--- /dev/null
+From 5ea1cc994fc42fa529c3fdb89f0d4f4e405cbd8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 14:37:12 +0100
+Subject: afs: Fix key ref leak in afs_put_operation()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit ba8e42077bbe046a09bdb965dbfbf8c27594fe8f ]
+
+The afs_put_operation() function needs to put the reference to the key
+that's authenticating the operation.
+
+Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
+Reported-by: Dave Botsch <botsch@cnf.cornell.edu>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/fs_operation.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/afs/fs_operation.c b/fs/afs/fs_operation.c
+index 24fd163c6323e..97cab12b0a6c2 100644
+--- a/fs/afs/fs_operation.c
++++ b/fs/afs/fs_operation.c
+@@ -235,6 +235,7 @@ int afs_put_operation(struct afs_operation *op)
+ afs_end_cursor(&op->ac);
+ afs_put_serverlist(op->net, op->server_list);
+ afs_put_volume(op->net, op->volume, afs_volume_trace_put_put_op);
++ key_put(op->key);
+ kfree(op);
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From 227455a6ee1dd65c50cfc7b15974ca10e000e535 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 10:15:12 +0100
+Subject: afs: Fix NULL deref in afs_dynroot_depopulate()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 5e0b17b026eb7c6de9baa9b0d45a51b05f05abe1 ]
+
+If an error occurs during the construction of an afs superblock, it's
+possible that an error occurs after a superblock is created, but before
+we've created the root dentry. If the superblock has a dynamic root
+(ie. what's normally mounted on /afs), the afs_kill_super() will call
+afs_dynroot_depopulate() to unpin any created dentries - but this will
+oops if the root hasn't been created yet.
+
+Fix this by skipping that bit of code if there is no root dentry.
+
+This leads to an oops looking like:
+
+ general protection fault, ...
+ KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
+ ...
+ RIP: 0010:afs_dynroot_depopulate+0x25f/0x529 fs/afs/dynroot.c:385
+ ...
+ Call Trace:
+ afs_kill_super+0x13b/0x180 fs/afs/super.c:535
+ deactivate_locked_super+0x94/0x160 fs/super.c:335
+ afs_get_tree+0x1124/0x1460 fs/afs/super.c:598
+ vfs_get_tree+0x89/0x2f0 fs/super.c:1547
+ do_new_mount fs/namespace.c:2875 [inline]
+ path_mount+0x1387/0x2070 fs/namespace.c:3192
+ do_mount fs/namespace.c:3205 [inline]
+ __do_sys_mount fs/namespace.c:3413 [inline]
+ __se_sys_mount fs/namespace.c:3390 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+which is oopsing on this line:
+
+ inode_lock(root->d_inode);
+
+presumably because sb->s_root was NULL.
+
+Fixes: 0da0b7fd73e4 ("afs: Display manually added cells in dynamic root mount")
+Reported-by: syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index b79879aacc02e..7b784af604fd9 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -382,15 +382,17 @@ void afs_dynroot_depopulate(struct super_block *sb)
+ net->dynroot_sb = NULL;
+ mutex_unlock(&net->proc_cells_lock);
+
+- inode_lock(root->d_inode);
+-
+- /* Remove all the pins for dirs created for manually added cells */
+- list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) {
+- if (subdir->d_fsdata) {
+- subdir->d_fsdata = NULL;
+- dput(subdir);
++ if (root) {
++ inode_lock(root->d_inode);
++
++ /* Remove all the pins for dirs created for manually added cells */
++ list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) {
++ if (subdir->d_fsdata) {
++ subdir->d_fsdata = NULL;
++ dput(subdir);
++ }
+ }
+- }
+
+- inode_unlock(root->d_inode);
++ inode_unlock(root->d_inode);
++ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 191122cfa36c386b1b9bada79d13eee328d3b713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 19:24:57 +0100
+Subject: arch/ia64: Restore arch-specific pgd_offset_k implementation
+
+From: Jessica Clarke <jrtc27@jrtc27.com>
+
+[ Upstream commit bd05220c7be3356046861c317d9c287ca50445ba ]
+
+IA-64 is special and treats pgd_offset_k() differently to pgd_offset(),
+using different formulae to calculate the indices into the kernel and user
+PGDs. The index into the user PGDs takes into account the region number,
+but the index into the kernel (init_mm) PGD always assumes a predefined
+kernel region number. Commit 974b9b2c68f3 ("mm: consolidate pte_index() and
+pte_offset_*() definitions") made IA-64 use a generic pgd_offset_k() which
+incorrectly used pgd_index() for kernel page tables. As a result, the
+index into the kernel PGD was going out of bounds and the kernel hung
+during early boot.
+
+Allow overrides of pgd_offset_k() and override it on IA-64 with the old
+implementation that will correctly index the kernel PGD.
+
+Fixes: 974b9b2c68f3 ("mm: consolidate pte_index() and pte_offset_*() definitions")
+Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
+Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Acked-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/include/asm/pgtable.h | 9 +++++++++
+ include/linux/pgtable.h | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h
+index 10850897a91c4..779b6972aa84b 100644
+--- a/arch/ia64/include/asm/pgtable.h
++++ b/arch/ia64/include/asm/pgtable.h
+@@ -366,6 +366,15 @@ pgd_index (unsigned long address)
+ }
+ #define pgd_index pgd_index
+
++/*
++ * In the kernel's mapped region we know everything is in region number 5, so
++ * as an optimisation its PGD already points to the area for that region.
++ * However, this also means that we cannot use pgd_index() and we must
++ * never add the region here.
++ */
++#define pgd_offset_k(addr) \
++ (init_mm.pgd + (((addr) >> PGDIR_SHIFT) & (PTRS_PER_PGD - 1)))
++
+ /* Look up a pgd entry in the gate area. On IA-64, the gate-area
+ resides in the kernel-mapped segment, hence we use pgd_offset_k()
+ here. */
+diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
+index 56c1e8eb7bb0a..8075f6ae185a1 100644
+--- a/include/linux/pgtable.h
++++ b/include/linux/pgtable.h
+@@ -117,7 +117,9 @@ static inline pgd_t *pgd_offset_pgd(pgd_t *pgd, unsigned long address)
+ * a shortcut which implies the use of the kernel's pgd, instead
+ * of a process's
+ */
++#ifndef pgd_offset_k
+ #define pgd_offset_k(address) pgd_offset(&init_mm, (address))
++#endif
+
+ /*
+ * In many cases it is known that a virtual address is mapped at PMD or PTE
+--
+2.25.1
+
--- /dev/null
+From fce8d3e3d56a3d704913992319c89eed59b37a68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 18:49:50 -0700
+Subject: ARM64: vdso32: Install vdso32 from vdso_install
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 8d75785a814241587802655cc33e384230744f0c ]
+
+Add the 32-bit vdso Makefile to the vdso_install rule so that 'make
+vdso_install' installs the 32-bit compat vdso when it is compiled.
+
+Fixes: a7f71a2c8903 ("arm64: compat: Add vDSO")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Acked-by: Will Deacon <will@kernel.org>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Link: https://lore.kernel.org/r/20200818014950.42492-1-swboyd@chromium.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Makefile | 1 +
+ arch/arm64/kernel/vdso32/Makefile | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index 70f5905954dde..91e377770a6b8 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -158,6 +158,7 @@ zinstall install:
+ PHONY += vdso_install
+ vdso_install:
+ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
++ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso32 $@
+
+ # We use MRPROPER_FILES and CLEAN_FILES now
+ archclean:
+diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile
+index 5139a5f192568..d6adb4677c25f 100644
+--- a/arch/arm64/kernel/vdso32/Makefile
++++ b/arch/arm64/kernel/vdso32/Makefile
+@@ -208,7 +208,7 @@ quiet_cmd_vdsosym = VDSOSYM $@
+ cmd_vdsosym = $(NM) $< | $(gen-vdsosym) | LC_ALL=C sort > $@
+
+ # Install commands for the unstripped file
+-quiet_cmd_vdso_install = INSTALL $@
++quiet_cmd_vdso_install = INSTALL32 $@
+ cmd_vdso_install = cp $(obj)/$@.dbg $(MODLIB)/vdso/vdso32.so
+
+ vdso.so: $(obj)/vdso.so.dbg
+--
+2.25.1
+
--- /dev/null
+From 9b4df721b17b90e9ee1a447f0e8bef51b035f6ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 16:41:10 +0800
+Subject: ASoC: intel: Fix memleak in sst_media_open
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 062fa09f44f4fb3776a23184d5d296b0c8872eb9 ]
+
+When power_up_sst() fails, stream needs to be freed
+just like when try_module_get() fails. However, current
+code is returning directly and ends up leaking memory.
+
+Fixes: 0121327c1a68b ("ASoC: Intel: mfld-pcm: add control for powering up/down dsp")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20200813084112.26205-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/atom/sst-mfld-platform-pcm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+index 8817eaae6bb7a..b520e3aeaf3de 100644
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -331,7 +331,7 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+
+ ret_val = power_up_sst(stream);
+ if (ret_val < 0)
+- return ret_val;
++ goto out_power_up;
+
+ /* Make sure, that the period size is always even */
+ snd_pcm_hw_constraint_step(substream->runtime, 0,
+@@ -340,8 +340,9 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+ return snd_pcm_hw_constraint_integer(runtime,
+ SNDRV_PCM_HW_PARAM_PERIODS);
+ out_ops:
+- kfree(stream);
+ mutex_unlock(&sst_lock);
++out_power_up:
++ kfree(stream);
+ return ret_val;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 90dd45da2f633f924b46fd3840f3c391b2b21e5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 11:34:52 +0100
+Subject: ASoC: msm8916-wcd-analog: fix register Interrupt offset
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit ff69c97ef84c9f7795adb49e9f07c9adcdd0c288 ]
+
+For some reason interrupt set and clear register offsets are
+not set correctly.
+This patch corrects them!
+
+Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200811103452.20448-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/msm8916-wcd-analog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c
+index 85bc7ae4d2671..26cf372ccda6f 100644
+--- a/sound/soc/codecs/msm8916-wcd-analog.c
++++ b/sound/soc/codecs/msm8916-wcd-analog.c
+@@ -19,8 +19,8 @@
+
+ #define CDC_D_REVISION1 (0xf000)
+ #define CDC_D_PERPH_SUBTYPE (0xf005)
+-#define CDC_D_INT_EN_SET (0x015)
+-#define CDC_D_INT_EN_CLR (0x016)
++#define CDC_D_INT_EN_SET (0xf015)
++#define CDC_D_INT_EN_CLR (0xf016)
+ #define MBHC_SWITCH_INT BIT(7)
+ #define MBHC_MIC_ELECTRICAL_INS_REM_DET BIT(6)
+ #define MBHC_BUTTON_PRESS_DET BIT(5)
+--
+2.25.1
+
--- /dev/null
+From faf681acc9aec889d068dc0f3e4e5fbd26b6e28e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 13:02:04 +0100
+Subject: ASoC: q6afe-dai: mark all widgets registers as SND_SOC_NOPM
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 56235e4bc5ae58cb8fcd9314dba4e9ab077ddda8 ]
+
+Looks like the q6afe-dai dapm widget registers are set as "0",
+which is a not correct.
+
+As this registers will be read by ASoC core during startup
+which will throw up errors, Fix this by making the registers
+as SND_SOC_NOPM as these should be never used.
+
+With recent changes to ASoC core, every register read/write
+failures are reported very verbosely. Prior to this fails to reads
+are totally ignored, so we never saw any error messages.
+
+Fixes: 24c4cbcfac09 ("ASoC: qdsp6: q6afe: Add q6afe dai driver")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20200811120205.21805-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/qdsp6/q6afe-dai.c | 210 +++++++++++++++----------------
+ 1 file changed, 105 insertions(+), 105 deletions(-)
+
+diff --git a/sound/soc/qcom/qdsp6/q6afe-dai.c b/sound/soc/qcom/qdsp6/q6afe-dai.c
+index 2a5302f1db98a..0168af8492727 100644
+--- a/sound/soc/qcom/qdsp6/q6afe-dai.c
++++ b/sound/soc/qcom/qdsp6/q6afe-dai.c
+@@ -1150,206 +1150,206 @@ static int q6afe_of_xlate_dai_name(struct snd_soc_component *component,
+ }
+
+ static const struct snd_soc_dapm_widget q6afe_dai_widgets[] = {
+- SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, 0, 0, 0),
++ SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX_SD1",
+ "Secondary MI2S Playback SD1",
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRI_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRI_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, SND_SOC_NOPM, 0, 0),
+ };
+
+ static const struct snd_soc_component_driver q6afe_dai_component = {
+--
+2.25.1
+
--- /dev/null
+From 54b561601d4ff143d683b6891967c208c9169385 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 13:02:05 +0100
+Subject: ASoC: q6routing: add dummy register read/write function
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 796a58fe2b8c9b6668db00d92512ec84be663027 ]
+
+Most of the DAPM widgets for DSP ASoC components reuse reg field
+of the widgets for its internal calculations, however these are not
+real registers. So read/writes to these numbers are not really
+valid. However ASoC core will read these registers to get default
+state during startup.
+
+With recent changes to ASoC core, every register read/write
+failures are reported very verbosely. Prior to this fails to reads
+are totally ignored, so we never saw any error messages.
+
+To fix this add dummy read/write function to return default value.
+
+Fixes: e3a33673e845 ("ASoC: qdsp6: q6routing: Add q6routing driver")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20200811120205.21805-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/qdsp6/q6routing.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/sound/soc/qcom/qdsp6/q6routing.c b/sound/soc/qcom/qdsp6/q6routing.c
+index 46e50612b92c1..750e6a30444eb 100644
+--- a/sound/soc/qcom/qdsp6/q6routing.c
++++ b/sound/soc/qcom/qdsp6/q6routing.c
+@@ -973,6 +973,20 @@ static int msm_routing_probe(struct snd_soc_component *c)
+ return 0;
+ }
+
++static unsigned int q6routing_reg_read(struct snd_soc_component *component,
++ unsigned int reg)
++{
++ /* default value */
++ return 0;
++}
++
++static int q6routing_reg_write(struct snd_soc_component *component,
++ unsigned int reg, unsigned int val)
++{
++ /* dummy */
++ return 0;
++}
++
+ static const struct snd_soc_component_driver msm_soc_routing_component = {
+ .probe = msm_routing_probe,
+ .name = DRV_NAME,
+@@ -981,6 +995,8 @@ static const struct snd_soc_component_driver msm_soc_routing_component = {
+ .num_dapm_widgets = ARRAY_SIZE(msm_qdsp6_widgets),
+ .dapm_routes = intercon,
+ .num_dapm_routes = ARRAY_SIZE(intercon),
++ .read = q6routing_reg_read,
++ .write = q6routing_reg_write,
+ };
+
+ static int q6pcm_routing_probe(struct platform_device *pdev)
+--
+2.25.1
+
--- /dev/null
+From 45e5dd84184d733c177c83c5bb177fe5de2d30a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 20:05:58 -0700
+Subject: bonding: fix a potential double-unregister
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ]
+
+When we tear down a network namespace, we unregister all
+the netdevices within it. So we may queue a slave device
+and a bonding device together in the same unregister queue.
+
+If the only slave device is non-ethernet, it would
+automatically unregister the bonding device as well. Thus,
+we may end up unregistering the bonding device twice.
+
+Workaround this special case by checking reg_state.
+
+Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()")
+Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index a35a05610a5e3..f438e20fcda1f 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2084,7 +2084,8 @@ static int bond_release_and_destroy(struct net_device *bond_dev,
+ int ret;
+
+ ret = __bond_release_one(bond_dev, slave_dev, false, true);
+- if (ret == 0 && !bond_has_slaves(bond)) {
++ if (ret == 0 && !bond_has_slaves(bond) &&
++ bond_dev->reg_state != NETREG_UNREGISTERING) {
+ bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
+ netdev_info(bond_dev, "Destroying bond\n");
+ bond_remove_proc_entry(bond);
+--
+2.25.1
+
--- /dev/null
+From f2cfb8316f595ed9f1d8e751bc15806dbd475b84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Aug 2020 20:52:44 +0200
+Subject: bonding: fix active-backup failover for current ARP slave
+
+From: Jiri Wiesner <jwiesner@suse.com>
+
+[ Upstream commit 0410d07190961ac526f05085765a8d04d926545b ]
+
+When the ARP monitor is used for link detection, ARP replies are
+validated for all slaves (arp_validate=3) and fail_over_mac is set to
+active, two slaves of an active-backup bond may get stuck in a state
+where both of them are active and pass packets that they receive to
+the bond. This state makes IPv6 duplicate address detection fail. The
+state is reached thus:
+1. The current active slave goes down because the ARP target
+ is not reachable.
+2. The current ARP slave is chosen and made active.
+3. A new slave is enslaved. This new slave becomes the current active
+ slave and can reach the ARP target.
+As a result, the current ARP slave stays active after the enslave
+action has finished and the log is littered with "PROBE BAD" messages:
+> bond0: PROBE: c_arp ens10 && cas ens11 BAD
+The workaround is to remove the slave with "going back" status from
+the bond and re-enslave it. This issue was encountered when DPDK PMD
+interfaces were being enslaved to an active-backup bond.
+
+I would be possible to fix the issue in bond_enslave() or
+bond_change_active_slave() but the ARP monitor was fixed instead to
+keep most of the actions changing the current ARP slave in the ARP
+monitor code. The current ARP slave is set as inactive and backup
+during the commit phase. A new state, BOND_LINK_FAIL, has been
+introduced for slaves in the context of the ARP monitor. This allows
+administrators to see how slaves are rotated for sending ARP requests
+and attempts are made to find a new active slave.
+
+Fixes: b2220cad583c9 ("bonding: refactor ARP active-backup monitor")
+Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index f438e20fcda1f..500aa3e19a4c7 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2825,6 +2825,9 @@ static int bond_ab_arp_inspect(struct bonding *bond)
+ if (bond_time_in_interval(bond, last_rx, 1)) {
+ bond_propose_link_state(slave, BOND_LINK_UP);
+ commit++;
++ } else if (slave->link == BOND_LINK_BACK) {
++ bond_propose_link_state(slave, BOND_LINK_FAIL);
++ commit++;
+ }
+ continue;
+ }
+@@ -2933,6 +2936,19 @@ static void bond_ab_arp_commit(struct bonding *bond)
+
+ continue;
+
++ case BOND_LINK_FAIL:
++ bond_set_slave_link_state(slave, BOND_LINK_FAIL,
++ BOND_SLAVE_NOTIFY_NOW);
++ bond_set_slave_inactive_flags(slave,
++ BOND_SLAVE_NOTIFY_NOW);
++
++ /* A slave has just been enslaved and has become
++ * the current active slave.
++ */
++ if (rtnl_dereference(bond->curr_active_slave))
++ RCU_INIT_POINTER(bond->current_arp_slave, NULL);
++ continue;
++
+ default:
+ slave_err(bond->dev, slave->dev,
+ "impossible: link_new_state %d on slave\n",
+@@ -2983,8 +2999,6 @@ static bool bond_ab_arp_probe(struct bonding *bond)
+ return should_notify_rtnl;
+ }
+
+- bond_set_slave_inactive_flags(curr_arp_slave, BOND_SLAVE_NOTIFY_LATER);
+-
+ bond_for_each_slave_rcu(bond, slave, iter) {
+ if (!found && !before && bond_slave_is_up(slave))
+ before = slave;
+--
+2.25.1
+
--- /dev/null
+From 8d747df62e7b2877e1e97e17ea48a85417ea5dc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 10:09:00 -0400
+Subject: bonding: show saner speed for broadcast mode
+
+From: Jarod Wilson <jarod@redhat.com>
+
+[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ]
+
+Broadcast mode bonds transmit a copy of all traffic simultaneously out of
+all interfaces, so the "speed" of the bond isn't really the aggregate of
+all interfaces, but rather, the speed of the slowest active interface.
+
+Also, the type of the speed field is u32, not unsigned long, so adjust
+that accordingly, as required to make min() function here without
+complaining about mismatching types.
+
+Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool")
+CC: Jay Vosburgh <j.vosburgh@gmail.com>
+CC: Veaceslav Falico <vfalico@gmail.com>
+CC: Andy Gospodarek <andy@greyhouse.net>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index f88cb097b022a..a35a05610a5e3 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4431,13 +4431,23 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ return ret;
+ }
+
++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed)
++{
++ if (speed == 0 || speed == SPEED_UNKNOWN)
++ speed = slave->speed;
++ else
++ speed = min(speed, slave->speed);
++
++ return speed;
++}
++
+ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev,
+ struct ethtool_link_ksettings *cmd)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+- unsigned long speed = 0;
+ struct list_head *iter;
+ struct slave *slave;
++ u32 speed = 0;
+
+ cmd->base.duplex = DUPLEX_UNKNOWN;
+ cmd->base.port = PORT_OTHER;
+@@ -4449,8 +4459,13 @@ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev,
+ */
+ bond_for_each_slave(bond, slave, iter) {
+ if (bond_slave_can_tx(slave)) {
+- if (slave->speed != SPEED_UNKNOWN)
+- speed += slave->speed;
++ if (slave->speed != SPEED_UNKNOWN) {
++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST)
++ speed = bond_mode_bcast_speed(slave,
++ speed);
++ else
++ speed += slave->speed;
++ }
+ if (cmd->base.duplex == DUPLEX_UNKNOWN &&
+ slave->duplex != DUPLEX_UNKNOWN)
+ cmd->base.duplex = slave->duplex;
+--
+2.25.1
+
--- /dev/null
+From bc7f27ecd4c2ccf8a6645a58499a494ddd0b6cc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 15:04:37 -0700
+Subject: bpf: sock_ops ctx access may stomp registers in corner case
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit fd09af010788a884de1c39537c288830c3d305db ]
+
+I had a sockmap program that after doing some refactoring started spewing
+this splat at me:
+
+[18610.807284] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
+[...]
+[18610.807359] Call Trace:
+[18610.807370] ? 0xffffffffc114d0d5
+[18610.807382] __cgroup_bpf_run_filter_sock_ops+0x7d/0xb0
+[18610.807391] tcp_connect+0x895/0xd50
+[18610.807400] tcp_v4_connect+0x465/0x4e0
+[18610.807407] __inet_stream_connect+0xd6/0x3a0
+[18610.807412] ? __inet_stream_connect+0x5/0x3a0
+[18610.807417] inet_stream_connect+0x3b/0x60
+[18610.807425] __sys_connect+0xed/0x120
+
+After some debugging I was able to build this simple reproducer,
+
+ __section("sockops/reproducer_bad")
+ int bpf_reproducer_bad(struct bpf_sock_ops *skops)
+ {
+ volatile __maybe_unused __u32 i = skops->snd_ssthresh;
+ return 0;
+ }
+
+And along the way noticed that below program ran without splat,
+
+__section("sockops/reproducer_good")
+int bpf_reproducer_good(struct bpf_sock_ops *skops)
+{
+ volatile __maybe_unused __u32 i = skops->snd_ssthresh;
+ volatile __maybe_unused __u32 family;
+
+ compiler_barrier();
+
+ family = skops->family;
+ return 0;
+}
+
+So I decided to check out the code we generate for the above two
+programs and noticed each generates the BPF code you would expect,
+
+0000000000000000 <bpf_reproducer_bad>:
+; volatile __maybe_unused __u32 i = skops->snd_ssthresh;
+ 0: r1 = *(u32 *)(r1 + 96)
+ 1: *(u32 *)(r10 - 4) = r1
+; return 0;
+ 2: r0 = 0
+ 3: exit
+
+0000000000000000 <bpf_reproducer_good>:
+; volatile __maybe_unused __u32 i = skops->snd_ssthresh;
+ 0: r2 = *(u32 *)(r1 + 96)
+ 1: *(u32 *)(r10 - 4) = r2
+; family = skops->family;
+ 2: r1 = *(u32 *)(r1 + 20)
+ 3: *(u32 *)(r10 - 8) = r1
+; return 0;
+ 4: r0 = 0
+ 5: exit
+
+So we get reasonable assembly, but still something was causing the null
+pointer dereference. So, we load the programs and dump the xlated version
+observing that line 0 above 'r* = *(u32 *)(r1 +96)' is going to be
+translated by the skops access helpers.
+
+int bpf_reproducer_bad(struct bpf_sock_ops * skops):
+; volatile __maybe_unused __u32 i = skops->snd_ssthresh;
+ 0: (61) r1 = *(u32 *)(r1 +28)
+ 1: (15) if r1 == 0x0 goto pc+2
+ 2: (79) r1 = *(u64 *)(r1 +0)
+ 3: (61) r1 = *(u32 *)(r1 +2340)
+; volatile __maybe_unused __u32 i = skops->snd_ssthresh;
+ 4: (63) *(u32 *)(r10 -4) = r1
+; return 0;
+ 5: (b7) r0 = 0
+ 6: (95) exit
+
+int bpf_reproducer_good(struct bpf_sock_ops * skops):
+; volatile __maybe_unused __u32 i = skops->snd_ssthresh;
+ 0: (61) r2 = *(u32 *)(r1 +28)
+ 1: (15) if r2 == 0x0 goto pc+2
+ 2: (79) r2 = *(u64 *)(r1 +0)
+ 3: (61) r2 = *(u32 *)(r2 +2340)
+; volatile __maybe_unused __u32 i = skops->snd_ssthresh;
+ 4: (63) *(u32 *)(r10 -4) = r2
+; family = skops->family;
+ 5: (79) r1 = *(u64 *)(r1 +0)
+ 6: (69) r1 = *(u16 *)(r1 +16)
+; family = skops->family;
+ 7: (63) *(u32 *)(r10 -8) = r1
+; return 0;
+ 8: (b7) r0 = 0
+ 9: (95) exit
+
+Then we look at lines 0 and 2 above. In the good case we do the zero
+check in r2 and then load 'r1 + 0' at line 2. Do a quick cross-check
+into the bpf_sock_ops check and we can confirm that is the 'struct
+sock *sk' pointer field. But, in the bad case,
+
+ 0: (61) r1 = *(u32 *)(r1 +28)
+ 1: (15) if r1 == 0x0 goto pc+2
+ 2: (79) r1 = *(u64 *)(r1 +0)
+
+Oh no, we read 'r1 +28' into r1, this is skops->fullsock and then in
+line 2 we read the 'r1 +0' as a pointer. Now jumping back to our spat,
+
+[18610.807284] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
+
+The 0x01 makes sense because that is exactly the fullsock value. And
+its not a valid dereference so we splat.
+
+To fix we need to guard the case when a program is doing a sock_ops field
+access with src_reg == dst_reg. This is already handled in the load case
+where the ctx_access handler uses a tmp register being careful to
+store the old value and restore it. To fix the get case test if
+src_reg == dst_reg and in this case do the is_fullsock test in the
+temporary register. Remembering to restore the temporary register before
+writing to either dst_reg or src_reg to avoid smashing the pointer into
+the struct holding the tmp variable.
+
+Adding this inline code to test_tcpbpf_kern will now be generated
+correctly from,
+
+ 9: r2 = *(u32 *)(r2 + 96)
+
+to xlated code,
+
+ 12: (7b) *(u64 *)(r2 +32) = r9
+ 13: (61) r9 = *(u32 *)(r2 +28)
+ 14: (15) if r9 == 0x0 goto pc+4
+ 15: (79) r9 = *(u64 *)(r2 +32)
+ 16: (79) r2 = *(u64 *)(r2 +0)
+ 17: (61) r2 = *(u32 *)(r2 +2348)
+ 18: (05) goto pc+1
+ 19: (79) r9 = *(u64 *)(r2 +32)
+
+And in the normal case we keep the original code, because really this
+is an edge case. From this,
+
+ 9: r2 = *(u32 *)(r6 + 96)
+
+to xlated code,
+
+ 22: (61) r2 = *(u32 *)(r6 +28)
+ 23: (15) if r2 == 0x0 goto pc+2
+ 24: (79) r2 = *(u64 *)(r6 +0)
+ 25: (61) r2 = *(u32 *)(r2 +2348)
+
+So three additional instructions if dst == src register, but I scanned
+my current code base and did not see this pattern anywhere so should
+not be a big deal. Further, it seems no one else has hit this or at
+least reported it so it must a fairly rare pattern.
+
+Fixes: 9b1f3d6e5af29 ("bpf: Refactor sock_ops_convert_ctx_access")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/159718347772.4728.2781381670567919577.stgit@john-Precision-5820-Tower
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 82e1b5b061675..09286a1f7457d 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8249,15 +8249,31 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
+ /* Helper macro for adding read access to tcp_sock or sock fields. */
+ #define SOCK_OPS_GET_FIELD(BPF_FIELD, OBJ_FIELD, OBJ) \
+ do { \
++ int fullsock_reg = si->dst_reg, reg = BPF_REG_9, jmp = 2; \
+ BUILD_BUG_ON(sizeof_field(OBJ, OBJ_FIELD) > \
+ sizeof_field(struct bpf_sock_ops, BPF_FIELD)); \
++ if (si->dst_reg == reg || si->src_reg == reg) \
++ reg--; \
++ if (si->dst_reg == reg || si->src_reg == reg) \
++ reg--; \
++ if (si->dst_reg == si->src_reg) { \
++ *insn++ = BPF_STX_MEM(BPF_DW, si->src_reg, reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
++ fullsock_reg = reg; \
++ jmp += 2; \
++ } \
+ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \
+ struct bpf_sock_ops_kern, \
+ is_fullsock), \
+- si->dst_reg, si->src_reg, \
++ fullsock_reg, si->src_reg, \
+ offsetof(struct bpf_sock_ops_kern, \
+ is_fullsock)); \
+- *insn++ = BPF_JMP_IMM(BPF_JEQ, si->dst_reg, 0, 2); \
++ *insn++ = BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp); \
++ if (si->dst_reg == si->src_reg) \
++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
+ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \
+ struct bpf_sock_ops_kern, sk),\
+ si->dst_reg, si->src_reg, \
+@@ -8266,6 +8282,12 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
+ OBJ_FIELD), \
+ si->dst_reg, si->dst_reg, \
+ offsetof(OBJ, OBJ_FIELD)); \
++ if (si->dst_reg == si->src_reg) { \
++ *insn++ = BPF_JMP_A(1); \
++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
++ } \
+ } while (0)
+
+ #define SOCK_OPS_GET_TCP_SOCK_FIELD(FIELD) \
+--
+2.25.1
+
--- /dev/null
+From ea77cc473f9426579ef85a3d23aadd4d482266d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 15:04:56 -0700
+Subject: bpf: sock_ops sk access may stomp registers when dst_reg = src_reg
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 84f44df664e9f0e261157e16ee1acd77cc1bb78d ]
+
+Similar to patch ("bpf: sock_ops ctx access may stomp registers") if the
+src_reg = dst_reg when reading the sk field of a sock_ops struct we
+generate xlated code,
+
+ 53: (61) r9 = *(u32 *)(r9 +28)
+ 54: (15) if r9 == 0x0 goto pc+3
+ 56: (79) r9 = *(u64 *)(r9 +0)
+
+This stomps on the r9 reg to do the sk_fullsock check and then when
+reading the skops->sk field instead of the sk pointer we get the
+sk_fullsock. To fix use similar pattern noted in the previous fix
+and use the temp field to save/restore a register used to do
+sk_fullsock check.
+
+After the fix the generated xlated code reads,
+
+ 52: (7b) *(u64 *)(r9 +32) = r8
+ 53: (61) r8 = *(u32 *)(r9 +28)
+ 54: (15) if r9 == 0x0 goto pc+3
+ 55: (79) r8 = *(u64 *)(r9 +32)
+ 56: (79) r9 = *(u64 *)(r9 +0)
+ 57: (05) goto pc+1
+ 58: (79) r8 = *(u64 *)(r9 +32)
+
+Here r9 register was in-use so r8 is chosen as the temporary register.
+In line 52 r8 is saved in temp variable and at line 54 restored in case
+fullsock != 0. Finally we handle fullsock == 0 case by restoring at
+line 58.
+
+This adds a new macro SOCK_OPS_GET_SK it is almost possible to merge
+this with SOCK_OPS_GET_FIELD, but I found the extra branch logic a
+bit more confusing than just adding a new macro despite a bit of
+duplicating code.
+
+Fixes: 1314ef561102e ("bpf: export bpf_sock for BPF_PROG_TYPE_SOCK_OPS prog type")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/159718349653.4728.6559437186853473612.stgit@john-Precision-5820-Tower
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 49 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 09286a1f7457d..a69e79327c29e 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8290,6 +8290,43 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
+ } \
+ } while (0)
+
++#define SOCK_OPS_GET_SK() \
++ do { \
++ int fullsock_reg = si->dst_reg, reg = BPF_REG_9, jmp = 1; \
++ if (si->dst_reg == reg || si->src_reg == reg) \
++ reg--; \
++ if (si->dst_reg == reg || si->src_reg == reg) \
++ reg--; \
++ if (si->dst_reg == si->src_reg) { \
++ *insn++ = BPF_STX_MEM(BPF_DW, si->src_reg, reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
++ fullsock_reg = reg; \
++ jmp += 2; \
++ } \
++ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \
++ struct bpf_sock_ops_kern, \
++ is_fullsock), \
++ fullsock_reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ is_fullsock)); \
++ *insn++ = BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp); \
++ if (si->dst_reg == si->src_reg) \
++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
++ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \
++ struct bpf_sock_ops_kern, sk),\
++ si->dst_reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, sk));\
++ if (si->dst_reg == si->src_reg) { \
++ *insn++ = BPF_JMP_A(1); \
++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
++ } \
++ } while (0)
++
+ #define SOCK_OPS_GET_TCP_SOCK_FIELD(FIELD) \
+ SOCK_OPS_GET_FIELD(FIELD, FIELD, struct tcp_sock)
+
+@@ -8574,17 +8611,7 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
+ SOCK_OPS_GET_TCP_SOCK_FIELD(bytes_acked);
+ break;
+ case offsetof(struct bpf_sock_ops, sk):
+- *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+- struct bpf_sock_ops_kern,
+- is_fullsock),
+- si->dst_reg, si->src_reg,
+- offsetof(struct bpf_sock_ops_kern,
+- is_fullsock));
+- *insn++ = BPF_JMP_IMM(BPF_JEQ, si->dst_reg, 0, 1);
+- *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+- struct bpf_sock_ops_kern, sk),
+- si->dst_reg, si->src_reg,
+- offsetof(struct bpf_sock_ops_kern, sk));
++ SOCK_OPS_GET_SK();
+ break;
+ }
+ return insn - insn_buf;
+--
+2.25.1
+
--- /dev/null
+From d41f20e4dd8034803ba05f23f69d7a98bf843a79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 10:42:14 -0700
+Subject: bpf: Use get_file_rcu() instead of get_file() for task_file iterator
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit cf28f3bbfca097d956f9021cb710dfad56adcc62 ]
+
+With latest `bpftool prog` command, we observed the following kernel
+panic.
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor instruction fetch in kernel mode
+ #PF: error_code(0x0010) - not-present page
+ PGD dfe894067 P4D dfe894067 PUD deb663067 PMD 0
+ Oops: 0010 [#1] SMP
+ CPU: 9 PID: 6023 ...
+ RIP: 0010:0x0
+ Code: Bad RIP value.
+ RSP: 0000:ffffc900002b8f18 EFLAGS: 00010286
+ RAX: ffff8883a405f400 RBX: ffff888e46a6bf00 RCX: 000000008020000c
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8883a405f400
+ RBP: ffff888e46a6bf50 R08: 0000000000000000 R09: ffffffff81129600
+ R10: ffff8883a405f300 R11: 0000160000000000 R12: 0000000000002710
+ R13: 000000e9494b690c R14: 0000000000000202 R15: 0000000000000009
+ FS: 00007fd9187fe700(0000) GS:ffff888e46a40000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffffffffffffd6 CR3: 0000000de5d33002 CR4: 0000000000360ee0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <IRQ>
+ rcu_core+0x1a4/0x440
+ __do_softirq+0xd3/0x2c8
+ irq_exit+0x9d/0xa0
+ smp_apic_timer_interrupt+0x68/0x120
+ apic_timer_interrupt+0xf/0x20
+ </IRQ>
+ RIP: 0033:0x47ce80
+ Code: Bad RIP value.
+ RSP: 002b:00007fd9187fba40 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
+ RAX: 0000000000000002 RBX: 00007fd931789160 RCX: 000000000000010c
+ RDX: 00007fd9308cdfb4 RSI: 00007fd9308cdfb4 RDI: 00007ffedd1ea0a8
+ RBP: 00007fd9187fbab0 R08: 000000000000000e R09: 000000000000002a
+ R10: 0000000000480210 R11: 00007fd9187fc570 R12: 00007fd9316cc400
+ R13: 0000000000000118 R14: 00007fd9308cdfb4 R15: 00007fd9317a9380
+
+After further analysis, the bug is triggered by
+Commit eaaacd23910f ("bpf: Add task and task/file iterator targets")
+which introduced task_file bpf iterator, which traverses all open file
+descriptors for all tasks in the current namespace.
+The latest `bpftool prog` calls a task_file bpf program to traverse
+all files in the system in order to associate processes with progs/maps, etc.
+When traversing files for a given task, rcu read_lock is taken to
+access all files in a file_struct. But it used get_file() to grab
+a file, which is not right. It is possible file->f_count is 0 and
+get_file() will unconditionally increase it.
+Later put_file() may cause all kind of issues with the above
+as one of sympotoms.
+
+The failure can be reproduced with the following steps in a few seconds:
+ $ cat t.c
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+
+ #define N 10000
+ int fd[N];
+ int main() {
+ int i;
+
+ for (i = 0; i < N; i++) {
+ fd[i] = open("./note.txt", 'r');
+ if (fd[i] < 0) {
+ fprintf(stderr, "failed\n");
+ return -1;
+ }
+ }
+ for (i = 0; i < N; i++)
+ close(fd[i]);
+
+ return 0;
+ }
+ $ gcc -O2 t.c
+ $ cat run.sh
+ #/bin/bash
+ for i in {1..100}
+ do
+ while true; do ./a.out; done &
+ done
+ $ ./run.sh
+ $ while true; do bpftool prog >& /dev/null; done
+
+This patch used get_file_rcu() which only grabs a file if the
+file->f_count is not zero. This is to ensure the file pointer
+is always valid. The above reproducer did not fail for more
+than 30 minutes.
+
+Fixes: eaaacd23910f ("bpf: Add task and task/file iterator targets")
+Suggested-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/bpf/20200817174214.252601-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/task_iter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c
+index ac7869a389990..a4a0fb4f94cc1 100644
+--- a/kernel/bpf/task_iter.c
++++ b/kernel/bpf/task_iter.c
+@@ -177,10 +177,11 @@ task_file_seq_get_next(struct bpf_iter_seq_task_file_info *info,
+ f = fcheck_files(curr_files, curr_fd);
+ if (!f)
+ continue;
++ if (!get_file_rcu(f))
++ continue;
+
+ /* set info->fd */
+ info->fd = curr_fd;
+- get_file(f);
+ rcu_read_unlock();
+ return f;
+ }
+--
+2.25.1
+
--- /dev/null
+From 30ec044f4d78cd833c88f50e74259cec3f4a37cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:50:24 +0800
+Subject: can: j1939: abort multipacket broadcast session when timeout occurs
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 2b8b2e31555cf55ba3680fb28e2b382e168d7ea1 ]
+
+If timeout occurs, j1939_tp_rxtimer() first calls hrtimer_start() to restart
+rxtimer, and then calls __j1939_session_cancel() to set session->state =
+J1939_SESSION_WAITING_ABORT. At next timeout expiration, because of the
+J1939_SESSION_WAITING_ABORT session state j1939_tp_rxtimer() will call
+j1939_session_deactivate_activate_next() to deactivate current session, and
+rxtimer won't be set.
+
+But for multipacket broadcast session, __j1939_session_cancel() don't set
+session->state = J1939_SESSION_WAITING_ABORT, thus current session won't be
+deactivate and hrtimer_start() is called to start new rxtimer again and again.
+
+So fix it by moving session->state = J1939_SESSION_WAITING_ABORT out of if
+(!j1939_cb_is_broadcast(&session->skcb)) statement.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1596599425-5534-4-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index d1a9adde677b0..e3167619b196f 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1074,9 +1074,9 @@ static void __j1939_session_cancel(struct j1939_session *session,
+ lockdep_assert_held(&session->priv->active_session_list_lock);
+
+ session->err = j1939_xtp_abort_to_errno(priv, err);
++ session->state = J1939_SESSION_WAITING_ABORT;
+ /* do not send aborts on incoming broadcasts */
+ if (!j1939_cb_is_broadcast(&session->skcb)) {
+- session->state = J1939_SESSION_WAITING_ABORT;
+ j1939_xtp_tx_abort(priv, &session->skcb,
+ !session->transmission,
+ err, session->skcb.addr.pgn);
+--
+2.25.1
+
--- /dev/null
+From 14fb728fef196f55279b0af892f5744800b95f48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:50:25 +0800
+Subject: can: j1939: add rxtimer for multipacket broadcast session
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 0ae18a82686f9b9965a8ce0dd81371871b306ffe ]
+
+According to SAE J1939/21 (Chapter 5.12.3 and APPENDIX C), for transmit side
+the required time interval between packets of a multipacket broadcast message
+is 50 to 200 ms, the responder shall use a timeout of 250ms (provides margin
+allowing for the maximumm spacing of 200ms). For receive side a timeout will
+occur when a time of greater than 750 ms elapsed between two message packets
+when more packets were expected.
+
+So this patch fix and add rxtimer for multipacket broadcast session.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1596599425-5534-5-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index e3167619b196f..dbd215cbc53d8 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -723,10 +723,12 @@ static int j1939_session_tx_rts(struct j1939_session *session)
+ return ret;
+
+ session->last_txcmd = dat[0];
+- if (dat[0] == J1939_TP_CMD_BAM)
++ if (dat[0] == J1939_TP_CMD_BAM) {
+ j1939_tp_schedule_txtimer(session, 50);
+-
+- j1939_tp_set_rxtimeout(session, 1250);
++ j1939_tp_set_rxtimeout(session, 250);
++ } else {
++ j1939_tp_set_rxtimeout(session, 1250);
++ }
+
+ netdev_dbg(session->priv->ndev, "%s: 0x%p\n", __func__, session);
+
+@@ -1687,11 +1689,15 @@ static void j1939_xtp_rx_rts(struct j1939_priv *priv, struct sk_buff *skb,
+ }
+ session->last_cmd = cmd;
+
+- j1939_tp_set_rxtimeout(session, 1250);
+-
+- if (cmd != J1939_TP_CMD_BAM && !session->transmission) {
+- j1939_session_txtimer_cancel(session);
+- j1939_tp_schedule_txtimer(session, 0);
++ if (cmd == J1939_TP_CMD_BAM) {
++ if (!session->transmission)
++ j1939_tp_set_rxtimeout(session, 750);
++ } else {
++ if (!session->transmission) {
++ j1939_session_txtimer_cancel(session);
++ j1939_tp_schedule_txtimer(session, 0);
++ }
++ j1939_tp_set_rxtimeout(session, 1250);
+ }
+
+ j1939_session_put(session);
+@@ -1742,6 +1748,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ int offset;
+ int nbytes;
+ bool final = false;
++ bool remain = false;
+ bool do_cts_eoma = false;
+ int packet;
+
+@@ -1804,6 +1811,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ j1939_cb_is_broadcast(&session->skcb)) {
+ if (session->pkt.rx >= session->pkt.total)
+ final = true;
++ else
++ remain = true;
+ } else {
+ /* never final, an EOMA must follow */
+ if (session->pkt.rx >= session->pkt.last)
+@@ -1813,6 +1822,9 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ if (final) {
+ j1939_session_timers_cancel(session);
+ j1939_session_completed(session);
++ } else if (remain) {
++ if (!session->transmission)
++ j1939_tp_set_rxtimeout(session, 750);
+ } else if (do_cts_eoma) {
+ j1939_tp_set_rxtimeout(session, 1250);
+ if (!session->transmission)
+--
+2.25.1
+
--- /dev/null
+From 4c070949a6e04857413733e9f7323948ce8135c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:50:23 +0800
+Subject: can: j1939: cancel rxtimer on multipacket broadcast session complete
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit e8b17653088f28a87c81845fa41a2d295a3b458c ]
+
+If j1939_xtp_rx_dat_one() receive last frame of multipacket broadcast message,
+j1939_session_timers_cancel() should be called to cancel rxtimer.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1596599425-5534-3-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 67189b4c482c5..d1a9adde677b0 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1811,6 +1811,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ }
+
+ if (final) {
++ j1939_session_timers_cancel(session);
+ j1939_session_completed(session);
+ } else if (do_cts_eoma) {
+ j1939_tp_set_rxtimeout(session, 1250);
+--
+2.25.1
+
--- /dev/null
+From bd6259ec02bc627a7a6be344026893cd5f06903f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 09:18:34 -0700
+Subject: can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 38ba8b9241f5848a49b80fddac9ab5f4692e434e ]
+
+syzbot found that at least 2 bytes of kernel information
+were leaked during getsockname() on AF_CAN CAN_J1939 socket.
+
+Since struct sockaddr_can has in fact two holes, simply
+clear the whole area before filling it with useful data.
+
+BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
+CPU: 0 PID: 8466 Comm: syz-executor511 Not tainted 5.8.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
+ kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
+ kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
+ instrument_copy_to_user include/linux/instrumented.h:91 [inline]
+ _copy_to_user+0x18e/0x260 lib/usercopy.c:39
+ copy_to_user include/linux/uaccess.h:186 [inline]
+ move_addr_to_user+0x3de/0x670 net/socket.c:237
+ __sys_getsockname+0x407/0x5e0 net/socket.c:1909
+ __do_sys_getsockname net/socket.c:1920 [inline]
+ __se_sys_getsockname+0x91/0xb0 net/socket.c:1917
+ __x64_sys_getsockname+0x4a/0x70 net/socket.c:1917
+ do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x440219
+Code: Bad RIP value.
+RSP: 002b:00007ffe5ee150c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000033
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
+RDX: 0000000020000240 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a20
+R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable ----address@__sys_getsockname created at:
+ __sys_getsockname+0x91/0x5e0 net/socket.c:1894
+ __sys_getsockname+0x91/0x5e0 net/socket.c:1894
+
+Bytes 2-3 of 24 are uninitialized
+Memory access of size 24 starts at ffff8880ba2c7de8
+Data copied to user address 0000000020000100
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Robin van der Gracht <robin@protonic.nl>
+Cc: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: linux-can@vger.kernel.org
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20200813161834.4021638-1-edumazet@google.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/socket.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
+index 11d566c70a944..1b7dc1a8547f3 100644
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -561,6 +561,11 @@ static int j1939_sk_connect(struct socket *sock, struct sockaddr *uaddr,
+ static void j1939_sk_sock2sockaddr_can(struct sockaddr_can *addr,
+ const struct j1939_sock *jsk, int peer)
+ {
++ /* There are two holes (2 bytes and 3 bytes) to clear to avoid
++ * leaking kernel information to user space.
++ */
++ memset(addr, 0, J1939_MIN_NAMELEN);
++
+ addr->can_family = AF_CAN;
+ addr->can_ifindex = jsk->ifindex;
+ addr->can_addr.j1939.pgn = jsk->addr.pgn;
+--
+2.25.1
+
--- /dev/null
+From 8d2b534969033adb99c0f102fc98fc9d84fea7fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:50:22 +0800
+Subject: can: j1939: fix support for multipacket broadcast message
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit f4fd77fd87e9b214c26bb2ebd4f90055eaea5ade ]
+
+Currently j1939_tp_im_involved_anydir() in j1939_tp_recv() check the previously
+set flags J1939_ECU_LOCAL_DST and J1939_ECU_LOCAL_SRC of incoming skb, thus
+multipacket broadcast message was aborted by receive side because it may come
+from remote ECUs and have no exact dst address. Similarly, j1939_tp_cmd_recv()
+and j1939_xtp_rx_dat() didn't process broadcast message.
+
+So fix it by checking and process broadcast message in j1939_tp_recv(),
+j1939_tp_cmd_recv() and j1939_xtp_rx_dat().
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1596599425-5534-2-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 90a2baac8a4aa..67189b4c482c5 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1673,8 +1673,12 @@ static void j1939_xtp_rx_rts(struct j1939_priv *priv, struct sk_buff *skb,
+ return;
+ }
+ session = j1939_xtp_rx_rts_session_new(priv, skb);
+- if (!session)
++ if (!session) {
++ if (cmd == J1939_TP_CMD_BAM && j1939_sk_recv_match(priv, skcb))
++ netdev_info(priv->ndev, "%s: failed to create TP BAM session\n",
++ __func__);
+ return;
++ }
+ } else {
+ if (j1939_xtp_rx_rts_session_active(session, skb)) {
+ j1939_session_put(session);
+@@ -1852,6 +1856,13 @@ static void j1939_xtp_rx_dat(struct j1939_priv *priv, struct sk_buff *skb)
+ else
+ j1939_xtp_rx_dat_one(session, skb);
+ }
++
++ if (j1939_cb_is_broadcast(skcb)) {
++ session = j1939_session_get_by_addr(priv, &skcb->addr, false,
++ false);
++ if (session)
++ j1939_xtp_rx_dat_one(session, skb);
++ }
+ }
+
+ /* j1939 main intf */
+@@ -1943,7 +1954,7 @@ static void j1939_tp_cmd_recv(struct j1939_priv *priv, struct sk_buff *skb)
+ if (j1939_tp_im_transmitter(skcb))
+ j1939_xtp_rx_rts(priv, skb, true);
+
+- if (j1939_tp_im_receiver(skcb))
++ if (j1939_tp_im_receiver(skcb) || j1939_cb_is_broadcast(skcb))
+ j1939_xtp_rx_rts(priv, skb, false);
+
+ break;
+@@ -2007,7 +2018,7 @@ int j1939_tp_recv(struct j1939_priv *priv, struct sk_buff *skb)
+ {
+ struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb);
+
+- if (!j1939_tp_im_involved_anydir(skcb))
++ if (!j1939_tp_im_involved_anydir(skcb) && !j1939_cb_is_broadcast(skcb))
+ return 0;
+
+ switch (skcb->addr.pgn) {
+--
+2.25.1
+
--- /dev/null
+From 0e2ec63d186c508152de987685e1a6ec5a83ae6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Aug 2020 12:51:59 +0200
+Subject: can: j1939: transport: add j1939_session_skb_find_by_offset()
+ function
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 840835c9281215341d84966a8855f267a971e6a3 ]
+
+Sometimes it makes no sense to search the skb by pkt.dpo, since we need
+next the skb within the transaction block. This may happen if we have an
+ETP session with CTS set to less than 255 packets.
+
+After this patch, we will be able to work with ETP sessions where the
+block size (ETP.CM_CTS byte 2) is less than 255 packets.
+
+Reported-by: Henrique Figueira <henrislip@gmail.com>
+Reported-by: https://github.com/linux-can/can-utils/issues/228
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20200807105200.26441-5-o.rempel@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 30957c9a8eb7a..90a2baac8a4aa 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -352,17 +352,16 @@ void j1939_session_skb_queue(struct j1939_session *session,
+ skb_queue_tail(&session->skb_queue, skb);
+ }
+
+-static struct sk_buff *j1939_session_skb_find(struct j1939_session *session)
++static struct
++sk_buff *j1939_session_skb_find_by_offset(struct j1939_session *session,
++ unsigned int offset_start)
+ {
+ struct j1939_priv *priv = session->priv;
++ struct j1939_sk_buff_cb *do_skcb;
+ struct sk_buff *skb = NULL;
+ struct sk_buff *do_skb;
+- struct j1939_sk_buff_cb *do_skcb;
+- unsigned int offset_start;
+ unsigned long flags;
+
+- offset_start = session->pkt.dpo * 7;
+-
+ spin_lock_irqsave(&session->skb_queue.lock, flags);
+ skb_queue_walk(&session->skb_queue, do_skb) {
+ do_skcb = j1939_skb_to_cb(do_skb);
+@@ -382,6 +381,14 @@ static struct sk_buff *j1939_session_skb_find(struct j1939_session *session)
+ return skb;
+ }
+
++static struct sk_buff *j1939_session_skb_find(struct j1939_session *session)
++{
++ unsigned int offset_start;
++
++ offset_start = session->pkt.dpo * 7;
++ return j1939_session_skb_find_by_offset(session, offset_start);
++}
++
+ /* see if we are receiver
+ * returns 0 for broadcasts, although we will receive them
+ */
+@@ -766,7 +773,7 @@ static int j1939_session_tx_dat(struct j1939_session *session)
+ int ret = 0;
+ u8 dat[8];
+
+- se_skb = j1939_session_skb_find(session);
++ se_skb = j1939_session_skb_find_by_offset(session, session->pkt.tx * 7);
+ if (!se_skb)
+ return -ENOBUFS;
+
+@@ -1765,7 +1772,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ __func__, session);
+ goto out_session_cancel;
+ }
+- se_skb = j1939_session_skb_find(session);
++
++ se_skb = j1939_session_skb_find_by_offset(session, packet * 7);
+ if (!se_skb) {
+ netdev_warn(priv->ndev, "%s: 0x%p: no skb found\n", __func__,
+ session);
+--
+2.25.1
+
--- /dev/null
+From 3504785ed9cef1fdf26131dfe3bc589b7fd602ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Aug 2020 12:51:56 +0200
+Subject: can: j1939: transport: j1939_simple_recv(): ignore local J1939
+ messages send not by J1939 stack
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit b43e3a82bc432c1caaed8950e7662c143470c54c ]
+
+In current J1939 stack implementation, we process all locally send
+messages as own messages. Even if it was send by CAN_RAW socket.
+
+To reproduce it use following commands:
+testj1939 -P -r can0:0x80 &
+cansend can0 18238040#0123
+
+This step will trigger false positive not critical warning:
+j1939_simple_recv: Received already invalidated message
+
+With this patch we add additional check to make sure, related skb is own
+echo message.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20200807105200.26441-2-o.rempel@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/socket.c | 1 +
+ net/can/j1939/transport.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
+index 1b7dc1a8547f3..bf9fd6ee88fe0 100644
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -398,6 +398,7 @@ static int j1939_sk_init(struct sock *sk)
+ spin_lock_init(&jsk->sk_session_queue_lock);
+ INIT_LIST_HEAD(&jsk->sk_session_queue);
+ sk->sk_destruct = j1939_sk_sock_destruct;
++ sk->sk_protocol = CAN_J1939;
+
+ return 0;
+ }
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 5bfe6bf15a999..30957c9a8eb7a 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -2032,6 +2032,10 @@ void j1939_simple_recv(struct j1939_priv *priv, struct sk_buff *skb)
+ if (!skb->sk)
+ return;
+
++ if (skb->sk->sk_family != AF_CAN ||
++ skb->sk->sk_protocol != CAN_J1939)
++ return;
++
+ j1939_session_list_lock(priv);
+ session = j1939_session_get_simple(priv, skb);
+ j1939_session_list_unlock(priv);
+--
+2.25.1
+
--- /dev/null
+From b1eeee54b1d702b99aee61cfe48e36c1f015fa0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 18:16:47 +0800
+Subject: drm/virtio: fix missing dma_fence_put() in
+ virtio_gpu_execbuffer_ioctl()
+
+From: Qi Liu <liuqi.16@bytedance.com>
+
+[ Upstream commit 8b6ec999b198b59ae61e86e70f5e9df73fe4754f ]
+
+We should put the reference count of the fence after calling
+virtio_gpu_cmd_submit(). So add the missing dma_fence_put().
+
+Fixes: 2cd7b6f08bc4 ("drm/virtio: add in/out fence support for explicit synchronization")
+Co-developed-by: Xin He <hexin.op@bytedance.com>
+Signed-off-by: Xin He <hexin.op@bytedance.com>
+Signed-off-by: Qi Liu <liuqi.16@bytedance.com>
+Reviewed-by: Muchun Song <songmuchun@bytedance.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20200721101647.42653-1-hexin.op@bytedance.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+index 5df722072ba0b..19c5bc01eb790 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -179,6 +179,7 @@ static int virtio_gpu_execbuffer_ioctl(struct drm_device *dev, void *data,
+
+ virtio_gpu_cmd_submit(vgdev, buf, exbuf->size,
+ vfpriv->ctx_id, buflist, out_fence);
++ dma_fence_put(&out_fence->f);
+ virtio_gpu_notify(vgdev);
+ return 0;
+
+--
+2.25.1
+
--- /dev/null
+From 33af73499bc8f779403dd661206355d9cc8ccb2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 16:16:51 +0200
+Subject: efi: avoid error message when booting under Xen
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 6163a985e50cb19d5bdf73f98e45b8af91a77658 ]
+
+efifb_probe() will issue an error message in case the kernel is booted
+as Xen dom0 from UEFI as EFI_MEMMAP won't be set in this case. Avoid
+that message by calling efi_mem_desc_lookup() only if EFI_MEMMAP is set.
+
+Fixes: 38ac0287b7f4 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/efifb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
+index 65491ae74808d..e57c00824965c 100644
+--- a/drivers/video/fbdev/efifb.c
++++ b/drivers/video/fbdev/efifb.c
+@@ -453,7 +453,7 @@ static int efifb_probe(struct platform_device *dev)
+ info->apertures->ranges[0].base = efifb_fix.smem_start;
+ info->apertures->ranges[0].size = size_remap;
+
+- if (efi_enabled(EFI_BOOT) &&
++ if (efi_enabled(EFI_MEMMAP) &&
+ !efi_mem_desc_lookup(efifb_fix.smem_start, &md)) {
+ if ((efifb_fix.smem_start + efifb_fix.smem_len) >
+ (md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT))) {
+--
+2.25.1
+
--- /dev/null
+From bc14c93dfbd71fdc2b03ba1d1c3f1e1f9bb9d4fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 15:04:34 +0200
+Subject: ext4: check journal inode extents more carefully
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit ce9f24cccdc019229b70a5c15e2b09ad9c0ab5d1 ]
+
+Currently, system zones just track ranges of block, that are "important"
+fs metadata (bitmaps, group descriptors, journal blocks, etc.). This
+however complicates how extent tree (or indirect blocks) can be checked
+for inodes that actually track such metadata - currently the journal
+inode but arguably we should be treating quota files or resize inode
+similarly. We cannot run __ext4_ext_check() on such metadata inodes when
+loading their extents as that would immediately trigger the validity
+checks and so we just hack around that and special-case the journal
+inode. This however leads to a situation that a journal inode which has
+extent tree of depth at least one can have invalid extent tree that gets
+unnoticed until ext4_cache_extents() crashes.
+
+To overcome this limitation, track inode number each system zone belongs
+to (0 is used for zones not belonging to any inode). We can then verify
+inode number matches the expected one when verifying extent tree and
+thus avoid the false errors. With this there's no need to to
+special-case journal inode during extent tree checking anymore so remove
+it.
+
+Fixes: 0a944e8a6c66 ("ext4: don't perform block validity checks on the journal inode")
+Reported-by: Wolfgang Frisch <wolfgang.frisch@suse.com>
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20200728130437.7804-4-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/block_validity.c | 51 ++++++++++++++++++++--------------------
+ fs/ext4/ext4.h | 6 ++---
+ fs/ext4/extents.c | 16 +++++--------
+ fs/ext4/indirect.c | 6 ++---
+ fs/ext4/inode.c | 5 ++--
+ fs/ext4/mballoc.c | 4 ++--
+ 6 files changed, 41 insertions(+), 47 deletions(-)
+
+diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c
+index b394a50ebbe30..e830a9d4e10d3 100644
+--- a/fs/ext4/block_validity.c
++++ b/fs/ext4/block_validity.c
+@@ -24,6 +24,7 @@ struct ext4_system_zone {
+ struct rb_node node;
+ ext4_fsblk_t start_blk;
+ unsigned int count;
++ u32 ino;
+ };
+
+ static struct kmem_cache *ext4_system_zone_cachep;
+@@ -45,7 +46,8 @@ void ext4_exit_system_zone(void)
+ static inline int can_merge(struct ext4_system_zone *entry1,
+ struct ext4_system_zone *entry2)
+ {
+- if ((entry1->start_blk + entry1->count) == entry2->start_blk)
++ if ((entry1->start_blk + entry1->count) == entry2->start_blk &&
++ entry1->ino == entry2->ino)
+ return 1;
+ return 0;
+ }
+@@ -66,7 +68,7 @@ static void release_system_zone(struct ext4_system_blocks *system_blks)
+ */
+ static int add_system_zone(struct ext4_system_blocks *system_blks,
+ ext4_fsblk_t start_blk,
+- unsigned int count)
++ unsigned int count, u32 ino)
+ {
+ struct ext4_system_zone *new_entry, *entry;
+ struct rb_node **n = &system_blks->root.rb_node, *node;
+@@ -89,6 +91,7 @@ static int add_system_zone(struct ext4_system_blocks *system_blks,
+ return -ENOMEM;
+ new_entry->start_blk = start_blk;
+ new_entry->count = count;
++ new_entry->ino = ino;
+ new_node = &new_entry->node;
+
+ rb_link_node(new_node, parent, n);
+@@ -149,7 +152,7 @@ static void debug_print_tree(struct ext4_sb_info *sbi)
+ static int ext4_data_block_valid_rcu(struct ext4_sb_info *sbi,
+ struct ext4_system_blocks *system_blks,
+ ext4_fsblk_t start_blk,
+- unsigned int count)
++ unsigned int count, ino_t ino)
+ {
+ struct ext4_system_zone *entry;
+ struct rb_node *n;
+@@ -170,7 +173,7 @@ static int ext4_data_block_valid_rcu(struct ext4_sb_info *sbi,
+ else if (start_blk >= (entry->start_blk + entry->count))
+ n = n->rb_right;
+ else
+- return 0;
++ return entry->ino == ino;
+ }
+ return 1;
+ }
+@@ -204,19 +207,18 @@ static int ext4_protect_reserved_inode(struct super_block *sb,
+ if (n == 0) {
+ i++;
+ } else {
+- if (!ext4_data_block_valid_rcu(sbi, system_blks,
+- map.m_pblk, n)) {
+- err = -EFSCORRUPTED;
+- __ext4_error(sb, __func__, __LINE__, -err,
+- map.m_pblk, "blocks %llu-%llu "
+- "from inode %u overlap system zone",
+- map.m_pblk,
+- map.m_pblk + map.m_len - 1, ino);
++ err = add_system_zone(system_blks, map.m_pblk, n, ino);
++ if (err < 0) {
++ if (err == -EFSCORRUPTED) {
++ __ext4_error(sb, __func__, __LINE__,
++ -err, map.m_pblk,
++ "blocks %llu-%llu from inode %u overlap system zone",
++ map.m_pblk,
++ map.m_pblk + map.m_len - 1,
++ ino);
++ }
+ break;
+ }
+- err = add_system_zone(system_blks, map.m_pblk, n);
+- if (err < 0)
+- break;
+ i += n;
+ }
+ }
+@@ -270,19 +272,19 @@ int ext4_setup_system_zone(struct super_block *sb)
+ ((i < 5) || ((i % flex_size) == 0)))
+ add_system_zone(system_blks,
+ ext4_group_first_block_no(sb, i),
+- ext4_bg_num_gdb(sb, i) + 1);
++ ext4_bg_num_gdb(sb, i) + 1, 0);
+ gdp = ext4_get_group_desc(sb, i, NULL);
+ ret = add_system_zone(system_blks,
+- ext4_block_bitmap(sb, gdp), 1);
++ ext4_block_bitmap(sb, gdp), 1, 0);
+ if (ret)
+ goto err;
+ ret = add_system_zone(system_blks,
+- ext4_inode_bitmap(sb, gdp), 1);
++ ext4_inode_bitmap(sb, gdp), 1, 0);
+ if (ret)
+ goto err;
+ ret = add_system_zone(system_blks,
+ ext4_inode_table(sb, gdp),
+- sbi->s_itb_per_group);
++ sbi->s_itb_per_group, 0);
+ if (ret)
+ goto err;
+ }
+@@ -331,7 +333,7 @@ void ext4_release_system_zone(struct super_block *sb)
+ call_rcu(&system_blks->rcu, ext4_destroy_system_zone);
+ }
+
+-int ext4_data_block_valid(struct ext4_sb_info *sbi, ext4_fsblk_t start_blk,
++int ext4_inode_block_valid(struct inode *inode, ext4_fsblk_t start_blk,
+ unsigned int count)
+ {
+ struct ext4_system_blocks *system_blks;
+@@ -343,9 +345,9 @@ int ext4_data_block_valid(struct ext4_sb_info *sbi, ext4_fsblk_t start_blk,
+ * mount option.
+ */
+ rcu_read_lock();
+- system_blks = rcu_dereference(sbi->system_blks);
+- ret = ext4_data_block_valid_rcu(sbi, system_blks, start_blk,
+- count);
++ system_blks = rcu_dereference(EXT4_SB(inode->i_sb)->system_blks);
++ ret = ext4_data_block_valid_rcu(EXT4_SB(inode->i_sb), system_blks,
++ start_blk, count, inode->i_ino);
+ rcu_read_unlock();
+ return ret;
+ }
+@@ -364,8 +366,7 @@ int ext4_check_blockref(const char *function, unsigned int line,
+ while (bref < p+max) {
+ blk = le32_to_cpu(*bref++);
+ if (blk &&
+- unlikely(!ext4_data_block_valid(EXT4_SB(inode->i_sb),
+- blk, 1))) {
++ unlikely(!ext4_inode_block_valid(inode, blk, 1))) {
+ ext4_error_inode(inode, function, line, blk,
+ "invalid block");
+ return -EFSCORRUPTED;
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 42f5060f3cdf1..42815304902b8 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -3363,9 +3363,9 @@ extern void ext4_release_system_zone(struct super_block *sb);
+ extern int ext4_setup_system_zone(struct super_block *sb);
+ extern int __init ext4_init_system_zone(void);
+ extern void ext4_exit_system_zone(void);
+-extern int ext4_data_block_valid(struct ext4_sb_info *sbi,
+- ext4_fsblk_t start_blk,
+- unsigned int count);
++extern int ext4_inode_block_valid(struct inode *inode,
++ ext4_fsblk_t start_blk,
++ unsigned int count);
+ extern int ext4_check_blockref(const char *, unsigned int,
+ struct inode *, __le32 *, unsigned int);
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 221f240eae604..d75054570e44c 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -340,7 +340,7 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext)
+ */
+ if (lblock + len <= lblock)
+ return 0;
+- return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
++ return ext4_inode_block_valid(inode, block, len);
+ }
+
+ static int ext4_valid_extent_idx(struct inode *inode,
+@@ -348,7 +348,7 @@ static int ext4_valid_extent_idx(struct inode *inode,
+ {
+ ext4_fsblk_t block = ext4_idx_pblock(ext_idx);
+
+- return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, 1);
++ return ext4_inode_block_valid(inode, block, 1);
+ }
+
+ static int ext4_valid_extent_entries(struct inode *inode,
+@@ -507,14 +507,10 @@ __read_extent_tree_block(const char *function, unsigned int line,
+ }
+ if (buffer_verified(bh) && !(flags & EXT4_EX_FORCE_CACHE))
+ return bh;
+- if (!ext4_has_feature_journal(inode->i_sb) ||
+- (inode->i_ino !=
+- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) {
+- err = __ext4_ext_check(function, line, inode,
+- ext_block_hdr(bh), depth, pblk);
+- if (err)
+- goto errout;
+- }
++ err = __ext4_ext_check(function, line, inode,
++ ext_block_hdr(bh), depth, pblk);
++ if (err)
++ goto errout;
+ set_buffer_verified(bh);
+ /*
+ * If this is a leaf block, cache all of its entries
+diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c
+index be2b66eb65f7a..4026418257121 100644
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -858,8 +858,7 @@ static int ext4_clear_blocks(handle_t *handle, struct inode *inode,
+ else if (ext4_should_journal_data(inode))
+ flags |= EXT4_FREE_BLOCKS_FORGET;
+
+- if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), block_to_free,
+- count)) {
++ if (!ext4_inode_block_valid(inode, block_to_free, count)) {
+ EXT4_ERROR_INODE(inode, "attempt to clear invalid "
+ "blocks %llu len %lu",
+ (unsigned long long) block_to_free, count);
+@@ -1004,8 +1003,7 @@ static void ext4_free_branches(handle_t *handle, struct inode *inode,
+ if (!nr)
+ continue; /* A hole */
+
+- if (!ext4_data_block_valid(EXT4_SB(inode->i_sb),
+- nr, 1)) {
++ if (!ext4_inode_block_valid(inode, nr, 1)) {
+ EXT4_ERROR_INODE(inode,
+ "invalid indirect mapped "
+ "block %lu (level %d)",
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 10dd470876b30..92573f8540ab7 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -394,8 +394,7 @@ static int __check_block_validity(struct inode *inode, const char *func,
+ (inode->i_ino ==
+ le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
+ return 0;
+- if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk,
+- map->m_len)) {
++ if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) {
+ ext4_error_inode(inode, func, line, map->m_pblk,
+ "lblock %lu mapped to illegal pblock %llu "
+ "(length %d)", (unsigned long) map->m_lblk,
+@@ -4760,7 +4759,7 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
+
+ ret = 0;
+ if (ei->i_file_acl &&
+- !ext4_data_block_valid(EXT4_SB(sb), ei->i_file_acl, 1)) {
++ !ext4_inode_block_valid(inode, ei->i_file_acl, 1)) {
+ ext4_error_inode(inode, function, line, 0,
+ "iget: bad extended attribute block %llu",
+ ei->i_file_acl);
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index c0a331e2feb02..38719c156573c 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -3090,7 +3090,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
+ block = ext4_grp_offs_to_block(sb, &ac->ac_b_ex);
+
+ len = EXT4_C2B(sbi, ac->ac_b_ex.fe_len);
+- if (!ext4_data_block_valid(sbi, block, len)) {
++ if (!ext4_inode_block_valid(ac->ac_inode, block, len)) {
+ ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
+ "fs metadata", block, block+len);
+ /* File system mounted not to panic on error
+@@ -4915,7 +4915,7 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode,
+
+ sbi = EXT4_SB(sb);
+ if (!(flags & EXT4_FREE_BLOCKS_VALIDATED) &&
+- !ext4_data_block_valid(sbi, block, count)) {
++ !ext4_inode_block_valid(inode, block, count)) {
+ ext4_error(sb, "Freeing blocks not in datazone - "
+ "block = %llu, count = %lu", block, count);
+ goto error_return;
+--
+2.25.1
+
--- /dev/null
+From 6c415733c47b862404b2a928ac14ff2aa23abe24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 15:04:33 +0200
+Subject: ext4: don't allow overlapping system zones
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit bf9a379d0980e7413d94cb18dac73db2bfc5f470 ]
+
+Currently, add_system_zone() just silently merges two added system zones
+that overlap. However the overlap should not happen and it generally
+suggests that some unrelated metadata overlap which indicates the fs is
+corrupted. We should have caught such problems earlier (e.g. in
+ext4_check_descriptors()) but add this check as another line of defense.
+In later patch we also use this for stricter checking of journal inode
+extent tree.
+
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20200728130437.7804-3-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/block_validity.c | 36 +++++++++++++-----------------------
+ 1 file changed, 13 insertions(+), 23 deletions(-)
+
+diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c
+index 16e9b2fda03ae..b394a50ebbe30 100644
+--- a/fs/ext4/block_validity.c
++++ b/fs/ext4/block_validity.c
+@@ -68,7 +68,7 @@ static int add_system_zone(struct ext4_system_blocks *system_blks,
+ ext4_fsblk_t start_blk,
+ unsigned int count)
+ {
+- struct ext4_system_zone *new_entry = NULL, *entry;
++ struct ext4_system_zone *new_entry, *entry;
+ struct rb_node **n = &system_blks->root.rb_node, *node;
+ struct rb_node *parent = NULL, *new_node = NULL;
+
+@@ -79,30 +79,20 @@ static int add_system_zone(struct ext4_system_blocks *system_blks,
+ n = &(*n)->rb_left;
+ else if (start_blk >= (entry->start_blk + entry->count))
+ n = &(*n)->rb_right;
+- else {
+- if (start_blk + count > (entry->start_blk +
+- entry->count))
+- entry->count = (start_blk + count -
+- entry->start_blk);
+- new_node = *n;
+- new_entry = rb_entry(new_node, struct ext4_system_zone,
+- node);
+- break;
+- }
++ else /* Unexpected overlap of system zones. */
++ return -EFSCORRUPTED;
+ }
+
+- if (!new_entry) {
+- new_entry = kmem_cache_alloc(ext4_system_zone_cachep,
+- GFP_KERNEL);
+- if (!new_entry)
+- return -ENOMEM;
+- new_entry->start_blk = start_blk;
+- new_entry->count = count;
+- new_node = &new_entry->node;
+-
+- rb_link_node(new_node, parent, n);
+- rb_insert_color(new_node, &system_blks->root);
+- }
++ new_entry = kmem_cache_alloc(ext4_system_zone_cachep,
++ GFP_KERNEL);
++ if (!new_entry)
++ return -ENOMEM;
++ new_entry->start_blk = start_blk;
++ new_entry->count = count;
++ new_node = &new_entry->node;
++
++ rb_link_node(new_node, parent, n);
++ rb_insert_color(new_node, &system_blks->root);
+
+ /* Can we merge to the left? */
+ node = rb_prev(new_node);
+--
+2.25.1
+
--- /dev/null
+From 3eb2f400ab71ec361f07bdcaf7d72cefea4eec85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2020 14:19:04 -0500
+Subject: ext4: fix potential negative array index in do_split()
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit 5872331b3d91820e14716632ebb56b1399b34fe1 ]
+
+If for any reason a directory passed to do_split() does not have enough
+active entries to exceed half the size of the block, we can end up
+iterating over all "count" entries without finding a split point.
+
+In this case, count == move, and split will be zero, and we will
+attempt a negative index into map[].
+
+Guard against this by detecting this case, and falling back to
+split-to-half-of-count instead; in this case we will still have
+plenty of space (> half blocksize) in each split block.
+
+Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks")
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/namei.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 98b91f2314eba..a91a5bb8c3a2b 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1858,7 +1858,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+ blocksize, hinfo, map);
+ map -= count;
+ dx_sort_map(map, count);
+- /* Split the existing block in the middle, size-wise */
++ /* Ensure that neither split block is over half full */
+ size = 0;
+ move = 0;
+ for (i = count-1; i >= 0; i--) {
+@@ -1868,8 +1868,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+ size += map[i].size;
+ move++;
+ }
+- /* map index at which we will split */
+- split = count - move;
++ /*
++ * map index at which we will split
++ *
++ * If the sum of active entries didn't exceed half the block size, just
++ * split it in half by count; each resulting block will have at least
++ * half the space free.
++ */
++ if (i > 0)
++ split = count - move;
++ else
++ split = count/2;
++
+ hash2 = map[split].hash;
+ continued = hash2 == map[split - 1].hash;
+ dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n",
+--
+2.25.1
+
--- /dev/null
+From b39bb5917a7eb1c63d2d074e9e32f356ff167c25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 06:30:47 +0200
+Subject: Fix build error when CONFIG_ACPI is not set/enabled:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit ee87e1557c42dc9c2da11c38e11b87c311569853 ]
+
+../arch/x86/pci/xen.c: In function ‘pci_xen_init’:
+../arch/x86/pci/xen.c:410:2: error: implicit declaration of function ‘acpi_noirq_set’; did you mean ‘acpi_irq_get’? [-Werror=implicit-function-declaration]
+ acpi_noirq_set();
+
+Fixes: 88e9ca161c13 ("xen/pci: Use acpi_noirq_set() helper to avoid #ifdef")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: linux-pci@vger.kernel.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/pci/xen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c
+index e3f1ca3160684..db34fee931388 100644
+--- a/arch/x86/pci/xen.c
++++ b/arch/x86/pci/xen.c
+@@ -26,6 +26,7 @@
+ #include <asm/xen/pci.h>
+ #include <asm/xen/cpuid.h>
+ #include <asm/apic.h>
++#include <asm/acpi.h>
+ #include <asm/i8259.h>
+
+ static int xen_pcifront_enable_irq(struct pci_dev *dev)
+--
+2.25.1
+
--- /dev/null
+From f523b1bff85102d647473c801e4e259de2e19002 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 14:53:15 -0700
+Subject: hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit c3d897e01aef8ddc43149e4d661b86f823e3aae7 ]
+
+netvsc_vf_xmit() / dev_queue_xmit() will call VF NIC’s ndo_select_queue
+or netdev_pick_tx() again. They will use skb_get_rx_queue() to get the
+queue number, so the “skb->queue_mapping - 1” will be used. This may
+cause the last queue of VF not been used.
+
+Use skb_record_rx_queue() here, so that the skb_get_rx_queue() called
+later will get the correct queue number, and VF will be able to use
+all queues.
+
+Fixes: b3bf5666a510 ("hv_netvsc: defer queue selection to VF")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 0d779bba1b019..6b81c04ab5e29 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -502,7 +502,7 @@ static int netvsc_vf_xmit(struct net_device *net, struct net_device *vf_netdev,
+ int rc;
+
+ skb->dev = vf_netdev;
+- skb->queue_mapping = qdisc_skb_cb(skb)->slave_dev_queue_mapping;
++ skb_record_rx_queue(skb, qdisc_skb_cb(skb)->slave_dev_queue_mapping);
+
+ rc = dev_queue_xmit(skb);
+ if (likely(rc == NET_XMIT_SUCCESS || rc == NET_XMIT_CN)) {
+--
+2.25.1
+
--- /dev/null
+From 32fe49f6da513597cf59ad28ed46b6065120015d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 10:56:49 +0000
+Subject: i40e: Fix crash during removing i40e driver
+
+From: Grzegorz Szczurek <grzegorzx.szczurek@intel.com>
+
+[ Upstream commit 5b6d4a7f20b09c47ca598760f6dafd554af8b6d5 ]
+
+Fix the reason of crashing system by add waiting time to finish reset
+recovery process before starting remove driver procedure.
+Now VSI is releasing if VSI is not in reset recovery mode.
+Without this fix it was possible to start remove driver if other
+processing command need reset recovery procedure which resulted in
+null pointer dereference. VSI used by the ethtool process has been
+cleared by remove driver process.
+
+[ 6731.508665] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 6731.508668] #PF: supervisor read access in kernel mode
+[ 6731.508670] #PF: error_code(0x0000) - not-present page
+[ 6731.508671] PGD 0 P4D 0
+[ 6731.508674] Oops: 0000 [#1] SMP PTI
+[ 6731.508679] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0021.032120170601 03/21/2017
+[ 6731.508694] RIP: 0010:i40e_down+0x252/0x310 [i40e]
+[ 6731.508696] Code: c7 78 de fa c0 e8 61 02 3a c1 66 83 bb f6 0c 00 00 00 0f 84 bf 00 00 00 45 31 e4 45 31 ff eb 03 41 89 c7 48 8b 83 98 0c 00 00 <4a> 8b 3c 20 e8 a5 79 02 00 48 83 bb d0 0c 00 00 00 74 10 48 8b 83
+[ 6731.508698] RSP: 0018:ffffb75ac7b3faf0 EFLAGS: 00010246
+[ 6731.508700] RAX: 0000000000000000 RBX: ffff9c9874bd5000 RCX: 0000000000000007
+[ 6731.508701] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9c987f4d9780
+[ 6731.508703] RBP: ffffb75ac7b3fb30 R08: 0000000000005b60 R09: 0000000000000004
+[ 6731.508704] R10: ffffb75ac64fbd90 R11: 0000000000000001 R12: 0000000000000000
+[ 6731.508706] R13: ffff9c97a08e0000 R14: ffff9c97a08e0a68 R15: 0000000000000000
+[ 6731.508708] FS: 00007f2617cd2740(0000) GS:ffff9c987f4c0000(0000) knlGS:0000000000000000
+[ 6731.508710] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6731.508711] CR2: 0000000000000000 CR3: 0000001e765c4006 CR4: 00000000003606e0
+[ 6731.508713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 6731.508714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 6731.508715] Call Trace:
+[ 6731.508734] i40e_vsi_close+0x84/0x90 [i40e]
+[ 6731.508742] i40e_quiesce_vsi.part.98+0x3c/0x40 [i40e]
+[ 6731.508749] i40e_pf_quiesce_all_vsi+0x55/0x60 [i40e]
+[ 6731.508757] i40e_prep_for_reset+0x59/0x130 [i40e]
+[ 6731.508765] i40e_reconfig_rss_queues+0x5a/0x120 [i40e]
+[ 6731.508774] i40e_set_channels+0xda/0x170 [i40e]
+[ 6731.508778] ethtool_set_channels+0xe9/0x150
+[ 6731.508781] dev_ethtool+0x1b94/0x2920
+[ 6731.508805] dev_ioctl+0xc2/0x590
+[ 6731.508811] sock_do_ioctl+0xae/0x150
+[ 6731.508813] sock_ioctl+0x34f/0x3c0
+[ 6731.508821] ksys_ioctl+0x98/0xb0
+[ 6731.508828] __x64_sys_ioctl+0x1a/0x20
+[ 6731.508831] do_syscall_64+0x57/0x1c0
+[ 6731.508835] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 4b8164467b85 ("i40e: Add common function for finding VSI by type")
+Signed-off-by: Grzegorz Szczurek <grzegorzx.szczurek@intel.com>
+Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 56ecd6c3f2362..6af6367e7cac2 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -15352,6 +15352,9 @@ static void i40e_remove(struct pci_dev *pdev)
+ i40e_write_rx_ctl(hw, I40E_PFQF_HENA(0), 0);
+ i40e_write_rx_ctl(hw, I40E_PFQF_HENA(1), 0);
+
++ while (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state))
++ usleep_range(1000, 2000);
++
+ /* no more scheduling of any task */
+ set_bit(__I40E_SUSPENDED, pf->state);
+ set_bit(__I40E_DOWN, pf->state);
+--
+2.25.1
+
--- /dev/null
+From ffc83e96d05cb2807f2dc7cda8a09d6e3e300273 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 13:40:59 +0000
+Subject: i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
+
+From: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+
+[ Upstream commit 4bd5e02a2ed1575c2f65bd3c557a077dd399f0e8 ]
+
+Trusted VF with unicast promiscuous mode set, could listen to TX
+traffic of other VFs.
+Set unicast promiscuous mode to RX traffic, if VSI has port VLAN
+configured. Rename misleading I40E_AQC_SET_VSI_PROMISC_TX bit to
+I40E_AQC_SET_VSI_PROMISC_RX_ONLY. Aligned unicast promiscuous with
+VLAN to the one without VLAN.
+
+Fixes: 6c41a7606967 ("i40e: Add promiscuous on VLAN support")
+Fixes: 3b1200891b7f ("i40e: When in promisc mode apply promisc mode to Tx Traffic as well")
+Signed-off-by: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/i40e/i40e_adminq_cmd.h | 2 +-
+ drivers/net/ethernet/intel/i40e/i40e_common.c | 35 ++++++++++++++-----
+ 2 files changed, 28 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+index aa5f1c0aa7215..0921785a10795 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+@@ -1211,7 +1211,7 @@ struct i40e_aqc_set_vsi_promiscuous_modes {
+ #define I40E_AQC_SET_VSI_PROMISC_BROADCAST 0x04
+ #define I40E_AQC_SET_VSI_DEFAULT 0x08
+ #define I40E_AQC_SET_VSI_PROMISC_VLAN 0x10
+-#define I40E_AQC_SET_VSI_PROMISC_TX 0x8000
++#define I40E_AQC_SET_VSI_PROMISC_RX_ONLY 0x8000
+ __le16 seid;
+ #define I40E_AQC_VSI_PROM_CMD_SEID_MASK 0x3FF
+ __le16 vlan_tag;
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c
+index 45b90eb11adba..21e44c6cd5eac 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_common.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
+@@ -1969,6 +1969,21 @@ i40e_status i40e_aq_set_phy_debug(struct i40e_hw *hw, u8 cmd_flags,
+ return status;
+ }
+
++/**
++ * i40e_is_aq_api_ver_ge
++ * @aq: pointer to AdminQ info containing HW API version to compare
++ * @maj: API major value
++ * @min: API minor value
++ *
++ * Assert whether current HW API version is greater/equal than provided.
++ **/
++static bool i40e_is_aq_api_ver_ge(struct i40e_adminq_info *aq, u16 maj,
++ u16 min)
++{
++ return (aq->api_maj_ver > maj ||
++ (aq->api_maj_ver == maj && aq->api_min_ver >= min));
++}
++
+ /**
+ * i40e_aq_add_vsi
+ * @hw: pointer to the hw struct
+@@ -2094,18 +2109,16 @@ i40e_status i40e_aq_set_vsi_unicast_promiscuous(struct i40e_hw *hw,
+
+ if (set) {
+ flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST;
+- if (rx_only_promisc &&
+- (((hw->aq.api_maj_ver == 1) && (hw->aq.api_min_ver >= 5)) ||
+- (hw->aq.api_maj_ver > 1)))
+- flags |= I40E_AQC_SET_VSI_PROMISC_TX;
++ if (rx_only_promisc && i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY;
+ }
+
+ cmd->promiscuous_flags = cpu_to_le16(flags);
+
+ cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST);
+- if (((hw->aq.api_maj_ver >= 1) && (hw->aq.api_min_ver >= 5)) ||
+- (hw->aq.api_maj_ver > 1))
+- cmd->valid_flags |= cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_TX);
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ cmd->valid_flags |=
++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY);
+
+ cmd->seid = cpu_to_le16(seid);
+ status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details);
+@@ -2202,11 +2215,17 @@ enum i40e_status_code i40e_aq_set_vsi_uc_promisc_on_vlan(struct i40e_hw *hw,
+ i40e_fill_default_direct_cmd_desc(&desc,
+ i40e_aqc_opc_set_vsi_promiscuous_modes);
+
+- if (enable)
++ if (enable) {
+ flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST;
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY;
++ }
+
+ cmd->promiscuous_flags = cpu_to_le16(flags);
+ cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST);
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ cmd->valid_flags |=
++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY);
+ cmd->seid = cpu_to_le16(seid);
+ cmd->vlan_tag = cpu_to_le16(vid | I40E_AQC_SET_VSI_VLAN_VALID);
+
+--
+2.25.1
+
--- /dev/null
+From 19783af68c84eedfea1e4a75c892e58b381262f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 11:32:07 -0700
+Subject: igc: Fix PTP initialization
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 3cda505a679ced78d69c889cfb418d1728bb2707 ]
+
+Right now, igc_ptp_reset() is called from igc_reset(), which is called
+from igc_probe() before igc_ptp_init() has a chance to run. It is
+detected as an attempt to use an spinlock without registering its key
+first. See log below.
+
+To avoid this problem, simplify the initialization: igc_ptp_init() is
+only called from igc_probe(), and igc_ptp_reset() is only called from
+igc_reset().
+
+[ 2.736332] INFO: trying to register non-static key.
+[ 2.736902] input: HDA Intel PCH Front Headphone as /devices/pci0000:00/0000:00:1f.3/sound/card0/input10
+[ 2.737513] the code is fine but needs lockdep annotation.
+[ 2.737513] turning off the locking correctness validator.
+[ 2.737515] CPU: 8 PID: 239 Comm: systemd-udevd Tainted: G E 5.8.0-rc7+ #13
+[ 2.737515] Hardware name: Gigabyte Technology Co., Ltd. Z390 AORUS ULTRA/Z390 AORUS ULTRA-CF, BIOS F7 03/14/2019
+[ 2.737516] Call Trace:
+[ 2.737521] dump_stack+0x78/0xa0
+[ 2.737524] register_lock_class+0x6b1/0x6f0
+[ 2.737526] ? lockdep_hardirqs_on_prepare+0xca/0x160
+[ 2.739177] ? _raw_spin_unlock_irq+0x24/0x50
+[ 2.739179] ? trace_hardirqs_on+0x1c/0xf0
+[ 2.740820] __lock_acquire+0x56/0x1ff0
+[ 2.740823] ? __schedule+0x30c/0x970
+[ 2.740825] lock_acquire+0x97/0x3e0
+[ 2.740830] ? igc_ptp_reset+0x35/0xf0 [igc]
+[ 2.740833] ? schedule_hrtimeout_range_clock+0xb7/0x120
+[ 2.742507] _raw_spin_lock_irqsave+0x3a/0x50
+[ 2.742512] ? igc_ptp_reset+0x35/0xf0 [igc]
+[ 2.742515] igc_ptp_reset+0x35/0xf0 [igc]
+[ 2.742519] igc_reset+0x96/0xd0 [igc]
+[ 2.744148] igc_probe+0x68f/0x7d0 [igc]
+[ 2.745796] local_pci_probe+0x3d/0x70
+[ 2.745799] pci_device_probe+0xd1/0x190
+[ 2.745802] really_probe+0x15a/0x3f0
+[ 2.759936] driver_probe_device+0xe1/0x150
+[ 2.759937] device_driver_attach+0xa8/0xb0
+[ 2.761786] __driver_attach+0x89/0x150
+[ 2.761786] ? device_driver_attach+0xb0/0xb0
+[ 2.761787] ? device_driver_attach+0xb0/0xb0
+[ 2.761788] bus_for_each_dev+0x66/0x90
+[ 2.765012] bus_add_driver+0x12e/0x1f0
+[ 2.765716] driver_register+0x8b/0xe0
+[ 2.766418] ? 0xffffffffc0230000
+[ 2.767119] do_one_initcall+0x5a/0x310
+[ 2.767826] ? kmem_cache_alloc_trace+0xe9/0x200
+[ 2.768528] do_init_module+0x5c/0x260
+[ 2.769206] __do_sys_finit_module+0x93/0xe0
+[ 2.770048] do_syscall_64+0x46/0xa0
+[ 2.770716] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 2.771396] RIP: 0033:0x7f83534589e0
+[ 2.772073] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 2e 2e 2e 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 80 24 0d 00 f7 d8 64 89 01 48
+[ 2.772074] RSP: 002b:00007ffd31d0ed18 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 2.774854] RAX: ffffffffffffffda RBX: 000055d52816aba0 RCX: 00007f83534589e0
+[ 2.774855] RDX: 0000000000000000 RSI: 00007f83535b982f RDI: 0000000000000006
+[ 2.774855] RBP: 00007ffd31d0ed60 R08: 0000000000000000 R09: 00007ffd31d0ed30
+[ 2.774856] R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000000
+[ 2.774856] R13: 0000000000020000 R14: 00007f83535b982f R15: 000055d527f5e120
+
+Fixes: 5f2958052c58 ("igc: Add basic skeleton for PTP")
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reviewed-by: Andre Guedes <andre.guedes@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 5 ++---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 2 --
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 6919c50e449a2..63259ecd41e5b 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -5158,6 +5158,8 @@ static int igc_probe(struct pci_dev *pdev,
+ device_set_wakeup_enable(&adapter->pdev->dev,
+ adapter->flags & IGC_FLAG_WOL_SUPPORTED);
+
++ igc_ptp_init(adapter);
++
+ /* reset the hardware with the new settings */
+ igc_reset(adapter);
+
+@@ -5174,9 +5176,6 @@ static int igc_probe(struct pci_dev *pdev,
+ /* carrier off reporting is important to ethtool even BEFORE open */
+ netif_carrier_off(netdev);
+
+- /* do hw tstamp init after resetting */
+- igc_ptp_init(adapter);
+-
+ /* Check if Media Autosense is enabled */
+ adapter->ei = *ei;
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index 0d746f8588c81..61e38853aa47d 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -608,8 +608,6 @@ void igc_ptp_init(struct igc_adapter *adapter)
+ adapter->tstamp_config.rx_filter = HWTSTAMP_FILTER_NONE;
+ adapter->tstamp_config.tx_type = HWTSTAMP_TX_OFF;
+
+- igc_ptp_reset(adapter);
+-
+ adapter->ptp_clock = ptp_clock_register(&adapter->ptp_caps,
+ &adapter->pdev->dev);
+ if (IS_ERR(adapter->ptp_clock)) {
+--
+2.25.1
+
--- /dev/null
+From cf57f5075c7bd784fa7ce67ba416ead1c9572c0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 22:53:24 -0700
+Subject: ipvlan: fix device features
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit d0f5c7076e01fef6fcb86988d9508bf3ce258bd4 ]
+
+Processing NETDEV_FEAT_CHANGE causes IPvlan links to lose
+NETIF_F_LLTX feature because of the incorrect handling of
+features in ipvlan_fix_features().
+
+--before--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Actual changes:
+vlan-challenged: off [fixed]
+tx-lockless: off [fixed]
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: off [fixed]
+lpaa10:~#
+
+--after--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Could not change any device features
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~#
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan_main.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 15e87c097b0b3..5bca94c990061 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -106,12 +106,21 @@ static void ipvlan_port_destroy(struct net_device *dev)
+ kfree(port);
+ }
+
++#define IPVLAN_ALWAYS_ON_OFLOADS \
++ (NETIF_F_SG | NETIF_F_HW_CSUM | \
++ NETIF_F_GSO_ROBUST | NETIF_F_GSO_SOFTWARE | NETIF_F_GSO_ENCAP_ALL)
++
++#define IPVLAN_ALWAYS_ON \
++ (IPVLAN_ALWAYS_ON_OFLOADS | NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED)
++
+ #define IPVLAN_FEATURES \
+- (NETIF_F_SG | NETIF_F_CSUM_MASK | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
++ (NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_GSO | NETIF_F_ALL_TSO | NETIF_F_GSO_ROBUST | \
+ NETIF_F_GRO | NETIF_F_RXCSUM | \
+ NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER)
+
++ /* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */
++
+ #define IPVLAN_STATE_MASK \
+ ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT))
+
+@@ -125,7 +134,9 @@ static int ipvlan_init(struct net_device *dev)
+ dev->state = (dev->state & ~IPVLAN_STATE_MASK) |
+ (phy_dev->state & IPVLAN_STATE_MASK);
+ dev->features = phy_dev->features & IPVLAN_FEATURES;
+- dev->features |= NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED;
++ dev->features |= IPVLAN_ALWAYS_ON;
++ dev->vlan_features = phy_dev->vlan_features & IPVLAN_FEATURES;
++ dev->vlan_features |= IPVLAN_ALWAYS_ON_OFLOADS;
+ dev->hw_enc_features |= dev->features;
+ dev->gso_max_size = phy_dev->gso_max_size;
+ dev->gso_max_segs = phy_dev->gso_max_segs;
+@@ -227,7 +238,14 @@ static netdev_features_t ipvlan_fix_features(struct net_device *dev,
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+
+- return features & (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features |= NETIF_F_ALL_FOR_ALL;
++ features &= (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features = netdev_increment_features(ipvlan->phy_dev->features,
++ features, features);
++ features |= IPVLAN_ALWAYS_ON;
++ features &= (IPVLAN_FEATURES | IPVLAN_ALWAYS_ON);
++
++ return features;
+ }
+
+ static void ipvlan_change_rx_flags(struct net_device *dev, int change)
+@@ -734,10 +752,9 @@ static int ipvlan_device_event(struct notifier_block *unused,
+
+ case NETDEV_FEAT_CHANGE:
+ list_for_each_entry(ipvlan, &port->ipvlans, pnode) {
+- ipvlan->dev->features = dev->features & IPVLAN_FEATURES;
+ ipvlan->dev->gso_max_size = dev->gso_max_size;
+ ipvlan->dev->gso_max_segs = dev->gso_max_segs;
+- netdev_features_change(ipvlan->dev);
++ netdev_update_features(ipvlan->dev);
+ }
+ break;
+
+--
+2.25.1
+
--- /dev/null
+From fd3de18a7843647178b30c20df4e696fbe8e2273 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Aug 2020 18:19:08 +0900
+Subject: kconfig: qconf: do not limit the pop-up menu to the first row
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit fa8de0a3bf3c02e6f00b7746e7e934db522cdda9 ]
+
+If you right-click the first row in the option tree, the pop-up menu
+shows up, but if you right-click the second row or below, the event
+is ignored due to the following check:
+
+ if (e->y() <= header()->geometry().bottom()) {
+
+Perhaps, the intention was to show the pop-menu only when the tree
+header was right-clicked, but this handler is not called in that case.
+
+Since the origin of e->y() starts from the bottom of the header,
+this check is odd.
+
+Going forward, you can right-click anywhere in the tree to get the
+pop-up menu.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/qconf.cc | 68 ++++++++++++++++++++--------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index 23d1cb01a41ae..be67e74237d22 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -864,40 +864,40 @@ void ConfigList::focusInEvent(QFocusEvent *e)
+
+ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ {
+- if (e->y() <= header()->geometry().bottom()) {
+- if (!headerPopup) {
+- QAction *action;
+-
+- headerPopup = new QMenu(this);
+- action = new QAction("Show Name", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowName(bool)));
+- connect(parent(), SIGNAL(showNameChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showName);
+- headerPopup->addAction(action);
+- action = new QAction("Show Range", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowRange(bool)));
+- connect(parent(), SIGNAL(showRangeChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showRange);
+- headerPopup->addAction(action);
+- action = new QAction("Show Data", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowData(bool)));
+- connect(parent(), SIGNAL(showDataChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showData);
+- headerPopup->addAction(action);
+- }
+- headerPopup->exec(e->globalPos());
+- e->accept();
+- } else
+- e->ignore();
++ if (!headerPopup) {
++ QAction *action;
++
++ headerPopup = new QMenu(this);
++ action = new QAction("Show Name", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowName(bool)));
++ connect(parent(), SIGNAL(showNameChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showName);
++ headerPopup->addAction(action);
++
++ action = new QAction("Show Range", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowRange(bool)));
++ connect(parent(), SIGNAL(showRangeChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showRange);
++ headerPopup->addAction(action);
++
++ action = new QAction("Show Data", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowData(bool)));
++ connect(parent(), SIGNAL(showDataChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showData);
++ headerPopup->addAction(action);
++ }
++
++ headerPopup->exec(e->globalPos());
++ e->accept();
+ }
+
+ ConfigView*ConfigView::viewList;
+--
+2.25.1
+
--- /dev/null
+From ca5829fe8025794e76463356ebbbba2bd868d69c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Aug 2020 01:36:29 +0900
+Subject: kconfig: qconf: fix signal connection to invalid slots
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit d85de3399f97467baa2026fbbbe587850d01ba8a ]
+
+If you right-click in the ConfigList window, you will see the following
+messages in the console:
+
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:888
+QObject::connect: (sender name: 'config')
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:897
+QObject::connect: (sender name: 'config')
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:906
+QObject::connect: (sender name: 'config')
+
+Right, there is no such slot in QAction. I think this is a typo of
+setChecked.
+
+Due to this bug, when you toggled the menu "Option->Show Name/Range/Data"
+the state of the context menu was not previously updated. Fix this.
+
+Fixes: d5d973c3f8a9 ("Port xconfig to Qt5 - Put back some of the old implementation(part 2)")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/qconf.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index be67e74237d22..91ed69b651e99 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -873,7 +873,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowName(bool)));
+ connect(parent(), SIGNAL(showNameChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showName);
+ headerPopup->addAction(action);
+
+@@ -882,7 +882,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowRange(bool)));
+ connect(parent(), SIGNAL(showRangeChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showRange);
+ headerPopup->addAction(action);
+
+@@ -891,7 +891,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowData(bool)));
+ connect(parent(), SIGNAL(showDataChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showData);
+ headerPopup->addAction(action);
+ }
+@@ -1275,7 +1275,7 @@ QMenu* ConfigInfoView::createStandardContextMenu(const QPoint & pos)
+
+ action->setCheckable(true);
+ connect(action, SIGNAL(toggled(bool)), SLOT(setShowDebug(bool)));
+- connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setOn(bool)));
++ connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setChecked(bool)));
+ action->setChecked(showDebug());
+ popup->addSeparator();
+ popup->addAction(action);
+--
+2.25.1
+
--- /dev/null
+From 1531e9d9c77fc01a37e0dc0add87f59f8c3b1b15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 00:16:46 +0900
+Subject: kconfig: qconf: remove qInfo() to get back Qt4 support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 53efe2e76ca2bfad7f35e0b5330e2ccd44a643e3 ]
+
+qconf is supposed to work with Qt4 and Qt5, but since commit
+c4f7398bee9c ("kconfig: qconf: make debug links work again"),
+building with Qt4 fails as follows:
+
+ HOSTCXX scripts/kconfig/qconf.o
+scripts/kconfig/qconf.cc: In member function ‘void ConfigInfoView::clicked(const QUrl&)’:
+scripts/kconfig/qconf.cc:1241:3: error: ‘qInfo’ was not declared in this scope; did you mean ‘setInfo’?
+ 1241 | qInfo() << "Clicked link is empty";
+ | ^~~~~
+ | setInfo
+scripts/kconfig/qconf.cc:1254:3: error: ‘qInfo’ was not declared in this scope; did you mean ‘setInfo’?
+ 1254 | qInfo() << "Clicked symbol is invalid:" << data;
+ | ^~~~~
+ | setInfo
+make[1]: *** [scripts/Makefile.host:129: scripts/kconfig/qconf.o] Error 1
+make: *** [Makefile:606: xconfig] Error 2
+
+qInfo() does not exist in Qt4. In my understanding, these call-sites
+should be unreachable. Perhaps, qWarning(), assertion, or something
+is better, but qInfo() is not the right one to use here, I think.
+
+Fixes: c4f7398bee9c ("kconfig: qconf: make debug links work again")
+Reported-by: Ronald Warsow <rwarsow@gmx.de>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/qconf.cc | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index 91ed69b651e99..5ceb93010a973 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -1228,7 +1228,6 @@ void ConfigInfoView::clicked(const QUrl &url)
+ struct menu *m = NULL;
+
+ if (count < 1) {
+- qInfo() << "Clicked link is empty";
+ delete[] data;
+ return;
+ }
+@@ -1241,7 +1240,6 @@ void ConfigInfoView::clicked(const QUrl &url)
+ strcat(data, "$");
+ result = sym_re_search(data);
+ if (!result) {
+- qInfo() << "Clicked symbol is invalid:" << data;
+ delete[] data;
+ return;
+ }
+--
+2.25.1
+
--- /dev/null
+From 30761fbd0badfe54c778f9f9599714040b218e15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:16:54 -0700
+Subject: kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit cb957adb4ea422bd758568df5b2478ea3bb34f35 ]
+
+See the SDM, volume 3, section 4.4.1:
+
+If PAE paging would be in use following an execution of MOV to CR0 or
+MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of
+CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then
+the PDPTEs are loaded from the address in CR3.
+
+Fixes: b9baba8614890 ("KVM, pkeys: expose CPUID/CR4 to guest")
+Cc: Huaitong Han <huaitong.han@intel.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Peter Shier <pshier@google.com>
+Reviewed-by: Oliver Upton <oupton@google.com>
+Message-Id: <20200817181655.3716509-1-jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index a70156b9b72e5..f7304132d5907 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -967,7 +967,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+- X86_CR4_SMEP | X86_CR4_PKE;
++ X86_CR4_SMEP;
+
+ if (kvm_valid_cr4(vcpu, cr4))
+ return 1;
+--
+2.25.1
+
--- /dev/null
+From 74d0d804fb2b2b3db2d637f1a7dc49e2a7731f99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:16:55 -0700
+Subject: kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit 427890aff8558eb4326e723835e0eae0e6fe3102 ]
+
+See the SDM, volume 3, section 4.4.1:
+
+If PAE paging would be in use following an execution of MOV to CR0 or
+MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of
+CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then
+the PDPTEs are loaded from the address in CR3.
+
+Fixes: 0be0226f07d14 ("KVM: MMU: fix SMAP virtualization")
+Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Peter Shier <pshier@google.com>
+Reviewed-by: Oliver Upton <oupton@google.com>
+Message-Id: <20200817181655.3716509-2-jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 4fe976c2495ea..a70156b9b72e5 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -967,7 +967,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+- X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE;
++ X86_CR4_SMEP | X86_CR4_PKE;
+
+ if (kvm_valid_cr4(vcpu, cr4))
+ return 1;
+--
+2.25.1
+
--- /dev/null
+From be236ce9713d60af93b1098499e8164a7adb5231 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 13:49:39 -0700
+Subject: libbpf: Fix BTF-defined map-in-map initialization on 32-bit host
+ arches
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 15728ad3e71c120278105f20fa65b3735e715e0f ]
+
+Libbpf built in 32-bit mode should be careful about not conflating 64-bit BPF
+pointers in BPF ELF file and host architecture pointers. This patch fixes
+issue of incorrect initializating of map-in-map inner map slots due to such
+difference.
+
+Fixes: 646f02ffdd49 ("libbpf: Add BTF-defined map-in-map support")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200813204945.1020225-4-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 11e4725b8b1c0..e7642a6e39f9e 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -5025,7 +5025,8 @@ static int bpf_object__collect_st_ops_relos(struct bpf_object *obj,
+ static int bpf_object__collect_map_relos(struct bpf_object *obj,
+ GElf_Shdr *shdr, Elf_Data *data)
+ {
+- int i, j, nrels, new_sz, ptr_sz = sizeof(void *);
++ const int bpf_ptr_sz = 8, host_ptr_sz = sizeof(void *);
++ int i, j, nrels, new_sz;
+ const struct btf_var_secinfo *vi = NULL;
+ const struct btf_type *sec, *var, *def;
+ const struct btf_member *member;
+@@ -5074,7 +5075,7 @@ static int bpf_object__collect_map_relos(struct bpf_object *obj,
+
+ vi = btf_var_secinfos(sec) + map->btf_var_idx;
+ if (vi->offset <= rel.r_offset &&
+- rel.r_offset + sizeof(void *) <= vi->offset + vi->size)
++ rel.r_offset + bpf_ptr_sz <= vi->offset + vi->size)
+ break;
+ }
+ if (j == obj->nr_maps) {
+@@ -5110,17 +5111,20 @@ static int bpf_object__collect_map_relos(struct bpf_object *obj,
+ return -EINVAL;
+
+ moff = rel.r_offset - vi->offset - moff;
+- if (moff % ptr_sz)
++ /* here we use BPF pointer size, which is always 64 bit, as we
++ * are parsing ELF that was built for BPF target
++ */
++ if (moff % bpf_ptr_sz)
+ return -EINVAL;
+- moff /= ptr_sz;
++ moff /= bpf_ptr_sz;
+ if (moff >= map->init_slots_sz) {
+ new_sz = moff + 1;
+- tmp = realloc(map->init_slots, new_sz * ptr_sz);
++ tmp = realloc(map->init_slots, new_sz * host_ptr_sz);
+ if (!tmp)
+ return -ENOMEM;
+ map->init_slots = tmp;
+ memset(map->init_slots + map->init_slots_sz, 0,
+- (new_sz - map->init_slots_sz) * ptr_sz);
++ (new_sz - map->init_slots_sz) * host_ptr_sz);
+ map->init_slots_sz = new_sz;
+ }
+ map->init_slots[moff] = targ_map;
+--
+2.25.1
+
--- /dev/null
+From 63bd0d666ed2e9719c2c96e0268998ee35d3c980 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 06:56:00 -0700
+Subject: net: dsa: b53: check for timeout
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 774d977abfd024e6f73484544b9abe5a5cd62de7 ]
+
+clang static analysis reports this problem
+
+b53_common.c:1583:13: warning: The left expression of the compound
+ assignment is an uninitialized value. The computed value will
+ also be garbage
+ ent.port &= ~BIT(port);
+ ~~~~~~~~ ^
+
+ent is set by a successful call to b53_arl_read(). Unsuccessful
+calls are caught by an switch statement handling specific returns.
+b32_arl_read() calls b53_arl_op_wait() which fails with the
+unhandled -ETIMEDOUT.
+
+So add -ETIMEDOUT to the switch statement. Because
+b53_arl_op_wait() already prints out a message, do not add another
+one.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 1df05841ab6b1..86869337223a8 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1555,6 +1555,8 @@ static int b53_arl_op(struct b53_device *dev, int op, int port,
+ return ret;
+
+ switch (ret) {
++ case -ETIMEDOUT:
++ return ret;
+ case -ENOSPC:
+ dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n",
+ addr, vid);
+--
+2.25.1
+
--- /dev/null
+From 7a703396d4bd669ce3ad678772d872f35c0dedda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 20:28:37 +0300
+Subject: net: ena: Change WARN_ON expression in ena_del_napi_in_range()
+
+From: Shay Agroskin <shayagr@amazon.com>
+
+[ Upstream commit 8b147f6f3e7de4e51113e3e9ec44aa2debc02c58 ]
+
+The ena_del_napi_in_range() function unregisters the napi handler for
+rings in a given range.
+This function had the following WARN_ON macro:
+
+ WARN_ON(ENA_IS_XDP_INDEX(adapter, i) &&
+ adapter->ena_napi[i].xdp_ring);
+
+This macro prints the call stack if the expression inside of it is
+true [1], but the expression inside of it is the wanted situation.
+The expression checks whether the ring has an XDP queue and its index
+corresponds to a XDP one.
+
+This patch changes the expression to
+ !ENA_IS_XDP_INDEX(adapter, i) && adapter->ena_napi[i].xdp_ring
+which indicates an unwanted situation.
+
+Also, change the structure of the function. The napi handler is
+unregistered for all rings, and so there's no need to check whether the
+index is an XDP index or not. By removing this check the code becomes
+much more readable.
+
+Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action")
+Signed-off-by: Shay Agroskin <shayagr@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 1a2a464fb2f5f..000f57198352d 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2177,13 +2177,10 @@ static void ena_del_napi_in_range(struct ena_adapter *adapter,
+ int i;
+
+ for (i = first_index; i < first_index + count; i++) {
+- /* Check if napi was initialized before */
+- if (!ENA_IS_XDP_INDEX(adapter, i) ||
+- adapter->ena_napi[i].xdp_ring)
+- netif_napi_del(&adapter->ena_napi[i].napi);
+- else
+- WARN_ON(ENA_IS_XDP_INDEX(adapter, i) &&
+- adapter->ena_napi[i].xdp_ring);
++ netif_napi_del(&adapter->ena_napi[i].napi);
++
++ WARN_ON(!ENA_IS_XDP_INDEX(adapter, i) &&
++ adapter->ena_napi[i].xdp_ring);
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 359e0fcb000057099fcdc1c6e23e242c5ededdba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 20:28:36 +0300
+Subject: net: ena: Prevent reset after device destruction
+
+From: Shay Agroskin <shayagr@amazon.com>
+
+[ Upstream commit 63d4a4c145cca2e84dc6e62d2ef5cb990c9723c2 ]
+
+The reset work is scheduled by the timer routine whenever it
+detects that a device reset is required (e.g. when a keep_alive signal
+is missing).
+When releasing device resources in ena_destroy_device() the driver
+cancels the scheduling of the timer routine without destroying the reset
+work explicitly.
+
+This creates the following bug:
+ The driver is suspended and the ena_suspend() function is called
+ -> This function calls ena_destroy_device() to free the net device
+ resources
+ -> The driver waits for the timer routine to finish
+ its execution and then cancels it, thus preventing from it
+ to be called again.
+
+ If, in its final execution, the timer routine schedules a reset,
+ the reset routine might be called afterwards,and a redundant call to
+ ena_restore_device() would be made.
+
+By changing the reset routine we allow it to read the device's state
+accurately.
+This is achieved by checking whether ENA_FLAG_TRIGGER_RESET flag is set
+before resetting the device and making both the destruction function and
+the flag check are under rtnl lock.
+The ENA_FLAG_TRIGGER_RESET is cleared at the end of the destruction
+routine. Also surround the flag check with 'likely' because
+we expect that the reset routine would be called only when
+ENA_FLAG_TRIGGER_RESET flag is set.
+
+The destruction of the timer and reset services in __ena_shutoff() have to
+stay, even though the timer routine is destroyed in ena_destroy_device().
+This is to avoid a case in which the reset routine is scheduled after
+free_netdev() in __ena_shutoff(), which would create an access to freed
+memory in adapter->flags.
+
+Fixes: 8c5c7abdeb2d ("net: ena: add power management ops to the ENA driver")
+Signed-off-by: Shay Agroskin <shayagr@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index dda4b8fc9525e..1a2a464fb2f5f 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -3523,16 +3523,14 @@ static void ena_fw_reset_device(struct work_struct *work)
+ {
+ struct ena_adapter *adapter =
+ container_of(work, struct ena_adapter, reset_task);
+- struct pci_dev *pdev = adapter->pdev;
+
+- if (unlikely(!test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) {
+- dev_err(&pdev->dev,
+- "device reset schedule while reset bit is off\n");
+- return;
+- }
+ rtnl_lock();
+- ena_destroy_device(adapter, false);
+- ena_restore_device(adapter);
++
++ if (likely(test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) {
++ ena_destroy_device(adapter, false);
++ ena_restore_device(adapter);
++ }
++
+ rtnl_unlock();
+ }
+
+@@ -4366,8 +4364,11 @@ static void __ena_shutoff(struct pci_dev *pdev, bool shutdown)
+ netdev->rx_cpu_rmap = NULL;
+ }
+ #endif /* CONFIG_RFS_ACCEL */
+- del_timer_sync(&adapter->timer_service);
+
++ /* Make sure timer and reset routine won't be called after
++ * freeing device resources.
++ */
++ del_timer_sync(&adapter->timer_service);
+ cancel_work_sync(&adapter->reset_task);
+
+ rtnl_lock(); /* lock released inside the below if-else block */
+--
+2.25.1
+
--- /dev/null
+From 75bcc3948c382bedf83fc84cd487e4ae0e78202e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 15:13:14 +0800
+Subject: net: fec: correct the error path for regulator disable in probe
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit c6165cf0dbb82ded90163dce3ac183fc7a913dc4 ]
+
+Correct the error path for regulator disable.
+
+Fixes: 9269e5560b26 ("net: fec: add phy-reset-gpios PROBE_DEFER check")
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index cc7fbfc093548..534fcc71a2a53 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3714,11 +3714,11 @@ fec_probe(struct platform_device *pdev)
+ failed_irq:
+ failed_init:
+ fec_ptp_stop(pdev);
+- if (fep->reg_phy)
+- regulator_disable(fep->reg_phy);
+ failed_reset:
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
++ if (fep->reg_phy)
++ regulator_disable(fep->reg_phy);
+ failed_regulator:
+ clk_disable_unprepare(fep->clk_ahb);
+ failed_clk_ahb:
+--
+2.25.1
+
--- /dev/null
+From f2e6aec657df8cffef555631b294e04b8bbff851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 10:33:09 +0800
+Subject: net: gemini: Fix missing free_netdev() in error path of
+ gemini_ethernet_port_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit cf96d977381d4a23957bade2ddf1c420b74a26b6 ]
+
+Replace alloc_etherdev_mq with devm_alloc_etherdev_mqs. In this way,
+when probe fails, netdev can be freed automatically.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index 66e67b24a887c..62e271aea4a50 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -2389,7 +2389,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+
+ dev_info(dev, "probe %s ID %d\n", dev_name(dev), id);
+
+- netdev = alloc_etherdev_mq(sizeof(*port), TX_QUEUE_NUM);
++ netdev = devm_alloc_etherdev_mqs(dev, sizeof(*port), TX_QUEUE_NUM, TX_QUEUE_NUM);
+ if (!netdev) {
+ dev_err(dev, "Can't allocate ethernet device #%d\n", id);
+ return -ENOMEM;
+@@ -2521,7 +2521,6 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ }
+
+ port->netdev = NULL;
+- free_netdev(netdev);
+ return ret;
+ }
+
+@@ -2530,7 +2529,6 @@ static int gemini_ethernet_port_remove(struct platform_device *pdev)
+ struct gemini_ethernet_port *port = platform_get_drvdata(pdev);
+
+ gemini_port_remove(port);
+- free_netdev(port->netdev);
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 7a3e92916143a659a4a819753efb8ac7a5a29b5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Aug 2020 17:44:09 -0400
+Subject: netfilter: nf_tables: nft_exthdr: the presence return value should be
+ little-endian
+
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+
+[ Upstream commit b428336676dbca363262cc134b6218205df4f530 ]
+
+On big-endian machine, the returned register data when the exthdr is
+present is not being compared correctly because little-endian is
+assumed. The function nft_cmp_fast_mask(), called by nft_cmp_fast_eval()
+and nft_cmp_fast_init(), calls cpu_to_le32().
+
+The following dump also shows that little endian is assumed:
+
+$ nft --debug=netlink add rule ip recordroute forward ip option rr exists counter
+ip
+ [ exthdr load ipv4 1b @ 7 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x01000000 ]
+ [ counter pkts 0 bytes 0 ]
+
+Lastly, debug print in nft_cmp_fast_init() and nft_cmp_fast_eval() when
+RR option exists in the packet shows that the comparison fails because
+the assumption:
+
+nft_cmp_fast_init:189 priv->sreg=4 desc.len=8 mask=0xff000000 data.data[0]=0x10003e0
+nft_cmp_fast_eval:57 regs->data[priv->sreg=4]=0x1 mask=0xff000000 priv->data=0x1000000
+
+v2: use nft_reg_store8() instead (Florian Westphal). Also to avoid the
+ warnings reported by kernel test robot.
+
+Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
+Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check")
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_exthdr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
+index 07782836fad6e..3c48cdc8935df 100644
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -44,7 +44,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
+
+ err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
+ if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+- *dest = (err >= 0);
++ nft_reg_store8(dest, err >= 0);
+ return;
+ } else if (err < 0) {
+ goto err;
+@@ -141,7 +141,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
+
+ err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type);
+ if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+- *dest = (err >= 0);
++ nft_reg_store8(dest, err >= 0);
+ return;
+ } else if (err < 0) {
+ goto err;
+--
+2.25.1
+
--- /dev/null
+From aca4af8bbf053db79e462f2724fb08a5388c3471 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 12:32:08 +0100
+Subject: of/address: check for invalid range.cpu_addr
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f49c7faf776f16607c948d852a03b04a88c3b583 ]
+
+Currently invalid CPU addresses are not being sanity checked resulting in
+SATA setup failure on a SynQuacer SC2A11 development machine. The original
+check was removed by and earlier commit, so add a sanity check back in
+to avoid this regression.
+
+Fixes: 7a8b64d17e35 ("of/address: use range parser for of_dma_get_range")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20200817113208.523805-1-colin.king@canonical.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/address.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 8eea3f6e29a44..340d3051b1ce2 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -980,6 +980,11 @@ int of_dma_get_range(struct device_node *np, u64 *dma_addr, u64 *paddr, u64 *siz
+ /* Don't error out as we'd break some existing DTs */
+ continue;
+ }
++ if (range.cpu_addr == OF_BAD_ADDR) {
++ pr_err("translation of DMA address(%llx) to CPU address failed node(%pOF)\n",
++ range.bus_addr, node);
++ continue;
++ }
+ dma_offset = range.cpu_addr - range.bus_addr;
+
+ /* Take lower and upper limits */
+--
+2.25.1
+
--- /dev/null
+From 42042ec9d22c38fcd636299af50f269449860d92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 06:26:18 +0530
+Subject: powerpc: Add POWER10 raw mode cputable entry
+
+From: Madhavan Srinivasan <maddy@linux.ibm.com>
+
+[ Upstream commit 327da008e65a25b8206b36b7fc0c9e4edbb36a58 ]
+
+Add a raw mode cputable entry for POWER10. Copies most of the fields
+from commit a3ea40d5c736 ("powerpc: Add POWER10 architected mode")
+except for oprofile_cpu_type, machine_check_early, pvr_mask and
+pvr_mask fields. On bare metal systems we use DT CPU features, which
+doesn't need a cputable entry. But in VMs we still rely on the raw
+cputable entry to set the correct values for the PMU related fields.
+
+Fixes: a3ea40d5c736 ("powerpc: Add POWER10 architected mode")
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+[mpe: Reorder vs cleanup patch and add Fixes tag]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200817005618.3305028-2-maddy@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/cputable.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
+index b4066354f0730..bb0c7f43a8283 100644
+--- a/arch/powerpc/kernel/cputable.c
++++ b/arch/powerpc/kernel/cputable.c
+@@ -75,6 +75,7 @@ extern void __restore_cpu_power10(void);
+ extern long __machine_check_early_realmode_p7(struct pt_regs *regs);
+ extern long __machine_check_early_realmode_p8(struct pt_regs *regs);
+ extern long __machine_check_early_realmode_p9(struct pt_regs *regs);
++extern long __machine_check_early_realmode_p10(struct pt_regs *regs);
+ #endif /* CONFIG_PPC64 */
+ #if defined(CONFIG_E500)
+ extern void __setup_cpu_e5500(unsigned long offset, struct cpu_spec* spec);
+@@ -541,6 +542,25 @@ static struct cpu_spec __initdata cpu_specs[] = {
+ .machine_check_early = __machine_check_early_realmode_p9,
+ .platform = "power9",
+ },
++ { /* Power10 */
++ .pvr_mask = 0xffff0000,
++ .pvr_value = 0x00800000,
++ .cpu_name = "POWER10 (raw)",
++ .cpu_features = CPU_FTRS_POWER10,
++ .cpu_user_features = COMMON_USER_POWER10,
++ .cpu_user_features2 = COMMON_USER2_POWER10,
++ .mmu_features = MMU_FTRS_POWER10,
++ .icache_bsize = 128,
++ .dcache_bsize = 128,
++ .num_pmcs = 6,
++ .pmc_type = PPC_PMC_IBM,
++ .oprofile_cpu_type = "ppc64/power10",
++ .oprofile_type = PPC_OPROFILE_INVALID,
++ .cpu_setup = __setup_cpu_power10,
++ .cpu_restore = __restore_cpu_power10,
++ .machine_check_early = __machine_check_early_realmode_p10,
++ .platform = "power10",
++ },
+ { /* Cell Broadband Engine */
+ .pvr_mask = 0xffff0000,
+ .pvr_value = 0x00700000,
+--
+2.25.1
+
--- /dev/null
+From 40c58f526096f652cccb83b458fca559dea134e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 06:03:26 +0000
+Subject: powerpc/fixmap: Fix the size of the early debug area
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit fdc6edbb31fba76fd25d7bd016b675a92908d81e ]
+
+Commit ("03fd42d458fb powerpc/fixmap: Fix FIX_EARLY_DEBUG_BASE when
+page size is 256k") reworked the setup of the early debug area and
+mistakenly replaced 128 * 1024 by SZ_128.
+
+Change to SZ_128K to restore the original 128 kbytes size of the area.
+
+Fixes: 03fd42d458fb ("powerpc/fixmap: Fix FIX_EARLY_DEBUG_BASE when page size is 256k")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/996184974d674ff984643778cf1cdd7fe58cc065.1597644194.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/fixmap.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/fixmap.h b/arch/powerpc/include/asm/fixmap.h
+index 925cf89cbf4ba..6bfc87915d5db 100644
+--- a/arch/powerpc/include/asm/fixmap.h
++++ b/arch/powerpc/include/asm/fixmap.h
+@@ -52,7 +52,7 @@ enum fixed_addresses {
+ FIX_HOLE,
+ /* reserve the top 128K for early debugging purposes */
+ FIX_EARLY_DEBUG_TOP = FIX_HOLE,
+- FIX_EARLY_DEBUG_BASE = FIX_EARLY_DEBUG_TOP+(ALIGN(SZ_128, PAGE_SIZE)/PAGE_SIZE)-1,
++ FIX_EARLY_DEBUG_BASE = FIX_EARLY_DEBUG_TOP+(ALIGN(SZ_128K, PAGE_SIZE)/PAGE_SIZE)-1,
+ #ifdef CONFIG_HIGHMEM
+ FIX_KMAP_BEGIN, /* reserved pte's for temporary kernel mappings */
+ FIX_KMAP_END = FIX_KMAP_BEGIN+(KM_TYPE_NR*NR_CPUS)-1,
+--
+2.25.1
+
--- /dev/null
+From 21e09376f862a388631d845391fd919b477cab63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 11:15:44 -0500
+Subject: powerpc/pseries/hotplug-cpu: wait indefinitely for vCPU death
+
+From: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+[ Upstream commit 801980f6497946048709b9b09771a1729551d705 ]
+
+For a power9 KVM guest with XIVE enabled, running a test loop
+where we hotplug 384 vcpus and then unplug them, the following traces
+can be seen (generally within a few loops) either from the unplugged
+vcpu:
+
+ cpu 65 (hwid 65) Ready to die...
+ Querying DEAD? cpu 66 (66) shows 2
+ list_del corruption. next->prev should be c00a000002470208, but was c00a000002470048
+ ------------[ cut here ]------------
+ kernel BUG at lib/list_debug.c:56!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ LE SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in: fuse nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 ...
+ CPU: 66 PID: 0 Comm: swapper/66 Kdump: loaded Not tainted 4.18.0-221.el8.ppc64le #1
+ NIP: c0000000007ab50c LR: c0000000007ab508 CTR: 00000000000003ac
+ REGS: c0000009e5a17840 TRAP: 0700 Not tainted (4.18.0-221.el8.ppc64le)
+ MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28000842 XER: 20040000
+ ...
+ NIP __list_del_entry_valid+0xac/0x100
+ LR __list_del_entry_valid+0xa8/0x100
+ Call Trace:
+ __list_del_entry_valid+0xa8/0x100 (unreliable)
+ free_pcppages_bulk+0x1f8/0x940
+ free_unref_page+0xd0/0x100
+ xive_spapr_cleanup_queue+0x148/0x1b0
+ xive_teardown_cpu+0x1bc/0x240
+ pseries_mach_cpu_die+0x78/0x2f0
+ cpu_die+0x48/0x70
+ arch_cpu_idle_dead+0x20/0x40
+ do_idle+0x2f4/0x4c0
+ cpu_startup_entry+0x38/0x40
+ start_secondary+0x7bc/0x8f0
+ start_secondary_prolog+0x10/0x14
+
+or on the worker thread handling the unplug:
+
+ pseries-hotplug-cpu: Attempting to remove CPU <NULL>, drc index: 1000013a
+ Querying DEAD? cpu 314 (314) shows 2
+ BUG: Bad page state in process kworker/u768:3 pfn:95de1
+ cpu 314 (hwid 314) Ready to die...
+ page:c00a000002577840 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
+ flags: 0x5ffffc00000000()
+ raw: 005ffffc00000000 5deadbeef0000100 5deadbeef0000200 0000000000000000
+ raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
+ page dumped because: nonzero mapcount
+ Modules linked in: kvm xt_CHECKSUM ipt_MASQUERADE xt_conntrack ...
+ CPU: 0 PID: 548 Comm: kworker/u768:3 Kdump: loaded Not tainted 4.18.0-224.el8.bz1856588.ppc64le #1
+ Workqueue: pseries hotplug workque pseries_hp_work_fn
+ Call Trace:
+ dump_stack+0xb0/0xf4 (unreliable)
+ bad_page+0x12c/0x1b0
+ free_pcppages_bulk+0x5bc/0x940
+ page_alloc_cpu_dead+0x118/0x120
+ cpuhp_invoke_callback.constprop.5+0xb8/0x760
+ _cpu_down+0x188/0x340
+ cpu_down+0x5c/0xa0
+ cpu_subsys_offline+0x24/0x40
+ device_offline+0xf0/0x130
+ dlpar_offline_cpu+0x1c4/0x2a0
+ dlpar_cpu_remove+0xb8/0x190
+ dlpar_cpu_remove_by_index+0x12c/0x150
+ dlpar_cpu+0x94/0x800
+ pseries_hp_work_fn+0x128/0x1e0
+ process_one_work+0x304/0x5d0
+ worker_thread+0xcc/0x7a0
+ kthread+0x1ac/0x1c0
+ ret_from_kernel_thread+0x5c/0x80
+
+The latter trace is due to the following sequence:
+
+ page_alloc_cpu_dead
+ drain_pages
+ drain_pages_zone
+ free_pcppages_bulk
+
+where drain_pages() in this case is called under the assumption that
+the unplugged cpu is no longer executing. To ensure that is the case,
+and early call is made to __cpu_die()->pseries_cpu_die(), which runs a
+loop that waits for the cpu to reach a halted state by polling its
+status via query-cpu-stopped-state RTAS calls. It only polls for 25
+iterations before giving up, however, and in the trace above this
+results in the following being printed only .1 seconds after the
+hotplug worker thread begins processing the unplug request:
+
+ pseries-hotplug-cpu: Attempting to remove CPU <NULL>, drc index: 1000013a
+ Querying DEAD? cpu 314 (314) shows 2
+
+At that point the worker thread assumes the unplugged CPU is in some
+unknown/dead state and procedes with the cleanup, causing the race
+with the XIVE cleanup code executed by the unplugged CPU.
+
+Fix this by waiting indefinitely, but also making an effort to avoid
+spurious lockup messages by allowing for rescheduling after polling
+the CPU status and printing a warning if we wait for longer than 120s.
+
+Fixes: eac1e731b59ee ("powerpc/xive: guest exploitation of the XIVE interrupt controller")
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Tested-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[mpe: Trim oopses in change log slightly for readability]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200811161544.10513-1-mdroth@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/hotplug-cpu.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c
+index 6d4ee03d476a9..ec04fc7f5a641 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
+@@ -107,22 +107,28 @@ static int pseries_cpu_disable(void)
+ */
+ static void pseries_cpu_die(unsigned int cpu)
+ {
+- int tries;
+ int cpu_status = 1;
+ unsigned int pcpu = get_hard_smp_processor_id(cpu);
++ unsigned long timeout = jiffies + msecs_to_jiffies(120000);
+
+- for (tries = 0; tries < 25; tries++) {
++ while (true) {
+ cpu_status = smp_query_cpu_stopped(pcpu);
+ if (cpu_status == QCSS_STOPPED ||
+ cpu_status == QCSS_HARDWARE_ERROR)
+ break;
+- cpu_relax();
+
++ if (time_after(jiffies, timeout)) {
++ pr_warn("CPU %i (hwid %i) didn't die after 120 seconds\n",
++ cpu, pcpu);
++ timeout = jiffies + msecs_to_jiffies(120000);
++ }
++
++ cond_resched();
+ }
+
+- if (cpu_status != 0) {
+- printk("Querying DEAD? cpu %i (%i) shows %i\n",
+- cpu, pcpu, cpu_status);
++ if (cpu_status == QCSS_HARDWARE_ERROR) {
++ pr_warn("CPU %i (hwid %i) reported error while dying\n",
++ cpu, pcpu);
+ }
+
+ /* Isolation and deallocation are definitely done by
+--
+2.25.1
+
--- /dev/null
+From 638dcf21869fee7c572b6ec667b83251ad6116f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 21:45:48 -0700
+Subject: RDMA/bnxt_re: Do not add user qps to flushlist
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit a812f2d60a9fb7818f9c81f967180317b52545c0 ]
+
+Driver shall add only the kernel qps to the flush list for clean up.
+During async error events from the HW, driver is adding qps to this list
+without checking if the qp is kernel qp or not.
+
+Add a check to avoid user qp addition to the flush list.
+
+Fixes: 942c9b6ca8de ("RDMA/bnxt_re: Avoid Hard lockup during error CQE processing")
+Fixes: c50866e2853a ("bnxt_re: fix the regression due to changes in alloc_pbl")
+Link: https://lore.kernel.org/r/1596689148-4023-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index b12fbc857f942..5c41e13496a02 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -811,7 +811,8 @@ static int bnxt_re_handle_qp_async_event(struct creq_qp_event *qp_event,
+ struct ib_event event;
+ unsigned int flags;
+
+- if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR) {
++ if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR &&
++ rdma_is_kernel_res(&qp->ib_qp.res)) {
+ flags = bnxt_re_lock_cqs(qp);
+ bnxt_qplib_add_flush_qp(&qp->qplib_qp);
+ bnxt_re_unlock_cqs(qp, flags);
+--
+2.25.1
+
--- /dev/null
+From c4667194ce7512d93d4dc90d24c02e1760ce5a9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 17:39:44 +0800
+Subject: Revert "RDMA/hns: Reserve one sge in order to avoid local length
+ error"
+
+From: Weihang Li <liweihang@huawei.com>
+
+[ Upstream commit 6da06c6291f38be4df6df2efb76ba925096d2691 ]
+
+This patch caused some issues on SEND operation, and it should be reverted
+to make the drivers work correctly. There will be a better solution that
+has been tested carefully to solve the original problem.
+
+This reverts commit 711195e57d341e58133d92cf8aaab1db24e4768d.
+
+Fixes: 711195e57d34 ("RDMA/hns: Reserve one sge in order to avoid local length error")
+Link: https://lore.kernel.org/r/1597829984-20223-1-git-send-email-liweihang@huawei.com
+Signed-off-by: Weihang Li <liweihang@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_device.h | 2 --
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 9 ++++-----
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 4 +---
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 5 ++---
+ drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +-
+ 5 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
+index 479fa557993e7..c69453a62767c 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_device.h
++++ b/drivers/infiniband/hw/hns/hns_roce_device.h
+@@ -66,8 +66,6 @@
+ #define HNS_ROCE_CQE_WCMD_EMPTY_BIT 0x2
+ #define HNS_ROCE_MIN_CQE_CNT 16
+
+-#define HNS_ROCE_RESERVED_SGE 1
+-
+ #define HNS_ROCE_MAX_IRQ_NUM 128
+
+ #define HNS_ROCE_SGE_IN_WQE 2
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index eb71b941d21b7..38a48ab3e1d02 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -629,7 +629,7 @@ static int hns_roce_v2_post_recv(struct ib_qp *ibqp,
+
+ wqe_idx = (hr_qp->rq.head + nreq) & (hr_qp->rq.wqe_cnt - 1);
+
+- if (unlikely(wr->num_sge >= hr_qp->rq.max_gs)) {
++ if (unlikely(wr->num_sge > hr_qp->rq.max_gs)) {
+ ibdev_err(ibdev, "rq:num_sge=%d >= qp->sq.max_gs=%d\n",
+ wr->num_sge, hr_qp->rq.max_gs);
+ ret = -EINVAL;
+@@ -649,7 +649,6 @@ static int hns_roce_v2_post_recv(struct ib_qp *ibqp,
+ if (wr->num_sge < hr_qp->rq.max_gs) {
+ dseg->lkey = cpu_to_le32(HNS_ROCE_INVALID_LKEY);
+ dseg->addr = 0;
+- dseg->len = cpu_to_le32(HNS_ROCE_INVALID_SGE_LENGTH);
+ }
+
+ /* rq support inline data */
+@@ -783,8 +782,8 @@ static int hns_roce_v2_post_srq_recv(struct ib_srq *ibsrq,
+ }
+
+ if (wr->num_sge < srq->max_gs) {
+- dseg[i].len = cpu_to_le32(HNS_ROCE_INVALID_SGE_LENGTH);
+- dseg[i].lkey = cpu_to_le32(HNS_ROCE_INVALID_LKEY);
++ dseg[i].len = 0;
++ dseg[i].lkey = cpu_to_le32(0x100);
+ dseg[i].addr = 0;
+ }
+
+@@ -5098,7 +5097,7 @@ static int hns_roce_v2_query_srq(struct ib_srq *ibsrq, struct ib_srq_attr *attr)
+
+ attr->srq_limit = limit_wl;
+ attr->max_wr = srq->wqe_cnt - 1;
+- attr->max_sge = srq->max_gs - HNS_ROCE_RESERVED_SGE;
++ attr->max_sge = srq->max_gs;
+
+ out:
+ hns_roce_free_cmd_mailbox(hr_dev, mailbox);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index e6c385ced1872..4f840997c6c73 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -92,9 +92,7 @@
+ #define HNS_ROCE_V2_CQC_TIMER_ENTRY_SZ PAGE_SIZE
+ #define HNS_ROCE_V2_PAGE_SIZE_SUPPORTED 0xFFFFF000
+ #define HNS_ROCE_V2_MAX_INNER_MTPT_NUM 2
+-#define HNS_ROCE_INVALID_LKEY 0x0
+-#define HNS_ROCE_INVALID_SGE_LENGTH 0x80000000
+-
++#define HNS_ROCE_INVALID_LKEY 0x100
+ #define HNS_ROCE_CMQ_TX_TIMEOUT 30000
+ #define HNS_ROCE_V2_UC_RC_SGE_NUM_IN_WQE 2
+ #define HNS_ROCE_V2_RSV_QPS 8
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index a0a47bd669759..4edea397b6b80 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -386,8 +386,7 @@ static int set_rq_size(struct hns_roce_dev *hr_dev, struct ib_qp_cap *cap,
+ return -EINVAL;
+ }
+
+- hr_qp->rq.max_gs = roundup_pow_of_two(max(1U, cap->max_recv_sge) +
+- HNS_ROCE_RESERVED_SGE);
++ hr_qp->rq.max_gs = roundup_pow_of_two(max(1U, cap->max_recv_sge));
+
+ if (hr_dev->caps.max_rq_sg <= HNS_ROCE_SGE_IN_WQE)
+ hr_qp->rq.wqe_shift = ilog2(hr_dev->caps.max_rq_desc_sz);
+@@ -402,7 +401,7 @@ static int set_rq_size(struct hns_roce_dev *hr_dev, struct ib_qp_cap *cap,
+ hr_qp->rq_inl_buf.wqe_cnt = 0;
+
+ cap->max_recv_wr = cnt;
+- cap->max_recv_sge = hr_qp->rq.max_gs - HNS_ROCE_RESERVED_SGE;
++ cap->max_recv_sge = hr_qp->rq.max_gs;
+
+ return 0;
+ }
+diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c
+index f40a000e94ee7..b9e2dbd372b66 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_srq.c
++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c
+@@ -297,7 +297,7 @@ int hns_roce_create_srq(struct ib_srq *ib_srq,
+ spin_lock_init(&srq->lock);
+
+ srq->wqe_cnt = roundup_pow_of_two(init_attr->attr.max_wr + 1);
+- srq->max_gs = init_attr->attr.max_sge + HNS_ROCE_RESERVED_SGE;
++ srq->max_gs = init_attr->attr.max_sge;
+
+ if (udata) {
+ ret = ib_copy_from_udata(&ucmd, udata, sizeof(ucmd));
+--
+2.25.1
+
--- /dev/null
+From 3e4c571a1c2797f88f3116a4d4dbe30acced9245 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 04:10:14 -0700
+Subject: Revert "scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during
+ probe"
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit dca93232b361d260413933903cd4bdbd92ebcc7f ]
+
+FCP T10-PI and NVMe features are independent of each other. This patch
+allows both features to co-exist.
+
+This reverts commit 5da05a26b8305a625bc9d537671b981795b46dab.
+
+Link: https://lore.kernel.org/r/20200806111014.28434-12-njavali@marvell.com
+Fixes: 5da05a26b830 ("scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe")
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index e92fad99338cd..5c7c22d0fab4b 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -2829,10 +2829,6 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ /* This may fail but that's ok */
+ pci_enable_pcie_error_reporting(pdev);
+
+- /* Turn off T10-DIF when FC-NVMe is enabled */
+- if (ql2xnvmeenable)
+- ql2xenabledif = 0;
+-
+ ha = kzalloc(sizeof(struct qla_hw_data), GFP_KERNEL);
+ if (!ha) {
+ ql_log_pci(ql_log_fatal, pdev, 0x0009,
+--
+2.25.1
+
--- /dev/null
+From b29a0df10a6d16127fde71d07a3bb807a9c015f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Aug 2020 18:56:28 +0200
+Subject: s390/ptrace: fix storage key handling
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit fd78c59446b8d050ecf3e0897c5a486c7de7c595 ]
+
+The key member of the runtime instrumentation control block contains
+only the access key, not the complete storage key. Therefore the value
+must be shifted by four bits. Since existing user space does not
+necessarily query and set the access key correctly, just ignore the
+user space provided key and use the correct one.
+Note: this is only relevant for debugging purposes in case somebody
+compiles a kernel with a default storage access key set to a value not
+equal to zero.
+
+Fixes: 262832bc5acd ("s390/ptrace: add runtime instrumention register get/set")
+Reported-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/ptrace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index 3cc15c0662983..2924f236d89c6 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -1310,7 +1310,6 @@ static bool is_ri_cb_valid(struct runtime_instr_cb *cb)
+ cb->pc == 1 &&
+ cb->qc == 0 &&
+ cb->reserved2 == 0 &&
+- cb->key == PAGE_DEFAULT_KEY &&
+ cb->reserved3 == 0 &&
+ cb->reserved4 == 0 &&
+ cb->reserved5 == 0 &&
+@@ -1374,7 +1373,11 @@ static int s390_runtime_instr_set(struct task_struct *target,
+ kfree(data);
+ return -EINVAL;
+ }
+-
++ /*
++ * Override access key in any case, since user space should
++ * not be able to set it, nor should it care about it.
++ */
++ ri_cb.key = PAGE_DEFAULT_KEY >> 4;
+ preempt_disable();
+ if (!target->thread.ri_cb)
+ target->thread.ri_cb = data;
+--
+2.25.1
+
--- /dev/null
+From ca0e6e856c70d10e3d462a5ec7d44d2717f3ff2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Aug 2020 18:55:41 +0200
+Subject: s390/runtime_instrumentation: fix storage key handling
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 9eaba29c7985236e16468f4e6a49cc18cf01443e ]
+
+The key member of the runtime instrumentation control block contains
+only the access key, not the complete storage key. Therefore the value
+must be shifted by four bits.
+Note: this is only relevant for debugging purposes in case somebody
+compiles a kernel with a default storage access key set to a value not
+equal to zero.
+
+Fixes: e4b8b3f33fca ("s390: add support for runtime instrumentation")
+Reported-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/runtime_instr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/runtime_instr.c b/arch/s390/kernel/runtime_instr.c
+index 125c7f6e87150..1788a5454b6fc 100644
+--- a/arch/s390/kernel/runtime_instr.c
++++ b/arch/s390/kernel/runtime_instr.c
+@@ -57,7 +57,7 @@ static void init_runtime_instr_cb(struct runtime_instr_cb *cb)
+ cb->k = 1;
+ cb->ps = 1;
+ cb->pc = 1;
+- cb->key = PAGE_DEFAULT_KEY;
++ cb->key = PAGE_DEFAULT_KEY >> 4;
+ cb->v = 1;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From a411a945753a7b48fbd037310f5d8b7e03425e6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 06:46:50 +0530
+Subject: scsi: ufs: Add quirk to disallow reset of interrupt aggregation
+
+From: Alim Akhtar <alim.akhtar@samsung.com>
+
+[ Upstream commit b638b5eb624bd5d0766683b6181d578f414585e9 ]
+
+Some host controllers support interrupt aggregation but don't allow
+resetting counter and timer in software.
+
+Link: https://lore.kernel.org/r/20200528011658.71590-3-alim.akhtar@samsung.com
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Seungwon Jeon <essuuj@gmail.com>
+Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 3 ++-
+ drivers/scsi/ufs/ufshcd.h | 6 ++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 9da44a389becb..47a4c4c239196 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -4914,7 +4914,8 @@ static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba)
+ * false interrupt if device completes another request after resetting
+ * aggregation and before reading the DB.
+ */
+- if (ufshcd_is_intr_aggr_allowed(hba))
++ if (ufshcd_is_intr_aggr_allowed(hba) &&
++ !(hba->quirks & UFSHCI_QUIRK_SKIP_RESET_INTR_AGGR))
+ ufshcd_reset_intr_aggr(hba);
+
+ tr_doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index 2ddf4c2f76f55..bda7ba1aea519 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -525,6 +525,12 @@ enum ufshcd_quirks {
+ * Clear handling for transfer/task request list is just opposite.
+ */
+ UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR = 1 << 6,
++
++ /*
++ * This quirk needs to be enabled if host controller doesn't allow
++ * that the interrupt aggregation timer and counter are reset by s/w.
++ */
++ UFSHCI_QUIRK_SKIP_RESET_INTR_AGGR = 1 << 7,
+ };
+
+ enum ufshcd_caps {
+--
+2.25.1
+
--- /dev/null
+From 94539950352820f44d471514cb6919ab320ea4c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 06:46:51 +0530
+Subject: scsi: ufs: Add quirk to enable host controller without hce
+
+From: Alim Akhtar <alim.akhtar@samsung.com>
+
+[ Upstream commit 39bf2d83b54e900675cd7b52737ded695bb60bf1 ]
+
+Some host controllers don't support host controller enable via HCE.
+
+Link: https://lore.kernel.org/r/20200528011658.71590-4-alim.akhtar@samsung.com
+Reviewed-by: Can Guo <cang@codeaurora.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Seungwon Jeon <essuuj@gmail.com>
+Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 76 +++++++++++++++++++++++++++++++++++++--
+ drivers/scsi/ufs/ufshcd.h | 6 ++++
+ 2 files changed, 80 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 47a4c4c239196..87473fa5bd0f9 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -3557,6 +3557,52 @@ static int ufshcd_dme_link_startup(struct ufs_hba *hba)
+ "dme-link-startup: error code %d\n", ret);
+ return ret;
+ }
++/**
++ * ufshcd_dme_reset - UIC command for DME_RESET
++ * @hba: per adapter instance
++ *
++ * DME_RESET command is issued in order to reset UniPro stack.
++ * This function now deals with cold reset.
++ *
++ * Returns 0 on success, non-zero value on failure
++ */
++static int ufshcd_dme_reset(struct ufs_hba *hba)
++{
++ struct uic_command uic_cmd = {0};
++ int ret;
++
++ uic_cmd.command = UIC_CMD_DME_RESET;
++
++ ret = ufshcd_send_uic_cmd(hba, &uic_cmd);
++ if (ret)
++ dev_err(hba->dev,
++ "dme-reset: error code %d\n", ret);
++
++ return ret;
++}
++
++/**
++ * ufshcd_dme_enable - UIC command for DME_ENABLE
++ * @hba: per adapter instance
++ *
++ * DME_ENABLE command is issued in order to enable UniPro stack.
++ *
++ * Returns 0 on success, non-zero value on failure
++ */
++static int ufshcd_dme_enable(struct ufs_hba *hba)
++{
++ struct uic_command uic_cmd = {0};
++ int ret;
++
++ uic_cmd.command = UIC_CMD_DME_ENABLE;
++
++ ret = ufshcd_send_uic_cmd(hba, &uic_cmd);
++ if (ret)
++ dev_err(hba->dev,
++ "dme-reset: error code %d\n", ret);
++
++ return ret;
++}
+
+ static inline void ufshcd_add_delay_before_dme_cmd(struct ufs_hba *hba)
+ {
+@@ -4281,7 +4327,7 @@ static inline void ufshcd_hba_stop(struct ufs_hba *hba)
+ }
+
+ /**
+- * ufshcd_hba_enable - initialize the controller
++ * ufshcd_hba_execute_hce - initialize the controller
+ * @hba: per adapter instance
+ *
+ * The controller resets itself and controller firmware initialization
+@@ -4290,7 +4336,7 @@ static inline void ufshcd_hba_stop(struct ufs_hba *hba)
+ *
+ * Returns 0 on success, non-zero value on failure
+ */
+-int ufshcd_hba_enable(struct ufs_hba *hba)
++static int ufshcd_hba_execute_hce(struct ufs_hba *hba)
+ {
+ int retry;
+
+@@ -4338,6 +4384,32 @@ int ufshcd_hba_enable(struct ufs_hba *hba)
+
+ return 0;
+ }
++
++int ufshcd_hba_enable(struct ufs_hba *hba)
++{
++ int ret;
++
++ if (hba->quirks & UFSHCI_QUIRK_BROKEN_HCE) {
++ ufshcd_set_link_off(hba);
++ ufshcd_vops_hce_enable_notify(hba, PRE_CHANGE);
++
++ /* enable UIC related interrupts */
++ ufshcd_enable_intr(hba, UFSHCD_UIC_MASK);
++ ret = ufshcd_dme_reset(hba);
++ if (!ret) {
++ ret = ufshcd_dme_enable(hba);
++ if (!ret)
++ ufshcd_vops_hce_enable_notify(hba, POST_CHANGE);
++ if (ret)
++ dev_err(hba->dev,
++ "Host controller enable failed with non-hce\n");
++ }
++ } else {
++ ret = ufshcd_hba_execute_hce(hba);
++ }
++
++ return ret;
++}
+ EXPORT_SYMBOL_GPL(ufshcd_hba_enable);
+
+ static int ufshcd_disable_tx_lcc(struct ufs_hba *hba, bool peer)
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index bda7ba1aea519..4198e5d883a1a 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -531,6 +531,12 @@ enum ufshcd_quirks {
+ * that the interrupt aggregation timer and counter are reset by s/w.
+ */
+ UFSHCI_QUIRK_SKIP_RESET_INTR_AGGR = 1 << 7,
++
++ /*
++ * This quirks needs to be enabled if host controller cannot be
++ * enabled via HCE register.
++ */
++ UFSHCI_QUIRK_BROKEN_HCE = 1 << 8,
+ };
+
+ enum ufshcd_caps {
+--
+2.25.1
+
--- /dev/null
+From 855a55d05446be71f496673a1209de1418c851b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 06:46:53 +0530
+Subject: scsi: ufs: Add quirk to fix abnormal ocs fatal error
+
+From: Kiwoong Kim <kwmad.kim@samsung.com>
+
+[ Upstream commit d779a6e90e189f4883ce6f900da02995fb000df5 ]
+
+Some controller like Exynos determines if FATAL ERROR (0x7) in OCS field in
+UTRD occurs for values other than GOOD (0x0) in STATUS field in response
+upiu as well as errors that a host controller can't cover. This patch is
+to prevent from reporting command results in those cases.
+
+Link: https://lore.kernel.org/r/20200528011658.71590-6-alim.akhtar@samsung.com
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Kiwoong Kim <kwmad.kim@samsung.com>
+Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 6 ++++++
+ drivers/scsi/ufs/ufshcd.h | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 0be06e7c5f293..69c7c039b5fac 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -4824,6 +4824,12 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
+ /* overall command status of utrd */
+ ocs = ufshcd_get_tr_ocs(lrbp);
+
++ if (hba->quirks & UFSHCD_QUIRK_BROKEN_OCS_FATAL_ERROR) {
++ if (be32_to_cpu(lrbp->ucd_rsp_ptr->header.dword_1) &
++ MASK_RSP_UPIU_RESULT)
++ ocs = OCS_SUCCESS;
++ }
++
+ switch (ocs) {
+ case OCS_SUCCESS:
+ result = ufshcd_get_req_rsp(lrbp->ucd_rsp_ptr);
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index 97d649f546e3a..e38e9e0af6b59 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -543,6 +543,12 @@ enum ufshcd_quirks {
+ * resolution of the values of PRDTO and PRDTL in UTRD as byte.
+ */
+ UFSHCD_QUIRK_PRDT_BYTE_GRAN = 1 << 9,
++
++ /*
++ * This quirk needs to be enabled if the host controller reports
++ * OCS FATAL ERROR with device error through sense data
++ */
++ UFSHCD_QUIRK_BROKEN_OCS_FATAL_ERROR = 1 << 10,
+ };
+
+ enum ufshcd_caps {
+--
+2.25.1
+
--- /dev/null
+From 5ad34119780e2c9e05d01e716828cb8bdbe89d2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 06:46:49 +0530
+Subject: scsi: ufs: Add quirk to fix mishandling utrlclr/utmrlclr
+
+From: Alim Akhtar <alim.akhtar@samsung.com>
+
+[ Upstream commit 871838412adf533ffda0b4a0ede0c2984e3511e7 ]
+
+With the correct behavior, setting the bit to '0' indicates clear and '1'
+indicates no change. If host controller handles this the other way around,
+UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR can be used.
+
+Link: https://lore.kernel.org/r/20200528011658.71590-2-alim.akhtar@samsung.com
+Reviewed-by: Can Guo <cang@codeaurora.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Seungwon Jeon <essuuj@gmail.com>
+Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 11 +++++++++--
+ drivers/scsi/ufs/ufshcd.h | 5 +++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index dec56e99335f0..9da44a389becb 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -674,7 +674,11 @@ static inline int ufshcd_get_tr_ocs(struct ufshcd_lrb *lrbp)
+ */
+ static inline void ufshcd_utrl_clear(struct ufs_hba *hba, u32 pos)
+ {
+- ufshcd_writel(hba, ~(1 << pos), REG_UTP_TRANSFER_REQ_LIST_CLEAR);
++ if (hba->quirks & UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR)
++ ufshcd_writel(hba, (1 << pos), REG_UTP_TRANSFER_REQ_LIST_CLEAR);
++ else
++ ufshcd_writel(hba, ~(1 << pos),
++ REG_UTP_TRANSFER_REQ_LIST_CLEAR);
+ }
+
+ /**
+@@ -684,7 +688,10 @@ static inline void ufshcd_utrl_clear(struct ufs_hba *hba, u32 pos)
+ */
+ static inline void ufshcd_utmrl_clear(struct ufs_hba *hba, u32 pos)
+ {
+- ufshcd_writel(hba, ~(1 << pos), REG_UTP_TASK_REQ_LIST_CLEAR);
++ if (hba->quirks & UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR)
++ ufshcd_writel(hba, (1 << pos), REG_UTP_TASK_REQ_LIST_CLEAR);
++ else
++ ufshcd_writel(hba, ~(1 << pos), REG_UTP_TASK_REQ_LIST_CLEAR);
+ }
+
+ /**
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index 16187be98a94c..2ddf4c2f76f55 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -520,6 +520,11 @@ enum ufshcd_quirks {
+ * ops (get_ufs_hci_version) to get the correct version.
+ */
+ UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION = 1 << 5,
++
++ /*
++ * Clear handling for transfer/task request list is just opposite.
++ */
++ UFSHCI_QUIRK_BROKEN_REQ_LIST_CLR = 1 << 6,
+ };
+
+ enum ufshcd_caps {
+--
+2.25.1
+
--- /dev/null
+From e41790ba1293192bca5cc2bf3d7472d6c70f5dd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 16:39:35 +0300
+Subject: scsi: ufs: Fix interrupt error message for shared interrupts
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 6337f58cec030b34ced435b3d9d7d29d63c96e36 ]
+
+The interrupt might be shared, in which case it is not an error for the
+interrupt handler to be called when the interrupt status is zero, so don't
+print the message unless there was enabled interrupt status.
+
+Link: https://lore.kernel.org/r/20200811133936.19171-1-adrian.hunter@intel.com
+Fixes: 9333d7757348 ("scsi: ufs: Fix irq return code")
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 69c7c039b5fac..136b863bc1d45 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6013,7 +6013,7 @@ static irqreturn_t ufshcd_intr(int irq, void *__hba)
+ intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
+ } while (intr_status && --retries);
+
+- if (retval == IRQ_NONE) {
++ if (enabled_intr_status && retval == IRQ_NONE) {
+ dev_err(hba->dev, "%s: Unhandled interrupt 0x%08x\n",
+ __func__, intr_status);
+ ufshcd_dump_regs(hba, 0, UFSHCI_REG_SPACE_SIZE, "host_regs: ");
+--
+2.25.1
+
--- /dev/null
+From 5df3e2dcfd338d6c94fac9701547f1be091926d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 06:46:52 +0530
+Subject: scsi: ufs: Introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk
+
+From: Alim Akhtar <alim.akhtar@samsung.com>
+
+[ Upstream commit 26f968d7de823ba4974a8f25c8bd8ee2df6ab74b ]
+
+Some UFS host controllers like Exynos uses granularities of PRDT length and
+offset as bytes, whereas others use actual segment count.
+
+Link: https://lore.kernel.org/r/20200528011658.71590-5-alim.akhtar@samsung.com
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Kiwoong Kim <kwmad.kim@samsung.com>
+Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 30 +++++++++++++++++++++++-------
+ drivers/scsi/ufs/ufshcd.h | 6 ++++++
+ 2 files changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 87473fa5bd0f9..0be06e7c5f293 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -2175,8 +2175,14 @@ static int ufshcd_map_sg(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
+ return sg_segments;
+
+ if (sg_segments) {
+- lrbp->utr_descriptor_ptr->prd_table_length =
+- cpu_to_le16((u16)sg_segments);
++
++ if (hba->quirks & UFSHCD_QUIRK_PRDT_BYTE_GRAN)
++ lrbp->utr_descriptor_ptr->prd_table_length =
++ cpu_to_le16((sg_segments *
++ sizeof(struct ufshcd_sg_entry)));
++ else
++ lrbp->utr_descriptor_ptr->prd_table_length =
++ cpu_to_le16((u16) (sg_segments));
+
+ prd_table = (struct ufshcd_sg_entry *)lrbp->ucd_prdt_ptr;
+
+@@ -3523,11 +3529,21 @@ static void ufshcd_host_memory_configure(struct ufs_hba *hba)
+ cpu_to_le32(upper_32_bits(cmd_desc_element_addr));
+
+ /* Response upiu and prdt offset should be in double words */
+- utrdlp[i].response_upiu_offset =
+- cpu_to_le16(response_offset >> 2);
+- utrdlp[i].prd_table_offset = cpu_to_le16(prdt_offset >> 2);
+- utrdlp[i].response_upiu_length =
+- cpu_to_le16(ALIGNED_UPIU_SIZE >> 2);
++ if (hba->quirks & UFSHCD_QUIRK_PRDT_BYTE_GRAN) {
++ utrdlp[i].response_upiu_offset =
++ cpu_to_le16(response_offset);
++ utrdlp[i].prd_table_offset =
++ cpu_to_le16(prdt_offset);
++ utrdlp[i].response_upiu_length =
++ cpu_to_le16(ALIGNED_UPIU_SIZE);
++ } else {
++ utrdlp[i].response_upiu_offset =
++ cpu_to_le16(response_offset >> 2);
++ utrdlp[i].prd_table_offset =
++ cpu_to_le16(prdt_offset >> 2);
++ utrdlp[i].response_upiu_length =
++ cpu_to_le16(ALIGNED_UPIU_SIZE >> 2);
++ }
+
+ ufshcd_init_lrb(hba, &hba->lrb[i], i);
+ }
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index 4198e5d883a1a..97d649f546e3a 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -537,6 +537,12 @@ enum ufshcd_quirks {
+ * enabled via HCE register.
+ */
+ UFSHCI_QUIRK_BROKEN_HCE = 1 << 8,
++
++ /*
++ * This quirk needs to be enabled if the host controller regards
++ * resolution of the values of PRDTO and PRDTL in UTRD as byte.
++ */
++ UFSHCD_QUIRK_PRDT_BYTE_GRAN = 1 << 9,
+ };
+
+ enum ufshcd_caps {
+--
+2.25.1
+
--- /dev/null
+From 9b2d567e5b29ee8457d34743d09c89b4b87afb25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Aug 2020 17:10:24 +0300
+Subject: scsi: ufs-pci: Add quirk for broken auto-hibernate for Intel EHL
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 8da76f71fef7d8a1a72af09d48899573feb60065 ]
+
+Intel EHL UFS host controller advertises auto-hibernate capability but it
+does not work correctly. Add a quirk for that.
+
+[mkp: checkpatch fix]
+
+Link: https://lore.kernel.org/r/20200810141024.28859-1-adrian.hunter@intel.com
+Fixes: 8c09d7527697 ("scsi: ufshdc-pci: Add Intel PCI IDs for EHL")
+Acked-by: Stanley Chu <stanley.chu@mediatek.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd-pci.c | 16 ++++++++++++++--
+ drivers/scsi/ufs/ufshcd.h | 9 ++++++++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd-pci.c b/drivers/scsi/ufs/ufshcd-pci.c
+index 8f78a81514991..b220666774ce8 100644
+--- a/drivers/scsi/ufs/ufshcd-pci.c
++++ b/drivers/scsi/ufs/ufshcd-pci.c
+@@ -67,11 +67,23 @@ static int ufs_intel_link_startup_notify(struct ufs_hba *hba,
+ return err;
+ }
+
++static int ufs_intel_ehl_init(struct ufs_hba *hba)
++{
++ hba->quirks |= UFSHCD_QUIRK_BROKEN_AUTO_HIBERN8;
++ return 0;
++}
++
+ static struct ufs_hba_variant_ops ufs_intel_cnl_hba_vops = {
+ .name = "intel-pci",
+ .link_startup_notify = ufs_intel_link_startup_notify,
+ };
+
++static struct ufs_hba_variant_ops ufs_intel_ehl_hba_vops = {
++ .name = "intel-pci",
++ .init = ufs_intel_ehl_init,
++ .link_startup_notify = ufs_intel_link_startup_notify,
++};
++
+ #ifdef CONFIG_PM_SLEEP
+ /**
+ * ufshcd_pci_suspend - suspend power management function
+@@ -200,8 +212,8 @@ static const struct dev_pm_ops ufshcd_pci_pm_ops = {
+ static const struct pci_device_id ufshcd_pci_tbl[] = {
+ { PCI_VENDOR_ID_SAMSUNG, 0xC00C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
+ { PCI_VDEVICE(INTEL, 0x9DFA), (kernel_ulong_t)&ufs_intel_cnl_hba_vops },
+- { PCI_VDEVICE(INTEL, 0x4B41), (kernel_ulong_t)&ufs_intel_cnl_hba_vops },
+- { PCI_VDEVICE(INTEL, 0x4B43), (kernel_ulong_t)&ufs_intel_cnl_hba_vops },
++ { PCI_VDEVICE(INTEL, 0x4B41), (kernel_ulong_t)&ufs_intel_ehl_hba_vops },
++ { PCI_VDEVICE(INTEL, 0x4B43), (kernel_ulong_t)&ufs_intel_ehl_hba_vops },
+ { } /* terminate list */
+ };
+
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index e38e9e0af6b59..4bf98c2295372 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -549,6 +549,12 @@ enum ufshcd_quirks {
+ * OCS FATAL ERROR with device error through sense data
+ */
+ UFSHCD_QUIRK_BROKEN_OCS_FATAL_ERROR = 1 << 10,
++
++ /*
++ * This quirk needs to be enabled if the host controller has
++ * auto-hibernate capability but it doesn't work.
++ */
++ UFSHCD_QUIRK_BROKEN_AUTO_HIBERN8 = 1 << 11,
+ };
+
+ enum ufshcd_caps {
+@@ -815,7 +821,8 @@ return true;
+
+ static inline bool ufshcd_is_auto_hibern8_supported(struct ufs_hba *hba)
+ {
+- return (hba->capabilities & MASK_AUTO_HIBERN8_SUPPORT);
++ return (hba->capabilities & MASK_AUTO_HIBERN8_SUPPORT) &&
++ !(hba->quirks & UFSHCD_QUIRK_BROKEN_AUTO_HIBERN8);
+ }
+
+ static inline bool ufshcd_is_auto_hibern8_enabled(struct ufs_hba *hba)
+--
+2.25.1
+
--- /dev/null
+From 2c349389f1fea38a7e3c2b89771c93550efde314 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 15:01:35 +0800
+Subject: scsi: ufs: ti-j721e-ufs: Fix error return in ti_j721e_ufs_probe()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit 2138d1c918246e3d8193c3cb8b6d22d0bb888061 ]
+
+Fix to return error code PTR_ERR() from the error handling case instead of
+0.
+
+Link: https://lore.kernel.org/r/20200806070135.67797-1-jingxiangfeng@huawei.com
+Fixes: 22617e216331 ("scsi: ufs: ti-j721e-ufs: Fix unwinding of pm_runtime changes")
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ti-j721e-ufs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ufs/ti-j721e-ufs.c b/drivers/scsi/ufs/ti-j721e-ufs.c
+index 46bb905b4d6a9..eafe0db98d542 100644
+--- a/drivers/scsi/ufs/ti-j721e-ufs.c
++++ b/drivers/scsi/ufs/ti-j721e-ufs.c
+@@ -38,6 +38,7 @@ static int ti_j721e_ufs_probe(struct platform_device *pdev)
+ /* Select MPHY refclk frequency */
+ clk = devm_clk_get(dev, NULL);
+ if (IS_ERR(clk)) {
++ ret = PTR_ERR(clk);
+ dev_err(dev, "Cannot claim MPHY clock.\n");
+ goto clk_err;
+ }
+--
+2.25.1
+
--- /dev/null
+From 1df6ce30ff81b26783c636da5af972f000be4f01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 18:07:10 +0200
+Subject: selftests/bpf: Remove test_align leftovers
+
+From: Veronika Kabatova <vkabatov@redhat.com>
+
+[ Upstream commit 5597432dde62befd3ab92e6ef9e073564e277ea8 ]
+
+Calling generic selftests "make install" fails as rsync expects all
+files from TEST_GEN_PROGS to be present. The binary is not generated
+anymore (commit 3b09d27cc93d) so we can safely remove it from there
+and also from gitignore.
+
+Fixes: 3b09d27cc93d ("selftests/bpf: Move test_align under test_progs")
+Signed-off-by: Veronika Kabatova <vkabatov@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Link: https://lore.kernel.org/bpf/20200819160710.1345956-1-vkabatov@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/.gitignore | 1 -
+ tools/testing/selftests/bpf/Makefile | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
+index 1bb204cee853f..9a0946ddb705a 100644
+--- a/tools/testing/selftests/bpf/.gitignore
++++ b/tools/testing/selftests/bpf/.gitignore
+@@ -6,7 +6,6 @@ test_lpm_map
+ test_tag
+ FEATURE-DUMP.libbpf
+ fixdep
+-test_align
+ test_dev_cgroup
+ /test_progs*
+ test_tcpbpf_user
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index 4f322d5388757..50965cc7bf098 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -32,7 +32,7 @@ LDLIBS += -lcap -lelf -lz -lrt -lpthread
+
+ # Order correspond to 'make run_tests' order
+ TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \
+- test_align test_verifier_log test_dev_cgroup test_tcpbpf_user \
++ test_verifier_log test_dev_cgroup test_tcpbpf_user \
+ test_sock test_btf test_sockmap get_cgroup_id_user test_socket_cookie \
+ test_cgroup_storage \
+ test_netcnt test_tcpnotify_user test_sock_fields test_sysctl \
+--
+2.25.1
+
alpha-fix-annotation-of-io-read-write-16-32-be.patch
fat-fix-fat_ra_init-for-data-clusters-0.patch
fs-signalfd.c-fix-inconsistent-return-codes-for-sign.patch
+ext4-fix-potential-negative-array-index-in-do_split.patch
+drm-virtio-fix-missing-dma_fence_put-in-virtio_gpu_e.patch
+ext4-don-t-allow-overlapping-system-zones.patch
+ext4-check-journal-inode-extents-more-carefully.patch
+netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch
+spi-stm32-fixes-suspend-resume-management.patch
+asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch
+asoc-q6routing-add-dummy-register-read-write-functio.patch
+tools-bpftool-make-skeleton-code-c-17-friendly-by-dr.patch
+bpf-sock_ops-ctx-access-may-stomp-registers-in-corne.patch
+bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch
+libbpf-fix-btf-defined-map-in-map-initialization-on-.patch
+can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch
+can-j1939-transport-j1939_simple_recv-ignore-local-j.patch
+can-j1939-transport-add-j1939_session_skb_find_by_of.patch
+igc-fix-ptp-initialization.patch
+i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch
+i40e-fix-crash-during-removing-i40e-driver.patch
+net-fec-correct-the-error-path-for-regulator-disable.patch
+bonding-show-saner-speed-for-broadcast-mode.patch
+can-j1939-fix-support-for-multipacket-broadcast-mess.patch
+can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch
+can-j1939-abort-multipacket-broadcast-session-when-t.patch
+can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch
+bonding-fix-a-potential-double-unregister.patch
+ipvlan-fix-device-features.patch
+s390-runtime_instrumentation-fix-storage-key-handlin.patch
+s390-ptrace-fix-storage-key-handling.patch
+asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
+asoc-intel-fix-memleak-in-sst_media_open.patch
+watch_queue-limit-the-number-of-watches-a-user-can-h.patch
+vfio-pci-avoid-recursive-read-lock-usage.patch
+vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch
+arch-ia64-restore-arch-specific-pgd_offset_k-impleme.patch
+kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch
+kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch
+of-address-check-for-invalid-range.cpu_addr.patch
+scsi-ufs-ti-j721e-ufs-fix-error-return-in-ti_j721e_u.patch
+scsi-ufs-add-quirk-to-fix-mishandling-utrlclr-utmrlc.patch
+scsi-ufs-add-quirk-to-disallow-reset-of-interrupt-ag.patch
+scsi-ufs-add-quirk-to-enable-host-controller-without.patch
+scsi-ufs-introduce-ufshcd_quirk_prdt_byte_gran-quirk.patch
+scsi-ufs-add-quirk-to-fix-abnormal-ocs-fatal-error.patch
+scsi-ufs-pci-add-quirk-for-broken-auto-hibernate-for.patch
+scsi-ufs-fix-interrupt-error-message-for-shared-inte.patch
+revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch
+kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch
+kconfig-qconf-fix-signal-connection-to-invalid-slots.patch
+efi-avoid-error-message-when-booting-under-xen.patch
+fix-build-error-when-config_acpi-is-not-set-enabled.patch
+rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch
+revert-rdma-hns-reserve-one-sge-in-order-to-avoid-lo.patch
+afs-fix-key-ref-leak-in-afs_put_operation.patch
+kconfig-qconf-remove-qinfo-to-get-back-qt4-support.patch
+afs-fix-null-deref-in-afs_dynroot_depopulate.patch
+arm64-vdso32-install-vdso32-from-vdso_install.patch
+powerpc-add-power10-raw-mode-cputable-entry.patch
+powerpc-fixmap-fix-the-size-of-the-early-debug-area.patch
+bpf-use-get_file_rcu-instead-of-get_file-for-task_fi.patch
+powerpc-pseries-hotplug-cpu-wait-indefinitely-for-vc.patch
+bonding-fix-active-backup-failover-for-current-arp-s.patch
+net-ena-prevent-reset-after-device-destruction.patch
+net-ena-change-warn_on-expression-in-ena_del_napi_in.patch
+net-gemini-fix-missing-free_netdev-in-error-path-of-.patch
+selftests-bpf-remove-test_align-leftovers.patch
+hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch
+net-dsa-b53-check-for-timeout.patch
--- /dev/null
+From 317cee5aa1fca172d6641a9f49e6cd0363bd54e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Aug 2020 09:12:37 +0200
+Subject: spi: stm32: fixes suspend/resume management
+
+From: Amelie Delaunay <amelie.delaunay@st.com>
+
+[ Upstream commit db96bf976a4fc65439be0b4524c0d41427d98814 ]
+
+This patch adds pinctrl power management, and reconfigure spi controller
+in case of resume.
+
+Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support")
+
+Signed-off-by: Amelie Delaunay <amelie.delaunay@st.com>
+Signed-off-by: Alain Volmat <alain.volmat@st.com>
+Link: https://lore.kernel.org/r/1597043558-29668-5-git-send-email-alain.volmat@st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32.c | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index 4c643dfc7fbbc..9672cda2f8031 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -13,6 +13,7 @@
+ #include <linux/iopoll.h>
+ #include <linux/module.h>
+ #include <linux/of_platform.h>
++#include <linux/pinctrl/consumer.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+ #include <linux/spi/spi.h>
+@@ -1996,6 +1997,8 @@ static int stm32_spi_remove(struct platform_device *pdev)
+
+ pm_runtime_disable(&pdev->dev);
+
++ pinctrl_pm_select_sleep_state(&pdev->dev);
++
+ return 0;
+ }
+
+@@ -2007,13 +2010,18 @@ static int stm32_spi_runtime_suspend(struct device *dev)
+
+ clk_disable_unprepare(spi->clk);
+
+- return 0;
++ return pinctrl_pm_select_sleep_state(dev);
+ }
+
+ static int stm32_spi_runtime_resume(struct device *dev)
+ {
+ struct spi_master *master = dev_get_drvdata(dev);
+ struct stm32_spi *spi = spi_master_get_devdata(master);
++ int ret;
++
++ ret = pinctrl_pm_select_default_state(dev);
++ if (ret)
++ return ret;
+
+ return clk_prepare_enable(spi->clk);
+ }
+@@ -2043,10 +2051,23 @@ static int stm32_spi_resume(struct device *dev)
+ return ret;
+
+ ret = spi_master_resume(master);
+- if (ret)
++ if (ret) {
+ clk_disable_unprepare(spi->clk);
++ return ret;
++ }
+
+- return ret;
++ ret = pm_runtime_get_sync(dev);
++ if (ret) {
++ dev_err(dev, "Unable to power device:%d\n", ret);
++ return ret;
++ }
++
++ spi->cfg->config(spi);
++
++ pm_runtime_mark_last_busy(dev);
++ pm_runtime_put_autosuspend(dev);
++
++ return 0;
+ }
+ #endif
+
+--
+2.25.1
+
--- /dev/null
+From 44dfaaecfdf8920ccdc0923bec4635ffbd78f58a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 19:59:07 -0700
+Subject: tools/bpftool: Make skeleton code C++17-friendly by dropping typeof()
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 8faf7fc597d59b142af41ddd4a2d59485f75f88a ]
+
+Seems like C++17 standard mode doesn't recognize typeof() anymore. This can
+be tested by compiling test_cpp test with -std=c++17 or -std=c++1z options.
+The use of typeof in skeleton generated code is unnecessary, all types are
+well-known at the time of code generation, so remove all typeof()'s to make
+skeleton code more future-proof when interacting with C++ compilers.
+
+Fixes: 985ead416df3 ("bpftool: Add skeleton codegen command")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20200812025907.1371956-1-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/gen.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
+index 540ffde0b03a3..0be1330b4c1ba 100644
+--- a/tools/bpf/bpftool/gen.c
++++ b/tools/bpf/bpftool/gen.c
+@@ -400,7 +400,7 @@ static int do_skeleton(int argc, char **argv)
+ { \n\
+ struct %1$s *obj; \n\
+ \n\
+- obj = (typeof(obj))calloc(1, sizeof(*obj)); \n\
++ obj = (struct %1$s *)calloc(1, sizeof(*obj)); \n\
+ if (!obj) \n\
+ return NULL; \n\
+ if (%1$s__create_skeleton(obj)) \n\
+@@ -464,7 +464,7 @@ static int do_skeleton(int argc, char **argv)
+ { \n\
+ struct bpf_object_skeleton *s; \n\
+ \n\
+- s = (typeof(s))calloc(1, sizeof(*s)); \n\
++ s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s));\n\
+ if (!s) \n\
+ return -1; \n\
+ obj->skeleton = s; \n\
+@@ -482,7 +482,7 @@ static int do_skeleton(int argc, char **argv)
+ /* maps */ \n\
+ s->map_cnt = %zu; \n\
+ s->map_skel_sz = sizeof(*s->maps); \n\
+- s->maps = (typeof(s->maps))calloc(s->map_cnt, s->map_skel_sz);\n\
++ s->maps = (struct bpf_map_skeleton *)calloc(s->map_cnt, s->map_skel_sz);\n\
+ if (!s->maps) \n\
+ goto err; \n\
+ ",
+@@ -518,7 +518,7 @@ static int do_skeleton(int argc, char **argv)
+ /* programs */ \n\
+ s->prog_cnt = %zu; \n\
+ s->prog_skel_sz = sizeof(*s->progs); \n\
+- s->progs = (typeof(s->progs))calloc(s->prog_cnt, s->prog_skel_sz);\n\
++ s->progs = (struct bpf_prog_skeleton *)calloc(s->prog_cnt, s->prog_skel_sz);\n\
+ if (!s->progs) \n\
+ goto err; \n\
+ ",
+--
+2.25.1
+
--- /dev/null
+From ec90fe733e1f54a90352430de6d1b8e4adef4dc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:08:18 -0600
+Subject: vfio-pci: Avoid recursive read-lock usage
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit bc93b9ae0151ae5ad5b8504cdc598428ea99570b ]
+
+A down_read on memory_lock is held when performing read/write accesses
+to MMIO BAR space, including across the copy_to/from_user() callouts
+which may fault. If the user buffer for these copies resides in an
+mmap of device MMIO space, the mmap fault handler will acquire a
+recursive read-lock on memory_lock. Avoid this by reducing the lock
+granularity. Sequential accesses requiring multiple ioread/iowrite
+cycles are expected to be rare, therefore typical accesses should not
+see additional overhead.
+
+VGA MMIO accesses are expected to be non-fatal regardless of the PCI
+memory enable bit to allow legacy probing, this behavior remains with
+a comment added. ioeventfds are now included in memory access testing,
+with writes dropped while memory space is disabled.
+
+Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory")
+Reported-by: Zhiyi Guo <zhguo@redhat.com>
+Tested-by: Zhiyi Guo <zhguo@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_private.h | 2 +
+ drivers/vfio/pci/vfio_pci_rdwr.c | 120 ++++++++++++++++++++++------
+ 2 files changed, 98 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h
+index 86a02aff8735f..61ca8ab165dc1 100644
+--- a/drivers/vfio/pci/vfio_pci_private.h
++++ b/drivers/vfio/pci/vfio_pci_private.h
+@@ -33,12 +33,14 @@
+
+ struct vfio_pci_ioeventfd {
+ struct list_head next;
++ struct vfio_pci_device *vdev;
+ struct virqfd *virqfd;
+ void __iomem *addr;
+ uint64_t data;
+ loff_t pos;
+ int bar;
+ int count;
++ bool test_mem;
+ };
+
+ struct vfio_pci_irq_ctx {
+diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
+index 916b184df3a5b..9e353c484ace2 100644
+--- a/drivers/vfio/pci/vfio_pci_rdwr.c
++++ b/drivers/vfio/pci/vfio_pci_rdwr.c
+@@ -37,17 +37,70 @@
+ #define vfio_ioread8 ioread8
+ #define vfio_iowrite8 iowrite8
+
++#define VFIO_IOWRITE(size) \
++static int vfio_pci_iowrite##size(struct vfio_pci_device *vdev, \
++ bool test_mem, u##size val, void __iomem *io) \
++{ \
++ if (test_mem) { \
++ down_read(&vdev->memory_lock); \
++ if (!__vfio_pci_memory_enabled(vdev)) { \
++ up_read(&vdev->memory_lock); \
++ return -EIO; \
++ } \
++ } \
++ \
++ vfio_iowrite##size(val, io); \
++ \
++ if (test_mem) \
++ up_read(&vdev->memory_lock); \
++ \
++ return 0; \
++}
++
++VFIO_IOWRITE(8)
++VFIO_IOWRITE(16)
++VFIO_IOWRITE(32)
++#ifdef iowrite64
++VFIO_IOWRITE(64)
++#endif
++
++#define VFIO_IOREAD(size) \
++static int vfio_pci_ioread##size(struct vfio_pci_device *vdev, \
++ bool test_mem, u##size *val, void __iomem *io) \
++{ \
++ if (test_mem) { \
++ down_read(&vdev->memory_lock); \
++ if (!__vfio_pci_memory_enabled(vdev)) { \
++ up_read(&vdev->memory_lock); \
++ return -EIO; \
++ } \
++ } \
++ \
++ *val = vfio_ioread##size(io); \
++ \
++ if (test_mem) \
++ up_read(&vdev->memory_lock); \
++ \
++ return 0; \
++}
++
++VFIO_IOREAD(8)
++VFIO_IOREAD(16)
++VFIO_IOREAD(32)
++
+ /*
+ * Read or write from an __iomem region (MMIO or I/O port) with an excluded
+ * range which is inaccessible. The excluded range drops writes and fills
+ * reads with -1. This is intended for handling MSI-X vector tables and
+ * leftover space for ROM BARs.
+ */
+-static ssize_t do_io_rw(void __iomem *io, char __user *buf,
++static ssize_t do_io_rw(struct vfio_pci_device *vdev, bool test_mem,
++ void __iomem *io, char __user *buf,
+ loff_t off, size_t count, size_t x_start,
+ size_t x_end, bool iswrite)
+ {
+ ssize_t done = 0;
++ int ret;
+
+ while (count) {
+ size_t fillable, filled;
+@@ -66,9 +119,15 @@ static ssize_t do_io_rw(void __iomem *io, char __user *buf,
+ if (copy_from_user(&val, buf, 4))
+ return -EFAULT;
+
+- vfio_iowrite32(val, io + off);
++ ret = vfio_pci_iowrite32(vdev, test_mem,
++ val, io + off);
++ if (ret)
++ return ret;
+ } else {
+- val = vfio_ioread32(io + off);
++ ret = vfio_pci_ioread32(vdev, test_mem,
++ &val, io + off);
++ if (ret)
++ return ret;
+
+ if (copy_to_user(buf, &val, 4))
+ return -EFAULT;
+@@ -82,9 +141,15 @@ static ssize_t do_io_rw(void __iomem *io, char __user *buf,
+ if (copy_from_user(&val, buf, 2))
+ return -EFAULT;
+
+- vfio_iowrite16(val, io + off);
++ ret = vfio_pci_iowrite16(vdev, test_mem,
++ val, io + off);
++ if (ret)
++ return ret;
+ } else {
+- val = vfio_ioread16(io + off);
++ ret = vfio_pci_ioread16(vdev, test_mem,
++ &val, io + off);
++ if (ret)
++ return ret;
+
+ if (copy_to_user(buf, &val, 2))
+ return -EFAULT;
+@@ -98,9 +163,15 @@ static ssize_t do_io_rw(void __iomem *io, char __user *buf,
+ if (copy_from_user(&val, buf, 1))
+ return -EFAULT;
+
+- vfio_iowrite8(val, io + off);
++ ret = vfio_pci_iowrite8(vdev, test_mem,
++ val, io + off);
++ if (ret)
++ return ret;
+ } else {
+- val = vfio_ioread8(io + off);
++ ret = vfio_pci_ioread8(vdev, test_mem,
++ &val, io + off);
++ if (ret)
++ return ret;
+
+ if (copy_to_user(buf, &val, 1))
+ return -EFAULT;
+@@ -178,14 +249,6 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
+
+ count = min(count, (size_t)(end - pos));
+
+- if (res->flags & IORESOURCE_MEM) {
+- down_read(&vdev->memory_lock);
+- if (!__vfio_pci_memory_enabled(vdev)) {
+- up_read(&vdev->memory_lock);
+- return -EIO;
+- }
+- }
+-
+ if (bar == PCI_ROM_RESOURCE) {
+ /*
+ * The ROM can fill less space than the BAR, so we start the
+@@ -213,7 +276,8 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
+ x_end = vdev->msix_offset + vdev->msix_size;
+ }
+
+- done = do_io_rw(io, buf, pos, count, x_start, x_end, iswrite);
++ done = do_io_rw(vdev, res->flags & IORESOURCE_MEM, io, buf, pos,
++ count, x_start, x_end, iswrite);
+
+ if (done >= 0)
+ *ppos += done;
+@@ -221,9 +285,6 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
+ if (bar == PCI_ROM_RESOURCE)
+ pci_unmap_rom(pdev, io);
+ out:
+- if (res->flags & IORESOURCE_MEM)
+- up_read(&vdev->memory_lock);
+-
+ return done;
+ }
+
+@@ -278,7 +339,12 @@ ssize_t vfio_pci_vga_rw(struct vfio_pci_device *vdev, char __user *buf,
+ return ret;
+ }
+
+- done = do_io_rw(iomem, buf, off, count, 0, 0, iswrite);
++ /*
++ * VGA MMIO is a legacy, non-BAR resource that hopefully allows
++ * probing, so we don't currently worry about access in relation
++ * to the memory enable bit in the command register.
++ */
++ done = do_io_rw(vdev, false, iomem, buf, off, count, 0, 0, iswrite);
+
+ vga_put(vdev->pdev, rsrc);
+
+@@ -296,17 +362,21 @@ static int vfio_pci_ioeventfd_handler(void *opaque, void *unused)
+
+ switch (ioeventfd->count) {
+ case 1:
+- vfio_iowrite8(ioeventfd->data, ioeventfd->addr);
++ vfio_pci_iowrite8(ioeventfd->vdev, ioeventfd->test_mem,
++ ioeventfd->data, ioeventfd->addr);
+ break;
+ case 2:
+- vfio_iowrite16(ioeventfd->data, ioeventfd->addr);
++ vfio_pci_iowrite16(ioeventfd->vdev, ioeventfd->test_mem,
++ ioeventfd->data, ioeventfd->addr);
+ break;
+ case 4:
+- vfio_iowrite32(ioeventfd->data, ioeventfd->addr);
++ vfio_pci_iowrite32(ioeventfd->vdev, ioeventfd->test_mem,
++ ioeventfd->data, ioeventfd->addr);
+ break;
+ #ifdef iowrite64
+ case 8:
+- vfio_iowrite64(ioeventfd->data, ioeventfd->addr);
++ vfio_pci_iowrite64(ioeventfd->vdev, ioeventfd->test_mem,
++ ioeventfd->data, ioeventfd->addr);
+ break;
+ #endif
+ }
+@@ -378,11 +448,13 @@ long vfio_pci_ioeventfd(struct vfio_pci_device *vdev, loff_t offset,
+ goto out_unlock;
+ }
+
++ ioeventfd->vdev = vdev;
+ ioeventfd->addr = vdev->barmap[bar] + pos;
+ ioeventfd->data = data;
+ ioeventfd->pos = pos;
+ ioeventfd->bar = bar;
+ ioeventfd->count = count;
++ ioeventfd->test_mem = vdev->pdev->resource[bar].flags & IORESOURCE_MEM;
+
+ ret = vfio_virqfd_enable(ioeventfd, vfio_pci_ioeventfd_handler,
+ NULL, NULL, &ioeventfd->virqfd, fd);
+--
+2.25.1
+
--- /dev/null
+From 9067aa2cca0762d44037e787c7d0a332bbcadd5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:09:13 -0600
+Subject: vfio/type1: Add proper error unwind for vfio_iommu_replay()
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit aae7a75a821a793ed6b8ad502a5890fb8e8f172d ]
+
+The vfio_iommu_replay() function does not currently unwind on error,
+yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma
+structure to indicate IOMMU mapping. The IOMMU mappings are torn down
+when the domain is destroyed, but the other actions go on to cause
+trouble later. For example, the iommu->domain_list can be empty if we
+only have a non-IOMMU backed mdev attached. We don't currently check
+if the list is empty before getting the first entry in the list, which
+leads to a bogus domain pointer. If a vfio_dma entry is erroneously
+marked as iommu_mapped, we'll attempt to use that bogus pointer to
+retrieve the existing physical page addresses.
+
+This is the scenario that uncovered this issue, attempting to hot-add
+a vfio-pci device to a container with an existing mdev device and DMA
+mappings, one of which could not be pinned, causing a failure adding
+the new group to the existing container and setting the conditions
+for a subsequent attempt to explode.
+
+To resolve this, we can first check if the domain_list is empty so
+that we can reject replay of a bogus domain, should we ever encounter
+this inconsistent state again in the future. The real fix though is
+to add the necessary unwind support, which means cleaning up the
+current pinning if an IOMMU mapping fails, then walking back through
+the r-b tree of DMA entries, reading from the IOMMU which ranges are
+mapped, and unmapping and unpinning those ranges. To be able to do
+this, we also defer marking the DMA entry as IOMMU mapped until all
+entries are processed, in order to allow the unwind to know the
+disposition of each entry.
+
+Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices")
+Reported-by: Zhiyi Guo <zhguo@redhat.com>
+Tested-by: Zhiyi Guo <zhguo@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 71 ++++++++++++++++++++++++++++++---
+ 1 file changed, 66 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 5e556ac9102a5..f48f0db908a46 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -1422,13 +1422,16 @@ static int vfio_bus_type(struct device *dev, void *data)
+ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ struct vfio_domain *domain)
+ {
+- struct vfio_domain *d;
++ struct vfio_domain *d = NULL;
+ struct rb_node *n;
+ unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+ int ret;
+
+ /* Arbitrarily pick the first domain in the list for lookups */
+- d = list_first_entry(&iommu->domain_list, struct vfio_domain, next);
++ if (!list_empty(&iommu->domain_list))
++ d = list_first_entry(&iommu->domain_list,
++ struct vfio_domain, next);
++
+ n = rb_first(&iommu->dma_list);
+
+ for (; n; n = rb_next(n)) {
+@@ -1446,6 +1449,11 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ phys_addr_t p;
+ dma_addr_t i;
+
++ if (WARN_ON(!d)) { /* mapped w/o a domain?! */
++ ret = -EINVAL;
++ goto unwind;
++ }
++
+ phys = iommu_iova_to_phys(d->domain, iova);
+
+ if (WARN_ON(!phys)) {
+@@ -1475,7 +1483,7 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ if (npage <= 0) {
+ WARN_ON(!npage);
+ ret = (int)npage;
+- return ret;
++ goto unwind;
+ }
+
+ phys = pfn << PAGE_SHIFT;
+@@ -1484,14 +1492,67 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+
+ ret = iommu_map(domain->domain, iova, phys,
+ size, dma->prot | domain->prot);
+- if (ret)
+- return ret;
++ if (ret) {
++ if (!dma->iommu_mapped)
++ vfio_unpin_pages_remote(dma, iova,
++ phys >> PAGE_SHIFT,
++ size >> PAGE_SHIFT,
++ true);
++ goto unwind;
++ }
+
+ iova += size;
+ }
++ }
++
++ /* All dmas are now mapped, defer to second tree walk for unwind */
++ for (n = rb_first(&iommu->dma_list); n; n = rb_next(n)) {
++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node);
++
+ dma->iommu_mapped = true;
+ }
++
+ return 0;
++
++unwind:
++ for (; n; n = rb_prev(n)) {
++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node);
++ dma_addr_t iova;
++
++ if (dma->iommu_mapped) {
++ iommu_unmap(domain->domain, dma->iova, dma->size);
++ continue;
++ }
++
++ iova = dma->iova;
++ while (iova < dma->iova + dma->size) {
++ phys_addr_t phys, p;
++ size_t size;
++ dma_addr_t i;
++
++ phys = iommu_iova_to_phys(domain->domain, iova);
++ if (!phys) {
++ iova += PAGE_SIZE;
++ continue;
++ }
++
++ size = PAGE_SIZE;
++ p = phys + size;
++ i = iova + size;
++ while (i < dma->iova + dma->size &&
++ p == iommu_iova_to_phys(domain->domain, i)) {
++ size += PAGE_SIZE;
++ p += PAGE_SIZE;
++ i += PAGE_SIZE;
++ }
++
++ iommu_unmap(domain->domain, iova, size);
++ vfio_unpin_pages_remote(dma, iova, phys >> PAGE_SHIFT,
++ size >> PAGE_SHIFT, true);
++ }
++ }
++
++ return ret;
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From eaa833e616b7b7b4c2f516fdaa9b60c7fe7d6533 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:07:28 +0100
+Subject: watch_queue: Limit the number of watches a user can hold
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 29e44f4535faa71a70827af3639b5e6762d8f02a ]
+
+Impose a limit on the number of watches that a user can hold so that
+they can't use this mechanism to fill up all the available memory.
+
+This is done by putting a counter in user_struct that's incremented when
+a watch is allocated and decreased when it is released. If the number
+exceeds the RLIMIT_NOFILE limit, the watch is rejected with EAGAIN.
+
+This can be tested by the following means:
+
+ (1) Create a watch queue and attach it to fd 5 in the program given - in
+ this case, bash:
+
+ keyctl watch_session /tmp/nlog /tmp/gclog 5 bash
+
+ (2) In the shell, set the maximum number of files to, say, 99:
+
+ ulimit -n 99
+
+ (3) Add 200 keyrings:
+
+ for ((i=0; i<200; i++)); do keyctl newring a$i @s || break; done
+
+ (4) Try to watch all of the keyrings:
+
+ for ((i=0; i<200; i++)); do echo $i; keyctl watch_add 5 %:a$i || break; done
+
+ This should fail when the number of watches belonging to the user hits
+ 99.
+
+ (5) Remove all the keyrings and all of those watches should go away:
+
+ for ((i=0; i<200; i++)); do keyctl unlink %:a$i; done
+
+ (6) Kill off the watch queue by exiting the shell spawned by
+ watch_session.
+
+Fixes: c73be61cede5 ("pipe: Add general notification queue support")
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/user.h | 3 +++
+ kernel/watch_queue.c | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/include/linux/sched/user.h b/include/linux/sched/user.h
+index 917d88edb7b9d..a8ec3b6093fcb 100644
+--- a/include/linux/sched/user.h
++++ b/include/linux/sched/user.h
+@@ -36,6 +36,9 @@ struct user_struct {
+ defined(CONFIG_NET) || defined(CONFIG_IO_URING)
+ atomic_long_t locked_vm;
+ #endif
++#ifdef CONFIG_WATCH_QUEUE
++ atomic_t nr_watches; /* The number of watches this user currently has */
++#endif
+
+ /* Miscellaneous per-user rate limit */
+ struct ratelimit_state ratelimit;
+diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
+index f74020f6bd9d5..0ef8f65bd2d71 100644
+--- a/kernel/watch_queue.c
++++ b/kernel/watch_queue.c
+@@ -393,6 +393,7 @@ static void free_watch(struct rcu_head *rcu)
+ struct watch *watch = container_of(rcu, struct watch, rcu);
+
+ put_watch_queue(rcu_access_pointer(watch->queue));
++ atomic_dec(&watch->cred->user->nr_watches);
+ put_cred(watch->cred);
+ }
+
+@@ -452,6 +453,13 @@ int add_watch_to_object(struct watch *watch, struct watch_list *wlist)
+ watch->cred = get_current_cred();
+ rcu_assign_pointer(watch->watch_list, wlist);
+
++ if (atomic_inc_return(&watch->cred->user->nr_watches) >
++ task_rlimit(current, RLIMIT_NOFILE)) {
++ atomic_dec(&watch->cred->user->nr_watches);
++ put_cred(watch->cred);
++ return -EAGAIN;
++ }
++
+ spin_lock_bh(&wqueue->lock);
+ kref_get(&wqueue->usage);
+ kref_get(&watch->usage);
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
