--- /dev/null
+From 2b47cc1ee0a0d8cd5352a95741d2bc2db6fa2fe1 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Mon, 8 Apr 2019 23:21:12 +0800
+Subject: ACPI/IORT: Reject platform device creation on NUMA node mapping
+ failure
+
+[ Upstream commit 36a2ba07757df790b4a874efb1a105b9330a9ae7 ]
+
+In a system where, through IORT firmware mappings, the SMMU device is
+mapped to a NUMA node that is not online, the kernel bootstrap results
+in the following crash:
+
+ Unable to handle kernel paging request at virtual address 0000000000001388
+ Mem abort info:
+ ESR = 0x96000004
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000004
+ CM = 0, WnR = 0
+ [0000000000001388] user address but active_mm is swapper
+ Internal error: Oops: 96000004 [#1] SMP
+ Modules linked in:
+ CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0 #15
+ pstate: 80c00009 (Nzcv daif +PAN +UAO)
+ pc : __alloc_pages_nodemask+0x13c/0x1068
+ lr : __alloc_pages_nodemask+0xdc/0x1068
+ ...
+ Process swapper/0 (pid: 1, stack limit = 0x(____ptrval____))
+ Call trace:
+ __alloc_pages_nodemask+0x13c/0x1068
+ new_slab+0xec/0x570
+ ___slab_alloc+0x3e0/0x4f8
+ __slab_alloc+0x60/0x80
+ __kmalloc_node_track_caller+0x10c/0x478
+ devm_kmalloc+0x44/0xb0
+ pinctrl_bind_pins+0x4c/0x188
+ really_probe+0x78/0x2b8
+ driver_probe_device+0x64/0x110
+ device_driver_attach+0x74/0x98
+ __driver_attach+0x9c/0xe8
+ bus_for_each_dev+0x84/0xd8
+ driver_attach+0x30/0x40
+ bus_add_driver+0x170/0x218
+ driver_register+0x64/0x118
+ __platform_driver_register+0x54/0x60
+ arm_smmu_driver_init+0x24/0x2c
+ do_one_initcall+0xbc/0x328
+ kernel_init_freeable+0x304/0x3ac
+ kernel_init+0x18/0x110
+ ret_from_fork+0x10/0x1c
+ Code: f90013b5 b9410fa1 1a9f0694 b50014c2 (b9400804)
+ ---[ end trace dfeaed4c373a32da ]--
+
+Change the dev_set_proximity() hook prototype so that it returns a
+value and make it return failure if the PXM->NUMA-node mapping
+corresponds to an offline node, fixing the crash.
+
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Link: https://lore.kernel.org/linux-arm-kernel/20190315021940.86905-1-wangkefeng.wang@huawei.com/
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/arm64/iort.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
+index e48894e002ba8..a46c2c162c03e 100644
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -1232,18 +1232,24 @@ static bool __init arm_smmu_v3_is_coherent(struct acpi_iort_node *node)
+ /*
+ * set numa proximity domain for smmuv3 device
+ */
+-static void __init arm_smmu_v3_set_proximity(struct device *dev,
++static int __init arm_smmu_v3_set_proximity(struct device *dev,
+ struct acpi_iort_node *node)
+ {
+ struct acpi_iort_smmu_v3 *smmu;
+
+ smmu = (struct acpi_iort_smmu_v3 *)node->node_data;
+ if (smmu->flags & ACPI_IORT_SMMU_V3_PXM_VALID) {
+- set_dev_node(dev, acpi_map_pxm_to_node(smmu->pxm));
++ int node = acpi_map_pxm_to_node(smmu->pxm);
++
++ if (node != NUMA_NO_NODE && !node_online(node))
++ return -EINVAL;
++
++ set_dev_node(dev, node);
+ pr_info("SMMU-v3[%llx] Mapped to Proximity domain %d\n",
+ smmu->base_address,
+ smmu->pxm);
+ }
++ return 0;
+ }
+ #else
+ #define arm_smmu_v3_set_proximity NULL
+@@ -1318,7 +1324,7 @@ struct iort_dev_config {
+ int (*dev_count_resources)(struct acpi_iort_node *node);
+ void (*dev_init_resources)(struct resource *res,
+ struct acpi_iort_node *node);
+- void (*dev_set_proximity)(struct device *dev,
++ int (*dev_set_proximity)(struct device *dev,
+ struct acpi_iort_node *node);
+ };
+
+@@ -1369,8 +1375,11 @@ static int __init iort_add_platform_device(struct acpi_iort_node *node,
+ if (!pdev)
+ return -ENOMEM;
+
+- if (ops->dev_set_proximity)
+- ops->dev_set_proximity(&pdev->dev, node);
++ if (ops->dev_set_proximity) {
++ ret = ops->dev_set_proximity(&pdev->dev, node);
++ if (ret)
++ goto dev_put;
++ }
+
+ count = ops->dev_count_resources(node);
+
+--
+2.20.1
+
--- /dev/null
+From fd7f51abb0a6cefd79a4fca77da2bfde0f0d7c2d Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Tue, 30 Apr 2019 10:52:29 -0500
+Subject: ACPI / property: fix handling of data_nodes in
+ acpi_get_next_subnode()
+
+[ Upstream commit 23583f7795025e3c783b680d906509366b0906ad ]
+
+When the DSDT tables expose devices with subdevices and a set of
+hierarchical _DSD properties, the data returned by
+acpi_get_next_subnode() is incorrect, with the results suggesting a bad
+pointer assignment. The parser works fine with device_nodes or
+data_nodes, but not with a combination of the two.
+
+The problem is traced to an invalid pointer used when jumping from
+handling device_nodes to data nodes. The existing code looks for data
+nodes below the last subdevice found instead of the common root. Fix
+by forcing the acpi_device pointer to be derived from the same fwnode
+for the two types of subnodes.
+
+This same problem of handling device and data nodes was already fixed
+in a similar way by 'commit bf4703fdd166 ("ACPI / property: fix data
+node parsing in acpi_get_next_subnode()")' but broken later by 'commit
+34055190b19 ("ACPI / property: Add fwnode_get_next_child_node()")', so
+this should probably go to linux-stable all the way to 4.12
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/property.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c
+index 77abe0ec40431..bd533f68b1dec 100644
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -1031,6 +1031,14 @@ struct fwnode_handle *acpi_get_next_subnode(const struct fwnode_handle *fwnode,
+ const struct acpi_data_node *data = to_acpi_data_node(fwnode);
+ struct acpi_data_node *dn;
+
++ /*
++ * We can have a combination of device and data nodes, e.g. with
++ * hierarchical _DSD properties. Make sure the adev pointer is
++ * restored before going through data nodes, otherwise we will
++ * be looking for data_nodes below the last device found instead
++ * of the common fwnode shared by device_nodes and data_nodes.
++ */
++ adev = to_acpi_device_node(fwnode);
+ if (adev)
+ head = &adev->data.subnodes;
+ else if (data)
+--
+2.20.1
+
--- /dev/null
+From 66bba2339a6b1df781996c7f788e7b90be401578 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 1 May 2019 15:58:24 +0100
+Subject: afs: Fix getting the afs.fid xattr
+
+[ Upstream commit a2f611a3dc317d8ea1c98ad6c54b911cf7f93193 ]
+
+The AFS3 FID is three 32-bit unsigned numbers and is represented as three
+up-to-8-hex-digit numbers separated by colons to the afs.fid xattr.
+However, with the advent of support for YFS, the FID is now a 64-bit volume
+number, a 96-bit vnode/inode number and a 32-bit uniquifier (as before).
+Whilst the sprintf in afs_xattr_get_fid() has been partially updated (it
+currently ignores the upper 32 bits of the 96-bit vnode number), the size
+of the stack-based buffer has not been increased to match, thereby allowing
+stack corruption to occur.
+
+Fix this by increasing the buffer size appropriately and conditionally
+including the upper part of the vnode number if it is non-zero. The latter
+requires the lower part to be zero-padded if the upper part is non-zero.
+
+Fixes: 3b6492df4153 ("afs: Increase to 64-bit volume ID and 96-bit vnode ID for YFS")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/xattr.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c
+index a2cdf25573e24..706801c6c4c4c 100644
+--- a/fs/afs/xattr.c
++++ b/fs/afs/xattr.c
+@@ -69,11 +69,20 @@ static int afs_xattr_get_fid(const struct xattr_handler *handler,
+ void *buffer, size_t size)
+ {
+ struct afs_vnode *vnode = AFS_FS_I(inode);
+- char text[8 + 1 + 8 + 1 + 8 + 1];
++ char text[16 + 1 + 24 + 1 + 8 + 1];
+ size_t len;
+
+- len = sprintf(text, "%llx:%llx:%x",
+- vnode->fid.vid, vnode->fid.vnode, vnode->fid.unique);
++ /* The volume ID is 64-bit, the vnode ID is 96-bit and the
++ * uniquifier is 32-bit.
++ */
++ len = sprintf(text, "%llx:", vnode->fid.vid);
++ if (vnode->fid.vnode_hi)
++ len += sprintf(text + len, "%x%016llx",
++ vnode->fid.vnode_hi, vnode->fid.vnode);
++ else
++ len += sprintf(text + len, "%llx", vnode->fid.vnode);
++ len += sprintf(text + len, ":%x", vnode->fid.unique);
++
+ if (size == 0)
+ return len;
+ if (len > size)
+--
+2.20.1
+
--- /dev/null
+From 561708574711cb9515faefe3c9c4ca754540f9c3 Mon Sep 17 00:00:00 2001
+From: Bard liao <yung-chuan.liao@linux.intel.com>
+Date: Sun, 28 Apr 2019 04:53:39 +0800
+Subject: ALSA: hda: fix unregister device twice on ASoC driver
+
+[ Upstream commit 4d95c51776b2edb4d4ebcea00b6e5a1fe538ce66 ]
+
+snd_hda_codec_device_new() is used by both legacy HDA and ASoC
+driver. However, we will call snd_hdac_device_unregister() in
+snd_hdac_ext_bus_device_remove() for ASoC device. This patch uses
+the type flag in hdac_device struct to determine is it a ASoC device
+or legacy HDA device and call snd_hdac_device_unregister() in
+snd_hda_codec_dev_free() only if it is a legacy HDA device.
+
+Signed-off-by: Bard liao <yung-chuan.liao@linux.intel.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_codec.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 701a69d856f5f..b20eb7fc83eb2 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -832,7 +832,13 @@ static int snd_hda_codec_dev_free(struct snd_device *device)
+ struct hda_codec *codec = device->device_data;
+
+ codec->in_freeing = 1;
+- snd_hdac_device_unregister(&codec->core);
++ /*
++ * snd_hda_codec_device_new() is used by legacy HDA and ASoC driver.
++ * We can't unregister ASoC device since it will be unregistered in
++ * snd_hdac_ext_bus_device_remove().
++ */
++ if (codec->core.type == HDA_DEV_LEGACY)
++ snd_hdac_device_unregister(&codec->core);
+ codec_display_power(codec, false);
+ put_device(hda_codec_dev(codec));
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 849513b6b731e068cb40362a21120fbd53b5ef9d Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Mon, 8 Apr 2019 16:49:01 +0100
+Subject: ARM: vdso: Remove dependency with the arch_timer driver internals
+
+[ Upstream commit 1f5b62f09f6b314c8d70b9de5182dae4de1f94da ]
+
+The VDSO code uses the kernel helper that was originally designed
+to abstract the access between 32 and 64bit systems. It worked so
+far because this function is declared as 'inline'.
+
+As we're about to revamp that part of the code, the VDSO would
+break. Let's fix it by doing what should have been done from
+the start, a proper system register access.
+
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/cp15.h | 2 ++
+ arch/arm/vdso/vgettimeofday.c | 5 +++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/include/asm/cp15.h b/arch/arm/include/asm/cp15.h
+index 07e27f212dc75..d2453e2d3f1f3 100644
+--- a/arch/arm/include/asm/cp15.h
++++ b/arch/arm/include/asm/cp15.h
+@@ -68,6 +68,8 @@
+ #define BPIALL __ACCESS_CP15(c7, 0, c5, 6)
+ #define ICIALLU __ACCESS_CP15(c7, 0, c5, 0)
+
++#define CNTVCT __ACCESS_CP15_64(1, c14)
++
+ extern unsigned long cr_alignment; /* defined in entry-armv.S */
+
+ static inline unsigned long get_cr(void)
+diff --git a/arch/arm/vdso/vgettimeofday.c b/arch/arm/vdso/vgettimeofday.c
+index a9dd619c6c290..7bdbf5d5c47d3 100644
+--- a/arch/arm/vdso/vgettimeofday.c
++++ b/arch/arm/vdso/vgettimeofday.c
+@@ -18,9 +18,9 @@
+ #include <linux/compiler.h>
+ #include <linux/hrtimer.h>
+ #include <linux/time.h>
+-#include <asm/arch_timer.h>
+ #include <asm/barrier.h>
+ #include <asm/bug.h>
++#include <asm/cp15.h>
+ #include <asm/page.h>
+ #include <asm/unistd.h>
+ #include <asm/vdso_datapage.h>
+@@ -123,7 +123,8 @@ static notrace u64 get_ns(struct vdso_data *vdata)
+ u64 cycle_now;
+ u64 nsec;
+
+- cycle_now = arch_counter_get_cntvct();
++ isb();
++ cycle_now = read_sysreg(CNTVCT);
+
+ cycle_delta = (cycle_now - vdata->cs_cycle_last) & vdata->cs_mask;
+
+--
+2.20.1
+
--- /dev/null
+From 9341c0012c134aba69508eb0e59e1086e2249d93 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 5 Mar 2019 19:34:05 +0800
+Subject: arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
+
+[ Upstream commit 92606ec9285fb84cd9b5943df23f07d741384bfc ]
+
+The call to of_get_next_child returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+ ./arch/arm64/kernel/cpu_ops.c:102:1-7: ERROR: missing of_node_put;
+ acquired a node pointer with refcount incremented on line 69, but
+ without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/cpu_ops.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/cpu_ops.c b/arch/arm64/kernel/cpu_ops.c
+index ea001241bdd47..00f8b8612b69f 100644
+--- a/arch/arm64/kernel/cpu_ops.c
++++ b/arch/arm64/kernel/cpu_ops.c
+@@ -85,6 +85,7 @@ static const char *__init cpu_read_enable_method(int cpu)
+ pr_err("%pOF: missing enable-method property\n",
+ dn);
+ }
++ of_node_put(dn);
+ } else {
+ enable_method = acpi_get_enable_method(cpu);
+ if (!enable_method) {
+--
+2.20.1
+
--- /dev/null
+From 162af7a789d403dfec069a3af8804388d30793cb Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Mon, 29 Apr 2019 13:37:01 -0400
+Subject: arm64: Fix compiler warning from pte_unmap() with
+ -Wunused-but-set-variable
+
+[ Upstream commit 74dd022f9e6260c3b5b8d15901d27ebcc5f21eda ]
+
+When building with -Wunused-but-set-variable, the compiler shouts about
+a number of pte_unmap() users, since this expands to an empty macro on
+arm64:
+
+ | mm/gup.c: In function 'gup_pte_range':
+ | mm/gup.c:1727:16: warning: variable 'ptem' set but not used
+ | [-Wunused-but-set-variable]
+ | mm/gup.c: At top level:
+ | mm/memory.c: In function 'copy_pte_range':
+ | mm/memory.c:821:24: warning: variable 'orig_dst_pte' set but not used
+ | [-Wunused-but-set-variable]
+ | mm/memory.c:821:9: warning: variable 'orig_src_pte' set but not used
+ | [-Wunused-but-set-variable]
+ | mm/swap_state.c: In function 'swap_ra_info':
+ | mm/swap_state.c:641:15: warning: variable 'orig_pte' set but not used
+ | [-Wunused-but-set-variable]
+ | mm/madvise.c: In function 'madvise_free_pte_range':
+ | mm/madvise.c:318:9: warning: variable 'orig_pte' set but not used
+ | [-Wunused-but-set-variable]
+
+Rewrite pte_unmap() as a static inline function, which silences the
+warnings.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/pgtable.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index de70c1eabf336..74ebe96937141 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -478,6 +478,8 @@ static inline phys_addr_t pmd_page_paddr(pmd_t pmd)
+ return __pmd_to_phys(pmd);
+ }
+
++static inline void pte_unmap(pte_t *pte) { }
++
+ /* Find an entry in the third-level page table. */
+ #define pte_index(addr) (((addr) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1))
+
+@@ -486,7 +488,6 @@ static inline phys_addr_t pmd_page_paddr(pmd_t pmd)
+
+ #define pte_offset_map(dir,addr) pte_offset_kernel((dir), (addr))
+ #define pte_offset_map_nested(dir,addr) pte_offset_kernel((dir), (addr))
+-#define pte_unmap(pte) do { } while (0)
+ #define pte_unmap_nested(pte) do { } while (0)
+
+ #define pte_set_fixmap(addr) ((pte_t *)set_fixmap_offset(FIX_PTE, addr))
+--
+2.20.1
+
--- /dev/null
+From f72b99c4e8f7637ad38af8bb33e13c7a4b47dfc0 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 8 Apr 2019 12:45:09 +0100
+Subject: arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value
+
+[ Upstream commit 84ff7a09c371bc7417eabfda19bf7f113ec917b6 ]
+
+Rather embarrassingly, our futex() FUTEX_WAKE_OP implementation doesn't
+explicitly set the return value on the non-faulting path and instead
+leaves it holding the result of the underlying atomic operation. This
+means that any FUTEX_WAKE_OP atomic operation which computes a non-zero
+value will be reported as having failed. Regrettably, I wrote the buggy
+code back in 2011 and it was upstreamed as part of the initial arm64
+support in 2012.
+
+The reasons we appear to get away with this are:
+
+ 1. FUTEX_WAKE_OP is rarely used and therefore doesn't appear to get
+ exercised by futex() test applications
+
+ 2. If the result of the atomic operation is zero, the system call
+ behaves correctly
+
+ 3. Prior to version 2.25, the only operation used by GLIBC set the
+ futex to zero, and therefore worked as expected. From 2.25 onwards,
+ FUTEX_WAKE_OP is not used by GLIBC at all.
+
+Fix the implementation by ensuring that the return value is either 0
+to indicate that the atomic operation completed successfully, or -EFAULT
+if we encountered a fault when accessing the user mapping.
+
+Cc: <stable@kernel.org>
+Fixes: 6170a97460db ("arm64: Atomic operations")
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/futex.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h
+index 6fb2214333a24..2d78ea6932b7b 100644
+--- a/arch/arm64/include/asm/futex.h
++++ b/arch/arm64/include/asm/futex.h
+@@ -58,7 +58,7 @@ do { \
+ static inline int
+ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr)
+ {
+- int oldval = 0, ret, tmp;
++ int oldval, ret, tmp;
+ u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);
+
+ pagefault_disable();
+--
+2.20.1
+
--- /dev/null
+From 57cea971366a9b4a94bafd32aa2b857aa960516f Mon Sep 17 00:00:00 2001
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Date: Tue, 16 Apr 2019 17:14:30 +0100
+Subject: arm64: vdso: Fix clock_getres() for CLOCK_REALTIME
+
+[ Upstream commit 81fb8736dd81da3fe94f28968dac60f392ec6746 ]
+
+clock_getres() in the vDSO library has to preserve the same behaviour
+of posix_get_hrtimer_res().
+
+In particular, posix_get_hrtimer_res() does:
+
+ sec = 0;
+ ns = hrtimer_resolution;
+
+where 'hrtimer_resolution' depends on whether or not high resolution
+timers are enabled, which is a runtime decision.
+
+The vDSO incorrectly returns the constant CLOCK_REALTIME_RES. Fix this
+by exposing 'hrtimer_resolution' in the vDSO datapage and returning that
+instead.
+
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+[will: Use WRITE_ONCE(), move adr off COARSE path, renumber labels, use 'w' reg]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/vdso_datapage.h | 1 +
+ arch/arm64/kernel/asm-offsets.c | 2 +-
+ arch/arm64/kernel/vdso.c | 3 +++
+ arch/arm64/kernel/vdso/gettimeofday.S | 7 +++----
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/include/asm/vdso_datapage.h b/arch/arm64/include/asm/vdso_datapage.h
+index 2b9a63771eda8..f89263c8e11af 100644
+--- a/arch/arm64/include/asm/vdso_datapage.h
++++ b/arch/arm64/include/asm/vdso_datapage.h
+@@ -38,6 +38,7 @@ struct vdso_data {
+ __u32 tz_minuteswest; /* Whacky timezone stuff */
+ __u32 tz_dsttime;
+ __u32 use_syscall;
++ __u32 hrtimer_res;
+ };
+
+ #endif /* !__ASSEMBLY__ */
+diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c
+index 7f40dcbdd51d0..e10e2a5d9ddcf 100644
+--- a/arch/arm64/kernel/asm-offsets.c
++++ b/arch/arm64/kernel/asm-offsets.c
+@@ -94,7 +94,7 @@ int main(void)
+ DEFINE(CLOCK_REALTIME, CLOCK_REALTIME);
+ DEFINE(CLOCK_MONOTONIC, CLOCK_MONOTONIC);
+ DEFINE(CLOCK_MONOTONIC_RAW, CLOCK_MONOTONIC_RAW);
+- DEFINE(CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC);
++ DEFINE(CLOCK_REALTIME_RES, offsetof(struct vdso_data, hrtimer_res));
+ DEFINE(CLOCK_REALTIME_COARSE, CLOCK_REALTIME_COARSE);
+ DEFINE(CLOCK_MONOTONIC_COARSE,CLOCK_MONOTONIC_COARSE);
+ DEFINE(CLOCK_COARSE_RES, LOW_RES_NSEC);
+diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c
+index 2d419006ad433..ec0bb588d7553 100644
+--- a/arch/arm64/kernel/vdso.c
++++ b/arch/arm64/kernel/vdso.c
+@@ -232,6 +232,9 @@ void update_vsyscall(struct timekeeper *tk)
+ vdso_data->wtm_clock_sec = tk->wall_to_monotonic.tv_sec;
+ vdso_data->wtm_clock_nsec = tk->wall_to_monotonic.tv_nsec;
+
++ /* Read without the seqlock held by clock_getres() */
++ WRITE_ONCE(vdso_data->hrtimer_res, hrtimer_resolution);
++
+ if (!use_syscall) {
+ /* tkr_mono.cycle_last == tkr_raw.cycle_last */
+ vdso_data->cs_cycle_last = tk->tkr_mono.cycle_last;
+diff --git a/arch/arm64/kernel/vdso/gettimeofday.S b/arch/arm64/kernel/vdso/gettimeofday.S
+index e8f60112818fc..856fee6d35129 100644
+--- a/arch/arm64/kernel/vdso/gettimeofday.S
++++ b/arch/arm64/kernel/vdso/gettimeofday.S
+@@ -308,13 +308,14 @@ ENTRY(__kernel_clock_getres)
+ ccmp w0, #CLOCK_MONOTONIC_RAW, #0x4, ne
+ b.ne 1f
+
+- ldr x2, 5f
++ adr vdso_data, _vdso_data
++ ldr w2, [vdso_data, #CLOCK_REALTIME_RES]
+ b 2f
+ 1:
+ cmp w0, #CLOCK_REALTIME_COARSE
+ ccmp w0, #CLOCK_MONOTONIC_COARSE, #0x4, ne
+ b.ne 4f
+- ldr x2, 6f
++ ldr x2, 5f
+ 2:
+ cbz x1, 3f
+ stp xzr, x2, [x1]
+@@ -328,8 +329,6 @@ ENTRY(__kernel_clock_getres)
+ svc #0
+ ret
+ 5:
+- .quad CLOCK_REALTIME_RES
+-6:
+ .quad CLOCK_COARSE_RES
+ .cfi_endproc
+ ENDPROC(__kernel_clock_getres)
+--
+2.20.1
+
--- /dev/null
+From f540f4328800b784a8d74e0a14faa515f9880efe Mon Sep 17 00:00:00 2001
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Date: Thu, 4 Apr 2019 17:30:40 -0700
+Subject: ASoC: core: remove link components before cleaning up card resources
+
+[ Upstream commit f96fb7d198ca624fe33c4145a004eb5a3d0eddec ]
+
+When the card is registered by the machine driver,
+dai link components are probed after the snd_card is
+created. This is done in snd_soc_bind_card() which calls
+snd_soc_instantiate_card() to first create the snd_card
+and then probes the link components by calling
+soc_probe_link_components(). The snd_card is used by the
+component driver to add the kcontrols associated
+with dapm widgets to the card.
+
+When the machine driver is unregistered, the snd_card
+is freed when the card resources are cleaned up.
+But the snd_card needs to be valid while unloading the
+topology dapm widgets in order to remove the kcontrols
+from the card.
+
+Since, unloading topology is done when the component
+driver is removed, the link components should be removed
+in snd_soc_unbind_card(). This will ensure that the kcontrols
+are removed before the card resources are cleaned up and
+the snd_card itself is freed.
+
+Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 46e3ab0fced47..fe99b02bbf171 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2828,10 +2828,21 @@ EXPORT_SYMBOL_GPL(snd_soc_register_card);
+
+ static void snd_soc_unbind_card(struct snd_soc_card *card, bool unregister)
+ {
++ struct snd_soc_pcm_runtime *rtd;
++ int order;
++
+ if (card->instantiated) {
+ card->instantiated = false;
+ snd_soc_dapm_shutdown(card);
+ snd_soc_flush_all_delayed_work(card);
++
++ /* remove all components used by DAI links on this card */
++ for_each_comp_order(order) {
++ for_each_card_rtds(card, rtd) {
++ soc_remove_link_components(card, rtd, order);
++ }
++ }
++
+ soc_cleanup_card_resources(card);
+ if (!unregister)
+ list_add(&card->list, &unbind_card_list);
+--
+2.20.1
+
--- /dev/null
+From 6d07bc1f4350530b02bdecb8986994a03e345a17 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 7 Mar 2019 11:11:30 +0100
+Subject: ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
+
+[ Upstream commit 8ca5104715cfd14254ea5aecc390ae583b707607 ]
+
+Building with clang shows a variable that is only used by the
+suspend/resume functions but defined outside of their #ifdef block:
+
+sound/soc/ti/davinci-mcasp.c:48:12: error: variable 'context_regs' is not needed and will not be emitted
+
+We commonly fix these by marking the PM functions as __maybe_unused,
+but here that would grow the davinci_mcasp structure, so instead
+add another #ifdef here.
+
+Fixes: 1cc0c054f380 ("ASoC: davinci-mcasp: Convert the context save/restore to use array")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/ti/davinci-mcasp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/ti/davinci-mcasp.c b/sound/soc/ti/davinci-mcasp.c
+index a3a67a8f0f543..9fbc759fdefe1 100644
+--- a/sound/soc/ti/davinci-mcasp.c
++++ b/sound/soc/ti/davinci-mcasp.c
+@@ -45,6 +45,7 @@
+
+ #define MCASP_MAX_AFIFO_DEPTH 64
+
++#ifdef CONFIG_PM
+ static u32 context_regs[] = {
+ DAVINCI_MCASP_TXFMCTL_REG,
+ DAVINCI_MCASP_RXFMCTL_REG,
+@@ -68,6 +69,7 @@ struct davinci_mcasp_context {
+ u32 *xrsr_regs; /* for serializer configuration */
+ bool pm_state;
+ };
++#endif
+
+ struct davinci_mcasp_ruledata {
+ struct davinci_mcasp *mcasp;
+--
+2.20.1
+
--- /dev/null
+From 510f8898818a910e3052115c935395f50c0cd809 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:51 +0800
+Subject: ASoC: eukrea-tlv320: fix a leaked reference by adding missing
+ of_node_put
+
+[ Upstream commit b820d52e7eed7b30b2dfef5f4213a2bc3cbea6f3 ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function.
+./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/eukrea-tlv320.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
+index 191426a6d9adf..30a3d68b5c033 100644
+--- a/sound/soc/fsl/eukrea-tlv320.c
++++ b/sound/soc/fsl/eukrea-tlv320.c
+@@ -118,13 +118,13 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(&pdev->dev,
+ "fsl,mux-int-port node missing or invalid.\n");
+- return ret;
++ goto err;
+ }
+ ret = of_property_read_u32(np, "fsl,mux-ext-port", &ext_port);
+ if (ret) {
+ dev_err(&pdev->dev,
+ "fsl,mux-ext-port node missing or invalid.\n");
+- return ret;
++ goto err;
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 330d96303163c31021afc3ce3ea2de61e50f2ce6 Mon Sep 17 00:00:00 2001
+From: Daniel Baluta <daniel.baluta@nxp.com>
+Date: Sun, 21 Apr 2019 19:39:08 +0000
+Subject: ASoC: fsl_sai: Update is_slave_mode with correct value
+
+[ Upstream commit ddb351145a967ee791a0fb0156852ec2fcb746ba ]
+
+is_slave_mode defaults to false because sai structure
+that contains it is kzalloc'ed.
+
+Anyhow, if we decide to set the following configuration
+SAI slave -> SAI master, is_slave_mode will remain set on true
+although SAI being master it should be set to false.
+
+Fix this by updating is_slave_mode for each call of
+fsl_sai_set_dai_fmt.
+
+Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index db9e0872f73db..7549b74e464e9 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -268,12 +268,14 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+ case SND_SOC_DAIFMT_CBS_CFS:
+ val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
+ val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
++ sai->is_slave_mode = false;
+ break;
+ case SND_SOC_DAIFMT_CBM_CFM:
+ sai->is_slave_mode = true;
+ break;
+ case SND_SOC_DAIFMT_CBS_CFM:
+ val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
++ sai->is_slave_mode = false;
+ break;
+ case SND_SOC_DAIFMT_CBM_CFS:
+ val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
+--
+2.20.1
+
--- /dev/null
+From 8944eed2656268cde9909e9b2fddc294954a4ae5 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:50 +0800
+Subject: ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
+
+[ Upstream commit c705247136a523488eac806bd357c3e5d79a7acd ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Timur Tabi <timur@kernel.org>
+Cc: Nicolin Chen <nicoleotsuka@gmail.com>
+Cc: Xiubo Li <Xiubo.Lee@gmail.com>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/fsl/fsl_utils.c b/sound/soc/fsl/fsl_utils.c
+index 9981668ab5909..040d06b89f00a 100644
+--- a/sound/soc/fsl/fsl_utils.c
++++ b/sound/soc/fsl/fsl_utils.c
+@@ -71,6 +71,7 @@ int fsl_asoc_get_dma_channel(struct device_node *ssi_np,
+ iprop = of_get_property(dma_np, "cell-index", NULL);
+ if (!iprop) {
+ of_node_put(dma_np);
++ of_node_put(dma_channel_np);
+ return -EINVAL;
+ }
+ *dma_id = be32_to_cpup(iprop);
+--
+2.20.1
+
--- /dev/null
+From eca25d1bf57f905f5ff39d486ac34270c25801f3 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Mon, 29 Apr 2019 15:29:39 +0200
+Subject: ASoC: hdmi-codec: unlock the device on startup errors
+
+[ Upstream commit 30180e8436046344b12813dc954b2e01dfdcd22d ]
+
+If the hdmi codec startup fails, it should clear the current_substream
+pointer to free the device. This is properly done for the audio_startup()
+callback but for snd_pcm_hw_constraint_eld().
+
+Make sure the pointer cleared if an error is reported.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdmi-codec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/hdmi-codec.c b/sound/soc/codecs/hdmi-codec.c
+index 35df73e42cbc5..fb2f0ac1f16f3 100644
+--- a/sound/soc/codecs/hdmi-codec.c
++++ b/sound/soc/codecs/hdmi-codec.c
+@@ -439,8 +439,12 @@ static int hdmi_codec_startup(struct snd_pcm_substream *substream,
+ if (!ret) {
+ ret = snd_pcm_hw_constraint_eld(substream->runtime,
+ hcp->eld);
+- if (ret)
++ if (ret) {
++ mutex_lock(&hcp->current_stream_lock);
++ hcp->current_stream = NULL;
++ mutex_unlock(&hcp->current_stream_lock);
+ return ret;
++ }
+ }
+ /* Select chmap supported */
+ hdmi_codec_eld_chmap(hcp);
+--
+2.20.1
+
--- /dev/null
+From 8d389c488f7556fb0e0fda1be588a3fc57a21a44 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 16 Apr 2019 15:12:23 +0200
+Subject: ASoC: imx: fix fiq dependencies
+
+[ Upstream commit ea751227c813ab833609afecfeedaf0aa26f327e ]
+
+During randconfig builds, I occasionally run into an invalid configuration
+of the freescale FIQ sound support:
+
+WARNING: unmet direct dependencies detected for SND_SOC_IMX_PCM_FIQ
+ Depends on [m]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]
+ Selected by [y]:
+ - SND_SOC_FSL_SPDIF [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]!=n && (MXC_TZIC [=n] || MXC_AVIC [=y])
+
+sound/soc/fsl/imx-ssi.o: In function `imx_ssi_remove':
+imx-ssi.c:(.text+0x28): undefined reference to `imx_pcm_fiq_exit'
+sound/soc/fsl/imx-ssi.o: In function `imx_ssi_probe':
+imx-ssi.c:(.text+0xa64): undefined reference to `imx_pcm_fiq_init'
+
+The Kconfig warning is a result of the symbol being defined inside of
+the "if SND_IMX_SOC" block, and is otherwise harmless. The link error
+is more tricky and happens with SND_SOC_IMX_SSI=y, which may or may not
+imply FIQ support. However, if SND_SOC_FSL_SSI is set to =m at the same
+time, that selects SND_SOC_IMX_PCM_FIQ as a loadable module dependency,
+which then causes a link failure from imx-ssi.
+
+The solution here is to make SND_SOC_IMX_PCM_FIQ built-in whenever
+one of its potential users is built-in.
+
+Fixes: ff40260f79dc ("ASoC: fsl: refine DMA/FIQ dependencies")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/Kconfig | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig
+index 7b1d9970be8b3..1f65cf555ebe0 100644
+--- a/sound/soc/fsl/Kconfig
++++ b/sound/soc/fsl/Kconfig
+@@ -182,16 +182,17 @@ config SND_MPC52xx_SOC_EFIKA
+
+ endif # SND_POWERPC_SOC
+
++config SND_SOC_IMX_PCM_FIQ
++ tristate
++ default y if SND_SOC_IMX_SSI=y && (SND_SOC_FSL_SSI=m || SND_SOC_FSL_SPDIF=m) && (MXC_TZIC || MXC_AVIC)
++ select FIQ
++
+ if SND_IMX_SOC
+
+ config SND_SOC_IMX_SSI
+ tristate
+ select SND_SOC_FSL_UTILS
+
+-config SND_SOC_IMX_PCM_FIQ
+- tristate
+- select FIQ
+-
+ comment "SoC Audio support for Freescale i.MX boards:"
+
+ config SND_MXC_SOC_WM1133_EV1
+--
+2.20.1
+
--- /dev/null
+From 6b1ca0ef38f1235cbe882260ae5fdbff691f22e8 Mon Sep 17 00:00:00 2001
+From: Mac Chiang <mac.chiang@intel.com>
+Date: Thu, 2 May 2019 14:12:04 +0800
+Subject: ASoC: Intel: kbl_da7219_max98357a: Map BTN_0 to KEY_PLAYPAUSE
+
+[ Upstream commit 16ec5dfe0327ddcf279957bffe4c8fe527088c63 ]
+
+On kbl_rt5663_max98927, commit 38a5882e4292
+ ("ASoC: Intel: kbl_rt5663_max98927: Map BTN_0 to KEY_PLAYPAUSE")
+ This key pair mapping to play/pause when playing Youtube
+
+The Android 3.5mm Headset jack specification mentions that BTN_0 should
+be mapped to KEY_MEDIA, but this is less logical than KEY_PLAYPAUSE,
+which has much broader userspace support.
+
+For example, the Chrome OS userspace now supports KEY_PLAYPAUSE to toggle
+play/pause of videos and audio, but does not handle KEY_MEDIA.
+
+Furthermore, Android itself now supports KEY_PLAYPAUSE equivalently, as the
+new USB headset spec requires KEY_PLAYPAUSE for BTN_0.
+https://source.android.com/devices/accessories/headset/usb-headset-spec
+
+The same fix is required on Chrome kbl_da7219_max98357a.
+
+Signed-off-by: Mac Chiang <mac.chiang@intel.com>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/kbl_da7219_max98357a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/boards/kbl_da7219_max98357a.c b/sound/soc/intel/boards/kbl_da7219_max98357a.c
+index 38f6ab74709d0..07491a0f8fb8b 100644
+--- a/sound/soc/intel/boards/kbl_da7219_max98357a.c
++++ b/sound/soc/intel/boards/kbl_da7219_max98357a.c
+@@ -188,7 +188,7 @@ static int kabylake_da7219_codec_init(struct snd_soc_pcm_runtime *rtd)
+
+ jack = &ctx->kabylake_headset;
+
+- snd_jack_set_key(jack->jack, SND_JACK_BTN_0, KEY_MEDIA);
++ snd_jack_set_key(jack->jack, SND_JACK_BTN_0, KEY_PLAYPAUSE);
+ snd_jack_set_key(jack->jack, SND_JACK_BTN_1, KEY_VOLUMEUP);
+ snd_jack_set_key(jack->jack, SND_JACK_BTN_2, KEY_VOLUMEDOWN);
+ snd_jack_set_key(jack->jack, SND_JACK_BTN_3, KEY_VOICECOMMAND);
+--
+2.20.1
+
--- /dev/null
+From c341e5a25c0d6502e8d0a5c243a233520baf71ee Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 4 Mar 2019 21:30:50 +0100
+Subject: ASoC: ti: fix davinci_mcasp_probe dependencies
+
+[ Upstream commit 7d7b25d05ef1c5a1a9320190e1eeb55534847558 ]
+
+The SND_SOC_DAVINCI_MCASP driver can use either edma or sdma as
+a back-end, and it takes the presence of the respective dma engine
+drivers in the configuration as an indication to which ones should be
+built. However, this is flawed in multiple ways:
+
+- With CONFIG_TI_EDMA=m and CONFIG_SND_SOC_DAVINCI_MCASP=y,
+ is enabled as =m, and we get a link error:
+ sound/soc/ti/davinci-mcasp.o: In function `davinci_mcasp_probe':
+ davinci-mcasp.c:(.text+0x930): undefined reference to `edma_pcm_platform_register'
+
+- When CONFIG_SND_SOC_DAVINCI_MCASP=m has already been selected by
+ another driver, the same link error appears even if CONFIG_TI_EDMA
+ is disabled
+
+There are possibly other issues here, but it seems that the only reasonable
+solution is to always build both SND_SOC_TI_EDMA_PCM and
+SND_SOC_TI_SDMA_PCM as a dependency here. Both are fairly small and
+do not have any other compile-time dependencies, so the cost is
+very small, and makes the configuration stage much more consistent.
+
+Fixes: f2055e145f29 ("ASoC: ti: Merge davinci and omap directories")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/ti/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/ti/Kconfig b/sound/soc/ti/Kconfig
+index 4bf3c15d4e514..ee7c202c69b77 100644
+--- a/sound/soc/ti/Kconfig
++++ b/sound/soc/ti/Kconfig
+@@ -21,8 +21,8 @@ config SND_SOC_DAVINCI_ASP
+
+ config SND_SOC_DAVINCI_MCASP
+ tristate "Multichannel Audio Serial Port (McASP) support"
+- select SND_SOC_TI_EDMA_PCM if TI_EDMA
+- select SND_SOC_TI_SDMA_PCM if DMA_OMAP
++ select SND_SOC_TI_EDMA_PCM
++ select SND_SOC_TI_SDMA_PCM
+ help
+ Say Y or M here if you want to have support for McASP IP found in
+ various Texas Instruments SoCs like:
+--
+2.20.1
+
--- /dev/null
+From a74e77dfd295b3069cf36992a36e671497078cac Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:49 +0800
+Subject: ASoC: wcd9335: fix a leaked reference by adding missing of_node_put
+
+[ Upstream commit 64b92de9603f22b5455da925ee57268ef7fb4e80 ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/codecs/wcd9335.c:5193:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 5183, but without a correspon ding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com> (commit_signer:1/11=9%,authored:1/11=9%)
+Cc: alsa-devel@alsa-project.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index 981f88a5f6154..a04a7cedd99de 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -5188,6 +5188,7 @@ static int wcd9335_slim_status(struct slim_device *sdev,
+
+ wcd->slim = sdev;
+ wcd->slim_ifc_dev = of_slim_get_device(sdev->ctrl, ifc_dev_np);
++ of_node_put(ifc_dev_np);
+ if (!wcd->slim_ifc_dev) {
+ dev_err(dev, "Unable to get SLIM Interface device\n");
+ return -EINVAL;
+--
+2.20.1
+
--- /dev/null
+From eb09405438b2e28123b6392fb97dc1152c4e8235 Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Thu, 7 Mar 2019 09:16:24 +0800
+Subject: audit: fix a memleak caused by auditing load module
+
+[ Upstream commit 95e0b46fcebd7dbf6850dee96046e4c4ddc7f69c ]
+
+module.name will be allocated unconditionally when auditing load
+module, and audit_log_start() can fail with other reasons, or
+audit_log_exit maybe not called, caused module.name is not freed
+
+so free module.name in audit_free_context and __audit_syscall_exit
+
+unreferenced object 0xffff88af90837d20 (size 8):
+ comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
+ hex dump (first 8 bytes):
+ 69 78 67 62 65 00 ff ff ixgbe...
+ backtrace:
+ [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
+ [<00000000c1491e61>] load_module+0x64f/0x3850
+ [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
+ [<0000000000d4a478>] do_syscall_64+0x117/0x400
+ [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [<000000007dc331dd>] 0xffffffffffffffff
+
+Fixes: ca86cad7380e3 ("audit: log module name on init_module")
+Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+[PM: manual merge fixup in __audit_syscall_exit()]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/auditsc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index d1eab1d4a930e..fa7b8047aab89 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -840,6 +840,13 @@ static inline void audit_proctitle_free(struct audit_context *context)
+ context->proctitle.len = 0;
+ }
+
++static inline void audit_free_module(struct audit_context *context)
++{
++ if (context->type == AUDIT_KERN_MODULE) {
++ kfree(context->module.name);
++ context->module.name = NULL;
++ }
++}
+ static inline void audit_free_names(struct audit_context *context)
+ {
+ struct audit_names *n, *next;
+@@ -923,6 +930,7 @@ int audit_alloc(struct task_struct *tsk)
+
+ static inline void audit_free_context(struct audit_context *context)
+ {
++ audit_free_module(context);
+ audit_free_names(context);
+ unroll_tree_refs(context, NULL, 0);
+ free_tree_refs(context);
+@@ -1266,7 +1274,6 @@ static void show_special(struct audit_context *context, int *call_panic)
+ audit_log_format(ab, "name=");
+ if (context->module.name) {
+ audit_log_untrustedstring(ab, context->module.name);
+- kfree(context->module.name);
+ } else
+ audit_log_format(ab, "(null)");
+
+@@ -1697,6 +1704,7 @@ void __audit_syscall_exit(int success, long return_code)
+ context->in_syscall = 0;
+ context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
+
++ audit_free_module(context);
+ audit_free_names(context);
+ unroll_tree_refs(context, NULL, 0);
+ audit_free_aux(context);
+--
+2.20.1
+
--- /dev/null
+From 7593cfb16c000c5f4d68c552267ad6a5f67ce74b Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 19 Apr 2019 20:49:29 -0500
+Subject: audit: fix a memory leak bug
+
+[ Upstream commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f ]
+
+In audit_rule_change(), audit_data_to_entry() is firstly invoked to
+translate the payload data to the kernel's rule representation. In
+audit_data_to_entry(), depending on the audit field type, an audit tree may
+be created in audit_make_tree(), which eventually invokes kmalloc() to
+allocate the tree. Since this tree is a temporary tree, it will be then
+freed in the following execution, e.g., audit_add_rule() if the message
+type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
+AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
+AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
+temporary tree is not freed.
+
+To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
+or AUDIT_DEL_RULE.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/auditfilter.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index 63f8b3f26fab4..3ac71c4fda49a 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1114,22 +1114,24 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
+ int err = 0;
+ struct audit_entry *entry;
+
+- entry = audit_data_to_entry(data, datasz);
+- if (IS_ERR(entry))
+- return PTR_ERR(entry);
+-
+ switch (type) {
+ case AUDIT_ADD_RULE:
++ entry = audit_data_to_entry(data, datasz);
++ if (IS_ERR(entry))
++ return PTR_ERR(entry);
+ err = audit_add_rule(entry);
+ audit_log_rule_change("add_rule", &entry->rule, !err);
+ break;
+ case AUDIT_DEL_RULE:
++ entry = audit_data_to_entry(data, datasz);
++ if (IS_ERR(entry))
++ return PTR_ERR(entry);
+ err = audit_del_rule(entry);
+ audit_log_rule_change("remove_rule", &entry->rule, !err);
+ break;
+ default:
+- err = -EINVAL;
+ WARN_ON(1);
++ return -EINVAL;
+ }
+
+ if (err || type == AUDIT_DEL_RULE) {
+--
+2.20.1
+
--- /dev/null
+From 14994673c6ceddbc065bb4ac417e8906c5ba16b9 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2019 15:37:02 +0100
+Subject: b43: shut up clang -Wuninitialized variable warning
+
+[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]
+
+Clang warns about what is clearly a case of passing an uninitalized
+variable into a static function:
+
+drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
+ [-Werror,-Wuninitialized]
+ lpphy_papd_cal(dev, gains, 0, 1, 30);
+ ^~~~~
+drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
+ struct lpphy_tx_gains gains, oldgains;
+ ^
+1 error generated.
+
+However, this function is empty, and its arguments are never evaluated,
+so gcc in contrast does not warn here. Both compilers behave in a
+reasonable way as far as I can tell, so we should change the code
+to avoid the warning everywhere.
+
+We could just eliminate the lpphy_papd_cal() function entirely,
+given that it has had the TODO comment in it for 10 years now
+and is rather unlikely to ever get done. I'm doing a simpler
+change here, and just pass the 'oldgains' variable in that has
+been initialized, based on the guess that this is what was
+originally meant.
+
+Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration & software RFKILL support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/phy_lp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c
+index 46408a560814c..aedee026c5e24 100644
+--- a/drivers/net/wireless/broadcom/b43/phy_lp.c
++++ b/drivers/net/wireless/broadcom/b43/phy_lp.c
+@@ -1835,7 +1835,7 @@ static void lpphy_papd_cal(struct b43_wldev *dev, struct lpphy_tx_gains gains,
+ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev)
+ {
+ struct b43_phy_lp *lpphy = dev->phy.lp;
+- struct lpphy_tx_gains gains, oldgains;
++ struct lpphy_tx_gains oldgains;
+ int old_txpctl, old_afe_ovr, old_rf, old_bbmult;
+
+ lpphy_read_tx_pctl_mode_from_hardware(dev);
+@@ -1849,9 +1849,9 @@ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev)
+ lpphy_set_tx_power_control(dev, B43_LPPHY_TXPCTL_OFF);
+
+ if (dev->dev->chip_id == 0x4325 && dev->dev->chip_rev == 0)
+- lpphy_papd_cal(dev, gains, 0, 1, 30);
++ lpphy_papd_cal(dev, oldgains, 0, 1, 30);
+ else
+- lpphy_papd_cal(dev, gains, 0, 1, 65);
++ lpphy_papd_cal(dev, oldgains, 0, 1, 65);
+
+ if (old_afe_ovr)
+ lpphy_set_tx_gains(dev, oldgains);
+--
+2.20.1
+
--- /dev/null
+From 440c562421ff37ac9e6c6a1d3b3e17e900134c68 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Thu, 14 Feb 2019 16:52:43 +0100
+Subject: batman-adv: allow updating DAT entry timeouts on incoming ARP Replies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 099e6cc1582dc2903fecb898bbeae8f7cf4262c7 ]
+
+Currently incoming ARP Replies, for example via a DHT-PUT message, do
+not update the timeout for an already existing DAT entry. These ARP
+Replies are dropped instead.
+
+This however defeats the purpose of the DHCPACK snooping, for instance.
+Right now, a DAT entry in the DHT will be purged every five minutes,
+likely leading to a mesh-wide ARP Request broadcast after this timeout.
+Which then recreates the entry. The idea of the DHCPACK snooping is to
+be able to update an entry before a timeout happens, to avoid ARP Request
+flooding.
+
+This patch fixes this issue by updating a DAT entry on incoming
+ARP Replies even if a matching DAT entry already exists. While still
+filtering the ARP Reply towards the soft-interface, to avoid duplicate
+messages on the client device side.
+
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index 310a4f353008d..8d290da0d5967 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -1444,7 +1444,6 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ hw_src, &ip_src, hw_dst, &ip_dst,
+ dat_entry->mac_addr, &dat_entry->ip);
+ dropped = true;
+- goto out;
+ }
+
+ /* Update our internal cache with both the IP addresses the node got
+@@ -1453,6 +1452,9 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ batadv_dat_entry_add(bat_priv, ip_src, hw_src, vid);
+ batadv_dat_entry_add(bat_priv, ip_dst, hw_dst, vid);
+
++ if (dropped)
++ goto out;
++
+ /* If BLA is enabled, only forward ARP replies if we have claimed the
+ * source of the ARP reply or if no one else of the same backbone has
+ * already claimed that client. This prevents that different gateways
+--
+2.20.1
+
--- /dev/null
+From d54bc4aaec84d197cc48f514b1f3d430122be3a4 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Thu, 25 Apr 2019 00:48:34 +0800
+Subject: bcache: add failure check to run_cache_set() for journal replay
+
+[ Upstream commit ce3e4cfb59cb382f8e5ce359238aa580d4ae7778 ]
+
+Currently run_cache_set() has no return value, if there is failure in
+bch_journal_replay(), the caller of run_cache_set() has no idea about
+such failure and just continue to execute following code after
+run_cache_set(). The internal failure is triggered inside
+bch_journal_replay() and being handled in async way. This behavior is
+inefficient, while failure handling inside bch_journal_replay(), cache
+register code is still running to start the cache set. Registering and
+unregistering code running as same time may introduce some rare race
+condition, and make the code to be more hard to be understood.
+
+This patch adds return value to run_cache_set(), and returns -EIO if
+bch_journal_rreplay() fails. Then caller of run_cache_set() may detect
+such failure and stop registering code flow immedidately inside
+register_cache_set().
+
+If journal replay fails, run_cache_set() can report error immediately
+to register_cache_set(). This patch makes the failure handling for
+bch_journal_replay() be in synchronized way, easier to understand and
+debug, and avoid poetential race condition for register-and-unregister
+in same time.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 5c9751e9a76a4..e489d2459569f 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1775,7 +1775,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
+ return NULL;
+ }
+
+-static void run_cache_set(struct cache_set *c)
++static int run_cache_set(struct cache_set *c)
+ {
+ const char *err = "cannot allocate memory";
+ struct cached_dev *dc, *t;
+@@ -1871,7 +1871,9 @@ static void run_cache_set(struct cache_set *c)
+ if (j->version < BCACHE_JSET_VERSION_UUID)
+ __uuid_write(c);
+
+- bch_journal_replay(c, &journal);
++ err = "bcache: replay journal failed";
++ if (bch_journal_replay(c, &journal))
++ goto err;
+ } else {
+ pr_notice("invalidating existing data");
+
+@@ -1939,7 +1941,7 @@ static void run_cache_set(struct cache_set *c)
+ flash_devs_run(c);
+
+ set_bit(CACHE_SET_RUNNING, &c->flags);
+- return;
++ return 0;
+ err:
+ while (!list_empty(&journal)) {
+ l = list_first_entry(&journal, struct journal_replay, list);
+@@ -1950,6 +1952,8 @@ static void run_cache_set(struct cache_set *c)
+ closure_sync(&cl);
+ /* XXX: test this, it's broken */
+ bch_cache_set_error(c, "%s", err);
++
++ return -EIO;
+ }
+
+ static bool can_attach_cache(struct cache *ca, struct cache_set *c)
+@@ -2013,8 +2017,11 @@ static const char *register_cache_set(struct cache *ca)
+ ca->set->cache[ca->sb.nr_this_dev] = ca;
+ c->cache_by_alloc[c->caches_loaded++] = ca;
+
+- if (c->caches_loaded == c->sb.nr_in_set)
+- run_cache_set(c);
++ if (c->caches_loaded == c->sb.nr_in_set) {
++ err = "failed to run cache set";
++ if (run_cache_set(c) < 0)
++ goto err;
++ }
+
+ return NULL;
+ err:
+--
+2.20.1
+
--- /dev/null
+From 1ef36b0e7c77477b1d7f58fb12ed4532ba7d31a8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 25 Apr 2019 00:48:28 +0800
+Subject: bcache: avoid clang -Wunintialized warning
+
+[ Upstream commit 78d4eb8ad9e1d413449d1b7a060f50b6efa81ebd ]
+
+clang has identified a code path in which it thinks a
+variable may be unused:
+
+drivers/md/bcache/alloc.c:333:4: error: variable 'bucket' is used uninitialized whenever 'if' condition is false
+ [-Werror,-Wsometimes-uninitialized]
+ fifo_pop(&ca->free_inc, bucket);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
+ #define fifo_pop(fifo, i) fifo_pop_front(fifo, (i))
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/md/bcache/util.h:189:6: note: expanded from macro 'fifo_pop_front'
+ if (_r) { \
+ ^~
+drivers/md/bcache/alloc.c:343:46: note: uninitialized use occurs here
+ allocator_wait(ca, bch_allocator_push(ca, bucket));
+ ^~~~~~
+drivers/md/bcache/alloc.c:287:7: note: expanded from macro 'allocator_wait'
+ if (cond) \
+ ^~~~
+drivers/md/bcache/alloc.c:333:4: note: remove the 'if' if its condition is always true
+ fifo_pop(&ca->free_inc, bucket);
+ ^
+drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
+ #define fifo_pop(fifo, i) fifo_pop_front(fifo, (i))
+ ^
+drivers/md/bcache/util.h:189:2: note: expanded from macro 'fifo_pop_front'
+ if (_r) { \
+ ^
+drivers/md/bcache/alloc.c:331:15: note: initialize the variable 'bucket' to silence this warning
+ long bucket;
+ ^
+
+This cannot happen in practice because we only enter the loop
+if there is at least one element in the list.
+
+Slightly rearranging the code makes this clearer to both the
+reader and the compiler, which avoids the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/alloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
+index 5002838ea4760..f8986effcb501 100644
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -327,10 +327,11 @@ static int bch_allocator_thread(void *arg)
+ * possibly issue discards to them, then we add the bucket to
+ * the free list:
+ */
+- while (!fifo_empty(&ca->free_inc)) {
++ while (1) {
+ long bucket;
+
+- fifo_pop(&ca->free_inc, bucket);
++ if (!fifo_pop(&ca->free_inc, bucket))
++ break;
+
+ if (ca->discard) {
+ mutex_unlock(&ca->set->bucket_lock);
+--
+2.20.1
+
--- /dev/null
+From 4aaa0d1c3d3809d4e501451291510ef836cd6c51 Mon Sep 17 00:00:00 2001
+From: Shenghui Wang <shhuiw@foxmail.com>
+Date: Thu, 25 Apr 2019 00:48:43 +0800
+Subject: bcache: avoid potential memleak of list of journal_replay(s) in the
+ CACHE_SYNC branch of run_cache_set
+
+[ Upstream commit 95f18c9d1310730d075499a75aaf13bcd60405a7 ]
+
+In the CACHE_SYNC branch of run_cache_set(), LIST_HEAD(journal) is used
+to collect journal_replay(s) and filled by bch_journal_read().
+
+If all goes well, bch_journal_replay() will release the list of
+jounal_replay(s) at the end of the branch.
+
+If something goes wrong, code flow will jump to the label "err:" and leave
+the list unreleased.
+
+This patch will release the list of journal_replay(s) in the case of
+error detected.
+
+v1 -> v2:
+* Move the release code to the location after label 'err:' to
+ simply the change.
+
+Signed-off-by: Shenghui Wang <shhuiw@foxmail.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 171d5e0f698ba..5c9751e9a76a4 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1782,6 +1782,8 @@ static void run_cache_set(struct cache_set *c)
+ struct cache *ca;
+ struct closure cl;
+ unsigned int i;
++ LIST_HEAD(journal);
++ struct journal_replay *l;
+
+ closure_init_stack(&cl);
+
+@@ -1939,6 +1941,12 @@ static void run_cache_set(struct cache_set *c)
+ set_bit(CACHE_SET_RUNNING, &c->flags);
+ return;
+ err:
++ while (!list_empty(&journal)) {
++ l = list_first_entry(&journal, struct journal_replay, list);
++ list_del(&l->list);
++ kfree(l);
++ }
++
+ closure_sync(&cl);
+ /* XXX: test this, it's broken */
+ bch_cache_set_error(c, "%s", err);
+--
+2.20.1
+
--- /dev/null
+From decf498ad7beacad029e49685a44478e68e7a295 Mon Sep 17 00:00:00 2001
+From: Tang Junhui <tang.junhui.linux@gmail.com>
+Date: Thu, 25 Apr 2019 00:48:41 +0800
+Subject: bcache: fix failure in journal relplay
+
+[ Upstream commit 631207314d88e9091be02fbdd1fdadb1ae2ed79a ]
+
+journal replay failed with messages:
+Sep 10 19:10:43 ceph kernel: bcache: error on
+bb379a64-e44e-4812-b91d-a5599871a3b1: bcache: journal entries
+2057493-2057567 missing! (replaying 2057493-2076601), disabling
+caching
+
+The reason is in journal_reclaim(), when discard is enabled, we send
+discard command and reclaim those journal buckets whose seq is old
+than the last_seq_now, but before we write a journal with last_seq_now,
+the machine is restarted, so the journal with the last_seq_now is not
+written to the journal bucket, and the last_seq_wrote in the newest
+journal is old than last_seq_now which we expect to be, so when we doing
+replay, journals from last_seq_wrote to last_seq_now are missing.
+
+It's hard to write a journal immediately after journal_reclaim(),
+and it harmless if those missed journal are caused by discarding
+since those journals are already wrote to btree node. So, if miss
+seqs are started from the beginning journal, we treat it as normal,
+and only print a message to show the miss journal, and point out
+it maybe caused by discarding.
+
+Patch v2 add a judgement condition to ignore the missed journal
+only when discard enabled as Coly suggested.
+
+(Coly Li: rebase the patch with other changes in bch_journal_replay())
+
+Signed-off-by: Tang Junhui <tang.junhui.linux@gmail.com>
+Tested-by: Dennis Schridde <devurandom@gmx.net>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index 9e557164209c1..6c94fa0077968 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -317,6 +317,18 @@ void bch_journal_mark(struct cache_set *c, struct list_head *list)
+ }
+ }
+
++bool is_discard_enabled(struct cache_set *s)
++{
++ struct cache *ca;
++ unsigned int i;
++
++ for_each_cache(ca, s, i)
++ if (ca->discard)
++ return true;
++
++ return false;
++}
++
+ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ {
+ int ret = 0, keys = 0, entries = 0;
+@@ -331,10 +343,15 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ BUG_ON(i->pin && atomic_read(i->pin) != 1);
+
+ if (n != i->j.seq) {
+- pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
+- n, i->j.seq - 1, start, end);
+- ret = -EIO;
+- goto err;
++ if (n == start && is_discard_enabled(s))
++ pr_info("bcache: journal entries %llu-%llu may be discarded! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ else {
++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ ret = -EIO;
++ goto err;
++ }
+ }
+
+ for (k = i->j.start;
+--
+2.20.1
+
--- /dev/null
+From 595f90f5a6e855b7863f88ee2a21679934faab8b Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Thu, 25 Apr 2019 00:48:36 +0800
+Subject: bcache: return error immediately in bch_journal_replay()
+
+[ Upstream commit 68d10e6979a3b59e3cd2e90bfcafed79c4cf180a ]
+
+When failure happens inside bch_journal_replay(), calling
+cache_set_err_on() and handling the failure in async way is not a good
+idea. Because after bch_journal_replay() returns, registering code will
+continue to execute following steps, and unregistering code triggered
+by cache_set_err_on() is running in same time. First it is unnecessary
+to handle failure and unregister cache set in an async way, second there
+might be potential race condition to run register and unregister code
+for same cache set.
+
+So in this patch, if failure happens in bch_journal_replay(), we don't
+call cache_set_err_on(), and just print out the same error message to
+kernel message buffer, then return -EIO immediately caller. Then caller
+can detect such failure and handle it in synchrnozied way.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index d3725c17ce3a6..9e557164209c1 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -330,9 +330,12 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ list_for_each_entry(i, list, list) {
+ BUG_ON(i->pin && atomic_read(i->pin) != 1);
+
+- cache_set_err_on(n != i->j.seq, s,
+-"bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
+- n, i->j.seq - 1, start, end);
++ if (n != i->j.seq) {
++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ ret = -EIO;
++ goto err;
++ }
+
+ for (k = i->j.start;
+ k < bset_bkey_last(&i->j);
+--
+2.20.1
+
--- /dev/null
+From 905379de488d87226809e5b35ecbe00727714a72 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 30 Apr 2019 09:52:23 +0800
+Subject: blk-mq: grab .q_usage_counter when queuing request from plug code
+ path
+
+[ Upstream commit e87eb301bee183d82bb3d04bd71b6660889a2588 ]
+
+Just like aio/io_uring, we need to grab 2 refcount for queuing one
+request, one is for submission, another is for completion.
+
+If the request isn't queued from plug code path, the refcount grabbed
+in generic_make_request() serves for submission. In theroy, this
+refcount should have been released after the sumission(async run queue)
+is done. blk_freeze_queue() works with blk_sync_queue() together
+for avoiding race between cleanup queue and IO submission, given async
+run queue activities are canceled because hctx->run_work is scheduled with
+the refcount held, so it is fine to not hold the refcount when
+running the run queue work function for dispatch IO.
+
+However, if request is staggered into plug list, and finally queued
+from plug code path, the refcount in submission side is actually missed.
+And we may start to run queue after queue is removed because the queue's
+kobject refcount isn't guaranteed to be grabbed in flushing plug list
+context, then kernel oops is triggered, see the following race:
+
+blk_mq_flush_plug_list():
+ blk_mq_sched_insert_requests()
+ insert requests to sw queue or scheduler queue
+ blk_mq_run_hw_queue
+
+Because of concurrent run queue, all requests inserted above may be
+completed before calling the above blk_mq_run_hw_queue. Then queue can
+be freed during the above blk_mq_run_hw_queue().
+
+Fixes the issue by grab .q_usage_counter before calling
+blk_mq_sched_insert_requests() in blk_mq_flush_plug_list(). This way is
+safe because the queue is absolutely alive before inserting request.
+
+Cc: Dongli Zhang <dongli.zhang@oracle.com>
+Cc: James Smart <james.smart@broadcom.com>
+Cc: linux-scsi@vger.kernel.org,
+Cc: Martin K . Petersen <martin.petersen@oracle.com>,
+Cc: Christoph Hellwig <hch@lst.de>,
+Cc: James E . J . Bottomley <jejb@linux.vnet.ibm.com>,
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq-sched.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c
+index aa6bc5c026438..c59babca6857a 100644
+--- a/block/blk-mq-sched.c
++++ b/block/blk-mq-sched.c
+@@ -413,6 +413,14 @@ void blk_mq_sched_insert_requests(struct blk_mq_hw_ctx *hctx,
+ struct list_head *list, bool run_queue_async)
+ {
+ struct elevator_queue *e;
++ struct request_queue *q = hctx->queue;
++
++ /*
++ * blk_mq_sched_insert_requests() is called from flush plug
++ * context only, and hold one usage counter to prevent queue
++ * from being released.
++ */
++ percpu_ref_get(&q->q_usage_counter);
+
+ e = hctx->queue->elevator;
+ if (e && e->type->ops.insert_requests)
+@@ -426,12 +434,14 @@ void blk_mq_sched_insert_requests(struct blk_mq_hw_ctx *hctx,
+ if (!hctx->dispatch_busy && !e && !run_queue_async) {
+ blk_mq_try_issue_list_directly(hctx, list);
+ if (list_empty(list))
+- return;
++ goto out;
+ }
+ blk_mq_insert_requests(hctx, ctx, list);
+ }
+
+ blk_mq_run_hw_queue(hctx, run_queue_async);
++ out:
++ percpu_ref_put(&q->q_usage_counter);
+ }
+
+ static void blk_mq_sched_free_tags(struct blk_mq_tag_set *set,
+--
+2.20.1
+
--- /dev/null
+From be5d0f799fb3b150e9cf1998a22f405566ee2458 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 30 Apr 2019 09:52:26 +0800
+Subject: blk-mq: split blk_mq_alloc_and_init_hctx into two parts
+
+[ Upstream commit 7c6c5b7c9186e3fb5b10afb8e5f710ae661144c6 ]
+
+Split blk_mq_alloc_and_init_hctx into two parts, and one is
+blk_mq_alloc_hctx() for allocating all hctx resources, another
+is blk_mq_init_hctx() for initializing hctx, which serves as
+counter-part of blk_mq_exit_hctx().
+
+Cc: Dongli Zhang <dongli.zhang@oracle.com>
+Cc: James Smart <james.smart@broadcom.com>
+Cc: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: linux-scsi@vger.kernel.org
+Cc: Martin K . Petersen <martin.petersen@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: James E . J . Bottomley <jejb@linux.vnet.ibm.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Tested-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 139 ++++++++++++++++++++++++++-----------------------
+ 1 file changed, 75 insertions(+), 64 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index b0e5e67e20a28..8a41cc5974fe1 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2284,15 +2284,65 @@ static void blk_mq_exit_hw_queues(struct request_queue *q,
+ }
+ }
+
++static int blk_mq_hw_ctx_size(struct blk_mq_tag_set *tag_set)
++{
++ int hw_ctx_size = sizeof(struct blk_mq_hw_ctx);
++
++ BUILD_BUG_ON(ALIGN(offsetof(struct blk_mq_hw_ctx, srcu),
++ __alignof__(struct blk_mq_hw_ctx)) !=
++ sizeof(struct blk_mq_hw_ctx));
++
++ if (tag_set->flags & BLK_MQ_F_BLOCKING)
++ hw_ctx_size += sizeof(struct srcu_struct);
++
++ return hw_ctx_size;
++}
++
+ static int blk_mq_init_hctx(struct request_queue *q,
+ struct blk_mq_tag_set *set,
+ struct blk_mq_hw_ctx *hctx, unsigned hctx_idx)
+ {
+- int node;
++ hctx->queue_num = hctx_idx;
++
++ cpuhp_state_add_instance_nocalls(CPUHP_BLK_MQ_DEAD, &hctx->cpuhp_dead);
++
++ hctx->tags = set->tags[hctx_idx];
++
++ if (set->ops->init_hctx &&
++ set->ops->init_hctx(hctx, set->driver_data, hctx_idx))
++ goto unregister_cpu_notifier;
+
+- node = hctx->numa_node;
++ if (blk_mq_init_request(set, hctx->fq->flush_rq, hctx_idx,
++ hctx->numa_node))
++ goto exit_hctx;
++ return 0;
++
++ exit_hctx:
++ if (set->ops->exit_hctx)
++ set->ops->exit_hctx(hctx, hctx_idx);
++ unregister_cpu_notifier:
++ blk_mq_remove_cpuhp(hctx);
++ return -1;
++}
++
++static struct blk_mq_hw_ctx *
++blk_mq_alloc_hctx(struct request_queue *q, struct blk_mq_tag_set *set,
++ int node)
++{
++ struct blk_mq_hw_ctx *hctx;
++ gfp_t gfp = GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY;
++
++ hctx = kzalloc_node(blk_mq_hw_ctx_size(set), gfp, node);
++ if (!hctx)
++ goto fail_alloc_hctx;
++
++ if (!zalloc_cpumask_var_node(&hctx->cpumask, gfp, node))
++ goto free_hctx;
++
++ atomic_set(&hctx->nr_active, 0);
+ if (node == NUMA_NO_NODE)
+- node = hctx->numa_node = set->numa_node;
++ node = set->numa_node;
++ hctx->numa_node = node;
+
+ INIT_DELAYED_WORK(&hctx->run_work, blk_mq_run_work_fn);
+ spin_lock_init(&hctx->lock);
+@@ -2300,58 +2350,45 @@ static int blk_mq_init_hctx(struct request_queue *q,
+ hctx->queue = q;
+ hctx->flags = set->flags & ~BLK_MQ_F_TAG_SHARED;
+
+- cpuhp_state_add_instance_nocalls(CPUHP_BLK_MQ_DEAD, &hctx->cpuhp_dead);
+-
+- hctx->tags = set->tags[hctx_idx];
+-
+ /*
+ * Allocate space for all possible cpus to avoid allocation at
+ * runtime
+ */
+ hctx->ctxs = kmalloc_array_node(nr_cpu_ids, sizeof(void *),
+- GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY, node);
++ gfp, node);
+ if (!hctx->ctxs)
+- goto unregister_cpu_notifier;
++ goto free_cpumask;
+
+ if (sbitmap_init_node(&hctx->ctx_map, nr_cpu_ids, ilog2(8),
+- GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY, node))
++ gfp, node))
+ goto free_ctxs;
+-
+ hctx->nr_ctx = 0;
+
+ spin_lock_init(&hctx->dispatch_wait_lock);
+ init_waitqueue_func_entry(&hctx->dispatch_wait, blk_mq_dispatch_wake);
+ INIT_LIST_HEAD(&hctx->dispatch_wait.entry);
+
+- if (set->ops->init_hctx &&
+- set->ops->init_hctx(hctx, set->driver_data, hctx_idx))
+- goto free_bitmap;
+-
+ hctx->fq = blk_alloc_flush_queue(q, hctx->numa_node, set->cmd_size,
+- GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY);
++ gfp);
+ if (!hctx->fq)
+- goto exit_hctx;
+-
+- if (blk_mq_init_request(set, hctx->fq->flush_rq, hctx_idx, node))
+- goto free_fq;
++ goto free_bitmap;
+
+ if (hctx->flags & BLK_MQ_F_BLOCKING)
+ init_srcu_struct(hctx->srcu);
++ blk_mq_hctx_kobj_init(hctx);
+
+- return 0;
++ return hctx;
+
+- free_fq:
+- blk_free_flush_queue(hctx->fq);
+- exit_hctx:
+- if (set->ops->exit_hctx)
+- set->ops->exit_hctx(hctx, hctx_idx);
+ free_bitmap:
+ sbitmap_free(&hctx->ctx_map);
+ free_ctxs:
+ kfree(hctx->ctxs);
+- unregister_cpu_notifier:
+- blk_mq_remove_cpuhp(hctx);
+- return -1;
++ free_cpumask:
++ free_cpumask_var(hctx->cpumask);
++ free_hctx:
++ kfree(hctx);
++ fail_alloc_hctx:
++ return NULL;
+ }
+
+ static void blk_mq_init_cpu_queues(struct request_queue *q,
+@@ -2695,51 +2732,25 @@ struct request_queue *blk_mq_init_sq_queue(struct blk_mq_tag_set *set,
+ }
+ EXPORT_SYMBOL(blk_mq_init_sq_queue);
+
+-static int blk_mq_hw_ctx_size(struct blk_mq_tag_set *tag_set)
+-{
+- int hw_ctx_size = sizeof(struct blk_mq_hw_ctx);
+-
+- BUILD_BUG_ON(ALIGN(offsetof(struct blk_mq_hw_ctx, srcu),
+- __alignof__(struct blk_mq_hw_ctx)) !=
+- sizeof(struct blk_mq_hw_ctx));
+-
+- if (tag_set->flags & BLK_MQ_F_BLOCKING)
+- hw_ctx_size += sizeof(struct srcu_struct);
+-
+- return hw_ctx_size;
+-}
+-
+ static struct blk_mq_hw_ctx *blk_mq_alloc_and_init_hctx(
+ struct blk_mq_tag_set *set, struct request_queue *q,
+ int hctx_idx, int node)
+ {
+ struct blk_mq_hw_ctx *hctx;
+
+- hctx = kzalloc_node(blk_mq_hw_ctx_size(set),
+- GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY,
+- node);
++ hctx = blk_mq_alloc_hctx(q, set, node);
+ if (!hctx)
+- return NULL;
+-
+- if (!zalloc_cpumask_var_node(&hctx->cpumask,
+- GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY,
+- node)) {
+- kfree(hctx);
+- return NULL;
+- }
+-
+- atomic_set(&hctx->nr_active, 0);
+- hctx->numa_node = node;
+- hctx->queue_num = hctx_idx;
++ goto fail;
+
+- if (blk_mq_init_hctx(q, set, hctx, hctx_idx)) {
+- free_cpumask_var(hctx->cpumask);
+- kfree(hctx);
+- return NULL;
+- }
+- blk_mq_hctx_kobj_init(hctx);
++ if (blk_mq_init_hctx(q, set, hctx, hctx_idx))
++ goto free_hctx;
+
+ return hctx;
++
++ free_hctx:
++ kobject_put(&hctx->kobj);
++ fail:
++ return NULL;
+ }
+
+ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
+--
+2.20.1
+
--- /dev/null
+From d24a6e0ab5f763ac9f19669d47bf2f2cac6c4b10 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Sun, 17 Mar 2019 18:01:04 +0800
+Subject: block: avoid to break XEN by multi-page bvec
+
+[ Upstream commit db5ebd6edd2627d7e81a031643cf43587f63e66c ]
+
+XEN has special page merge requirement, see xen_biovec_phys_mergeable().
+We can't merge pages into one bvec simply for XEN.
+
+So move XEN's specific check on page merge into __bio_try_merge_page(),
+then abvoid to break XEN by multi-page bvec.
+
+Cc: ris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/block/bio.c b/block/bio.c
+index 716510ecd7ffa..a3c80a6c1fe51 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -776,6 +776,8 @@ bool __bio_try_merge_page(struct bio *bio, struct page *page,
+
+ if (vec_end_addr + 1 != page_addr + off)
+ return false;
++ if (xen_domain() && !xen_biovec_phys_mergeable(bv, page))
++ return false;
+ if (same_page && (vec_end_addr & PAGE_MASK) != page_addr)
+ return false;
+
+--
+2.20.1
+
--- /dev/null
+From 20e57e22ae4d7506f30778d0a8e1b33da4d1110b Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 2 Apr 2019 20:06:34 +0800
+Subject: block: fix use-after-free on gendisk
+
+[ Upstream commit 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd ]
+
+commit 2da78092dda "block: Fix dev_t minor allocation lifetime"
+specifically moved blk_free_devt(dev->devt) call to part_release()
+to avoid reallocating device number before the device is fully
+shutdown.
+
+However, it can cause use-after-free on gendisk in get_gendisk().
+We use md device as example to show the race scenes:
+
+Process1 Worker Process2
+md_free
+ blkdev_open
+del_gendisk
+ add delete_partition_work_fn() to wq
+ __blkdev_get
+ get_gendisk
+put_disk
+ disk_release
+ kfree(disk)
+ find part from ext_devt_idr
+ get_disk_and_module(disk)
+ cause use after free
+
+ delete_partition_work_fn
+ put_device(part)
+ part_release
+ remove part from ext_devt_idr
+
+Before <devt, hd_struct pointer> is removed from ext_devt_idr by
+delete_partition_work_fn(), we can find the devt and then access
+gendisk by hd_struct pointer. But, if we access the gendisk after
+it have been freed, it can cause in use-after-freeon gendisk in
+get_gendisk().
+
+We fix this by adding a new helper blk_invalidate_devt() in
+delete_partition() and del_gendisk(). It replaces hd_struct
+pointer in idr with value 'NULL', and deletes the entry from
+idr in part_release() as we do now.
+
+Thanks to Jan Kara for providing the solution and more clear comments
+for the code.
+
+Fixes: 2da78092dda1 ("block: Fix dev_t minor allocation lifetime")
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/genhd.c | 19 +++++++++++++++++++
+ block/partition-generic.c | 7 +++++++
+ include/linux/genhd.h | 1 +
+ 3 files changed, 27 insertions(+)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 703267865f14d..d8dff0b21f7d1 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -531,6 +531,18 @@ void blk_free_devt(dev_t devt)
+ }
+ }
+
++/**
++ * We invalidate devt by assigning NULL pointer for devt in idr.
++ */
++void blk_invalidate_devt(dev_t devt)
++{
++ if (MAJOR(devt) == BLOCK_EXT_MAJOR) {
++ spin_lock_bh(&ext_devt_lock);
++ idr_replace(&ext_devt_idr, NULL, blk_mangle_minor(MINOR(devt)));
++ spin_unlock_bh(&ext_devt_lock);
++ }
++}
++
+ static char *bdevt_str(dev_t devt, char *buf)
+ {
+ if (MAJOR(devt) <= 0xff && MINOR(devt) <= 0xff) {
+@@ -793,6 +805,13 @@ void del_gendisk(struct gendisk *disk)
+
+ if (!(disk->flags & GENHD_FL_HIDDEN))
+ blk_unregister_region(disk_devt(disk), disk->minors);
++ /*
++ * Remove gendisk pointer from idr so that it cannot be looked up
++ * while RCU period before freeing gendisk is running to prevent
++ * use-after-free issues. Note that the device number stays
++ * "in-use" until we really free the gendisk.
++ */
++ blk_invalidate_devt(disk_devt(disk));
+
+ kobject_put(disk->part0.holder_dir);
+ kobject_put(disk->slave_dir);
+diff --git a/block/partition-generic.c b/block/partition-generic.c
+index 8e596a8dff321..aee643ce13d15 100644
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -285,6 +285,13 @@ void delete_partition(struct gendisk *disk, int partno)
+ kobject_put(part->holder_dir);
+ device_del(part_to_dev(part));
+
++ /*
++ * Remove gendisk pointer from idr so that it cannot be looked up
++ * while RCU period before freeing gendisk is running to prevent
++ * use-after-free issues. Note that the device number stays
++ * "in-use" until we really free the gendisk.
++ */
++ blk_invalidate_devt(part_devt(part));
+ hd_struct_kill(part);
+ }
+
+diff --git a/include/linux/genhd.h b/include/linux/genhd.h
+index 06c0fd594097d..69db1affedb0b 100644
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -610,6 +610,7 @@ struct unixware_disklabel {
+
+ extern int blk_alloc_devt(struct hd_struct *part, dev_t *devt);
+ extern void blk_free_devt(dev_t devt);
++extern void blk_invalidate_devt(dev_t devt);
+ extern dev_t blk_lookup_devt(const char *name, int partno);
+ extern char *disk_name (struct gendisk *hd, int partno, char *buf);
+
+--
+2.20.1
+
--- /dev/null
+From a7e5cfdf2877ab5bdcab34941cc27b6efcddb630 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Fri, 29 Mar 2019 15:07:54 +0800
+Subject: block: pass page to xen_biovec_phys_mergeable
+
+[ Upstream commit 0383ad4374f7ad7edd925a2ee4753035c3f5508a ]
+
+xen_biovec_phys_mergeable() only needs .bv_page of the 2nd bio bvec
+for checking if the two bvecs can be merged, so pass page to
+xen_biovec_phys_mergeable() directly.
+
+No function change.
+
+Cc: ris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk.h | 2 +-
+ drivers/xen/biomerge.c | 5 +++--
+ include/xen/xen.h | 4 +++-
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/block/blk.h b/block/blk.h
+index 5d636ee416630..e27fd1512e4bb 100644
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -75,7 +75,7 @@ static inline bool biovec_phys_mergeable(struct request_queue *q,
+
+ if (addr1 + vec1->bv_len != addr2)
+ return false;
+- if (xen_domain() && !xen_biovec_phys_mergeable(vec1, vec2))
++ if (xen_domain() && !xen_biovec_phys_mergeable(vec1, vec2->bv_page))
+ return false;
+ if ((addr1 | mask) != ((addr2 + vec2->bv_len - 1) | mask))
+ return false;
+diff --git a/drivers/xen/biomerge.c b/drivers/xen/biomerge.c
+index f3fbb700f5697..05a286d24f148 100644
+--- a/drivers/xen/biomerge.c
++++ b/drivers/xen/biomerge.c
+@@ -4,12 +4,13 @@
+ #include <xen/xen.h>
+ #include <xen/page.h>
+
++/* check if @page can be merged with 'vec1' */
+ bool xen_biovec_phys_mergeable(const struct bio_vec *vec1,
+- const struct bio_vec *vec2)
++ const struct page *page)
+ {
+ #if XEN_PAGE_SIZE == PAGE_SIZE
+ unsigned long bfn1 = pfn_to_bfn(page_to_pfn(vec1->bv_page));
+- unsigned long bfn2 = pfn_to_bfn(page_to_pfn(vec2->bv_page));
++ unsigned long bfn2 = pfn_to_bfn(page_to_pfn(page));
+
+ return bfn1 + PFN_DOWN(vec1->bv_offset + vec1->bv_len) == bfn2;
+ #else
+diff --git a/include/xen/xen.h b/include/xen/xen.h
+index 19d032373de5a..19a72f591e2bd 100644
+--- a/include/xen/xen.h
++++ b/include/xen/xen.h
+@@ -43,8 +43,10 @@ extern struct hvm_start_info pvh_start_info;
+ #endif /* CONFIG_XEN_DOM0 */
+
+ struct bio_vec;
++struct page;
++
+ bool xen_biovec_phys_mergeable(const struct bio_vec *vec1,
+- const struct bio_vec *vec2);
++ const struct page *page);
+
+ #if defined(CONFIG_MEMORY_HOTPLUG) && defined(CONFIG_XEN_BALLOON)
+ extern u64 xen_saved_max_mem_size;
+--
+2.20.1
+
--- /dev/null
+From c897793ee80861aef5ec6eb6c23c2a87dd89d2b0 Mon Sep 17 00:00:00 2001
+From: David Kozub <zub@linux.fjfi.cvut.cz>
+Date: Thu, 14 Feb 2019 01:15:53 +0100
+Subject: block: sed-opal: fix IOC_OPAL_ENABLE_DISABLE_MBR
+
+[ Upstream commit 78bf47353b0041865564deeed257a54f047c2fdc ]
+
+The implementation of IOC_OPAL_ENABLE_DISABLE_MBR handled the value
+opal_mbr_data.enable_disable incorrectly: enable_disable is expected
+to be one of OPAL_MBR_ENABLE(0) or OPAL_MBR_DISABLE(1). enable_disable
+was passed directly to set_mbr_done and set_mbr_enable_disable where
+is was interpreted as either OPAL_TRUE(1) or OPAL_FALSE(0). The end
+result was that calling IOC_OPAL_ENABLE_DISABLE_MBR with OPAL_MBR_ENABLE
+actually disabled the shadow MBR and vice versa.
+
+This patch adds correct conversion from OPAL_MBR_DISABLE/ENABLE to
+OPAL_FALSE/TRUE. The change affects existing programs using
+IOC_OPAL_ENABLE_DISABLE_MBR but this is typically used only once when
+setting up an Opal drive.
+
+Acked-by: Jon Derrick <jonathan.derrick@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Scott Bauer <sbauer@plzdonthack.me>
+Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/sed-opal.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/block/sed-opal.c b/block/sed-opal.c
+index e0de4dd448b3c..1196408972937 100644
+--- a/block/sed-opal.c
++++ b/block/sed-opal.c
+@@ -2095,13 +2095,16 @@ static int opal_erase_locking_range(struct opal_dev *dev,
+ static int opal_enable_disable_shadow_mbr(struct opal_dev *dev,
+ struct opal_mbr_data *opal_mbr)
+ {
++ u8 enable_disable = opal_mbr->enable_disable == OPAL_MBR_ENABLE ?
++ OPAL_TRUE : OPAL_FALSE;
++
+ const struct opal_step mbr_steps[] = {
+ { opal_discovery0, },
+ { start_admin1LSP_opal_session, &opal_mbr->key },
+- { set_mbr_done, &opal_mbr->enable_disable },
++ { set_mbr_done, &enable_disable },
+ { end_opal_session, },
+ { start_admin1LSP_opal_session, &opal_mbr->key },
+- { set_mbr_enable_disable, &opal_mbr->enable_disable },
++ { set_mbr_enable_disable, &enable_disable },
+ { end_opal_session, },
+ { NULL, }
+ };
+@@ -2221,7 +2224,7 @@ static int __opal_lock_unlock(struct opal_dev *dev,
+
+ static int __opal_set_mbr_done(struct opal_dev *dev, struct opal_key *key)
+ {
+- u8 mbr_done_tf = 1;
++ u8 mbr_done_tf = OPAL_TRUE;
+ const struct opal_step mbrdone_step [] = {
+ { opal_discovery0, },
+ { start_admin1LSP_opal_session, key },
+--
+2.20.1
+
--- /dev/null
+From a3596553814bc9ebd3c683ca797ff8ef5cf3fd26 Mon Sep 17 00:00:00 2001
+From: Ferry Toth <ftoth@exalondelft.nl>
+Date: Tue, 9 Apr 2019 16:15:50 +0200
+Subject: Bluetooth: btbcm: Add default address for BCM43341B
+
+[ Upstream commit 5035726128cd2e3813ee44deedb9898509edb232 ]
+
+The BCM43341B has the default MAC address 43:34:1B:00:1F:AC if none
+is given. This address was found when enabling Bluetooth on multiple
+Intel Edison modules. It also contains the sequence 43341B, the name
+the chip identifies itself as. Using the same BD_ADDR is problematic
+when having multiple Intel Edison modules in each others range.
+The default address also has the LAA (locally administered address)
+bit set which prevents a BNEP device from being created, needed for
+BT tethering.
+
+Add this to the list of black listed default MAC addresses and let
+the user configure a valid one using f.i.
+`btmgmt -i hci0 public-addr xx:xx:xx:xx:xx:xx`
+
+Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btbcm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
+index d5d6e6e5da3bf..62d3aa2b26f60 100644
+--- a/drivers/bluetooth/btbcm.c
++++ b/drivers/bluetooth/btbcm.c
+@@ -37,6 +37,7 @@
+ #define BDADDR_BCM43430A0 (&(bdaddr_t) {{0xac, 0x1f, 0x12, 0xa0, 0x43, 0x43}})
+ #define BDADDR_BCM4324B3 (&(bdaddr_t) {{0x00, 0x00, 0x00, 0xb3, 0x24, 0x43}})
+ #define BDADDR_BCM4330B1 (&(bdaddr_t) {{0x00, 0x00, 0x00, 0xb1, 0x30, 0x43}})
++#define BDADDR_BCM43341B (&(bdaddr_t) {{0xac, 0x1f, 0x00, 0x1b, 0x34, 0x43}})
+
+ int btbcm_check_bdaddr(struct hci_dev *hdev)
+ {
+@@ -82,7 +83,8 @@ int btbcm_check_bdaddr(struct hci_dev *hdev)
+ !bacmp(&bda->bdaddr, BDADDR_BCM20702A1) ||
+ !bacmp(&bda->bdaddr, BDADDR_BCM4324B3) ||
+ !bacmp(&bda->bdaddr, BDADDR_BCM4330B1) ||
+- !bacmp(&bda->bdaddr, BDADDR_BCM43430A0)) {
++ !bacmp(&bda->bdaddr, BDADDR_BCM43430A0) ||
++ !bacmp(&bda->bdaddr, BDADDR_BCM43341B)) {
+ bt_dev_info(hdev, "BCM: Using default device address (%pMR)",
+ &bda->bdaddr);
+ set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
+--
+2.20.1
+
--- /dev/null
+From d6d509563c4a21cf1c4819daa9e52f3fe12a44d0 Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Tue, 23 Apr 2019 11:16:52 -0700
+Subject: Bluetooth: hci_qca: Fix crash with non-serdev devices
+
+[ Upstream commit ecf2b768bd11e2ff09ecbe621b387d0d58e970cf ]
+
+qca_set_baudrate() calls serdev_device_wait_until_sent() assuming that
+the HCI is always associated with a serdev device. This isn't true for
+ROME controllers instantiated through ldisc, where the call causes a
+crash due to a NULL pointer dereferentiation. Only call the function
+when we have a serdev device. The timeout for ROME devices at the end
+of qca_set_baudrate() is long enough to be reasonably sure that the
+command was sent.
+
+Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
+Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
+Reported-by: Rocky Liao <rjliao@codeaurora.org>
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Rocky Liao <rjliao@codeaurora.org>
+Tested-by: Rocky Liao <rjliao@codeaurora.org>
+Reviewed-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_qca.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 237aea34b69f1..340c3c750b180 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -992,7 +992,8 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate)
+ while (!skb_queue_empty(&qca->txq))
+ usleep_range(100, 200);
+
+- serdev_device_wait_until_sent(hu->serdev,
++ if (hu->serdev)
++ serdev_device_wait_until_sent(hu->serdev,
+ msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+
+ /* Give the controller time to process the request */
+--
+2.20.1
+
--- /dev/null
+From 785345451cf9f8364cbbecc531626ab3d0754b67 Mon Sep 17 00:00:00 2001
+From: Balakrishna Godavarthi <bgodavar@codeaurora.org>
+Date: Mon, 1 Apr 2019 15:19:08 +0530
+Subject: Bluetooth: hci_qca: Give enough time to ROME controller to bootup.
+
+[ Upstream commit 7f09d5a6c33be66a5ca19bf9dd1c2d90c5dfcf0d ]
+
+This patch enables enough time to ROME controller to bootup
+after we bring the enable pin out of reset.
+
+Fixes: 05ba533c5c11 ("Bluetooth: hci_qca: Add serdev support").
+Signed-off-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
+Reviewed-by: Rocky Liao <rjliao@codeaurora.org>
+Tested-by: Rocky Liao <rjliao@codeaurora.org>
+Tested-by: Claire Chang <tientzu@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_qca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 340c3c750b180..d3b467792eb3d 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -508,6 +508,8 @@ static int qca_open(struct hci_uart *hu)
+ qcadev = serdev_device_get_drvdata(hu->serdev);
+ if (qcadev->btsoc_type != QCA_WCN3990) {
+ gpiod_set_value_cansleep(qcadev->bt_en, 1);
++ /* Controller needs time to bootup. */
++ msleep(150);
+ } else {
+ hu->init_speed = qcadev->init_speed;
+ hu->oper_speed = qcadev->oper_speed;
+--
+2.20.1
+
--- /dev/null
+From 40616ed88d973917e96ea7f4169c68d85b0d2044 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= <jprvita@gmail.com>
+Date: Thu, 2 May 2019 10:01:52 +0800
+Subject: Bluetooth: Ignore CC events not matching the last HCI command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit f80c5dad7b6467b884c445ffea45985793b4b2d0 ]
+
+This commit makes the kernel not send the next queued HCI command until
+a command complete arrives for the last HCI command sent to the
+controller. This change avoids a problem with some buggy controllers
+(seen on two SKUs of QCA9377) that send an extra command complete event
+for the previous command after the kernel had already sent a new HCI
+command to the controller.
+
+The problem was reproduced when starting an active scanning procedure,
+where an extra command complete event arrives for the LE_SET_RANDOM_ADDR
+command. When this happends the kernel ends up not processing the
+command complete for the following commmand, LE_SET_SCAN_PARAM, and
+ultimately behaving as if a passive scanning procedure was being
+performed, when in fact controller is performing an active scanning
+procedure. This makes it impossible to discover BLE devices as no device
+found events are sent to userspace.
+
+This problem is reproducible on 100% of the attempts on the affected
+controllers. The extra command complete event can be seen at timestamp
+27.420131 on the btmon logs bellow.
+
+Bluetooth monitor ver 5.50
+= Note: Linux version 5.0.0+ (x86_64) 0.352340
+= Note: Bluetooth subsystem version 2.22 0.352343
+= New Index: 80:C5:F2:8F:87:84 (Primary,USB,hci0) [hci0] 0.352344
+= Open Index: 80:C5:F2:8F:87:84 [hci0] 0.352345
+= Index Info: 80:C5:F2:8F:87:84 (Qualcomm) [hci0] 0.352346
+@ MGMT Open: bluetoothd (privileged) version 1.14 {0x0001} 0.352347
+@ MGMT Open: btmon (privileged) version 1.14 {0x0002} 0.352366
+@ MGMT Open: btmgmt (privileged) version 1.14 {0x0003} 27.302164
+@ MGMT Command: Start Discovery (0x0023) plen 1 {0x0003} [hci0] 27.302310
+ Address type: 0x06
+ LE Public
+ LE Random
+< HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #1 [hci0] 27.302496
+ Address: 15:60:F2:91:B2:24 (Non-Resolvable)
+> HCI Event: Command Complete (0x0e) plen 4 #2 [hci0] 27.419117
+ LE Set Random Address (0x08|0x0005) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #3 [hci0] 27.419244
+ Type: Active (0x01)
+ Interval: 11.250 msec (0x0012)
+ Window: 11.250 msec (0x0012)
+ Own address type: Random (0x01)
+ Filter policy: Accept all advertisement (0x00)
+> HCI Event: Command Complete (0x0e) plen 4 #4 [hci0] 27.420131
+ LE Set Random Address (0x08|0x0005) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #5 [hci0] 27.420259
+ Scanning: Enabled (0x01)
+ Filter duplicates: Enabled (0x01)
+> HCI Event: Command Complete (0x0e) plen 4 #6 [hci0] 27.420969
+ LE Set Scan Parameters (0x08|0x000b) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Command Complete (0x0e) plen 4 #7 [hci0] 27.421983
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+@ MGMT Event: Command Complete (0x0001) plen 4 {0x0003} [hci0] 27.422059
+ Start Discovery (0x0023) plen 1
+ Status: Success (0x00)
+ Address type: 0x06
+ LE Public
+ LE Random
+@ MGMT Event: Discovering (0x0013) plen 2 {0x0003} [hci0] 27.422067
+ Address type: 0x06
+ LE Public
+ LE Random
+ Discovery: Enabled (0x01)
+@ MGMT Event: Discovering (0x0013) plen 2 {0x0002} [hci0] 27.422067
+ Address type: 0x06
+ LE Public
+ LE Random
+ Discovery: Enabled (0x01)
+@ MGMT Event: Discovering (0x0013) plen 2 {0x0001} [hci0] 27.422067
+ Address type: 0x06
+ LE Public
+ LE Random
+ Discovery: Enabled (0x01)
+
+Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_core.c | 5 +++++
+ net/bluetooth/hci_event.c | 12 ++++++++++++
+ net/bluetooth/hci_request.c | 5 +++++
+ net/bluetooth/hci_request.h | 1 +
+ 5 files changed, 24 insertions(+)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index fbba43e9bef5b..9a5330eed7944 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -282,6 +282,7 @@ enum {
+ HCI_FORCE_BREDR_SMP,
+ HCI_FORCE_STATIC_ADDR,
+ HCI_LL_RPA_RESOLUTION,
++ HCI_CMD_PENDING,
+
+ __HCI_NUM_FLAGS,
+ };
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index d6b2540ba7f8b..f275c99056507 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -4383,6 +4383,9 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
+ return;
+ }
+
++ /* If we reach this point this event matches the last command sent */
++ hci_dev_clear_flag(hdev, HCI_CMD_PENDING);
++
+ /* If the command succeeded and there's still more commands in
+ * this request the request is not yet complete.
+ */
+@@ -4493,6 +4496,8 @@ static void hci_cmd_work(struct work_struct *work)
+
+ hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
+ if (hdev->sent_cmd) {
++ if (hci_req_status_pend(hdev))
++ hci_dev_set_flag(hdev, HCI_CMD_PENDING);
+ atomic_dec(&hdev->cmd_cnt);
+ hci_send_frame(hdev, skb);
+ if (test_bit(HCI_RESET, &hdev->flags))
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 609fd6871c5ad..8b893baf9bbe2 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3404,6 +3404,12 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
+ hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
+ req_complete_skb);
+
++ if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
++ bt_dev_err(hdev,
++ "unexpected event for opcode 0x%4.4x", *opcode);
++ return;
++ }
++
+ if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
+ queue_work(hdev->workqueue, &hdev->cmd_work);
+ }
+@@ -3511,6 +3517,12 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
+ hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
+ req_complete_skb);
+
++ if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
++ bt_dev_err(hdev,
++ "unexpected event for opcode 0x%4.4x", *opcode);
++ return;
++ }
++
+ if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
+ queue_work(hdev->workqueue, &hdev->cmd_work);
+ }
+diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
+index ca73d36cc1494..e9a95ed654915 100644
+--- a/net/bluetooth/hci_request.c
++++ b/net/bluetooth/hci_request.c
+@@ -46,6 +46,11 @@ void hci_req_purge(struct hci_request *req)
+ skb_queue_purge(&req->cmd_q);
+ }
+
++bool hci_req_status_pend(struct hci_dev *hdev)
++{
++ return hdev->req_status == HCI_REQ_PEND;
++}
++
+ static int req_run(struct hci_request *req, hci_req_complete_t complete,
+ hci_req_complete_skb_t complete_skb)
+ {
+diff --git a/net/bluetooth/hci_request.h b/net/bluetooth/hci_request.h
+index 692cc8b133682..55b2050cc9ff0 100644
+--- a/net/bluetooth/hci_request.h
++++ b/net/bluetooth/hci_request.h
+@@ -37,6 +37,7 @@ struct hci_request {
+
+ void hci_req_init(struct hci_request *req, struct hci_dev *hdev);
+ void hci_req_purge(struct hci_request *req);
++bool hci_req_status_pend(struct hci_dev *hdev);
+ int hci_req_run(struct hci_request *req, hci_req_complete_t complete);
+ int hci_req_run_skb(struct hci_request *req, hci_req_complete_skb_t complete);
+ void hci_req_add(struct hci_request *req, u16 opcode, u32 plen,
+--
+2.20.1
+
--- /dev/null
+From 085f414b6dfc5160ea73ac89403dcef36325410b Mon Sep 17 00:00:00 2001
+From: Sean Wang <sean.wang@mediatek.com>
+Date: Tue, 5 Mar 2019 08:14:25 +0800
+Subject: Bluetooth: mediatek: Fixed incorrect type in assignment
+
+[ Upstream commit cac63f9b163700fb70a609ad220697c61b797d6b ]
+
+Fixed warning: incorrect type in assignment reported by kbuild test robot.
+The detailed warning is shown as below.
+
+make ARCH=x86_64 allmodconfig
+make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
+
+All warnings (new ones prefixed by >>):
+
+btmtkuart.c:671:18: sparse: warning: incorrect type in assignment
+ (different base types)
+btmtkuart.c:671:18: sparse: expected unsigned int [usertype] baudrate
+btmtkuart.c:671:18: sparse: got restricted __le32 [usertype]
+
+sparse warnings: (new ones prefixed by >>)
+btmtkuart.c:671:18: sparse: warning: incorrect type in assignment
+ (different base types)
+btmtkuart.c:671:18: sparse: expected unsigned int [usertype] baudrate
+btmtkuart.c:671:18: sparse: got restricted __le32 [usertype]
+
+vim +671 drivers/bluetooth/btmtkuart.c
+
+ 659
+ 660 static int btmtkuart_change_baudrate(struct hci_dev *hdev)
+ 661 {
+ 662 struct btmtkuart_dev *bdev = hci_get_drvdata(hdev);
+ 663 struct btmtk_hci_wmt_params wmt_params;
+ 664 u32 baudrate;
+ 665 u8 param;
+ 666 int err;
+ 667
+ 668 /* Indicate the device to enter the probe state the host is
+ 669 * ready to change a new baudrate.
+ 670 */
+ > 671 baudrate = cpu_to_le32(bdev->desired_speed);
+ 672 wmt_params.op = MTK_WMT_HIF;
+
+Fixes: 22eaf6c9946a ("Bluetooth: mediatek: add support for MediaTek MT7663U and MT7668U UART devices")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtkuart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c
+index b0b680dd69f49..f5dbeec8e2748 100644
+--- a/drivers/bluetooth/btmtkuart.c
++++ b/drivers/bluetooth/btmtkuart.c
+@@ -661,7 +661,7 @@ static int btmtkuart_change_baudrate(struct hci_dev *hdev)
+ {
+ struct btmtkuart_dev *bdev = hci_get_drvdata(hdev);
+ struct btmtk_hci_wmt_params wmt_params;
+- u32 baudrate;
++ __le32 baudrate;
+ u8 param;
+ int err;
+
+--
+2.20.1
+
--- /dev/null
+From abb84c50c2f45a4c70ae959bf594b14b2539326b Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Wed, 1 May 2019 22:45:59 +0900
+Subject: bpftool: exclude bash-completion/bpftool from .gitignore pattern
+
+[ Upstream commit a7d006714724de4334c5e3548701b33f7b12ca96 ]
+
+tools/bpf/bpftool/.gitignore has the "bpftool" pattern, which is
+intended to ignore the following build artifact:
+
+ tools/bpf/bpftool/bpftool
+
+However, the .gitignore entry is effective not only for the current
+directory, but also for any sub-directories.
+
+So, from the point of .gitignore grammar, the following check-in file
+is also considered to be ignored:
+
+ tools/bpf/bpftool/bash-completion/bpftool
+
+As the manual gitignore(5) says "Files already tracked by Git are not
+affected", this is not a problem as far as Git is concerned.
+
+However, Git is not the only program that parses .gitignore because
+.gitignore is useful to distinguish build artifacts from source files.
+
+For example, tar(1) supports the --exclude-vcs-ignore option. As of
+writing, this option does not work perfectly, but it intends to create
+a tarball excluding files specified by .gitignore.
+
+So, I believe it is better to fix this issue.
+
+You can fix it by prefixing the pattern with a slash; the leading slash
+means the specified pattern is relative to the current directory.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/.gitignore | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/.gitignore b/tools/bpf/bpftool/.gitignore
+index 67167e44b7266..8248b8dd89d4b 100644
+--- a/tools/bpf/bpftool/.gitignore
++++ b/tools/bpf/bpftool/.gitignore
+@@ -1,5 +1,5 @@
+ *.d
+-bpftool
++/bpftool
+ bpftool*.8
+ bpf-helpers.*
+ FEATURE-DUMP.bpftool
+--
+2.20.1
+
--- /dev/null
+From 9177f2be21b9606417deefc9e806f21e459efa17 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 12:52:18 +0300
+Subject: brcm80211: potential NULL dereference in
+ brcmf_cfg80211_vndr_cmds_dcmd_handler()
+
+[ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]
+
+If "ret_len" is negative then it could lead to a NULL dereference.
+
+The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
+then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to
+brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
+Most of the functions in that call tree check whether the buffer we pass
+is NULL but there are at least a couple places which don't such as
+brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and
+from the buffer so it would result in a NULL dereference.
+
+The fix is to change the types so that "ret_len" can't be negative. (If
+we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
+issue).
+
+Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
+index 8eff2753abade..d493021f60318 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
+@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
+ struct brcmf_if *ifp;
+ const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
+ struct sk_buff *reply;
+- int ret, payload, ret_len;
++ unsigned int payload, ret_len;
+ void *dcmd_buf = NULL, *wr_pointer;
+ u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
++ int ret;
+
+ if (len < sizeof(*cmdhdr)) {
+ brcmf_err("vendor command too short: %d\n", len);
+@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
+ brcmf_err("oversize return buffer %d\n", ret_len);
+ ret_len = BRCMF_DCMD_MAXLEN;
+ }
+- payload = max(ret_len, len) + 1;
++ payload = max_t(unsigned int, ret_len, len) + 1;
+ dcmd_buf = vzalloc(payload);
+ if (NULL == dcmd_buf)
+ return -ENOMEM;
+--
+2.20.1
+
--- /dev/null
+From 4fffb79e3061d6749b82d9c9ab0b6b74e419755d Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:42 +0000
+Subject: brcmfmac: convert dev_init_lock mutex to completion
+
+[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]
+
+Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
+kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
+which silences those warnings and improves code readability.
+
+Fix below errors when connecting the USB WiFi dongle:
+
+brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
+BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
+ last function: hub_event
+1 lock held by kworker/0:2/434:
+ #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: usb_hub_wq hub_event
+[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
+[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
+[<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808)
+[<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xed1d9fb0 to 0xed1d9ff8)
+9fa0: 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+======================================================
+WARNING: possible circular locking dependency detected
+4.19.23-00084-g454a789-dirty #123 Not tainted
+------------------------------------------------------
+kworker/0:2/434 is trying to acquire lock:
+e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808
+
+but task is already holding lock:
+18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (&devinfo->dev_init_lock){+.+.}:
+ mutex_lock_nested+0x1c/0x24
+ brcmf_usb_probe+0x78/0x550 [brcmfmac]
+ usb_probe_interface+0xc0/0x1bc
+ really_probe+0x228/0x2c0
+ __driver_attach+0xe4/0xe8
+ bus_for_each_dev+0x68/0xb4
+ bus_add_driver+0x19c/0x214
+ driver_register+0x78/0x110
+ usb_register_driver+0x84/0x148
+ process_one_work+0x228/0x808
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+-> #1 (brcmf_driver_work){+.+.}:
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+-> #0 ((wq_completion)"events"){+.+.}:
+ process_one_work+0x1b8/0x808
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+other info that might help us debug this:
+
+Chain exists of:
+ (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&devinfo->dev_init_lock);
+ lock(brcmf_driver_work);
+ lock(&devinfo->dev_init_lock);
+ lock((wq_completion)"events");
+
+ *** DEADLOCK ***
+
+1 lock held by kworker/0:2/434:
+ #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+
+stack backtrace:
+CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: events request_firmware_work_func
+[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
+[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
+[<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330)
+[<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30)
+[<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268)
+[<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808)
+[<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xed1d9fb0 to 0xed1d9ff8)
+9fa0: 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/usb.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+index e9cbfd077710a..a513990cd1d6a 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -160,7 +160,7 @@ struct brcmf_usbdev_info {
+
+ struct usb_device *usbdev;
+ struct device *dev;
+- struct mutex dev_init_lock;
++ struct completion dev_init_done;
+
+ int ctl_in_pipe, ctl_out_pipe;
+ struct urb *ctl_urb; /* URB for control endpoint */
+@@ -1193,11 +1193,11 @@ static void brcmf_usb_probe_phase2(struct device *dev, int ret,
+ if (ret)
+ goto error;
+
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ return;
+ error:
+ brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ device_release_driver(dev);
+ }
+
+@@ -1265,7 +1265,7 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
+ if (ret)
+ goto fail;
+ /* we are done */
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ return 0;
+ }
+ bus->chip = bus_pub->devid;
+@@ -1325,11 +1325,10 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+
+ devinfo->usbdev = usb;
+ devinfo->dev = &usb->dev;
+- /* Take an init lock, to protect for disconnect while still loading.
++ /* Init completion, to protect for disconnect while still loading.
+ * Necessary because of the asynchronous firmware load construction
+ */
+- mutex_init(&devinfo->dev_init_lock);
+- mutex_lock(&devinfo->dev_init_lock);
++ init_completion(&devinfo->dev_init_done);
+
+ usb_set_intfdata(intf, devinfo);
+
+@@ -1407,7 +1406,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ return 0;
+
+ fail:
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ kfree(devinfo);
+ usb_set_intfdata(intf, NULL);
+ return ret;
+@@ -1422,7 +1421,7 @@ brcmf_usb_disconnect(struct usb_interface *intf)
+ devinfo = (struct brcmf_usbdev_info *)usb_get_intfdata(intf);
+
+ if (devinfo) {
+- mutex_lock(&devinfo->dev_init_lock);
++ wait_for_completion(&devinfo->dev_init_done);
+ /* Make sure that devinfo still exists. Firmware probe routines
+ * may have released the device and cleared the intfdata.
+ */
+--
+2.20.1
+
--- /dev/null
+From 8cfe3bf68e2af21db3c03021187c0e3fe35c316a Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 12:04:32 -0500
+Subject: brcmfmac: fix missing checks for kmemdup
+
+[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]
+
+In case kmemdup fails, the fix sets conn_info->req_ie_len and
+conn_info->resp_ie_len to zero to avoid buffer overflows.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index e92f6351bd224..8ee8af4e7ec4f 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5464,6 +5464,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ conn_info->req_ie =
+ kmemdup(cfg->extra_buf, conn_info->req_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->req_ie)
++ conn_info->req_ie_len = 0;
+ } else {
+ conn_info->req_ie_len = 0;
+ conn_info->req_ie = NULL;
+@@ -5480,6 +5482,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ conn_info->resp_ie =
+ kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->resp_ie)
++ conn_info->resp_ie_len = 0;
+ } else {
+ conn_info->resp_ie_len = 0;
+ conn_info->resp_ie = NULL;
+--
+2.20.1
+
--- /dev/null
+From bc273fba0d19729453973073dd3269c1db22c39a Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:01 +0000
+Subject: brcmfmac: fix Oops when bringing up interface during USB disconnect
+
+[ Upstream commit 24d413a31afaee9bbbf79226052c386b01780ce2 ]
+
+Fix a race which leads to an Oops with NULL pointer dereference. The
+dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
+net_device structure of interface with index 0 via if2bss mapping. This
+shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
+but it's not synchronised with USB disconnect and there is a race: after
+the check the bus can be marked down and the mapping for interface 0 may be
+gone.
+
+Solve this by modifying disconnect handling so that the removal of mapping
+of ifidx to brcmf_if structure happens after netdev removal (which is
+synchronous with brcmf_netdev_open() thanks to rtln being locked in
+devinet_ioctl()). This assures brcmf_netdev_open() returns before the
+mapping is removed during disconnect.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = bcae2612
+[00000008] *pgd=8be73831
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
+iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
+nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
+u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
+usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
+udc_core [last unloaded: brcmutil]
+CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
+LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
+pc : [<7f26a91c>] lr : [<7f26a914>] psr: a0070013
+sp : eca99d28 ip : 00000000 fp : ee9c6c00
+r10: 00000036 r9 : 00000000 r8 : ece4002c
+r7 : edb5b800 r6 : 00000000 r5 : 80f08448 r4 : edb5b968
+r3 : ffffffff r2 : 00000000 r1 : 00000002 r0 : 00000000
+Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 7ca0c04a DAC: 00000051
+Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
+Stack: (0xeca99d28 to 0xeca9a000)
+9d20: 00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32
+9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036
+9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008
+9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001
+9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58
+9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000
+9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70
+9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043
+9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914
+9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030
+9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000
+9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32
+9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40
+9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000
+9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38
+9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00
+9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4
+9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118
+9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38
+9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036
+9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000
+[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
+[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150)
+[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4)
+[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48)
+[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c)
+[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4)
+[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524)
+[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0)
+[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c)
+[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xeca99fa8 to 0xeca99ff0)
+9fa0: 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
+Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
+---[ end trace 5cbac2333f3ac5df ]---
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index 4fbe8791f6749..24ed19ed116ea 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -841,17 +841,17 @@ static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx,
+ bool rtnl_locked)
+ {
+ struct brcmf_if *ifp;
++ int ifidx;
+
+ ifp = drvr->iflist[bsscfgidx];
+- drvr->iflist[bsscfgidx] = NULL;
+ if (!ifp) {
+ bphy_err(drvr, "Null interface, bsscfgidx=%d\n", bsscfgidx);
+ return;
+ }
+ brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx,
+ ifp->ifidx);
+- if (drvr->if2bss[ifp->ifidx] == bsscfgidx)
+- drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID;
++ ifidx = ifp->ifidx;
++
+ if (ifp->ndev) {
+ if (bsscfgidx == 0) {
+ if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
+@@ -879,6 +879,10 @@ static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx,
+ brcmf_p2p_ifp_removed(ifp, rtnl_locked);
+ kfree(ifp);
+ }
++
++ drvr->iflist[bsscfgidx] = NULL;
++ if (drvr->if2bss[ifidx] == bsscfgidx)
++ drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID;
+ }
+
+ void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked)
+--
+2.20.1
+
--- /dev/null
+From f7f5d344769cf8342f7911d48f3115583207115c Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Fri, 8 Mar 2019 15:25:04 +0000
+Subject: brcmfmac: fix race during disconnect when USB completion is in
+ progress
+
+[ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ]
+
+It was observed that rarely during USB disconnect happening shortly after
+connect (before full initialization completes) usb_hub_wq would wait
+forever for the dev_init_lock to be unlocked. dev_init_lock would remain
+locked though because of infinite wait during usb_kill_urb:
+
+[ 2730.656472] kworker/0:2 D 0 260 2 0x00000000
+[ 2730.660700] Workqueue: events request_firmware_work_func
+[ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
+[ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
+[ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
+[ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
+[ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
+[ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
+[ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
+[ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+[ 2733.099695] kworker/0:3 D 0 1065 2 0x00000000
+[ 2733.103926] Workqueue: usb_hub_wq hub_event
+[ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
+[ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
+[ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
+[ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
+[ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
+[ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
+[ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
+[ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
+[ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
+[ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
+[ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+It was traced down to a case where usb_kill_urb would be called on an URB
+structure containing more or less random data, including large number in
+its use_count. During the debugging it appeared that in brcmf_usb_free_q()
+the traversal over URBs' lists is not synchronized with operations on those
+lists in brcmf_usb_rx_complete() leading to handling
+brcmf_usbdev_info structure (holding lists' head) as lists' element and in
+result causing above problem.
+
+Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
+arrays of requests instead of linked lists.
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+index a513990cd1d6a..81e1842f1d8c1 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -682,12 +682,18 @@ static int brcmf_usb_up(struct device *dev)
+
+ static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo)
+ {
++ int i;
++
+ if (devinfo->ctl_urb)
+ usb_kill_urb(devinfo->ctl_urb);
+ if (devinfo->bulk_urb)
+ usb_kill_urb(devinfo->bulk_urb);
+- brcmf_usb_free_q(&devinfo->tx_postq, true);
+- brcmf_usb_free_q(&devinfo->rx_postq, true);
++ if (devinfo->tx_reqs)
++ for (i = 0; i < devinfo->bus_pub.ntxq; i++)
++ usb_kill_urb(devinfo->tx_reqs[i].urb);
++ if (devinfo->rx_reqs)
++ for (i = 0; i < devinfo->bus_pub.nrxq; i++)
++ usb_kill_urb(devinfo->rx_reqs[i].urb);
+ }
+
+ static void brcmf_usb_down(struct device *dev)
+--
+2.20.1
+
--- /dev/null
+From 29b66a82de4b7c2c2d256b7f0079cb617a3b5bd7 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Mon, 4 Mar 2019 15:42:49 +0000
+Subject: brcmfmac: fix WARNING during USB disconnect in case of unempty psq
+
+[ Upstream commit c80d26e81ef1802f30364b4ad1955c1443a592b9 ]
+
+brcmu_pkt_buf_free_skb emits WARNING when attempting to free a sk_buff
+which is part of any queue. After USB disconnect this may have happened
+when brcmf_fws_hanger_cleanup() is called as per-interface psq was never
+cleaned when removing the interface.
+Change brcmf_fws_macdesc_cleanup() in a way that it removes the
+corresponding packets from hanger table (to avoid double-free when
+brcmf_fws_hanger_cleanup() is called) and add a call to clean-up the
+interface specific packet queue.
+
+Below is a WARNING during USB disconnect with Raspberry Pi WiFi dongle
+running in AP mode. This was reproducible when the interface was
+transmitting during the disconnect and is fixed with this commit.
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40
+Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core
+CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: usb_hub_wq hub_event
+[<8010ff84>] (unwind_backtrace) from [<8010bb64>] (show_stack+0x10/0x14)
+[<8010bb64>] (show_stack) from [<80840278>] (dump_stack+0x88/0x9c)
+[<80840278>] (dump_stack) from [<8011f5ec>] (__warn+0xfc/0x114)
+[<8011f5ec>] (__warn) from [<8011f71c>] (warn_slowpath_null+0x40/0x48)
+[<8011f71c>] (warn_slowpath_null) from [<805a476c>] (brcmu_pkt_buf_free_skb+0x3c/0x40)
+[<805a476c>] (brcmu_pkt_buf_free_skb) from [<805bb6c4>] (brcmf_fws_cleanup+0x1e4/0x22c)
+[<805bb6c4>] (brcmf_fws_cleanup) from [<805bc854>] (brcmf_fws_del_interface+0x58/0x68)
+[<805bc854>] (brcmf_fws_del_interface) from [<805b66ac>] (brcmf_remove_interface+0x40/0x150)
+[<805b66ac>] (brcmf_remove_interface) from [<805b6870>] (brcmf_detach+0x6c/0xb0)
+[<805b6870>] (brcmf_detach) from [<805bdbb8>] (brcmf_usb_disconnect+0x30/0x4c)
+[<805bdbb8>] (brcmf_usb_disconnect) from [<805e5d64>] (usb_unbind_interface+0x5c/0x1e0)
+[<805e5d64>] (usb_unbind_interface) from [<804aab10>] (device_release_driver_internal+0x154/0x1ec)
+[<804aab10>] (device_release_driver_internal) from [<804a97f4>] (bus_remove_device+0xcc/0xf8)
+[<804a97f4>] (bus_remove_device) from [<804a6fc0>] (device_del+0x118/0x308)
+[<804a6fc0>] (device_del) from [<805e488c>] (usb_disable_device+0xa0/0x1c8)
+[<805e488c>] (usb_disable_device) from [<805dcf98>] (usb_disconnect+0x70/0x1d8)
+[<805dcf98>] (usb_disconnect) from [<805ddd84>] (hub_event+0x464/0xf50)
+[<805ddd84>] (hub_event) from [<80135a70>] (process_one_work+0x138/0x3f8)
+[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
+[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
+[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
+Exception stack(0xecf8dfb0 to 0xecf8dff8)
+dfa0: 00000000 00000000 00000000 00000000
+dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+---[ end trace 38d234018e9e2a90 ]---
+------------[ cut here ]------------
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmfmac/fwsignal.c | 42 +++++++++++--------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+index abeb305492e01..d48b8b2d946fe 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -580,24 +580,6 @@ static bool brcmf_fws_ifidx_match(struct sk_buff *skb, void *arg)
+ return ifidx == *(int *)arg;
+ }
+
+-static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
+- int ifidx)
+-{
+- bool (*matchfn)(struct sk_buff *, void *) = NULL;
+- struct sk_buff *skb;
+- int prec;
+-
+- if (ifidx != -1)
+- matchfn = brcmf_fws_ifidx_match;
+- for (prec = 0; prec < q->num_prec; prec++) {
+- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
+- while (skb) {
+- brcmu_pkt_buf_free_skb(skb);
+- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
+- }
+- }
+-}
+-
+ static void brcmf_fws_hanger_init(struct brcmf_fws_hanger *hanger)
+ {
+ int i;
+@@ -669,6 +651,28 @@ static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h,
+ return 0;
+ }
+
++static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
++ int ifidx)
++{
++ bool (*matchfn)(struct sk_buff *, void *) = NULL;
++ struct sk_buff *skb;
++ int prec;
++ u32 hslot;
++
++ if (ifidx != -1)
++ matchfn = brcmf_fws_ifidx_match;
++ for (prec = 0; prec < q->num_prec; prec++) {
++ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
++ while (skb) {
++ hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT);
++ brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb,
++ true);
++ brcmu_pkt_buf_free_skb(skb);
++ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
++ }
++ }
++}
++
+ static int brcmf_fws_hanger_mark_suppressed(struct brcmf_fws_hanger *h,
+ u32 slot_id)
+ {
+@@ -2200,6 +2204,8 @@ void brcmf_fws_del_interface(struct brcmf_if *ifp)
+ brcmf_fws_lock(fws);
+ ifp->fws_desc = NULL;
+ brcmf_dbg(TRACE, "deleting %s\n", entry->name);
++ brcmf_fws_macdesc_cleanup(fws, &fws->desc.iface[ifp->ifidx],
++ ifp->ifidx);
+ brcmf_fws_macdesc_deinit(entry);
+ brcmf_fws_cleanup(fws, ifp->ifidx);
+ brcmf_fws_unlock(fws);
+--
+2.20.1
+
--- /dev/null
+From 902c5de9cc45c2b1d9bcb92b5648323da66e1b96 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 26 Feb 2019 16:33:56 +0800
+Subject: btrfs: Don't panic when we can't find a root key
+
+[ Upstream commit 7ac1e464c4d473b517bb784f30d40da1f842482e ]
+
+When we failed to find a root key in btrfs_update_root(), we just panic.
+
+That's definitely not cool, fix it by outputting an unique error
+message, aborting current transaction and return -EUCLEAN. This should
+not normally happen as the root has been used by the callers in some
+way.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/root-tree.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
+index 1a92ad546f912..22124122728cd 100644
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -135,11 +135,14 @@ int btrfs_update_root(struct btrfs_trans_handle *trans, struct btrfs_root
+ if (ret < 0)
+ goto out;
+
+- if (ret != 0) {
+- btrfs_print_leaf(path->nodes[0]);
+- btrfs_crit(fs_info, "unable to update root key %llu %u %llu",
+- key->objectid, key->type, key->offset);
+- BUG_ON(1);
++ if (ret > 0) {
++ btrfs_crit(fs_info,
++ "unable to find root key (%llu %u %llu) in tree %llu",
++ key->objectid, key->type, key->offset,
++ root->root_key.objectid);
++ ret = -EUCLEAN;
++ btrfs_abort_transaction(trans, ret);
++ goto out;
+ }
+
+ l = path->nodes[0];
+--
+2.20.1
+
--- /dev/null
+From 8aa468e7e51f448a31c6b728103d90798f15cbc6 Mon Sep 17 00:00:00 2001
+From: Robbie Ko <robbieko@synology.com>
+Date: Tue, 26 Mar 2019 11:56:11 +0800
+Subject: Btrfs: fix data bytes_may_use underflow with fallocate due to failed
+ quota reserve
+
+[ Upstream commit 39ad317315887c2cb9a4347a93a8859326ddf136 ]
+
+When doing fallocate, we first add the range to the reserve_list and
+then reserve the quota. If quota reservation fails, we'll release all
+reserved parts of reserve_list.
+
+However, cur_offset is not updated to indicate that this range is
+already been inserted into the list. Therefore, the same range is freed
+twice. Once at list_for_each_entry loop, and once at the end of the
+function. This will result in WARN_ON on bytes_may_use when we free the
+remaining space.
+
+At the end, under the 'out' label we have a call to:
+
+ btrfs_free_reserved_data_space(inode, data_reserved, alloc_start, alloc_end - cur_offset);
+
+The start offset, third argument, should be cur_offset.
+
+Everything from alloc_start to cur_offset was freed by the
+list_for_each_entry_safe_loop.
+
+Fixes: 18513091af94 ("btrfs: update btrfs_space_info's bytes_may_use timely")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Robbie Ko <robbieko@synology.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index 27decfd33ad92..ef11808b592bb 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -3142,6 +3142,7 @@ static long btrfs_fallocate(struct file *file, int mode,
+ ret = btrfs_qgroup_reserve_data(inode, &data_reserved,
+ cur_offset, last_byte - cur_offset);
+ if (ret < 0) {
++ cur_offset = last_byte;
+ free_extent_map(em);
+ break;
+ }
+@@ -3191,7 +3192,7 @@ static long btrfs_fallocate(struct file *file, int mode,
+ /* Let go of our reservation. */
+ if (ret != 0 && !(mode & FALLOC_FL_ZERO_RANGE))
+ btrfs_free_reserved_data_space(inode, data_reserved,
+- alloc_start, alloc_end - cur_offset);
++ cur_offset, alloc_end - cur_offset);
+ extent_changeset_free(data_reserved);
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From d34ee836d7fe13b10467ab704b100ad531b6484c Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 25 Feb 2019 11:14:45 -0500
+Subject: btrfs: fix panic during relocation after ENOSPC before writeback
+ happens
+
+[ Upstream commit ff612ba7849964b1898fd3ccd1f56941129c6aab ]
+
+We've been seeing the following sporadically throughout our fleet
+
+panic: kernel BUG at fs/btrfs/relocation.c:4584!
+netversion: 5.0-0
+Backtrace:
+ #0 [ffffc90003adb880] machine_kexec at ffffffff81041da8
+ #1 [ffffc90003adb8c8] __crash_kexec at ffffffff8110396c
+ #2 [ffffc90003adb988] crash_kexec at ffffffff811048ad
+ #3 [ffffc90003adb9a0] oops_end at ffffffff8101c19a
+ #4 [ffffc90003adb9c0] do_trap at ffffffff81019114
+ #5 [ffffc90003adba00] do_error_trap at ffffffff810195d0
+ #6 [ffffc90003adbab0] invalid_op at ffffffff81a00a9b
+ [exception RIP: btrfs_reloc_cow_block+692]
+ RIP: ffffffff8143b614 RSP: ffffc90003adbb68 RFLAGS: 00010246
+ RAX: fffffffffffffff7 RBX: ffff8806b9c32000 RCX: ffff8806aad00690
+ RDX: ffff880850b295e0 RSI: ffff8806b9c32000 RDI: ffff88084f205bd0
+ RBP: ffff880849415000 R8: ffffc90003adbbe0 R9: ffff88085ac90000
+ R10: ffff8805f7369140 R11: 0000000000000000 R12: ffff880850b295e0
+ R13: ffff88084f205bd0 R14: 0000000000000000 R15: 0000000000000000
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #7 [ffffc90003adbbb0] __btrfs_cow_block at ffffffff813bf1cd
+ #8 [ffffc90003adbc28] btrfs_cow_block at ffffffff813bf4b3
+ #9 [ffffc90003adbc78] btrfs_search_slot at ffffffff813c2e6c
+
+The way relocation moves data extents is by creating a reloc inode and
+preallocating extents in this inode and then copying the data into these
+preallocated extents. Once we've done this for all of our extents,
+we'll write out these dirty pages, which marks the extent written, and
+goes into btrfs_reloc_cow_block(). From here we get our current
+reloc_control, which _should_ match the reloc_control for the current
+block group we're relocating.
+
+However if we get an ENOSPC in this path at some point we'll bail out,
+never initiating writeback on this inode. Not a huge deal, unless we
+happen to be doing relocation on a different block group, and this block
+group is now rc->stage == UPDATE_DATA_PTRS. This trips the BUG_ON() in
+btrfs_reloc_cow_block(), because we expect to be done modifying the data
+inode. We are in fact done modifying the metadata for the data inode
+we're currently using, but not the one from the failed block group, and
+thus we BUG_ON().
+
+(This happens when writeback finishes for extents from the previous
+group, when we are at btrfs_finish_ordered_io() which updates the data
+reloc tree (inode item, drops/adds extent items, etc).)
+
+Fix this by writing out the reloc data inode always, and then breaking
+out of the loop after that point to keep from tripping this BUG_ON()
+later.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+[ add note from Filipe ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/relocation.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 351fa506dc9bf..1d82ee4883eb3 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -4330,27 +4330,36 @@ int btrfs_relocate_block_group(struct btrfs_fs_info *fs_info, u64 group_start)
+ mutex_lock(&fs_info->cleaner_mutex);
+ ret = relocate_block_group(rc);
+ mutex_unlock(&fs_info->cleaner_mutex);
+- if (ret < 0) {
++ if (ret < 0)
+ err = ret;
+- goto out;
+- }
+-
+- if (rc->extents_found == 0)
+- break;
+-
+- btrfs_info(fs_info, "found %llu extents", rc->extents_found);
+
++ /*
++ * We may have gotten ENOSPC after we already dirtied some
++ * extents. If writeout happens while we're relocating a
++ * different block group we could end up hitting the
++ * BUG_ON(rc->stage == UPDATE_DATA_PTRS) in
++ * btrfs_reloc_cow_block. Make sure we write everything out
++ * properly so we don't trip over this problem, and then break
++ * out of the loop if we hit an error.
++ */
+ if (rc->stage == MOVE_DATA_EXTENTS && rc->found_file_extent) {
+ ret = btrfs_wait_ordered_range(rc->data_inode, 0,
+ (u64)-1);
+- if (ret) {
++ if (ret)
+ err = ret;
+- goto out;
+- }
+ invalidate_mapping_pages(rc->data_inode->i_mapping,
+ 0, -1);
+ rc->stage = UPDATE_DATA_PTRS;
+ }
++
++ if (err < 0)
++ goto out;
++
++ if (rc->extents_found == 0)
++ break;
++
++ btrfs_info(fs_info, "found %llu extents", rc->extents_found);
++
+ }
+
+ WARN_ON(rc->block_group->pinned > 0);
+--
+2.20.1
+
--- /dev/null
+From 94e7d5fd1c5b15190907cb185fa724148b066f31 Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 19 Apr 2019 10:03:03 -0700
+Subject: cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock
+
+[ Upstream commit 4dcabece4c3a9f9522127be12cc12cc120399b2f ]
+
+The number of descendant cgroups and the number of dying
+descendant cgroups are currently synchronized using the cgroup_mutex.
+
+The number of descendant cgroups will be required by the cgroup v2
+freezer, which will use it to determine if a cgroup is frozen
+(depending on total number of descendants and number of frozen
+descendants). It's not always acceptable to grab the cgroup_mutex,
+especially from quite hot paths (e.g. exit()).
+
+To avoid this, let's additionally synchronize these counters using
+the css_set_lock.
+
+So, it's safe to read these counters with either cgroup_mutex or
+css_set_lock locked, and for changing both locks should be acquired.
+
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: kernel-team@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/cgroup-defs.h | 5 +++++
+ kernel/cgroup/cgroup.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
+index 1c70803e9f770..7d57890cec671 100644
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -349,6 +349,11 @@ struct cgroup {
+ * Dying cgroups are cgroups which were deleted by a user,
+ * but are still existing because someone else is holding a reference.
+ * max_descendants is a maximum allowed number of descent cgroups.
++ *
++ * nr_descendants and nr_dying_descendants are protected
++ * by cgroup_mutex and css_set_lock. It's fine to read them holding
++ * any of cgroup_mutex and css_set_lock; for writing both locks
++ * should be held.
+ */
+ int nr_descendants;
+ int nr_dying_descendants;
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 3f2b4bde0f9c3..9fcf6338ea5f9 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -4781,9 +4781,11 @@ static void css_release_work_fn(struct work_struct *work)
+ if (cgroup_on_dfl(cgrp))
+ cgroup_rstat_flush(cgrp);
+
++ spin_lock_irq(&css_set_lock);
+ for (tcgrp = cgroup_parent(cgrp); tcgrp;
+ tcgrp = cgroup_parent(tcgrp))
+ tcgrp->nr_dying_descendants--;
++ spin_unlock_irq(&css_set_lock);
+
+ cgroup_idr_remove(&cgrp->root->cgroup_idr, cgrp->id);
+ cgrp->id = -1;
+@@ -5001,12 +5003,14 @@ static struct cgroup *cgroup_create(struct cgroup *parent)
+ if (ret)
+ goto out_psi_free;
+
++ spin_lock_irq(&css_set_lock);
+ for (tcgrp = cgrp; tcgrp; tcgrp = cgroup_parent(tcgrp)) {
+ cgrp->ancestor_ids[tcgrp->level] = tcgrp->id;
+
+ if (tcgrp != cgrp)
+ tcgrp->nr_descendants++;
+ }
++ spin_unlock_irq(&css_set_lock);
+
+ if (notify_on_release(parent))
+ set_bit(CGRP_NOTIFY_ON_RELEASE, &cgrp->flags);
+@@ -5291,10 +5295,12 @@ static int cgroup_destroy_locked(struct cgroup *cgrp)
+ if (parent && cgroup_is_threaded(cgrp))
+ parent->nr_threaded_children--;
+
++ spin_lock_irq(&css_set_lock);
+ for (tcgrp = cgroup_parent(cgrp); tcgrp; tcgrp = cgroup_parent(tcgrp)) {
+ tcgrp->nr_descendants--;
+ tcgrp->nr_dying_descendants++;
+ }
++ spin_unlock_irq(&css_set_lock);
+
+ cgroup1_check_for_release(parent);
+
+--
+2.20.1
+
--- /dev/null
+From c976eb9cbc83d65550bfbe71d102cff50e7fc805 Mon Sep 17 00:00:00 2001
+From: Chengguang Xu <cgxu519@gmx.com>
+Date: Fri, 15 Feb 2019 20:27:11 +0800
+Subject: chardev: add additional check for minor range overlap
+
+[ Upstream commit de36e16d1557a0b6eb328bc3516359a12ba5c25c ]
+
+Current overlap checking cannot correctly handle
+a case which is baseminor < existing baseminor &&
+baseminor + minorct > existing baseminor + minorct.
+
+Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/char_dev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/char_dev.c b/fs/char_dev.c
+index a279c58fe3606..8a63cfa290053 100644
+--- a/fs/char_dev.c
++++ b/fs/char_dev.c
+@@ -159,6 +159,12 @@ __register_chrdev_region(unsigned int major, unsigned int baseminor,
+ ret = -EBUSY;
+ goto out;
+ }
++
++ if (new_min < old_min && new_max > old_max) {
++ ret = -EBUSY;
++ goto out;
++ }
++
+ }
+
+ cd->next = *cp;
+--
+2.20.1
+
--- /dev/null
+From 32864848050dde9e0932456a382619078c46705c Mon Sep 17 00:00:00 2001
+From: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+Date: Fri, 28 Sep 2018 16:33:06 +0900
+Subject: clk: renesas: rcar-gen3: Correct parent clock of Audio-DMAC
+
+[ Upstream commit b9df2ea2b8d09ad850afe4d4a0403cb23d9e0c02 ]
+
+The clock sources of the AXI-bus clock (266.66 MHz) used for Audio-DMAC
+DMA transfers are:
+
+ Channel R-Car H3 R-Car M3-W R-Car M3-N R-Car E3
+ ---------------------------------------------------------------
+ Audio-DMAC0 S1D2 S1D2 S1D2 S1D2
+ Audio-DMAC1 S1D2 S1D2 S1D2 -
+
+As a result, change the parent clocks of the Audio-DMAC{0,1} module
+clocks on R-Car H3, R-Car M3-W, and R-Car M3-N to S1D2, and change the
+parent clock of the Audio-DMAC0 module on R-Car E3 to S1D2.
+
+NOTE: This information will be reflected in a future revision of the
+ R-Car Gen3 Hardware Manual.
+
+Signed-off-by: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+[geert: Update R-Car D3, RZ/G2M, and RZ/G2E]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/r8a774a1-cpg-mssr.c | 4 ++--
+ drivers/clk/renesas/r8a774c0-cpg-mssr.c | 2 +-
+ drivers/clk/renesas/r8a7795-cpg-mssr.c | 4 ++--
+ drivers/clk/renesas/r8a7796-cpg-mssr.c | 4 ++--
+ drivers/clk/renesas/r8a77965-cpg-mssr.c | 4 ++--
+ drivers/clk/renesas/r8a77990-cpg-mssr.c | 2 +-
+ drivers/clk/renesas/r8a77995-cpg-mssr.c | 2 +-
+ 7 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/clk/renesas/r8a774a1-cpg-mssr.c b/drivers/clk/renesas/r8a774a1-cpg-mssr.c
+index 047599579c651..7a4c5957939a5 100644
+--- a/drivers/clk/renesas/r8a774a1-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a774a1-cpg-mssr.c
+@@ -143,8 +143,8 @@ static const struct mssr_mod_clk r8a774a1_mod_clks[] __initconst = {
+ DEF_MOD("rwdt", 402, R8A774A1_CLK_R),
+ DEF_MOD("intc-ex", 407, R8A774A1_CLK_CP),
+ DEF_MOD("intc-ap", 408, R8A774A1_CLK_S0D3),
+- DEF_MOD("audmac1", 501, R8A774A1_CLK_S0D3),
+- DEF_MOD("audmac0", 502, R8A774A1_CLK_S0D3),
++ DEF_MOD("audmac1", 501, R8A774A1_CLK_S1D2),
++ DEF_MOD("audmac0", 502, R8A774A1_CLK_S1D2),
+ DEF_MOD("hscif4", 516, R8A774A1_CLK_S3D1),
+ DEF_MOD("hscif3", 517, R8A774A1_CLK_S3D1),
+ DEF_MOD("hscif2", 518, R8A774A1_CLK_S3D1),
+diff --git a/drivers/clk/renesas/r8a774c0-cpg-mssr.c b/drivers/clk/renesas/r8a774c0-cpg-mssr.c
+index 34e274f2a273a..93dacd826fd04 100644
+--- a/drivers/clk/renesas/r8a774c0-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a774c0-cpg-mssr.c
+@@ -157,7 +157,7 @@ static const struct mssr_mod_clk r8a774c0_mod_clks[] __initconst = {
+ DEF_MOD("intc-ex", 407, R8A774C0_CLK_CP),
+ DEF_MOD("intc-ap", 408, R8A774C0_CLK_S0D3),
+
+- DEF_MOD("audmac0", 502, R8A774C0_CLK_S3D4),
++ DEF_MOD("audmac0", 502, R8A774C0_CLK_S1D2),
+ DEF_MOD("hscif4", 516, R8A774C0_CLK_S3D1C),
+ DEF_MOD("hscif3", 517, R8A774C0_CLK_S3D1C),
+ DEF_MOD("hscif2", 518, R8A774C0_CLK_S3D1C),
+diff --git a/drivers/clk/renesas/r8a7795-cpg-mssr.c b/drivers/clk/renesas/r8a7795-cpg-mssr.c
+index eade38e9ed36b..0825cd0ff2866 100644
+--- a/drivers/clk/renesas/r8a7795-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a7795-cpg-mssr.c
+@@ -153,8 +153,8 @@ static struct mssr_mod_clk r8a7795_mod_clks[] __initdata = {
+ DEF_MOD("rwdt", 402, R8A7795_CLK_R),
+ DEF_MOD("intc-ex", 407, R8A7795_CLK_CP),
+ DEF_MOD("intc-ap", 408, R8A7795_CLK_S0D3),
+- DEF_MOD("audmac1", 501, R8A7795_CLK_S0D3),
+- DEF_MOD("audmac0", 502, R8A7795_CLK_S0D3),
++ DEF_MOD("audmac1", 501, R8A7795_CLK_S1D2),
++ DEF_MOD("audmac0", 502, R8A7795_CLK_S1D2),
+ DEF_MOD("drif7", 508, R8A7795_CLK_S3D2),
+ DEF_MOD("drif6", 509, R8A7795_CLK_S3D2),
+ DEF_MOD("drif5", 510, R8A7795_CLK_S3D2),
+diff --git a/drivers/clk/renesas/r8a7796-cpg-mssr.c b/drivers/clk/renesas/r8a7796-cpg-mssr.c
+index 654f3ea88f335..997cd956f12bc 100644
+--- a/drivers/clk/renesas/r8a7796-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a7796-cpg-mssr.c
+@@ -146,8 +146,8 @@ static const struct mssr_mod_clk r8a7796_mod_clks[] __initconst = {
+ DEF_MOD("rwdt", 402, R8A7796_CLK_R),
+ DEF_MOD("intc-ex", 407, R8A7796_CLK_CP),
+ DEF_MOD("intc-ap", 408, R8A7796_CLK_S0D3),
+- DEF_MOD("audmac1", 501, R8A7796_CLK_S0D3),
+- DEF_MOD("audmac0", 502, R8A7796_CLK_S0D3),
++ DEF_MOD("audmac1", 501, R8A7796_CLK_S1D2),
++ DEF_MOD("audmac0", 502, R8A7796_CLK_S1D2),
+ DEF_MOD("drif7", 508, R8A7796_CLK_S3D2),
+ DEF_MOD("drif6", 509, R8A7796_CLK_S3D2),
+ DEF_MOD("drif5", 510, R8A7796_CLK_S3D2),
+diff --git a/drivers/clk/renesas/r8a77965-cpg-mssr.c b/drivers/clk/renesas/r8a77965-cpg-mssr.c
+index 13d1f88be04a5..afc9c72fa0940 100644
+--- a/drivers/clk/renesas/r8a77965-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a77965-cpg-mssr.c
+@@ -146,8 +146,8 @@ static const struct mssr_mod_clk r8a77965_mod_clks[] __initconst = {
+ DEF_MOD("intc-ex", 407, R8A77965_CLK_CP),
+ DEF_MOD("intc-ap", 408, R8A77965_CLK_S0D3),
+
+- DEF_MOD("audmac1", 501, R8A77965_CLK_S0D3),
+- DEF_MOD("audmac0", 502, R8A77965_CLK_S0D3),
++ DEF_MOD("audmac1", 501, R8A77965_CLK_S1D2),
++ DEF_MOD("audmac0", 502, R8A77965_CLK_S1D2),
+ DEF_MOD("drif7", 508, R8A77965_CLK_S3D2),
+ DEF_MOD("drif6", 509, R8A77965_CLK_S3D2),
+ DEF_MOD("drif5", 510, R8A77965_CLK_S3D2),
+diff --git a/drivers/clk/renesas/r8a77990-cpg-mssr.c b/drivers/clk/renesas/r8a77990-cpg-mssr.c
+index 9a278c75c918c..03f445d47ef69 100644
+--- a/drivers/clk/renesas/r8a77990-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a77990-cpg-mssr.c
+@@ -152,7 +152,7 @@ static const struct mssr_mod_clk r8a77990_mod_clks[] __initconst = {
+ DEF_MOD("intc-ex", 407, R8A77990_CLK_CP),
+ DEF_MOD("intc-ap", 408, R8A77990_CLK_S0D3),
+
+- DEF_MOD("audmac0", 502, R8A77990_CLK_S3D4),
++ DEF_MOD("audmac0", 502, R8A77990_CLK_S1D2),
+ DEF_MOD("drif7", 508, R8A77990_CLK_S3D2),
+ DEF_MOD("drif6", 509, R8A77990_CLK_S3D2),
+ DEF_MOD("drif5", 510, R8A77990_CLK_S3D2),
+diff --git a/drivers/clk/renesas/r8a77995-cpg-mssr.c b/drivers/clk/renesas/r8a77995-cpg-mssr.c
+index eee3874865a95..68707277b17b4 100644
+--- a/drivers/clk/renesas/r8a77995-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a77995-cpg-mssr.c
+@@ -133,7 +133,7 @@ static const struct mssr_mod_clk r8a77995_mod_clks[] __initconst = {
+ DEF_MOD("rwdt", 402, R8A77995_CLK_R),
+ DEF_MOD("intc-ex", 407, R8A77995_CLK_CP),
+ DEF_MOD("intc-ap", 408, R8A77995_CLK_S1D2),
+- DEF_MOD("audmac0", 502, R8A77995_CLK_S3D1),
++ DEF_MOD("audmac0", 502, R8A77995_CLK_S1D2),
+ DEF_MOD("hscif3", 517, R8A77995_CLK_S3D1C),
+ DEF_MOD("hscif0", 520, R8A77995_CLK_S3D1C),
+ DEF_MOD("thermal", 522, R8A77995_CLK_CP),
+--
+2.20.1
+
--- /dev/null
+From 570f886375e502e3f5ca5b2c50d7e6284714d846 Mon Sep 17 00:00:00 2001
+From: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+Date: Fri, 28 Sep 2018 16:18:00 +0900
+Subject: clk: renesas: rcar-gen3: Correct parent clock of SYS-DMAC
+
+[ Upstream commit 3c772f71a552d343a96868ed9a809f9047be94f5 ]
+
+The clock sources of the AXI BUS clock (266.66 MHz) used for SYS-DMAC
+DMA transfers are:
+
+ Channel R-Car H3 R-Car M3-W R-Car M3-N
+ -------------------------------------------------
+ SYS-DMAC0 S0D3 S0D3 S0D3
+ SYS-DMAC1 S3D1 S3D1 S3D1
+ SYS-DMAC2 S3D1 S3D1 S3D1
+
+As a result, change the parent clocks of the SYS-DMAC{1,2} module clocks
+on R-Car H3, R-Car M3-W, and R-Car M3-N to S3D1.
+
+NOTE: This information will be reflected in a future revision of the
+ R-Car Gen3 Hardware Manual.
+
+Signed-off-by: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+[geert: Update RZ/G2M]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/r8a774a1-cpg-mssr.c | 4 ++--
+ drivers/clk/renesas/r8a7795-cpg-mssr.c | 4 ++--
+ drivers/clk/renesas/r8a7796-cpg-mssr.c | 4 ++--
+ drivers/clk/renesas/r8a77965-cpg-mssr.c | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/clk/renesas/r8a774a1-cpg-mssr.c b/drivers/clk/renesas/r8a774a1-cpg-mssr.c
+index 4d92b27a61538..047599579c651 100644
+--- a/drivers/clk/renesas/r8a774a1-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a774a1-cpg-mssr.c
+@@ -123,8 +123,8 @@ static const struct mssr_mod_clk r8a774a1_mod_clks[] __initconst = {
+ DEF_MOD("msiof2", 209, R8A774A1_CLK_MSO),
+ DEF_MOD("msiof1", 210, R8A774A1_CLK_MSO),
+ DEF_MOD("msiof0", 211, R8A774A1_CLK_MSO),
+- DEF_MOD("sys-dmac2", 217, R8A774A1_CLK_S0D3),
+- DEF_MOD("sys-dmac1", 218, R8A774A1_CLK_S0D3),
++ DEF_MOD("sys-dmac2", 217, R8A774A1_CLK_S3D1),
++ DEF_MOD("sys-dmac1", 218, R8A774A1_CLK_S3D1),
+ DEF_MOD("sys-dmac0", 219, R8A774A1_CLK_S0D3),
+ DEF_MOD("cmt3", 300, R8A774A1_CLK_R),
+ DEF_MOD("cmt2", 301, R8A774A1_CLK_R),
+diff --git a/drivers/clk/renesas/r8a7795-cpg-mssr.c b/drivers/clk/renesas/r8a7795-cpg-mssr.c
+index 86842c9fd314e..eade38e9ed36b 100644
+--- a/drivers/clk/renesas/r8a7795-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a7795-cpg-mssr.c
+@@ -129,8 +129,8 @@ static struct mssr_mod_clk r8a7795_mod_clks[] __initdata = {
+ DEF_MOD("msiof2", 209, R8A7795_CLK_MSO),
+ DEF_MOD("msiof1", 210, R8A7795_CLK_MSO),
+ DEF_MOD("msiof0", 211, R8A7795_CLK_MSO),
+- DEF_MOD("sys-dmac2", 217, R8A7795_CLK_S0D3),
+- DEF_MOD("sys-dmac1", 218, R8A7795_CLK_S0D3),
++ DEF_MOD("sys-dmac2", 217, R8A7795_CLK_S3D1),
++ DEF_MOD("sys-dmac1", 218, R8A7795_CLK_S3D1),
+ DEF_MOD("sys-dmac0", 219, R8A7795_CLK_S0D3),
+ DEF_MOD("sceg-pub", 229, R8A7795_CLK_CR),
+ DEF_MOD("cmt3", 300, R8A7795_CLK_R),
+diff --git a/drivers/clk/renesas/r8a7796-cpg-mssr.c b/drivers/clk/renesas/r8a7796-cpg-mssr.c
+index 12c455859f2c2..654f3ea88f335 100644
+--- a/drivers/clk/renesas/r8a7796-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a7796-cpg-mssr.c
+@@ -126,8 +126,8 @@ static const struct mssr_mod_clk r8a7796_mod_clks[] __initconst = {
+ DEF_MOD("msiof2", 209, R8A7796_CLK_MSO),
+ DEF_MOD("msiof1", 210, R8A7796_CLK_MSO),
+ DEF_MOD("msiof0", 211, R8A7796_CLK_MSO),
+- DEF_MOD("sys-dmac2", 217, R8A7796_CLK_S0D3),
+- DEF_MOD("sys-dmac1", 218, R8A7796_CLK_S0D3),
++ DEF_MOD("sys-dmac2", 217, R8A7796_CLK_S3D1),
++ DEF_MOD("sys-dmac1", 218, R8A7796_CLK_S3D1),
+ DEF_MOD("sys-dmac0", 219, R8A7796_CLK_S0D3),
+ DEF_MOD("cmt3", 300, R8A7796_CLK_R),
+ DEF_MOD("cmt2", 301, R8A7796_CLK_R),
+diff --git a/drivers/clk/renesas/r8a77965-cpg-mssr.c b/drivers/clk/renesas/r8a77965-cpg-mssr.c
+index eb1cca58a1e1f..13d1f88be04a5 100644
+--- a/drivers/clk/renesas/r8a77965-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a77965-cpg-mssr.c
+@@ -123,8 +123,8 @@ static const struct mssr_mod_clk r8a77965_mod_clks[] __initconst = {
+ DEF_MOD("msiof2", 209, R8A77965_CLK_MSO),
+ DEF_MOD("msiof1", 210, R8A77965_CLK_MSO),
+ DEF_MOD("msiof0", 211, R8A77965_CLK_MSO),
+- DEF_MOD("sys-dmac2", 217, R8A77965_CLK_S0D3),
+- DEF_MOD("sys-dmac1", 218, R8A77965_CLK_S0D3),
++ DEF_MOD("sys-dmac2", 217, R8A77965_CLK_S3D1),
++ DEF_MOD("sys-dmac1", 218, R8A77965_CLK_S3D1),
+ DEF_MOD("sys-dmac0", 219, R8A77965_CLK_S0D3),
+
+ DEF_MOD("cmt3", 300, R8A77965_CLK_R),
+--
+2.20.1
+
--- /dev/null
+From 77d65eb57325a154a9c608d6260ce6091323b16f Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 11 Apr 2019 06:55:55 -0700
+Subject: clk: rockchip: Fix video codec clocks on rk3288
+
+[ Upstream commit 00c0cd9e59d265b393553e9afa54fee8b10e8158 ]
+
+It appears that there is a typo in the rk3288 TRM. For
+GRF_SOC_CON0[7] it says that 0 means "vepu" and 1 means "vdpu". It's
+the other way around.
+
+How do I know? Here's my evidence:
+
+1. Prior to commit 4d3e84f99628 ("clk: rockchip: describe aclk_vcodec
+ using the new muxgrf type on rk3288") we always pretended that we
+ were using "aclk_vdpu" and the comment in the code said that this
+ matched the default setting in the system. In fact the default
+ setting is 0 according to the TRM and according to reading memory
+ at bootup. In addition rk3288-based Chromebooks ran like this and
+ the video codecs worked.
+2. With the existing clock code if you boot up and try to enable the
+ new VIDEO_ROCKCHIP_VPU as a module (and without "clk_ignore_unused"
+ on the command line), you get errors like "failed to get ack on
+ domain 'pd_video', val=0x80208". After flipping vepu/vdpu things
+ init OK.
+3. If I export and add both the vepu and vdpu to the list of clocks
+ for RK3288_PD_VIDEO I can get past the power domain errors, but now
+ I freeze when the vpu_mmu gets initted.
+4. If I just mark the "vdpu" as IGNORE_UNUSED then everything boots up
+ and probes OK showing that somehow the "vdpu" was important to keep
+ enabled. This is because we were actually using it as a parent.
+5. After this change I can hack "aclk_vcodec_pre" to parent from
+ "aclk_vepu" using assigned-clocks and the video codec still probes
+ OK.
+6. Rockchip has said so on the mailing list [1].
+
+...so let's fix it.
+
+Let's also add CLK_SET_RATE_PARENT to "aclk_vcodec_pre" as suggested
+by Jonas Karlman. Prior to the same commit you could do
+clk_set_rate() on "aclk_vcodec" and it would change "aclk_vdpu".
+That's because "aclk_vcodec" was a simple gate clock (always gets
+CLK_SET_RATE_PARENT) and its direct parent was "aclk_vdpu". After
+that commit "aclk_vcodec_pre" gets in the way so we need to add
+CLK_SET_RATE_PARENT to it too.
+
+[1] https://lkml.kernel.org/r/1d17b015-9e17-34b9-baf8-c285dc1957aa@rock-chips.com
+
+Fixes: 4d3e84f99628 ("clk: rockchip: describe aclk_vcodec using the new muxgrf type on rk3288")
+Suggested-by: Jonas Karlman <jonas@kwiboo.se>
+Suggested-by: Randy Li <ayaka@soulik.info>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3288.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index f3bbcdfa88ead..623c5f684987c 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -219,7 +219,7 @@ PNAME(mux_hsadcout_p) = { "hsadc_src", "ext_hsadc" };
+ PNAME(mux_edp_24m_p) = { "ext_edp_24m", "xin24m" };
+ PNAME(mux_tspout_p) = { "cpll", "gpll", "npll", "xin27m" };
+
+-PNAME(mux_aclk_vcodec_pre_p) = { "aclk_vepu", "aclk_vdpu" };
++PNAME(mux_aclk_vcodec_pre_p) = { "aclk_vdpu", "aclk_vepu" };
+ PNAME(mux_usbphy480m_p) = { "sclk_otgphy1_480m", "sclk_otgphy2_480m",
+ "sclk_otgphy0_480m" };
+ PNAME(mux_hsicphy480m_p) = { "cpll", "gpll", "usbphy480m_src" };
+@@ -420,7 +420,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ COMPOSITE(0, "aclk_vdpu", mux_pll_src_cpll_gpll_usb480m_p, 0,
+ RK3288_CLKSEL_CON(32), 14, 2, MFLAGS, 8, 5, DFLAGS,
+ RK3288_CLKGATE_CON(3), 11, GFLAGS),
+- MUXGRF(0, "aclk_vcodec_pre", mux_aclk_vcodec_pre_p, 0,
++ MUXGRF(0, "aclk_vcodec_pre", mux_aclk_vcodec_pre_p, CLK_SET_RATE_PARENT,
+ RK3288_GRF_SOC_CON(0), 7, 1, MFLAGS),
+ GATE(ACLK_VCODEC, "aclk_vcodec", "aclk_vcodec_pre", 0,
+ RK3288_CLKGATE_CON(9), 0, GFLAGS),
+--
+2.20.1
+
--- /dev/null
+From 30750927e1ffde90d7ddbd3e630cf7d03068575e Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 9 Apr 2019 13:47:06 -0700
+Subject: clk: rockchip: Make rkpwm a critical clock on rk3288
+
+[ Upstream commit dfe7fb21cd9e730230d55a79bc72cf2ece67cdd5 ]
+
+Most rk3288-based boards are derived from the EVB and thus use a PWM
+regulator for the logic rail. However, most rk3288-based boards don't
+specify the PWM regulator in their device tree. We'll deal with that
+by making it critical.
+
+NOTE: it's important to make it critical and not just IGNORE_UNUSED
+because all PWMs in the system share the same clock. We don't want
+another PWM user to turn the clock on and off and kill the logic rail.
+
+This change is in preparation for actually having the PWMs in the
+rk3288 device tree actually point to the proper PWM clock. Up until
+now they've all pointed to the clock for the old IP block and they've
+all worked due to the fact that rkpwm was IGNORE_UNUSED and that the
+clock rates for both clocks were the same.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3288.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index 623c5f684987c..355d6a3611dbf 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -697,7 +697,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ GATE(PCLK_TZPC, "pclk_tzpc", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 3, GFLAGS),
+ GATE(PCLK_UART2, "pclk_uart2", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 9, GFLAGS),
+ GATE(PCLK_EFUSE256, "pclk_efuse_256", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 10, GFLAGS),
+- GATE(PCLK_RKPWM, "pclk_rkpwm", "pclk_cpu", CLK_IGNORE_UNUSED, RK3288_CLKGATE_CON(11), 11, GFLAGS),
++ GATE(PCLK_RKPWM, "pclk_rkpwm", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 11, GFLAGS),
+
+ /* ddrctrl [DDR Controller PHY clock] gates */
+ GATE(0, "nclk_ddrupctl0", "ddrphy", CLK_IGNORE_UNUSED, RK3288_CLKGATE_CON(11), 4, GFLAGS),
+@@ -838,6 +838,8 @@ static const char *const rk3288_critical_clocks[] __initconst = {
+ "pclk_pd_pmu",
+ "pclk_pmu_niu",
+ "pmu_hclk_otg0",
++ /* pwm-regulators on some boards, so handoff-critical later */
++ "pclk_rkpwm",
+ };
+
+ static void __iomem *rk3288_cru_base;
+--
+2.20.1
+
--- /dev/null
+From f37453e62214e35c45d1c32e1a461f09b375c352 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 12 Apr 2019 09:17:47 -0700
+Subject: clk: rockchip: undo several noc and special clocks as critical on
+ rk3288
+
+[ Upstream commit f4033db5b84ebe4b32c25ba2ed65ab20b628996a ]
+
+This is mostly a revert of commit 55bb6a633c33 ("clk: rockchip: mark
+noc and some special clk as critical on rk3288") except that we're
+keeping "pmu_hclk_otg0" as critical still.
+
+NOTE: turning these clocks off doesn't seem to do a whole lot in terms
+of power savings (checking the power on the logic rail). It appears
+to save maybe 1-2mW. ...but still it seems like we should turn the
+clocks off if they aren't needed.
+
+About "pmu_hclk_otg0" (the one clock from the original commit we're
+still keeping critical) from an email thread:
+
+> pmu ahb clock
+>
+> Function: Clock to pmu module when hibernation and/or ADP is
+> enabled. Must be greater than or equal to 30 MHz.
+>
+> If the SOC design does not support hibernation/ADP function, only have
+> hclk_otg, this clk can be switched according to the usage of otg.
+> If the SOC design support hibernation/ADP, has two clocks, hclk_otg and
+> pmu_hclk_otg0.
+> Hclk_otg belongs to the closed part of otg logic, which can be switched
+> according to the use of otg.
+>
+> pmu_hclk_otg0 belongs to the always on part.
+>
+> As for whether pmu_hclk_otg0 can be turned off when otg is not in use,
+> we have not tested. IC suggest make pmu_hclk_otg0 always on.
+
+For the rest of the clocks:
+
+atclk: No documentation about this clock other than that it goes to
+the CPU. CPU functions fine without it on. Maybe needed for JTAG?
+
+jtag: Presumably this clock is only needed if you're debugging with
+JTAG. It doesn't seem like it makes sense to waste power for every
+rk3288 user. In any case to do JTAG you'd need private patches to
+adjust the pinctrl the mux the JTAG out anyway.
+
+pclk_dbg, pclk_core_niu: On veyron Chromebooks we turn these two
+clocks on only during kernel panics in order to access some coresight
+registers. Since nothing in the upstream kernel does this we should
+be able to leave them off safely. Maybe also needed for JTAG?
+
+hsicphy12m_xin12m: There is no indication of why this clock would need
+to be turned on for boards that don't use HSIC.
+
+pclk_ddrupctl[0-1], pclk_publ0[0-1]: On veyron Chromebooks we turn
+these 4 clocks on only when doing DDR transitions and they are off
+otherwise. I see no reason why they'd need to be on in the upstream
+kernel which doesn't support DDRFreq.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Elaine Zhang <zhangqing@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3288.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index 5a67b7869960e..f3bbcdfa88ead 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -313,13 +313,13 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ COMPOSITE_NOMUX(0, "aclk_core_mp", "armclk", CLK_IGNORE_UNUSED,
+ RK3288_CLKSEL_CON(0), 4, 4, DFLAGS | CLK_DIVIDER_READ_ONLY,
+ RK3288_CLKGATE_CON(12), 6, GFLAGS),
+- COMPOSITE_NOMUX(0, "atclk", "armclk", CLK_IGNORE_UNUSED,
++ COMPOSITE_NOMUX(0, "atclk", "armclk", 0,
+ RK3288_CLKSEL_CON(37), 4, 5, DFLAGS | CLK_DIVIDER_READ_ONLY,
+ RK3288_CLKGATE_CON(12), 7, GFLAGS),
+ COMPOSITE_NOMUX(0, "pclk_dbg_pre", "armclk", CLK_IGNORE_UNUSED,
+ RK3288_CLKSEL_CON(37), 9, 5, DFLAGS | CLK_DIVIDER_READ_ONLY,
+ RK3288_CLKGATE_CON(12), 8, GFLAGS),
+- GATE(0, "pclk_dbg", "pclk_dbg_pre", CLK_IGNORE_UNUSED,
++ GATE(0, "pclk_dbg", "pclk_dbg_pre", 0,
+ RK3288_CLKGATE_CON(12), 9, GFLAGS),
+ GATE(0, "cs_dbg", "pclk_dbg_pre", CLK_IGNORE_UNUSED,
+ RK3288_CLKGATE_CON(12), 10, GFLAGS),
+@@ -647,7 +647,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ INVERTER(SCLK_HSADC, "sclk_hsadc", "sclk_hsadc_out",
+ RK3288_CLKSEL_CON(22), 7, IFLAGS),
+
+- GATE(0, "jtag", "ext_jtag", CLK_IGNORE_UNUSED,
++ GATE(0, "jtag", "ext_jtag", 0,
+ RK3288_CLKGATE_CON(4), 14, GFLAGS),
+
+ COMPOSITE_NODIV(SCLK_USBPHY480M_SRC, "usbphy480m_src", mux_usbphy480m_p, 0,
+@@ -656,7 +656,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = {
+ COMPOSITE_NODIV(SCLK_HSICPHY480M, "sclk_hsicphy480m", mux_hsicphy480m_p, 0,
+ RK3288_CLKSEL_CON(29), 0, 2, MFLAGS,
+ RK3288_CLKGATE_CON(3), 6, GFLAGS),
+- GATE(0, "hsicphy12m_xin12m", "xin12m", CLK_IGNORE_UNUSED,
++ GATE(0, "hsicphy12m_xin12m", "xin12m", 0,
+ RK3288_CLKGATE_CON(13), 9, GFLAGS),
+ DIV(0, "hsicphy12m_usbphy", "sclk_hsicphy480m", 0,
+ RK3288_CLKSEL_CON(11), 8, 6, DFLAGS),
+@@ -837,11 +837,6 @@ static const char *const rk3288_critical_clocks[] __initconst = {
+ "pclk_alive_niu",
+ "pclk_pd_pmu",
+ "pclk_pmu_niu",
+- "pclk_core_niu",
+- "pclk_ddrupctl0",
+- "pclk_publ0",
+- "pclk_ddrupctl1",
+- "pclk_publ1",
+ "pmu_hclk_otg0",
+ };
+
+--
+2.20.1
+
--- /dev/null
+From b911d7a57d07d5c0b6d29db9091efc1127afadf3 Mon Sep 17 00:00:00 2001
+From: Michael Tretter <m.tretter@pengutronix.de>
+Date: Tue, 19 Mar 2019 11:01:46 +0100
+Subject: clk: zynqmp: fix check for fractional clock
+
+[ Upstream commit c06e64407e031e71c67f45f07981510ca4c880a1 ]
+
+The firmware sets BIT(13) in clkflag to mark a divider as fractional
+divider. The clock driver copies the clkflag straight to the flags of
+the common clock framework. In the common clk framework flags, BIT(13)
+is defined as CLK_DUTY_CYCLE_PARENT.
+
+Add a new field to the zynqmp_clk_divider to specify if a divider is a
+fractional devider. Set this field based on the clkflag when registering
+a divider.
+
+At the same time, unset BIT(13) from clkflag when copying the flags to
+the common clk framework flags.
+
+Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/zynqmp/divider.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/zynqmp/divider.c b/drivers/clk/zynqmp/divider.c
+index a371c66e72ef6..bd9b5fbc443b3 100644
+--- a/drivers/clk/zynqmp/divider.c
++++ b/drivers/clk/zynqmp/divider.c
+@@ -31,12 +31,14 @@
+ * struct zynqmp_clk_divider - adjustable divider clock
+ * @hw: handle between common and hardware-specific interfaces
+ * @flags: Hardware specific flags
++ * @is_frac: The divider is a fractional divider
+ * @clk_id: Id of clock
+ * @div_type: divisor type (TYPE_DIV1 or TYPE_DIV2)
+ */
+ struct zynqmp_clk_divider {
+ struct clk_hw hw;
+ u8 flags;
++ bool is_frac;
+ u32 clk_id;
+ u32 div_type;
+ };
+@@ -116,8 +118,7 @@ static long zynqmp_clk_divider_round_rate(struct clk_hw *hw,
+
+ bestdiv = zynqmp_divider_get_val(*prate, rate);
+
+- if ((clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT) &&
+- (divider->flags & CLK_FRAC))
++ if ((clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT) && divider->is_frac)
+ bestdiv = rate % *prate ? 1 : bestdiv;
+ *prate = rate * bestdiv;
+
+@@ -195,11 +196,13 @@ struct clk_hw *zynqmp_clk_register_divider(const char *name,
+
+ init.name = name;
+ init.ops = &zynqmp_clk_divider_ops;
+- init.flags = nodes->flag;
++ /* CLK_FRAC is not defined in the common clk framework */
++ init.flags = nodes->flag & ~CLK_FRAC;
+ init.parent_names = parents;
+ init.num_parents = 1;
+
+ /* struct clk_divider assignments */
++ div->is_frac = !!(nodes->flag & CLK_FRAC);
+ div->flags = nodes->type_flag;
+ div->hw.init = &init;
+ div->clk_id = clk_id;
+--
+2.20.1
+
--- /dev/null
+From 013ddf0ccebd14b58bf5dbba29f6e39cf9ccc042 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:48 +0800
+Subject: cpufreq: ap806: fix possible object reference leak
+
+[ Upstream commit b623fa320f8360f049a6f3c3ccc487cb85af4c5b ]
+
+The call to of_find_compatible_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/armada-8k-cpufreq.c:187:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 130, but without a corresponding object release within this function.
+./drivers/cpufreq/armada-8k-cpufreq.c:191:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 130, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Gregory Clement <gregory.clement@bootlin.com>
+Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/armada-8k-cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/armada-8k-cpufreq.c b/drivers/cpufreq/armada-8k-cpufreq.c
+index b3f4bd647e9b3..988ebc326bdbb 100644
+--- a/drivers/cpufreq/armada-8k-cpufreq.c
++++ b/drivers/cpufreq/armada-8k-cpufreq.c
+@@ -132,6 +132,7 @@ static int __init armada_8k_cpufreq_init(void)
+ of_node_put(node);
+ return -ENODEV;
+ }
++ of_node_put(node);
+
+ nb_cpus = num_possible_cpus();
+ freq_tables = kcalloc(nb_cpus, sizeof(*freq_tables), GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From 65b4559ff63e76a4c94faf47b82bf8d592a0b135 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Tue, 30 Apr 2019 11:35:52 +0530
+Subject: cpufreq: Fix kobject memleak
+
+[ Upstream commit 4ebe36c94aed95de71a8ce6a6762226d31c938ee ]
+
+Currently the error return path from kobject_init_and_add() is not
+followed by a call to kobject_put() - which means we are leaking the
+kobject.
+
+Fix it by adding a call to kobject_put() in the error path of
+kobject_init_and_add().
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Tobin C. Harding <tobin@kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 1 +
+ drivers/cpufreq/cpufreq_governor.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index e10922709d139..bbf79544d0ad8 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1098,6 +1098,7 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
+ cpufreq_global_kobject, "policy%u", cpu);
+ if (ret) {
+ pr_err("%s: failed to init policy->kobj: %d\n", __func__, ret);
++ kobject_put(&policy->kobj);
+ goto err_free_real_cpus;
+ }
+
+diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
+index ffa9adeaba31b..9d1d9bf02710b 100644
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -459,6 +459,8 @@ int cpufreq_dbs_governor_init(struct cpufreq_policy *policy)
+ /* Failure, so roll back. */
+ pr_err("initialization failed (dbs_data kobject init error %d)\n", ret);
+
++ kobject_put(&dbs_data->attr_set.kobj);
++
+ policy->governor_data = NULL;
+
+ if (!have_governor_per_policy())
+--
+2.20.1
+
--- /dev/null
+From 43a9582fbef8434a49aa4bcb529992b112a999fb Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:49 +0800
+Subject: cpufreq: imx6q: fix possible object reference leak
+
+[ Upstream commit ddb64c5db3cc8fb9c1242214d5798b2c2865681c ]
+
+The call to of_node_get returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/imx6q-cpufreq.c:391:4-10: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 348, but without a corresponding object release within this function.
+./drivers/cpufreq/imx6q-cpufreq.c:395:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 348, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: linux-pm@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/imx6q-cpufreq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c
+index a4ff09f91c8f8..3e17560b1efe3 100644
+--- a/drivers/cpufreq/imx6q-cpufreq.c
++++ b/drivers/cpufreq/imx6q-cpufreq.c
+@@ -388,11 +388,11 @@ static int imx6q_cpufreq_probe(struct platform_device *pdev)
+ ret = imx6ul_opp_check_speed_grading(cpu_dev);
+ if (ret) {
+ if (ret == -EPROBE_DEFER)
+- return ret;
++ goto put_node;
+
+ dev_err(cpu_dev, "failed to read ocotp: %d\n",
+ ret);
+- return ret;
++ goto put_node;
+ }
+ } else {
+ imx6q_opp_check_speed_grading(cpu_dev);
+--
+2.20.1
+
--- /dev/null
+From 08394fa9cf3e4bc1313c00b1acb68c65dd0b0fb6 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:50 +0800
+Subject: cpufreq: kirkwood: fix possible object reference leak
+
+[ Upstream commit 7c468966f05ac9c17bb5948275283d34e6fe0660 ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/kirkwood-cpufreq.c:127:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 118, but without a corresponding object release within this function.
+./drivers/cpufreq/kirkwood-cpufreq.c:133:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 118, but without a corresponding object release within this function.
+
+and also do some cleanup:
+- of_node_put(np);
+- np = NULL;
+...
+of_node_put(np);
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/kirkwood-cpufreq.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/cpufreq/kirkwood-cpufreq.c b/drivers/cpufreq/kirkwood-cpufreq.c
+index c2dd43f3f5d8a..8d63a6dc8383c 100644
+--- a/drivers/cpufreq/kirkwood-cpufreq.c
++++ b/drivers/cpufreq/kirkwood-cpufreq.c
+@@ -124,13 +124,14 @@ static int kirkwood_cpufreq_probe(struct platform_device *pdev)
+ priv.cpu_clk = of_clk_get_by_name(np, "cpu_clk");
+ if (IS_ERR(priv.cpu_clk)) {
+ dev_err(priv.dev, "Unable to get cpuclk\n");
+- return PTR_ERR(priv.cpu_clk);
++ err = PTR_ERR(priv.cpu_clk);
++ goto out_node;
+ }
+
+ err = clk_prepare_enable(priv.cpu_clk);
+ if (err) {
+ dev_err(priv.dev, "Unable to prepare cpuclk\n");
+- return err;
++ goto out_node;
+ }
+
+ kirkwood_freq_table[0].frequency = clk_get_rate(priv.cpu_clk) / 1000;
+@@ -161,20 +162,22 @@ static int kirkwood_cpufreq_probe(struct platform_device *pdev)
+ goto out_ddr;
+ }
+
+- of_node_put(np);
+- np = NULL;
+-
+ err = cpufreq_register_driver(&kirkwood_cpufreq_driver);
+- if (!err)
+- return 0;
++ if (err) {
++ dev_err(priv.dev, "Failed to register cpufreq driver\n");
++ goto out_powersave;
++ }
+
+- dev_err(priv.dev, "Failed to register cpufreq driver\n");
++ of_node_put(np);
++ return 0;
+
++out_powersave:
+ clk_disable_unprepare(priv.powersave_clk);
+ out_ddr:
+ clk_disable_unprepare(priv.ddr_clk);
+ out_cpu:
+ clk_disable_unprepare(priv.cpu_clk);
++out_node:
+ of_node_put(np);
+
+ return err;
+--
+2.20.1
+
--- /dev/null
+From 534170f427cf4c4500ec61cf5283e01e866cc774 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:52 +0800
+Subject: cpufreq/pasemi: fix possible object reference leak
+
+[ Upstream commit a9acc26b75f652f697e02a9febe2ab0da648a571 ]
+
+The call to of_get_cpu_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/pasemi-cpufreq.c:212:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function.
+./drivers/cpufreq/pasemi-cpufreq.c:220:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/pasemi-cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
+index 75dfbd2a58ea6..c7710c149de85 100644
+--- a/drivers/cpufreq/pasemi-cpufreq.c
++++ b/drivers/cpufreq/pasemi-cpufreq.c
+@@ -146,6 +146,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
+
+ cpu = of_get_cpu_node(policy->cpu, NULL);
+
++ of_node_put(cpu);
+ if (!cpu)
+ goto out;
+
+--
+2.20.1
+
--- /dev/null
+From 49006c5cc483b64ac7d284a70a331aa65df20051 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:53 +0800
+Subject: cpufreq: pmac32: fix possible object reference leak
+
+[ Upstream commit 8d10dc28a9ea6e8c02e825dab28699f3c72b02d9 ]
+
+The call to of_find_node_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/pmac32-cpufreq.c:557:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function.
+./drivers/cpufreq/pmac32-cpufreq.c:569:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function.
+./drivers/cpufreq/pmac32-cpufreq.c:598:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 587, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linux-pm@vger.kernel.org
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/pmac32-cpufreq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/cpufreq/pmac32-cpufreq.c b/drivers/cpufreq/pmac32-cpufreq.c
+index 52f0d91d30c17..9b4ce2eb8222c 100644
+--- a/drivers/cpufreq/pmac32-cpufreq.c
++++ b/drivers/cpufreq/pmac32-cpufreq.c
+@@ -552,6 +552,7 @@ static int pmac_cpufreq_init_7447A(struct device_node *cpunode)
+ volt_gpio_np = of_find_node_by_name(NULL, "cpu-vcore-select");
+ if (volt_gpio_np)
+ voltage_gpio = read_gpio(volt_gpio_np);
++ of_node_put(volt_gpio_np);
+ if (!voltage_gpio){
+ pr_err("missing cpu-vcore-select gpio\n");
+ return 1;
+@@ -588,6 +589,7 @@ static int pmac_cpufreq_init_750FX(struct device_node *cpunode)
+ if (volt_gpio_np)
+ voltage_gpio = read_gpio(volt_gpio_np);
+
++ of_node_put(volt_gpio_np);
+ pvr = mfspr(SPRN_PVR);
+ has_cpu_l2lve = !((pvr & 0xf00) == 0x100);
+
+--
+2.20.1
+
--- /dev/null
+From 1dd018e31d0064814a2a80be366cc85ecd55c813 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:54 +0800
+Subject: cpufreq: ppc_cbe: fix possible object reference leak
+
+[ Upstream commit 233298032803f2802fe99892d0de4ab653bfece4 ]
+
+The call to of_get_cpu_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function.
+./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/ppc_cbe_cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/ppc_cbe_cpufreq.c b/drivers/cpufreq/ppc_cbe_cpufreq.c
+index 41a0f0be3f9ff..8414c3a4ea08c 100644
+--- a/drivers/cpufreq/ppc_cbe_cpufreq.c
++++ b/drivers/cpufreq/ppc_cbe_cpufreq.c
+@@ -86,6 +86,7 @@ static int cbe_cpufreq_cpu_init(struct cpufreq_policy *policy)
+ if (!cbe_get_cpu_pmd_regs(policy->cpu) ||
+ !cbe_get_cpu_mic_tm_regs(policy->cpu)) {
+ pr_info("invalid CBE regs pointers for cpufreq\n");
++ of_node_put(cpu);
+ return -EINVAL;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 006c4a8a6763932808821fc3ba38fbecc59e0267 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe.montjoie@gmail.com>
+Date: Thu, 18 Apr 2019 10:17:34 +0200
+Subject: crypto: sun4i-ss - Fix invalid calculation of hash end
+
+[ Upstream commit f87391558acf816b48f325a493d81d45dec40da0 ]
+
+When nbytes < 4, end is wronlgy set to a negative value which, due to
+uint, is then interpreted to a large value leading to a deadlock in the
+following code.
+
+This patch fix this problem.
+
+Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
+index a4b5ff2b72f87..f6936bb3b7be4 100644
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c
+@@ -240,7 +240,10 @@ static int sun4i_hash(struct ahash_request *areq)
+ }
+ } else {
+ /* Since we have the flag final, we can go up to modulo 4 */
+- end = ((areq->nbytes + op->len) / 4) * 4 - op->len;
++ if (areq->nbytes < 4)
++ end = 0;
++ else
++ end = ((areq->nbytes + op->len) / 4) * 4 - op->len;
+ }
+
+ /* TODO if SGlen % 4 and !op->len then DMA */
+--
+2.20.1
+
--- /dev/null
+From f860e1baa816d3be4ec0d14210b59f0f9c499dd6 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 29 Mar 2019 10:27:26 -0500
+Subject: cxgb3/l2t: Fix undefined behaviour
+
+[ Upstream commit 76497732932f15e7323dc805e8ea8dc11bb587cf ]
+
+The use of zero-sized array causes undefined behaviour when it is not
+the last member in a structure. As it happens to be in this case.
+
+Also, the current code makes use of a language extension to the C90
+standard, but the preferred mechanism to declare variable-length
+types such as this one is a flexible array member, introduced in
+C99:
+
+struct foo {
+ int stuff;
+ struct boo array[];
+};
+
+By making use of the mechanism above, we will get a compiler warning
+in case the flexible array does not occur last. Which is beneficial
+to cultivate a high-quality code.
+
+Fixes: e48f129c2f20 ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+index c2fd323c40782..ea75f275023ff 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
++++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+@@ -75,8 +75,8 @@ struct l2t_data {
+ struct l2t_entry *rover; /* starting point for next allocation */
+ atomic_t nfree; /* number of free entries */
+ rwlock_t lock;
+- struct l2t_entry l2tab[0];
+ struct rcu_head rcu_head; /* to handle rcu cleanup */
++ struct l2t_entry l2tab[];
+ };
+
+ typedef void (*arp_failure_handler_func)(struct t3cdev * dev,
+--
+2.20.1
+
--- /dev/null
+From 573b9d3eb5bd2e19ecd83d8236cd917a13eae1ab Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 6 May 2019 23:57:54 +0800
+Subject: cxgb4: Fix error path in cxgb4_init_module
+
+[ Upstream commit a3147770bea76c8dbad73eca3a24c2118da5e719 ]
+
+BUG: unable to handle kernel paging request at ffffffffa016a270
+PGD 3270067 P4D 3270067 PUD 3271063 PMD 230bbd067 PTE 0
+Oops: 0000 [#1
+CPU: 0 PID: 6134 Comm: modprobe Not tainted 5.1.0+ #33
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+RIP: 0010:atomic_notifier_chain_register+0x24/0x60
+Code: 1f 80 00 00 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 fb e8 ae b4 38 01 48 8b 53 38 48 8d 4b 38 48 85 d2 74 20 45 8b 44 24 10 <44> 3b 42 10 7e 08 eb 13 44 39 42 10 7c 0d 48 8d 4a 08 48 8b 52 08
+RSP: 0018:ffffc90000e2bc60 EFLAGS: 00010086
+RAX: 0000000000000292 RBX: ffffffff83467240 RCX: ffffffff83467278
+RDX: ffffffffa016a260 RSI: ffffffff83752140 RDI: ffffffff83467240
+RBP: ffffc90000e2bc70 R08: 0000000000000000 R09: 0000000000000001
+R10: 0000000000000000 R11: 00000000014fa61f R12: ffffffffa01c8260
+R13: ffff888231091e00 R14: 0000000000000000 R15: ffffc90000e2be78
+FS: 00007fbd8d7cd540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa016a270 CR3: 000000022c7e3000 CR4: 00000000000006f0
+Call Trace:
+ register_inet6addr_notifier+0x13/0x20
+ cxgb4_init_module+0x6c/0x1000 [cxgb4
+ ? 0xffffffffa01d7000
+ do_one_initcall+0x6c/0x3cc
+ ? do_init_module+0x22/0x1f1
+ ? rcu_read_lock_sched_held+0x97/0xb0
+ ? kmem_cache_alloc_trace+0x325/0x3b0
+ do_init_module+0x5b/0x1f1
+ load_module+0x1db1/0x2690
+ ? m_show+0x1d0/0x1d0
+ __do_sys_finit_module+0xc5/0xd0
+ __x64_sys_finit_module+0x15/0x20
+ do_syscall_64+0x6b/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+If pci_register_driver fails, register inet6addr_notifier is
+pointless. This patch fix the error path in cxgb4_init_module.
+
+Fixes: b5a02f503caa ("cxgb4 : Update ipv6 address handling api")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+index 89179e3166878..4bc0c357cb8ea 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -6161,15 +6161,24 @@ static int __init cxgb4_init_module(void)
+
+ ret = pci_register_driver(&cxgb4_driver);
+ if (ret < 0)
+- debugfs_remove(cxgb4_debugfs_root);
++ goto err_pci;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (!inet6addr_registered) {
+- register_inet6addr_notifier(&cxgb4_inet6addr_notifier);
+- inet6addr_registered = true;
++ ret = register_inet6addr_notifier(&cxgb4_inet6addr_notifier);
++ if (ret)
++ pci_unregister_driver(&cxgb4_driver);
++ else
++ inet6addr_registered = true;
+ }
+ #endif
+
++ if (ret == 0)
++ return ret;
++
++err_pci:
++ debugfs_remove(cxgb4_debugfs_root);
++
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 45a718447c879e214a9452919bbe8356f0dc00a5 Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+Date: Wed, 3 Apr 2019 12:23:57 +0200
+Subject: dmaengine: at_xdmac: remove BUG_ON macro in tasklet
+
+[ Upstream commit e2c114c06da2d9ffad5b16690abf008d6696f689 ]
+
+Even if this case shouldn't happen when controller is properly programmed,
+it's still better to avoid dumping a kernel Oops for this.
+As the sequence may happen only for debugging purposes, log the error and
+just finish the tasklet call.
+
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index fe69dccfa0c05..37a2694204351 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -1606,7 +1606,11 @@ static void at_xdmac_tasklet(unsigned long data)
+ struct at_xdmac_desc,
+ xfer_node);
+ dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, desc);
+- BUG_ON(!desc->active_xfer);
++ if (!desc->active_xfer) {
++ dev_err(chan2dev(&atchan->chan), "Xfer not active: exiting");
++ spin_unlock_bh(&atchan->lock);
++ return;
++ }
+
+ txd = &desc->tx_dma_desc;
+
+--
+2.20.1
+
--- /dev/null
+From 0a59811e19787a9cd15cb4e866637cf49d5740c3 Mon Sep 17 00:00:00 2001
+From: Sugar Zhang <sugar.zhang@rock-chips.com>
+Date: Wed, 3 Apr 2019 19:06:22 +0800
+Subject: dmaengine: pl330: _stop: clear interrupt status
+
+[ Upstream commit 2da254cc7908105a60a6bb219d18e8dced03dcb9 ]
+
+This patch kill instructs the DMAC to immediately terminate
+execution of a thread. and then clear the interrupt status,
+at last, stop generating interrupts for DMA_SEV. to guarantee
+the next dma start is clean. otherwise, one interrupt maybe leave
+to next start and make some mistake.
+
+we can reporduce the problem as follows:
+
+DMASEV: modify the event-interrupt resource, and if the INTEN sets
+function as interrupt, the DMAC will set irq<event_num> HIGH to
+generate interrupt. write INTCLR to clear interrupt.
+
+ DMA EXECUTING INSTRUCTS DMA TERMINATE
+ | |
+ | |
+ ... _stop
+ | |
+ | spin_lock_irqsave
+ DMASEV |
+ | |
+ | mask INTEN
+ | |
+ | DMAKILL
+ | |
+ | spin_unlock_irqrestore
+
+in above case, a interrupt was left, and if we unmask INTEN, the DMAC
+will set irq<event_num> HIGH to generate interrupt.
+
+to fix this, do as follows:
+
+ DMA EXECUTING INSTRUCTS DMA TERMINATE
+ | |
+ | |
+ ... _stop
+ | |
+ | spin_lock_irqsave
+ DMASEV |
+ | |
+ | DMAKILL
+ | |
+ | clear INTCLR
+ | mask INTEN
+ | |
+ | spin_unlock_irqrestore
+
+Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pl330.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index eec79fdf27a5b..56695ffb5d377 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -966,6 +966,7 @@ static void _stop(struct pl330_thread *thrd)
+ {
+ void __iomem *regs = thrd->dmac->base;
+ u8 insn[6] = {0, 0, 0, 0, 0, 0};
++ u32 inten = readl(regs + INTEN);
+
+ if (_state(thrd) == PL330_STATE_FAULT_COMPLETING)
+ UNTIL(thrd, PL330_STATE_FAULTING | PL330_STATE_KILLING);
+@@ -978,10 +979,13 @@ static void _stop(struct pl330_thread *thrd)
+
+ _emit_KILL(0, insn);
+
+- /* Stop generating interrupts for SEV */
+- writel(readl(regs + INTEN) & ~(1 << thrd->ev), regs + INTEN);
+-
+ _execute_DBGINSN(thrd, insn, is_manager(thrd));
++
++ /* clear the event */
++ if (inten & (1 << thrd->ev))
++ writel(1 << thrd->ev, regs + INTCLR);
++ /* Stop generating interrupts for SEV */
++ writel(inten & ~(1 << thrd->ev), regs + INTEN);
+ }
+
+ /* Start doing req 'idx' of thread 'thrd' */
+--
+2.20.1
+
--- /dev/null
+From 2b9a51f13924f5bd2bb87a1146cb8deffc1d0fa5 Mon Sep 17 00:00:00 2001
+From: Sameer Pujar <spujar@nvidia.com>
+Date: Wed, 13 Mar 2019 17:02:36 +0530
+Subject: dmaengine: tegra210-adma: use devm_clk_*() helpers
+
+[ Upstream commit f6ed6491d565c336a360471e0c29228e34f4380e ]
+
+adma driver is using pm_clk_*() interface for managing clock resources.
+With this it is observed that clocks remain ON always. This happens on
+Tegra devices which use BPMP co-processor to manage clock resources,
+where clocks are enabled during prepare phase. This is necessary because
+clocks to BPMP are always blocking. When pm_clk_*() interface is used on
+such Tegra devices, clock prepare count is not balanced till remove call
+happens for the driver and hence clocks are seen ON always. Thus this
+patch replaces pm_clk_*() with devm_clk_*() framework.
+
+Suggested-by: Mohan Kumar D <mkumard@nvidia.com>
+Reviewed-by: Jonathan Hunter <jonathanh@nvidia.com>
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index 9aa35a7f13692..1477cce33dbe5 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -22,7 +22,6 @@
+ #include <linux/of_device.h>
+ #include <linux/of_dma.h>
+ #include <linux/of_irq.h>
+-#include <linux/pm_clock.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/slab.h>
+
+@@ -141,6 +140,7 @@ struct tegra_adma {
+ struct dma_device dma_dev;
+ struct device *dev;
+ void __iomem *base_addr;
++ struct clk *ahub_clk;
+ unsigned int nr_channels;
+ unsigned long rx_requests_reserved;
+ unsigned long tx_requests_reserved;
+@@ -637,8 +637,9 @@ static int tegra_adma_runtime_suspend(struct device *dev)
+ struct tegra_adma *tdma = dev_get_drvdata(dev);
+
+ tdma->global_cmd = tdma_read(tdma, ADMA_GLOBAL_CMD);
++ clk_disable_unprepare(tdma->ahub_clk);
+
+- return pm_clk_suspend(dev);
++ return 0;
+ }
+
+ static int tegra_adma_runtime_resume(struct device *dev)
+@@ -646,10 +647,11 @@ static int tegra_adma_runtime_resume(struct device *dev)
+ struct tegra_adma *tdma = dev_get_drvdata(dev);
+ int ret;
+
+- ret = pm_clk_resume(dev);
+- if (ret)
++ ret = clk_prepare_enable(tdma->ahub_clk);
++ if (ret) {
++ dev_err(dev, "ahub clk_enable failed: %d\n", ret);
+ return ret;
+-
++ }
+ tdma_write(tdma, ADMA_GLOBAL_CMD, tdma->global_cmd);
+
+ return 0;
+@@ -693,13 +695,11 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ if (IS_ERR(tdma->base_addr))
+ return PTR_ERR(tdma->base_addr);
+
+- ret = pm_clk_create(&pdev->dev);
+- if (ret)
+- return ret;
+-
+- ret = of_pm_clk_add_clk(&pdev->dev, "d_audio");
+- if (ret)
+- goto clk_destroy;
++ tdma->ahub_clk = devm_clk_get(&pdev->dev, "d_audio");
++ if (IS_ERR(tdma->ahub_clk)) {
++ dev_err(&pdev->dev, "Error: Missing ahub controller clock\n");
++ return PTR_ERR(tdma->ahub_clk);
++ }
+
+ pm_runtime_enable(&pdev->dev);
+
+@@ -776,8 +776,6 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ pm_runtime_put_sync(&pdev->dev);
+ rpm_disable:
+ pm_runtime_disable(&pdev->dev);
+-clk_destroy:
+- pm_clk_destroy(&pdev->dev);
+
+ return ret;
+ }
+@@ -795,7 +793,6 @@ static int tegra_adma_remove(struct platform_device *pdev)
+
+ pm_runtime_put_sync(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+- pm_clk_destroy(&pdev->dev);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From b490870059cd5b2ed2555b75ad086b5479a746a9 Mon Sep 17 00:00:00 2001
+From: Sameer Pujar <spujar@nvidia.com>
+Date: Thu, 2 May 2019 18:25:16 +0530
+Subject: dmaengine: tegra210-dma: free dma controller in remove()
+
+[ Upstream commit f030e419501cb95e961e9ed35c493b5d46a04eca ]
+
+Following kernel panic is seen during DMA driver unload->load sequence
+==========================================================================
+Unable to handle kernel paging request at virtual address ffffff8001198880
+Internal error: Oops: 86000007 [#1] PREEMPT SMP
+CPU: 0 PID: 5907 Comm: HwBinder:4123_1 Tainted: G C 4.9.128-tegra-g065839f
+Hardware name: galen (DT)
+task: ffffffc3590d1a80 task.stack: ffffffc3d0678000
+PC is at 0xffffff8001198880
+LR is at of_dma_request_slave_channel+0xd8/0x1f8
+pc : [<ffffff8001198880>] lr : [<ffffff8008746f30>] pstate: 60400045
+sp : ffffffc3d067b710
+x29: ffffffc3d067b710 x28: 000000000000002f
+x27: ffffff800949e000 x26: ffffff800949e750
+x25: ffffff800949e000 x24: ffffffbefe817d84
+x23: ffffff8009f77cb0 x22: 0000000000000028
+x21: ffffffc3ffda49c8 x20: 0000000000000029
+x19: 0000000000000001 x18: ffffffffffffffff
+x17: 0000000000000000 x16: ffffff80082b66a0
+x15: ffffff8009e78250 x14: 000000000000000a
+x13: 0000000000000038 x12: 0101010101010101
+x11: 0000000000000030 x10: 0101010101010101
+x9 : fffffffffffffffc x8 : 7f7f7f7f7f7f7f7f
+x7 : 62ff726b6b64622c x6 : 0000000000008064
+x5 : 6400000000000000 x4 : ffffffbefe817c44
+x3 : ffffffc3ffda3e08 x2 : ffffff8001198880
+x1 : ffffffc3d48323c0 x0 : ffffffc3d067b788
+
+Process HwBinder:4123_1 (pid: 5907, stack limit = 0xffffffc3d0678028)
+Call trace:
+[<ffffff8001198880>] 0xffffff8001198880
+[<ffffff80087459f8>] dma_request_chan+0x50/0x1f0
+[<ffffff8008745bc0>] dma_request_slave_channel+0x28/0x40
+[<ffffff8001552c44>] tegra_alt_pcm_open+0x114/0x170
+[<ffffff8008d65fa4>] soc_pcm_open+0x10c/0x878
+[<ffffff8008d18618>] snd_pcm_open_substream+0xc0/0x170
+[<ffffff8008d1878c>] snd_pcm_open+0xc4/0x240
+[<ffffff8008d189e0>] snd_pcm_playback_open+0x58/0x80
+[<ffffff8008cfc6d4>] snd_open+0xb4/0x178
+[<ffffff8008250628>] chrdev_open+0xb8/0x1d0
+[<ffffff8008246fdc>] do_dentry_open+0x214/0x318
+[<ffffff80082485d0>] vfs_open+0x58/0x88
+[<ffffff800825bce0>] do_last+0x450/0xde0
+[<ffffff800825c718>] path_openat+0xa8/0x368
+[<ffffff800825dd84>] do_filp_open+0x8c/0x110
+[<ffffff8008248a74>] do_sys_open+0x164/0x220
+[<ffffff80082b66dc>] compat_SyS_openat+0x3c/0x50
+[<ffffff8008083040>] el0_svc_naked+0x34/0x38
+---[ end trace 67e6d544e65b5145 ]---
+Kernel panic - not syncing: Fatal exception
+==========================================================================
+
+In device probe(), of_dma_controller_register() registers DMA controller.
+But when driver is removed, this is not freed. During driver reload this
+results in data abort and kernel panic. Add of_dma_controller_free() in
+driver remove path to fix the issue.
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra210-adma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index 5ec0dd97b3971..9aa35a7f13692 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -787,6 +787,7 @@ static int tegra_adma_remove(struct platform_device *pdev)
+ struct tegra_adma *tdma = platform_get_drvdata(pdev);
+ int i;
+
++ of_dma_controller_free(pdev->dev.of_node);
+ dma_async_device_unregister(&tdma->dma_dev);
+
+ for (i = 0; i < tdma->nr_channels; ++i)
+--
+2.20.1
+
--- /dev/null
+From 9d65e42410483132243770c272eaa7e7da6e9b0f Mon Sep 17 00:00:00 2001
+From: Ioana Ciocoi Radulescu <ruxandra.radulescu@nxp.com>
+Date: Tue, 16 Apr 2019 17:13:28 +0000
+Subject: dpaa2-eth: Fix Rx classification status
+
+[ Upstream commit df8e249be866e2f762be11b14a9e7a94752614d4 ]
+
+Set the Rx flow classification enable flag only if key config
+operation is successful.
+
+Fixes 3f9b5c9 ("dpaa2-eth: Configure Rx flow classification key")
+
+Signed-off-by: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+index dc339dc1adb21..57cbaa38d2477 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -2796,6 +2796,7 @@ int dpaa2_eth_set_hash(struct net_device *net_dev, u64 flags)
+ static int dpaa2_eth_set_cls(struct dpaa2_eth_priv *priv)
+ {
+ struct device *dev = priv->net_dev->dev.parent;
++ int err;
+
+ /* Check if we actually support Rx flow classification */
+ if (dpaa2_eth_has_legacy_dist(priv)) {
+@@ -2814,9 +2815,13 @@ static int dpaa2_eth_set_cls(struct dpaa2_eth_priv *priv)
+ return -EOPNOTSUPP;
+ }
+
++ err = dpaa2_eth_set_dist_key(priv->net_dev, DPAA2_ETH_RX_DIST_CLS, 0);
++ if (err)
++ return err;
++
+ priv->rx_cls_enabled = 1;
+
+- return dpaa2_eth_set_dist_key(priv->net_dev, DPAA2_ETH_RX_DIST_CLS, 0);
++ return 0;
+ }
+
+ /* Bind the DPNI to its needed objects and resources: buffer pool, DPIOs,
+--
+2.20.1
+
--- /dev/null
+From 6dba7c672176773390f20a1cdc6dea34d9b7f335 Mon Sep 17 00:00:00 2001
+From: Wenjing Liu <Wenjing.Liu@amd.com>
+Date: Wed, 20 Feb 2019 14:00:55 -0500
+Subject: drm/amd/display: add pipe lock during stream update
+
+[ Upstream commit e6bddf6c67f9a3abf6f1ef75e52bc1cd228dfe4d ]
+
+[why]
+Stream update will adjust both info packets and stream params,
+need to make sure all things are applied togather.
+
+[how]
+add pipe lock during stream update
+
+Signed-off-by: Wenjing Liu <Wenjing.Liu@amd.com>
+Reviewed-by: Jun Lei <Jun.Lei@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index c1a308c1dcbea..88fe4fb43bfd5 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -1677,6 +1677,7 @@ static void commit_planes_do_stream_update(struct dc *dc,
+ continue;
+
+ if (stream_update->dpms_off) {
++ dc->hwss.pipe_control_lock(dc, pipe_ctx, true);
+ if (*stream_update->dpms_off) {
+ core_link_disable_stream(pipe_ctx, KEEP_ACQUIRED_RESOURCE);
+ dc->hwss.optimize_bandwidth(dc, dc->current_state);
+@@ -1684,6 +1685,7 @@ static void commit_planes_do_stream_update(struct dc *dc,
+ dc->hwss.prepare_bandwidth(dc, dc->current_state);
+ core_link_enable_stream(dc->current_state, pipe_ctx);
+ }
++ dc->hwss.pipe_control_lock(dc, pipe_ctx, false);
+ }
+
+ if (stream_update->abm_level && pipe_ctx->stream_res.abm) {
+--
+2.20.1
+
--- /dev/null
+From 5b1d2dc153f48acf8985fbd3f1b5d2bc5e842e32 Mon Sep 17 00:00:00 2001
+From: Murton Liu <murton.liu@amd.com>
+Date: Fri, 15 Feb 2019 15:05:43 -0500
+Subject: drm/amd/display: Fix Divide by 0 in memory calculations
+
+[ Upstream commit 59979bf8be1784ebfc44215031c6c88ca22ae65d ]
+
+Check if we get any values equal to 0, and set to 1 if so.
+
+Signed-off-by: Murton Liu <murton.liu@amd.com>
+Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Acked-by: Sivapiriyan Kumarasamy <Sivapiriyan.Kumarasamy@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c | 20 ++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
+index c7642e7482970..ce21a290bf3e4 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
+@@ -406,15 +406,25 @@ void dpp1_dscl_calc_lb_num_partitions(
+ int *num_part_y,
+ int *num_part_c)
+ {
++ int lb_memory_size, lb_memory_size_c, lb_memory_size_a, num_partitions_a,
++ lb_bpc, memory_line_size_y, memory_line_size_c, memory_line_size_a;
++
+ int line_size = scl_data->viewport.width < scl_data->recout.width ?
+ scl_data->viewport.width : scl_data->recout.width;
+ int line_size_c = scl_data->viewport_c.width < scl_data->recout.width ?
+ scl_data->viewport_c.width : scl_data->recout.width;
+- int lb_bpc = dpp1_dscl_get_lb_depth_bpc(scl_data->lb_params.depth);
+- int memory_line_size_y = (line_size * lb_bpc + 71) / 72; /* +71 to ceil */
+- int memory_line_size_c = (line_size_c * lb_bpc + 71) / 72; /* +71 to ceil */
+- int memory_line_size_a = (line_size + 5) / 6; /* +5 to ceil */
+- int lb_memory_size, lb_memory_size_c, lb_memory_size_a, num_partitions_a;
++
++ if (line_size == 0)
++ line_size = 1;
++
++ if (line_size_c == 0)
++ line_size_c = 1;
++
++
++ lb_bpc = dpp1_dscl_get_lb_depth_bpc(scl_data->lb_params.depth);
++ memory_line_size_y = (line_size * lb_bpc + 71) / 72; /* +71 to ceil */
++ memory_line_size_c = (line_size_c * lb_bpc + 71) / 72; /* +71 to ceil */
++ memory_line_size_a = (line_size + 5) / 6; /* +5 to ceil */
+
+ if (lb_config == LB_MEMORY_CONFIG_1) {
+ lb_memory_size = 816;
+--
+2.20.1
+
--- /dev/null
+From 13b897a79fcf7dbe00046fb80b3c5313422be1a6 Mon Sep 17 00:00:00 2001
+From: Anthony Koo <Anthony.Koo@amd.com>
+Date: Wed, 6 Feb 2019 11:45:42 -0500
+Subject: drm/amd/display: Fix exception from AUX acquire failure
+
+[ Upstream commit dcf1a988678e2e39ce2b4115b8ce14d208c8c481 ]
+
+[Why]
+AUX arbitration occurs between SW and FW components.
+When AUX acquire fails, it causes engine->ddc to be NULL,
+which leads to an exception when we try to release the AUX
+engine.
+
+[How]
+When AUX engine acquire fails, it should return from the
+function without trying to continue the operation.
+The upper level will determine if it wants to retry.
+i.e. dce_aux_transfer_with_retries will be used and retry.
+
+Signed-off-by: Anthony Koo <Anthony.Koo@amd.com>
+Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce/dce_aux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c
+index 4fe3664fb4950..5ecfcb9ee8a0c 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c
++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c
+@@ -377,7 +377,6 @@ static bool acquire(
+ struct dce_aux *engine,
+ struct ddc *ddc)
+ {
+-
+ enum gpio_result result;
+
+ if (!is_engine_available(engine))
+@@ -458,7 +457,8 @@ int dce_aux_transfer(struct ddc_service *ddc,
+ memset(&aux_rep, 0, sizeof(aux_rep));
+
+ aux_engine = ddc->ctx->dc->res_pool->engines[ddc_pin->pin_data->en];
+- acquire(aux_engine, ddc_pin);
++ if (!acquire(aux_engine, ddc_pin))
++ return -1;
+
+ if (payload->i2c_over_aux)
+ aux_req.type = AUX_TRANSACTION_TYPE_I2C;
+--
+2.20.1
+
--- /dev/null
+From 8b2f129cd10085ca03f4e10dced219dd8e94aff5 Mon Sep 17 00:00:00 2001
+From: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Date: Thu, 7 Mar 2019 13:26:13 -0500
+Subject: drm/amd/display: fix releasing planes when exiting odm
+
+[ Upstream commit bc2193992b00488f5734613ac95b78ef2d2803ab ]
+
+Releasing planes should not release the 2nd odm pipe right away,
+this change leaves us with 2 pipes with null planes and same stream
+when planes are released during odm.
+
+Signed-off-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+index 349ab80177761..4c06eb52ab734 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -1266,10 +1266,12 @@ bool dc_remove_plane_from_context(
+ * For head pipe detach surfaces from pipe for tail
+ * pipe just zero it out
+ */
+- if (!pipe_ctx->top_pipe) {
++ if (!pipe_ctx->top_pipe ||
++ (!pipe_ctx->top_pipe->top_pipe &&
++ pipe_ctx->top_pipe->stream_res.opp != pipe_ctx->stream_res.opp)) {
+ pipe_ctx->plane_state = NULL;
+ pipe_ctx->bottom_pipe = NULL;
+- } else {
++ } else {
+ memset(pipe_ctx, 0, sizeof(*pipe_ctx));
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 64fd76135c5b0e58275ea83cf25f941293720819 Mon Sep 17 00:00:00 2001
+From: Martin Leung <martin.leung@amd.com>
+Date: Wed, 13 Feb 2019 17:06:31 -0500
+Subject: drm/amd/display: half bandwidth for YCbCr420 during validation
+
+[ Upstream commit 162f807858d15bde60cf373a3ad46e03200ad9d8 ]
+
+[Why]
+used to be unable to run 4:2:0 if using a dongle because 4k60 bandwidth
+exceeded dongle caps
+
+[How]
+half pixel clock during comparison to dongle cap. *Could get stuck on black
+screen on monitor that don't support 420 but will be selecting 420 as
+preferred mode*
+
+Signed-off-by: Martin Leung <martin.leung@amd.com>
+Reviewed-by: Wenjing Liu <Wenjing.Liu@amd.com>
+Acked-by: Aidan Wood <Aidan.Wood@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 33 +++++++++++--------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+index ea2f271e234bd..419e8de8c0f48 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+@@ -2074,11 +2074,28 @@ static void disable_link(struct dc_link *link, enum signal_type signal)
+ }
+ }
+
++static uint32_t get_timing_pixel_clock_100hz(const struct dc_crtc_timing *timing)
++{
++
++ uint32_t pxl_clk = timing->pix_clk_100hz;
++
++ if (timing->pixel_encoding == PIXEL_ENCODING_YCBCR420)
++ pxl_clk /= 2;
++ else if (timing->pixel_encoding == PIXEL_ENCODING_YCBCR422)
++ pxl_clk = pxl_clk * 2 / 3;
++
++ if (timing->display_color_depth == COLOR_DEPTH_101010)
++ pxl_clk = pxl_clk * 10 / 8;
++ else if (timing->display_color_depth == COLOR_DEPTH_121212)
++ pxl_clk = pxl_clk * 12 / 8;
++
++ return pxl_clk;
++}
++
+ static bool dp_active_dongle_validate_timing(
+ const struct dc_crtc_timing *timing,
+ const struct dpcd_caps *dpcd_caps)
+ {
+- unsigned int required_pix_clk_100hz = timing->pix_clk_100hz;
+ const struct dc_dongle_caps *dongle_caps = &dpcd_caps->dongle_caps;
+
+ switch (dpcd_caps->dongle_type) {
+@@ -2115,13 +2132,6 @@ static bool dp_active_dongle_validate_timing(
+ return false;
+ }
+
+-
+- /* Check Color Depth and Pixel Clock */
+- if (timing->pixel_encoding == PIXEL_ENCODING_YCBCR420)
+- required_pix_clk_100hz /= 2;
+- else if (timing->pixel_encoding == PIXEL_ENCODING_YCBCR422)
+- required_pix_clk_100hz = required_pix_clk_100hz * 2 / 3;
+-
+ switch (timing->display_color_depth) {
+ case COLOR_DEPTH_666:
+ case COLOR_DEPTH_888:
+@@ -2130,14 +2140,11 @@ static bool dp_active_dongle_validate_timing(
+ case COLOR_DEPTH_101010:
+ if (dongle_caps->dp_hdmi_max_bpc < 10)
+ return false;
+- required_pix_clk_100hz = required_pix_clk_100hz * 10 / 8;
+ break;
+ case COLOR_DEPTH_121212:
+ if (dongle_caps->dp_hdmi_max_bpc < 12)
+ return false;
+- required_pix_clk_100hz = required_pix_clk_100hz * 12 / 8;
+ break;
+-
+ case COLOR_DEPTH_141414:
+ case COLOR_DEPTH_161616:
+ default:
+@@ -2145,7 +2152,7 @@ static bool dp_active_dongle_validate_timing(
+ return false;
+ }
+
+- if (required_pix_clk_100hz > (dongle_caps->dp_hdmi_max_pixel_clk * 10))
++ if (get_timing_pixel_clock_100hz(timing) > (dongle_caps->dp_hdmi_max_pixel_clk * 10))
+ return false;
+
+ return true;
+@@ -2166,7 +2173,7 @@ enum dc_status dc_link_validate_mode_timing(
+ return DC_OK;
+
+ /* Passive Dongle */
+- if (0 != max_pix_clk && timing->pix_clk_100hz > max_pix_clk)
++ if (max_pix_clk != 0 && get_timing_pixel_clock_100hz(timing) > max_pix_clk)
+ return DC_EXCEED_DONGLE_CAP;
+
+ /* Active Dongle*/
+--
+2.20.1
+
--- /dev/null
+From 881bb870298d9ae02660bbe8cb9b832e523e42d1 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Fri, 22 Mar 2019 09:59:32 -0400
+Subject: drm/amd/display: Initialize stream_update with memset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 2aa632c5ffbedb2ee0e68857683466ea788f17eb ]
+
+The brace initialization used here generates warnings on some
+compilers. For example, on GCC 4.9:
+
+[...] In function ‘dm_determine_update_type_for_commit’:
+[...] error: missing braces around initializer [-Werror=missing-braces]
+ struct dc_stream_update stream_update = { 0 };
+ ^
+
+Use memset to make this more portable.
+
+v2: Specify the compiler / diagnostic in the commit message (Paul)
+
+Cc: Sun peng Li <Sunpeng.Li@amd.com>
+Cc: Harry Wentland <Harry.Wentland@amd.com>
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 3082b55b1e774..66f19d1864b17 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -5858,7 +5858,9 @@ dm_determine_update_type_for_commit(struct dc *dc,
+ }
+
+ for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) {
+- struct dc_stream_update stream_update = { 0 };
++ struct dc_stream_update stream_update;
++
++ memset(&stream_update, 0, sizeof(stream_update));
+
+ new_dm_crtc_state = to_dm_crtc_state(new_crtc_state);
+ old_dm_crtc_state = to_dm_crtc_state(old_crtc_state);
+--
+2.20.1
+
--- /dev/null
+From d7e71ef4be01d854e3bc656c4448534ece5b1895 Mon Sep 17 00:00:00 2001
+From: Samson Tam <Samson.Tam@amd.com>
+Date: Mon, 4 Mar 2019 16:21:06 -0500
+Subject: drm/amd/display: Link train only when link is DP and backend is
+ enabled
+
+[ Upstream commit 66acd4418d7de131ef3831e52a8af3d2480e5b15 ]
+
+[Why]
+In certain cases we do link training when we don't have a backend.
+
+[How]
+In dc_link_set_preferred_link_settings(), store preferred link settings
+first and then verify that the link is DP and the link stream's backend is
+enabled. If either is false, then we will not do any link retraining.
+
+Signed-off-by: Samson Tam <Samson.Tam@amd.com>
+Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
+Acked-by: Anthony Koo <Anthony.Koo@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index a6cda201c964c..c1a308c1dcbea 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -524,6 +524,14 @@ void dc_link_set_preferred_link_settings(struct dc *dc,
+ struct dc_stream_state *link_stream;
+ struct dc_link_settings store_settings = *link_setting;
+
++ link->preferred_link_setting = store_settings;
++
++ /* Retrain with preferred link settings only relevant for
++ * DP signal type
++ */
++ if (!dc_is_dp_signal(link->connector_signal))
++ return;
++
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe = &dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe->stream && pipe->stream->link) {
+@@ -538,7 +546,10 @@ void dc_link_set_preferred_link_settings(struct dc *dc,
+
+ link_stream = link->dc->current_state->res_ctx.pipe_ctx[i].stream;
+
+- link->preferred_link_setting = store_settings;
++ /* Cannot retrain link if backend is off */
++ if (link_stream->dpms_off)
++ return;
++
+ if (link_stream)
+ decide_link_settings(link_stream, &store_settings);
+
+--
+2.20.1
+
--- /dev/null
+From 303b3f031b010cc41e5d573a153d65a8699a9057 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Mon, 11 Mar 2019 10:33:35 -0400
+Subject: drm/amd/display: Prevent cursor hotspot overflow for RV overlay
+ planes
+
+[ Upstream commit 6752bea8b03e77c98be7d8d25b0a9d86a00b3cf7 ]
+
+[Why]
+The actual position for the cursor on the screen is essentially:
+
+x_out = x - x_plane - x_hotspot
+y_out = y - y_plane - y_hotspot
+
+The register values for cursor position and cursor hotspot need to be
+greater than zero when programmed, but we also need to subtract off
+the plane position to display the cursor at the correct position.
+
+Since we don't want x or y to be less than zero, we add the plane
+position as a positive value to x_hotspot or y_hotspot. However, what
+this doesn't take into account is that the hotspot registers are limited
+by the maximum cursor size.
+
+On DCN10 the cursor hotspot regitsers are masked to 0xFF, so they have
+a maximum value of 0-255. Values greater this will wrap, causing the
+cursor to display in the wrong position.
+
+In practice this means that for sufficiently large plane positions, the
+cursor will be drawn twice on the screen, and can cause screen flashes
+or p-state WARNS depending on what the wrapped value is.
+
+So we need a way to remove the value from x_plane and y_plane without
+exceeding the maximum cursor size.
+
+[How]
+Subtract as much as x_plane/y_plane as possible from x and y and place
+the remainder in the cursor hotspot register.
+
+The value for x_hotspot and y_hotspot can still wrap around but it
+won't happen in a case where the cursor is actually enabled.
+
+The cursor plane needs to intersect at least one pixel of the plane's
+rectangle to be enabled, so the cursor position + hotspot provided by
+userspace must always be strictly less than the maximum cursor size for
+the cursor to actually be enabled.
+
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Sun peng Li <Sunpeng.Li@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+index d1a8f1c302a96..401ea9561618e 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+@@ -2692,9 +2692,15 @@ static void dcn10_set_cursor_position(struct pipe_ctx *pipe_ctx)
+ .rotation = pipe_ctx->plane_state->rotation,
+ .mirror = pipe_ctx->plane_state->horizontal_mirror
+ };
+-
+- pos_cpy.x_hotspot += pipe_ctx->plane_state->dst_rect.x;
+- pos_cpy.y_hotspot += pipe_ctx->plane_state->dst_rect.y;
++ uint32_t x_plane = pipe_ctx->plane_state->dst_rect.x;
++ uint32_t y_plane = pipe_ctx->plane_state->dst_rect.y;
++ uint32_t x_offset = min(x_plane, pos_cpy.x);
++ uint32_t y_offset = min(y_plane, pos_cpy.y);
++
++ pos_cpy.x -= x_offset;
++ pos_cpy.y -= y_offset;
++ pos_cpy.x_hotspot += (x_plane - x_offset);
++ pos_cpy.y_hotspot += (y_plane - y_offset);
+
+ if (pipe_ctx->plane_state->address.type
+ == PLN_ADDR_TYPE_VIDEO_PROGRESSIVE)
+--
+2.20.1
+
--- /dev/null
+From 584fc1012e21eb3d86a0c9a573a329673867528f Mon Sep 17 00:00:00 2001
+From: David Francis <David.Francis@amd.com>
+Date: Mon, 11 Feb 2019 14:15:19 -0500
+Subject: drm/amd/display: Re-add custom degamma support
+
+[ Upstream commit f91813992c343272813e707343b50f8d06383659 ]
+
+[Why]
+The dc_gamma_type CUSTOM_GAMMA is used to represent degamma
+mappings passed in by drm. This type of gamma must be interpolated
+into a transfer function by apply_1d_lut. The line in
+mod_color_calculate_degamma_params that handled this case
+was erroneously removed.
+
+[How]
+For CUSTOM_GAMMA degamma, calculate the lut as before.
+
+Signed-off-by: David Francis <David.Francis@amd.com>
+Reviewed-by: Krunoslav Kovac <Krunoslav.Kovac@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/modules/color/color_gamma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
+index 0fbc8fbc35416..a1055413bade6 100644
+--- a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
++++ b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
+@@ -1854,6 +1854,8 @@ bool mod_color_calculate_degamma_params(struct dc_transfer_func *input_tf,
+ coordinates_x, axis_x, curve,
+ MAX_HW_POINTS, tf_pts,
+ mapUserRamp && ramp && ramp->type == GAMMA_RGB_256);
++ if (ramp->type == GAMMA_CUSTOM)
++ apply_lut_1d(ramp, MAX_HW_POINTS, tf_pts);
+
+ ret = true;
+
+--
+2.20.1
+
--- /dev/null
+From 7653fd13b952ad03f2e79c2c464f9ed0f07f4506 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Thu, 28 Feb 2019 12:57:59 -0500
+Subject: drm/amd/display: Reset alpha state for planes to the correct values
+
+[ Upstream commit eec3d5efd16d13984a88396b685ae17462fb6d87 ]
+
+[Why]
+The plane_reset callback is subclassed but hasn't been updated since
+the drm helper got updated to include resetting alpha related state
+(state->alpha and state->pixel_blend_mode). The overlay planes
+exposed by amdgpu_dm were therefore being rendered as invisible by
+default ever since supported was exposed for alpha blending properties
+on overlays.
+
+This caused regressions in igt@kms_plane_multiple@atomic-tiling-none
+and igt@kms_plane@plane-position-covered-pipe tests.
+
+[How]
+Reset the plane state values to their correct values as defined in
+the drm helper.
+
+This fixes the IGT test regression.
+
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index c212bff457eec..b14369ab151f6 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -3587,6 +3587,8 @@ static void dm_drm_plane_reset(struct drm_plane *plane)
+ plane->state = &amdgpu_state->base;
+ plane->state->plane = plane;
+ plane->state->rotation = DRM_MODE_ROTATE_0;
++ plane->state->alpha = DRM_BLEND_ALPHA_OPAQUE;
++ plane->state->pixel_blend_mode = DRM_MODE_BLEND_PREMULTI;
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 90615fd793ea6a07f241058a268ea4ff35bcb9c7 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Wed, 6 Feb 2019 10:18:17 -0500
+Subject: drm/amd/display: Reset planes that were disabled in init_pipes
+
+[ Upstream commit 4bc46da4a3aeeb4d55e83dd276cf72756e908286 ]
+
+[Why]
+Seamless boot tries to reuse planes that were enabled for the first
+commit applied.
+
+In the case where Raven is booting with two monitors connected and the
+first commit contains two streams the screen corruption would occur
+because the second stream was trying to re-use a tg and plane that
+weren't previously enabled.
+
+The state on the first commit looks something like the following:
+
+TG0: enabled=1
+TG1: enabled=0
+TG2: enabled=0
+TG3: enabled=0
+
+New state: pipe=0, stream=0, plane=0, new_tg=0
+New state: pipe=1, stream=1, plane=1, new_tg=1
+New state: pipe=2, stream=NULL, plane=NULL, new_tg=NULL
+New state: pipe=3, stream=NULL, plane=NULL, new_tg=NULL
+
+Only one plane/tg is setup before we enter accelerated mode so
+we really want to disabling everything but that first plane.
+
+[How]
+
+Check if the stream is not NULL and if the tg is enabled before
+deciding whether to skip the plane disable.
+
+Also ensure we're also disabling on the current state's pipe_ctx so
+we don't overwrite the fields in the new pending state.
+
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Anthony Koo <Anthony.Koo@amd.com>
+Acked-by: Harry Wentland <Harry.Wentland@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+index 401ea9561618e..5b551a544e82d 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+@@ -1008,9 +1008,14 @@ static void dcn10_init_pipes(struct dc *dc, struct dc_state *context)
+ * to non-preferred front end. If pipe_ctx->stream is not NULL,
+ * we will use the pipe, so don't disable
+ */
+- if (pipe_ctx->stream != NULL)
++ if (pipe_ctx->stream != NULL &&
++ pipe_ctx->stream_res.tg->funcs->is_tg_enabled(
++ pipe_ctx->stream_res.tg))
+ continue;
+
++ /* Disable on the current state so the new one isn't cleared. */
++ pipe_ctx = &dc->current_state->res_ctx.pipe_ctx[i];
++
+ dpp->funcs->dpp_reset(dpp);
+
+ pipe_ctx->stream_res.tg = tg;
+--
+2.20.1
+
--- /dev/null
+From a568c3fa2ac563f6e518ac51ba2a0fb51d994368 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Fri, 8 Feb 2019 13:21:05 -0500
+Subject: drm/amd/display: Set stream->mode_changed when connectors change
+
+[ Upstream commit b9952f93cd2cf5fca82b06a8179c0f5f7b769e83 ]
+
+[Why]
+The kms_plane@plane-position-covered-pipe-*-planes subtests can produce
+a sequence of atomic commits such that neither active_changed nor
+mode_changed but connectors_changed.
+
+When this happens we remove the old stream from the context and add
+a new stream but the new stream doesn't have mode_changed=true set.
+
+This incorrect programming sequence causes CRC mismatches to occur in
+the test.
+
+The stream->mode_changed value should be set whenever a new stream
+is created.
+
+[How]
+A new stream is created whenever drm_atomic_crtc_needs_modeset is true.
+We previously covered the active_changed and mode_changed conditions
+for the CRTC but connectors_changed is also checked within
+drm_atomic_crtc_needs_modeset.
+
+So just use drm_atomic_crtc_needs_modeset directly to determine the
+mode_changed flag.
+
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Sun peng Li <Sunpeng.Li@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index b14369ab151f6..0886b36c23447 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -4955,8 +4955,7 @@ static void amdgpu_dm_commit_planes(struct drm_atomic_state *state,
+ static void amdgpu_dm_crtc_copy_transient_flags(struct drm_crtc_state *crtc_state,
+ struct dc_stream_state *stream_state)
+ {
+- stream_state->mode_changed =
+- crtc_state->mode_changed || crtc_state->active_changed;
++ stream_state->mode_changed = drm_atomic_crtc_needs_modeset(crtc_state);
+ }
+
+ static int amdgpu_dm_atomic_commit(struct drm_device *dev,
+--
+2.20.1
+
--- /dev/null
+From cb93b8a2ceb57b5b8c58fff43b0262714a67d4b1 Mon Sep 17 00:00:00 2001
+From: David Francis <David.Francis@amd.com>
+Date: Mon, 4 Mar 2019 10:31:31 -0500
+Subject: drm/amd/display: Update ABM crtc state on non-modeset
+
+[ Upstream commit b05e2c5e81f9a0be4a145e0926b1dfe62f6347d4 ]
+
+[Why]
+Somewhere in the atomic check reshuffle ABM got lost.
+ABM is a crtc property (copied from a connector property).
+It can change without a modeset, just like underscan.
+
+[How]
+In the skip_modeset branch of atomic check crtc updates,
+copy over the abm property.
+
+Signed-off-by: David Francis <David.Francis@amd.com>
+Reviewed-by: Nicholas Kazlauskas <Nicholas.Kazlauskas@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 66f19d1864b17..c212bff457eec 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -5661,6 +5661,9 @@ static int dm_update_crtc_state(struct amdgpu_display_manager *dm,
+ update_stream_scaling_settings(
+ &new_crtc_state->mode, dm_new_conn_state, dm_new_crtc_state->stream);
+
++ /* ABM settings */
++ dm_new_crtc_state->abm_level = dm_new_conn_state->abm_level;
++
+ /*
+ * Color management settings. We also update color properties
+ * when a modeset is needed, to ensure it gets reprogrammed.
+--
+2.20.1
+
--- /dev/null
+From 7c6a4536e269d802e9582dcb8b0cab6be6bde2ea Mon Sep 17 00:00:00 2001
+From: Wenjing Liu <Wenjing.Liu@amd.com>
+Date: Thu, 21 Mar 2019 13:05:36 -0400
+Subject: drm/amd/display: use proper formula to calculate bandwidth from
+ timing
+
+[ Upstream commit e49f69363adf8920883fff7e8ffecb802d897c6b ]
+
+[why]
+The existing calculation uses a wrong formula to
+calculate bandwidth from timing.
+
+[how]
+Expose the existing proper function that calculates the bandwidth,
+so dc_link can use it to calculate timing bandwidth correctly.
+
+Signed-off-by: Wenjing Liu <Wenjing.Liu@amd.com>
+Reviewed-by: Jun Lei <Jun.Lei@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 48 ++++++++++++++++-
+ .../gpu/drm/amd/display/dc/core/dc_link_dp.c | 51 +------------------
+ drivers/gpu/drm/amd/display/dc/dc_link.h | 2 +
+ 3 files changed, 51 insertions(+), 50 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+index ea18e9c2d8cea..ea2f271e234bd 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+@@ -2316,7 +2316,7 @@ static struct fixed31_32 get_pbn_from_timing(struct pipe_ctx *pipe_ctx)
+ uint32_t denominator;
+
+ bpc = get_color_depth(pipe_ctx->stream_res.pix_clk_params.color_depth);
+- kbps = pipe_ctx->stream_res.pix_clk_params.requested_pix_clk_100hz / 10 * bpc * 3;
++ kbps = dc_bandwidth_in_kbps_from_timing(&pipe_ctx->stream->timing);
+
+ /*
+ * margin 5300ppm + 300ppm ~ 0.6% as per spec, factor is 1.006
+@@ -2736,3 +2736,49 @@ void dc_link_enable_hpd_filter(struct dc_link *link, bool enable)
+ }
+ }
+
++uint32_t dc_bandwidth_in_kbps_from_timing(
++ const struct dc_crtc_timing *timing)
++{
++ uint32_t bits_per_channel = 0;
++ uint32_t kbps;
++
++ switch (timing->display_color_depth) {
++ case COLOR_DEPTH_666:
++ bits_per_channel = 6;
++ break;
++ case COLOR_DEPTH_888:
++ bits_per_channel = 8;
++ break;
++ case COLOR_DEPTH_101010:
++ bits_per_channel = 10;
++ break;
++ case COLOR_DEPTH_121212:
++ bits_per_channel = 12;
++ break;
++ case COLOR_DEPTH_141414:
++ bits_per_channel = 14;
++ break;
++ case COLOR_DEPTH_161616:
++ bits_per_channel = 16;
++ break;
++ default:
++ break;
++ }
++
++ ASSERT(bits_per_channel != 0);
++
++ kbps = timing->pix_clk_100hz / 10;
++ kbps *= bits_per_channel;
++
++ if (timing->flags.Y_ONLY != 1) {
++ /*Only YOnly make reduce bandwidth by 1/3 compares to RGB*/
++ kbps *= 3;
++ if (timing->pixel_encoding == PIXEL_ENCODING_YCBCR420)
++ kbps /= 2;
++ else if (timing->pixel_encoding == PIXEL_ENCODING_YCBCR422)
++ kbps = kbps * 2 / 3;
++ }
++
++ return kbps;
++
++}
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+index 09d3012160763..6809932e80bec 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+@@ -1520,53 +1520,6 @@ static bool decide_fallback_link_setting(
+ return true;
+ }
+
+-static uint32_t bandwidth_in_kbps_from_timing(
+- const struct dc_crtc_timing *timing)
+-{
+- uint32_t bits_per_channel = 0;
+- uint32_t kbps;
+-
+- switch (timing->display_color_depth) {
+- case COLOR_DEPTH_666:
+- bits_per_channel = 6;
+- break;
+- case COLOR_DEPTH_888:
+- bits_per_channel = 8;
+- break;
+- case COLOR_DEPTH_101010:
+- bits_per_channel = 10;
+- break;
+- case COLOR_DEPTH_121212:
+- bits_per_channel = 12;
+- break;
+- case COLOR_DEPTH_141414:
+- bits_per_channel = 14;
+- break;
+- case COLOR_DEPTH_161616:
+- bits_per_channel = 16;
+- break;
+- default:
+- break;
+- }
+-
+- ASSERT(bits_per_channel != 0);
+-
+- kbps = timing->pix_clk_100hz / 10;
+- kbps *= bits_per_channel;
+-
+- if (timing->flags.Y_ONLY != 1) {
+- /*Only YOnly make reduce bandwidth by 1/3 compares to RGB*/
+- kbps *= 3;
+- if (timing->pixel_encoding == PIXEL_ENCODING_YCBCR420)
+- kbps /= 2;
+- else if (timing->pixel_encoding == PIXEL_ENCODING_YCBCR422)
+- kbps = kbps * 2 / 3;
+- }
+-
+- return kbps;
+-
+-}
+-
+ static uint32_t bandwidth_in_kbps_from_link_settings(
+ const struct dc_link_settings *link_setting)
+ {
+@@ -1607,7 +1560,7 @@ bool dp_validate_mode_timing(
+ link_setting = &link->verified_link_cap;
+ */
+
+- req_bw = bandwidth_in_kbps_from_timing(timing);
++ req_bw = dc_bandwidth_in_kbps_from_timing(timing);
+ max_bw = bandwidth_in_kbps_from_link_settings(link_setting);
+
+ if (req_bw <= max_bw) {
+@@ -1641,7 +1594,7 @@ void decide_link_settings(struct dc_stream_state *stream,
+ uint32_t req_bw;
+ uint32_t link_bw;
+
+- req_bw = bandwidth_in_kbps_from_timing(&stream->timing);
++ req_bw = dc_bandwidth_in_kbps_from_timing(&stream->timing);
+
+ link = stream->link;
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dc_link.h b/drivers/gpu/drm/amd/display/dc/dc_link.h
+index 8fc223defed4a..a83e1c60f9db2 100644
+--- a/drivers/gpu/drm/amd/display/dc/dc_link.h
++++ b/drivers/gpu/drm/amd/display/dc/dc_link.h
+@@ -252,4 +252,6 @@ bool dc_submit_i2c(
+ uint32_t link_index,
+ struct i2c_command *cmd);
+
++uint32_t dc_bandwidth_in_kbps_from_timing(
++ const struct dc_crtc_timing *timing);
+ #endif /* DC_LINK_H_ */
+--
+2.20.1
+
--- /dev/null
+From ab3f718f95dd63e96c1f85de373985487e6c4a88 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Fri, 29 Mar 2019 19:30:23 +0100
+Subject: drm/amdgpu: fix old fence check in amdgpu_fence_emit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3d2aca8c8620346abdba96c6300d2c0b90a1d0cc ]
+
+We don't hold a reference to the old fence, so it can go away
+any time we are waiting for it to signal.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Chunming Zhou <david1.zhou@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 24 ++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+index ee47c11e92ce7..4dee2326b29c3 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+@@ -136,8 +136,9 @@ int amdgpu_fence_emit(struct amdgpu_ring *ring, struct dma_fence **f,
+ {
+ struct amdgpu_device *adev = ring->adev;
+ struct amdgpu_fence *fence;
+- struct dma_fence *old, **ptr;
++ struct dma_fence __rcu **ptr;
+ uint32_t seq;
++ int r;
+
+ fence = kmem_cache_alloc(amdgpu_fence_slab, GFP_KERNEL);
+ if (fence == NULL)
+@@ -153,15 +154,24 @@ int amdgpu_fence_emit(struct amdgpu_ring *ring, struct dma_fence **f,
+ seq, flags | AMDGPU_FENCE_FLAG_INT);
+
+ ptr = &ring->fence_drv.fences[seq & ring->fence_drv.num_fences_mask];
++ if (unlikely(rcu_dereference_protected(*ptr, 1))) {
++ struct dma_fence *old;
++
++ rcu_read_lock();
++ old = dma_fence_get_rcu_safe(ptr);
++ rcu_read_unlock();
++
++ if (old) {
++ r = dma_fence_wait(old, false);
++ dma_fence_put(old);
++ if (r)
++ return r;
++ }
++ }
++
+ /* This function can't be called concurrently anyway, otherwise
+ * emitting the fence would mess up the hardware ring buffer.
+ */
+- old = rcu_dereference_protected(*ptr, 1);
+- if (old && !dma_fence_is_signaled(old)) {
+- DRM_INFO("rcu slot is busy\n");
+- dma_fence_wait(old, false);
+- }
+-
+ rcu_assign_pointer(*ptr, dma_fence_get(&fence->base));
+
+ *f = &fence->base;
+--
+2.20.1
+
--- /dev/null
+From da54a525b9154efc294a14fac73efa97966c0d03 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Mon, 25 Feb 2019 15:42:26 +0100
+Subject: drm/drv: Hold ref on parent device during drm_device lifetime
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 56be6503aab2bc3a30beae408071b9be5e1bae51 ]
+
+This makes it safe to access drm_device->dev after the parent device has
+been removed/unplugged.
+
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190225144232.20761-2-noralf@tronnes.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
+index 05bbc2b622fc1..04aa6ccdfb242 100644
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -497,7 +497,7 @@ int drm_dev_init(struct drm_device *dev,
+ BUG_ON(!parent);
+
+ kref_init(&dev->ref);
+- dev->dev = parent;
++ dev->dev = get_device(parent);
+ dev->driver = driver;
+
+ /* no per-device feature limits by default */
+@@ -567,6 +567,7 @@ int drm_dev_init(struct drm_device *dev,
+ drm_minor_free(dev, DRM_MINOR_RENDER);
+ drm_fs_inode_free(dev->anon_inode);
+ err_free:
++ put_device(dev->dev);
+ mutex_destroy(&dev->master_mutex);
+ mutex_destroy(&dev->ctxlist_mutex);
+ mutex_destroy(&dev->clientlist_mutex);
+@@ -602,6 +603,8 @@ void drm_dev_fini(struct drm_device *dev)
+ drm_minor_free(dev, DRM_MINOR_PRIMARY);
+ drm_minor_free(dev, DRM_MINOR_RENDER);
+
++ put_device(dev->dev);
++
+ mutex_destroy(&dev->master_mutex);
+ mutex_destroy(&dev->ctxlist_mutex);
+ mutex_destroy(&dev->clientlist_mutex);
+--
+2.20.1
+
--- /dev/null
+From 585f739b8fff7c83c75de62527dde16f9e79af1b Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 25 Feb 2019 10:51:30 +0000
+Subject: drm: etnaviv: avoid DMA API warning when importing buffers
+
+[ Upstream commit 1262cc8893ecb0eb2c21e042d0d268cc180edb61 ]
+
+During boot, I get this kernel warning:
+
+WARNING: CPU: 0 PID: 19001 at kernel/dma/debug.c:1301 debug_dma_map_sg+0x284/0x3dc
+etnaviv etnaviv: DMA-API: mapping sg segment longer than device claims to support [len=3145728] [max=65536]
+Modules linked in: ip6t_REJECT nf_reject_ipv6 ip6t_rpfilter xt_tcpudp ipt_REJECT nf_reject_ipv4 xt_conntrack ip_set nfnetlink ebtable_broute ebtable_nat ip6table_raw ip6table_nat nf_nat_ipv6 ip6table_mangle iptable_raw iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv4 nf_defrag_ipv6 libcrc32c iptable_mangle ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter caam_jr error snd_soc_imx_spdif imx_thermal snd_soc_imx_audmux nvmem_imx_ocotp snd_soc_sgtl5000
+caam imx_sdma virt_dma coda rc_cec v4l2_mem2mem snd_soc_fsl_ssi snd_soc_fsl_spdif imx_vdoa imx_pcm_dma videobuf2_dma_contig etnaviv dw_hdmi_cec gpu_sched dw_hdmi_ahb_audio imx6q_cpufreq nfsd sch_fq_codel ip_tables x_tables
+CPU: 0 PID: 19001 Comm: Xorg Not tainted 4.20.0+ #307
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+[<c0019658>] (unwind_backtrace) from [<c001489c>] (show_stack+0x10/0x14)
+[<c001489c>] (show_stack) from [<c07fb420>] (dump_stack+0x9c/0xd4)
+[<c07fb420>] (dump_stack) from [<c00312dc>] (__warn+0xf8/0x124)
+[<c00312dc>] (__warn) from [<c00313d0>] (warn_slowpath_fmt+0x38/0x48)
+[<c00313d0>] (warn_slowpath_fmt) from [<c00b14e8>] (debug_dma_map_sg+0x284/0x3dc)
+[<c00b14e8>] (debug_dma_map_sg) from [<c046eb40>] (drm_gem_map_dma_buf+0xc4/0x13c)
+[<c046eb40>] (drm_gem_map_dma_buf) from [<c04c3314>] (dma_buf_map_attachment+0x38/0x5c)
+[<c04c3314>] (dma_buf_map_attachment) from [<c046e728>] (drm_gem_prime_import_dev+0x74/0x104)
+[<c046e728>] (drm_gem_prime_import_dev) from [<c046e5bc>] (drm_gem_prime_fd_to_handle+0x84/0x17c)
+[<c046e5bc>] (drm_gem_prime_fd_to_handle) from [<c046edd0>] (drm_prime_fd_to_handle_ioctl+0x38/0x4c)
+[<c046edd0>] (drm_prime_fd_to_handle_ioctl) from [<c0460efc>] (drm_ioctl_kernel+0x90/0xc8)
+[<c0460efc>] (drm_ioctl_kernel) from [<c0461114>] (drm_ioctl+0x1e0/0x3b0)
+[<c0461114>] (drm_ioctl) from [<c01cae20>] (do_vfs_ioctl+0x90/0xa48)
+[<c01cae20>] (do_vfs_ioctl) from [<c01cb80c>] (ksys_ioctl+0x34/0x60)
+[<c01cb80c>] (ksys_ioctl) from [<c0009000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xd81a9fa8 to 0xd81a9ff0)
+9fa0: b6c69c88 bec613f8 00000009 c00c642e bec613f8 b86c4600
+9fc0: b6c69c88 bec613f8 c00c642e 00000036 012762e0 01276348 00000300 012d91f8
+9fe0: b6989f18 bec613dc b697185c b667be5c
+irq event stamp: 47905
+hardirqs last enabled at (47913): [<c0098824>] console_unlock+0x46c/0x680
+hardirqs last disabled at (47922): [<c0098470>] console_unlock+0xb8/0x680
+softirqs last enabled at (47754): [<c000a484>] __do_softirq+0x344/0x540
+softirqs last disabled at (47701): [<c0038700>] irq_exit+0x124/0x144
+---[ end trace af477747acbcc642 ]---
+
+The reason is the contiguous buffer exceeds the default maximum segment
+size of 64K as specified by dma_get_max_seg_size() in
+linux/dma-mapping.h. Fix this by providing our own segment size, which
+is set to 2GiB to cover the window found in MMUv1 GPUs.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_drv.c | 5 +++++
+ drivers/gpu/drm/etnaviv/etnaviv_drv.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.c b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+index 18c27f795cf61..3156450723bad 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+@@ -515,6 +515,9 @@ static int etnaviv_bind(struct device *dev)
+ }
+ drm->dev_private = priv;
+
++ dev->dma_parms = &priv->dma_parms;
++ dma_set_max_seg_size(dev, SZ_2G);
++
+ mutex_init(&priv->gem_lock);
+ INIT_LIST_HEAD(&priv->gem_list);
+ priv->num_gpus = 0;
+@@ -552,6 +555,8 @@ static void etnaviv_unbind(struct device *dev)
+
+ component_unbind_all(dev, drm);
+
++ dev->dma_parms = NULL;
++
+ drm->dev_private = NULL;
+ kfree(priv);
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.h b/drivers/gpu/drm/etnaviv/etnaviv_drv.h
+index a6a7ded37ef1d..6a4ea127c4f1a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.h
+@@ -42,6 +42,7 @@ struct etnaviv_file_private {
+
+ struct etnaviv_drm_private {
+ int num_gpus;
++ struct device_dma_parameters dma_parms;
+ struct etnaviv_gpu *gpu[ETNA_MAX_PIPES];
+
+ /* list of GEM objects: */
+--
+2.20.1
+
--- /dev/null
+From 93b10c46755d28d2a36e3b5d6265c7db5ad9ce30 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Thu, 4 Apr 2019 00:04:11 +0800
+Subject: drm/msm: a5xx: fix possible object reference leak
+
+[ Upstream commit 6cd5235c3135ea84b32469ea51b2aae384eda8af ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
+drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: Sean Paul <sean@poorly.run>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Jordan Crouse <jcrouse@codeaurora.org>
+Cc: Mamta Shukla <mamtashukla555@gmail.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Sharat Masetty <smasetty@codeaurora.org>
+Cc: linux-arm-msm@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: freedreno@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org (open list)
+Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index d5f5e56422f57..270da14cba673 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -34,7 +34,7 @@ static int zap_shader_load_mdt(struct msm_gpu *gpu, const char *fwname)
+ {
+ struct device *dev = &gpu->pdev->dev;
+ const struct firmware *fw;
+- struct device_node *np;
++ struct device_node *np, *mem_np;
+ struct resource r;
+ phys_addr_t mem_phys;
+ ssize_t mem_size;
+@@ -48,11 +48,13 @@ static int zap_shader_load_mdt(struct msm_gpu *gpu, const char *fwname)
+ if (!np)
+ return -ENODEV;
+
+- np = of_parse_phandle(np, "memory-region", 0);
+- if (!np)
++ mem_np = of_parse_phandle(np, "memory-region", 0);
++ of_node_put(np);
++ if (!mem_np)
+ return -EINVAL;
+
+- ret = of_address_to_resource(np, 0, &r);
++ ret = of_address_to_resource(mem_np, 0, &r);
++ of_node_put(mem_np);
+ if (ret)
+ return ret;
+
+--
+2.20.1
+
--- /dev/null
+From 823171f9baf3c8cefd2e62d5624c2bda3822136a Mon Sep 17 00:00:00 2001
+From: Sean Paul <seanpaul@chromium.org>
+Date: Wed, 30 Jan 2019 11:32:12 -0500
+Subject: drm/msm: dpu: Don't set frame_busy_mask for async updates
+
+[ Upstream commit f98baa3109cea46083d2361ab14a0207d1b1bd16 ]
+
+The frame_busy mask is used in frame_done event handling, which is not
+invoked for async commits. So an async commit will leave the
+frame_busy mask populated after it completes and future commits will start
+with the busy mask incorrect.
+
+This showed up on disable after cursor move. I was hitting the "this should
+not happen" comment in the frame event worker since frame_busy was set,
+we queued the event, but there were no frames pending (since async
+also doesn't set that).
+
+Reviewed-by: Fritz Koenig <frkoenig@google.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190130163220.138637-1-sean@poorly.run
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+index f59c00191a2a2..dd2c4d11d0e1d 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+@@ -1550,8 +1550,14 @@ static void _dpu_encoder_kickoff_phys(struct dpu_encoder_virt *dpu_enc,
+ if (!ctl)
+ continue;
+
+- if (phys->split_role != ENC_ROLE_SLAVE)
++ /*
++ * This is cleared in frame_done worker, which isn't invoked
++ * for async commits. So don't set this for async, since it'll
++ * roll over to the next commit.
++ */
++ if (!async && phys->split_role != ENC_ROLE_SLAVE)
+ set_bit(i, dpu_enc->frame_busy_mask);
++
+ if (!phys->ops.needs_single_flush ||
+ !phys->ops.needs_single_flush(phys))
+ _dpu_encoder_trigger_flush(&dpu_enc->base, phys, 0x0,
+--
+2.20.1
+
--- /dev/null
+From af026efd965a1b6d5a3a72a6b13fb0f952d91d3d Mon Sep 17 00:00:00 2001
+From: Jeykumar Sankaran <jsanka@codeaurora.org>
+Date: Wed, 13 Feb 2019 17:19:12 -0800
+Subject: drm/msm/dpu: release resources on modeset failure
+
+[ Upstream commit a7fcc3237f31a4e206953bb73cf41bd429442f09 ]
+
+release resources allocated in mode_set if any of
+the hw check fails. Most of these checks are not
+necessary and they will be removed in the follow up
+patches with state based resource allocations.
+
+Signed-off-by: Jeykumar Sankaran <jsanka@codeaurora.org>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1550107156-17625-4-git-send-email-jsanka@codeaurora.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+index 5aa3307f3f0c5..f59c00191a2a2 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+@@ -1023,13 +1023,13 @@ static void dpu_encoder_virt_mode_set(struct drm_encoder *drm_enc,
+ if (!dpu_enc->hw_pp[i]) {
+ DPU_ERROR_ENC(dpu_enc, "no pp block assigned"
+ "at idx: %d\n", i);
+- return;
++ goto error;
+ }
+
+ if (!hw_ctl[i]) {
+ DPU_ERROR_ENC(dpu_enc, "no ctl block assigned"
+ "at idx: %d\n", i);
+- return;
++ goto error;
+ }
+
+ phys->hw_pp = dpu_enc->hw_pp[i];
+@@ -1042,6 +1042,9 @@ static void dpu_encoder_virt_mode_set(struct drm_encoder *drm_enc,
+ }
+
+ dpu_enc->mode_set_complete = true;
++
++error:
++ dpu_rm_release(&dpu_kms->rm, drm_enc);
+ }
+
+ static void _dpu_encoder_virt_enable_helper(struct drm_encoder *drm_enc)
+--
+2.20.1
+
--- /dev/null
+From b21fd5a0032c8409e9ab94959f8434d8f1b5b9e9 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <luca@z3ntu.xyz>
+Date: Sat, 2 Mar 2019 13:35:29 +0100
+Subject: drm/msm: Fix NULL pointer dereference
+
+[ Upstream commit 7603df38cc8c1e5d540b18ec9eb9d62d823197d0 ]
+
+[ 3.707412] Unable to handle kernel NULL pointer dereference at virtual address 0000009c
+[ 3.714511] pgd = (ptrval)
+[ 3.722742] [0000009c] *pgd=00000000
+[ 3.725238] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+[ 3.728968] Modules linked in:
+[ 3.734265] CPU: 3 PID: 112 Comm: kworker/3:2 Tainted: G W 5.0.0-rc7-00183-g06a1c31df9eb #4
+[ 3.737142] Hardware name: Generic DT based system
+[ 3.746778] Workqueue: events deferred_probe_work_func
+[ 3.751542] PC is at msm_gem_map_vma+0x3c/0xac
+[ 3.756669] LR is at msm_gem_get_and_pin_iova+0xd8/0x134
+[ 3.761086] pc : [<c07d3b7c>] lr : [<c07d14f8>] psr: 60000013
+[ 3.766560] sp : ee297be8 ip : ed9ab1c0 fp : ed93b800
+[ 3.772546] r10: ee35e180 r9 : 00000000 r8 : ee297c80
+[ 3.777752] r7 : 00000000 r6 : 7c100000 r5 : 00000000 r4 : ee35e180
+[ 3.782968] r3 : 00000001 r2 : 00000003 r1 : ee35e180 r0 : 00000000
+[ 3.789562] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+[ 3.796079] Control: 10c5787d Table: 2e3a806a DAC: 00000051
+[ 3.803282] Process kworker/3:2 (pid: 112, stack limit = 0x(ptrval))
+[ 3.809006] Stack: (0xee297be8 to 0xee298000)
+[ 3.815445] 7be0: 00000000 c1108c48 eda8c000 00000003 eda8c0fc c1108c48
+[ 3.819715] 7c00: eda8c000 00000003 eda8c0fc c07d14f8 00000001 c07d1100 7c100000 00000000
+[ 3.827873] 7c20: eda8c000 bb7ffb78 00000000 eda8c000 00000000 00000000 c0c8b1d4 ee3bfa00
+[ 3.836037] 7c40: ee3b9800 c07d1684 00000000 c1108c48 ee0d7810 ee3b9800 c0c8b1d4 c07d222c
+[ 3.844193] 7c60: ee3bfd84 ee297c80 00000000 c0b1d5b0 ee3bfc40 c07dcfd8 ee3bfd84 ee297c80
+[ 3.852357] 7c80: 0000006d ee3bfc40 ee0d7810 bb7ffb78 c0c8b1d4 00000000 ee3bfc40 c07ddb48
+[ 3.860516] 7ca0: 00002004 c0eba384 ee3bfc40 c079eba0 ee3bd040 ee3b9800 00000001 ed93b800
+[ 3.868673] 7cc0: ed9aa100 c07db7e8 ee3bf240 ed9a6500 00000001 ee3b9800 ee3bf2d4 c07a0a30
+[ 3.876834] 7ce0: ed93b800 7d100000 c1108c48 ee0d7610 ee3b9800 ed93b800 c1108c48 00000000
+[ 3.884991] 7d00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 3.893151] 7d20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bb7ffb78
+[ 3.901310] 7d40: c12113c4 ed93b800 ee3b9800 c1108c48 ee9eec10 00000000 ed93b800 7d100000
+[ 3.909472] 7d60: eff7b000 c07cf748 7d100000 00000000 c0e9a350 c0b1d5b0 c12113c4 c0961e40
+[ 3.917633] 7d80: c12113c4 40000113 eeff4bec c0ebe004 00000019 c0b1d230 ee9eeda8 60000113
+[ 3.925791] 7da0: ee35d300 ee9eeda8 c07ce260 bb7ffb78 c07ce260 ee35d2c0 00000028 00000002
+[ 3.933950] 7dc0: eeb76280 c118f884 ee0be640 c11c6128 c07ce260 c07ea4ac 00000000 c0962b48
+[ 3.942108] 7de0: c118f868 00000001 c0ebbc98 ee35d2c0 00000000 eeb76280 00000000 c118f87c
+[ 3.950270] 7e00: ee35d2c0 00000000 c11c63e0 c118f694 00000019 c07ea5d0 ee0d7810 00000000
+[ 3.958430] 7e20: c118f694 00000000 00000000 c07f2b0c c120f55c ee0d7810 c120f560 00000000
+[ 3.966590] 7e40: 00000000 c07f08c4 c07f0e8c ee0d7810 c11ba3d0 ee0d7810 c118f694 c07f0e8c
+[ 3.974748] 7e60: c1108c48 00000001 c0ebc3cc c11c63f8 c11ba3d0 c07f0c08 00000001 c07f2f8c
+[ 3.982908] 7e80: c118f694 00000000 ee297ed4 c07f0e8c c1108c48 00000001 c0ebc3cc c11c63f8
+[ 3.991068] 7ea0: c11ba3d0 c07ee8a0 c11ba3d0 ee82686c ee0baf38 bb7ffb78 ee0d7810 ee0d7810
+[ 3.999227] 7ec0: c1108c48 ee0d7844 c118faac c07f05b0 ee0d7810 ee0d7810 00000001 bb7ffb78
+[ 4.007389] 7ee0: ee0d7810 ee0d7810 c118fd18 c118faac c11c63e0 c07ef7d0 ee0d7810 c118fa90
+[ 4.015548] 7f00: c118fa90 c07efd68 c118fac8 ee27fe00 eefd9c80 eefdcd00 00000000 c118facc
+[ 4.023708] 7f20: 00000000 c033c038 eefd9c80 eefd9c80 00000008 ee27fe00 ee27fe14 eefd9c80
+[ 4.031866] 7f40: 00000008 c1103d00 eefd9c98 ee296000 eefd9c80 c033ce54 ee907eac c0b1d230
+[ 4.040026] 7f60: ee907eac eea24440 ee285000 00000000 ee296000 ee27fe00 c033ce24 eea2445c
+[ 4.048188] 7f80: ee907eac c0341db0 00000000 ee285000 c0341c8c 00000000 00000000 00000000
+[ 4.056346] 7fa0: 00000000 00000000 00000000 c03010e8 00000000 00000000 00000000 00000000
+[ 4.064505] 7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 4.072665] 7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[ 4.080828] [<c07d3b7c>] (msm_gem_map_vma) from [<c07d14f8>] (msm_gem_get_and_pin_iova+0xd8/0x134)
+[ 4.088983] [<c07d14f8>] (msm_gem_get_and_pin_iova) from [<c07d1684>] (_msm_gem_kernel_new+0x38/0xac)
+[ 4.097839] [<c07d1684>] (_msm_gem_kernel_new) from [<c07d222c>] (msm_gem_kernel_new+0x24/0x2c)
+[ 4.107130] [<c07d222c>] (msm_gem_kernel_new) from [<c07dcfd8>] (dsi_tx_buf_alloc_6g+0x44/0x90)
+[ 4.115631] [<c07dcfd8>] (dsi_tx_buf_alloc_6g) from [<c07ddb48>] (msm_dsi_host_modeset_init+0x80/0x104)
+[ 4.124313] [<c07ddb48>] (msm_dsi_host_modeset_init) from [<c07db7e8>] (msm_dsi_modeset_init+0x34/0x1c0)
+[ 4.133691] [<c07db7e8>] (msm_dsi_modeset_init) from [<c07a0a30>] (mdp5_kms_init+0x764/0x7e0)
+[ 4.143409] [<c07a0a30>] (mdp5_kms_init) from [<c07cf748>] (msm_drm_bind+0x56c/0x740)
+[ 4.151824] [<c07cf748>] (msm_drm_bind) from [<c07ea4ac>] (try_to_bring_up_master+0x238/0x2b4)
+[ 4.159636] [<c07ea4ac>] (try_to_bring_up_master) from [<c07ea5d0>] (component_add+0xa8/0x170)
+[ 4.168146] [<c07ea5d0>] (component_add) from [<c07f2b0c>] (platform_drv_probe+0x48/0x9c)
+[ 4.176737] [<c07f2b0c>] (platform_drv_probe) from [<c07f08c4>] (really_probe+0x278/0x404)
+[ 4.184981] [<c07f08c4>] (really_probe) from [<c07f0c08>] (driver_probe_device+0x78/0x1c0)
+[ 4.193147] [<c07f0c08>] (driver_probe_device) from [<c07ee8a0>] (bus_for_each_drv+0x74/0xb8)
+[ 4.201389] [<c07ee8a0>] (bus_for_each_drv) from [<c07f05b0>] (__device_attach+0xd0/0x164)
+[ 4.209984] [<c07f05b0>] (__device_attach) from [<c07ef7d0>] (bus_probe_device+0x84/0x8c)
+[ 4.218143] [<c07ef7d0>] (bus_probe_device) from [<c07efd68>] (deferred_probe_work_func+0x48/0xc4)
+[ 4.226398] [<c07efd68>] (deferred_probe_work_func) from [<c033c038>] (process_one_work+0x204/0x574)
+[ 4.235254] [<c033c038>] (process_one_work) from [<c033ce54>] (worker_thread+0x30/0x560)
+[ 4.244534] [<c033ce54>] (worker_thread) from [<c0341db0>] (kthread+0x124/0x154)
+[ 4.252606] [<c0341db0>] (kthread) from [<c03010e8>] (ret_from_fork+0x14/0x2c)
+[ 4.259966] Exception stack(0xee297fb0 to 0xee297ff8)
+[ 4.266998] 7fa0: 00000000 00000000 00000000 00000000
+[ 4.272143] 7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 4.280297] 7fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[ 4.288451] Code: e5813080 1a000013 e3a03001 e5c4307c (e590009c)
+[ 4.294933] ---[ end trace 18729cc2bca2b4b3 ]---
+
+Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_vma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
+index 49c04829cf344..fcf7a83f0e6fe 100644
+--- a/drivers/gpu/drm/msm/msm_gem_vma.c
++++ b/drivers/gpu/drm/msm/msm_gem_vma.c
+@@ -85,7 +85,7 @@ msm_gem_map_vma(struct msm_gem_address_space *aspace,
+
+ vma->mapped = true;
+
+- if (aspace->mmu)
++ if (aspace && aspace->mmu)
+ ret = aspace->mmu->funcs->map(aspace->mmu, vma->iova, sgt,
+ size, prot);
+
+--
+2.20.1
+
--- /dev/null
+From c09c44958a4aab5397e26de647adb30e9f4a85fe Mon Sep 17 00:00:00 2001
+From: Jon Derrick <jonathan.derrick@intel.com>
+Date: Fri, 15 Mar 2019 18:05:16 -0600
+Subject: drm/nouveau/bar/nv50: ensure BAR is mapped
+
+[ Upstream commit f10b83de1fd49216a4c657816f48001437e4bdd5 ]
+
+If the BAR is zero size, it indicates it was never successfully mapped.
+Ensure that the BAR is valid during initialization before attempting to
+use it.
+
+Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c
+index 157b076a12723..38c9c086754b6 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c
+@@ -109,7 +109,7 @@ nv50_bar_oneinit(struct nvkm_bar *base)
+ struct nvkm_device *device = bar->base.subdev.device;
+ static struct lock_class_key bar1_lock;
+ static struct lock_class_key bar2_lock;
+- u64 start, limit;
++ u64 start, limit, size;
+ int ret;
+
+ ret = nvkm_gpuobj_new(device, 0x20000, 0, false, NULL, &bar->mem);
+@@ -127,7 +127,10 @@ nv50_bar_oneinit(struct nvkm_bar *base)
+
+ /* BAR2 */
+ start = 0x0100000000ULL;
+- limit = start + device->func->resource_size(device, 3);
++ size = device->func->resource_size(device, 3);
++ if (!size)
++ return -ENOMEM;
++ limit = start + size;
+
+ ret = nvkm_vmm_new(device, start, limit-- - start, NULL, 0,
+ &bar2_lock, "bar2", &bar->bar2_vmm);
+@@ -164,7 +167,10 @@ nv50_bar_oneinit(struct nvkm_bar *base)
+
+ /* BAR1 */
+ start = 0x0000000000ULL;
+- limit = start + device->func->resource_size(device, 1);
++ size = device->func->resource_size(device, 1);
++ if (!size)
++ return -ENOMEM;
++ limit = start + size;
+
+ ret = nvkm_vmm_new(device, start, limit-- - start, NULL, 0,
+ &bar1_lock, "bar1", &bar->bar1_vmm);
+--
+2.20.1
+
--- /dev/null
+From ddad763406920fe5b525f51961b8b3792f10c47f Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Thu, 7 Feb 2019 07:45:16 -0800
+Subject: drm/omap: dsi: Fix PM for display blank with paired dss_pll calls
+
+[ Upstream commit fe4ed1b457943113ee1138c939fbdeede4af6cf3 ]
+
+Currently dsi_display_init_dsi() calls dss_pll_enable() but it is not
+paired with dss_pll_disable() in dsi_display_uninit_dsi(). This leaves
+the DSS clocks enabled when the display is blanked wasting about extra
+5mW of power while idle.
+
+The clock that is left on by not calling dss_pll_disable() is
+DSS_CLKCTRL bit 10 OPTFCLKEN_SYS_CLK that is the source clock for
+DSI PLL.
+
+We can fix this issue by by making the current dsi_pll_uninit() into
+dsi_pll_disable(). This way we can just call dss_pll_disable() from
+dsi_display_uninit_dsi() and the code becomes a bit easier to follow.
+
+However, we need to also consider that DSI PLL can be muxed for DVI too
+as pointed out by Tomi Valkeinen <tomi.valkeinen@ti.com>. In the DVI
+case, we want to unconditionally disable the clocks. To get around this
+issue, we separate out the DSI lane handling from dsi_pll_enable() and
+dsi_pll_disable() as suggested by Tomi in an earlier experimental patch.
+
+So we must only toggle the DSI regulator based on the vdds_dsi_enabled
+flag from dsi_display_init_dsi() and dsi_display_uninit_dsi().
+
+We need to make these two changes together to avoid breaking things
+for DVI when fixing the DSI clock handling. And this all causes a
+slight renumbering of the error path for dsi_display_init_dsi().
+
+Suggested-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/omapdrm/dss/dsi.c | 60 ++++++++++++++++---------------
+ 1 file changed, 31 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/gpu/drm/omapdrm/dss/dsi.c b/drivers/gpu/drm/omapdrm/dss/dsi.c
+index 64fb788b66474..f0fe975ed46c7 100644
+--- a/drivers/gpu/drm/omapdrm/dss/dsi.c
++++ b/drivers/gpu/drm/omapdrm/dss/dsi.c
+@@ -1342,12 +1342,9 @@ static int dsi_pll_enable(struct dss_pll *pll)
+ */
+ dsi_enable_scp_clk(dsi);
+
+- if (!dsi->vdds_dsi_enabled) {
+- r = regulator_enable(dsi->vdds_dsi_reg);
+- if (r)
+- goto err0;
+- dsi->vdds_dsi_enabled = true;
+- }
++ r = regulator_enable(dsi->vdds_dsi_reg);
++ if (r)
++ goto err0;
+
+ /* XXX PLL does not come out of reset without this... */
+ dispc_pck_free_enable(dsi->dss->dispc, 1);
+@@ -1372,36 +1369,25 @@ static int dsi_pll_enable(struct dss_pll *pll)
+
+ return 0;
+ err1:
+- if (dsi->vdds_dsi_enabled) {
+- regulator_disable(dsi->vdds_dsi_reg);
+- dsi->vdds_dsi_enabled = false;
+- }
++ regulator_disable(dsi->vdds_dsi_reg);
+ err0:
+ dsi_disable_scp_clk(dsi);
+ dsi_runtime_put(dsi);
+ return r;
+ }
+
+-static void dsi_pll_uninit(struct dsi_data *dsi, bool disconnect_lanes)
++static void dsi_pll_disable(struct dss_pll *pll)
+ {
++ struct dsi_data *dsi = container_of(pll, struct dsi_data, pll);
++
+ dsi_pll_power(dsi, DSI_PLL_POWER_OFF);
+- if (disconnect_lanes) {
+- WARN_ON(!dsi->vdds_dsi_enabled);
+- regulator_disable(dsi->vdds_dsi_reg);
+- dsi->vdds_dsi_enabled = false;
+- }
++
++ regulator_disable(dsi->vdds_dsi_reg);
+
+ dsi_disable_scp_clk(dsi);
+ dsi_runtime_put(dsi);
+
+- DSSDBG("PLL uninit done\n");
+-}
+-
+-static void dsi_pll_disable(struct dss_pll *pll)
+-{
+- struct dsi_data *dsi = container_of(pll, struct dsi_data, pll);
+-
+- dsi_pll_uninit(dsi, true);
++ DSSDBG("PLL disable done\n");
+ }
+
+ static int dsi_dump_dsi_clocks(struct seq_file *s, void *p)
+@@ -4096,11 +4082,11 @@ static int dsi_display_init_dsi(struct dsi_data *dsi)
+
+ r = dss_pll_enable(&dsi->pll);
+ if (r)
+- goto err0;
++ return r;
+
+ r = dsi_configure_dsi_clocks(dsi);
+ if (r)
+- goto err1;
++ goto err0;
+
+ dss_select_dsi_clk_source(dsi->dss, dsi->module_id,
+ dsi->module_id == 0 ?
+@@ -4108,6 +4094,14 @@ static int dsi_display_init_dsi(struct dsi_data *dsi)
+
+ DSSDBG("PLL OK\n");
+
++ if (!dsi->vdds_dsi_enabled) {
++ r = regulator_enable(dsi->vdds_dsi_reg);
++ if (r)
++ goto err1;
++
++ dsi->vdds_dsi_enabled = true;
++ }
++
+ r = dsi_cio_init(dsi);
+ if (r)
+ goto err2;
+@@ -4136,10 +4130,13 @@ static int dsi_display_init_dsi(struct dsi_data *dsi)
+ err3:
+ dsi_cio_uninit(dsi);
+ err2:
+- dss_select_dsi_clk_source(dsi->dss, dsi->module_id, DSS_CLK_SRC_FCK);
++ regulator_disable(dsi->vdds_dsi_reg);
++ dsi->vdds_dsi_enabled = false;
+ err1:
+- dss_pll_disable(&dsi->pll);
++ dss_select_dsi_clk_source(dsi->dss, dsi->module_id, DSS_CLK_SRC_FCK);
+ err0:
++ dss_pll_disable(&dsi->pll);
++
+ return r;
+ }
+
+@@ -4158,7 +4155,12 @@ static void dsi_display_uninit_dsi(struct dsi_data *dsi, bool disconnect_lanes,
+
+ dss_select_dsi_clk_source(dsi->dss, dsi->module_id, DSS_CLK_SRC_FCK);
+ dsi_cio_uninit(dsi);
+- dsi_pll_uninit(dsi, disconnect_lanes);
++ dss_pll_disable(&dsi->pll);
++
++ if (disconnect_lanes) {
++ regulator_disable(dsi->vdds_dsi_reg);
++ dsi->vdds_dsi_enabled = false;
++ }
+ }
+
+ static int dsi_display_enable(struct omap_dss_device *dssdev)
+--
+2.20.1
+
--- /dev/null
+From 2eca46fd2846b819af1c82b1cb28aa321b42a44b Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Thu, 13 Sep 2018 03:45:06 +0300
+Subject: drm/omap: Notify all devices in the pipeline of output disconnection
+
+[ Upstream commit 27a7e3e18419869cdcc414a404f3fe66f1b4e644 ]
+
+For HDMI pipelines, when the output gets disconnected the device
+handling CEC needs to be notified. Instead of guessing which device that
+would be (and sometimes getting it wrong), notify all devices in the
+pipeline.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/omapdrm/omap_connector.c | 28 ++++++++++++++----------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpu/drm/omapdrm/omap_connector.c b/drivers/gpu/drm/omapdrm/omap_connector.c
+index 9da94d10782a8..d37e3c001e24c 100644
+--- a/drivers/gpu/drm/omapdrm/omap_connector.c
++++ b/drivers/gpu/drm/omapdrm/omap_connector.c
+@@ -36,18 +36,22 @@ struct omap_connector {
+ };
+
+ static void omap_connector_hpd_notify(struct drm_connector *connector,
+- struct omap_dss_device *src,
+ enum drm_connector_status status)
+ {
+- if (status == connector_status_disconnected) {
+- /*
+- * If the source is an HDMI encoder, notify it of disconnection.
+- * This is required to let the HDMI encoder reset any internal
+- * state related to connection status, such as the CEC address.
+- */
+- if (src && src->type == OMAP_DISPLAY_TYPE_HDMI &&
+- src->ops->hdmi.lost_hotplug)
+- src->ops->hdmi.lost_hotplug(src);
++ struct omap_connector *omap_connector = to_omap_connector(connector);
++ struct omap_dss_device *dssdev;
++
++ if (status != connector_status_disconnected)
++ return;
++
++ /*
++ * Notify all devics in the pipeline of disconnection. This is required
++ * to let the HDMI encoders reset their internal state related to
++ * connection status, such as the CEC address.
++ */
++ for (dssdev = omap_connector->output; dssdev; dssdev = dssdev->next) {
++ if (dssdev->ops && dssdev->ops->hdmi.lost_hotplug)
++ dssdev->ops->hdmi.lost_hotplug(dssdev);
+ }
+ }
+
+@@ -67,7 +71,7 @@ static void omap_connector_hpd_cb(void *cb_data,
+ if (old_status == status)
+ return;
+
+- omap_connector_hpd_notify(connector, omap_connector->hpd, status);
++ omap_connector_hpd_notify(connector, status);
+
+ drm_kms_helper_hotplug_event(dev);
+ }
+@@ -128,7 +132,7 @@ static enum drm_connector_status omap_connector_detect(
+ ? connector_status_connected
+ : connector_status_disconnected;
+
+- omap_connector_hpd_notify(connector, dssdev->src, status);
++ omap_connector_hpd_notify(connector, status);
+ } else {
+ switch (omap_connector->display->type) {
+ case OMAP_DISPLAY_TYPE_DPI:
+--
+2.20.1
+
--- /dev/null
+From 35a652a6591a16bdc6b86f48821f6de1f646f90e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Yannick=20Fertr=C3=A9?= <yannick.fertre@st.com>
+Date: Thu, 21 Mar 2019 09:04:05 +0100
+Subject: drm/panel: otm8009a: Add delay at the end of initialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 0084c3c71126fc878c6dab8a6ab8ecc484c2be02 ]
+
+At the end of initialization, a delay is required by the panel. Without
+this delay, the panel could received a frame early & generate a crash of
+panel (black screen).
+
+Signed-off-by: Yannick Fertré <yannick.fertre@st.com>
+Reviewed-by: Philippe Cornu <philippe.cornu@st.com>
+Tested-by: Philippe Cornu <philippe.cornu@st.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1553155445-13407-1-git-send-email-yannick.fertre@st.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-orisetech-otm8009a.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c
+index 87fa316e1d7b0..58ccf648b70fb 100644
+--- a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c
++++ b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c
+@@ -248,6 +248,9 @@ static int otm8009a_init_sequence(struct otm8009a *ctx)
+ /* Send Command GRAM memory write (no parameters) */
+ dcs_write_seq(ctx, MIPI_DCS_WRITE_MEMORY_START);
+
++ /* Wait a short while to let the panel be ready before the 1st frame */
++ mdelay(10);
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 503239d8266304f40fecc88330dbb926014590e2 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Thu, 4 Apr 2019 00:04:13 +0800
+Subject: drm/pl111: fix possible object reference leak
+
+[ Upstream commit bc29d3a69d4c1bd1a103e8b3c1ed81b807c1870b ]
+
+The call to of_find_matching_node_and_match returns a node pointer with
+refcount incremented thus it must be explicitly decremented after the
+last usage.
+
+Detected by coccinelle with the following warnings:
+drivers/gpu/drm/pl111/pl111_versatile.c:333:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function.
+drivers/gpu/drm/pl111/pl111_versatile.c:340:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function.
+drivers/gpu/drm/pl111/pl111_versatile.c:346:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function.
+drivers/gpu/drm/pl111/pl111_versatile.c:354:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function.
+drivers/gpu/drm/pl111/pl111_versatile.c:395:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function.
+drivers/gpu/drm/pl111/pl111_versatile.c:402:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Eric Anholt <eric@anholt.net> (supporter:DRM DRIVER FOR ARM PL111 CLCD)
+Cc: David Airlie <airlied@linux.ie> (maintainer:DRM DRIVERS)
+Cc: Daniel Vetter <daniel@ffwll.ch> (maintainer:DRM DRIVERS)
+Cc: dri-devel@lists.freedesktop.org (open list:DRM DRIVERS)
+Cc: linux-kernel@vger.kernel.org (open list)
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/1554307455-40361-6-git-send-email-wen.yang99@zte.com.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/pl111/pl111_versatile.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/pl111/pl111_versatile.c b/drivers/gpu/drm/pl111/pl111_versatile.c
+index b9baefdba38a1..1c318ad32a8cd 100644
+--- a/drivers/gpu/drm/pl111/pl111_versatile.c
++++ b/drivers/gpu/drm/pl111/pl111_versatile.c
+@@ -330,6 +330,7 @@ int pl111_versatile_init(struct device *dev, struct pl111_drm_dev_private *priv)
+ ret = vexpress_muxfpga_init();
+ if (ret) {
+ dev_err(dev, "unable to initialize muxfpga driver\n");
++ of_node_put(np);
+ return ret;
+ }
+
+@@ -337,17 +338,20 @@ int pl111_versatile_init(struct device *dev, struct pl111_drm_dev_private *priv)
+ pdev = of_find_device_by_node(np);
+ if (!pdev) {
+ dev_err(dev, "can't find the sysreg device, deferring\n");
++ of_node_put(np);
+ return -EPROBE_DEFER;
+ }
+ map = dev_get_drvdata(&pdev->dev);
+ if (!map) {
+ dev_err(dev, "sysreg has not yet probed\n");
+ platform_device_put(pdev);
++ of_node_put(np);
+ return -EPROBE_DEFER;
+ }
+ } else {
+ map = syscon_node_to_regmap(np);
+ }
++ of_node_put(np);
+
+ if (IS_ERR(map)) {
+ dev_err(dev, "no Versatile syscon regmap\n");
+--
+2.20.1
+
--- /dev/null
+From 897cdd048953d83bcaa80b880776713fa493590d Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Fri, 29 Mar 2019 20:32:41 +0900
+Subject: drm: prefix header search paths with $(srctree)/
+
+[ Upstream commit 43068cb7ba1f6ceb1523e947c84002b2a61fd6d4 ]
+
+Currently, the Kbuild core manipulates header search paths in a crazy
+way [1].
+
+To fix this mess, I want all Makefiles to add explicit $(srctree)/ to
+the search paths in the srctree. Some Makefiles are already written in
+that way, but not all. The goal of this work is to make the notation
+consistent, and finally get rid of the gross hacks.
+
+Having whitespaces after -I does not matter since commit 48f6e3cf5bc6
+("kbuild: do not drop -I without parameter").
+
+[1]: https://patchwork.kernel.org/patch/9632347/
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Reviewed-by: James Qian Wang (Arm Technology China) <james.qian.wang@arm.com>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/1553859161-2628-1-git-send-email-yamada.masahiro@socionext.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/Makefile | 2 +-
+ drivers/gpu/drm/arm/display/komeda/Makefile | 4 ++--
+ drivers/gpu/drm/i915/gvt/Makefile | 2 +-
+ drivers/gpu/drm/msm/Makefile | 6 +++---
+ drivers/gpu/drm/nouveau/Kbuild | 8 ++++----
+ 5 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/Makefile b/drivers/gpu/drm/amd/amdgpu/Makefile
+index 466da5954a682..62bf9da25e4b3 100644
+--- a/drivers/gpu/drm/amd/amdgpu/Makefile
++++ b/drivers/gpu/drm/amd/amdgpu/Makefile
+@@ -23,7 +23,7 @@
+ # Makefile for the drm device driver. This driver provides support for the
+ # Direct Rendering Infrastructure (DRI) in XFree86 4.1.0 and higher.
+
+-FULL_AMD_PATH=$(src)/..
++FULL_AMD_PATH=$(srctree)/$(src)/..
+ DISPLAY_FOLDER_NAME=display
+ FULL_AMD_DISPLAY_PATH = $(FULL_AMD_PATH)/$(DISPLAY_FOLDER_NAME)
+
+diff --git a/drivers/gpu/drm/arm/display/komeda/Makefile b/drivers/gpu/drm/arm/display/komeda/Makefile
+index 1b875e5dc0f6f..a72e30c0e03d3 100644
+--- a/drivers/gpu/drm/arm/display/komeda/Makefile
++++ b/drivers/gpu/drm/arm/display/komeda/Makefile
+@@ -1,8 +1,8 @@
+ # SPDX-License-Identifier: GPL-2.0
+
+ ccflags-y := \
+- -I$(src)/../include \
+- -I$(src)
++ -I $(srctree)/$(src)/../include \
++ -I $(srctree)/$(src)
+
+ komeda-y := \
+ komeda_drv.o \
+diff --git a/drivers/gpu/drm/i915/gvt/Makefile b/drivers/gpu/drm/i915/gvt/Makefile
+index 271fb46d4dd0d..ea8324abc784a 100644
+--- a/drivers/gpu/drm/i915/gvt/Makefile
++++ b/drivers/gpu/drm/i915/gvt/Makefile
+@@ -5,5 +5,5 @@ GVT_SOURCE := gvt.o aperture_gm.o handlers.o vgpu.o trace_points.o firmware.o \
+ execlist.o scheduler.o sched_policy.o mmio_context.o cmd_parser.o debugfs.o \
+ fb_decoder.o dmabuf.o page_track.o
+
+-ccflags-y += -I$(src) -I$(src)/$(GVT_DIR)
++ccflags-y += -I $(srctree)/$(src) -I $(srctree)/$(src)/$(GVT_DIR)/
+ i915-y += $(addprefix $(GVT_DIR)/, $(GVT_SOURCE))
+diff --git a/drivers/gpu/drm/msm/Makefile b/drivers/gpu/drm/msm/Makefile
+index 56a70c74af4ed..b7b1ebdc81902 100644
+--- a/drivers/gpu/drm/msm/Makefile
++++ b/drivers/gpu/drm/msm/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+-ccflags-y := -Idrivers/gpu/drm/msm
+-ccflags-y += -Idrivers/gpu/drm/msm/disp/dpu1
+-ccflags-$(CONFIG_DRM_MSM_DSI) += -Idrivers/gpu/drm/msm/dsi
++ccflags-y := -I $(srctree)/$(src)
++ccflags-y += -I $(srctree)/$(src)/disp/dpu1
++ccflags-$(CONFIG_DRM_MSM_DSI) += -I $(srctree)/$(src)/dsi
+
+ msm-y := \
+ adreno/adreno_device.o \
+diff --git a/drivers/gpu/drm/nouveau/Kbuild b/drivers/gpu/drm/nouveau/Kbuild
+index 581404e6544d4..378c5dd692b0b 100644
+--- a/drivers/gpu/drm/nouveau/Kbuild
++++ b/drivers/gpu/drm/nouveau/Kbuild
+@@ -1,7 +1,7 @@
+-ccflags-y += -I$(src)/include
+-ccflags-y += -I$(src)/include/nvkm
+-ccflags-y += -I$(src)/nvkm
+-ccflags-y += -I$(src)
++ccflags-y += -I $(srctree)/$(src)/include
++ccflags-y += -I $(srctree)/$(src)/include/nvkm
++ccflags-y += -I $(srctree)/$(src)/nvkm
++ccflags-y += -I $(srctree)/$(src)
+
+ # NVKM - HW resource manager
+ #- code also used by various userspace tools/tests
+--
+2.20.1
+
--- /dev/null
+From d29fb19931c596af4937aba09e4152bdf433f679 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Tue, 12 Mar 2019 18:18:17 +0200
+Subject: drm: rcar-du: lvds: Fix post-DLL divider calculation
+
+[ Upstream commit 167e535438ecc73d299340bb1269616432020dfb ]
+
+The PLL parameters are computed by looping over the range of acceptable
+M, N and E values, and selecting the combination that produces the
+output frequency closest to the target. The internal frequency
+constraints are taken into account by restricting the tested values for
+the PLL parameters, reducing the search space. The target frequency,
+however, is only taken into account when computing the post-PLL divider,
+which can result in a 0 value for the divider when the PLL output
+frequency being tested is lower than half of the target frequency.
+Subsequent loops will produce a better set of PLL parameters, but for
+some of the iterations this can result in a division by 0.
+
+Fix it by clamping the divider value. We could instead restrict the E
+values being tested in the inner loop, but that would require additional
+calculation that would likely be less efficient as the E parameter can
+only take three different values.
+
+Fixes: c25c01361199 ("drm: rcar-du: lvds: D3/E3 support")
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_lvds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/rcar_lvds.c b/drivers/gpu/drm/rcar-du/rcar_lvds.c
+index f0314790333ba..033f44e46daf4 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_lvds.c
++++ b/drivers/gpu/drm/rcar-du/rcar_lvds.c
+@@ -283,7 +283,7 @@ static void rcar_lvds_d3_e3_pll_calc(struct rcar_lvds *lvds, struct clk *clk,
+ * divider.
+ */
+ fout = fvco / (1 << e) / div7;
+- div = DIV_ROUND_CLOSEST(fout, target);
++ div = max(1UL, DIV_ROUND_CLOSEST(fout, target));
+ diff = abs(fout / div - target);
+
+ if (diff < pll->diff) {
+--
+2.20.1
+
--- /dev/null
+From 954030c9867b5ae1c4c28e6809f6fa462689989a Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Wed, 6 Mar 2019 22:48:35 +0200
+Subject: drm: rcar-du: lvds: Set LVEN and LVRES bits together on D3
+
+[ Upstream commit 00d082cc4ea6e42ec4fed832a1020231bb1ca150 ]
+
+On the D3 SoC the LVDS PHY must be enabled in the same register write
+that enables the LVDS output. Skip writing the LVEN bit independently
+on that platform, it will be set by the write that sets LVRES.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_lvds.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/rcar_lvds.c b/drivers/gpu/drm/rcar-du/rcar_lvds.c
+index 7ef97b2a6edaa..f0314790333ba 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_lvds.c
++++ b/drivers/gpu/drm/rcar-du/rcar_lvds.c
+@@ -485,9 +485,13 @@ static void rcar_lvds_enable(struct drm_bridge *bridge)
+ }
+
+ if (lvds->info->quirks & RCAR_LVDS_QUIRK_GEN3_LVEN) {
+- /* Turn on the LVDS PHY. */
++ /*
++ * Turn on the LVDS PHY. On D3, the LVEN and LVRES bit must be
++ * set at the same time, so don't write the register yet.
++ */
+ lvdcr0 |= LVDCR0_LVEN;
+- rcar_lvds_write(lvds, LVDCR0, lvdcr0);
++ if (!(lvds->info->quirks & RCAR_LVDS_QUIRK_PWD))
++ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
+ }
+
+ if (!(lvds->info->quirks & RCAR_LVDS_QUIRK_EXT_PLL)) {
+--
+2.20.1
+
--- /dev/null
+From 8c86027ad3db60a274d0e826f6fc58253735b647 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@bootlin.com>
+Date: Mon, 11 Feb 2019 15:41:23 +0100
+Subject: drm/sun4i: dsi: Change the start delay calculation
+
+[ Upstream commit da676c6aa6413d59ab0a80c97bbc273025e640b2 ]
+
+The current calculation for the video start delay in the current DSI driver
+is that it is the total vertical size, minus the front porch and sync length,
+plus 1. This equals to the active vertical size plus the back porch plus 1.
+
+That 1 is coming in the Allwinner BSP from an variable that is set to 1.
+However, if we look at the Allwinner BSP more closely, and especially in
+the "legacy" code for the display (in drivers/video/sunxi/legacy/), we can
+see that this variable is actually computed from the porches and the sync
+minus 10, clamped between 8 and 100.
+
+This fixes the start delay symptom we've seen on some panels (vblank
+timeouts with vertical white stripes at the bottom of the panel).
+
+Reviewed-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/6e5f72e68f47ca0223877464bf12f0c3f3978de8.1549896081.git-series.maxime.ripard@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c
+index 318994cd1b851..25d8cb9f92661 100644
+--- a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c
++++ b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c
+@@ -358,7 +358,9 @@ static void sun6i_dsi_inst_init(struct sun6i_dsi *dsi,
+ static u16 sun6i_dsi_get_video_start_delay(struct sun6i_dsi *dsi,
+ struct drm_display_mode *mode)
+ {
+- return mode->vtotal - (mode->vsync_end - mode->vdisplay) + 1;
++ u16 start = clamp(mode->vtotal - mode->vdisplay - 10, 8, 100);
++
++ return mode->vtotal - (mode->vsync_end - mode->vdisplay) + start;
+ }
+
+ static void sun6i_dsi_setup_burst(struct sun6i_dsi *dsi,
+--
+2.20.1
+
--- /dev/null
+From e9fbbd1a334c00b99aa72c7dc6ae3a7d5eea2984 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@bootlin.com>
+Date: Mon, 11 Feb 2019 15:41:24 +0100
+Subject: drm/sun4i: dsi: Enforce boundaries on the start delay
+
+[ Upstream commit efa31801203ac2f5c6a82a28cb991c7163ee0f1d ]
+
+The Allwinner BSP makes sure that we don't end up with a null start delay
+or with a delay larger than vtotal.
+
+The former condition is likely to happen now with the reworked start delay,
+so make sure we enforce the same boundaries.
+
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Reviewed-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/c9889cf5f7a3d101ef380905900b45a182596f56.1549896081.git-series.maxime.ripard@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c
+index 25d8cb9f92661..869e0aedf3434 100644
+--- a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c
++++ b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c
+@@ -359,8 +359,12 @@ static u16 sun6i_dsi_get_video_start_delay(struct sun6i_dsi *dsi,
+ struct drm_display_mode *mode)
+ {
+ u16 start = clamp(mode->vtotal - mode->vdisplay - 10, 8, 100);
++ u16 delay = mode->vtotal - (mode->vsync_end - mode->vdisplay) + start;
+
+- return mode->vtotal - (mode->vsync_end - mode->vdisplay) + start;
++ if (delay > mode->vtotal)
++ delay = delay % mode->vtotal;
++
++ return max_t(u16, delay, 1);
+ }
+
+ static void sun6i_dsi_setup_burst(struct sun6i_dsi *dsi,
+--
+2.20.1
+
--- /dev/null
+From e0b10db4e6d05beb4671a8a4262622e9ac9666a1 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@bootlin.com>
+Date: Mon, 11 Feb 2019 15:41:22 +0100
+Subject: drm/sun4i: dsi: Restrict DSI tcon clock divider
+
+[ Upstream commit 85fb352666732a9e5caf6027b9c253b3d7881d8f ]
+
+The current code allows the TCON clock divider to have a range between 4
+and 127 when feeding the DSI controller.
+
+The only display supported so far had a display clock rate that ended up
+using a divider of 4, but testing with other displays show that only 4
+seems to be functional.
+
+This also aligns with what Allwinner is doing in their BSP, so let's just
+hardcode that we want a divider of 4 when using the DSI output.
+
+Reviewed-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/074e88ae472f5e0492e26939c74b44fb4125ffbd.1549896081.git-series.maxime.ripard@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_tcon.c | 4 ++--
+ drivers/gpu/drm/sun4i/sun6i_mipi_dsi.h | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+index 7136fc91c6036..e75f77ff8e0fc 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+@@ -341,8 +341,8 @@ static void sun4i_tcon0_mode_set_cpu(struct sun4i_tcon *tcon,
+ u32 block_space, start_delay;
+ u32 tcon_div;
+
+- tcon->dclk_min_div = 4;
+- tcon->dclk_max_div = 127;
++ tcon->dclk_min_div = SUN6I_DSI_TCON_DIV;
++ tcon->dclk_max_div = SUN6I_DSI_TCON_DIV;
+
+ sun4i_tcon0_mode_set_common(tcon, mode);
+
+diff --git a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.h b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.h
+index a07090579f84b..5c3ad5be06901 100644
+--- a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.h
++++ b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.h
+@@ -13,6 +13,8 @@
+ #include <drm/drm_encoder.h>
+ #include <drm/drm_mipi_dsi.h>
+
++#define SUN6I_DSI_TCON_DIV 4
++
+ struct sun6i_dsi {
+ struct drm_connector connector;
+ struct drm_encoder encoder;
+--
+2.20.1
+
--- /dev/null
+From b19e2374889be93c1094a41683a67e586ed53e22 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Fri, 8 Mar 2019 09:43:35 -0800
+Subject: drm/v3d: Handle errors from IRQ setup.
+
+[ Upstream commit fc22771547e7e8a63679f0218e943d72b107de65 ]
+
+Noted in review by Dave Emett for V3D 4.2 support.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190308174336.7866-1-eric@anholt.net
+Reviewed-by: Dave Emett <david.emett@broadcom.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/v3d/v3d_drv.c | 8 ++++++--
+ drivers/gpu/drm/v3d/v3d_drv.h | 2 +-
+ drivers/gpu/drm/v3d/v3d_irq.c | 13 +++++++++++--
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/v3d/v3d_drv.c b/drivers/gpu/drm/v3d/v3d_drv.c
+index f0afcec72c348..30ae1c74edaa8 100644
+--- a/drivers/gpu/drm/v3d/v3d_drv.c
++++ b/drivers/gpu/drm/v3d/v3d_drv.c
+@@ -312,14 +312,18 @@ static int v3d_platform_drm_probe(struct platform_device *pdev)
+ if (ret)
+ goto dev_destroy;
+
+- v3d_irq_init(v3d);
++ ret = v3d_irq_init(v3d);
++ if (ret)
++ goto gem_destroy;
+
+ ret = drm_dev_register(drm, 0);
+ if (ret)
+- goto gem_destroy;
++ goto irq_disable;
+
+ return 0;
+
++irq_disable:
++ v3d_irq_disable(v3d);
+ gem_destroy:
+ v3d_gem_destroy(drm);
+ dev_destroy:
+diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h
+index fdda3037f7af7..2fdb456b72d32 100644
+--- a/drivers/gpu/drm/v3d/v3d_drv.h
++++ b/drivers/gpu/drm/v3d/v3d_drv.h
+@@ -310,7 +310,7 @@ void v3d_reset(struct v3d_dev *v3d);
+ void v3d_invalidate_caches(struct v3d_dev *v3d);
+
+ /* v3d_irq.c */
+-void v3d_irq_init(struct v3d_dev *v3d);
++int v3d_irq_init(struct v3d_dev *v3d);
+ void v3d_irq_enable(struct v3d_dev *v3d);
+ void v3d_irq_disable(struct v3d_dev *v3d);
+ void v3d_irq_reset(struct v3d_dev *v3d);
+diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c
+index 69338da70ddce..29d746cfce572 100644
+--- a/drivers/gpu/drm/v3d/v3d_irq.c
++++ b/drivers/gpu/drm/v3d/v3d_irq.c
+@@ -156,7 +156,7 @@ v3d_hub_irq(int irq, void *arg)
+ return status;
+ }
+
+-void
++int
+ v3d_irq_init(struct v3d_dev *v3d)
+ {
+ int ret, core;
+@@ -173,13 +173,22 @@ v3d_irq_init(struct v3d_dev *v3d)
+ ret = devm_request_irq(v3d->dev, platform_get_irq(v3d->pdev, 0),
+ v3d_hub_irq, IRQF_SHARED,
+ "v3d_hub", v3d);
++ if (ret)
++ goto fail;
++
+ ret = devm_request_irq(v3d->dev, platform_get_irq(v3d->pdev, 1),
+ v3d_irq, IRQF_SHARED,
+ "v3d_core0", v3d);
+ if (ret)
+- dev_err(v3d->dev, "IRQ setup failed: %d\n", ret);
++ goto fail;
+
+ v3d_irq_enable(v3d);
++ return 0;
++
++fail:
++ if (ret != -EPROBE_DEFER)
++ dev_err(v3d->dev, "IRQ setup failed: %d\n", ret);
++ return ret;
+ }
+
+ void
+--
+2.20.1
+
--- /dev/null
+From 9cbb5d3ca6a9ad311765c63710a4fda6d0995a8c Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Fri, 4 Aug 2017 09:23:28 +0100
+Subject: drm: Wake up next in drm_read() chain if we are forced to putback the
+ event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 60b801999c48b6c1dd04e653a38e2e613664264e ]
+
+After an event is sent, we try to copy it into the user buffer of the
+first waiter in drm_read() and if the user buffer doesn't have enough
+room we put it back onto the list. However, we didn't wake up any
+subsequent waiter, so that event may sit on the list until either a new
+vblank event is sent or a new waiter appears. Rare, but in the worst
+case may lead to a stuck process.
+
+Testcase: igt/drm_read/short-buffer-wakeup
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170804082328.17173-1-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
+index 7caa3c7ed9789..9701469a6e933 100644
+--- a/drivers/gpu/drm/drm_file.c
++++ b/drivers/gpu/drm/drm_file.c
+@@ -577,6 +577,7 @@ ssize_t drm_read(struct file *filp, char __user *buffer,
+ file_priv->event_space -= length;
+ list_add(&e->link, &file_priv->event_list);
+ spin_unlock_irq(&dev->event_lock);
++ wake_up_interruptible(&file_priv->event_wait);
+ break;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6d2b885f7b80cb1939c0c5320c62824ea1e74ec7 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Thu, 21 Feb 2019 02:51:37 +0200
+Subject: drm: writeback: Fix leak of writeback job
+
+[ Upstream commit e482ae9b5fdc01a343f22f52930e85a6cfdf85eb ]
+
+Writeback jobs are allocated when the WRITEBACK_FB_ID is set, and
+deleted when the jobs complete. This results in both a memory leak of
+the job and a leak of the framebuffer if the atomic commit returns
+before the job is queued for processing, for instance if the atomic
+check fails or if the commit runs in test-only mode.
+
+Fix this by implementing the drm_writeback_cleanup_job() function and
+calling it from __drm_atomic_helper_connector_destroy_state(). As
+writeback jobs are removed from the state when they're queued for
+processing, any job left in the state when the state gets destroyed
+needs to be cleaned up.
+
+The existing declaration of the drm_writeback_cleanup_job() function
+without an implementation hints that this problem was considered, but
+never addressed.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Brian Starkey <brian.starkey@arm.com>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_atomic_state_helper.c | 4 ++++
+ drivers/gpu/drm/drm_writeback.c | 14 +++++++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c
+index 4985384e51f6e..59ffb6b9c7453 100644
+--- a/drivers/gpu/drm/drm_atomic_state_helper.c
++++ b/drivers/gpu/drm/drm_atomic_state_helper.c
+@@ -30,6 +30,7 @@
+ #include <drm/drm_connector.h>
+ #include <drm/drm_atomic.h>
+ #include <drm/drm_device.h>
++#include <drm/drm_writeback.h>
+
+ #include <linux/slab.h>
+ #include <linux/dma-fence.h>
+@@ -412,6 +413,9 @@ __drm_atomic_helper_connector_destroy_state(struct drm_connector_state *state)
+
+ if (state->commit)
+ drm_crtc_commit_put(state->commit);
++
++ if (state->writeback_job)
++ drm_writeback_cleanup_job(state->writeback_job);
+ }
+ EXPORT_SYMBOL(__drm_atomic_helper_connector_destroy_state);
+
+diff --git a/drivers/gpu/drm/drm_writeback.c b/drivers/gpu/drm/drm_writeback.c
+index c20e6fe00cb38..2d75032f81591 100644
+--- a/drivers/gpu/drm/drm_writeback.c
++++ b/drivers/gpu/drm/drm_writeback.c
+@@ -268,6 +268,15 @@ void drm_writeback_queue_job(struct drm_writeback_connector *wb_connector,
+ }
+ EXPORT_SYMBOL(drm_writeback_queue_job);
+
++void drm_writeback_cleanup_job(struct drm_writeback_job *job)
++{
++ if (job->fb)
++ drm_framebuffer_put(job->fb);
++
++ kfree(job);
++}
++EXPORT_SYMBOL(drm_writeback_cleanup_job);
++
+ /*
+ * @cleanup_work: deferred cleanup of a writeback job
+ *
+@@ -280,10 +289,9 @@ static void cleanup_work(struct work_struct *work)
+ struct drm_writeback_job *job = container_of(work,
+ struct drm_writeback_job,
+ cleanup_work);
+- drm_framebuffer_put(job->fb);
+- kfree(job);
+-}
+
++ drm_writeback_cleanup_job(job);
++}
+
+ /**
+ * drm_writeback_signal_completion - Signal the completion of a writeback job
+--
+2.20.1
+
--- /dev/null
+From fe42e673156bb70c036048f0d965398f60c03158 Mon Sep 17 00:00:00 2001
+From: Evan Green <evgreen@chromium.org>
+Date: Thu, 21 Mar 2019 10:17:54 -0700
+Subject: dt-bindings: phy-qcom-qmp: Add UFS PHY reset
+
+[ Upstream commit 95cee0b4e30a09a411a17e9a3bc6b72ed92063da ]
+
+Add a required reset to the SDM845 UFS phy to express the PHY reset
+bit inside the UFS controller register space. Before this change, this
+reset was not expressed in the DT, and the driver utilized two different
+callbacks (phy_init and phy_poweron) to implement a two-phase
+initialization procedure that involved deasserting this reset between
+init and poweron. This abused the two callbacks and diluted their
+purpose.
+
+That scheme does not work as regulators cannot be turned off in
+phy_poweroff because they were turned on in init, rather than poweron.
+The net result is that regulators are left on in suspend that shouldn't
+be.
+
+This new scheme gives the UFS reset to the PHY, so that it can fully
+initialize itself in a single callback. We can then turn regulators on
+during poweron and off during poweroff.
+
+Signed-off-by: Evan Green <evgreen@chromium.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/phy/qcom-qmp-phy.txt | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/phy/qcom-qmp-phy.txt b/Documentation/devicetree/bindings/phy/qcom-qmp-phy.txt
+index 5d181fc3cc182..4a78ba8b85bc0 100644
+--- a/Documentation/devicetree/bindings/phy/qcom-qmp-phy.txt
++++ b/Documentation/devicetree/bindings/phy/qcom-qmp-phy.txt
+@@ -59,7 +59,8 @@ Required properties:
+ one for each entry in reset-names.
+ - reset-names: "phy" for reset of phy block,
+ "common" for phy common block reset,
+- "cfg" for phy's ahb cfg block reset.
++ "cfg" for phy's ahb cfg block reset,
++ "ufsphy" for the PHY reset in the UFS controller.
+
+ For "qcom,ipq8074-qmp-pcie-phy" must contain:
+ "phy", "common".
+@@ -74,7 +75,8 @@ Required properties:
+ "phy", "common".
+ For "qcom,sdm845-qmp-usb3-uni-phy" must contain:
+ "phy", "common".
+- For "qcom,sdm845-qmp-ufs-phy": no resets are listed.
++ For "qcom,sdm845-qmp-ufs-phy": must contain:
++ "ufsphy".
+
+ - vdda-phy-supply: Phandle to a regulator supply to PHY core block.
+ - vdda-pll-supply: Phandle to 1.8V regulator supply to PHY refclk pll block.
+--
+2.20.1
+
--- /dev/null
+From 1852c176c4879e6c2a0fa7f291377cd6046633ea Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Sun, 3 Feb 2019 01:40:16 +0800
+Subject: e1000e: Disable runtime PM on CNP+
+
+[ Upstream commit 459d69c407f9ba122f12216555c3012284dc9fd7 ]
+
+There are some new e1000e devices can only be woken up from D3 one time,
+by plugging Ethernet cable. Subsequent cable plugging does set PME bit
+correctly, but it still doesn't get woken up.
+
+Since e1000e connects to the root complex directly, we rely on ACPI to
+wake it up. In this case, the GPE from _PRW only works once and stops
+working after that. Though it appears to be a platform bug, e1000e
+maintainers confirmed that I219 does not support D3.
+
+So disable runtime PM on CNP+ chips. We may need to disable earlier
+generations if this bug also hit older platforms.
+
+Bugzilla: https://bugzilla.kernel.org/attachment.cgi?id=280819
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 7acc61e4f6456..c10c9d7eadaac 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -7350,7 +7350,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ dev_pm_set_driver_flags(&pdev->dev, DPM_FLAG_NEVER_SKIP);
+
+- if (pci_dev_run_wake(pdev))
++ if (pci_dev_run_wake(pdev) && hw->mac.type < e1000_pch_cnp)
+ pm_runtime_put_noidle(&pdev->dev);
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 97f757c2e85f29bfc94dc887ef8672caaf5226e6 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 28 Mar 2019 20:34:26 +0100
+Subject: efifb: Omit memory map check on legacy boot
+
+[ Upstream commit c2999c281ea2d2ebbdfce96cecc7b52e2ae7c406 ]
+
+Since the following commit:
+
+ 38ac0287b7f4 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB")
+
+efifb_probe() checks its memory range via efi_mem_desc_lookup(),
+and this leads to a spurious error message:
+
+ EFI_MEMMAP is not enabled
+
+at every boot on KVM. This is quite annoying since the error message
+appears even if you set "quiet" boot option.
+
+Since this happens on legacy boot, which strangely enough exposes
+a EFI framebuffer via screen_info, let's double check that we are
+doing an EFI boot before attempting to access the EFI memory map.
+
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Tested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20190328193429.21373-3-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/efifb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
+index fd02e8a4841d6..9f39f0c360e0c 100644
+--- a/drivers/video/fbdev/efifb.c
++++ b/drivers/video/fbdev/efifb.c
+@@ -464,7 +464,8 @@ static int efifb_probe(struct platform_device *dev)
+ info->apertures->ranges[0].base = efifb_fix.smem_start;
+ info->apertures->ranges[0].size = size_remap;
+
+- if (!efi_mem_desc_lookup(efifb_fix.smem_start, &md)) {
++ if (efi_enabled(EFI_BOOT) &&
++ !efi_mem_desc_lookup(efifb_fix.smem_start, &md)) {
+ if ((efifb_fix.smem_start + efifb_fix.smem_len) >
+ (md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT))) {
+ pr_err("efifb: video memory @ 0x%lx spans multiple EFI memory regions\n",
+--
+2.20.1
+
--- /dev/null
+From 232f2549db7a8ae7aa4a054630778d0e9b91d997 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Thu, 4 Apr 2019 17:33:56 +0100
+Subject: extcon: arizona: Disable mic detect if running when driver is removed
+
+[ Upstream commit 00053de52231117ddc154042549f2256183ffb86 ]
+
+Microphone detection provides the button detection features on the
+Arizona CODECs as such it will be running if the jack is currently
+inserted. If the driver is unbound whilst the jack is still inserted
+this will cause warnings from the regulator framework as the MICVDD
+regulator is put but was never disabled.
+
+Correct this by disabling microphone detection on driver removal and if
+the microphone detection was running disable the regulator and put the
+runtime reference that was currently held.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-arizona.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index da0e9bc4262fa..9327479c719c2 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -1726,6 +1726,16 @@ static int arizona_extcon_remove(struct platform_device *pdev)
+ struct arizona_extcon_info *info = platform_get_drvdata(pdev);
+ struct arizona *arizona = info->arizona;
+ int jack_irq_rise, jack_irq_fall;
++ bool change;
++
++ regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1,
++ ARIZONA_MICD_ENA, 0,
++ &change);
++
++ if (change) {
++ regulator_disable(info->micvdd);
++ pm_runtime_put(info->dev);
++ }
+
+ gpiod_put(info->micd_pol_gpio);
+
+--
+2.20.1
+
--- /dev/null
+From decd8ae59241c4369e1c8771af1b0dc0589c9b84 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 4 Apr 2019 22:17:48 +0800
+Subject: extcon: axp288: Add a depends on ACPI to the Kconfig entry
+
+[ Upstream commit fa3c098c2d52a268f6372fa053932e11f50cecb1 ]
+
+As Hans de Goede pointed, using this driver without ACPI
+makes little sense, so add ACPI dependency to Kconfig entry
+to fix a build error while CONFIG_ACPI is not set.
+
+drivers/extcon/extcon-axp288.c: In function 'axp288_extcon_probe':
+drivers/extcon/extcon-axp288.c:363:20: error: dereferencing pointer to incomplete type
+ put_device(&adev->dev);
+
+Fixes: 0cf064db948a ("extcon: axp288: Convert to use acpi_dev_get_first_match_dev()")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Suggested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/extcon/Kconfig b/drivers/extcon/Kconfig
+index 540e8cd16ee6e..db3bcf96b98fb 100644
+--- a/drivers/extcon/Kconfig
++++ b/drivers/extcon/Kconfig
+@@ -30,7 +30,7 @@ config EXTCON_ARIZONA
+
+ config EXTCON_AXP288
+ tristate "X-Power AXP288 EXTCON support"
+- depends on MFD_AXP20X && USB_SUPPORT && X86
++ depends on MFD_AXP20X && USB_SUPPORT && X86 && ACPI
+ select USB_ROLE_SWITCH
+ help
+ Say Y here to enable support for USB peripheral detection
+--
+2.20.1
+
--- /dev/null
+From b2b9ff44580b4184f82bf0df2a7b285a993fb8de Mon Sep 17 00:00:00 2001
+From: Xiaoli Feng <fengxiaoli0714@gmail.com>
+Date: Sat, 16 Mar 2019 09:43:30 +0800
+Subject: Fix nfs4.2 return -EINVAL when do dedupe operation
+
+[ Upstream commit ce96e888fe48ecfa868c9a39adc03292c78a80ff ]
+
+dedupe_file_range operations is combiled into remap_file_range.
+But in nfs42_remap_file_range, it's skiped for dedupe operations.
+Before this patch:
+ # dd if=/dev/zero of=nfs/file bs=1M count=1
+ # xfs_io -c "dedupe nfs/file 4k 64k 4k" nfs/file
+ XFS_IOC_FILE_EXTENT_SAME: Invalid argument
+After this patch:
+ # dd if=/dev/zero of=nfs/file bs=1M count=1
+ # xfs_io -c "dedupe nfs/file 4k 64k 4k" nfs/file
+ deduped 4096/4096 bytes at offset 65536
+ 4 KiB, 1 ops; 0.0046 sec (865.988 KiB/sec and 216.4971 ops/sec)
+
+Signed-off-by: Xiaoli Feng <fengxiaoli0714@gmail.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
+index 00d17198ee12a..f10b660805fc4 100644
+--- a/fs/nfs/nfs4file.c
++++ b/fs/nfs/nfs4file.c
+@@ -187,7 +187,7 @@ static loff_t nfs42_remap_file_range(struct file *src_file, loff_t src_off,
+ bool same_inode = false;
+ int ret;
+
+- if (remap_flags & ~REMAP_FILE_ADVISORY)
++ if (remap_flags & ~(REMAP_FILE_DEDUP | REMAP_FILE_ADVISORY))
+ return -EINVAL;
+
+ /* check alignment w.r.t. clone_blksize */
+--
+2.20.1
+
--- /dev/null
+From 0487d26e0d088ecd617b9aa84bd4b6741923f0dc Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 11 Apr 2019 14:32:15 -0700
+Subject: fscrypt: use READ_ONCE() to access ->i_crypt_info
+
+[ Upstream commit e37a784d8b6a1e726de5ddc7b4809c086a08db09 ]
+
+->i_crypt_info starts out NULL and may later be locklessly set to a
+non-NULL value by the cmpxchg() in fscrypt_get_encryption_info().
+
+But ->i_crypt_info is used directly, which technically is incorrect.
+It's a data race, and it doesn't include the data dependency barrier
+needed to safely dereference the pointer on at least one architecture.
+
+Fix this by using READ_ONCE() instead. Note: we don't need to use
+smp_load_acquire(), since dereferencing the pointer only requires a data
+dependency barrier, which is already included in READ_ONCE(). We also
+don't need READ_ONCE() in places where ->i_crypt_info is unconditionally
+dereferenced, since it must have already been checked.
+
+Also downgrade the cmpxchg() to cmpxchg_release(), since RELEASE
+semantics are sufficient on the write side.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/crypto/crypto.c | 2 +-
+ fs/crypto/fname.c | 4 ++--
+ fs/crypto/keyinfo.c | 4 ++--
+ fs/crypto/policy.c | 6 +++---
+ include/linux/fscrypt.h | 3 ++-
+ 5 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
+index 4dc788e3bc96b..fe38b53060454 100644
+--- a/fs/crypto/crypto.c
++++ b/fs/crypto/crypto.c
+@@ -334,7 +334,7 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
+ spin_lock(&dentry->d_lock);
+ cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
+ spin_unlock(&dentry->d_lock);
+- dir_has_key = (d_inode(dir)->i_crypt_info != NULL);
++ dir_has_key = fscrypt_has_encryption_key(d_inode(dir));
+ dput(dir);
+
+ /*
+diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
+index 7ff40a73dbece..050384c79f40e 100644
+--- a/fs/crypto/fname.c
++++ b/fs/crypto/fname.c
+@@ -269,7 +269,7 @@ int fscrypt_fname_disk_to_usr(struct inode *inode,
+ if (iname->len < FS_CRYPTO_BLOCK_SIZE)
+ return -EUCLEAN;
+
+- if (inode->i_crypt_info)
++ if (fscrypt_has_encryption_key(inode))
+ return fname_decrypt(inode, iname, oname);
+
+ if (iname->len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE) {
+@@ -336,7 +336,7 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
+ if (ret)
+ return ret;
+
+- if (dir->i_crypt_info) {
++ if (fscrypt_has_encryption_key(dir)) {
+ if (!fscrypt_fname_encrypted_size(dir, iname->len,
+ dir->i_sb->s_cop->max_namelen,
+ &fname->crypto_buf.len))
+diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
+index 322ce9686bdba..bf291c10c682f 100644
+--- a/fs/crypto/keyinfo.c
++++ b/fs/crypto/keyinfo.c
+@@ -509,7 +509,7 @@ int fscrypt_get_encryption_info(struct inode *inode)
+ u8 *raw_key = NULL;
+ int res;
+
+- if (inode->i_crypt_info)
++ if (fscrypt_has_encryption_key(inode))
+ return 0;
+
+ res = fscrypt_initialize(inode->i_sb->s_cop->flags);
+@@ -573,7 +573,7 @@ int fscrypt_get_encryption_info(struct inode *inode)
+ if (res)
+ goto out;
+
+- if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL)
++ if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL)
+ crypt_info = NULL;
+ out:
+ if (res == -ENOKEY)
+diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
+index bd7eaf9b3f003..d536889ac31bf 100644
+--- a/fs/crypto/policy.c
++++ b/fs/crypto/policy.c
+@@ -194,8 +194,8 @@ int fscrypt_has_permitted_context(struct inode *parent, struct inode *child)
+ res = fscrypt_get_encryption_info(child);
+ if (res)
+ return 0;
+- parent_ci = parent->i_crypt_info;
+- child_ci = child->i_crypt_info;
++ parent_ci = READ_ONCE(parent->i_crypt_info);
++ child_ci = READ_ONCE(child->i_crypt_info);
+
+ if (parent_ci && child_ci) {
+ return memcmp(parent_ci->ci_master_key_descriptor,
+@@ -246,7 +246,7 @@ int fscrypt_inherit_context(struct inode *parent, struct inode *child,
+ if (res < 0)
+ return res;
+
+- ci = parent->i_crypt_info;
++ ci = READ_ONCE(parent->i_crypt_info);
+ if (ci == NULL)
+ return -ENOKEY;
+
+diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h
+index e5194fc3983e9..08246f068fd89 100644
+--- a/include/linux/fscrypt.h
++++ b/include/linux/fscrypt.h
+@@ -79,7 +79,8 @@ struct fscrypt_ctx {
+
+ static inline bool fscrypt_has_encryption_key(const struct inode *inode)
+ {
+- return (inode->i_crypt_info != NULL);
++ /* pairs with cmpxchg_release() in fscrypt_get_encryption_info() */
++ return READ_ONCE(inode->i_crypt_info) != NULL;
+ }
+
+ static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
+--
+2.20.1
+
--- /dev/null
+From 8ad6d6b5349fff9db71d63cb643346ec119287ca Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Wed, 27 Mar 2019 17:09:17 +0000
+Subject: gfs2: Fix lru_count going negative
+
+[ Upstream commit 7881ef3f33bb80f459ea6020d1e021fc524a6348 ]
+
+Under certain conditions, lru_count may drop below zero resulting in
+a large amount of log spam like this:
+
+vmscan: shrink_slab: gfs2_dump_glock+0x3b0/0x630 [gfs2] \
+ negative objects to delete nr=-1
+
+This happens as follows:
+1) A glock is moved from lru_list to the dispose list and lru_count is
+ decremented.
+2) The dispose function calls cond_resched() and drops the lru lock.
+3) Another thread takes the lru lock and tries to add the same glock to
+ lru_list, checking if the glock is on an lru list.
+4) It is on a list (actually the dispose list) and so it avoids
+ incrementing lru_count.
+5) The glock is moved to lru_list.
+5) The original thread doesn't dispose it because it has been re-added
+ to the lru list but the lru_count has still decreased by one.
+
+Fix by checking if the LRU flag is set on the glock rather than checking
+if the glock is on some list and rearrange the code so that the LRU flag
+is added/removed precisely when the glock is added/removed from lru_list.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index d32964cd11176..e4f6d39500bcc 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -183,15 +183,19 @@ static int demote_ok(const struct gfs2_glock *gl)
+
+ void gfs2_glock_add_to_lru(struct gfs2_glock *gl)
+ {
++ if (!(gl->gl_ops->go_flags & GLOF_LRU))
++ return;
++
+ spin_lock(&lru_lock);
+
+- if (!list_empty(&gl->gl_lru))
+- list_del_init(&gl->gl_lru);
+- else
++ list_del(&gl->gl_lru);
++ list_add_tail(&gl->gl_lru, &lru_list);
++
++ if (!test_bit(GLF_LRU, &gl->gl_flags)) {
++ set_bit(GLF_LRU, &gl->gl_flags);
+ atomic_inc(&lru_count);
++ }
+
+- list_add_tail(&gl->gl_lru, &lru_list);
+- set_bit(GLF_LRU, &gl->gl_flags);
+ spin_unlock(&lru_lock);
+ }
+
+@@ -201,7 +205,7 @@ static void gfs2_glock_remove_from_lru(struct gfs2_glock *gl)
+ return;
+
+ spin_lock(&lru_lock);
+- if (!list_empty(&gl->gl_lru)) {
++ if (test_bit(GLF_LRU, &gl->gl_flags)) {
+ list_del_init(&gl->gl_lru);
+ atomic_dec(&lru_count);
+ clear_bit(GLF_LRU, &gl->gl_flags);
+@@ -1159,8 +1163,7 @@ void gfs2_glock_dq(struct gfs2_holder *gh)
+ !test_bit(GLF_DEMOTE, &gl->gl_flags))
+ fast_path = 1;
+ }
+- if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl) &&
+- (glops->go_flags & GLOF_LRU))
++ if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl))
+ gfs2_glock_add_to_lru(gl);
+
+ trace_gfs2_glock_queue(gh, 0);
+@@ -1456,6 +1459,7 @@ __acquires(&lru_lock)
+ if (!spin_trylock(&gl->gl_lockref.lock)) {
+ add_back_to_lru:
+ list_add(&gl->gl_lru, &lru_list);
++ set_bit(GLF_LRU, &gl->gl_flags);
+ atomic_inc(&lru_count);
+ continue;
+ }
+@@ -1463,7 +1467,6 @@ __acquires(&lru_lock)
+ spin_unlock(&gl->gl_lockref.lock);
+ goto add_back_to_lru;
+ }
+- clear_bit(GLF_LRU, &gl->gl_flags);
+ gl->gl_lockref.count++;
+ if (demote_ok(gl))
+ handle_callback(gl, LM_ST_UNLOCKED, 0, false);
+@@ -1498,6 +1501,7 @@ static long gfs2_scan_glock_lru(int nr)
+ if (!test_bit(GLF_LOCK, &gl->gl_flags)) {
+ list_move(&gl->gl_lru, &dispose);
+ atomic_dec(&lru_count);
++ clear_bit(GLF_LRU, &gl->gl_flags);
+ freed++;
+ continue;
+ }
+--
+2.20.1
+
--- /dev/null
+From 397dd83381b22a2c23069af776dde78d58ee6f0d Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Thu, 4 Apr 2019 21:11:11 +0100
+Subject: gfs2: Fix occasional glock use-after-free
+
+[ Upstream commit 9287c6452d2b1f24ea8e84bd3cf6f3c6f267f712 ]
+
+This patch has to do with the life cycle of glocks and buffers. When
+gfs2 metadata or journaled data is queued to be written, a gfs2_bufdata
+object is assigned to track the buffer, and that is queued to various
+lists, including the glock's gl_ail_list to indicate it's on the active
+items list. Once the page associated with the buffer has been written,
+it is removed from the ail list, but its life isn't over until a revoke
+has been successfully written.
+
+So after the block is written, its bufdata object is moved from the
+glock's gl_ail_list to a file-system-wide list of pending revokes,
+sd_log_le_revoke. At that point the glock still needs to track how many
+revokes it contributed to that list (in gl_revokes) so that things like
+glock go_sync can ensure all the metadata has been not only written, but
+also revoked before the glock is granted to a different node. This is
+to guarantee journal replay doesn't replay the block once the glock has
+been granted to another node.
+
+Ross Lagerwall recently discovered a race in which an inode could be
+evicted, and its glock freed after its ail list had been synced, but
+while it still had unwritten revokes on the sd_log_le_revoke list. The
+evict decremented the glock reference count to zero, which allowed the
+glock to be freed. After the revoke was written, function
+revoke_lo_after_commit tried to adjust the glock's gl_revokes counter
+and clear its GLF_LFLUSH flag, at which time it referenced the freed
+glock.
+
+This patch fixes the problem by incrementing the glock reference count
+in gfs2_add_revoke when the glock's first bufdata object is moved from
+the glock to the global revokes list. Later, when the glock's last such
+bufdata object is freed, the reference count is decremented. This
+guarantees that whichever process finishes last (the revoke writing or
+the evict) will properly free the glock, and neither will reference the
+glock after it has been freed.
+
+Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 1 +
+ fs/gfs2/log.c | 3 ++-
+ fs/gfs2/lops.c | 6 ++++--
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index e4f6d39500bcc..71c28ff98b564 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -140,6 +140,7 @@ void gfs2_glock_free(struct gfs2_glock *gl)
+ {
+ struct gfs2_sbd *sdp = gl->gl_name.ln_sbd;
+
++ BUG_ON(atomic_read(&gl->gl_revokes));
+ rhashtable_remove_fast(&gl_hash_table, &gl->gl_node, ht_parms);
+ smp_mb();
+ wake_up_glock(gl);
+diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
+index b8830fda51e8f..0e04f87a7dddb 100644
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -606,7 +606,8 @@ void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
+ gfs2_remove_from_ail(bd); /* drops ref on bh */
+ bd->bd_bh = NULL;
+ sdp->sd_log_num_revoke++;
+- atomic_inc(&gl->gl_revokes);
++ if (atomic_inc_return(&gl->gl_revokes) == 1)
++ gfs2_glock_hold(gl);
+ set_bit(GLF_LFLUSH, &gl->gl_flags);
+ list_add(&bd->bd_list, &sdp->sd_log_le_revoke);
+ }
+diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
+index 8722c60b11feb..4b280611246df 100644
+--- a/fs/gfs2/lops.c
++++ b/fs/gfs2/lops.c
+@@ -669,8 +669,10 @@ static void revoke_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
+ bd = list_entry(head->next, struct gfs2_bufdata, bd_list);
+ list_del_init(&bd->bd_list);
+ gl = bd->bd_gl;
+- atomic_dec(&gl->gl_revokes);
+- clear_bit(GLF_LFLUSH, &gl->gl_flags);
++ if (atomic_dec_return(&gl->gl_revokes) == 0) {
++ clear_bit(GLF_LFLUSH, &gl->gl_flags);
++ gfs2_glock_queue_put(gl);
++ }
+ kmem_cache_free(gfs2_bufdata_cachep, bd);
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 0ac1aa6fa53dacab3e1a3d92607ea22045498a1b Mon Sep 17 00:00:00 2001
+From: Abhi Das <adas@redhat.com>
+Date: Tue, 30 Apr 2019 16:53:47 -0500
+Subject: gfs2: fix race between gfs2_freeze_func and unmount
+
+[ Upstream commit 8f91821990fd6f170a5dca79697a441181a41b16 ]
+
+As part of the freeze operation, gfs2_freeze_func() is left blocking
+on a request to hold the sd_freeze_gl in SH. This glock is held in EX
+by the gfs2_freeze() code.
+
+A subsequent call to gfs2_unfreeze() releases the EXclusively held
+sd_freeze_gl, which allows gfs2_freeze_func() to acquire it in SH and
+resume its operation.
+
+gfs2_unfreeze(), however, doesn't wait for gfs2_freeze_func() to complete.
+If a umount is issued right after unfreeze, it could result in an
+inconsistent filesystem because some journal data (statfs update) isn't
+written out.
+
+Refer to commit 24972557b12c for a more detailed explanation of how
+freeze/unfreeze work.
+
+This patch causes gfs2_unfreeze() to wait for gfs2_freeze_func() to
+complete before returning to the user.
+
+Signed-off-by: Abhi Das <adas@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/incore.h | 1 +
+ fs/gfs2/super.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h
+index cdf07b408f54c..539e8dc5a3f6c 100644
+--- a/fs/gfs2/incore.h
++++ b/fs/gfs2/incore.h
+@@ -621,6 +621,7 @@ enum {
+ SDF_SKIP_DLM_UNLOCK = 8,
+ SDF_FORCE_AIL_FLUSH = 9,
+ SDF_AIL1_IO_ERROR = 10,
++ SDF_FS_FROZEN = 11,
+ };
+
+ enum gfs2_freeze_state {
+diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
+index ca71163ff7cfd..360206704a14c 100644
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -973,8 +973,7 @@ void gfs2_freeze_func(struct work_struct *work)
+ if (error) {
+ printk(KERN_INFO "GFS2: couldn't get freeze lock : %d\n", error);
+ gfs2_assert_withdraw(sdp, 0);
+- }
+- else {
++ } else {
+ atomic_set(&sdp->sd_freeze_state, SFS_UNFROZEN);
+ error = thaw_super(sb);
+ if (error) {
+@@ -987,6 +986,8 @@ void gfs2_freeze_func(struct work_struct *work)
+ gfs2_glock_dq_uninit(&freeze_gh);
+ }
+ deactivate_super(sb);
++ clear_bit_unlock(SDF_FS_FROZEN, &sdp->sd_flags);
++ wake_up_bit(&sdp->sd_flags, SDF_FS_FROZEN);
+ return;
+ }
+
+@@ -1029,6 +1030,7 @@ static int gfs2_freeze(struct super_block *sb)
+ msleep(1000);
+ }
+ error = 0;
++ set_bit(SDF_FS_FROZEN, &sdp->sd_flags);
+ out:
+ mutex_unlock(&sdp->sd_freeze_mutex);
+ return error;
+@@ -1053,7 +1055,7 @@ static int gfs2_unfreeze(struct super_block *sb)
+
+ gfs2_glock_dq_uninit(&sdp->sd_freeze_gh);
+ mutex_unlock(&sdp->sd_freeze_mutex);
+- return 0;
++ return wait_on_bit(&sdp->sd_flags, SDF_FS_FROZEN, TASK_INTERRUPTIBLE);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 284cf3e4c61802631b233807b4b11229545d5bb7 Mon Sep 17 00:00:00 2001
+From: Oded Gabbay <oded.gabbay@gmail.com>
+Date: Sat, 6 Apr 2019 13:23:54 +0300
+Subject: habanalabs: all FD must be closed before removing device
+
+[ Upstream commit caa3c8e52582fc4d2ed82afd5e7ea164c18ef4fe ]
+
+This patch fixes a bug in the implementation of the function that removes
+the device.
+
+The bug can happen when the device is removed but not the driver itself
+(e.g. remove by the OS due to PCI freeze in Power architecture).
+
+In that case, there maybe open users that are calling IOCTLs while the
+device is removed. This is a possible race condition that the driver must
+handle. Otherwise, a kernel panic may occur.
+
+This race is prevented in the hard-reset flow, because the driver makes
+sure the users are closed before continuing with the hard-reset. This
+race can not occur when the driver itself is removed because the OS makes
+sure all the file descriptors are closed.
+
+The fix is to make sure the open users close their file descriptors and if
+they don't (after a certain amount of time), the driver sends them a
+SIGKILL, because the remove of the device can't be stopped.
+
+The patch re-uses the same code that is called from the hard-reset flow.
+
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/device.c | 32 +++++++++++++++++++++++++++-----
+ 1 file changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/device.c b/drivers/misc/habanalabs/device.c
+index 77d51be66c7e8..652c8edb2164c 100644
+--- a/drivers/misc/habanalabs/device.c
++++ b/drivers/misc/habanalabs/device.c
+@@ -498,11 +498,8 @@ int hl_device_resume(struct hl_device *hdev)
+ return rc;
+ }
+
+-static void hl_device_hard_reset_pending(struct work_struct *work)
++static void device_kill_open_processes(struct hl_device *hdev)
+ {
+- struct hl_device_reset_work *device_reset_work =
+- container_of(work, struct hl_device_reset_work, reset_work);
+- struct hl_device *hdev = device_reset_work->hdev;
+ u16 pending_total, pending_cnt;
+ struct task_struct *task = NULL;
+
+@@ -537,6 +534,12 @@ static void hl_device_hard_reset_pending(struct work_struct *work)
+ }
+ }
+
++ /* We killed the open users, but because the driver cleans up after the
++ * user contexts are closed (e.g. mmu mappings), we need to wait again
++ * to make sure the cleaning phase is finished before continuing with
++ * the reset
++ */
++
+ pending_cnt = pending_total;
+
+ while ((atomic_read(&hdev->fd_open_cnt)) && (pending_cnt)) {
+@@ -552,6 +555,16 @@ static void hl_device_hard_reset_pending(struct work_struct *work)
+
+ mutex_unlock(&hdev->fd_open_cnt_lock);
+
++}
++
++static void device_hard_reset_pending(struct work_struct *work)
++{
++ struct hl_device_reset_work *device_reset_work =
++ container_of(work, struct hl_device_reset_work, reset_work);
++ struct hl_device *hdev = device_reset_work->hdev;
++
++ device_kill_open_processes(hdev);
++
+ hl_device_reset(hdev, true, true);
+
+ kfree(device_reset_work);
+@@ -635,7 +648,7 @@ int hl_device_reset(struct hl_device *hdev, bool hard_reset,
+ * from a dedicated work
+ */
+ INIT_WORK(&device_reset_work->reset_work,
+- hl_device_hard_reset_pending);
++ device_hard_reset_pending);
+ device_reset_work->hdev = hdev;
+ schedule_work(&device_reset_work->reset_work);
+
+@@ -1035,6 +1048,15 @@ void hl_device_fini(struct hl_device *hdev)
+ /* Mark device as disabled */
+ hdev->disabled = true;
+
++ /*
++ * Flush anyone that is inside the critical section of enqueue
++ * jobs to the H/W
++ */
++ hdev->asic_funcs->hw_queues_lock(hdev);
++ hdev->asic_funcs->hw_queues_unlock(hdev);
++
++ device_kill_open_processes(hdev);
++
+ hl_hwmon_fini(hdev);
+
+ device_late_fini(hdev);
+--
+2.20.1
+
--- /dev/null
+From b63f751b52eecd629f92d4c53cf24bca48c946ce Mon Sep 17 00:00:00 2001
+From: Oded Gabbay <oded.gabbay@gmail.com>
+Date: Sun, 31 Mar 2019 21:37:42 +0300
+Subject: habanalabs: prevent CPU soft lockup on Palladium
+
+[ Upstream commit e850b89f50d2c1439f58d547b888ee6e43312dea ]
+
+Unmapping ptes in the device MMU on Palladium can take a long time, which
+can cause a kernel BUG of CPU soft lockup.
+
+This patch minimize the chances for this bug by sleeping a little between
+unmapping ptes.
+
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/memory.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/memory.c b/drivers/misc/habanalabs/memory.c
+index ce1fda40a8b81..fadaf557603f5 100644
+--- a/drivers/misc/habanalabs/memory.c
++++ b/drivers/misc/habanalabs/memory.c
+@@ -1046,10 +1046,17 @@ static int unmap_device_va(struct hl_ctx *ctx, u64 vaddr)
+
+ mutex_lock(&ctx->mmu_lock);
+
+- for (i = 0 ; i < phys_pg_pack->npages ; i++, next_vaddr += page_size)
++ for (i = 0 ; i < phys_pg_pack->npages ; i++, next_vaddr += page_size) {
+ if (hl_mmu_unmap(ctx, next_vaddr, page_size))
+ dev_warn_ratelimited(hdev->dev,
+- "unmap failed for vaddr: 0x%llx\n", next_vaddr);
++ "unmap failed for vaddr: 0x%llx\n", next_vaddr);
++
++ /* unmapping on Palladium can be really long, so avoid a CPU
++ * soft lockup bug by sleeping a little between unmapping pages
++ */
++ if (hdev->pldm)
++ usleep_range(500, 1000);
++ }
+
+ hdev->asic_funcs->mmu_invalidate_cache(hdev, true);
+
+--
+2.20.1
+
--- /dev/null
+From 2953c003a0f1d1138a34babc196fbfd820d9ec0e Mon Sep 17 00:00:00 2001
+From: Oded Gabbay <oded.gabbay@gmail.com>
+Date: Sat, 6 Apr 2019 15:33:38 +0300
+Subject: habanalabs: prevent device PTE read/write during hard-reset
+
+[ Upstream commit 9f201aba56b92c3daa4b76efae056ddbb80d91e6 ]
+
+During hard-reset, contexts are closed as part of the tear-down process.
+After a context is closed, the driver cleans up the page tables of that
+context in the device's DRAM. This action is both dangerous and
+unnecessary.
+
+It is unnecessary, because the device is going through a hard-reset, which
+means the device's DRAM contents are no longer valid and the device's MMU
+is being reset.
+
+It is dangerous, because if the hard-reset came as a result of a PCI
+freeze, this action may cause the entire host machine to hang.
+
+Therefore, prevent all device PTE updates when a hard-reset operation is
+pending.
+
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/goya/goya.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c
+index 3c509e19d69dc..1533cb3205400 100644
+--- a/drivers/misc/habanalabs/goya/goya.c
++++ b/drivers/misc/habanalabs/goya/goya.c
+@@ -4407,6 +4407,9 @@ static u64 goya_read_pte(struct hl_device *hdev, u64 addr)
+ {
+ struct goya_device *goya = hdev->asic_specific;
+
++ if (hdev->hard_reset_pending)
++ return U64_MAX;
++
+ return readq(hdev->pcie_bar[DDR_BAR_ID] +
+ (addr - goya->ddr_bar_cur_addr));
+ }
+@@ -4415,6 +4418,9 @@ static void goya_write_pte(struct hl_device *hdev, u64 addr, u64 val)
+ {
+ struct goya_device *goya = hdev->asic_specific;
+
++ if (hdev->hard_reset_pending)
++ return;
++
+ writeq(val, hdev->pcie_bar[DDR_BAR_ID] +
+ (addr - goya->ddr_bar_cur_addr));
+ }
+--
+2.20.1
+
--- /dev/null
+From c048946d99e992bd56c3480a2335275dc9f5b5ac Mon Sep 17 00:00:00 2001
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Date: Wed, 27 Mar 2019 11:18:48 +0100
+Subject: HID: core: move Usage Page concatenation to Main item
+
+[ Upstream commit 58e75155009cc800005629955d3482f36a1e0eec ]
+
+As seen on some USB wireless keyboards manufactured by Primax, the HID
+parser was using some assumptions that are not always true. In this case
+it's s the fact that, inside the scope of a main item, an Usage Page
+will always precede an Usage.
+
+The spec is not pretty clear as 6.2.2.7 states "Any usage that follows
+is interpreted as a Usage ID and concatenated with the Usage Page".
+While 6.2.2.8 states "When the parser encounters a main item it
+concatenates the last declared Usage Page with a Usage to form a
+complete usage value." Being somewhat contradictory it was decided to
+match Window's implementation, which follows 6.2.2.8.
+
+In summary, the patch moves the Usage Page concatenation from the local
+item parsing function to the main item parsing function.
+
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Reviewed-by: Terry Junge <terry.junge@poly.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 36 ++++++++++++++++++++++++------------
+ include/linux/hid.h | 1 +
+ 2 files changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 860e21ec6a492..63a43726cce0f 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -218,13 +218,14 @@ static unsigned hid_lookup_collection(struct hid_parser *parser, unsigned type)
+ * Add a usage to the temporary parser table.
+ */
+
+-static int hid_add_usage(struct hid_parser *parser, unsigned usage)
++static int hid_add_usage(struct hid_parser *parser, unsigned usage, u8 size)
+ {
+ if (parser->local.usage_index >= HID_MAX_USAGES) {
+ hid_err(parser->device, "usage index exceeded\n");
+ return -1;
+ }
+ parser->local.usage[parser->local.usage_index] = usage;
++ parser->local.usage_size[parser->local.usage_index] = size;
+ parser->local.collection_index[parser->local.usage_index] =
+ parser->collection_stack_ptr ?
+ parser->collection_stack[parser->collection_stack_ptr - 1] : 0;
+@@ -486,10 +487,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+- return hid_add_usage(parser, data);
++ return hid_add_usage(parser, data, item->size);
+
+ case HID_LOCAL_ITEM_TAG_USAGE_MINIMUM:
+
+@@ -498,9 +496,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+ parser->local.usage_minimum = data;
+ return 0;
+
+@@ -511,9 +506,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+ count = data - parser->local.usage_minimum;
+ if (count + parser->local.usage_index >= HID_MAX_USAGES) {
+ /*
+@@ -533,7 +525,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ }
+
+ for (n = parser->local.usage_minimum; n <= data; n++)
+- if (hid_add_usage(parser, n)) {
++ if (hid_add_usage(parser, n, item->size)) {
+ dbg_hid("hid_add_usage failed\n");
+ return -1;
+ }
+@@ -547,6 +539,22 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
++/*
++ * Concatenate Usage Pages into Usages where relevant:
++ * As per specification, 6.2.2.8: "When the parser encounters a main item it
++ * concatenates the last declared Usage Page with a Usage to form a complete
++ * usage value."
++ */
++
++static void hid_concatenate_usage_page(struct hid_parser *parser)
++{
++ int i;
++
++ for (i = 0; i < parser->local.usage_index; i++)
++ if (parser->local.usage_size[i] <= 2)
++ parser->local.usage[i] += parser->global.usage_page << 16;
++}
++
+ /*
+ * Process a main item.
+ */
+@@ -556,6 +564,8 @@ static int hid_parser_main(struct hid_parser *parser, struct hid_item *item)
+ __u32 data;
+ int ret;
+
++ hid_concatenate_usage_page(parser);
++
+ data = item_udata(item);
+
+ switch (item->tag) {
+@@ -765,6 +775,8 @@ static int hid_scan_main(struct hid_parser *parser, struct hid_item *item)
+ __u32 data;
+ int i;
+
++ hid_concatenate_usage_page(parser);
++
+ data = item_udata(item);
+
+ switch (item->tag) {
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index f9707d1dcb584..ac0c70b4ce10a 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -417,6 +417,7 @@ struct hid_global {
+
+ struct hid_local {
+ unsigned usage[HID_MAX_USAGES]; /* usage array */
++ u8 usage_size[HID_MAX_USAGES]; /* usage size array */
+ unsigned collection_index[HID_MAX_USAGES]; /* collection index array */
+ unsigned usage_index;
+ unsigned usage_minimum;
+--
+2.20.1
+
--- /dev/null
+From 973f4b2811d29886f8137bfa64c1219b6128d8c5 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 22 Mar 2019 08:41:40 +0100
+Subject: HID: logitech-hidpp: change low battery level threshold from 31 to 30
+ percent
+
+[ Upstream commit 1f87b0cd32b3456d7efdfb017fcf74d0bfe3ec29 ]
+
+According to hidpp20_batterylevel_get_battery_info my Logitech K270
+keyboard reports only 2 battery levels. This matches with what I've seen
+after testing with batteries at varying level of fullness, it always
+reports either 5% or 30%.
+
+Windows reports "battery good" for the 30% level. I've captured an USB
+trace of Windows reading the battery and it is getting the same info
+as the Linux hidpp code gets.
+
+Now that Linux handles these devices as hidpp devices, it reports the
+battery as being low as it treats anything under 31% as low, this leads
+to the user constantly getting a "Keyboard battery is low" warning from
+GNOME3, which is very annoying.
+
+This commit fixes this by changing the low threshold to anything under
+30%, which I assume is what Windows does.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index ffd30c7492df8..e74fa990ba133 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -1021,7 +1021,11 @@ static int hidpp_map_battery_level(int capacity)
+ {
+ if (capacity < 11)
+ return POWER_SUPPLY_CAPACITY_LEVEL_CRITICAL;
+- else if (capacity < 31)
++ /*
++ * The spec says this should be < 31 but some devices report 30
++ * with brand new batteries and Windows reports 30 as "Good".
++ */
++ else if (capacity < 30)
+ return POWER_SUPPLY_CAPACITY_LEVEL_LOW;
+ else if (capacity < 81)
+ return POWER_SUPPLY_CAPACITY_LEVEL_NORMAL;
+--
+2.20.1
+
--- /dev/null
+From 6a7916ba6df84843e1791d6d198acb01c23f85b9 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 20 Apr 2019 13:22:10 +0200
+Subject: HID: logitech-hidpp: use RAP instead of FAP to get the protocol
+ version
+
+[ Upstream commit 096377525cdb8251e4656085efc988bdf733fb4c ]
+
+According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc:
+https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf
+
+We should use a register-access-protocol request using the short input /
+output report ids. This is necessary because 27MHz HID++ receivers have
+a max-packetsize on their HIP++ endpoint of 8, so they cannot support
+long reports. Using a feature-access-protocol request (which is always
+long or very-long) with these will cause a timeout error, followed by
+the hidpp driver treating the device as not being HID++ capable.
+
+This commit fixes this by switching to using a rap request to get the
+protocol version.
+
+Besides being tested with a (046d:c517) 27MHz receiver with various
+27MHz keyboards and mice, this has also been tested to not cause
+regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with
+k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver
+(046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index 199cc256e9d9d..ffd30c7492df8 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -836,13 +836,16 @@ static int hidpp_root_get_feature(struct hidpp_device *hidpp, u16 feature,
+
+ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
+ {
++ const u8 ping_byte = 0x5a;
++ u8 ping_data[3] = { 0, 0, ping_byte };
+ struct hidpp_report response;
+ int ret;
+
+- ret = hidpp_send_fap_command_sync(hidpp,
++ ret = hidpp_send_rap_command_sync(hidpp,
++ REPORT_ID_HIDPP_SHORT,
+ HIDPP_PAGE_ROOT_IDX,
+ CMD_ROOT_GET_PROTOCOL_VERSION,
+- NULL, 0, &response);
++ ping_data, sizeof(ping_data), &response);
+
+ if (ret == HIDPP_ERROR_INVALID_SUBID) {
+ hidpp->protocol_major = 1;
+@@ -862,8 +865,14 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
+ if (ret)
+ return ret;
+
+- hidpp->protocol_major = response.fap.params[0];
+- hidpp->protocol_minor = response.fap.params[1];
++ if (response.rap.params[2] != ping_byte) {
++ hid_err(hidpp->hid_dev, "%s: ping mismatch 0x%02x != 0x%02x\n",
++ __func__, response.rap.params[2], ping_byte);
++ return -EPROTO;
++ }
++
++ hidpp->protocol_major = response.rap.params[0];
++ hidpp->protocol_minor = response.rap.params[1];
+
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 97f23b787f84794d5ba5d941edb5ddb80b829cbd Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Tue, 30 Apr 2019 19:29:07 +0000
+Subject: hv_netvsc: fix race that may miss tx queue wakeup
+
+[ Upstream commit 93aa4792c3908eac87ddd368ee0fe0564148232b ]
+
+When the ring buffer is almost full due to RX completion messages, a
+TX packet may reach the "low watermark" and cause the queue stopped.
+If the TX completion arrives earlier than queue stopping, the wakeup
+may be missed.
+
+This patch moves the check for the last pending packet to cover both
+EAGAIN and success cases, so the queue will be reliably waked up when
+necessary.
+
+Reported-and-tested-by: Stephan Klein <stephan.klein@wegfinder.at>
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
+index e0dce373cdd9d..3d4a166a49d58 100644
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -875,12 +875,6 @@ static inline int netvsc_send_pkt(
+ } else if (ret == -EAGAIN) {
+ netif_tx_stop_queue(txq);
+ ndev_ctx->eth_stats.stop_queue++;
+- if (atomic_read(&nvchan->queue_sends) < 1 &&
+- !net_device->tx_disable) {
+- netif_tx_wake_queue(txq);
+- ndev_ctx->eth_stats.wake_queue++;
+- ret = -ENOSPC;
+- }
+ } else {
+ netdev_err(ndev,
+ "Unable to send packet pages %u len %u, ret %d\n",
+@@ -888,6 +882,15 @@ static inline int netvsc_send_pkt(
+ ret);
+ }
+
++ if (netif_tx_queue_stopped(txq) &&
++ atomic_read(&nvchan->queue_sends) < 1 &&
++ !net_device->tx_disable) {
++ netif_tx_wake_queue(txq);
++ ndev_ctx->eth_stats.wake_queue++;
++ if (ret == -EAGAIN)
++ ret = -ENOSPC;
++ }
++
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 65633777e617756ee80a57773bb5be07f026c6a6 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 10:52:43 -0700
+Subject: hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 73e6ff71a7ea924fb7121d576a2d41e3be3fc6b5 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Unable to handle kernel paging request at virtual address ffffffbffee0002e
+pgd = ffffffc1d68d4000
+[ffffffbffee0002e] *pgd=0000000000000000, *pud=0000000000000000
+Internal error: Oops: 94000046 [#1] PREEMPT SMP
+Modules linked in: f71805f(+) hwmon
+CPU: 3 PID: 1659 Comm: insmod Not tainted 4.5.0+ #88
+Hardware name: linux,dummy-virt (DT)
+task: ffffffc1f6665400 ti: ffffffc1d6418000 task.ti: ffffffc1d6418000
+PC is at f71805f_find+0x6c/0x358 [f71805f]
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple
+drivers is synchronized.
+
+Fixes: e53004e20a58e ("hwmon: New f71805f driver")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/f71805f.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwmon/f71805f.c b/drivers/hwmon/f71805f.c
+index 73c681162653b..623736d2a7c1d 100644
+--- a/drivers/hwmon/f71805f.c
++++ b/drivers/hwmon/f71805f.c
+@@ -96,17 +96,23 @@ superio_select(int base, int ld)
+ outb(ld, base + 1);
+ }
+
+-static inline void
++static inline int
+ superio_enter(int base)
+ {
++ if (!request_muxed_region(base, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x87, base);
+ outb(0x87, base);
++
++ return 0;
+ }
+
+ static inline void
+ superio_exit(int base)
+ {
+ outb(0xaa, base);
++ release_region(base, 2);
+ }
+
+ /*
+@@ -1561,7 +1567,7 @@ static int __init f71805f_device_add(unsigned short address,
+ static int __init f71805f_find(int sioaddr, unsigned short *address,
+ struct f71805f_sio_data *sio_data)
+ {
+- int err = -ENODEV;
++ int err;
+ u16 devid;
+
+ static const char * const names[] = {
+@@ -1569,8 +1575,11 @@ static int __init f71805f_find(int sioaddr, unsigned short *address,
+ "F71872F/FG or F71806F/FG",
+ };
+
+- superio_enter(sioaddr);
++ err = superio_enter(sioaddr);
++ if (err)
++ return err;
+
++ err = -ENODEV;
+ devid = superio_inw(sioaddr, SIO_REG_MANID);
+ if (devid != SIO_FINTEK_ID)
+ goto exit;
+--
+2.20.1
+
--- /dev/null
+From 131f3deff121d90174ad0e4eae35eaccd47462fb Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:16:20 -0700
+Subject: hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 755a9b0f8aaa5639ba5671ca50080852babb89ce ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: ba224e2c4f0a7 ("hwmon: New PC87427 hardware monitoring driver")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pc87427.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/pc87427.c b/drivers/hwmon/pc87427.c
+index d1a3f2040c007..58eee8fa3e6d6 100644
+--- a/drivers/hwmon/pc87427.c
++++ b/drivers/hwmon/pc87427.c
+@@ -106,6 +106,13 @@ static const char *logdev_str[2] = { DRVNAME " FMC", DRVNAME " HMC" };
+ #define LD_IN 1
+ #define LD_TEMP 1
+
++static inline int superio_enter(int sioaddr)
++{
++ if (!request_muxed_region(sioaddr, 2, DRVNAME))
++ return -EBUSY;
++ return 0;
++}
++
+ static inline void superio_outb(int sioaddr, int reg, int val)
+ {
+ outb(reg, sioaddr);
+@@ -122,6 +129,7 @@ static inline void superio_exit(int sioaddr)
+ {
+ outb(0x02, sioaddr);
+ outb(0x02, sioaddr + 1);
++ release_region(sioaddr, 2);
+ }
+
+ /*
+@@ -1195,7 +1203,11 @@ static int __init pc87427_find(int sioaddr, struct pc87427_sio_data *sio_data)
+ {
+ u16 val;
+ u8 cfg, cfg_b;
+- int i, err = 0;
++ int i, err;
++
++ err = superio_enter(sioaddr);
++ if (err)
++ return err;
+
+ /* Identify device */
+ val = force_id ? force_id : superio_inb(sioaddr, SIOREG_DEVID);
+--
+2.20.1
+
--- /dev/null
+From 40544b2e27434c44b856a1a45056438178948635 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:22:42 -0700
+Subject: hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 8c0826756744c0ac1df600a5e4cca1a341b13101 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/smsc47b397.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/smsc47b397.c b/drivers/hwmon/smsc47b397.c
+index c0775084dde00..60e193f2e9707 100644
+--- a/drivers/hwmon/smsc47b397.c
++++ b/drivers/hwmon/smsc47b397.c
+@@ -72,14 +72,19 @@ static inline void superio_select(int ld)
+ superio_outb(0x07, ld);
+ }
+
+-static inline void superio_enter(void)
++static inline int superio_enter(void)
+ {
++ if (!request_muxed_region(REG, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x55, REG);
++ return 0;
+ }
+
+ static inline void superio_exit(void)
+ {
+ outb(0xAA, REG);
++ release_region(REG, 2);
+ }
+
+ #define SUPERIO_REG_DEVID 0x20
+@@ -300,8 +305,12 @@ static int __init smsc47b397_find(void)
+ u8 id, rev;
+ char *name;
+ unsigned short addr;
++ int err;
++
++ err = superio_enter();
++ if (err)
++ return err;
+
+- superio_enter();
+ id = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
+
+ switch (id) {
+--
+2.20.1
+
--- /dev/null
+From 66fd2ce4bd8a9dd8f75b3ad91e88ae3d9dacb0d6 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:28:37 -0700
+Subject: hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit d6410408ad2a798c4cc685252c1baa713be0ad69 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/smsc47m1.c | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/hwmon/smsc47m1.c b/drivers/hwmon/smsc47m1.c
+index c7b6a425e2c02..5eeac9853d0ae 100644
+--- a/drivers/hwmon/smsc47m1.c
++++ b/drivers/hwmon/smsc47m1.c
+@@ -73,16 +73,21 @@ superio_inb(int reg)
+ /* logical device for fans is 0x0A */
+ #define superio_select() superio_outb(0x07, 0x0A)
+
+-static inline void
++static inline int
+ superio_enter(void)
+ {
++ if (!request_muxed_region(REG, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x55, REG);
++ return 0;
+ }
+
+ static inline void
+ superio_exit(void)
+ {
+ outb(0xAA, REG);
++ release_region(REG, 2);
+ }
+
+ #define SUPERIO_REG_ACT 0x30
+@@ -531,8 +536,12 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data)
+ {
+ u8 val;
+ unsigned short addr;
++ int err;
++
++ err = superio_enter();
++ if (err)
++ return err;
+
+- superio_enter();
+ val = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
+
+ /*
+@@ -608,13 +617,14 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data)
+ static void smsc47m1_restore(const struct smsc47m1_sio_data *sio_data)
+ {
+ if ((sio_data->activate & 0x01) == 0) {
+- superio_enter();
+- superio_select();
+-
+- pr_info("Disabling device\n");
+- superio_outb(SUPERIO_REG_ACT, sio_data->activate);
+-
+- superio_exit();
++ if (!superio_enter()) {
++ superio_select();
++ pr_info("Disabling device\n");
++ superio_outb(SUPERIO_REG_ACT, sio_data->activate);
++ superio_exit();
++ } else {
++ pr_warn("Failed to disable device\n");
++ }
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 8a2f0343234198a83d0d3c890bb30447f96599e7 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 5 Apr 2019 08:53:08 -0700
+Subject: hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 14b97ba5c20056102b3dd22696bf17b057e60976 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 2219cd81a6cd ("hwmon/vt1211: Add probing of alternate config index port")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/vt1211.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwmon/vt1211.c b/drivers/hwmon/vt1211.c
+index 3a6bfa51cb94f..95d5e8ec8b7fc 100644
+--- a/drivers/hwmon/vt1211.c
++++ b/drivers/hwmon/vt1211.c
+@@ -226,15 +226,21 @@ static inline void superio_select(int sio_cip, int ldn)
+ outb(ldn, sio_cip + 1);
+ }
+
+-static inline void superio_enter(int sio_cip)
++static inline int superio_enter(int sio_cip)
+ {
++ if (!request_muxed_region(sio_cip, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x87, sio_cip);
+ outb(0x87, sio_cip);
++
++ return 0;
+ }
+
+ static inline void superio_exit(int sio_cip)
+ {
+ outb(0xaa, sio_cip);
++ release_region(sio_cip, 2);
+ }
+
+ /* ---------------------------------------------------------------------
+@@ -1282,11 +1288,14 @@ static int __init vt1211_device_add(unsigned short address)
+
+ static int __init vt1211_find(int sio_cip, unsigned short *address)
+ {
+- int err = -ENODEV;
++ int err;
+ int devid;
+
+- superio_enter(sio_cip);
++ err = superio_enter(sio_cip);
++ if (err)
++ return err;
+
++ err = -ENODEV;
+ devid = force_id ? force_id : superio_inb(sio_cip, SIO_VT1211_DEVID);
+ if (devid != SIO_VT1211_ID)
+ goto EXIT;
+--
+2.20.1
+
--- /dev/null
+From 64f9b9fb9ed465665e49df3b2f22c19373d52085 Mon Sep 17 00:00:00 2001
+From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Date: Mon, 11 Mar 2019 11:58:57 +0100
+Subject: hwrng: omap - Set default quality
+
+[ Upstream commit 62f95ae805fa9e1e84d47d3219adddd97b2654b7 ]
+
+Newer combinations of the glibc, kernel and openssh can result in long initial
+startup times on OMAP devices:
+
+[ 6.671425] systemd-rc-once[102]: Creating ED25519 key; this may take some time ...
+[ 142.652491] systemd-rc-once[102]: Creating ED25519 key; done.
+
+due to the blocking getrandom(2) system call:
+
+[ 142.610335] random: crng init done
+
+Set the quality level for the omap hwrng driver allowing the kernel to use the
+hwrng as an entropy source at boot.
+
+Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/omap-rng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/hw_random/omap-rng.c b/drivers/char/hw_random/omap-rng.c
+index b65ff69628995..e9b6ac61fb7f6 100644
+--- a/drivers/char/hw_random/omap-rng.c
++++ b/drivers/char/hw_random/omap-rng.c
+@@ -443,6 +443,7 @@ static int omap_rng_probe(struct platform_device *pdev)
+ priv->rng.read = omap_rng_do_read;
+ priv->rng.init = omap_rng_init;
+ priv->rng.cleanup = omap_rng_cleanup;
++ priv->rng.quality = 900;
+
+ priv->rng.priv = (unsigned long)priv;
+ platform_set_drvdata(pdev, priv);
+--
+2.20.1
+
--- /dev/null
+From da33b4a3055c9540af3babbebd4ed9a9a137e3cf Mon Sep 17 00:00:00 2001
+From: Adam Ludkiewicz <adam.ludkiewicz@intel.com>
+Date: Wed, 6 Feb 2019 15:08:25 -0800
+Subject: i40e: Able to add up to 16 MAC filters on an untrusted VF
+
+[ Upstream commit 06b6e2a2333eb3581567a7ac43ca465ef45f4daa ]
+
+This patch fixes the problem with the driver being able to add only 7
+multicast MAC address filters instead of 16. The problem is fixed by
+changing the maximum number of MAC address filters to 16+1+1 (two extra
+are needed because the driver uses 1 for unicast MAC address and 1 for
+broadcast).
+
+Signed-off-by: Adam Ludkiewicz <adam.ludkiewicz@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 0b5b867c9fbcb..2b0362c827e98 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2454,8 +2454,10 @@ static int i40e_vc_get_stats_msg(struct i40e_vf *vf, u8 *msg)
+ (u8 *)&stats, sizeof(stats));
+ }
+
+-/* If the VF is not trusted restrict the number of MAC/VLAN it can program */
+-#define I40E_VC_MAX_MAC_ADDR_PER_VF 12
++/* If the VF is not trusted restrict the number of MAC/VLAN it can program
++ * MAC filters: 16 for multicast, 1 for MAC, 1 for broadcast
++ */
++#define I40E_VC_MAX_MAC_ADDR_PER_VF (16 + 1 + 1)
+ #define I40E_VC_MAX_VLAN_PER_VF 8
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From c0cd7a646810499a293cb8f84deb367c0ab83956 Mon Sep 17 00:00:00 2001
+From: Nicholas Nunley <nicholas.d.nunley@intel.com>
+Date: Wed, 6 Feb 2019 15:08:17 -0800
+Subject: i40e: don't allow changes to HW VLAN stripping on active port VLANs
+
+[ Upstream commit bfb0ebed53857cfc57f11c63fa3689940d71c1c8 ]
+
+Modifying the VLAN stripping options when a port VLAN is configured
+will break traffic for the VSI, and conceptually doesn't make sense,
+so don't allow this.
+
+Signed-off-by: Nicholas Nunley <nicholas.d.nunley@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index b1c265012c8ad..ac9fcb0976890 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2654,6 +2654,10 @@ void i40e_vlan_stripping_enable(struct i40e_vsi *vsi)
+ struct i40e_vsi_context ctxt;
+ i40e_status ret;
+
++ /* Don't modify stripping options if a port VLAN is active */
++ if (vsi->info.pvid)
++ return;
++
+ if ((vsi->info.valid_sections &
+ cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) &&
+ ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_MODE_MASK) == 0))
+@@ -2684,6 +2688,10 @@ void i40e_vlan_stripping_disable(struct i40e_vsi *vsi)
+ struct i40e_vsi_context ctxt;
+ i40e_status ret;
+
++ /* Don't modify stripping options if a port VLAN is active */
++ if (vsi->info.pvid)
++ return;
++
+ if ((vsi->info.valid_sections &
+ cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) &&
+ ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_EMOD_MASK) ==
+--
+2.20.1
+
--- /dev/null
+From a211a6ec10340637102f01e1536df42d13d38656 Mon Sep 17 00:00:00 2001
+From: Martyna Szapar <martyna.szapar@intel.com>
+Date: Mon, 15 Apr 2019 14:43:07 -0700
+Subject: i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
+
+[ Upstream commit 24474f2709af6729b9b1da1c5e160ab62e25e3a4 ]
+
+Fixed possible memory leak in i40e_vc_add_cloud_filter function:
+cfilter is being allocated and in some error conditions
+the function returns without freeing the memory.
+
+Fix of integer truncation from u16 (type of queue_id value) to u8
+when calling i40e_vc_isvalid_queue_id function.
+
+Signed-off-by: Martyna Szapar <martyna.szapar@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 831d52bc3c9ae..0b5b867c9fbcb 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct i40e_vf *vf, u16 vsi_id)
+ * check for the valid queue id
+ **/
+ static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
+- u8 qid)
++ u16 qid)
+ {
+ struct i40e_pf *pf = vf->pf;
+ struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);
+@@ -3374,7 +3374,7 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg)
+
+ if (!test_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states)) {
+ aq_ret = I40E_ERR_PARAM;
+- goto err;
++ goto err_out;
+ }
+
+ if (!vf->adq_enabled) {
+@@ -3382,7 +3382,7 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg)
+ "VF %d: ADq is not enabled, can't apply cloud filter\n",
+ vf->vf_id);
+ aq_ret = I40E_ERR_PARAM;
+- goto err;
++ goto err_out;
+ }
+
+ if (i40e_validate_cloud_filter(vf, vcf)) {
+@@ -3390,7 +3390,7 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg)
+ "VF %d: Invalid input/s, can't apply cloud filter\n",
+ vf->vf_id);
+ aq_ret = I40E_ERR_PARAM;
+- goto err;
++ goto err_out;
+ }
+
+ cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL);
+@@ -3451,13 +3451,17 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg)
+ "VF %d: Failed to add cloud filter, err %s aq_err %s\n",
+ vf->vf_id, i40e_stat_str(&pf->hw, ret),
+ i40e_aq_str(&pf->hw, pf->hw.aq.asq_last_status));
+- goto err;
++ goto err_free;
+ }
+
+ INIT_HLIST_NODE(&cfilter->cloud_node);
+ hlist_add_head(&cfilter->cloud_node, &vf->cloud_filter_list);
++ /* release the pointer passing it to the collection */
++ cfilter = NULL;
+ vf->num_cloud_filters++;
+-err:
++err_free:
++ kfree(cfilter);
++err_out:
+ return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_ADD_CLOUD_FILTER,
+ aq_ret);
+ }
+--
+2.20.1
+
--- /dev/null
+From ad153758302d8a3cf126fd645363123a27ffb474 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Mon, 18 Mar 2019 09:55:09 -0700
+Subject: IB/hfi1: Fix WQ_MEM_RECLAIM warning
+
+[ Upstream commit 4c4b1996b5db688e2dcb8242b0a3bf7b1e845e42 ]
+
+The work_item cancels that occur when a QP is destroyed can elicit the
+following trace:
+
+ workqueue: WQ_MEM_RECLAIM ipoib_wq:ipoib_cm_tx_reap [ib_ipoib] is flushing !WQ_MEM_RECLAIM hfi0_0:_hfi1_do_send [hfi1]
+ WARNING: CPU: 7 PID: 1403 at kernel/workqueue.c:2486 check_flush_dependency+0xb1/0x100
+ Call Trace:
+ __flush_work.isra.29+0x8c/0x1a0
+ ? __switch_to_asm+0x40/0x70
+ __cancel_work_timer+0x103/0x190
+ ? schedule+0x32/0x80
+ iowait_cancel_work+0x15/0x30 [hfi1]
+ rvt_reset_qp+0x1f8/0x3e0 [rdmavt]
+ rvt_destroy_qp+0x65/0x1f0 [rdmavt]
+ ? _cond_resched+0x15/0x30
+ ib_destroy_qp+0xe9/0x230 [ib_core]
+ ipoib_cm_tx_reap+0x21c/0x560 [ib_ipoib]
+ process_one_work+0x171/0x370
+ worker_thread+0x49/0x3f0
+ kthread+0xf8/0x130
+ ? max_active_store+0x80/0x80
+ ? kthread_bind+0x10/0x10
+ ret_from_fork+0x35/0x40
+
+Since QP destruction frees memory, hfi1_wq should have the WQ_MEM_RECLAIM.
+
+The hfi1_wq does not allocate memory with GFP_KERNEL or otherwise become
+entangled with memory reclaim, so this flag is appropriate.
+
+Fixes: 0a226edd203f ("staging/rdma/hfi1: Use parallel workqueue for SDMA engines")
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/init.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c
+index faaaac8fbc553..3af5eb10a5ffb 100644
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -805,7 +805,8 @@ static int create_workqueues(struct hfi1_devdata *dd)
+ ppd->hfi1_wq =
+ alloc_workqueue(
+ "hfi%d_%d",
+- WQ_SYSFS | WQ_HIGHPRI | WQ_CPU_INTENSIVE,
++ WQ_SYSFS | WQ_HIGHPRI | WQ_CPU_INTENSIVE |
++ WQ_MEM_RECLAIM,
+ HFI1_MAX_ACTIVE_WORKQUEUE_ENTRIES,
+ dd->unit, pidx);
+ if (!ppd->hfi1_wq)
+--
+2.20.1
+
--- /dev/null
+From 6182dc553688d3a097b47b864e1f91beffcc99fa Mon Sep 17 00:00:00 2001
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Tue, 19 Mar 2019 11:24:39 +0200
+Subject: IB/mlx5: Compare only index part of a memory window rkey
+
+[ Upstream commit d623dfd2836114507d647c9793a80d213d8bffe8 ]
+
+The InfiniBand Architecture Specification section 10.6.7.2.4 TYPE 2 MEMORY
+WINDOWS says that if the CI supports the Base Memory Management Extensions
+defined in this specification, the R_Key format for a Type 2 Memory Window
+must consist of:
+
+* 24 bit index in the most significant bits of the R_Key, which is owned
+ by the CI, and
+* 8 bit key in the least significant bits of the R_Key, which is owned by
+ the Consumer.
+
+This means that the kernel should compare only the index part of a R_Key
+to determine equality with another R_Key.
+
+Fixes: db570d7deafb ("IB/mlx5: Add ODP support to MW")
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/odp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index 0aa10ebda5d9a..91669e35c6ca8 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -711,6 +711,15 @@ struct pf_frame {
+ int depth;
+ };
+
++static bool mkey_is_eq(struct mlx5_core_mkey *mmkey, u32 key)
++{
++ if (!mmkey)
++ return false;
++ if (mmkey->type == MLX5_MKEY_MW)
++ return mlx5_base_mkey(mmkey->key) == mlx5_base_mkey(key);
++ return mmkey->key == key;
++}
++
+ static int get_indirect_num_descs(struct mlx5_core_mkey *mmkey)
+ {
+ struct mlx5_ib_mw *mw;
+@@ -760,7 +769,7 @@ static int pagefault_single_data_segment(struct mlx5_ib_dev *dev,
+
+ next_mr:
+ mmkey = __mlx5_mr_lookup(dev->mdev, mlx5_base_mkey(key));
+- if (!mmkey || mmkey->key != key) {
++ if (!mkey_is_eq(mmkey, key)) {
+ mlx5_ib_dbg(dev, "failed to find mkey %x\n", key);
+ ret = -EFAULT;
+ goto srcu_unlock;
+--
+2.20.1
+
--- /dev/null
+From fcbad0bbd3af6b6839cf226550f2693ba0c4530e Mon Sep 17 00:00:00 2001
+From: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Date: Tue, 19 Feb 2019 15:04:01 -0800
+Subject: ice: Fix for adaptive interrupt moderation
+
+[ Upstream commit 64a59d05a4b3ddb37eb5ad3a3be0f17148f449f5 ]
+
+commit 63f545ed1285 ("ice: Add support for adaptive interrupt moderation")
+was meant to add support for adaptive interrupt moderation but there was
+an error on my part while formatting the patch, and thus only part of the
+patch ended up being submitted.
+
+This patch rectifies the error by adding the rest of the code.
+
+Fixes: 63f545ed1285 ("ice: Add support for adaptive interrupt moderation")
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice.h | 1 +
+ drivers/net/ethernet/intel/ice/ice_txrx.c | 292 ++++++++++++++++++++--
+ drivers/net/ethernet/intel/ice/ice_txrx.h | 6 +
+ 3 files changed, 275 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h
+index 89440775aea12..6af5bd5883ca4 100644
+--- a/drivers/net/ethernet/intel/ice/ice.h
++++ b/drivers/net/ethernet/intel/ice/ice.h
+@@ -277,6 +277,7 @@ struct ice_q_vector {
+ * value to the device
+ */
+ u8 intrl;
++ u8 itr_countdown; /* when 0 should adjust adaptive ITR */
+ } ____cacheline_internodealigned_in_smp;
+
+ enum ice_pf_flags {
+diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
+index c289d97f477d5..851030ad50160 100644
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
+@@ -1048,18 +1048,257 @@ static int ice_clean_rx_irq(struct ice_ring *rx_ring, int budget)
+ return failure ? budget : (int)total_rx_pkts;
+ }
+
++static unsigned int ice_itr_divisor(struct ice_port_info *pi)
++{
++ switch (pi->phy.link_info.link_speed) {
++ case ICE_AQ_LINK_SPEED_40GB:
++ return ICE_ITR_ADAPTIVE_MIN_INC * 1024;
++ case ICE_AQ_LINK_SPEED_25GB:
++ case ICE_AQ_LINK_SPEED_20GB:
++ return ICE_ITR_ADAPTIVE_MIN_INC * 512;
++ case ICE_AQ_LINK_SPEED_100MB:
++ return ICE_ITR_ADAPTIVE_MIN_INC * 32;
++ default:
++ return ICE_ITR_ADAPTIVE_MIN_INC * 256;
++ }
++}
++
++/**
++ * ice_update_itr - update the adaptive ITR value based on statistics
++ * @q_vector: structure containing interrupt and ring information
++ * @rc: structure containing ring performance data
++ *
++ * Stores a new ITR value based on packets and byte
++ * counts during the last interrupt. The advantage of per interrupt
++ * computation is faster updates and more accurate ITR for the current
++ * traffic pattern. Constants in this function were computed
++ * based on theoretical maximum wire speed and thresholds were set based
++ * on testing data as well as attempting to minimize response time
++ * while increasing bulk throughput.
++ */
++static void
++ice_update_itr(struct ice_q_vector *q_vector, struct ice_ring_container *rc)
++{
++ unsigned int avg_wire_size, packets, bytes, itr;
++ unsigned long next_update = jiffies;
++ bool container_is_rx;
++
++ if (!rc->ring || !ITR_IS_DYNAMIC(rc->itr_setting))
++ return;
++
++ /* If itr_countdown is set it means we programmed an ITR within
++ * the last 4 interrupt cycles. This has a side effect of us
++ * potentially firing an early interrupt. In order to work around
++ * this we need to throw out any data received for a few
++ * interrupts following the update.
++ */
++ if (q_vector->itr_countdown) {
++ itr = rc->target_itr;
++ goto clear_counts;
++ }
++
++ container_is_rx = (&q_vector->rx == rc);
++ /* For Rx we want to push the delay up and default to low latency.
++ * for Tx we want to pull the delay down and default to high latency.
++ */
++ itr = container_is_rx ?
++ ICE_ITR_ADAPTIVE_MIN_USECS | ICE_ITR_ADAPTIVE_LATENCY :
++ ICE_ITR_ADAPTIVE_MAX_USECS | ICE_ITR_ADAPTIVE_LATENCY;
++
++ /* If we didn't update within up to 1 - 2 jiffies we can assume
++ * that either packets are coming in so slow there hasn't been
++ * any work, or that there is so much work that NAPI is dealing
++ * with interrupt moderation and we don't need to do anything.
++ */
++ if (time_after(next_update, rc->next_update))
++ goto clear_counts;
++
++ packets = rc->total_pkts;
++ bytes = rc->total_bytes;
++
++ if (container_is_rx) {
++ /* If Rx there are 1 to 4 packets and bytes are less than
++ * 9000 assume insufficient data to use bulk rate limiting
++ * approach unless Tx is already in bulk rate limiting. We
++ * are likely latency driven.
++ */
++ if (packets && packets < 4 && bytes < 9000 &&
++ (q_vector->tx.target_itr & ICE_ITR_ADAPTIVE_LATENCY)) {
++ itr = ICE_ITR_ADAPTIVE_LATENCY;
++ goto adjust_by_size;
++ }
++ } else if (packets < 4) {
++ /* If we have Tx and Rx ITR maxed and Tx ITR is running in
++ * bulk mode and we are receiving 4 or fewer packets just
++ * reset the ITR_ADAPTIVE_LATENCY bit for latency mode so
++ * that the Rx can relax.
++ */
++ if (rc->target_itr == ICE_ITR_ADAPTIVE_MAX_USECS &&
++ (q_vector->rx.target_itr & ICE_ITR_MASK) ==
++ ICE_ITR_ADAPTIVE_MAX_USECS)
++ goto clear_counts;
++ } else if (packets > 32) {
++ /* If we have processed over 32 packets in a single interrupt
++ * for Tx assume we need to switch over to "bulk" mode.
++ */
++ rc->target_itr &= ~ICE_ITR_ADAPTIVE_LATENCY;
++ }
++
++ /* We have no packets to actually measure against. This means
++ * either one of the other queues on this vector is active or
++ * we are a Tx queue doing TSO with too high of an interrupt rate.
++ *
++ * Between 4 and 56 we can assume that our current interrupt delay
++ * is only slightly too low. As such we should increase it by a small
++ * fixed amount.
++ */
++ if (packets < 56) {
++ itr = rc->target_itr + ICE_ITR_ADAPTIVE_MIN_INC;
++ if ((itr & ICE_ITR_MASK) > ICE_ITR_ADAPTIVE_MAX_USECS) {
++ itr &= ICE_ITR_ADAPTIVE_LATENCY;
++ itr += ICE_ITR_ADAPTIVE_MAX_USECS;
++ }
++ goto clear_counts;
++ }
++
++ if (packets <= 256) {
++ itr = min(q_vector->tx.current_itr, q_vector->rx.current_itr);
++ itr &= ICE_ITR_MASK;
++
++ /* Between 56 and 112 is our "goldilocks" zone where we are
++ * working out "just right". Just report that our current
++ * ITR is good for us.
++ */
++ if (packets <= 112)
++ goto clear_counts;
++
++ /* If packet count is 128 or greater we are likely looking
++ * at a slight overrun of the delay we want. Try halving
++ * our delay to see if that will cut the number of packets
++ * in half per interrupt.
++ */
++ itr >>= 1;
++ itr &= ICE_ITR_MASK;
++ if (itr < ICE_ITR_ADAPTIVE_MIN_USECS)
++ itr = ICE_ITR_ADAPTIVE_MIN_USECS;
++
++ goto clear_counts;
++ }
++
++ /* The paths below assume we are dealing with a bulk ITR since
++ * number of packets is greater than 256. We are just going to have
++ * to compute a value and try to bring the count under control,
++ * though for smaller packet sizes there isn't much we can do as
++ * NAPI polling will likely be kicking in sooner rather than later.
++ */
++ itr = ICE_ITR_ADAPTIVE_BULK;
++
++adjust_by_size:
++ /* If packet counts are 256 or greater we can assume we have a gross
++ * overestimation of what the rate should be. Instead of trying to fine
++ * tune it just use the formula below to try and dial in an exact value
++ * gives the current packet size of the frame.
++ */
++ avg_wire_size = bytes / packets;
++
++ /* The following is a crude approximation of:
++ * wmem_default / (size + overhead) = desired_pkts_per_int
++ * rate / bits_per_byte / (size + ethernet overhead) = pkt_rate
++ * (desired_pkt_rate / pkt_rate) * usecs_per_sec = ITR value
++ *
++ * Assuming wmem_default is 212992 and overhead is 640 bytes per
++ * packet, (256 skb, 64 headroom, 320 shared info), we can reduce the
++ * formula down to
++ *
++ * (170 * (size + 24)) / (size + 640) = ITR
++ *
++ * We first do some math on the packet size and then finally bitshift
++ * by 8 after rounding up. We also have to account for PCIe link speed
++ * difference as ITR scales based on this.
++ */
++ if (avg_wire_size <= 60) {
++ /* Start at 250k ints/sec */
++ avg_wire_size = 4096;
++ } else if (avg_wire_size <= 380) {
++ /* 250K ints/sec to 60K ints/sec */
++ avg_wire_size *= 40;
++ avg_wire_size += 1696;
++ } else if (avg_wire_size <= 1084) {
++ /* 60K ints/sec to 36K ints/sec */
++ avg_wire_size *= 15;
++ avg_wire_size += 11452;
++ } else if (avg_wire_size <= 1980) {
++ /* 36K ints/sec to 30K ints/sec */
++ avg_wire_size *= 5;
++ avg_wire_size += 22420;
++ } else {
++ /* plateau at a limit of 30K ints/sec */
++ avg_wire_size = 32256;
++ }
++
++ /* If we are in low latency mode halve our delay which doubles the
++ * rate to somewhere between 100K to 16K ints/sec
++ */
++ if (itr & ICE_ITR_ADAPTIVE_LATENCY)
++ avg_wire_size >>= 1;
++
++ /* Resultant value is 256 times larger than it needs to be. This
++ * gives us room to adjust the value as needed to either increase
++ * or decrease the value based on link speeds of 10G, 2.5G, 1G, etc.
++ *
++ * Use addition as we have already recorded the new latency flag
++ * for the ITR value.
++ */
++ itr += DIV_ROUND_UP(avg_wire_size,
++ ice_itr_divisor(q_vector->vsi->port_info)) *
++ ICE_ITR_ADAPTIVE_MIN_INC;
++
++ if ((itr & ICE_ITR_MASK) > ICE_ITR_ADAPTIVE_MAX_USECS) {
++ itr &= ICE_ITR_ADAPTIVE_LATENCY;
++ itr += ICE_ITR_ADAPTIVE_MAX_USECS;
++ }
++
++clear_counts:
++ /* write back value */
++ rc->target_itr = itr;
++
++ /* next update should occur within next jiffy */
++ rc->next_update = next_update + 1;
++
++ rc->total_bytes = 0;
++ rc->total_pkts = 0;
++}
++
+ /**
+ * ice_buildreg_itr - build value for writing to the GLINT_DYN_CTL register
+ * @itr_idx: interrupt throttling index
+- * @reg_itr: interrupt throttling value adjusted based on ITR granularity
++ * @itr: interrupt throttling value in usecs
+ */
+-static u32 ice_buildreg_itr(int itr_idx, u16 reg_itr)
++static u32 ice_buildreg_itr(int itr_idx, u16 itr)
+ {
++ /* The itr value is reported in microseconds, and the register value is
++ * recorded in 2 microsecond units. For this reason we only need to
++ * shift by the GLINT_DYN_CTL_INTERVAL_S - ICE_ITR_GRAN_S to apply this
++ * granularity as a shift instead of division. The mask makes sure the
++ * ITR value is never odd so we don't accidentally write into the field
++ * prior to the ITR field.
++ */
++ itr &= ICE_ITR_MASK;
++
+ return GLINT_DYN_CTL_INTENA_M | GLINT_DYN_CTL_CLEARPBA_M |
+ (itr_idx << GLINT_DYN_CTL_ITR_INDX_S) |
+- (reg_itr << GLINT_DYN_CTL_INTERVAL_S);
++ (itr << (GLINT_DYN_CTL_INTERVAL_S - ICE_ITR_GRAN_S));
+ }
+
++/* The act of updating the ITR will cause it to immediately trigger. In order
++ * to prevent this from throwing off adaptive update statistics we defer the
++ * update so that it can only happen so often. So after either Tx or Rx are
++ * updated we make the adaptive scheme wait until either the ITR completely
++ * expires via the next_update expiration or we have been through at least
++ * 3 interrupts.
++ */
++#define ITR_COUNTDOWN_START 3
++
+ /**
+ * ice_update_ena_itr - Update ITR and re-enable MSIX interrupt
+ * @vsi: the VSI associated with the q_vector
+@@ -1068,10 +1307,14 @@ static u32 ice_buildreg_itr(int itr_idx, u16 reg_itr)
+ static void
+ ice_update_ena_itr(struct ice_vsi *vsi, struct ice_q_vector *q_vector)
+ {
+- struct ice_hw *hw = &vsi->back->hw;
+- struct ice_ring_container *rc;
++ struct ice_ring_container *tx = &q_vector->tx;
++ struct ice_ring_container *rx = &q_vector->rx;
+ u32 itr_val;
+
++ /* This will do nothing if dynamic updates are not enabled */
++ ice_update_itr(q_vector, tx);
++ ice_update_itr(q_vector, rx);
++
+ /* This block of logic allows us to get away with only updating
+ * one ITR value with each interrupt. The idea is to perform a
+ * pseudo-lazy update with the following criteria.
+@@ -1080,35 +1323,36 @@ ice_update_ena_itr(struct ice_vsi *vsi, struct ice_q_vector *q_vector)
+ * 2. If we must reduce an ITR that is given highest priority.
+ * 3. We then give priority to increasing ITR based on amount.
+ */
+- if (q_vector->rx.target_itr < q_vector->rx.current_itr) {
+- rc = &q_vector->rx;
++ if (rx->target_itr < rx->current_itr) {
+ /* Rx ITR needs to be reduced, this is highest priority */
+- itr_val = ice_buildreg_itr(rc->itr_idx, rc->target_itr);
+- rc->current_itr = rc->target_itr;
+- } else if ((q_vector->tx.target_itr < q_vector->tx.current_itr) ||
+- ((q_vector->rx.target_itr - q_vector->rx.current_itr) <
+- (q_vector->tx.target_itr - q_vector->tx.current_itr))) {
+- rc = &q_vector->tx;
++ itr_val = ice_buildreg_itr(rx->itr_idx, rx->target_itr);
++ rx->current_itr = rx->target_itr;
++ q_vector->itr_countdown = ITR_COUNTDOWN_START;
++ } else if ((tx->target_itr < tx->current_itr) ||
++ ((rx->target_itr - rx->current_itr) <
++ (tx->target_itr - tx->current_itr))) {
+ /* Tx ITR needs to be reduced, this is second priority
+ * Tx ITR needs to be increased more than Rx, fourth priority
+ */
+- itr_val = ice_buildreg_itr(rc->itr_idx, rc->target_itr);
+- rc->current_itr = rc->target_itr;
+- } else if (q_vector->rx.current_itr != q_vector->rx.target_itr) {
+- rc = &q_vector->rx;
++ itr_val = ice_buildreg_itr(tx->itr_idx, tx->target_itr);
++ tx->current_itr = tx->target_itr;
++ q_vector->itr_countdown = ITR_COUNTDOWN_START;
++ } else if (rx->current_itr != rx->target_itr) {
+ /* Rx ITR needs to be increased, third priority */
+- itr_val = ice_buildreg_itr(rc->itr_idx, rc->target_itr);
+- rc->current_itr = rc->target_itr;
++ itr_val = ice_buildreg_itr(rx->itr_idx, rx->target_itr);
++ rx->current_itr = rx->target_itr;
++ q_vector->itr_countdown = ITR_COUNTDOWN_START;
+ } else {
+ /* Still have to re-enable the interrupts */
+ itr_val = ice_buildreg_itr(ICE_ITR_NONE, 0);
++ if (q_vector->itr_countdown)
++ q_vector->itr_countdown--;
+ }
+
+- if (!test_bit(__ICE_DOWN, vsi->state)) {
+- int vector = vsi->hw_base_vector + q_vector->v_idx;
+-
+- wr32(hw, GLINT_DYN_CTL(vector), itr_val);
+- }
++ if (!test_bit(__ICE_DOWN, vsi->state))
++ wr32(&vsi->back->hw,
++ GLINT_DYN_CTL(vsi->hw_base_vector + q_vector->v_idx),
++ itr_val);
+ }
+
+ /**
+diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h
+index fc358ea81816f..74a031fbd7323 100644
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.h
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h
+@@ -128,6 +128,12 @@ enum ice_rx_dtype {
+ #define ICE_ITR_MASK 0x1FFE /* ITR register value alignment mask */
+ #define ITR_REG_ALIGN(setting) __ALIGN_MASK(setting, ~ICE_ITR_MASK)
+
++#define ICE_ITR_ADAPTIVE_MIN_INC 0x0002
++#define ICE_ITR_ADAPTIVE_MIN_USECS 0x0002
++#define ICE_ITR_ADAPTIVE_MAX_USECS 0x00FA
++#define ICE_ITR_ADAPTIVE_LATENCY 0x8000
++#define ICE_ITR_ADAPTIVE_BULK 0x0000
++
+ #define ICE_DFLT_INTRL 0
+
+ /* Legacy or Advanced Mode Queue */
+--
+2.20.1
+
--- /dev/null
+From b6ec21b4f77e6eb09f48c061b0b6b19514bb177d Mon Sep 17 00:00:00 2001
+From: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
+Date: Fri, 8 Feb 2019 12:50:49 -0800
+Subject: ice: Fix issue with VF reset and multiple VFs support on PFs
+
+[ Upstream commit 42b2cc83afb4d1afcf7794148dd4e8e45ba32943 ]
+
+This patch fixes issues with VF queues being disabled, and VF netdev
+network carrier being lost after reset. Basically, we need to check if VF
+is enabled, and queue configured in reset_all_vfs flow, and disable/enable
+those queues appropriately whenever the function is called after
+Global/CORER/PFR reset/rebuild/replay.
+
+Signed-off-by: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/ice/ice_virtchnl_pf.c | 20 ++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index 57155b4a59dc1..8b1ee9f3a39d6 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -764,6 +764,7 @@ static void ice_cleanup_and_realloc_vf(struct ice_vf *vf)
+ bool ice_reset_all_vfs(struct ice_pf *pf, bool is_vflr)
+ {
+ struct ice_hw *hw = &pf->hw;
++ struct ice_vf *vf;
+ int v, i;
+
+ /* If we don't have any VFs, then there is nothing to reset */
+@@ -778,12 +779,17 @@ bool ice_reset_all_vfs(struct ice_pf *pf, bool is_vflr)
+ for (v = 0; v < pf->num_alloc_vfs; v++)
+ ice_trigger_vf_reset(&pf->vf[v], is_vflr);
+
+- /* Call Disable LAN Tx queue AQ call with VFR bit set and 0
+- * queues to inform Firmware about VF reset.
+- */
+- for (v = 0; v < pf->num_alloc_vfs; v++)
+- ice_dis_vsi_txq(pf->vsi[0]->port_info, 0, NULL, NULL,
+- ICE_VF_RESET, v, NULL);
++ for (v = 0; v < pf->num_alloc_vfs; v++) {
++ struct ice_vsi *vsi;
++
++ vf = &pf->vf[v];
++ vsi = pf->vsi[vf->lan_vsi_idx];
++ if (test_bit(ICE_VF_STATE_ENA, vf->vf_states)) {
++ ice_vsi_stop_lan_tx_rings(vsi, ICE_VF_RESET, vf->vf_id);
++ ice_vsi_stop_rx_rings(vsi);
++ clear_bit(ICE_VF_STATE_ENA, vf->vf_states);
++ }
++ }
+
+ /* HW requires some time to make sure it can flush the FIFO for a VF
+ * when it resets it. Poll the VPGEN_VFRSTAT register for each VF in
+@@ -796,9 +802,9 @@ bool ice_reset_all_vfs(struct ice_pf *pf, bool is_vflr)
+
+ /* Check each VF in sequence */
+ while (v < pf->num_alloc_vfs) {
+- struct ice_vf *vf = &pf->vf[v];
+ u32 reg;
+
++ vf = &pf->vf[v];
+ reg = rd32(hw, VPGEN_VFRSTAT(vf->vf_id));
+ if (!(reg & VPGEN_VFRSTAT_VFRD_M))
+ break;
+--
+2.20.1
+
--- /dev/null
+From e108cb3d633f94a4deb11af87c654c69f1a5ab2e Mon Sep 17 00:00:00 2001
+From: Tony Nguyen <anthony.l.nguyen@intel.com>
+Date: Tue, 16 Apr 2019 10:21:15 -0700
+Subject: ice: Preserve VLAN Rx stripping settings
+
+[ Upstream commit e80e76db6c5bbc7a8f8512f3dc630a2170745b0b ]
+
+When Tx insertion is set, we are not accounting for the state of Rx
+stripping. This causes Rx stripping to be enabled any time Tx
+insertion is changed, even when it's supposed to be disabled.
+
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index fa61203bee269..b710545cf7d1a 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -1848,6 +1848,10 @@ int ice_vsi_manage_vlan_insertion(struct ice_vsi *vsi)
+ */
+ ctxt->info.vlan_flags = ICE_AQ_VSI_VLAN_MODE_ALL;
+
++ /* Preserve existing VLAN strip setting */
++ ctxt->info.vlan_flags |= (vsi->info.vlan_flags &
++ ICE_AQ_VSI_VLAN_EMOD_M);
++
+ ctxt->info.valid_sections = cpu_to_le16(ICE_AQ_VSI_PROP_VLAN_VALID);
+
+ status = ice_update_vsi(hw, vsi->idx, ctxt, NULL);
+--
+2.20.1
+
--- /dev/null
+From fb68b12250cb30d059a1025c6fb4e9c3f0ec0c98 Mon Sep 17 00:00:00 2001
+From: Dave Ertman <david.m.ertman@intel.com>
+Date: Wed, 13 Feb 2019 10:51:08 -0800
+Subject: ice: Prevent unintended multiple chain resets
+
+[ Upstream commit 2ebd4428d93a2f6ce0c813b10a1a43b6a8241fe5 ]
+
+In the current implementation of ice_reset_subtask, if multiple reset
+types are set in the pf->state, the most intrusive one is meant to be
+performed only, but the bits requesting the other types are not being
+cleared. This would lead to another reset being performed the next time
+the service task is scheduled.
+
+Change the flow of ice_reset_subtask so that all reset request bits in
+pf->state are cleared, and we still perform the most intrusive of the
+resets requested.
+
+Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index ac30288720f71..ba9f88cd138de 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -416,8 +416,14 @@ static void ice_reset_subtask(struct ice_pf *pf)
+ * for the reset now), poll for reset done, rebuild and return.
+ */
+ if (test_bit(__ICE_RESET_OICR_RECV, pf->state)) {
+- clear_bit(__ICE_GLOBR_RECV, pf->state);
+- clear_bit(__ICE_CORER_RECV, pf->state);
++ /* Perform the largest reset requested */
++ if (test_and_clear_bit(__ICE_CORER_RECV, pf->state))
++ reset_type = ICE_RESET_CORER;
++ if (test_and_clear_bit(__ICE_GLOBR_RECV, pf->state))
++ reset_type = ICE_RESET_GLOBR;
++ /* return if no valid reset type requested */
++ if (reset_type == ICE_RESET_INVAL)
++ return;
+ if (!test_bit(__ICE_PREPARED_FOR_RESET, pf->state))
+ ice_prepare_for_reset(pf);
+
+--
+2.20.1
+
--- /dev/null
+From 9ec3df1a032646d546feb51e6f4fc8ba6fb484f6 Mon Sep 17 00:00:00 2001
+From: Brett Creeley <brett.creeley@intel.com>
+Date: Wed, 13 Feb 2019 10:51:14 -0800
+Subject: ice: Put __ICE_PREPARED_FOR_RESET check in ice_prepare_for_reset
+
+[ Upstream commit 5abac9d7e1bb9a373673811154774d4c89a7f85e ]
+
+Currently we check if the __ICE_PREPARED_FOR_RESET bit is set prior to
+calling ice_prepare_for_reset in ice_reset_subtask(), but we aren't
+checking that bit in ice_do_reset() before calling
+ice_prepare_for_reset(). This is not consistent and can cause issues if
+ice_prepare_for_reset() is called prior to ice_do_reset(). Fix this by
+checking if the __ICE_PREPARED_FOR_RESET bit is set internal to
+ice_prepare_for_reset().
+
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index ba9f88cd138de..6ec73864019c0 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -342,6 +342,10 @@ ice_prepare_for_reset(struct ice_pf *pf)
+ {
+ struct ice_hw *hw = &pf->hw;
+
++ /* already prepared for reset */
++ if (test_bit(__ICE_PREPARED_FOR_RESET, pf->state))
++ return;
++
+ /* Notify VFs of impending reset */
+ if (ice_check_sq_alive(hw, &hw->mailboxq))
+ ice_vc_notify_reset(pf);
+@@ -424,8 +428,7 @@ static void ice_reset_subtask(struct ice_pf *pf)
+ /* return if no valid reset type requested */
+ if (reset_type == ICE_RESET_INVAL)
+ return;
+- if (!test_bit(__ICE_PREPARED_FOR_RESET, pf->state))
+- ice_prepare_for_reset(pf);
++ ice_prepare_for_reset(pf);
+
+ /* make sure we are ready to rebuild */
+ if (ice_check_reset(&pf->hw)) {
+--
+2.20.1
+
--- /dev/null
+From 889fefe7c691093563b96c0dee3d4a8aa707ad14 Mon Sep 17 00:00:00 2001
+From: Tony Nguyen <anthony.l.nguyen@intel.com>
+Date: Tue, 16 Apr 2019 10:21:23 -0700
+Subject: ice: Separate if conditions for ice_set_features()
+
+[ Upstream commit 8f529ff912073f778e3cd74e87fb69a36499fc2f ]
+
+Set features can have multiple features turned on|off in a single
+call. Grouping these all in an if/else means after one condition
+is met, other conditions/features will not be evaluated. Break
+the if/else statements by feature to ensure all features will be
+handled properly.
+
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 47cc3f905b7ff..ac30288720f71 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -2545,6 +2545,9 @@ static int ice_set_features(struct net_device *netdev,
+ struct ice_vsi *vsi = np->vsi;
+ int ret = 0;
+
++ /* Multiple features can be changed in one call so keep features in
++ * separate if/else statements to guarantee each feature is checked
++ */
+ if (features & NETIF_F_RXHASH && !(netdev->features & NETIF_F_RXHASH))
+ ret = ice_vsi_manage_rss_lut(vsi, true);
+ else if (!(features & NETIF_F_RXHASH) &&
+@@ -2557,8 +2560,9 @@ static int ice_set_features(struct net_device *netdev,
+ else if (!(features & NETIF_F_HW_VLAN_CTAG_RX) &&
+ (netdev->features & NETIF_F_HW_VLAN_CTAG_RX))
+ ret = ice_vsi_manage_vlan_stripping(vsi, false);
+- else if ((features & NETIF_F_HW_VLAN_CTAG_TX) &&
+- !(netdev->features & NETIF_F_HW_VLAN_CTAG_TX))
++
++ if ((features & NETIF_F_HW_VLAN_CTAG_TX) &&
++ !(netdev->features & NETIF_F_HW_VLAN_CTAG_TX))
+ ret = ice_vsi_manage_vlan_insertion(vsi);
+ else if (!(features & NETIF_F_HW_VLAN_CTAG_TX) &&
+ (netdev->features & NETIF_F_HW_VLAN_CTAG_TX))
+--
+2.20.1
+
--- /dev/null
+From eef268e89acbc876f59e84a822fbeeae3dbb028e Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 11 Dec 2018 15:59:38 +0800
+Subject: igb: Exclude device from suspend direct complete optimization
+
+[ Upstream commit 5b6e13216be29ced7350d9c354a1af8fe0ad9a3e ]
+
+igb sets different WoL settings in system suspend callback and runtime
+suspend callback.
+
+The suspend direct complete optimization leaves igb in runtime suspended
+state with wrong WoL setting during system suspend.
+
+To fix this, we need to disable suspend direct complete optimization to
+let igb always use suspend callback to set correct WoL during system
+suspend.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 3269d8e94744f..580d14b49fda1 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3452,6 +3452,9 @@ static int igb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ break;
+ }
+ }
++
++ dev_pm_set_driver_flags(&pdev->dev, DPM_FLAG_NEVER_SKIP);
++
+ pm_runtime_put_noidle(&pdev->dev);
+ return 0;
+
+--
+2.20.1
+
--- /dev/null
+From 05794ffcba1bdbeeffd042ac552593ff8edb5e4d Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Tue, 19 Mar 2019 13:37:55 +0200
+Subject: iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
+
+[ Upstream commit df1d80aee963480c5c2938c64ec0ac3e4a0df2e0 ]
+
+For devices from the SigmaDelta family we need to keep CS low when doing a
+conversion, since the device will use the MISO line as a interrupt to
+indicate that the conversion is complete.
+
+This is why the driver locks the SPI bus and when the SPI bus is locked
+keeps as long as a conversion is going on. The current implementation gets
+one small detail wrong though. CS is only de-asserted after the SPI bus is
+unlocked. This means it is possible for a different SPI device on the same
+bus to send a message which would be wrongfully be addressed to the
+SigmaDelta device as well. Make sure that the last SPI transfer that is
+done while holding the SPI bus lock de-asserts the CS signal.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Alexandru Ardelean <Alexandru.Ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c | 16 +++++++++++-----
+ include/linux/iio/adc/ad_sigma_delta.h | 1 +
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
+index 54d9978b27405..a4310600a8536 100644
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -62,7 +62,7 @@ int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
+ struct spi_transfer t = {
+ .tx_buf = data,
+ .len = size + 1,
+- .cs_change = sigma_delta->bus_locked,
++ .cs_change = sigma_delta->keep_cs_asserted,
+ };
+ struct spi_message m;
+ int ret;
+@@ -218,6 +218,7 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
+ reinit_completion(&sigma_delta->completion);
+
+ ret = ad_sigma_delta_set_mode(sigma_delta, mode);
+@@ -235,9 +236,10 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+ ret = 0;
+ }
+ out:
++ sigma_delta->keep_cs_asserted = false;
++ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+ sigma_delta->bus_locked = false;
+ spi_bus_unlock(sigma_delta->spi->master);
+- ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+
+ return ret;
+ }
+@@ -290,6 +292,7 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
+ reinit_completion(&sigma_delta->completion);
+
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_SINGLE);
+@@ -299,9 +302,6 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ ret = wait_for_completion_interruptible_timeout(
+ &sigma_delta->completion, HZ);
+
+- sigma_delta->bus_locked = false;
+- spi_bus_unlock(sigma_delta->spi->master);
+-
+ if (ret == 0)
+ ret = -EIO;
+ if (ret < 0)
+@@ -322,7 +322,10 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ sigma_delta->irq_dis = true;
+ }
+
++ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
++ sigma_delta->bus_locked = false;
++ spi_bus_unlock(sigma_delta->spi->master);
+ mutex_unlock(&indio_dev->mlock);
+
+ if (ret)
+@@ -359,6 +362,8 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev)
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
++
+ ret = ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_CONTINUOUS);
+ if (ret)
+ goto err_unlock;
+@@ -387,6 +392,7 @@ static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
+ sigma_delta->irq_dis = true;
+ }
+
++ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+
+ sigma_delta->bus_locked = false;
+diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h
+index 7e84351fa2c05..6e9fb1932dde9 100644
+--- a/include/linux/iio/adc/ad_sigma_delta.h
++++ b/include/linux/iio/adc/ad_sigma_delta.h
+@@ -69,6 +69,7 @@ struct ad_sigma_delta {
+ bool irq_dis;
+
+ bool bus_locked;
++ bool keep_cs_asserted;
+
+ uint8_t comm;
+
+--
+2.20.1
+
--- /dev/null
+From 9a173888dc9c872e3ebc90d6c8999538e6b4d03d Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier <fabrice.gasnier@st.com>
+Date: Mon, 15 Apr 2019 15:00:50 +0200
+Subject: iio: adc: stm32-dfsdm: fix unmet direct dependencies detected
+
+[ Upstream commit ba7ecfe43d6bf12e2aa76705c45f7d187ae3d7c0 ]
+
+This fixes unmet direct dependencies seen when CONFIG_STM32_DFSDM_ADC
+is selected:
+
+WARNING: unmet direct dependencies detected for IIO_BUFFER_HW_CONSUMER
+ Depends on [n]: IIO [=y] && IIO_BUFFER [=n]
+ Selected by [y]:
+ - STM32_DFSDM_ADC [=y] && IIO [=y] && (ARCH_STM32 [=y] && OF [=y] ||
+ COMPILE_TEST [=n])
+
+Fixes: e2e6771c6462 ("IIO: ADC: add STM32 DFSDM sigma delta ADC support")
+
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig
+index 76db6e5cc2961..9ca21a8dfcd71 100644
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -809,6 +809,7 @@ config STM32_DFSDM_ADC
+ depends on (ARCH_STM32 && OF) || COMPILE_TEST
+ select STM32_DFSDM_CORE
+ select REGMAP_MMIO
++ select IIO_BUFFER
+ select IIO_BUFFER_HW_CONSUMER
+ help
+ Select this option to support ADCSigma delta modulator for
+--
+2.20.1
+
--- /dev/null
+From f50b0c4bdaee03a5d749aefd1936efcbec72d3e1 Mon Sep 17 00:00:00 2001
+From: Justin Chen <justinpopo6@gmail.com>
+Date: Thu, 28 Feb 2019 14:16:48 -0800
+Subject: iio: adc: ti-ads7950: Fix improper use of mlock
+
+[ Upstream commit abbde2792999c9ad3514dd25d7f8d9a96034fe16 ]
+
+Indio->mlock is used for protecting the different iio device modes.
+It is currently not being used in this way. Replace the lock with
+an internal lock specifically used for protecting the SPI transfer
+buffer.
+
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ti-ads7950.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ti-ads7950.c b/drivers/iio/adc/ti-ads7950.c
+index 0ad63592cc3c9..1e47bef72bb79 100644
+--- a/drivers/iio/adc/ti-ads7950.c
++++ b/drivers/iio/adc/ti-ads7950.c
+@@ -56,6 +56,9 @@ struct ti_ads7950_state {
+ struct spi_message ring_msg;
+ struct spi_message scan_single_msg;
+
++ /* Lock to protect the spi xfer buffers */
++ struct mutex slock;
++
+ struct regulator *reg;
+ unsigned int vref_mv;
+
+@@ -268,6 +271,7 @@ static irqreturn_t ti_ads7950_trigger_handler(int irq, void *p)
+ struct ti_ads7950_state *st = iio_priv(indio_dev);
+ int ret;
+
++ mutex_lock(&st->slock);
+ ret = spi_sync(st->spi, &st->ring_msg);
+ if (ret < 0)
+ goto out;
+@@ -276,6 +280,7 @@ static irqreturn_t ti_ads7950_trigger_handler(int irq, void *p)
+ iio_get_time_ns(indio_dev));
+
+ out:
++ mutex_unlock(&st->slock);
+ iio_trigger_notify_done(indio_dev->trig);
+
+ return IRQ_HANDLED;
+@@ -286,7 +291,7 @@ static int ti_ads7950_scan_direct(struct iio_dev *indio_dev, unsigned int ch)
+ struct ti_ads7950_state *st = iio_priv(indio_dev);
+ int ret, cmd;
+
+- mutex_lock(&indio_dev->mlock);
++ mutex_lock(&st->slock);
+
+ cmd = TI_ADS7950_CR_WRITE | TI_ADS7950_CR_CHAN(ch) | st->settings;
+ st->single_tx = cmd;
+@@ -298,7 +303,7 @@ static int ti_ads7950_scan_direct(struct iio_dev *indio_dev, unsigned int ch)
+ ret = st->single_rx;
+
+ out:
+- mutex_unlock(&indio_dev->mlock);
++ mutex_unlock(&st->slock);
+
+ return ret;
+ }
+@@ -432,16 +437,19 @@ static int ti_ads7950_probe(struct spi_device *spi)
+ if (ACPI_COMPANION(&spi->dev))
+ st->vref_mv = TI_ADS7950_VA_MV_ACPI_DEFAULT;
+
++ mutex_init(&st->slock);
++
+ st->reg = devm_regulator_get(&spi->dev, "vref");
+ if (IS_ERR(st->reg)) {
+ dev_err(&spi->dev, "Failed get get regulator \"vref\"\n");
+- return PTR_ERR(st->reg);
++ ret = PTR_ERR(st->reg);
++ goto error_destroy_mutex;
+ }
+
+ ret = regulator_enable(st->reg);
+ if (ret) {
+ dev_err(&spi->dev, "Failed to enable regulator \"vref\"\n");
+- return ret;
++ goto error_destroy_mutex;
+ }
+
+ ret = iio_triggered_buffer_setup(indio_dev, NULL,
+@@ -463,6 +471,8 @@ static int ti_ads7950_probe(struct spi_device *spi)
+ iio_triggered_buffer_cleanup(indio_dev);
+ error_disable_reg:
+ regulator_disable(st->reg);
++error_destroy_mutex:
++ mutex_destroy(&st->slock);
+
+ return ret;
+ }
+@@ -475,6 +485,7 @@ static int ti_ads7950_remove(struct spi_device *spi)
+ iio_device_unregister(indio_dev);
+ iio_triggered_buffer_cleanup(indio_dev);
+ regulator_disable(st->reg);
++ mutex_destroy(&st->slock);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 4012fe378c3608d30e1a07aa216c63a113c57900 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Thu, 7 Mar 2019 14:45:46 -0700
+Subject: iio: common: ssp_sensors: Initialize calculated_time in
+ ssp_common_process_data
+
+[ Upstream commit 6f9ca1d3eb74b81f811a87002de2d51640d135b1 ]
+
+When building with -Wsometimes-uninitialized, Clang warns:
+
+drivers/iio/common/ssp_sensors/ssp_iio.c:95:6: warning: variable
+'calculated_time' is used uninitialized whenever 'if' condition is false
+[-Wsometimes-uninitialized]
+
+While it isn't wrong, this will never be a problem because
+iio_push_to_buffers_with_timestamp only uses calculated_time
+on the same condition that it is assigned (when scan_timestamp
+is not zero). While iio_push_to_buffers_with_timestamp is marked
+as inline, Clang does inlining in the optimization stage, which
+happens after the semantic analysis phase (plus inline is merely
+a hint to the compiler).
+
+Fix this by just zero initializing calculated_time.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/394
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/common/ssp_sensors/ssp_iio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/common/ssp_sensors/ssp_iio.c b/drivers/iio/common/ssp_sensors/ssp_iio.c
+index 645f2e3975db4..e38f704d88b7e 100644
+--- a/drivers/iio/common/ssp_sensors/ssp_iio.c
++++ b/drivers/iio/common/ssp_sensors/ssp_iio.c
+@@ -81,7 +81,7 @@ int ssp_common_process_data(struct iio_dev *indio_dev, void *buf,
+ unsigned int len, int64_t timestamp)
+ {
+ __le32 time;
+- int64_t calculated_time;
++ int64_t calculated_time = 0;
+ struct ssp_sensor_data *spd = iio_priv(indio_dev);
+
+ if (indio_dev->scan_bytes == 0)
+--
+2.20.1
+
--- /dev/null
+From 06bc1f37470b4b1a6ec9faa4ad53fa2229990b49 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 16 Mar 2019 17:08:33 -0500
+Subject: iio: hmc5843: fix potential NULL pointer dereferences
+
+[ Upstream commit 536cc27deade8f1ec3c1beefa60d5fbe0f6fcb28 ]
+
+devm_regmap_init_i2c may fail and return NULL. The fix returns
+the error when it fails.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/hmc5843_i2c.c | 7 ++++++-
+ drivers/iio/magnetometer/hmc5843_spi.c | 7 ++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/magnetometer/hmc5843_i2c.c b/drivers/iio/magnetometer/hmc5843_i2c.c
+index 3de7f4426ac40..86abba5827a25 100644
+--- a/drivers/iio/magnetometer/hmc5843_i2c.c
++++ b/drivers/iio/magnetometer/hmc5843_i2c.c
+@@ -58,8 +58,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config = {
+ static int hmc5843_i2c_probe(struct i2c_client *cli,
+ const struct i2c_device_id *id)
+ {
++ struct regmap *regmap = devm_regmap_init_i2c(cli,
++ &hmc5843_i2c_regmap_config);
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
++
+ return hmc5843_common_probe(&cli->dev,
+- devm_regmap_init_i2c(cli, &hmc5843_i2c_regmap_config),
++ regmap,
+ id->driver_data, id->name);
+ }
+
+diff --git a/drivers/iio/magnetometer/hmc5843_spi.c b/drivers/iio/magnetometer/hmc5843_spi.c
+index 535f03a70d630..79b2b707f90e7 100644
+--- a/drivers/iio/magnetometer/hmc5843_spi.c
++++ b/drivers/iio/magnetometer/hmc5843_spi.c
+@@ -58,6 +58,7 @@ static const struct regmap_config hmc5843_spi_regmap_config = {
+ static int hmc5843_spi_probe(struct spi_device *spi)
+ {
+ int ret;
++ struct regmap *regmap;
+ const struct spi_device_id *id = spi_get_device_id(spi);
+
+ spi->mode = SPI_MODE_3;
+@@ -67,8 +68,12 @@ static int hmc5843_spi_probe(struct spi_device *spi)
+ if (ret)
+ return ret;
+
++ regmap = devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config);
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
++
+ return hmc5843_common_probe(&spi->dev,
+- devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config),
++ regmap,
+ id->driver_data, id->name);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From ced24def005719e4038cfd777d965cb08f0a3bc9 Mon Sep 17 00:00:00 2001
+From: Shenghui Wang <shhuiw@foxmail.com>
+Date: Tue, 7 May 2019 16:03:19 +0800
+Subject: io_uring: use cpu_online() to check p->sq_thread_cpu instead of
+ cpu_possible()
+
+[ Upstream commit 7889f44dd9cee15aff1c3f7daf81ca4dfed48fc7 ]
+
+This issue is found by running liburing/test/io_uring_setup test.
+
+When test run, the testcase "attempt to bind to invalid cpu" would not
+pass with messages like:
+ io_uring_setup(1, 0xbfc2f7c8), \
+flags: IORING_SETUP_SQPOLL|IORING_SETUP_SQ_AFF, \
+resv: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000, \
+sq_thread_cpu: 2
+ expected -1, got 3
+ FAIL
+
+On my system, there is:
+ CPU(s) possible : 0-3
+ CPU(s) online : 0-1
+ CPU(s) offline : 2-3
+ CPU(s) present : 0-1
+
+The sq_thread_cpu 2 is offline on my system, so the bind should fail.
+But cpu_possible() will pass the check. We shouldn't be able to bind
+to an offline cpu. Use cpu_online() to do the check.
+
+After the change, the testcase run as expected: EINVAL will be returned
+for cpu offlined.
+
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Shenghui Wang <shhuiw@foxmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 84efb8956734f..30a5687a17b65 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2334,7 +2334,7 @@ static int io_sq_offload_start(struct io_ring_ctx *ctx,
+ nr_cpu_ids);
+
+ ret = -EINVAL;
+- if (!cpu_possible(cpu))
++ if (!cpu_online(cpu))
+ goto err;
+
+ ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
+--
+2.20.1
+
--- /dev/null
+From 9784deab7e7299a8972e86cd66b5399a28d3760e Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 9 Apr 2019 19:34:03 +1000
+Subject: irq_work: Do not raise an IPI when queueing work on the local CPU
+
+[ Upstream commit 471ba0e686cb13752bc1ff3216c54b69a2d250ea ]
+
+The QEMU PowerPC/PSeries machine model was not expecting a self-IPI,
+and it may be a bit surprising thing to do, so have irq_work_queue_on
+do local queueing when target is the current CPU.
+
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190409093403.20994-1-npiggin@gmail.com
+[ Simplified the preprocessor comments.
+ Fixed unbalanced curly brackets pointed out by Thomas. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq_work.c | 75 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 42 insertions(+), 33 deletions(-)
+
+diff --git a/kernel/irq_work.c b/kernel/irq_work.c
+index 6b7cdf17ccf89..73288914ed5e7 100644
+--- a/kernel/irq_work.c
++++ b/kernel/irq_work.c
+@@ -56,61 +56,70 @@ void __weak arch_irq_work_raise(void)
+ */
+ }
+
+-/*
+- * Enqueue the irq_work @work on @cpu unless it's already pending
+- * somewhere.
+- *
+- * Can be re-enqueued while the callback is still in progress.
+- */
+-bool irq_work_queue_on(struct irq_work *work, int cpu)
++/* Enqueue on current CPU, work must already be claimed and preempt disabled */
++static void __irq_work_queue_local(struct irq_work *work)
+ {
+- /* All work should have been flushed before going offline */
+- WARN_ON_ONCE(cpu_is_offline(cpu));
+-
+-#ifdef CONFIG_SMP
+-
+- /* Arch remote IPI send/receive backend aren't NMI safe */
+- WARN_ON_ONCE(in_nmi());
++ /* If the work is "lazy", handle it from next tick if any */
++ if (work->flags & IRQ_WORK_LAZY) {
++ if (llist_add(&work->llnode, this_cpu_ptr(&lazy_list)) &&
++ tick_nohz_tick_stopped())
++ arch_irq_work_raise();
++ } else {
++ if (llist_add(&work->llnode, this_cpu_ptr(&raised_list)))
++ arch_irq_work_raise();
++ }
++}
+
++/* Enqueue the irq work @work on the current CPU */
++bool irq_work_queue(struct irq_work *work)
++{
+ /* Only queue if not already pending */
+ if (!irq_work_claim(work))
+ return false;
+
+- if (llist_add(&work->llnode, &per_cpu(raised_list, cpu)))
+- arch_send_call_function_single_ipi(cpu);
+-
+-#else /* #ifdef CONFIG_SMP */
+- irq_work_queue(work);
+-#endif /* #else #ifdef CONFIG_SMP */
++ /* Queue the entry and raise the IPI if needed. */
++ preempt_disable();
++ __irq_work_queue_local(work);
++ preempt_enable();
+
+ return true;
+ }
++EXPORT_SYMBOL_GPL(irq_work_queue);
+
+-/* Enqueue the irq work @work on the current CPU */
+-bool irq_work_queue(struct irq_work *work)
++/*
++ * Enqueue the irq_work @work on @cpu unless it's already pending
++ * somewhere.
++ *
++ * Can be re-enqueued while the callback is still in progress.
++ */
++bool irq_work_queue_on(struct irq_work *work, int cpu)
+ {
++#ifndef CONFIG_SMP
++ return irq_work_queue(work);
++
++#else /* CONFIG_SMP: */
++ /* All work should have been flushed before going offline */
++ WARN_ON_ONCE(cpu_is_offline(cpu));
++
+ /* Only queue if not already pending */
+ if (!irq_work_claim(work))
+ return false;
+
+- /* Queue the entry and raise the IPI if needed. */
+ preempt_disable();
+-
+- /* If the work is "lazy", handle it from next tick if any */
+- if (work->flags & IRQ_WORK_LAZY) {
+- if (llist_add(&work->llnode, this_cpu_ptr(&lazy_list)) &&
+- tick_nohz_tick_stopped())
+- arch_irq_work_raise();
++ if (cpu != smp_processor_id()) {
++ /* Arch remote IPI send/receive backend aren't NMI safe */
++ WARN_ON_ONCE(in_nmi());
++ if (llist_add(&work->llnode, &per_cpu(raised_list, cpu)))
++ arch_send_call_function_single_ipi(cpu);
+ } else {
+- if (llist_add(&work->llnode, this_cpu_ptr(&raised_list)))
+- arch_irq_work_raise();
++ __irq_work_queue_local(work);
+ }
+-
+ preempt_enable();
+
+ return true;
++#endif /* CONFIG_SMP */
+ }
+-EXPORT_SYMBOL_GPL(irq_work_queue);
++
+
+ bool irq_work_needs_cpu(void)
+ {
+--
+2.20.1
+
--- /dev/null
+From 6a2377746a206c981df59c0d486292b4947d82b4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 19 Feb 2019 14:22:11 +0100
+Subject: iwlwifi: mvm: IBSS: use BE FIFO for multicast
+
+[ Upstream commit 192a7e1f731fd9a64216cce35287eb23360437f6 ]
+
+Back in commit 4d339989acd7 ("iwlwifi: mvm: support ibss in dqa mode")
+we changed queue selection for IBSS to be:
+
+ if (ieee80211_is_probe_resp(fc) || ieee80211_is_auth(fc) ||
+ ieee80211_is_deauth(fc))
+ return IWL_MVM_DQA_AP_PROBE_RESP_QUEUE;
+ if (info->hw_queue == info->control.vif->cab_queue)
+ return info->hw_queue;
+ return IWL_MVM_DQA_AP_PROBE_RESP_QUEUE;
+
+Clearly, the thought at the time must've been that mac80211 will
+select the hw_queue as the cab_queue, so that we'll return and use
+that, where we store the multicast queue for IBSS. This, however,
+isn't true because mac80211 doesn't implement powersave for IBSS
+and thus selects the normal IBSS interface AC queue (best effort).
+
+This therefore always used the probe response queue, which maps to
+the BE FIFO.
+
+In commit cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model")
+we rethought this code, and as a consequence now started mapping the
+multicast traffic to the multicast hardware queue since we no longer
+relied on mac80211 selecting the queue, doing it ourselves instead.
+This queue is mapped to the MCAST FIFO. however, this isn't actually
+enabled/controlled by the firmware in IBSS mode because we don't
+implement powersave, and frames from this queue can never go out in
+this case.
+
+Therefore, we got queue hang reports such as
+https://bugzilla.kernel.org/show_bug.cgi?id=201707
+
+Fix this by mapping the multicast queue to the BE FIFO in IBSS so
+that all the frames can go out.
+
+Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 98d123dd71778..eb452e9dce057 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2277,7 +2277,8 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+ static const u8 _maddr[] = {0x03, 0x00, 0x00, 0x00, 0x00, 0x00};
+ const u8 *maddr = _maddr;
+ struct iwl_trans_txq_scd_cfg cfg = {
+- .fifo = IWL_MVM_TX_FIFO_MCAST,
++ .fifo = vif->type == NL80211_IFTYPE_AP ?
++ IWL_MVM_TX_FIFO_MCAST : IWL_MVM_TX_FIFO_BE,
+ .sta_id = msta->sta_id,
+ .tid = 0,
+ .aggregate = false,
+--
+2.20.1
+
--- /dev/null
+From d1b231cb7bd04a31d94d5c438ce43b155e1ebb44 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 Mar 2019 10:31:11 +0100
+Subject: iwlwifi: pcie: don't crash on invalid RX interrupt
+
+[ Upstream commit 30f24eabab8cd801064c5c37589d803cb4341929 ]
+
+If for some reason the device gives us an RX interrupt before we're
+ready for it, perhaps during device power-on with misconfigured IRQ
+causes mapping or so, we can crash trying to access the queues.
+
+Prevent that by checking that we actually have RXQs and that they
+were properly allocated.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+index 8d4f0628622bb..12f02aaf923ed 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -1434,10 +1434,15 @@ static struct iwl_rx_mem_buffer *iwl_pcie_get_rxb(struct iwl_trans *trans,
+ static void iwl_pcie_rx_handle(struct iwl_trans *trans, int queue)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+- struct iwl_rxq *rxq = &trans_pcie->rxq[queue];
++ struct iwl_rxq *rxq;
+ u32 r, i, count = 0;
+ bool emergency = false;
+
++ if (WARN_ON_ONCE(!trans_pcie->rxq || !trans_pcie->rxq[queue].bd))
++ return;
++
++ rxq = &trans_pcie->rxq[queue];
++
+ restart:
+ spin_lock(&rxq->lock);
+ /* uCode's read index (stored in shared DRAM) indicates the last Rx
+--
+2.20.1
+
--- /dev/null
+From 153f4a9bdf93ce12e1a93b9e2562e84a8b849c4f Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sun, 17 Mar 2019 14:02:31 +0900
+Subject: kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.
+
+[ Upstream commit c03a0fd0b609e2f5c669c2b7f27c8e1928e9196e ]
+
+syzbot is hitting use-after-free bug in uinput module [1]. This is because
+kobject_uevent(KOBJ_REMOVE) is called again due to commit 0f4dafc0563c6c49
+("Kobject: auto-cleanup on final unref") after memory allocation fault
+injection made kobject_uevent(KOBJ_REMOVE) from device_del() from
+input_unregister_device() fail, while uinput_destroy_device() is expecting
+that kobject_uevent(KOBJ_REMOVE) is not called after device_del() from
+input_unregister_device() completed.
+
+That commit intended to catch cases where nobody even attempted to send
+"remove" uevents. But there is no guarantee that an event will ultimately
+be sent. We are at the point of no return as far as the rest of the kernel
+is concerned; there are no repeats or do-overs.
+
+Also, it is not clear whether some subsystem depends on that commit.
+If no subsystem depends on that commit, it will be better to remove
+the state_{add,remove}_uevent_sent logic. But we don't want to risk
+a regression (in a patch which will be backported) by trying to remove
+that logic. Therefore, as a first step, let's avoid the use-after-free bug
+by making sure that kobject_uevent(KOBJ_REMOVE) won't be triggered twice.
+
+[1] https://syzkaller.appspot.com/bug?id=8b17c134fe938bbddd75a45afaa9e68af43a362d
+
+Reported-by: syzbot <syzbot+f648cfb7e0b52bf7ae32@syzkaller.appspotmail.com>
+Analyzed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Fixes: 0f4dafc0563c6c49 ("Kobject: auto-cleanup on final unref")
+Cc: Kay Sievers <kay@vrfy.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kobject_uevent.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
+index f05802687ba4d..7998affa45d49 100644
+--- a/lib/kobject_uevent.c
++++ b/lib/kobject_uevent.c
+@@ -466,6 +466,13 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
+ int i = 0;
+ int retval = 0;
+
++ /*
++ * Mark "remove" event done regardless of result, for some subsystems
++ * do not want to re-trigger "remove" event via automatic cleanup.
++ */
++ if (action == KOBJ_REMOVE)
++ kobj->state_remove_uevent_sent = 1;
++
+ pr_debug("kobject: '%s' (%p): %s\n",
+ kobject_name(kobj), kobj, __func__);
+
+@@ -567,10 +574,6 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
+ kobj->state_add_uevent_sent = 1;
+ break;
+
+- case KOBJ_REMOVE:
+- kobj->state_remove_uevent_sent = 1;
+- break;
+-
+ case KOBJ_UNBIND:
+ zap_modalias_env(env);
+ break;
+--
+2.20.1
+
--- /dev/null
+From 5045d4b0da8421588f3445238a1251cc0b6e9cab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= <bjorn.topel@intel.com>
+Date: Tue, 30 Apr 2019 14:45:35 +0200
+Subject: libbpf: fix invalid munmap call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 0e6741f092979535d159d5a851f12c88bfb7cb9a ]
+
+When unmapping the AF_XDP memory regions used for the rings, an
+invalid address was passed to the munmap() calls. Instead of passing
+the beginning of the memory region, the descriptor region was passed
+to munmap.
+
+When the userspace application tried to tear down an AF_XDP socket,
+the operation failed and the application would still have a reference
+to socket it wished to get rid of.
+
+Reported-by: William Tu <u9012063@gmail.com>
+Fixes: 1cad07884239 ("libbpf: add support for using AF_XDP sockets")
+Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
+Tested-by: William Tu <u9012063@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/xsk.c | 77 +++++++++++++++++++++++----------------------
+ 1 file changed, 40 insertions(+), 37 deletions(-)
+
+diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c
+index 8d0078b65486f..af5f310ecca1c 100644
+--- a/tools/lib/bpf/xsk.c
++++ b/tools/lib/bpf/xsk.c
+@@ -248,8 +248,7 @@ int xsk_umem__create(struct xsk_umem **umem_ptr, void *umem_area, __u64 size,
+ return 0;
+
+ out_mmap:
+- munmap(umem->fill,
+- off.fr.desc + umem->config.fill_size * sizeof(__u64));
++ munmap(map, off.fr.desc + umem->config.fill_size * sizeof(__u64));
+ out_socket:
+ close(umem->fd);
+ out_umem_alloc:
+@@ -523,11 +522,11 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname,
+ struct xsk_ring_cons *rx, struct xsk_ring_prod *tx,
+ const struct xsk_socket_config *usr_config)
+ {
++ void *rx_map = NULL, *tx_map = NULL;
+ struct sockaddr_xdp sxdp = {};
+ struct xdp_mmap_offsets off;
+ struct xsk_socket *xsk;
+ socklen_t optlen;
+- void *map;
+ int err;
+
+ if (!umem || !xsk_ptr || !rx || !tx)
+@@ -593,40 +592,40 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname,
+ }
+
+ if (rx) {
+- map = xsk_mmap(NULL, off.rx.desc +
+- xsk->config.rx_size * sizeof(struct xdp_desc),
+- PROT_READ | PROT_WRITE,
+- MAP_SHARED | MAP_POPULATE,
+- xsk->fd, XDP_PGOFF_RX_RING);
+- if (map == MAP_FAILED) {
++ rx_map = xsk_mmap(NULL, off.rx.desc +
++ xsk->config.rx_size * sizeof(struct xdp_desc),
++ PROT_READ | PROT_WRITE,
++ MAP_SHARED | MAP_POPULATE,
++ xsk->fd, XDP_PGOFF_RX_RING);
++ if (rx_map == MAP_FAILED) {
+ err = -errno;
+ goto out_socket;
+ }
+
+ rx->mask = xsk->config.rx_size - 1;
+ rx->size = xsk->config.rx_size;
+- rx->producer = map + off.rx.producer;
+- rx->consumer = map + off.rx.consumer;
+- rx->ring = map + off.rx.desc;
++ rx->producer = rx_map + off.rx.producer;
++ rx->consumer = rx_map + off.rx.consumer;
++ rx->ring = rx_map + off.rx.desc;
+ }
+ xsk->rx = rx;
+
+ if (tx) {
+- map = xsk_mmap(NULL, off.tx.desc +
+- xsk->config.tx_size * sizeof(struct xdp_desc),
+- PROT_READ | PROT_WRITE,
+- MAP_SHARED | MAP_POPULATE,
+- xsk->fd, XDP_PGOFF_TX_RING);
+- if (map == MAP_FAILED) {
++ tx_map = xsk_mmap(NULL, off.tx.desc +
++ xsk->config.tx_size * sizeof(struct xdp_desc),
++ PROT_READ | PROT_WRITE,
++ MAP_SHARED | MAP_POPULATE,
++ xsk->fd, XDP_PGOFF_TX_RING);
++ if (tx_map == MAP_FAILED) {
+ err = -errno;
+ goto out_mmap_rx;
+ }
+
+ tx->mask = xsk->config.tx_size - 1;
+ tx->size = xsk->config.tx_size;
+- tx->producer = map + off.tx.producer;
+- tx->consumer = map + off.tx.consumer;
+- tx->ring = map + off.tx.desc;
++ tx->producer = tx_map + off.tx.producer;
++ tx->consumer = tx_map + off.tx.consumer;
++ tx->ring = tx_map + off.tx.desc;
+ tx->cached_cons = xsk->config.tx_size;
+ }
+ xsk->tx = tx;
+@@ -653,13 +652,11 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname,
+
+ out_mmap_tx:
+ if (tx)
+- munmap(xsk->tx,
+- off.tx.desc +
++ munmap(tx_map, off.tx.desc +
+ xsk->config.tx_size * sizeof(struct xdp_desc));
+ out_mmap_rx:
+ if (rx)
+- munmap(xsk->rx,
+- off.rx.desc +
++ munmap(rx_map, off.rx.desc +
+ xsk->config.rx_size * sizeof(struct xdp_desc));
+ out_socket:
+ if (--umem->refcount)
+@@ -684,10 +681,12 @@ int xsk_umem__delete(struct xsk_umem *umem)
+ optlen = sizeof(off);
+ err = getsockopt(umem->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen);
+ if (!err) {
+- munmap(umem->fill->ring,
+- off.fr.desc + umem->config.fill_size * sizeof(__u64));
+- munmap(umem->comp->ring,
+- off.cr.desc + umem->config.comp_size * sizeof(__u64));
++ (void)munmap(umem->fill->ring - off.fr.desc,
++ off.fr.desc +
++ umem->config.fill_size * sizeof(__u64));
++ (void)munmap(umem->comp->ring - off.cr.desc,
++ off.cr.desc +
++ umem->config.comp_size * sizeof(__u64));
+ }
+
+ close(umem->fd);
+@@ -698,6 +697,7 @@ int xsk_umem__delete(struct xsk_umem *umem)
+
+ void xsk_socket__delete(struct xsk_socket *xsk)
+ {
++ size_t desc_sz = sizeof(struct xdp_desc);
+ struct xdp_mmap_offsets off;
+ socklen_t optlen;
+ int err;
+@@ -710,14 +710,17 @@ void xsk_socket__delete(struct xsk_socket *xsk)
+ optlen = sizeof(off);
+ err = getsockopt(xsk->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen);
+ if (!err) {
+- if (xsk->rx)
+- munmap(xsk->rx->ring,
+- off.rx.desc +
+- xsk->config.rx_size * sizeof(struct xdp_desc));
+- if (xsk->tx)
+- munmap(xsk->tx->ring,
+- off.tx.desc +
+- xsk->config.tx_size * sizeof(struct xdp_desc));
++ if (xsk->rx) {
++ (void)munmap(xsk->rx->ring - off.rx.desc,
++ off.rx.desc +
++ xsk->config.rx_size * desc_sz);
++ }
++ if (xsk->tx) {
++ (void)munmap(xsk->tx->ring - off.tx.desc,
++ off.tx.desc +
++ xsk->config.tx_size * desc_sz);
++ }
++
+ }
+
+ xsk->umem->refcount--;
+--
+2.20.1
+
--- /dev/null
+From 849c1d3f7b23d98f5a6aa55f607a3cdee43d203d Mon Sep 17 00:00:00 2001
+From: "Daniel T. Lee" <danieltimlee@gmail.com>
+Date: Wed, 24 Apr 2019 05:24:56 +0900
+Subject: libbpf: fix samples/bpf build failure due to undefined UINT32_MAX
+
+[ Upstream commit 32e621e55496a0009f44fe4914cd4a23cade4984 ]
+
+Currently, building bpf samples will cause the following error.
+
+ ./tools/lib/bpf/bpf.h:132:27: error: 'UINT32_MAX' undeclared here (not in a function) ..
+ #define BPF_LOG_BUF_SIZE (UINT32_MAX >> 8) /* verifier maximum in kernels <= 5.1 */
+ ^
+ ./samples/bpf/bpf_load.h:31:25: note: in expansion of macro 'BPF_LOG_BUF_SIZE'
+ extern char bpf_log_buf[BPF_LOG_BUF_SIZE];
+ ^~~~~~~~~~~~~~~~
+
+Due to commit 4519efa6f8ea ("libbpf: fix BPF_LOG_BUF_SIZE off-by-one error")
+hard-coded size of BPF_LOG_BUF_SIZE has been replaced with UINT32_MAX which is
+defined in <stdint.h> header.
+
+Even with this change, bpf selftests are running fine since these are built
+with clang and it includes header(-idirafter) from clang/6.0.0/include.
+(it has <stdint.h>)
+
+ clang -I. -I./include/uapi -I../../../include/uapi -idirafter /usr/local/include -idirafter /usr/include \
+ -idirafter /usr/lib/llvm-6.0/lib/clang/6.0.0/include -idirafter /usr/include/x86_64-linux-gnu \
+ -Wno-compare-distinct-pointer-types -O2 -target bpf -emit-llvm -c progs/test_sysctl_prog.c -o - | \
+ llc -march=bpf -mcpu=generic -filetype=obj -o /linux/tools/testing/selftests/bpf/test_sysctl_prog.o
+
+But bpf samples are compiled with GCC, and it only searches and includes
+headers declared at the target file. As '#include <stdint.h>' hasn't been
+declared in tools/lib/bpf/bpf.h, it causes build failure of bpf samples.
+
+ gcc -Wp,-MD,./samples/bpf/.sockex3_user.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes \
+ -O2 -fomit-frame-pointer -std=gnu89 -I./usr/include -I./tools/lib/ -I./tools/testing/selftests/bpf/ \
+ -I./tools/ lib/ -I./tools/include -I./tools/perf -c -o ./samples/bpf/sockex3_user.o ./samples/bpf/sockex3_user.c;
+
+This commit add declaration of '#include <stdint.h>' to tools/lib/bpf/bpf.h
+to fix this problem.
+
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
+index 6ffdd79bea89d..6dc1f418034fb 100644
+--- a/tools/lib/bpf/bpf.h
++++ b/tools/lib/bpf/bpf.h
+@@ -26,6 +26,7 @@
+ #include <linux/bpf.h>
+ #include <stdbool.h>
+ #include <stddef.h>
++#include <stdint.h>
+
+ #ifdef __cplusplus
+ extern "C" {
+--
+2.20.1
+
--- /dev/null
+From 2c04bdf1444537a2b89569520f5641d3261df6c1 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 19 Mar 2019 13:18:56 +0100
+Subject: locking/static_key: Fix false positive warnings on concurrent dec/inc
+
+[ Upstream commit a1247d06d01045d7ab2882a9c074fbf21137c690 ]
+
+Even though the atomic_dec_and_mutex_lock() in
+__static_key_slow_dec_cpuslocked() can never see a negative value in
+key->enabled the subsequent sanity check is re-reading key->enabled, which may
+have been set to -1 in the meantime by static_key_slow_inc_cpuslocked().
+
+ CPU A CPU B
+
+ __static_key_slow_dec_cpuslocked(): static_key_slow_inc_cpuslocked():
+ # enabled = 1
+ atomic_dec_and_mutex_lock()
+ # enabled = 0
+ atomic_read() == 0
+ atomic_set(-1)
+ # enabled = -1
+ val = atomic_read()
+ # Oops - val == -1!
+
+The test case is TCP's clean_acked_data_enable() / clean_acked_data_disable()
+as tickled by KTLS (net/ktls).
+
+Suggested-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reported-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Tested-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: ard.biesheuvel@linaro.org
+Cc: oss-drivers@netronome.com
+Cc: pbonzini@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/jump_label.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/jump_label.c b/kernel/jump_label.c
+index bad96b476eb6e..a799b1ac6b2fe 100644
+--- a/kernel/jump_label.c
++++ b/kernel/jump_label.c
+@@ -206,6 +206,8 @@ static void __static_key_slow_dec_cpuslocked(struct static_key *key,
+ unsigned long rate_limit,
+ struct delayed_work *work)
+ {
++ int val;
++
+ lockdep_assert_cpus_held();
+
+ /*
+@@ -215,17 +217,20 @@ static void __static_key_slow_dec_cpuslocked(struct static_key *key,
+ * returns is unbalanced, because all other static_key_slow_inc()
+ * instances block while the update is in progress.
+ */
+- if (!atomic_dec_and_mutex_lock(&key->enabled, &jump_label_mutex)) {
+- WARN(atomic_read(&key->enabled) < 0,
+- "jump label: negative count!\n");
++ val = atomic_fetch_add_unless(&key->enabled, -1, 1);
++ if (val != 1) {
++ WARN(val < 0, "jump label: negative count!\n");
+ return;
+ }
+
+- if (rate_limit) {
+- atomic_inc(&key->enabled);
+- schedule_delayed_work(work, rate_limit);
+- } else {
+- jump_label_update(key);
++ jump_label_lock();
++ if (atomic_dec_and_test(&key->enabled)) {
++ if (rate_limit) {
++ atomic_inc(&key->enabled);
++ schedule_delayed_work(work, rate_limit);
++ } else {
++ jump_label_update(key);
++ }
+ }
+ jump_label_unlock();
+ }
+--
+2.20.1
+
--- /dev/null
+From 199fe414aee9db03658cc76e589ae2906d05e729 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Date: Tue, 26 Mar 2019 09:27:37 +0000
+Subject: mac80211/cfg80211: update bss channel on channel switch
+
+[ Upstream commit 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8 ]
+
+FullMAC STAs have no way to update bss channel after CSA channel switch
+completion. As a result, user-space tools may provide inconsistent
+channel info. For instance, consider the following two commands:
+$ sudo iw dev wlan0 link
+$ sudo iw dev wlan0 info
+The latter command gets channel info from the hardware, so most probably
+its output will be correct. However the former command gets channel info
+from scan cache, so its output will contain outdated channel info.
+In fact, current bss channel info will not be updated until the
+next [re-]connect.
+
+Note that mac80211 STAs have a workaround for this, but it requires
+access to internal cfg80211 data, see ieee80211_chswitch_work:
+
+ /* XXX: shouldn't really modify cfg80211-owned data! */
+ ifmgd->associated->channel = sdata->csa_chandef.chan;
+
+This patch suggests to convert mac80211 workaround into cfg80211 behavior
+and to update current bss channel in cfg80211_ch_switch_notify.
+
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 3 ---
+ net/wireless/nl80211.c | 5 +++++
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 2dbcf5d5512ef..b7a9fe3d5fcb7 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1188,9 +1188,6 @@ static void ieee80211_chswitch_work(struct work_struct *work)
+ goto out;
+ }
+
+- /* XXX: shouldn't really modify cfg80211-owned data! */
+- ifmgd->associated->channel = sdata->csa_chandef.chan;
+-
+ ifmgd->csa_waiting_bcn = true;
+
+ ieee80211_sta_reset_beacon_monitor(sdata);
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 47e30a58566c2..d2a7459a5da43 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -15727,6 +15727,11 @@ void cfg80211_ch_switch_notify(struct net_device *dev,
+
+ wdev->chandef = *chandef;
+ wdev->preset_chandef = *chandef;
++
++ if (wdev->iftype == NL80211_IFTYPE_STATION &&
++ !WARN_ON(!wdev->current_bss))
++ wdev->current_bss->pub.channel = chandef->chan;
++
+ nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
+ NL80211_CMD_CH_SWITCH_NOTIFY, 0);
+ }
+--
+2.20.1
+
--- /dev/null
+From 91e03c315d977622557f3ef115690558af9352a5 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuah@kernel.org>
+Date: Mon, 1 Apr 2019 20:43:17 -0400
+Subject: media: au0828: Fix NULL pointer dereference in
+ au0828_analog_stream_enable()
+
+[ Upstream commit 898bc40bfcc26abb6e06e960d6d4754c36c58b50 ]
+
+Fix au0828_analog_stream_enable() to check if device is in the right
+state first. When unbind happens while bind is in progress, usbdev
+pointer could be invalid in au0828_analog_stream_enable() and a call
+to usb_ifnum_to_if() will result in the null pointer dereference.
+
+This problem is found with the new media_dev_allocator.sh test.
+
+kernel: [ 590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
+kernel: [ 590.359627] #PF error: [normal kernel read fault]
+kernel: [ 590.359629] PGD 0 P4D 0
+kernel: [ 590.359632] Oops: 0000 [#1] SMP PTI
+kernel: [ 590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
+kernel: [ 590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
+kernel: [ 590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
+kernel: [ 590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4
+ 10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
+6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
+9 74
+kernel: [ 590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
+kernel: [ 590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
+kernel: [ 590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
+kernel: [ 590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
+kernel: [ 590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
+kernel: [ 590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
+kernel: [ 590.359654] FS: 00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
+kernel: [ 590.359655] CS: 0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
+kernel: [ 590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
+kernel: [ 590.359658] Call Trace:
+kernel: [ 590.359664] ? au0828_analog_stream_enable+0x2c/0x180
+kernel: [ 590.359666] au0828_v4l2_open+0xa4/0x110
+kernel: [ 590.359670] v4l2_open+0x8b/0x120
+kernel: [ 590.359674] chrdev_open+0xa6/0x1c0
+kernel: [ 590.359676] ? cdev_put.part.3+0x20/0x20
+kernel: [ 590.359678] do_dentry_open+0x1f6/0x360
+kernel: [ 590.359681] vfs_open+0x2f/0x40
+kernel: [ 590.359684] path_openat+0x299/0xc20
+kernel: [ 590.359688] do_filp_open+0x9b/0x110
+kernel: [ 590.359695] ? _raw_spin_unlock+0x27/0x40
+kernel: [ 590.359697] ? __alloc_fd+0xb2/0x160
+kernel: [ 590.359700] do_sys_open+0x1ba/0x260
+kernel: [ 590.359702] ? do_sys_open+0x1ba/0x260
+kernel: [ 590.359712] __x64_sys_openat+0x20/0x30
+kernel: [ 590.359715] do_syscall_64+0x5a/0x120
+kernel: [ 590.359718] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/au0828/au0828-video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
+index ad2b1b7ecea4d..222723d946e4c 100644
+--- a/drivers/media/usb/au0828/au0828-video.c
++++ b/drivers/media/usb/au0828/au0828-video.c
+@@ -758,6 +758,9 @@ static int au0828_analog_stream_enable(struct au0828_dev *d)
+
+ dprintk(1, "au0828_analog_stream_enable called\n");
+
++ if (test_bit(DEV_DISCONNECTED, &d->dev_state))
++ return -ENODEV;
++
+ iface = usb_ifnum_to_if(d->usbdev, 0);
+ if (iface && iface->cur_altsetting->desc.bAlternateSetting != 5) {
+ dprintk(1, "Changing intf#0 to alt 5\n");
+--
+2.20.1
+
--- /dev/null
+From fe5e16d1fdcbf595534f564ad5fbd33851cc8665 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Tue, 2 Apr 2019 03:24:15 -0400
+Subject: media: au0828: stop video streaming only when last user stops
+
+[ Upstream commit f604f0f5afb88045944567f604409951b5eb6af8 ]
+
+If the application was streaming from both videoX and vbiX, and streaming
+from videoX was stopped, then the vbi streaming also stopped.
+
+The cause being that stop_streaming for video stopped the subdevs as well,
+instead of only doing that if dev->streaming_users reached 0.
+
+au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs
+at all when dev->streaming_users reached 0.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Tested-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/au0828/au0828-video.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
+index 7876c897cc1d6..ad2b1b7ecea4d 100644
+--- a/drivers/media/usb/au0828/au0828-video.c
++++ b/drivers/media/usb/au0828/au0828-video.c
+@@ -839,9 +839,9 @@ int au0828_start_analog_streaming(struct vb2_queue *vq, unsigned int count)
+ return rc;
+ }
+
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 1);
++
+ if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+- v4l2_device_call_all(&dev->v4l2_dev, 0, video,
+- s_stream, 1);
+ dev->vid_timeout_running = 1;
+ mod_timer(&dev->vid_timeout, jiffies + (HZ / 10));
+ } else if (vq->type == V4L2_BUF_TYPE_VBI_CAPTURE) {
+@@ -861,10 +861,11 @@ static void au0828_stop_streaming(struct vb2_queue *vq)
+
+ dprintk(1, "au0828_stop_streaming called %d\n", dev->streaming_users);
+
+- if (dev->streaming_users-- == 1)
++ if (dev->streaming_users-- == 1) {
+ au0828_uninit_isoc(dev);
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
++ }
+
+- v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
+ dev->vid_timeout_running = 0;
+ del_timer_sync(&dev->vid_timeout);
+
+@@ -893,8 +894,10 @@ void au0828_stop_vbi_streaming(struct vb2_queue *vq)
+ dprintk(1, "au0828_stop_vbi_streaming called %d\n",
+ dev->streaming_users);
+
+- if (dev->streaming_users-- == 1)
++ if (dev->streaming_users-- == 1) {
+ au0828_uninit_isoc(dev);
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
++ }
+
+ spin_lock_irqsave(&dev->slock, flags);
+ if (dev->isoc_ctl.vbi_buf != NULL) {
+--
+2.20.1
+
--- /dev/null
+From d44e90675642a19092c49767881a1b01c0e5eeb6 Mon Sep 17 00:00:00 2001
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+Date: Mon, 28 Jan 2019 15:55:00 -0500
+Subject: media: cedrus: Add a quirk for not setting DMA offset
+
+[ Upstream commit 70a4f5cda82f7197c350099b66fd23506620810e ]
+
+H6 VPU doesn't work if DMA offset is set.
+
+Add a quirk for it.
+
+Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/sunxi/cedrus/cedrus.h | 3 +++
+ drivers/staging/media/sunxi/cedrus/cedrus_hw.c | 3 ++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.h b/drivers/staging/media/sunxi/cedrus/cedrus.h
+index 4aedd24a98480..c57c04b41d2e8 100644
+--- a/drivers/staging/media/sunxi/cedrus/cedrus.h
++++ b/drivers/staging/media/sunxi/cedrus/cedrus.h
+@@ -28,6 +28,8 @@
+
+ #define CEDRUS_CAPABILITY_UNTILED BIT(0)
+
++#define CEDRUS_QUIRK_NO_DMA_OFFSET BIT(0)
++
+ enum cedrus_codec {
+ CEDRUS_CODEC_MPEG2,
+
+@@ -91,6 +93,7 @@ struct cedrus_dec_ops {
+
+ struct cedrus_variant {
+ unsigned int capabilities;
++ unsigned int quirks;
+ };
+
+ struct cedrus_dev {
+diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_hw.c b/drivers/staging/media/sunxi/cedrus/cedrus_hw.c
+index 0acf219a8c918..fbfff7c1c771f 100644
+--- a/drivers/staging/media/sunxi/cedrus/cedrus_hw.c
++++ b/drivers/staging/media/sunxi/cedrus/cedrus_hw.c
+@@ -177,7 +177,8 @@ int cedrus_hw_probe(struct cedrus_dev *dev)
+ */
+
+ #ifdef PHYS_PFN_OFFSET
+- dev->dev->dma_pfn_offset = PHYS_PFN_OFFSET;
++ if (!(variant->quirks & CEDRUS_QUIRK_NO_DMA_OFFSET))
++ dev->dev->dma_pfn_offset = PHYS_PFN_OFFSET;
+ #endif
+
+ ret = of_reserved_mem_device_init(dev->dev);
+--
+2.20.1
+
--- /dev/null
+From e052df1d88b3dea3ea41370b183f5655954fbcd4 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Mon, 8 Apr 2019 08:32:49 -0400
+Subject: media: coda: clear error return value before picture run
+
+[ Upstream commit bbeefa7357a648afe70e7183914c87c3878d528d ]
+
+The error return value is not written by some firmware codecs, such as
+MPEG-2 decode on CodaHx4. Clear the error return value before starting
+the picture run to avoid misinterpreting unrelated values returned by
+sequence initialization as error return value.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index b4f396c2e72c7..eaa86737fa04e 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -2010,6 +2010,9 @@ static int coda_prepare_decode(struct coda_ctx *ctx)
+ /* Clear decode success flag */
+ coda_write(dev, 0, CODA_RET_DEC_PIC_SUCCESS);
+
++ /* Clear error return value */
++ coda_write(dev, 0, CODA_RET_DEC_PIC_ERR_MB);
++
+ trace_coda_dec_pic_run(ctx, meta);
+
+ coda_command_async(ctx, CODA_COMMAND_PIC_RUN);
+--
+2.20.1
+
--- /dev/null
+From 3a2f2b9d25d706dff7281744e17e52459f0d665d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
+Date: Sat, 19 Jan 2019 20:30:04 -0500
+Subject: media: dvbsky: Avoid leaking dvb frontend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit fdfa59cd63b184e1e96d51ff170fcac739bc6f6f ]
+
+Commit 14f4eaeddabc ("media: dvbsky: fix driver unregister logic") fixed
+a use-after-free by removing the reference to the frontend after deleting
+the backing i2c device.
+
+This has the unfortunate side effect the frontend device is never freed
+in the dvb core leaving a dangling device, leading to errors when the
+dvb core tries to register the frontend after e.g. a replug as reported
+here: https://www.spinics.net/lists/linux-media/msg138181.html
+
+media: dvbsky: issues with DVBSky T680CI
+
+===
+[ 561.119145] sp2 8-0040: CIMaX SP2 successfully attached
+[ 561.119161] usb 2-3: DVB: registering adapter 0 frontend 0 (Silicon Labs
+Si2168)...
+[ 561.119174] sysfs: cannot create duplicate filename '/class/dvb/
+dvb0.frontend0'
+===
+
+The use after free happened as dvb_usbv2_disconnect calls in this order:
+- dvb_usb_device::props->exit(...)
+- dvb_usbv2_adapter_frontend_exit(...)
+ + if (fe) dvb_unregister_frontend(fe)
+ + dvb_usb_device::props->frontend_detach(...)
+
+Moving the release of the i2c device from exit() to frontend_detach()
+avoids the dangling pointer access and allows the core to unregister
+the frontend.
+
+This was originally reported for a DVBSky T680CI, but it also affects
+the MyGica T230C. As all supported devices structure the registration/
+unregistration identically, apply the change for all device types.
+
+Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/dvbsky.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/dvbsky.c b/drivers/media/usb/dvb-usb-v2/dvbsky.c
+index e28bd8836751e..ae0814dd202a6 100644
+--- a/drivers/media/usb/dvb-usb-v2/dvbsky.c
++++ b/drivers/media/usb/dvb-usb-v2/dvbsky.c
+@@ -615,16 +615,18 @@ static int dvbsky_init(struct dvb_usb_device *d)
+ return 0;
+ }
+
+-static void dvbsky_exit(struct dvb_usb_device *d)
++static int dvbsky_frontend_detach(struct dvb_usb_adapter *adap)
+ {
++ struct dvb_usb_device *d = adap_to_d(adap);
+ struct dvbsky_state *state = d_to_priv(d);
+- struct dvb_usb_adapter *adap = &d->adapter[0];
++
++ dev_dbg(&d->udev->dev, "%s: adap=%d\n", __func__, adap->id);
+
+ dvb_module_release(state->i2c_client_tuner);
+ dvb_module_release(state->i2c_client_demod);
+ dvb_module_release(state->i2c_client_ci);
+
+- adap->fe[0] = NULL;
++ return 0;
+ }
+
+ /* DVB USB Driver stuff */
+@@ -640,11 +642,11 @@ static struct dvb_usb_device_properties dvbsky_s960_props = {
+
+ .i2c_algo = &dvbsky_i2c_algo,
+ .frontend_attach = dvbsky_s960_attach,
++ .frontend_detach = dvbsky_frontend_detach,
+ .init = dvbsky_init,
+ .get_rc_config = dvbsky_get_rc_config,
+ .streaming_ctrl = dvbsky_streaming_ctrl,
+ .identify_state = dvbsky_identify_state,
+- .exit = dvbsky_exit,
+ .read_mac_address = dvbsky_read_mac_addr,
+
+ .num_adapters = 1,
+@@ -667,11 +669,11 @@ static struct dvb_usb_device_properties dvbsky_s960c_props = {
+
+ .i2c_algo = &dvbsky_i2c_algo,
+ .frontend_attach = dvbsky_s960c_attach,
++ .frontend_detach = dvbsky_frontend_detach,
+ .init = dvbsky_init,
+ .get_rc_config = dvbsky_get_rc_config,
+ .streaming_ctrl = dvbsky_streaming_ctrl,
+ .identify_state = dvbsky_identify_state,
+- .exit = dvbsky_exit,
+ .read_mac_address = dvbsky_read_mac_addr,
+
+ .num_adapters = 1,
+@@ -694,11 +696,11 @@ static struct dvb_usb_device_properties dvbsky_t680c_props = {
+
+ .i2c_algo = &dvbsky_i2c_algo,
+ .frontend_attach = dvbsky_t680c_attach,
++ .frontend_detach = dvbsky_frontend_detach,
+ .init = dvbsky_init,
+ .get_rc_config = dvbsky_get_rc_config,
+ .streaming_ctrl = dvbsky_streaming_ctrl,
+ .identify_state = dvbsky_identify_state,
+- .exit = dvbsky_exit,
+ .read_mac_address = dvbsky_read_mac_addr,
+
+ .num_adapters = 1,
+@@ -721,11 +723,11 @@ static struct dvb_usb_device_properties dvbsky_t330_props = {
+
+ .i2c_algo = &dvbsky_i2c_algo,
+ .frontend_attach = dvbsky_t330_attach,
++ .frontend_detach = dvbsky_frontend_detach,
+ .init = dvbsky_init,
+ .get_rc_config = dvbsky_get_rc_config,
+ .streaming_ctrl = dvbsky_streaming_ctrl,
+ .identify_state = dvbsky_identify_state,
+- .exit = dvbsky_exit,
+ .read_mac_address = dvbsky_read_mac_addr,
+
+ .num_adapters = 1,
+@@ -748,11 +750,11 @@ static struct dvb_usb_device_properties mygica_t230c_props = {
+
+ .i2c_algo = &dvbsky_i2c_algo,
+ .frontend_attach = dvbsky_mygica_t230c_attach,
++ .frontend_detach = dvbsky_frontend_detach,
+ .init = dvbsky_init,
+ .get_rc_config = dvbsky_get_rc_config,
+ .streaming_ctrl = dvbsky_streaming_ctrl,
+ .identify_state = dvbsky_identify_state,
+- .exit = dvbsky_exit,
+
+ .num_adapters = 1,
+ .adapter = {
+--
+2.20.1
+
--- /dev/null
+From d04ea2165e8f9951973819015afa3e91997dd8cc Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 12:01:58 -0500
+Subject: media: go7007: avoid clang frame overflow warning with KASAN
+
+[ Upstream commit ed713a4a1367aca5c0f2f329579465db00c17995 ]
+
+clang-8 warns about one function here when KASAN is enabled, even
+without the 'asan-stack' option:
+
+drivers/media/usb/go7007/go7007-fw.c:1551:5: warning: stack frame size of 2656 bytes in function
+
+I have reported this issue in the llvm bugzilla, but to make
+it work with the clang-8 release, a small annotation is still
+needed.
+
+Link: https://bugs.llvm.org/show_bug.cgi?id=38809
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix checkpatch warning]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/go7007/go7007-fw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-fw.c b/drivers/media/usb/go7007/go7007-fw.c
+index 24f5b615dc7af..dfa9f899d0c25 100644
+--- a/drivers/media/usb/go7007/go7007-fw.c
++++ b/drivers/media/usb/go7007/go7007-fw.c
+@@ -1499,8 +1499,8 @@ static int modet_to_package(struct go7007 *go, __le16 *code, int space)
+ return cnt;
+ }
+
+-static int do_special(struct go7007 *go, u16 type, __le16 *code, int space,
+- int *framelen)
++static noinline_for_stack int do_special(struct go7007 *go, u16 type,
++ __le16 *code, int space, int *framelen)
+ {
+ switch (type) {
+ case SPECIAL_FRM_HEAD:
+--
+2.20.1
+
--- /dev/null
+From e390722182d10047372c3abd5fd45f387b62dfe7 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Tue, 26 Feb 2019 07:54:22 -0500
+Subject: media: gspca: do not resubmit URBs when streaming has stopped
+
+[ Upstream commit e6f8bd59c28f758feea403a70d6c3ef28c50959f ]
+
+When streaming is stopped all URBs are killed, but in fill_frame and in
+bulk_irq this results in an attempt to resubmit the killed URB. That is
+not what you want and causes spurious kernel messages.
+
+So check if streaming has stopped before resubmitting.
+
+Also check against gspca_dev->streaming rather than vb2_start_streaming_called()
+since vb2_start_streaming_called() will return true when in stop_streaming,
+but gspca_dev->streaming is set to false when stop_streaming is called.
+
+Fixes: 6992effe5344 ("gspca: Kill all URBs before releasing any of them")
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/gspca.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
+index 128935f2a217e..4d7517411cc2d 100644
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -314,6 +314,8 @@ static void fill_frame(struct gspca_dev *gspca_dev,
+ }
+
+ resubmit:
++ if (!gspca_dev->streaming)
++ return;
+ /* resubmit the URB */
+ st = usb_submit_urb(urb, GFP_ATOMIC);
+ if (st < 0)
+@@ -330,7 +332,7 @@ static void isoc_irq(struct urb *urb)
+ struct gspca_dev *gspca_dev = (struct gspca_dev *) urb->context;
+
+ gspca_dbg(gspca_dev, D_PACK, "isoc irq\n");
+- if (!vb2_start_streaming_called(&gspca_dev->queue))
++ if (!gspca_dev->streaming)
+ return;
+ fill_frame(gspca_dev, urb);
+ }
+@@ -344,7 +346,7 @@ static void bulk_irq(struct urb *urb)
+ int st;
+
+ gspca_dbg(gspca_dev, D_PACK, "bulk irq\n");
+- if (!vb2_start_streaming_called(&gspca_dev->queue))
++ if (!gspca_dev->streaming)
+ return;
+ switch (urb->status) {
+ case 0:
+@@ -367,6 +369,8 @@ static void bulk_irq(struct urb *urb)
+ urb->actual_length);
+
+ resubmit:
++ if (!gspca_dev->streaming)
++ return;
+ /* resubmit the URB */
+ if (gspca_dev->cam.bulk_nurbs != 0) {
+ st = usb_submit_urb(urb, GFP_ATOMIC);
+--
+2.20.1
+
--- /dev/null
+From f5280abfe580552ebd8531478a89a93ed45eeb41 Mon Sep 17 00:00:00 2001
+From: Ezequiel Garcia <ezequiel@collabora.com>
+Date: Thu, 28 Feb 2019 10:28:34 -0500
+Subject: media: gspca: Kill URBs on USB device disconnect
+
+[ Upstream commit 9b9ea7c2b57a0c9c3341fc6db039d1f7971a432e ]
+
+In order to prevent ISOC URBs from being infinitely resubmitted,
+the driver's USB disconnect handler must kill all the in-flight URBs.
+
+While here, change the URB packet status message to a debug level,
+to avoid spamming the console too much.
+
+This commit fixes a lockup caused by an interrupt storm coming
+from the URB completion handler.
+
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/gspca.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
+index ac70b36d67b7b..128935f2a217e 100644
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -294,7 +294,7 @@ static void fill_frame(struct gspca_dev *gspca_dev,
+ /* check the packet status and length */
+ st = urb->iso_frame_desc[i].status;
+ if (st) {
+- pr_err("ISOC data error: [%d] len=%d, status=%d\n",
++ gspca_dbg(gspca_dev, D_PACK, "ISOC data error: [%d] len=%d, status=%d\n",
+ i, len, st);
+ gspca_dev->last_packet_type = DISCARD_PACKET;
+ continue;
+@@ -1638,6 +1638,8 @@ void gspca_disconnect(struct usb_interface *intf)
+
+ mutex_lock(&gspca_dev->usb_lock);
+ gspca_dev->present = false;
++ destroy_urbs(gspca_dev);
++ gspca_input_destroy_urb(gspca_dev);
+
+ vb2_queue_error(&gspca_dev->queue);
+
+--
+2.20.1
+
--- /dev/null
+From 9076291c1b1f96fe7095d473881906e3f24157bf Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 19 Feb 2019 20:09:38 -0500
+Subject: media: imx: vdic: Restore default case to prepare_vdi_in_buffers()
+
+[ Upstream commit ce3c2433b074eb9d569a0f63a15d6fd5dbc87f02 ]
+
+Restore a default case to prepare_vdi_in_buffers() to fix the following
+smatch errors:
+
+drivers/staging/media/imx/imx-media-vdic.c:236 prepare_vdi_in_buffers() error: uninitialized symbol 'prev_phys'.
+drivers/staging/media/imx/imx-media-vdic.c:237 prepare_vdi_in_buffers() error: uninitialized symbol 'curr_phys'.
+drivers/staging/media/imx/imx-media-vdic.c:238 prepare_vdi_in_buffers() error: uninitialized symbol 'next_phys'.
+
+Fixes: 6e537b58de772 ("media: imx: vdic: rely on VDIC for correct field order")
+
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-vdic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/media/imx/imx-media-vdic.c b/drivers/staging/media/imx/imx-media-vdic.c
+index 8a9af4688fd41..8cdd3daa6c5f0 100644
+--- a/drivers/staging/media/imx/imx-media-vdic.c
++++ b/drivers/staging/media/imx/imx-media-vdic.c
+@@ -231,6 +231,12 @@ static void __maybe_unused prepare_vdi_in_buffers(struct vdic_priv *priv,
+ curr_phys = vb2_dma_contig_plane_dma_addr(curr_vb, 0);
+ next_phys = vb2_dma_contig_plane_dma_addr(curr_vb, 0) + is;
+ break;
++ default:
++ /*
++ * can't get here, priv->fieldtype can only be one of
++ * the above. This is to quiet smatch errors.
++ */
++ return;
+ }
+
+ ipu_cpmem_set_buffer(priv->vdi_in_ch_p, 0, prev_phys);
+--
+2.20.1
+
--- /dev/null
+From 18c63bfc51b471d518a9a8c6cf589e65bc90d213 Mon Sep 17 00:00:00 2001
+From: James Hutchinson <jahutchinson99@googlemail.com>
+Date: Sun, 13 Jan 2019 16:13:47 -0500
+Subject: media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
+
+[ Upstream commit 981fbe3da20a6f35f17977453bce7dfc1664d74f ]
+
+Ref: https://bugzilla.kernel.org/show_bug.cgi?id=199323
+
+Users are experiencing problems with the DVBSky S960/S960C USB devices
+since the following commit:
+
+9d659ae: ("locking/mutex: Add lock handoff to avoid starvation")
+
+The device malfunctions after running for an indeterminable period of
+time, and the problem can only be cleared by rebooting the machine.
+
+It is possible to encourage the problem to surface by blocking the
+signal to the LNB.
+
+Further debugging revealed the cause of the problem.
+
+In the following capture:
+- thread #1325 is running m88ds3103_set_frontend
+- thread #42 is running ts2020_stat_work
+
+a> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 80
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 08
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 68 3f
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 08 ff
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 3d
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+b> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 00
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 21
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 66
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+ [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 60 02 10 0b
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+
+Two i2c messages are sent to perform a reset in m88ds3103_set_frontend:
+
+ a. 0x07, 0x80
+ b. 0x07, 0x00
+
+However, as shown in the capture, the regmap mutex is being handed over
+to another thread (ts2020_stat_work) in between these two messages.
+
+>From here, the device responds to every i2c message with an 07 message,
+and will only return to normal operation following a power cycle.
+
+Use regmap_multi_reg_write to group the two reset messages, ensuring
+both are processed before the regmap mutex is unlocked.
+
+Signed-off-by: James Hutchinson <jahutchinson99@googlemail.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/m88ds3103.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
+index 123f2a33738b0..403f42806455e 100644
+--- a/drivers/media/dvb-frontends/m88ds3103.c
++++ b/drivers/media/dvb-frontends/m88ds3103.c
+@@ -309,6 +309,9 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ u16 u16tmp;
+ u32 tuner_frequency_khz, target_mclk;
+ s32 s32tmp;
++ static const struct reg_sequence reset_buf[] = {
++ {0x07, 0x80}, {0x07, 0x00}
++ };
+
+ dev_dbg(&client->dev,
+ "delivery_system=%d modulation=%d frequency=%u symbol_rate=%d inversion=%d pilot=%d rolloff=%d\n",
+@@ -321,11 +324,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ }
+
+ /* reset */
+- ret = regmap_write(dev->regmap, 0x07, 0x80);
+- if (ret)
+- goto err;
+-
+- ret = regmap_write(dev->regmap, 0x07, 0x00);
++ ret = regmap_multi_reg_write(dev->regmap, reset_buf, 2);
+ if (ret)
+ goto err;
+
+--
+2.20.1
+
--- /dev/null
+From e5fdb07ee651cc5693bef124fcc79b3360d63542 Mon Sep 17 00:00:00 2001
+From: Alexandre Courbot <acourbot@chromium.org>
+Date: Tue, 26 Mar 2019 03:44:23 -0400
+Subject: media: mtk-vcodec: fix access to incorrect planes member
+
+[ Upstream commit 52fafc58c3535c9f4f53864686dbaee3bcbadcb4 ]
+
+Commit 0650a91499e0 ("media: mtk-vcodec: Correct return type for mem2mem
+buffer helpers") fixed the return types for mem2mem buffer helper
+functions by changing a few local variables from vb2_buffer to
+vb2_v4l2_buffer. However, it left a few accesses to vb2_buffer::planes
+as-is, accidentally turning them into accesses to
+vb2_v4l2_buffer::planes and resulting in values being read from/written
+to the wrong place.
+
+Fix this by inserting vb2_buf into these accesses so they mimic their
+original behavior.
+
+Fixes: 0650a91499e0 ("media: mtk-vcodec: Correct return type for mem2mem buffer helpers")
+
+Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
+Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c | 4 ++--
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 10 +++++-----
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
+index d022c65bb34c2..49babf994cb75 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
+@@ -388,7 +388,7 @@ static void mtk_vdec_worker(struct work_struct *work)
+ }
+ buf.va = vb2_plane_vaddr(&src_buf->vb2_buf, 0);
+ buf.dma_addr = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0);
+- buf.size = (size_t)src_buf->planes[0].bytesused;
++ buf.size = (size_t)src_buf->vb2_buf.planes[0].bytesused;
+ if (!buf.va) {
+ v4l2_m2m_job_finish(dev->m2m_dev_dec, ctx->m2m_ctx);
+ mtk_v4l2_err("[%d] id=%d src_addr is NULL!!",
+@@ -1155,7 +1155,7 @@ static void vb2ops_vdec_buf_queue(struct vb2_buffer *vb)
+
+ src_mem.va = vb2_plane_vaddr(&src_buf->vb2_buf, 0);
+ src_mem.dma_addr = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0);
+- src_mem.size = (size_t)src_buf->planes[0].bytesused;
++ src_mem.size = (size_t)src_buf->vb2_buf.planes[0].bytesused;
+ mtk_v4l2_debug(2,
+ "[%d] buf id=%d va=%p dma=%pad size=%zx",
+ ctx->id, src_buf->index,
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
+index c6b48b5925fbe..50351adafc470 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
+@@ -894,7 +894,7 @@ static void vb2ops_venc_stop_streaming(struct vb2_queue *q)
+
+ if (q->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {
+ while ((dst_buf = v4l2_m2m_dst_buf_remove(ctx->m2m_ctx))) {
+- dst_buf->planes[0].bytesused = 0;
++ dst_buf->vb2_buf.planes[0].bytesused = 0;
+ v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_ERROR);
+ }
+ } else {
+@@ -947,7 +947,7 @@ static int mtk_venc_encode_header(void *priv)
+
+ bs_buf.va = vb2_plane_vaddr(&dst_buf->vb2_buf, 0);
+ bs_buf.dma_addr = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0);
+- bs_buf.size = (size_t)dst_buf->planes[0].length;
++ bs_buf.size = (size_t)dst_buf->vb2_buf.planes[0].length;
+
+ mtk_v4l2_debug(1,
+ "[%d] buf id=%d va=0x%p dma_addr=0x%llx size=%zu",
+@@ -976,7 +976,7 @@ static int mtk_venc_encode_header(void *priv)
+ }
+
+ ctx->state = MTK_STATE_HEADER;
+- dst_buf->planes[0].bytesused = enc_result.bs_size;
++ dst_buf->vb2_buf.planes[0].bytesused = enc_result.bs_size;
+ v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_DONE);
+
+ return 0;
+@@ -1107,12 +1107,12 @@ static void mtk_venc_worker(struct work_struct *work)
+
+ if (ret) {
+ v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_ERROR);
+- dst_buf->planes[0].bytesused = 0;
++ dst_buf->vb2_buf.planes[0].bytesused = 0;
+ v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_ERROR);
+ mtk_v4l2_err("venc_if_encode failed=%d", ret);
+ } else {
+ v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE);
+- dst_buf->planes[0].bytesused = enc_result.bs_size;
++ dst_buf->vb2_buf.planes[0].bytesused = enc_result.bs_size;
+ v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_DONE);
+ mtk_v4l2_debug(2, "venc_if_encode bs size=%d",
+ enc_result.bs_size);
+--
+2.20.1
+
--- /dev/null
+From cc03a3a66fd64b0aaa19db1fe0853f4bacf89c40 Mon Sep 17 00:00:00 2001
+From: Alexandre Courbot <acourbot@chromium.org>
+Date: Wed, 6 Mar 2019 01:15:02 -0500
+Subject: media: mtk-vcodec: fix access to vb2_v4l2_buffer struct
+
+[ Upstream commit 3235d3946429f64b19addfd89fc926a36eaec06a ]
+
+Commit 0650a91499e0 ("media: mtk-vcodec: Correct return type for mem2mem
+buffer helpers") fixed the return types for mem2mem buffer helper
+functions, but omitted two occurrences that are accessed in the
+mtk_v4l2_debug() macro. These only trigger compiler errors when DEBUG is
+defined.
+
+Fixes: 0650a91499e0 ("media: mtk-vcodec: Correct return type for mem2mem buffer helpers")
+
+Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
+index 49babf994cb75..e20b340855e76 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
+@@ -1158,7 +1158,7 @@ static void vb2ops_vdec_buf_queue(struct vb2_buffer *vb)
+ src_mem.size = (size_t)src_buf->vb2_buf.planes[0].bytesused;
+ mtk_v4l2_debug(2,
+ "[%d] buf id=%d va=%p dma=%pad size=%zx",
+- ctx->id, src_buf->index,
++ ctx->id, src_buf->vb2_buf.index,
+ src_mem.va, &src_mem.dma_addr,
+ src_mem.size);
+
+@@ -1182,7 +1182,7 @@ static void vb2ops_vdec_buf_queue(struct vb2_buffer *vb)
+ }
+ mtk_v4l2_debug(ret ? 0 : 1,
+ "[%d] vdec_if_decode() src_buf=%d, size=%zu, fail=%d, res_chg=%d",
+- ctx->id, src_buf->index,
++ ctx->id, src_buf->vb2_buf.index,
+ src_mem.size, ret, res_chg);
+ return;
+ }
+--
+2.20.1
+
--- /dev/null
+From 0efc30b9116abc5664570bc40732de734befa74d Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sat, 30 Mar 2019 10:01:31 -0400
+Subject: media: ov2659: make S_FMT succeed even if requested format doesn't
+ match
+
+[ Upstream commit bccb89cf9cd07a0690d519696a00c00a973b3fe4 ]
+
+This driver returns an error if unsupported media bus pixel code is
+requested by VIDIOC_SUBDEV_S_FMT.
+
+But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst,
+
+Drivers must not return an error solely because the requested format
+doesn't match the device capabilities. They must instead modify the
+format to match what the hardware can provide.
+
+So select default format code and return success in that case.
+
+This is detected by v4l2-compliance.
+
+Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov2659.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c
+index 799acce803fe5..a1e9a980a4459 100644
+--- a/drivers/media/i2c/ov2659.c
++++ b/drivers/media/i2c/ov2659.c
+@@ -1117,8 +1117,10 @@ static int ov2659_set_fmt(struct v4l2_subdev *sd,
+ if (ov2659_formats[index].code == mf->code)
+ break;
+
+- if (index < 0)
+- return -EINVAL;
++ if (index < 0) {
++ index = 0;
++ mf->code = ov2659_formats[index].code;
++ }
+
+ mf->colorspace = V4L2_COLORSPACE_SRGB;
+ mf->field = V4L2_FIELD_NONE;
+--
+2.20.1
+
--- /dev/null
+From 071da5b29ba5e5821f15cfe86604241244f5719d Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Fri, 29 Mar 2019 21:06:09 -0400
+Subject: media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
+
+[ Upstream commit ccdd85d518d8b9320ace1d87271f0ba2175f21fa ]
+
+In preparation for adding asynchronous subdevice support to the driver,
+don't acquire v4l2_clk from the driver .probe() callback as that may
+fail if the clock is provided by a bridge driver which may be not yet
+initialized. Move the v4l2_clk_get() to ov6650_video_probe() helper
+which is going to be converted to v4l2_subdev_internal_ops.registered()
+callback, executed only when the bridge driver is ready.
+
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov6650.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c
+index f9359b11fa5cb..de7d9790f0542 100644
+--- a/drivers/media/i2c/ov6650.c
++++ b/drivers/media/i2c/ov6650.c
+@@ -810,9 +810,16 @@ static int ov6650_video_probe(struct i2c_client *client)
+ u8 pidh, pidl, midh, midl;
+ int ret;
+
++ priv->clk = v4l2_clk_get(&client->dev, NULL);
++ if (IS_ERR(priv->clk)) {
++ ret = PTR_ERR(priv->clk);
++ dev_err(&client->dev, "v4l2_clk request err: %d\n", ret);
++ return ret;
++ }
++
+ ret = ov6650_s_power(&priv->subdev, 1);
+ if (ret < 0)
+- return ret;
++ goto eclkput;
+
+ msleep(20);
+
+@@ -849,6 +856,11 @@ static int ov6650_video_probe(struct i2c_client *client)
+
+ done:
+ ov6650_s_power(&priv->subdev, 0);
++ if (!ret)
++ return 0;
++eclkput:
++ v4l2_clk_put(priv->clk);
++
+ return ret;
+ }
+
+@@ -991,18 +1003,9 @@ static int ov6650_probe(struct i2c_client *client,
+ priv->code = MEDIA_BUS_FMT_YUYV8_2X8;
+ priv->colorspace = V4L2_COLORSPACE_JPEG;
+
+- priv->clk = v4l2_clk_get(&client->dev, NULL);
+- if (IS_ERR(priv->clk)) {
+- ret = PTR_ERR(priv->clk);
+- goto eclkget;
+- }
+-
+ ret = ov6650_video_probe(client);
+- if (ret) {
+- v4l2_clk_put(priv->clk);
+-eclkget:
++ if (ret)
+ v4l2_ctrl_handler_free(&priv->hdl);
+- }
+
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From d4370438c27e8ccbee972ba0e39eb4beff8afd49 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Mon, 11 Mar 2019 11:36:02 -0400
+Subject: media: ov7670: restore default settings after power-up
+
+[ Upstream commit 32ab688b280301f7cee9e547564cb74e33e06322 ]
+
+Since commit 3d6a8fe25605 ("media: ov7670: hook s_power onto v4l2 core"),
+the device is actually powered off while the video stream is stopped.
+
+The frame format and framerate are restored right after power-up, but
+restoring the default register settings is forgotten.
+
+Fixes: 3d6a8fe25605 ("media: ov7670: hook s_power onto v4l2 core")
+
+Cc: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
+Tested-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov7670.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c
+index a7d26b294eb58..e65693c2aad5f 100644
+--- a/drivers/media/i2c/ov7670.c
++++ b/drivers/media/i2c/ov7670.c
+@@ -1664,6 +1664,7 @@ static int ov7670_s_power(struct v4l2_subdev *sd, int on)
+
+ if (on) {
+ ov7670_power_on (sd);
++ ov7670_init(sd, 0);
+ ov7670_apply_fmt(sd);
+ ov7675_apply_framerate(sd);
+ v4l2_ctrl_handler_setup(&info->hdl);
+--
+2.20.1
+
--- /dev/null
+From dd1f1fb0beadb5a591e5ecfeb8effda0f214d1be Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 8 Apr 2019 05:52:38 -0400
+Subject: media: pvrusb2: Prevent a buffer overflow
+
+[ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ]
+
+The ctrl_check_input() function is called from pvr2_ctrl_range_check().
+It's supposed to validate user supplied input and return true or false
+depending on whether the input is valid or not. The problem is that
+negative shifts or shifts greater than 31 are undefined in C. In
+practice with GCC they result in shift wrapping so this function returns
+true for some inputs which are not valid and this could result in a
+buffer overflow:
+
+ drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
+ warn: uncapped user index 'names[val]'
+
+The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
+and the highest valid bit is BIT(4).
+
+Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+index 446a999dd2ce1..2bab4713bc5b9 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -666,6 +666,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp)
+
+ static int ctrl_check_input(struct pvr2_ctrl *cptr,int v)
+ {
++ if (v < 0 || v > PVR2_CVAL_INPUT_MAX)
++ return 0;
+ return ((1 << v) & cptr->hdw->input_allowed_mask) != 0;
+ }
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+index 25648add77e58..bd2b7a67b7322 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+@@ -50,6 +50,7 @@
+ #define PVR2_CVAL_INPUT_COMPOSITE 2
+ #define PVR2_CVAL_INPUT_SVIDEO 3
+ #define PVR2_CVAL_INPUT_RADIO 4
++#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO
+
+ enum pvr2_config {
+ pvr2_config_empty, /* No configuration */
+--
+2.20.1
+
--- /dev/null
+From 81a56842d68c55e7022e32d2e05dbe0b54750b35 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 12:01:56 -0500
+Subject: media: saa7146: avoid high stack usage with clang
+
+[ Upstream commit 03aa4f191a36f33fce015387f84efa0eee94408e ]
+
+Two saa7146/hexium files contain a construct that causes a warning
+when built with clang:
+
+drivers/media/pci/saa7146/hexium_orion.c:210:12: error: stack frame size of 2272 bytes in function 'hexium_probe'
+ [-Werror,-Wframe-larger-than=]
+static int hexium_probe(struct saa7146_dev *dev)
+ ^
+drivers/media/pci/saa7146/hexium_gemini.c:257:12: error: stack frame size of 2304 bytes in function 'hexium_attach'
+ [-Werror,-Wframe-larger-than=]
+static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
+ ^
+
+This one happens regardless of KASAN, and the problem is that a
+constructor to initialize a dynamically allocated structure leads
+to a copy of that structure on the stack, whereas gcc initializes
+it in place.
+
+Link: https://bugs.llvm.org/show_bug.cgi?id=40776
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix checkpatch warnings]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7146/hexium_gemini.c | 5 ++---
+ drivers/media/pci/saa7146/hexium_orion.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
+index 5817d9cde4d0c..6d8e4afe9673a 100644
+--- a/drivers/media/pci/saa7146/hexium_gemini.c
++++ b/drivers/media/pci/saa7146/hexium_gemini.c
+@@ -270,9 +270,8 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
+ /* enable i2c-port pins */
+ saa7146_write(dev, MC1, (MASK_08 | MASK_24 | MASK_10 | MASK_26));
+
+- hexium->i2c_adapter = (struct i2c_adapter) {
+- .name = "hexium gemini",
+- };
++ strscpy(hexium->i2c_adapter.name, "hexium gemini",
++ sizeof(hexium->i2c_adapter.name));
+ saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
+ if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
+ DEB_S("cannot register i2c-device. skipping.\n");
+diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
+index 0a05176c18ab6..a794f9e5f9908 100644
+--- a/drivers/media/pci/saa7146/hexium_orion.c
++++ b/drivers/media/pci/saa7146/hexium_orion.c
+@@ -231,9 +231,8 @@ static int hexium_probe(struct saa7146_dev *dev)
+ saa7146_write(dev, DD1_STREAM_B, 0x00000000);
+ saa7146_write(dev, MC2, (MASK_09 | MASK_25 | MASK_10 | MASK_26));
+
+- hexium->i2c_adapter = (struct i2c_adapter) {
+- .name = "hexium orion",
+- };
++ strscpy(hexium->i2c_adapter.name, "hexium orion",
++ sizeof(hexium->i2c_adapter.name));
+ saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
+ if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
+ DEB_S("cannot register i2c-device. skipping.\n");
+--
+2.20.1
+
--- /dev/null
+From 40de29a632fcf7eefb8ac31ee5bf9e9e31602a79 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 20 Dec 2018 23:54:03 -0500
+Subject: media: si2165: fix a missing check of return value
+
+[ Upstream commit 0ab34a08812a3334350dbaf69a018ee0ab3d2ddd ]
+
+si2165_readreg8() may fail. Looking into si2165_readreg8(), we will find
+that "val_tmp" will be an uninitialized value when regmap_read() fails.
+"val_tmp" is then assigned to "val". So if si2165_readreg8() fails,
+"val" will be a random value. Further use will lead to undefined
+behaviors. The fix checks if si2165_readreg8() fails, and if so, returns
+its error code upstream.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Matthias Schwarzott <zzam@gentoo.org>
+Tested-by: Matthias Schwarzott <zzam@gentoo.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/si2165.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/si2165.c b/drivers/media/dvb-frontends/si2165.c
+index feacd8da421da..d55d8f169dca6 100644
+--- a/drivers/media/dvb-frontends/si2165.c
++++ b/drivers/media/dvb-frontends/si2165.c
+@@ -275,18 +275,20 @@ static u32 si2165_get_fe_clk(struct si2165_state *state)
+
+ static int si2165_wait_init_done(struct si2165_state *state)
+ {
+- int ret = -EINVAL;
++ int ret;
+ u8 val = 0;
+ int i;
+
+ for (i = 0; i < 3; ++i) {
+- si2165_readreg8(state, REG_INIT_DONE, &val);
++ ret = si2165_readreg8(state, REG_INIT_DONE, &val);
++ if (ret < 0)
++ return ret;
+ if (val == 0x01)
+ return 0;
+ usleep_range(1000, 50000);
+ }
+ dev_err(&state->client->dev, "init_done was not set\n");
+- return ret;
++ return -EINVAL;
+ }
+
+ static int si2165_upload_firmware_block(struct si2165_state *state,
+--
+2.20.1
+
--- /dev/null
+From 03a9378331854bf9319e560fbb40eca3acb2dc2b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 5 Mar 2019 08:29:48 -0500
+Subject: media: staging: davinci_vpfe: disallow building with COMPILE_TEST
+
+[ Upstream commit 49dc762cffd8305a861ca649e82dc5533b3e3344 ]
+
+The driver should really call dm365_isif_setup_pinmux() through a callback,
+but uses a hack to include a davinci specific machine header file when
+compile testing instead. This works almost everywhere, but not on the
+ARM omap1 platform, which has another header named mach/mux.h. This
+causes a build failure:
+
+drivers/staging/media/davinci_vpfe/dm365_isif.c:2028:2: error: implicit declaration of function 'davinci_cfg_reg' [-Werror,-Wimplicit-function-declaration]
+ davinci_cfg_reg(DM365_VIN_CAM_WEN);
+ ^
+drivers/staging/media/davinci_vpfe/dm365_isif.c:2028:2: error: this function declaration is not a prototype [-Werror,-Wstrict-prototypes]
+drivers/staging/media/davinci_vpfe/dm365_isif.c:2028:18: error: use of undeclared identifier 'DM365_VIN_CAM_WEN'
+ davinci_cfg_reg(DM365_VIN_CAM_WEN);
+ ^
+drivers/staging/media/davinci_vpfe/dm365_isif.c:2029:18: error: use of undeclared identifier 'DM365_VIN_CAM_VD'
+ davinci_cfg_reg(DM365_VIN_CAM_VD);
+ ^
+drivers/staging/media/davinci_vpfe/dm365_isif.c:2030:18: error: use of undeclared identifier 'DM365_VIN_CAM_HD'
+ davinci_cfg_reg(DM365_VIN_CAM_HD);
+ ^
+drivers/staging/media/davinci_vpfe/dm365_isif.c:2031:18: error: use of undeclared identifier 'DM365_VIN_YIN4_7_EN'
+ davinci_cfg_reg(DM365_VIN_YIN4_7_EN);
+ ^
+drivers/staging/media/davinci_vpfe/dm365_isif.c:2032:18: error: use of undeclared identifier 'DM365_VIN_YIN0_3_EN'
+ davinci_cfg_reg(DM365_VIN_YIN0_3_EN);
+ ^
+7 errors generated.
+
+Exclude omap1 from compile-testing, under the assumption that all others
+still work.
+
+Fixes: 4907c73deefe ("media: staging: davinci_vpfe: allow building with COMPILE_TEST")
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/davinci_vpfe/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/davinci_vpfe/Kconfig b/drivers/staging/media/davinci_vpfe/Kconfig
+index aea449a8dbf8a..76818cc48ddcb 100644
+--- a/drivers/staging/media/davinci_vpfe/Kconfig
++++ b/drivers/staging/media/davinci_vpfe/Kconfig
+@@ -1,7 +1,7 @@
+ config VIDEO_DM365_VPFE
+ tristate "DM365 VPFE Media Controller Capture Driver"
+ depends on VIDEO_V4L2
+- depends on (ARCH_DAVINCI_DM365 && !VIDEO_DM365_ISIF) || COMPILE_TEST
++ depends on (ARCH_DAVINCI_DM365 && !VIDEO_DM365_ISIF) || (COMPILE_TEST && !ARCH_OMAP1)
+ depends on VIDEO_V4L2_SUBDEV_API
+ depends on VIDEO_DAVINCI_VPBE_DISPLAY
+ select VIDEOBUF2_DMA_CONTIG
+--
+2.20.1
+
--- /dev/null
+From 382294a033f7c8282d63cd23bdf92fd2c5809808 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 4 Mar 2019 15:29:10 -0500
+Subject: media: staging/intel-ipu3: mark PM function as __maybe_unused
+
+[ Upstream commit 948dff7cfa1d7653e7828e7b905863bd24ca5c02 ]
+
+The imgu_rpm_dummy_cb() looks like an API misuse that is explained
+in the comment above it. Aside from that, it also causes a warning
+when power management support is disabled:
+
+drivers/staging/media/ipu3/ipu3.c:794:12: error: 'imgu_rpm_dummy_cb' defined but not used [-Werror=unused-function]
+
+The warning is at least easy to fix by marking the function as
+__maybe_unused.
+
+Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver")
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/ipu3/ipu3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c
+index d575ac78c8f0b..d00d26264c37d 100644
+--- a/drivers/staging/media/ipu3/ipu3.c
++++ b/drivers/staging/media/ipu3/ipu3.c
+@@ -791,7 +791,7 @@ static int __maybe_unused imgu_resume(struct device *dev)
+ * PCI rpm framework checks the existence of driver rpm callbacks.
+ * Place a dummy callback here to avoid rpm going into error state.
+ */
+-static int imgu_rpm_dummy_cb(struct device *dev)
++static __maybe_unused int imgu_rpm_dummy_cb(struct device *dev)
+ {
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 6016604eb9da743e5c8a2180aede648eda78eb86 Mon Sep 17 00:00:00 2001
+From: Hugues Fruchet <hugues.fruchet@st.com>
+Date: Mon, 1 Apr 2019 04:56:09 -0400
+Subject: media: stm32-dcmi: fix crash when subdev do not expose any formats
+
+[ Upstream commit 33dfeb62e23c31619d2197850f7e8b50e8cc5466 ]
+
+Do not access sd_formats[] if num_of_sd_formats is zero, ie
+subdev sensor didn't expose any formats.
+
+Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/stm32/stm32-dcmi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c
+index a1f0801081ba9..922855b6025c7 100644
+--- a/drivers/media/platform/stm32/stm32-dcmi.c
++++ b/drivers/media/platform/stm32/stm32-dcmi.c
+@@ -811,6 +811,9 @@ static int dcmi_try_fmt(struct stm32_dcmi *dcmi, struct v4l2_format *f,
+
+ sd_fmt = find_format_by_fourcc(dcmi, pix->pixelformat);
+ if (!sd_fmt) {
++ if (!dcmi->num_of_sd_formats)
++ return -ENODATA;
++
+ sd_fmt = dcmi->sd_formats[dcmi->num_of_sd_formats - 1];
+ pix->pixelformat = sd_fmt->fourcc;
+ }
+@@ -989,6 +992,9 @@ static int dcmi_set_sensor_format(struct stm32_dcmi *dcmi,
+
+ sd_fmt = find_format_by_fourcc(dcmi, pix->pixelformat);
+ if (!sd_fmt) {
++ if (!dcmi->num_of_sd_formats)
++ return -ENODATA;
++
+ sd_fmt = dcmi->sd_formats[dcmi->num_of_sd_formats - 1];
+ pix->pixelformat = sd_fmt->fourcc;
+ }
+--
+2.20.1
+
--- /dev/null
+From 19cff01f62c72b7fc9399df29c7d040848435dcb Mon Sep 17 00:00:00 2001
+From: Fabien Dessenne <fabien.dessenne@st.com>
+Date: Wed, 24 Apr 2019 09:25:44 -0400
+Subject: media: stm32-dcmi: return appropriate error codes during probe
+
+[ Upstream commit b5b5a27bee5884860798ffd0f08e611a3942064b ]
+
+During probe, return the provided errors value instead of -ENODEV.
+This allows the driver to be deferred probed if needed.
+
+Signed-off-by: Fabien Dessenne <fabien.dessenne@st.com>
+Acked-by: Hugues Fruchet <hugues.fruchet@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/stm32/stm32-dcmi.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c
+index 5fe5b38fa901d..a1f0801081ba9 100644
+--- a/drivers/media/platform/stm32/stm32-dcmi.c
++++ b/drivers/media/platform/stm32/stm32-dcmi.c
+@@ -1645,7 +1645,7 @@ static int dcmi_probe(struct platform_device *pdev)
+ dcmi->rstc = devm_reset_control_get_exclusive(&pdev->dev, NULL);
+ if (IS_ERR(dcmi->rstc)) {
+ dev_err(&pdev->dev, "Could not get reset control\n");
+- return -ENODEV;
++ return PTR_ERR(dcmi->rstc);
+ }
+
+ /* Get bus characteristics from devicetree */
+@@ -1660,7 +1660,7 @@ static int dcmi_probe(struct platform_device *pdev)
+ of_node_put(np);
+ if (ret) {
+ dev_err(&pdev->dev, "Could not parse the endpoint\n");
+- return -ENODEV;
++ return ret;
+ }
+
+ if (ep.bus_type == V4L2_MBUS_CSI2_DPHY) {
+@@ -1673,8 +1673,9 @@ static int dcmi_probe(struct platform_device *pdev)
+
+ irq = platform_get_irq(pdev, 0);
+ if (irq <= 0) {
+- dev_err(&pdev->dev, "Could not get irq\n");
+- return -ENODEV;
++ if (irq != -EPROBE_DEFER)
++ dev_err(&pdev->dev, "Could not get irq\n");
++ return irq;
+ }
+
+ dcmi->res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+@@ -1694,12 +1695,13 @@ static int dcmi_probe(struct platform_device *pdev)
+ dev_name(&pdev->dev), dcmi);
+ if (ret) {
+ dev_err(&pdev->dev, "Unable to request irq %d\n", irq);
+- return -ENODEV;
++ return ret;
+ }
+
+ mclk = devm_clk_get(&pdev->dev, "mclk");
+ if (IS_ERR(mclk)) {
+- dev_err(&pdev->dev, "Unable to get mclk\n");
++ if (PTR_ERR(mclk) != -EPROBE_DEFER)
++ dev_err(&pdev->dev, "Unable to get mclk\n");
+ return PTR_ERR(mclk);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6c86937b0ce0de8399b26322052d69e113e70fb1 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sat, 2 Mar 2019 10:23:12 -0500
+Subject: media: v4l2-fwnode: The first default data lane is 0 on C-PHY
+
+[ Upstream commit fff35d45e16fae125c6000cb87e254cb634ac7fb ]
+
+C-PHY has no clock lanes. Therefore the first data lane is 0 by default.
+
+Fixes: edc6d56c2e7e ("media: v4l: fwnode: Support parsing of CSI-2 C-PHY endpoints")
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-fwnode.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-fwnode.c b/drivers/media/v4l2-core/v4l2-fwnode.c
+index 20571846e6367..7495f83231479 100644
+--- a/drivers/media/v4l2-core/v4l2-fwnode.c
++++ b/drivers/media/v4l2-core/v4l2-fwnode.c
+@@ -225,6 +225,10 @@ static int v4l2_fwnode_endpoint_parse_csi2_bus(struct fwnode_handle *fwnode,
+ if (bus_type == V4L2_MBUS_CSI2_DPHY ||
+ bus_type == V4L2_MBUS_CSI2_CPHY || lanes_used ||
+ have_clk_lane || (flags & ~V4L2_MBUS_CSI2_CONTINUOUS_CLOCK)) {
++ /* Only D-PHY has a clock lane. */
++ unsigned int dfl_data_lane_index =
++ bus_type == V4L2_MBUS_CSI2_DPHY;
++
+ bus->flags = flags;
+ if (bus_type == V4L2_MBUS_UNKNOWN)
+ vep->bus_type = V4L2_MBUS_CSI2_DPHY;
+@@ -233,7 +237,7 @@ static int v4l2_fwnode_endpoint_parse_csi2_bus(struct fwnode_handle *fwnode,
+ if (use_default_lane_mapping) {
+ bus->clock_lane = 0;
+ for (i = 0; i < num_data_lanes; i++)
+- bus->data_lanes[i] = 1 + i;
++ bus->data_lanes[i] = dfl_data_lane_index + i;
+ } else {
+ bus->clock_lane = clock_lane;
+ for (i = 0; i < num_data_lanes; i++)
+--
+2.20.1
+
--- /dev/null
+From ef6f80ee2d898a86da4220bed6461c9c44ceb1f4 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Feb 2019 09:50:03 -0500
+Subject: media: vicodec: avoid clang frame size warning
+
+[ Upstream commit e855165f3dae6f71da859a5f00b85d5368641d61 ]
+
+Clang-9 makes some different inlining decisions compared to gcc, which
+leads to a warning about a possible stack overflow problem when building
+with CONFIG_KASAN, including when setting asan-stack=0, which avoids
+most other frame overflow warnings:
+
+drivers/media/platform/vicodec/codec-fwht.c:673:12: error: stack frame size of 2224 bytes in function 'encode_plane'
+
+Manually adding noinline_for_stack annotations in those functions
+called by encode_plane() or decode_plane() that require a significant
+amount of kernel stack makes this impossible to happen with any
+compiler.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vicodec/codec-fwht.c | 29 +++++++++++++--------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/platform/vicodec/codec-fwht.c b/drivers/media/platform/vicodec/codec-fwht.c
+index d1d6085da9f1d..cf469a1191aa7 100644
+--- a/drivers/media/platform/vicodec/codec-fwht.c
++++ b/drivers/media/platform/vicodec/codec-fwht.c
+@@ -46,8 +46,12 @@ static const uint8_t zigzag[64] = {
+ 63,
+ };
+
+-
+-static int rlc(const s16 *in, __be16 *output, int blocktype)
++/*
++ * noinline_for_stack to work around
++ * https://bugs.llvm.org/show_bug.cgi?id=38809
++ */
++static int noinline_for_stack
++rlc(const s16 *in, __be16 *output, int blocktype)
+ {
+ s16 block[8 * 8];
+ s16 *wp = block;
+@@ -106,8 +110,8 @@ static int rlc(const s16 *in, __be16 *output, int blocktype)
+ * This function will worst-case increase rlc_in by 65*2 bytes:
+ * one s16 value for the header and 8 * 8 coefficients of type s16.
+ */
+-static u16 derlc(const __be16 **rlc_in, s16 *dwht_out,
+- const __be16 *end_of_input)
++static noinline_for_stack u16
++derlc(const __be16 **rlc_in, s16 *dwht_out, const __be16 *end_of_input)
+ {
+ /* header */
+ const __be16 *input = *rlc_in;
+@@ -240,8 +244,9 @@ static void dequantize_inter(s16 *coeff)
+ *coeff <<= *quant;
+ }
+
+-static void fwht(const u8 *block, s16 *output_block, unsigned int stride,
+- unsigned int input_step, bool intra)
++static void noinline_for_stack fwht(const u8 *block, s16 *output_block,
++ unsigned int stride,
++ unsigned int input_step, bool intra)
+ {
+ /* we'll need more than 8 bits for the transformed coefficients */
+ s32 workspace1[8], workspace2[8];
+@@ -373,7 +378,8 @@ static void fwht(const u8 *block, s16 *output_block, unsigned int stride,
+ * Furthermore values can be negative... This is just a version that
+ * works with 16 signed data
+ */
+-static void fwht16(const s16 *block, s16 *output_block, int stride, int intra)
++static void noinline_for_stack
++fwht16(const s16 *block, s16 *output_block, int stride, int intra)
+ {
+ /* we'll need more than 8 bits for the transformed coefficients */
+ s32 workspace1[8], workspace2[8];
+@@ -456,7 +462,8 @@ static void fwht16(const s16 *block, s16 *output_block, int stride, int intra)
+ }
+ }
+
+-static void ifwht(const s16 *block, s16 *output_block, int intra)
++static noinline_for_stack void
++ifwht(const s16 *block, s16 *output_block, int intra)
+ {
+ /*
+ * we'll need more than 8 bits for the transformed coefficients
+@@ -604,9 +611,9 @@ static int var_inter(const s16 *old, const s16 *new)
+ return ret;
+ }
+
+-static int decide_blocktype(const u8 *cur, const u8 *reference,
+- s16 *deltablock, unsigned int stride,
+- unsigned int input_step)
++static noinline_for_stack int
++decide_blocktype(const u8 *cur, const u8 *reference, s16 *deltablock,
++ unsigned int stride, unsigned int input_step)
+ {
+ s16 tmp[64];
+ s16 old[64];
+--
+2.20.1
+
--- /dev/null
+From 9f115f47474965f67c03dee03bd2e922e0829c8e Mon Sep 17 00:00:00 2001
+From: Dafna Hirschfeld <dafna3@gmail.com>
+Date: Wed, 6 Mar 2019 16:13:28 -0500
+Subject: media: vicodec: bugfix - call v4l2_m2m_buf_copy_metadata also if
+ decoding fails
+
+[ Upstream commit 8eead25cbdf911e17cff321903bd3397bc6ea22c ]
+
+The function 'v4l2_m2m_buf_copy_metadata' should
+be called even if decoding/encoding ends with
+status VB2_BUF_STATE_ERROR, so that the metadata
+is copied from the source buffer to the dest buffer.
+
+Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vicodec/vicodec-core.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
+index d7636fe9e1749..6b618452700c4 100644
+--- a/drivers/media/platform/vicodec/vicodec-core.c
++++ b/drivers/media/platform/vicodec/vicodec-core.c
+@@ -159,12 +159,10 @@ static int device_process(struct vicodec_ctx *ctx,
+ struct vb2_v4l2_buffer *dst_vb)
+ {
+ struct vicodec_dev *dev = ctx->dev;
+- struct vicodec_q_data *q_dst;
+ struct v4l2_fwht_state *state = &ctx->state;
+ u8 *p_src, *p_dst;
+ int ret;
+
+- q_dst = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_CAPTURE);
+ if (ctx->is_enc)
+ p_src = vb2_plane_vaddr(&src_vb->vb2_buf, 0);
+ else
+@@ -186,8 +184,10 @@ static int device_process(struct vicodec_ctx *ctx,
+ return ret;
+ vb2_set_plane_payload(&dst_vb->vb2_buf, 0, ret);
+ } else {
++ struct vicodec_q_data *q_dst;
+ unsigned int comp_frame_size = ntohl(ctx->state.header.size);
+
++ q_dst = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_CAPTURE);
+ if (comp_frame_size > ctx->comp_max_size)
+ return -EINVAL;
+ state->info = q_dst->info;
+@@ -196,11 +196,6 @@ static int device_process(struct vicodec_ctx *ctx,
+ return ret;
+ vb2_set_plane_payload(&dst_vb->vb2_buf, 0, q_dst->sizeimage);
+ }
+-
+- dst_vb->sequence = q_dst->sequence++;
+- dst_vb->flags &= ~V4L2_BUF_FLAG_LAST;
+- v4l2_m2m_buf_copy_metadata(src_vb, dst_vb, !ctx->is_enc);
+-
+ return 0;
+ }
+
+@@ -274,16 +269,22 @@ static void device_run(void *priv)
+ struct vicodec_ctx *ctx = priv;
+ struct vicodec_dev *dev = ctx->dev;
+ struct vb2_v4l2_buffer *src_buf, *dst_buf;
+- struct vicodec_q_data *q_src;
++ struct vicodec_q_data *q_src, *q_dst;
+ u32 state;
+
+ src_buf = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx);
+ dst_buf = v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx);
+ q_src = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_OUTPUT);
++ q_dst = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_CAPTURE);
+
+ state = VB2_BUF_STATE_DONE;
+ if (device_process(ctx, src_buf, dst_buf))
+ state = VB2_BUF_STATE_ERROR;
++ else
++ dst_buf->sequence = q_dst->sequence++;
++ dst_buf->flags &= ~V4L2_BUF_FLAG_LAST;
++ v4l2_m2m_buf_copy_metadata(src_buf, dst_buf, !ctx->is_enc);
++
+ ctx->last_dst_buf = dst_buf;
+
+ spin_lock(ctx->lock);
+--
+2.20.1
+
--- /dev/null
+From 220657733e5cefdc2003bc605796cf288ad374f9 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Wed, 13 Mar 2019 10:47:13 -0400
+Subject: media: vicodec: reset last_src/dst_buf based on the IS_OUTPUT
+
+[ Upstream commit 76eb24fc233b8c94b2156ead5811e08d2046ad58 ]
+
+When start_streaming was called both last_src_buf and last_dst_buf
+pointers were set to NULL, but this depends on whether the capture
+or output queue starts streaming.
+
+When decoding with resolution changes in between the capture queue
+has to restart streaming whenever a resolution change occurs. And
+that would reset last_src_buf as well, which causes a problem if
+the decoder was stopped by the application. Since last_src_buf
+is now NULL, the LAST flag is never set for the last capture
+buffer.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vicodec/vicodec-core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
+index 6b618452700c4..8788369e59a0a 100644
+--- a/drivers/media/platform/vicodec/vicodec-core.c
++++ b/drivers/media/platform/vicodec/vicodec-core.c
+@@ -1339,8 +1339,11 @@ static int vicodec_start_streaming(struct vb2_queue *q,
+ chroma_div = info->width_div * info->height_div;
+ q_data->sequence = 0;
+
+- ctx->last_src_buf = NULL;
+- ctx->last_dst_buf = NULL;
++ if (V4L2_TYPE_IS_OUTPUT(q->type))
++ ctx->last_src_buf = NULL;
++ else
++ ctx->last_dst_buf = NULL;
++
+ state->gop_cnt = 0;
+
+ if ((V4L2_TYPE_IS_OUTPUT(q->type) && !ctx->is_enc) ||
+--
+2.20.1
+
--- /dev/null
+From 470b6411be4e6729bdf777fbb53a9aa150cf32da Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 9 Mar 2019 02:20:56 -0500
+Subject: media: video-mux: fix null pointer dereferences
+
+[ Upstream commit aeb0d0f581e2079868e64a2e5ee346d340376eae ]
+
+devm_kcalloc may fail and return a null pointer. The fix returns
+-ENOMEM upon failures to avoid null pointer dereferences.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/video-mux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/video-mux.c b/drivers/media/platform/video-mux.c
+index 0ba30756e1e40..d8cd5f5cb10d6 100644
+--- a/drivers/media/platform/video-mux.c
++++ b/drivers/media/platform/video-mux.c
+@@ -419,9 +419,14 @@ static int video_mux_probe(struct platform_device *pdev)
+ vmux->active = -1;
+ vmux->pads = devm_kcalloc(dev, num_pads, sizeof(*vmux->pads),
+ GFP_KERNEL);
++ if (!vmux->pads)
++ return -ENOMEM;
++
+ vmux->format_mbus = devm_kcalloc(dev, num_pads,
+ sizeof(*vmux->format_mbus),
+ GFP_KERNEL);
++ if (!vmux->format_mbus)
++ return -ENOMEM;
+
+ for (i = 0; i < num_pads; i++) {
+ vmux->pads[i].flags = (i < num_pads - 1) ? MEDIA_PAD_FL_SINK
+--
+2.20.1
+
--- /dev/null
+From 67e688f1880883703825319107912e5d52ab10a9 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Thu, 21 Feb 2019 08:35:15 -0500
+Subject: media: vim2m: replace devm_kzalloc by kzalloc
+
+[ Upstream commit ea6c7e34f3b28e165988aa7391310752969842e8 ]
+
+It is not possible to use devm_kzalloc since that memory is
+freed immediately when the device instance is unbound.
+
+Various objects like the video device may still be in use
+since someone has the device node open, and when that is closed
+it expects the memory to be around.
+
+So use kzalloc and release it at the appropriate time.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vim2m.c | 35 +++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/media/platform/vim2m.c b/drivers/media/platform/vim2m.c
+index 34dcaca45d8bb..dd47821fc661d 100644
+--- a/drivers/media/platform/vim2m.c
++++ b/drivers/media/platform/vim2m.c
+@@ -1262,6 +1262,15 @@ static int vim2m_release(struct file *file)
+ return 0;
+ }
+
++static void vim2m_device_release(struct video_device *vdev)
++{
++ struct vim2m_dev *dev = container_of(vdev, struct vim2m_dev, vfd);
++
++ v4l2_device_unregister(&dev->v4l2_dev);
++ v4l2_m2m_release(dev->m2m_dev);
++ kfree(dev);
++}
++
+ static const struct v4l2_file_operations vim2m_fops = {
+ .owner = THIS_MODULE,
+ .open = vim2m_open,
+@@ -1277,7 +1286,7 @@ static const struct video_device vim2m_videodev = {
+ .fops = &vim2m_fops,
+ .ioctl_ops = &vim2m_ioctl_ops,
+ .minor = -1,
+- .release = video_device_release_empty,
++ .release = vim2m_device_release,
+ .device_caps = V4L2_CAP_VIDEO_M2M | V4L2_CAP_STREAMING,
+ };
+
+@@ -1298,13 +1307,13 @@ static int vim2m_probe(struct platform_device *pdev)
+ struct video_device *vfd;
+ int ret;
+
+- dev = devm_kzalloc(&pdev->dev, sizeof(*dev), GFP_KERNEL);
++ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ if (!dev)
+ return -ENOMEM;
+
+ ret = v4l2_device_register(&pdev->dev, &dev->v4l2_dev);
+ if (ret)
+- return ret;
++ goto error_free;
+
+ atomic_set(&dev->num_inst, 0);
+ mutex_init(&dev->dev_mutex);
+@@ -1317,7 +1326,7 @@ static int vim2m_probe(struct platform_device *pdev)
+ ret = video_register_device(vfd, VFL_TYPE_GRABBER, 0);
+ if (ret) {
+ v4l2_err(&dev->v4l2_dev, "Failed to register video device\n");
+- goto unreg_v4l2;
++ goto error_v4l2;
+ }
+
+ video_set_drvdata(vfd, dev);
+@@ -1330,7 +1339,7 @@ static int vim2m_probe(struct platform_device *pdev)
+ if (IS_ERR(dev->m2m_dev)) {
+ v4l2_err(&dev->v4l2_dev, "Failed to init mem2mem device\n");
+ ret = PTR_ERR(dev->m2m_dev);
+- goto unreg_dev;
++ goto error_dev;
+ }
+
+ #ifdef CONFIG_MEDIA_CONTROLLER
+@@ -1346,27 +1355,29 @@ static int vim2m_probe(struct platform_device *pdev)
+ MEDIA_ENT_F_PROC_VIDEO_SCALER);
+ if (ret) {
+ v4l2_err(&dev->v4l2_dev, "Failed to init mem2mem media controller\n");
+- goto unreg_m2m;
++ goto error_m2m;
+ }
+
+ ret = media_device_register(&dev->mdev);
+ if (ret) {
+ v4l2_err(&dev->v4l2_dev, "Failed to register mem2mem media device\n");
+- goto unreg_m2m_mc;
++ goto error_m2m_mc;
+ }
+ #endif
+ return 0;
+
+ #ifdef CONFIG_MEDIA_CONTROLLER
+-unreg_m2m_mc:
++error_m2m_mc:
+ v4l2_m2m_unregister_media_controller(dev->m2m_dev);
+-unreg_m2m:
++error_m2m:
+ v4l2_m2m_release(dev->m2m_dev);
+ #endif
+-unreg_dev:
++error_dev:
+ video_unregister_device(&dev->vfd);
+-unreg_v4l2:
++error_v4l2:
+ v4l2_device_unregister(&dev->v4l2_dev);
++error_free:
++ kfree(dev);
+
+ return ret;
+ }
+@@ -1382,9 +1393,7 @@ static int vim2m_remove(struct platform_device *pdev)
+ v4l2_m2m_unregister_media_controller(dev->m2m_dev);
+ media_device_cleanup(&dev->mdev);
+ #endif
+- v4l2_m2m_release(dev->m2m_dev);
+ video_unregister_device(&dev->vfd);
+- v4l2_device_unregister(&dev->v4l2_dev);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From d06a45a73e14fc7f004c94df694a5f5909f295d6 Mon Sep 17 00:00:00 2001
+From: Helen Fornazier <helen.koike@collabora.com>
+Date: Wed, 6 Mar 2019 17:42:38 -0500
+Subject: media: vimc: stream: fix thread state before sleep
+
+[ Upstream commit 2978a505aaa981b279ef359f74ba93d25098e0a0 ]
+
+The state TASK_UNINTERRUPTIBLE should be set just before
+schedule_timeout() call, so it knows the sleep mode it should enter.
+There is no point in setting TASK_UNINTERRUPTIBLE at the initialization
+of the thread as schedule_timeout() will set the state back to
+TASK_RUNNING.
+
+This fixes a warning in __might_sleep() call, as it's expecting the
+task to be in TASK_RUNNING state just before changing the state to
+a sleeping state.
+
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Helen Koike <helen.koike@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vimc/vimc-streamer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vimc/vimc-streamer.c b/drivers/media/platform/vimc/vimc-streamer.c
+index fcc897fb247bc..392754c18046c 100644
+--- a/drivers/media/platform/vimc/vimc-streamer.c
++++ b/drivers/media/platform/vimc/vimc-streamer.c
+@@ -120,7 +120,6 @@ static int vimc_streamer_thread(void *data)
+ int i;
+
+ set_freezable();
+- set_current_state(TASK_UNINTERRUPTIBLE);
+
+ for (;;) {
+ try_to_freeze();
+@@ -137,6 +136,7 @@ static int vimc_streamer_thread(void *data)
+ break;
+ }
+ //wait for 60hz
++ set_current_state(TASK_UNINTERRUPTIBLE);
+ schedule_timeout(HZ / 60);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 1b96a0abe4137979362301129920d22cd931caf8 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Fri, 8 Mar 2019 08:02:26 -0500
+Subject: media: vimc: zero the media_device on probe
+
+[ Upstream commit f74267b51cb36321f777807b2e04ca02167ecc08 ]
+
+The media_device is part of a static global vimc_device struct.
+The media framework expects this to be zeroed before it is
+used, however, since this is a global this is not the case if
+vimc is unbound and then bound again.
+
+So call memset to ensure any left-over values are cleared.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vimc/vimc-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/vimc/vimc-core.c b/drivers/media/platform/vimc/vimc-core.c
+index 0fbb7914098f6..3aa62d7e3d0e0 100644
+--- a/drivers/media/platform/vimc/vimc-core.c
++++ b/drivers/media/platform/vimc/vimc-core.c
+@@ -304,6 +304,8 @@ static int vimc_probe(struct platform_device *pdev)
+
+ dev_dbg(&pdev->dev, "probe");
+
++ memset(&vimc->mdev, 0, sizeof(vimc->mdev));
++
+ /* Create platform_device for each entity in the topology*/
+ vimc->subdevs = devm_kcalloc(&vimc->pdev.dev, vimc->pipe_cfg->num_ents,
+ sizeof(*vimc->subdevs), GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From 4dc2ada71434069aa843629f7f44cd43284e8bc3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 26 Mar 2019 01:12:07 -0400
+Subject: media: wl128x: prevent two potential buffer overflows
+
+[ Upstream commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 ]
+
+Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
+can copy up to 255 bytes and we only have room for two bytes. Even
+if this comes from the firmware and we trust it, the new policy
+generally is just to fix it as kernel hardenning.
+
+I can't test this code so I tried to be very conservative. I considered
+not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
+whole variable but in the end I decided to allow it and manually
+initialized "asic_id" and "asic_ver" to zero.
+
+Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/wl128x/fmdrv_common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c
+index 3c8987af37725..ac5706b4cab84 100644
+--- a/drivers/media/radio/wl128x/fmdrv_common.c
++++ b/drivers/media/radio/wl128x/fmdrv_common.c
+@@ -489,7 +489,8 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 fm_op, u16 type, void *payload,
+ return -EIO;
+ }
+ /* Send response data to caller */
+- if (response != NULL && response_len != NULL && evt_hdr->dlen) {
++ if (response != NULL && response_len != NULL && evt_hdr->dlen &&
++ evt_hdr->dlen <= payload_len) {
+ /* Skip header info and copy only response data */
+ skb_pull(skb, sizeof(struct fm_event_msg_hdr));
+ memcpy(response, skb->data, evt_hdr->dlen);
+@@ -583,6 +584,8 @@ static void fm_irq_handle_flag_getcmd_resp(struct fmdev *fmdev)
+ return;
+
+ fm_evt_hdr = (void *)skb->data;
++ if (fm_evt_hdr->dlen > sizeof(fmdev->irq_info.flag))
++ return;
+
+ /* Skip header info and copy only response data */
+ skb_pull(skb, sizeof(struct fm_event_msg_hdr));
+@@ -1308,7 +1311,7 @@ static int load_default_rx_configuration(struct fmdev *fmdev)
+ static int fm_power_up(struct fmdev *fmdev, u8 mode)
+ {
+ u16 payload;
+- __be16 asic_id, asic_ver;
++ __be16 asic_id = 0, asic_ver = 0;
+ int resp_len, ret;
+ u8 fw_name[50];
+
+--
+2.20.1
+
--- /dev/null
+From 5ad4ff6fd9d47eac187ba1796217a00fdfc62eb9 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Thu, 7 Mar 2019 10:12:26 +0000
+Subject: misc: fastrpc: consider address offset before sending to DSP
+
+[ Upstream commit 80f3afd72bd4149c57daf852905476b43bb47647 ]
+
+While passing address phy address to DSP, take care of the offset
+calculated from virtual address vma.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/fastrpc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
+index 36d0d5c9cfbad..9996c83ba5cb9 100644
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -667,8 +667,16 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_invoke_ctx *ctx)
+ pages[i].size = roundup(len, PAGE_SIZE);
+
+ if (ctx->maps[i]) {
++ struct vm_area_struct *vma = NULL;
++
+ rpra[i].pv = (u64) ctx->args[i].ptr;
+ pages[i].addr = ctx->maps[i]->phys;
++
++ vma = find_vma(current->mm, ctx->args[i].ptr);
++ if (vma)
++ pages[i].addr += ctx->args[i].ptr -
++ vma->vm_start;
++
+ } else {
+ rlen -= ALIGN(args, FASTRPC_ALIGN) - args;
+ args = ALIGN(args, FASTRPC_ALIGN);
+--
+2.20.1
+
--- /dev/null
+From fe85c85e3778f794e23b796b9fbf3d2534304715 Mon Sep 17 00:00:00 2001
+From: Thierry Escande <thierry.escande@linaro.org>
+Date: Thu, 7 Mar 2019 10:12:23 +0000
+Subject: misc: fastrpc: Fix a possible double free
+
+[ Upstream commit b49f6d83e290f17e20f4e5cf31288d3bb4955ea6 ]
+
+This patch fixes the error exit path of fastrpc_init_create_process().
+If the DMA allocation or the DSP invoke fails the fastrpc_map was freed
+but not removed from the mapping list leading to a double free once the
+mapping list is emptied in fastrpc_device_release().
+
+[srinivas kandagatla]: Cleaned up error path labels and reset init mem
+to NULL after free
+Fixes: d73f71c7c6ee("misc: fastrpc: Add support for create remote init process")
+Signed-off-by: Thierry Escande <thierry.escande@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/fastrpc.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
+index a10937652ca73..35be1cc11dd85 100644
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -856,12 +856,12 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl,
+
+ if (copy_from_user(&init, argp, sizeof(init))) {
+ err = -EFAULT;
+- goto bail;
++ goto err;
+ }
+
+ if (init.filelen > INIT_FILELEN_MAX) {
+ err = -EINVAL;
+- goto bail;
++ goto err;
+ }
+
+ inbuf.pgid = fl->tgid;
+@@ -875,17 +875,15 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl,
+ if (init.filelen && init.filefd) {
+ err = fastrpc_map_create(fl, init.filefd, init.filelen, &map);
+ if (err)
+- goto bail;
++ goto err;
+ }
+
+ memlen = ALIGN(max(INIT_FILELEN_MAX, (int)init.filelen * 4),
+ 1024 * 1024);
+ err = fastrpc_buf_alloc(fl, fl->sctx->dev, memlen,
+ &imem);
+- if (err) {
+- fastrpc_map_put(map);
+- goto bail;
+- }
++ if (err)
++ goto err_alloc;
+
+ fl->init_mem = imem;
+ args[0].ptr = (u64)(uintptr_t)&inbuf;
+@@ -921,13 +919,24 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl,
+
+ err = fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE,
+ sc, args);
++ if (err)
++ goto err_invoke;
+
+- if (err) {
++ kfree(args);
++
++ return 0;
++
++err_invoke:
++ fl->init_mem = NULL;
++ fastrpc_buf_free(imem);
++err_alloc:
++ if (map) {
++ spin_lock(&fl->lock);
++ list_del(&map->node);
++ spin_unlock(&fl->lock);
+ fastrpc_map_put(map);
+- fastrpc_buf_free(imem);
+ }
+-
+-bail:
++err:
+ kfree(args);
+
+ return err;
+--
+2.20.1
+
--- /dev/null
+From 7a334152894513b3b38321e00d1396d4cd40659b Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Thu, 7 Mar 2019 10:12:24 +0000
+Subject: misc: fastrpc: make sure memory read and writes are visible
+
+[ Upstream commit 415a0729bd1225f0ffbc0ba82888dd65772554f7 ]
+
+dma_alloc_coherent buffers could have writes queued in store buffers so
+commit them before sending buffer to DSP using correct dma barriers.
+Same with vice-versa.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/fastrpc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
+index 9996c83ba5cb9..a10937652ca73 100644
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -790,6 +790,9 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
+ if (err)
+ goto bail;
+ }
++
++ /* make sure that all CPU memory writes are seen by DSP */
++ dma_wmb();
+ /* Send invoke buffer to remote dsp */
+ err = fastrpc_invoke_send(fl->sctx, ctx, kernel, handle);
+ if (err)
+@@ -806,6 +809,8 @@ static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
+ goto bail;
+
+ if (ctx->nscalars) {
++ /* make sure that all memory writes by DSP are seen by CPU */
++ dma_rmb();
+ /* populate all the output buffers with results */
+ err = fastrpc_put_args(ctx, kernel);
+ if (err)
+--
+2.20.1
+
--- /dev/null
+From dfe79ab56380b3ad3df0724e7160d99c5a736ff7 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 24 Apr 2019 09:19:25 +0200
+Subject: mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older
+ GCC versions
+
+[ Upstream commit 29da93fea3ea39ab9b12270cc6be1b70ef201c9e ]
+
+Randy reported objtool triggered on his (GCC-7.4) build:
+
+ lib/strncpy_from_user.o: warning: objtool: strncpy_from_user()+0x315: call to __ubsan_handle_add_overflow() with UACCESS enabled
+ lib/strnlen_user.o: warning: objtool: strnlen_user()+0x337: call to __ubsan_handle_sub_overflow() with UACCESS enabled
+
+This is due to UBSAN generating signed-overflow-UB warnings where it
+should not. Prior to GCC-8 UBSAN ignored -fwrapv (which the kernel
+uses through -fno-strict-overflow).
+
+Make the functions use 'unsigned long' throughout.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: luto@kernel.org
+Link: http://lkml.kernel.org/r/20190424072208.754094071@infradead.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/strncpy_from_user.c | 5 +++--
+ lib/strnlen_user.c | 4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
+index 58eacd41526c5..023ba9f3b99f0 100644
+--- a/lib/strncpy_from_user.c
++++ b/lib/strncpy_from_user.c
+@@ -23,10 +23,11 @@
+ * hit it), 'max' is the address space maximum (and we return
+ * -EFAULT if we hit it).
+ */
+-static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
++static inline long do_strncpy_from_user(char *dst, const char __user *src,
++ unsigned long count, unsigned long max)
+ {
+ const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
+- long res = 0;
++ unsigned long res = 0;
+
+ /*
+ * Truncate 'max' to the user-specified limit, so that
+diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
+index 1c1a1b0e38a5f..7f2db3fe311fd 100644
+--- a/lib/strnlen_user.c
++++ b/lib/strnlen_user.c
+@@ -28,7 +28,7 @@
+ static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
+ {
+ const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
+- long align, res = 0;
++ unsigned long align, res = 0;
+ unsigned long c;
+
+ /*
+@@ -42,7 +42,7 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
+ * Do everything aligned. But that means that we
+ * need to also expand the maximum..
+ */
+- align = (sizeof(long) - 1) & (unsigned long)src;
++ align = (sizeof(unsigned long) - 1) & (unsigned long)src;
+ src -= align;
+ max += align;
+
+--
+2.20.1
+
--- /dev/null
+From 21e77696249d496e2ee5cde88ab1ff5165546276 Mon Sep 17 00:00:00 2001
+From: Andrea Merello <andrea.merello@gmail.com>
+Date: Fri, 5 Apr 2019 10:34:58 +0200
+Subject: mmc: core: make pwrseq_emmc (partially) support sleepy GPIO
+ controllers
+
+[ Upstream commit 002ee28e8b322d4d4b7b83234b5d0f4ebd428eda ]
+
+pwrseq_emmc.c implements a HW reset procedure for eMMC chip by driving a
+GPIO line.
+
+It registers the .reset() cb on mmc_pwrseq_ops and it registers a system
+restart notification handler; both of them perform reset by unconditionally
+calling gpiod_set_value().
+
+If the eMMC reset line is tied to a GPIO controller whose driver can sleep
+(i.e. I2C GPIO controller), then the kernel would spit warnings when trying
+to reset the eMMC chip by means of .reset() mmc_pwrseq_ops cb (that is
+exactly what I'm seeing during boot).
+
+Furthermore, on system reset we would gets to the system restart
+notification handler with disabled interrupts - local_irq_disable() is
+called in machine_restart() at least on ARM/ARM64 - and we would be in
+trouble when the GPIO driver tries to sleep (which indeed doesn't happen
+here, likely because in my case the machine specific code doesn't call
+do_kernel_restart(), I guess..).
+
+This patch fixes the .reset() cb to make use of gpiod_set_value_cansleep(),
+so that the eMMC gets reset on boot without complaints, while, since there
+isn't that much we can do, we avoid register the restart handler if the
+GPIO controller has a sleepy driver (and we spit a dev_notice() message to
+let people know)..
+
+This had been tested on a downstream 4.9 kernel with backported
+commit 83f37ee7ba33 ("mmc: pwrseq: Add reset callback to the struct
+mmc_pwrseq_ops") and commit ae60fb031cf2 ("mmc: core: Don't do eMMC HW
+reset when resuming the eMMC card"), because I couldn't boot my board
+otherwise. Maybe worth to RFT.
+
+Signed-off-by: Andrea Merello <andrea.merello@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/pwrseq_emmc.c | 38 ++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/mmc/core/pwrseq_emmc.c b/drivers/mmc/core/pwrseq_emmc.c
+index efb8a7965dd4a..154f4204d58cb 100644
+--- a/drivers/mmc/core/pwrseq_emmc.c
++++ b/drivers/mmc/core/pwrseq_emmc.c
+@@ -30,19 +30,14 @@ struct mmc_pwrseq_emmc {
+
+ #define to_pwrseq_emmc(p) container_of(p, struct mmc_pwrseq_emmc, pwrseq)
+
+-static void __mmc_pwrseq_emmc_reset(struct mmc_pwrseq_emmc *pwrseq)
+-{
+- gpiod_set_value(pwrseq->reset_gpio, 1);
+- udelay(1);
+- gpiod_set_value(pwrseq->reset_gpio, 0);
+- udelay(200);
+-}
+-
+ static void mmc_pwrseq_emmc_reset(struct mmc_host *host)
+ {
+ struct mmc_pwrseq_emmc *pwrseq = to_pwrseq_emmc(host->pwrseq);
+
+- __mmc_pwrseq_emmc_reset(pwrseq);
++ gpiod_set_value_cansleep(pwrseq->reset_gpio, 1);
++ udelay(1);
++ gpiod_set_value_cansleep(pwrseq->reset_gpio, 0);
++ udelay(200);
+ }
+
+ static int mmc_pwrseq_emmc_reset_nb(struct notifier_block *this,
+@@ -50,8 +45,11 @@ static int mmc_pwrseq_emmc_reset_nb(struct notifier_block *this,
+ {
+ struct mmc_pwrseq_emmc *pwrseq = container_of(this,
+ struct mmc_pwrseq_emmc, reset_nb);
++ gpiod_set_value(pwrseq->reset_gpio, 1);
++ udelay(1);
++ gpiod_set_value(pwrseq->reset_gpio, 0);
++ udelay(200);
+
+- __mmc_pwrseq_emmc_reset(pwrseq);
+ return NOTIFY_DONE;
+ }
+
+@@ -72,14 +70,18 @@ static int mmc_pwrseq_emmc_probe(struct platform_device *pdev)
+ if (IS_ERR(pwrseq->reset_gpio))
+ return PTR_ERR(pwrseq->reset_gpio);
+
+- /*
+- * register reset handler to ensure emmc reset also from
+- * emergency_reboot(), priority 255 is the highest priority
+- * so it will be executed before any system reboot handler.
+- */
+- pwrseq->reset_nb.notifier_call = mmc_pwrseq_emmc_reset_nb;
+- pwrseq->reset_nb.priority = 255;
+- register_restart_handler(&pwrseq->reset_nb);
++ if (!gpiod_cansleep(pwrseq->reset_gpio)) {
++ /*
++ * register reset handler to ensure emmc reset also from
++ * emergency_reboot(), priority 255 is the highest priority
++ * so it will be executed before any system reboot handler.
++ */
++ pwrseq->reset_nb.notifier_call = mmc_pwrseq_emmc_reset_nb;
++ pwrseq->reset_nb.priority = 255;
++ register_restart_handler(&pwrseq->reset_nb);
++ } else {
++ dev_notice(dev, "EMMC reset pin tied to a sleepy GPIO driver; reset on emergency-reboot disabled\n");
++ }
+
+ pwrseq->pwrseq.ops = &mmc_pwrseq_emmc_ops;
+ pwrseq->pwrseq.dev = dev;
+--
+2.20.1
+
--- /dev/null
+From 964b4eb785ead4ecd55eb876114390f8ac5d856f Mon Sep 17 00:00:00 2001
+From: Raul E Rangel <rrangel@chromium.org>
+Date: Mon, 29 Apr 2019 11:32:39 -0600
+Subject: mmc: core: Verify SD bus width
+
+[ Upstream commit 9e4be8d03f50d1b25c38e2b59e73b194c130df7d ]
+
+The SD Physical Layer Spec says the following: Since the SD Memory Card
+shall support at least the two bus modes 1-bit or 4-bit width, then any SD
+Card shall set at least bits 0 and 2 (SD_BUS_WIDTH="0101").
+
+This change verifies the card has specified a bus width.
+
+AMD SDHC Device 7806 can get into a bad state after a card disconnect
+where anything transferred via the DATA lines will always result in a
+zero filled buffer. Currently the driver will continue without error if
+the HC is in this condition. A block device will be created, but reading
+from it will result in a zero buffer. This makes it seem like the SD
+device has been erased, when in actuality the data is never getting
+copied from the DATA lines to the data buffer.
+
+SCR is the first command in the SD initialization sequence that uses the
+DATA lines. By checking that the response was invalid, we can abort
+mounting the card.
+
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Raul E Rangel <rrangel@chromium.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/sd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c
+index 265e1aeeb9d88..d3d32f9a2cb18 100644
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -221,6 +221,14 @@ static int mmc_decode_scr(struct mmc_card *card)
+
+ if (scr->sda_spec3)
+ scr->cmds = UNSTUFF_BITS(resp, 32, 2);
++
++ /* SD Spec says: any SD Card shall set at least bits 0 and 2 */
++ if (!(scr->bus_widths & SD_SCR_BUS_WIDTH_1) ||
++ !(scr->bus_widths & SD_SCR_BUS_WIDTH_4)) {
++ pr_err("%s: invalid bus width\n", mmc_hostname(card->host));
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 59b6d2a57379a0e8f1ce1428a7674b8ef3cbc7e8 Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:44 +0000
+Subject: mmc: sdhci-of-esdhc: add erratum A-009204 support
+
+[ Upstream commit 5dd195522562542bc6ebe6e7bd47890d8b7ca93c ]
+
+In the event of that any data error (like, IRQSTAT[DCE]) occurs
+during an eSDHC data transaction where DMA is used for data
+transfer to/from the system memory, setting the SYSCTL[RSTD]
+register may cause a system hang. If software sets the register
+SYSCTL[RSTD] to 1 for error recovery while DMA transferring is
+not complete, eSDHC may hang the system bus. This happens because
+the software register SYSCTL[RSTD] resets the DMA engine without
+waiting for the completion of pending system transactions. This
+erratum is to fix this issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index 9da53e548691b..4fc4d2c7643c5 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -694,6 +694,9 @@ static void esdhc_reset(struct sdhci_host *host, u8 mask)
+ sdhci_writel(host, host->ier, SDHCI_INT_ENABLE);
+ sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE);
+
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ mdelay(5);
++
+ if (mask & SDHCI_RESET_ALL) {
+ val = sdhci_readl(host, ESDHC_TBCTL);
+ val &= ~ESDHC_TB_EN;
+--
+2.20.1
+
--- /dev/null
+From 6fe28fd9d9752c0ed067966ecd6cccc16fdb300a Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:40 +0000
+Subject: mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 05cb6b2a66fa7837211a060878e91be5eb10cb07 ]
+
+eSDHC-A001: The data timeout counter (SYSCTL[DTOCV]) is not
+reliable for DTOCV values 0x4(2^17 SD clock), 0x8(2^21 SD clock),
+and 0xC(2^25 SD clock). The data timeout counter can count from
+2^13–2^27, but for values 2^17, 2^21, and 2^25, the timeout
+counter counts for only 2^13 SD clocks.
+A-008358: The data timeout counter value loaded into the timeout
+counter is less than expected and can result into early timeout
+error in case of eSDHC data transactions. The table below shows
+the expected vs actual timeout period for different values of
+SYSCTL[DTOCV]:
+these two erratum has the same quirk to control it, and set
+SDHCI_QUIRK_RESET_AFTER_REQUEST to fix above issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index 4fc4d2c7643c5..7e0eae8dafae0 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -1077,8 +1077,10 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
+ if (esdhc->vendor_ver > VENDOR_V_22)
+ host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
+
+- if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) {
+ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
++ host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
++ }
+
+ if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
+ of_device_is_compatible(np, "fsl,p5020-esdhc") ||
+--
+2.20.1
+
--- /dev/null
+From 3ce4b43b85e78be68696aeae4bd5a113adfad44c Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:36 +0000
+Subject: mmc: sdhci-of-esdhc: add erratum eSDHC5 support
+
+[ Upstream commit a46e42712596b51874f04c73f1cdf1017f88df52 ]
+
+Software writing to the Transfer Type configuration register
+(system clock domain) can cause a setup/hold violation in the
+CRC flops (card clock domain), which can cause write accesses
+to be sent with corrupt CRC values. This issue occurs only for
+write preceded by read. this erratum is to fix this issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index 4e669b4edfc11..9da53e548691b 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -1074,6 +1074,9 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
+ if (esdhc->vendor_ver > VENDOR_V_22)
+ host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
+
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
++
+ if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
+ of_device_is_compatible(np, "fsl,p5020-esdhc") ||
+ of_device_is_compatible(np, "fsl,p4080-esdhc") ||
+--
+2.20.1
+
--- /dev/null
+From 3542605b3e031e37bb06d244f8b2646222d78ec2 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Mon, 11 Mar 2019 00:53:33 -0500
+Subject: mmc_spi: add a status check for spi_sync_locked
+
+[ Upstream commit 611025983b7976df0183390a63a2166411d177f1 ]
+
+In case spi_sync_locked fails, the fix reports the error and
+returns the error code upstream.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmc_spi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
+index 1b1498805972c..a3533935e282b 100644
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct spi_transfer *t,
+ }
+
+ status = spi_sync_locked(spi, &host->m);
++ if (status < 0) {
++ dev_dbg(&spi->dev, "read error %d\n", status);
++ return status;
++ }
+
+ if (host->dma_dev) {
+ dma_sync_single_for_cpu(host->dma_dev,
+--
+2.20.1
+
--- /dev/null
+From bacdc3ae2879c8bde146cdbaa2a41b068071ade7 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Sat, 2 Mar 2019 14:47:38 +0100
+Subject: mt76: remove mt76_queue dependency from tx_queue_skb function pointer
+
+[ Upstream commit 89a37842b0c13c9e568bf12f4fcbe6507147e41d ]
+
+Remove mt76_queue dependency from tx_queue_skb function pointer and
+rely on mt76_tx_qid instead. This is a preliminary patch to introduce
+mt76_sw_queue support
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/dma.c | 3 ++-
+ drivers/net/wireless/mediatek/mt76/mt76.h | 4 ++--
+ drivers/net/wireless/mediatek/mt76/mt7603/beacon.c | 6 +++---
+ drivers/net/wireless/mediatek/mt76/mt76x02_mmio.c | 4 ++--
+ drivers/net/wireless/mediatek/mt76/tx.c | 10 +++++-----
+ drivers/net/wireless/mediatek/mt76/usb.c | 3 ++-
+ 6 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
+index 76629b98c78d7..8c7ee8302fb87 100644
+--- a/drivers/net/wireless/mediatek/mt76/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/dma.c
+@@ -271,10 +271,11 @@ mt76_dma_tx_queue_skb_raw(struct mt76_dev *dev, enum mt76_txq_id qid,
+ return 0;
+ }
+
+-int mt76_dma_tx_queue_skb(struct mt76_dev *dev, struct mt76_queue *q,
++int mt76_dma_tx_queue_skb(struct mt76_dev *dev, enum mt76_txq_id qid,
+ struct sk_buff *skb, struct mt76_wcid *wcid,
+ struct ieee80211_sta *sta)
+ {
++ struct mt76_queue *q = &dev->q_tx[qid];
+ struct mt76_queue_entry e;
+ struct mt76_txwi_cache *t;
+ struct mt76_queue_buf buf[32];
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
+index bcbfd3c4a44b6..eb882b2cbc0ec 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76.h
+@@ -156,7 +156,7 @@ struct mt76_queue_ops {
+ struct mt76_queue_buf *buf, int nbufs, u32 info,
+ struct sk_buff *skb, void *txwi);
+
+- int (*tx_queue_skb)(struct mt76_dev *dev, struct mt76_queue *q,
++ int (*tx_queue_skb)(struct mt76_dev *dev, enum mt76_txq_id qid,
+ struct sk_buff *skb, struct mt76_wcid *wcid,
+ struct ieee80211_sta *sta);
+
+@@ -645,7 +645,7 @@ static inline struct mt76_tx_cb *mt76_tx_skb_cb(struct sk_buff *skb)
+ return ((void *) IEEE80211_SKB_CB(skb)->status.status_driver_data);
+ }
+
+-int mt76_dma_tx_queue_skb(struct mt76_dev *dev, struct mt76_queue *q,
++int mt76_dma_tx_queue_skb(struct mt76_dev *dev, enum mt76_txq_id qid,
+ struct sk_buff *skb, struct mt76_wcid *wcid,
+ struct ieee80211_sta *sta);
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/beacon.c b/drivers/net/wireless/mediatek/mt76/mt7603/beacon.c
+index 4dcb465095d19..99c0a3ba37cb7 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7603/beacon.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7603/beacon.c
+@@ -23,7 +23,7 @@ mt7603_update_beacon_iter(void *priv, u8 *mac, struct ieee80211_vif *vif)
+ if (!skb)
+ return;
+
+- mt76_dma_tx_queue_skb(&dev->mt76, &dev->mt76.q_tx[MT_TXQ_BEACON], skb,
++ mt76_dma_tx_queue_skb(&dev->mt76, MT_TXQ_BEACON, skb,
+ &mvif->sta.wcid, NULL);
+
+ spin_lock_bh(&dev->ps_lock);
+@@ -118,8 +118,8 @@ void mt7603_pre_tbtt_tasklet(unsigned long arg)
+ struct ieee80211_vif *vif = info->control.vif;
+ struct mt7603_vif *mvif = (struct mt7603_vif *)vif->drv_priv;
+
+- mt76_dma_tx_queue_skb(&dev->mt76, q, skb, &mvif->sta.wcid,
+- NULL);
++ mt76_dma_tx_queue_skb(&dev->mt76, MT_TXQ_CAB, skb,
++ &mvif->sta.wcid, NULL);
+ }
+ mt76_queue_kick(dev, q);
+ spin_unlock_bh(&q->lock);
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_mmio.c b/drivers/net/wireless/mediatek/mt76/mt76x02_mmio.c
+index daaed1220147e..952fe19cba9b6 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mmio.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mmio.c
+@@ -146,8 +146,8 @@ static void mt76x02_pre_tbtt_tasklet(unsigned long arg)
+ struct ieee80211_vif *vif = info->control.vif;
+ struct mt76x02_vif *mvif = (struct mt76x02_vif *)vif->drv_priv;
+
+- mt76_dma_tx_queue_skb(&dev->mt76, q, skb, &mvif->group_wcid,
+- NULL);
++ mt76_dma_tx_queue_skb(&dev->mt76, MT_TXQ_PSD, skb,
++ &mvif->group_wcid, NULL);
+ }
+ spin_unlock_bh(&q->lock);
+ }
+diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
+index 2585df5123350..0c1036da9a92a 100644
+--- a/drivers/net/wireless/mediatek/mt76/tx.c
++++ b/drivers/net/wireless/mediatek/mt76/tx.c
+@@ -286,7 +286,7 @@ mt76_tx(struct mt76_dev *dev, struct ieee80211_sta *sta,
+ q = &dev->q_tx[qid];
+
+ spin_lock_bh(&q->lock);
+- dev->queue_ops->tx_queue_skb(dev, q, skb, wcid, sta);
++ dev->queue_ops->tx_queue_skb(dev, qid, skb, wcid, sta);
+ dev->queue_ops->kick(dev, q);
+
+ if (q->queued > q->ndesc - 8 && !q->stopped) {
+@@ -327,7 +327,6 @@ mt76_queue_ps_skb(struct mt76_dev *dev, struct ieee80211_sta *sta,
+ {
+ struct mt76_wcid *wcid = (struct mt76_wcid *) sta->drv_priv;
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+- struct mt76_queue *hwq = &dev->q_tx[MT_TXQ_PSD];
+
+ info->control.flags |= IEEE80211_TX_CTRL_PS_RESPONSE;
+ if (last)
+@@ -335,7 +334,7 @@ mt76_queue_ps_skb(struct mt76_dev *dev, struct ieee80211_sta *sta,
+ IEEE80211_TX_CTL_REQ_TX_STATUS;
+
+ mt76_skb_set_moredata(skb, !last);
+- dev->queue_ops->tx_queue_skb(dev, hwq, skb, wcid, sta);
++ dev->queue_ops->tx_queue_skb(dev, MT_TXQ_PSD, skb, wcid, sta);
+ }
+
+ void
+@@ -390,6 +389,7 @@ mt76_txq_send_burst(struct mt76_dev *dev, struct mt76_queue *hwq,
+ struct mt76_txq *mtxq, bool *empty)
+ {
+ struct ieee80211_txq *txq = mtxq_to_txq(mtxq);
++ enum mt76_txq_id qid = mt76_txq_get_qid(txq);
+ struct ieee80211_tx_info *info;
+ struct mt76_wcid *wcid = mtxq->wcid;
+ struct sk_buff *skb;
+@@ -423,7 +423,7 @@ mt76_txq_send_burst(struct mt76_dev *dev, struct mt76_queue *hwq,
+ if (ampdu)
+ mt76_check_agg_ssn(mtxq, skb);
+
+- idx = dev->queue_ops->tx_queue_skb(dev, hwq, skb, wcid, txq->sta);
++ idx = dev->queue_ops->tx_queue_skb(dev, qid, skb, wcid, txq->sta);
+
+ if (idx < 0)
+ return idx;
+@@ -458,7 +458,7 @@ mt76_txq_send_burst(struct mt76_dev *dev, struct mt76_queue *hwq,
+ if (cur_ampdu)
+ mt76_check_agg_ssn(mtxq, skb);
+
+- idx = dev->queue_ops->tx_queue_skb(dev, hwq, skb, wcid,
++ idx = dev->queue_ops->tx_queue_skb(dev, qid, skb, wcid,
+ txq->sta);
+ if (idx < 0)
+ return idx;
+diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
+index 4c1abd4924054..b1551419338f0 100644
+--- a/drivers/net/wireless/mediatek/mt76/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/usb.c
+@@ -726,10 +726,11 @@ mt76u_tx_build_sg(struct mt76_dev *dev, struct sk_buff *skb,
+ }
+
+ static int
+-mt76u_tx_queue_skb(struct mt76_dev *dev, struct mt76_queue *q,
++mt76u_tx_queue_skb(struct mt76_dev *dev, enum mt76_txq_id qid,
+ struct sk_buff *skb, struct mt76_wcid *wcid,
+ struct ieee80211_sta *sta)
+ {
++ struct mt76_queue *q = &dev->q_tx[qid];
+ struct mt76u_buf *buf;
+ u16 idx = q->tail;
+ int err;
+--
+2.20.1
+
--- /dev/null
+From 25c855ec69af3291801b51c8b56308f0d820565a Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 12 Mar 2019 15:03:58 +0800
+Subject: mwifiex: Fix mem leak in mwifiex_tm_cmd
+
+[ Upstream commit 003b686ace820ce2d635a83f10f2d7f9c147dabc ]
+
+'hostcmd' is alloced by kzalloc, should be freed before
+leaving from the error handling cases, otherwise it will
+cause mem leak.
+
+Fixes: 3935ccc14d2c ("mwifiex: add cfg80211 testmode support")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index c46f0a54a0c76..e582d9b3e50c2 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -4082,16 +4082,20 @@ static int mwifiex_tm_cmd(struct wiphy *wiphy, struct wireless_dev *wdev,
+
+ if (mwifiex_send_cmd(priv, 0, 0, 0, hostcmd, true)) {
+ dev_err(priv->adapter->dev, "Failed to process hostcmd\n");
++ kfree(hostcmd);
+ return -EFAULT;
+ }
+
+ /* process hostcmd response*/
+ skb = cfg80211_testmode_alloc_reply_skb(wiphy, hostcmd->len);
+- if (!skb)
++ if (!skb) {
++ kfree(hostcmd);
+ return -ENOMEM;
++ }
+ err = nla_put(skb, MWIFIEX_TM_ATTR_DATA,
+ hostcmd->len, hostcmd->cmd);
+ if (err) {
++ kfree(hostcmd);
+ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+--
+2.20.1
+
--- /dev/null
+From 6251a276131ad0c7a40243fc6b2f7fa75e0fe922 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Apr 2019 11:44:23 +0300
+Subject: mwifiex: prevent an array overflow
+
+[ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ]
+
+The "rate_index" is only used as an index into the phist_data->rx_rate[]
+array in the mwifiex_hist_data_set() function. That array has
+MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
+debugfs information. The "rate_index" variable comes from the network
+skb->data[] and it is a u8 so it's in the 0-255 range. We need to cap
+it to prevent an array overflow.
+
+Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfp.c b/drivers/net/wireless/marvell/mwifiex/cfp.c
+index bfe84e55df776..f1522fb1c1e87 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfp.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfp.c
+@@ -531,5 +531,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv,
+ rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ?
+ rx_rate - 1 : rx_rate;
+
++ if (rate_index >= MWIFIEX_MAX_AC_RX_RATES)
++ rate_index = MWIFIEX_MAX_AC_RX_RATES - 1;
++
+ return rate_index;
+ }
+--
+2.20.1
+
--- /dev/null
+From f6a707101f56439baf186140e585c1af77561ab3 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 03:05:02 -0500
+Subject: net: cw1200: fix a NULL pointer dereference
+
+[ Upstream commit 0ed2a005347400500a39ea7c7318f1fea57fb3ca ]
+
+In case create_singlethread_workqueue fails, the fix free the
+hardware and returns NULL to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/st/cw1200/main.c b/drivers/net/wireless/st/cw1200/main.c
+index 90dc979f260b6..c1608f0bf6d01 100644
+--- a/drivers/net/wireless/st/cw1200/main.c
++++ b/drivers/net/wireless/st/cw1200/main.c
+@@ -345,6 +345,11 @@ static struct ieee80211_hw *cw1200_init_common(const u8 *macaddr,
+ mutex_init(&priv->wsm_cmd_mux);
+ mutex_init(&priv->conf_mutex);
+ priv->workqueue = create_singlethread_workqueue("cw1200_wq");
++ if (!priv->workqueue) {
++ ieee80211_free_hw(hw);
++ return NULL;
++ }
++
+ sema_init(&priv->scan.lock, 1);
+ INIT_WORK(&priv->scan.work, cw1200_scan_work);
+ INIT_DELAYED_WORK(&priv->scan.probe_work, cw1200_probe_work);
+--
+2.20.1
+
--- /dev/null
+From f4edc50c768db85471c26e37c706e52c4407e8aa Mon Sep 17 00:00:00 2001
+From: Sameeh Jubran <sameehj@amazon.com>
+Date: Wed, 1 May 2019 16:47:04 +0300
+Subject: net: ena: fix: set freed objects to NULL to avoid failing future
+ allocations
+
+[ Upstream commit 8ee8ee7fe87bf64738ab4e31be036a7165608b27 ]
+
+In some cases when a queue related allocation fails, successful past
+allocations are freed but the pointer that pointed to them is not
+set to NULL. This is a problem for 2 reasons:
+1. This is generally a bad practice since this pointer might be
+accidentally accessed in the future.
+2. Future allocations using the same pointer check if the pointer
+is NULL and fail if it is not.
+
+Fixed this by setting such pointers to NULL in the allocation of
+queue related objects.
+
+Also refactored the code of ena_setup_tx_resources() to goto-style
+error handling to avoid code duplication of resource freeing.
+
+Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 25 ++++++++++++--------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 41c1c9acb3246..9b03d7e404f83 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -224,28 +224,23 @@ static int ena_setup_tx_resources(struct ena_adapter *adapter, int qid)
+ if (!tx_ring->tx_buffer_info) {
+ tx_ring->tx_buffer_info = vzalloc(size);
+ if (!tx_ring->tx_buffer_info)
+- return -ENOMEM;
++ goto err_tx_buffer_info;
+ }
+
+ size = sizeof(u16) * tx_ring->ring_size;
+ tx_ring->free_tx_ids = vzalloc_node(size, node);
+ if (!tx_ring->free_tx_ids) {
+ tx_ring->free_tx_ids = vzalloc(size);
+- if (!tx_ring->free_tx_ids) {
+- vfree(tx_ring->tx_buffer_info);
+- return -ENOMEM;
+- }
++ if (!tx_ring->free_tx_ids)
++ goto err_free_tx_ids;
+ }
+
+ size = tx_ring->tx_max_header_size;
+ tx_ring->push_buf_intermediate_buf = vzalloc_node(size, node);
+ if (!tx_ring->push_buf_intermediate_buf) {
+ tx_ring->push_buf_intermediate_buf = vzalloc(size);
+- if (!tx_ring->push_buf_intermediate_buf) {
+- vfree(tx_ring->tx_buffer_info);
+- vfree(tx_ring->free_tx_ids);
+- return -ENOMEM;
+- }
++ if (!tx_ring->push_buf_intermediate_buf)
++ goto err_push_buf_intermediate_buf;
+ }
+
+ /* Req id ring for TX out of order completions */
+@@ -259,6 +254,15 @@ static int ena_setup_tx_resources(struct ena_adapter *adapter, int qid)
+ tx_ring->next_to_clean = 0;
+ tx_ring->cpu = ena_irq->cpu;
+ return 0;
++
++err_push_buf_intermediate_buf:
++ vfree(tx_ring->free_tx_ids);
++ tx_ring->free_tx_ids = NULL;
++err_free_tx_ids:
++ vfree(tx_ring->tx_buffer_info);
++ tx_ring->tx_buffer_info = NULL;
++err_tx_buffer_info:
++ return -ENOMEM;
+ }
+
+ /* ena_free_tx_resources - Free I/O Tx Resources per Queue
+@@ -378,6 +382,7 @@ static int ena_setup_rx_resources(struct ena_adapter *adapter,
+ rx_ring->free_rx_ids = vzalloc(size);
+ if (!rx_ring->free_rx_ids) {
+ vfree(rx_ring->rx_buffer_info);
++ rx_ring->rx_buffer_info = NULL;
+ return -ENOMEM;
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 5bb0ed0a6164321e3f93a4b565bf743a72c9042b Mon Sep 17 00:00:00 2001
+From: Sameeh Jubran <sameehj@amazon.com>
+Date: Wed, 1 May 2019 16:47:10 +0300
+Subject: net: ena: gcc 8: fix compilation warning
+
+[ Upstream commit f913308879bc6ae437ce64d878c7b05643ddea44 ]
+
+GCC 8 contains a number of new warnings as well as enhancements to existing
+checkers. The warning - Wstringop-truncation - warns for calls to bounded
+string manipulation functions such as strncat, strncpy, and stpncpy that
+may either truncate the copied string or leave the destination unchanged.
+
+In our case the destination string length (32 bytes) is much shorter than
+the source string (64 bytes) which causes this warning to show up. In
+general the destination has to be at least a byte larger than the length
+of the source string with strncpy for this warning not to showup.
+
+This can be easily fixed by using strlcpy instead which already does the
+truncation to the string. Documentation for this function can be
+found here:
+
+https://elixir.bootlin.com/linux/latest/source/lib/string.c#L141
+
+Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index a6eacf2099c30..41c1c9acb3246 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2292,7 +2292,7 @@ static void ena_config_host_info(struct ena_com_dev *ena_dev,
+ host_info->bdf = (pdev->bus->number << 8) | pdev->devfn;
+ host_info->os_type = ENA_ADMIN_OS_LINUX;
+ host_info->kernel_ver = LINUX_VERSION_CODE;
+- strncpy(host_info->kernel_ver_str, utsname()->version,
++ strlcpy(host_info->kernel_ver_str, utsname()->version,
+ sizeof(host_info->kernel_ver_str) - 1);
+ host_info->os_dist = 0;
+ strncpy(host_info->os_dist_str, utsname()->release,
+--
+2.20.1
+
--- /dev/null
+From e0693e5bc27eebe95490b69809ddba21061f6ceb Mon Sep 17 00:00:00 2001
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+Date: Fri, 26 Apr 2019 20:12:33 +0300
+Subject: net: ethernet: ti: cpsw: fix allmulti cfg in dual_mac mode
+
+[ Upstream commit 06095f34f8a0a2c4c83a19514c272699edd5f80b ]
+
+Now CPSW ALE will set/clean Host port bit in Unregistered Multicast Flood
+Mask (UNREG_MCAST_FLOOD_MASK) for every VLAN without checking if this port
+belongs to VLAN or not when ALLMULTI mode flag is set for nedev. This is
+working in non dual_mac mode, but in dual_mac - it causes
+enabling/disabling ALLMULTI flag for both ports.
+
+Hence fix it by adding additional parameter to cpsw_ale_set_allmulti() to
+specify ALE port number for which ALLMULTI has to be enabled and check if
+port belongs to VLAN before modifying UNREG_MCAST_FLOOD_MASK.
+
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 12 +++++++++---
+ drivers/net/ethernet/ti/cpsw_ale.c | 19 ++++++++++---------
+ drivers/net/ethernet/ti/cpsw_ale.h | 3 +--
+ 3 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
+index a591583d120e1..dd12b73a88530 100644
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -800,12 +800,17 @@ static int cpsw_purge_all_mc(struct net_device *ndev, const u8 *addr, int num)
+
+ static void cpsw_ndo_set_rx_mode(struct net_device *ndev)
+ {
+- struct cpsw_common *cpsw = ndev_to_cpsw(ndev);
++ struct cpsw_priv *priv = netdev_priv(ndev);
++ struct cpsw_common *cpsw = priv->cpsw;
++ int slave_port = -1;
++
++ if (cpsw->data.dual_emac)
++ slave_port = priv->emac_port + 1;
+
+ if (ndev->flags & IFF_PROMISC) {
+ /* Enable promiscuous mode */
+ cpsw_set_promiscious(ndev, true);
+- cpsw_ale_set_allmulti(cpsw->ale, IFF_ALLMULTI);
++ cpsw_ale_set_allmulti(cpsw->ale, IFF_ALLMULTI, slave_port);
+ return;
+ } else {
+ /* Disable promiscuous mode */
+@@ -813,7 +818,8 @@ static void cpsw_ndo_set_rx_mode(struct net_device *ndev)
+ }
+
+ /* Restore allmulti on vlans if necessary */
+- cpsw_ale_set_allmulti(cpsw->ale, ndev->flags & IFF_ALLMULTI);
++ cpsw_ale_set_allmulti(cpsw->ale,
++ ndev->flags & IFF_ALLMULTI, slave_port);
+
+ /* add/remove mcast address either for real netdev or for vlan */
+ __hw_addr_ref_sync_dev(&ndev->mc, ndev, cpsw_add_mc_addr,
+diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c
+index 798c989d5d934..b3d9591b4824a 100644
+--- a/drivers/net/ethernet/ti/cpsw_ale.c
++++ b/drivers/net/ethernet/ti/cpsw_ale.c
+@@ -482,24 +482,25 @@ int cpsw_ale_del_vlan(struct cpsw_ale *ale, u16 vid, int port_mask)
+ }
+ EXPORT_SYMBOL_GPL(cpsw_ale_del_vlan);
+
+-void cpsw_ale_set_allmulti(struct cpsw_ale *ale, int allmulti)
++void cpsw_ale_set_allmulti(struct cpsw_ale *ale, int allmulti, int port)
+ {
+ u32 ale_entry[ALE_ENTRY_WORDS];
+- int type, idx;
+ int unreg_mcast = 0;
+-
+- /* Only bother doing the work if the setting is actually changing */
+- if (ale->allmulti == allmulti)
+- return;
+-
+- /* Remember the new setting to check against next time */
+- ale->allmulti = allmulti;
++ int type, idx;
+
+ for (idx = 0; idx < ale->params.ale_entries; idx++) {
++ int vlan_members;
++
+ cpsw_ale_read(ale, idx, ale_entry);
+ type = cpsw_ale_get_entry_type(ale_entry);
+ if (type != ALE_TYPE_VLAN)
+ continue;
++ vlan_members =
++ cpsw_ale_get_vlan_member_list(ale_entry,
++ ale->vlan_field_bits);
++
++ if (port != -1 && !(vlan_members & BIT(port)))
++ continue;
+
+ unreg_mcast =
+ cpsw_ale_get_vlan_unreg_mcast(ale_entry,
+diff --git a/drivers/net/ethernet/ti/cpsw_ale.h b/drivers/net/ethernet/ti/cpsw_ale.h
+index cd07a3e96d576..1fe196d8a5e42 100644
+--- a/drivers/net/ethernet/ti/cpsw_ale.h
++++ b/drivers/net/ethernet/ti/cpsw_ale.h
+@@ -37,7 +37,6 @@ struct cpsw_ale {
+ struct cpsw_ale_params params;
+ struct timer_list timer;
+ unsigned long ageout;
+- int allmulti;
+ u32 version;
+ /* These bits are different on NetCP NU Switch ALE */
+ u32 port_mask_bits;
+@@ -116,7 +115,7 @@ int cpsw_ale_del_mcast(struct cpsw_ale *ale, const u8 *addr, int port_mask,
+ int cpsw_ale_add_vlan(struct cpsw_ale *ale, u16 vid, int port, int untag,
+ int reg_mcast, int unreg_mcast);
+ int cpsw_ale_del_vlan(struct cpsw_ale *ale, u16 vid, int port);
+-void cpsw_ale_set_allmulti(struct cpsw_ale *ale, int allmulti);
++void cpsw_ale_set_allmulti(struct cpsw_ale *ale, int allmulti, int port);
+
+ int cpsw_ale_control_get(struct cpsw_ale *ale, int port, int control);
+ int cpsw_ale_control_set(struct cpsw_ale *ale, int port,
+--
+2.20.1
+
--- /dev/null
+From 1f10cc24504f07678586057d9a2d9753b44cb51b Mon Sep 17 00:00:00 2001
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Sat, 6 Apr 2019 15:43:34 +0800
+Subject: net: hns3: add error handler for initializing command queue
+
+[ Upstream commit 4339ef396ab65a61f7f22f36d7ba94b6e9e0939b ]
+
+This patch adds error handler for the failure of command queue
+initialization both PF and VF.
+
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c | 11 ++++++++---
+ .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c | 11 ++++++++---
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
+index 3a093a92eac51..d92e4af11b1fe 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
+@@ -373,21 +373,26 @@ int hclge_cmd_init(struct hclge_dev *hdev)
+ * reset may happen when lower level reset is being processed.
+ */
+ if ((hclge_is_reset_pending(hdev))) {
+- set_bit(HCLGE_STATE_CMD_DISABLE, &hdev->state);
+- return -EBUSY;
++ ret = -EBUSY;
++ goto err_cmd_init;
+ }
+
+ ret = hclge_cmd_query_firmware_version(&hdev->hw, &version);
+ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "firmware version query failed %d\n", ret);
+- return ret;
++ goto err_cmd_init;
+ }
+ hdev->fw_version = version;
+
+ dev_info(&hdev->pdev->dev, "The firmware version is %08x\n", version);
+
+ return 0;
++
++err_cmd_init:
++ set_bit(HCLGE_STATE_CMD_DISABLE, &hdev->state);
++
++ return ret;
+ }
+
+ static void hclge_cmd_uninit_regs(struct hclge_hw *hw)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c
+index 9a0a501908aec..382ecb15e7435 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c
+@@ -344,8 +344,8 @@ int hclgevf_cmd_init(struct hclgevf_dev *hdev)
+ * reset may happen when lower level reset is being processed.
+ */
+ if (hclgevf_is_reset_pending(hdev)) {
+- set_bit(HCLGEVF_STATE_CMD_DISABLE, &hdev->state);
+- return -EBUSY;
++ ret = -EBUSY;
++ goto err_cmd_init;
+ }
+
+ /* get firmware version */
+@@ -353,13 +353,18 @@ int hclgevf_cmd_init(struct hclgevf_dev *hdev)
+ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed(%d) to query firmware version\n", ret);
+- return ret;
++ goto err_cmd_init;
+ }
+ hdev->fw_version = version;
+
+ dev_info(&hdev->pdev->dev, "The firmware version is %08x\n", version);
+
+ return 0;
++
++err_cmd_init:
++ set_bit(HCLGEVF_STATE_CMD_DISABLE, &hdev->state);
++
++ return ret;
+ }
+
+ static void hclgevf_cmd_uninit_regs(struct hclgevf_hw *hw)
+--
+2.20.1
+
--- /dev/null
+From 580ff2dc75565693e096f63ae2e0262f926c212b Mon Sep 17 00:00:00 2001
+From: Jian Shen <shenjian15@huawei.com>
+Date: Thu, 4 Apr 2019 16:17:55 +0800
+Subject: net: hns3: add protect when handling mac addr list
+
+[ Upstream commit 389775a6605e040dddea21a778a88eaaa57c068d ]
+
+It used netdev->uc and netdev->mc list in function
+hns3_recover_hw_addr() and hns3_remove_hw_addr().
+We should add protect for them.
+
+Fixes: f05e21097121 ("net: hns3: Clear mac vlan table entries when unload driver or function reset")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index d6b488c2de332..c7d310903319f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3774,12 +3774,13 @@ static int hns3_recover_hw_addr(struct net_device *ndev)
+ struct netdev_hw_addr *ha, *tmp;
+ int ret = 0;
+
++ netif_addr_lock_bh(ndev);
+ /* go through and sync uc_addr entries to the device */
+ list = &ndev->uc;
+ list_for_each_entry_safe(ha, tmp, &list->list, list) {
+ ret = hns3_nic_uc_sync(ndev, ha->addr);
+ if (ret)
+- return ret;
++ goto out;
+ }
+
+ /* go through and sync mc_addr entries to the device */
+@@ -3787,9 +3788,11 @@ static int hns3_recover_hw_addr(struct net_device *ndev)
+ list_for_each_entry_safe(ha, tmp, &list->list, list) {
+ ret = hns3_nic_mc_sync(ndev, ha->addr);
+ if (ret)
+- return ret;
++ goto out;
+ }
+
++out:
++ netif_addr_unlock_bh(ndev);
+ return ret;
+ }
+
+@@ -3800,6 +3803,7 @@ static void hns3_remove_hw_addr(struct net_device *netdev)
+
+ hns3_nic_uc_unsync(netdev, netdev->dev_addr);
+
++ netif_addr_lock_bh(netdev);
+ /* go through and unsync uc_addr entries to the device */
+ list = &netdev->uc;
+ list_for_each_entry_safe(ha, tmp, &list->list, list)
+@@ -3810,6 +3814,8 @@ static void hns3_remove_hw_addr(struct net_device *netdev)
+ list_for_each_entry_safe(ha, tmp, &list->list, list)
+ if (ha->refcount > 1)
+ hns3_nic_mc_unsync(netdev, ha->addr);
++
++ netif_addr_unlock_bh(netdev);
+ }
+
+ static void hns3_clear_tx_ring(struct hns3_enet_ring *ring)
+--
+2.20.1
+
--- /dev/null
+From e988c2c24b9c8c535f3c80c9eef840f20aa1a1a7 Mon Sep 17 00:00:00 2001
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Thu, 4 Apr 2019 16:17:56 +0800
+Subject: net: hns3: check resetting status in hns3_get_stats()
+
+[ Upstream commit c4e401e5a934bb0798ebbba98e08dab129695eff ]
+
+hns3_get_stats() should check the resetting status firstly,
+since the device will be reinitialized when resetting. If the
+reset has not completed, the hns3_get_stats() may access
+invalid memory.
+
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index 359d4731fb2db..ea94b5152963f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -483,6 +483,11 @@ static void hns3_get_stats(struct net_device *netdev,
+ struct hnae3_handle *h = hns3_get_handle(netdev);
+ u64 *p = data;
+
++ if (hns3_nic_resetting(netdev)) {
++ netdev_err(netdev, "dev resetting, could not get stats\n");
++ return;
++ }
++
+ if (!h->ae_algo->ops->get_stats || !h->ae_algo->ops->update_stats) {
+ netdev_err(netdev, "could not get any statistics\n");
+ return;
+--
+2.20.1
+
--- /dev/null
+From 69060e147a0af1c5bac77ea1e66321ea37870dcc Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Thu, 25 Apr 2019 20:42:46 +0800
+Subject: net: hns3: fix for TX clean num when cleaning TX BD
+
+[ Upstream commit 63380a1ae4ced8aef67659ff9547c69ef8b9613a ]
+
+hns3_desc_unused() returns how many BD have been cleaned, but new
+buffer has not been attached to them. The register of
+HNS3_RING_RX_RING_FBDNUM_REG returns how many BD need allocating new
+buffer to or need to cleaned. So the remaining BD need to be clean
+is HNS3_RING_RX_RING_FBDNUM_REG - hns3_desc_unused().
+
+Also, new buffer can not attach to the pending BD when the last BD is
+not handled, because memcpy has not been done on the first pending BD.
+
+This patch fixes by subtracting the pending BD num from unused_count
+after 'HNS3_RING_RX_RING_FBDNUM_REG - unused_count' is used to calculate
+the BD bum need to be clean.
+
+Fixes: e55970950556 ("net: hns3: Add handling of GRO Pkts not fully RX'ed in NAPI poll")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 162cb9afa0e70..0208efe282775 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -2705,7 +2705,7 @@ int hns3_clean_rx_ring(
+ #define RCB_NOF_ALLOC_RX_BUFF_ONCE 16
+ struct net_device *netdev = ring->tqp->handle->kinfo.netdev;
+ int recv_pkts, recv_bds, clean_count, err;
+- int unused_count = hns3_desc_unused(ring) - ring->pending_buf;
++ int unused_count = hns3_desc_unused(ring);
+ struct sk_buff *skb = ring->skb;
+ int num;
+
+@@ -2714,6 +2714,7 @@ int hns3_clean_rx_ring(
+
+ recv_pkts = 0, recv_bds = 0, clean_count = 0;
+ num -= unused_count;
++ unused_count -= ring->pending_buf;
+
+ while (recv_pkts < budget && recv_bds < num) {
+ /* Reuse or realloc buffers */
+--
+2.20.1
+
--- /dev/null
+From 959849037c9521d60ef54209cc5a073ac4f4a78c Mon Sep 17 00:00:00 2001
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Sat, 6 Apr 2019 15:43:36 +0800
+Subject: net: hns3: fix keep_alive_timer not stop problem
+
+[ Upstream commit e233516e6a92baeec20aa40fa5b63be6b94f1627 ]
+
+When hclgevf_client_start() fails or VF driver unloaded, there is
+nobody to disable keep_alive_timer.
+
+So this patch fixes them.
+
+Fixes: a6d818e31d08 ("net: hns3: Add vport alive state checking support")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 8bc28e6f465f1..8dd7fef863f68 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2007,9 +2007,15 @@ static int hclgevf_set_alive(struct hnae3_handle *handle, bool alive)
+ static int hclgevf_client_start(struct hnae3_handle *handle)
+ {
+ struct hclgevf_dev *hdev = hclgevf_ae_get_hdev(handle);
++ int ret;
++
++ ret = hclgevf_set_alive(handle, true);
++ if (ret)
++ return ret;
+
+ mod_timer(&hdev->keep_alive_timer, jiffies + 2 * HZ);
+- return hclgevf_set_alive(handle, true);
++
++ return 0;
+ }
+
+ static void hclgevf_client_stop(struct hnae3_handle *handle)
+@@ -2051,6 +2057,10 @@ static void hclgevf_state_uninit(struct hclgevf_dev *hdev)
+ {
+ set_bit(HCLGEVF_STATE_DOWN, &hdev->state);
+
++ if (hdev->keep_alive_timer.function)
++ del_timer_sync(&hdev->keep_alive_timer);
++ if (hdev->keep_alive_task.func)
++ cancel_work_sync(&hdev->keep_alive_task);
+ if (hdev->service_timer.function)
+ del_timer_sync(&hdev->service_timer);
+ if (hdev->service_task.func)
+--
+2.20.1
+
--- /dev/null
+From f6f4a16f8f7b2fe97568fdff5271d39f33cc3dfb Mon Sep 17 00:00:00 2001
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Thu, 25 Apr 2019 20:42:52 +0800
+Subject: net: hns3: fix pause configure fail problem
+
+[ Upstream commit fba2efdae8b4f998f66a2ff4c9f0575e1c4bbc40 ]
+
+When configure pause, current implementation returns directly
+after setup PFC without setup BP, which is not sufficient.
+
+So this patch fixes it, only return while setting PFC failed.
+
+Fixes: 44e59e375bf7 ("net: hns3: do not return GE PFC setting err when initializing")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+index aafc69f4bfdd6..a7bbb6d3091a6 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+@@ -1331,8 +1331,11 @@ int hclge_pause_setup_hw(struct hclge_dev *hdev, bool init)
+ ret = hclge_pfc_setup_hw(hdev);
+ if (init && ret == -EOPNOTSUPP)
+ dev_warn(&hdev->pdev->dev, "GE MAC does not support pfc\n");
+- else
++ else if (ret) {
++ dev_err(&hdev->pdev->dev, "config pfc failed! ret = %d\n",
++ ret);
+ return ret;
++ }
+
+ return hclge_tm_bp_setup(hdev);
+ }
+--
+2.20.1
+
--- /dev/null
+From 0d0e226c72433ed6cb986d2afac214c89bcd6673 Mon Sep 17 00:00:00 2001
+From: Peng Li <lipeng321@huawei.com>
+Date: Sun, 14 Apr 2019 09:47:45 +0800
+Subject: net: hns3: free the pending skb when clean RX ring
+
+[ Upstream commit cc5ff6e90f808f9a4c8229bf2f1de0dfe5d7931c ]
+
+If there is pending skb in RX flow when close the port, and the
+pending buffer is not cleaned, the new packet will be added to
+the pending skb when the port opens again, and the first new
+packet has error data.
+
+This patch cleans the pending skb when clean RX ring.
+
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 0208efe282775..d6b488c2de332 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3851,6 +3851,13 @@ static int hns3_clear_rx_ring(struct hns3_enet_ring *ring)
+ ring_ptr_move_fw(ring, next_to_use);
+ }
+
++ /* Free the pending skb in rx ring */
++ if (ring->skb) {
++ dev_kfree_skb_any(ring->skb);
++ ring->skb = NULL;
++ ring->pending_buf = 0;
++ }
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From bfa161e45f392e6a780dd066cfbc2d56ded51b4f Mon Sep 17 00:00:00 2001
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Thu, 25 Apr 2019 20:42:49 +0800
+Subject: net: hns3: use atomic_t replace u32 for arq's count
+
+[ Upstream commit 30780a8b1677e7409b32ae52a9a84f7d41ae6b43 ]
+
+Since irq handler and mailbox task will both update arq's count,
+so arq's count should use atomic_t instead of u32, otherwise
+its value may go wrong finally.
+
+Fixes: 07a0556a3a73 ("net: hns3: Changes to support ARQ(Asynchronous Receive Queue)")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h | 2 +-
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c | 7 ++++---
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
+index 299b277bc7ae9..589b7ee32bff8 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
+@@ -107,7 +107,7 @@ struct hclgevf_mbx_arq_ring {
+ struct hclgevf_dev *hdev;
+ u32 head;
+ u32 tail;
+- u32 count;
++ atomic_t count;
+ u16 msg_q[HCLGE_MBX_MAX_ARQ_MSG_NUM][HCLGE_MBX_MAX_ARQ_MSG_SIZE];
+ };
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c
+index 9441b453d38df..9a0a501908aec 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_cmd.c
+@@ -327,7 +327,7 @@ int hclgevf_cmd_init(struct hclgevf_dev *hdev)
+ hdev->arq.hdev = hdev;
+ hdev->arq.head = 0;
+ hdev->arq.tail = 0;
+- hdev->arq.count = 0;
++ atomic_set(&hdev->arq.count, 0);
+ hdev->hw.cmq.csq.next_to_clean = 0;
+ hdev->hw.cmq.csq.next_to_use = 0;
+ hdev->hw.cmq.crq.next_to_clean = 0;
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
+index 7dc3c9f79169f..4f2c77283cb43 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
+@@ -208,7 +208,8 @@ void hclgevf_mbx_handler(struct hclgevf_dev *hdev)
+ /* we will drop the async msg if we find ARQ as full
+ * and continue with next message
+ */
+- if (hdev->arq.count >= HCLGE_MBX_MAX_ARQ_MSG_NUM) {
++ if (atomic_read(&hdev->arq.count) >=
++ HCLGE_MBX_MAX_ARQ_MSG_NUM) {
+ dev_warn(&hdev->pdev->dev,
+ "Async Q full, dropping msg(%d)\n",
+ req->msg[1]);
+@@ -220,7 +221,7 @@ void hclgevf_mbx_handler(struct hclgevf_dev *hdev)
+ memcpy(&msg_q[0], req->msg,
+ HCLGE_MBX_MAX_ARQ_MSG_SIZE * sizeof(u16));
+ hclge_mbx_tail_ptr_move_arq(hdev->arq);
+- hdev->arq.count++;
++ atomic_inc(&hdev->arq.count);
+
+ hclgevf_mbx_task_schedule(hdev);
+
+@@ -308,7 +309,7 @@ void hclgevf_mbx_async_handler(struct hclgevf_dev *hdev)
+ }
+
+ hclge_mbx_head_ptr_move_arq(hdev->arq);
+- hdev->arq.count--;
++ atomic_dec(&hdev->arq.count);
+ msg_q = hdev->arq.msg_q[hdev->arq.head];
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From b6dec2fe20d0117cc14bb9298dd2cf715bd1a9e2 Mon Sep 17 00:00:00 2001
+From: Bodong Wang <bodong@mellanox.com>
+Date: Thu, 18 Apr 2019 18:24:15 -0500
+Subject: net/mlx5: E-Switch, Use atomic rep state to serialize state change
+
+[ Upstream commit 6f4e02193c9a9ea54dd3151cf97489fa787cd0e6 ]
+
+When the state of rep was introduced, it was also designed to prevent
+duplicate unloading of the same rep. Considering the following two
+flows when an eswitch manager is at switchdev mode with n VF reps loaded.
+
++--------------------------------------+--------------------------------+
+| cpu-0 | cpu-1 |
+| -------- | -------- |
+| mlx5_ib_remove | mlx5_eswitch_disable_sriov |
+| mlx5_ib_unregister_vport_reps | esw_offloads_cleanup |
+| mlx5_eswitch_unregister_vport_reps | esw_offloads_unload_all_reps |
+| __unload_reps_all_vport | __unload_reps_all_vport |
++--------------------------------------+--------------------------------+
+
+These two flows will try to unload the same rep. Per original design,
+once one flow unloads the rep, the state moves to REGISTERED. The 2nd
+flow will no longer needs to do the unload and bails out. However, as
+read and write of the state is not atomic, when 1st flow is doing the
+unload, the state is still LOADED, 2nd flow is able to do the same
+unload action. Kernel crash will happen.
+
+To solve this, driver should do atomic test-and-set for the state. So
+that only one flow can change the rep state from LOADED to REGISTERED,
+and proceed to do the actual unloading.
+
+Since the state is changing to atomic type, all other read/write should
+be atomic action as well.
+
+Fixes: f121e0ea9586 (net/mlx5: E-Switch, Add state to eswitch vport representors)
+Signed-off-by: Bodong Wang <bodong@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Vu Pham <vuhuong@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/eswitch_offloads.c | 36 +++++++++----------
+ include/linux/mlx5/eswitch.h | 2 +-
+ 2 files changed, 18 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 9b2d78ee22b88..d2d8da133082c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -363,7 +363,7 @@ static int esw_set_global_vlan_pop(struct mlx5_eswitch *esw, u8 val)
+ esw_debug(esw->dev, "%s applying global %s policy\n", __func__, val ? "pop" : "none");
+ for (vf_vport = 1; vf_vport < esw->enabled_vports; vf_vport++) {
+ rep = &esw->offloads.vport_reps[vf_vport];
+- if (rep->rep_if[REP_ETH].state != REP_LOADED)
++ if (atomic_read(&rep->rep_if[REP_ETH].state) != REP_LOADED)
+ continue;
+
+ err = __mlx5_eswitch_set_vport_vlan(esw, rep->vport, 0, 0, val);
+@@ -1306,7 +1306,8 @@ int esw_offloads_init_reps(struct mlx5_eswitch *esw)
+ ether_addr_copy(rep->hw_id, hw_id);
+
+ for (rep_type = 0; rep_type < NUM_REP_TYPES; rep_type++)
+- rep->rep_if[rep_type].state = REP_UNREGISTERED;
++ atomic_set(&rep->rep_if[rep_type].state,
++ REP_UNREGISTERED);
+ }
+
+ return 0;
+@@ -1315,11 +1316,9 @@ int esw_offloads_init_reps(struct mlx5_eswitch *esw)
+ static void __esw_offloads_unload_rep(struct mlx5_eswitch *esw,
+ struct mlx5_eswitch_rep *rep, u8 rep_type)
+ {
+- if (rep->rep_if[rep_type].state != REP_LOADED)
+- return;
+-
+- rep->rep_if[rep_type].unload(rep);
+- rep->rep_if[rep_type].state = REP_REGISTERED;
++ if (atomic_cmpxchg(&rep->rep_if[rep_type].state,
++ REP_LOADED, REP_REGISTERED) == REP_LOADED)
++ rep->rep_if[rep_type].unload(rep);
+ }
+
+ static void __unload_reps_special_vport(struct mlx5_eswitch *esw, u8 rep_type)
+@@ -1380,16 +1379,15 @@ static int __esw_offloads_load_rep(struct mlx5_eswitch *esw,
+ {
+ int err = 0;
+
+- if (rep->rep_if[rep_type].state != REP_REGISTERED)
+- return 0;
+-
+- err = rep->rep_if[rep_type].load(esw->dev, rep);
+- if (err)
+- return err;
+-
+- rep->rep_if[rep_type].state = REP_LOADED;
++ if (atomic_cmpxchg(&rep->rep_if[rep_type].state,
++ REP_REGISTERED, REP_LOADED) == REP_REGISTERED) {
++ err = rep->rep_if[rep_type].load(esw->dev, rep);
++ if (err)
++ atomic_set(&rep->rep_if[rep_type].state,
++ REP_REGISTERED);
++ }
+
+- return 0;
++ return err;
+ }
+
+ static int __load_reps_special_vport(struct mlx5_eswitch *esw, u8 rep_type)
+@@ -2076,7 +2074,7 @@ void mlx5_eswitch_register_vport_reps(struct mlx5_eswitch *esw,
+ rep_if->get_proto_dev = __rep_if->get_proto_dev;
+ rep_if->priv = __rep_if->priv;
+
+- rep_if->state = REP_REGISTERED;
++ atomic_set(&rep_if->state, REP_REGISTERED);
+ }
+ }
+ EXPORT_SYMBOL(mlx5_eswitch_register_vport_reps);
+@@ -2091,7 +2089,7 @@ void mlx5_eswitch_unregister_vport_reps(struct mlx5_eswitch *esw, u8 rep_type)
+ __unload_reps_all_vport(esw, max_vf, rep_type);
+
+ mlx5_esw_for_all_reps(esw, i, rep)
+- rep->rep_if[rep_type].state = REP_UNREGISTERED;
++ atomic_set(&rep->rep_if[rep_type].state, REP_UNREGISTERED);
+ }
+ EXPORT_SYMBOL(mlx5_eswitch_unregister_vport_reps);
+
+@@ -2111,7 +2109,7 @@ void *mlx5_eswitch_get_proto_dev(struct mlx5_eswitch *esw,
+
+ rep = mlx5_eswitch_get_rep(esw, vport);
+
+- if (rep->rep_if[rep_type].state == REP_LOADED &&
++ if (atomic_read(&rep->rep_if[rep_type].state) == REP_LOADED &&
+ rep->rep_if[rep_type].get_proto_dev)
+ return rep->rep_if[rep_type].get_proto_dev(rep);
+ return NULL;
+diff --git a/include/linux/mlx5/eswitch.h b/include/linux/mlx5/eswitch.h
+index 96d8435421de8..0ca77dd1429c0 100644
+--- a/include/linux/mlx5/eswitch.h
++++ b/include/linux/mlx5/eswitch.h
+@@ -35,7 +35,7 @@ struct mlx5_eswitch_rep_if {
+ void (*unload)(struct mlx5_eswitch_rep *rep);
+ void *(*get_proto_dev)(struct mlx5_eswitch_rep *rep);
+ void *priv;
+- u8 state;
++ atomic_t state;
+ };
+
+ struct mlx5_eswitch_rep {
+--
+2.20.1
+
--- /dev/null
+From 783ad08e58d9c4d0bb93e91c73f94cb7bfe8a4cc Mon Sep 17 00:00:00 2001
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Thu, 21 Mar 2019 15:51:33 -0700
+Subject: net/mlx5e: Fix compilation warning in en_tc.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit ee576ec1c1c66ec1cd0c4735bb12bc08f675f530 ]
+
+Amazingly a mlx5e_tc function is being called from the eswitch layer,
+which is by itself very terrible! The function was declared locally in
+eswitch_offloads.c so it could be used there, which caused the following
+compilation warning, fix that.
+
+drivers/.../mlx5/core/en_tc.c:3242:6: [-Werror=missing-prototypes]
+error: no previous prototype for ‘mlx5e_tc_clean_fdb_peer_flows’
+
+Fixes: 04de7dda7394 ("net/mlx5e: Infrastructure for duplicated offloading of TC flows")
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 3 +++
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 2 --
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+index 3f3cd32ae60a2..e0ba59b5296f0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+@@ -431,6 +431,9 @@ static inline int mlx5_eswitch_index_to_vport_num(struct mlx5_eswitch *esw,
+ return index;
+ }
+
++/* TODO: This mlx5e_tc function shouldn't be called by eswitch */
++void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw);
++
+ #else /* CONFIG_MLX5_ESWITCH */
+ /* eswitch API stubs */
+ static inline int mlx5_eswitch_init(struct mlx5_core_dev *dev) { return 0; }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index d2d8da133082c..a97ffd0dbf014 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -1521,8 +1521,6 @@ static int mlx5_esw_offloads_pair(struct mlx5_eswitch *esw,
+ return 0;
+ }
+
+-void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw);
+-
+ static void mlx5_esw_offloads_unpair(struct mlx5_eswitch *esw)
+ {
+ mlx5e_tc_clean_fdb_peer_flows(esw);
+--
+2.20.1
+
--- /dev/null
+From 27277e80a363328a5713185efcf89ba7f9fd18b0 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Wed, 24 Apr 2019 21:41:06 +0200
+Subject: net: phy: improve genphy_soft_reset
+
+[ Upstream commit 8c90b795e90f7753d23c18e8b95dd71b4a18c5d9 ]
+
+PHY's behave differently when being reset. Some reset registers to
+defaults, some don't. Some trigger an autoneg restart, some don't.
+
+So let's also set the autoneg restart bit when resetting. Then PHY
+behavior should be more consistent. Clearing BMCR_ISOLATE serves the
+same purpose and is borrowed from genphy_restart_aneg.
+
+BMCR holds the speed / duplex settings in fixed mode. Therefore
+we may have an issue if a soft reset resets BMCR to its default.
+So better call genphy_setup_forced() afterwards in fixed mode.
+We've seen no related complaint in the last >10 yrs, so let's
+treat it as an improvement.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index cd5966b0db571..f6a6cc5bf118d 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1829,13 +1829,25 @@ EXPORT_SYMBOL(genphy_read_status);
+ */
+ int genphy_soft_reset(struct phy_device *phydev)
+ {
++ u16 res = BMCR_RESET;
+ int ret;
+
+- ret = phy_set_bits(phydev, MII_BMCR, BMCR_RESET);
++ if (phydev->autoneg == AUTONEG_ENABLE)
++ res |= BMCR_ANRESTART;
++
++ ret = phy_modify(phydev, MII_BMCR, BMCR_ISOLATE, res);
+ if (ret < 0)
+ return ret;
+
+- return phy_poll_reset(phydev);
++ ret = phy_poll_reset(phydev);
++ if (ret)
++ return ret;
++
++ /* BMCR may be reset to defaults */
++ if (phydev->autoneg == AUTONEG_DISABLE)
++ ret = genphy_setup_forced(phydev);
++
++ return ret;
+ }
+ EXPORT_SYMBOL(genphy_soft_reset);
+
+--
+2.20.1
+
--- /dev/null
+From d96e4d7edc293a7ee3ad432ffc56976a5c82efb9 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Thu, 9 May 2019 07:25:21 -0400
+Subject: NFS: Fix a double unlock from nfs_match,get_client
+
+[ Upstream commit c260121a97a3e4df6536edbc2f26e166eff370ce ]
+
+Now that nfs_match_client drops the nfs_client_lock, we should be
+careful
+to always return it in the same condition: locked.
+
+Fixes: 950a578c6128 ("NFS: make nfs_match_client killable")
+Reported-by: syzbot+228a82b263b5da91883d@syzkaller.appspotmail.com
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/client.c b/fs/nfs/client.c
+index 350cfa561e0e8..dfb796eab9121 100644
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -299,9 +299,9 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat
+ spin_unlock(&nn->nfs_client_lock);
+ error = nfs_wait_client_init_complete(clp);
+ nfs_put_client(clp);
++ spin_lock(&nn->nfs_client_lock);
+ if (error < 0)
+ return ERR_PTR(error);
+- spin_lock(&nn->nfs_client_lock);
+ goto again;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 570f40098349db55cd5b737d58fd1da5af1817e2 Mon Sep 17 00:00:00 2001
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Date: Thu, 25 Apr 2019 15:36:51 +0200
+Subject: NFS: make nfs_match_client killable
+
+[ Upstream commit 950a578c6128c2886e295b9c7ecb0b6b22fcc92b ]
+
+ Actually we don't do anything with return value from
+ nfs_wait_client_init_complete in nfs_match_client, as a
+ consequence if we get a fatal signal and client is not
+ fully initialised, we'll loop to "again" label
+
+ This has been proven to cause soft lockups on some scenarios
+ (no-carrier but configured network interfaces)
+
+Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/client.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/client.c b/fs/nfs/client.c
+index 90d71fda65cec..350cfa561e0e8 100644
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -284,6 +284,7 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat
+ struct nfs_client *clp;
+ const struct sockaddr *sap = data->addr;
+ struct nfs_net *nn = net_generic(data->net, nfs_net_id);
++ int error;
+
+ again:
+ list_for_each_entry(clp, &nn->nfs_client_list, cl_share_link) {
+@@ -296,8 +297,10 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat
+ if (clp->cl_cons_state > NFS_CS_READY) {
+ refcount_inc(&clp->cl_count);
+ spin_unlock(&nn->nfs_client_lock);
+- nfs_wait_client_init_complete(clp);
++ error = nfs_wait_client_init_complete(clp);
+ nfs_put_client(clp);
++ if (error < 0)
++ return ERR_PTR(error);
+ spin_lock(&nn->nfs_client_lock);
+ goto again;
+ }
+@@ -407,6 +410,8 @@ struct nfs_client *nfs_get_client(const struct nfs_client_initdata *cl_init)
+ clp = nfs_match_client(cl_init);
+ if (clp) {
+ spin_unlock(&nn->nfs_client_lock);
++ if (IS_ERR(clp))
++ return clp;
+ if (new)
+ new->rpc_ops->free_client(new);
+ return nfs_found_client(cl_init, clp);
+--
+2.20.1
+
--- /dev/null
+From f9492eb9459b50a28cf4655c4852eab018a2318c Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Wed, 24 Apr 2019 11:53:18 -0700
+Subject: nvme-rdma: fix a NULL deref when an admin connect times out
+
+[ Upstream commit 1007709d7d06fab09bf2d007657575958676282b ]
+
+If we timeout the admin startup sequence we might not yet have
+an I/O tagset allocated which causes the teardown sequence to crash.
+Make nvme_tcp_teardown_io_queues safe by not iterating inflight tags
+if the tagset wasn't allocated.
+
+Fixes: 4c174e636674 ("nvme-rdma: fix timeout handler")
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 11a5ecae78c8d..e1824c2e0a1c0 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -914,8 +914,9 @@ static void nvme_rdma_teardown_admin_queue(struct nvme_rdma_ctrl *ctrl,
+ {
+ blk_mq_quiesce_queue(ctrl->ctrl.admin_q);
+ nvme_rdma_stop_queue(&ctrl->queues[0]);
+- blk_mq_tagset_busy_iter(&ctrl->admin_tag_set, nvme_cancel_request,
+- &ctrl->ctrl);
++ if (ctrl->ctrl.admin_tagset)
++ blk_mq_tagset_busy_iter(ctrl->ctrl.admin_tagset,
++ nvme_cancel_request, &ctrl->ctrl);
+ blk_mq_unquiesce_queue(ctrl->ctrl.admin_q);
+ nvme_rdma_destroy_admin_queue(ctrl, remove);
+ }
+@@ -926,8 +927,9 @@ static void nvme_rdma_teardown_io_queues(struct nvme_rdma_ctrl *ctrl,
+ if (ctrl->ctrl.queue_count > 1) {
+ nvme_stop_queues(&ctrl->ctrl);
+ nvme_rdma_stop_io_queues(ctrl);
+- blk_mq_tagset_busy_iter(&ctrl->tag_set, nvme_cancel_request,
+- &ctrl->ctrl);
++ if (ctrl->ctrl.tagset)
++ blk_mq_tagset_busy_iter(ctrl->ctrl.tagset,
++ nvme_cancel_request, &ctrl->ctrl);
+ if (remove)
+ nvme_start_queues(&ctrl->ctrl);
+ nvme_rdma_destroy_io_queues(ctrl, remove);
+--
+2.20.1
+
--- /dev/null
+From ec210602b4a38a66b7ad123983f67218bc95384a Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 11 Mar 2019 15:02:25 -0700
+Subject: nvme: set 0 capacity if namespace block size exceeds PAGE_SIZE
+
+[ Upstream commit 01fa017484ad98fccdeaab32db0077c574b6bd6f ]
+
+If our target exposed a namespace with a block size that is greater
+than PAGE_SIZE, set 0 capacity on the namespace as we do not support it.
+
+This issue encountered when the nvmet namespace was backed by a tempfile.
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 2c43e12b70afc..8782d86a8ca38 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1591,6 +1591,10 @@ static void nvme_update_disk_info(struct gendisk *disk,
+ sector_t capacity = le64_to_cpup(&id->nsze) << (ns->lba_shift - 9);
+ unsigned short bs = 1 << ns->lba_shift;
+
++ if (ns->lba_shift > PAGE_SHIFT) {
++ /* unsupported block size, set capacity to 0 later */
++ bs = (1 << 9);
++ }
+ blk_mq_freeze_queue(disk->queue);
+ blk_integrity_unregister(disk);
+
+@@ -1601,7 +1605,8 @@ static void nvme_update_disk_info(struct gendisk *disk,
+ if (ns->ms && !ns->ext &&
+ (ns->ctrl->ops->flags & NVME_F_METADATA_SUPPORTED))
+ nvme_init_integrity(disk, ns->ms, ns->pi_type);
+- if (ns->ms && !nvme_ns_has_pi(ns) && !blk_get_integrity(disk))
++ if ((ns->ms && !nvme_ns_has_pi(ns) && !blk_get_integrity(disk)) ||
++ ns->lba_shift > PAGE_SHIFT)
+ capacity = 0;
+
+ set_capacity(disk, capacity);
+--
+2.20.1
+
--- /dev/null
+From 3a3cc2184117ef730d57fe12341f55297f836fff Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Wed, 24 Apr 2019 11:53:17 -0700
+Subject: nvme-tcp: fix a NULL deref when an admin connect times out
+
+[ Upstream commit 7a42589654ae79e1177f0d74306a02d6cef7bddf ]
+
+If we timeout the admin startup sequence we might not yet have
+an I/O tagset allocated which causes the teardown sequence to crash.
+Make nvme_tcp_teardown_io_queues safe by not iterating inflight tags
+if the tagset wasn't allocated.
+
+Fixes: 39d57757467b ("nvme-tcp: fix timeout handler")
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 68c49dd672104..aae5374d2b93f 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -1710,7 +1710,9 @@ static void nvme_tcp_teardown_admin_queue(struct nvme_ctrl *ctrl,
+ {
+ blk_mq_quiesce_queue(ctrl->admin_q);
+ nvme_tcp_stop_queue(ctrl, 0);
+- blk_mq_tagset_busy_iter(ctrl->admin_tagset, nvme_cancel_request, ctrl);
++ if (ctrl->admin_tagset)
++ blk_mq_tagset_busy_iter(ctrl->admin_tagset,
++ nvme_cancel_request, ctrl);
+ blk_mq_unquiesce_queue(ctrl->admin_q);
+ nvme_tcp_destroy_admin_queue(ctrl, remove);
+ }
+@@ -1722,7 +1724,9 @@ static void nvme_tcp_teardown_io_queues(struct nvme_ctrl *ctrl,
+ return;
+ nvme_stop_queues(ctrl);
+ nvme_tcp_stop_io_queues(ctrl);
+- blk_mq_tagset_busy_iter(ctrl->tagset, nvme_cancel_request, ctrl);
++ if (ctrl->tagset)
++ blk_mq_tagset_busy_iter(ctrl->tagset,
++ nvme_cancel_request, ctrl);
+ if (remove)
+ nvme_start_queues(ctrl);
+ nvme_tcp_destroy_io_queues(ctrl, remove);
+--
+2.20.1
+
--- /dev/null
+From d92bfe14cf2653157fa5007f8b0a9fd628a4753d Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Sun, 17 Mar 2019 12:11:14 +0200
+Subject: overflow: Fix -Wtype-limits compilation warnings
+
+[ Upstream commit dc7fe518b0493faa0af0568d6d8c2a33c00f58d0 ]
+
+Attempt to use check_shl_overflow() with inputs of unsigned type
+produces the following compilation warnings.
+
+drivers/infiniband/hw/mlx5/qp.c: In function _set_user_rq_size_:
+./include/linux/overflow.h:230:6: warning: comparison of unsigned
+expression >= 0 is always true [-Wtype-limits]
+ _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0; \
+ ^~
+drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
+ if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift,
+&rwq->buf_size))
+ ^~~~~~~~~~~~~~~~~~
+./include/linux/overflow.h:232:26: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ (_to_shift != _s || *_d < 0 || _a < 0 || \
+ ^
+drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
+ if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, &rwq->buf_size))
+ ^~~~~~~~~~~~~~~~~~
+./include/linux/overflow.h:232:36: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ (_to_shift != _s || *_d < 0 || _a < 0 || \
+ ^
+drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
+ if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift,&rwq->buf_size))
+ ^~~~~~~~~~~~~~~~~~
+
+Fixes: 0c66847793d1 ("overflow.h: Add arithmetic shift helper")
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/overflow.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/overflow.h b/include/linux/overflow.h
+index 40b48e2133cb8..15eb85de92269 100644
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -36,6 +36,12 @@
+ #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
+ #define type_min(T) ((T)((T)-type_max(T)-(T)1))
+
++/*
++ * Avoids triggering -Wtype-limits compilation warning,
++ * while using unsigned data types to check a < 0.
++ */
++#define is_non_negative(a) ((a) > 0 || (a) == 0)
++#define is_negative(a) (!(is_non_negative(a)))
+
+ #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
+ /*
+@@ -227,10 +233,10 @@
+ typeof(d) _d = d; \
+ u64 _a_full = _a; \
+ unsigned int _to_shift = \
+- _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0; \
++ is_non_negative(_s) && _s < 8 * sizeof(*d) ? _s : 0; \
+ *_d = (_a_full << _to_shift); \
+- (_to_shift != _s || *_d < 0 || _a < 0 || \
+- (*_d >> _to_shift) != _a); \
++ (_to_shift != _s || is_negative(*_d) || is_negative(_a) || \
++ (*_d >> _to_shift) != _a); \
+ })
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 932b9c979143412ee714f54bf74802949df6229f Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Tue, 16 Apr 2019 16:24:24 +0100
+Subject: perf/arm-cci: Remove broken race mitigation
+
+[ Upstream commit 0d2e2a82d4de298d006bf8eddc86829e3c7da820 ]
+
+Uncore PMU drivers face an awkward cyclic dependency wherein:
+
+ - They have to pick a valid online CPU to associate with before
+ registering the PMU device, since it will get exposed to userspace
+ immediately.
+ - The PMU registration has to be be at least partly complete before
+ hotplug events can be handled, since trying to migrate an
+ uninitialised context would be bad.
+ - The hotplug handler has to be ready as soon as a CPU is chosen, lest
+ it go offline without the user-visible cpumask value getting updated.
+
+The arm-cci driver has tried to solve this by using get_cpu() to pick
+the current CPU and prevent it from disappearing while both
+registrations are performed, but that results in taking mutexes with
+preemption disabled, which makes certain configurations very unhappy:
+
+[ 1.983337] BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:2004
+[ 1.983340] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
+[ 1.983342] Preemption disabled at:
+[ 1.983353] [<ffffff80089801f4>] cci_pmu_probe+0x1dc/0x488
+[ 1.983360] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.20-rt8-yocto-preempt-rt #1
+[ 1.983362] Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
+[ 1.983364] Call trace:
+[ 1.983369] dump_backtrace+0x0/0x158
+[ 1.983372] show_stack+0x24/0x30
+[ 1.983378] dump_stack+0x80/0xa4
+[ 1.983383] ___might_sleep+0x138/0x160
+[ 1.983386] __might_sleep+0x58/0x90
+[ 1.983391] __rt_mutex_lock_state+0x30/0xc0
+[ 1.983395] _mutex_lock+0x24/0x30
+[ 1.983400] perf_pmu_register+0x2c/0x388
+[ 1.983404] cci_pmu_probe+0x2bc/0x488
+[ 1.983409] platform_drv_probe+0x58/0xa8
+
+It is not feasible to resolve all the possible races outside of the perf
+core itself, so address the immediate bug by following the example of
+nearly every other PMU driver and not even trying to do so. Registering
+the hotplug notifier first should minimise the window in which things
+can go wrong, so that's about as much as we can reasonably do here. This
+also revealed an additional race in assigning the global pointer too
+late relative to the hotplug notifier, which gets fixed in the process.
+
+Reported-by: Li, Meng <Meng.Li@windriver.com>
+Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm-cci.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/perf/arm-cci.c b/drivers/perf/arm-cci.c
+index bfd03e0233084..8f8606b9bc9ee 100644
+--- a/drivers/perf/arm-cci.c
++++ b/drivers/perf/arm-cci.c
+@@ -1684,21 +1684,24 @@ static int cci_pmu_probe(struct platform_device *pdev)
+ raw_spin_lock_init(&cci_pmu->hw_events.pmu_lock);
+ mutex_init(&cci_pmu->reserve_mutex);
+ atomic_set(&cci_pmu->active_events, 0);
+- cci_pmu->cpu = get_cpu();
+-
+- ret = cci_pmu_init(cci_pmu, pdev);
+- if (ret) {
+- put_cpu();
+- return ret;
+- }
+
++ cci_pmu->cpu = raw_smp_processor_id();
++ g_cci_pmu = cci_pmu;
+ cpuhp_setup_state_nocalls(CPUHP_AP_PERF_ARM_CCI_ONLINE,
+ "perf/arm/cci:online", NULL,
+ cci_pmu_offline_cpu);
+- put_cpu();
+- g_cci_pmu = cci_pmu;
++
++ ret = cci_pmu_init(cci_pmu, pdev);
++ if (ret)
++ goto error_pmu_init;
++
+ pr_info("ARM %s PMU driver probed", cci_pmu->model->name);
+ return 0;
++
++error_pmu_init:
++ cpuhp_remove_state(CPUHP_AP_PERF_ARM_CCI_ONLINE);
++ g_cci_pmu = NULL;
++ return ret;
+ }
+
+ static int cci_pmu_remove(struct platform_device *pdev)
+--
+2.20.1
+
--- /dev/null
+From 8cb0d4ed25020f8f3b27ccefd726e88deb7d0cc8 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 2 Apr 2019 12:45:06 -0700
+Subject: perf/x86/intel/cstate: Add Icelake support
+
+[ Upstream commit f08c47d1f86c6dc666c7e659d94bf6d4492aa9d7 ]
+
+Icelake uses the same C-state residency events as Sandy Bridge.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: acme@kernel.org
+Cc: jolsa@kernel.org
+Link: https://lkml.kernel.org/r/20190402194509.2832-10-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/cstate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c
+index d41de9af7a39b..6072f92cb8eaf 100644
+--- a/arch/x86/events/intel/cstate.c
++++ b/arch/x86/events/intel/cstate.c
+@@ -578,6 +578,8 @@ static const struct x86_cpu_id intel_cstates_match[] __initconst = {
+ X86_CSTATES_MODEL(INTEL_FAM6_ATOM_GOLDMONT_X, glm_cstates),
+
+ X86_CSTATES_MODEL(INTEL_FAM6_ATOM_GOLDMONT_PLUS, glm_cstates),
++
++ X86_CSTATES_MODEL(INTEL_FAM6_ICELAKE_MOBILE, snb_cstates),
+ { },
+ };
+ MODULE_DEVICE_TABLE(x86cpu, intel_cstates_match);
+--
+2.20.1
+
--- /dev/null
+From c376768983df0d10d6ae5368f6ee4474e832751b Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 2 Apr 2019 12:45:07 -0700
+Subject: perf/x86/intel/rapl: Add Icelake support
+
+[ Upstream commit b3377c3acb9e54cf86efcfe25f2e792bca599ed4 ]
+
+Icelake support the same RAPL counters as Skylake.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: acme@kernel.org
+Cc: jolsa@kernel.org
+Link: https://lkml.kernel.org/r/20190402194509.2832-11-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/rapl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/events/intel/rapl.c b/arch/x86/events/intel/rapl.c
+index 94dc564146ca8..37ebf6fc5415b 100644
+--- a/arch/x86/events/intel/rapl.c
++++ b/arch/x86/events/intel/rapl.c
+@@ -775,6 +775,8 @@ static const struct x86_cpu_id rapl_cpu_match[] __initconst = {
+ X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_GOLDMONT_X, hsw_rapl_init),
+
+ X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_GOLDMONT_PLUS, hsw_rapl_init),
++
++ X86_RAPL_MODEL_MATCH(INTEL_FAM6_ICELAKE_MOBILE, skl_rapl_init),
+ {},
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 40a7195c1c0d2d7152eee5fa3368997df1f211e4 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 2 Apr 2019 12:45:08 -0700
+Subject: perf/x86/msr: Add Icelake support
+
+[ Upstream commit cf50d79a8cfe5adae37fec026220b009559bbeed ]
+
+Icelake is the same as the existing Skylake parts.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: acme@kernel.org
+Cc: jolsa@kernel.org
+Link: https://lkml.kernel.org/r/20190402194509.2832-12-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/msr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/events/msr.c b/arch/x86/events/msr.c
+index a878e6286e4af..f3f4c2263501d 100644
+--- a/arch/x86/events/msr.c
++++ b/arch/x86/events/msr.c
+@@ -89,6 +89,7 @@ static bool test_intel(int idx)
+ case INTEL_FAM6_SKYLAKE_X:
+ case INTEL_FAM6_KABYLAKE_MOBILE:
+ case INTEL_FAM6_KABYLAKE_DESKTOP:
++ case INTEL_FAM6_ICELAKE_MOBILE:
+ if (idx == PERF_MSR_SMI || idx == PERF_MSR_PPERF)
+ return true;
+ break;
+--
+2.20.1
+
--- /dev/null
+From ee33717f2cd5909a3d1b83715a837dec41117312 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 4 Mar 2019 21:23:58 +0100
+Subject: phy: mapphone-mdm6600: add gpiolib dependency
+
+[ Upstream commit 208d3423ee463ab257908456f6bbca4024ab63f7 ]
+
+gcc points out that when CONFIG_GPIOLIB is disabled,
+gpiod_get_array_value_cansleep() returns 0 but fails to set its output:
+
+drivers/phy/motorola/phy-mapphone-mdm6600.c: In function 'phy_mdm6600_status':
+drivers/phy/motorola/phy-mapphone-mdm6600.c:220:24: error: 'values[0]' is used uninitialized in this function [-Werror=uninitialized]
+
+This could be fixed more generally in gpiolib by returning a failure
+code, but for this specific case, the easier workaround is to add a
+gpiolib dependency.
+
+Fixes: 5d1ebbda0318 ("phy: mapphone-mdm6600: Add USB PHY driver for MDM6600 on Droid 4")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/motorola/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/motorola/Kconfig b/drivers/phy/motorola/Kconfig
+index 82651524ffb9c..718f8729701df 100644
+--- a/drivers/phy/motorola/Kconfig
++++ b/drivers/phy/motorola/Kconfig
+@@ -13,7 +13,7 @@ config PHY_CPCAP_USB
+
+ config PHY_MAPPHONE_MDM6600
+ tristate "Motorola Mapphone MDM6600 modem USB PHY driver"
+- depends on OF && USB_SUPPORT
++ depends on OF && USB_SUPPORT && GPIOLIB
+ select GENERIC_PHY
+ help
+ Enable this for MDM6600 USB modem to work on Motorola phones
+--
+2.20.1
+
--- /dev/null
+From 3c0c1a685fe6de599c9e256548a73736468a2213 Mon Sep 17 00:00:00 2001
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Thu, 14 Mar 2019 14:05:18 +0100
+Subject: phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode
+
+[ Upstream commit e6f32efb1b128344a2c7df9875bc1a1abaa1d395 ]
+
+On platforms where the MUSB and HCI controllers share PHY0, PHY passby
+is required when using the HCI controller with the PHY, but it must be
+disabled when the MUSB controller is used instead.
+
+Without this, PHY0 passby is always enabled, which results in broken
+peripheral mode on such platforms (e.g. H3/H5).
+
+Fixes: ba4bdc9e1dc0 ("PHY: sunxi: Add driver for sunxi usb phy")
+
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/allwinner/phy-sun4i-usb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/phy/allwinner/phy-sun4i-usb.c b/drivers/phy/allwinner/phy-sun4i-usb.c
+index 4bbd9ede38c83..cc5af961778d6 100644
+--- a/drivers/phy/allwinner/phy-sun4i-usb.c
++++ b/drivers/phy/allwinner/phy-sun4i-usb.c
+@@ -554,6 +554,7 @@ static void sun4i_usb_phy0_id_vbus_det_scan(struct work_struct *work)
+ struct sun4i_usb_phy_data *data =
+ container_of(work, struct sun4i_usb_phy_data, detect.work);
+ struct phy *phy0 = data->phys[0].phy;
++ struct sun4i_usb_phy *phy = phy_get_drvdata(phy0);
+ bool force_session_end, id_notify = false, vbus_notify = false;
+ int id_det, vbus_det;
+
+@@ -610,6 +611,9 @@ static void sun4i_usb_phy0_id_vbus_det_scan(struct work_struct *work)
+ mutex_unlock(&phy0->mutex);
+ }
+
++ /* Enable PHY0 passby for host mode only. */
++ sun4i_usb_phy_passby(phy, !id_det);
++
+ /* Re-route PHY0 if necessary */
+ if (data->cfg->phy0_dual_route)
+ sun4i_usb_phy0_reroute(data, id_det);
+--
+2.20.1
+
--- /dev/null
+From 3c28656338f6f5589d15dcfe4e35f47bd1e847e8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 4 Mar 2019 21:23:57 +0100
+Subject: phy: ti: usb2: fix OMAP_CONTROL_PHY dependency
+
+[ Upstream commit d41ce98a122c13ea77938af04ef06fb12ae0c69e ]
+
+With randconfig build testing on arm64, we can run into a configuration
+that has CONFIG_OMAP_CONTROL_PHY=m and CONFIG_OMAP_USB2=y, which in turn
+causes a link failure:
+
+drivers/phy/ti/phy-omap-usb2.o: In function `omap_usb_phy_power':
+phy-omap-usb2.c:(.text+0x17c): undefined reference to `omap_control_phy_power'
+
+I could not come up with a good way to correctly describe the relation
+of the two symbols, but if we just select CONFIG_OMAP_CONTROL_PHY
+during compile testing, we can no longer run into the broken configuration.
+
+Fixes: 6777cee3a872 ("phy: ti: usb2: Add support for AM654 USB2 PHY")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/ti/Kconfig b/drivers/phy/ti/Kconfig
+index 103efc456a12e..022ac16f626cf 100644
+--- a/drivers/phy/ti/Kconfig
++++ b/drivers/phy/ti/Kconfig
+@@ -37,7 +37,7 @@ config OMAP_USB2
+ depends on USB_SUPPORT
+ select GENERIC_PHY
+ select USB_PHY
+- select OMAP_CONTROL_PHY if ARCH_OMAP2PLUS
++ select OMAP_CONTROL_PHY if ARCH_OMAP2PLUS || COMPILE_TEST
+ help
+ Enable this to support the transceiver that is part of SOC. This
+ driver takes care of all the PHY functionality apart from comparator.
+--
+2.20.1
+
--- /dev/null
+From 2ad68834108e5ddf5cbdeb15225806378f7568ee Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:19 +0800
+Subject: pinctrl: pistachio: fix leaked of_node references
+
+[ Upstream commit 44a4455ac2c6b0981eace683a2b6eccf47689022 ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-pistachio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-pistachio.c b/drivers/pinctrl/pinctrl-pistachio.c
+index aa5f949ef219c..5b0678f310e52 100644
+--- a/drivers/pinctrl/pinctrl-pistachio.c
++++ b/drivers/pinctrl/pinctrl-pistachio.c
+@@ -1367,6 +1367,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
+ if (!of_find_property(child, "gpio-controller", NULL)) {
+ dev_err(pctl->dev,
+ "No gpio-controller property for bank %u\n", i);
++ of_node_put(child);
+ ret = -ENODEV;
+ goto err;
+ }
+@@ -1374,6 +1375,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
+ irq = irq_of_parse_and_map(child, 0);
+ if (irq < 0) {
+ dev_err(pctl->dev, "No IRQ for bank %u: %d\n", i, irq);
++ of_node_put(child);
+ ret = irq;
+ goto err;
+ }
+--
+2.20.1
+
--- /dev/null
+From f3b3141253a175bb5c4ba9bf12c2f4073247a0c4 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:22 +0800
+Subject: pinctrl: samsung: fix leaked of_node references
+
+[ Upstream commit 44b9f86cd41db6c522effa5aec251d664a52fbc0 ]
+
+The call to of_find_compatible_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:76:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function.
+./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:82:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Tomasz Figa <tomasz.figa@gmail.com>
+Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Cc: Kukjin Kim <kgene@kernel.org>
+Cc: linux-samsung-soc@vger.kernel.org
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/samsung/pinctrl-exynos-arm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/samsung/pinctrl-exynos-arm.c b/drivers/pinctrl/samsung/pinctrl-exynos-arm.c
+index 44c6b753f692a..85ddf49a51885 100644
+--- a/drivers/pinctrl/samsung/pinctrl-exynos-arm.c
++++ b/drivers/pinctrl/samsung/pinctrl-exynos-arm.c
+@@ -71,6 +71,7 @@ s5pv210_retention_init(struct samsung_pinctrl_drv_data *drvdata,
+ }
+
+ clk_base = of_iomap(np, 0);
++ of_node_put(np);
+ if (!clk_base) {
+ pr_err("%s: failed to map clock registers\n", __func__);
+ return ERR_PTR(-EINVAL);
+--
+2.20.1
+
--- /dev/null
+From c3c631ef3332f66e1a04d3d1fca575f1d95bf460 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:21 +0800
+Subject: pinctrl: st: fix leaked of_node references
+
+[ Upstream commit 483d70d73beaecab55882fcd2a357af72674e24c ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/pinctrl-st.c:1188:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1175, but without a corresponding object release within this function.
+./drivers/pinctrl/pinctrl-st.c:1188:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1175, but without a corresponding object release within this function.
+./drivers/pinctrl/pinctrl-st.c:1199:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1175, but without a corresponding object release within this function.
+./drivers/pinctrl/pinctrl-st.c:1199:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1175, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Patrice Chotard <patrice.chotard@st.com>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org (open list)
+Reviewed-by: Patrice Chotard <patrice.chotard@st.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-st.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-st.c b/drivers/pinctrl/pinctrl-st.c
+index e66af93f2cbf8..195b442a23434 100644
+--- a/drivers/pinctrl/pinctrl-st.c
++++ b/drivers/pinctrl/pinctrl-st.c
+@@ -1170,7 +1170,7 @@ static int st_pctl_dt_parse_groups(struct device_node *np,
+ struct property *pp;
+ struct st_pinconf *conf;
+ struct device_node *pins;
+- int i = 0, npins = 0, nr_props;
++ int i = 0, npins = 0, nr_props, ret = 0;
+
+ pins = of_get_child_by_name(np, "st,pins");
+ if (!pins)
+@@ -1185,7 +1185,8 @@ static int st_pctl_dt_parse_groups(struct device_node *np,
+ npins++;
+ } else {
+ pr_warn("Invalid st,pins in %pOFn node\n", np);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto out_put_node;
+ }
+ }
+
+@@ -1195,8 +1196,10 @@ static int st_pctl_dt_parse_groups(struct device_node *np,
+ grp->pin_conf = devm_kcalloc(info->dev,
+ npins, sizeof(*conf), GFP_KERNEL);
+
+- if (!grp->pins || !grp->pin_conf)
+- return -ENOMEM;
++ if (!grp->pins || !grp->pin_conf) {
++ ret = -ENOMEM;
++ goto out_put_node;
++ }
+
+ /* <bank offset mux direction rt_type rt_delay rt_clk> */
+ for_each_property_of_node(pins, pp) {
+@@ -1229,9 +1232,11 @@ static int st_pctl_dt_parse_groups(struct device_node *np,
+ }
+ i++;
+ }
++
++out_put_node:
+ of_node_put(pins);
+
+- return 0;
++ return ret;
+ }
+
+ static int st_pctl_parse_functions(struct device_node *np,
+--
+2.20.1
+
--- /dev/null
+From 503db02af0e6816fceb22d7bfdec78bce041b81a Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:23 +0800
+Subject: pinctrl: zte: fix leaked of_node references
+
+[ Upstream commit 02d15f0d80720545f1f4922a1550ea4aaad4e152 ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/zte/pinctrl-zx.c:415:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+./drivers/pinctrl/zte/pinctrl-zx.c:422:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+./drivers/pinctrl/zte/pinctrl-zx.c:436:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+./drivers/pinctrl/zte/pinctrl-zx.c:444:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+./drivers/pinctrl/zte/pinctrl-zx.c:448:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Jun Nie <jun.nie@linaro.org>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/zte/pinctrl-zx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/zte/pinctrl-zx.c b/drivers/pinctrl/zte/pinctrl-zx.c
+index caa44dd2880a8..3cb69309912ba 100644
+--- a/drivers/pinctrl/zte/pinctrl-zx.c
++++ b/drivers/pinctrl/zte/pinctrl-zx.c
+@@ -411,6 +411,7 @@ int zx_pinctrl_init(struct platform_device *pdev,
+ }
+
+ zpctl->aux_base = of_iomap(np, 0);
++ of_node_put(np);
+ if (!zpctl->aux_base)
+ return -ENOMEM;
+
+--
+2.20.1
+
--- /dev/null
+From d84434c51963463394ca4902afd4eca7f72c6ed8 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 10 Apr 2019 11:55:16 +0200
+Subject: PM / core: Propagate dev->power.wakeup_path when no callbacks
+
+[ Upstream commit dc351d4c5f4fe4d0f274d6d660227be0c3a03317 ]
+
+The dev->power.direct_complete flag may become set in device_prepare() in
+case the device don't have any PM callbacks (dev->power.no_pm_callbacks is
+set). This leads to a broken behaviour, when there is child having wakeup
+enabled and relies on its parent to be used in the wakeup path.
+
+More precisely, when the direct complete path becomes selected for the
+child in __device_suspend(), the propagation of the dev->power.wakeup_path
+becomes skipped as well.
+
+Let's address this problem, by checking if the device is a part the wakeup
+path or has wakeup enabled, then prevent the direct complete path from
+being used.
+
+Reported-by: Loic Pallardy <loic.pallardy@st.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ rjw: Comment cleanup ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index f80d298de3fa4..8ad20ed0cb7c3 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1747,6 +1747,10 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async)
+ if (dev->power.syscore)
+ goto Complete;
+
++ /* Avoid direct_complete to let wakeup_path propagate. */
++ if (device_may_wakeup(dev) || dev->power.wakeup_path)
++ dev->power.direct_complete = false;
++
+ if (dev->power.direct_complete) {
+ if (pm_runtime_status_suspended(dev)) {
+ pm_runtime_disable(dev);
+--
+2.20.1
+
--- /dev/null
+From ebbdaa85384a6bfabcd06ab8e0636b325afb4d7e Mon Sep 17 00:00:00 2001
+From: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Date: Wed, 13 Mar 2019 13:22:53 +0100
+Subject: PM / devfreq: Fix static checker warning in try_then_request_governor
+
+[ Upstream commit b53b0128052ffd687797d5f4deeb76327e7b5711 ]
+
+The patch 23c7b54ca1cd: "PM / devfreq: Fix devfreq_add_device() when
+drivers are built as modules." leads to the following static checker
+warning:
+
+ drivers/devfreq/devfreq.c:1043 governor_store()
+ warn: 'governor' can also be NULL
+
+The reason is that the try_then_request_governor() function returns both
+error pointers and NULL. It should just return error pointers, so fix
+this by returning a ERR_PTR to the error intead of returning NULL.
+
+Fixes: 23c7b54ca1cd ("PM / devfreq: Fix devfreq_add_device() when drivers are built as modules.")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index 0ae3de76833b7..839621b044f49 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -228,7 +228,7 @@ static struct devfreq_governor *find_devfreq_governor(const char *name)
+ * if is not found. This can happen when both drivers (the governor driver
+ * and the driver that call devfreq_add_device) are built as modules.
+ * devfreq_list_lock should be held by the caller. Returns the matched
+- * governor's pointer.
++ * governor's pointer or an error pointer.
+ */
+ static struct devfreq_governor *try_then_request_governor(const char *name)
+ {
+@@ -254,7 +254,7 @@ static struct devfreq_governor *try_then_request_governor(const char *name)
+ /* Restore previous state before return */
+ mutex_lock(&devfreq_list_lock);
+ if (err)
+- return NULL;
++ return ERR_PTR(err);
+
+ governor = find_devfreq_governor(name);
+ }
+--
+2.20.1
+
--- /dev/null
+From 09e9db3da614a32e318ff9d7f08e0652887aa4f6 Mon Sep 17 00:00:00 2001
+From: Russell Currey <ruscur@russell.cc>
+Date: Wed, 27 Mar 2019 14:35:54 +1100
+Subject: powerpc/64: Fix booting large kernels with STRICT_KERNEL_RWX
+
+[ Upstream commit 56c46bba9bbfe229b4472a5be313c44c5b714a39 ]
+
+With STRICT_KERNEL_RWX enabled anything marked __init is placed at a 16M
+boundary. This is necessary so that it can be repurposed later with
+different permissions. However, in kernels with text larger than 16M,
+this pushes early_setup past 32M, incapable of being reached by the
+branch instruction.
+
+Fix this by setting the CTR and branching there instead.
+
+Fixes: 1e0fc9d1eb2b ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs")
+Signed-off-by: Russell Currey <ruscur@russell.cc>
+[mpe: Fix it to work on BE by using DOTSYM()]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/head_64.S | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S
+index 3fad8d499767c..5321a11c28358 100644
+--- a/arch/powerpc/kernel/head_64.S
++++ b/arch/powerpc/kernel/head_64.S
+@@ -968,7 +968,9 @@ start_here_multiplatform:
+
+ /* Restore parameters passed from prom_init/kexec */
+ mr r3,r31
+- bl early_setup /* also sets r13 and SPRG_PACA */
++ LOAD_REG_ADDR(r12, DOTSYM(early_setup))
++ mtctr r12
++ bctrl /* also sets r13 and SPRG_PACA */
+
+ LOAD_REG_ADDR(r3, start_here_common)
+ ld r4,PACAKMSR(r13)
+--
+2.20.1
+
--- /dev/null
+From d87e822fb7d4ae6dcf6046d61a4aaaa1ef693967 Mon Sep 17 00:00:00 2001
+From: Bo YU <tsu.yubo@gmail.com>
+Date: Tue, 30 Oct 2018 09:21:55 -0400
+Subject: powerpc/boot: Fix missing check of lseek() return value
+
+[ Upstream commit 5d085ec04a000fefb5182d3b03ee46ca96d8389b ]
+
+This is detected by Coverity scan: CID: 1440481
+
+Signed-off-by: Bo YU <tsu.yubo@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/addnote.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c
+index 9d9f6f334d3cc..3da3e2b1b51bc 100644
+--- a/arch/powerpc/boot/addnote.c
++++ b/arch/powerpc/boot/addnote.c
+@@ -223,7 +223,11 @@ main(int ac, char **av)
+ PUT_16(E_PHNUM, np + 2);
+
+ /* write back */
+- lseek(fd, (long) 0, SEEK_SET);
++ i = lseek(fd, (long) 0, SEEK_SET);
++ if (i < 0) {
++ perror("lseek");
++ exit(1);
++ }
+ i = write(fd, buf, n);
+ if (i < 0) {
+ perror("write");
+--
+2.20.1
+
--- /dev/null
+From cfa825c86d3e879f081e4901fa62ff7ee581071d Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathanl@linux.ibm.com>
+Date: Thu, 18 Apr 2019 13:56:57 -0500
+Subject: powerpc/numa: improve control of topology updates
+
+[ Upstream commit 2d4d9b308f8f8dec68f6dbbff18c68ec7c6bd26f ]
+
+When booted with "topology_updates=no", or when "off" is written to
+/proc/powerpc/topology_updates, NUMA reassignments are inhibited for
+PRRN and VPHN events. However, migration and suspend unconditionally
+re-enable reassignments via start_topology_update(). This is
+incoherent.
+
+Check the topology_updates_enabled flag in
+start/stop_topology_update() so that callers of those APIs need not be
+aware of whether reassignments are enabled. This allows the
+administrative decision on reassignments to remain in force across
+migrations and suspensions.
+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/numa.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
+index f976676004ad0..48c9a97eb2c33 100644
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1498,6 +1498,9 @@ int start_topology_update(void)
+ {
+ int rc = 0;
+
++ if (!topology_updates_enabled)
++ return 0;
++
+ if (firmware_has_feature(FW_FEATURE_PRRN)) {
+ if (!prrn_enabled) {
+ prrn_enabled = 1;
+@@ -1531,6 +1534,9 @@ int stop_topology_update(void)
+ {
+ int rc = 0;
+
++ if (!topology_updates_enabled)
++ return 0;
++
+ if (prrn_enabled) {
+ prrn_enabled = 0;
+ #ifdef CONFIG_SMP
+@@ -1588,11 +1594,13 @@ static ssize_t topology_write(struct file *file, const char __user *buf,
+
+ kbuf[read_len] = '\0';
+
+- if (!strncmp(kbuf, "on", 2))
++ if (!strncmp(kbuf, "on", 2)) {
++ topology_updates_enabled = true;
+ start_topology_update();
+- else if (!strncmp(kbuf, "off", 3))
++ } else if (!strncmp(kbuf, "off", 3)) {
+ stop_topology_update();
+- else
++ topology_updates_enabled = false;
++ } else
+ return -EINVAL;
+
+ return count;
+@@ -1607,9 +1615,7 @@ static const struct file_operations topology_ops = {
+
+ static int topology_update_init(void)
+ {
+- /* Do not poll for changes if disabled at boot */
+- if (topology_updates_enabled)
+- start_topology_update();
++ start_topology_update();
+
+ if (vphn_enabled)
+ topology_schedule_update();
+--
+2.20.1
+
--- /dev/null
+From 2eed6b0b9d3391d4d144f50c7b26659c2ac8fe57 Mon Sep 17 00:00:00 2001
+From: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Date: Tue, 18 Dec 2018 11:50:41 +0530
+Subject: powerpc/perf: Fix loop exit condition in nest_imc_event_init
+
+[ Upstream commit 860b7d2286236170a36f94946d03ca9888d32571 ]
+
+The data structure (i.e struct imc_mem_info) to hold the memory address
+information for nest imc units is allocated based on the number of nodes
+in the system.
+
+nest_imc_event_init() traverse this struct array to calculate the memory
+base address for the event-cpu. If we fail to find a match for the event
+cpu's chip-id in imc_mem_info struct array, then the do-while loop will
+iterate until we crash.
+
+Fix this by changing the loop exit condition based on the number of
+non zero vbase elements in the array, since the allocation is done for
+nr_chips + 1.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 885dcd709ba91 ("powerpc/perf: Add nest IMC PMU support")
+Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Reviewed-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/imc-pmu.c | 2 +-
+ arch/powerpc/platforms/powernv/opal-imc.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c
+index 6159e9edddfd0..2d12f0037e3a5 100644
+--- a/arch/powerpc/perf/imc-pmu.c
++++ b/arch/powerpc/perf/imc-pmu.c
+@@ -499,7 +499,7 @@ static int nest_imc_event_init(struct perf_event *event)
+ break;
+ }
+ pcni++;
+- } while (pcni);
++ } while (pcni->vbase != 0);
+
+ if (!flag)
+ return -ENODEV;
+diff --git a/arch/powerpc/platforms/powernv/opal-imc.c b/arch/powerpc/platforms/powernv/opal-imc.c
+index 58a07948c76e7..3d27f02695e41 100644
+--- a/arch/powerpc/platforms/powernv/opal-imc.c
++++ b/arch/powerpc/platforms/powernv/opal-imc.c
+@@ -127,7 +127,7 @@ static int imc_get_mem_addr_nest(struct device_node *node,
+ nr_chips))
+ goto error;
+
+- pmu_ptr->mem_info = kcalloc(nr_chips, sizeof(*pmu_ptr->mem_info),
++ pmu_ptr->mem_info = kcalloc(nr_chips + 1, sizeof(*pmu_ptr->mem_info),
+ GFP_KERNEL);
+ if (!pmu_ptr->mem_info)
+ goto error;
+--
+2.20.1
+
--- /dev/null
+From d72d04d8cb1f8edf207febff3df5bbc4a1ffb185 Mon Sep 17 00:00:00 2001
+From: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Date: Tue, 27 Nov 2018 13:54:52 +0530
+Subject: powerpc/perf: Return accordingly on invalid chip-id in
+
+[ Upstream commit a913e5e8b43be1d3897a141ce61c1ec071cad89c ]
+
+Nest hardware counter memory resides in a per-chip reserve-memory.
+During nest_imc_event_init(), chip-id of the event-cpu is considered to
+calculate the base memory addresss for that cpu. Return, proper error
+condition if the chip_id calculated is invalid.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 885dcd709ba91 ("powerpc/perf: Add nest IMC PMU support")
+Reviewed-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/imc-pmu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c
+index b1c37cc3fa98b..6159e9edddfd0 100644
+--- a/arch/powerpc/perf/imc-pmu.c
++++ b/arch/powerpc/perf/imc-pmu.c
+@@ -487,6 +487,11 @@ static int nest_imc_event_init(struct perf_event *event)
+ * Get the base memory addresss for this cpu.
+ */
+ chip_id = cpu_to_chip_id(event->cpu);
++
++ /* Return, if chip_id is not valid */
++ if (chip_id < 0)
++ return -ENODEV;
++
+ pcni = pmu->mem_info;
+ do {
+ if (pcni->id == chip_id) {
+--
+2.20.1
+
--- /dev/null
+From 37509921614848a755f9a4dbddfc66f9938d9c8a Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 9 Apr 2019 14:40:05 +1000
+Subject: powerpc/watchdog: Use hrtimers for per-CPU heartbeat
+
+[ Upstream commit 7ae3f6e130e8dc6188b59e3b4ebc2f16e9c8d053 ]
+
+Using a jiffies timer creates a dependency on the tick_do_timer_cpu
+incrementing jiffies. If that CPU has locked up and jiffies is not
+incrementing, the watchdog heartbeat timer for all CPUs stops and
+creates false positives and confusing warnings on local CPUs, and
+also causes the SMP detector to stop, so the root cause is never
+detected.
+
+Fix this by using hrtimer based timers for the watchdog heartbeat,
+like the generic kernel hardlockup detector.
+
+Cc: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Reported-by: Ravikumar Bangoria <ravi.bangoria@in.ibm.com>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Tested-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Reported-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/watchdog.c | 81 +++++++++++++++++-----------------
+ 1 file changed, 40 insertions(+), 41 deletions(-)
+
+diff --git a/arch/powerpc/kernel/watchdog.c b/arch/powerpc/kernel/watchdog.c
+index 3c6ab22a0c4e3..af3c15a1d41eb 100644
+--- a/arch/powerpc/kernel/watchdog.c
++++ b/arch/powerpc/kernel/watchdog.c
+@@ -77,7 +77,7 @@ static u64 wd_smp_panic_timeout_tb __read_mostly; /* panic other CPUs */
+
+ static u64 wd_timer_period_ms __read_mostly; /* interval between heartbeat */
+
+-static DEFINE_PER_CPU(struct timer_list, wd_timer);
++static DEFINE_PER_CPU(struct hrtimer, wd_hrtimer);
+ static DEFINE_PER_CPU(u64, wd_timer_tb);
+
+ /* SMP checker bits */
+@@ -293,21 +293,21 @@ void soft_nmi_interrupt(struct pt_regs *regs)
+ nmi_exit();
+ }
+
+-static void wd_timer_reset(unsigned int cpu, struct timer_list *t)
+-{
+- t->expires = jiffies + msecs_to_jiffies(wd_timer_period_ms);
+- if (wd_timer_period_ms > 1000)
+- t->expires = __round_jiffies_up(t->expires, cpu);
+- add_timer_on(t, cpu);
+-}
+-
+-static void wd_timer_fn(struct timer_list *t)
++static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer)
+ {
+ int cpu = smp_processor_id();
+
++ if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED))
++ return HRTIMER_NORESTART;
++
++ if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
++ return HRTIMER_NORESTART;
++
+ watchdog_timer_interrupt(cpu);
+
+- wd_timer_reset(cpu, t);
++ hrtimer_forward_now(hrtimer, ms_to_ktime(wd_timer_period_ms));
++
++ return HRTIMER_RESTART;
+ }
+
+ void arch_touch_nmi_watchdog(void)
+@@ -323,37 +323,22 @@ void arch_touch_nmi_watchdog(void)
+ }
+ EXPORT_SYMBOL(arch_touch_nmi_watchdog);
+
+-static void start_watchdog_timer_on(unsigned int cpu)
+-{
+- struct timer_list *t = per_cpu_ptr(&wd_timer, cpu);
+-
+- per_cpu(wd_timer_tb, cpu) = get_tb();
+-
+- timer_setup(t, wd_timer_fn, TIMER_PINNED);
+- wd_timer_reset(cpu, t);
+-}
+-
+-static void stop_watchdog_timer_on(unsigned int cpu)
+-{
+- struct timer_list *t = per_cpu_ptr(&wd_timer, cpu);
+-
+- del_timer_sync(t);
+-}
+-
+-static int start_wd_on_cpu(unsigned int cpu)
++static void start_watchdog(void *arg)
+ {
++ struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
++ int cpu = smp_processor_id();
+ unsigned long flags;
+
+ if (cpumask_test_cpu(cpu, &wd_cpus_enabled)) {
+ WARN_ON(1);
+- return 0;
++ return;
+ }
+
+ if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED))
+- return 0;
++ return;
+
+ if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
+- return 0;
++ return;
+
+ wd_smp_lock(&flags);
+ cpumask_set_cpu(cpu, &wd_cpus_enabled);
+@@ -363,27 +348,40 @@ static int start_wd_on_cpu(unsigned int cpu)
+ }
+ wd_smp_unlock(&flags);
+
+- start_watchdog_timer_on(cpu);
++ *this_cpu_ptr(&wd_timer_tb) = get_tb();
+
+- return 0;
++ hrtimer_init(hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
++ hrtimer->function = watchdog_timer_fn;
++ hrtimer_start(hrtimer, ms_to_ktime(wd_timer_period_ms),
++ HRTIMER_MODE_REL_PINNED);
+ }
+
+-static int stop_wd_on_cpu(unsigned int cpu)
++static int start_watchdog_on_cpu(unsigned int cpu)
+ {
++ return smp_call_function_single(cpu, start_watchdog, NULL, true);
++}
++
++static void stop_watchdog(void *arg)
++{
++ struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
++ int cpu = smp_processor_id();
+ unsigned long flags;
+
+ if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
+- return 0; /* Can happen in CPU unplug case */
++ return; /* Can happen in CPU unplug case */
+
+- stop_watchdog_timer_on(cpu);
++ hrtimer_cancel(hrtimer);
+
+ wd_smp_lock(&flags);
+ cpumask_clear_cpu(cpu, &wd_cpus_enabled);
+ wd_smp_unlock(&flags);
+
+ wd_smp_clear_cpu_pending(cpu, get_tb());
++}
+
+- return 0;
++static int stop_watchdog_on_cpu(unsigned int cpu)
++{
++ return smp_call_function_single(cpu, stop_watchdog, NULL, true);
+ }
+
+ static void watchdog_calc_timeouts(void)
+@@ -402,7 +400,7 @@ void watchdog_nmi_stop(void)
+ int cpu;
+
+ for_each_cpu(cpu, &wd_cpus_enabled)
+- stop_wd_on_cpu(cpu);
++ stop_watchdog_on_cpu(cpu);
+ }
+
+ void watchdog_nmi_start(void)
+@@ -411,7 +409,7 @@ void watchdog_nmi_start(void)
+
+ watchdog_calc_timeouts();
+ for_each_cpu_and(cpu, cpu_online_mask, &watchdog_cpumask)
+- start_wd_on_cpu(cpu);
++ start_watchdog_on_cpu(cpu);
+ }
+
+ /*
+@@ -423,7 +421,8 @@ int __init watchdog_nmi_probe(void)
+
+ err = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
+ "powerpc/watchdog:online",
+- start_wd_on_cpu, stop_wd_on_cpu);
++ start_watchdog_on_cpu,
++ stop_watchdog_on_cpu);
+ if (err < 0) {
+ pr_warn("could not be initialized");
+ return err;
+--
+2.20.1
+
--- /dev/null
+From 1d3b92348379a6715c24a028b9d25a28bfbad2b3 Mon Sep 17 00:00:00 2001
+From: Kristian Evensen <kristian.evensen@gmail.com>
+Date: Sun, 7 Apr 2019 15:39:09 +0200
+Subject: qmi_wwan: Add quirk for Quectel dynamic config
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit e4bf63482c309287ca84d91770ffa7dcc18e37eb ]
+
+Most, if not all, Quectel devices use dynamic interface numbers, and
+users are able to change the USB configuration at will. Matching on for
+example interface number is therefore not possible.
+
+Instead, the QMI device can be identified by looking at the interface
+class, subclass and protocol (all 0xff), as well as the number of
+endpoints. The reason we need to look at the number of endpoints, is
+that the diagnostic port interface has the same class, subclass and
+protocol as QMI. However, the diagnostic port only has two endpoints,
+while QMI has three.
+
+Until now, we have identified the QMI device by combining a match on
+class, subclass and protocol, with a call to the function
+quectel_diag_detect(). In quectel_diag_detect(), we check if the number
+of endpoints matches for known Quectel vendor/product ids.
+
+Adding new vendor/product ids to quectel_diag_detect() is not a good
+long-term solution. This commit replaces the function with a quirk, and
+applies the quirk to affected Quectel devices that I have been able to
+test the change with (EP06, EM12 and EC25). If the quirk is set and the
+number of endpoints equal two, we return from qmi_wwan_probe() with
+-ENODEV.
+
+Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 65 ++++++++++++++++++--------------------
+ 1 file changed, 31 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 366217263d704..d9a6699abe592 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -63,6 +63,7 @@ enum qmi_wwan_flags {
+
+ enum qmi_wwan_quirks {
+ QMI_WWAN_QUIRK_DTR = 1 << 0, /* needs "set DTR" request */
++ QMI_WWAN_QUIRK_QUECTEL_DYNCFG = 1 << 1, /* check num. endpoints */
+ };
+
+ struct qmimux_hdr {
+@@ -845,6 +846,16 @@ static const struct driver_info qmi_wwan_info_quirk_dtr = {
+ .data = QMI_WWAN_QUIRK_DTR,
+ };
+
++static const struct driver_info qmi_wwan_info_quirk_quectel_dyncfg = {
++ .description = "WWAN/QMI device",
++ .flags = FLAG_WWAN | FLAG_SEND_ZLP,
++ .bind = qmi_wwan_bind,
++ .unbind = qmi_wwan_unbind,
++ .manage_power = qmi_wwan_manage_power,
++ .rx_fixup = qmi_wwan_rx_fixup,
++ .data = QMI_WWAN_QUIRK_DTR | QMI_WWAN_QUIRK_QUECTEL_DYNCFG,
++};
++
+ #define HUAWEI_VENDOR_ID 0x12D1
+
+ /* map QMI/wwan function by a fixed interface number */
+@@ -865,6 +876,15 @@ static const struct driver_info qmi_wwan_info_quirk_dtr = {
+ #define QMI_GOBI_DEVICE(vend, prod) \
+ QMI_FIXED_INTF(vend, prod, 0)
+
++/* Quectel does not use fixed interface numbers on at least some of their
++ * devices. We need to check the number of endpoints to ensure that we bind to
++ * the correct interface.
++ */
++#define QMI_QUIRK_QUECTEL_DYNCFG(vend, prod) \
++ USB_DEVICE_AND_INTERFACE_INFO(vend, prod, USB_CLASS_VENDOR_SPEC, \
++ USB_SUBCLASS_VENDOR_SPEC, 0xff), \
++ .driver_info = (unsigned long)&qmi_wwan_info_quirk_quectel_dyncfg
++
+ static const struct usb_device_id products[] = {
+ /* 1. CDC ECM like devices match on the control interface */
+ { /* Huawei E392, E398 and possibly others sharing both device id and more... */
+@@ -969,20 +989,9 @@ static const struct usb_device_id products[] = {
+ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x581d, USB_CLASS_VENDOR_SPEC, 1, 7),
+ .driver_info = (unsigned long)&qmi_wwan_info,
+ },
+- { /* Quectel EP06/EG06/EM06 */
+- USB_DEVICE_AND_INTERFACE_INFO(0x2c7c, 0x0306,
+- USB_CLASS_VENDOR_SPEC,
+- USB_SUBCLASS_VENDOR_SPEC,
+- 0xff),
+- .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr,
+- },
+- { /* Quectel EG12/EM12 */
+- USB_DEVICE_AND_INTERFACE_INFO(0x2c7c, 0x0512,
+- USB_CLASS_VENDOR_SPEC,
+- USB_SUBCLASS_VENDOR_SPEC,
+- 0xff),
+- .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr,
+- },
++ {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0125)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */
++ {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0306)}, /* Quectel EP06/EG06/EM06 */
++ {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0512)}, /* Quectel EG12/EM12 */
+
+ /* 3. Combined interface devices matching on interface number */
+ {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */
+@@ -1283,7 +1292,6 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
+ {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
+ {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */
+- {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
+ {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */
+@@ -1363,27 +1371,12 @@ static bool quectel_ec20_detected(struct usb_interface *intf)
+ return false;
+ }
+
+-static bool quectel_diag_detected(struct usb_interface *intf)
+-{
+- struct usb_device *dev = interface_to_usbdev(intf);
+- struct usb_interface_descriptor intf_desc = intf->cur_altsetting->desc;
+- u16 id_vendor = le16_to_cpu(dev->descriptor.idVendor);
+- u16 id_product = le16_to_cpu(dev->descriptor.idProduct);
+-
+- if (id_vendor != 0x2c7c || intf_desc.bNumEndpoints != 2)
+- return false;
+-
+- if (id_product == 0x0306 || id_product == 0x0512)
+- return true;
+- else
+- return false;
+-}
+-
+ static int qmi_wwan_probe(struct usb_interface *intf,
+ const struct usb_device_id *prod)
+ {
+ struct usb_device_id *id = (struct usb_device_id *)prod;
+ struct usb_interface_descriptor *desc = &intf->cur_altsetting->desc;
++ const struct driver_info *info;
+
+ /* Workaround to enable dynamic IDs. This disables usbnet
+ * blacklisting functionality. Which, if required, can be
+@@ -1417,10 +1410,14 @@ static int qmi_wwan_probe(struct usb_interface *intf,
+ * we need to match on class/subclass/protocol. These values are
+ * identical for the diagnostic- and QMI-interface, but bNumEndpoints is
+ * different. Ignore the current interface if the number of endpoints
+- * the number for the diag interface (two).
++ * equals the number for the diag interface (two).
+ */
+- if (quectel_diag_detected(intf))
+- return -ENODEV;
++ info = (void *)&id->driver_info;
++
++ if (info->data & QMI_WWAN_QUIRK_QUECTEL_DYNCFG) {
++ if (desc->bNumEndpoints == 2)
++ return -ENODEV;
++ }
+
+ return usbnet_probe(intf, id);
+ }
+--
+2.20.1
+
--- /dev/null
+From 6f998f90e499ad31df8c28bef9f4b56ace5198e1 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Sat, 20 Apr 2019 00:09:51 -0400
+Subject: random: add a spinlock_t to struct batched_entropy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit b7d5dc21072cda7124d13eae2aefb7343ef94197 ]
+
+The per-CPU variable batched_entropy_uXX is protected by get_cpu_var().
+This is just a preempt_disable() which ensures that the variable is only
+from the local CPU. It does not protect against users on the same CPU
+from another context. It is possible that a preemptible context reads
+slot 0 and then an interrupt occurs and the same value is read again.
+
+The above scenario is confirmed by lockdep if we add a spinlock:
+| ================================
+| WARNING: inconsistent lock state
+| 5.1.0-rc3+ #42 Not tainted
+| --------------------------------
+| inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
+| ksoftirqd/9/56 [HC0[0]:SC1[1]:HE0:SE0] takes:
+| (____ptrval____) (batched_entropy_u32.lock){+.?.}, at: get_random_u32+0x3e/0xe0
+| {SOFTIRQ-ON-W} state was registered at:
+| _raw_spin_lock+0x2a/0x40
+| get_random_u32+0x3e/0xe0
+| new_slab+0x15c/0x7b0
+| ___slab_alloc+0x492/0x620
+| __slab_alloc.isra.73+0x53/0xa0
+| kmem_cache_alloc_node+0xaf/0x2a0
+| copy_process.part.41+0x1e1/0x2370
+| _do_fork+0xdb/0x6d0
+| kernel_thread+0x20/0x30
+| kthreadd+0x1ba/0x220
+| ret_from_fork+0x3a/0x50
+…
+| other info that might help us debug this:
+| Possible unsafe locking scenario:
+|
+| CPU0
+| ----
+| lock(batched_entropy_u32.lock);
+| <Interrupt>
+| lock(batched_entropy_u32.lock);
+|
+| *** DEADLOCK ***
+|
+| stack backtrace:
+| Call Trace:
+…
+| kmem_cache_alloc_trace+0x20e/0x270
+| ipmi_alloc_recv_msg+0x16/0x40
+…
+| __do_softirq+0xec/0x48d
+| run_ksoftirqd+0x37/0x60
+| smpboot_thread_fn+0x191/0x290
+| kthread+0xfe/0x130
+| ret_from_fork+0x3a/0x50
+
+Add a spinlock_t to the batched_entropy data structure and acquire the
+lock while accessing it. Acquire the lock with disabled interrupts
+because this function may be used from interrupt context.
+
+Remove the batched_entropy_reset_lock lock. Now that we have a lock for
+the data scructure, we can access it from a remote CPU.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/random.c | 52 ++++++++++++++++++++++---------------------
+ 1 file changed, 27 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index d4d45ccfeefc0..af6e240f98ff4 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2214,8 +2214,8 @@ struct batched_entropy {
+ u32 entropy_u32[CHACHA_BLOCK_SIZE / sizeof(u32)];
+ };
+ unsigned int position;
++ spinlock_t batch_lock;
+ };
+-static rwlock_t batched_entropy_reset_lock = __RW_LOCK_UNLOCKED(batched_entropy_reset_lock);
+
+ /*
+ * Get a random word for internal kernel use only. The quality of the random
+@@ -2225,12 +2225,14 @@ static rwlock_t batched_entropy_reset_lock = __RW_LOCK_UNLOCKED(batched_entropy_
+ * wait_for_random_bytes() should be called and return 0 at least once
+ * at any point prior.
+ */
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64);
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
++ .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),
++};
++
+ u64 get_random_u64(void)
+ {
+ u64 ret;
+- bool use_lock;
+- unsigned long flags = 0;
++ unsigned long flags;
+ struct batched_entropy *batch;
+ static void *previous;
+
+@@ -2245,28 +2247,25 @@ u64 get_random_u64(void)
+
+ warn_unseeded_randomness(&previous);
+
+- use_lock = READ_ONCE(crng_init) < 2;
+- batch = &get_cpu_var(batched_entropy_u64);
+- if (use_lock)
+- read_lock_irqsave(&batched_entropy_reset_lock, flags);
++ batch = raw_cpu_ptr(&batched_entropy_u64);
++ spin_lock_irqsave(&batch->batch_lock, flags);
+ if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
+ extract_crng((u8 *)batch->entropy_u64);
+ batch->position = 0;
+ }
+ ret = batch->entropy_u64[batch->position++];
+- if (use_lock)
+- read_unlock_irqrestore(&batched_entropy_reset_lock, flags);
+- put_cpu_var(batched_entropy_u64);
++ spin_unlock_irqrestore(&batch->batch_lock, flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(get_random_u64);
+
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32);
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
++ .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock),
++};
+ u32 get_random_u32(void)
+ {
+ u32 ret;
+- bool use_lock;
+- unsigned long flags = 0;
++ unsigned long flags;
+ struct batched_entropy *batch;
+ static void *previous;
+
+@@ -2275,18 +2274,14 @@ u32 get_random_u32(void)
+
+ warn_unseeded_randomness(&previous);
+
+- use_lock = READ_ONCE(crng_init) < 2;
+- batch = &get_cpu_var(batched_entropy_u32);
+- if (use_lock)
+- read_lock_irqsave(&batched_entropy_reset_lock, flags);
++ batch = raw_cpu_ptr(&batched_entropy_u32);
++ spin_lock_irqsave(&batch->batch_lock, flags);
+ if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
+ extract_crng((u8 *)batch->entropy_u32);
+ batch->position = 0;
+ }
+ ret = batch->entropy_u32[batch->position++];
+- if (use_lock)
+- read_unlock_irqrestore(&batched_entropy_reset_lock, flags);
+- put_cpu_var(batched_entropy_u32);
++ spin_unlock_irqrestore(&batch->batch_lock, flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(get_random_u32);
+@@ -2300,12 +2295,19 @@ static void invalidate_batched_entropy(void)
+ int cpu;
+ unsigned long flags;
+
+- write_lock_irqsave(&batched_entropy_reset_lock, flags);
+ for_each_possible_cpu (cpu) {
+- per_cpu_ptr(&batched_entropy_u32, cpu)->position = 0;
+- per_cpu_ptr(&batched_entropy_u64, cpu)->position = 0;
++ struct batched_entropy *batched_entropy;
++
++ batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu);
++ spin_lock_irqsave(&batched_entropy->batch_lock, flags);
++ batched_entropy->position = 0;
++ spin_unlock(&batched_entropy->batch_lock);
++
++ batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu);
++ spin_lock(&batched_entropy->batch_lock);
++ batched_entropy->position = 0;
++ spin_unlock_irqrestore(&batched_entropy->batch_lock, flags);
+ }
+- write_unlock_irqrestore(&batched_entropy_reset_lock, flags);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From a8ae7965c30be7d9b94d7f9c00b693045f8eda59 Mon Sep 17 00:00:00 2001
+From: Jon DeVree <nuxi@vault24.org>
+Date: Fri, 19 Apr 2019 23:35:16 -0400
+Subject: random: fix CRNG initialization when random.trust_cpu=1
+
+[ Upstream commit fe6f1a6a8eedc1aa538fee0baa612b6a59639cf8 ]
+
+When the system boots with random.trust_cpu=1 it doesn't initialize the
+per-NUMA CRNGs because it skips the rest of the CRNG startup code. This
+means that the code from 1e7f583af67b ("random: make /dev/urandom scalable
+for silly userspace programs") is not used when random.trust_cpu=1.
+
+crash> dmesg | grep random:
+[ 0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
+[ 0.314029] random: crng done (trusting CPU's manufacturer)
+crash> print crng_node_pool
+$6 = (struct crng_state **) 0x0
+
+After adding the missing call to numa_crng_init() the per-NUMA CRNGs are
+initialized again:
+
+crash> dmesg | grep random:
+[ 0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
+[ 0.314031] random: crng done (trusting CPU's manufacturer)
+crash> print crng_node_pool
+$1 = (struct crng_state **) 0xffff9a915f4014a0
+
+The call to invalidate_batched_entropy() was also missing. This is
+important for architectures like PPC and S390 which only have the
+arch_get_random_seed_* functions.
+
+Fixes: 39a8883a2b98 ("random: add a config option to trust the CPU's hwrng")
+Signed-off-by: Jon DeVree <nuxi@vault24.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/random.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 38c6d1af6d1c0..d4d45ccfeefc0 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -777,6 +777,7 @@ static struct crng_state **crng_node_pool __read_mostly;
+ #endif
+
+ static void invalidate_batched_entropy(void);
++static void numa_crng_init(void);
+
+ static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+ static int __init parse_trust_cpu(char *arg)
+@@ -805,7 +806,9 @@ static void crng_initialize(struct crng_state *crng)
+ }
+ crng->state[i] ^= rv;
+ }
+- if (trust_cpu && arch_init) {
++ if (trust_cpu && arch_init && crng == &primary_crng) {
++ invalidate_batched_entropy();
++ numa_crng_init();
+ crng_init = 2;
+ pr_notice("random: crng done (trusting CPU's manufacturer)\n");
+ }
+--
+2.20.1
+
--- /dev/null
+From 4d5fa1e3dc647e5870189acd8a010dc1be2b9761 Mon Sep 17 00:00:00 2001
+From: Neeraj Upadhyay <neeraju@codeaurora.org>
+Date: Mon, 11 Mar 2019 17:28:03 +0530
+Subject: rcu: Do a single rhp->func read in rcu_head_after_call_rcu()
+
+[ Upstream commit b699cce1604e828f19c39845252626eb78cdf38a ]
+
+The rcu_head_after_call_rcu() function reads the rhp->func pointer twice,
+which can result in a false-positive WARN_ON_ONCE() if the callback
+were passed to call_rcu() between the two reads. Although racing
+rcu_head_after_call_rcu() with call_rcu() is to be a dubious use case
+(the return value is not reliable in that case), intermittent and
+irreproducible warnings are also quite dubious. This commit therefore
+uses a single READ_ONCE() to pick up the value of rhp->func once, then
+tests that value twice, thus guaranteeing consistent processing within
+rcu_head_after_call_rcu()().
+
+Neverthless, racing rcu_head_after_call_rcu() with call_rcu() is still
+a dubious use case.
+
+Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
+[ paulmck: Add blank line after declaration per checkpatch.pl. ]
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rcupdate.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index 6cdb1db776cf9..922bb68488133 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -878,9 +878,11 @@ static inline void rcu_head_init(struct rcu_head *rhp)
+ static inline bool
+ rcu_head_after_call_rcu(struct rcu_head *rhp, rcu_callback_t f)
+ {
+- if (READ_ONCE(rhp->func) == f)
++ rcu_callback_t func = READ_ONCE(rhp->func);
++
++ if (func == f)
+ return true;
+- WARN_ON_ONCE(READ_ONCE(rhp->func) != (rcu_callback_t)~0L);
++ WARN_ON_ONCE(func != (rcu_callback_t)~0L);
+ return false;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 9155bffc596569ff7aefc4b8fadaa3e8fdcb02bd Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Date: Thu, 21 Mar 2019 10:26:41 -0700
+Subject: rcuperf: Fix cleanup path for invalid perf_type strings
+
+[ Upstream commit ad092c027713a68a34168942a5ef422e42e039f4 ]
+
+If the specified rcuperf.perf_type is not in the rcu_perf_init()
+function's perf_ops[] array, rcuperf prints some console messages and
+then invokes rcu_perf_cleanup() to set state so that a future torture
+test can run. However, rcu_perf_cleanup() also attempts to end the
+test that didn't actually start, and in doing so relies on the value
+of cur_ops, a value that is not particularly relevant in this case.
+This can result in confusing output or even follow-on failures due to
+attempts to use facilities that have not been properly initialized.
+
+This commit therefore sets the value of cur_ops to NULL in this case and
+inserts a check near the beginning of rcu_perf_cleanup(), thus avoiding
+relying on an irrelevant cur_ops value.
+
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/rcuperf.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/rcu/rcuperf.c b/kernel/rcu/rcuperf.c
+index c297611528744..7a6890b23c5f5 100644
+--- a/kernel/rcu/rcuperf.c
++++ b/kernel/rcu/rcuperf.c
+@@ -494,6 +494,10 @@ rcu_perf_cleanup(void)
+
+ if (torture_cleanup_begin())
+ return;
++ if (!cur_ops) {
++ torture_cleanup_end();
++ return;
++ }
+
+ if (reader_tasks) {
+ for (i = 0; i < nrealreaders; i++)
+@@ -614,6 +618,7 @@ rcu_perf_init(void)
+ pr_cont("\n");
+ WARN_ON(!IS_MODULE(CONFIG_RCU_PERF_TEST));
+ firsterr = -EINVAL;
++ cur_ops = NULL;
+ goto unwind;
+ }
+ if (cur_ops->init)
+--
+2.20.1
+
--- /dev/null
+From 655fefe56f007c5d79bb2e2cf389f6111291289a Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Date: Thu, 21 Mar 2019 09:27:28 -0700
+Subject: rcutorture: Fix cleanup path for invalid torture_type strings
+
+[ Upstream commit b813afae7ab6a5e91b4e16cc567331d9c2ae1f04 ]
+
+If the specified rcutorture.torture_type is not in the rcu_torture_init()
+function's torture_ops[] array, rcutorture prints some console messages
+and then invokes rcu_torture_cleanup() to set state so that a future
+torture test can run. However, rcu_torture_cleanup() also attempts to
+end the test that didn't actually start, and in doing so relies on the
+value of cur_ops, a value that is not particularly relevant in this case.
+This can result in confusing output or even follow-on failures due to
+attempts to use facilities that have not been properly initialized.
+
+This commit therefore sets the value of cur_ops to NULL in this case
+and inserts a check near the beginning of rcu_torture_cleanup(),
+thus avoiding relying on an irrelevant cur_ops value.
+
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/rcutorture.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
+index f14d1b18a74fc..a2efe27317bef 100644
+--- a/kernel/rcu/rcutorture.c
++++ b/kernel/rcu/rcutorture.c
+@@ -2094,6 +2094,10 @@ rcu_torture_cleanup(void)
+ cur_ops->cb_barrier();
+ return;
+ }
++ if (!cur_ops) {
++ torture_cleanup_end();
++ return;
++ }
+
+ rcu_torture_barrier_cleanup();
+ torture_stop_kthread(rcu_torture_fwd_prog, fwd_prog_task);
+@@ -2267,6 +2271,7 @@ rcu_torture_init(void)
+ pr_cont("\n");
+ WARN_ON(!IS_MODULE(CONFIG_RCU_TORTURE_TEST));
+ firsterr = -EINVAL;
++ cur_ops = NULL;
+ goto unwind;
+ }
+ if (cur_ops->fqs == NULL && fqs_duration != 0) {
+--
+2.20.1
+
--- /dev/null
+From 8719f4fa4bfd377eb9952677e7e49d6d54e16883 Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Wed, 10 Apr 2019 11:23:04 +0300
+Subject: RDMA/cma: Consider scope_id while binding to ipv6 ll address
+
+[ Upstream commit 5d7ed2f27bbd482fd29e6b2e204b1a1ee8a0b268 ]
+
+When two netdev have same link local addresses (such as vlan and non
+vlan), two rdma cm listen id should be able to bind to following different
+addresses.
+
+listener-1: addr=lla, scope_id=A, port=X
+listener-2: addr=lla, scope_id=B, port=X
+
+However while comparing the addresses only addr and port are considered,
+due to which 2nd listener fails to listen.
+
+In below example of two listeners, 2nd listener is failing with address in
+use error.
+
+$ rping -sv -a fe80::268a:7ff:feb3:d113%ens2f1 -p 4545&
+
+$ rping -sv -a fe80::268a:7ff:feb3:d113%ens2f1.200 -p 4545
+rdma_bind_addr: Address already in use
+
+To overcome this, consider the scope_ids as well which forms the accurate
+IPv6 link local address.
+
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 68c997be24293..c54da16df0beb 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1173,18 +1173,31 @@ static inline bool cma_any_addr(const struct sockaddr *addr)
+ return cma_zero_addr(addr) || cma_loopback_addr(addr);
+ }
+
+-static int cma_addr_cmp(struct sockaddr *src, struct sockaddr *dst)
++static int cma_addr_cmp(const struct sockaddr *src, const struct sockaddr *dst)
+ {
+ if (src->sa_family != dst->sa_family)
+ return -1;
+
+ switch (src->sa_family) {
+ case AF_INET:
+- return ((struct sockaddr_in *) src)->sin_addr.s_addr !=
+- ((struct sockaddr_in *) dst)->sin_addr.s_addr;
+- case AF_INET6:
+- return ipv6_addr_cmp(&((struct sockaddr_in6 *) src)->sin6_addr,
+- &((struct sockaddr_in6 *) dst)->sin6_addr);
++ return ((struct sockaddr_in *)src)->sin_addr.s_addr !=
++ ((struct sockaddr_in *)dst)->sin_addr.s_addr;
++ case AF_INET6: {
++ struct sockaddr_in6 *src_addr6 = (struct sockaddr_in6 *)src;
++ struct sockaddr_in6 *dst_addr6 = (struct sockaddr_in6 *)dst;
++ bool link_local;
++
++ if (ipv6_addr_cmp(&src_addr6->sin6_addr,
++ &dst_addr6->sin6_addr))
++ return 1;
++ link_local = ipv6_addr_type(&dst_addr6->sin6_addr) &
++ IPV6_ADDR_LINKLOCAL;
++ /* Link local must match their scope_ids */
++ return link_local ? (src_addr6->sin6_scope_id !=
++ dst_addr6->sin6_scope_id) :
++ 0;
++ }
++
+ default:
+ return ib_addr_cmp(&((struct sockaddr_ib *) src)->sib_addr,
+ &((struct sockaddr_ib *) dst)->sib_addr);
+--
+2.20.1
+
--- /dev/null
+From 9c81dd4b9c2788c46498355f9edfe459644399ac Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 13 Apr 2019 17:00:26 +0100
+Subject: RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
+
+[ Upstream commit a6d2a5a92e67d151c98886babdc86d530d27111c ]
+
+Currently if alloc_skb fails to allocate the skb a null skb is passed to
+t4_set_arp_err_handler and this ends up dereferencing the null skb. Avoid
+the NULL pointer dereference by checking for a NULL skb and returning
+early.
+
+Addresses-Coverity: ("Dereference null return")
+Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index 4d232bdf9e976..689ba6bc2ca9c 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -457,6 +457,8 @@ static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
+ skb_reset_transport_header(skb);
+ } else {
+ skb = alloc_skb(len, gfp);
++ if (!skb)
++ return NULL;
+ }
+ t4_set_arp_err_handler(skb, NULL, NULL);
+ return skb;
+--
+2.20.1
+
--- /dev/null
+From 0e66b0773b3eeb6a75106a654f6f218360a93937 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 19 Mar 2019 11:10:08 +0200
+Subject: RDMA/hns: Fix bad endianess of port_pd variable
+
+[ Upstream commit 6734b2973565e36659e97e12ab0d0faf1d9f3fbe ]
+
+port_pd is treated as le32 in declaration and read, fix assignment to be
+in le32 too. This change fixes the following compilation warnings.
+
+drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: warning: incorrect type
+in assignment (different base types)
+drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: expected restricted __le32 [usertype] port_pd
+drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: got restricted __be32 [usertype]
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Gal Pressman <galpress@amazon.com>
+Reviewed-by: Lijun Ou <ouliun@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_ah.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c
+index b3c8c45ec1e3e..64e0c69b69c53 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_ah.c
++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c
+@@ -70,7 +70,7 @@ struct ib_ah *hns_roce_create_ah(struct ib_pd *ibpd,
+ HNS_ROCE_VLAN_SL_BIT_MASK) <<
+ HNS_ROCE_VLAN_SL_SHIFT;
+
+- ah->av.port_pd = cpu_to_be32(to_hr_pd(ibpd)->pdn |
++ ah->av.port_pd = cpu_to_le32(to_hr_pd(ibpd)->pdn |
+ (rdma_ah_get_port_num(ah_attr) <<
+ HNS_ROCE_PORT_NUM_SHIFT));
+ ah->av.gid_index = grh->sgid_index;
+--
+2.20.1
+
--- /dev/null
+From 9f78e34d021d699efc8084ba86b9fab74d1af54a Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 12 Mar 2019 10:15:44 +0200
+Subject: RDMA/rxe: Fix slab-out-bounds access which lead to kernel crash later
+
+[ Upstream commit a4b7013db23e93824ac53083eeb3e4efdef4b5b0 ]
+
+BUG: KASAN: slab-out-of-bounds in rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
+Read of size 8 at addr ffff88805c01a608 by task ib_send_bw/573
+
+CPU: 24 PID: 573 Comm: ib_send_bw Not tainted 5.0.0-rc5+ #189
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
+ rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
+ ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
+ ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
+ ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
+ rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
+ rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
+ ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
+ ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
+ ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs]
+ ib_uverbs_ioctl+0x202/0x310 [ib_uverbs]
+ do_vfs_ioctl+0x193/0x1440
+ ksys_ioctl+0x3a/0x70
+ __x64_sys_ioctl+0x6f/0xb0
+ do_syscall_64+0x13f/0x570
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Allocated by task 573:
+ __kasan_kmalloc.constprop.5+0xc1/0xd0
+ __kmalloc+0x161/0x310
+ rxe_mem_alloc+0x52/0x470 [rdma_rxe]
+ rxe_mem_init_user+0x113/0x740 [rdma_rxe]
+ rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
+ ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
+ ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
+ ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs]
+ ib_uverbs_ioctl+0x202/0x310 [ib_uverbs]
+ do_vfs_ioctl+0x193/0x1440
+ ksys_ioctl+0x3a/0x70
+ __x64_sys_ioctl+0x6f/0xb0
+ do_syscall_64+0x13f/0x570
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 0:
+ __kasan_slab_free+0x12e/0x180
+ kfree+0x10a/0x2c0
+ rcu_process_callbacks+0xa77/0x1260
+ __do_softirq+0x2ad/0xacb
+
+Test scenario:
+ ib_send_bw -x 1 -d rxe0 -a &
+ ib_send_bw -x 1 -d rxe0 -a localhost
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Reported-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Tested-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
+index 42f0f25e396c3..ec89fbd06c53c 100644
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -199,6 +199,12 @@ int rxe_mem_init_user(struct rxe_pd *pd, u64 start,
+ buf = map[0]->buf;
+
+ for_each_sg_page(umem->sg_head.sgl, &sg_iter, umem->nmap, 0) {
++ if (num_buf >= RXE_BUF_PER_MAP) {
++ map++;
++ buf = map[0]->buf;
++ num_buf = 0;
++ }
++
+ vaddr = page_address(sg_page_iter_page(&sg_iter));
+ if (!vaddr) {
+ pr_warn("null vaddr\n");
+@@ -211,11 +217,6 @@ int rxe_mem_init_user(struct rxe_pd *pd, u64 start,
+ num_buf++;
+ buf++;
+
+- if (num_buf >= RXE_BUF_PER_MAP) {
+- map++;
+- buf = map[0]->buf;
+- num_buf = 0;
+- }
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 511c976d3fa712085a8e1ca13da3b79ee636f13a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 4 Mar 2019 20:38:29 +0100
+Subject: regulator: add regulator_get_linear_step() stub helper
+
+[ Upstream commit 7287275b4301e230be9e4569431c7dacb67ebc13 ]
+
+The regulator header has empty inline functions for most interfaces,
+but not regulator_get_linear_step(), which has just grown a user
+that does not depend on regulators otherwise:
+
+drivers/clk/tegra/clk-tegra124-dfll-fcpu.c: In function 'get_alignment_from_regulator':
+drivers/clk/tegra/clk-tegra124-dfll-fcpu.c:555:19: error: implicit declaration of function 'regulator_get_linear_step'; did you mean 'regulator_get_drvdata'? [-Werror=implicit-function-declaration]
+ align->step_uv = regulator_get_linear_step(reg);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+ regulator_get_drvdata
+cc1: all warnings being treated as errors
+scripts/Makefile.build:278: recipe for target 'drivers/clk/tegra/clk-tegra124-dfll-fcpu.o' failed
+
+Add the missing stub along the others.
+
+Fixes: b3cf8d069505 ("clk: tegra: dfll: CVB calculation alignment with the regulator")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/regulator/consumer.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h
+index f3f76051e8b00..aaf3cee704397 100644
+--- a/include/linux/regulator/consumer.h
++++ b/include/linux/regulator/consumer.h
+@@ -478,6 +478,11 @@ static inline int regulator_is_supported_voltage(struct regulator *regulator,
+ return 0;
+ }
+
++static inline unsigned int regulator_get_linear_step(struct regulator *regulator)
++{
++ return 0;
++}
++
+ static inline int regulator_set_current_limit(struct regulator *regulator,
+ int min_uA, int max_uA)
+ {
+--
+2.20.1
+
--- /dev/null
+From 768fd6208817ef835ec35b039f46aff1eee8180d Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Sat, 20 Apr 2019 13:34:30 +0200
+Subject: regulator: core: Actually put the gpiod after use
+
+[ Upstream commit 78927aa40bc82f32de07323ddc1c9de07ac68180 ]
+
+I went to great lengths to hand over the management of the GPIO
+descriptors to the regulator core, and some stray rebased
+oneliner in the old patch must have been assuming the devices
+were still doing devres management of it.
+
+We handed the management over to the regulator core, so of
+course the regulator core shall issue gpiod_put() when done.
+
+Sorry for the descriptor leak.
+
+Fixes: 541d052d7215 ("regulator: core: Only support passing enable GPIO descriptors")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 968dcd9d7a070..6da41207e479a 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -2256,6 +2256,7 @@ static void regulator_ena_gpio_free(struct regulator_dev *rdev)
+ if (pin->gpiod == rdev->ena_pin->gpiod) {
+ if (pin->request_count <= 1) {
+ pin->request_count = 0;
++ gpiod_put(pin->gpiod);
+ list_del(&pin->list);
+ kfree(pin);
+ rdev->ena_pin = NULL;
+--
+2.20.1
+
--- /dev/null
+From 877cef15978d35901dda7405fa1c5fea83e616d6 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Thu, 4 Apr 2019 16:32:18 +0100
+Subject: regulator: core: Avoid potential deadlock on regulator_unregister
+
+[ Upstream commit 063773011d33bb36588a90385aa9eb75d13c6d80 ]
+
+Lockdep reports the following issue on my setup:
+
+Possible unsafe locking scenario:
+
+CPU0 CPU1
+---- ----
+lock((work_completion)(&(&rdev->disable_work)->work));
+ lock(regulator_list_mutex);
+ lock((work_completion)(&(&rdev->disable_work)->work));
+lock(regulator_list_mutex);
+
+The problem is that regulator_unregister takes the
+regulator_list_mutex and then calls flush_work on disable_work. But
+regulator_disable_work calls regulator_lock_dependent which will
+also take the regulator_list_mutex. Resulting in a deadlock if the
+flush_work call actually needs to flush the work.
+
+Fix this issue by moving the flush_work outside of the
+regulator_list_mutex. The list mutex is not used to guard the point at
+which the delayed work is queued, so its use adds no additional safety.
+
+Fixes: f8702f9e4aa7 ("regulator: core: Use ww_mutex for regulators locking")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 6da41207e479a..35a7d020afecd 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5062,10 +5062,11 @@ void regulator_unregister(struct regulator_dev *rdev)
+ regulator_put(rdev->supply);
+ }
+
++ flush_work(&rdev->disable_work.work);
++
+ mutex_lock(®ulator_list_mutex);
+
+ debugfs_remove_recursive(rdev->debugfs);
+- flush_work(&rdev->disable_work.work);
+ WARN_ON(rdev->open_count);
+ regulator_remove_coupling(rdev);
+ unset_regulator_supplies(rdev);
+--
+2.20.1
+
--- /dev/null
+From affb359f8865bc6a7959678cd61d0005f67da36b Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 14:59:59 +0000
+Subject: regulator: da9055: Fix notifier mutex lock warning
+
+[ Upstream commit 5e6afb3832bedf420dd8e4c5b32ed85117c5087d ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: f6130be652d0 ("regulator: DA9055 regulator driver")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/da9055-regulator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/regulator/da9055-regulator.c b/drivers/regulator/da9055-regulator.c
+index 3c6fac7936585..3ade4b8d204eb 100644
+--- a/drivers/regulator/da9055-regulator.c
++++ b/drivers/regulator/da9055-regulator.c
+@@ -487,8 +487,10 @@ static irqreturn_t da9055_ldo5_6_oc_irq(int irq, void *data)
+ {
+ struct da9055_regulator *regulator = data;
+
++ regulator_lock(regulator->rdev);
+ regulator_notifier_call_chain(regulator->rdev,
+ REGULATOR_EVENT_OVER_CURRENT, NULL);
++ regulator_unlock(regulator->rdev);
+
+ return IRQ_HANDLED;
+ }
+--
+2.20.1
+
--- /dev/null
+From e06eb95afd4424a7548cd601249346a0d33135dc Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:19:34 +0000
+Subject: regulator: da9062: Fix notifier mutex lock warning
+
+[ Upstream commit 978995def0f6030aa6b3b494682f673aca13881b ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: 4068e5182ada ("regulator: da9062: DA9062 regulator driver")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/da9062-regulator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/regulator/da9062-regulator.c b/drivers/regulator/da9062-regulator.c
+index b064d8a19d4ce..bab88ddfc5098 100644
+--- a/drivers/regulator/da9062-regulator.c
++++ b/drivers/regulator/da9062-regulator.c
+@@ -974,8 +974,10 @@ static irqreturn_t da9062_ldo_lim_event(int irq, void *data)
+ continue;
+
+ if (BIT(regl->info->oc_event.lsb) & bits) {
++ regulator_lock(regl->rdev);
+ regulator_notifier_call_chain(regl->rdev,
+ REGULATOR_EVENT_OVER_CURRENT, NULL);
++ regulator_unlock(regl->rdev);
+ handled = IRQ_HANDLED;
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 11bf6f834df536297c13cd21fa5afdd095597fe4 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:23:02 +0000
+Subject: regulator: da9063: Fix notifier mutex lock warning
+
+[ Upstream commit 29d40b4a5776ec4727c9f0e00a884423dd5e3366 ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: 69ca3e58d178 ("regulator: da9063: Add Dialog DA9063 voltage regulators support.")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/da9063-regulator.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/da9063-regulator.c b/drivers/regulator/da9063-regulator.c
+index 2b0c7a85306ab..d7bdb95b7602e 100644
+--- a/drivers/regulator/da9063-regulator.c
++++ b/drivers/regulator/da9063-regulator.c
+@@ -615,9 +615,12 @@ static irqreturn_t da9063_ldo_lim_event(int irq, void *data)
+ if (regl->info->oc_event.reg != DA9063_REG_STATUS_D)
+ continue;
+
+- if (BIT(regl->info->oc_event.lsb) & bits)
++ if (BIT(regl->info->oc_event.lsb) & bits) {
++ regulator_lock(regl->rdev);
+ regulator_notifier_call_chain(regl->rdev,
+ REGULATOR_EVENT_OVER_CURRENT, NULL);
++ regulator_unlock(regl->rdev);
++ }
+ }
+
+ return IRQ_HANDLED;
+--
+2.20.1
+
--- /dev/null
+From feedc7aedc0d87321fbbe7125844244196501928 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:27:57 +0000
+Subject: regulator: da9211: Fix notifier mutex lock warning
+
+[ Upstream commit 65378de3359d30ebce44762d8b8027f372b5b1c4 ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: 1028a37daa14 ("regulator: da9211: new regulator driver")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/da9211-regulator.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/regulator/da9211-regulator.c b/drivers/regulator/da9211-regulator.c
+index 109ee12d43626..4d7fe4819c1ce 100644
+--- a/drivers/regulator/da9211-regulator.c
++++ b/drivers/regulator/da9211-regulator.c
+@@ -322,8 +322,10 @@ static irqreturn_t da9211_irq_handler(int irq, void *data)
+ goto error_i2c;
+
+ if (reg_val & DA9211_E_OV_CURR_A) {
++ regulator_lock(chip->rdev[0]);
+ regulator_notifier_call_chain(chip->rdev[0],
+ REGULATOR_EVENT_OVER_CURRENT, NULL);
++ regulator_unlock(chip->rdev[0]);
+
+ err = regmap_write(chip->regmap, DA9211_REG_EVENT_B,
+ DA9211_E_OV_CURR_A);
+@@ -334,8 +336,10 @@ static irqreturn_t da9211_irq_handler(int irq, void *data)
+ }
+
+ if (reg_val & DA9211_E_OV_CURR_B) {
++ regulator_lock(chip->rdev[1]);
+ regulator_notifier_call_chain(chip->rdev[1],
+ REGULATOR_EVENT_OVER_CURRENT, NULL);
++ regulator_unlock(chip->rdev[1]);
+
+ err = regmap_write(chip->regmap, DA9211_REG_EVENT_B,
+ DA9211_E_OV_CURR_B);
+--
+2.20.1
+
--- /dev/null
+From 923bfd0cc424b4bc376a8be35ae44ce7ec535164 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:32:18 +0000
+Subject: regulator: lp8755: Fix notifier mutex lock warning
+
+[ Upstream commit 89b2758c192c35068b07766a6830433bfbdc1f44 ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: b59320cc5a5e ("regulator: lp8755: new driver for LP8755")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/lp8755.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/regulator/lp8755.c b/drivers/regulator/lp8755.c
+index 14fd388071349..2e16a6ab491d6 100644
+--- a/drivers/regulator/lp8755.c
++++ b/drivers/regulator/lp8755.c
+@@ -372,10 +372,13 @@ static irqreturn_t lp8755_irq_handler(int irq, void *data)
+ for (icnt = 0; icnt < LP8755_BUCK_MAX; icnt++)
+ if ((flag0 & (0x4 << icnt))
+ && (pchip->irqmask & (0x04 << icnt))
+- && (pchip->rdev[icnt] != NULL))
++ && (pchip->rdev[icnt] != NULL)) {
++ regulator_lock(pchip->rdev[icnt]);
+ regulator_notifier_call_chain(pchip->rdev[icnt],
+ LP8755_EVENT_PWR_FAULT,
+ NULL);
++ regulator_unlock(pchip->rdev[icnt]);
++ }
+
+ /* read flag1 register */
+ ret = lp8755_read(pchip, 0x0E, &flag1);
+@@ -389,18 +392,24 @@ static irqreturn_t lp8755_irq_handler(int irq, void *data)
+ /* send OCP event to all regulator devices */
+ if ((flag1 & 0x01) && (pchip->irqmask & 0x01))
+ for (icnt = 0; icnt < LP8755_BUCK_MAX; icnt++)
+- if (pchip->rdev[icnt] != NULL)
++ if (pchip->rdev[icnt] != NULL) {
++ regulator_lock(pchip->rdev[icnt]);
+ regulator_notifier_call_chain(pchip->rdev[icnt],
+ LP8755_EVENT_OCP,
+ NULL);
++ regulator_unlock(pchip->rdev[icnt]);
++ }
+
+ /* send OVP event to all regulator devices */
+ if ((flag1 & 0x02) && (pchip->irqmask & 0x02))
+ for (icnt = 0; icnt < LP8755_BUCK_MAX; icnt++)
+- if (pchip->rdev[icnt] != NULL)
++ if (pchip->rdev[icnt] != NULL) {
++ regulator_lock(pchip->rdev[icnt]);
+ regulator_notifier_call_chain(pchip->rdev[icnt],
+ LP8755_EVENT_OVP,
+ NULL);
++ regulator_unlock(pchip->rdev[icnt]);
++ }
+ return IRQ_HANDLED;
+
+ err_i2c:
+--
+2.20.1
+
--- /dev/null
+From 011de1d89ed9a956efff4a6245c58c4284a31a3d Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:35:35 +0000
+Subject: regulator: ltc3589: Fix notifier mutex lock warning
+
+[ Upstream commit f132da2534ec6599c78c4adcef15340cff2e9dd9 ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: 3eb2c7ecb7ea ("regulator: Add LTC3589 support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/ltc3589.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/regulator/ltc3589.c b/drivers/regulator/ltc3589.c
+index 63f724f260ef7..75089b037b723 100644
+--- a/drivers/regulator/ltc3589.c
++++ b/drivers/regulator/ltc3589.c
+@@ -419,16 +419,22 @@ static irqreturn_t ltc3589_isr(int irq, void *dev_id)
+
+ if (irqstat & LTC3589_IRQSTAT_THERMAL_WARN) {
+ event = REGULATOR_EVENT_OVER_TEMP;
+- for (i = 0; i < LTC3589_NUM_REGULATORS; i++)
++ for (i = 0; i < LTC3589_NUM_REGULATORS; i++) {
++ regulator_lock(ltc3589->regulators[i]);
+ regulator_notifier_call_chain(ltc3589->regulators[i],
+ event, NULL);
++ regulator_unlock(ltc3589->regulators[i]);
++ }
+ }
+
+ if (irqstat & LTC3589_IRQSTAT_UNDERVOLT_WARN) {
+ event = REGULATOR_EVENT_UNDER_VOLTAGE;
+- for (i = 0; i < LTC3589_NUM_REGULATORS; i++)
++ for (i = 0; i < LTC3589_NUM_REGULATORS; i++) {
++ regulator_lock(ltc3589->regulators[i]);
+ regulator_notifier_call_chain(ltc3589->regulators[i],
+ event, NULL);
++ regulator_unlock(ltc3589->regulators[i]);
++ }
+ }
+
+ /* Clear warning condition */
+--
+2.20.1
+
--- /dev/null
+From 2ee997b96ad2f721e0db2e40b01dfb7355f0c7a2 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:38:56 +0000
+Subject: regulator: ltc3676: Fix notifier mutex lock warning
+
+[ Upstream commit 769fc8d4182c1d1875db7859852afeb436714c5c ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: 37b918a034fe ("regulator: Add LTC3676 support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/ltc3676.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/regulator/ltc3676.c b/drivers/regulator/ltc3676.c
+index e6d66e492b851..4be90c78c7209 100644
+--- a/drivers/regulator/ltc3676.c
++++ b/drivers/regulator/ltc3676.c
+@@ -285,17 +285,23 @@ static irqreturn_t ltc3676_isr(int irq, void *dev_id)
+ if (irqstat & LTC3676_IRQSTAT_THERMAL_WARN) {
+ dev_warn(dev, "Over-temperature Warning\n");
+ event = REGULATOR_EVENT_OVER_TEMP;
+- for (i = 0; i < LTC3676_NUM_REGULATORS; i++)
++ for (i = 0; i < LTC3676_NUM_REGULATORS; i++) {
++ regulator_lock(ltc3676->regulators[i]);
+ regulator_notifier_call_chain(ltc3676->regulators[i],
+ event, NULL);
++ regulator_unlock(ltc3676->regulators[i]);
++ }
+ }
+
+ if (irqstat & LTC3676_IRQSTAT_UNDERVOLT_WARN) {
+ dev_info(dev, "Undervoltage Warning\n");
+ event = REGULATOR_EVENT_UNDER_VOLTAGE;
+- for (i = 0; i < LTC3676_NUM_REGULATORS; i++)
++ for (i = 0; i < LTC3676_NUM_REGULATORS; i++) {
++ regulator_lock(ltc3676->regulators[i]);
+ regulator_notifier_call_chain(ltc3676->regulators[i],
+ event, NULL);
++ regulator_unlock(ltc3676->regulators[i]);
++ }
+ }
+
+ /* Clear warning condition */
+--
+2.20.1
+
--- /dev/null
+From 9cb19f8dbaaf54f2e7deef51e706c3de232d4005 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:42:50 +0000
+Subject: regulator: pv88060: Fix notifier mutex lock warning
+
+[ Upstream commit f58213637206e190453e3bd91f98f535566290a3 ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: f307a7e9b7af ("regulator: pv88060: new regulator driver")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/pv88060-regulator.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/regulator/pv88060-regulator.c b/drivers/regulator/pv88060-regulator.c
+index 1600f98218912..810816e9df5d5 100644
+--- a/drivers/regulator/pv88060-regulator.c
++++ b/drivers/regulator/pv88060-regulator.c
+@@ -244,9 +244,11 @@ static irqreturn_t pv88060_irq_handler(int irq, void *data)
+ if (reg_val & PV88060_E_VDD_FLT) {
+ for (i = 0; i < PV88060_MAX_REGULATORS; i++) {
+ if (chip->rdev[i] != NULL) {
++ regulator_lock(chip->rdev[i]);
+ regulator_notifier_call_chain(chip->rdev[i],
+ REGULATOR_EVENT_UNDER_VOLTAGE,
+ NULL);
++ regulator_unlock(chip->rdev[i]);
+ }
+ }
+
+@@ -261,9 +263,11 @@ static irqreturn_t pv88060_irq_handler(int irq, void *data)
+ if (reg_val & PV88060_E_OVER_TEMP) {
+ for (i = 0; i < PV88060_MAX_REGULATORS; i++) {
+ if (chip->rdev[i] != NULL) {
++ regulator_lock(chip->rdev[i]);
+ regulator_notifier_call_chain(chip->rdev[i],
+ REGULATOR_EVENT_OVER_TEMP,
+ NULL);
++ regulator_unlock(chip->rdev[i]);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From d3221596a8b8a47f7f199fd1ecc59e6129889697 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:44:54 +0000
+Subject: regulator: pv88080: Fix notifier mutex lock warning
+
+[ Upstream commit 1867af94cfdf37fc70fe67b3d522e78352800196 ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: 99cf3af5e2d5 ("regulator: pv88080: new regulator driver")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/pv88080-regulator.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/regulator/pv88080-regulator.c b/drivers/regulator/pv88080-regulator.c
+index bdddacdbeb996..6279216fb2540 100644
+--- a/drivers/regulator/pv88080-regulator.c
++++ b/drivers/regulator/pv88080-regulator.c
+@@ -345,9 +345,11 @@ static irqreturn_t pv88080_irq_handler(int irq, void *data)
+ if (reg_val & PV88080_E_VDD_FLT) {
+ for (i = 0; i < PV88080_MAX_REGULATORS; i++) {
+ if (chip->rdev[i] != NULL) {
++ regulator_lock(chip->rdev[i]);
+ regulator_notifier_call_chain(chip->rdev[i],
+ REGULATOR_EVENT_UNDER_VOLTAGE,
+ NULL);
++ regulator_unlock(chip->rdev[i]);
+ }
+ }
+
+@@ -362,9 +364,11 @@ static irqreturn_t pv88080_irq_handler(int irq, void *data)
+ if (reg_val & PV88080_E_OVER_TEMP) {
+ for (i = 0; i < PV88080_MAX_REGULATORS; i++) {
+ if (chip->rdev[i] != NULL) {
++ regulator_lock(chip->rdev[i]);
+ regulator_notifier_call_chain(chip->rdev[i],
+ REGULATOR_EVENT_OVER_TEMP,
+ NULL);
++ regulator_unlock(chip->rdev[i]);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From d36ffc1ce75d7bd895ca3b2a5a4afccbd32bb50d Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:46:55 +0000
+Subject: regulator: pv88090: Fix notifier mutex lock warning
+
+[ Upstream commit 275513b7695a61b75b2546406ecd0f8e3d9fc8be ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: c90456e36d9c ("regulator: pv88090: new regulator driver")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/pv88090-regulator.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/regulator/pv88090-regulator.c b/drivers/regulator/pv88090-regulator.c
+index 6e97cc6df2eec..90f4f907fb3fb 100644
+--- a/drivers/regulator/pv88090-regulator.c
++++ b/drivers/regulator/pv88090-regulator.c
+@@ -237,9 +237,11 @@ static irqreturn_t pv88090_irq_handler(int irq, void *data)
+ if (reg_val & PV88090_E_VDD_FLT) {
+ for (i = 0; i < PV88090_MAX_REGULATORS; i++) {
+ if (chip->rdev[i] != NULL) {
++ regulator_lock(chip->rdev[i]);
+ regulator_notifier_call_chain(chip->rdev[i],
+ REGULATOR_EVENT_UNDER_VOLTAGE,
+ NULL);
++ regulator_unlock(chip->rdev[i]);
+ }
+ }
+
+@@ -254,9 +256,11 @@ static irqreturn_t pv88090_irq_handler(int irq, void *data)
+ if (reg_val & PV88090_E_OVER_TEMP) {
+ for (i = 0; i < PV88090_MAX_REGULATORS; i++) {
+ if (chip->rdev[i] != NULL) {
++ regulator_lock(chip->rdev[i]);
+ regulator_notifier_call_chain(chip->rdev[i],
+ REGULATOR_EVENT_OVER_TEMP,
+ NULL);
++ regulator_unlock(chip->rdev[i]);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From c725e276f3d296b0dc4b3dbc94eacd4e9a3040b9 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:48:46 +0000
+Subject: regulator: wm831x: Fix notifier mutex lock warning
+
+[ Upstream commit 119c4f5085c45b60cb23c5595e45d06135b89518 ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: e4ee831f949a ("regulator: Add WM831x DC-DC buck convertor support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/wm831x-dcdc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/regulator/wm831x-dcdc.c b/drivers/regulator/wm831x-dcdc.c
+index 12b422373580c..d1873f94bca74 100644
+--- a/drivers/regulator/wm831x-dcdc.c
++++ b/drivers/regulator/wm831x-dcdc.c
+@@ -183,9 +183,11 @@ static irqreturn_t wm831x_dcdc_uv_irq(int irq, void *data)
+ {
+ struct wm831x_dcdc *dcdc = data;
+
++ regulator_lock(dcdc->regulator);
+ regulator_notifier_call_chain(dcdc->regulator,
+ REGULATOR_EVENT_UNDER_VOLTAGE,
+ NULL);
++ regulator_unlock(dcdc->regulator);
+
+ return IRQ_HANDLED;
+ }
+@@ -194,9 +196,11 @@ static irqreturn_t wm831x_dcdc_oc_irq(int irq, void *data)
+ {
+ struct wm831x_dcdc *dcdc = data;
+
++ regulator_lock(dcdc->regulator);
+ regulator_notifier_call_chain(dcdc->regulator,
+ REGULATOR_EVENT_OVER_CURRENT,
+ NULL);
++ regulator_unlock(dcdc->regulator);
+
+ return IRQ_HANDLED;
+ }
+--
+2.20.1
+
--- /dev/null
+From e7c7ebbc215cb4ed05cec56d9ce61fa001905cf0 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:51:28 +0000
+Subject: regulator: wm831x isink: Fix notifier mutex lock warning
+
+[ Upstream commit f7a621728a6a23bfd2c6ac4d3e42e1303aefde0f ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: d4d6b722e780 ("regulator: Add WM831x ISINK support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/wm831x-isink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/regulator/wm831x-isink.c b/drivers/regulator/wm831x-isink.c
+index 6dd891d7eee3b..11f351191dba9 100644
+--- a/drivers/regulator/wm831x-isink.c
++++ b/drivers/regulator/wm831x-isink.c
+@@ -140,9 +140,11 @@ static irqreturn_t wm831x_isink_irq(int irq, void *data)
+ {
+ struct wm831x_isink *isink = data;
+
++ regulator_lock(isink->regulator);
+ regulator_notifier_call_chain(isink->regulator,
+ REGULATOR_EVENT_OVER_CURRENT,
+ NULL);
++ regulator_unlock(isink->regulator);
+
+ return IRQ_HANDLED;
+ }
+--
+2.20.1
+
--- /dev/null
+From 1a9e7a04e89e151e0af0c2602c4090fb38cd14de Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:54:01 +0000
+Subject: regulator: wm831x ldo: Fix notifier mutex lock warning
+
+[ Upstream commit 8be64b6d87bd47d81753b60ddafe70102ebfd76b ]
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: d1c6b4fe668b ("regulator: Add WM831x LDO support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/wm831x-ldo.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/regulator/wm831x-ldo.c b/drivers/regulator/wm831x-ldo.c
+index e4a6f888484ec..fcd038e7cd803 100644
+--- a/drivers/regulator/wm831x-ldo.c
++++ b/drivers/regulator/wm831x-ldo.c
+@@ -51,9 +51,11 @@ static irqreturn_t wm831x_ldo_uv_irq(int irq, void *data)
+ {
+ struct wm831x_ldo *ldo = data;
+
++ regulator_lock(ldo->regulator);
+ regulator_notifier_call_chain(ldo->regulator,
+ REGULATOR_EVENT_UNDER_VOLTAGE,
+ NULL);
++ regulator_unlock(ldo->regulator);
+
+ return IRQ_HANDLED;
+ }
+--
+2.20.1
+
--- /dev/null
+From 07957149f5c52671e595ace8d4dedebc7bdda9c4 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Sat, 23 Mar 2019 15:49:16 -0500
+Subject: rsi: Fix NULL pointer dereference in kmalloc
+
+[ Upstream commit d5414c2355b20ea8201156d2e874265f1cb0d775 ]
+
+kmalloc can fail in rsi_register_rates_channels but memcpy still attempts
+to write to channels. The patch replaces these calls with kmemdup and
+passes the error upstream.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_mac80211.c | 30 ++++++++++++---------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+index 831046e760f8a..49df3bb08d41f 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+@@ -188,27 +188,27 @@ bool rsi_is_cipher_wep(struct rsi_common *common)
+ * @adapter: Pointer to the adapter structure.
+ * @band: Operating band to be set.
+ *
+- * Return: None.
++ * Return: int - 0 on success, negative error on failure.
+ */
+-static void rsi_register_rates_channels(struct rsi_hw *adapter, int band)
++static int rsi_register_rates_channels(struct rsi_hw *adapter, int band)
+ {
+ struct ieee80211_supported_band *sbands = &adapter->sbands[band];
+ void *channels = NULL;
+
+ if (band == NL80211_BAND_2GHZ) {
+- channels = kmalloc(sizeof(rsi_2ghz_channels), GFP_KERNEL);
+- memcpy(channels,
+- rsi_2ghz_channels,
+- sizeof(rsi_2ghz_channels));
++ channels = kmemdup(rsi_2ghz_channels, sizeof(rsi_2ghz_channels),
++ GFP_KERNEL);
++ if (!channels)
++ return -ENOMEM;
+ sbands->band = NL80211_BAND_2GHZ;
+ sbands->n_channels = ARRAY_SIZE(rsi_2ghz_channels);
+ sbands->bitrates = rsi_rates;
+ sbands->n_bitrates = ARRAY_SIZE(rsi_rates);
+ } else {
+- channels = kmalloc(sizeof(rsi_5ghz_channels), GFP_KERNEL);
+- memcpy(channels,
+- rsi_5ghz_channels,
+- sizeof(rsi_5ghz_channels));
++ channels = kmemdup(rsi_5ghz_channels, sizeof(rsi_5ghz_channels),
++ GFP_KERNEL);
++ if (!channels)
++ return -ENOMEM;
+ sbands->band = NL80211_BAND_5GHZ;
+ sbands->n_channels = ARRAY_SIZE(rsi_5ghz_channels);
+ sbands->bitrates = &rsi_rates[4];
+@@ -227,6 +227,7 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band)
+ sbands->ht_cap.mcs.rx_mask[0] = 0xff;
+ sbands->ht_cap.mcs.tx_params = IEEE80211_HT_MCS_TX_DEFINED;
+ /* sbands->ht_cap.mcs.rx_highest = 0x82; */
++ return 0;
+ }
+
+ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw,
+@@ -2064,11 +2065,16 @@ int rsi_mac80211_attach(struct rsi_common *common)
+ wiphy->available_antennas_rx = 1;
+ wiphy->available_antennas_tx = 1;
+
+- rsi_register_rates_channels(adapter, NL80211_BAND_2GHZ);
++ status = rsi_register_rates_channels(adapter, NL80211_BAND_2GHZ);
++ if (status)
++ return status;
+ wiphy->bands[NL80211_BAND_2GHZ] =
+ &adapter->sbands[NL80211_BAND_2GHZ];
+ if (common->num_supp_bands > 1) {
+- rsi_register_rates_channels(adapter, NL80211_BAND_5GHZ);
++ status = rsi_register_rates_channels(adapter,
++ NL80211_BAND_5GHZ);
++ if (status)
++ return status;
+ wiphy->bands[NL80211_BAND_5GHZ] =
+ &adapter->sbands[NL80211_BAND_5GHZ];
+ }
+--
+2.20.1
+
--- /dev/null
+From f89fcf9e5afcda7c263be488d359cdf0008b8e3e Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Fri, 26 Apr 2019 14:36:35 -0400
+Subject: rtc: 88pm860x: prevent use-after-free on device remove
+
+[ Upstream commit f22b1ba15ee5785aa028384ebf77dd39e8e47b70 ]
+
+The device's remove() attempts to shut down the delayed_work scheduled
+on the kernel-global workqueue by calling flush_scheduled_work().
+
+Unfortunately, flush_scheduled_work() does not prevent the delayed_work
+from re-scheduling itself. The delayed_work might run after the device
+has been removed, and touch the already de-allocated info structure.
+This is a potential use-after-free.
+
+Fix by calling cancel_delayed_work_sync() during remove(): this ensures
+that the delayed work is properly cancelled, is no longer running, and
+is not able to re-schedule itself.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-88pm860x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c
+index d25282b4a7dd1..73697e4b18a9d 100644
+--- a/drivers/rtc/rtc-88pm860x.c
++++ b/drivers/rtc/rtc-88pm860x.c
+@@ -421,7 +421,7 @@ static int pm860x_rtc_remove(struct platform_device *pdev)
+ struct pm860x_rtc_info *info = platform_get_drvdata(pdev);
+
+ #ifdef VRTC_CALIBRATION
+- flush_scheduled_work();
++ cancel_delayed_work_sync(&info->calib_work);
+ /* disable measurement */
+ pm860x_set_bits(info->i2c, PM8607_MEAS_EN2, MEAS2_VRTC, 0);
+ #endif /* VRTC_CALIBRATION */
+--
+2.20.1
+
--- /dev/null
+From 3309097b70b18fbcd7b61051f6d2d1f6ec894f21 Mon Sep 17 00:00:00 2001
+From: Fabien Dessenne <fabien.dessenne@st.com>
+Date: Wed, 24 Apr 2019 14:26:48 +0200
+Subject: rtc: stm32: manage the get_irq probe defer case
+
+[ Upstream commit cf612c5949aca2bd81a1e28688957c8149ea2693 ]
+
+Manage the -EPROBE_DEFER error case for the wake IRQ.
+
+Signed-off-by: Fabien Dessenne <fabien.dessenne@st.com>
+Acked-by: Amelie Delaunay <amelie.delaunay@st.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-stm32.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/rtc/rtc-stm32.c b/drivers/rtc/rtc-stm32.c
+index c5908cfea2340..8e6c9b3bcc29a 100644
+--- a/drivers/rtc/rtc-stm32.c
++++ b/drivers/rtc/rtc-stm32.c
+@@ -788,11 +788,14 @@ static int stm32_rtc_probe(struct platform_device *pdev)
+ ret = device_init_wakeup(&pdev->dev, true);
+ if (rtc->data->has_wakeirq) {
+ rtc->wakeirq_alarm = platform_get_irq(pdev, 1);
+- if (rtc->wakeirq_alarm <= 0)
+- ret = rtc->wakeirq_alarm;
+- else
++ if (rtc->wakeirq_alarm > 0) {
+ ret = dev_pm_set_dedicated_wake_irq(&pdev->dev,
+ rtc->wakeirq_alarm);
++ } else {
++ ret = rtc->wakeirq_alarm;
++ if (rtc->wakeirq_alarm == -EPROBE_DEFER)
++ goto err;
++ }
+ }
+ if (ret)
+ dev_warn(&pdev->dev, "alarm can't wake up the system: %d", ret);
+--
+2.20.1
+
--- /dev/null
+From 1d0f6e692f49f6a0d85ed1ea8b97eff818ddfe8f Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 20 Mar 2019 13:32:27 +0100
+Subject: rtc: xgene: fix possible race condition
+
+[ Upstream commit a652e00ee1233e251a337c28e18a1da59224e5ce ]
+
+The IRQ is requested before the struct rtc is allocated and registered, but
+this struct is used in the IRQ handler. This may lead to a NULL pointer
+dereference.
+
+Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
+struct before requesting the IRQ.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-xgene.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/rtc/rtc-xgene.c b/drivers/rtc/rtc-xgene.c
+index 153820876a820..2f741f455c30a 100644
+--- a/drivers/rtc/rtc-xgene.c
++++ b/drivers/rtc/rtc-xgene.c
+@@ -168,6 +168,10 @@ static int xgene_rtc_probe(struct platform_device *pdev)
+ if (IS_ERR(pdata->csr_base))
+ return PTR_ERR(pdata->csr_base);
+
++ pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
++ if (IS_ERR(pdata->rtc))
++ return PTR_ERR(pdata->rtc);
++
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0) {
+ dev_err(&pdev->dev, "No IRQ resource\n");
+@@ -198,15 +202,15 @@ static int xgene_rtc_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- pdata->rtc = devm_rtc_device_register(&pdev->dev, pdev->name,
+- &xgene_rtc_ops, THIS_MODULE);
+- if (IS_ERR(pdata->rtc)) {
+- clk_disable_unprepare(pdata->clk);
+- return PTR_ERR(pdata->rtc);
+- }
+-
+ /* HW does not support update faster than 1 seconds */
+ pdata->rtc->uie_unsupported = 1;
++ pdata->rtc->ops = &xgene_rtc_ops;
++
++ ret = rtc_register_device(pdata->rtc);
++ if (ret) {
++ clk_disable_unprepare(pdata->clk);
++ return ret;
++ }
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 749090df2190a1d7f31c65fb0b7c30304b156cd8 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 02:56:33 -0500
+Subject: rtlwifi: fix a potential NULL pointer dereference
+
+[ Upstream commit 765976285a8c8db3f0eb7f033829a899d0c2786e ]
+
+In case alloc_workqueue fails, the fix reports the error and
+returns to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
+index 217d2a7a43c74..ac746c322554b 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -448,6 +448,11 @@ static void _rtl_init_deferred_work(struct ieee80211_hw *hw)
+ /* <2> work queue */
+ rtlpriv->works.hw = hw;
+ rtlpriv->works.rtl_wq = alloc_workqueue("%s", 0, 0, rtlpriv->cfg->name);
++ if (unlikely(!rtlpriv->works.rtl_wq)) {
++ pr_err("Failed to allocate work queue\n");
++ return;
++ }
++
+ INIT_DELAYED_WORK(&rtlpriv->works.watchdog_wq,
+ (void *)rtl_watchdog_wq_callback);
+ INIT_DELAYED_WORK(&rtlpriv->works.ips_nic_off_wq,
+--
+2.20.1
+
--- /dev/null
+From 7a6aca458b5351267e64ed68f96cb556456a91bc Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Tue, 12 Mar 2019 17:06:48 +0800
+Subject: rtlwifi: fix potential NULL pointer dereference
+
+[ Upstream commit 60209d482b97743915883d293c8b85226d230c19 ]
+
+In case dev_alloc_skb fails, the fix safely returns to avoid
+potential NULL pointer dereference.
+
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c | 4 ++++
+ 6 files changed, 14 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c
+index 203e7b574e845..e2e0bfbc24fe2 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c
+@@ -600,6 +600,8 @@ void rtl88e_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
+index 18c76990a0898..86b1b88cc4ed8 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
+@@ -623,6 +623,8 @@ void rtl92c_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ if (cmd_send_packet)
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
+index 7c5b54b71a92f..67305ce915ec4 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
+@@ -744,6 +744,8 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
+index be451a6f7dbe5..33481232fad01 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
+@@ -448,6 +448,8 @@ void rtl8723e_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
+index 4d7fa27f55caa..aa56058af56ef 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
+@@ -562,6 +562,8 @@ void rtl8723be_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+ u1rsvdpageloc, sizeof(u1rsvdpageloc));
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
+index dc0eb692088f6..fe32d397d2875 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
+@@ -1623,6 +1623,8 @@ void rtl8812ae_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+ &reserved_page_packet_8812[0], totalpacketlen);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet_8812, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+@@ -1759,6 +1761,8 @@ void rtl8821ae_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+ &reserved_page_packet_8821[0], totalpacketlen);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet_8821, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+--
+2.20.1
+
--- /dev/null
+From 95133d79bf385b234d1cffc244656325dcc421f7 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 8 Apr 2019 23:26:20 +0200
+Subject: s390: cio: fix cio_irb declaration
+
+[ Upstream commit e91012ee855ad9f5ef2ab106a3de51db93fe4d0c ]
+
+clang points out that the declaration of cio_irb does not match the
+definition exactly, it is missing the alignment attribute:
+
+../drivers/s390/cio/cio.c:50:1: warning: section does not match previous declaration [-Wsection]
+DEFINE_PER_CPU_ALIGNED(struct irb, cio_irb);
+^
+../include/linux/percpu-defs.h:150:2: note: expanded from macro 'DEFINE_PER_CPU_ALIGNED'
+ DEFINE_PER_CPU_SECTION(type, name, PER_CPU_ALIGNED_SECTION) \
+ ^
+../include/linux/percpu-defs.h:93:9: note: expanded from macro 'DEFINE_PER_CPU_SECTION'
+ extern __PCPU_ATTRS(sec) __typeof__(type) name; \
+ ^
+../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS'
+ __percpu __attribute__((section(PER_CPU_BASE_SECTION sec))) \
+ ^
+../drivers/s390/cio/cio.h:118:1: note: previous attribute is here
+DECLARE_PER_CPU(struct irb, cio_irb);
+^
+../include/linux/percpu-defs.h:111:2: note: expanded from macro 'DECLARE_PER_CPU'
+ DECLARE_PER_CPU_SECTION(type, name, "")
+ ^
+../include/linux/percpu-defs.h:87:9: note: expanded from macro 'DECLARE_PER_CPU_SECTION'
+ extern __PCPU_ATTRS(sec) __typeof__(type) name
+ ^
+../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS'
+ __percpu __attribute__((section(PER_CPU_BASE_SECTION sec))) \
+ ^
+Use DECLARE_PER_CPU_ALIGNED() here, to make the two match.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/cio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h
+index 9811fd8a0c731..92eabbb5f18d4 100644
+--- a/drivers/s390/cio/cio.h
++++ b/drivers/s390/cio/cio.h
+@@ -115,7 +115,7 @@ struct subchannel {
+ struct schib_config config;
+ } __attribute__ ((aligned(8)));
+
+-DECLARE_PER_CPU(struct irb, cio_irb);
++DECLARE_PER_CPU_ALIGNED(struct irb, cio_irb);
+
+ #define to_subchannel(n) container_of(n, struct subchannel, dev)
+
+--
+2.20.1
+
--- /dev/null
+From d8ab1c4a4d6079006056823de937ac36ad775d85 Mon Sep 17 00:00:00 2001
+From: Philipp Rudo <prudo@linux.ibm.com>
+Date: Mon, 1 Apr 2019 12:48:43 +0200
+Subject: s390/kexec_file: Fix detection of text segment in ELF loader
+
+[ Upstream commit 729829d775c9a5217abc784b2f16087d79c4eec8 ]
+
+To register data for the next kernel (command line, oldmem_base, etc.) the
+current kernel needs to find the ELF segment that contains head.S. This is
+currently done by checking ifor 'phdr->p_paddr == 0'. This works fine for
+the current kernel build but in theory the first few pages could be
+skipped. Make the detection more robust by checking if the entry point lies
+within the segment.
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/kexec_elf.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/kexec_elf.c b/arch/s390/kernel/kexec_elf.c
+index 5a286b012043b..602e7cc26d118 100644
+--- a/arch/s390/kernel/kexec_elf.c
++++ b/arch/s390/kernel/kexec_elf.c
+@@ -19,10 +19,15 @@ static int kexec_file_add_elf_kernel(struct kimage *image,
+ struct kexec_buf buf;
+ const Elf_Ehdr *ehdr;
+ const Elf_Phdr *phdr;
++ Elf_Addr entry;
+ int i, ret;
+
+ ehdr = (Elf_Ehdr *)kernel;
+ buf.image = image;
++ if (image->type == KEXEC_TYPE_CRASH)
++ entry = STARTUP_KDUMP_OFFSET;
++ else
++ entry = ehdr->e_entry;
+
+ phdr = (void *)ehdr + ehdr->e_phoff;
+ for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
+@@ -35,7 +40,7 @@ static int kexec_file_add_elf_kernel(struct kimage *image,
+ buf.mem = ALIGN(phdr->p_paddr, phdr->p_align);
+ buf.memsz = phdr->p_memsz;
+
+- if (phdr->p_paddr == 0) {
++ if (entry - phdr->p_paddr < phdr->p_memsz) {
+ data->kernel_buf = buf.buffer;
+ data->memsz += STARTUP_NORMAL_OFFSET;
+
+--
+2.20.1
+
--- /dev/null
+From c589a54fe24bfec339f7af9283d5d972f6709057 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Sun, 7 Apr 2019 14:55:09 +0200
+Subject: s390/mm: silence compiler warning when compiling without CONFIG_PGSTE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 81a8f2beb32a5951ecf04385301f50879abc092b ]
+
+If CONFIG_PGSTE is not set (e.g. when compiling without KVM), GCC complains:
+
+ CC arch/s390/mm/pgtable.o
+arch/s390/mm/pgtable.c:413:15: warning: ‘pmd_alloc_map’ defined but not
+ used [-Wunused-function]
+ static pmd_t *pmd_alloc_map(struct mm_struct *mm, unsigned long addr)
+ ^~~~~~~~~~~~~
+
+Wrap the function with "#ifdef CONFIG_PGSTE" to silence the warning.
+
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/pgtable.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
+index 8485d6dc27549..9ebd01219812c 100644
+--- a/arch/s390/mm/pgtable.c
++++ b/arch/s390/mm/pgtable.c
+@@ -410,6 +410,7 @@ static inline pmd_t pmdp_flush_lazy(struct mm_struct *mm,
+ return old;
+ }
+
++#ifdef CONFIG_PGSTE
+ static pmd_t *pmd_alloc_map(struct mm_struct *mm, unsigned long addr)
+ {
+ pgd_t *pgd;
+@@ -427,6 +428,7 @@ static pmd_t *pmd_alloc_map(struct mm_struct *mm, unsigned long addr)
+ pmd = pmd_alloc(mm, pud, addr);
+ return pmd;
+ }
++#endif
+
+ pmd_t pmdp_xchg_direct(struct mm_struct *mm, unsigned long addr,
+ pmd_t *pmdp, pmd_t new)
+--
+2.20.1
+
--- /dev/null
+From 28c9d94b6473f64f8fa0a762799420b9df7ba327 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 25 Apr 2019 18:25:54 +0200
+Subject: s390: qeth: address type mismatch warning
+
+[ Upstream commit 46b83629dede262315aa82179d105581f11763b6 ]
+
+clang produces a harmless warning for each use for the qeth_adp_supported
+macro:
+
+drivers/s390/net/qeth_l2_main.c:559:31: warning: implicit conversion from enumeration type 'enum qeth_ipa_setadp_cmd' to
+ different enumeration type 'enum qeth_ipa_funcs' [-Wenum-conversion]
+ if (qeth_adp_supported(card, IPA_SETADP_SET_PROMISC_MODE))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/s390/net/qeth_core.h:179:41: note: expanded from macro 'qeth_adp_supported'
+ qeth_is_ipa_supported(&c->options.adp, f)
+ ~~~~~~~~~~~~~~~~~~~~~ ^
+
+Add a version of this macro that uses the correct types, and
+remove the unused qeth_adp_enabled() macro that has the same
+problem.
+
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_core.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h
+index c851cf6e01c43..d603dfea97ab2 100644
+--- a/drivers/s390/net/qeth_core.h
++++ b/drivers/s390/net/qeth_core.h
+@@ -163,6 +163,12 @@ struct qeth_vnicc_info {
+ bool rx_bcast_enabled;
+ };
+
++static inline int qeth_is_adp_supported(struct qeth_ipa_info *ipa,
++ enum qeth_ipa_setadp_cmd func)
++{
++ return (ipa->supported_funcs & func);
++}
++
+ static inline int qeth_is_ipa_supported(struct qeth_ipa_info *ipa,
+ enum qeth_ipa_funcs func)
+ {
+@@ -176,9 +182,7 @@ static inline int qeth_is_ipa_enabled(struct qeth_ipa_info *ipa,
+ }
+
+ #define qeth_adp_supported(c, f) \
+- qeth_is_ipa_supported(&c->options.adp, f)
+-#define qeth_adp_enabled(c, f) \
+- qeth_is_ipa_enabled(&c->options.adp, f)
++ qeth_is_adp_supported(&c->options.adp, f)
+ #define qeth_is_supported(c, f) \
+ qeth_is_ipa_supported(&c->options.ipa4, f)
+ #define qeth_is_enabled(c, f) \
+--
+2.20.1
+
--- /dev/null
+From e0e4791e0852f0dac8bb0ba8a61bbe667af2a0de Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Wed, 17 Apr 2019 18:17:29 +0200
+Subject: s390/qeth: handle error from qeth_update_from_chp_desc()
+
+[ Upstream commit a4cdc9baee0740748f16e50cd70c2607510df492 ]
+
+Subsequent code relies on the values that qeth_update_from_chp_desc()
+reads from the CHP descriptor. Rather than dealing with weird errors
+later on, just handle it properly here.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_core_main.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index 44bd6f04c145d..8c73a99daff3e 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -1308,7 +1308,7 @@ static void qeth_set_multiple_write_queues(struct qeth_card *card)
+ card->qdio.no_out_queues = 4;
+ }
+
+-static void qeth_update_from_chp_desc(struct qeth_card *card)
++static int qeth_update_from_chp_desc(struct qeth_card *card)
+ {
+ struct ccw_device *ccwdev;
+ struct channel_path_desc_fmt0 *chp_dsc;
+@@ -1318,7 +1318,7 @@ static void qeth_update_from_chp_desc(struct qeth_card *card)
+ ccwdev = card->data.ccwdev;
+ chp_dsc = ccw_device_get_chp_desc(ccwdev, 0);
+ if (!chp_dsc)
+- goto out;
++ return -ENOMEM;
+
+ card->info.func_level = 0x4100 + chp_dsc->desc;
+ if (card->info.type == QETH_CARD_TYPE_IQD)
+@@ -1333,6 +1333,7 @@ static void qeth_update_from_chp_desc(struct qeth_card *card)
+ kfree(chp_dsc);
+ QETH_DBF_TEXT_(SETUP, 2, "nr:%x", card->qdio.no_out_queues);
+ QETH_DBF_TEXT_(SETUP, 2, "lvl:%02x", card->info.func_level);
++ return 0;
+ }
+
+ static void qeth_init_qdio_info(struct qeth_card *card)
+@@ -4986,7 +4987,9 @@ int qeth_core_hardsetup_card(struct qeth_card *card, bool *carrier_ok)
+
+ QETH_DBF_TEXT(SETUP, 2, "hrdsetup");
+ atomic_set(&card->force_alloc_skb, 0);
+- qeth_update_from_chp_desc(card);
++ rc = qeth_update_from_chp_desc(card);
++ if (rc)
++ return rc;
+ retry:
+ if (retries < 3)
+ QETH_DBF_MESSAGE(2, "Retrying to do IDX activates on device %x.\n",
+@@ -5641,7 +5644,9 @@ static int qeth_core_probe_device(struct ccwgroup_device *gdev)
+ }
+
+ qeth_setup_card(card);
+- qeth_update_from_chp_desc(card);
++ rc = qeth_update_from_chp_desc(card);
++ if (rc)
++ goto err_chp_desc;
+
+ card->dev = qeth_alloc_netdev(card);
+ if (!card->dev) {
+@@ -5676,6 +5681,7 @@ static int qeth_core_probe_device(struct ccwgroup_device *gdev)
+ qeth_core_free_discipline(card);
+ err_load:
+ free_netdev(card->dev);
++err_chp_desc:
+ err_card:
+ qeth_core_free_card(card);
+ err_dev:
+--
+2.20.1
+
--- /dev/null
+From 41e332b90d671dc860ba036f998f47eb0299f674 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 8 Apr 2019 23:26:18 +0200
+Subject: s390: zcrypt: initialize variables before_use
+
+[ Upstream commit 913140e221567b3ecd21b4242257a7e3fa279026 ]
+
+The 'func_code' variable gets printed in debug statements without
+a prior initialization in multiple functions, as reported when building
+with clang:
+
+drivers/s390/crypto/zcrypt_api.c:659:6: warning: variable 'func_code' is used uninitialized whenever 'if' condition is true
+ [-Wsometimes-uninitialized]
+ if (mex->outputdatalength < mex->inputdatalength) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/s390/crypto/zcrypt_api.c:725:29: note: uninitialized use occurs here
+ trace_s390_zcrypt_rep(mex, func_code, rc,
+ ^~~~~~~~~
+drivers/s390/crypto/zcrypt_api.c:659:2: note: remove the 'if' if its condition is always false
+ if (mex->outputdatalength < mex->inputdatalength) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/s390/crypto/zcrypt_api.c:654:24: note: initialize the variable 'func_code' to silence this warning
+ unsigned int func_code;
+ ^
+
+Add initializations to all affected code paths to shut up the warning
+and make the warning output consistent.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_api.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
+index 689c2af7026a3..c31b2d31cd832 100644
+--- a/drivers/s390/crypto/zcrypt_api.c
++++ b/drivers/s390/crypto/zcrypt_api.c
+@@ -659,6 +659,7 @@ static long zcrypt_rsa_modexpo(struct ap_perms *perms,
+ trace_s390_zcrypt_req(mex, TP_ICARSAMODEXPO);
+
+ if (mex->outputdatalength < mex->inputdatalength) {
++ func_code = 0;
+ rc = -EINVAL;
+ goto out;
+ }
+@@ -742,6 +743,7 @@ static long zcrypt_rsa_crt(struct ap_perms *perms,
+ trace_s390_zcrypt_req(crt, TP_ICARSACRT);
+
+ if (crt->outputdatalength < crt->inputdatalength) {
++ func_code = 0;
+ rc = -EINVAL;
+ goto out;
+ }
+@@ -951,6 +953,7 @@ static long zcrypt_send_ep11_cprb(struct ap_perms *perms,
+
+ targets = kcalloc(target_num, sizeof(*targets), GFP_KERNEL);
+ if (!targets) {
++ func_code = 0;
+ rc = -ENOMEM;
+ goto out;
+ }
+@@ -958,6 +961,7 @@ static long zcrypt_send_ep11_cprb(struct ap_perms *perms,
+ uptr = (struct ep11_target_dev __force __user *) xcrb->targets;
+ if (copy_from_user(targets, uptr,
+ target_num * sizeof(*targets))) {
++ func_code = 0;
+ rc = -EFAULT;
+ goto out_free;
+ }
+--
+2.20.1
+
--- /dev/null
+From b88d0b6a79ee94762f3f0a2caa6060261aecc2b2 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Thu, 4 Apr 2019 14:37:14 -0700
+Subject: samples/bpf: fix build with new clang
+
+[ Upstream commit 636e78b1cdb40b77a79b143dbd9d94847b360efa ]
+
+clang started to error on invalid asm clobber usage in x86 headers
+and many bpf program samples failed to build with the message:
+
+ CLANG-bpf /data/users/ast/bpf-next/samples/bpf/xdp_redirect_kern.o
+In file included from /data/users/ast/bpf-next/samples/bpf/xdp_redirect_kern.c:14:
+In file included from ../include/linux/in.h:23:
+In file included from ../include/uapi/linux/in.h:24:
+In file included from ../include/linux/socket.h:8:
+In file included from ../include/linux/uio.h:14:
+In file included from ../include/crypto/hash.h:16:
+In file included from ../include/linux/crypto.h:26:
+In file included from ../include/linux/uaccess.h:5:
+In file included from ../include/linux/sched.h:15:
+In file included from ../include/linux/sem.h:5:
+In file included from ../include/uapi/linux/sem.h:5:
+In file included from ../include/linux/ipc.h:9:
+In file included from ../include/linux/refcount.h:72:
+../arch/x86/include/asm/refcount.h:72:36: error: asm-specifier for input or output variable conflicts with asm clobber list
+ r->refs.counter, e, "er", i, "cx");
+ ^
+../arch/x86/include/asm/refcount.h:86:27: error: asm-specifier for input or output variable conflicts with asm clobber list
+ r->refs.counter, e, "cx");
+ ^
+2 errors generated.
+
+Override volatile() to workaround the problem.
+
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/asm_goto_workaround.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/samples/bpf/asm_goto_workaround.h b/samples/bpf/asm_goto_workaround.h
+index 5cd7c1d1a5d56..7409722727ca1 100644
+--- a/samples/bpf/asm_goto_workaround.h
++++ b/samples/bpf/asm_goto_workaround.h
+@@ -13,4 +13,5 @@
+ #define asm_volatile_goto(x...) asm volatile("invalid use of asm_volatile_goto")
+ #endif
+
++#define volatile(x...) volatile("")
+ #endif
+--
+2.20.1
+
--- /dev/null
+From b66d90b50b2fb988e3a4a9cceced6120b954cbb1 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 27 Feb 2019 11:10:20 +0300
+Subject: sched/core: Check quota and period overflow at usec to nsec
+ conversion
+
+[ Upstream commit 1a8b4540db732ca16c9e43ac7c08b1b8f0b252d8 ]
+
+Large values could overflow u64 and pass following sanity checks.
+
+ # echo 18446744073750000 > cpu.cfs_period_us
+ # cat cpu.cfs_period_us
+ 40448
+
+ # echo 18446744073750000 > cpu.cfs_quota_us
+ # cat cpu.cfs_quota_us
+ 40448
+
+After this patch they will fail with -EINVAL.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/155125502079.293431.3947497929372138600.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 4778c48a7fda4..89c9c1d7d22c5 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -6661,8 +6661,10 @@ int tg_set_cfs_quota(struct task_group *tg, long cfs_quota_us)
+ period = ktime_to_ns(tg->cfs_bandwidth.period);
+ if (cfs_quota_us < 0)
+ quota = RUNTIME_INF;
+- else
++ else if ((u64)cfs_quota_us <= U64_MAX / NSEC_PER_USEC)
+ quota = (u64)cfs_quota_us * NSEC_PER_USEC;
++ else
++ return -EINVAL;
+
+ return tg_set_cfs_bandwidth(tg, period, quota);
+ }
+@@ -6684,6 +6686,9 @@ int tg_set_cfs_period(struct task_group *tg, long cfs_period_us)
+ {
+ u64 quota, period;
+
++ if ((u64)cfs_period_us > U64_MAX / NSEC_PER_USEC)
++ return -EINVAL;
++
+ period = (u64)cfs_period_us * NSEC_PER_USEC;
+ quota = tg->cfs_bandwidth.quota;
+
+--
+2.20.1
+
--- /dev/null
+From c8f06ec51d099c389892daa81592a0cb9028ed8e Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 27 Feb 2019 11:10:18 +0300
+Subject: sched/core: Handle overflow in cpu_shares_write_u64
+
+[ Upstream commit 5b61d50ab4ef590f5e1d4df15cd2cea5f5715308 ]
+
+Bit shift in scale_load() could overflow shares. This patch saturates
+it to MAX_SHARES like following sched_group_set_shares().
+
+Example:
+
+ # echo 9223372036854776832 > cpu.shares
+ # cat cpu.shares
+
+Before patch: 1024
+After pattch: 262144
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/155125501891.293431.3345233332801109696.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 89c9c1d7d22c5..a75ad50b5e2ff 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -6559,6 +6559,8 @@ static void cpu_cgroup_attach(struct cgroup_taskset *tset)
+ static int cpu_shares_write_u64(struct cgroup_subsys_state *css,
+ struct cftype *cftype, u64 shareval)
+ {
++ if (shareval > scale_load_down(ULONG_MAX))
++ shareval = MAX_SHARES;
+ return sched_group_set_shares(css_tg(css), scale_load(shareval));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 288de1e1102cd367acd77b7738959ca4acb2a2e3 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 12 Apr 2019 14:26:13 +1000
+Subject: sched/nohz: Run NOHZ idle load balancer on HK_FLAG_MISC CPUs
+
+[ Upstream commit 9b019acb72e4b5741d88e8936d6f200ed44b66b2 ]
+
+The NOHZ idle balancer runs on the lowest idle CPU. This can
+interfere with isolated CPUs, so confine it to HK_FLAG_MISC
+housekeeping CPUs.
+
+HK_FLAG_SCHED is not used for this because it is not set anywhere
+at the moment. This could be folded into HK_FLAG_SCHED once that
+option is fixed.
+
+The problem was observed with increased jitter on an application
+running on CPU0, caused by NOHZ idle load balancing being run on
+CPU1 (an SMT sibling).
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190412042613.28930-1-npiggin@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 35f3ea3750844..232491e3ed0db 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -9551,22 +9551,26 @@ static inline int on_null_domain(struct rq *rq)
+ * - When one of the busy CPUs notice that there may be an idle rebalancing
+ * needed, they will kick the idle load balancer, which then does idle
+ * load balancing for all the idle CPUs.
++ * - HK_FLAG_MISC CPUs are used for this task, because HK_FLAG_SCHED not set
++ * anywhere yet.
+ */
+
+ static inline int find_new_ilb(void)
+ {
+- int ilb = cpumask_first(nohz.idle_cpus_mask);
++ int ilb;
+
+- if (ilb < nr_cpu_ids && idle_cpu(ilb))
+- return ilb;
++ for_each_cpu_and(ilb, nohz.idle_cpus_mask,
++ housekeeping_cpumask(HK_FLAG_MISC)) {
++ if (idle_cpu(ilb))
++ return ilb;
++ }
+
+ return nr_cpu_ids;
+ }
+
+ /*
+- * Kick a CPU to do the nohz balancing, if it is time for it. We pick the
+- * nohz_load_balancer CPU (if there is one) otherwise fallback to any idle
+- * CPU (if there is one).
++ * Kick a CPU to do the nohz balancing, if it is time for it. We pick any
++ * idle CPU in the HK_FLAG_MISC housekeeping set (if there is one).
+ */
+ static void kick_ilb(unsigned int flags)
+ {
+--
+2.20.1
+
--- /dev/null
+From 03d3e265acc8f83246f87718fb91815a8f5b0bfc Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 27 Feb 2019 11:10:17 +0300
+Subject: sched/rt: Check integer overflow at usec to nsec conversion
+
+[ Upstream commit 1a010e29cfa00fee2888fd2fd4983f848cbafb58 ]
+
+Example of unhandled overflows:
+
+ # echo 18446744073709651 > cpu.rt_runtime_us
+ # cat cpu.rt_runtime_us
+ 99
+
+ # echo 18446744073709900 > cpu.rt_period_us
+ # cat cpu.rt_period_us
+ 348
+
+After this patch they will fail with -EINVAL.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/155125501739.293431.5252197504404771496.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/rt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
+index 90fa23d36565d..1e6b909dca367 100644
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -2555,6 +2555,8 @@ int sched_group_set_rt_runtime(struct task_group *tg, long rt_runtime_us)
+ rt_runtime = (u64)rt_runtime_us * NSEC_PER_USEC;
+ if (rt_runtime_us < 0)
+ rt_runtime = RUNTIME_INF;
++ else if ((u64)rt_runtime_us > U64_MAX / NSEC_PER_USEC)
++ return -EINVAL;
+
+ return tg_set_rt_bandwidth(tg, rt_period, rt_runtime);
+ }
+@@ -2575,6 +2577,9 @@ int sched_group_set_rt_period(struct task_group *tg, u64 rt_period_us)
+ {
+ u64 rt_runtime, rt_period;
+
++ if (rt_period_us > U64_MAX / NSEC_PER_USEC)
++ return -EINVAL;
++
+ rt_period = rt_period_us * NSEC_PER_USEC;
+ rt_runtime = tg->rt_bandwidth.rt_runtime;
+
+--
+2.20.1
+
--- /dev/null
+From 081b51d3bfdd81a3ac06dbbf20dea729a91c0730 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Fri, 12 Apr 2019 16:57:56 +0800
+Subject: scsi: libsas: Do discovery on empty PHY to update PHY info
+
+[ Upstream commit d8649fc1c5e40e691d589ed825998c36a947491c ]
+
+When we discover the PHY is empty in sas_rediscover_dev(), the PHY
+information (like negotiated linkrate) is not updated.
+
+As such, for a user examining sysfs for that PHY, they would see
+incorrect values:
+
+root@(none)$ cd /sys/class/sas_phy/phy-0:0:20
+root@(none)$ more negotiated_linkrate
+3.0 Gbit
+root@(none)$ echo 0 > enable
+root@(none)$ more negotiated_linkrate
+3.0 Gbit
+
+So fix this, simply discover the PHY again, even though we know it's empty;
+in the above example, this gives us:
+
+root@(none)$ more negotiated_linkrate
+Phy disabled
+
+We must do this after unregistering the device associated with the PHY
+(in sas_unregister_devs_sas_addr()).
+
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 17b45a0c7bc38..3611a4ef0d150 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -2052,6 +2052,11 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id, bool last)
+ if ((SAS_ADDR(sas_addr) == 0) || (res == -ECOMM)) {
+ phy->phy_state = PHY_EMPTY;
+ sas_unregister_devs_sas_addr(dev, phy_id, last);
++ /*
++ * Even though the PHY is empty, for convenience we discover
++ * the PHY to update the PHY info, like negotiated linkrate.
++ */
++ sas_ex_phy_discover(dev, phy_id);
+ return res;
+ } else if (SAS_ADDR(sas_addr) == SAS_ADDR(phy->attached_sas_addr) &&
+ dev_type_flutter(type, phy->attached_dev_type)) {
+--
+2.20.1
+
--- /dev/null
+From e34309c2513a81b8670ddb98f6dde0a0b557eed0 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2019 15:25:49 +0100
+Subject: scsi: lpfc: avoid uninitialized variable warning
+
+[ Upstream commit faf5a744f4f8d76e7c03912b5cd381ac8045f6ec ]
+
+clang -Wuninitialized incorrectly sees a variable being used without
+initialization:
+
+drivers/scsi/lpfc/lpfc_nvme.c:2102:37: error: variable 'localport' is uninitialized when used here
+ [-Werror,-Wuninitialized]
+ lport = (struct lpfc_nvme_lport *)localport->private;
+ ^~~~~~~~~
+drivers/scsi/lpfc/lpfc_nvme.c:2059:38: note: initialize the variable 'localport' to silence this warning
+ struct nvme_fc_local_port *localport;
+ ^
+ = NULL
+1 error generated.
+
+This is clearly in dead code, as the condition leading up to it is always
+false when CONFIG_NVME_FC is disabled, and the variable is always
+initialized when nvme_fc_register_localport() got called successfully.
+
+Change the preprocessor conditional to the equivalent C construct, which
+makes the code more readable and gets rid of the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nvme.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c
+index 1aa00d2c3f74e..9defff7118846 100644
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -2080,15 +2080,15 @@ lpfc_nvme_create_localport(struct lpfc_vport *vport)
+ lpfc_nvme_template.max_hw_queues =
+ phba->sli4_hba.num_present_cpu;
+
++ if (!IS_ENABLED(CONFIG_NVME_FC))
++ return ret;
++
+ /* localport is allocated from the stack, but the registration
+ * call allocates heap memory as well as the private area.
+ */
+-#if (IS_ENABLED(CONFIG_NVME_FC))
++
+ ret = nvme_fc_register_localport(&nfcp_info, &lpfc_nvme_template,
+ &vport->phba->pcidev->dev, &localport);
+-#else
+- ret = -ENOMEM;
+-#endif
+ if (!ret) {
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME | LOG_NVME_DISC,
+ "6005 Successfully registered local "
+--
+2.20.1
+
--- /dev/null
+From ef2b3968c15ee02c3d1328c2ae18696120b67299 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:21 -0700
+Subject: scsi: lpfc: Fix fc4type information for FDMI
+
+[ Upstream commit 32a80c093b524a0682f1c6166c910387b116ffce ]
+
+The driver is reporting support for NVME even when not configured for NVME
+operation.
+
+Fix (and make more readable) when NVME protocol support is indicated.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_ct.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
+index 2e0ba206c084c..25553e7ba85c8 100644
+--- a/drivers/scsi/lpfc/lpfc_ct.c
++++ b/drivers/scsi/lpfc/lpfc_ct.c
+@@ -2363,10 +2363,11 @@ lpfc_fdmi_port_attr_fc4type(struct lpfc_vport *vport,
+ ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ memset(ae, 0, 32);
+
+- ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */
+- ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */
+- ae->un.AttrTypes[6] = 0x01; /* Type 40 - NVME */
+- ae->un.AttrTypes[7] = 0x01; /* Type 32 - CT */
++ ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */
++ ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */
++ if (vport->nvmei_support || vport->phba->nvmet_support)
++ ae->un.AttrTypes[6] = 0x01; /* Type 0x28 - NVME */
++ ae->un.AttrTypes[7] = 0x01; /* Type 0x20 - CT */
+ size = FOURBYTES + 32;
+ ad->AttrLen = cpu_to_be16(size);
+ ad->AttrType = cpu_to_be16(RPRT_SUPPORTED_FC4_TYPES);
+@@ -2676,9 +2677,11 @@ lpfc_fdmi_port_attr_active_fc4type(struct lpfc_vport *vport,
+ ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ memset(ae, 0, 32);
+
+- ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */
+- ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */
+- ae->un.AttrTypes[7] = 0x01; /* Type 32 - CT */
++ ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */
++ ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */
++ if (vport->phba->cfg_enable_fc4_type & LPFC_ENABLE_NVME)
++ ae->un.AttrTypes[6] = 0x1; /* Type 0x28 - NVME */
++ ae->un.AttrTypes[7] = 0x01; /* Type 0x20 - CT */
+ size = FOURBYTES + 32;
+ ad->AttrLen = cpu_to_be16(size);
+ ad->AttrType = cpu_to_be16(RPRT_ACTIVE_FC4_TYPES);
+--
+2.20.1
+
--- /dev/null
+From d91c65351e2fb68f11e1642f0a3765380ae45c9a Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:20 -0700
+Subject: scsi: lpfc: Fix FDMI manufacturer attribute value
+
+[ Upstream commit d67f935b79a76ac9d86dde1a27bdd413feb5d987 ]
+
+The FDMI manufacturer value being reported on Linux is inconsistent with
+other OS's.
+
+Set the value to "Emulex Corporation" for consistency.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_ct.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
+index 2e3949c6cd071..2e0ba206c084c 100644
+--- a/drivers/scsi/lpfc/lpfc_ct.c
++++ b/drivers/scsi/lpfc/lpfc_ct.c
+@@ -2005,8 +2005,11 @@ lpfc_fdmi_hba_attr_manufacturer(struct lpfc_vport *vport,
+ ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ memset(ae, 0, 256);
+
++ /* This string MUST be consistent with other FC platforms
++ * supported by Broadcom.
++ */
+ strncpy(ae->un.AttrString,
+- "Broadcom Inc.",
++ "Emulex Corporation",
+ sizeof(ae->un.AttrString));
+ len = strnlen(ae->un.AttrString,
+ sizeof(ae->un.AttrString));
+--
+2.20.1
+
--- /dev/null
+From f127614d66236091ae1ff12e56ba37bc576754dc Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:19 -0700
+Subject: scsi: lpfc: Fix io lost on host resets
+
+[ Upstream commit c66a91974634bfdf9d8e8736219d3b27621fa704 ]
+
+If the driver undergoes repeated host resets it starts losing exchange
+structures and eventually returns SCSI_MLQUEUE_HOST_BUSY and does not
+recover. The offline path is not reclaiming the outstanding ios on the fcp
+pring txcmplq before calling lpfc_destroy_multixripool, which causes the
+txmcplq to be reinit and the resources lost.
+
+Flush the fcp rings before destroying the multixripools.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_init.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index 7fcdaed3fa945..89a0c2bdb6a15 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -3245,6 +3245,13 @@ void lpfc_destroy_multixri_pools(struct lpfc_hba *phba)
+ if (phba->cfg_enable_fc4_type & LPFC_ENABLE_NVME)
+ lpfc_destroy_expedite_pool(phba);
+
++ if (!(phba->pport->load_flag & FC_UNLOADING)) {
++ lpfc_sli_flush_fcp_rings(phba);
++
++ if (phba->cfg_enable_fc4_type & LPFC_ENABLE_NVME)
++ lpfc_sli_flush_nvme_rings(phba);
++ }
++
+ hwq_count = phba->cfg_hdw_queue;
+
+ for (i = 0; i < hwq_count; i++) {
+--
+2.20.1
+
--- /dev/null
+From 794b808ce34df15e35da6c5a6454ea674a52948a Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:18 -0700
+Subject: scsi: lpfc: Fix mailbox hang on adapter init
+
+[ Upstream commit e8869f5b0a7273fcf20ef99066fd8129e58ba5b7 ]
+
+The adapter initialization sequence enables interrupts, initializes the
+adapter link_state to LINK_DOWN, then issues commands to initialize the
+adapter. The interrupt handler on the adapter validates the link_state (has
+to be at least LINK_DOWN) and if invalid, will discard the interrupting
+event.
+
+In most cases, there is not a command completion, thus an interrupt until
+the initialization commands have been sent which is post the setting of
+state to LINK_DOWN. However, in cases of firmware reset, the reset will
+modify the link_state to an invalid value (indicating a reset of the
+adapter) and there occasionally are cases where the adapter will generate
+an asynchronous event which shares the eq/cq used for mailbox commands. In
+the failure case, an interrupt is generated immediately after enabling them
+due to the async event. As link_state is invalid, the eq is list and the
+CQ not serviced. At this point link_state is initialized and the mailbox
+command sent. As the CQ has not been serviced, it is not armed, so no
+interrupt event is generated when the mailbox command completes.
+
+Modify the initialization sequence so that interrupts are enabled after
+link_state is properly initialized, which avoids the race condition with
+the async event.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 57b4a463b5892..7d2abb70cf093 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -7652,12 +7652,6 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba)
+ phba->cfg_xri_rebalancing = 0;
+ }
+
+- /* Arm the CQs and then EQs on device */
+- lpfc_sli4_arm_cqeq_intr(phba);
+-
+- /* Indicate device interrupt mode */
+- phba->sli4_hba.intr_enable = 1;
+-
+ /* Allow asynchronous mailbox command to go through */
+ spin_lock_irq(&phba->hbalock);
+ phba->sli.sli_flag &= ~LPFC_SLI_ASYNC_MBX_BLK;
+@@ -7726,6 +7720,12 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba)
+ phba->trunk_link.link3.state = LPFC_LINK_DOWN;
+ spin_unlock_irq(&phba->hbalock);
+
++ /* Arm the CQs and then EQs on device */
++ lpfc_sli4_arm_cqeq_intr(phba);
++
++ /* Indicate device interrupt mode */
++ phba->sli4_hba.intr_enable = 1;
++
+ if (!(phba->hba_flag & HBA_FCOE_MODE) &&
+ (phba->hba_flag & LINK_DISABLED)) {
+ lpfc_printf_log(phba, KERN_ERR, LOG_INIT | LOG_SLI,
+--
+2.20.1
+
--- /dev/null
+From 93a03f429840521f8722a6b372328c083bd3557b Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:07 -0700
+Subject: scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
+
+[ Upstream commit c95a3b4b0fb8d351e2329a96f87c4fc96a149505 ]
+
+During debug, it was seen that the driver is issuing commands specific to
+SLI3 on SLI4 devices. Although the adapter correctly rejected the command,
+this should not be done.
+
+Revise the code to stop sending these commands on a SLI4 adapter.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index aa4961a2caf81..676f4bf3f33a3 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -932,7 +932,11 @@ lpfc_linkdown(struct lpfc_hba *phba)
+ }
+ }
+ lpfc_destroy_vport_work_array(phba, vports);
+- /* Clean up any firmware default rpi's */
++
++ /* Clean up any SLI3 firmware default rpi's */
++ if (phba->sli_rev > LPFC_SLI_REV3)
++ goto skip_unreg_did;
++
+ mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (mb) {
+ lpfc_unreg_did(phba, 0xffff, LPFC_UNREG_ALL_DFLT_RPIS, mb);
+@@ -944,6 +948,7 @@ lpfc_linkdown(struct lpfc_hba *phba)
+ }
+ }
+
++ skip_unreg_did:
+ /* Setup myDID for link up if we are in pt2pt mode */
+ if (phba->pport->fc_flag & FC_PT2PT) {
+ mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+@@ -4979,6 +4984,10 @@ lpfc_unreg_default_rpis(struct lpfc_vport *vport)
+ LPFC_MBOXQ_t *mbox;
+ int rc;
+
++ /* Unreg DID is an SLI3 operation. */
++ if (phba->sli_rev > LPFC_SLI_REV3)
++ return;
++
+ mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (mbox) {
+ lpfc_unreg_did(phba, vport->vpi, LPFC_UNREG_ALL_DFLT_RPIS,
+--
+2.20.1
+
--- /dev/null
+From 40bc9c18e30ba8197959d0ed96d0a94999b81050 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:06 -0700
+Subject: scsi: lpfc: Fix use-after-free mailbox cmd completion
+
+[ Upstream commit 9b1640686470fbbd1c6efb35ada6fe1427ea8d0f ]
+
+When unloading the driver, mailbox commands may be sent without holding a
+reference on the ndlp. By the time the mailbox command completes, the ndlp
+may have reduced its ref counts and been freed. The problem was reported
+by KASAN.
+
+While unregistering due to driver unload, have the completion noop'd by
+setting the ndlp context NULL'd. Due to the unload, no further action was
+necessary. Also, while reviewing this path, the generic nulling of the
+context after handling should be slightly moved.
+
+Reported by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 4 ++++
+ drivers/scsi/lpfc/lpfc_sli.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 676f4bf3f33a3..75e9d46d44d42 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -4873,6 +4873,10 @@ lpfc_unreg_rpi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
+ * accept PLOGIs after unreg_rpi_cmpl
+ */
+ acc_plogi = 0;
++ } else if (vport->load_flag & FC_UNLOADING) {
++ mbox->ctx_ndlp = NULL;
++ mbox->mbox_cmpl =
++ lpfc_sli_def_mbox_cmpl;
+ } else {
+ mbox->ctx_ndlp = ndlp;
+ mbox->mbox_cmpl =
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 7d2abb70cf093..dc933b6d7800e 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -2502,8 +2502,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
+ } else {
+ ndlp->nlp_flag &= ~NLP_UNREG_INP;
+ }
++ pmb->ctx_ndlp = NULL;
+ }
+- pmb->ctx_ndlp = NULL;
+ }
+
+ /* Check security permission status on INIT_LINK mailbox command */
+--
+2.20.1
+
--- /dev/null
+From e97c6969923d8764b97646a6259e524cd6152017 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:04 -0700
+Subject: scsi: lpfc: Resolve inconsistent check of hdwq in
+ lpfc_scsi_cmd_iocb_cmpl
+
+[ Upstream commit ff6bf89717b0dc7b8dd0934d1c065f29069831e7 ]
+
+A prior patch which added support for non-uniform allocation of MSIX
+vectors now causes a smatch complaint:
+
+ drivers/scsi/lpfc/lpfc_scsi.c:3674 lpfc_scsi_cmd_iocb_cmpl()
+ error: we previously assumed 'phba->sli4_hba.hdwq' could be
+ null (see line 3667)
+
+Resolve by removing the unnecessary check for a NULL hdwq table.
+
+Fixes 6a828b0f6192: ("scsi: lpfc: Support non-uniform allocation of MSIX vectors to hardware queues")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_scsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
+index a497b2c0cb798..25501d4605ff3 100644
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -3670,7 +3670,7 @@ lpfc_scsi_cmd_iocb_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pIocbIn,
+ #ifdef CONFIG_SCSI_LPFC_DEBUG_FS
+ if (phba->cpucheck_on & LPFC_CHECK_SCSI_IO) {
+ cpu = smp_processor_id();
+- if (cpu < LPFC_CHECK_CPU_CNT)
++ if (cpu < LPFC_CHECK_CPU_CNT && phba->sli4_hba.hdwq)
+ phba->sli4_hba.hdwq[idx].cpucheck_cmpl_io[cpu]++;
+ }
+ #endif
+--
+2.20.1
+
--- /dev/null
+From e8a8f5b00c8d0ca0d5b35277b8e0fc840acc5357 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:05 -0700
+Subject: scsi: lpfc: Resolve irq-unsafe lockdep heirarchy warning in
+ lpfc_io_free
+
+[ Upstream commit 50e3f871fb20a9bb644743e2986e8f50f98a25bc ]
+
+A patch in the 12.2.0.0 set caused a new lockdep warning:
+
+ WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
+ 5.0.0-rc8-next-20190301-dbg+ #1 Not tainted
+
+ Possible interrupt unsafe locking scenario:
+ CPU0 CPU1
+ ---- ----
+ lock(&(&qp->io_buf_list_put_lock)->rlock);
+ local_irq_disable();
+ lock(&(&phba->hbalock)->rlock);
+ lock(&(&qp->io_buf_list_put_lock)->rlock);
+ <Interrupt>
+ lock(&(&phba->hbalock)->rlock);
+
+see: https://www.spinics.net/lists/linux-scsi/msg128389.html
+
+In summary, the new patch added taking the io_buf_list_put_lock while under
+an irq-disabled hbalock. This created a lock heirarchy dependent upon irq
+being disabled, and there are paths that take the io_buf_list_put_lock
+without disabling irq.
+
+Looking at the lpfc_io_free routine, which is where the new heirarchy was
+introduced, there is no reason to be taking out the hbalock and raising
+irq, as the functionality is replaced by the io_buf_list_xxx locks.
+
+Resolve by removing the hbalock/irq calls in lpfc_io_free.
+
+Fixes: 5e5b511d8bfa ("scsi: lpfc: Partition XRI buffer list across Hardware Queues")
+Reported-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_init.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index 89a0c2bdb6a15..46e155d1fa155 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -3618,8 +3618,6 @@ lpfc_io_free(struct lpfc_hba *phba)
+ struct lpfc_sli4_hdw_queue *qp;
+ int idx;
+
+- spin_lock_irq(&phba->hbalock);
+-
+ for (idx = 0; idx < phba->cfg_hdw_queue; idx++) {
+ qp = &phba->sli4_hba.hdwq[idx];
+ /* Release all the lpfc_nvme_bufs maintained by this host. */
+@@ -3649,8 +3647,6 @@ lpfc_io_free(struct lpfc_hba *phba)
+ }
+ spin_unlock(&qp->io_buf_list_get_lock);
+ }
+-
+- spin_unlock_irq(&phba->hbalock);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 04f04ce63f3b38f3d94f75c798d1c8d506ee257e Mon Sep 17 00:00:00 2001
+From: Chad Dupuis <cdupuis@marvell.com>
+Date: Tue, 26 Mar 2019 00:38:35 -0700
+Subject: scsi: qedf: Add missing return in qedf_post_io_req() in the fcport
+ offload check
+
+[ Upstream commit c5e06ba2f76809ad1492fdad312e81335df46bc5 ]
+
+Fixes the following crash as the return was missing from the check if an
+fcport is offloaded. If we hit this code we continue to try to post an
+invalid task which can lead to the crash:
+
+[30259.616411] [0000:61:00.3]:[qedf_post_io_req:989]:3: Session not offloaded yet.
+[30259.616413] [0000:61:00.3]:[qedf_upload_connection:1340]:3: Uploading connection port_id=490020.
+[30259.623769] BUG: unable to handle kernel NULL pointer dereference at 0000000000000198
+[30259.631645] IP: [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
+[30259.638816] PGD 0
+[30259.640841] Oops: 0000 [#1] SMP
+[30259.644098] Modules linked in: fuse xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables devlink ip6table_filter ip6_tables iptable_filter vfat fat ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib ib_ucm ib_umad dm_service_time skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel rpcrdma sunrpc rdma_ucm ib_uverbs lrw gf128mul ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi qedr(OE) glue_helper ablk_helper cryptd ib_core dm_round_robin joydev pcspkr ipmi_ssif ses enclosure ipmi_si ipmi_devintf ipmi_msghandler mei_me
+[30259.715529] mei sg hpilo hpwdt shpchp wmi lpc_ich acpi_power_meter dm_multipath ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic uas usb_storage mgag200 qedf(OE) i2c_algo_bit libfcoe drm_kms_helper libfc syscopyarea sysfillrect scsi_transport_fc qede(OE) sysimgblt fb_sys_fops ptp ttm pps_core drm qed(OE) smartpqi crct10dif_pclmul crct10dif_common crc32c_intel i2c_core scsi_transport_sas scsi_tgt dm_mirror dm_region_hash dm_log dm_mod
+[30259.754237] CPU: 9 PID: 977 Comm: kdmwork-253:7 Kdump: loaded Tainted: G W OE ------------ 3.10.0-862.el7.x86_64 #1
+[30259.765664] Hardware name: HPE Synergy 480 Gen10/Synergy 480 Gen10 Compute Module, BIOS I42 04/04/2018
+[30259.775000] task: ffff8c801efd0000 ti: ffff8c801efd8000 task.ti: ffff8c801efd8000
+[30259.782505] RIP: 0010:[<ffffffffc035b1ed>] [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
+[30259.792116] RSP: 0018:ffff8c801efdbbb0 EFLAGS: 00010046
+[30259.797444] RAX: 0000000000000000 RBX: ffffa7f1450948d8 RCX: ffff8c7fe5bc40c8
+[30259.804600] RDX: ffff8c800715b300 RSI: ffffa7f1450948d8 RDI: ffff8c80169c2480
+[30259.811755] RBP: ffff8c801efdbc30 R08: 00000000000000ae R09: ffff8c800a314540
+[30259.818911] R10: ffff8c7fe5bc40c8 R11: ffff8c801efdb8ae R12: 0000000000000000
+[30259.826068] R13: ffff8c800715b300 R14: ffff8c80169c2480 R15: ffff8c8005da28e0
+[30259.833223] FS: 0000000000000000(0000) GS:ffff8c803f840000(0000) knlGS:0000000000000000
+[30259.841338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[30259.847100] CR2: 0000000000000198 CR3: 000000081242e000 CR4: 00000000007607e0
+[30259.854256] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[30259.861412] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[30259.868568] PKRU: 00000000
+[30259.871278] Call Trace:
+[30259.873737] [<ffffffffc035c948>] qedf_post_io_req+0x148/0x680 [qedf]
+[30259.880201] [<ffffffffc035d070>] qedf_queuecommand+0x1f0/0x240 [qedf]
+[30259.886749] [<ffffffffa329b050>] scsi_dispatch_cmd+0xb0/0x240
+[30259.892600] [<ffffffffa32a45bc>] scsi_request_fn+0x4cc/0x680
+[30259.898364] [<ffffffffa3118ad9>] __blk_run_queue+0x39/0x50
+[30259.903954] [<ffffffffa3114393>] __elv_add_request+0xd3/0x260
+[30259.909805] [<ffffffffa311baf0>] blk_insert_cloned_request+0xf0/0x1b0
+[30259.916358] [<ffffffffc010b622>] map_request+0x142/0x220 [dm_mod]
+[30259.922560] [<ffffffffc010b716>] map_tio_request+0x16/0x40 [dm_mod]
+[30259.928932] [<ffffffffa2ebb1f5>] kthread_worker_fn+0x85/0x180
+[30259.934782] [<ffffffffa2ebb170>] ? kthread_stop+0xf0/0xf0
+[30259.940284] [<ffffffffa2ebae31>] kthread+0xd1/0xe0
+[30259.945176] [<ffffffffa2ebad60>] ? insert_kthread_work+0x40/0x40
+[30259.951290] [<ffffffffa351f61d>] ret_from_fork_nospec_begin+0x7/0x21
+[30259.957750] [<ffffffffa2ebad60>] ? insert_kthread_work+0x40/0x40
+[30259.963860] Code: fe 41 55 49 89 d5 41 54 53 48 89 f3 48 83 ec 58 4c 8b 67 28 4c 8b 4e 18 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 4c 8b 7e 58 <49> 8b 84 24 98 01 00 00 48 8b 00 f6 80 31 01 00 00 10 0f 85 0b
+[30259.983372] RIP [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
+[30259.990630] RSP <ffff8c801efdbbb0>
+[30259.994127] CR2: 0000000000000198
+
+Signed-off-by: Chad Dupuis <cdupuis@marvell.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c
+index 6ca583bdde23c..29b51c4667217 100644
+--- a/drivers/scsi/qedf/qedf_io.c
++++ b/drivers/scsi/qedf/qedf_io.c
+@@ -902,6 +902,7 @@ int qedf_post_io_req(struct qedf_rport *fcport, struct qedf_ioreq *io_req)
+ if (!test_bit(QEDF_RPORT_SESSION_READY, &fcport->flags)) {
+ QEDF_ERR(&(qedf->dbg_ctx), "Session not offloaded yet.\n");
+ kref_put(&io_req->refcount, qedf_release_cmd);
++ return -EINVAL;
+ }
+
+ /* Obtain free SQE */
+--
+2.20.1
+
--- /dev/null
+From b3740fbe7e79edb485a3e7f332248bb8570240f2 Mon Sep 17 00:00:00 2001
+From: Manish Rangankar <mrangankar@marvell.com>
+Date: Fri, 26 Apr 2019 03:55:45 -0700
+Subject: scsi: qedi: Abort ep termination if offload not scheduled
+
+[ Upstream commit f848bfd8e167210a29374e8a678892bed591684f ]
+
+Sometimes during connection recovery when there is a failure to resolve
+ARP, and offload connection was not issued, driver tries to flush pending
+offload connection work which was not queued up.
+
+kernel: WARNING: CPU: 19 PID: 10110 at kernel/workqueue.c:3030 __flush_work.isra.34+0x19c/0x1b0
+kernel: CPU: 19 PID: 10110 Comm: iscsid Tainted: G W 5.1.0-rc4 #11
+kernel: Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 2.9.1 12/04/2018
+kernel: RIP: 0010:__flush_work.isra.34+0x19c/0x1b0
+kernel: Code: 8b fb 66 0f 1f 44 00 00 31 c0 eb ab 48 89 ef c6 07 00 0f 1f 40 00 fb 66 0f 1f 44 00 00 31 c0 eb 96 e8 08 16 fe ff 0f 0b eb 8d <0f> 0b 31 c0 eb 87 0f 1f 40 00 66 2e 0f 1
+f 84 00 00 00 00 00 0f 1f
+kernel: RSP: 0018:ffffa6b4054dba68 EFLAGS: 00010246
+kernel: RAX: 0000000000000000 RBX: ffff91df21c36fc0 RCX: 0000000000000000
+kernel: RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff91df21c36fc0
+kernel: RBP: ffff91df21c36ef0 R08: 0000000000000000 R09: 0000000000000000
+kernel: R10: 0000000000000038 R11: ffffa6b4054dbd60 R12: ffffffffc05e72c0
+kernel: R13: ffff91db10280820 R14: 0000000000000048 R15: 0000000000000000
+kernel: FS: 00007f5d83cc1740(0000) GS:ffff91df2f840000(0000) knlGS:0000000000000000
+kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+kernel: CR2: 0000000001cc5000 CR3: 0000000465450002 CR4: 00000000001606e0
+kernel: Call Trace:
+kernel: ? try_to_del_timer_sync+0x4d/0x80
+kernel: qedi_ep_disconnect+0x3b/0x410 [qedi]
+kernel: ? 0xffffffffc083c000
+kernel: ? klist_iter_exit+0x14/0x20
+kernel: ? class_find_device+0x93/0xf0
+kernel: iscsi_if_ep_disconnect.isra.18+0x58/0x70 [scsi_transport_iscsi]
+kernel: iscsi_if_recv_msg+0x10e2/0x1510 [scsi_transport_iscsi]
+kernel: ? copyout+0x22/0x30
+kernel: ? _copy_to_iter+0xa0/0x430
+kernel: ? _cond_resched+0x15/0x30
+kernel: ? __kmalloc_node_track_caller+0x1f9/0x270
+kernel: iscsi_if_rx+0xa5/0x1e0 [scsi_transport_iscsi]
+kernel: netlink_unicast+0x17f/0x230
+kernel: netlink_sendmsg+0x2d2/0x3d0
+kernel: sock_sendmsg+0x36/0x50
+kernel: ___sys_sendmsg+0x280/0x2a0
+kernel: ? timerqueue_add+0x54/0x80
+kernel: ? enqueue_hrtimer+0x38/0x90
+kernel: ? hrtimer_start_range_ns+0x19f/0x2c0
+kernel: __sys_sendmsg+0x58/0xa0
+kernel: do_syscall_64+0x5b/0x180
+kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_iscsi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index 6d6d6013e35b8..bf371e7b957d0 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -1000,6 +1000,9 @@ static void qedi_ep_disconnect(struct iscsi_endpoint *ep)
+ qedi_ep = ep->dd_data;
+ qedi = qedi_ep->qedi;
+
++ if (qedi_ep->state == EP_STATE_OFLDCONN_START)
++ goto ep_exit_recover;
++
+ flush_work(&qedi_ep->offload_work);
+
+ if (qedi_ep->conn) {
+--
+2.20.1
+
--- /dev/null
+From 1d86d6eef33fcfdb1059651e83414329e61bec31 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:43 -0700
+Subject: scsi: qla2xxx: Avoid that lockdep complains about unsafe locking in
+ tcm_qla2xxx_close_session()
+
+[ Upstream commit d4023db71108375e4194e92730ba0d32d7f07813 ]
+
+This patch avoids that lockdep reports the following warning:
+
+=====================================================
+WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
+5.1.0-rc1-dbg+ #11 Tainted: G W
+-----------------------------------------------------
+rmdir/1478 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+00000000e7ac4607 (&(&k->k_lock)->rlock){+.+.}, at: klist_next+0x43/0x1d0
+
+and this task is already holding:
+00000000cf0baf5e (&(&ha->tgt.sess_lock)->rlock){-...}, at: tcm_qla2xxx_close_session+0x57/0xb0 [tcm_qla2xxx]
+which would create a new lock dependency:
+ (&(&ha->tgt.sess_lock)->rlock){-...} -> (&(&k->k_lock)->rlock){+.+.}
+
+but this new dependency connects a HARDIRQ-irq-safe lock:
+ (&(&ha->tgt.sess_lock)->rlock){-...}
+
+... which became HARDIRQ-irq-safe at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla2x00_fcport_event_handler+0x1f3d/0x22b0 [qla2xxx]
+ qla2x00_async_login_sp_done+0x1dc/0x1f0 [qla2xxx]
+ qla24xx_process_response_queue+0xa37/0x10e0 [qla2xxx]
+ qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx]
+ __handle_irq_event_percpu+0x79/0x3c0
+ handle_irq_event_percpu+0x70/0xf0
+ handle_irq_event+0x5a/0x8b
+ handle_edge_irq+0x12c/0x310
+ handle_irq+0x192/0x20a
+ do_IRQ+0x73/0x160
+ ret_from_intr+0x0/0x1d
+ default_idle+0x23/0x1f0
+ arch_cpu_idle+0x15/0x20
+ default_idle_call+0x35/0x40
+ do_idle+0x2bb/0x2e0
+ cpu_startup_entry+0x1d/0x20
+ start_secondary+0x24d/0x2d0
+ secondary_startup_64+0xa4/0xb0
+
+to a HARDIRQ-irq-unsafe lock:
+ (&(&k->k_lock)->rlock){+.+.}
+
+... which became HARDIRQ-irq-unsafe at:
+...
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7f4/0xb60
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+
+other info that might help us debug this:
+
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&(&k->k_lock)->rlock);
+ local_irq_disable();
+ lock(&(&ha->tgt.sess_lock)->rlock);
+ lock(&(&k->k_lock)->rlock);
+ <Interrupt>
+ lock(&(&ha->tgt.sess_lock)->rlock);
+
+ *** DEADLOCK ***
+
+4 locks held by rmdir/1478:
+ #0: 000000002c7f1ba4 (sb_writers#10){.+.+}, at: mnt_want_write+0x32/0x70
+ #1: 00000000c85eb147 (&default_group_class[depth - 1]#2/1){+.+.}, at: do_rmdir+0x217/0x2d0
+ #2: 000000002b164d6f (&sb->s_type->i_mutex_key#13){++++}, at: vfs_rmdir+0x7e/0x1d0
+ #3: 00000000cf0baf5e (&(&ha->tgt.sess_lock)->rlock){-...}, at: tcm_qla2xxx_close_session+0x57/0xb0 [tcm_qla2xxx]
+
+the dependencies between HARDIRQ-irq-safe lock and the holding lock:
+-> (&(&ha->tgt.sess_lock)->rlock){-...} ops: 127 {
+ IN-HARDIRQ-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla2x00_fcport_event_handler+0x1f3d/0x22b0 [qla2xxx]
+ qla2x00_async_login_sp_done+0x1dc/0x1f0 [qla2xxx]
+ qla24xx_process_response_queue+0xa37/0x10e0 [qla2xxx]
+ qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx]
+ __handle_irq_event_percpu+0x79/0x3c0
+ handle_irq_event_percpu+0x70/0xf0
+ handle_irq_event+0x5a/0x8b
+ handle_edge_irq+0x12c/0x310
+ handle_irq+0x192/0x20a
+ do_IRQ+0x73/0x160
+ ret_from_intr+0x0/0x1d
+ default_idle+0x23/0x1f0
+ arch_cpu_idle+0x15/0x20
+ default_idle_call+0x35/0x40
+ do_idle+0x2bb/0x2e0
+ cpu_startup_entry+0x1d/0x20
+ start_secondary+0x24d/0x2d0
+ secondary_startup_64+0xa4/0xb0
+ INITIAL USE at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla2x00_loop_resync+0xb3d/0x2690 [qla2xxx]
+ qla2x00_do_dpc+0xcee/0xf30 [qla2xxx]
+ kthread+0x1d2/0x1f0
+ ret_from_fork+0x3a/0x50
+ }
+ ... key at: [<ffffffffa125f700>] __key.62804+0x0/0xfffffffffff7e900 [qla2xxx]
+ ... acquired at:
+ __lock_acquire+0x11ed/0x1b60
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx]
+ qlt_unreg_sess+0x104/0x2c0 [qla2xxx]
+ tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx]
+ target_shutdown_sessions+0x17b/0x190 [target_core_mod]
+ core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod]
+ target_fabric_nacl_base_release+0x25/0x30 [target_core_mod]
+ config_item_release+0x9f/0x120 [configfs]
+ config_item_put+0x29/0x2b [configfs]
+ configfs_rmdir+0x3d2/0x520 [configfs]
+ vfs_rmdir+0xb3/0x1d0
+ do_rmdir+0x25c/0x2d0
+ __x64_sys_rmdir+0x24/0x30
+ do_syscall_64+0x77/0x220
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+the dependencies between the lock to be acquired
+ and HARDIRQ-irq-unsafe lock:
+-> (&(&k->k_lock)->rlock){+.+.} ops: 14568 {
+ HARDIRQ-ON-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7f4/0xb60
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ SOFTIRQ-ON-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7f4/0xb60
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7f4/0xb60
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ }
+ ... key at: [<ffffffff83f3d900>] __key.15805+0x0/0x40
+ ... acquired at:
+ __lock_acquire+0x11ed/0x1b60
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx]
+ qlt_unreg_sess+0x104/0x2c0 [qla2xxx]
+ tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx]
+ target_shutdown_sessions+0x17b/0x190 [target_core_mod]
+ core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod]
+ target_fabric_nacl_base_release+0x25/0x30 [target_core_mod]
+ config_item_release+0x9f/0x120 [configfs]
+ config_item_put+0x29/0x2b [configfs]
+ configfs_rmdir+0x3d2/0x520 [configfs]
+ vfs_rmdir+0xb3/0x1d0
+ do_rmdir+0x25c/0x2d0
+ __x64_sys_rmdir+0x24/0x30
+ do_syscall_64+0x77/0x220
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+stack backtrace:
+CPU: 7 PID: 1478 Comm: rmdir Tainted: G W 5.1.0-rc1-dbg+ #11
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Call Trace:
+ dump_stack+0x86/0xca
+ check_usage.cold.59+0x473/0x563
+ check_prev_add.constprop.43+0x1f1/0x1170
+ __lock_acquire+0x11ed/0x1b60
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx]
+ qlt_unreg_sess+0x104/0x2c0 [qla2xxx]
+ tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx]
+ target_shutdown_sessions+0x17b/0x190 [target_core_mod]
+ core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod]
+ target_fabric_nacl_base_release+0x25/0x30 [target_core_mod]
+ config_item_release+0x9f/0x120 [configfs]
+ config_item_put+0x29/0x2b [configfs]
+ configfs_rmdir+0x3d2/0x520 [configfs]
+ vfs_rmdir+0xb3/0x1d0
+ do_rmdir+0x25c/0x2d0
+ __x64_sys_rmdir+0x24/0x30
+ do_syscall_64+0x77/0x220
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index bddb573c88dd2..d6104f23f697f 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -374,8 +374,9 @@ static void tcm_qla2xxx_close_session(struct se_session *se_sess)
+
+ spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags);
+ target_sess_cmd_list_set_waiting(se_sess);
+- tcm_qla2xxx_put_sess(sess);
+ spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags);
++
++ tcm_qla2xxx_put_sess(sess);
+ }
+
+ static u32 tcm_qla2xxx_sess_get_index(struct se_session *se_sess)
+--
+2.20.1
+
--- /dev/null
+From e4ac79b77296045b931df770623e073521a46182 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:24 -0700
+Subject: scsi: qla2xxx: Fix a qla24xx_enable_msix() error path
+
+[ Upstream commit 24afabdbd0b3553963a2bbf465895492b14d1107 ]
+
+Make sure that the allocated interrupts are freed if allocating memory for
+the msix_entries array fails.
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index 69bbea9239cc8..add17843148dd 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -3475,7 +3475,7 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp)
+ ql_log(ql_log_fatal, vha, 0x00c8,
+ "Failed to allocate memory for ha->msix_entries.\n");
+ ret = -ENOMEM;
+- goto msix_out;
++ goto free_irqs;
+ }
+ ha->flags.msix_enabled = 1;
+
+@@ -3558,6 +3558,10 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp)
+
+ msix_out:
+ return ret;
++
++free_irqs:
++ pci_free_irq_vectors(ha->pdev);
++ goto msix_out;
+ }
+
+ int
+--
+2.20.1
+
--- /dev/null
+From beb74d174ea931cb329f3ac35476ce44cb03bb50 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:28 -0700
+Subject: scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending()
+
+[ Upstream commit e209783d66bca04b5fce4429e59338517ffc1a0b ]
+
+Implementations of the .write_pending() callback functions must guarantee
+that an appropriate LIO core callback function will be called immediately or
+at a later time. Make sure that this guarantee is met for aborted SCSI
+commands.
+
+[mkp: typo]
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Fixes: 694833ee00c4 ("scsi: tcm_qla2xxx: Do not allow aborted cmd to advance.") # v4.13.
+Fixes: a07100e00ac4 ("qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM") # v4.5.
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index 8a3075d17c63c..bddb573c88dd2 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -399,6 +399,8 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd)
+ cmd->se_cmd.transport_state,
+ cmd->se_cmd.t_state,
+ cmd->se_cmd.se_cmd_flags);
++ transport_generic_request_failure(&cmd->se_cmd,
++ TCM_CHECK_CONDITION_ABORT_CMD);
+ return 0;
+ }
+ cmd->trc_flags |= TRC_XFR_RDY;
+--
+2.20.1
+
--- /dev/null
+From b71d2fe35c1f1debcc318e0e9b82e2acd92b0ef2 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:41 -0700
+Subject: scsi: qla2xxx: Fix hardirq-unsafe locking
+
+[ Upstream commit 300ec7415c1fed5c73660f50c8e14a67e236dc0a ]
+
+Since fc_remote_port_delete() must be called with interrupts enabled, do
+not disable interrupts when calling that function. Remove the lockin calls
+from around the put_sess() call. This is safe because the function that is
+called when the final reference is dropped, qlt_unreg_sess(), grabs the
+proper locks. This patch avoids that lockdep reports the following:
+
+WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
+kworker/2:1/62 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+0000000009e679b3 (&(&k->k_lock)->rlock){+.+.}, at: klist_next+0x43/0x1d0
+
+and this task is already holding:
+00000000a033b71c (&(&ha->tgt.sess_lock)->rlock){-...}, at: qla24xx_delete_sess_fn+0x55/0xf0 [qla2xxx_scst]
+which would create a new lock dependency:
+ (&(&ha->tgt.sess_lock)->rlock){-...} -> (&(&k->k_lock)->rlock){+.+.}
+
+but this new dependency connects a HARDIRQ-irq-safe lock:
+ (&(&ha->tgt.sess_lock)->rlock){-...}
+
+... which became HARDIRQ-irq-safe at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla24xx_report_id_acquisition+0xa69/0xe30 [qla2xxx_scst]
+ qla24xx_process_response_queue+0x69e/0x1270 [qla2xxx_scst]
+ qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx_scst]
+ __handle_irq_event_percpu+0x79/0x3c0
+ handle_irq_event_percpu+0x70/0xf0
+ handle_irq_event+0x5a/0x8b
+ handle_edge_irq+0x12c/0x310
+ handle_irq+0x192/0x20a
+ do_IRQ+0x73/0x160
+ ret_from_intr+0x0/0x1d
+ default_idle+0x23/0x1f0
+ arch_cpu_idle+0x15/0x20
+ default_idle_call+0x35/0x40
+ do_idle+0x2bb/0x2e0
+ cpu_startup_entry+0x1d/0x20
+ start_secondary+0x2a8/0x320
+ secondary_startup_64+0xa4/0xb0
+
+to a HARDIRQ-irq-unsafe lock:
+ (&(&k->k_lock)->rlock){+.+.}
+
+... which became HARDIRQ-irq-unsafe at:
+...
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7e1/0xb50
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+
+other info that might help us debug this:
+
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&(&k->k_lock)->rlock);
+ local_irq_disable();
+ lock(&(&ha->tgt.sess_lock)->rlock);
+ lock(&(&k->k_lock)->rlock);
+ <Interrupt>
+ lock(&(&ha->tgt.sess_lock)->rlock);
+
+ *** DEADLOCK ***
+
+3 locks held by kworker/2:1/62:
+ #0: 00000000a4319c16 ((wq_completion)"qla2xxx_wq"){+.+.}, at: process_one_work+0x437/0xa80
+ #1: 00000000ffa34c42 ((work_completion)(&sess->del_work)){+.+.}, at: process_one_work+0x437/0xa80
+ #2: 00000000a033b71c (&(&ha->tgt.sess_lock)->rlock){-...}, at: qla24xx_delete_sess_fn+0x55/0xf0 [qla2xxx_scst]
+
+the dependencies between HARDIRQ-irq-safe lock and the holding lock:
+-> (&(&ha->tgt.sess_lock)->rlock){-...} ops: 8 {
+ IN-HARDIRQ-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla24xx_report_id_acquisition+0xa69/0xe30 [qla2xxx_scst]
+ qla24xx_process_response_queue+0x69e/0x1270 [qla2xxx_scst]
+ qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx_scst]
+ __handle_irq_event_percpu+0x79/0x3c0
+ handle_irq_event_percpu+0x70/0xf0
+ handle_irq_event+0x5a/0x8b
+ handle_edge_irq+0x12c/0x310
+ handle_irq+0x192/0x20a
+ do_IRQ+0x73/0x160
+ ret_from_intr+0x0/0x1d
+ default_idle+0x23/0x1f0
+ arch_cpu_idle+0x15/0x20
+ default_idle_call+0x35/0x40
+ do_idle+0x2bb/0x2e0
+ cpu_startup_entry+0x1d/0x20
+ start_secondary+0x2a8/0x320
+ secondary_startup_64+0xa4/0xb0
+ INITIAL USE at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ qla24xx_report_id_acquisition+0xa69/0xe30 [qla2xxx_scst]
+ qla24xx_process_response_queue+0x69e/0x1270 [qla2xxx_scst]
+ qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx_scst]
+ __handle_irq_event_percpu+0x79/0x3c0
+ handle_irq_event_percpu+0x70/0xf0
+ handle_irq_event+0x5a/0x8b
+ handle_edge_irq+0x12c/0x310
+ handle_irq+0x192/0x20a
+ do_IRQ+0x73/0x160
+ ret_from_intr+0x0/0x1d
+ default_idle+0x23/0x1f0
+ arch_cpu_idle+0x15/0x20
+ default_idle_call+0x35/0x40
+ do_idle+0x2bb/0x2e0
+ cpu_startup_entry+0x1d/0x20
+ start_secondary+0x2a8/0x320
+ secondary_startup_64+0xa4/0xb0
+ }
+ ... key at: [<ffffffffa0c0d080>] __key.85462+0x0/0xfffffffffff7df80 [qla2xxx_scst]
+ ... acquired at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0xa0b/0xa30 [qla2xxx_scst]
+ qlt_unreg_sess+0x1c6/0x380 [qla2xxx_scst]
+ qla24xx_delete_sess_fn+0xe6/0xf0 [qla2xxx_scst]
+ process_one_work+0x511/0xa80
+ worker_thread+0x67/0x5b0
+ kthread+0x1d2/0x1f0
+ ret_from_fork+0x3a/0x50
+
+the dependencies between the lock to be acquired
+ and HARDIRQ-irq-unsafe lock:
+-> (&(&k->k_lock)->rlock){+.+.} ops: 13831 {
+ HARDIRQ-ON-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7e1/0xb50
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ SOFTIRQ-ON-W at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7e1/0xb50
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock+0x32/0x50
+ klist_add_tail+0x33/0xb0
+ device_add+0x7e1/0xb50
+ device_create_groups_vargs+0x11c/0x150
+ device_create_with_groups+0x89/0xb0
+ vtconsole_class_init+0xb2/0x124
+ do_one_initcall+0xc5/0x3ce
+ kernel_init_freeable+0x295/0x32e
+ kernel_init+0x11/0x11b
+ ret_from_fork+0x3a/0x50
+ }
+ ... key at: [<ffffffff83ed8780>] __key.15491+0x0/0x40
+ ... acquired at:
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0xa0b/0xa30 [qla2xxx_scst]
+ qlt_unreg_sess+0x1c6/0x380 [qla2xxx_scst]
+ qla24xx_delete_sess_fn+0xe6/0xf0 [qla2xxx_scst]
+ process_one_work+0x511/0xa80
+ worker_thread+0x67/0x5b0
+ kthread+0x1d2/0x1f0
+ ret_from_fork+0x3a/0x50
+
+stack backtrace:
+CPU: 2 PID: 62 Comm: kworker/2:1 Tainted: G O 5.0.7-dbg+ #8
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Workqueue: qla2xxx_wq qla24xx_delete_sess_fn [qla2xxx_scst]
+Call Trace:
+ dump_stack+0x86/0xca
+ check_usage.cold.52+0x473/0x563
+ __lock_acquire+0x11c0/0x23e0
+ lock_acquire+0xe3/0x200
+ _raw_spin_lock_irqsave+0x3d/0x60
+ klist_next+0x43/0x1d0
+ device_for_each_child+0x96/0x110
+ scsi_target_block+0x3c/0x40 [scsi_mod]
+ fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc]
+ qla2x00_mark_device_lost+0xa0b/0xa30 [qla2xxx_scst]
+ qlt_unreg_sess+0x1c6/0x380 [qla2xxx_scst]
+ qla24xx_delete_sess_fn+0xe6/0xf0 [qla2xxx_scst]
+ process_one_work+0x511/0xa80
+ worker_thread+0x67/0x5b0
+ kthread+0x1d2/0x1f0
+ ret_from_fork+0x3a/0x50
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 25 ++++++++-----------------
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 --
+ 2 files changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 697eee1d88474..b210a8296c275 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -680,7 +680,6 @@ int qla24xx_async_notify_ack(scsi_qla_host_t *vha, fc_port_t *fcport,
+ void qla24xx_do_nack_work(struct scsi_qla_host *vha, struct qla_work_evt *e)
+ {
+ fc_port_t *t;
+- unsigned long flags;
+
+ switch (e->u.nack.type) {
+ case SRB_NACK_PRLI:
+@@ -693,10 +692,8 @@ void qla24xx_do_nack_work(struct scsi_qla_host *vha, struct qla_work_evt *e)
+ if (t) {
+ ql_log(ql_log_info, vha, 0xd034,
+ "%s create sess success %p", __func__, t);
+- spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags);
+ /* create sess has an extra kref */
+ vha->hw->tgt.tgt_ops->put_sess(e->u.nack.fcport);
+- spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags);
+ }
+ break;
+ }
+@@ -708,9 +705,6 @@ void qla24xx_delete_sess_fn(struct work_struct *work)
+ {
+ fc_port_t *fcport = container_of(work, struct fc_port, del_work);
+ struct qla_hw_data *ha = fcport->vha->hw;
+- unsigned long flags;
+-
+- spin_lock_irqsave(&ha->tgt.sess_lock, flags);
+
+ if (fcport->se_sess) {
+ ha->tgt.tgt_ops->shutdown_sess(fcport);
+@@ -718,7 +712,6 @@ void qla24xx_delete_sess_fn(struct work_struct *work)
+ } else {
+ qlt_unreg_sess(fcport);
+ }
+- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+ }
+
+ /*
+@@ -787,8 +780,9 @@ void qlt_fc_port_added(struct scsi_qla_host *vha, fc_port_t *fcport)
+ fcport->port_name, sess->loop_id);
+ sess->local = 0;
+ }
+- ha->tgt.tgt_ops->put_sess(sess);
+ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
++
++ ha->tgt.tgt_ops->put_sess(sess);
+ }
+
+ /*
+@@ -4242,9 +4236,7 @@ static void __qlt_do_work(struct qla_tgt_cmd *cmd)
+ /*
+ * Drop extra session reference from qla_tgt_handle_cmd_for_atio*(
+ */
+- spin_lock_irqsave(&ha->tgt.sess_lock, flags);
+ ha->tgt.tgt_ops->put_sess(sess);
+- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+ return;
+
+ out_term:
+@@ -4261,9 +4253,7 @@ static void __qlt_do_work(struct qla_tgt_cmd *cmd)
+ target_free_tag(sess->se_sess, &cmd->se_cmd);
+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+
+- spin_lock_irqsave(&ha->tgt.sess_lock, flags);
+ ha->tgt.tgt_ops->put_sess(sess);
+- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+ }
+
+ static void qlt_do_work(struct work_struct *work)
+@@ -4472,9 +4462,7 @@ static int qlt_handle_cmd_for_atio(struct scsi_qla_host *vha,
+ if (!cmd) {
+ ql_dbg(ql_dbg_io, vha, 0x3062,
+ "qla_target(%d): Allocation of cmd failed\n", vha->vp_idx);
+- spin_lock_irqsave(&ha->tgt.sess_lock, flags);
+ ha->tgt.tgt_ops->put_sess(sess);
+- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+ return -EBUSY;
+ }
+
+@@ -6318,17 +6306,19 @@ static void qlt_abort_work(struct qla_tgt *tgt,
+ }
+
+ rc = __qlt_24xx_handle_abts(vha, &prm->abts, sess);
+- ha->tgt.tgt_ops->put_sess(sess);
+ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags2);
+
++ ha->tgt.tgt_ops->put_sess(sess);
++
+ if (rc != 0)
+ goto out_term;
+ return;
+
+ out_term2:
++ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags2);
++
+ if (sess)
+ ha->tgt.tgt_ops->put_sess(sess);
+- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags2);
+
+ out_term:
+ spin_lock_irqsave(&ha->hardware_lock, flags);
+@@ -6386,9 +6376,10 @@ static void qlt_tmr_work(struct qla_tgt *tgt,
+ scsilun_to_int((struct scsi_lun *)&a->u.isp24.fcp_cmnd.lun);
+
+ rc = qlt_issue_task_mgmt(sess, unpacked_lun, fn, iocb, 0);
+- ha->tgt.tgt_ops->put_sess(sess);
+ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+
++ ha->tgt.tgt_ops->put_sess(sess);
++
+ if (rc != 0)
+ goto out_term;
+ return;
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index d6104f23f697f..e58becb790fa3 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -359,7 +359,6 @@ static void tcm_qla2xxx_put_sess(struct fc_port *sess)
+ if (!sess)
+ return;
+
+- assert_spin_locked(&sess->vha->hw->tgt.sess_lock);
+ kref_put(&sess->sess_kref, tcm_qla2xxx_release_session);
+ }
+
+@@ -832,7 +831,6 @@ static void tcm_qla2xxx_clear_nacl_from_fcport_map(struct fc_port *sess)
+
+ static void tcm_qla2xxx_shutdown_sess(struct fc_port *sess)
+ {
+- assert_spin_locked(&sess->vha->hw->tgt.sess_lock);
+ target_sess_cmd_list_set_waiting(sess->se_sess);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 048b1b83b184f42ae76d2b8a1499fb5b97681093 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2019 15:25:03 +0100
+Subject: scsi: qla4xxx: avoid freeing unallocated dma memory
+
+[ Upstream commit 608f729c31d4caf52216ea00d20092a80959256d ]
+
+Clang -Wuninitialized notices that on is_qla40XX we never allocate any DMA
+memory in get_fw_boot_info() but attempt to free it anyway:
+
+drivers/scsi/qla4xxx/ql4_os.c:5915:7: error: variable 'buf_dma' is used uninitialized whenever 'if' condition is false
+ [-Werror,-Wsometimes-uninitialized]
+ if (!(val & 0x07)) {
+ ^~~~~~~~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5985:47: note: uninitialized use occurs here
+ dma_free_coherent(&ha->pdev->dev, size, buf, buf_dma);
+ ^~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5915:3: note: remove the 'if' if its condition is always true
+ if (!(val & 0x07)) {
+ ^~~~~~~~~~~~~~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5885:20: note: initialize the variable 'buf_dma' to silence this warning
+ dma_addr_t buf_dma;
+ ^
+ = 0
+
+Skip the call to dma_free_coherent() here.
+
+Fixes: 2a991c215978 ("[SCSI] qla4xxx: Boot from SAN support for open-iscsi")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 6e4f4931ae175..8c674eca09f13 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -5930,7 +5930,7 @@ static int get_fw_boot_info(struct scsi_qla_host *ha, uint16_t ddb_index[])
+ val = rd_nvram_byte(ha, sec_addr);
+ if (val & BIT_7)
+ ddb_index[1] = (val & 0x7f);
+-
++ goto exit_boot_info;
+ } else if (is_qla80XX(ha)) {
+ buf = dma_alloc_coherent(&ha->pdev->dev, size,
+ &buf_dma, GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From 6e4eef09833d7124c66d9cef10a16242eca5d9ec Mon Sep 17 00:00:00 2001
+From: Stanley Chu <stanley.chu@mediatek.com>
+Date: Thu, 28 Mar 2019 17:16:24 +0800
+Subject: scsi: ufs: Avoid configuring regulator with undefined voltage range
+
+[ Upstream commit 3b141e8cfd54ba3e5c610717295b2a02aab26a05 ]
+
+For regulators used by UFS, vcc, vccq and vccq2 will have voltage range
+initialized by ufshcd_populate_vreg(), however other regulators may have
+undefined voltage range if dt-bindings have no such definition.
+
+In above undefined case, both "min_uV" and "max_uV" fields in ufs_vreg
+struct will be zero values and these values will be configured on
+regulators in different power modes.
+
+Currently this may have no harm if both "min_uV" and "max_uV" always keep
+"zero values" because regulator_set_voltage() will always bypass such
+invalid values and return "good" results.
+
+However improper values shall be fixed to avoid potential bugs. Simply
+bypass voltage configuration if voltage range is not defined.
+
+Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 58e0bd1dac9b4..5ba49c8cd2a36 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -7048,12 +7048,15 @@ static int ufshcd_config_vreg(struct device *dev,
+ name = vreg->name;
+
+ if (regulator_count_voltages(reg) > 0) {
+- min_uV = on ? vreg->min_uV : 0;
+- ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
+- if (ret) {
+- dev_err(dev, "%s: %s set voltage failed, err=%d\n",
++ if (vreg->min_uV && vreg->max_uV) {
++ min_uV = on ? vreg->min_uV : 0;
++ ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
++ if (ret) {
++ dev_err(dev,
++ "%s: %s set voltage failed, err=%d\n",
+ __func__, name, ret);
+- goto out;
++ goto out;
++ }
+ }
+
+ uA_load = on ? vreg->max_uA : 0;
+--
+2.20.1
+
--- /dev/null
+From 3383791e0ed7962bce73a2995d4b980a373e8df2 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 02:11:56 -0500
+Subject: scsi: ufs: fix a missing check of devm_reset_control_get
+
+[ Upstream commit 63a06181d7ce169d09843645c50fea1901bc9f0a ]
+
+devm_reset_control_get could fail, so the fix checks its return value and
+passes the error code upstream in case it fails.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-hisi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/ufs/ufs-hisi.c b/drivers/scsi/ufs/ufs-hisi.c
+index 0e855b5afe82a..2f592df921d97 100644
+--- a/drivers/scsi/ufs/ufs-hisi.c
++++ b/drivers/scsi/ufs/ufs-hisi.c
+@@ -587,6 +587,10 @@ static int ufs_hisi_init_common(struct ufs_hba *hba)
+ ufshcd_set_variant(hba, host);
+
+ host->rst = devm_reset_control_get(dev, "rst");
++ if (IS_ERR(host->rst)) {
++ dev_err(dev, "%s: failed to get reset control\n", __func__);
++ return PTR_ERR(host->rst);
++ }
+
+ ufs_hisi_set_pm_lvl(hba);
+
+--
+2.20.1
+
--- /dev/null
+From a697a92094f971e92f2444ab7ae6b7c3511fe8cc Mon Sep 17 00:00:00 2001
+From: Stanley Chu <stanley.chu@mediatek.com>
+Date: Thu, 28 Mar 2019 17:16:25 +0800
+Subject: scsi: ufs: Fix regulator load and icc-level configuration
+
+[ Upstream commit 0487fff76632ec023d394a05b82e87a971db8c03 ]
+
+Currently if a regulator has "<name>-fixed-regulator" property in device
+tree, it will skip current limit initialization. This lead to a zero
+"max_uA" value in struct ufs_vreg.
+
+However, "regulator_set_load" operation shall be required on regulators
+which have valid current limits, otherwise a zero "max_uA" set by
+"regulator_set_load" may cause unexpected behavior when this regulator is
+enabled or set as high power mode.
+
+Similarly, in device's icc_level configuration flow, the target icc_level
+shall be updated if regulator also has valid current limit, otherwise a
+wrong icc_level will be calculated by zero "max_uA" and thus causes
+unexpected results after it is written to device.
+
+Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index e040f9dd9ff32..58e0bd1dac9b4 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6294,19 +6294,19 @@ static u32 ufshcd_find_max_sup_active_icc_level(struct ufs_hba *hba,
+ goto out;
+ }
+
+- if (hba->vreg_info.vcc)
++ if (hba->vreg_info.vcc && hba->vreg_info.vcc->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vcc->max_uA,
+ POWER_DESC_MAX_ACTV_ICC_LVLS - 1,
+ &desc_buf[PWR_DESC_ACTIVE_LVLS_VCC_0]);
+
+- if (hba->vreg_info.vccq)
++ if (hba->vreg_info.vccq && hba->vreg_info.vccq->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vccq->max_uA,
+ icc_level,
+ &desc_buf[PWR_DESC_ACTIVE_LVLS_VCCQ_0]);
+
+- if (hba->vreg_info.vccq2)
++ if (hba->vreg_info.vccq2 && hba->vreg_info.vccq2->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vccq2->max_uA,
+ icc_level,
+@@ -7004,6 +7004,15 @@ static int ufshcd_config_vreg_load(struct device *dev, struct ufs_vreg *vreg,
+ if (!vreg)
+ return 0;
+
++ /*
++ * "set_load" operation shall be required on those regulators
++ * which specifically configured current limitation. Otherwise
++ * zero max_uA may cause unexpected behavior when regulator is
++ * enabled or set as high power mode.
++ */
++ if (!vreg->max_uA)
++ return 0;
++
+ ret = regulator_set_load(vreg->reg, ua);
+ if (ret < 0) {
+ dev_err(dev, "%s: %s set load (ua=%d) failed, err=%d\n",
+--
+2.20.1
+
--- /dev/null
+From 3f39e11763658f0329552b9f9ea42d4778f02a34 Mon Sep 17 00:00:00 2001
+From: "Daniel T. Lee" <danieltimlee@gmail.com>
+Date: Thu, 4 Apr 2019 07:17:55 +0900
+Subject: selftests/bpf: ksym_search won't check symbols exists
+
+[ Upstream commit 0979ff7992fb6f4eb837995b12f4071dcafebd2d ]
+
+Currently, ksym_search located at trace_helpers won't check symbols are
+existing or not.
+
+In ksym_search, when symbol is not found, it will return &syms[0](_stext).
+But when the kernel symbols are not loaded, it will return NULL, which is
+not a desired action.
+
+This commit will add verification logic whether symbols are loaded prior
+to the symbol search.
+
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/trace_helpers.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
+index 4cdb63bf0521d..9a9fc6c9b70b5 100644
+--- a/tools/testing/selftests/bpf/trace_helpers.c
++++ b/tools/testing/selftests/bpf/trace_helpers.c
+@@ -52,6 +52,10 @@ struct ksym *ksym_search(long key)
+ int start = 0, end = sym_cnt;
+ int result;
+
++ /* kallsyms not loaded. return NULL */
++ if (sym_cnt <= 0)
++ return NULL;
++
+ while (start < end) {
+ size_t mid = start + (end - start) / 2;
+
+--
+2.20.1
+
--- /dev/null
+From 0f2214d386b0af715110b638c89631632e0831c4 Mon Sep 17 00:00:00 2001
+From: Yonghong Song <yhs@fb.com>
+Date: Mon, 29 Apr 2019 16:59:38 -0700
+Subject: selftests/bpf: set RLIMIT_MEMLOCK properly for test_libbpf_open.c
+
+[ Upstream commit 6cea33701eb024bc6c920ab83940ee22afd29139 ]
+
+Test test_libbpf.sh failed on my development server with failure
+ -bash-4.4$ sudo ./test_libbpf.sh
+ [0] libbpf: Error in bpf_object__probe_name():Operation not permitted(1).
+ Couldn't load basic 'r0 = 0' BPF program.
+ test_libbpf: failed at file test_l4lb.o
+ selftests: test_libbpf [FAILED]
+ -bash-4.4$
+
+The reason is because my machine has 64KB locked memory by default which
+is not enough for this program to get locked memory.
+Similar to other bpf selftests, let us increase RLIMIT_MEMLOCK
+to infinity, which fixed the issue.
+
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_libbpf_open.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/test_libbpf_open.c b/tools/testing/selftests/bpf/test_libbpf_open.c
+index 65cbd30704b5a..9e9db202d218a 100644
+--- a/tools/testing/selftests/bpf/test_libbpf_open.c
++++ b/tools/testing/selftests/bpf/test_libbpf_open.c
+@@ -11,6 +11,8 @@ static const char *__doc__ =
+ #include <bpf/libbpf.h>
+ #include <getopt.h>
+
++#include "bpf_rlimit.h"
++
+ static const struct option long_options[] = {
+ {"help", no_argument, NULL, 'h' },
+ {"debug", no_argument, NULL, 'D' },
+--
+2.20.1
+
--- /dev/null
+From 207aa88bdc27999aaf8d662776ac70d1de9fcc8a Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Mon, 8 Apr 2019 15:12:30 -0700
+Subject: selftests: cgroup: fix cleanup path in test_memcg_subtree_control()
+
+[ Upstream commit e14d314c7a489f060d6d691866fef5f131281718 ]
+
+Dan reported, that cleanup path in test_memcg_subtree_control()
+triggers a static checker warning:
+ ./tools/testing/selftests/cgroup/test_memcontrol.c:76 \
+ test_memcg_subtree_control()
+ error: uninitialized symbol 'child2'.
+
+Fix this by initializing child2 and parent2 variables and
+split the cleanup path into few stages.
+
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Fixes: 84092dbcf901 ("selftests: cgroup: add memory controller self-tests")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/cgroup/test_memcontrol.c | 38 ++++++++++---------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+diff --git a/tools/testing/selftests/cgroup/test_memcontrol.c b/tools/testing/selftests/cgroup/test_memcontrol.c
+index 28d321ba311b4..6f339882a6ca1 100644
+--- a/tools/testing/selftests/cgroup/test_memcontrol.c
++++ b/tools/testing/selftests/cgroup/test_memcontrol.c
+@@ -26,7 +26,7 @@
+ */
+ static int test_memcg_subtree_control(const char *root)
+ {
+- char *parent, *child, *parent2, *child2;
++ char *parent, *child, *parent2 = NULL, *child2 = NULL;
+ int ret = KSFT_FAIL;
+ char buf[PAGE_SIZE];
+
+@@ -34,50 +34,54 @@ static int test_memcg_subtree_control(const char *root)
+ parent = cg_name(root, "memcg_test_0");
+ child = cg_name(root, "memcg_test_0/memcg_test_1");
+ if (!parent || !child)
+- goto cleanup;
++ goto cleanup_free;
+
+ if (cg_create(parent))
+- goto cleanup;
++ goto cleanup_free;
+
+ if (cg_write(parent, "cgroup.subtree_control", "+memory"))
+- goto cleanup;
++ goto cleanup_parent;
+
+ if (cg_create(child))
+- goto cleanup;
++ goto cleanup_parent;
+
+ if (cg_read_strstr(child, "cgroup.controllers", "memory"))
+- goto cleanup;
++ goto cleanup_child;
+
+ /* Create two nested cgroups without enabling memory controller */
+ parent2 = cg_name(root, "memcg_test_1");
+ child2 = cg_name(root, "memcg_test_1/memcg_test_1");
+ if (!parent2 || !child2)
+- goto cleanup;
++ goto cleanup_free2;
+
+ if (cg_create(parent2))
+- goto cleanup;
++ goto cleanup_free2;
+
+ if (cg_create(child2))
+- goto cleanup;
++ goto cleanup_parent2;
+
+ if (cg_read(child2, "cgroup.controllers", buf, sizeof(buf)))
+- goto cleanup;
++ goto cleanup_all;
+
+ if (!cg_read_strstr(child2, "cgroup.controllers", "memory"))
+- goto cleanup;
++ goto cleanup_all;
+
+ ret = KSFT_PASS;
+
+-cleanup:
+- cg_destroy(child);
+- cg_destroy(parent);
+- free(parent);
+- free(child);
+-
++cleanup_all:
+ cg_destroy(child2);
++cleanup_parent2:
+ cg_destroy(parent2);
++cleanup_free2:
+ free(parent2);
+ free(child2);
++cleanup_child:
++ cg_destroy(child);
++cleanup_parent:
++ cg_destroy(parent);
++cleanup_free:
++ free(parent);
++ free(child);
+
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 67ab3216b585802e21d5218c673095b8c71739be Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Mar 2019 15:23:11 +0100
+Subject: selinux: avoid uninitialized variable warning
+
+[ Upstream commit 98bbbb76f2edcfb8fb2b8f4b3ccc7b6e99d64bd8 ]
+
+clang correctly points out a code path that would lead
+to an uninitialized variable use:
+
+security/selinux/netlabel.c:310:6: error: variable 'addr' is used uninitialized whenever 'if' condition is false
+ [-Werror,-Wsometimes-uninitialized]
+ if (ip_hdr(skb)->version == 4) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+security/selinux/netlabel.c:322:40: note: uninitialized use occurs here
+ rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr);
+ ^~~~
+security/selinux/netlabel.c:310:2: note: remove the 'if' if its condition is always true
+ if (ip_hdr(skb)->version == 4) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+security/selinux/netlabel.c:291:23: note: initialize the variable 'addr' to silence this warning
+ struct sockaddr *addr;
+ ^
+ = NULL
+
+This is probably harmless since we should not see ipv6 packets
+of CONFIG_IPV6 is disabled, but it's better to rearrange the code
+so this cannot happen.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+[PM: removed old patchwork link, fixed checkpatch.pl style errors]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/netlabel.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
+index 186e727b737b9..6fd9954e1c085 100644
+--- a/security/selinux/netlabel.c
++++ b/security/selinux/netlabel.c
+@@ -288,11 +288,8 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
+ int rc;
+ struct netlbl_lsm_secattr secattr;
+ struct sk_security_struct *sksec = ep->base.sk->sk_security;
+- struct sockaddr *addr;
+ struct sockaddr_in addr4;
+-#if IS_ENABLED(CONFIG_IPV6)
+ struct sockaddr_in6 addr6;
+-#endif
+
+ if (ep->base.sk->sk_family != PF_INET &&
+ ep->base.sk->sk_family != PF_INET6)
+@@ -310,16 +307,15 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
+ if (ip_hdr(skb)->version == 4) {
+ addr4.sin_family = AF_INET;
+ addr4.sin_addr.s_addr = ip_hdr(skb)->saddr;
+- addr = (struct sockaddr *)&addr4;
+-#if IS_ENABLED(CONFIG_IPV6)
+- } else {
++ rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr4, &secattr);
++ } else if (IS_ENABLED(CONFIG_IPV6) && ip_hdr(skb)->version == 6) {
+ addr6.sin6_family = AF_INET6;
+ addr6.sin6_addr = ipv6_hdr(skb)->saddr;
+- addr = (struct sockaddr *)&addr6;
+-#endif
++ rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr6, &secattr);
++ } else {
++ rc = -EAFNOSUPPORT;
+ }
+
+- rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr);
+ if (rc == 0)
+ sksec->nlbl_state = NLBL_LABELED;
+
+--
+2.20.1
+
acct_on-don-t-mess-with-freeze-protection.patch
netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch
revert-btrfs-honour-fitrim-range-constraints-during-free-space-trim.patch
+gfs2-fix-lru_count-going-negative.patch
+cxgb4-fix-error-path-in-cxgb4_init_module.patch
+afs-fix-getting-the-afs.fid-xattr.patch
+nfs-make-nfs_match_client-killable.patch
+gfs2-fix-race-between-gfs2_freeze_func-and-unmount.patch
+io_uring-use-cpu_online-to-check-p-sq_thread_cpu-ins.patch
+ib-hfi1-fix-wq_mem_reclaim-warning.patch
+gfs2-fix-occasional-glock-use-after-free.patch
+mmc-core-verify-sd-bus-width.patch
+tools-bpf-fix-perf-build-error-with-uclibc-seen-on-a.patch
+i40e-fix-of-memory-leak-and-integer-truncation-in-i4.patch
+libbpf-fix-invalid-munmap-call.patch
+selftests-bpf-set-rlimit_memlock-properly-for-test_l.patch
+bpftool-exclude-bash-completion-bpftool-from-.gitign.patch
+ice-separate-if-conditions-for-ice_set_features.patch
+ice-preserve-vlan-rx-stripping-settings.patch
+blk-mq-split-blk_mq_alloc_and_init_hctx-into-two-par.patch
+blk-mq-grab-.q_usage_counter-when-queuing-request-fr.patch
+dmaengine-tegra210-dma-free-dma-controller-in-remove.patch
+net-ena-gcc-8-fix-compilation-warning.patch
+net-ena-fix-set-freed-objects-to-null-to-avoid-faili.patch
+hv_netvsc-fix-race-that-may-miss-tx-queue-wakeup.patch
+bluetooth-ignore-cc-events-not-matching-the-last-hci.patch
+pinctrl-zte-fix-leaked-of_node-references.patch
+asoc-intel-kbl_da7219_max98357a-map-btn_0-to-key_pla.patch
+usb-dwc2-gadget-increase-descriptors-count-for-isoc-.patch
+usb-dwc3-move-synchronize_irq-out-of-the-spinlock-pr.patch
+usb-gadget-f_fs-don-t-free-buffer-prematurely.patch
+asoc-hdmi-codec-unlock-the-device-on-startup-errors.patch
+powerpc-perf-return-accordingly-on-invalid-chip-id-i.patch
+powerpc-boot-fix-missing-check-of-lseek-return-value.patch
+powerpc-perf-fix-loop-exit-condition-in-nest_imc_eve.patch
+spi-atmel-quadspi-fix-crash-while-suspending.patch
+asoc-imx-fix-fiq-dependencies.patch
+spi-pxa2xx-fix-scr-divisor-calculation.patch
+net-mlx5-e-switch-use-atomic-rep-state-to-serialize-.patch
+brcm80211-potential-null-dereference-in-brcmf_cfg802.patch
+acpi-property-fix-handling-of-data_nodes-in-acpi_get.patch
+drm-nouveau-bar-nv50-ensure-bar-is-mapped.patch
+media-stm32-dcmi-return-appropriate-error-codes-duri.patch
+arm-vdso-remove-dependency-with-the-arch_timer-drive.patch
+arm64-fix-compiler-warning-from-pte_unmap-with-wunus.patch
+mt76-remove-mt76_queue-dependency-from-tx_queue_skb-.patch
+x86-ftrace-set-trampoline-pages-as-executable.patch
+powerpc-watchdog-use-hrtimers-for-per-cpu-heartbeat.patch
+cpufreq-fix-kobject-memleak.patch
+scsi-qla2xxx-fix-a-qla24xx_enable_msix-error-path.patch
+scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write.patch
+scsi-qla2xxx-avoid-that-lockdep-complains-about-unsa.patch
+scsi-qla2xxx-fix-hardirq-unsafe-locking.patch
+x86-modules-avoid-breaking-w-x-while-loading-modules.patch
+btrfs-fix-data-bytes_may_use-underflow-with-fallocat.patch
+btrfs-fix-panic-during-relocation-after-enospc-befor.patch
+btrfs-don-t-panic-when-we-can-t-find-a-root-key.patch
+iwlwifi-pcie-don-t-crash-on-invalid-rx-interrupt.patch
+rtc-88pm860x-prevent-use-after-free-on-device-remove.patch
+rtc-stm32-manage-the-get_irq-probe-defer-case.patch
+scsi-qedi-abort-ep-termination-if-offload-not-schedu.patch
+s390-kexec_file-fix-detection-of-text-segment-in-elf.patch
+alsa-hda-fix-unregister-device-twice-on-asoc-driver.patch
+sched-nohz-run-nohz-idle-load-balancer-on-hk_flag_mi.patch
+net-ethernet-ti-cpsw-fix-allmulti-cfg-in-dual_mac-mo.patch
+w1-fix-the-resume-command-api.patch
+net-hns3-fix-pause-configure-fail-problem.patch
+net-hns3-fix-for-tx-clean-num-when-cleaning-tx-bd.patch
+net-phy-improve-genphy_soft_reset.patch
+s390-qeth-address-type-mismatch-warning.patch
+arm64-futex-fix-futex_wake_op-atomic-ops-with-non-ze.patch
+net-hns3-use-atomic_t-replace-u32-for-arq-s-count.patch
+dmaengine-pl330-_stop-clear-interrupt-status.patch
+mac80211-cfg80211-update-bss-channel-on-channel-swit.patch
+drm-prefix-header-search-paths-with-srctree.patch
+libbpf-fix-samples-bpf-build-failure-due-to-undefine.patch
+slimbus-fix-a-potential-null-pointer-dereference-in-.patch
+regulator-core-actually-put-the-gpiod-after-use.patch
+asoc-fsl_sai-update-is_slave_mode-with-correct-value.patch
+fix-nfs4.2-return-einval-when-do-dedupe-operation.patch
+mwifiex-prevent-an-array-overflow.patch
+rsi-fix-null-pointer-dereference-in-kmalloc.patch
+net-cw1200-fix-a-null-pointer-dereference.patch
+nvme-set-0-capacity-if-namespace-block-size-exceeds-.patch
+nvme-rdma-fix-a-null-deref-when-an-admin-connect-tim.patch
+nvme-tcp-fix-a-null-deref-when-an-admin-connect-time.patch
+crypto-sun4i-ss-fix-invalid-calculation-of-hash-end.patch
+bcache-avoid-potential-memleak-of-list-of-journal_re.patch
+bcache-return-error-immediately-in-bch_journal_repla.patch
+bcache-fix-failure-in-journal-relplay.patch
+bcache-add-failure-check-to-run_cache_set-for-journa.patch
+bcache-avoid-clang-wunintialized-warning.patch
+rdma-cma-consider-scope_id-while-binding-to-ipv6-ll-.patch
+vfio-ccw-do-not-call-flush_workqueue-while-holding-t.patch
+vfio-ccw-release-any-channel-program-when-releasing-.patch
+x86-build-move-_etext-to-actual-end-of-.text.patch
+smpboot-place-the-__percpu-annotation-correctly.patch
+x86-uaccess-dont-leak-the-ac-flag-into-__put_user-ar.patch
+x86-mm-remove-in_nmi-warning-from-64-bit-implementat.patch
+mm-uaccess-use-unsigned-long-to-placate-ubsan-warnin.patch
+bluetooth-hci_qca-fix-crash-with-non-serdev-devices.patch
+bluetooth-hci_qca-give-enough-time-to-rome-controlle.patch
+bluetooth-btbcm-add-default-address-for-bcm43341b.patch
+bluetooth-mediatek-fixed-incorrect-type-in-assignmen.patch
+hid-logitech-hidpp-use-rap-instead-of-fap-to-get-the.patch
+pinctrl-pistachio-fix-leaked-of_node-references.patch
+pinctrl-st-fix-leaked-of_node-references.patch
+pinctrl-samsung-fix-leaked-of_node-references.patch
+clk-rockchip-undo-several-noc-and-special-clocks-as-.patch
+perf-arm-cci-remove-broken-race-mitigation.patch
+dmaengine-at_xdmac-remove-bug_on-macro-in-tasklet.patch
+media-coda-clear-error-return-value-before-picture-r.patch
+media-ov6650-move-v4l2_clk_get-to-ov6650_video_probe.patch
+media-au0828-stop-video-streaming-only-when-last-use.patch
+media-ov2659-make-s_fmt-succeed-even-if-requested-fo.patch
+audit-fix-a-memory-leak-bug.patch
+media-stm32-dcmi-fix-crash-when-subdev-do-not-expose.patch
+media-au0828-fix-null-pointer-dereference-in-au0828_.patch
+media-pvrusb2-prevent-a-buffer-overflow.patch
+iio-adc-stm32-dfsdm-fix-unmet-direct-dependencies-de.patch
+block-fix-use-after-free-on-gendisk.patch
+powerpc-numa-improve-control-of-topology-updates.patch
+powerpc-64-fix-booting-large-kernels-with-strict_ker.patch
+random-fix-crng-initialization-when-random.trust_cpu.patch
+random-add-a-spinlock_t-to-struct-batched_entropy.patch
+cgroup-protect-cgroup-nr_-dying_-descendants-by-css_.patch
+sched-core-check-quota-and-period-overflow-at-usec-t.patch
+sched-rt-check-integer-overflow-at-usec-to-nsec-conv.patch
+sched-core-handle-overflow-in-cpu_shares_write_u64.patch
+staging-vc04_services-handle-kzalloc-failure.patch
+drm-msm-dpu-release-resources-on-modeset-failure.patch
+drm-msm-a5xx-fix-possible-object-reference-leak.patch
+drm-msm-dpu-don-t-set-frame_busy_mask-for-async-upda.patch
+drm-msm-fix-null-pointer-dereference.patch
+irq_work-do-not-raise-an-ipi-when-queueing-work-on-t.patch
+thunderbolt-take-domain-lock-in-switch-sysfs-attribu.patch
+s390-qeth-handle-error-from-qeth_update_from_chp_des.patch
+usb-core-don-t-unbind-interfaces-following-device-re.patch
+x86-irq-64-limit-ist-stack-overflow-check-to-db-stac.patch
+drm-etnaviv-avoid-dma-api-warning-when-importing-buf.patch
+dt-bindings-phy-qcom-qmp-add-ufs-phy-reset.patch
+phy-sun4i-usb-make-sure-to-disable-phy0-passby-for-p.patch
+phy-mapphone-mdm6600-add-gpiolib-dependency.patch
+phy-ti-usb2-fix-omap_control_phy-dependency.patch
+dpaa2-eth-fix-rx-classification-status.patch
+i40e-able-to-add-up-to-16-mac-filters-on-an-untruste.patch
+i40e-don-t-allow-changes-to-hw-vlan-stripping-on-act.patch
+acpi-iort-reject-platform-device-creation-on-numa-no.patch
+arm64-vdso-fix-clock_getres-for-clock_realtime.patch
+rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb.patch
+fscrypt-use-read_once-to-access-i_crypt_info.patch
+perf-x86-msr-add-icelake-support.patch
+perf-x86-intel-rapl-add-icelake-support.patch
+perf-x86-intel-cstate-add-icelake-support.patch
+pm-devfreq-fix-static-checker-warning-in-try_then_re.patch
+hwmon-vt1211-use-request_muxed_region-for-super-io-a.patch
+hwmon-smsc47m1-use-request_muxed_region-for-super-io.patch
+hwmon-smsc47b397-use-request_muxed_region-for-super-.patch
+hwmon-pc87427-use-request_muxed_region-for-super-io-.patch
+hwmon-f71805f-use-request_muxed_region-for-super-io-.patch
+scsi-libsas-do-discovery-on-empty-phy-to-update-phy-.patch
+mmc-core-make-pwrseq_emmc-partially-support-sleepy-g.patch
+mmc_spi-add-a-status-check-for-spi_sync_locked.patch
+mmc-sdhci-of-esdhc-add-erratum-esdhc5-support.patch
+mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch
+mmc-sdhci-of-esdhc-add-erratum-esdhc-a001-and-a-0083.patch
+net-hns3-free-the-pending-skb-when-clean-rx-ring.patch
+drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch
+pm-core-propagate-dev-power.wakeup_path-when-no-call.patch
+clk-rockchip-fix-video-codec-clocks-on-rk3288.patch
+extcon-arizona-disable-mic-detect-if-running-when-dr.patch
+clk-rockchip-make-rkpwm-a-critical-clock-on-rk3288.patch
+clk-zynqmp-fix-check-for-fractional-clock.patch
+s390-zcrypt-initialize-variables-before_use.patch
+x86-microcode-fix-the-ancient-deprecated-microcode-l.patch
+drm-amd-display-initialize-stream_update-with-memset.patch
+s390-mm-silence-compiler-warning-when-compiling-with.patch
+s390-cio-fix-cio_irb-declaration.patch
+drm-amd-display-use-proper-formula-to-calculate-band.patch
+selftests-cgroup-fix-cleanup-path-in-test_memcg_subt.patch
+net-hns3-fix-keep_alive_timer-not-stop-problem.patch
+qmi_wwan-add-quirk-for-quectel-dynamic-config.patch
+net-hns3-add-error-handler-for-initializing-command-.patch
+cpufreq-ppc_cbe-fix-possible-object-reference-leak.patch
+cpufreq-pasemi-fix-possible-object-reference-leak.patch
+cpufreq-pmac32-fix-possible-object-reference-leak.patch
+cpufreq-kirkwood-fix-possible-object-reference-leak.patch
+cpufreq-imx6q-fix-possible-object-reference-leak.patch
+cpufreq-ap806-fix-possible-object-reference-leak.patch
+block-sed-opal-fix-ioc_opal_enable_disable_mbr.patch
+habanalabs-prevent-device-pte-read-write-during-hard.patch
+habanalabs-all-fd-must-be-closed-before-removing-dev.patch
+samples-bpf-fix-build-with-new-clang.patch
+x86-build-keep-local-relocations-with-ld.lld.patch
+spi-don-t-call-spi_get_gpio_descs-before-device-name.patch
+regulator-core-avoid-potential-deadlock-on-regulator.patch
+asoc-core-remove-link-components-before-cleaning-up-.patch
+drm-pl111-fix-possible-object-reference-leak.patch
+iio-ad_sigma_delta-properly-handle-spi-bus-locking-v.patch
+iio-hmc5843-fix-potential-null-pointer-dereferences.patch
+iio-common-ssp_sensors-initialize-calculated_time-in.patch
+iio-adc-ti-ads7950-fix-improper-use-of-mlock.patch
+net-hns3-check-resetting-status-in-hns3_get_stats.patch
+net-hns3-add-protect-when-handling-mac-addr-list.patch
+selftests-bpf-ksym_search-won-t-check-symbols-exists.patch
+rtlwifi-fix-a-potential-null-pointer-dereference.patch
+mwifiex-fix-mem-leak-in-mwifiex_tm_cmd.patch
+brcmfmac-fix-missing-checks-for-kmemdup.patch
+b43-shut-up-clang-wuninitialized-variable-warning.patch
+brcmfmac-convert-dev_init_lock-mutex-to-completion.patch
+brcmfmac-fix-warning-during-usb-disconnect-in-case-o.patch
+brcmfmac-fix-race-during-disconnect-when-usb-complet.patch
+brcmfmac-fix-oops-when-bringing-up-interface-during-.patch
+rtc-xgene-fix-possible-race-condition.patch
+spi-add-missing-error-handling-for-cs-gpios.patch
+rtlwifi-fix-potential-null-pointer-dereference.patch
+scsi-ufs-fix-regulator-load-and-icc-level-configurat.patch
+scsi-ufs-avoid-configuring-regulator-with-undefined-.patch
+drm-panel-otm8009a-add-delay-at-the-end-of-initializ.patch
+drm-amd-display-prevent-cursor-hotspot-overflow-for-.patch
+arm64-cpu_ops-fix-a-leaked-reference-by-adding-missi.patch
+locking-static_key-fix-false-positive-warnings-on-co.patch
+wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch
+x86-uaccess-ftrace-fix-ftrace_likely_update-vs.-smap.patch
+iwlwifi-mvm-ibss-use-be-fifo-for-multicast.patch
+x86-uaccess-signal-fix-ac-1-bloat.patch
+x86-ia32-fix-ia32_restore_sigcontext-ac-leak.patch
+x86-uaccess-fix-up-the-fixup.patch
+chardev-add-additional-check-for-minor-range-overlap.patch
+rdma-hns-fix-bad-endianess-of-port_pd-variable.patch
+sh-sh7786-add-explicit-i-o-cast-to-sh7786_mm_sel.patch
+hid-core-move-usage-page-concatenation-to-main-item.patch
+asoc-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch
+asoc-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch
+asoc-wcd9335-fix-a-leaked-reference-by-adding-missin.patch
+cxgb3-l2t-fix-undefined-behaviour.patch
+clk-renesas-rcar-gen3-correct-parent-clock-of-sys-dm.patch
+block-avoid-to-break-xen-by-multi-page-bvec.patch
+block-pass-page-to-xen_biovec_phys_mergeable.patch
+clk-renesas-rcar-gen3-correct-parent-clock-of-audio-.patch
+hid-logitech-hidpp-change-low-battery-level-threshol.patch
+spi-tegra114-reset-controller-on-probe.patch
+habanalabs-prevent-cpu-soft-lockup-on-palladium.patch
+kobject-don-t-trigger-kobject_uevent-kobj_remove-twi.patch
+media-video-mux-fix-null-pointer-dereferences.patch
+media-wl128x-prevent-two-potential-buffer-overflows.patch
+media-gspca-kill-urbs-on-usb-device-disconnect.patch
+efifb-omit-memory-map-check-on-legacy-boot.patch
+media-mtk-vcodec-fix-access-to-incorrect-planes-memb.patch
+thunderbolt-property-fix-a-missing-check-of-kzalloc.patch
+thunderbolt-fix-to-check-the-return-value-of-kmemdup.patch
+drm-rcar-du-lvds-set-lven-and-lvres-bits-together-on.patch
+drm-rcar-du-lvds-fix-post-dll-divider-calculation.patch
+timekeeping-force-upper-bound-for-setting-clock_real.patch
+ib-mlx5-compare-only-index-part-of-a-memory-window-r.patch
+scsi-qedf-add-missing-return-in-qedf_post_io_req-in-.patch
+misc-fastrpc-consider-address-offset-before-sending-.patch
+misc-fastrpc-make-sure-memory-read-and-writes-are-vi.patch
+misc-fastrpc-fix-a-possible-double-free.patch
+virtio_console-initialize-vtermno-value-for-ports.patch
+tty-ipwireless-fix-missing-checks-for-ioremap.patch
+staging-mt7621-mmc-initialize-completions-a-single-t.patch
+overflow-fix-wtype-limits-compilation-warnings.patch
+x86-mce-fix-machine_check_poll-tests-for-error-types.patch
+rcutorture-fix-cleanup-path-for-invalid-torture_type.patch
+x86-mce-handle-varying-mca-bank-counts.patch
+rcuperf-fix-cleanup-path-for-invalid-perf_type-strin.patch
+rcu-do-a-single-rhp-func-read-in-rcu_head_after_call.patch
+x86-platform-uv-fix-missing-checks-of-kcalloc-return.patch
+rdma-rxe-fix-slab-out-bounds-access-which-lead-to-ke.patch
+spi-stm32-qspi-add-spi_master_put-in-release-functio.patch
+usb-core-add-pm-runtime-calls-to-usb_hcd_platform_sh.patch
+ice-fix-for-adaptive-interrupt-moderation.patch
+scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch
+scsi-lpfc-avoid-uninitialized-variable-warning.patch
+media-vicodec-bugfix-call-v4l2_m2m_buf_copy_metadata.patch
+ice-prevent-unintended-multiple-chain-resets.patch
+selinux-avoid-uninitialized-variable-warning.patch
+batman-adv-allow-updating-dat-entry-timeouts-on-inco.patch
+dmaengine-tegra210-adma-use-devm_clk_-helpers.patch
+x86-cpu-hygon-fix-phys_proc_id-calculation-logic-for.patch
+net-mlx5e-fix-compilation-warning-in-en_tc.c.patch
+staging-mt7621-mmc-check-for-nonzero-number-of-scatt.patch
+hwrng-omap-set-default-quality.patch
+thunderbolt-fix-to-check-return-value-of-ida_simple_.patch
+thunderbolt-fix-to-check-for-kmemdup-failure.patch
+spi-export-tracepoint-symbols-to-modules.patch
+regulator-add-regulator_get_linear_step-stub-helper.patch
+drm-amd-display-fix-releasing-planes-when-exiting-od.patch
+drm-amd-display-link-train-only-when-link-is-dp-and-.patch
+drm-amd-display-update-abm-crtc-state-on-non-modeset.patch
+drm-amd-display-reset-alpha-state-for-planes-to-the-.patch
+thunderbolt-property-fix-a-null-pointer-dereference.patch
+media-v4l2-fwnode-the-first-default-data-lane-is-0-o.patch
+media-ov7670-restore-default-settings-after-power-up.patch
+media-staging-intel-ipu3-mark-pm-function-as-__maybe.patch
+media-vicodec-reset-last_src-dst_buf-based-on-the-is.patch
+ice-fix-issue-with-vf-reset-and-multiple-vfs-support.patch
+e1000e-disable-runtime-pm-on-cnp.patch
+tinydrm-mipi-dbi-use-dma-safe-buffers-for-all-spi-tr.patch
+igb-exclude-device-from-suspend-direct-complete-opti.patch
+media-si2165-fix-a-missing-check-of-return-value.patch
+media-dvbsky-avoid-leaking-dvb-frontend.patch
+media-m88ds3103-serialize-reset-messages-in-m88ds310.patch
+drm-amd-display-add-pipe-lock-during-stream-update.patch
+media-staging-davinci_vpfe-disallow-building-with-co.patch
+drm-amd-display-fix-divide-by-0-in-memory-calculatio.patch
+drm-amd-display-re-add-custom-degamma-support.patch
+drm-amd-display-half-bandwidth-for-ycbcr420-during-v.patch
+drm-amd-display-set-stream-mode_changed-when-connect.patch
+scsi-ufs-fix-a-missing-check-of-devm_reset_control_g.patch
+media-vimc-stream-fix-thread-state-before-sleep.patch
+media-gspca-do-not-resubmit-urbs-when-streaming-has-.patch
+media-vicodec-avoid-clang-frame-size-warning.patch
+media-go7007-avoid-clang-frame-overflow-warning-with.patch
+media-mtk-vcodec-fix-access-to-vb2_v4l2_buffer-struc.patch
+media-imx-vdic-restore-default-case-to-prepare_vdi_i.patch
+media-vimc-zero-the-media_device-on-probe.patch
+media-vim2m-replace-devm_kzalloc-by-kzalloc.patch
+media-cedrus-add-a-quirk-for-not-setting-dma-offset.patch
+scsi-lpfc-fix-fdmi-manufacturer-attribute-value.patch
+scsi-lpfc-fix-fc4type-information-for-fdmi.patch
+scsi-lpfc-fix-io-lost-on-host-resets.patch
+media-saa7146-avoid-high-stack-usage-with-clang.patch
+scsi-lpfc-fix-sli3-commands-being-issued-on-sli4-dev.patch
+scsi-lpfc-fix-mailbox-hang-on-adapter-init.patch
+scsi-lpfc-resolve-inconsistent-check-of-hdwq-in-lpfc.patch
+scsi-lpfc-resolve-irq-unsafe-lockdep-heirarchy-warni.patch
+scsi-lpfc-fix-use-after-free-mailbox-cmd-completion.patch
+audit-fix-a-memleak-caused-by-auditing-load-module.patch
+spi-spi-topcliff-pch-fix-to-handle-empty-dma-buffers.patch
+drm-writeback-fix-leak-of-writeback-job.patch
+drm-omap-dsi-fix-pm-for-display-blank-with-paired-ds.patch
+drm-omap-notify-all-devices-in-the-pipeline-of-outpu.patch
+spi-rspi-fix-sequencer-reset-during-initialization.patch
+regulator-wm831x-ldo-fix-notifier-mutex-lock-warning.patch
+regulator-wm831x-isink-fix-notifier-mutex-lock-warni.patch
+regulator-ltc3676-fix-notifier-mutex-lock-warning.patch
+regulator-ltc3589-fix-notifier-mutex-lock-warning.patch
+regulator-pv88060-fix-notifier-mutex-lock-warning.patch
+spi-imx-stop-buffer-overflow-in-rx-fifo-flush.patch
+regulator-lp8755-fix-notifier-mutex-lock-warning.patch
+regulator-da9211-fix-notifier-mutex-lock-warning.patch
+regulator-da9063-fix-notifier-mutex-lock-warning.patch
+regulator-pv88080-fix-notifier-mutex-lock-warning.patch
+regulator-wm831x-fix-notifier-mutex-lock-warning.patch
+regulator-pv88090-fix-notifier-mutex-lock-warning.patch
+regulator-da9062-fix-notifier-mutex-lock-warning.patch
+regulator-da9055-fix-notifier-mutex-lock-warning.patch
+spi-fix-zero-length-xfer-bug.patch
+asoc-davinci-mcasp-fix-clang-warning-without-config_.patch
+asoc-ti-fix-davinci_mcasp_probe-dependencies.patch
+drm-v3d-handle-errors-from-irq-setup.patch
+drm-amd-display-fix-exception-from-aux-acquire-failu.patch
+drm-amd-display-reset-planes-that-were-disabled-in-i.patch
+drm-drv-hold-ref-on-parent-device-during-drm_device-.patch
+drm-wake-up-next-in-drm_read-chain-if-we-are-forced-.patch
+drm-sun4i-dsi-change-the-start-delay-calculation.patch
+drm-sun4i-dsi-restrict-dsi-tcon-clock-divider.patch
+vfio-ccw-prevent-quiesce-function-going-into-an-infi.patch
+extcon-axp288-add-a-depends-on-acpi-to-the-kconfig-e.patch
+ice-put-__ice_prepared_for_reset-check-in-ice_prepar.patch
+drm-sun4i-dsi-enforce-boundaries-on-the-start-delay.patch
+nfs-fix-a-double-unlock-from-nfs_match-get_client.patch
--- /dev/null
+From 47d7ed6da8d2f8afa89a2c418d24865c4c972e3e Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 11 Feb 2019 13:58:43 +0100
+Subject: sh: sh7786: Add explicit I/O cast to sh7786_mm_sel()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 8440bb9b944c02222c7a840d406141ed42e945cd ]
+
+When compile-testing on arm:
+
+ arch/sh/include/cpu-sh4/cpu/sh7786.h: In function ‘sh7786_mm_sel’:
+ arch/sh/include/cpu-sh4/cpu/sh7786.h:135:21: warning: passing argument 1 of ‘__raw_readl’ makes pointer from integer without a cast [-Wint-conversion]
+ return __raw_readl(0xFC400020) & 0x7;
+ ^~~~~~~~~~
+ In file included from include/linux/io.h:25:0,
+ from arch/sh/include/cpu-sh4/cpu/sh7786.h:14,
+ from drivers/pinctrl/sh-pfc/pfc-sh7786.c:15:
+ arch/arm/include/asm/io.h:113:21: note: expected ‘const volatile void *’ but argument is of type ‘unsigned int’
+ #define __raw_readl __raw_readl
+ ^
+ arch/arm/include/asm/io.h:114:19: note: in expansion of macro ‘__raw_readl’
+ static inline u32 __raw_readl(const volatile void __iomem *addr)
+ ^~~~~~~~~~~
+
+__raw_readl() on SuperH is a macro that casts the passed I/O address to
+the correct type, while the implementations on most other architectures
+expect to be passed the correct pointer type.
+
+Add an explicit cast to fix this.
+
+Note that this also gets rid of a sparse warning on SuperH:
+
+ arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16: warning: incorrect type in argument 1 (different base types)
+ arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16: expected void const volatile [noderef] <asn:2>*<noident>
+ arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16: got unsigned int
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/cpu-sh4/cpu/sh7786.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/sh/include/cpu-sh4/cpu/sh7786.h b/arch/sh/include/cpu-sh4/cpu/sh7786.h
+index 8f9bfbf3cdb10..d6cce65b48713 100644
+--- a/arch/sh/include/cpu-sh4/cpu/sh7786.h
++++ b/arch/sh/include/cpu-sh4/cpu/sh7786.h
+@@ -132,7 +132,7 @@ enum {
+
+ static inline u32 sh7786_mm_sel(void)
+ {
+- return __raw_readl(0xFC400020) & 0x7;
++ return __raw_readl((const volatile void __iomem *)0xFC400020) & 0x7;
+ }
+
+ #endif /* __CPU_SH7786_H__ */
+--
+2.20.1
+
--- /dev/null
+From 045ef9a4bc4d30f282c3de88848c5abcc809ae4c Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 13 Apr 2019 11:34:47 +0100
+Subject: slimbus: fix a potential NULL pointer dereference in
+ of_qcom_slim_ngd_register
+
+[ Upstream commit 06d5d6b7f9948a89543e1160ef852d57892c750d ]
+
+In case platform_device_alloc fails, the fix returns an error
+code to avoid the NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c
+index 71f094c9ec684..f3585777324cf 100644
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1342,6 +1342,10 @@ static int of_qcom_slim_ngd_register(struct device *parent,
+ return -ENOMEM;
+
+ ngd->pdev = platform_device_alloc(QCOM_SLIM_NGD_DRV_NAME, id);
++ if (!ngd->pdev) {
++ kfree(ngd);
++ return -ENOMEM;
++ }
+ ngd->id = id;
+ ngd->pdev->dev.parent = parent;
+ ngd->pdev->driver_override = QCOM_SLIM_NGD_DRV_NAME;
+--
+2.20.1
+
--- /dev/null
+From 9d7376cb36ba2f9993008a7b62357baa86d51942 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 24 Apr 2019 10:52:53 +0200
+Subject: smpboot: Place the __percpu annotation correctly
+
+[ Upstream commit d4645d30b50d1691c26ff0f8fa4e718b08f8d3bb ]
+
+The test robot reported a wrong assignment of a per-CPU variable which
+it detected by using sparse and sent a report. The assignment itself is
+correct. The annotation for sparse was wrong and hence the report.
+The first pointer is a "normal" pointer and points to the per-CPU memory
+area. That means that the __percpu annotation has to be moved.
+
+Move the __percpu annotation to pointer which points to the per-CPU
+area. This change affects only the sparse tool (and is ignored by the
+compiler).
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: f97f8f06a49fe ("smpboot: Provide infrastructure for percpu hotplug threads")
+Link: http://lkml.kernel.org/r/20190424085253.12178-1-bigeasy@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/smpboot.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/smpboot.h b/include/linux/smpboot.h
+index d0884b5250010..9d1bc65d226cc 100644
+--- a/include/linux/smpboot.h
++++ b/include/linux/smpboot.h
+@@ -29,7 +29,7 @@ struct smpboot_thread_data;
+ * @thread_comm: The base name of the thread
+ */
+ struct smp_hotplug_thread {
+- struct task_struct __percpu **store;
++ struct task_struct * __percpu *store;
+ struct list_head list;
+ int (*thread_should_run)(unsigned int cpu);
+ void (*thread_fn)(unsigned int cpu);
+--
+2.20.1
+
--- /dev/null
+From 356a40283a5bbcc5738f3319102f09a463086d0c Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 3 Apr 2019 16:46:56 +0200
+Subject: spi: Add missing error handling for CS GPIOs
+
+[ Upstream commit 1723fdec5fcbc4de3d26bbb23a9e1704ee258955 ]
+
+While devm_gpiod_get_index_optional() returns NULL if the GPIO is not
+present (i.e. -ENOENT), it may still return other error codes, like
+-EPROBE_DEFER. Currently these are not handled, leading to
+unrecoverable failures later in case of probe deferral:
+
+ gpiod_set_consumer_name: invalid GPIO (errorpointer)
+ gpiod_direction_output: invalid GPIO (errorpointer)
+ gpiod_set_value_cansleep: invalid GPIO (errorpointer)
+ gpiod_set_value_cansleep: invalid GPIO (errorpointer)
+ gpiod_set_value_cansleep: invalid GPIO (errorpointer)
+
+Detect and propagate errors to fix this.
+
+Fixes: f3186dd876697e69 ("spi: Optionally use GPIO descriptors for CS GPIOs")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index d17f68775a4bb..e3f2e15b75ad4 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2195,6 +2195,8 @@ static int spi_get_gpio_descs(struct spi_controller *ctlr)
+ */
+ cs[i] = devm_gpiod_get_index_optional(dev, "cs", i,
+ GPIOD_OUT_LOW);
++ if (IS_ERR(cs[i]))
++ return PTR_ERR(cs[i]);
+
+ if (cs[i]) {
+ /*
+--
+2.20.1
+
--- /dev/null
+From a08a28036acb91904b5c88779ce7d9274c6b8c96 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+Date: Wed, 24 Apr 2019 09:17:59 +0000
+Subject: spi: atmel-quadspi: fix crash while suspending
+
+[ Upstream commit e5c27498a0403b270620b1a8a0a66e3efc222fb6 ]
+
+atmel_qspi objects are kept in spi_controller objects, so, first get
+pointer to spi_controller object and then get atmel_qspi object from
+spi_controller object.
+
+Fixes: 2d30ac5ed633 ("mtd: spi-nor: atmel-quadspi: Use spi-mem interface for atmel-quadspi driver")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/atmel-quadspi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c
+index fffc21cd5f793..b3173ebddaded 100644
+--- a/drivers/spi/atmel-quadspi.c
++++ b/drivers/spi/atmel-quadspi.c
+@@ -570,7 +570,8 @@ static int atmel_qspi_remove(struct platform_device *pdev)
+
+ static int __maybe_unused atmel_qspi_suspend(struct device *dev)
+ {
+- struct atmel_qspi *aq = dev_get_drvdata(dev);
++ struct spi_controller *ctrl = dev_get_drvdata(dev);
++ struct atmel_qspi *aq = spi_controller_get_devdata(ctrl);
+
+ clk_disable_unprepare(aq->qspick);
+ clk_disable_unprepare(aq->pclk);
+@@ -580,7 +581,8 @@ static int __maybe_unused atmel_qspi_suspend(struct device *dev)
+
+ static int __maybe_unused atmel_qspi_resume(struct device *dev)
+ {
+- struct atmel_qspi *aq = dev_get_drvdata(dev);
++ struct spi_controller *ctrl = dev_get_drvdata(dev);
++ struct atmel_qspi *aq = spi_controller_get_devdata(ctrl);
+
+ clk_prepare_enable(aq->pclk);
+ clk_prepare_enable(aq->qspick);
+--
+2.20.1
+
--- /dev/null
+From 1296560d9a860bc9aabcb4f3630036f81fa328ef Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Tue, 2 Apr 2019 21:01:28 -0700
+Subject: spi: Don't call spi_get_gpio_descs() before device name is set
+
+[ Upstream commit 0a919ae49223d32ac0e8be3494547fcd1e4aa0aa ]
+
+Move code calling spi_get_gpio_descs() to happen after ctlr->dev's
+name is set in order to have proper GPIO consumer names.
+
+Before:
+
+cat /sys/kernel/debug/gpio
+gpiochip0: GPIOs 0-31, parent: platform/40049000.gpio, vf610-gpio:
+ gpio-6 ( |regulator-usb0-vbus ) out lo
+
+gpiochip1: GPIOs 32-63, parent: platform/4004a000.gpio, vf610-gpio:
+ gpio-36 ( |scl ) in hi
+ gpio-37 ( |sda ) in hi
+ gpio-40 ( |(null) CS1 ) out lo
+ gpio-41 ( |(null) CS0 ) out lo ACTIVE LOW
+ gpio-42 ( |miso ) in hi
+ gpio-43 ( |mosi ) in lo
+ gpio-44 ( |sck ) out lo
+
+After:
+
+cat /sys/kernel/debug/gpio
+gpiochip0: GPIOs 0-31, parent: platform/40049000.gpio, vf610-gpio:
+ gpio-6 ( |regulator-usb0-vbus ) out lo
+
+gpiochip1: GPIOs 32-63, parent: platform/4004a000.gpio, vf610-gpio:
+ gpio-36 ( |scl ) in hi
+ gpio-37 ( |sda ) in hi
+ gpio-40 ( |spi0 CS1 ) out lo
+ gpio-41 ( |spi0 CS0 ) out lo ACTIVE LOW
+ gpio-42 ( |miso ) in hi
+ gpio-43 ( |mosi ) in lo
+ gpio-44 ( |sck ) out lo
+
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Chris Healy <cphealy@gmail.com>
+Cc: linux-spi@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 37 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 93986f879b09e..d17f68775a4bb 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2275,24 +2275,6 @@ int spi_register_controller(struct spi_controller *ctlr)
+ if (status)
+ return status;
+
+- if (!spi_controller_is_slave(ctlr)) {
+- if (ctlr->use_gpio_descriptors) {
+- status = spi_get_gpio_descs(ctlr);
+- if (status)
+- return status;
+- /*
+- * A controller using GPIO descriptors always
+- * supports SPI_CS_HIGH if need be.
+- */
+- ctlr->mode_bits |= SPI_CS_HIGH;
+- } else {
+- /* Legacy code path for GPIOs from DT */
+- status = of_spi_register_master(ctlr);
+- if (status)
+- return status;
+- }
+- }
+-
+ /* even if it's just one always-selected device, there must
+ * be at least one chipselect
+ */
+@@ -2349,6 +2331,25 @@ int spi_register_controller(struct spi_controller *ctlr)
+ * registration fails if the bus ID is in use.
+ */
+ dev_set_name(&ctlr->dev, "spi%u", ctlr->bus_num);
++
++ if (!spi_controller_is_slave(ctlr)) {
++ if (ctlr->use_gpio_descriptors) {
++ status = spi_get_gpio_descs(ctlr);
++ if (status)
++ return status;
++ /*
++ * A controller using GPIO descriptors always
++ * supports SPI_CS_HIGH if need be.
++ */
++ ctlr->mode_bits |= SPI_CS_HIGH;
++ } else {
++ /* Legacy code path for GPIOs from DT */
++ status = of_spi_register_master(ctlr);
++ if (status)
++ return status;
++ }
++ }
++
+ status = device_add(&ctlr->dev);
+ if (status < 0) {
+ /* free bus id */
+--
+2.20.1
+
--- /dev/null
+From 0a72f0ef60862ab953829ce0c7a7cda630cfaf0a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 21 Mar 2019 13:42:25 +0100
+Subject: spi: export tracepoint symbols to modules
+
+[ Upstream commit ca1438dcb34c7fcad63b6ce14ea63a870b92a69b ]
+
+The newly added tracepoints in the spi-mxs driver cause a link
+error when the driver is a loadable module:
+
+ERROR: "__tracepoint_spi_transfer_stop" [drivers/spi/spi-mxs.ko] undefined!
+ERROR: "__tracepoint_spi_transfer_start" [drivers/spi/spi-mxs.ko] undefined!
+
+I'm not quite sure where to put the export statements, but
+directly after the inclusion of the header seems as good as
+any other place.
+
+Fixes: f3fdea3af405 ("spi: mxs: add tracing to custom .transfer_one_message callback")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index e3f2e15b75ad4..6cb72287eac82 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -36,6 +36,8 @@
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/spi.h>
++EXPORT_TRACEPOINT_SYMBOL(spi_transfer_start);
++EXPORT_TRACEPOINT_SYMBOL(spi_transfer_stop);
+
+ #include "internals.h"
+
+--
+2.20.1
+
--- /dev/null
+From d80e39aff45a300aca4542e67f2c4cd587066fb2 Mon Sep 17 00:00:00 2001
+From: Chris Lesiak <chris.lesiak@licor.com>
+Date: Thu, 7 Mar 2019 20:39:00 +0000
+Subject: spi: Fix zero length xfer bug
+
+[ Upstream commit 5442dcaa0d90fc376bdfc179a018931a8f43dea4 ]
+
+This fixes a bug for messages containing both zero length and
+unidirectional xfers.
+
+The function spi_map_msg will allocate dummy tx and/or rx buffers
+for use with unidirectional transfers when the hardware can only do
+a bidirectional transfer. That dummy buffer will be used in place
+of a NULL buffer even when the xfer length is 0.
+
+Then in the function __spi_map_msg, if he hardware can dma,
+the zero length xfer will have spi_map_buf called on the dummy
+buffer.
+
+Eventually, __sg_alloc_table is called and returns -EINVAL
+because nents == 0.
+
+This fix prevents the error by not using the dummy buffer when
+the xfer length is zero.
+
+Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 6cb72287eac82..a83fcddf1dadc 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1041,6 +1041,8 @@ static int spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg)
+ if (max_tx || max_rx) {
+ list_for_each_entry(xfer, &msg->transfers,
+ transfer_list) {
++ if (!xfer->len)
++ continue;
+ if (!xfer->tx_buf)
+ xfer->tx_buf = ctlr->dummy_tx;
+ if (!xfer->rx_buf)
+--
+2.20.1
+
--- /dev/null
+From c2c298b49e428909d9f7fd6f2ba724458c486475 Mon Sep 17 00:00:00 2001
+From: Trent Piepho <tpiepho@impinj.com>
+Date: Mon, 4 Mar 2019 20:18:49 +0000
+Subject: spi: imx: stop buffer overflow in RX FIFO flush
+
+[ Upstream commit c842749ea1d32513f9e603c074d60d7aa07cb2ef ]
+
+Commit 71abd29057cb ("spi: imx: Add support for SPI Slave mode") added
+an RX FIFO flush before start of a transfer. In slave mode, the master
+may have sent more data than expected and this data will still be in the
+RX FIFO at the start of the next transfer, and so needs to be flushed.
+
+However, the code to do the flush was accidentally saving this data into
+the previous transfer's RX buffer, clobbering the contents of whatever
+followed that buffer.
+
+Change it to empty the FIFO and throw away the data. Every one of the
+RX functions for the different eCSPI versions and modes reads the RX
+FIFO data using the same readl() call, so just use that, rather than
+using the spi_imx->rx function pointer and making sure all the different
+rx functions have a working "throw away" mode.
+
+There is another issue, which affects master mode when switching from
+DMA to PIO. There can be extra data in the RX FIFO which triggers this
+flush code, causing memory corruption in the same manner. I don't know
+why this data is unexpectedly in the FIFO. It's likely there is a
+different bug or erratum responsible for that. But regardless of that,
+I think this is proper fix the for bug at hand here.
+
+Fixes: 71abd29057cb ("spi: imx: Add support for SPI Slave mode")
+Cc: Jiada Wang <jiada_wang@mentor.com>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Stefan Agner <stefan@agner.ch>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Trent Piepho <tpiepho@impinj.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index 6ec647bbba772..a81ae29aa68a9 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1494,7 +1494,7 @@ static int spi_imx_transfer(struct spi_device *spi,
+
+ /* flush rxfifo before transfer */
+ while (spi_imx->devtype_data->rx_available(spi_imx))
+- spi_imx->rx(spi_imx);
++ readl(spi_imx->base + MXC_CSPIRXDATA);
+
+ if (spi_imx->slave_mode)
+ return spi_imx_pio_transfer_slave(spi, transfer);
+--
+2.20.1
+
--- /dev/null
+From c5ba4bd8277a9c70c2b6ec6034b5541b21c4354a Mon Sep 17 00:00:00 2001
+From: Flavio Suligoi <f.suligoi@asem.it>
+Date: Fri, 12 Apr 2019 09:32:19 +0200
+Subject: spi: pxa2xx: fix SCR (divisor) calculation
+
+[ Upstream commit 29f2133717c527f492933b0622a4aafe0b3cbe9e ]
+
+Calculate the divisor for the SCR (Serial Clock Rate), avoiding
+that the SSP transmission rate can be greater than the device rate.
+
+When the division between the SSP clock and the device rate generates
+a reminder, we have to increment by one the divisor.
+In this way the resulting SSP clock will never be greater than the
+device SPI max frequency.
+
+For example, with:
+
+ - ssp_clk = 50 MHz
+ - dev freq = 15 MHz
+
+without this patch the SSP clock will be greater than 15 MHz:
+
+ - 25 MHz for PXA25x_SSP and CE4100_SSP
+ - 16,56 MHz for the others
+
+Instead, with this patch, we have in both case an SSP clock of 12.5MHz,
+so the max rate of the SPI device clock is respected.
+
+Signed-off-by: Flavio Suligoi <f.suligoi@asem.it>
+Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-pxa2xx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
+index b6ddba833d021..d2076f2f468f0 100644
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -884,10 +884,14 @@ static unsigned int ssp_get_clk_div(struct driver_data *drv_data, int rate)
+
+ rate = min_t(int, ssp_clk, rate);
+
++ /*
++ * Calculate the divisor for the SCR (Serial Clock Rate), avoiding
++ * that the SSP transmission rate can be greater than the device rate
++ */
+ if (ssp->type == PXA25x_SSP || ssp->type == CE4100_SSP)
+- return (ssp_clk / (2 * rate) - 1) & 0xff;
++ return (DIV_ROUND_UP(ssp_clk, 2 * rate) - 1) & 0xff;
+ else
+- return (ssp_clk / rate - 1) & 0xfff;
++ return (DIV_ROUND_UP(ssp_clk, rate) - 1) & 0xfff;
+ }
+
+ static unsigned int pxa2xx_ssp_get_clk_div(struct driver_data *drv_data,
+--
+2.20.1
+
--- /dev/null
+From 29d1b89b04a25a6fc62f90b0971bb821cd506402 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 12 Mar 2019 19:45:13 +0100
+Subject: spi: rspi: Fix sequencer reset during initialization
+
+[ Upstream commit 26843bb128590edd7eba1ad7ce22e4b9f1066ce3 ]
+
+While the sequencer is reset after each SPI message since commit
+880c6d114fd79a69 ("spi: rspi: Add support for Quad and Dual SPI
+Transfers on QSPI"), it was never reset for the first message, thus
+relying on reset state or bootloader settings.
+
+Fix this by initializing it explicitly during configuration.
+
+Fixes: 0b2182ddac4b8837 ("spi: add support for Renesas RSPI")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-rspi.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c
+index 556870dcdf799..5d35a82945cd1 100644
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -271,7 +271,8 @@ static int rspi_set_config_register(struct rspi_data *rspi, int access_size)
+ /* Sets parity, interrupt mask */
+ rspi_write8(rspi, 0x00, RSPI_SPCR2);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+@@ -315,7 +316,8 @@ static int rspi_rz_set_config_register(struct rspi_data *rspi, int access_size)
+ rspi_write8(rspi, 0x00, RSPI_SSLND);
+ rspi_write8(rspi, 0x00, RSPI_SPND);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+@@ -366,7 +368,8 @@ static int qspi_set_config_register(struct rspi_data *rspi, int access_size)
+ /* Sets buffer to allow normal operation */
+ rspi_write8(rspi, 0x00, QSPI_SPBFCR);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+ /* Sets RSPI mode */
+--
+2.20.1
+
--- /dev/null
+From db2dad54474fd0c0af02255236c9606be8c47e6a Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 13 Mar 2019 11:55:41 -0500
+Subject: spi : spi-topcliff-pch: Fix to handle empty DMA buffers
+
+[ Upstream commit f37d8e67f39e6d3eaf4cc5471e8a3d21209843c6 ]
+
+pch_alloc_dma_buf allocated tx, rx DMA buffers which can fail. Further,
+these buffers are used without a check. The patch checks for these
+failures and sends the error upstream.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-topcliff-pch.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c
+index fba3f180f233b..8a5966963834c 100644
+--- a/drivers/spi/spi-topcliff-pch.c
++++ b/drivers/spi/spi-topcliff-pch.c
+@@ -1299,18 +1299,27 @@ static void pch_free_dma_buf(struct pch_spi_board_data *board_dat,
+ dma->rx_buf_virt, dma->rx_buf_dma);
+ }
+
+-static void pch_alloc_dma_buf(struct pch_spi_board_data *board_dat,
++static int pch_alloc_dma_buf(struct pch_spi_board_data *board_dat,
+ struct pch_spi_data *data)
+ {
+ struct pch_spi_dma_ctrl *dma;
++ int ret;
+
+ dma = &data->dma;
++ ret = 0;
+ /* Get Consistent memory for Tx DMA */
+ dma->tx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev,
+ PCH_BUF_SIZE, &dma->tx_buf_dma, GFP_KERNEL);
++ if (!dma->tx_buf_virt)
++ ret = -ENOMEM;
++
+ /* Get Consistent memory for Rx DMA */
+ dma->rx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev,
+ PCH_BUF_SIZE, &dma->rx_buf_dma, GFP_KERNEL);
++ if (!dma->rx_buf_virt)
++ ret = -ENOMEM;
++
++ return ret;
+ }
+
+ static int pch_spi_pd_probe(struct platform_device *plat_dev)
+@@ -1387,7 +1396,9 @@ static int pch_spi_pd_probe(struct platform_device *plat_dev)
+
+ if (use_dma) {
+ dev_info(&plat_dev->dev, "Use DMA for data transfers\n");
+- pch_alloc_dma_buf(board_dat, data);
++ ret = pch_alloc_dma_buf(board_dat, data);
++ if (ret)
++ goto err_spi_register_master;
+ }
+
+ ret = spi_register_master(master);
+--
+2.20.1
+
--- /dev/null
+From 58910ba59e97dc0f7ddec7388b3b62e320807c97 Mon Sep 17 00:00:00 2001
+From: Ludovic Barre <ludovic.barre@st.com>
+Date: Mon, 25 Mar 2019 18:01:39 +0100
+Subject: spi: stm32-qspi: add spi_master_put in release function
+
+[ Upstream commit a88eceb17ac7e8dc4ad9995681af61c8371668f4 ]
+
+This patch adds spi_master_put in release function
+to drop the controller's refcount.
+
+Signed-off-by: Ludovic Barre <ludovic.barre@st.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32-qspi.c | 46 ++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/spi/spi-stm32-qspi.c b/drivers/spi/spi-stm32-qspi.c
+index 3b2a9a6b990da..0b9a8bddb939d 100644
+--- a/drivers/spi/spi-stm32-qspi.c
++++ b/drivers/spi/spi-stm32-qspi.c
+@@ -93,6 +93,7 @@ struct stm32_qspi_flash {
+
+ struct stm32_qspi {
+ struct device *dev;
++ struct spi_controller *ctrl;
+ void __iomem *io_base;
+ void __iomem *mm_base;
+ resource_size_t mm_size;
+@@ -397,6 +398,7 @@ static void stm32_qspi_release(struct stm32_qspi *qspi)
+ writel_relaxed(0, qspi->io_base + QSPI_CR);
+ mutex_destroy(&qspi->lock);
+ clk_disable_unprepare(qspi->clk);
++ spi_master_put(qspi->ctrl);
+ }
+
+ static int stm32_qspi_probe(struct platform_device *pdev)
+@@ -413,43 +415,54 @@ static int stm32_qspi_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ qspi = spi_controller_get_devdata(ctrl);
++ qspi->ctrl = ctrl;
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "qspi");
+ qspi->io_base = devm_ioremap_resource(dev, res);
+- if (IS_ERR(qspi->io_base))
+- return PTR_ERR(qspi->io_base);
++ if (IS_ERR(qspi->io_base)) {
++ ret = PTR_ERR(qspi->io_base);
++ goto err;
++ }
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "qspi_mm");
+ qspi->mm_base = devm_ioremap_resource(dev, res);
+- if (IS_ERR(qspi->mm_base))
+- return PTR_ERR(qspi->mm_base);
++ if (IS_ERR(qspi->mm_base)) {
++ ret = PTR_ERR(qspi->mm_base);
++ goto err;
++ }
+
+ qspi->mm_size = resource_size(res);
+- if (qspi->mm_size > STM32_QSPI_MAX_MMAP_SZ)
+- return -EINVAL;
++ if (qspi->mm_size > STM32_QSPI_MAX_MMAP_SZ) {
++ ret = -EINVAL;
++ goto err;
++ }
+
+ irq = platform_get_irq(pdev, 0);
+ ret = devm_request_irq(dev, irq, stm32_qspi_irq, 0,
+ dev_name(dev), qspi);
+ if (ret) {
+ dev_err(dev, "failed to request irq\n");
+- return ret;
++ goto err;
+ }
+
+ init_completion(&qspi->data_completion);
+
+ qspi->clk = devm_clk_get(dev, NULL);
+- if (IS_ERR(qspi->clk))
+- return PTR_ERR(qspi->clk);
++ if (IS_ERR(qspi->clk)) {
++ ret = PTR_ERR(qspi->clk);
++ goto err;
++ }
+
+ qspi->clk_rate = clk_get_rate(qspi->clk);
+- if (!qspi->clk_rate)
+- return -EINVAL;
++ if (!qspi->clk_rate) {
++ ret = -EINVAL;
++ goto err;
++ }
+
+ ret = clk_prepare_enable(qspi->clk);
+ if (ret) {
+ dev_err(dev, "can not enable the clock\n");
+- return ret;
++ goto err;
+ }
+
+ rstc = devm_reset_control_get_exclusive(dev, NULL);
+@@ -472,14 +485,11 @@ static int stm32_qspi_probe(struct platform_device *pdev)
+ ctrl->dev.of_node = dev->of_node;
+
+ ret = devm_spi_register_master(dev, ctrl);
+- if (ret)
+- goto err_spi_register;
+-
+- return 0;
++ if (!ret)
++ return 0;
+
+-err_spi_register:
++err:
+ stm32_qspi_release(qspi);
+-
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 0774f91e633f407c9b2c084b74d8d073a13bd46e Mon Sep 17 00:00:00 2001
+From: Sowjanya Komatineni <skomatineni@nvidia.com>
+Date: Tue, 26 Mar 2019 22:56:32 -0700
+Subject: spi: tegra114: reset controller on probe
+
+[ Upstream commit 019194933339b3e9b486639c8cb3692020844d65 ]
+
+Fixes: SPI driver can be built as module so perform SPI controller reset
+on probe to make sure it is in valid state before initiating transfer.
+
+Signed-off-by: Sowjanya Komatineni <skomatineni@nvidia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra114.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c
+index a76acedd7e2f4..a1888dc6a938a 100644
+--- a/drivers/spi/spi-tegra114.c
++++ b/drivers/spi/spi-tegra114.c
+@@ -1067,27 +1067,19 @@ static int tegra_spi_probe(struct platform_device *pdev)
+
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+- ret = request_threaded_irq(tspi->irq, tegra_spi_isr,
+- tegra_spi_isr_thread, IRQF_ONESHOT,
+- dev_name(&pdev->dev), tspi);
+- if (ret < 0) {
+- dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+- tspi->irq);
+- goto exit_free_master;
+- }
+
+ tspi->clk = devm_clk_get(&pdev->dev, "spi");
+ if (IS_ERR(tspi->clk)) {
+ dev_err(&pdev->dev, "can not get clock\n");
+ ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_free_master;
+ }
+
+ tspi->rst = devm_reset_control_get_exclusive(&pdev->dev, "spi");
+ if (IS_ERR(tspi->rst)) {
+ dev_err(&pdev->dev, "can not get reset\n");
+ ret = PTR_ERR(tspi->rst);
+- goto exit_free_irq;
++ goto exit_free_master;
+ }
+
+ tspi->max_buf_size = SPI_FIFO_DEPTH << 2;
+@@ -1095,7 +1087,7 @@ static int tegra_spi_probe(struct platform_device *pdev)
+
+ ret = tegra_spi_init_dma_param(tspi, true);
+ if (ret < 0)
+- goto exit_free_irq;
++ goto exit_free_master;
+ ret = tegra_spi_init_dma_param(tspi, false);
+ if (ret < 0)
+ goto exit_rx_dma_free;
+@@ -1117,18 +1109,32 @@ static int tegra_spi_probe(struct platform_device *pdev)
+ dev_err(&pdev->dev, "pm runtime get failed, e = %d\n", ret);
+ goto exit_pm_disable;
+ }
++
++ reset_control_assert(tspi->rst);
++ udelay(2);
++ reset_control_deassert(tspi->rst);
+ tspi->def_command1_reg = SPI_M_S;
+ tegra_spi_writel(tspi, tspi->def_command1_reg, SPI_COMMAND1);
+ pm_runtime_put(&pdev->dev);
++ ret = request_threaded_irq(tspi->irq, tegra_spi_isr,
++ tegra_spi_isr_thread, IRQF_ONESHOT,
++ dev_name(&pdev->dev), tspi);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
++ tspi->irq);
++ goto exit_pm_disable;
++ }
+
+ master->dev.of_node = pdev->dev.of_node;
+ ret = devm_spi_register_master(&pdev->dev, master);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "can not register to master err %d\n", ret);
+- goto exit_pm_disable;
++ goto exit_free_irq;
+ }
+ return ret;
+
++exit_free_irq:
++ free_irq(spi_irq, tspi);
+ exit_pm_disable:
+ pm_runtime_disable(&pdev->dev);
+ if (!pm_runtime_status_suspended(&pdev->dev))
+@@ -1136,8 +1142,6 @@ static int tegra_spi_probe(struct platform_device *pdev)
+ tegra_spi_deinit_dma_param(tspi, false);
+ exit_rx_dma_free:
+ tegra_spi_deinit_dma_param(tspi, true);
+-exit_free_irq:
+- free_irq(spi_irq, tspi);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 349ba1b03f2fe2ec8046d908d81def8a806bfc45 Mon Sep 17 00:00:00 2001
+From: George Hilliard <thirtythreeforty@gmail.com>
+Date: Wed, 20 Mar 2019 16:42:05 -0600
+Subject: staging: mt7621-mmc: Check for nonzero number of scatterlist entries
+
+[ Upstream commit d4223e06b6aed581625f574ad8faa71b6c0fc903 ]
+
+The buffer descriptor setup loop is correct only if it is setting up at
+least one bd struct. Besides, there is an error if dma_map_sg() returns
+0, which is possible and must be handled.
+
+Additionally, remove the BUG_ON() checking sglen, which is unnecessary
+because we configure DMA with that constraint during init.
+
+Signed-off-by: George Hilliard <thirtythreeforty@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/mt7621-mmc/sd.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/mt7621-mmc/sd.c b/drivers/staging/mt7621-mmc/sd.c
+index 74f0e57ad2f15..38f9ea02ee3a9 100644
+--- a/drivers/staging/mt7621-mmc/sd.c
++++ b/drivers/staging/mt7621-mmc/sd.c
+@@ -596,8 +596,6 @@ static void msdc_dma_setup(struct msdc_host *host, struct msdc_dma *dma,
+ struct bd *bd;
+ u32 j;
+
+- BUG_ON(sglen > MAX_BD_NUM); /* not support currently */
+-
+ gpd = dma->gpd;
+ bd = dma->bd;
+
+@@ -692,6 +690,13 @@ static int msdc_do_request(struct mmc_host *mmc, struct mmc_request *mrq)
+ data->sg_count = dma_map_sg(mmc_dev(mmc), data->sg,
+ data->sg_len,
+ mmc_get_dma_dir(data));
++
++ if (data->sg_count == 0) {
++ dev_err(mmc_dev(host->mmc), "failed to map DMA for transfer\n");
++ data->error = -ENOMEM;
++ goto done;
++ }
++
+ msdc_dma_setup(host, &host->dma, data->sg,
+ data->sg_count);
+
+--
+2.20.1
+
--- /dev/null
+From 4bbecc0ae5e66649d986459f984ccc748500282a Mon Sep 17 00:00:00 2001
+From: George Hilliard <thirtythreeforty@gmail.com>
+Date: Tue, 26 Mar 2019 19:50:57 -0600
+Subject: staging: mt7621-mmc: Initialize completions a single time during
+ probe
+
+[ Upstream commit 7ca8c2c8bbeda2a2a2a9898cd35066bc1dc83836 ]
+
+The module was initializing completions whenever it was going to wait on
+them, and not when the completion was allocated. This is incorrect
+according to the completion docs:
+
+ Calling init_completion() on the same completion object twice is
+ most likely a bug [...]
+
+Re-initialization is also unnecessary because the module never uses
+complete_all(). Fix this by only ever initializing the completion a
+single time, and log if the completions are not consumed as intended
+(this is not a fatal problem, but should not go unnoticed).
+
+Signed-off-by: George Hilliard <thirtythreeforty@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/mt7621-mmc/sd.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/mt7621-mmc/sd.c b/drivers/staging/mt7621-mmc/sd.c
+index 4b26ec896a96f..74f0e57ad2f15 100644
+--- a/drivers/staging/mt7621-mmc/sd.c
++++ b/drivers/staging/mt7621-mmc/sd.c
+@@ -468,7 +468,11 @@ static unsigned int msdc_command_start(struct msdc_host *host,
+ host->cmd = cmd;
+ host->cmd_rsp = resp;
+
+- init_completion(&host->cmd_done);
++ // The completion should have been consumed by the previous command
++ // response handler, because the mmc requests should be serialized
++ if (completion_done(&host->cmd_done))
++ dev_err(mmc_dev(host->mmc),
++ "previous command was not handled\n");
+
+ sdr_set_bits(host->base + MSDC_INTEN, wints);
+ sdc_send_cmd(rawcmd, cmd->arg);
+@@ -490,7 +494,6 @@ static unsigned int msdc_command_resp(struct msdc_host *host,
+ MSDC_INT_ACMD19_DONE;
+
+ BUG_ON(in_interrupt());
+- //init_completion(&host->cmd_done);
+ //sdr_set_bits(host->base + MSDC_INTEN, wints);
+
+ spin_unlock(&host->lock);
+@@ -674,7 +677,13 @@ static int msdc_do_request(struct mmc_host *mmc, struct mmc_request *mrq)
+ //msdc_clr_fifo(host); /* no need */
+
+ msdc_dma_on(); /* enable DMA mode first!! */
+- init_completion(&host->xfer_done);
++
++ // The completion should have been consumed by the previous
++ // xfer response handler, because the mmc requests should be
++ // serialized
++ if (completion_done(&host->cmd_done))
++ dev_err(mmc_dev(host->mmc),
++ "previous transfer was not handled\n");
+
+ /* start the command first*/
+ if (msdc_command_start(host, cmd, CMD_TIMEOUT) != 0)
+@@ -693,7 +702,6 @@ static int msdc_do_request(struct mmc_host *mmc, struct mmc_request *mrq)
+ /* for read, the data coming too fast, then CRC error
+ * start DMA no business with CRC.
+ */
+- //init_completion(&host->xfer_done);
+ msdc_dma_start(host);
+
+ spin_unlock(&host->lock);
+@@ -1688,6 +1696,8 @@ static int msdc_drv_probe(struct platform_device *pdev)
+ }
+ msdc_init_gpd_bd(host, &host->dma);
+
++ init_completion(&host->cmd_done);
++ init_completion(&host->xfer_done);
+ INIT_DELAYED_WORK(&host->card_delaywork, msdc_tasklet_card);
+ spin_lock_init(&host->lock);
+ msdc_init_hw(host);
+--
+2.20.1
+
--- /dev/null
+From 825faccd833861826469585616ad84cc3914386b Mon Sep 17 00:00:00 2001
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Fri, 19 Apr 2019 01:31:08 +0200
+Subject: staging: vc04_services: handle kzalloc failure
+
+[ Upstream commit a5112277872a56017b777770e2fd4324d4a6c866 ]
+
+The kzalloc here was being used without checking the return - if the
+kzalloc fails return VCHIQ_ERROR. The call-site of
+vchiq_platform_init_state() vchiq_init_state() was not responding
+to an allocation failure so checks for != VCHIQ_SUCCESS
+and pass VCHIQ_ERROR up to vchiq_platform_init() which then
+will fail with -EINVAL.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Reported-by: kbuild test robot <lkp@intel.com>
+Acked-By: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 3 +++
+ drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+index dd4898861b833..eb1e5dcb0d529 100644
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+@@ -209,6 +209,9 @@ vchiq_platform_init_state(struct vchiq_state *state)
+ struct vchiq_2835_state *platform_state;
+
+ state->platform_state = kzalloc(sizeof(*platform_state), GFP_KERNEL);
++ if (!state->platform_state)
++ return VCHIQ_ERROR;
++
+ platform_state = (struct vchiq_2835_state *)state->platform_state;
+
+ platform_state->inited = 1;
+diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
+index 53f5a1cb4636e..819813e742d8a 100644
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
+@@ -2239,6 +2239,8 @@ vchiq_init_state(struct vchiq_state *state, struct vchiq_slot_zero *slot_zero)
+ local->debug[DEBUG_ENTRIES] = DEBUG_MAX;
+
+ status = vchiq_platform_init_state(state);
++ if (status != VCHIQ_SUCCESS)
++ return VCHIQ_ERROR;
+
+ /*
+ bring up slot handler thread
+--
+2.20.1
+
--- /dev/null
+From 078fdcb4b1c8bcc6953e91243892c8164754cca9 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 10:57:54 -0500
+Subject: thunderbolt: Fix to check for kmemdup failure
+
+[ Upstream commit 2cc12751cf464a722ff57b54d17d30c84553f9c0 ]
+
+Memory allocated via kmemdup might fail and return a NULL pointer.
+This patch adds a check on the return value of kmemdup and passes the
+error upstream.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/switch.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c
+index 32e012713dbeb..f569a2673742f 100644
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -1287,13 +1287,14 @@ int tb_switch_configure(struct tb_switch *sw)
+ return tb_plug_events_active(sw, true);
+ }
+
+-static void tb_switch_set_uuid(struct tb_switch *sw)
++static int tb_switch_set_uuid(struct tb_switch *sw)
+ {
+ u32 uuid[4];
+- int cap;
++ int cap, ret;
+
++ ret = 0;
+ if (sw->uuid)
+- return;
++ return ret;
+
+ /*
+ * The newer controllers include fused UUID as part of link
+@@ -1301,7 +1302,9 @@ static void tb_switch_set_uuid(struct tb_switch *sw)
+ */
+ cap = tb_switch_find_vse_cap(sw, TB_VSE_CAP_LINK_CONTROLLER);
+ if (cap > 0) {
+- tb_sw_read(sw, uuid, TB_CFG_SWITCH, cap + 3, 4);
++ ret = tb_sw_read(sw, uuid, TB_CFG_SWITCH, cap + 3, 4);
++ if (ret)
++ return ret;
+ } else {
+ /*
+ * ICM generates UUID based on UID and fills the upper
+@@ -1316,6 +1319,9 @@ static void tb_switch_set_uuid(struct tb_switch *sw)
+ }
+
+ sw->uuid = kmemdup(uuid, sizeof(uuid), GFP_KERNEL);
++ if (!sw->uuid)
++ ret = -ENOMEM;
++ return ret;
+ }
+
+ static int tb_switch_add_dma_port(struct tb_switch *sw)
+@@ -1365,7 +1371,9 @@ static int tb_switch_add_dma_port(struct tb_switch *sw)
+
+ if (status) {
+ tb_sw_info(sw, "switch flash authentication failed\n");
+- tb_switch_set_uuid(sw);
++ ret = tb_switch_set_uuid(sw);
++ if (ret)
++ return ret;
+ nvm_set_auth_status(sw, status);
+ }
+
+@@ -1415,7 +1423,9 @@ int tb_switch_add(struct tb_switch *sw)
+ }
+ tb_sw_dbg(sw, "uid: %#llx\n", sw->uid);
+
+- tb_switch_set_uuid(sw);
++ ret = tb_switch_set_uuid(sw);
++ if (ret)
++ return ret;
+
+ for (i = 0; i <= sw->config.max_port_number; i++) {
+ if (sw->ports[i].disabled) {
+--
+2.20.1
+
--- /dev/null
+From 3827ab496cf2b3af0f8c341e31645a96280d9569 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 11:34:09 -0500
+Subject: thunderbolt: Fix to check return value of ida_simple_get
+
+[ Upstream commit 9aabb68568b473bf2f0b179d053b403961e42e4d ]
+
+In enumerate_services, ida_simple_get on failure can return an error and
+leaks memory. The patch ensures that the dev_set_name is set on non
+failure cases, and releases memory during failure.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/xdomain.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
+index e27dd8beb94be..e0642dcb8b9bd 100644
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -740,6 +740,7 @@ static void enumerate_services(struct tb_xdomain *xd)
+ struct tb_service *svc;
+ struct tb_property *p;
+ struct device *dev;
++ int id;
+
+ /*
+ * First remove all services that are not available anymore in
+@@ -768,7 +769,12 @@ static void enumerate_services(struct tb_xdomain *xd)
+ break;
+ }
+
+- svc->id = ida_simple_get(&xd->service_ids, 0, 0, GFP_KERNEL);
++ id = ida_simple_get(&xd->service_ids, 0, 0, GFP_KERNEL);
++ if (id < 0) {
++ kfree(svc);
++ break;
++ }
++ svc->id = id;
+ svc->dev.bus = &tb_bus_type;
+ svc->dev.type = &tb_service_type;
+ svc->dev.parent = &xd->dev;
+--
+2.20.1
+
--- /dev/null
+From c36510094fd3c24ec838921ce1d91af54f8eee06 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Mon, 25 Mar 2019 16:25:22 -0500
+Subject: thunderbolt: Fix to check the return value of kmemdup
+
+[ Upstream commit fd21b79e541e4666c938a344f3ad2df74b4f5120 ]
+
+uuid in add_switch is allocted via kmemdup which can fail. The patch
+logs the error and cleans up the allocated memory for switch.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/icm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/thunderbolt/icm.c b/drivers/thunderbolt/icm.c
+index e3fc920af6825..8b7f9131e9d12 100644
+--- a/drivers/thunderbolt/icm.c
++++ b/drivers/thunderbolt/icm.c
+@@ -473,6 +473,11 @@ static void add_switch(struct tb_switch *parent_sw, u64 route,
+ goto out;
+
+ sw->uuid = kmemdup(uuid, sizeof(*uuid), GFP_KERNEL);
++ if (!sw->uuid) {
++ tb_sw_warn(sw, "cannot allocate memory for switch\n");
++ tb_switch_put(sw);
++ goto out;
++ }
+ sw->connection_id = connection_id;
+ sw->connection_key = connection_key;
+ sw->link = link;
+--
+2.20.1
+
--- /dev/null
+From fdcea957520bda3ec6c4ffaaa6ba3751a1500604 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Mon, 25 Mar 2019 15:23:08 -0500
+Subject: thunderbolt: property: Fix a missing check of kzalloc
+
+[ Upstream commit 6183d5a51866f3acdeeb66b75e87d44025b01a55 ]
+
+No check is enforced for the return value of kzalloc,
+which may lead to NULL-pointer dereference.
+
+The patch fixes this issue.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/property.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
+index b2f0d6386ceea..ead18c532b53d 100644
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -578,7 +578,12 @@ int tb_property_add_text(struct tb_property_dir *parent, const char *key,
+ return -ENOMEM;
+
+ property->length = size / 4;
+- property->value.data = kzalloc(size, GFP_KERNEL);
++ property->value.text = kzalloc(size, GFP_KERNEL);
++ if (!property->value.text) {
++ kfree(property);
++ return -ENOMEM;
++ }
++
+ strcpy(property->value.text, text);
+
+ list_add_tail(&property->list, &parent->properties);
+--
+2.20.1
+
--- /dev/null
+From 93774bb6f4d84b51896c8ca681327743ff753073 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 03:33:28 -0500
+Subject: thunderbolt: property: Fix a NULL pointer dereference
+
+[ Upstream commit 106204b56f60abf1bead7dceb88f2be3e34433da ]
+
+In case kzalloc fails, the fix releases resources and returns
+-ENOMEM to avoid the NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/property.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
+index ead18c532b53d..8c077c4f3b5b2 100644
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -548,6 +548,11 @@ int tb_property_add_data(struct tb_property_dir *parent, const char *key,
+
+ property->length = size / 4;
+ property->value.data = kzalloc(size, GFP_KERNEL);
++ if (!property->value.data) {
++ kfree(property);
++ return -ENOMEM;
++ }
++
+ memcpy(property->value.data, buf, buflen);
+
+ list_add_tail(&property->list, &parent->properties);
+--
+2.20.1
+
--- /dev/null
+From 50e8c3e086ace3270a30a0ed3efd34d572fb324f Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Tue, 19 Mar 2019 16:48:41 +0200
+Subject: thunderbolt: Take domain lock in switch sysfs attribute callbacks
+
+[ Upstream commit 09f11b6c99feaf86a26444bca85dc693b3f58f8b ]
+
+switch_lock was introduced because it allowed serialization of device
+authorization requests from userspace without need to take the big
+domain lock (tb->lock). This was fine because device authorization with
+ICM is just one command that is sent to the firmware. Now that we start
+to handle all tunneling in the driver switch_lock is not enough because
+we need to walk over the topology to establish paths.
+
+For this reason drop switch_lock from the driver completely in favour of
+big domain lock.
+
+There is one complication, though. If userspace is waiting for the lock
+in tb_switch_set_authorized(), it keeps the device_del() from removing
+the sysfs attribute because it waits for active users to release the
+attribute first which leads into following splat:
+
+ INFO: task kworker/u8:3:73 blocked for more than 61 seconds.
+ Tainted: G W 5.1.0-rc1+ #244
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ kworker/u8:3 D12976 73 2 0x80000000
+ Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]
+ Call Trace:
+ ? __schedule+0x2e5/0x740
+ ? _raw_spin_lock_irqsave+0x12/0x40
+ ? prepare_to_wait_event+0xc5/0x160
+ schedule+0x2d/0x80
+ __kernfs_remove.part.17+0x183/0x1f0
+ ? finish_wait+0x80/0x80
+ kernfs_remove_by_name_ns+0x4a/0x90
+ remove_files.isra.1+0x2b/0x60
+ sysfs_remove_group+0x38/0x80
+ sysfs_remove_groups+0x24/0x40
+ device_remove_attrs+0x3d/0x70
+ device_del+0x14c/0x360
+ device_unregister+0x15/0x50
+ tb_switch_remove+0x9e/0x1d0 [thunderbolt]
+ tb_handle_hotplug+0x119/0x5a0 [thunderbolt]
+ ? process_one_work+0x1b7/0x420
+ process_one_work+0x1b7/0x420
+ worker_thread+0x37/0x380
+ ? _raw_spin_unlock_irqrestore+0xf/0x30
+ ? process_one_work+0x420/0x420
+ kthread+0x118/0x130
+ ? kthread_create_on_node+0x60/0x60
+ ret_from_fork+0x35/0x40
+
+We deal this by following what network stack did for some of their
+attributes and use mutex_trylock() with restart_syscall(). This makes
+userspace release the attribute allowing sysfs attribute removal to
+progress before the write is restarted and eventually fail when the
+attribute is removed.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/switch.c | 45 +++++++++++++++---------------------
+ drivers/thunderbolt/tb.h | 3 +--
+ 2 files changed, 20 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c
+index cd96994dc0947..32e012713dbeb 100644
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -10,15 +10,13 @@
+ #include <linux/idr.h>
+ #include <linux/nvmem-provider.h>
+ #include <linux/pm_runtime.h>
++#include <linux/sched/signal.h>
+ #include <linux/sizes.h>
+ #include <linux/slab.h>
+ #include <linux/vmalloc.h>
+
+ #include "tb.h"
+
+-/* Switch authorization from userspace is serialized by this lock */
+-static DEFINE_MUTEX(switch_lock);
+-
+ /* Switch NVM support */
+
+ #define NVM_DEVID 0x05
+@@ -254,8 +252,8 @@ static int tb_switch_nvm_write(void *priv, unsigned int offset, void *val,
+ struct tb_switch *sw = priv;
+ int ret = 0;
+
+- if (mutex_lock_interruptible(&switch_lock))
+- return -ERESTARTSYS;
++ if (!mutex_trylock(&sw->tb->lock))
++ return restart_syscall();
+
+ /*
+ * Since writing the NVM image might require some special steps,
+@@ -275,7 +273,7 @@ static int tb_switch_nvm_write(void *priv, unsigned int offset, void *val,
+ memcpy(sw->nvm->buf + offset, val, bytes);
+
+ unlock:
+- mutex_unlock(&switch_lock);
++ mutex_unlock(&sw->tb->lock);
+
+ return ret;
+ }
+@@ -364,10 +362,7 @@ static int tb_switch_nvm_add(struct tb_switch *sw)
+ }
+ nvm->non_active = nvm_dev;
+
+- mutex_lock(&switch_lock);
+ sw->nvm = nvm;
+- mutex_unlock(&switch_lock);
+-
+ return 0;
+
+ err_nvm_active:
+@@ -384,10 +379,8 @@ static void tb_switch_nvm_remove(struct tb_switch *sw)
+ {
+ struct tb_switch_nvm *nvm;
+
+- mutex_lock(&switch_lock);
+ nvm = sw->nvm;
+ sw->nvm = NULL;
+- mutex_unlock(&switch_lock);
+
+ if (!nvm)
+ return;
+@@ -716,8 +709,8 @@ static int tb_switch_set_authorized(struct tb_switch *sw, unsigned int val)
+ {
+ int ret = -EINVAL;
+
+- if (mutex_lock_interruptible(&switch_lock))
+- return -ERESTARTSYS;
++ if (!mutex_trylock(&sw->tb->lock))
++ return restart_syscall();
+
+ if (sw->authorized)
+ goto unlock;
+@@ -760,7 +753,7 @@ static int tb_switch_set_authorized(struct tb_switch *sw, unsigned int val)
+ }
+
+ unlock:
+- mutex_unlock(&switch_lock);
++ mutex_unlock(&sw->tb->lock);
+ return ret;
+ }
+
+@@ -817,15 +810,15 @@ static ssize_t key_show(struct device *dev, struct device_attribute *attr,
+ struct tb_switch *sw = tb_to_switch(dev);
+ ssize_t ret;
+
+- if (mutex_lock_interruptible(&switch_lock))
+- return -ERESTARTSYS;
++ if (!mutex_trylock(&sw->tb->lock))
++ return restart_syscall();
+
+ if (sw->key)
+ ret = sprintf(buf, "%*phN\n", TB_SWITCH_KEY_SIZE, sw->key);
+ else
+ ret = sprintf(buf, "\n");
+
+- mutex_unlock(&switch_lock);
++ mutex_unlock(&sw->tb->lock);
+ return ret;
+ }
+
+@@ -842,8 +835,8 @@ static ssize_t key_store(struct device *dev, struct device_attribute *attr,
+ else if (hex2bin(key, buf, sizeof(key)))
+ return -EINVAL;
+
+- if (mutex_lock_interruptible(&switch_lock))
+- return -ERESTARTSYS;
++ if (!mutex_trylock(&sw->tb->lock))
++ return restart_syscall();
+
+ if (sw->authorized) {
+ ret = -EBUSY;
+@@ -858,7 +851,7 @@ static ssize_t key_store(struct device *dev, struct device_attribute *attr,
+ }
+ }
+
+- mutex_unlock(&switch_lock);
++ mutex_unlock(&sw->tb->lock);
+ return ret;
+ }
+ static DEVICE_ATTR(key, 0600, key_show, key_store);
+@@ -904,8 +897,8 @@ static ssize_t nvm_authenticate_store(struct device *dev,
+ bool val;
+ int ret;
+
+- if (mutex_lock_interruptible(&switch_lock))
+- return -ERESTARTSYS;
++ if (!mutex_trylock(&sw->tb->lock))
++ return restart_syscall();
+
+ /* If NVMem devices are not yet added */
+ if (!sw->nvm) {
+@@ -953,7 +946,7 @@ static ssize_t nvm_authenticate_store(struct device *dev,
+ }
+
+ exit_unlock:
+- mutex_unlock(&switch_lock);
++ mutex_unlock(&sw->tb->lock);
+
+ if (ret)
+ return ret;
+@@ -967,8 +960,8 @@ static ssize_t nvm_version_show(struct device *dev,
+ struct tb_switch *sw = tb_to_switch(dev);
+ int ret;
+
+- if (mutex_lock_interruptible(&switch_lock))
+- return -ERESTARTSYS;
++ if (!mutex_trylock(&sw->tb->lock))
++ return restart_syscall();
+
+ if (sw->safe_mode)
+ ret = -ENODATA;
+@@ -977,7 +970,7 @@ static ssize_t nvm_version_show(struct device *dev,
+ else
+ ret = sprintf(buf, "%x.%x\n", sw->nvm->major, sw->nvm->minor);
+
+- mutex_unlock(&switch_lock);
++ mutex_unlock(&sw->tb->lock);
+
+ return ret;
+ }
+diff --git a/drivers/thunderbolt/tb.h b/drivers/thunderbolt/tb.h
+index 52584c4003e3a..f5e0282225d1c 100644
+--- a/drivers/thunderbolt/tb.h
++++ b/drivers/thunderbolt/tb.h
+@@ -80,8 +80,7 @@ struct tb_switch_nvm {
+ * @depth: Depth in the chain this switch is connected (ICM only)
+ *
+ * When the switch is being added or removed to the domain (other
+- * switches) you need to have domain lock held. For switch authorization
+- * internal switch_lock is enough.
++ * switches) you need to have domain lock held.
+ */
+ struct tb_switch {
+ struct device dev;
+--
+2.20.1
+
--- /dev/null
+From f3e07abdbe8bc12ed8a9dfbe99a962ba31ca63d2 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sat, 23 Mar 2019 11:36:19 +0100
+Subject: timekeeping: Force upper bound for setting CLOCK_REALTIME
+
+[ Upstream commit 7a8e61f8478639072d402a26789055a4a4de8f77 ]
+
+Several people reported testing failures after setting CLOCK_REALTIME close
+to the limits of the kernel internal representation in nanoseconds,
+i.e. year 2262.
+
+The failures are exposed in subsequent operations, i.e. when arming timers
+or when the advancing CLOCK_MONOTONIC makes the calculation of
+CLOCK_REALTIME overflow into negative space.
+
+Now people start to paper over the underlying problem by clamping
+calculations to the valid range, but that's just wrong because such
+workarounds will prevent detection of real issues as well.
+
+It is reasonable to force an upper bound for the various methods of setting
+CLOCK_REALTIME. Year 2262 is the absolute upper bound. Assume a maximum
+uptime of 30 years which is plenty enough even for esoteric embedded
+systems. That results in an upper bound of year 2232 for setting the time.
+
+Once that limit is reached in reality this limit is only a small part of
+the problem space. But until then this stops people from trying to paper
+over the problem at the wrong places.
+
+Reported-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Reported-by: Hongbo Yao <yaohongbo@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: Miroslav Lichvar <mlichvar@redhat.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1903231125480.2157@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/time64.h | 21 +++++++++++++++++++++
+ kernel/time/time.c | 2 +-
+ kernel/time/timekeeping.c | 6 +++---
+ 3 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/time64.h b/include/linux/time64.h
+index f38d382ffec13..a620ee610b9f3 100644
+--- a/include/linux/time64.h
++++ b/include/linux/time64.h
+@@ -33,6 +33,17 @@ struct itimerspec64 {
+ #define KTIME_MAX ((s64)~((u64)1 << 63))
+ #define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
+
++/*
++ * Limits for settimeofday():
++ *
++ * To prevent setting the time close to the wraparound point time setting
++ * is limited so a reasonable uptime can be accomodated. Uptime of 30 years
++ * should be really sufficient, which means the cutoff is 2232. At that
++ * point the cutoff is just a small part of the larger problem.
++ */
++#define TIME_UPTIME_SEC_MAX (30LL * 365 * 24 *3600)
++#define TIME_SETTOD_SEC_MAX (KTIME_SEC_MAX - TIME_UPTIME_SEC_MAX)
++
+ static inline int timespec64_equal(const struct timespec64 *a,
+ const struct timespec64 *b)
+ {
+@@ -100,6 +111,16 @@ static inline bool timespec64_valid_strict(const struct timespec64 *ts)
+ return true;
+ }
+
++static inline bool timespec64_valid_settod(const struct timespec64 *ts)
++{
++ if (!timespec64_valid(ts))
++ return false;
++ /* Disallow values which cause overflow issues vs. CLOCK_REALTIME */
++ if ((unsigned long long)ts->tv_sec >= TIME_SETTOD_SEC_MAX)
++ return false;
++ return true;
++}
++
+ /**
+ * timespec64_to_ns - Convert timespec64 to nanoseconds
+ * @ts: pointer to the timespec64 variable to be converted
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index c3f756f8534bb..86656bbac232e 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -171,7 +171,7 @@ int do_sys_settimeofday64(const struct timespec64 *tv, const struct timezone *tz
+ static int firsttime = 1;
+ int error = 0;
+
+- if (tv && !timespec64_valid(tv))
++ if (tv && !timespec64_valid_settod(tv))
+ return -EINVAL;
+
+ error = security_settime64(tv, tz);
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index f986e1918d129..f136c56c28057 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -1221,7 +1221,7 @@ int do_settimeofday64(const struct timespec64 *ts)
+ unsigned long flags;
+ int ret = 0;
+
+- if (!timespec64_valid_strict(ts))
++ if (!timespec64_valid_settod(ts))
+ return -EINVAL;
+
+ raw_spin_lock_irqsave(&timekeeper_lock, flags);
+@@ -1278,7 +1278,7 @@ static int timekeeping_inject_offset(const struct timespec64 *ts)
+ /* Make sure the proposed value is valid */
+ tmp = timespec64_add(tk_xtime(tk), *ts);
+ if (timespec64_compare(&tk->wall_to_monotonic, ts) > 0 ||
+- !timespec64_valid_strict(&tmp)) {
++ !timespec64_valid_settod(&tmp)) {
+ ret = -EINVAL;
+ goto error;
+ }
+@@ -1527,7 +1527,7 @@ void __init timekeeping_init(void)
+ unsigned long flags;
+
+ read_persistent_wall_and_boot_offset(&wall_time, &boot_offset);
+- if (timespec64_valid_strict(&wall_time) &&
++ if (timespec64_valid_settod(&wall_time) &&
+ timespec64_to_ns(&wall_time) > 0) {
+ persistent_clock_exists = true;
+ } else if (timespec64_to_ns(&wall_time) != 0) {
+--
+2.20.1
+
--- /dev/null
+From 8c72ef27d44f3339fb9b8261b81b5dea5e05910a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Fri, 22 Feb 2019 13:43:29 +0100
+Subject: tinydrm/mipi-dbi: Use dma-safe buffers for all SPI transfers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a89bfc5d9a0732d84b4de311e27133daa0586316 ]
+
+Buffers passed to spi_sync() must be dma-safe even for tiny buffers since
+some SPI controllers use DMA for all transfers.
+
+Example splat with CONFIG_DMA_API_DEBUG enabled:
+
+[ 23.750467] DMA-API: dw_dmac_pci 0000:00:15.0: device driver maps memory from stack [probable addr=000000001e49185d]
+[ 23.750529] WARNING: CPU: 1 PID: 1296 at kernel/dma/debug.c:1161 check_for_stack+0xb7/0x190
+[ 23.750533] Modules linked in: mmc_block(+) spi_pxa2xx_platform(+) pwm_lpss_pci pwm_lpss spi_pxa2xx_pci sdhci_pci cqhci intel_mrfld_pwrbtn extcon_intel_mrfld sdhci intel_mrfld_adc led_class mmc_core ili9341 mipi_dbi tinydrm backlight ti_ads7950 industrialio_triggered_buffer kfifo_buf intel_soc_pmic_mrfld hci_uart btbcm
+[ 23.750599] CPU: 1 PID: 1296 Comm: modprobe Not tainted 5.0.0-rc7+ #236
+[ 23.750605] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48
+[ 23.750620] RIP: 0010:check_for_stack+0xb7/0x190
+[ 23.750630] Code: 8b 6d 50 4d 85 ed 75 04 4c 8b 6d 10 48 89 ef e8 2f 8b 44 00 48 89 c6 4a 8d 0c 23 4c 89 ea 48 c7 c7 88 d0 82 b4 e8 40 7c f9 ff <0f> 0b 8b 05 79 00 4b 01 85 c0 74 07 5b 5d 41 5c 41 5d c3 8b 05 54
+[ 23.750637] RSP: 0000:ffff97bbc0292fa0 EFLAGS: 00010286
+[ 23.750646] RAX: 0000000000000000 RBX: ffff97bbc0290000 RCX: 0000000000000006
+[ 23.750652] RDX: 0000000000000007 RSI: 0000000000000002 RDI: ffff94b33e115450
+[ 23.750658] RBP: ffff94b33c8578b0 R08: 0000000000000002 R09: 00000000000201c0
+[ 23.750664] R10: 00000006ecb0ccc6 R11: 0000000000034f38 R12: 000000000000316c
+[ 23.750670] R13: ffff94b33c84b250 R14: ffff94b33dedd5a0 R15: 0000000000000001
+[ 23.750679] FS: 0000000000000000(0000) GS:ffff94b33e100000(0063) knlGS:00000000f7faf690
+[ 23.750686] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+[ 23.750691] CR2: 00000000f7f54faf CR3: 000000000722c000 CR4: 00000000001006e0
+[ 23.750696] Call Trace:
+[ 23.750713] debug_dma_map_sg+0x100/0x340
+[ 23.750727] ? dma_direct_map_sg+0x3b/0xb0
+[ 23.750739] spi_map_buf+0x25a/0x300
+[ 23.750751] __spi_pump_messages+0x2a4/0x680
+[ 23.750762] __spi_sync+0x1dd/0x1f0
+[ 23.750773] spi_sync+0x26/0x40
+[ 23.750790] mipi_dbi_typec3_command_read+0x14d/0x240 [mipi_dbi]
+[ 23.750802] ? spi_finalize_current_transfer+0x10/0x10
+[ 23.750821] mipi_dbi_typec3_command+0x1bc/0x1d0 [mipi_dbi]
+
+Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Tested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190222124329.23046-1-noralf@tronnes.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tinydrm/ili9225.c | 6 ++--
+ drivers/gpu/drm/tinydrm/mipi-dbi.c | 58 +++++++++++++++++++++---------
+ include/drm/tinydrm/mipi-dbi.h | 5 +--
+ 3 files changed, 48 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/gpu/drm/tinydrm/ili9225.c b/drivers/gpu/drm/tinydrm/ili9225.c
+index 43a3b68d90a20..998d75be9e16f 100644
+--- a/drivers/gpu/drm/tinydrm/ili9225.c
++++ b/drivers/gpu/drm/tinydrm/ili9225.c
+@@ -301,7 +301,7 @@ static void ili9225_pipe_disable(struct drm_simple_display_pipe *pipe)
+ mipi->enabled = false;
+ }
+
+-static int ili9225_dbi_command(struct mipi_dbi *mipi, u8 cmd, u8 *par,
++static int ili9225_dbi_command(struct mipi_dbi *mipi, u8 *cmd, u8 *par,
+ size_t num)
+ {
+ struct spi_device *spi = mipi->spi;
+@@ -311,11 +311,11 @@ static int ili9225_dbi_command(struct mipi_dbi *mipi, u8 cmd, u8 *par,
+
+ gpiod_set_value_cansleep(mipi->dc, 0);
+ speed_hz = mipi_dbi_spi_cmd_max_speed(spi, 1);
+- ret = tinydrm_spi_transfer(spi, speed_hz, NULL, 8, &cmd, 1);
++ ret = tinydrm_spi_transfer(spi, speed_hz, NULL, 8, cmd, 1);
+ if (ret || !num)
+ return ret;
+
+- if (cmd == ILI9225_WRITE_DATA_TO_GRAM && !mipi->swap_bytes)
++ if (*cmd == ILI9225_WRITE_DATA_TO_GRAM && !mipi->swap_bytes)
+ bpw = 16;
+
+ gpiod_set_value_cansleep(mipi->dc, 1);
+diff --git a/drivers/gpu/drm/tinydrm/mipi-dbi.c b/drivers/gpu/drm/tinydrm/mipi-dbi.c
+index 918f77c7de34e..295cbcbc2bb65 100644
+--- a/drivers/gpu/drm/tinydrm/mipi-dbi.c
++++ b/drivers/gpu/drm/tinydrm/mipi-dbi.c
+@@ -153,16 +153,42 @@ EXPORT_SYMBOL(mipi_dbi_command_read);
+ */
+ int mipi_dbi_command_buf(struct mipi_dbi *mipi, u8 cmd, u8 *data, size_t len)
+ {
++ u8 *cmdbuf;
+ int ret;
+
++ /* SPI requires dma-safe buffers */
++ cmdbuf = kmemdup(&cmd, 1, GFP_KERNEL);
++ if (!cmdbuf)
++ return -ENOMEM;
++
+ mutex_lock(&mipi->cmdlock);
+- ret = mipi->command(mipi, cmd, data, len);
++ ret = mipi->command(mipi, cmdbuf, data, len);
+ mutex_unlock(&mipi->cmdlock);
+
++ kfree(cmdbuf);
++
+ return ret;
+ }
+ EXPORT_SYMBOL(mipi_dbi_command_buf);
+
++/* This should only be used by mipi_dbi_command() */
++int mipi_dbi_command_stackbuf(struct mipi_dbi *mipi, u8 cmd, u8 *data, size_t len)
++{
++ u8 *buf;
++ int ret;
++
++ buf = kmemdup(data, len, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ ret = mipi_dbi_command_buf(mipi, cmd, buf, len);
++
++ kfree(buf);
++
++ return ret;
++}
++EXPORT_SYMBOL(mipi_dbi_command_stackbuf);
++
+ /**
+ * mipi_dbi_buf_copy - Copy a framebuffer, transforming it if necessary
+ * @dst: The destination buffer
+@@ -774,18 +800,18 @@ static int mipi_dbi_spi1_transfer(struct mipi_dbi *mipi, int dc,
+ return 0;
+ }
+
+-static int mipi_dbi_typec1_command(struct mipi_dbi *mipi, u8 cmd,
++static int mipi_dbi_typec1_command(struct mipi_dbi *mipi, u8 *cmd,
+ u8 *parameters, size_t num)
+ {
+- unsigned int bpw = (cmd == MIPI_DCS_WRITE_MEMORY_START) ? 16 : 8;
++ unsigned int bpw = (*cmd == MIPI_DCS_WRITE_MEMORY_START) ? 16 : 8;
+ int ret;
+
+- if (mipi_dbi_command_is_read(mipi, cmd))
++ if (mipi_dbi_command_is_read(mipi, *cmd))
+ return -ENOTSUPP;
+
+- MIPI_DBI_DEBUG_COMMAND(cmd, parameters, num);
++ MIPI_DBI_DEBUG_COMMAND(*cmd, parameters, num);
+
+- ret = mipi_dbi_spi1_transfer(mipi, 0, &cmd, 1, 8);
++ ret = mipi_dbi_spi1_transfer(mipi, 0, cmd, 1, 8);
+ if (ret || !num)
+ return ret;
+
+@@ -794,7 +820,7 @@ static int mipi_dbi_typec1_command(struct mipi_dbi *mipi, u8 cmd,
+
+ /* MIPI DBI Type C Option 3 */
+
+-static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd,
++static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 *cmd,
+ u8 *data, size_t len)
+ {
+ struct spi_device *spi = mipi->spi;
+@@ -803,7 +829,7 @@ static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd,
+ struct spi_transfer tr[2] = {
+ {
+ .speed_hz = speed_hz,
+- .tx_buf = &cmd,
++ .tx_buf = cmd,
+ .len = 1,
+ }, {
+ .speed_hz = speed_hz,
+@@ -821,8 +847,8 @@ static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd,
+ * Support non-standard 24-bit and 32-bit Nokia read commands which
+ * start with a dummy clock, so we need to read an extra byte.
+ */
+- if (cmd == MIPI_DCS_GET_DISPLAY_ID ||
+- cmd == MIPI_DCS_GET_DISPLAY_STATUS) {
++ if (*cmd == MIPI_DCS_GET_DISPLAY_ID ||
++ *cmd == MIPI_DCS_GET_DISPLAY_STATUS) {
+ if (!(len == 3 || len == 4))
+ return -EINVAL;
+
+@@ -852,7 +878,7 @@ static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd,
+ data[i] = (buf[i] << 1) | !!(buf[i + 1] & BIT(7));
+ }
+
+- MIPI_DBI_DEBUG_COMMAND(cmd, data, len);
++ MIPI_DBI_DEBUG_COMMAND(*cmd, data, len);
+
+ err_free:
+ kfree(buf);
+@@ -860,7 +886,7 @@ static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd,
+ return ret;
+ }
+
+-static int mipi_dbi_typec3_command(struct mipi_dbi *mipi, u8 cmd,
++static int mipi_dbi_typec3_command(struct mipi_dbi *mipi, u8 *cmd,
+ u8 *par, size_t num)
+ {
+ struct spi_device *spi = mipi->spi;
+@@ -868,18 +894,18 @@ static int mipi_dbi_typec3_command(struct mipi_dbi *mipi, u8 cmd,
+ u32 speed_hz;
+ int ret;
+
+- if (mipi_dbi_command_is_read(mipi, cmd))
++ if (mipi_dbi_command_is_read(mipi, *cmd))
+ return mipi_dbi_typec3_command_read(mipi, cmd, par, num);
+
+- MIPI_DBI_DEBUG_COMMAND(cmd, par, num);
++ MIPI_DBI_DEBUG_COMMAND(*cmd, par, num);
+
+ gpiod_set_value_cansleep(mipi->dc, 0);
+ speed_hz = mipi_dbi_spi_cmd_max_speed(spi, 1);
+- ret = tinydrm_spi_transfer(spi, speed_hz, NULL, 8, &cmd, 1);
++ ret = tinydrm_spi_transfer(spi, speed_hz, NULL, 8, cmd, 1);
+ if (ret || !num)
+ return ret;
+
+- if (cmd == MIPI_DCS_WRITE_MEMORY_START && !mipi->swap_bytes)
++ if (*cmd == MIPI_DCS_WRITE_MEMORY_START && !mipi->swap_bytes)
+ bpw = 16;
+
+ gpiod_set_value_cansleep(mipi->dc, 1);
+diff --git a/include/drm/tinydrm/mipi-dbi.h b/include/drm/tinydrm/mipi-dbi.h
+index f4ec2834bc229..7dfa67a15a04e 100644
+--- a/include/drm/tinydrm/mipi-dbi.h
++++ b/include/drm/tinydrm/mipi-dbi.h
+@@ -43,7 +43,7 @@ struct mipi_dbi {
+ struct spi_device *spi;
+ bool enabled;
+ struct mutex cmdlock;
+- int (*command)(struct mipi_dbi *mipi, u8 cmd, u8 *param, size_t num);
++ int (*command)(struct mipi_dbi *mipi, u8 *cmd, u8 *param, size_t num);
+ const u8 *read_commands;
+ struct gpio_desc *dc;
+ u16 *tx_buf;
+@@ -82,6 +82,7 @@ u32 mipi_dbi_spi_cmd_max_speed(struct spi_device *spi, size_t len);
+
+ int mipi_dbi_command_read(struct mipi_dbi *mipi, u8 cmd, u8 *val);
+ int mipi_dbi_command_buf(struct mipi_dbi *mipi, u8 cmd, u8 *data, size_t len);
++int mipi_dbi_command_stackbuf(struct mipi_dbi *mipi, u8 cmd, u8 *data, size_t len);
+ int mipi_dbi_buf_copy(void *dst, struct drm_framebuffer *fb,
+ struct drm_rect *clip, bool swap);
+ /**
+@@ -99,7 +100,7 @@ int mipi_dbi_buf_copy(void *dst, struct drm_framebuffer *fb,
+ #define mipi_dbi_command(mipi, cmd, seq...) \
+ ({ \
+ u8 d[] = { seq }; \
+- mipi_dbi_command_buf(mipi, cmd, d, ARRAY_SIZE(d)); \
++ mipi_dbi_command_stackbuf(mipi, cmd, d, ARRAY_SIZE(d)); \
+ })
+
+ #ifdef CONFIG_DEBUG_FS
+--
+2.20.1
+
--- /dev/null
+From 4fcfd2697e7295ed92862bcc6b03b4fc7f4428e7 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Date: Thu, 2 May 2019 08:56:50 -0700
+Subject: tools/bpf: fix perf build error with uClibc (seen on ARC)
+
+[ Upstream commit ca31ca8247e2d3807ff5fa1d1760616a2292001c ]
+
+When build perf for ARC recently, there was a build failure due to lack
+of __NR_bpf.
+
+| Auto-detecting system features:
+|
+| ... get_cpuid: [ OFF ]
+| ... bpf: [ on ]
+|
+| # error __NR_bpf not defined. libbpf does not support your arch.
+ ^~~~~
+| bpf.c: In function 'sys_bpf':
+| bpf.c:66:17: error: '__NR_bpf' undeclared (first use in this function)
+| return syscall(__NR_bpf, cmd, attr, size);
+| ^~~~~~~~
+| sys_bpf
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
+index 9cd015574e838..d82edadf75893 100644
+--- a/tools/lib/bpf/bpf.c
++++ b/tools/lib/bpf/bpf.c
+@@ -46,6 +46,8 @@
+ # define __NR_bpf 349
+ # elif defined(__s390__)
+ # define __NR_bpf 351
++# elif defined(__arc__)
++# define __NR_bpf 280
+ # else
+ # error __NR_bpf not defined. libbpf does not support your arch.
+ # endif
+--
+2.20.1
+
--- /dev/null
+From 321bcfb023dd7fb8a5ef42947053473291b664bf Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 02:07:12 -0500
+Subject: tty: ipwireless: fix missing checks for ioremap
+
+[ Upstream commit 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3 ]
+
+ipw->attr_memory and ipw->common_memory are assigned with the
+return value of ioremap. ioremap may fail, but no checks
+are enforced. The fix inserts the checks to avoid potential
+NULL pointer dereferences.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/ipwireless/main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c
+index 3475e841ef5c1..4c18bbfe1a92e 100644
+--- a/drivers/tty/ipwireless/main.c
++++ b/drivers/tty/ipwireless/main.c
+@@ -114,6 +114,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
+
+ ipw->common_memory = ioremap(p_dev->resource[2]->start,
+ resource_size(p_dev->resource[2]));
++ if (!ipw->common_memory) {
++ ret = -ENOMEM;
++ goto exit1;
++ }
+ if (!request_mem_region(p_dev->resource[2]->start,
+ resource_size(p_dev->resource[2]),
+ IPWIRELESS_PCCARD_NAME)) {
+@@ -134,6 +138,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
+
+ ipw->attr_memory = ioremap(p_dev->resource[3]->start,
+ resource_size(p_dev->resource[3]));
++ if (!ipw->attr_memory) {
++ ret = -ENOMEM;
++ goto exit3;
++ }
+ if (!request_mem_region(p_dev->resource[3]->start,
+ resource_size(p_dev->resource[3]),
+ IPWIRELESS_PCCARD_NAME)) {
+--
+2.20.1
+
--- /dev/null
+From 569612d7899413f9f6013ca2631bf26b559cfc45 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 22 Mar 2019 14:54:05 -0700
+Subject: usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
+
+[ Upstream commit 8ead7e817224d7832fe51a19783cb8fcadc79467 ]
+
+If ohci-platform is runtime suspended, we can currently get an "imprecise
+external abort" on reboot with ohci-platform loaded when PM runtime
+is implemented for the SoC.
+
+Let's fix this by adding PM runtime support to usb_hcd_platform_shutdown.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hcd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 975d7c1288e36..e9f740484001f 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -3020,6 +3020,9 @@ usb_hcd_platform_shutdown(struct platform_device *dev)
+ {
+ struct usb_hcd *hcd = platform_get_drvdata(dev);
+
++ /* No need for pm_runtime_put(), we're shutting down */
++ pm_runtime_get_sync(&dev->dev);
++
+ if (hcd->driver->shutdown)
+ hcd->driver->shutdown(hcd);
+ }
+--
+2.20.1
+
--- /dev/null
+From 2b7b0f1165481eba73ea835ea1a5ce1ae4ac2474 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 Apr 2019 10:50:01 -0400
+Subject: USB: core: Don't unbind interfaces following device reset failure
+
+[ Upstream commit 381419fa720060ba48b7bbc483be787d5b1dca6f ]
+
+The SCSI core does not like to have devices or hosts unregistered
+while error recovery is in progress. Trying to do so can lead to
+self-deadlock: Part of the removal code tries to obtain a lock already
+held by the error handler.
+
+This can cause problems for the usb-storage and uas drivers, because
+their error handler routines perform a USB reset, and if the reset
+fails then the USB core automatically goes on to unbind all drivers
+from the device's interfaces -- all while still in the context of the
+SCSI error handler.
+
+As it turns out, practically all the scenarios leading to a USB reset
+failure end up causing a device disconnect (the main error pathway in
+usb_reset_and_verify_device(), at the end of the routine, calls
+hub_port_logical_disconnect() before returning). As a result, the
+hub_wq thread will soon become aware of the problem and will unbind
+all the device's drivers in its own context, not in the
+error-handler's context.
+
+This means that usb_reset_device() does not need to call
+usb_unbind_and_rebind_marked_interfaces() in cases where
+usb_reset_and_verify_device() has returned an error, because hub_wq
+will take care of everything anyway.
+
+This particular problem was observed in somewhat artificial
+circumstances, by using usbfs to tell a hub to power-down a port
+connected to a USB-3 mass storage device using the UAS protocol. With
+the port turned off, the currently executing command timed out and the
+error handler started running. The USB reset naturally failed,
+because the hub port was off, and the error handler deadlocked as
+described above. Not carrying out the call to
+usb_unbind_and_rebind_marked_interfaces() fixes this issue.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
+Tested-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
+CC: Bart Van Assche <bvanassche@acm.org>
+CC: Martin K. Petersen <martin.petersen@oracle.com>
+CC: Jacky Cao <Jacky.Cao@sony.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 8d4631c81b9f0..310eef451db82 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5902,7 +5902,10 @@ int usb_reset_device(struct usb_device *udev)
+ cintf->needs_binding = 1;
+ }
+ }
+- usb_unbind_and_rebind_marked_interfaces(udev);
++
++ /* If the reset failed, hub_wq will unbind drivers later */
++ if (ret == 0)
++ usb_unbind_and_rebind_marked_interfaces(udev);
+ }
+
+ usb_autosuspend_device(udev);
+--
+2.20.1
+
--- /dev/null
+From 1fedfcbada84fcf380cd7135d948ea0f572c8e6c Mon Sep 17 00:00:00 2001
+From: Minas Harutyunyan <minas.harutyunyan@synopsys.com>
+Date: Mon, 18 Mar 2019 14:24:30 +0400
+Subject: usb: dwc2: gadget: Increase descriptors count for ISOC's
+
+[ Upstream commit 54f37f56631747075f1f9a2f0edf6ba405e3e66c ]
+
+Some function drivers queueing more than 128 ISOC requests at a time.
+To avoid "descriptor chain full" cases, increasing descriptors count
+from MAX_DMA_DESC_NUM_GENERIC to MAX_DMA_DESC_NUM_HS_ISOC for ISOC's
+only.
+
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/gadget.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
+index 6812a8a3a98ba..a749de7604c62 100644
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -714,13 +714,11 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep)
+ unsigned int maxsize;
+
+ if (is_isoc)
+- maxsize = hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT :
+- DEV_DMA_ISOC_RX_NBYTES_LIMIT;
++ maxsize = (hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT :
++ DEV_DMA_ISOC_RX_NBYTES_LIMIT) *
++ MAX_DMA_DESC_NUM_HS_ISOC;
+ else
+- maxsize = DEV_DMA_NBYTES_LIMIT;
+-
+- /* Above size of one descriptor was chosen, multiple it */
+- maxsize *= MAX_DMA_DESC_NUM_GENERIC;
++ maxsize = DEV_DMA_NBYTES_LIMIT * MAX_DMA_DESC_NUM_GENERIC;
+
+ return maxsize;
+ }
+@@ -932,7 +930,7 @@ static int dwc2_gadget_fill_isoc_desc(struct dwc2_hsotg_ep *hs_ep,
+
+ /* Update index of last configured entry in the chain */
+ hs_ep->next_desc++;
+- if (hs_ep->next_desc >= MAX_DMA_DESC_NUM_GENERIC)
++ if (hs_ep->next_desc >= MAX_DMA_DESC_NUM_HS_ISOC)
+ hs_ep->next_desc = 0;
+
+ return 0;
+@@ -964,7 +962,7 @@ static void dwc2_gadget_start_isoc_ddma(struct dwc2_hsotg_ep *hs_ep)
+ }
+
+ /* Initialize descriptor chain by Host Busy status */
+- for (i = 0; i < MAX_DMA_DESC_NUM_GENERIC; i++) {
++ for (i = 0; i < MAX_DMA_DESC_NUM_HS_ISOC; i++) {
+ desc = &hs_ep->desc_list[i];
+ desc->status = 0;
+ desc->status |= (DEV_DMA_BUFF_STS_HBUSY
+@@ -2162,7 +2160,7 @@ static void dwc2_gadget_complete_isoc_request_ddma(struct dwc2_hsotg_ep *hs_ep)
+ dwc2_hsotg_complete_request(hsotg, hs_ep, hs_req, 0);
+
+ hs_ep->compl_desc++;
+- if (hs_ep->compl_desc > (MAX_DMA_DESC_NUM_GENERIC - 1))
++ if (hs_ep->compl_desc > (MAX_DMA_DESC_NUM_HS_ISOC - 1))
+ hs_ep->compl_desc = 0;
+ desc_sts = hs_ep->desc_list[hs_ep->compl_desc].status;
+ }
+@@ -3899,6 +3897,7 @@ static int dwc2_hsotg_ep_enable(struct usb_ep *ep,
+ unsigned int i, val, size;
+ int ret = 0;
+ unsigned char ep_type;
++ int desc_num;
+
+ dev_dbg(hsotg->dev,
+ "%s: ep %s: a 0x%02x, attr 0x%02x, mps 0x%04x, intr %d\n",
+@@ -3945,11 +3944,15 @@ static int dwc2_hsotg_ep_enable(struct usb_ep *ep,
+ dev_dbg(hsotg->dev, "%s: read DxEPCTL=0x%08x from 0x%08x\n",
+ __func__, epctrl, epctrl_reg);
+
++ if (using_desc_dma(hsotg) && ep_type == USB_ENDPOINT_XFER_ISOC)
++ desc_num = MAX_DMA_DESC_NUM_HS_ISOC;
++ else
++ desc_num = MAX_DMA_DESC_NUM_GENERIC;
++
+ /* Allocate DMA descriptor chain for non-ctrl endpoints */
+ if (using_desc_dma(hsotg) && !hs_ep->desc_list) {
+ hs_ep->desc_list = dmam_alloc_coherent(hsotg->dev,
+- MAX_DMA_DESC_NUM_GENERIC *
+- sizeof(struct dwc2_dma_desc),
++ desc_num * sizeof(struct dwc2_dma_desc),
+ &hs_ep->desc_list_dma, GFP_ATOMIC);
+ if (!hs_ep->desc_list) {
+ ret = -ENOMEM;
+@@ -4092,7 +4095,7 @@ static int dwc2_hsotg_ep_enable(struct usb_ep *ep,
+
+ error2:
+ if (ret && using_desc_dma(hsotg) && hs_ep->desc_list) {
+- dmam_free_coherent(hsotg->dev, MAX_DMA_DESC_NUM_GENERIC *
++ dmam_free_coherent(hsotg->dev, desc_num *
+ sizeof(struct dwc2_dma_desc),
+ hs_ep->desc_list, hs_ep->desc_list_dma);
+ hs_ep->desc_list = NULL;
+--
+2.20.1
+
--- /dev/null
+From f498523104c014e3fbe0147051dd10e711a0c7a3 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 27 Mar 2019 10:56:08 +0100
+Subject: usb: dwc3: move synchronize_irq() out of the spinlock protected block
+
+[ Upstream commit 41a91c606e7d2b74358a944525267cc451c271e8 ]
+
+dwc3_gadget_suspend() is called under dwc->lock spinlock. In such context
+calling synchronize_irq() is not allowed. Move the problematic call out
+of the protected block to fix the following kernel BUG during system
+suspend:
+
+BUG: sleeping function called from invalid context at kernel/irq/manage.c:112
+in_atomic(): 1, irqs_disabled(): 128, pid: 1601, name: rtcwake
+6 locks held by rtcwake/1601:
+ #0: f70ac2a2 (sb_writers#7){.+.+}, at: vfs_write+0x130/0x16c
+ #1: b5fe1270 (&of->mutex){+.+.}, at: kernfs_fop_write+0xc0/0x1e4
+ #2: 7e597705 (kn->count#60){.+.+}, at: kernfs_fop_write+0xc8/0x1e4
+ #3: 8b3527d0 (system_transition_mutex){+.+.}, at: pm_suspend+0xc4/0xc04
+ #4: fc7f1c42 (&dev->mutex){....}, at: __device_suspend+0xd8/0x74c
+ #5: 4b36507e (&(&dwc->lock)->rlock){....}, at: dwc3_gadget_suspend+0x24/0x3c
+irq event stamp: 11252
+hardirqs last enabled at (11251): [<c09c54a4>] _raw_spin_unlock_irqrestore+0x6c/0x74
+hardirqs last disabled at (11252): [<c09c4d44>] _raw_spin_lock_irqsave+0x1c/0x5c
+softirqs last enabled at (9744): [<c0102564>] __do_softirq+0x3a4/0x66c
+softirqs last disabled at (9737): [<c0128528>] irq_exit+0x140/0x168
+Preemption disabled at:
+[<00000000>] (null)
+CPU: 7 PID: 1601 Comm: rtcwake Not tainted
+5.0.0-rc3-next-20190122-00039-ga3f4ee4f8a52 #5252
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+[<c01110f0>] (unwind_backtrace) from [<c010d120>] (show_stack+0x10/0x14)
+[<c010d120>] (show_stack) from [<c09a4d04>] (dump_stack+0x90/0xc8)
+[<c09a4d04>] (dump_stack) from [<c014c700>] (___might_sleep+0x22c/0x2c8)
+[<c014c700>] (___might_sleep) from [<c0189d68>] (synchronize_irq+0x28/0x84)
+[<c0189d68>] (synchronize_irq) from [<c05cbbf8>] (dwc3_gadget_suspend+0x34/0x3c)
+[<c05cbbf8>] (dwc3_gadget_suspend) from [<c05bd020>] (dwc3_suspend_common+0x154/0x410)
+[<c05bd020>] (dwc3_suspend_common) from [<c05bd34c>] (dwc3_suspend+0x14/0x2c)
+[<c05bd34c>] (dwc3_suspend) from [<c051c730>] (platform_pm_suspend+0x2c/0x54)
+[<c051c730>] (platform_pm_suspend) from [<c05285d4>] (dpm_run_callback+0xa4/0x3dc)
+[<c05285d4>] (dpm_run_callback) from [<c0528a40>] (__device_suspend+0x134/0x74c)
+[<c0528a40>] (__device_suspend) from [<c052c508>] (dpm_suspend+0x174/0x588)
+[<c052c508>] (dpm_suspend) from [<c0182134>] (suspend_devices_and_enter+0xc0/0xe74)
+[<c0182134>] (suspend_devices_and_enter) from [<c0183658>] (pm_suspend+0x770/0xc04)
+[<c0183658>] (pm_suspend) from [<c0180ddc>] (state_store+0x6c/0xcc)
+[<c0180ddc>] (state_store) from [<c09a9a70>] (kobj_attr_store+0x14/0x20)
+[<c09a9a70>] (kobj_attr_store) from [<c02d6800>] (sysfs_kf_write+0x4c/0x50)
+[<c02d6800>] (sysfs_kf_write) from [<c02d594c>] (kernfs_fop_write+0xfc/0x1e4)
+[<c02d594c>] (kernfs_fop_write) from [<c02593d8>] (__vfs_write+0x2c/0x160)
+[<c02593d8>] (__vfs_write) from [<c0259694>] (vfs_write+0xa4/0x16c)
+[<c0259694>] (vfs_write) from [<c0259870>] (ksys_write+0x40/0x8c)
+[<c0259870>] (ksys_write) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xed55ffa8 to 0xed55fff0)
+...
+
+Fixes: 01c10880d242 ("usb: dwc3: gadget: synchronize_irq dwc irq in suspend")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 2 ++
+ drivers/usb/dwc3/gadget.c | 2 --
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index f944cea4056bc..72110a8c49d68 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1600,6 +1600,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+ spin_lock_irqsave(&dwc->lock, flags);
+ dwc3_gadget_suspend(dwc);
+ spin_unlock_irqrestore(&dwc->lock, flags);
++ synchronize_irq(dwc->irq_gadget);
+ dwc3_core_exit(dwc);
+ break;
+ case DWC3_GCTL_PRTCAP_HOST:
+@@ -1632,6 +1633,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+ spin_lock_irqsave(&dwc->lock, flags);
+ dwc3_gadget_suspend(dwc);
+ spin_unlock_irqrestore(&dwc->lock, flags);
++ synchronize_irq(dwc->irq_gadget);
+ }
+
+ dwc3_otg_exit(dwc);
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index e293400cc6e95..2bb0ff9608d30 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -3384,8 +3384,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc)
+ dwc3_disconnect_gadget(dwc);
+ __dwc3_gadget_stop(dwc);
+
+- synchronize_irq(dwc->irq_gadget);
+-
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 4e5185ed8d132725f765afdbd23445b0c9afe821 Mon Sep 17 00:00:00 2001
+From: Fei Yang <fei.yang@intel.com>
+Date: Tue, 19 Mar 2019 22:32:20 -0700
+Subject: usb: gadget: f_fs: don't free buffer prematurely
+
+[ Upstream commit 73103c7f958b99561555c3bd1bc1a0809e0b7d61 ]
+
+The following kernel panic happens due to the io_data buffer gets deallocated
+before the async io is completed. Add a check for the case where io_data buffer
+should be deallocated by ffs_user_copy_worker.
+
+[ 41.663334] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
+[ 41.672099] #PF error: [normal kernel read fault]
+[ 41.677356] PGD 20c974067 P4D 20c974067 PUD 20c973067 PMD 0
+[ 41.683687] Oops: 0000 [#1] PREEMPT SMP
+[ 41.687976] CPU: 1 PID: 7 Comm: kworker/u8:0 Tainted: G U 5.0.0-quilt-2e5dc0ac-00790-gd8c79f2-dirty #2
+[ 41.705309] Workqueue: adb ffs_user_copy_worker
+[ 41.705316] RIP: 0010:__vunmap+0x2a/0xc0
+[ 41.705318] Code: 0f 1f 44 00 00 48 85 ff 0f 84 87 00 00 00 55 f7 c7 ff 0f 00 00 48 89 e5 41 55 41 89 f5 41 54 53 48 89 fb 75 71 e8 56 d7 ff ff <4c> 8b 60 48 4d 85 e4 74 76 48 89 df e8 25 ff ff ff 45 85 ed 74 46
+[ 41.705320] RSP: 0018:ffffbc3a40053df0 EFLAGS: 00010286
+[ 41.705322] RAX: 0000000000000000 RBX: ffffbc3a406f1000 RCX: 0000000000000000
+[ 41.705323] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff
+[ 41.705324] RBP: ffffbc3a40053e08 R08: 000000000001fb79 R09: 0000000000000037
+[ 41.705325] R10: ffffbc3a40053b68 R11: ffffbc3a40053cad R12: fffffffffffffff2
+[ 41.705326] R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffffffffff
+[ 41.705328] FS: 0000000000000000(0000) GS:ffff9e2977a80000(0000) knlGS:0000000000000000
+[ 41.705329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 41.705330] CR2: 0000000000000048 CR3: 000000020c994000 CR4: 00000000003406e0
+[ 41.705331] Call Trace:
+[ 41.705338] vfree+0x50/0xb0
+[ 41.705341] ffs_user_copy_worker+0xe9/0x1c0
+[ 41.705344] process_one_work+0x19f/0x3e0
+[ 41.705348] worker_thread+0x3f/0x3b0
+[ 41.829766] kthread+0x12b/0x150
+[ 41.833371] ? process_one_work+0x3e0/0x3e0
+[ 41.838045] ? kthread_create_worker_on_cpu+0x70/0x70
+[ 41.843695] ret_from_fork+0x3a/0x50
+[ 41.847689] Modules linked in: hci_uart bluetooth ecdh_generic rfkill_gpio dwc3_pci dwc3 snd_usb_audio mei_me tpm_crb snd_usbmidi_lib xhci_pci xhci_hcd mei tpm snd_hwdep cfg80211 snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_hda_core videobuf2_dma_sg crlmodule
+[ 41.876880] CR2: 0000000000000048
+[ 41.880584] ---[ end trace 2bc4addff0f2e673 ]---
+[ 41.891346] RIP: 0010:__vunmap+0x2a/0xc0
+[ 41.895734] Code: 0f 1f 44 00 00 48 85 ff 0f 84 87 00 00 00 55 f7 c7 ff 0f 00 00 48 89 e5 41 55 41 89 f5 41 54 53 48 89 fb 75 71 e8 56 d7 ff ff <4c> 8b 60 48 4d 85 e4 74 76 48 89 df e8 25 ff ff ff 45 85 ed 74 46
+[ 41.916740] RSP: 0018:ffffbc3a40053df0 EFLAGS: 00010286
+[ 41.922583] RAX: 0000000000000000 RBX: ffffbc3a406f1000 RCX: 0000000000000000
+[ 41.930563] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff
+[ 41.938540] RBP: ffffbc3a40053e08 R08: 000000000001fb79 R09: 0000000000000037
+[ 41.946520] R10: ffffbc3a40053b68 R11: ffffbc3a40053cad R12: fffffffffffffff2
+[ 41.954502] R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffffffffff
+[ 41.962482] FS: 0000000000000000(0000) GS:ffff9e2977a80000(0000) knlGS:0000000000000000
+[ 41.971536] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 41.977960] CR2: 0000000000000048 CR3: 000000020c994000 CR4: 00000000003406e0
+[ 41.985930] Kernel panic - not syncing: Fatal exception
+[ 41.991817] Kernel Offset: 0x16000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 42.009525] Rebooting in 10 seconds..
+[ 52.014376] ACPI MEMORY or I/O RESET_REG.
+
+Fixes: 772a7a724f69 ("usb: gadget: f_fs: Allow scatter-gather buffers")
+Signed-off-by: Fei Yang <fei.yang@intel.com>
+Reviewed-by: Manu Gautam <mgautam@codeaurora.org>
+Tested-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 20413c276c616..47be961f1bf3f 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1133,7 +1133,8 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
+ error_mutex:
+ mutex_unlock(&epfile->mutex);
+ error:
+- ffs_free_buffer(io_data);
++ if (ret != -EIOCBQUEUED) /* don't free if there is iocb queued */
++ ffs_free_buffer(io_data);
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 8d5657a4128866feda428239876d35c40ae1a88d Mon Sep 17 00:00:00 2001
+From: Farhan Ali <alifm@linux.ibm.com>
+Date: Mon, 8 Apr 2019 17:05:31 -0400
+Subject: vfio-ccw: Do not call flush_workqueue while holding the spinlock
+
+[ Upstream commit cea5dde42a83b5f0a039da672f8686455936b8d8 ]
+
+Currently we call flush_workqueue while holding the subchannel
+spinlock. But flush_workqueue function can go to sleep, so
+do not call the function while holding the spinlock.
+
+Fixes the following bug:
+
+[ 285.203430] BUG: scheduling while atomic: bash/14193/0x00000002
+[ 285.203434] INFO: lockdep is turned off.
+....
+[ 285.203485] Preemption disabled at:
+[ 285.203488] [<000003ff80243e5c>] vfio_ccw_sch_quiesce+0xbc/0x120 [vfio_ccw]
+[ 285.203496] CPU: 7 PID: 14193 Comm: bash Tainted: G W
+....
+[ 285.203504] Call Trace:
+[ 285.203510] ([<0000000000113772>] show_stack+0x82/0xd0)
+[ 285.203514] [<0000000000b7a102>] dump_stack+0x92/0xd0
+[ 285.203518] [<000000000017b8be>] __schedule_bug+0xde/0xf8
+[ 285.203524] [<0000000000b95b5a>] __schedule+0x7a/0xc38
+[ 285.203528] [<0000000000b9678a>] schedule+0x72/0xb0
+[ 285.203533] [<0000000000b9bfbc>] schedule_timeout+0x34/0x528
+[ 285.203538] [<0000000000b97608>] wait_for_common+0x118/0x1b0
+[ 285.203544] [<0000000000166d6a>] flush_workqueue+0x182/0x548
+[ 285.203550] [<000003ff80243e6e>] vfio_ccw_sch_quiesce+0xce/0x120 [vfio_ccw]
+[ 285.203556] [<000003ff80245278>] vfio_ccw_mdev_reset+0x38/0x70 [vfio_ccw]
+[ 285.203562] [<000003ff802458b0>] vfio_ccw_mdev_remove+0x40/0x78 [vfio_ccw]
+[ 285.203567] [<000003ff801a499c>] mdev_device_remove_ops+0x3c/0x80 [mdev]
+[ 285.203573] [<000003ff801a4d5c>] mdev_device_remove+0xc4/0x130 [mdev]
+[ 285.203578] [<000003ff801a5074>] remove_store+0x6c/0xa8 [mdev]
+[ 285.203582] [<000000000046f494>] kernfs_fop_write+0x14c/0x1f8
+[ 285.203588] [<00000000003c1530>] __vfs_write+0x38/0x1a8
+[ 285.203593] [<00000000003c187c>] vfs_write+0xb4/0x198
+[ 285.203597] [<00000000003c1af2>] ksys_write+0x5a/0xb0
+[ 285.203601] [<0000000000b9e270>] system_call+0xdc/0x2d8
+
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Reviewed-by: Eric Farman <farman@linux.ibm.com>
+Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
+Message-Id: <626bab8bb2958ae132452e1ddaf1b20882ad5a9d.1554756534.git.alifm@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
+index 0b3b9de45c602..64bb121ba5987 100644
+--- a/drivers/s390/cio/vfio_ccw_drv.c
++++ b/drivers/s390/cio/vfio_ccw_drv.c
+@@ -54,9 +54,9 @@ int vfio_ccw_sch_quiesce(struct subchannel *sch)
+
+ wait_for_completion_timeout(&completion, 3*HZ);
+
+- spin_lock_irq(sch->lock);
+ private->completion = NULL;
+ flush_workqueue(vfio_ccw_work_q);
++ spin_lock_irq(sch->lock);
+ ret = cio_cancel_halt_clear(sch, &iretry);
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 92de13a90a1812a518950c2e8f9078fac413cc7a Mon Sep 17 00:00:00 2001
+From: Farhan Ali <alifm@linux.ibm.com>
+Date: Tue, 16 Apr 2019 17:23:14 -0400
+Subject: vfio-ccw: Prevent quiesce function going into an infinite loop
+
+[ Upstream commit d1ffa760d22aa1d8190478e5ef555c59a771db27 ]
+
+The quiesce function calls cio_cancel_halt_clear() and if we
+get an -EBUSY we go into a loop where we:
+ - wait for any interrupts
+ - flush all I/O in the workqueue
+ - retry cio_cancel_halt_clear
+
+During the period where we are waiting for interrupts or
+flushing all I/O, the channel subsystem could have completed
+a halt/clear action and turned off the corresponding activity
+control bits in the subchannel status word. This means the next
+time we call cio_cancel_halt_clear(), we will again start by
+calling cancel subchannel and so we can be stuck between calling
+cancel and halt forever.
+
+Rather than calling cio_cancel_halt_clear() immediately after
+waiting, let's try to disable the subchannel. If we succeed in
+disabling the subchannel then we know nothing else can happen
+with the device.
+
+Suggested-by: Eric Farman <farman@linux.ibm.com>
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Message-Id: <4d5a4b98ab1b41ac6131b5c36de18b76c5d66898.1555449329.git.alifm@linux.ibm.com>
+Reviewed-by: Eric Farman <farman@linux.ibm.com>
+Acked-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_drv.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
+index 64bb121ba5987..9e84d8a971ad9 100644
+--- a/drivers/s390/cio/vfio_ccw_drv.c
++++ b/drivers/s390/cio/vfio_ccw_drv.c
+@@ -40,26 +40,30 @@ int vfio_ccw_sch_quiesce(struct subchannel *sch)
+ if (ret != -EBUSY)
+ goto out_unlock;
+
++ iretry = 255;
+ do {
+- iretry = 255;
+
+ ret = cio_cancel_halt_clear(sch, &iretry);
+- while (ret == -EBUSY) {
+- /*
+- * Flush all I/O and wait for
+- * cancel/halt/clear completion.
+- */
+- private->completion = &completion;
+- spin_unlock_irq(sch->lock);
+
+- wait_for_completion_timeout(&completion, 3*HZ);
++ if (ret == -EIO) {
++ pr_err("vfio_ccw: could not quiesce subchannel 0.%x.%04x!\n",
++ sch->schid.ssid, sch->schid.sch_no);
++ break;
++ }
++
++ /*
++ * Flush all I/O and wait for
++ * cancel/halt/clear completion.
++ */
++ private->completion = &completion;
++ spin_unlock_irq(sch->lock);
+
+- private->completion = NULL;
+- flush_workqueue(vfio_ccw_work_q);
+- spin_lock_irq(sch->lock);
+- ret = cio_cancel_halt_clear(sch, &iretry);
+- };
++ if (ret == -EBUSY)
++ wait_for_completion_timeout(&completion, 3*HZ);
+
++ private->completion = NULL;
++ flush_workqueue(vfio_ccw_work_q);
++ spin_lock_irq(sch->lock);
+ ret = cio_disable_subchannel(sch);
+ } while (ret == -EBUSY);
+ out_unlock:
+--
+2.20.1
+
--- /dev/null
+From d44d4a5b2317e23df1f1f61706ac684b7521e228 Mon Sep 17 00:00:00 2001
+From: Farhan Ali <alifm@linux.ibm.com>
+Date: Mon, 8 Apr 2019 17:05:33 -0400
+Subject: vfio-ccw: Release any channel program when releasing/removing
+ vfio-ccw mdev
+
+[ Upstream commit b49bdc8602b7c9c7a977758bee4125683f73e59f ]
+
+When releasing the vfio-ccw mdev, we currently do not release
+any existing channel program and its pinned pages. This can
+lead to the following warning:
+
+[1038876.561565] WARNING: CPU: 2 PID: 144727 at drivers/vfio/vfio_iommu_type1.c:1494 vfio_sanity_check_pfn_list+0x40/0x70 [vfio_iommu_type1]
+
+....
+
+1038876.561921] Call Trace:
+[1038876.561935] ([<00000009897fb870>] 0x9897fb870)
+[1038876.561949] [<000003ff8013bf62>] vfio_iommu_type1_detach_group+0xda/0x2f0 [vfio_iommu_type1]
+[1038876.561965] [<000003ff8007b634>] __vfio_group_unset_container+0x64/0x190 [vfio]
+[1038876.561978] [<000003ff8007b87e>] vfio_group_put_external_user+0x26/0x38 [vfio]
+[1038876.562024] [<000003ff806fc608>] kvm_vfio_group_put_external_user+0x40/0x60 [kvm]
+[1038876.562045] [<000003ff806fcb9e>] kvm_vfio_destroy+0x5e/0xd0 [kvm]
+[1038876.562065] [<000003ff806f63fc>] kvm_put_kvm+0x2a4/0x3d0 [kvm]
+[1038876.562083] [<000003ff806f655e>] kvm_vm_release+0x36/0x48 [kvm]
+[1038876.562098] [<00000000003c2dc4>] __fput+0x144/0x228
+[1038876.562113] [<000000000016ee82>] task_work_run+0x8a/0xd8
+[1038876.562125] [<000000000014c7a8>] do_exit+0x5d8/0xd90
+[1038876.562140] [<000000000014d084>] do_group_exit+0xc4/0xc8
+[1038876.562155] [<000000000015c046>] get_signal+0x9ae/0xa68
+[1038876.562169] [<0000000000108d66>] do_signal+0x66/0x768
+[1038876.562185] [<0000000000b9e37e>] system_call+0x1ea/0x2d8
+[1038876.562195] 2 locks held by qemu-system-s39/144727:
+[1038876.562205] #0: 00000000537abaf9 (&container->group_lock){++++}, at: __vfio_group_unset_container+0x3c/0x190 [vfio]
+[1038876.562230] #1: 00000000670008b5 (&iommu->lock){+.+.}, at: vfio_iommu_type1_detach_group+0x36/0x2f0 [vfio_iommu_type1]
+[1038876.562250] Last Breaking-Event-Address:
+[1038876.562262] [<000003ff8013aa24>] vfio_sanity_check_pfn_list+0x3c/0x70 [vfio_iommu_type1]
+[1038876.562272] irq event stamp: 4236481
+[1038876.562287] hardirqs last enabled at (4236489): [<00000000001cee7a>] console_unlock+0x6d2/0x740
+[1038876.562299] hardirqs last disabled at (4236496): [<00000000001ce87e>] console_unlock+0xd6/0x740
+[1038876.562311] softirqs last enabled at (4234162): [<0000000000b9fa1e>] __do_softirq+0x556/0x598
+[1038876.562325] softirqs last disabled at (4234153): [<000000000014e4cc>] irq_exit+0xac/0x108
+[1038876.562337] ---[ end trace 6c96d467b1c3ca06 ]---
+
+Similarly we do not free the channel program when we are removing
+the vfio-ccw device. Let's fix this by resetting the device and freeing
+the channel program and pinned pages in the release path. For the remove
+path we can just quiesce the device, since in the remove path the mediated
+device is going away for good and so we don't need to do a full reset.
+
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Message-Id: <ae9f20dc8873f2027f7b3c5d2aaa0bdfe06850b8.1554756534.git.alifm@linux.ibm.com>
+Acked-by: Eric Farman <farman@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_ops.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_ops.c b/drivers/s390/cio/vfio_ccw_ops.c
+index f673e106c0415..dc5ff47de3fee 100644
+--- a/drivers/s390/cio/vfio_ccw_ops.c
++++ b/drivers/s390/cio/vfio_ccw_ops.c
+@@ -130,11 +130,12 @@ static int vfio_ccw_mdev_remove(struct mdev_device *mdev)
+
+ if ((private->state != VFIO_CCW_STATE_NOT_OPER) &&
+ (private->state != VFIO_CCW_STATE_STANDBY)) {
+- if (!vfio_ccw_mdev_reset(mdev))
++ if (!vfio_ccw_sch_quiesce(private->sch))
+ private->state = VFIO_CCW_STATE_STANDBY;
+ /* The state will be NOT_OPER on error. */
+ }
+
++ cp_free(&private->cp);
+ private->mdev = NULL;
+ atomic_inc(&private->avail);
+
+@@ -158,6 +159,14 @@ static void vfio_ccw_mdev_release(struct mdev_device *mdev)
+ struct vfio_ccw_private *private =
+ dev_get_drvdata(mdev_parent_dev(mdev));
+
++ if ((private->state != VFIO_CCW_STATE_NOT_OPER) &&
++ (private->state != VFIO_CCW_STATE_STANDBY)) {
++ if (!vfio_ccw_mdev_reset(mdev))
++ private->state = VFIO_CCW_STATE_STANDBY;
++ /* The state will be NOT_OPER on error. */
++ }
++
++ cp_free(&private->cp);
+ vfio_unregister_notifier(mdev_dev(mdev), VFIO_IOMMU_NOTIFY,
+ &private->nb);
+ }
+--
+2.20.1
+
--- /dev/null
+From 034eea57a1b3be364be1c53ef31800d7448998f6 Mon Sep 17 00:00:00 2001
+From: Pankaj Gupta <pagupta@redhat.com>
+Date: Tue, 19 Mar 2019 11:34:06 +0530
+Subject: virtio_console: initialize vtermno value for ports
+
+[ Upstream commit 4b0a2c5ff7215206ea6135a405f17c5f6fca7d00 ]
+
+For regular serial ports we do not initialize value of vtermno
+variable. A garbage value is assigned for non console ports.
+The value can be observed as a random integer with [1].
+
+[1] vim /sys/kernel/debug/virtio-ports/vport*p*
+
+This patch initialize the value of vtermno for console serial
+ports to '1' and regular serial ports are initiaized to '0'.
+
+Reported-by: siliu@redhat.com
+Signed-off-by: Pankaj Gupta <pagupta@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/virtio_console.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index fbeb71953526a..05dbfdb9f4aff 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -75,7 +75,7 @@ struct ports_driver_data {
+ /* All the console devices handled by this driver */
+ struct list_head consoles;
+ };
+-static struct ports_driver_data pdrvdata;
++static struct ports_driver_data pdrvdata = { .next_vtermno = 1};
+
+ static DEFINE_SPINLOCK(pdrvdata_lock);
+ static DECLARE_COMPLETION(early_console_added);
+@@ -1394,6 +1394,7 @@ static int add_port(struct ports_device *portdev, u32 id)
+ port->async_queue = NULL;
+
+ port->cons.ws.ws_row = port->cons.ws.ws_col = 0;
++ port->cons.vtermno = 0;
+
+ port->host_connected = port->guest_connected = false;
+ port->stats = (struct port_stats) { 0 };
+--
+2.20.1
+
--- /dev/null
+From d25b69e697be7de1e4beaebf27dc08c1ca71ac68 Mon Sep 17 00:00:00 2001
+From: Mariusz Bialonczyk <manio@skyboo.net>
+Date: Thu, 21 Mar 2019 11:52:55 +0100
+Subject: w1: fix the resume command API
+
+[ Upstream commit 62909da8aca048ecf9fbd7e484e5100608f40a63 ]
+
+>From the DS2408 datasheet [1]:
+"Resume Command function checks the status of the RC flag and, if it is set,
+ directly transfers control to the control functions, similar to a Skip ROM
+ command. The only way to set the RC flag is through successfully executing
+ the Match ROM, Search ROM, Conditional Search ROM, or Overdrive-Match ROM
+ command"
+
+The function currently works perfectly fine in a multidrop bus, but when we
+have only a single slave connected, then only a Skip ROM is used and Match
+ROM is not called at all. This is leading to problems e.g. with single one
+DS2408 connected, as the Resume Command is not working properly and the
+device is responding with failing results after the Resume Command.
+
+This commit is fixing this by using a Skip ROM instead in those cases.
+The bandwidth / performance advantage is exactly the same.
+
+Refs:
+[1] https://datasheets.maximintegrated.com/en/ds/DS2408.pdf
+
+Signed-off-by: Mariusz Bialonczyk <manio@skyboo.net>
+Reviewed-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1_io.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/w1/w1_io.c b/drivers/w1/w1_io.c
+index 0364d3329c526..3516ce6718d94 100644
+--- a/drivers/w1/w1_io.c
++++ b/drivers/w1/w1_io.c
+@@ -432,8 +432,7 @@ int w1_reset_resume_command(struct w1_master *dev)
+ if (w1_reset_bus(dev))
+ return -1;
+
+- /* This will make only the last matched slave perform a skip ROM. */
+- w1_write_8(dev, W1_RESUME_CMD);
++ w1_write_8(dev, dev->slave_count > 1 ? W1_RESUME_CMD : W1_SKIP_ROM);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(w1_reset_resume_command);
+--
+2.20.1
+
--- /dev/null
+From be0a21c5000c964195c6137c271eaf310725b906 Mon Sep 17 00:00:00 2001
+From: Lior David <liord@codeaurora.org>
+Date: Thu, 28 Feb 2019 11:35:01 +0200
+Subject: wil6210: fix return code of wmi_mgmt_tx and wmi_mgmt_tx_ext
+
+[ Upstream commit 49122ec42634f73babb1dc96f170023e5228d080 ]
+
+The functions that send management TX frame have 3 possible
+results: success and other side acknowledged receive (ACK=1),
+success and other side did not acknowledge receive(ACK=0) and
+failure to send the frame. The current implementation
+incorrectly reports the ACK=0 case as failure.
+
+Signed-off-by: Lior David <liord@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/cfg80211.c | 5 +++++
+ drivers/net/wireless/ath/wil6210/wmi.c | 11 ++++++-----
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
+index a1e226652b4ab..692730415d781 100644
+--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
++++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
+@@ -1274,7 +1274,12 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ params->wait);
+
+ out:
++ /* when the sent packet was not acked by receiver(ACK=0), rc will
++ * be -EAGAIN. In this case this function needs to return success,
++ * the ACK=0 will be reflected in tx_status.
++ */
+ tx_status = (rc == 0);
++ rc = (rc == -EAGAIN) ? 0 : rc;
+ cfg80211_mgmt_tx_status(wdev, cookie ? *cookie : 0, buf, len,
+ tx_status, GFP_KERNEL);
+
+diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
+index bda4a9712f91f..63116f4b62c7f 100644
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -3502,8 +3502,9 @@ int wmi_mgmt_tx(struct wil6210_vif *vif, const u8 *buf, size_t len)
+ rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, vif->mid, cmd, total,
+ WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
+ if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) {
+- wil_err(wil, "mgmt_tx failed with status %d\n", evt.evt.status);
+- rc = -EINVAL;
++ wil_dbg_wmi(wil, "mgmt_tx failed with status %d\n",
++ evt.evt.status);
++ rc = -EAGAIN;
+ }
+
+ kfree(cmd);
+@@ -3555,9 +3556,9 @@ int wmi_mgmt_tx_ext(struct wil6210_vif *vif, const u8 *buf, size_t len,
+ rc = wmi_call(wil, WMI_SW_TX_REQ_EXT_CMDID, vif->mid, cmd, total,
+ WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
+ if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) {
+- wil_err(wil, "mgmt_tx_ext failed with status %d\n",
+- evt.evt.status);
+- rc = -EINVAL;
++ wil_dbg_wmi(wil, "mgmt_tx_ext failed with status %d\n",
++ evt.evt.status);
++ rc = -EAGAIN;
+ }
+
+ kfree(cmd);
+--
+2.20.1
+
--- /dev/null
+From 47f71772e5da92083213a43edc835f226b16904f Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 4 Apr 2019 14:40:27 -0700
+Subject: x86/build: Keep local relocations with ld.lld
+
+[ Upstream commit 7c21383f3429dd70da39c0c7f1efa12377a47ab6 ]
+
+The LLVM linker (ld.lld) defaults to removing local relocations, which
+causes KASLR boot failures. ld.bfd and ld.gold already handle this
+correctly. This adds the explicit instruction "--discard-none" during
+the link phase. There is no change in output for ld.bfd and ld.gold,
+but ld.lld now produces an image with all the needed relocations.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: clang-built-linux@googlegroups.com
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190404214027.GA7324@beast
+Link: https://github.com/ClangBuiltLinux/linux/issues/404
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index a587805c6687f..56e748a7679f4 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -47,7 +47,7 @@ export REALMODE_CFLAGS
+ export BITS
+
+ ifdef CONFIG_X86_NEED_RELOCS
+- LDFLAGS_vmlinux := --emit-relocs
++ LDFLAGS_vmlinux := --emit-relocs --discard-none
+ endif
+
+ #
+--
+2.20.1
+
--- /dev/null
+From 9549bc72721600d1be9cc7ea98da5838416fc492 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 23 Apr 2019 11:38:27 -0700
+Subject: x86/build: Move _etext to actual end of .text
+
+[ Upstream commit 392bef709659abea614abfe53cf228e7a59876a4 ]
+
+When building x86 with Clang LTO and CFI, CFI jump regions are
+automatically added to the end of the .text section late in linking. As a
+result, the _etext position was being labelled before the appended jump
+regions, causing confusion about where the boundaries of the executable
+region actually are in the running kernel, and broke at least the fault
+injection code. This moves the _etext mark to outside (and immediately
+after) the .text area, as it already the case on other architectures
+(e.g. arm64, arm).
+
+Reported-and-tested-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20190423183827.GA4012@beast
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/vmlinux.lds.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
+index a5127b2c195f9..834659288ba9b 100644
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -141,11 +141,11 @@ SECTIONS
+ *(.text.__x86.indirect_thunk)
+ __indirect_thunk_end = .;
+ #endif
+-
+- /* End of text section */
+- _etext = .;
+ } :text = 0x9090
+
++ /* End of text section */
++ _etext = .;
++
+ NOTES :text :note
+
+ EXCEPTION_TABLE(16) :text = 0x9090
+--
+2.20.1
+
--- /dev/null
+From f8f40a11dcd1959c732027454adbc2d41e1872ce Mon Sep 17 00:00:00 2001
+From: Pu Wen <puwen@hygon.cn>
+Date: Sat, 23 Mar 2019 23:42:20 +0800
+Subject: x86/CPU/hygon: Fix phys_proc_id calculation logic for multi-die
+ processors
+
+[ Upstream commit e0ceeae708cebf22c990c3d703a4ca187dc837f5 ]
+
+The Hygon family 18h multi-die processor platform supports 1, 2 or
+4-Dies per socket. The topology looks like this:
+
+ System View (with 1-Die 2-Socket):
+ |------------|
+ ------ -----
+ SOCKET0 | D0 | | D1 | SOCKET1
+ ------ -----
+
+ System View (with 2-Die 2-socket):
+ --------------------
+ | -------------|------
+ | | | |
+ ------------ ------------
+ SOCKET0 | D1 -- D0 | | D3 -- D2 | SOCKET1
+ ------------ ------------
+
+ System View (with 4-Die 2-Socket) :
+ --------------------
+ | -------------|------
+ | | | |
+ ------------ ------------
+ | D1 -- D0 | | D7 -- D6 |
+ | | \/ | | | | \/ | |
+ SOCKET0 | | /\ | | | | /\ | | SOCKET1
+ | D2 -- D3 | | D4 -- D5 |
+ ------------ ------------
+ | | | |
+ ------|------------| |
+ --------------------
+
+Currently
+
+ phys_proc_id = initial_apicid >> bits
+
+calculates the physical processor ID from the initial_apicid by shifting
+*bits*.
+
+However, this does not work for 1-Die and 2-Die 2-socket systems.
+
+According to document [1] section 2.1.11.1, the bits is the value of
+CPUID_Fn80000008_ECX[12:15]. The possible values are 4, 5 or 6 which
+mean:
+
+ 4 - 1 die
+ 5 - 2 dies
+ 6 - 3/4 dies.
+
+Hygon programs the initial ApicId the same way as AMD. The ApicId is
+read from CPUID_Fn00000001_EBX (see section 2.1.11.1 of referrence [1])
+and the definition is as below (see section 2.1.10.2.1.3 of [1]):
+
+ -------------------------------------------------
+ Bit | 6 | 5 4 | 3 | 2 1 0 |
+ |-----------|---------|--------|----------------|
+ IDs | Socket ID | Node ID | CCX ID | Core/Thread ID |
+ -------------------------------------------------
+
+So for 3/4-Die configurations, the bits variable is 6, which is the same
+as the ApicID definition field.
+
+For 1-Die and 2-Die configurations, bits is 4 or 5, which will cause the
+right shifted result to not be exactly the value of socket ID.
+
+However, the socket ID should be obtained from ApicId[6]. To fix the
+problem and match the ApicID field definition, set the shift bits to 6
+for all Hygon family 18h multi-die CPUs.
+
+Because AMD doesn't have 2-Socket systems with 1-Die/2-Die processors
+(see reference [2]), this doesn't need to be changed on the AMD side but
+only for Hygon.
+
+References:
+[1] https://www.amd.com/system/files/TechDocs/54945_PPR_Family_17h_Models_00h-0Fh.pdf
+[2] https://www.amd.com/en/products/specifications/processors
+
+ [bp: heavily massage commit message. ]
+
+Signed-off-by: Pu Wen <puwen@hygon.cn>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Thomas Lendacky <Thomas.Lendacky@amd.com>
+Cc: Yazen Ghannam <yazen.ghannam@amd.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/1553355740-19999-1-git-send-email-puwen@hygon.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/hygon.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/hygon.c b/arch/x86/kernel/cpu/hygon.c
+index cf25405444ab3..415621ddb8a23 100644
+--- a/arch/x86/kernel/cpu/hygon.c
++++ b/arch/x86/kernel/cpu/hygon.c
+@@ -19,6 +19,8 @@
+
+ #include "cpu.h"
+
++#define APICID_SOCKET_ID_BIT 6
++
+ /*
+ * nodes_per_socket: Stores the number of nodes per socket.
+ * Refer to CPUID Fn8000_001E_ECX Node Identifiers[10:8]
+@@ -87,6 +89,9 @@ static void hygon_get_topology(struct cpuinfo_x86 *c)
+ if (!err)
+ c->x86_coreid_bits = get_count_order(c->x86_max_cores);
+
++ /* Socket ID is ApicId[6] for these processors. */
++ c->phys_proc_id = c->apicid >> APICID_SOCKET_ID_BIT;
++
+ cacheinfo_hygon_init_llc_id(c, cpu, node_id);
+ } else if (cpu_has(c, X86_FEATURE_NODEID_MSR)) {
+ u64 value;
+--
+2.20.1
+
--- /dev/null
+From 1b754451ecfacc12184af1eb771ee40eb94fab76 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Thu, 25 Apr 2019 17:11:29 -0700
+Subject: x86/ftrace: Set trampoline pages as executable
+
+[ Upstream commit 3c0dab44e22782359a0a706cbce72de99a22aa75 ]
+
+Since alloc_module() will not set the pages as executable soon, set
+ftrace trampoline pages as executable after they are allocated.
+
+For the time being, do not change ftrace to use the text_poke()
+interface. As a result, ftrace still breaks W^X.
+
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: <akpm@linux-foundation.org>
+Cc: <ard.biesheuvel@linaro.org>
+Cc: <deneen.t.dock@intel.com>
+Cc: <kernel-hardening@lists.openwall.com>
+Cc: <kristen@linux.intel.com>
+Cc: <linux_dti@icloud.com>
+Cc: <will.deacon@arm.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190426001143.4983-10-namit@vmware.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/ftrace.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
+index bd553b3af22e9..6e0c0ed8e4bf4 100644
+--- a/arch/x86/kernel/ftrace.c
++++ b/arch/x86/kernel/ftrace.c
+@@ -749,6 +749,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
+ unsigned long end_offset;
+ unsigned long op_offset;
+ unsigned long offset;
++ unsigned long npages;
+ unsigned long size;
+ unsigned long retq;
+ unsigned long *ptr;
+@@ -781,6 +782,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
+ return 0;
+
+ *tramp_size = size + RET_SIZE + sizeof(void *);
++ npages = DIV_ROUND_UP(*tramp_size, PAGE_SIZE);
+
+ /* Copy ftrace_caller onto the trampoline memory */
+ ret = probe_kernel_read(trampoline, (void *)start_offset, size);
+@@ -825,6 +827,12 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
+ /* ALLOC_TRAMP flags lets us know we created it */
+ ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP;
+
++ /*
++ * Module allocation needs to be completed by making the page
++ * executable. The page is still writable, which is a security hazard,
++ * but anyhow ftrace breaks W^X completely.
++ */
++ set_memory_x((unsigned long)trampoline, npages);
+ return (unsigned long)trampoline;
+ fail:
+ tramp_free(trampoline, *tramp_size);
+--
+2.20.1
+
--- /dev/null
+From 57adade54e8f6c7f608b9cc5d6c93761bfd4bf4c Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 25 Feb 2019 12:56:35 +0100
+Subject: x86/ia32: Fix ia32_restore_sigcontext() AC leak
+
+[ Upstream commit 67a0514afdbb8b2fc70b771b8c77661a9cb9d3a9 ]
+
+Objtool spotted that we call native_load_gs_index() with AC set.
+Re-arrange the code to avoid that.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/ia32/ia32_signal.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
+index 321fe5f5d0e96..4d5fcd47ab75a 100644
+--- a/arch/x86/ia32/ia32_signal.c
++++ b/arch/x86/ia32/ia32_signal.c
+@@ -61,9 +61,8 @@
+ } while (0)
+
+ #define RELOAD_SEG(seg) { \
+- unsigned int pre = GET_SEG(seg); \
++ unsigned int pre = (seg) | 3; \
+ unsigned int cur = get_user_seg(seg); \
+- pre |= 3; \
+ if (pre != cur) \
+ set_user_seg(seg, pre); \
+ }
+@@ -72,6 +71,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ struct sigcontext_32 __user *sc)
+ {
+ unsigned int tmpflags, err = 0;
++ u16 gs, fs, es, ds;
+ void __user *buf;
+ u32 tmp;
+
+@@ -79,16 +79,10 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ current->restart_block.fn = do_no_restart_syscall;
+
+ get_user_try {
+- /*
+- * Reload fs and gs if they have changed in the signal
+- * handler. This does not handle long fs/gs base changes in
+- * the handler, but does not clobber them at least in the
+- * normal case.
+- */
+- RELOAD_SEG(gs);
+- RELOAD_SEG(fs);
+- RELOAD_SEG(ds);
+- RELOAD_SEG(es);
++ gs = GET_SEG(gs);
++ fs = GET_SEG(fs);
++ ds = GET_SEG(ds);
++ es = GET_SEG(es);
+
+ COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx);
+ COPY(dx); COPY(cx); COPY(ip); COPY(ax);
+@@ -106,6 +100,17 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ buf = compat_ptr(tmp);
+ } get_user_catch(err);
+
++ /*
++ * Reload fs and gs if they have changed in the signal
++ * handler. This does not handle long fs/gs base changes in
++ * the handler, but does not clobber them at least in the
++ * normal case.
++ */
++ RELOAD_SEG(gs);
++ RELOAD_SEG(fs);
++ RELOAD_SEG(ds);
++ RELOAD_SEG(es);
++
+ err |= fpu__restore_sig(buf, 1);
+
+ force_iret();
+--
+2.20.1
+
--- /dev/null
+From 1d8f6de114fb2dbc96173e033cb12fb125dcdfb8 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 14 Apr 2019 17:59:38 +0200
+Subject: x86/irq/64: Limit IST stack overflow check to #DB stack
+
+[ Upstream commit 7dbcf2b0b770eeb803a416ee8dcbef78e6389d40 ]
+
+Commit
+
+ 37fe6a42b343 ("x86: Check stack overflow in detail")
+
+added a broad check for the full exception stack area, i.e. it considers
+the full exception stack area as valid.
+
+That's wrong in two aspects:
+
+ 1) It does not check the individual areas one by one
+
+ 2) #DF, NMI and #MCE are not enabling interrupts which means that a
+ regular device interrupt cannot happen in their context. In fact if a
+ device interrupt hits one of those IST stacks that's a bug because some
+ code path enabled interrupts while handling the exception.
+
+Limit the check to the #DB stack and consider all other IST stacks as
+'overflow' or invalid.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
+Cc: Nicolai Stange <nstange@suse.de>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190414160143.682135110@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/irq_64.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
+index 0469cd078db15..b50ac9c7397bb 100644
+--- a/arch/x86/kernel/irq_64.c
++++ b/arch/x86/kernel/irq_64.c
+@@ -26,9 +26,18 @@ int sysctl_panic_on_stackoverflow;
+ /*
+ * Probabilistic stack overflow check:
+ *
+- * Only check the stack in process context, because everything else
+- * runs on the big interrupt stacks. Checking reliably is too expensive,
+- * so we just check from interrupts.
++ * Regular device interrupts can enter on the following stacks:
++ *
++ * - User stack
++ *
++ * - Kernel task stack
++ *
++ * - Interrupt stack if a device driver reenables interrupts
++ * which should only happen in really old drivers.
++ *
++ * - Debug IST stack
++ *
++ * All other contexts are invalid.
+ */
+ static inline void stack_overflow_check(struct pt_regs *regs)
+ {
+@@ -53,8 +62,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+ return;
+
+ oist = this_cpu_ptr(&orig_ist);
+- estack_top = (u64)oist->ist[0] - EXCEPTION_STKSZ + STACK_TOP_MARGIN;
+- estack_bottom = (u64)oist->ist[N_EXCEPTION_STACKS - 1];
++ estack_bottom = (u64)oist->ist[DEBUG_STACK];
++ estack_top = estack_bottom - DEBUG_STKSZ + STACK_TOP_MARGIN;
+ if (regs->sp >= estack_top && regs->sp <= estack_bottom)
+ return;
+
+--
+2.20.1
+
--- /dev/null
+From 891b96669fe34657b9ebe40e8cd6e3f3b18bbf89 Mon Sep 17 00:00:00 2001
+From: Tony Luck <tony.luck@intel.com>
+Date: Tue, 12 Mar 2019 10:09:38 -0700
+Subject: x86/mce: Fix machine_check_poll() tests for error types
+
+[ Upstream commit f19501aa07f18268ab14f458b51c1c6b7f72a134 ]
+
+There has been a lurking "TBD" in the machine check poll routine ever
+since it was first split out from the machine check handler. The
+potential issue is that the poll routine may have just begun a read from
+the STATUS register in a machine check bank when the hardware logs an
+error in that bank and signals a machine check.
+
+That race used to be pretty small back when machine checks were
+broadcast, but the addition of local machine check means that the poll
+code could continue running and clear the error from the bank before the
+local machine check handler on another CPU gets around to reading it.
+
+Fix the code to be sure to only process errors that need to be processed
+in the poll code, leaving other logged errors alone for the machine
+check handler to find and process.
+
+ [ bp: Massage a bit and flip the "== 0" check to the usual !(..) test. ]
+
+Fixes: b79109c3bbcf ("x86, mce: separate correct machine check poller and fatal exception handler")
+Fixes: ed7290d0ee8f ("x86, mce: implement new status bits")
+Reported-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Cc: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Link: https://lkml.kernel.org/r/20190312170938.GA23035@agluck-desk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/core.c | 44 ++++++++++++++++++++++++++++------
+ 1 file changed, 37 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
+index 1a7084ba9a3b6..0d47306cec7ae 100644
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -712,19 +712,49 @@ bool machine_check_poll(enum mcp_flags flags, mce_banks_t *b)
+
+ barrier();
+ m.status = mce_rdmsrl(msr_ops.status(i));
++
++ /* If this entry is not valid, ignore it */
+ if (!(m.status & MCI_STATUS_VAL))
+ continue;
+
+ /*
+- * Uncorrected or signalled events are handled by the exception
+- * handler when it is enabled, so don't process those here.
+- *
+- * TBD do the same check for MCI_STATUS_EN here?
++ * If we are logging everything (at CPU online) or this
++ * is a corrected error, then we must log it.
+ */
+- if (!(flags & MCP_UC) &&
+- (m.status & (mca_cfg.ser ? MCI_STATUS_S : MCI_STATUS_UC)))
+- continue;
++ if ((flags & MCP_UC) || !(m.status & MCI_STATUS_UC))
++ goto log_it;
++
++ /*
++ * Newer Intel systems that support software error
++ * recovery need to make additional checks. Other
++ * CPUs should skip over uncorrected errors, but log
++ * everything else.
++ */
++ if (!mca_cfg.ser) {
++ if (m.status & MCI_STATUS_UC)
++ continue;
++ goto log_it;
++ }
++
++ /* Log "not enabled" (speculative) errors */
++ if (!(m.status & MCI_STATUS_EN))
++ goto log_it;
++
++ /*
++ * Log UCNA (SDM: 15.6.3 "UCR Error Classification")
++ * UC == 1 && PCC == 0 && S == 0
++ */
++ if (!(m.status & MCI_STATUS_PCC) && !(m.status & MCI_STATUS_S))
++ goto log_it;
++
++ /*
++ * Skip anything else. Presumption is that our read of this
++ * bank is racing with a machine check. Leave the log alone
++ * for do_machine_check() to deal with it.
++ */
++ continue;
+
++log_it:
+ error_seen = true;
+
+ mce_read_aux(&m, i);
+--
+2.20.1
+
--- /dev/null
+From ce357e210354e2c932fc3bb6891a0a48dddcc54a Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Fri, 27 Jul 2018 16:40:09 -0500
+Subject: x86/mce: Handle varying MCA bank counts
+
+[ Upstream commit 006c077041dc73b9490fffc4c6af5befe0687110 ]
+
+Linux reads MCG_CAP[Count] to find the number of MCA banks visible to a
+CPU. Currently, this number is the same for all CPUs and a warning is
+shown if there is a difference. The number of banks is overwritten with
+the MCG_CAP[Count] value of each following CPU that boots.
+
+According to the Intel SDM and AMD APM, the MCG_CAP[Count] value gives
+the number of banks that are available to a "processor implementation".
+The AMD BKDGs/PPRs further clarify that this value is per core. This
+value has historically been the same for every core in the system, but
+that is not an architectural requirement.
+
+Future AMD systems may have different MCG_CAP[Count] values per core,
+so the assumption that all CPUs will have the same MCG_CAP[Count] value
+will no longer be valid.
+
+Also, the first CPU to boot will allocate the struct mce_banks[] array
+using the number of banks based on its MCG_CAP[Count] value. The machine
+check handler and other functions use the global number of banks to
+iterate and index into the mce_banks[] array. So it's possible to use an
+out-of-bounds index on an asymmetric system where a following CPU sees a
+MCG_CAP[Count] value greater than its predecessors.
+
+Thus, allocate the mce_banks[] array to the maximum number of banks.
+This will avoid the potential out-of-bounds index since the value of
+mca_cfg.banks is capped to MAX_NR_BANKS.
+
+Set the value of mca_cfg.banks equal to the max of the previous value
+and the value for the current CPU. This way mca_cfg.banks will always
+represent the max number of banks detected on any CPU in the system.
+
+This will ensure that all CPUs will access all the banks that are
+visible to them. A CPU that can access fewer than the max number of
+banks will find the registers of the extra banks to be read-as-zero.
+
+Furthermore, print the resulting number of MCA banks in use. Do this in
+mcheck_late_init() so that the final value is printed after all CPUs
+have been initialized.
+
+Finally, get bank count from target CPU when doing injection with mce-inject
+module.
+
+ [ bp: Remove out-of-bounds example, passify and cleanup commit message. ]
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: Pu Wen <puwen@hygon.cn>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20180727214009.78289-1-Yazen.Ghannam@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/core.c | 22 +++++++---------------
+ arch/x86/kernel/cpu/mce/inject.c | 14 +++++++-------
+ 2 files changed, 14 insertions(+), 22 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
+index 0d47306cec7ae..9e6a94c208e01 100644
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -1481,13 +1481,12 @@ EXPORT_SYMBOL_GPL(mce_notify_irq);
+ static int __mcheck_cpu_mce_banks_init(void)
+ {
+ int i;
+- u8 num_banks = mca_cfg.banks;
+
+- mce_banks = kcalloc(num_banks, sizeof(struct mce_bank), GFP_KERNEL);
++ mce_banks = kcalloc(MAX_NR_BANKS, sizeof(struct mce_bank), GFP_KERNEL);
+ if (!mce_banks)
+ return -ENOMEM;
+
+- for (i = 0; i < num_banks; i++) {
++ for (i = 0; i < MAX_NR_BANKS; i++) {
+ struct mce_bank *b = &mce_banks[i];
+
+ b->ctl = -1ULL;
+@@ -1501,28 +1500,19 @@ static int __mcheck_cpu_mce_banks_init(void)
+ */
+ static int __mcheck_cpu_cap_init(void)
+ {
+- unsigned b;
+ u64 cap;
++ u8 b;
+
+ rdmsrl(MSR_IA32_MCG_CAP, cap);
+
+ b = cap & MCG_BANKCNT_MASK;
+- if (!mca_cfg.banks)
+- pr_info("CPU supports %d MCE banks\n", b);
+-
+- if (b > MAX_NR_BANKS) {
+- pr_warn("Using only %u machine check banks out of %u\n",
+- MAX_NR_BANKS, b);
++ if (WARN_ON_ONCE(b > MAX_NR_BANKS))
+ b = MAX_NR_BANKS;
+- }
+
+- /* Don't support asymmetric configurations today */
+- WARN_ON(mca_cfg.banks != 0 && b != mca_cfg.banks);
+- mca_cfg.banks = b;
++ mca_cfg.banks = max(mca_cfg.banks, b);
+
+ if (!mce_banks) {
+ int err = __mcheck_cpu_mce_banks_init();
+-
+ if (err)
+ return err;
+ }
+@@ -2489,6 +2479,8 @@ EXPORT_SYMBOL_GPL(mcsafe_key);
+
+ static int __init mcheck_late_init(void)
+ {
++ pr_info("Using %d MCE banks\n", mca_cfg.banks);
++
+ if (mca_cfg.recovery)
+ static_branch_inc(&mcsafe_key);
+
+diff --git a/arch/x86/kernel/cpu/mce/inject.c b/arch/x86/kernel/cpu/mce/inject.c
+index 8492ef7d90150..3f82afd0f46f2 100644
+--- a/arch/x86/kernel/cpu/mce/inject.c
++++ b/arch/x86/kernel/cpu/mce/inject.c
+@@ -46,8 +46,6 @@
+ static struct mce i_mce;
+ static struct dentry *dfs_inj;
+
+-static u8 n_banks;
+-
+ #define MAX_FLAG_OPT_SIZE 4
+ #define NBCFG 0x44
+
+@@ -570,9 +568,15 @@ static void do_inject(void)
+ static int inj_bank_set(void *data, u64 val)
+ {
+ struct mce *m = (struct mce *)data;
++ u8 n_banks;
++ u64 cap;
++
++ /* Get bank count on target CPU so we can handle non-uniform values. */
++ rdmsrl_on_cpu(m->extcpu, MSR_IA32_MCG_CAP, &cap);
++ n_banks = cap & MCG_BANKCNT_MASK;
+
+ if (val >= n_banks) {
+- pr_err("Non-existent MCE bank: %llu\n", val);
++ pr_err("MCA bank %llu non-existent on CPU%d\n", val, m->extcpu);
+ return -EINVAL;
+ }
+
+@@ -665,10 +669,6 @@ static struct dfs_node {
+ static int __init debugfs_init(void)
+ {
+ unsigned int i;
+- u64 cap;
+-
+- rdmsrl(MSR_IA32_MCG_CAP, cap);
+- n_banks = cap & MCG_BANKCNT_MASK;
+
+ dfs_inj = debugfs_create_dir("mce-inject", NULL);
+ if (!dfs_inj)
+--
+2.20.1
+
--- /dev/null
+From 9e29b8fd1a715375ea2bbe77bab7ca49c0725f82 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Thu, 4 Apr 2019 22:14:07 +0200
+Subject: x86/microcode: Fix the ancient deprecated microcode loading method
+
+[ Upstream commit 24613a04ad1c0588c10f4b5403ca60a73d164051 ]
+
+Commit
+
+ 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present")
+
+added the new define UCODE_NEW to denote that an update should happen
+only when newer microcode (than installed on the system) has been found.
+
+But it missed adjusting that for the old /dev/cpu/microcode loading
+interface. Fix it.
+
+Fixes: 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present")
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Jann Horn <jannh@google.com>
+Link: https://lkml.kernel.org/r/20190405133010.24249-3-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/microcode/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 5260185cbf7ba..8a4a7823451ac 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -418,8 +418,9 @@ static int do_microcode_update(const void __user *buf, size_t size)
+ if (ustate == UCODE_ERROR) {
+ error = -1;
+ break;
+- } else if (ustate == UCODE_OK)
++ } else if (ustate == UCODE_NEW) {
+ apply_microcode_on_target(cpu);
++ }
+ }
+
+ return error;
+--
+2.20.1
+
--- /dev/null
+From bc4c8633dc7c0234383257ecdabc4274176ec4cb Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 24 Apr 2019 09:04:57 +0200
+Subject: x86/mm: Remove in_nmi() warning from 64-bit implementation of
+ vmalloc_fault()
+
+[ Upstream commit a65c88e16f32aa9ef2e8caa68ea5c29bd5eb0ff0 ]
+
+In-NMI warnings have been added to vmalloc_fault() via:
+
+ ebc8827f75 ("x86: Barf when vmalloc and kmemcheck faults happen in NMI")
+
+back in the time when our NMI entry code could not cope with nested NMIs.
+
+These days, it's perfectly fine to take a fault in NMI context and we
+don't have to care about the fact that IRET from the fault handler might
+cause NMI nesting.
+
+This warning has already been removed from 32-bit implementation of
+vmalloc_fault() in:
+
+ 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
+
+but the 64-bit version was omitted.
+
+Remove the bogus warning also from 64-bit implementation of vmalloc_fault().
+
+Reported-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1904240902280.9803@cbobk.fhfr.pm
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/fault.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index 667f1da36208e..5eaf67e8314f1 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -359,8 +359,6 @@ static noinline int vmalloc_fault(unsigned long address)
+ if (!(address >= VMALLOC_START && address < VMALLOC_END))
+ return -1;
+
+- WARN_ON_ONCE(in_nmi());
+-
+ /*
+ * Copy kernel mappings over when needed. This can also
+ * happen within a race in page table update. In the later
+--
+2.20.1
+
--- /dev/null
+From 27b4ba663f36650c5a72ce5e874df2e6833941af Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Thu, 25 Apr 2019 17:11:31 -0700
+Subject: x86/modules: Avoid breaking W^X while loading modules
+
+[ Upstream commit f2c65fb3221adc6b73b0549fc7ba892022db9797 ]
+
+When modules and BPF filters are loaded, there is a time window in
+which some memory is both writable and executable. An attacker that has
+already found another vulnerability (e.g., a dangling pointer) might be
+able to exploit this behavior to overwrite kernel code. Prevent having
+writable executable PTEs in this stage.
+
+In addition, avoiding having W+X mappings can also slightly simplify the
+patching of modules code on initialization (e.g., by alternatives and
+static-key), as would be done in the next patch. This was actually the
+main motivation for this patch.
+
+To avoid having W+X mappings, set them initially as RW (NX) and after
+they are set as RO set them as X as well. Setting them as executable is
+done as a separate step to avoid one core in which the old PTE is cached
+(hence writable), and another which sees the updated PTE (executable),
+which would break the W^X protection.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Suggested-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <akpm@linux-foundation.org>
+Cc: <ard.biesheuvel@linaro.org>
+Cc: <deneen.t.dock@intel.com>
+Cc: <kernel-hardening@lists.openwall.com>
+Cc: <kristen@linux.intel.com>
+Cc: <linux_dti@icloud.com>
+Cc: <will.deacon@arm.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jessica Yu <jeyu@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Rik van Riel <riel@surriel.com>
+Link: https://lkml.kernel.org/r/20190426001143.4983-12-namit@vmware.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/alternative.c | 28 +++++++++++++++++++++-------
+ arch/x86/kernel/module.c | 2 +-
+ include/linux/filter.h | 1 +
+ kernel/module.c | 5 +++++
+ 4 files changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
+index 9a79c7808f9cc..d7df79fc448cd 100644
+--- a/arch/x86/kernel/alternative.c
++++ b/arch/x86/kernel/alternative.c
+@@ -667,15 +667,29 @@ void __init alternative_instructions(void)
+ * handlers seeing an inconsistent instruction while you patch.
+ */
+ void *__init_or_module text_poke_early(void *addr, const void *opcode,
+- size_t len)
++ size_t len)
+ {
+ unsigned long flags;
+- local_irq_save(flags);
+- memcpy(addr, opcode, len);
+- local_irq_restore(flags);
+- sync_core();
+- /* Could also do a CLFLUSH here to speed up CPU recovery; but
+- that causes hangs on some VIA CPUs. */
++
++ if (boot_cpu_has(X86_FEATURE_NX) &&
++ is_module_text_address((unsigned long)addr)) {
++ /*
++ * Modules text is marked initially as non-executable, so the
++ * code cannot be running and speculative code-fetches are
++ * prevented. Just change the code.
++ */
++ memcpy(addr, opcode, len);
++ } else {
++ local_irq_save(flags);
++ memcpy(addr, opcode, len);
++ local_irq_restore(flags);
++ sync_core();
++
++ /*
++ * Could also do a CLFLUSH here to speed up CPU recovery; but
++ * that causes hangs on some VIA CPUs.
++ */
++ }
+ return addr;
+ }
+
+diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
+index b052e883dd8cc..cfa3106faee42 100644
+--- a/arch/x86/kernel/module.c
++++ b/arch/x86/kernel/module.c
+@@ -87,7 +87,7 @@ void *module_alloc(unsigned long size)
+ p = __vmalloc_node_range(size, MODULE_ALIGN,
+ MODULES_VADDR + get_module_load_offset(),
+ MODULES_END, GFP_KERNEL,
+- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
++ PAGE_KERNEL, 0, NUMA_NO_NODE,
+ __builtin_return_address(0));
+ if (p && (kasan_module_alloc(p, size) < 0)) {
+ vfree(p);
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 6074aa064b540..14ec3bdad9a90 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -746,6 +746,7 @@ static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)
+ static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
+ {
+ set_memory_ro((unsigned long)hdr, hdr->pages);
++ set_memory_x((unsigned long)hdr, hdr->pages);
+ }
+
+ static inline void bpf_jit_binary_unlock_ro(struct bpf_binary_header *hdr)
+diff --git a/kernel/module.c b/kernel/module.c
+index 0b9aa8ab89f08..2b2845ae983ed 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1950,8 +1950,13 @@ void module_enable_ro(const struct module *mod, bool after_init)
+ return;
+
+ frob_text(&mod->core_layout, set_memory_ro);
++ frob_text(&mod->core_layout, set_memory_x);
++
+ frob_rodata(&mod->core_layout, set_memory_ro);
++
+ frob_text(&mod->init_layout, set_memory_ro);
++ frob_text(&mod->init_layout, set_memory_x);
++
+ frob_rodata(&mod->init_layout, set_memory_ro);
+
+ if (after_init)
+--
+2.20.1
+
--- /dev/null
+From c17e2dc402e77784f9667d87db3285fb0836eac6 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Mon, 25 Mar 2019 15:29:22 -0500
+Subject: x86/platform/uv: Fix missing checks of kcalloc() return values
+
+[ Upstream commit 766460852cfaeca4042e5f3aeb9616b3689147bc ]
+
+Handle potential errors returned from kcalloc().
+
+ [ bp: rewrite commit message. ]
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andrew Banman <abanman@hpe.com>
+Cc: Andy Shevchenko <andy@infradead.org>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: Darren Hart <dvhart@infradead.org>
+Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Mike Travis <mike.travis@hpe.com>
+Cc: Nicolai Stange <nstange@suse.de>
+Cc: pakki001@umn.edu
+Cc: platform-driver-x86@vger.kernel.org
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Varsha Rao <rvarsha016@gmail.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190325202924.4624-1-kjlu@umn.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/uv/tlb_uv.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/platform/uv/tlb_uv.c b/arch/x86/platform/uv/tlb_uv.c
+index 2c53b0f19329a..1297e185b8c8d 100644
+--- a/arch/x86/platform/uv/tlb_uv.c
++++ b/arch/x86/platform/uv/tlb_uv.c
+@@ -2133,14 +2133,19 @@ static int __init summarize_uvhub_sockets(int nuvhubs,
+ */
+ static int __init init_per_cpu(int nuvhubs, int base_part_pnode)
+ {
+- unsigned char *uvhub_mask;
+ struct uvhub_desc *uvhub_descs;
++ unsigned char *uvhub_mask = NULL;
+
+ if (is_uv3_hub() || is_uv2_hub() || is_uv1_hub())
+ timeout_us = calculate_destination_timeout();
+
+ uvhub_descs = kcalloc(nuvhubs, sizeof(struct uvhub_desc), GFP_KERNEL);
++ if (!uvhub_descs)
++ goto fail;
++
+ uvhub_mask = kzalloc((nuvhubs+7)/8, GFP_KERNEL);
++ if (!uvhub_mask)
++ goto fail;
+
+ if (get_cpu_topology(base_part_pnode, uvhub_descs, uvhub_mask))
+ goto fail;
+--
+2.20.1
+
--- /dev/null
+From e55d08b9118a4078334fb7f3218ae0ebcba12dba Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 24 Apr 2019 09:19:24 +0200
+Subject: x86/uaccess: Dont leak the AC flag into __put_user() argument
+ evaluation
+
+[ Upstream commit 6ae865615fc43d014da2fd1f1bba7e81ee622d1b ]
+
+The __put_user() macro evaluates it's @ptr argument inside the
+__uaccess_begin() / __uaccess_end() region. While this would normally
+not be expected to be an issue, an UBSAN bug (it ignored -fwrapv,
+fixed in GCC 8+) would transform the @ptr evaluation for:
+
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c: if (unlikely(__put_user(offset, &urelocs[r-stack].presumed_offset))) {
+
+into a signed-overflow-UB check and trigger the objtool AC validation.
+
+Finish this commit:
+
+ 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation")
+
+and explicitly evaluate all 3 arguments early.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: luto@kernel.org
+Fixes: 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation")
+Link: http://lkml.kernel.org/r/20190424072208.695962771@infradead.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/uaccess.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
+index 1954dd5552a2e..3822cc8ac9d6d 100644
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -427,10 +427,11 @@ do { \
+ ({ \
+ __label__ __pu_label; \
+ int __pu_err = -EFAULT; \
+- __typeof__(*(ptr)) __pu_val; \
+- __pu_val = x; \
++ __typeof__(*(ptr)) __pu_val = (x); \
++ __typeof__(ptr) __pu_ptr = (ptr); \
++ __typeof__(size) __pu_size = (size); \
+ __uaccess_begin(); \
+- __put_user_size(__pu_val, (ptr), (size), __pu_label); \
++ __put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_label); \
+ __pu_err = 0; \
+ __pu_label: \
+ __uaccess_end(); \
+--
+2.20.1
+
--- /dev/null
+From d35cbe1d662719dabf8d6b83ef87be820a175485 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 3 Apr 2019 09:39:45 +0200
+Subject: x86/uaccess: Fix up the fixup
+
+[ Upstream commit b69656fa7ea2f75e47d7bd5b9430359fa46488af ]
+
+New tooling got confused about this:
+
+ arch/x86/lib/memcpy_64.o: warning: objtool: .fixup+0x7: return with UACCESS enabled
+
+While the code isn't wrong, it is tedious (if at all possible) to
+figure out what function a particular chunk of .fixup belongs to.
+
+This then confuses the objtool uaccess validation. Instead of
+returning directly from the .fixup, jump back into the right function.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/lib/memcpy_64.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
+index 3b24dc05251c7..9d05572370edc 100644
+--- a/arch/x86/lib/memcpy_64.S
++++ b/arch/x86/lib/memcpy_64.S
+@@ -257,6 +257,7 @@ ENTRY(__memcpy_mcsafe)
+ /* Copy successful. Return zero */
+ .L_done_memcpy_trap:
+ xorl %eax, %eax
++.L_done:
+ ret
+ ENDPROC(__memcpy_mcsafe)
+ EXPORT_SYMBOL_GPL(__memcpy_mcsafe)
+@@ -273,7 +274,7 @@ EXPORT_SYMBOL_GPL(__memcpy_mcsafe)
+ addl %edx, %ecx
+ .E_trailing_bytes:
+ mov %ecx, %eax
+- ret
++ jmp .L_done
+
+ /*
+ * For write fault handling, given the destination is unaligned,
+--
+2.20.1
+
--- /dev/null
+From a79b5cdfc5a94b238deb2d1041b85da23fe0e4a6 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 7 Mar 2019 11:09:13 +0100
+Subject: x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP
+
+[ Upstream commit 4a6c91fbdef846ec7250b82f2eeeb87ac5f18cf9 ]
+
+For CONFIG_TRACE_BRANCH_PROFILING=y the likely/unlikely things get
+overloaded and generate callouts to this code, and thus also when
+AC=1.
+
+Make it safe.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_branch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/trace/trace_branch.c b/kernel/trace/trace_branch.c
+index 4ad967453b6fb..3ea65cdff30d5 100644
+--- a/kernel/trace/trace_branch.c
++++ b/kernel/trace/trace_branch.c
+@@ -205,6 +205,8 @@ void trace_likely_condition(struct ftrace_likely_data *f, int val, int expect)
+ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+ int expect, int is_constant)
+ {
++ unsigned long flags = user_access_save();
++
+ /* A constant is always correct */
+ if (is_constant) {
+ f->constant++;
+@@ -223,6 +225,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+ f->data.correct++;
+ else
+ f->data.incorrect++;
++
++ user_access_restore(flags);
+ }
+ EXPORT_SYMBOL(ftrace_likely_update);
+
+--
+2.20.1
+
--- /dev/null
+From 9287b35dbb898474d891c0301874c36cc4f7245a Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 3 Apr 2019 09:39:48 +0200
+Subject: x86/uaccess, signal: Fix AC=1 bloat
+
+[ Upstream commit 88e4718275c1bddca6f61f300688b4553dc8584b ]
+
+Occasionally GCC is less agressive with inlining and the following is
+observed:
+
+ arch/x86/kernel/signal.o: warning: objtool: restore_sigcontext()+0x3cc: call to force_valid_ss.isra.5() with UACCESS enabled
+ arch/x86/kernel/signal.o: warning: objtool: do_signal()+0x384: call to frame_uc_flags.isra.0() with UACCESS enabled
+
+Cure this by moving this code out of the AC=1 region, since it really
+isn't needed for the user access.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/signal.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
+index 08dfd4c1a4f95..c8aa58a2bab97 100644
+--- a/arch/x86/kernel/signal.c
++++ b/arch/x86/kernel/signal.c
+@@ -132,16 +132,6 @@ static int restore_sigcontext(struct pt_regs *regs,
+ COPY_SEG_CPL3(cs);
+ COPY_SEG_CPL3(ss);
+
+-#ifdef CONFIG_X86_64
+- /*
+- * Fix up SS if needed for the benefit of old DOSEMU and
+- * CRIU.
+- */
+- if (unlikely(!(uc_flags & UC_STRICT_RESTORE_SS) &&
+- user_64bit_mode(regs)))
+- force_valid_ss(regs);
+-#endif
+-
+ get_user_ex(tmpflags, &sc->flags);
+ regs->flags = (regs->flags & ~FIX_EFLAGS) | (tmpflags & FIX_EFLAGS);
+ regs->orig_ax = -1; /* disable syscall checks */
+@@ -150,6 +140,15 @@ static int restore_sigcontext(struct pt_regs *regs,
+ buf = (void __user *)buf_val;
+ } get_user_catch(err);
+
++#ifdef CONFIG_X86_64
++ /*
++ * Fix up SS if needed for the benefit of old DOSEMU and
++ * CRIU.
++ */
++ if (unlikely(!(uc_flags & UC_STRICT_RESTORE_SS) && user_64bit_mode(regs)))
++ force_valid_ss(regs);
++#endif
++
+ err |= fpu__restore_sig(buf, IS_ENABLED(CONFIG_X86_32));
+
+ force_iret();
+@@ -461,6 +460,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ {
+ struct rt_sigframe __user *frame;
+ void __user *fp = NULL;
++ unsigned long uc_flags;
+ int err = 0;
+
+ frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe), &fp);
+@@ -473,9 +473,11 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ return -EFAULT;
+ }
+
++ uc_flags = frame_uc_flags(regs);
++
+ put_user_try {
+ /* Create the ucontext. */
+- put_user_ex(frame_uc_flags(regs), &frame->uc.uc_flags);
++ put_user_ex(uc_flags, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+ save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+
+@@ -541,6 +543,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
+ {
+ #ifdef CONFIG_X86_X32_ABI
+ struct rt_sigframe_x32 __user *frame;
++ unsigned long uc_flags;
+ void __user *restorer;
+ int err = 0;
+ void __user *fpstate = NULL;
+@@ -555,9 +558,11 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
+ return -EFAULT;
+ }
+
++ uc_flags = frame_uc_flags(regs);
++
+ put_user_try {
+ /* Create the ucontext. */
+- put_user_ex(frame_uc_flags(regs), &frame->uc.uc_flags);
++ put_user_ex(uc_flags, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+ compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+ put_user_ex(0, &frame->uc.uc__pad0);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
