--- /dev/null
+From b6aa06de7757667bac88997a8807b143b8436035 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Mon, 29 Jun 2020 14:24:43 +0200
+Subject: ASoC: qcom: Drop HAS_DMA dependency to fix link failure
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+commit b6aa06de7757667bac88997a8807b143b8436035 upstream.
+
+When building on allyesconfig kernel for a NO_DMA=y platform (e.g.
+Sun-3), CONFIG_SND_SOC_QCOM_COMMON=y, but CONFIG_SND_SOC_QDSP6_AFE=n,
+leading to a link failure:
+
+ sound/soc/qcom/common.o: In function `qcom_snd_parse_of':
+ common.c:(.text+0x2e2): undefined reference to `q6afe_is_rx_port'
+
+While SND_SOC_QDSP6 depends on HAS_DMA, SND_SOC_MSM8996 and SND_SOC_SDM845
+don't, so the following warning is seen:
+
+ WARNING: unmet direct dependencies detected for SND_SOC_QDSP6
+ Depends on [n]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && HAS_DMA [=n]
+ Selected by [y]:
+ - SND_SOC_MSM8996 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y]
+ - SND_SOC_SDM845 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && CROS_EC [=y] && I2C [=y] && SOUNDWIRE [=y]
+
+Until recently, this warning was harmless (from a compile-testing
+point-of-view), but the new user of q6afe_is_rx_port() turned this into
+a hard failure.
+
+As the QDSP6 driver itself builds fine if NO_DMA=y, and it depends on
+QCOM_APR (which in turns depends on ARCH_QCOM || COMPILE_TEST), it is
+safe to increase compile testing coverage. Hence fix the link failure
+by dropping the HAS_DMA dependency of SND_SOC_QDSP6.
+
+Fixes: a2120089251f1fe2 ("ASoC: qcom: common: set correct directions for dailinks")
+Fixes: 6b1687bf76ef84cb ("ASoC: qcom: add sdm845 sound card support")
+Fixes: a6f933f63f2ffdb2 ("ASoC: qcom: apq8096: Add db820c machine driver")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20200629122443.21736-1-geert@linux-m68k.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/qcom/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/qcom/Kconfig
++++ b/sound/soc/qcom/Kconfig
+@@ -72,7 +72,7 @@ config SND_SOC_QDSP6_ASM_DAI
+
+ config SND_SOC_QDSP6
+ tristate "SoC ALSA audio driver for QDSP6"
+- depends on QCOM_APR && HAS_DMA
++ depends on QCOM_APR
+ select SND_SOC_QDSP6_COMMON
+ select SND_SOC_QDSP6_CORE
+ select SND_SOC_QDSP6_AFE
--- /dev/null
+From 85ca6b17e2bb96b19caac3b02c003d670b66de96 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 28 Jun 2020 17:52:28 +0200
+Subject: ASoC: rt5670: Add new gpio1_is_ext_spk_en quirk and enable it on the Lenovo Miix 2 10
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 85ca6b17e2bb96b19caac3b02c003d670b66de96 upstream.
+
+The Lenovo Miix 2 10 has a keyboard dock with extra speakers in the dock.
+Rather then the ACL5672's GPIO1 pin being used as IRQ to the CPU, it is
+actually used to enable the amplifier for these speakers
+(the IRQ to the CPU comes directly from the jack-detect switch).
+
+Add a quirk for having an ext speaker-amplifier enable pin on GPIO1
+and replace the Lenovo Miix 2 10's dmi_system_id table entry's wrong
+GPIO_DEV quirk (which needs to be renamed to GPIO1_IS_IRQ) with the
+new RT5670_GPIO1_IS_EXT_SPK_EN quirk, so that we enable the external
+speaker-amplifier as necessary.
+
+Also update the ident field for the dmi_system_id table entry, the
+Miix models are not Thinkpads.
+
+Fixes: 67e03ff3f32f ("ASoC: codecs: rt5670: add Thinkpad Tablet 10 quirk")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1786723
+Link: https://lore.kernel.org/r/20200628155231.71089-4-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/rt5670.h | 1
+ sound/soc/codecs/rt5670.c | 71 ++++++++++++++++++++++++++++++++++++----------
+ 2 files changed, 57 insertions(+), 15 deletions(-)
+
+--- a/include/sound/rt5670.h
++++ b/include/sound/rt5670.h
+@@ -12,6 +12,7 @@ struct rt5670_platform_data {
+ int jd_mode;
+ bool in2_diff;
+ bool dev_gpio;
++ bool gpio1_is_ext_spk_en;
+
+ bool dmic_en;
+ unsigned int dmic1_data_pin;
+--- a/sound/soc/codecs/rt5670.c
++++ b/sound/soc/codecs/rt5670.c
+@@ -31,18 +31,19 @@
+ #include "rt5670.h"
+ #include "rt5670-dsp.h"
+
+-#define RT5670_DEV_GPIO BIT(0)
+-#define RT5670_IN2_DIFF BIT(1)
+-#define RT5670_DMIC_EN BIT(2)
+-#define RT5670_DMIC1_IN2P BIT(3)
+-#define RT5670_DMIC1_GPIO6 BIT(4)
+-#define RT5670_DMIC1_GPIO7 BIT(5)
+-#define RT5670_DMIC2_INR BIT(6)
+-#define RT5670_DMIC2_GPIO8 BIT(7)
+-#define RT5670_DMIC3_GPIO5 BIT(8)
+-#define RT5670_JD_MODE1 BIT(9)
+-#define RT5670_JD_MODE2 BIT(10)
+-#define RT5670_JD_MODE3 BIT(11)
++#define RT5670_DEV_GPIO BIT(0)
++#define RT5670_IN2_DIFF BIT(1)
++#define RT5670_DMIC_EN BIT(2)
++#define RT5670_DMIC1_IN2P BIT(3)
++#define RT5670_DMIC1_GPIO6 BIT(4)
++#define RT5670_DMIC1_GPIO7 BIT(5)
++#define RT5670_DMIC2_INR BIT(6)
++#define RT5670_DMIC2_GPIO8 BIT(7)
++#define RT5670_DMIC3_GPIO5 BIT(8)
++#define RT5670_JD_MODE1 BIT(9)
++#define RT5670_JD_MODE2 BIT(10)
++#define RT5670_JD_MODE3 BIT(11)
++#define RT5670_GPIO1_IS_EXT_SPK_EN BIT(12)
+
+ static unsigned long rt5670_quirk;
+ static unsigned int quirk_override;
+@@ -1447,6 +1448,33 @@ static int rt5670_hp_event(struct snd_so
+ return 0;
+ }
+
++static int rt5670_spk_event(struct snd_soc_dapm_widget *w,
++ struct snd_kcontrol *kcontrol, int event)
++{
++ struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
++ struct rt5670_priv *rt5670 = snd_soc_component_get_drvdata(component);
++
++ if (!rt5670->pdata.gpio1_is_ext_spk_en)
++ return 0;
++
++ switch (event) {
++ case SND_SOC_DAPM_POST_PMU:
++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2,
++ RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_HI);
++ break;
++
++ case SND_SOC_DAPM_PRE_PMD:
++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2,
++ RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_LO);
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 0;
++}
++
+ static int rt5670_bst1_event(struct snd_soc_dapm_widget *w,
+ struct snd_kcontrol *kcontrol, int event)
+ {
+@@ -1860,7 +1888,9 @@ static const struct snd_soc_dapm_widget
+ };
+
+ static const struct snd_soc_dapm_widget rt5672_specific_dapm_widgets[] = {
+- SND_SOC_DAPM_PGA("SPO Amp", SND_SOC_NOPM, 0, 0, NULL, 0),
++ SND_SOC_DAPM_PGA_E("SPO Amp", SND_SOC_NOPM, 0, 0, NULL, 0,
++ rt5670_spk_event, SND_SOC_DAPM_PRE_PMD |
++ SND_SOC_DAPM_POST_PMU),
+ SND_SOC_DAPM_OUTPUT("SPOLP"),
+ SND_SOC_DAPM_OUTPUT("SPOLN"),
+ SND_SOC_DAPM_OUTPUT("SPORP"),
+@@ -2857,14 +2887,14 @@ static const struct dmi_system_id dmi_pl
+ },
+ {
+ .callback = rt5670_quirk_cb,
+- .ident = "Lenovo Thinkpad Tablet 10",
++ .ident = "Lenovo Miix 2 10",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Miix 2 10"),
+ },
+ .driver_data = (unsigned long *)(RT5670_DMIC_EN |
+ RT5670_DMIC1_IN2P |
+- RT5670_DEV_GPIO |
++ RT5670_GPIO1_IS_EXT_SPK_EN |
+ RT5670_JD_MODE2),
+ },
+ {
+@@ -2924,6 +2954,10 @@ static int rt5670_i2c_probe(struct i2c_c
+ rt5670->pdata.dev_gpio = true;
+ dev_info(&i2c->dev, "quirk dev_gpio\n");
+ }
++ if (rt5670_quirk & RT5670_GPIO1_IS_EXT_SPK_EN) {
++ rt5670->pdata.gpio1_is_ext_spk_en = true;
++ dev_info(&i2c->dev, "quirk GPIO1 is external speaker enable\n");
++ }
+ if (rt5670_quirk & RT5670_IN2_DIFF) {
+ rt5670->pdata.in2_diff = true;
+ dev_info(&i2c->dev, "quirk IN2_DIFF\n");
+@@ -3022,6 +3056,13 @@ static int rt5670_i2c_probe(struct i2c_c
+ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2,
+ RT5670_GP1_PF_MASK, RT5670_GP1_PF_OUT);
+ }
++
++ if (rt5670->pdata.gpio1_is_ext_spk_en) {
++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL1,
++ RT5670_GP1_PIN_MASK, RT5670_GP1_PIN_GPIO1);
++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2,
++ RT5670_GP1_PF_MASK, RT5670_GP1_PF_OUT);
++ }
+
+ if (rt5670->pdata.jd_mode) {
+ regmap_update_bits(rt5670->regmap, RT5670_GLB_CLK,
--- /dev/null
+From 6f0307df83f2aa6bdf656c2219c89ce96502d20e Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Tue, 7 Jul 2020 15:37:45 -0500
+Subject: ASoC: topology: fix kernel oops on route addition error
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+commit 6f0307df83f2aa6bdf656c2219c89ce96502d20e upstream.
+
+When errors happens while loading graph components, the kernel oopses
+while trying to remove all topology components. This can be
+root-caused to a list pointing to memory that was already freed on
+error.
+
+remove_route() is already called on errors and will perform the
+required cleanups so there's no need to free the route memory in
+soc_tplg_dapm_graph_elems_load() if the route was added to the
+list. We do however want to free the routes allocated but not added to
+the list.
+
+Fixes: 7df04ea7a31ea ('ASoC: topology: modify dapm route loading routine and add dapm route unloading')
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20200707203749.113883-2-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-topology.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1284,17 +1284,29 @@ static int soc_tplg_dapm_graph_elems_loa
+ list_add(&routes[i]->dobj.list, &tplg->comp->dobj_list);
+
+ ret = soc_tplg_add_route(tplg, routes[i]);
+- if (ret < 0)
++ if (ret < 0) {
++ /*
++ * this route was added to the list, it will
++ * be freed in remove_route() so increment the
++ * counter to skip it in the error handling
++ * below.
++ */
++ i++;
+ break;
++ }
+
+ /* add route, but keep going if some fail */
+ snd_soc_dapm_add_routes(dapm, routes[i], 1);
+ }
+
+- /* free memory allocated for all dapm routes in case of error */
+- if (ret < 0)
+- for (i = 0; i < count ; i++)
+- kfree(routes[i]);
++ /*
++ * free memory allocated for all dapm routes not added to the
++ * list in case of error
++ */
++ if (ret < 0) {
++ while (i < count)
++ kfree(routes[i++]);
++ }
+
+ /*
+ * free pointer to array of dapm routes as this is no longer needed.
--- /dev/null
+From 8edac489e7c3fce44208373bb3e7b5835a672c66 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Tue, 7 Jul 2020 15:37:46 -0500
+Subject: ASoC: topology: fix tlvs in error handling for widget_dmixer
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+commit 8edac489e7c3fce44208373bb3e7b5835a672c66 upstream.
+
+we need to free all allocated tlvs, not just the one allocated in
+the loop before releasing kcontrols - other the tlvs references will
+leak.
+
+Fixes: 9f90af3a995298 ('ASoC: topology: Consolidate and fix asoc_tplg_dapm_widget_*_create flow')
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20200707203749.113883-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1394,7 +1394,6 @@ static struct snd_kcontrol_new *soc_tplg
+ if (err < 0) {
+ dev_err(tplg->dev, "ASoC: failed to init %s\n",
+ mc->hdr.name);
+- soc_tplg_free_tlv(tplg, &kc[i]);
+ goto err_sm;
+ }
+ }
+@@ -1402,6 +1401,7 @@ static struct snd_kcontrol_new *soc_tplg
+
+ err_sm:
+ for (; i >= 0; i--) {
++ soc_tplg_free_tlv(tplg, &kc[i]);
+ sm = (struct soc_mixer_control *)kc[i].private_value;
+ kfree(sm);
+ kfree(kc[i].name);
--- /dev/null
+From 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 Mon Sep 17 00:00:00 2001
+From: Qiujun Huang <hqjagain@gmail.com>
+Date: Sat, 4 Apr 2020 12:18:38 +0800
+Subject: ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
+
+From: Qiujun Huang <hqjagain@gmail.com>
+
+commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream.
+
+In ath9k_hif_usb_rx_cb interface number is assumed to be 0.
+usb_ifnum_to_if(urb->dev, 0)
+But it isn't always true.
+
+The case reported by syzbot:
+https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com
+usb 2-1: new high-speed USB device number 2 using dummy_hcd
+usb 2-1: config 1 has an invalid interface number: 2 but max is 0
+usb 2-1: config 1 has no interface number 0
+usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice=
+1.08
+usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+general protection fault, probably for non-canonical address
+0xdffffc0000000015: 0000 [#1] SMP KASAN
+KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
+
+Call Trace
+__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
+usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
+dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
+call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
+expire_timers kernel/time/timer.c:1449 [inline]
+__run_timers kernel/time/timer.c:1773 [inline]
+__run_timers kernel/time/timer.c:1740 [inline]
+run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
+__do_softirq+0x21e/0x950 kernel/softirq.c:292
+invoke_softirq kernel/softirq.c:373 [inline]
+irq_exit+0x178/0x1a0 kernel/softirq.c:413
+exiting_irq arch/x86/include/asm/apic.h:546 [inline]
+smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
+apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
+
+Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
+Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com
+Cc: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 48 +++++++++++++++++++++++--------
+ drivers/net/wireless/ath/ath9k/hif_usb.h | 5 +++
+ 2 files changed, 42 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -643,9 +643,9 @@ err:
+
+ static void ath9k_hif_usb_rx_cb(struct urb *urb)
+ {
+- struct sk_buff *skb = (struct sk_buff *) urb->context;
+- struct hif_device_usb *hif_dev =
+- usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
++ struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
++ struct hif_device_usb *hif_dev = rx_buf->hif_dev;
++ struct sk_buff *skb = rx_buf->skb;
+ int ret;
+
+ if (!skb)
+@@ -685,14 +685,15 @@ resubmit:
+ return;
+ free:
+ kfree_skb(skb);
++ kfree(rx_buf);
+ }
+
+ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
+ {
+- struct sk_buff *skb = (struct sk_buff *) urb->context;
++ struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
++ struct hif_device_usb *hif_dev = rx_buf->hif_dev;
++ struct sk_buff *skb = rx_buf->skb;
+ struct sk_buff *nskb;
+- struct hif_device_usb *hif_dev =
+- usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
+ int ret;
+
+ if (!skb)
+@@ -750,6 +751,7 @@ resubmit:
+ return;
+ free:
+ kfree_skb(skb);
++ kfree(rx_buf);
+ urb->context = NULL;
+ }
+
+@@ -795,7 +797,7 @@ static int ath9k_hif_usb_alloc_tx_urbs(s
+ init_usb_anchor(&hif_dev->mgmt_submitted);
+
+ for (i = 0; i < MAX_TX_URB_NUM; i++) {
+- tx_buf = kzalloc(sizeof(struct tx_buf), GFP_KERNEL);
++ tx_buf = kzalloc(sizeof(*tx_buf), GFP_KERNEL);
+ if (!tx_buf)
+ goto err;
+
+@@ -832,8 +834,9 @@ static void ath9k_hif_usb_dealloc_rx_urb
+
+ static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev)
+ {
+- struct urb *urb = NULL;
++ struct rx_buf *rx_buf = NULL;
+ struct sk_buff *skb = NULL;
++ struct urb *urb = NULL;
+ int i, ret;
+
+ init_usb_anchor(&hif_dev->rx_submitted);
+@@ -841,6 +844,12 @@ static int ath9k_hif_usb_alloc_rx_urbs(s
+
+ for (i = 0; i < MAX_RX_URB_NUM; i++) {
+
++ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL);
++ if (!rx_buf) {
++ ret = -ENOMEM;
++ goto err_rxb;
++ }
++
+ /* Allocate URB */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (urb == NULL) {
+@@ -855,11 +864,14 @@ static int ath9k_hif_usb_alloc_rx_urbs(s
+ goto err_skb;
+ }
+
++ rx_buf->hif_dev = hif_dev;
++ rx_buf->skb = skb;
++
+ usb_fill_bulk_urb(urb, hif_dev->udev,
+ usb_rcvbulkpipe(hif_dev->udev,
+ USB_WLAN_RX_PIPE),
+ skb->data, MAX_RX_BUF_SIZE,
+- ath9k_hif_usb_rx_cb, skb);
++ ath9k_hif_usb_rx_cb, rx_buf);
+
+ /* Anchor URB */
+ usb_anchor_urb(urb, &hif_dev->rx_submitted);
+@@ -885,6 +897,8 @@ err_submit:
+ err_skb:
+ usb_free_urb(urb);
+ err_urb:
++ kfree(rx_buf);
++err_rxb:
+ ath9k_hif_usb_dealloc_rx_urbs(hif_dev);
+ return ret;
+ }
+@@ -896,14 +910,21 @@ static void ath9k_hif_usb_dealloc_reg_in
+
+ static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev)
+ {
+- struct urb *urb = NULL;
++ struct rx_buf *rx_buf = NULL;
+ struct sk_buff *skb = NULL;
++ struct urb *urb = NULL;
+ int i, ret;
+
+ init_usb_anchor(&hif_dev->reg_in_submitted);
+
+ for (i = 0; i < MAX_REG_IN_URB_NUM; i++) {
+
++ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL);
++ if (!rx_buf) {
++ ret = -ENOMEM;
++ goto err_rxb;
++ }
++
+ /* Allocate URB */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (urb == NULL) {
+@@ -918,11 +939,14 @@ static int ath9k_hif_usb_alloc_reg_in_ur
+ goto err_skb;
+ }
+
++ rx_buf->hif_dev = hif_dev;
++ rx_buf->skb = skb;
++
+ usb_fill_int_urb(urb, hif_dev->udev,
+ usb_rcvintpipe(hif_dev->udev,
+ USB_REG_IN_PIPE),
+ skb->data, MAX_REG_IN_BUF_SIZE,
+- ath9k_hif_usb_reg_in_cb, skb, 1);
++ ath9k_hif_usb_reg_in_cb, rx_buf, 1);
+
+ /* Anchor URB */
+ usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
+@@ -948,6 +972,8 @@ err_submit:
+ err_skb:
+ usb_free_urb(urb);
+ err_urb:
++ kfree(rx_buf);
++err_rxb:
+ ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev);
+ return ret;
+ }
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
+@@ -86,6 +86,11 @@ struct tx_buf {
+ struct list_head list;
+ };
+
++struct rx_buf {
++ struct sk_buff *skb;
++ struct hif_device_usb *hif_dev;
++};
++
+ #define HIF_USB_TX_STOP BIT(0)
+ #define HIF_USB_TX_FLUSH BIT(1)
+
--- /dev/null
+From 92f53e2fda8bb9a559ad61d57bfb397ce67ed0ab Mon Sep 17 00:00:00 2001
+From: Mark O'Donovan <shiftee@posteo.net>
+Date: Sat, 11 Jul 2020 05:33:24 +0100
+Subject: ath9k: Fix regression with Atheros 9271
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mark O'Donovan <shiftee@posteo.net>
+
+commit 92f53e2fda8bb9a559ad61d57bfb397ce67ed0ab upstream.
+
+This fix allows ath9k_htc modules to connect to WLAN once again.
+
+Fixes: 2bbcaaee1fcb ("ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=208251
+Signed-off-by: Mark O'Donovan <shiftee@posteo.net>
+Reported-by: Roman Mamedov <rm@romanrm.net>
+Tested-by: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200711043324.8079-1-shiftee@posteo.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -733,11 +733,13 @@ static void ath9k_hif_usb_reg_in_cb(stru
+ return;
+ }
+
++ rx_buf->skb = nskb;
++
+ usb_fill_int_urb(urb, hif_dev->udev,
+ usb_rcvintpipe(hif_dev->udev,
+ USB_REG_IN_PIPE),
+ nskb->data, MAX_REG_IN_BUF_SIZE,
+- ath9k_hif_usb_reg_in_cb, nskb, 1);
++ ath9k_hif_usb_reg_in_cb, rx_buf, 1);
+ }
+
+ resubmit:
--- /dev/null
+From 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 23 Jul 2020 10:42:09 -0400
+Subject: dm integrity: fix integrity recalculation that is improperly skipped
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 upstream.
+
+Commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 ("dm: report suspended
+device during destroy") broke integrity recalculation.
+
+The problem is dm_suspended() returns true not only during suspend,
+but also during resume. So this race condition could occur:
+1. dm_integrity_resume calls queue_work(ic->recalc_wq, &ic->recalc_work)
+2. integrity_recalc (&ic->recalc_work) preempts the current thread
+3. integrity_recalc calls if (unlikely(dm_suspended(ic->ti))) goto unlock_ret;
+4. integrity_recalc exits and no recalculating is done.
+
+To fix this race condition, add a function dm_post_suspending that is
+only true during the postsuspend phase and use it instead of
+dm_suspended().
+
+Signed-off-by: Mikulas Patocka <mpatocka redhat com>
+Fixes: adc0daad366b ("dm: report suspended device during destroy")
+Cc: stable vger kernel org # v4.18+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-integrity.c | 4 ++--
+ drivers/md/dm.c | 17 +++++++++++++++++
+ include/linux/device-mapper.h | 1 +
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -2298,7 +2298,7 @@ static void integrity_writer(struct work
+ unsigned prev_free_sectors;
+
+ /* the following test is not needed, but it tests the replay code */
+- if (unlikely(dm_suspended(ic->ti)) && !ic->meta_dev)
++ if (unlikely(dm_post_suspending(ic->ti)) && !ic->meta_dev)
+ return;
+
+ spin_lock_irq(&ic->endio_wait.lock);
+@@ -2359,7 +2359,7 @@ static void integrity_recalc(struct work
+
+ next_chunk:
+
+- if (unlikely(dm_suspended(ic->ti)))
++ if (unlikely(dm_post_suspending(ic->ti)))
+ goto unlock_ret;
+
+ range.logical_sector = le64_to_cpu(ic->sb->recalc_sector);
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -141,6 +141,7 @@ EXPORT_SYMBOL_GPL(dm_bio_get_target_bio_
+ #define DMF_NOFLUSH_SUSPENDING 5
+ #define DMF_DEFERRED_REMOVE 6
+ #define DMF_SUSPENDED_INTERNALLY 7
++#define DMF_POST_SUSPENDING 8
+
+ #define DM_NUMA_NODE NUMA_NO_NODE
+ static int dm_numa_node = DM_NUMA_NODE;
+@@ -2377,6 +2378,7 @@ static void __dm_destroy(struct mapped_d
+ if (!dm_suspended_md(md)) {
+ dm_table_presuspend_targets(map);
+ set_bit(DMF_SUSPENDED, &md->flags);
++ set_bit(DMF_POST_SUSPENDING, &md->flags);
+ dm_table_postsuspend_targets(map);
+ }
+ /* dm_put_live_table must be before msleep, otherwise deadlock is possible */
+@@ -2735,7 +2737,9 @@ retry:
+ if (r)
+ goto out_unlock;
+
++ set_bit(DMF_POST_SUSPENDING, &md->flags);
+ dm_table_postsuspend_targets(map);
++ clear_bit(DMF_POST_SUSPENDING, &md->flags);
+
+ out_unlock:
+ mutex_unlock(&md->suspend_lock);
+@@ -2832,7 +2836,9 @@ static void __dm_internal_suspend(struct
+ (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE,
+ DMF_SUSPENDED_INTERNALLY);
+
++ set_bit(DMF_POST_SUSPENDING, &md->flags);
+ dm_table_postsuspend_targets(map);
++ clear_bit(DMF_POST_SUSPENDING, &md->flags);
+ }
+
+ static void __dm_internal_resume(struct mapped_device *md)
+@@ -2993,6 +2999,11 @@ int dm_suspended_md(struct mapped_device
+ return test_bit(DMF_SUSPENDED, &md->flags);
+ }
+
++static int dm_post_suspending_md(struct mapped_device *md)
++{
++ return test_bit(DMF_POST_SUSPENDING, &md->flags);
++}
++
+ int dm_suspended_internally_md(struct mapped_device *md)
+ {
+ return test_bit(DMF_SUSPENDED_INTERNALLY, &md->flags);
+@@ -3009,6 +3020,12 @@ int dm_suspended(struct dm_target *ti)
+ }
+ EXPORT_SYMBOL_GPL(dm_suspended);
+
++int dm_post_suspending(struct dm_target *ti)
++{
++ return dm_post_suspending_md(dm_table_get_md(ti->table));
++}
++EXPORT_SYMBOL_GPL(dm_post_suspending);
++
+ int dm_noflush_suspending(struct dm_target *ti)
+ {
+ return __noflush_suspending(dm_table_get_md(ti->table));
+--- a/include/linux/device-mapper.h
++++ b/include/linux/device-mapper.h
+@@ -422,6 +422,7 @@ const char *dm_device_name(struct mapped
+ int dm_copy_name_and_uuid(struct mapped_device *md, char *name, char *uuid);
+ struct gendisk *dm_disk(struct mapped_device *md);
+ int dm_suspended(struct dm_target *ti);
++int dm_post_suspending(struct dm_target *ti);
+ int dm_noflush_suspending(struct dm_target *ti);
+ void dm_accept_partial_bio(struct bio *bio, unsigned n_sectors);
+ void dm_remap_zone_report(struct dm_target *ti, sector_t start,
--- /dev/null
+From 88bb16ad998a0395fe4b346b7d3f621aaa0a2324 Mon Sep 17 00:00:00 2001
+From: Qiu Wenbo <qiuwenbo@phytium.com.cn>
+Date: Fri, 17 Jul 2020 15:09:57 +0800
+Subject: drm/amd/powerplay: fix a crash when overclocking Vega M
+
+From: Qiu Wenbo <qiuwenbo@phytium.com.cn>
+
+commit 88bb16ad998a0395fe4b346b7d3f621aaa0a2324 upstream.
+
+Avoid kernel crash when vddci_control is SMU7_VOLTAGE_CONTROL_NONE and
+vddci_voltage_table is empty. It has been tested on Intel Hades Canyon
+(i7-8809G).
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=208489
+Fixes: ac7822b0026f ("drm/amd/powerplay: add smumgr support for VEGAM (v2)")
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Qiu Wenbo <qiuwenbo@phytium.com.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c
++++ b/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c
+@@ -642,9 +642,6 @@ static int vegam_get_dependency_volt_by_
+
+ /* sclk is bigger than max sclk in the dependence table */
+ *voltage |= (dep_table->entries[i - 1].vddc * VOLTAGE_SCALE) << VDDC_SHIFT;
+- vddci = phm_find_closest_vddci(&(data->vddci_voltage_table),
+- (dep_table->entries[i - 1].vddc -
+- (uint16_t)VDDC_VDDCI_DELTA));
+
+ if (SMU7_VOLTAGE_CONTROL_NONE == data->vddci_control)
+ *voltage |= (data->vbios_boot_state.vddci_bootup_value *
+@@ -652,8 +649,13 @@ static int vegam_get_dependency_volt_by_
+ else if (dep_table->entries[i - 1].vddci)
+ *voltage |= (dep_table->entries[i - 1].vddci *
+ VOLTAGE_SCALE) << VDDC_SHIFT;
+- else
++ else {
++ vddci = phm_find_closest_vddci(&(data->vddci_voltage_table),
++ (dep_table->entries[i - 1].vddc -
++ (uint16_t)VDDC_VDDCI_DELTA));
++
+ *voltage |= (vddci * VOLTAGE_SCALE) << VDDCI_SHIFT;
++ }
+
+ if (SMU7_VOLTAGE_CONTROL_NONE == data->mvdd_control)
+ *mvdd = data->vbios_boot_state.mvdd_bootup_value * VOLTAGE_SCALE;
--- /dev/null
+From 38e0c89a19fd13f28d2b4721035160a3e66e270b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <me@woland.xyz>
+Date: Sun, 19 Jul 2020 17:54:53 +0200
+Subject: drm/amdgpu: Fix NULL dereference in dpm sysfs handlers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paweł Gronowski <me@woland.xyz>
+
+commit 38e0c89a19fd13f28d2b4721035160a3e66e270b upstream.
+
+NULL dereference occurs when string that is not ended with space or
+newline is written to some dpm sysfs interface (for example pp_dpm_sclk).
+This happens because strsep replaces the tmp with NULL if the delimiter
+is not present in string, which is then dereferenced by tmp[0].
+
+Reproduction example:
+sudo sh -c 'echo -n 1 > /sys/class/drm/card0/device/pp_dpm_sclk'
+
+Signed-off-by: Paweł Gronowski <me@woland.xyz>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+@@ -691,8 +691,7 @@ static ssize_t amdgpu_set_pp_od_clk_volt
+ tmp_str++;
+ while (isspace(*++tmp_str));
+
+- while (tmp_str[0]) {
+- sub_str = strsep(&tmp_str, delimiter);
++ while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) {
+ ret = kstrtol(sub_str, 0, ¶meter[parameter_size]);
+ if (ret)
+ return -EINVAL;
+@@ -883,8 +882,7 @@ static ssize_t amdgpu_read_mask(const ch
+ memcpy(buf_cpy, buf, bytes);
+ buf_cpy[bytes] = '\0';
+ tmp = buf_cpy;
+- while (tmp[0]) {
+- sub_str = strsep(&tmp, delimiter);
++ while ((sub_str = strsep(&tmp, delimiter)) != NULL) {
+ if (strlen(sub_str)) {
+ ret = kstrtol(sub_str, 0, &level);
+ if (ret)
+@@ -1300,8 +1298,7 @@ static ssize_t amdgpu_set_pp_power_profi
+ i++;
+ memcpy(buf_cpy, buf, count-i);
+ tmp_str = buf_cpy;
+- while (tmp_str[0]) {
+- sub_str = strsep(&tmp_str, delimiter);
++ while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) {
+ ret = kstrtol(sub_str, 0, ¶meter[parameter_size]);
+ if (ret) {
+ count = -EINVAL;
--- /dev/null
+From e0b3e0b1a04367fc15c07f44e78361545b55357c Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Thu, 23 Jul 2020 21:15:46 -0700
+Subject: io-mapping: indicate mapping failure
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit e0b3e0b1a04367fc15c07f44e78361545b55357c upstream.
+
+The !ATOMIC_IOMAP version of io_maping_init_wc will always return
+success, even when the ioremap fails.
+
+Since the ATOMIC_IOMAP version returns NULL when the init fails, and
+callers check for a NULL return on error this is unexpected.
+
+During a device probe, where the ioremap failed, a crash can look like
+this:
+
+ BUG: unable to handle page fault for address: 0000000000210000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ Oops: 0002 [#1] PREEMPT SMP
+ CPU: 0 PID: 177 Comm:
+ RIP: 0010:fill_page_dma [i915]
+ gen8_ppgtt_create [i915]
+ i915_ppgtt_create [i915]
+ intel_gt_init [i915]
+ i915_gem_init [i915]
+ i915_driver_probe [i915]
+ pci_device_probe
+ really_probe
+ driver_probe_device
+
+The remap failure occurred much earlier in the probe. If it had been
+propagated, the driver would have exited with an error.
+
+Return NULL on ioremap failure.
+
+[akpm@linux-foundation.org: detect ioremap_wc() errors earlier]
+
+Fixes: cafaf14a5d8f ("io-mapping: Always create a struct to hold metadata about the io-mapping")
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200721171936.81563-1-michael.j.ruhl@intel.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/io-mapping.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/io-mapping.h
++++ b/include/linux/io-mapping.h
+@@ -108,9 +108,12 @@ io_mapping_init_wc(struct io_mapping *io
+ resource_size_t base,
+ unsigned long size)
+ {
++ iomap->iomem = ioremap_wc(base, size);
++ if (!iomap->iomem)
++ return NULL;
++
+ iomap->base = base;
+ iomap->size = size;
+- iomap->iomem = ioremap_wc(base, size);
+ #if defined(pgprot_noncached_wc) /* archs can't agree on a name ... */
+ iomap->prot = pgprot_noncached_wc(PAGE_KERNEL);
+ #elif defined(pgprot_writecombine)
--- /dev/null
+From 594cced14ad3903166c8b091ff96adac7552f0b3 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Thu, 23 Jul 2020 21:15:34 -0700
+Subject: khugepaged: fix null-pointer dereference due to race
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 594cced14ad3903166c8b091ff96adac7552f0b3 upstream.
+
+khugepaged has to drop mmap lock several times while collapsing a page.
+The situation can change while the lock is dropped and we need to
+re-validate that the VMA is still in place and the PMD is still subject
+for collapse.
+
+But we miss one corner case: while collapsing an anonymous pages the VMA
+could be replaced with file VMA. If the file VMA doesn't have any
+private pages we get NULL pointer dereference:
+
+ general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ anon_vma_lock_write include/linux/rmap.h:120 [inline]
+ collapse_huge_page mm/khugepaged.c:1110 [inline]
+ khugepaged_scan_pmd mm/khugepaged.c:1349 [inline]
+ khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline]
+ khugepaged_do_scan mm/khugepaged.c:2193 [inline]
+ khugepaged+0x3bba/0x5a10 mm/khugepaged.c:2238
+
+The fix is to make sure that the VMA is anonymous in
+hugepage_vma_revalidate(). The helper is only used for collapsing
+anonymous pages.
+
+Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
+Reported-by: syzbot+ed318e8b790ca72c5ad0@syzkaller.appspotmail.com
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Yang Shi <yang.shi@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200722121439.44328-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/khugepaged.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -876,6 +876,9 @@ static int hugepage_vma_revalidate(struc
+ return SCAN_ADDRESS_RANGE;
+ if (!hugepage_vma_check(vma, vma->vm_flags))
+ return SCAN_VMA_CHECK;
++ /* Anon VMA expected */
++ if (!vma->anon_vma || vma->vm_ops)
++ return SCAN_VMA_CHECK;
+ return 0;
+ }
+
--- /dev/null
+From 8d22a9351035ef2ff12ef163a1091b8b8cf1e49c Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Thu, 23 Jul 2020 21:15:24 -0700
+Subject: mm/memcg: fix refcount error while moving and swapping
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 8d22a9351035ef2ff12ef163a1091b8b8cf1e49c upstream.
+
+It was hard to keep a test running, moving tasks between memcgs with
+move_charge_at_immigrate, while swapping: mem_cgroup_id_get_many()'s
+refcount is discovered to be 0 (supposedly impossible), so it is then
+forced to REFCOUNT_SATURATED, and after thousands of warnings in quick
+succession, the test is at last put out of misery by being OOM killed.
+
+This is because of the way moved_swap accounting was saved up until the
+task move gets completed in __mem_cgroup_clear_mc(), deferred from when
+mem_cgroup_move_swap_account() actually exchanged old and new ids.
+Concurrent activity can free up swap quicker than the task is scanned,
+bringing id refcount down 0 (which should only be possible when
+offlining).
+
+Just skip that optimization: do that part of the accounting immediately.
+
+Fixes: 615d66c37c75 ("mm: memcontrol: fix memcg id ref counter on swap charge move")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Alex Shi <alex.shi@linux.alibaba.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Alex Shi <alex.shi@linux.alibaba.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2007071431050.4726@eggly.anvils
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5770,7 +5770,6 @@ static void __mem_cgroup_clear_mc(void)
+ if (!mem_cgroup_is_root(mc.to))
+ page_counter_uncharge(&mc.to->memory, mc.moved_swap);
+
+- mem_cgroup_id_get_many(mc.to, mc.moved_swap);
+ css_put_many(&mc.to->css, mc.moved_swap);
+
+ mc.moved_swap = 0;
+@@ -5961,7 +5960,8 @@ put: /* get_mctgt_type() gets the page
+ ent = target.ent;
+ if (!mem_cgroup_move_swap_account(ent, mc.from, mc.to)) {
+ mc.precharge--;
+- /* we fixup refcnts and charges later. */
++ mem_cgroup_id_get_many(mc.to, 1);
++ /* we fixup other refcnts and charges later. */
+ mc.moved_swap++;
+ }
+ break;
--- /dev/null
+From d38a2b7a9c939e6d7329ab92b96559ccebf7b135 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Thu, 23 Jul 2020 21:15:27 -0700
+Subject: mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit d38a2b7a9c939e6d7329ab92b96559ccebf7b135 upstream.
+
+If the kmem_cache refcount is greater than one, we should not mark the
+root kmem_cache as dying. If we mark the root kmem_cache dying
+incorrectly, the non-root kmem_cache can never be destroyed. It
+resulted in memory leak when memcg was destroyed. We can use the
+following steps to reproduce.
+
+ 1) Use kmem_cache_create() to create a new kmem_cache named A.
+ 2) Coincidentally, the kmem_cache A is an alias for kmem_cache B,
+ so the refcount of B is just increased.
+ 3) Use kmem_cache_destroy() to destroy the kmem_cache A, just
+ decrease the B's refcount but mark the B as dying.
+ 4) Create a new memory cgroup and alloc memory from the kmem_cache
+ B. It leads to create a non-root kmem_cache for allocating memory.
+ 5) When destroy the memory cgroup created in the step 4), the
+ non-root kmem_cache can never be destroyed.
+
+If we repeat steps 4) and 5), this will cause a lot of memory leak. So
+only when refcount reach zero, we mark the root kmem_cache as dying.
+
+Fixes: 92ee383f6daa ("mm: fix race between kmem_cache destroy, create and deactivate")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slab_common.c | 35 ++++++++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 7 deletions(-)
+
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -326,6 +326,14 @@ int slab_unmergeable(struct kmem_cache *
+ if (s->refcount < 0)
+ return 1;
+
++#ifdef CONFIG_MEMCG_KMEM
++ /*
++ * Skip the dying kmem_cache.
++ */
++ if (s->memcg_params.dying)
++ return 1;
++#endif
++
+ return 0;
+ }
+
+@@ -886,12 +894,15 @@ static int shutdown_memcg_caches(struct
+ return 0;
+ }
+
+-static void flush_memcg_workqueue(struct kmem_cache *s)
++static void memcg_set_kmem_cache_dying(struct kmem_cache *s)
+ {
+ spin_lock_irq(&memcg_kmem_wq_lock);
+ s->memcg_params.dying = true;
+ spin_unlock_irq(&memcg_kmem_wq_lock);
++}
+
++static void flush_memcg_workqueue(struct kmem_cache *s)
++{
+ /*
+ * SLAB and SLUB deactivate the kmem_caches through call_rcu. Make
+ * sure all registered rcu callbacks have been invoked.
+@@ -923,10 +934,6 @@ static inline int shutdown_memcg_caches(
+ {
+ return 0;
+ }
+-
+-static inline void flush_memcg_workqueue(struct kmem_cache *s)
+-{
+-}
+ #endif /* CONFIG_MEMCG_KMEM */
+
+ void slab_kmem_cache_release(struct kmem_cache *s)
+@@ -944,8 +951,6 @@ void kmem_cache_destroy(struct kmem_cach
+ if (unlikely(!s))
+ return;
+
+- flush_memcg_workqueue(s);
+-
+ get_online_cpus();
+ get_online_mems();
+
+@@ -955,6 +960,22 @@ void kmem_cache_destroy(struct kmem_cach
+ if (s->refcount)
+ goto out_unlock;
+
++#ifdef CONFIG_MEMCG_KMEM
++ memcg_set_kmem_cache_dying(s);
++
++ mutex_unlock(&slab_mutex);
++
++ put_online_mems();
++ put_online_cpus();
++
++ flush_memcg_workqueue(s);
++
++ get_online_cpus();
++ get_online_mems();
++
++ mutex_lock(&slab_mutex);
++#endif
++
+ err = shutdown_memcg_caches(s);
+ if (!err)
+ err = shutdown_cache(s);
--- /dev/null
+From 246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Thu, 23 Jul 2020 21:15:11 -0700
+Subject: mm/mmap.c: close race between munmap() and expand_upwards()/downwards()
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c upstream.
+
+VMA with VM_GROWSDOWN or VM_GROWSUP flag set can change their size under
+mmap_read_lock(). It can lead to race with __do_munmap():
+
+ Thread A Thread B
+__do_munmap()
+ detach_vmas_to_be_unmapped()
+ mmap_write_downgrade()
+ expand_downwards()
+ vma->vm_start = address;
+ // The VMA now overlaps with
+ // VMAs detached by the Thread A
+ // page fault populates expanded part
+ // of the VMA
+ unmap_region()
+ // Zaps pagetables partly
+ // populated by Thread B
+
+Similar race exists for expand_upwards().
+
+The fix is to avoid downgrading mmap_lock in __do_munmap() if detached
+VMAs are next to VM_GROWSDOWN or VM_GROWSUP VMA.
+
+[akpm@linux-foundation.org: s/mmap_sem/mmap_lock/ in comment]
+
+Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: <stable@vger.kernel.org> [4.20+]
+Link: http://lkml.kernel.org/r/20200709105309.42495-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmap.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2622,7 +2622,7 @@ static void unmap_region(struct mm_struc
+ * Create a list of vma's touched by the unmap, removing them from the mm's
+ * vma list as we go..
+ */
+-static void
++static bool
+ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ struct vm_area_struct *prev, unsigned long end)
+ {
+@@ -2647,6 +2647,17 @@ detach_vmas_to_be_unmapped(struct mm_str
+
+ /* Kill the cache */
+ vmacache_invalidate(mm);
++
++ /*
++ * Do not downgrade mmap_lock if we are next to VM_GROWSDOWN or
++ * VM_GROWSUP VMA. Such VMAs can change their size under
++ * down_read(mmap_lock) and collide with the VMA we are about to unmap.
++ */
++ if (vma && (vma->vm_flags & VM_GROWSDOWN))
++ return false;
++ if (prev && (prev->vm_flags & VM_GROWSUP))
++ return false;
++ return true;
+ }
+
+ /*
+@@ -2827,7 +2838,8 @@ int __do_munmap(struct mm_struct *mm, un
+ }
+
+ /* Detach vmas from rbtree */
+- detach_vmas_to_be_unmapped(mm, vma, prev, end);
++ if (!detach_vmas_to_be_unmapped(mm, vma, prev, end))
++ downgrade = false;
+
+ if (downgrade)
+ downgrade_write(&mm->mmap_sem);
--- /dev/null
+From ebd4050c6144b38098d8eed34df461e5e3fa82a9 Mon Sep 17 00:00:00 2001
+From: Eddie James <eajames@linux.ibm.com>
+Date: Thu, 9 Jul 2020 14:57:06 -0500
+Subject: mmc: sdhci-of-aspeed: Fix clock divider calculation
+
+From: Eddie James <eajames@linux.ibm.com>
+
+commit ebd4050c6144b38098d8eed34df461e5e3fa82a9 upstream.
+
+When calculating the clock divider, start dividing at 2 instead of 1.
+The divider is divided by two at the end of the calculation, so starting
+at 1 may result in a divider of 0, which shouldn't happen.
+
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Acked-by: Joel Stanley <joel@jms.id.au>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20200709195706.12741-3-eajames@linux.ibm.com
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-of-aspeed.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-aspeed.c
++++ b/drivers/mmc/host/sdhci-of-aspeed.c
+@@ -68,7 +68,7 @@ static void aspeed_sdhci_set_clock(struc
+ if (WARN_ON(clock > host->max_clk))
+ clock = host->max_clk;
+
+- for (div = 1; div < 256; div *= 2) {
++ for (div = 2; div < 256; div *= 2) {
+ if ((parent / div) <= clock)
+ break;
+ }
--- /dev/null
+From be6577af0cef934ccb036445314072e8cb9217b9 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Tue, 21 Jul 2020 07:36:59 -0400
+Subject: parisc: Add atomic64_set_release() define to avoid CPU soft lockups
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit be6577af0cef934ccb036445314072e8cb9217b9 upstream.
+
+Stalls are quite frequent with recent kernels. I enabled
+CONFIG_SOFTLOCKUP_DETECTOR and I caught the following stall:
+
+watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [cc1:22803]
+CPU: 0 PID: 22803 Comm: cc1 Not tainted 5.6.17+ #3
+Hardware name: 9000/800/rp3440
+ IAOQ[0]: d_alloc_parallel+0x384/0x688
+ IAOQ[1]: d_alloc_parallel+0x388/0x688
+ RP(r2): d_alloc_parallel+0x134/0x688
+Backtrace:
+ [<000000004036974c>] __lookup_slow+0xa4/0x200
+ [<0000000040369fc8>] walk_component+0x288/0x458
+ [<000000004036a9a0>] path_lookupat+0x88/0x198
+ [<000000004036e748>] filename_lookup+0xa0/0x168
+ [<000000004036e95c>] user_path_at_empty+0x64/0x80
+ [<000000004035d93c>] vfs_statx+0x104/0x158
+ [<000000004035dfcc>] __do_sys_lstat64+0x44/0x80
+ [<000000004035e5a0>] sys_lstat64+0x20/0x38
+ [<0000000040180054>] syscall_exit+0x0/0x14
+
+The code was stuck in this loop in d_alloc_parallel:
+
+ 4037d414: 0e 00 10 dc ldd 0(r16),ret0
+ 4037d418: c7 fc 5f ed bb,< ret0,1f,4037d414 <d_alloc_parallel+0x384>
+ 4037d41c: 08 00 02 40 nop
+
+This is the inner loop of bit_spin_lock which is called by hlist_bl_unlock in
+d_alloc_parallel:
+
+static inline void bit_spin_lock(int bitnum, unsigned long *addr)
+{
+ /*
+ * Assuming the lock is uncontended, this never enters
+ * the body of the outer loop. If it is contended, then
+ * within the inner loop a non-atomic test is used to
+ * busywait with less bus contention for a good time to
+ * attempt to acquire the lock bit.
+ */
+ preempt_disable();
+#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)
+ while (unlikely(test_and_set_bit_lock(bitnum, addr))) {
+ preempt_enable();
+ do {
+ cpu_relax();
+ } while (test_bit(bitnum, addr));
+ preempt_disable();
+ }
+#endif
+ __acquire(bitlock);
+}
+
+After consideration, I realized that we must be losing bit unlocks.
+Then, I noticed that we missed defining atomic64_set_release().
+Adding this define fixes the stalls in bit operations.
+
+Signed-off-by: Dave Anglin <dave.anglin@bell.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/atomic.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/parisc/include/asm/atomic.h
++++ b/arch/parisc/include/asm/atomic.h
+@@ -212,6 +212,8 @@ atomic64_set(atomic64_t *v, s64 i)
+ _atomic_spin_unlock_irqrestore(v, flags);
+ }
+
++#define atomic64_set_release(v, i) atomic64_set((v), (i))
++
+ static __inline__ s64
+ atomic64_read(const atomic64_t *v)
+ {
fbdev-detect-integer-underflow-at-struct-fbcon_ops-clear_margins.patch
vt-reject-zero-sized-screen-buffer-size.patch
makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch
+mm-mmap.c-close-race-between-munmap-and-expand_upwards-downwards.patch
+mm-memcg-fix-refcount-error-while-moving-and-swapping.patch
+mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch
+khugepaged-fix-null-pointer-dereference-due-to-race.patch
+io-mapping-indicate-mapping-failure.patch
+mmc-sdhci-of-aspeed-fix-clock-divider-calculation.patch
+drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch
+drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch
+parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch
+x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch
+asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch
+asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch
+asoc-topology-fix-kernel-oops-on-route-addition-error.patch
+asoc-topology-fix-tlvs-in-error-handling-for-widget_dmixer.patch
+dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch
+ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
+ath9k-fix-regression-with-atheros-9271.patch
--- /dev/null
+From de2b41be8fcccb2f5b6c480d35df590476344201 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Tue, 21 Jul 2020 11:34:48 +0200
+Subject: x86, vmlinux.lds: Page-align end of ..page_aligned sections
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit de2b41be8fcccb2f5b6c480d35df590476344201 upstream.
+
+On x86-32 the idt_table with 256 entries needs only 2048 bytes. It is
+page-aligned, but the end of the .bss..page_aligned section is not
+guaranteed to be page-aligned.
+
+As a result, objects from other .bss sections may end up on the same 4k
+page as the idt_table, and will accidentially get mapped read-only during
+boot, causing unexpected page-faults when the kernel writes to them.
+
+This could be worked around by making the objects in the page aligned
+sections page sized, but that's wrong.
+
+Explicit sections which store only page aligned objects have an implicit
+guarantee that the object is alone in the page in which it is placed. That
+works for all objects except the last one. That's inconsistent.
+
+Enforcing page sized objects for these sections would wreckage memory
+sanitizers, because the object becomes artificially larger than it should
+be and out of bound access becomes legit.
+
+Align the end of the .bss..page_aligned and .data..page_aligned section on
+page-size so all objects places in these sections are guaranteed to have
+their own page.
+
+[ tglx: Amended changelog ]
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200721093448.10417-1-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/vmlinux.lds.S | 1 +
+ include/asm-generic/vmlinux.lds.h | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -362,6 +362,7 @@ SECTIONS
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
+ __bss_start = .;
+ *(.bss..page_aligned)
++ . = ALIGN(PAGE_SIZE);
+ *(BSS_MAIN)
+ BSS_DECRYPTED
+ . = ALIGN(PAGE_SIZE);
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -306,7 +306,8 @@
+
+ #define PAGE_ALIGNED_DATA(page_align) \
+ . = ALIGN(page_align); \
+- *(.data..page_aligned)
++ *(.data..page_aligned) \
++ . = ALIGN(page_align);
+
+ #define READ_MOSTLY_DATA(align) \
+ . = ALIGN(align); \
+@@ -695,7 +696,9 @@
+ . = ALIGN(bss_align); \
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \
+ BSS_FIRST_SECTIONS \
++ . = ALIGN(PAGE_SIZE); \
+ *(.bss..page_aligned) \
++ . = ALIGN(PAGE_SIZE); \
+ *(.dynbss) \
+ *(BSS_MAIN) \
+ *(COMMON) \
projects / thirdparty / kernel / stable-queue.git / commitdiff
