--- /dev/null
+From ece6031ece2dd64d63708cfe1088016cee5b10c0 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Thu, 20 Jun 2019 09:17:01 +0100
+Subject: arm64: tegra: Update Jetson TX1 GPU regulator timings
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit ece6031ece2dd64d63708cfe1088016cee5b10c0 upstream.
+
+The GPU regulator enable ramp delay for Jetson TX1 is set to 1ms which
+not sufficient because the enable ramp delay has been measured to be
+greater than 1ms. Furthermore, the downstream kernels released by NVIDIA
+for Jetson TX1 are using a enable ramp delay 2ms and a settling delay of
+160us. Update the GPU regulator enable ramp delay for Jetson TX1 to be
+2ms and add a settling delay of 160us.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Fixes: 5e6b9a89afce ("arm64: tegra: Add VDD_GPU regulator to Jetson TX1")
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi
+@@ -322,7 +322,8 @@
+ regulator-max-microvolt = <1320000>;
+ enable-gpios = <&pmic 6 GPIO_ACTIVE_HIGH>;
+ regulator-ramp-delay = <80>;
+- regulator-enable-ramp-delay = <1000>;
++ regulator-enable-ramp-delay = <2000>;
++ regulator-settling-time-us = <160>;
+ };
+ };
+ };
--- /dev/null
+From f54d801dda14942dbefa00541d10603015b7859c Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:44 +0800
+Subject: bcache: destroy dc->writeback_write_wq if failed to create dc->writeback_thread
+
+From: Coly Li <colyli@suse.de>
+
+commit f54d801dda14942dbefa00541d10603015b7859c upstream.
+
+Commit 9baf30972b55 ("bcache: fix for gc and write-back race") added a
+new work queue dc->writeback_write_wq, but forgot to destroy it in the
+error condition when creating dc->writeback_thread failed.
+
+This patch destroys dc->writeback_write_wq if kthread_create() returns
+error pointer to dc->writeback_thread, then a memory leak is avoided.
+
+Fixes: 9baf30972b55 ("bcache: fix for gc and write-back race")
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/writeback.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -834,6 +834,7 @@ int bch_cached_dev_writeback_start(struc
+ "bcache_writeback");
+ if (IS_ERR(dc->writeback_thread)) {
+ cached_dev_put(dc);
++ destroy_workqueue(dc->writeback_write_wq);
+ return PTR_ERR(dc->writeback_thread);
+ }
+ dc->writeback_running = true;
--- /dev/null
+From 5461999848e0462c14f306a62923d22de820a59c Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:43 +0800
+Subject: bcache: fix mistaken sysfs entry for io_error counter
+
+From: Coly Li <colyli@suse.de>
+
+commit 5461999848e0462c14f306a62923d22de820a59c upstream.
+
+In bch_cached_dev_files[] from driver/md/bcache/sysfs.c, sysfs_errors is
+incorrectly inserted in. The correct entry should be sysfs_io_errors.
+
+This patch fixes the problem and now I/O errors of cached device can be
+read from /sys/block/bcache<N>/bcache/io_errors.
+
+Fixes: c7b7bd07404c5 ("bcache: add io_disable to struct cached_dev")
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/sysfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/sysfs.c
++++ b/drivers/md/bcache/sysfs.c
+@@ -180,7 +180,7 @@ SHOW(__bch_cached_dev)
+ var_print(writeback_percent);
+ sysfs_hprint(writeback_rate,
+ wb ? atomic_long_read(&dc->writeback_rate.rate) << 9 : 0);
+- sysfs_hprint(io_errors, atomic_read(&dc->io_errors));
++ sysfs_printf(io_errors, "%i", atomic_read(&dc->io_errors));
+ sysfs_printf(io_error_limit, "%i", dc->error_limit);
+ sysfs_printf(io_disable, "%i", dc->io_disable);
+ var_print(writeback_rate_update_seconds);
+@@ -464,7 +464,7 @@ static struct attribute *bch_cached_dev_
+ &sysfs_writeback_rate_p_term_inverse,
+ &sysfs_writeback_rate_minimum,
+ &sysfs_writeback_rate_debug,
+- &sysfs_errors,
++ &sysfs_io_errors,
+ &sysfs_io_error_limit,
+ &sysfs_io_disable,
+ &sysfs_dirty_data,
--- /dev/null
+From 578df99b1b0531d19af956530fe4da63d01a1604 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:29 +0800
+Subject: bcache: ignore read-ahead request failure on backing device
+
+From: Coly Li <colyli@suse.de>
+
+commit 578df99b1b0531d19af956530fe4da63d01a1604 upstream.
+
+When md raid device (e.g. raid456) is used as backing device, read-ahead
+requests on a degrading and recovering md raid device might be failured
+immediately by md raid code, but indeed this md raid array can still be
+read or write for normal I/O requests. Therefore such failed read-ahead
+request are not real hardware failure. Further more, after degrading and
+recovering accomplished, read-ahead requests will be handled by md raid
+array again.
+
+For such condition, I/O failures of read-ahead requests don't indicate
+real health status (because normal I/O still be served), they should not
+be counted into I/O error counter dc->io_errors.
+
+Since there is no simple way to detect whether the backing divice is a
+md raid device, this patch simply ignores I/O failures for read-ahead
+bios on backing device, to avoid bogus backing device failure on a
+degrading md raid array.
+
+Suggested-and-tested-by: Thorsten Knabe <linux@thorsten-knabe.de>
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/io.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/md/bcache/io.c
++++ b/drivers/md/bcache/io.c
+@@ -58,6 +58,18 @@ void bch_count_backing_io_errors(struct
+
+ WARN_ONCE(!dc, "NULL pointer of struct cached_dev");
+
++ /*
++ * Read-ahead requests on a degrading and recovering md raid
++ * (e.g. raid6) device might be failured immediately by md
++ * raid code, which is not a real hardware media failure. So
++ * we shouldn't count failed REQ_RAHEAD bio to dc->io_errors.
++ */
++ if (bio->bi_opf & REQ_RAHEAD) {
++ pr_warn_ratelimited("%s: Read-ahead I/O failed on backing device, ignore",
++ dc->backing_dev_name);
++ return;
++ }
++
+ errors = atomic_add_return(1, &dc->io_errors);
+ if (errors < dc->error_limit)
+ pr_err("%s: IO error on backing device, unrecoverable",
--- /dev/null
+From 249a5f6da57c28a903c75d81505d58ec8c10030d Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:54 +0800
+Subject: bcache: Revert "bcache: fix high CPU occupancy during journal"
+
+From: Coly Li <colyli@suse.de>
+
+commit 249a5f6da57c28a903c75d81505d58ec8c10030d upstream.
+
+This reverts commit c4dc2497d50d9c6fb16aa0d07b6a14f3b2adb1e0.
+
+This patch enlarges a race between normal btree flush code path and
+flush_btree_write(), which causes deadlock when journal space is
+exhausted. Reverts this patch makes the race window from 128 btree
+nodes to only 1 btree nodes.
+
+Fixes: c4dc2497d50d ("bcache: fix high CPU occupancy during journal")
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Cc: Tang Junhui <tang.junhui.linux@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/bcache.h | 2 -
+ drivers/md/bcache/journal.c | 47 ++++++++++++++------------------------------
+ drivers/md/bcache/util.h | 2 -
+ 3 files changed, 15 insertions(+), 36 deletions(-)
+
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -726,8 +726,6 @@ struct cache_set {
+
+ #define BUCKET_HASH_BITS 12
+ struct hlist_head bucket_hash[1 << BUCKET_HASH_BITS];
+-
+- DECLARE_HEAP(struct btree *, flush_btree);
+ };
+
+ struct bbio {
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -390,12 +390,6 @@ err:
+ }
+
+ /* Journalling */
+-#define journal_max_cmp(l, r) \
+- (fifo_idx(&c->journal.pin, btree_current_write(l)->journal) < \
+- fifo_idx(&(c)->journal.pin, btree_current_write(r)->journal))
+-#define journal_min_cmp(l, r) \
+- (fifo_idx(&c->journal.pin, btree_current_write(l)->journal) > \
+- fifo_idx(&(c)->journal.pin, btree_current_write(r)->journal))
+
+ static void btree_flush_write(struct cache_set *c)
+ {
+@@ -403,35 +397,25 @@ static void btree_flush_write(struct cac
+ * Try to find the btree node with that references the oldest journal
+ * entry, best is our current candidate and is locked if non NULL:
+ */
+- struct btree *b;
+- int i;
++ struct btree *b, *best;
++ unsigned int i;
+
+ atomic_long_inc(&c->flush_write);
+-
+ retry:
+- spin_lock(&c->journal.lock);
+- if (heap_empty(&c->flush_btree)) {
+- for_each_cached_btree(b, c, i)
+- if (btree_current_write(b)->journal) {
+- if (!heap_full(&c->flush_btree))
+- heap_add(&c->flush_btree, b,
+- journal_max_cmp);
+- else if (journal_max_cmp(b,
+- heap_peek(&c->flush_btree))) {
+- c->flush_btree.data[0] = b;
+- heap_sift(&c->flush_btree, 0,
+- journal_max_cmp);
+- }
+- }
+-
+- for (i = c->flush_btree.used / 2 - 1; i >= 0; --i)
+- heap_sift(&c->flush_btree, i, journal_min_cmp);
+- }
++ best = NULL;
+
+- b = NULL;
+- heap_pop(&c->flush_btree, b, journal_min_cmp);
+- spin_unlock(&c->journal.lock);
++ for_each_cached_btree(b, c, i)
++ if (btree_current_write(b)->journal) {
++ if (!best)
++ best = b;
++ else if (journal_pin_cmp(c,
++ btree_current_write(best)->journal,
++ btree_current_write(b)->journal)) {
++ best = b;
++ }
++ }
+
++ b = best;
+ if (b) {
+ mutex_lock(&b->write_lock);
+ if (!btree_current_write(b)->journal) {
+@@ -873,8 +857,7 @@ int bch_journal_alloc(struct cache_set *
+ j->w[0].c = c;
+ j->w[1].c = c;
+
+- if (!(init_heap(&c->flush_btree, 128, GFP_KERNEL)) ||
+- !(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) ||
++ if (!(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) ||
+ !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)) ||
+ !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)))
+ return -ENOMEM;
+--- a/drivers/md/bcache/util.h
++++ b/drivers/md/bcache/util.h
+@@ -113,8 +113,6 @@ do { \
+
+ #define heap_full(h) ((h)->used == (h)->size)
+
+-#define heap_empty(h) ((h)->used == 0)
+-
+ #define DECLARE_FIFO(type, name) \
+ struct { \
+ size_t front, back, size, mask; \
--- /dev/null
+From ba82c1ac1667d6efb91a268edb13fc9cdaecec9b Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:53 +0800
+Subject: bcache: Revert "bcache: free heap cache_set->flush_btree in bch_journal_free"
+
+From: Coly Li <colyli@suse.de>
+
+commit ba82c1ac1667d6efb91a268edb13fc9cdaecec9b upstream.
+
+This reverts commit 6268dc2c4703aabfb0b35681be709acf4c2826c6.
+
+This patch depends on commit c4dc2497d50d ("bcache: fix high CPU
+occupancy during journal") which is reverted in previous patch. So
+revert this one too.
+
+Fixes: 6268dc2c4703 ("bcache: free heap cache_set->flush_btree in bch_journal_free")
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Cc: Shenghui Wang <shhuiw@foxmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/journal.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -842,7 +842,6 @@ void bch_journal_free(struct cache_set *
+ free_pages((unsigned long) c->journal.w[1].data, JSET_BITS);
+ free_pages((unsigned long) c->journal.w[0].data, JSET_BITS);
+ free_fifo(&c->journal.pin);
+- free_heap(&c->flush_btree);
+ }
+
+ int bch_journal_alloc(struct cache_set *c)
--- /dev/null
+From 3e2725796cbdfe4efc7eb7b27cacaeac2ddad1a5 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Sat, 6 Jul 2019 06:43:08 +1000
+Subject: cifs: always add credits back for unsolicited PDUs
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 3e2725796cbdfe4efc7eb7b27cacaeac2ddad1a5 upstream.
+
+not just if CONFIG_CIFS_DEBUG2 is enabled.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1221,11 +1221,11 @@ next_pdu:
+ atomic_read(&midCount));
+ cifs_dump_mem("Received Data is: ", bufs[i],
+ HEADER_SIZE(server));
++ smb2_add_credits_from_hdr(bufs[i], server);
+ #ifdef CONFIG_CIFS_DEBUG2
+ if (server->ops->dump_detail)
+ server->ops->dump_detail(bufs[i],
+ server);
+- smb2_add_credits_from_hdr(bufs[i], server);
+ cifs_dump_mids(server);
+ #endif /* CIFS_DEBUG2 */
+ }
--- /dev/null
+From 88a92c913cef09e70b1744a8877d177aa6cb2189 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Tue, 16 Jul 2019 10:41:46 +1000
+Subject: cifs: fix crash in smb2_compound_op()/smb2_set_next_command()
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 88a92c913cef09e70b1744a8877d177aa6cb2189 upstream.
+
+RHBZ: 1722704
+
+In low memory situations the various SMB2_*_init() functions can fail
+to allocate a request PDU and thus leave the request iovector as NULL.
+
+If we don't check the return code for failure we end up calling
+smb2_set_next_command() with a NULL iovector causing a crash when it tries
+to dereference it.
+
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2inode.c | 12 ++++++++++++
+ fs/cifs/smb2ops.c | 11 ++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2inode.c
++++ b/fs/cifs/smb2inode.c
+@@ -120,6 +120,8 @@ smb2_compound_op(const unsigned int xid,
+ SMB2_O_INFO_FILE, 0,
+ sizeof(struct smb2_file_all_info) +
+ PATH_MAX * 2, 0, NULL);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_query_info_compound_enter(xid, ses->Suid, tcon->tid,
+@@ -147,6 +149,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_DISPOSITION_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_rmdir_enter(xid, ses->Suid, tcon->tid, full_path);
+@@ -163,6 +167,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_END_OF_FILE_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_set_eof_enter(xid, ses->Suid, tcon->tid, full_path);
+@@ -180,6 +186,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_BASIC_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_set_info_compound_enter(xid, ses->Suid, tcon->tid,
+@@ -206,6 +214,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_RENAME_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_rename_enter(xid, ses->Suid, tcon->tid, full_path);
+@@ -231,6 +241,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_LINK_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_hardlink_enter(xid, ses->Suid, tcon->tid, full_path);
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2004,6 +2004,10 @@ smb2_set_related(struct smb_rqst *rqst)
+ struct smb2_sync_hdr *shdr;
+
+ shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base);
++ if (shdr == NULL) {
++ cifs_dbg(FYI, "shdr NULL in smb2_set_related\n");
++ return;
++ }
+ shdr->Flags |= SMB2_FLAGS_RELATED_OPERATIONS;
+ }
+
+@@ -2018,6 +2022,12 @@ smb2_set_next_command(struct cifs_tcon *
+ unsigned long len = smb_rqst_len(server, rqst);
+ int i, num_padding;
+
++ shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base);
++ if (shdr == NULL) {
++ cifs_dbg(FYI, "shdr NULL in smb2_set_next_command\n");
++ return;
++ }
++
+ /* SMB headers in a compound are 8 byte aligned. */
+
+ /* No padding needed */
+@@ -2057,7 +2067,6 @@ smb2_set_next_command(struct cifs_tcon *
+ }
+
+ finished:
+- shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base);
+ shdr->NextCommand = cpu_to_le32(len);
+ }
+
--- /dev/null
+From 7e5a70ad88b1e6f6d9b934b2efb41afff496820f Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Wed, 17 Jul 2019 12:46:28 +0200
+Subject: CIFS: fix deadlock in cached root handling
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit 7e5a70ad88b1e6f6d9b934b2efb41afff496820f upstream.
+
+Prevent deadlock between open_shroot() and
+cifs_mark_open_files_invalid() by releasing the lock before entering
+SMB2_open, taking it again after and checking if we still need to use
+the result.
+
+Link: https://lore.kernel.org/linux-cifs/684ed01c-cbca-2716-bc28-b0a59a0f8521@prodrive-technologies.com/T/#u
+Fixes: 3d4ef9a15343 ("smb3: fix redundant opens on root")
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 46 +++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -705,8 +705,51 @@ int open_shroot(unsigned int xid, struct
+
+ smb2_set_related(&rqst[1]);
+
++ /*
++ * We do not hold the lock for the open because in case
++ * SMB2_open needs to reconnect, it will end up calling
++ * cifs_mark_open_files_invalid() which takes the lock again
++ * thus causing a deadlock
++ */
++
++ mutex_unlock(&tcon->crfid.fid_mutex);
+ rc = compound_send_recv(xid, ses, flags, 2, rqst,
+ resp_buftype, rsp_iov);
++ mutex_lock(&tcon->crfid.fid_mutex);
++
++ /*
++ * Now we need to check again as the cached root might have
++ * been successfully re-opened from a concurrent process
++ */
++
++ if (tcon->crfid.is_valid) {
++ /* work was already done */
++
++ /* stash fids for close() later */
++ struct cifs_fid fid = {
++ .persistent_fid = pfid->persistent_fid,
++ .volatile_fid = pfid->volatile_fid,
++ };
++
++ /*
++ * caller expects this func to set pfid to a valid
++ * cached root, so we copy the existing one and get a
++ * reference.
++ */
++ memcpy(pfid, tcon->crfid.fid, sizeof(*pfid));
++ kref_get(&tcon->crfid.refcount);
++
++ mutex_unlock(&tcon->crfid.fid_mutex);
++
++ if (rc == 0) {
++ /* close extra handle outside of crit sec */
++ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
++ }
++ goto oshr_free;
++ }
++
++ /* Cached root is still invalid, continue normaly */
++
+ if (rc)
+ goto oshr_exit;
+
+@@ -740,8 +783,9 @@ int open_shroot(unsigned int xid, struct
+ (char *)&tcon->crfid.file_all_info))
+ tcon->crfid.file_all_info_is_valid = 1;
+
+- oshr_exit:
++oshr_exit:
+ mutex_unlock(&tcon->crfid.fid_mutex);
++oshr_free:
+ SMB2_open_free(&rqst[0]);
+ SMB2_query_info_free(&rqst[1]);
+ free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
--- /dev/null
+From aa081859b10c5d8b19f5c525c78883a59d73c2b8 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Fri, 19 Jul 2019 08:12:11 +1000
+Subject: cifs: flush before set-info if we have writeable handles
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit aa081859b10c5d8b19f5c525c78883a59d73c2b8 upstream.
+
+Servers can defer destaging any data and updating the mtime until close().
+This means that if we do a setinfo to modify the mtime while other handles
+are open for write the server may overwrite our setinfo timestamps when
+if flushes the file on close() of the writeable handle.
+
+To solve this we add an explicit flush when the mtime is about to
+be updated.
+
+This fixes "cp -p" to preserve mtime when copying a file onto an SMB2 share.
+
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2371,6 +2371,8 @@ cifs_setattr_nounix(struct dentry *diren
+ struct inode *inode = d_inode(direntry);
+ struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+ struct cifsInodeInfo *cifsInode = CIFS_I(inode);
++ struct cifsFileInfo *wfile;
++ struct cifs_tcon *tcon;
+ char *full_path = NULL;
+ int rc = -EACCES;
+ __u32 dosattr = 0;
+@@ -2417,6 +2419,20 @@ cifs_setattr_nounix(struct dentry *diren
+ mapping_set_error(inode->i_mapping, rc);
+ rc = 0;
+
++ if (attrs->ia_valid & ATTR_MTIME) {
++ rc = cifs_get_writable_file(cifsInode, false, &wfile);
++ if (!rc) {
++ tcon = tlink_tcon(wfile->tlink);
++ rc = tcon->ses->server->ops->flush(xid, tcon, &wfile->fid);
++ cifsFileInfo_put(wfile);
++ if (rc)
++ return rc;
++ } else if (rc != -EBADF)
++ return rc;
++ else
++ rc = 0;
++ }
++
+ if (attrs->ia_valid & ATTR_SIZE) {
+ rc = cifs_set_file_size(inode, attrs, xid, full_path);
+ if (rc != 0)
--- /dev/null
+From 29fbeb7a908a60a5ae8c50fbe171cb8fdcef1980 Mon Sep 17 00:00:00 2001
+From: "Paulo Alcantara (SUSE)" <paulo@paulo.ac>
+Date: Tue, 18 Jun 2019 16:16:02 -0300
+Subject: cifs: Properly handle auto disabling of serverino option
+
+From: Paulo Alcantara (SUSE) <paulo@paulo.ac>
+
+commit 29fbeb7a908a60a5ae8c50fbe171cb8fdcef1980 upstream.
+
+Fix mount options comparison when serverino option is turned off later
+in cifs_autodisable_serverino() and thus avoiding mismatch of new cifs
+mounts.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <paulo@paulo.ac>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilove@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_fs_sb.h | 5 +++++
+ fs/cifs/connect.c | 8 ++++++--
+ fs/cifs/misc.c | 1 +
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifs_fs_sb.h
++++ b/fs/cifs/cifs_fs_sb.h
+@@ -83,5 +83,10 @@ struct cifs_sb_info {
+ * failover properly.
+ */
+ char *origin_fullpath; /* \\HOST\SHARE\[OPTIONAL PATH] */
++ /*
++ * Indicate whether serverino option was turned off later
++ * (cifs_autodisable_serverino) in order to match new mounts.
++ */
++ bool mnt_cifs_serverino_autodisabled;
+ };
+ #endif /* _CIFS_FS_SB_H */
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3455,12 +3455,16 @@ compare_mount_options(struct super_block
+ {
+ struct cifs_sb_info *old = CIFS_SB(sb);
+ struct cifs_sb_info *new = mnt_data->cifs_sb;
++ unsigned int oldflags = old->mnt_cifs_flags & CIFS_MOUNT_MASK;
++ unsigned int newflags = new->mnt_cifs_flags & CIFS_MOUNT_MASK;
+
+ if ((sb->s_flags & CIFS_MS_MASK) != (mnt_data->flags & CIFS_MS_MASK))
+ return 0;
+
+- if ((old->mnt_cifs_flags & CIFS_MOUNT_MASK) !=
+- (new->mnt_cifs_flags & CIFS_MOUNT_MASK))
++ if (old->mnt_cifs_serverino_autodisabled)
++ newflags &= ~CIFS_MOUNT_SERVER_INUM;
++
++ if (oldflags != newflags)
+ return 0;
+
+ /*
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -539,6 +539,7 @@ cifs_autodisable_serverino(struct cifs_s
+ tcon = cifs_sb_master_tcon(cifs_sb);
+
+ cifs_sb->mnt_cifs_flags &= ~CIFS_MOUNT_SERVER_INUM;
++ cifs_sb->mnt_cifs_serverino_autodisabled = true;
+ cifs_dbg(VFS, "Autodisabling the use of server inode numbers on %s.\n",
+ tcon ? tcon->treeName : "new server");
+ cifs_dbg(VFS, "The server doesn't seem to support them properly or the files might be on different servers (DFS).\n");
--- /dev/null
+From 7e4935ccc3236751e5fe4bd6846f86e46bb2e427 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 15 Jul 2019 10:00:58 -0700
+Subject: Input: alps - don't handle ALPS cs19 trackpoint-only device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 7e4935ccc3236751e5fe4bd6846f86e46bb2e427 upstream.
+
+On a latest Lenovo laptop, the trackpoint and 3 buttons below it
+don't work at all, when we move the trackpoint or press those 3
+buttons, the kernel will print out:
+"Rejected trackstick packet from non DualPoint device"
+
+This device is identified as an alps touchpad but the packet has
+trackpoint format, so the alps.c drops the packet and prints out
+the message above.
+
+According to XiaoXiao's explanation, this device is named cs19 and
+is trackpoint-only device, its firmware is only for trackpoint, it
+is independent of touchpad and is a device completely different from
+DualPoint ones.
+
+To drive this device with mininal changes to the existing driver, we
+just let the alps driver not handle this device, then the trackpoint.c
+will be the driver of this device if the trackpoint driver is enabled.
+(if not, this device will fallback to a bare PS/2 device)
+
+With the trackpoint.c, this trackpoint and 3 buttons all work well,
+they have all features that the trackpoint should have, like
+scrolling-screen, drag-and-drop and frame-selection.
+
+Signed-off-by: XiaoXiao Liu <sliuuxiaonxiao@gmail.com>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/alps.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -24,6 +24,7 @@
+
+ #include "psmouse.h"
+ #include "alps.h"
++#include "trackpoint.h"
+
+ /*
+ * Definitions for ALPS version 3 and 4 command mode protocol
+@@ -2864,6 +2865,23 @@ static const struct alps_protocol_info *
+ return NULL;
+ }
+
++static bool alps_is_cs19_trackpoint(struct psmouse *psmouse)
++{
++ u8 param[2] = { 0 };
++
++ if (ps2_command(&psmouse->ps2dev,
++ param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
++ return false;
++
++ /*
++ * param[0] contains the trackpoint device variant_id while
++ * param[1] contains the firmware_id. So far all alps
++ * trackpoint-only devices have their variant_ids equal
++ * TP_VARIANT_ALPS and their firmware_ids are in 0x20~0x2f range.
++ */
++ return param[0] == TP_VARIANT_ALPS && (param[1] & 0x20);
++}
++
+ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
+ {
+ const struct alps_protocol_info *protocol;
+@@ -3165,6 +3183,20 @@ int alps_detect(struct psmouse *psmouse,
+ return error;
+
+ /*
++ * ALPS cs19 is a trackpoint-only device, and uses different
++ * protocol than DualPoint ones, so we return -EINVAL here and let
++ * trackpoint.c drive this device. If the trackpoint driver is not
++ * enabled, the device will fall back to a bare PS/2 mouse.
++ * If ps2_command() fails here, we depend on the immediately
++ * followed psmouse_reset() to reset the device to normal state.
++ */
++ if (alps_is_cs19_trackpoint(psmouse)) {
++ psmouse_dbg(psmouse,
++ "ALPS CS19 trackpoint-only device detected, ignoring\n");
++ return -EINVAL;
++ }
++
++ /*
+ * Reset the device to make sure it is fully operational:
+ * on some laptops, like certain Dell Latitudes, we may
+ * fail to properly detect presence of trackstick if device
--- /dev/null
+From 771a081e44a9baa1991ef011cc453ef425591740 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Fri, 19 Jul 2019 12:38:58 +0300
+Subject: Input: alps - fix a mismatch between a condition check and its comment
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 771a081e44a9baa1991ef011cc453ef425591740 upstream.
+
+In the function alps_is_cs19_trackpoint(), we check if the param[1] is
+in the 0x20~0x2f range, but the code we wrote for this checking is not
+correct:
+(param[1] & 0x20) does not mean param[1] is in the range of 0x20~0x2f,
+it also means the param[1] is in the range of 0x30~0x3f, 0x60~0x6f...
+
+Now fix it with a new condition checking ((param[1] & 0xf0) == 0x20).
+
+Fixes: 7e4935ccc323 ("Input: alps - don't handle ALPS cs19 trackpoint-only device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/alps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -2879,7 +2879,7 @@ static bool alps_is_cs19_trackpoint(stru
+ * trackpoint-only devices have their variant_ids equal
+ * TP_VARIANT_ALPS and their firmware_ids are in 0x20~0x2f range.
+ */
+- return param[0] == TP_VARIANT_ALPS && (param[1] & 0x20);
++ return param[0] == TP_VARIANT_ALPS && ((param[1] & 0xf0) == 0x20);
+ }
+
+ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
--- /dev/null
+From 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 Mon Sep 17 00:00:00 2001
+From: Grant Hernandez <granthernandez@google.com>
+Date: Sat, 13 Jul 2019 01:00:12 -0700
+Subject: Input: gtco - bounds check collection indent level
+
+From: Grant Hernandez <granthernandez@google.com>
+
+commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream.
+
+The GTCO tablet input driver configures itself from an HID report sent
+via USB during the initial enumeration process. Some debugging messages
+are generated during the parsing. A debugging message indentation
+counter is not bounds checked, leading to the ability for a specially
+crafted HID report to cause '-' and null bytes be written past the end
+of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
+enabled, this code will not be optimized out. This was discovered
+during code review after a previous syzkaller bug was found in this
+driver.
+
+Signed-off-by: Grant Hernandez <granthernandez@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/gtco.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
+
+ /* Max size of a single report */
+ #define REPORT_MAX_SIZE 10
++#define MAX_COLLECTION_LEVELS 10
+
+
+ /* Bitmask whether pen is in range */
+@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(
+ char maintype = 'x';
+ char globtype[12];
+ int indent = 0;
+- char indentstr[10] = "";
+-
++ char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };
+
+ dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
+
+@@ -350,6 +350,13 @@ static void parse_hid_report_descriptor(
+ case TAG_MAIN_COL_START:
+ maintype = 'S';
+
++ if (indent == MAX_COLLECTION_LEVELS) {
++ dev_err(ddev, "Collection level %d would exceed limit of %d\n",
++ indent + 1,
++ MAX_COLLECTION_LEVELS);
++ break;
++ }
++
+ if (data == 0) {
+ dev_dbg(ddev, "======>>>>>> Physical\n");
+ strcpy(globtype, "Physical");
+@@ -369,8 +376,15 @@ static void parse_hid_report_descriptor(
+ break;
+
+ case TAG_MAIN_COL_END:
+- dev_dbg(ddev, "<<<<<<======\n");
+ maintype = 'E';
++
++ if (indent == 0) {
++ dev_err(ddev, "Collection level already at zero\n");
++ break;
++ }
++
++ dev_dbg(ddev, "<<<<<<======\n");
++
+ indent--;
+ for (x = 0; x < indent; x++)
+ indentstr[x] = '-';
--- /dev/null
+From 1976d7d200c5a32e72293a2ada36b7b7c9d6dd6e Mon Sep 17 00:00:00 2001
+From: Nick Black <dankamongmen@gmail.com>
+Date: Thu, 11 Jul 2019 23:42:03 -0700
+Subject: Input: synaptics - whitelist Lenovo T580 SMBus intertouch
+
+From: Nick Black <dankamongmen@gmail.com>
+
+commit 1976d7d200c5a32e72293a2ada36b7b7c9d6dd6e upstream.
+
+Adds the Lenovo T580 to the SMBus intertouch list for Synaptics
+touchpads. I've tested with this for a week now, and it seems a great
+improvement. It's also nice to have the complaint gone from dmesg.
+
+Signed-off-by: Nick Black <dankamongmen@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -179,6 +179,7 @@ static const char * const smbus_pnp_ids[
+ "LEN0093", /* T480 */
+ "LEN0096", /* X280 */
+ "LEN0097", /* X280 -> ALPS trackpoint */
++ "LEN009b", /* T580 */
+ "LEN200f", /* T450s */
+ "LEN2054", /* E480 */
+ "LEN2055", /* E580 */
--- /dev/null
+From 498d3eb5bfbb2e05e40005152976a7b9eadfb59c Mon Sep 17 00:00:00 2001
+From: Oren Givon <oren.givon@intel.com>
+Date: Thu, 20 Jun 2019 11:46:23 +0300
+Subject: iwlwifi: add support for hr1 RF ID
+
+From: Oren Givon <oren.givon@intel.com>
+
+commit 498d3eb5bfbb2e05e40005152976a7b9eadfb59c upstream.
+
+The 22000 series FW that was meant to be used with hr is
+also the FW that is used for hr1 and has a different RF ID.
+Add support to load the hr FW when hr1 RF ID is detected.
+
+Cc: stable@vger.kernel.org # 5.1+
+Signed-off-by: Oren Givon <oren.givon@intel.com>
+Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-csr.h | 1 +
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-csr.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-csr.h
+@@ -335,6 +335,7 @@ enum {
+ /* RF_ID value */
+ #define CSR_HW_RF_ID_TYPE_JF (0x00105100)
+ #define CSR_HW_RF_ID_TYPE_HR (0x0010A000)
++#define CSR_HW_RF_ID_TYPE_HR1 (0x0010c100)
+ #define CSR_HW_RF_ID_TYPE_HRCDB (0x00109F00)
+ #define CSR_HW_RF_ID_TYPE_GF (0x0010D000)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -3562,9 +3562,11 @@ struct iwl_trans *iwl_trans_pcie_alloc(s
+ trans->cfg = &iwlax210_2ax_cfg_so_gf_a0;
+ }
+ } else if (cfg == &iwl_ax101_cfg_qu_hr) {
+- if (CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
+- CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR) &&
+- trans->hw_rev == CSR_HW_REV_TYPE_QNJ_B0) {
++ if ((CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
++ CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR) &&
++ trans->hw_rev == CSR_HW_REV_TYPE_QNJ_B0) ||
++ (CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
++ CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR1))) {
+ trans->cfg = &iwl22000_2ax_cfg_qnj_hr_b0;
+ } else if (CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
+ CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR)) {
--- /dev/null
+From 0d53cfd0cca3c729a089c39eef0e7d8ae7662974 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 22 May 2019 12:17:09 +0300
+Subject: iwlwifi: don't WARN when calling iwl_get_shared_mem_conf with RF-Kill
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 0d53cfd0cca3c729a089c39eef0e7d8ae7662974 upstream.
+
+iwl_mvm_send_cmd returns 0 when the command won't be sent
+because RF-Kill is asserted. Do the same when we call
+iwl_get_shared_mem_conf since it is not sent through
+iwl_mvm_send_cmd but directly calls the transport layer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/fw/smem.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/smem.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/smem.c
+@@ -8,7 +8,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright(c) 2018 Intel Corporation
++ * Copyright(c) 2018 - 2019 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -31,7 +31,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright(c) 2018 Intel Corporation
++ * Copyright(c) 2018 - 2019 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -134,6 +134,7 @@ void iwl_get_shared_mem_conf(struct iwl_
+ .len = { 0, },
+ };
+ struct iwl_rx_packet *pkt;
++ int ret;
+
+ if (fw_has_capa(&fwrt->fw->ucode_capa,
+ IWL_UCODE_TLV_CAPA_EXTEND_SHARED_MEM_CFG))
+@@ -141,8 +142,13 @@ void iwl_get_shared_mem_conf(struct iwl_
+ else
+ cmd.id = SHARED_MEM_CFG;
+
+- if (WARN_ON(iwl_trans_send_cmd(fwrt->trans, &cmd)))
++ ret = iwl_trans_send_cmd(fwrt->trans, &cmd);
++
++ if (ret) {
++ WARN(ret != -ERFKILL,
++ "Could not send the SMEM command: %d\n", ret);
+ return;
++ }
+
+ pkt = cmd.resp_pkt;
+ if (fwrt->trans->cfg->device_family >= IWL_DEVICE_FAMILY_22000)
--- /dev/null
+From ed3e4c6d3cd8f093a3636cb05492429fe2af228d Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 20 May 2019 15:18:24 +0300
+Subject: iwlwifi: fix RF-Kill interrupt while FW load for gen2 devices
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit ed3e4c6d3cd8f093a3636cb05492429fe2af228d upstream.
+
+Newest devices have a new firmware load mechanism. This
+mechanism is called the context info. It means that the
+driver doesn't need to load the sections of the firmware.
+The driver rather prepares a place in DRAM, with pointers
+to the relevant sections of the firmware, and the firmware
+loads itself.
+At the end of the process, the firmware sends the ALIVE
+interrupt. This is different from the previous scheme in
+which the driver expected the FH_TX interrupt after each
+section being transferred over the DMA.
+
+In order to support this new flow, we enabled all the
+interrupts. This broke the assumption that we have in the
+code that the RF-Kill interrupt can't interrupt the firmware
+load flow.
+
+Change the context info flow to enable only the ALIVE
+interrupt, and re-enable all the other interrupts only
+after the firmware is alive. Then, we won't see the RF-Kill
+interrupt until then. Getting the RF-Kill interrupt while
+loading the firmware made us kill the firmware while it is
+loading and we ended up dumping garbage instead of the firmware
+state.
+
+Re-enable the ALIVE | RX interrupts from the ISR when we
+get the ALIVE interrupt to be able to get the RX interrupt
+that comes immediately afterwards for the ALIVE
+notification. This is needed for non MSI-X only.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c | 2 -
+ drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info.c | 2 -
+ drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 27 +++++++++++++++
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 5 ++
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 9 +++++
+ 5 files changed, 43 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
+@@ -168,7 +168,7 @@ int iwl_pcie_ctxt_info_gen3_init(struct
+
+ memcpy(iml_img, trans->iml, trans->iml_len);
+
+- iwl_enable_interrupts(trans);
++ iwl_enable_fw_load_int_ctx_info(trans);
+
+ /* kick FW self load */
+ iwl_write64(trans, CSR_CTXT_INFO_ADDR,
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info.c
+@@ -222,7 +222,7 @@ int iwl_pcie_ctxt_info_init(struct iwl_t
+
+ trans_pcie->ctxt_info = ctxt_info;
+
+- iwl_enable_interrupts(trans);
++ iwl_enable_fw_load_int_ctx_info(trans);
+
+ /* Configure debug, if exists */
+ if (iwl_pcie_dbg_on(trans))
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+@@ -894,6 +894,33 @@ static inline void iwl_enable_fw_load_in
+ }
+ }
+
++static inline void iwl_enable_fw_load_int_ctx_info(struct iwl_trans *trans)
++{
++ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
++
++ IWL_DEBUG_ISR(trans, "Enabling ALIVE interrupt only\n");
++
++ if (!trans_pcie->msix_enabled) {
++ /*
++ * When we'll receive the ALIVE interrupt, the ISR will call
++ * iwl_enable_fw_load_int_ctx_info again to set the ALIVE
++ * interrupt (which is not really needed anymore) but also the
++ * RX interrupt which will allow us to receive the ALIVE
++ * notification (which is Rx) and continue the flow.
++ */
++ trans_pcie->inta_mask = CSR_INT_BIT_ALIVE | CSR_INT_BIT_FH_RX;
++ iwl_write32(trans, CSR_INT_MASK, trans_pcie->inta_mask);
++ } else {
++ iwl_enable_hw_int_msk_msix(trans,
++ MSIX_HW_INT_CAUSES_REG_ALIVE);
++ /*
++ * Leave all the FH causes enabled to get the ALIVE
++ * notification.
++ */
++ iwl_enable_fh_int_msk_msix(trans, trans_pcie->fh_init_mask);
++ }
++}
++
+ static inline u16 iwl_pcie_get_cmd_index(const struct iwl_txq *q, u32 index)
+ {
+ return index & (q->n_window - 1);
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -1850,6 +1850,8 @@ irqreturn_t iwl_pcie_irq_handler(int irq
+ */
+ iwl_pcie_rxmq_restock(trans, trans_pcie->rxq);
+ }
++
++ handled |= CSR_INT_BIT_ALIVE;
+ }
+
+ /* Safely ignore these bits for debug checks below */
+@@ -1968,6 +1970,9 @@ irqreturn_t iwl_pcie_irq_handler(int irq
+ /* Re-enable RF_KILL if it occurred */
+ else if (handled & CSR_INT_BIT_RF_KILL)
+ iwl_enable_rfkill_int(trans);
++ /* Re-enable the ALIVE / Rx interrupt if it occurred */
++ else if (handled & (CSR_INT_BIT_ALIVE | CSR_INT_BIT_FH_RX))
++ iwl_enable_fw_load_int_ctx_info(trans);
+ spin_unlock(&trans_pcie->irq_lock);
+
+ out:
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -272,6 +272,15 @@ void iwl_trans_pcie_gen2_fw_alive(struct
+ * paging memory cannot be freed included since FW will still use it
+ */
+ iwl_pcie_ctxt_info_free(trans);
++
++ /*
++ * Re-enable all the interrupts, including the RF-Kill one, now that
++ * the firmware is alive.
++ */
++ iwl_enable_interrupts(trans);
++ mutex_lock(&trans_pcie->mutex);
++ iwl_pcie_check_hw_rf_kill(trans);
++ mutex_unlock(&trans_pcie->mutex);
+ }
+
+ int iwl_trans_pcie_gen2_start_fw(struct iwl_trans *trans,
--- /dev/null
+From 940225628652b340b2bfe99f42f3d2db9fd9ce6c Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 22 May 2019 12:22:35 +0300
+Subject: iwlwifi: mvm: clear rfkill_safe_init_done when we start the firmware
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 940225628652b340b2bfe99f42f3d2db9fd9ce6c upstream.
+
+Otherwise it'll stay set forever which is clearly buggy.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -419,6 +419,8 @@ static int iwl_run_unified_mvm_ucode(str
+
+ lockdep_assert_held(&mvm->mutex);
+
++ mvm->rfkill_safe_init_done = false;
++
+ iwl_init_notification_wait(&mvm->notif_wait,
+ &init_wait,
+ init_complete,
+@@ -537,8 +539,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mv
+
+ lockdep_assert_held(&mvm->mutex);
+
+- if (WARN_ON_ONCE(mvm->rfkill_safe_init_done))
+- return 0;
++ mvm->rfkill_safe_init_done = false;
+
+ iwl_init_notification_wait(&mvm->notif_wait,
+ &calib_wait,
+@@ -1108,10 +1109,13 @@ static int iwl_mvm_load_rt_fw(struct iwl
+
+ iwl_fw_dbg_apply_point(&mvm->fwrt, IWL_FW_INI_APPLY_EARLY);
+
++ mvm->rfkill_safe_init_done = false;
+ ret = iwl_mvm_load_ucode_wait_alive(mvm, IWL_UCODE_REGULAR);
+ if (ret)
+ return ret;
+
++ mvm->rfkill_safe_init_done = true;
++
+ iwl_fw_dbg_apply_point(&mvm->fwrt, IWL_FW_INI_APPLY_AFTER_ALIVE);
+
+ return iwl_init_paging(&mvm->fwrt, mvm->fwrt.cur_fw_img);
--- /dev/null
+From c56e00a3feaee2b46b7d33875fb7f52efd30241f Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 20 May 2019 14:49:56 +0200
+Subject: iwlwifi: mvm: delay GTK setting in FW in AP mode
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c56e00a3feaee2b46b7d33875fb7f52efd30241f upstream.
+
+In AP (and IBSS) mode, we can only set GTKs to firmware after we have
+sent down the multicast station, but this we can only do after we've
+enabled beaconing, etc.
+
+However, during rfkill exit, hostapd will configure the keys before
+starting the AP, and cfg80211/mac80211 accept it happily.
+
+On earlier devices, this didn't bother us as GTK TX wasn't really
+handled in firmware, we just put the key material into the TX cmd
+and thus it only mattered when we actually transmitted a frame.
+
+On newer devices, however, the firmware needs to track all of this
+and that doesn't work if we add the key before the (multicast) sta
+it belongs to.
+
+To fix this, keep a list of keys to add during AP enable, and call
+the function there.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 53 +++++++++++++++++++++-
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 3 +
+ 2 files changed, 54 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -207,6 +207,12 @@ static const struct cfg80211_pmsr_capabi
+ },
+ };
+
++static int iwl_mvm_mac_set_key(struct ieee80211_hw *hw,
++ enum set_key_cmd cmd,
++ struct ieee80211_vif *vif,
++ struct ieee80211_sta *sta,
++ struct ieee80211_key_conf *key);
++
+ void iwl_mvm_ref(struct iwl_mvm *mvm, enum iwl_mvm_ref_type ref_type)
+ {
+ if (!iwl_mvm_is_d0i3_supported(mvm))
+@@ -2535,7 +2541,7 @@ static int iwl_mvm_start_ap_ibss(struct
+ {
+ struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+- int ret;
++ int ret, i;
+
+ /*
+ * iwl_mvm_mac_ctxt_add() might read directly from the device
+@@ -2609,6 +2615,20 @@ static int iwl_mvm_start_ap_ibss(struct
+ /* must be set before quota calculations */
+ mvmvif->ap_ibss_active = true;
+
++ /* send all the early keys to the device now */
++ for (i = 0; i < ARRAY_SIZE(mvmvif->ap_early_keys); i++) {
++ struct ieee80211_key_conf *key = mvmvif->ap_early_keys[i];
++
++ if (!key)
++ continue;
++
++ mvmvif->ap_early_keys[i] = NULL;
++
++ ret = iwl_mvm_mac_set_key(hw, SET_KEY, vif, NULL, key);
++ if (ret)
++ goto out_quota_failed;
++ }
++
+ if (vif->type == NL80211_IFTYPE_AP && !vif->p2p) {
+ iwl_mvm_vif_set_low_latency(mvmvif, true,
+ LOW_LATENCY_VIF_TYPE);
+@@ -3378,11 +3398,12 @@ static int iwl_mvm_mac_set_key(struct ie
+ struct ieee80211_sta *sta,
+ struct ieee80211_key_conf *key)
+ {
++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+ struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+ struct iwl_mvm_sta *mvmsta;
+ struct iwl_mvm_key_pn *ptk_pn;
+ int keyidx = key->keyidx;
+- int ret;
++ int ret, i;
+ u8 key_offset;
+
+ if (iwlwifi_mod_params.swcrypto) {
+@@ -3455,6 +3476,22 @@ static int iwl_mvm_mac_set_key(struct ie
+ key->hw_key_idx = STA_KEY_IDX_INVALID;
+ break;
+ }
++
++ if (!mvmvif->ap_ibss_active) {
++ for (i = 0;
++ i < ARRAY_SIZE(mvmvif->ap_early_keys);
++ i++) {
++ if (!mvmvif->ap_early_keys[i]) {
++ mvmvif->ap_early_keys[i] = key;
++ break;
++ }
++ }
++
++ if (i >= ARRAY_SIZE(mvmvif->ap_early_keys))
++ ret = -ENOSPC;
++
++ break;
++ }
+ }
+
+ /* During FW restart, in order to restore the state as it was,
+@@ -3523,6 +3560,18 @@ static int iwl_mvm_mac_set_key(struct ie
+
+ break;
+ case DISABLE_KEY:
++ ret = -ENOENT;
++ for (i = 0; i < ARRAY_SIZE(mvmvif->ap_early_keys); i++) {
++ if (mvmvif->ap_early_keys[i] == key) {
++ mvmvif->ap_early_keys[i] = NULL;
++ ret = 0;
++ }
++ }
++
++ /* found in pending list - don't do anything else */
++ if (ret == 0)
++ break;
++
+ if (key->hw_key_idx == STA_KEY_IDX_INVALID) {
+ ret = 0;
+ break;
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -498,6 +498,9 @@ struct iwl_mvm_vif {
+ netdev_features_t features;
+
+ struct iwl_probe_resp_data __rcu *probe_resp_data;
++
++ /* we can only have 2 GTK + 2 IGTK active at a time */
++ struct ieee80211_key_conf *ap_early_keys[4];
+ };
+
+ static inline struct iwl_mvm_vif *
--- /dev/null
+From 3b57a10ca14c619707398dc58fe5ece18c95b20b Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Tue, 21 May 2019 15:10:38 +0300
+Subject: iwlwifi: pcie: don't service an interrupt that was masked
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 3b57a10ca14c619707398dc58fe5ece18c95b20b upstream.
+
+Sometimes the register status can include interrupts that
+were masked. We can, for example, get the RF-Kill bit set
+in the interrupt status register although this interrupt
+was masked. Then if we get the ALIVE interrupt (for example)
+that was not masked, we need to *not* service the RF-Kill
+interrupt.
+Fix this in the MSI-X interrupt handler.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -2113,10 +2113,18 @@ irqreturn_t iwl_pcie_irq_msix_handler(in
+ return IRQ_NONE;
+ }
+
+- if (iwl_have_debug_level(IWL_DL_ISR))
+- IWL_DEBUG_ISR(trans, "ISR inta_fh 0x%08x, enabled 0x%08x\n",
+- inta_fh,
++ if (iwl_have_debug_level(IWL_DL_ISR)) {
++ IWL_DEBUG_ISR(trans,
++ "ISR inta_fh 0x%08x, enabled (sw) 0x%08x (hw) 0x%08x\n",
++ inta_fh, trans_pcie->fh_mask,
+ iwl_read32(trans, CSR_MSIX_FH_INT_MASK_AD));
++ if (inta_fh & ~trans_pcie->fh_mask)
++ IWL_DEBUG_ISR(trans,
++ "We got a masked interrupt (0x%08x)\n",
++ inta_fh & ~trans_pcie->fh_mask);
++ }
++
++ inta_fh &= trans_pcie->fh_mask;
+
+ if ((trans_pcie->shared_vec_mask & IWL_SHARED_IRQ_NON_RX) &&
+ inta_fh & MSIX_FH_INT_CAUSES_Q0) {
+@@ -2156,11 +2164,18 @@ irqreturn_t iwl_pcie_irq_msix_handler(in
+ }
+
+ /* After checking FH register check HW register */
+- if (iwl_have_debug_level(IWL_DL_ISR))
++ if (iwl_have_debug_level(IWL_DL_ISR)) {
+ IWL_DEBUG_ISR(trans,
+- "ISR inta_hw 0x%08x, enabled 0x%08x\n",
+- inta_hw,
++ "ISR inta_hw 0x%08x, enabled (sw) 0x%08x (hw) 0x%08x\n",
++ inta_hw, trans_pcie->hw_mask,
+ iwl_read32(trans, CSR_MSIX_HW_INT_MASK_AD));
++ if (inta_hw & ~trans_pcie->hw_mask)
++ IWL_DEBUG_ISR(trans,
++ "We got a masked interrupt 0x%08x\n",
++ inta_hw & ~trans_pcie->hw_mask);
++ }
++
++ inta_hw &= trans_pcie->hw_mask;
+
+ /* Alive notification via Rx interrupt will do the real work */
+ if (inta_hw & MSIX_HW_INT_CAUSES_REG_ALIVE) {
--- /dev/null
+From ec46ae30245ecb41d73f8254613db07c653fb498 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Tue, 21 May 2019 15:03:21 +0300
+Subject: iwlwifi: pcie: fix ALIVE interrupt handling for gen2 devices w/o MSI-X
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit ec46ae30245ecb41d73f8254613db07c653fb498 upstream.
+
+We added code to restock the buffer upon ALIVE interrupt
+when MSI-X is disabled. This was added as part of the context
+info code. This code was added only if the ISR debug level
+is set which is very unlikely to be related.
+Move this code to run even when the ISR debug level is not
+set.
+
+Note that gen2 devices work with MSI-X in most cases so that
+this path is seldom used.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 34 ++++++++++++---------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -1832,25 +1832,23 @@ irqreturn_t iwl_pcie_irq_handler(int irq
+ goto out;
+ }
+
+- if (iwl_have_debug_level(IWL_DL_ISR)) {
+- /* NIC fires this, but we don't use it, redundant with WAKEUP */
+- if (inta & CSR_INT_BIT_SCD) {
+- IWL_DEBUG_ISR(trans,
+- "Scheduler finished to transmit the frame/frames.\n");
+- isr_stats->sch++;
+- }
++ /* NIC fires this, but we don't use it, redundant with WAKEUP */
++ if (inta & CSR_INT_BIT_SCD) {
++ IWL_DEBUG_ISR(trans,
++ "Scheduler finished to transmit the frame/frames.\n");
++ isr_stats->sch++;
++ }
+
+- /* Alive notification via Rx interrupt will do the real work */
+- if (inta & CSR_INT_BIT_ALIVE) {
+- IWL_DEBUG_ISR(trans, "Alive interrupt\n");
+- isr_stats->alive++;
+- if (trans->cfg->gen2) {
+- /*
+- * We can restock, since firmware configured
+- * the RFH
+- */
+- iwl_pcie_rxmq_restock(trans, trans_pcie->rxq);
+- }
++ /* Alive notification via Rx interrupt will do the real work */
++ if (inta & CSR_INT_BIT_ALIVE) {
++ IWL_DEBUG_ISR(trans, "Alive interrupt\n");
++ isr_stats->alive++;
++ if (trans->cfg->gen2) {
++ /*
++ * We can restock, since firmware configured
++ * the RFH
++ */
++ iwl_pcie_rxmq_restock(trans, trans_pcie->rxq);
+ }
+ }
+
--- /dev/null
+From 560d1bcad715c215e7ffe5d7cffe045974b623d0 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sun, 23 Jun 2019 20:50:53 +0300
+Subject: opp: Don't use IS_ERR on invalid supplies
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 560d1bcad715c215e7ffe5d7cffe045974b623d0 upstream.
+
+_set_opp_custom() receives a set of OPP supplies as its arguments and
+the caller of it passes NULL when the supplies are not valid. But
+_set_opp_custom(), by mistake, checks for error by performing
+IS_ERR(old_supply) on it which will always evaluate to false.
+
+The problem was spotted during of testing of upcoming update for the
+NVIDIA Tegra CPUFreq driver.
+
+Cc: stable <stable@vger.kernel.org>
+Fixes: 7e535993fa4f ("OPP: Separate out custom OPP handler specific code")
+Reported-by: Marc Dietrich <marvin24@gmx.de>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+[ Viresh: Massaged changelog ]
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/opp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/opp/core.c
++++ b/drivers/opp/core.c
+@@ -631,7 +631,7 @@ static int _set_opp_custom(const struct
+
+ data->old_opp.rate = old_freq;
+ size = sizeof(*old_supply) * opp_table->regulator_count;
+- if (IS_ERR(old_supply))
++ if (!old_supply)
+ memset(data->old_opp.supplies, 0, size);
+ else
+ memcpy(data->old_opp.supplies, old_supply, size);
--- /dev/null
+From 16da0eb5ab6ef2dd1d33431199126e63db9997cc Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 29 Jun 2019 13:44:45 +0200
+Subject: regulator: s2mps11: Fix buck7 and buck8 wrong voltages
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 16da0eb5ab6ef2dd1d33431199126e63db9997cc upstream.
+
+On S2MPS11 device, the buck7 and buck8 regulator voltages start at 750
+mV, not 600 mV. Using wrong minimal value caused shifting of these
+regulator values by 150 mV (e.g. buck7 usually configured to v1.35 V was
+reported as 1.2 V).
+
+On most of the boards these regulators are left in default state so this
+was only affecting reported voltage. However if any driver wanted to
+change them, then effectively it would set voltage 150 mV higher than
+intended.
+
+Cc: <stable@vger.kernel.org>
+Fixes: cb74685ecb39 ("regulator: s2mps11: Add samsung s2mps11 regulator driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/s2mps11.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -372,8 +372,8 @@ static const struct regulator_desc s2mps
+ regulator_desc_s2mps11_buck1_4(4),
+ regulator_desc_s2mps11_buck5,
+ regulator_desc_s2mps11_buck67810(6, MIN_600_MV, STEP_6_25_MV),
+- regulator_desc_s2mps11_buck67810(7, MIN_600_MV, STEP_12_5_MV),
+- regulator_desc_s2mps11_buck67810(8, MIN_600_MV, STEP_12_5_MV),
++ regulator_desc_s2mps11_buck67810(7, MIN_750_MV, STEP_12_5_MV),
++ regulator_desc_s2mps11_buck67810(8, MIN_750_MV, STEP_12_5_MV),
+ regulator_desc_s2mps11_buck9,
+ regulator_desc_s2mps11_buck67810(10, MIN_750_MV, STEP_12_5_MV),
+ };
--- /dev/null
+From 70ca117b02f3b1c8830fe95e4e3dea2937038e11 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Wed, 19 Jun 2019 14:42:39 +0200
+Subject: regulator: s2mps11: Fix ERR_PTR dereference on GPIO lookup failure
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 70ca117b02f3b1c8830fe95e4e3dea2937038e11 upstream.
+
+If devm_gpiod_get_from_of_node() call returns ERR_PTR, it is assigned
+into an array of GPIO descriptors and used later because such error is
+not treated as critical thus it is not propagated back to the probe
+function.
+
+All code later expects that such GPIO descriptor is either a NULL or
+proper value. This later might lead to dereference of ERR_PTR.
+
+Only devices with S2MPS14 flavor are affected (other do not control
+regulators with GPIOs).
+
+Fixes: 1c984942f0a4 ("regulator: s2mps11: Pass descriptor instead of GPIO number")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/s2mps11.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -826,6 +826,7 @@ static void s2mps14_pmic_dt_parse_ext_co
+ else if (IS_ERR(gpio[reg])) {
+ dev_err(&pdev->dev, "Failed to get control GPIO for %d/%s\n",
+ reg, rdata[reg].name);
++ gpio[reg] = NULL;
+ continue;
+ }
+ if (gpio[reg])
--- /dev/null
+From 695277f16b3a102fcc22c97fdf2de77c7b19f0b3 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:27 +0800
+Subject: Revert "bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()"
+
+From: Coly Li <colyli@suse.de>
+
+commit 695277f16b3a102fcc22c97fdf2de77c7b19f0b3 upstream.
+
+This reverts commit 6147305c73e4511ca1a975b766b97a779d442567.
+
+Although this patch helps the failed bcache device to stop faster when
+too many I/O errors detected on corresponding cached device, setting
+CACHE_SET_IO_DISABLE bit to cache set c->flags was not a good idea. This
+operation will disable all I/Os on cache set, which means other attached
+bcache devices won't work neither.
+
+Without this patch, the failed bcache device can also be stopped
+eventually if internal I/O accomplished (e.g. writeback). Therefore here
+I revert it.
+
+Fixes: 6147305c73e4 ("bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()")
+Reported-by: Yong Li <mr.liyong@qq.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/super.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1429,8 +1429,6 @@ int bch_flash_dev_create(struct cache_se
+
+ bool bch_cached_dev_error(struct cached_dev *dc)
+ {
+- struct cache_set *c;
+-
+ if (!dc || test_bit(BCACHE_DEV_CLOSING, &dc->disk.flags))
+ return false;
+
+@@ -1441,21 +1439,6 @@ bool bch_cached_dev_error(struct cached_
+ pr_err("stop %s: too many IO errors on backing device %s\n",
+ dc->disk.disk->disk_name, dc->backing_dev_name);
+
+- /*
+- * If the cached device is still attached to a cache set,
+- * even dc->io_disable is true and no more I/O requests
+- * accepted, cache device internal I/O (writeback scan or
+- * garbage collection) may still prevent bcache device from
+- * being stopped. So here CACHE_SET_IO_DISABLE should be
+- * set to c->flags too, to make the internal I/O to cache
+- * device rejected and stopped immediately.
+- * If c is NULL, that means the bcache device is not attached
+- * to any cache set, then no CACHE_SET_IO_DISABLE bit to set.
+- */
+- c = dc->disk.c;
+- if (c && test_and_set_bit(CACHE_SET_IO_DISABLE, &c->flags))
+- pr_info("CACHE_SET_IO_DISABLE already set");
+-
+ bcache_device_stop(&dc->disk);
+ return true;
+ }
crypto-ccp-memset-structure-fields-to-zero-before-reuse.patch
crypto-ccp-gcm-use-const-time-tag-comparison.patch
crypto-crypto4xx-fix-a-potential-double-free-in-ppc4xx_trng_probe.patch
+cifs-always-add-credits-back-for-unsolicited-pdus.patch
+cifs-fix-crash-in-smb2_compound_op-smb2_set_next_command.patch
+cifs-properly-handle-auto-disabling-of-serverino-option.patch
+cifs-flush-before-set-info-if-we-have-writeable-handles.patch
+cifs-fix-deadlock-in-cached-root-handling.patch
+revert-bcache-set-cache_set_io_disable-in-bch_cached_dev_error.patch
+bcache-revert-bcache-fix-high-cpu-occupancy-during-journal.patch
+bcache-revert-bcache-free-heap-cache_set-flush_btree-in-bch_journal_free.patch
+bcache-ignore-read-ahead-request-failure-on-backing-device.patch
+bcache-fix-mistaken-sysfs-entry-for-io_error-counter.patch
+bcache-destroy-dc-writeback_write_wq-if-failed-to-create-dc-writeback_thread.patch
+input-gtco-bounds-check-collection-indent-level.patch
+input-alps-don-t-handle-alps-cs19-trackpoint-only-device.patch
+input-synaptics-whitelist-lenovo-t580-smbus-intertouch.patch
+input-alps-fix-a-mismatch-between-a-condition-check-and-its-comment.patch
+regulator-s2mps11-fix-err_ptr-dereference-on-gpio-lookup-failure.patch
+regulator-s2mps11-fix-buck7-and-buck8-wrong-voltages.patch
+arm64-tegra-update-jetson-tx1-gpu-regulator-timings.patch
+iwlwifi-add-support-for-hr1-rf-id.patch
+iwlwifi-pcie-don-t-service-an-interrupt-that-was-masked.patch
+iwlwifi-pcie-fix-alive-interrupt-handling-for-gen2-devices-w-o-msi-x.patch
+iwlwifi-don-t-warn-when-calling-iwl_get_shared_mem_conf-with-rf-kill.patch
+iwlwifi-fix-rf-kill-interrupt-while-fw-load-for-gen2-devices.patch
+iwlwifi-mvm-delay-gtk-setting-in-fw-in-ap-mode.patch
+iwlwifi-mvm-clear-rfkill_safe_init_done-when-we-start-the-firmware.patch
+opp-don-t-use-is_err-on-invalid-supplies.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
