--- /dev/null
+From f277dbaa8daa0a245e1419a97e342d694e0754b5 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 10 Jul 2019 15:05:43 +0200
+Subject: ACPI: blacklist: fix clang warning for unused DMI table
+
+[ Upstream commit b80d6a42bdc97bdb6139107d6034222e9843c6e2 ]
+
+When CONFIG_DMI is disabled, we only have a tentative declaration,
+which causes a warning from clang:
+
+drivers/acpi/blacklist.c:20:35: error: tentative array definition assumed to have one element [-Werror]
+static const struct dmi_system_id acpi_rev_dmi_table[] __initconst;
+
+As the variable is not actually used here, hide it entirely
+in an #ifdef to shut up the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/blacklist.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
+index 995c4d8922b12..761f0c19a4512 100644
+--- a/drivers/acpi/blacklist.c
++++ b/drivers/acpi/blacklist.c
+@@ -30,7 +30,9 @@
+
+ #include "internal.h"
+
++#ifdef CONFIG_DMI
+ static const struct dmi_system_id acpi_rev_dmi_table[] __initconst;
++#endif
+
+ /*
+ * POLICY: If *anything* doesn't work, put it on the blacklist.
+@@ -74,7 +76,9 @@ int __init acpi_blacklisted(void)
+ }
+
+ (void)early_acpi_osi_init();
++#ifdef CONFIG_DMI
+ dmi_check_system(acpi_rev_dmi_table);
++#endif
+
+ return blacklisted;
+ }
+--
+2.20.1
+
--- /dev/null
+From 08f2f540f634aec1e7beed6e6b0d0b899c3f44c6 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 12 Jul 2019 11:01:21 +0200
+Subject: ACPI: fix false-positive -Wuninitialized warning
+
+[ Upstream commit dfd6f9ad36368b8dbd5f5a2b2f0a4705ae69a323 ]
+
+clang gets confused by an uninitialized variable in what looks
+to it like a never executed code path:
+
+arch/x86/kernel/acpi/boot.c:618:13: error: variable 'polarity' is uninitialized when used here [-Werror,-Wuninitialized]
+ polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
+ ^~~~~~~~
+arch/x86/kernel/acpi/boot.c:606:32: note: initialize the variable 'polarity' to silence this warning
+ int rc, irq, trigger, polarity;
+ ^
+ = 0
+arch/x86/kernel/acpi/boot.c:617:12: error: variable 'trigger' is uninitialized when used here [-Werror,-Wuninitialized]
+ trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
+ ^~~~~~~
+arch/x86/kernel/acpi/boot.c:606:22: note: initialize the variable 'trigger' to silence this warning
+ int rc, irq, trigger, polarity;
+ ^
+ = 0
+
+This is unfortunately a design decision in clang and won't be fixed.
+
+Changing the acpi_get_override_irq() macro to an inline function
+reliably avoids the issue.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/acpi.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/acpi.h b/include/linux/acpi.h
+index de8d3d3fa6512..b4d23b3a2ef2d 100644
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -326,7 +326,10 @@ void acpi_set_irq_model(enum acpi_irq_model_id model,
+ #ifdef CONFIG_X86_IO_APIC
+ extern int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity);
+ #else
+-#define acpi_get_override_irq(gsi, trigger, polarity) (-1)
++static inline int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity)
++{
++ return -1;
++}
+ #endif
+ /*
+ * This function undoes the effect of one call to acpi_register_gsi().
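Review bot: The new stub returns -1 without writing `*trigger` or `*polarity`, and nothing at the definition says so. The warning quoted in the description arises because a caller reads those variables after the call. A one-line comment above the stub would make the contract explicit, e.g. `/* No IO-APIC: always fails and leaves *trigger and *polarity unset; callers must check the return value. */`.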
+--
+2.20.1
+
--- /dev/null
+From 6d373d5ee1d1c89918718d9b5a92aad8d11cf68f Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 3 May 2019 16:45:37 -0700
+Subject: ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again
+
+[ Upstream commit 99fa066710f75f18f4d9a5bc5f6a711968a581d5 ]
+
+When I try to boot rk3288-veyron-mickey I totally fail to make the
+eMMC work. Specifically my logs (on Chrome OS 4.19):
+
+ mmc_host mmc1: card is non-removable.
+ mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0)
+ mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0)
+ mmc1: switch to bus width 8 failed
+ mmc1: switch to bus width 4 failed
+ mmc1: new high speed MMC card at address 0001
+ mmcblk1: mmc1:0001 HAG2e 14.7 GiB
+ mmcblk1boot0: mmc1:0001 HAG2e partition 1 4.00 MiB
+ mmcblk1boot1: mmc1:0001 HAG2e partition 2 4.00 MiB
+ mmcblk1rpmb: mmc1:0001 HAG2e partition 3 4.00 MiB, chardev (243:0)
+ mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0)
+ mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0)
+ mmc1: switch to bus width 8 failed
+ mmc1: switch to bus width 4 failed
+ mmc1: tried to HW reset card, got error -110
+ mmcblk1: error -110 requesting status
+ mmcblk1: recovery failed!
+ print_req_error: I/O error, dev mmcblk1, sector 0
+ ...
+
+When I remove the '/delete-property/mmc-hs200-1_8v' then everything is
+hunky dory.
+
+That line comes from the original submission of the mickey dts
+upstream, so presumably at the time the HS200 was failing and just
+enumerating things as a high speed device was fine. ...or maybe it's
+just that some mickey devices work when enumerating at "high speed",
+just not mine?
+
+In any case, hs200 seems good now. Let's turn it on.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3288-veyron-mickey.dts | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3288-veyron-mickey.dts b/arch/arm/boot/dts/rk3288-veyron-mickey.dts
+index 1e0158acf895d..a593d0a998fc8 100644
+--- a/arch/arm/boot/dts/rk3288-veyron-mickey.dts
++++ b/arch/arm/boot/dts/rk3288-veyron-mickey.dts
+@@ -124,10 +124,6 @@
+ };
+ };
+
+-&emmc {
+- /delete-property/mmc-hs200-1_8v;
+-};
+-
+ &i2c2 {
+ status = "disabled";
+ };
+--
+2.20.1
+
--- /dev/null
+From c8040b9f3339e0a3230fed9b54cb352f2134d1af Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 3 May 2019 16:41:42 -0700
+Subject: ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200
+
+[ Upstream commit 1c0479023412ab7834f2e98b796eb0d8c627cd62 ]
+
+As some point hs200 was failing on rk3288-veyron-minnie. See commit
+984926781122 ("ARM: dts: rockchip: temporarily remove emmc hs200 speed
+from rk3288 minnie"). Although I didn't track down exactly when it
+started working, it seems to work OK now, so let's turn it back on.
+
+To test this, I booted from SD card and then used this script to
+stress the enumeration process after fixing a memory leak [1]:
+ cd /sys/bus/platform/drivers/dwmmc_rockchip
+ for i in $(seq 1 3000); do
+ echo "========================" $i
+ echo ff0f0000.dwmmc > unbind
+ sleep .5
+ echo ff0f0000.dwmmc > bind
+ while true; do
+ if [ -e /dev/mmcblk2 ]; then
+ break;
+ fi
+ sleep .1
+ done
+ done
+
+It worked fine.
+
+[1] https://lkml.kernel.org/r/20190503233526.226272-1-dianders@chromium.org
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3288-veyron-minnie.dts | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3288-veyron-minnie.dts b/arch/arm/boot/dts/rk3288-veyron-minnie.dts
+index f95d0c5fcf712..6e8946052c78b 100644
+--- a/arch/arm/boot/dts/rk3288-veyron-minnie.dts
++++ b/arch/arm/boot/dts/rk3288-veyron-minnie.dts
+@@ -90,10 +90,6 @@
+ pwm-off-delay-ms = <200>;
+ };
+
+-&emmc {
+- /delete-property/mmc-hs200-1_8v;
+-};
+-
+ &gpio_keys {
+ pinctrl-0 = <&pwr_key_l &ap_lid_int_l &volum_down_l &volum_up_l>;
+
+--
+2.20.1
+
--- /dev/null
+From 1d2a545845293077e757b9b2399ec0eee73e19d3 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 21 May 2019 16:49:33 -0700
+Subject: ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
+
+[ Upstream commit 8ef1ba39a9fa53d2205e633bc9b21840a275908e ]
+
+This is similar to commit e6186820a745 ("arm64: dts: rockchip: Arch
+counter doesn't tick in system suspend"). Specifically on the rk3288
+it can be seen that the timer stops ticking in suspend if we end up
+running through the "osc_disable" path in rk3288_slp_mode_set(). In
+that path the 24 MHz clock will turn off and the timer stops.
+
+To test this, I ran this on a Chrome OS filesystem:
+ before=$(date); \
+ suspend_stress_test -c1 --suspend_min=30 --suspend_max=31; \
+ echo ${before}; date
+
+...and I found that unless I plug in a device that requests USB wakeup
+to be active that the two calls to "date" would show that fewer than
+30 seconds passed.
+
+NOTE: deep suspend (where the 24 MHz clock gets disabled) isn't
+supported yet on upstream Linux so this was tested on a downstream
+kernel.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3288.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index c706adf4aed2f..440d6783faca5 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -227,6 +227,7 @@
+ <GIC_PPI 11 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>,
+ <GIC_PPI 10 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>;
+ clock-frequency = <24000000>;
++ arm,no-tick-in-suspend;
+ };
+
+ timer: timer@ff810000 {
+--
+2.20.1
+
--- /dev/null
+From 4bb7f148bbeb05375ecba05338a9eca687551fa5 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 2 May 2019 17:19:18 +0100
+Subject: ARM: riscpc: fix DMA
+
+[ Upstream commit ffd9a1ba9fdb7f2bd1d1ad9b9243d34e96756ba2 ]
+
+DMA got broken a while back in two different ways:
+1) a change in the behaviour of disable_irq() to wait for the interrupt
+ to finish executing causes us to deadlock at the end of DMA.
+2) a change to avoid modifying the scatterlist left the first transfer
+ uninitialised.
+
+DMA is only used with expansion cards, so has gone unnoticed.
+
+Fixes: fa4e99899932 ("[ARM] dma: RiscPC: don't modify DMA SG entries")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-rpc/dma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-rpc/dma.c b/arch/arm/mach-rpc/dma.c
+index fb48f3141fb4d..c4c96661eb89a 100644
+--- a/arch/arm/mach-rpc/dma.c
++++ b/arch/arm/mach-rpc/dma.c
+@@ -131,7 +131,7 @@ static irqreturn_t iomd_dma_handle(int irq, void *dev_id)
+ } while (1);
+
+ idma->state = ~DMA_ST_AB;
+- disable_irq(irq);
++ disable_irq_nosync(irq);
+
+ return IRQ_HANDLED;
+ }
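Review bot: `disable_irq_nosync(irq)` at the end of iomd_dma_handle() has no comment explaining why the non-waiting variant is required, so it is easy to "tidy" it back to disable_irq() later. Per the description, disable_irq() now waits for the running handler to finish, which deadlocks when it is called from that handler. Say so in place, e.g. `/* nosync: disable_irq() would wait for this handler to finish and deadlock */`. The start of the handler is outside the hunk.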
+@@ -174,6 +174,9 @@ static void iomd_enable_dma(unsigned int chan, dma_t *dma)
+ DMA_FROM_DEVICE : DMA_TO_DEVICE);
+ }
+
++ idma->dma_addr = idma->dma.sg->dma_address;
++ idma->dma_len = idma->dma.sg->length;
++
+ iomd_writeb(DMA_CR_C, dma_base + CR);
+ idma->state = DMA_ST_AB;
+ }
+--
+2.20.1
+
--- /dev/null
+From 5e65d110f7c22f2fd484e8720ab7dff7979621aa Mon Sep 17 00:00:00 2001
+From: Helen Koike <helen.koike@collabora.com>
+Date: Mon, 3 Jun 2019 11:22:15 -0300
+Subject: arm64: dts: rockchip: fix isp iommu clocks and power domain
+
+[ Upstream commit c432a29d3fc9ee928caeca2f5cf68b3aebfa6817 ]
+
+isp iommu requires wrapper variants of the clocks.
+noc variants are always on and using the wrapper variants will activate
+{A,H}CLK_ISP{0,1} due to the hierarchy.
+
+Tested using the pending isp patch set (which is not upstream
+yet). Without this patch, streaming from the isp stalls.
+
+Also add the respective power domain and remove the "disabled" status.
+
+Refer:
+ RK3399 TRM v1.4 Fig. 2-4 RK3399 Clock Architecture Diagram
+ RK3399 TRM v1.4 Fig. 8-1 RK3399 Power Domain Partition
+
+Signed-off-by: Helen Koike <helen.koike@collabora.com>
+Tested-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+index df7e62d9a6708..cea44a7c7cf99 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+@@ -1643,11 +1643,11 @@
+ reg = <0x0 0xff914000 0x0 0x100>, <0x0 0xff915000 0x0 0x100>;
+ interrupts = <GIC_SPI 43 IRQ_TYPE_LEVEL_HIGH 0>;
+ interrupt-names = "isp0_mmu";
+- clocks = <&cru ACLK_ISP0_NOC>, <&cru HCLK_ISP0_NOC>;
++ clocks = <&cru ACLK_ISP0_WRAPPER>, <&cru HCLK_ISP0_WRAPPER>;
+ clock-names = "aclk", "iface";
+ #iommu-cells = <0>;
++ power-domains = <&power RK3399_PD_ISP0>;
+ rockchip,disable-mmu-reset;
+- status = "disabled";
+ };
+
+ isp1_mmu: iommu@ff924000 {
+@@ -1655,11 +1655,11 @@
+ reg = <0x0 0xff924000 0x0 0x100>, <0x0 0xff925000 0x0 0x100>;
+ interrupts = <GIC_SPI 44 IRQ_TYPE_LEVEL_HIGH 0>;
+ interrupt-names = "isp1_mmu";
+- clocks = <&cru ACLK_ISP1_NOC>, <&cru HCLK_ISP1_NOC>;
++ clocks = <&cru ACLK_ISP1_WRAPPER>, <&cru HCLK_ISP1_WRAPPER>;
+ clock-names = "aclk", "iface";
+ #iommu-cells = <0>;
++ power-domains = <&power RK3399_PD_ISP1>;
+ rockchip,disable-mmu-reset;
+- status = "disabled";
+ };
+
+ hdmi_sound: hdmi-sound {
+--
+2.20.1
+
--- /dev/null
+From 299af7c6c966153e015a5a94e2dc703d1e03a083 Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Tue, 16 Jul 2019 17:16:55 +0900
+Subject: be2net: Signal that the device cannot transmit during reconfiguration
+
+[ Upstream commit 7429c6c0d9cb086d8e79f0d2a48ae14851d2115e ]
+
+While changing the number of interrupt channels, be2net stops adapter
+operation (including netif_tx_disable()) but it doesn't signal that it
+cannot transmit. This may lead dev_watchdog() to falsely trigger during
+that time.
+
+Add the missing call to netif_carrier_off(), following the pattern used in
+many other drivers. netif_carrier_on() is already taken care of in
+be_open().
+
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index bff74752cef16..3fe6a28027fe1 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -4700,8 +4700,12 @@ int be_update_queues(struct be_adapter *adapter)
+ struct net_device *netdev = adapter->netdev;
+ int status;
+
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ /* device cannot transmit now, avoid dev_watchdog timeouts */
++ netif_carrier_off(netdev);
++
+ be_close(netdev);
++ }
+
+ be_cancel_worker(adapter);
+
+--
+2.20.1
+
--- /dev/null
+From 1263d238060c49e05fc0345e58e720a9cc20f675 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Fri, 17 May 2019 11:43:13 +0200
+Subject: btrfs: fix minimum number of chunk errors for DUP
+
+[ Upstream commit 0ee5f8ae082e1f675a2fb6db601c31ac9958a134 ]
+
+The list of profiles in btrfs_chunk_max_errors lists DUP as a profile
+DUP able to tolerate 1 device missing. Though this profile is special
+with 2 copies, it still needs the device, unlike the others.
+
+Looking at the history of changes, thre's no clear reason why DUP is
+there, functions were refactored and blocks of code merged to one
+helper.
+
+d20983b40e828 Btrfs: fix writing data into the seed filesystem
+ - factor code to a helper
+
+de11cc12df173 Btrfs: don't pre-allocate btrfs bio
+ - unrelated change, DUP still in the list with max errors 1
+
+a236aed14ccb0 Btrfs: Deal with failed writes in mirrored configurations
+ - introduced the max errors, leaves DUP and RAID1 in the same group
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/volumes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 2fd000308be76..6e008bd5c8cd1 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -5040,8 +5040,7 @@ static inline int btrfs_chunk_max_errors(struct map_lookup *map)
+
+ if (map->type & (BTRFS_BLOCK_GROUP_RAID1 |
+ BTRFS_BLOCK_GROUP_RAID10 |
+- BTRFS_BLOCK_GROUP_RAID5 |
+- BTRFS_BLOCK_GROUP_DUP)) {
++ BTRFS_BLOCK_GROUP_RAID5)) {
+ max_errors = 1;
+ } else if (map->type & BTRFS_BLOCK_GROUP_RAID6) {
+ max_errors = 2;
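Review bot: After this hunk DUP is no longer in the `max_errors = 1` group, but the reason lives only in the commit message. A short comment above the `if` would keep the profile from being added back to the list, e.g. `/* DUP keeps both copies on one device, so it tolerates no missing device */`. The rest of the if/else chain and the function's return are outside the hunk, so the value DUP now receives cannot be confirmed from here.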
+--
+2.20.1
+
--- /dev/null
+From c85c2de19e5362ea085106327adb7bd66fd00181 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Thu, 13 Jun 2019 17:31:24 +0800
+Subject: btrfs: qgroup: Don't hold qgroup_ioctl_lock in btrfs_qgroup_inherit()
+
+[ Upstream commit e88439debd0a7f969b3ddba6f147152cd0732676 ]
+
+[BUG]
+Lockdep will report the following circular locking dependency:
+
+ WARNING: possible circular locking dependency detected
+ 5.2.0-rc2-custom #24 Tainted: G O
+ ------------------------------------------------------
+ btrfs/8631 is trying to acquire lock:
+ 000000002536438c (&fs_info->qgroup_ioctl_lock#2){+.+.}, at: btrfs_qgroup_inherit+0x40/0x620 [btrfs]
+
+ but task is already holding lock:
+ 000000003d52cc23 (&fs_info->tree_log_mutex){+.+.}, at: create_pending_snapshot+0x8b6/0xe60 [btrfs]
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #2 (&fs_info->tree_log_mutex){+.+.}:
+ __mutex_lock+0x76/0x940
+ mutex_lock_nested+0x1b/0x20
+ btrfs_commit_transaction+0x475/0xa00 [btrfs]
+ btrfs_commit_super+0x71/0x80 [btrfs]
+ close_ctree+0x2bd/0x320 [btrfs]
+ btrfs_put_super+0x15/0x20 [btrfs]
+ generic_shutdown_super+0x72/0x110
+ kill_anon_super+0x18/0x30
+ btrfs_kill_super+0x16/0xa0 [btrfs]
+ deactivate_locked_super+0x3a/0x80
+ deactivate_super+0x51/0x60
+ cleanup_mnt+0x3f/0x80
+ __cleanup_mnt+0x12/0x20
+ task_work_run+0x94/0xb0
+ exit_to_usermode_loop+0xd8/0xe0
+ do_syscall_64+0x210/0x240
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ -> #1 (&fs_info->reloc_mutex){+.+.}:
+ __mutex_lock+0x76/0x940
+ mutex_lock_nested+0x1b/0x20
+ btrfs_commit_transaction+0x40d/0xa00 [btrfs]
+ btrfs_quota_enable+0x2da/0x730 [btrfs]
+ btrfs_ioctl+0x2691/0x2b40 [btrfs]
+ do_vfs_ioctl+0xa9/0x6d0
+ ksys_ioctl+0x67/0x90
+ __x64_sys_ioctl+0x1a/0x20
+ do_syscall_64+0x65/0x240
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ -> #0 (&fs_info->qgroup_ioctl_lock#2){+.+.}:
+ lock_acquire+0xa7/0x190
+ __mutex_lock+0x76/0x940
+ mutex_lock_nested+0x1b/0x20
+ btrfs_qgroup_inherit+0x40/0x620 [btrfs]
+ create_pending_snapshot+0x9d7/0xe60 [btrfs]
+ create_pending_snapshots+0x94/0xb0 [btrfs]
+ btrfs_commit_transaction+0x415/0xa00 [btrfs]
+ btrfs_mksubvol+0x496/0x4e0 [btrfs]
+ btrfs_ioctl_snap_create_transid+0x174/0x180 [btrfs]
+ btrfs_ioctl_snap_create_v2+0x11c/0x180 [btrfs]
+ btrfs_ioctl+0xa90/0x2b40 [btrfs]
+ do_vfs_ioctl+0xa9/0x6d0
+ ksys_ioctl+0x67/0x90
+ __x64_sys_ioctl+0x1a/0x20
+ do_syscall_64+0x65/0x240
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ other info that might help us debug this:
+
+ Chain exists of:
+ &fs_info->qgroup_ioctl_lock#2 --> &fs_info->reloc_mutex --> &fs_info->tree_log_mutex
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&fs_info->tree_log_mutex);
+ lock(&fs_info->reloc_mutex);
+ lock(&fs_info->tree_log_mutex);
+ lock(&fs_info->qgroup_ioctl_lock#2);
+
+ *** DEADLOCK ***
+
+ 6 locks held by btrfs/8631:
+ #0: 00000000ed8f23f6 (sb_writers#12){.+.+}, at: mnt_want_write_file+0x28/0x60
+ #1: 000000009fb1597a (&type->i_mutex_dir_key#10/1){+.+.}, at: btrfs_mksubvol+0x70/0x4e0 [btrfs]
+ #2: 0000000088c5ad88 (&fs_info->subvol_sem){++++}, at: btrfs_mksubvol+0x128/0x4e0 [btrfs]
+ #3: 000000009606fc3e (sb_internal#2){.+.+}, at: start_transaction+0x37a/0x520 [btrfs]
+ #4: 00000000f82bbdf5 (&fs_info->reloc_mutex){+.+.}, at: btrfs_commit_transaction+0x40d/0xa00 [btrfs]
+ #5: 000000003d52cc23 (&fs_info->tree_log_mutex){+.+.}, at: create_pending_snapshot+0x8b6/0xe60 [btrfs]
+
+[CAUSE]
+Due to the delayed subvolume creation, we need to call
+btrfs_qgroup_inherit() inside commit transaction code, with a lot of
+other mutex hold.
+This hell of lock chain can lead to above problem.
+
+[FIX]
+On the other hand, we don't really need to hold qgroup_ioctl_lock if
+we're in the context of create_pending_snapshot().
+As in that context, we're the only one being able to modify qgroup.
+
+All other qgroup functions which needs qgroup_ioctl_lock are either
+holding a transaction handle, or will start a new transaction:
+ Functions will start a new transaction():
+ * btrfs_quota_enable()
+ * btrfs_quota_disable()
+ Functions hold a transaction handler:
+ * btrfs_add_qgroup_relation()
+ * btrfs_del_qgroup_relation()
+ * btrfs_create_qgroup()
+ * btrfs_remove_qgroup()
+ * btrfs_limit_qgroup()
+ * btrfs_qgroup_inherit() call inside create_subvol()
+
+So we have a higher level protection provided by transaction, thus we
+don't need to always hold qgroup_ioctl_lock in btrfs_qgroup_inherit().
+
+Only the btrfs_qgroup_inherit() call in create_subvol() needs to hold
+qgroup_ioctl_lock, while the btrfs_qgroup_inherit() call in
+create_pending_snapshot() is already protected by transaction.
+
+So the fix is to detect the context by checking
+trans->transaction->state.
+If we're at TRANS_STATE_COMMIT_DOING, then we're in commit transaction
+context and no need to get the mutex.
+
+Reported-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index e46e83e876001..734866ab51941 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2249,6 +2249,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ int ret = 0;
+ int i;
+ u64 *i_qgroups;
++ bool committing = false;
+ struct btrfs_fs_info *fs_info = trans->fs_info;
+ struct btrfs_root *quota_root;
+ struct btrfs_qgroup *srcgroup;
+@@ -2256,7 +2257,25 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ u32 level_size = 0;
+ u64 nums;
+
+- mutex_lock(&fs_info->qgroup_ioctl_lock);
++ /*
++ * There are only two callers of this function.
++ *
++ * One in create_subvol() in the ioctl context, which needs to hold
++ * the qgroup_ioctl_lock.
++ *
++ * The other one in create_pending_snapshot() where no other qgroup
++ * code can modify the fs as they all need to either start a new trans
++ * or hold a trans handler, thus we don't need to hold
++ * qgroup_ioctl_lock.
++ * This would avoid long and complex lock chain and make lockdep happy.
++ */
++ spin_lock(&fs_info->trans_lock);
++ if (trans->transaction->state == TRANS_STATE_COMMIT_DOING)
++ committing = true;
++ spin_unlock(&fs_info->trans_lock);
++
++ if (!committing)
++ mutex_lock(&fs_info->qgroup_ioctl_lock);
+ if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags))
+ goto out;
+
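Review bot: Whether `qgroup_ioctl_lock` is taken now depends on a one-time sample of `trans->transaction->state`, and the new comment explains only why the create_pending_snapshot() path may skip the mutex. It does not say why the create_subvol() caller can never see TRANS_STATE_COMMIT_DOING on its own handle; if it could, it would modify qgroup state without the mutex. Once the invariant is confirmed, add it to the comment, e.g. `* create_subvol() holds its own transaction handle, so that transaction cannot be in COMMIT_DOING while it runs here.` The matching `if (!committing) mutex_unlock(...)` in the next hunk relies on the same flag. btrfs_qgroup_inherit() begins before and ends after this hunk.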
+@@ -2420,7 +2439,8 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ unlock:
+ spin_unlock(&fs_info->qgroup_lock);
+ out:
+- mutex_unlock(&fs_info->qgroup_ioctl_lock);
++ if (!committing)
++ mutex_unlock(&fs_info->qgroup_ioctl_lock);
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 891a27a000f3544b4187015a79bb43be9592129d Mon Sep 17 00:00:00 2001
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+Date: Mon, 20 May 2019 19:23:58 +0200
+Subject: ceph: fix improper use of smp_mb__before_atomic()
+
+[ Upstream commit 749607731e26dfb2558118038c40e9c0c80d23b5 ]
+
+This barrier only applies to the read-modify-write operations; in
+particular, it does not apply to the atomic64_set() primitive.
+
+Replace the barrier with an smp_mb().
+
+Fixes: fdd4e15838e59 ("ceph: rework dcache readdir")
+Reported-by: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/super.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 582e28fd1b7bf..d8579a56e5dc2 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -526,7 +526,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci,
+ long long release_count,
+ long long ordered_count)
+ {
+- smp_mb__before_atomic();
++ /*
++ * Makes sure operations that setup readdir cache (update page
++ * cache and i_size) are strongly ordered w.r.t. the following
++ * atomic64_set() operations.
++ */
++ smp_mb();
+ atomic64_set(&ci->i_complete_seq[0], release_count);
+ atomic64_set(&ci->i_complete_seq[1], ordered_count);
+ }
+--
+2.20.1
+
--- /dev/null
+From 388ea7b4569edcb246cbd311909c21773e79c96d Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 13 Jun 2019 15:17:00 -0400
+Subject: ceph: return -ERANGE if virtual xattr value didn't fit in buffer
+
+[ Upstream commit 3b421018f48c482bdc9650f894aa1747cf90e51d ]
+
+The getxattr manpage states that we should return ERANGE if the
+destination buffer size is too small to hold the value.
+ceph_vxattrcb_layout does this internally, but we should be doing
+this for all vxattrs.
+
+Fix the only caller of getxattr_cb to check the returned size
+against the buffer length and return -ERANGE if it doesn't fit.
+Drop the same check in ceph_vxattrcb_layout and just rely on the
+caller to handle it.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Acked-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/xattr.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 5cc8b94f82069..0a2d4898ee163 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -79,7 +79,7 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val,
+ const char *ns_field = " pool_namespace=";
+ char buf[128];
+ size_t len, total_len = 0;
+- int ret;
++ ssize_t ret;
+
+ pool_ns = ceph_try_get_string(ci->i_layout.pool_ns);
+
+@@ -103,11 +103,8 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val,
+ if (pool_ns)
+ total_len += strlen(ns_field) + pool_ns->len;
+
+- if (!size) {
+- ret = total_len;
+- } else if (total_len > size) {
+- ret = -ERANGE;
+- } else {
++ ret = total_len;
++ if (size >= total_len) {
+ memcpy(val, buf, len);
+ ret = len;
+ if (pool_name) {
+@@ -817,8 +814,11 @@ ssize_t __ceph_getxattr(struct inode *inode, const char *name, void *value,
+ if (err)
+ return err;
+ err = -ENODATA;
+- if (!(vxattr->exists_cb && !vxattr->exists_cb(ci)))
++ if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) {
+ err = vxattr->getxattr_cb(ci, value, size);
++ if (size && size < err)
++ err = -ERANGE;
++ }
+ return err;
+ }
+
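Review bot: The new check `size && size < err` compares a `size_t` with `err`, which is declared outside the hunk. If `err` is a signed type it is converted to unsigned for the comparison, so any negative value coming back from a `getxattr_cb` would compare as larger than `size` and be rewritten to -ERANGE. The one callback signature visible here returns `size_t`, so this may not be reachable today, but the guard is cheap: `if (err >= 0 && size && (size_t)err > size)`. Note also that the check runs after `getxattr_cb(ci, value, size)` has already been called with the short buffer, so it only fixes the return code. Each callback must still bound its own writes, as ceph_vxattrcb_layout does with `size >= total_len`.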
+--
+2.20.1
+
--- /dev/null
+From e80662f36efdcfe2df799ccdb6ef09a2460b2795 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Sat, 6 Jul 2019 06:52:46 +1000
+Subject: cifs: Fix a race condition with cifs_echo_request
+
+[ Upstream commit f2caf901c1b7ce65f9e6aef4217e3241039db768 ]
+
+There is a race condition with how we send (or supress and don't send)
+smb echos that will cause the client to incorrectly think the
+server is unresponsive and thus needs to be reconnected.
+
+Summary of the race condition:
+ 1) Daisy chaining scheduling creates a gap.
+ 2) If traffic comes unfortunate shortly after
+ the last echo, the planned echo is suppressed.
+ 3) Due to the gap, the next echo transmission is delayed
+ until after the timeout, which is set hard to twice
+ the echo interval.
+
+This is fixed by changing the timeouts from 2 to three times the echo interval.
+
+Detailed description of the bug: https://lutz.donnerhacke.de/eng/Blog/Groundhog-Day-with-SMB-remount
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index f31339db45fdb..c53a2e86ed544 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -563,10 +563,10 @@ static bool
+ server_unresponsive(struct TCP_Server_Info *server)
+ {
+ /*
+- * We need to wait 2 echo intervals to make sure we handle such
++ * We need to wait 3 echo intervals to make sure we handle such
+ * situations right:
+ * 1s client sends a normal SMB request
+- * 2s client gets a response
++ * 3s client gets a response
+ * 30s echo workqueue job pops, and decides we got a response recently
+ * and don't need to send another
+ * ...
+@@ -575,9 +575,9 @@ server_unresponsive(struct TCP_Server_Info *server)
+ */
+ if ((server->tcpStatus == CifsGood ||
+ server->tcpStatus == CifsNeedNegotiate) &&
+- time_after(jiffies, server->lstrp + 2 * server->echo_interval)) {
++ time_after(jiffies, server->lstrp + 3 * server->echo_interval)) {
+ cifs_dbg(VFS, "Server %s has not responded in %lu seconds. Reconnecting...\n",
+- server->hostname, (2 * server->echo_interval) / HZ);
++ server->hostname, (3 * server->echo_interval) / HZ);
+ cifs_reconnect(server);
+ wake_up(&server->response_q);
+ return true;
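Review bot: The multiplier `3` is now written twice in this hunk, once in the `time_after()` test and once in the `cifs_dbg()` message. A later change to one can leave the log reporting a different timeout from the one enforced. Compute it once, e.g. `unsigned long timeout = 3 * server->echo_interval;`, and use `timeout` in both places. In the previous hunk the timeline line also changed from `2s` to `3s client gets a response`. That line is an example timestamp rather than the multiplier, so it is worth confirming the change was intended. server_unresponsive() continues past the end of the hunk.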
+--
+2.20.1
+
--- /dev/null
+From daff339fac6b0eb661dd9f7791a2c318b0d6c5dd Mon Sep 17 00:00:00 2001
+From: Chunyan Zhang <zhang.chunyan@linaro.org>
+Date: Wed, 22 May 2019 09:15:03 +0800
+Subject: clk: sprd: Add check for return value of sprd_clk_regmap_init()
+
+[ Upstream commit c974c48deeb969c5e4250e4f06af91edd84b1f10 ]
+
+sprd_clk_regmap_init() doesn't always return success, adding check
+for its return value should make the code more strong.
+
+Signed-off-by: Chunyan Zhang <zhang.chunyan@linaro.org>
+Reviewed-by: Baolin Wang <baolin.wang@linaro.org>
+[sboyd@kernel.org: Add a missing int ret]
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sprd/sc9860-clk.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sprd/sc9860-clk.c b/drivers/clk/sprd/sc9860-clk.c
+index 9980ab55271ba..f76305b4bc8df 100644
+--- a/drivers/clk/sprd/sc9860-clk.c
++++ b/drivers/clk/sprd/sc9860-clk.c
+@@ -2023,6 +2023,7 @@ static int sc9860_clk_probe(struct platform_device *pdev)
+ {
+ const struct of_device_id *match;
+ const struct sprd_clk_desc *desc;
++ int ret;
+
+ match = of_match_node(sprd_sc9860_clk_ids, pdev->dev.of_node);
+ if (!match) {
+@@ -2031,7 +2032,9 @@ static int sc9860_clk_probe(struct platform_device *pdev)
+ }
+
+ desc = match->data;
+- sprd_clk_regmap_init(pdev, desc);
++ ret = sprd_clk_regmap_init(pdev, desc);
++ if (ret)
++ return ret;
+
+ return sprd_clk_probe(&pdev->dev, desc->hw_clks);
+ }
+--
+2.20.1
+
--- /dev/null
+From 675bc9c809fd09a1fb2e58b5cf0e9596e7cba209 Mon Sep 17 00:00:00 2001
+From: JC Kuo <jckuo@nvidia.com>
+Date: Wed, 12 Jun 2019 11:14:34 +0800
+Subject: clk: tegra210: fix PLLU and PLLU_OUT1
+
+[ Upstream commit 0d34dfbf3023cf119b83f6470692c0b10c832495 ]
+
+Full-speed and low-speed USB devices do not work with Tegra210
+platforms because of incorrect PLLU/PLLU_OUT1 clock settings.
+
+When full-speed device is connected:
+[ 14.059886] usb 1-3: new full-speed USB device number 2 using tegra-xusb
+[ 14.196295] usb 1-3: device descriptor read/64, error -71
+[ 14.436311] usb 1-3: device descriptor read/64, error -71
+[ 14.675749] usb 1-3: new full-speed USB device number 3 using tegra-xusb
+[ 14.812335] usb 1-3: device descriptor read/64, error -71
+[ 15.052316] usb 1-3: device descriptor read/64, error -71
+[ 15.164799] usb usb1-port3: attempt power cycle
+
+When low-speed device is connected:
+[ 37.610949] usb usb1-port3: Cannot enable. Maybe the USB cable is bad?
+[ 38.557376] usb usb1-port3: Cannot enable. Maybe the USB cable is bad?
+[ 38.564977] usb usb1-port3: attempt power cycle
+
+This commit fixes the issue by:
+ 1. initializing PLLU_OUT1 before initializing XUSB_FS_SRC clock
+ because PLLU_OUT1 is parent of XUSB_FS_SRC.
+ 2. changing PLLU post-divider to /2 (DIVP=1) according to Technical
+ Reference Manual.
+
+Fixes: e745f992cf4b ("clk: tegra: Rework pll_u")
+Signed-off-by: JC Kuo <jckuo@nvidia.com>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra210.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
+index 9eb1cb14fce11..4e1bc23c98655 100644
+--- a/drivers/clk/tegra/clk-tegra210.c
++++ b/drivers/clk/tegra/clk-tegra210.c
+@@ -2214,9 +2214,9 @@ static struct div_nmp pllu_nmp = {
+ };
+
+ static struct tegra_clk_pll_freq_table pll_u_freq_table[] = {
+- { 12000000, 480000000, 40, 1, 0, 0 },
+- { 13000000, 480000000, 36, 1, 0, 0 }, /* actual: 468.0 MHz */
+- { 38400000, 480000000, 25, 2, 0, 0 },
++ { 12000000, 480000000, 40, 1, 1, 0 },
++ { 13000000, 480000000, 36, 1, 1, 0 }, /* actual: 468.0 MHz */
++ { 38400000, 480000000, 25, 2, 1, 0 },
+ { 0, 0, 0, 0, 0, 0 },
+ };
+
+@@ -3343,6 +3343,7 @@ static struct tegra_clk_init_table init_table[] __initdata = {
+ { TEGRA210_CLK_DFLL_REF, TEGRA210_CLK_PLL_P, 51000000, 1 },
+ { TEGRA210_CLK_SBC4, TEGRA210_CLK_PLL_P, 12000000, 1 },
+ { TEGRA210_CLK_PLL_RE_VCO, TEGRA210_CLK_CLK_MAX, 672000000, 1 },
++ { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 },
+ { TEGRA210_CLK_XUSB_GATE, TEGRA210_CLK_CLK_MAX, 0, 1 },
+ { TEGRA210_CLK_XUSB_SS_SRC, TEGRA210_CLK_PLL_U_480M, 120000000, 0 },
+ { TEGRA210_CLK_XUSB_FS_SRC, TEGRA210_CLK_PLL_U_48M, 48000000, 0 },
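Review bot: The position of the moved `TEGRA210_CLK_PLL_U_OUT1` entry is now load-bearing, but nothing in `init_table` says so. A later cleanup that re-sorts the table would quietly bring back the USB failure described in the commit message. I would add a comment above the entry, for example `/* PLL_U_OUT1 must be set up before XUSB_FS_SRC, which derives from it */`. The wording assumes the parent relationship stated in the commit message, since the entry itself names `TEGRA210_CLK_PLL_U_48M` as parent.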
+@@ -3367,7 +3368,6 @@ static struct tegra_clk_init_table init_table[] __initdata = {
+ { TEGRA210_CLK_PLL_DP, TEGRA210_CLK_CLK_MAX, 270000000, 0 },
+ { TEGRA210_CLK_SOC_THERM, TEGRA210_CLK_PLL_P, 51000000, 0 },
+ { TEGRA210_CLK_CCLK_G, TEGRA210_CLK_CLK_MAX, 0, 1 },
+- { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 },
+ { TEGRA210_CLK_PLL_U_OUT2, TEGRA210_CLK_CLK_MAX, 60000000, 1 },
+ /* This MUST be the last entry. */
+ { TEGRA210_CLK_CLK_MAX, TEGRA210_CLK_CLK_MAX, 0, 0 },
+--
+2.20.1
+
--- /dev/null
+From 6d94da3ac9670bd56c02ac4774fdd30cf5ae477a Mon Sep 17 00:00:00 2001
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Tue, 16 Jul 2019 16:28:13 -0700
+Subject: coda: add error handling for fget
+
+[ Upstream commit 02551c23bcd85f0c68a8259c7b953d49d44f86af ]
+
+When fget fails, the lack of error-handling code may cause unexpected
+results.
+
+This patch adds error-handling code after calling fget.
+
+Link: http://lkml.kernel.org/r/2514ec03df9c33b86e56748513267a80dd8004d9.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Fabian Frederick <fabf@skynet.be>
+Cc: Mikko Rapeli <mikko.rapeli@iki.fi>
+Cc: Sam Protsenko <semen.protsenko@linaro.org>
+Cc: Yann Droneaud <ydroneaud@opteya.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/coda/psdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
+index c5234c21b5394..55824cba32453 100644
+--- a/fs/coda/psdev.c
++++ b/fs/coda/psdev.c
+@@ -187,8 +187,11 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
+ if (req->uc_opcode == CODA_OPEN_BY_FD) {
+ struct coda_open_by_fd_out *outp =
+ (struct coda_open_by_fd_out *)req->uc_data;
+- if (!outp->oh.result)
++ if (!outp->oh.result) {
+ outp->fh = fget(outp->fd);
++ if (!outp->fh)
++ return -EBADF;
++ }
+ }
+
+ wake_up(&req->uc_sleep);
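Review bot: The added `return -EBADF` leaves coda_psdev_write() before the `wake_up(&req->uc_sleep)` that follows the block, so on an fget() failure this path does not wake whoever sleeps on the request. `outp->fd` comes from a message written by the userspace side, so a stale or wrong descriptor is an input to expect, not a rare internal fault. Either mark the request as failed and still reach the wake-up, or state the intent next to the return, for example `/* no wake_up: the sleeping upcall is left to time out or be interrupted */`. How the waiter behaves is outside the hunk, and the function body starts and ends outside it, so this needs checking against the upcall side.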
+--
+2.20.1
+
--- /dev/null
+From 62c8a0f0ada062ee5ec7d97012e0e5774a9766f1 Mon Sep 17 00:00:00 2001
+From: Sam Protsenko <semen.protsenko@linaro.org>
+Date: Tue, 16 Jul 2019 16:28:20 -0700
+Subject: coda: fix build using bare-metal toolchain
+
+[ Upstream commit b2a57e334086602be56b74958d9f29b955cd157f ]
+
+The kernel is self-contained project and can be built with bare-metal
+toolchain. But bare-metal toolchain doesn't define __linux__. Because
+of this u_quad_t type is not defined when using bare-metal toolchain and
+codafs build fails. This patch fixes it by defining u_quad_t type
+unconditionally.
+
+Link: http://lkml.kernel.org/r/3cbb40b0a57b6f9923a9d67b53473c0b691a3eaa.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
+Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Fabian Frederick <fabf@skynet.be>
+Cc: Mikko Rapeli <mikko.rapeli@iki.fi>
+Cc: Yann Droneaud <ydroneaud@opteya.com>
+Cc: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/coda.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/include/linux/coda.h b/include/linux/coda.h
+index d30209b9cef81..0ca0c83fdb1c4 100644
+--- a/include/linux/coda.h
++++ b/include/linux/coda.h
+@@ -58,8 +58,7 @@ Mellon the rights to redistribute these changes without encumbrance.
+ #ifndef _CODA_HEADER_
+ #define _CODA_HEADER_
+
+-#if defined(__linux__)
+ typedef unsigned long long u_quad_t;
+-#endif
++
+ #include <uapi/linux/coda.h>
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 0cb1e691103cd66480598dd153948f31253c287b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 24 Jun 2019 14:38:18 +0200
+Subject: dmaengine: rcar-dmac: Reject zero-length slave DMA requests
+
+[ Upstream commit 78efb76ab4dfb8f74f290ae743f34162cd627f19 ]
+
+While the .device_prep_slave_sg() callback rejects empty scatterlists,
+it still accepts single-entry scatterlists with a zero-length segment.
+These may happen if a driver calls dmaengine_prep_slave_single() with a
+zero len parameter. The corresponding DMA request will never complete,
+leading to messages like:
+
+ rcar-dmac e7300000.dma-controller: Channel Address Error happen
+
+and DMA timeouts.
+
+Although requesting a zero-length DMA request is a driver bug, rejecting
+it early eases debugging. Note that the .device_prep_dma_memcpy()
+callback already rejects requests to copy zero bytes.
+
+Reported-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Analyzed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
+index 0b05a1e08d213..041ce864097e4 100644
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1164,7 +1164,7 @@ rcar_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
+ struct rcar_dmac_chan *rchan = to_rcar_dmac_chan(chan);
+
+ /* Someone calling slave DMA on a generic channel? */
+- if (rchan->mid_rid < 0 || !sg_len) {
++ if (rchan->mid_rid < 0 || !sg_len || !sg_dma_len(sgl)) {
+ dev_warn(chan->device->dev,
+ "%s: bad parameter: len=%d, id=%d\n",
+ __func__, sg_len, rchan->mid_rid);
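Review bot: The `dev_warn` under the widened condition still reports only `sg_len` and `mid_rid`. A request rejected by the new `!sg_dma_len(sgl)` test is therefore logged with a non-zero `len` and a valid id, which points at nothing wrong. Include the segment length in the message, guarded for the empty-list case, for example `"%s: bad parameter: len=%d, seg_len=%u, id=%d\n"` with `sg_len ? sg_dma_len(sgl) : 0` as the extra argument. Only the first entry is tested, which matches the single-entry case in the commit message; a zero-length segment later in a longer list would still pass. The function body continues outside the hunk.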
+--
+2.20.1
+
--- /dev/null
+From 995207fd40ef971de56bebc8ce7fb1c215e38287 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Thu, 30 May 2019 00:43:55 +0300
+Subject: dmaengine: tegra-apb: Error out if DMA_PREP_INTERRUPT flag is unset
+
+[ Upstream commit dc161064beb83c668e0f85766b92b1e7ed186e58 ]
+
+Apparently driver was never tested with DMA_PREP_INTERRUPT flag being
+unset since it completely disables interrupt handling instead of skipping
+the callbacks invocations, hence putting channel into unusable state.
+
+The flag is always set by all of kernel drivers that use APB DMA, so let's
+error out in otherwise case for consistency. It won't be difficult to
+support that case properly if ever will be needed.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/tegra20-apb-dma.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
+index 8219ab88a507c..fb23993430d31 100644
+--- a/drivers/dma/tegra20-apb-dma.c
++++ b/drivers/dma/tegra20-apb-dma.c
+@@ -981,8 +981,12 @@ static struct dma_async_tx_descriptor *tegra_dma_prep_slave_sg(
+ csr |= tdc->slave_id << TEGRA_APBDMA_CSR_REQ_SEL_SHIFT;
+ }
+
+- if (flags & DMA_PREP_INTERRUPT)
++ if (flags & DMA_PREP_INTERRUPT) {
+ csr |= TEGRA_APBDMA_CSR_IE_EOC;
++ } else {
++ WARN_ON_ONCE(1);
++ return NULL;
++ }
+
+ apb_seq |= TEGRA_APBDMA_APBSEQ_WRAP_WORD_1;
+
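Review bot: The new `else` branch fails the request without saying why: `WARN_ON_ONCE(1)` prints a backtrace but names no violated requirement. The same applies to the identical branch added in tegra_dma_prep_dma_cyclic(). Folding the test into the warning reads better and documents itself: `if (WARN_ON_ONCE(!(flags & DMA_PREP_INTERRUPT))) return NULL;` followed by an unconditional `csr |= TEGRA_APBDMA_CSR_IE_EOC;`. A short comment would also help, such as `/* the channel cannot make progress without the EOC interrupt */`. Whether anything acquired earlier in either function must be released before `return NULL` cannot be seen from the hunks, because both functions start and end outside them.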
+@@ -1124,8 +1128,12 @@ static struct dma_async_tx_descriptor *tegra_dma_prep_dma_cyclic(
+ csr |= tdc->slave_id << TEGRA_APBDMA_CSR_REQ_SEL_SHIFT;
+ }
+
+- if (flags & DMA_PREP_INTERRUPT)
++ if (flags & DMA_PREP_INTERRUPT) {
+ csr |= TEGRA_APBDMA_CSR_IE_EOC;
++ } else {
++ WARN_ON_ONCE(1);
++ return NULL;
++ }
+
+ apb_seq |= TEGRA_APBDMA_APBSEQ_WRAP_WORD_1;
+
+--
+2.20.1
+
--- /dev/null
+From 3d8d4ee1a46fdfedc4b68dfa8a5899761139f88e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 16 Jul 2019 16:30:03 -0700
+Subject: drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
+
+[ Upstream commit 156e0b1a8112b76e351684ac948c59757037ac36 ]
+
+The dev_info.name[] array has space for RIO_MAX_DEVNAME_SZ + 1
+characters. But the problem here is that we don't ensure that the user
+put a NUL terminator on the end of the string. It could lead to an out
+of bounds read.
+
+Link: http://lkml.kernel.org/r/20190529110601.GB19119@mwanda
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index cbe467ff1aba9..fa0bbda4b3f2e 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1688,6 +1688,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
+
+ if (copy_from_user(&dev_info, arg, sizeof(dev_info)))
+ return -EFAULT;
++ dev_info.name[sizeof(dev_info.name) - 1] = '\0';
+
+ rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name,
+ dev_info.comptag, dev_info.destid, dev_info.hopcount);
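Review bot: Overwriting the last byte after `copy_from_user()` removes the out-of-bounds read, but it silently truncates a name that filled the whole array instead of rejecting it. The same line is added in rio_mport_del_riodev(), where a shortened name might match a different device than the caller passed; the lookup is outside the hunk, so that is to be confirmed. Rejecting unterminated input is stricter and keeps the two ioctls in step: `if (strnlen(dev_info.name, sizeof(dev_info.name)) == sizeof(dev_info.name)) return -EINVAL;`. If truncation is kept for ABI reasons, a comment saying so next to each assignment would be enough. Both functions continue outside their hunks.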
+@@ -1819,6 +1820,7 @@ static int rio_mport_del_riodev(struct mport_cdev_priv *priv, void __user *arg)
+
+ if (copy_from_user(&dev_info, arg, sizeof(dev_info)))
+ return -EFAULT;
++ dev_info.name[sizeof(dev_info.name) - 1] = '\0';
+
+ mport = priv->md->mport;
+
+--
+2.20.1
+
--- /dev/null
+From d920cf32227e235ce4a01417ac1aa49af7f28e48 Mon Sep 17 00:00:00 2001
+From: Yongxin Liu <yongxin.liu@windriver.com>
+Date: Mon, 1 Jul 2019 09:46:22 +0800
+Subject: drm/nouveau: fix memory leak in nouveau_conn_reset()
+
+[ Upstream commit 09b90e2fe35faeace2488234e2a7728f2ea8ba26 ]
+
+In nouveau_conn_reset(), if connector->state is true,
+__drm_atomic_helper_connector_destroy_state() will be called,
+but the memory pointed by asyc isn't freed. Memory leak happens
+in the following function __drm_atomic_helper_connector_reset(),
+where newly allocated asyc->state will be assigned to connector->state.
+
+So using nouveau_conn_atomic_destroy_state() instead of
+__drm_atomic_helper_connector_destroy_state to free the "old" asyc.
+
+Here the is the log showing memory leak.
+
+unreferenced object 0xffff8c5480483c80 (size 192):
+ comm "kworker/0:2", pid 188, jiffies 4294695279 (age 53.179s)
+ hex dump (first 32 bytes):
+ 00 f0 ba 7b 54 8c ff ff 00 00 00 00 00 00 00 00 ...{T...........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000005005c0d0>] kmem_cache_alloc_trace+0x195/0x2c0
+ [<00000000a122baed>] nouveau_conn_reset+0x25/0xc0 [nouveau]
+ [<000000004fd189a2>] nouveau_connector_create+0x3a7/0x610 [nouveau]
+ [<00000000c73343a8>] nv50_display_create+0x343/0x980 [nouveau]
+ [<000000002e2b03c3>] nouveau_display_create+0x51f/0x660 [nouveau]
+ [<00000000c924699b>] nouveau_drm_device_init+0x182/0x7f0 [nouveau]
+ [<00000000cc029436>] nouveau_drm_probe+0x20c/0x2c0 [nouveau]
+ [<000000007e961c3e>] local_pci_probe+0x47/0xa0
+ [<00000000da14d569>] work_for_cpu_fn+0x1a/0x30
+ [<0000000028da4805>] process_one_work+0x27c/0x660
+ [<000000001d415b04>] worker_thread+0x22b/0x3f0
+ [<0000000003b69f1f>] kthread+0x12f/0x150
+ [<00000000c94c29b7>] ret_from_fork+0x3a/0x50
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_connector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
+index 247f72cc4d10a..fb0094fc55834 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
+@@ -251,7 +251,7 @@ nouveau_conn_reset(struct drm_connector *connector)
+ return;
+
+ if (connector->state)
+- __drm_atomic_helper_connector_destroy_state(connector->state);
++ nouveau_conn_atomic_destroy_state(connector, connector->state);
+ __drm_atomic_helper_connector_reset(connector, &asyc->state);
+ asyc->dither.mode = DITHERING_MODE_AUTO;
+ asyc->dither.depth = DITHERING_DEPTH_AUTO;
+--
+2.20.1
+
--- /dev/null
+From 50ab445340120699ee575c424fa4d20c7120c0c2 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Mon, 10 Jun 2019 18:38:29 +0100
+Subject: firmware/psci: psci_checker: Park kthreads before stopping them
+
+[ Upstream commit 92e074acf6f7694e96204265eb18ac113f546e80 ]
+
+Since commit 85f1abe0019f ("kthread, sched/wait: Fix kthread_parkme()
+completion issue"), kthreads that are bound to a CPU must be parked
+before being stopped. At the moment the PSCI checker calls
+kthread_stop() directly on the suspend kthread, which triggers the
+following warning:
+
+[ 6.068288] WARNING: CPU: 1 PID: 1 at kernel/kthread.c:398 __kthread_bind_mask+0x20/0x78
+ ...
+[ 6.190151] Call trace:
+[ 6.192566] __kthread_bind_mask+0x20/0x78
+[ 6.196615] kthread_unpark+0x74/0x80
+[ 6.200235] kthread_stop+0x44/0x1d8
+[ 6.203769] psci_checker+0x3bc/0x484
+[ 6.207389] do_one_initcall+0x48/0x260
+[ 6.211180] kernel_init_freeable+0x2c8/0x368
+[ 6.215488] kernel_init+0x10/0x100
+[ 6.218935] ret_from_fork+0x10/0x1c
+[ 6.222467] ---[ end trace e05e22863d043cd3 ]---
+
+kthread_unpark() tries to bind the thread to its CPU and aborts with a
+WARN() if the thread wasn't in TASK_PARKED state. Park the kthreads
+before stopping them.
+
+Fixes: 85f1abe0019f ("kthread, sched/wait: Fix kthread_parkme() completion issue")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/psci_checker.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/psci_checker.c b/drivers/firmware/psci_checker.c
+index 3469436579622..cbd53cb1b2d47 100644
+--- a/drivers/firmware/psci_checker.c
++++ b/drivers/firmware/psci_checker.c
+@@ -366,16 +366,16 @@ static int suspend_test_thread(void *arg)
+ for (;;) {
+ /* Needs to be set first to avoid missing a wakeup. */
+ set_current_state(TASK_INTERRUPTIBLE);
+- if (kthread_should_stop()) {
+- __set_current_state(TASK_RUNNING);
++ if (kthread_should_park())
+ break;
+- }
+ schedule();
+ }
+
+ pr_info("CPU %d suspend test results: success %d, shallow states %d, errors %d\n",
+ cpu, nb_suspend, nb_shallow_sleep, nb_err);
+
++ kthread_parkme();
++
+ return nb_err;
+ }
+
+@@ -440,8 +440,10 @@ static int suspend_tests(void)
+
+
+ /* Stop and destroy all threads, get return status. */
+- for (i = 0; i < nb_threads; ++i)
++ for (i = 0; i < nb_threads; ++i) {
++ err += kthread_park(threads[i]);
+ err += kthread_stop(threads[i]);
++ }
+ out:
+ cpuidle_resume_and_unlock();
+ kfree(threads);
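Review bot: `err` now sums two different kinds of value in the loop. `kthread_park()` returns 0 or a negative errno, while `kthread_stop()` returns the thread function's result, which the first hunk shows is the `nb_err` count. A failed park would therefore subtract from the error count and could hide real test failures. `kthread_stop()` would also then run on a thread that was never parked, which is the situation this commit sets out to avoid. Keep the park result separate, for example `int ret = kthread_park(threads[i]);` and `if (ret) pr_warn("kthread_park failed: %d\n", ret);`, and add only the `kthread_stop()` value to `err`. suspend_tests() starts outside the hunk.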
+--
+2.20.1
+
--- /dev/null
+From c6a4ecd10eb0fd4078cd0541fa96695375d78358 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 4 Jun 2019 14:50:14 +0100
+Subject: fs/adfs: super: fix use-after-free bug
+
+[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]
+
+Fix a use-after-free bug during filesystem initialisation, where we
+access the disc record (which is stored in a buffer) after we have
+released the buffer.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/adfs/super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/adfs/super.c b/fs/adfs/super.c
+index 7e099a7a4eb1e..4dc15b2634894 100644
+--- a/fs/adfs/super.c
++++ b/fs/adfs/super.c
+@@ -369,6 +369,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
+ struct buffer_head *bh;
+ struct object_info root_obj;
+ unsigned char *b_data;
++ unsigned int blocksize;
+ struct adfs_sb_info *asb;
+ struct inode *root;
+ int ret = -EINVAL;
+@@ -420,8 +421,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
+ goto error_free_bh;
+ }
+
++ blocksize = 1 << dr->log2secsize;
+ brelse(bh);
+- if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
++
++ if (sb_set_blocksize(sb, blocksize)) {
+ bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
+ if (!bh) {
+ adfs_error(sb, "couldn't read superblock on "
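Review bot: The new `blocksize = 1 << dr->log2secsize;` shifts a signed `int` by a value read from the on-disk disc record and stores it in an `unsigned int`. `blocksize = 1U << dr->log2secsize;` matches the destination type. Whether `log2secsize` is range-checked before this point is not visible here, although the `goto error_free_bh` just above suggests some validation. The ordering is the whole fix, so it deserves a comment such as `/* read what we need from dr before brelse(): dr points into bh */`. adfs_fill_super() continues past the hunk, and any later use of `dr` before it is re-derived from a fresh buffer should be checked for the same problem.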
+--
+2.20.1
+
--- /dev/null
+From 37c98ffea1b8ebc4860a6dadb2f70b8a3deb737b Mon Sep 17 00:00:00 2001
+From: Cheng Jian <cj.chengjian@huawei.com>
+Date: Sat, 4 May 2019 19:39:39 +0800
+Subject: ftrace: Enable trampoline when rec count returns back to one
+
+[ Upstream commit a124692b698b00026a58d89831ceda2331b2e1d0 ]
+
+Custom trampolines can only be enabled if there is only a single ops
+attached to it. If there's only a single callback registered to a function,
+and the ops has a trampoline registered for it, then we can call the
+trampoline directly. This is very useful for improving the performance of
+ftrace and livepatch.
+
+If more than one callback is registered to a function, the general
+trampoline is used, and the custom trampoline is not restored back to the
+direct call even if all the other callbacks were unregistered and we are
+back to one callback for the function.
+
+To fix this, set FTRACE_FL_TRAMP flag if rec count is decremented
+to one, and the ops that left has a trampoline.
+
+Testing After this patch :
+
+insmod livepatch_unshare_files.ko
+cat /sys/kernel/debug/tracing/enabled_functions
+
+ unshare_files (1) R I tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0
+
+echo unshare_files > /sys/kernel/debug/tracing/set_ftrace_filter
+echo function > /sys/kernel/debug/tracing/current_tracer
+cat /sys/kernel/debug/tracing/enabled_functions
+
+ unshare_files (2) R I ->ftrace_ops_list_func+0x0/0x150
+
+echo nop > /sys/kernel/debug/tracing/current_tracer
+cat /sys/kernel/debug/tracing/enabled_functions
+
+ unshare_files (1) R I tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0
+
+Link: http://lkml.kernel.org/r/1556969979-111047-1-git-send-email-cj.chengjian@huawei.com
+
+Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ftrace.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 118ecce143866..d9dd709b3c12f 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1647,6 +1647,11 @@ static bool test_rec_ops_needs_regs(struct dyn_ftrace *rec)
+ return keep_regs;
+ }
+
++static struct ftrace_ops *
++ftrace_find_tramp_ops_any(struct dyn_ftrace *rec);
++static struct ftrace_ops *
++ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops);
++
+ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops,
+ int filter_hash,
+ bool inc)
+@@ -1775,15 +1780,17 @@ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops,
+ }
+
+ /*
+- * If the rec had TRAMP enabled, then it needs to
+- * be cleared. As TRAMP can only be enabled iff
+- * there is only a single ops attached to it.
+- * In otherwords, always disable it on decrementing.
+- * In the future, we may set it if rec count is
+- * decremented to one, and the ops that is left
+- * has a trampoline.
++ * The TRAMP needs to be set only if rec count
++ * is decremented to one, and the ops that is
++ * left has a trampoline. As TRAMP can only be
++ * enabled if there is only a single ops attached
++ * to it.
+ */
+- rec->flags &= ~FTRACE_FL_TRAMP;
++ if (ftrace_rec_count(rec) == 1 &&
++ ftrace_find_tramp_ops_any(rec))
++ rec->flags |= FTRACE_FL_TRAMP;
++ else
++ rec->flags &= ~FTRACE_FL_TRAMP;
+
+ /*
+ * flags will be cleared in ftrace_check_record()
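Review bot: `ftrace_find_tramp_ops_any(rec)` is called on the decrement path without reference to `ops`, the ops whose reference is being dropped. If that ops is still reachable by the lookup at this point, it can be the one found, and `FTRACE_FL_TRAMP` would be set on behalf of a trampoline that is about to go away. Whether it is still on the list here cannot be told from the hunk, so this needs confirming against the unregister path. Either exclude `ops` from the search or extend the comment to say why the departing ops cannot match, for example `/* ops has already been unlinked, so only the remaining ops can be found */`. The enclosing function starts and ends outside the hunk.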
+@@ -1976,11 +1983,6 @@ static void print_ip_ins(const char *fmt, const unsigned char *p)
+ printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]);
+ }
+
+-static struct ftrace_ops *
+-ftrace_find_tramp_ops_any(struct dyn_ftrace *rec);
+-static struct ftrace_ops *
+-ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops);
+-
+ enum ftrace_bug_type ftrace_bug_type;
+ const void *ftrace_expected;
+
+--
+2.20.1
+
--- /dev/null
+From 6ddee23cfdaf53212fb2aecaf1b6d0b03339b83e Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 16 Jul 2019 16:30:21 -0700
+Subject: ipc/mqueue.c: only perform resource calculation if user valid
+
+[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ]
+
+Andreas Christoforou reported:
+
+ UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow:
+ 9 * 2305843009213693951 cannot be represented in type 'long int'
+ ...
+ Call Trace:
+ mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414
+ evict+0x472/0x8c0 fs/inode.c:558
+ iput_final fs/inode.c:1547 [inline]
+ iput+0x51d/0x8c0 fs/inode.c:1573
+ mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320
+ mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459
+ vfs_mkobj+0x39e/0x580 fs/namei.c:2892
+ prepare_open ipc/mqueue.c:731 [inline]
+ do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771
+
+Which could be triggered by:
+
+ struct mq_attr attr = {
+ .mq_flags = 0,
+ .mq_maxmsg = 9,
+ .mq_msgsize = 0x1fffffffffffffff,
+ .mq_curmsgs = 0,
+ };
+
+ if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1)
+ perror("mq_open");
+
+mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and
+preparing to return -EINVAL. During the cleanup, it calls
+mqueue_evict_inode() which performed resource usage tracking math for
+updating "user", before checking if there was a valid "user" at all
+(which would indicate that the calculations would be sane). Instead,
+delay this check to after seeing a valid "user".
+
+The overflow was real, but the results went unused, so while the flaw is
+harmless, it's noisy for kernel fuzzers, so just fix it by moving the
+calculation under the non-NULL "user" where it actually gets used.
+
+Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Andreas Christoforou <andreaschristofo@gmail.com>
+Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ ipc/mqueue.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index bce7af1546d9c..de4070d5472f2 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -389,7 +389,6 @@ static void mqueue_evict_inode(struct inode *inode)
+ {
+ struct mqueue_inode_info *info;
+ struct user_struct *user;
+- unsigned long mq_bytes, mq_treesize;
+ struct ipc_namespace *ipc_ns;
+ struct msg_msg *msg, *nmsg;
+ LIST_HEAD(tmp_msg);
+@@ -412,16 +411,18 @@ static void mqueue_evict_inode(struct inode *inode)
+ free_msg(msg);
+ }
+
+- /* Total amount of bytes accounted for the mqueue */
+- mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
+- min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
+- sizeof(struct posix_msg_tree_node);
+-
+- mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
+- info->attr.mq_msgsize);
+-
+ user = info->user;
+ if (user) {
++ unsigned long mq_bytes, mq_treesize;
++
++ /* Total amount of bytes accounted for the mqueue */
++ mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
++ min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
++ sizeof(struct posix_msg_tree_node);
++
++ mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
++ info->attr.mq_msgsize);
++
+ spin_lock(&mq_lock);
+ user->mq_bytes -= mq_bytes;
+ /*
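Review bot: The product `info->attr.mq_maxmsg * info->attr.mq_msgsize` moves under `if (user)` unchanged and is still unchecked. What makes it safe is an invariant that only the commit message states: a non-NULL `info->user` means the attributes passed validation. I would record that at the calculation, for example `/* info->user is only set after the attributes were validated, so this cannot overflow */`, once that has been confirmed in mqueue_get_inode(). Without it, the next reader has no way to tell that the placement is deliberate. mqueue_evict_inode() continues past the end of the hunk.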
+--
+2.20.1
+
--- /dev/null
+From 26ecb4ef1b594ebd938c532c6b8a36e825ab46ff Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava <prarit@redhat.com>
+Date: Wed, 29 May 2019 07:26:25 -0400
+Subject: kernel/module.c: Only return -EEXIST for modules that have finished
+ loading
+
+[ Upstream commit 6e6de3dee51a439f76eb73c22ae2ffd2c9384712 ]
+
+Microsoft HyperV disables the X86_FEATURE_SMCA bit on AMD systems, and
+linux guests boot with repeated errors:
+
+amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
+amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
+
+The warnings occur because the module code erroneously returns -EEXIST
+for modules that have failed to load and are in the process of being
+removed from the module list.
+
+module amd64_edac_mod has a dependency on module edac_mce_amd. Using
+modules.dep, systemd will load edac_mce_amd for every request of
+amd64_edac_mod. When the edac_mce_amd module loads, the module has
+state MODULE_STATE_UNFORMED and once the module load fails and the state
+becomes MODULE_STATE_GOING. Another request for edac_mce_amd module
+executes and add_unformed_module() will erroneously return -EEXIST even
+though the previous instance of edac_mce_amd has MODULE_STATE_GOING.
+Upon receiving -EEXIST, systemd attempts to load amd64_edac_mod, which
+fails because of unknown symbols from edac_mce_amd.
+
+add_unformed_module() must wait to return for any case other than
+MODULE_STATE_LIVE to prevent a race between multiple loads of
+dependent modules.
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Signed-off-by: Barret Rhoden <brho@google.com>
+Cc: David Arcari <darcari@redhat.com>
+Cc: Jessica Yu <jeyu@kernel.org>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/module.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index b8f37376856bd..3fda10c549a25 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3388,8 +3388,7 @@ static bool finished_loading(const char *name)
+ sched_annotate_sleep();
+ mutex_lock(&module_mutex);
+ mod = find_module_all(name, strlen(name), true);
+- ret = !mod || mod->state == MODULE_STATE_LIVE
+- || mod->state == MODULE_STATE_GOING;
++ ret = !mod || mod->state == MODULE_STATE_LIVE;
+ mutex_unlock(&module_mutex);
+
+ return ret;
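Review bot: With `MODULE_STATE_GOING` dropped from `finished_loading()`, a waiter on a module that is going away proceeds only once `find_module_all()` stops finding it. Every path that unlinks a module therefore has to wake `module_wq`, or the `wait_event_interruptible()` in the `again:` hunk sleeps until a signal or an unrelated wake-up. Whether the removal paths do that is outside these hunks and should be confirmed before this goes in. The comment `/* Wait in case it fails to load. */` in the second hunk is also stale, because `old->state != MODULE_STATE_LIVE` now covers going modules as well; `/* Wait until it is live or gone. */` would fit. Both functions start outside their hunks.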
+@@ -3559,8 +3558,7 @@ again:
+ mutex_lock(&module_mutex);
+ old = find_module_all(mod->name, strlen(mod->name), true);
+ if (old != NULL) {
+- if (old->state == MODULE_STATE_COMING
+- || old->state == MODULE_STATE_UNFORMED) {
++ if (old->state != MODULE_STATE_LIVE) {
+ /* Wait in case it fails to load. */
+ mutex_unlock(&module_mutex);
+ err = wait_event_interruptible(module_wq,
+--
+2.20.1
+
--- /dev/null
+From ddebaaa09d5cfe2962431d16ab06295ad780fe63 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 16 Jul 2019 16:27:24 -0700
+Subject: lib/test_overflow.c: avoid tainting the kernel and fix wrap size
+
+[ Upstream commit 8e060c21ae2c265a2b596e9e7f9f97ec274151a4 ]
+
+This adds __GFP_NOWARN to the kmalloc()-portions of the overflow test to
+avoid tainting the kernel. Additionally fixes up the math on wrap size
+to be architecture and page size agnostic.
+
+Link: http://lkml.kernel.org/r/201905282012.0A8767E24@keescook
+Fixes: ca90800a91ba ("test_overflow: Add memory allocation overflow tests")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Joe Perches <joe@perches.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_overflow.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/test_overflow.c b/lib/test_overflow.c
+index fc680562d8b69..7a4b6f6c5473c 100644
+--- a/lib/test_overflow.c
++++ b/lib/test_overflow.c
+@@ -486,16 +486,17 @@ static int __init test_overflow_shift(void)
+ * Deal with the various forms of allocator arguments. See comments above
+ * the DEFINE_TEST_ALLOC() instances for mapping of the "bits".
+ */
+-#define alloc010(alloc, arg, sz) alloc(sz, GFP_KERNEL)
+-#define alloc011(alloc, arg, sz) alloc(sz, GFP_KERNEL, NUMA_NO_NODE)
++#define alloc_GFP (GFP_KERNEL | __GFP_NOWARN)
++#define alloc010(alloc, arg, sz) alloc(sz, alloc_GFP)
++#define alloc011(alloc, arg, sz) alloc(sz, alloc_GFP, NUMA_NO_NODE)
+ #define alloc000(alloc, arg, sz) alloc(sz)
+ #define alloc001(alloc, arg, sz) alloc(sz, NUMA_NO_NODE)
+-#define alloc110(alloc, arg, sz) alloc(arg, sz, GFP_KERNEL)
++#define alloc110(alloc, arg, sz) alloc(arg, sz, alloc_GFP)
+ #define free0(free, arg, ptr) free(ptr)
+ #define free1(free, arg, ptr) free(arg, ptr)
+
+-/* Wrap around to 8K */
+-#define TEST_SIZE (9 << PAGE_SHIFT)
++/* Wrap around to 16K */
++#define TEST_SIZE (5 * 4096)
+
+ #define DEFINE_TEST_ALLOC(func, free_func, want_arg, want_gfp, want_node)\
+ static int __init test_ ## func (void *arg) \
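Review bot: `alloc_GFP` and the new `TEST_SIZE` value carry no explanation in the code itself. The commit message gives the reason for the flag, so a comment such as `/* __GFP_NOWARN: keep the overflow tests' allocation attempts from warning and tainting the kernel */` above `#define alloc_GFP` would keep that reasoning next to it. `(5 * 4096)` hard-codes a 4096 that is no longer tied to PAGE_SHIFT, and `/* Wrap around to 16K */` does not say how 16K follows from it, so one more line stating the multiplier the test applies would help. An object-like macro is also conventionally upper-case (`ALLOC_GFP`). The DEFINE_TEST_ALLOC() macro continues outside the hunk.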
+--
+2.20.1
+
--- /dev/null
+From 517c4a34a9eac6d8a3bcbe6992a748aaa9c06284 Mon Sep 17 00:00:00 2001
+From: Peter Rosin <peda@axentia.se>
+Date: Tue, 16 Jul 2019 16:27:18 -0700
+Subject: lib/test_string.c: avoid masking memset16/32/64 failures
+
+[ Upstream commit 33d6e0ff68af74be0c846c8e042e84a9a1a0561e ]
+
+If a memsetXX implementation is completely broken and fails in the first
+iteration, when i, j, and k are all zero, the failure is masked as zero
+is returned. Failing in the first iteration is perhaps the most likely
+failure, so this makes the tests pretty much useless. Avoid the
+situation by always setting a random unused bit in the result on
+failure.
+
+Link: http://lkml.kernel.org/r/20190506124634.6807-3-peda@axentia.se
+Fixes: 03270c13c5ff ("lib/string.c: add testcases for memset16/32/64")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_string.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/test_string.c b/lib/test_string.c
+index 0fcdb82dca866..98a787e7a1fd6 100644
+--- a/lib/test_string.c
++++ b/lib/test_string.c
+@@ -35,7 +35,7 @@ static __init int memset16_selftest(void)
+ fail:
+ kfree(p);
+ if (i < 256)
+- return (i << 24) | (j << 16) | k;
++ return (i << 24) | (j << 16) | k | 0x8000;
+ return 0;
+ }
+
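Review bot: The `0x8000` marker added to the failure return of memset16_selftest() is an unnamed constant, and the same line is repeated in memset32_selftest() and memset64_selftest() in the next two hunks. It only stays distinguishable from the encoded `i`, `j`, `k` values if `k` never reaches bit 15, which the hunks do not show. A shared definition with a comment such as `/* set on any failure so a failure at i == j == k == 0 is still non-zero; assumes k < 0x8000 */` would record that assumption. Anything that decodes the return value back into `i`, `j`, `k` would need to mask the bit off. All three function bodies start outside their hunks.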
+@@ -71,7 +71,7 @@ static __init int memset32_selftest(void)
+ fail:
+ kfree(p);
+ if (i < 256)
+- return (i << 24) | (j << 16) | k;
++ return (i << 24) | (j << 16) | k | 0x8000;
+ return 0;
+ }
+
+@@ -107,7 +107,7 @@ static __init int memset64_selftest(void)
+ fail:
+ kfree(p);
+ if (i < 256)
+- return (i << 24) | (j << 16) | k;
++ return (i << 24) | (j << 16) | k | 0x8000;
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 00f4228232f28696a0c48db433954768c5703fe2 Mon Sep 17 00:00:00 2001
+From: Petr Cvek <petrcvekcz@gmail.com>
+Date: Thu, 20 Jun 2019 23:39:37 +0200
+Subject: MIPS: lantiq: Fix bitfield masking
+
+[ Upstream commit ba1bc0fcdeaf3bf583c1517bd2e3e29cf223c969 ]
+
+The modification of EXIN register doesn't clean the bitfield before
+the writing of a new value. After a few modifications the bitfield would
+accumulate only '1's.
+
+Signed-off-by: Petr Cvek <petrcvekcz@gmail.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: hauke@hauke-m.de
+Cc: john@phrozen.org
+Cc: linux-mips@vger.kernel.org
+Cc: openwrt-devel@lists.openwrt.org
+Cc: pakahmar@hotmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/irq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index c4ef1c31e0c4f..37caeadb2964c 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -156,8 +156,9 @@ static int ltq_eiu_settype(struct irq_data *d, unsigned int type)
+ if (edge)
+ irq_set_handler(d->hwirq, handle_edge_irq);
+
+- ltq_eiu_w32(ltq_eiu_r32(LTQ_EIU_EXIN_C) |
+- (val << (i * 4)), LTQ_EIU_EXIN_C);
++ ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) &
++ (~(7 << (i * 4)))) | (val << (i * 4)),
++ LTQ_EIU_EXIN_C);
+ }
+ }
+
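Review bot: The clear mask in the new write, `~(7 << (i * 4))`, covers three bits while the field stride is four, and `val` is not masked before it is shifted in. If `val` can ever carry bit 3, that bit would be written but never cleared by a later call, which is the accumulation this commit sets out to fix; whether that can happen depends on how `val` is assigned earlier in ltq_eiu_settype(), outside the hunk. Masking the value as well, `((val & 7) << (i * 4))`, or defining the field mask once and using it for both the clear and the set, would make the two sides agree.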
+--
+2.20.1
+
--- /dev/null
+From 8a8414fc594e136e2f47b5db3e9e461b37f665ab Mon Sep 17 00:00:00 2001
+From: Petr Machata <petrm@mellanox.com>
+Date: Wed, 17 Jul 2019 23:29:07 +0300
+Subject: mlxsw: spectrum_dcb: Configure DSCP map as the last rule is removed
+
+[ Upstream commit dedfde2fe1c4ccf27179fcb234e2112d065c39bb ]
+
+Spectrum systems use DSCP rewrite map to update DSCP field in egressing
+packets to correspond to priority that the packet has. Whether rewriting
+will take place is determined at the point when the packet ingresses the
+switch: if the port is in Trust L3 mode, packet priority is determined from
+the DSCP map at the port, and DSCP rewrite will happen. If the port is in
+Trust L2 mode, 802.1p is used for packet prioritization, and no DSCP
+rewrite will happen.
+
+The driver determines the port trust mode based on whether any DSCP
+prioritization rules are in effect at given port. If there are any, trust
+level is L3, otherwise it's L2. When the last DSCP rule is removed, the
+port is switched to trust L2. Under that scenario, if DSCP of a packet
+should be rewritten, it should be rewritten to 0.
+
+However, when switching to Trust L2, the driver neglects to also update the
+DSCP rewrite map. The last DSCP rule thus remains in effect, and packets
+egressing through this port, if they have the right priority, will have
+their DSCP set according to this rule.
+
+Fix by first configuring the rewrite map, and only then switching to trust
+L2 and bailing out.
+
+Fixes: b2b1dab6884e ("mlxsw: spectrum: Support ieee_setapp, ieee_delapp")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Reported-by: Alex Veber <alexve@mellanox.com>
+Tested-by: Alex Veber <alexve@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlxsw/spectrum_dcb.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c
+index b25048c6c7618..21296fa7f7fbf 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c
+@@ -408,14 +408,6 @@ static int mlxsw_sp_port_dcb_app_update(struct mlxsw_sp_port *mlxsw_sp_port)
+ have_dscp = mlxsw_sp_port_dcb_app_prio_dscp_map(mlxsw_sp_port,
+ &prio_map);
+
+- if (!have_dscp) {
+- err = mlxsw_sp_port_dcb_toggle_trust(mlxsw_sp_port,
+- MLXSW_REG_QPTS_TRUST_STATE_PCP);
+- if (err)
+- netdev_err(mlxsw_sp_port->dev, "Couldn't switch to trust L2\n");
+- return err;
+- }
+-
+ mlxsw_sp_port_dcb_app_dscp_prio_map(mlxsw_sp_port, default_prio,
+ &dscp_map);
+ err = mlxsw_sp_port_dcb_app_update_qpdpm(mlxsw_sp_port,
+@@ -432,6 +424,14 @@ static int mlxsw_sp_port_dcb_app_update(struct mlxsw_sp_port *mlxsw_sp_port)
+ return err;
+ }
+
++ if (!have_dscp) {
++ err = mlxsw_sp_port_dcb_toggle_trust(mlxsw_sp_port,
++ MLXSW_REG_QPTS_TRUST_STATE_PCP);
++ if (err)
++ netdev_err(mlxsw_sp_port->dev, "Couldn't switch to trust L2\n");
++ return err;
++ }
++
+ err = mlxsw_sp_port_dcb_toggle_trust(mlxsw_sp_port,
+ MLXSW_REG_QPTS_TRUST_STATE_DSCP);
+ if (err) {
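Review bot: The relocated `if (!have_dscp)` block has no comment saying why it must come after the map updates, and that ordering is the entire fix. A line such as `/* The rewrite map must already be reconfigured here, otherwise the last DSCP rule stays in effect after the switch to trust L2 */` above it would stop a later cleanup from moving the early return back up. If mlxsw_sp_port_dcb_toggle_trust() fails on this path, the maps have already been rewritten and nothing visible in the hunk restores them. The function starts and continues outside the hunk, so confirm that this partial state is acceptable.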
+--
+2.20.1
+
--- /dev/null
+From 460d37446708b86135422e8b88d98e4bb1d3cc9d Mon Sep 17 00:00:00 2001
+From: Doug Berger <opendmb@gmail.com>
+Date: Tue, 16 Jul 2019 16:26:24 -0700
+Subject: mm/cma.c: fail if fixed declaration can't be honored
+
+[ Upstream commit c633324e311243586675e732249339685e5d6faa ]
+
+The description of cma_declare_contiguous() indicates that if the
+'fixed' argument is true the reserved contiguous area must be exactly at
+the address of the 'base' argument.
+
+However, the function currently allows the 'base', 'size', and 'limit'
+arguments to be silently adjusted to meet alignment constraints. This
+commit enforces the documented behavior through explicit checks that
+return an error if the region does not fit within a specified region.
+
+Link: http://lkml.kernel.org/r/1561422051-16142-1-git-send-email-opendmb@gmail.com
+Fixes: 5ea3b1b2f8ad ("cma: add placement specifier for "cma=" kernel parameter")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Cc: Yue Hu <huyue2@yulong.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Peng Fan <peng.fan@nxp.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/cma.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/mm/cma.c b/mm/cma.c
+index 476dfe13a701f..4c2864270a39b 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -282,6 +282,12 @@ int __init cma_declare_contiguous(phys_addr_t base,
+ */
+ alignment = max(alignment, (phys_addr_t)PAGE_SIZE <<
+ max_t(unsigned long, MAX_ORDER - 1, pageblock_order));
++ if (fixed && base & (alignment - 1)) {
++ ret = -EINVAL;
++ pr_err("Region at %pa must be aligned to %pa bytes\n",
++ &base, &alignment);
++ goto err;
++ }
+ base = ALIGN(base, alignment);
+ size = ALIGN(size, alignment);
+ limit &= ~(alignment - 1);
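Review bot: The new condition `if (fixed && base & (alignment - 1))` relies on `&` binding tighter than `&&`; it is correct, but it reads ambiguously and can draw a parentheses warning. `if (fixed && !IS_ALIGNED(base, alignment)) {` says the same thing and matches the ALIGN() calls just below it. cma_declare_contiguous() starts and ends outside the hunk.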
+@@ -312,6 +318,13 @@ int __init cma_declare_contiguous(phys_addr_t base,
+ if (limit == 0 || limit > memblock_end)
+ limit = memblock_end;
+
++ if (base + size > limit) {
++ ret = -EINVAL;
++ pr_err("Size (%pa) of region at %pa exceeds limit (%pa)\n",
++ &size, &base, &limit);
++ goto err;
++ }
++
+ /* Reserve memory */
+ if (fixed) {
+ if (memblock_is_region_reserved(base, size) ||
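Review bot: `base + size > limit` can wrap around: both operands are phys_addr_t, and per the commit message they can originate from the "cma=" kernel parameter, so a large enough pair sums to a small value and passes the check. Unless an earlier part of cma_declare_contiguous() (outside the hunk) already bounds them, the comparison is safer without the addition: `if (size > limit || base > limit - size) {`. The error message and the `goto err` can stay as they are.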
+--
+2.20.1
+
--- /dev/null
+From ad149a6e8eb27de52948eef60554d959e60d6595 Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Date: Tue, 11 Jun 2019 08:31:09 +0530
+Subject: perf version: Fix segfault due to missing OPT_END()
+
+[ Upstream commit 916c31fff946fae0e05862f9b2435fdb29fd5090 ]
+
+'perf version' on powerpc segfaults when used with non-supported
+option:
+ # perf version -a
+ Segmentation fault (core dumped)
+
+Fix this.
+
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Tested-by: Mamatha Inamdar <mamatha4@linux.vnet.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/20190611030109.20228-1-ravi.bangoria@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-version.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-version.c b/tools/perf/builtin-version.c
+index 50df168be326d..b02c961046403 100644
+--- a/tools/perf/builtin-version.c
++++ b/tools/perf/builtin-version.c
+@@ -19,6 +19,7 @@ static struct version version;
+ static struct option version_options[] = {
+ OPT_BOOLEAN(0, "build-options", &version.build_options,
+ "display the build options"),
++ OPT_END(),
+ };
+
+ static const char * const version_usage[] = {
+--
+2.20.1
+
--- /dev/null
+From f73ef82826bedbe47f051480d6969a392e692d69 Mon Sep 17 00:00:00 2001
+From: Benjamin Block <bblock@linux.ibm.com>
+Date: Tue, 2 Jul 2019 23:02:02 +0200
+Subject: scsi: zfcp: fix GCC compiler warning emitted with
+ -Wmaybe-uninitialized
+
+[ Upstream commit 484647088826f2f651acbda6bcf9536b8a466703 ]
+
+GCC v9 emits this warning:
+ CC drivers/s390/scsi/zfcp_erp.o
+ drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_action_enqueue':
+ drivers/s390/scsi/zfcp_erp.c:217:26: warning: 'erp_action' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 217 | struct zfcp_erp_action *erp_action;
+ | ^~~~~~~~~~
+
+This is a possible false positive case, as also documented in the GCC
+documentations:
+ https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wmaybe-uninitialized
+
+The actual code-sequence is like this:
+ Various callers can invoke the function below with the argument "want"
+ being one of:
+ ZFCP_ERP_ACTION_REOPEN_ADAPTER,
+ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+ ZFCP_ERP_ACTION_REOPEN_PORT, or
+ ZFCP_ERP_ACTION_REOPEN_LUN.
+
+ zfcp_erp_action_enqueue(want, ...)
+ ...
+ need = zfcp_erp_required_act(want, ...)
+ need = want
+ ...
+ maybe: need = ZFCP_ERP_ACTION_REOPEN_PORT
+ maybe: need = ZFCP_ERP_ACTION_REOPEN_ADAPTER
+ ...
+ return need
+ ...
+ zfcp_erp_setup_act(need, ...)
+ struct zfcp_erp_action *erp_action; // <== line 217
+ ...
+ switch(need) {
+ case ZFCP_ERP_ACTION_REOPEN_LUN:
+ ...
+ erp_action = &zfcp_sdev->erp_action;
+ WARN_ON_ONCE(erp_action->port != port); // <== access
+ ...
+ break;
+ case ZFCP_ERP_ACTION_REOPEN_PORT:
+ case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
+ ...
+ erp_action = &port->erp_action;
+ WARN_ON_ONCE(erp_action->port != port); // <== access
+ ...
+ break;
+ case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
+ ...
+ erp_action = &adapter->erp_action;
+ WARN_ON_ONCE(erp_action->port != NULL); // <== access
+ ...
+ break;
+ }
+ ...
+ WARN_ON_ONCE(erp_action->adapter != adapter); // <== access
+
+When zfcp_erp_setup_act() is called, 'need' will never be anything else
+than one of the 4 possible enumeration-names that are used in the
+switch-case, and 'erp_action' is initialized for every one of them, before
+it is used. Thus the warning is a false positive, as documented.
+
+We introduce the extra if{} in the beginning to create an extra code-flow,
+so the compiler can be convinced that the switch-case will never see any
+other value.
+
+BUG_ON()/BUG() is intentionally not used to not crash anything, should
+this ever happen anyway - right now it's impossible, as argued above; and
+it doesn't introduce a 'default:' switch-case to retain warnings should
+'enum zfcp_erp_act_type' ever be extended and no explicit case be
+introduced. See also v5.0 commit 399b6c8bc9f7 ("scsi: zfcp: drop old
+default switch case which might paper over missing case").
+
+Signed-off-by: Benjamin Block <bblock@linux.ibm.com>
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Reviewed-by: Steffen Maier <maier@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/scsi/zfcp_erp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
+index ebdbc457003fe..332701db7379d 100644
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -11,6 +11,7 @@
+ #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
+
+ #include <linux/kthread.h>
++#include <linux/bug.h>
+ #include "zfcp_ext.h"
+ #include "zfcp_reqlist.h"
+
+@@ -238,6 +239,12 @@ static struct zfcp_erp_action *zfcp_erp_setup_act(int need, u32 act_status,
+ struct zfcp_erp_action *erp_action;
+ struct zfcp_scsi_dev *zfcp_sdev;
+
++ if (WARN_ON_ONCE(need != ZFCP_ERP_ACTION_REOPEN_LUN &&
++ need != ZFCP_ERP_ACTION_REOPEN_PORT &&
++ need != ZFCP_ERP_ACTION_REOPEN_PORT_FORCED &&
++ need != ZFCP_ERP_ACTION_REOPEN_ADAPTER))
++ return NULL;
++
+ switch (need) {
+ case ZFCP_ERP_ACTION_REOPEN_LUN:
+ zfcp_sdev = sdev_to_zfcp(sdev);
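Review bot: The new guard adds a `return NULL` path to zfcp_erp_setup_act(), and the hunk does not show whether the caller checks for NULL before using the result. The commit message argues the path is unreachable today, but the guard exists for the day that stops being true, so the caller (zfcp_erp_action_enqueue() according to the commit message) should be confirmed to handle it. A short comment above the `if`, e.g. `/* unreachable today; keeps erp_action provably initialised for -Wmaybe-uninitialized */`, would also keep the check from being removed later as dead code. The function body continues outside the hunk.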
+--
+2.20.1
+
--- /dev/null
+arm-riscpc-fix-dma.patch
+arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch
+arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch
+arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
+ftrace-enable-trampoline-when-rec-count-returns-back.patch
+dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch
+arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch
+kernel-module.c-only-return-eexist-for-modules-that-.patch
+firmware-psci-psci_checker-park-kthreads-before-stop.patch
+mips-lantiq-fix-bitfield-masking.patch
+dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
+clk-tegra210-fix-pllu-and-pllu_out1.patch
+fs-adfs-super-fix-use-after-free-bug.patch
+clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch
+btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
+btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch
+cifs-fix-a-race-condition-with-cifs_echo_request.patch
+ceph-fix-improper-use-of-smp_mb__before_atomic.patch
+ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch
+acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch
+scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
+perf-version-fix-segfault-due-to-missing-opt_end.patch
+x86-kvm-avoid-constant-conversion-warning.patch
+acpi-fix-false-positive-wuninitialized-warning.patch
+be2net-signal-that-the-device-cannot-transmit-during.patch
+x86-apic-silence-wtype-limits-compiler-warnings.patch
+x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
+mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
+lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch
+lib-test_string.c-avoid-masking-memset16-32-64-failu.patch
+coda-add-error-handling-for-fget.patch
+coda-fix-build-using-bare-metal-toolchain.patch
+uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
+drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch
+ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
+mlxsw-spectrum_dcb-configure-dscp-map-as-the-last-ru.patch
+xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch
+x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
+x86-paravirt-fix-callee-saved-function-elf-sizes.patch
+x86-boot-remove-multiple-copy-of-static-function-san.patch
+drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch
--- /dev/null
+From 615d6d2492dff4eea4f9d3c7a53f14ccbcbc66ae Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@iki.fi>
+Date: Tue, 16 Jul 2019 16:28:10 -0700
+Subject: uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel
+ side headers
+
+[ Upstream commit f90fb3c7e2c13ae829db2274b88b845a75038b8a ]
+
+Only users of upc_req in kernel side fs/coda/psdev.c and
+fs/coda/upcall.c already include linux/coda_psdev.h.
+
+Suggested by Jan Harkes <jaharkes@cs.cmu.edu> in
+ https://lore.kernel.org/lkml/20150531111913.GA23377@cs.cmu.edu/
+
+Fixes these include/uapi/linux/coda_psdev.h compilation errors in userspace:
+
+ linux/coda_psdev.h:12:19: error: field `uc_chain' has incomplete type
+ struct list_head uc_chain;
+ ^
+ linux/coda_psdev.h:13:2: error: unknown type name `caddr_t'
+ caddr_t uc_data;
+ ^
+ linux/coda_psdev.h:14:2: error: unknown type name `u_short'
+ u_short uc_flags;
+ ^
+ linux/coda_psdev.h:15:2: error: unknown type name `u_short'
+ u_short uc_inSize; /* Size is at most 5000 bytes */
+ ^
+ linux/coda_psdev.h:16:2: error: unknown type name `u_short'
+ u_short uc_outSize;
+ ^
+ linux/coda_psdev.h:17:2: error: unknown type name `u_short'
+ u_short uc_opcode; /* copied from data to save lookup */
+ ^
+ linux/coda_psdev.h:19:2: error: unknown type name `wait_queue_head_t'
+ wait_queue_head_t uc_sleep; /* process' wait queue */
+ ^
+
+Link: http://lkml.kernel.org/r/9f99f5ce6a0563d5266e6cf7aa9585aac2cae971.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Mikko Rapeli <mikko.rapeli@iki.fi>
+Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Fabian Frederick <fabf@skynet.be>
+Cc: Sam Protsenko <semen.protsenko@linaro.org>
+Cc: Yann Droneaud <ydroneaud@opteya.com>
+Cc: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/coda_psdev.h | 11 +++++++++++
+ include/uapi/linux/coda_psdev.h | 13 -------------
+ 2 files changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/include/linux/coda_psdev.h b/include/linux/coda_psdev.h
+index 15170954aa2b3..57d2b2faf6a3e 100644
+--- a/include/linux/coda_psdev.h
++++ b/include/linux/coda_psdev.h
+@@ -19,6 +19,17 @@ struct venus_comm {
+ struct mutex vc_mutex;
+ };
+
++/* messages between coda filesystem in kernel and Venus */
++struct upc_req {
++ struct list_head uc_chain;
++ caddr_t uc_data;
++ u_short uc_flags;
++ u_short uc_inSize; /* Size is at most 5000 bytes */
++ u_short uc_outSize;
++ u_short uc_opcode; /* copied from data to save lookup */
++ int uc_unique;
++ wait_queue_head_t uc_sleep; /* process' wait queue */
++};
+
+ static inline struct venus_comm *coda_vcp(struct super_block *sb)
+ {
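Review bot: `struct upc_req` now lives in include/linux/coda_psdev.h and needs `struct list_head`, `wait_queue_head_t`, `caddr_t` and `u_short` to be declared before it, but the hunk does not show the header's includes. If they are not already pulled in, the header compiles only when its includers happen to include the right files first; adding `#include <linux/list.h>` and `#include <linux/wait.h>` here would make it self-contained. The comment `/* Size is at most 5000 bytes */` on `uc_inSize` states a limit that `u_short` does not enforce, so a pointer to where that limit is checked would make it verifiable.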
+diff --git a/include/uapi/linux/coda_psdev.h b/include/uapi/linux/coda_psdev.h
+index aa6623efd2dd0..d50d51a57fe4e 100644
+--- a/include/uapi/linux/coda_psdev.h
++++ b/include/uapi/linux/coda_psdev.h
+@@ -7,19 +7,6 @@
+ #define CODA_PSDEV_MAJOR 67
+ #define MAX_CODADEVS 5 /* how many do we allow */
+
+-
+-/* messages between coda filesystem in kernel and Venus */
+-struct upc_req {
+- struct list_head uc_chain;
+- caddr_t uc_data;
+- u_short uc_flags;
+- u_short uc_inSize; /* Size is at most 5000 bytes */
+- u_short uc_outSize;
+- u_short uc_opcode; /* copied from data to save lookup */
+- int uc_unique;
+- wait_queue_head_t uc_sleep; /* process' wait queue */
+-};
+-
+ #define CODA_REQ_ASYNC 0x1
+ #define CODA_REQ_READ 0x2
+ #define CODA_REQ_WRITE 0x4
+--
+2.20.1
+
--- /dev/null
+From 2c010f87ddf2ad650210ae1b245b6657208b1049 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Mon, 8 Jul 2019 17:36:45 -0400
+Subject: x86/apic: Silence -Wtype-limits compiler warnings
+
+[ Upstream commit ec6335586953b0df32f83ef696002063090c7aef ]
+
+There are many compiler warnings like this,
+
+In file included from ./arch/x86/include/asm/smp.h:13,
+ from ./arch/x86/include/asm/mmzone_64.h:11,
+ from ./arch/x86/include/asm/mmzone.h:5,
+ from ./include/linux/mmzone.h:969,
+ from ./include/linux/gfp.h:6,
+ from ./include/linux/mm.h:10,
+ from arch/x86/kernel/apic/io_apic.c:34:
+arch/x86/kernel/apic/io_apic.c: In function 'check_timer':
+./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
+expression >= 0 is always true [-Wtype-limits]
+ if ((v) <= apic_verbosity) \
+ ^~
+arch/x86/kernel/apic/io_apic.c:2160:2: note: in expansion of macro
+'apic_printk'
+ apic_printk(APIC_QUIET, KERN_INFO "..TIMER: vector=0x%02X "
+ ^~~~~~~~~~~
+./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
+expression >= 0 is always true [-Wtype-limits]
+ if ((v) <= apic_verbosity) \
+ ^~
+arch/x86/kernel/apic/io_apic.c:2207:4: note: in expansion of macro
+'apic_printk'
+ apic_printk(APIC_QUIET, KERN_ERR "..MP-BIOS bug: "
+ ^~~~~~~~~~~
+
+APIC_QUIET is 0, so silence them by making apic_verbosity type int.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/1562621805-24789-1-git-send-email-cai@lca.pw
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/kernel/apic/apic.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
+index 130e81e10fc7c..050368db9d357 100644
+--- a/arch/x86/include/asm/apic.h
++++ b/arch/x86/include/asm/apic.h
+@@ -48,7 +48,7 @@ static inline void generic_apic_probe(void)
+
+ #ifdef CONFIG_X86_LOCAL_APIC
+
+-extern unsigned int apic_verbosity;
++extern int apic_verbosity;
+ extern int local_apic_timer_c2_ok;
+
+ extern int disable_apic;
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 02020f2e00809..272a12865b2aa 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -181,7 +181,7 @@ EXPORT_SYMBOL_GPL(local_apic_timer_c2_ok);
+ /*
+ * Debug level, exported for io_apic.c
+ */
+-unsigned int apic_verbosity;
++int apic_verbosity;
+
+ int pic_mode;
+
+--
+2.20.1
+
--- /dev/null
+From 292ea7c8e297b66a7d2a634c2945819bed1cf4c8 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Tue, 16 Jul 2019 21:18:12 +0800
+Subject: x86, boot: Remove multiple copy of static function
+ sanitize_boot_params()
+
+[ Upstream commit 8c5477e8046ca139bac250386c08453da37ec1ae ]
+
+Kernel build warns:
+ 'sanitize_boot_params' defined but not used [-Wunused-function]
+
+at below files:
+ arch/x86/boot/compressed/cmdline.c
+ arch/x86/boot/compressed/error.c
+ arch/x86/boot/compressed/early_serial_console.c
+ arch/x86/boot/compressed/acpi.c
+
+That's because they each include misc.h which includes a definition of
+sanitize_boot_params() via bootparam_utils.h.
+
+Remove the inclusion from misc.h and have the c file including
+bootparam_utils.h directly.
+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/1563283092-1189-1-git-send-email-zhenzhong.duan@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/boot/compressed/misc.c | 1 +
+ arch/x86/boot/compressed/misc.h | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
+index 8dd1d5ccae580..0387d7a96c842 100644
+--- a/arch/x86/boot/compressed/misc.c
++++ b/arch/x86/boot/compressed/misc.c
+@@ -17,6 +17,7 @@
+ #include "pgtable.h"
+ #include "../string.h"
+ #include "../voffset.h"
++#include <asm/bootparam_utils.h>
+
+ /*
+ * WARNING!!
+diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
+index a423bdb426862..47fd18db6b3bf 100644
+--- a/arch/x86/boot/compressed/misc.h
++++ b/arch/x86/boot/compressed/misc.h
+@@ -22,7 +22,6 @@
+ #include <asm/page.h>
+ #include <asm/boot.h>
+ #include <asm/bootparam.h>
+-#include <asm/bootparam_utils.h>
+
+ #define BOOT_BOOT_H
+ #include "../ctype.h"
+--
+2.20.1
+
--- /dev/null
+From 017206a418313f4cf4b9edfb195b1fdda4e57520 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 12 Jul 2019 11:12:30 +0200
+Subject: x86: kvm: avoid constant-conversion warning
+
+[ Upstream commit a6a6d3b1f867d34ba5bd61aa7bb056b48ca67cff ]
+
+clang finds a construct suspicious that converts an unsigned
+character to a signed integer and back, causing an overflow:
+
+arch/x86/kvm/mmu.c:4605:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -205 to 51 [-Werror,-Wconstant-conversion]
+ u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
+ ~~ ^~
+arch/x86/kvm/mmu.c:4607:38: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -241 to 15 [-Werror,-Wconstant-conversion]
+ u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
+ ~~ ^~
+arch/x86/kvm/mmu.c:4609:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -171 to 85 [-Werror,-Wconstant-conversion]
+ u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
+ ~~ ^~
+
+Add an explicit cast to tell clang that everything works as
+intended here.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://github.com/ClangBuiltLinux/linux/issues/95
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/mmu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index e0f982e35c96b..cdc0c460950f3 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4532,11 +4532,11 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
+ */
+
+ /* Faults from writes to non-writable pages */
+- u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
++ u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0;
+ /* Faults from user mode accesses to supervisor pages */
+- u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
++ u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0;
+ /* Faults from fetches of non-executable pages*/
+- u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
++ u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0;
+ /* Faults from kernel mode fetches of user pages */
+ u8 smepf = 0;
+ /* Faults from kernel mode accesses of user pages */
+--
+2.20.1
+
--- /dev/null
+From f5f97fb992fbb37b4edee66c13b3350836053e1a Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Wed, 17 Jul 2019 20:36:39 -0500
+Subject: x86/kvm: Don't call kvm_spurious_fault() from .fixup
+
+[ Upstream commit 3901336ed9887b075531bffaeef7742ba614058b ]
+
+After making a change to improve objtool's sibling call detection, it
+started showing the following warning:
+
+ arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame
+
+The problem is the ____kvm_handle_fault_on_reboot() macro. It does a
+fake call by pushing a fake RIP and doing a jump. That tricks the
+unwinder into printing the function which triggered the exception,
+rather than the .fixup code.
+
+Instead of the hack to make it look like the original function made the
+call, just change the macro so that the original function actually does
+make the call. This allows removal of the hack, and also makes objtool
+happy.
+
+I triggered a vmx instruction exception and verified that the stack
+trace is still sane:
+
+ kernel BUG at arch/x86/kvm/x86.c:358!
+ invalid opcode: 0000 [#1] SMP PTI
+ CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16
+ Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017
+ RIP: 0010:kvm_spurious_fault+0x5/0x10
+ Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
+ RSP: 0018:ffffbf91c683bd00 EFLAGS: 00010246
+ RAX: 000061f040000000 RBX: ffff9e159c77bba0 RCX: ffff9e15a5c87000
+ RDX: 0000000665c87000 RSI: ffff9e15a5c87000 RDI: ffff9e159c77bba0
+ RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9e15a5c87000
+ R10: 0000000000000000 R11: fffff8f2d99721c0 R12: ffff9e159c77bba0
+ R13: ffffbf91c671d960 R14: ffff9e159c778000 R15: 0000000000000000
+ FS: 00007fa341cbe700(0000) GS:ffff9e15b7400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fdd38356804 CR3: 00000006759de003 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ loaded_vmcs_init+0x4f/0xe0
+ alloc_loaded_vmcs+0x38/0xd0
+ vmx_create_vcpu+0xf7/0x600
+ kvm_vm_ioctl+0x5e9/0x980
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? free_one_page+0x13f/0x4e0
+ do_vfs_ioctl+0xa4/0x630
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x55/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7fa349b1ee5b
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/kvm_host.h | 34 ++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 7014dba23d20c..2877e1fbadd86 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1427,25 +1427,29 @@ enum {
+ #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0)
+ #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm)
+
++asmlinkage void __noreturn kvm_spurious_fault(void);
++
+ /*
+ * Hardware virtualization extension instructions may fault if a
+ * reboot turns off virtualization while processes are running.
+- * Trap the fault and ignore the instruction if that happens.
++ * Usually after catching the fault we just panic; during reboot
++ * instead the instruction is ignored.
+ */
+-asmlinkage void kvm_spurious_fault(void);
+-
+-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
+- "666: " insn "\n\t" \
+- "668: \n\t" \
+- ".pushsection .fixup, \"ax\" \n" \
+- "667: \n\t" \
+- cleanup_insn "\n\t" \
+- "cmpb $0, kvm_rebooting \n\t" \
+- "jne 668b \n\t" \
+- __ASM_SIZE(push) " $666b \n\t" \
+- "jmp kvm_spurious_fault \n\t" \
+- ".popsection \n\t" \
+- _ASM_EXTABLE(666b, 667b)
++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
++ "666: \n\t" \
++ insn "\n\t" \
++ "jmp 668f \n\t" \
++ "667: \n\t" \
++ "call kvm_spurious_fault \n\t" \
++ "668: \n\t" \
++ ".pushsection .fixup, \"ax\" \n\t" \
++ "700: \n\t" \
++ cleanup_insn "\n\t" \
++ "cmpb $0, kvm_rebooting\n\t" \
++ "je 667b \n\t" \
++ "jmp 668b \n\t" \
++ ".popsection \n\t" \
++ _ASM_EXTABLE(666b, 700b)
+
+ #define __kvm_handle_fault_on_reboot(insn) \
+ ____kvm_handle_fault_on_reboot(insn, "")
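Review bot: The `call kvm_spurious_fault` at label 667 is followed directly by label 668, so the macro is only correct while the callee never returns. The hunk adds `__noreturn` to the declaration, but nothing beside the asm records that the fall-through is meant to be unreachable. I would add a comment above the macro such as `/* 667 is reached only from the fixup at 700 when kvm_rebooting is 0; kvm_spurious_fault() must not return, or execution continues at 668 as if insn had succeeded */`. The block comment could also say that the success path now jumps over the call with `jmp 668f`. The definition of kvm_spurious_fault is outside this hunk, so whether it really cannot return should be confirmed there.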
+--
+2.20.1
+
--- /dev/null
+From f19b95fa44ae1aa10e184c51539be9937a520038 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 12 Jul 2019 11:08:05 +0200
+Subject: x86: math-emu: Hide clang warnings for 16-bit overflow
+
+[ Upstream commit 29e7e9664aec17b94a9c8c5a75f8d216a206aa3a ]
+
+clang warns about a few parts of the math-emu implementation
+where a 16-bit integer becomes negative during assignment:
+
+arch/x86/math-emu/poly_tan.c:88:35: error: implicit conversion from 'int' to 'short' changes value from 49216 to -16320 [-Werror,-Wconstant-conversion]
+ (0x41 + EXTENDED_Ebias) | SIGN_Negative);
+ ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~
+arch/x86/math-emu/fpu_emu.h:180:58: note: expanded from macro 'setexponent16'
+ #define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); }
+ ~ ^
+arch/x86/math-emu/reg_constant.c:37:32: error: implicit conversion from 'int' to 'short' changes value from 49085 to -16451 [-Werror,-Wconstant-conversion]
+FPU_REG const CONST_PI2extra = MAKE_REG(NEG, -66,
+ ^~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
+ ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:48:28: error: implicit conversion from 'int' to 'short' changes value from 65535 to -1 [-Werror,-Wconstant-conversion]
+FPU_REG const CONST_QNaN = MAKE_REG(NEG, EXP_OVER, 0x00000000, 0xC0000000);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
+ ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The code is correct as is, so add a typecast to shut up the warnings.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190712090816.350668-1-arnd@arndb.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/math-emu/fpu_emu.h | 2 +-
+ arch/x86/math-emu/reg_constant.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/math-emu/fpu_emu.h b/arch/x86/math-emu/fpu_emu.h
+index a5a41ec580721..0c122226ca56f 100644
+--- a/arch/x86/math-emu/fpu_emu.h
++++ b/arch/x86/math-emu/fpu_emu.h
+@@ -177,7 +177,7 @@ static inline void reg_copy(FPU_REG const *x, FPU_REG *y)
+ #define setexponentpos(x,y) { (*(short *)&((x)->exp)) = \
+ ((y) + EXTENDED_Ebias) & 0x7fff; }
+ #define exponent16(x) (*(short *)&((x)->exp))
+-#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); }
++#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (u16)(y); }
+ #define addexponent(x,y) { (*(short *)&((x)->exp)) += (y); }
+ #define stdexp(x) { (*(short *)&((x)->exp)) += EXTENDED_Ebias; }
+
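Review bot: The `(u16)` cast added to `setexponent16` names a different type from the `short` lvalue it is stored into, so the value is still converted implicitly from unsigned to `short` after the cast. Casting to the destination type, `{ (*(short *)&((x)->exp)) = (short)(y); }`, would state the intended truncation directly. The same applies to the `(u16)` added to `MAKE_REG` in reg_constant.c, where the clang message quoted in the description reports the target as `short`. A one-line comment beside either macro, such as `/* bit 15 carries the sign; truncation to 16 bits is intended */`, would record why the warning is silenced. Whether a `(short)` cast also silences -Wconstant-conversion should be checked with clang before switching.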
+diff --git a/arch/x86/math-emu/reg_constant.c b/arch/x86/math-emu/reg_constant.c
+index 8dc9095bab224..742619e94bdf2 100644
+--- a/arch/x86/math-emu/reg_constant.c
++++ b/arch/x86/math-emu/reg_constant.c
+@@ -18,7 +18,7 @@
+ #include "control_w.h"
+
+ #define MAKE_REG(s, e, l, h) { l, h, \
+- ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
++ (u16)((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+
+ FPU_REG const CONST_1 = MAKE_REG(POS, 0, 0x00000000, 0x80000000);
+ #if 0
+--
+2.20.1
+
--- /dev/null
+From 491a1d148d4595105f9a95a657ab1c64e01764d5 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Wed, 17 Jul 2019 20:36:36 -0500
+Subject: x86/paravirt: Fix callee-saved function ELF sizes
+
+[ Upstream commit 083db6764821996526970e42d09c1ab2f4155dd4 ]
+
+The __raw_callee_save_*() functions have an ELF symbol size of zero,
+which confuses objtool and other tools.
+
+Fixes a bunch of warnings like the following:
+
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pte_val() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pgd_val() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pte() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pgd() is missing an ELF size annotation
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/afa6d49bb07497ca62e4fc3b27a2d0cece545b4e.1563413318.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/paravirt.h | 1 +
+ arch/x86/kernel/kvm.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
+index e375d4266b53e..a04677038872c 100644
+--- a/arch/x86/include/asm/paravirt.h
++++ b/arch/x86/include/asm/paravirt.h
+@@ -768,6 +768,7 @@ static __always_inline bool pv_vcpu_is_preempted(long cpu)
+ PV_RESTORE_ALL_CALLER_REGS \
+ FRAME_END \
+ "ret;" \
++ ".size " PV_THUNK_NAME(func) ", .-" PV_THUNK_NAME(func) ";" \
+ ".popsection")
+
+ /* Get a reference to a callee-save function */
+diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
+index 7f89d609095ac..cee45d46e67dc 100644
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -830,6 +830,7 @@ asm(
+ "cmpb $0, " __stringify(KVM_STEAL_TIME_preempted) "+steal_time(%rax);"
+ "setne %al;"
+ "ret;"
++".size __raw_callee_save___kvm_vcpu_is_preempted, .-__raw_callee_save___kvm_vcpu_is_preempted;"
+ ".popsection");
+
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 1440c591cc271f01dc9a57b07556eb083636e095 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Sun, 14 Jul 2019 17:15:32 +0800
+Subject: xen/pv: Fix a boot up hang revealed by int3 self test
+
+[ Upstream commit b23e5844dfe78a80ba672793187d3f52e4b528d7 ]
+
+Commit 7457c0da024b ("x86/alternatives: Add int3_emulate_call()
+selftest") is used to ensure there is a gap setup in int3 exception stack
+which could be used for inserting call return address.
+
+This gap is missed in XEN PV int3 exception entry path, then below panic
+triggered:
+
+[ 0.772876] general protection fault: 0000 [#1] SMP NOPTI
+[ 0.772886] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.2.0+ #11
+[ 0.772893] RIP: e030:int3_magic+0x0/0x7
+[ 0.772905] RSP: 3507:ffffffff82203e98 EFLAGS: 00000246
+[ 0.773334] Call Trace:
+[ 0.773334] alternative_instructions+0x3d/0x12e
+[ 0.773334] check_bugs+0x7c9/0x887
+[ 0.773334] ? __get_locked_pte+0x178/0x1f0
+[ 0.773334] start_kernel+0x4ff/0x535
+[ 0.773334] ? set_init_arg+0x55/0x55
+[ 0.773334] xen_start_kernel+0x571/0x57a
+
+For 64bit PV guests, Xen's ABI enters the kernel with using SYSRET, with
+%rcx/%r11 on the stack. To convert back to "normal" looking exceptions,
+the xen thunks do 'xen_*: pop %rcx; pop %r11; jmp *'.
+
+E.g. Extracting 'xen_pv_trap xenint3' we have:
+xen_xenint3:
+ pop %rcx;
+ pop %r11;
+ jmp xenint3
+
+As xenint3 and int3 entry code are same except xenint3 doesn't generate
+a gap, we can fix it by using int3 and drop useless xenint3.
+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Stefano Stabellini <sstabellini@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/entry_64.S | 1 -
+ arch/x86/include/asm/traps.h | 2 +-
+ arch/x86/xen/enlighten_pv.c | 2 +-
+ arch/x86/xen/xen-asm_64.S | 1 -
+ 4 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 206df099950ea..e7572a209fbe7 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -1196,7 +1196,6 @@ idtentry stack_segment do_stack_segment has_error_code=1
+ #ifdef CONFIG_XEN
+ idtentry xennmi do_nmi has_error_code=0
+ idtentry xendebug do_debug has_error_code=0
+-idtentry xenint3 do_int3 has_error_code=0
+ #endif
+
+ idtentry general_protection do_general_protection has_error_code=1
+diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
+index afbc87206886e..b771bb3d159bc 100644
+--- a/arch/x86/include/asm/traps.h
++++ b/arch/x86/include/asm/traps.h
+@@ -40,7 +40,7 @@ asmlinkage void simd_coprocessor_error(void);
+ asmlinkage void xen_divide_error(void);
+ asmlinkage void xen_xennmi(void);
+ asmlinkage void xen_xendebug(void);
+-asmlinkage void xen_xenint3(void);
++asmlinkage void xen_int3(void);
+ asmlinkage void xen_overflow(void);
+ asmlinkage void xen_bounds(void);
+ asmlinkage void xen_invalid_op(void);
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 782f98b332f05..1730a26ff6abc 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -597,12 +597,12 @@ struct trap_array_entry {
+
+ static struct trap_array_entry trap_array[] = {
+ { debug, xen_xendebug, true },
+- { int3, xen_xenint3, true },
+ { double_fault, xen_double_fault, true },
+ #ifdef CONFIG_X86_MCE
+ { machine_check, xen_machine_check, true },
+ #endif
+ { nmi, xen_xennmi, true },
++ { int3, xen_int3, false },
+ { overflow, xen_overflow, false },
+ #ifdef CONFIG_IA32_EMULATION
+ { entry_INT80_compat, xen_entry_INT80_compat, false },
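Review bot: The int3 row in `trap_array` changes its third initializer from `true` to `false` as well as switching to `xen_int3`, and the description does not mention the flag change. The field's name is outside this hunk. If it marks entries that are allowed to use an IST stack (presumably `ist_okay`), `false` is only right when the int3 gate uses no IST stack in the tree receiving this backport, which should be confirmed for the target version. A short comment on the row, e.g. `/* int3 goes through the normal entry so the stack gap for int3_emulate_call() exists */`, would record why it no longer has a Xen-specific entry. The array initializer continues past the end of the hunk.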
+diff --git a/arch/x86/xen/xen-asm_64.S b/arch/x86/xen/xen-asm_64.S
+index 417b339e5c8e1..3a6feed76dfc1 100644
+--- a/arch/x86/xen/xen-asm_64.S
++++ b/arch/x86/xen/xen-asm_64.S
+@@ -30,7 +30,6 @@ xen_pv_trap divide_error
+ xen_pv_trap debug
+ xen_pv_trap xendebug
+ xen_pv_trap int3
+-xen_pv_trap xenint3
+ xen_pv_trap xennmi
+ xen_pv_trap overflow
+ xen_pv_trap bounds
+--
+2.20.1
+