.c b/drivers/spi/spi-cavium-thunderx.c
+index 877937706240..828fbbebc3c4 100644
+--- a/drivers/spi/spi-cavium-thunderx.c
++++ b/drivers/spi/spi-cavium-thunderx.c
+@@ -81,6 +81,7 @@ static int thunderx_spi_probe(struct pci_dev *pdev,
+
+ error:
+ clk_disable_unprepare(p->clk);
++ pci_release_regions(pdev);
+ spi_master_put(master);
+ return ret;
+ }
+@@ -95,6 +96,7 @@ static void thunderx_spi_remove(struct pci_dev *pdev)
+ return;
+
+ clk_disable_unprepare(p->clk);
++ pci_release_regions(pdev);
+ /* Put everything in a known state. */
+ writeq(0, p->register_base + OCTEON_SPI_CFG(p));
+ }
+--
+2.20.1
+
--- /dev/null
+From e9e75488b29e7b70fed36f21f410d21a046850d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 21:22:16 +0530
+Subject: spi: spi-ti-qspi: Fix a bug when accessing non default CS
+
+From: Vignesh Raghavendra <vigneshr@ti.com>
+
+[ Upstream commit c52c91bb9aa6bd8c38dbf9776158e33038aedd43 ]
+
+When switching ChipSelect from default CS0 to any other CS, driver fails
+to update the bits in system control module register that control which
+CS is mapped for MMIO access. This causes reads to fail when driver
+tries to access QSPI flash on CS1/2/3.
+
+Fix this by updating appropriate bits whenever active CS changes.
+
+Reported-by: Andreas Dannenberg <dannenberg@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20191211155216.30212-1-vigneshr@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ti-qspi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-ti-qspi.c b/drivers/spi/spi-ti-qspi.c
+index b9fb6493cd6b..95c28abaa027 100644
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -69,6 +69,7 @@ struct ti_qspi {
+ u32 dc;
+
+ bool mmap_enabled;
++ int current_cs;
+ };
+
+ #define QSPI_PID (0x0)
+@@ -494,6 +495,7 @@ static void ti_qspi_enable_memory_map(struct spi_device *spi)
+ MEM_CS_EN(spi->chip_select));
+ }
+ qspi->mmap_enabled = true;
++ qspi->current_cs = spi->chip_select;
+ }
+
+ static void ti_qspi_disable_memory_map(struct spi_device *spi)
+@@ -505,6 +507,7 @@ static void ti_qspi_disable_memory_map(struct spi_device *spi)
+ regmap_update_bits(qspi->ctrl_base, qspi->ctrl_reg,
+ MEM_CS_MASK, 0);
+ qspi->mmap_enabled = false;
++ qspi->current_cs = -1;
+ }
+
+ static void ti_qspi_setup_mmap_read(struct spi_device *spi, u8 opcode,
+@@ -550,7 +553,7 @@ static int ti_qspi_exec_mem_op(struct spi_mem *mem,
+
+ mutex_lock(&qspi->list_lock);
+
+- if (!qspi->mmap_enabled)
++ if (!qspi->mmap_enabled || qspi->current_cs != mem->spi->chip_select)
+ ti_qspi_enable_memory_map(mem->spi);
+ ti_qspi_setup_mmap_read(mem->spi, op->cmd.opcode, op->data.buswidth,
+ op->addr.nbytes, op->dummy.nbytes);
+@@ -807,6 +810,7 @@ static int ti_qspi_probe(struct platform_device *pdev)
+ }
+ }
+ qspi->mmap_enabled = false;
++ qspi->current_cs = -1;
+
+ ret = devm_spi_register_master(&pdev->dev, master);
+ if (!ret)
+--
+2.20.1
+
--- /dev/null
+From e15fbf2e63a9da99f980c2b6dcd81cdff4c7846e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 15:52:33 +0800
+Subject: x86/efi: Update e820 with reserved EFI boot services data to fix
+ kexec breakage
+
+From: Dave Young <dyoung@redhat.com>
+
+[ Upstream commit af164898482817a1d487964b68f3c21bae7a1beb ]
+
+Michael Weiser reported that he got this error during a kexec rebooting:
+
+ esrt: Unsupported ESRT version 2904149718861218184.
+
+The ESRT memory stays in EFI boot services data, and it was reserved
+in kernel via efi_mem_reserve(). The initial purpose of the reservation
+is to reuse the EFI boot services data across kexec reboot. For example
+the BGRT image data and some ESRT memory like Michael reported.
+
+But although the memory is reserved it is not updated in the X86 E820 table,
+and kexec_file_load() iterates system RAM in the IO resource list to find places
+for kernel, initramfs and other stuff. In Michael's case the kexec loaded
+initramfs overwrote the ESRT memory and then the failure happened.
+
+Since kexec_file_load() depends on the E820 table being updated, just fix this
+by updating the reserved EFI boot services memory as reserved type in E820.
+
+Originally any memory descriptors with EFI_MEMORY_RUNTIME attribute are
+bypassed in the reservation code path because they are assumed as reserved.
+
+But the reservation is still needed for multiple kexec reboots,
+and it is the only possible case we come here thus just drop the code
+chunk, then everything works without side effects.
+
+On my machine the ESRT memory sits in an EFI runtime data range, it does
+not trigger the problem, but I successfully tested with BGRT instead.
+both kexec_load() and kexec_file_load() work and kdump works as well.
+
+[ mingo: Edited the changelog. ]
+
+Reported-by: Michael Weiser <michael@weiser.dinsnail.net>
+Tested-by: Michael Weiser <michael@weiser.dinsnail.net>
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: kexec@lists.infradead.org
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191204075233.GA10520@dhcp-128-65.nay.redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/quirks.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
+index 844d31cb8a0c..c9873c9168ad 100644
+--- a/arch/x86/platform/efi/quirks.c
++++ b/arch/x86/platform/efi/quirks.c
+@@ -259,10 +259,6 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size)
+ return;
+ }
+
+- /* No need to reserve regions that will never be freed. */
+- if (md.attribute & EFI_MEMORY_RUNTIME)
+- return;
+-
+ size += addr % EFI_PAGE_SIZE;
+ size = round_up(size, EFI_PAGE_SIZE);
+ addr = round_down(addr, EFI_PAGE_SIZE);
+@@ -292,6 +288,8 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size)
+ early_memunmap(new, new_size);
+
+ efi_memmap_install(new_phys, num_entries);
++ e820__range_update(addr, size, E820_TYPE_RAM, E820_TYPE_RESERVED);
++ e820__update_table(e820_table);
+ }
+
+ /*
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
