fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Mon, 11 Nov 2019 15:39:11 +0000 (10:39 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 11 Nov 2019 15:39:11 +0000 (10:39 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
27 files changed:
queue-4.9/bonding-fix-unexpected-iff_bonding-bit-unset.patch [new file with mode: 0644]
queue-4.9/can-flexcan-disable-completely-the-ecc-mechanism.patch [new file with mode: 0644]
queue-4.9/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch [new file with mode: 0644]
queue-4.9/e1000-fix-memory-leaks.patch [new file with mode: 0644]
queue-4.9/fjes-handle-workqueue-allocation-failure.patch [new file with mode: 0644]
queue-4.9/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch [new file with mode: 0644]
queue-4.9/igb-fix-constant-media-auto-sense-switching-when-no-.patch [new file with mode: 0644]
queue-4.9/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch [new file with mode: 0644]
queue-4.9/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch [new file with mode: 0644]
queue-4.9/net-hisilicon-fix-trying-to-free-already-free-irq.patch [new file with mode: 0644]
queue-4.9/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch [new file with mode: 0644]
queue-4.9/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch [new file with mode: 0644]
queue-4.9/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch [new file with mode: 0644]
queue-4.9/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch [new file with mode: 0644]
queue-4.9/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch [new file with mode: 0644]
queue-4.9/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch [new file with mode: 0644]
queue-4.9/scsi-qla2xxx-stop-timer-in-shutdown-path.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch [new file with mode: 0644]
queue-4.9/usb-fsl-check-memory-resource-before-releasing-it.patch [new file with mode: 0644]
queue-4.9/usb-gadget-composite-fix-possible-double-free-memory.patch [new file with mode: 0644]
queue-4.9/usb-gadget-configfs-fix-concurrent-issue-between-com.patch [new file with mode: 0644]
queue-4.9/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch [new file with mode: 0644]
queue-4.9/usb-skip-endpoints-with-0-maxpacket-length.patch [new file with mode: 0644]
queue-4.9/x86-apic-32-avoid-bogus-ldr-warnings.patch [new file with mode: 0644]
queue-4.9/x86-apic-drop-logical_smp_processor_id-inline.patch [new file with mode: 0644]
queue-4.9/x86-apic-move-pending-interrupt-check-code-into-it-s.patch [new file with mode: 0644]

diff --git a/queue-4.9/bonding-fix-unexpected-iff_bonding-bit-unset.patch b/queue-4.9/bonding-fix-unexpected-iff_bonding-bit-unset.patch
new file mode 100644 (file)
index 0000000..8843981
--- /dev/null
@@ -0,0 +1,100 @@
+From 119c7d31519736562cf148d33be29f57d374edf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 18:47:52 +0000
+Subject: bonding: fix unexpected IFF_BONDING bit unset
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 65de65d9033750d2cf1b336c9d6e9da3a8b5cc6e ]
+
+The IFF_BONDING means bonding master or bonding slave device.
+->ndo_add_slave() sets IFF_BONDING flag and ->ndo_del_slave() unsets
+IFF_BONDING flag.
+
+bond0<--bond1
+
+Both bond0 and bond1 are bonding device and these should keep having
+IFF_BONDING flag until they are removed.
+But bond1 would lose IFF_BONDING at ->ndo_del_slave() because that routine
+do not check whether the slave device is the bonding type or not.
+This patch adds the interface type check routine before removing
+IFF_BONDING flag.
+
+Test commands:
+    ip link add bond0 type bond
+    ip link add bond1 type bond
+    ip link set bond1 master bond0
+    ip link set bond1 nomaster
+    ip link del bond1 type bond
+    ip link add bond1 type bond
+
+Splat looks like:
+[  226.665555] proc_dir_entry 'bonding/bond1' already registered
+[  226.666440] WARNING: CPU: 0 PID: 737 at fs/proc/generic.c:361 proc_register+0x2a9/0x3e0
+[  226.667571] Modules linked in: bonding af_packet sch_fq_codel ip_tables x_tables unix
+[  226.668662] CPU: 0 PID: 737 Comm: ip Not tainted 5.4.0-rc3+ #96
+[  226.669508] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[  226.670652] RIP: 0010:proc_register+0x2a9/0x3e0
+[  226.671612] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 39 01 00 00 48 8b 04 24 48 89 ea 48 c7 c7 a0 0b 14 9f 48 8b b0 e
+0 00 00 00 e8 07 e7 88 ff <0f> 0b 48 c7 c7 40 2d a5 9f e8 59 d6 23 01 48 8b 4c 24 10 48 b8 00
+[  226.675007] RSP: 0018:ffff888050e17078 EFLAGS: 00010282
+[  226.675761] RAX: dffffc0000000008 RBX: ffff88805fdd0f10 RCX: ffffffff9dd344e2
+[  226.676757] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806c9f6b8c
+[  226.677751] RBP: ffff8880507160f3 R08: ffffed100d940019 R09: ffffed100d940019
+[  226.678761] R10: 0000000000000001 R11: ffffed100d940018 R12: ffff888050716008
+[  226.679757] R13: ffff8880507160f2 R14: dffffc0000000000 R15: ffffed100a0e2c1e
+[  226.680758] FS:  00007fdc217cc0c0(0000) GS:ffff88806c800000(0000) knlGS:0000000000000000
+[  226.681886] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  226.682719] CR2: 00007f49313424d0 CR3: 0000000050e46001 CR4: 00000000000606f0
+[  226.683727] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  226.684725] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  226.685681] Call Trace:
+[  226.687089]  proc_create_seq_private+0xb3/0xf0
+[  226.687778]  bond_create_proc_entry+0x1b3/0x3f0 [bonding]
+[  226.691458]  bond_netdev_event+0x433/0x970 [bonding]
+[  226.692139]  ? __module_text_address+0x13/0x140
+[  226.692779]  notifier_call_chain+0x90/0x160
+[  226.693401]  register_netdevice+0x9b3/0xd80
+[  226.694010]  ? alloc_netdev_mqs+0x854/0xc10
+[  226.694629]  ? netdev_change_features+0xa0/0xa0
+[  226.695278]  ? rtnl_create_link+0x2ed/0xad0
+[  226.695849]  bond_newlink+0x2a/0x60 [bonding]
+[  226.696422]  __rtnl_newlink+0xb9f/0x11b0
+[  226.696968]  ? rtnl_link_unregister+0x220/0x220
+[ ... ]
+
+Fixes: 0b680e753724 ("[PATCH] bonding: Add priv_flag to avoid event mishandling")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index c1971bca62fb1..d52fd842ef1fe 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1759,7 +1759,8 @@ err_detach:
+       slave_disable_netpoll(new_slave);
+ err_close:
+-      slave_dev->priv_flags &= ~IFF_BONDING;
++      if (!netif_is_bond_master(slave_dev))
++              slave_dev->priv_flags &= ~IFF_BONDING;
+       dev_close(slave_dev);
+ err_restore_mac:
+@@ -1960,7 +1961,8 @@ static int __bond_release_one(struct net_device *bond_dev,
+       dev_set_mtu(slave_dev, slave->original_mtu);
+-      slave_dev->priv_flags &= ~IFF_BONDING;
++      if (!netif_is_bond_master(slave_dev))
++              slave_dev->priv_flags &= ~IFF_BONDING;
+       bond_free_slave(slave);
+-- 
+2.20.1
+
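Review bot: The new `if (!netif_is_bond_master(slave_dev))` guard appears twice, at `err_close:` in the enslave error path and in `__bond_release_one()`, and neither site has a comment saying why a released slave may keep IFF_BONDING. A one-line comment above each, such as `/* a bond enslaved to another bond is still a bond master and must keep IFF_BONDING */`, would stop a later cleanup from turning the flag clear back into an unconditional statement. Both enclosing functions start and end outside the visible hunks.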
diff --git a/queue-4.9/can-flexcan-disable-completely-the-ecc-mechanism.patch b/queue-4.9/can-flexcan-disable-completely-the-ecc-mechanism.patch
new file mode 100644 (file)
index 0000000..01687d2
--- /dev/null
@@ -0,0 +1,39 @@
+From 10780beb127e974d50c54f920e7f53dd0ac881bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2019 08:00:26 +0000
+Subject: can: flexcan: disable completely the ECC mechanism
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit 5e269324db5adb2f5f6ec9a93a9c7b0672932b47 ]
+
+The ECC (memory error detection and correction) mechanism can be
+activated or not, controlled by the ECCDIS bit in CAN_MECR. When
+disabled, updates on indications and reporting registers are stopped.
+So if want to disable ECC completely, had better assert ECCDIS bit, not
+just mask the related interrupts.
+
+Fixes: cdce844865be ("can: flexcan: add vf610 support for FlexCAN")
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index baef09b9449f9..6b866d0451b21 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -923,6 +923,7 @@ static int flexcan_chip_start(struct net_device *dev)
+               reg_mecr = flexcan_read(&regs->mecr);
+               reg_mecr &= ~FLEXCAN_MECR_ECRWRDIS;
+               flexcan_write(reg_mecr, &regs->mecr);
++              reg_mecr |= FLEXCAN_MECR_ECCDIS;
+               reg_mecr &= ~(FLEXCAN_MECR_NCEFAFRZ | FLEXCAN_MECR_HANCEI_MSK |
+                             FLEXCAN_MECR_FANCEI_MSK);
+               flexcan_write(reg_mecr, &regs->mecr);
+-- 
+2.20.1
+
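Review bot: The added `reg_mecr |= FLEXCAN_MECR_ECCDIS;` in `flexcan_chip_start()` switches memory error detection and correction off altogether, and nothing in the code records that this is deliberate. Per the commit message, the indication and reporting registers stop updating once ECCDIS is set, so errors in the controller memory will no longer surface anywhere. I would put a comment above the line, for example `/* ECC is disabled on purpose: memory errors are neither corrected nor reported after this write */`, so the trade-off is visible to whoever next touches the MECR sequence. The function continues outside the hunk.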
diff --git a/queue-4.9/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch b/queue-4.9/dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch
new file mode 100644 (file)
index 0000000..ee40de2
--- /dev/null
@@ -0,0 +1,66 @@
+From 9a1a494d8d47747159c78bf5b7b36dcf2cda6585 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2019 16:20:58 +0530
+Subject: dmaengine: xilinx_dma: Fix control reg update in
+ vdma_channel_set_config
+
+From: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+
+[ Upstream commit 6c6de1ddb1be3840f2ed5cc9d009a622720940c9 ]
+
+In vdma_channel_set_config clear the delay, frame count and master mask
+before updating their new values. It avoids programming incorrect state
+when input parameters are different from default.
+
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+Acked-by: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Link: https://lore.kernel.org/r/1569495060-18117-3-git-send-email-radhey.shyam.pandey@xilinx.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 8288fe4d17c38..cd271f7826051 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -72,6 +72,9 @@
+ #define XILINX_DMA_DMACR_CIRC_EN              BIT(1)
+ #define XILINX_DMA_DMACR_RUNSTOP              BIT(0)
+ #define XILINX_DMA_DMACR_FSYNCSRC_MASK                GENMASK(6, 5)
++#define XILINX_DMA_DMACR_DELAY_MASK           GENMASK(31, 24)
++#define XILINX_DMA_DMACR_FRAME_COUNT_MASK     GENMASK(23, 16)
++#define XILINX_DMA_DMACR_MASTER_MASK          GENMASK(11, 8)
+ #define XILINX_DMA_REG_DMASR                  0x0004
+ #define XILINX_DMA_DMASR_EOL_LATE_ERR         BIT(15)
+@@ -2054,8 +2057,10 @@ int xilinx_vdma_channel_set_config(struct dma_chan *dchan,
+       chan->config.gen_lock = cfg->gen_lock;
+       chan->config.master = cfg->master;
++      dmacr &= ~XILINX_DMA_DMACR_GENLOCK_EN;
+       if (cfg->gen_lock && chan->genlock) {
+               dmacr |= XILINX_DMA_DMACR_GENLOCK_EN;
++              dmacr &= ~XILINX_DMA_DMACR_MASTER_MASK;
+               dmacr |= cfg->master << XILINX_DMA_DMACR_MASTER_SHIFT;
+       }
+@@ -2069,11 +2074,13 @@ int xilinx_vdma_channel_set_config(struct dma_chan *dchan,
+       chan->config.delay = cfg->delay;
+       if (cfg->coalesc <= XILINX_DMA_DMACR_FRAME_COUNT_MAX) {
++              dmacr &= ~XILINX_DMA_DMACR_FRAME_COUNT_MASK;
+               dmacr |= cfg->coalesc << XILINX_DMA_DMACR_FRAME_COUNT_SHIFT;
+               chan->config.coalesc = cfg->coalesc;
+       }
+       if (cfg->delay <= XILINX_DMA_DMACR_DELAY_MAX) {
++              dmacr &= ~XILINX_DMA_DMACR_DELAY_MASK;
+               dmacr |= cfg->delay << XILINX_DMA_DMACR_DELAY_SHIFT;
+               chan->config.delay = cfg->delay;
+       }
+-- 
+2.20.1
+
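Review bot: In `xilinx_vdma_channel_set_config()` the master field is now cleared with `XILINX_DMA_DMACR_MASTER_MASK`, but the value OR-ed in on the next line, `cfg->master << XILINX_DMA_DMACR_MASTER_SHIFT`, is not bounded, unlike `cfg->coalesc` and `cfg->delay`, which are compared with their `_MAX` constants. If a caller passes a master wider than the four bits of `GENMASK(11, 8)`, the excess bits would be written into neighbouring DMACR fields. Masking the shifted value closes that: `dmacr |= (cfg->master << XILINX_DMA_DMACR_MASTER_SHIFT) & XILINX_DMA_DMACR_MASTER_MASK;`. A range check on `cfg->master` may exist earlier in the function, which starts outside the hunks.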
diff --git a/queue-4.9/e1000-fix-memory-leaks.patch b/queue-4.9/e1000-fix-memory-leaks.patch
new file mode 100644 (file)
index 0000000..b8079b2
--- /dev/null
@@ -0,0 +1,61 @@
+From c699f002733df7b691efe4aed11a793334de0a7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2019 00:59:21 -0500
+Subject: e1000: fix memory leaks
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 8472ba62154058b64ebb83d5f57259a352d28697 ]
+
+In e1000_set_ringparam(), 'tx_old' and 'rx_old' are not deallocated if
+e1000_up() fails, leading to memory leaks. Refactor the code to fix this
+issue.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index 2a81f6d721404..8936f19e9325f 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -628,6 +628,7 @@ static int e1000_set_ringparam(struct net_device *netdev,
+       for (i = 0; i < adapter->num_rx_queues; i++)
+               rxdr[i].count = rxdr->count;
++      err = 0;
+       if (netif_running(adapter->netdev)) {
+               /* Try to get new resources before deleting old */
+               err = e1000_setup_all_rx_resources(adapter);
+@@ -648,14 +649,13 @@ static int e1000_set_ringparam(struct net_device *netdev,
+               adapter->rx_ring = rxdr;
+               adapter->tx_ring = txdr;
+               err = e1000_up(adapter);
+-              if (err)
+-                      goto err_setup;
+       }
+       kfree(tx_old);
+       kfree(rx_old);
+       clear_bit(__E1000_RESETTING, &adapter->flags);
+-      return 0;
++      return err;
++
+ err_setup_tx:
+       e1000_free_all_rx_resources(adapter);
+ err_setup_rx:
+@@ -667,7 +667,6 @@ err_alloc_rx:
+ err_alloc_tx:
+       if (netif_running(adapter->netdev))
+               e1000_up(adapter);
+-err_setup:
+       clear_bit(__E1000_RESETTING, &adapter->flags);
+       return err;
+ }
+-- 
+2.20.1
+
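Review bot: After this change a failing `e1000_up()` in `e1000_set_ringparam()` falls through to the shared `kfree(tx_old); kfree(rx_old);` and the error is returned from the former success path, which is easy to miss when reading the code. A comment before the two `kfree()` calls, e.g. `/* old rings are released on success and when e1000_up() fails; the new rings stay installed */`, would record why the removed `goto err_setup` must not come back. The `err = 0;` added before `if (netif_running(adapter->netdev))` deserves a short note as well, since it exists only so that the not-running path returns success. The function starts outside the hunks.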
diff --git a/queue-4.9/fjes-handle-workqueue-allocation-failure.patch b/queue-4.9/fjes-handle-workqueue-allocation-failure.patch
new file mode 100644 (file)
index 0000000..c6ffbfe
--- /dev/null
@@ -0,0 +1,69 @@
+From 68bfad3c6d830cb4e7ac4bc73d8ac98fbc85f11c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 12:06:02 +0100
+Subject: fjes: Handle workqueue allocation failure
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit 85ac30fa2e24f628e9f4f9344460f4015d33fd7d ]
+
+In the highly unlikely event that we fail to allocate either of the
+"/txrx" or "/control" workqueues, we should bail cleanly rather than
+blindly march on with NULL queue pointer(s) installed in the
+'fjes_adapter' instance.
+
+Cc: "David S. Miller" <davem@davemloft.net>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Link: https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/fjes/fjes_main.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c
+index 7ea8ead4fd1c7..bbc983b04561f 100644
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1187,8 +1187,17 @@ static int fjes_probe(struct platform_device *plat_dev)
+       adapter->open_guard = false;
+       adapter->txrx_wq = alloc_workqueue(DRV_NAME "/txrx", WQ_MEM_RECLAIM, 0);
++      if (unlikely(!adapter->txrx_wq)) {
++              err = -ENOMEM;
++              goto err_free_netdev;
++      }
++
+       adapter->control_wq = alloc_workqueue(DRV_NAME "/control",
+                                             WQ_MEM_RECLAIM, 0);
++      if (unlikely(!adapter->control_wq)) {
++              err = -ENOMEM;
++              goto err_free_txrx_wq;
++      }
+       INIT_WORK(&adapter->tx_stall_task, fjes_tx_stall_task);
+       INIT_WORK(&adapter->raise_intr_rxdata_task,
+@@ -1205,7 +1214,7 @@ static int fjes_probe(struct platform_device *plat_dev)
+       hw->hw_res.irq = platform_get_irq(plat_dev, 0);
+       err = fjes_hw_init(&adapter->hw);
+       if (err)
+-              goto err_free_netdev;
++              goto err_free_control_wq;
+       /* setup MAC address (02:00:00:00:00:[epid])*/
+       netdev->dev_addr[0] = 2;
+@@ -1225,6 +1234,10 @@ static int fjes_probe(struct platform_device *plat_dev)
+ err_hw_exit:
+       fjes_hw_exit(&adapter->hw);
++err_free_control_wq:
++      destroy_workqueue(adapter->control_wq);
++err_free_txrx_wq:
++      destroy_workqueue(adapter->txrx_wq);
+ err_free_netdev:
+       free_netdev(netdev);
+ err_out:
+-- 
+2.20.1
+
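Review bot: The two new checks in `fjes_probe()` wrap the allocation result in `unlikely()`, which adds nothing on a probe path that runs once per device. `if (!adapter->txrx_wq) {` and `if (!adapter->control_wq) {` read better and match the plain `if (err)` used after `fjes_hw_init()` in the same function. The unwind order itself looks right, with `err_hw_exit` falling through both `destroy_workqueue()` calls before `free_netdev()`. The rest of the body is outside the hunks, so it is worth confirming that no later failure still jumps straight to `err_free_netdev` and skips the two queues.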
diff --git a/queue-4.9/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch b/queue-4.9/hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch
new file mode 100644 (file)
index 0000000..9d8ea6d
--- /dev/null
@@ -0,0 +1,36 @@
+From 015e96d1c4b27554c968dccd5ba551c5a9da0ee8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 08:15:59 +0800
+Subject: HID: intel-ish-hid: fix wrong error handling in
+ ishtp_cl_alloc_tx_ring()
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 16ff7bf6dbcc6f77d2eec1ac9120edf44213c2f1 ]
+
+When allocating tx ring buffers failed, should free tx buffers, not rx buffers.
+
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-ish-hid/ishtp/client-buffers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/intel-ish-hid/ishtp/client-buffers.c b/drivers/hid/intel-ish-hid/ishtp/client-buffers.c
+index b9b917d2d50db..c41dbb167c91b 100644
+--- a/drivers/hid/intel-ish-hid/ishtp/client-buffers.c
++++ b/drivers/hid/intel-ish-hid/ishtp/client-buffers.c
+@@ -90,7 +90,7 @@ int ishtp_cl_alloc_tx_ring(struct ishtp_cl *cl)
+       return  0;
+ out:
+       dev_err(&cl->device->dev, "error in allocating Tx pool\n");
+-      ishtp_cl_free_rx_ring(cl);
++      ishtp_cl_free_tx_ring(cl);
+       return  -ENOMEM;
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.9/igb-fix-constant-media-auto-sense-switching-when-no-.patch b/queue-4.9/igb-fix-constant-media-auto-sense-switching-when-no-.patch
new file mode 100644 (file)
index 0000000..c3af6f0
--- /dev/null
@@ -0,0 +1,48 @@
+From b7d75310caf1ee217f87b471ec0903ed1e7dc318 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2019 13:55:20 -0700
+Subject: igb: Fix constant media auto sense switching when no cable is
+ connected
+
+From: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
+
+[ Upstream commit 8d5cfd7f76a2414e23c74bb8858af7540365d985 ]
+
+At least on the i350 there is an annoying behavior that is maybe also
+present on 82580 devices, but was probably not noticed yet as MAS is not
+widely used.
+
+If no cable is connected on both fiber/copper ports the media auto sense
+code will constantly swap between them as part of the watchdog task and
+produce many unnecessary kernel log messages.
+
+The swap code responsible for this behavior (switching to fiber) should
+not be executed if the current media type is copper and there is no signal
+detected on the fiber port. In this case we can safely wait until the
+AUTOSENSE_EN bit is cleared.
+
+Signed-off-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 7956176c2c73e..7e35bd6656307 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1677,7 +1677,8 @@ static void igb_check_swap_media(struct igb_adapter *adapter)
+       if ((hw->phy.media_type == e1000_media_type_copper) &&
+           (!(connsw & E1000_CONNSW_AUTOSENSE_EN))) {
+               swap_now = true;
+-      } else if (!(connsw & E1000_CONNSW_SERDESD)) {
++      } else if ((hw->phy.media_type != e1000_media_type_copper) &&
++                 !(connsw & E1000_CONNSW_SERDESD)) {
+               /* copper signal takes time to appear */
+               if (adapter->copper_tries < 4) {
+                       adapter->copper_tries++;
+-- 
+2.20.1
+
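Review bot: The widened condition in `igb_check_swap_media()`, `(hw->phy.media_type != e1000_media_type_copper) && !(connsw & E1000_CONNSW_SERDESD)`, carries no comment, and the one inside the branch (`/* copper signal takes time to appear */`) does not explain the new media-type test. I would add a line above the `else if`, e.g. `/* skip when already on copper: with no signal on the fiber port we just wait for AUTOSENSE_EN to clear */`, which is the reasoning given in the commit message. The function continues outside the hunk.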
diff --git a/queue-4.9/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch b/queue-4.9/ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch
new file mode 100644 (file)
index 0000000..f9ba0ff
--- /dev/null
@@ -0,0 +1,117 @@
+From eefa8c64ced3b4f49bd6337308908143e8891106 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Oct 2019 09:53:03 -0700
+Subject: ipvs: move old_secure_tcp into struct netns_ipvs
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c24b75e0f9239e78105f81c5f03a751641eb07ef ]
+
+syzbot reported the following issue :
+
+BUG: KCSAN: data-race in update_defense_level / update_defense_level
+
+read to 0xffffffff861a6260 of 4 bytes by task 3006 on cpu 1:
+ update_defense_level+0x621/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:177
+ defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+write to 0xffffffff861a6260 of 4 bytes by task 7333 on cpu 0:
+ update_defense_level+0xa62/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:205
+ defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 7333 Comm: kworker/0:5 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events defense_work_handler
+
+Indeed, old_secure_tcp is currently a static variable, while it
+needs to be a per netns variable.
+
+Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_vs.h            |  1 +
+ net/netfilter/ipvs/ip_vs_ctl.c | 15 +++++++--------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
+index cd6018a9ee246..a26165744d980 100644
+--- a/include/net/ip_vs.h
++++ b/include/net/ip_vs.h
+@@ -887,6 +887,7 @@ struct netns_ipvs {
+       struct delayed_work     defense_work;   /* Work handler */
+       int                     drop_rate;
+       int                     drop_counter;
++      int                     old_secure_tcp;
+       atomic_t                dropentry;
+       /* locks in ctl.c */
+       spinlock_t              dropentry_lock;  /* drop entry handling */
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 8037b25ddb76a..33125fc009cfd 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -97,7 +97,6 @@ static bool __ip_vs_addr_is_local_v6(struct net *net,
+ static void update_defense_level(struct netns_ipvs *ipvs)
+ {
+       struct sysinfo i;
+-      static int old_secure_tcp = 0;
+       int availmem;
+       int nomem;
+       int to_change = -1;
+@@ -178,35 +177,35 @@ static void update_defense_level(struct netns_ipvs *ipvs)
+       spin_lock(&ipvs->securetcp_lock);
+       switch (ipvs->sysctl_secure_tcp) {
+       case 0:
+-              if (old_secure_tcp >= 2)
++              if (ipvs->old_secure_tcp >= 2)
+                       to_change = 0;
+               break;
+       case 1:
+               if (nomem) {
+-                      if (old_secure_tcp < 2)
++                      if (ipvs->old_secure_tcp < 2)
+                               to_change = 1;
+                       ipvs->sysctl_secure_tcp = 2;
+               } else {
+-                      if (old_secure_tcp >= 2)
++                      if (ipvs->old_secure_tcp >= 2)
+                               to_change = 0;
+               }
+               break;
+       case 2:
+               if (nomem) {
+-                      if (old_secure_tcp < 2)
++                      if (ipvs->old_secure_tcp < 2)
+                               to_change = 1;
+               } else {
+-                      if (old_secure_tcp >= 2)
++                      if (ipvs->old_secure_tcp >= 2)
+                               to_change = 0;
+                       ipvs->sysctl_secure_tcp = 1;
+               }
+               break;
+       case 3:
+-              if (old_secure_tcp < 2)
++              if (ipvs->old_secure_tcp < 2)
+                       to_change = 1;
+               break;
+       }
+-      old_secure_tcp = ipvs->sysctl_secure_tcp;
++      ipvs->old_secure_tcp = ipvs->sysctl_secure_tcp;
+       if (to_change >= 0)
+               ip_vs_protocol_timeout_change(ipvs,
+                                             ipvs->sysctl_secure_tcp > 1);
+-- 
+2.20.1
+
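Review bot: The new `old_secure_tcp` member of `struct netns_ipvs` has no comment and no visible initialisation, whereas the static it replaces was explicitly `= 0`. The switch in `update_defense_level()` compares the field before its first assignment, so the code now relies on the structure being zeroed when the namespace is set up; that allocation is outside these hunks and should be confirmed. I would also document the field, e.g. `int old_secure_tcp; /* previous sysctl_secure_tcp, updated under securetcp_lock */`, since every access shown sits after `spin_lock(&ipvs->securetcp_lock)`.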
diff --git a/queue-4.9/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch b/queue-4.9/net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch
new file mode 100644 (file)
index 0000000..73d2d43
--- /dev/null
@@ -0,0 +1,37 @@
+From 31983caeaf28038722cda61c430488ecf737c10d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2019 20:17:25 +0800
+Subject: net: ethernet: arc: add the missed clk_disable_unprepare
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 4202e219edd6cc164c042e16fa327525410705ae ]
+
+The remove misses to disable and unprepare priv->macclk like what is done
+when probe fails.
+Add the missed call in remove.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/arc/emac_rockchip.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/arc/emac_rockchip.c b/drivers/net/ethernet/arc/emac_rockchip.c
+index c770ca37c9b21..a7d30731d376f 100644
+--- a/drivers/net/ethernet/arc/emac_rockchip.c
++++ b/drivers/net/ethernet/arc/emac_rockchip.c
+@@ -261,6 +261,9 @@ static int emac_rockchip_remove(struct platform_device *pdev)
+       if (priv->regulator)
+               regulator_disable(priv->regulator);
++      if (priv->soc_data->need_div_macclk)
++              clk_disable_unprepare(priv->macclk);
++
+       free_netdev(ndev);
+       return err;
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.9/net-hisilicon-fix-trying-to-free-already-free-irq.patch b/queue-4.9/net-hisilicon-fix-trying-to-free-already-free-irq.patch
new file mode 100644 (file)
index 0000000..3caca9b
--- /dev/null
@@ -0,0 +1,59 @@
+From 0ea88a14a184c1dd1ac60cd83601878cd2a2be31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 21:48:22 +0800
+Subject: net: hisilicon: Fix "Trying to free already-free IRQ"
+
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+
+[ Upstream commit 63a41746827cb16dc6ad0d4d761ab4e7dda7a0c3 ]
+
+When rmmod hip04_eth.ko, we can get the following warning:
+
+Task track: rmmod(1623)>bash(1591)>login(1581)>init(1)
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1623 at kernel/irq/manage.c:1557 __free_irq+0xa4/0x2ac()
+Trying to free already-free IRQ 200
+Modules linked in: ping(O) pramdisk(O) cpuinfo(O) rtos_snapshot(O) interrupt_ctrl(O) mtdblock mtd_blkdevrtfs nfs_acl nfs lockd grace sunrpc xt_tcpudp ipt_REJECT iptable_filter ip_tables x_tables nf_reject_ipv
+CPU: 0 PID: 1623 Comm: rmmod Tainted: G           O    4.4.193 #1
+Hardware name: Hisilicon A15
+[<c020b408>] (rtos_unwind_backtrace) from [<c0206624>] (show_stack+0x10/0x14)
+[<c0206624>] (show_stack) from [<c03f2be4>] (dump_stack+0xa0/0xd8)
+[<c03f2be4>] (dump_stack) from [<c021a780>] (warn_slowpath_common+0x84/0xb0)
+[<c021a780>] (warn_slowpath_common) from [<c021a7e8>] (warn_slowpath_fmt+0x3c/0x68)
+[<c021a7e8>] (warn_slowpath_fmt) from [<c026876c>] (__free_irq+0xa4/0x2ac)
+[<c026876c>] (__free_irq) from [<c0268a14>] (free_irq+0x60/0x7c)
+[<c0268a14>] (free_irq) from [<c0469e80>] (release_nodes+0x1c4/0x1ec)
+[<c0469e80>] (release_nodes) from [<c0466924>] (__device_release_driver+0xa8/0x104)
+[<c0466924>] (__device_release_driver) from [<c0466a80>] (driver_detach+0xd0/0xf8)
+[<c0466a80>] (driver_detach) from [<c0465e18>] (bus_remove_driver+0x64/0x8c)
+[<c0465e18>] (bus_remove_driver) from [<c02935b0>] (SyS_delete_module+0x198/0x1e0)
+[<c02935b0>] (SyS_delete_module) from [<c0202ed0>] (__sys_trace_return+0x0/0x10)
+---[ end trace bb25d6123d849b44 ]---
+
+Currently "rmmod hip04_eth.ko" call free_irq more than once
+as devres_release_all and hip04_remove both call free_irq.
+This results in a 'Trying to free already-free IRQ' warning.
+To solve the problem free_irq has been moved out of hip04_remove.
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 407e1177d9d1a..4436a0307f32e 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -953,7 +953,6 @@ static int hip04_remove(struct platform_device *pdev)
+       hip04_free_ring(ndev, d);
+       unregister_netdev(ndev);
+-      free_irq(ndev->irq, ndev);
+       of_node_put(priv->phy_node);
+       cancel_work_sync(&priv->tx_timeout_task);
+       free_netdev(ndev);
+-- 
+2.20.1
+
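Review bot: With `free_irq(ndev->irq, ndev)` removed from `hip04_remove()`, the interrupt is released only by devres (the `release_nodes` frame in the quoted trace), and that runs after `free_netdev(ndev)` has already returned. The removed call shows the handler was registered with `ndev` as its cookie, so an interrupt arriving in that window would be handled against freed memory unless the device's interrupts are already masked by then, which the hunk does not show. Releasing the managed IRQ explicitly at the same spot keeps the old ordering without the double free: `devm_free_irq(&pdev->dev, ndev->irq, ndev);`, assuming the IRQ was requested against `&pdev->dev`. The function starts and ends outside the hunk.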
diff --git a/queue-4.9/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch b/queue-4.9/nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch
new file mode 100644 (file)
index 0000000..dca4c48
--- /dev/null
@@ -0,0 +1,97 @@
+From 8d5bc98a285088cf74af18f4dbdd1ac5355769cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 18:40:32 -0400
+Subject: NFSv4: Don't allow a cached open with a revoked delegation
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+[ Upstream commit be3df3dd4c70ee020587a943a31b98a0fb4b6424 ]
+
+If the delegation is marked as being revoked, we must not use it
+for cached opens.
+
+Fixes: 869f9dfa4d6d ("NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/delegation.c | 10 ++++++++++
+ fs/nfs/delegation.h |  1 +
+ fs/nfs/nfs4proc.c   |  7 ++-----
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
+index dff600ae0d747..46afd7cdcc378 100644
+--- a/fs/nfs/delegation.c
++++ b/fs/nfs/delegation.c
+@@ -52,6 +52,16 @@ nfs4_is_valid_delegation(const struct nfs_delegation *delegation,
+       return false;
+ }
++struct nfs_delegation *nfs4_get_valid_delegation(const struct inode *inode)
++{
++      struct nfs_delegation *delegation;
++
++      delegation = rcu_dereference(NFS_I(inode)->delegation);
++      if (nfs4_is_valid_delegation(delegation, 0))
++              return delegation;
++      return NULL;
++}
++
+ static int
+ nfs4_do_check_delegation(struct inode *inode, fmode_t flags, bool mark)
+ {
+diff --git a/fs/nfs/delegation.h b/fs/nfs/delegation.h
+index e9d5557968739..2c6cb7fb7d5ee 100644
+--- a/fs/nfs/delegation.h
++++ b/fs/nfs/delegation.h
+@@ -62,6 +62,7 @@ int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state
+ int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, const nfs4_stateid *stateid);
+ bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags, nfs4_stateid *dst, struct rpc_cred **cred);
++struct nfs_delegation *nfs4_get_valid_delegation(const struct inode *inode);
+ void nfs_mark_delegation_referenced(struct nfs_delegation *delegation);
+ int nfs4_have_delegation(struct inode *inode, fmode_t flags);
+ int nfs4_check_delegation(struct inode *inode, fmode_t flags);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 8354dfae7038e..ca4249ae644f2 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1368,8 +1368,6 @@ static int can_open_delegated(struct nfs_delegation *delegation, fmode_t fmode,
+               return 0;
+       if ((delegation->type & fmode) != fmode)
+               return 0;
+-      if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags))
+-              return 0;
+       switch (claim) {
+       case NFS4_OPEN_CLAIM_NULL:
+       case NFS4_OPEN_CLAIM_FH:
+@@ -1628,7 +1626,6 @@ static void nfs4_return_incompatible_delegation(struct inode *inode, fmode_t fmo
+ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
+ {
+       struct nfs4_state *state = opendata->state;
+-      struct nfs_inode *nfsi = NFS_I(state->inode);
+       struct nfs_delegation *delegation;
+       int open_mode = opendata->o_arg.open_flags;
+       fmode_t fmode = opendata->o_arg.fmode;
+@@ -1645,7 +1642,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
+               }
+               spin_unlock(&state->owner->so_lock);
+               rcu_read_lock();
+-              delegation = rcu_dereference(nfsi->delegation);
++              delegation = nfs4_get_valid_delegation(state->inode);
+               if (!can_open_delegated(delegation, fmode, claim)) {
+                       rcu_read_unlock();
+                       break;
+@@ -2142,7 +2139,7 @@ static void nfs4_open_prepare(struct rpc_task *task, void *calldata)
+               if (can_open_cached(data->state, data->o_arg.fmode, data->o_arg.open_flags))
+                       goto out_no_action;
+               rcu_read_lock();
+-              delegation = rcu_dereference(NFS_I(data->state->inode)->delegation);
++              delegation = nfs4_get_valid_delegation(data->state->inode);
+               if (can_open_delegated(delegation, data->o_arg.fmode, claim))
+                       goto unlock_no_action;
+               rcu_read_unlock();
+-- 
+2.20.1
+
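Review bot: The new nfs4_get_valid_delegation() in fs/nfs/delegation.c calls rcu_dereference() but has no comment saying it must run inside an RCU read-side critical section. Both call sites in this patch (nfs4_try_open_cached and nfs4_open_prepare) take rcu_read_lock() first, so the code is consistent today, but the contract is undocumented for later callers. I would add above the function `/* Caller must hold rcu_read_lock(); returns NULL unless nfs4_is_valid_delegation() accepts the delegation. */`. The patch also drops the NFS_DELEGATION_RETURNING test from can_open_delegated(), which presumably is now covered inside nfs4_is_valid_delegation(). That function's body is outside the hunk, so this should be confirmed against the 4.9 tree.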
diff --git a/queue-4.9/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch b/queue-4.9/perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch
new file mode 100644 (file)
index 0000000..6d79a9e
--- /dev/null
@@ -0,0 +1,55 @@
+From d8d6fd70ceab733a61a27902ab581abf0aefde63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Oct 2019 10:09:54 -0500
+Subject: perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus
+ precise RIP validity
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+[ Upstream commit 317b96bb14303c7998dbcd5bc606bd8038fdd4b4 ]
+
+The loop that reads all the IBS MSRs into *buf stopped one MSR short of
+reading the IbsOpData register, which contains the RipInvalid status bit.
+
+Fix the offset_max assignment so the MSR gets read, so the RIP invalid
+evaluation is based on what the IBS h/w output, instead of what was
+left in memory.
+
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: d47e8238cd76 ("perf/x86-ibs: Take instruction pointer from ibs sample")
+Link: https://lkml.kernel.org/r/20191023150955.30292-1-kim.phillips@amd.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/ibs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
+index 112e3c4636b4f..a8317d384773a 100644
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -624,7 +624,7 @@ fail:
+       if (event->attr.sample_type & PERF_SAMPLE_RAW)
+               offset_max = perf_ibs->offset_max;
+       else if (check_rip)
+-              offset_max = 2;
++              offset_max = 3;
+       else
+               offset_max = 1;
+       do {
+-- 
+2.20.1
+
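Review bot: The literal in `offset_max = 3;` on the check_rip branch is a bare count whose meaning is given only in the commit message. Reading one register too few left the RipInvalid decision dependent on stale buffer contents, so the number should be tied to the register it must reach, e.g. `offset_max = 3;	/* read through IbsOpData, which holds RipInvalid */`. The loop that consumes offset_max begins at the `do {` on the hunk's last code line and continues outside it, so the exact bound semantics need checking there.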
diff --git a/queue-4.9/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch b/queue-4.9/perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch
new file mode 100644 (file)
index 0000000..326a49f
--- /dev/null
@@ -0,0 +1,71 @@
+From 0ea8a0932c3fe7f65f3482ae737f68f628753c8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Oct 2019 10:09:55 -0500
+Subject: perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family
+ (10h)
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+[ Upstream commit e431e79b60603079d269e0c2a5177943b95fa4b6 ]
+
+This saves us writing the IBS control MSR twice when disabling the
+event.
+
+I searched revision guides for all families since 10h, and did not
+find occurrence of erratum #420, nor anything remotely similar:
+so we isolate the secondary MSR write to family 10h only.
+
+Also unconditionally update the count mask for IBS Op implementations
+that have read & writeable current count (CurCnt) fields in addition
+to the MaxCnt field.  These bits were reserved on prior
+implementations, and therefore shouldn't have negative impact.
+
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: c9574fe0bdb9 ("perf/x86-ibs: Implement workaround for IBS erratum #420")
+Link: https://lkml.kernel.org/r/20191023150955.30292-2-kim.phillips@amd.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/ibs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
+index a8317d384773a..5f72b473f3ed3 100644
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -388,7 +388,8 @@ static inline void perf_ibs_disable_event(struct perf_ibs *perf_ibs,
+                                         struct hw_perf_event *hwc, u64 config)
+ {
+       config &= ~perf_ibs->cnt_mask;
+-      wrmsrl(hwc->config_base, config);
++      if (boot_cpu_data.x86 == 0x10)
++              wrmsrl(hwc->config_base, config);
+       config &= ~perf_ibs->enable_mask;
+       wrmsrl(hwc->config_base, config);
+ }
+@@ -563,7 +564,8 @@ static struct perf_ibs perf_ibs_op = {
+       },
+       .msr                    = MSR_AMD64_IBSOPCTL,
+       .config_mask            = IBS_OP_CONFIG_MASK,
+-      .cnt_mask               = IBS_OP_MAX_CNT,
++      .cnt_mask               = IBS_OP_MAX_CNT | IBS_OP_CUR_CNT |
++                                IBS_OP_CUR_CNT_RAND,
+       .enable_mask            = IBS_OP_ENABLE,
+       .valid_mask             = IBS_OP_VAL,
+       .max_period             = IBS_OP_MAX_CNT << 4,
+-- 
+2.20.1
+
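Review bot: The family test `boot_cpu_data.x86 == 0x10` in perf_ibs_disable_event() has no comment naming erratum #420, so the code does not show why the extra MSR write is kept for that family only. I would add `/* erratum #420, family 10h only: write the cleared count first, then clear the enable bit */` above the `if`. Separately, widening `.cnt_mask` in perf_ibs_op changes what `config &= ~perf_ibs->cnt_mask` clears here, and presumably affects every other reader of cnt_mask outside these hunks. A short comment at the initialiser that the CurCnt bits were reserved on earlier implementations would record why that is safe.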
diff --git a/queue-4.9/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch b/queue-4.9/rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch
new file mode 100644 (file)
index 0000000..fa2ebd2
--- /dev/null
@@ -0,0 +1,46 @@
+From 8b40794fdf5bf579deb2e8da0d7fcc14eb82ec83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 18:04:40 +0530
+Subject: RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case
+
+From: Potnuri Bharat Teja <bharat@chelsio.com>
+
+[ Upstream commit d4934f45693651ea15357dd6c7c36be28b6da884 ]
+
+_put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by
+process_work(). fix double free by freeing the skb only in process_work().
+
+Fixes: 1dad0ebeea1c ("iw_cxgb4: Avoid touch after free error in ARP failure handlers")
+Link: https://lore.kernel.org/r/1572006880-5800-1-git-send-email-bharat@chelsio.com
+Signed-off-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index e5752352e0fb1..605d50ad123cc 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -490,7 +490,6 @@ static int _put_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb)
+       ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *)));
+       release_ep_resources(ep);
+-      kfree_skb(skb);
+       return 0;
+ }
+@@ -501,7 +500,6 @@ static int _put_pass_ep_safe(struct c4iw_dev *dev, struct sk_buff *skb)
+       ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *)));
+       c4iw_put_ep(&ep->parent_ep->com);
+       release_ep_resources(ep);
+-      kfree_skb(skb);
+       return 0;
+ }
+-- 
+2.20.1
+
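Review bot: After this change neither _put_ep_safe() nor _put_pass_ep_safe() frees the skb it is handed, and nothing in the code says who does. The commit message states that process_work() frees it, so a one-line comment in each handler, such as `/* skb is freed by process_work(); do not free it here */`, would help keep the double free from being reintroduced. Both functions begin outside their hunks, so this is based on the visible tails only.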
diff --git a/queue-4.9/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch b/queue-4.9/scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch
new file mode 100644 (file)
index 0000000..ab5ed63
--- /dev/null
@@ -0,0 +1,65 @@
+From 94e5921b2ec0bf52409a4974e0c5a4230624ec62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2019 09:21:12 +0200
+Subject: scsi: lpfc: Honor module parameter lpfc_use_adisc
+
+From: Daniel Wagner <dwagner@suse.de>
+
+[ Upstream commit 0fd103ccfe6a06e40e2d9d8c91d96332cc9e1239 ]
+
+The initial lpfc_desc_set_adisc implementation in commit
+dea3101e0a5c ("lpfc: add Emulex FC driver version 8.0.28") enabled ADISC if
+
+       cfg_use_adisc && RSCN_MODE && FCP_2_DEVICE
+
+In commit 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of
+SLI-3") this changed to
+
+       (cfg_use_adisc && RSC_MODE) || FCP_2_DEVICE
+
+and later in commit ffc954936b13 ("[SCSI] lpfc 8.3.13: FC Discovery Fixes
+and enhancements.") to
+
+       (cfg_use_adisc && RSC_MODE) || (FCP_2_DEVICE && FCP_TARGET)
+
+A customer reports that after a devloss, an ADISC failure is logged. It
+turns out the ADISC flag is set even the user explicitly set lpfc_use_adisc
+= 0.
+
+[Sat Dec 22 22:55:58 2018] lpfc 0000:82:00.0: 2:(0):0203 Devloss timeout on WWPN 50:01:43:80:12:8e:40:20 NPort x05df00 Data: x82000000 x8 xa
+[Sat Dec 22 23:08:20 2018] lpfc 0000:82:00.0: 2:(0):2755 ADISC failure DID:05DF00 Status:x9/x70000
+
+[mkp: fixed Hannes' email]
+
+Fixes: 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of SLI-3")
+Cc: Dick Kennedy <dick.kennedy@broadcom.com>
+Cc: James Smart <james.smart@broadcom.com>
+Link: https://lore.kernel.org/r/20191022072112.132268-1-dwagner@suse.de
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Daniel Wagner <dwagner@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 56a3df4fddb05..21ec7b5b6c85c 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -759,9 +759,9 @@ lpfc_disc_set_adisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
+       if (!(vport->fc_flag & FC_PT2PT)) {
+               /* Check config parameter use-adisc or FCP-2 */
+-              if ((vport->cfg_use_adisc && (vport->fc_flag & FC_RSCN_MODE)) ||
++              if (vport->cfg_use_adisc && ((vport->fc_flag & FC_RSCN_MODE) ||
+                   ((ndlp->nlp_fcp_info & NLP_FCP_2_DEVICE) &&
+-                   (ndlp->nlp_type & NLP_FCP_TARGET))) {
++                   (ndlp->nlp_type & NLP_FCP_TARGET)))) {
+                       spin_lock_irq(shost->host_lock);
+                       ndlp->nlp_flag |= NLP_NPR_ADISC;
+                       spin_unlock_irq(shost->host_lock);
+-- 
+2.20.1
+
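Review bot: The context comment `/* Check config parameter use-adisc or FCP-2 */` no longer matches the condition below it. With the new parenthesisation an FCP-2 target alone does not set NLP_NPR_ADISC; cfg_use_adisc must be set as well. I would update the comment to `/* ADISC only when use-adisc is set, and then in RSCN mode or for an FCP-2 target */` so the next reader does not restore the old grouping. lpfc_disc_set_adisc() starts and ends outside the hunk.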
diff --git a/queue-4.9/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch b/queue-4.9/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch
new file mode 100644 (file)
index 0000000..7d47ec0
--- /dev/null
@@ -0,0 +1,56 @@
+From 85b04c2d62ea658804956bd8a55f668b67a34bd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2019 16:04:58 +0200
+Subject: scsi: qla2xxx: fixup incorrect usage of host_byte
+
+From: Hannes Reinecke <hare@suse.com>
+
+[ Upstream commit 66cf50e65b183c863825f5c28a818e3f47a72e40 ]
+
+DRIVER_ERROR is a a driver byte setting, not a host byte.  The qla2xxx
+driver should rather return DID_ERROR here to be in line with the other
+drivers.
+
+Link: https://lore.kernel.org/r/20191018140458.108278-1-hare@suse.de
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
+index 4a6e086279f9a..33e4dceb895f2 100644
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -252,7 +252,7 @@ qla2x00_process_els(struct fc_bsg_job *bsg_job)
+       srb_t *sp;
+       const char *type;
+       int req_sg_cnt, rsp_sg_cnt;
+-      int rval =  (DRIVER_ERROR << 16);
++      int rval =  (DID_ERROR << 16);
+       uint16_t nextlid = 0;
+       if (bsg_job->request->msgcode == FC_BSG_RPT_ELS) {
+@@ -426,7 +426,7 @@ qla2x00_process_ct(struct fc_bsg_job *bsg_job)
+       struct Scsi_Host *host = bsg_job->shost;
+       scsi_qla_host_t *vha = shost_priv(host);
+       struct qla_hw_data *ha = vha->hw;
+-      int rval = (DRIVER_ERROR << 16);
++      int rval = (DID_ERROR << 16);
+       int req_sg_cnt, rsp_sg_cnt;
+       uint16_t loop_id;
+       struct fc_port *fcport;
+@@ -1911,7 +1911,7 @@ qlafx00_mgmt_cmd(struct fc_bsg_job *bsg_job)
+       struct Scsi_Host *host = bsg_job->shost;
+       scsi_qla_host_t *vha = shost_priv(host);
+       struct qla_hw_data *ha = vha->hw;
+-      int rval = (DRIVER_ERROR << 16);
++      int rval = (DID_ERROR << 16);
+       struct qla_mt_iocb_rqst_fx00 *piocb_rqst;
+       srb_t *sp;
+       int req_sg_cnt = 0, rsp_sg_cnt = 0;
+-- 
+2.20.1
+
diff --git a/queue-4.9/scsi-qla2xxx-stop-timer-in-shutdown-path.patch b/queue-4.9/scsi-qla2xxx-stop-timer-in-shutdown-path.patch
new file mode 100644 (file)
index 0000000..82d0a94
--- /dev/null
@@ -0,0 +1,49 @@
+From df7b5887c002fda414dfd6fb442e5bed1ed3741a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 16:38:04 +1000
+Subject: scsi: qla2xxx: stop timer in shutdown path
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit d3566abb1a1e7772116e4d50fb6a58d19c9802e5 ]
+
+In shutdown/reboot paths, the timer is not stopped:
+
+  qla2x00_shutdown
+  pci_device_shutdown
+  device_shutdown
+  kernel_restart_prepare
+  kernel_restart
+  sys_reboot
+
+This causes lockups (on powerpc) when firmware config space access calls
+are interrupted by smp_send_stop later in reboot.
+
+Fixes: e30d1756480dc ("[SCSI] qla2xxx: Addition of shutdown callback handler.")
+Link: https://lore.kernel.org/r/20191024063804.14538-1-npiggin@gmail.com
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index c813c9b75a10b..3bae56b202f87 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3077,6 +3077,10 @@ qla2x00_shutdown(struct pci_dev *pdev)
+       /* Stop currently executing firmware. */
+       qla2x00_try_to_stop_firmware(vha);
++      /* Disable timer */
++      if (vha->timer_active)
++              qla2x00_stop_timer(vha);
++
+       /* Turn adapter off line */
+       vha->flags.online = 0;
+-- 
+2.20.1
+
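Review bot: The added comment `/* Disable timer */` in qla2x00_shutdown() restates the call and omits the reason given in the commit message. Something like `/* Stop the timer so it cannot run during reboot, after other CPUs have been stopped */` would record why the call belongs in the shutdown path. The function starts and continues outside the hunk, so the placement relative to the rest of the teardown cannot be judged from here.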
index da1ded9c2cfee35e2668e2ce91132fcc16f1309f..dd8911dd60f5a9c0e5010154e687de6a7774cbff 100644 (file)
@@ -35,3 +35,29 @@ usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch
 usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch
 drivers-usb-usbip-add-missing-break-statement-to-switch.patch
 pci-tegra-enable-relaxed-ordering-only-for-tegra20-tegra30.patch
+dmaengine-xilinx_dma-fix-control-reg-update-in-vdma_.patch
+hid-intel-ish-hid-fix-wrong-error-handling-in-ishtp_.patch
+scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch
+scsi-lpfc-honor-module-parameter-lpfc_use_adisc.patch
+ipvs-move-old_secure_tcp-into-struct-netns_ipvs.patch
+bonding-fix-unexpected-iff_bonding-bit-unset.patch
+usb-fsl-check-memory-resource-before-releasing-it.patch
+usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch
+usb-gadget-composite-fix-possible-double-free-memory.patch
+usb-gadget-configfs-fix-concurrent-issue-between-com.patch
+usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch
+perf-x86-amd-ibs-fix-reading-of-the-ibs-opdata-regis.patch
+perf-x86-amd-ibs-handle-erratum-420-only-on-the-affe.patch
+usb-skip-endpoints-with-0-maxpacket-length.patch
+rdma-iw_cxgb4-avoid-freeing-skb-twice-in-arp-failure.patch
+scsi-qla2xxx-stop-timer-in-shutdown-path.patch
+fjes-handle-workqueue-allocation-failure.patch
+net-hisilicon-fix-trying-to-free-already-free-irq.patch
+nfsv4-don-t-allow-a-cached-open-with-a-revoked-deleg.patch
+net-ethernet-arc-add-the-missed-clk_disable_unprepar.patch
+igb-fix-constant-media-auto-sense-switching-when-no-.patch
+e1000-fix-memory-leaks.patch
+x86-apic-move-pending-interrupt-check-code-into-it-s.patch
+x86-apic-drop-logical_smp_processor_id-inline.patch
+x86-apic-32-avoid-bogus-ldr-warnings.patch
+can-flexcan-disable-completely-the-ecc-mechanism.patch
diff --git a/queue-4.9/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch b/queue-4.9/usb-dwc3-remove-the-call-trace-of-usbx_gfladj.patch
new file mode 100644 (file)
index 0000000..afc7c13
--- /dev/null
@@ -0,0 +1,44 @@
+From 0d3e038313ae29a2eb54b905fea70eec4f24974b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2019 14:46:07 +0800
+Subject: usb: dwc3: remove the call trace of USBx_GFLADJ
+
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+
+[ Upstream commit a7d9874c6f3fbc8d25cd9ceba35b6822612c4ebf ]
+
+layerscape board sometimes reported some usb call trace, that is due to
+kernel sent LPM tokerns automatically when it has no pending transfers
+and think that the link is idle enough to enter L1, which procedure will
+ask usb register has a recovery,then kernel will compare USBx_GFLADJ and
+set GFLADJ_30MHZ, GFLADJ_30MHZ_REG until GFLADJ_30MHZ is equal 0x20, if
+the conditions were met then issue occur, but whatever the conditions
+whether were met that usb is all need keep GFLADJ_30MHZ of value is 0x20
+(xhci spec ask use GFLADJ_30MHZ to adjust any offset from clock source
+that generates the clock that drives the SOF counter, 0x20 is default
+value of it)That is normal logic, so need remove the call trace.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 73dc5a6c61088..7154a93f01143 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -227,8 +227,7 @@ static void dwc3_frame_length_adjustment(struct dwc3 *dwc)
+       reg = dwc3_readl(dwc->regs, DWC3_GFLADJ);
+       dft = reg & DWC3_GFLADJ_30MHZ_MASK;
+-      if (!dev_WARN_ONCE(dwc->dev, dft == dwc->fladj,
+-          "request value same as default, ignoring\n")) {
++      if (dft != dwc->fladj) {
+               reg &= ~DWC3_GFLADJ_30MHZ_MASK;
+               reg |= DWC3_GFLADJ_30MHZ_SDBND_SEL | dwc->fladj;
+               dwc3_writel(dwc->regs, DWC3_GFLADJ, reg);
+-- 
+2.20.1
+
diff --git a/queue-4.9/usb-fsl-check-memory-resource-before-releasing-it.patch b/queue-4.9/usb-fsl-check-memory-resource-before-releasing-it.patch
new file mode 100644 (file)
index 0000000..2b057fe
--- /dev/null
@@ -0,0 +1,37 @@
+From 65472cf5bc4cfc379db0f63757ef6cd031af6025 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 18:21:51 +0800
+Subject: usb: fsl: Check memory resource before releasing it
+
+From: Nikhil Badola <nikhil.badola@freescale.com>
+
+[ Upstream commit bc1e3a2dd0c9954fd956ac43ca2876bbea018c01 ]
+
+Check memory resource existence before releasing it to avoid NULL
+pointer dereference
+
+Signed-off-by: Nikhil Badola <nikhil.badola@freescale.com>
+Reviewed-by: Ran Wang <ran.wang_1@nxp.com>
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
+index 8991a40707926..bd98557caa280 100644
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -2570,7 +2570,7 @@ static int fsl_udc_remove(struct platform_device *pdev)
+       dma_pool_destroy(udc_controller->td_pool);
+       free_irq(udc_controller->irq, udc_controller);
+       iounmap(dr_regs);
+-      if (pdata->operating_mode == FSL_USB2_DR_DEVICE)
++      if (res && (pdata->operating_mode == FSL_USB2_DR_DEVICE))
+               release_mem_region(res->start, resource_size(res));
+       /* free udc --wait for the release() finished */
+-- 
+2.20.1
+
diff --git a/queue-4.9/usb-gadget-composite-fix-possible-double-free-memory.patch b/queue-4.9/usb-gadget-composite-fix-possible-double-free-memory.patch
new file mode 100644 (file)
index 0000000..493b59f
--- /dev/null
@@ -0,0 +1,67 @@
+From 896d24c8c6801cfa937a6105ab74cf9bb41ffff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 13:16:48 +0530
+Subject: usb: gadget: composite: Fix possible double free memory bug
+
+From: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
+
+[ Upstream commit 1c20c89b0421b52b2417bb0f62a611bc669eda1d ]
+
+composite_dev_cleanup call from the failure of configfs_composite_bind
+frees up the cdev->os_desc_req and cdev->req. If the previous calls of
+bind and unbind is successful these will carry stale values.
+
+Consider the below sequence of function calls:
+configfs_composite_bind()
+        composite_dev_prepare()
+                - Allocate cdev->req, cdev->req->buf
+        composite_os_desc_req_prepare()
+                - Allocate cdev->os_desc_req, cdev->os_desc_req->buf
+configfs_composite_unbind()
+        composite_dev_cleanup()
+                - free the cdev->os_desc_req->buf and cdev->req->buf
+Next composition switch
+configfs_composite_bind()
+        - If it fails goto err_comp_cleanup will call the
+         composite_dev_cleanup() function
+        composite_dev_cleanup()
+               - calls kfree up with the stale values of cdev->req->buf and
+                 cdev->os_desc_req from the previous configfs_composite_bind
+                 call. The free call on these stale values leads to double free.
+
+Hence, Fix this issue by setting request and buffer pointer to NULL after
+kfree.
+
+Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 9fa168af847b5..854c4ec0af2c5 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2179,14 +2179,18 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev)
+                       usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req);
+               kfree(cdev->os_desc_req->buf);
++              cdev->os_desc_req->buf = NULL;
+               usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req);
++              cdev->os_desc_req = NULL;
+       }
+       if (cdev->req) {
+               if (cdev->setup_pending)
+                       usb_ep_dequeue(cdev->gadget->ep0, cdev->req);
+               kfree(cdev->req->buf);
++              cdev->req->buf = NULL;
+               usb_ep_free_request(cdev->gadget->ep0, cdev->req);
++              cdev->req = NULL;
+       }
+       cdev->next_string_id = 0;
+       device_remove_file(&cdev->gadget->dev, &dev_attr_suspended);
+-- 
+2.20.1
+
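Review bot: The stores `cdev->os_desc_req->buf = NULL;` and `cdev->req->buf = NULL;` in composite_dev_cleanup() write into requests that are passed to usb_ep_free_request() on the very next line. What actually protects a later cleanup call is `cdev->os_desc_req = NULL;` and `cdev->req = NULL;`, because the visible `if (cdev->req)` guard then skips the block. The guard for os_desc_req is presumably the same but lies outside the hunk. I would either drop the two `->buf` stores or add a comment such as `/* clear so a repeated composite_dev_cleanup() after a failed bind is a no-op */` at the pointer resets, so the invariant is stated where it is enforced.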
diff --git a/queue-4.9/usb-gadget-configfs-fix-concurrent-issue-between-com.patch b/queue-4.9/usb-gadget-configfs-fix-concurrent-issue-between-com.patch
new file mode 100644 (file)
index 0000000..3b7c00a
--- /dev/null
@@ -0,0 +1,422 @@
+From f88eb79f89465d2bd8969bb297b20395beed5bd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2019 15:10:55 -0400
+Subject: usb: gadget: configfs: fix concurrent issue between composite APIs
+
+From: Peter Chen <peter.chen@nxp.com>
+
+[ Upstream commit 1a1c851bbd706ea9f3a9756c2d3db28523506d3b ]
+
+We meet several NULL pointer issues if configfs_composite_unbind
+and composite_setup (or composite_disconnect) are running together.
+These issues occur when do the function switch stress test, the
+configfs_compsoite_unbind is called from user mode by
+echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt
+or disconnect interrupt occurs by hardware. The composite_setup
+will get the cdev from get_gadget_data, but configfs_composite_unbind
+will set gadget data as NULL, so the NULL pointer issue occurs.
+This concurrent is hard to reproduce by native kernel, but can be
+reproduced by android kernel.
+
+In this commit, we introduce one spinlock belongs to structure
+gadget_info since we can't use the same spinlock in usb_composite_dev
+due to exclusive running together between composite_setup and
+configfs_composite_unbind. And one bit flag 'unbind' to indicate the
+code is at unbind routine, this bit is needed due to we release the
+lock at during configfs_composite_unbind sometimes, and composite_setup
+may be run at that time.
+
+Several oops:
+
+oops 1:
+android_work: sent uevent USB_STATE=CONNECTED
+configfs-gadget gadget: super-speed config #1: b
+android_work: sent uevent USB_STATE=CONFIGURED
+init: Received control message 'start' for 'adbd' from pid: 3515 (system_server)
+Unable to handle kernel NULL pointer dereference at virtual address 0000002a
+init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic)
+Mem abort info:
+  Exception class = DABT (current EL), IL = 32 bits
+  SET = 0, FnV = 0
+  EA = 0, S1PTW = 0
+Data abort info:
+  ISV = 0, ISS = 0x00000004
+  CM = 0, WnR = 0
+user pgtable: 4k pages, 48-bit VAs, pgd = ffff8008f1b7f000
+[000000000000002a] *pgd=0000000000000000
+Internal error: Oops: 96000004 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16
+Hardware name: Freescale i.MX8QM MEK (DT)
+task: ffff8008f2a98000 task.stack: ffff00000b7b8000
+PC is at composite_setup+0x44/0x1508
+LR is at android_setup+0xb8/0x13c
+pc : [<ffff0000089ffb3c>] lr : [<ffff000008a032fc>] pstate: 800001c5
+sp : ffff00000b7bbb80
+x29: ffff00000b7bbb80 x28: ffff8008f2a3c010
+x27: 0000000000000001 x26: 0000000000000000                                                          [1232/1897]
+audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64
+x25: 00000000ffffffa1 x24: ffff8008f2a3c010
+audit: rate limit exceeded
+x23: 0000000000000409 x22: ffff000009c8e000
+x21: ffff8008f7a8b428 x20: ffff00000afae000
+x19: ffff0000089ff000 x18: 0000000000000000
+x17: 0000000000000000 x16: ffff0000082b7c9c
+x15: 0000000000000000 x14: f1866f5b952aca46
+x13: e35502e30d44349c x12: 0000000000000008
+x11: 0000000000000008 x10: 0000000000000a30
+x9 : ffff00000b7bbd00 x8 : ffff8008f2a98a90
+x7 : ffff8008f27a9c90 x6 : 0000000000000001
+x5 : 0000000000000000 x4 : 0000000000000001
+x3 : 0000000000000000 x2 : 0000000000000006
+x1 : ffff0000089ff8d0 x0 : 732a010310b9ed00
+
+X7: 0xffff8008f27a9c10:
+9c10  00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040
+9c30  00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000
+9c50  00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078
+9c70  00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000
+9c90  00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008
+9cb0  f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001
+9cd0  870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000
+using random self ethernet address
+9cf0  019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000
+using random host ethernet address
+ 00000000
+
+X8: 0xffff8008f2a98a10:
+8a10  00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000
+8a30  eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000
+8a50  f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000
+8a70  fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000
+8a90  080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000
+8ab0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+8ad0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+8af0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+
+X21: 0xffff8008f7a8b3a8:
+b3a8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+b3c8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+b3e8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+b408  00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000
+b428  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+b448  0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003
+b468  e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008
+b488  f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000
+
+X24: 0xffff8008f2a3bf90:
+bf90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
+c010  00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
+c030  f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
+c050  f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
+c070  f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
+
+X28: 0xffff8008f2a3bf90:
+bf90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
+c010  00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
+c030  f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
+c050  f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
+c070  f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
+
+Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000)
+Call trace:
+Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80)
+ba40: 732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000
+ba60: 0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90
+ba80: ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008
+baa0: 0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000
+bac0: ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000
+bae0: ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409
+bb00: ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001
+bb20: ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80
+bb40: ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00
+bb60: ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c
+[<ffff0000089ffb3c>] composite_setup+0x44/0x1508
+[<ffff000008a032fc>] android_setup+0xb8/0x13c
+[<ffff0000089bd9a8>] cdns3_ep0_delegate_req+0x44/0x70
+[<ffff0000089bdff4>] cdns3_check_ep0_interrupt_proceed+0x33c/0x654
+[<ffff0000089bca44>] cdns3_device_thread_irq_handler+0x4b0/0x4bc
+[<ffff0000089b77b4>] cdns3_thread_irq+0x48/0x68
+[<ffff000008145bf0>] irq_thread_fn+0x28/0x88
+[<ffff000008145e38>] irq_thread+0x13c/0x228
+[<ffff0000080fed70>] kthread+0x104/0x130
+[<ffff000008085064>] ret_from_fork+0x10/0x18
+
+oops2:
+composite_disconnect: Calling disconnect on a Gadget that is                      not connected
+android_work: did not send uevent (0 0           (null))
+init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
+init: Sending signal 9 to service 'adbd' (pid 22343) process group...
+------------[ cut here ]------------
+audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64
+audit: rate limit exceeded
+WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88
+Modules linked in:
+CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16
+Hardware name: Freescale i.MX8QM MEK (DT)
+task: ffff8008f2349c00 task.stack: ffff00000b0a8000
+PC is at composite_disconnect+0x80/0x88
+LR is at composite_disconnect+0x80/0x88
+pc : [<ffff0000089ff9b0>] lr : [<ffff0000089ff9b0>] pstate: 600001c5
+sp : ffff000008003dd0
+x29: ffff000008003dd0 x28: ffff8008f2349c00
+x27: ffff000009885018 x26: ffff000008004000
+Timeout for IPC response!
+x25: ffff000009885018 x24: ffff000009c8e280
+x23: ffff8008f2d98010 x22: 00000000000001c0
+x21: ffff8008f2d98394 x20: ffff8008f2d98010
+x19: 0000000000000000 x18: 0000e3956f4f075a
+fxos8700 4-001e: i2c block read acc failed
+x17: 0000e395735727e8 x16: ffff00000829f4d4
+x15: ffffffffffffffff x14: 7463656e6e6f6320
+x13: 746f6e2009090920 x12: 7369207461687420
+x11: 7465676461472061 x10: 206e6f207463656e
+x9 : 6e6f637369642067 x8 : ffff000009c8e280
+x7 : ffff0000086ca6cc x6 : ffff000009f15e78
+x5 : 0000000000000000 x4 : 0000000000000000
+x3 : ffffffffffffffff x2 : c3f28b86000c3900
+x1 : c3f28b86000c3900 x0 : 000000000000004e
+
+X20: 0xffff8008f2d97f90:
+7f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain
+7fd0
+Timeout for IPC response!
+ 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+using random self ethernet address
+7ff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
+8010  00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc
+using random host ethernet address
+ ffff0000
+8030  f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
+8050  f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
+8070  f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
+
+X21: 0xffff8008f2d98314:
+8314  ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+8334  00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000
+8354  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+8374  00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000
+8394  e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400
+Timeout for IPC response!
+83b4  ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018
+83d4  ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918
+83f4  ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000
+
+X23: 0xffff8008f2d97f90:
+7f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7ff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
+8010  00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000
+8030  f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
+8050  f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
+8070  f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
+
+X28: 0xffff8008f2349b80:
+9b80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9ba0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9bc0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9be0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9c00  00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000
+9c20  0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000
+9c40  00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008
+9c60  00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000
+
+Call trace:
+Exception stack(0xffff000008003c90 to 0xffff000008003dd0)
+3c80:                                   000000000000004e c3f28b86000c3900
+3ca0: c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000
+3cc0: ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067
+3ce0: 206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920
+3d00: 7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8
+3d20: 0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394
+3d40: 00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018
+3d60: ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0
+3d80: ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5
+3da0: ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000
+init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
+3dc0: ffff000008003dd0 ffff0000089ff9b0
+[<ffff0000089ff9b0>] composite_disconnect+0x80/0x88
+[<ffff000008a044d4>] android_disconnect+0x3c/0x68
+[<ffff0000089ba9f8>] cdns3_device_irq_handler+0xfc/0x2c8
+[<ffff0000089b84c0>] cdns3_irq+0x44/0x94
+[<ffff00000814494c>] __handle_irq_event_percpu+0x60/0x24c
+[<ffff000008144c0c>] handle_irq_event+0x58/0xc0
+[<ffff00000814873c>] handle_fasteoi_irq+0x98/0x180
+[<ffff000008143a10>] generic_handle_irq+0x24/0x38
+[<ffff000008144170>] __handle_domain_irq+0x60/0xac
+[<ffff0000080819c4>] gic_handle_irq+0xd4/0x17c
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/configfs.c | 110 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 105 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index a5ca409dc97e1..b5315a47f0b96 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -60,6 +60,8 @@ struct gadget_info {
+       bool use_os_desc;
+       char b_vendor_code;
+       char qw_sign[OS_STRING_QW_SIGN_LEN];
++      spinlock_t spinlock;
++      bool unbind;
+ };
+ static inline struct gadget_info *to_gadget_info(struct config_item *item)
+@@ -1241,6 +1243,7 @@ static int configfs_composite_bind(struct usb_gadget *gadget,
+       int                             ret;
+       /* the gi->lock is hold by the caller */
++      gi->unbind = 0;
+       cdev->gadget = gadget;
+       set_gadget_data(gadget, cdev);
+       ret = composite_dev_prepare(composite, cdev);
+@@ -1373,31 +1376,128 @@ static void configfs_composite_unbind(struct usb_gadget *gadget)
+ {
+       struct usb_composite_dev        *cdev;
+       struct gadget_info              *gi;
++      unsigned long flags;
+       /* the gi->lock is hold by the caller */
+       cdev = get_gadget_data(gadget);
+       gi = container_of(cdev, struct gadget_info, cdev);
++      spin_lock_irqsave(&gi->spinlock, flags);
++      gi->unbind = 1;
++      spin_unlock_irqrestore(&gi->spinlock, flags);
+       kfree(otg_desc[0]);
+       otg_desc[0] = NULL;
+       purge_configs_funcs(gi);
+       composite_dev_cleanup(cdev);
+       usb_ep_autoconfig_reset(cdev->gadget);
++      spin_lock_irqsave(&gi->spinlock, flags);
+       cdev->gadget = NULL;
+       set_gadget_data(gadget, NULL);
++      spin_unlock_irqrestore(&gi->spinlock, flags);
++}
++
++static int configfs_composite_setup(struct usb_gadget *gadget,
++              const struct usb_ctrlrequest *ctrl)
++{
++      struct usb_composite_dev *cdev;
++      struct gadget_info *gi;
++      unsigned long flags;
++      int ret;
++
++      cdev = get_gadget_data(gadget);
++      if (!cdev)
++              return 0;
++
++      gi = container_of(cdev, struct gadget_info, cdev);
++      spin_lock_irqsave(&gi->spinlock, flags);
++      cdev = get_gadget_data(gadget);
++      if (!cdev || gi->unbind) {
++              spin_unlock_irqrestore(&gi->spinlock, flags);
++              return 0;
++      }
++
++      ret = composite_setup(gadget, ctrl);
++      spin_unlock_irqrestore(&gi->spinlock, flags);
++      return ret;
++}
++
++static void configfs_composite_disconnect(struct usb_gadget *gadget)
++{
++      struct usb_composite_dev *cdev;
++      struct gadget_info *gi;
++      unsigned long flags;
++
++      cdev = get_gadget_data(gadget);
++      if (!cdev)
++              return;
++
++      gi = container_of(cdev, struct gadget_info, cdev);
++      spin_lock_irqsave(&gi->spinlock, flags);
++      cdev = get_gadget_data(gadget);
++      if (!cdev || gi->unbind) {
++              spin_unlock_irqrestore(&gi->spinlock, flags);
++              return;
++      }
++
++      composite_disconnect(gadget);
++      spin_unlock_irqrestore(&gi->spinlock, flags);
++}
++
++static void configfs_composite_suspend(struct usb_gadget *gadget)
++{
++      struct usb_composite_dev *cdev;
++      struct gadget_info *gi;
++      unsigned long flags;
++
++      cdev = get_gadget_data(gadget);
++      if (!cdev)
++              return;
++
++      gi = container_of(cdev, struct gadget_info, cdev);
++      spin_lock_irqsave(&gi->spinlock, flags);
++      cdev = get_gadget_data(gadget);
++      if (!cdev || gi->unbind) {
++              spin_unlock_irqrestore(&gi->spinlock, flags);
++              return;
++      }
++
++      composite_suspend(gadget);
++      spin_unlock_irqrestore(&gi->spinlock, flags);
++}
++
++static void configfs_composite_resume(struct usb_gadget *gadget)
++{
++      struct usb_composite_dev *cdev;
++      struct gadget_info *gi;
++      unsigned long flags;
++
++      cdev = get_gadget_data(gadget);
++      if (!cdev)
++              return;
++
++      gi = container_of(cdev, struct gadget_info, cdev);
++      spin_lock_irqsave(&gi->spinlock, flags);
++      cdev = get_gadget_data(gadget);
++      if (!cdev || gi->unbind) {
++              spin_unlock_irqrestore(&gi->spinlock, flags);
++              return;
++      }
++
++      composite_resume(gadget);
++      spin_unlock_irqrestore(&gi->spinlock, flags);
+ }
+ static const struct usb_gadget_driver configfs_driver_template = {
+       .bind           = configfs_composite_bind,
+       .unbind         = configfs_composite_unbind,
+-      .setup          = composite_setup,
+-      .reset          = composite_disconnect,
+-      .disconnect     = composite_disconnect,
++      .setup          = configfs_composite_setup,
++      .reset          = configfs_composite_disconnect,
++      .disconnect     = configfs_composite_disconnect,
+-      .suspend        = composite_suspend,
+-      .resume         = composite_resume,
++      .suspend        = configfs_composite_suspend,
++      .resume         = configfs_composite_resume,
+       .max_speed      = USB_SPEED_SUPER,
+       .driver = {
+-- 
+2.20.1
+
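Review bot: `gi->spinlock` is added to `struct gadget_info` and taken in `configfs_composite_unbind()` and in the four new `configfs_composite_*` wrappers, but no hunk of this patch initialises it. The allocation of `gadget_info` is outside the hunks, so this is inferred; if the structure is only zero-filled there, the lock is relied on without ever being set up, which spinlock debugging or lockdep builds will report. I would add `spin_lock_init(&gi->spinlock);` wherever `gi->lock` is set up. Separately, `unbind` is declared `bool` but assigned `0` and `1`; `gi->unbind = false;` in bind and `gi->unbind = true;` in unbind would match the type.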
diff --git a/queue-4.9/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch b/queue-4.9/usb-gadget-udc-atmel-fix-interrupt-storm-in-fifo-mod.patch
new file mode 100644 (file)
index 0000000..ab4bf25
--- /dev/null
@@ -0,0 +1,42 @@
+From a37f1c91c807ce77d94ed16c1c2eb34e35e3de7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2019 20:10:54 +0300
+Subject: usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode.
+
+From: Cristian Birsan <cristian.birsan@microchip.com>
+
+[ Upstream commit ba3a1a915c49cc3023e4ddfc88f21e7514e82aa4 ]
+
+Fix interrupt storm generated by endpoints when working in FIFO mode.
+The TX_COMPLETE interrupt is used only by control endpoints processing.
+Do not enable it for other types of endpoints.
+
+Fixes: 914a3f3b3754 ("USB: add atmel_usba_udc driver")
+Signed-off-by: Cristian Birsan <cristian.birsan@microchip.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/atmel_usba_udc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
+index 9705bcdbc577f..57dd3bad95397 100644
+--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
+@@ -403,9 +403,11 @@ static void submit_request(struct usba_ep *ep, struct usba_request *req)
+               next_fifo_transaction(ep, req);
+               if (req->last_transaction) {
+                       usba_ep_writel(ep, CTL_DIS, USBA_TX_PK_RDY);
+-                      usba_ep_writel(ep, CTL_ENB, USBA_TX_COMPLETE);
++                      if (ep_is_control(ep))
++                              usba_ep_writel(ep, CTL_ENB, USBA_TX_COMPLETE);
+               } else {
+-                      usba_ep_writel(ep, CTL_DIS, USBA_TX_COMPLETE);
++                      if (ep_is_control(ep))
++                              usba_ep_writel(ep, CTL_DIS, USBA_TX_COMPLETE);
+                       usba_ep_writel(ep, CTL_ENB, USBA_TX_PK_RDY);
+               }
+       }
+-- 
+2.20.1
+
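Review bot: The two new `if (ep_is_control(ep))` guards in the FIFO branch of `submit_request()` carry no comment, so the reason TX_COMPLETE is left untouched for non-control endpoints is recorded only in the commit message. A one-line comment above the first guard would keep it with the code: `/* TX_COMPLETE is used only by control endpoint processing */`. The function body starts and ends outside the hunk.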
diff --git a/queue-4.9/usb-skip-endpoints-with-0-maxpacket-length.patch b/queue-4.9/usb-skip-endpoints-with-0-maxpacket-length.patch
new file mode 100644 (file)
index 0000000..0d64207
--- /dev/null
@@ -0,0 +1,49 @@
+From a3b421cf5582c370c607b60af451a24df95c75c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Oct 2019 10:52:35 -0400
+Subject: USB: Skip endpoints with 0 maxpacket length
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+[ Upstream commit d482c7bb0541d19dea8bff437a9f3c5563b5b2d2 ]
+
+Endpoints with a maxpacket length of 0 are probably useless.  They
+can't transfer any data, and it's not at all unlikely that an HCD will
+crash or hang when trying to handle an URB for such an endpoint.
+
+Currently the USB core does not check for endpoints having a maxpacket
+value of 0.  This patch adds a check, printing a warning and skipping
+over any endpoints it catches.
+
+Now, the USB spec does not rule out endpoints having maxpacket = 0.
+But since they wouldn't have any practical use, there doesn't seem to
+be any good reason for us to accept them.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281050420.1485-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/config.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 94ec2dc27748e..e8061b02b7e3b 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -343,6 +343,11 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
+       /* Validate the wMaxPacketSize field */
+       maxp = usb_endpoint_maxp(&endpoint->desc);
++      if (maxp == 0) {
++              dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has wMaxPacketSize 0, skipping\n",
++                  cfgno, inum, asnum, d->bEndpointAddress);
++              goto skip_to_next_endpoint_or_interface_descriptor;
++      }
+       /* Find the highest legal maxpacket size for this endpoint */
+       i = 0;          /* additional transactions per microframe */
+-- 
+2.20.1
+
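Review bot: The added `maxp == 0` branch in `usb_parse_endpoint()` does more than warn: the `goto skip_to_next_endpoint_or_interface_descriptor;` removes the endpoint from the parsed configuration, although the commit message itself notes that the USB spec allows such endpoints. A device-supplied descriptor that was accepted before now disappears for every interface driver, so a driver that looks this endpoint up (zero-bandwidth alternate settings are the likely case) may stop binding; whether any driver depends on it is not visible here. If the aim is only to keep URBs away from such endpoints, the narrower change is to keep the `dev_warn(...)` and drop the `goto` line, provided the URB submission path already rejects a zero maxpacket, which is outside this hunk. The function continues beyond the hunk.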
diff --git a/queue-4.9/x86-apic-32-avoid-bogus-ldr-warnings.patch b/queue-4.9/x86-apic-32-avoid-bogus-ldr-warnings.patch
new file mode 100644 (file)
index 0000000..aa2c6cc
--- /dev/null
@@ -0,0 +1,85 @@
+From 7b93c8bfd5d4d8fb5952b4a2a69758983c2d916d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 10:34:19 +0100
+Subject: x86/apic/32: Avoid bogus LDR warnings
+
+From: Jan Beulich <jbeulich@suse.com>
+
+[ Upstream commit fe6f85ca121e9c74e7490fe66b0c5aae38e332c3 ]
+
+The removal of the LDR initialization in the bigsmp_32 APIC code unearthed
+a problem in setup_local_APIC().
+
+The code checks unconditionally for a mismatch of the logical APIC id by
+comparing the early APIC id which was initialized in get_smp_config() with
+the actual LDR value in the APIC.
+
+Due to the removal of the bogus LDR initialization the check now can
+trigger on bigsmp_32 APIC systems emitting a warning for every booting
+CPU. This is of course a false positive because the APIC is not using
+logical destination mode.
+
+Restrict the check and the possibly resulting fixup to systems which are
+actually using the APIC in logical destination mode.
+
+[ tglx: Massaged changelog and added Cc stable ]
+
+Fixes: bae3a8d3308 ("x86/apic: Do not initialize LDR and DFR for bigsmp")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/666d8f91-b5a8-1afd-7add-821e72a35f03@suse.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/apic.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index ad2a220a4a7f7..722a76b88bcc0 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1341,9 +1341,6 @@ void setup_local_APIC(void)
+ {
+       int cpu = smp_processor_id();
+       unsigned int value;
+-#ifdef CONFIG_X86_32
+-      int logical_apicid, ldr_apicid;
+-#endif
+       if (disable_apic) {
+@@ -1384,16 +1381,21 @@ void setup_local_APIC(void)
+       apic->init_apic_ldr();
+ #ifdef CONFIG_X86_32
+-      /*
+-       * APIC LDR is initialized.  If logical_apicid mapping was
+-       * initialized during get_smp_config(), make sure it matches the
+-       * actual value.
+-       */
+-      logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu);
+-      ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR));
+-      WARN_ON(logical_apicid != BAD_APICID && logical_apicid != ldr_apicid);
+-      /* always use the value from LDR */
+-      early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid;
++      if (apic->dest_logical) {
++              int logical_apicid, ldr_apicid;
++
++              /*
++               * APIC LDR is initialized.  If logical_apicid mapping was
++               * initialized during get_smp_config(), make sure it matches
++               * the actual value.
++               */
++              logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu);
++              ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR));
++              if (logical_apicid != BAD_APICID)
++                      WARN_ON(logical_apicid != ldr_apicid);
++              /* Always use the value from LDR. */
++              early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid;
++      }
+ #endif
+       /*
+-- 
+2.20.1
+
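Review bot: The comment inside the new `if (apic->dest_logical)` block in `setup_local_APIC()` still explains only the LDR comparison and not why the check is now conditional. I would add a line above the `if`, such as `/* Only meaningful in logical destination mode; bigsmp no longer initialises LDR. */`, since that reason is currently recorded only in the commit message. The split into `if (logical_apicid != BAD_APICID) WARN_ON(logical_apicid != ldr_apicid);` tests the same condition as the previous single `WARN_ON(... && ...)`. The function body extends beyond the hunk.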
diff --git a/queue-4.9/x86-apic-drop-logical_smp_processor_id-inline.patch b/queue-4.9/x86-apic-drop-logical_smp_processor_id-inline.patch
new file mode 100644 (file)
index 0000000..bcce219
--- /dev/null
@@ -0,0 +1,80 @@
+From 8abdd062d965fdc7a3365f3c2cbf89bf78c6c25c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Mar 2018 13:59:30 +0800
+Subject: x86/apic: Drop logical_smp_processor_id() inline
+
+From: Dou Liyang <douly.fnst@cn.fujitsu.com>
+
+[ Upstream commit 8f1561680f42a5491b371b513f1ab8197f31fd62 ]
+
+The logical_smp_processor_id() inline which is only called in
+setup_local_APIC() on x86_32 systems has no real value.
+
+Drop it and directly use GET_APIC_LOGICAL_ID() at the call site and use a
+more suitable variable name for readability
+
+Signed-off-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: andy.shevchenko@gmail.com
+Cc: bhe@redhat.com
+Cc: ebiederm@xmission.com
+Link: https://lkml.kernel.org/r/20180301055930.2396-4-douly.fnst@cn.fujitsu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/smp.h  | 10 ----------
+ arch/x86/kernel/apic/apic.c | 10 +++++-----
+ 2 files changed, 5 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
+index d25fb6beb2f0c..dcaf7100b69c2 100644
+--- a/arch/x86/include/asm/smp.h
++++ b/arch/x86/include/asm/smp.h
+@@ -177,16 +177,6 @@ extern int safe_smp_processor_id(void);
+ #endif
+ #ifdef CONFIG_X86_LOCAL_APIC
+-
+-#ifndef CONFIG_X86_64
+-static inline int logical_smp_processor_id(void)
+-{
+-      /* we don't want to mark this access volatile - bad code generation */
+-      return GET_APIC_LOGICAL_ID(apic_read(APIC_LDR));
+-}
+-
+-#endif
+-
+ extern int hard_smp_processor_id(void);
+ #else /* CONFIG_X86_LOCAL_APIC */
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 264daf1f49915..ad2a220a4a7f7 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1342,7 +1342,7 @@ void setup_local_APIC(void)
+       int cpu = smp_processor_id();
+       unsigned int value;
+ #ifdef CONFIG_X86_32
+-      int i;
++      int logical_apicid, ldr_apicid;
+ #endif
+@@ -1389,11 +1389,11 @@ void setup_local_APIC(void)
+        * initialized during get_smp_config(), make sure it matches the
+        * actual value.
+        */
+-      i = early_per_cpu(x86_cpu_to_logical_apicid, cpu);
+-      WARN_ON(i != BAD_APICID && i != logical_smp_processor_id());
++      logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu);
++      ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR));
++      WARN_ON(logical_apicid != BAD_APICID && logical_apicid != ldr_apicid);
+       /* always use the value from LDR */
+-      early_per_cpu(x86_cpu_to_logical_apicid, cpu) =
+-              logical_smp_processor_id();
++      early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid;
+ #endif
+       /*
+-- 
+2.20.1
+
diff --git a/queue-4.9/x86-apic-move-pending-interrupt-check-code-into-it-s.patch b/queue-4.9/x86-apic-move-pending-interrupt-check-code-into-it-s.patch
new file mode 100644 (file)
index 0000000..e47ce0a
--- /dev/null
@@ -0,0 +1,155 @@
+From 08f7fdbefe4405e8889c48ca57db61bb37ece94f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Mar 2018 13:59:28 +0800
+Subject: x86/apic: Move pending interrupt check code into it's own function
+
+From: Dou Liyang <douly.fnst@cn.fujitsu.com>
+
+[ Upstream commit 9b217f33017715903d0956dfc58f82d2a2d00e63 ]
+
+The pending interrupt check code is mixed with the local APIC setup code,
+that looks messy.
+
+Extract the related code, move it into a new function named
+apic_pending_intr_clear().
+
+Signed-off-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: bhe@redhat.com
+Cc: ebiederm@xmission.com
+Link: https://lkml.kernel.org/r/20180301055930.2396-2-douly.fnst@cn.fujitsu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/apic.c | 100 ++++++++++++++++++++----------------
+ 1 file changed, 55 insertions(+), 45 deletions(-)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 232350519062b..264daf1f49915 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1281,6 +1281,56 @@ static void lapic_setup_esr(void)
+                       oldvalue, value);
+ }
++static void apic_pending_intr_clear(void)
++{
++      long long max_loops = cpu_khz ? cpu_khz : 1000000;
++      unsigned long long tsc = 0, ntsc;
++      unsigned int value, queued;
++      int i, j, acked = 0;
++
++      if (boot_cpu_has(X86_FEATURE_TSC))
++              tsc = rdtsc();
++      /*
++       * After a crash, we no longer service the interrupts and a pending
++       * interrupt from previous kernel might still have ISR bit set.
++       *
++       * Most probably by now CPU has serviced that pending interrupt and
++       * it might not have done the ack_APIC_irq() because it thought,
++       * interrupt came from i8259 as ExtInt. LAPIC did not get EOI so it
++       * does not clear the ISR bit and cpu thinks it has already serivced
++       * the interrupt. Hence a vector might get locked. It was noticed
++       * for timer irq (vector 0x31). Issue an extra EOI to clear ISR.
++       */
++      do {
++              queued = 0;
++              for (i = APIC_ISR_NR - 1; i >= 0; i--)
++                      queued |= apic_read(APIC_IRR + i*0x10);
++
++              for (i = APIC_ISR_NR - 1; i >= 0; i--) {
++                      value = apic_read(APIC_ISR + i*0x10);
++                      for (j = 31; j >= 0; j--) {
++                              if (value & (1<<j)) {
++                                      ack_APIC_irq();
++                                      acked++;
++                              }
++                      }
++              }
++              if (acked > 256) {
++                      printk(KERN_ERR "LAPIC pending interrupts after %d EOI\n",
++                             acked);
++                      break;
++              }
++              if (queued) {
++                      if (boot_cpu_has(X86_FEATURE_TSC) && cpu_khz) {
++                              ntsc = rdtsc();
++                              max_loops = (cpu_khz << 10) - (ntsc - tsc);
++                      } else
++                              max_loops--;
++              }
++      } while (queued && max_loops > 0);
++      WARN_ON(max_loops <= 0);
++}
++
+ /**
+  * setup_local_APIC - setup the local APIC
+  *
+@@ -1290,13 +1340,11 @@ static void lapic_setup_esr(void)
+ void setup_local_APIC(void)
+ {
+       int cpu = smp_processor_id();
+-      unsigned int value, queued;
+-      int i, j, acked = 0;
+-      unsigned long long tsc = 0, ntsc;
+-      long long max_loops = cpu_khz ? cpu_khz : 1000000;
++      unsigned int value;
++#ifdef CONFIG_X86_32
++      int i;
++#endif
+-      if (boot_cpu_has(X86_FEATURE_TSC))
+-              tsc = rdtsc();
+       if (disable_apic) {
+               disable_ioapic_support();
+@@ -1356,45 +1404,7 @@ void setup_local_APIC(void)
+       value &= ~APIC_TPRI_MASK;
+       apic_write(APIC_TASKPRI, value);
+-      /*
+-       * After a crash, we no longer service the interrupts and a pending
+-       * interrupt from previous kernel might still have ISR bit set.
+-       *
+-       * Most probably by now CPU has serviced that pending interrupt and
+-       * it might not have done the ack_APIC_irq() because it thought,
+-       * interrupt came from i8259 as ExtInt. LAPIC did not get EOI so it
+-       * does not clear the ISR bit and cpu thinks it has already serivced
+-       * the interrupt. Hence a vector might get locked. It was noticed
+-       * for timer irq (vector 0x31). Issue an extra EOI to clear ISR.
+-       */
+-      do {
+-              queued = 0;
+-              for (i = APIC_ISR_NR - 1; i >= 0; i--)
+-                      queued |= apic_read(APIC_IRR + i*0x10);
+-
+-              for (i = APIC_ISR_NR - 1; i >= 0; i--) {
+-                      value = apic_read(APIC_ISR + i*0x10);
+-                      for (j = 31; j >= 0; j--) {
+-                              if (value & (1<<j)) {
+-                                      ack_APIC_irq();
+-                                      acked++;
+-                              }
+-                      }
+-              }
+-              if (acked > 256) {
+-                      printk(KERN_ERR "LAPIC pending interrupts after %d EOI\n",
+-                             acked);
+-                      break;
+-              }
+-              if (queued) {
+-                      if (boot_cpu_has(X86_FEATURE_TSC) && cpu_khz) {
+-                              ntsc = rdtsc();
+-                              max_loops = (cpu_khz << 10) - (ntsc - tsc);
+-                      } else
+-                              max_loops--;
+-              }
+-      } while (queued && max_loops > 0);
+-      WARN_ON(max_loops <= 0);
++      apic_pending_intr_clear();
+       /*
+        * Now that we are all set up, enable the APIC
+-- 
+2.20.1
+
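Review bot: In `apic_pending_intr_clear()`, the timeout recomputation `max_loops = (cpu_khz << 10) - (ntsc - tsc);` performs the shift in the type of `cpu_khz` before the result is widened to `long long`; if `cpu_khz` is a 32-bit `unsigned int` (its declaration is not part of this patch), the shifted value wraps once `cpu_khz` exceeds about 4.19 million, i.e. on parts clocked above roughly 4.2 GHz. The remaining budget then comes out far too small, so the loop can exit with IRR bits still set and trip `WARN_ON(max_loops <= 0)`, which hurts most on the crash-kernel boot path this loop exists for. The code is moved unchanged from `setup_local_APIC()`, so the defect predates this patch, but the new helper is a natural place to widen first: `max_loops = ((long long)cpu_khz << 10) - (ntsc - tsc);`. Separately, `value & (1<<j)` shifts a signed 1 into the sign bit when `j == 31`; `1U << j` keeps the ISR bit test in unsigned arithmetic.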