--- /dev/null
+From d51b900b9fd8f4e78f45fa6e878938df03442d3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 11:35:20 -0800
+Subject: ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
+
+From: Erik Kaneda <erik.kaneda@intel.com>
+
+[ Upstream commit 5ddbd77181dfca61b16d2e2222382ea65637f1b9 ]
+
+ACPICA commit 29cc8dbc5463a93625bed87d7550a8bed8913bf4
+
+create_buffer_field is a deferred op that is typically processed in
+load pass 2. However, disassembly of control method contents walk the
+parse tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are
+processed in a later walk. This is a problem when there is a control
+method that has the same name as the AML_CREATE object. In this case,
+any use of the name segment will be detected as a method call rather
+than a reference to a buffer field. If this is detected as a method
+call, it can result in a mal-formed parse tree if the control methods
+have parameters.
+
+This change in processing AML_CREATE ops earlier solves this issue by
+inserting the named object in the ACPI namespace so that references
+to this name would be detected as a name string rather than a method
+call.
+
+Link: https://github.com/acpica/acpica/commit/29cc8dbc
+Reported-by: Elia Geretto <elia.f.geretto@gmail.com>
+Tested-by: Elia Geretto <elia.f.geretto@gmail.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/dsfield.c | 2 +-
+ drivers/acpi/acpica/dswload.c | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpica/dsfield.c b/drivers/acpi/acpica/dsfield.c
+index 20de148594fdc..d56cbcda37c13 100644
+--- a/drivers/acpi/acpica/dsfield.c
++++ b/drivers/acpi/acpica/dsfield.c
+@@ -272,7 +272,7 @@ cleanup:
+ * FUNCTION: acpi_ds_get_field_names
+ *
+ * PARAMETERS: info - create_field info structure
+- * ` walk_state - Current method state
++ * walk_state - Current method state
+ * arg - First parser arg for the field name list
+ *
+ * RETURN: Status
+diff --git a/drivers/acpi/acpica/dswload.c b/drivers/acpi/acpica/dswload.c
+index 097188a6b1c1b..35f1d7657927a 100644
+--- a/drivers/acpi/acpica/dswload.c
++++ b/drivers/acpi/acpica/dswload.c
+@@ -440,6 +440,27 @@ acpi_status acpi_ds_load1_end_op(struct acpi_walk_state *walk_state)
+ ACPI_DEBUG_PRINT((ACPI_DB_DISPATCH, "Op=%p State=%p\n", op,
+ walk_state));
+
++ /*
++ * Disassembler: handle create field operators here.
++ *
++ * create_buffer_field is a deferred op that is typically processed in load
++ * pass 2. However, disassembly of control method contents walk the parse
++ * tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are processed
++ * in a later walk. This is a problem when there is a control method that
++ * has the same name as the AML_CREATE object. In this case, any use of the
++ * name segment will be detected as a method call rather than a reference
++ * to a buffer field.
++ *
++ * This earlier creation during disassembly solves this issue by inserting
++ * the named object in the ACPI namespace so that references to this name
++ * would be a name string rather than a method call.
++ */
++ if ((walk_state->parse_flags & ACPI_PARSE_DISASSEMBLE) &&
++ (walk_state->op_info->flags & AML_CREATE)) {
++ status = acpi_ds_create_buffer_field(op, walk_state);
++ return_ACPI_STATUS(status);
++ }
++
+ /* We are only interested in opcodes that have an associated name */
+
+ if (!(walk_state->op_info->flags & (AML_NAMED | AML_FIELD))) {
+--
+2.20.1
+
--- /dev/null
+From a6aa18c5258abedd59e340628e148b12acb13d4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jan 2020 19:01:06 +0100
+Subject: ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Große <pegro@friiks.de>
+
+[ Upstream commit ef7d84caa5928b40b1c93a26dbe5a3f12737c6ab ]
+
+Lenovo Thinkpad T420s uses the same codec as T420, so apply the
+same quirk to enable audio output on a docking station.
+
+Signed-off-by: Peter Große <pegro@friiks.de>
+Link: https://lore.kernel.org/r/20200122180106.9351-1-pegro@friiks.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 05e745e2f4271..3150ddfbdb25e 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -866,6 +866,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+ SND_PCI_QUIRK(0x17aa, 0x215f, "Lenovo T510", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21ce, "Lenovo T420", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520", CXT_PINCFG_LENOVO_TP410),
++ SND_PCI_QUIRK(0x17aa, 0x21d2, "Lenovo T420s", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD),
+--
+2.20.1
+
--- /dev/null
+From 08b43053d9524f95dec4b8097d0d68811bd93fd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Jan 2020 15:48:23 +0100
+Subject: ALSA: sh: Fix compile warning wrt const
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit f1dd4795b1523fbca7ab4344dd5a8bb439cc770d ]
+
+A long-standing compile warning was seen during build test:
+ sound/sh/aica.c: In function 'load_aica_firmware':
+ sound/sh/aica.c:521:25: warning: passing argument 2 of 'spu_memload' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
+
+Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device")
+Link: https://lore.kernel.org/r/20200105144823.29547-69-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/sh/aica.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/sh/aica.c b/sound/sh/aica.c
+index ad3d9ae380349..dd601b39f69ef 100644
+--- a/sound/sh/aica.c
++++ b/sound/sh/aica.c
+@@ -120,10 +120,10 @@ static void spu_memset(u32 toi, u32 what, int length)
+ }
+
+ /* spu_memload - write to SPU address space */
+-static void spu_memload(u32 toi, void *from, int length)
++static void spu_memload(u32 toi, const void *from, int length)
+ {
+ unsigned long flags;
+- u32 *froml = from;
++ const u32 *froml = from;
+ u32 __iomem *to = (u32 __iomem *) (SPU_MEMORY_BASE + toi);
+ int i;
+ u32 val;
+--
+2.20.1
+
--- /dev/null
+From 1f130c2d18f4559ed2736c57ec8e8ca3bf1524a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 20:42:57 -0700
+Subject: ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit df4654bd6e42125d9b85ce3a26eaca2935290b98 ]
+
+Clang warns:
+
+../sound/usb/usx2y/usX2Yhwdep.c:122:3: warning: misleading indentation;
+statement is not part of the previous 'if' [-Wmisleading-indentation]
+ info->version = USX2Y_DRIVER_VERSION;
+ ^
+../sound/usb/usx2y/usX2Yhwdep.c:120:2: note: previous statement is here
+ if (us428->chip_status & USX2Y_STAT_CHIP_INIT)
+ ^
+1 warning generated.
+
+This warning occurs because there is a space before the tab on this
+line. Remove it so that the indentation is consistent with the Linux
+kernel coding style and clang no longer warns.
+
+This was introduced before the beginning of git history so no fixes tag.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/831
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Link: https://lore.kernel.org/r/20191218034257.54535-1-natechancellor@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/usx2y/usX2Yhwdep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c
+index 0b34dbc8f3020..7dcb33d3886bc 100644
+--- a/sound/usb/usx2y/usX2Yhwdep.c
++++ b/sound/usb/usx2y/usX2Yhwdep.c
+@@ -132,7 +132,7 @@ static int snd_usX2Y_hwdep_dsp_status(struct snd_hwdep *hw,
+ info->num_dsps = 2; // 0: Prepad Data, 1: FPGA Code
+ if (us428->chip_status & USX2Y_STAT_CHIP_INIT)
+ info->chip_ready = 1;
+- info->version = USX2Y_DRIVER_VERSION;
++ info->version = USX2Y_DRIVER_VERSION;
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 82402126c6bf7cb8cac783d8fc9bf10cf2ef3511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2020 13:37:59 +0100
+Subject: ARM: 8951/1: Fix Kexec compilation issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+
+[ Upstream commit 76950f7162cad51d2200ebd22c620c14af38f718 ]
+
+To perform the reserve_crashkernel() operation kexec uses SECTION_SIZE to
+find a memblock in a range.
+SECTION_SIZE is not defined for nommu systems. Trying to compile kexec in
+these conditions results in a build error:
+
+ linux/arch/arm/kernel/setup.c: In function ‘reserve_crashkernel’:
+ linux/arch/arm/kernel/setup.c:1016:25: error: ‘SECTION_SIZE’ undeclared
+ (first use in this function); did you mean ‘SECTIONS_WIDTH’?
+ crash_size, SECTION_SIZE);
+ ^~~~~~~~~~~~
+ SECTIONS_WIDTH
+ linux/arch/arm/kernel/setup.c:1016:25: note: each undeclared identifier
+ is reported only once for each function it appears in
+ linux/scripts/Makefile.build:265: recipe for target 'arch/arm/kernel/setup.o'
+ failed
+
+Make KEXEC depend on MMU to fix the compilation issue.
+
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 2ba69df49cf86..45f2a5930379a 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -2000,7 +2000,7 @@ config XIP_PHYS_ADDR
+ config KEXEC
+ bool "Kexec system call (EXPERIMENTAL)"
+ depends on (!SMP || PM_SLEEP_SMP)
+- depends on !CPU_V7M
++ depends on MMU
+ select KEXEC_CORE
+ help
+ kexec is a system call that implements the ability to shutdown your
+--
+2.20.1
+
--- /dev/null
+From a330aa57da5577e340c614661c38a526fd9a7b8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 14:52:21 +0100
+Subject: ARM: dts: r8a7779: Add device node for ARM global timer
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 8443ffd1bbd5be74e9b12db234746d12e8ea93e2 ]
+
+Add a device node for the global timer, which is part of the Cortex-A9
+MPCore.
+
+The global timer can serve as an accurate (4 ns) clock source for
+scheduling and delay loops.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191211135222.26770-4-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/r8a7779.dtsi | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/arm/boot/dts/r8a7779.dtsi b/arch/arm/boot/dts/r8a7779.dtsi
+index 6afa909865b52..8636e2321ab71 100644
+--- a/arch/arm/boot/dts/r8a7779.dtsi
++++ b/arch/arm/boot/dts/r8a7779.dtsi
+@@ -63,6 +63,14 @@
+ <0xf0000100 0x100>;
+ };
+
++ timer@f0000200 {
++ compatible = "arm,cortex-a9-global-timer";
++ reg = <0xf0000200 0x100>;
++ interrupts = <GIC_PPI 11
++ (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
++ clocks = <&cpg_clocks R8A7779_CLK_ZS>;
++ };
++
+ timer@f0000600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0xf0000600 0x20>;
+--
+2.20.1
+
--- /dev/null
+From c79db4c7e7bbb9cd239bca57e511d467211b7755 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2020 21:32:42 +0800
+Subject: ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
+
+From: Chen Zhou <chenzhou10@huawei.com>
+
+[ Upstream commit 8fea78029f5e6ed734ae1957bef23cfda1af4354 ]
+
+If CONFIG_SND_ATMEL_SOC_DMA=m, build error:
+
+sound/soc/atmel/atmel_ssc_dai.o: In function `atmel_ssc_set_audio':
+(.text+0x7cd): undefined reference to `atmel_pcm_dma_platform_register'
+
+Function atmel_pcm_dma_platform_register is defined under
+CONFIG SND_ATMEL_SOC_DMA, so select SND_ATMEL_SOC_DMA in
+CONFIG SND_ATMEL_SOC_SSC, same to CONFIG_SND_ATMEL_SOC_PDC.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Chen Zhou <chenzhou10@huawei.com>
+Link: https://lore.kernel.org/r/20200113133242.144550-1-chenzhou10@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/atmel/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/atmel/Kconfig b/sound/soc/atmel/Kconfig
+index 2d30464b81cef..d7b471c69f4fb 100644
+--- a/sound/soc/atmel/Kconfig
++++ b/sound/soc/atmel/Kconfig
+@@ -24,6 +24,8 @@ config SND_ATMEL_SOC_DMA
+
+ config SND_ATMEL_SOC_SSC_DMA
+ tristate
++ select SND_ATMEL_SOC_DMA
++ select SND_ATMEL_SOC_PDC
+
+ config SND_ATMEL_SOC_SSC
+ tristate
+--
+2.20.1
+
--- /dev/null
+From 31914bd6c2ba9802f69a030c86574d7c2515e282 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 00:55:26 +0700
+Subject: b43legacy: Fix -Wcast-function-type
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+[ Upstream commit 475eec112e4267232d10f4afe2f939a241692b6c ]
+
+correct usage prototype of callback in tasklet_init().
+Report by https://github.com/KSPP/linux/issues/20
+
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/b43legacy/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/b43legacy/main.c b/drivers/net/wireless/b43legacy/main.c
+index afc1fb3e38dfe..bd35a702382fb 100644
+--- a/drivers/net/wireless/b43legacy/main.c
++++ b/drivers/net/wireless/b43legacy/main.c
+@@ -1304,8 +1304,9 @@ static void handle_irq_ucode_debug(struct b43legacy_wldev *dev)
+ }
+
+ /* Interrupt handler bottom-half */
+-static void b43legacy_interrupt_tasklet(struct b43legacy_wldev *dev)
++static void b43legacy_interrupt_tasklet(unsigned long data)
+ {
++ struct b43legacy_wldev *dev = (struct b43legacy_wldev *)data;
+ u32 reason;
+ u32 dma_reason[ARRAY_SIZE(dev->dma_reason)];
+ u32 merged_dma_reason = 0;
+@@ -3775,7 +3776,7 @@ static int b43legacy_one_core_attach(struct ssb_device *dev,
+ b43legacy_set_status(wldev, B43legacy_STAT_UNINIT);
+ wldev->bad_frames_preempt = modparam_bad_frames_preempt;
+ tasklet_init(&wldev->isr_tasklet,
+- (void (*)(unsigned long))b43legacy_interrupt_tasklet,
++ b43legacy_interrupt_tasklet,
+ (unsigned long)wldev);
+ if (modparam_pio)
+ wldev->__using_pio = true;
+--
+2.20.1
+
--- /dev/null
+From 264165cd695ce801f1899e586af6962d9625eea5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Feb 2020 22:42:32 +0800
+Subject: bcache: explicity type cast in bset_bkey_last()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 7c02b0055f774ed9afb6e1c7724f33bf148ffdc0 ]
+
+In bset.h, macro bset_bkey_last() is defined as,
+ bkey_idx((struct bkey *) (i)->d, (i)->keys)
+
+Parameter i can be variable type of data structure, the macro always
+works once the type of struct i has member 'd' and 'keys'.
+
+bset_bkey_last() is also used in macro csum_set() to calculate the
+checksum of a on-disk data structure. When csum_set() is used to
+calculate checksum of on-disk bcache super block, the parameter 'i'
+data type is struct cache_sb_disk. Inside struct cache_sb_disk (also in
+struct cache_sb) the member keys is __u16 type. But bkey_idx() expects
+unsigned int (a 32bit width), so there is problem when sending
+parameters via stack to call bkey_idx().
+
+Sparse tool from Intel 0day kbuild system reports this incompatible
+problem. bkey_idx() is part of user space API, so the simplest fix is
+to cast the (i)->keys to unsigned int type in macro bset_bkey_last().
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/bset.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h
+index b935839ab79c6..f483041eed986 100644
+--- a/drivers/md/bcache/bset.h
++++ b/drivers/md/bcache/bset.h
+@@ -380,7 +380,8 @@ void bch_btree_keys_stats(struct btree_keys *, struct bset_stats *);
+
+ /* Bkey utility code */
+
+-#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, (i)->keys)
++#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, \
++ (unsigned int)(i)->keys)
+
+ static inline struct bkey *bset_bkey_idx(struct bset *i, unsigned idx)
+ {
+--
+2.20.1
+
--- /dev/null
+From 21ee7b30e0901a43c12722c28ea394f44b93df13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 12:58:55 +0300
+Subject: brcmfmac: Fix use after free in brcmf_sdio_readframes()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 216b44000ada87a63891a8214c347e05a4aea8fe ]
+
+The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
+static checker warning:
+
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
+ error: dereferencing freed memory 'pkt'
+
+It looks like there was supposed to be a continue after we free "pkt".
+
+Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
+index 9954e641c943d..8bb028f740fd8 100644
+--- a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
+@@ -2027,6 +2027,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes)
+ BRCMF_SDIO_FT_NORMAL)) {
+ rd->len = 0;
+ brcmu_pkt_buf_free_skb(pkt);
++ continue;
+ }
+ bus->sdcnt.rx_readahead_cnt++;
+ if (rd->len != roundup(rd_new.len, 16)) {
+--
+2.20.1
+
--- /dev/null
+From 9a785b208e704bac1409b1acb51348bbb9cace15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Feb 2020 19:30:20 +0800
+Subject: brd: check and limit max_part par
+
+From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+
+[ Upstream commit c8ab422553c81a0eb070329c63725df1cd1425bc ]
+
+In brd_init func, rd_nr num of brd_device are firstly allocated
+and add in brd_devices, then brd_devices are traversed to add each
+brd_device by calling add_disk func. When allocating brd_device,
+the disk->first_minor is set to i * max_part, if rd_nr * max_part
+is larger than MINORMASK, two different brd_device may have the same
+devt, then only one of them can be successfully added.
+when rmmod brd.ko, it will cause oops when calling brd_exit.
+
+Follow those steps:
+ # modprobe brd rd_nr=3 rd_size=102400 max_part=1048576
+ # rmmod brd
+then, the oops will appear.
+
+Oops log:
+[ 726.613722] Call trace:
+[ 726.614175] kernfs_find_ns+0x24/0x130
+[ 726.614852] kernfs_find_and_get_ns+0x44/0x68
+[ 726.615749] sysfs_remove_group+0x38/0xb0
+[ 726.616520] blk_trace_remove_sysfs+0x1c/0x28
+[ 726.617320] blk_unregister_queue+0x98/0x100
+[ 726.618105] del_gendisk+0x144/0x2b8
+[ 726.618759] brd_exit+0x68/0x560 [brd]
+[ 726.619501] __arm64_sys_delete_module+0x19c/0x2a0
+[ 726.620384] el0_svc_common+0x78/0x130
+[ 726.621057] el0_svc_handler+0x38/0x78
+[ 726.621738] el0_svc+0x8/0xc
+[ 726.622259] Code: aa0203f6 aa0103f7 aa1e03e0 d503201f (7940e260)
+
+Here, we add brd_check_and_reset_par func to check and limit max_part par.
+
+--
+V5->V6:
+ - remove useless code
+
+V4->V5:(suggested by Ming Lei)
+ - make sure max_part is not larger than DISK_MAX_PARTS
+
+V3->V4:(suggested by Ming Lei)
+ - remove useless change
+ - add one limit of max_part
+
+V2->V3: (suggested by Ming Lei)
+ - clear .minors when running out of consecutive minor space in brd_alloc
+ - remove limit of rd_nr
+
+V1->V2:
+ - add more checks in brd_check_par_valid as suggested by Ming Lei.
+
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: Bob Liu <bob.liu@oracle.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/brd.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/brd.c b/drivers/block/brd.c
+index 1914c63ca8b1d..58c1138ad5e17 100644
+--- a/drivers/block/brd.c
++++ b/drivers/block/brd.c
+@@ -581,6 +581,25 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data)
+ return kobj;
+ }
+
++static inline void brd_check_and_reset_par(void)
++{
++ if (unlikely(!max_part))
++ max_part = 1;
++
++ /*
++ * make sure 'max_part' can be divided exactly by (1U << MINORBITS),
++ * otherwise, it is possiable to get same dev_t when adding partitions.
++ */
++ if ((1U << MINORBITS) % max_part != 0)
++ max_part = 1UL << fls(max_part);
++
++ if (max_part > DISK_MAX_PARTS) {
++ pr_info("brd: max_part can't be larger than %d, reset max_part = %d.\n",
++ DISK_MAX_PARTS, DISK_MAX_PARTS);
++ max_part = DISK_MAX_PARTS;
++ }
++}
++
+ static int __init brd_init(void)
+ {
+ struct brd_device *brd, *next;
+@@ -604,8 +623,7 @@ static int __init brd_init(void)
+ if (register_blkdev(RAMDISK_MAJOR, "ramdisk"))
+ return -EIO;
+
+- if (unlikely(!max_part))
+- max_part = 1;
++ brd_check_and_reset_par();
+
+ for (i = 0; i < rd_nr; i++) {
+ brd = brd_alloc(i);
+--
+2.20.1
+
--- /dev/null
+From 89bb8acf6214b747c0b6100b159a8068742558e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Feb 2020 10:31:34 -0800
+Subject: clk: qcom: rcg2: Don't crash if our parent can't be found; return an
+ error
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 908b050114d8fefdddc57ec9fbc213c3690e7f5f ]
+
+When I got my clock parenting slightly wrong I ended up with a crash
+that looked like this:
+
+ Unable to handle kernel NULL pointer dereference at virtual
+ address 0000000000000000
+ ...
+ pc : clk_hw_get_rate+0x14/0x44
+ ...
+ Call trace:
+ clk_hw_get_rate+0x14/0x44
+ _freq_tbl_determine_rate+0x94/0xfc
+ clk_rcg2_determine_rate+0x2c/0x38
+ clk_core_determine_round_nolock+0x4c/0x88
+ clk_core_round_rate_nolock+0x6c/0xa8
+ clk_core_round_rate_nolock+0x9c/0xa8
+ clk_core_set_rate_nolock+0x70/0x180
+ clk_set_rate+0x3c/0x6c
+ of_clk_set_defaults+0x254/0x360
+ platform_drv_probe+0x28/0xb0
+ really_probe+0x120/0x2dc
+ driver_probe_device+0x64/0xfc
+ device_driver_attach+0x4c/0x6c
+ __driver_attach+0xac/0xc0
+ bus_for_each_dev+0x84/0xcc
+ driver_attach+0x2c/0x38
+ bus_add_driver+0xfc/0x1d0
+ driver_register+0x64/0xf8
+ __platform_driver_register+0x4c/0x58
+ msm_drm_register+0x5c/0x60
+ ...
+
+It turned out that clk_hw_get_parent_by_index() was returning NULL and
+we weren't checking. Let's check it so that we don't crash.
+
+Fixes: ac269395cdd8 ("clk: qcom: Convert to clk_hw based provider APIs")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Link: https://lkml.kernel.org/r/20200203103049.v4.1.I7487325fe8e701a68a07d3be8a6a4b571eca9cfa@changeid
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/clk-rcg2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c
+index 350a01f748706..8b549ece9f13c 100644
+--- a/drivers/clk/qcom/clk-rcg2.c
++++ b/drivers/clk/qcom/clk-rcg2.c
+@@ -194,6 +194,9 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw,
+
+ clk_flags = clk_hw_get_flags(hw);
+ p = clk_hw_get_parent_by_index(hw, index);
++ if (!p)
++ return -EINVAL;
++
+ if (clk_flags & CLK_SET_RATE_PARENT) {
+ if (f->pre_div) {
+ if (!rate)
+--
+2.20.1
+
--- /dev/null
+From a87b2163232239d2cf73c7f553318e35c356ff08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2020 16:04:41 +0300
+Subject: cmd64x: potential buffer overflow in cmd64x_program_timings()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 117fcc3053606d8db5cef8821dca15022ae578bb ]
+
+The "drive->dn" value is a u8 and it is controlled by root only, but
+it could be out of bounds here so let's check.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ide/cmd64x.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ide/cmd64x.c b/drivers/ide/cmd64x.c
+index b127ed60c7336..9dde8390da09b 100644
+--- a/drivers/ide/cmd64x.c
++++ b/drivers/ide/cmd64x.c
+@@ -65,6 +65,9 @@ static void cmd64x_program_timings(ide_drive_t *drive, u8 mode)
+ struct ide_timing t;
+ u8 arttim = 0;
+
++ if (drive->dn >= ARRAY_SIZE(drwtim_regs))
++ return;
++
+ ide_timing_compute(drive, mode, &t, T, 0);
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 832c4e2ccca940f164bc26b0e0645c50c2d910cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 14:22:19 +0100
+Subject: driver core: Print device when resources present in really_probe()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 7c35e699c88bd60734277b26962783c60e04b494 ]
+
+If a device already has devres items attached before probing, a warning
+backtrace is printed. However, this backtrace does not reveal the
+offending device, leaving the user uninformed. Furthermore, using
+WARN_ON() causes systems with panic-on-warn to reboot.
+
+Fix this by replacing the WARN_ON() by a dev_crit() message.
+Abort probing the device, to prevent doing more damage to the device's
+resources.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191206132219.28908-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/dd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/dd.c b/drivers/base/dd.c
+index 1dffb018a7feb..04a923186081f 100644
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -283,7 +283,10 @@ static int really_probe(struct device *dev, struct device_driver *drv)
+ atomic_inc(&probe_count);
+ pr_debug("bus: '%s': %s: probing driver %s with device %s\n",
+ drv->bus->name, __func__, drv->name, dev_name(dev));
+- WARN_ON(!list_empty(&dev->devres_head));
++ if (!list_empty(&dev->devres_head)) {
++ dev_crit(dev, "Resources present before probing\n");
++ return -EBUSY;
++ }
+
+ dev->driver = drv;
+
+--
+2.20.1
+
--- /dev/null
+From 438aece190c8200751c411ca17ae3a5f23f60242 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2019 21:27:20 +0800
+Subject: drm/amdgpu: remove 4 set but not used variable in
+ amdgpu_atombios_get_connector_info_from_object_table
+
+From: yu kuai <yukuai3@huawei.com>
+
+[ Upstream commit bae028e3e521e8cb8caf2cc16a455ce4c55f2332 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c: In function
+'amdgpu_atombios_get_connector_info_from_object_table':
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:26: warning: variable
+'grph_obj_num' set but not used [-Wunused-but-set-variable]
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:13: warning: variable
+'grph_obj_id' set but not used [-Wunused-but-set-variable]
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:37: warning: variable
+'con_obj_type' set but not used [-Wunused-but-set-variable]
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:24: warning: variable
+'con_obj_num' set but not used [-Wunused-but-set-variable]
+
+They are never used, so can be removed.
+
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Signed-off-by: yu kuai <yukuai3@huawei.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+index 3e90ddcbb24a7..d799927d3a5de 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+@@ -319,17 +319,9 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device *
+ path_size += le16_to_cpu(path->usSize);
+
+ if (device_support & le16_to_cpu(path->usDeviceTag)) {
+- uint8_t con_obj_id, con_obj_num, con_obj_type;
+-
+- con_obj_id =
++ uint8_t con_obj_id =
+ (le16_to_cpu(path->usConnObjectId) & OBJECT_ID_MASK)
+ >> OBJECT_ID_SHIFT;
+- con_obj_num =
+- (le16_to_cpu(path->usConnObjectId) & ENUM_ID_MASK)
+- >> ENUM_ID_SHIFT;
+- con_obj_type =
+- (le16_to_cpu(path->usConnObjectId) &
+- OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT;
+
+ /* Skip TV/CV support */
+ if ((le16_to_cpu(path->usDeviceTag) ==
+@@ -354,14 +346,7 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device *
+ router.ddc_valid = false;
+ router.cd_valid = false;
+ for (j = 0; j < ((le16_to_cpu(path->usSize) - 8) / 2); j++) {
+- uint8_t grph_obj_id, grph_obj_num, grph_obj_type;
+-
+- grph_obj_id =
+- (le16_to_cpu(path->usGraphicObjIds[j]) &
+- OBJECT_ID_MASK) >> OBJECT_ID_SHIFT;
+- grph_obj_num =
+- (le16_to_cpu(path->usGraphicObjIds[j]) &
+- ENUM_ID_MASK) >> ENUM_ID_SHIFT;
++ uint8_t grph_obj_type=
+ grph_obj_type =
+ (le16_to_cpu(path->usGraphicObjIds[j]) &
+ OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT;
+--
+2.20.1
+
--- /dev/null
+From fa9da0fb6c5e463a14788890c339b50373d97c8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 16:30:48 +0100
+Subject: drm/gma500: Fixup fbdev stolen size usage evaluation
+
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+
+[ Upstream commit fd1a5e521c3c083bb43ea731aae0f8b95f12b9bd ]
+
+psbfb_probe performs an evaluation of the required size from the stolen
+GTT memory, but gets it wrong in two distinct ways:
+- The resulting size must be page-size-aligned;
+- The size to allocate is derived from the surface dimensions, not the fb
+ dimensions.
+
+When two connectors are connected with different modes, the smallest will
+be stored in the fb dimensions, but the size that needs to be allocated must
+match the largest (surface) dimensions. This is what is used in the actual
+allocation code.
+
+Fix this by correcting the evaluation to conform to the two points above.
+It allows correctly switching to 16bpp when one connector is e.g. 1920x1080
+and the other is 1024x768.
+
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191107153048.843881-1-paul.kocialkowski@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/framebuffer.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c
+index 2eaf1b31c7bd8..ef60bb1971951 100644
+--- a/drivers/gpu/drm/gma500/framebuffer.c
++++ b/drivers/gpu/drm/gma500/framebuffer.c
+@@ -533,6 +533,7 @@ static int psbfb_probe(struct drm_fb_helper *helper,
+ container_of(helper, struct psb_fbdev, psb_fb_helper);
+ struct drm_device *dev = psb_fbdev->psb_fb_helper.dev;
+ struct drm_psb_private *dev_priv = dev->dev_private;
++ unsigned int fb_size;
+ int bytespp;
+
+ bytespp = sizes->surface_bpp / 8;
+@@ -542,8 +543,11 @@ static int psbfb_probe(struct drm_fb_helper *helper,
+ /* If the mode will not fit in 32bit then switch to 16bit to get
+ a console on full resolution. The X mode setting server will
+ allocate its own 32bit GEM framebuffer */
+- if (ALIGN(sizes->fb_width * bytespp, 64) * sizes->fb_height >
+- dev_priv->vram_stolen_size) {
++ fb_size = ALIGN(sizes->surface_width * bytespp, 64) *
++ sizes->surface_height;
++ fb_size = ALIGN(fb_size, PAGE_SIZE);
++
++ if (fb_size > dev_priv->vram_stolen_size) {
+ sizes->surface_bpp = 16;
+ sizes->surface_depth = 16;
+ }
+--
+2.20.1
+
--- /dev/null
+From f78e44908db4f7986eb8eedeb814ce24a2e3500e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2020 14:39:26 +1000
+Subject: drm/nouveau/disp/nv50-: prevent oops when no channel method map
+ provided
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 0e6176c6d286316e9431b4f695940cfac4ffe6c2 ]
+
+The implementations for most channel types contains a map of methods to
+priv registers in order to provide debugging info when a disp exception
+has been raised.
+
+This info is missing from the implementation of PIO channels as they're
+rather simplistic already, however, if an exception is raised by one of
+them, we'd end up triggering a NULL-pointer deref. Not ideal...
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206299
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c
+index 01803c0679b68..d012df9fb9df0 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c
+@@ -72,6 +72,8 @@ nv50_disp_chan_mthd(struct nv50_disp_chan *chan, int debug)
+
+ if (debug > subdev->debug)
+ return;
++ if (!mthd)
++ return;
+
+ for (i = 0; (list = mthd->data[i].mthd) != NULL; i++) {
+ u32 base = chan->head * mthd->addr;
+--
+2.20.1
+
--- /dev/null
+From 8c55ab29c752f7f2eca17cb5263a1905852ef437 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2020 14:32:01 +0800
+Subject: drm/nouveau: Fix copy-paste error in
+ nouveau_fence_wait_uevent_handler
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 1eb013473bff5f95b6fe1ca4dd7deda47257b9c2 ]
+
+Like other cases, it should use rcu protected 'chan' rather
+than 'fence->channel' in nouveau_fence_wait_uevent_handler.
+
+Fixes: 0ec5f02f0e2c ("drm/nouveau: prevent stale fence->channel pointers, and protect with rcu")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c
+index 574c36b492ee4..fccec23731e24 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fence.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c
+@@ -157,7 +157,7 @@ nouveau_fence_wait_uevent_handler(struct nvif_notify *notify)
+
+ fence = list_entry(fctx->pending.next, typeof(*fence), head);
+ chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock));
+- if (nouveau_fence_update(fence->channel, fctx))
++ if (nouveau_fence_update(chan, fctx))
+ ret = NVIF_NOTIFY_DROP;
+ }
+ spin_unlock_irqrestore(&fctx->lock, flags);
+--
+2.20.1
+
--- /dev/null
+From 3c07b7c386b69da7c821d6e129a39a0661956b6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2019 23:37:58 -0500
+Subject: drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 40efb09a7f53125719e49864da008495e39aaa1e ]
+
+In vmw_cmdbuf_res_add if drm_ht_insert_item fails the allocated memory
+for cres should be released.
+
+Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c
+index 1f013d45c9e9a..0c7c3005594cc 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c
+@@ -210,8 +210,10 @@ int vmw_cmdbuf_res_add(struct vmw_cmdbuf_res_manager *man,
+
+ cres->hash.key = user_key | (res_type << 24);
+ ret = drm_ht_insert_item(&man->resources, &cres->hash);
+- if (unlikely(ret != 0))
++ if (unlikely(ret != 0)) {
++ kfree(cres);
+ goto out_invalid_key;
++ }
+
+ cres->state = VMW_CMDBUF_RES_ADD;
+ cres->res = vmw_resource_reference(res);
+--
+2.20.1
+
--- /dev/null
+From 85ae2c5bc3453b841e02526a8327c20fb3ca646f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jan 2020 12:39:37 +0100
+Subject: efi/x86: Map the entire EFI vendor string before copying it
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit ffc2760bcf2dba0dbef74013ed73eea8310cc52c ]
+
+Fix a couple of issues with the way we map and copy the vendor string:
+- we map only 2 bytes, which usually works since you get at least a
+ page, but if the vendor string happens to cross a page boundary,
+ a crash will result
+- only call early_memunmap() if early_memremap() succeeded, or we will
+ call it with a NULL address which it doesn't like,
+- while at it, switch to early_memremap_ro(), and array indexing rather
+ than pointer dereferencing to read the CHAR16 characters.
+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Arvind Sankar <nivedita@alum.mit.edu>
+Cc: Matthew Garrett <mjg59@google.com>
+Cc: linux-efi@vger.kernel.org
+Fixes: 5b83683f32b1 ("x86: EFI runtime service support")
+Link: https://lkml.kernel.org/r/20200103113953.9571-5-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/efi.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 4bc352fc08f19..105872617be08 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -465,7 +465,6 @@ void __init efi_init(void)
+ efi_char16_t *c16;
+ char vendor[100] = "unknown";
+ int i = 0;
+- void *tmp;
+
+ #ifdef CONFIG_X86_32
+ if (boot_params.efi_info.efi_systab_hi ||
+@@ -490,14 +489,16 @@ void __init efi_init(void)
+ /*
+ * Show what we know for posterity
+ */
+- c16 = tmp = early_memremap(efi.systab->fw_vendor, 2);
++ c16 = early_memremap_ro(efi.systab->fw_vendor,
++ sizeof(vendor) * sizeof(efi_char16_t));
+ if (c16) {
+- for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
+- vendor[i] = *c16++;
++ for (i = 0; i < sizeof(vendor) - 1 && c16[i]; ++i)
++ vendor[i] = c16[i];
+ vendor[i] = '\0';
+- } else
++ early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t));
++ } else {
+ pr_err("Could not map the firmware vendor!\n");
+- early_memunmap(tmp, 2);
++ }
+
+ pr_info("EFI v%u.%.02u by %s\n",
+ efi.systab->hdr.revision >> 16,
+--
+2.20.1
+
--- /dev/null
+From ee433d8c425e4cc4078fac1ae5c8b9950896793b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 20:46:12 +0800
+Subject: ext4, jbd2: ensure panic when aborting with zero errno
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 ]
+
+JBD2_REC_ERR flag used to indicate the errno has been updated when jbd2
+aborted, and then __ext4_abort() and ext4_handle_error() can invoke
+panic if ERRORS_PANIC is specified. But if the journal has been aborted
+with zero errno, jbd2_journal_abort() didn't set this flag so we can
+no longer panic. Fix this by always record the proper errno in the
+journal superblock.
+
+Fixes: 4327ba52afd03 ("ext4, jbd2: ensure entering into panic after recording an error in superblock")
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/checkpoint.c | 2 +-
+ fs/jbd2/journal.c | 15 ++++-----------
+ 2 files changed, 5 insertions(+), 12 deletions(-)
+
+diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c
+index 4d5a5a4cc017c..addb0784dd1c4 100644
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -168,7 +168,7 @@ void __jbd2_log_wait_for_space(journal_t *journal)
+ "journal space in %s\n", __func__,
+ journal->j_devname);
+ WARN_ON(1);
+- jbd2_journal_abort(journal, 0);
++ jbd2_journal_abort(journal, -EIO);
+ }
+ write_lock(&journal->j_state_lock);
+ } else {
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index deb3300299709..d62435897d0d0 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -2086,12 +2086,10 @@ static void __journal_abort_soft (journal_t *journal, int errno)
+
+ __jbd2_journal_abort_hard(journal);
+
+- if (errno) {
+- jbd2_journal_update_sb_errno(journal);
+- write_lock(&journal->j_state_lock);
+- journal->j_flags |= JBD2_REC_ERR;
+- write_unlock(&journal->j_state_lock);
+- }
++ jbd2_journal_update_sb_errno(journal);
++ write_lock(&journal->j_state_lock);
++ journal->j_flags |= JBD2_REC_ERR;
++ write_unlock(&journal->j_state_lock);
+ }
+
+ /**
+@@ -2133,11 +2131,6 @@ static void __journal_abort_soft (journal_t *journal, int errno)
+ * failure to disk. ext3_error, for example, now uses this
+ * functionality.
+ *
+- * Errors which originate from within the journaling layer will NOT
+- * supply an errno; a null errno implies that absolutely no further
+- * writes are done to the journal (unless there are any already in
+- * progress).
+- *
+ */
+
+ void jbd2_journal_abort(journal_t *journal, int errno)
+--
+2.20.1
+
--- /dev/null
+From ae548c3ffd497ce99b8bdfee4fcb701f4374b900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Dec 2019 15:30:45 +0200
+Subject: gianfar: Fix TX timestamping with a stacked DSA driver
+
+From: Vladimir Oltean <olteanv@gmail.com>
+
+[ Upstream commit c26a2c2ddc0115eb088873f5c309cf46b982f522 ]
+
+The driver wrongly assumes that it is the only entity that can set the
+SKBTX_IN_PROGRESS bit of the current skb. Therefore, in the
+gfar_clean_tx_ring function, where the TX timestamp is collected if
+necessary, the aforementioned bit is used to discriminate whether or not
+the TX timestamp should be delivered to the socket's error queue.
+
+But a stacked driver such as a DSA switch can also set the
+SKBTX_IN_PROGRESS bit, which is actually exactly what it should do in
+order to denote that the hardware timestamping process is undergoing.
+
+Therefore, gianfar would misinterpret the "in progress" bit as being its
+own, and deliver a second skb clone in the socket's error queue,
+completely throwing off a PTP process which is not expecting to receive
+it, _even though_ TX timestamping is not enabled for gianfar.
+
+There have been discussions [0] as to whether non-MAC drivers need or
+not to set SKBTX_IN_PROGRESS at all (whose purpose is to avoid sending 2
+timestamps, a sw and a hw one, to applications which only expect one).
+But as of this patch, there are at least 2 PTP drivers that would break
+in conjunction with gianfar: the sja1105 DSA switch and the felix
+switch, by way of its ocelot core driver.
+
+So regardless of that conclusion, fix the gianfar driver to not do stuff
+based on flags set by others and not intended for it.
+
+[0]: https://www.spinics.net/lists/netdev/msg619699.html
+
+Fixes: f0ee7acfcdd4 ("gianfar: Add hardware TX timestamping support")
+Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/gianfar.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
+index 2d61369f586f7..37cc1f838dd8b 100644
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -2679,13 +2679,17 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue)
+ skb_dirtytx = tx_queue->skb_dirtytx;
+
+ while ((skb = tx_queue->tx_skbuff[skb_dirtytx])) {
++ bool do_tstamp;
++
++ do_tstamp = (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) &&
++ priv->hwts_tx_en;
+
+ frags = skb_shinfo(skb)->nr_frags;
+
+ /* When time stamping, one additional TxBD must be freed.
+ * Also, we need to dma_unmap_single() the TxPAL.
+ */
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS))
++ if (unlikely(do_tstamp))
+ nr_txbds = frags + 2;
+ else
+ nr_txbds = frags + 1;
+@@ -2699,7 +2703,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue)
+ (lstatus & BD_LENGTH_MASK))
+ break;
+
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
++ if (unlikely(do_tstamp)) {
+ next = next_txbd(bdp, base, tx_ring_size);
+ buflen = be16_to_cpu(next->length) +
+ GMAC_FCB_LEN + GMAC_TXPAL_LEN;
+@@ -2709,7 +2713,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue)
+ dma_unmap_single(priv->dev, be32_to_cpu(bdp->bufPtr),
+ buflen, DMA_TO_DEVICE);
+
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
++ if (unlikely(do_tstamp)) {
+ struct skb_shared_hwtstamps shhwtstamps;
+ u64 *ns = (u64 *)(((uintptr_t)skb->data + 0x10) &
+ ~0x7UL);
+--
+2.20.1
+
--- /dev/null
+From 128ff466286c20718ad26d0271267095822f4da3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 18:15:46 -0700
+Subject: hostap: Adjust indentation in prism2_hostapd_add_sta
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit b61156fba74f659d0bc2de8f2dbf5bad9f4b8faf ]
+
+Clang warns:
+
+../drivers/net/wireless/intersil/hostap/hostap_ap.c:2511:3: warning:
+misleading indentation; statement is not part of the previous 'if'
+[-Wmisleading-indentation]
+ if (sta->tx_supp_rates & WLAN_RATE_5M5)
+ ^
+../drivers/net/wireless/intersil/hostap/hostap_ap.c:2509:2: note:
+previous statement is here
+ if (sta->tx_supp_rates & WLAN_RATE_2M)
+ ^
+1 warning generated.
+
+This warning occurs because there is a space before the tab on this
+line. Remove it so that the indentation is consistent with the Linux
+kernel coding style and clang no longer warns.
+
+Fixes: ff1d2767d5a4 ("Add HostAP wireless driver.")
+Link: https://github.com/ClangBuiltLinux/linux/issues/813
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/hostap/hostap_ap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/hostap/hostap_ap.c b/drivers/net/wireless/hostap/hostap_ap.c
+index c995ace153ee6..30171d4c47187 100644
+--- a/drivers/net/wireless/hostap/hostap_ap.c
++++ b/drivers/net/wireless/hostap/hostap_ap.c
+@@ -2570,7 +2570,7 @@ static int prism2_hostapd_add_sta(struct ap_data *ap,
+ sta->supported_rates[0] = 2;
+ if (sta->tx_supp_rates & WLAN_RATE_2M)
+ sta->supported_rates[1] = 4;
+- if (sta->tx_supp_rates & WLAN_RATE_5M5)
++ if (sta->tx_supp_rates & WLAN_RATE_5M5)
+ sta->supported_rates[2] = 11;
+ if (sta->tx_supp_rates & WLAN_RATE_11M)
+ sta->supported_rates[3] = 22;
+--
+2.20.1
+
--- /dev/null
+From 79bc69b8026c78418518ac3fb9c08ff23e898b2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2020 16:06:07 +0300
+Subject: ide: serverworks: potential overflow in svwks_set_pio_mode()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ce1f31b4c0b9551dd51874dd5364654ed4ca13ae ]
+
+The "drive->dn" variable is a u8 controlled by root.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ide/serverworks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/ide/serverworks.c b/drivers/ide/serverworks.c
+index a97affca18abe..0f57d45484d1d 100644
+--- a/drivers/ide/serverworks.c
++++ b/drivers/ide/serverworks.c
+@@ -114,6 +114,9 @@ static void svwks_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive)
+ struct pci_dev *dev = to_pci_dev(hwif->dev);
+ const u8 pio = drive->pio_mode - XFER_PIO_0;
+
++ if (drive->dn >= ARRAY_SIZE(drive_pci))
++ return;
++
+ pci_write_config_byte(dev, drive_pci[drive->dn], pio_modes[pio]);
+
+ if (svwks_csb_check(dev)) {
+@@ -140,6 +143,9 @@ static void svwks_set_dma_mode(ide_hwif_t *hwif, ide_drive_t *drive)
+
+ u8 ultra_enable = 0, ultra_timing = 0, dma_timing = 0;
+
++ if (drive->dn >= ARRAY_SIZE(drive_pci2))
++ return;
++
+ pci_read_config_byte(dev, (0x56|hwif->channel), &ultra_timing);
+ pci_read_config_byte(dev, 0x54, &ultra_enable);
+
+--
+2.20.1
+
--- /dev/null
+From 950071bea2e0c1fdb52d3d5d689abc2cd1f1d2f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2020 17:03:21 -0800
+Subject: Input: edt-ft5x06 - work around first register access error
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit e112324cc0422c046f1cf54c56f333d34fa20885 ]
+
+The EP0700MLP1 returns bogus data on the first register read access
+(reading the threshold parameter from register 0x00):
+
+ edt_ft5x06 2-0038: crc error: 0xfc expected, got 0x40
+
+It ignores writes until then. This patch adds a dummy read after which
+the number of sensors and parameter read/writes work correctly.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Tested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/edt-ft5x06.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c
+index 0b0f8c17f3f7e..a9d97d577a7e9 100644
+--- a/drivers/input/touchscreen/edt-ft5x06.c
++++ b/drivers/input/touchscreen/edt-ft5x06.c
+@@ -880,6 +880,7 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client,
+ {
+ const struct edt_i2c_chip_data *chip_data;
+ struct edt_ft5x06_ts_data *tsdata;
++ u8 buf[2] = { 0xfc, 0x00 };
+ struct input_dev *input;
+ unsigned long irq_flags;
+ int error;
+@@ -949,6 +950,12 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client,
+ return error;
+ }
+
++ /*
++ * Dummy read access. EP0700MLP1 returns bogus data on the first
++ * register read access and ignores writes.
++ */
++ edt_ft5x06_ts_readwrite(tsdata->client, 2, buf, 2, buf);
++
+ edt_ft5x06_ts_set_regs(tsdata);
+ edt_ft5x06_ts_get_defaults(&client->dev, tsdata);
+ edt_ft5x06_ts_get_parameters(tsdata);
+--
+2.20.1
+
--- /dev/null
+From 9014c7e2532a217b5fa5d437741890a6337037e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2020 15:21:47 +0000
+Subject: iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit d71e01716b3606a6648df7e5646ae12c75babde4 ]
+
+If, for some bizarre reason, the compiler decided to split up the write
+of STE DWORD 0, we could end up making a partial structure valid.
+
+Although this probably won't happen, follow the example of the
+context-descriptor code and use WRITE_ONCE() to ensure atomicity of the
+write.
+
+Reported-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm-smmu-v3.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index eb9937225d645..6c10f307a1c98 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -1090,7 +1090,8 @@ static void arm_smmu_write_strtab_ent(struct arm_smmu_device *smmu, u32 sid,
+ }
+
+ arm_smmu_sync_ste_for_sid(smmu, sid);
+- dst[0] = cpu_to_le64(val);
++ /* See comment in arm_smmu_write_ctx_desc() */
++ WRITE_ONCE(dst[0], cpu_to_le64(val));
+ arm_smmu_sync_ste_for_sid(smmu, sid);
+
+ /* It's likely that we'll want to use the new STE soon */
+--
+2.20.1
+
--- /dev/null
+From 1552524ef2de217c064047a3b8b63d81bcda7a6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 00:55:27 +0700
+Subject: ipw2x00: Fix -Wcast-function-type
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+[ Upstream commit ebd77feb27e91bb5fe35a7818b7c13ea7435fb98 ]
+
+correct usage prototype of callback in tasklet_init().
+Report by https://github.com/KSPP/linux/issues/20
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ipw2x00/ipw2100.c | 7 ++++---
+ drivers/net/wireless/ipw2x00/ipw2200.c | 5 +++--
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ipw2x00/ipw2100.c b/drivers/net/wireless/ipw2x00/ipw2100.c
+index 36818c7f30b96..11cfc5822eb03 100644
+--- a/drivers/net/wireless/ipw2x00/ipw2100.c
++++ b/drivers/net/wireless/ipw2x00/ipw2100.c
+@@ -3213,8 +3213,9 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv)
+ }
+ }
+
+-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv)
++static void ipw2100_irq_tasklet(unsigned long data)
+ {
++ struct ipw2100_priv *priv = (struct ipw2100_priv *)data;
+ struct net_device *dev = priv->net_dev;
+ unsigned long flags;
+ u32 inta, tmp;
+@@ -6022,7 +6023,7 @@ static void ipw2100_rf_kill(struct work_struct *work)
+ spin_unlock_irqrestore(&priv->low_lock, flags);
+ }
+
+-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv);
++static void ipw2100_irq_tasklet(unsigned long data);
+
+ static const struct net_device_ops ipw2100_netdev_ops = {
+ .ndo_open = ipw2100_open,
+@@ -6151,7 +6152,7 @@ static struct net_device *ipw2100_alloc_device(struct pci_dev *pci_dev,
+ INIT_DELAYED_WORK(&priv->rf_kill, ipw2100_rf_kill);
+ INIT_DELAYED_WORK(&priv->scan_event, ipw2100_scan_event);
+
+- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long))
++ tasklet_init(&priv->irq_tasklet,
+ ipw2100_irq_tasklet, (unsigned long)priv);
+
+ /* NOTE: We do not start the deferred work for status checks yet */
+diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c
+index ed0adaf1eec44..1e08f94dc4da3 100644
+--- a/drivers/net/wireless/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/ipw2x00/ipw2200.c
+@@ -1968,8 +1968,9 @@ static void notify_wx_assoc_event(struct ipw_priv *priv)
+ wireless_send_event(priv->net_dev, SIOCGIWAP, &wrqu, NULL);
+ }
+
+-static void ipw_irq_tasklet(struct ipw_priv *priv)
++static void ipw_irq_tasklet(unsigned long data)
+ {
++ struct ipw_priv *priv = (struct ipw_priv *)data;
+ u32 inta, inta_mask, handled = 0;
+ unsigned long flags;
+ int rc = 0;
+@@ -10705,7 +10706,7 @@ static int ipw_setup_deferred_work(struct ipw_priv *priv)
+ INIT_WORK(&priv->qos_activate, ipw_bg_qos_activate);
+ #endif /* CONFIG_IPW2200_QOS */
+
+- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long))
++ tasklet_init(&priv->irq_tasklet,
+ ipw_irq_tasklet, (unsigned long)priv);
+
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 837926ac61e4e718dca0b922e94e962a4e0c8883 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 15:10:21 +0800
+Subject: irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when
+ building INVALL
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+[ Upstream commit 107945227ac5d4c37911c7841b27c64b489ce9a9 ]
+
+It looks like an obvious mistake to use its_mapc_cmd descriptor when
+building the INVALL command block. It so far worked by luck because
+both its_mapc_cmd.col and its_invall_cmd.col sit at the same offset of
+the ITS command descriptor, but we should not rely on it.
+
+Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20191202071021.1251-1-yuzenghui@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index cf11d43ce2416..d4ae43f71e723 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -352,7 +352,7 @@ static struct its_collection *its_build_invall_cmd(struct its_cmd_block *cmd,
+ struct its_cmd_desc *desc)
+ {
+ its_encode_cmd(cmd, GITS_CMD_INVALL);
+- its_encode_collection(cmd, desc->its_mapc_cmd.col->col_id);
++ its_encode_collection(cmd, desc->its_invall_cmd.col->col_id);
+
+ its_fixup_cmd(cmd);
+
+--
+2.20.1
+
--- /dev/null
+From f4385dedc633e253c0ad64d5dc82c00f1bcf9a67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2019 20:48:56 +0100
+Subject: isdn: don't mark kcapi_proc_exit as __exit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b33bdf8020c94438269becc6dace9ed49257c4ba ]
+
+As everybody pointed out by now, my patch to clean up CAPI introduced
+a link time warning, as the two parts of the capi driver are now in
+one module and the exit function may need to be called in the error
+path of the init function:
+
+>> WARNING: drivers/isdn/capi/kernelcapi.o(.text+0xea4): Section mismatch in reference from the function kcapi_exit() to the function .exit.text:kcapi_proc_exit()
+ The function kcapi_exit() references a function in an exit section.
+ Often the function kcapi_proc_exit() has valid usage outside the exit section
+ and the fix is to remove the __exit annotation of kcapi_proc_exit.
+
+Remove the incorrect __exit annotation.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: kernelci.org bot <bot@kernelci.org>
+Reported-by: Olof's autobuilder <build@lixom.net>
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20191216194909.1983639-1-arnd@arndb.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/capi/kcapi_proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/capi/kcapi_proc.c b/drivers/isdn/capi/kcapi_proc.c
+index 68db3c5a10636..d6ca626219c93 100644
+--- a/drivers/isdn/capi/kcapi_proc.c
++++ b/drivers/isdn/capi/kcapi_proc.c
+@@ -309,7 +309,7 @@ kcapi_proc_init(void)
+ proc_create("capi/driver", 0, NULL, &proc_driver_ops);
+ }
+
+-void __exit
++void
+ kcapi_proc_exit(void)
+ {
+ remove_proc_entry("capi/driver", NULL);
+--
+2.20.1
+
--- /dev/null
+From 2940f6022f7068a912bd98ade7bd3de3d4199bc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Jan 2020 00:09:54 +0000
+Subject: iwlegacy: ensure loop counter addr does not wrap and cause an
+ infinite loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 ]
+
+The loop counter addr is a u16 where as the upper limit of the loop
+is an int. In the unlikely event that the il->cfg->eeprom_size is
+greater than 64K then we end up with an infinite loop since addr will
+wrap around an never reach upper loop limit. Fix this by making addr
+an int.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/iwlegacy/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c
+index 887114582583b..544ab3750ea6e 100644
+--- a/drivers/net/wireless/iwlegacy/common.c
++++ b/drivers/net/wireless/iwlegacy/common.c
+@@ -717,7 +717,7 @@ il_eeprom_init(struct il_priv *il)
+ u32 gp = _il_rd(il, CSR_EEPROM_GP);
+ int sz;
+ int ret;
+- u16 addr;
++ int addr;
+
+ /* allocate eeprom */
+ sz = il->cfg->eeprom_size;
+--
+2.20.1
+
--- /dev/null
+From c85189b2bd384419259b5984cdb0ed7e95a7b3b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 00:55:28 +0700
+Subject: iwlegacy: Fix -Wcast-function-type
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+[ Upstream commit da5e57e8a6a3e69dac2937ba63fa86355628fbb2 ]
+
+correct usage prototype of callback in tasklet_init().
+Report by https://github.com/KSPP/linux/issues/20
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/iwlegacy/3945-mac.c | 5 +++--
+ drivers/net/wireless/iwlegacy/4965-mac.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
+index af1b3e6839fa6..775f5e7791d48 100644
+--- a/drivers/net/wireless/iwlegacy/3945-mac.c
++++ b/drivers/net/wireless/iwlegacy/3945-mac.c
+@@ -1399,8 +1399,9 @@ il3945_dump_nic_error_log(struct il_priv *il)
+ }
+
+ static void
+-il3945_irq_tasklet(struct il_priv *il)
++il3945_irq_tasklet(unsigned long data)
+ {
++ struct il_priv *il = (struct il_priv *)data;
+ u32 inta, handled = 0;
+ u32 inta_fh;
+ unsigned long flags;
+@@ -3432,7 +3433,7 @@ il3945_setup_deferred_work(struct il_priv *il)
+ setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il);
+
+ tasklet_init(&il->irq_tasklet,
+- (void (*)(unsigned long))il3945_irq_tasklet,
++ il3945_irq_tasklet,
+ (unsigned long)il);
+ }
+
+diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c
+index 04b0349a6ad9f..b1925bdb11718 100644
+--- a/drivers/net/wireless/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/iwlegacy/4965-mac.c
+@@ -4361,8 +4361,9 @@ il4965_synchronize_irq(struct il_priv *il)
+ }
+
+ static void
+-il4965_irq_tasklet(struct il_priv *il)
++il4965_irq_tasklet(unsigned long data)
+ {
++ struct il_priv *il = (struct il_priv *)data;
+ u32 inta, handled = 0;
+ u32 inta_fh;
+ unsigned long flags;
+@@ -6257,7 +6258,7 @@ il4965_setup_deferred_work(struct il_priv *il)
+ setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il);
+
+ tasklet_init(&il->irq_tasklet,
+- (void (*)(unsigned long))il4965_irq_tasklet,
++ il4965_irq_tasklet,
+ (unsigned long)il);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 2d590528b4c0912f8e50d85774a8e5c4ebdde0bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Jan 2020 10:25:42 +0800
+Subject: jbd2: clear JBD2_ABORT flag before journal_reset to update log tail
+ info when load journal
+
+From: Kai Li <li.kai4@h3c.com>
+
+[ Upstream commit a09decff5c32060639a685581c380f51b14e1fc2 ]
+
+If the journal is dirty when the filesystem is mounted, jbd2 will replay
+the journal but the journal superblock will not be updated by
+journal_reset() because JBD2_ABORT flag is still set (it was set in
+journal_init_common()). This is problematic because when a new transaction
+is then committed, it will be recorded in block 1 (journal->j_tail was set
+to 1 in journal_reset()). If unclean shutdown happens again before the
+journal superblock is updated, the new recorded transaction will not be
+replayed during the next mount (because of stale sb->s_start and
+sb->s_sequence values) which can lead to filesystem corruption.
+
+Fixes: 85e0c4e89c1b ("jbd2: if the journal is aborted then don't allow update of the log tail")
+Signed-off-by: Kai Li <li.kai4@h3c.com>
+Link: https://lore.kernel.org/r/20200111022542.5008-1-li.kai4@h3c.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/journal.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index 9398d1b70545c..deb3300299709 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1656,6 +1656,11 @@ int jbd2_journal_load(journal_t *journal)
+ journal->j_devname);
+ return -EFSCORRUPTED;
+ }
++ /*
++ * clear JBD2_ABORT flag initialized in journal_init_common
++ * here to update log tail information with the newest seq.
++ */
++ journal->j_flags &= ~JBD2_ABORT;
+
+ /* OK, we've finished with the dynamic journal bits:
+ * reinitialise the dynamic contents of the superblock in memory
+@@ -1663,7 +1668,6 @@ int jbd2_journal_load(journal_t *journal)
+ if (journal_reset(journal))
+ goto recovery_error;
+
+- journal->j_flags &= ~JBD2_ABORT;
+ journal->j_flags |= JBD2_LOADED;
+ return 0;
+
+--
+2.20.1
+
--- /dev/null
+From 906414d1f275761e987f937d71aeb6a9d61b7b6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 20:46:11 +0800
+Subject: jbd2: switch to use jbd2_journal_abort() when failed to submit the
+ commit record
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 ]
+
+We invoke jbd2_journal_abort() to abort the journal and record errno
+in the jbd2 superblock when committing journal transaction besides the
+failure on submitting the commit record. But there is no need for the
+case and we can also invoke jbd2_journal_abort() instead of
+__jbd2_journal_abort_hard().
+
+Fixes: 818d276ceb83a ("ext4: Add the journal checksum feature")
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 7fe61edb1bb9e..a7d12dd6d56e8 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -797,7 +797,7 @@ start_journal_io:
+ err = journal_submit_commit_record(journal, commit_transaction,
+ &cbh, crc32_sum);
+ if (err)
+- __jbd2_journal_abort_hard(journal);
++ jbd2_journal_abort(journal, err);
+ }
+
+ blk_finish_plug(&plug);
+@@ -890,7 +890,7 @@ start_journal_io:
+ err = journal_submit_commit_record(journal, commit_transaction,
+ &cbh, crc32_sum);
+ if (err)
+- __jbd2_journal_abort_hard(journal);
++ jbd2_journal_abort(journal, err);
+ }
+ if (cbh)
+ err = journal_wait_on_commit_record(journal, cbh);
+--
+2.20.1
+
--- /dev/null
+From 55a0910e0e3e7b32d6e2136ebff4a3f7dde2601e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Feb 2020 14:03:11 +0900
+Subject: kconfig: fix broken dependency in randconfig-generated .config
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 ]
+
+Running randconfig on arm64 using KCONFIG_SEED=0x40C5E904 (e.g. on v5.5)
+produces the .config with CONFIG_EFI=y and CONFIG_CPU_BIG_ENDIAN=y,
+which does not meet the !CONFIG_CPU_BIG_ENDIAN dependency.
+
+This is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs
+CONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the
+value of CONFIG_EFI is calculated.
+
+When this happens, the has_changed flag should be set.
+
+Currently, it takes the result from the last iteration. It should
+accumulate all the results of the loop.
+
+Fixes: 3b9a19e08960 ("kconfig: loop as long as we changed some symbols in randconfig")
+Reported-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/confdata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
+index 138d7f100f7e8..4216940e875df 100644
+--- a/scripts/kconfig/confdata.c
++++ b/scripts/kconfig/confdata.c
+@@ -1236,7 +1236,7 @@ bool conf_set_all_new_symbols(enum conf_def_mode mode)
+
+ sym_calc_value(csym);
+ if (mode == def_random)
+- has_changed = randomize_choice_values(csym);
++ has_changed |= randomize_choice_values(csym);
+ else {
+ set_all_choice_values(csym);
+ has_changed = true;
+--
+2.20.1
+
--- /dev/null
+From 92d4fbbbc272b8a4fd92cdc401318fdb832eb748 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2020 22:16:37 -0800
+Subject: lib/scatterlist.c: adjust indentation in __sg_alloc_table
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 4e456fee215677584cafa7f67298a76917e89c64 ]
+
+Clang warns:
+
+ ../lib/scatterlist.c:314:5: warning: misleading indentation; statement
+ is not part of the previous 'if' [-Wmisleading-indentation]
+ return -ENOMEM;
+ ^
+ ../lib/scatterlist.c:311:4: note: previous statement is here
+ if (prv)
+ ^
+ 1 warning generated.
+
+This warning occurs because there is a space before the tab on this
+line. Remove it so that the indentation is consistent with the Linux
+kernel coding style and clang no longer warns.
+
+Link: http://lkml.kernel.org/r/20191218033606.11942-1-natechancellor@gmail.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/830
+Fixes: edce6820a9fd ("scatterlist: prevent invalid free when alloc fails")
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/scatterlist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/scatterlist.c b/lib/scatterlist.c
+index 0b86b7992f931..1875c09eede91 100644
+--- a/lib/scatterlist.c
++++ b/lib/scatterlist.c
+@@ -317,7 +317,7 @@ int __sg_alloc_table(struct sg_table *table, unsigned int nents,
+ if (prv)
+ table->nents = ++table->orig_nents;
+
+- return -ENOMEM;
++ return -ENOMEM;
+ }
+
+ sg_init_table(sg, alloc_size);
+--
+2.20.1
+
--- /dev/null
+From 75f1448f94f4f6f09c8f277c8b62d46364effd6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 08:55:24 +0100
+Subject: media: i2c: mt9v032: fix enum mbus codes and frame sizes
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+[ Upstream commit 1451d5ae351d938a0ab1677498c893f17b9ee21d ]
+
+This driver supports both the mt9v032 (color) and the mt9v022 (mono)
+sensors. Depending on which sensor is used, the format from the sensor is
+different. The format.code inside the dev struct holds this information.
+The enum mbus and enum frame sizes need to take into account both type of
+sensors, not just the color one. To solve this, use the format.code in
+these functions instead of the hardcoded bayer color format (which is only
+used for mt9v032).
+
+[Sakari Ailus: rewrapped commit message]
+
+Suggested-by: Wenyou Yang <wenyou.yang@microchip.com>
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/mt9v032.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/mt9v032.c b/drivers/media/i2c/mt9v032.c
+index a68ce94ee0976..cacdab30fece0 100644
+--- a/drivers/media/i2c/mt9v032.c
++++ b/drivers/media/i2c/mt9v032.c
+@@ -454,10 +454,12 @@ static int mt9v032_enum_mbus_code(struct v4l2_subdev *subdev,
+ struct v4l2_subdev_pad_config *cfg,
+ struct v4l2_subdev_mbus_code_enum *code)
+ {
++ struct mt9v032 *mt9v032 = to_mt9v032(subdev);
++
+ if (code->index > 0)
+ return -EINVAL;
+
+- code->code = MEDIA_BUS_FMT_SGRBG10_1X10;
++ code->code = mt9v032->format.code;
+ return 0;
+ }
+
+@@ -465,7 +467,11 @@ static int mt9v032_enum_frame_size(struct v4l2_subdev *subdev,
+ struct v4l2_subdev_pad_config *cfg,
+ struct v4l2_subdev_frame_size_enum *fse)
+ {
+- if (fse->index >= 3 || fse->code != MEDIA_BUS_FMT_SGRBG10_1X10)
++ struct mt9v032 *mt9v032 = to_mt9v032(subdev);
++
++ if (fse->index >= 3)
++ return -EINVAL;
++ if (mt9v032->format.code != fse->code)
+ return -EINVAL;
+
+ fse->min_width = MT9V032_WINDOW_WIDTH_DEF / (1 << fse->index);
+--
+2.20.1
+
--- /dev/null
+From 1f4ee95be6be066f183ad2759ca5908f5f22cdf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 11:34:01 +0100
+Subject: media: sti: bdisp: fix a possible sleep-in-atomic-context bug in
+ bdisp_device_run()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit bb6d42061a05d71dd73f620582d9e09c8fbf7f5b ]
+
+The driver may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+drivers/media/platform/sti/bdisp/bdisp-hw.c, 385:
+ msleep in bdisp_hw_reset
+drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 341:
+ bdisp_hw_reset in bdisp_device_run
+drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 317:
+ _raw_spin_lock_irqsave in bdisp_device_run
+
+To fix this bug, msleep() is replaced with udelay().
+
+This bug is found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/bdisp/bdisp-hw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/sti/bdisp/bdisp-hw.c b/drivers/media/platform/sti/bdisp/bdisp-hw.c
+index 052c932ac9426..0792db43ce9db 100644
+--- a/drivers/media/platform/sti/bdisp/bdisp-hw.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-hw.c
+@@ -14,8 +14,8 @@
+ #define MAX_SRC_WIDTH 2048
+
+ /* Reset & boot poll config */
+-#define POLL_RST_MAX 50
+-#define POLL_RST_DELAY_MS 20
++#define POLL_RST_MAX 500
++#define POLL_RST_DELAY_MS 2
+
+ enum bdisp_target_plan {
+ BDISP_RGB,
+@@ -77,7 +77,7 @@ int bdisp_hw_reset(struct bdisp_dev *bdisp)
+ for (i = 0; i < POLL_RST_MAX; i++) {
+ if (readl(bdisp->regs + BLT_STA1) & BLT_STA1_IDLE)
+ break;
+- msleep(POLL_RST_DELAY_MS);
++ udelay(POLL_RST_DELAY_MS * 1000);
+ }
+ if (i == POLL_RST_MAX)
+ dev_err(bdisp->dev, "Reset timeout\n");
+--
+2.20.1
+
--- /dev/null
+From 1e86b5fec8c37a33b631350c93637a6457331ded Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Jan 2020 18:44:34 +0530
+Subject: microblaze: Prevent the overflow of the start
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+[ Upstream commit 061d2c1d593076424c910cb1b64ecdb5c9a6923f ]
+
+In case the start + cache size is more than the max int the
+start overflows.
+Prevent the same.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/microblaze/kernel/cpu/cache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/microblaze/kernel/cpu/cache.c b/arch/microblaze/kernel/cpu/cache.c
+index 0bde47e4fa694..dcba53803fa5f 100644
+--- a/arch/microblaze/kernel/cpu/cache.c
++++ b/arch/microblaze/kernel/cpu/cache.c
+@@ -92,7 +92,8 @@ static inline void __disable_dcache_nomsr(void)
+ #define CACHE_LOOP_LIMITS(start, end, cache_line_length, cache_size) \
+ do { \
+ int align = ~(cache_line_length - 1); \
+- end = min(start + cache_size, end); \
++ if (start < UINT_MAX - cache_size) \
++ end = min(start + cache_size, end); \
+ start &= align; \
+ } while (0)
+
+--
+2.20.1
+
--- /dev/null
+From 65647070a46e2d4f15876b858323b74119ce9650 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2020 09:30:42 +0800
+Subject: MIPS: Loongson: Fix potential NULL dereference in
+ loongson3_platform_init()
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 72d052e28d1d2363f9107be63ef3a3afdea6143c ]
+
+If kzalloc fails, it should return -ENOMEM, otherwise may trigger a NULL
+pointer dereference.
+
+Fixes: 3adeb2566b9b ("MIPS: Loongson: Improve LEFI firmware interface")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/loongson64/loongson-3/platform.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/mips/loongson64/loongson-3/platform.c b/arch/mips/loongson64/loongson-3/platform.c
+index 25a97cc0ee336..0db4cc3196ebd 100644
+--- a/arch/mips/loongson64/loongson-3/platform.c
++++ b/arch/mips/loongson64/loongson-3/platform.c
+@@ -31,6 +31,9 @@ static int __init loongson3_platform_init(void)
+ continue;
+
+ pdev = kzalloc(sizeof(struct platform_device), GFP_KERNEL);
++ if (!pdev)
++ return -ENOMEM;
++
+ pdev->name = loongson_sysconf.sensors[i].name;
+ pdev->id = loongson_sysconf.sensors[i].id;
+ pdev->dev.platform_data = &loongson_sysconf.sensors[i];
+--
+2.20.1
+
--- /dev/null
+From f903f807da4f4e8ab52871d66b93a62417cda50b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 21:08:45 +0800
+Subject: NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use
+ le16_add_cpu().
+
+From: Mao Wenan <maowenan@huawei.com>
+
+[ Upstream commit 718eae277e62a26e5862eb72a830b5e0fe37b04a ]
+
+Convert cpu_to_le16(le16_to_cpu(frame->datalen) + len) to
+use le16_add_cpu(), which is more concise and does the same thing.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/port100.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
+index 87d5099967040..3ffbed72adf75 100644
+--- a/drivers/nfc/port100.c
++++ b/drivers/nfc/port100.c
+@@ -545,7 +545,7 @@ static void port100_tx_update_payload_len(void *_frame, int len)
+ {
+ struct port100_frame *frame = _frame;
+
+- frame->datalen = cpu_to_le16(le16_to_cpu(frame->datalen) + len);
++ le16_add_cpu(&frame->datalen, len);
+ }
+
+ static bool port100_rx_frame_is_valid(void *_frame)
+--
+2.20.1
+
--- /dev/null
+From 9b25fab30134e1f85c419a794e0c4f29dd76f43a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2019 16:32:38 +0100
+Subject: nfs: NFS_SWAP should depend on SWAP
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 474c4f306eefbb21b67ebd1de802d005c7d7ecdc ]
+
+If CONFIG_SWAP=n, it does not make much sense to offer the user the
+option to enable support for swapping over NFS, as that will still fail
+at run time:
+
+ # swapon /swap
+ swapon: /swap: swapon failed: Function not implemented
+
+Fix this by adding a dependency on CONFIG_SWAP.
+
+Fixes: a564b8f0398636ba ("nfs: enable swap on NFS")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
+index b1daeafbea920..c3428767332c2 100644
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -89,7 +89,7 @@ config NFS_V4
+ config NFS_SWAP
+ bool "Provide swap over NFS support"
+ default n
+- depends on NFS_FS
++ depends on NFS_FS && SWAP
+ select SUNRPC_SWAP
+ help
+ This option enables swapon to work on files located on NFS mounts.
+--
+2.20.1
+
--- /dev/null
+From 1afcc98c1b35802dcf7854cf2b29e19c30416c86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 16:07:32 -0500
+Subject: nfsd4: avoid NULL deference on strange COPY compounds
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ]
+
+With cross-server COPY we've introduced the possibility that the current
+or saved filehandle might not have fh_dentry/fh_export filled in, but we
+missed a place that assumed it was. I think this could be triggered by
+a compound like:
+
+ PUTFH(foreign filehandle)
+ GETATTR
+ SAVEFH
+ COPY
+
+First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op.
+Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL.
+need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE
+set and GETATTR does not have OP_HANDLES_WRONGSEC set.
+
+We should probably also consider tightening the checks in
+check_if_stalefh_allowed and double-checking that we don't assume the
+filehandle is verified elsewhere in the compound. But I think this
+fixes the immediate issue.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... "
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index c67064d94096b..0cb956d792f21 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1704,7 +1704,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
+ if (opdesc->op_flags & OP_CLEAR_STATEID)
+ clear_current_stateid(cstate);
+
+- if (need_wrongsec_check(rqstp))
++ if (current_fh->fh_export &&
++ need_wrongsec_check(rqstp))
+ op->status = check_nfsd_access(current_fh->fh_export, rqstp);
+ }
+ encode_op:
+--
+2.20.1
+
--- /dev/null
+From 97e8f1a2b32a0de6ffbfab6fc175c6f0222e5faf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2020 22:11:50 -0800
+Subject: ocfs2: fix a NULL pointer dereference when call
+ ocfs2_update_inode_fsync_trans()
+
+From: wangyan <wangyan122@huawei.com>
+
+[ Upstream commit 9f16ca48fc818a17de8be1f75d08e7f4addc4497 ]
+
+I found a NULL pointer dereference in ocfs2_update_inode_fsync_trans(),
+handle->h_transaction may be NULL in this situation:
+
+ocfs2_file_write_iter
+ ->__generic_file_write_iter
+ ->generic_perform_write
+ ->ocfs2_write_begin
+ ->ocfs2_write_begin_nolock
+ ->ocfs2_write_cluster_by_desc
+ ->ocfs2_write_cluster
+ ->ocfs2_mark_extent_written
+ ->ocfs2_change_extent_flag
+ ->ocfs2_split_extent
+ ->ocfs2_try_to_merge_extent
+ ->ocfs2_extend_rotate_transaction
+ ->ocfs2_extend_trans
+ ->jbd2_journal_restart
+ ->jbd2__journal_restart
+ // handle->h_transaction is NULL here
+ ->handle->h_transaction = NULL;
+ ->start_this_handle
+ /* journal aborted due to storage
+ network disconnection, return error */
+ ->return -EROFS;
+ /* line 3806 in ocfs2_try_to_merge_extent (),
+ it will ignore ret error. */
+ ->ret = 0;
+ ->...
+ ->ocfs2_write_end
+ ->ocfs2_write_end_nolock
+ ->ocfs2_update_inode_fsync_trans
+ // NULL pointer dereference
+ ->oi->i_sync_tid = handle->h_transaction->t_tid;
+
+The information of NULL pointer dereference as follows:
+ JBD2: Detected IO errors while flushing file data on dm-11-45
+ Aborting journal on device dm-11-45.
+ JBD2: Error -5 detected when updating journal superblock for dm-11-45.
+ (dd,22081,3):ocfs2_extend_trans:474 ERROR: status = -30
+ (dd,22081,3):ocfs2_try_to_merge_extent:3877 ERROR: status = -30
+ Unable to handle kernel NULL pointer dereference at
+ virtual address 0000000000000008
+ Mem abort info:
+ ESR = 0x96000004
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000004
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e74e1338
+ [0000000000000008] pgd=0000000000000000
+ Internal error: Oops: 96000004 [#1] SMP
+ Process dd (pid: 22081, stack limit = 0x00000000584f35a9)
+ CPU: 3 PID: 22081 Comm: dd Kdump: loaded
+ Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019
+ pstate: 60400009 (nZCv daif +PAN -UAO)
+ pc : ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2]
+ lr : ocfs2_write_end_nolock+0x2a0/0x550 [ocfs2]
+ sp : ffff0000459fba70
+ x29: ffff0000459fba70 x28: 0000000000000000
+ x27: ffff807ccf7f1000 x26: 0000000000000001
+ x25: ffff807bdff57970 x24: ffff807caf1d4000
+ x23: ffff807cc79e9000 x22: 0000000000001000
+ x21: 000000006c6cd000 x20: ffff0000091d9000
+ x19: ffff807ccb239db0 x18: ffffffffffffffff
+ x17: 000000000000000e x16: 0000000000000007
+ x15: ffff807c5e15bd78 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000001
+ x9 : 0000000000000228 x8 : 000000000000000c
+ x7 : 0000000000000fff x6 : ffff807a308ed6b0
+ x5 : ffff7e01f10967c0 x4 : 0000000000000018
+ x3 : d0bc661572445600 x2 : 0000000000000000
+ x1 : 000000001b2e0200 x0 : 0000000000000000
+ Call trace:
+ ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2]
+ ocfs2_write_end+0x4c/0x80 [ocfs2]
+ generic_perform_write+0x108/0x1a8
+ __generic_file_write_iter+0x158/0x1c8
+ ocfs2_file_write_iter+0x668/0x950 [ocfs2]
+ __vfs_write+0x11c/0x190
+ vfs_write+0xac/0x1c0
+ ksys_write+0x6c/0xd8
+ __arm64_sys_write+0x24/0x30
+ el0_svc_common+0x78/0x130
+ el0_svc_handler+0x38/0x78
+ el0_svc+0x8/0xc
+
+To prevent NULL pointer dereference in this situation, we use
+is_handle_aborted() before using handle->h_transaction->t_tid.
+
+Link: http://lkml.kernel.org/r/03e750ab-9ade-83aa-b000-b9e81e34e539@huawei.com
+Signed-off-by: Yan Wang <wangyan122@huawei.com>
+Reviewed-by: Jun Piao <piaojun@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/journal.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
+index f4cd3c3e9fb70..0a4d2cbf512f8 100644
+--- a/fs/ocfs2/journal.h
++++ b/fs/ocfs2/journal.h
+@@ -637,9 +637,11 @@ static inline void ocfs2_update_inode_fsync_trans(handle_t *handle,
+ {
+ struct ocfs2_inode_info *oi = OCFS2_I(inode);
+
+- oi->i_sync_tid = handle->h_transaction->t_tid;
+- if (datasync)
+- oi->i_datasync_tid = handle->h_transaction->t_tid;
++ if (!is_handle_aborted(handle)) {
++ oi->i_sync_tid = handle->h_transaction->t_tid;
++ if (datasync)
++ oi->i_datasync_tid = handle->h_transaction->t_tid;
++ }
+ }
+
+ #endif /* OCFS2_JOURNAL_H */
+--
+2.20.1
+
--- /dev/null
+From 49f84cf618c083e5647df394b6d41d18f7ad9bad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Dec 2019 13:58:58 -0600
+Subject: orinoco: avoid assertion in case of NULL pointer
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit c705f9fc6a1736dcf6ec01f8206707c108dca824 ]
+
+In ezusb_init, if upriv is NULL, the code crashes. However, the caller
+in ezusb_probe can handle the error and print the failure message.
+The patch replaces the BUG_ON call to error return.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/orinoco/orinoco_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/orinoco/orinoco_usb.c b/drivers/net/wireless/orinoco/orinoco_usb.c
+index e434f7ca8ff36..3c5baccd67922 100644
+--- a/drivers/net/wireless/orinoco/orinoco_usb.c
++++ b/drivers/net/wireless/orinoco/orinoco_usb.c
+@@ -1351,7 +1351,8 @@ static int ezusb_init(struct hermes *hw)
+ int retval;
+
+ BUG_ON(in_interrupt());
+- BUG_ON(!upriv);
++ if (!upriv)
++ return -EINVAL;
+
+ upriv->reply_count = 0;
+ /* Write the MAGIC number on the simulated registers to keep
+--
+2.20.1
+
--- /dev/null
+From 0fde03153ecc6044b38e96dfefd75f058eb8a3d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 14:31:11 -0500
+Subject: padata: always acquire cpu_hotplug_lock before pinst->lock
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit 38228e8848cd7dd86ccb90406af32de0cad24be3 ]
+
+lockdep complains when padata's paths to update cpumasks via CPU hotplug
+and sysfs are both taken:
+
+ # echo 0 > /sys/devices/system/cpu/cpu1/online
+ # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted
+ ------------------------------------------------------
+ bash/205 is trying to acquire lock:
+ ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120
+
+ but task is already holding lock:
+ ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120
+
+ which lock already depends on the new lock.
+
+padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent
+order. Which should be first? CPU hotplug calls into padata with
+cpu_hotplug_lock already held, so it should have priority.
+
+Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus")
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: linux-crypto@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 0d7ec5fd520bc..ae036af3f0129 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -640,8 +640,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type,
+ struct cpumask *serial_mask, *parallel_mask;
+ int err = -EINVAL;
+
+- mutex_lock(&pinst->lock);
+ get_online_cpus();
++ mutex_lock(&pinst->lock);
+
+ switch (cpumask_type) {
+ case PADATA_CPU_PARALLEL:
+@@ -659,8 +659,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type,
+ err = __padata_set_cpumasks(pinst, parallel_mask, serial_mask);
+
+ out:
+- put_online_cpus();
+ mutex_unlock(&pinst->lock);
++ put_online_cpus();
+
+ return err;
+ }
+--
+2.20.1
+
--- /dev/null
+From 7737477262d2f86ffe5dd1d74c9dcb5756b880bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2020 14:32:08 -0700
+Subject: PCI: Don't disable bridge BARs when assigning bus resources
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+[ Upstream commit 9db8dc6d0785225c42a37be7b44d1b07b31b8957 ]
+
+Some PCI bridges implement BARs in addition to bridge windows. For
+example, here's a PLX switch:
+
+ 04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI
+ Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca)
+ (prog-if 00 [Normal decode])
+ Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0
+ Memory at 90a00000 (32-bit, non-prefetchable) [size=256K]
+ Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0
+ I/O behind bridge: 00002000-00003fff
+ Memory behind bridge: 90000000-909fffff
+ Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff
+
+Previously, when the kernel assigned resource addresses (with the
+pci=realloc command line parameter, for example) it could clear the struct
+resource corresponding to the BAR. When this happened, lspci would report
+this BAR as "ignored":
+
+ Region 0: Memory at <ignored> (32-bit, non-prefetchable) [size=256K]
+
+This is because the kernel reports a zero start address and zero flags
+in the corresponding sysfs resource file and in /proc/bus/pci/devices.
+Investigation with 'lspci -x', however, shows the BIOS-assigned address
+will still be programmed in the device's BAR registers.
+
+It's clearly a bug that the kernel lost track of the BAR value, but in most
+cases, this still won't result in a visible issue because nothing uses the
+memory, so nothing is affected. However, when an IOMMU is in use, it will
+not reserve this space in the IOVA because the kernel no longer thinks the
+range is valid. (See dmar_init_reserved_ranges() for the Intel
+implementation of this.)
+
+Without the proper reserved range, a DMA mapping may allocate an IOVA that
+matches a bridge BAR, which results in DMA accesses going to the BAR
+instead of the intended RAM.
+
+The problem was in pci_assign_unassigned_root_bus_resources(). When any
+resource from a bridge device fails to get assigned, the code set the
+resource's flags to zero. This makes sense for bridge windows, as they
+will be re-enabled later, but for regular BARs, it makes the kernel
+permanently lose track of the fact that they decode address space.
+
+Change pci_assign_unassigned_root_bus_resources() and
+pci_assign_unassigned_bridge_resources() so they only clear "res->flags"
+for bridge *windows*, not bridge BARs.
+
+Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)")
+Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com
+[bhelgaas: commit log, check for pci_is_bridge()]
+Reported-by: Kit Chow <kchow@gigaio.com>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/setup-bus.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
+index 1723ac1b30e10..fe2865a0da395 100644
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -1760,12 +1760,18 @@ again:
+ /* restore size and flags */
+ list_for_each_entry(fail_res, &fail_head, list) {
+ struct resource *res = fail_res->res;
++ int idx;
+
+ res->start = fail_res->start;
+ res->end = fail_res->end;
+ res->flags = fail_res->flags;
+- if (fail_res->dev->subordinate)
+- res->flags = 0;
++
++ if (pci_is_bridge(fail_res->dev)) {
++ idx = res - &fail_res->dev->resource[0];
++ if (idx >= PCI_BRIDGE_RESOURCES &&
++ idx <= PCI_BRIDGE_RESOURCE_END)
++ res->flags = 0;
++ }
+ }
+ free_list(&fail_head);
+
+@@ -1826,12 +1832,18 @@ again:
+ /* restore size and flags */
+ list_for_each_entry(fail_res, &fail_head, list) {
+ struct resource *res = fail_res->res;
++ int idx;
+
+ res->start = fail_res->start;
+ res->end = fail_res->end;
+ res->flags = fail_res->flags;
+- if (fail_res->dev->subordinate)
+- res->flags = 0;
++
++ if (pci_is_bridge(fail_res->dev)) {
++ idx = res - &fail_res->dev->resource[0];
++ if (idx >= PCI_BRIDGE_RESOURCES &&
++ idx <= PCI_BRIDGE_RESOURCE_END)
++ res->flags = 0;
++ }
+ }
+ free_list(&fail_head);
+
+--
+2.20.1
+
--- /dev/null
+From 9c7955080b019be288561966ee2c2a7fc95e1d22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 20:48:09 +0100
+Subject: pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 55b1cb1f03ad5eea39897d0c74035e02deddcff2 ]
+
+pinmux_func_gpios[] contains a hole due to the missing function GPIO
+definition for the "CTX0&CTX1" signal, which is the logical "AND" of the
+two CAN outputs.
+
+Fix this by:
+ - Renaming CRX0_CRX1_MARK to CTX0_CTX1_MARK, as PJ2MD[2:0]=010
+ configures the combined "CTX0&CTX1" output signal,
+ - Renaming CRX0X1_MARK to CRX0_CRX1_MARK, as PJ3MD[1:0]=10 configures
+ the shared "CRX0/CRX1" input signal, which is fed to both CAN
+ inputs,
+ - Adding the missing function GPIO definition for "CTX0&CTX1" to
+ pinmux_func_gpios[],
+ - Moving all CAN enums next to each other.
+
+See SH7262 Group, SH7264 Group User's Manual: Hardware, Rev. 4.00:
+ [1] Figure 1.2 (3) (Pin Assignment for the SH7264 Group (1-Mbyte
+ Version),
+ [2] Figure 1.2 (4) Pin Assignment for the SH7264 Group (640-Kbyte
+ Version,
+ [3] Table 1.4 List of Pins,
+ [4] Figure 20.29 Connection Example when Using This Module as 1-Channel
+ Module (64 Mailboxes x 1 Channel),
+ [5] Table 32.10 Multiplexed Pins (Port J),
+ [6] Section 32.2.30 (3) Port J Control Register 0 (PJCR0).
+
+Note that the last 2 disagree about PJ2MD[2:0], which is probably the
+root cause of this bug. But considering [4], "CTx0&CTx1" in [5] must
+be correct, and "CRx0&CRx1" in [6] must be wrong.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191218194812.12741-4-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sh-pfc/pfc-sh7264.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7264.c b/drivers/pinctrl/sh-pfc/pfc-sh7264.c
+index e1c34e19222ee..3ddb9565ed804 100644
+--- a/drivers/pinctrl/sh-pfc/pfc-sh7264.c
++++ b/drivers/pinctrl/sh-pfc/pfc-sh7264.c
+@@ -500,17 +500,15 @@ enum {
+ SD_WP_MARK, SD_CLK_MARK, SD_CMD_MARK,
+ CRX0_MARK, CRX1_MARK,
+ CTX0_MARK, CTX1_MARK,
++ CRX0_CRX1_MARK, CTX0_CTX1_MARK,
+
+ PWM1A_MARK, PWM1B_MARK, PWM1C_MARK, PWM1D_MARK,
+ PWM1E_MARK, PWM1F_MARK, PWM1G_MARK, PWM1H_MARK,
+ PWM2A_MARK, PWM2B_MARK, PWM2C_MARK, PWM2D_MARK,
+ PWM2E_MARK, PWM2F_MARK, PWM2G_MARK, PWM2H_MARK,
+ IERXD_MARK, IETXD_MARK,
+- CRX0_CRX1_MARK,
+ WDTOVF_MARK,
+
+- CRX0X1_MARK,
+-
+ /* DMAC */
+ TEND0_MARK, DACK0_MARK, DREQ0_MARK,
+ TEND1_MARK, DACK1_MARK, DREQ1_MARK,
+@@ -998,12 +996,12 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_DATA(PJ3_DATA, PJ3MD_00),
+ PINMUX_DATA(CRX1_MARK, PJ3MD_01),
+- PINMUX_DATA(CRX0X1_MARK, PJ3MD_10),
++ PINMUX_DATA(CRX0_CRX1_MARK, PJ3MD_10),
+ PINMUX_DATA(IRQ1_PJ_MARK, PJ3MD_11),
+
+ PINMUX_DATA(PJ2_DATA, PJ2MD_000),
+ PINMUX_DATA(CTX1_MARK, PJ2MD_001),
+- PINMUX_DATA(CRX0_CRX1_MARK, PJ2MD_010),
++ PINMUX_DATA(CTX0_CTX1_MARK, PJ2MD_010),
+ PINMUX_DATA(CS2_MARK, PJ2MD_011),
+ PINMUX_DATA(SCK0_MARK, PJ2MD_100),
+ PINMUX_DATA(LCD_M_DISP_MARK, PJ2MD_101),
+@@ -1248,6 +1246,7 @@ static const struct pinmux_func pinmux_func_gpios[] = {
+ GPIO_FN(CTX1),
+ GPIO_FN(CRX1),
+ GPIO_FN(CTX0),
++ GPIO_FN(CTX0_CTX1),
+ GPIO_FN(CRX0),
+ GPIO_FN(CRX0_CRX1),
+
+--
+2.20.1
+
--- /dev/null
+From c3e44eb8ba1635bbd78cfa3ab6d9c46e4369960a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 20:48:10 +0100
+Subject: pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 02aeb2f21530c98fc3ca51028eda742a3fafbd9f ]
+
+pinmux_func_gpios[] contains a hole due to the missing function GPIO
+definition for the "CTX0&CTX1" signal, which is the logical "AND" of the
+first two CAN outputs.
+
+A closer look reveals other issues:
+ - Some functionality is available on alternative pins, but the
+ PINMUX_DATA() entries is using the wrong marks,
+ - Several configurations are missing.
+
+Fix this by:
+ - Renaming CTX0CTX1CTX2_MARK, CRX0CRX1_PJ22_MARK, and
+ CRX0CRX1CRX2_PJ20_MARK to CTX0_CTX1_CTX2_MARK, CRX0_CRX1_PJ22_MARK,
+ resp. CRX0_CRX1_CRX2_PJ20_MARK for consistency with the
+ corresponding enum IDs,
+ - Adding all missing enum IDs and marks,
+ - Use the right (*_PJ2x) variants for alternative pins,
+ - Adding all missing configurations to pinmux_data[],
+ - Adding all missing function GPIO definitions to pinmux_func_gpios[].
+
+See SH7268 Group, SH7269 Group User’s Manual: Hardware, Rev. 2.00:
+ [1] Table 1.4 List of Pins
+ [2] Figure 23.29 Connection Example when Using Channels 0 and 1 as One
+ Channel (64 Mailboxes × 1 Channel) and Channel 2 as One Channel
+ (32 Mailboxes × 1 Channel),
+ [3] Figure 23.30 Connection Example when Using Channels 0, 1, and 2 as
+ One Channel (96 Mailboxes × 1 Channel),
+ [4] Table 48.3 Multiplexed Pins (Port B),
+ [5] Table 48.4 Multiplexed Pins (Port C),
+ [6] Table 48.10 Multiplexed Pins (Port J),
+ [7] Section 48.2.4 Port B Control Registers 0 to 5 (PBCR0 to PBCR5).
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191218194812.12741-5-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/cpu-sh2a/cpu/sh7269.h | 11 ++++++--
+ drivers/pinctrl/sh-pfc/pfc-sh7269.c | 39 ++++++++++++++++++---------
+ 2 files changed, 36 insertions(+), 14 deletions(-)
+
+diff --git a/arch/sh/include/cpu-sh2a/cpu/sh7269.h b/arch/sh/include/cpu-sh2a/cpu/sh7269.h
+index 2a0ca8780f0d8..e4caddd443daf 100644
+--- a/arch/sh/include/cpu-sh2a/cpu/sh7269.h
++++ b/arch/sh/include/cpu-sh2a/cpu/sh7269.h
+@@ -79,8 +79,15 @@ enum {
+ GPIO_FN_WDTOVF,
+
+ /* CAN */
+- GPIO_FN_CTX1, GPIO_FN_CRX1, GPIO_FN_CTX0, GPIO_FN_CTX0_CTX1,
+- GPIO_FN_CRX0, GPIO_FN_CRX0_CRX1, GPIO_FN_CRX0_CRX1_CRX2,
++ GPIO_FN_CTX2, GPIO_FN_CRX2,
++ GPIO_FN_CTX1, GPIO_FN_CRX1,
++ GPIO_FN_CTX0, GPIO_FN_CRX0,
++ GPIO_FN_CTX0_CTX1, GPIO_FN_CRX0_CRX1,
++ GPIO_FN_CTX0_CTX1_CTX2, GPIO_FN_CRX0_CRX1_CRX2,
++ GPIO_FN_CTX2_PJ21, GPIO_FN_CRX2_PJ20,
++ GPIO_FN_CTX1_PJ23, GPIO_FN_CRX1_PJ22,
++ GPIO_FN_CTX0_CTX1_PJ23, GPIO_FN_CRX0_CRX1_PJ22,
++ GPIO_FN_CTX0_CTX1_CTX2_PJ21, GPIO_FN_CRX0_CRX1_CRX2_PJ20,
+
+ /* DMAC */
+ GPIO_FN_TEND0, GPIO_FN_DACK0, GPIO_FN_DREQ0,
+diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7269.c b/drivers/pinctrl/sh-pfc/pfc-sh7269.c
+index cfdb4fc177c3e..3df0c0d139d08 100644
+--- a/drivers/pinctrl/sh-pfc/pfc-sh7269.c
++++ b/drivers/pinctrl/sh-pfc/pfc-sh7269.c
+@@ -740,13 +740,12 @@ enum {
+ CRX0_MARK, CTX0_MARK,
+ CRX1_MARK, CTX1_MARK,
+ CRX2_MARK, CTX2_MARK,
+- CRX0_CRX1_MARK,
+- CRX0_CRX1_CRX2_MARK,
+- CTX0CTX1CTX2_MARK,
++ CRX0_CRX1_MARK, CTX0_CTX1_MARK,
++ CRX0_CRX1_CRX2_MARK, CTX0_CTX1_CTX2_MARK,
+ CRX1_PJ22_MARK, CTX1_PJ23_MARK,
+ CRX2_PJ20_MARK, CTX2_PJ21_MARK,
+- CRX0CRX1_PJ22_MARK,
+- CRX0CRX1CRX2_PJ20_MARK,
++ CRX0_CRX1_PJ22_MARK, CTX0_CTX1_PJ23_MARK,
++ CRX0_CRX1_CRX2_PJ20_MARK, CTX0_CTX1_CTX2_PJ21_MARK,
+
+ /* VDC */
+ DV_CLK_MARK,
+@@ -824,6 +823,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_DATA(CS3_MARK, PC8MD_001),
+ PINMUX_DATA(TXD7_MARK, PC8MD_010),
+ PINMUX_DATA(CTX1_MARK, PC8MD_011),
++ PINMUX_DATA(CTX0_CTX1_MARK, PC8MD_100),
+
+ PINMUX_DATA(PC7_DATA, PC7MD_000),
+ PINMUX_DATA(CKE_MARK, PC7MD_001),
+@@ -836,11 +836,12 @@ static const u16 pinmux_data[] = {
+ PINMUX_DATA(CAS_MARK, PC6MD_001),
+ PINMUX_DATA(SCK7_MARK, PC6MD_010),
+ PINMUX_DATA(CTX0_MARK, PC6MD_011),
++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC6MD_100),
+
+ PINMUX_DATA(PC5_DATA, PC5MD_000),
+ PINMUX_DATA(RAS_MARK, PC5MD_001),
+ PINMUX_DATA(CRX0_MARK, PC5MD_011),
+- PINMUX_DATA(CTX0CTX1CTX2_MARK, PC5MD_100),
++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC5MD_100),
+ PINMUX_DATA(IRQ0_PC_MARK, PC5MD_101),
+
+ PINMUX_DATA(PC4_DATA, PC4MD_00),
+@@ -1292,30 +1293,32 @@ static const u16 pinmux_data[] = {
+ PINMUX_DATA(LCD_DATA23_PJ23_MARK, PJ23MD_010),
+ PINMUX_DATA(LCD_TCON6_MARK, PJ23MD_011),
+ PINMUX_DATA(IRQ3_PJ_MARK, PJ23MD_100),
+- PINMUX_DATA(CTX1_MARK, PJ23MD_101),
++ PINMUX_DATA(CTX1_PJ23_MARK, PJ23MD_101),
++ PINMUX_DATA(CTX0_CTX1_PJ23_MARK, PJ23MD_110),
+
+ PINMUX_DATA(PJ22_DATA, PJ22MD_000),
+ PINMUX_DATA(DV_DATA22_MARK, PJ22MD_001),
+ PINMUX_DATA(LCD_DATA22_PJ22_MARK, PJ22MD_010),
+ PINMUX_DATA(LCD_TCON5_MARK, PJ22MD_011),
+ PINMUX_DATA(IRQ2_PJ_MARK, PJ22MD_100),
+- PINMUX_DATA(CRX1_MARK, PJ22MD_101),
+- PINMUX_DATA(CRX0_CRX1_MARK, PJ22MD_110),
++ PINMUX_DATA(CRX1_PJ22_MARK, PJ22MD_101),
++ PINMUX_DATA(CRX0_CRX1_PJ22_MARK, PJ22MD_110),
+
+ PINMUX_DATA(PJ21_DATA, PJ21MD_000),
+ PINMUX_DATA(DV_DATA21_MARK, PJ21MD_001),
+ PINMUX_DATA(LCD_DATA21_PJ21_MARK, PJ21MD_010),
+ PINMUX_DATA(LCD_TCON4_MARK, PJ21MD_011),
+ PINMUX_DATA(IRQ1_PJ_MARK, PJ21MD_100),
+- PINMUX_DATA(CTX2_MARK, PJ21MD_101),
++ PINMUX_DATA(CTX2_PJ21_MARK, PJ21MD_101),
++ PINMUX_DATA(CTX0_CTX1_CTX2_PJ21_MARK, PJ21MD_110),
+
+ PINMUX_DATA(PJ20_DATA, PJ20MD_000),
+ PINMUX_DATA(DV_DATA20_MARK, PJ20MD_001),
+ PINMUX_DATA(LCD_DATA20_PJ20_MARK, PJ20MD_010),
+ PINMUX_DATA(LCD_TCON3_MARK, PJ20MD_011),
+ PINMUX_DATA(IRQ0_PJ_MARK, PJ20MD_100),
+- PINMUX_DATA(CRX2_MARK, PJ20MD_101),
+- PINMUX_DATA(CRX0CRX1CRX2_PJ20_MARK, PJ20MD_110),
++ PINMUX_DATA(CRX2_PJ20_MARK, PJ20MD_101),
++ PINMUX_DATA(CRX0_CRX1_CRX2_PJ20_MARK, PJ20MD_110),
+
+ PINMUX_DATA(PJ19_DATA, PJ19MD_000),
+ PINMUX_DATA(DV_DATA19_MARK, PJ19MD_001),
+@@ -1666,12 +1669,24 @@ static const struct pinmux_func pinmux_func_gpios[] = {
+ GPIO_FN(WDTOVF),
+
+ /* CAN */
++ GPIO_FN(CTX2),
++ GPIO_FN(CRX2),
+ GPIO_FN(CTX1),
+ GPIO_FN(CRX1),
+ GPIO_FN(CTX0),
+ GPIO_FN(CRX0),
++ GPIO_FN(CTX0_CTX1),
+ GPIO_FN(CRX0_CRX1),
++ GPIO_FN(CTX0_CTX1_CTX2),
+ GPIO_FN(CRX0_CRX1_CRX2),
++ GPIO_FN(CTX2_PJ21),
++ GPIO_FN(CRX2_PJ20),
++ GPIO_FN(CTX1_PJ23),
++ GPIO_FN(CRX1_PJ22),
++ GPIO_FN(CTX0_CTX1_PJ23),
++ GPIO_FN(CRX0_CRX1_PJ22),
++ GPIO_FN(CTX0_CTX1_CTX2_PJ21),
++ GPIO_FN(CRX0_CRX1_CRX2_PJ20),
+
+ /* DMAC */
+ GPIO_FN(TEND0),
+--
+2.20.1
+
--- /dev/null
+From a2ae9514a96068f0920710672d252a2c3e9d6876 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2020 17:09:52 +0100
+Subject: radeon: insert 10ms sleep in dce5_crtc_load_lut
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit ec3d65082d7dabad6fa8f66a8ef166f2d522d6b2 ]
+
+Per at least one tester this is enough magic to recover the regression
+introduced for some people (but not all) in
+
+commit b8e2b0199cc377617dc238f5106352c06dcd3fa2
+Author: Peter Rosin <peda@axentia.se>
+Date: Tue Jul 4 12:36:57 2017 +0200
+
+ drm/fb-helper: factor out pseudo-palette
+
+which for radeon had the side-effect of refactoring out a seemingly
+redudant writing of the color palette.
+
+10ms in a fairly slow modeset path feels like an acceptable form of
+duct-tape, so maybe worth a shot and see what sticks.
+
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Michel Dänzer <michel.daenzer@amd.com>
+References: https://bugzilla.kernel.org/show_bug.cgi?id=198123
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index 446d990623069..4572bfba017c5 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -110,6 +110,8 @@ static void dce5_crtc_load_lut(struct drm_crtc *crtc)
+
+ DRM_DEBUG_KMS("%d\n", radeon_crtc->crtc_id);
+
++ msleep(10);
++
+ WREG32(NI_INPUT_CSC_CONTROL + radeon_crtc->crtc_offset,
+ (NI_INPUT_CSC_GRPH_MODE(NI_INPUT_CSC_BYPASS) |
+ NI_INPUT_CSC_OVL_MODE(NI_INPUT_CSC_BYPASS)));
+--
+2.20.1
+
--- /dev/null
+From 6220e4420de6ccd456ed3f63145a05c8d6aa297d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Nov 2019 09:42:13 -0800
+Subject: rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 860c8802ace14c646864795e057349c9fb2d60ad ]
+
+Eric Dumazet supplied a KCSAN report of a bug that forces use
+of hlist_unhashed_lockless() from sk_unhashed():
+
+------------------------------------------------------------------------
+
+BUG: KCSAN: data-race in inet_unhash / inet_unhash
+
+write to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 1:
+ __hlist_nulls_del include/linux/list_nulls.h:88 [inline]
+ hlist_nulls_del_init_rcu include/linux/rculist_nulls.h:36 [inline]
+ __sk_nulls_del_node_init_rcu include/net/sock.h:676 [inline]
+ inet_unhash+0x38f/0x4a0 net/ipv4/inet_hashtables.c:612
+ tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249
+ tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854
+ tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56
+ tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479
+ tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599
+ tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619
+ call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404
+ expire_timers kernel/time/timer.c:1449 [inline]
+ __run_timers kernel/time/timer.c:1773 [inline]
+ __run_timers kernel/time/timer.c:1740 [inline]
+ run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+ native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
+ arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
+ default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x1af/0x280 kernel/sched/idle.c:263
+ cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355
+ start_secondary+0x208/0x260 arch/x86/kernel/smpboot.c:264
+ secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
+
+read to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 0:
+ sk_unhashed include/net/sock.h:607 [inline]
+ inet_unhash+0x3d/0x4a0 net/ipv4/inet_hashtables.c:592
+ tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249
+ tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854
+ tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56
+ tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479
+ tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599
+ tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619
+ call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404
+ expire_timers kernel/time/timer.c:1449 [inline]
+ __run_timers kernel/time/timer.c:1773 [inline]
+ __run_timers kernel/time/timer.c:1740 [inline]
+ run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+ native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
+ arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
+ default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x1af/0x280 kernel/sched/idle.c:263
+ cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355
+ rest_init+0xec/0xf6 init/main.c:452
+ arch_call_rest_init+0x17/0x37
+ start_kernel+0x838/0x85e init/main.c:786
+ x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
+ x86_64_start_kernel+0x72/0x76 arch/x86/kernel/head64.c:471
+ secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc6+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 01/01/2011
+
+------------------------------------------------------------------------
+
+This commit therefore replaces C-language assignments with WRITE_ONCE()
+in include/linux/list_nulls.h and include/linux/rculist_nulls.h.
+
+Reported-by: Eric Dumazet <edumazet@google.com> # For KCSAN
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/list_nulls.h | 8 ++++----
+ include/linux/rculist_nulls.h | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/list_nulls.h b/include/linux/list_nulls.h
+index 444d2b1313bda..703928e4fd42d 100644
+--- a/include/linux/list_nulls.h
++++ b/include/linux/list_nulls.h
+@@ -66,10 +66,10 @@ static inline void hlist_nulls_add_head(struct hlist_nulls_node *n,
+ struct hlist_nulls_node *first = h->first;
+
+ n->next = first;
+- n->pprev = &h->first;
++ WRITE_ONCE(n->pprev, &h->first);
+ h->first = n;
+ if (!is_a_nulls(first))
+- first->pprev = &n->next;
++ WRITE_ONCE(first->pprev, &n->next);
+ }
+
+ static inline void __hlist_nulls_del(struct hlist_nulls_node *n)
+@@ -79,13 +79,13 @@ static inline void __hlist_nulls_del(struct hlist_nulls_node *n)
+
+ WRITE_ONCE(*pprev, next);
+ if (!is_a_nulls(next))
+- next->pprev = pprev;
++ WRITE_ONCE(next->pprev, pprev);
+ }
+
+ static inline void hlist_nulls_del(struct hlist_nulls_node *n)
+ {
+ __hlist_nulls_del(n);
+- n->pprev = LIST_POISON2;
++ WRITE_ONCE(n->pprev, LIST_POISON2);
+ }
+
+ /**
+diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h
+index 1c33dd7da4a7d..f35dc0a1d6ebc 100644
+--- a/include/linux/rculist_nulls.h
++++ b/include/linux/rculist_nulls.h
+@@ -33,7 +33,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
+ {
+ if (!hlist_nulls_unhashed(n)) {
+ __hlist_nulls_del(n);
+- n->pprev = NULL;
++ WRITE_ONCE(n->pprev, NULL);
+ }
+ }
+
+@@ -65,7 +65,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
+ static inline void hlist_nulls_del_rcu(struct hlist_nulls_node *n)
+ {
+ __hlist_nulls_del(n);
+- n->pprev = LIST_POISON2;
++ WRITE_ONCE(n->pprev, LIST_POISON2);
+ }
+
+ /**
+@@ -93,10 +93,10 @@ static inline void hlist_nulls_add_head_rcu(struct hlist_nulls_node *n,
+ struct hlist_nulls_node *first = h->first;
+
+ n->next = first;
+- n->pprev = &h->first;
++ WRITE_ONCE(n->pprev, &h->first);
+ rcu_assign_pointer(hlist_nulls_first_rcu(h), n);
+ if (!is_a_nulls(first))
+- first->pprev = &n->next;
++ WRITE_ONCE(first->pprev, &n->next);
+ }
+ /**
+ * hlist_nulls_for_each_entry_rcu - iterate over rcu list of given type
+--
+2.20.1
+
--- /dev/null
+From b9daa0f0c46a968f76be514df1e2acd249e44379 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 17:47:09 +0100
+Subject: regulator: rk808: Lower log level on optional GPIOs being not
+ available
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit b8a039d37792067c1a380dc710361905724b9b2f ]
+
+RK808 can leverage a couple of GPIOs to tweak the ramp rate during DVS
+(Dynamic Voltage Scaling). These GPIOs are entirely optional but a
+dev_warn() appeared when cleaning this driver to use a more up-to-date
+gpiod API. At least reduce the log level to 'info' as it is totally
+fine to not populate these GPIO on a hardware design.
+
+This change is trivial but it is worth not polluting the logs during
+bringup phase by having real warnings and errors sorted out
+correctly.
+
+Fixes: a13eaf02e2d6 ("regulator: rk808: make better use of the gpiod API")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20191203164709.11127-1-miquel.raynal@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/rk808-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c
+index d86a3dcd61e24..b96d50a03022c 100644
+--- a/drivers/regulator/rk808-regulator.c
++++ b/drivers/regulator/rk808-regulator.c
+@@ -551,7 +551,7 @@ static int rk808_regulator_dt_parse_pdata(struct device *dev,
+ }
+
+ if (!pdata->dvs_gpio[i]) {
+- dev_warn(dev, "there is no dvs%d gpio\n", i);
++ dev_info(dev, "there is no dvs%d gpio\n", i);
+ continue;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 08373057db5191741d1a268c272880b139d6f64f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:35:58 +0100
+Subject: reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 4d5c1adaf893b8aa52525d2b81995e949bcb3239 ]
+
+When we fail to allocate string for journal device name we jump to
+'error' label which tries to unlock reiserfs write lock which is not
+held. Jump to 'error_unlocked' instead.
+
+Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
+index 519bf410e65b2..f9796fd515315 100644
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -1921,7 +1921,7 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
+ if (!sbi->s_jdev) {
+ SWARN(silent, s, "", "Cannot allocate memory for "
+ "journal device name");
+- goto error;
++ goto error_unlocked;
+ }
+ }
+ #ifdef CONFIG_QUOTA
+--
+2.20.1
+
--- /dev/null
+From b9d92843125e8bc185b19d1fb94f542ff59be8dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2020 22:17:26 -0800
+Subject: reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
+
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+
+[ Upstream commit aacee5446a2a1aa35d0a49dab289552578657fb4 ]
+
+The variable inode may be NULL in reiserfs_insert_item(), but there is
+no check before accessing the member of inode.
+
+Fix this by adding NULL pointer check before calling reiserfs_debug().
+
+Link: http://lkml.kernel.org/r/79c5135d-ff25-1cc9-4e99-9f572b88cc00@huawei.com
+Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
+Cc: zhengbin <zhengbin13@huawei.com>
+Cc: Hu Shiyuan <hushiyuan@huawei.com>
+Cc: Feilong Lin <linfeilong@huawei.com>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/stree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
+index 24cbe013240fa..e3a4cbad9620c 100644
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -2249,7 +2249,8 @@ error_out:
+ /* also releases the path */
+ unfix_nodes(&s_ins_balance);
+ #ifdef REISERQUOTA_DEBUG
+- reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE,
++ if (inode)
++ reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE,
+ "reiserquota insert_item(): freeing %u id=%u type=%c",
+ quota_bytes, inode->i_uid, head2type(ih));
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 94a00087710e6fb76f3b106c3ab14150368cb5fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2019 17:52:23 -0500
+Subject: remoteproc: Initialize rproc_class before use
+
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+
+[ Upstream commit a8f40111d184098cd2b3dc0c7170c42250a5fa09 ]
+
+The remoteproc_core and remoteproc drivers all initialize with module_init().
+However remoteproc drivers need the rproc_class during their probe. If one of
+the remoteproc drivers runs init and gets through probe before
+remoteproc_init() runs, a NULL pointer access of rproc_class's `glue_dirs`
+spinlock occurs.
+
+> Unable to handle kernel NULL pointer dereference at virtual address 000000dc
+> pgd = c0004000
+> [000000dc] *pgd=00000000
+> Internal error: Oops: 5 [#1] PREEMPT ARM
+> Modules linked in:
+> CPU: 0 PID: 1 Comm: swapper Tainted: G W 4.14.106-rt56 #1
+> Hardware name: Generic OMAP36xx (Flattened Device Tree)
+> task: c6050000 task.stack: c604a000
+> PC is at rt_spin_lock+0x40/0x6c
+> LR is at rt_spin_lock+0x28/0x6c
+> pc : [<c0523c90>] lr : [<c0523c78>] psr: 60000013
+> sp : c604bdc0 ip : 00000000 fp : 00000000
+> r10: 00000000 r9 : c61c7c10 r8 : c6269c20
+> r7 : c0905888 r6 : c6269c20 r5 : 00000000 r4 : 000000d4
+> r3 : 000000dc r2 : c6050000 r1 : 00000002 r0 : 000000d4
+> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+...
+> [<c0523c90>] (rt_spin_lock) from [<c03b65a4>] (get_device_parent+0x54/0x17c)
+> [<c03b65a4>] (get_device_parent) from [<c03b6bec>] (device_add+0xe0/0x5b4)
+> [<c03b6bec>] (device_add) from [<c042adf4>] (rproc_add+0x18/0xd8)
+> [<c042adf4>] (rproc_add) from [<c01110e4>] (my_rproc_probe+0x158/0x204)
+> [<c01110e4>] (my_rproc_probe) from [<c03bb6b8>] (platform_drv_probe+0x34/0x70)
+> [<c03bb6b8>] (platform_drv_probe) from [<c03b9dd4>] (driver_probe_device+0x2c8/0x420)
+> [<c03b9dd4>] (driver_probe_device) from [<c03ba02c>] (__driver_attach+0x100/0x11c)
+> [<c03ba02c>] (__driver_attach) from [<c03b7d08>] (bus_for_each_dev+0x7c/0xc0)
+> [<c03b7d08>] (bus_for_each_dev) from [<c03b910c>] (bus_add_driver+0x1cc/0x264)
+> [<c03b910c>] (bus_add_driver) from [<c03ba714>] (driver_register+0x78/0xf8)
+> [<c03ba714>] (driver_register) from [<c010181c>] (do_one_initcall+0x100/0x190)
+> [<c010181c>] (do_one_initcall) from [<c0800de8>] (kernel_init_freeable+0x130/0x1d0)
+> [<c0800de8>] (kernel_init_freeable) from [<c051eee8>] (kernel_init+0x8/0x114)
+> [<c051eee8>] (kernel_init) from [<c01175b0>] (ret_from_fork+0x14/0x24)
+> Code: e2843008 e3c2203f f5d3f000 e5922010 (e193cf9f)
+> ---[ end trace 0000000000000002 ]---
+
+Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
+Link: https://lore.kernel.org/r/20190530225223.136420-1-brandon.maier@rockwellcollins.com
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/remoteproc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
+index 4f7ce0097191d..b76ef5244b655 100644
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -1477,7 +1477,7 @@ static int __init remoteproc_init(void)
+
+ return 0;
+ }
+-module_init(remoteproc_init);
++subsys_initcall(remoteproc_init);
+
+ static void __exit remoteproc_exit(void)
+ {
+--
+2.20.1
+
--- /dev/null
+From 7789f94e56dcdd36824207478e8ea519907cb485 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 00:55:29 +0700
+Subject: rtlwifi: rtl_pci: Fix -Wcast-function-type
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+[ Upstream commit cb775c88da5d48a85d99d95219f637b6fad2e0e9 ]
+
+correct usage prototype of callback in tasklet_init().
+Report by https://github.com/KSPP/linux/issues/20
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index b51815eccdb3b..17a07d6b961c7 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -1096,13 +1096,15 @@ done:
+ return ret;
+ }
+
+-static void _rtl_pci_irq_tasklet(struct ieee80211_hw *hw)
++static void _rtl_pci_irq_tasklet(unsigned long data)
+ {
++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data;
+ _rtl_pci_tx_chk_waitq(hw);
+ }
+
+-static void _rtl_pci_prepare_bcn_tasklet(struct ieee80211_hw *hw)
++static void _rtl_pci_prepare_bcn_tasklet(unsigned long data)
+ {
++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data;
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
+ struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
+@@ -1223,10 +1225,10 @@ static void _rtl_pci_init_struct(struct ieee80211_hw *hw,
+
+ /*task */
+ tasklet_init(&rtlpriv->works.irq_tasklet,
+- (void (*)(unsigned long))_rtl_pci_irq_tasklet,
++ _rtl_pci_irq_tasklet,
+ (unsigned long)hw);
+ tasklet_init(&rtlpriv->works.irq_prepare_bcn_tasklet,
+- (void (*)(unsigned long))_rtl_pci_prepare_bcn_tasklet,
++ _rtl_pci_prepare_bcn_tasklet,
+ (unsigned long)hw);
+ INIT_WORK(&rtlpriv->works.lps_change_work,
+ rtl_lps_change_work_callback);
+--
+2.20.1
+
--- /dev/null
+From a04ad3d769f4c20d1f22fc913fa1c0369eb0a9ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 14:33:39 +0100
+Subject: s390/ftrace: generate traced function stack frame
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 45f7a0da600d3c409b5ad8d5ddddacd98ddc8840 ]
+
+Currently backtrace from ftraced function does not contain ftraced
+function itself. e.g. for "path_openat":
+
+arch_stack_walk+0x15c/0x2d8
+stack_trace_save+0x50/0x68
+stack_trace_call+0x15e/0x3d8
+ftrace_graph_caller+0x0/0x1c <-- ftrace code
+do_filp_open+0x7c/0xe8 <-- ftraced function caller
+do_open_execat+0x76/0x1b8
+open_exec+0x52/0x78
+load_elf_binary+0x180/0x1160
+search_binary_handler+0x8e/0x288
+load_script+0x2a8/0x2b8
+search_binary_handler+0x8e/0x288
+__do_execve_file.isra.39+0x6fa/0xb40
+__s390x_sys_execve+0x56/0x68
+system_call+0xdc/0x2d8
+
+Ftraced function is expected in the backtrace by ftrace kselftests, which
+are now failing. It would also be nice to have it for clarity reasons.
+
+"ftrace_caller" itself is called without stack frame allocated for it
+and does not store its caller (ftraced function). Instead it simply
+allocates a stack frame for "ftrace_trace_function" and sets backchain
+to point to ftraced function stack frame (which contains ftraced function
+caller in saved r14).
+
+To fix this issue make "ftrace_caller" allocate a stack frame
+for itself just to store ftraced function for the stack unwinder.
+As a result backtrace looks like the following:
+
+arch_stack_walk+0x15c/0x2d8
+stack_trace_save+0x50/0x68
+stack_trace_call+0x15e/0x3d8
+ftrace_graph_caller+0x0/0x1c <-- ftrace code
+path_openat+0x6/0xd60 <-- ftraced function
+do_filp_open+0x7c/0xe8 <-- ftraced function caller
+do_open_execat+0x76/0x1b8
+open_exec+0x52/0x78
+load_elf_binary+0x180/0x1160
+search_binary_handler+0x8e/0x288
+load_script+0x2a8/0x2b8
+search_binary_handler+0x8e/0x288
+__do_execve_file.isra.39+0x6fa/0xb40
+__s390x_sys_execve+0x56/0x68
+system_call+0xdc/0x2d8
+
+Reported-by: Sven Schnelle <sven.schnelle@ibm.com>
+Tested-by: Sven Schnelle <sven.schnelle@ibm.com>
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/mcount.S | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S
+index 6c1c7d399bf95..78ba14546e007 100644
+--- a/arch/s390/kernel/mcount.S
++++ b/arch/s390/kernel/mcount.S
+@@ -23,6 +23,12 @@ ENTRY(ftrace_stub)
+ #define STACK_PTREGS (STACK_FRAME_OVERHEAD)
+ #define STACK_PTREGS_GPRS (STACK_PTREGS + __PT_GPRS)
+ #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW)
++#ifdef __PACK_STACK
++/* allocate just enough for r14, r15 and backchain */
++#define TRACED_FUNC_FRAME_SIZE 24
++#else
++#define TRACED_FUNC_FRAME_SIZE STACK_FRAME_OVERHEAD
++#endif
+
+ ENTRY(_mcount)
+ BR_EX %r14
+@@ -34,9 +40,16 @@ ENTRY(ftrace_caller)
+ #ifndef CC_USING_HOTPATCH
+ aghi %r0,MCOUNT_RETURN_FIXUP
+ #endif
+- aghi %r15,-STACK_FRAME_SIZE
++ # allocate stack frame for ftrace_caller to contain traced function
++ aghi %r15,-TRACED_FUNC_FRAME_SIZE
+ stg %r1,__SF_BACKCHAIN(%r15)
++ stg %r0,(__SF_GPRS+8*8)(%r15)
++ stg %r15,(__SF_GPRS+9*8)(%r15)
++ # allocate pt_regs and stack frame for ftrace_trace_function
++ aghi %r15,-STACK_FRAME_SIZE
+ stg %r1,(STACK_PTREGS_GPRS+15*8)(%r15)
++ aghi %r1,-TRACED_FUNC_FRAME_SIZE
++ stg %r1,__SF_BACKCHAIN(%r15)
+ stg %r0,(STACK_PTREGS_PSW+8)(%r15)
+ stmg %r2,%r14,(STACK_PTREGS_GPRS+2*8)(%r15)
+ #ifdef CONFIG_HAVE_MARCH_Z196_FEATURES
+--
+2.20.1
+
--- /dev/null
+From af9298ab1865a18f411bb5e829a7249a2f47ea67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 18:42:20 -0700
+Subject: scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 4dbc96ad65c45cdd4e895ed7ae4c151b780790c5 ]
+
+Clang warns:
+
+../drivers/scsi/aic7xxx/aic7xxx_core.c:2317:5: warning: misleading
+indentation; statement is not part of the previous 'if'
+[-Wmisleading-indentation]
+ if ((syncrate->sxfr_u2 & ST_SXFR) != 0)
+ ^
+../drivers/scsi/aic7xxx/aic7xxx_core.c:2310:4: note: previous statement
+is here
+ if (syncrate == &ahc_syncrates[maxsync])
+ ^
+1 warning generated.
+
+This warning occurs because there is a space amongst the tabs on this
+line. Remove it so that the indentation is consistent with the Linux kernel
+coding style and clang no longer warns.
+
+This has been a problem since the beginning of git history hence no fixes
+tag.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/817
+Link: https://lore.kernel.org/r/20191218014220.52746-1-natechancellor@gmail.com
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aic7xxx/aic7xxx_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aic7xxx/aic7xxx_core.c b/drivers/scsi/aic7xxx/aic7xxx_core.c
+index 64ab9eaec428c..def3208dd2905 100644
+--- a/drivers/scsi/aic7xxx/aic7xxx_core.c
++++ b/drivers/scsi/aic7xxx/aic7xxx_core.c
+@@ -2321,7 +2321,7 @@ ahc_find_syncrate(struct ahc_softc *ahc, u_int *period,
+ * At some speeds, we only support
+ * ST transfers.
+ */
+- if ((syncrate->sxfr_u2 & ST_SXFR) != 0)
++ if ((syncrate->sxfr_u2 & ST_SXFR) != 0)
+ *ppr_options &= ~MSG_EXT_PPR_DT_REQ;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 195c755e15e6d38a6f0f1bb380816cbc2143d0da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Dec 2019 15:31:48 -0500
+Subject: scsi: iscsi: Don't destroy session if there are outstanding
+ connections
+
+From: Nick Black <nlb@google.com>
+
+[ Upstream commit 54155ed4199c7aa3fd20866648024ab63c96d579 ]
+
+A faulty userspace that calls destroy_session() before destroying the
+connections can trigger the failure. This patch prevents the issue by
+refusing to destroy the session if there are outstanding connections.
+
+------------[ cut here ]------------
+kernel BUG at mm/slub.c:306!
+invalid opcode: 0000 [#1] SMP PTI
+CPU: 1 PID: 1224 Comm: iscsid Not tainted 5.4.0-rc2.iscsi+ #7
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+RIP: 0010:__slab_free+0x181/0x350
+[...]
+[ 1209.686056] RSP: 0018:ffffa93d4074fae0 EFLAGS: 00010246
+[ 1209.686694] RAX: ffff934efa5ad800 RBX: 000000008010000a RCX: ffff934efa5ad800
+[ 1209.687651] RDX: ffff934efa5ad800 RSI: ffffeb4041e96b00 RDI: ffff934efd402c40
+[ 1209.688582] RBP: ffffa93d4074fb80 R08: 0000000000000001 R09: ffffffffbb5dfa26
+[ 1209.689425] R10: ffff934efa5ad800 R11: 0000000000000001 R12: ffffeb4041e96b00
+[ 1209.690285] R13: ffff934efa5ad800 R14: ffff934efd402c40 R15: 0000000000000000
+[ 1209.691213] FS: 00007f7945dfb540(0000) GS:ffff934efda80000(0000) knlGS:0000000000000000
+[ 1209.692316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1209.693013] CR2: 000055877fd3da80 CR3: 0000000077384000 CR4: 00000000000006e0
+[ 1209.693897] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1209.694773] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1209.695631] Call Trace:
+[ 1209.695957] ? __wake_up_common_lock+0x8a/0xc0
+[ 1209.696712] iscsi_pool_free+0x26/0x40
+[ 1209.697263] iscsi_session_teardown+0x2f/0xf0
+[ 1209.698117] iscsi_sw_tcp_session_destroy+0x45/0x60
+[ 1209.698831] iscsi_if_rx+0xd88/0x14e0
+[ 1209.699370] netlink_unicast+0x16f/0x200
+[ 1209.699932] netlink_sendmsg+0x21a/0x3e0
+[ 1209.700446] sock_sendmsg+0x4f/0x60
+[ 1209.700902] ___sys_sendmsg+0x2ae/0x320
+[ 1209.701451] ? cp_new_stat+0x150/0x180
+[ 1209.701922] __sys_sendmsg+0x59/0xa0
+[ 1209.702357] do_syscall_64+0x52/0x160
+[ 1209.702812] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1209.703419] RIP: 0033:0x7f7946433914
+[...]
+[ 1209.706084] RSP: 002b:00007fffb99f2378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 1209.706994] RAX: ffffffffffffffda RBX: 000055bc869eac20 RCX: 00007f7946433914
+[ 1209.708082] RDX: 0000000000000000 RSI: 00007fffb99f2390 RDI: 0000000000000005
+[ 1209.709120] RBP: 00007fffb99f2390 R08: 000055bc84fe9320 R09: 00007fffb99f1f07
+[ 1209.710110] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038
+[ 1209.711085] R13: 000055bc8502306e R14: 0000000000000000 R15: 0000000000000000
+ Modules linked in:
+ ---[ end trace a2d933ede7f730d8 ]---
+
+Link: https://lore.kernel.org/r/20191226203148.2172200-1-krisman@collabora.com
+Signed-off-by: Nick Black <nlb@google.com>
+Co-developed-by: Salman Qazi <sqazi@google.com>
+Signed-off-by: Salman Qazi <sqazi@google.com>
+Co-developed-by: Junho Ryu <jayr@google.com>
+Signed-off-by: Junho Ryu <jayr@google.com>
+Co-developed-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Co-developed-by: Gabriel Krisman Bertazi <krisman@collabora.com>
+Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 4 ++++
+ drivers/scsi/scsi_transport_iscsi.c | 26 +++++++++++++++++++++++---
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index fccb8991bd5b7..64a49dccb0b63 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -872,6 +872,10 @@ free_host:
+ static void iscsi_sw_tcp_session_destroy(struct iscsi_cls_session *cls_session)
+ {
+ struct Scsi_Host *shost = iscsi_session_to_shost(cls_session);
++ struct iscsi_session *session = cls_session->dd_data;
++
++ if (WARN_ON_ONCE(session->leadconn))
++ return;
+
+ iscsi_tcp_r2tpool_free(cls_session->dd_data);
+ iscsi_session_teardown(cls_session);
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index ab32e60736424..20cf01d6ded7e 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2965,6 +2965,24 @@ iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev)
+ return err;
+ }
+
++static int iscsi_session_has_conns(int sid)
++{
++ struct iscsi_cls_conn *conn;
++ unsigned long flags;
++ int found = 0;
++
++ spin_lock_irqsave(&connlock, flags);
++ list_for_each_entry(conn, &connlist, conn_list) {
++ if (iscsi_conn_get_sid(conn) == sid) {
++ found = 1;
++ break;
++ }
++ }
++ spin_unlock_irqrestore(&connlock, flags);
++
++ return found;
++}
++
+ static int
+ iscsi_set_iface_params(struct iscsi_transport *transport,
+ struct iscsi_uevent *ev, uint32_t len)
+@@ -3539,10 +3557,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
+ break;
+ case ISCSI_UEVENT_DESTROY_SESSION:
+ session = iscsi_session_lookup(ev->u.d_session.sid);
+- if (session)
+- transport->destroy_session(session);
+- else
++ if (!session)
+ err = -EINVAL;
++ else if (iscsi_session_has_conns(ev->u.d_session.sid))
++ err = -EBUSY;
++ else
++ transport->destroy_session(session);
+ break;
+ case ISCSI_UEVENT_UNBIND_SESSION:
+ session = iscsi_session_lookup(ev->u.d_session.sid);
+--
+2.20.1
+
--- /dev/null
+From 50c078a8b1b5c4798d9dc4f178da68aa96e386f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 17:25:47 +0530
+Subject: selinux: ensure we cleanup the internal AVC counters on error in
+ avc_update()
+
+From: Jaihind Yadav <jaihindyadav@codeaurora.org>
+
+[ Upstream commit 030b995ad9ece9fa2d218af4429c1c78c2342096 ]
+
+In AVC update we don't call avc_node_kill() when avc_xperms_populate()
+fails, resulting in the avc->avc_cache.active_nodes counter having a
+false value. In last patch this changes was missed , so correcting it.
+
+Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
+Signed-off-by: Jaihind Yadav <jaihindyadav@codeaurora.org>
+Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
+[PM: merge fuzz, minor description cleanup]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/avc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/avc.c b/security/selinux/avc.c
+index 52f3c550abcc4..f3c473791b698 100644
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -865,7 +865,7 @@ static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
+ if (orig->ae.xp_node) {
+ rc = avc_xperms_populate(node, orig->ae.xp_node);
+ if (rc) {
+- kmem_cache_free(avc_node_cachep, node);
++ avc_node_kill(node);
+ goto out_unlock;
+ }
+ }
+--
+2.20.1
+
btrfs-print-message-when-tree-log-replay-starts.patch
scsi-qla2xxx-fix-a-potential-null-pointer-dereference.patch
revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch
+drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch
+nfsd4-avoid-null-deference-on-strange-copy-compounds.patch
+brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch
+gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch
+pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch
+media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch
+media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch
+efi-x86-map-the-entire-efi-vendor-string-before-copy.patch
+mips-loongson-fix-potential-null-dereference-in-loon.patch
+uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch
+usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch
+nfs-nfs_swap-should-depend-on-swap.patch
+jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch
+tracing-fix-very-unlikely-race-of-registering-two-st.patch
+ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch
+kconfig-fix-broken-dependency-in-randconfig-generate.patch
+clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch
+drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch
+regulator-rk808-lower-log-level-on-optional-gpios-be.patch
+nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch
+padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch
+reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch
+isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch
+alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch
+b43legacy-fix-wcast-function-type.patch
+ipw2x00-fix-wcast-function-type.patch
+iwlegacy-fix-wcast-function-type.patch
+rtlwifi-rtl_pci-fix-wcast-function-type.patch
+orinoco-avoid-assertion-in-case-of-null-pointer.patch
+acpica-disassembler-create-buffer-fields-in-acpi_par.patch
+scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch
+arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch
+x86-vdso-provide-missing-include-file.patch
+pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch
+alsa-sh-fix-compile-warning-wrt-const.patch
+tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch
+usbip-fix-unsafe-unaligned-pointer-usage.patch
+soc-tegra-fuse-correct-straps-address-for-older-tegr.patch
+rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch
+input-edt-ft5x06-work-around-first-register-access-e.patch
+wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch
+asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch
+pci-don-t-disable-bridge-bars-when-assigning-bus-res.patch
+driver-core-print-device-when-resources-present-in-r.patch
+drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch
+drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch
+iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch
+scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch
+cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch
+ide-serverworks-potential-overflow-in-svwks_set_pio_.patch
+remoteproc-initialize-rproc_class-before-use.patch
+s390-ftrace-generate-traced-function-stack-frame.patch
+alsa-hda-add-docking-station-support-for-lenovo-thin.patch
+jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch
+arm-8951-1-fix-kexec-compilation-issue.patch
+hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch
+iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch
+drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch
+trigger_next-should-increase-position-index.patch
+radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch
+ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch
+lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch
+reiserfs-prevent-null-pointer-dereference-in-reiserf.patch
+bcache-explicity-type-cast-in-bset_bkey_last.patch
+irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch
+microblaze-prevent-the-overflow-of-the-start.patch
+brd-check-and-limit-max_part-par.patch
+selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
--- /dev/null
+From a44f86232f7a43b72bd547b02ec83d92eda10f33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 21:23:03 +0300
+Subject: soc/tegra: fuse: Correct straps' address for older Tegra124 device
+ trees
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit 2d9ea1934f8ef0dfb862d103389562cc28b4fc03 ]
+
+Trying to read out Chip ID before APBMISC registers are mapped won't
+succeed, in a result Tegra124 gets a wrong address for the HW straps
+register if machine uses an old outdated device tree.
+
+Fixes: 297c4f3dcbff ("soc/tegra: fuse: Restrict legacy code to 32-bit ARM")
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/fuse/tegra-apbmisc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/tegra/fuse/tegra-apbmisc.c b/drivers/soc/tegra/fuse/tegra-apbmisc.c
+index 5b18f6ffa45c7..cd61c883c19f5 100644
+--- a/drivers/soc/tegra/fuse/tegra-apbmisc.c
++++ b/drivers/soc/tegra/fuse/tegra-apbmisc.c
+@@ -134,7 +134,7 @@ void __init tegra_init_apbmisc(void)
+ apbmisc.flags = IORESOURCE_MEM;
+
+ /* strapping options */
+- if (tegra_get_chip_id() == TEGRA124) {
++ if (of_machine_is_compatible("nvidia,tegra124")) {
+ straps.start = 0x7000e864;
+ straps.end = 0x7000e867;
+ } else {
+--
+2.20.1
+
--- /dev/null
+From 63eeab91223a6a28d6e497c799290b7e74bd6947 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 08:01:09 +0000
+Subject: tools lib api fs: Fix gcc9 stringop-truncation compilation error
+
+From: Andrey Zhizhikin <andrey.z@gmail.com>
+
+[ Upstream commit 6794200fa3c9c3e6759dae099145f23e4310f4f7 ]
+
+GCC9 introduced string hardening mechanisms, which exhibits the error
+during fs api compilation:
+
+error: '__builtin_strncpy' specified bound 4096 equals destination size
+[-Werror=stringop-truncation]
+
+This comes when the length of copy passed to strncpy is is equal to
+destination size, which could potentially lead to buffer overflow.
+
+There is a need to mitigate this potential issue by limiting the size of
+destination by 1 and explicitly terminate the destination with NULL.
+
+Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: bpf@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20191211080109.18765-1-andrey.zhizhikin@leica-geosystems.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/api/fs/fs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c
+index 459599d1b6c41..58f05748dd39e 100644
+--- a/tools/lib/api/fs/fs.c
++++ b/tools/lib/api/fs/fs.c
+@@ -179,6 +179,7 @@ static bool fs__env_override(struct fs *fs)
+ size_t name_len = strlen(fs->name);
+ /* name + "_PATH" + '\0' */
+ char upper_name[name_len + 5 + 1];
++
+ memcpy(upper_name, fs->name, name_len);
+ mem_toupper(upper_name, name_len);
+ strcpy(&upper_name[name_len], "_PATH");
+@@ -188,7 +189,8 @@ static bool fs__env_override(struct fs *fs)
+ return false;
+
+ fs->found = true;
+- strncpy(fs->path, override_path, sizeof(fs->path));
++ strncpy(fs->path, override_path, sizeof(fs->path) - 1);
++ fs->path[sizeof(fs->path) - 1] = '\0';
+ return true;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 00be0564d3ae6fc1b185c63b6c7df911fe15755f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jan 2020 17:47:49 -0500
+Subject: tracing: Fix very unlikely race of registering two stat tracers
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+[ Upstream commit dfb6cd1e654315168e36d947471bd2a0ccd834ae ]
+
+Looking through old emails in my INBOX, I came across a patch from Luis
+Henriques that attempted to fix a race of two stat tracers registering the
+same stat trace (extremely unlikely, as this is done in the kernel, and
+probably doesn't even exist). The submitted patch wasn't quite right as it
+needed to deal with clean up a bit better (if two stat tracers were the
+same, it would have the same files).
+
+But to make the code cleaner, all we needed to do is to keep the
+all_stat_sessions_mutex held for most of the registering function.
+
+Link: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com
+
+Fixes: 002bb86d8d42f ("tracing/ftrace: separate events tracing and stats tracing engine")
+Reported-by: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_stat.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c
+index 6cf9353167696..a2081a7f0c2cd 100644
+--- a/kernel/trace/trace_stat.c
++++ b/kernel/trace/trace_stat.c
+@@ -302,7 +302,7 @@ static int init_stat_file(struct stat_session *session)
+ int register_stat_tracer(struct tracer_stat *trace)
+ {
+ struct stat_session *session, *node;
+- int ret;
++ int ret = -EINVAL;
+
+ if (!trace)
+ return -EINVAL;
+@@ -313,17 +313,15 @@ int register_stat_tracer(struct tracer_stat *trace)
+ /* Already registered? */
+ mutex_lock(&all_stat_sessions_mutex);
+ list_for_each_entry(node, &all_stat_sessions, session_list) {
+- if (node->ts == trace) {
+- mutex_unlock(&all_stat_sessions_mutex);
+- return -EINVAL;
+- }
++ if (node->ts == trace)
++ goto out;
+ }
+- mutex_unlock(&all_stat_sessions_mutex);
+
++ ret = -ENOMEM;
+ /* Init the session */
+ session = kzalloc(sizeof(*session), GFP_KERNEL);
+ if (!session)
+- return -ENOMEM;
++ goto out;
+
+ session->ts = trace;
+ INIT_LIST_HEAD(&session->session_list);
+@@ -332,15 +330,16 @@ int register_stat_tracer(struct tracer_stat *trace)
+ ret = init_stat_file(session);
+ if (ret) {
+ destroy_session(session);
+- return ret;
++ goto out;
+ }
+
++ ret = 0;
+ /* Register */
+- mutex_lock(&all_stat_sessions_mutex);
+ list_add_tail(&session->session_list, &all_stat_sessions);
++ out:
+ mutex_unlock(&all_stat_sessions_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ void unregister_stat_tracer(struct tracer_stat *trace)
+--
+2.20.1
+
--- /dev/null
+From 640e84aa241d66a4578e5c6ecfd4e190716f4ea5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jan 2020 10:03:06 +0300
+Subject: trigger_next should increase position index
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+[ Upstream commit 6722b23e7a2ace078344064a9735fb73e554e9ef ]
+
+if seq_file .next fuction does not change position index,
+read after some lseek can generate unexpected output.
+
+Without patch:
+ # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger
+ dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset
+ n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
+ # Available triggers:
+ # traceon traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
+ 6+1 records in
+ 6+1 records out
+ 206 bytes copied, 0.00027916 s, 738 kB/s
+
+Notice the printing of "# Available triggers:..." after the line.
+
+With the patch:
+ # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger
+ dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset
+ n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
+ 2+1 records in
+ 2+1 records out
+ 88 bytes copied, 0.000526867 s, 167 kB/s
+
+It only prints the end of the file, and does not restart.
+
+Link: http://lkml.kernel.org/r/3c35ee24-dd3a-8119-9c19-552ed253388a@virtuozzo.com
+
+https://bugzilla.kernel.org/show_bug.cgi?id=206283
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_trigger.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
+index 8be66a2b0cacf..6524920c6ebc8 100644
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -121,9 +121,10 @@ static void *trigger_next(struct seq_file *m, void *t, loff_t *pos)
+ {
+ struct trace_event_file *event_file = event_file_data(m->private);
+
+- if (t == SHOW_AVAILABLE_TRIGGERS)
++ if (t == SHOW_AVAILABLE_TRIGGERS) {
++ (*pos)++;
+ return NULL;
+-
++ }
+ return seq_list_next(t, &event_file->triggers, pos);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6b56c73f953c2d03d3d0058bd0a6a1227c3156d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 17:44:05 +0800
+Subject: uio: fix a sleep-in-atomic-context bug in
+ uio_dmem_genirq_irqcontrol()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit b74351287d4bd90636c3f48bc188c2f53824c2d4 ]
+
+The driver may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+kernel/irq/manage.c, 523:
+ synchronize_irq in disable_irq
+drivers/uio/uio_dmem_genirq.c, 140:
+ disable_irq in uio_dmem_genirq_irqcontrol
+drivers/uio/uio_dmem_genirq.c, 134:
+ _raw_spin_lock_irqsave in uio_dmem_genirq_irqcontrol
+
+synchronize_irq() can sleep at runtime.
+
+To fix this bug, disable_irq() is called without holding the spinlock.
+
+This bug is found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Link: https://lore.kernel.org/r/20191218094405.6009-1-baijiaju1990@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/uio/uio_dmem_genirq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
+index e1134a4d97f3f..a00b4aee6c799 100644
+--- a/drivers/uio/uio_dmem_genirq.c
++++ b/drivers/uio/uio_dmem_genirq.c
+@@ -135,11 +135,13 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on)
+ if (irq_on) {
+ if (test_and_clear_bit(0, &priv->flags))
+ enable_irq(dev_info->irq);
++ spin_unlock_irqrestore(&priv->lock, flags);
+ } else {
+- if (!test_and_set_bit(0, &priv->flags))
++ if (!test_and_set_bit(0, &priv->flags)) {
++ spin_unlock_irqrestore(&priv->lock, flags);
+ disable_irq(dev_info->irq);
++ }
+ }
+- spin_unlock_irqrestore(&priv->lock, flags);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 7a1d568920ab7377d38933a8f898d5b8d80e55a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:43:49 +0800
+Subject: usb: gadget: udc: fix possible sleep-in-atomic-context bugs in
+ gr_probe()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 9c1ed62ae0690dfe5d5e31d8f70e70a95cb48e52 ]
+
+The driver may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+drivers/usb/gadget/udc/core.c, 1175:
+ kzalloc(GFP_KERNEL) in usb_add_gadget_udc_release
+drivers/usb/gadget/udc/core.c, 1272:
+ usb_add_gadget_udc_release in usb_add_gadget_udc
+drivers/usb/gadget/udc/gr_udc.c, 2186:
+ usb_add_gadget_udc in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2183:
+ spin_lock in gr_probe
+
+drivers/usb/gadget/udc/core.c, 1195:
+ mutex_lock in usb_add_gadget_udc_release
+drivers/usb/gadget/udc/core.c, 1272:
+ usb_add_gadget_udc_release in usb_add_gadget_udc
+drivers/usb/gadget/udc/gr_udc.c, 2186:
+ usb_add_gadget_udc in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2183:
+ spin_lock in gr_probe
+
+drivers/usb/gadget/udc/gr_udc.c, 212:
+ debugfs_create_file in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2197:
+ gr_dfs_create in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2183:
+ spin_lock in gr_probe
+
+drivers/usb/gadget/udc/gr_udc.c, 2114:
+ devm_request_threaded_irq in gr_request_irq
+drivers/usb/gadget/udc/gr_udc.c, 2202:
+ gr_request_irq in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2183:
+ spin_lock in gr_probe
+
+kzalloc(GFP_KERNEL), mutex_lock(), debugfs_create_file() and
+devm_request_threaded_irq() can sleep at runtime.
+
+To fix these possible bugs, usb_add_gadget_udc(), gr_dfs_create() and
+gr_request_irq() are called without handling the spinlock.
+
+These bugs are found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/gr_udc.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/gr_udc.c b/drivers/usb/gadget/udc/gr_udc.c
+index b9429bc425116..594639e5cbf82 100644
+--- a/drivers/usb/gadget/udc/gr_udc.c
++++ b/drivers/usb/gadget/udc/gr_udc.c
+@@ -2201,8 +2201,6 @@ static int gr_probe(struct platform_device *pdev)
+ return -ENOMEM;
+ }
+
+- spin_lock(&dev->lock);
+-
+ /* Inside lock so that no gadget can use this udc until probe is done */
+ retval = usb_add_gadget_udc(dev->dev, &dev->gadget);
+ if (retval) {
+@@ -2211,15 +2209,21 @@ static int gr_probe(struct platform_device *pdev)
+ }
+ dev->added = 1;
+
++ spin_lock(&dev->lock);
++
+ retval = gr_udc_init(dev);
+- if (retval)
++ if (retval) {
++ spin_unlock(&dev->lock);
+ goto out;
+-
+- gr_dfs_create(dev);
++ }
+
+ /* Clear all interrupt enables that might be left on since last boot */
+ gr_disable_interrupts_and_pullup(dev);
+
++ spin_unlock(&dev->lock);
++
++ gr_dfs_create(dev);
++
+ retval = gr_request_irq(dev, dev->irq);
+ if (retval) {
+ dev_err(dev->dev, "Failed to request irq %d\n", dev->irq);
+@@ -2248,8 +2252,6 @@ static int gr_probe(struct platform_device *pdev)
+ dev_info(dev->dev, "regs: %p, irq %d\n", dev->regs, dev->irq);
+
+ out:
+- spin_unlock(&dev->lock);
+-
+ if (retval)
+ gr_remove(pdev);
+
+--
+2.20.1
+
--- /dev/null
+From af02c3b9fa23c95432b022b162a1e8de0483e52c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2020 18:24:16 -0700
+Subject: usbip: Fix unsafe unaligned pointer usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit 585c91f40d201bc564d4e76b83c05b3b5363fe7e ]
+
+Fix unsafe unaligned pointer usage in usbip network interfaces. usbip tool
+build fails with new gcc -Werror=address-of-packed-member checks.
+
+usbip_network.c: In function ‘usbip_net_pack_usb_device’:
+usbip_network.c:79:32: error: taking address of packed member of ‘struct usbip_usb_device’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
+ 79 | usbip_net_pack_uint32_t(pack, &udev->busnum);
+
+Fix with minor changes to pass by value instead of by address.
+
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20200109012416.2875-1-skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/usb/usbip/src/usbip_network.c | 40 +++++++++++++++++------------
+ tools/usb/usbip/src/usbip_network.h | 12 +++------
+ 2 files changed, 27 insertions(+), 25 deletions(-)
+
+diff --git a/tools/usb/usbip/src/usbip_network.c b/tools/usb/usbip/src/usbip_network.c
+index b4c37e76a6e08..187dfaa67d0a2 100644
+--- a/tools/usb/usbip/src/usbip_network.c
++++ b/tools/usb/usbip/src/usbip_network.c
+@@ -62,39 +62,39 @@ void usbip_setup_port_number(char *arg)
+ info("using port %d (\"%s\")", usbip_port, usbip_port_string);
+ }
+
+-void usbip_net_pack_uint32_t(int pack, uint32_t *num)
++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num)
+ {
+ uint32_t i;
+
+ if (pack)
+- i = htonl(*num);
++ i = htonl(num);
+ else
+- i = ntohl(*num);
++ i = ntohl(num);
+
+- *num = i;
++ return i;
+ }
+
+-void usbip_net_pack_uint16_t(int pack, uint16_t *num)
++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num)
+ {
+ uint16_t i;
+
+ if (pack)
+- i = htons(*num);
++ i = htons(num);
+ else
+- i = ntohs(*num);
++ i = ntohs(num);
+
+- *num = i;
++ return i;
+ }
+
+ void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev)
+ {
+- usbip_net_pack_uint32_t(pack, &udev->busnum);
+- usbip_net_pack_uint32_t(pack, &udev->devnum);
+- usbip_net_pack_uint32_t(pack, &udev->speed);
++ udev->busnum = usbip_net_pack_uint32_t(pack, udev->busnum);
++ udev->devnum = usbip_net_pack_uint32_t(pack, udev->devnum);
++ udev->speed = usbip_net_pack_uint32_t(pack, udev->speed);
+
+- usbip_net_pack_uint16_t(pack, &udev->idVendor);
+- usbip_net_pack_uint16_t(pack, &udev->idProduct);
+- usbip_net_pack_uint16_t(pack, &udev->bcdDevice);
++ udev->idVendor = usbip_net_pack_uint16_t(pack, udev->idVendor);
++ udev->idProduct = usbip_net_pack_uint16_t(pack, udev->idProduct);
++ udev->bcdDevice = usbip_net_pack_uint16_t(pack, udev->bcdDevice);
+ }
+
+ void usbip_net_pack_usb_interface(int pack __attribute__((unused)),
+@@ -141,6 +141,14 @@ ssize_t usbip_net_send(int sockfd, void *buff, size_t bufflen)
+ return usbip_net_xmit(sockfd, buff, bufflen, 1);
+ }
+
++static inline void usbip_net_pack_op_common(int pack,
++ struct op_common *op_common)
++{
++ op_common->version = usbip_net_pack_uint16_t(pack, op_common->version);
++ op_common->code = usbip_net_pack_uint16_t(pack, op_common->code);
++ op_common->status = usbip_net_pack_uint32_t(pack, op_common->status);
++}
++
+ int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status)
+ {
+ struct op_common op_common;
+@@ -152,7 +160,7 @@ int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status)
+ op_common.code = code;
+ op_common.status = status;
+
+- PACK_OP_COMMON(1, &op_common);
++ usbip_net_pack_op_common(1, &op_common);
+
+ rc = usbip_net_send(sockfd, &op_common, sizeof(op_common));
+ if (rc < 0) {
+@@ -176,7 +184,7 @@ int usbip_net_recv_op_common(int sockfd, uint16_t *code)
+ goto err;
+ }
+
+- PACK_OP_COMMON(0, &op_common);
++ usbip_net_pack_op_common(0, &op_common);
+
+ if (op_common.version != USBIP_VERSION) {
+ dbg("version mismatch: %d %d", op_common.version,
+diff --git a/tools/usb/usbip/src/usbip_network.h b/tools/usb/usbip/src/usbip_network.h
+index c1e875cf1078c..573fa839b66b7 100644
+--- a/tools/usb/usbip/src/usbip_network.h
++++ b/tools/usb/usbip/src/usbip_network.h
+@@ -33,12 +33,6 @@ struct op_common {
+
+ } __attribute__((packed));
+
+-#define PACK_OP_COMMON(pack, op_common) do {\
+- usbip_net_pack_uint16_t(pack, &(op_common)->version);\
+- usbip_net_pack_uint16_t(pack, &(op_common)->code);\
+- usbip_net_pack_uint32_t(pack, &(op_common)->status);\
+-} while (0)
+-
+ /* ---------------------------------------------------------------------- */
+ /* Dummy Code */
+ #define OP_UNSPEC 0x00
+@@ -164,11 +158,11 @@ struct op_devlist_reply_extra {
+ } while (0)
+
+ #define PACK_OP_DEVLIST_REPLY(pack, reply) do {\
+- usbip_net_pack_uint32_t(pack, &(reply)->ndev);\
++ (reply)->ndev = usbip_net_pack_uint32_t(pack, (reply)->ndev);\
+ } while (0)
+
+-void usbip_net_pack_uint32_t(int pack, uint32_t *num);
+-void usbip_net_pack_uint16_t(int pack, uint16_t *num);
++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num);
++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num);
+ void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev);
+ void usbip_net_pack_usb_interface(int pack, struct usbip_usb_interface *uinf);
+
+--
+2.20.1
+
--- /dev/null
+From 9621097375b077c3b6f754e4c1c98465aad3d94a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jan 2020 13:04:42 +0100
+Subject: wan: ixp4xx_hss: fix compile-testing on 64-bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 504c28c853ec5c626900b914b5833daf0581a344 ]
+
+Change the driver to use portable integer types to avoid
+warnings during compile testing:
+
+drivers/net/wan/ixp4xx_hss.c:863:21: error: cast to 'u32 *' (aka 'unsigned int *') from smaller integer type 'int' [-Werror,-Wint-to-pointer-cast]
+ memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4);
+ ^
+drivers/net/wan/ixp4xx_hss.c:979:12: error: incompatible pointer types passing 'u32 *' (aka 'unsigned int *') to parameter of type 'dma_addr_t *' (aka 'unsigned long long *') [-Werror,-Wincompatible-pointer-types]
+ &port->desc_tab_phys)))
+ ^~~~~~~~~~~~~~~~~~~~
+include/linux/dmapool.h:27:20: note: passing argument to parameter 'handle' here
+ dma_addr_t *handle);
+ ^
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/ixp4xx_hss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wan/ixp4xx_hss.c b/drivers/net/wan/ixp4xx_hss.c
+index e7bbdb7af53ac..97968e6a6a4eb 100644
+--- a/drivers/net/wan/ixp4xx_hss.c
++++ b/drivers/net/wan/ixp4xx_hss.c
+@@ -261,7 +261,7 @@ struct port {
+ struct hss_plat_info *plat;
+ buffer_t *rx_buff_tab[RX_DESCS], *tx_buff_tab[TX_DESCS];
+ struct desc *desc_tab; /* coherent */
+- u32 desc_tab_phys;
++ dma_addr_t desc_tab_phys;
+ unsigned int id;
+ unsigned int clock_type, clock_rate, loopback;
+ unsigned int initialized, carrier;
+@@ -861,7 +861,7 @@ static int hss_hdlc_xmit(struct sk_buff *skb, struct net_device *dev)
+ dev->stats.tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+- memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4);
++ memcpy_swab32(mem, (u32 *)((uintptr_t)skb->data & ~3), bytes / 4);
+ dev_kfree_skb(skb);
+ #endif
+
+--
+2.20.1
+
--- /dev/null
+From 487a52717027317f1edb9096a081345846c6fa08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 21:36:07 -0500
+Subject: x86/vdso: Provide missing include file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Valdis Klētnieks <valdis.kletnieks@vt.edu>
+
+[ Upstream commit bff47c2302cc249bcd550b17067f8dddbd4b6f77 ]
+
+When building with C=1, sparse issues a warning:
+
+ CHECK arch/x86/entry/vdso/vdso32-setup.c
+ arch/x86/entry/vdso/vdso32-setup.c:28:28: warning: symbol 'vdso32_enabled' was not declared. Should it be static?
+
+Provide the missing header file.
+
+Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/36224.1575599767@turing-police
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/vdso/vdso32-setup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/entry/vdso/vdso32-setup.c b/arch/x86/entry/vdso/vdso32-setup.c
+index 3f9d1a83891ad..50c1f77cab150 100644
+--- a/arch/x86/entry/vdso/vdso32-setup.c
++++ b/arch/x86/entry/vdso/vdso32-setup.c
+@@ -10,6 +10,7 @@
+ #include <linux/smp.h>
+ #include <linux/kernel.h>
+ #include <linux/mm_types.h>
++#include <linux/elf.h>
+
+ #include <asm/processor.h>
+ #include <asm/vdso.h>
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
