--- /dev/null
+From 0eb894a7bc70eccbbeee2a97ad25a4943d459649 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 11:35:20 -0800
+Subject: ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
+
+From: Erik Kaneda <erik.kaneda@intel.com>
+
+[ Upstream commit 5ddbd77181dfca61b16d2e2222382ea65637f1b9 ]
+
+ACPICA commit 29cc8dbc5463a93625bed87d7550a8bed8913bf4
+
+create_buffer_field is a deferred op that is typically processed in
+load pass 2. However, disassembly of control method contents walk the
+parse tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are
+processed in a later walk. This is a problem when there is a control
+method that has the same name as the AML_CREATE object. In this case,
+any use of the name segment will be detected as a method call rather
+than a reference to a buffer field. If this is detected as a method
+call, it can result in a mal-formed parse tree if the control methods
+have parameters.
+
+This change in processing AML_CREATE ops earlier solves this issue by
+inserting the named object in the ACPI namespace so that references
+to this name would be detected as a name string rather than a method
+call.
+
+Link: https://github.com/acpica/acpica/commit/29cc8dbc
+Reported-by: Elia Geretto <elia.f.geretto@gmail.com>
+Tested-by: Elia Geretto <elia.f.geretto@gmail.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/dsfield.c | 2 +-
+ drivers/acpi/acpica/dswload.c | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpica/dsfield.c b/drivers/acpi/acpica/dsfield.c
+index 6a4b603d0e834..10bbf6ca082ab 100644
+--- a/drivers/acpi/acpica/dsfield.c
++++ b/drivers/acpi/acpica/dsfield.c
+@@ -272,7 +272,7 @@ cleanup:
+ * FUNCTION: acpi_ds_get_field_names
+ *
+ * PARAMETERS: info - create_field info structure
+- * ` walk_state - Current method state
++ * walk_state - Current method state
+ * arg - First parser arg for the field name list
+ *
+ * RETURN: Status
+diff --git a/drivers/acpi/acpica/dswload.c b/drivers/acpi/acpica/dswload.c
+index fd34040d4f44a..9c41d2153d0f2 100644
+--- a/drivers/acpi/acpica/dswload.c
++++ b/drivers/acpi/acpica/dswload.c
+@@ -440,6 +440,27 @@ acpi_status acpi_ds_load1_end_op(struct acpi_walk_state *walk_state)
+ ACPI_DEBUG_PRINT((ACPI_DB_DISPATCH, "Op=%p State=%p\n", op,
+ walk_state));
+
++ /*
++ * Disassembler: handle create field operators here.
++ *
++ * create_buffer_field is a deferred op that is typically processed in load
++ * pass 2. However, disassembly of control method contents walk the parse
++ * tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are processed
++ * in a later walk. This is a problem when there is a control method that
++ * has the same name as the AML_CREATE object. In this case, any use of the
++ * name segment will be detected as a method call rather than a reference
++ * to a buffer field.
++ *
++ * This earlier creation during disassembly solves this issue by inserting
++ * the named object in the ACPI namespace so that references to this name
++ * would be a name string rather than a method call.
++ */
++ if ((walk_state->parse_flags & ACPI_PARSE_DISASSEMBLE) &&
++ (walk_state->op_info->flags & AML_CREATE)) {
++ status = acpi_ds_create_buffer_field(op, walk_state);
++ return_ACPI_STATUS(status);
++ }
++
+ /* We are only interested in opcodes that have an associated name */
+
+ if (!(walk_state->op_info->flags & (AML_NAMED | AML_FIELD))) {
+--
+2.20.1
+
--- /dev/null
+From 0180217803eda52b0d962a39bc59c66cfd52561b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jan 2020 19:01:06 +0100
+Subject: ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Große <pegro@friiks.de>
+
+[ Upstream commit ef7d84caa5928b40b1c93a26dbe5a3f12737c6ab ]
+
+Lenovo Thinkpad T420s uses the same codec as T420, so apply the
+same quirk to enable audio output on a docking station.
+
+Signed-off-by: Peter Große <pegro@friiks.de>
+Link: https://lore.kernel.org/r/20200122180106.9351-1-pegro@friiks.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 8557b94e462cb..1e99500dbb6c8 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+ SND_PCI_QUIRK(0x17aa, 0x215f, "Lenovo T510", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21ce, "Lenovo T420", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520", CXT_PINCFG_LENOVO_TP410),
++ SND_PCI_QUIRK(0x17aa, 0x21d2, "Lenovo T420s", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD),
+--
+2.20.1
+
--- /dev/null
+From bdb8f644fc59cea2328a0202de4d436d149c6025 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Jan 2020 15:48:23 +0100
+Subject: ALSA: sh: Fix compile warning wrt const
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit f1dd4795b1523fbca7ab4344dd5a8bb439cc770d ]
+
+A long-standing compile warning was seen during build test:
+ sound/sh/aica.c: In function 'load_aica_firmware':
+ sound/sh/aica.c:521:25: warning: passing argument 2 of 'spu_memload' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
+
+Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device")
+Link: https://lore.kernel.org/r/20200105144823.29547-69-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/sh/aica.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/sh/aica.c b/sound/sh/aica.c
+index fbbc252795599..2a127feb8e293 100644
+--- a/sound/sh/aica.c
++++ b/sound/sh/aica.c
+@@ -117,10 +117,10 @@ static void spu_memset(u32 toi, u32 what, int length)
+ }
+
+ /* spu_memload - write to SPU address space */
+-static void spu_memload(u32 toi, void *from, int length)
++static void spu_memload(u32 toi, const void *from, int length)
+ {
+ unsigned long flags;
+- u32 *froml = from;
++ const u32 *froml = from;
+ u32 __iomem *to = (u32 __iomem *) (SPU_MEMORY_BASE + toi);
+ int i;
+ u32 val;
+--
+2.20.1
+
--- /dev/null
+From 49a7a15d35a17a9e1c449a6524e9328a89f6f214 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 20:42:57 -0700
+Subject: ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit df4654bd6e42125d9b85ce3a26eaca2935290b98 ]
+
+Clang warns:
+
+../sound/usb/usx2y/usX2Yhwdep.c:122:3: warning: misleading indentation;
+statement is not part of the previous 'if' [-Wmisleading-indentation]
+ info->version = USX2Y_DRIVER_VERSION;
+ ^
+../sound/usb/usx2y/usX2Yhwdep.c:120:2: note: previous statement is here
+ if (us428->chip_status & USX2Y_STAT_CHIP_INIT)
+ ^
+1 warning generated.
+
+This warning occurs because there is a space before the tab on this
+line. Remove it so that the indentation is consistent with the Linux
+kernel coding style and clang no longer warns.
+
+This was introduced before the beginning of git history so no fixes tag.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/831
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Link: https://lore.kernel.org/r/20191218034257.54535-1-natechancellor@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/usx2y/usX2Yhwdep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c
+index 0b34dbc8f3020..7dcb33d3886bc 100644
+--- a/sound/usb/usx2y/usX2Yhwdep.c
++++ b/sound/usb/usx2y/usX2Yhwdep.c
+@@ -132,7 +132,7 @@ static int snd_usX2Y_hwdep_dsp_status(struct snd_hwdep *hw,
+ info->num_dsps = 2; // 0: Prepad Data, 1: FPGA Code
+ if (us428->chip_status & USX2Y_STAT_CHIP_INIT)
+ info->chip_ready = 1;
+- info->version = USX2Y_DRIVER_VERSION;
++ info->version = USX2Y_DRIVER_VERSION;
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From c6383d4a694717497f847cbaa8bc2f1a77176f8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2020 13:37:59 +0100
+Subject: ARM: 8951/1: Fix Kexec compilation issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+
+[ Upstream commit 76950f7162cad51d2200ebd22c620c14af38f718 ]
+
+To perform the reserve_crashkernel() operation kexec uses SECTION_SIZE to
+find a memblock in a range.
+SECTION_SIZE is not defined for nommu systems. Trying to compile kexec in
+these conditions results in a build error:
+
+ linux/arch/arm/kernel/setup.c: In function ‘reserve_crashkernel’:
+ linux/arch/arm/kernel/setup.c:1016:25: error: ‘SECTION_SIZE’ undeclared
+ (first use in this function); did you mean ‘SECTIONS_WIDTH’?
+ crash_size, SECTION_SIZE);
+ ^~~~~~~~~~~~
+ SECTIONS_WIDTH
+ linux/arch/arm/kernel/setup.c:1016:25: note: each undeclared identifier
+ is reported only once for each function it appears in
+ linux/scripts/Makefile.build:265: recipe for target 'arch/arm/kernel/setup.o'
+ failed
+
+Make KEXEC depend on MMU to fix the compilation issue.
+
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 74a70f91b01a4..56bd9beb6a35c 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -2020,7 +2020,7 @@ config XIP_PHYS_ADDR
+ config KEXEC
+ bool "Kexec system call (EXPERIMENTAL)"
+ depends on (!SMP || PM_SLEEP_SMP)
+- depends on !CPU_V7M
++ depends on MMU
+ select KEXEC_CORE
+ help
+ kexec is a system call that implements the ability to shutdown your
+--
+2.20.1
+
--- /dev/null
+From 8d0271a18b723a04a29ee748881aca28bc085f86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 01:18:35 +0000
+Subject: arm: dts: allwinner: H3: Add PMU node
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit 0388a110747bec0c9d9de995842bb2a03a26aae1 ]
+
+Add the Performance Monitoring Unit (PMU) device tree node to the H3
+.dtsi, which tells DT users which interrupts are triggered by PMU
+overflow events on each core. The numbers come from the manual and have
+been checked in U-Boot and with perf in Linux.
+
+Tested with perf record and taskset on an OrangePi Zero.
+
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/sun8i-h3.dtsi | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/sun8i-h3.dtsi b/arch/arm/boot/dts/sun8i-h3.dtsi
+index f4ba088b225ed..08d65f252e172 100644
+--- a/arch/arm/boot/dts/sun8i-h3.dtsi
++++ b/arch/arm/boot/dts/sun8i-h3.dtsi
+@@ -60,25 +60,34 @@
+ reg = <0>;
+ };
+
+- cpu@1 {
++ cpu1: cpu@1 {
+ compatible = "arm,cortex-a7";
+ device_type = "cpu";
+ reg = <1>;
+ };
+
+- cpu@2 {
++ cpu2: cpu@2 {
+ compatible = "arm,cortex-a7";
+ device_type = "cpu";
+ reg = <2>;
+ };
+
+- cpu@3 {
++ cpu3: cpu@3 {
+ compatible = "arm,cortex-a7";
+ device_type = "cpu";
+ reg = <3>;
+ };
+ };
+
++ pmu {
++ compatible = "arm,cortex-a7-pmu";
++ interrupts = <GIC_SPI 120 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 121 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 122 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 123 IRQ_TYPE_LEVEL_HIGH>;
++ interrupt-affinity = <&cpu0>, <&cpu1>, <&cpu2>, <&cpu3>;
++ };
++
+ timer {
+ compatible = "arm,armv7-timer";
+ interrupts = <GIC_PPI 13 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_LOW)>,
+--
+2.20.1
+
--- /dev/null
+From 5db65b15cf90db9205e5d5855a34eeb2b7e505a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 14:52:21 +0100
+Subject: ARM: dts: r8a7779: Add device node for ARM global timer
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 8443ffd1bbd5be74e9b12db234746d12e8ea93e2 ]
+
+Add a device node for the global timer, which is part of the Cortex-A9
+MPCore.
+
+The global timer can serve as an accurate (4 ns) clock source for
+scheduling and delay loops.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191211135222.26770-4-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/r8a7779.dtsi | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/arm/boot/dts/r8a7779.dtsi b/arch/arm/boot/dts/r8a7779.dtsi
+index b9bbcce69dfbd..6c6d4893e92d4 100644
+--- a/arch/arm/boot/dts/r8a7779.dtsi
++++ b/arch/arm/boot/dts/r8a7779.dtsi
+@@ -67,6 +67,14 @@
+ <0xf0000100 0x100>;
+ };
+
++ timer@f0000200 {
++ compatible = "arm,cortex-a9-global-timer";
++ reg = <0xf0000200 0x100>;
++ interrupts = <GIC_PPI 11
++ (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
++ clocks = <&cpg_clocks R8A7779_CLK_ZS>;
++ };
++
+ timer@f0000600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0xf0000600 0x20>;
+--
+2.20.1
+
--- /dev/null
+From 9b1def17f0667d8ac714659f64bd056daddc3383 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 12:46:52 -0700
+Subject: arm64: fix alternatives with LLVM's integrated assembler
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+[ Upstream commit c54f90c2627cc316d365e3073614731e17dbc631 ]
+
+LLVM's integrated assembler fails with the following error when
+building KVM:
+
+ <inline asm>:12:6: error: expected absolute expression
+ .if kvm_update_va_mask == 0
+ ^
+ <inline asm>:21:6: error: expected absolute expression
+ .if kvm_update_va_mask == 0
+ ^
+ <inline asm>:24:2: error: unrecognized instruction mnemonic
+ NOT_AN_INSTRUCTION
+ ^
+ LLVM ERROR: Error parsing inline asm
+
+These errors come from ALTERNATIVE_CB and __ALTERNATIVE_CFG,
+which test for the existence of the callback parameter in inline
+assembly using the following expression:
+
+ " .if " __stringify(cb) " == 0\n"
+
+This works with GNU as, but isn't supported by LLVM. This change
+splits __ALTERNATIVE_CFG and ALTINSTR_ENTRY into separate macros
+to fix the LLVM build.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/472
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/alternative.h | 32 ++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/arch/arm64/include/asm/alternative.h b/arch/arm64/include/asm/alternative.h
+index 7e842dcae4509..3626655175a2e 100644
+--- a/arch/arm64/include/asm/alternative.h
++++ b/arch/arm64/include/asm/alternative.h
+@@ -29,13 +29,16 @@ typedef void (*alternative_cb_t)(struct alt_instr *alt,
+ void __init apply_alternatives_all(void);
+ void apply_alternatives(void *start, size_t length);
+
+-#define ALTINSTR_ENTRY(feature,cb) \
++#define ALTINSTR_ENTRY(feature) \
+ " .word 661b - .\n" /* label */ \
+- " .if " __stringify(cb) " == 0\n" \
+ " .word 663f - .\n" /* new instruction */ \
+- " .else\n" \
++ " .hword " __stringify(feature) "\n" /* feature bit */ \
++ " .byte 662b-661b\n" /* source len */ \
++ " .byte 664f-663f\n" /* replacement len */
++
++#define ALTINSTR_ENTRY_CB(feature, cb) \
++ " .word 661b - .\n" /* label */ \
+ " .word " __stringify(cb) "- .\n" /* callback */ \
+- " .endif\n" \
+ " .hword " __stringify(feature) "\n" /* feature bit */ \
+ " .byte 662b-661b\n" /* source len */ \
+ " .byte 664f-663f\n" /* replacement len */
+@@ -56,15 +59,14 @@ void apply_alternatives(void *start, size_t length);
+ *
+ * Alternatives with callbacks do not generate replacement instructions.
+ */
+-#define __ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg_enabled, cb) \
++#define __ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg_enabled) \
+ ".if "__stringify(cfg_enabled)" == 1\n" \
+ "661:\n\t" \
+ oldinstr "\n" \
+ "662:\n" \
+ ".pushsection .altinstructions,\"a\"\n" \
+- ALTINSTR_ENTRY(feature,cb) \
++ ALTINSTR_ENTRY(feature) \
+ ".popsection\n" \
+- " .if " __stringify(cb) " == 0\n" \
+ ".pushsection .altinstr_replacement, \"a\"\n" \
+ "663:\n\t" \
+ newinstr "\n" \
+@@ -72,17 +74,25 @@ void apply_alternatives(void *start, size_t length);
+ ".popsection\n\t" \
+ ".org . - (664b-663b) + (662b-661b)\n\t" \
+ ".org . - (662b-661b) + (664b-663b)\n" \
+- ".else\n\t" \
++ ".endif\n"
++
++#define __ALTERNATIVE_CFG_CB(oldinstr, feature, cfg_enabled, cb) \
++ ".if "__stringify(cfg_enabled)" == 1\n" \
++ "661:\n\t" \
++ oldinstr "\n" \
++ "662:\n" \
++ ".pushsection .altinstructions,\"a\"\n" \
++ ALTINSTR_ENTRY_CB(feature, cb) \
++ ".popsection\n" \
+ "663:\n\t" \
+ "664:\n\t" \
+- ".endif\n" \
+ ".endif\n"
+
+ #define _ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg, ...) \
+- __ALTERNATIVE_CFG(oldinstr, newinstr, feature, IS_ENABLED(cfg), 0)
++ __ALTERNATIVE_CFG(oldinstr, newinstr, feature, IS_ENABLED(cfg))
+
+ #define ALTERNATIVE_CB(oldinstr, cb) \
+- __ALTERNATIVE_CFG(oldinstr, "NOT_AN_INSTRUCTION", ARM64_CB_PATCH, 1, cb)
++ __ALTERNATIVE_CFG_CB(oldinstr, ARM64_CB_PATCH, 1, cb)
+ #else
+
+ #include <asm/assembler.h>
+--
+2.20.1
+
--- /dev/null
+From 80ec26482254ad7bb94190a75976fd811ebbb637 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2020 21:32:42 +0800
+Subject: ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
+
+From: Chen Zhou <chenzhou10@huawei.com>
+
+[ Upstream commit 8fea78029f5e6ed734ae1957bef23cfda1af4354 ]
+
+If CONFIG_SND_ATMEL_SOC_DMA=m, build error:
+
+sound/soc/atmel/atmel_ssc_dai.o: In function `atmel_ssc_set_audio':
+(.text+0x7cd): undefined reference to `atmel_pcm_dma_platform_register'
+
+Function atmel_pcm_dma_platform_register is defined under
+CONFIG SND_ATMEL_SOC_DMA, so select SND_ATMEL_SOC_DMA in
+CONFIG SND_ATMEL_SOC_SSC, same to CONFIG_SND_ATMEL_SOC_PDC.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Chen Zhou <chenzhou10@huawei.com>
+Link: https://lore.kernel.org/r/20200113133242.144550-1-chenzhou10@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/atmel/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/atmel/Kconfig b/sound/soc/atmel/Kconfig
+index 22aec9a1e9a49..838d03a138ca2 100644
+--- a/sound/soc/atmel/Kconfig
++++ b/sound/soc/atmel/Kconfig
+@@ -25,6 +25,8 @@ config SND_ATMEL_SOC_DMA
+
+ config SND_ATMEL_SOC_SSC_DMA
+ tristate
++ select SND_ATMEL_SOC_DMA
++ select SND_ATMEL_SOC_PDC
+
+ config SND_ATMEL_SOC_SSC
+ tristate
+--
+2.20.1
+
--- /dev/null
+From 8ccee200e5830ac0081a7f1856cdbfbfb6cf92a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 00:55:26 +0700
+Subject: b43legacy: Fix -Wcast-function-type
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+[ Upstream commit 475eec112e4267232d10f4afe2f939a241692b6c ]
+
+correct usage prototype of callback in tasklet_init().
+Report by https://github.com/KSPP/linux/issues/20
+
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43legacy/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43legacy/main.c b/drivers/net/wireless/broadcom/b43legacy/main.c
+index 83770d2ea0578..9da8bd7927022 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/main.c
++++ b/drivers/net/wireless/broadcom/b43legacy/main.c
+@@ -1304,8 +1304,9 @@ static void handle_irq_ucode_debug(struct b43legacy_wldev *dev)
+ }
+
+ /* Interrupt handler bottom-half */
+-static void b43legacy_interrupt_tasklet(struct b43legacy_wldev *dev)
++static void b43legacy_interrupt_tasklet(unsigned long data)
+ {
++ struct b43legacy_wldev *dev = (struct b43legacy_wldev *)data;
+ u32 reason;
+ u32 dma_reason[ARRAY_SIZE(dev->dma_reason)];
+ u32 merged_dma_reason = 0;
+@@ -3775,7 +3776,7 @@ static int b43legacy_one_core_attach(struct ssb_device *dev,
+ b43legacy_set_status(wldev, B43legacy_STAT_UNINIT);
+ wldev->bad_frames_preempt = modparam_bad_frames_preempt;
+ tasklet_init(&wldev->isr_tasklet,
+- (void (*)(unsigned long))b43legacy_interrupt_tasklet,
++ b43legacy_interrupt_tasklet,
+ (unsigned long)wldev);
+ if (modparam_pio)
+ wldev->__using_pio = true;
+--
+2.20.1
+
--- /dev/null
+From 0347862eb6e2d9127c19d09849317ccd61e3e9fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Feb 2020 22:42:32 +0800
+Subject: bcache: explicity type cast in bset_bkey_last()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 7c02b0055f774ed9afb6e1c7724f33bf148ffdc0 ]
+
+In bset.h, macro bset_bkey_last() is defined as,
+ bkey_idx((struct bkey *) (i)->d, (i)->keys)
+
+Parameter i can be variable type of data structure, the macro always
+works once the type of struct i has member 'd' and 'keys'.
+
+bset_bkey_last() is also used in macro csum_set() to calculate the
+checksum of a on-disk data structure. When csum_set() is used to
+calculate checksum of on-disk bcache super block, the parameter 'i'
+data type is struct cache_sb_disk. Inside struct cache_sb_disk (also in
+struct cache_sb) the member keys is __u16 type. But bkey_idx() expects
+unsigned int (a 32bit width), so there is problem when sending
+parameters via stack to call bkey_idx().
+
+Sparse tool from Intel 0day kbuild system reports this incompatible
+problem. bkey_idx() is part of user space API, so the simplest fix is
+to cast the (i)->keys to unsigned int type in macro bset_bkey_last().
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/bset.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h
+index b935839ab79c6..f483041eed986 100644
+--- a/drivers/md/bcache/bset.h
++++ b/drivers/md/bcache/bset.h
+@@ -380,7 +380,8 @@ void bch_btree_keys_stats(struct btree_keys *, struct bset_stats *);
+
+ /* Bkey utility code */
+
+-#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, (i)->keys)
++#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, \
++ (unsigned int)(i)->keys)
+
+ static inline struct bkey *bset_bkey_idx(struct bset *i, unsigned idx)
+ {
+--
+2.20.1
+
--- /dev/null
+From d4224e44768e3bb3c797d6372a2c2bcfd2b35a93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 12:58:55 +0300
+Subject: brcmfmac: Fix use after free in brcmf_sdio_readframes()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 216b44000ada87a63891a8214c347e05a4aea8fe ]
+
+The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
+static checker warning:
+
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
+ error: dereferencing freed memory 'pkt'
+
+It looks like there was supposed to be a continue after we free "pkt".
+
+Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index de52d826eb248..998a4bd6db78a 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -1921,6 +1921,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes)
+ BRCMF_SDIO_FT_NORMAL)) {
+ rd->len = 0;
+ brcmu_pkt_buf_free_skb(pkt);
++ continue;
+ }
+ bus->sdcnt.rx_readahead_cnt++;
+ if (rd->len != roundup(rd_new.len, 16)) {
+--
+2.20.1
+
--- /dev/null
+From 9f051261f2d9f41ccb70af85b4617beebc380178 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Feb 2020 19:30:20 +0800
+Subject: brd: check and limit max_part par
+
+From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+
+[ Upstream commit c8ab422553c81a0eb070329c63725df1cd1425bc ]
+
+In brd_init func, rd_nr num of brd_device are firstly allocated
+and add in brd_devices, then brd_devices are traversed to add each
+brd_device by calling add_disk func. When allocating brd_device,
+the disk->first_minor is set to i * max_part, if rd_nr * max_part
+is larger than MINORMASK, two different brd_device may have the same
+devt, then only one of them can be successfully added.
+when rmmod brd.ko, it will cause oops when calling brd_exit.
+
+Follow those steps:
+ # modprobe brd rd_nr=3 rd_size=102400 max_part=1048576
+ # rmmod brd
+then, the oops will appear.
+
+Oops log:
+[ 726.613722] Call trace:
+[ 726.614175] kernfs_find_ns+0x24/0x130
+[ 726.614852] kernfs_find_and_get_ns+0x44/0x68
+[ 726.615749] sysfs_remove_group+0x38/0xb0
+[ 726.616520] blk_trace_remove_sysfs+0x1c/0x28
+[ 726.617320] blk_unregister_queue+0x98/0x100
+[ 726.618105] del_gendisk+0x144/0x2b8
+[ 726.618759] brd_exit+0x68/0x560 [brd]
+[ 726.619501] __arm64_sys_delete_module+0x19c/0x2a0
+[ 726.620384] el0_svc_common+0x78/0x130
+[ 726.621057] el0_svc_handler+0x38/0x78
+[ 726.621738] el0_svc+0x8/0xc
+[ 726.622259] Code: aa0203f6 aa0103f7 aa1e03e0 d503201f (7940e260)
+
+Here, we add brd_check_and_reset_par func to check and limit max_part par.
+
+--
+V5->V6:
+ - remove useless code
+
+V4->V5:(suggested by Ming Lei)
+ - make sure max_part is not larger than DISK_MAX_PARTS
+
+V3->V4:(suggested by Ming Lei)
+ - remove useless change
+ - add one limit of max_part
+
+V2->V3: (suggested by Ming Lei)
+ - clear .minors when running out of consecutive minor space in brd_alloc
+ - remove limit of rd_nr
+
+V1->V2:
+ - add more checks in brd_check_par_valid as suggested by Ming Lei.
+
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: Bob Liu <bob.liu@oracle.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/brd.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/brd.c b/drivers/block/brd.c
+index 0c76d4016eebe..7e35574a17dfc 100644
+--- a/drivers/block/brd.c
++++ b/drivers/block/brd.c
+@@ -581,6 +581,25 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data)
+ return kobj;
+ }
+
++static inline void brd_check_and_reset_par(void)
++{
++ if (unlikely(!max_part))
++ max_part = 1;
++
++ /*
++ * make sure 'max_part' can be divided exactly by (1U << MINORBITS),
++ * otherwise, it is possiable to get same dev_t when adding partitions.
++ */
++ if ((1U << MINORBITS) % max_part != 0)
++ max_part = 1UL << fls(max_part);
++
++ if (max_part > DISK_MAX_PARTS) {
++ pr_info("brd: max_part can't be larger than %d, reset max_part = %d.\n",
++ DISK_MAX_PARTS, DISK_MAX_PARTS);
++ max_part = DISK_MAX_PARTS;
++ }
++}
++
+ static int __init brd_init(void)
+ {
+ struct brd_device *brd, *next;
+@@ -604,8 +623,7 @@ static int __init brd_init(void)
+ if (register_blkdev(RAMDISK_MAJOR, "ramdisk"))
+ return -EIO;
+
+- if (unlikely(!max_part))
+- max_part = 1;
++ brd_check_and_reset_par();
+
+ for (i = 0; i < rd_nr; i++) {
+ brd = brd_alloc(i);
+--
+2.20.1
+
--- /dev/null
+From 7249e5fbba02ea7bc31b1c9bf6dfb3e3f6799778 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jan 2020 11:07:56 +1000
+Subject: cifs: fix NULL dereference in match_prepath
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit fe1292686333d1dadaf84091f585ee903b9ddb84 ]
+
+RHBZ: 1760879
+
+Fix an oops in match_prepath() by making sure that the prepath string is not
+NULL before we pass it into strcmp().
+
+This is similar to other checks we make for example in cifs_root_iget()
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 751bdde6515d5..961fcb40183a4 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2927,8 +2927,10 @@ match_prepath(struct super_block *sb, struct cifs_mnt_data *mnt_data)
+ {
+ struct cifs_sb_info *old = CIFS_SB(sb);
+ struct cifs_sb_info *new = mnt_data->cifs_sb;
+- bool old_set = old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH;
+- bool new_set = new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH;
++ bool old_set = (old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) &&
++ old->prepath;
++ bool new_set = (new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) &&
++ new->prepath;
+
+ if (old_set && new_set && !strcmp(new->prepath, old->prepath))
+ return 1;
+--
+2.20.1
+
--- /dev/null
+From 3b8f5f37ac81ff5a3f0068b7afdf128d5fc6ad29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Feb 2020 10:31:34 -0800
+Subject: clk: qcom: rcg2: Don't crash if our parent can't be found; return an
+ error
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 908b050114d8fefdddc57ec9fbc213c3690e7f5f ]
+
+When I got my clock parenting slightly wrong I ended up with a crash
+that looked like this:
+
+ Unable to handle kernel NULL pointer dereference at virtual
+ address 0000000000000000
+ ...
+ pc : clk_hw_get_rate+0x14/0x44
+ ...
+ Call trace:
+ clk_hw_get_rate+0x14/0x44
+ _freq_tbl_determine_rate+0x94/0xfc
+ clk_rcg2_determine_rate+0x2c/0x38
+ clk_core_determine_round_nolock+0x4c/0x88
+ clk_core_round_rate_nolock+0x6c/0xa8
+ clk_core_round_rate_nolock+0x9c/0xa8
+ clk_core_set_rate_nolock+0x70/0x180
+ clk_set_rate+0x3c/0x6c
+ of_clk_set_defaults+0x254/0x360
+ platform_drv_probe+0x28/0xb0
+ really_probe+0x120/0x2dc
+ driver_probe_device+0x64/0xfc
+ device_driver_attach+0x4c/0x6c
+ __driver_attach+0xac/0xc0
+ bus_for_each_dev+0x84/0xcc
+ driver_attach+0x2c/0x38
+ bus_add_driver+0xfc/0x1d0
+ driver_register+0x64/0xf8
+ __platform_driver_register+0x4c/0x58
+ msm_drm_register+0x5c/0x60
+ ...
+
+It turned out that clk_hw_get_parent_by_index() was returning NULL and
+we weren't checking. Let's check it so that we don't crash.
+
+Fixes: ac269395cdd8 ("clk: qcom: Convert to clk_hw based provider APIs")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Link: https://lkml.kernel.org/r/20200203103049.v4.1.I7487325fe8e701a68a07d3be8a6a4b571eca9cfa@changeid
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/clk-rcg2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c
+index 0ae1b0a66eb55..d8601b138dc1e 100644
+--- a/drivers/clk/qcom/clk-rcg2.c
++++ b/drivers/clk/qcom/clk-rcg2.c
+@@ -194,6 +194,9 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw,
+
+ clk_flags = clk_hw_get_flags(hw);
+ p = clk_hw_get_parent_by_index(hw, index);
++ if (!p)
++ return -EINVAL;
++
+ if (clk_flags & CLK_SET_RATE_PARENT) {
+ if (f->pre_div) {
+ if (!rate)
+--
+2.20.1
+
--- /dev/null
+From 78117a9cd071552cfc1ca2035f5cfd3d996031ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2020 16:04:41 +0300
+Subject: cmd64x: potential buffer overflow in cmd64x_program_timings()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 117fcc3053606d8db5cef8821dca15022ae578bb ]
+
+The "drive->dn" value is a u8 and it is controlled by root only, but
+it could be out of bounds here so let's check.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ide/cmd64x.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ide/cmd64x.c b/drivers/ide/cmd64x.c
+index b127ed60c7336..9dde8390da09b 100644
+--- a/drivers/ide/cmd64x.c
++++ b/drivers/ide/cmd64x.c
+@@ -65,6 +65,9 @@ static void cmd64x_program_timings(ide_drive_t *drive, u8 mode)
+ struct ide_timing t;
+ u8 arttim = 0;
+
++ if (drive->dn >= ARRAY_SIZE(drwtim_regs))
++ return;
++
+ ide_timing_compute(drive, mode, &t, T, 0);
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From d1148ca5ab2e55ab52b16b533e79b90bd30db8a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 09:34:54 +0100
+Subject: cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 45178ac0cea853fe0e405bf11e101bdebea57b15 ]
+
+Paul reported a very sporadic, rcutorture induced, workqueue failure.
+When the planets align, the workqueue rescuer's self-migrate fails and
+then triggers a WARN for running a work on the wrong CPU.
+
+Tejun then figured that set_cpus_allowed_ptr()'s stop_one_cpu() call
+could be ignored! When stopper->enabled is false, stop_machine will
+insta complete the work, without actually doing the work. Worse, it
+will not WARN about this (we really should fix this).
+
+It turns out there is a small window where a freshly online'ed CPU is
+marked 'online' but doesn't yet have the stopper task running:
+
+ BP AP
+
+ bringup_cpu()
+ __cpu_up(cpu, idle) --> start_secondary()
+ ...
+ cpu_startup_entry()
+ bringup_wait_for_ap()
+ wait_for_ap_thread() <-- cpuhp_online_idle()
+ while (1)
+ do_idle()
+
+ ... available to run kthreads ...
+
+ stop_machine_unpark()
+ stopper->enable = true;
+
+Close this by moving the stop_machine_unpark() into
+cpuhp_online_idle(), such that the stopper thread is ready before we
+start the idle loop and schedule.
+
+Reported-by: "Paul E. McKenney" <paulmck@kernel.org>
+Debugged-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: "Paul E. McKenney" <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cpu.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index c2573e858009b..1fbe93fefc1fa 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -515,8 +515,7 @@ static int bringup_wait_for_ap(unsigned int cpu)
+ if (WARN_ON_ONCE((!cpu_online(cpu))))
+ return -ECANCELED;
+
+- /* Unpark the stopper thread and the hotplug thread of the target cpu */
+- stop_machine_unpark(cpu);
++ /* Unpark the hotplug thread of the target cpu */
+ kthread_unpark(st->thread);
+
+ /*
+@@ -1115,8 +1114,8 @@ void notify_cpu_starting(unsigned int cpu)
+
+ /*
+ * Called from the idle task. Wake up the controlling task which brings the
+- * stopper and the hotplug thread of the upcoming CPU up and then delegates
+- * the rest of the online bringup to the hotplug thread.
++ * hotplug thread of the upcoming CPU up and then delegates the rest of the
++ * online bringup to the hotplug thread.
+ */
+ void cpuhp_online_idle(enum cpuhp_state state)
+ {
+@@ -1126,6 +1125,12 @@ void cpuhp_online_idle(enum cpuhp_state state)
+ if (state != CPUHP_AP_ONLINE_IDLE)
+ return;
+
++ /*
++ * Unpart the stopper thread before we start the idle loop (and start
++ * scheduling); this ensures the stopper task is always available.
++ */
++ stop_machine_unpark(smp_processor_id());
++
+ st->state = CPUHP_AP_ONLINE_IDLE;
+ complete(&st->done);
+ }
+--
+2.20.1
+
--- /dev/null
+From 6415a8924a1c5a8bc66913b65bd768b1ad8c7338 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2020 17:57:58 +0000
+Subject: driver core: platform: fix u32 greater or equal to zero comparison
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 0707cfa5c3ef58effb143db9db6d6e20503f9dec ]
+
+Currently the check that a u32 variable i is >= 0 is always true because
+the unsigned variable will never be negative, causing the loop to run
+forever. Fix this by changing the pre-decrement check to a zero check on
+i followed by a decrement of i.
+
+Addresses-Coverity: ("Unsigned compared against 0")
+Fixes: 39cc539f90d0 ("driver core: platform: Prevent resouce overflow from causing infinite loops")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://lore.kernel.org/r/20200116175758.88396-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index 6cdc198965f5a..bef299ef62276 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -418,7 +418,7 @@ int platform_device_add(struct platform_device *pdev)
+ pdev->id = PLATFORM_DEVID_AUTO;
+ }
+
+- while (--i >= 0) {
++ while (i--) {
+ struct resource *r = &pdev->resource[i];
+ if (r->parent)
+ release_resource(r);
+--
+2.20.1
+
--- /dev/null
+From a6595801ca05d4ac6713ab902f359d61f913d91f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 17:41:37 -0500
+Subject: driver core: platform: Prevent resouce overflow from causing infinite
+ loops
+
+From: Simon Schwartz <kern.simon@theschwartz.xyz>
+
+[ Upstream commit 39cc539f90d035a293240c9443af50be55ee81b8 ]
+
+num_resources in the platform_device struct is declared as a u32. The
+for loops that iterate over num_resources use an int as the counter,
+which can cause infinite loops on architectures with smaller ints.
+Change the loop counters to u32.
+
+Signed-off-by: Simon Schwartz <kern.simon@theschwartz.xyz>
+Link: https://lore.kernel.org/r/2201ce63a2a171ffd2ed14e867875316efcf71db.camel@theschwartz.xyz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index f90b1b9bbad0d..6cdc198965f5a 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -28,6 +28,7 @@
+ #include <linux/limits.h>
+ #include <linux/property.h>
+ #include <linux/kmemleak.h>
++#include <linux/types.h>
+
+ #include "base.h"
+ #include "power/power.h"
+@@ -68,7 +69,7 @@ void __weak arch_setup_pdev_archdata(struct platform_device *pdev)
+ struct resource *platform_get_resource(struct platform_device *dev,
+ unsigned int type, unsigned int num)
+ {
+- int i;
++ u32 i;
+
+ for (i = 0; i < dev->num_resources; i++) {
+ struct resource *r = &dev->resource[i];
+@@ -153,7 +154,7 @@ struct resource *platform_get_resource_byname(struct platform_device *dev,
+ unsigned int type,
+ const char *name)
+ {
+- int i;
++ u32 i;
+
+ for (i = 0; i < dev->num_resources; i++) {
+ struct resource *r = &dev->resource[i];
+@@ -350,7 +351,8 @@ EXPORT_SYMBOL_GPL(platform_device_add_properties);
+ */
+ int platform_device_add(struct platform_device *pdev)
+ {
+- int i, ret;
++ u32 i;
++ int ret;
+
+ if (!pdev)
+ return -EINVAL;
+@@ -437,7 +439,7 @@ EXPORT_SYMBOL_GPL(platform_device_add);
+ */
+ void platform_device_del(struct platform_device *pdev)
+ {
+- int i;
++ u32 i;
+
+ if (pdev) {
+ device_remove_properties(&pdev->dev);
+--
+2.20.1
+
--- /dev/null
+From 0a3851110e2402b956f0ee6a1fddadebdbb566a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 14:22:19 +0100
+Subject: driver core: Print device when resources present in really_probe()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 7c35e699c88bd60734277b26962783c60e04b494 ]
+
+If a device already has devres items attached before probing, a warning
+backtrace is printed. However, this backtrace does not reveal the
+offending device, leaving the user uninformed. Furthermore, using
+WARN_ON() causes systems with panic-on-warn to reboot.
+
+Fix this by replacing the WARN_ON() by a dev_crit() message.
+Abort probing the device, to prevent doing more damage to the device's
+resources.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191206132219.28908-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/dd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/dd.c b/drivers/base/dd.c
+index ee25a69630c3a..854d218ea76ac 100644
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -341,7 +341,10 @@ static int really_probe(struct device *dev, struct device_driver *drv)
+ atomic_inc(&probe_count);
+ pr_debug("bus: '%s': %s: probing driver %s with device %s\n",
+ drv->bus->name, __func__, drv->name, dev_name(dev));
+- WARN_ON(!list_empty(&dev->devres_head));
++ if (!list_empty(&dev->devres_head)) {
++ dev_crit(dev, "Resources present before probing\n");
++ return -EBUSY;
++ }
+
+ re_probe:
+ dev->driver = drv;
+--
+2.20.1
+
--- /dev/null
+From 5ff4baaf819fbec85f3eeba9d4c5db03f39db004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2019 21:27:20 +0800
+Subject: drm/amdgpu: remove 4 set but not used variable in
+ amdgpu_atombios_get_connector_info_from_object_table
+
+From: yu kuai <yukuai3@huawei.com>
+
+[ Upstream commit bae028e3e521e8cb8caf2cc16a455ce4c55f2332 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c: In function
+'amdgpu_atombios_get_connector_info_from_object_table':
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:26: warning: variable
+'grph_obj_num' set but not used [-Wunused-but-set-variable]
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:13: warning: variable
+'grph_obj_id' set but not used [-Wunused-but-set-variable]
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:37: warning: variable
+'con_obj_type' set but not used [-Wunused-but-set-variable]
+drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:24: warning: variable
+'con_obj_num' set but not used [-Wunused-but-set-variable]
+
+They are never used, so can be removed.
+
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Signed-off-by: yu kuai <yukuai3@huawei.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+index 26afdffab5a06..ac8885562919d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+@@ -336,17 +336,9 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device *
+ path_size += le16_to_cpu(path->usSize);
+
+ if (device_support & le16_to_cpu(path->usDeviceTag)) {
+- uint8_t con_obj_id, con_obj_num, con_obj_type;
+-
+- con_obj_id =
++ uint8_t con_obj_id =
+ (le16_to_cpu(path->usConnObjectId) & OBJECT_ID_MASK)
+ >> OBJECT_ID_SHIFT;
+- con_obj_num =
+- (le16_to_cpu(path->usConnObjectId) & ENUM_ID_MASK)
+- >> ENUM_ID_SHIFT;
+- con_obj_type =
+- (le16_to_cpu(path->usConnObjectId) &
+- OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT;
+
+ /* Skip TV/CV support */
+ if ((le16_to_cpu(path->usDeviceTag) ==
+@@ -371,14 +363,7 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device *
+ router.ddc_valid = false;
+ router.cd_valid = false;
+ for (j = 0; j < ((le16_to_cpu(path->usSize) - 8) / 2); j++) {
+- uint8_t grph_obj_id, grph_obj_num, grph_obj_type;
+-
+- grph_obj_id =
+- (le16_to_cpu(path->usGraphicObjIds[j]) &
+- OBJECT_ID_MASK) >> OBJECT_ID_SHIFT;
+- grph_obj_num =
+- (le16_to_cpu(path->usGraphicObjIds[j]) &
+- ENUM_ID_MASK) >> ENUM_ID_SHIFT;
++ uint8_t grph_obj_type=
+ grph_obj_type =
+ (le16_to_cpu(path->usGraphicObjIds[j]) &
+ OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT;
+--
+2.20.1
+
--- /dev/null
+From 7952c71319e6fd4f58288572f60d92eb41b09cca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 16:30:48 +0100
+Subject: drm/gma500: Fixup fbdev stolen size usage evaluation
+
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+
+[ Upstream commit fd1a5e521c3c083bb43ea731aae0f8b95f12b9bd ]
+
+psbfb_probe performs an evaluation of the required size from the stolen
+GTT memory, but gets it wrong in two distinct ways:
+- The resulting size must be page-size-aligned;
+- The size to allocate is derived from the surface dimensions, not the fb
+ dimensions.
+
+When two connectors are connected with different modes, the smallest will
+be stored in the fb dimensions, but the size that needs to be allocated must
+match the largest (surface) dimensions. This is what is used in the actual
+allocation code.
+
+Fix this by correcting the evaluation to conform to the two points above.
+It allows correctly switching to 16bpp when one connector is e.g. 1920x1080
+and the other is 1024x768.
+
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191107153048.843881-1-paul.kocialkowski@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/framebuffer.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c
+index 3a44e705db538..d224fc12b7571 100644
+--- a/drivers/gpu/drm/gma500/framebuffer.c
++++ b/drivers/gpu/drm/gma500/framebuffer.c
+@@ -516,6 +516,7 @@ static int psbfb_probe(struct drm_fb_helper *helper,
+ container_of(helper, struct psb_fbdev, psb_fb_helper);
+ struct drm_device *dev = psb_fbdev->psb_fb_helper.dev;
+ struct drm_psb_private *dev_priv = dev->dev_private;
++ unsigned int fb_size;
+ int bytespp;
+
+ bytespp = sizes->surface_bpp / 8;
+@@ -525,8 +526,11 @@ static int psbfb_probe(struct drm_fb_helper *helper,
+ /* If the mode will not fit in 32bit then switch to 16bit to get
+ a console on full resolution. The X mode setting server will
+ allocate its own 32bit GEM framebuffer */
+- if (ALIGN(sizes->fb_width * bytespp, 64) * sizes->fb_height >
+- dev_priv->vram_stolen_size) {
++ fb_size = ALIGN(sizes->surface_width * bytespp, 64) *
++ sizes->surface_height;
++ fb_size = ALIGN(fb_size, PAGE_SIZE);
++
++ if (fb_size > dev_priv->vram_stolen_size) {
+ sizes->surface_bpp = 16;
+ sizes->surface_depth = 16;
+ }
+--
+2.20.1
+
--- /dev/null
+From a717f95d131f51b3ef78da9c856598a93ccf1cc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 13:05:21 +0800
+Subject: drm/mediatek: handle events when enabling/disabling crtc
+
+From: Bibby Hsieh <bibby.hsieh@mediatek.com>
+
+[ Upstream commit 411f5c1eacfebb1f6e40b653d29447cdfe7282aa ]
+
+The driver currently handles vblank events only when updating planes on
+an already enabled CRTC. The atomic update API however allows requesting
+an event when enabling or disabling a CRTC. This currently leads to
+event objects being leaked in the kernel and to events not being sent
+out. Fix it.
+
+Signed-off-by: Bibby Hsieh <bibby.hsieh@mediatek.com>
+Signed-off-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+index 01a21dd835b57..1ed60da76a0ce 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+@@ -306,6 +306,7 @@ err_pm_runtime_put:
+ static void mtk_crtc_ddp_hw_fini(struct mtk_drm_crtc *mtk_crtc)
+ {
+ struct drm_device *drm = mtk_crtc->base.dev;
++ struct drm_crtc *crtc = &mtk_crtc->base;
+ int i;
+
+ DRM_DEBUG_DRIVER("%s\n", __func__);
+@@ -327,6 +328,13 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_drm_crtc *mtk_crtc)
+ mtk_disp_mutex_unprepare(mtk_crtc->mutex);
+
+ pm_runtime_put(drm->dev);
++
++ if (crtc->state->event && !crtc->state->active) {
++ spin_lock_irq(&crtc->dev->event_lock);
++ drm_crtc_send_vblank_event(crtc, crtc->state->event);
++ crtc->state->event = NULL;
++ spin_unlock_irq(&crtc->dev->event_lock);
++ }
+ }
+
+ static void mtk_drm_crtc_enable(struct drm_crtc *crtc)
+--
+2.20.1
+
--- /dev/null
+From 64d9ec392f62a94e9ac829c2bd21264084185c60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2020 14:39:26 +1000
+Subject: drm/nouveau/disp/nv50-: prevent oops when no channel method map
+ provided
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 0e6176c6d286316e9431b4f695940cfac4ffe6c2 ]
+
+The implementations for most channel types contains a map of methods to
+priv registers in order to provide debugging info when a disp exception
+has been raised.
+
+This info is missing from the implementation of PIO channels as they're
+rather simplistic already, however, if an exception is raised by one of
+them, we'd end up triggering a NULL-pointer deref. Not ideal...
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206299
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c
+index 9d90d8b4b7e65..f5a8db1bb8b72 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c
+@@ -72,6 +72,8 @@ nv50_disp_chan_mthd(struct nv50_disp_chan *chan, int debug)
+
+ if (debug > subdev->debug)
+ return;
++ if (!mthd)
++ return;
+
+ for (i = 0; (list = mthd->data[i].mthd) != NULL; i++) {
+ u32 base = chan->head * mthd->addr;
+--
+2.20.1
+
--- /dev/null
+From eb5744cdbd548aa85d787a3e5528a63ead9ad9c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2020 14:32:01 +0800
+Subject: drm/nouveau: Fix copy-paste error in
+ nouveau_fence_wait_uevent_handler
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 1eb013473bff5f95b6fe1ca4dd7deda47257b9c2 ]
+
+Like other cases, it should use rcu protected 'chan' rather
+than 'fence->channel' in nouveau_fence_wait_uevent_handler.
+
+Fixes: 0ec5f02f0e2c ("drm/nouveau: prevent stale fence->channel pointers, and protect with rcu")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c
+index 4bb9ab892ae19..78e521d00251c 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fence.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c
+@@ -158,7 +158,7 @@ nouveau_fence_wait_uevent_handler(struct nvif_notify *notify)
+
+ fence = list_entry(fctx->pending.next, typeof(*fence), head);
+ chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock));
+- if (nouveau_fence_update(fence->channel, fctx))
++ if (nouveau_fence_update(chan, fctx))
+ ret = NVIF_NOTIFY_DROP;
+ }
+ spin_unlock_irqrestore(&fctx->lock, flags);
+--
+2.20.1
+
--- /dev/null
+From b94e6f9d250eacbcc854685994b675104ab5c315 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2020 11:46:15 +1000
+Subject: drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read
+ from fw
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 7adc77aa0e11f25b0e762859219c70852cd8d56f ]
+
+Method init is typically ordered by class in the FW image as ThreeD,
+TwoD, Compute.
+
+Due to a bug in parsing the FW into our internal format, we've been
+accidentally sending Twod + Compute methods to the ThreeD class, as
+well as Compute methods to the TwoD class - oops.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/nouveau/nvkm/engine/gr/gk20a.c | 21 ++++++++++---------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c
+index de8b806b88fd9..7618b2eb4fdfd 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c
+@@ -143,23 +143,24 @@ gk20a_gr_av_to_method(struct gf100_gr *gr, const char *fw_name,
+
+ nent = (fuc.size / sizeof(struct gk20a_fw_av));
+
+- pack = vzalloc((sizeof(*pack) * max_classes) +
+- (sizeof(*init) * (nent + 1)));
++ pack = vzalloc((sizeof(*pack) * (max_classes + 1)) +
++ (sizeof(*init) * (nent + max_classes + 1)));
+ if (!pack) {
+ ret = -ENOMEM;
+ goto end;
+ }
+
+- init = (void *)(pack + max_classes);
++ init = (void *)(pack + max_classes + 1);
+
+- for (i = 0; i < nent; i++) {
+- struct gf100_gr_init *ent = &init[i];
++ for (i = 0; i < nent; i++, init++) {
+ struct gk20a_fw_av *av = &((struct gk20a_fw_av *)fuc.data)[i];
+ u32 class = av->addr & 0xffff;
+ u32 addr = (av->addr & 0xffff0000) >> 14;
+
+ if (prevclass != class) {
+- pack[classidx].init = ent;
++ if (prevclass) /* Add terminator to the method list. */
++ init++;
++ pack[classidx].init = init;
+ pack[classidx].type = class;
+ prevclass = class;
+ if (++classidx >= max_classes) {
+@@ -169,10 +170,10 @@ gk20a_gr_av_to_method(struct gf100_gr *gr, const char *fw_name,
+ }
+ }
+
+- ent->addr = addr;
+- ent->data = av->data;
+- ent->count = 1;
+- ent->pitch = 1;
++ init->addr = addr;
++ init->data = av->data;
++ init->count = 1;
++ init->pitch = 1;
+ }
+
+ *ppack = pack;
+--
+2.20.1
+
--- /dev/null
+From d00f62d57c43529d2745aa38748439cdfe422d00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2019 23:37:58 -0500
+Subject: drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 40efb09a7f53125719e49864da008495e39aaa1e ]
+
+In vmw_cmdbuf_res_add if drm_ht_insert_item fails the allocated memory
+for cres should be released.
+
+Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c
+index 1f013d45c9e9a..0c7c3005594cc 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c
+@@ -210,8 +210,10 @@ int vmw_cmdbuf_res_add(struct vmw_cmdbuf_res_manager *man,
+
+ cres->hash.key = user_key | (res_type << 24);
+ ret = drm_ht_insert_item(&man->resources, &cres->hash);
+- if (unlikely(ret != 0))
++ if (unlikely(ret != 0)) {
++ kfree(cres);
+ goto out_invalid_key;
++ }
+
+ cres->state = VMW_CMDBUF_RES_ADD;
+ cres->res = vmw_resource_reference(res);
+--
+2.20.1
+
--- /dev/null
+From 9c28ff2d1fef539c6f3a02899609b414b04a7d34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jan 2020 12:39:37 +0100
+Subject: efi/x86: Map the entire EFI vendor string before copying it
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit ffc2760bcf2dba0dbef74013ed73eea8310cc52c ]
+
+Fix a couple of issues with the way we map and copy the vendor string:
+- we map only 2 bytes, which usually works since you get at least a
+ page, but if the vendor string happens to cross a page boundary,
+ a crash will result
+- only call early_memunmap() if early_memremap() succeeded, or we will
+ call it with a NULL address which it doesn't like,
+- while at it, switch to early_memremap_ro(), and array indexing rather
+ than pointer dereferencing to read the CHAR16 characters.
+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Arvind Sankar <nivedita@alum.mit.edu>
+Cc: Matthew Garrett <mjg59@google.com>
+Cc: linux-efi@vger.kernel.org
+Fixes: 5b83683f32b1 ("x86: EFI runtime service support")
+Link: https://lkml.kernel.org/r/20200103113953.9571-5-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/efi.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index b6669d326545a..f08abdf8bb676 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -478,7 +478,6 @@ void __init efi_init(void)
+ efi_char16_t *c16;
+ char vendor[100] = "unknown";
+ int i = 0;
+- void *tmp;
+
+ #ifdef CONFIG_X86_32
+ if (boot_params.efi_info.efi_systab_hi ||
+@@ -503,14 +502,16 @@ void __init efi_init(void)
+ /*
+ * Show what we know for posterity
+ */
+- c16 = tmp = early_memremap(efi.systab->fw_vendor, 2);
++ c16 = early_memremap_ro(efi.systab->fw_vendor,
++ sizeof(vendor) * sizeof(efi_char16_t));
+ if (c16) {
+- for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
+- vendor[i] = *c16++;
++ for (i = 0; i < sizeof(vendor) - 1 && c16[i]; ++i)
++ vendor[i] = c16[i];
+ vendor[i] = '\0';
+- } else
++ early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t));
++ } else {
+ pr_err("Could not map the firmware vendor!\n");
+- early_memunmap(tmp, 2);
++ }
+
+ pr_info("EFI v%u.%.02u by %s\n",
+ efi.systab->hdr.revision >> 16,
+--
+2.20.1
+
--- /dev/null
+From 796b458c7819085d46f7ed5a281ee43d6af6010e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 20:46:12 +0800
+Subject: ext4, jbd2: ensure panic when aborting with zero errno
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 ]
+
+JBD2_REC_ERR flag used to indicate the errno has been updated when jbd2
+aborted, and then __ext4_abort() and ext4_handle_error() can invoke
+panic if ERRORS_PANIC is specified. But if the journal has been aborted
+with zero errno, jbd2_journal_abort() didn't set this flag so we can
+no longer panic. Fix this by always record the proper errno in the
+journal superblock.
+
+Fixes: 4327ba52afd03 ("ext4, jbd2: ensure entering into panic after recording an error in superblock")
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/checkpoint.c | 2 +-
+ fs/jbd2/journal.c | 15 ++++-----------
+ 2 files changed, 5 insertions(+), 12 deletions(-)
+
+diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c
+index 4d5a5a4cc017c..addb0784dd1c4 100644
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -168,7 +168,7 @@ void __jbd2_log_wait_for_space(journal_t *journal)
+ "journal space in %s\n", __func__,
+ journal->j_devname);
+ WARN_ON(1);
+- jbd2_journal_abort(journal, 0);
++ jbd2_journal_abort(journal, -EIO);
+ }
+ write_lock(&journal->j_state_lock);
+ } else {
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index 40c754854b29e..efc8cfd060730 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -2100,12 +2100,10 @@ static void __journal_abort_soft (journal_t *journal, int errno)
+
+ __jbd2_journal_abort_hard(journal);
+
+- if (errno) {
+- jbd2_journal_update_sb_errno(journal);
+- write_lock(&journal->j_state_lock);
+- journal->j_flags |= JBD2_REC_ERR;
+- write_unlock(&journal->j_state_lock);
+- }
++ jbd2_journal_update_sb_errno(journal);
++ write_lock(&journal->j_state_lock);
++ journal->j_flags |= JBD2_REC_ERR;
++ write_unlock(&journal->j_state_lock);
+ }
+
+ /**
+@@ -2147,11 +2145,6 @@ static void __journal_abort_soft (journal_t *journal, int errno)
+ * failure to disk. ext3_error, for example, now uses this
+ * functionality.
+ *
+- * Errors which originate from within the journaling layer will NOT
+- * supply an errno; a null errno implies that absolutely no further
+- * writes are done to the journal (unless there are any already in
+- * progress).
+- *
+ */
+
+ void jbd2_journal_abort(journal_t *journal, int errno)
+--
+2.20.1
+
--- /dev/null
+From 6f91e39a064c8cde655223ddf042af906e062d37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jan 2020 10:02:56 +0300
+Subject: ftrace: fpid_next() should increase position index
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+[ Upstream commit e4075e8bdffd93a9b6d6e1d52fabedceeca5a91b ]
+
+if seq_file .next fuction does not change position index,
+read after some lseek can generate unexpected output.
+
+Without patch:
+ # dd bs=4 skip=1 if=/sys/kernel/tracing/set_ftrace_pid
+ dd: /sys/kernel/tracing/set_ftrace_pid: cannot skip to specified offset
+ id
+ no pid
+ 2+1 records in
+ 2+1 records out
+ 10 bytes copied, 0.000213285 s, 46.9 kB/s
+
+Notice the "id" followed by "no pid".
+
+With the patch:
+ # dd bs=4 skip=1 if=/sys/kernel/tracing/set_ftrace_pid
+ dd: /sys/kernel/tracing/set_ftrace_pid: cannot skip to specified offset
+ id
+ 0+1 records in
+ 0+1 records out
+ 3 bytes copied, 0.000202112 s, 14.8 kB/s
+
+Notice that it only prints "id" and not the "no pid" afterward.
+
+Link: http://lkml.kernel.org/r/4f87c6ad-f114-30bb-8506-c32274ce2992@virtuozzo.com
+
+https://bugzilla.kernel.org/show_bug.cgi?id=206283
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ftrace.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 71a40e5c3a9f0..2ae98f8bce81b 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5455,9 +5455,10 @@ static void *fpid_next(struct seq_file *m, void *v, loff_t *pos)
+ struct trace_array *tr = m->private;
+ struct trace_pid_list *pid_list = rcu_dereference_sched(tr->function_pids);
+
+- if (v == FTRACE_NO_PIDS)
++ if (v == FTRACE_NO_PIDS) {
++ (*pos)++;
+ return NULL;
+-
++ }
+ return trace_pid_next(pid_list, v, pos);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 8328f7072f1e4c14d7c5832c577a876b2487385b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Dec 2019 15:30:45 +0200
+Subject: gianfar: Fix TX timestamping with a stacked DSA driver
+
+From: Vladimir Oltean <olteanv@gmail.com>
+
+[ Upstream commit c26a2c2ddc0115eb088873f5c309cf46b982f522 ]
+
+The driver wrongly assumes that it is the only entity that can set the
+SKBTX_IN_PROGRESS bit of the current skb. Therefore, in the
+gfar_clean_tx_ring function, where the TX timestamp is collected if
+necessary, the aforementioned bit is used to discriminate whether or not
+the TX timestamp should be delivered to the socket's error queue.
+
+But a stacked driver such as a DSA switch can also set the
+SKBTX_IN_PROGRESS bit, which is actually exactly what it should do in
+order to denote that the hardware timestamping process is undergoing.
+
+Therefore, gianfar would misinterpret the "in progress" bit as being its
+own, and deliver a second skb clone in the socket's error queue,
+completely throwing off a PTP process which is not expecting to receive
+it, _even though_ TX timestamping is not enabled for gianfar.
+
+There have been discussions [0] as to whether non-MAC drivers need or
+not to set SKBTX_IN_PROGRESS at all (whose purpose is to avoid sending 2
+timestamps, a sw and a hw one, to applications which only expect one).
+But as of this patch, there are at least 2 PTP drivers that would break
+in conjunction with gianfar: the sja1105 DSA switch and the felix
+switch, by way of its ocelot core driver.
+
+So regardless of that conclusion, fix the gianfar driver to not do stuff
+based on flags set by others and not intended for it.
+
+[0]: https://www.spinics.net/lists/netdev/msg619699.html
+
+Fixes: f0ee7acfcdd4 ("gianfar: Add hardware TX timestamping support")
+Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/gianfar.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
+index 60bd1b36df606..b665d27f8e299 100644
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -2688,13 +2688,17 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue)
+ skb_dirtytx = tx_queue->skb_dirtytx;
+
+ while ((skb = tx_queue->tx_skbuff[skb_dirtytx])) {
++ bool do_tstamp;
++
++ do_tstamp = (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) &&
++ priv->hwts_tx_en;
+
+ frags = skb_shinfo(skb)->nr_frags;
+
+ /* When time stamping, one additional TxBD must be freed.
+ * Also, we need to dma_unmap_single() the TxPAL.
+ */
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS))
++ if (unlikely(do_tstamp))
+ nr_txbds = frags + 2;
+ else
+ nr_txbds = frags + 1;
+@@ -2708,7 +2712,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue)
+ (lstatus & BD_LENGTH_MASK))
+ break;
+
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
++ if (unlikely(do_tstamp)) {
+ next = next_txbd(bdp, base, tx_ring_size);
+ buflen = be16_to_cpu(next->length) +
+ GMAC_FCB_LEN + GMAC_TXPAL_LEN;
+@@ -2718,7 +2722,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue)
+ dma_unmap_single(priv->dev, be32_to_cpu(bdp->bufPtr),
+ buflen, DMA_TO_DEVICE);
+
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
++ if (unlikely(do_tstamp)) {
+ struct skb_shared_hwtstamps shhwtstamps;
+ u64 *ns = (u64 *)(((uintptr_t)skb->data + 0x10) &
+ ~0x7UL);
+--
+2.20.1
+
--- /dev/null
+From 2058623ba86f779eb982d4c3f853e8df9f0837c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 21:26:05 +0800
+Subject: gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in
+ grgpio_irq_map/unmap()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit e36eaf94be8f7bc4e686246eed3cf92d845e2ef8 ]
+
+The driver may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+drivers/gpio/gpio-grgpio.c, 261:
+ request_irq in grgpio_irq_map
+drivers/gpio/gpio-grgpio.c, 255:
+ _raw_spin_lock_irqsave in grgpio_irq_map
+
+drivers/gpio/gpio-grgpio.c, 318:
+ free_irq in grgpio_irq_unmap
+drivers/gpio/gpio-grgpio.c, 299:
+ _raw_spin_lock_irqsave in grgpio_irq_unmap
+
+request_irq() and free_irq() can sleep at runtime.
+
+To fix these bugs, request_irq() and free_irq() are called without
+holding the spinlock.
+
+These bugs are found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Link: https://lore.kernel.org/r/20191218132605.10594-1-baijiaju1990@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-grgpio.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c
+index 7847dd34f86fc..036a78b704270 100644
+--- a/drivers/gpio/gpio-grgpio.c
++++ b/drivers/gpio/gpio-grgpio.c
+@@ -259,17 +259,16 @@ static int grgpio_irq_map(struct irq_domain *d, unsigned int irq,
+ lirq->irq = irq;
+ uirq = &priv->uirqs[lirq->index];
+ if (uirq->refcnt == 0) {
++ spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags);
+ ret = request_irq(uirq->uirq, grgpio_irq_handler, 0,
+ dev_name(priv->dev), priv);
+ if (ret) {
+ dev_err(priv->dev,
+ "Could not request underlying irq %d\n",
+ uirq->uirq);
+-
+- spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags);
+-
+ return ret;
+ }
++ spin_lock_irqsave(&priv->gc.bgpio_lock, flags);
+ }
+ uirq->refcnt++;
+
+@@ -315,8 +314,11 @@ static void grgpio_irq_unmap(struct irq_domain *d, unsigned int irq)
+ if (index >= 0) {
+ uirq = &priv->uirqs[lirq->index];
+ uirq->refcnt--;
+- if (uirq->refcnt == 0)
++ if (uirq->refcnt == 0) {
++ spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags);
+ free_irq(uirq->uirq, priv);
++ return;
++ }
+ }
+
+ spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags);
+--
+2.20.1
+
--- /dev/null
+From 930a7e5de3cf3b0a1d2ad4bfdce2638bbbdd641e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jan 2020 09:10:47 +0300
+Subject: help_next should increase position index
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+[ Upstream commit 9f198a2ac543eaaf47be275531ad5cbd50db3edf ]
+
+if seq_file .next fuction does not change position index,
+read after some lseek can generate unexpected output.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=206283
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index 0748a26598fca..7d7df003f9d8d 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -304,6 +304,7 @@ static void *help_start(struct seq_file *m, loff_t *pos)
+
+ static void *help_next(struct seq_file *m, void *v, loff_t *pos)
+ {
++ (*pos)++;
+ gossip_debug(GOSSIP_DEBUGFS_DEBUG, "help_next: start\n");
+
+ return NULL;
+--
+2.20.1
+
--- /dev/null
+From 92c4868dc5014007d4a8128d8e2b00bef3f07e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 18:15:46 -0700
+Subject: hostap: Adjust indentation in prism2_hostapd_add_sta
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit b61156fba74f659d0bc2de8f2dbf5bad9f4b8faf ]
+
+Clang warns:
+
+../drivers/net/wireless/intersil/hostap/hostap_ap.c:2511:3: warning:
+misleading indentation; statement is not part of the previous 'if'
+[-Wmisleading-indentation]
+ if (sta->tx_supp_rates & WLAN_RATE_5M5)
+ ^
+../drivers/net/wireless/intersil/hostap/hostap_ap.c:2509:2: note:
+previous statement is here
+ if (sta->tx_supp_rates & WLAN_RATE_2M)
+ ^
+1 warning generated.
+
+This warning occurs because there is a space before the tab on this
+line. Remove it so that the indentation is consistent with the Linux
+kernel coding style and clang no longer warns.
+
+Fixes: ff1d2767d5a4 ("Add HostAP wireless driver.")
+Link: https://github.com/ClangBuiltLinux/linux/issues/813
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intersil/hostap/hostap_ap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intersil/hostap/hostap_ap.c b/drivers/net/wireless/intersil/hostap/hostap_ap.c
+index c995ace153ee6..30171d4c47187 100644
+--- a/drivers/net/wireless/intersil/hostap/hostap_ap.c
++++ b/drivers/net/wireless/intersil/hostap/hostap_ap.c
+@@ -2570,7 +2570,7 @@ static int prism2_hostapd_add_sta(struct ap_data *ap,
+ sta->supported_rates[0] = 2;
+ if (sta->tx_supp_rates & WLAN_RATE_2M)
+ sta->supported_rates[1] = 4;
+- if (sta->tx_supp_rates & WLAN_RATE_5M5)
++ if (sta->tx_supp_rates & WLAN_RATE_5M5)
+ sta->supported_rates[2] = 11;
+ if (sta->tx_supp_rates & WLAN_RATE_11M)
+ sta->supported_rates[3] = 22;
+--
+2.20.1
+
--- /dev/null
+From ce08f8294134cfad13fbae439ed5db5858e1c4f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2020 16:06:07 +0300
+Subject: ide: serverworks: potential overflow in svwks_set_pio_mode()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ce1f31b4c0b9551dd51874dd5364654ed4ca13ae ]
+
+The "drive->dn" variable is a u8 controlled by root.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ide/serverworks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/ide/serverworks.c b/drivers/ide/serverworks.c
+index a97affca18abe..0f57d45484d1d 100644
+--- a/drivers/ide/serverworks.c
++++ b/drivers/ide/serverworks.c
+@@ -114,6 +114,9 @@ static void svwks_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive)
+ struct pci_dev *dev = to_pci_dev(hwif->dev);
+ const u8 pio = drive->pio_mode - XFER_PIO_0;
+
++ if (drive->dn >= ARRAY_SIZE(drive_pci))
++ return;
++
+ pci_write_config_byte(dev, drive_pci[drive->dn], pio_modes[pio]);
+
+ if (svwks_csb_check(dev)) {
+@@ -140,6 +143,9 @@ static void svwks_set_dma_mode(ide_hwif_t *hwif, ide_drive_t *drive)
+
+ u8 ultra_enable = 0, ultra_timing = 0, dma_timing = 0;
+
++ if (drive->dn >= ARRAY_SIZE(drive_pci2))
++ return;
++
+ pci_read_config_byte(dev, (0x56|hwif->channel), &ultra_timing);
+ pci_read_config_byte(dev, 0x54, &ultra_enable);
+
+--
+2.20.1
+
--- /dev/null
+From 996983ad48bd9f05131ef057b019444bb9413498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2020 17:03:21 -0800
+Subject: Input: edt-ft5x06 - work around first register access error
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit e112324cc0422c046f1cf54c56f333d34fa20885 ]
+
+The EP0700MLP1 returns bogus data on the first register read access
+(reading the threshold parameter from register 0x00):
+
+ edt_ft5x06 2-0038: crc error: 0xfc expected, got 0x40
+
+It ignores writes until then. This patch adds a dummy read after which
+the number of sensors and parameter read/writes work correctly.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Tested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/edt-ft5x06.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c
+index 28466e358fee1..22c8d2070faac 100644
+--- a/drivers/input/touchscreen/edt-ft5x06.c
++++ b/drivers/input/touchscreen/edt-ft5x06.c
+@@ -887,6 +887,7 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client,
+ {
+ const struct edt_i2c_chip_data *chip_data;
+ struct edt_ft5x06_ts_data *tsdata;
++ u8 buf[2] = { 0xfc, 0x00 };
+ struct input_dev *input;
+ unsigned long irq_flags;
+ int error;
+@@ -956,6 +957,12 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client,
+ return error;
+ }
+
++ /*
++ * Dummy read access. EP0700MLP1 returns bogus data on the first
++ * register read access and ignores writes.
++ */
++ edt_ft5x06_ts_readwrite(tsdata->client, 2, buf, 2, buf);
++
+ edt_ft5x06_ts_set_regs(tsdata);
+ edt_ft5x06_ts_get_defaults(&client->dev, tsdata);
+ edt_ft5x06_ts_get_parameters(tsdata);
+--
+2.20.1
+
--- /dev/null
+From cdf79f3346a77cc372269257a9ce0503e7421bbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2020 15:21:47 +0000
+Subject: iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit d71e01716b3606a6648df7e5646ae12c75babde4 ]
+
+If, for some bizarre reason, the compiler decided to split up the write
+of STE DWORD 0, we could end up making a partial structure valid.
+
+Although this probably won't happen, follow the example of the
+context-descriptor code and use WRITE_ONCE() to ensure atomicity of the
+write.
+
+Reported-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm-smmu-v3.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index 7bd98585d78d2..48d3820087881 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -1103,7 +1103,8 @@ static void arm_smmu_write_strtab_ent(struct arm_smmu_device *smmu, u32 sid,
+ }
+
+ arm_smmu_sync_ste_for_sid(smmu, sid);
+- dst[0] = cpu_to_le64(val);
++ /* See comment in arm_smmu_write_ctx_desc() */
++ WRITE_ONCE(dst[0], cpu_to_le64(val));
+ arm_smmu_sync_ste_for_sid(smmu, sid);
+
+ /* It's likely that we'll want to use the new STE soon */
+--
+2.20.1
+
--- /dev/null
+From a4212856526cf8f570446ae7a254fe832095f193 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 00:55:27 +0700
+Subject: ipw2x00: Fix -Wcast-function-type
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+[ Upstream commit ebd77feb27e91bb5fe35a7818b7c13ea7435fb98 ]
+
+correct usage prototype of callback in tasklet_init().
+Report by https://github.com/KSPP/linux/issues/20
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/ipw2x00/ipw2100.c | 7 ++++---
+ drivers/net/wireless/intel/ipw2x00/ipw2200.c | 5 +++--
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2100.c b/drivers/net/wireless/intel/ipw2x00/ipw2100.c
+index bfa542c8d6f1a..86c84b11218db 100644
+--- a/drivers/net/wireless/intel/ipw2x00/ipw2100.c
++++ b/drivers/net/wireless/intel/ipw2x00/ipw2100.c
+@@ -3220,8 +3220,9 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv)
+ }
+ }
+
+-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv)
++static void ipw2100_irq_tasklet(unsigned long data)
+ {
++ struct ipw2100_priv *priv = (struct ipw2100_priv *)data;
+ struct net_device *dev = priv->net_dev;
+ unsigned long flags;
+ u32 inta, tmp;
+@@ -6029,7 +6030,7 @@ static void ipw2100_rf_kill(struct work_struct *work)
+ spin_unlock_irqrestore(&priv->low_lock, flags);
+ }
+
+-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv);
++static void ipw2100_irq_tasklet(unsigned long data);
+
+ static const struct net_device_ops ipw2100_netdev_ops = {
+ .ndo_open = ipw2100_open,
+@@ -6158,7 +6159,7 @@ static struct net_device *ipw2100_alloc_device(struct pci_dev *pci_dev,
+ INIT_DELAYED_WORK(&priv->rf_kill, ipw2100_rf_kill);
+ INIT_DELAYED_WORK(&priv->scan_event, ipw2100_scan_event);
+
+- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long))
++ tasklet_init(&priv->irq_tasklet,
+ ipw2100_irq_tasklet, (unsigned long)priv);
+
+ /* NOTE: We do not start the deferred work for status checks yet */
+diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
+index bfd68612a535d..48edb2b6eb7d5 100644
+--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
+@@ -1968,8 +1968,9 @@ static void notify_wx_assoc_event(struct ipw_priv *priv)
+ wireless_send_event(priv->net_dev, SIOCGIWAP, &wrqu, NULL);
+ }
+
+-static void ipw_irq_tasklet(struct ipw_priv *priv)
++static void ipw_irq_tasklet(unsigned long data)
+ {
++ struct ipw_priv *priv = (struct ipw_priv *)data;
+ u32 inta, inta_mask, handled = 0;
+ unsigned long flags;
+ int rc = 0;
+@@ -10705,7 +10706,7 @@ static int ipw_setup_deferred_work(struct ipw_priv *priv)
+ INIT_WORK(&priv->qos_activate, ipw_bg_qos_activate);
+ #endif /* CONFIG_IPW2200_QOS */
+
+- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long))
++ tasklet_init(&priv->irq_tasklet,
+ ipw_irq_tasklet, (unsigned long)priv);
+
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From df54ba9de0c4d149f07f041f9de4ee3ac1973ce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 15:10:21 +0800
+Subject: irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when
+ building INVALL
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+[ Upstream commit 107945227ac5d4c37911c7841b27c64b489ce9a9 ]
+
+It looks like an obvious mistake to use its_mapc_cmd descriptor when
+building the INVALL command block. It so far worked by luck because
+both its_mapc_cmd.col and its_invall_cmd.col sit at the same offset of
+the ITS command descriptor, but we should not rely on it.
+
+Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20191202071021.1251-1-yuzenghui@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 0c0cd2768d6e9..d1efbb8dadc53 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -365,7 +365,7 @@ static struct its_collection *its_build_invall_cmd(struct its_cmd_block *cmd,
+ struct its_cmd_desc *desc)
+ {
+ its_encode_cmd(cmd, GITS_CMD_INVALL);
+- its_encode_collection(cmd, desc->its_mapc_cmd.col->col_id);
++ its_encode_collection(cmd, desc->its_invall_cmd.col->col_id);
+
+ its_fixup_cmd(cmd);
+
+--
+2.20.1
+
--- /dev/null
+From ce066d730704e232e6a47a9031fde0fdb5d6054e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2019 11:24:57 +0000
+Subject: irqchip/gic-v3: Only provision redistributors that are enabled in
+ ACPI
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 926b5dfa6b8dc666ff398044af6906b156e1d949 ]
+
+We currently allocate redistributor region structures for
+individual redistributors when ACPI doesn't present us with
+compact MMIO regions covering multiple redistributors.
+
+It turns out that we allocate these structures even when
+the redistributor is flagged as disabled by ACPI. It works
+fine until someone actually tries to tarse one of these
+structures, and access the corresponding MMIO region.
+
+Instead, track the number of enabled redistributors, and
+only allocate what is required. This makes sure that there
+is no invalid data to misuse.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Reported-by: Heyi Guo <guoheyi@huawei.com>
+Tested-by: Heyi Guo <guoheyi@huawei.com>
+Link: https://lore.kernel.org/r/20191216062745.63397-1-guoheyi@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
+index f7b8681aed3f4..2ab6060031a43 100644
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -1195,6 +1195,7 @@ static struct
+ struct redist_region *redist_regs;
+ u32 nr_redist_regions;
+ bool single_redist;
++ int enabled_rdists;
+ u32 maint_irq;
+ int maint_irq_mode;
+ phys_addr_t vcpu_base;
+@@ -1289,8 +1290,10 @@ static int __init gic_acpi_match_gicc(struct acpi_subtable_header *header,
+ * If GICC is enabled and has valid gicr base address, then it means
+ * GICR base is presented via GICC
+ */
+- if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address)
++ if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address) {
++ acpi_data.enabled_rdists++;
+ return 0;
++ }
+
+ /*
+ * It's perfectly valid firmware can pass disabled GICC entry, driver
+@@ -1320,8 +1323,10 @@ static int __init gic_acpi_count_gicr_regions(void)
+
+ count = acpi_table_parse_madt(ACPI_MADT_TYPE_GENERIC_INTERRUPT,
+ gic_acpi_match_gicc, 0);
+- if (count > 0)
++ if (count > 0) {
+ acpi_data.single_redist = true;
++ count = acpi_data.enabled_rdists;
++ }
+
+ return count;
+ }
+--
+2.20.1
+
--- /dev/null
+From bfb5e9af517f5fed2bdceaff29f559c2e5566c4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2019 20:48:56 +0100
+Subject: isdn: don't mark kcapi_proc_exit as __exit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b33bdf8020c94438269becc6dace9ed49257c4ba ]
+
+As everybody pointed out by now, my patch to clean up CAPI introduced
+a link time warning, as the two parts of the capi driver are now in
+one module and the exit function may need to be called in the error
+path of the init function:
+
+>> WARNING: drivers/isdn/capi/kernelcapi.o(.text+0xea4): Section mismatch in reference from the function kcapi_exit() to the function .exit.text:kcapi_proc_exit()
+ The function kcapi_exit() references a function in an exit section.
+ Often the function kcapi_proc_exit() has valid usage outside the exit section
+ and the fix is to remove the __exit annotation of kcapi_proc_exit.
+
+Remove the incorrect __exit annotation.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: kernelci.org bot <bot@kernelci.org>
+Reported-by: Olof's autobuilder <build@lixom.net>
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20191216194909.1983639-1-arnd@arndb.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/capi/kcapi_proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/capi/kcapi_proc.c b/drivers/isdn/capi/kcapi_proc.c
+index 68db3c5a10636..d6ca626219c93 100644
+--- a/drivers/isdn/capi/kcapi_proc.c
++++ b/drivers/isdn/capi/kcapi_proc.c
+@@ -309,7 +309,7 @@ kcapi_proc_init(void)
+ proc_create("capi/driver", 0, NULL, &proc_driver_ops);
+ }
+
+-void __exit
++void
+ kcapi_proc_exit(void)
+ {
+ remove_proc_entry("capi/driver", NULL);
+--
+2.20.1
+
--- /dev/null
+From 8005cb2b0faf9a38ac282b21812257815bc94a72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Jan 2020 00:09:54 +0000
+Subject: iwlegacy: ensure loop counter addr does not wrap and cause an
+ infinite loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 ]
+
+The loop counter addr is a u16 where as the upper limit of the loop
+is an int. In the unlikely event that the il->cfg->eeprom_size is
+greater than 64K then we end up with an infinite loop since addr will
+wrap around an never reach upper loop limit. Fix this by making addr
+an int.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlegacy/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c
+index 140b6ea8f7cc4..db2373fe8ac32 100644
+--- a/drivers/net/wireless/intel/iwlegacy/common.c
++++ b/drivers/net/wireless/intel/iwlegacy/common.c
+@@ -717,7 +717,7 @@ il_eeprom_init(struct il_priv *il)
+ u32 gp = _il_rd(il, CSR_EEPROM_GP);
+ int sz;
+ int ret;
+- u16 addr;
++ int addr;
+
+ /* allocate eeprom */
+ sz = il->cfg->eeprom_size;
+--
+2.20.1
+
--- /dev/null
+From d2918dfb304677bcacd4f98ce3f5f3d4ab12b14d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 00:55:28 +0700
+Subject: iwlegacy: Fix -Wcast-function-type
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+[ Upstream commit da5e57e8a6a3e69dac2937ba63fa86355628fbb2 ]
+
+correct usage prototype of callback in tasklet_init().
+Report by https://github.com/KSPP/linux/issues/20
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlegacy/3945-mac.c | 5 +++--
+ drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlegacy/3945-mac.c b/drivers/net/wireless/intel/iwlegacy/3945-mac.c
+index 466912eb2d874..d853ccbf74cb2 100644
+--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c
+@@ -1399,8 +1399,9 @@ il3945_dump_nic_error_log(struct il_priv *il)
+ }
+
+ static void
+-il3945_irq_tasklet(struct il_priv *il)
++il3945_irq_tasklet(unsigned long data)
+ {
++ struct il_priv *il = (struct il_priv *)data;
+ u32 inta, handled = 0;
+ u32 inta_fh;
+ unsigned long flags;
+@@ -3432,7 +3433,7 @@ il3945_setup_deferred_work(struct il_priv *il)
+ setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il);
+
+ tasklet_init(&il->irq_tasklet,
+- (void (*)(unsigned long))il3945_irq_tasklet,
++ il3945_irq_tasklet,
+ (unsigned long)il);
+ }
+
+diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+index a91d170a614b6..6c2dcd2367136 100644
+--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+@@ -4361,8 +4361,9 @@ il4965_synchronize_irq(struct il_priv *il)
+ }
+
+ static void
+-il4965_irq_tasklet(struct il_priv *il)
++il4965_irq_tasklet(unsigned long data)
+ {
++ struct il_priv *il = (struct il_priv *)data;
+ u32 inta, handled = 0;
+ u32 inta_fh;
+ unsigned long flags;
+@@ -6260,7 +6261,7 @@ il4965_setup_deferred_work(struct il_priv *il)
+ setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il);
+
+ tasklet_init(&il->irq_tasklet,
+- (void (*)(unsigned long))il4965_irq_tasklet,
++ il4965_irq_tasklet,
+ (unsigned long)il);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 01fbcd9845564e983f319f08b15cfc2b3c7ffc89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jan 2020 15:45:24 +0200
+Subject: iwlwifi: mvm: Fix thermal zone registration
+
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+
+[ Upstream commit baa6cf8450b72dcab11f37c47efce7c5b9b8ad0f ]
+
+Use a unique name when registering a thermal zone. Otherwise, with
+multiple NICS, we hit the following warning during the unregistration.
+
+WARNING: CPU: 2 PID: 3525 at fs/sysfs/group.c:255
+ RIP: 0010:sysfs_remove_group+0x80/0x90
+ Call Trace:
+ dpm_sysfs_remove+0x57/0x60
+ device_del+0x5a/0x350
+ ? sscanf+0x4e/0x70
+ device_unregister+0x1a/0x60
+ hwmon_device_unregister+0x4a/0xa0
+ thermal_remove_hwmon_sysfs+0x175/0x1d0
+ thermal_zone_device_unregister+0x188/0x1e0
+ iwl_mvm_thermal_exit+0xe7/0x100 [iwlmvm]
+ iwl_op_mode_mvm_stop+0x27/0x180 [iwlmvm]
+ _iwl_op_mode_stop.isra.3+0x2b/0x50 [iwlwifi]
+ iwl_opmode_deregister+0x90/0xa0 [iwlwifi]
+ __exit_compat+0x10/0x2c7 [iwlmvm]
+ __x64_sys_delete_module+0x13f/0x270
+ do_syscall_64+0x5a/0x110
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c
+index c5203568a47ac..f0f205c3aadb7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c
+@@ -736,7 +736,8 @@ static struct thermal_zone_device_ops tzone_ops = {
+ static void iwl_mvm_thermal_zone_register(struct iwl_mvm *mvm)
+ {
+ int i;
+- char name[] = "iwlwifi";
++ char name[16];
++ static atomic_t counter = ATOMIC_INIT(0);
+
+ if (!iwl_mvm_is_tt_in_fw(mvm)) {
+ mvm->tz_device.tzone = NULL;
+@@ -746,6 +747,7 @@ static void iwl_mvm_thermal_zone_register(struct iwl_mvm *mvm)
+
+ BUILD_BUG_ON(ARRAY_SIZE(name) >= THERMAL_NAME_LENGTH);
+
++ sprintf(name, "iwlwifi_%u", atomic_inc_return(&counter) & 0xFF);
+ mvm->tz_device.tzone = thermal_zone_device_register(name,
+ IWL_MAX_DTS_TRIPS,
+ IWL_WRITABLE_TRIPS_MSK,
+--
+2.20.1
+
--- /dev/null
+From e59d128c1ec0cbfc37872e7f2fc1c30ea3e3fbfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Jan 2020 10:25:42 +0800
+Subject: jbd2: clear JBD2_ABORT flag before journal_reset to update log tail
+ info when load journal
+
+From: Kai Li <li.kai4@h3c.com>
+
+[ Upstream commit a09decff5c32060639a685581c380f51b14e1fc2 ]
+
+If the journal is dirty when the filesystem is mounted, jbd2 will replay
+the journal but the journal superblock will not be updated by
+journal_reset() because JBD2_ABORT flag is still set (it was set in
+journal_init_common()). This is problematic because when a new transaction
+is then committed, it will be recorded in block 1 (journal->j_tail was set
+to 1 in journal_reset()). If unclean shutdown happens again before the
+journal superblock is updated, the new recorded transaction will not be
+replayed during the next mount (because of stale sb->s_start and
+sb->s_sequence values) which can lead to filesystem corruption.
+
+Fixes: 85e0c4e89c1b ("jbd2: if the journal is aborted then don't allow update of the log tail")
+Signed-off-by: Kai Li <li.kai4@h3c.com>
+Link: https://lore.kernel.org/r/20200111022542.5008-1-li.kai4@h3c.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/journal.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index 3cbcf649ac660..40c754854b29e 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1670,6 +1670,11 @@ int jbd2_journal_load(journal_t *journal)
+ journal->j_devname);
+ return -EFSCORRUPTED;
+ }
++ /*
++ * clear JBD2_ABORT flag initialized in journal_init_common
++ * here to update log tail information with the newest seq.
++ */
++ journal->j_flags &= ~JBD2_ABORT;
+
+ /* OK, we've finished with the dynamic journal bits:
+ * reinitialise the dynamic contents of the superblock in memory
+@@ -1677,7 +1682,6 @@ int jbd2_journal_load(journal_t *journal)
+ if (journal_reset(journal))
+ goto recovery_error;
+
+- journal->j_flags &= ~JBD2_ABORT;
+ journal->j_flags |= JBD2_LOADED;
+ return 0;
+
+--
+2.20.1
+
--- /dev/null
+From 7b89ff7dda9c469a061ac86505860d5bcce7cec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 20:46:11 +0800
+Subject: jbd2: switch to use jbd2_journal_abort() when failed to submit the
+ commit record
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 ]
+
+We invoke jbd2_journal_abort() to abort the journal and record errno
+in the jbd2 superblock when committing journal transaction besides the
+failure on submitting the commit record. But there is no need for the
+case and we can also invoke jbd2_journal_abort() instead of
+__jbd2_journal_abort_hard().
+
+Fixes: 818d276ceb83a ("ext4: Add the journal checksum feature")
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 72b5bbfd38447..1d06f81ee8b47 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -779,7 +779,7 @@ start_journal_io:
+ err = journal_submit_commit_record(journal, commit_transaction,
+ &cbh, crc32_sum);
+ if (err)
+- __jbd2_journal_abort_hard(journal);
++ jbd2_journal_abort(journal, err);
+ }
+
+ blk_finish_plug(&plug);
+@@ -872,7 +872,7 @@ start_journal_io:
+ err = journal_submit_commit_record(journal, commit_transaction,
+ &cbh, crc32_sum);
+ if (err)
+- __jbd2_journal_abort_hard(journal);
++ jbd2_journal_abort(journal, err);
+ }
+ if (cbh)
+ err = journal_wait_on_commit_record(journal, cbh);
+--
+2.20.1
+
--- /dev/null
+From c0bd11bc850accadc8226c9e1f71b73e63820820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Feb 2020 14:03:11 +0900
+Subject: kconfig: fix broken dependency in randconfig-generated .config
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 ]
+
+Running randconfig on arm64 using KCONFIG_SEED=0x40C5E904 (e.g. on v5.5)
+produces the .config with CONFIG_EFI=y and CONFIG_CPU_BIG_ENDIAN=y,
+which does not meet the !CONFIG_CPU_BIG_ENDIAN dependency.
+
+This is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs
+CONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the
+value of CONFIG_EFI is calculated.
+
+When this happens, the has_changed flag should be set.
+
+Currently, it takes the result from the last iteration. It should
+accumulate all the results of the loop.
+
+Fixes: 3b9a19e08960 ("kconfig: loop as long as we changed some symbols in randconfig")
+Reported-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/confdata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
+index 27aac273205ba..fa423fcd1a928 100644
+--- a/scripts/kconfig/confdata.c
++++ b/scripts/kconfig/confdata.c
+@@ -1238,7 +1238,7 @@ bool conf_set_all_new_symbols(enum conf_def_mode mode)
+
+ sym_calc_value(csym);
+ if (mode == def_random)
+- has_changed = randomize_choice_values(csym);
++ has_changed |= randomize_choice_values(csym);
+ else {
+ set_all_choice_values(csym);
+ has_changed = true;
+--
+2.20.1
+
--- /dev/null
+From 81feaf514e5eab608e0562d2bdba2b09445100c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2020 22:16:37 -0800
+Subject: lib/scatterlist.c: adjust indentation in __sg_alloc_table
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 4e456fee215677584cafa7f67298a76917e89c64 ]
+
+Clang warns:
+
+ ../lib/scatterlist.c:314:5: warning: misleading indentation; statement
+ is not part of the previous 'if' [-Wmisleading-indentation]
+ return -ENOMEM;
+ ^
+ ../lib/scatterlist.c:311:4: note: previous statement is here
+ if (prv)
+ ^
+ 1 warning generated.
+
+This warning occurs because there is a space before the tab on this
+line. Remove it so that the indentation is consistent with the Linux
+kernel coding style and clang no longer warns.
+
+Link: http://lkml.kernel.org/r/20191218033606.11942-1-natechancellor@gmail.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/830
+Fixes: edce6820a9fd ("scatterlist: prevent invalid free when alloc fails")
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/scatterlist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/scatterlist.c b/lib/scatterlist.c
+index a854cc39f084f..ef8c14a56d0a7 100644
+--- a/lib/scatterlist.c
++++ b/lib/scatterlist.c
+@@ -317,7 +317,7 @@ int __sg_alloc_table(struct sg_table *table, unsigned int nents,
+ if (prv)
+ table->nents = ++table->orig_nents;
+
+- return -ENOMEM;
++ return -ENOMEM;
+ }
+
+ sg_init_table(sg, alloc_size);
+--
+2.20.1
+
--- /dev/null
+From decbebc1f73706bf9b9916088bfef1632bb591c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 08:55:24 +0100
+Subject: media: i2c: mt9v032: fix enum mbus codes and frame sizes
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+[ Upstream commit 1451d5ae351d938a0ab1677498c893f17b9ee21d ]
+
+This driver supports both the mt9v032 (color) and the mt9v022 (mono)
+sensors. Depending on which sensor is used, the format from the sensor is
+different. The format.code inside the dev struct holds this information.
+The enum mbus and enum frame sizes need to take into account both type of
+sensors, not just the color one. To solve this, use the format.code in
+these functions instead of the hardcoded bayer color format (which is only
+used for mt9v032).
+
+[Sakari Ailus: rewrapped commit message]
+
+Suggested-by: Wenyou Yang <wenyou.yang@microchip.com>
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/mt9v032.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/mt9v032.c b/drivers/media/i2c/mt9v032.c
+index 58eb62f1ba214..a018a76662df7 100644
+--- a/drivers/media/i2c/mt9v032.c
++++ b/drivers/media/i2c/mt9v032.c
+@@ -423,10 +423,12 @@ static int mt9v032_enum_mbus_code(struct v4l2_subdev *subdev,
+ struct v4l2_subdev_pad_config *cfg,
+ struct v4l2_subdev_mbus_code_enum *code)
+ {
++ struct mt9v032 *mt9v032 = to_mt9v032(subdev);
++
+ if (code->index > 0)
+ return -EINVAL;
+
+- code->code = MEDIA_BUS_FMT_SGRBG10_1X10;
++ code->code = mt9v032->format.code;
+ return 0;
+ }
+
+@@ -434,7 +436,11 @@ static int mt9v032_enum_frame_size(struct v4l2_subdev *subdev,
+ struct v4l2_subdev_pad_config *cfg,
+ struct v4l2_subdev_frame_size_enum *fse)
+ {
+- if (fse->index >= 3 || fse->code != MEDIA_BUS_FMT_SGRBG10_1X10)
++ struct mt9v032 *mt9v032 = to_mt9v032(subdev);
++
++ if (fse->index >= 3)
++ return -EINVAL;
++ if (mt9v032->format.code != fse->code)
+ return -EINVAL;
+
+ fse->min_width = MT9V032_WINDOW_WIDTH_DEF / (1 << fse->index);
+--
+2.20.1
+
--- /dev/null
+From 3ae6721c589b6b67c6fae50da8ff6a4903668d18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 11:34:01 +0100
+Subject: media: sti: bdisp: fix a possible sleep-in-atomic-context bug in
+ bdisp_device_run()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit bb6d42061a05d71dd73f620582d9e09c8fbf7f5b ]
+
+The driver may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+drivers/media/platform/sti/bdisp/bdisp-hw.c, 385:
+ msleep in bdisp_hw_reset
+drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 341:
+ bdisp_hw_reset in bdisp_device_run
+drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 317:
+ _raw_spin_lock_irqsave in bdisp_device_run
+
+To fix this bug, msleep() is replaced with udelay().
+
+This bug is found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/bdisp/bdisp-hw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/sti/bdisp/bdisp-hw.c b/drivers/media/platform/sti/bdisp/bdisp-hw.c
+index b7892f3efd988..5c4c3f0c57be1 100644
+--- a/drivers/media/platform/sti/bdisp/bdisp-hw.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-hw.c
+@@ -14,8 +14,8 @@
+ #define MAX_SRC_WIDTH 2048
+
+ /* Reset & boot poll config */
+-#define POLL_RST_MAX 50
+-#define POLL_RST_DELAY_MS 20
++#define POLL_RST_MAX 500
++#define POLL_RST_DELAY_MS 2
+
+ enum bdisp_target_plan {
+ BDISP_RGB,
+@@ -382,7 +382,7 @@ int bdisp_hw_reset(struct bdisp_dev *bdisp)
+ for (i = 0; i < POLL_RST_MAX; i++) {
+ if (readl(bdisp->regs + BLT_STA1) & BLT_STA1_IDLE)
+ break;
+- msleep(POLL_RST_DELAY_MS);
++ udelay(POLL_RST_DELAY_MS * 1000);
+ }
+ if (i == POLL_RST_MAX)
+ dev_err(bdisp->dev, "Reset timeout\n");
+--
+2.20.1
+
--- /dev/null
+From 1150529a8d7fe48b484795cead992209524892b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Dec 2019 22:11:40 +0100
+Subject: media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in
+ v4l2_device macros
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit afb34781620274236bd9fc9246e22f6963ef5262 ]
+
+When building with Clang + -Wtautological-constant-compare, several of
+the ivtv and cx18 drivers warn along the lines of:
+
+ drivers/media/pci/cx18/cx18-driver.c:1005:21: warning: converting the
+ result of '<<' to a boolean always evaluates to true
+ [-Wtautological-constant-compare]
+ cx18_call_hw(cx, CX18_HW_GPIO_RESET_CTRL,
+ ^
+ drivers/media/pci/cx18/cx18-cards.h:18:37: note: expanded from macro
+ 'CX18_HW_GPIO_RESET_CTRL'
+ #define CX18_HW_GPIO_RESET_CTRL (1 << 6)
+ ^
+ 1 warning generated.
+
+This warning happens because the shift operation is implicitly converted
+to a boolean in v4l2_device_mask_call_all before being negated. This can
+be solved by just comparing the mask result to 0 explicitly so that
+there is no boolean conversion. The ultimate goal is to enable
+-Wtautological-compare globally because there are several subwarnings
+that would be helpful to have.
+
+For visual consistency and avoidance of these warnings in the future,
+all of the implicitly boolean conversions in the v4l2_device macros
+are converted to explicit ones as well.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/752
+
+Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/media/v4l2-device.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h
+index 8ffa94009d1a9..76002416cead9 100644
+--- a/include/media/v4l2-device.h
++++ b/include/media/v4l2-device.h
+@@ -268,7 +268,7 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd,
+ struct v4l2_subdev *__sd; \
+ \
+ __v4l2_device_call_subdevs_p(v4l2_dev, __sd, \
+- !(grpid) || __sd->grp_id == (grpid), o, f , \
++ (grpid) == 0 || __sd->grp_id == (grpid), o, f , \
+ ##args); \
+ } while (0)
+
+@@ -280,7 +280,7 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd,
+ ({ \
+ struct v4l2_subdev *__sd; \
+ __v4l2_device_call_subdevs_until_err_p(v4l2_dev, __sd, \
+- !(grpid) || __sd->grp_id == (grpid), o, f , \
++ (grpid) == 0 || __sd->grp_id == (grpid), o, f , \
+ ##args); \
+ })
+
+@@ -294,8 +294,8 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd,
+ struct v4l2_subdev *__sd; \
+ \
+ __v4l2_device_call_subdevs_p(v4l2_dev, __sd, \
+- !(grpmsk) || (__sd->grp_id & (grpmsk)), o, f , \
+- ##args); \
++ (grpmsk) == 0 || (__sd->grp_id & (grpmsk)), o, \
++ f , ##args); \
+ } while (0)
+
+ /*
+@@ -308,8 +308,8 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd,
+ ({ \
+ struct v4l2_subdev *__sd; \
+ __v4l2_device_call_subdevs_until_err_p(v4l2_dev, __sd, \
+- !(grpmsk) || (__sd->grp_id & (grpmsk)), o, f , \
+- ##args); \
++ (grpmsk) == 0 || (__sd->grp_id & (grpmsk)), o, \
++ f , ##args); \
+ })
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 1e718c8c520614c9fa4b4306061f6873645c9d0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Jan 2020 18:44:34 +0530
+Subject: microblaze: Prevent the overflow of the start
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+[ Upstream commit 061d2c1d593076424c910cb1b64ecdb5c9a6923f ]
+
+In case the start + cache size is more than the max int the
+start overflows.
+Prevent the same.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/microblaze/kernel/cpu/cache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/microblaze/kernel/cpu/cache.c b/arch/microblaze/kernel/cpu/cache.c
+index 0bde47e4fa694..dcba53803fa5f 100644
+--- a/arch/microblaze/kernel/cpu/cache.c
++++ b/arch/microblaze/kernel/cpu/cache.c
+@@ -92,7 +92,8 @@ static inline void __disable_dcache_nomsr(void)
+ #define CACHE_LOOP_LIMITS(start, end, cache_line_length, cache_size) \
+ do { \
+ int align = ~(cache_line_length - 1); \
+- end = min(start + cache_size, end); \
++ if (start < UINT_MAX - cache_size) \
++ end = min(start + cache_size, end); \
+ start &= align; \
+ } while (0)
+
+--
+2.20.1
+
--- /dev/null
+From d2592c9dc617204c57622764f6f68be1bf760541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2020 09:30:42 +0800
+Subject: MIPS: Loongson: Fix potential NULL dereference in
+ loongson3_platform_init()
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 72d052e28d1d2363f9107be63ef3a3afdea6143c ]
+
+If kzalloc fails, it should return -ENOMEM, otherwise may trigger a NULL
+pointer dereference.
+
+Fixes: 3adeb2566b9b ("MIPS: Loongson: Improve LEFI firmware interface")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/loongson64/loongson-3/platform.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/mips/loongson64/loongson-3/platform.c b/arch/mips/loongson64/loongson-3/platform.c
+index 25a97cc0ee336..0db4cc3196ebd 100644
+--- a/arch/mips/loongson64/loongson-3/platform.c
++++ b/arch/mips/loongson64/loongson-3/platform.c
+@@ -31,6 +31,9 @@ static int __init loongson3_platform_init(void)
+ continue;
+
+ pdev = kzalloc(sizeof(struct platform_device), GFP_KERNEL);
++ if (!pdev)
++ return -ENOMEM;
++
+ pdev->name = loongson_sysconf.sensors[i].name;
+ pdev->id = loongson_sysconf.sensors[i].id;
+ pdev->dev.platform_data = &loongson_sysconf.sensors[i];
+--
+2.20.1
+
--- /dev/null
+From 8c94d44f1abdbbe44214a6388f3f3efbd8c22ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2019 15:55:51 +0100
+Subject: net/wan/fsl_ucc_hdlc: reject muram offsets above 64K
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit 148587a59f6b85831695e0497d9dd1af5f0495af ]
+
+Qiang Zhao points out that these offsets get written to 16-bit
+registers, and there are some QE platforms with more than 64K
+muram. So it is possible that qe_muram_alloc() gives us an allocation
+that can't actually be used by the hardware, so detect and reject
+that.
+
+Reported-by: Qiang Zhao <qiang.zhao@nxp.com>
+Reviewed-by: Timur Tabi <timur@kernel.org>
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/fsl_ucc_hdlc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c
+index af85a1b3135e2..87bf05a81db50 100644
+--- a/drivers/net/wan/fsl_ucc_hdlc.c
++++ b/drivers/net/wan/fsl_ucc_hdlc.c
+@@ -209,6 +209,11 @@ static int uhdlc_init(struct ucc_hdlc_private *priv)
+ ret = -ENOMEM;
+ goto free_riptr;
+ }
++ if (riptr != (u16)riptr || tiptr != (u16)tiptr) {
++ dev_err(priv->dev, "MURAM allocation out of addressable range\n");
++ ret = -ENOMEM;
++ goto free_tiptr;
++ }
+
+ /* Set RIPTR, TIPTR */
+ iowrite16be(riptr, &priv->ucc_pram->riptr);
+--
+2.20.1
+
--- /dev/null
+From 4513ba054e22dce952c7ded8f67cd253ca8d87ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 21:08:45 +0800
+Subject: NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use
+ le16_add_cpu().
+
+From: Mao Wenan <maowenan@huawei.com>
+
+[ Upstream commit 718eae277e62a26e5862eb72a830b5e0fe37b04a ]
+
+Convert cpu_to_le16(le16_to_cpu(frame->datalen) + len) to
+use le16_add_cpu(), which is more concise and does the same thing.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/port100.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
+index 3cd995de1bbb5..151b220381f95 100644
+--- a/drivers/nfc/port100.c
++++ b/drivers/nfc/port100.c
+@@ -573,7 +573,7 @@ static void port100_tx_update_payload_len(void *_frame, int len)
+ {
+ struct port100_frame *frame = _frame;
+
+- frame->datalen = cpu_to_le16(le16_to_cpu(frame->datalen) + len);
++ le16_add_cpu(&frame->datalen, len);
+ }
+
+ static bool port100_rx_frame_is_valid(void *_frame)
+--
+2.20.1
+
--- /dev/null
+From e0d4740dac290b43dd78e4d4d11d01092291209a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 16:07:32 -0500
+Subject: nfsd4: avoid NULL deference on strange COPY compounds
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ]
+
+With cross-server COPY we've introduced the possibility that the current
+or saved filehandle might not have fh_dentry/fh_export filled in, but we
+missed a place that assumed it was. I think this could be triggered by
+a compound like:
+
+ PUTFH(foreign filehandle)
+ GETATTR
+ SAVEFH
+ COPY
+
+First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op.
+Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL.
+need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE
+set and GETATTR does not have OP_HANDLES_WRONGSEC set.
+
+We should probably also consider tightening the checks in
+check_if_stalefh_allowed and double-checking that we don't assume the
+filehandle is verified elsewhere in the compound. But I think this
+fixes the immediate issue.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... "
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index 66985a6a7047b..33537bbb70b36 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1800,7 +1800,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
+ if (opdesc->op_flags & OP_CLEAR_STATEID)
+ clear_current_stateid(cstate);
+
+- if (need_wrongsec_check(rqstp))
++ if (current_fh->fh_export &&
++ need_wrongsec_check(rqstp))
+ op->status = check_nfsd_access(current_fh->fh_export, rqstp);
+ }
+ encode_op:
+--
+2.20.1
+
--- /dev/null
+From 6d3a12d3746593b71a4ac212934bef9a83e02dd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2020 22:11:50 -0800
+Subject: ocfs2: fix a NULL pointer dereference when call
+ ocfs2_update_inode_fsync_trans()
+
+From: wangyan <wangyan122@huawei.com>
+
+[ Upstream commit 9f16ca48fc818a17de8be1f75d08e7f4addc4497 ]
+
+I found a NULL pointer dereference in ocfs2_update_inode_fsync_trans(),
+handle->h_transaction may be NULL in this situation:
+
+ocfs2_file_write_iter
+ ->__generic_file_write_iter
+ ->generic_perform_write
+ ->ocfs2_write_begin
+ ->ocfs2_write_begin_nolock
+ ->ocfs2_write_cluster_by_desc
+ ->ocfs2_write_cluster
+ ->ocfs2_mark_extent_written
+ ->ocfs2_change_extent_flag
+ ->ocfs2_split_extent
+ ->ocfs2_try_to_merge_extent
+ ->ocfs2_extend_rotate_transaction
+ ->ocfs2_extend_trans
+ ->jbd2_journal_restart
+ ->jbd2__journal_restart
+ // handle->h_transaction is NULL here
+ ->handle->h_transaction = NULL;
+ ->start_this_handle
+ /* journal aborted due to storage
+ network disconnection, return error */
+ ->return -EROFS;
+ /* line 3806 in ocfs2_try_to_merge_extent (),
+ it will ignore ret error. */
+ ->ret = 0;
+ ->...
+ ->ocfs2_write_end
+ ->ocfs2_write_end_nolock
+ ->ocfs2_update_inode_fsync_trans
+ // NULL pointer dereference
+ ->oi->i_sync_tid = handle->h_transaction->t_tid;
+
+The information of NULL pointer dereference as follows:
+ JBD2: Detected IO errors while flushing file data on dm-11-45
+ Aborting journal on device dm-11-45.
+ JBD2: Error -5 detected when updating journal superblock for dm-11-45.
+ (dd,22081,3):ocfs2_extend_trans:474 ERROR: status = -30
+ (dd,22081,3):ocfs2_try_to_merge_extent:3877 ERROR: status = -30
+ Unable to handle kernel NULL pointer dereference at
+ virtual address 0000000000000008
+ Mem abort info:
+ ESR = 0x96000004
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000004
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e74e1338
+ [0000000000000008] pgd=0000000000000000
+ Internal error: Oops: 96000004 [#1] SMP
+ Process dd (pid: 22081, stack limit = 0x00000000584f35a9)
+ CPU: 3 PID: 22081 Comm: dd Kdump: loaded
+ Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019
+ pstate: 60400009 (nZCv daif +PAN -UAO)
+ pc : ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2]
+ lr : ocfs2_write_end_nolock+0x2a0/0x550 [ocfs2]
+ sp : ffff0000459fba70
+ x29: ffff0000459fba70 x28: 0000000000000000
+ x27: ffff807ccf7f1000 x26: 0000000000000001
+ x25: ffff807bdff57970 x24: ffff807caf1d4000
+ x23: ffff807cc79e9000 x22: 0000000000001000
+ x21: 000000006c6cd000 x20: ffff0000091d9000
+ x19: ffff807ccb239db0 x18: ffffffffffffffff
+ x17: 000000000000000e x16: 0000000000000007
+ x15: ffff807c5e15bd78 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000001
+ x9 : 0000000000000228 x8 : 000000000000000c
+ x7 : 0000000000000fff x6 : ffff807a308ed6b0
+ x5 : ffff7e01f10967c0 x4 : 0000000000000018
+ x3 : d0bc661572445600 x2 : 0000000000000000
+ x1 : 000000001b2e0200 x0 : 0000000000000000
+ Call trace:
+ ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2]
+ ocfs2_write_end+0x4c/0x80 [ocfs2]
+ generic_perform_write+0x108/0x1a8
+ __generic_file_write_iter+0x158/0x1c8
+ ocfs2_file_write_iter+0x668/0x950 [ocfs2]
+ __vfs_write+0x11c/0x190
+ vfs_write+0xac/0x1c0
+ ksys_write+0x6c/0xd8
+ __arm64_sys_write+0x24/0x30
+ el0_svc_common+0x78/0x130
+ el0_svc_handler+0x38/0x78
+ el0_svc+0x8/0xc
+
+To prevent NULL pointer dereference in this situation, we use
+is_handle_aborted() before using handle->h_transaction->t_tid.
+
+Link: http://lkml.kernel.org/r/03e750ab-9ade-83aa-b000-b9e81e34e539@huawei.com
+Signed-off-by: Yan Wang <wangyan122@huawei.com>
+Reviewed-by: Jun Piao <piaojun@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/journal.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
+index 497a4171ef61f..bfb50fc51528f 100644
+--- a/fs/ocfs2/journal.h
++++ b/fs/ocfs2/journal.h
+@@ -637,9 +637,11 @@ static inline void ocfs2_update_inode_fsync_trans(handle_t *handle,
+ {
+ struct ocfs2_inode_info *oi = OCFS2_I(inode);
+
+- oi->i_sync_tid = handle->h_transaction->t_tid;
+- if (datasync)
+- oi->i_datasync_tid = handle->h_transaction->t_tid;
++ if (!is_handle_aborted(handle)) {
++ oi->i_sync_tid = handle->h_transaction->t_tid;
++ if (datasync)
++ oi->i_datasync_tid = handle->h_transaction->t_tid;
++ }
+ }
+
+ #endif /* OCFS2_JOURNAL_H */
+--
+2.20.1
+
--- /dev/null
+From 1ace914e428557ffe52eb5a5629055830644cb23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Dec 2019 13:58:58 -0600
+Subject: orinoco: avoid assertion in case of NULL pointer
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit c705f9fc6a1736dcf6ec01f8206707c108dca824 ]
+
+In ezusb_init, if upriv is NULL, the code crashes. However, the caller
+in ezusb_probe can handle the error and print the failure message.
+The patch replaces the BUG_ON call to error return.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
+index 8244d82629511..4e91c74fcfad9 100644
+--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
++++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
+@@ -1351,7 +1351,8 @@ static int ezusb_init(struct hermes *hw)
+ int retval;
+
+ BUG_ON(in_interrupt());
+- BUG_ON(!upriv);
++ if (!upriv)
++ return -EINVAL;
+
+ upriv->reply_count = 0;
+ /* Write the MAGIC number on the simulated registers to keep
+--
+2.20.1
+
--- /dev/null
+From 1bdef1e2e81dce73c8b58f95555d8dcbff1efc9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 14:31:11 -0500
+Subject: padata: always acquire cpu_hotplug_lock before pinst->lock
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit 38228e8848cd7dd86ccb90406af32de0cad24be3 ]
+
+lockdep complains when padata's paths to update cpumasks via CPU hotplug
+and sysfs are both taken:
+
+ # echo 0 > /sys/devices/system/cpu/cpu1/online
+ # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted
+ ------------------------------------------------------
+ bash/205 is trying to acquire lock:
+ ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120
+
+ but task is already holding lock:
+ ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120
+
+ which lock already depends on the new lock.
+
+padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent
+order. Which should be first? CPU hotplug calls into padata with
+cpu_hotplug_lock already held, so it should have priority.
+
+Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus")
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: linux-crypto@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 286c5142a0f74..6939111b3cbe0 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -614,8 +614,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type,
+ struct cpumask *serial_mask, *parallel_mask;
+ int err = -EINVAL;
+
+- mutex_lock(&pinst->lock);
+ get_online_cpus();
++ mutex_lock(&pinst->lock);
+
+ switch (cpumask_type) {
+ case PADATA_CPU_PARALLEL:
+@@ -633,8 +633,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type,
+ err = __padata_set_cpumasks(pinst, parallel_mask, serial_mask);
+
+ out:
+- put_online_cpus();
+ mutex_unlock(&pinst->lock);
++ put_online_cpus();
+
+ return err;
+ }
+--
+2.20.1
+
--- /dev/null
+From 867265a84ebd4781c48a1fa3d9810358503b1f71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 13:52:52 -0600
+Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 8c386cc817878588195dde38e919aa6ba9409d58 ]
+
+In the implementation of pci_iov_add_virtfn() the allocated virtfn is
+leaked if pci_setup_device() fails. The error handling is not calling
+pci_stop_and_remove_bus_device(). Change the goto label to failed2.
+
+Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()")
+Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/iov.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
+index 1d32fe2d97aa7..9ec3cb628b0b6 100644
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -181,6 +181,7 @@ int pci_iov_add_virtfn(struct pci_dev *dev, int id, int reset)
+ failed2:
+ sysfs_remove_link(&dev->dev.kobj, buf);
+ failed1:
++ pci_stop_and_remove_bus_device(virtfn);
+ pci_dev_put(dev);
+ mutex_lock(&iov->dev->sriov->lock);
+ pci_stop_and_remove_bus_device(virtfn);
+--
+2.20.1
+
--- /dev/null
+From 305c5574e6513b7a3f3eccbf2fb628937c31eeab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Dec 2019 00:04:47 +0100
+Subject: pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit a23680594da7a9e2696dbcf4f023e9273e2fa40b ]
+
+Suspending Goodix touchscreens requires changing the interrupt pin to
+output before sending them a power-down command. Followed by wiggling
+the interrupt pin to wake the device up, after which it is put back
+in input mode.
+
+On Bay Trail devices with a Goodix touchscreen direct-irq mode is used
+in combination with listing the pin as a normal GpioIo resource.
+
+This works fine, until the goodix driver gets rmmod-ed and then insmod-ed
+again. In this case byt_gpio_disable_free() calls
+byt_gpio_clear_triggering() which clears the IRQ flags and after that the
+(direct) IRQ no longer triggers.
+
+This commit fixes this by adding a check for the BYT_DIRECT_IRQ_EN flag
+to byt_gpio_clear_triggering().
+
+Note that byt_gpio_clear_triggering() only gets called from
+byt_gpio_disable_free() for direct-irq enabled pins, as these are excluded
+from the irq_valid mask by byt_init_irq_valid_mask().
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-baytrail.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-baytrail.c b/drivers/pinctrl/intel/pinctrl-baytrail.c
+index f83a2a60d9c9b..1e945aa77734b 100644
+--- a/drivers/pinctrl/intel/pinctrl-baytrail.c
++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c
+@@ -958,7 +958,13 @@ static void byt_gpio_clear_triggering(struct byt_gpio *vg, unsigned int offset)
+
+ raw_spin_lock_irqsave(&byt_lock, flags);
+ value = readl(reg);
+- value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL);
++
++ /* Do not clear direct-irq enabled IRQs (from gpio_disable_free) */
++ if (value & BYT_DIRECT_IRQ_EN)
++ /* nothing to do */ ;
++ else
++ value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL);
++
+ writel(value, reg);
+ raw_spin_unlock_irqrestore(&byt_lock, flags);
+ }
+--
+2.20.1
+
--- /dev/null
+From 0d353adcf49bd9235e72c335d6c5a1273c7343cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 20:48:09 +0100
+Subject: pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 55b1cb1f03ad5eea39897d0c74035e02deddcff2 ]
+
+pinmux_func_gpios[] contains a hole due to the missing function GPIO
+definition for the "CTX0&CTX1" signal, which is the logical "AND" of the
+two CAN outputs.
+
+Fix this by:
+ - Renaming CRX0_CRX1_MARK to CTX0_CTX1_MARK, as PJ2MD[2:0]=010
+ configures the combined "CTX0&CTX1" output signal,
+ - Renaming CRX0X1_MARK to CRX0_CRX1_MARK, as PJ3MD[1:0]=10 configures
+ the shared "CRX0/CRX1" input signal, which is fed to both CAN
+ inputs,
+ - Adding the missing function GPIO definition for "CTX0&CTX1" to
+ pinmux_func_gpios[],
+ - Moving all CAN enums next to each other.
+
+See SH7262 Group, SH7264 Group User's Manual: Hardware, Rev. 4.00:
+ [1] Figure 1.2 (3) (Pin Assignment for the SH7264 Group (1-Mbyte
+ Version),
+ [2] Figure 1.2 (4) Pin Assignment for the SH7264 Group (640-Kbyte
+ Version,
+ [3] Table 1.4 List of Pins,
+ [4] Figure 20.29 Connection Example when Using This Module as 1-Channel
+ Module (64 Mailboxes x 1 Channel),
+ [5] Table 32.10 Multiplexed Pins (Port J),
+ [6] Section 32.2.30 (3) Port J Control Register 0 (PJCR0).
+
+Note that the last 2 disagree about PJ2MD[2:0], which is probably the
+root cause of this bug. But considering [4], "CTx0&CTx1" in [5] must
+be correct, and "CRx0&CRx1" in [6] must be wrong.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191218194812.12741-4-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sh-pfc/pfc-sh7264.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7264.c b/drivers/pinctrl/sh-pfc/pfc-sh7264.c
+index e1c34e19222ee..3ddb9565ed804 100644
+--- a/drivers/pinctrl/sh-pfc/pfc-sh7264.c
++++ b/drivers/pinctrl/sh-pfc/pfc-sh7264.c
+@@ -500,17 +500,15 @@ enum {
+ SD_WP_MARK, SD_CLK_MARK, SD_CMD_MARK,
+ CRX0_MARK, CRX1_MARK,
+ CTX0_MARK, CTX1_MARK,
++ CRX0_CRX1_MARK, CTX0_CTX1_MARK,
+
+ PWM1A_MARK, PWM1B_MARK, PWM1C_MARK, PWM1D_MARK,
+ PWM1E_MARK, PWM1F_MARK, PWM1G_MARK, PWM1H_MARK,
+ PWM2A_MARK, PWM2B_MARK, PWM2C_MARK, PWM2D_MARK,
+ PWM2E_MARK, PWM2F_MARK, PWM2G_MARK, PWM2H_MARK,
+ IERXD_MARK, IETXD_MARK,
+- CRX0_CRX1_MARK,
+ WDTOVF_MARK,
+
+- CRX0X1_MARK,
+-
+ /* DMAC */
+ TEND0_MARK, DACK0_MARK, DREQ0_MARK,
+ TEND1_MARK, DACK1_MARK, DREQ1_MARK,
+@@ -998,12 +996,12 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_DATA(PJ3_DATA, PJ3MD_00),
+ PINMUX_DATA(CRX1_MARK, PJ3MD_01),
+- PINMUX_DATA(CRX0X1_MARK, PJ3MD_10),
++ PINMUX_DATA(CRX0_CRX1_MARK, PJ3MD_10),
+ PINMUX_DATA(IRQ1_PJ_MARK, PJ3MD_11),
+
+ PINMUX_DATA(PJ2_DATA, PJ2MD_000),
+ PINMUX_DATA(CTX1_MARK, PJ2MD_001),
+- PINMUX_DATA(CRX0_CRX1_MARK, PJ2MD_010),
++ PINMUX_DATA(CTX0_CTX1_MARK, PJ2MD_010),
+ PINMUX_DATA(CS2_MARK, PJ2MD_011),
+ PINMUX_DATA(SCK0_MARK, PJ2MD_100),
+ PINMUX_DATA(LCD_M_DISP_MARK, PJ2MD_101),
+@@ -1248,6 +1246,7 @@ static const struct pinmux_func pinmux_func_gpios[] = {
+ GPIO_FN(CTX1),
+ GPIO_FN(CRX1),
+ GPIO_FN(CTX0),
++ GPIO_FN(CTX0_CTX1),
+ GPIO_FN(CRX0),
+ GPIO_FN(CRX0_CRX1),
+
+--
+2.20.1
+
--- /dev/null
+From e1b0cdc7124b5614f71ce0d9bc0daf6c245d63e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 20:48:10 +0100
+Subject: pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 02aeb2f21530c98fc3ca51028eda742a3fafbd9f ]
+
+pinmux_func_gpios[] contains a hole due to the missing function GPIO
+definition for the "CTX0&CTX1" signal, which is the logical "AND" of the
+first two CAN outputs.
+
+A closer look reveals other issues:
+ - Some functionality is available on alternative pins, but the
+ PINMUX_DATA() entries is using the wrong marks,
+ - Several configurations are missing.
+
+Fix this by:
+ - Renaming CTX0CTX1CTX2_MARK, CRX0CRX1_PJ22_MARK, and
+ CRX0CRX1CRX2_PJ20_MARK to CTX0_CTX1_CTX2_MARK, CRX0_CRX1_PJ22_MARK,
+ resp. CRX0_CRX1_CRX2_PJ20_MARK for consistency with the
+ corresponding enum IDs,
+ - Adding all missing enum IDs and marks,
+ - Use the right (*_PJ2x) variants for alternative pins,
+ - Adding all missing configurations to pinmux_data[],
+ - Adding all missing function GPIO definitions to pinmux_func_gpios[].
+
+See SH7268 Group, SH7269 Group User’s Manual: Hardware, Rev. 2.00:
+ [1] Table 1.4 List of Pins
+ [2] Figure 23.29 Connection Example when Using Channels 0 and 1 as One
+ Channel (64 Mailboxes × 1 Channel) and Channel 2 as One Channel
+ (32 Mailboxes × 1 Channel),
+ [3] Figure 23.30 Connection Example when Using Channels 0, 1, and 2 as
+ One Channel (96 Mailboxes × 1 Channel),
+ [4] Table 48.3 Multiplexed Pins (Port B),
+ [5] Table 48.4 Multiplexed Pins (Port C),
+ [6] Table 48.10 Multiplexed Pins (Port J),
+ [7] Section 48.2.4 Port B Control Registers 0 to 5 (PBCR0 to PBCR5).
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191218194812.12741-5-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/cpu-sh2a/cpu/sh7269.h | 11 ++++++--
+ drivers/pinctrl/sh-pfc/pfc-sh7269.c | 39 ++++++++++++++++++---------
+ 2 files changed, 36 insertions(+), 14 deletions(-)
+
+diff --git a/arch/sh/include/cpu-sh2a/cpu/sh7269.h b/arch/sh/include/cpu-sh2a/cpu/sh7269.h
+index 2a0ca8780f0d8..e4caddd443daf 100644
+--- a/arch/sh/include/cpu-sh2a/cpu/sh7269.h
++++ b/arch/sh/include/cpu-sh2a/cpu/sh7269.h
+@@ -79,8 +79,15 @@ enum {
+ GPIO_FN_WDTOVF,
+
+ /* CAN */
+- GPIO_FN_CTX1, GPIO_FN_CRX1, GPIO_FN_CTX0, GPIO_FN_CTX0_CTX1,
+- GPIO_FN_CRX0, GPIO_FN_CRX0_CRX1, GPIO_FN_CRX0_CRX1_CRX2,
++ GPIO_FN_CTX2, GPIO_FN_CRX2,
++ GPIO_FN_CTX1, GPIO_FN_CRX1,
++ GPIO_FN_CTX0, GPIO_FN_CRX0,
++ GPIO_FN_CTX0_CTX1, GPIO_FN_CRX0_CRX1,
++ GPIO_FN_CTX0_CTX1_CTX2, GPIO_FN_CRX0_CRX1_CRX2,
++ GPIO_FN_CTX2_PJ21, GPIO_FN_CRX2_PJ20,
++ GPIO_FN_CTX1_PJ23, GPIO_FN_CRX1_PJ22,
++ GPIO_FN_CTX0_CTX1_PJ23, GPIO_FN_CRX0_CRX1_PJ22,
++ GPIO_FN_CTX0_CTX1_CTX2_PJ21, GPIO_FN_CRX0_CRX1_CRX2_PJ20,
+
+ /* DMAC */
+ GPIO_FN_TEND0, GPIO_FN_DACK0, GPIO_FN_DREQ0,
+diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7269.c b/drivers/pinctrl/sh-pfc/pfc-sh7269.c
+index cfdb4fc177c3e..3df0c0d139d08 100644
+--- a/drivers/pinctrl/sh-pfc/pfc-sh7269.c
++++ b/drivers/pinctrl/sh-pfc/pfc-sh7269.c
+@@ -740,13 +740,12 @@ enum {
+ CRX0_MARK, CTX0_MARK,
+ CRX1_MARK, CTX1_MARK,
+ CRX2_MARK, CTX2_MARK,
+- CRX0_CRX1_MARK,
+- CRX0_CRX1_CRX2_MARK,
+- CTX0CTX1CTX2_MARK,
++ CRX0_CRX1_MARK, CTX0_CTX1_MARK,
++ CRX0_CRX1_CRX2_MARK, CTX0_CTX1_CTX2_MARK,
+ CRX1_PJ22_MARK, CTX1_PJ23_MARK,
+ CRX2_PJ20_MARK, CTX2_PJ21_MARK,
+- CRX0CRX1_PJ22_MARK,
+- CRX0CRX1CRX2_PJ20_MARK,
++ CRX0_CRX1_PJ22_MARK, CTX0_CTX1_PJ23_MARK,
++ CRX0_CRX1_CRX2_PJ20_MARK, CTX0_CTX1_CTX2_PJ21_MARK,
+
+ /* VDC */
+ DV_CLK_MARK,
+@@ -824,6 +823,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_DATA(CS3_MARK, PC8MD_001),
+ PINMUX_DATA(TXD7_MARK, PC8MD_010),
+ PINMUX_DATA(CTX1_MARK, PC8MD_011),
++ PINMUX_DATA(CTX0_CTX1_MARK, PC8MD_100),
+
+ PINMUX_DATA(PC7_DATA, PC7MD_000),
+ PINMUX_DATA(CKE_MARK, PC7MD_001),
+@@ -836,11 +836,12 @@ static const u16 pinmux_data[] = {
+ PINMUX_DATA(CAS_MARK, PC6MD_001),
+ PINMUX_DATA(SCK7_MARK, PC6MD_010),
+ PINMUX_DATA(CTX0_MARK, PC6MD_011),
++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC6MD_100),
+
+ PINMUX_DATA(PC5_DATA, PC5MD_000),
+ PINMUX_DATA(RAS_MARK, PC5MD_001),
+ PINMUX_DATA(CRX0_MARK, PC5MD_011),
+- PINMUX_DATA(CTX0CTX1CTX2_MARK, PC5MD_100),
++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC5MD_100),
+ PINMUX_DATA(IRQ0_PC_MARK, PC5MD_101),
+
+ PINMUX_DATA(PC4_DATA, PC4MD_00),
+@@ -1292,30 +1293,32 @@ static const u16 pinmux_data[] = {
+ PINMUX_DATA(LCD_DATA23_PJ23_MARK, PJ23MD_010),
+ PINMUX_DATA(LCD_TCON6_MARK, PJ23MD_011),
+ PINMUX_DATA(IRQ3_PJ_MARK, PJ23MD_100),
+- PINMUX_DATA(CTX1_MARK, PJ23MD_101),
++ PINMUX_DATA(CTX1_PJ23_MARK, PJ23MD_101),
++ PINMUX_DATA(CTX0_CTX1_PJ23_MARK, PJ23MD_110),
+
+ PINMUX_DATA(PJ22_DATA, PJ22MD_000),
+ PINMUX_DATA(DV_DATA22_MARK, PJ22MD_001),
+ PINMUX_DATA(LCD_DATA22_PJ22_MARK, PJ22MD_010),
+ PINMUX_DATA(LCD_TCON5_MARK, PJ22MD_011),
+ PINMUX_DATA(IRQ2_PJ_MARK, PJ22MD_100),
+- PINMUX_DATA(CRX1_MARK, PJ22MD_101),
+- PINMUX_DATA(CRX0_CRX1_MARK, PJ22MD_110),
++ PINMUX_DATA(CRX1_PJ22_MARK, PJ22MD_101),
++ PINMUX_DATA(CRX0_CRX1_PJ22_MARK, PJ22MD_110),
+
+ PINMUX_DATA(PJ21_DATA, PJ21MD_000),
+ PINMUX_DATA(DV_DATA21_MARK, PJ21MD_001),
+ PINMUX_DATA(LCD_DATA21_PJ21_MARK, PJ21MD_010),
+ PINMUX_DATA(LCD_TCON4_MARK, PJ21MD_011),
+ PINMUX_DATA(IRQ1_PJ_MARK, PJ21MD_100),
+- PINMUX_DATA(CTX2_MARK, PJ21MD_101),
++ PINMUX_DATA(CTX2_PJ21_MARK, PJ21MD_101),
++ PINMUX_DATA(CTX0_CTX1_CTX2_PJ21_MARK, PJ21MD_110),
+
+ PINMUX_DATA(PJ20_DATA, PJ20MD_000),
+ PINMUX_DATA(DV_DATA20_MARK, PJ20MD_001),
+ PINMUX_DATA(LCD_DATA20_PJ20_MARK, PJ20MD_010),
+ PINMUX_DATA(LCD_TCON3_MARK, PJ20MD_011),
+ PINMUX_DATA(IRQ0_PJ_MARK, PJ20MD_100),
+- PINMUX_DATA(CRX2_MARK, PJ20MD_101),
+- PINMUX_DATA(CRX0CRX1CRX2_PJ20_MARK, PJ20MD_110),
++ PINMUX_DATA(CRX2_PJ20_MARK, PJ20MD_101),
++ PINMUX_DATA(CRX0_CRX1_CRX2_PJ20_MARK, PJ20MD_110),
+
+ PINMUX_DATA(PJ19_DATA, PJ19MD_000),
+ PINMUX_DATA(DV_DATA19_MARK, PJ19MD_001),
+@@ -1666,12 +1669,24 @@ static const struct pinmux_func pinmux_func_gpios[] = {
+ GPIO_FN(WDTOVF),
+
+ /* CAN */
++ GPIO_FN(CTX2),
++ GPIO_FN(CRX2),
+ GPIO_FN(CTX1),
+ GPIO_FN(CRX1),
+ GPIO_FN(CTX0),
+ GPIO_FN(CRX0),
++ GPIO_FN(CTX0_CTX1),
+ GPIO_FN(CRX0_CRX1),
++ GPIO_FN(CTX0_CTX1_CTX2),
+ GPIO_FN(CRX0_CRX1_CRX2),
++ GPIO_FN(CTX2_PJ21),
++ GPIO_FN(CRX2_PJ20),
++ GPIO_FN(CTX1_PJ23),
++ GPIO_FN(CRX1_PJ22),
++ GPIO_FN(CTX0_CTX1_PJ23),
++ GPIO_FN(CRX0_CRX1_PJ22),
++ GPIO_FN(CTX0_CTX1_CTX2_PJ21),
++ GPIO_FN(CRX0_CRX1_CRX2_PJ20),
+
+ /* DMAC */
+ GPIO_FN(TEND0),
+--
+2.20.1
+
--- /dev/null
+From 185f81ed9b1f55c1bc31aa4c6313de61176d0269 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:20:30 +0900
+Subject: PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC
+ dependency
+
+From: Chanwoo Choi <cw00.choi@samsung.com>
+
+[ Upstream commit eff5d31f7407fa9d31fb840106f1593399457298 ]
+
+To build test, add COMPILE_TEST depedency to both ARM_RK3399_DMC_DEVFREQ
+and DEVFREQ_EVENT_ROCKCHIP_DFI configuration. And ARM_RK3399_DMC_DEVFREQ
+used the SMCCC interface so that add HAVE_ARM_SMCCC dependency to prevent
+the build break.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/Kconfig | 3 ++-
+ drivers/devfreq/event/Kconfig | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/devfreq/Kconfig b/drivers/devfreq/Kconfig
+index 41254e702f1e9..2ce7cc94d78b1 100644
+--- a/drivers/devfreq/Kconfig
++++ b/drivers/devfreq/Kconfig
+@@ -102,7 +102,8 @@ config ARM_TEGRA_DEVFREQ
+
+ config ARM_RK3399_DMC_DEVFREQ
+ tristate "ARM RK3399 DMC DEVFREQ Driver"
+- depends on ARCH_ROCKCHIP
++ depends on (ARCH_ROCKCHIP && HAVE_ARM_SMCCC) || \
++ (COMPILE_TEST && HAVE_ARM_SMCCC)
+ select DEVFREQ_EVENT_ROCKCHIP_DFI
+ select DEVFREQ_GOV_SIMPLE_ONDEMAND
+ select PM_DEVFREQ_EVENT
+diff --git a/drivers/devfreq/event/Kconfig b/drivers/devfreq/event/Kconfig
+index cd949800eed96..8851bc4e8e3e1 100644
+--- a/drivers/devfreq/event/Kconfig
++++ b/drivers/devfreq/event/Kconfig
+@@ -33,7 +33,7 @@ config DEVFREQ_EVENT_EXYNOS_PPMU
+
+ config DEVFREQ_EVENT_ROCKCHIP_DFI
+ tristate "ROCKCHIP DFI DEVFREQ event Driver"
+- depends on ARCH_ROCKCHIP
++ depends on ARCH_ROCKCHIP || COMPILE_TEST
+ help
+ This add the devfreq-event driver for Rockchip SoC. It provides DFI
+ (DDR Monitor Module) driver to count ddr load.
+--
+2.20.1
+
--- /dev/null
+From 13882526e4f64eb643a948e95184a7a2bf2271ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Oct 2019 19:54:22 +1100
+Subject: powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid
+ PE number
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+[ Upstream commit 3b5b9997b331e77ce967eba2c4bc80dc3134a7fe ]
+
+On pseries there is a bug with adding hotplugged devices to an IOMMU
+group. For a number of dumb reasons fixing that bug first requires
+re-working how VFs are configured on PowerNV. For background, on
+PowerNV we use the pcibios_sriov_enable() hook to do two things:
+
+ 1. Create a pci_dn structure for each of the VFs, and
+ 2. Configure the PHB's internal BARs so the MMIO range for each VF
+ maps to a unique PE.
+
+Roughly speaking a PE is the hardware counterpart to a Linux IOMMU
+group since all the devices in a PE share the same IOMMU table. A PE
+also defines the set of devices that should be isolated in response to
+a PCI error (i.e. bad DMA, UR/CA, AER events, etc). When isolated all
+MMIO and DMA traffic to and from devicein the PE is blocked by the
+root complex until the PE is recovered by the OS.
+
+The requirement to block MMIO causes a giant headache because the P8
+PHB generally uses a fixed mapping between MMIO addresses and PEs. As
+a result we need to delay configuring the IOMMU groups for device
+until after MMIO resources are assigned. For physical devices (i.e.
+non-VFs) the PE assignment is done in pcibios_setup_bridge() which is
+called immediately after the MMIO resources for downstream
+devices (and the bridge's windows) are assigned. For VFs the setup is
+more complicated because:
+
+ a) pcibios_setup_bridge() is not called again when VFs are activated, and
+ b) The pci_dev for VFs are created by generic code which runs after
+ pcibios_sriov_enable() is called.
+
+The work around for this is a two step process:
+
+ 1. A fixup in pcibios_add_device() is used to initialised the cached
+ pe_number in pci_dn, then
+ 2. A bus notifier then adds the device to the IOMMU group for the PE
+ specified in pci_dn->pe_number.
+
+A side effect fixing the pseries bug mentioned in the first paragraph
+is moving the fixup out of pcibios_add_device() and into
+pcibios_bus_add_device(), which is called much later. This results in
+step 2. failing because pci_dn->pe_number won't be initialised when
+the bus notifier is run.
+
+We can fix this by removing the need for the fixup. The PE for a VF is
+known before the VF is even scanned so we can initialise
+pci_dn->pe_number pcibios_sriov_enable() instead. Unfortunately,
+moving the initialisation causes two problems:
+
+ 1. We trip the WARN_ON() in the current fixup code, and
+ 2. The EEH core clears pdn->pe_number when recovering a VF and
+ relies on the fixup to correctly re-set it.
+
+The only justification for either of these is a comment in
+eeh_rmv_device() suggesting that pdn->pe_number *must* be set to
+IODA_INVALID_PE in order for the VF to be scanned. However, this
+comment appears to have no basis in reality. Both bugs can be fixed by
+just deleting the code.
+
+Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191028085424.12006-1-oohall@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh_driver.c | 6 ------
+ arch/powerpc/platforms/powernv/pci-ioda.c | 19 +++++++++++++++----
+ arch/powerpc/platforms/powernv/pci.c | 4 ----
+ 3 files changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
+index 620e08d4eb6e2..adac3dee4c57e 100644
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -520,12 +520,6 @@ static void *eeh_rmv_device(void *data, void *userdata)
+
+ pci_iov_remove_virtfn(edev->physfn, pdn->vf_index, 0);
+ edev->pdev = NULL;
+-
+- /*
+- * We have to set the VF PE number to invalid one, which is
+- * required to plug the VF successfully.
+- */
+- pdn->pe_number = IODA_INVALID_PE;
+ #endif
+ if (rmv_data)
+ list_add(&edev->rmv_list, &rmv_data->edev_list);
+diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c
+index 3ec673b4ca6ce..b787a669a1e27 100644
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -1524,6 +1524,10 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs)
+
+ /* Reserve PE for each VF */
+ for (vf_index = 0; vf_index < num_vfs; vf_index++) {
++ int vf_devfn = pci_iov_virtfn_devfn(pdev, vf_index);
++ int vf_bus = pci_iov_virtfn_bus(pdev, vf_index);
++ struct pci_dn *vf_pdn;
++
+ if (pdn->m64_single_mode)
+ pe_num = pdn->pe_num_map[vf_index];
+ else
+@@ -1536,13 +1540,11 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs)
+ pe->pbus = NULL;
+ pe->parent_dev = pdev;
+ pe->mve_number = -1;
+- pe->rid = (pci_iov_virtfn_bus(pdev, vf_index) << 8) |
+- pci_iov_virtfn_devfn(pdev, vf_index);
++ pe->rid = (vf_bus << 8) | vf_devfn;
+
+ pe_info(pe, "VF %04d:%02d:%02d.%d associated with PE#%d\n",
+ hose->global_number, pdev->bus->number,
+- PCI_SLOT(pci_iov_virtfn_devfn(pdev, vf_index)),
+- PCI_FUNC(pci_iov_virtfn_devfn(pdev, vf_index)), pe_num);
++ PCI_SLOT(vf_devfn), PCI_FUNC(vf_devfn), pe_num);
+
+ if (pnv_ioda_configure_pe(phb, pe)) {
+ /* XXX What do we do here ? */
+@@ -1556,6 +1558,15 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs)
+ list_add_tail(&pe->list, &phb->ioda.pe_list);
+ mutex_unlock(&phb->ioda.pe_list_mutex);
+
++ /* associate this pe to it's pdn */
++ list_for_each_entry(vf_pdn, &pdn->parent->child_list, list) {
++ if (vf_pdn->busno == vf_bus &&
++ vf_pdn->devfn == vf_devfn) {
++ vf_pdn->pe_number = pe_num;
++ break;
++ }
++ }
++
+ pnv_pci_ioda2_setup_dma_pe(phb, pe);
+ }
+ }
+diff --git a/arch/powerpc/platforms/powernv/pci.c b/arch/powerpc/platforms/powernv/pci.c
+index 00dbf1e895a9d..2ed7627e991e0 100644
+--- a/arch/powerpc/platforms/powernv/pci.c
++++ b/arch/powerpc/platforms/powernv/pci.c
+@@ -856,16 +856,12 @@ void pnv_pci_dma_dev_setup(struct pci_dev *pdev)
+ struct pnv_phb *phb = hose->private_data;
+ #ifdef CONFIG_PCI_IOV
+ struct pnv_ioda_pe *pe;
+- struct pci_dn *pdn;
+
+ /* Fix the VF pdn PE number */
+ if (pdev->is_virtfn) {
+- pdn = pci_get_pdn(pdev);
+- WARN_ON(pdn->pe_number != IODA_INVALID_PE);
+ list_for_each_entry(pe, &phb->ioda.pe_list, list) {
+ if (pe->rid == ((pdev->bus->number << 8) |
+ (pdev->devfn & 0xff))) {
+- pdn->pe_number = pe->pe_number;
+ pe->pdev = pdev;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From dbdf310852925ed2b30b2b10708b096731ea9472 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2019 16:26:53 +1000
+Subject: powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+[ Upstream commit 1fb4124ca9d456656a324f1ee29b7bf942f59ac8 ]
+
+When disabling virtual functions on an SR-IOV adapter we currently do not
+correctly remove the EEH state for the now-dead virtual functions. When
+removing the pci_dn that was created for the VF when SR-IOV was enabled
+we free the corresponding eeh_dev without removing it from the child device
+list of the eeh_pe that contained it. This can result in crashes due to the
+use-after-free.
+
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+Reviewed-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Tested-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190821062655.19735-1-oohall@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/pci_dn.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c
+index 5926934370702..c8f1b78fbd0e2 100644
+--- a/arch/powerpc/kernel/pci_dn.c
++++ b/arch/powerpc/kernel/pci_dn.c
+@@ -271,9 +271,22 @@ void remove_dev_pci_data(struct pci_dev *pdev)
+ continue;
+
+ #ifdef CONFIG_EEH
+- /* Release EEH device for the VF */
++ /*
++ * Release EEH state for this VF. The PCI core
++ * has already torn down the pci_dev for this VF, but
++ * we're responsible to removing the eeh_dev since it
++ * has the same lifetime as the pci_dn that spawned it.
++ */
+ edev = pdn_to_eeh_dev(pdn);
+ if (edev) {
++ /*
++ * We allocate pci_dn's for the totalvfs count,
++ * but only only the vfs that were activated
++ * have a configured PE.
++ */
++ if (edev->pe)
++ eeh_rmv_from_parent_pe(edev);
++
+ pdn->edev = NULL;
+ kfree(edev);
+ }
+--
+2.20.1
+
--- /dev/null
+From 1e6cf6a27db839e9ad486dd3ca59a1ec7f5fc744 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2019 10:03:54 +0100
+Subject: pwm: omap-dmtimer: Remove PWM chip in .remove before making it
+ unfunctional
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 43efdc8f0e6d7088ec61bd55a73bf853f002d043 ]
+
+In the old code (e.g.) mutex_destroy() was called before
+pwmchip_remove(). Between these two calls it is possible that a PWM
+callback is used which tries to grab the mutex.
+
+Fixes: 6604c6556db9 ("pwm: Add PWM driver for OMAP using dual-mode timers")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-omap-dmtimer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-omap-dmtimer.c b/drivers/pwm/pwm-omap-dmtimer.c
+index 5ad42f33e70c1..2e15acf13893d 100644
+--- a/drivers/pwm/pwm-omap-dmtimer.c
++++ b/drivers/pwm/pwm-omap-dmtimer.c
+@@ -337,6 +337,11 @@ static int pwm_omap_dmtimer_probe(struct platform_device *pdev)
+ static int pwm_omap_dmtimer_remove(struct platform_device *pdev)
+ {
+ struct pwm_omap_dmtimer_chip *omap = platform_get_drvdata(pdev);
++ int ret;
++
++ ret = pwmchip_remove(&omap->chip);
++ if (ret)
++ return ret;
+
+ if (pm_runtime_active(&omap->dm_timer_pdev->dev))
+ omap->pdata->stop(omap->dm_timer);
+@@ -345,7 +350,7 @@ static int pwm_omap_dmtimer_remove(struct platform_device *pdev)
+
+ mutex_destroy(&omap->mutex);
+
+- return pwmchip_remove(&omap->chip);
++ return 0;
+ }
+
+ static const struct of_device_id pwm_omap_dmtimer_of_match[] = {
+--
+2.20.1
+
--- /dev/null
+From 9029ed0a677a5aa1c82f953a1843523a71e97ddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2019 12:00:24 +0200
+Subject: pxa168fb: Fix the function used to release some memory in an error
+ handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 3c911fe799d1c338d94b78e7182ad452c37af897 ]
+
+In the probe function, some resources are allocated using 'dma_alloc_wc()',
+they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.
+
+We already use 'dma_free_wc()' in the remove function, but not in the
+error handling path of the probe function.
+
+Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already
+PAGE_ALIGNed.
+
+Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
+CC: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxa168fb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c
+index d059d04c63acd..20195d3dbf088 100644
+--- a/drivers/video/fbdev/pxa168fb.c
++++ b/drivers/video/fbdev/pxa168fb.c
+@@ -769,8 +769,8 @@ failed_free_cmap:
+ failed_free_clk:
+ clk_disable_unprepare(fbi->clk);
+ failed_free_fbmem:
+- dma_free_coherent(fbi->dev, info->fix.smem_len,
+- info->screen_base, fbi->fb_start_dma);
++ dma_free_wc(fbi->dev, info->fix.smem_len,
++ info->screen_base, fbi->fb_start_dma);
+ failed_free_info:
+ kfree(info);
+
+@@ -804,7 +804,7 @@ static int pxa168fb_remove(struct platform_device *pdev)
+
+ irq = platform_get_irq(pdev, 0);
+
+- dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
++ dma_free_wc(fbi->dev, info->fix.smem_len,
+ info->screen_base, info->fix.smem_start);
+
+ clk_disable_unprepare(fbi->clk);
+--
+2.20.1
+
--- /dev/null
+From 59160437ba887de4df54f550d5a2112925bdde52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2020 17:09:52 +0100
+Subject: radeon: insert 10ms sleep in dce5_crtc_load_lut
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit ec3d65082d7dabad6fa8f66a8ef166f2d522d6b2 ]
+
+Per at least one tester this is enough magic to recover the regression
+introduced for some people (but not all) in
+
+commit b8e2b0199cc377617dc238f5106352c06dcd3fa2
+Author: Peter Rosin <peda@axentia.se>
+Date: Tue Jul 4 12:36:57 2017 +0200
+
+ drm/fb-helper: factor out pseudo-palette
+
+which for radeon had the side-effect of refactoring out a seemingly
+redudant writing of the color palette.
+
+10ms in a fairly slow modeset path feels like an acceptable form of
+duct-tape, so maybe worth a shot and see what sticks.
+
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Michel Dänzer <michel.daenzer@amd.com>
+References: https://bugzilla.kernel.org/show_bug.cgi?id=198123
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index 8b6f8aa238063..432ad7d73cb9b 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -110,6 +110,8 @@ static void dce5_crtc_load_lut(struct drm_crtc *crtc)
+
+ DRM_DEBUG_KMS("%d\n", radeon_crtc->crtc_id);
+
++ msleep(10);
++
+ WREG32(NI_INPUT_CSC_CONTROL + radeon_crtc->crtc_offset,
+ (NI_INPUT_CSC_GRPH_MODE(NI_INPUT_CSC_BYPASS) |
+ NI_INPUT_CSC_OVL_MODE(NI_INPUT_CSC_BYPASS)));
+--
+2.20.1
+
--- /dev/null
+From c179dc71790196e4980f7b0c55390f3e161697f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Nov 2019 09:42:13 -0800
+Subject: rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 860c8802ace14c646864795e057349c9fb2d60ad ]
+
+Eric Dumazet supplied a KCSAN report of a bug that forces use
+of hlist_unhashed_lockless() from sk_unhashed():
+
+------------------------------------------------------------------------
+
+BUG: KCSAN: data-race in inet_unhash / inet_unhash
+
+write to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 1:
+ __hlist_nulls_del include/linux/list_nulls.h:88 [inline]
+ hlist_nulls_del_init_rcu include/linux/rculist_nulls.h:36 [inline]
+ __sk_nulls_del_node_init_rcu include/net/sock.h:676 [inline]
+ inet_unhash+0x38f/0x4a0 net/ipv4/inet_hashtables.c:612
+ tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249
+ tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854
+ tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56
+ tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479
+ tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599
+ tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619
+ call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404
+ expire_timers kernel/time/timer.c:1449 [inline]
+ __run_timers kernel/time/timer.c:1773 [inline]
+ __run_timers kernel/time/timer.c:1740 [inline]
+ run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+ native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
+ arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
+ default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x1af/0x280 kernel/sched/idle.c:263
+ cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355
+ start_secondary+0x208/0x260 arch/x86/kernel/smpboot.c:264
+ secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
+
+read to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 0:
+ sk_unhashed include/net/sock.h:607 [inline]
+ inet_unhash+0x3d/0x4a0 net/ipv4/inet_hashtables.c:592
+ tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249
+ tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854
+ tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56
+ tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479
+ tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599
+ tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619
+ call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404
+ expire_timers kernel/time/timer.c:1449 [inline]
+ __run_timers kernel/time/timer.c:1773 [inline]
+ __run_timers kernel/time/timer.c:1740 [inline]
+ run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+ native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
+ arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
+ default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x1af/0x280 kernel/sched/idle.c:263
+ cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355
+ rest_init+0xec/0xf6 init/main.c:452
+ arch_call_rest_init+0x17/0x37
+ start_kernel+0x838/0x85e init/main.c:786
+ x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
+ x86_64_start_kernel+0x72/0x76 arch/x86/kernel/head64.c:471
+ secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc6+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 01/01/2011
+
+------------------------------------------------------------------------
+
+This commit therefore replaces C-language assignments with WRITE_ONCE()
+in include/linux/list_nulls.h and include/linux/rculist_nulls.h.
+
+Reported-by: Eric Dumazet <edumazet@google.com> # For KCSAN
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/list_nulls.h | 8 ++++----
+ include/linux/rculist_nulls.h | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/list_nulls.h b/include/linux/list_nulls.h
+index 87ff4f58a2f01..9e20bf7f46a20 100644
+--- a/include/linux/list_nulls.h
++++ b/include/linux/list_nulls.h
+@@ -71,10 +71,10 @@ static inline void hlist_nulls_add_head(struct hlist_nulls_node *n,
+ struct hlist_nulls_node *first = h->first;
+
+ n->next = first;
+- n->pprev = &h->first;
++ WRITE_ONCE(n->pprev, &h->first);
+ h->first = n;
+ if (!is_a_nulls(first))
+- first->pprev = &n->next;
++ WRITE_ONCE(first->pprev, &n->next);
+ }
+
+ static inline void __hlist_nulls_del(struct hlist_nulls_node *n)
+@@ -84,13 +84,13 @@ static inline void __hlist_nulls_del(struct hlist_nulls_node *n)
+
+ WRITE_ONCE(*pprev, next);
+ if (!is_a_nulls(next))
+- next->pprev = pprev;
++ WRITE_ONCE(next->pprev, pprev);
+ }
+
+ static inline void hlist_nulls_del(struct hlist_nulls_node *n)
+ {
+ __hlist_nulls_del(n);
+- n->pprev = LIST_POISON2;
++ WRITE_ONCE(n->pprev, LIST_POISON2);
+ }
+
+ /**
+diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h
+index 106f4e0d7bd39..4d71e3687d1ed 100644
+--- a/include/linux/rculist_nulls.h
++++ b/include/linux/rculist_nulls.h
+@@ -33,7 +33,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
+ {
+ if (!hlist_nulls_unhashed(n)) {
+ __hlist_nulls_del(n);
+- n->pprev = NULL;
++ WRITE_ONCE(n->pprev, NULL);
+ }
+ }
+
+@@ -65,7 +65,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
+ static inline void hlist_nulls_del_rcu(struct hlist_nulls_node *n)
+ {
+ __hlist_nulls_del(n);
+- n->pprev = LIST_POISON2;
++ WRITE_ONCE(n->pprev, LIST_POISON2);
+ }
+
+ /**
+@@ -93,10 +93,10 @@ static inline void hlist_nulls_add_head_rcu(struct hlist_nulls_node *n,
+ struct hlist_nulls_node *first = h->first;
+
+ n->next = first;
+- n->pprev = &h->first;
++ WRITE_ONCE(n->pprev, &h->first);
+ rcu_assign_pointer(hlist_nulls_first_rcu(h), n);
+ if (!is_a_nulls(first))
+- first->pprev = &n->next;
++ WRITE_ONCE(first->pprev, &n->next);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From c56fc57e6b90ee77b44b2966ab09cd6b149fc6db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Dec 2019 19:36:13 +0800
+Subject: RDMA/rxe: Fix error type of mmap_offset
+
+From: Jiewei Ke <kejiewei.cn@gmail.com>
+
+[ Upstream commit 6ca18d8927d468c763571f78c9a7387a69ffa020 ]
+
+The type of mmap_offset should be u64 instead of int to match the type of
+mminfo.offset. If otherwise, after we create several thousands of CQs, it
+will run into overflow issues.
+
+Link: https://lore.kernel.org/r/20191227113613.5020-1-kejiewei.cn@gmail.com
+Signed-off-by: Jiewei Ke <kejiewei.cn@gmail.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_verbs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.h b/drivers/infiniband/sw/rxe/rxe_verbs.h
+index 47003d2a4a46e..dee3853163b60 100644
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.h
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.h
+@@ -422,7 +422,7 @@ struct rxe_dev {
+ struct list_head pending_mmaps;
+
+ spinlock_t mmap_offset_lock; /* guard mmap_offset */
+- int mmap_offset;
++ u64 mmap_offset;
+
+ struct rxe_port port;
+ struct list_head list;
+--
+2.20.1
+
--- /dev/null
+From 6757010f3416d97cf66f8ca168f38040a5a35ece Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 17:47:09 +0100
+Subject: regulator: rk808: Lower log level on optional GPIOs being not
+ available
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit b8a039d37792067c1a380dc710361905724b9b2f ]
+
+RK808 can leverage a couple of GPIOs to tweak the ramp rate during DVS
+(Dynamic Voltage Scaling). These GPIOs are entirely optional but a
+dev_warn() appeared when cleaning this driver to use a more up-to-date
+gpiod API. At least reduce the log level to 'info' as it is totally
+fine to not populate these GPIO on a hardware design.
+
+This change is trivial but it is worth not polluting the logs during
+bringup phase by having real warnings and errors sorted out
+correctly.
+
+Fixes: a13eaf02e2d6 ("regulator: rk808: make better use of the gpiod API")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20191203164709.11127-1-miquel.raynal@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/rk808-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c
+index dfa8d50a5d741..28646e4cf3bae 100644
+--- a/drivers/regulator/rk808-regulator.c
++++ b/drivers/regulator/rk808-regulator.c
+@@ -589,7 +589,7 @@ static int rk808_regulator_dt_parse_pdata(struct device *dev,
+ }
+
+ if (!pdata->dvs_gpio[i]) {
+- dev_warn(dev, "there is no dvs%d gpio\n", i);
++ dev_info(dev, "there is no dvs%d gpio\n", i);
+ continue;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 75a665d8fc9383b2ab7ae2d1493bdb38e8796d23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:35:58 +0100
+Subject: reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 4d5c1adaf893b8aa52525d2b81995e949bcb3239 ]
+
+When we fail to allocate string for journal device name we jump to
+'error' label which tries to unlock reiserfs write lock which is not
+held. Jump to 'error_unlocked' instead.
+
+Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
+index bfed2a7000154..677608a89b08d 100644
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -1928,7 +1928,7 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
+ if (!sbi->s_jdev) {
+ SWARN(silent, s, "", "Cannot allocate memory for "
+ "journal device name");
+- goto error;
++ goto error_unlocked;
+ }
+ }
+ #ifdef CONFIG_QUOTA
+--
+2.20.1
+
--- /dev/null
+From 61809afab044c7e5712b4b27a75ca3f58208b79d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2020 22:17:26 -0800
+Subject: reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
+
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+
+[ Upstream commit aacee5446a2a1aa35d0a49dab289552578657fb4 ]
+
+The variable inode may be NULL in reiserfs_insert_item(), but there is
+no check before accessing the member of inode.
+
+Fix this by adding NULL pointer check before calling reiserfs_debug().
+
+Link: http://lkml.kernel.org/r/79c5135d-ff25-1cc9-4e99-9f572b88cc00@huawei.com
+Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
+Cc: zhengbin <zhengbin13@huawei.com>
+Cc: Hu Shiyuan <hushiyuan@huawei.com>
+Cc: Feilong Lin <linfeilong@huawei.com>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/stree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
+index a97e352d05d3b..5f5fff0688776 100644
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -2249,7 +2249,8 @@ error_out:
+ /* also releases the path */
+ unfix_nodes(&s_ins_balance);
+ #ifdef REISERQUOTA_DEBUG
+- reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE,
++ if (inode)
++ reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE,
+ "reiserquota insert_item(): freeing %u id=%u type=%c",
+ quota_bytes, inode->i_uid, head2type(ih));
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 94db203348d35c9a9f9ab52d6ea181d5711a41b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2019 17:52:23 -0500
+Subject: remoteproc: Initialize rproc_class before use
+
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+
+[ Upstream commit a8f40111d184098cd2b3dc0c7170c42250a5fa09 ]
+
+The remoteproc_core and remoteproc drivers all initialize with module_init().
+However remoteproc drivers need the rproc_class during their probe. If one of
+the remoteproc drivers runs init and gets through probe before
+remoteproc_init() runs, a NULL pointer access of rproc_class's `glue_dirs`
+spinlock occurs.
+
+> Unable to handle kernel NULL pointer dereference at virtual address 000000dc
+> pgd = c0004000
+> [000000dc] *pgd=00000000
+> Internal error: Oops: 5 [#1] PREEMPT ARM
+> Modules linked in:
+> CPU: 0 PID: 1 Comm: swapper Tainted: G W 4.14.106-rt56 #1
+> Hardware name: Generic OMAP36xx (Flattened Device Tree)
+> task: c6050000 task.stack: c604a000
+> PC is at rt_spin_lock+0x40/0x6c
+> LR is at rt_spin_lock+0x28/0x6c
+> pc : [<c0523c90>] lr : [<c0523c78>] psr: 60000013
+> sp : c604bdc0 ip : 00000000 fp : 00000000
+> r10: 00000000 r9 : c61c7c10 r8 : c6269c20
+> r7 : c0905888 r6 : c6269c20 r5 : 00000000 r4 : 000000d4
+> r3 : 000000dc r2 : c6050000 r1 : 00000002 r0 : 000000d4
+> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+...
+> [<c0523c90>] (rt_spin_lock) from [<c03b65a4>] (get_device_parent+0x54/0x17c)
+> [<c03b65a4>] (get_device_parent) from [<c03b6bec>] (device_add+0xe0/0x5b4)
+> [<c03b6bec>] (device_add) from [<c042adf4>] (rproc_add+0x18/0xd8)
+> [<c042adf4>] (rproc_add) from [<c01110e4>] (my_rproc_probe+0x158/0x204)
+> [<c01110e4>] (my_rproc_probe) from [<c03bb6b8>] (platform_drv_probe+0x34/0x70)
+> [<c03bb6b8>] (platform_drv_probe) from [<c03b9dd4>] (driver_probe_device+0x2c8/0x420)
+> [<c03b9dd4>] (driver_probe_device) from [<c03ba02c>] (__driver_attach+0x100/0x11c)
+> [<c03ba02c>] (__driver_attach) from [<c03b7d08>] (bus_for_each_dev+0x7c/0xc0)
+> [<c03b7d08>] (bus_for_each_dev) from [<c03b910c>] (bus_add_driver+0x1cc/0x264)
+> [<c03b910c>] (bus_add_driver) from [<c03ba714>] (driver_register+0x78/0xf8)
+> [<c03ba714>] (driver_register) from [<c010181c>] (do_one_initcall+0x100/0x190)
+> [<c010181c>] (do_one_initcall) from [<c0800de8>] (kernel_init_freeable+0x130/0x1d0)
+> [<c0800de8>] (kernel_init_freeable) from [<c051eee8>] (kernel_init+0x8/0x114)
+> [<c051eee8>] (kernel_init) from [<c01175b0>] (ret_from_fork+0x14/0x24)
+> Code: e2843008 e3c2203f f5d3f000 e5922010 (e193cf9f)
+> ---[ end trace 0000000000000002 ]---
+
+Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
+Link: https://lore.kernel.org/r/20190530225223.136420-1-brandon.maier@rockwellcollins.com
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/remoteproc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
+index c6bfb3496684e..b99780574044a 100644
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -1488,7 +1488,7 @@ static int __init remoteproc_init(void)
+
+ return 0;
+ }
+-module_init(remoteproc_init);
++subsys_initcall(remoteproc_init);
+
+ static void __exit remoteproc_exit(void)
+ {
+--
+2.20.1
+
--- /dev/null
+From 42a203c16d02996ea19084434c36f2fc2425ee3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 00:55:29 +0700
+Subject: rtlwifi: rtl_pci: Fix -Wcast-function-type
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+[ Upstream commit cb775c88da5d48a85d99d95219f637b6fad2e0e9 ]
+
+correct usage prototype of callback in tasklet_init().
+Report by https://github.com/KSPP/linux/issues/20
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index e15b462d096bf..21b7cb845bf40 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -1095,13 +1095,15 @@ done:
+ return ret;
+ }
+
+-static void _rtl_pci_irq_tasklet(struct ieee80211_hw *hw)
++static void _rtl_pci_irq_tasklet(unsigned long data)
+ {
++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data;
+ _rtl_pci_tx_chk_waitq(hw);
+ }
+
+-static void _rtl_pci_prepare_bcn_tasklet(struct ieee80211_hw *hw)
++static void _rtl_pci_prepare_bcn_tasklet(unsigned long data)
+ {
++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data;
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
+ struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
+@@ -1223,10 +1225,10 @@ static void _rtl_pci_init_struct(struct ieee80211_hw *hw,
+
+ /*task */
+ tasklet_init(&rtlpriv->works.irq_tasklet,
+- (void (*)(unsigned long))_rtl_pci_irq_tasklet,
++ _rtl_pci_irq_tasklet,
+ (unsigned long)hw);
+ tasklet_init(&rtlpriv->works.irq_prepare_bcn_tasklet,
+- (void (*)(unsigned long))_rtl_pci_prepare_bcn_tasklet,
++ _rtl_pci_prepare_bcn_tasklet,
+ (unsigned long)hw);
+ INIT_WORK(&rtlpriv->works.lps_change_work,
+ rtl_lps_change_work_callback);
+--
+2.20.1
+
--- /dev/null
+From 99655674ef1b6164e85d12aa3395e9a81e7b8c06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 14:33:39 +0100
+Subject: s390/ftrace: generate traced function stack frame
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 45f7a0da600d3c409b5ad8d5ddddacd98ddc8840 ]
+
+Currently backtrace from ftraced function does not contain ftraced
+function itself. e.g. for "path_openat":
+
+arch_stack_walk+0x15c/0x2d8
+stack_trace_save+0x50/0x68
+stack_trace_call+0x15e/0x3d8
+ftrace_graph_caller+0x0/0x1c <-- ftrace code
+do_filp_open+0x7c/0xe8 <-- ftraced function caller
+do_open_execat+0x76/0x1b8
+open_exec+0x52/0x78
+load_elf_binary+0x180/0x1160
+search_binary_handler+0x8e/0x288
+load_script+0x2a8/0x2b8
+search_binary_handler+0x8e/0x288
+__do_execve_file.isra.39+0x6fa/0xb40
+__s390x_sys_execve+0x56/0x68
+system_call+0xdc/0x2d8
+
+Ftraced function is expected in the backtrace by ftrace kselftests, which
+are now failing. It would also be nice to have it for clarity reasons.
+
+"ftrace_caller" itself is called without stack frame allocated for it
+and does not store its caller (ftraced function). Instead it simply
+allocates a stack frame for "ftrace_trace_function" and sets backchain
+to point to ftraced function stack frame (which contains ftraced function
+caller in saved r14).
+
+To fix this issue make "ftrace_caller" allocate a stack frame
+for itself just to store ftraced function for the stack unwinder.
+As a result backtrace looks like the following:
+
+arch_stack_walk+0x15c/0x2d8
+stack_trace_save+0x50/0x68
+stack_trace_call+0x15e/0x3d8
+ftrace_graph_caller+0x0/0x1c <-- ftrace code
+path_openat+0x6/0xd60 <-- ftraced function
+do_filp_open+0x7c/0xe8 <-- ftraced function caller
+do_open_execat+0x76/0x1b8
+open_exec+0x52/0x78
+load_elf_binary+0x180/0x1160
+search_binary_handler+0x8e/0x288
+load_script+0x2a8/0x2b8
+search_binary_handler+0x8e/0x288
+__do_execve_file.isra.39+0x6fa/0xb40
+__s390x_sys_execve+0x56/0x68
+system_call+0xdc/0x2d8
+
+Reported-by: Sven Schnelle <sven.schnelle@ibm.com>
+Tested-by: Sven Schnelle <sven.schnelle@ibm.com>
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/mcount.S | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S
+index be75e8e49e43d..802a4ded9a626 100644
+--- a/arch/s390/kernel/mcount.S
++++ b/arch/s390/kernel/mcount.S
+@@ -24,6 +24,12 @@ ENTRY(ftrace_stub)
+ #define STACK_PTREGS (STACK_FRAME_OVERHEAD)
+ #define STACK_PTREGS_GPRS (STACK_PTREGS + __PT_GPRS)
+ #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW)
++#ifdef __PACK_STACK
++/* allocate just enough for r14, r15 and backchain */
++#define TRACED_FUNC_FRAME_SIZE 24
++#else
++#define TRACED_FUNC_FRAME_SIZE STACK_FRAME_OVERHEAD
++#endif
+
+ ENTRY(_mcount)
+ BR_EX %r14
+@@ -37,9 +43,16 @@ ENTRY(ftrace_caller)
+ #ifndef CC_USING_HOTPATCH
+ aghi %r0,MCOUNT_RETURN_FIXUP
+ #endif
+- aghi %r15,-STACK_FRAME_SIZE
++ # allocate stack frame for ftrace_caller to contain traced function
++ aghi %r15,-TRACED_FUNC_FRAME_SIZE
+ stg %r1,__SF_BACKCHAIN(%r15)
++ stg %r0,(__SF_GPRS+8*8)(%r15)
++ stg %r15,(__SF_GPRS+9*8)(%r15)
++ # allocate pt_regs and stack frame for ftrace_trace_function
++ aghi %r15,-STACK_FRAME_SIZE
+ stg %r1,(STACK_PTREGS_GPRS+15*8)(%r15)
++ aghi %r1,-TRACED_FUNC_FRAME_SIZE
++ stg %r1,__SF_BACKCHAIN(%r15)
+ stg %r0,(STACK_PTREGS_PSW+8)(%r15)
+ stmg %r2,%r14,(STACK_PTREGS_GPRS+2*8)(%r15)
+ #ifdef CONFIG_HAVE_MARCH_Z196_FEATURES
+--
+2.20.1
+
--- /dev/null
+From 8c5e64cd5ccd8607c44b992003af89bcd684335f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 18:42:20 -0700
+Subject: scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 4dbc96ad65c45cdd4e895ed7ae4c151b780790c5 ]
+
+Clang warns:
+
+../drivers/scsi/aic7xxx/aic7xxx_core.c:2317:5: warning: misleading
+indentation; statement is not part of the previous 'if'
+[-Wmisleading-indentation]
+ if ((syncrate->sxfr_u2 & ST_SXFR) != 0)
+ ^
+../drivers/scsi/aic7xxx/aic7xxx_core.c:2310:4: note: previous statement
+is here
+ if (syncrate == &ahc_syncrates[maxsync])
+ ^
+1 warning generated.
+
+This warning occurs because there is a space amongst the tabs on this
+line. Remove it so that the indentation is consistent with the Linux kernel
+coding style and clang no longer warns.
+
+This has been a problem since the beginning of git history hence no fixes
+tag.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/817
+Link: https://lore.kernel.org/r/20191218014220.52746-1-natechancellor@gmail.com
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aic7xxx/aic7xxx_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aic7xxx/aic7xxx_core.c b/drivers/scsi/aic7xxx/aic7xxx_core.c
+index 64ab9eaec428c..def3208dd2905 100644
+--- a/drivers/scsi/aic7xxx/aic7xxx_core.c
++++ b/drivers/scsi/aic7xxx/aic7xxx_core.c
+@@ -2321,7 +2321,7 @@ ahc_find_syncrate(struct ahc_softc *ahc, u_int *period,
+ * At some speeds, we only support
+ * ST transfers.
+ */
+- if ((syncrate->sxfr_u2 & ST_SXFR) != 0)
++ if ((syncrate->sxfr_u2 & ST_SXFR) != 0)
+ *ppr_options &= ~MSG_EXT_PPR_DT_REQ;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 688bebabb43f0209352a65234b7e24d8383e77e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Dec 2019 15:31:48 -0500
+Subject: scsi: iscsi: Don't destroy session if there are outstanding
+ connections
+
+From: Nick Black <nlb@google.com>
+
+[ Upstream commit 54155ed4199c7aa3fd20866648024ab63c96d579 ]
+
+A faulty userspace that calls destroy_session() before destroying the
+connections can trigger the failure. This patch prevents the issue by
+refusing to destroy the session if there are outstanding connections.
+
+------------[ cut here ]------------
+kernel BUG at mm/slub.c:306!
+invalid opcode: 0000 [#1] SMP PTI
+CPU: 1 PID: 1224 Comm: iscsid Not tainted 5.4.0-rc2.iscsi+ #7
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+RIP: 0010:__slab_free+0x181/0x350
+[...]
+[ 1209.686056] RSP: 0018:ffffa93d4074fae0 EFLAGS: 00010246
+[ 1209.686694] RAX: ffff934efa5ad800 RBX: 000000008010000a RCX: ffff934efa5ad800
+[ 1209.687651] RDX: ffff934efa5ad800 RSI: ffffeb4041e96b00 RDI: ffff934efd402c40
+[ 1209.688582] RBP: ffffa93d4074fb80 R08: 0000000000000001 R09: ffffffffbb5dfa26
+[ 1209.689425] R10: ffff934efa5ad800 R11: 0000000000000001 R12: ffffeb4041e96b00
+[ 1209.690285] R13: ffff934efa5ad800 R14: ffff934efd402c40 R15: 0000000000000000
+[ 1209.691213] FS: 00007f7945dfb540(0000) GS:ffff934efda80000(0000) knlGS:0000000000000000
+[ 1209.692316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1209.693013] CR2: 000055877fd3da80 CR3: 0000000077384000 CR4: 00000000000006e0
+[ 1209.693897] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1209.694773] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1209.695631] Call Trace:
+[ 1209.695957] ? __wake_up_common_lock+0x8a/0xc0
+[ 1209.696712] iscsi_pool_free+0x26/0x40
+[ 1209.697263] iscsi_session_teardown+0x2f/0xf0
+[ 1209.698117] iscsi_sw_tcp_session_destroy+0x45/0x60
+[ 1209.698831] iscsi_if_rx+0xd88/0x14e0
+[ 1209.699370] netlink_unicast+0x16f/0x200
+[ 1209.699932] netlink_sendmsg+0x21a/0x3e0
+[ 1209.700446] sock_sendmsg+0x4f/0x60
+[ 1209.700902] ___sys_sendmsg+0x2ae/0x320
+[ 1209.701451] ? cp_new_stat+0x150/0x180
+[ 1209.701922] __sys_sendmsg+0x59/0xa0
+[ 1209.702357] do_syscall_64+0x52/0x160
+[ 1209.702812] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1209.703419] RIP: 0033:0x7f7946433914
+[...]
+[ 1209.706084] RSP: 002b:00007fffb99f2378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 1209.706994] RAX: ffffffffffffffda RBX: 000055bc869eac20 RCX: 00007f7946433914
+[ 1209.708082] RDX: 0000000000000000 RSI: 00007fffb99f2390 RDI: 0000000000000005
+[ 1209.709120] RBP: 00007fffb99f2390 R08: 000055bc84fe9320 R09: 00007fffb99f1f07
+[ 1209.710110] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038
+[ 1209.711085] R13: 000055bc8502306e R14: 0000000000000000 R15: 0000000000000000
+ Modules linked in:
+ ---[ end trace a2d933ede7f730d8 ]---
+
+Link: https://lore.kernel.org/r/20191226203148.2172200-1-krisman@collabora.com
+Signed-off-by: Nick Black <nlb@google.com>
+Co-developed-by: Salman Qazi <sqazi@google.com>
+Signed-off-by: Salman Qazi <sqazi@google.com>
+Co-developed-by: Junho Ryu <jayr@google.com>
+Signed-off-by: Junho Ryu <jayr@google.com>
+Co-developed-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Co-developed-by: Gabriel Krisman Bertazi <krisman@collabora.com>
+Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 4 ++++
+ drivers/scsi/scsi_transport_iscsi.c | 26 +++++++++++++++++++++++---
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index d60564397be54..60c3e2bf87619 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -882,6 +882,10 @@ free_host:
+ static void iscsi_sw_tcp_session_destroy(struct iscsi_cls_session *cls_session)
+ {
+ struct Scsi_Host *shost = iscsi_session_to_shost(cls_session);
++ struct iscsi_session *session = cls_session->dd_data;
++
++ if (WARN_ON_ONCE(session->leadconn))
++ return;
+
+ iscsi_tcp_r2tpool_free(cls_session->dd_data);
+ iscsi_session_teardown(cls_session);
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index ab7bc4e634251..fff9c4d0f7c80 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2964,6 +2964,24 @@ iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev)
+ return err;
+ }
+
++static int iscsi_session_has_conns(int sid)
++{
++ struct iscsi_cls_conn *conn;
++ unsigned long flags;
++ int found = 0;
++
++ spin_lock_irqsave(&connlock, flags);
++ list_for_each_entry(conn, &connlist, conn_list) {
++ if (iscsi_conn_get_sid(conn) == sid) {
++ found = 1;
++ break;
++ }
++ }
++ spin_unlock_irqrestore(&connlock, flags);
++
++ return found;
++}
++
+ static int
+ iscsi_set_iface_params(struct iscsi_transport *transport,
+ struct iscsi_uevent *ev, uint32_t len)
+@@ -3538,10 +3556,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
+ break;
+ case ISCSI_UEVENT_DESTROY_SESSION:
+ session = iscsi_session_lookup(ev->u.d_session.sid);
+- if (session)
+- transport->destroy_session(session);
+- else
++ if (!session)
+ err = -EINVAL;
++ else if (iscsi_session_has_conns(ev->u.d_session.sid))
++ err = -EBUSY;
++ else
++ transport->destroy_session(session);
+ break;
+ case ISCSI_UEVENT_UNBIND_SESSION:
+ session = iscsi_session_lookup(ev->u.d_session.sid);
+--
+2.20.1
+
--- /dev/null
+From f32cde6a869e76d8c9f33860bc015d39a6cb3e4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 17:25:47 +0530
+Subject: selinux: ensure we cleanup the internal AVC counters on error in
+ avc_update()
+
+From: Jaihind Yadav <jaihindyadav@codeaurora.org>
+
+[ Upstream commit 030b995ad9ece9fa2d218af4429c1c78c2342096 ]
+
+In AVC update we don't call avc_node_kill() when avc_xperms_populate()
+fails, resulting in the avc->avc_cache.active_nodes counter having a
+false value. In last patch this changes was missed , so correcting it.
+
+Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
+Signed-off-by: Jaihind Yadav <jaihindyadav@codeaurora.org>
+Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
+[PM: merge fuzz, minor description cleanup]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/avc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/avc.c b/security/selinux/avc.c
+index 52f3c550abcc4..f3c473791b698 100644
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -865,7 +865,7 @@ static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
+ if (orig->ae.xp_node) {
+ rc = avc_xperms_populate(node, orig->ae.xp_node);
+ if (rc) {
+- kmem_cache_free(avc_node_cachep, node);
++ avc_node_kill(node);
+ goto out_unlock;
+ }
+ }
+--
+2.20.1
+
btrfs-print-message-when-tree-log-replay-starts.patch
scsi-qla2xxx-fix-a-potential-null-pointer-dereference.patch
revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch
+drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch
+nfsd4-avoid-null-deference-on-strange-copy-compounds.patch
+soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch
+cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch
+brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch
+gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch
+pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch
+pxa168fb-fix-the-function-used-to-release-some-memor.patch
+media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch
+powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch
+gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch
+media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch
+pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch
+efi-x86-map-the-entire-efi-vendor-string-before-copy.patch
+mips-loongson-fix-potential-null-dereference-in-loon.patch
+sparc-add-.exit.data-section.patch
+uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch
+usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch
+jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch
+x86-sysfb-fix-check-for-bad-vram-size.patch
+tracing-fix-tracing_stat-return-values-in-error-hand.patch
+tracing-fix-very-unlikely-race-of-registering-two-st.patch
+ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch
+kconfig-fix-broken-dependency-in-randconfig-generate.patch
+clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch
+drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch
+regulator-rk808-lower-log-level-on-optional-gpios-be.patch
+net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch
+pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch
+nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch
+arm-dts-allwinner-h3-add-pmu-node.patch
+padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch
+media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch
+reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch
+isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch
+alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch
+b43legacy-fix-wcast-function-type.patch
+ipw2x00-fix-wcast-function-type.patch
+iwlegacy-fix-wcast-function-type.patch
+rtlwifi-rtl_pci-fix-wcast-function-type.patch
+orinoco-avoid-assertion-in-case-of-null-pointer.patch
+acpica-disassembler-create-buffer-fields-in-acpi_par.patch
+scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch
+drm-mediatek-handle-events-when-enabling-disabling-c.patch
+arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch
+x86-vdso-provide-missing-include-file.patch
+pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch
+pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch
+rdma-rxe-fix-error-type-of-mmap_offset.patch
+alsa-sh-fix-compile-warning-wrt-const.patch
+tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch
+usbip-fix-unsafe-unaligned-pointer-usage.patch
+udf-fix-free-space-reporting-for-metadata-and-virtua.patch
+soc-tegra-fuse-correct-straps-address-for-older-tegr.patch
+rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch
+input-edt-ft5x06-work-around-first-register-access-e.patch
+wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch
+asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch
+tty-synclinkmp-adjust-indentation-in-several-functio.patch
+tty-synclink_gt-adjust-indentation-in-several-functi.patch
+driver-core-platform-prevent-resouce-overflow-from-c.patch
+driver-core-print-device-when-resources-present-in-r.patch
+vme-bridges-reduce-stack-usage.patch
+drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch
+drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch
+drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch
+usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch
+iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch
+scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch
+arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch
+pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch
+cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch
+ide-serverworks-potential-overflow-in-svwks_set_pio_.patch
+remoteproc-initialize-rproc_class-before-use.patch
+x86-decoder-add-test-opcode-to-group3-2.patch
+s390-ftrace-generate-traced-function-stack-frame.patch
+driver-core-platform-fix-u32-greater-or-equal-to-zer.patch
+alsa-hda-add-docking-station-support-for-lenovo-thin.patch
+powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch
+jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch
+arm-8951-1-fix-kexec-compilation-issue.patch
+hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch
+iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch
+cifs-fix-null-dereference-in-match_prepath.patch
+irqchip-gic-v3-only-provision-redistributors-that-ar.patch
+drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch
+ftrace-fpid_next-should-increase-position-index.patch
+trigger_next-should-increase-position-index.patch
+radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch
+ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch
+lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch
+reiserfs-prevent-null-pointer-dereference-in-reiserf.patch
+bcache-explicity-type-cast-in-bset_bkey_last.patch
+irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch
+iwlwifi-mvm-fix-thermal-zone-registration.patch
+microblaze-prevent-the-overflow-of-the-start.patch
+brd-check-and-limit-max_part-par.patch
+help_next-should-increase-position-index.patch
+selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
--- /dev/null
+From 5e1f645c0954e355aa4c68359f761494fb755a36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2019 15:55:40 +0100
+Subject: soc: fsl: qe: change return type of cpm_muram_alloc() to s32
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit 800cd6fb76f0ec7711deb72a86c924db1ae42648 ]
+
+There are a number of problems with cpm_muram_alloc() and its
+callers. Most callers assign the return value to some variable and
+then use IS_ERR_VALUE to check for allocation failure. However, when
+that variable is not sizeof(long), this leads to warnings - and it is
+indeed broken to do e.g.
+
+ u32 foo = cpm_muram_alloc();
+ if (IS_ERR_VALUE(foo))
+
+on a 64-bit platform, since the condition
+
+ foo >= (unsigned long)-ENOMEM
+
+is tautologically false. There are also callers that ignore the
+possibility of error, and then there are those that check for error by
+comparing the return value to 0...
+
+One could fix that by changing all callers to store the return value
+temporarily in an "unsigned long" and test that. However, use of
+IS_ERR_VALUE() is error-prone and should be restricted to things which
+are inherently long-sized (stuff in pt_regs etc.). Instead, let's aim
+for changing to the standard kernel style
+
+ int foo = cpm_muram_alloc();
+ if (foo < 0)
+ deal_with_it()
+ some->where = foo;
+
+Changing the return type from unsigned long to s32 (aka signed int)
+doesn't change the value that gets stored into any of the callers'
+variables except if the caller was storing the result in a u64 _and_
+the allocation failed, so in itself this patch should be a no-op.
+
+Another problem with cpm_muram_alloc() is that it can certainly
+validly return 0 - and except if some cpm_muram_alloc_fixed() call
+interferes, the very first cpm_muram_alloc() call will return just
+that. But that shows that both ucc_slow_free() and ucc_fast_free() are
+buggy, since they assume that a value of 0 means "that field was never
+allocated". We'll later change cpm_muram_free() to accept (and ignore)
+a negative offset, so callers can use a sentinel of -1 instead of 0
+and just unconditionally call cpm_muram_free().
+
+Reviewed-by: Timur Tabi <timur@kernel.org>
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/qe_common.c | 29 ++++++++++++++++-------------
+ include/soc/fsl/qe/qe.h | 16 ++++++++--------
+ 2 files changed, 24 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/soc/fsl/qe/qe_common.c b/drivers/soc/fsl/qe/qe_common.c
+index 104e68d9b84f2..4f60724b06b7c 100644
+--- a/drivers/soc/fsl/qe/qe_common.c
++++ b/drivers/soc/fsl/qe/qe_common.c
+@@ -35,7 +35,7 @@ static phys_addr_t muram_pbase;
+
+ struct muram_block {
+ struct list_head head;
+- unsigned long start;
++ s32 start;
+ int size;
+ };
+
+@@ -113,13 +113,14 @@ out_muram:
+ * @algo: algorithm for alloc.
+ * @data: data for genalloc's algorithm.
+ *
+- * This function returns an offset into the muram area.
++ * This function returns a non-negative offset into the muram area, or
++ * a negative errno on failure.
+ */
+-static unsigned long cpm_muram_alloc_common(unsigned long size,
+- genpool_algo_t algo, void *data)
++static s32 cpm_muram_alloc_common(unsigned long size,
++ genpool_algo_t algo, void *data)
+ {
+ struct muram_block *entry;
+- unsigned long start;
++ s32 start;
+
+ if (!muram_pool && cpm_muram_init())
+ goto out2;
+@@ -140,7 +141,7 @@ static unsigned long cpm_muram_alloc_common(unsigned long size,
+ out1:
+ gen_pool_free(muram_pool, start, size);
+ out2:
+- return (unsigned long)-ENOMEM;
++ return -ENOMEM;
+ }
+
+ /*
+@@ -148,13 +149,14 @@ out2:
+ * @size: number of bytes to allocate
+ * @align: requested alignment, in bytes
+ *
+- * This function returns an offset into the muram area.
++ * This function returns a non-negative offset into the muram area, or
++ * a negative errno on failure.
+ * Use cpm_dpram_addr() to get the virtual address of the area.
+ * Use cpm_muram_free() to free the allocation.
+ */
+-unsigned long cpm_muram_alloc(unsigned long size, unsigned long align)
++s32 cpm_muram_alloc(unsigned long size, unsigned long align)
+ {
+- unsigned long start;
++ s32 start;
+ unsigned long flags;
+ struct genpool_data_align muram_pool_data;
+
+@@ -171,7 +173,7 @@ EXPORT_SYMBOL(cpm_muram_alloc);
+ * cpm_muram_free - free a chunk of multi-user ram
+ * @offset: The beginning of the chunk as returned by cpm_muram_alloc().
+ */
+-int cpm_muram_free(unsigned long offset)
++int cpm_muram_free(s32 offset)
+ {
+ unsigned long flags;
+ int size;
+@@ -197,13 +199,14 @@ EXPORT_SYMBOL(cpm_muram_free);
+ * cpm_muram_alloc_fixed - reserve a specific region of multi-user ram
+ * @offset: offset of allocation start address
+ * @size: number of bytes to allocate
+- * This function returns an offset into the muram area
++ * This function returns @offset if the area was available, a negative
++ * errno otherwise.
+ * Use cpm_dpram_addr() to get the virtual address of the area.
+ * Use cpm_muram_free() to free the allocation.
+ */
+-unsigned long cpm_muram_alloc_fixed(unsigned long offset, unsigned long size)
++s32 cpm_muram_alloc_fixed(unsigned long offset, unsigned long size)
+ {
+- unsigned long start;
++ s32 start;
+ unsigned long flags;
+ struct genpool_data_fixed muram_pool_data_fixed;
+
+diff --git a/include/soc/fsl/qe/qe.h b/include/soc/fsl/qe/qe.h
+index 226f915a68c28..55907f7ace82e 100644
+--- a/include/soc/fsl/qe/qe.h
++++ b/include/soc/fsl/qe/qe.h
+@@ -102,26 +102,26 @@ static inline void qe_reset(void) {}
+ int cpm_muram_init(void);
+
+ #if defined(CONFIG_CPM) || defined(CONFIG_QUICC_ENGINE)
+-unsigned long cpm_muram_alloc(unsigned long size, unsigned long align);
+-int cpm_muram_free(unsigned long offset);
+-unsigned long cpm_muram_alloc_fixed(unsigned long offset, unsigned long size);
++s32 cpm_muram_alloc(unsigned long size, unsigned long align);
++int cpm_muram_free(s32 offset);
++s32 cpm_muram_alloc_fixed(unsigned long offset, unsigned long size);
+ void __iomem *cpm_muram_addr(unsigned long offset);
+ unsigned long cpm_muram_offset(void __iomem *addr);
+ dma_addr_t cpm_muram_dma(void __iomem *addr);
+ #else
+-static inline unsigned long cpm_muram_alloc(unsigned long size,
+- unsigned long align)
++static inline s32 cpm_muram_alloc(unsigned long size,
++ unsigned long align)
+ {
+ return -ENOSYS;
+ }
+
+-static inline int cpm_muram_free(unsigned long offset)
++static inline int cpm_muram_free(s32 offset)
+ {
+ return -ENOSYS;
+ }
+
+-static inline unsigned long cpm_muram_alloc_fixed(unsigned long offset,
+- unsigned long size)
++static inline s32 cpm_muram_alloc_fixed(unsigned long offset,
++ unsigned long size)
+ {
+ return -ENOSYS;
+ }
+--
+2.20.1
+
--- /dev/null
+From d7372a798b6b9a89387374b6058241e3519bf8e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 21:23:03 +0300
+Subject: soc/tegra: fuse: Correct straps' address for older Tegra124 device
+ trees
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit 2d9ea1934f8ef0dfb862d103389562cc28b4fc03 ]
+
+Trying to read out Chip ID before APBMISC registers are mapped won't
+succeed, in a result Tegra124 gets a wrong address for the HW straps
+register if machine uses an old outdated device tree.
+
+Fixes: 297c4f3dcbff ("soc/tegra: fuse: Restrict legacy code to 32-bit ARM")
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/fuse/tegra-apbmisc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/tegra/fuse/tegra-apbmisc.c b/drivers/soc/tegra/fuse/tegra-apbmisc.c
+index 5b18f6ffa45c7..cd61c883c19f5 100644
+--- a/drivers/soc/tegra/fuse/tegra-apbmisc.c
++++ b/drivers/soc/tegra/fuse/tegra-apbmisc.c
+@@ -134,7 +134,7 @@ void __init tegra_init_apbmisc(void)
+ apbmisc.flags = IORESOURCE_MEM;
+
+ /* strapping options */
+- if (tegra_get_chip_id() == TEGRA124) {
++ if (of_machine_is_compatible("nvidia,tegra124")) {
+ straps.start = 0x7000e864;
+ straps.end = 0x7000e867;
+ } else {
+--
+2.20.1
+
--- /dev/null
+From 35e01619323bbf8b17ebc3d5327d1cc31115cf6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jan 2020 00:07:42 -0800
+Subject: sparc: Add .exit.data section.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 548f0b9a5f4cffa0cecf62eb12aa8db682e4eee6 ]
+
+This fixes build errors of all sorts.
+
+Also, emit .exit.text unconditionally.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/vmlinux.lds.S | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/sparc/kernel/vmlinux.lds.S b/arch/sparc/kernel/vmlinux.lds.S
+index 572db686f8458..385d6d04564d5 100644
+--- a/arch/sparc/kernel/vmlinux.lds.S
++++ b/arch/sparc/kernel/vmlinux.lds.S
+@@ -151,12 +151,14 @@ SECTIONS
+ }
+ PERCPU_SECTION(SMP_CACHE_BYTES)
+
+-#ifdef CONFIG_JUMP_LABEL
+ . = ALIGN(PAGE_SIZE);
+ .exit.text : {
+ EXIT_TEXT
+ }
+-#endif
++
++ .exit.data : {
++ EXIT_DATA
++ }
+
+ . = ALIGN(PAGE_SIZE);
+ __init_end = .;
+--
+2.20.1
+
--- /dev/null
+From 229fdd12308635716a9d5bc78faa80c18887f43a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 08:01:09 +0000
+Subject: tools lib api fs: Fix gcc9 stringop-truncation compilation error
+
+From: Andrey Zhizhikin <andrey.z@gmail.com>
+
+[ Upstream commit 6794200fa3c9c3e6759dae099145f23e4310f4f7 ]
+
+GCC9 introduced string hardening mechanisms, which exhibits the error
+during fs api compilation:
+
+error: '__builtin_strncpy' specified bound 4096 equals destination size
+[-Werror=stringop-truncation]
+
+This comes when the length of copy passed to strncpy is is equal to
+destination size, which could potentially lead to buffer overflow.
+
+There is a need to mitigate this potential issue by limiting the size of
+destination by 1 and explicitly terminate the destination with NULL.
+
+Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: bpf@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20191211080109.18765-1-andrey.zhizhikin@leica-geosystems.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/api/fs/fs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c
+index f99f49e4a31e6..21e714cf0126c 100644
+--- a/tools/lib/api/fs/fs.c
++++ b/tools/lib/api/fs/fs.c
+@@ -194,6 +194,7 @@ static bool fs__env_override(struct fs *fs)
+ size_t name_len = strlen(fs->name);
+ /* name + "_PATH" + '\0' */
+ char upper_name[name_len + 5 + 1];
++
+ memcpy(upper_name, fs->name, name_len);
+ mem_toupper(upper_name, name_len);
+ strcpy(&upper_name[name_len], "_PATH");
+@@ -203,7 +204,8 @@ static bool fs__env_override(struct fs *fs)
+ return false;
+
+ fs->found = true;
+- strncpy(fs->path, override_path, sizeof(fs->path));
++ strncpy(fs->path, override_path, sizeof(fs->path) - 1);
++ fs->path[sizeof(fs->path) - 1] = '\0';
+ return true;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From b6ee19bd43c962d1b01cef6c61bab95c3cef90af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Sep 2014 22:49:41 +0100
+Subject: tracing: Fix tracing_stat return values in error handling paths
+
+From: Luis Henriques <luis.henriques@canonical.com>
+
+[ Upstream commit afccc00f75bbbee4e4ae833a96c2d29a7259c693 ]
+
+tracing_stat_init() was always returning '0', even on the error paths. It
+now returns -ENODEV if tracing_init_dentry() fails or -ENOMEM if it fails
+to created the 'trace_stat' debugfs directory.
+
+Link: http://lkml.kernel.org/r/1410299381-20108-1-git-send-email-luis.henriques@canonical.com
+
+Fixes: ed6f1c996bfe4 ("tracing: Check return value of tracing_init_dentry()")
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
+[ Pulled from the archeological digging of my INBOX ]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_stat.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c
+index 413ff108fbd05..bc97b10e56ccc 100644
+--- a/kernel/trace/trace_stat.c
++++ b/kernel/trace/trace_stat.c
+@@ -277,18 +277,22 @@ static int tracing_stat_init(void)
+
+ d_tracing = tracing_init_dentry();
+ if (IS_ERR(d_tracing))
+- return 0;
++ return -ENODEV;
+
+ stat_dir = tracefs_create_dir("trace_stat", d_tracing);
+- if (!stat_dir)
++ if (!stat_dir) {
+ pr_warn("Could not create tracefs 'trace_stat' entry\n");
++ return -ENOMEM;
++ }
+ return 0;
+ }
+
+ static int init_stat_file(struct stat_session *session)
+ {
+- if (!stat_dir && tracing_stat_init())
+- return -ENODEV;
++ int ret;
++
++ if (!stat_dir && (ret = tracing_stat_init()))
++ return ret;
+
+ session->file = tracefs_create_file(session->ts->name, 0644,
+ stat_dir,
+--
+2.20.1
+
--- /dev/null
+From 4b2b0277364648e8a431ce0cc92e6e4cc4395908 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jan 2020 17:47:49 -0500
+Subject: tracing: Fix very unlikely race of registering two stat tracers
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+[ Upstream commit dfb6cd1e654315168e36d947471bd2a0ccd834ae ]
+
+Looking through old emails in my INBOX, I came across a patch from Luis
+Henriques that attempted to fix a race of two stat tracers registering the
+same stat trace (extremely unlikely, as this is done in the kernel, and
+probably doesn't even exist). The submitted patch wasn't quite right as it
+needed to deal with clean up a bit better (if two stat tracers were the
+same, it would have the same files).
+
+But to make the code cleaner, all we needed to do is to keep the
+all_stat_sessions_mutex held for most of the registering function.
+
+Link: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com
+
+Fixes: 002bb86d8d42f ("tracing/ftrace: separate events tracing and stats tracing engine")
+Reported-by: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_stat.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c
+index bc97b10e56ccc..d19f2191960ea 100644
+--- a/kernel/trace/trace_stat.c
++++ b/kernel/trace/trace_stat.c
+@@ -305,7 +305,7 @@ static int init_stat_file(struct stat_session *session)
+ int register_stat_tracer(struct tracer_stat *trace)
+ {
+ struct stat_session *session, *node;
+- int ret;
++ int ret = -EINVAL;
+
+ if (!trace)
+ return -EINVAL;
+@@ -316,17 +316,15 @@ int register_stat_tracer(struct tracer_stat *trace)
+ /* Already registered? */
+ mutex_lock(&all_stat_sessions_mutex);
+ list_for_each_entry(node, &all_stat_sessions, session_list) {
+- if (node->ts == trace) {
+- mutex_unlock(&all_stat_sessions_mutex);
+- return -EINVAL;
+- }
++ if (node->ts == trace)
++ goto out;
+ }
+- mutex_unlock(&all_stat_sessions_mutex);
+
++ ret = -ENOMEM;
+ /* Init the session */
+ session = kzalloc(sizeof(*session), GFP_KERNEL);
+ if (!session)
+- return -ENOMEM;
++ goto out;
+
+ session->ts = trace;
+ INIT_LIST_HEAD(&session->session_list);
+@@ -335,15 +333,16 @@ int register_stat_tracer(struct tracer_stat *trace)
+ ret = init_stat_file(session);
+ if (ret) {
+ destroy_session(session);
+- return ret;
++ goto out;
+ }
+
++ ret = 0;
+ /* Register */
+- mutex_lock(&all_stat_sessions_mutex);
+ list_add_tail(&session->session_list, &all_stat_sessions);
++ out:
+ mutex_unlock(&all_stat_sessions_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ void unregister_stat_tracer(struct tracer_stat *trace)
+--
+2.20.1
+
--- /dev/null
+From 292479abde59a2c4d1e99be6e16ee6826ef3e517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jan 2020 10:03:06 +0300
+Subject: trigger_next should increase position index
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+[ Upstream commit 6722b23e7a2ace078344064a9735fb73e554e9ef ]
+
+if seq_file .next fuction does not change position index,
+read after some lseek can generate unexpected output.
+
+Without patch:
+ # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger
+ dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset
+ n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
+ # Available triggers:
+ # traceon traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
+ 6+1 records in
+ 6+1 records out
+ 206 bytes copied, 0.00027916 s, 738 kB/s
+
+Notice the printing of "# Available triggers:..." after the line.
+
+With the patch:
+ # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger
+ dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset
+ n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
+ 2+1 records in
+ 2+1 records out
+ 88 bytes copied, 0.000526867 s, 167 kB/s
+
+It only prints the end of the file, and does not restart.
+
+Link: http://lkml.kernel.org/r/3c35ee24-dd3a-8119-9c19-552ed253388a@virtuozzo.com
+
+https://bugzilla.kernel.org/show_bug.cgi?id=206283
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_trigger.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
+index 7e6971ba95417..8a88e85c8c615 100644
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -126,9 +126,10 @@ static void *trigger_next(struct seq_file *m, void *t, loff_t *pos)
+ {
+ struct trace_event_file *event_file = event_file_data(m->private);
+
+- if (t == SHOW_AVAILABLE_TRIGGERS)
++ if (t == SHOW_AVAILABLE_TRIGGERS) {
++ (*pos)++;
+ return NULL;
+-
++ }
+ return seq_list_next(t, &event_file->triggers, pos);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 00d78467b9af3b3fcd2c4e2f5ce74d648c9060a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 19:39:13 -0700
+Subject: tty: synclink_gt: Adjust indentation in several functions
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 446e76873b5e4e70bdee5db2f2a894d5b4a7d081 ]
+
+Clang warns:
+
+../drivers/tty/synclink_gt.c:1337:3: warning: misleading indentation;
+statement is not part of the previous 'if' [-Wmisleading-indentation]
+ if (C_CRTSCTS(tty)) {
+ ^
+../drivers/tty/synclink_gt.c:1335:2: note: previous statement is here
+ if (I_IXOFF(tty))
+ ^
+../drivers/tty/synclink_gt.c:2563:3: warning: misleading indentation;
+statement is not part of the previous 'if' [-Wmisleading-indentation]
+ if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty))
+ ^
+../drivers/tty/synclink_gt.c:2561:2: note: previous statement is here
+ if (I_INPCK(info->port.tty))
+ ^
+../drivers/tty/synclink_gt.c:3221:3: warning: misleading indentation;
+statement is not part of the previous 'else' [-Wmisleading-indentation]
+ set_signals(info);
+ ^
+../drivers/tty/synclink_gt.c:3219:2: note: previous statement is here
+ else
+ ^
+3 warnings generated.
+
+The indentation on these lines is not at all consistent, tabs and spaces
+are mixed together. Convert to just using tabs to be consistent with the
+Linux kernel coding style and eliminate these warnings from clang.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/822
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Link: https://lore.kernel.org/r/20191218023912.13827-1-natechancellor@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/synclink_gt.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
+index e645ee1cfd989..7446ce29f6770 100644
+--- a/drivers/tty/synclink_gt.c
++++ b/drivers/tty/synclink_gt.c
+@@ -1349,10 +1349,10 @@ static void throttle(struct tty_struct * tty)
+ DBGINFO(("%s throttle\n", info->device_name));
+ if (I_IXOFF(tty))
+ send_xchar(tty, STOP_CHAR(tty));
+- if (C_CRTSCTS(tty)) {
++ if (C_CRTSCTS(tty)) {
+ spin_lock_irqsave(&info->lock,flags);
+ info->signals &= ~SerialSignal_RTS;
+- set_signals(info);
++ set_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+ }
+@@ -1374,10 +1374,10 @@ static void unthrottle(struct tty_struct * tty)
+ else
+ send_xchar(tty, START_CHAR(tty));
+ }
+- if (C_CRTSCTS(tty)) {
++ if (C_CRTSCTS(tty)) {
+ spin_lock_irqsave(&info->lock,flags);
+ info->signals |= SerialSignal_RTS;
+- set_signals(info);
++ set_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+ }
+@@ -2576,8 +2576,8 @@ static void change_params(struct slgt_info *info)
+ info->read_status_mask = IRQ_RXOVER;
+ if (I_INPCK(info->port.tty))
+ info->read_status_mask |= MASK_PARITY | MASK_FRAMING;
+- if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty))
+- info->read_status_mask |= MASK_BREAK;
++ if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty))
++ info->read_status_mask |= MASK_BREAK;
+ if (I_IGNPAR(info->port.tty))
+ info->ignore_status_mask |= MASK_PARITY | MASK_FRAMING;
+ if (I_IGNBRK(info->port.tty)) {
+@@ -3208,7 +3208,7 @@ static int tiocmset(struct tty_struct *tty,
+ info->signals &= ~SerialSignal_DTR;
+
+ spin_lock_irqsave(&info->lock,flags);
+- set_signals(info);
++ set_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ return 0;
+ }
+@@ -3219,7 +3219,7 @@ static int carrier_raised(struct tty_port *port)
+ struct slgt_info *info = container_of(port, struct slgt_info, port);
+
+ spin_lock_irqsave(&info->lock,flags);
+- get_signals(info);
++ get_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ return (info->signals & SerialSignal_DCD) ? 1 : 0;
+ }
+@@ -3234,7 +3234,7 @@ static void dtr_rts(struct tty_port *port, int on)
+ info->signals |= SerialSignal_RTS | SerialSignal_DTR;
+ else
+ info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+- set_signals(info);
++ set_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 01ad9430c47e9e0a4526bd6415438231571c0d1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2019 19:47:20 -0700
+Subject: tty: synclinkmp: Adjust indentation in several functions
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 1feedf61e7265128244f6993f23421f33dd93dbc ]
+
+Clang warns:
+
+../drivers/tty/synclinkmp.c:1456:3: warning: misleading indentation;
+statement is not part of the previous 'if' [-Wmisleading-indentation]
+ if (C_CRTSCTS(tty)) {
+ ^
+../drivers/tty/synclinkmp.c:1453:2: note: previous statement is here
+ if (I_IXOFF(tty))
+ ^
+../drivers/tty/synclinkmp.c:2473:8: warning: misleading indentation;
+statement is not part of the previous 'if' [-Wmisleading-indentation]
+ info->port.tty->hw_stopped = 0;
+ ^
+../drivers/tty/synclinkmp.c:2471:7: note: previous statement is here
+ if ( debug_level >= DEBUG_LEVEL_ISR )
+ ^
+../drivers/tty/synclinkmp.c:2482:8: warning: misleading indentation;
+statement is not part of the previous 'if' [-Wmisleading-indentation]
+ info->port.tty->hw_stopped = 1;
+ ^
+../drivers/tty/synclinkmp.c:2480:7: note: previous statement is here
+ if ( debug_level >= DEBUG_LEVEL_ISR )
+ ^
+../drivers/tty/synclinkmp.c:2809:3: warning: misleading indentation;
+statement is not part of the previous 'if' [-Wmisleading-indentation]
+ if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty))
+ ^
+../drivers/tty/synclinkmp.c:2807:2: note: previous statement is here
+ if (I_INPCK(info->port.tty))
+ ^
+../drivers/tty/synclinkmp.c:3246:3: warning: misleading indentation;
+statement is not part of the previous 'else' [-Wmisleading-indentation]
+ set_signals(info);
+ ^
+../drivers/tty/synclinkmp.c:3244:2: note: previous statement is here
+ else
+ ^
+5 warnings generated.
+
+The indentation on these lines is not at all consistent, tabs and spaces
+are mixed together. Convert to just using tabs to be consistent with the
+Linux kernel coding style and eliminate these warnings from clang.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/823
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Link: https://lore.kernel.org/r/20191218024720.3528-1-natechancellor@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/synclinkmp.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c
+index dec156586de1b..2f6df8d74b4aa 100644
+--- a/drivers/tty/synclinkmp.c
++++ b/drivers/tty/synclinkmp.c
+@@ -1467,10 +1467,10 @@ static void throttle(struct tty_struct * tty)
+ if (I_IXOFF(tty))
+ send_xchar(tty, STOP_CHAR(tty));
+
+- if (C_CRTSCTS(tty)) {
++ if (C_CRTSCTS(tty)) {
+ spin_lock_irqsave(&info->lock,flags);
+ info->serial_signals &= ~SerialSignal_RTS;
+- set_signals(info);
++ set_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+ }
+@@ -1496,10 +1496,10 @@ static void unthrottle(struct tty_struct * tty)
+ send_xchar(tty, START_CHAR(tty));
+ }
+
+- if (C_CRTSCTS(tty)) {
++ if (C_CRTSCTS(tty)) {
+ spin_lock_irqsave(&info->lock,flags);
+ info->serial_signals |= SerialSignal_RTS;
+- set_signals(info);
++ set_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+ }
+@@ -2485,7 +2485,7 @@ static void isr_io_pin( SLMP_INFO *info, u16 status )
+ if (status & SerialSignal_CTS) {
+ if ( debug_level >= DEBUG_LEVEL_ISR )
+ printk("CTS tx start...");
+- info->port.tty->hw_stopped = 0;
++ info->port.tty->hw_stopped = 0;
+ tx_start(info);
+ info->pending_bh |= BH_TRANSMIT;
+ return;
+@@ -2494,7 +2494,7 @@ static void isr_io_pin( SLMP_INFO *info, u16 status )
+ if (!(status & SerialSignal_CTS)) {
+ if ( debug_level >= DEBUG_LEVEL_ISR )
+ printk("CTS tx stop...");
+- info->port.tty->hw_stopped = 1;
++ info->port.tty->hw_stopped = 1;
+ tx_stop(info);
+ }
+ }
+@@ -2821,8 +2821,8 @@ static void change_params(SLMP_INFO *info)
+ info->read_status_mask2 = OVRN;
+ if (I_INPCK(info->port.tty))
+ info->read_status_mask2 |= PE | FRME;
+- if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty))
+- info->read_status_mask1 |= BRKD;
++ if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty))
++ info->read_status_mask1 |= BRKD;
+ if (I_IGNPAR(info->port.tty))
+ info->ignore_status_mask2 |= PE | FRME;
+ if (I_IGNBRK(info->port.tty)) {
+@@ -3192,7 +3192,7 @@ static int tiocmget(struct tty_struct *tty)
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->lock,flags);
+- get_signals(info);
++ get_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+
+ result = ((info->serial_signals & SerialSignal_RTS) ? TIOCM_RTS : 0) |
+@@ -3230,7 +3230,7 @@ static int tiocmset(struct tty_struct *tty,
+ info->serial_signals &= ~SerialSignal_DTR;
+
+ spin_lock_irqsave(&info->lock,flags);
+- set_signals(info);
++ set_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+
+ return 0;
+@@ -3242,7 +3242,7 @@ static int carrier_raised(struct tty_port *port)
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->lock,flags);
+- get_signals(info);
++ get_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+
+ return (info->serial_signals & SerialSignal_DCD) ? 1 : 0;
+@@ -3258,7 +3258,7 @@ static void dtr_rts(struct tty_port *port, int on)
+ info->serial_signals |= SerialSignal_RTS | SerialSignal_DTR;
+ else
+ info->serial_signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+- set_signals(info);
++ set_signals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 9443cda4075c772979a9c77a024d954bf9e44088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2020 16:36:49 +0100
+Subject: udf: Fix free space reporting for metadata and virtual partitions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit a4a8b99ec819ca60b49dc582a4287ef03411f117 ]
+
+Free space on filesystems with metadata or virtual partition maps
+currently gets misreported. This is because these partitions are just
+remapped onto underlying real partitions from which keep track of free
+blocks. Take this remapping into account when counting free blocks as
+well.
+
+Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
+Reported-by: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 03369a89600e0..4abdba453885e 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -2460,17 +2460,29 @@ static unsigned int udf_count_free_table(struct super_block *sb,
+ static unsigned int udf_count_free(struct super_block *sb)
+ {
+ unsigned int accum = 0;
+- struct udf_sb_info *sbi;
++ struct udf_sb_info *sbi = UDF_SB(sb);
+ struct udf_part_map *map;
++ unsigned int part = sbi->s_partition;
++ int ptype = sbi->s_partmaps[part].s_partition_type;
++
++ if (ptype == UDF_METADATA_MAP25) {
++ part = sbi->s_partmaps[part].s_type_specific.s_metadata.
++ s_phys_partition_ref;
++ } else if (ptype == UDF_VIRTUAL_MAP15 || ptype == UDF_VIRTUAL_MAP20) {
++ /*
++ * Filesystems with VAT are append-only and we cannot write to
++ * them. Let's just report 0 here.
++ */
++ return 0;
++ }
+
+- sbi = UDF_SB(sb);
+ if (sbi->s_lvid_bh) {
+ struct logicalVolIntegrityDesc *lvid =
+ (struct logicalVolIntegrityDesc *)
+ sbi->s_lvid_bh->b_data;
+- if (le32_to_cpu(lvid->numOfPartitions) > sbi->s_partition) {
++ if (le32_to_cpu(lvid->numOfPartitions) > part) {
+ accum = le32_to_cpu(
+- lvid->freeSpaceTable[sbi->s_partition]);
++ lvid->freeSpaceTable[part]);
+ if (accum == 0xFFFFFFFF)
+ accum = 0;
+ }
+@@ -2479,7 +2491,7 @@ static unsigned int udf_count_free(struct super_block *sb)
+ if (accum)
+ return accum;
+
+- map = &sbi->s_partmaps[sbi->s_partition];
++ map = &sbi->s_partmaps[part];
+ if (map->s_partition_flags & UDF_PART_FLAG_UNALLOC_BITMAP) {
+ accum += udf_count_free_bitmap(sb,
+ map->s_uspace.s_bitmap);
+--
+2.20.1
+
--- /dev/null
+From f1d9df94850124a2a63ce6b5b2e55ce224ca757e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 17:44:05 +0800
+Subject: uio: fix a sleep-in-atomic-context bug in
+ uio_dmem_genirq_irqcontrol()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit b74351287d4bd90636c3f48bc188c2f53824c2d4 ]
+
+The driver may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+kernel/irq/manage.c, 523:
+ synchronize_irq in disable_irq
+drivers/uio/uio_dmem_genirq.c, 140:
+ disable_irq in uio_dmem_genirq_irqcontrol
+drivers/uio/uio_dmem_genirq.c, 134:
+ _raw_spin_lock_irqsave in uio_dmem_genirq_irqcontrol
+
+synchronize_irq() can sleep at runtime.
+
+To fix this bug, disable_irq() is called without holding the spinlock.
+
+This bug is found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Link: https://lore.kernel.org/r/20191218094405.6009-1-baijiaju1990@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/uio/uio_dmem_genirq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
+index e1134a4d97f3f..a00b4aee6c799 100644
+--- a/drivers/uio/uio_dmem_genirq.c
++++ b/drivers/uio/uio_dmem_genirq.c
+@@ -135,11 +135,13 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on)
+ if (irq_on) {
+ if (test_and_clear_bit(0, &priv->flags))
+ enable_irq(dev_info->irq);
++ spin_unlock_irqrestore(&priv->lock, flags);
+ } else {
+- if (!test_and_set_bit(0, &priv->flags))
++ if (!test_and_set_bit(0, &priv->flags)) {
++ spin_unlock_irqrestore(&priv->lock, flags);
+ disable_irq(dev_info->irq);
++ }
+ }
+- spin_unlock_irqrestore(&priv->lock, flags);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 3fa5d18fff71180a330b9e20c8adee78f5b2e7db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:43:49 +0800
+Subject: usb: gadget: udc: fix possible sleep-in-atomic-context bugs in
+ gr_probe()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 9c1ed62ae0690dfe5d5e31d8f70e70a95cb48e52 ]
+
+The driver may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+drivers/usb/gadget/udc/core.c, 1175:
+ kzalloc(GFP_KERNEL) in usb_add_gadget_udc_release
+drivers/usb/gadget/udc/core.c, 1272:
+ usb_add_gadget_udc_release in usb_add_gadget_udc
+drivers/usb/gadget/udc/gr_udc.c, 2186:
+ usb_add_gadget_udc in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2183:
+ spin_lock in gr_probe
+
+drivers/usb/gadget/udc/core.c, 1195:
+ mutex_lock in usb_add_gadget_udc_release
+drivers/usb/gadget/udc/core.c, 1272:
+ usb_add_gadget_udc_release in usb_add_gadget_udc
+drivers/usb/gadget/udc/gr_udc.c, 2186:
+ usb_add_gadget_udc in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2183:
+ spin_lock in gr_probe
+
+drivers/usb/gadget/udc/gr_udc.c, 212:
+ debugfs_create_file in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2197:
+ gr_dfs_create in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2183:
+ spin_lock in gr_probe
+
+drivers/usb/gadget/udc/gr_udc.c, 2114:
+ devm_request_threaded_irq in gr_request_irq
+drivers/usb/gadget/udc/gr_udc.c, 2202:
+ gr_request_irq in gr_probe
+drivers/usb/gadget/udc/gr_udc.c, 2183:
+ spin_lock in gr_probe
+
+kzalloc(GFP_KERNEL), mutex_lock(), debugfs_create_file() and
+devm_request_threaded_irq() can sleep at runtime.
+
+To fix these possible bugs, usb_add_gadget_udc(), gr_dfs_create() and
+gr_request_irq() are called without handling the spinlock.
+
+These bugs are found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/gr_udc.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/gr_udc.c b/drivers/usb/gadget/udc/gr_udc.c
+index 39b7136d31d9c..9e246d2e55ca3 100644
+--- a/drivers/usb/gadget/udc/gr_udc.c
++++ b/drivers/usb/gadget/udc/gr_udc.c
+@@ -2200,8 +2200,6 @@ static int gr_probe(struct platform_device *pdev)
+ return -ENOMEM;
+ }
+
+- spin_lock(&dev->lock);
+-
+ /* Inside lock so that no gadget can use this udc until probe is done */
+ retval = usb_add_gadget_udc(dev->dev, &dev->gadget);
+ if (retval) {
+@@ -2210,15 +2208,21 @@ static int gr_probe(struct platform_device *pdev)
+ }
+ dev->added = 1;
+
++ spin_lock(&dev->lock);
++
+ retval = gr_udc_init(dev);
+- if (retval)
++ if (retval) {
++ spin_unlock(&dev->lock);
+ goto out;
+-
+- gr_dfs_create(dev);
++ }
+
+ /* Clear all interrupt enables that might be left on since last boot */
+ gr_disable_interrupts_and_pullup(dev);
+
++ spin_unlock(&dev->lock);
++
++ gr_dfs_create(dev);
++
+ retval = gr_request_irq(dev, dev->irq);
+ if (retval) {
+ dev_err(dev->dev, "Failed to request irq %d\n", dev->irq);
+@@ -2247,8 +2251,6 @@ static int gr_probe(struct platform_device *pdev)
+ dev_info(dev->dev, "regs: %p, irq %d\n", dev->regs, dev->irq);
+
+ out:
+- spin_unlock(&dev->lock);
+-
+ if (retval)
+ gr_remove(pdev);
+
+--
+2.20.1
+
--- /dev/null
+From 6c37676c020720624ee4141e6b2f6b2296341def Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2020 07:25:26 -0600
+Subject: usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 91b6dec32e5c25fbdbb564d1e5af23764ec17ef1 ]
+
+We currently have musb_set_vbus() called from two different paths. Mostly
+it gets called from the USB PHY via omap_musb_set_mailbox(), but in some
+cases it can get also called from musb_stage0_irq() rather via .set_vbus:
+
+(musb_set_host [musb_hdrc])
+(omap2430_musb_set_vbus [omap2430])
+(musb_stage0_irq [musb_hdrc])
+(musb_interrupt [musb_hdrc])
+(omap2430_musb_interrupt [omap2430])
+
+This is racy and will not work with introducing generic helper functions
+for musb_set_host() and musb_set_peripheral(). We want to get rid of the
+busy loops in favor of usleep_range().
+
+Let's just get rid of .set_vbus for omap2430 glue layer and let the PHY
+code handle VBUS with musb_set_vbus(). Note that in the follow-up patch
+we can completely remove omap2430_musb_set_vbus(), but let's do it in a
+separate patch as this change may actually turn out to be needed as a
+fix.
+
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Link: https://lore.kernel.org/r/20200115132547.364-5-b-liu@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/omap2430.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c
+index e8be8e39ab8fb..457ad33f4caa8 100644
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -388,8 +388,6 @@ static const struct musb_platform_ops omap2430_ops = {
+ .init = omap2430_musb_init,
+ .exit = omap2430_musb_exit,
+
+- .set_vbus = omap2430_musb_set_vbus,
+-
+ .enable = omap2430_musb_enable,
+ .disable = omap2430_musb_disable,
+
+--
+2.20.1
+
--- /dev/null
+From cb99acc0d706b75b97cf31b9046b29458bd34666 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2020 18:24:16 -0700
+Subject: usbip: Fix unsafe unaligned pointer usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit 585c91f40d201bc564d4e76b83c05b3b5363fe7e ]
+
+Fix unsafe unaligned pointer usage in usbip network interfaces. usbip tool
+build fails with new gcc -Werror=address-of-packed-member checks.
+
+usbip_network.c: In function ‘usbip_net_pack_usb_device’:
+usbip_network.c:79:32: error: taking address of packed member of ‘struct usbip_usb_device’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
+ 79 | usbip_net_pack_uint32_t(pack, &udev->busnum);
+
+Fix with minor changes to pass by value instead of by address.
+
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20200109012416.2875-1-skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/usb/usbip/src/usbip_network.c | 40 +++++++++++++++++------------
+ tools/usb/usbip/src/usbip_network.h | 12 +++------
+ 2 files changed, 27 insertions(+), 25 deletions(-)
+
+diff --git a/tools/usb/usbip/src/usbip_network.c b/tools/usb/usbip/src/usbip_network.c
+index b4c37e76a6e08..187dfaa67d0a2 100644
+--- a/tools/usb/usbip/src/usbip_network.c
++++ b/tools/usb/usbip/src/usbip_network.c
+@@ -62,39 +62,39 @@ void usbip_setup_port_number(char *arg)
+ info("using port %d (\"%s\")", usbip_port, usbip_port_string);
+ }
+
+-void usbip_net_pack_uint32_t(int pack, uint32_t *num)
++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num)
+ {
+ uint32_t i;
+
+ if (pack)
+- i = htonl(*num);
++ i = htonl(num);
+ else
+- i = ntohl(*num);
++ i = ntohl(num);
+
+- *num = i;
++ return i;
+ }
+
+-void usbip_net_pack_uint16_t(int pack, uint16_t *num)
++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num)
+ {
+ uint16_t i;
+
+ if (pack)
+- i = htons(*num);
++ i = htons(num);
+ else
+- i = ntohs(*num);
++ i = ntohs(num);
+
+- *num = i;
++ return i;
+ }
+
+ void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev)
+ {
+- usbip_net_pack_uint32_t(pack, &udev->busnum);
+- usbip_net_pack_uint32_t(pack, &udev->devnum);
+- usbip_net_pack_uint32_t(pack, &udev->speed);
++ udev->busnum = usbip_net_pack_uint32_t(pack, udev->busnum);
++ udev->devnum = usbip_net_pack_uint32_t(pack, udev->devnum);
++ udev->speed = usbip_net_pack_uint32_t(pack, udev->speed);
+
+- usbip_net_pack_uint16_t(pack, &udev->idVendor);
+- usbip_net_pack_uint16_t(pack, &udev->idProduct);
+- usbip_net_pack_uint16_t(pack, &udev->bcdDevice);
++ udev->idVendor = usbip_net_pack_uint16_t(pack, udev->idVendor);
++ udev->idProduct = usbip_net_pack_uint16_t(pack, udev->idProduct);
++ udev->bcdDevice = usbip_net_pack_uint16_t(pack, udev->bcdDevice);
+ }
+
+ void usbip_net_pack_usb_interface(int pack __attribute__((unused)),
+@@ -141,6 +141,14 @@ ssize_t usbip_net_send(int sockfd, void *buff, size_t bufflen)
+ return usbip_net_xmit(sockfd, buff, bufflen, 1);
+ }
+
++static inline void usbip_net_pack_op_common(int pack,
++ struct op_common *op_common)
++{
++ op_common->version = usbip_net_pack_uint16_t(pack, op_common->version);
++ op_common->code = usbip_net_pack_uint16_t(pack, op_common->code);
++ op_common->status = usbip_net_pack_uint32_t(pack, op_common->status);
++}
++
+ int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status)
+ {
+ struct op_common op_common;
+@@ -152,7 +160,7 @@ int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status)
+ op_common.code = code;
+ op_common.status = status;
+
+- PACK_OP_COMMON(1, &op_common);
++ usbip_net_pack_op_common(1, &op_common);
+
+ rc = usbip_net_send(sockfd, &op_common, sizeof(op_common));
+ if (rc < 0) {
+@@ -176,7 +184,7 @@ int usbip_net_recv_op_common(int sockfd, uint16_t *code)
+ goto err;
+ }
+
+- PACK_OP_COMMON(0, &op_common);
++ usbip_net_pack_op_common(0, &op_common);
+
+ if (op_common.version != USBIP_VERSION) {
+ dbg("version mismatch: %d %d", op_common.version,
+diff --git a/tools/usb/usbip/src/usbip_network.h b/tools/usb/usbip/src/usbip_network.h
+index c1e875cf1078c..573fa839b66b7 100644
+--- a/tools/usb/usbip/src/usbip_network.h
++++ b/tools/usb/usbip/src/usbip_network.h
+@@ -33,12 +33,6 @@ struct op_common {
+
+ } __attribute__((packed));
+
+-#define PACK_OP_COMMON(pack, op_common) do {\
+- usbip_net_pack_uint16_t(pack, &(op_common)->version);\
+- usbip_net_pack_uint16_t(pack, &(op_common)->code);\
+- usbip_net_pack_uint32_t(pack, &(op_common)->status);\
+-} while (0)
+-
+ /* ---------------------------------------------------------------------- */
+ /* Dummy Code */
+ #define OP_UNSPEC 0x00
+@@ -164,11 +158,11 @@ struct op_devlist_reply_extra {
+ } while (0)
+
+ #define PACK_OP_DEVLIST_REPLY(pack, reply) do {\
+- usbip_net_pack_uint32_t(pack, &(reply)->ndev);\
++ (reply)->ndev = usbip_net_pack_uint32_t(pack, (reply)->ndev);\
+ } while (0)
+
+-void usbip_net_pack_uint32_t(int pack, uint32_t *num);
+-void usbip_net_pack_uint16_t(int pack, uint16_t *num);
++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num);
++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num);
+ void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev);
+ void usbip_net_pack_usb_interface(int pack, struct usbip_usb_interface *uinf);
+
+--
+2.20.1
+
--- /dev/null
+From 9abcc3cabfb0c7c93e5bf301ff087917319cf9ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2020 21:05:43 +0100
+Subject: vme: bridges: reduce stack usage
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7483e7a939c074d887450ef1c4d9ccc5909405f8 ]
+
+With CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3, the stack usage in vme_fake
+grows above the warning limit:
+
+drivers/vme/bridges/vme_fake.c: In function 'fake_master_read':
+drivers/vme/bridges/vme_fake.c:610:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+drivers/vme/bridges/vme_fake.c: In function 'fake_master_write':
+drivers/vme/bridges/vme_fake.c:797:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+
+The problem is that in some configurations, each call to
+fake_vmereadX() puts another variable on the stack.
+
+Reduce the amount of inlining to get back to the previous state,
+with no function using more than 200 bytes each.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20200107200610.3482901-1-arnd@arndb.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vme/bridges/vme_fake.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/vme/bridges/vme_fake.c b/drivers/vme/bridges/vme_fake.c
+index 30b3acc938330..e81ec763b5555 100644
+--- a/drivers/vme/bridges/vme_fake.c
++++ b/drivers/vme/bridges/vme_fake.c
+@@ -418,8 +418,9 @@ static void fake_lm_check(struct fake_driver *bridge, unsigned long long addr,
+ }
+ }
+
+-static u8 fake_vmeread8(struct fake_driver *bridge, unsigned long long addr,
+- u32 aspace, u32 cycle)
++static noinline_for_stack u8 fake_vmeread8(struct fake_driver *bridge,
++ unsigned long long addr,
++ u32 aspace, u32 cycle)
+ {
+ u8 retval = 0xff;
+ int i;
+@@ -450,8 +451,9 @@ static u8 fake_vmeread8(struct fake_driver *bridge, unsigned long long addr,
+ return retval;
+ }
+
+-static u16 fake_vmeread16(struct fake_driver *bridge, unsigned long long addr,
+- u32 aspace, u32 cycle)
++static noinline_for_stack u16 fake_vmeread16(struct fake_driver *bridge,
++ unsigned long long addr,
++ u32 aspace, u32 cycle)
+ {
+ u16 retval = 0xffff;
+ int i;
+@@ -482,8 +484,9 @@ static u16 fake_vmeread16(struct fake_driver *bridge, unsigned long long addr,
+ return retval;
+ }
+
+-static u32 fake_vmeread32(struct fake_driver *bridge, unsigned long long addr,
+- u32 aspace, u32 cycle)
++static noinline_for_stack u32 fake_vmeread32(struct fake_driver *bridge,
++ unsigned long long addr,
++ u32 aspace, u32 cycle)
+ {
+ u32 retval = 0xffffffff;
+ int i;
+@@ -613,8 +616,9 @@ out:
+ return retval;
+ }
+
+-static void fake_vmewrite8(struct fake_driver *bridge, u8 *buf,
+- unsigned long long addr, u32 aspace, u32 cycle)
++static noinline_for_stack void fake_vmewrite8(struct fake_driver *bridge,
++ u8 *buf, unsigned long long addr,
++ u32 aspace, u32 cycle)
+ {
+ int i;
+ unsigned long long start, end, offset;
+@@ -643,8 +647,9 @@ static void fake_vmewrite8(struct fake_driver *bridge, u8 *buf,
+
+ }
+
+-static void fake_vmewrite16(struct fake_driver *bridge, u16 *buf,
+- unsigned long long addr, u32 aspace, u32 cycle)
++static noinline_for_stack void fake_vmewrite16(struct fake_driver *bridge,
++ u16 *buf, unsigned long long addr,
++ u32 aspace, u32 cycle)
+ {
+ int i;
+ unsigned long long start, end, offset;
+@@ -673,8 +678,9 @@ static void fake_vmewrite16(struct fake_driver *bridge, u16 *buf,
+
+ }
+
+-static void fake_vmewrite32(struct fake_driver *bridge, u32 *buf,
+- unsigned long long addr, u32 aspace, u32 cycle)
++static noinline_for_stack void fake_vmewrite32(struct fake_driver *bridge,
++ u32 *buf, unsigned long long addr,
++ u32 aspace, u32 cycle)
+ {
+ int i;
+ unsigned long long start, end, offset;
+--
+2.20.1
+
--- /dev/null
+From f0982a312fa02413cf7756e62adf2abf64de7b8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jan 2020 13:04:42 +0100
+Subject: wan: ixp4xx_hss: fix compile-testing on 64-bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 504c28c853ec5c626900b914b5833daf0581a344 ]
+
+Change the driver to use portable integer types to avoid
+warnings during compile testing:
+
+drivers/net/wan/ixp4xx_hss.c:863:21: error: cast to 'u32 *' (aka 'unsigned int *') from smaller integer type 'int' [-Werror,-Wint-to-pointer-cast]
+ memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4);
+ ^
+drivers/net/wan/ixp4xx_hss.c:979:12: error: incompatible pointer types passing 'u32 *' (aka 'unsigned int *') to parameter of type 'dma_addr_t *' (aka 'unsigned long long *') [-Werror,-Wincompatible-pointer-types]
+ &port->desc_tab_phys)))
+ ^~~~~~~~~~~~~~~~~~~~
+include/linux/dmapool.h:27:20: note: passing argument to parameter 'handle' here
+ dma_addr_t *handle);
+ ^
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/ixp4xx_hss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wan/ixp4xx_hss.c b/drivers/net/wan/ixp4xx_hss.c
+index e7bbdb7af53ac..97968e6a6a4eb 100644
+--- a/drivers/net/wan/ixp4xx_hss.c
++++ b/drivers/net/wan/ixp4xx_hss.c
+@@ -261,7 +261,7 @@ struct port {
+ struct hss_plat_info *plat;
+ buffer_t *rx_buff_tab[RX_DESCS], *tx_buff_tab[TX_DESCS];
+ struct desc *desc_tab; /* coherent */
+- u32 desc_tab_phys;
++ dma_addr_t desc_tab_phys;
+ unsigned int id;
+ unsigned int clock_type, clock_rate, loopback;
+ unsigned int initialized, carrier;
+@@ -861,7 +861,7 @@ static int hss_hdlc_xmit(struct sk_buff *skb, struct net_device *dev)
+ dev->stats.tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+- memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4);
++ memcpy_swab32(mem, (u32 *)((uintptr_t)skb->data & ~3), bytes / 4);
+ dev_kfree_skb(skb);
+ #endif
+
+--
+2.20.1
+
--- /dev/null
+From 5662e464f542bbb9a39b715dedf541d03fb8314e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jan 2020 13:11:54 +0900
+Subject: x86/decoder: Add TEST opcode to Group3-2
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 8b7e20a7ba54836076ff35a28349dabea4cec48f ]
+
+Add TEST opcode to Group3-2 reg=001b as same as Group3-1 does.
+
+Commit
+
+ 12a78d43de76 ("x86/decoder: Add new TEST instruction pattern")
+
+added a TEST opcode assignment to f6 XX/001/XXX (Group 3-1), but did
+not add f7 XX/001/XXX (Group 3-2).
+
+Actually, this TEST opcode variant (ModRM.reg /1) is not described in
+the Intel SDM Vol2 but in AMD64 Architecture Programmer's Manual Vol.3,
+Appendix A.2 Table A-6. ModRM.reg Extensions for the Primary Opcode Map.
+
+Without this fix, Randy found a warning by insn_decoder_test related
+to this issue as below.
+
+ HOSTCC arch/x86/tools/insn_decoder_test
+ HOSTCC arch/x86/tools/insn_sanity
+ TEST posttest
+ arch/x86/tools/insn_decoder_test: warning: Found an x86 instruction decoder bug, please report this.
+ arch/x86/tools/insn_decoder_test: warning: ffffffff81000bf1: f7 0b 00 01 08 00 testl $0x80100,(%rbx)
+ arch/x86/tools/insn_decoder_test: warning: objdump says 6 bytes, but insn_get_length() says 2
+ arch/x86/tools/insn_decoder_test: warning: Decoded and checked 11913894 instructions with 1 failures
+ TEST posttest
+ arch/x86/tools/insn_sanity: Success: decoded and checked 1000000 random instructions with 0 errors (seed:0x871ce29c)
+
+To fix this error, add the TEST opcode according to AMD64 APM Vol.3.
+
+ [ bp: Massage commit message. ]
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lkml.kernel.org/r/157966631413.9580.10311036595431878351.stgit@devnote2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/lib/x86-opcode-map.txt | 2 +-
+ tools/objtool/arch/x86/lib/x86-opcode-map.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt
+index 0f7eb4f5bdb71..82e105b284e01 100644
+--- a/arch/x86/lib/x86-opcode-map.txt
++++ b/arch/x86/lib/x86-opcode-map.txt
+@@ -909,7 +909,7 @@ EndTable
+
+ GrpTable: Grp3_2
+ 0: TEST Ev,Iz
+-1:
++1: TEST Ev,Iz
+ 2: NOT Ev
+ 3: NEG Ev
+ 4: MUL rAX,Ev
+diff --git a/tools/objtool/arch/x86/lib/x86-opcode-map.txt b/tools/objtool/arch/x86/lib/x86-opcode-map.txt
+index 0f7eb4f5bdb71..82e105b284e01 100644
+--- a/tools/objtool/arch/x86/lib/x86-opcode-map.txt
++++ b/tools/objtool/arch/x86/lib/x86-opcode-map.txt
+@@ -909,7 +909,7 @@ EndTable
+
+ GrpTable: Grp3_2
+ 0: TEST Ev,Iz
+-1:
++1: TEST Ev,Iz
+ 2: NOT Ev
+ 3: NEG Ev
+ 4: MUL rAX,Ev
+--
+2.20.1
+
--- /dev/null
+From 7eacfb3b69ee47d8fe1dc54e5e9f632536d8e8d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2020 18:04:10 -0500
+Subject: x86/sysfb: Fix check for bad VRAM size
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit dacc9092336be20b01642afe1a51720b31f60369 ]
+
+When checking whether the reported lfb_size makes sense, the height
+* stride result is page-aligned before seeing whether it exceeds the
+reported size.
+
+This doesn't work if height * stride is not an exact number of pages.
+For example, as reported in the kernel bugzilla below, an 800x600x32 EFI
+framebuffer gets skipped because of this.
+
+Move the PAGE_ALIGN to after the check vs size.
+
+Reported-by: Christopher Head <chead@chead.ca>
+Tested-by: Christopher Head <chead@chead.ca>
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206051
+Link: https://lkml.kernel.org/r/20200107230410.2291947-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/sysfb_simplefb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/sysfb_simplefb.c b/arch/x86/kernel/sysfb_simplefb.c
+index 85195d447a922..f3215346e47fd 100644
+--- a/arch/x86/kernel/sysfb_simplefb.c
++++ b/arch/x86/kernel/sysfb_simplefb.c
+@@ -94,11 +94,11 @@ __init int create_simplefb(const struct screen_info *si,
+ if (si->orig_video_isVGA == VIDEO_TYPE_VLFB)
+ size <<= 16;
+ length = mode->height * mode->stride;
+- length = PAGE_ALIGN(length);
+ if (length > size) {
+ printk(KERN_WARNING "sysfb: VRAM smaller than advertised\n");
+ return -EINVAL;
+ }
++ length = PAGE_ALIGN(length);
+
+ /* setup IORESOURCE_MEM as framebuffer memory */
+ memset(&res, 0, sizeof(res));
+--
+2.20.1
+
--- /dev/null
+From ee63241bfc5012f9d25e7879c085e25a37320b83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2019 21:36:07 -0500
+Subject: x86/vdso: Provide missing include file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Valdis Klētnieks <valdis.kletnieks@vt.edu>
+
+[ Upstream commit bff47c2302cc249bcd550b17067f8dddbd4b6f77 ]
+
+When building with C=1, sparse issues a warning:
+
+ CHECK arch/x86/entry/vdso/vdso32-setup.c
+ arch/x86/entry/vdso/vdso32-setup.c:28:28: warning: symbol 'vdso32_enabled' was not declared. Should it be static?
+
+Provide the missing header file.
+
+Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/36224.1575599767@turing-police
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/vdso/vdso32-setup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/entry/vdso/vdso32-setup.c b/arch/x86/entry/vdso/vdso32-setup.c
+index 3f9d1a83891ad..50c1f77cab150 100644
+--- a/arch/x86/entry/vdso/vdso32-setup.c
++++ b/arch/x86/entry/vdso/vdso32-setup.c
+@@ -10,6 +10,7 @@
+ #include <linux/smp.h>
+ #include <linux/kernel.h>
+ #include <linux/mm_types.h>
++#include <linux/elf.h>
+
+ #include <asm/processor.h>
+ #include <asm/vdso.h>
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
