--- /dev/null
+From 55714cf73ecf4c0ef0dbfe55cb46a85b2a7fa90c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2020 10:13:07 -0700
+Subject: ACPI/IORT: Fix PMCG node single ID mapping handling
+
+From: Tuan Phan <tuanphan@os.amperecomputing.com>
+
+[ Upstream commit 50c8ab8d9fbf5b18d5162a797ca26568afc0af1a ]
+
+An IORT PMCG node can have no ID mapping if its overflow interrupt is
+wire based therefore the code that parses the PMCG node can not assume
+the node will always have a single mapping present at index 0.
+
+Fix iort_get_id_mapping_index() by checking for an overflow interrupt
+and mapping count.
+
+Fixes: 24e516049360 ("ACPI/IORT: Add support for PMCG")
+
+Signed-off-by: Tuan Phan <tuanphan@os.amperecomputing.com>
+Reviewed-by: Hanjun Guo <guoahanjun@huawei.com>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Link: https://lore.kernel.org/r/1589994787-28637-1-git-send-email-tuanphan@os.amperecomputing.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/arm64/iort.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
+index 7d04424189df..ec04435a7cea 100644
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -414,6 +414,7 @@ static struct acpi_iort_node *iort_node_get_id(struct acpi_iort_node *node,
+ static int iort_get_id_mapping_index(struct acpi_iort_node *node)
+ {
+ struct acpi_iort_smmu_v3 *smmu;
++ struct acpi_iort_pmcg *pmcg;
+
+ switch (node->type) {
+ case ACPI_IORT_NODE_SMMU_V3:
+@@ -441,6 +442,10 @@ static int iort_get_id_mapping_index(struct acpi_iort_node *node)
+
+ return smmu->id_mapping_index;
+ case ACPI_IORT_NODE_PMCG:
++ pmcg = (struct acpi_iort_pmcg *)node->node_data;
++ if (pmcg->overflow_gsiv || node->mapping_count == 0)
++ return -EINVAL;
++
+ return 0;
+ default:
+ return -EINVAL;
+--
+2.25.1
+
--- /dev/null
+From d0f18bfb5280af6cd3c8307616c2287a7ff34226 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 14:22:28 +0200
+Subject: ACPI: video: Use native backlight on Acer TravelMate 5735Z
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Menzel <pmenzel@molgen.mpg.de>
+
+[ Upstream commit c41c36e900a337b4132b12ccabc97f5578248b44 ]
+
+Currently, changing the brightness of the internal display of the Acer
+TravelMate 5735Z does not work. Pressing the function keys or changing the
+slider, GNOME Shell 3.36.2 displays the OSD (five steps), but the
+brightness does not change.
+
+The Acer TravelMate 5735Z shipped with Windows 7 and as such does not
+trigger our "win8 ready" heuristic for preferring the native backlight
+interface.
+
+Still ACPI backlight control doesn't work on this model, where as the
+native (intel_video) backlight interface does work by adding
+`acpi_backlight=native` or `acpi_backlight=none` to Linux’ command line.
+
+So, add a quirk to force using native backlight control on this model.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=207835
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/video_detect.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index b4994e50608d..2499d7e3c710 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -361,6 +361,16 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "JV50"),
+ },
+ },
++ {
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=207835 */
++ .callback = video_detect_force_native,
++ .ident = "Acer TravelMate 5735Z",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 5735Z"),
++ DMI_MATCH(DMI_BOARD_NAME, "BA51_MV"),
++ },
++ },
+
+ /*
+ * Desktops which falsely report a backlight and which our heuristics
+--
+2.25.1
+
--- /dev/null
+From 1e5f65ad97e4ae7cdc1b7873200f994e2af5c37c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 17:46:52 -0700
+Subject: ACPICA: Dispatcher: add status checks
+
+From: Erik Kaneda <erik.kaneda@intel.com>
+
+[ Upstream commit 6bfe5344b2956d0bee116f1c640aef05e5cddd76 ]
+
+ACPICA commit 3244c1eeba9f9fb9ccedb875f7923a3d85e0c6aa
+
+The status chekcs are used to to avoid NULL pointer dereference on
+field objects
+
+Link: https://github.com/acpica/acpica/commit/3244c1ee
+Reported-by: Kurt Kennett <kurt_kennett@hotmail.com>
+Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/dsfield.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/acpica/dsfield.c b/drivers/acpi/acpica/dsfield.c
+index c901f5aec739..5725baec60f3 100644
+--- a/drivers/acpi/acpica/dsfield.c
++++ b/drivers/acpi/acpica/dsfield.c
+@@ -514,13 +514,20 @@ acpi_ds_create_field(union acpi_parse_object *op,
+ info.region_node = region_node;
+
+ status = acpi_ds_get_field_names(&info, walk_state, arg->common.next);
++ if (ACPI_FAILURE(status)) {
++ return_ACPI_STATUS(status);
++ }
++
+ if (info.region_node->object->region.space_id ==
+- ACPI_ADR_SPACE_PLATFORM_COMM
+- && !(region_node->object->field.internal_pcc_buffer =
+- ACPI_ALLOCATE_ZEROED(info.region_node->object->region.
+- length))) {
+- return_ACPI_STATUS(AE_NO_MEMORY);
++ ACPI_ADR_SPACE_PLATFORM_COMM) {
++ region_node->object->field.internal_pcc_buffer =
++ ACPI_ALLOCATE_ZEROED(info.region_node->object->region.
++ length);
++ if (!region_node->object->field.internal_pcc_buffer) {
++ return_ACPI_STATUS(AE_NO_MEMORY);
++ }
+ }
++
+ return_ACPI_STATUS(status);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From d571332d0cf3015ecf9daf509f4bd39d9fe604f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Apr 2020 14:08:53 +0100
+Subject: ARM: 8969/1: decompressor: simplify libfdt builds
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 7ae4a78daacf240a8247cde73337dc4b26d253da ]
+
+Copying source files during the build time may not end up with
+as clean code as expected.
+
+lib/fdt*.c simply wrap scripts/dtc/libfdt/fdt*.c, and it works
+nicely. Let's follow this approach for the arm decompressor, too.
+
+Add four wrappers, arch/arm/boot/compressed/fdt*.c and remove
+the Makefile messes. Another nice thing is we no longer need to
+maintain the own libfdt_env.h because the decompressor can include
+<linux/libfdt_env.h>.
+
+There is a subtle problem when generated files are turned into
+check-in files.
+
+When you are doing a rebuild of an existing object tree with O=
+option, there exists stale "shipped" copies that the old Makefile
+implementation created. The build system ends up with compiling the
+stale generated files because Make searches for prerequisites in the
+current directory, i.e. $(objtree) first, and then the directory
+listed in VPATH, i.e. $(srctree).
+
+To mend this issue, I added the following code:
+
+ ifdef building_out_of_srctree
+ $(shell rm -f $(addprefix $(obj)/, fdt_rw.c fdt_ro.c fdt_wip.c fdt.c))
+ endif
+
+This will need to stay for a while because "git bisect" crossing this
+commit, otherwise, would result in a build error.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/compressed/.gitignore | 9 ------
+ arch/arm/boot/compressed/Makefile | 38 ++++++++++---------------
+ arch/arm/boot/compressed/atags_to_fdt.c | 1 +
+ arch/arm/boot/compressed/fdt.c | 2 ++
+ arch/arm/boot/compressed/fdt_ro.c | 2 ++
+ arch/arm/boot/compressed/fdt_rw.c | 2 ++
+ arch/arm/boot/compressed/fdt_wip.c | 2 ++
+ arch/arm/boot/compressed/libfdt_env.h | 24 ----------------
+ 8 files changed, 24 insertions(+), 56 deletions(-)
+ create mode 100644 arch/arm/boot/compressed/fdt.c
+ create mode 100644 arch/arm/boot/compressed/fdt_ro.c
+ create mode 100644 arch/arm/boot/compressed/fdt_rw.c
+ create mode 100644 arch/arm/boot/compressed/fdt_wip.c
+ delete mode 100644 arch/arm/boot/compressed/libfdt_env.h
+
+diff --git a/arch/arm/boot/compressed/.gitignore b/arch/arm/boot/compressed/.gitignore
+index db05c6ef3e31..60606b0f378d 100644
+--- a/arch/arm/boot/compressed/.gitignore
++++ b/arch/arm/boot/compressed/.gitignore
+@@ -7,12 +7,3 @@ hyp-stub.S
+ piggy_data
+ vmlinux
+ vmlinux.lds
+-
+-# borrowed libfdt files
+-fdt.c
+-fdt.h
+-fdt_ro.c
+-fdt_rw.c
+-fdt_wip.c
+-libfdt.h
+-libfdt_internal.h
+diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
+index 9c11e7490292..00602a6fba04 100644
+--- a/arch/arm/boot/compressed/Makefile
++++ b/arch/arm/boot/compressed/Makefile
+@@ -76,29 +76,30 @@ compress-$(CONFIG_KERNEL_LZMA) = lzma
+ compress-$(CONFIG_KERNEL_XZ) = xzkern
+ compress-$(CONFIG_KERNEL_LZ4) = lz4
+
+-# Borrowed libfdt files for the ATAG compatibility mode
+-
+-libfdt := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c
+-libfdt_hdrs := fdt.h libfdt.h libfdt_internal.h
+-
+-libfdt_objs := $(addsuffix .o, $(basename $(libfdt)))
+-
+-$(addprefix $(obj)/,$(libfdt) $(libfdt_hdrs)): $(obj)/%: $(srctree)/scripts/dtc/libfdt/%
+- $(call cmd,shipped)
+-
+-$(addprefix $(obj)/,$(libfdt_objs) atags_to_fdt.o): \
+- $(addprefix $(obj)/,$(libfdt_hdrs))
++libfdt_objs := fdt_rw.o fdt_ro.o fdt_wip.o fdt.o
+
+ ifeq ($(CONFIG_ARM_ATAG_DTB_COMPAT),y)
+ OBJS += $(libfdt_objs) atags_to_fdt.o
+ endif
+
++# -fstack-protector-strong triggers protection checks in this code,
++# but it is being used too early to link to meaningful stack_chk logic.
++nossp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
++$(foreach o, $(libfdt_objs) atags_to_fdt.o, \
++ $(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt $(nossp-flags-y)))
++
++# These were previously generated C files. When you are building the kernel
++# with O=, make sure to remove the stale files in the output tree. Otherwise,
++# the build system wrongly compiles the stale ones.
++ifdef building_out_of_srctree
++$(shell rm -f $(addprefix $(obj)/, fdt_rw.c fdt_ro.c fdt_wip.c fdt.c))
++endif
++
+ targets := vmlinux vmlinux.lds piggy_data piggy.o \
+ lib1funcs.o ashldi3.o bswapsdi2.o \
+ head.o $(OBJS)
+
+-clean-files += piggy_data lib1funcs.S ashldi3.S bswapsdi2.S \
+- $(libfdt) $(libfdt_hdrs) hyp-stub.S
++clean-files += piggy_data lib1funcs.S ashldi3.S bswapsdi2.S hyp-stub.S
+
+ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
+
+@@ -107,15 +108,6 @@ ORIG_CFLAGS := $(KBUILD_CFLAGS)
+ KBUILD_CFLAGS = $(subst -pg, , $(ORIG_CFLAGS))
+ endif
+
+-# -fstack-protector-strong triggers protection checks in this code,
+-# but it is being used too early to link to meaningful stack_chk logic.
+-nossp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
+-CFLAGS_atags_to_fdt.o := $(nossp-flags-y)
+-CFLAGS_fdt.o := $(nossp-flags-y)
+-CFLAGS_fdt_ro.o := $(nossp-flags-y)
+-CFLAGS_fdt_rw.o := $(nossp-flags-y)
+-CFLAGS_fdt_wip.o := $(nossp-flags-y)
+-
+ ccflags-y := -fpic $(call cc-option,-mno-single-pic-base,) -fno-builtin \
+ -I$(obj) $(DISABLE_ARM_SSP_PER_TASK_PLUGIN)
+ asflags-y := -DZIMAGE
+diff --git a/arch/arm/boot/compressed/atags_to_fdt.c b/arch/arm/boot/compressed/atags_to_fdt.c
+index 64c49747f8a3..8452753efebe 100644
+--- a/arch/arm/boot/compressed/atags_to_fdt.c
++++ b/arch/arm/boot/compressed/atags_to_fdt.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#include <linux/libfdt_env.h>
+ #include <asm/setup.h>
+ #include <libfdt.h>
+
+diff --git a/arch/arm/boot/compressed/fdt.c b/arch/arm/boot/compressed/fdt.c
+new file mode 100644
+index 000000000000..f8ea7a201ab1
+--- /dev/null
++++ b/arch/arm/boot/compressed/fdt.c
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0-only
++#include "../../../../lib/fdt.c"
+diff --git a/arch/arm/boot/compressed/fdt_ro.c b/arch/arm/boot/compressed/fdt_ro.c
+new file mode 100644
+index 000000000000..93970a4ad5ae
+--- /dev/null
++++ b/arch/arm/boot/compressed/fdt_ro.c
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0-only
++#include "../../../../lib/fdt_ro.c"
+diff --git a/arch/arm/boot/compressed/fdt_rw.c b/arch/arm/boot/compressed/fdt_rw.c
+new file mode 100644
+index 000000000000..f7c6b8b7e01c
+--- /dev/null
++++ b/arch/arm/boot/compressed/fdt_rw.c
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0-only
++#include "../../../../lib/fdt_rw.c"
+diff --git a/arch/arm/boot/compressed/fdt_wip.c b/arch/arm/boot/compressed/fdt_wip.c
+new file mode 100644
+index 000000000000..048d2c7a088d
+--- /dev/null
++++ b/arch/arm/boot/compressed/fdt_wip.c
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0-only
++#include "../../../../lib/fdt_wip.c"
+diff --git a/arch/arm/boot/compressed/libfdt_env.h b/arch/arm/boot/compressed/libfdt_env.h
+deleted file mode 100644
+index 6a0f1f524466..000000000000
+--- a/arch/arm/boot/compressed/libfdt_env.h
++++ /dev/null
+@@ -1,24 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
+-#ifndef _ARM_LIBFDT_ENV_H
+-#define _ARM_LIBFDT_ENV_H
+-
+-#include <linux/limits.h>
+-#include <linux/types.h>
+-#include <linux/string.h>
+-#include <asm/byteorder.h>
+-
+-#define INT32_MAX S32_MAX
+-#define UINT32_MAX U32_MAX
+-
+-typedef __be16 fdt16_t;
+-typedef __be32 fdt32_t;
+-typedef __be64 fdt64_t;
+-
+-#define fdt16_to_cpu(x) be16_to_cpu(x)
+-#define cpu_to_fdt16(x) cpu_to_be16(x)
+-#define fdt32_to_cpu(x) be32_to_cpu(x)
+-#define cpu_to_fdt32(x) cpu_to_be32(x)
+-#define fdt64_to_cpu(x) be64_to_cpu(x)
+-#define cpu_to_fdt64(x) cpu_to_be64(x)
+-
+-#endif
+--
+2.25.1
+
--- /dev/null
+From c30cc26f4ff6f9e65868ee9f40ea96f6587dca00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2020 12:59:12 +0100
+Subject: ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit e1de94380af588bdf6ad6f0cc1f75004c35bc096 ]
+
+Recent work with KASan exposed the folling hard-coded bitmask
+in arch/arm/mm/proc-macros.S:
+
+ bic rd, sp, #8128
+ bic rd, rd, #63
+
+This forms the bitmask 0x1FFF that is coinciding with
+(PAGE_SIZE << THREAD_SIZE_ORDER) - 1, this code was assuming
+that THREAD_SIZE is always 8K (8192).
+
+As KASan was increasing THREAD_SIZE_ORDER to 2, I ran into
+this bug.
+
+Fix it by this little oneline suggested by Ard:
+
+ bic rd, sp, #(THREAD_SIZE - 1) & ~63
+
+Where THREAD_SIZE is defined using THREAD_SIZE_ORDER.
+
+We have to also include <linux/const.h> since the THREAD_SIZE
+expands to use the _AC() macro.
+
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Suggested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/proc-macros.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/proc-macros.S b/arch/arm/mm/proc-macros.S
+index 5461d589a1e2..60ac7c5999a9 100644
+--- a/arch/arm/mm/proc-macros.S
++++ b/arch/arm/mm/proc-macros.S
+@@ -5,6 +5,7 @@
+ * VMA_VM_FLAGS
+ * VM_EXEC
+ */
++#include <linux/const.h>
+ #include <asm/asm-offsets.h>
+ #include <asm/thread_info.h>
+
+@@ -30,7 +31,7 @@
+ * act_mm - get current->active_mm
+ */
+ .macro act_mm, rd
+- bic \rd, sp, #8128
++ bic \rd, sp, #(THREAD_SIZE - 1) & ~63
+ bic \rd, \rd, #63
+ ldr \rd, [\rd, #TI_TASK]
+ .if (TSK_ACTIVE_MM > IMM12_MASK)
+--
+2.25.1
+
--- /dev/null
+From b6085baf5e99aa5e56312b5593a726cadff475df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 18:05:18 +0100
+Subject: arm64: cacheflush: Fix KGDB trap detection
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit ab8ad279ceac4fc78ae4dcf1a26326e05695e537 ]
+
+flush_icache_range() contains a bodge to avoid issuing IPIs when the kgdb
+trap handler is running because issuing IPIs is unsafe (and not needed)
+in this execution context. However the current test, based on
+kgdb_connected is flawed: it both over-matches and under-matches.
+
+The over match occurs because kgdb_connected is set when gdb attaches
+to the stub and remains set during normal running. This is relatively
+harmelss because in almost all cases irq_disabled() will be false.
+
+The under match is more serious. When kdb is used instead of kgdb to access
+the debugger then kgdb_connected is not set in all the places that the
+debug core updates sw breakpoints (and hence flushes the icache). This
+can lead to deadlock.
+
+Fix by replacing the ad-hoc check with the proper kgdb macro. This also
+allows us to drop the #ifdef wrapper.
+
+Fixes: 3b8c9f1cdfc5 ("arm64: IPI each CPU after invalidating the I-cache for kernel mappings")
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20200504170518.2959478-1-daniel.thompson@linaro.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/cacheflush.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/cacheflush.h b/arch/arm64/include/asm/cacheflush.h
+index e6cca3d4acf7..ce50c1f1f1ea 100644
+--- a/arch/arm64/include/asm/cacheflush.h
++++ b/arch/arm64/include/asm/cacheflush.h
+@@ -79,7 +79,7 @@ static inline void flush_icache_range(unsigned long start, unsigned long end)
+ * IPI all online CPUs so that they undergo a context synchronization
+ * event and are forced to refetch the new instructions.
+ */
+-#ifdef CONFIG_KGDB
++
+ /*
+ * KGDB performs cache maintenance with interrupts disabled, so we
+ * will deadlock trying to IPI the secondary CPUs. In theory, we can
+@@ -89,9 +89,9 @@ static inline void flush_icache_range(unsigned long start, unsigned long end)
+ * the patching operation, so we don't need extra IPIs here anyway.
+ * In which case, add a KGDB-specific bodge and return early.
+ */
+- if (kgdb_connected && irqs_disabled())
++ if (in_dbg_master())
+ return;
+-#endif
++
+ kick_all_cpus_sync();
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b60e2acfad72c7c40f6201fc78d4b932497da6af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 11:15:44 -0700
+Subject: arm64: insn: Fix two bugs in encoding 32-bit logical immediates
+
+From: Luke Nelson <lukenels@cs.washington.edu>
+
+[ Upstream commit 579d1b3faa3735e781ff74aac0afd598515dbc63 ]
+
+This patch fixes two issues present in the current function for encoding
+arm64 logical immediates when using the 32-bit variants of instructions.
+
+First, the code does not correctly reject an all-ones 32-bit immediate,
+and returns an undefined instruction encoding.
+
+Second, the code incorrectly rejects some 32-bit immediates that are
+actually encodable as logical immediates. The root cause is that the code
+uses a default mask of 64-bit all-ones, even for 32-bit immediates.
+This causes an issue later on when the default mask is used to fill the
+top bits of the immediate with ones, shown here:
+
+ /*
+ * Pattern: 0..01..10..01..1
+ *
+ * Fill the unused top bits with ones, and check if
+ * the result is a valid immediate (all ones with a
+ * contiguous ranges of zeroes).
+ */
+ imm |= ~mask;
+ if (!range_of_ones(~imm))
+ return AARCH64_BREAK_FAULT;
+
+To see the problem, consider an immediate of the form 0..01..10..01..1,
+where the upper 32 bits are zero, such as 0x80000001. The code checks
+if ~(imm | ~mask) contains a range of ones: the incorrect mask yields
+1..10..01..10..0, which fails the check; the correct mask yields
+0..01..10..0, which succeeds.
+
+The fix for both issues is to generate a correct mask based on the
+instruction immediate size, and use the mask to check for all-ones,
+all-zeroes, and values wider than the mask.
+
+Currently, arch/arm64/kvm/va_layout.c is the only user of this function,
+which uses 64-bit immediates and therefore won't trigger these bugs.
+
+We tested the new code against llvm-mc with all 1,302 encodable 32-bit
+logical immediates and all 5,334 encodable 64-bit logical immediates.
+
+Fixes: ef3935eeebff ("arm64: insn: Add encoder for bitwise operations using literals")
+Suggested-by: Will Deacon <will@kernel.org>
+Co-developed-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20200508181547.24783-2-luke.r.nels@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/insn.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c
+index 4a9e773a177f..cc2f3d901c91 100644
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -1535,16 +1535,10 @@ static u32 aarch64_encode_immediate(u64 imm,
+ u32 insn)
+ {
+ unsigned int immr, imms, n, ones, ror, esz, tmp;
+- u64 mask = ~0UL;
+-
+- /* Can't encode full zeroes or full ones */
+- if (!imm || !~imm)
+- return AARCH64_BREAK_FAULT;
++ u64 mask;
+
+ switch (variant) {
+ case AARCH64_INSN_VARIANT_32BIT:
+- if (upper_32_bits(imm))
+- return AARCH64_BREAK_FAULT;
+ esz = 32;
+ break;
+ case AARCH64_INSN_VARIANT_64BIT:
+@@ -1556,6 +1550,12 @@ static u32 aarch64_encode_immediate(u64 imm,
+ return AARCH64_BREAK_FAULT;
+ }
+
++ mask = GENMASK(esz - 1, 0);
++
++ /* Can't encode full zeroes, full ones, or value wider than the mask */
++ if (!imm || imm == mask || imm & ~mask)
++ return AARCH64_BREAK_FAULT;
++
+ /*
+ * Inverse of Replicate(). Try to spot a repeating pattern
+ * with a pow2 stride.
+--
+2.25.1
+
--- /dev/null
+From 5881981c33997bc9b8eec367662812a01dffb180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 09:57:00 +1000
+Subject: arm64/kernel: Fix range on invalidating dcache for boot page tables
+
+From: Gavin Shan <gshan@redhat.com>
+
+[ Upstream commit 9d2d75ede59bc1edd8561f2ee9d4702a5ea0ae30 ]
+
+Prior to commit 8eb7e28d4c642c31 ("arm64/mm: move runtime pgds to
+rodata"), idmap_pgd_dir, tramp_pg_dir, reserved_ttbr0, swapper_pg_dir,
+and init_pg_dir were contiguous at the end of the kernel image. The
+maintenance at the end of __create_page_tables assumed these were
+contiguous, and affected everything from the start of idmap_pg_dir
+to the end of init_pg_dir.
+
+That commit moved all but init_pg_dir into the .rodata section, with
+other data placed between idmap_pg_dir and init_pg_dir, but did not
+update the maintenance. Hence the maintenance is performed on much
+more data than necessary (but as the bootloader previously made this
+clean to the PoC there is no functional problem).
+
+As we only alter idmap_pg_dir, and init_pg_dir, we only need to perform
+maintenance for these. As the other dirs are in .rodata, the bootloader
+will have initialised them as expected and cleaned them to the PoC. The
+kernel will initialize them as necessary after enabling the MMU.
+
+This patch reworks the maintenance to only cover the idmap_pg_dir and
+init_pg_dir to avoid this unnecessary work.
+
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20200427235700.112220-1-gshan@redhat.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/pgtable.h | 1 +
+ arch/arm64/kernel/head.S | 12 +++++++++---
+ arch/arm64/kernel/vmlinux.lds.S | 1 +
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index 538c85e62f86..25f56df7ed9a 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -457,6 +457,7 @@ extern pgd_t init_pg_dir[PTRS_PER_PGD];
+ extern pgd_t init_pg_end[];
+ extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
+ extern pgd_t idmap_pg_dir[PTRS_PER_PGD];
++extern pgd_t idmap_pg_end[];
+ extern pgd_t tramp_pg_dir[PTRS_PER_PGD];
+
+ extern void set_swapper_pgd(pgd_t *pgdp, pgd_t pgd);
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 57a91032b4c2..32f5ecbec0ea 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -394,13 +394,19 @@ SYM_FUNC_START_LOCAL(__create_page_tables)
+
+ /*
+ * Since the page tables have been populated with non-cacheable
+- * accesses (MMU disabled), invalidate the idmap and swapper page
+- * tables again to remove any speculatively loaded cache lines.
++ * accesses (MMU disabled), invalidate those tables again to
++ * remove any speculatively loaded cache lines.
+ */
++ dmb sy
++
+ adrp x0, idmap_pg_dir
++ adrp x1, idmap_pg_end
++ sub x1, x1, x0
++ bl __inval_dcache_area
++
++ adrp x0, init_pg_dir
+ adrp x1, init_pg_end
+ sub x1, x1, x0
+- dmb sy
+ bl __inval_dcache_area
+
+ ret x28
+diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
+index 497f9675071d..94402aaf5f5c 100644
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -139,6 +139,7 @@ SECTIONS
+
+ idmap_pg_dir = .;
+ . += IDMAP_DIR_SIZE;
++ idmap_pg_end = .;
+
+ #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+ tramp_pg_dir = .;
+--
+2.25.1
+
--- /dev/null
+From 27522c40683d13b60101ecd79346dc024ec2054b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 18:31:41 +0200
+Subject: arm64: kexec_file: print appropriate variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Stelmach <l.stelmach@samsung.com>
+
+[ Upstream commit 51075e0cb759a736e60ab4f3a5fed8670dba5852 ]
+
+The value of kbuf->memsz may be different than kbuf->bufsz after calling
+kexec_add_buffer(). Hence both values should be logged.
+
+Fixes: 52b2a8af74360 ("arm64: kexec_file: load initrd and device-tree")
+Fixes: 3751e728cef29 ("arm64: kexec_file: add crash dump support")
+Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
+Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Link: https://lore.kernel.org/r/20200430163142.27282-2-l.stelmach@samsung.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/machine_kexec_file.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
+index b40c3b0def92..5ebb21b859b4 100644
+--- a/arch/arm64/kernel/machine_kexec_file.c
++++ b/arch/arm64/kernel/machine_kexec_file.c
+@@ -284,7 +284,7 @@ int load_other_segments(struct kimage *image,
+ image->arch.elf_headers_sz = headers_sz;
+
+ pr_debug("Loaded elf core header at 0x%lx bufsz=0x%lx memsz=0x%lx\n",
+- image->arch.elf_headers_mem, headers_sz, headers_sz);
++ image->arch.elf_headers_mem, kbuf.bufsz, kbuf.memsz);
+ }
+
+ /* load initrd */
+@@ -305,7 +305,7 @@ int load_other_segments(struct kimage *image,
+ initrd_load_addr = kbuf.mem;
+
+ pr_debug("Loaded initrd at 0x%lx bufsz=0x%lx memsz=0x%lx\n",
+- initrd_load_addr, initrd_len, initrd_len);
++ initrd_load_addr, kbuf.bufsz, kbuf.memsz);
+ }
+
+ /* load dtb */
+@@ -332,7 +332,7 @@ int load_other_segments(struct kimage *image,
+ image->arch.dtb_mem = kbuf.mem;
+
+ pr_debug("Loaded dtb at 0x%lx bufsz=0x%lx memsz=0x%lx\n",
+- kbuf.mem, dtb_len, dtb_len);
++ kbuf.mem, kbuf.bufsz, kbuf.memsz);
+
+ return 0;
+
+--
+2.25.1
+
--- /dev/null
+From fe0db9b996588e202604e596458e6729366333e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 15:09:35 +0300
+Subject: ath10k: add flush tx packets for SDIO chip
+
+From: Wen Gong <wgong@codeaurora.org>
+
+[ Upstream commit dd7fc5545bbafdbd6c1efdc996b61883b285bdc5 ]
+
+When station connected to AP, and run TX traffic such as TCP/UDP, and
+system enter suspend state, then mac80211 call ath10k_flush with set
+drop flag, recently it only send wmi peer flush to firmware and
+firmware will flush all pending TX packets, for PCIe, firmware will
+indicate the TX packets status to ath10k, and then ath10k indicate to
+mac80211 TX complete with the status, then all the packets has been
+flushed at this moment. For SDIO chip, it is different, its TX
+complete indication is disabled by default, and it has a tx queue in
+ath10k, and its tx credit control is enabled, total tx credit is 96,
+when its credit is not sufficient, then the packets will buffered in
+the tx queue of ath10k, max packets is TARGET_TLV_NUM_MSDU_DESC_HL
+which is 1024, for SDIO, when mac80211 call ath10k_flush with set drop
+flag, maybe it have pending packets in tx queue of ath10k, and if it
+does not have sufficient tx credit, the packets will stay in queue
+untill tx credit report from firmware, if it is a noisy environment,
+tx speed is low and the tx credit report from firmware will delay more
+time, then the num_pending_tx will remain > 0 untill all packets send
+to firmware. After the 1st ath10k_flush, mac80211 will call the 2nd
+ath10k_flush without set drop flag immediately, then it will call to
+ath10k_mac_wait_tx_complete, and it wait untill num_pending_tx become
+to 0, in noisy environment, it is esay to wait about near 5 seconds,
+then it cause the suspend take long time.
+
+1st and 2nd callstack of ath10k_flush
+[ 303.740427] ath10k_sdio mmc1:0001:1: ath10k_flush drop:1, pending:0-0
+[ 303.740495] ------------[ cut here ]------------
+[ 303.740739] WARNING: CPU: 1 PID: 3921 at /mnt/host/source/src/third_party/kernel/v4.19/drivers/net/wireless/ath/ath10k/mac.c:7025 ath10k_flush+0x54/0x104 [ath10k_core]
+[ 303.740757] Modules linked in: bridge stp llc ath10k_sdio ath10k_core rfcomm uinput cros_ec_rpmsg mtk_seninf mtk_cam_isp mtk_vcodec_enc mtk_fd mtk_vcodec_dec mtk_vcodec_common mtk_dip mtk_mdp3 videobuf2_dma_contig videobuf2_memops v4l2_mem2mem videobuf2_v4l2 videobuf2_common hid_google_hammer hci_uart btqca bluetooth dw9768 ov8856 ecdh_generic ov02a10 v4l2_fwnode mtk_scp mtk_rpmsg rpmsg_core mtk_scp_ipi ipt_MASQUERADE fuse iio_trig_sysfs cros_ec_sensors_ring cros_ec_sensors_sync cros_ec_light_prox cros_ec_sensors industrialio_triggered_buffer
+[ 303.740914] kfifo_buf cros_ec_activity cros_ec_sensors_core lzo_rle lzo_compress ath mac80211 zram cfg80211 joydev [last unloaded: ath10k_core]
+[ 303.741009] CPU: 1 PID: 3921 Comm: kworker/u16:10 Tainted: G W 4.19.95 #2
+[ 303.741027] Hardware name: MediaTek krane sku176 board (DT)
+[ 303.741061] Workqueue: events_unbound async_run_entry_fn
+[ 303.741086] pstate: 60000005 (nZCv daif -PAN -UAO)
+[ 303.741166] pc : ath10k_flush+0x54/0x104 [ath10k_core]
+[ 303.741244] lr : ath10k_flush+0x54/0x104 [ath10k_core]
+[ 303.741260] sp : ffffffdf080e77a0
+[ 303.741276] x29: ffffffdf080e77a0 x28: ffffffdef3730040
+[ 303.741300] x27: ffffff907c2240a0 x26: ffffffde6ff39afc
+[ 303.741321] x25: ffffffdef3730040 x24: ffffff907bf61018
+[ 303.741343] x23: ffffff907c2240a0 x22: ffffffde6ff39a50
+[ 303.741364] x21: 0000000000000001 x20: ffffffde6ff39a50
+[ 303.741385] x19: ffffffde6bac2420 x18: 0000000000017200
+[ 303.741407] x17: ffffff907c24a000 x16: 0000000000000037
+[ 303.741428] x15: ffffff907b49a568 x14: ffffff907cf332c1
+[ 303.741476] x13: 00000000000922e4 x12: 0000000000000000
+[ 303.741497] x11: 0000000000000001 x10: 0000000000000007
+[ 303.741518] x9 : f2256b8c1de4bc00 x8 : f2256b8c1de4bc00
+[ 303.741539] x7 : ffffff907ab5e764 x6 : 0000000000000000
+[ 303.741560] x5 : 0000000000000080 x4 : 0000000000000001
+[ 303.741582] x3 : ffffffdf080e74a8 x2 : ffffff907aa91244
+[ 303.741603] x1 : ffffffdf080e74a8 x0 : 0000000000000024
+[ 303.741624] Call trace:
+[ 303.741701] ath10k_flush+0x54/0x104 [ath10k_core]
+[ 303.741941] __ieee80211_flush_queues+0x1dc/0x358 [mac80211]
+[ 303.742098] ieee80211_flush_queues+0x34/0x44 [mac80211]
+[ 303.742253] ieee80211_set_disassoc+0xc0/0x5ec [mac80211]
+[ 303.742399] ieee80211_mgd_deauth+0x720/0x7d4 [mac80211]
+[ 303.742535] ieee80211_deauth+0x24/0x30 [mac80211]
+[ 303.742720] cfg80211_mlme_deauth+0x250/0x3bc [cfg80211]
+[ 303.742849] cfg80211_mlme_down+0x90/0xd0 [cfg80211]
+[ 303.742971] cfg80211_disconnect+0x340/0x3a0 [cfg80211]
+[ 303.743087] __cfg80211_leave+0xe4/0x17c [cfg80211]
+[ 303.743203] cfg80211_leave+0x38/0x50 [cfg80211]
+[ 303.743319] wiphy_suspend+0x84/0x5bc [cfg80211]
+[ 303.743335] dpm_run_callback+0x170/0x304
+[ 303.743346] __device_suspend+0x2dc/0x3e8
+[ 303.743356] async_suspend+0x2c/0xb0
+[ 303.743370] async_run_entry_fn+0x48/0xf8
+[ 303.743383] process_one_work+0x304/0x604
+[ 303.743394] worker_thread+0x248/0x3f4
+[ 303.743403] kthread+0x120/0x130
+[ 303.743416] ret_from_fork+0x10/0x18
+
+[ 303.743812] ath10k_sdio mmc1:0001:1: ath10k_flush drop:0, pending:0-0
+[ 303.743858] ------------[ cut here ]------------
+[ 303.744057] WARNING: CPU: 1 PID: 3921 at /mnt/host/source/src/third_party/kernel/v4.19/drivers/net/wireless/ath/ath10k/mac.c:7025 ath10k_flush+0x54/0x104 [ath10k_core]
+[ 303.744075] Modules linked in: bridge stp llc ath10k_sdio ath10k_core rfcomm uinput cros_ec_rpmsg mtk_seninf mtk_cam_isp mtk_vcodec_enc mtk_fd mtk_vcodec_dec mtk_vcodec_common mtk_dip mtk_mdp3 videobuf2_dma_contig videobuf2_memops v4l2_mem2mem videobuf2_v4l2 videobuf2_common hid_google_hammer hci_uart btqca bluetooth dw9768 ov8856 ecdh_generic ov02a10 v4l2_fwnode mtk_scp mtk_rpmsg rpmsg_core mtk_scp_ipi ipt_MASQUERADE fuse iio_trig_sysfs cros_ec_sensors_ring cros_ec_sensors_sync cros_ec_light_prox cros_ec_sensors industrialio_triggered_buffer kfifo_buf cros_ec_activity cros_ec_sensors_core lzo_rle lzo_compress ath mac80211 zram cfg80211 joydev [last unloaded: ath10k_core]
+[ 303.744256] CPU: 1 PID: 3921 Comm: kworker/u16:10 Tainted: G W 4.19.95 #2
+[ 303.744273] Hardware name: MediaTek krane sku176 board (DT)
+[ 303.744301] Workqueue: events_unbound async_run_entry_fn
+[ 303.744325] pstate: 60000005 (nZCv daif -PAN -UAO)
+[ 303.744403] pc : ath10k_flush+0x54/0x104 [ath10k_core]
+[ 303.744480] lr : ath10k_flush+0x54/0x104 [ath10k_core]
+[ 303.744496] sp : ffffffdf080e77a0
+[ 303.744512] x29: ffffffdf080e77a0 x28: ffffffdef3730040
+[ 303.744534] x27: ffffff907c2240a0 x26: ffffffde6ff39afc
+[ 303.744556] x25: ffffffdef3730040 x24: ffffff907bf61018
+[ 303.744577] x23: ffffff907c2240a0 x22: ffffffde6ff39a50
+[ 303.744598] x21: 0000000000000000 x20: ffffffde6ff39a50
+[ 303.744620] x19: ffffffde6bac2420 x18: 000000000001831c
+[ 303.744641] x17: ffffff907c24a000 x16: 0000000000000037
+[ 303.744662] x15: ffffff907b49a568 x14: ffffff907cf332c1
+[ 303.744683] x13: 00000000000922ea x12: 0000000000000000
+[ 303.744704] x11: 0000000000000001 x10: 0000000000000007
+[ 303.744747] x9 : f2256b8c1de4bc00 x8 : f2256b8c1de4bc00
+[ 303.744768] x7 : ffffff907ab5e764 x6 : 0000000000000000
+[ 303.744789] x5 : 0000000000000080 x4 : 0000000000000001
+[ 303.744810] x3 : ffffffdf080e74a8 x2 : ffffff907aa91244
+[ 303.744831] x1 : ffffffdf080e74a8 x0 : 0000000000000024
+[ 303.744853] Call trace:
+[ 303.744929] ath10k_flush+0x54/0x104 [ath10k_core]
+[ 303.745098] __ieee80211_flush_queues+0x1dc/0x358 [mac80211]
+[ 303.745277] ieee80211_flush_queues+0x34/0x44 [mac80211]
+[ 303.745424] ieee80211_set_disassoc+0x108/0x5ec [mac80211]
+[ 303.745569] ieee80211_mgd_deauth+0x720/0x7d4 [mac80211]
+[ 303.745706] ieee80211_deauth+0x24/0x30 [mac80211]
+[ 303.745853] cfg80211_mlme_deauth+0x250/0x3bc [cfg80211]
+[ 303.745979] cfg80211_mlme_down+0x90/0xd0 [cfg80211]
+[ 303.746103] cfg80211_disconnect+0x340/0x3a0 [cfg80211]
+[ 303.746219] __cfg80211_leave+0xe4/0x17c [cfg80211]
+[ 303.746335] cfg80211_leave+0x38/0x50 [cfg80211]
+[ 303.746452] wiphy_suspend+0x84/0x5bc [cfg80211]
+[ 303.746467] dpm_run_callback+0x170/0x304
+[ 303.746477] __device_suspend+0x2dc/0x3e8
+[ 303.746487] async_suspend+0x2c/0xb0
+[ 303.746498] async_run_entry_fn+0x48/0xf8
+[ 303.746510] process_one_work+0x304/0x604
+[ 303.746521] worker_thread+0x248/0x3f4
+[ 303.746530] kthread+0x120/0x130
+[ 303.746542] ret_from_fork+0x10/0x18
+
+one sample's debugging log: it wait 3190 ms(5000 - 1810).
+
+1st ath10k_flush, it has 120 packets in tx queue of ath10k:
+<...>-1513 [000] .... 25374.786005: ath10k_log_err: ath10k_sdio mmc1:0001:1 ath10k_flush drop:1, pending:120-0
+<...>-1513 [000] ...1 25374.788375: ath10k_log_warn: ath10k_sdio mmc1:0001:1 ath10k_htt_tx_mgmt_inc_pending htt->num_pending_mgmt_tx:0
+<...>-1500 [001] .... 25374.790143: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx work, eid:1, count:121
+
+2st ath10k_flush, it has 121 packets in tx queue of ath10k:
+<...>-1513 [000] .... 25374.790571: ath10k_log_err: ath10k_sdio mmc1:0001:1 ath10k_flush drop:0, pending:121-0
+<...>-1513 [000] .... 25374.791990: ath10k_log_err: ath10k_sdio mmc1:0001:1 ath10k_mac_wait_tx_complete state:1 pending:121-0
+<...>-1508 [001] .... 25374.792696: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit update: delta:46
+<...>-1508 [001] .... 25374.792700: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit total:46
+<...>-1508 [001] .... 25374.792729: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx work, eid:1, count:121
+<...>-1508 [001] .... 25374.792937: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx status:0, eid:1, req count:88, count:32, len:49792
+<...>-1508 [001] .... 25374.793031: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx status:0, eid:1, req count:75, count:14, len:21784
+kworker/u16:0-25773 [003] .... 25374.793701: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx complete, eid:1, pending complete count:46
+<...>-1881 [000] .... 25375.073178: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit update: delta:24
+<...>-1881 [000] .... 25375.073182: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit total:24
+<...>-1881 [000] .... 25375.073429: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx work, eid:1, count:75
+<...>-1879 [001] .... 25375.074090: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx complete, eid:1, pending complete count:24
+<...>-1881 [000] .... 25375.074123: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx status:0, eid:1, req count:51, count:24, len:37344
+<...>-1879 [001] .... 25375.270126: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit update: delta:26
+<...>-1879 [001] .... 25375.270130: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit total:26
+<...>-1488 [000] .... 25375.270174: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx work, eid:1, count:51
+<...>-1488 [000] .... 25375.270529: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx status:0, eid:1, req count:25, count:26, len:40456
+<...>-1879 [001] .... 25375.270693: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx complete, eid:1, pending complete count:26
+<...>-1488 [001] .... 25377.775885: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit update: delta:12
+<...>-1488 [001] .... 25377.775890: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit total:12
+<...>-1488 [001] .... 25377.775933: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx work, eid:1, count:25
+<...>-1488 [001] .... 25377.776059: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx status:0, eid:1, req count:13, count:12, len:18672
+<...>-1879 [001] .... 25377.776100: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx complete, eid:1, pending complete count:12
+<...>-1488 [001] .... 25377.878079: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit update: delta:15
+<...>-1488 [001] .... 25377.878087: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit total:15
+<...>-1879 [000] .... 25377.878323: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx work, eid:1, count:13
+<...>-1879 [000] .... 25377.878487: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx status:0, eid:1, req count:0, count:13, len:20228
+<...>-1879 [000] .... 25377.878497: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx complete, eid:1, pending complete count:13
+<...>-1488 [001] .... 25377.919927: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit update: delta:11
+<...>-1488 [001] .... 25377.919932: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 credit total:13
+<...>-1488 [001] .... 25377.919976: ath10k_log_dbg: ath10k_sdio mmc1:0001:1 bundle tx work, eid:1, count:0
+<...>-1881 [000] .... 25377.982645: ath10k_log_warn: ath10k_sdio mmc1:0001:1 HTT_T2H_MSG_TYPE_MGMT_TX_COMPLETION status:0
+<...>-1513 [001] .... 25377.982973: ath10k_log_err: ath10k_sdio mmc1:0001:1 ath10k_mac_wait_tx_complete time_left:1810, pending:0-0
+
+Flush all pending TX packets for the 1st ath10k_flush reduced the wait
+time of the 2nd ath10k_flush and then suspend take short time.
+
+This Patch only effect SDIO chips.
+
+Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00042.
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200415233730.10581-1-wgong@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/htt.h | 7 +++++++
+ drivers/net/wireless/ath/ath10k/htt_tx.c | 8 +++++++-
+ drivers/net/wireless/ath/ath10k/mac.c | 1 +
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt.h b/drivers/net/wireless/ath/ath10k/htt.h
+index 4a12564fc30e..c5ac5b277017 100644
+--- a/drivers/net/wireless/ath/ath10k/htt.h
++++ b/drivers/net/wireless/ath/ath10k/htt.h
+@@ -2035,6 +2035,7 @@ struct ath10k_htt_tx_ops {
+ int (*htt_h2t_aggr_cfg_msg)(struct ath10k_htt *htt,
+ u8 max_subfrms_ampdu,
+ u8 max_subfrms_amsdu);
++ void (*htt_flush_tx)(struct ath10k_htt *htt);
+ };
+
+ static inline int ath10k_htt_send_rx_ring_cfg(struct ath10k_htt *htt)
+@@ -2074,6 +2075,12 @@ static inline int ath10k_htt_tx(struct ath10k_htt *htt,
+ return htt->tx_ops->htt_tx(htt, txmode, msdu);
+ }
+
++static inline void ath10k_htt_flush_tx(struct ath10k_htt *htt)
++{
++ if (htt->tx_ops->htt_flush_tx)
++ htt->tx_ops->htt_flush_tx(htt);
++}
++
+ static inline int ath10k_htt_alloc_txbuff(struct ath10k_htt *htt)
+ {
+ if (!htt->tx_ops->htt_alloc_txbuff)
+diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c
+index e9d12ea708b6..517ee2af2231 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_tx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_tx.c
+@@ -529,9 +529,14 @@ void ath10k_htt_tx_destroy(struct ath10k_htt *htt)
+ htt->tx_mem_allocated = false;
+ }
+
+-void ath10k_htt_tx_stop(struct ath10k_htt *htt)
++static void ath10k_htt_flush_tx_queue(struct ath10k_htt *htt)
+ {
+ idr_for_each(&htt->pending_tx, ath10k_htt_tx_clean_up_pending, htt->ar);
++}
++
++void ath10k_htt_tx_stop(struct ath10k_htt *htt)
++{
++ ath10k_htt_flush_tx_queue(htt);
+ idr_destroy(&htt->pending_tx);
+ }
+
+@@ -1784,6 +1789,7 @@ static const struct ath10k_htt_tx_ops htt_tx_ops_hl = {
+ .htt_send_frag_desc_bank_cfg = ath10k_htt_send_frag_desc_bank_cfg_32,
+ .htt_tx = ath10k_htt_tx_hl,
+ .htt_h2t_aggr_cfg_msg = ath10k_htt_h2t_aggr_cfg_msg_32,
++ .htt_flush_tx = ath10k_htt_flush_tx_queue,
+ };
+
+ void ath10k_htt_set_tx_ops(struct ath10k_htt *htt)
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 7c4ba17a0b68..70331ca9e50e 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -7190,6 +7190,7 @@ static void ath10k_flush(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ ath10k_wmi_peer_flush(ar, arvif->vdev_id,
+ arvif->bssid, bitmap);
+ }
++ ath10k_htt_flush_tx(&ar->htt);
+ }
+ return;
+ }
+--
+2.25.1
+
--- /dev/null
+From 3b96fdfa6b66522f83aaffa4615289476052ed52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2020 15:48:10 +0530
+Subject: ath10k: fix kernel null pointer dereference
+
+From: Venkateswara Naralasetty <vnaralas@codeaurora.org>
+
+[ Upstream commit acb31476adc9ff271140cdd4d3c707ff0c97f5a4 ]
+
+Currently sta airtime is updated without any lock in case of
+host based airtime calculation. Which may result in accessing the
+invalid sta pointer in case of continuous station connect/disconnect.
+
+This patch fix the kernel null pointer dereference by updating the
+station airtime with proper RCU lock in case of host based airtime
+calculation.
+
+Proceeding with the analysis of "ARM Kernel Panic".
+The APSS crash happened due to OOPS on CPU 0.
+Crash Signature : Unable to handle kernel NULL pointer dereference
+at virtual address 00000300
+During the crash,
+PC points to "ieee80211_sta_register_airtime+0x1c/0x448 [mac80211]"
+LR points to "ath10k_txrx_tx_unref+0x17c/0x364 [ath10k_core]".
+The Backtrace obtained is as follows:
+[<bf880238>] (ieee80211_sta_register_airtime [mac80211]) from
+[<bf945a38>] (ath10k_txrx_tx_unref+0x17c/0x364 [ath10k_core])
+[<bf945a38>] (ath10k_txrx_tx_unref [ath10k_core]) from
+[<bf9428e4>] (ath10k_htt_txrx_compl_task+0xa50/0xfc0 [ath10k_core])
+[<bf9428e4>] (ath10k_htt_txrx_compl_task [ath10k_core]) from
+[<bf9b9bc8>] (ath10k_pci_napi_poll+0x50/0xf8 [ath10k_pci])
+[<bf9b9bc8>] (ath10k_pci_napi_poll [ath10k_pci]) from
+[<c059e3b0>] (net_rx_action+0xac/0x160)
+[<c059e3b0>] (net_rx_action) from [<c02329a4>] (__do_softirq+0x104/0x294)
+[<c02329a4>] (__do_softirq) from [<c0232b64>] (run_ksoftirqd+0x30/0x90)
+[<c0232b64>] (run_ksoftirqd) from [<c024e358>] (smpboot_thread_fn+0x25c/0x274)
+[<c024e358>] (smpboot_thread_fn) from [<c02482fc>] (kthread+0xd8/0xec)
+
+Tested HW: QCA9888
+Tested FW: 10.4-3.10-00047
+
+Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1585736290-17661-1-git-send-email-vnaralas@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/txrx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
+index 39abf8b12903..f46b9083bbf1 100644
+--- a/drivers/net/wireless/ath/ath10k/txrx.c
++++ b/drivers/net/wireless/ath/ath10k/txrx.c
+@@ -84,9 +84,11 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt,
+ wake_up(&htt->empty_tx_wq);
+ spin_unlock_bh(&htt->tx_lock);
+
++ rcu_read_lock();
+ if (txq && txq->sta && skb_cb->airtime_est)
+ ieee80211_sta_register_airtime(txq->sta, txq->tid,
+ skb_cb->airtime_est, 0);
++ rcu_read_unlock();
+
+ if (ar->bus_param.dev_type != ATH10K_DEV_TYPE_HL)
+ dma_unmap_single(dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE);
+--
+2.25.1
+
--- /dev/null
+From e9fc88aafa89c32b5316cb64fa7578c51957e816 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 10:43:48 +0000
+Subject: ath10k: fix possible memory leak in ath10k_bmi_lz_data_large()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 2326aa011967f0afbcba7fe1a005d01f8b12900b ]
+
+'cmd' is malloced in ath10k_bmi_lz_data_large() and should be freed
+before leaving from the error handling cases, otherwise it will cause
+memory leak.
+
+Fixes: d58f466a5dee ("ath10k: add large size for BMI download data for SDIO")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200427104348.13570-1-weiyongjun1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/bmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/bmi.c b/drivers/net/wireless/ath/ath10k/bmi.c
+index ea908107581d..5b6db6e66f65 100644
+--- a/drivers/net/wireless/ath/ath10k/bmi.c
++++ b/drivers/net/wireless/ath/ath10k/bmi.c
+@@ -380,6 +380,7 @@ static int ath10k_bmi_lz_data_large(struct ath10k *ar, const void *buffer, u32 l
+ NULL, NULL);
+ if (ret) {
+ ath10k_warn(ar, "unable to write to the device\n");
++ kfree(cmd);
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 918eb9ca83aae462598c16927d40d2ccc4e4bf7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Mar 2020 18:36:36 +0200
+Subject: ath10k: Fix the race condition in firmware dump work queue
+
+From: Maharaja Kennadyrajan <mkenna@codeaurora.org>
+
+[ Upstream commit 3d1c60460fb2823a19ead9e6ec8f184dd7271aa7 ]
+
+There is a race condition, when the user writes 'hw-restart' and
+'hard' in the simulate_fw_crash debugfs file without any delay.
+In the above scenario, the firmware dump work queue(scheduled by
+'hard') should be handled gracefully, while the target is in the
+'hw-restart'.
+
+Tested HW: QCA9984
+Tested FW: 10.4-3.9.0.2-00044
+
+Co-developed-by: Govindaraj Saminathan <gsamin@codeaurora.org>
+Signed-off-by: Govindaraj Saminathan <gsamin@codeaurora.org>
+Signed-off-by: Maharaja Kennadyrajan <mkenna@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1585213077-28439-1-git-send-email-mkenna@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index ded7a220a4aa..cd1c5d60261f 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -2074,6 +2074,7 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
+ ath10k_pci_irq_sync(ar);
+ napi_synchronize(&ar->napi);
+ napi_disable(&ar->napi);
++ cancel_work_sync(&ar_pci->dump_work);
+
+ /* Most likely the device has HTT Rx ring configured. The only way to
+ * prevent the device from accessing (and possible corrupting) host
+--
+2.25.1
+
--- /dev/null
+From 8053ba0f5a0444848380adc096b6406b78280287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 05:55:18 +0300
+Subject: ath10k: Remove msdu from idr when management pkt send fails
+
+From: Rakesh Pillai <pillair@codeaurora.org>
+
+[ Upstream commit c730c477176ad4af86d9aae4d360a7ad840b073a ]
+
+Currently when the sending of any management pkt
+via wmi command fails, the packet is being unmapped
+freed in the error handling. But the idr entry added,
+which is used to track these packet is not getting removed.
+
+Hence, during unload, in wmi cleanup, all the entries
+in IDR are removed and the corresponding buffer is
+attempted to be freed. This can cause a situation where
+one packet is attempted to be freed twice.
+
+Fix this error by rmeoving the msdu from the idr
+list when the sending of a management packet over
+wmi fails.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
+
+Fixes: 1807da49733e ("ath10k: wmi: add management tx by reference support over wmi")
+Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1588667015-25490-1-git-send-email-pillair@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 3 +++
+ drivers/net/wireless/ath/ath10k/wmi-ops.h | 10 ++++++++++
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 15 +++++++++++++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 70331ca9e50e..7b60d8d6bfa9 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -3921,6 +3921,9 @@ void ath10k_mgmt_over_wmi_tx_work(struct work_struct *work)
+ if (ret) {
+ ath10k_warn(ar, "failed to transmit management frame by ref via WMI: %d\n",
+ ret);
++ /* remove this msdu from idr tracking */
++ ath10k_wmi_cleanup_mgmt_tx_send(ar, skb);
++
+ dma_unmap_single(ar->dev, paddr, skb->len,
+ DMA_TO_DEVICE);
+ ieee80211_free_txskb(ar->hw, skb);
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-ops.h b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+index 1491c25518bb..edccabc667e8 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
++++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+@@ -133,6 +133,7 @@ struct wmi_ops {
+ struct sk_buff *(*gen_mgmt_tx_send)(struct ath10k *ar,
+ struct sk_buff *skb,
+ dma_addr_t paddr);
++ int (*cleanup_mgmt_tx_send)(struct ath10k *ar, struct sk_buff *msdu);
+ struct sk_buff *(*gen_dbglog_cfg)(struct ath10k *ar, u64 module_enable,
+ u32 log_level);
+ struct sk_buff *(*gen_pktlog_enable)(struct ath10k *ar, u32 filter);
+@@ -441,6 +442,15 @@ ath10k_wmi_get_txbf_conf_scheme(struct ath10k *ar)
+ return ar->wmi.ops->get_txbf_conf_scheme(ar);
+ }
+
++static inline int
++ath10k_wmi_cleanup_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu)
++{
++ if (!ar->wmi.ops->cleanup_mgmt_tx_send)
++ return -EOPNOTSUPP;
++
++ return ar->wmi.ops->cleanup_mgmt_tx_send(ar, msdu);
++}
++
+ static inline int
+ ath10k_wmi_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
+ dma_addr_t paddr)
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index 4e68debda9bf..4a3e169965ae 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -2897,6 +2897,18 @@ ath10k_wmi_tlv_op_gen_request_stats(struct ath10k *ar, u32 stats_mask)
+ return skb;
+ }
+
++static int
++ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(struct ath10k *ar,
++ struct sk_buff *msdu)
++{
++ struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu);
++ struct ath10k_wmi *wmi = &ar->wmi;
++
++ idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
++
++ return 0;
++}
++
+ static int
+ ath10k_wmi_mgmt_tx_alloc_msdu_id(struct ath10k *ar, struct sk_buff *skb,
+ dma_addr_t paddr)
+@@ -2971,6 +2983,8 @@ ath10k_wmi_tlv_op_gen_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
+ if (desc_id < 0)
+ goto err_free_skb;
+
++ cb->msdu_id = desc_id;
++
+ ptr = (void *)skb->data;
+ tlv = ptr;
+ tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_MGMT_TX_CMD);
+@@ -4419,6 +4433,7 @@ static const struct wmi_ops wmi_tlv_ops = {
+ .gen_force_fw_hang = ath10k_wmi_tlv_op_gen_force_fw_hang,
+ /* .gen_mgmt_tx = not implemented; HTT is used */
+ .gen_mgmt_tx_send = ath10k_wmi_tlv_op_gen_mgmt_tx_send,
++ .cleanup_mgmt_tx_send = ath10k_wmi_tlv_op_cleanup_mgmt_tx_send,
+ .gen_dbglog_cfg = ath10k_wmi_tlv_op_gen_dbglog_cfg,
+ .gen_pktlog_enable = ath10k_wmi_tlv_op_gen_pktlog_enable,
+ .gen_pktlog_disable = ath10k_wmi_tlv_op_gen_pktlog_disable,
+--
+2.25.1
+
--- /dev/null
+From cfcd500026169e14230deb02ecc77058bd747500 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 12:03:14 +0300
+Subject: ath10k: remove the max_sched_scan_reqs value
+
+From: Wen Gong <wgong@codeaurora.org>
+
+[ Upstream commit d431f8939c1419854dfe89dd345387f5397c6edd ]
+
+The struct cfg80211_wowlan of NET_DETECT WoWLAN feature share the same
+struct cfg80211_sched_scan_request together with scheduled scan request
+feature, and max_sched_scan_reqs of wiphy is only used for sched scan,
+and ath10k does not support scheduled scan request feature, so ath10k
+does not set flag NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR, but ath10k
+set max_sched_scan_reqs of wiphy to a non zero value 1, then function
+nl80211_add_commands_unsplit of cfg80211 will set it support command
+NL80211_CMD_START_SCHED_SCAN because max_sched_scan_reqs is a non zero
+value, but actually ath10k not support it, then it leads a mismatch result
+for sched scan of cfg80211, then application shill found the mismatch and
+stop running case of MAC random address scan and then the case fail.
+
+After remove max_sched_scan_reqs value, it keeps match for sched scan and
+case of MAC random address scan pass.
+
+Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029.
+Tested with QCA6174 PCIe with firmware WLAN.RM.4.4.1-00110-QCARMSWP-1.
+
+Fixes: ce834e280f2f875 ("ath10k: support NET_DETECT WoWLAN feature")
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20191114050001.4658-1-wgong@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 2d03b8dd3b8c..7c4ba17a0b68 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -8919,7 +8919,6 @@ int ath10k_mac_register(struct ath10k *ar)
+ ar->hw->wiphy->max_scan_ie_len = WLAN_SCAN_PARAMS_MAX_IE_LEN;
+
+ if (test_bit(WMI_SERVICE_NLO, ar->wmi.svc_map)) {
+- ar->hw->wiphy->max_sched_scan_reqs = 1;
+ ar->hw->wiphy->max_sched_scan_ssids = WMI_PNO_MAX_SUPP_NETWORKS;
+ ar->hw->wiphy->max_match_sets = WMI_PNO_MAX_SUPP_NETWORKS;
+ ar->hw->wiphy->max_sched_scan_ie_len = WMI_PNO_MAX_IE_LENGTH;
+--
+2.25.1
+
--- /dev/null
+From 431729309b2b2ab9610d9e0790766c0f4b80bf86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 05:55:07 +0300
+Subject: ath10k: Skip handling del_server during driver exit
+
+From: Rakesh Pillai <pillair@codeaurora.org>
+
+[ Upstream commit 7c6d67b136ceb0aebc7a3153b300e925ed915daf ]
+
+The qmi infrastructure sends the client a del_server
+event when the client releases its qmi handle. This
+is not the msg indicating the actual qmi server exiting.
+In such cases the del_server msg should not be processed,
+since the wifi firmware does not reset its qmi state.
+
+Hence skip the processing of del_server event when the
+driver is unloading.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
+
+Fixes: ba94c753ccb4 ("ath10k: add QMI message handshake for wcn3990 client")
+Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1588663061-12138-1-git-send-email-pillair@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/qmi.c | 13 ++++++++++++-
+ drivers/net/wireless/ath/ath10k/qmi.h | 6 ++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c
+index 85dce43c5439..7abdef8d6b9b 100644
+--- a/drivers/net/wireless/ath/ath10k/qmi.c
++++ b/drivers/net/wireless/ath/ath10k/qmi.c
+@@ -961,7 +961,16 @@ static void ath10k_qmi_del_server(struct qmi_handle *qmi_hdl,
+ container_of(qmi_hdl, struct ath10k_qmi, qmi_hdl);
+
+ qmi->fw_ready = false;
+- ath10k_qmi_driver_event_post(qmi, ATH10K_QMI_EVENT_SERVER_EXIT, NULL);
++
++ /*
++ * The del_server event is to be processed only if coming from
++ * the qmi server. The qmi infrastructure sends del_server, when
++ * any client releases the qmi handle. In this case do not process
++ * this del_server event.
++ */
++ if (qmi->state == ATH10K_QMI_STATE_INIT_DONE)
++ ath10k_qmi_driver_event_post(qmi, ATH10K_QMI_EVENT_SERVER_EXIT,
++ NULL);
+ }
+
+ static struct qmi_ops ath10k_qmi_ops = {
+@@ -1091,6 +1100,7 @@ int ath10k_qmi_init(struct ath10k *ar, u32 msa_size)
+ if (ret)
+ goto err_qmi_lookup;
+
++ qmi->state = ATH10K_QMI_STATE_INIT_DONE;
+ return 0;
+
+ err_qmi_lookup:
+@@ -1109,6 +1119,7 @@ int ath10k_qmi_deinit(struct ath10k *ar)
+ struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar);
+ struct ath10k_qmi *qmi = ar_snoc->qmi;
+
++ qmi->state = ATH10K_QMI_STATE_DEINIT;
+ qmi_handle_release(&qmi->qmi_hdl);
+ cancel_work_sync(&qmi->event_work);
+ destroy_workqueue(qmi->event_wq);
+diff --git a/drivers/net/wireless/ath/ath10k/qmi.h b/drivers/net/wireless/ath/ath10k/qmi.h
+index dc257375f161..b59720524224 100644
+--- a/drivers/net/wireless/ath/ath10k/qmi.h
++++ b/drivers/net/wireless/ath/ath10k/qmi.h
+@@ -83,6 +83,11 @@ struct ath10k_qmi_driver_event {
+ void *data;
+ };
+
++enum ath10k_qmi_state {
++ ATH10K_QMI_STATE_INIT_DONE,
++ ATH10K_QMI_STATE_DEINIT,
++};
++
+ struct ath10k_qmi {
+ struct ath10k *ar;
+ struct qmi_handle qmi_hdl;
+@@ -105,6 +110,7 @@ struct ath10k_qmi {
+ char fw_build_timestamp[MAX_TIMESTAMP_LEN + 1];
+ struct ath10k_qmi_cal_data cal_data[MAX_NUM_CAL_V01];
+ bool msa_fixed_perm;
++ enum ath10k_qmi_state state;
+ };
+
+ int ath10k_qmi_wlan_enable(struct ath10k *ar,
+--
+2.25.1
+
--- /dev/null
+From 6bfdca2d41b557320cdbb8ae7314e288fc696a5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2020 16:47:08 +0530
+Subject: ath11k: Avoid mgmt tx count underflow
+
+From: Sriram R <srirrama@codeaurora.org>
+
+[ Upstream commit 800113ff4b1d277c2b66ffc04d4d38f202a0d187 ]
+
+The mgmt tx count reference is incremented/decremented on every mgmt tx and on
+tx completion event from firmware.
+In case of an unexpected mgmt tx completion event from firmware,
+the counter would underflow. Avoid this by decrementing
+only when the tx count is greater than 0.
+
+Signed-off-by: Sriram R <srirrama@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1585567028-9242-1-git-send-email-srirrama@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 6fec62846279..73beca6d6b5f 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -3740,8 +3740,9 @@ static int wmi_process_mgmt_tx_comp(struct ath11k *ar, u32 desc_id,
+
+ ieee80211_tx_status_irqsafe(ar->hw, msdu);
+
+- WARN_ON_ONCE(atomic_read(&ar->num_pending_mgmt_tx) == 0);
+- atomic_dec(&ar->num_pending_mgmt_tx);
++ /* WARN when we received this event without doing any mgmt tx */
++ if (atomic_dec_if_positive(&ar->num_pending_mgmt_tx) < 0)
++ WARN_ON_ONCE(1);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 7b31a40a30f843909258683891e1372e25fca994 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2020 19:26:39 +0000
+Subject: ath11k: fix error message to correctly report the command that failed
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 9a8074e3bcd7956ec6b4f7c26360af1b0b0abe38 ]
+
+Currently the error message refers to the command WMI_TWT_DIeABLE_CMDID
+which looks like a cut-n-paste mangled typo. Fix the message to match
+the command WMI_BSS_COLOR_CHANGE_ENABLE_CMDID that failed.
+
+Fixes: 5a032c8d1953 ("ath11k: add WMI calls required for handling BSS color")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200327192639.363354-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index e7ce36966d6a..6fec62846279 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -2779,7 +2779,7 @@ int ath11k_wmi_send_bss_color_change_enable_cmd(struct ath11k *ar, u32 vdev_id,
+ ret = ath11k_wmi_cmd_send(wmi, skb,
+ WMI_BSS_COLOR_CHANGE_ENABLE_CMDID);
+ if (ret) {
+- ath11k_warn(ab, "Failed to send WMI_TWT_DIeABLE_CMDID");
++ ath11k_warn(ab, "Failed to send WMI_BSS_COLOR_CHANGE_ENABLE_CMDID");
+ dev_kfree_skb(skb);
+ }
+ return ret;
+--
+2.25.1
+
--- /dev/null
+From bcfcea0004c548cdc7ef464fabcfddd89ba804bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 10:46:21 +0000
+Subject: ath11k: fix error return code in ath11k_dp_alloc()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit f76f750aeea47fd98b6502eb6d37f84ca33662bf ]
+
+Fix to return negative error code -ENOMEM from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: d0998eb84ed3 ("ath11k: optimise ath11k_dp_tx_completion_handler")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200427104621.23752-1-weiyongjun1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c
+index 50350f77b309..2f35d325f7a5 100644
+--- a/drivers/net/wireless/ath/ath11k/dp.c
++++ b/drivers/net/wireless/ath/ath11k/dp.c
+@@ -909,8 +909,10 @@ int ath11k_dp_alloc(struct ath11k_base *ab)
+ dp->tx_ring[i].tx_status_head = 0;
+ dp->tx_ring[i].tx_status_tail = DP_TX_COMP_RING_SIZE - 1;
+ dp->tx_ring[i].tx_status = kmalloc(size, GFP_KERNEL);
+- if (!dp->tx_ring[i].tx_status)
++ if (!dp->tx_ring[i].tx_status) {
++ ret = -ENOMEM;
+ goto fail_cmn_srng_cleanup;
++ }
+ }
+
+ for (i = 0; i < HAL_DSCP_TID_MAP_TBL_NUM_ENTRIES_MAX; i++)
+--
+2.25.1
+
--- /dev/null
+From 3d73c05668076a2dac41bb736f59054cdeb570ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 22:29:28 +0530
+Subject: ath11k: fix kernel panic by freeing the msdu received with invalid
+ length
+
+From: Tamizh Chelvam <tamizhr@codeaurora.org>
+
+[ Upstream commit d7d43782d541edb8596d2f4fc7f41b0734948ec5 ]
+
+In certain scenario host receives the packets with invalid length
+which causes below kernel panic. Free up those msdus to avoid
+this kernel panic.
+
+ 2270.028121: <6> task: ffffffc0008306d0 ti: ffffffc0008306d0 task.ti: ffffffc0008306d0
+ 2270.035247: <2> PC is at skb_panic+0x40/0x44
+ 2270.042784: <2> LR is at skb_panic+0x40/0x44
+ 2270.521775: <2> [<ffffffc0004a06e0>] skb_panic+0x40/0x44
+ 2270.524039: <2> [<ffffffc0004a1278>] skb_put+0x54/0x5c
+ 2270.529264: <2> [<ffffffbffcc373a8>] ath11k_dp_process_rx_err+0x320/0x5b0 [ath11k]
+ 2270.533860: <2> [<ffffffbffcc30b68>] ath11k_dp_service_srng+0x80/0x268 [ath11k]
+ 2270.541063: <2> [<ffffffbffcc1d554>] ath11k_hal_rx_reo_ent_buf_paddr_get+0x200/0xb64 [ath11k]
+ 2270.547917: <2> [<ffffffc0004b1f74>] net_rx_action+0xf8/0x274
+ 2270.556247: <2> [<ffffffc000099df4>] __do_softirq+0x128/0x228
+ 2270.561625: <2> [<ffffffc00009a130>] irq_exit+0x84/0xcc
+ 2270.567008: <2> [<ffffffc0000cfb28>] __handle_domain_irq+0x8c/0xb0
+ 2270.571695: <2> [<ffffffc000082484>] gic_handle_irq+0x6c/0xbc
+
+Signed-off-by: Tamizh Chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1588611568-20791-1-git-send-email-tamizhr@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
+index 34b1e8e6a7fb..007bb73d6c61 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -2265,6 +2265,7 @@ static int ath11k_dp_rx_process_msdu(struct ath11k *ar,
+ struct ieee80211_hdr *hdr;
+ struct sk_buff *last_buf;
+ u8 l3_pad_bytes;
++ u8 *hdr_status;
+ u16 msdu_len;
+ int ret;
+
+@@ -2293,8 +2294,13 @@ static int ath11k_dp_rx_process_msdu(struct ath11k *ar,
+ skb_pull(msdu, HAL_RX_DESC_SIZE);
+ } else if (!rxcb->is_continuation) {
+ if ((msdu_len + HAL_RX_DESC_SIZE) > DP_RX_BUFFER_SIZE) {
++ hdr_status = ath11k_dp_rx_h_80211_hdr(rx_desc);
+ ret = -EINVAL;
+ ath11k_warn(ar->ab, "invalid msdu len %u\n", msdu_len);
++ ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", hdr_status,
++ sizeof(struct ieee80211_hdr));
++ ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", rx_desc,
++ sizeof(struct hal_rx_desc));
+ goto free_out;
+ }
+ skb_put(msdu, HAL_RX_DESC_SIZE + l3_pad_bytes + msdu_len);
+@@ -3389,6 +3395,7 @@ ath11k_dp_process_rx_err_buf(struct ath11k *ar, u32 *ring_desc, int buf_id, bool
+ struct sk_buff *msdu;
+ struct ath11k_skb_rxcb *rxcb;
+ struct hal_rx_desc *rx_desc;
++ u8 *hdr_status;
+ u16 msdu_len;
+
+ spin_lock_bh(&rx_ring->idr_lock);
+@@ -3426,6 +3433,17 @@ ath11k_dp_process_rx_err_buf(struct ath11k *ar, u32 *ring_desc, int buf_id, bool
+
+ rx_desc = (struct hal_rx_desc *)msdu->data;
+ msdu_len = ath11k_dp_rx_h_msdu_start_msdu_len(rx_desc);
++ if ((msdu_len + HAL_RX_DESC_SIZE) > DP_RX_BUFFER_SIZE) {
++ hdr_status = ath11k_dp_rx_h_80211_hdr(rx_desc);
++ ath11k_warn(ar->ab, "invalid msdu leng %u", msdu_len);
++ ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", hdr_status,
++ sizeof(struct ieee80211_hdr));
++ ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", rx_desc,
++ sizeof(struct hal_rx_desc));
++ dev_kfree_skb_any(msdu);
++ goto exit;
++ }
++
+ skb_put(msdu, HAL_RX_DESC_SIZE + msdu_len);
+
+ if (ath11k_dp_rx_frag_h_mpdu(ar, msdu, ring_desc)) {
+--
+2.25.1
+
--- /dev/null
+From 0daad73828b81daca832b488e48ddc6ace304e76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 May 2020 22:14:54 +0200
+Subject: ath11k: Fix some resource leaks in error path in
+ 'ath11k_thermal_register()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 25ca180ad380a0c7286442a922e7fbcc6a9f6083 ]
+
+If 'thermal_cooling_device_register()' fails, we must undo what has been
+allocated so far. So we must go to 'err_thermal_destroy' instead of
+returning directly
+
+In case of error in 'ath11k_thermal_register()', the previous
+'thermal_cooling_device_register()' call must also be undone. Move the
+'ar->thermal.cdev = cdev' a few lines above in order for this to be done
+in 'ath11k_thermal_unregister()' which is called in the error handling
+path.
+
+Fixes: 2a63bbca06b2 ("ath11k: add thermal cooling device support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200513201454.258111-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/thermal.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/thermal.c b/drivers/net/wireless/ath/ath11k/thermal.c
+index 259dddbda2c7..5a7e150c621b 100644
+--- a/drivers/net/wireless/ath/ath11k/thermal.c
++++ b/drivers/net/wireless/ath/ath11k/thermal.c
+@@ -174,9 +174,12 @@ int ath11k_thermal_register(struct ath11k_base *sc)
+ if (IS_ERR(cdev)) {
+ ath11k_err(sc, "failed to setup thermal device result: %ld\n",
+ PTR_ERR(cdev));
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_thermal_destroy;
+ }
+
++ ar->thermal.cdev = cdev;
++
+ ret = sysfs_create_link(&ar->hw->wiphy->dev.kobj, &cdev->device.kobj,
+ "cooling_device");
+ if (ret) {
+@@ -184,7 +187,6 @@ int ath11k_thermal_register(struct ath11k_base *sc)
+ goto err_thermal_destroy;
+ }
+
+- ar->thermal.cdev = cdev;
+ if (!IS_REACHABLE(CONFIG_HWMON))
+ return 0;
+
+--
+2.25.1
+
--- /dev/null
+From ac460a6b7545f35eabd336f731103ca6cbea009d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 09:24:17 +0000
+Subject: ath11k: use GFP_ATOMIC under spin lock
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 69c93f9674c97dc439cdc0527811f8ad104c2e35 ]
+
+A spin lock is taken here so we should use GFP_ATOMIC.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200427092417.56236-1-weiyongjun1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
+index f74a0e74bf3e..34b1e8e6a7fb 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -892,7 +892,7 @@ int ath11k_peer_rx_tid_setup(struct ath11k *ar, const u8 *peer_mac, int vdev_id,
+ else
+ hw_desc_sz = ath11k_hal_reo_qdesc_size(DP_BA_WIN_SZ_MAX, tid);
+
+- vaddr = kzalloc(hw_desc_sz + HAL_LINK_DESC_ALIGN - 1, GFP_KERNEL);
++ vaddr = kzalloc(hw_desc_sz + HAL_LINK_DESC_ALIGN - 1, GFP_ATOMIC);
+ if (!vaddr) {
+ spin_unlock_bh(&ab->base_lock);
+ return -ENOMEM;
+--
+2.25.1
+
--- /dev/null
+From 9d16346172bb9392d95f3f502172b8dc1811dfa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 09:10:56 -0400
+Subject: audit: fix a net reference leak in audit_list_rules_send()
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit 3054d06719079388a543de6adb812638675ad8f5 ]
+
+If audit_list_rules_send() fails when trying to create a new thread
+to send the rules it also fails to cleanup properly, leaking a
+reference to a net structure. This patch fixes the error patch and
+renames audit_send_list() to audit_send_list_thread() to better
+match its cousin, audit_send_reply_thread().
+
+Reported-by: teroincn@gmail.com
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/audit.c | 2 +-
+ kernel/audit.h | 2 +-
+ kernel/auditfilter.c | 16 +++++++---------
+ 3 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 033b14712340..f711f424a28a 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -880,7 +880,7 @@ main_queue:
+ return 0;
+ }
+
+-int audit_send_list(void *_dest)
++int audit_send_list_thread(void *_dest)
+ {
+ struct audit_netlink_list *dest = _dest;
+ struct sk_buff *skb;
+diff --git a/kernel/audit.h b/kernel/audit.h
+index 2eed4d231624..f0233dc40b17 100644
+--- a/kernel/audit.h
++++ b/kernel/audit.h
+@@ -229,7 +229,7 @@ struct audit_netlink_list {
+ struct sk_buff_head q;
+ };
+
+-int audit_send_list(void *_dest);
++int audit_send_list_thread(void *_dest);
+
+ extern int selinux_audit_rule_update(void);
+
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index 026e34da4ace..a10e2997aa6c 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1161,11 +1161,8 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
+ */
+ int audit_list_rules_send(struct sk_buff *request_skb, int seq)
+ {
+- u32 portid = NETLINK_CB(request_skb).portid;
+- struct net *net = sock_net(NETLINK_CB(request_skb).sk);
+ struct task_struct *tsk;
+ struct audit_netlink_list *dest;
+- int err = 0;
+
+ /* We can't just spew out the rules here because we might fill
+ * the available socket buffer space and deadlock waiting for
+@@ -1173,25 +1170,26 @@ int audit_list_rules_send(struct sk_buff *request_skb, int seq)
+ * happen if we're actually running in the context of auditctl
+ * trying to _send_ the stuff */
+
+- dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
++ dest = kmalloc(sizeof(*dest), GFP_KERNEL);
+ if (!dest)
+ return -ENOMEM;
+- dest->net = get_net(net);
+- dest->portid = portid;
++ dest->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
++ dest->portid = NETLINK_CB(request_skb).portid;
+ skb_queue_head_init(&dest->q);
+
+ mutex_lock(&audit_filter_mutex);
+ audit_list_rules(seq, &dest->q);
+ mutex_unlock(&audit_filter_mutex);
+
+- tsk = kthread_run(audit_send_list, dest, "audit_send_list");
++ tsk = kthread_run(audit_send_list_thread, dest, "audit_send_list");
+ if (IS_ERR(tsk)) {
+ skb_queue_purge(&dest->q);
++ put_net(dest->net);
+ kfree(dest);
+- err = PTR_ERR(tsk);
++ return PTR_ERR(tsk);
+ }
+
+- return err;
++ return 0;
+ }
+
+ int audit_comparator(u32 left, u32 op, u32 right)
+--
+2.25.1
+
--- /dev/null
+From ec3c061777be27446b69a606fb31e71ffcb43766 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 10:09:29 -0400
+Subject: audit: fix a net reference leak in audit_send_reply()
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit a48b284b403a4a073d8beb72d2bb33e54df67fb6 ]
+
+If audit_send_reply() fails when trying to create a new thread to
+send the reply it also fails to cleanup properly, leaking a reference
+to a net structure. This patch fixes the error path and makes a
+handful of other cleanups that came up while fixing the code.
+
+Reported-by: teroincn@gmail.com
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/audit.c | 50 +++++++++++++++++++++++++++++---------------------
+ 1 file changed, 29 insertions(+), 21 deletions(-)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 87f31bf1f0a0..033b14712340 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -924,19 +924,30 @@ out_kfree_skb:
+ return NULL;
+ }
+
++static void audit_free_reply(struct audit_reply *reply)
++{
++ if (!reply)
++ return;
++
++ if (reply->skb)
++ kfree_skb(reply->skb);
++ if (reply->net)
++ put_net(reply->net);
++ kfree(reply);
++}
++
+ static int audit_send_reply_thread(void *arg)
+ {
+ struct audit_reply *reply = (struct audit_reply *)arg;
+- struct sock *sk = audit_get_sk(reply->net);
+
+ audit_ctl_lock();
+ audit_ctl_unlock();
+
+ /* Ignore failure. It'll only happen if the sender goes away,
+ because our timeout is set to infinite. */
+- netlink_unicast(sk, reply->skb, reply->portid, 0);
+- put_net(reply->net);
+- kfree(reply);
++ netlink_unicast(audit_get_sk(reply->net), reply->skb, reply->portid, 0);
++ reply->skb = NULL;
++ audit_free_reply(reply);
+ return 0;
+ }
+
+@@ -950,35 +961,32 @@ static int audit_send_reply_thread(void *arg)
+ * @payload: payload data
+ * @size: payload size
+ *
+- * Allocates an skb, builds the netlink message, and sends it to the port id.
+- * No failure notifications.
++ * Allocates a skb, builds the netlink message, and sends it to the port id.
+ */
+ static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done,
+ int multi, const void *payload, int size)
+ {
+- struct net *net = sock_net(NETLINK_CB(request_skb).sk);
+- struct sk_buff *skb;
+ struct task_struct *tsk;
+- struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
+- GFP_KERNEL);
++ struct audit_reply *reply;
+
++ reply = kzalloc(sizeof(*reply), GFP_KERNEL);
+ if (!reply)
+ return;
+
+- skb = audit_make_reply(seq, type, done, multi, payload, size);
+- if (!skb)
+- goto out;
+-
+- reply->net = get_net(net);
++ reply->skb = audit_make_reply(seq, type, done, multi, payload, size);
++ if (!reply->skb)
++ goto err;
++ reply->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
+ reply->portid = NETLINK_CB(request_skb).portid;
+- reply->skb = skb;
+
+ tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
+- if (!IS_ERR(tsk))
+- return;
+- kfree_skb(skb);
+-out:
+- kfree(reply);
++ if (IS_ERR(tsk))
++ goto err;
++
++ return;
++
++err:
++ audit_free_reply(reply);
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 84afe01df0c8514e90c7a876de3b1f3a36a5f902 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 10:46:50 +0100
+Subject: batman-adv: Revert "disable ethtool link speed detection when auto
+ negotiation off"
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 9ad346c90509ebd983f60da7d082f261ad329507 ]
+
+The commit 8c46fcd78308 ("batman-adv: disable ethtool link speed detection
+when auto negotiation off") disabled the usage of ethtool's link_ksetting
+when auto negotation was enabled due to invalid values when used with
+tun/tap virtual net_devices. According to the patch, automatic measurements
+should be used for these kind of interfaces.
+
+But there are major flaws with this argumentation:
+
+* automatic measurements are not implemented
+* auto negotiation has nothing to do with the validity of the retrieved
+ values
+
+The first point has to be fixed by a longer patch series. The "validity"
+part of the second point must be addressed in the same patch series by
+dropping the usage of ethtool's link_ksetting (thus always doing automatic
+measurements over ethernet).
+
+Drop the patch again to have more default values for various net_device
+types/configurations. The user can still overwrite them using the
+batadv_hardif's BATADV_ATTR_THROUGHPUT_OVERRIDE.
+
+Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_v_elp.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 1e3172db7492..955e0b8960d6 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -127,20 +127,7 @@ static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh)
+ rtnl_lock();
+ ret = __ethtool_get_link_ksettings(hard_iface->net_dev, &link_settings);
+ rtnl_unlock();
+-
+- /* Virtual interface drivers such as tun / tap interfaces, VLAN, etc
+- * tend to initialize the interface throughput with some value for the
+- * sake of having a throughput number to export via ethtool. This
+- * exported throughput leaves batman-adv to conclude the interface
+- * throughput is genuine (reflecting reality), thus no measurements
+- * are necessary.
+- *
+- * Based on the observation that those interface types also tend to set
+- * the link auto-negotiation to 'off', batman-adv shall check this
+- * setting to differentiate between genuine link throughput information
+- * and placeholders installed by virtual interfaces.
+- */
+- if (ret == 0 && link_settings.base.autoneg == AUTONEG_ENABLE) {
++ if (ret == 0) {
+ /* link characteristics might change over time */
+ if (link_settings.base.duplex == DUPLEX_FULL)
+ hard_iface->bat_v.flags |= BATADV_FULL_DUPLEX;
+--
+2.25.1
+
--- /dev/null
+From a6d05617eee84826821f29705e541f9b366ddc6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2020 12:01:53 +0800
+Subject: bcache: fix refcount underflow in bcache_device_free()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 86da9f736740eba602389908574dfbb0f517baa5 ]
+
+The problematic code piece in bcache_device_free() is,
+
+ 785 static void bcache_device_free(struct bcache_device *d)
+ 786 {
+ 787 struct gendisk *disk = d->disk;
+ [snipped]
+ 799 if (disk) {
+ 800 if (disk->flags & GENHD_FL_UP)
+ 801 del_gendisk(disk);
+ 802
+ 803 if (disk->queue)
+ 804 blk_cleanup_queue(disk->queue);
+ 805
+ 806 ida_simple_remove(&bcache_device_idx,
+ 807 first_minor_to_idx(disk->first_minor));
+ 808 put_disk(disk);
+ 809 }
+ [snipped]
+ 816 }
+
+At line 808, put_disk(disk) may encounter kobject refcount of 'disk'
+being underflow.
+
+Here is how to reproduce the issue,
+- Attche the backing device to a cache device and do random write to
+ make the cache being dirty.
+- Stop the bcache device while the cache device has dirty data of the
+ backing device.
+- Only register the backing device back, NOT register cache device.
+- The bcache device node /dev/bcache0 won't show up, because backing
+ device waits for the cache device shows up for the missing dirty
+ data.
+- Now echo 1 into /sys/fs/bcache/pendings_cleanup, to stop the pending
+ backing device.
+- After the pending backing device stopped, use 'dmesg' to check kernel
+ message, a use-after-free warning from KASA reported the refcount of
+ kobject linked to the 'disk' is underflow.
+
+The dropping refcount at line 808 in the above code piece is added by
+add_disk(d->disk) in bch_cached_dev_run(). But in the above condition
+the cache device is not registered, bch_cached_dev_run() has no chance
+to be called and the refcount is not added. The put_disk() for a non-
+added refcount of gendisk kobject triggers a underflow warning.
+
+This patch checks whether GENHD_FL_UP is set in disk->flags, if it is
+not set then the bcache device was not added, don't call put_disk()
+and the the underflow issue can be avoided.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index d98354fa28e3..4d8bf731b118 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -797,7 +797,9 @@ static void bcache_device_free(struct bcache_device *d)
+ bcache_device_detach(d);
+
+ if (disk) {
+- if (disk->flags & GENHD_FL_UP)
++ bool disk_added = (disk->flags & GENHD_FL_UP) != 0;
++
++ if (disk_added)
+ del_gendisk(disk);
+
+ if (disk->queue)
+@@ -805,7 +807,8 @@ static void bcache_device_free(struct bcache_device *d)
+
+ ida_simple_remove(&bcache_device_idx,
+ first_minor_to_idx(disk->first_minor));
+- put_disk(disk);
++ if (disk_added)
++ put_disk(disk);
+ }
+
+ bioset_exit(&d->bio_split);
+--
+2.25.1
+
--- /dev/null
+From 34e3bbd6d39c918462f6ab1e12c281362a37efde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Apr 2020 09:53:34 +0200
+Subject: bcache: remove a duplicate ->make_request_fn assignment
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit a91b2014fc31dc6eaa02ca33aa3b4d1b6e4a0207 ]
+
+The make_request_fn pointer should only be assigned by blk_alloc_queue.
+Fix a left over manual initialization.
+
+Fixes: ff27668ce809 ("bcache: pass the make_request methods to blk_queue_make_request")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/request.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
+index 71a90fbec314..77d1a2697517 100644
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -1372,7 +1372,6 @@ void bch_flash_dev_request_init(struct bcache_device *d)
+ {
+ struct gendisk *g = d->disk;
+
+- g->queue->make_request_fn = flash_dev_make_request;
+ g->queue->backing_dev_info->congested_fn = flash_dev_congested;
+ d->cache_miss = flash_dev_cache_miss;
+ d->ioctl = flash_dev_ioctl;
+--
+2.25.1
+
--- /dev/null
+From 5527ee81c369d9f42d98a6f7caf6b7996112be4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 21:04:08 +0800
+Subject: block: alloc map and request for new hardware queue
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit fd689871bbfbb41cd77379d3e9e5f4def0f7d6c6 ]
+
+Alloc new map and request for new hardware queue when increse
+hardware queue count. Before this patch, it will show a
+warning for each new hardware queue, but it's not enough, these
+hctx have no maps and reqeust, when a bio was mapped to these
+hardware queue, it will trigger kernel panic when get request
+from these hctx.
+
+Test environment:
+ * A NVMe disk supports 128 io queues
+ * 96 cpus in system
+
+A corner case can always trigger this panic, there are 96
+io queues allocated for HCTX_TYPE_DEFAULT type, the corresponding kernel
+log: nvme nvme0: 96/0/0 default/read/poll queues. Now we set nvme write
+queues to 96, then nvme will alloc others(32) queues for read, but
+blk_mq_update_nr_hw_queues does not alloc map and request for these new
+added io queues. So when process read nvme disk, it will trigger kernel
+panic when get request from these hardware context.
+
+Reproduce script:
+
+nr=$(expr `cat /sys/block/nvme0n1/device/queue_count` - 1)
+echo $nr > /sys/module/nvme/parameters/write_queues
+echo 1 > /sys/block/nvme0n1/device/reset_controller
+dd if=/dev/nvme0n1 of=/dev/null bs=4K count=1
+
+[ 8040.805626] ------------[ cut here ]------------
+[ 8040.805627] WARNING: CPU: 82 PID: 12921 at block/blk-mq.c:2578 blk_mq_map_swqueue+0x2b6/0x2c0
+[ 8040.805627] Modules linked in: nvme nvme_core nf_conntrack_netlink xt_addrtype br_netfilter overlay xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nft_counter nf_nat_tftp nf_conntrack_tftp nft_masq nf_tables_set nft_fib_inet nft_f
+ib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack tun bridge nf_defrag_ipv6 nf_defrag_ipv4 stp llc ip6_tables ip_tables nft_compat rfkill ip_set nf_tables nfne
+tlink sunrpc intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass ipmi_ssif crct10dif_pclmul crc32_pclmul iTCO_wdt iTCO_vendor_support ghash_clmulni_intel intel_
+cstate intel_uncore raid0 joydev intel_rapl_perf ipmi_si pcspkr mei_me ioatdma sg ipmi_devintf mei i2c_i801 dca lpc_ich ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c sd_mod ast i2c_algo_bit drm_vram_helper drm_ttm_helper ttm d
+rm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops
+[ 8040.805637] ahci drm i40e libahci crc32c_intel libata t10_pi wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nvme_core]
+[ 8040.805640] CPU: 82 PID: 12921 Comm: kworker/u194:2 Kdump: loaded Tainted: G W 5.6.0-rc5.78317c+ #2
+[ 8040.805640] Hardware name: Inspur SA5212M5/YZMB-00882-104, BIOS 4.0.9 08/27/2019
+[ 8040.805641] Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+[ 8040.805642] RIP: 0010:blk_mq_map_swqueue+0x2b6/0x2c0
+[ 8040.805643] Code: 00 00 00 00 00 41 83 c5 01 44 39 6d 50 77 b8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8b bb 98 00 00 00 89 d6 e8 8c 81 03 00 eb 83 <0f> 0b e9 52 ff ff ff 0f 1f 00 0f 1f 44 00 00 41 57 48 89 f1 41 56
+[ 8040.805643] RSP: 0018:ffffba590d2e7d48 EFLAGS: 00010246
+[ 8040.805643] RAX: 0000000000000000 RBX: ffff9f013e1ba800 RCX: 000000000000003d
+[ 8040.805644] RDX: ffff9f00ffff6000 RSI: 0000000000000003 RDI: ffff9ed200246d90
+[ 8040.805644] RBP: ffff9f00f6a79860 R08: 0000000000000000 R09: 000000000000003d
+[ 8040.805645] R10: 0000000000000001 R11: ffff9f0138c3d000 R12: ffff9f00fb3a9008
+[ 8040.805645] R13: 000000000000007f R14: ffffffff96822660 R15: 000000000000005f
+[ 8040.805645] FS: 0000000000000000(0000) GS:ffff9f013fa80000(0000) knlGS:0000000000000000
+[ 8040.805646] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8040.805646] CR2: 00007f7f397fa6f8 CR3: 0000003d8240a002 CR4: 00000000007606e0
+[ 8040.805647] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 8040.805647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 8040.805647] PKRU: 55555554
+[ 8040.805647] Call Trace:
+[ 8040.805649] blk_mq_update_nr_hw_queues+0x31b/0x390
+[ 8040.805650] nvme_reset_work+0xb4b/0xeab [nvme]
+[ 8040.805651] process_one_work+0x1a7/0x370
+[ 8040.805652] worker_thread+0x1c9/0x380
+[ 8040.805653] ? max_active_store+0x80/0x80
+[ 8040.805655] kthread+0x112/0x130
+[ 8040.805656] ? __kthread_parkme+0x70/0x70
+[ 8040.805657] ret_from_fork+0x35/0x40
+[ 8040.805658] ---[ end trace b5f13b1e73ccb5d3 ]---
+[ 8229.365135] BUG: kernel NULL pointer dereference, address: 0000000000000004
+[ 8229.365165] #PF: supervisor read access in kernel mode
+[ 8229.365178] #PF: error_code(0x0000) - not-present page
+[ 8229.365191] PGD 0 P4D 0
+[ 8229.365201] Oops: 0000 [#1] SMP PTI
+[ 8229.365212] CPU: 77 PID: 13024 Comm: dd Kdump: loaded Tainted: G W 5.6.0-rc5.78317c+ #2
+[ 8229.365232] Hardware name: Inspur SA5212M5/YZMB-00882-104, BIOS 4.0.9 08/27/2019
+[ 8229.365253] RIP: 0010:blk_mq_get_tag+0x227/0x250
+[ 8229.365265] Code: 44 24 04 44 01 e0 48 8b 74 24 38 65 48 33 34 25 28 00 00 00 75 33 48 83 c4 40 5b 5d 41 5c 41 5d 41 5e c3 48 8d 68 10 4c 89 ef <44> 8b 60 04 48 89 ee e8 dd f9 ff ff 83 f8 ff 75 c8 e9 67 fe ff ff
+[ 8229.365304] RSP: 0018:ffffba590e977970 EFLAGS: 00010246
+[ 8229.365317] RAX: 0000000000000000 RBX: ffff9f00f6a79860 RCX: ffffba590e977998
+[ 8229.365333] RDX: 0000000000000000 RSI: ffff9f012039b140 RDI: ffffba590e977a38
+[ 8229.365349] RBP: 0000000000000010 R08: ffffda58ff94e190 R09: ffffda58ff94e198
+[ 8229.365365] R10: 0000000000000011 R11: ffff9f00f6a79860 R12: 0000000000000000
+[ 8229.365381] R13: ffffba590e977a38 R14: ffff9f012039b140 R15: 0000000000000001
+[ 8229.365397] FS: 00007f481c230580(0000) GS:ffff9f013f940000(0000) knlGS:0000000000000000
+[ 8229.365415] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8229.365428] CR2: 0000000000000004 CR3: 0000005f35e26004 CR4: 00000000007606e0
+[ 8229.365444] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 8229.365460] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 8229.365476] PKRU: 55555554
+[ 8229.365484] Call Trace:
+[ 8229.365498] ? finish_wait+0x80/0x80
+[ 8229.365512] blk_mq_get_request+0xcb/0x3f0
+[ 8229.365525] blk_mq_make_request+0x143/0x5d0
+[ 8229.365538] generic_make_request+0xcf/0x310
+[ 8229.365553] ? scan_shadow_nodes+0x30/0x30
+[ 8229.365564] submit_bio+0x3c/0x150
+[ 8229.365576] mpage_readpages+0x163/0x1a0
+[ 8229.365588] ? blkdev_direct_IO+0x490/0x490
+[ 8229.365601] read_pages+0x6b/0x190
+[ 8229.365612] __do_page_cache_readahead+0x1c1/0x1e0
+[ 8229.365626] ondemand_readahead+0x182/0x2f0
+[ 8229.365639] generic_file_buffered_read+0x590/0xab0
+[ 8229.365655] new_sync_read+0x12a/0x1c0
+[ 8229.365666] vfs_read+0x8a/0x140
+[ 8229.365676] ksys_read+0x59/0xd0
+[ 8229.365688] do_syscall_64+0x55/0x1d0
+[ 8229.365700] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Weiping Zhang <zhangweiping@didiglobal.com>
+Tested-by: Weiping Zhang <zhangweiping@didiglobal.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index a7785df2c944..b1772de26a74 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2521,18 +2521,6 @@ static void blk_mq_map_swqueue(struct request_queue *q)
+ * If the cpu isn't present, the cpu is mapped to first hctx.
+ */
+ for_each_possible_cpu(i) {
+- hctx_idx = set->map[HCTX_TYPE_DEFAULT].mq_map[i];
+- /* unmapped hw queue can be remapped after CPU topo changed */
+- if (!set->tags[hctx_idx] &&
+- !__blk_mq_alloc_rq_map(set, hctx_idx)) {
+- /*
+- * If tags initialization fail for some hctx,
+- * that hctx won't be brought online. In this
+- * case, remap the current ctx to hctx[0] which
+- * is guaranteed to always have tags allocated
+- */
+- set->map[HCTX_TYPE_DEFAULT].mq_map[i] = 0;
+- }
+
+ ctx = per_cpu_ptr(q->queue_ctx, i);
+ for (j = 0; j < set->nr_maps; j++) {
+@@ -2541,6 +2529,18 @@ static void blk_mq_map_swqueue(struct request_queue *q)
+ HCTX_TYPE_DEFAULT, i);
+ continue;
+ }
++ hctx_idx = set->map[j].mq_map[i];
++ /* unmapped hw queue can be remapped after CPU topo changed */
++ if (!set->tags[hctx_idx] &&
++ !__blk_mq_alloc_rq_map(set, hctx_idx)) {
++ /*
++ * If tags initialization fail for some hctx,
++ * that hctx won't be brought online. In this
++ * case, remap the current ctx to hctx[0] which
++ * is guaranteed to always have tags allocated
++ */
++ set->map[j].mq_map[i] = 0;
++ }
+
+ hctx = blk_mq_map_queue_type(q, j, i);
+ ctx->hctxs[j] = hctx;
+--
+2.25.1
+
--- /dev/null
+From 2af077a923cf27d97412d7df44f764f7cc2e673b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 May 2020 08:44:05 +0800
+Subject: block: reset mapping if failed to update hardware queue count
+
+From: Weiping Zhang <zhangweiping@didiglobal.com>
+
+[ Upstream commit aa880ad690ab6d4c53934af85fb5a43e69ecb0f5 ]
+
+When we increase hardware queue count, blk_mq_update_queue_map will
+reset the mapping between cpu and hardware queue base on the hardware
+queue count(set->nr_hw_queues). The mapping cannot be reset if it
+encounters error in blk_mq_realloc_hw_ctxs, but the fallback flow will
+continue using it, then blk_mq_map_swqueue will touch a invalid memory,
+because the mapping points to a wrong hctx.
+
+blktest block/030:
+
+null_blk: module loaded
+Increasing nr_hw_queues to 8 fails, fallback to 1
+==================================================================
+BUG: KASAN: null-ptr-deref in blk_mq_map_swqueue+0x2f2/0x830
+Read of size 8 at addr 0000000000000128 by task nproc/8541
+
+CPU: 5 PID: 8541 Comm: nproc Not tainted 5.7.0-rc4-dbg+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
+Call Trace:
+dump_stack+0xa5/0xe6
+__kasan_report.cold+0x65/0xbb
+kasan_report+0x45/0x60
+check_memory_region+0x15e/0x1c0
+__kasan_check_read+0x15/0x20
+blk_mq_map_swqueue+0x2f2/0x830
+__blk_mq_update_nr_hw_queues+0x3df/0x690
+blk_mq_update_nr_hw_queues+0x32/0x50
+nullb_device_submit_queues_store+0xde/0x160 [null_blk]
+configfs_write_file+0x1c4/0x250 [configfs]
+__vfs_write+0x4c/0x90
+vfs_write+0x14b/0x2d0
+ksys_write+0xdd/0x180
+__x64_sys_write+0x47/0x50
+do_syscall_64+0x6f/0x310
+entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Signed-off-by: Weiping Zhang <zhangweiping@didiglobal.com>
+Tested-by: Bart van Assche <bvanassche@acm.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index b1772de26a74..98a702761e2c 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3353,8 +3353,8 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+
+ prev_nr_hw_queues = set->nr_hw_queues;
+ set->nr_hw_queues = nr_hw_queues;
+- blk_mq_update_queue_map(set);
+ fallback:
++ blk_mq_update_queue_map(set);
+ list_for_each_entry(q, &set->tag_list, tag_set_list) {
+ blk_mq_realloc_hw_ctxs(set, q);
+ if (q->nr_hw_queues != set->nr_hw_queues) {
+--
+2.25.1
+
--- /dev/null
+From ffadc77002ef9e040660e8c4a5c9e5060a47e379 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:27:04 +0800
+Subject: Bluetooth: Add SCO fallback for invalid LMP parameters error
+
+From: Hsin-Yu Chao <hychao@chromium.org>
+
+[ Upstream commit 56b5453a86203a44726f523b4133c1feca49ce7c ]
+
+Bluetooth PTS test case HFP/AG/ACC/BI-12-I accepts SCO connection
+with invalid parameter at the first SCO request expecting AG to
+attempt another SCO request with the use of "safe settings" for
+given codec, base on section 5.7.1.2 of HFP 1.7 specification.
+
+This patch addresses it by adding "Invalid LMP Parameters" (0x1e)
+to the SCO fallback case. Verified with below log:
+
+< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
+ Handle: 256
+ Transmit bandwidth: 8000
+ Receive bandwidth: 8000
+ Max latency: 13
+ Setting: 0x0003
+ Input Coding: Linear
+ Input Data Format: 1's complement
+ Input Sample Size: 8-bit
+ # of bits padding at MSB: 0
+ Air Coding Format: Transparent Data
+ Retransmission effort: Optimize for link quality (0x02)
+ Packet type: 0x0380
+ 3-EV3 may not be used
+ 2-EV5 may not be used
+ 3-EV5 may not be used
+> HCI Event: Command Status (0x0f) plen 4
+ Setup Synchronous Connection (0x01|0x0028) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Number of Completed Packets (0x13) plen 5
+ Num handles: 1
+ Handle: 256
+ Count: 1
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 1
+> HCI Event: Synchronous Connect Complete (0x2c) plen 17
+ Status: Invalid LMP Parameters / Invalid LL Parameters (0x1e)
+ Handle: 0
+ Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
+ Link type: eSCO (0x02)
+ Transmission interval: 0x00
+ Retransmission window: 0x02
+ RX packet length: 0
+ TX packet length: 0
+ Air mode: Transparent (0x03)
+< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
+ Handle: 256
+ Transmit bandwidth: 8000
+ Receive bandwidth: 8000
+ Max latency: 8
+ Setting: 0x0003
+ Input Coding: Linear
+ Input Data Format: 1's complement
+ Input Sample Size: 8-bit
+ # of bits padding at MSB: 0
+ Air Coding Format: Transparent Data
+ Retransmission effort: Optimize for link quality (0x02)
+ Packet type: 0x03c8
+ EV3 may be used
+ 2-EV3 may not be used
+ 3-EV3 may not be used
+ 2-EV5 may not be used
+ 3-EV5 may not be used
+> HCI Event: Command Status (0x0f) plen 4
+ Setup Synchronous Connection (0x01|0x0028) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 5
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 1
+> HCI Event: Synchronous Connect Complete (0x2c) plen 17
+ Status: Success (0x00)
+ Handle: 257
+ Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
+ Link type: eSCO (0x02)
+ Transmission interval: 0x06
+ Retransmission window: 0x04
+ RX packet length: 30
+ TX packet length: 30
+ Air mode: Transparent (0x03)
+
+Signed-off-by: Hsin-Yu Chao <hychao@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 0a591be8b0ae..b11f8d391ad8 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4292,6 +4292,7 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
+ case 0x11: /* Unsupported Feature or Parameter Value */
+ case 0x1c: /* SCO interval rejected */
+ case 0x1a: /* Unsupported Remote Feature */
++ case 0x1e: /* Invalid LMP Parameters */
+ case 0x1f: /* Unspecified error */
+ case 0x20: /* Unsupported LMP Parameter value */
+ if (conn->out) {
+--
+2.25.1
+
--- /dev/null
+From b7bfcad04d89079f28d69c956981f8920e2f8d19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 14:43:27 +0000
+Subject: Bluetooth: Adding driver and quirk defs for multi-role LE
+
+From: Alain Michaud <alainm@chromium.org>
+
+[ Upstream commit 220915857e29795ae5ba4222806268b4a99c19c1 ]
+
+This change adds the relevant driver and quirk to allow drivers to
+report the le_states as being trustworthy.
+
+This has historically been disabled as controllers did not reliably
+support this. In particular, this will be used to relax this condition
+for controllers that have been well tested and reliable.
+
+ /* Most controller will fail if we try to create new connections
+ * while we have an existing one in slave role.
+ */
+ if (hdev->conn_hash.le_num_slave > 0)
+ return NULL;
+
+Signed-off-by: Alain Michaud <alainm@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ include/net/bluetooth/hci.h | 9 +++++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 3bdec42c9612..3d9313c746f3 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -58,6 +58,7 @@ static struct usb_driver btusb_driver;
+ #define BTUSB_CW6622 0x100000
+ #define BTUSB_MEDIATEK 0x200000
+ #define BTUSB_WIDEBAND_SPEECH 0x400000
++#define BTUSB_VALID_LE_STATES 0x800000
+
+ static const struct usb_device_id btusb_table[] = {
+ /* Generic Bluetooth USB device */
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 5f60e135aeb6..25c2e5ee81dc 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -214,6 +214,15 @@ enum {
+ * This quirk must be set before hci_register_dev is called.
+ */
+ HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
++
++ /* When this quirk is set, the controller has validated that
++ * LE states reported through the HCI_LE_READ_SUPPORTED_STATES are
++ * valid. This mechanism is necessary as many controllers have
++ * been seen has having trouble initiating a connectable
++ * advertisement despite the state combination being reported as
++ * supported.
++ */
++ HCI_QUIRK_VALID_LE_STATES,
+ };
+
+ /* HCI device flags */
+--
+2.25.1
+
--- /dev/null
+From e6ef5e121ece034452f962b66192aed5c75a7d07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Apr 2020 19:15:32 +0200
+Subject: Bluetooth: btbcm: Add 2 missing models to subver tables
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit c03ee9af4e07112bd3fc688daca9e654f41eca93 ]
+
+Currently the bcm_uart_subver_ and bcm_usb_subver_table-s lack entries
+for the BCM4324B5 and BCM20703A1 chipsets. This makes the code use just
+"BCM" as prefix for the filename to pass to request-firmware, making it
+harder for users to figure out which firmware they need. This especially
+is problematic with the UART attached BCM4324B5 where this leads to the
+filename being just "BCM.hcd".
+
+Add the 2 missing devices to subver tables. This has been tested on:
+
+1. A Dell XPS15 9550 where this makes btbcm.c try to load
+"BCM20703A1-0a5c-6410.hcd" before it tries to load "BCM-0a5c-6410.hcd".
+
+2. A Thinkpad 8 where this makes btbcm.c try to load
+"BCM4324B5.hcd" before it tries to load "BCM.hcd"
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btbcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
+index 1f498f358f60..e1377934507c 100644
+--- a/drivers/bluetooth/btbcm.c
++++ b/drivers/bluetooth/btbcm.c
+@@ -380,6 +380,7 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = {
+ { 0x410e, "BCM43341B0" }, /* 002.001.014 */
+ { 0x4204, "BCM2076B1" }, /* 002.002.004 */
+ { 0x4406, "BCM4324B3" }, /* 002.004.006 */
++ { 0x4606, "BCM4324B5" }, /* 002.006.006 */
+ { 0x6109, "BCM4335C0" }, /* 003.001.009 */
+ { 0x610c, "BCM4354" }, /* 003.001.012 */
+ { 0x2122, "BCM4343A0" }, /* 001.001.034 */
+@@ -395,6 +396,7 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = {
+ };
+
+ static const struct bcm_subver_table bcm_usb_subver_table[] = {
++ { 0x2105, "BCM20703A1" }, /* 001.001.005 */
+ { 0x210b, "BCM43142A0" }, /* 001.001.011 */
+ { 0x2112, "BCM4314A0" }, /* 001.001.018 */
+ { 0x2118, "BCM20702A0" }, /* 001.001.024 */
+--
+2.25.1
+
--- /dev/null
+From 9e87580afd4bf7896e9f3f112b003ebef5a81819 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 10:27:26 +0800
+Subject: Bluetooth: btmtkuart: Improve exception handling in btmtuart_probe()
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 4803c54ca24923a30664bea2a7772db6e7303c51 ]
+
+Calls of the functions clk_disable_unprepare() and hci_free_dev()
+were missing for the exception handling.
+Thus add the missed function calls together with corresponding
+jump targets.
+
+Fixes: 055825614c6b ("Bluetooth: btmtkuart: add an implementation for clock osc property")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtkuart.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c
+index e11169ad8247..8a81fbca5c9d 100644
+--- a/drivers/bluetooth/btmtkuart.c
++++ b/drivers/bluetooth/btmtkuart.c
+@@ -1015,7 +1015,7 @@ static int btmtkuart_probe(struct serdev_device *serdev)
+ if (btmtkuart_is_standalone(bdev)) {
+ err = clk_prepare_enable(bdev->osc);
+ if (err < 0)
+- return err;
++ goto err_hci_free_dev;
+
+ if (bdev->boot) {
+ gpiod_set_value_cansleep(bdev->boot, 1);
+@@ -1028,10 +1028,8 @@ static int btmtkuart_probe(struct serdev_device *serdev)
+
+ /* Power on */
+ err = regulator_enable(bdev->vcc);
+- if (err < 0) {
+- clk_disable_unprepare(bdev->osc);
+- return err;
+- }
++ if (err < 0)
++ goto err_clk_disable_unprepare;
+
+ /* Reset if the reset-gpios is available otherwise the board
+ * -level design should be guaranteed.
+@@ -1063,7 +1061,6 @@ static int btmtkuart_probe(struct serdev_device *serdev)
+ err = hci_register_dev(hdev);
+ if (err < 0) {
+ dev_err(&serdev->dev, "Can't register HCI device\n");
+- hci_free_dev(hdev);
+ goto err_regulator_disable;
+ }
+
+@@ -1072,6 +1069,11 @@ static int btmtkuart_probe(struct serdev_device *serdev)
+ err_regulator_disable:
+ if (btmtkuart_is_standalone(bdev))
+ regulator_disable(bdev->vcc);
++err_clk_disable_unprepare:
++ if (btmtkuart_is_standalone(bdev))
++ clk_disable_unprepare(bdev->osc);
++err_hci_free_dev:
++ hci_free_dev(hdev);
+
+ return err;
+ }
+--
+2.25.1
+
--- /dev/null
+From ee982e2ac27aca6c37e7f7b955ff6d38d2469b61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 04:31:07 +0800
+Subject: Bluetooth: hci_qca: Fix suspend/resume functionality failure
+
+From: Zijun Hu <zijuhu@codeaurora.org>
+
+[ Upstream commit feac90d756c03b03b83fabe83571bd88ecc96b78 ]
+
+@dev parameter of qca_suspend()/qca_resume() represents
+serdev_device, but it is mistook for hci_dev and causes
+succedent unexpected memory access.
+
+Fix by taking @dev as serdev_device.
+
+Fixes: 41d5b25fed0 ("Bluetooth: hci_qca: add PM support")
+Signed-off-by: Zijun Hu <zijuhu@codeaurora.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_qca.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 439392b1c043..0b1036e5e963 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1953,8 +1953,9 @@ static void qca_serdev_remove(struct serdev_device *serdev)
+
+ static int __maybe_unused qca_suspend(struct device *dev)
+ {
+- struct hci_dev *hdev = container_of(dev, struct hci_dev, dev);
+- struct hci_uart *hu = hci_get_drvdata(hdev);
++ struct serdev_device *serdev = to_serdev_device(dev);
++ struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
++ struct hci_uart *hu = &qcadev->serdev_hu;
+ struct qca_data *qca = hu->priv;
+ unsigned long flags;
+ int ret = 0;
+@@ -2033,8 +2034,9 @@ error:
+
+ static int __maybe_unused qca_resume(struct device *dev)
+ {
+- struct hci_dev *hdev = container_of(dev, struct hci_dev, dev);
+- struct hci_uart *hu = hci_get_drvdata(hdev);
++ struct serdev_device *serdev = to_serdev_device(dev);
++ struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
++ struct hci_uart *hu = &qcadev->serdev_hu;
+ struct qca_data *qca = hu->priv;
+
+ clear_bit(QCA_SUSPENDING, &qca->flags);
+--
+2.25.1
+
--- /dev/null
+From f271daecfb3a3889a2205a2c1b33f21417a61eab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2020 18:56:59 +0000
+Subject: bpf: Fix map permissions check
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit 1ea0f9120c8ce105ca181b070561df5cbd6bc049 ]
+
+The map_lookup_and_delete_elem() function should check for both FMODE_CAN_WRITE
+and FMODE_CAN_READ permissions because it returns a map element to user space.
+
+Fixes: bd513cd08f10 ("bpf: add MAP_LOOKUP_AND_DELETE_ELEM syscall")
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20200527185700.14658-5-a.s.protopopov@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 4e6dee19a668..5e52765161f9 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -1468,7 +1468,8 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr)
+ map = __bpf_map_get(f);
+ if (IS_ERR(map))
+ return PTR_ERR(map);
+- if (!(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
++ if (!(map_get_sys_perms(map, f) & FMODE_CAN_READ) ||
++ !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
+ err = -EPERM;
+ goto err_put;
+ }
+--
+2.25.1
+
--- /dev/null
+From 450a85acb6a91a327884e7903eab58ffb832174e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 16:06:59 -0700
+Subject: bpf: Fix running sk_skb program types with ktls
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit e91de6afa81c10e9f855c5695eb9a53168d96b73 ]
+
+KTLS uses a stream parser to collect TLS messages and send them to
+the upper layer tls receive handler. This ensures the tls receiver
+has a full TLS header to parse when it is run. However, when a
+socket has BPF_SK_SKB_STREAM_VERDICT program attached before KTLS
+is enabled we end up with two stream parsers running on the same
+socket.
+
+The result is both try to run on the same socket. First the KTLS
+stream parser runs and calls read_sock() which will tcp_read_sock
+which in turn calls tcp_rcv_skb(). This dequeues the skb from the
+sk_receive_queue. When this is done KTLS code then data_ready()
+callback which because we stacked KTLS on top of the bpf stream
+verdict program has been replaced with sk_psock_start_strp(). This
+will in turn kick the stream parser again and eventually do the
+same thing KTLS did above calling into tcp_rcv_skb() and dequeuing
+a skb from the sk_receive_queue.
+
+At this point the data stream is broke. Part of the stream was
+handled by the KTLS side some other bytes may have been handled
+by the BPF side. Generally this results in either missing data
+or more likely a "Bad Message" complaint from the kTLS receive
+handler as the BPF program steals some bytes meant to be in a
+TLS header and/or the TLS header length is no longer correct.
+
+We've already broke the idealized model where we can stack ULPs
+in any order with generic callbacks on the TX side to handle this.
+So in this patch we do the same thing but for RX side. We add
+a sk_psock_strp_enabled() helper so TLS can learn a BPF verdict
+program is running and add a tls_sw_has_ctx_rx() helper so BPF
+side can learn there is a TLS ULP on the socket.
+
+Then on BPF side we omit calling our stream parser to avoid
+breaking the data stream for the KTLS receiver. Then on the
+KTLS side we call BPF_SK_SKB_STREAM_VERDICT once the KTLS
+receiver is done with the packet but before it posts the
+msg to userspace. This gives us symmetry between the TX and
+RX halfs and IMO makes it usable again. On the TX side we
+process packets in this order BPF -> TLS -> TCP and on
+the receive side in the reverse order TCP -> TLS -> BPF.
+
+Discovered while testing OpenSSL 3.0 Alpha2.0 release.
+
+Fixes: d829e9c4112b5 ("tls: convert to generic sk_msg interface")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/159079361946.5745.605854335665044485.stgit@john-Precision-5820-Tower
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skmsg.h | 8 ++++++++
+ include/net/tls.h | 9 +++++++++
+ net/core/skmsg.c | 43 ++++++++++++++++++++++++++++++++++++++++---
+ net/tls/tls_sw.c | 20 ++++++++++++++++++--
+ 4 files changed, 75 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
+index ad31c9fb7158..08674cd14d5a 100644
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -437,4 +437,12 @@ static inline void psock_progs_drop(struct sk_psock_progs *progs)
+ psock_set_prog(&progs->skb_verdict, NULL);
+ }
+
++int sk_psock_tls_strp_read(struct sk_psock *psock, struct sk_buff *skb);
++
++static inline bool sk_psock_strp_enabled(struct sk_psock *psock)
++{
++ if (!psock)
++ return false;
++ return psock->parser.enabled;
++}
+ #endif /* _LINUX_SKMSG_H */
+diff --git a/include/net/tls.h b/include/net/tls.h
+index 18cd4f418464..ca5f7f437289 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -571,6 +571,15 @@ static inline bool tls_sw_has_ctx_tx(const struct sock *sk)
+ return !!tls_sw_ctx_tx(ctx);
+ }
+
++static inline bool tls_sw_has_ctx_rx(const struct sock *sk)
++{
++ struct tls_context *ctx = tls_get_ctx(sk);
++
++ if (!ctx)
++ return false;
++ return !!tls_sw_ctx_rx(ctx);
++}
++
+ void tls_sw_write_space(struct sock *sk, struct tls_context *ctx);
+ void tls_device_write_space(struct sock *sk, struct tls_context *ctx);
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 9d72f71e9b47..351afbf6bfba 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -7,6 +7,7 @@
+
+ #include <net/sock.h>
+ #include <net/tcp.h>
++#include <net/tls.h>
+
+ static bool sk_msg_try_coalesce_ok(struct sk_msg *msg, int elem_first_coalesce)
+ {
+@@ -714,6 +715,38 @@ static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb)
+ }
+ }
+
++static void sk_psock_tls_verdict_apply(struct sk_psock *psock,
++ struct sk_buff *skb, int verdict)
++{
++ switch (verdict) {
++ case __SK_REDIRECT:
++ sk_psock_skb_redirect(psock, skb);
++ break;
++ case __SK_PASS:
++ case __SK_DROP:
++ default:
++ break;
++ }
++}
++
++int sk_psock_tls_strp_read(struct sk_psock *psock, struct sk_buff *skb)
++{
++ struct bpf_prog *prog;
++ int ret = __SK_PASS;
++
++ rcu_read_lock();
++ prog = READ_ONCE(psock->progs.skb_verdict);
++ if (likely(prog)) {
++ tcp_skb_bpf_redirect_clear(skb);
++ ret = sk_psock_bpf_run(psock, prog, skb);
++ ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb));
++ }
++ rcu_read_unlock();
++ sk_psock_tls_verdict_apply(psock, skb, ret);
++ return ret;
++}
++EXPORT_SYMBOL_GPL(sk_psock_tls_strp_read);
++
+ static void sk_psock_verdict_apply(struct sk_psock *psock,
+ struct sk_buff *skb, int verdict)
+ {
+@@ -792,9 +825,13 @@ static void sk_psock_strp_data_ready(struct sock *sk)
+ rcu_read_lock();
+ psock = sk_psock(sk);
+ if (likely(psock)) {
+- write_lock_bh(&sk->sk_callback_lock);
+- strp_data_ready(&psock->parser.strp);
+- write_unlock_bh(&sk->sk_callback_lock);
++ if (tls_sw_has_ctx_rx(sk)) {
++ psock->parser.saved_data_ready(sk);
++ } else {
++ write_lock_bh(&sk->sk_callback_lock);
++ strp_data_ready(&psock->parser.strp);
++ write_unlock_bh(&sk->sk_callback_lock);
++ }
+ }
+ rcu_read_unlock();
+ }
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 8c2763eb6aae..24f64bc0de18 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1742,6 +1742,7 @@ int tls_sw_recvmsg(struct sock *sk,
+ long timeo;
+ bool is_kvec = iov_iter_is_kvec(&msg->msg_iter);
+ bool is_peek = flags & MSG_PEEK;
++ bool bpf_strp_enabled;
+ int num_async = 0;
+ int pending;
+
+@@ -1752,6 +1753,7 @@ int tls_sw_recvmsg(struct sock *sk,
+
+ psock = sk_psock_get(sk);
+ lock_sock(sk);
++ bpf_strp_enabled = sk_psock_strp_enabled(psock);
+
+ /* Process pending decrypted records. It must be non-zero-copy */
+ err = process_rx_list(ctx, msg, &control, &cmsg, 0, len, false,
+@@ -1805,11 +1807,12 @@ int tls_sw_recvmsg(struct sock *sk,
+
+ if (to_decrypt <= len && !is_kvec && !is_peek &&
+ ctx->control == TLS_RECORD_TYPE_DATA &&
+- prot->version != TLS_1_3_VERSION)
++ prot->version != TLS_1_3_VERSION &&
++ !bpf_strp_enabled)
+ zc = true;
+
+ /* Do not use async mode if record is non-data */
+- if (ctx->control == TLS_RECORD_TYPE_DATA)
++ if (ctx->control == TLS_RECORD_TYPE_DATA && !bpf_strp_enabled)
+ async_capable = ctx->async_capable;
+ else
+ async_capable = false;
+@@ -1859,6 +1862,19 @@ int tls_sw_recvmsg(struct sock *sk,
+ goto pick_next_record;
+
+ if (!zc) {
++ if (bpf_strp_enabled) {
++ err = sk_psock_tls_strp_read(psock, skb);
++ if (err != __SK_PASS) {
++ rxm->offset = rxm->offset + rxm->full_len;
++ rxm->full_len = 0;
++ if (err == __SK_DROP)
++ consume_skb(skb);
++ ctx->recv_pkt = NULL;
++ __strp_unpause(&ctx->strp);
++ continue;
++ }
++ }
++
+ if (rxm->full_len > len) {
+ retain_skb = true;
+ chunk = len;
+--
+2.25.1
+
--- /dev/null
+From 842914cf9936094e1c6d925b853303ed6902bf07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2020 16:58:32 +0200
+Subject: bpf: Fix up bpf_skb_adjust_room helper's skb csum setting
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 836e66c218f355ec01ba57671c85abf32961dcea ]
+
+Lorenz recently reported:
+
+ In our TC classifier cls_redirect [0], we use the following sequence of
+ helper calls to decapsulate a GUE (basically IP + UDP + custom header)
+ encapsulated packet:
+
+ bpf_skb_adjust_room(skb, -encap_len, BPF_ADJ_ROOM_MAC, BPF_F_ADJ_ROOM_FIXED_GSO)
+ bpf_redirect(skb->ifindex, BPF_F_INGRESS)
+
+ It seems like some checksums of the inner headers are not validated in
+ this case. For example, a TCP SYN packet with invalid TCP checksum is
+ still accepted by the network stack and elicits a SYN ACK. [...]
+
+ That is, we receive the following packet from the driver:
+
+ | ETH | IP | UDP | GUE | IP | TCP |
+ skb->ip_summed == CHECKSUM_UNNECESSARY
+
+ ip_summed is CHECKSUM_UNNECESSARY because our NICs do rx checksum offloading.
+ On this packet we run skb_adjust_room_mac(-encap_len), and get the following:
+
+ | ETH | IP | TCP |
+ skb->ip_summed == CHECKSUM_UNNECESSARY
+
+ Note that ip_summed is still CHECKSUM_UNNECESSARY. After bpf_redirect()'ing
+ into the ingress, we end up in tcp_v4_rcv(). There, skb_checksum_init() is
+ turned into a no-op due to CHECKSUM_UNNECESSARY.
+
+The bpf_skb_adjust_room() helper is not aware of protocol specifics. Internally,
+it handles the CHECKSUM_COMPLETE case via skb_postpull_rcsum(), but that does
+not cover CHECKSUM_UNNECESSARY. In this case skb->csum_level of the original
+skb prior to bpf_skb_adjust_room() call was 0, that is, covering UDP. Right now
+there is no way to adjust the skb->csum_level. NICs that have checksum offload
+disabled (CHECKSUM_NONE) or that support CHECKSUM_COMPLETE are not affected.
+
+Use a safe default for CHECKSUM_UNNECESSARY by resetting to CHECKSUM_NONE and
+add a flag to the helper called BPF_F_ADJ_ROOM_NO_CSUM_RESET that allows users
+from opting out. Opting out is useful for the case where we don't remove/add
+full protocol headers, or for the case where a user wants to adjust the csum
+level manually e.g. through bpf_csum_level() helper that is added in subsequent
+patch.
+
+The bpf_skb_proto_{4_to_6,6_to_4}() for NAT64/46 translation from the BPF
+bpf_skb_change_proto() helper uses bpf_skb_net_hdr_{push,pop}() pair internally
+as well but doesn't change layers, only transitions between v4 to v6 and vice
+versa, therefore no adoption is required there.
+
+ [0] https://lore.kernel.org/bpf/20200424185556.7358-1-lmb@cloudflare.com/
+
+Fixes: 2be7e212d541 ("bpf: add bpf_skb_adjust_room helper")
+Reported-by: Lorenz Bauer <lmb@cloudflare.com>
+Reported-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
+Link: https://lore.kernel.org/bpf/CACAyw9-uU_52esMd1JjuA80fRPHJv5vsSg8GnfW3t_qDU4aVKQ@mail.gmail.com/
+Link: https://lore.kernel.org/bpf/11a90472e7cce83e76ddbfce81fdfce7bfc68808.1591108731.git.daniel@iogearbox.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 8 ++++++++
+ include/uapi/linux/bpf.h | 8 ++++++++
+ net/core/filter.c | 8 ++++++--
+ tools/include/uapi/linux/bpf.h | 8 ++++++++
+ 4 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 3000c526f552..7e737a94bc63 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3945,6 +3945,14 @@ static inline void __skb_incr_checksum_unnecessary(struct sk_buff *skb)
+ }
+ }
+
++static inline void __skb_reset_checksum_unnecessary(struct sk_buff *skb)
++{
++ if (skb->ip_summed == CHECKSUM_UNNECESSARY) {
++ skb->ip_summed = CHECKSUM_NONE;
++ skb->csum_level = 0;
++ }
++}
++
+ /* Check if we need to perform checksum complete validation.
+ *
+ * Returns true if checksum complete is needed, false otherwise
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index f9b7fdd951e4..c01de7924e97 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -1589,6 +1589,13 @@ union bpf_attr {
+ * Grow or shrink the room for data in the packet associated to
+ * *skb* by *len_diff*, and according to the selected *mode*.
+ *
++ * By default, the helper will reset any offloaded checksum
++ * indicator of the skb to CHECKSUM_NONE. This can be avoided
++ * by the following flag:
++ *
++ * * **BPF_F_ADJ_ROOM_NO_CSUM_RESET**: Do not reset offloaded
++ * checksum data of the skb to CHECKSUM_NONE.
++ *
+ * There are two supported modes at this time:
+ *
+ * * **BPF_ADJ_ROOM_MAC**: Adjust room at the mac layer
+@@ -3235,6 +3242,7 @@ enum {
+ BPF_F_ADJ_ROOM_ENCAP_L3_IPV6 = (1ULL << 2),
+ BPF_F_ADJ_ROOM_ENCAP_L4_GRE = (1ULL << 3),
+ BPF_F_ADJ_ROOM_ENCAP_L4_UDP = (1ULL << 4),
++ BPF_F_ADJ_ROOM_NO_CSUM_RESET = (1ULL << 5),
+ };
+
+ enum {
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 5cc9276f1023..11b97c31bca5 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -3124,7 +3124,8 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 off, u32 len_diff,
+ {
+ int ret;
+
+- if (flags & ~BPF_F_ADJ_ROOM_FIXED_GSO)
++ if (unlikely(flags & ~(BPF_F_ADJ_ROOM_FIXED_GSO |
++ BPF_F_ADJ_ROOM_NO_CSUM_RESET)))
+ return -EINVAL;
+
+ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb)) {
+@@ -3174,7 +3175,8 @@ BPF_CALL_4(bpf_skb_adjust_room, struct sk_buff *, skb, s32, len_diff,
+ u32 off;
+ int ret;
+
+- if (unlikely(flags & ~BPF_F_ADJ_ROOM_MASK))
++ if (unlikely(flags & ~(BPF_F_ADJ_ROOM_MASK |
++ BPF_F_ADJ_ROOM_NO_CSUM_RESET)))
+ return -EINVAL;
+ if (unlikely(len_diff_abs > 0xfffU))
+ return -EFAULT;
+@@ -3202,6 +3204,8 @@ BPF_CALL_4(bpf_skb_adjust_room, struct sk_buff *, skb, s32, len_diff,
+
+ ret = shrink ? bpf_skb_net_shrink(skb, off, len_diff_abs, flags) :
+ bpf_skb_net_grow(skb, off, len_diff_abs, flags);
++ if (!ret && !(flags & BPF_F_ADJ_ROOM_NO_CSUM_RESET))
++ __skb_reset_checksum_unnecessary(skb);
+
+ bpf_compute_data_pointers(skb);
+ return ret;
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index 7bbf1b65be10..ad77cf9bb37e 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -1589,6 +1589,13 @@ union bpf_attr {
+ * Grow or shrink the room for data in the packet associated to
+ * *skb* by *len_diff*, and according to the selected *mode*.
+ *
++ * By default, the helper will reset any offloaded checksum
++ * indicator of the skb to CHECKSUM_NONE. This can be avoided
++ * by the following flag:
++ *
++ * * **BPF_F_ADJ_ROOM_NO_CSUM_RESET**: Do not reset offloaded
++ * checksum data of the skb to CHECKSUM_NONE.
++ *
+ * There are two supported modes at this time:
+ *
+ * * **BPF_ADJ_ROOM_MAC**: Adjust room at the mac layer
+@@ -3235,6 +3242,7 @@ enum {
+ BPF_F_ADJ_ROOM_ENCAP_L3_IPV6 = (1ULL << 2),
+ BPF_F_ADJ_ROOM_ENCAP_L4_GRE = (1ULL << 3),
+ BPF_F_ADJ_ROOM_ENCAP_L4_UDP = (1ULL << 4),
++ BPF_F_ADJ_ROOM_NO_CSUM_RESET = (1ULL << 5),
+ };
+
+ enum {
+--
+2.25.1
+
--- /dev/null
+From 72c3887a99b4d9f62deece834de51abc98a6413d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 16:06:41 -0700
+Subject: bpf: Refactor sockmap redirect code so its easy to reuse
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit ca2f5f21dbbd5e3a00cd3e97f728aa2ca0b2e011 ]
+
+We will need this block of code called from tls context shortly
+lets refactor the redirect logic so its easy to use. This also
+cleans up the switch stmt so we have fewer fallthrough cases.
+
+No logic changes are intended.
+
+Fixes: d829e9c4112b5 ("tls: convert to generic sk_msg interface")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/159079360110.5745.7024009076049029819.stgit@john-Precision-5820-Tower
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 55 ++++++++++++++++++++++++++++++------------------
+ 1 file changed, 34 insertions(+), 21 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index c479372f2cd2..9d72f71e9b47 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -682,13 +682,43 @@ static struct sk_psock *sk_psock_from_strp(struct strparser *strp)
+ return container_of(parser, struct sk_psock, parser);
+ }
+
+-static void sk_psock_verdict_apply(struct sk_psock *psock,
+- struct sk_buff *skb, int verdict)
++static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb)
+ {
+ struct sk_psock *psock_other;
+ struct sock *sk_other;
+ bool ingress;
+
++ sk_other = tcp_skb_bpf_redirect_fetch(skb);
++ if (unlikely(!sk_other)) {
++ kfree_skb(skb);
++ return;
++ }
++ psock_other = sk_psock(sk_other);
++ if (!psock_other || sock_flag(sk_other, SOCK_DEAD) ||
++ !sk_psock_test_state(psock_other, SK_PSOCK_TX_ENABLED)) {
++ kfree_skb(skb);
++ return;
++ }
++
++ ingress = tcp_skb_bpf_ingress(skb);
++ if ((!ingress && sock_writeable(sk_other)) ||
++ (ingress &&
++ atomic_read(&sk_other->sk_rmem_alloc) <=
++ sk_other->sk_rcvbuf)) {
++ if (!ingress)
++ skb_set_owner_w(skb, sk_other);
++ skb_queue_tail(&psock_other->ingress_skb, skb);
++ schedule_work(&psock_other->work);
++ } else {
++ kfree_skb(skb);
++ }
++}
++
++static void sk_psock_verdict_apply(struct sk_psock *psock,
++ struct sk_buff *skb, int verdict)
++{
++ struct sock *sk_other;
++
+ switch (verdict) {
+ case __SK_PASS:
+ sk_other = psock->sk;
+@@ -707,25 +737,8 @@ static void sk_psock_verdict_apply(struct sk_psock *psock,
+ }
+ goto out_free;
+ case __SK_REDIRECT:
+- sk_other = tcp_skb_bpf_redirect_fetch(skb);
+- if (unlikely(!sk_other))
+- goto out_free;
+- psock_other = sk_psock(sk_other);
+- if (!psock_other || sock_flag(sk_other, SOCK_DEAD) ||
+- !sk_psock_test_state(psock_other, SK_PSOCK_TX_ENABLED))
+- goto out_free;
+- ingress = tcp_skb_bpf_ingress(skb);
+- if ((!ingress && sock_writeable(sk_other)) ||
+- (ingress &&
+- atomic_read(&sk_other->sk_rmem_alloc) <=
+- sk_other->sk_rcvbuf)) {
+- if (!ingress)
+- skb_set_owner_w(skb, sk_other);
+- skb_queue_tail(&psock_other->ingress_skb, skb);
+- schedule_work(&psock_other->work);
+- break;
+- }
+- /* fall-through */
++ sk_psock_skb_redirect(psock, skb);
++ break;
+ case __SK_DROP:
+ /* fall-through */
+ default:
+--
+2.25.1
+
--- /dev/null
+From f8502a99f90a498468d64398b0758a0d1181de69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 17:28:04 -0700
+Subject: bpf, riscv: Fix tail call count off by one in RV32 BPF JIT
+
+From: Luke Nelson <lukenels@cs.washington.edu>
+
+[ Upstream commit 745abfaa9eafa597d31fdf24a3249e5206a98768 ]
+
+This patch fixes an off by one error in the RV32 JIT handling for BPF
+tail call. Currently, the code decrements TCC before checking if it
+is less than zero. This limits the maximum number of tail calls to 32
+instead of 33 as in other JITs. The fix is to instead check the old
+value of TCC before decrementing.
+
+Fixes: 5f316b65e99f ("riscv, bpf: Add RV32G eBPF JIT")
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Xi Wang <xi.wang@gmail.com>
+Link: https://lore.kernel.org/bpf/20200421002804.5118-1-luke.r.nels@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp32.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/net/bpf_jit_comp32.c b/arch/riscv/net/bpf_jit_comp32.c
+index 302934177760..11083d4d5f2d 100644
+--- a/arch/riscv/net/bpf_jit_comp32.c
++++ b/arch/riscv/net/bpf_jit_comp32.c
+@@ -770,12 +770,13 @@ static int emit_bpf_tail_call(int insn, struct rv_jit_context *ctx)
+ emit_bcc(BPF_JGE, lo(idx_reg), RV_REG_T1, off, ctx);
+
+ /*
+- * if ((temp_tcc = tcc - 1) < 0)
++ * temp_tcc = tcc - 1;
++ * if (tcc < 0)
+ * goto out;
+ */
+ emit(rv_addi(RV_REG_T1, RV_REG_TCC, -1), ctx);
+ off = (tc_ninsn - (ctx->ninsns - start_insn)) << 2;
+- emit_bcc(BPF_JSLT, RV_REG_T1, RV_REG_ZERO, off, ctx);
++ emit_bcc(BPF_JSLT, RV_REG_TCC, RV_REG_ZERO, off, ctx);
+
+ /*
+ * prog = array->ptrs[index];
+--
+2.25.1
+
--- /dev/null
+From 36f53e73049b12ab334e97d4adb0b2d327e3f05e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 05:03:08 -0500
+Subject: brcmfmac: fix WPA/WPA2-PSK 4-way handshake offload and SAE offload
+ failures
+
+From: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+
+[ Upstream commit b2fe11f0777311a764e47e2f9437809b4673b7b1 ]
+
+An incorrect value of use_fwsup is set for 4-way handshake offload for
+WPA//WPA2-PSK, caused by commit 3b1e0a7bdfee ("brcmfmac: add support for
+SAE authentication offload"). It results in missing bit
+BRCMF_VIF_STATUS_EAP_SUCCESS set in brcmf_is_linkup() and causes the
+failure. This patch correct the value for the case.
+
+Also setting bit BRCMF_VIF_STATUS_EAP_SUCCESS for SAE offload case in
+brcmf_is_linkup() to fix SAE offload failure.
+
+Fixes: 3b1e0a7bdfee ("brcmfmac: add support for SAE authentication offload")
+Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1589277788-119966-1-git-send-email-chi-hsien.lin@cypress.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 2ba165330038..bacd762cdf3e 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -1819,6 +1819,10 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
+ switch (sme->crypto.akm_suites[0]) {
+ case WLAN_AKM_SUITE_SAE:
+ val = WPA3_AUTH_SAE_PSK;
++ if (sme->crypto.sae_pwd) {
++ brcmf_dbg(INFO, "using SAE offload\n");
++ profile->use_fwsup = BRCMF_PROFILE_FWSUP_SAE;
++ }
+ break;
+ default:
+ bphy_err(drvr, "invalid cipher group (%d)\n",
+@@ -2104,11 +2108,6 @@ brcmf_cfg80211_connect(struct wiphy *wiphy, struct net_device *ndev,
+ goto done;
+ }
+
+- if (sme->crypto.sae_pwd) {
+- brcmf_dbg(INFO, "using SAE offload\n");
+- profile->use_fwsup = BRCMF_PROFILE_FWSUP_SAE;
+- }
+-
+ if (sme->crypto.psk &&
+ profile->use_fwsup != BRCMF_PROFILE_FWSUP_SAE) {
+ if (WARN_ON(profile->use_fwsup != BRCMF_PROFILE_FWSUP_NONE)) {
+@@ -5495,7 +5494,8 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
+ u32 event = e->event_code;
+ u32 status = e->status;
+
+- if (vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_PSK &&
++ if ((vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_PSK ||
++ vif->profile.use_fwsup == BRCMF_PROFILE_FWSUP_SAE) &&
+ event == BRCMF_E_PSK_SUP &&
+ status == BRCMF_E_STATUS_FWSUP_COMPLETED)
+ set_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
+--
+2.25.1
+
--- /dev/null
+From b5bee4de307b89742ef9a524da7ef44d32f771ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2020 14:25:28 +0900
+Subject: brcmfmac: fix wrong location to get firmware feature
+
+From: Jaehoon Chung <jh80.chung@samsung.com>
+
+[ Upstream commit c57673852062428cdeabdd6501ac8b8e4c302067 ]
+
+sup_wpa feature is getting after setting feature_disable flag.
+If firmware is supported sup_wpa feature, it's always enabled
+regardless of feature_disable flag.
+
+Fixes: b8a64f0e96c2 ("brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK")
+Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200330052528.10503-1-jh80.chung@samsung.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+index 5da0dda0d899..0dcefbd0c000 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -285,13 +285,14 @@ void brcmf_feat_attach(struct brcmf_pub *drvr)
+ if (!err)
+ ifp->drvr->feat_flags |= BIT(BRCMF_FEAT_SCAN_RANDOM_MAC);
+
++ brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa");
++
+ if (drvr->settings->feature_disable) {
+ brcmf_dbg(INFO, "Features: 0x%02x, disable: 0x%02x\n",
+ ifp->drvr->feat_flags,
+ drvr->settings->feature_disable);
+ ifp->drvr->feat_flags &= ~drvr->settings->feature_disable;
+ }
+- brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa");
+
+ brcmf_feat_firmware_overrides(drvr);
+
+--
+2.25.1
+
--- /dev/null
+From 6474a793db96a0a53392f0ab3cd7bbd2f3aff0a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2020 15:58:07 -0400
+Subject: btrfs: account for trans_block_rsv in may_commit_transaction
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit bb4f58a747f0421b10645fbf75a6acc88da0de50 ]
+
+On ppc64le with 64k page size (respectively 64k block size) generic/320
+was failing and debug output showed we were getting a premature ENOSPC
+with a bunch of space in btrfs_fs_info::trans_block_rsv.
+
+This meant there were still open transaction handles holding space, yet
+the flusher didn't commit the transaction because it deemed the freed
+space won't be enough to satisfy the current reserve ticket. Fix this
+by accounting for space in trans_block_rsv when deciding whether the
+current transaction should be committed or not.
+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Tested-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index ff17a4420358..3c0e9999bfd7 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -626,6 +626,7 @@ static int may_commit_transaction(struct btrfs_fs_info *fs_info,
+ struct reserve_ticket *ticket = NULL;
+ struct btrfs_block_rsv *delayed_rsv = &fs_info->delayed_block_rsv;
+ struct btrfs_block_rsv *delayed_refs_rsv = &fs_info->delayed_refs_rsv;
++ struct btrfs_block_rsv *trans_rsv = &fs_info->trans_block_rsv;
+ struct btrfs_trans_handle *trans;
+ u64 bytes_needed;
+ u64 reclaim_bytes = 0;
+@@ -688,6 +689,11 @@ static int may_commit_transaction(struct btrfs_fs_info *fs_info,
+ spin_lock(&delayed_refs_rsv->lock);
+ reclaim_bytes += delayed_refs_rsv->reserved;
+ spin_unlock(&delayed_refs_rsv->lock);
++
++ spin_lock(&trans_rsv->lock);
++ reclaim_bytes += trans_rsv->reserved;
++ spin_unlock(&trans_rsv->lock);
++
+ if (reclaim_bytes >= bytes_needed)
+ goto commit;
+ bytes_needed -= reclaim_bytes;
+--
+2.25.1
+
--- /dev/null
+From 3ea0cb515e470928fc8d3082be3529a2687496bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 12:15:09 +0100
+Subject: btrfs: do not ignore error from btrfs_next_leaf() when inserting
+ checksums
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 7e4a3f7ed5d54926ec671bbb13e171cfe179cc50 ]
+
+We are currently treating any non-zero return value from btrfs_next_leaf()
+the same way, by going to the code that inserts a new checksum item in the
+tree. However if btrfs_next_leaf() returns an error (a value < 0), we
+should just stop and return the error, and not behave as if nothing has
+happened, since in that case we do not have a way to know if there is a
+next leaf or we are currently at the last leaf already.
+
+So fix that by returning the error from btrfs_next_leaf().
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/file-item.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c
+index b618ad5339ba..a88a8bf4b12c 100644
+--- a/fs/btrfs/file-item.c
++++ b/fs/btrfs/file-item.c
+@@ -887,10 +887,12 @@ again:
+ nritems = btrfs_header_nritems(path->nodes[0]);
+ if (!nritems || (path->slots[0] >= nritems - 1)) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret == 1)
++ if (ret < 0) {
++ goto out;
++ } else if (ret > 0) {
+ found_next = 1;
+- if (ret != 0)
+ goto insert;
++ }
+ slot = path->slots[0];
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &found_key, slot);
+--
+2.25.1
+
--- /dev/null
+From 1a6edb1a9549c015d42984e167bdd532f57f1f11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2020 15:58:05 -0400
+Subject: btrfs: improve global reserve stealing logic
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 7f9fe614407692f670601a634621138233ac00d7 ]
+
+For unlink transactions and block group removal
+btrfs_start_transaction_fallback_global_rsv will first try to start an
+ordinary transaction and if it fails it will fall back to reserving the
+required amount by stealing from the global reserve. This is problematic
+because of all the same reasons we had with previous iterations of the
+ENOSPC handling, thundering herd. We get a bunch of failures all at
+once, everybody tries to allocate from the global reserve, some win and
+some lose, we get an ENSOPC.
+
+Fix this behavior by introducing BTRFS_RESERVE_FLUSH_ALL_STEAL. It's
+used to mark unlink reservation. To fix this we need to integrate this
+logic into the normal ENOSPC infrastructure. We still go through all of
+the normal flushing work, and at the moment we begin to fail all the
+tickets we try to satisfy any tickets that are allowed to steal by
+stealing from the global reserve. If this works we start the flushing
+system over again just like we would with a normal ticket satisfaction.
+This serializes our global reserve stealing, so we don't have the
+thundering herd problem.
+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Tested-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.c | 2 +-
+ fs/btrfs/ctree.h | 1 +
+ fs/btrfs/inode.c | 2 +-
+ fs/btrfs/space-info.c | 37 ++++++++++++++++++++++++++++++++++++-
+ fs/btrfs/space-info.h | 1 +
+ fs/btrfs/transaction.c | 42 +++++-------------------------------------
+ fs/btrfs/transaction.h | 3 +--
+ 7 files changed, 46 insertions(+), 42 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 696f47103cfc..233c5663f233 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -1175,7 +1175,7 @@ struct btrfs_trans_handle *btrfs_start_trans_remove_block_group(
+ free_extent_map(em);
+
+ return btrfs_start_transaction_fallback_global_rsv(fs_info->extent_root,
+- num_items, 1);
++ num_items);
+ }
+
+ /*
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 8aa7b9dac405..3510e33706c1 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2512,6 +2512,7 @@ enum btrfs_reserve_flush_enum {
+ BTRFS_RESERVE_FLUSH_LIMIT,
+ BTRFS_RESERVE_FLUSH_EVICT,
+ BTRFS_RESERVE_FLUSH_ALL,
++ BTRFS_RESERVE_FLUSH_ALL_STEAL,
+ };
+
+ enum btrfs_flush_state {
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 320d1062068d..259239b33370 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -3618,7 +3618,7 @@ static struct btrfs_trans_handle *__unlink_start_trans(struct inode *dir)
+ * 1 for the inode ref
+ * 1 for the inode
+ */
+- return btrfs_start_transaction_fallback_global_rsv(root, 5, 5);
++ return btrfs_start_transaction_fallback_global_rsv(root, 5);
+ }
+
+ static int btrfs_unlink(struct inode *dir, struct dentry *dentry)
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 3c0e9999bfd7..eee6748c49e4 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -862,6 +862,34 @@ static inline int need_do_async_reclaim(struct btrfs_fs_info *fs_info,
+ !test_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state));
+ }
+
++static bool steal_from_global_rsv(struct btrfs_fs_info *fs_info,
++ struct btrfs_space_info *space_info,
++ struct reserve_ticket *ticket)
++{
++ struct btrfs_block_rsv *global_rsv = &fs_info->global_block_rsv;
++ u64 min_bytes;
++
++ if (global_rsv->space_info != space_info)
++ return false;
++
++ spin_lock(&global_rsv->lock);
++ min_bytes = div_factor(global_rsv->size, 5);
++ if (global_rsv->reserved < min_bytes + ticket->bytes) {
++ spin_unlock(&global_rsv->lock);
++ return false;
++ }
++ global_rsv->reserved -= ticket->bytes;
++ ticket->bytes = 0;
++ list_del_init(&ticket->list);
++ wake_up(&ticket->wait);
++ space_info->tickets_id++;
++ if (global_rsv->reserved < global_rsv->size)
++ global_rsv->full = 0;
++ spin_unlock(&global_rsv->lock);
++
++ return true;
++}
++
+ /*
+ * maybe_fail_all_tickets - we've exhausted our flushing, start failing tickets
+ * @fs_info - fs_info for this fs
+@@ -894,6 +922,10 @@ static bool maybe_fail_all_tickets(struct btrfs_fs_info *fs_info,
+ ticket = list_first_entry(&space_info->tickets,
+ struct reserve_ticket, list);
+
++ if (ticket->steal &&
++ steal_from_global_rsv(fs_info, space_info, ticket))
++ return true;
++
+ /*
+ * may_commit_transaction will avoid committing the transaction
+ * if it doesn't feel like the space reclaimed by the commit
+@@ -1110,6 +1142,7 @@ static int handle_reserve_ticket(struct btrfs_fs_info *fs_info,
+
+ switch (flush) {
+ case BTRFS_RESERVE_FLUSH_ALL:
++ case BTRFS_RESERVE_FLUSH_ALL_STEAL:
+ wait_reserve_ticket(fs_info, space_info, ticket);
+ break;
+ case BTRFS_RESERVE_FLUSH_LIMIT:
+@@ -1209,7 +1242,9 @@ static int __reserve_metadata_bytes(struct btrfs_fs_info *fs_info,
+ ticket.error = 0;
+ space_info->reclaim_size += ticket.bytes;
+ init_waitqueue_head(&ticket.wait);
+- if (flush == BTRFS_RESERVE_FLUSH_ALL) {
++ ticket.steal = (flush == BTRFS_RESERVE_FLUSH_ALL_STEAL);
++ if (flush == BTRFS_RESERVE_FLUSH_ALL ||
++ flush == BTRFS_RESERVE_FLUSH_ALL_STEAL) {
+ list_add_tail(&ticket.list, &space_info->tickets);
+ if (!space_info->flush) {
+ space_info->flush = 1;
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index 0a5001ef1481..c3c64019950a 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -78,6 +78,7 @@ struct btrfs_space_info {
+ struct reserve_ticket {
+ u64 bytes;
+ int error;
++ bool steal;
+ struct list_head list;
+ wait_queue_head_t wait;
+ };
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 2d5498136e5e..b5da5d8342dc 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -563,7 +563,8 @@ start_transaction(struct btrfs_root *root, unsigned int num_items,
+ * refill that amount for whatever is missing in the reserve.
+ */
+ num_bytes = btrfs_calc_insert_metadata_size(fs_info, num_items);
+- if (delayed_refs_rsv->full == 0) {
++ if (flush == BTRFS_RESERVE_FLUSH_ALL &&
++ delayed_refs_rsv->full == 0) {
+ delayed_refs_bytes = num_bytes;
+ num_bytes <<= 1;
+ }
+@@ -699,43 +700,10 @@ struct btrfs_trans_handle *btrfs_start_transaction(struct btrfs_root *root,
+
+ struct btrfs_trans_handle *btrfs_start_transaction_fallback_global_rsv(
+ struct btrfs_root *root,
+- unsigned int num_items,
+- int min_factor)
++ unsigned int num_items)
+ {
+- struct btrfs_fs_info *fs_info = root->fs_info;
+- struct btrfs_trans_handle *trans;
+- u64 num_bytes;
+- int ret;
+-
+- /*
+- * We have two callers: unlink and block group removal. The
+- * former should succeed even if we will temporarily exceed
+- * quota and the latter operates on the extent root so
+- * qgroup enforcement is ignored anyway.
+- */
+- trans = start_transaction(root, num_items, TRANS_START,
+- BTRFS_RESERVE_FLUSH_ALL, false);
+- if (!IS_ERR(trans) || PTR_ERR(trans) != -ENOSPC)
+- return trans;
+-
+- trans = btrfs_start_transaction(root, 0);
+- if (IS_ERR(trans))
+- return trans;
+-
+- num_bytes = btrfs_calc_insert_metadata_size(fs_info, num_items);
+- ret = btrfs_cond_migrate_bytes(fs_info, &fs_info->trans_block_rsv,
+- num_bytes, min_factor);
+- if (ret) {
+- btrfs_end_transaction(trans);
+- return ERR_PTR(ret);
+- }
+-
+- trans->block_rsv = &fs_info->trans_block_rsv;
+- trans->bytes_reserved = num_bytes;
+- trace_btrfs_space_reservation(fs_info, "transaction",
+- trans->transid, num_bytes, 1);
+-
+- return trans;
++ return start_transaction(root, num_items, TRANS_START,
++ BTRFS_RESERVE_FLUSH_ALL_STEAL, false);
+ }
+
+ struct btrfs_trans_handle *btrfs_join_transaction(struct btrfs_root *root)
+diff --git a/fs/btrfs/transaction.h b/fs/btrfs/transaction.h
+index 31ae8d273065..bf102e64bfb2 100644
+--- a/fs/btrfs/transaction.h
++++ b/fs/btrfs/transaction.h
+@@ -193,8 +193,7 @@ struct btrfs_trans_handle *btrfs_start_transaction(struct btrfs_root *root,
+ unsigned int num_items);
+ struct btrfs_trans_handle *btrfs_start_transaction_fallback_global_rsv(
+ struct btrfs_root *root,
+- unsigned int num_items,
+- int min_factor);
++ unsigned int num_items);
+ struct btrfs_trans_handle *btrfs_join_transaction(struct btrfs_root *root);
+ struct btrfs_trans_handle *btrfs_join_transaction_spacecache(struct btrfs_root *root);
+ struct btrfs_trans_handle *btrfs_join_transaction_nostart(struct btrfs_root *root);
+--
+2.25.1
+
--- /dev/null
+From f500b2f0039450b788b60904d1b407f6a794ef65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2020 14:37:35 +0800
+Subject: btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot
+ to a new qgroup
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit cbab8ade585a18c4334b085564d9d046e01a3f70 ]
+
+[BUG]
+For the following operation, qgroup is guaranteed to be screwed up due
+to snapshot adding to a new qgroup:
+
+ # mkfs.btrfs -f $dev
+ # mount $dev $mnt
+ # btrfs qgroup en $mnt
+ # btrfs subv create $mnt/src
+ # xfs_io -f -c "pwrite 0 1m" $mnt/src/file
+ # sync
+ # btrfs qgroup create 1/0 $mnt/src
+ # btrfs subv snapshot -i 1/0 $mnt/src $mnt/snapshot
+ # btrfs qgroup show -prce $mnt/src
+ qgroupid rfer excl max_rfer max_excl parent child
+ -------- ---- ---- -------- -------- ------ -----
+ 0/5 16.00KiB 16.00KiB none none --- ---
+ 0/257 1.02MiB 16.00KiB none none --- ---
+ 0/258 1.02MiB 16.00KiB none none 1/0 ---
+ 1/0 0.00B 0.00B none none --- 0/258
+ ^^^^^^^^^^^^^^^^^^^^
+
+[CAUSE]
+The problem is in btrfs_qgroup_inherit(), we don't have good enough
+check to determine if the new relation would break the existing
+accounting.
+
+Unlike btrfs_add_qgroup_relation(), which has proper check to determine
+if we can do quick update without a rescan, in btrfs_qgroup_inherit() we
+can even assign a snapshot to multiple qgroups.
+
+[FIX]
+Fix it by manually marking qgroup inconsistent for snapshot inheritance.
+
+For subvolume creation, since all its extents are exclusively owned, we
+don't need to rescan.
+
+In theory, we should call relation check like quick_update_accounting()
+when doing qgroup inheritance and inform user about qgroup accounting
+inconsistency.
+
+But we don't have good mechanism to relay that back to the user in the
+snapshot creation context, thus we can only silently mark the qgroup
+inconsistent.
+
+Anyway, user shouldn't use qgroup inheritance during snapshot creation,
+and should add qgroup relationship after snapshot creation by 'btrfs
+qgroup assign', which has a much better UI to inform user about qgroup
+inconsistent and kick in rescan automatically.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index c3888fb367e7..5bd4089ad0e1 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2622,6 +2622,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ struct btrfs_root *quota_root;
+ struct btrfs_qgroup *srcgroup;
+ struct btrfs_qgroup *dstgroup;
++ bool need_rescan = false;
+ u32 level_size = 0;
+ u64 nums;
+
+@@ -2765,6 +2766,13 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ goto unlock;
+ }
+ ++i_qgroups;
++
++ /*
++ * If we're doing a snapshot, and adding the snapshot to a new
++ * qgroup, the numbers are guaranteed to be incorrect.
++ */
++ if (srcid)
++ need_rescan = true;
+ }
+
+ for (i = 0; i < inherit->num_ref_copies; ++i, i_qgroups += 2) {
+@@ -2784,6 +2792,9 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+
+ dst->rfer = src->rfer - level_size;
+ dst->rfer_cmpr = src->rfer_cmpr - level_size;
++
++ /* Manually tweaking numbers certainly needs a rescan */
++ need_rescan = true;
+ }
+ for (i = 0; i < inherit->num_excl_copies; ++i, i_qgroups += 2) {
+ struct btrfs_qgroup *src;
+@@ -2802,6 +2813,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+
+ dst->excl = src->excl + level_size;
+ dst->excl_cmpr = src->excl_cmpr + level_size;
++ need_rescan = true;
+ }
+
+ unlock:
+@@ -2809,6 +2821,8 @@ unlock:
+ out:
+ if (!committing)
+ mutex_unlock(&fs_info->qgroup_ioctl_lock);
++ if (need_rescan)
++ fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 64c14a3bf4b426f1aa46e674ada77743bb65431c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Mar 2020 12:53:02 -0700
+Subject: clocksource/drivers/timer-versatile: Clear OF_POPULATED flag
+
+From: Saravana Kannan <saravanak@google.com>
+
+[ Upstream commit 7a3768c206a006525afc090f92d4d618d8356b92 ]
+
+The commit 4f41fe386a94 ("clocksource/drivers/timer-probe: Avoid
+creating dead devices") broke the handling of arm,vexpress-sysreg [1].
+
+The arm,vexpress-sysreg device is handled by both timer-versatile.c and
+drivers/mfd/vexpress-sysreg.c. While the timer driver doesn't use the
+device, the mfd driver still needs a device to probe.
+
+So, this patch clears the OF_POPULATED flag to continue creating the
+device.
+
+[1] - https://lore.kernel.org/lkml/20200324175955.GA16972@arm.com/
+
+Fixes: 4f41fe386a94 ("clocksource/drivers/timer-probe: Avoid creating dead devices")
+Signed-off-by: Saravana Kannan <saravanak@google.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200324195302.203115-1-saravanak@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-versatile.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/clocksource/timer-versatile.c b/drivers/clocksource/timer-versatile.c
+index e4ebb656d005..f5d017b31afa 100644
+--- a/drivers/clocksource/timer-versatile.c
++++ b/drivers/clocksource/timer-versatile.c
+@@ -6,6 +6,7 @@
+
+ #include <linux/clocksource.h>
+ #include <linux/io.h>
++#include <linux/of.h>
+ #include <linux/of_address.h>
+ #include <linux/sched_clock.h>
+
+@@ -22,6 +23,8 @@ static int __init versatile_sched_clock_init(struct device_node *node)
+ {
+ void __iomem *base = of_iomap(node, 0);
+
++ of_node_clear_flag(node, OF_POPULATED);
++
+ if (!base)
+ return -ENXIO;
+
+--
+2.25.1
+
--- /dev/null
+From 0ae635fdb2a03501b9d5a4daa8f332207a3addee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 23:48:13 +0300
+Subject: clocksource: dw_apb_timer: Make CPU-affiliation being optional
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit cee43dbf2ee3f430434e2b66994eff8a1aeda889 ]
+
+Currently the DW APB Timer driver binds each clockevent timers to a
+particular CPU. This isn't good for multiple reasons. First of all seeing
+the device is placed on APB bus (which makes it accessible from any CPU
+core), accessible over MMIO and having the DYNIRQ flag set we can be sure
+that manually binding the timer to any CPU just isn't correct. By doing
+so we just set an extra limitation on device usage. This also doesn't
+reflect the device actual capability, since by setting the IRQ affinity
+we can make it virtually local to any CPU. Secondly imagine if you had a
+real CPU-local timer with the same rating and the same CPU-affinity.
+In this case if DW APB timer was registered first, then due to the
+clockevent framework tick-timer selection procedure we'll end up with the
+real CPU-local timer being left unselected for clock-events tracking. But
+on most of the platforms (MIPS/ARM/etc) such timers are normally embedded
+into the CPU core and are accessible with much better performance then
+devices placed on APB. For instance in MIPS architectures there is
+r4k-timer, which is CPU-local, assigned with the same rating, and normally
+its clockevent device is registered after the platform-specific one.
+
+So in order to fix all of these issues let's make the DW APB Timer CPU
+affinity being optional and deactivated by passing a negative CPU id,
+which will effectively set the DW APB clockevent timer cpumask to
+'cpu_possible_mask'.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-rtc@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200521204818.25436-5-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/dw_apb_timer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clocksource/dw_apb_timer.c b/drivers/clocksource/dw_apb_timer.c
+index b207a77b0831..f5f24a95ee82 100644
+--- a/drivers/clocksource/dw_apb_timer.c
++++ b/drivers/clocksource/dw_apb_timer.c
+@@ -222,7 +222,8 @@ static int apbt_next_event(unsigned long delta,
+ /**
+ * dw_apb_clockevent_init() - use an APB timer as a clock_event_device
+ *
+- * @cpu: The CPU the events will be targeted at.
++ * @cpu: The CPU the events will be targeted at or -1 if CPU affiliation
++ * isn't required.
+ * @name: The name used for the timer and the IRQ for it.
+ * @rating: The rating to give the timer.
+ * @base: I/O base for the timer registers.
+@@ -257,7 +258,7 @@ dw_apb_clockevent_init(int cpu, const char *name, unsigned rating,
+ dw_ced->ced.max_delta_ticks = 0x7fffffff;
+ dw_ced->ced.min_delta_ns = clockevent_delta2ns(5000, &dw_ced->ced);
+ dw_ced->ced.min_delta_ticks = 5000;
+- dw_ced->ced.cpumask = cpumask_of(cpu);
++ dw_ced->ced.cpumask = cpu < 0 ? cpu_possible_mask : cpumask_of(cpu);
+ dw_ced->ced.features = CLOCK_EVT_FEAT_PERIODIC |
+ CLOCK_EVT_FEAT_ONESHOT | CLOCK_EVT_FEAT_DYNIRQ;
+ dw_ced->ced.set_state_shutdown = apbt_shutdown;
+--
+2.25.1
+
--- /dev/null
+From 73776ece2b43d6cdee4559223ce4af0028338e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 23:48:15 +0300
+Subject: clocksource: dw_apb_timer_of: Fix missing clockevent timers
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 6d2e16a3181bafb77b535095c39ad1c8b9558c8c ]
+
+Commit 100214889973 ("clocksource: dw_apb_timer_of: use
+clocksource_of_init") replaced a publicly available driver
+initialization method with one called by the timer_probe() method
+available after CLKSRC_OF. In current implementation it traverses
+all the timers available in the system and calls their initialization
+methods if corresponding devices were either in dtb or in acpi. But
+if before the commit any number of available timers would be installed
+as clockevent and clocksource devices, after that there would be at most
+two. The rest are just ignored since default case branch doesn't do
+anything. I don't see a reason of such behaviour, neither the commit
+message explains it. Moreover this might be wrong if on some platforms
+these timers might be used for different purpose, as virtually CPU-local
+clockevent timers and as an independent broadcast timer. So in order
+to keep the compatibility with the platforms where the order of the
+timers detection has some meaning, lets add the secondly discovered
+timer to be of clocksource/sched_clock type, while the very first and
+the others would provide the clockevents service.
+
+Fixes: 100214889973 ("clocksource: dw_apb_timer_of: use clocksource_of_init")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-rtc@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200521204818.25436-7-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/dw_apb_timer_of.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clocksource/dw_apb_timer_of.c b/drivers/clocksource/dw_apb_timer_of.c
+index 8c28b127759f..6921b91b61ef 100644
+--- a/drivers/clocksource/dw_apb_timer_of.c
++++ b/drivers/clocksource/dw_apb_timer_of.c
+@@ -147,10 +147,6 @@ static int num_called;
+ static int __init dw_apb_timer_init(struct device_node *timer)
+ {
+ switch (num_called) {
+- case 0:
+- pr_debug("%s: found clockevent timer\n", __func__);
+- add_clockevent(timer);
+- break;
+ case 1:
+ pr_debug("%s: found clocksource timer\n", __func__);
+ add_clocksource(timer);
+@@ -161,6 +157,8 @@ static int __init dw_apb_timer_init(struct device_node *timer)
+ #endif
+ break;
+ default:
++ pr_debug("%s: found clockevent timer\n", __func__);
++ add_clockevent(timer);
+ break;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 7ebea88038db551693fda4ff6490f0d6a141cee5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 May 2020 00:22:25 +0200
+Subject: cpufreq: qcom: fix wrong compatible binding
+
+From: Ansuel Smith <ansuelsmth@gmail.com>
+
+[ Upstream commit 2dea651680cea1f3a29925de51002f33d1f55711 ]
+
+Binding in Documentation is still "operating-points-v2-kryo-cpu".
+Restore the old binding to fix the compatibility problem.
+
+Fixes: a8811ec764f9 ("cpufreq: qcom: Add support for krait based socs")
+Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/qcom-cpufreq-nvmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/qcom-cpufreq-nvmem.c b/drivers/cpufreq/qcom-cpufreq-nvmem.c
+index a1b8238872a2..d06b37822c3d 100644
+--- a/drivers/cpufreq/qcom-cpufreq-nvmem.c
++++ b/drivers/cpufreq/qcom-cpufreq-nvmem.c
+@@ -277,7 +277,7 @@ static int qcom_cpufreq_probe(struct platform_device *pdev)
+ if (!np)
+ return -ENOENT;
+
+- ret = of_device_is_compatible(np, "operating-points-v2-qcom-cpu");
++ ret = of_device_is_compatible(np, "operating-points-v2-kryo-cpu");
+ if (!ret) {
+ of_node_put(np);
+ return -ENOENT;
+--
+2.25.1
+
--- /dev/null
+From 5142f2c397c3742de6468f91574f60eb678b94df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 13:20:46 -0500
+Subject: cpuidle: Fix three reference count leaks
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit c343bf1ba5efcbf2266a1fe3baefec9cc82f867f ]
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object.
+
+Previous commit "b8eb718348b8" fixed a similar problem.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/sysfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
+index cdeedbf02646..55107565b319 100644
+--- a/drivers/cpuidle/sysfs.c
++++ b/drivers/cpuidle/sysfs.c
+@@ -515,7 +515,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device)
+ ret = kobject_init_and_add(&kobj->kobj, &ktype_state_cpuidle,
+ &kdev->kobj, "state%d", i);
+ if (ret) {
+- kfree(kobj);
++ kobject_put(&kobj->kobj);
+ goto error_state;
+ }
+ cpuidle_add_s2idle_attr_group(kobj);
+@@ -646,7 +646,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev)
+ ret = kobject_init_and_add(&kdrv->kobj, &ktype_driver_cpuidle,
+ &kdev->kobj, "driver");
+ if (ret) {
+- kfree(kdrv);
++ kobject_put(&kdrv->kobj);
+ return ret;
+ }
+
+@@ -740,7 +740,7 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ error = kobject_init_and_add(&kdev->kobj, &ktype_cpuidle, &cpu_dev->kobj,
+ "cpuidle");
+ if (error) {
+- kfree(kdev);
++ kobject_put(&kdev->kobj);
+ return error;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 488604e1df4cffe90ff5088c4886bbeac1285e7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2020 15:33:46 +0200
+Subject: cpuidle: psci: Fixup execution order when entering a domain idle
+ state
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit 8b7ce5e49049ca78c238f03d70569a73da049f32 ]
+
+Moving forward, platforms are going to need to execute specific "last-man"
+operations before a domain idle state can be entered. In one way or the
+other, these operations needs to be triggered while walking the
+hierarchical topology via runtime PM and genpd, as it's at that point the
+last-man becomes known.
+
+Moreover, executing last-man operations needs to be done after the CPU PM
+notifications are sent through cpu_pm_enter(), as otherwise it's likely
+that some notifications would fail. Therefore, let's re-order the sequence
+in psci_enter_domain_idle_state(), so cpu_pm_enter() gets called prior
+pm_runtime_put_sync().
+
+Fixes: ce85aef570df ("cpuidle: psci: Manage runtime PM in the idle path")
+Reported-by: Lina Iyer <ilina@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/cpuidle-psci.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpuidle/cpuidle-psci.c b/drivers/cpuidle/cpuidle-psci.c
+index bae9140a65a5..d0fb585073c6 100644
+--- a/drivers/cpuidle/cpuidle-psci.c
++++ b/drivers/cpuidle/cpuidle-psci.c
+@@ -58,6 +58,10 @@ static int psci_enter_domain_idle_state(struct cpuidle_device *dev,
+ u32 state;
+ int ret;
+
++ ret = cpu_pm_enter();
++ if (ret)
++ return -1;
++
+ /* Do runtime PM to manage a hierarchical CPU toplogy. */
+ pm_runtime_put_sync_suspend(pd_dev);
+
+@@ -65,10 +69,12 @@ static int psci_enter_domain_idle_state(struct cpuidle_device *dev,
+ if (!state)
+ state = states[idx];
+
+- ret = psci_enter_state(idx, state);
++ ret = psci_cpu_suspend_enter(state) ? -1 : idx;
+
+ pm_runtime_get_sync(pd_dev);
+
++ cpu_pm_exit();
++
+ /* Clear the domain state to start fresh when back from idle. */
+ psci_set_domain_state(0);
+ return ret;
+--
+2.25.1
+
--- /dev/null
+From c39444d5478fd7e720754e124513ac441980100b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 15:53:45 +0200
+Subject: crypto: blake2b - Fix clang optimization for ARMv7-M
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 0c0408e86dbe8f44d4b27bf42130e8ac905361d6 ]
+
+When building for ARMv7-M, clang-9 or higher tries to unroll some loops,
+which ends up confusing the register allocator to the point of generating
+rather bad code and using more than the warning limit for stack frames:
+
+warning: stack frame size of 1200 bytes in function 'blake2b_compress' [-Wframe-larger-than=]
+
+Forcing it to not unroll the final loop avoids this problem.
+
+Fixes: 91d689337fe8 ("crypto: blake2b - add blake2b generic implementation")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/blake2b_generic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/blake2b_generic.c b/crypto/blake2b_generic.c
+index 1d262374fa4e..0ffd8d92e308 100644
+--- a/crypto/blake2b_generic.c
++++ b/crypto/blake2b_generic.c
+@@ -129,7 +129,9 @@ static void blake2b_compress(struct blake2b_state *S,
+ ROUND(9);
+ ROUND(10);
+ ROUND(11);
+-
++#ifdef CONFIG_CC_IS_CLANG
++#pragma nounroll /* https://bugs.llvm.org/show_bug.cgi?id=45803 */
++#endif
+ for (i = 0; i < 8; ++i)
+ S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
+ }
+--
+2.25.1
+
--- /dev/null
+From 89bcde0b604e6882895cc9c45643283d56a2126f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2020 18:26:48 +0200
+Subject: crypto: ccp -- don't "select" CONFIG_DMADEVICES
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit eebac678556d6927f09a992872f4464cf3aecc76 ]
+
+DMADEVICES is the top-level option for the slave DMA
+subsystem, and should not be selected by device drivers,
+as this can cause circular dependencies such as:
+
+drivers/net/ethernet/freescale/Kconfig:6:error: recursive dependency detected!
+drivers/net/ethernet/freescale/Kconfig:6: symbol NET_VENDOR_FREESCALE depends on PPC_BESTCOMM
+drivers/dma/bestcomm/Kconfig:6: symbol PPC_BESTCOMM depends on DMADEVICES
+drivers/dma/Kconfig:6: symbol DMADEVICES is selected by CRYPTO_DEV_SP_CCP
+drivers/crypto/ccp/Kconfig:10: symbol CRYPTO_DEV_SP_CCP depends on CRYPTO
+crypto/Kconfig:16: symbol CRYPTO is selected by LIBCRC32C
+lib/Kconfig:222: symbol LIBCRC32C is selected by LIQUIDIO
+drivers/net/ethernet/cavium/Kconfig:65: symbol LIQUIDIO depends on PTP_1588_CLOCK
+drivers/ptp/Kconfig:8: symbol PTP_1588_CLOCK is implied by FEC
+drivers/net/ethernet/freescale/Kconfig:23: symbol FEC depends on NET_VENDOR_FREESCALE
+
+The LIQUIDIO driver causing this problem is addressed in a
+separate patch, but this change is needed to prevent it from
+happening again.
+
+Using "depends on DMADEVICES" is what we do for all other
+implementations of slave DMA controllers as well.
+
+Fixes: b3c2fee5d66b ("crypto: ccp - Ensure all dependencies are specified")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/ccp/Kconfig b/drivers/crypto/ccp/Kconfig
+index e0a8bd15aa74..32268e239bf1 100644
+--- a/drivers/crypto/ccp/Kconfig
++++ b/drivers/crypto/ccp/Kconfig
+@@ -10,10 +10,9 @@ config CRYPTO_DEV_CCP_DD
+ config CRYPTO_DEV_SP_CCP
+ bool "Cryptographic Coprocessor device"
+ default y
+- depends on CRYPTO_DEV_CCP_DD
++ depends on CRYPTO_DEV_CCP_DD && DMADEVICES
+ select HW_RANDOM
+ select DMA_ENGINE
+- select DMADEVICES
+ select CRYPTO_SHA1
+ select CRYPTO_SHA256
+ help
+--
+2.25.1
+
--- /dev/null
+From 13be261e70ee296af2c84833a7ed87718b64064b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 08:42:54 +0530
+Subject: Crypto/chcr: fix ctr, cbc, xts and rfc3686-ctr failed tests
+
+From: Devulapally Shiva Krishna <shiva@chelsio.com>
+
+[ Upstream commit 6b363a286cd01961423f5dcd648b265088ec56d0 ]
+
+This solves the following issues observed during self test when
+CONFIG_CRYPTO_MANAGER_EXTRA_TESTS is enabled.
+
+1. Added fallback for cbc, ctr and rfc3686 if req->nbytes is zero
+and for xts added a fallback case if req->nbytes is not multiple of 16.
+
+2. In case of cbc-aes, solved wrong iv update. When
+chcr_cipher_fallback() is called, used req->info pointer instead of
+reqctx->iv.
+
+3. In cbc-aes decryption there was a wrong result. This occurs when
+chcr_cipher_fallback() is called from chcr_handle_cipher_resp().
+In the fallback function iv(req->info) used is wrongly updated.
+So use the initial iv for this case.
+
+4)In case of ctr-aes encryption observed wrong result. In adjust_ctr_overflow()
+there is condition which checks if ((bytes / AES_BLOCK_SIZE) > c),
+where c is the number of blocks which can be processed without iv overflow,
+but for the above bytes (req->nbytes < 32 , not a multiple of 16) this
+condition fails and the 2nd block is corrupted as it requires the rollover iv.
+So added a '=' condition in this to take care of this.
+
+5)In rfc3686-ctr there was wrong result observed. This occurs when
+chcr_cipher_fallback() is called from chcr_handle_cipher_resp().
+Here also copying initial_iv in init_iv pointer for handling the fallback
+case correctly.
+
+Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com>
+Signed-off-by: Devulapally Shiva Krishna <shiva@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/chelsio/chcr_algo.c | 42 ++++++++++++++++++----------
+ drivers/crypto/chelsio/chcr_crypto.h | 1 +
+ 2 files changed, 29 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c
+index 5a2d9ee9348d..446fb896ee6d 100644
+--- a/drivers/crypto/chelsio/chcr_algo.c
++++ b/drivers/crypto/chelsio/chcr_algo.c
+@@ -1054,8 +1054,8 @@ static unsigned int adjust_ctr_overflow(u8 *iv, u32 bytes)
+ u32 temp = be32_to_cpu(*--b);
+
+ temp = ~temp;
+- c = (u64)temp + 1; // No of block can processed withou overflow
+- if ((bytes / AES_BLOCK_SIZE) > c)
++ c = (u64)temp + 1; // No of block can processed without overflow
++ if ((bytes / AES_BLOCK_SIZE) >= c)
+ bytes = c * AES_BLOCK_SIZE;
+ return bytes;
+ }
+@@ -1158,15 +1158,16 @@ static int chcr_final_cipher_iv(struct skcipher_request *req,
+ static int chcr_handle_cipher_resp(struct skcipher_request *req,
+ unsigned char *input, int err)
+ {
++ struct chcr_skcipher_req_ctx *reqctx = skcipher_request_ctx(req);
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+- struct chcr_context *ctx = c_ctx(tfm);
+- struct uld_ctx *u_ctx = ULD_CTX(c_ctx(tfm));
+- struct ablk_ctx *ablkctx = ABLK_CTX(c_ctx(tfm));
+- struct sk_buff *skb;
+ struct cpl_fw6_pld *fw6_pld = (struct cpl_fw6_pld *)input;
+- struct chcr_skcipher_req_ctx *reqctx = skcipher_request_ctx(req);
+- struct cipher_wr_param wrparam;
++ struct ablk_ctx *ablkctx = ABLK_CTX(c_ctx(tfm));
++ struct uld_ctx *u_ctx = ULD_CTX(c_ctx(tfm));
+ struct chcr_dev *dev = c_ctx(tfm)->dev;
++ struct chcr_context *ctx = c_ctx(tfm);
++ struct adapter *adap = padap(ctx->dev);
++ struct cipher_wr_param wrparam;
++ struct sk_buff *skb;
+ int bytes;
+
+ if (err)
+@@ -1197,6 +1198,8 @@ static int chcr_handle_cipher_resp(struct skcipher_request *req,
+ if (unlikely(bytes == 0)) {
+ chcr_cipher_dma_unmap(&ULD_CTX(c_ctx(tfm))->lldi.pdev->dev,
+ req);
++ memcpy(req->iv, reqctx->init_iv, IV);
++ atomic_inc(&adap->chcr_stats.fallback);
+ err = chcr_cipher_fallback(ablkctx->sw_cipher,
+ req->base.flags,
+ req->src,
+@@ -1248,20 +1251,28 @@ static int process_cipher(struct skcipher_request *req,
+ struct sk_buff **skb,
+ unsigned short op_type)
+ {
++ struct chcr_skcipher_req_ctx *reqctx = skcipher_request_ctx(req);
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ unsigned int ivsize = crypto_skcipher_ivsize(tfm);
+- struct chcr_skcipher_req_ctx *reqctx = skcipher_request_ctx(req);
+ struct ablk_ctx *ablkctx = ABLK_CTX(c_ctx(tfm));
++ struct adapter *adap = padap(c_ctx(tfm)->dev);
+ struct cipher_wr_param wrparam;
+ int bytes, err = -EINVAL;
++ int subtype;
+
+ reqctx->processed = 0;
+ reqctx->partial_req = 0;
+ if (!req->iv)
+ goto error;
++ subtype = get_cryptoalg_subtype(tfm);
+ if ((ablkctx->enckey_len == 0) || (ivsize > AES_BLOCK_SIZE) ||
+ (req->cryptlen == 0) ||
+ (req->cryptlen % crypto_skcipher_blocksize(tfm))) {
++ if (req->cryptlen == 0 && subtype != CRYPTO_ALG_SUB_TYPE_XTS)
++ goto fallback;
++ else if (req->cryptlen % crypto_skcipher_blocksize(tfm) &&
++ subtype == CRYPTO_ALG_SUB_TYPE_XTS)
++ goto fallback;
+ pr_err("AES: Invalid value of Key Len %d nbytes %d IV Len %d\n",
+ ablkctx->enckey_len, req->cryptlen, ivsize);
+ goto error;
+@@ -1302,12 +1313,10 @@ static int process_cipher(struct skcipher_request *req,
+ } else {
+ bytes = req->cryptlen;
+ }
+- if (get_cryptoalg_subtype(tfm) ==
+- CRYPTO_ALG_SUB_TYPE_CTR) {
++ if (subtype == CRYPTO_ALG_SUB_TYPE_CTR) {
+ bytes = adjust_ctr_overflow(req->iv, bytes);
+ }
+- if (get_cryptoalg_subtype(tfm) ==
+- CRYPTO_ALG_SUB_TYPE_CTR_RFC3686) {
++ if (subtype == CRYPTO_ALG_SUB_TYPE_CTR_RFC3686) {
+ memcpy(reqctx->iv, ablkctx->nonce, CTR_RFC3686_NONCE_SIZE);
+ memcpy(reqctx->iv + CTR_RFC3686_NONCE_SIZE, req->iv,
+ CTR_RFC3686_IV_SIZE);
+@@ -1315,20 +1324,25 @@ static int process_cipher(struct skcipher_request *req,
+ /* initialize counter portion of counter block */
+ *(__be32 *)(reqctx->iv + CTR_RFC3686_NONCE_SIZE +
+ CTR_RFC3686_IV_SIZE) = cpu_to_be32(1);
++ memcpy(reqctx->init_iv, reqctx->iv, IV);
+
+ } else {
+
+ memcpy(reqctx->iv, req->iv, IV);
++ memcpy(reqctx->init_iv, req->iv, IV);
+ }
+ if (unlikely(bytes == 0)) {
+ chcr_cipher_dma_unmap(&ULD_CTX(c_ctx(tfm))->lldi.pdev->dev,
+ req);
++fallback: atomic_inc(&adap->chcr_stats.fallback);
+ err = chcr_cipher_fallback(ablkctx->sw_cipher,
+ req->base.flags,
+ req->src,
+ req->dst,
+ req->cryptlen,
+- reqctx->iv,
++ subtype ==
++ CRYPTO_ALG_SUB_TYPE_CTR_RFC3686 ?
++ reqctx->iv : req->iv,
+ op_type);
+ goto error;
+ }
+diff --git a/drivers/crypto/chelsio/chcr_crypto.h b/drivers/crypto/chelsio/chcr_crypto.h
+index 542bebae001f..b3fdbdc25acb 100644
+--- a/drivers/crypto/chelsio/chcr_crypto.h
++++ b/drivers/crypto/chelsio/chcr_crypto.h
+@@ -302,6 +302,7 @@ struct chcr_skcipher_req_ctx {
+ unsigned int op;
+ u16 imm;
+ u8 iv[CHCR_MAX_CRYPTO_IV_LEN];
++ u8 init_iv[CHCR_MAX_CRYPTO_IV_LEN];
+ u16 txqidx;
+ u16 rxqidx;
+ };
+--
+2.25.1
+
--- /dev/null
+From bde12878fb822f0f1dde5c584df772a432baf37b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 08:42:55 +0530
+Subject: Crypto/chcr: fix for ccm(aes) failed test
+
+From: Devulapally Shiva Krishna <shiva@chelsio.com>
+
+[ Upstream commit 10b0c75d7bc19606fa9a62c8ab9180e95c0e0385 ]
+
+The ccm(aes) test fails when req->assoclen > ~240bytes.
+
+The problem is the value assigned to auth_offset is wrong.
+As auth_offset is unsigned char, it can take max value as 255.
+So fix it by making it unsigned int.
+
+Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com>
+Signed-off-by: Devulapally Shiva Krishna <shiva@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/chelsio/chcr_algo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c
+index 446fb896ee6d..6c2cd36048ea 100644
+--- a/drivers/crypto/chelsio/chcr_algo.c
++++ b/drivers/crypto/chelsio/chcr_algo.c
+@@ -2925,7 +2925,7 @@ static void fill_sec_cpl_for_aead(struct cpl_tx_sec_pdu *sec_cpl,
+ unsigned int mac_mode = CHCR_SCMD_AUTH_MODE_CBCMAC;
+ unsigned int rx_channel_id = reqctx->rxqidx / ctx->rxq_perchan;
+ unsigned int ccm_xtra;
+- unsigned char tag_offset = 0, auth_offset = 0;
++ unsigned int tag_offset = 0, auth_offset = 0;
+ unsigned int assoclen;
+
+ if (get_aead_subtype(tfm) == CRYPTO_ALG_SUB_TYPE_AEAD_RFC4309)
+--
+2.25.1
+
--- /dev/null
+From 0c8b5fc5d1e5a2241b945fd3febd9ad583861dac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 23:11:59 +0530
+Subject: Crypto/chcr: Fixes a coccinile check error
+
+From: Ayush Sawal <ayush.sawal@chelsio.com>
+
+[ Upstream commit 055be6865dea6743b090d1c55c8d21a5e01df201 ]
+
+This fixes an error observed after running coccinile check.
+drivers/crypto/chelsio/chcr_algo.c:1462:5-8: Unneeded variable:
+"err". Return "0" on line 1480
+
+This line is missed in the commit 567be3a5d227 ("crypto:
+chelsio - Use multiple txq/rxq per tfm to process the requests").
+
+Fixes: 567be3a5d227 ("crypto:
+chelsio - Use multiple txq/rxq per tfm to process the requests").
+
+V1->V2
+-Modified subject.
+
+Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/chelsio/chcr_algo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c
+index c29b80dd30d8..5a2d9ee9348d 100644
+--- a/drivers/crypto/chelsio/chcr_algo.c
++++ b/drivers/crypto/chelsio/chcr_algo.c
+@@ -1443,6 +1443,7 @@ static int chcr_device_init(struct chcr_context *ctx)
+ if (!ctx->dev) {
+ u_ctx = assign_chcr_device();
+ if (!u_ctx) {
++ err = -ENXIO;
+ pr_err("chcr device assignment fails\n");
+ goto out;
+ }
+--
+2.25.1
+
--- /dev/null
+From 3131b5cffc56a61d929e6cdf729012a69bf7c4d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 16:11:09 +0200
+Subject: crypto: stm32/crc32 - fix ext4 chksum BUG_ON()
+
+From: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+
+[ Upstream commit 49c2c082e00e0bc4f5cbb7c21c7f0f873b35ab09 ]
+
+Allow use of crc_update without prior call to crc_init.
+And change (and fix) driver to use CRC device even on unaligned buffers.
+
+Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-crc32.c | 98 +++++++++++++++---------------
+ 1 file changed, 48 insertions(+), 50 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-crc32.c b/drivers/crypto/stm32/stm32-crc32.c
+index 8e92e4ac79f1..c6156bf6c603 100644
+--- a/drivers/crypto/stm32/stm32-crc32.c
++++ b/drivers/crypto/stm32/stm32-crc32.c
+@@ -28,8 +28,10 @@
+
+ /* Registers values */
+ #define CRC_CR_RESET BIT(0)
+-#define CRC_CR_REVERSE (BIT(7) | BIT(6) | BIT(5))
+ #define CRC_INIT_DEFAULT 0xFFFFFFFF
++#define CRC_CR_REV_IN_WORD (BIT(6) | BIT(5))
++#define CRC_CR_REV_IN_BYTE BIT(5)
++#define CRC_CR_REV_OUT BIT(7)
+
+ #define CRC_AUTOSUSPEND_DELAY 50
+
+@@ -38,8 +40,6 @@ struct stm32_crc {
+ struct device *dev;
+ void __iomem *regs;
+ struct clk *clk;
+- u8 pending_data[sizeof(u32)];
+- size_t nb_pending_bytes;
+ };
+
+ struct stm32_crc_list {
+@@ -59,7 +59,6 @@ struct stm32_crc_ctx {
+
+ struct stm32_crc_desc_ctx {
+ u32 partial; /* crc32c: partial in first 4 bytes of that struct */
+- struct stm32_crc *crc;
+ };
+
+ static int stm32_crc32_cra_init(struct crypto_tfm *tfm)
+@@ -99,25 +98,22 @@ static int stm32_crc_init(struct shash_desc *desc)
+ struct stm32_crc *crc;
+
+ spin_lock_bh(&crc_list.lock);
+- list_for_each_entry(crc, &crc_list.dev_list, list) {
+- ctx->crc = crc;
+- break;
+- }
++ crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
+ spin_unlock_bh(&crc_list.lock);
+
+- pm_runtime_get_sync(ctx->crc->dev);
++ pm_runtime_get_sync(crc->dev);
+
+ /* Reset, set key, poly and configure in bit reverse mode */
+- writel_relaxed(bitrev32(mctx->key), ctx->crc->regs + CRC_INIT);
+- writel_relaxed(bitrev32(mctx->poly), ctx->crc->regs + CRC_POL);
+- writel_relaxed(CRC_CR_RESET | CRC_CR_REVERSE, ctx->crc->regs + CRC_CR);
++ writel_relaxed(bitrev32(mctx->key), crc->regs + CRC_INIT);
++ writel_relaxed(bitrev32(mctx->poly), crc->regs + CRC_POL);
++ writel_relaxed(CRC_CR_RESET | CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
+
+ /* Store partial result */
+- ctx->partial = readl_relaxed(ctx->crc->regs + CRC_DR);
+- ctx->crc->nb_pending_bytes = 0;
++ ctx->partial = readl_relaxed(crc->regs + CRC_DR);
+
+- pm_runtime_mark_last_busy(ctx->crc->dev);
+- pm_runtime_put_autosuspend(ctx->crc->dev);
++ pm_runtime_mark_last_busy(crc->dev);
++ pm_runtime_put_autosuspend(crc->dev);
+
+ return 0;
+ }
+@@ -126,31 +122,49 @@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8,
+ unsigned int length)
+ {
+ struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc);
+- struct stm32_crc *crc = ctx->crc;
+- u32 *d32;
+- unsigned int i;
++ struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm);
++ struct stm32_crc *crc;
++
++ spin_lock_bh(&crc_list.lock);
++ crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
++ spin_unlock_bh(&crc_list.lock);
+
+ pm_runtime_get_sync(crc->dev);
+
+- if (unlikely(crc->nb_pending_bytes)) {
+- while (crc->nb_pending_bytes != sizeof(u32) && length) {
+- /* Fill in pending data */
+- crc->pending_data[crc->nb_pending_bytes++] = *(d8++);
++ /*
++ * Restore previously calculated CRC for this context as init value
++ * Restore polynomial configuration
++ * Configure in register for word input data,
++ * Configure out register in reversed bit mode data.
++ */
++ writel_relaxed(bitrev32(ctx->partial), crc->regs + CRC_INIT);
++ writel_relaxed(bitrev32(mctx->poly), crc->regs + CRC_POL);
++ writel_relaxed(CRC_CR_RESET | CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
++
++ if (d8 != PTR_ALIGN(d8, sizeof(u32))) {
++ /* Configure for byte data */
++ writel_relaxed(CRC_CR_REV_IN_BYTE | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
++ while (d8 != PTR_ALIGN(d8, sizeof(u32)) && length) {
++ writeb_relaxed(*d8++, crc->regs + CRC_DR);
+ length--;
+ }
+-
+- if (crc->nb_pending_bytes == sizeof(u32)) {
+- /* Process completed pending data */
+- writel_relaxed(*(u32 *)crc->pending_data,
+- crc->regs + CRC_DR);
+- crc->nb_pending_bytes = 0;
+- }
++ /* Configure for word data */
++ writel_relaxed(CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
+ }
+
+- d32 = (u32 *)d8;
+- for (i = 0; i < length >> 2; i++)
+- /* Process 32 bits data */
+- writel_relaxed(*(d32++), crc->regs + CRC_DR);
++ for (; length >= sizeof(u32); d8 += sizeof(u32), length -= sizeof(u32))
++ writel_relaxed(*((u32 *)d8), crc->regs + CRC_DR);
++
++ if (length) {
++ /* Configure for byte data */
++ writel_relaxed(CRC_CR_REV_IN_BYTE | CRC_CR_REV_OUT,
++ crc->regs + CRC_CR);
++ while (length--)
++ writeb_relaxed(*d8++, crc->regs + CRC_DR);
++ }
+
+ /* Store partial result */
+ ctx->partial = readl_relaxed(crc->regs + CRC_DR);
+@@ -158,22 +172,6 @@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8,
+ pm_runtime_mark_last_busy(crc->dev);
+ pm_runtime_put_autosuspend(crc->dev);
+
+- /* Check for pending data (non 32 bits) */
+- length &= 3;
+- if (likely(!length))
+- return 0;
+-
+- if ((crc->nb_pending_bytes + length) >= sizeof(u32)) {
+- /* Shall not happen */
+- dev_err(crc->dev, "Pending data overflow\n");
+- return -EINVAL;
+- }
+-
+- d8 = (const u8 *)d32;
+- for (i = 0; i < length; i++)
+- /* Store pending data */
+- crc->pending_data[crc->nb_pending_bytes++] = *(d8++);
+-
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From a29a365b50f63359ebaa2345077d8a482f819732 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 16:11:11 +0200
+Subject: crypto: stm32/crc32 - fix multi-instance
+
+From: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+
+[ Upstream commit 10b89c43a64eb0d236903b79a3bc9d8f6cbfd9c7 ]
+
+Ensure CRC algorithm is registered only once in crypto framework when
+there are several instances of CRC devices.
+
+Update the CRC device list management to avoid that only the first CRC
+instance is used.
+
+Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-crc32.c | 48 ++++++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-crc32.c b/drivers/crypto/stm32/stm32-crc32.c
+index 1c3e411b7acb..10304511f9b4 100644
+--- a/drivers/crypto/stm32/stm32-crc32.c
++++ b/drivers/crypto/stm32/stm32-crc32.c
+@@ -91,16 +91,29 @@ static int stm32_crc_setkey(struct crypto_shash *tfm, const u8 *key,
+ return 0;
+ }
+
+-static int stm32_crc_init(struct shash_desc *desc)
++static struct stm32_crc *stm32_crc_get_next_crc(void)
+ {
+- struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc);
+- struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm);
+ struct stm32_crc *crc;
+
+ spin_lock_bh(&crc_list.lock);
+ crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
++ if (crc)
++ list_move_tail(&crc->list, &crc_list.dev_list);
+ spin_unlock_bh(&crc_list.lock);
+
++ return crc;
++}
++
++static int stm32_crc_init(struct shash_desc *desc)
++{
++ struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc);
++ struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm);
++ struct stm32_crc *crc;
++
++ crc = stm32_crc_get_next_crc();
++ if (!crc)
++ return -ENODEV;
++
+ pm_runtime_get_sync(crc->dev);
+
+ /* Reset, set key, poly and configure in bit reverse mode */
+@@ -125,9 +138,9 @@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8,
+ struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm);
+ struct stm32_crc *crc;
+
+- spin_lock_bh(&crc_list.lock);
+- crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list);
+- spin_unlock_bh(&crc_list.lock);
++ crc = stm32_crc_get_next_crc();
++ if (!crc)
++ return -ENODEV;
+
+ pm_runtime_get_sync(crc->dev);
+
+@@ -200,6 +213,8 @@ static int stm32_crc_digest(struct shash_desc *desc, const u8 *data,
+ return stm32_crc_init(desc) ?: stm32_crc_finup(desc, data, length, out);
+ }
+
++static unsigned int refcnt;
++static DEFINE_MUTEX(refcnt_lock);
+ static struct shash_alg algs[] = {
+ /* CRC-32 */
+ {
+@@ -290,12 +305,18 @@ static int stm32_crc_probe(struct platform_device *pdev)
+ list_add(&crc->list, &crc_list.dev_list);
+ spin_unlock(&crc_list.lock);
+
+- ret = crypto_register_shashes(algs, ARRAY_SIZE(algs));
+- if (ret) {
+- dev_err(dev, "Failed to register\n");
+- clk_disable_unprepare(crc->clk);
+- return ret;
++ mutex_lock(&refcnt_lock);
++ if (!refcnt) {
++ ret = crypto_register_shashes(algs, ARRAY_SIZE(algs));
++ if (ret) {
++ mutex_unlock(&refcnt_lock);
++ dev_err(dev, "Failed to register\n");
++ clk_disable_unprepare(crc->clk);
++ return ret;
++ }
+ }
++ refcnt++;
++ mutex_unlock(&refcnt_lock);
+
+ dev_info(dev, "Initialized\n");
+
+@@ -316,7 +337,10 @@ static int stm32_crc_remove(struct platform_device *pdev)
+ list_del(&crc->list);
+ spin_unlock(&crc_list.lock);
+
+- crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
++ mutex_lock(&refcnt_lock);
++ if (!--refcnt)
++ crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
++ mutex_unlock(&refcnt_lock);
+
+ pm_runtime_disable(crc->dev);
+ pm_runtime_put_noidle(crc->dev);
+--
+2.25.1
+
--- /dev/null
+From f2b55517c386715fd40899abac8cae8e082b48ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 May 2020 16:11:10 +0200
+Subject: crypto: stm32/crc32 - fix run-time self test issue.
+
+From: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+
+[ Upstream commit a8cc3128bf2c01c4d448fe17149e87132113b445 ]
+
+Fix wrong crc32 initialisation value:
+"alg: shash: stm32_crc32 test failed (wrong result) on test vector 0,
+cfg="init+update+final aligned buffer"
+cra_name="crc32c" expects an init value of 0XFFFFFFFF,
+cra_name="crc32" expects an init value of 0.
+
+Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-crc32.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-crc32.c b/drivers/crypto/stm32/stm32-crc32.c
+index c6156bf6c603..1c3e411b7acb 100644
+--- a/drivers/crypto/stm32/stm32-crc32.c
++++ b/drivers/crypto/stm32/stm32-crc32.c
+@@ -28,10 +28,10 @@
+
+ /* Registers values */
+ #define CRC_CR_RESET BIT(0)
+-#define CRC_INIT_DEFAULT 0xFFFFFFFF
+ #define CRC_CR_REV_IN_WORD (BIT(6) | BIT(5))
+ #define CRC_CR_REV_IN_BYTE BIT(5)
+ #define CRC_CR_REV_OUT BIT(7)
++#define CRC32C_INIT_DEFAULT 0xFFFFFFFF
+
+ #define CRC_AUTOSUSPEND_DELAY 50
+
+@@ -65,7 +65,7 @@ static int stm32_crc32_cra_init(struct crypto_tfm *tfm)
+ {
+ struct stm32_crc_ctx *mctx = crypto_tfm_ctx(tfm);
+
+- mctx->key = CRC_INIT_DEFAULT;
++ mctx->key = 0;
+ mctx->poly = CRC32_POLY_LE;
+ return 0;
+ }
+@@ -74,7 +74,7 @@ static int stm32_crc32c_cra_init(struct crypto_tfm *tfm)
+ {
+ struct stm32_crc_ctx *mctx = crypto_tfm_ctx(tfm);
+
+- mctx->key = CRC_INIT_DEFAULT;
++ mctx->key = CRC32C_INIT_DEFAULT;
+ mctx->poly = CRC32C_POLY_LE;
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From ffb218e5c27c15200224e2a440d0d8e7fcf40301 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 16:57:50 +0200
+Subject: dpaa2-eth: fix return codes used in ndo_setup_tc
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit b89c1e6bdc73f5775e118eb2ab778e75b262b30c ]
+
+Drivers ndo_setup_tc call should return -EOPNOTSUPP, when it cannot
+support the qdisc type. Other return values will result in failing the
+qdisc setup. This lead to qdisc noop getting assigned, which will
+drop all TX packets on the interface.
+
+Fixes: ab1e6de2bd49 ("dpaa2-eth: Add mqprio support")
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+index d97c320a2dc0..569e06d2bab2 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -2018,7 +2018,7 @@ static int dpaa2_eth_setup_tc(struct net_device *net_dev,
+ int i;
+
+ if (type != TC_SETUP_QDISC_MQPRIO)
+- return -EINVAL;
++ return -EOPNOTSUPP;
+
+ mqprio->hw = TC_MQPRIO_HW_OFFLOAD_TCS;
+ num_queues = dpaa2_eth_queue_count(priv);
+@@ -2030,7 +2030,7 @@ static int dpaa2_eth_setup_tc(struct net_device *net_dev,
+ if (num_tc > dpaa2_eth_tc_count(priv)) {
+ netdev_err(net_dev, "Max %d traffic classes supported\n",
+ dpaa2_eth_tc_count(priv));
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ if (!num_tc) {
+--
+2.25.1
+
--- /dev/null
+From f4e1337c0ad097a2906e41e707f37e2c59dbb777 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2020 02:15:04 +0200
+Subject: Drivers: hv: vmbus: Always handle the VMBus messages on CPU0
+
+From: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
+
+[ Upstream commit 8a857c55420f29da4fc131adc22b12d474c48f4c ]
+
+A Linux guest have to pick a "connect CPU" to communicate with the
+Hyper-V host. This CPU can not be taken offline because Hyper-V does
+not provide a way to change that CPU assignment.
+
+Current code sets the connect CPU to whatever CPU ends up running the
+function vmbus_negotiate_version(), and this will generate problems if
+that CPU is taken offine.
+
+Establish CPU0 as the connect CPU, and add logics to prevents the
+connect CPU from being taken offline. We could pick some other CPU,
+and we could pick that "other CPU" dynamically if there was a reason to
+do so at some point in the future. But for now, #defining the connect
+CPU to 0 is the most straightforward and least complex solution.
+
+While on this, add inline comments explaining "why" offer and rescind
+messages should not be handled by a same serialized work queue.
+
+Suggested-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Link: https://lore.kernel.org/r/20200406001514.19876-2-parri.andrea@gmail.com
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/connection.c | 20 +-------------------
+ drivers/hv/hv.c | 7 +++++++
+ drivers/hv/hyperv_vmbus.h | 11 ++++++-----
+ drivers/hv/vmbus_drv.c | 20 +++++++++++++++++---
+ 4 files changed, 31 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
+index 74e77de89b4f..f4bd306d2cef 100644
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -69,7 +69,6 @@ MODULE_PARM_DESC(max_version,
+ int vmbus_negotiate_version(struct vmbus_channel_msginfo *msginfo, u32 version)
+ {
+ int ret = 0;
+- unsigned int cur_cpu;
+ struct vmbus_channel_initiate_contact *msg;
+ unsigned long flags;
+
+@@ -102,24 +101,7 @@ int vmbus_negotiate_version(struct vmbus_channel_msginfo *msginfo, u32 version)
+
+ msg->monitor_page1 = virt_to_phys(vmbus_connection.monitor_pages[0]);
+ msg->monitor_page2 = virt_to_phys(vmbus_connection.monitor_pages[1]);
+- /*
+- * We want all channel messages to be delivered on CPU 0.
+- * This has been the behavior pre-win8. This is not
+- * perf issue and having all channel messages delivered on CPU 0
+- * would be ok.
+- * For post win8 hosts, we support receiving channel messagges on
+- * all the CPUs. This is needed for kexec to work correctly where
+- * the CPU attempting to connect may not be CPU 0.
+- */
+- if (version >= VERSION_WIN8_1) {
+- cur_cpu = get_cpu();
+- msg->target_vcpu = hv_cpu_number_to_vp_number(cur_cpu);
+- vmbus_connection.connect_cpu = cur_cpu;
+- put_cpu();
+- } else {
+- msg->target_vcpu = 0;
+- vmbus_connection.connect_cpu = 0;
+- }
++ msg->target_vcpu = hv_cpu_number_to_vp_number(VMBUS_CONNECT_CPU);
+
+ /*
+ * Add to list before we send the request since we may
+diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
+index 533c8b82b344..3a5648aa5599 100644
+--- a/drivers/hv/hv.c
++++ b/drivers/hv/hv.c
+@@ -245,6 +245,13 @@ int hv_synic_cleanup(unsigned int cpu)
+ bool channel_found = false;
+ unsigned long flags;
+
++ /*
++ * Hyper-V does not provide a way to change the connect CPU once
++ * it is set; we must prevent the connect CPU from going offline.
++ */
++ if (cpu == VMBUS_CONNECT_CPU)
++ return -EBUSY;
++
+ /*
+ * Search for channels which are bound to the CPU we're about to
+ * cleanup. In case we find one and vmbus is still connected we need to
+diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
+index 70b30e223a57..67fb1edcbf52 100644
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -212,12 +212,13 @@ enum vmbus_connect_state {
+
+ #define MAX_SIZE_CHANNEL_MESSAGE HV_MESSAGE_PAYLOAD_BYTE_COUNT
+
+-struct vmbus_connection {
+- /*
+- * CPU on which the initial host contact was made.
+- */
+- int connect_cpu;
++/*
++ * The CPU that Hyper-V will interrupt for VMBUS messages, such as
++ * CHANNELMSG_OFFERCHANNEL and CHANNELMSG_RESCIND_CHANNELOFFER.
++ */
++#define VMBUS_CONNECT_CPU 0
+
++struct vmbus_connection {
+ u32 msg_conn_id;
+
+ atomic_t offer_in_progress;
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index e06c6b9555cf..ec173da45b42 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -1098,14 +1098,28 @@ void vmbus_on_msg_dpc(unsigned long data)
+ /*
+ * If we are handling the rescind message;
+ * schedule the work on the global work queue.
++ *
++ * The OFFER message and the RESCIND message should
++ * not be handled by the same serialized work queue,
++ * because the OFFER handler may call vmbus_open(),
++ * which tries to open the channel by sending an
++ * OPEN_CHANNEL message to the host and waits for
++ * the host's response; however, if the host has
++ * rescinded the channel before it receives the
++ * OPEN_CHANNEL message, the host just silently
++ * ignores the OPEN_CHANNEL message; as a result,
++ * the guest's OFFER handler hangs for ever, if we
++ * handle the RESCIND message in the same serialized
++ * work queue: the RESCIND handler can not start to
++ * run before the OFFER handler finishes.
+ */
+- schedule_work_on(vmbus_connection.connect_cpu,
++ schedule_work_on(VMBUS_CONNECT_CPU,
+ &ctx->work);
+ break;
+
+ case CHANNELMSG_OFFERCHANNEL:
+ atomic_inc(&vmbus_connection.offer_in_progress);
+- queue_work_on(vmbus_connection.connect_cpu,
++ queue_work_on(VMBUS_CONNECT_CPU,
+ vmbus_connection.work_queue,
+ &ctx->work);
+ break;
+@@ -1152,7 +1166,7 @@ static void vmbus_force_channel_rescinded(struct vmbus_channel *channel)
+
+ INIT_WORK(&ctx->work, vmbus_onmessage_work);
+
+- queue_work_on(vmbus_connection.connect_cpu,
++ queue_work_on(VMBUS_CONNECT_CPU,
+ vmbus_connection.work_queue,
+ &ctx->work);
+ }
+--
+2.25.1
+
--- /dev/null
+From 2890fa934fd7db0b8f0002f79088c564e95b804d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 02:52:20 +0000
+Subject: drivers: net: davinci_mdio: fix potential NULL dereference in
+ davinci_mdio_probe()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit e00edb4efbbc07425441a3be2aa87abaf5800d96 ]
+
+platform_get_resource() may fail and return NULL, so we should
+better check it's return value to avoid a NULL pointer dereference
+since devm_ioremap() does not check input parameters for null.
+
+This is detected by Coccinelle semantic patch.
+
+@@
+expression pdev, res, n, t, e, e1, e2;
+@@
+
+res = \(platform_get_resource\|platform_get_resource_byname\)(pdev, t, n);
++ if (!res)
++ return -EINVAL;
+... when != res == NULL
+e = devm_ioremap(e1, res->start, e2);
+
+Fixes: 03f66f067560 ("net: ethernet: ti: davinci_mdio: use devm_ioremap()")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/davinci_mdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/ti/davinci_mdio.c b/drivers/net/ethernet/ti/davinci_mdio.c
+index 38b7f6d35759..702fdc393da0 100644
+--- a/drivers/net/ethernet/ti/davinci_mdio.c
++++ b/drivers/net/ethernet/ti/davinci_mdio.c
+@@ -397,6 +397,8 @@ static int davinci_mdio_probe(struct platform_device *pdev)
+ data->dev = dev;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!res)
++ return -EINVAL;
+ data->regs = devm_ioremap(dev, res->start, resource_size(res));
+ if (!data->regs)
+ return -ENOMEM;
+--
+2.25.1
+
--- /dev/null
+From 50f2ac4e5d8146af249646550eb6d753fcf55997 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 20:05:30 +0800
+Subject: drivers/perf: hisi: Fix typo in events attribute array
+
+From: Shaokun Zhang <zhangshaokun@hisilicon.com>
+
+[ Upstream commit 88562f06ebf56587788783e5420f25fde3ca36c8 ]
+
+Fix up one typo: wr_dr_64b -> wr_ddr_64b.
+
+Fixes: 2bab3cf9104c ("perf: hisi: Add support for HiSilicon SoC HHA PMU driver")
+Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1587643530-34357-1-git-send-email-zhangshaokun@hisilicon.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_uncore_hha_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c b/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
+index 6a1dd72d8abb..e5af9d7e6e14 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
++++ b/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
+@@ -283,7 +283,7 @@ static struct attribute *hisi_hha_pmu_events_attr[] = {
+ HISI_PMU_EVENT_ATTR(rx_wbip, 0x05),
+ HISI_PMU_EVENT_ATTR(rx_wtistash, 0x11),
+ HISI_PMU_EVENT_ATTR(rd_ddr_64b, 0x1c),
+- HISI_PMU_EVENT_ATTR(wr_dr_64b, 0x1d),
++ HISI_PMU_EVENT_ATTR(wr_ddr_64b, 0x1d),
+ HISI_PMU_EVENT_ATTR(rd_ddr_128b, 0x1e),
+ HISI_PMU_EVENT_ATTR(wr_ddr_128b, 0x1f),
+ HISI_PMU_EVENT_ATTR(spill_num, 0x20),
+--
+2.25.1
+
--- /dev/null
+From 8249afeafcd8e132124e0dc876631d17b88a5dcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2020 20:11:55 +0800
+Subject: drm/amd/display: Correct updating logic of dcn21's pipe VM flags
+
+From: Dale Zhao <dale.zhao@amd.com>
+
+[ Upstream commit 2a28fe92220a116735ef45939b7edcfee83cc6b0 ]
+
+[Why]:
+Renoir's pipe VM flags are not correctly updated if pipe strategy has
+changed during some scenarios. It will result in watermarks mistakenly
+calculation, thus underflow and garbage appear.
+
+[How]:
+Correctly update pipe VM flags to pipes which have been populated.
+
+Signed-off-by: Dale Zhao <dale.zhao@amd.com>
+Signed-off-by: Sung Lee <sung.lee@amd.com>
+Reviewed-by: Yongqiang Sun <yongqiang.sun@amd.com>
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+index a721bb401ef0..6d1736cf5c12 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+@@ -1694,12 +1694,8 @@ static int dcn21_populate_dml_pipes_from_context(
+ {
+ uint32_t pipe_cnt = dcn20_populate_dml_pipes_from_context(dc, context, pipes);
+ int i;
+- struct resource_context *res_ctx = &context->res_ctx;
+
+- for (i = 0; i < dc->res_pool->pipe_count; i++) {
+-
+- if (!res_ctx->pipe_ctx[i].stream)
+- continue;
++ for (i = 0; i < pipe_cnt; i++) {
+
+ pipes[i].pipe.src.hostvm = 1;
+ pipes[i].pipe.src.gpuvm = 1;
+--
+2.25.1
+
--- /dev/null
+From 9243c107a33910478eb906fdb1ba77f35f3ebe68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2020 17:18:47 +0800
+Subject: drm/amd/display: dmcu wait loop calculation is incorrect in RV
+
+From: Paul Hsieh <paul.hsieh@amd.com>
+
+[ Upstream commit 7fc5c319efceaed1a23b7ef35c333553ce39fecf ]
+
+[Why]
+Driver already get display clock from SMU base on MHz, but driver read
+again and mutiple 1000 cause wait loop value is overflow.
+
+[How]
+remove coding error
+
+Signed-off-by: Paul Hsieh <paul.hsieh@amd.com>
+Reviewed-by: Eric Yang <eric.yang2@amd.com>
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/display/dc/clk_mgr/dcn10/rv1_clk_mgr_vbios_smu.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn10/rv1_clk_mgr_vbios_smu.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn10/rv1_clk_mgr_vbios_smu.c
+index 97b7f32294fd..c320b7af7d34 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn10/rv1_clk_mgr_vbios_smu.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn10/rv1_clk_mgr_vbios_smu.c
+@@ -97,9 +97,6 @@ int rv1_vbios_smu_set_dispclk(struct clk_mgr_internal *clk_mgr, int requested_di
+ VBIOSSMC_MSG_SetDispclkFreq,
+ requested_dispclk_khz / 1000);
+
+- /* Actual dispclk set is returned in the parameter register */
+- actual_dispclk_set_mhz = REG_READ(MP1_SMN_C2PMSG_83) * 1000;
+-
+ if (!IS_FPGA_MAXIMUS_DC(dc->ctx->dce_environment)) {
+ if (dmcu && dmcu->funcs->is_dmcu_initialized(dmcu)) {
+ if (clk_mgr->dfs_bypass_disp_clk != actual_dispclk_set_mhz)
+--
+2.25.1
+
--- /dev/null
+From b047538cf9d246dcf8d8dc7611ef571ddb4f7f09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Apr 2020 18:07:48 -0400
+Subject: drm/amd/display: Do not disable pipe split if mode is not supported
+
+From: Sung Lee <sung.lee@amd.com>
+
+[ Upstream commit 1dfedb39d38f813357885e19badd1971c17f79a7 ]
+
+[WHY]
+If mode is not supported, pipe split should not be disabled.
+This may cause more modes to fail.
+
+[HOW]
+Check for mode support before disabling pipe split.
+
+This commit was previously reverted as it was thought to
+have problems, but those issues have been resolved.
+
+Signed-off-by: Sung Lee <sung.lee@amd.com>
+Reviewed-by: Yongqiang Sun <yongqiang.sun@amd.com>
+Acked-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+index e4348e3b6389..2719cdecc1cb 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+@@ -2597,19 +2597,24 @@ int dcn20_validate_apply_pipe_split_flags(
+
+ /* Avoid split loop looks for lowest voltage level that allows most unsplit pipes possible */
+ if (avoid_split) {
++ int max_mpc_comb = context->bw_ctx.dml.vba.maxMpcComb;
++
+ for (i = 0, pipe_idx = 0; i < dc->res_pool->pipe_count; i++) {
+ if (!context->res_ctx.pipe_ctx[i].stream)
+ continue;
+
+ for (vlevel_split = vlevel; vlevel <= context->bw_ctx.dml.soc.num_states; vlevel++)
+- if (context->bw_ctx.dml.vba.NoOfDPP[vlevel][0][pipe_idx] == 1)
++ if (context->bw_ctx.dml.vba.NoOfDPP[vlevel][0][pipe_idx] == 1 &&
++ context->bw_ctx.dml.vba.ModeSupport[vlevel][0])
+ break;
+ /* Impossible to not split this pipe */
+ if (vlevel > context->bw_ctx.dml.soc.num_states)
+ vlevel = vlevel_split;
++ else
++ max_mpc_comb = 0;
+ pipe_idx++;
+ }
+- context->bw_ctx.dml.vba.maxMpcComb = 0;
++ context->bw_ctx.dml.vba.maxMpcComb = max_mpc_comb;
+ }
+
+ /* Split loop sets which pipe should be split based on dml outputs and dc flags */
+--
+2.25.1
+
--- /dev/null
+From 943e18c6e12643106486cc57604725a48d7d8149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2020 12:01:07 -0400
+Subject: drm/amd/display: fix virtual signal dsc setup
+
+From: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+
+[ Upstream commit d5bef51f084fccafa984b114ff74a01a64a0e2e3 ]
+
+This prevents dpcd access on virtual links.
+
+Signed-off-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Reviewed-by: Eric Bernstein <Eric.Bernstein@amd.com>
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c
+index 51e0ee6e7695..6590f51caefa 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c
+@@ -400,7 +400,7 @@ static bool dp_set_dsc_on_rx(struct pipe_ctx *pipe_ctx, bool enable)
+ struct dc_stream_state *stream = pipe_ctx->stream;
+ bool result = false;
+
+- if (IS_FPGA_MAXIMUS_DC(dc->ctx->dce_environment))
++ if (dc_is_virtual_signal(stream->signal) || IS_FPGA_MAXIMUS_DC(dc->ctx->dce_environment))
+ result = true;
+ else
+ result = dm_helpers_dp_write_dsc_enable(dc->ctx, stream, enable);
+--
+2.25.1
+
--- /dev/null
+From b23b98eb61504a17e629891fe48973fd9b7ebe7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2020 15:49:02 -0400
+Subject: drm/amd/display: Force watermark value propagation
+
+From: Joshua Aberback <joshua.aberback@amd.com>
+
+[ Upstream commit 868149c9a072cbdc22a73ce25a487f9fbfa171ef ]
+
+[Why]
+The HUBBUB watermark registers are in an area that cannot be power
+gated, but the HUBP copies of the watermark values are in areas that can
+be power gated. When we power on a pipe, it will not automatically take
+the HUBBUB values, we need to force propagation by writing to a
+watermark register.
+
+[How]
+ - new HUBBUB function to re-write current value in a WM register
+ - touch WM register after enabling the plane in program_pipe
+
+Signed-off-by: Joshua Aberback <joshua.aberback@amd.com>
+Reviewed-by: Jun Lei <Jun.Lei@amd.com>
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 5 ++++-
+ drivers/gpu/drm/amd/display/dc/inc/hw/dchubbub.h | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index a023a4d59f41..c4fa13e4eaf9 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -1478,8 +1478,11 @@ static void dcn20_program_pipe(
+ if (pipe_ctx->update_flags.bits.odm)
+ hws->funcs.update_odm(dc, context, pipe_ctx);
+
+- if (pipe_ctx->update_flags.bits.enable)
++ if (pipe_ctx->update_flags.bits.enable) {
+ dcn20_enable_plane(dc, pipe_ctx, context);
++ if (dc->res_pool->hubbub->funcs->force_wm_propagate_to_pipes)
++ dc->res_pool->hubbub->funcs->force_wm_propagate_to_pipes(dc->res_pool->hubbub);
++ }
+
+ if (pipe_ctx->update_flags.raw || pipe_ctx->plane_state->update_flags.raw || pipe_ctx->stream->update_flags.raw)
+ dcn20_update_dchubp_dpp(dc, pipe_ctx, context);
+diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw/dchubbub.h b/drivers/gpu/drm/amd/display/dc/inc/hw/dchubbub.h
+index f5dd0cc73c63..47a566d82d6e 100644
+--- a/drivers/gpu/drm/amd/display/dc/inc/hw/dchubbub.h
++++ b/drivers/gpu/drm/amd/display/dc/inc/hw/dchubbub.h
+@@ -144,6 +144,8 @@ struct hubbub_funcs {
+ void (*allow_self_refresh_control)(struct hubbub *hubbub, bool allow);
+
+ void (*apply_DEDCN21_147_wa)(struct hubbub *hubbub);
++
++ void (*force_wm_propagate_to_pipes)(struct hubbub *hubbub);
+ };
+
+ struct hubbub {
+--
+2.25.1
+
--- /dev/null
+From d74fa3f32ba33c507b6fa05d1a2a415b840f551e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2020 16:41:05 -0400
+Subject: drm/amd/display: Revert to old formula in set_vtg_params
+
+From: Alvin Lee <alvin.lee2@amd.com>
+
+[ Upstream commit a1a0e61f3c43c610f0a3c109348c14ce930c1977 ]
+
+[Why]
+New formula + cursor change causing underflow
+on certain configs
+
+[How]
+Rever to old formula
+
+Signed-off-by: Alvin Lee <alvin.lee2@amd.com>
+Reviewed-by: Yongqiang Sun <yongqiang.sun@amd.com>
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c
+index 17d96ec6acd8..ec0ab42becba 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c
+@@ -299,6 +299,7 @@ void optc1_set_vtg_params(struct timing_generator *optc,
+ uint32_t asic_blank_end;
+ uint32_t v_init;
+ uint32_t v_fp2 = 0;
++ int32_t vertical_line_start;
+
+ struct optc *optc1 = DCN10TG_FROM_TG(optc);
+
+@@ -315,8 +316,9 @@ void optc1_set_vtg_params(struct timing_generator *optc,
+ patched_crtc_timing.v_border_top;
+
+ /* if VSTARTUP is before VSYNC, FP2 is the offset, otherwise 0 */
+- if (optc1->vstartup_start > asic_blank_end)
+- v_fp2 = optc1->vstartup_start - asic_blank_end;
++ vertical_line_start = asic_blank_end - optc1->vstartup_start + 1;
++ if (vertical_line_start < 0)
++ v_fp2 = -vertical_line_start;
+
+ /* Interlace */
+ if (REG(OTG_INTERLACE_CONTROL)) {
+--
+2.25.1
+
--- /dev/null
+From c70fc5e223628e78504890136be8c59cc524ac7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 17:15:34 +0800
+Subject: drm/amd/powerpay: Disable gfxoff when setting manual mode on picasso
+ and raven
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: chen gong <curry.gong@amd.com>
+
+[ Upstream commit cbd2d08c7463e78d625a69e9db27ad3004cbbd99 ]
+
+[Problem description]
+1. Boot up picasso platform, launches desktop, Don't do anything (APU enter into "gfxoff" state)
+2. Remote login to platform using SSH, then type the command line:
+ sudo su -c "echo manual > /sys/class/drm/card0/device/power_dpm_force_performance_level"
+ sudo su -c "echo 2 > /sys/class/drm/card0/device/pp_dpm_sclk" (fix SCLK to 1400MHz)
+3. Move the mouse around in Window
+4. Phenomenon : The screen frozen
+
+Tester will switch sclk level during glmark2 run time.
+APU will enter "gfxoff" state intermittently during glmark2 run time.
+The system got hanged if fix GFXCLK to 1400MHz when APU is in "gfxoff"
+state.
+
+[Debug]
+1. Fix SCLK to X MHz
+ 1400: screen frozen, screen black, then OS will reboot.
+ 1300: screen frozen.
+ 1200: screen frozen, screen black.
+ 1100: screen frozen, screen black, then OS will reboot.
+ 1000: screen frozen, screen black.
+ 900: screen frozen, screen black, then OS will reboot.
+ 800: Situation Nomal, issue disappear.
+ 700: Situation Nomal, issue disappear.
+2. SBIOS setting: AMD CBS --> SMU Debug Options -->SMU Debug --> "GFX DLDO Psm Margin Control":
+ 50 : Situation Nomal, issue disappear.
+ 45 : Situation Nomal, issue disappear.
+ 40 : Situation Nomal, issue disappear.
+ 35 : Situation Nomal, issue disappear.
+ 30 : screen black.
+ 25 : screen frozen, then blurred screen.
+ 20 : screen frozen.
+ 15 : screen black.
+ 10 : screen frozen.
+ 5 : screen frozen, then blurred screen.
+3. Disable GFXOFF feature
+ Situation Nomal, issue disappear.
+
+[Why]
+Through a period of time debugging with Sys Eng team and SMU team, Sys
+Eng team said this is voltage/frequency marginal issue not a F/W or H/W
+bug. This experiment proves that default targetPsm [for f=1400MHz] is
+not sufficient when GFXOFF is enabled on Picasso.
+
+SMU team think it is an odd test conditions to force sclk="1400MHz" when
+GPU is in "gfxoff" state,then wake up the GFX. SCLK should be in the
+"lowest frequency" when gfxoff.
+
+[How]
+Disable gfxoff when setting manual mode.
+Enable gfxoff when setting other mode(exiting manual mode) again.
+
+By the way, from the user point of view, now that user switch to manual
+mode and force SCLK Frequency, he don't want SCLK be controlled by
+workload.It becomes meaningless to "switch to manual mode" if APU enter "gfxoff"
+due to lack of workload at this point.
+
+Tips: Same issue observed on Raven.
+
+Signed-off-by: chen gong <curry.gong@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+index 49e2e43f2e4a..532f4d908b8d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+@@ -383,6 +383,15 @@ static ssize_t amdgpu_set_dpm_forced_performance_level(struct device *dev,
+ return count;
+ }
+
++ if (adev->asic_type == CHIP_RAVEN) {
++ if (adev->rev_id < 8) {
++ if (current_level != AMD_DPM_FORCED_LEVEL_MANUAL && level == AMD_DPM_FORCED_LEVEL_MANUAL)
++ amdgpu_gfx_off_ctrl(adev, false);
++ else if (current_level == AMD_DPM_FORCED_LEVEL_MANUAL && level != AMD_DPM_FORCED_LEVEL_MANUAL)
++ amdgpu_gfx_off_ctrl(adev, true);
++ }
++ }
++
+ /* profile_exit setting is valid only when current mode is in profile mode */
+ if (!(current_level & (AMD_DPM_FORCED_LEVEL_PROFILE_STANDARD |
+ AMD_DPM_FORCED_LEVEL_PROFILE_MIN_SCLK |
+--
+2.25.1
+
--- /dev/null
+From 6e04896af6cee1f49b9829df22b88dcf71fb8a1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2020 12:03:34 +0100
+Subject: drm/amdgpu: fix and cleanup amdgpu_gem_object_close v4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+[ Upstream commit 82c416b13cb7d22b96ec0888b296a48dff8a09eb ]
+
+The problem is that we can't add the clear fence to the BO
+when there is an exclusive fence on it since we can't
+guarantee the the clear fence will complete after the
+exclusive one.
+
+To fix this refactor the function and also add the exclusive
+fence as shared to the resv object.
+
+v2: fix warning
+v3: add excl fence as shared instead
+v4: squash in fix for fence handling in amdgpu_gem_object_close
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: xinhui pan <xinhui.pan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 43 ++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+index 4277125a79ee..32f36c940abb 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+@@ -161,16 +161,17 @@ void amdgpu_gem_object_close(struct drm_gem_object *obj,
+
+ struct amdgpu_bo_list_entry vm_pd;
+ struct list_head list, duplicates;
++ struct dma_fence *fence = NULL;
+ struct ttm_validate_buffer tv;
+ struct ww_acquire_ctx ticket;
+ struct amdgpu_bo_va *bo_va;
+- int r;
++ long r;
+
+ INIT_LIST_HEAD(&list);
+ INIT_LIST_HEAD(&duplicates);
+
+ tv.bo = &bo->tbo;
+- tv.num_shared = 1;
++ tv.num_shared = 2;
+ list_add(&tv.head, &list);
+
+ amdgpu_vm_get_pd_bo(vm, &list, &vm_pd);
+@@ -178,28 +179,34 @@ void amdgpu_gem_object_close(struct drm_gem_object *obj,
+ r = ttm_eu_reserve_buffers(&ticket, &list, false, &duplicates);
+ if (r) {
+ dev_err(adev->dev, "leaking bo va because "
+- "we fail to reserve bo (%d)\n", r);
++ "we fail to reserve bo (%ld)\n", r);
+ return;
+ }
+ bo_va = amdgpu_vm_bo_find(vm, bo);
+- if (bo_va && --bo_va->ref_count == 0) {
+- amdgpu_vm_bo_rmv(adev, bo_va);
+-
+- if (amdgpu_vm_ready(vm)) {
+- struct dma_fence *fence = NULL;
++ if (!bo_va || --bo_va->ref_count)
++ goto out_unlock;
+
+- r = amdgpu_vm_clear_freed(adev, vm, &fence);
+- if (unlikely(r)) {
+- dev_err(adev->dev, "failed to clear page "
+- "tables on GEM object close (%d)\n", r);
+- }
++ amdgpu_vm_bo_rmv(adev, bo_va);
++ if (!amdgpu_vm_ready(vm))
++ goto out_unlock;
+
+- if (fence) {
+- amdgpu_bo_fence(bo, fence, true);
+- dma_fence_put(fence);
+- }
+- }
++ fence = dma_resv_get_excl(bo->tbo.base.resv);
++ if (fence) {
++ amdgpu_bo_fence(bo, fence, true);
++ fence = NULL;
+ }
++
++ r = amdgpu_vm_clear_freed(adev, vm, &fence);
++ if (r || !fence)
++ goto out_unlock;
++
++ amdgpu_bo_fence(bo, fence, true);
++ dma_fence_put(fence);
++
++out_unlock:
++ if (unlikely(r < 0))
++ dev_err(adev->dev, "failed to clear page "
++ "tables on GEM object close (%ld)\n", r);
+ ttm_eu_backoff_reservation(&ticket, &list);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 5239709c71f44b4421ee3240e807f6320e7a2d12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Apr 2020 17:01:19 +0800
+Subject: drm/amdgpu: Init data to avoid oops while reading pp_num_states.
+
+From: limingyu <limingyu@uniontech.com>
+
+[ Upstream commit 6f81b2d047c59eb77cd04795a44245d6a52cdaec ]
+
+For chip like CHIP_OLAND with si enabled(amdgpu.si_support=1),
+the amdgpu will expose pp_num_states to the /sys directory.
+In this moment, read the pp_num_states file will excute the
+amdgpu_get_pp_num_states func. In our case, the data hasn't
+been initialized, so the kernel will access some ilegal
+address, trigger the segmentfault and system will reboot soon:
+
+ uos@uos-PC:~$ cat /sys/devices/pci0000\:00/0000\:00\:00.0/0000\:01\:00
+ .0/pp_num_states
+
+ Message from syslogd@uos-PC at Apr 22 09:26:20 ...
+ kernel:[ 82.154129] Internal error: Oops: 96000004 [#1] SMP
+
+This patch aims to fix this problem, avoid that reading file
+triggers the kernel sementfault.
+
+Signed-off-by: limingyu <limingyu@uniontech.com>
+Signed-off-by: zhoubinbin <zhoubinbin@uniontech.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+index abe94a55ecad..49e2e43f2e4a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+@@ -444,8 +444,11 @@ static ssize_t amdgpu_get_pp_num_states(struct device *dev,
+ ret = smu_get_power_num_states(&adev->smu, &data);
+ if (ret)
+ return ret;
+- } else if (adev->powerplay.pp_funcs->get_pp_num_states)
++ } else if (adev->powerplay.pp_funcs->get_pp_num_states) {
+ amdgpu_dpm_get_pp_num_states(adev, &data);
++ } else {
++ memset(&data, 0, sizeof(data));
++ }
+
+ pm_runtime_mark_last_busy(ddev->dev);
+ pm_runtime_put_autosuspend(ddev->dev);
+--
+2.25.1
+
--- /dev/null
+From 0d9debe2b4b30ba3ffda05e17b98924f95753593 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2020 21:02:45 -0400
+Subject: drm/amdgpu: Sync with VM root BO when switching VM to CPU update mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+[ Upstream commit 90ca78deb004abe75b5024968a199acb96bb70f9 ]
+
+This fixes an intermittent bug where a root PD clear operation still in
+progress could overwrite a PDE update done by the CPU, resulting in a
+VM fault.
+
+Fixes: 108b4d928c03 ("drm/amd/amdgpu: Update VM function pointer")
+Reported-by: Jay Cornwall <Jay.Cornwall@amd.com>
+Tested-by: Jay Cornwall <Jay.Cornwall@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+index 6d9252a27916..06242096973c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -2996,10 +2996,17 @@ int amdgpu_vm_make_compute(struct amdgpu_device *adev, struct amdgpu_vm *vm,
+ !amdgpu_gmc_vram_full_visible(&adev->gmc)),
+ "CPU update of VM recommended only for large BAR system\n");
+
+- if (vm->use_cpu_for_update)
++ if (vm->use_cpu_for_update) {
++ /* Sync with last SDMA update/clear before switching to CPU */
++ r = amdgpu_bo_sync_wait(vm->root.base.bo,
++ AMDGPU_FENCE_OWNER_UNDEFINED, true);
++ if (r)
++ goto free_idr;
++
+ vm->update_funcs = &amdgpu_vm_cpu_funcs;
+- else
++ } else {
+ vm->update_funcs = &amdgpu_vm_sdma_funcs;
++ }
+ dma_fence_put(vm->last_update);
+ vm->last_update = NULL;
+ vm->is_compute_context = true;
+--
+2.25.1
+
--- /dev/null
+From d3ac4e1fdb72f4a966063d2ac65545119404cb0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2020 10:40:12 +0100
+Subject: drm/ast: Allocate initial CRTC state of the correct size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit f0adbc382b8bb46a2467c4e5e1027763a197c8e1 ]
+
+The ast driver inherits from DRM's CRTC state, but still uses the atomic
+helper for struct drm_crtc_funcs.reset, drm_atomic_helper_crtc_reset().
+
+The helper only allocates enough memory for the core CRTC state. That
+results in an out-ouf-bounds access when duplicating the initial CRTC
+state. Simplified backtrace shown below:
+
+[ 21.469321] ==================================================================
+[ 21.469434] BUG: KASAN: slab-out-of-bounds in ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
+[ 21.469445] Read of size 8 at addr ffff888036c1c5f8 by task systemd-udevd/382
+[ 21.469451]
+[ 21.469464] CPU: 2 PID: 382 Comm: systemd-udevd Tainted: G E 5.5.0-rc6-1-default+ #214
+[ 21.469473] Hardware name: Sun Microsystems SUN FIRE X2270 M2/SUN FIRE X2270 M2, BIOS 2.05 07/01/2010
+[ 21.469480] Call Trace:
+[ 21.469501] dump_stack+0xb8/0x110
+[ 21.469528] print_address_description.constprop.0+0x1b/0x1e0
+[ 21.469557] ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
+[ 21.469581] ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
+[ 21.469597] __kasan_report.cold+0x1a/0x35
+[ 21.469640] ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
+[ 21.469665] kasan_report+0xe/0x20
+[ 21.469693] ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
+[ 21.469733] drm_atomic_get_crtc_state+0xbf/0x1c0
+[ 21.469768] __drm_atomic_helper_set_config+0x81/0x5a0
+[ 21.469803] ? drm_atomic_plane_check+0x690/0x690
+[ 21.469843] ? drm_client_rotation+0xae/0x240
+[ 21.469876] drm_client_modeset_commit_atomic+0x230/0x390
+[ 21.469888] ? __mutex_lock+0x8f0/0xbe0
+[ 21.469929] ? drm_client_firmware_config.isra.0+0xa60/0xa60
+[ 21.469948] ? drm_client_modeset_commit_force+0x28/0x230
+[ 21.470031] ? memset+0x20/0x40
+[ 21.470078] drm_client_modeset_commit_force+0x90/0x230
+[ 21.470110] drm_fb_helper_restore_fbdev_mode_unlocked+0x5f/0xc0
+[ 21.470132] drm_fb_helper_set_par+0x59/0x70
+[ 21.470155] fbcon_init+0x61d/0xad0
+[ 21.470185] ? drm_fb_helper_restore_fbdev_mode_unlocked+0xc0/0xc0
+[ 21.470232] visual_init+0x187/0x240
+[ 21.470266] do_bind_con_driver+0x2e3/0x460
+[ 21.470321] do_take_over_console+0x20a/0x290
+[ 21.470371] do_fbcon_takeover+0x85/0x100
+[ 21.470402] register_framebuffer+0x2fd/0x490
+[ 21.470425] ? kzalloc.constprop.0+0x10/0x10
+[ 21.470503] __drm_fb_helper_initial_config_and_unlock+0xf2/0x140
+[ 21.470533] drm_fbdev_client_hotplug+0x162/0x250
+[ 21.470563] drm_fbdev_generic_setup+0xd2/0x155
+[ 21.470602] ast_driver_load+0x688/0x850 [ast]
+<...>
+[ 21.472625] ==================================================================
+
+Allocating enough memory for struct ast_crtc_state in a custom ast CRTC
+reset handler fixes the problem.
+
+v2:
+ * implement according to drm_atomic_helper_crtc_reset()
+ * update state with __drm_atomic_helper_crtc_reset()
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: 83be6a3ceb11 ("drm/ast: Introduce struct ast_crtc_state")
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: "Noralf Trønnes" <noralf@tronnes.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200130094012.32140-1-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_mode.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c
+index cdd6c46d6557..7a9f20a2fd30 100644
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -881,6 +881,17 @@ static const struct drm_crtc_helper_funcs ast_crtc_helper_funcs = {
+ .atomic_disable = ast_crtc_helper_atomic_disable,
+ };
+
++static void ast_crtc_reset(struct drm_crtc *crtc)
++{
++ struct ast_crtc_state *ast_state =
++ kzalloc(sizeof(*ast_state), GFP_KERNEL);
++
++ if (crtc->state)
++ crtc->funcs->atomic_destroy_state(crtc, crtc->state);
++
++ __drm_atomic_helper_crtc_reset(crtc, &ast_state->base);
++}
++
+ static void ast_crtc_destroy(struct drm_crtc *crtc)
+ {
+ drm_crtc_cleanup(crtc);
+@@ -919,7 +930,7 @@ static void ast_crtc_atomic_destroy_state(struct drm_crtc *crtc,
+ }
+
+ static const struct drm_crtc_funcs ast_crtc_funcs = {
+- .reset = drm_atomic_helper_crtc_reset,
++ .reset = ast_crtc_reset,
+ .set_config = drm_crtc_helper_set_config,
+ .gamma_set = drm_atomic_helper_legacy_gamma_set,
+ .destroy = ast_crtc_destroy,
+--
+2.25.1
+
--- /dev/null
+From 521b2990651aa3ede34472d1a7860e99b98f0721 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 14:35:08 +0300
+Subject: drm: bridge: adv7511: Extend list of audio sample rates
+
+From: Bogdan Togorean <bogdan.togorean@analog.com>
+
+[ Upstream commit b97b6a1f6e14a25d1e1ca2a46c5fa3e2ca374e22 ]
+
+ADV7511 support sample rates up to 192kHz. CTS and N parameters should
+be computed accordingly so this commit extend the list up to maximum
+supported sample rate.
+
+Signed-off-by: Bogdan Togorean <bogdan.togorean@analog.com>
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200413113513.86091-2-bogdan.togorean@analog.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+index a428185be2c1..d05b3033b510 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+@@ -19,13 +19,15 @@ static void adv7511_calc_cts_n(unsigned int f_tmds, unsigned int fs,
+ {
+ switch (fs) {
+ case 32000:
+- *n = 4096;
++ case 48000:
++ case 96000:
++ case 192000:
++ *n = fs * 128 / 1000;
+ break;
+ case 44100:
+- *n = 6272;
+- break;
+- case 48000:
+- *n = 6144;
++ case 88200:
++ case 176400:
++ *n = fs * 128 / 900;
+ break;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b2b7b354cfd85bb856b1719124685ff154ef044b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 23:53:54 +0200
+Subject: drm/bridge: fix stack usage warning on old gcc
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 78b0d99a68ecdc84728c99f4fef71942e9ecf35a ]
+
+Some older versions of gcc badly optimize code that passes
+an inline function argument into another function by reference,
+causing huge stack usage:
+
+drivers/gpu/drm/bridge/tc358768.c: In function 'tc358768_bridge_pre_enable':
+drivers/gpu/drm/bridge/tc358768.c:840:1: error: the frame size of 2256 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
+
+Use a temporary variable as a workaround and add a comment pointing
+to the gcc bug.
+
+Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200428215408.4111675-1-arnd@arndb.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/tc358768.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c
+index 1b39e8d37834..6650fe4cfc20 100644
+--- a/drivers/gpu/drm/bridge/tc358768.c
++++ b/drivers/gpu/drm/bridge/tc358768.c
+@@ -178,6 +178,8 @@ static int tc358768_clear_error(struct tc358768_priv *priv)
+
+ static void tc358768_write(struct tc358768_priv *priv, u32 reg, u32 val)
+ {
++ /* work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 */
++ int tmpval = val;
+ size_t count = 2;
+
+ if (priv->error)
+@@ -187,7 +189,7 @@ static void tc358768_write(struct tc358768_priv *priv, u32 reg, u32 val)
+ if (reg < 0x100 || reg >= 0x600)
+ count = 1;
+
+- priv->error = regmap_bulk_write(priv->regmap, reg, &val, count);
++ priv->error = regmap_bulk_write(priv->regmap, reg, &tmpval, count);
+ }
+
+ static void tc358768_read(struct tc358768_priv *priv, u32 reg, u32 *val)
+--
+2.25.1
+
--- /dev/null
+From 30a7ce4acaafa18923785e72a6fc3edc6893a409 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 23:06:54 +0200
+Subject: drm/bridge: panel: Return always an error pointer in
+ drm_panel_bridge_add()
+
+From: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+
+[ Upstream commit 30be3031087139061de4421bf52015931eaab569 ]
+
+Since commit 89958b7cd955 ("drm/bridge: panel: Infer connector type from
+panel by default"), drm_panel_bridge_add() and their variants can return
+NULL and an error pointer. This is fine but none of the actual users of
+the API are checking for the NULL value. Instead of change all the
+users, seems reasonable to return an error pointer instead. So change
+the returned value for those functions when the connector type is unknown.
+
+Suggested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200416210654.2468805-1-enric.balletbo@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/panel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/panel.c b/drivers/gpu/drm/bridge/panel.c
+index 8461ee8304ba..7a3df0f319f3 100644
+--- a/drivers/gpu/drm/bridge/panel.c
++++ b/drivers/gpu/drm/bridge/panel.c
+@@ -166,7 +166,7 @@ static const struct drm_bridge_funcs panel_bridge_bridge_funcs = {
+ *
+ * The connector type is set to @panel->connector_type, which must be set to a
+ * known type. Calling this function with a panel whose connector type is
+- * DRM_MODE_CONNECTOR_Unknown will return NULL.
++ * DRM_MODE_CONNECTOR_Unknown will return ERR_PTR(-EINVAL).
+ *
+ * See devm_drm_panel_bridge_add() for an automatically managed version of this
+ * function.
+@@ -174,7 +174,7 @@ static const struct drm_bridge_funcs panel_bridge_bridge_funcs = {
+ struct drm_bridge *drm_panel_bridge_add(struct drm_panel *panel)
+ {
+ if (WARN_ON(panel->connector_type == DRM_MODE_CONNECTOR_Unknown))
+- return NULL;
++ return ERR_PTR(-EINVAL);
+
+ return drm_panel_bridge_add_typed(panel, panel->connector_type);
+ }
+@@ -265,7 +265,7 @@ struct drm_bridge *devm_drm_panel_bridge_add(struct device *dev,
+ struct drm_panel *panel)
+ {
+ if (WARN_ON(panel->connector_type == DRM_MODE_CONNECTOR_Unknown))
+- return NULL;
++ return ERR_PTR(-EINVAL);
+
+ return devm_drm_panel_bridge_add_typed(dev, panel,
+ panel->connector_type);
+--
+2.25.1
+
--- /dev/null
+From 5e23d591f618c3c5ced90faf03dc36215121bf7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 22:56:35 -0400
+Subject: drm/dp: Lenovo X13 Yoga OLED panel brightness fix
+
+From: Mark Pearson <mpearson.lenovo@gmail.com>
+
+[ Upstream commit 0df3ff451287d71c620384eb7bb2cd3a8106412c ]
+
+Add another panel that needs the edid quirk to the list so that
+brightness control works correctly. Fixes issue seen on Lenovo X13 Yoga
+with OLED panel
+
+Co-developed-by: jendrina@lenovo.com
+Signed-off-by: Mark Pearson <mpearson@gmail.com>
+[fixed commit message, sobs]
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200519025635.22846-1-mpearson@lenovo.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_dp_helper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_dp_helper.c b/drivers/gpu/drm/drm_dp_helper.c
+index c6fbe6e6bc9d..41f0e797ce8c 100644
+--- a/drivers/gpu/drm/drm_dp_helper.c
++++ b/drivers/gpu/drm/drm_dp_helper.c
+@@ -1313,6 +1313,7 @@ static const struct edid_quirk edid_quirk_list[] = {
+ { MFG(0x06, 0xaf), PROD_ID(0xeb, 0x41), BIT(DP_QUIRK_FORCE_DPCD_BACKLIGHT) },
+ { MFG(0x4d, 0x10), PROD_ID(0xc7, 0x14), BIT(DP_QUIRK_FORCE_DPCD_BACKLIGHT) },
+ { MFG(0x4d, 0x10), PROD_ID(0xe6, 0x14), BIT(DP_QUIRK_FORCE_DPCD_BACKLIGHT) },
++ { MFG(0x4c, 0x83), PROD_ID(0x47, 0x41), BIT(DP_QUIRK_FORCE_DPCD_BACKLIGHT) },
+ };
+
+ #undef MFG
+--
+2.25.1
+
--- /dev/null
+From bd7cb0b2004e14189ad0c419a5fb6fdf2e94faf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Mar 2020 11:43:01 +0800
+Subject: drm/hisilicon: Enforce 128-byte stride alignment to fix the hardware
+ limitation
+
+From: Tian Tao <tiantao6@hisilicon.com>
+
+[ Upstream commit 9c9a8468de21895abc43f45fc86346467217c986 ]
+
+because the hardware limitation,The initial color depth must set to 32bpp
+and must set the FB Offset of the display hardware to 128Byte alignment,
+which is used to solve the display problem at 800x600 and 1440x900
+resolution under 16bpp.
+
+Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
+Signed-off-by: Gong junjie <gongjunjie2@huawei.com>
+Acked-by: Xinliang Liu <xinliang.liu@linaro.org>
+Signed-off-by: Xinliang Liu <xinliang.liu@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1583466184-7060-4-git-send-email-tiantao6@hisilicon.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c | 9 +++++----
+ drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 4 ++--
+ drivers/gpu/drm/hisilicon/hibmc/hibmc_ttm.c | 2 +-
+ 3 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c
+index 55b46a7150a5..cc70e836522f 100644
+--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c
++++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c
+@@ -94,6 +94,10 @@ static int hibmc_plane_atomic_check(struct drm_plane *plane,
+ return -EINVAL;
+ }
+
++ if (state->fb->pitches[0] % 128 != 0) {
++ DRM_DEBUG_ATOMIC("wrong stride with 128-byte aligned\n");
++ return -EINVAL;
++ }
+ return 0;
+ }
+
+@@ -119,11 +123,8 @@ static void hibmc_plane_atomic_update(struct drm_plane *plane,
+ writel(gpu_addr, priv->mmio + HIBMC_CRT_FB_ADDRESS);
+
+ reg = state->fb->width * (state->fb->format->cpp[0]);
+- /* now line_pad is 16 */
+- reg = PADDING(16, reg);
+
+- line_l = state->fb->width * state->fb->format->cpp[0];
+- line_l = PADDING(16, line_l);
++ line_l = state->fb->pitches[0];
+ writel(HIBMC_FIELD(HIBMC_CRT_FB_WIDTH_WIDTH, reg) |
+ HIBMC_FIELD(HIBMC_CRT_FB_WIDTH_OFFS, line_l),
+ priv->mmio + HIBMC_CRT_FB_WIDTH);
+diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
+index 222356a4f9a8..79a180ae4509 100644
+--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
++++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
+@@ -94,7 +94,7 @@ static int hibmc_kms_init(struct hibmc_drm_private *priv)
+ priv->dev->mode_config.max_height = 1200;
+
+ priv->dev->mode_config.fb_base = priv->fb_base;
+- priv->dev->mode_config.preferred_depth = 24;
++ priv->dev->mode_config.preferred_depth = 32;
+ priv->dev->mode_config.prefer_shadow = 1;
+
+ priv->dev->mode_config.funcs = (void *)&hibmc_mode_funcs;
+@@ -307,7 +307,7 @@ static int hibmc_load(struct drm_device *dev)
+ /* reset all the states of crtc/plane/encoder/connector */
+ drm_mode_config_reset(dev);
+
+- ret = drm_fbdev_generic_setup(dev, 16);
++ ret = drm_fbdev_generic_setup(dev, dev->mode_config.preferred_depth);
+ if (ret) {
+ DRM_ERROR("failed to initialize fbdev: %d\n", ret);
+ goto err;
+diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_ttm.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_ttm.c
+index 99397ac3b363..322bd542e89d 100644
+--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_ttm.c
++++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_ttm.c
+@@ -50,7 +50,7 @@ void hibmc_mm_fini(struct hibmc_drm_private *hibmc)
+ int hibmc_dumb_create(struct drm_file *file, struct drm_device *dev,
+ struct drm_mode_create_dumb *args)
+ {
+- return drm_gem_vram_fill_create_dumb(file, dev, 0, 16, args);
++ return drm_gem_vram_fill_create_dumb(file, dev, 0, 128, args);
+ }
+
+ const struct drm_mode_config_funcs hibmc_mode_funcs = {
+--
+2.25.1
+
--- /dev/null
+From 0ab128cf1a02808defa8688612a135e7ccb0054e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 07:31:45 +0000
+Subject: drm/mcde: dsi: Fix return value check in mcde_dsi_bind()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 761e9f4f80a21a4b845097027030bef863001636 ]
+
+The of_drm_find_bridge() function returns NULL on error, it doesn't return
+error pointers so this check doesn't work.
+
+Fixes: 5fc537bfd000 ("drm/mcde: Add new driver for ST-Ericsson MCDE")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200430073145.52321-1-weiyongjun1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mcde/mcde_dsi.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/mcde/mcde_dsi.c b/drivers/gpu/drm/mcde/mcde_dsi.c
+index 7af5ebb0c436..e705afc08c4e 100644
+--- a/drivers/gpu/drm/mcde/mcde_dsi.c
++++ b/drivers/gpu/drm/mcde/mcde_dsi.c
+@@ -1073,10 +1073,9 @@ static int mcde_dsi_bind(struct device *dev, struct device *master,
+ panel = NULL;
+
+ bridge = of_drm_find_bridge(child);
+- if (IS_ERR(bridge)) {
+- dev_err(dev, "failed to find bridge (%ld)\n",
+- PTR_ERR(bridge));
+- return PTR_ERR(bridge);
++ if (!bridge) {
++ dev_err(dev, "failed to find bridge\n");
++ return -EINVAL;
+ }
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 1b842874c3d165f5cfbb0104bc6ec369df8c53f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Apr 2020 09:13:19 +0800
+Subject: drm/mediatek: set dpi pin mode to gpio low to avoid leakage current
+
+From: Jitao Shi <jitao.shi@mediatek.com>
+
+[ Upstream commit 6bd4763fd532cff43f9b15704f324c45a9806f53 ]
+
+Config dpi pins mode to output and pull low when dpi is disabled.
+Aovid leakage current from some dpi pins (Hsync Vsync DE ... ).
+
+Signed-off-by: Jitao Shi <jitao.shi@mediatek.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dpi.c | 31 ++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
+index 4f0ce4cd5b8c..2994c63ea279 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
+@@ -10,7 +10,9 @@
+ #include <linux/kernel.h>
+ #include <linux/of.h>
+ #include <linux/of_device.h>
++#include <linux/of_gpio.h>
+ #include <linux/of_graph.h>
++#include <linux/pinctrl/consumer.h>
+ #include <linux/platform_device.h>
+ #include <linux/types.h>
+
+@@ -74,6 +76,9 @@ struct mtk_dpi {
+ enum mtk_dpi_out_yc_map yc_map;
+ enum mtk_dpi_out_bit_num bit_num;
+ enum mtk_dpi_out_channel_swap channel_swap;
++ struct pinctrl *pinctrl;
++ struct pinctrl_state *pins_gpio;
++ struct pinctrl_state *pins_dpi;
+ int refcount;
+ };
+
+@@ -379,6 +384,9 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi)
+ if (--dpi->refcount != 0)
+ return;
+
++ if (dpi->pinctrl && dpi->pins_gpio)
++ pinctrl_select_state(dpi->pinctrl, dpi->pins_gpio);
++
+ mtk_dpi_disable(dpi);
+ clk_disable_unprepare(dpi->pixel_clk);
+ clk_disable_unprepare(dpi->engine_clk);
+@@ -403,6 +411,9 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
+ goto err_pixel;
+ }
+
++ if (dpi->pinctrl && dpi->pins_dpi)
++ pinctrl_select_state(dpi->pinctrl, dpi->pins_dpi);
++
+ mtk_dpi_enable(dpi);
+ return 0;
+
+@@ -705,6 +716,26 @@ static int mtk_dpi_probe(struct platform_device *pdev)
+ dpi->dev = dev;
+ dpi->conf = (struct mtk_dpi_conf *)of_device_get_match_data(dev);
+
++ dpi->pinctrl = devm_pinctrl_get(&pdev->dev);
++ if (IS_ERR(dpi->pinctrl)) {
++ dpi->pinctrl = NULL;
++ dev_dbg(&pdev->dev, "Cannot find pinctrl!\n");
++ }
++ if (dpi->pinctrl) {
++ dpi->pins_gpio = pinctrl_lookup_state(dpi->pinctrl, "sleep");
++ if (IS_ERR(dpi->pins_gpio)) {
++ dpi->pins_gpio = NULL;
++ dev_dbg(&pdev->dev, "Cannot find pinctrl idle!\n");
++ }
++ if (dpi->pins_gpio)
++ pinctrl_select_state(dpi->pinctrl, dpi->pins_gpio);
++
++ dpi->pins_dpi = pinctrl_lookup_state(dpi->pinctrl, "default");
++ if (IS_ERR(dpi->pins_dpi)) {
++ dpi->pins_dpi = NULL;
++ dev_dbg(&pdev->dev, "Cannot find pinctrl active!\n");
++ }
++ }
+ mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ dpi->regs = devm_ioremap_resource(dev, mem);
+ if (IS_ERR(dpi->regs)) {
+--
+2.25.1
+
--- /dev/null
+From 4d8b59c0e7a3c49321865cc07fb643f04f12e473 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2020 15:11:00 +0900
+Subject: drm: rcar-du: Set primary plane zpos immutably at initializing
+
+From: Tomohito Esaki <etom@igel.co.jp>
+
+[ Upstream commit 7982471d01aac33994276bf567c8f1f3a137648a ]
+
+According to drm_plane_create_zpos_property() function documentation,
+all planes zpos range should be set if zpos property is supported.
+However, the rcar-du driver didn't set primary plane zpos range. Since
+the primary plane's zpos is fixed, set it immutably.
+
+Reported-by: Yoshihito Ogawa <yoshihito.ogawa.kc@renesas.com>
+Reported-by: Koji Matsuoka <koji.matsuoka.xm@renesas.com>
+Signed-off-by: Tomohito Esaki <etom@igel.co.jp>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+[Turn continue into if ... else ...]
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_plane.c | 16 +++++++++-------
+ drivers/gpu/drm/rcar-du/rcar_du_vsp.c | 14 ++++++++------
+ 2 files changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/rcar_du_plane.c b/drivers/gpu/drm/rcar-du/rcar_du_plane.c
+index c6430027169f..a0021fc25b27 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_du_plane.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_plane.c
+@@ -785,13 +785,15 @@ int rcar_du_planes_init(struct rcar_du_group *rgrp)
+
+ drm_plane_create_alpha_property(&plane->plane);
+
+- if (type == DRM_PLANE_TYPE_PRIMARY)
+- continue;
+-
+- drm_object_attach_property(&plane->plane.base,
+- rcdu->props.colorkey,
+- RCAR_DU_COLORKEY_NONE);
+- drm_plane_create_zpos_property(&plane->plane, 1, 1, 7);
++ if (type == DRM_PLANE_TYPE_PRIMARY) {
++ drm_plane_create_zpos_immutable_property(&plane->plane,
++ 0);
++ } else {
++ drm_object_attach_property(&plane->plane.base,
++ rcdu->props.colorkey,
++ RCAR_DU_COLORKEY_NONE);
++ drm_plane_create_zpos_property(&plane->plane, 1, 1, 7);
++ }
+ }
+
+ return 0;
+diff --git a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
+index 5e4faf258c31..f1a81c9b184d 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
+@@ -392,12 +392,14 @@ int rcar_du_vsp_init(struct rcar_du_vsp *vsp, struct device_node *np,
+ drm_plane_helper_add(&plane->plane,
+ &rcar_du_vsp_plane_helper_funcs);
+
+- if (type == DRM_PLANE_TYPE_PRIMARY)
+- continue;
+-
+- drm_plane_create_alpha_property(&plane->plane);
+- drm_plane_create_zpos_property(&plane->plane, 1, 1,
+- vsp->num_planes - 1);
++ if (type == DRM_PLANE_TYPE_PRIMARY) {
++ drm_plane_create_zpos_immutable_property(&plane->plane,
++ 0);
++ } else {
++ drm_plane_create_alpha_property(&plane->plane);
++ drm_plane_create_zpos_property(&plane->plane, 1, 1,
++ vsp->num_planes - 1);
++ }
+ }
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 2f55a0f64cbb5b3ae02d94d36eee3d6af6dbc07e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 17:38:19 +0200
+Subject: dsa: sja1105: dynamically allocate stats structure
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit ae1804de93f6f1626906567ae7deec8e0111259d ]
+
+The addition of sja1105_port_status_ether structure into the
+statistics causes the frame size to go over the warning limit:
+
+drivers/net/dsa/sja1105/sja1105_ethtool.c:421:6: error: stack frame size of 1104 bytes in function 'sja1105_get_ethtool_stats' [-Werror,-Wframe-larger-than=]
+
+Use dynamic allocation to avoid this.
+
+Fixes: 336aa67bd027 ("net: dsa: sja1105: show more ethtool statistics counters for P/Q/R/S")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_ethtool.c | 144 +++++++++++-----------
+ 1 file changed, 74 insertions(+), 70 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_ethtool.c b/drivers/net/dsa/sja1105/sja1105_ethtool.c
+index d742ffcbfce9..709f035055c5 100644
+--- a/drivers/net/dsa/sja1105/sja1105_ethtool.c
++++ b/drivers/net/dsa/sja1105/sja1105_ethtool.c
+@@ -421,92 +421,96 @@ static char sja1105pqrs_extra_port_stats[][ETH_GSTRING_LEN] = {
+ void sja1105_get_ethtool_stats(struct dsa_switch *ds, int port, u64 *data)
+ {
+ struct sja1105_private *priv = ds->priv;
+- struct sja1105_port_status status;
++ struct sja1105_port_status *status;
+ int rc, i, k = 0;
+
+- memset(&status, 0, sizeof(status));
++ status = kzalloc(sizeof(*status), GFP_KERNEL);
++ if (!status)
++ goto out;
+
+- rc = sja1105_port_status_get(priv, &status, port);
++ rc = sja1105_port_status_get(priv, status, port);
+ if (rc < 0) {
+ dev_err(ds->dev, "Failed to read port %d counters: %d\n",
+ port, rc);
+- return;
++ goto out;
+ }
+ memset(data, 0, ARRAY_SIZE(sja1105_port_stats) * sizeof(u64));
+- data[k++] = status.mac.n_runt;
+- data[k++] = status.mac.n_soferr;
+- data[k++] = status.mac.n_alignerr;
+- data[k++] = status.mac.n_miierr;
+- data[k++] = status.mac.typeerr;
+- data[k++] = status.mac.sizeerr;
+- data[k++] = status.mac.tctimeout;
+- data[k++] = status.mac.priorerr;
+- data[k++] = status.mac.nomaster;
+- data[k++] = status.mac.memov;
+- data[k++] = status.mac.memerr;
+- data[k++] = status.mac.invtyp;
+- data[k++] = status.mac.intcyov;
+- data[k++] = status.mac.domerr;
+- data[k++] = status.mac.pcfbagdrop;
+- data[k++] = status.mac.spcprior;
+- data[k++] = status.mac.ageprior;
+- data[k++] = status.mac.portdrop;
+- data[k++] = status.mac.lendrop;
+- data[k++] = status.mac.bagdrop;
+- data[k++] = status.mac.policeerr;
+- data[k++] = status.mac.drpnona664err;
+- data[k++] = status.mac.spcerr;
+- data[k++] = status.mac.agedrp;
+- data[k++] = status.hl1.n_n664err;
+- data[k++] = status.hl1.n_vlanerr;
+- data[k++] = status.hl1.n_unreleased;
+- data[k++] = status.hl1.n_sizeerr;
+- data[k++] = status.hl1.n_crcerr;
+- data[k++] = status.hl1.n_vlnotfound;
+- data[k++] = status.hl1.n_ctpolerr;
+- data[k++] = status.hl1.n_polerr;
+- data[k++] = status.hl1.n_rxfrm;
+- data[k++] = status.hl1.n_rxbyte;
+- data[k++] = status.hl1.n_txfrm;
+- data[k++] = status.hl1.n_txbyte;
+- data[k++] = status.hl2.n_qfull;
+- data[k++] = status.hl2.n_part_drop;
+- data[k++] = status.hl2.n_egr_disabled;
+- data[k++] = status.hl2.n_not_reach;
++ data[k++] = status->mac.n_runt;
++ data[k++] = status->mac.n_soferr;
++ data[k++] = status->mac.n_alignerr;
++ data[k++] = status->mac.n_miierr;
++ data[k++] = status->mac.typeerr;
++ data[k++] = status->mac.sizeerr;
++ data[k++] = status->mac.tctimeout;
++ data[k++] = status->mac.priorerr;
++ data[k++] = status->mac.nomaster;
++ data[k++] = status->mac.memov;
++ data[k++] = status->mac.memerr;
++ data[k++] = status->mac.invtyp;
++ data[k++] = status->mac.intcyov;
++ data[k++] = status->mac.domerr;
++ data[k++] = status->mac.pcfbagdrop;
++ data[k++] = status->mac.spcprior;
++ data[k++] = status->mac.ageprior;
++ data[k++] = status->mac.portdrop;
++ data[k++] = status->mac.lendrop;
++ data[k++] = status->mac.bagdrop;
++ data[k++] = status->mac.policeerr;
++ data[k++] = status->mac.drpnona664err;
++ data[k++] = status->mac.spcerr;
++ data[k++] = status->mac.agedrp;
++ data[k++] = status->hl1.n_n664err;
++ data[k++] = status->hl1.n_vlanerr;
++ data[k++] = status->hl1.n_unreleased;
++ data[k++] = status->hl1.n_sizeerr;
++ data[k++] = status->hl1.n_crcerr;
++ data[k++] = status->hl1.n_vlnotfound;
++ data[k++] = status->hl1.n_ctpolerr;
++ data[k++] = status->hl1.n_polerr;
++ data[k++] = status->hl1.n_rxfrm;
++ data[k++] = status->hl1.n_rxbyte;
++ data[k++] = status->hl1.n_txfrm;
++ data[k++] = status->hl1.n_txbyte;
++ data[k++] = status->hl2.n_qfull;
++ data[k++] = status->hl2.n_part_drop;
++ data[k++] = status->hl2.n_egr_disabled;
++ data[k++] = status->hl2.n_not_reach;
+
+ if (priv->info->device_id == SJA1105E_DEVICE_ID ||
+ priv->info->device_id == SJA1105T_DEVICE_ID)
+- return;
++ goto out;;
+
+ memset(data + k, 0, ARRAY_SIZE(sja1105pqrs_extra_port_stats) *
+ sizeof(u64));
+ for (i = 0; i < 8; i++) {
+- data[k++] = status.hl2.qlevel_hwm[i];
+- data[k++] = status.hl2.qlevel[i];
++ data[k++] = status->hl2.qlevel_hwm[i];
++ data[k++] = status->hl2.qlevel[i];
+ }
+- data[k++] = status.ether.n_drops_nolearn;
+- data[k++] = status.ether.n_drops_noroute;
+- data[k++] = status.ether.n_drops_ill_dtag;
+- data[k++] = status.ether.n_drops_dtag;
+- data[k++] = status.ether.n_drops_sotag;
+- data[k++] = status.ether.n_drops_sitag;
+- data[k++] = status.ether.n_drops_utag;
+- data[k++] = status.ether.n_tx_bytes_1024_2047;
+- data[k++] = status.ether.n_tx_bytes_512_1023;
+- data[k++] = status.ether.n_tx_bytes_256_511;
+- data[k++] = status.ether.n_tx_bytes_128_255;
+- data[k++] = status.ether.n_tx_bytes_65_127;
+- data[k++] = status.ether.n_tx_bytes_64;
+- data[k++] = status.ether.n_tx_mcast;
+- data[k++] = status.ether.n_tx_bcast;
+- data[k++] = status.ether.n_rx_bytes_1024_2047;
+- data[k++] = status.ether.n_rx_bytes_512_1023;
+- data[k++] = status.ether.n_rx_bytes_256_511;
+- data[k++] = status.ether.n_rx_bytes_128_255;
+- data[k++] = status.ether.n_rx_bytes_65_127;
+- data[k++] = status.ether.n_rx_bytes_64;
+- data[k++] = status.ether.n_rx_mcast;
+- data[k++] = status.ether.n_rx_bcast;
++ data[k++] = status->ether.n_drops_nolearn;
++ data[k++] = status->ether.n_drops_noroute;
++ data[k++] = status->ether.n_drops_ill_dtag;
++ data[k++] = status->ether.n_drops_dtag;
++ data[k++] = status->ether.n_drops_sotag;
++ data[k++] = status->ether.n_drops_sitag;
++ data[k++] = status->ether.n_drops_utag;
++ data[k++] = status->ether.n_tx_bytes_1024_2047;
++ data[k++] = status->ether.n_tx_bytes_512_1023;
++ data[k++] = status->ether.n_tx_bytes_256_511;
++ data[k++] = status->ether.n_tx_bytes_128_255;
++ data[k++] = status->ether.n_tx_bytes_65_127;
++ data[k++] = status->ether.n_tx_bytes_64;
++ data[k++] = status->ether.n_tx_mcast;
++ data[k++] = status->ether.n_tx_bcast;
++ data[k++] = status->ether.n_rx_bytes_1024_2047;
++ data[k++] = status->ether.n_rx_bytes_512_1023;
++ data[k++] = status->ether.n_rx_bytes_256_511;
++ data[k++] = status->ether.n_rx_bytes_128_255;
++ data[k++] = status->ether.n_rx_bytes_65_127;
++ data[k++] = status->ether.n_rx_bytes_64;
++ data[k++] = status->ether.n_rx_mcast;
++ data[k++] = status->ether.n_rx_bcast;
++out:
++ kfree(status);
+ }
+
+ void sja1105_get_strings(struct dsa_switch *ds, int port,
+--
+2.25.1
+
--- /dev/null
+From 27c2d366cc574f6e0f7aa87b15ba78782b229b5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Apr 2020 09:13:17 +0800
+Subject: dt-bindings: display: mediatek: control dpi pins mode to avoid
+ leakage
+
+From: Jitao Shi <jitao.shi@mediatek.com>
+
+[ Upstream commit b0ff9b590733079f7f9453e5976a9dd2630949e3 ]
+
+Add property "pinctrl-names" to swap pin mode between gpio and dpi mode.
+Set the dpi pins to gpio mode and output-low to avoid leakage current
+when dpi disabled.
+
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Jitao Shi <jitao.shi@mediatek.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/display/mediatek/mediatek,dpi.txt | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt b/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt
+index 58914cf681b8..77def4456706 100644
+--- a/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt
++++ b/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt
+@@ -17,6 +17,9 @@ Required properties:
+ Documentation/devicetree/bindings/graph.txt. This port should be connected
+ to the input port of an attached HDMI or LVDS encoder chip.
+
++Optional properties:
++- pinctrl-names: Contain "default" and "sleep".
++
+ Example:
+
+ dpi0: dpi@1401d000 {
+@@ -27,6 +30,9 @@ dpi0: dpi@1401d000 {
+ <&mmsys CLK_MM_DPI_ENGINE>,
+ <&apmixedsys CLK_APMIXED_TVDPLL>;
+ clock-names = "pixel", "engine", "pll";
++ pinctrl-names = "default", "sleep";
++ pinctrl-0 = <&dpi_pin_func>;
++ pinctrl-1 = <&dpi_pin_idle>;
+
+ port {
+ dpi0_out: endpoint {
+--
+2.25.1
+
--- /dev/null
+From 065f063500fe31ce214a425d864e9884ecc7b732 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2020 22:23:02 -0800
+Subject: e1000: Distribute switch variables for initialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit a34c7f5156654ebaf7eaace102938be7ff7036cb ]
+
+Variables declared in a switch statement before any case statements
+cannot be automatically initialized with compiler instrumentation (as
+they are not part of any execution flow). With GCC's proposed automatic
+stack variable initialization feature, this triggers a warning (and they
+don't get initialized). Clang's automatic stack variable initialization
+(via CONFIG_INIT_STACK_ALL=y) doesn't throw a warning, but it also
+doesn't initialize such variables[1]. Note that these warnings (or silent
+skipping) happen before the dead-store elimination optimization phase,
+so even when the automatic initializations are later elided in favor of
+direct initializations, the warnings remain.
+
+To avoid these problems, move such variables into the "case" where
+they're used or lift them up into the main function body.
+
+drivers/net/ethernet/intel/e1000/e1000_main.c: In function ‘e1000_xmit_frame’:
+drivers/net/ethernet/intel/e1000/e1000_main.c:3143:18: warning: statement will never be executed [-Wswitch-unreachable]
+ 3143 | unsigned int pull_size;
+ | ^~~~~~~~~
+
+[1] https://bugs.llvm.org/show_bug.cgi?id=44916
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
+index 0d51cbc88028..05bc6e216bca 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -3136,8 +3136,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+ hdr_len = skb_transport_offset(skb) + tcp_hdrlen(skb);
+ if (skb->data_len && hdr_len == len) {
+ switch (hw->mac_type) {
++ case e1000_82544: {
+ unsigned int pull_size;
+- case e1000_82544:
++
+ /* Make sure we have room to chop off 4 bytes,
+ * and that the end alignment will work out to
+ * this hardware's requirements
+@@ -3158,6 +3159,7 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+ }
+ len = skb_headlen(skb);
+ break;
++ }
+ default:
+ /* do nothing */
+ break;
+--
+2.25.1
+
--- /dev/null
+From a0de631f32bccadb3b2bfd1cc34274c1c500d881 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 16:01:05 +0200
+Subject: efi/libstub/random: Align allocate size to EFI_ALLOC_ALIGN
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit e1df73e2d18b3b7d66f2ec38d81d9566b3a7fb21 ]
+
+The EFI stub uses a per-architecture #define for the minimum base
+and size alignment of page allocations, which is set to 4 KB for
+all architecures except arm64, which uses 64 KB, to ensure that
+allocations can always be (un)mapped efficiently, regardless of
+the page size used by the kernel proper, which could be a kexec'ee
+
+The API wrappers around page based allocations assume that this
+alignment is always taken into account, and so efi_free() will
+also round up its size argument to EFI_ALLOC_ALIGN.
+
+Currently, efi_random_alloc() does not honour this alignment for
+the allocated size, and so freeing such an allocation may result
+in unrelated memory to be freed, potentially leading to issues
+after boot. So let's round up size in efi_random_alloc() as well.
+
+Fixes: 2ddbfc81eac84a29 ("efi: stub: add implementation of efi_random_alloc()")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/randomalloc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c
+index 4578f59e160c..6200dfa650f5 100644
+--- a/drivers/firmware/efi/libstub/randomalloc.c
++++ b/drivers/firmware/efi/libstub/randomalloc.c
+@@ -74,6 +74,8 @@ efi_status_t efi_random_alloc(unsigned long size,
+ if (align < EFI_ALLOC_ALIGN)
+ align = EFI_ALLOC_ALIGN;
+
++ size = round_up(size, EFI_ALLOC_ALIGN);
++
+ /* count the suitable slots in each memory map entry */
+ for (map_offset = 0; map_offset < map_size; map_offset += desc_size) {
+ efi_memory_desc_t *md = (void *)memory_map + map_offset;
+@@ -109,7 +111,7 @@ efi_status_t efi_random_alloc(unsigned long size,
+ }
+
+ target = round_up(md->phys_addr, align) + target_slot * align;
+- pages = round_up(size, EFI_PAGE_SIZE) / EFI_PAGE_SIZE;
++ pages = size / EFI_PAGE_SIZE;
+
+ status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS,
+ EFI_LOADER_DATA, pages, &target);
+--
+2.25.1
+
--- /dev/null
+From 372e6697f5d835357dfcf1d96c6406035f648996 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 10:06:29 +0200
+Subject: efi/libstub/x86: Work around LLVM ELF quirk build regression
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit f77767ed5f4d398b29119563155e4ece2dfeee13 ]
+
+When building the x86 EFI stub with Clang, the libstub Makefile rules
+that manipulate the ELF object files may throw an error like:
+
+ STUBCPY drivers/firmware/efi/libstub/efi-stub-helper.stub.o
+ strip: drivers/firmware/efi/libstub/efi-stub-helper.stub.o: Failed to find link section for section 10
+ objcopy: drivers/firmware/efi/libstub/efi-stub-helper.stub.o: Failed to find link section for section 10
+
+This is the result of a LLVM feature [0] where symbol references are
+stored in a LLVM specific .llvm_addrsig section in a non-transparent way,
+causing generic ELF tools such as strip or objcopy to choke on them.
+
+So force the compiler not to emit these sections, by passing the
+appropriate command line option.
+
+[0] https://sourceware.org/bugzilla/show_bug.cgi?id=23817
+
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Peter Collingbourne <pcc@google.com>
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Suggested-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
+index 094eabdecfe6..d85016553f14 100644
+--- a/drivers/firmware/efi/libstub/Makefile
++++ b/drivers/firmware/efi/libstub/Makefile
+@@ -30,6 +30,7 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \
+ -D__NO_FORTIFY \
+ $(call cc-option,-ffreestanding) \
+ $(call cc-option,-fno-stack-protector) \
++ $(call cc-option,-fno-addrsig) \
+ -D__DISABLE_EXPORTS
+
+ GCOV_PROFILE := n
+--
+2.25.1
+
--- /dev/null
+From 03c3fb1678a5b84783d3d368cdf475976c87ff0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2020 23:06:57 +0100
+Subject: exit: Move preemption fixup up, move blocking operations down
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 586b58cac8b4683eb58a1446fbc399de18974e40 ]
+
+With CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_CGROUPS=y, kernel oopses in
+non-preemptible context look untidy; after the main oops, the kernel prints
+a "sleeping function called from invalid context" report because
+exit_signals() -> cgroup_threadgroup_change_begin() -> percpu_down_read()
+can sleep, and that happens before the preempt_count_set(PREEMPT_ENABLED)
+fixup.
+
+It looks like the same thing applies to profile_task_exit() and
+kcov_task_exit().
+
+Fix it by moving the preemption fixup up and the calls to
+profile_task_exit() and kcov_task_exit() down.
+
+Fixes: 1dc0fffc48af ("sched/core: Robustify preemption leak checks")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20200305220657.46800-1-jannh@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/exit.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index ce2a75bc0ade..d56fe51bdf07 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -708,8 +708,12 @@ void __noreturn do_exit(long code)
+ struct task_struct *tsk = current;
+ int group_dead;
+
+- profile_task_exit(tsk);
+- kcov_task_exit(tsk);
++ /*
++ * We can get here from a kernel oops, sometimes with preemption off.
++ * Start by checking for critical errors.
++ * Then fix up important state like USER_DS and preemption.
++ * Then do everything else.
++ */
+
+ WARN_ON(blk_needs_flush_plug(tsk));
+
+@@ -727,6 +731,16 @@ void __noreturn do_exit(long code)
+ */
+ set_fs(USER_DS);
+
++ if (unlikely(in_atomic())) {
++ pr_info("note: %s[%d] exited with preempt_count %d\n",
++ current->comm, task_pid_nr(current),
++ preempt_count());
++ preempt_count_set(PREEMPT_ENABLED);
++ }
++
++ profile_task_exit(tsk);
++ kcov_task_exit(tsk);
++
+ ptrace_event(PTRACE_EVENT_EXIT, code);
+
+ validate_creds_for_do_exit(tsk);
+@@ -744,13 +758,6 @@ void __noreturn do_exit(long code)
+
+ exit_signals(tsk); /* sets PF_EXITING */
+
+- if (unlikely(in_atomic())) {
+- pr_info("note: %s[%d] exited with preempt_count %d\n",
+- current->comm, task_pid_nr(current),
+- preempt_count());
+- preempt_count_set(PREEMPT_ENABLED);
+- }
+-
+ /* sync mm's RSS info before statistics gathering */
+ if (tsk->mm)
+ sync_mm_rss(tsk->mm);
+--
+2.25.1
+
--- /dev/null
+From d2c76be8857c69c2e440d628499af4eebf8b2c5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:42:15 -0700
+Subject: ice: Change number of XDP TxQ to 0 when destroying rings
+
+From: Marta Plantykow <marta.a.plantykow@intel.com>
+
+[ Upstream commit c8f135c6ee7851ad72bd4d877216950fcbd45fb6 ]
+
+When XDP Tx rings are destroyed the number of XDP Tx queues
+is not changing. This patch is changing this number to 0.
+
+Signed-off-by: Marta Plantykow <marta.a.plantykow@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 5b190c257124..599dab844034 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -1898,6 +1898,9 @@ free_qmap:
+ for (i = 0; i < vsi->tc_cfg.numtc; i++)
+ max_txqs[i] = vsi->num_txq;
+
++ /* change number of XDP Tx queues to 0 */
++ vsi->num_xdp_txq = 0;
++
+ return ice_cfg_vsi_lan(vsi->port_info, vsi->idx, vsi->tc_cfg.ena_tc,
+ max_txqs);
+ }
+--
+2.25.1
+
--- /dev/null
+From e150b2f742efdff653d00774738aebe5fb3e1af3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 17:41:06 -0700
+Subject: ice: cleanup vf_id signedness
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit 53bb66983f34d4ff0af179fe228e2c55e1e45921 ]
+
+The vf_id variable is dealt with in the code in inconsistent
+ways of sign usage, preventing compilation with -Werror=sign-compare.
+Fix this problem in the code by always treating vf_id as unsigned, since
+there are no valid values of vf_id that are negative.
+
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice.h | 2 +-
+ .../net/ethernet/intel/ice/ice_virtchnl_pf.c | 17 +++++++++--------
+ .../net/ethernet/intel/ice/ice_virtchnl_pf.h | 2 +-
+ 3 files changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h
+index 5c11448bfbb3..020ee167f73a 100644
+--- a/drivers/net/ethernet/intel/ice/ice.h
++++ b/drivers/net/ethernet/intel/ice/ice.h
+@@ -366,7 +366,7 @@ struct ice_pf {
+ struct ice_sw *first_sw; /* first switch created by firmware */
+ /* Virtchnl/SR-IOV config info */
+ struct ice_vf *vf;
+- int num_alloc_vfs; /* actual number of VFs allocated */
++ u16 num_alloc_vfs; /* actual number of VFs allocated */
+ u16 num_vfs_supported; /* num VFs supported for this PF */
+ u16 num_qps_per_vf;
+ u16 num_msix_per_vf;
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index 15191a325918..c9c281167873 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -10,10 +10,11 @@
+ * @pf: pointer to the PF structure
+ * @vf_id: the ID of the VF to check
+ */
+-static int ice_validate_vf_id(struct ice_pf *pf, int vf_id)
++static int ice_validate_vf_id(struct ice_pf *pf, u16 vf_id)
+ {
++ /* vf_id range is only valid for 0-255, and should always be unsigned */
+ if (vf_id >= pf->num_alloc_vfs) {
+- dev_err(ice_pf_to_dev(pf), "Invalid VF ID: %d\n", vf_id);
++ dev_err(ice_pf_to_dev(pf), "Invalid VF ID: %u\n", vf_id);
+ return -EINVAL;
+ }
+ return 0;
+@@ -27,7 +28,7 @@ static int ice_validate_vf_id(struct ice_pf *pf, int vf_id)
+ static int ice_check_vf_init(struct ice_pf *pf, struct ice_vf *vf)
+ {
+ if (!test_bit(ICE_VF_STATE_INIT, vf->vf_states)) {
+- dev_err(ice_pf_to_dev(pf), "VF ID: %d in reset. Try again.\n",
++ dev_err(ice_pf_to_dev(pf), "VF ID: %u in reset. Try again.\n",
+ vf->vf_id);
+ return -EBUSY;
+ }
+@@ -337,7 +338,7 @@ void ice_free_vfs(struct ice_pf *pf)
+ * before this function ever gets called.
+ */
+ if (!pci_vfs_assigned(pf->pdev)) {
+- int vf_id;
++ unsigned int vf_id;
+
+ /* Acknowledge VFLR for all VFs. Without this, VFs will fail to
+ * work correctly when SR-IOV gets re-enabled.
+@@ -368,9 +369,9 @@ static void ice_trigger_vf_reset(struct ice_vf *vf, bool is_vflr, bool is_pfr)
+ {
+ struct ice_pf *pf = vf->pf;
+ u32 reg, reg_idx, bit_idx;
++ unsigned int vf_abs_id, i;
+ struct device *dev;
+ struct ice_hw *hw;
+- int vf_abs_id, i;
+
+ dev = ice_pf_to_dev(pf);
+ hw = &pf->hw;
+@@ -418,7 +419,7 @@ static void ice_trigger_vf_reset(struct ice_vf *vf, bool is_vflr, bool is_pfr)
+ if ((reg & VF_TRANS_PENDING_M) == 0)
+ break;
+
+- dev_err(dev, "VF %d PCI transactions stuck\n", vf->vf_id);
++ dev_err(dev, "VF %u PCI transactions stuck\n", vf->vf_id);
+ udelay(ICE_PCI_CIAD_WAIT_DELAY_US);
+ }
+ }
+@@ -1483,7 +1484,7 @@ int ice_sriov_configure(struct pci_dev *pdev, int num_vfs)
+ void ice_process_vflr_event(struct ice_pf *pf)
+ {
+ struct ice_hw *hw = &pf->hw;
+- int vf_id;
++ unsigned int vf_id;
+ u32 reg;
+
+ if (!test_and_clear_bit(__ICE_VFLR_EVENT_PENDING, pf->state) ||
+@@ -1524,7 +1525,7 @@ static void ice_vc_reset_vf(struct ice_vf *vf)
+ */
+ static struct ice_vf *ice_get_vf_from_pfq(struct ice_pf *pf, u16 pfq)
+ {
+- int vf_id;
++ unsigned int vf_id;
+
+ ice_for_each_vf(pf, vf_id) {
+ struct ice_vf *vf = &pf->vf[vf_id];
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h
+index 3f9464269bd2..62875704cecf 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h
+@@ -64,7 +64,7 @@ struct ice_mdd_vf_events {
+ struct ice_vf {
+ struct ice_pf *pf;
+
+- s16 vf_id; /* VF ID in the PF space */
++ u16 vf_id; /* VF ID in the PF space */
+ u16 lan_vsi_idx; /* index into PF struct */
+ /* first vector index of this VF in the PF space */
+ int first_vector_idx;
+--
+2.25.1
+
--- /dev/null
+From 924635105d6ae6e80491969f538e30bb781b50bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:12:28 +0000
+Subject: ice: Fix error return code in ice_add_prof()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit f8d530ac29fe9248f5e58ca5bcf4c368f8393ccf ]
+
+Fix to return a error code from the error handling case
+instead of 0, as done elsewhere in this function.
+
+Fixes: 31ad4e4ee1e4 ("ice: Allocate flow profile")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+index 42bac3ec5526..e7a2671222d2 100644
+--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+@@ -2962,8 +2962,10 @@ ice_add_prof(struct ice_hw *hw, enum ice_block blk, u64 id, u8 ptypes[],
+
+ /* add profile info */
+ prof = devm_kzalloc(ice_hw_to_dev(hw), sizeof(*prof), GFP_KERNEL);
+- if (!prof)
++ if (!prof) {
++ status = ICE_ERR_NO_MEMORY;
+ goto err_ice_add_prof;
++ }
+
+ prof->profile_cookie = id;
+ prof->prof_id = prof_id;
+--
+2.25.1
+
--- /dev/null
+From bc32978626076e25e28c329cb5d997be533db88c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:36:43 -0700
+Subject: ice: Fix for memory leaks and modify ICE_FREE_CQ_BUFS
+
+From: Surabhi Boob <surabhi.boob@intel.com>
+
+[ Upstream commit 68d270783742783f96e89ef92ac24ab3c7fb1d31 ]
+
+Handle memory leaks during control queue initialization and
+buffer allocation failures. The macro ICE_FREE_CQ_BUFS is modified to
+re-use for this fix.
+
+Signed-off-by: Surabhi Boob <surabhi.boob@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_controlq.c | 49 +++++++++++--------
+ 1 file changed, 28 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_controlq.c b/drivers/net/ethernet/intel/ice/ice_controlq.c
+index dd946866d7b8..cc29a16f41f7 100644
+--- a/drivers/net/ethernet/intel/ice/ice_controlq.c
++++ b/drivers/net/ethernet/intel/ice/ice_controlq.c
+@@ -199,7 +199,9 @@ unwind_alloc_rq_bufs:
+ cq->rq.r.rq_bi[i].pa = 0;
+ cq->rq.r.rq_bi[i].size = 0;
+ }
++ cq->rq.r.rq_bi = NULL;
+ devm_kfree(ice_hw_to_dev(hw), cq->rq.dma_head);
++ cq->rq.dma_head = NULL;
+
+ return ICE_ERR_NO_MEMORY;
+ }
+@@ -245,7 +247,9 @@ unwind_alloc_sq_bufs:
+ cq->sq.r.sq_bi[i].pa = 0;
+ cq->sq.r.sq_bi[i].size = 0;
+ }
++ cq->sq.r.sq_bi = NULL;
+ devm_kfree(ice_hw_to_dev(hw), cq->sq.dma_head);
++ cq->sq.dma_head = NULL;
+
+ return ICE_ERR_NO_MEMORY;
+ }
+@@ -304,6 +308,28 @@ ice_cfg_rq_regs(struct ice_hw *hw, struct ice_ctl_q_info *cq)
+ return 0;
+ }
+
++#define ICE_FREE_CQ_BUFS(hw, qi, ring) \
++do { \
++ int i; \
++ /* free descriptors */ \
++ if ((qi)->ring.r.ring##_bi) \
++ for (i = 0; i < (qi)->num_##ring##_entries; i++) \
++ if ((qi)->ring.r.ring##_bi[i].pa) { \
++ dmam_free_coherent(ice_hw_to_dev(hw), \
++ (qi)->ring.r.ring##_bi[i].size, \
++ (qi)->ring.r.ring##_bi[i].va, \
++ (qi)->ring.r.ring##_bi[i].pa); \
++ (qi)->ring.r.ring##_bi[i].va = NULL;\
++ (qi)->ring.r.ring##_bi[i].pa = 0;\
++ (qi)->ring.r.ring##_bi[i].size = 0;\
++ } \
++ /* free the buffer info list */ \
++ if ((qi)->ring.cmd_buf) \
++ devm_kfree(ice_hw_to_dev(hw), (qi)->ring.cmd_buf); \
++ /* free DMA head */ \
++ devm_kfree(ice_hw_to_dev(hw), (qi)->ring.dma_head); \
++} while (0)
++
+ /**
+ * ice_init_sq - main initialization routine for Control ATQ
+ * @hw: pointer to the hardware structure
+@@ -357,6 +383,7 @@ static enum ice_status ice_init_sq(struct ice_hw *hw, struct ice_ctl_q_info *cq)
+ goto init_ctrlq_exit;
+
+ init_ctrlq_free_rings:
++ ICE_FREE_CQ_BUFS(hw, cq, sq);
+ ice_free_cq_ring(hw, &cq->sq);
+
+ init_ctrlq_exit:
+@@ -416,33 +443,13 @@ static enum ice_status ice_init_rq(struct ice_hw *hw, struct ice_ctl_q_info *cq)
+ goto init_ctrlq_exit;
+
+ init_ctrlq_free_rings:
++ ICE_FREE_CQ_BUFS(hw, cq, rq);
+ ice_free_cq_ring(hw, &cq->rq);
+
+ init_ctrlq_exit:
+ return ret_code;
+ }
+
+-#define ICE_FREE_CQ_BUFS(hw, qi, ring) \
+-do { \
+- int i; \
+- /* free descriptors */ \
+- for (i = 0; i < (qi)->num_##ring##_entries; i++) \
+- if ((qi)->ring.r.ring##_bi[i].pa) { \
+- dmam_free_coherent(ice_hw_to_dev(hw), \
+- (qi)->ring.r.ring##_bi[i].size,\
+- (qi)->ring.r.ring##_bi[i].va,\
+- (qi)->ring.r.ring##_bi[i].pa);\
+- (qi)->ring.r.ring##_bi[i].va = NULL; \
+- (qi)->ring.r.ring##_bi[i].pa = 0; \
+- (qi)->ring.r.ring##_bi[i].size = 0; \
+- } \
+- /* free the buffer info list */ \
+- if ((qi)->ring.cmd_buf) \
+- devm_kfree(ice_hw_to_dev(hw), (qi)->ring.cmd_buf); \
+- /* free DMA head */ \
+- devm_kfree(ice_hw_to_dev(hw), (qi)->ring.dma_head); \
+-} while (0)
+-
+ /**
+ * ice_shutdown_sq - shutdown the Control ATQ
+ * @hw: pointer to the hardware structure
+--
+2.25.1
+
--- /dev/null
+From 3643d97f128abf9b094c49b0632a0774518a85c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:55:00 -0700
+Subject: ice: Fix inability to set channels when down
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit 765dd7a1827c687b782e6ab3dd6daf4d13a4780f ]
+
+Currently the driver prevents a user from doing
+modprobe ice
+ethtool -L eth0 combined 5
+ip link set eth0 up
+
+The ethtool command fails, because the driver is checking to see if the
+interface is down before allowing the get_channels to proceed (even for
+a set_channels).
+
+Remove this check and allow the user to configure the interface
+before bringing it up, which is a much better usability case.
+
+Fixes: 87324e747fde ("ice: Implement ethtool ops for channels")
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index 593fb37bd59e..153e3565e313 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -3171,10 +3171,6 @@ ice_get_channels(struct net_device *dev, struct ethtool_channels *ch)
+ struct ice_vsi *vsi = np->vsi;
+ struct ice_pf *pf = vsi->back;
+
+- /* check to see if VSI is active */
+- if (test_bit(__ICE_DOWN, vsi->state))
+- return;
+-
+ /* report maximum channels */
+ ch->max_rx = ice_get_max_rxq(pf);
+ ch->max_tx = ice_get_max_txq(pf);
+--
+2.25.1
+
--- /dev/null
+From 480cb9654f1a192e13ca441fa3107a09b561c5f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:36:42 -0700
+Subject: ice: Fix memory leak
+
+From: Surabhi Boob <surabhi.boob@intel.com>
+
+[ Upstream commit 1aaef2bc4e0a5ce9e4dd86359e6a0bf52c6aa64f ]
+
+Handle memory leak on filter management initialization failure.
+
+Signed-off-by: Surabhi Boob <surabhi.boob@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_common.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
+index 2c0d8fd3d5cd..09b374590ffc 100644
+--- a/drivers/net/ethernet/intel/ice/ice_common.c
++++ b/drivers/net/ethernet/intel/ice/ice_common.c
+@@ -322,6 +322,7 @@ ice_aq_get_link_info(struct ice_port_info *pi, bool ena_lse,
+ static enum ice_status ice_init_fltr_mgmt_struct(struct ice_hw *hw)
+ {
+ struct ice_switch_info *sw;
++ enum ice_status status;
+
+ hw->switch_info = devm_kzalloc(ice_hw_to_dev(hw),
+ sizeof(*hw->switch_info), GFP_KERNEL);
+@@ -332,7 +333,12 @@ static enum ice_status ice_init_fltr_mgmt_struct(struct ice_hw *hw)
+
+ INIT_LIST_HEAD(&sw->vsi_list_map_head);
+
+- return ice_init_def_sw_recp(hw);
++ status = ice_init_def_sw_recp(hw);
++ if (status) {
++ devm_kfree(ice_hw_to_dev(hw), hw->switch_info);
++ return status;
++ }
++ return 0;
+ }
+
+ /**
+--
+2.25.1
+
--- /dev/null
+From 0f8b510901290b75647599eea66f0e72f6e2b240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:55:03 -0700
+Subject: ice: fix PCI device serial number to be lowercase values
+
+From: Paul M Stillwell Jr <paul.m.stillwell.jr@intel.com>
+
+[ Upstream commit 1a9c561aa35534a03c0aa51c7fb1485731202a7c ]
+
+Commit ceb2f00707f9 ("ice: Use pci_get_dsn()") changed the code to
+use a new function to get the Device Serial Number. It also changed
+the case of the filename for loading a package on a specific NIC
+from lowercase to uppercase. Change the filename back to
+lowercase since that is what we specified.
+
+Fixes: ceb2f00707f9 ("ice: Use pci_get_dsn()")
+Signed-off-by: Paul M Stillwell Jr <paul.m.stillwell.jr@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 599dab844034..545817dbff67 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -3126,7 +3126,7 @@ static char *ice_get_opt_fw_name(struct ice_pf *pf)
+ if (!opt_fw_filename)
+ return NULL;
+
+- snprintf(opt_fw_filename, NAME_MAX, "%sice-%016llX.pkg",
++ snprintf(opt_fw_filename, NAME_MAX, "%sice-%016llx.pkg",
+ ICE_DDP_PKG_PATH, dsn);
+
+ return opt_fw_filename;
+--
+2.25.1
+
--- /dev/null
+From c6b805b1e42f4002c2ea972e9cb69e388bcfe2d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:42:24 -0700
+Subject: ice: fix potential double free in probe unrolling
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit bc3a024101ca497bea4c69be4054c32a5c349f1d ]
+
+If ice_init_interrupt_scheme fails, ice_probe will jump to clearing up
+the interrupts. This can lead to some static analysis tools such as the
+compiler sanitizers complaining about double free problems.
+
+Since ice_init_interrupt_scheme already unrolls internally on failure,
+there is no need to call ice_clear_interrupt_scheme when it fails. Add
+a new unroll label and use that instead.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 545817dbff67..69e50331e08e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -3298,7 +3298,7 @@ ice_probe(struct pci_dev *pdev, const struct pci_device_id __always_unused *ent)
+ if (err) {
+ dev_err(dev, "ice_init_interrupt_scheme failed: %d\n", err);
+ err = -EIO;
+- goto err_init_interrupt_unroll;
++ goto err_init_vsi_unroll;
+ }
+
+ /* Driver is mostly up */
+@@ -3387,6 +3387,7 @@ err_msix_misc_unroll:
+ ice_free_irq_msix_misc(pf);
+ err_init_interrupt_unroll:
+ ice_clear_interrupt_scheme(pf);
++err_init_vsi_unroll:
+ devm_kfree(dev, pf->vsi);
+ err_init_pf_unroll:
+ ice_deinit_pf(pf);
+--
+2.25.1
+
--- /dev/null
+From af978f8f17a80e4c7abf1c5fd0e90d7fc57a4618 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 17:41:07 -0700
+Subject: ice: Fix resource leak on early exit from function
+
+From: Eric Joyner <eric.joyner@intel.com>
+
+[ Upstream commit 857a4f0e9f4956fffc0cedcaa2ba187a2e987153 ]
+
+Memory allocated in the ice_add_prof_id_vsig() function wasn't being
+properly freed if an error occurred inside the for-loop in the function.
+
+In particular, 'p' wasn't being freed if an error occurred before it was
+added to the resource list at the end of the for-loop.
+
+Signed-off-by: Eric Joyner <eric.joyner@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+index e7a2671222d2..abfec38bb483 100644
+--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+@@ -3705,8 +3705,10 @@ ice_add_prof_id_vsig(struct ice_hw *hw, enum ice_block blk, u16 vsig, u64 hdl,
+ t->tcam[i].prof_id,
+ t->tcam[i].ptg, vsig, 0, 0,
+ vl_msk, dc_msk, nm_msk);
+- if (status)
++ if (status) {
++ devm_kfree(ice_hw_to_dev(hw), p);
+ goto err_ice_add_prof_id_vsig;
++ }
+
+ /* log change */
+ list_add(&p->list_entry, chg);
+--
+2.25.1
+
--- /dev/null
+From 9ba7720253a786c38e12577d02d4496ec66a6125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:36:32 -0700
+Subject: ice: Fix Tx timeout when link is toggled on a VF's interface
+
+From: Brett Creeley <brett.creeley@intel.com>
+
+[ Upstream commit 4dc926d3a59e73b8c4adf51b261f1a1bbd48a989 ]
+
+Currently if the iavf is loaded and a VF link transitions from up to
+down to up again a Tx timeout will be triggered. This happens because
+Tx/Rx queue interrupts are only enabled when receiving the
+VIRTCHNL_OP_CONFIG_MAP_IRQ message, which happens on reset or initial
+iavf driver load, but not when bringing link up. This is problematic
+because they are disabled on the VIRTCHNL_OP_DISABLE_QUEUES message,
+which is part of bringing a VF's link down. However, they are not
+enabled on the VIRTCHNL_OP_ENABLE_QUEUES message, which is part of
+bringing a VF's link up.
+
+Fix this by re-enabling the VF's Rx and Tx queue interrupts when they
+were previously configured. This is done by first checking to make
+sure the previous value in QINT_[R|T]QCTL.MSIX_INDX is not 0, which
+is used to represent the OICR in the VF's interrupt space. If the
+MSIX_INDX is non-zero then enable the interrupt by setting the
+QINT_[R|T]CTL.CAUSE_ENA bit to 1.
+
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/ice/ice_virtchnl_pf.c | 48 +++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index c9c281167873..f1fdb4d4c826 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -2118,6 +2118,52 @@ static bool ice_vc_validate_vqs_bitmaps(struct virtchnl_queue_select *vqs)
+ return true;
+ }
+
++/**
++ * ice_vf_ena_txq_interrupt - enable Tx queue interrupt via QINT_TQCTL
++ * @vsi: VSI of the VF to configure
++ * @q_idx: VF queue index used to determine the queue in the PF's space
++ */
++static void ice_vf_ena_txq_interrupt(struct ice_vsi *vsi, u32 q_idx)
++{
++ struct ice_hw *hw = &vsi->back->hw;
++ u32 pfq = vsi->txq_map[q_idx];
++ u32 reg;
++
++ reg = rd32(hw, QINT_TQCTL(pfq));
++
++ /* MSI-X index 0 in the VF's space is always for the OICR, which means
++ * this is most likely a poll mode VF driver, so don't enable an
++ * interrupt that was never configured via VIRTCHNL_OP_CONFIG_IRQ_MAP
++ */
++ if (!(reg & QINT_TQCTL_MSIX_INDX_M))
++ return;
++
++ wr32(hw, QINT_TQCTL(pfq), reg | QINT_TQCTL_CAUSE_ENA_M);
++}
++
++/**
++ * ice_vf_ena_rxq_interrupt - enable Tx queue interrupt via QINT_RQCTL
++ * @vsi: VSI of the VF to configure
++ * @q_idx: VF queue index used to determine the queue in the PF's space
++ */
++static void ice_vf_ena_rxq_interrupt(struct ice_vsi *vsi, u32 q_idx)
++{
++ struct ice_hw *hw = &vsi->back->hw;
++ u32 pfq = vsi->rxq_map[q_idx];
++ u32 reg;
++
++ reg = rd32(hw, QINT_RQCTL(pfq));
++
++ /* MSI-X index 0 in the VF's space is always for the OICR, which means
++ * this is most likely a poll mode VF driver, so don't enable an
++ * interrupt that was never configured via VIRTCHNL_OP_CONFIG_IRQ_MAP
++ */
++ if (!(reg & QINT_RQCTL_MSIX_INDX_M))
++ return;
++
++ wr32(hw, QINT_RQCTL(pfq), reg | QINT_RQCTL_CAUSE_ENA_M);
++}
++
+ /**
+ * ice_vc_ena_qs_msg
+ * @vf: pointer to the VF info
+@@ -2178,6 +2224,7 @@ static int ice_vc_ena_qs_msg(struct ice_vf *vf, u8 *msg)
+ goto error_param;
+ }
+
++ ice_vf_ena_rxq_interrupt(vsi, vf_q_id);
+ set_bit(vf_q_id, vf->rxq_ena);
+ }
+
+@@ -2193,6 +2240,7 @@ static int ice_vc_ena_qs_msg(struct ice_vf *vf, u8 *msg)
+ if (test_bit(vf_q_id, vf->txq_ena))
+ continue;
+
++ ice_vf_ena_txq_interrupt(vsi, vf_q_id);
+ set_bit(vf_q_id, vf->txq_ena);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 332c6c4c290c8588f7a5246b878bd8440a8ef840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Mar 2020 16:10:40 -0700
+Subject: igc: Fix default MAC address filter override
+
+From: Andre Guedes <andre.guedes@intel.com>
+
+[ Upstream commit ac9156b27564a089ec52f526bfcb59f61c34e7c6 ]
+
+This patch fixes a bug when the user adds the first MAC address filter
+via ethtool NFC mechanism.
+
+When the first MAC address filter is added, it overwrites the default
+MAC address filter configured at RAL[0] and RAH[0]. As consequence,
+frames addressed to the interface MAC address are not sent to host
+anymore.
+
+This patch fixes the bug by calling igc_set_default_mac_filter() during
+adapter init so the position 0 of adapter->mac_table[] is assigned to
+the default MAC address.
+
+Signed-off-by: Andre Guedes <andre.guedes@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 69fa1ce1f927..c7020ff2f490 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -2325,7 +2325,9 @@ static void igc_configure(struct igc_adapter *adapter)
+ igc_setup_mrqc(adapter);
+ igc_setup_rctl(adapter);
+
++ igc_set_default_mac_filter(adapter);
+ igc_nfc_filter_restore(adapter);
++
+ igc_configure_tx(adapter);
+ igc_configure_rx(adapter);
+
+--
+2.25.1
+
--- /dev/null
+From f1f2d24e3316f6c88bf65c6918fb3a43912a28f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 11:56:54 -0600
+Subject: io_uring: allow POLL_ADD with double poll_wait() users
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 18bceab101adde8f38de76016bc77f3f25cf22f4 ]
+
+Some file descriptors use separate waitqueues for their f_ops->poll()
+handler, most commonly one for read and one for write. The io_uring
+poll implementation doesn't work with that, as the 2nd poll_wait()
+call will cause the io_uring poll request to -EINVAL.
+
+This affects (at least) tty devices and /dev/random as well. This is a
+big problem for event loops where some file descriptors work, and others
+don't.
+
+With this fix, io_uring handles multiple waitqueues.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 218 +++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 146 insertions(+), 72 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 07d9414268f1..2d5f81a1bf9c 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4106,27 +4106,6 @@ struct io_poll_table {
+ int error;
+ };
+
+-static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
+- struct wait_queue_head *head)
+-{
+- if (unlikely(poll->head)) {
+- pt->error = -EINVAL;
+- return;
+- }
+-
+- pt->error = 0;
+- poll->head = head;
+- add_wait_queue(head, &poll->wait);
+-}
+-
+-static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
+- struct poll_table_struct *p)
+-{
+- struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
+-
+- __io_queue_proc(&pt->req->apoll->poll, pt, head);
+-}
+-
+ static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
+ __poll_t mask, task_work_func_t func)
+ {
+@@ -4180,6 +4159,144 @@ static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll)
+ return false;
+ }
+
++static void io_poll_remove_double(struct io_kiocb *req)
++{
++ struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
++
++ lockdep_assert_held(&req->ctx->completion_lock);
++
++ if (poll && poll->head) {
++ struct wait_queue_head *head = poll->head;
++
++ spin_lock(&head->lock);
++ list_del_init(&poll->wait.entry);
++ if (poll->wait.private)
++ refcount_dec(&req->refs);
++ poll->head = NULL;
++ spin_unlock(&head->lock);
++ }
++}
++
++static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
++{
++ struct io_ring_ctx *ctx = req->ctx;
++
++ io_poll_remove_double(req);
++ req->poll.done = true;
++ io_cqring_fill_event(req, error ? error : mangle_poll(mask));
++ io_commit_cqring(ctx);
++}
++
++static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
++{
++ struct io_ring_ctx *ctx = req->ctx;
++
++ if (io_poll_rewait(req, &req->poll)) {
++ spin_unlock_irq(&ctx->completion_lock);
++ return;
++ }
++
++ hash_del(&req->hash_node);
++ io_poll_complete(req, req->result, 0);
++ req->flags |= REQ_F_COMP_LOCKED;
++ io_put_req_find_next(req, nxt);
++ spin_unlock_irq(&ctx->completion_lock);
++
++ io_cqring_ev_posted(ctx);
++}
++
++static void io_poll_task_func(struct callback_head *cb)
++{
++ struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
++ struct io_kiocb *nxt = NULL;
++
++ io_poll_task_handler(req, &nxt);
++ if (nxt) {
++ struct io_ring_ctx *ctx = nxt->ctx;
++
++ mutex_lock(&ctx->uring_lock);
++ __io_queue_sqe(nxt, NULL);
++ mutex_unlock(&ctx->uring_lock);
++ }
++}
++
++static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
++ int sync, void *key)
++{
++ struct io_kiocb *req = wait->private;
++ struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
++ __poll_t mask = key_to_poll(key);
++
++ /* for instances that support it check for an event match first: */
++ if (mask && !(mask & poll->events))
++ return 0;
++
++ if (req->poll.head) {
++ bool done;
++
++ spin_lock(&req->poll.head->lock);
++ done = list_empty(&req->poll.wait.entry);
++ if (!done)
++ list_del_init(&req->poll.wait.entry);
++ spin_unlock(&req->poll.head->lock);
++ if (!done)
++ __io_async_wake(req, poll, mask, io_poll_task_func);
++ }
++ refcount_dec(&req->refs);
++ return 1;
++}
++
++static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
++ wait_queue_func_t wake_func)
++{
++ poll->head = NULL;
++ poll->done = false;
++ poll->canceled = false;
++ poll->events = events;
++ INIT_LIST_HEAD(&poll->wait.entry);
++ init_waitqueue_func_entry(&poll->wait, wake_func);
++}
++
++static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
++ struct wait_queue_head *head)
++{
++ struct io_kiocb *req = pt->req;
++
++ /*
++ * If poll->head is already set, it's because the file being polled
++ * uses multiple waitqueues for poll handling (eg one for read, one
++ * for write). Setup a separate io_poll_iocb if this happens.
++ */
++ if (unlikely(poll->head)) {
++ /* already have a 2nd entry, fail a third attempt */
++ if (req->io) {
++ pt->error = -EINVAL;
++ return;
++ }
++ poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
++ if (!poll) {
++ pt->error = -ENOMEM;
++ return;
++ }
++ io_init_poll_iocb(poll, req->poll.events, io_poll_double_wake);
++ refcount_inc(&req->refs);
++ poll->wait.private = req;
++ req->io = (void *) poll;
++ }
++
++ pt->error = 0;
++ poll->head = head;
++ add_wait_queue(head, &poll->wait);
++}
++
++static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
++ struct poll_table_struct *p)
++{
++ struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
++
++ __io_queue_proc(&pt->req->apoll->poll, pt, head);
++}
++
+ static void io_async_task_func(struct callback_head *cb)
+ {
+ struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
+@@ -4255,18 +4372,13 @@ static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
+ bool cancel = false;
+
+ poll->file = req->file;
+- poll->head = NULL;
+- poll->done = poll->canceled = false;
+- poll->events = mask;
++ io_init_poll_iocb(poll, mask, wake_func);
++ poll->wait.private = req;
+
+ ipt->pt._key = mask;
+ ipt->req = req;
+ ipt->error = -EINVAL;
+
+- INIT_LIST_HEAD(&poll->wait.entry);
+- init_waitqueue_func_entry(&poll->wait, wake_func);
+- poll->wait.private = req;
+-
+ mask = vfs_poll(req->file, &ipt->pt) & poll->events;
+
+ spin_lock_irq(&ctx->completion_lock);
+@@ -4297,6 +4409,7 @@ static bool io_arm_poll_handler(struct io_kiocb *req)
+ struct async_poll *apoll;
+ struct io_poll_table ipt;
+ __poll_t mask, ret;
++ bool had_io;
+
+ if (!req->file || !file_can_poll(req->file))
+ return false;
+@@ -4311,6 +4424,7 @@ static bool io_arm_poll_handler(struct io_kiocb *req)
+
+ req->flags |= REQ_F_POLLED;
+ memcpy(&apoll->work, &req->work, sizeof(req->work));
++ had_io = req->io != NULL;
+
+ get_task_struct(current);
+ req->task = current;
+@@ -4330,7 +4444,9 @@ static bool io_arm_poll_handler(struct io_kiocb *req)
+ io_async_wake);
+ if (ret) {
+ ipt.error = 0;
+- apoll->poll.done = true;
++ /* only remove double add if we did it here */
++ if (!had_io)
++ io_poll_remove_double(req);
+ spin_unlock_irq(&ctx->completion_lock);
+ memcpy(&req->work, &apoll->work, sizeof(req->work));
+ kfree(apoll);
+@@ -4363,6 +4479,7 @@ static bool io_poll_remove_one(struct io_kiocb *req)
+ bool do_complete;
+
+ if (req->opcode == IORING_OP_POLL_ADD) {
++ io_poll_remove_double(req);
+ do_complete = __io_poll_remove_one(req, &req->poll);
+ } else {
+ struct async_poll *apoll = req->apoll;
+@@ -4463,49 +4580,6 @@ static int io_poll_remove(struct io_kiocb *req)
+ return 0;
+ }
+
+-static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
+-{
+- struct io_ring_ctx *ctx = req->ctx;
+-
+- req->poll.done = true;
+- io_cqring_fill_event(req, error ? error : mangle_poll(mask));
+- io_commit_cqring(ctx);
+-}
+-
+-static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
+-{
+- struct io_ring_ctx *ctx = req->ctx;
+- struct io_poll_iocb *poll = &req->poll;
+-
+- if (io_poll_rewait(req, poll)) {
+- spin_unlock_irq(&ctx->completion_lock);
+- return;
+- }
+-
+- hash_del(&req->hash_node);
+- io_poll_complete(req, req->result, 0);
+- req->flags |= REQ_F_COMP_LOCKED;
+- io_put_req_find_next(req, nxt);
+- spin_unlock_irq(&ctx->completion_lock);
+-
+- io_cqring_ev_posted(ctx);
+-}
+-
+-static void io_poll_task_func(struct callback_head *cb)
+-{
+- struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
+- struct io_kiocb *nxt = NULL;
+-
+- io_poll_task_handler(req, &nxt);
+- if (nxt) {
+- struct io_ring_ctx *ctx = nxt->ctx;
+-
+- mutex_lock(&ctx->uring_lock);
+- __io_queue_sqe(nxt, NULL);
+- mutex_unlock(&ctx->uring_lock);
+- }
+-}
+-
+ static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
+ void *key)
+ {
+--
+2.25.1
+
--- /dev/null
+From 4ce5799f6b1c2433a4008e04c778ffeb2249dd81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 May 2020 13:54:12 -0600
+Subject: io_uring: cleanup io_poll_remove_one() logic
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 3bfa5bcb26f0b52d7ae8416aa0618fff21aceaaf ]
+
+We only need apoll in the one section, do the juggling with the work
+restoration there. This removes a special case further down as well.
+
+No functional changes in this patch.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index f071505e3430..07d9414268f1 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4354,32 +4354,31 @@ static bool __io_poll_remove_one(struct io_kiocb *req,
+ do_complete = true;
+ }
+ spin_unlock(&poll->head->lock);
++ hash_del(&req->hash_node);
+ return do_complete;
+ }
+
+ static bool io_poll_remove_one(struct io_kiocb *req)
+ {
+- struct async_poll *apoll = NULL;
+ bool do_complete;
+
+ if (req->opcode == IORING_OP_POLL_ADD) {
+ do_complete = __io_poll_remove_one(req, &req->poll);
+ } else {
+- apoll = req->apoll;
++ struct async_poll *apoll = req->apoll;
++
+ /* non-poll requests have submit ref still */
+- do_complete = __io_poll_remove_one(req, &req->apoll->poll);
+- if (do_complete)
++ do_complete = __io_poll_remove_one(req, &apoll->poll);
++ if (do_complete) {
+ io_put_req(req);
+- }
+-
+- hash_del(&req->hash_node);
+-
+- if (do_complete && apoll) {
+- /*
+- * restore ->work because we need to call io_req_work_drop_env.
+- */
+- memcpy(&req->work, &apoll->work, sizeof(req->work));
+- kfree(apoll);
++ /*
++ * restore ->work because we will call
++ * io_req_work_drop_env below when dropping the
++ * final reference.
++ */
++ memcpy(&req->work, &apoll->work, sizeof(req->work));
++ kfree(apoll);
++ }
+ }
+
+ if (do_complete) {
+--
+2.25.1
+
--- /dev/null
+From f1cfc339899d17057b9c21598ffe07aa92c692c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 14:19:15 +0300
+Subject: io_uring: fix overflowed reqs cancellation
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit 7b53d59859bc932b37895d2d37388e7fa29af7a5 ]
+
+Overflowed requests in io_uring_cancel_files() should be shed only of
+inflight and overflowed refs. All other left references are owned by
+someone else.
+
+If refcount_sub_and_test() fails, it will go further and put put extra
+ref, don't do that. Also, don't need to do io_wq_cancel_work()
+for overflowed reqs, they will be let go shortly anyway.
+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 2d5f81a1bf9c..2698e9b08490 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -7477,10 +7477,11 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx,
+ finish_wait(&ctx->inflight_wait, &wait);
+ continue;
+ }
++ } else {
++ io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
++ io_put_req(cancel_req);
+ }
+
+- io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
+- io_put_req(cancel_req);
+ schedule();
+ finish_wait(&ctx->inflight_wait, &wait);
+ }
+--
+2.25.1
+
--- /dev/null
+From 1f5f2c1a0d3074abf59f65490bf55eb351c30190 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2019 17:18:11 -0700
+Subject: iocost: don't let vrate run wild while there's no saturation signal
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 81ca627a933063fa63a6d4c66425de822a2ab7f5 ]
+
+When the QoS targets are met and nothing is being throttled, there's
+no way to tell how saturated the underlying device is - it could be
+almost entirely idle, at the cusp of saturation or anywhere inbetween.
+Given that there's no information, it's best to keep vrate as-is in
+this state. Before 7cd806a9a953 ("iocost: improve nr_lagging
+handling"), this was the case - if the device isn't missing QoS
+targets and nothing is being throttled, busy_level was reset to zero.
+
+While fixing nr_lagging handling, 7cd806a9a953 ("iocost: improve
+nr_lagging handling") broke this. Now, while the device is hitting
+QoS targets and nothing is being throttled, vrate keeps getting
+adjusted according to the existing busy_level.
+
+This led to vrate keeping climing till it hits max when there's an IO
+issuer with limited request concurrency if the vrate started low.
+vrate starts getting adjusted upwards until the issuer can issue IOs
+w/o being throttled. From then on, QoS targets keeps getting met and
+nothing on the system needs throttling and vrate keeps getting
+increased due to the existing busy_level.
+
+This patch makes the following changes to the busy_level logic.
+
+* Reset busy_level if nr_shortages is zero to avoid the above
+ scenario.
+
+* Make non-zero nr_lagging block lowering nr_level but still clear
+ positive busy_level if there's clear non-saturation signal - QoS
+ targets are met and nr_shortages is non-zero. nr_lagging's role is
+ preventing adjusting vrate upwards while there are long-running
+ commands and it shouldn't keep busy_level positive while there's
+ clear non-saturation signal.
+
+* Restructure code for clarity and add comments.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Andy Newell <newella@fb.com>
+Fixes: 7cd806a9a953 ("iocost: improve nr_lagging handling")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iocost.c | 28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/block/blk-iocost.c b/block/blk-iocost.c
+index 7c1fe605d0d6..ef193389fffe 100644
+--- a/block/blk-iocost.c
++++ b/block/blk-iocost.c
+@@ -1543,19 +1543,39 @@ skip_surplus_transfers:
+ if (rq_wait_pct > RQ_WAIT_BUSY_PCT ||
+ missed_ppm[READ] > ppm_rthr ||
+ missed_ppm[WRITE] > ppm_wthr) {
++ /* clearly missing QoS targets, slow down vrate */
+ ioc->busy_level = max(ioc->busy_level, 0);
+ ioc->busy_level++;
+ } else if (rq_wait_pct <= RQ_WAIT_BUSY_PCT * UNBUSY_THR_PCT / 100 &&
+ missed_ppm[READ] <= ppm_rthr * UNBUSY_THR_PCT / 100 &&
+ missed_ppm[WRITE] <= ppm_wthr * UNBUSY_THR_PCT / 100) {
+- /* take action iff there is contention */
+- if (nr_shortages && !nr_lagging) {
++ /* QoS targets are being met with >25% margin */
++ if (nr_shortages) {
++ /*
++ * We're throttling while the device has spare
++ * capacity. If vrate was being slowed down, stop.
++ */
+ ioc->busy_level = min(ioc->busy_level, 0);
+- /* redistribute surpluses first */
+- if (!nr_surpluses)
++
++ /*
++ * If there are IOs spanning multiple periods, wait
++ * them out before pushing the device harder. If
++ * there are surpluses, let redistribution work it
++ * out first.
++ */
++ if (!nr_lagging && !nr_surpluses)
+ ioc->busy_level--;
++ } else {
++ /*
++ * Nobody is being throttled and the users aren't
++ * issuing enough IOs to saturate the device. We
++ * simply don't know how close the device is to
++ * saturation. Coast.
++ */
++ ioc->busy_level = 0;
+ }
+ } else {
++ /* inside the hysterisis margin, we're good */
+ ioc->busy_level = 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 5c95287921a12641e9d3274c397fd6ab05d3650c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 12:27:58 -0400
+Subject: iocost_monitor: drop string wrap around numbers when outputting json
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 21f3cfeab304fc07b90d93d98d4d2f62110fe6b2 ]
+
+Wrapping numbers in strings is used by some to work around bit-width issues in
+some enviroments. The problem isn't innate to json and the workaround seems to
+cause more integration problems than help. Let's drop the string wrapping.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/cgroup/iocost_monitor.py | 42 +++++++++++++++++-----------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/tools/cgroup/iocost_monitor.py b/tools/cgroup/iocost_monitor.py
+index 9d8e9613008a..103605f5be8c 100644
+--- a/tools/cgroup/iocost_monitor.py
++++ b/tools/cgroup/iocost_monitor.py
+@@ -112,14 +112,14 @@ class IocStat:
+
+ def dict(self, now):
+ return { 'device' : devname,
+- 'timestamp' : str(now),
+- 'enabled' : str(int(self.enabled)),
+- 'running' : str(int(self.running)),
+- 'period_ms' : str(self.period_ms),
+- 'period_at' : str(self.period_at),
+- 'period_vtime_at' : str(self.vperiod_at),
+- 'busy_level' : str(self.busy_level),
+- 'vrate_pct' : str(self.vrate_pct), }
++ 'timestamp' : now,
++ 'enabled' : self.enabled,
++ 'running' : self.running,
++ 'period_ms' : self.period_ms,
++ 'period_at' : self.period_at,
++ 'period_vtime_at' : self.vperiod_at,
++ 'busy_level' : self.busy_level,
++ 'vrate_pct' : self.vrate_pct, }
+
+ def table_preamble_str(self):
+ state = ('RUN' if self.running else 'IDLE') if self.enabled else 'OFF'
+@@ -179,19 +179,19 @@ class IocgStat:
+
+ def dict(self, now, path):
+ out = { 'cgroup' : path,
+- 'timestamp' : str(now),
+- 'is_active' : str(int(self.is_active)),
+- 'weight' : str(self.weight),
+- 'weight_active' : str(self.active),
+- 'weight_inuse' : str(self.inuse),
+- 'hweight_active_pct' : str(self.hwa_pct),
+- 'hweight_inuse_pct' : str(self.hwi_pct),
+- 'inflight_pct' : str(self.inflight_pct),
+- 'debt_ms' : str(self.debt_ms),
+- 'use_delay' : str(self.use_delay),
+- 'delay_ms' : str(self.delay_ms),
+- 'usage_pct' : str(self.usage),
+- 'address' : str(hex(self.address)) }
++ 'timestamp' : now,
++ 'is_active' : self.is_active,
++ 'weight' : self.weight,
++ 'weight_active' : self.active,
++ 'weight_inuse' : self.inuse,
++ 'hweight_active_pct' : self.hwa_pct,
++ 'hweight_inuse_pct' : self.hwi_pct,
++ 'inflight_pct' : self.inflight_pct,
++ 'debt_ms' : self.debt_ms,
++ 'use_delay' : self.use_delay,
++ 'delay_ms' : self.delay_ms,
++ 'usage_pct' : self.usage,
++ 'address' : self.address }
+ for i in range(len(self.usages)):
+ out[f'usage_pct_{i}'] = str(self.usages[i])
+ return out
+--
+2.25.1
+
--- /dev/null
+From 2c2afdf20d001c0f0a7e437661b1ea654cdfc39a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 18:48:15 +0300
+Subject: iwlwifi: avoid debug max amsdu config overwriting itself
+
+From: Mordechay Goodstein <mordechay.goodstein@intel.com>
+
+[ Upstream commit a65a5824298b06049dbaceb8a9bd19709dc9507c ]
+
+If we set amsdu_len one after another the second one overwrites
+the orig_amsdu_len so allow only moving from debug to non debug state.
+
+Also the TLC update check was wrong: it was checking that also the orig
+is smaller then the new updated size, which is not the case in debug
+amsdu mode.
+
+Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
+Fixes: af2984e9e625 ("iwlwifi: mvm: add a debugfs entry to set a fixed size AMSDU for all TX packets")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20200424182644.e565446a4fce.I9729d8c520d8b8bb4de9a5cdc62e01eb85168aac@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 11 +++++++----
+ drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c | 15 ++++++++-------
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+index 3beef8d077b8..8fae7e707374 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+@@ -5,10 +5,9 @@
+ *
+ * GPL LICENSE SUMMARY
+ *
+- * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright(c) 2018 - 2019 Intel Corporation
++ * Copyright(c) 2012 - 2014, 2018 - 2020 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -28,10 +27,9 @@
+ *
+ * BSD LICENSE
+ *
+- * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright(c) 2018 - 2019 Intel Corporation
++ * Copyright(c) 2012 - 2014, 2018 - 2020 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -481,6 +479,11 @@ static ssize_t iwl_dbgfs_amsdu_len_write(struct ieee80211_sta *sta,
+ if (kstrtou16(buf, 0, &amsdu_len))
+ return -EINVAL;
+
++ /* only change from debug set <-> debug unset */
++ if ((amsdu_len && mvmsta->orig_amsdu_len) ||
++ (!!amsdu_len && mvmsta->orig_amsdu_len))
++ return -EBUSY;
++
+ if (amsdu_len) {
+ mvmsta->orig_amsdu_len = sta->max_amsdu_len;
+ sta->max_amsdu_len = amsdu_len;
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c
+index 15d11fb72aca..6f4d241d47e9 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c
+@@ -369,14 +369,15 @@ void iwl_mvm_tlc_update_notif(struct iwl_mvm *mvm,
+ u16 size = le32_to_cpu(notif->amsdu_size);
+ int i;
+
+- /*
+- * In debug sta->max_amsdu_len < size
+- * so also check with orig_amsdu_len which holds the original
+- * data before debugfs changed the value
+- */
+- if (WARN_ON(sta->max_amsdu_len < size &&
+- mvmsta->orig_amsdu_len < size))
++ if (sta->max_amsdu_len < size) {
++ /*
++ * In debug sta->max_amsdu_len < size
++ * so also check with orig_amsdu_len which holds the
++ * original data before debugfs changed the value
++ */
++ WARN_ON(mvmsta->orig_amsdu_len < size);
+ goto out;
++ }
+
+ mvmsta->amsdu_enabled = le32_to_cpu(notif->amsdu_enabled);
+ mvmsta->max_amsdu_len = size;
+--
+2.25.1
+
--- /dev/null
+From 4c184694cfb5706a054fce1e4242da9daf833900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 09:39:29 +0300
+Subject: iwlwifi: mvm: fix aux station leak
+
+From: Sharon <sara.sharon@intel.com>
+
+[ Upstream commit f327236df2afc8c3c711e7e070f122c26974f4da ]
+
+When mvm is initialized we alloc aux station with aux queue.
+We later free the station memory when driver is stopped, but we
+never free the queue's memory, which casues a leak.
+
+Add a proper de-initialization of the station.
+
+Signed-off-by: Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20200529092401.0121c5be55e9.Id7516fbb3482131d0c9dfb51ff20b226617ddb49@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 5 ++---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 18 +++++++++++++-----
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 6 +++---
+ 3 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 7aa1350b093e..cf3c46c9b1ee 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -1209,14 +1209,13 @@ void __iwl_mvm_mac_stop(struct iwl_mvm *mvm)
+ */
+ flush_work(&mvm->roc_done_wk);
+
++ iwl_mvm_rm_aux_sta(mvm);
++
+ iwl_mvm_stop_device(mvm);
+
+ iwl_mvm_async_handlers_purge(mvm);
+ /* async_handlers_list is empty and will stay empty: HW is stopped */
+
+- /* the fw is stopped, the aux sta is dead: clean up driver state */
+- iwl_mvm_del_aux_sta(mvm);
+-
+ /*
+ * Clear IN_HW_RESTART and HW_RESTART_REQUESTED flag when stopping the
+ * hw (as restart_complete() won't be called in this case) and mac80211
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 56ae72debb96..07ca8c91499d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2080,16 +2080,24 @@ int iwl_mvm_rm_snif_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+ return ret;
+ }
+
+-void iwl_mvm_dealloc_snif_sta(struct iwl_mvm *mvm)
++int iwl_mvm_rm_aux_sta(struct iwl_mvm *mvm)
+ {
+- iwl_mvm_dealloc_int_sta(mvm, &mvm->snif_sta);
+-}
++ int ret;
+
+-void iwl_mvm_del_aux_sta(struct iwl_mvm *mvm)
+-{
+ lockdep_assert_held(&mvm->mutex);
+
++ iwl_mvm_disable_txq(mvm, NULL, mvm->aux_queue, IWL_MAX_TID_COUNT, 0);
++ ret = iwl_mvm_rm_sta_common(mvm, mvm->aux_sta.sta_id);
++ if (ret)
++ IWL_WARN(mvm, "Failed sending remove station\n");
+ iwl_mvm_dealloc_int_sta(mvm, &mvm->aux_sta);
++
++ return ret;
++}
++
++void iwl_mvm_dealloc_snif_sta(struct iwl_mvm *mvm)
++{
++ iwl_mvm_dealloc_int_sta(mvm, &mvm->snif_sta);
+ }
+
+ /*
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.h b/drivers/net/wireless/intel/iwlwifi/mvm/sta.h
+index 8d70093847cb..da2d1ac01229 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.h
+@@ -8,7 +8,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2014 Intel Mobile Communications GmbH
+ * Copyright(c) 2015 - 2016 Intel Deutschland GmbH
+- * Copyright(c) 2018 - 2019 Intel Corporation
++ * Copyright(c) 2018 - 2020 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -31,7 +31,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2014 Intel Mobile Communications GmbH
+ * Copyright(c) 2015 - 2016 Intel Deutschland GmbH
+- * Copyright(c) 2018 - 2019 Intel Corporation
++ * Copyright(c) 2018 - 2020 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -541,7 +541,7 @@ int iwl_mvm_sta_tx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+ int tid, u8 queue, bool start);
+
+ int iwl_mvm_add_aux_sta(struct iwl_mvm *mvm);
+-void iwl_mvm_del_aux_sta(struct iwl_mvm *mvm);
++int iwl_mvm_rm_aux_sta(struct iwl_mvm *mvm);
+
+ int iwl_mvm_alloc_bcast_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif);
+ int iwl_mvm_send_add_bcast_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif);
+--
+2.25.1
+
--- /dev/null
+From 0d695cb40cc659bdd253b1262382e527b4d3ee21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 10:45:21 +0800
+Subject: ixgbe: fix signed-integer-overflow warning
+
+From: Xie XiuQi <xiexiuqi@huawei.com>
+
+[ Upstream commit 3b70683fc4d68f5d915d9dc7e5ba72c732c7315c ]
+
+ubsan report this warning, fix it by adding a unsigned suffix.
+
+UBSAN: signed-integer-overflow in
+drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:2246:26
+65535 * 65537 cannot be represented in type 'int'
+CPU: 21 PID: 7 Comm: kworker/u256:0 Not tainted 5.7.0-rc3-debug+ #39
+Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 03/27/2020
+Workqueue: ixgbe ixgbe_service_task [ixgbe]
+Call trace:
+ dump_backtrace+0x0/0x3f0
+ show_stack+0x28/0x38
+ dump_stack+0x154/0x1e4
+ ubsan_epilogue+0x18/0x60
+ handle_overflow+0xf8/0x148
+ __ubsan_handle_mul_overflow+0x34/0x48
+ ixgbe_fc_enable_generic+0x4d0/0x590 [ixgbe]
+ ixgbe_service_task+0xc20/0x1f78 [ixgbe]
+ process_one_work+0x8f0/0xf18
+ worker_thread+0x430/0x6d0
+ kthread+0x218/0x238
+ ret_from_fork+0x10/0x18
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+index 0bd1294ba517..39c5e6fdb72c 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+@@ -2243,7 +2243,7 @@ s32 ixgbe_fc_enable_generic(struct ixgbe_hw *hw)
+ }
+
+ /* Configure pause time (2 TCs per register) */
+- reg = hw->fc.pause_time * 0x00010001;
++ reg = hw->fc.pause_time * 0x00010001U;
+ for (i = 0; i < (MAX_TRAFFIC_CLASS / 2); i++)
+ IXGBE_WRITE_REG(hw, IXGBE_FCTTV(i), reg);
+
+--
+2.25.1
+
--- /dev/null
+From 3661d3fddd8199b9647c094f8e02449577aaa74d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 May 2020 12:50:49 +0200
+Subject: ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit 88eb0ee17b2ece64fcf6689a4557a5c2e7a89c4b ]
+
+The ixgbe driver have another memory model when compiled on archs with
+PAGE_SIZE above 4096 bytes. In this mode it doesn't split the page in
+two halves, but instead increment rx_buffer->page_offset by truesize of
+packet (which include headroom and tailroom for skb_shared_info).
+
+This is done correctly in ixgbe_build_skb(), but in ixgbe_rx_buffer_flip
+which is currently only called on XDP_TX and XDP_REDIRECT, it forgets
+to add the tailroom for skb_shared_info. This breaks XDP_REDIRECT, for
+veth and cpumap. Fix by adding size of skb_shared_info tailroom.
+
+Maintainers notice: This fix have been queued to Jeff.
+
+Fixes: 6453073987ba ("ixgbe: add initial support for xdp redirect")
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Link: https://lore.kernel.org/bpf/158945344946.97035.17031588499266605743.stgit@firesoul
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 718931d951bc..ea6834bae04c 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -2254,7 +2254,8 @@ static void ixgbe_rx_buffer_flip(struct ixgbe_ring *rx_ring,
+ rx_buffer->page_offset ^= truesize;
+ #else
+ unsigned int truesize = ring_uses_build_skb(rx_ring) ?
+- SKB_DATA_ALIGN(IXGBE_SKB_PAD + size) :
++ SKB_DATA_ALIGN(IXGBE_SKB_PAD + size) +
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) :
+ SKB_DATA_ALIGN(size);
+
+ rx_buffer->page_offset += truesize;
+--
+2.25.1
+
--- /dev/null
+From b5510257da8301aed23716b4574e2bd90fc42c85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2020 15:56:43 -0700
+Subject: kasan: stop tests being eliminated as dead code with FORTIFY_SOURCE
+
+From: Daniel Axtens <dja@axtens.net>
+
+[ Upstream commit adb72ae1915db28f934e9e02c18bfcea2f3ed3b7 ]
+
+Patch series "Fix some incompatibilites between KASAN and FORTIFY_SOURCE", v4.
+
+3 KASAN self-tests fail on a kernel with both KASAN and FORTIFY_SOURCE:
+memchr, memcmp and strlen.
+
+When FORTIFY_SOURCE is on, a number of functions are replaced with
+fortified versions, which attempt to check the sizes of the operands.
+However, these functions often directly invoke __builtin_foo() once they
+have performed the fortify check. The compiler can detect that the
+results of these functions are not used, and knows that they have no other
+side effects, and so can eliminate them as dead code.
+
+Why are only memchr, memcmp and strlen affected?
+================================================
+
+Of string and string-like functions, kasan_test tests:
+
+ * strchr -> not affected, no fortified version
+ * strrchr -> likewise
+ * strcmp -> likewise
+ * strncmp -> likewise
+
+ * strnlen -> not affected, the fortify source implementation calls the
+ underlying strnlen implementation which is instrumented, not
+ a builtin
+
+ * strlen -> affected, the fortify souce implementation calls a __builtin
+ version which the compiler can determine is dead.
+
+ * memchr -> likewise
+ * memcmp -> likewise
+
+ * memset -> not affected, the compiler knows that memset writes to its
+ first argument and therefore is not dead.
+
+Why does this not affect the functions normally?
+================================================
+
+In string.h, these functions are not marked as __pure, so the compiler
+cannot know that they do not have side effects. If relevant functions are
+marked as __pure in string.h, we see the following warnings and the
+functions are elided:
+
+lib/test_kasan.c: In function `kasan_memchr':
+lib/test_kasan.c:606:2: warning: statement with no effect [-Wunused-value]
+ memchr(ptr, '1', size + 1);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~
+lib/test_kasan.c: In function `kasan_memcmp':
+lib/test_kasan.c:622:2: warning: statement with no effect [-Wunused-value]
+ memcmp(ptr, arr, size+1);
+ ^~~~~~~~~~~~~~~~~~~~~~~~
+lib/test_kasan.c: In function `kasan_strings':
+lib/test_kasan.c:645:2: warning: statement with no effect [-Wunused-value]
+ strchr(ptr, '1');
+ ^~~~~~~~~~~~~~~~
+...
+
+This annotation would make sense to add and could be added at any point,
+so the behaviour of test_kasan.c should change.
+
+The fix
+=======
+
+Make all the functions that are pure write their results to a global,
+which makes them live. The strlen and memchr tests now pass.
+
+The memcmp test still fails to trigger, which is addressed in the next
+patch.
+
+[dja@axtens.net: drop patch 3]
+ Link: http://lkml.kernel.org/r/20200424145521.8203-2-dja@axtens.net
+Fixes: 0c96350a2d2f ("lib/test_kasan.c: add tests for several string/memory API functions")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: David Gow <davidgow@google.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Daniel Micay <danielmicay@gmail.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Link: http://lkml.kernel.org/r/20200423154503.5103-1-dja@axtens.net
+Link: http://lkml.kernel.org/r/20200423154503.5103-2-dja@axtens.net
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_kasan.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/lib/test_kasan.c b/lib/test_kasan.c
+index e3087d90e00d..dc2c6a51d11a 100644
+--- a/lib/test_kasan.c
++++ b/lib/test_kasan.c
+@@ -23,6 +23,14 @@
+
+ #include <asm/page.h>
+
++/*
++ * We assign some test results to these globals to make sure the tests
++ * are not eliminated as dead code.
++ */
++
++int kasan_int_result;
++void *kasan_ptr_result;
++
+ /*
+ * Note: test functions are marked noinline so that their names appear in
+ * reports.
+@@ -622,7 +630,7 @@ static noinline void __init kasan_memchr(void)
+ if (!ptr)
+ return;
+
+- memchr(ptr, '1', size + 1);
++ kasan_ptr_result = memchr(ptr, '1', size + 1);
+ kfree(ptr);
+ }
+
+@@ -638,7 +646,7 @@ static noinline void __init kasan_memcmp(void)
+ return;
+
+ memset(arr, 0, sizeof(arr));
+- memcmp(ptr, arr, size+1);
++ kasan_int_result = memcmp(ptr, arr, size + 1);
+ kfree(ptr);
+ }
+
+@@ -661,22 +669,22 @@ static noinline void __init kasan_strings(void)
+ * will likely point to zeroed byte.
+ */
+ ptr += 16;
+- strchr(ptr, '1');
++ kasan_ptr_result = strchr(ptr, '1');
+
+ pr_info("use-after-free in strrchr\n");
+- strrchr(ptr, '1');
++ kasan_ptr_result = strrchr(ptr, '1');
+
+ pr_info("use-after-free in strcmp\n");
+- strcmp(ptr, "2");
++ kasan_int_result = strcmp(ptr, "2");
+
+ pr_info("use-after-free in strncmp\n");
+- strncmp(ptr, "2", 1);
++ kasan_int_result = strncmp(ptr, "2", 1);
+
+ pr_info("use-after-free in strlen\n");
+- strlen(ptr);
++ kasan_int_result = strlen(ptr);
+
+ pr_info("use-after-free in strnlen\n");
+- strnlen(ptr, 1);
++ kasan_int_result = strnlen(ptr, 1);
+ }
+
+ static noinline void __init kasan_bitops(void)
+@@ -743,11 +751,12 @@ static noinline void __init kasan_bitops(void)
+ __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
+
+ pr_info("out-of-bounds in test_bit\n");
+- (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
++ kasan_int_result = test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
+
+ #if defined(clear_bit_unlock_is_negative_byte)
+ pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");
+- clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits);
++ kasan_int_result = clear_bit_unlock_is_negative_byte(BITS_PER_LONG +
++ BITS_PER_BYTE, bits);
+ #endif
+ kfree(bits);
+ }
+--
+2.25.1
+
--- /dev/null
+From 4a35dd239a7cb3d13eebd99b5c95afc21b106f9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 13:08:39 -0700
+Subject: kgdb: Disable WARN_CONSOLE_UNLOCKED for all kgdb
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 202164fbfa2b2ffa3e66b504e0f126ba9a745006 ]
+
+In commit 81eaadcae81b ("kgdboc: disable the console lock when in
+kgdb") we avoided the WARN_CONSOLE_UNLOCKED() yell when we were in
+kgdboc. That still works fine, but it turns out that we get a similar
+yell when using other I/O drivers. One example is the "I/O driver"
+for the kgdb test suite (kgdbts). When I enabled that I again got the
+same yells.
+
+Even though "kgdbts" doesn't actually interact with the user over the
+console, using it still causes kgdb to print to the consoles. That
+trips the same warning:
+ con_is_visible+0x60/0x68
+ con_scroll+0x110/0x1b8
+ lf+0x4c/0xc8
+ vt_console_print+0x1b8/0x348
+ vkdb_printf+0x320/0x89c
+ kdb_printf+0x68/0x90
+ kdb_main_loop+0x190/0x860
+ kdb_stub+0x2cc/0x3ec
+ kgdb_cpu_enter+0x268/0x744
+ kgdb_handle_exception+0x1a4/0x200
+ kgdb_compiled_brk_fn+0x34/0x44
+ brk_handler+0x7c/0xb8
+ do_debug_exception+0x1b4/0x228
+
+Let's increment/decrement the "ignore_console_lock_warning" variable
+all the time when we enter the debugger.
+
+This will allow us to later revert commit 81eaadcae81b ("kgdboc:
+disable the console lock when in kgdb").
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20200507130644.v4.1.Ied2b058357152ebcc8bf68edd6f20a11d98d7d4e@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/debug_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index 2b7c9b67931d..950dc667c823 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -668,6 +668,8 @@ return_normal:
+ if (kgdb_skipexception(ks->ex_vector, ks->linux_regs))
+ goto kgdb_restore;
+
++ atomic_inc(&ignore_console_lock_warning);
++
+ /* Call the I/O driver's pre_exception routine */
+ if (dbg_io_ops->pre_exception)
+ dbg_io_ops->pre_exception();
+@@ -740,6 +742,8 @@ cpu_master_loop:
+ if (dbg_io_ops->post_exception)
+ dbg_io_ops->post_exception();
+
++ atomic_dec(&ignore_console_lock_warning);
++
+ if (!kgdb_single_step) {
+ raw_spin_unlock(&dbg_slave_lock);
+ /* Wait till all the CPUs have quit from the debugger. */
+--
+2.25.1
+
--- /dev/null
+From cb3a1077c1f2b682231c994eeb6e268117a18cfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 17:42:23 +0100
+Subject: kgdb: Fix spurious true from in_dbg_master()
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit 3fec4aecb311995189217e64d725cfe84a568de3 ]
+
+Currently there is a small window where a badly timed migration could
+cause in_dbg_master() to spuriously return true. Specifically if we
+migrate to a new core after reading the processor id and the previous
+core takes a breakpoint then we will evaluate true if we read
+kgdb_active before we get the IPI to bring us to halt.
+
+Fix this by checking irqs_disabled() first. Interrupts are always
+disabled when we are executing the kgdb trap so this is an acceptable
+prerequisite. This also allows us to replace raw_smp_processor_id()
+with smp_processor_id() since the short circuit logic will prevent
+warnings from PREEMPT_DEBUG.
+
+Fixes: dcc7871128e9 ("kgdb: core changes to support kdb")
+Suggested-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20200506164223.2875760-1-daniel.thompson@linaro.org
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kgdb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
+index b072aeb1fd78..4d6fe87fd38f 100644
+--- a/include/linux/kgdb.h
++++ b/include/linux/kgdb.h
+@@ -323,7 +323,7 @@ extern void gdbstub_exit(int status);
+ extern int kgdb_single_step;
+ extern atomic_t kgdb_active;
+ #define in_dbg_master() \
+- (raw_smp_processor_id() == atomic_read(&kgdb_active))
++ (irqs_disabled() && (smp_processor_id() == atomic_read(&kgdb_active)))
+ extern bool dbg_is_early;
+ extern void __init dbg_late_init(void);
+ extern void kgdb_panic(const char *msg);
+--
+2.25.1
+
--- /dev/null
+From b74cc7108706346cccf9e5e15b685b3d62f5e1bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 13:08:44 -0700
+Subject: kgdb: Prevent infinite recursive entries to the debugger
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 3ca676e4ca60d1834bb77535dafe24169cadacef ]
+
+If we detect that we recursively entered the debugger we should hack
+our I/O ops to NULL so that the panic() in the next line won't
+actually cause another recursion into the debugger. The first line of
+kgdb_panic() will check this and return.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20200507130644.v4.6.I89de39f68736c9de610e6f241e68d8dbc44bc266@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/debug_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index 950dc667c823..d47c7d6656cd 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -532,6 +532,7 @@ static int kgdb_reenter_check(struct kgdb_state *ks)
+
+ if (exception_level > 1) {
+ dump_stack();
++ kgdb_io_module_registered = false;
+ panic("Recursive entry to debugger");
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 737fa843b939ec6970afabb387826c23b8bc95e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 13:08:41 -0700
+Subject: kgdboc: Use a platform device to handle tty drivers showing up late
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 68e55f61c13842baf825958129698c5371db432c ]
+
+If you build CONFIG_KGDB_SERIAL_CONSOLE into the kernel then you
+should be able to have KGDB init itself at bootup by specifying the
+"kgdboc=..." kernel command line parameter. This has worked OK for me
+for many years, but on a new device I switched to it stopped working.
+
+The problem is that on this new device the serial driver gets its
+probe deferred. Now when kgdb initializes it can't find the tty
+driver and when it gives up it never tries again.
+
+We could try to find ways to move up the initialization of the serial
+driver and such a thing might be worthwhile, but it's nice to be
+robust against serial drivers that load late. We could move kgdb to
+init itself later but that penalizes our ability to debug early boot
+code on systems where the driver inits early. We could roll our own
+system of detecting when new tty drivers get loaded and then use that
+to figure out when kgdb can init, but that's ugly.
+
+Instead, let's jump on the -EPROBE_DEFER bandwagon. We'll create a
+singleton instance of a "kgdboc" platform device. If we can't find
+our tty device when the singleton "kgdboc" probes we'll return
+-EPROBE_DEFER which means that the system will call us back later to
+try again when the tty device might be there.
+
+We won't fully transition all of the kgdboc to a platform device
+because early kgdb initialization (via the "ekgdboc" kernel command
+line parameter) still runs before the platform device has been
+created. The kgdb platform device is merely used as a convenient way
+to hook into the system's normal probe deferral mechanisms.
+
+As part of this, we'll ever-so-slightly change how the "kgdboc=..."
+kernel command line parameter works. Previously if you booted up and
+kgdb couldn't find the tty driver then later reading
+'/sys/module/kgdboc/parameters/kgdboc' would return a blank string.
+Now kgdb will keep track of the string that came as part of the
+command line and give it back to you. It's expected that this should
+be an OK change.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20200507130644.v4.3.I4a493cfb0f9f740ce8fd2ab58e62dc92d18fed30@changeid
+[daniel.thompson@linaro.org: Make config_mutex static]
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/kgdboc.c | 126 +++++++++++++++++++++++++++++-------
+ 1 file changed, 101 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
+index c9f94fa82be4..151256f70d37 100644
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -20,6 +20,7 @@
+ #include <linux/vt_kern.h>
+ #include <linux/input.h>
+ #include <linux/module.h>
++#include <linux/platform_device.h>
+
+ #define MAX_CONFIG_LEN 40
+
+@@ -27,6 +28,7 @@ static struct kgdb_io kgdboc_io_ops;
+
+ /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
+ static int configured = -1;
++static DEFINE_MUTEX(config_mutex);
+
+ static char config[MAX_CONFIG_LEN];
+ static struct kparam_string kps = {
+@@ -38,6 +40,8 @@ static int kgdboc_use_kms; /* 1 if we use kernel mode switching */
+ static struct tty_driver *kgdb_tty_driver;
+ static int kgdb_tty_line;
+
++static struct platform_device *kgdboc_pdev;
++
+ #ifdef CONFIG_KDB_KEYBOARD
+ static int kgdboc_reset_connect(struct input_handler *handler,
+ struct input_dev *dev,
+@@ -133,11 +137,13 @@ static void kgdboc_unregister_kbd(void)
+
+ static void cleanup_kgdboc(void)
+ {
++ if (configured != 1)
++ return;
++
+ if (kgdb_unregister_nmi_console())
+ return;
+ kgdboc_unregister_kbd();
+- if (configured == 1)
+- kgdb_unregister_io_module(&kgdboc_io_ops);
++ kgdb_unregister_io_module(&kgdboc_io_ops);
+ }
+
+ static int configure_kgdboc(void)
+@@ -198,20 +204,79 @@ nmi_con_failed:
+ kgdb_unregister_io_module(&kgdboc_io_ops);
+ noconfig:
+ kgdboc_unregister_kbd();
+- config[0] = 0;
+ configured = 0;
+- cleanup_kgdboc();
+
+ return err;
+ }
+
++static int kgdboc_probe(struct platform_device *pdev)
++{
++ int ret = 0;
++
++ mutex_lock(&config_mutex);
++ if (configured != 1) {
++ ret = configure_kgdboc();
++
++ /* Convert "no device" to "defer" so we'll keep trying */
++ if (ret == -ENODEV)
++ ret = -EPROBE_DEFER;
++ }
++ mutex_unlock(&config_mutex);
++
++ return ret;
++}
++
++static struct platform_driver kgdboc_platform_driver = {
++ .probe = kgdboc_probe,
++ .driver = {
++ .name = "kgdboc",
++ .suppress_bind_attrs = true,
++ },
++};
++
+ static int __init init_kgdboc(void)
+ {
+- /* Already configured? */
+- if (configured == 1)
++ int ret;
++
++ /*
++ * kgdboc is a little bit of an odd "platform_driver". It can be
++ * up and running long before the platform_driver object is
++ * created and thus doesn't actually store anything in it. There's
++ * only one instance of kgdb so anything is stored as global state.
++ * The platform_driver is only created so that we can leverage the
++ * kernel's mechanisms (like -EPROBE_DEFER) to call us when our
++ * underlying tty is ready. Here we init our platform driver and
++ * then create the single kgdboc instance.
++ */
++ ret = platform_driver_register(&kgdboc_platform_driver);
++ if (ret)
++ return ret;
++
++ kgdboc_pdev = platform_device_alloc("kgdboc", PLATFORM_DEVID_NONE);
++ if (!kgdboc_pdev) {
++ ret = -ENOMEM;
++ goto err_did_register;
++ }
++
++ ret = platform_device_add(kgdboc_pdev);
++ if (!ret)
+ return 0;
+
+- return configure_kgdboc();
++ platform_device_put(kgdboc_pdev);
++
++err_did_register:
++ platform_driver_unregister(&kgdboc_platform_driver);
++ return ret;
++}
++
++static void exit_kgdboc(void)
++{
++ mutex_lock(&config_mutex);
++ cleanup_kgdboc();
++ mutex_unlock(&config_mutex);
++
++ platform_device_unregister(kgdboc_pdev);
++ platform_driver_unregister(&kgdboc_platform_driver);
+ }
+
+ static int kgdboc_get_char(void)
+@@ -234,24 +299,20 @@ static int param_set_kgdboc_var(const char *kmessage,
+ const struct kernel_param *kp)
+ {
+ size_t len = strlen(kmessage);
++ int ret = 0;
+
+ if (len >= MAX_CONFIG_LEN) {
+ pr_err("config string too long\n");
+ return -ENOSPC;
+ }
+
+- /* Only copy in the string if the init function has not run yet */
+- if (configured < 0) {
+- strcpy(config, kmessage);
+- return 0;
+- }
+-
+ if (kgdb_connected) {
+ pr_err("Cannot reconfigure while KGDB is connected.\n");
+-
+ return -EBUSY;
+ }
+
++ mutex_lock(&config_mutex);
++
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+ if (len && config[len - 1] == '\n')
+@@ -260,8 +321,30 @@ static int param_set_kgdboc_var(const char *kmessage,
+ if (configured == 1)
+ cleanup_kgdboc();
+
+- /* Go and configure with the new params. */
+- return configure_kgdboc();
++ /*
++ * Configure with the new params as long as init already ran.
++ * Note that we can get called before init if someone loads us
++ * with "modprobe kgdboc kgdboc=..." or if they happen to use the
++ * the odd syntax of "kgdboc.kgdboc=..." on the kernel command.
++ */
++ if (configured >= 0)
++ ret = configure_kgdboc();
++
++ /*
++ * If we couldn't configure then clear out the config. Note that
++ * specifying an invalid config on the kernel command line vs.
++ * through sysfs have slightly different behaviors. If we fail
++ * to configure what was specified on the kernel command line
++ * we'll leave it in the 'config' and return -EPROBE_DEFER from
++ * our probe. When specified through sysfs userspace is
++ * responsible for loading the tty driver before setting up.
++ */
++ if (ret)
++ config[0] = '\0';
++
++ mutex_unlock(&config_mutex);
++
++ return ret;
+ }
+
+ static int dbg_restore_graphics;
+@@ -324,15 +407,8 @@ __setup("kgdboc=", kgdboc_option_setup);
+ /* This is only available if kgdboc is a built in for early debugging */
+ static int __init kgdboc_early_init(char *opt)
+ {
+- /* save the first character of the config string because the
+- * init routine can destroy it.
+- */
+- char save_ch;
+-
+ kgdboc_option_setup(opt);
+- save_ch = config[0];
+- init_kgdboc();
+- config[0] = save_ch;
++ configure_kgdboc();
+ return 0;
+ }
+
+@@ -340,7 +416,7 @@ early_param("ekgdboc", kgdboc_early_init);
+ #endif /* CONFIG_KGDB_SERIAL_CONSOLE */
+
+ module_init(init_kgdboc);
+-module_exit(cleanup_kgdboc);
++module_exit(exit_kgdboc);
+ module_param_call(kgdboc, param_set_kgdboc_var, param_get_string, &kps, 0644);
+ MODULE_PARM_DESC(kgdboc, "<serial_device>[,baud]");
+ MODULE_DESCRIPTION("KGDB Console TTY Driver");
+--
+2.25.1
+
--- /dev/null
+From f2e42e1b0d616799c43ecc953524bfebbb560beb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 14:47:04 -0700
+Subject: lib/mpi: Fix 64-bit MIPS build with Clang
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 18f1ca46858eac22437819937ae44aa9a8f9f2fa ]
+
+When building 64r6_defconfig with CONFIG_MIPS32_O32 disabled and
+CONFIG_CRYPTO_RSA enabled:
+
+lib/mpi/generic_mpih-mul1.c:37:24: error: invalid use of a cast in a
+inline asm context requiring an l-value: remove the cast
+or build with -fheinous-gnu-extensions
+ umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb);
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+lib/mpi/longlong.h:664:22: note: expanded from macro 'umul_ppmm'
+ : "=d" ((UDItype)(w0))
+ ~~~~~~~~~~^~~
+lib/mpi/generic_mpih-mul1.c:37:13: error: invalid use of a cast in a
+inline asm context requiring an l-value: remove the cast
+or build with -fheinous-gnu-extensions
+ umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb);
+ ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+lib/mpi/longlong.h:668:22: note: expanded from macro 'umul_ppmm'
+ : "=d" ((UDItype)(w1))
+ ~~~~~~~~~~^~~
+2 errors generated.
+
+This special case for umul_ppmm for MIPS64r6 was added in
+commit bbc25bee37d2b ("lib/mpi: Fix umul_ppmm() for MIPS64r6"), due to
+GCC being inefficient and emitting a __multi3 intrinsic.
+
+There is no such issue with clang; with this patch applied, I can build
+this configuration without any problems and there are no link errors
+like mentioned in the commit above (which I can still reproduce with
+GCC 9.3.0 when that commit is reverted). Only use this definition when
+GCC is being used.
+
+This really should have been caught by commit b0c091ae04f67 ("lib/mpi:
+Eliminate unused umul_ppmm definitions for MIPS") when I was messing
+around in this area but I was not testing 64-bit MIPS at the time.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/885
+Reported-by: Dmitry Golovin <dima@golovin.in>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/mpi/longlong.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h
+index 891e1c3549c4..afbd99987cf8 100644
+--- a/lib/mpi/longlong.h
++++ b/lib/mpi/longlong.h
+@@ -653,7 +653,7 @@ do { \
+ ************** MIPS/64 **************
+ ***************************************/
+ #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64
+-#if defined(__mips_isa_rev) && __mips_isa_rev >= 6
++#if defined(__mips_isa_rev) && __mips_isa_rev >= 6 && defined(CONFIG_CC_IS_GCC)
+ /*
+ * GCC ends up emitting a __multi3 intrinsic call for MIPS64r6 with the plain C
+ * code below, so we special case MIPS64r6 until the compiler can do better.
+--
+2.25.1
+
--- /dev/null
+From 6935209418952cbcbaaaab77b887e13f8ad60dfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:08 -0700
+Subject: libbpf: Fix huge memory leak in libbpf_find_vmlinux_btf_id()
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 3521ffa2ee9a48c3236c93f54ae11c074490ebce ]
+
+BTF object wasn't freed.
+
+Fixes: a6ed02cac690 ("libbpf: Load btf_vmlinux only once per object.")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Cc: KP Singh <kpsingh@google.com>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-9-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 63fc872723fc..cd53204d33f0 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -6688,6 +6688,7 @@ int libbpf_find_vmlinux_btf_id(const char *name,
+ enum bpf_attach_type attach_type)
+ {
+ struct btf *btf;
++ int err;
+
+ btf = libbpf_find_kernel_btf();
+ if (IS_ERR(btf)) {
+@@ -6695,7 +6696,9 @@ int libbpf_find_vmlinux_btf_id(const char *name,
+ return -EINVAL;
+ }
+
+- return __find_vmlinux_btf_id(btf, name, attach_type);
++ err = __find_vmlinux_btf_id(btf, name, attach_type);
++ btf__free(btf);
++ return err;
+ }
+
+ static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd)
+--
+2.25.1
+
--- /dev/null
+From 07f568f3a77a8228215b25fb6571b71e04212bb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:04 -0700
+Subject: libbpf: Fix memory leak and possible double-free in hashmap__clear
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 229bf8bf4d910510bc1a2fd0b89bd467cd71050d ]
+
+Fix memory leak in hashmap_clear() not freeing hashmap_entry structs for each
+of the remaining entries. Also NULL-out bucket list to prevent possible
+double-free between hashmap__clear() and hashmap__free().
+
+Running test_progs-asan flavor clearly showed this problem.
+
+Reported-by: Alston Tang <alston64@fb.com>
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-5-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/hashmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/lib/bpf/hashmap.c b/tools/lib/bpf/hashmap.c
+index 54c30c802070..cffb96202e0d 100644
+--- a/tools/lib/bpf/hashmap.c
++++ b/tools/lib/bpf/hashmap.c
+@@ -59,7 +59,14 @@ struct hashmap *hashmap__new(hashmap_hash_fn hash_fn,
+
+ void hashmap__clear(struct hashmap *map)
+ {
++ struct hashmap_entry *cur, *tmp;
++ int bkt;
++
++ hashmap__for_each_entry_safe(map, cur, tmp, bkt) {
++ free(cur);
++ }
+ free(map->buckets);
++ map->buckets = NULL;
+ map->cap = map->cap_bits = map->sz = 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From aa5e71ab50d57a9eb33a3150d34327d4307bc7b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2020 10:42:00 +0200
+Subject: libbpf: Fix perf_buffer__free() API for sparse allocs
+
+From: Eelco Chaudron <echaudro@redhat.com>
+
+[ Upstream commit 601b05ca6edb0422bf6ce313fbfd55ec7bbbc0fd ]
+
+In case the cpu_bufs are sparsely allocated they are not all
+free'ed. These changes will fix this.
+
+Fixes: fb84b8224655 ("libbpf: add perf buffer API")
+Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/159056888305.330763.9684536967379110349.stgit@ebuild
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index cd53204d33f0..0c5b4fb553fb 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -7809,9 +7809,12 @@ void perf_buffer__free(struct perf_buffer *pb)
+ if (!pb)
+ return;
+ if (pb->cpu_bufs) {
+- for (i = 0; i < pb->cpu_cnt && pb->cpu_bufs[i]; i++) {
++ for (i = 0; i < pb->cpu_cnt; i++) {
+ struct perf_cpu_buf *cpu_buf = pb->cpu_bufs[i];
+
++ if (!cpu_buf)
++ continue;
++
+ bpf_map_delete_elem(pb->map_fd, &cpu_buf->map_key);
+ perf_buffer__free_cpu_buf(pb, cpu_buf);
+ }
+--
+2.25.1
+
--- /dev/null
+From cd9874a1024f8dbcccf120f4575c8190f2ec2385 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 17:27:38 -0700
+Subject: libbpf: Refactor map creation logic and fix cleanup leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 2d39d7c56f115148b05d1d8c6b8698a5730c8b53 ]
+
+Factor out map creation and destruction logic to simplify code and especially
+error handling. Also fix map FD leak in case of partially successful map
+creation during bpf_object load operation.
+
+Fixes: 57a00f41644f ("libbpf: Add auto-pinning of maps when loading BPF objects")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/bpf/20200429002739.48006-3-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 226 ++++++++++++++++++++++-------------------
+ 1 file changed, 121 insertions(+), 105 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 8f480e29a6b0..63fc872723fc 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -3482,107 +3482,111 @@ bpf_object__populate_internal_map(struct bpf_object *obj, struct bpf_map *map)
+ return 0;
+ }
+
++static void bpf_map__destroy(struct bpf_map *map);
++
++static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map)
++{
++ struct bpf_create_map_attr create_attr;
++ struct bpf_map_def *def = &map->def;
++
++ memset(&create_attr, 0, sizeof(create_attr));
++
++ if (obj->caps.name)
++ create_attr.name = map->name;
++ create_attr.map_ifindex = map->map_ifindex;
++ create_attr.map_type = def->type;
++ create_attr.map_flags = def->map_flags;
++ create_attr.key_size = def->key_size;
++ create_attr.value_size = def->value_size;
++
++ if (def->type == BPF_MAP_TYPE_PERF_EVENT_ARRAY && !def->max_entries) {
++ int nr_cpus;
++
++ nr_cpus = libbpf_num_possible_cpus();
++ if (nr_cpus < 0) {
++ pr_warn("map '%s': failed to determine number of system CPUs: %d\n",
++ map->name, nr_cpus);
++ return nr_cpus;
++ }
++ pr_debug("map '%s': setting size to %d\n", map->name, nr_cpus);
++ create_attr.max_entries = nr_cpus;
++ } else {
++ create_attr.max_entries = def->max_entries;
++ }
++
++ if (bpf_map__is_struct_ops(map))
++ create_attr.btf_vmlinux_value_type_id =
++ map->btf_vmlinux_value_type_id;
++
++ create_attr.btf_fd = 0;
++ create_attr.btf_key_type_id = 0;
++ create_attr.btf_value_type_id = 0;
++ if (obj->btf && !bpf_map_find_btf_info(obj, map)) {
++ create_attr.btf_fd = btf__fd(obj->btf);
++ create_attr.btf_key_type_id = map->btf_key_type_id;
++ create_attr.btf_value_type_id = map->btf_value_type_id;
++ }
++
++ map->fd = bpf_create_map_xattr(&create_attr);
++ if (map->fd < 0 && (create_attr.btf_key_type_id ||
++ create_attr.btf_value_type_id)) {
++ char *cp, errmsg[STRERR_BUFSIZE];
++ int err = -errno;
++
++ cp = libbpf_strerror_r(err, errmsg, sizeof(errmsg));
++ pr_warn("Error in bpf_create_map_xattr(%s):%s(%d). Retrying without BTF.\n",
++ map->name, cp, err);
++ create_attr.btf_fd = 0;
++ create_attr.btf_key_type_id = 0;
++ create_attr.btf_value_type_id = 0;
++ map->btf_key_type_id = 0;
++ map->btf_value_type_id = 0;
++ map->fd = bpf_create_map_xattr(&create_attr);
++ }
++
++ if (map->fd < 0)
++ return -errno;
++
++ return 0;
++}
++
+ static int
+ bpf_object__create_maps(struct bpf_object *obj)
+ {
+- struct bpf_create_map_attr create_attr = {};
+- int nr_cpus = 0;
+- unsigned int i;
++ struct bpf_map *map;
++ char *cp, errmsg[STRERR_BUFSIZE];
++ unsigned int i, j;
+ int err;
+
+ for (i = 0; i < obj->nr_maps; i++) {
+- struct bpf_map *map = &obj->maps[i];
+- struct bpf_map_def *def = &map->def;
+- char *cp, errmsg[STRERR_BUFSIZE];
+- int *pfd = &map->fd;
++ map = &obj->maps[i];
+
+ if (map->pin_path) {
+ err = bpf_object__reuse_map(map);
+ if (err) {
+- pr_warn("error reusing pinned map %s\n",
++ pr_warn("map '%s': error reusing pinned map\n",
+ map->name);
+- return err;
++ goto err_out;
+ }
+ }
+
+ if (map->fd >= 0) {
+- pr_debug("skip map create (preset) %s: fd=%d\n",
++ pr_debug("map '%s': skipping creation (preset fd=%d)\n",
+ map->name, map->fd);
+ continue;
+ }
+
+- if (obj->caps.name)
+- create_attr.name = map->name;
+- create_attr.map_ifindex = map->map_ifindex;
+- create_attr.map_type = def->type;
+- create_attr.map_flags = def->map_flags;
+- create_attr.key_size = def->key_size;
+- create_attr.value_size = def->value_size;
+- if (def->type == BPF_MAP_TYPE_PERF_EVENT_ARRAY &&
+- !def->max_entries) {
+- if (!nr_cpus)
+- nr_cpus = libbpf_num_possible_cpus();
+- if (nr_cpus < 0) {
+- pr_warn("failed to determine number of system CPUs: %d\n",
+- nr_cpus);
+- err = nr_cpus;
+- goto err_out;
+- }
+- pr_debug("map '%s': setting size to %d\n",
+- map->name, nr_cpus);
+- create_attr.max_entries = nr_cpus;
+- } else {
+- create_attr.max_entries = def->max_entries;
+- }
+- create_attr.btf_fd = 0;
+- create_attr.btf_key_type_id = 0;
+- create_attr.btf_value_type_id = 0;
+- if (bpf_map_type__is_map_in_map(def->type) &&
+- map->inner_map_fd >= 0)
+- create_attr.inner_map_fd = map->inner_map_fd;
+- if (bpf_map__is_struct_ops(map))
+- create_attr.btf_vmlinux_value_type_id =
+- map->btf_vmlinux_value_type_id;
+-
+- if (obj->btf && !bpf_map_find_btf_info(obj, map)) {
+- create_attr.btf_fd = btf__fd(obj->btf);
+- create_attr.btf_key_type_id = map->btf_key_type_id;
+- create_attr.btf_value_type_id = map->btf_value_type_id;
+- }
+-
+- *pfd = bpf_create_map_xattr(&create_attr);
+- if (*pfd < 0 && (create_attr.btf_key_type_id ||
+- create_attr.btf_value_type_id)) {
+- err = -errno;
+- cp = libbpf_strerror_r(err, errmsg, sizeof(errmsg));
+- pr_warn("Error in bpf_create_map_xattr(%s):%s(%d). Retrying without BTF.\n",
+- map->name, cp, err);
+- create_attr.btf_fd = 0;
+- create_attr.btf_key_type_id = 0;
+- create_attr.btf_value_type_id = 0;
+- map->btf_key_type_id = 0;
+- map->btf_value_type_id = 0;
+- *pfd = bpf_create_map_xattr(&create_attr);
+- }
+-
+- if (*pfd < 0) {
+- size_t j;
++ err = bpf_object__create_map(obj, map);
++ if (err)
++ goto err_out;
+
+- err = -errno;
+-err_out:
+- cp = libbpf_strerror_r(err, errmsg, sizeof(errmsg));
+- pr_warn("failed to create map (name: '%s'): %s(%d)\n",
+- map->name, cp, err);
+- pr_perm_msg(err);
+- for (j = 0; j < i; j++)
+- zclose(obj->maps[j].fd);
+- return err;
+- }
++ pr_debug("map '%s': created successfully, fd=%d\n", map->name,
++ map->fd);
+
+ if (bpf_map__is_internal(map)) {
+ err = bpf_object__populate_internal_map(obj, map);
+ if (err < 0) {
+- zclose(*pfd);
++ zclose(map->fd);
+ goto err_out;
+ }
+ }
+@@ -3590,16 +3594,23 @@ err_out:
+ if (map->pin_path && !map->pinned) {
+ err = bpf_map__pin(map, NULL);
+ if (err) {
+- pr_warn("failed to auto-pin map name '%s' at '%s'\n",
+- map->name, map->pin_path);
+- return err;
++ pr_warn("map '%s': failed to auto-pin at '%s': %d\n",
++ map->name, map->pin_path, err);
++ zclose(map->fd);
++ goto err_out;
+ }
+ }
+-
+- pr_debug("created map %s: fd=%d\n", map->name, *pfd);
+ }
+
+ return 0;
++
++err_out:
++ cp = libbpf_strerror_r(err, errmsg, sizeof(errmsg));
++ pr_warn("map '%s': failed to create: %s(%d)\n", map->name, cp, err);
++ pr_perm_msg(err);
++ for (j = 0; j < i; j++)
++ zclose(obj->maps[j].fd);
++ return err;
+ }
+
+ static int
+@@ -5955,6 +5966,32 @@ int bpf_object__pin(struct bpf_object *obj, const char *path)
+ return 0;
+ }
+
++static void bpf_map__destroy(struct bpf_map *map)
++{
++ if (map->clear_priv)
++ map->clear_priv(map, map->priv);
++ map->priv = NULL;
++ map->clear_priv = NULL;
++
++ if (map->mmaped) {
++ munmap(map->mmaped, bpf_map_mmap_sz(map));
++ map->mmaped = NULL;
++ }
++
++ if (map->st_ops) {
++ zfree(&map->st_ops->data);
++ zfree(&map->st_ops->progs);
++ zfree(&map->st_ops->kern_func_off);
++ zfree(&map->st_ops);
++ }
++
++ zfree(&map->name);
++ zfree(&map->pin_path);
++
++ if (map->fd >= 0)
++ zclose(map->fd);
++}
++
+ void bpf_object__close(struct bpf_object *obj)
+ {
+ size_t i;
+@@ -5970,29 +6007,8 @@ void bpf_object__close(struct bpf_object *obj)
+ btf__free(obj->btf);
+ btf_ext__free(obj->btf_ext);
+
+- for (i = 0; i < obj->nr_maps; i++) {
+- struct bpf_map *map = &obj->maps[i];
+-
+- if (map->clear_priv)
+- map->clear_priv(map, map->priv);
+- map->priv = NULL;
+- map->clear_priv = NULL;
+-
+- if (map->mmaped) {
+- munmap(map->mmaped, bpf_map_mmap_sz(map));
+- map->mmaped = NULL;
+- }
+-
+- if (map->st_ops) {
+- zfree(&map->st_ops->data);
+- zfree(&map->st_ops->progs);
+- zfree(&map->st_ops->kern_func_off);
+- zfree(&map->st_ops);
+- }
+-
+- zfree(&map->name);
+- zfree(&map->pin_path);
+- }
++ for (i = 0; i < obj->nr_maps; i++)
++ bpf_map__destroy(&obj->maps[i]);
+
+ zfree(&obj->kconfig);
+ zfree(&obj->externs);
+--
+2.25.1
+
--- /dev/null
+From 1a4cd5d3c2d77dff39422c0575f46332629a24c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 May 2020 18:39:00 +0100
+Subject: libertas_tf: avoid a null dereference in pointer priv
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 049ceac308b0d57c4f06b9fb957cdf95d315cf0b ]
+
+Currently there is a check if priv is null when calling lbtf_remove_card
+but not in a previous call to if_usb_reset_dev that can also dereference
+priv. Fix this by also only calling lbtf_remove_card if priv is null.
+
+It is noteable that there don't seem to be any bugs reported that the
+null pointer dereference has ever occurred, so I'm not sure if the null
+check is required, but since we're doing a null check anyway it should
+be done for both function calls.
+
+Addresses-Coverity: ("Dereference before null check")
+Fixes: baa0280f08c7 ("libertas_tf: don't defer firmware loading until start()")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200501173900.296658-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas_tf/if_usb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+index 25ac9db35dbf..bedc09215088 100644
+--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+@@ -247,10 +247,10 @@ static void if_usb_disconnect(struct usb_interface *intf)
+
+ lbtf_deb_enter(LBTF_DEB_MAIN);
+
+- if_usb_reset_device(priv);
+-
+- if (priv)
++ if (priv) {
++ if_usb_reset_device(priv);
+ lbtf_remove_card(priv);
++ }
+
+ /* Unlink and free urb */
+ if_usb_free(cardp);
+--
+2.25.1
+
--- /dev/null
+From 7e14eb84c2936141ccbd750b257d7581b115014b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2020 19:31:01 -0700
+Subject: libperf evlist: Fix a refcount leak
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 4599d292128d89e4cf866a0ea9a9b047a2de8418 ]
+
+Memory leaks found by applying LLVM's libfuzzer on the tools/perf
+parse_events function.
+
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Leo Yan <leo.yan@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: clang-built-linux@googlegroups.com
+Link: http://lore.kernel.org/lkml/20200319023101.82458-2-irogers@google.com
+[ Did a minor adjustment due to some other previous patch having already set evlist->all_cpus to NULL at perf_evlist__exit() ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/perf/evlist.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/perf/evlist.c b/tools/lib/perf/evlist.c
+index 5b9f2ca50591..62130d28652d 100644
+--- a/tools/lib/perf/evlist.c
++++ b/tools/lib/perf/evlist.c
+@@ -125,6 +125,7 @@ static void perf_evlist__purge(struct perf_evlist *evlist)
+ void perf_evlist__exit(struct perf_evlist *evlist)
+ {
+ perf_cpu_map__put(evlist->cpus);
++ perf_cpu_map__put(evlist->all_cpus);
+ perf_thread_map__put(evlist->threads);
+ evlist->cpus = NULL;
+ evlist->threads = NULL;
+--
+2.25.1
+
--- /dev/null
+From 08980a15a0ce0de78e13719462f71fd4b667638d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 May 2020 10:05:46 -0400
+Subject: lockdown: Allow unprivileged users to see lockdown status
+
+From: Jeremy Cline <jcline@redhat.com>
+
+[ Upstream commit 60cf7c5ed5f7087c4de87a7676b8c82d96fd166c ]
+
+A number of userspace tools, such as systemtap, need a way to see the
+current lockdown state so they can gracefully deal with the kernel being
+locked down. The state is already exposed in
+/sys/kernel/security/lockdown, but is only readable by root. Adjust the
+permissions so unprivileged users can read the state.
+
+Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
+Cc: Frank Ch. Eigler <fche@redhat.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: James Morris <jmorris@namei.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/lockdown/lockdown.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index 5a952617a0eb..87cbdc64d272 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -150,7 +150,7 @@ static int __init lockdown_secfs_init(void)
+ {
+ struct dentry *dentry;
+
+- dentry = securityfs_create_file("lockdown", 0600, NULL, NULL,
++ dentry = securityfs_create_file("lockdown", 0644, NULL, NULL,
+ &lockdown_ops);
+ return PTR_ERR_OR_ZERO(dentry);
+ }
+--
+2.25.1
+
--- /dev/null
+From 5f419a528475b0b7a0256b50e0baf28669296d2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2020 14:32:02 +1000
+Subject: m68k: mac: Don't call via_flush_cache() on Mac IIfx
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit bcc44f6b74106b31f0b0408b70305a40360d63b7 ]
+
+There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache().
+This avoids a boot crash which appeared in v5.4.
+
+printk: console [ttyS0] enabled
+printk: bootconsole [debug0] disabled
+printk: bootconsole [debug0] disabled
+Calibrating delay loop... 9.61 BogoMIPS (lpj=48064)
+pid_max: default: 32768 minimum: 301
+Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
+Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
+devtmpfs: initialized
+random: get_random_u32 called from bucket_table_alloc.isra.27+0x68/0x194 with crng_init=0
+clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
+futex hash table entries: 256 (order: -1, 3072 bytes, linear)
+NET: Registered protocol family 16
+Data read fault at 0x00000000 in Super Data (pc=0x8a6a)
+BAD KERNEL BUSERR
+Oops: 00000000
+Modules linked in:
+PC: [<00008a6a>] via_flush_cache+0x12/0x2c
+SR: 2700 SP: 01c1fe3c a2: 01c24000
+d0: 00001119 d1: 0000000c d2: 00012000 d3: 0000000f
+d4: 01c06840 d5: 00033b92 a0: 00000000 a1: 00000000
+Process swapper (pid: 1, task=01c24000)
+Frame format=B ssw=0755 isc=0200 isb=fff7 daddr=00000000 dobuf=01c1fed0
+baddr=00008a6e dibuf=0000004e ver=f
+Stack from 01c1fec4:
+ 01c1fed0 00007d7e 00010080 01c1fedc 0000792e 00000001 01c1fef4 00006b40
+ 01c80000 00040000 00000006 00000003 01c1ff1c 004a545e 004ff200 00040000
+ 00000000 00000003 01c06840 00033b92 004a5410 004b6c88 01c1ff84 000021e2
+ 00000073 00000003 01c06840 00033b92 0038507a 004bb094 004b6ca8 004b6c88
+ 004b6ca4 004b6c88 000021ae 00020002 00000000 01c0685d 00000000 01c1ffb4
+ 0049f938 00409c85 01c06840 0045bd40 00000073 00000002 00000002 00000000
+Call Trace: [<00007d7e>] mac_cache_card_flush+0x12/0x1c
+ [<00010080>] fix_dnrm+0x2/0x18
+ [<0000792e>] cache_push+0x46/0x5a
+ [<00006b40>] arch_dma_prep_coherent+0x60/0x6e
+ [<00040000>] switched_to_dl+0x76/0xd0
+ [<004a545e>] dma_atomic_pool_init+0x4e/0x188
+ [<00040000>] switched_to_dl+0x76/0xd0
+ [<00033b92>] parse_args+0x0/0x370
+ [<004a5410>] dma_atomic_pool_init+0x0/0x188
+ [<000021e2>] do_one_initcall+0x34/0x1be
+ [<00033b92>] parse_args+0x0/0x370
+ [<0038507a>] strcpy+0x0/0x1e
+ [<000021ae>] do_one_initcall+0x0/0x1be
+ [<00020002>] do_proc_dointvec_conv+0x54/0x74
+ [<0049f938>] kernel_init_freeable+0x126/0x190
+ [<0049f94c>] kernel_init_freeable+0x13a/0x190
+ [<004a5410>] dma_atomic_pool_init+0x0/0x188
+ [<00041798>] complete+0x0/0x3c
+ [<000b9b0c>] kfree+0x0/0x20a
+ [<0038df98>] schedule+0x0/0xd0
+ [<0038d604>] kernel_init+0x0/0xda
+ [<0038d610>] kernel_init+0xc/0xda
+ [<0038d604>] kernel_init+0x0/0xda
+ [<00002d38>] ret_from_kernel_thread+0xc/0x14
+Code: 0000 2079 0048 10da 2279 0048 10c8 d3c8 <1011> 0200 fff7 1280 d1f9 0048 10c8 1010 0000 0008 1080 4e5e 4e75 4e56 0000 2039
+Disabling lock debugging due to kernel taint
+Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+Thanks to Stan Johnson for capturing the console log and running git
+bisect.
+
+Git bisect said commit 8e3a68fb55e0 ("dma-mapping: make
+dma_atomic_pool_init self-contained") is the first "bad" commit. I don't
+know why. Perhaps mach_l2_flush first became reachable with that commit.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Cc: Joshua Thompson <funaho@jurai.org>
+Link: https://lore.kernel.org/r/b8bbeef197d6b3898e82ed0d231ad08f575a4b34.1589949122.git.fthain@telegraphics.com.au
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/mac_via.h | 1 +
+ arch/m68k/mac/config.c | 21 ++-------------------
+ arch/m68k/mac/via.c | 6 +++++-
+ 3 files changed, 8 insertions(+), 20 deletions(-)
+
+diff --git a/arch/m68k/include/asm/mac_via.h b/arch/m68k/include/asm/mac_via.h
+index de1470c4d829..1149251ea58d 100644
+--- a/arch/m68k/include/asm/mac_via.h
++++ b/arch/m68k/include/asm/mac_via.h
+@@ -257,6 +257,7 @@ extern int rbv_present,via_alt_mapping;
+
+ struct irq_desc;
+
++extern void via_l2_flush(int writeback);
+ extern void via_register_interrupts(void);
+ extern void via_irq_enable(int);
+ extern void via_irq_disable(int);
+diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
+index 611f73bfc87c..d0126ab01360 100644
+--- a/arch/m68k/mac/config.c
++++ b/arch/m68k/mac/config.c
+@@ -59,7 +59,6 @@ extern void iop_preinit(void);
+ extern void iop_init(void);
+ extern void via_init(void);
+ extern void via_init_clock(irq_handler_t func);
+-extern void via_flush_cache(void);
+ extern void oss_init(void);
+ extern void psc_init(void);
+ extern void baboon_init(void);
+@@ -130,21 +129,6 @@ int __init mac_parse_bootinfo(const struct bi_record *record)
+ return unknown;
+ }
+
+-/*
+- * Flip into 24bit mode for an instant - flushes the L2 cache card. We
+- * have to disable interrupts for this. Our IRQ handlers will crap
+- * themselves if they take an IRQ in 24bit mode!
+- */
+-
+-static void mac_cache_card_flush(int writeback)
+-{
+- unsigned long flags;
+-
+- local_irq_save(flags);
+- via_flush_cache();
+- local_irq_restore(flags);
+-}
+-
+ void __init config_mac(void)
+ {
+ if (!MACH_IS_MAC)
+@@ -175,9 +159,8 @@ void __init config_mac(void)
+ * not.
+ */
+
+- if (macintosh_config->ident == MAC_MODEL_IICI
+- || macintosh_config->ident == MAC_MODEL_IIFX)
+- mach_l2_flush = mac_cache_card_flush;
++ if (macintosh_config->ident == MAC_MODEL_IICI)
++ mach_l2_flush = via_l2_flush;
+ }
+
+
+diff --git a/arch/m68k/mac/via.c b/arch/m68k/mac/via.c
+index 3c2cfcb74982..1f0fad2a98a0 100644
+--- a/arch/m68k/mac/via.c
++++ b/arch/m68k/mac/via.c
+@@ -294,10 +294,14 @@ void via_debug_dump(void)
+ * the system into 24-bit mode for an instant.
+ */
+
+-void via_flush_cache(void)
++void via_l2_flush(int writeback)
+ {
++ unsigned long flags;
++
++ local_irq_save(flags);
+ via2[gBufB] &= ~VIA2B_vMode32;
+ via2[gBufB] |= VIA2B_vMode32;
++ local_irq_restore(flags);
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 3fa23746e379786218b581d381958e6a43ee8e23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 14:27:51 +0200
+Subject: macvlan: Skip loopback packets in RX handler
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+[ Upstream commit 81f3dc9349ce0bf7b8447f147f45e70f0a5b36a6 ]
+
+Ignore loopback-originatig packets soon enough and don't try to process L2
+header where it doesn't exist. The very similar br_handle_frame() in bridge
+code performs exactly the same check.
+
+This is an example of such ICMPv6 packet:
+
+skb len=96 headroom=40 headlen=96 tailroom=56
+mac=(40,0) net=(40,40) trans=80
+shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
+csum(0xae2e9a2f ip_summed=1 complete_sw=0 valid=0 level=0)
+hash(0xc97ebd88 sw=1 l4=1) proto=0x86dd pkttype=5 iif=24
+dev name=etha01.212 feat=0x0x0000000040005000
+skb headroom: 00000000: 00 7c 86 52 84 88 ff ff 00 00 00 00 00 00 08 00
+skb headroom: 00000010: 45 00 00 9e 5d 5c 40 00 40 11 33 33 00 00 00 01
+skb headroom: 00000020: 02 40 43 80 00 00 86 dd
+skb linear: 00000000: 60 09 88 bd 00 38 3a ff fe 80 00 00 00 00 00 00
+skb linear: 00000010: 00 40 43 ff fe 80 00 00 ff 02 00 00 00 00 00 00
+skb linear: 00000020: 00 00 00 00 00 00 00 01 86 00 61 00 40 00 00 2d
+skb linear: 00000030: 00 00 00 00 00 00 00 00 03 04 40 e0 00 00 01 2c
+skb linear: 00000040: 00 00 00 78 00 00 00 00 fd 5f 42 68 23 87 a8 81
+skb linear: 00000050: 00 00 00 00 00 00 00 00 01 01 02 40 43 80 00 00
+skb tailroom: 00000000: ...
+skb tailroom: 00000010: ...
+skb tailroom: 00000020: ...
+skb tailroom: 00000030: ...
+
+Call Trace, how it happens exactly:
+ ...
+ macvlan_handle_frame+0x321/0x425 [macvlan]
+ ? macvlan_forward_source+0x110/0x110 [macvlan]
+ __netif_receive_skb_core+0x545/0xda0
+ ? enqueue_task_fair+0xe5/0x8e0
+ ? __netif_receive_skb_one_core+0x36/0x70
+ __netif_receive_skb_one_core+0x36/0x70
+ process_backlog+0x97/0x140
+ net_rx_action+0x1eb/0x350
+ ? __hrtimer_run_queues+0x136/0x2e0
+ __do_softirq+0xe3/0x383
+ do_softirq_own_stack+0x2a/0x40
+ </IRQ>
+ do_softirq.part.4+0x4e/0x50
+ netif_rx_ni+0x60/0xd0
+ dev_loopback_xmit+0x83/0xf0
+ ip6_finish_output2+0x575/0x590 [ipv6]
+ ? ip6_cork_release.isra.1+0x64/0x90 [ipv6]
+ ? __ip6_make_skb+0x38d/0x680 [ipv6]
+ ? ip6_output+0x6c/0x140 [ipv6]
+ ip6_output+0x6c/0x140 [ipv6]
+ ip6_send_skb+0x1e/0x60 [ipv6]
+ rawv6_sendmsg+0xc4b/0xe10 [ipv6]
+ ? proc_put_long+0xd0/0xd0
+ ? rw_copy_check_uvector+0x4e/0x110
+ ? sock_sendmsg+0x36/0x40
+ sock_sendmsg+0x36/0x40
+ ___sys_sendmsg+0x2b6/0x2d0
+ ? proc_dointvec+0x23/0x30
+ ? addrconf_sysctl_forward+0x8d/0x250 [ipv6]
+ ? dev_forward_change+0x130/0x130 [ipv6]
+ ? _raw_spin_unlock+0x12/0x30
+ ? proc_sys_call_handler.isra.14+0x9f/0x110
+ ? __call_rcu+0x213/0x510
+ ? get_max_files+0x10/0x10
+ ? trace_hardirqs_on+0x2c/0xe0
+ ? __sys_sendmsg+0x63/0xa0
+ __sys_sendmsg+0x63/0xa0
+ do_syscall_64+0x6c/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 0482adc9916b..e900ebb94499 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -447,6 +447,10 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
+ int ret;
+ rx_handler_result_t handle_res;
+
++ /* Packets from dev_loopback_xmit() do not have L2 header, bail out */
++ if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
++ return RX_HANDLER_PASS;
++
+ port = macvlan_port_get_rcu(skb->dev);
+ if (is_multicast_ether_addr(eth->h_dest)) {
+ unsigned int hash;
+--
+2.25.1
+
--- /dev/null
+From 946e2cb1c5e2c3a092e2142e2385a476c8bf0f92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2020 23:57:09 +0200
+Subject: md: don't flush workqueue unconditionally in md_open
+
+From: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+
+[ Upstream commit f6766ff6afff70e2aaf39e1511e16d471de7c3ae ]
+
+We need to check mddev->del_work before flush workqueu since the purpose
+of flush is to ensure the previous md is disappeared. Otherwise the similar
+deadlock appeared if LOCKDEP is enabled, it is due to md_open holds the
+bdev->bd_mutex before flush workqueue.
+
+kernel: [ 154.522645] ======================================================
+kernel: [ 154.522647] WARNING: possible circular locking dependency detected
+kernel: [ 154.522650] 5.6.0-rc7-lp151.27-default #25 Tainted: G O
+kernel: [ 154.522651] ------------------------------------------------------
+kernel: [ 154.522653] mdadm/2482 is trying to acquire lock:
+kernel: [ 154.522655] ffff888078529128 ((wq_completion)md_misc){+.+.}, at: flush_workqueue+0x84/0x4b0
+kernel: [ 154.522673]
+kernel: [ 154.522673] but task is already holding lock:
+kernel: [ 154.522675] ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
+kernel: [ 154.522691]
+kernel: [ 154.522691] which lock already depends on the new lock.
+kernel: [ 154.522691]
+kernel: [ 154.522694]
+kernel: [ 154.522694] the existing dependency chain (in reverse order) is:
+kernel: [ 154.522696]
+kernel: [ 154.522696] -> #4 (&bdev->bd_mutex){+.+.}:
+kernel: [ 154.522704] __mutex_lock+0x87/0x950
+kernel: [ 154.522706] __blkdev_get+0x79/0x590
+kernel: [ 154.522708] blkdev_get+0x65/0x140
+kernel: [ 154.522709] blkdev_get_by_dev+0x2f/0x40
+kernel: [ 154.522716] lock_rdev+0x3d/0x90 [md_mod]
+kernel: [ 154.522719] md_import_device+0xd6/0x1b0 [md_mod]
+kernel: [ 154.522723] new_dev_store+0x15e/0x210 [md_mod]
+kernel: [ 154.522728] md_attr_store+0x7a/0xc0 [md_mod]
+kernel: [ 154.522732] kernfs_fop_write+0x117/0x1b0
+kernel: [ 154.522735] vfs_write+0xad/0x1a0
+kernel: [ 154.522737] ksys_write+0xa4/0xe0
+kernel: [ 154.522745] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522748] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522749]
+kernel: [ 154.522749] -> #3 (&mddev->reconfig_mutex){+.+.}:
+kernel: [ 154.522752] __mutex_lock+0x87/0x950
+kernel: [ 154.522756] new_dev_store+0xc9/0x210 [md_mod]
+kernel: [ 154.522759] md_attr_store+0x7a/0xc0 [md_mod]
+kernel: [ 154.522761] kernfs_fop_write+0x117/0x1b0
+kernel: [ 154.522763] vfs_write+0xad/0x1a0
+kernel: [ 154.522765] ksys_write+0xa4/0xe0
+kernel: [ 154.522767] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522769] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522770]
+kernel: [ 154.522770] -> #2 (kn->count#253){++++}:
+kernel: [ 154.522775] __kernfs_remove+0x253/0x2c0
+kernel: [ 154.522778] kernfs_remove+0x1f/0x30
+kernel: [ 154.522780] kobject_del+0x28/0x60
+kernel: [ 154.522783] mddev_delayed_delete+0x24/0x30 [md_mod]
+kernel: [ 154.522786] process_one_work+0x2a7/0x5f0
+kernel: [ 154.522788] worker_thread+0x2d/0x3d0
+kernel: [ 154.522793] kthread+0x117/0x130
+kernel: [ 154.522795] ret_from_fork+0x3a/0x50
+kernel: [ 154.522796]
+kernel: [ 154.522796] -> #1 ((work_completion)(&mddev->del_work)){+.+.}:
+kernel: [ 154.522800] process_one_work+0x27e/0x5f0
+kernel: [ 154.522802] worker_thread+0x2d/0x3d0
+kernel: [ 154.522804] kthread+0x117/0x130
+kernel: [ 154.522806] ret_from_fork+0x3a/0x50
+kernel: [ 154.522807]
+kernel: [ 154.522807] -> #0 ((wq_completion)md_misc){+.+.}:
+kernel: [ 154.522813] __lock_acquire+0x1392/0x1690
+kernel: [ 154.522816] lock_acquire+0xb4/0x1a0
+kernel: [ 154.522818] flush_workqueue+0xab/0x4b0
+kernel: [ 154.522821] md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522823] __blkdev_get+0xea/0x590
+kernel: [ 154.522825] blkdev_get+0x65/0x140
+kernel: [ 154.522828] do_dentry_open+0x1d1/0x380
+kernel: [ 154.522831] path_openat+0x567/0xcc0
+kernel: [ 154.522834] do_filp_open+0x9b/0x110
+kernel: [ 154.522836] do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522838] do_sys_open+0x57/0x80
+kernel: [ 154.522840] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522842] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522844]
+kernel: [ 154.522844] other info that might help us debug this:
+kernel: [ 154.522844]
+kernel: [ 154.522846] Chain exists of:
+kernel: [ 154.522846] (wq_completion)md_misc --> &mddev->reconfig_mutex --> &bdev->bd_mutex
+kernel: [ 154.522846]
+kernel: [ 154.522850] Possible unsafe locking scenario:
+kernel: [ 154.522850]
+kernel: [ 154.522852] CPU0 CPU1
+kernel: [ 154.522853] ---- ----
+kernel: [ 154.522854] lock(&bdev->bd_mutex);
+kernel: [ 154.522856] lock(&mddev->reconfig_mutex);
+kernel: [ 154.522858] lock(&bdev->bd_mutex);
+kernel: [ 154.522860] lock((wq_completion)md_misc);
+kernel: [ 154.522861]
+kernel: [ 154.522861] *** DEADLOCK ***
+kernel: [ 154.522861]
+kernel: [ 154.522864] 1 lock held by mdadm/2482:
+kernel: [ 154.522865] #0: ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
+kernel: [ 154.522868]
+kernel: [ 154.522868] stack backtrace:
+kernel: [ 154.522873] CPU: 1 PID: 2482 Comm: mdadm Tainted: G O 5.6.0-rc7-lp151.27-default #25
+kernel: [ 154.522875] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+kernel: [ 154.522878] Call Trace:
+kernel: [ 154.522881] dump_stack+0x8f/0xcb
+kernel: [ 154.522884] check_noncircular+0x194/0x1b0
+kernel: [ 154.522888] ? __lock_acquire+0x1392/0x1690
+kernel: [ 154.522890] __lock_acquire+0x1392/0x1690
+kernel: [ 154.522893] lock_acquire+0xb4/0x1a0
+kernel: [ 154.522895] ? flush_workqueue+0x84/0x4b0
+kernel: [ 154.522898] flush_workqueue+0xab/0x4b0
+kernel: [ 154.522900] ? flush_workqueue+0x84/0x4b0
+kernel: [ 154.522905] ? md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522908] md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522910] __blkdev_get+0xea/0x590
+kernel: [ 154.522912] ? bd_acquire+0xc0/0xc0
+kernel: [ 154.522914] blkdev_get+0x65/0x140
+kernel: [ 154.522916] ? bd_acquire+0xc0/0xc0
+kernel: [ 154.522918] do_dentry_open+0x1d1/0x380
+kernel: [ 154.522921] path_openat+0x567/0xcc0
+kernel: [ 154.522923] ? __lock_acquire+0x380/0x1690
+kernel: [ 154.522926] do_filp_open+0x9b/0x110
+kernel: [ 154.522929] ? __alloc_fd+0xe5/0x1f0
+kernel: [ 154.522935] ? kmem_cache_alloc+0x28c/0x630
+kernel: [ 154.522939] ? do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522941] do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522944] do_sys_open+0x57/0x80
+kernel: [ 154.522946] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522948] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522951] RIP: 0033:0x7f98d279d9ae
+
+And md_alloc also flushed the same workqueue, but the thing is different
+here. Because all the paths call md_alloc don't hold bdev->bd_mutex, and
+the flush is necessary to avoid race condition, so leave it as it is.
+
+Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 271e8a587354..41eead9cbee9 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7752,7 +7752,8 @@ static int md_open(struct block_device *bdev, fmode_t mode)
+ */
+ mddev_put(mddev);
+ /* Wait until bdev->bd_disk is definitely gone */
+- flush_workqueue(md_misc_wq);
++ if (work_pending(&mddev->del_work))
++ flush_workqueue(md_misc_wq);
+ /* Then retry the open from the top */
+ return -ERESTARTSYS;
+ }
+--
+2.25.1
+
--- /dev/null
+From 29747e07c3c4c5f101d9fbff2950bd80d1d9c6b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 10:25:56 +0200
+Subject: media: cec: silence shift wrapping warning in __cec_s_log_addrs()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 3b5af3171e2d5a73ae6f04965ed653d039904eb6 ]
+
+The log_addrs->log_addr_type[i] value is a u8 which is controlled by
+the user and comes from the ioctl. If it's over 31 then that results in
+undefined behavior (shift wrapping) and that leads to a Smatch static
+checker warning. We already cap the value later so we can silence the
+warning just by re-ordering the existing checks.
+
+I think the UBSan checker will also catch this bug at runtime and
+generate a warning. But otherwise the bug is harmless.
+
+Fixes: 9881fe0ca187 ("[media] cec: add HDMI CEC framework (adapter)")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/cec/cec-adap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c
+index 6c95dc471d4c..6a04d19a96b2 100644
+--- a/drivers/media/cec/cec-adap.c
++++ b/drivers/media/cec/cec-adap.c
+@@ -1734,6 +1734,10 @@ int __cec_s_log_addrs(struct cec_adapter *adap,
+ unsigned j;
+
+ log_addrs->log_addr[i] = CEC_LOG_ADDR_INVALID;
++ if (log_addrs->log_addr_type[i] > CEC_LOG_ADDR_TYPE_UNREGISTERED) {
++ dprintk(1, "unknown logical address type\n");
++ return -EINVAL;
++ }
+ if (type_mask & (1 << log_addrs->log_addr_type[i])) {
+ dprintk(1, "duplicate logical address type\n");
+ return -EINVAL;
+@@ -1754,10 +1758,6 @@ int __cec_s_log_addrs(struct cec_adapter *adap,
+ dprintk(1, "invalid primary device type\n");
+ return -EINVAL;
+ }
+- if (log_addrs->log_addr_type[i] > CEC_LOG_ADDR_TYPE_UNREGISTERED) {
+- dprintk(1, "unknown logical address type\n");
+- return -EINVAL;
+- }
+ for (j = 0; j < feature_sz; j++) {
+ if ((features[j] & 0x80) == 0) {
+ if (op_is_dev_features)
+--
+2.25.1
+
--- /dev/null
+From 02ccd0f287309f2d62a2b43ef1281a311ce7e9d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2020 18:51:33 +0100
+Subject: media: dvb: return -EREMOTEIO on i2c transfer failure.
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 96f3a9392799dd0f6472648a7366622ffd0989f3 ]
+
+Currently when i2c transfers fail the error return -EREMOTEIO
+is assigned to err but then later overwritten when the tuner
+attach call is made. Fix this by returning early with the
+error return code -EREMOTEIO on i2c transfer failure errors.
+
+If the transfer fails, an uninitialized value will be read from b2.
+
+Addresses-Coverity: ("Unused value")
+
+Fixes: fbfee8684ff2 ("V4L/DVB (5651): Dibusb-mb: convert pll handling to properly use dvb-pll")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dibusb-mb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dibusb-mb.c b/drivers/media/usb/dvb-usb/dibusb-mb.c
+index d4ea72bf09c5..5131c8d4c632 100644
+--- a/drivers/media/usb/dvb-usb/dibusb-mb.c
++++ b/drivers/media/usb/dvb-usb/dibusb-mb.c
+@@ -81,7 +81,7 @@ static int dibusb_tuner_probe_and_attach(struct dvb_usb_adapter *adap)
+
+ if (i2c_transfer(&adap->dev->i2c_adap, msg, 2) != 2) {
+ err("tuner i2c write failed.");
+- ret = -EREMOTEIO;
++ return -EREMOTEIO;
+ }
+
+ if (adap->fe_adap[0].fe->ops.i2c_gate_ctrl)
+--
+2.25.1
+
--- /dev/null
+From 80d94c297c98e489a4efa1d7ab414045ff3a7351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2020 20:06:30 +0200
+Subject: media: i2c: imx219: Fix a bug in imx219_enum_frame_size
+
+From: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
+
+[ Upstream commit b2bbf1aac61186ef904fd28079e847d3feadb89e ]
+
+When enumerating the frame sizes, the value sent to
+imx219_get_format_code should be fse->code
+(the code from the ioctl) and not imx219->fmt.code
+which is the code set currently in the driver.
+
+Fixes: 22da1d56e982 ("media: i2c: imx219: Add support for RAW8 bit bayer format")
+Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
+Reviewed-by: Helen Koike <helen.koike@collabora.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/imx219.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/imx219.c b/drivers/media/i2c/imx219.c
+index cb03bdec1f9c..86e0564bfb4f 100644
+--- a/drivers/media/i2c/imx219.c
++++ b/drivers/media/i2c/imx219.c
+@@ -781,7 +781,7 @@ static int imx219_enum_frame_size(struct v4l2_subdev *sd,
+ if (fse->index >= ARRAY_SIZE(supported_modes))
+ return -EINVAL;
+
+- if (fse->code != imx219_get_format_code(imx219, imx219->fmt.code))
++ if (fse->code != imx219_get_format_code(imx219, fse->code))
+ return -EINVAL;
+
+ fse->min_width = supported_modes[fse->index].width;
+--
+2.25.1
+
--- /dev/null
+From c2bebfb733e469d55cc10e0f8d5a36451a2e2f6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2020 00:47:09 +0100
+Subject: media: imx: imx7-mipi-csis: Cleanup and fix subdev pad format
+ handling
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit d321dd233b9f2bb407b8e6b4759408f09ec207c3 ]
+
+The subdev set pad format operation currently misbehaves in multiple ways:
+
+- mipi_csis_try_format() unconditionally stores the format in the device
+ state, even for V4L2_SUBDEV_FORMAT_TRY.
+
+- The format is never stored in the pad cfg, but the pad cfg format
+ always overwrites the format requested by the user.
+
+- The sink format is not propagated to the source.
+
+Fix all this by reworking the set format operation as follows:
+
+1. For the source pad, turn set() into get() as the source format is not
+ modifiable.
+2. Validate the requested format and updated the stored format
+ accordingly.
+3. Return the format actually set.
+4. Propagate the format from sink to source.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx7-mipi-csis.c | 82 ++++++++++------------
+ 1 file changed, 37 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx7-mipi-csis.c b/drivers/staging/media/imx/imx7-mipi-csis.c
+index fbc1a924652a..6318f0aebb4b 100644
+--- a/drivers/staging/media/imx/imx7-mipi-csis.c
++++ b/drivers/staging/media/imx/imx7-mipi-csis.c
+@@ -669,28 +669,6 @@ static int mipi_csis_init_cfg(struct v4l2_subdev *mipi_sd,
+ return 0;
+ }
+
+-static struct csis_pix_format const *
+-mipi_csis_try_format(struct v4l2_subdev *mipi_sd, struct v4l2_mbus_framefmt *mf)
+-{
+- struct csi_state *state = mipi_sd_to_csis_state(mipi_sd);
+- struct csis_pix_format const *csis_fmt;
+-
+- csis_fmt = find_csis_format(mf->code);
+- if (!csis_fmt)
+- csis_fmt = &mipi_csis_formats[0];
+-
+- v4l_bound_align_image(&mf->width, 1, CSIS_MAX_PIX_WIDTH,
+- csis_fmt->pix_width_alignment,
+- &mf->height, 1, CSIS_MAX_PIX_HEIGHT, 1,
+- 0);
+-
+- state->format_mbus.code = csis_fmt->code;
+- state->format_mbus.width = mf->width;
+- state->format_mbus.height = mf->height;
+-
+- return csis_fmt;
+-}
+-
+ static struct v4l2_mbus_framefmt *
+ mipi_csis_get_format(struct csi_state *state,
+ struct v4l2_subdev_pad_config *cfg,
+@@ -703,53 +681,67 @@ mipi_csis_get_format(struct csi_state *state,
+ return &state->format_mbus;
+ }
+
+-static int mipi_csis_set_fmt(struct v4l2_subdev *mipi_sd,
++static int mipi_csis_get_fmt(struct v4l2_subdev *mipi_sd,
+ struct v4l2_subdev_pad_config *cfg,
+ struct v4l2_subdev_format *sdformat)
+ {
+ struct csi_state *state = mipi_sd_to_csis_state(mipi_sd);
+- struct csis_pix_format const *csis_fmt;
+ struct v4l2_mbus_framefmt *fmt;
+
+- if (sdformat->pad >= CSIS_PADS_NUM)
+- return -EINVAL;
+-
+- fmt = mipi_csis_get_format(state, cfg, sdformat->which, sdformat->pad);
+-
+ mutex_lock(&state->lock);
+- if (sdformat->pad == CSIS_PAD_SOURCE) {
+- sdformat->format = *fmt;
+- goto unlock;
+- }
+-
+- csis_fmt = mipi_csis_try_format(mipi_sd, &sdformat->format);
+-
++ fmt = mipi_csis_get_format(state, cfg, sdformat->which, sdformat->pad);
+ sdformat->format = *fmt;
+-
+- if (csis_fmt && sdformat->which == V4L2_SUBDEV_FORMAT_ACTIVE)
+- state->csis_fmt = csis_fmt;
+- else
+- cfg->try_fmt = sdformat->format;
+-
+-unlock:
+ mutex_unlock(&state->lock);
+
+ return 0;
+ }
+
+-static int mipi_csis_get_fmt(struct v4l2_subdev *mipi_sd,
++static int mipi_csis_set_fmt(struct v4l2_subdev *mipi_sd,
+ struct v4l2_subdev_pad_config *cfg,
+ struct v4l2_subdev_format *sdformat)
+ {
+ struct csi_state *state = mipi_sd_to_csis_state(mipi_sd);
++ struct csis_pix_format const *csis_fmt;
+ struct v4l2_mbus_framefmt *fmt;
+
+- mutex_lock(&state->lock);
++ /*
++ * The CSIS can't transcode in any way, the source format can't be
++ * modified.
++ */
++ if (sdformat->pad == CSIS_PAD_SOURCE)
++ return mipi_csis_get_fmt(mipi_sd, cfg, sdformat);
++
++ if (sdformat->pad != CSIS_PAD_SINK)
++ return -EINVAL;
+
+ fmt = mipi_csis_get_format(state, cfg, sdformat->which, sdformat->pad);
+
++ mutex_lock(&state->lock);
++
++ /* Validate the media bus code and clamp the size. */
++ csis_fmt = find_csis_format(sdformat->format.code);
++ if (!csis_fmt)
++ csis_fmt = &mipi_csis_formats[0];
++
++ fmt->code = csis_fmt->code;
++ fmt->width = sdformat->format.width;
++ fmt->height = sdformat->format.height;
++
++ v4l_bound_align_image(&fmt->width, 1, CSIS_MAX_PIX_WIDTH,
++ csis_fmt->pix_width_alignment,
++ &fmt->height, 1, CSIS_MAX_PIX_HEIGHT, 1, 0);
++
+ sdformat->format = *fmt;
+
++ /* Propagate the format from sink to source. */
++ fmt = mipi_csis_get_format(state, cfg, sdformat->which,
++ CSIS_PAD_SOURCE);
++ *fmt = sdformat->format;
++
++ /* Store the CSIS format descriptor for active formats. */
++ if (sdformat->which == V4L2_SUBDEV_FORMAT_ACTIVE)
++ state->csis_fmt = csis_fmt;
++
+ mutex_unlock(&state->lock);
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From aaa34a519482aefe6c0885dcf854d732cd8aec1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 23:20:29 +0200
+Subject: media: imx: utils: fix and simplify pixel format enumeration
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit f2267d7ed803add8820c7a6537c12a6d8732f570 ]
+
+Merge yuv_formats and rgb_formats into a single array. Always loop over
+all entries, skipping those that do not match the requested search
+criteria. This simplifies the code, lets us get rid of the manual
+counting of array entries, and stops accidentally ignoring some non-mbus
+RGB formats.
+
+Before:
+
+ $ v4l2-ctl -d /dev/video14 --list-formats-out
+ ioctl: VIDIOC_ENUM_FMT
+ Type: Video Output
+
+ [0]: 'UYVY' (UYVY 4:2:2)
+ [1]: 'YUYV' (YUYV 4:2:2)
+ [2]: 'YU12' (Planar YUV 4:2:0)
+ [3]: 'YV12' (Planar YVU 4:2:0)
+ [4]: '422P' (Planar YUV 4:2:2)
+ [5]: 'NV12' (Y/CbCr 4:2:0)
+ [6]: 'NV16' (Y/CbCr 4:2:2)
+ [7]: 'RGBP' (16-bit RGB 5-6-5)
+ [8]: 'RGB3' (24-bit RGB 8-8-8)
+ [9]: 'BX24' (32-bit XRGB 8-8-8-8)
+
+After:
+
+ $ v4l2-ctl -d /dev/video14 --list-formats-out
+ ioctl: VIDIOC_ENUM_FMT
+ Type: Video Output
+
+ [0]: 'UYVY' (UYVY 4:2:2)
+ [1]: 'YUYV' (YUYV 4:2:2)
+ [2]: 'YU12' (Planar YUV 4:2:0)
+ [3]: 'YV12' (Planar YVU 4:2:0)
+ [4]: '422P' (Planar YUV 4:2:2)
+ [5]: 'NV12' (Y/CbCr 4:2:0)
+ [6]: 'NV16' (Y/CbCr 4:2:2)
+ [7]: 'RGBP' (16-bit RGB 5-6-5)
+ [8]: 'RGB3' (24-bit RGB 8-8-8)
+ [9]: 'BGR3' (24-bit BGR 8-8-8)
+ [10]: 'BX24' (32-bit XRGB 8-8-8-8)
+ [11]: 'XR24' (32-bit BGRX 8-8-8-8)
+ [12]: 'RX24' (32-bit XBGR 8-8-8-8)
+ [13]: 'XB24' (32-bit RGBX 8-8-8-8)
+
+Tested on a imx6q-sabresd.
+
+[laurent.pinchart@ideasonboard.com: Make loop counters unsigned]
+[laurent.pinchart@ideasonboard.com: Decrement index instead of adding a counter]
+[laurent.pinchart@ideasonboard.com: Return directly from within loop instead of breaking]
+[slongerbeam@gmail.com: Fix colorspace comparison error]
+
+Fixes: e130291212df5 ("[media] media: Add i.MX media core driver")
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Tested-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-utils.c | 193 ++++++--------------
+ 1 file changed, 59 insertions(+), 134 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx-media-utils.c b/drivers/staging/media/imx/imx-media-utils.c
+index fae981698c49..39469031e510 100644
+--- a/drivers/staging/media/imx/imx-media-utils.c
++++ b/drivers/staging/media/imx/imx-media-utils.c
+@@ -9,12 +9,9 @@
+
+ /*
+ * List of supported pixel formats for the subdevs.
+- *
+- * In all of these tables, the non-mbus formats (with no
+- * mbus codes) must all fall at the end of the table.
+ */
+-
+-static const struct imx_media_pixfmt yuv_formats[] = {
++static const struct imx_media_pixfmt pixel_formats[] = {
++ /*** YUV formats start here ***/
+ {
+ .fourcc = V4L2_PIX_FMT_UYVY,
+ .codes = {
+@@ -31,12 +28,7 @@ static const struct imx_media_pixfmt yuv_formats[] = {
+ },
+ .cs = IPUV3_COLORSPACE_YUV,
+ .bpp = 16,
+- },
+- /***
+- * non-mbus YUV formats start here. NOTE! when adding non-mbus
+- * formats, NUM_NON_MBUS_YUV_FORMATS must be updated below.
+- ***/
+- {
++ }, {
+ .fourcc = V4L2_PIX_FMT_YUV420,
+ .cs = IPUV3_COLORSPACE_YUV,
+ .bpp = 12,
+@@ -62,13 +54,7 @@ static const struct imx_media_pixfmt yuv_formats[] = {
+ .bpp = 16,
+ .planar = true,
+ },
+-};
+-
+-#define NUM_NON_MBUS_YUV_FORMATS 5
+-#define NUM_YUV_FORMATS ARRAY_SIZE(yuv_formats)
+-#define NUM_MBUS_YUV_FORMATS (NUM_YUV_FORMATS - NUM_NON_MBUS_YUV_FORMATS)
+-
+-static const struct imx_media_pixfmt rgb_formats[] = {
++ /*** RGB formats start here ***/
+ {
+ .fourcc = V4L2_PIX_FMT_RGB565,
+ .codes = {MEDIA_BUS_FMT_RGB565_2X8_LE},
+@@ -83,12 +69,28 @@ static const struct imx_media_pixfmt rgb_formats[] = {
+ },
+ .cs = IPUV3_COLORSPACE_RGB,
+ .bpp = 24,
++ }, {
++ .fourcc = V4L2_PIX_FMT_BGR24,
++ .cs = IPUV3_COLORSPACE_RGB,
++ .bpp = 24,
+ }, {
+ .fourcc = V4L2_PIX_FMT_XRGB32,
+ .codes = {MEDIA_BUS_FMT_ARGB8888_1X32},
+ .cs = IPUV3_COLORSPACE_RGB,
+ .bpp = 32,
+ .ipufmt = true,
++ }, {
++ .fourcc = V4L2_PIX_FMT_XBGR32,
++ .cs = IPUV3_COLORSPACE_RGB,
++ .bpp = 32,
++ }, {
++ .fourcc = V4L2_PIX_FMT_BGRX32,
++ .cs = IPUV3_COLORSPACE_RGB,
++ .bpp = 32,
++ }, {
++ .fourcc = V4L2_PIX_FMT_RGBX32,
++ .cs = IPUV3_COLORSPACE_RGB,
++ .bpp = 32,
+ },
+ /*** raw bayer and grayscale formats start here ***/
+ {
+@@ -182,33 +184,8 @@ static const struct imx_media_pixfmt rgb_formats[] = {
+ .bpp = 16,
+ .bayer = true,
+ },
+- /***
+- * non-mbus RGB formats start here. NOTE! when adding non-mbus
+- * formats, NUM_NON_MBUS_RGB_FORMATS must be updated below.
+- ***/
+- {
+- .fourcc = V4L2_PIX_FMT_BGR24,
+- .cs = IPUV3_COLORSPACE_RGB,
+- .bpp = 24,
+- }, {
+- .fourcc = V4L2_PIX_FMT_XBGR32,
+- .cs = IPUV3_COLORSPACE_RGB,
+- .bpp = 32,
+- }, {
+- .fourcc = V4L2_PIX_FMT_BGRX32,
+- .cs = IPUV3_COLORSPACE_RGB,
+- .bpp = 32,
+- }, {
+- .fourcc = V4L2_PIX_FMT_RGBX32,
+- .cs = IPUV3_COLORSPACE_RGB,
+- .bpp = 32,
+- },
+ };
+
+-#define NUM_NON_MBUS_RGB_FORMATS 2
+-#define NUM_RGB_FORMATS ARRAY_SIZE(rgb_formats)
+-#define NUM_MBUS_RGB_FORMATS (NUM_RGB_FORMATS - NUM_NON_MBUS_RGB_FORMATS)
+-
+ static const struct imx_media_pixfmt ipu_yuv_formats[] = {
+ {
+ .fourcc = V4L2_PIX_FMT_YUV32,
+@@ -246,21 +223,24 @@ static void init_mbus_colorimetry(struct v4l2_mbus_framefmt *mbus,
+ mbus->ycbcr_enc);
+ }
+
+-static const
+-struct imx_media_pixfmt *__find_format(u32 fourcc,
+- u32 code,
+- bool allow_non_mbus,
+- bool allow_bayer,
+- const struct imx_media_pixfmt *array,
+- u32 array_size)
++static const struct imx_media_pixfmt *find_format(u32 fourcc,
++ u32 code,
++ enum codespace_sel cs_sel,
++ bool allow_non_mbus,
++ bool allow_bayer)
+ {
+- const struct imx_media_pixfmt *fmt;
+- int i, j;
++ unsigned int i;
+
+- for (i = 0; i < array_size; i++) {
+- fmt = &array[i];
++ for (i = 0; i < ARRAY_SIZE(pixel_formats); i++) {
++ const struct imx_media_pixfmt *fmt = &pixel_formats[i];
++ enum codespace_sel fmt_cs_sel;
++ unsigned int j;
+
+- if ((!allow_non_mbus && !fmt->codes[0]) ||
++ fmt_cs_sel = (fmt->cs == IPUV3_COLORSPACE_YUV) ?
++ CS_SEL_YUV : CS_SEL_RGB;
++
++ if ((cs_sel != CS_SEL_ANY && fmt_cs_sel != cs_sel) ||
++ (!allow_non_mbus && !fmt->codes[0]) ||
+ (!allow_bayer && fmt->bayer))
+ continue;
+
+@@ -270,39 +250,13 @@ struct imx_media_pixfmt *__find_format(u32 fourcc,
+ if (!code)
+ continue;
+
+- for (j = 0; fmt->codes[j]; j++) {
++ for (j = 0; j < ARRAY_SIZE(fmt->codes) && fmt->codes[j]; j++) {
+ if (code == fmt->codes[j])
+ return fmt;
+ }
+ }
+- return NULL;
+-}
+
+-static const struct imx_media_pixfmt *find_format(u32 fourcc,
+- u32 code,
+- enum codespace_sel cs_sel,
+- bool allow_non_mbus,
+- bool allow_bayer)
+-{
+- const struct imx_media_pixfmt *ret;
+-
+- switch (cs_sel) {
+- case CS_SEL_YUV:
+- return __find_format(fourcc, code, allow_non_mbus, allow_bayer,
+- yuv_formats, NUM_YUV_FORMATS);
+- case CS_SEL_RGB:
+- return __find_format(fourcc, code, allow_non_mbus, allow_bayer,
+- rgb_formats, NUM_RGB_FORMATS);
+- case CS_SEL_ANY:
+- ret = __find_format(fourcc, code, allow_non_mbus, allow_bayer,
+- yuv_formats, NUM_YUV_FORMATS);
+- if (ret)
+- return ret;
+- return __find_format(fourcc, code, allow_non_mbus, allow_bayer,
+- rgb_formats, NUM_RGB_FORMATS);
+- default:
+- return NULL;
+- }
++ return NULL;
+ }
+
+ static int enum_format(u32 *fourcc, u32 *code, u32 index,
+@@ -310,61 +264,32 @@ static int enum_format(u32 *fourcc, u32 *code, u32 index,
+ bool allow_non_mbus,
+ bool allow_bayer)
+ {
+- const struct imx_media_pixfmt *fmt;
+- u32 mbus_yuv_sz = NUM_MBUS_YUV_FORMATS;
+- u32 mbus_rgb_sz = NUM_MBUS_RGB_FORMATS;
+- u32 yuv_sz = NUM_YUV_FORMATS;
+- u32 rgb_sz = NUM_RGB_FORMATS;
++ unsigned int i;
+
+- switch (cs_sel) {
+- case CS_SEL_YUV:
+- if (index >= yuv_sz ||
+- (!allow_non_mbus && index >= mbus_yuv_sz))
+- return -EINVAL;
+- fmt = &yuv_formats[index];
+- break;
+- case CS_SEL_RGB:
+- if (index >= rgb_sz ||
+- (!allow_non_mbus && index >= mbus_rgb_sz))
+- return -EINVAL;
+- fmt = &rgb_formats[index];
+- if (!allow_bayer && fmt->bayer)
+- return -EINVAL;
+- break;
+- case CS_SEL_ANY:
+- if (!allow_non_mbus) {
+- if (index >= mbus_yuv_sz) {
+- index -= mbus_yuv_sz;
+- if (index >= mbus_rgb_sz)
+- return -EINVAL;
+- fmt = &rgb_formats[index];
+- if (!allow_bayer && fmt->bayer)
+- return -EINVAL;
+- } else {
+- fmt = &yuv_formats[index];
+- }
+- } else {
+- if (index >= yuv_sz + rgb_sz)
+- return -EINVAL;
+- if (index >= yuv_sz) {
+- fmt = &rgb_formats[index - yuv_sz];
+- if (!allow_bayer && fmt->bayer)
+- return -EINVAL;
+- } else {
+- fmt = &yuv_formats[index];
+- }
++ for (i = 0; i < ARRAY_SIZE(pixel_formats); i++) {
++ const struct imx_media_pixfmt *fmt = &pixel_formats[i];
++ enum codespace_sel fmt_cs_sel;
++
++ fmt_cs_sel = (fmt->cs == IPUV3_COLORSPACE_YUV) ?
++ CS_SEL_YUV : CS_SEL_RGB;
++
++ if ((cs_sel != CS_SEL_ANY && fmt_cs_sel != cs_sel) ||
++ (!allow_non_mbus && !fmt->codes[0]) ||
++ (!allow_bayer && fmt->bayer))
++ continue;
++
++ if (index == 0) {
++ if (fourcc)
++ *fourcc = fmt->fourcc;
++ if (code)
++ *code = fmt->codes[0];
++ return 0;
+ }
+- break;
+- default:
+- return -EINVAL;
+- }
+
+- if (fourcc)
+- *fourcc = fmt->fourcc;
+- if (code)
+- *code = fmt->codes[0];
++ index--;
++ }
+
+- return 0;
++ return -EINVAL;
+ }
+
+ const struct imx_media_pixfmt *
+--
+2.25.1
+
--- /dev/null
+From 7e0a0384dfa96e59b5aabf19de4926fba5e999ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 23:23:38 +0200
+Subject: media: imx: utils: fix media bus format enumeration
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit 1df2148fdfc036c9350d41ae81b09b3f8897c9b6 ]
+
+Iterate over all media bus formats, not just over the first format in
+each imx_media_pixfmt entry.
+
+Before:
+
+ $ v4l2-ctl -d $(media-ctl -e ipu1_csi0) --list-subdev-mbus-codes 0
+ ioctl: VIDIOC_SUBDEV_ENUM_MBUS_CODE (pad=0)
+ 0x2006: MEDIA_BUS_FMT_UYVY8_2X8
+ 0x2008: MEDIA_BUS_FMT_YUYV8_2X8
+ 0x1008: MEDIA_BUS_FMT_RGB565_2X8_LE
+ 0x100a: MEDIA_BUS_FMT_RGB888_1X24
+ 0x100d: MEDIA_BUS_FMT_ARGB8888_1X32
+ 0x3001: MEDIA_BUS_FMT_SBGGR8_1X8
+ 0x3013: MEDIA_BUS_FMT_SGBRG8_1X8
+ 0x3002: MEDIA_BUS_FMT_SGRBG8_1X8
+ 0x3014: MEDIA_BUS_FMT_SRGGB8_1X8
+ 0x3007: MEDIA_BUS_FMT_SBGGR10_1X10
+ 0x300e: MEDIA_BUS_FMT_SGBRG10_1X10
+ 0x300a: MEDIA_BUS_FMT_SGRBG10_1X10
+ 0x300f: MEDIA_BUS_FMT_SRGGB10_1X10
+ 0x2001: MEDIA_BUS_FMT_Y8_1X8
+ 0x200a: MEDIA_BUS_FMT_Y10_1X10
+
+After:
+
+ $ v4l2-ctl -d $(media-ctl -e ipu1_csi0) --list-subdev-mbus-codes 0
+ ioctl: VIDIOC_SUBDEV_ENUM_MBUS_CODE (pad=0)
+ 0x2006: MEDIA_BUS_FMT_UYVY8_2X8
+ 0x200f: MEDIA_BUS_FMT_UYVY8_1X16
+ 0x2008: MEDIA_BUS_FMT_YUYV8_2X8
+ 0x2011: MEDIA_BUS_FMT_YUYV8_1X16
+ 0x1008: MEDIA_BUS_FMT_RGB565_2X8_LE
+ 0x100a: MEDIA_BUS_FMT_RGB888_1X24
+ 0x100c: MEDIA_BUS_FMT_RGB888_2X12_LE
+ 0x100d: MEDIA_BUS_FMT_ARGB8888_1X32
+ 0x3001: MEDIA_BUS_FMT_SBGGR8_1X8
+ 0x3013: MEDIA_BUS_FMT_SGBRG8_1X8
+ 0x3002: MEDIA_BUS_FMT_SGRBG8_1X8
+ 0x3014: MEDIA_BUS_FMT_SRGGB8_1X8
+ 0x3007: MEDIA_BUS_FMT_SBGGR10_1X10
+ 0x3008: MEDIA_BUS_FMT_SBGGR12_1X12
+ 0x3019: MEDIA_BUS_FMT_SBGGR14_1X14
+ 0x301d: MEDIA_BUS_FMT_SBGGR16_1X16
+ 0x300e: MEDIA_BUS_FMT_SGBRG10_1X10
+ 0x3010: MEDIA_BUS_FMT_SGBRG12_1X12
+ 0x301a: MEDIA_BUS_FMT_SGBRG14_1X14
+ 0x301e: MEDIA_BUS_FMT_SGBRG16_1X16
+ 0x300a: MEDIA_BUS_FMT_SGRBG10_1X10
+ 0x3011: MEDIA_BUS_FMT_SGRBG12_1X12
+ 0x301b: MEDIA_BUS_FMT_SGRBG14_1X14
+ 0x301f: MEDIA_BUS_FMT_SGRBG16_1X16
+ 0x300f: MEDIA_BUS_FMT_SRGGB10_1X10
+ 0x3012: MEDIA_BUS_FMT_SRGGB12_1X12
+ 0x301c: MEDIA_BUS_FMT_SRGGB14_1X14
+ 0x3020: MEDIA_BUS_FMT_SRGGB16_1X16
+ 0x2001: MEDIA_BUS_FMT_Y8_1X8
+ 0x200a: MEDIA_BUS_FMT_Y10_1X10
+ 0x2013: MEDIA_BUS_FMT_Y12_1X12
+
+[laurent.pinchart@ideasonboard.com: Decrement index to replace loop counter k]
+[laurent.pinchart@ideasonboard.com: Return directly from within the loops]
+
+Fixes: e130291212df5 ("[media] media: Add i.MX media core driver")
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-utils.c | 22 +++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx-media-utils.c b/drivers/staging/media/imx/imx-media-utils.c
+index 39469031e510..00a71f01786c 100644
+--- a/drivers/staging/media/imx/imx-media-utils.c
++++ b/drivers/staging/media/imx/imx-media-utils.c
+@@ -269,6 +269,7 @@ static int enum_format(u32 *fourcc, u32 *code, u32 index,
+ for (i = 0; i < ARRAY_SIZE(pixel_formats); i++) {
+ const struct imx_media_pixfmt *fmt = &pixel_formats[i];
+ enum codespace_sel fmt_cs_sel;
++ unsigned int j;
+
+ fmt_cs_sel = (fmt->cs == IPUV3_COLORSPACE_YUV) ?
+ CS_SEL_YUV : CS_SEL_RGB;
+@@ -278,15 +279,24 @@ static int enum_format(u32 *fourcc, u32 *code, u32 index,
+ (!allow_bayer && fmt->bayer))
+ continue;
+
+- if (index == 0) {
+- if (fourcc)
+- *fourcc = fmt->fourcc;
+- if (code)
+- *code = fmt->codes[0];
++ if (fourcc && index == 0) {
++ *fourcc = fmt->fourcc;
+ return 0;
+ }
+
+- index--;
++ if (!code) {
++ index--;
++ continue;
++ }
++
++ for (j = 0; j < ARRAY_SIZE(fmt->codes) && fmt->codes[j]; j++) {
++ if (index == 0) {
++ *code = fmt->codes[j];
++ return 0;
++ }
++
++ index--;
++ }
+ }
+
+ return -EINVAL;
+--
+2.25.1
+
--- /dev/null
+From ad38d381543aff0ebbb264124476c62374c8b270 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 16:22:15 +0200
+Subject: media: m88ds3103: error in set_frontend is swallowed and not reported
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit c4ed27cfed45c16c2dd16c9fa3b883e306177e40 ]
+
+Bail out if registers can not be updated.
+
+Addresses-Coverity-ID: 1461655 ("Code maintainability issues")
+
+Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
+Fixes: e6089feca460 ("media: m88ds3103: Add support for ds3103b demod")
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/m88ds3103.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
+index d2c28dcf6b42..abddab02db9e 100644
+--- a/drivers/media/dvb-frontends/m88ds3103.c
++++ b/drivers/media/dvb-frontends/m88ds3103.c
+@@ -980,6 +980,8 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ goto err;
+
+ ret = m88ds3103_update_bits(dev, 0xc9, 0x08, 0x08);
++ if (ret)
++ goto err;
+ }
+
+ dev_dbg(&client->dev, "carrier offset=%d\n",
+--
+2.25.1
+
--- /dev/null
+From 4aca3777f079a816af9cd0eb1ba2b1b231be6ee7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2020 17:44:17 +0200
+Subject: media: platform: fcp: Set appropriate DMA parameters
+
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+
+[ Upstream commit dd844fb8e50b12e65bbdc5746c9876c6735500df ]
+
+Enabling CONFIG_DMA_API_DEBUG=y and CONFIG_DMA_API_DEBUG_SG=y will
+enable extra validation on DMA operations ensuring that the size
+restraints are met.
+
+When using the FCP in conjunction with the VSP1/DU, and display frames,
+the size of the DMA operations is larger than the default maximum
+segment size reported by the DMA core (64K). With the DMA debug enabled,
+this produces a warning such as the following:
+
+"DMA-API: rcar-fcp fea27000.fcp: mapping sg segment longer than device
+claims to support [len=3145728] [max=65536]"
+
+We have no specific limitation on the segment size which isn't already
+handled by the VSP1/DU which actually handles the DMA allcoations and
+buffer management, so define a maximum segment size of up to 4GB (a 32
+bit mask).
+
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Fixes: 7b49235e83b2 ("[media] v4l: Add Renesas R-Car FCP driver")
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-fcp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/rcar-fcp.c b/drivers/media/platform/rcar-fcp.c
+index 43c78620c9d8..5c6b00737fe7 100644
+--- a/drivers/media/platform/rcar-fcp.c
++++ b/drivers/media/platform/rcar-fcp.c
+@@ -8,6 +8,7 @@
+ */
+
+ #include <linux/device.h>
++#include <linux/dma-mapping.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
+ #include <linux/mod_devicetable.h>
+@@ -21,6 +22,7 @@
+ struct rcar_fcp_device {
+ struct list_head list;
+ struct device *dev;
++ struct device_dma_parameters dma_parms;
+ };
+
+ static LIST_HEAD(fcp_devices);
+@@ -136,6 +138,9 @@ static int rcar_fcp_probe(struct platform_device *pdev)
+
+ fcp->dev = &pdev->dev;
+
++ fcp->dev->dma_parms = &fcp->dma_parms;
++ dma_set_max_seg_size(fcp->dev, DMA_BIT_MASK(32));
++
+ pm_runtime_enable(&pdev->dev);
+
+ mutex_lock(&fcp_lock);
+--
+2.25.1
+
--- /dev/null
+From eff8d624748bc7973bc97012134f56ff3091c6cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 21:03:57 +0100
+Subject: media: si2157: Better check for running tuner in init
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit e955f959ac52e145f27ff2be9078b646d0352af0 ]
+
+Getting the Xtal trim property to check if running is less error prone.
+Reset if_frequency if state is unknown.
+
+Replaces the previous "garbage check".
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/si2157.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
+index 898e0f9f8b70..20487b25fbe1 100644
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -75,24 +75,23 @@ static int si2157_init(struct dvb_frontend *fe)
+ struct si2157_cmd cmd;
+ const struct firmware *fw;
+ const char *fw_name;
+- unsigned int uitmp, chip_id;
++ unsigned int chip_id, xtal_trim;
+
+ dev_dbg(&client->dev, "\n");
+
+- /* Returned IF frequency is garbage when firmware is not running */
+- memcpy(cmd.args, "\x15\x00\x06\x07", 4);
++ /* Try to get Xtal trim property, to verify tuner still running */
++ memcpy(cmd.args, "\x15\x00\x04\x02", 4);
+ cmd.wlen = 4;
+ cmd.rlen = 4;
+ ret = si2157_cmd_execute(client, &cmd);
+- if (ret)
+- goto err;
+
+- uitmp = cmd.args[2] << 0 | cmd.args[3] << 8;
+- dev_dbg(&client->dev, "if_frequency kHz=%u\n", uitmp);
++ xtal_trim = cmd.args[2] | (cmd.args[3] << 8);
+
+- if (uitmp == dev->if_frequency / 1000)
++ if (ret == 0 && xtal_trim < 16)
+ goto warm;
+
++ dev->if_frequency = 0; /* we no longer know current tuner state */
++
+ /* power up */
+ if (dev->chiptype == SI2157_CHIPTYPE_SI2146) {
+ memcpy(cmd.args, "\xc0\x05\x01\x00\x00\x0b\x00\x00\x01", 9);
+--
+2.25.1
+
--- /dev/null
+From 530aa73deb08a2406bc5d66a2cd322c45902a38c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Mar 2020 05:16:48 +0100
+Subject: media: staging: imgu: do not hold spinlock during freeing mmu page
+ table
+
+From: Bingbu Cao <bingbu.cao@intel.com>
+
+[ Upstream commit e1ebe9f9c88e5a78fcc4670a9063c9b3cd87dda4 ]
+
+ImgU need set the mmu page table in memory as uncached, and set back
+to write-back when free the page table by set_memory_wb(),
+set_memory_wb() can not do flushing without interrupt, so the spinlock
+should not be hold during ImgU page alloc and free, the interrupt
+should be enabled during memory cache flush.
+
+This patch release spinlock before freeing pages table.
+
+Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
+Reviewed-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/ipu3/ipu3-mmu.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/media/ipu3/ipu3-mmu.c b/drivers/staging/media/ipu3/ipu3-mmu.c
+index 5f3ff964f3e7..cb9bf5fb29a5 100644
+--- a/drivers/staging/media/ipu3/ipu3-mmu.c
++++ b/drivers/staging/media/ipu3/ipu3-mmu.c
+@@ -174,8 +174,10 @@ static u32 *imgu_mmu_get_l2pt(struct imgu_mmu *mmu, u32 l1pt_idx)
+ spin_lock_irqsave(&mmu->lock, flags);
+
+ l2pt = mmu->l2pts[l1pt_idx];
+- if (l2pt)
+- goto done;
++ if (l2pt) {
++ spin_unlock_irqrestore(&mmu->lock, flags);
++ return l2pt;
++ }
+
+ spin_unlock_irqrestore(&mmu->lock, flags);
+
+@@ -190,8 +192,9 @@ static u32 *imgu_mmu_get_l2pt(struct imgu_mmu *mmu, u32 l1pt_idx)
+
+ l2pt = mmu->l2pts[l1pt_idx];
+ if (l2pt) {
++ spin_unlock_irqrestore(&mmu->lock, flags);
+ imgu_mmu_free_page_table(new_l2pt);
+- goto done;
++ return l2pt;
+ }
+
+ l2pt = new_l2pt;
+@@ -200,7 +203,6 @@ static u32 *imgu_mmu_get_l2pt(struct imgu_mmu *mmu, u32 l1pt_idx)
+ pteval = IPU3_ADDR2PTE(virt_to_phys(new_l2pt));
+ mmu->l1pt[l1pt_idx] = pteval;
+
+-done:
+ spin_unlock_irqrestore(&mmu->lock, flags);
+ return l2pt;
+ }
+--
+2.25.1
+
--- /dev/null
+From 04bc1c21a2fd4f22b7e880673d55bcc75ad9a66e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Mar 2020 15:54:37 +0100
+Subject: media: staging/intel-ipu3: Implement lock for stream on/off
+ operations
+
+From: Bingbu Cao <bingbu.cao@intel.com>
+
+[ Upstream commit 33e3c349b2bf1235be458df09fb8d237141486c4 ]
+
+Currently concurrent stream off operations on ImgU nodes are not
+synchronized, leading to use-after-free bugs (as reported by KASAN).
+
+[ 250.090724] BUG: KASAN: use-after-free in
+ipu3_dmamap_free+0xc5/0x116 [ipu3_imgu]
+[ 250.090726] Read of size 8 at addr ffff888127b29bc0 by task
+yavta/18836
+[ 250.090731] Hardware name: HP Soraka/Soraka, BIOS
+Google_Soraka.10431.17.0 03/22/2018
+[ 250.090732] Call Trace:
+[ 250.090735] dump_stack+0x6a/0xb1
+[ 250.090739] print_address_description+0x8e/0x279
+[ 250.090743] ? ipu3_dmamap_free+0xc5/0x116 [ipu3_imgu]
+[ 250.090746] kasan_report+0x260/0x28a
+[ 250.090750] ipu3_dmamap_free+0xc5/0x116 [ipu3_imgu]
+[ 250.090754] ipu3_css_pool_cleanup+0x24/0x37 [ipu3_imgu]
+[ 250.090759] ipu3_css_pipeline_cleanup+0x61/0xb9 [ipu3_imgu]
+[ 250.090763] ipu3_css_stop_streaming+0x1f2/0x321 [ipu3_imgu]
+[ 250.090768] imgu_s_stream+0x94/0x443 [ipu3_imgu]
+[ 250.090772] ? ipu3_vb2_buf_queue+0x280/0x280 [ipu3_imgu]
+[ 250.090775] ? vb2_dma_sg_unmap_dmabuf+0x16/0x6f [videobuf2_dma_sg]
+[ 250.090778] ? vb2_buffer_in_use+0x36/0x58 [videobuf2_common]
+[ 250.090782] ipu3_vb2_stop_streaming+0xf9/0x135 [ipu3_imgu]
+
+Implemented a lock to synchronize imgu stream on / off operations and
+the modification of streaming flag (in struct imgu_device), to prevent
+these issues.
+
+Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Suggested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Rajmohan Mani <rajmohan.mani@intel.com>
+Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/ipu3/ipu3-v4l2.c | 10 ++++++++++
+ drivers/staging/media/ipu3/ipu3.c | 3 +++
+ drivers/staging/media/ipu3/ipu3.h | 4 ++++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
+index 09c8ede1457c..db8b5d13631a 100644
+--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
+@@ -367,8 +367,10 @@ static void imgu_vb2_buf_queue(struct vb2_buffer *vb)
+
+ vb2_set_plane_payload(vb, 0, need_bytes);
+
++ mutex_lock(&imgu->streaming_lock);
+ if (imgu->streaming)
+ imgu_queue_buffers(imgu, false, node->pipe);
++ mutex_unlock(&imgu->streaming_lock);
+
+ dev_dbg(&imgu->pci_dev->dev, "%s for pipe %u node %u", __func__,
+ node->pipe, node->id);
+@@ -468,10 +470,13 @@ static int imgu_vb2_start_streaming(struct vb2_queue *vq, unsigned int count)
+ dev_dbg(dev, "%s node name %s pipe %u id %u", __func__,
+ node->name, node->pipe, node->id);
+
++ mutex_lock(&imgu->streaming_lock);
+ if (imgu->streaming) {
+ r = -EBUSY;
++ mutex_unlock(&imgu->streaming_lock);
+ goto fail_return_bufs;
+ }
++ mutex_unlock(&imgu->streaming_lock);
+
+ if (!node->enabled) {
+ dev_err(dev, "IMGU node is not enabled");
+@@ -498,9 +503,11 @@ static int imgu_vb2_start_streaming(struct vb2_queue *vq, unsigned int count)
+
+ /* Start streaming of the whole pipeline now */
+ dev_dbg(dev, "IMGU streaming is ready to start");
++ mutex_lock(&imgu->streaming_lock);
+ r = imgu_s_stream(imgu, true);
+ if (!r)
+ imgu->streaming = true;
++ mutex_unlock(&imgu->streaming_lock);
+
+ return 0;
+
+@@ -532,6 +539,7 @@ static void imgu_vb2_stop_streaming(struct vb2_queue *vq)
+ dev_err(&imgu->pci_dev->dev,
+ "failed to stop subdev streaming\n");
+
++ mutex_lock(&imgu->streaming_lock);
+ /* Was this the first node with streaming disabled? */
+ if (imgu->streaming && imgu_all_nodes_streaming(imgu, node)) {
+ /* Yes, really stop streaming now */
+@@ -542,6 +550,8 @@ static void imgu_vb2_stop_streaming(struct vb2_queue *vq)
+ }
+
+ imgu_return_all_buffers(imgu, node, VB2_BUF_STATE_ERROR);
++ mutex_unlock(&imgu->streaming_lock);
++
+ media_pipeline_stop(&node->vdev.entity);
+ }
+
+diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c
+index 7a1d1881483b..ee1bba6bdcac 100644
+--- a/drivers/staging/media/ipu3/ipu3.c
++++ b/drivers/staging/media/ipu3/ipu3.c
+@@ -675,6 +675,7 @@ static int imgu_pci_probe(struct pci_dev *pci_dev,
+ return r;
+
+ mutex_init(&imgu->lock);
++ mutex_init(&imgu->streaming_lock);
+ atomic_set(&imgu->qbuf_barrier, 0);
+ init_waitqueue_head(&imgu->buf_drain_wq);
+
+@@ -738,6 +739,7 @@ out_mmu_exit:
+ out_css_powerdown:
+ imgu_css_set_powerdown(&pci_dev->dev, imgu->base);
+ out_mutex_destroy:
++ mutex_destroy(&imgu->streaming_lock);
+ mutex_destroy(&imgu->lock);
+
+ return r;
+@@ -755,6 +757,7 @@ static void imgu_pci_remove(struct pci_dev *pci_dev)
+ imgu_css_set_powerdown(&pci_dev->dev, imgu->base);
+ imgu_dmamap_exit(imgu);
+ imgu_mmu_exit(imgu->mmu);
++ mutex_destroy(&imgu->streaming_lock);
+ mutex_destroy(&imgu->lock);
+ }
+
+diff --git a/drivers/staging/media/ipu3/ipu3.h b/drivers/staging/media/ipu3/ipu3.h
+index 73b123b2b8a2..8cd6a0077d99 100644
+--- a/drivers/staging/media/ipu3/ipu3.h
++++ b/drivers/staging/media/ipu3/ipu3.h
+@@ -146,6 +146,10 @@ struct imgu_device {
+ * vid_buf.list and css->queue
+ */
+ struct mutex lock;
++
++ /* Lock to protect writes to streaming flag in this struct */
++ struct mutex streaming_lock;
++
+ /* Forbid streaming and buffer queuing during system suspend. */
+ atomic_t qbuf_barrier;
+ /* Indicate if system suspend take place while imgu is streaming. */
+--
+2.25.1
+
--- /dev/null
+From 33952a50f48311ba4a081280f1927a3e2fa7e540 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Apr 2020 19:37:10 +0200
+Subject: media: staging: ipu3: Fix stale list entries on parameter queue
+ failure
+
+From: Tomasz Figa <tfiga@chromium.org>
+
+[ Upstream commit 735a02f1bbc2c5e6e9cdbf0222948ff03ff7ab2d ]
+
+When queuing parameters fails, current code bails out without deleting
+the corresponding vb2 buffer from the driver buffer list, but the buffer
+is returned to vb2. This leads to stale list entries and a crash when
+the driver stops streaming:
+
+[ 224.935561] ipu3-imgu 0000:00:05.0: set parameters failed.
+[ 224.998932] ipu3-imgu 0000:00:05.0: set parameters failed.
+[ 225.064430] ipu3-imgu 0000:00:05.0: set parameters failed.
+[ 225.128534] ipu3-imgu 0000:00:05.0: set parameters failed.
+[ 225.194945] ipu3-imgu 0000:00:05.0: set parameters failed.
+[ 225.360363] ------------[ cut here ]------------
+[ 225.360372] WARNING: CPU: 0 PID: 6704 at
+drivers/media/common/videobuf2/videobuf2-core.c:927
+vb2_buffer_done+0x20f/0x21a [videobuf2_common]
+[ 225.360374] Modules linked in: snd_seq_dummy snd_seq snd_seq_device
+veth bridge stp llc tun nf_nat_tftp nf_conntrack_tftp nf_nat_ftp
+nf_conntrack_ftp esp6 ah6 ip6t_REJECT ip6t_ipv6header cmac rfcomm uinput
+ipu3_imgu(C) ipu3_cio2 iova videobuf2_v4l2 videobuf2_common
+videobuf2_dma_sg videobuf2_memops ov13858 ov5670 v4l2_fwnode dw9714
+acpi_als xt_MASQUERADE fuse iio_trig_sysfs cros_ec_sensors_ring
+cros_ec_light_prox cros_ec_sensors cros_ec_sensors_core
+industrialio_triggered_buffer kfifo_buf industrialio
+cros_ec_sensorsupport cdc_ether btusb btrtl btintel btbcm usbnet
+bluetooth ecdh_generic ecc hid_google_hammer iwlmvm iwl7000_mac80211
+r8152 mii lzo_rle lzo_compress iwlwifi zram cfg80211 joydev
+[ 225.360400] CPU: 0 PID: 6704 Comm: CameraDeviceOps Tainted: G
+C 5.4.30 #5
+[ 225.360402] Hardware name: HP Soraka/Soraka, BIOS
+Google_Soraka.10431.106.0 12/03/2019
+[ 225.360405] RIP: 0010:vb2_buffer_done+0x20f/0x21a [videobuf2_common]
+[ 225.360408] Code: 5e 41 5f 5d e9 e0 16 5a d4 41 8b 55 08 48 c7 c7 8f
+8b 5c c0 48 c7 c6 36 9a 5c c0 44 89 f9 31 c0 e8 a5 1c 5b d4 e9 53 fe ff
+ff <0f> 0b eb a3 e8 12 d7 43 d4 eb 97 0f 1f 44 00 00 55 48 89 e5 41 56
+[ 225.360410] RSP: 0018:ffff9468ab32fba8 EFLAGS: 00010297
+[ 225.360412] RAX: ffff8aa7a51577a8 RBX: dead000000000122 RCX:
+ffff8aa7a51577a8
+[ 225.360414] RDX: 0000000000000000 RSI: 0000000000000006 RDI:
+ffff8aa7a5157400
+[ 225.360416] RBP: ffff9468ab32fbd8 R08: ffff8aa64e47e600 R09:
+0000000000000000
+[ 225.360418] R10: 0000000000000000 R11: ffffffffc06036e6 R12:
+dead000000000100
+[ 225.360420] R13: ffff8aa7820f1940 R14: ffff8aa7a51577a8 R15:
+0000000000000006
+[ 225.360422] FS: 00007c1146ffd700(0000) GS:ffff8aa7baa00000(0000)
+knlGS:0000000000000000
+[ 225.360424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 225.360426] CR2: 00007aea3473a000 CR3: 00000000537d6004 CR4:
+00000000003606f0
+[ 225.360427] Call Trace:
+[ 225.360434] imgu_return_all_buffers+0x6f/0x8e [ipu3_imgu]
+[ 225.360438] imgu_vb2_stop_streaming+0xd6/0xf0 [ipu3_imgu]
+[ 225.360441] __vb2_queue_cancel+0x33/0x22d [videobuf2_common]
+[ 225.360443] vb2_core_streamoff+0x16/0x78 [videobuf2_common]
+[ 225.360448] __video_do_ioctl+0x33d/0x42a
+[ 225.360452] video_usercopy+0x34a/0x615
+[ 225.360455] ? video_ioctl2+0x16/0x16
+[ 225.360458] v4l2_ioctl+0x46/0x53
+[ 225.360462] do_vfs_ioctl+0x50a/0x787
+[ 225.360465] ksys_ioctl+0x58/0x83
+[ 225.360468] __x64_sys_ioctl+0x1a/0x1e
+[ 225.360470] do_syscall_64+0x54/0x68
+[ 225.360474] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 225.360476] RIP: 0033:0x7c118030f497
+[ 225.360479] Code: 8a 66 90 48 8b 05 d1 d9 2b 00 64 c7 00 26 00 00 00
+48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f
+05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 d9 2b 00 f7 d8 64 89 01 48
+[ 225.360480] RSP: 002b:00007c1146ffa5a8 EFLAGS: 00000246 ORIG_RAX:
+0000000000000010
+[ 225.360483] RAX: ffffffffffffffda RBX: 00007c1140010018 RCX:
+00007c118030f497
+[ 225.360484] RDX: 00007c114001019c RSI: 0000000040045613 RDI:
+000000000000004c
+[ 225.360486] RBP: 00007c1146ffa700 R08: 00007c1140010048 R09:
+0000000000000000
+[ 225.360488] R10: 0000000000000000 R11: 0000000000000246 R12:
+00007c11400101b0
+[ 225.360489] R13: 00007c1140010200 R14: 00007c1140010048 R15:
+0000000000000001
+[ 225.360492] ---[ end trace 73625ecfbd1c930e ]---
+[ 225.360498] general protection fault: 0000 [#1] PREEMPT SMP PTI
+[ 225.360501] CPU: 0 PID: 6704 Comm: CameraDeviceOps Tainted: G
+WC 5.4.30 #5
+[ 225.360502] Hardware name: HP Soraka/Soraka, BIOS
+Google_Soraka.10431.106.0 12/03/2019
+[ 225.360505] RIP: 0010:imgu_return_all_buffers+0x52/0x8e [ipu3_imgu]
+[ 225.360507] Code: d4 49 8b 85 70 0a 00 00 49 81 c5 70 0a 00 00 49 39
+c5 74 3b 49 bc 00 01 00 00 00 00 ad de 49 8d 5c 24 22 4c 8b 30 48 8b 48
+08 <49> 89 4e 08 4c 89 31 4c 89 20 48 89 58 08 48 8d b8 58 fc ff ff 44
+[ 225.360509] RSP: 0018:ffff9468ab32fbe8 EFLAGS: 00010293
+[ 225.360511] RAX: ffff8aa7a51577a8 RBX: dead000000000122 RCX:
+dead000000000122
+[ 225.360512] RDX: 0000000000000000 RSI: 0000000000000006 RDI:
+ffff8aa7a5157400
+[ 225.360514] RBP: ffff9468ab32fc18 R08: ffff8aa64e47e600 R09:
+0000000000000000
+[ 225.360515] R10: 0000000000000000 R11: ffffffffc06036e6 R12:
+dead000000000100
+[ 225.360517] R13: ffff8aa7820f1940 R14: dead000000000100 R15:
+0000000000000006
+[ 225.360519] FS: 00007c1146ffd700(0000) GS:ffff8aa7baa00000(0000)
+knlGS:0000000000000000
+[ 225.360521] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 225.360523] CR2: 00007aea3473a000 CR3: 00000000537d6004 CR4:
+00000000003606f0
+[ 225.360525] Call Trace:
+[ 225.360528] imgu_vb2_stop_streaming+0xd6/0xf0 [ipu3_imgu]
+[ 225.360531] __vb2_queue_cancel+0x33/0x22d [videobuf2_common]
+[ 225.360534] vb2_core_streamoff+0x16/0x78 [videobuf2_common]
+[ 225.360537] __video_do_ioctl+0x33d/0x42a
+[ 225.360540] video_usercopy+0x34a/0x615
+[ 225.360542] ? video_ioctl2+0x16/0x16
+[ 225.360546] v4l2_ioctl+0x46/0x53
+[ 225.360548] do_vfs_ioctl+0x50a/0x787
+[ 225.360551] ksys_ioctl+0x58/0x83
+[ 225.360554] __x64_sys_ioctl+0x1a/0x1e
+[ 225.360556] do_syscall_64+0x54/0x68
+[ 225.360559] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 225.360561] RIP: 0033:0x7c118030f497
+[ 225.360563] Code: 8a 66 90 48 8b 05 d1 d9 2b 00 64 c7 00 26 00 00 00
+48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f
+05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 d9 2b 00 f7 d8 64 89 01 48
+[ 225.360565] RSP: 002b:00007c1146ffa5a8 EFLAGS: 00000246 ORIG_RAX:
+0000000000000010
+[ 225.360567] RAX: ffffffffffffffda RBX: 00007c1140010018 RCX:
+00007c118030f497
+[ 225.360569] RDX: 00007c114001019c RSI: 0000000040045613 RDI:
+000000000000004c
+[ 225.360570] RBP: 00007c1146ffa700 R08: 00007c1140010048 R09:
+0000000000000000
+[ 225.360572] R10: 0000000000000000 R11: 0000000000000246 R12:
+00007c11400101b0
+[ 225.360574] R13: 00007c1140010200 R14: 00007c1140010048 R15:
+0000000000000001
+[ 225.360576] Modules linked in: snd_seq_dummy snd_seq snd_seq_device
+veth bridge stp llc tun nf_nat_tftp nf_conntrack_tftp nf_nat_ftp
+nf_conntrack_ftp esp6 ah6 ip6t_REJECT ip6t_ipv6header cmac rfcomm uinput
+ipu3_imgu(C) ipu3_cio2 iova videobuf2_v4l2 videobuf2_common
+videobuf2_dma_sg videobuf2_memops ov13858 ov567
+
+Fix this by moving the list_del() call just below the list_first_entry()
+call when the buffer no longer needs to be in the list.
+
+Fixes: 8ecc7c9da013 ("media: staging/intel-ipu3: parameter buffer refactoring")
+Signed-off-by: Tomasz Figa <tfiga@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/ipu3/ipu3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c
+index 4d53aad31483..7a1d1881483b 100644
+--- a/drivers/staging/media/ipu3/ipu3.c
++++ b/drivers/staging/media/ipu3/ipu3.c
+@@ -261,6 +261,7 @@ int imgu_queue_buffers(struct imgu_device *imgu, bool initial, unsigned int pipe
+
+ ivb = list_first_entry(&imgu_pipe->nodes[node].buffers,
+ struct imgu_vb2_buffer, list);
++ list_del(&ivb->list);
+ vb = &ivb->vbb.vb2_buf;
+ r = imgu_css_set_parameters(&imgu->css, pipe,
+ vb2_plane_vaddr(vb, 0));
+@@ -274,7 +275,6 @@ int imgu_queue_buffers(struct imgu_device *imgu, bool initial, unsigned int pipe
+ vb2_buffer_done(vb, VB2_BUF_STATE_DONE);
+ dev_dbg(&imgu->pci_dev->dev,
+ "queue user parameters %d to css.", vb->index);
+- list_del(&ivb->list);
+ } else if (imgu_pipe->queue_enabled[node]) {
+ struct imgu_css_buffer *buf =
+ imgu_queue_getbuf(imgu, node, pipe);
+--
+2.25.1
+
--- /dev/null
+From a62bbae4c2f2edd34ebcd45d654e82b22f572ae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 09:50:34 +0200
+Subject: media: sun8i: Fix an error handling path in
+ 'deinterlace_runtime_resume()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 62eedb356188376acd0368384a9b294d5180c00b ]
+
+It is spurious to call 'clk_disable_unprepare()' when
+'clk_prepare_enable()' has not been called yet.
+Re-order the error handling path to avoid it.
+
+Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: err_exlusive_rate -> err_exclusive_rate]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sunxi/sun8i-di/sun8i-di.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
+index d78f6593ddd1..ba5d07886607 100644
+--- a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
++++ b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
+@@ -941,7 +941,7 @@ static int deinterlace_runtime_resume(struct device *device)
+ if (ret) {
+ dev_err(dev->dev, "Failed to enable bus clock\n");
+
+- goto err_exlusive_rate;
++ goto err_exclusive_rate;
+ }
+
+ ret = clk_prepare_enable(dev->mod_clk);
+@@ -969,14 +969,14 @@ static int deinterlace_runtime_resume(struct device *device)
+
+ return 0;
+
+-err_exlusive_rate:
+- clk_rate_exclusive_put(dev->mod_clk);
+ err_ram_clk:
+ clk_disable_unprepare(dev->ram_clk);
+ err_mod_clk:
+ clk_disable_unprepare(dev->mod_clk);
+ err_bus_clk:
+ clk_disable_unprepare(dev->bus_clk);
++err_exclusive_rate:
++ clk_rate_exclusive_put(dev->mod_clk);
+
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From 3c2f75e836d51dea8aecff2d49725f4effa54825 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2020 12:01:59 +0100
+Subject: media: v4l2-ctrls: v4l2_ctrl_g/s_ctrl*(): don't continue when WARN_ON
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 7c3bae3f430af6b4fcbdb7272e191e266fd94b45 ]
+
+If the v4l2_ctrl_g_ctrl*() or __v4l2_ctrl_s_ctrl*() functions
+are called for the wrong control type then they call WARN_ON
+since that is a driver error. But they still continue, potentially
+overwriting data. Change this to return an error (s_ctrl) or 0
+(g_ctrl), just to be safe.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c
+index 93d33d1db4e8..452edd06d67d 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -3794,7 +3794,8 @@ s32 v4l2_ctrl_g_ctrl(struct v4l2_ctrl *ctrl)
+ struct v4l2_ext_control c;
+
+ /* It's a driver bug if this happens. */
+- WARN_ON(!ctrl->is_int);
++ if (WARN_ON(!ctrl->is_int))
++ return 0;
+ c.value = 0;
+ get_ctrl(ctrl, &c);
+ return c.value;
+@@ -3806,7 +3807,8 @@ s64 v4l2_ctrl_g_ctrl_int64(struct v4l2_ctrl *ctrl)
+ struct v4l2_ext_control c;
+
+ /* It's a driver bug if this happens. */
+- WARN_ON(ctrl->is_ptr || ctrl->type != V4L2_CTRL_TYPE_INTEGER64);
++ if (WARN_ON(ctrl->is_ptr || ctrl->type != V4L2_CTRL_TYPE_INTEGER64))
++ return 0;
+ c.value64 = 0;
+ get_ctrl(ctrl, &c);
+ return c.value64;
+@@ -4215,7 +4217,8 @@ int __v4l2_ctrl_s_ctrl(struct v4l2_ctrl *ctrl, s32 val)
+ lockdep_assert_held(ctrl->handler->lock);
+
+ /* It's a driver bug if this happens. */
+- WARN_ON(!ctrl->is_int);
++ if (WARN_ON(!ctrl->is_int))
++ return -EINVAL;
+ ctrl->val = val;
+ return set_ctrl(NULL, ctrl, 0);
+ }
+@@ -4226,7 +4229,8 @@ int __v4l2_ctrl_s_ctrl_int64(struct v4l2_ctrl *ctrl, s64 val)
+ lockdep_assert_held(ctrl->handler->lock);
+
+ /* It's a driver bug if this happens. */
+- WARN_ON(ctrl->is_ptr || ctrl->type != V4L2_CTRL_TYPE_INTEGER64);
++ if (WARN_ON(ctrl->is_ptr || ctrl->type != V4L2_CTRL_TYPE_INTEGER64))
++ return -EINVAL;
+ *ctrl->p_new.p_s64 = val;
+ return set_ctrl(NULL, ctrl, 0);
+ }
+@@ -4237,7 +4241,8 @@ int __v4l2_ctrl_s_ctrl_string(struct v4l2_ctrl *ctrl, const char *s)
+ lockdep_assert_held(ctrl->handler->lock);
+
+ /* It's a driver bug if this happens. */
+- WARN_ON(ctrl->type != V4L2_CTRL_TYPE_STRING);
++ if (WARN_ON(ctrl->type != V4L2_CTRL_TYPE_STRING))
++ return -EINVAL;
+ strscpy(ctrl->p_new.p_char, s, ctrl->maximum + 1);
+ return set_ctrl(NULL, ctrl, 0);
+ }
+@@ -4249,7 +4254,8 @@ int __v4l2_ctrl_s_ctrl_area(struct v4l2_ctrl *ctrl,
+ lockdep_assert_held(ctrl->handler->lock);
+
+ /* It's a driver bug if this happens. */
+- WARN_ON(ctrl->type != V4L2_CTRL_TYPE_AREA);
++ if (WARN_ON(ctrl->type != V4L2_CTRL_TYPE_AREA))
++ return -EINVAL;
+ *ctrl->p_new.p_area = *area;
+ return set_ctrl(NULL, ctrl, 0);
+ }
+--
+2.25.1
+
--- /dev/null
+From 1c23688a0873b9f7a0cc37918e8696e5d5fb3d59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Apr 2020 09:17:25 +0200
+Subject: media: venus: core: remove CNOC voting while device suspend
+
+From: Mansur Alisha Shaik <mansur@codeaurora.org>
+
+[ Upstream commit 07f8f22a33a9e3e9955e24a84e2f856dcc8c31c4 ]
+
+The Venus driver is voting Configuration NoC during .probe but not clear
+voting in .suspend. Because of this NoC is up during shutdown also. As a
+consequence the whole device could leak energy while in .suspend.
+
+So correct this by moving voting in .resume and unvoting
+in .suspend
+
+Signed-off-by: Mansur Alisha Shaik <mansur@codeaurora.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
+index 194b10b98767..13fa5076314c 100644
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -242,10 +242,6 @@ static int venus_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
+- ret = icc_set_bw(core->cpucfg_path, 0, kbps_to_icc(1000));
+- if (ret)
+- return ret;
+-
+ ret = hfi_create(core, &venus_core_ops);
+ if (ret)
+ return ret;
+@@ -350,6 +346,10 @@ static __maybe_unused int venus_runtime_suspend(struct device *dev)
+ if (ret)
+ return ret;
+
++ ret = icc_set_bw(core->cpucfg_path, 0, 0);
++ if (ret)
++ return ret;
++
+ if (pm_ops->core_power)
+ ret = pm_ops->core_power(dev, POWER_OFF);
+
+@@ -368,6 +368,10 @@ static __maybe_unused int venus_runtime_resume(struct device *dev)
+ return ret;
+ }
+
++ ret = icc_set_bw(core->cpucfg_path, 0, kbps_to_icc(1000));
++ if (ret)
++ return ret;
++
+ return hfi_core_resume(core, false);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 1658bfaa8a49cddae7e2e01ca3349978156aa9a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2020 11:32:37 +0200
+Subject: media: vicodec: Fix error codes in probe function
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit f36592e7b343d853edf44d3545bb68961c0949a4 ]
+
+If these functions fail then we return success, but we should instead
+preserve negative error code and return that.
+
+Fixes: fde649b418d1 ("media: vicodec: Register another node for stateless decoder")
+Fixes: c022a4a95722 ("media: vicodec: add struct for encoder/decoder instance")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vicodec/vicodec-core.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
+index 30ced1c21387..e879290727ef 100644
+--- a/drivers/media/platform/vicodec/vicodec-core.c
++++ b/drivers/media/platform/vicodec/vicodec-core.c
+@@ -2114,16 +2114,19 @@ static int vicodec_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, dev);
+
+- if (register_instance(dev, &dev->stateful_enc,
+- "stateful-encoder", true))
++ ret = register_instance(dev, &dev->stateful_enc, "stateful-encoder",
++ true);
++ if (ret)
+ goto unreg_dev;
+
+- if (register_instance(dev, &dev->stateful_dec,
+- "stateful-decoder", false))
++ ret = register_instance(dev, &dev->stateful_dec, "stateful-decoder",
++ false);
++ if (ret)
+ goto unreg_sf_enc;
+
+- if (register_instance(dev, &dev->stateless_dec,
+- "stateless-decoder", false))
++ ret = register_instance(dev, &dev->stateless_dec, "stateless-decoder",
++ false);
++ if (ret)
+ goto unreg_sf_dec;
+
+ #ifdef CONFIG_MEDIA_CONTROLLER
+--
+2.25.1
+
--- /dev/null
+From 9a59ba2dc052f4afdfc4252410ad537e6870d6f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 17:07:22 +0300
+Subject: mips: Add udelay lpj numbers adjustment
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit ed26aacfb5f71eecb20a51c4467da440cb719d66 ]
+
+Loops-per-jiffies is a special number which represents a number of
+noop-loop cycles per CPU-scheduler quantum - jiffies. As you
+understand aside from CPU-specific implementation it depends on
+the CPU frequency. So when a platform has the CPU frequency fixed,
+we have no problem and the current udelay interface will work
+just fine. But as soon as CPU-freq driver is enabled and the cores
+frequency changes, we'll end up with distorted udelay's. In order
+to fix this we have to accordinly adjust the per-CPU udelay_val
+(the same as the global loops_per_jiffy) number. This can be done
+in the CPU-freq transition event handler. We subscribe to that event
+in the MIPS arch time-inititalization method.
+
+Co-developed-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/time.c | 70 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 70 insertions(+)
+
+diff --git a/arch/mips/kernel/time.c b/arch/mips/kernel/time.c
+index 37e9413a393d..caa01457dce6 100644
+--- a/arch/mips/kernel/time.c
++++ b/arch/mips/kernel/time.c
+@@ -18,12 +18,82 @@
+ #include <linux/smp.h>
+ #include <linux/spinlock.h>
+ #include <linux/export.h>
++#include <linux/cpufreq.h>
++#include <linux/delay.h>
+
+ #include <asm/cpu-features.h>
+ #include <asm/cpu-type.h>
+ #include <asm/div64.h>
+ #include <asm/time.h>
+
++#ifdef CONFIG_CPU_FREQ
++
++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref);
++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref_freq);
++static unsigned long glb_lpj_ref;
++static unsigned long glb_lpj_ref_freq;
++
++static int cpufreq_callback(struct notifier_block *nb,
++ unsigned long val, void *data)
++{
++ struct cpufreq_freqs *freq = data;
++ struct cpumask *cpus = freq->policy->cpus;
++ unsigned long lpj;
++ int cpu;
++
++ /*
++ * Skip lpj numbers adjustment if the CPU-freq transition is safe for
++ * the loops delay. (Is this possible?)
++ */
++ if (freq->flags & CPUFREQ_CONST_LOOPS)
++ return NOTIFY_OK;
++
++ /* Save the initial values of the lpjes for future scaling. */
++ if (!glb_lpj_ref) {
++ glb_lpj_ref = boot_cpu_data.udelay_val;
++ glb_lpj_ref_freq = freq->old;
++
++ for_each_online_cpu(cpu) {
++ per_cpu(pcp_lpj_ref, cpu) =
++ cpu_data[cpu].udelay_val;
++ per_cpu(pcp_lpj_ref_freq, cpu) = freq->old;
++ }
++ }
++
++ /*
++ * Adjust global lpj variable and per-CPU udelay_val number in
++ * accordance with the new CPU frequency.
++ */
++ if ((val == CPUFREQ_PRECHANGE && freq->old < freq->new) ||
++ (val == CPUFREQ_POSTCHANGE && freq->old > freq->new)) {
++ loops_per_jiffy = cpufreq_scale(glb_lpj_ref,
++ glb_lpj_ref_freq,
++ freq->new);
++
++ for_each_cpu(cpu, cpus) {
++ lpj = cpufreq_scale(per_cpu(pcp_lpj_ref, cpu),
++ per_cpu(pcp_lpj_ref_freq, cpu),
++ freq->new);
++ cpu_data[cpu].udelay_val = (unsigned int)lpj;
++ }
++ }
++
++ return NOTIFY_OK;
++}
++
++static struct notifier_block cpufreq_notifier = {
++ .notifier_call = cpufreq_callback,
++};
++
++static int __init register_cpufreq_notifier(void)
++{
++ return cpufreq_register_notifier(&cpufreq_notifier,
++ CPUFREQ_TRANSITION_NOTIFIER);
++}
++core_initcall(register_cpufreq_notifier);
++
++#endif /* CONFIG_CPU_FREQ */
++
+ /*
+ * forward reference
+ */
+--
+2.25.1
+
--- /dev/null
+From 998f9046dae91563b67ba896b5486b027bc5b532 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 20:42:22 +0300
+Subject: mips: cm: Fix an invalid error code of INTVN_*_ERR
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 8a0efb8b101665a843205eab3d67ab09cb2d9a8d ]
+
+Commit 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache
+errors") adds cm2_causes[] array with map of error type ID and
+pointers to the short description string. There is a mistake in
+the table, since according to MIPS32 manual CM2_ERROR_TYPE = {17,18}
+correspond to INTVN_WR_ERR and INTVN_RD_ERR, while the table
+claims they have {0x17,0x18} codes. This is obviously hex-dec
+copy-paste bug. Moreover codes {0x18 - 0x1a} indicate L2 ECC errors.
+
+Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-pm@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/mips-cm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
+index cdb93ed91cde..361bfc91a0e6 100644
+--- a/arch/mips/kernel/mips-cm.c
++++ b/arch/mips/kernel/mips-cm.c
+@@ -119,9 +119,9 @@ static char *cm2_causes[32] = {
+ "COH_RD_ERR", "MMIO_WR_ERR", "MMIO_RD_ERR", "0x07",
+ "0x08", "0x09", "0x0a", "0x0b",
+ "0x0c", "0x0d", "0x0e", "0x0f",
+- "0x10", "0x11", "0x12", "0x13",
+- "0x14", "0x15", "0x16", "INTVN_WR_ERR",
+- "INTVN_RD_ERR", "0x19", "0x1a", "0x1b",
++ "0x10", "INTVN_WR_ERR", "INTVN_RD_ERR", "0x13",
++ "0x14", "0x15", "0x16", "0x17",
++ "0x18", "0x19", "0x1a", "0x1b",
+ "0x1c", "0x1d", "0x1e", "0x1f"
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 5dc635f79dbc1c8eea10bc5194f412a320c3e0c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 17:07:16 +0300
+Subject: mips: Fix cpu_has_mips64r1/2 activation for MIPS32 CPUs
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit a2ac81c6ef4018ea49c034ce165bb9ea1cf99f3e ]
+
+Commit 1aeba347b3a9 ("MIPS: Hardcode cpu_has_mips* where target ISA
+allows") updated the cpu_has_mips* macro to be replaced with a constant
+expression where it's possible. By mistake it wasn't done correctly
+for cpu_has_mips64r1/cpu_has_mips64r2 macro. They are defined to
+be replaced with conditional expression __isa_range_or_flag(), which
+means either ISA revision being within the range or the corresponding
+CPU options flag was set at the probe stage or both being true at the
+same time. But the ISA level value doesn't indicate whether the ISA is
+MIPS32 or MIPS64. Due to this if we select MIPS32r1 - MIPS32r5
+architectures the __isa_range() macro will activate the
+cpu_has_mips64rX flags, which is incorrect. In order to fix the
+problem we make sure the 64bits CPU support is enabled by means of
+checking the flag cpu_has_64bits aside with proper ISA range and specific
+Revision flag being set.
+
+Fixes: 1aeba347b3a9 ("MIPS: Hardcode cpu_has_mips* where target ISA allows")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/cpu-features.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/cpu-features.h b/arch/mips/include/asm/cpu-features.h
+index de44c92b1c1f..d4e120464d41 100644
+--- a/arch/mips/include/asm/cpu-features.h
++++ b/arch/mips/include/asm/cpu-features.h
+@@ -288,10 +288,12 @@
+ # define cpu_has_mips32r6 __isa_ge_or_flag(6, MIPS_CPU_ISA_M32R6)
+ #endif
+ #ifndef cpu_has_mips64r1
+-# define cpu_has_mips64r1 __isa_range_or_flag(1, 6, MIPS_CPU_ISA_M64R1)
++# define cpu_has_mips64r1 (cpu_has_64bits && \
++ __isa_range_or_flag(1, 6, MIPS_CPU_ISA_M64R1))
+ #endif
+ #ifndef cpu_has_mips64r2
+-# define cpu_has_mips64r2 __isa_range_or_flag(2, 6, MIPS_CPU_ISA_M64R2)
++# define cpu_has_mips64r2 (cpu_has_64bits && \
++ __isa_range_or_flag(2, 6, MIPS_CPU_ISA_M64R2))
+ #endif
+ #ifndef cpu_has_mips64r6
+ # define cpu_has_mips64r6 __isa_ge_and_flag(6, MIPS_CPU_ISA_M64R6)
+--
+2.25.1
+
--- /dev/null
+From 44be2aa838cda978c2c2a7427c58409b06e21589 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 May 2020 23:50:34 +0800
+Subject: MIPS: Fix exception handler memcpy()
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+[ Upstream commit f39293fd37fff74c531b7a52d0459cc77db85e7f ]
+
+The exception handler subroutines are declared as a single char, but
+when copied to the required addresses the copy length is 0x80.
+
+When range checks are enabled for memcpy() this results in a build
+failure, with error messages such as:
+
+In file included from arch/mips/mti-malta/malta-init.c:15:
+In function 'memcpy',
+ inlined from 'mips_nmi_setup' at arch/mips/mti-malta/malta-init.c:98:2:
+include/linux/string.h:376:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
+ 376 | __read_overflow2();
+ | ^~~~~~~~~~~~~~~~~~
+
+Change the declarations to use type char[].
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: YunQiang Su <syq@debian.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/loongson2ef/common/init.c | 4 ++--
+ arch/mips/loongson64/init.c | 4 ++--
+ arch/mips/mti-malta/malta-init.c | 8 ++++----
+ arch/mips/pistachio/init.c | 8 ++++----
+ 4 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/arch/mips/loongson2ef/common/init.c b/arch/mips/loongson2ef/common/init.c
+index 45512178be77..ce3f02f75e2a 100644
+--- a/arch/mips/loongson2ef/common/init.c
++++ b/arch/mips/loongson2ef/common/init.c
+@@ -19,10 +19,10 @@ unsigned long __maybe_unused _loongson_addrwincfg_base;
+ static void __init mips_nmi_setup(void)
+ {
+ void *base;
+- extern char except_vec_nmi;
++ extern char except_vec_nmi[];
+
+ base = (void *)(CAC_BASE + 0x380);
+- memcpy(base, &except_vec_nmi, 0x80);
++ memcpy(base, except_vec_nmi, 0x80);
+ flush_icache_range((unsigned long)base, (unsigned long)base + 0x80);
+ }
+
+diff --git a/arch/mips/loongson64/init.c b/arch/mips/loongson64/init.c
+index da38944471f4..86c5e93258ce 100644
+--- a/arch/mips/loongson64/init.c
++++ b/arch/mips/loongson64/init.c
+@@ -17,10 +17,10 @@
+ static void __init mips_nmi_setup(void)
+ {
+ void *base;
+- extern char except_vec_nmi;
++ extern char except_vec_nmi[];
+
+ base = (void *)(CAC_BASE + 0x380);
+- memcpy(base, &except_vec_nmi, 0x80);
++ memcpy(base, except_vec_nmi, 0x80);
+ flush_icache_range((unsigned long)base, (unsigned long)base + 0x80);
+ }
+
+diff --git a/arch/mips/mti-malta/malta-init.c b/arch/mips/mti-malta/malta-init.c
+index ff2c1d809538..893af377aacc 100644
+--- a/arch/mips/mti-malta/malta-init.c
++++ b/arch/mips/mti-malta/malta-init.c
+@@ -90,24 +90,24 @@ static void __init console_config(void)
+ static void __init mips_nmi_setup(void)
+ {
+ void *base;
+- extern char except_vec_nmi;
++ extern char except_vec_nmi[];
+
+ base = cpu_has_veic ?
+ (void *)(CAC_BASE + 0xa80) :
+ (void *)(CAC_BASE + 0x380);
+- memcpy(base, &except_vec_nmi, 0x80);
++ memcpy(base, except_vec_nmi, 0x80);
+ flush_icache_range((unsigned long)base, (unsigned long)base + 0x80);
+ }
+
+ static void __init mips_ejtag_setup(void)
+ {
+ void *base;
+- extern char except_vec_ejtag_debug;
++ extern char except_vec_ejtag_debug[];
+
+ base = cpu_has_veic ?
+ (void *)(CAC_BASE + 0xa00) :
+ (void *)(CAC_BASE + 0x300);
+- memcpy(base, &except_vec_ejtag_debug, 0x80);
++ memcpy(base, except_vec_ejtag_debug, 0x80);
+ flush_icache_range((unsigned long)base, (unsigned long)base + 0x80);
+ }
+
+diff --git a/arch/mips/pistachio/init.c b/arch/mips/pistachio/init.c
+index a09a5da38e6b..558995ed6fe8 100644
+--- a/arch/mips/pistachio/init.c
++++ b/arch/mips/pistachio/init.c
+@@ -83,12 +83,12 @@ phys_addr_t mips_cdmm_phys_base(void)
+ static void __init mips_nmi_setup(void)
+ {
+ void *base;
+- extern char except_vec_nmi;
++ extern char except_vec_nmi[];
+
+ base = cpu_has_veic ?
+ (void *)(CAC_BASE + 0xa80) :
+ (void *)(CAC_BASE + 0x380);
+- memcpy(base, &except_vec_nmi, 0x80);
++ memcpy(base, except_vec_nmi, 0x80);
+ flush_icache_range((unsigned long)base,
+ (unsigned long)base + 0x80);
+ }
+@@ -96,12 +96,12 @@ static void __init mips_nmi_setup(void)
+ static void __init mips_ejtag_setup(void)
+ {
+ void *base;
+- extern char except_vec_ejtag_debug;
++ extern char except_vec_ejtag_debug[];
+
+ base = cpu_has_veic ?
+ (void *)(CAC_BASE + 0xa00) :
+ (void *)(CAC_BASE + 0x300);
+- memcpy(base, &except_vec_ejtag_debug, 0x80);
++ memcpy(base, except_vec_ejtag_debug, 0x80);
+ flush_icache_range((unsigned long)base,
+ (unsigned long)base + 0x80);
+ }
+--
+2.25.1
+
--- /dev/null
+From 808be4b6912b7fa62e9e9d5c01de95584fba3790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2020 14:11:30 +0800
+Subject: MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe()
+
+From: YuanJunQing <yuanjunqing66@163.com>
+
+[ Upstream commit 31e1b3efa802f97a17628dde280006c4cee4ce5e ]
+
+Register "a1" is unsaved in this function,
+ when CONFIG_TRACE_IRQFLAGS is enabled,
+ the TRACE_IRQS_OFF macro will call trace_hardirqs_off(),
+ and this may change register "a1".
+ The changed register "a1" as argument will be send
+ to do_fpe() and do_msa_fpe().
+
+Signed-off-by: YuanJunQing <yuanjunqing66@163.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/genex.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/genex.S b/arch/mips/kernel/genex.S
+index 0a43c9125267..5b7c67a3f78f 100644
+--- a/arch/mips/kernel/genex.S
++++ b/arch/mips/kernel/genex.S
+@@ -476,20 +476,20 @@ NESTED(nmi_handler, PT_SIZE, sp)
+ .endm
+
+ .macro __build_clear_fpe
++ CLI
++ TRACE_IRQS_OFF
+ .set push
+ /* gas fails to assemble cfc1 for some archs (octeon).*/ \
+ .set mips1
+ SET_HARDFLOAT
+ cfc1 a1, fcr31
+ .set pop
+- CLI
+- TRACE_IRQS_OFF
+ .endm
+
+ .macro __build_clear_msa_fpe
+- _cfcmsa a1, MSA_CSR
+ CLI
+ TRACE_IRQS_OFF
++ _cfcmsa a1, MSA_CSR
+ .endm
+
+ .macro __build_clear_ade
+--
+2.25.1
+
--- /dev/null
+From 8863da95ec90566c75c9cd045080c1aa3f1e6bc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 May 2020 10:15:48 +0800
+Subject: MIPS: Loongson: Build ATI Radeon GPU driver as module
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit a44de7497f91834df0b8b6d459e259788ba66794 ]
+
+When ATI Radeon GPU driver has been compiled directly into the kernel
+instead of as a module, we should make sure the firmware for the model
+(check available ones in /lib/firmware/radeon) is built-in to the kernel
+as well, otherwise there exists the following fatal error during GPU init,
+change CONFIG_DRM_RADEON=y to CONFIG_DRM_RADEON=m to fix it.
+
+[ 1.900997] [drm] Loading RS780 Microcode
+[ 1.905077] radeon 0000:01:05.0: Direct firmware load for radeon/RS780_pfp.bin failed with error -2
+[ 1.914140] r600_cp: Failed to load firmware "radeon/RS780_pfp.bin"
+[ 1.920405] [drm:r600_init] *ERROR* Failed to load firmware!
+[ 1.926069] radeon 0000:01:05.0: Fatal error during GPU init
+[ 1.931729] [drm] radeon: finishing device.
+
+Fixes: 024e6a8b5bb1 ("MIPS: Loongson: Add a Loongson-3 default config file")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/configs/loongson3_defconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/configs/loongson3_defconfig b/arch/mips/configs/loongson3_defconfig
+index 51675f5000d6..b0c24bd292b2 100644
+--- a/arch/mips/configs/loongson3_defconfig
++++ b/arch/mips/configs/loongson3_defconfig
+@@ -229,7 +229,7 @@ CONFIG_MEDIA_CAMERA_SUPPORT=y
+ CONFIG_MEDIA_USB_SUPPORT=y
+ CONFIG_USB_VIDEO_CLASS=m
+ CONFIG_DRM=y
+-CONFIG_DRM_RADEON=y
++CONFIG_DRM_RADEON=m
+ CONFIG_FB_RADEON=y
+ CONFIG_LCD_CLASS_DEVICE=y
+ CONFIG_LCD_PLATFORM=m
+--
+2.25.1
+
--- /dev/null
+From 978460686dd72de944b2b785e3d15a0c1e2ec9f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 03:34:37 +0300
+Subject: mips: MAAR: Use more precise address mask
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit bbb5946eb545fab8ad8f46bce8a803e1c0c39d47 ]
+
+Indeed according to the MIPS32 Privileged Resource Architecgture the MAAR
+pair register address field either takes [12:31] bits for non-XPA systems
+and [12:55] otherwise. In any case the current address mask is just
+wrong for 64-bit and 32-bits XPA chips. So lets extend it to 59-bits
+of physical address value. This shall cover the 64-bits architecture and
+systems with XPA enabled, and won't cause any problem for non-XPA 32-bit
+systems, since address values exceeding the architecture specific MAAR
+mask will be just truncated with setting zeros in the unsupported upper
+bits.
+
+Co-developed-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mipsregs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h
+index 796fe47cfd17..274c2bf0d4a1 100644
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -753,7 +753,7 @@
+
+ /* MAAR bit definitions */
+ #define MIPS_MAAR_VH (_U64CAST_(1) << 63)
+-#define MIPS_MAAR_ADDR ((BIT_ULL(BITS_PER_LONG - 12) - 1) << 12)
++#define MIPS_MAAR_ADDR GENMASK_ULL(55, 12)
+ #define MIPS_MAAR_ADDR_SHIFT 12
+ #define MIPS_MAAR_S (_ULCAST_(1) << 1)
+ #define MIPS_MAAR_VL (_ULCAST_(1) << 0)
+--
+2.25.1
+
--- /dev/null
+From 6b1a775d1c5e98e913a3974ec35bafa27f5ca93a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 19:59:46 +0800
+Subject: MIPS: Make sparse_init() using top-down allocation
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 269b3a9ac538c4ae87f84be640b9fa89914a2489 ]
+
+In the current code, if CONFIG_SWIOTLB is set, when failed to get IO TLB
+memory from the low pages by plat_swiotlb_setup(), it may lead to the boot
+process failed with kernel panic.
+
+(1) On the Loongson and SiByte platform
+arch/mips/loongson64/dma.c
+arch/mips/sibyte/common/dma.c
+void __init plat_swiotlb_setup(void)
+{
+ swiotlb_init(1);
+}
+
+kernel/dma/swiotlb.c
+void __init
+swiotlb_init(int verbose)
+{
+...
+ vstart = memblock_alloc_low(PAGE_ALIGN(bytes), PAGE_SIZE);
+ if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, verbose))
+ return;
+...
+ pr_warn("Cannot allocate buffer");
+ no_iotlb_memory = true;
+}
+
+phys_addr_t swiotlb_tbl_map_single()
+{
+...
+ if (no_iotlb_memory)
+ panic("Can not allocate SWIOTLB buffer earlier ...");
+...
+}
+
+(2) On the Cavium OCTEON platform
+arch/mips/cavium-octeon/dma-octeon.c
+void __init plat_swiotlb_setup(void)
+{
+...
+ octeon_swiotlb = memblock_alloc_low(swiotlbsize, PAGE_SIZE);
+ if (!octeon_swiotlb)
+ panic("%s: Failed to allocate %zu bytes align=%lx\n",
+ __func__, swiotlbsize, PAGE_SIZE);
+...
+}
+
+Because IO_TLB_DEFAULT_SIZE is 64M, if the rest size of low memory is less
+than 64M when call plat_swiotlb_setup(), we can easily reproduce the panic
+case.
+
+In order to reduce the possibility of kernel panic when failed to get IO
+TLB memory under CONFIG_SWIOTLB, it is better to allocate low memory as
+small as possible before plat_swiotlb_setup(), so make sparse_init() using
+top-down allocation.
+
+Reported-by: Juxin Gao <gaojuxin@loongson.cn>
+Co-developed-by: Juxin Gao <gaojuxin@loongson.cn>
+Signed-off-by: Juxin Gao <gaojuxin@loongson.cn>
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/setup.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
+index 10bef8f78e7c..573509e0f2d4 100644
+--- a/arch/mips/kernel/setup.c
++++ b/arch/mips/kernel/setup.c
+@@ -702,7 +702,17 @@ static void __init arch_mem_init(char **cmdline_p)
+ memblock_reserve(crashk_res.start, resource_size(&crashk_res));
+ #endif
+ device_tree_init();
++
++ /*
++ * In order to reduce the possibility of kernel panic when failed to
++ * get IO TLB memory under CONFIG_SWIOTLB, it is better to allocate
++ * low memory as small as possible before plat_swiotlb_setup(), so
++ * make sparse_init() using top-down allocation.
++ */
++ memblock_set_bottom_up(false);
+ sparse_init();
++ memblock_set_bottom_up(true);
++
+ plat_swiotlb_setup();
+
+ dma_contiguous_reserve(PFN_PHYS(max_low_pfn));
+--
+2.25.1
+
--- /dev/null
+From 79c09314046026d5cb14190880b2968e51d6e96b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 May 2020 20:59:41 +0800
+Subject: MIPS: tools: Fix resource leak in elf-entry.c
+
+From: Kaige Li <likaige@loongson.cn>
+
+[ Upstream commit f33a0b941017b9cb5a4e975af198b855b2f2b455 ]
+
+There is a file descriptor resource leak in elf-entry.c, fix this
+by adding fclose() before return and die.
+
+Signed-off-by: Kaige Li <likaige@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/tools/elf-entry.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/tools/elf-entry.c b/arch/mips/tools/elf-entry.c
+index adde79ce7fc0..dbd14ff05b4c 100644
+--- a/arch/mips/tools/elf-entry.c
++++ b/arch/mips/tools/elf-entry.c
+@@ -51,11 +51,14 @@ int main(int argc, const char *argv[])
+ nread = fread(&hdr, 1, sizeof(hdr), file);
+ if (nread != sizeof(hdr)) {
+ perror("Unable to read input file");
++ fclose(file);
+ return EXIT_FAILURE;
+ }
+
+- if (memcmp(hdr.ehdr32.e_ident, ELFMAG, SELFMAG))
++ if (memcmp(hdr.ehdr32.e_ident, ELFMAG, SELFMAG)) {
++ fclose(file);
+ die("Input is not an ELF\n");
++ }
+
+ switch (hdr.ehdr32.e_ident[EI_CLASS]) {
+ case ELFCLASS32:
+@@ -67,6 +70,7 @@ int main(int argc, const char *argv[])
+ entry = be32toh(hdr.ehdr32.e_entry);
+ break;
+ default:
++ fclose(file);
+ die("Invalid ELF encoding\n");
+ }
+
+@@ -83,14 +87,17 @@ int main(int argc, const char *argv[])
+ entry = be64toh(hdr.ehdr64.e_entry);
+ break;
+ default:
++ fclose(file);
+ die("Invalid ELF encoding\n");
+ }
+ break;
+
+ default:
++ fclose(file);
+ die("Invalid ELF class\n");
+ }
+
+ printf("0x%016" PRIx64 "\n", entry);
++ fclose(file);
+ return EXIT_SUCCESS;
+ }
+--
+2.25.1
+
--- /dev/null
+From f9065894dd61f42c077cef5468dbe4b099a083c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 13:52:45 +0800
+Subject: MIPS: Truncate link address into 32bit for 32bit kernel
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit ff487d41036035376e47972c7c522490b839ab37 ]
+
+LLD failed to link vmlinux with 64bit load address for 32bit ELF
+while bfd will strip 64bit address into 32bit silently.
+To fix LLD build, we should truncate load address provided by platform
+into 32bit for 32bit kernel.
+
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/786
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=25784
+Reviewed-by: Fangrui Song <maskray@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Maciej W. Rozycki <macro@linux-mips.org>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Makefile | 13 ++++++++++++-
+ arch/mips/boot/compressed/Makefile | 2 +-
+ arch/mips/kernel/vmlinux.lds.S | 2 +-
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/Makefile b/arch/mips/Makefile
+index e1c44aed8156..b6ee29e4565a 100644
+--- a/arch/mips/Makefile
++++ b/arch/mips/Makefile
+@@ -288,12 +288,23 @@ ifdef CONFIG_64BIT
+ endif
+ endif
+
++# When linking a 32-bit executable the LLVM linker cannot cope with a
++# 32-bit load address that has been sign-extended to 64 bits. Simply
++# remove the upper 32 bits then, as it is safe to do so with other
++# linkers.
++ifdef CONFIG_64BIT
++ load-ld = $(load-y)
++else
++ load-ld = $(subst 0xffffffff,0x,$(load-y))
++endif
++
+ KBUILD_AFLAGS += $(cflags-y)
+ KBUILD_CFLAGS += $(cflags-y)
+-KBUILD_CPPFLAGS += -DVMLINUX_LOAD_ADDRESS=$(load-y)
++KBUILD_CPPFLAGS += -DVMLINUX_LOAD_ADDRESS=$(load-y) -DLINKER_LOAD_ADDRESS=$(load-ld)
+ KBUILD_CPPFLAGS += -DDATAOFFSET=$(if $(dataoffset-y),$(dataoffset-y),0)
+
+ bootvars-y = VMLINUX_LOAD_ADDRESS=$(load-y) \
++ LINKER_LOAD_ADDRESS=$(load-ld) \
+ VMLINUX_ENTRY_ADDRESS=$(entry-y) \
+ PLATFORM="$(platform-y)" \
+ ITS_INPUTS="$(its-y)"
+diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile
+index 0df0ee8a298d..6e56caef69f0 100644
+--- a/arch/mips/boot/compressed/Makefile
++++ b/arch/mips/boot/compressed/Makefile
+@@ -90,7 +90,7 @@ ifneq ($(zload-y),)
+ VMLINUZ_LOAD_ADDRESS := $(zload-y)
+ else
+ VMLINUZ_LOAD_ADDRESS = $(shell $(obj)/calc_vmlinuz_load_addr \
+- $(obj)/vmlinux.bin $(VMLINUX_LOAD_ADDRESS))
++ $(obj)/vmlinux.bin $(LINKER_LOAD_ADDRESS))
+ endif
+ UIMAGE_LOADADDR = $(VMLINUZ_LOAD_ADDRESS)
+
+diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S
+index a5f00ec73ea6..f185a85a27c1 100644
+--- a/arch/mips/kernel/vmlinux.lds.S
++++ b/arch/mips/kernel/vmlinux.lds.S
+@@ -55,7 +55,7 @@ SECTIONS
+ /* . = 0xa800000000300000; */
+ . = 0xffffffff80300000;
+ #endif
+- . = VMLINUX_LOAD_ADDRESS;
++ . = LINKER_LOAD_ADDRESS;
+ /* read-only */
+ _text = .; /* Text and read-only data */
+ .text : {
+--
+2.25.1
+
--- /dev/null
+From 9b0ef016d0bdd1fde375621408c8e7e47ae765dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 00:28:05 +0200
+Subject: mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 91995b904ec2e44b5c159ac6a5d3f154345a4de7 ]
+
+The vendor driver (from the 3.10 kernel) triggers a soft reset every
+time before starting a new command. While this fixes a problem where
+SDIO cards are not detected at all (because all commands simply
+timed out) this hurts SD card read performance a bit (in my tests
+between 10% to 20%).
+
+Trigger a soft reset after we got a CRC error or if the previous command
+timed out (just like the vendor driver from the same 3.10 kernel for the
+newer SDHC controller IP does). This fixes detection of SDIO cards and
+doesn't hurt SD card read performance at the same time.
+
+With this patch the initialization of an RTL8723BS SDIO card looks like
+this:
+ req done (CMD52): -110: 00000000 00000000 00000000 00000000
+ clock 400000Hz busmode 2 powermode 2 cs 1 Vdd 21 width 1 timing 0
+ starting CMD0 arg 00000000 flags 000000c0
+ req done (CMD0): 0: 00000000 00000000 00000000 00000000
+ clock 400000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 0
+ starting CMD8 arg 000001aa flags 000002f5
+ req done (CMD8): -110: 00000000 00000000 00000000 00000000
+ starting CMD5 arg 00000000 flags 000002e1
+ req done (CMD5): 0: 90ff0000 00000000 00000000 00000000
+ starting CMD5 arg 00200000 flags 000002e1
+ req done (CMD5): 0: 90ff0000 00000000 00000000 00000000
+ starting CMD3 arg 00000000 flags 00000075
+ req done (CMD3): 0: 00010000 00000000 00000000 00000000
+ starting CMD7 arg 00010000 flags 00000015
+ req done (CMD7): 0: 00001e00 00000000 00000000 00000000
+ starting CMD52 arg 00000000 flags 00000195
+ req done (CMD52): 0: 00001032 00000000 00000000 00000000
+ [... more CMD52 omitted ...]
+ clock 400000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 2
+ clock 50000000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 2
+ starting CMD52 arg 00000e00 flags 00000195
+ req done (CMD52): 0: 00001000 00000000 00000000 00000000
+ starting CMD52 arg 80000e02 flags 00000195
+ req done (CMD52): 0: 00001002 00000000 00000000 00000000
+ clock 50000000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 4 timing 2
+ starting CMD52 arg 00020000 flags 00000195
+ req done (CMD52): 0: 00001007 00000000 00000000 00000000
+ [... more CMD52 omitted ...]
+ new high speed SDIO card at address 0001
+
+Fixes: ed80a13bb4c4c9 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20200503222805.2668941-1-martin.blumenstingl@googlemail.com
+Tested-by: Tobias Baumann <017623705678@o2online.de>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/meson-mx-sdio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c
+index 2e58743d83bb..3813b544f571 100644
+--- a/drivers/mmc/host/meson-mx-sdio.c
++++ b/drivers/mmc/host/meson-mx-sdio.c
+@@ -246,6 +246,9 @@ static void meson_mx_mmc_request_done(struct meson_mx_mmc_host *host)
+
+ mrq = host->mrq;
+
++ if (host->cmd->error)
++ meson_mx_mmc_soft_reset(host);
++
+ host->mrq = NULL;
+ host->cmd = NULL;
+
+--
+2.25.1
+
--- /dev/null
+From f5713200c851980b7c7367446e21f6b2d391ef5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 18:36:49 +0200
+Subject: mmc: mmci: Switch to mmc_regulator_set_vqmmc()
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 3e09a81e166c0a5544832459be17561a6b231ac7 ]
+
+Instead of reimplementing the logic in mmc_regulator_set_vqmmc(), use the
+mmc code function directly.
+
+This also allows us to fix a related issue on STM32MP1, when a voltage
+switch of 1.8V is done for the eMMC, but the current level is already set
+to 1.8V. More precisely, in this scenario the call to the
+->post_sig_volt_switch() hangs, indefinitely waiting for the voltage switch
+to complete. Fix this problem by checking if mmc_regulator_set_vqmmc()
+returned 1 and then skip invoking the callback.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Link: https://lore.kernel.org/r/20200416163649.336967-3-marex@denx.de
+[Ulf: Updated the commit message]
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmci.c | 30 ++++++++----------------------
+ 1 file changed, 8 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
+index 647567def612..a69d6a0c2e15 100644
+--- a/drivers/mmc/host/mmci.c
++++ b/drivers/mmc/host/mmci.c
+@@ -1861,31 +1861,17 @@ static int mmci_get_cd(struct mmc_host *mmc)
+ static int mmci_sig_volt_switch(struct mmc_host *mmc, struct mmc_ios *ios)
+ {
+ struct mmci_host *host = mmc_priv(mmc);
+- int ret = 0;
+-
+- if (!IS_ERR(mmc->supply.vqmmc)) {
++ int ret;
+
+- switch (ios->signal_voltage) {
+- case MMC_SIGNAL_VOLTAGE_330:
+- ret = regulator_set_voltage(mmc->supply.vqmmc,
+- 2700000, 3600000);
+- break;
+- case MMC_SIGNAL_VOLTAGE_180:
+- ret = regulator_set_voltage(mmc->supply.vqmmc,
+- 1700000, 1950000);
+- break;
+- case MMC_SIGNAL_VOLTAGE_120:
+- ret = regulator_set_voltage(mmc->supply.vqmmc,
+- 1100000, 1300000);
+- break;
+- }
++ ret = mmc_regulator_set_vqmmc(mmc, ios);
+
+- if (!ret && host->ops && host->ops->post_sig_volt_switch)
+- ret = host->ops->post_sig_volt_switch(host, ios);
++ if (!ret && host->ops && host->ops->post_sig_volt_switch)
++ ret = host->ops->post_sig_volt_switch(host, ios);
++ else if (ret)
++ ret = 0;
+
+- if (ret)
+- dev_warn(mmc_dev(mmc), "Voltage switch failed\n");
+- }
++ if (ret < 0)
++ dev_warn(mmc_dev(mmc), "Voltage switch failed\n");
+
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From 6d0c373028b23da1c6429afd425e28c76e491758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 18:18:31 +0200
+Subject: mmc: mmci_sdmmc: fix power on issue due to pwr_reg initialization
+
+From: Ludovic Barre <ludovic.barre@st.com>
+
+[ Upstream commit 33ba6fec0012e47f4e72bfab922b99327373f210 ]
+
+This patch fix a power-on issue, and avoid to retry the power sequence.
+
+In power off sequence: sdmmc must set pwr_reg in "power-cycle" state
+(value 0x2), to prevent the card from being supplied through the signal
+lines (all the lines are driven low).
+
+In power on sequence: when the power is stable, sdmmc must set pwr_reg
+in "power-off" state (value 0x0) to drive all signal to high before to
+set "power-on".
+
+To avoid writing the same value to the power register several times, this
+register is cached by the pwr_reg variable. At probe pwr_reg is initialized
+to 0 by kzalloc of mmc_alloc_host.
+
+Like pwr_reg value is 0 at probing, the power on sequence fail because
+the "power-off" state is not writes (value 0x0) and the lines
+remain drive to low.
+
+This patch initializes "pwr_reg" variable with power register value.
+This it done in sdmmc variant init to not disturb default mmci behavior.
+
+Signed-off-by: Ludovic Barre <ludovic.barre@st.com>
+Link: https://lore.kernel.org/r/20200420161831.5043-1-ludovic.barre@st.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmci_stm32_sdmmc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/mmci_stm32_sdmmc.c b/drivers/mmc/host/mmci_stm32_sdmmc.c
+index cca7b3b3f618..2965b1c062e1 100644
+--- a/drivers/mmc/host/mmci_stm32_sdmmc.c
++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c
+@@ -522,6 +522,7 @@ void sdmmc_variant_init(struct mmci_host *host)
+ struct sdmmc_dlyb *dlyb;
+
+ host->ops = &sdmmc_variant_ops;
++ host->pwr_reg = readl_relaxed(host->base + MMCIPOWER);
+
+ base_dlyb = devm_of_iomap(mmc_dev(host->mmc), np, 1, NULL);
+ if (IS_ERR(base_dlyb))
+--
+2.25.1
+
--- /dev/null
+From 1f9abde1298b2940776479f0c4d39fc50c668f7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 18:14:01 +0200
+Subject: mmc: owl-mmc: Respect the cmd->busy_timeout from the mmc core
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit f37ac1ae3ca93d0995553ad9604a25eadfe9406d ]
+
+For commands that doesn't involve to prepare a data transfer, owl-mmc is
+using a fixed 30s response timeout. This is a bit problematic.
+
+For some commands it means waiting longer than needed for the completion to
+expire, which may not a big issue, but still. For other commands, like for
+an erase (CMD38) that uses a R1B response, may require longer timeouts than
+30s. In these cases, we may end up treating the command as it failed, while
+it just needed some more time to complete successfully.
+
+Fix the problem by respecting the cmd->busy_timeout, which is provided by
+the mmc core.
+
+Cc: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20200414161413.3036-8-ulf.hansson@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/owl-mmc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/owl-mmc.c b/drivers/mmc/host/owl-mmc.c
+index 01ffe51f413d..5e20c099fe03 100644
+--- a/drivers/mmc/host/owl-mmc.c
++++ b/drivers/mmc/host/owl-mmc.c
+@@ -92,6 +92,8 @@
+ #define OWL_SD_STATE_RC16ER BIT(1)
+ #define OWL_SD_STATE_CRC7ER BIT(0)
+
++#define OWL_CMD_TIMEOUT_MS 30000
++
+ struct owl_mmc_host {
+ struct device *dev;
+ struct reset_control *reset;
+@@ -172,6 +174,7 @@ static void owl_mmc_send_cmd(struct owl_mmc_host *owl_host,
+ struct mmc_command *cmd,
+ struct mmc_data *data)
+ {
++ unsigned long timeout;
+ u32 mode, state, resp[2];
+ u32 cmd_rsp_mask = 0;
+
+@@ -239,7 +242,10 @@ static void owl_mmc_send_cmd(struct owl_mmc_host *owl_host,
+ if (data)
+ return;
+
+- if (!wait_for_completion_timeout(&owl_host->sdc_complete, 30 * HZ)) {
++ timeout = msecs_to_jiffies(cmd->busy_timeout ? cmd->busy_timeout :
++ OWL_CMD_TIMEOUT_MS);
++
++ if (!wait_for_completion_timeout(&owl_host->sdc_complete, timeout)) {
+ dev_err(owl_host->dev, "CMD interrupt timeout\n");
+ cmd->error = -ETIMEDOUT;
+ return;
+--
+2.25.1
+
--- /dev/null
+From bdca2ed8b444c37bbb2b2cfb58314e874109d96b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 21:17:40 +0200
+Subject: mmc: sdhci: add quirks for be to le byte swapping
+
+From: Angelo Dureghello <angelo.dureghello@timesys.com>
+
+[ Upstream commit e93577ecde8f3cbd12a2eaa0522d5c85e0dbdd53 ]
+
+Some controller as the ColdFire eshdc may require an endianness
+byte swap, because DMA read endianness is not configurable.
+
+Facilitate using the bounce buffer for this by adding
+->copy_to_bounce_buffer().
+
+Signed-off-by: Angelo Dureghello <angelo.dureghello@timesys.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20200518191742.1251440-2-angelo.dureghello@timesys.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci.c | 10 +++++++---
+ drivers/mmc/host/sdhci.h | 3 +++
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
+index e368f2dabf20..5dcdda5918cb 100644
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -634,9 +634,13 @@ static int sdhci_pre_dma_transfer(struct sdhci_host *host,
+ }
+ if (mmc_get_dma_dir(data) == DMA_TO_DEVICE) {
+ /* Copy the data to the bounce buffer */
+- sg_copy_to_buffer(data->sg, data->sg_len,
+- host->bounce_buffer,
+- length);
++ if (host->ops->copy_to_bounce_buffer) {
++ host->ops->copy_to_bounce_buffer(host,
++ data, length);
++ } else {
++ sg_copy_to_buffer(data->sg, data->sg_len,
++ host->bounce_buffer, length);
++ }
+ }
+ /* Switch ownership to the DMA */
+ dma_sync_single_for_device(host->mmc->parent,
+diff --git a/drivers/mmc/host/sdhci.h b/drivers/mmc/host/sdhci.h
+index 79dffbb731d3..1bf4f1d91951 100644
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -653,6 +653,9 @@ struct sdhci_ops {
+ void (*voltage_switch)(struct sdhci_host *host);
+ void (*adma_write_desc)(struct sdhci_host *host, void **desc,
+ dma_addr_t addr, int len, unsigned int cmd);
++ void (*copy_to_bounce_buffer)(struct sdhci_host *host,
++ struct mmc_data *data,
++ unsigned int length);
+ void (*request_done)(struct sdhci_host *host,
+ struct mmc_request *mrq);
+ };
+--
+2.25.1
+
--- /dev/null
+From f05a0eb3079bb04c3338d341fb6366fd0e89747f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 18:22:01 +0800
+Subject: mmc: sdhci-esdhc-imx: fix the mask for tuning start point
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 1194be8c949b8190b2882ad8335a5d98aa50c735 ]
+
+According the RM, the bit[6~0] of register ESDHC_TUNING_CTRL is
+TUNING_START_TAP, bit[7] of this register is to disable the command
+CRC check for standard tuning. So fix it here.
+
+Fixes: d87fc9663688 ("mmc: sdhci-esdhc-imx: support setting tuning start point")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Link: https://lore.kernel.org/r/1590488522-9292-1-git-send-email-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index 5ec8e4bf1ac7..a514b9ea9460 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -89,7 +89,7 @@
+ #define ESDHC_STD_TUNING_EN (1 << 24)
+ /* NOTE: the minimum valid tuning start tap for mx6sl is 1 */
+ #define ESDHC_TUNING_START_TAP_DEFAULT 0x1
+-#define ESDHC_TUNING_START_TAP_MASK 0xff
++#define ESDHC_TUNING_START_TAP_MASK 0x7f
+ #define ESDHC_TUNING_STEP_MASK 0x00070000
+ #define ESDHC_TUNING_STEP_SHIFT 16
+
+--
+2.25.1
+
--- /dev/null
+From 083c529658dcca25f5a141815676866dbd555b25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 11:50:24 +0530
+Subject: mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk
+
+From: Veerabhadrarao Badiganti <vbadigan@codeaurora.org>
+
+[ Upstream commit d863cb03fb2aac07f017b2a1d923cdbc35021280 ]
+
+sdhci-msm can support auto cmd12.
+So enable SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk.
+
+Signed-off-by: Veerabhadrarao Badiganti <vbadigan@codeaurora.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/1587363626-20413-3-git-send-email-vbadigan@codeaurora.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
+index 87de46b6ed07..9ec733403027 100644
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -1888,7 +1888,9 @@ static const struct sdhci_ops sdhci_msm_ops = {
+ static const struct sdhci_pltfm_data sdhci_msm_pdata = {
+ .quirks = SDHCI_QUIRK_BROKEN_CARD_DETECTION |
+ SDHCI_QUIRK_SINGLE_POWER_WRITE |
+- SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN,
++ SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN |
++ SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
++
+ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
+ .ops = &sdhci_msm_ops,
+ };
+--
+2.25.1
+
--- /dev/null
+From 742e2182140ecf772b16069de75390e59b1b5caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 18:14:10 +0200
+Subject: mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit 966244ccd2919e28f25555a77f204cd1c109cad8 ]
+
+Using a fixed 1s timeout for all commands (and data transfers) is a bit
+problematic.
+
+For some commands it means waiting longer than needed for the timer to
+expire, which may not a big issue, but still. For other commands, like for
+an erase (CMD38) that uses a R1B response, may require longer timeouts than
+1s. In these cases, we may end up treating the command as it failed, while
+it just needed some more time to complete successfully.
+
+Fix the problem by respecting the cmd->busy_timeout, which is provided by
+the mmc core.
+
+Cc: Bruce Chang <brucechang@via.com.tw>
+Cc: Harald Welte <HaraldWelte@viatech.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20200414161413.3036-17-ulf.hansson@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/via-sdmmc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
+index e48bddd95ce6..ef95bce50889 100644
+--- a/drivers/mmc/host/via-sdmmc.c
++++ b/drivers/mmc/host/via-sdmmc.c
+@@ -319,6 +319,8 @@ struct via_crdr_mmc_host {
+ /* some devices need a very long delay for power to stabilize */
+ #define VIA_CRDR_QUIRK_300MS_PWRDELAY 0x0001
+
++#define VIA_CMD_TIMEOUT_MS 1000
++
+ static const struct pci_device_id via_ids[] = {
+ {PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_9530,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0,},
+@@ -551,14 +553,17 @@ static void via_sdc_send_command(struct via_crdr_mmc_host *host,
+ {
+ void __iomem *addrbase;
+ struct mmc_data *data;
++ unsigned int timeout_ms;
+ u32 cmdctrl = 0;
+
+ WARN_ON(host->cmd);
+
+ data = cmd->data;
+- mod_timer(&host->timer, jiffies + HZ);
+ host->cmd = cmd;
+
++ timeout_ms = cmd->busy_timeout ? cmd->busy_timeout : VIA_CMD_TIMEOUT_MS;
++ mod_timer(&host->timer, jiffies + msecs_to_jiffies(timeout_ms));
++
+ /*Command index*/
+ cmdctrl = cmd->opcode << 8;
+
+--
+2.25.1
+
--- /dev/null
+From 36ba552818f25a762517a1b68beb731b26b4db03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Apr 2020 03:32:22 +0800
+Subject: mt76: avoid rx reorder buffer overflow
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+[ Upstream commit 7c4f744d6703757be959f521a7a441bf34745d99 ]
+
+Enlarge slot to support 11ax 256 BA (256 MPDUs in an AMPDU)
+
+Signed-off-by: Chih-Min Chen <chih-min.chen@mediatek.com>
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/agg-rx.c | 8 ++++----
+ drivers/net/wireless/mediatek/mt76/mt76.h | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c
+index f77f03530259..acdbe6f8248d 100644
+--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c
++++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c
+@@ -152,8 +152,8 @@ void mt76_rx_aggr_reorder(struct sk_buff *skb, struct sk_buff_head *frames)
+ struct ieee80211_sta *sta;
+ struct mt76_rx_tid *tid;
+ bool sn_less;
+- u16 seqno, head, size;
+- u8 ackp, idx;
++ u16 seqno, head, size, idx;
++ u8 ackp;
+
+ __skb_queue_tail(frames, skb);
+
+@@ -239,7 +239,7 @@ out:
+ }
+
+ int mt76_rx_aggr_start(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tidno,
+- u16 ssn, u8 size)
++ u16 ssn, u16 size)
+ {
+ struct mt76_rx_tid *tid;
+
+@@ -264,7 +264,7 @@ EXPORT_SYMBOL_GPL(mt76_rx_aggr_start);
+
+ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid)
+ {
+- u8 size = tid->size;
++ u16 size = tid->size;
+ int i;
+
+ spin_lock_bh(&tid->lock);
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
+index 8e4759bc8f59..37641ad14d49 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76.h
+@@ -241,8 +241,8 @@ struct mt76_rx_tid {
+ struct delayed_work reorder_work;
+
+ u16 head;
+- u8 size;
+- u8 nframes;
++ u16 size;
++ u16 nframes;
+
+ u8 num;
+
+@@ -788,7 +788,7 @@ int mt76_get_survey(struct ieee80211_hw *hw, int idx,
+ void mt76_set_stream_caps(struct mt76_dev *dev, bool vht);
+
+ int mt76_rx_aggr_start(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tid,
+- u16 ssn, u8 size);
++ u16 ssn, u16 size);
+ void mt76_rx_aggr_stop(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tid);
+
+ void mt76_wcid_key_setup(struct mt76_dev *dev, struct mt76_wcid *wcid,
+--
+2.25.1
+
--- /dev/null
+From abff4276d89630ecd6e0ea946e0377efef8a745b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2020 21:01:56 +0200
+Subject: mt76: mt7615: do not always reset the dfs state setting the channel
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit fdb786cce0ef3615dcbb30d8baf06a1d4cb7a344 ]
+
+mac80211/hostapd runs mt7615_set_channel with the same channel
+parameters sending multiple rdd commands overwriting the previous ones.
+This behaviour is causing tpt issues on dfs channels.
+Fix the issue checking new channel freq/width with the running one.
+
+Fixes: 5dabdf71e94e ("mt76: mt7615: add multiple wiphy support to the dfs support code")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7615/main.c | 21 ++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+index 6586176c29af..f92ac9a916fc 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+@@ -218,6 +218,25 @@ static void mt7615_remove_interface(struct ieee80211_hw *hw,
+ spin_unlock_bh(&dev->sta_poll_lock);
+ }
+
++static void mt7615_init_dfs_state(struct mt7615_phy *phy)
++{
++ struct mt76_phy *mphy = phy->mt76;
++ struct ieee80211_hw *hw = mphy->hw;
++ struct cfg80211_chan_def *chandef = &hw->conf.chandef;
++
++ if (hw->conf.flags & IEEE80211_CONF_OFFCHANNEL)
++ return;
++
++ if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
++ return;
++
++ if (mphy->chandef.chan->center_freq == chandef->chan->center_freq &&
++ mphy->chandef.width == chandef->width)
++ return;
++
++ phy->dfs_state = -1;
++}
++
+ static int mt7615_set_channel(struct mt7615_phy *phy)
+ {
+ struct mt7615_dev *dev = phy->dev;
+@@ -229,7 +248,7 @@ static int mt7615_set_channel(struct mt7615_phy *phy)
+ mutex_lock(&dev->mt76.mutex);
+ set_bit(MT76_RESET, &phy->mt76->state);
+
+- phy->dfs_state = -1;
++ mt7615_init_dfs_state(phy);
+ mt76_set_channel(phy->mt76);
+
+ ret = mt7615_mcu_set_chan_info(phy, MCU_EXT_CMD_CHANNEL_SWITCH);
+--
+2.25.1
+
--- /dev/null
+From f1fe52b7c43c401b92288adc503070ba5ee61916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 16:31:40 +0200
+Subject: mt76: mt7615: fix aid configuration in mt7615_mcu_wtbl_generic_tlv
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit fdf433121f82766ff508a6f06665d2aca3e258d5 ]
+
+If the vif is running in station mode the aid will be passed by mac80211
+using bss_conf.aid. Fix aid configuration in mt7615_mcu_wtbl_generic_tlv
+
+Fixes: 04b8e65922f6 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+index 610cfa918c7b..a19fb0cb7794 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+@@ -823,8 +823,11 @@ mt7615_mcu_wtbl_generic_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
+ generic = (struct wtbl_generic *)tlv;
+
+ if (sta) {
++ if (vif->type == NL80211_IFTYPE_STATION)
++ generic->partial_aid = cpu_to_le16(vif->bss_conf.aid);
++ else
++ generic->partial_aid = cpu_to_le16(sta->aid);
+ memcpy(generic->peer_addr, sta->addr, ETH_ALEN);
+- generic->partial_aid = cpu_to_le16(sta->aid);
+ generic->muar_idx = mvif->omac_idx;
+ generic->qos = sta->wme;
+ } else {
+--
+2.25.1
+
--- /dev/null
+From d0a495d71aac53a7a1296387e5b1379792579e6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 22:40:55 +0200
+Subject: mt76: mt7615: fix mt7615_driver_own routine
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 338061619185133f56ac17365deb1e75eaecc604 ]
+
+Introduce MT_PCIE_DOORBELL_PUSH register to fix mt7615_driver_own
+routine for mt7663e
+
+Fixes: f40ac0f3d3c0 ("mt76: mt7615: introduce mt7663e support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 6 +++++-
+ drivers/net/wireless/mediatek/mt76/mt7615/regs.h | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+index 0d56e0834bde..29a7aaabb6da 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+@@ -1526,16 +1526,20 @@ static void mt7622_trigger_hif_int(struct mt7615_dev *dev, bool en)
+
+ static int mt7615_driver_own(struct mt7615_dev *dev)
+ {
++ struct mt76_dev *mdev = &dev->mt76;
+ u32 addr;
+
+- addr = is_mt7663(&dev->mt76) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST;
++ addr = is_mt7663(mdev) ? MT_PCIE_DOORBELL_PUSH : MT_CFG_LPCR_HOST;
+ mt76_wr(dev, addr, MT_CFG_LPCR_HOST_DRV_OWN);
+
+ mt7622_trigger_hif_int(dev, true);
++
++ addr = is_mt7663(mdev) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST;
+ if (!mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, 0, 3000)) {
+ dev_err(dev->mt76.dev, "Timeout for driver own\n");
+ return -EIO;
+ }
++
+ mt7622_trigger_hif_int(dev, false);
+
+ return 0;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/regs.h b/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
+index f7c2a633841c..de0ef165c0ba 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
+@@ -65,6 +65,7 @@ enum mt7615_reg_base {
+ #define MT_HIF2_BASE 0xf0000
+ #define MT_HIF2(ofs) (MT_HIF2_BASE + (ofs))
+ #define MT_PCIE_IRQ_ENABLE MT_HIF2(0x188)
++#define MT_PCIE_DOORBELL_PUSH MT_HIF2(0x1484)
+
+ #define MT_CFG_LPCR_HOST MT_HIF(0x1f0)
+ #define MT_CFG_LPCR_HOST_FW_OWN BIT(0)
+--
+2.25.1
+
--- /dev/null
+From 7e0f5bd607faa5e8cfc320fcf29a483105dd70eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 14:07:45 +0200
+Subject: mt76: mt7615: fix mt7615_firmware_own for mt7663e
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit becdf0d5d7a46f5ed1f12405ffae4b04764fe27c ]
+
+Check the firmware-own configuration has been applied polling
+MT_CONN_HIF_ON_LPCTL register
+
+Fixes: f40ac0f3d3c0 ("mt76: mt7615: introduce mt7663e support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+index a19fb0cb7794..0d56e0834bde 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+@@ -1550,9 +1550,8 @@ static int mt7615_firmware_own(struct mt7615_dev *dev)
+
+ mt76_wr(dev, addr, MT_CFG_LPCR_HOST_FW_OWN);
+
+- if (is_mt7622(&dev->mt76) &&
+- !mt76_poll_msec(dev, MT_CFG_LPCR_HOST,
+- MT_CFG_LPCR_HOST_FW_OWN,
++ if (!is_mt7615(&dev->mt76) &&
++ !mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN,
+ MT_CFG_LPCR_HOST_FW_OWN, 3000)) {
+ dev_err(dev->mt76.dev, "Timeout for firmware own\n");
+ return -EIO;
+--
+2.25.1
+
--- /dev/null
+From 52990fb69fb3163ffc2295863d5579000a04bf91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 13:14:56 +0200
+Subject: mt76: mt7622: fix DMA unmap length
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit c0f8055b3986f9c9f990268b578173259769ba1c ]
+
+Fix DMA unmap length estimation in mt7615_txp_skb_unmap_hw for mt7622
+chipset
+
+Fixes: 6aa4ed7927f1 ("mt76: mt7615: implement DMA support for MT7622")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 6 +++---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.h | 1 +
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+index 656231786d55..b5249d08564c 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -675,7 +675,7 @@ mt7615_txp_skb_unmap_hw(struct mt76_dev *dev, struct mt7615_hw_txp *txp)
+
+ len = le16_to_cpu(ptr->len0);
+ last = len & MT_TXD_LEN_MSDU_LAST;
+- len &= ~MT_TXD_LEN_MSDU_LAST;
++ len &= MT_TXD_LEN_MASK;
+ dma_unmap_single(dev->dev, le32_to_cpu(ptr->buf0), len,
+ DMA_TO_DEVICE);
+ if (last)
+@@ -683,7 +683,7 @@ mt7615_txp_skb_unmap_hw(struct mt76_dev *dev, struct mt7615_hw_txp *txp)
+
+ len = le16_to_cpu(ptr->len1);
+ last = len & MT_TXD_LEN_MSDU_LAST;
+- len &= ~MT_TXD_LEN_MSDU_LAST;
++ len &= MT_TXD_LEN_MASK;
+ dma_unmap_single(dev->dev, le32_to_cpu(ptr->buf1), len,
+ DMA_TO_DEVICE);
+ if (last)
+@@ -1107,8 +1107,8 @@ mt7615_write_hw_txp(struct mt7615_dev *dev, struct mt76_tx_info *tx_info,
+ txp->msdu_id[0] = cpu_to_le16(id | MT_MSDU_ID_VALID);
+
+ for (i = 0; i < nbuf; i++) {
++ u16 len = tx_info->buf[i + 1].len & MT_TXD_LEN_MASK;
+ u32 addr = tx_info->buf[i + 1].addr;
+- u16 len = tx_info->buf[i + 1].len;
+
+ if (i == nbuf - 1)
+ len |= MT_TXD_LEN_MSDU_LAST |
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.h b/drivers/net/wireless/mediatek/mt76/mt7615/mac.h
+index e0b89257db90..53ac184ab2d6 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.h
+@@ -252,6 +252,7 @@ enum tx_phy_bandwidth {
+
+ #define MT_MSDU_ID_VALID BIT(15)
+
++#define MT_TXD_LEN_MASK GENMASK(11, 0)
+ #define MT_TXD_LEN_MSDU_LAST BIT(14)
+ #define MT_TXD_LEN_AMSDU_LAST BIT(15)
+
+--
+2.25.1
+
--- /dev/null
+From f623e212c996bc556bb517178e3e9266084b1e3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 13:14:57 +0200
+Subject: mt76: mt7663: fix DMA unmap length
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 89829c9e65ab680f7e5a1658cb74bc6316ab036e ]
+
+Fix DMA unmap length for mt7663e devices in mt7615_txp_skb_unmap_hw
+
+Fixes: f40ac0f3d3c0 ("mt76: mt7615: introduce mt7663e support")
+Co-developed-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Co-developed-by: Soul Huang <soul.huang@mediatek.com>
+Signed-off-by: Soul Huang <soul.huang@mediatek.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7615/mac.c | 20 +++++++++++++------
+ .../net/wireless/mediatek/mt76/mt7615/mac.h | 2 ++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+index b5249d08564c..f66b76ff2978 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -666,15 +666,18 @@ mt7615_txp_skb_unmap_fw(struct mt76_dev *dev, struct mt7615_fw_txp *txp)
+ static void
+ mt7615_txp_skb_unmap_hw(struct mt76_dev *dev, struct mt7615_hw_txp *txp)
+ {
++ u32 last_mask;
+ int i;
+
++ last_mask = is_mt7663(dev) ? MT_TXD_LEN_LAST : MT_TXD_LEN_MSDU_LAST;
++
+ for (i = 0; i < ARRAY_SIZE(txp->ptr); i++) {
+ struct mt7615_txp_ptr *ptr = &txp->ptr[i];
+ bool last;
+ u16 len;
+
+ len = le16_to_cpu(ptr->len0);
+- last = len & MT_TXD_LEN_MSDU_LAST;
++ last = len & last_mask;
+ len &= MT_TXD_LEN_MASK;
+ dma_unmap_single(dev->dev, le32_to_cpu(ptr->buf0), len,
+ DMA_TO_DEVICE);
+@@ -682,7 +685,7 @@ mt7615_txp_skb_unmap_hw(struct mt76_dev *dev, struct mt7615_hw_txp *txp)
+ break;
+
+ len = le16_to_cpu(ptr->len1);
+- last = len & MT_TXD_LEN_MSDU_LAST;
++ last = len & last_mask;
+ len &= MT_TXD_LEN_MASK;
+ dma_unmap_single(dev->dev, le32_to_cpu(ptr->buf1), len,
+ DMA_TO_DEVICE);
+@@ -1098,21 +1101,26 @@ mt7615_write_hw_txp(struct mt7615_dev *dev, struct mt76_tx_info *tx_info,
+ {
+ struct mt7615_hw_txp *txp = txp_ptr;
+ struct mt7615_txp_ptr *ptr = &txp->ptr[0];
+- int nbuf = tx_info->nbuf - 1;
+- int i;
++ int i, nbuf = tx_info->nbuf - 1;
++ u32 last_mask;
+
+ tx_info->buf[0].len = MT_TXD_SIZE + sizeof(*txp);
+ tx_info->nbuf = 1;
+
+ txp->msdu_id[0] = cpu_to_le16(id | MT_MSDU_ID_VALID);
+
++ if (is_mt7663(&dev->mt76))
++ last_mask = MT_TXD_LEN_LAST;
++ else
++ last_mask = MT_TXD_LEN_AMSDU_LAST |
++ MT_TXD_LEN_MSDU_LAST;
++
+ for (i = 0; i < nbuf; i++) {
+ u16 len = tx_info->buf[i + 1].len & MT_TXD_LEN_MASK;
+ u32 addr = tx_info->buf[i + 1].addr;
+
+ if (i == nbuf - 1)
+- len |= MT_TXD_LEN_MSDU_LAST |
+- MT_TXD_LEN_AMSDU_LAST;
++ len |= last_mask;
+
+ if (i & 1) {
+ ptr->buf1 = cpu_to_le32(addr);
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.h b/drivers/net/wireless/mediatek/mt76/mt7615/mac.h
+index 53ac184ab2d6..d3da40df7f32 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.h
+@@ -255,6 +255,8 @@ enum tx_phy_bandwidth {
+ #define MT_TXD_LEN_MASK GENMASK(11, 0)
+ #define MT_TXD_LEN_MSDU_LAST BIT(14)
+ #define MT_TXD_LEN_AMSDU_LAST BIT(15)
++/* mt7663 */
++#define MT_TXD_LEN_LAST BIT(15)
+
+ struct mt7615_txp_ptr {
+ __le32 buf0;
+--
+2.25.1
+
--- /dev/null
+From c4d432a4ec85b32b9dc7d3c435e8a03f4b46b78d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2020 15:06:31 +0200
+Subject: mt76: mt7663: fix mt7615_mac_cca_stats_reset routine
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 886a862d3677ac0d3b57d19ffcf5b2d48b9c5267 ]
+
+Fix PHYMUX_5 register definition for mt7663 in
+mt7615_mac_cca_stats_reset routine
+
+Fixes: f40ac0f3d3c0 ("mt76: mt7615: introduce mt7663e support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 8 +++++++-
+ drivers/net/wireless/mediatek/mt76/mt7615/regs.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+index a27a6d164009..656231786d55 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -1574,8 +1574,14 @@ void mt7615_mac_cca_stats_reset(struct mt7615_phy *phy)
+ {
+ struct mt7615_dev *dev = phy->dev;
+ bool ext_phy = phy != &dev->phy;
+- u32 reg = MT_WF_PHY_R0_PHYMUX_5(ext_phy);
++ u32 reg;
+
++ if (is_mt7663(&dev->mt76))
++ reg = MT7663_WF_PHY_R0_PHYMUX_5;
++ else
++ reg = MT_WF_PHY_R0_PHYMUX_5(ext_phy);
++
++ /* reset PD and MDRDY counters */
+ mt76_clear(dev, reg, GENMASK(22, 20));
+ mt76_set(dev, reg, BIT(22) | BIT(20));
+ }
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/regs.h b/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
+index 1e0d95b917e1..f7c2a633841c 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
+@@ -151,6 +151,7 @@ enum mt7615_reg_base {
+ #define MT_WF_PHY_WF2_RFCTRL0_LPBCN_EN BIT(9)
+
+ #define MT_WF_PHY_R0_PHYMUX_5(_phy) MT_WF_PHY(0x0614 + ((_phy) << 9))
++#define MT7663_WF_PHY_R0_PHYMUX_5 MT_WF_PHY(0x0414)
+
+ #define MT_WF_PHY_R0_PHYCTRL_STS0(_phy) MT_WF_PHY(0x020c + ((_phy) << 9))
+ #define MT_WF_PHYCTRL_STAT_PD_OFDM GENMASK(31, 16)
+--
+2.25.1
+
--- /dev/null
+From a366975f8f907e23293eafe8c3abb864ad9dddce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 09:59:24 +0200
+Subject: mwifiex: Fix memory corruption in dump_station
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 ]
+
+The mwifiex_cfg80211_dump_station() uses static variable for iterating
+over a linked list of all associated stations (when the driver is in UAP
+role). This has a race condition if .dump_station is called in parallel
+for multiple interfaces. This corruption can be triggered by registering
+multiple SSIDs and calling, in parallel for multiple interfaces
+ iw dev <iface> station dump
+
+[16750.719775] Unable to handle kernel paging request at virtual address dead000000000110
+...
+[16750.899173] Call trace:
+[16750.901696] mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex]
+[16750.907824] nl80211_dump_station+0xbc/0x278 [cfg80211]
+[16750.913160] netlink_dump+0xe8/0x320
+[16750.916827] netlink_recvmsg+0x1b4/0x338
+[16750.920861] ____sys_recvmsg+0x7c/0x2b0
+[16750.924801] ___sys_recvmsg+0x70/0x98
+[16750.928564] __sys_recvmsg+0x58/0xa0
+[16750.932238] __arm64_sys_recvmsg+0x28/0x30
+[16750.936453] el0_svc_common.constprop.3+0x90/0x158
+[16750.941378] do_el0_svc+0x74/0x90
+[16750.944784] el0_sync_handler+0x12c/0x1a8
+[16750.948903] el0_sync+0x114/0x140
+[16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060)
+[16750.958583] ---[ end trace c8ad181c2f4b8576 ]---
+
+This patch drops the use of the static iterator, and instead every time
+the function is called iterates to the idx-th position of the
+linked-list.
+
+It would be better to convert the code not to use linked list for
+associated stations storage (since the chip has a limited number of
+associated stations anyway - it could just be an array). Such a change
+may be proposed in the future. In the meantime this patch can backported
+into stable kernels in this simple form.
+
+Fixes: 8baca1a34d4c ("mwifiex: dump station support in uap mode")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index 1566d2197906..12bfd653a405 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -1496,7 +1496,8 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev,
+ int idx, u8 *mac, struct station_info *sinfo)
+ {
+ struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
+- static struct mwifiex_sta_node *node;
++ struct mwifiex_sta_node *node;
++ int i;
+
+ if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) &&
+ priv->media_connected && idx == 0) {
+@@ -1506,13 +1507,10 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev,
+ mwifiex_send_cmd(priv, HOST_CMD_APCMD_STA_LIST,
+ HostCmd_ACT_GEN_GET, 0, NULL, true);
+
+- if (node && (&node->list == &priv->sta_list)) {
+- node = NULL;
+- return -ENOENT;
+- }
+-
+- node = list_prepare_entry(node, &priv->sta_list, list);
+- list_for_each_entry_continue(node, &priv->sta_list, list) {
++ i = 0;
++ list_for_each_entry(node, &priv->sta_list, list) {
++ if (i++ != idx)
++ continue;
+ ether_addr_copy(mac, node->mac_addr);
+ return mwifiex_dump_station_info(priv, node, sinfo);
+ }
+--
+2.25.1
+
--- /dev/null
+From fa37fa3154a80946869458cf1ee431fc6a4f72a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 10:49:20 +0800
+Subject: net: allwinner: Fix use correct return type for ndo_start_xmit()
+
+From: Yunjian Wang <wangyunjian@huawei.com>
+
+[ Upstream commit 09f6c44aaae0f1bdb8b983d7762676d5018c53bc ]
+
+The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix
+the ndo function to use the correct type. And emac_start_xmit() can
+leak one skb if 'channel' == 3.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/allwinner/sun4i-emac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/allwinner/sun4i-emac.c b/drivers/net/ethernet/allwinner/sun4i-emac.c
+index 18d3b4340bd4..b3b8a8010142 100644
+--- a/drivers/net/ethernet/allwinner/sun4i-emac.c
++++ b/drivers/net/ethernet/allwinner/sun4i-emac.c
+@@ -417,7 +417,7 @@ static void emac_timeout(struct net_device *dev, unsigned int txqueue)
+ /* Hardware start transmission.
+ * Send a packet to media from the upper layer.
+ */
+-static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct emac_board_info *db = netdev_priv(dev);
+ unsigned long channel;
+@@ -425,7 +425,7 @@ static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ channel = db->tx_fifo_stat & 3;
+ if (channel == 3)
+- return 1;
++ return NETDEV_TX_BUSY;
+
+ channel = (channel == 1 ? 1 : 0);
+
+--
+2.25.1
+
--- /dev/null
+From 41ac6c8cb42a5a5664030794b6c914c8f15fde84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 11:04:34 +0300
+Subject: net: atlantic: make hw_get_regs optional
+
+From: Mark Starovoytov <mstarovoitov@marvell.com>
+
+[ Upstream commit d0f23741c202c685447050713907f3be39a985ee ]
+
+This patch fixes potential crash in case if hw_get_regs is NULL.
+
+Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+index a369705a786a..e5391e0b84f8 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -764,6 +764,9 @@ int aq_nic_get_regs(struct aq_nic_s *self, struct ethtool_regs *regs, void *p)
+ u32 *regs_buff = p;
+ int err = 0;
+
++ if (unlikely(!self->aq_hw_ops->hw_get_regs))
++ return -EOPNOTSUPP;
++
+ regs->version = 1;
+
+ err = self->aq_hw_ops->hw_get_regs(self->aq_hw,
+@@ -778,6 +781,9 @@ err_exit:
+
+ int aq_nic_get_regs_count(struct aq_nic_s *self)
+ {
++ if (unlikely(!self->aq_hw_ops->hw_get_regs))
++ return 0;
++
+ return self->aq_nic_cfg.aq_hw_caps->mac_regs_count;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 707de4863ec0dc8b2580762ae67b0da72c4616ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 13:02:01 -0700
+Subject: net: bcmgenet: Fix WoL with password after deep sleep
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit 6f7689057a0f10a6c967b9f2759d7a3dc948b930 ]
+
+Broadcom STB chips support a deep sleep mode where all register contents
+are lost. Because we were stashing the MagicPacket password into some of
+these registers a suspend into that deep sleep then a resumption would
+not lead to being able to wake-up from MagicPacket with password again.
+
+Fix this by keeping a software copy of the password and program it
+during suspend.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Suggested-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/broadcom/genet/bcmgenet.h | 2 +
+ .../ethernet/broadcom/genet/bcmgenet_wol.c | 39 +++++++++----------
+ 2 files changed, 20 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+index daf8fb2c39b6..c3bfe97f2e5c 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -14,6 +14,7 @@
+ #include <linux/if_vlan.h>
+ #include <linux/phy.h>
+ #include <linux/dim.h>
++#include <linux/ethtool.h>
+
+ /* total number of Buffer Descriptors, same for Rx/Tx */
+ #define TOTAL_DESC 256
+@@ -676,6 +677,7 @@ struct bcmgenet_priv {
+ /* WOL */
+ struct clk *clk_wol;
+ u32 wolopts;
++ u8 sopass[SOPASS_MAX];
+
+ struct bcmgenet_mib_counters mib;
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index c9a43695b182..597c0498689a 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -41,18 +41,13 @@
+ void bcmgenet_get_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+- u32 reg;
+
+ wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE;
+ wol->wolopts = priv->wolopts;
+ memset(wol->sopass, 0, sizeof(wol->sopass));
+
+- if (wol->wolopts & WAKE_MAGICSECURE) {
+- reg = bcmgenet_umac_readl(priv, UMAC_MPD_PW_MS);
+- put_unaligned_be16(reg, &wol->sopass[0]);
+- reg = bcmgenet_umac_readl(priv, UMAC_MPD_PW_LS);
+- put_unaligned_be32(reg, &wol->sopass[2]);
+- }
++ if (wol->wolopts & WAKE_MAGICSECURE)
++ memcpy(wol->sopass, priv->sopass, sizeof(priv->sopass));
+ }
+
+ /* ethtool function - set WOL (Wake on LAN) settings.
+@@ -62,7 +57,6 @@ int bcmgenet_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct device *kdev = &priv->pdev->dev;
+- u32 reg;
+
+ if (!device_can_wakeup(kdev))
+ return -ENOTSUPP;
+@@ -70,17 +64,8 @@ int bcmgenet_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
+ if (wol->wolopts & ~(WAKE_MAGIC | WAKE_MAGICSECURE))
+ return -EINVAL;
+
+- reg = bcmgenet_umac_readl(priv, UMAC_MPD_CTRL);
+- if (wol->wolopts & WAKE_MAGICSECURE) {
+- bcmgenet_umac_writel(priv, get_unaligned_be16(&wol->sopass[0]),
+- UMAC_MPD_PW_MS);
+- bcmgenet_umac_writel(priv, get_unaligned_be32(&wol->sopass[2]),
+- UMAC_MPD_PW_LS);
+- reg |= MPD_PW_EN;
+- } else {
+- reg &= ~MPD_PW_EN;
+- }
+- bcmgenet_umac_writel(priv, reg, UMAC_MPD_CTRL);
++ if (wol->wolopts & WAKE_MAGICSECURE)
++ memcpy(priv->sopass, wol->sopass, sizeof(priv->sopass));
+
+ /* Flag the device and relevant IRQ as wakeup capable */
+ if (wol->wolopts) {
+@@ -120,6 +105,14 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+ return retries;
+ }
+
++static void bcmgenet_set_mpd_password(struct bcmgenet_priv *priv)
++{
++ bcmgenet_umac_writel(priv, get_unaligned_be16(&priv->sopass[0]),
++ UMAC_MPD_PW_MS);
++ bcmgenet_umac_writel(priv, get_unaligned_be32(&priv->sopass[2]),
++ UMAC_MPD_PW_LS);
++}
++
+ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv,
+ enum bcmgenet_power_mode mode)
+ {
+@@ -144,13 +137,17 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv,
+
+ reg = bcmgenet_umac_readl(priv, UMAC_MPD_CTRL);
+ reg |= MPD_EN;
++ if (priv->wolopts & WAKE_MAGICSECURE) {
++ bcmgenet_set_mpd_password(priv);
++ reg |= MPD_PW_EN;
++ }
+ bcmgenet_umac_writel(priv, reg, UMAC_MPD_CTRL);
+
+ /* Do not leave UniMAC in MPD mode only */
+ retries = bcmgenet_poll_wol_status(priv);
+ if (retries < 0) {
+ reg = bcmgenet_umac_readl(priv, UMAC_MPD_CTRL);
+- reg &= ~MPD_EN;
++ reg &= ~(MPD_EN | MPD_PW_EN);
+ bcmgenet_umac_writel(priv, reg, UMAC_MPD_CTRL);
+ return retries;
+ }
+@@ -189,7 +186,7 @@ void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv,
+ reg = bcmgenet_umac_readl(priv, UMAC_MPD_CTRL);
+ if (!(reg & MPD_EN))
+ return; /* already powered up so skip the rest */
+- reg &= ~MPD_EN;
++ reg &= ~(MPD_EN | MPD_PW_EN);
+ bcmgenet_umac_writel(priv, reg, UMAC_MPD_CTRL);
+
+ /* Disable CRC Forward */
+--
+2.25.1
+
--- /dev/null
+From e3b9dbc53a0e4aa2c38ff592d418e2c7a1ce2007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 13:02:00 -0700
+Subject: net: bcmgenet: set Rx mode before starting netif
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit 72f96347628e73dbb61b307f18dd19293cc6792a ]
+
+This commit explicitly calls the bcmgenet_set_rx_mode() function when
+the network interface is started. This function is normally called by
+ndo_set_rx_mode when the flags are changed, but apparently not when
+the driver is suspended and resumed.
+
+This change ensures that address filtering or promiscuous mode are
+properly restored by the driver after the MAC may have been reset.
+
+Fixes: b6e978e50444 ("net: bcmgenet: add suspend/resume callbacks")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 79636c78127c..38bdfd4b46f0 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -70,6 +70,9 @@
+ #define GENET_RDMA_REG_OFF (priv->hw_params->rdma_offset + \
+ TOTAL_DESC * DMA_DESC_SIZE)
+
++/* Forward declarations */
++static void bcmgenet_set_rx_mode(struct net_device *dev);
++
+ static inline void bcmgenet_writel(u32 value, void __iomem *offset)
+ {
+ /* MIPS chips strapped for BE will automagically configure the
+@@ -2803,6 +2806,7 @@ static void bcmgenet_netif_start(struct net_device *dev)
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+
+ /* Start the network engine */
++ bcmgenet_set_rx_mode(dev);
+ bcmgenet_enable_rx_napi(priv);
+
+ umac_enable_set(priv, CMD_TX_EN | CMD_RX_EN, true);
+--
+2.25.1
+
--- /dev/null
+From 7af476aaa1a8d848544958e2550567dfd16ab78b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 May 2020 09:52:11 +0000
+Subject: net: ena: fix error returning in ena_com_get_hash_function()
+
+From: Arthur Kiyanovski <akiyano@amazon.com>
+
+[ Upstream commit e9a1de378dd46375f9abfd8de1e6f59ee114a793 ]
+
+In case the "func" parameter is NULL we now return "-EINVAL".
+This shouldn't happen in general, but when it does happen, this is the
+proper way to handle it.
+
+We also check func for NULL in the beginning of the function, as there
+is no reason to do all the work and realize in the end of the function
+it was useless.
+
+Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
+index a250046b8e18..07b0f396d3c2 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -2345,6 +2345,9 @@ int ena_com_get_hash_function(struct ena_com_dev *ena_dev,
+ rss->hash_key;
+ int rc;
+
++ if (unlikely(!func))
++ return -EINVAL;
++
+ rc = ena_com_get_feature_ex(ena_dev, &get_resp,
+ ENA_ADMIN_RSS_HASH_FUNCTION,
+ rss->hash_key_dma_addr,
+@@ -2357,8 +2360,7 @@ int ena_com_get_hash_function(struct ena_com_dev *ena_dev,
+ if (rss->hash_func)
+ rss->hash_func--;
+
+- if (func)
+- *func = rss->hash_func;
++ *func = rss->hash_func;
+
+ if (key)
+ memcpy(key, hash_key->key, (size_t)(hash_key->keys_num) << 2);
+--
+2.25.1
+
--- /dev/null
+From 8dafe65f4c0f953fc3ee4c013295a5ae285ea886 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 00:27:10 +0800
+Subject: net: ethernet: fec: move GPR register offset and bit into DT
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit 8a448bf832af537d26aa557d183a16943dce4510 ]
+
+The commit da722186f654 (net: fec: set GPR bit on suspend by DT
+configuration) set the GPR reigster offset and bit in driver for
+wake on lan feature.
+
+But it introduces two issues here:
+- one SOC has two instances, they have different bit
+- different SOCs may have different offset and bit
+
+So to support wake-on-lan feature on other i.MX platforms, it should
+configure the GPR reigster offset and bit from DT.
+
+So the patch is to improve the commit da722186f654 (net: fec: set GPR
+bit on suspend by DT configuration) to support multiple ethernet
+instances on i.MX series.
+
+v2:
+ * switch back to store the quirks bitmask in driver_data
+v3:
+ * suggested by Sascha Hauer, use a struct fec_devinfo for
+ abstracting differences between different hardware variants,
+ it can give more freedom to describe the differences.
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 24 +++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index dc6f8763a5d4..2840dbad25cb 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -88,8 +88,6 @@ static void fec_enet_itr_coal_init(struct net_device *ndev);
+
+ struct fec_devinfo {
+ u32 quirks;
+- u8 stop_gpr_reg;
+- u8 stop_gpr_bit;
+ };
+
+ static const struct fec_devinfo fec_imx25_info = {
+@@ -112,8 +110,6 @@ static const struct fec_devinfo fec_imx6q_info = {
+ FEC_QUIRK_HAS_BUFDESC_EX | FEC_QUIRK_HAS_CSUM |
+ FEC_QUIRK_HAS_VLAN | FEC_QUIRK_ERR006358 |
+ FEC_QUIRK_HAS_RACC,
+- .stop_gpr_reg = 0x34,
+- .stop_gpr_bit = 27,
+ };
+
+ static const struct fec_devinfo fec_mvf600_info = {
+@@ -3452,19 +3448,23 @@ static int fec_enet_get_irq_cnt(struct platform_device *pdev)
+ }
+
+ static int fec_enet_init_stop_mode(struct fec_enet_private *fep,
+- struct fec_devinfo *dev_info,
+ struct device_node *np)
+ {
+ struct device_node *gpr_np;
++ u32 out_val[3];
+ int ret = 0;
+
+- if (!dev_info)
+- return 0;
+-
+- gpr_np = of_parse_phandle(np, "gpr", 0);
++ gpr_np = of_parse_phandle(np, "fsl,stop-mode", 0);
+ if (!gpr_np)
+ return 0;
+
++ ret = of_property_read_u32_array(np, "fsl,stop-mode", out_val,
++ ARRAY_SIZE(out_val));
++ if (ret) {
++ dev_dbg(&fep->pdev->dev, "no stop mode property\n");
++ return ret;
++ }
++
+ fep->stop_gpr.gpr = syscon_node_to_regmap(gpr_np);
+ if (IS_ERR(fep->stop_gpr.gpr)) {
+ dev_err(&fep->pdev->dev, "could not find gpr regmap\n");
+@@ -3473,8 +3473,8 @@ static int fec_enet_init_stop_mode(struct fec_enet_private *fep,
+ goto out;
+ }
+
+- fep->stop_gpr.reg = dev_info->stop_gpr_reg;
+- fep->stop_gpr.bit = dev_info->stop_gpr_bit;
++ fep->stop_gpr.reg = out_val[1];
++ fep->stop_gpr.bit = out_val[2];
+
+ out:
+ of_node_put(gpr_np);
+@@ -3551,7 +3551,7 @@ fec_probe(struct platform_device *pdev)
+ if (of_get_property(np, "fsl,magic-packet", NULL))
+ fep->wol_flag |= FEC_WOL_HAS_MAGIC_PACKET;
+
+- ret = fec_enet_init_stop_mode(fep, dev_info, np);
++ ret = fec_enet_init_stop_mode(fep, np);
+ if (ret)
+ goto failed_stop_mode;
+
+--
+2.25.1
+
--- /dev/null
+From c82e6e335b9c174dcf925d8b7a9587e6a07f7f6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 09:33:43 +0000
+Subject: net: ethernet: ti: fix return value check in
+ k3_cppi_desc_pool_create_name()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 2ac757e4152e3322a04a6dfb3d1fa010d3521abf ]
+
+In case of error, the function gen_pool_create() returns NULL pointer
+not ERR_PTR(). The IS_ERR() test in the return value check should be
+replaced with NULL test.
+
+Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/k3-cppi-desc-pool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/k3-cppi-desc-pool.c b/drivers/net/ethernet/ti/k3-cppi-desc-pool.c
+index ad7cfc1316ce..38cc12f9f133 100644
+--- a/drivers/net/ethernet/ti/k3-cppi-desc-pool.c
++++ b/drivers/net/ethernet/ti/k3-cppi-desc-pool.c
+@@ -64,8 +64,8 @@ k3_cppi_desc_pool_create_name(struct device *dev, size_t size,
+ return ERR_PTR(-ENOMEM);
+
+ pool->gen_pool = gen_pool_create(ilog2(pool->desc_size), -1);
+- if (IS_ERR(pool->gen_pool)) {
+- ret = PTR_ERR(pool->gen_pool);
++ if (!pool->gen_pool) {
++ ret = -ENOMEM;
+ dev_err(pool->dev, "pool create failed %d\n", ret);
+ kfree_const(pool_name);
+ goto gen_pool_create_fail;
+--
+2.25.1
+
--- /dev/null
+From 407a2174481e98545a175a6c26341a6b2055f6cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 15:07:31 -0500
+Subject: net: ipa: do not clear interrupt in gsi_channel_start()
+
+From: Alex Elder <elder@linaro.org>
+
+[ Upstream commit 195ef57f870070cb02f2f3b99a63d69e8e8f798e ]
+
+In gsi_channel_start() there is harmless-looking comment "Clear the
+channel's event ring interrupt in case it's pending". The intent
+was to avoid getting spurious interrupts when first bringing up a
+channel.
+
+However we now use channel stop/start to implement suspend and
+resume, and an interrupt pending at the time we resume is actually
+something we don't want to ignore.
+
+The very first time we bring up the channel we do not expect an
+interrupt to be pending, and even if it were, the effect would
+simply be to schedule NAPI on that channel, which would find nothing
+to do, which is not a problem.
+
+Stop clearing any pending IEOB interrupt in gsi_channel_start().
+That leaves one caller of the trivial function gsi_isr_ieob_clear().
+Get rid of that function and just open-code it in gsi_isr_ieob()
+instead.
+
+This fixes a problem where suspend/resume IPA v4.2 would get stuck
+when resuming after a suspend.
+
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/gsi.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/net/ipa/gsi.c b/drivers/net/ipa/gsi.c
+index 8d9ca1c335e8..043a675e1be1 100644
+--- a/drivers/net/ipa/gsi.c
++++ b/drivers/net/ipa/gsi.c
+@@ -238,11 +238,6 @@ static void gsi_irq_ieob_enable(struct gsi *gsi, u32 evt_ring_id)
+ iowrite32(val, gsi->virt + GSI_CNTXT_SRC_IEOB_IRQ_MSK_OFFSET);
+ }
+
+-static void gsi_isr_ieob_clear(struct gsi *gsi, u32 mask)
+-{
+- iowrite32(mask, gsi->virt + GSI_CNTXT_SRC_IEOB_IRQ_CLR_OFFSET);
+-}
+-
+ static void gsi_irq_ieob_disable(struct gsi *gsi, u32 evt_ring_id)
+ {
+ u32 val;
+@@ -756,7 +751,6 @@ static void gsi_channel_deprogram(struct gsi_channel *channel)
+ int gsi_channel_start(struct gsi *gsi, u32 channel_id)
+ {
+ struct gsi_channel *channel = &gsi->channel[channel_id];
+- u32 evt_ring_id = channel->evt_ring_id;
+ int ret;
+
+ mutex_lock(&gsi->mutex);
+@@ -765,9 +759,6 @@ int gsi_channel_start(struct gsi *gsi, u32 channel_id)
+
+ mutex_unlock(&gsi->mutex);
+
+- /* Clear the channel's event ring interrupt in case it's pending */
+- gsi_isr_ieob_clear(gsi, BIT(evt_ring_id));
+-
+ gsi_channel_thaw(channel);
+
+ return ret;
+@@ -1071,7 +1062,7 @@ static void gsi_isr_ieob(struct gsi *gsi)
+ u32 event_mask;
+
+ event_mask = ioread32(gsi->virt + GSI_CNTXT_SRC_IEOB_IRQ_OFFSET);
+- gsi_isr_ieob_clear(gsi, event_mask);
++ iowrite32(event_mask, gsi->virt + GSI_CNTXT_SRC_IEOB_IRQ_CLR_OFFSET);
+
+ while (event_mask) {
+ u32 evt_ring_id = __ffs(event_mask);
+--
+2.25.1
+
--- /dev/null
+From e680a8c6dc3ce57e1a70fc54bd1ba49d3a0e4265 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:15:07 +0000
+Subject: net: lpc-enet: fix error return code in lpc_mii_init()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 88ec7cb22ddde725ed4ce15991f0bd9dd817fd85 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: b7370112f519 ("lpc32xx: Added ethernet driver")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/nxp/lpc_eth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
+index d20cf03a3ea0..311454d9b0bc 100644
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -823,7 +823,8 @@ static int lpc_mii_init(struct netdata_local *pldat)
+ if (err)
+ goto err_out_unregister_bus;
+
+- if (lpc_mii_probe(pldat->ndev) != 0)
++ err = lpc_mii_probe(pldat->ndev);
++ if (err)
+ goto err_out_unregister_bus;
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 6ef16d9ba30bc2f686d713921abc15d28b4f4dad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 21:53:14 +0800
+Subject: net/mlx4_core: Add missing iounmap() in error path
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit c90af587a9eee697e2d89683113707cada70116a ]
+
+This fixes the following coccicheck warning:
+
+drivers/net/ethernet/mellanox/mlx4/crdump.c:200:2-8: ERROR: missing iounmap;
+ioremap on line 190 and execution via conditional on line 198
+
+Fixes: 7ef19d3b1d5e ("devlink: report error once U32_MAX snapshot ids have been used")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/crdump.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/crdump.c b/drivers/net/ethernet/mellanox/mlx4/crdump.c
+index 73eae80e1cb7..ac5468b77488 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/crdump.c
++++ b/drivers/net/ethernet/mellanox/mlx4/crdump.c
+@@ -197,6 +197,7 @@ int mlx4_crdump_collect(struct mlx4_dev *dev)
+ err = devlink_region_snapshot_id_get(devlink, &id);
+ if (err) {
+ mlx4_err(dev, "crdump: devlink get snapshot id err %d\n", err);
++ iounmap(cr_space);
+ return err;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 4a39ec90733ee93cda6de815c2a841bffeb05652 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2020 09:52:02 +0300
+Subject: net/mlx5e: CT: Avoid false warning about rule may be used
+ uninitialized
+
+From: Roi Dayan <roid@mellanox.com>
+
+[ Upstream commit 70a5698a5683cd504b03c6030ee622b1bec3f702 ]
+
+Avoid gcc warning by preset rule to invalid ptr.
+
+Fixes: 4c3844d9e97e ("net/mlx5e: CT: Introduce connection tracking")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+index 153d6eb19d3c..470282daed19 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+@@ -1132,7 +1132,7 @@ mlx5_tc_ct_flow_offload(struct mlx5e_priv *priv,
+ {
+ bool clear_action = attr->ct_attr.ct_action & TCA_CT_ACT_CLEAR;
+ struct mlx5_tc_ct_priv *ct_priv = mlx5_tc_ct_get_ct_priv(priv);
+- struct mlx5_flow_handle *rule;
++ struct mlx5_flow_handle *rule = ERR_PTR(-EINVAL);
+ int err;
+
+ if (!ct_priv)
+--
+2.25.1
+
--- /dev/null
+From b13a9a87f2f32f66588f20193b9bd32ce2adbefa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 11:46:25 +0300
+Subject: net/mlx5e: IPoIB, Drop multicast packets that this interface sent
+
+From: Erez Shitrit <erezsh@mellanox.com>
+
+[ Upstream commit 8b46d424a743ddfef8056d5167f13ee7ebd1dcad ]
+
+After enabled loopback packets for IPoIB, we need to drop these packets
+that this HCA has replicated and came back to the same interface that
+sent them.
+
+Fixes: 4c6c615e3f30 ("net/mlx5e: IPoIB, Add PKEY child interface nic profile")
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+index e2beb89c1832..b69957be653a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -1501,6 +1501,7 @@ out:
+
+ #ifdef CONFIG_MLX5_CORE_IPOIB
+
++#define MLX5_IB_GRH_SGID_OFFSET 8
+ #define MLX5_IB_GRH_DGID_OFFSET 24
+ #define MLX5_GID_SIZE 16
+
+@@ -1514,6 +1515,7 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq,
+ struct net_device *netdev;
+ struct mlx5e_priv *priv;
+ char *pseudo_header;
++ u32 flags_rqpn;
+ u32 qpn;
+ u8 *dgid;
+ u8 g;
+@@ -1535,7 +1537,8 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq,
+ tstamp = &priv->tstamp;
+ stats = &priv->channel_stats[rq->ix].rq;
+
+- g = (be32_to_cpu(cqe->flags_rqpn) >> 28) & 3;
++ flags_rqpn = be32_to_cpu(cqe->flags_rqpn);
++ g = (flags_rqpn >> 28) & 3;
+ dgid = skb->data + MLX5_IB_GRH_DGID_OFFSET;
+ if ((!g) || dgid[0] != 0xff)
+ skb->pkt_type = PACKET_HOST;
+@@ -1544,9 +1547,15 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq,
+ else
+ skb->pkt_type = PACKET_MULTICAST;
+
+- /* TODO: IB/ipoib: Allow mcast packets from other VFs
+- * 68996a6e760e5c74654723eeb57bf65628ae87f4
++ /* Drop packets that this interface sent, ie multicast packets
++ * that the HCA has replicated.
+ */
++ if (g && (qpn == (flags_rqpn & 0xffffff)) &&
++ (memcmp(netdev->dev_addr + 4, skb->data + MLX5_IB_GRH_SGID_OFFSET,
++ MLX5_GID_SIZE) == 0)) {
++ skb->dev = NULL;
++ return;
++ }
+
+ skb_pull(skb, MLX5_IB_GRH_BYTES);
+
+--
+2.25.1
+
--- /dev/null
+From 85e2452c0dd2ec067170efb02fba49c0fa2adc33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Apr 2020 22:03:08 +0300
+Subject: net: mscc: ocelot: deal with problematic MAC_ETYPE VCAP IS2 rules
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 89f9ffd3eb670bad1260bc579f5e13b8f2d5b3e0 ]
+
+By default, the VCAP IS2 will produce a single match for each frame, on
+the most specific classification.
+
+Example: a ping packet (ICMP over IPv4 over Ethernet) sent from an IP
+address of 10.0.0.1 and a MAC address of 96:18:82:00:04:01 will match
+this rule:
+
+tc filter add dev swp0 ingress protocol ipv4 \
+ flower skip_sw src_ip 10.0.0.1 action drop
+
+but not this one:
+
+tc filter add dev swp0 ingress \
+ flower skip_sw src_mac 96:18:82:00:04:01 action drop
+
+Currently the driver does not really warn the user in any way about
+this, and the behavior is rather strange anyway.
+
+The current patch is a workaround to force matches on MAC_ETYPE keys
+(DMAC and SMAC) for all packets irrespective of higher layer protocol.
+The setting is made at the port level.
+
+Of course this breaks all other non-src_mac and non-dst_mac matches, so
+rule exclusivity checks have been added to the driver, in order to never
+have rules of both types on any ingress port.
+
+The bits that discard higher-level protocol information are set only
+once a MAC_ETYPE rule is added to a filter block, and only for the ports
+that are bound to that filter block. Then all further non-MAC_ETYPE
+rules added to that filter block should be denied by the ports bound to
+it.
+
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_ace.c | 103 +++++++++++++++++++++-
+ drivers/net/ethernet/mscc/ocelot_ace.h | 5 +-
+ drivers/net/ethernet/mscc/ocelot_flower.c | 2 +-
+ 3 files changed, 106 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_ace.c b/drivers/net/ethernet/mscc/ocelot_ace.c
+index 3bd286044480..8a2f7d13ef6d 100644
+--- a/drivers/net/ethernet/mscc/ocelot_ace.c
++++ b/drivers/net/ethernet/mscc/ocelot_ace.c
+@@ -706,13 +706,114 @@ ocelot_ace_rule_get_rule_index(struct ocelot_acl_block *block, int index)
+ return NULL;
+ }
+
++/* If @on=false, then SNAP, ARP, IP and OAM frames will not match on keys based
++ * on destination and source MAC addresses, but only on higher-level protocol
++ * information. The only frame types to match on keys containing MAC addresses
++ * in this case are non-SNAP, non-ARP, non-IP and non-OAM frames.
++ *
++ * If @on=true, then the above frame types (SNAP, ARP, IP and OAM) will match
++ * on MAC_ETYPE keys such as destination and source MAC on this ingress port.
++ * However the setting has the side effect of making these frames not matching
++ * on any _other_ keys than MAC_ETYPE ones.
++ */
++static void ocelot_match_all_as_mac_etype(struct ocelot *ocelot, int port,
++ bool on)
++{
++ u32 val = 0;
++
++ if (on)
++ val = ANA_PORT_VCAP_S2_CFG_S2_SNAP_DIS(3) |
++ ANA_PORT_VCAP_S2_CFG_S2_ARP_DIS(3) |
++ ANA_PORT_VCAP_S2_CFG_S2_IP_TCPUDP_DIS(3) |
++ ANA_PORT_VCAP_S2_CFG_S2_IP_OTHER_DIS(3) |
++ ANA_PORT_VCAP_S2_CFG_S2_OAM_DIS(3);
++
++ ocelot_rmw_gix(ocelot, val,
++ ANA_PORT_VCAP_S2_CFG_S2_SNAP_DIS_M |
++ ANA_PORT_VCAP_S2_CFG_S2_ARP_DIS_M |
++ ANA_PORT_VCAP_S2_CFG_S2_IP_TCPUDP_DIS_M |
++ ANA_PORT_VCAP_S2_CFG_S2_IP_OTHER_DIS_M |
++ ANA_PORT_VCAP_S2_CFG_S2_OAM_DIS_M,
++ ANA_PORT_VCAP_S2_CFG, port);
++}
++
++static bool ocelot_ace_is_problematic_mac_etype(struct ocelot_ace_rule *ace)
++{
++ if (ace->type != OCELOT_ACE_TYPE_ETYPE)
++ return false;
++ if (ether_addr_to_u64(ace->frame.etype.dmac.value) &
++ ether_addr_to_u64(ace->frame.etype.dmac.mask))
++ return true;
++ if (ether_addr_to_u64(ace->frame.etype.smac.value) &
++ ether_addr_to_u64(ace->frame.etype.smac.mask))
++ return true;
++ return false;
++}
++
++static bool ocelot_ace_is_problematic_non_mac_etype(struct ocelot_ace_rule *ace)
++{
++ if (ace->type == OCELOT_ACE_TYPE_SNAP)
++ return true;
++ if (ace->type == OCELOT_ACE_TYPE_ARP)
++ return true;
++ if (ace->type == OCELOT_ACE_TYPE_IPV4)
++ return true;
++ if (ace->type == OCELOT_ACE_TYPE_IPV6)
++ return true;
++ return false;
++}
++
++static bool ocelot_exclusive_mac_etype_ace_rules(struct ocelot *ocelot,
++ struct ocelot_ace_rule *ace)
++{
++ struct ocelot_acl_block *block = &ocelot->acl_block;
++ struct ocelot_ace_rule *tmp;
++ unsigned long port;
++ int i;
++
++ if (ocelot_ace_is_problematic_mac_etype(ace)) {
++ /* Search for any non-MAC_ETYPE rules on the port */
++ for (i = 0; i < block->count; i++) {
++ tmp = ocelot_ace_rule_get_rule_index(block, i);
++ if (tmp->ingress_port_mask & ace->ingress_port_mask &&
++ ocelot_ace_is_problematic_non_mac_etype(tmp))
++ return false;
++ }
++
++ for_each_set_bit(port, &ace->ingress_port_mask,
++ ocelot->num_phys_ports)
++ ocelot_match_all_as_mac_etype(ocelot, port, true);
++ } else if (ocelot_ace_is_problematic_non_mac_etype(ace)) {
++ /* Search for any MAC_ETYPE rules on the port */
++ for (i = 0; i < block->count; i++) {
++ tmp = ocelot_ace_rule_get_rule_index(block, i);
++ if (tmp->ingress_port_mask & ace->ingress_port_mask &&
++ ocelot_ace_is_problematic_mac_etype(tmp))
++ return false;
++ }
++
++ for_each_set_bit(port, &ace->ingress_port_mask,
++ ocelot->num_phys_ports)
++ ocelot_match_all_as_mac_etype(ocelot, port, false);
++ }
++
++ return true;
++}
++
+ int ocelot_ace_rule_offload_add(struct ocelot *ocelot,
+- struct ocelot_ace_rule *rule)
++ struct ocelot_ace_rule *rule,
++ struct netlink_ext_ack *extack)
+ {
+ struct ocelot_acl_block *block = &ocelot->acl_block;
+ struct ocelot_ace_rule *ace;
+ int i, index;
+
++ if (!ocelot_exclusive_mac_etype_ace_rules(ocelot, rule)) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "Cannot mix MAC_ETYPE with non-MAC_ETYPE rules");
++ return -EBUSY;
++ }
++
+ /* Add rule to the linked list */
+ ocelot_ace_rule_add(ocelot, block, rule);
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_ace.h b/drivers/net/ethernet/mscc/ocelot_ace.h
+index 29d22c566786..099e177f2617 100644
+--- a/drivers/net/ethernet/mscc/ocelot_ace.h
++++ b/drivers/net/ethernet/mscc/ocelot_ace.h
+@@ -194,7 +194,7 @@ struct ocelot_ace_rule {
+
+ enum ocelot_ace_action action;
+ struct ocelot_ace_stats stats;
+- u16 ingress_port_mask;
++ unsigned long ingress_port_mask;
+
+ enum ocelot_vcap_bit dmac_mc;
+ enum ocelot_vcap_bit dmac_bc;
+@@ -215,7 +215,8 @@ struct ocelot_ace_rule {
+ };
+
+ int ocelot_ace_rule_offload_add(struct ocelot *ocelot,
+- struct ocelot_ace_rule *rule);
++ struct ocelot_ace_rule *rule,
++ struct netlink_ext_ack *extack);
+ int ocelot_ace_rule_offload_del(struct ocelot *ocelot,
+ struct ocelot_ace_rule *rule);
+ int ocelot_ace_rule_stats_update(struct ocelot *ocelot,
+diff --git a/drivers/net/ethernet/mscc/ocelot_flower.c b/drivers/net/ethernet/mscc/ocelot_flower.c
+index 341923311fec..954cb67eeaa2 100644
+--- a/drivers/net/ethernet/mscc/ocelot_flower.c
++++ b/drivers/net/ethernet/mscc/ocelot_flower.c
+@@ -205,7 +205,7 @@ int ocelot_cls_flower_replace(struct ocelot *ocelot, int port,
+ return ret;
+ }
+
+- return ocelot_ace_rule_offload_add(ocelot, ace);
++ return ocelot_ace_rule_offload_add(ocelot, ace, f->common.extack);
+ }
+ EXPORT_SYMBOL_GPL(ocelot_cls_flower_replace);
+
+--
+2.25.1
+
--- /dev/null
+From 74ed44b1fdf3929089cf620865c1d4df22fdd3b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2020 15:41:41 +0530
+Subject: net: qed*: Reduce RX and TX default ring count when running inside
+ kdump kernel
+
+From: Bhupesh Sharma <bhsharma@redhat.com>
+
+[ Upstream commit 73e030977f7884dbe1be0018bab517e8d02760f8 ]
+
+Normally kdump kernel(s) run under severe memory constraint with the
+basic idea being to save the crashdump vmcore reliably when the primary
+kernel panics/hangs.
+
+Currently the qed* ethernet driver ends up consuming a lot of memory in
+the kdump kernel, leading to kdump kernel panic when one tries to save
+the vmcore via ssh/nfs (thus utilizing the services of the underlying
+qed* network interfaces).
+
+An example OOM message log seen in the kdump kernel can be seen here
+[1], with crashkernel size reservation of 512M.
+
+Using tools like memstrack (see [2]), we can track the modules taking up
+the bulk of memory in the kdump kernel and organize the memory usage
+output as per 'highest allocator first'. An example log for the OOM case
+indicates that the qed* modules end up allocating approximately 216M
+memory, which is a large part of the total crashkernel size:
+
+ dracut-pre-pivot[676]: ======== Report format module_summary: ========
+ dracut-pre-pivot[676]: Module qed using 149.6MB (2394 pages), peak allocation 149.6MB (2394 pages)
+ dracut-pre-pivot[676]: Module qede using 65.3MB (1045 pages), peak allocation 65.3MB (1045 pages)
+
+This patch reduces the default RX and TX ring count from 1024 to 64
+when running inside kdump kernel, which leads to a significant memory
+saving.
+
+An example log with the patch applied shows the reduced memory
+allocation in the kdump kernel:
+ dracut-pre-pivot[674]: ======== Report format module_summary: ========
+ dracut-pre-pivot[674]: Module qed using 141.8MB (2268 pages), peak allocation 141.8MB (2268 pages)
+ <..snip..>
+[dracut-pre-pivot[674]: Module qede using 4.8MB (76 pages), peak allocation 4.9MB (78 pages)
+
+Tested crashdump vmcore save via ssh/nfs protocol using underlying qed*
+network interface after applying this patch.
+
+[1] OOM log:
+------------
+
+ kworker/0:6: page allocation failure: order:6,
+ mode:0x60c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null)
+ kworker/0:6 cpuset=/ mems_allowed=0
+ CPU: 0 PID: 145 Comm: kworker/0:6 Not tainted 4.18.0-109.el8.aarch64 #1
+ Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL025
+ 01/18/2019
+ Workqueue: events work_for_cpu_fn
+ Call trace:
+ dump_backtrace+0x0/0x188
+ show_stack+0x24/0x30
+ dump_stack+0x90/0xb4
+ warn_alloc+0xf4/0x178
+ __alloc_pages_nodemask+0xcac/0xd58
+ alloc_pages_current+0x8c/0xf8
+ kmalloc_order_trace+0x38/0x108
+ qed_iov_alloc+0x40/0x248 [qed]
+ qed_resc_alloc+0x224/0x518 [qed]
+ qed_slowpath_start+0x254/0x928 [qed]
+ __qede_probe+0xf8/0x5e0 [qede]
+ qede_probe+0x68/0xd8 [qede]
+ local_pci_probe+0x44/0xa8
+ work_for_cpu_fn+0x20/0x30
+ process_one_work+0x1ac/0x3e8
+ worker_thread+0x44/0x448
+ kthread+0x130/0x138
+ ret_from_fork+0x10/0x18
+ Cannot start slowpath
+ qede: probe of 0000:05:00.1 failed with error -12
+
+[2]. Memstrack tool: https://github.com/ryncsn/memstrack
+
+Cc: kexec@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Ariel Elior <aelior@marvell.com>
+Cc: GR-everest-linux-l2@marvell.com
+Cc: Manish Chopra <manishc@marvell.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Bhupesh Sharma <bhsharma@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede.h | 2 ++
+ drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +++++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede.h b/drivers/net/ethernet/qlogic/qede/qede.h
+index 234c6f30effb..234c7e35ee1e 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede.h
++++ b/drivers/net/ethernet/qlogic/qede/qede.h
+@@ -574,12 +574,14 @@ int qede_add_tc_flower_fltr(struct qede_dev *edev, __be16 proto,
+ #define RX_RING_SIZE ((u16)BIT(RX_RING_SIZE_POW))
+ #define NUM_RX_BDS_MAX (RX_RING_SIZE - 1)
+ #define NUM_RX_BDS_MIN 128
++#define NUM_RX_BDS_KDUMP_MIN 63
+ #define NUM_RX_BDS_DEF ((u16)BIT(10) - 1)
+
+ #define TX_RING_SIZE_POW 13
+ #define TX_RING_SIZE ((u16)BIT(TX_RING_SIZE_POW))
+ #define NUM_TX_BDS_MAX (TX_RING_SIZE - 1)
+ #define NUM_TX_BDS_MIN 128
++#define NUM_TX_BDS_KDUMP_MIN 63
+ #define NUM_TX_BDS_DEF NUM_TX_BDS_MAX
+
+ #define QEDE_MIN_PKT_LEN 64
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c
+index 34fa3917eb33..1a83d1fd8ccd 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
+@@ -29,6 +29,7 @@
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
++#include <linux/crash_dump.h>
+ #include <linux/module.h>
+ #include <linux/pci.h>
+ #include <linux/version.h>
+@@ -707,8 +708,14 @@ static struct qede_dev *qede_alloc_etherdev(struct qed_dev *cdev,
+ edev->dp_module = dp_module;
+ edev->dp_level = dp_level;
+ edev->ops = qed_ops;
+- edev->q_num_rx_buffers = NUM_RX_BDS_DEF;
+- edev->q_num_tx_buffers = NUM_TX_BDS_DEF;
++
++ if (is_kdump_kernel()) {
++ edev->q_num_rx_buffers = NUM_RX_BDS_KDUMP_MIN;
++ edev->q_num_tx_buffers = NUM_TX_BDS_KDUMP_MIN;
++ } else {
++ edev->q_num_rx_buffers = NUM_RX_BDS_DEF;
++ edev->q_num_tx_buffers = NUM_TX_BDS_DEF;
++ }
+
+ DP_INFO(edev, "Allocated netdev with %d tx queues and %d rx queues\n",
+ info->num_queues, info->num_queues);
+--
+2.25.1
+
--- /dev/null
+From 2a17b6f53fe91e5e532aaf4be2381a1ca3acdecc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 10:41:50 +0800
+Subject: net: vmxnet3: fix possible buffer overflow caused by bad DMA value in
+ vmxnet3_get_rss()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 3e1c6846b9e108740ef8a37be80314053f5dd52a ]
+
+The value adapter->rss_conf is stored in DMA memory, and it is assigned
+to rssConf, so rssConf->indTableSize can be modified at anytime by
+malicious hardware. Because rssConf->indTableSize is assigned to n,
+buffer overflow may occur when the code "rssConf->indTable[n]" is
+executed.
+
+To fix this possible bug, n is checked after being used.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_ethtool.c b/drivers/net/vmxnet3/vmxnet3_ethtool.c
+index 6528940ce5f3..b53bb8bcd47f 100644
+--- a/drivers/net/vmxnet3/vmxnet3_ethtool.c
++++ b/drivers/net/vmxnet3/vmxnet3_ethtool.c
+@@ -700,6 +700,8 @@ vmxnet3_get_rss(struct net_device *netdev, u32 *p, u8 *key, u8 *hfunc)
+ *hfunc = ETH_RSS_HASH_TOP;
+ if (!p)
+ return 0;
++ if (n > UPT1_RSS_MAX_IND_TABLE_SIZE)
++ return 0;
+ while (n--)
+ p[n] = rssConf->indTable[n];
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From d97ee647a5ea19673bc69cf14aa3569e35199dfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 21:55:34 +0200
+Subject: netfilter: nft_nat: return EOPNOTSUPP if type or flags are not
+ supported
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 0d7c83463fdf7841350f37960a7abadd3e650b41 ]
+
+Instead of EINVAL which should be used for malformed netlink messages.
+
+Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_nat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index 8b44a4de5329..bb49a217635e 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -129,7 +129,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ priv->type = NF_NAT_MANIP_DST;
+ break;
+ default:
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ if (tb[NFTA_NAT_FAMILY] == NULL)
+@@ -196,7 +196,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ if (tb[NFTA_NAT_FLAGS]) {
+ priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS]));
+ if (priv->flags & ~NF_NAT_RANGE_MASK)
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ return nf_ct_netns_get(ctx->net, family);
+--
+2.25.1
+
--- /dev/null
+From 1df184fc861fc3fd771d001fe88ad0ba505a5137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 23:30:57 +0200
+Subject: nvme-fc: avoid gcc-10 zero-length-bounds warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 3add1d93d9919b6de94aa47900d4904adffbc976 ]
+
+When CONFIG_ARCH_NO_SG_CHAIN is set, op->sgl[0] cannot be dereferenced,
+as gcc-10 now points out:
+
+drivers/nvme/host/fc.c: In function 'nvme_fc_init_request':
+drivers/nvme/host/fc.c:1774:29: warning: array subscript 0 is outside the bounds of an interior zero-length array 'struct scatterlist[0]' [-Wzero-length-bounds]
+ 1774 | op->op.fcp_req.first_sgl = &op->sgl[0];
+ | ^~~~~~~~~~~
+drivers/nvme/host/fc.c:98:21: note: while referencing 'sgl'
+ 98 | struct scatterlist sgl[NVME_INLINE_SG_CNT];
+ | ^~~
+
+I don't know if this is a legitimate warning or a false-positive.
+If this is just a false alarm, the warning is easily suppressed
+by interpreting the array as a pointer.
+
+Fixes: b1ae1a238900 ("nvme-fc: Avoid preallocating big SGL for data")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/fc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
+index 7dfc4a2ecf1e..5ef4a84c442a 100644
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -1771,7 +1771,7 @@ nvme_fc_init_request(struct blk_mq_tag_set *set, struct request *rq,
+ res = __nvme_fc_init_request(ctrl, queue, &op->op, rq, queue->rqcnt++);
+ if (res)
+ return res;
+- op->op.fcp_req.first_sgl = &op->sgl[0];
++ op->op.fcp_req.first_sgl = op->sgl;
+ op->op.fcp_req.private = &op->priv[0];
+ nvme_req(rq)->ctrl = &ctrl->ctrl;
+ return res;
+--
+2.25.1
+
--- /dev/null
+From 0b0c9865a1a5e5edfb7ba77a9b9ab4fa2a6b10c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 15:29:41 +0800
+Subject: nvme-pci: align io queue count with allocted nvme_queue in nvme_probe
+
+From: Weiping Zhang <zhangweiping@didiglobal.com>
+
+[ Upstream commit 2a5bcfdd41d68559567cec3c124a75e093506cc1 ]
+
+Since commit 147b27e4bd08 ("nvme-pci: allocate device queues storage
+space at probe"), nvme_alloc_queue does not alloc the nvme queues
+itself anymore.
+
+If the write/poll_queues module parameters are changed at runtime to
+values larger than the number of allocated queues in nvme_probe,
+nvme_alloc_queue will access unallocated memory.
+
+Add a new nr_allocated_queues member to struct nvme_dev to record how
+many queues were alloctated in nvme_probe to avoid using more than the
+allocated queues after a reset following a change to the
+write/poll_queues module parameters.
+
+Also add nr_write_queues and nr_poll_queues members to allow refreshing
+the number of write and poll queues based on a change to the module
+parameters when resetting the controller.
+
+Fixes: 147b27e4bd08 ("nvme-pci: allocate device queues storage space at probe")
+Signed-off-by: Weiping Zhang <zhangweiping@didiglobal.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+[hch: add nvme_max_io_queues, update the commit message]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 57 ++++++++++++++++++++++++-----------------
+ 1 file changed, 33 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index cc46e250fcac..dcf597fbafad 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -128,6 +128,9 @@ struct nvme_dev {
+ dma_addr_t host_mem_descs_dma;
+ struct nvme_host_mem_buf_desc *host_mem_descs;
+ void **host_mem_desc_bufs;
++ unsigned int nr_allocated_queues;
++ unsigned int nr_write_queues;
++ unsigned int nr_poll_queues;
+ };
+
+ static int io_queue_depth_set(const char *val, const struct kernel_param *kp)
+@@ -209,25 +212,14 @@ struct nvme_iod {
+ struct scatterlist *sg;
+ };
+
+-static unsigned int max_io_queues(void)
++static inline unsigned int nvme_dbbuf_size(struct nvme_dev *dev)
+ {
+- return num_possible_cpus() + write_queues + poll_queues;
+-}
+-
+-static unsigned int max_queue_count(void)
+-{
+- /* IO queues + admin queue */
+- return 1 + max_io_queues();
+-}
+-
+-static inline unsigned int nvme_dbbuf_size(u32 stride)
+-{
+- return (max_queue_count() * 8 * stride);
++ return dev->nr_allocated_queues * 8 * dev->db_stride;
+ }
+
+ static int nvme_dbbuf_dma_alloc(struct nvme_dev *dev)
+ {
+- unsigned int mem_size = nvme_dbbuf_size(dev->db_stride);
++ unsigned int mem_size = nvme_dbbuf_size(dev);
+
+ if (dev->dbbuf_dbs)
+ return 0;
+@@ -252,7 +244,7 @@ static int nvme_dbbuf_dma_alloc(struct nvme_dev *dev)
+
+ static void nvme_dbbuf_dma_free(struct nvme_dev *dev)
+ {
+- unsigned int mem_size = nvme_dbbuf_size(dev->db_stride);
++ unsigned int mem_size = nvme_dbbuf_size(dev);
+
+ if (dev->dbbuf_dbs) {
+ dma_free_coherent(dev->dev, mem_size,
+@@ -2003,7 +1995,7 @@ static int nvme_setup_host_mem(struct nvme_dev *dev)
+ static void nvme_calc_irq_sets(struct irq_affinity *affd, unsigned int nrirqs)
+ {
+ struct nvme_dev *dev = affd->priv;
+- unsigned int nr_read_queues;
++ unsigned int nr_read_queues, nr_write_queues = dev->nr_write_queues;
+
+ /*
+ * If there is no interupt available for queues, ensure that
+@@ -2019,12 +2011,12 @@ static void nvme_calc_irq_sets(struct irq_affinity *affd, unsigned int nrirqs)
+ if (!nrirqs) {
+ nrirqs = 1;
+ nr_read_queues = 0;
+- } else if (nrirqs == 1 || !write_queues) {
++ } else if (nrirqs == 1 || !nr_write_queues) {
+ nr_read_queues = 0;
+- } else if (write_queues >= nrirqs) {
++ } else if (nr_write_queues >= nrirqs) {
+ nr_read_queues = 1;
+ } else {
+- nr_read_queues = nrirqs - write_queues;
++ nr_read_queues = nrirqs - nr_write_queues;
+ }
+
+ dev->io_queues[HCTX_TYPE_DEFAULT] = nrirqs - nr_read_queues;
+@@ -2048,7 +2040,7 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues)
+ * Poll queues don't need interrupts, but we need at least one IO
+ * queue left over for non-polled IO.
+ */
+- this_p_queues = poll_queues;
++ this_p_queues = dev->nr_poll_queues;
+ if (this_p_queues >= nr_io_queues) {
+ this_p_queues = nr_io_queues - 1;
+ irq_queues = 1;
+@@ -2078,14 +2070,25 @@ static void nvme_disable_io_queues(struct nvme_dev *dev)
+ __nvme_disable_io_queues(dev, nvme_admin_delete_cq);
+ }
+
++static unsigned int nvme_max_io_queues(struct nvme_dev *dev)
++{
++ return num_possible_cpus() + dev->nr_write_queues + dev->nr_poll_queues;
++}
++
+ static int nvme_setup_io_queues(struct nvme_dev *dev)
+ {
+ struct nvme_queue *adminq = &dev->queues[0];
+ struct pci_dev *pdev = to_pci_dev(dev->dev);
+- int result, nr_io_queues;
++ unsigned int nr_io_queues;
+ unsigned long size;
++ int result;
+
+- nr_io_queues = max_io_queues();
++ /*
++ * Sample the module parameters once at reset time so that we have
++ * stable values to work with.
++ */
++ dev->nr_write_queues = write_queues;
++ dev->nr_poll_queues = poll_queues;
+
+ /*
+ * If tags are shared with admin queue (Apple bug), then
+@@ -2093,6 +2096,9 @@ static int nvme_setup_io_queues(struct nvme_dev *dev)
+ */
+ if (dev->ctrl.quirks & NVME_QUIRK_SHARED_TAGS)
+ nr_io_queues = 1;
++ else
++ nr_io_queues = min(nvme_max_io_queues(dev),
++ dev->nr_allocated_queues - 1);
+
+ result = nvme_set_queue_count(&dev->ctrl, &nr_io_queues);
+ if (result < 0)
+@@ -2767,8 +2773,11 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ if (!dev)
+ return -ENOMEM;
+
+- dev->queues = kcalloc_node(max_queue_count(), sizeof(struct nvme_queue),
+- GFP_KERNEL, node);
++ dev->nr_write_queues = write_queues;
++ dev->nr_poll_queues = poll_queues;
++ dev->nr_allocated_queues = nvme_max_io_queues(dev) + 1;
++ dev->queues = kcalloc_node(dev->nr_allocated_queues,
++ sizeof(struct nvme_queue), GFP_KERNEL, node);
+ if (!dev->queues)
+ goto free;
+
+--
+2.25.1
+
--- /dev/null
+From e0866e38b54f4ff90fea8f30af6d5512f65247c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 May 2020 14:22:08 +0800
+Subject: nvme-pci: make sure write/poll_queues less or equal then cpu count
+
+From: Weiping Zhang <zhangweiping@didiglobal.com>
+
+[ Upstream commit 9c9e76d5792b121f10c3b8ddbb639617e49197f7 ]
+
+Check module parameter write/poll_queues before using it to catch
+too large values.
+
+Reproducer:
+
+modprobe -r nvme
+modprobe nvme write_queues=`nproc`
+echo $((`nproc`+1)) > /sys/module/nvme/parameters/write_queues
+echo 1 > /sys/block/nvme0n1/device/reset_controller
+
+[ 657.069000] ------------[ cut here ]------------
+[ 657.069022] WARNING: CPU: 10 PID: 1163 at kernel/irq/affinity.c:390 irq_create_affinity_masks+0x47c/0x4a0
+[ 657.069056] dm_region_hash dm_log dm_mod
+[ 657.069059] CPU: 10 PID: 1163 Comm: kworker/u193:9 Kdump: loaded Tainted: G W 5.6.0+ #8
+[ 657.069060] Hardware name: Inspur SA5212M5/YZMB-00882-104, BIOS 4.0.9 08/27/2019
+[ 657.069064] Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+[ 657.069066] RIP: 0010:irq_create_affinity_masks+0x47c/0x4a0
+[ 657.069067] Code: fe ff ff 48 c7 c0 b0 89 14 95 48 89 46 20 e9 e9 fb ff ff 31 c0 e9 90 fc ff ff 0f 0b 48 c7 44 24 08 00 00 00 00 e9 e9 fc ff ff <0f> 0b e9 87 fe ff ff 48 8b 7c 24 28 e8 33 a0 80 00 e9 b6 fc ff ff
+[ 657.069068] RSP: 0018:ffffb505ce1ffc78 EFLAGS: 00010202
+[ 657.069069] RAX: 0000000000000060 RBX: ffff9b97921fe5c0 RCX: 0000000000000000
+[ 657.069069] RDX: ffff9b67bad80000 RSI: 00000000ffffffa0 RDI: 0000000000000000
+[ 657.069070] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9b97921fe718
+[ 657.069070] R10: ffff9b97921fe710 R11: 0000000000000001 R12: 0000000000000064
+[ 657.069070] R13: 0000000000000060 R14: 0000000000000000 R15: 0000000000000001
+[ 657.069071] FS: 0000000000000000(0000) GS:ffff9b67c0880000(0000) knlGS:0000000000000000
+[ 657.069072] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 657.069072] CR2: 0000559eac6fc238 CR3: 000000057860a002 CR4: 00000000007606e0
+[ 657.069073] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 657.069073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 657.069073] PKRU: 55555554
+[ 657.069074] Call Trace:
+[ 657.069080] __pci_enable_msix_range+0x233/0x5a0
+[ 657.069085] ? kernfs_put+0xec/0x190
+[ 657.069086] pci_alloc_irq_vectors_affinity+0xbb/0x130
+[ 657.069089] nvme_reset_work+0x6e6/0xeab [nvme]
+[ 657.069093] ? __switch_to_asm+0x34/0x70
+[ 657.069094] ? __switch_to_asm+0x40/0x70
+[ 657.069095] ? nvme_irq_check+0x30/0x30 [nvme]
+[ 657.069098] process_one_work+0x1a7/0x370
+[ 657.069101] worker_thread+0x1c9/0x380
+[ 657.069102] ? max_active_store+0x80/0x80
+[ 657.069103] kthread+0x112/0x130
+[ 657.069104] ? __kthread_parkme+0x70/0x70
+[ 657.069105] ret_from_fork+0x35/0x40
+[ 657.069106] ---[ end trace f4f06b7d24513d06 ]---
+[ 657.077110] nvme nvme0: 95/1/0 default/read/poll queues
+
+Signed-off-by: Weiping Zhang <zhangweiping@didiglobal.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index dcf597fbafad..076bdd90c922 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -68,14 +68,30 @@ static int io_queue_depth = 1024;
+ module_param_cb(io_queue_depth, &io_queue_depth_ops, &io_queue_depth, 0644);
+ MODULE_PARM_DESC(io_queue_depth, "set io queue depth, should >= 2");
+
++static int io_queue_count_set(const char *val, const struct kernel_param *kp)
++{
++ unsigned int n;
++ int ret;
++
++ ret = kstrtouint(val, 10, &n);
++ if (ret != 0 || n > num_possible_cpus())
++ return -EINVAL;
++ return param_set_uint(val, kp);
++}
++
++static const struct kernel_param_ops io_queue_count_ops = {
++ .set = io_queue_count_set,
++ .get = param_get_uint,
++};
++
+ static unsigned int write_queues;
+-module_param(write_queues, uint, 0644);
++module_param_cb(write_queues, &io_queue_count_ops, &write_queues, 0644);
+ MODULE_PARM_DESC(write_queues,
+ "Number of queues to use for writes. If not set, reads and writes "
+ "will share a queue set.");
+
+ static unsigned int poll_queues;
+-module_param(poll_queues, uint, 0644);
++module_param_cb(poll_queues, &io_queue_count_ops, &poll_queues, 0644);
+ MODULE_PARM_DESC(poll_queues, "Number of queues to use for polled IO.");
+
+ struct nvme_dev;
+@@ -3140,8 +3156,6 @@ static int __init nvme_init(void)
+ BUILD_BUG_ON(sizeof(struct nvme_delete_queue) != 64);
+ BUILD_BUG_ON(IRQ_AFFINITY_MAX_SETS < 2);
+
+- write_queues = min(write_queues, num_possible_cpus());
+- poll_queues = min(poll_queues, num_possible_cpus());
+ return pci_register_driver(&nvme_driver);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 101986847f8db36d81bcc92736ae662ecb1e2916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2020 10:11:28 +0200
+Subject: nvme: refine the Qemu Identify CNS quirk
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit b9a5c3d4c34d8bd9fd75f7f28d18a57cb68da237 ]
+
+Add a helper to check if we can use Identify CNS values > 1, and refine
+the Qemu quirk to not apply to reported versions larger than 1.1, as the
+Qemu implementation had been fixed by then.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index f3c037f5a9ba..7b4cbe2c6954 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1027,6 +1027,19 @@ void nvme_stop_keep_alive(struct nvme_ctrl *ctrl)
+ }
+ EXPORT_SYMBOL_GPL(nvme_stop_keep_alive);
+
++/*
++ * In NVMe 1.0 the CNS field was just a binary controller or namespace
++ * flag, thus sending any new CNS opcodes has a big chance of not working.
++ * Qemu unfortunately had that bug after reporting a 1.1 version compliance
++ * (but not for any later version).
++ */
++static bool nvme_ctrl_limited_cns(struct nvme_ctrl *ctrl)
++{
++ if (ctrl->quirks & NVME_QUIRK_IDENTIFY_CNS)
++ return ctrl->vs < NVME_VS(1, 2, 0);
++ return ctrl->vs < NVME_VS(1, 1, 0);
++}
++
+ static int nvme_identify_ctrl(struct nvme_ctrl *dev, struct nvme_id_ctrl **id)
+ {
+ struct nvme_command c = { };
+@@ -3815,8 +3828,7 @@ static void nvme_scan_work(struct work_struct *work)
+
+ mutex_lock(&ctrl->scan_lock);
+ nn = le32_to_cpu(id->nn);
+- if (ctrl->vs >= NVME_VS(1, 1, 0) &&
+- !(ctrl->quirks & NVME_QUIRK_IDENTIFY_CNS)) {
++ if (!nvme_ctrl_limited_cns(ctrl)) {
+ if (!nvme_scan_ns_list(ctrl, nn))
+ goto out_free_id;
+ }
+--
+2.25.1
+
--- /dev/null
+From 09c3a3e5828d420f14c90cacb0bd4fa21d2601ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 13:59:32 -0700
+Subject: nvme-tcp: use bh_lock in data_ready
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 386e5e6e1aa90b479fcf0467935922df8524393d ]
+
+data_ready may be invoked from send context or from
+softirq, so need bh locking for that.
+
+Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index c15a92163c1f..4862fa962011 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -794,11 +794,11 @@ static void nvme_tcp_data_ready(struct sock *sk)
+ {
+ struct nvme_tcp_queue *queue;
+
+- read_lock(&sk->sk_callback_lock);
++ read_lock_bh(&sk->sk_callback_lock);
+ queue = sk->sk_user_data;
+ if (likely(queue && queue->rd_enabled))
+ queue_work_on(queue->io_cpu, nvme_tcp_wq, &queue->io_work);
+- read_unlock(&sk->sk_callback_lock);
++ read_unlock_bh(&sk->sk_callback_lock);
+ }
+
+ static void nvme_tcp_write_space(struct sock *sk)
+--
+2.25.1
+
--- /dev/null
+From f77f3f70aa33ce90079dcefe16e3f8862bbcecfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2020 12:48:12 -0700
+Subject: nvmet: fix memory leak when removing namespaces and controllers
+ concurrently
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 64f5e9cdd711b030b05062c17b2ecfbce890cf4c ]
+
+When removing a namespace, we add an NS_CHANGE async event, however if
+the controller admin queue is removed after the event was added but not
+yet processed, we won't free the aens, resulting in the below memory
+leak [1].
+
+Fix that by moving nvmet_async_event_free to the final controller
+release after it is detached from subsys->ctrls ensuring no async
+events are added, and modify it to simply remove all pending aens.
+
+--
+$ cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff888c1af2c000 (size 32):
+ comm "nvmetcli", pid 5164, jiffies 4295220864 (age 6829.924s)
+ hex dump (first 32 bytes):
+ 28 01 82 3b 8b 88 ff ff 28 01 82 3b 8b 88 ff ff (..;....(..;....
+ 02 00 04 65 76 65 6e 74 5f 66 69 6c 65 00 00 00 ...event_file...
+ backtrace:
+ [<00000000217ae580>] nvmet_add_async_event+0x57/0x290 [nvmet]
+ [<0000000012aa2ea9>] nvmet_ns_changed+0x206/0x300 [nvmet]
+ [<00000000bb3fd52e>] nvmet_ns_disable+0x367/0x4f0 [nvmet]
+ [<00000000e91ca9ec>] nvmet_ns_free+0x15/0x180 [nvmet]
+ [<00000000a15deb52>] config_item_release+0xf1/0x1c0
+ [<000000007e148432>] configfs_rmdir+0x555/0x7c0
+ [<00000000f4506ea6>] vfs_rmdir+0x142/0x3c0
+ [<0000000000acaaf0>] do_rmdir+0x2b2/0x340
+ [<0000000034d1aa52>] do_syscall_64+0xa5/0x4d0
+ [<00000000211f13bc>] entry_SYSCALL_64_after_hwframe+0x6a/0xdf
+
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Reported-by: David Milburn <dmilburn@redhat.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Tested-by: David Milburn <dmilburn@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index b685f99d56a1..aa5ca222c6f5 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -157,14 +157,12 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status)
+
+ static void nvmet_async_events_free(struct nvmet_ctrl *ctrl)
+ {
+- struct nvmet_req *req;
++ struct nvmet_async_event *aen, *tmp;
+
+ mutex_lock(&ctrl->lock);
+- while (ctrl->nr_async_event_cmds) {
+- req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds];
+- mutex_unlock(&ctrl->lock);
+- nvmet_req_complete(req, NVME_SC_INTERNAL | NVME_SC_DNR);
+- mutex_lock(&ctrl->lock);
++ list_for_each_entry_safe(aen, tmp, &ctrl->async_events, entry) {
++ list_del(&aen->entry);
++ kfree(aen);
+ }
+ mutex_unlock(&ctrl->lock);
+ }
+@@ -764,10 +762,8 @@ void nvmet_sq_destroy(struct nvmet_sq *sq)
+ * If this is the admin queue, complete all AERs so that our
+ * queue doesn't have outstanding requests on it.
+ */
+- if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) {
++ if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq)
+ nvmet_async_events_process(ctrl, status);
+- nvmet_async_events_free(ctrl);
+- }
+ percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq);
+ wait_for_completion(&sq->confirm_done);
+ wait_for_completion(&sq->free_done);
+@@ -1357,6 +1353,7 @@ static void nvmet_ctrl_free(struct kref *ref)
+
+ ida_simple_remove(&cntlid_ida, ctrl->cntlid);
+
++ nvmet_async_events_free(ctrl);
+ kfree(ctrl->sqs);
+ kfree(ctrl->cqs);
+ kfree(ctrl->changed_ns_list);
+--
+2.25.1
+
--- /dev/null
+From b25b677dffcb1be86a745121c44747049c4f2c92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2020 15:28:41 +0000
+Subject: objtool: Ignore empty alternatives
+
+From: Julien Thierry <jthierry@redhat.com>
+
+[ Upstream commit 7170cf47d16f1ba29eca07fd818870b7af0a93a5 ]
+
+The .alternatives section can contain entries with no original
+instructions. Objtool will currently crash when handling such an entry.
+
+Just skip that entry, but still give a warning to discourage useless
+entries.
+
+Signed-off-by: Julien Thierry <jthierry@redhat.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index 3c6da70e6084..5a867a469ba5 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -916,6 +916,12 @@ static int add_special_section_alts(struct objtool_file *file)
+ }
+
+ if (special_alt->group) {
++ if (!special_alt->orig_len) {
++ WARN_FUNC("empty alternative entry",
++ orig_insn->sec, orig_insn->offset);
++ continue;
++ }
++
+ ret = handle_group_alt(file, special_alt, orig_insn,
+ &new_insn);
+ if (ret)
+--
+2.25.1
+
--- /dev/null
+From 5c84f382aa36f9605c7bcc33fc6bf5affbfb94fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:11:10 +0000
+Subject: octeontx2-pf: Fix error return code in otx2_probe()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 654cad8b6a17dcb00077070b27bc65873951a568 ]
+
+Fix to return negative error code -ENOMEM from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 5a6d7c9daef3 ("octeontx2-pf: Mailbox communication with AF")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+index 411e5ea1031e..64786568af0d 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+@@ -1856,13 +1856,17 @@ static int otx2_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ num_vec = pci_msix_vec_count(pdev);
+ hw->irq_name = devm_kmalloc_array(&hw->pdev->dev, num_vec, NAME_SIZE,
+ GFP_KERNEL);
+- if (!hw->irq_name)
++ if (!hw->irq_name) {
++ err = -ENOMEM;
+ goto err_free_netdev;
++ }
+
+ hw->affinity_mask = devm_kcalloc(&hw->pdev->dev, num_vec,
+ sizeof(cpumask_var_t), GFP_KERNEL);
+- if (!hw->affinity_mask)
++ if (!hw->affinity_mask) {
++ err = -ENOMEM;
+ goto err_free_netdev;
++ }
+
+ /* Map CSRs */
+ pf->reg_base = pcim_iomap(pdev, PCI_CFG_REG_BAR_NUM, 0);
+--
+2.25.1
+
--- /dev/null
+From b6512f95ecc503a67489f973597ec4d557981a8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 17:21:12 +0800
+Subject: PCI: Don't disable decoding when mmio_always_on is set
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit b6caa1d8c80cb71b6162cb1f1ec13aa655026c9f ]
+
+Don't disable MEM/IO decoding when a device have both non_compliant_bars
+and mmio_always_on.
+
+That would allow us quirk devices with junk in BARs but can't disable
+their decoding.
+
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Acked-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 77b8a145c39b..d9c2c3301a8a 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1822,7 +1822,7 @@ int pci_setup_device(struct pci_dev *dev)
+ /* Device class may be changed after fixup */
+ class = dev->class >> 8;
+
+- if (dev->non_compliant_bars) {
++ if (dev->non_compliant_bars && !dev->mmio_always_on) {
+ pci_read_config_word(dev, PCI_COMMAND, &cmd);
+ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) {
+ pci_info(dev, "device has non-compliant BARs; disabling IO/MEM decoding\n");
+--
+2.25.1
+
--- /dev/null
+From 0df957d879e701a3fb7dc7563177b8fd29d70c51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 15:44:24 +0800
+Subject: platform/x86: asus_wmi: Reserve more space for struct bias_args
+
+From: Chris Chiu <chiu@endlessm.com>
+
+[ Upstream commit 7b91f1565fbfbe5a162d91f8a1f6c5580c2fc1d0 ]
+
+On the ASUS laptop UX325JA/UX425JA, most of the media keys are not
+working due to the ASUS WMI driver fails to be loaded. The ACPI error
+as follows leads to the failure of asus_wmi_evaluate_method.
+ ACPI BIOS Error (bug): AE_AML_BUFFER_LIMIT, Field [IIA3] at bit offset/length 96/32 exceeds size of target Buffer (96 bits) (20200326/dsopcode-203)
+ No Local Variables are initialized for Method [WMNB]
+ ACPI Error: Aborting method \_SB.ATKD.WMNB due to previous error (AE_AML_BUFFER_LIMIT) (20200326/psparse-531)
+
+The DSDT for the WMNB part shows that 5 DWORD required for local
+variables and the 3rd variable IIA3 hit the buffer limit.
+
+Method (WMNB, 3, Serialized)
+{ ..
+ CreateDWordField (Arg2, Zero, IIA0)
+ CreateDWordField (Arg2, 0x04, IIA1)
+ CreateDWordField (Arg2, 0x08, IIA2)
+ CreateDWordField (Arg2, 0x0C, IIA3)
+ CreateDWordField (Arg2, 0x10, IIA4)
+ Local0 = (Arg1 & 0xFFFFFFFF)
+ If ((Local0 == 0x54494E49))
+ ..
+}
+
+The limitation is determined by the input acpi_buffer size passed
+to the wmi_evaluate_method. Since the struct bios_args is the data
+structure used as input buffer by default for all ASUS WMI calls,
+the size needs to be expanded to fix the problem.
+
+Signed-off-by: Chris Chiu <chiu@endlessm.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-wmi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index bb7c529d7d16..cd212ee210e2 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -116,6 +116,8 @@ struct bios_args {
+ u32 arg0;
+ u32 arg1;
+ u32 arg2; /* At least TUF Gaming series uses 3 dword input buffer. */
++ u32 arg4;
++ u32 arg5;
+ } __packed;
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From c1ab2907eed59829a133303fc63e78064395b0dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2020 09:44:56 +0800
+Subject: platform/x86: dell-laptop: don't register micmute LED if there is no
+ token
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Koba Ko <koba.ko@canonical.com>
+
+[ Upstream commit 257e03a334ccb96e657bf5f6ab3b5693a22c2aa4 ]
+
+On Dell G3-3590, error message is issued during boot up,
+"platform::micmute: Setting an LED's brightness failed (-19)",
+but there's no micmute led on the machine.
+
+Get the related tokens of SMBIOS, GLOBAL_MIC_MUTE_DISABLE/ENABLE.
+If one of two tokens doesn't exist,
+don't call led_classdev_register() for platform::micmute.
+After that, you wouldn't see the platform::micmute in /sys/class/leds/,
+and the error message wouldn't see in dmesg.
+
+Fixes: d00fa46e0a2c6 ("platform/x86: dell-laptop: Add micmute LED trigger support")
+Signed-off-by: Koba Ko <koba.ko@canonical.com>
+Reviewed-by: Mario Limonciello <Mario.limonciello@dell.com>
+Reviewed-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell-laptop.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c
+index f8d3e3bd1bb5..5e9c2296931c 100644
+--- a/drivers/platform/x86/dell-laptop.c
++++ b/drivers/platform/x86/dell-laptop.c
+@@ -2204,10 +2204,13 @@ static int __init dell_init(void)
+
+ dell_laptop_register_notifier(&dell_laptop_notifier);
+
+- micmute_led_cdev.brightness = ledtrig_audio_get(LED_AUDIO_MICMUTE);
+- ret = led_classdev_register(&platform_device->dev, &micmute_led_cdev);
+- if (ret < 0)
+- goto fail_led;
++ if (dell_smbios_find_token(GLOBAL_MIC_MUTE_DISABLE) &&
++ dell_smbios_find_token(GLOBAL_MIC_MUTE_ENABLE)) {
++ micmute_led_cdev.brightness = ledtrig_audio_get(LED_AUDIO_MICMUTE);
++ ret = led_classdev_register(&platform_device->dev, &micmute_led_cdev);
++ if (ret < 0)
++ goto fail_led;
++ }
+
+ if (acpi_video_get_backlight_type() != acpi_backlight_vendor)
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From a2602885977ef68f1266e4ae15fc894d2285bdf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 16:27:04 +0300
+Subject: platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 5cdc45ed3948042f0d73c6fec5ee9b59e637d0d2 ]
+
+First of all, unsigned long can overflow u32 value on 64-bit machine.
+Second, simple_strtoul() doesn't check for overflow in the input.
+
+Convert simple_strtoul() to kstrtou32() to eliminate above issues.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp-wmi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c
+index a881b709af25..a44a2ec33287 100644
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -461,8 +461,14 @@ static ssize_t postcode_show(struct device *dev, struct device_attribute *attr,
+ static ssize_t als_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+- u32 tmp = simple_strtoul(buf, NULL, 10);
+- int ret = hp_wmi_perform_query(HPWMI_ALS_QUERY, HPWMI_WRITE, &tmp,
++ u32 tmp;
++ int ret;
++
++ ret = kstrtou32(buf, 10, &tmp);
++ if (ret)
++ return ret;
++
++ ret = hp_wmi_perform_query(HPWMI_ALS_QUERY, HPWMI_WRITE, &tmp,
+ sizeof(tmp), sizeof(tmp));
+ if (ret)
+ return ret < 0 ? ret : -EINVAL;
+--
+2.25.1
+
--- /dev/null
+From 2b2ed62fc0e68fbce86a28cdd0d2f38e927f90e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 22:07:20 +0500
+Subject: platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015)
+
+From: Nickolai Kozachenko <daemongloom@gmail.com>
+
+[ Upstream commit 8fe63eb757ac6e661a384cc760792080bdc738dc ]
+
+HEBC method reports capabilities of 5 button array but HP Spectre X2 (2015)
+does not have this control method (the same was for Wacom MobileStudio Pro).
+Expand previous DMI quirk by Alex Hung to also enable 5 button array
+for this system.
+
+Signed-off-by: Nickolai Kozachenko <daemongloom@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-hid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c
+index cc7dd4d87cce..9ee79b74311c 100644
+--- a/drivers/platform/x86/intel-hid.c
++++ b/drivers/platform/x86/intel-hid.c
+@@ -79,6 +79,13 @@ static const struct dmi_system_id button_array_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Wacom MobileStudio Pro 16"),
+ },
+ },
++ {
++ .ident = "HP Spectre x2 (2015)",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Spectre x2 Detachable"),
++ },
++ },
+ { }
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 262d07e314335386a7eacf58ad40804f83261561 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 20:29:50 +0200
+Subject: platform/x86: intel-vbtn: Also handle tablet-mode switch on
+ "Detachable" and "Portable" chassis-types
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 1fac39fd0316b19c3e57a182524332332d1643ce ]
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
+reporting SW_TABLET_MODE = 1 to userspace on laptops.
+
+Some devices with a detachable keyboard and using the intel-vbnt (INT33D6)
+interface to report if they are in tablet mode (keyboard detached) or not,
+report 32 / "Detachable" as chassis-type, e.g. the HP Pavilion X2 series.
+
+Other devices with a detachable keyboard and using the intel-vbnt (INT33D6)
+interface to report SW_TABLET_MODE, report 8 / "Portable" as chassis-type.
+The Dell Venue 11 Pro 7130 is an example of this.
+
+Extend the DMI chassis-type check to also accept Portables and Detachables
+so that the intel-vbtn driver will report SW_TABLET_MODE on these devices.
+
+Note the chassis-type check was originally added to avoid a false-positive
+tablet-mode report on the Dell XPS 9360 laptop. To the best of my knowledge
+that laptop is using a chassis-type of 9 / "Laptop", so after this commit
+we still ignore the tablet-switch for that chassis-type.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Mario Limonciello <Mario.limonciello@dell.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 500fae82e12c..4921fc15dc6c 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -158,12 +158,22 @@ static void detect_tablet_mode(struct platform_device *device)
+ static bool intel_vbtn_has_switches(acpi_handle handle)
+ {
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
++ unsigned long chassis_type_int;
+ unsigned long long vgbs;
+ acpi_status status;
+
+- if (!(chassis_type && strcmp(chassis_type, "31") == 0))
++ if (kstrtoul(chassis_type, 10, &chassis_type_int))
+ return false;
+
++ switch (chassis_type_int) {
++ case 8: /* Portable */
++ case 31: /* Convertible */
++ case 32: /* Detachable */
++ break;
++ default:
++ return false;
++ }
++
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ return ACPI_SUCCESS(status);
+ }
+--
+2.25.1
+
--- /dev/null
+From 2a9f00f4e774b3356dd97cb19f6c75299514a5b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 20:29:49 +0200
+Subject: platform/x86: intel-vbtn: Do not advertise switches to userspace if
+ they are not there
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 990fbb48067bf8cfa34b7d1e6e1674eaaef2f450 ]
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
+reporting SW_TABLET_MODE = 1 to userspace on laptops (specifically on the
+Dell XPS 9360), to avoid e.g. userspace ignoring touchpad events because
+userspace thought the device was in tablet-mode.
+
+But if we are not getting the initial status of the switch because the
+device does not have a tablet mode, then we really should not advertise
+the presence of a tablet-mode switch to userspace at all, as userspace may
+use the mere presence of this switch for certain heuristics.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 634096cef21a..500fae82e12c 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -55,6 +55,7 @@ static const struct key_entry intel_vbtn_switchmap[] = {
+ struct intel_vbtn_priv {
+ struct key_entry keymap[KEYMAP_LEN];
+ struct input_dev *input_dev;
++ bool has_switches;
+ bool wakeup_mode;
+ };
+
+@@ -70,7 +71,7 @@ static int intel_vbtn_input_setup(struct platform_device *device)
+ keymap_len += ARRAY_SIZE(intel_vbtn_keymap);
+ }
+
+- if (true) {
++ if (priv->has_switches) {
+ memcpy(&priv->keymap[keymap_len], intel_vbtn_switchmap,
+ ARRAY_SIZE(intel_vbtn_switchmap) *
+ sizeof(struct key_entry));
+@@ -138,16 +139,12 @@ out_unknown:
+
+ static void detect_tablet_mode(struct platform_device *device)
+ {
+- const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+ unsigned long long vgbs;
+ acpi_status status;
+ int m;
+
+- if (!(chassis_type && strcmp(chassis_type, "31") == 0))
+- return;
+-
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ if (ACPI_FAILURE(status))
+ return;
+@@ -158,6 +155,19 @@ static void detect_tablet_mode(struct platform_device *device)
+ input_report_switch(priv->input_dev, SW_DOCK, m);
+ }
+
++static bool intel_vbtn_has_switches(acpi_handle handle)
++{
++ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
++ unsigned long long vgbs;
++ acpi_status status;
++
++ if (!(chassis_type && strcmp(chassis_type, "31") == 0))
++ return false;
++
++ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
++ return ACPI_SUCCESS(status);
++}
++
+ static int intel_vbtn_probe(struct platform_device *device)
+ {
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+@@ -176,13 +186,16 @@ static int intel_vbtn_probe(struct platform_device *device)
+ return -ENOMEM;
+ dev_set_drvdata(&device->dev, priv);
+
++ priv->has_switches = intel_vbtn_has_switches(handle);
++
+ err = intel_vbtn_input_setup(device);
+ if (err) {
+ pr_err("Failed to setup Intel Virtual Button\n");
+ return err;
+ }
+
+- detect_tablet_mode(device);
++ if (priv->has_switches)
++ detect_tablet_mode(device);
+
+ status = acpi_install_notify_handler(handle,
+ ACPI_DEVICE_NOTIFY,
+--
+2.25.1
+
--- /dev/null
+From 11336e34ec49b22685250a56e2a0f0d2f9facda5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 20:39:16 +0200
+Subject: platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 /
+ "Laptop" chasis-type
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit cfae58ed681c5fe0185db843013ecc71cd265ebf ]
+
+The HP Stream x360 11-p000nd no longer report SW_TABLET_MODE state / events
+with recent kernels. This model reports a chassis-type of 10 / "Notebook"
+which is not on the recently introduced chassis-type whitelist
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a chassis-type whitelist and only listed 31 /
+"Convertible" as being capable of generating valid SW_TABLET_MOD events.
+
+Commit 1fac39fd0316 ("platform/x86: intel-vbtn: Also handle tablet-mode
+switch on "Detachable" and "Portable" chassis-types") extended the
+whitelist with chassis-types 8 / "Portable" and 32 / "Detachable".
+
+And now we need to exten the whitelist again with 10 / "Notebook"...
+
+The issue original fixed by the whitelist is really a ACPI DSDT bug on
+the Dell XPS 9360 where it has a VGBS which reports it is in tablet mode
+even though it is not a 2-in-1 at all, but a regular laptop.
+
+So since this is a workaround for a DSDT issue on that specific model,
+instead of extending the whitelist over and over again, lets switch to
+a blacklist and only blacklist the chassis-type of the model for which
+the chassis-type check was added.
+
+Note this also fixes the current version of the code no longer checking
+if dmi_get_system_info(DMI_CHASSIS_TYPE) returns NULL.
+
+Fixes: 1fac39fd0316 ("platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types")
+Cc: Mario Limonciello <mario.limonciello@dell.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Mario Limonciello <Mario.limonciello@dell.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 4921fc15dc6c..a05b80955dcd 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -158,21 +158,18 @@ static void detect_tablet_mode(struct platform_device *device)
+ static bool intel_vbtn_has_switches(acpi_handle handle)
+ {
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+- unsigned long chassis_type_int;
+ unsigned long long vgbs;
+ acpi_status status;
+
+- if (kstrtoul(chassis_type, 10, &chassis_type_int))
+- return false;
+-
+- switch (chassis_type_int) {
+- case 8: /* Portable */
+- case 31: /* Convertible */
+- case 32: /* Detachable */
+- break;
+- default:
++ /*
++ * Some normal laptops have a VGBS method despite being non-convertible
++ * and their VGBS method always returns 0, causing detect_tablet_mode()
++ * to report SW_TABLET_MODE=1 to userspace, which causes issues.
++ * These laptops have a DMI chassis_type of 9 ("Laptop"), do not report
++ * switches on any devices with a DMI chassis_type of 9.
++ */
++ if (chassis_type && strcmp(chassis_type, "9") == 0)
+ return false;
+- }
+
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ return ACPI_SUCCESS(status);
+--
+2.25.1
+
--- /dev/null
+From 7bf7c5a6338be186e9e1fd857cbf44a6789ac9f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 20:29:48 +0200
+Subject: platform/x86: intel-vbtn: Split keymap into buttons and switches
+ parts
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit f6ba524970c4b73b234bf41ecd6628f5803b1559 ]
+
+Split the sparse keymap into 2 separate keymaps, a buttons and a switches
+keymap and combine the 2 to a single map again in intel_vbtn_input_setup().
+
+This is a preparation patch for not telling userspace that we have switches
+when we do not have them (and for doing the same for the buttons).
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 191894d648bb..634096cef21a 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -40,14 +40,20 @@ static const struct key_entry intel_vbtn_keymap[] = {
+ { KE_IGNORE, 0xC7, { KEY_VOLUMEDOWN } }, /* volume-down key release */
+ { KE_KEY, 0xC8, { KEY_ROTATE_LOCK_TOGGLE } }, /* rotate-lock key press */
+ { KE_KEY, 0xC9, { KEY_ROTATE_LOCK_TOGGLE } }, /* rotate-lock key release */
++};
++
++static const struct key_entry intel_vbtn_switchmap[] = {
+ { KE_SW, 0xCA, { .sw = { SW_DOCK, 1 } } }, /* Docked */
+ { KE_SW, 0xCB, { .sw = { SW_DOCK, 0 } } }, /* Undocked */
+ { KE_SW, 0xCC, { .sw = { SW_TABLET_MODE, 1 } } }, /* Tablet */
+ { KE_SW, 0xCD, { .sw = { SW_TABLET_MODE, 0 } } }, /* Laptop */
+- { KE_END },
+ };
+
++#define KEYMAP_LEN \
++ (ARRAY_SIZE(intel_vbtn_keymap) + ARRAY_SIZE(intel_vbtn_switchmap) + 1)
++
+ struct intel_vbtn_priv {
++ struct key_entry keymap[KEYMAP_LEN];
+ struct input_dev *input_dev;
+ bool wakeup_mode;
+ };
+@@ -55,13 +61,29 @@ struct intel_vbtn_priv {
+ static int intel_vbtn_input_setup(struct platform_device *device)
+ {
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+- int ret;
++ int ret, keymap_len = 0;
++
++ if (true) {
++ memcpy(&priv->keymap[keymap_len], intel_vbtn_keymap,
++ ARRAY_SIZE(intel_vbtn_keymap) *
++ sizeof(struct key_entry));
++ keymap_len += ARRAY_SIZE(intel_vbtn_keymap);
++ }
++
++ if (true) {
++ memcpy(&priv->keymap[keymap_len], intel_vbtn_switchmap,
++ ARRAY_SIZE(intel_vbtn_switchmap) *
++ sizeof(struct key_entry));
++ keymap_len += ARRAY_SIZE(intel_vbtn_switchmap);
++ }
++
++ priv->keymap[keymap_len].type = KE_END;
+
+ priv->input_dev = devm_input_allocate_device(&device->dev);
+ if (!priv->input_dev)
+ return -ENOMEM;
+
+- ret = sparse_keymap_setup(priv->input_dev, intel_vbtn_keymap, NULL);
++ ret = sparse_keymap_setup(priv->input_dev, priv->keymap, NULL);
+ if (ret)
+ return ret;
+
+--
+2.25.1
+
--- /dev/null
+From 7471d2689f86059462af20d8d17e3497e376f43b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 20:29:47 +0200
+Subject: platform/x86: intel-vbtn: Use acpi_evaluate_integer()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 18937875a231d831c309716d6d8fc358f8381881 ]
+
+Use acpi_evaluate_integer() instead of open-coding it.
+
+This is a preparation patch for adding a intel_vbtn_has_switches()
+helper function.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index b5880936d785..191894d648bb 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -119,28 +119,21 @@ static void detect_tablet_mode(struct platform_device *device)
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+- struct acpi_buffer vgbs_output = { ACPI_ALLOCATE_BUFFER, NULL };
+- union acpi_object *obj;
++ unsigned long long vgbs;
+ acpi_status status;
+ int m;
+
+ if (!(chassis_type && strcmp(chassis_type, "31") == 0))
+- goto out;
++ return;
+
+- status = acpi_evaluate_object(handle, "VGBS", NULL, &vgbs_output);
++ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ if (ACPI_FAILURE(status))
+- goto out;
+-
+- obj = vgbs_output.pointer;
+- if (!(obj && obj->type == ACPI_TYPE_INTEGER))
+- goto out;
++ return;
+
+- m = !(obj->integer.value & TABLET_MODE_FLAG);
++ m = !(vgbs & TABLET_MODE_FLAG);
+ input_report_switch(priv->input_dev, SW_TABLET_MODE, m);
+- m = (obj->integer.value & DOCK_MODE_FLAG) ? 1 : 0;
++ m = (vgbs & DOCK_MODE_FLAG) ? 1 : 0;
+ input_report_switch(priv->input_dev, SW_DOCK, m);
+-out:
+- kfree(vgbs_output.pointer);
+ }
+
+ static int intel_vbtn_probe(struct platform_device *device)
+--
+2.25.1
+
--- /dev/null
+From e6191546ec375093245c367452649214ad29f16c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Apr 2020 10:48:06 +0200
+Subject: pmu/smmuv3: Clear IRQ affinity hint on device removal
+
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+
+[ Upstream commit 10f6cd2af21bb44faab31a50ec3361d7649e5a39 ]
+
+Currently when trying to remove the SMMUv3 PMU module we get a
+WARN_ON_ONCE from free_irq(), because the affinity hint set during probe
+hasn't been properly cleared.
+
+[ 238.878383] WARNING: CPU: 0 PID: 175 at kernel/irq/manage.c:1744 free_irq+0x324/0x358
+...
+[ 238.897263] Call trace:
+[ 238.897998] free_irq+0x324/0x358
+[ 238.898792] devm_irq_release+0x18/0x28
+[ 238.899189] release_nodes+0x1b0/0x228
+[ 238.899984] devres_release_all+0x38/0x60
+[ 238.900779] device_release_driver_internal+0x10c/0x1d0
+[ 238.901574] driver_detach+0x50/0xe0
+[ 238.902368] bus_remove_driver+0x5c/0xd8
+[ 238.903448] driver_unregister+0x30/0x60
+[ 238.903958] platform_driver_unregister+0x14/0x20
+[ 238.905075] arm_smmu_pmu_exit+0x1c/0xecc [arm_smmuv3_pmu]
+[ 238.905547] __arm64_sys_delete_module+0x14c/0x260
+[ 238.906342] el0_svc_common.constprop.0+0x74/0x178
+[ 238.907355] do_el0_svc+0x24/0x90
+[ 238.907932] el0_sync_handler+0x11c/0x198
+[ 238.908979] el0_sync+0x158/0x180
+
+Just like the other perf drivers, clear the affinity hint before
+releasing the device.
+
+Fixes: 7d839b4b9e00 ("perf/smmuv3: Add arm64 smmuv3 pmu driver")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Link: https://lore.kernel.org/r/20200422084805.237738-1-jean-philippe@linaro.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_smmuv3_pmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm_smmuv3_pmu.c b/drivers/perf/arm_smmuv3_pmu.c
+index f01a57e5a5f3..48e28ef93a70 100644
+--- a/drivers/perf/arm_smmuv3_pmu.c
++++ b/drivers/perf/arm_smmuv3_pmu.c
+@@ -814,7 +814,7 @@ static int smmu_pmu_probe(struct platform_device *pdev)
+ if (err) {
+ dev_err(dev, "Error %d registering hotplug, PMU @%pa\n",
+ err, &res_0->start);
+- return err;
++ goto out_clear_affinity;
+ }
+
+ err = perf_pmu_register(&smmu_pmu->pmu, name, -1);
+@@ -833,6 +833,8 @@ static int smmu_pmu_probe(struct platform_device *pdev)
+
+ out_unregister:
+ cpuhp_state_remove_instance_nocalls(cpuhp_state_num, &smmu_pmu->node);
++out_clear_affinity:
++ irq_set_affinity_hint(smmu_pmu->irq, NULL);
+ return err;
+ }
+
+@@ -842,6 +844,7 @@ static int smmu_pmu_remove(struct platform_device *pdev)
+
+ perf_pmu_unregister(&smmu_pmu->pmu);
+ cpuhp_state_remove_instance_nocalls(cpuhp_state_num, &smmu_pmu->node);
++ irq_set_affinity_hint(smmu_pmu->irq, NULL);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From cc3eda22a94ff05958ed84c7dc696c03236cfc9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 12:12:50 +0200
+Subject: powerpc/spufs: fix copy_to_user while atomic
+
+From: Jeremy Kerr <jk@ozlabs.org>
+
+[ Upstream commit 88413a6bfbbe2f648df399b62f85c934460b7a4d ]
+
+Currently, we may perform a copy_to_user (through
+simple_read_from_buffer()) while holding a context's register_lock,
+while accessing the context save area.
+
+This change uses a temporary buffer for the context save area data,
+which we then pass to simple_read_from_buffer.
+
+Includes changes from Christoph Hellwig <hch@lst.de>.
+
+Fixes: bf1ab978be23 ("[POWERPC] coredump: Add SPU elf notes to coredump.")
+Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+[hch: renamed to function to avoid ___-prefixes]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/spufs/file.c | 113 +++++++++++++++--------
+ 1 file changed, 75 insertions(+), 38 deletions(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
+index c0f950a3f4e1..f4a4dfb191e7 100644
+--- a/arch/powerpc/platforms/cell/spufs/file.c
++++ b/arch/powerpc/platforms/cell/spufs/file.c
+@@ -1978,8 +1978,9 @@ static ssize_t __spufs_mbox_info_read(struct spu_context *ctx,
+ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+- int ret;
+ struct spu_context *ctx = file->private_data;
++ u32 stat, data;
++ int ret;
+
+ if (!access_ok(buf, len))
+ return -EFAULT;
+@@ -1988,11 +1989,16 @@ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_mbox_info_read(ctx, buf, len, pos);
++ stat = ctx->csa.prob.mb_stat_R;
++ data = ctx->csa.prob.pu_mb_R;
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ /* EOF if there's no entry in the mbox */
++ if (!(stat & 0x0000ff))
++ return 0;
++
++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data));
+ }
+
+ static const struct file_operations spufs_mbox_info_fops = {
+@@ -2019,6 +2025,7 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ u32 stat, data;
+ int ret;
+
+ if (!access_ok(buf, len))
+@@ -2028,11 +2035,16 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_ibox_info_read(ctx, buf, len, pos);
++ stat = ctx->csa.prob.mb_stat_R;
++ data = ctx->csa.priv2.puint_mb_R;
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ /* EOF if there's no entry in the ibox */
++ if (!(stat & 0xff0000))
++ return 0;
++
++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data));
+ }
+
+ static const struct file_operations spufs_ibox_info_fops = {
+@@ -2041,6 +2053,11 @@ static const struct file_operations spufs_ibox_info_fops = {
+ .llseek = generic_file_llseek,
+ };
+
++static size_t spufs_wbox_info_cnt(struct spu_context *ctx)
++{
++ return (4 - ((ctx->csa.prob.mb_stat_R & 0x00ff00) >> 8)) * sizeof(u32);
++}
++
+ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx,
+ char __user *buf, size_t len, loff_t *pos)
+ {
+@@ -2049,7 +2066,7 @@ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx,
+ u32 wbox_stat;
+
+ wbox_stat = ctx->csa.prob.mb_stat_R;
+- cnt = 4 - ((wbox_stat & 0x00ff00) >> 8);
++ cnt = spufs_wbox_info_cnt(ctx);
+ for (i = 0; i < cnt; i++) {
+ data[i] = ctx->csa.spu_mailbox_data[i];
+ }
+@@ -2062,7 +2079,8 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
+- int ret;
++ u32 data[ARRAY_SIZE(ctx->csa.spu_mailbox_data)];
++ int ret, count;
+
+ if (!access_ok(buf, len))
+ return -EFAULT;
+@@ -2071,11 +2089,13 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_wbox_info_read(ctx, buf, len, pos);
++ count = spufs_wbox_info_cnt(ctx);
++ memcpy(&data, &ctx->csa.spu_mailbox_data, sizeof(data));
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &data,
++ count * sizeof(u32));
+ }
+
+ static const struct file_operations spufs_wbox_info_fops = {
+@@ -2084,27 +2104,33 @@ static const struct file_operations spufs_wbox_info_fops = {
+ .llseek = generic_file_llseek,
+ };
+
+-static ssize_t __spufs_dma_info_read(struct spu_context *ctx,
+- char __user *buf, size_t len, loff_t *pos)
++static void spufs_get_dma_info(struct spu_context *ctx,
++ struct spu_dma_info *info)
+ {
+- struct spu_dma_info info;
+- struct mfc_cq_sr *qp, *spuqp;
+ int i;
+
+- info.dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW;
+- info.dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0];
+- info.dma_info_status = ctx->csa.spu_chnldata_RW[24];
+- info.dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25];
+- info.dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27];
++ info->dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW;
++ info->dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0];
++ info->dma_info_status = ctx->csa.spu_chnldata_RW[24];
++ info->dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25];
++ info->dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27];
+ for (i = 0; i < 16; i++) {
+- qp = &info.dma_info_command_data[i];
+- spuqp = &ctx->csa.priv2.spuq[i];
++ struct mfc_cq_sr *qp = &info->dma_info_command_data[i];
++ struct mfc_cq_sr *spuqp = &ctx->csa.priv2.spuq[i];
+
+ qp->mfc_cq_data0_RW = spuqp->mfc_cq_data0_RW;
+ qp->mfc_cq_data1_RW = spuqp->mfc_cq_data1_RW;
+ qp->mfc_cq_data2_RW = spuqp->mfc_cq_data2_RW;
+ qp->mfc_cq_data3_RW = spuqp->mfc_cq_data3_RW;
+ }
++}
++
++static ssize_t __spufs_dma_info_read(struct spu_context *ctx,
++ char __user *buf, size_t len, loff_t *pos)
++{
++ struct spu_dma_info info;
++
++ spufs_get_dma_info(ctx, &info);
+
+ return simple_read_from_buffer(buf, len, pos, &info,
+ sizeof info);
+@@ -2114,6 +2140,7 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ struct spu_dma_info info;
+ int ret;
+
+ if (!access_ok(buf, len))
+@@ -2123,11 +2150,12 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_dma_info_read(ctx, buf, len, pos);
++ spufs_get_dma_info(ctx, &info);
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &info,
++ sizeof(info));
+ }
+
+ static const struct file_operations spufs_dma_info_fops = {
+@@ -2136,13 +2164,31 @@ static const struct file_operations spufs_dma_info_fops = {
+ .llseek = no_llseek,
+ };
+
++static void spufs_get_proxydma_info(struct spu_context *ctx,
++ struct spu_proxydma_info *info)
++{
++ int i;
++
++ info->proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
++ info->proxydma_info_mask = ctx->csa.prob.dma_querymask_RW;
++ info->proxydma_info_status = ctx->csa.prob.dma_tagstatus_R;
++
++ for (i = 0; i < 8; i++) {
++ struct mfc_cq_sr *qp = &info->proxydma_info_command_data[i];
++ struct mfc_cq_sr *puqp = &ctx->csa.priv2.puq[i];
++
++ qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW;
++ qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW;
++ qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW;
++ qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW;
++ }
++}
++
+ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
+ char __user *buf, size_t len, loff_t *pos)
+ {
+ struct spu_proxydma_info info;
+- struct mfc_cq_sr *qp, *puqp;
+ int ret = sizeof info;
+- int i;
+
+ if (len < ret)
+ return -EINVAL;
+@@ -2150,18 +2196,7 @@ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
+ if (!access_ok(buf, len))
+ return -EFAULT;
+
+- info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
+- info.proxydma_info_mask = ctx->csa.prob.dma_querymask_RW;
+- info.proxydma_info_status = ctx->csa.prob.dma_tagstatus_R;
+- for (i = 0; i < 8; i++) {
+- qp = &info.proxydma_info_command_data[i];
+- puqp = &ctx->csa.priv2.puq[i];
+-
+- qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW;
+- qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW;
+- qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW;
+- qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW;
+- }
++ spufs_get_proxydma_info(ctx, &info);
+
+ return simple_read_from_buffer(buf, len, pos, &info,
+ sizeof info);
+@@ -2171,17 +2206,19 @@ static ssize_t spufs_proxydma_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ struct spu_proxydma_info info;
+ int ret;
+
+ ret = spu_acquire_saved(ctx);
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_proxydma_info_read(ctx, buf, len, pos);
++ spufs_get_proxydma_info(ctx, &info);
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &info,
++ sizeof(info));
+ }
+
+ static const struct file_operations spufs_proxydma_info_fops = {
+--
+2.25.1
+
--- /dev/null
+From 7a41fbef7d0dbfe096c1b58332c2f86cb7443767 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 22:17:21 +0800
+Subject: raid5: remove gfp flags from scribble_alloc()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit ba54d4d4d2844c234f1b4692bd8c9e0f833c8a54 ]
+
+Using GFP_NOIO flag to call scribble_alloc() from resize_chunk() does
+not have the expected behavior. kvmalloc_array() inside scribble_alloc()
+which receives the GFP_NOIO flag will eventually call kmalloc_node() to
+allocate physically continuous pages.
+
+Now we have memalloc scope APIs in mddev_suspend()/mddev_resume() to
+prevent memory reclaim I/Os during raid array suspend context, calling
+to kvmalloc_array() with GFP_KERNEL flag may avoid deadlock of recursive
+I/O as expected.
+
+This patch removes the useless gfp flags from parameters list of
+scribble_alloc(), and call kvmalloc_array() with GFP_KERNEL flag. The
+incorrect GFP_NOIO flag does not exist anymore.
+
+Fixes: b330e6a49dc3 ("md: convert to kvmalloc")
+Suggested-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index ba00e9877f02..190dd70db514 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -2228,14 +2228,19 @@ static int grow_stripes(struct r5conf *conf, int num)
+ * of the P and Q blocks.
+ */
+ static int scribble_alloc(struct raid5_percpu *percpu,
+- int num, int cnt, gfp_t flags)
++ int num, int cnt)
+ {
+ size_t obj_size =
+ sizeof(struct page *) * (num+2) +
+ sizeof(addr_conv_t) * (num+2);
+ void *scribble;
+
+- scribble = kvmalloc_array(cnt, obj_size, flags);
++ /*
++ * If here is in raid array suspend context, it is in memalloc noio
++ * context as well, there is no potential recursive memory reclaim
++ * I/Os with the GFP_KERNEL flag.
++ */
++ scribble = kvmalloc_array(cnt, obj_size, GFP_KERNEL);
+ if (!scribble)
+ return -ENOMEM;
+
+@@ -2267,8 +2272,7 @@ static int resize_chunks(struct r5conf *conf, int new_disks, int new_sectors)
+
+ percpu = per_cpu_ptr(conf->percpu, cpu);
+ err = scribble_alloc(percpu, new_disks,
+- new_sectors / STRIPE_SECTORS,
+- GFP_NOIO);
++ new_sectors / STRIPE_SECTORS);
+ if (err)
+ break;
+ }
+@@ -6759,8 +6763,7 @@ static int alloc_scratch_buffer(struct r5conf *conf, struct raid5_percpu *percpu
+ conf->previous_raid_disks),
+ max(conf->chunk_sectors,
+ conf->prev_chunk_sectors)
+- / STRIPE_SECTORS,
+- GFP_KERNEL)) {
++ / STRIPE_SECTORS)) {
+ free_scratch_buffer(conf, percpu);
+ return -ENOMEM;
+ }
+--
+2.25.1
+
--- /dev/null
+From d2d24d530755623e4f61bdc2aa9a5a500638ae1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 22:37:08 -0700
+Subject: regulator: qcom-rpmh: Fix typos in pm8150 and pm8150l
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 906746ba26d0b45688f4c3b730c35f765dc958ba ]
+
+Fix typos in pm8150 l13/l16/l17 and pm8150l ldo8 supplies.
+
+Fixes: 06369bcc15a1 ("regulator: qcom-rpmh: Add support for SM8150")
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Tested-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Link: https://lore.kernel.org/r/20200415053708.717623-1-bjorn.andersson@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/qcom-rpmh-regulator.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/regulator/qcom-rpmh-regulator.c b/drivers/regulator/qcom-rpmh-regulator.c
+index c86ad40015ce..c88cfa8952d6 100644
+--- a/drivers/regulator/qcom-rpmh-regulator.c
++++ b/drivers/regulator/qcom-rpmh-regulator.c
+@@ -832,11 +832,11 @@ static const struct rpmh_vreg_init_data pm8150_vreg_data[] = {
+ RPMH_VREG("ldo10", "ldo%s10", &pmic5_pldo, "vdd-l2-l10"),
+ RPMH_VREG("ldo11", "ldo%s11", &pmic5_nldo, "vdd-l1-l8-l11"),
+ RPMH_VREG("ldo12", "ldo%s12", &pmic5_pldo_lv, "vdd-l7-l12-l14-l15"),
+- RPMH_VREG("ldo13", "ldo%s13", &pmic5_pldo, "vdd-l13-l6-l17"),
++ RPMH_VREG("ldo13", "ldo%s13", &pmic5_pldo, "vdd-l13-l16-l17"),
+ RPMH_VREG("ldo14", "ldo%s14", &pmic5_pldo_lv, "vdd-l7-l12-l14-l15"),
+ RPMH_VREG("ldo15", "ldo%s15", &pmic5_pldo_lv, "vdd-l7-l12-l14-l15"),
+- RPMH_VREG("ldo16", "ldo%s16", &pmic5_pldo, "vdd-l13-l6-l17"),
+- RPMH_VREG("ldo17", "ldo%s17", &pmic5_pldo, "vdd-l13-l6-l17"),
++ RPMH_VREG("ldo16", "ldo%s16", &pmic5_pldo, "vdd-l13-l16-l17"),
++ RPMH_VREG("ldo17", "ldo%s17", &pmic5_pldo, "vdd-l13-l16-l17"),
+ RPMH_VREG("ldo18", "ldo%s18", &pmic5_nldo, "vdd-l3-l4-l5-l18"),
+ {},
+ };
+@@ -857,7 +857,7 @@ static const struct rpmh_vreg_init_data pm8150l_vreg_data[] = {
+ RPMH_VREG("ldo5", "ldo%s5", &pmic5_pldo, "vdd-l4-l5-l6"),
+ RPMH_VREG("ldo6", "ldo%s6", &pmic5_pldo, "vdd-l4-l5-l6"),
+ RPMH_VREG("ldo7", "ldo%s7", &pmic5_pldo, "vdd-l7-l11"),
+- RPMH_VREG("ldo8", "ldo%s8", &pmic5_pldo_lv, "vdd-l1-l8-l11"),
++ RPMH_VREG("ldo8", "ldo%s8", &pmic5_pldo_lv, "vdd-l1-l8"),
+ RPMH_VREG("ldo9", "ldo%s9", &pmic5_pldo, "vdd-l9-l10"),
+ RPMH_VREG("ldo10", "ldo%s10", &pmic5_pldo, "vdd-l9-l10"),
+ RPMH_VREG("ldo11", "ldo%s11", &pmic5_pldo, "vdd-l7-l11"),
+--
+2.25.1
+
--- /dev/null
+From 7aceed6ebfc39a1d700f54049cab20fa47802384 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 May 2020 12:39:51 +0300
+Subject: rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit beb12813bc75d4a23de43b85ad1c7cb28d27631e ]
+
+Seven years ago we tried to fix a leak but actually introduced a double
+free instead. It was an understandable mistake because the code was a
+bit confusing and the free was done in the wrong place. The "skb"
+pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit().
+The free belongs _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup()
+and I've cleaned the code up a bit to hopefully make it more clear.
+
+Fixes: 36ef0b473fbf ("rtlwifi: usb: add missing freeing of skbuff")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200513093951.GD347693@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index 348b0072cdd6..c66c6dc00378 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -881,10 +881,8 @@ static struct urb *_rtl_usb_tx_urb_setup(struct ieee80211_hw *hw,
+
+ WARN_ON(NULL == skb);
+ _urb = usb_alloc_urb(0, GFP_ATOMIC);
+- if (!_urb) {
+- kfree_skb(skb);
++ if (!_urb)
+ return NULL;
+- }
+ _rtl_install_trx_info(rtlusb, skb, ep_num);
+ usb_fill_bulk_urb(_urb, rtlusb->udev, usb_sndbulkpipe(rtlusb->udev,
+ ep_num), skb->data, skb->len, _rtl_tx_complete, skb);
+@@ -898,7 +896,6 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb,
+ struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw));
+ u32 ep_num;
+ struct urb *_urb = NULL;
+- struct sk_buff *_skb = NULL;
+
+ WARN_ON(NULL == rtlusb->usb_tx_aggregate_hdl);
+ if (unlikely(IS_USB_STOP(rtlusb))) {
+@@ -907,8 +904,7 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb,
+ return;
+ }
+ ep_num = rtlusb->ep_map.ep_mapping[qnum];
+- _skb = skb;
+- _urb = _rtl_usb_tx_urb_setup(hw, _skb, ep_num);
++ _urb = _rtl_usb_tx_urb_setup(hw, skb, ep_num);
+ if (unlikely(!_urb)) {
+ pr_err("Can't allocate urb. Drop skb!\n");
+ kfree_skb(skb);
+--
+2.25.1
+
--- /dev/null
+From ed89407c98f64915de5dd113f7e61c819b21f90a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 16:34:42 +0800
+Subject: rtw88: fix an issue about leak system resources
+
+From: Dejin Zheng <zhengdejin5@gmail.com>
+
+[ Upstream commit 191f6b08bfef24e1a9641eaac96ed030a7be4599 ]
+
+the related system resources were not released when pci_iomap() return
+error in the rtw_pci_io_mapping() function. add pci_release_regions() to
+fix it.
+
+Fixes: e3037485c68ec1a ("rtw88: new Realtek 802.11ac driver")
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
+Acked-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200504083442.3033-1-zhengdejin5@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c
+index 1af87eb2e53a..d735f3127fe8 100644
+--- a/drivers/net/wireless/realtek/rtw88/pci.c
++++ b/drivers/net/wireless/realtek/rtw88/pci.c
+@@ -1091,6 +1091,7 @@ static int rtw_pci_io_mapping(struct rtw_dev *rtwdev,
+ len = pci_resource_len(pdev, bar_id);
+ rtwpci->mmap = pci_iomap(pdev, bar_id, len);
+ if (!rtwpci->mmap) {
++ pci_release_regions(pdev);
+ rtw_err(rtwdev, "failed to map pci memory\n");
+ return -ENOMEM;
+ }
+--
+2.25.1
+
--- /dev/null
+From 99e2e1d2d2a755430b3a3f20f070dbc6f451f59a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2020 19:43:39 +0200
+Subject: s390/bpf: Maintain 8-byte stack alignment
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit effe5be17706167ee968fa28afe40dec9c6f71db ]
+
+Certain kernel functions (e.g. get_vtimer/set_vtimer) cause kernel
+panic when the stack is not 8-byte aligned. Currently JITed BPF programs
+may trigger this by allocating stack frames with non-rounded sizes and
+then being interrupted. Fix by using rounded fp->aux->stack_depth.
+
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20200602174339.2501066-1-iii@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 8d2134136290..0f37a1b635f8 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -594,7 +594,7 @@ static void bpf_jit_epilogue(struct bpf_jit *jit, u32 stack_depth)
+ * stack space for the large switch statement.
+ */
+ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
+- int i, bool extra_pass)
++ int i, bool extra_pass, u32 stack_depth)
+ {
+ struct bpf_insn *insn = &fp->insnsi[i];
+ u32 dst_reg = insn->dst_reg;
+@@ -1207,7 +1207,7 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
+ */
+
+ if (jit->seen & SEEN_STACK)
+- off = STK_OFF_TCCNT + STK_OFF + fp->aux->stack_depth;
++ off = STK_OFF_TCCNT + STK_OFF + stack_depth;
+ else
+ off = STK_OFF_TCCNT;
+ /* lhi %w0,1 */
+@@ -1249,7 +1249,7 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
+ /*
+ * Restore registers before calling function
+ */
+- save_restore_regs(jit, REGS_RESTORE, fp->aux->stack_depth);
++ save_restore_regs(jit, REGS_RESTORE, stack_depth);
+
+ /*
+ * goto *(prog->bpf_func + tail_call_start);
+@@ -1519,7 +1519,7 @@ static int bpf_set_addr(struct bpf_jit *jit, int i)
+ * Compile eBPF program into s390x code
+ */
+ static int bpf_jit_prog(struct bpf_jit *jit, struct bpf_prog *fp,
+- bool extra_pass)
++ bool extra_pass, u32 stack_depth)
+ {
+ int i, insn_count, lit32_size, lit64_size;
+
+@@ -1527,18 +1527,18 @@ static int bpf_jit_prog(struct bpf_jit *jit, struct bpf_prog *fp,
+ jit->lit64 = jit->lit64_start;
+ jit->prg = 0;
+
+- bpf_jit_prologue(jit, fp->aux->stack_depth);
++ bpf_jit_prologue(jit, stack_depth);
+ if (bpf_set_addr(jit, 0) < 0)
+ return -1;
+ for (i = 0; i < fp->len; i += insn_count) {
+- insn_count = bpf_jit_insn(jit, fp, i, extra_pass);
++ insn_count = bpf_jit_insn(jit, fp, i, extra_pass, stack_depth);
+ if (insn_count < 0)
+ return -1;
+ /* Next instruction address */
+ if (bpf_set_addr(jit, i + insn_count) < 0)
+ return -1;
+ }
+- bpf_jit_epilogue(jit, fp->aux->stack_depth);
++ bpf_jit_epilogue(jit, stack_depth);
+
+ lit32_size = jit->lit32 - jit->lit32_start;
+ lit64_size = jit->lit64 - jit->lit64_start;
+@@ -1569,6 +1569,7 @@ struct s390_jit_data {
+ */
+ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
+ {
++ u32 stack_depth = round_up(fp->aux->stack_depth, 8);
+ struct bpf_prog *tmp, *orig_fp = fp;
+ struct bpf_binary_header *header;
+ struct s390_jit_data *jit_data;
+@@ -1621,7 +1622,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
+ * - 3: Calculate program size and addrs arrray
+ */
+ for (pass = 1; pass <= 3; pass++) {
+- if (bpf_jit_prog(&jit, fp, extra_pass)) {
++ if (bpf_jit_prog(&jit, fp, extra_pass, stack_depth)) {
+ fp = orig_fp;
+ goto free_addrs;
+ }
+@@ -1635,7 +1636,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
+ goto free_addrs;
+ }
+ skip_init_ctx:
+- if (bpf_jit_prog(&jit, fp, extra_pass)) {
++ if (bpf_jit_prog(&jit, fp, extra_pass, stack_depth)) {
+ bpf_jit_binary_free(header);
+ fp = orig_fp;
+ goto free_addrs;
+--
+2.25.1
+
--- /dev/null
+From 580150e3a467a481cc00f9a90b0ec851c33a6a98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2020 17:40:33 -0400
+Subject: sched/core: Fix illegal RCU from offline CPUs
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit bf2c59fce4074e55d622089b34be3a6bc95484fb ]
+
+In the CPU-offline process, it calls mmdrop() after idle entry and the
+subsequent call to cpuhp_report_idle_dead(). Once execution passes the
+call to rcu_report_dead(), RCU is ignoring the CPU, which results in
+lockdep complaining when mmdrop() uses RCU from either memcg or
+debugobjects below.
+
+Fix it by cleaning up the active_mm state from BP instead. Every arch
+which has CONFIG_HOTPLUG_CPU should have already called idle_task_exit()
+from AP. The only exception is parisc because it switches them to
+&init_mm unconditionally (see smp_boot_one_cpu() and smp_cpu_init()),
+but the patch will still work there because it calls mmgrab(&init_mm) in
+smp_cpu_init() and then should call mmdrop(&init_mm) in finish_cpu().
+
+ WARNING: suspicious RCU usage
+ -----------------------------
+ kernel/workqueue.c:710 RCU or wq_pool_mutex should be held!
+
+ other info that might help us debug this:
+
+ RCU used illegally from offline CPU!
+ Call Trace:
+ dump_stack+0xf4/0x164 (unreliable)
+ lockdep_rcu_suspicious+0x140/0x164
+ get_work_pool+0x110/0x150
+ __queue_work+0x1bc/0xca0
+ queue_work_on+0x114/0x120
+ css_release+0x9c/0xc0
+ percpu_ref_put_many+0x204/0x230
+ free_pcp_prepare+0x264/0x570
+ free_unref_page+0x38/0xf0
+ __mmdrop+0x21c/0x2c0
+ idle_task_exit+0x170/0x1b0
+ pnv_smp_cpu_kill_self+0x38/0x2e0
+ cpu_die+0x48/0x64
+ arch_cpu_idle_dead+0x30/0x50
+ do_idle+0x2f4/0x470
+ cpu_startup_entry+0x38/0x40
+ start_secondary+0x7a8/0xa80
+ start_secondary_resume+0x10/0x14
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Link: https://lkml.kernel.org/r/20200401214033.8448-1-cai@lca.pw
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/smp.c | 1 -
+ include/linux/sched/mm.h | 2 ++
+ kernel/cpu.c | 18 +++++++++++++++++-
+ kernel/sched/core.c | 5 +++--
+ 4 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c
+index 13e251699346..b2ba3e95bda7 100644
+--- a/arch/powerpc/platforms/powernv/smp.c
++++ b/arch/powerpc/platforms/powernv/smp.c
+@@ -167,7 +167,6 @@ static void pnv_smp_cpu_kill_self(void)
+ /* Standard hot unplug procedure */
+
+ idle_task_exit();
+- current->active_mm = NULL; /* for sanity */
+ cpu = smp_processor_id();
+ DBG("CPU%d offline\n", cpu);
+ generic_set_cpu_dead(cpu);
+diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
+index c49257a3b510..a132d875d351 100644
+--- a/include/linux/sched/mm.h
++++ b/include/linux/sched/mm.h
+@@ -49,6 +49,8 @@ static inline void mmdrop(struct mm_struct *mm)
+ __mmdrop(mm);
+ }
+
++void mmdrop(struct mm_struct *mm);
++
+ /*
+ * This has to be called after a get_task_mm()/mmget_not_zero()
+ * followed by taking the mmap_sem for writing before modifying the
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 2371292f30b0..244d30544377 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -3,6 +3,7 @@
+ *
+ * This code is licenced under the GPL.
+ */
++#include <linux/sched/mm.h>
+ #include <linux/proc_fs.h>
+ #include <linux/smp.h>
+ #include <linux/init.h>
+@@ -564,6 +565,21 @@ static int bringup_cpu(unsigned int cpu)
+ return bringup_wait_for_ap(cpu);
+ }
+
++static int finish_cpu(unsigned int cpu)
++{
++ struct task_struct *idle = idle_thread_get(cpu);
++ struct mm_struct *mm = idle->active_mm;
++
++ /*
++ * idle_task_exit() will have switched to &init_mm, now
++ * clean up any remaining active_mm state.
++ */
++ if (mm != &init_mm)
++ idle->active_mm = &init_mm;
++ mmdrop(mm);
++ return 0;
++}
++
+ /*
+ * Hotplug state machine related functions
+ */
+@@ -1549,7 +1565,7 @@ static struct cpuhp_step cpuhp_hp_states[] = {
+ [CPUHP_BRINGUP_CPU] = {
+ .name = "cpu:bringup",
+ .startup.single = bringup_cpu,
+- .teardown.single = NULL,
++ .teardown.single = finish_cpu,
+ .cant_stop = true,
+ },
+ /* Final state before CPU kills itself */
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 9a2fbf98fd6f..0bbf387d0f19 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -6190,13 +6190,14 @@ void idle_task_exit(void)
+ struct mm_struct *mm = current->active_mm;
+
+ BUG_ON(cpu_online(smp_processor_id()));
++ BUG_ON(current != this_rq()->idle);
+
+ if (mm != &init_mm) {
+ switch_mm(mm, &init_mm, current);
+- current->active_mm = &init_mm;
+ finish_arch_post_lock_switch();
+ }
+- mmdrop(mm);
++
++ /* finish_cpu(), as ran on the BP, will clean up the active_mm state */
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 32696fc4cf3ae2e46312cfd73aec9f72a676b401 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Apr 2020 18:52:48 +0800
+Subject: sched: Defend cfs and rt bandwidth quota against overflow
+
+From: Huaixin Chang <changhuaixin@linux.alibaba.com>
+
+[ Upstream commit d505b8af58912ae1e1a211fabc9995b19bd40828 ]
+
+When users write some huge number into cpu.cfs_quota_us or
+cpu.rt_runtime_us, overflow might happen during to_ratio() shifts of
+schedulable checks.
+
+to_ratio() could be altered to avoid unnecessary internal overflow, but
+min_cfs_quota_period is less than 1 << BW_SHIFT, so a cutoff would still
+be needed. Set a cap MAX_BW for cfs_quota_us and rt_runtime_us to
+prevent overflow.
+
+Signed-off-by: Huaixin Chang <changhuaixin@linux.alibaba.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Ben Segall <bsegall@google.com>
+Link: https://lkml.kernel.org/r/20200425105248.60093-1-changhuaixin@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 8 ++++++++
+ kernel/sched/rt.c | 12 +++++++++++-
+ kernel/sched/sched.h | 2 ++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 0bbf387d0f19..5eccfb816d23 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7386,6 +7386,8 @@ static DEFINE_MUTEX(cfs_constraints_mutex);
+
+ const u64 max_cfs_quota_period = 1 * NSEC_PER_SEC; /* 1s */
+ static const u64 min_cfs_quota_period = 1 * NSEC_PER_MSEC; /* 1ms */
++/* More than 203 days if BW_SHIFT equals 20. */
++static const u64 max_cfs_runtime = MAX_BW * NSEC_PER_USEC;
+
+ static int __cfs_schedulable(struct task_group *tg, u64 period, u64 runtime);
+
+@@ -7413,6 +7415,12 @@ static int tg_set_cfs_bandwidth(struct task_group *tg, u64 period, u64 quota)
+ if (period > max_cfs_quota_period)
+ return -EINVAL;
+
++ /*
++ * Bound quota to defend quota against overflow during bandwidth shift.
++ */
++ if (quota != RUNTIME_INF && quota > max_cfs_runtime)
++ return -EINVAL;
++
+ /*
+ * Prevent race between setting of cfs_rq->runtime_enabled and
+ * unthrottle_offline_cfs_rqs().
+diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
+index df11d88c9895..6d60ba21ed29 100644
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -9,6 +9,8 @@
+
+ int sched_rr_timeslice = RR_TIMESLICE;
+ int sysctl_sched_rr_timeslice = (MSEC_PER_SEC / HZ) * RR_TIMESLICE;
++/* More than 4 hours if BW_SHIFT equals 20. */
++static const u64 max_rt_runtime = MAX_BW;
+
+ static int do_sched_rt_period_timer(struct rt_bandwidth *rt_b, int overrun);
+
+@@ -2585,6 +2587,12 @@ static int tg_set_rt_bandwidth(struct task_group *tg,
+ if (rt_period == 0)
+ return -EINVAL;
+
++ /*
++ * Bound quota to defend quota against overflow during bandwidth shift.
++ */
++ if (rt_runtime != RUNTIME_INF && rt_runtime > max_rt_runtime)
++ return -EINVAL;
++
+ mutex_lock(&rt_constraints_mutex);
+ err = __rt_schedulable(tg, rt_period, rt_runtime);
+ if (err)
+@@ -2702,7 +2710,9 @@ static int sched_rt_global_validate(void)
+ return -EINVAL;
+
+ if ((sysctl_sched_rt_runtime != RUNTIME_INF) &&
+- (sysctl_sched_rt_runtime > sysctl_sched_rt_period))
++ ((sysctl_sched_rt_runtime > sysctl_sched_rt_period) ||
++ ((u64)sysctl_sched_rt_runtime *
++ NSEC_PER_USEC > max_rt_runtime)))
+ return -EINVAL;
+
+ return 0;
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index db3a57675ccf..1f58677a8f23 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -1918,6 +1918,8 @@ extern void init_dl_inactive_task_timer(struct sched_dl_entity *dl_se);
+ #define BW_SHIFT 20
+ #define BW_UNIT (1 << BW_SHIFT)
+ #define RATIO_SHIFT 8
++#define MAX_BW_BITS (64 - BW_SHIFT)
++#define MAX_BW ((1ULL << MAX_BW_BITS) - 1)
+ unsigned long to_ratio(u64 period, u64 runtime);
+
+ extern void init_entity_runnable_average(struct sched_entity *se);
+--
+2.25.1
+
--- /dev/null
+From b36a332251abeaf39930c6bbd837785252f3173d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2020 10:44:21 +0800
+Subject: sched/fair: Refill bandwidth before scaling
+
+From: Huaixin Chang <changhuaixin@linux.alibaba.com>
+
+[ Upstream commit 5a6d6a6ccb5f48ca8cf7c6d64ff83fd9c7999390 ]
+
+In order to prevent possible hardlockup of sched_cfs_period_timer()
+loop, loop count is introduced to denote whether to scale quota and
+period or not. However, scale is done between forwarding period timer
+and refilling cfs bandwidth runtime, which means that period timer is
+forwarded with old "period" while runtime is refilled with scaled
+"quota".
+
+Move do_sched_cfs_period_timer() before scaling to solve this.
+
+Fixes: 2e8e19226398 ("sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup")
+Signed-off-by: Huaixin Chang <changhuaixin@linux.alibaba.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Ben Segall <bsegall@google.com>
+Reviewed-by: Phil Auld <pauld@redhat.com>
+Link: https://lkml.kernel.org/r/20200420024421.22442-3-changhuaixin@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index da3e5b54715b..2ae7e30ccb33 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -5170,6 +5170,8 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
+ if (!overrun)
+ break;
+
++ idle = do_sched_cfs_period_timer(cfs_b, overrun, flags);
++
+ if (++count > 3) {
+ u64 new, old = ktime_to_ns(cfs_b->period);
+
+@@ -5199,8 +5201,6 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
+ /* reset count so we don't come right back in here */
+ count = 0;
+ }
+-
+- idle = do_sched_cfs_period_timer(cfs_b, overrun, flags);
+ }
+ if (idle)
+ cfs_b->period_active = 0;
+--
+2.25.1
+
--- /dev/null
+From 375f8279977f7dd3e472b4960af48b0cbcf4f669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 18:56:11 +0200
+Subject: scripts: sphinx-pre-install: address some issues with Gentoo
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit e45a631742fadd7c9feb5a0049382102e5d43fe7 ]
+
+There are some small misdetections with Gentoo. While they
+don't cause too much trouble, it keeps recomending to
+install things that are already there.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Link: https://lore.kernel.org/r/7f631edce102b02ccbdbfb18be1376a86b41373d.1586883286.git.mchehab+huawei@kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/sphinx-pre-install | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
+index fa3fb05cd54b..09b38ee38ce8 100755
+--- a/scripts/sphinx-pre-install
++++ b/scripts/sphinx-pre-install
+@@ -557,7 +557,8 @@ sub give_gentoo_hints()
+ "media-fonts/dejavu", 2) if ($pdf);
+
+ if ($pdf) {
+- check_missing_file(["/usr/share/fonts/noto-cjk/NotoSansCJKsc-Regular.otf"],
++ check_missing_file(["/usr/share/fonts/noto-cjk/NotoSansCJKsc-Regular.otf",
++ "/usr/share/fonts/noto-cjk/NotoSerifCJK-Regular.ttc"],
+ "media-fonts/noto-cjk", 2);
+ }
+
+@@ -572,10 +573,10 @@ sub give_gentoo_hints()
+ my $portage_imagemagick = "/etc/portage/package.use/imagemagick";
+ my $portage_cairo = "/etc/portage/package.use/graphviz";
+
+- if (qx(cat $portage_imagemagick) ne "$imagemagick\n") {
++ if (qx(grep imagemagick $portage_imagemagick 2>/dev/null) eq "") {
+ printf("\tsudo su -c 'echo \"$imagemagick\" > $portage_imagemagick'\n")
+ }
+- if (qx(cat $portage_cairo) ne "$cairo\n") {
++ if (qx(grep graphviz $portage_cairo 2>/dev/null) eq "") {
+ printf("\tsudo su -c 'echo \"$cairo\" > $portage_cairo'\n");
+ }
+
+--
+2.25.1
+
--- /dev/null
+From a5308976b7cb0099e71c734ce1b1c7f548967051 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:11 -0700
+Subject: selftests/bpf: Add runqslower binary to .gitignore
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit e4e8f4d047fdcf7ac7d944e266e85d8041f16cd6 ]
+
+With recent changes, runqslower is being copied into selftests/bpf root
+directory. So add it into .gitignore.
+
+Fixes: b26d1e2b6028 ("selftests/bpf: Copy runqslower to OUTPUT directory")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Cc: Veronika Kabatova <vkabatov@redhat.com>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-12-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/.gitignore | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
+index c30079c86998..35a577ca0226 100644
+--- a/tools/testing/selftests/bpf/.gitignore
++++ b/tools/testing/selftests/bpf/.gitignore
+@@ -39,4 +39,4 @@ test_cpp
+ /no_alu32
+ /bpf_gcc
+ /tools
+-
++/runqslower
+--
+2.25.1
+
--- /dev/null
+From 3169714c147773cf5de6cf3b54f931d252504ec7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 12:36:28 +0100
+Subject: selftests/bpf: CONFIG_IPV6_SEG6_BPF required for test_seg6_loop.o
+
+From: Alan Maguire <alan.maguire@oracle.com>
+
+[ Upstream commit 3c8e8cf4b18b3a7034fab4c4504fc4b54e4b6195 ]
+
+test_seg6_loop.o uses the helper bpf_lwt_seg6_adjust_srh();
+it will not be present if CONFIG_IPV6_SEG6_BPF is not specified.
+
+Fixes: b061017f8b4d ("selftests/bpf: add realistic loop tests")
+Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/1590147389-26482-2-git-send-email-alan.maguire@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
+index 60e3ae5d4e48..48e058552eb7 100644
+--- a/tools/testing/selftests/bpf/config
++++ b/tools/testing/selftests/bpf/config
+@@ -25,6 +25,7 @@ CONFIG_XDP_SOCKETS=y
+ CONFIG_FTRACE_SYSCALLS=y
+ CONFIG_IPV6_TUNNEL=y
+ CONFIG_IPV6_GRE=y
++CONFIG_IPV6_SEG6_BPF=y
+ CONFIG_NET_FOU=m
+ CONFIG_NET_FOU_IP_TUNNELS=y
+ CONFIG_IPV6_FOU=m
+--
+2.25.1
+
--- /dev/null
+From 60a4aea734d70d106a4a8dcd27803d31e054d81d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 12:36:29 +0100
+Subject: selftests/bpf: CONFIG_LIRC required for test_lirc_mode2.sh
+
+From: Alan Maguire <alan.maguire@oracle.com>
+
+[ Upstream commit a5dfaa2ab94057dd75c7911143482a0a85593c14 ]
+
+test_lirc_mode2.sh assumes presence of /sys/class/rc/rc0/lirc*/uevent
+which will not be present unless CONFIG_LIRC=y
+
+Fixes: 6bdd533cee9a ("bpf: add selftest for lirc_mode2 type program")
+Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/1590147389-26482-3-git-send-email-alan.maguire@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
+index 48e058552eb7..2118e23ac07a 100644
+--- a/tools/testing/selftests/bpf/config
++++ b/tools/testing/selftests/bpf/config
+@@ -38,3 +38,4 @@ CONFIG_IPV6_SIT=m
+ CONFIG_BPF_JIT=y
+ CONFIG_BPF_LSM=y
+ CONFIG_SECURITY=y
++CONFIG_LIRC=y
+--
+2.25.1
+
--- /dev/null
+From de0aa6d5474f200509a27471e032daf6a86827e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 19:37:42 +0200
+Subject: selftests/bpf: Copy runqslower to OUTPUT directory
+
+From: Veronika Kabatova <vkabatov@redhat.com>
+
+[ Upstream commit b26d1e2b60284dc9f66ffad9ccd5c5da1100bb4b ]
+
+$(OUTPUT)/runqslower makefile target doesn't actually create runqslower
+binary in the $(OUTPUT) directory. As lib.mk expects all
+TEST_GEN_PROGS_EXTENDED (which runqslower is a part of) to be present in
+the OUTPUT directory, this results in an error when running e.g. `make
+install`:
+
+rsync: link_stat "tools/testing/selftests/bpf/runqslower" failed: No
+ such file or directory (2)
+
+Copy the binary into the OUTPUT directory after building it to fix the
+error.
+
+Fixes: 3a0d3092a4ed ("selftests/bpf: Build runqslower from selftests")
+Signed-off-by: Veronika Kabatova <vkabatov@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/20200428173742.2988395-1-vkabatov@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index 7729892e0b04..4e654d41c7af 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -141,7 +141,8 @@ VMLINUX_BTF := $(abspath $(firstword $(wildcard $(VMLINUX_BTF_PATHS))))
+ $(OUTPUT)/runqslower: $(BPFOBJ)
+ $(Q)$(MAKE) $(submake_extras) -C $(TOOLSDIR)/bpf/runqslower \
+ OUTPUT=$(SCRATCH_DIR)/ VMLINUX_BTF=$(VMLINUX_BTF) \
+- BPFOBJ=$(BPFOBJ) BPF_INCLUDE=$(INCLUDE_DIR)
++ BPFOBJ=$(BPFOBJ) BPF_INCLUDE=$(INCLUDE_DIR) && \
++ cp $(SCRATCH_DIR)/runqslower $@
+
+ $(TEST_GEN_PROGS) $(TEST_GEN_PROGS_EXTENDED): $(OUTPUT)/test_stub.o $(BPFOBJ)
+
+--
+2.25.1
+
--- /dev/null
+From 0ad88bd386ff81f26f9c14391bfada3871901d5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:01 -0700
+Subject: selftests/bpf: Ensure test flavors use correct skeletons
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 76148faa161e7cfb2d7719f35b37d7db4f3f8596 ]
+
+Ensure that test runner flavors include their own skeletons from <flavor>/
+directory. Previously, skeletons generated for no-flavor test_progs were used.
+Apart from fixing correctness, this also makes it possible to compile only
+flavors individually:
+
+ $ make clean && make test_progs-no_alu32
+ ... now succeeds ...
+
+Fixes: 74b5a5968fe8 ("selftests/bpf: Replace test_progs and test_maps w/ general rule")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-2-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index 4e654d41c7af..01c95f8278c7 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -324,7 +324,7 @@ $(TRUNNER_TEST_OBJS): $(TRUNNER_OUTPUT)/%.test.o: \
+ $(TRUNNER_BPF_SKELS) \
+ $$(BPFOBJ) | $(TRUNNER_OUTPUT)
+ $$(call msg,TEST-OBJ,$(TRUNNER_BINARY),$$@)
+- cd $$(@D) && $$(CC) $$(CFLAGS) -c $(CURDIR)/$$< $$(LDLIBS) -o $$(@F)
++ cd $$(@D) && $$(CC) -I. $$(CFLAGS) -c $(CURDIR)/$$< $$(LDLIBS) -o $$(@F)
+
+ $(TRUNNER_EXTRA_OBJS): $(TRUNNER_OUTPUT)/%.o: \
+ %.c \
+--
+2.25.1
+
--- /dev/null
+From b6bedce1d7b58d6bc8022487cc6c07faf521b92d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:10 -0700
+Subject: selftests/bpf: Fix bpf_link leak in ns_current_pid_tgid selftest
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 8d30e80a049ad699264e4a12911e349f93c7279a ]
+
+If condition is inverted, but it's also just not necessary.
+
+Fixes: 1c1052e0140a ("tools/testing/selftests/bpf: Add self-tests for new helper bpf_get_ns_current_pid_tgid.")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Cc: Carlos Neira <cneirabustos@gmail.com>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-11-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
+index 542240e16564..e74dc501b27f 100644
+--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
++++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
+@@ -80,9 +80,6 @@ void test_ns_current_pid_tgid(void)
+ "User pid/tgid %llu BPF pid/tgid %llu\n", id, bss.pid_tgid))
+ goto cleanup;
+ cleanup:
+- if (!link) {
+- bpf_link__destroy(link);
+- link = NULL;
+- }
++ bpf_link__destroy(link);
+ bpf_object__close(obj);
+ }
+--
+2.25.1
+
--- /dev/null
+From 0d9744bd46d8d29a57eb7fbb4337d387f079964a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:07 -0700
+Subject: selftests/bpf: Fix invalid memory reads in core_relo selftest
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 13c908495e5d51718a6da84ae925fa2aac056380 ]
+
+Another one found by AddressSanitizer. input_len is bigger than actually
+initialized data size.
+
+Fixes: c7566a69695c ("selftests/bpf: Add field existence CO-RE relocs tests")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-8-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/core_reloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/core_reloc.c b/tools/testing/selftests/bpf/prog_tests/core_reloc.c
+index 31e177adbdf1..084ed26a7d78 100644
+--- a/tools/testing/selftests/bpf/prog_tests/core_reloc.c
++++ b/tools/testing/selftests/bpf/prog_tests/core_reloc.c
+@@ -392,7 +392,7 @@ static struct core_reloc_test_case test_cases[] = {
+ .input = STRUCT_TO_CHAR_PTR(core_reloc_existence___minimal) {
+ .a = 42,
+ },
+- .input_len = sizeof(struct core_reloc_existence),
++ .input_len = sizeof(struct core_reloc_existence___minimal),
+ .output = STRUCT_TO_CHAR_PTR(core_reloc_existence_output) {
+ .a_exists = 1,
+ .b_exists = 0,
+--
+2.25.1
+
--- /dev/null
+From a754edc3b8d5bb99dbe1b11fa8bf97268667adc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:06 -0700
+Subject: selftests/bpf: Fix memory leak in extract_build_id()
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 9f56bb531a809ecaa7f0ddca61d2cf3adc1cb81a ]
+
+getline() allocates string, which has to be freed.
+
+Fixes: 81f77fd0deeb ("bpf: add selftest for stackmap with BPF_F_STACK_BUILD_ID")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Cc: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-7-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 86d0020c9eec..93970ec1c9e9 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -351,6 +351,7 @@ int extract_build_id(char *build_id, size_t size)
+ len = size;
+ memcpy(build_id, line, len);
+ build_id[len] = '\0';
++ free(line);
+ return 0;
+ err:
+ fclose(fp);
+--
+2.25.1
+
--- /dev/null
+From cdc740226e5dd01b73954a4568c5a184606454a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 18:21:05 -0700
+Subject: selftests/bpf: Fix memory leak in test selector
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit f25d5416d64c796aa639136eb0b076c8bd579b54 ]
+
+Free test selector substrings, which were strdup()'ed.
+
+Fixes: b65053cd94f4 ("selftests/bpf: Add whitelist/blacklist of test names to test_progs")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200429012111.277390-6-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index b521e0a512b6..86d0020c9eec 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -420,6 +420,18 @@ static int libbpf_print_fn(enum libbpf_print_level level,
+ return 0;
+ }
+
++static void free_str_set(const struct str_set *set)
++{
++ int i;
++
++ if (!set)
++ return;
++
++ for (i = 0; i < set->cnt; i++)
++ free((void *)set->strs[i]);
++ free(set->strs);
++}
++
+ static int parse_str_list(const char *s, struct str_set *set)
+ {
+ char *input, *state = NULL, *next, **tmp, **strs = NULL;
+@@ -756,11 +768,11 @@ int main(int argc, char **argv)
+ fprintf(stdout, "Summary: %d/%d PASSED, %d SKIPPED, %d FAILED\n",
+ env.succ_cnt, env.sub_succ_cnt, env.skip_cnt, env.fail_cnt);
+
+- free(env.test_selector.blacklist.strs);
+- free(env.test_selector.whitelist.strs);
++ free_str_set(&env.test_selector.blacklist);
++ free_str_set(&env.test_selector.whitelist);
+ free(env.test_selector.num_set);
+- free(env.subtest_selector.blacklist.strs);
+- free(env.subtest_selector.whitelist.strs);
++ free_str_set(&env.subtest_selector.blacklist);
++ free_str_set(&env.subtest_selector.whitelist);
+ free(env.subtest_selector.num_set);
+
+ return env.fail_cnt ? EXIT_FAILURE : EXIT_SUCCESS;
+--
+2.25.1
+
--- /dev/null
+From f9b223342e19f9b10e14ed3047e85f98c360ff76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 12:49:03 -0700
+Subject: selftests/bpf: Fix test_align verifier log patterns
+
+From: Stanislav Fomichev <sdf@google.com>
+
+[ Upstream commit 5366d2269139ba8eb6a906d73a0819947e3e4e0a ]
+
+Commit 294f2fc6da27 ("bpf: Verifer, adjust_scalar_min_max_vals to always
+call update_reg_bounds()") changed the way verifier logs some of its state,
+adjust the test_align accordingly. Where possible, I tried to not copy-paste
+the entire log line and resorted to dropping the last closing brace instead.
+
+Fixes: 294f2fc6da27 ("bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()")
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20200515194904.229296-1-sdf@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_align.c | 41 ++++++++++++------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_align.c b/tools/testing/selftests/bpf/test_align.c
+index 0262f7b374f9..c9c9bdce9d6d 100644
+--- a/tools/testing/selftests/bpf/test_align.c
++++ b/tools/testing/selftests/bpf/test_align.c
+@@ -359,15 +359,15 @@ static struct bpf_align_test tests[] = {
+ * is still (4n), fixed offset is not changed.
+ * Also, we create a new reg->id.
+ */
+- {29, "R5_w=pkt(id=4,off=18,r=0,umax_value=2040,var_off=(0x0; 0x7fc))"},
++ {29, "R5_w=pkt(id=4,off=18,r=0,umax_value=2040,var_off=(0x0; 0x7fc)"},
+ /* At the time the word size load is performed from R5,
+ * its total fixed offset is NET_IP_ALIGN + reg->off (18)
+ * which is 20. Then the variable offset is (4n), so
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {33, "R4=pkt(id=4,off=22,r=22,umax_value=2040,var_off=(0x0; 0x7fc))"},
+- {33, "R5=pkt(id=4,off=18,r=22,umax_value=2040,var_off=(0x0; 0x7fc))"},
++ {33, "R4=pkt(id=4,off=22,r=22,umax_value=2040,var_off=(0x0; 0x7fc)"},
++ {33, "R5=pkt(id=4,off=18,r=22,umax_value=2040,var_off=(0x0; 0x7fc)"},
+ },
+ },
+ {
+@@ -410,15 +410,15 @@ static struct bpf_align_test tests[] = {
+ /* Adding 14 makes R6 be (4n+2) */
+ {9, "R6_w=inv(id=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
+ /* Packet pointer has (4n+2) offset */
+- {11, "R5_w=pkt(id=1,off=0,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
+- {13, "R4=pkt(id=1,off=4,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
++ {11, "R5_w=pkt(id=1,off=0,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
++ {13, "R4=pkt(id=1,off=4,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
+ /* At the time the word size load is performed from R5,
+ * its total fixed offset is NET_IP_ALIGN + reg->off (0)
+ * which is 2. Then the variable offset is (4n+2), so
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {15, "R5=pkt(id=1,off=0,r=4,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
++ {15, "R5=pkt(id=1,off=0,r=4,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
+ /* Newly read value in R6 was shifted left by 2, so has
+ * known alignment of 4.
+ */
+@@ -426,15 +426,15 @@ static struct bpf_align_test tests[] = {
+ /* Added (4n) to packet pointer's (4n+2) var_off, giving
+ * another (4n+2).
+ */
+- {19, "R5_w=pkt(id=2,off=0,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
+- {21, "R4=pkt(id=2,off=4,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
++ {19, "R5_w=pkt(id=2,off=0,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
++ {21, "R4=pkt(id=2,off=4,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
+ /* At the time the word size load is performed from R5,
+ * its total fixed offset is NET_IP_ALIGN + reg->off (0)
+ * which is 2. Then the variable offset is (4n+2), so
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {23, "R5=pkt(id=2,off=0,r=4,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
++ {23, "R5=pkt(id=2,off=0,r=4,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
+ },
+ },
+ {
+@@ -469,16 +469,16 @@ static struct bpf_align_test tests[] = {
+ .matches = {
+ {4, "R5_w=pkt_end(id=0,off=0,imm=0)"},
+ /* (ptr - ptr) << 2 == unknown, (4n) */
+- {6, "R5_w=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"},
++ {6, "R5_w=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc)"},
+ /* (4n) + 14 == (4n+2). We blow our bounds, because
+ * the add could overflow.
+ */
+- {7, "R5_w=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"},
++ {7, "R5_w=inv(id=0,smin_value=-9223372036854775806,smax_value=9223372036854775806,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"},
+ /* Checked s>=0 */
+- {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
+ /* packet pointer + nonnegative (4n+2) */
+- {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
+- {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
++ {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
++ {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
+ /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine.
+ * We checked the bounds, but it might have been able
+ * to overflow if the packet pointer started in the
+@@ -486,7 +486,7 @@ static struct bpf_align_test tests[] = {
+ * So we did not get a 'range' on R6, and the access
+ * attempt will fail.
+ */
+- {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
++ {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
+ }
+ },
+ {
+@@ -528,7 +528,7 @@ static struct bpf_align_test tests[] = {
+ /* New unknown value in R7 is (4n) */
+ {11, "R7_w=inv(id=0,umax_value=1020,var_off=(0x0; 0x3fc))"},
+ /* Subtracting it from R6 blows our unsigned bounds */
+- {12, "R6=inv(id=0,smin_value=-1006,smax_value=1034,var_off=(0x2; 0xfffffffffffffffc))"},
++ {12, "R6=inv(id=0,smin_value=-1006,smax_value=1034,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"},
+ /* Checked s>= 0 */
+ {14, "R6=inv(id=0,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc))"},
+ /* At the time the word size load is performed from R5,
+@@ -537,7 +537,8 @@ static struct bpf_align_test tests[] = {
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {20, "R5=pkt(id=1,off=0,r=4,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc))"},
++ {20, "R5=pkt(id=1,off=0,r=4,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc)"},
++
+ },
+ },
+ {
+@@ -579,18 +580,18 @@ static struct bpf_align_test tests[] = {
+ /* Adding 14 makes R6 be (4n+2) */
+ {11, "R6_w=inv(id=0,umin_value=14,umax_value=74,var_off=(0x2; 0x7c))"},
+ /* Subtracting from packet pointer overflows ubounds */
+- {13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c))"},
++ {13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c)"},
+ /* New unknown value in R7 is (4n), >= 76 */
+ {15, "R7_w=inv(id=0,umin_value=76,umax_value=1096,var_off=(0x0; 0x7fc))"},
+ /* Adding it to packet pointer gives nice bounds again */
+- {16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"},
++ {16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"},
+ /* At the time the word size load is performed from R5,
+ * its total fixed offset is NET_IP_ALIGN + reg->off (0)
+ * which is 2. Then the variable offset is (4n+2), so
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"},
++ {20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"},
+ },
+ },
+ };
+--
+2.25.1
+
--- /dev/null
+From 05516f59427fbfafc80c8a4a677999c82a441bfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 May 2020 10:28:44 +0200
+Subject: selftests/bpf, flow_dissector: Close TAP device FD after the test
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit b8215dce7dfd817ca38807f55165bf502146cd68 ]
+
+test_flow_dissector leaves a TAP device after it's finished, potentially
+interfering with other tests that will run after it. Fix it by closing the
+TAP descriptor on cleanup.
+
+Fixes: 0905beec9f52 ("selftests/bpf: run flow dissector tests in skb-less mode")
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200531082846.2117903-11-jakub@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+index 92563898867c..9f3634c9971d 100644
+--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+@@ -523,6 +523,7 @@ void test_flow_dissector(void)
+ CHECK_ATTR(err, tests[i].name, "bpf_map_delete_elem %d\n", err);
+ }
+
++ close(tap_fd);
+ bpf_prog_detach(prog_fd, BPF_FLOW_DISSECTOR);
+ bpf_object__close(obj);
+ }
+--
+2.25.1
+
--- /dev/null
+From 9fcda2aa1b7c080c159577f2c6d1c604e88f48a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 May 2020 05:17:22 +0300
+Subject: selftests/bpf: Install generated test progs
+
+From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+
+[ Upstream commit 309b81f0fdc4209d998bc63f0da52c2e96340d4e ]
+
+Before commit 74b5a5968fe8 ("selftests/bpf: Replace test_progs and
+test_maps w/ general rule") selftests/bpf used generic install
+target from selftests/lib.mk to install generated bpf test progs
+by mentioning them in TEST_GEN_FILES variable.
+
+Take that functionality back.
+
+Fixes: 74b5a5968fe8 ("selftests/bpf: Replace test_progs and test_maps w/ general rule")
+Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/20200513021722.7787-1-yauheni.kaliuta@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index 01c95f8278c7..af139d0e2e0c 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -264,6 +264,7 @@ TRUNNER_BPF_OBJS := $$(patsubst %.c,$$(TRUNNER_OUTPUT)/%.o, $$(TRUNNER_BPF_SRCS)
+ TRUNNER_BPF_SKELS := $$(patsubst %.c,$$(TRUNNER_OUTPUT)/%.skel.h, \
+ $$(filter-out $(SKEL_BLACKLIST), \
+ $$(TRUNNER_BPF_SRCS)))
++TEST_GEN_FILES += $$(TRUNNER_BPF_OBJS)
+
+ # Evaluate rules now with extra TRUNNER_XXX variables above already defined
+ $$(eval $$(call DEFINE_TEST_RUNNER_RULES,$1,$2))
+--
+2.25.1
+
--- /dev/null
+From a21390673bd90ee86f9c941eea2b6f00bfdc7720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 07:30:53 +0000
+Subject: selinux: fix error return code in policydb_read()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 4c09f8b6913a779ca0c70ea8058bf21537eebb3b ]
+
+Fix to return negative error code -ENOMEM from the kvcalloc() error
+handling case instead of 0, as done elsewhere in this function.
+
+Fixes: acdf52d97f82 ("selinux: convert to kvmalloc")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/ss/policydb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
+index c21b922e5ebe..1a4f74e7a267 100644
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -2504,6 +2504,7 @@ int policydb_read(struct policydb *p, void *fp)
+ if (rc)
+ goto bad;
+
++ rc = -ENOMEM;
+ p->type_attr_map_array = kvcalloc(p->p_types.nprim,
+ sizeof(*p->type_attr_map_array),
+ GFP_KERNEL);
+--
+2.25.1
+
acpi-ged-use-correct-trigger-type-field-in-_exx-_lxx-handling.patch
+drm-amdgpu-fix-and-cleanup-amdgpu_gem_object_close-v.patch
+ath10k-fix-the-race-condition-in-firmware-dump-work-.patch
+drm-bridge-adv7511-extend-list-of-audio-sample-rates.patch
+media-staging-imgu-do-not-hold-spinlock-during-freei.patch
+media-imx-imx7-mipi-csis-cleanup-and-fix-subdev-pad-.patch
+crypto-ccp-don-t-select-config_dmadevices.patch
+igc-fix-default-mac-address-filter-override.patch
+scripts-sphinx-pre-install-address-some-issues-with-.patch
+media-vicodec-fix-error-codes-in-probe-function.patch
+media-si2157-better-check-for-running-tuner-in-init.patch
+media-v4l2-ctrls-v4l2_ctrl_g-s_ctrl-don-t-continue-w.patch
+objtool-ignore-empty-alternatives.patch
+drm-amd-display-force-watermark-value-propagation.patch
+drm-amd-display-fix-virtual-signal-dsc-setup.patch
+spi-spi-mem-fix-dual-quad-modes-on-octal-capable-dev.patch
+drm-amdgpu-init-data-to-avoid-oops-while-reading-pp_.patch
+drm-bridge-panel-return-always-an-error-pointer-in-d.patch
+net-ethernet-ti-fix-return-value-check-in-k3_cppi_de.patch
+arm64-kernel-fix-range-on-invalidating-dcache-for-bo.patch
+selftests-bpf-copy-runqslower-to-output-directory.patch
+libbpf-fix-memory-leak-and-possible-double-free-in-h.patch
+spi-pxa2xx-apply-cs-clk-quirk-to-bxt.patch
+x86-smap-fix-smap_-save-restore-alternatives.patch
+sched-fair-refill-bandwidth-before-scaling.patch
+net-atlantic-make-hw_get_regs-optional.patch
+net-ena-fix-error-returning-in-ena_com_get_hash_func.patch
+efi-libstub-x86-work-around-llvm-elf-quirk-build-reg.patch
+ath10k-remove-the-max_sched_scan_reqs-value.patch
+arm64-cacheflush-fix-kgdb-trap-detection.patch
+media-staging-ipu3-fix-stale-list-entries-on-paramet.patch
+libperf-evlist-fix-a-refcount-leak.patch
+rtw88-fix-an-issue-about-leak-system-resources.patch
+spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch
+soc-fsl-dpio-properly-compute-the-consumer-index.patch
+acpica-dispatcher-add-status-checks.patch
+block-alloc-map-and-request-for-new-hardware-queue.patch
+arm64-insn-fix-two-bugs-in-encoding-32-bit-logical-i.patch
+tools-power-x86-intel-speed-select-fix-clx-n-package.patch
+mt76-mt7615-fix-aid-configuration-in-mt7615_mcu_wtbl.patch
+block-reset-mapping-if-failed-to-update-hardware-que.patch
+drm-rcar-du-set-primary-plane-zpos-immutably-at-init.patch
+lockdown-allow-unprivileged-users-to-see-lockdown-st.patch
+ixgbe-fix-xdp-redirect-on-archs-with-page_size-above.patch
+platform-x86-dell-laptop-don-t-register-micmute-led-.patch
+cpuidle-psci-fixup-execution-order-when-entering-a-d.patch
+mips-loongson-build-ati-radeon-gpu-driver-as-module.patch
+io_uring-cleanup-io_poll_remove_one-logic.patch
+media-i2c-imx219-fix-a-bug-in-imx219_enum_frame_size.patch
+bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch
+kgdb-disable-warn_console_unlocked-for-all-kgdb.patch
+kgdb-prevent-infinite-recursive-entries-to-the-debug.patch
+pmu-smmuv3-clear-irq-affinity-hint-on-device-removal.patch
+ath11k-fix-some-resource-leaks-in-error-path-in-ath1.patch
+acpi-iort-fix-pmcg-node-single-id-mapping-handling.patch
+drm-dp-lenovo-x13-yoga-oled-panel-brightness-fix.patch
+mips-fix-cpu_has_mips64r1-2-activation-for-mips32-cp.patch
+spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch
+clocksource-drivers-timer-versatile-clear-of_populat.patch
+clocksource-dw_apb_timer-make-cpu-affiliation-being-.patch
+clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch
+btrfs-account-for-trans_block_rsv-in-may_commit_tran.patch
+btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch
+spi-mux-repair-mux-usage.patch
+arm-8978-1-mm-make-act_mm-respect-thread_size.patch
+batman-adv-revert-disable-ethtool-link-speed-detecti.patch
+xfs-more-lockdep-whackamole-with-kmem_alloc.patch
+ice-fix-memory-leak.patch
+ice-fix-for-memory-leaks-and-modify-ice_free_cq_bufs.patch
+ice-change-number-of-xdp-txq-to-0-when-destroying-ri.patch
+mmc-mmci_sdmmc-fix-power-on-issue-due-to-pwr_reg-ini.patch
+mmc-meson-mx-sdio-trigger-a-soft-reset-after-a-timeo.patch
+bluetooth-btmtkuart-improve-exception-handling-in-bt.patch
+bluetooth-hci_qca-fix-suspend-resume-functionality-f.patch
+spi-dw-fix-rx-only-dma-transfers.patch
+ice-fix-pci-device-serial-number-to-be-lowercase-val.patch
+x86-kvm-hyper-v-explicitly-align-hcall-param-for-kvm.patch
+net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch
+crypto-chcr-fixes-a-coccinile-check-error.patch
+x86-fix-vmap-arguments-in-map_irq_stack.patch
+staging-android-ion-use-vmap-instead-of-vm_map_ram.patch
+ubsan-entirely-disable-alignment-checks-under-ubsan_.patch
+ath11k-fix-error-message-to-correctly-report-the-com.patch
+drm-hisilicon-enforce-128-byte-stride-alignment-to-f.patch
+ath11k-avoid-mgmt-tx-count-underflow.patch
+ath10k-fix-kernel-null-pointer-dereference.patch
+drm-amd-display-revert-to-old-formula-in-set_vtg_par.patch
+media-staging-intel-ipu3-implement-lock-for-stream-o.patch
+media-venus-core-remove-cnoc-voting-while-device-sus.patch
+spi-respect-databitlength-field-of-spiserialbusv2-ac.patch
+brcmfmac-fix-wrong-location-to-get-firmware-feature.patch
+regulator-qcom-rpmh-fix-typos-in-pm8150-and-pm8150l.patch
+tools-api-fs-make-xxx__mountpoint-more-scalable.patch
+e1000-distribute-switch-variables-for-initialization.patch
+net-mscc-ocelot-deal-with-problematic-mac_etype-vcap.patch
+drm-ast-allocate-initial-crtc-state-of-the-correct-s.patch
+dt-bindings-display-mediatek-control-dpi-pins-mode-t.patch
+drm-mediatek-set-dpi-pin-mode-to-gpio-low-to-avoid-l.patch
+audit-fix-a-net-reference-leak-in-audit_send_reply.patch
+media-dvb-return-eremoteio-on-i2c-transfer-failure.patch
+media-imx-utils-fix-and-simplify-pixel-format-enumer.patch
+media-imx-utils-fix-media-bus-format-enumeration.patch
+media-platform-fcp-set-appropriate-dma-parameters.patch
+mips-make-sparse_init-using-top-down-allocation.patch
+ath10k-add-flush-tx-packets-for-sdio-chip.patch
+bluetooth-btbcm-add-2-missing-models-to-subver-table.patch
+audit-fix-a-net-reference-leak-in-audit_list_rules_s.patch
+drm-amd-display-correct-updating-logic-of-dcn21-s-pi.patch
+drm-amd-display-dmcu-wait-loop-calculation-is-incorr.patch
+drivers-hv-vmbus-always-handle-the-vmbus-messages-on.patch
+efi-libstub-random-align-allocate-size-to-efi_alloc_.patch
+dpaa2-eth-fix-return-codes-used-in-ndo_setup_tc.patch
+bcache-remove-a-duplicate-make_request_fn-assignment.patch
+net-mlx4_core-add-missing-iounmap-in-error-path.patch
+bpf-riscv-fix-tail-call-count-off-by-one-in-rv32-bpf.patch
+netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch
+ath11k-use-gfp_atomic-under-spin-lock.patch
+bluetooth-adding-driver-and-quirk-defs-for-multi-rol.patch
+drm-amd-display-do-not-disable-pipe-split-if-mode-is.patch
+libbpf-refactor-map-creation-logic-and-fix-cleanup-l.patch
+selftests-bpf-ensure-test-flavors-use-correct-skelet.patch
+selftests-bpf-fix-memory-leak-in-test-selector.patch
+selftests-bpf-fix-memory-leak-in-extract_build_id.patch
+selftests-bpf-fix-invalid-memory-reads-in-core_relo-.patch
+libbpf-fix-huge-memory-leak-in-libbpf_find_vmlinux_b.patch
+selftests-bpf-fix-bpf_link-leak-in-ns_current_pid_tg.patch
+selftests-bpf-add-runqslower-binary-to-.gitignore.patch
+media-m88ds3103-error-in-set_frontend-is-swallowed-a.patch
+arm-8969-1-decompressor-simplify-libfdt-builds.patch
+drm-bridge-fix-stack-usage-warning-on-old-gcc.patch
+net-bcmgenet-set-rx-mode-before-starting-netif.patch
+net-bcmgenet-fix-wol-with-password-after-deep-sleep.patch
+lib-mpi-fix-64-bit-mips-build-with-clang.patch
+net-mlx5e-ct-avoid-false-warning-about-rule-may-be-u.patch
+exit-move-preemption-fixup-up-move-blocking-operatio.patch
+sched-core-fix-illegal-rcu-from-offline-cpus.patch
+stmmac-intel-fix-clock-handling-on-error-and-remove-.patch
+arm64-kexec_file-print-appropriate-variable.patch
+drivers-perf-hisi-fix-typo-in-events-attribute-array.patch
+iocost_monitor-drop-string-wrap-around-numbers-when-.patch
+octeontx2-pf-fix-error-return-code-in-otx2_probe.patch
+ice-fix-error-return-code-in-ice_add_prof.patch
+net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch
+selinux-fix-error-return-code-in-policydb_read.patch
+drivers-net-davinci_mdio-fix-potential-null-derefere.patch
+cpufreq-qcom-fix-wrong-compatible-binding.patch
+ath10k-fix-possible-memory-leak-in-ath10k_bmi_lz_dat.patch
+ath11k-fix-error-return-code-in-ath11k_dp_alloc.patch
+media-sun8i-fix-an-error-handling-path-in-deinterlac.patch
+media-cec-silence-shift-wrapping-warning-in-__cec_s_.patch
+net-allwinner-fix-use-correct-return-type-for-ndo_st.patch
+powerpc-spufs-fix-copy_to_user-while-atomic.patch
+ath11k-fix-kernel-panic-by-freeing-the-msdu-received.patch
+libertas_tf-avoid-a-null-dereference-in-pointer-priv.patch
+xfs-clean-up-the-error-handling-in-xfs_swap_extents.patch
+crypto-chcr-fix-ctr-cbc-xts-and-rfc3686-ctr-failed-t.patch
+crypto-chcr-fix-for-ccm-aes-failed-test.patch
+dsa-sja1105-dynamically-allocate-stats-structure.patch
+mips-truncate-link-address-into-32bit-for-32bit-kern.patch
+mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch
+kgdb-fix-spurious-true-from-in_dbg_master.patch
+xfs-reset-buffer-write-failure-state-on-successful-c.patch
+xfs-fix-duplicate-verification-from-xfs_qm_dqflush.patch
+platform-x86-intel-vbtn-use-acpi_evaluate_integer.patch
+platform-x86-intel-vbtn-split-keymap-into-buttons-an.patch
+platform-x86-intel-vbtn-do-not-advertise-switches-to.patch
+platform-x86-intel-vbtn-also-handle-tablet-mode-swit.patch
+iwlwifi-avoid-debug-max-amsdu-config-overwriting-its.patch
+nvme-refine-the-qemu-identify-cns-quirk.patch
+nvme-fc-avoid-gcc-10-zero-length-bounds-warning.patch
+nvme-pci-align-io-queue-count-with-allocted-nvme_que.patch
+nvme-tcp-use-bh_lock-in-data_ready.patch
+ath10k-skip-handling-del_server-during-driver-exit.patch
+ath10k-remove-msdu-from-idr-when-management-pkt-send.patch
+wcn36xx-fix-error-handling-path-in-wcn36xx_probe.patch
+net-qed-reduce-rx-and-tx-default-ring-count-when-run.patch
+drm-mcde-dsi-fix-return-value-check-in-mcde_dsi_bind.patch
+mt76-mt7663-fix-mt7615_mac_cca_stats_reset-routine.patch
+mt76-mt7615-do-not-always-reset-the-dfs-state-settin.patch
+mt76-mt7622-fix-dma-unmap-length.patch
+mt76-mt7663-fix-dma-unmap-length.patch
+mt76-mt7615-fix-mt7615_firmware_own-for-mt7663e.patch
+mt76-mt7615-fix-mt7615_driver_own-routine.patch
+mt76-avoid-rx-reorder-buffer-overflow.patch
+selftests-bpf-install-generated-test-progs.patch
+brcmfmac-fix-wpa-wpa2-psk-4-way-handshake-offload-an.patch
+md-don-t-flush-workqueue-unconditionally-in-md_open.patch
+raid5-remove-gfp-flags-from-scribble_alloc.patch
+iocost-don-t-let-vrate-run-wild-while-there-s-no-sat.patch
+veth-adjust-hard_start-offset-on-redirect-xdp-frames.patch
+crypto-blake2b-fix-clang-optimization-for-armv7-m.patch
+io_uring-allow-poll_add-with-double-poll_wait-users.patch
+net-mlx5e-ipoib-drop-multicast-packets-that-this-int.patch
+selftests-bpf-fix-test_align-verifier-log-patterns.patch
+net-ipa-do-not-clear-interrupt-in-gsi_channel_start.patch
+rtlwifi-fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch
+mwifiex-fix-memory-corruption-in-dump_station.patch
+kgdboc-use-a-platform-device-to-handle-tty-drivers-s.patch
+x86-boot-correct-relocation-destination-on-old-linke.patch
+xfs-don-t-fail-verifier-on-empty-attr3-leaf-block.patch
+sched-defend-cfs-and-rt-bandwidth-quota-against-over.patch
+mips-maar-use-more-precise-address-mask.patch
+ice-cleanup-vf_id-signedness.patch
+ice-fix-resource-leak-on-early-exit-from-function.patch
+mips-add-udelay-lpj-numbers-adjustment.patch
+crypto-stm32-crc32-fix-ext4-chksum-bug_on.patch
+crypto-stm32-crc32-fix-run-time-self-test-issue.patch
+crypto-stm32-crc32-fix-multi-instance.patch
+drm-amd-powerpay-disable-gfxoff-when-setting-manual-.patch
+drm-amdgpu-sync-with-vm-root-bo-when-switching-vm-to.patch
+selftests-bpf-config_ipv6_seg6_bpf-required-for-test.patch
+selftests-bpf-config_lirc-required-for-test_lirc_mod.patch
+ice-fix-tx-timeout-when-link-is-toggled-on-a-vf-s-in.patch
+x86-mm-stop-printing-brk-addresses.patch
+mips-fix-exception-handler-memcpy.patch
+mips-tools-fix-resource-leak-in-elf-entry.c.patch
+m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch
+btrfs-improve-global-reserve-stealing-logic.patch
+btrfs-qgroup-mark-qgroup-inconsistent-if-we-re-inher.patch
+acpi-video-use-native-backlight-on-acer-travelmate-5.patch
+net-ethernet-fec-move-gpr-register-offset-and-bit-in.patch
+nvme-pci-make-sure-write-poll_queues-less-or-equal-t.patch
+nvmet-fix-memory-leak-when-removing-namespaces-and-c.patch
+macvlan-skip-loopback-packets-in-rx-handler.patch
+pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch
+mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch
+bcache-fix-refcount-underflow-in-bcache_device_free.patch
+mmc-mmci-switch-to-mmc_regulator_set_vqmmc.patch
+mmc-sdhci-msm-set-sdhci_quirk_multiblock_read_acmd12.patch
+staging-greybus-sdio-respect-the-cmd-busy_timeout-fr.patch
+mmc-owl-mmc-respect-the-cmd-busy_timeout-from-the-mm.patch
+mmc-via-sdmmc-respect-the-cmd-busy_timeout-from-the-.patch
+mmc-sdhci-add-quirks-for-be-to-le-byte-swapping.patch
+ice-fix-potential-double-free-in-probe-unrolling.patch
+ixgbe-fix-signed-integer-overflow-warning.patch
+iwlwifi-mvm-fix-aux-station-leak.patch
+mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch
+spi-dw-return-any-value-retrieved-from-the-dma_trans.patch
+cpuidle-fix-three-reference-count-leaks.patch
+spi-spi-fsl-dspi-fix-native-data-copy.patch
+io_uring-fix-overflowed-reqs-cancellation.patch
+platform-x86-hp-wmi-convert-simple_strtoul-to-kstrto.patch
+ice-fix-inability-to-set-channels-when-down.patch
+platform-x86-intel-hid-add-a-quirk-to-support-hp-spe.patch
+platform-x86-intel-vbtn-only-blacklist-sw_tablet_mod.patch
+platform-x86-asus_wmi-reserve-more-space-for-struct-.patch
+libbpf-fix-perf_buffer__free-api-for-sparse-allocs.patch
+bpf-fix-map-permissions-check.patch
+bpf-refactor-sockmap-redirect-code-so-its-easy-to-re.patch
+bpf-fix-running-sk_skb-program-types-with-ktls.patch
+selftests-bpf-flow_dissector-close-tap-device-fd-aft.patch
+bpf-fix-up-bpf_skb_adjust_room-helper-s-skb-csum-set.patch
+s390-bpf-maintain-8-byte-stack-alignment.patch
+kasan-stop-tests-being-eliminated-as-dead-code-with-.patch
+string.h-fix-incompatibility-between-fortify_source-.patch
--- /dev/null
+From 042c9a133cd1c6121de9faa7dc969a906d0db2a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 23:14:29 +0300
+Subject: soc: fsl: dpio: properly compute the consumer index
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit 7596ac9d19a9df25707ecaac0675881f62dd8c18 ]
+
+Mask the consumer index before using it. Without this, we would be
+writing frame descriptors beyond the ring size supported by the QBMAN
+block.
+
+Fixes: 3b2abda7d28c ("soc: fsl: dpio: Replace QMAN array mode with ring mode enqueue")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Acked-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/dpio/qbman-portal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/fsl/dpio/qbman-portal.c b/drivers/soc/fsl/dpio/qbman-portal.c
+index 804b8ba9bf5c..23a1377971f4 100644
+--- a/drivers/soc/fsl/dpio/qbman-portal.c
++++ b/drivers/soc/fsl/dpio/qbman-portal.c
+@@ -669,6 +669,7 @@ int qbman_swp_enqueue_multiple_direct(struct qbman_swp *s,
+ eqcr_ci = s->eqcr.ci;
+ p = s->addr_cena + QBMAN_CENA_SWP_EQCR_CI;
+ s->eqcr.ci = qbman_read_register(s, QBMAN_CINH_SWP_EQCR_CI);
++ s->eqcr.ci &= full_mask;
+
+ s->eqcr.available = qm_cyc_diff(s->eqcr.pi_ring_size,
+ eqcr_ci, s->eqcr.ci);
+--
+2.25.1
+
--- /dev/null
+From 3f9b4344f773f394dee6b44dbe1657b66a2ebeca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 03:07:51 +0300
+Subject: spi: dw: Enable interrupts in accordance with DMA xfer mode
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 43dba9f3f98c2b184a19f856f06fe22817bfd9e0 ]
+
+It's pointless to track the Tx overrun interrupts if Rx-only SPI
+transfer is issued. Similarly there is no need in handling the Rx
+overrun/underrun interrupts if Tx-only SPI transfer is executed.
+So lets unmask the interrupts only if corresponding SPI
+transactions are implied.
+
+Co-developed-by: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Signed-off-by: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200522000806.7381-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index 1058b8a6c8a0..e6c045ecffba 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -220,19 +220,23 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws,
+
+ static int mid_spi_dma_setup(struct dw_spi *dws, struct spi_transfer *xfer)
+ {
+- u16 dma_ctrl = 0;
++ u16 imr = 0, dma_ctrl = 0;
+
+ dw_writel(dws, DW_SPI_DMARDLR, 0xf);
+ dw_writel(dws, DW_SPI_DMATDLR, 0x10);
+
+- if (xfer->tx_buf)
++ if (xfer->tx_buf) {
+ dma_ctrl |= SPI_DMA_TDMAE;
+- if (xfer->rx_buf)
++ imr |= SPI_INT_TXOI;
++ }
++ if (xfer->rx_buf) {
+ dma_ctrl |= SPI_DMA_RDMAE;
++ imr |= SPI_INT_RXUI | SPI_INT_RXOI;
++ }
+ dw_writel(dws, DW_SPI_DMACR, dma_ctrl);
+
+ /* Set the interrupt mask */
+- spi_umask_intr(dws, SPI_INT_TXOI | SPI_INT_RXUI | SPI_INT_RXOI);
++ spi_umask_intr(dws, imr);
+
+ dws->transfer_handler = dma_transfer;
+
+--
+2.25.1
+
--- /dev/null
+From ff19722e4480e6818d68b5740942d5a8a530b31b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 16:11:57 +0300
+Subject: spi: dw: Fix Rx-only DMA transfers
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 46164fde6b7890e7a3982d54549947c8394c0192 ]
+
+Tx-only DMA transfers are working perfectly fine since in this case
+the code just ignores the Rx FIFO overflow interrupts. But it turns
+out the SPI Rx-only transfers are broken since nothing pushing any
+data to the shift registers, so the Rx FIFO is left empty and the
+SPI core subsystems just returns a timeout error. Since DW DMAC
+driver doesn't support something like cyclic write operations of
+a single byte to a device register, the only way to support the
+Rx-only SPI transfers is to fake it by using a dummy Tx-buffer.
+This is what we intend to fix in this commit by setting the
+SPI_CONTROLLER_MUST_TX flag for DMA-capable platform.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529131205.31838-9-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index dbf9b8d5cebe..5725c37544f2 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -531,6 +531,7 @@ int dw_spi_add_host(struct device *dev, struct dw_spi *dws)
+ dws->dma_inited = 0;
+ } else {
+ master->can_dma = dws->dma_ops->can_dma;
++ master->flags |= SPI_CONTROLLER_MUST_TX;
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 021d9347c49d2d11369ce3108268ae264ea5a3c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 16:11:51 +0300
+Subject: spi: dw: Return any value retrieved from the dma_transfer callback
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit f0410bbf7d0fb80149e3b17d11d31f5b5197873e ]
+
+DW APB SSI DMA-part of the driver may need to perform the requested
+SPI-transfer synchronously. In that case the dma_transfer() callback
+will return 0 as a marker of the SPI transfer being finished so the
+SPI core doesn't need to wait and may proceed with the SPI message
+trasnfers pumping procedure. This will be needed to fix the problem
+when DMA transactions are finished, but there is still data left in
+the SPI Tx/Rx FIFOs being sent/received. But for now make dma_transfer
+to return 1 as the normal dw_spi_transfer_one() method.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529131205.31838-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 2 +-
+ drivers/spi/spi-dw.c | 7 ++-----
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index e6c045ecffba..23cebdeb67e2 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -266,7 +266,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, struct spi_transfer *xfer)
+ dma_async_issue_pending(dws->txchan);
+ }
+
+- return 0;
++ return 1;
+ }
+
+ static void mid_spi_dma_stop(struct dw_spi *dws)
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index 5725c37544f2..c86c4bbb102e 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -381,11 +381,8 @@ static int dw_spi_transfer_one(struct spi_controller *master,
+
+ spi_enable_chip(dws, 1);
+
+- if (dws->dma_mapped) {
+- ret = dws->dma_ops->dma_transfer(dws, transfer);
+- if (ret < 0)
+- return ret;
+- }
++ if (dws->dma_mapped)
++ return dws->dma_ops->dma_transfer(dws, transfer);
+
+ if (chip->poll_mode)
+ return poll_transfer(dws);
+--
+2.25.1
+
--- /dev/null
+From a2297059bfcf08c49d3de3de40d7676591bd39ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 18:30:18 +0300
+Subject: spi: dw: Zero DMA Tx and Rx configurations on stack
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 3cb97e223d277f84171cc4ccecab31e08b2ee7b5 ]
+
+Some DMA controller drivers do not tolerate non-zero values in
+the DMA configuration structures. Zero them to avoid issues with
+such DMA controller drivers. Even despite above this is a good
+practice per se.
+
+Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Feng Tang <feng.tang@intel.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Link: https://lore.kernel.org/r/20200506153025.21441-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index 0d86c37e0aeb..1058b8a6c8a0 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -147,6 +147,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_tx(struct dw_spi *dws,
+ if (!xfer->tx_buf)
+ return NULL;
+
++ memset(&txconf, 0, sizeof(txconf));
+ txconf.direction = DMA_MEM_TO_DEV;
+ txconf.dst_addr = dws->dma_addr;
+ txconf.dst_maxburst = 16;
+@@ -193,6 +194,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws,
+ if (!xfer->rx_buf)
+ return NULL;
+
++ memset(&rxconf, 0, sizeof(rxconf));
+ rxconf.direction = DMA_DEV_TO_MEM;
+ rxconf.src_addr = dws->dma_addr;
+ rxconf.src_maxburst = 16;
+--
+2.25.1
+
--- /dev/null
+From 380e3fdc330447d49e7f93f5df89d811dc3d058d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2020 12:43:52 +0200
+Subject: spi: mux: repair mux usage
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit a2b02e4623fb127fa65a13e4ac5aa56e4ae16291 ]
+
+It is not valid to cache/short out selection of the mux.
+
+mux_control_select() only locks the mux until mux_control_deselect()
+is called. mux_control_deselect() may put the mux in some low power
+state or some other user of the mux might select it for other purposes.
+These things are probably not happening in the original setting where
+this driver was developed, but it is said to be a generic SPI mux.
+
+Also, the mux framework will short out the actual low level muxing
+operation when/if that is possible.
+
+Fixes: e9e40543ad5b ("spi: Add generic SPI multiplexer")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Link: https://lore.kernel.org/r/20200525104352.26807-1-peda@axentia.se
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mux.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-mux.c b/drivers/spi/spi-mux.c
+index 4f94c9127fc1..cc9ef371db14 100644
+--- a/drivers/spi/spi-mux.c
++++ b/drivers/spi/spi-mux.c
+@@ -51,6 +51,10 @@ static int spi_mux_select(struct spi_device *spi)
+ struct spi_mux_priv *priv = spi_controller_get_devdata(spi->controller);
+ int ret;
+
++ ret = mux_control_select(priv->mux, spi->chip_select);
++ if (ret)
++ return ret;
++
+ if (priv->current_cs == spi->chip_select)
+ return 0;
+
+@@ -62,10 +66,6 @@ static int spi_mux_select(struct spi_device *spi)
+ priv->spi->mode = spi->mode;
+ priv->spi->bits_per_word = spi->bits_per_word;
+
+- ret = mux_control_select(priv->mux, spi->chip_select);
+- if (ret)
+- return ret;
+-
+ priv->current_cs = spi->chip_select;
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 00560c47ca1d6f5ff0d6c0ca484cb481efbbbe50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 16:32:48 -0700
+Subject: spi: pxa2xx: Apply CS clk quirk to BXT
+
+From: Evan Green <evgreen@chromium.org>
+
+[ Upstream commit 6eefaee4f2d366a389da0eb95e524ba82bf358c4 ]
+
+With a couple allies at Intel, and much badgering, I got confirmation
+from Intel that at least BXT suffers from the same SPI chip-select
+issue as Cannonlake (and beyond). The issue being that after going
+through runtime suspend/resume, toggling the chip-select line without
+also sending data does nothing.
+
+Add the quirk to BXT to briefly toggle dynamic clock gating off and
+on, forcing the fabric to wake up enough to notice the CS register
+change.
+
+Signed-off-by: Evan Green <evgreen@chromium.org>
+Cc: Shobhit Srivastava <shobhit.srivastava@intel.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20200427163238.1.Ib1faaabe236e37ea73be9b8dcc6aa034cb3c8804@changeid
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-pxa2xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
+index f6e87344a36c..6721910e5f2a 100644
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -150,6 +150,7 @@ static const struct lpss_config lpss_platforms[] = {
+ .tx_threshold_hi = 48,
+ .cs_sel_shift = 8,
+ .cs_sel_mask = 3 << 8,
++ .cs_clk_stays_gated = true,
+ },
+ { /* LPSS_CNL_SSP */
+ .offset = 0x200,
+--
+2.25.1
+
--- /dev/null
+From c26c5a24371c0bcc1c1eaf6b43235359c304f8a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 21:04:06 +0300
+Subject: spi: Respect DataBitLength field of SpiSerialBusV2() ACPI resource
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 0dadde344d965566589cd82797893d5aa06557a3 ]
+
+By unknown reason the commit 64bee4d28c9e
+ ("spi / ACPI: add ACPI enumeration support")
+missed the DataBitLength property to encounter when parse SPI slave
+device data from ACPI.
+
+Fill the gap here.
+
+Fixes: 64bee4d28c9e ("spi / ACPI: add ACPI enumeration support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20200413180406.1826-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 7067e4c44400..299384c91917 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2111,6 +2111,7 @@ static int acpi_spi_add_resource(struct acpi_resource *ares, void *data)
+ }
+
+ lookup->max_speed_hz = sb->connection_speed;
++ lookup->bits_per_word = sb->data_bit_length;
+
+ if (sb->clock_phase == ACPI_SPI_SECOND_PHASE)
+ lookup->mode |= SPI_CPHA;
+--
+2.25.1
+
--- /dev/null
+From a2cb5678e3e71eaf527b413b78343fb19e54f517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 21:57:56 +0200
+Subject: spi: spi-fsl-dspi: fix native data copy
+
+From: Angelo Dureghello <angelo.dureghello@timesys.com>
+
+[ Upstream commit 263b81dc6c932c8bc550d5e7bfc178d2b3fc491e ]
+
+ColdFire is a big-endian cpu with a big-endian dspi hw module,
+so, it uses native access, but memcpy breaks the endianness.
+
+So, if i understand properly, by native copy we would mean
+be(cpu)->be(dspi) or le(cpu)->le(dspi) accesses, so my fix
+shouldn't break anything, but i couldn't test it on LS family,
+so every test is really appreciated.
+
+Fixes: 53fadb4d90c7 ("spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics")
+Signed-off-by: Angelo Dureghello <angelo.dureghello@timesys.com>
+Tested-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20200529195756.184677-1-angelo.dureghello@timesys.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index 50e41f66a2d7..2e9f9adc5900 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -246,13 +246,33 @@ struct fsl_dspi {
+
+ static void dspi_native_host_to_dev(struct fsl_dspi *dspi, u32 *txdata)
+ {
+- memcpy(txdata, dspi->tx, dspi->oper_word_size);
++ switch (dspi->oper_word_size) {
++ case 1:
++ *txdata = *(u8 *)dspi->tx;
++ break;
++ case 2:
++ *txdata = *(u16 *)dspi->tx;
++ break;
++ case 4:
++ *txdata = *(u32 *)dspi->tx;
++ break;
++ }
+ dspi->tx += dspi->oper_word_size;
+ }
+
+ static void dspi_native_dev_to_host(struct fsl_dspi *dspi, u32 rxdata)
+ {
+- memcpy(dspi->rx, &rxdata, dspi->oper_word_size);
++ switch (dspi->oper_word_size) {
++ case 1:
++ *(u8 *)dspi->rx = rxdata;
++ break;
++ case 2:
++ *(u16 *)dspi->rx = rxdata;
++ break;
++ case 4:
++ *(u32 *)dspi->rx = rxdata;
++ break;
++ }
+ dspi->rx += dspi->oper_word_size;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 53d60091d9f38c02d77e7b1ccd063d78111eb3b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 12:14:18 +0200
+Subject: spi: spi-mem: Fix Dual/Quad modes on Octal-capable devices
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 80300a7d5f2d7178335652f41d2e55ba898b4ec1 ]
+
+Currently buswidths 2 and 4 are rejected for a device that advertises
+Octal capabilities. Allow these buswidths, just like is done for
+buswidth 2 and Quad-capable devices.
+
+Fixes: b12a084c8729ef42 ("spi: spi-mem: add support for octal mode I/O data transfer")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20200416101418.14379-1-geert+renesas@glider.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mem.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-mem.c b/drivers/spi/spi-mem.c
+index adaa0c49f966..9a86cc27fcc0 100644
+--- a/drivers/spi/spi-mem.c
++++ b/drivers/spi/spi-mem.c
+@@ -108,15 +108,17 @@ static int spi_check_buswidth_req(struct spi_mem *mem, u8 buswidth, bool tx)
+ return 0;
+
+ case 2:
+- if ((tx && (mode & (SPI_TX_DUAL | SPI_TX_QUAD))) ||
+- (!tx && (mode & (SPI_RX_DUAL | SPI_RX_QUAD))))
++ if ((tx &&
++ (mode & (SPI_TX_DUAL | SPI_TX_QUAD | SPI_TX_OCTAL))) ||
++ (!tx &&
++ (mode & (SPI_RX_DUAL | SPI_RX_QUAD | SPI_RX_OCTAL))))
+ return 0;
+
+ break;
+
+ case 4:
+- if ((tx && (mode & SPI_TX_QUAD)) ||
+- (!tx && (mode & SPI_RX_QUAD)))
++ if ((tx && (mode & (SPI_TX_QUAD | SPI_TX_OCTAL))) ||
++ (!tx && (mode & (SPI_RX_QUAD | SPI_RX_OCTAL))))
+ return 0;
+
+ break;
+--
+2.25.1
+
--- /dev/null
+From d1c4d7523d109d5ccccc4b1f67fc6d2e152a3ed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 21:50:23 -0700
+Subject: staging: android: ion: use vmap instead of vm_map_ram
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 5bf9917452112694b2c774465ee4dbe441c84b77 ]
+
+vm_map_ram can keep mappings around after the vm_unmap_ram. Using that
+with non-PAGE_KERNEL mappings can lead to all kinds of aliasing issues.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Christophe Leroy <christophe.leroy@c-s.fr>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Gao Xiang <xiang@kernel.org>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Michael Kelley <mikelley@microsoft.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Nitin Gupta <ngupta@vflare.org>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: Wei Liu <wei.liu@kernel.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Paul Mackerras <paulus@ozlabs.org>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: http://lkml.kernel.org/r/20200414131348.444715-4-hch@lst.de
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/ion/ion_heap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
+index 473b465724f1..0755b11348ed 100644
+--- a/drivers/staging/android/ion/ion_heap.c
++++ b/drivers/staging/android/ion/ion_heap.c
+@@ -99,12 +99,12 @@ int ion_heap_map_user(struct ion_heap *heap, struct ion_buffer *buffer,
+
+ static int ion_heap_clear_pages(struct page **pages, int num, pgprot_t pgprot)
+ {
+- void *addr = vm_map_ram(pages, num, -1, pgprot);
++ void *addr = vmap(pages, num, VM_MAP, pgprot);
+
+ if (!addr)
+ return -ENOMEM;
+ memset(addr, 0, PAGE_SIZE * num);
+- vm_unmap_ram(addr, num);
++ vunmap(addr);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From a7b81fbb974fdcb647074316a674b355c533123d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 18:14:13 +0200
+Subject: staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc
+ core
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit a389087ee9f195fcf2f31cd771e9ec5f02c16650 ]
+
+Using a fixed 1s timeout for all commands is a bit problematic.
+
+For some commands it means waiting longer than needed for the timeout to
+expire, which may not a big issue, but still. For other commands, like for
+an erase (CMD38) that uses a R1B response, may require longer timeouts than
+1s. In these cases, we may end up treating the command as it failed, while
+it just needed some more time to complete successfully.
+
+Fix the problem by respecting the cmd->busy_timeout, which is provided by
+the mmc core.
+
+Cc: Rui Miguel Silva <rmfrfs@gmail.com>
+Cc: Johan Hovold <johan@kernel.org>
+Cc: Alex Elder <elder@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: greybus-dev@lists.linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20200414161413.3036-20-ulf.hansson@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/sdio.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/greybus/sdio.c b/drivers/staging/greybus/sdio.c
+index 68c5718be827..c4b16bb5c1a4 100644
+--- a/drivers/staging/greybus/sdio.c
++++ b/drivers/staging/greybus/sdio.c
+@@ -411,6 +411,7 @@ static int gb_sdio_command(struct gb_sdio_host *host, struct mmc_command *cmd)
+ struct gb_sdio_command_request request = {0};
+ struct gb_sdio_command_response response;
+ struct mmc_data *data = host->mrq->data;
++ unsigned int timeout_ms;
+ u8 cmd_flags;
+ u8 cmd_type;
+ int i;
+@@ -469,9 +470,12 @@ static int gb_sdio_command(struct gb_sdio_host *host, struct mmc_command *cmd)
+ request.data_blksz = cpu_to_le16(data->blksz);
+ }
+
+- ret = gb_operation_sync(host->connection, GB_SDIO_TYPE_COMMAND,
+- &request, sizeof(request), &response,
+- sizeof(response));
++ timeout_ms = cmd->busy_timeout ? cmd->busy_timeout :
++ GB_OPERATION_TIMEOUT_DEFAULT;
++
++ ret = gb_operation_sync_timeout(host->connection, GB_SDIO_TYPE_COMMAND,
++ &request, sizeof(request), &response,
++ sizeof(response), timeout_ms);
+ if (ret < 0)
+ goto out;
+
+--
+2.25.1
+
--- /dev/null
+From 2e4f38f32c5941282fb3f387a6853964e8e7dc90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 18:02:49 +0300
+Subject: stmmac: intel: Fix clock handling on error and remove paths
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 09f012e64e4b8126ed6f02d0a85a57c3a0465cf9 ]
+
+clk_prepare_enable() might fail, we have to check its returned value.
+Besides that we have to call clk_disable_unprepare() on the error and
+remove paths. Do above in the dwmac-intel driver.
+
+While at it, remove leftover in stmmac_pci and remove unneeded condition
+for NULL-aware clk_unregister_fixed_rate() call.
+
+Fixes: 58da0cfa6cf1 ("net: stmmac: create dwmac-intel.c to contain all Intel platform")
+Cc: Voon Weifeng <weifeng.voon@intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/dwmac-intel.c | 20 +++++++++++++++----
+ .../net/ethernet/stmicro/stmmac/stmmac_pci.c | 5 -----
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
+index 2e4aaedb93f5..d163c4b43da0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
+@@ -252,6 +252,7 @@ static void common_default_data(struct plat_stmmacenet_data *plat)
+ static int intel_mgbe_common_data(struct pci_dev *pdev,
+ struct plat_stmmacenet_data *plat)
+ {
++ int ret;
+ int i;
+
+ plat->clk_csr = 5;
+@@ -324,7 +325,12 @@ static int intel_mgbe_common_data(struct pci_dev *pdev,
+ dev_warn(&pdev->dev, "Fail to register stmmac-clk\n");
+ plat->stmmac_clk = NULL;
+ }
+- clk_prepare_enable(plat->stmmac_clk);
++
++ ret = clk_prepare_enable(plat->stmmac_clk);
++ if (ret) {
++ clk_unregister_fixed_rate(plat->stmmac_clk);
++ return ret;
++ }
+
+ /* Set default value for multicast hash bins */
+ plat->multicast_filter_bins = HASH_TABLE_SIZE;
+@@ -657,7 +663,13 @@ static int intel_eth_pci_probe(struct pci_dev *pdev,
+ res.wol_irq = pdev->irq;
+ res.irq = pdev->irq;
+
+- return stmmac_dvr_probe(&pdev->dev, plat, &res);
++ ret = stmmac_dvr_probe(&pdev->dev, plat, &res);
++ if (ret) {
++ clk_disable_unprepare(plat->stmmac_clk);
++ clk_unregister_fixed_rate(plat->stmmac_clk);
++ }
++
++ return ret;
+ }
+
+ /**
+@@ -675,8 +687,8 @@ static void intel_eth_pci_remove(struct pci_dev *pdev)
+
+ stmmac_dvr_remove(&pdev->dev);
+
+- if (priv->plat->stmmac_clk)
+- clk_unregister_fixed_rate(priv->plat->stmmac_clk);
++ clk_disable_unprepare(priv->plat->stmmac_clk);
++ clk_unregister_fixed_rate(priv->plat->stmmac_clk);
+
+ for (i = 0; i < PCI_STD_NUM_BARS; i++) {
+ if (pci_resource_len(pdev, i) == 0)
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+index 3fb21f7ac9fb..272cb47af9f2 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -217,15 +217,10 @@ static int stmmac_pci_probe(struct pci_dev *pdev,
+ */
+ static void stmmac_pci_remove(struct pci_dev *pdev)
+ {
+- struct net_device *ndev = dev_get_drvdata(&pdev->dev);
+- struct stmmac_priv *priv = netdev_priv(ndev);
+ int i;
+
+ stmmac_dvr_remove(&pdev->dev);
+
+- if (priv->plat->stmmac_clk)
+- clk_unregister_fixed_rate(priv->plat->stmmac_clk);
+-
+ for (i = 0; i < PCI_STD_NUM_BARS; i++) {
+ if (pci_resource_len(pdev, i) == 0)
+ continue;
+--
+2.25.1
+
--- /dev/null
+From b8cdf4083a13c68408784a7fc24a268d9f49c5ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2020 15:56:46 -0700
+Subject: string.h: fix incompatibility between FORTIFY_SOURCE and KASAN
+
+From: Daniel Axtens <dja@axtens.net>
+
+[ Upstream commit 47227d27e2fcb01a9e8f5958d8997cf47a820afc ]
+
+The memcmp KASAN self-test fails on a kernel with both KASAN and
+FORTIFY_SOURCE.
+
+When FORTIFY_SOURCE is on, a number of functions are replaced with
+fortified versions, which attempt to check the sizes of the operands.
+However, these functions often directly invoke __builtin_foo() once they
+have performed the fortify check. Using __builtins may bypass KASAN
+checks if the compiler decides to inline it's own implementation as
+sequence of instructions, rather than emit a function call that goes out
+to a KASAN-instrumented implementation.
+
+Why is only memcmp affected?
+============================
+
+Of the string and string-like functions that kasan_test tests, only memcmp
+is replaced by an inline sequence of instructions in my testing on x86
+with gcc version 9.2.1 20191008 (Ubuntu 9.2.1-9ubuntu2).
+
+I believe this is due to compiler heuristics. For example, if I annotate
+kmalloc calls with the alloc_size annotation (and disable some fortify
+compile-time checking!), the compiler will replace every memset except the
+one in kmalloc_uaf_memset with inline instructions. (I have some WIP
+patches to add this annotation.)
+
+Does this affect other functions in string.h?
+=============================================
+
+Yes. Anything that uses __builtin_* rather than __real_* could be
+affected. This looks like:
+
+ - strncpy
+ - strcat
+ - strlen
+ - strlcpy maybe, under some circumstances?
+ - strncat under some circumstances
+ - memset
+ - memcpy
+ - memmove
+ - memcmp (as noted)
+ - memchr
+ - strcpy
+
+Whether a function call is emitted always depends on the compiler. Most
+bugs should get caught by FORTIFY_SOURCE, but the missed memcmp test shows
+that this is not always the case.
+
+Isn't FORTIFY_SOURCE disabled with KASAN?
+========================================-
+
+The string headers on all arches supporting KASAN disable fortify with
+kasan, but only when address sanitisation is _also_ disabled. For example
+from x86:
+
+ #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
+ /*
+ * For files that are not instrumented (e.g. mm/slub.c) we
+ * should use not instrumented version of mem* functions.
+ */
+ #define memcpy(dst, src, len) __memcpy(dst, src, len)
+ #define memmove(dst, src, len) __memmove(dst, src, len)
+ #define memset(s, c, n) __memset(s, c, n)
+
+ #ifndef __NO_FORTIFY
+ #define __NO_FORTIFY /* FORTIFY_SOURCE uses __builtin_memcpy, etc. */
+ #endif
+
+ #endif
+
+This comes from commit 6974f0c4555e ("include/linux/string.h: add the
+option of fortified string.h functions"), and doesn't work when KASAN is
+enabled and the file is supposed to be sanitised - as with test_kasan.c
+
+I'm pretty sure this is not wrong, but not as expansive it should be:
+
+ * we shouldn't use __builtin_memcpy etc in files where we don't have
+ instrumentation - it could devolve into a function call to memcpy,
+ which will be instrumented. Rather, we should use __memcpy which
+ by convention is not instrumented.
+
+ * we also shouldn't be using __builtin_memcpy when we have a KASAN
+ instrumented file, because it could be replaced with inline asm
+ that will not be instrumented.
+
+What is correct behaviour?
+==========================
+
+Firstly, there is some overlap between fortification and KASAN: both
+provide some level of _runtime_ checking. Only fortify provides
+compile-time checking.
+
+KASAN and fortify can pick up different things at runtime:
+
+ - Some fortify functions, notably the string functions, could easily be
+ modified to consider sub-object sizes (e.g. members within a struct),
+ and I have some WIP patches to do this. KASAN cannot detect these
+ because it cannot insert poision between members of a struct.
+
+ - KASAN can detect many over-reads/over-writes when the sizes of both
+ operands are unknown, which fortify cannot.
+
+So there are a couple of options:
+
+ 1) Flip the test: disable fortify in santised files and enable it in
+ unsanitised files. This at least stops us missing KASAN checking, but
+ we lose the fortify checking.
+
+ 2) Make the fortify code always call out to real versions. Do this only
+ for KASAN, for fear of losing the inlining opportunities we get from
+ __builtin_*.
+
+(We can't use kasan_check_{read,write}: because the fortify functions are
+_extern inline_, you can't include _static_ inline functions without a
+compiler warning. kasan_check_{read,write} are static inline so we can't
+use them even when they would otherwise be suitable.)
+
+Take approach 2 and call out to real versions when KASAN is enabled.
+
+Use __underlying_foo to distinguish from __real_foo: __real_foo always
+refers to the kernel's implementation of foo, __underlying_foo could be
+either the kernel implementation or the __builtin_foo implementation.
+
+This is sometimes enough to make the memcmp test succeed with
+FORTIFY_SOURCE enabled. It is at least enough to get the function call
+into the module. One more fix is needed to make it reliable: see the next
+patch.
+
+Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: David Gow <davidgow@google.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Daniel Micay <danielmicay@gmail.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Link: http://lkml.kernel.org/r/20200423154503.5103-3-dja@axtens.net
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/string.h | 60 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 48 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index 6dfbb2efa815..9b7a0632e87a 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -272,6 +272,31 @@ void __read_overflow3(void) __compiletime_error("detected read beyond size of ob
+ void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
+
+ #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
++
++#ifdef CONFIG_KASAN
++extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr);
++extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp);
++extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy);
++extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove);
++extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset);
++extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat);
++extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
++extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
++extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat);
++extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy);
++#else
++#define __underlying_memchr __builtin_memchr
++#define __underlying_memcmp __builtin_memcmp
++#define __underlying_memcpy __builtin_memcpy
++#define __underlying_memmove __builtin_memmove
++#define __underlying_memset __builtin_memset
++#define __underlying_strcat __builtin_strcat
++#define __underlying_strcpy __builtin_strcpy
++#define __underlying_strlen __builtin_strlen
++#define __underlying_strncat __builtin_strncat
++#define __underlying_strncpy __builtin_strncpy
++#endif
++
+ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ {
+ size_t p_size = __builtin_object_size(p, 0);
+@@ -279,14 +304,14 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ __write_overflow();
+ if (p_size < size)
+ fortify_panic(__func__);
+- return __builtin_strncpy(p, q, size);
++ return __underlying_strncpy(p, q, size);
+ }
+
+ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ {
+ size_t p_size = __builtin_object_size(p, 0);
+ if (p_size == (size_t)-1)
+- return __builtin_strcat(p, q);
++ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+ fortify_panic(__func__);
+ return p;
+@@ -300,7 +325,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ /* Work around gcc excess stack consumption issue */
+ if (p_size == (size_t)-1 ||
+ (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0'))
+- return __builtin_strlen(p);
++ return __underlying_strlen(p);
+ ret = strnlen(p, p_size);
+ if (p_size <= ret)
+ fortify_panic(__func__);
+@@ -333,7 +358,7 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ __write_overflow();
+ if (len >= p_size)
+ fortify_panic(__func__);
+- __builtin_memcpy(p, q, len);
++ __underlying_memcpy(p, q, len);
+ p[len] = '\0';
+ }
+ return ret;
+@@ -346,12 +371,12 @@ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+ size_t p_size = __builtin_object_size(p, 0);
+ size_t q_size = __builtin_object_size(q, 0);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+- return __builtin_strncat(p, q, count);
++ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+ copy_len = strnlen(q, count);
+ if (p_size < p_len + copy_len + 1)
+ fortify_panic(__func__);
+- __builtin_memcpy(p + p_len, q, copy_len);
++ __underlying_memcpy(p + p_len, q, copy_len);
+ p[p_len + copy_len] = '\0';
+ return p;
+ }
+@@ -363,7 +388,7 @@ __FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size)
+ __write_overflow();
+ if (p_size < size)
+ fortify_panic(__func__);
+- return __builtin_memset(p, c, size);
++ return __underlying_memset(p, c, size);
+ }
+
+ __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
+@@ -378,7 +403,7 @@ __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
+ }
+ if (p_size < size || q_size < size)
+ fortify_panic(__func__);
+- return __builtin_memcpy(p, q, size);
++ return __underlying_memcpy(p, q, size);
+ }
+
+ __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
+@@ -393,7 +418,7 @@ __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
+ }
+ if (p_size < size || q_size < size)
+ fortify_panic(__func__);
+- return __builtin_memmove(p, q, size);
++ return __underlying_memmove(p, q, size);
+ }
+
+ extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan);
+@@ -419,7 +444,7 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size)
+ }
+ if (p_size < size || q_size < size)
+ fortify_panic(__func__);
+- return __builtin_memcmp(p, q, size);
++ return __underlying_memcmp(p, q, size);
+ }
+
+ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
+@@ -429,7 +454,7 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size)
+ __read_overflow();
+ if (p_size < size)
+ fortify_panic(__func__);
+- return __builtin_memchr(p, c, size);
++ return __underlying_memchr(p, c, size);
+ }
+
+ void *__real_memchr_inv(const void *s, int c, size_t n) __RENAME(memchr_inv);
+@@ -460,11 +485,22 @@ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
+ size_t p_size = __builtin_object_size(p, 0);
+ size_t q_size = __builtin_object_size(q, 0);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+- return __builtin_strcpy(p, q);
++ return __underlying_strcpy(p, q);
+ memcpy(p, q, strlen(q) + 1);
+ return p;
+ }
+
++/* Don't use these outside the FORITFY_SOURCE implementation */
++#undef __underlying_memchr
++#undef __underlying_memcmp
++#undef __underlying_memcpy
++#undef __underlying_memmove
++#undef __underlying_memset
++#undef __underlying_strcat
++#undef __underlying_strcpy
++#undef __underlying_strlen
++#undef __underlying_strncat
++#undef __underlying_strncpy
+ #endif
+
+ /**
+--
+2.25.1
+
--- /dev/null
+From 6878506ee9f1b3df58ed82d8b1f4df013bd65f49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2020 08:43:54 -0700
+Subject: tools api fs: Make xxx__mountpoint() more scalable
+
+From: Stephane Eranian <eranian@google.com>
+
+[ Upstream commit c6fddb28bad26e5472cb7acf7b04cd5126f1a4ab ]
+
+The xxx_mountpoint() interface provided by fs.c finds mount points for
+common pseudo filesystems. The first time xxx_mountpoint() is invoked,
+it scans the mount table (/proc/mounts) looking for a match. If found,
+it is cached. The price to scan /proc/mounts is paid once if the mount
+is found.
+
+When the mount point is not found, subsequent calls to xxx_mountpoint()
+scan /proc/mounts over and over again. There is no caching.
+
+This causes a scaling issue in perf record with hugeltbfs__mountpoint().
+The function is called for each process found in
+synthesize__mmap_events(). If the machine has thousands of processes
+and if the /proc/mounts has many entries this could cause major overhead
+in perf record. We have observed multi-second slowdowns on some
+configurations.
+
+As an example on a laptop:
+
+Before:
+
+ $ sudo umount /dev/hugepages
+ $ strace -e trace=openat -o /tmp/tt perf record -a ls
+ $ fgrep mounts /tmp/tt
+ 285
+
+After:
+
+ $ sudo umount /dev/hugepages
+ $ strace -e trace=openat -o /tmp/tt perf record -a ls
+ $ fgrep mounts /tmp/tt
+ 1
+
+One could argue that the non-caching in case the moint point is not
+found is intentional. That way subsequent calls may discover a moint
+point if the sysadmin mounts the filesystem. But the same argument could
+be made against caching the mount point. It could be unmounted causing
+errors. It all depends on the intent of the interface. This patch
+assumes it is expected to scan /proc/mounts once. The patch documents
+the caching behavior in the fs.h header file.
+
+An alternative would be to just fix perf record. But it would solve the
+problem with hugetlbs__mountpoint() but there could be similar issues
+(possibly down the line) with other xxx_mountpoint() calls in perf or
+other tools.
+
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrey Zhizhikin <andrey.z@gmail.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lore.kernel.org/lkml/20200402154357.107873-3-irogers@google.com
+Signed-off-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/api/fs/fs.c | 17 +++++++++++++++++
+ tools/lib/api/fs/fs.h | 12 ++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c
+index 027b18f7ed8c..82f53d81a7a7 100644
+--- a/tools/lib/api/fs/fs.c
++++ b/tools/lib/api/fs/fs.c
+@@ -90,6 +90,7 @@ struct fs {
+ const char * const *mounts;
+ char path[PATH_MAX];
+ bool found;
++ bool checked;
+ long magic;
+ };
+
+@@ -111,31 +112,37 @@ static struct fs fs__entries[] = {
+ .name = "sysfs",
+ .mounts = sysfs__fs_known_mountpoints,
+ .magic = SYSFS_MAGIC,
++ .checked = false,
+ },
+ [FS__PROCFS] = {
+ .name = "proc",
+ .mounts = procfs__known_mountpoints,
+ .magic = PROC_SUPER_MAGIC,
++ .checked = false,
+ },
+ [FS__DEBUGFS] = {
+ .name = "debugfs",
+ .mounts = debugfs__known_mountpoints,
+ .magic = DEBUGFS_MAGIC,
++ .checked = false,
+ },
+ [FS__TRACEFS] = {
+ .name = "tracefs",
+ .mounts = tracefs__known_mountpoints,
+ .magic = TRACEFS_MAGIC,
++ .checked = false,
+ },
+ [FS__HUGETLBFS] = {
+ .name = "hugetlbfs",
+ .mounts = hugetlbfs__known_mountpoints,
+ .magic = HUGETLBFS_MAGIC,
++ .checked = false,
+ },
+ [FS__BPF_FS] = {
+ .name = "bpf",
+ .mounts = bpf_fs__known_mountpoints,
+ .magic = BPF_FS_MAGIC,
++ .checked = false,
+ },
+ };
+
+@@ -158,6 +165,7 @@ static bool fs__read_mounts(struct fs *fs)
+ }
+
+ fclose(fp);
++ fs->checked = true;
+ return fs->found = found;
+ }
+
+@@ -220,6 +228,7 @@ static bool fs__env_override(struct fs *fs)
+ return false;
+
+ fs->found = true;
++ fs->checked = true;
+ strncpy(fs->path, override_path, sizeof(fs->path) - 1);
+ fs->path[sizeof(fs->path) - 1] = '\0';
+ return true;
+@@ -246,6 +255,14 @@ static const char *fs__mountpoint(int idx)
+ if (fs->found)
+ return (const char *)fs->path;
+
++ /* the mount point was already checked for the mount point
++ * but and did not exist, so return NULL to avoid scanning again.
++ * This makes the found and not found paths cost equivalent
++ * in case of multiple calls.
++ */
++ if (fs->checked)
++ return NULL;
++
+ return fs__get_mountpoint(fs);
+ }
+
+diff --git a/tools/lib/api/fs/fs.h b/tools/lib/api/fs/fs.h
+index 936edb95e1f3..aa222ca30311 100644
+--- a/tools/lib/api/fs/fs.h
++++ b/tools/lib/api/fs/fs.h
+@@ -18,6 +18,18 @@
+ const char *name##__mount(void); \
+ bool name##__configured(void); \
+
++/*
++ * The xxxx__mountpoint() entry points find the first match mount point for each
++ * filesystems listed below, where xxxx is the filesystem type.
++ *
++ * The interface is as follows:
++ *
++ * - If a mount point is found on first call, it is cached and used for all
++ * subsequent calls.
++ *
++ * - If a mount point is not found, NULL is returned on first call and all
++ * subsequent calls.
++ */
+ FS(sysfs)
+ FS(procfs)
+ FS(debugfs)
+--
+2.25.1
+
--- /dev/null
+From a0ab5737997dc85b5e69f6cd1624ab9d68deb8ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2020 14:07:32 -0400
+Subject: tools/power/x86/intel-speed-select: Fix CLX-N package information
+ output
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+[ Upstream commit 28c59ae6965ca0626e3150e2f2863e0f0c810ed7 ]
+
+On CLX-N the perf-profile output is missing the package, die, and cpu
+output. On CLX-N the pkg_dev struct will never be evaluated by the core
+code so pkg_dev.processed is always 0 and the package, die, and cpu
+information is never output.
+
+Set the pkg_dev.processed flag to 1 for CLX-N processors.
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: andriy.shevchenko@linux.intel.com
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: platform-driver-x86@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/intel-speed-select/isst-config.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/power/x86/intel-speed-select/isst-config.c b/tools/power/x86/intel-speed-select/isst-config.c
+index b73763489410..3688f1101ec4 100644
+--- a/tools/power/x86/intel-speed-select/isst-config.c
++++ b/tools/power/x86/intel-speed-select/isst-config.c
+@@ -1169,6 +1169,7 @@ static void dump_clx_n_config_for_cpu(int cpu, void *arg1, void *arg2,
+
+ ctdp_level = &clx_n_pkg_dev.ctdp_level[0];
+ pbf_info = &ctdp_level->pbf_info;
++ clx_n_pkg_dev.processed = 1;
+ isst_ctdp_display_information(cpu, outf, tdp_level, &clx_n_pkg_dev);
+ free_cpu_set(ctdp_level->core_cpumask);
+ free_cpu_set(pbf_info->core_cpumask);
+--
+2.25.1
+
--- /dev/null
+From 74fd6a9ed492a26f41b0708cdb09b41e9a5c7dc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 21:52:46 -0700
+Subject: ubsan: entirely disable alignment checks under UBSAN_TRAP
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 9380ce246a052a1e00121cd480028b6907aeae38 ]
+
+Commit 8d58f222e85f ("ubsan: disable UBSAN_ALIGNMENT under
+COMPILE_TEST") tried to fix the pathological results of UBSAN_ALIGNMENT
+with UBSAN_TRAP (which objtool would rightly scream about), but it made
+an assumption about how COMPILE_TEST gets set (it is not set for
+randconfig). As a result, we need a bigger hammer here: just don't
+allow the alignment checks with the trap mode.
+
+Fixes: 8d58f222e85f ("ubsan: disable UBSAN_ALIGNMENT under COMPILE_TEST")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Elena Petrova <lenaptr@google.com>
+Link: http://lkml.kernel.org/r/202005291236.000FCB6@keescook
+Link: https://lore.kernel.org/lkml/742521db-1e8c-0d7a-1ed4-a908894fb497@infradead.org/
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/Kconfig.ubsan | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
+index 929211039bac..27bcc2568c95 100644
+--- a/lib/Kconfig.ubsan
++++ b/lib/Kconfig.ubsan
+@@ -63,7 +63,7 @@ config UBSAN_SANITIZE_ALL
+ config UBSAN_ALIGNMENT
+ bool "Enable checks for pointers alignment"
+ default !HAVE_EFFICIENT_UNALIGNED_ACCESS
+- depends on !X86 || !COMPILE_TEST
++ depends on !UBSAN_TRAP
+ help
+ This option enables the check of unaligned memory accesses.
+ Enabling this option on architectures that support unaligned
+--
+2.25.1
+
--- /dev/null
+From f5fc639749573e2dfa92b0d57c3605b954a045d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 May 2020 12:49:43 +0200
+Subject: veth: Adjust hard_start offset on redirect XDP frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit 5c8572251fabc5bb49fd623c064e95a9daf6a3e3 ]
+
+When native XDP redirect into a veth device, the frame arrives in the
+xdp_frame structure. It is then processed in veth_xdp_rcv_one(),
+which can run a new XDP bpf_prog on the packet. Doing so requires
+converting xdp_frame to xdp_buff, but the tricky part is that
+xdp_frame memory area is located in the top (data_hard_start) memory
+area that xdp_buff will point into.
+
+The current code tried to protect the xdp_frame area, by assigning
+xdp_buff.data_hard_start past this memory. This results in 32 bytes
+less headroom to expand into via BPF-helper bpf_xdp_adjust_head().
+
+This protect step is actually not needed, because BPF-helper
+bpf_xdp_adjust_head() already reserve this area, and don't allow
+BPF-prog to expand into it. Thus, it is safe to point data_hard_start
+directly at xdp_frame memory area.
+
+Fixes: 9fc8d518d9d5 ("veth: Handle xdp_frames in xdp napi ring")
+Reported-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/bpf/158945338331.97035.5923525383710752178.stgit@firesoul
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index aece0e5eec8c..d5691bb84448 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -564,13 +564,15 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq,
+ struct veth_stats *stats)
+ {
+ void *hard_start = frame->data - frame->headroom;
+- void *head = hard_start - sizeof(struct xdp_frame);
+ int len = frame->len, delta = 0;
+ struct xdp_frame orig_frame;
+ struct bpf_prog *xdp_prog;
+ unsigned int headroom;
+ struct sk_buff *skb;
+
++ /* bpf_xdp_adjust_head() assures BPF cannot access xdp_frame area */
++ hard_start -= sizeof(struct xdp_frame);
++
+ rcu_read_lock();
+ xdp_prog = rcu_dereference(rq->xdp_prog);
+ if (likely(xdp_prog)) {
+@@ -592,7 +594,6 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq,
+ break;
+ case XDP_TX:
+ orig_frame = *frame;
+- xdp.data_hard_start = head;
+ xdp.rxq->mem = frame->mem;
+ if (unlikely(veth_xdp_tx(rq, &xdp, bq) < 0)) {
+ trace_xdp_exception(rq->dev, xdp_prog, act);
+@@ -605,7 +606,6 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq,
+ goto xdp_xmit;
+ case XDP_REDIRECT:
+ orig_frame = *frame;
+- xdp.data_hard_start = head;
+ xdp.rxq->mem = frame->mem;
+ if (xdp_do_redirect(rq->dev, &xdp, xdp_prog)) {
+ frame = &orig_frame;
+@@ -629,7 +629,7 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq,
+ rcu_read_unlock();
+
+ headroom = sizeof(struct xdp_frame) + frame->headroom - delta;
+- skb = veth_build_skb(head, headroom, len, 0);
++ skb = veth_build_skb(hard_start, headroom, len, 0);
+ if (!skb) {
+ xdp_return_frame(frame);
+ stats->rx_drops++;
+--
+2.25.1
+
--- /dev/null
+From 15fa7a27a17dbc2c63d787c1606eefe5e2263e00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 May 2020 05:56:03 +0300
+Subject: wcn36xx: Fix error handling path in 'wcn36xx_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a86308fc534edeceaf64670c691e17485436a4f4 ]
+
+In case of error, 'qcom_wcnss_open_channel()' must be undone by a call to
+'rpmsg_destroy_ept()', as already done in the remove function.
+
+Fixes: 5052de8deff5 ("soc: qcom: smd: Transition client drivers from smd to rpmsg")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200507043619.200051-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index e49c306e0eef..702b689c06df 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -1339,7 +1339,7 @@ static int wcn36xx_probe(struct platform_device *pdev)
+ if (addr && ret != ETH_ALEN) {
+ wcn36xx_err("invalid local-mac-address\n");
+ ret = -EINVAL;
+- goto out_wq;
++ goto out_destroy_ept;
+ } else if (addr) {
+ wcn36xx_info("mac address: %pM\n", addr);
+ SET_IEEE80211_PERM_ADDR(wcn->hw, addr);
+@@ -1347,7 +1347,7 @@ static int wcn36xx_probe(struct platform_device *pdev)
+
+ ret = wcn36xx_platform_get_resources(wcn, pdev);
+ if (ret)
+- goto out_wq;
++ goto out_destroy_ept;
+
+ wcn36xx_init_ieee80211(wcn);
+ ret = ieee80211_register_hw(wcn->hw);
+@@ -1359,6 +1359,8 @@ static int wcn36xx_probe(struct platform_device *pdev)
+ out_unmap:
+ iounmap(wcn->ccu_base);
+ iounmap(wcn->dxe_base);
++out_destroy_ept:
++ rpmsg_destroy_ept(wcn->smd_channel);
+ out_wq:
+ ieee80211_free_hw(hw);
+ out_err:
+--
+2.25.1
+
--- /dev/null
+From 1828b011590db4c947a67edcc37b8ca976ad8b4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2020 16:49:26 -0500
+Subject: x86/boot: Correct relocation destination on old linkers
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 5214028dd89e49ba27007c3ee475279e584261f0 ]
+
+For the 32-bit kernel, as described in
+
+ 6d92bc9d483a ("x86/build: Build compressed x86 kernels as PIE"),
+
+pre-2.26 binutils generates R_386_32 relocations in PIE mode. Since the
+startup code does not perform relocation, any reloc entry with R_386_32
+will remain as 0 in the executing code.
+
+Commit
+
+ 974f221c84b0 ("x86/boot: Move compressed kernel to the end of the
+ decompression buffer")
+
+added a new symbol _end but did not mark it hidden, which doesn't give
+the correct offset on older linkers. This causes the compressed kernel
+to be copied beyond the end of the decompression buffer, rather than
+flush against it. This region of memory may be reserved or already
+allocated for other purposes by the bootloader.
+
+Mark _end as hidden to fix. This changes the relocation from R_386_32 to
+R_386_RELATIVE even on the pre-2.26 binutils.
+
+For 64-bit, this is not strictly necessary, as the 64-bit kernel is only
+built as PIE if the linker supports -z noreloc-overflow, which implies
+binutils-2.27+, but for consistency, mark _end as hidden here too.
+
+The below illustrates the before/after impact of the patch using
+binutils-2.25 and gcc-4.6.4 (locally compiled from source) and QEMU.
+
+ Disassembly before patch:
+ 48: 8b 86 60 02 00 00 mov 0x260(%esi),%eax
+ 4e: 2d 00 00 00 00 sub $0x0,%eax
+ 4f: R_386_32 _end
+ Disassembly after patch:
+ 48: 8b 86 60 02 00 00 mov 0x260(%esi),%eax
+ 4e: 2d 00 f0 76 00 sub $0x76f000,%eax
+ 4f: R_386_RELATIVE *ABS*
+
+Dump from extract_kernel before patch:
+ early console in extract_kernel
+ input_data: 0x0207c098 <--- this is at output + init_size
+ input_len: 0x0074fef1
+ output: 0x01000000
+ output_len: 0x00fa63d0
+ kernel_total_size: 0x0107c000
+ needed_size: 0x0107c000
+
+Dump from extract_kernel after patch:
+ early console in extract_kernel
+ input_data: 0x0190d098 <--- this is at output + init_size - _end
+ input_len: 0x0074fef1
+ output: 0x01000000
+ output_len: 0x00fa63d0
+ kernel_total_size: 0x0107c000
+ needed_size: 0x0107c000
+
+Fixes: 974f221c84b0 ("x86/boot: Move compressed kernel to the end of the decompression buffer")
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200207214926.3564079-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/boot/compressed/head_32.S | 5 +++--
+ arch/x86/boot/compressed/head_64.S | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
+index ab3307036ba4..03557f2174bf 100644
+--- a/arch/x86/boot/compressed/head_32.S
++++ b/arch/x86/boot/compressed/head_32.S
+@@ -49,16 +49,17 @@
+ * Position Independent Executable (PIE) so that linker won't optimize
+ * R_386_GOT32X relocation to its fixed symbol address. Older
+ * linkers generate R_386_32 relocations against locally defined symbols,
+- * _bss, _ebss, _got and _egot, in PIE. It isn't wrong, just less
++ * _bss, _ebss, _got, _egot and _end, in PIE. It isn't wrong, just less
+ * optimal than R_386_RELATIVE. But the x86 kernel fails to properly handle
+ * R_386_32 relocations when relocating the kernel. To generate
+- * R_386_RELATIVE relocations, we mark _bss, _ebss, _got and _egot as
++ * R_386_RELATIVE relocations, we mark _bss, _ebss, _got, _egot and _end as
+ * hidden:
+ */
+ .hidden _bss
+ .hidden _ebss
+ .hidden _got
+ .hidden _egot
++ .hidden _end
+
+ __HEAD
+ SYM_FUNC_START(startup_32)
+diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
+index 4f7e6b84be07..76d1d64d51e3 100644
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -42,6 +42,7 @@
+ .hidden _ebss
+ .hidden _got
+ .hidden _egot
++ .hidden _end
+
+ __HEAD
+ .code32
+--
+2.25.1
+
--- /dev/null
+From 6f4bddb2028daacbae224c0846d980da737dd2cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 21:50:19 -0700
+Subject: x86: fix vmap arguments in map_irq_stack
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 0348801151b5aefbcf9d6e9b9e30aceb3a2a7b13 ]
+
+vmap does not take a gfp_t, the flags argument is for VM_* flags.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Christophe Leroy <christophe.leroy@c-s.fr>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Gao Xiang <xiang@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Michael Kelley <mikelley@microsoft.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Nitin Gupta <ngupta@vflare.org>
+Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: Wei Liu <wei.liu@kernel.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Paul Mackerras <paulus@ozlabs.org>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: http://lkml.kernel.org/r/20200414131348.444715-3-hch@lst.de
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/irq_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
+index 12df3a4abfdd..6b32ab009c19 100644
+--- a/arch/x86/kernel/irq_64.c
++++ b/arch/x86/kernel/irq_64.c
+@@ -43,7 +43,7 @@ static int map_irq_stack(unsigned int cpu)
+ pages[i] = pfn_to_page(pa >> PAGE_SHIFT);
+ }
+
+- va = vmap(pages, IRQ_STACK_SIZE / PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL);
++ va = vmap(pages, IRQ_STACK_SIZE / PAGE_SIZE, VM_MAP, PAGE_KERNEL);
+ if (!va)
+ return -ENOMEM;
+
+--
+2.25.1
+
--- /dev/null
+From aaf4d98de61f08dc095b198c7a18988c4833a328 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 14:37:40 +0300
+Subject: x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit
+
+From: Jon Doron <arilou@gmail.com>
+
+[ Upstream commit f7d31e65368aeef973fab788aa22c4f1d5a6af66 ]
+
+The problem the patch is trying to address is the fact that 'struct
+kvm_hyperv_exit' has different layout on when compiling in 32 and 64 bit
+modes.
+
+In 64-bit mode the default alignment boundary is 64 bits thus
+forcing extra gaps after 'type' and 'msr' but in 32-bit mode the
+boundary is at 32 bits thus no extra gaps.
+
+This is an issue as even when the kernel is 64 bit, the userspace using
+the interface can be both 32 and 64 bit but the same 32 bit userspace has
+to work with 32 bit kernel.
+
+The issue is fixed by forcing the 64 bit layout, this leads to ABI
+change for 32 bit builds and while we are obviously breaking '32 bit
+userspace with 32 bit kernel' case, we're fixing the '32 bit userspace
+with 64 bit kernel' one.
+
+As the interface has no (known) users and 32 bit KVM is rather baroque
+nowadays, this seems like a reasonable decision.
+
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Jon Doron <arilou@gmail.com>
+Message-Id: <20200424113746.3473563-2-arilou@gmail.com>
+Reviewed-by: Roman Kagan <rvkagan@yandex-team.ru>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/virt/kvm/api.rst | 2 ++
+ include/uapi/linux/kvm.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
+index efbbe570aa9b..750d005a75bc 100644
+--- a/Documentation/virt/kvm/api.rst
++++ b/Documentation/virt/kvm/api.rst
+@@ -5067,9 +5067,11 @@ EOI was received.
+ #define KVM_EXIT_HYPERV_SYNIC 1
+ #define KVM_EXIT_HYPERV_HCALL 2
+ __u32 type;
++ __u32 pad1;
+ union {
+ struct {
+ __u32 msr;
++ __u32 pad2;
+ __u64 control;
+ __u64 evt_page;
+ __u64 msg_page;
+diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
+index 428c7dde6b4b..9cdc5356f542 100644
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -189,9 +189,11 @@ struct kvm_hyperv_exit {
+ #define KVM_EXIT_HYPERV_SYNIC 1
+ #define KVM_EXIT_HYPERV_HCALL 2
+ __u32 type;
++ __u32 pad1;
+ union {
+ struct {
+ __u32 msr;
++ __u32 pad2;
+ __u64 control;
+ __u64 evt_page;
+ __u64 msg_page;
+--
+2.25.1
+
--- /dev/null
+From 201f88af6d765e59e4c917e098fd720def649159 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Feb 2020 18:11:20 -0500
+Subject: x86/mm: Stop printing BRK addresses
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 67d631b7c05eff955ccff4139327f0f92a5117e5 ]
+
+This currently leaks kernel physical addresses into userspace.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Dave Hansen <dave.hansen@intel.com>
+Link: https://lkml.kernel.org/r/20200229231120.1147527-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
+index 1bba16c5742b..a573a3e63f02 100644
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -121,8 +121,6 @@ __ref void *alloc_low_pages(unsigned int num)
+ } else {
+ pfn = pgt_buf_end;
+ pgt_buf_end += num;
+- printk(KERN_DEBUG "BRK [%#010lx, %#010lx] PGTABLE\n",
+- pfn << PAGE_SHIFT, (pgt_buf_end << PAGE_SHIFT) - 1);
+ }
+
+ for (i = 0; i < num; i++) {
+--
+2.25.1
+
--- /dev/null
+From 3d4dc8dfafaf9dd027a3fe19dc2c341cb32d3b17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 19:57:59 +0200
+Subject: x86,smap: Fix smap_{save,restore}() alternatives
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 1ff865e343c2b59469d7e41d370a980a3f972c71 ]
+
+As reported by objtool:
+
+ lib/ubsan.o: warning: objtool: .altinstr_replacement+0x0: alternative modifies stack
+ lib/ubsan.o: warning: objtool: .altinstr_replacement+0x7: alternative modifies stack
+
+the smap_{save,restore}() alternatives violate (the newly enforced)
+rule on stack invariance. That is, due to there only being a single
+ORC table it must be valid to any alternative. These alternatives
+violate this with the direct result that unwinds will not be correct
+when it hits between the PUSH and POP instructions.
+
+Rewrite the functions to only have a conditional jump.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lkml.kernel.org/r/20200429101802.GI13592@hirez.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/smap.h | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
+index 27c47d183f4b..8b58d6975d5d 100644
+--- a/arch/x86/include/asm/smap.h
++++ b/arch/x86/include/asm/smap.h
+@@ -57,8 +57,10 @@ static __always_inline unsigned long smap_save(void)
+ {
+ unsigned long flags;
+
+- asm volatile (ALTERNATIVE("", "pushf; pop %0; " __ASM_CLAC,
+- X86_FEATURE_SMAP)
++ asm volatile ("# smap_save\n\t"
++ ALTERNATIVE("jmp 1f", "", X86_FEATURE_SMAP)
++ "pushf; pop %0; " __ASM_CLAC "\n\t"
++ "1:"
+ : "=rm" (flags) : : "memory", "cc");
+
+ return flags;
+@@ -66,7 +68,10 @@ static __always_inline unsigned long smap_save(void)
+
+ static __always_inline void smap_restore(unsigned long flags)
+ {
+- asm volatile (ALTERNATIVE("", "push %0; popf", X86_FEATURE_SMAP)
++ asm volatile ("# smap_restore\n\t"
++ ALTERNATIVE("jmp 1f", "", X86_FEATURE_SMAP)
++ "push %0; popf\n\t"
++ "1:"
+ : : "g" (flags) : "memory", "cc");
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b3c3a73b37cd30da67332ac0605dc7bcd4e469f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 May 2020 14:06:27 -0700
+Subject: xfs: clean up the error handling in xfs_swap_extents
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 8bc3b5e4b70d28f8edcafc3c9e4de515998eea9e ]
+
+Make sure we release resources properly if we cannot clean out the COW
+extents in preparation for an extent swap.
+
+Fixes: 96987eea537d6c ("xfs: cancel COW blocks before swapext")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_bmap_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
+index 4f800f7fe888..cc23a3e23e2d 100644
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -1606,7 +1606,7 @@ xfs_swap_extents(
+ if (xfs_inode_has_cow_data(tip)) {
+ error = xfs_reflink_cancel_cow_range(tip, 0, NULLFILEOFF, true);
+ if (error)
+- return error;
++ goto out_unlock;
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 43e4fcb989b83826ee240837b1fc67e69b1ab7a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 May 2020 13:50:25 -0700
+Subject: xfs: don't fail verifier on empty attr3 leaf block
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit f28cef9e4daca11337cb9f144cdebedaab69d78c ]
+
+The attr fork can transition from shortform to leaf format while
+empty if the first xattr doesn't fit in shortform. While this empty
+leaf block state is intended to be transient, it is technically not
+due to the transactional implementation of the xattr set operation.
+
+We historically have a couple of bandaids to work around this
+problem. The first is to hold the buffer after the format conversion
+to prevent premature writeback of the empty leaf buffer and the
+second is to bypass the xattr count check in the verifier during
+recovery. The latter assumes that the xattr set is also in the log
+and will be recovered into the buffer soon after the empty leaf
+buffer is reconstructed. This is not guaranteed, however.
+
+If the filesystem crashes after the format conversion but before the
+xattr set that induced it, only the format conversion may exist in
+the log. When recovered, this creates a latent corrupted state on
+the inode as any subsequent attempts to read the buffer fail due to
+verifier failure. This includes further attempts to set xattrs on
+the inode or attempts to destroy the attr fork, which prevents the
+inode from ever being removed from the unlinked list.
+
+To avoid this condition, accept that an empty attr leaf block is a
+valid state and remove the count check from the verifier. This means
+that on rare occasions an attr fork might exist in an unexpected
+state, but is otherwise consistent and functional. Note that we
+retain the logic to avoid racing with metadata writeback to reduce
+the window where this can occur.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_attr_leaf.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
+index 1d67cc9f4209..5d0b55281f9d 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.c
++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
+@@ -308,14 +308,6 @@ xfs_attr3_leaf_verify(
+ if (fa)
+ return fa;
+
+- /*
+- * In recovery there is a transient state where count == 0 is valid
+- * because we may have transitioned an empty shortform attr to a leaf
+- * if the attr didn't fit in shortform.
+- */
+- if (!xfs_log_in_recovery(mp) && ichdr.count == 0)
+- return __this_address;
+-
+ /*
+ * firstused is the block offset of the first name info structure.
+ * Make sure it doesn't go off the block or crash into the header.
+@@ -331,6 +323,13 @@ xfs_attr3_leaf_verify(
+ (char *)bp->b_addr + ichdr.firstused)
+ return __this_address;
+
++ /*
++ * NOTE: This verifier historically failed empty leaf buffers because
++ * we expect the fork to be in another format. Empty attr fork format
++ * conversions are possible during xattr set, however, and format
++ * conversion is not atomic with the xattr set that triggers it. We
++ * cannot assume leaf blocks are non-empty until that is addressed.
++ */
+ buf_end = (char *)bp->b_addr + mp->m_attr_geo->blksize;
+ for (i = 0, ent = entries; i < ichdr.count; ent++, i++) {
+ fa = xfs_attr3_leaf_verify_entry(mp, buf_end, leaf, &ichdr,
+--
+2.25.1
+
--- /dev/null
+From 5f9a7807f8fd16e09748d7d3c8982f79b1a0e439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 13:25:22 -0700
+Subject: xfs: fix duplicate verification from xfs_qm_dqflush()
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 629dcb38dc351947ed6a26a997d4b587f3bd5c7e ]
+
+The pre-flush dquot verification in xfs_qm_dqflush() duplicates the
+read verifier by checking the dquot in the on-disk buffer. Instead,
+verify the in-core variant before it is flushed to the buffer.
+
+Fixes: 7224fa482a6d ("xfs: add full xfs_dqblk verifier")
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Allison Collins <allison.henderson@oracle.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_dquot.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/xfs/xfs_dquot.c b/fs/xfs/xfs_dquot.c
+index af2c8e5ceea0..265feb62290d 100644
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1116,13 +1116,12 @@ xfs_qm_dqflush(
+ dqb = bp->b_addr + dqp->q_bufoffset;
+ ddqp = &dqb->dd_diskdq;
+
+- /*
+- * A simple sanity check in case we got a corrupted dquot.
+- */
+- fa = xfs_dqblk_verify(mp, dqb, be32_to_cpu(ddqp->d_id), 0);
++ /* sanity check the in-core structure before we flush */
++ fa = xfs_dquot_verify(mp, &dqp->q_core, be32_to_cpu(dqp->q_core.d_id),
++ 0);
+ if (fa) {
+ xfs_alert(mp, "corrupt dquot ID 0x%x in memory at %pS",
+- be32_to_cpu(ddqp->d_id), fa);
++ be32_to_cpu(dqp->q_core.d_id), fa);
+ xfs_buf_relse(bp);
+ xfs_dqfunlock(dqp);
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+--
+2.25.1
+
--- /dev/null
+From 89b2a4c1356938b54cd2747cd8f3c33f607ec035 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 09:33:11 -0700
+Subject: xfs: more lockdep whackamole with kmem_alloc*
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 6dcde60efd946e38fac8d276a6ca47492103e856 ]
+
+Dave Airlie reported the following lockdep complaint:
+
+> ======================================================
+> WARNING: possible circular locking dependency detected
+> 5.7.0-0.rc5.20200515git1ae7efb38854.1.fc33.x86_64 #1 Not tainted
+> ------------------------------------------------------
+> kswapd0/159 is trying to acquire lock:
+> ffff9b38d01a4470 (&xfs_nondir_ilock_class){++++}-{3:3},
+> at: xfs_ilock+0xde/0x2c0 [xfs]
+>
+> but task is already holding lock:
+> ffffffffbbb8bd00 (fs_reclaim){+.+.}-{0:0}, at:
+> __fs_reclaim_acquire+0x5/0x30
+>
+> which lock already depends on the new lock.
+>
+>
+> the existing dependency chain (in reverse order) is:
+>
+> -> #1 (fs_reclaim){+.+.}-{0:0}:
+> fs_reclaim_acquire+0x34/0x40
+> __kmalloc+0x4f/0x270
+> kmem_alloc+0x93/0x1d0 [xfs]
+> kmem_alloc_large+0x4c/0x130 [xfs]
+> xfs_attr_copy_value+0x74/0xa0 [xfs]
+> xfs_attr_get+0x9d/0xc0 [xfs]
+> xfs_get_acl+0xb6/0x200 [xfs]
+> get_acl+0x81/0x160
+> posix_acl_xattr_get+0x3f/0xd0
+> vfs_getxattr+0x148/0x170
+> getxattr+0xa7/0x240
+> path_getxattr+0x52/0x80
+> do_syscall_64+0x5c/0xa0
+> entry_SYSCALL_64_after_hwframe+0x49/0xb3
+>
+> -> #0 (&xfs_nondir_ilock_class){++++}-{3:3}:
+> __lock_acquire+0x1257/0x20d0
+> lock_acquire+0xb0/0x310
+> down_write_nested+0x49/0x120
+> xfs_ilock+0xde/0x2c0 [xfs]
+> xfs_reclaim_inode+0x3f/0x400 [xfs]
+> xfs_reclaim_inodes_ag+0x20b/0x410 [xfs]
+> xfs_reclaim_inodes_nr+0x31/0x40 [xfs]
+> super_cache_scan+0x190/0x1e0
+> do_shrink_slab+0x184/0x420
+> shrink_slab+0x182/0x290
+> shrink_node+0x174/0x680
+> balance_pgdat+0x2d0/0x5f0
+> kswapd+0x21f/0x510
+> kthread+0x131/0x150
+> ret_from_fork+0x3a/0x50
+>
+> other info that might help us debug this:
+>
+> Possible unsafe locking scenario:
+>
+> CPU0 CPU1
+> ---- ----
+> lock(fs_reclaim);
+> lock(&xfs_nondir_ilock_class);
+> lock(fs_reclaim);
+> lock(&xfs_nondir_ilock_class);
+>
+> *** DEADLOCK ***
+>
+> 4 locks held by kswapd0/159:
+> #0: ffffffffbbb8bd00 (fs_reclaim){+.+.}-{0:0}, at:
+> __fs_reclaim_acquire+0x5/0x30
+> #1: ffffffffbbb7cef8 (shrinker_rwsem){++++}-{3:3}, at:
+> shrink_slab+0x115/0x290
+> #2: ffff9b39f07a50e8
+> (&type->s_umount_key#56){++++}-{3:3}, at: super_cache_scan+0x38/0x1e0
+> #3: ffff9b39f077f258
+> (&pag->pag_ici_reclaim_lock){+.+.}-{3:3}, at:
+> xfs_reclaim_inodes_ag+0x82/0x410 [xfs]
+
+This is a known false positive because inodes cannot simultaneously be
+getting reclaimed and the target of a getxattr operation, but lockdep
+doesn't know that. We can (selectively) shut up lockdep until either
+it gets smarter or we change inode reclaim not to require the ILOCK by
+applying a stupid GFP_NOLOCKDEP bandaid.
+
+Reported-by: Dave Airlie <airlied@gmail.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Tested-by: Dave Airlie <airlied@gmail.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/kmem.h | 6 +++++-
+ fs/xfs/libxfs/xfs_attr_leaf.c | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/kmem.h b/fs/xfs/kmem.h
+index 6143117770e9..11623489b769 100644
+--- a/fs/xfs/kmem.h
++++ b/fs/xfs/kmem.h
+@@ -19,6 +19,7 @@ typedef unsigned __bitwise xfs_km_flags_t;
+ #define KM_NOFS ((__force xfs_km_flags_t)0x0004u)
+ #define KM_MAYFAIL ((__force xfs_km_flags_t)0x0008u)
+ #define KM_ZERO ((__force xfs_km_flags_t)0x0010u)
++#define KM_NOLOCKDEP ((__force xfs_km_flags_t)0x0020u)
+
+ /*
+ * We use a special process flag to avoid recursive callbacks into
+@@ -30,7 +31,7 @@ kmem_flags_convert(xfs_km_flags_t flags)
+ {
+ gfp_t lflags;
+
+- BUG_ON(flags & ~(KM_NOFS|KM_MAYFAIL|KM_ZERO));
++ BUG_ON(flags & ~(KM_NOFS | KM_MAYFAIL | KM_ZERO | KM_NOLOCKDEP));
+
+ lflags = GFP_KERNEL | __GFP_NOWARN;
+ if (flags & KM_NOFS)
+@@ -49,6 +50,9 @@ kmem_flags_convert(xfs_km_flags_t flags)
+ if (flags & KM_ZERO)
+ lflags |= __GFP_ZERO;
+
++ if (flags & KM_NOLOCKDEP)
++ lflags |= __GFP_NOLOCKDEP;
++
+ return lflags;
+ }
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
+index 863444e2dda7..1d67cc9f4209 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.c
++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
+@@ -489,7 +489,7 @@ xfs_attr_copy_value(
+ }
+
+ if (!args->value) {
+- args->value = kmem_alloc_large(valuelen, 0);
++ args->value = kmem_alloc_large(valuelen, KM_NOLOCKDEP);
+ if (!args->value)
+ return -ENOMEM;
+ }
+--
+2.25.1
+
--- /dev/null
+From a5fe6fcc20ac60ae1803d5cffd537d971bb2982a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 13:25:20 -0700
+Subject: xfs: reset buffer write failure state on successful completion
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit b6983e80b03bd4fd42de71993b3ac7403edac758 ]
+
+The buffer write failure flag is intended to control the internal
+write retry that XFS has historically implemented to help mitigate
+the severity of transient I/O errors. The flag is set when a buffer
+is resubmitted from the I/O completion path due to a previous
+failure. It is checked on subsequent I/O completions to skip the
+internal retry and fall through to the higher level configurable
+error handling mechanism. The flag is cleared in the synchronous and
+delwri submission paths and also checked in various places to log
+write failure messages.
+
+There are a couple minor problems with the current usage of this
+flag. One is that we issue an internal retry after every submission
+from xfsaild due to how delwri submission clears the flag. This
+results in double the expected or configured number of write
+attempts when under sustained failures. Another more subtle issue is
+that the flag is never cleared on successful I/O completion. This
+can cause xfs_wait_buftarg() to suggest that dirty buffers are being
+thrown away due to the existence of the flag, when the reality is
+that the flag might still be set because the write succeeded on the
+retry.
+
+Clear the write failure flag on successful I/O completion to address
+both of these problems. This means that the internal retry attempt
+occurs once since the last time a buffer write failed and that
+various other contexts only see the flag set when the immediately
+previous write attempt has failed.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Allison Collins <allison.henderson@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_buf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index 9ec3eaf1c618..afa73a19caa1 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -1197,8 +1197,10 @@ xfs_buf_ioend(
+ bp->b_ops->verify_read(bp);
+ }
+
+- if (!bp->b_error)
++ if (!bp->b_error) {
++ bp->b_flags &= ~XBF_WRITE_FAIL;
+ bp->b_flags |= XBF_DONE;
++ }
+
+ if (bp->b_iodone)
+ (*(bp->b_iodone))(bp);
+@@ -1258,7 +1260,7 @@ xfs_bwrite(
+
+ bp->b_flags |= XBF_WRITE;
+ bp->b_flags &= ~(XBF_ASYNC | XBF_READ | _XBF_DELWRI_Q |
+- XBF_WRITE_FAIL | XBF_DONE);
++ XBF_DONE);
+
+ error = xfs_buf_submit(bp);
+ if (error)
+@@ -1983,7 +1985,7 @@ xfs_buf_delwri_submit_buffers(
+ * synchronously. Otherwise, drop the buffer from the delwri
+ * queue and submit async.
+ */
+- bp->b_flags &= ~(_XBF_DELWRI_Q | XBF_WRITE_FAIL);
++ bp->b_flags &= ~_XBF_DELWRI_Q;
+ bp->b_flags |= XBF_WRITE;
+ if (wait_list) {
+ bp->b_flags &= ~XBF_ASYNC;
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
