--- /dev/null
+From 88a6a8780d3b502db967deea149a0733a36dc5e6 Mon Sep 17 00:00:00 2001
+From: Gertjan Halkes <gertjan@google.com>
+Date: Wed, 5 Sep 2018 15:41:29 +0900
+Subject: 9p: do not trust pdu content for stat item size
+
+[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]
+
+v9fs_dir_readdir() could deadloop if a struct was sent with a size set
+to -2
+
+Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmadeus@codewreck.org
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
+Signed-off-by: Gertjan Halkes <gertjan@google.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/9p/vfs_dir.c | 8 +++-----
+ net/9p/protocol.c | 3 ++-
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
+index 48db9a9f13f9..cb6c4031af55 100644
+--- a/fs/9p/vfs_dir.c
++++ b/fs/9p/vfs_dir.c
+@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
+ int err = 0;
+ struct p9_fid *fid;
+ int buflen;
+- int reclen = 0;
+ struct p9_rdir *rdir;
+ struct kvec kvec;
+
+@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
+ while (rdir->head < rdir->tail) {
+ err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
+ rdir->tail - rdir->head, &st);
+- if (err) {
++ if (err <= 0) {
+ p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
+ return -EIO;
+ }
+- reclen = st.size+2;
+
+ over = !dir_emit(ctx, st.name, strlen(st.name),
+ v9fs_qid2ino(&st.qid), dt_type(&st));
+@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
+ if (over)
+ return 0;
+
+- rdir->head += reclen;
+- ctx->pos += reclen;
++ rdir->head += err;
++ ctx->pos += err;
+ }
+ }
+ }
+diff --git a/net/9p/protocol.c b/net/9p/protocol.c
+index ee32bbf12675..b4d80c533f89 100644
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -571,9 +571,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int len, struct p9_wstat *st)
+ if (ret) {
+ p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
+ trace_9p_protocol_dump(clnt, &fake_pdu);
++ return ret;
+ }
+
+- return ret;
++ return fake_pdu.offset;
+ }
+ EXPORT_SYMBOL(p9stat_read);
+
+--
+2.19.1
+
--- /dev/null
+From 017963216deb7130c131128a3076e1edd200b3af Mon Sep 17 00:00:00 2001
+From: Dinu-Razvan Chis-Serban <justcsdr@gmail.com>
+Date: Wed, 5 Sep 2018 16:44:12 +0900
+Subject: 9p locks: add mount option for lock retry interval
+
+[ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ]
+
+The default P9_LOCK_TIMEOUT can be too long for some users exporting
+a local file system to a guest VM (30s), make this configurable at
+mount time.
+
+Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmadeus@codewreck.org
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
+Signed-off-by: Dinu-Razvan Chis-Serban <justcsdr@gmail.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/9p/v9fs.c | 21 +++++++++++++++++++++
+ fs/9p/v9fs.h | 1 +
+ fs/9p/vfs_file.c | 6 +++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
+index 89bac3d2f05b..619128b55837 100644
+--- a/fs/9p/v9fs.c
++++ b/fs/9p/v9fs.c
+@@ -61,6 +61,8 @@ enum {
+ Opt_cache_loose, Opt_fscache, Opt_mmap,
+ /* Access options */
+ Opt_access, Opt_posixacl,
++ /* Lock timeout option */
++ Opt_locktimeout,
+ /* Error token */
+ Opt_err
+ };
+@@ -80,6 +82,7 @@ static const match_table_t tokens = {
+ {Opt_cachetag, "cachetag=%s"},
+ {Opt_access, "access=%s"},
+ {Opt_posixacl, "posixacl"},
++ {Opt_locktimeout, "locktimeout=%u"},
+ {Opt_err, NULL}
+ };
+
+@@ -187,6 +190,7 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts)
+ #ifdef CONFIG_9P_FSCACHE
+ v9ses->cachetag = NULL;
+ #endif
++ v9ses->session_lock_timeout = P9_LOCK_TIMEOUT;
+
+ if (!opts)
+ return 0;
+@@ -359,6 +363,23 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts)
+ #endif
+ break;
+
++ case Opt_locktimeout:
++ r = match_int(&args[0], &option);
++ if (r < 0) {
++ p9_debug(P9_DEBUG_ERROR,
++ "integer field, but no integer?\n");
++ ret = r;
++ continue;
++ }
++ if (option < 1) {
++ p9_debug(P9_DEBUG_ERROR,
++ "locktimeout must be a greater than zero integer.\n");
++ ret = -EINVAL;
++ continue;
++ }
++ v9ses->session_lock_timeout = (long)option * HZ;
++ break;
++
+ default:
+ continue;
+ }
+diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
+index 982e017acadb..129e5243a6bf 100644
+--- a/fs/9p/v9fs.h
++++ b/fs/9p/v9fs.h
+@@ -116,6 +116,7 @@ struct v9fs_session_info {
+ struct p9_client *clnt; /* 9p client */
+ struct list_head slist; /* list of sessions registered with v9fs */
+ struct rw_semaphore rename_sem;
++ long session_lock_timeout; /* retry interval for blocking locks */
+ };
+
+ /* cache_validity flags */
+diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
+index c87e6d6ec069..05454a7e22dc 100644
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ uint8_t status = P9_LOCK_ERROR;
+ int res = 0;
+ unsigned char fl_type;
++ struct v9fs_session_info *v9ses;
+
+ fid = filp->private_data;
+ BUG_ON(fid == NULL);
+@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ if (IS_SETLKW(cmd))
+ flock.flags = P9_LOCK_FLAGS_BLOCK;
+
++ v9ses = v9fs_inode2v9ses(file_inode(filp));
++
+ /*
+ * if its a blocked request and we get P9_LOCK_BLOCKED as the status
+ * for lock request, keep on trying
+@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ break;
+ if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd))
+ break;
+- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
++ if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
++ != 0)
+ break;
+ /*
+ * p9_client_lock_dotl overwrites flock.client_id with the
+--
+2.19.1
+
--- /dev/null
+From eeeff38cb7cbcd5fec7553e2eb853698c94f4aaf Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Mon, 17 Dec 2018 12:21:55 +0100
+Subject: ACPI: EC / PM: Disable non-wakeup GPEs for suspend-to-idle
+
+[ Upstream commit f941d3e41da7f86bdb9dcc1977c2bcc6b89bfe47 ]
+
+There are systems in which non-wakeup GPEs fire during the "noirq"
+suspend stage of suspending devices and that effectively prevents the
+system that tries to suspend to idle from entering any low-power
+state at all. If the offending GPE fires regularly and often enough,
+the system appears to be suspended, but in fact it is in a tight loop
+over "noirq" suspend and "noirq" resume of devices all the time.
+
+To prevent that from happening, disable all non-wakeup GPEs except
+for the EC GPE for suspend-to-idle (the EC GPE is special, because
+on some systems it has to be enabled for power button wakeup events
+to be generated as expected).
+
+Fixes: 147a7d9d25ca (ACPI / PM: Do not reconfigure GPEs for suspend-to-idle)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=201987
+Reported-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Tested-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/ec.c | 12 ++++++++++++
+ drivers/acpi/internal.h | 2 ++
+ drivers/acpi/sleep.c | 11 +++++++++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index d4e5610e09c5..9d66a47d32fb 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1034,6 +1034,18 @@ void acpi_ec_unblock_transactions(void)
+ acpi_ec_start(first_ec, true);
+ }
+
++void acpi_ec_mark_gpe_for_wake(void)
++{
++ if (first_ec && !ec_no_wakeup)
++ acpi_mark_gpe_for_wake(NULL, first_ec->gpe);
++}
++
++void acpi_ec_set_gpe_wake_mask(u8 action)
++{
++ if (first_ec && !ec_no_wakeup)
++ acpi_set_gpe_wake_mask(NULL, first_ec->gpe, action);
++}
++
+ void acpi_ec_dispatch_gpe(void)
+ {
+ if (first_ec)
+diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h
+index 530a3f675490..f59d0b9e2683 100644
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -188,6 +188,8 @@ int acpi_ec_ecdt_probe(void);
+ int acpi_ec_dsdt_probe(void);
+ void acpi_ec_block_transactions(void);
+ void acpi_ec_unblock_transactions(void);
++void acpi_ec_mark_gpe_for_wake(void);
++void acpi_ec_set_gpe_wake_mask(u8 action);
+ void acpi_ec_dispatch_gpe(void);
+ int acpi_ec_add_query_handler(struct acpi_ec *ec, u8 query_bit,
+ acpi_handle handle, acpi_ec_query_func func,
+diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
+index 754d59f95500..74c489047f57 100644
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -940,6 +940,8 @@ static int lps0_device_attach(struct acpi_device *adev,
+
+ acpi_handle_debug(adev->handle, "_DSM function mask: 0x%x\n",
+ bitmask);
++
++ acpi_ec_mark_gpe_for_wake();
+ } else {
+ acpi_handle_debug(adev->handle,
+ "_DSM function 0 evaluation failed\n");
+@@ -968,11 +970,16 @@ static int acpi_s2idle_prepare(void)
+ if (lps0_device_handle) {
+ acpi_sleep_run_lps0_dsm(ACPI_LPS0_SCREEN_OFF);
+ acpi_sleep_run_lps0_dsm(ACPI_LPS0_ENTRY);
++
++ acpi_ec_set_gpe_wake_mask(ACPI_GPE_ENABLE);
+ }
+
+ if (acpi_sci_irq_valid())
+ enable_irq_wake(acpi_sci_irq);
+
++ /* Change the configuration of GPEs to avoid spurious wakeup. */
++ acpi_enable_all_wakeup_gpes();
++ acpi_os_wait_events_complete();
+ return 0;
+ }
+
+@@ -1017,10 +1024,14 @@ static void acpi_s2idle_sync(void)
+
+ static void acpi_s2idle_restore(void)
+ {
++ acpi_enable_all_runtime_gpes();
++
+ if (acpi_sci_irq_valid())
+ disable_irq_wake(acpi_sci_irq);
+
+ if (lps0_device_handle) {
++ acpi_ec_set_gpe_wake_mask(ACPI_GPE_DISABLE);
++
+ acpi_sleep_run_lps0_dsm(ACPI_LPS0_EXIT);
+ acpi_sleep_run_lps0_dsm(ACPI_LPS0_SCREEN_ON);
+ }
+--
+2.19.1
+
--- /dev/null
+From cba85c7692edd227f741b90bc5b0092744d32089 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ronald=20Tschal=C3=A4r?= <ronald@innovation.ch>
+Date: Sun, 30 Sep 2018 19:52:51 -0700
+Subject: ACPI / SBS: Fix GPE storm on recent MacBookPro's
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit ca1721c5bee77105829cbd7baab8ee0eab85b06d ]
+
+On Apple machines, plugging-in or unplugging the power triggers a GPE
+for the EC. Since these machines expose an SBS device, this GPE ends
+up triggering the acpi_sbs_callback(). This in turn tries to get the
+status of the SBS charger. However, on MBP13,* and MBP14,* machines,
+performing the smbus-read operation to get the charger's status triggers
+the EC's GPE again. The result is an endless re-triggering and handling
+of that GPE, consuming significant CPU resources (> 50% in irq).
+
+In the end this is quite similar to commit 3031cddea633 (ACPI / SBS:
+Don't assume the existence of an SBS charger), except that on the above
+machines a status of all 1's is returned. And like there, we just want
+ignore the charger here.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
+Signed-off-by: Ronald Tschalär <ronald@innovation.ch>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/sbs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
+index 295b59271189..96c5e27967f4 100644
+--- a/drivers/acpi/sbs.c
++++ b/drivers/acpi/sbs.c
+@@ -441,9 +441,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
+
+ /*
+ * The spec requires that bit 4 always be 1. If it's not set, assume
+- * that the implementation doesn't support an SBS charger
++ * that the implementation doesn't support an SBS charger.
++ *
++ * And on some MacBooks a status of 0xffff is always returned, no
++ * matter whether the charger is plugged in or not, which is also
++ * wrong, so ignore the SBS charger for those too.
+ */
+- if (!((status >> 4) & 0x1))
++ if (!((status >> 4) & 0x1) || status == 0xffff)
+ return -ENODEV;
+
+ sbs->charger_present = (status >> 15) & 0x1;
+--
+2.19.1
+
--- /dev/null
+From 9028777479d4d063f3688795784dd399303019c8 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 18 Mar 2019 21:47:09 +0300
+Subject: ACPI / utils: Drop reference in test for device presence
+
+[ Upstream commit 54e3aca84e571559915998aa6cc05e5ac37c043b ]
+
+When commit 8661423eea1a ("ACPI / utils: Add new acpi_dev_present
+helper") introduced acpi_dev_present(), it missed the fact that
+bus_find_device() took a reference on the device found by it and
+the callers of acpi_dev_present() don't drop that reference.
+
+Drop the reference on the device in acpi_dev_present().
+
+Fixes: 8661423eea1a ("ACPI / utils: Add new acpi_dev_present helper")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/acpi/utils.c b/drivers/acpi/utils.c
+index 78db97687f26..c4b06cc075f9 100644
+--- a/drivers/acpi/utils.c
++++ b/drivers/acpi/utils.c
+@@ -800,6 +800,7 @@ bool acpi_dev_present(const char *hid, const char *uid, s64 hrv)
+ match.hrv = hrv;
+
+ dev = bus_find_device(&acpi_bus_type, NULL, &match, acpi_dev_match_cb);
++ put_device(dev);
+ return !!dev;
+ }
+ EXPORT_SYMBOL(acpi_dev_present);
+--
+2.19.1
+
--- /dev/null
+From e37777c23b54dac119e49bbd1adc8796c6bafb48 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 14 Mar 2019 22:58:29 -0500
+Subject: ALSA: echoaudio: add a check for ioremap_nocache
+
+[ Upstream commit 6ade657d6125ec3ec07f95fa51e28138aef6208f ]
+
+In case ioremap_nocache fails, the fix releases chip and returns
+an error code upstream to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/echoaudio/echoaudio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c
+index 907cf1a46712..3ef2b27ebbe8 100644
+--- a/sound/pci/echoaudio/echoaudio.c
++++ b/sound/pci/echoaudio/echoaudio.c
+@@ -1954,6 +1954,11 @@ static int snd_echo_create(struct snd_card *card,
+ }
+ chip->dsp_registers = (volatile u32 __iomem *)
+ ioremap_nocache(chip->dsp_registers_phys, sz);
++ if (!chip->dsp_registers) {
++ dev_err(chip->card->dev, "ioremap failed\n");
++ snd_echo_free(chip);
++ return -ENOMEM;
++ }
+
+ if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED,
+ KBUILD_MODNAME, chip)) {
+--
+2.19.1
+
--- /dev/null
+From b6c1df2a51566cbc36ff1d63f0482fe2c86b8ef6 Mon Sep 17 00:00:00 2001
+From: Ayman Bagabas <ayman.bagabas@gmail.com>
+Date: Wed, 12 Dec 2018 18:07:57 -0500
+Subject: ALSA: hda: fix front speakers on Huawei MBXP
+
+[ Upstream commit 8ac51bbc4cfec4ef08b03bef24b31e2d50ef8b37 ]
+
+This patch solves bug 200501 'Only 2 of 4 speakers playing sound.'
+It enables the front speakers on Huawei Matebook X Pro laptops.
+These laptops come with Dolby Atmos sound system and these pins
+configuration enables the front speakers.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200501
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ayman Bagabas <ayman.bagabas@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index b9d832bde23e..bd60eb7168fa 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5604,6 +5604,7 @@ enum {
+ ALC298_FIXUP_TPT470_DOCK,
+ ALC255_FIXUP_DUMMY_LINEOUT_VERB,
+ ALC255_FIXUP_DELL_HEADSET_MIC,
++ ALC256_FIXUP_HUAWEI_MBXP_PINS,
+ ALC295_FIXUP_HP_X360,
+ ALC221_FIXUP_HP_HEADSET_MIC,
+ ALC285_FIXUP_LENOVO_HEADPHONE_NOISE,
+@@ -5892,6 +5893,22 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MIC
+ },
++ [ALC256_FIXUP_HUAWEI_MBXP_PINS] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ {0x12, 0x90a60130},
++ {0x13, 0x40000000},
++ {0x14, 0x90170110},
++ {0x18, 0x411111f0},
++ {0x19, 0x04a11040},
++ {0x1a, 0x411111f0},
++ {0x1b, 0x90170112},
++ {0x1d, 0x40759a05},
++ {0x1e, 0x411111f0},
++ {0x21, 0x04211020},
++ { }
++ },
++ },
+ [ALC269_FIXUP_ASUS_X101_FUNC] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc269_fixup_x101_headset_mic,
+@@ -6885,6 +6902,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),
+ SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
++ SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MBXP", ALC256_FIXUP_HUAWEI_MBXP_PINS),
+ SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
+
+ #if 0
+--
+2.19.1
+
--- /dev/null
+From cbe6a0735ae191ef55e06b8f5b2742651dc2cfa0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sun, 17 Mar 2019 23:21:24 +0000
+Subject: ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and
+ declaration
+
+[ Upstream commit b4748e7ab731e436cf5db4786358ada5dd2db6dd ]
+
+The function snd_opl3_drum_switch declaration in the header file
+has the order of the two arguments on_off and vel swapped when
+compared to the definition arguments of vel and on_off. Fix this
+by swapping them around to match the definition.
+
+This error predates the git history, so no idea when this error
+was introduced.
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/drivers/opl3/opl3_voice.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/drivers/opl3/opl3_voice.h b/sound/drivers/opl3/opl3_voice.h
+index 5b02bd49fde4..4e4ecc21760b 100644
+--- a/sound/drivers/opl3/opl3_voice.h
++++ b/sound/drivers/opl3/opl3_voice.h
+@@ -41,7 +41,7 @@ void snd_opl3_timer_func(struct timer_list *t);
+
+ /* Prototypes for opl3_drums.c */
+ void snd_opl3_load_drums(struct snd_opl3 *opl3);
+-void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int on_off, int vel, struct snd_midi_channel *chan);
++void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int vel, int on_off, struct snd_midi_channel *chan);
+
+ /* Prototypes for opl3_oss.c */
+ #if IS_ENABLED(CONFIG_SND_SEQUENCER_OSS)
+--
+2.19.1
+
--- /dev/null
+From 455594d19f427a0839a8ebf9a70aebc335d3c534 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 14 Mar 2019 23:04:14 -0500
+Subject: ALSA: sb8: add a check for request_region
+
+[ Upstream commit dcd0feac9bab901d5739de51b3f69840851f8919 ]
+
+In case request_region fails, the fix returns an error code to
+avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb8.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/isa/sb/sb8.c b/sound/isa/sb/sb8.c
+index d77dcba276b5..1eb8b61a185b 100644
+--- a/sound/isa/sb/sb8.c
++++ b/sound/isa/sb/sb8.c
+@@ -111,6 +111,10 @@ static int snd_sb8_probe(struct device *pdev, unsigned int dev)
+
+ /* block the 0x388 port to avoid PnP conflicts */
+ acard->fm_res = request_region(0x388, 4, "SoundBlaster FM");
++ if (!acard->fm_res) {
++ err = -EBUSY;
++ goto _err;
++ }
+
+ if (port[dev] != SNDRV_AUTO_PORT) {
+ if ((err = snd_sbdsp_create(card, port[dev], irq[dev],
+--
+2.19.1
+
--- /dev/null
+From 627c5c0488a3388a8af0371c939ac091f73e0d11 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 1 Mar 2019 10:57:57 +0800
+Subject: appletalk: Fix use-after-free in atalk_proc_exit
+
+[ Upstream commit 6377f787aeb945cae7abbb6474798de129e1f3ac ]
+
+KASAN report this:
+
+BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
+Read of size 8 at addr ffff8881f41fe5b0 by task syz-executor.0/2806
+
+CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
+ remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
+ atalk_proc_exit+0x18/0x820 [appletalk]
+ atalk_exit+0xf/0x5a [appletalk]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fb2de6b9c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2de6ba6bc
+R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
+
+Allocated by task 2806:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
+ slab_post_alloc_hook mm/slab.h:444 [inline]
+ slab_alloc_node mm/slub.c:2739 [inline]
+ slab_alloc mm/slub.c:2747 [inline]
+ kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
+ kmem_cache_zalloc include/linux/slab.h:730 [inline]
+ __proc_create+0x30f/0xa20 fs/proc/generic.c:408
+ proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
+ 0xffffffffc10c01bb
+ 0xffffffffc10c0166
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 2806:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
+ slab_free_hook mm/slub.c:1409 [inline]
+ slab_free_freelist_hook mm/slub.c:1436 [inline]
+ slab_free mm/slub.c:2986 [inline]
+ kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
+ pde_put+0x6e/0x80 fs/proc/generic.c:647
+ remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
+ 0xffffffffc10c031c
+ 0xffffffffc10c0166
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f41fe500
+ which belongs to the cache proc_dir_entry of size 256
+The buggy address is located 176 bytes inside of
+ 256-byte region [ffff8881f41fe500, ffff8881f41fe600)
+The buggy address belongs to the page:
+page:ffffea0007d07f80 count:1 mapcount:0 mapping:ffff8881f6e69a00 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+It should check the return value of atalk_proc_init fails,
+otherwise atalk_exit will trgger use-after-free in pde_subdir_find
+while unload the module.This patch fix error cleanup path of atalk_init
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/atalk.h | 2 +-
+ net/appletalk/atalk_proc.c | 2 +-
+ net/appletalk/ddp.c | 37 ++++++++++++++++++++++++++------
+ net/appletalk/sysctl_net_atalk.c | 5 ++++-
+ 4 files changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/atalk.h b/include/linux/atalk.h
+index 23f805562f4e..5a90f28d5ff2 100644
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -158,7 +158,7 @@ extern int sysctl_aarp_retransmit_limit;
+ extern int sysctl_aarp_resolve_time;
+
+ #ifdef CONFIG_SYSCTL
+-extern void atalk_register_sysctl(void);
++extern int atalk_register_sysctl(void);
+ extern void atalk_unregister_sysctl(void);
+ #else
+ #define atalk_register_sysctl() do { } while(0)
+diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
+index 8006295f8bd7..dda73991bb54 100644
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -255,7 +255,7 @@ int __init atalk_proc_init(void)
+ goto out;
+ }
+
+-void __exit atalk_proc_exit(void)
++void atalk_proc_exit(void)
+ {
+ remove_proc_entry("interface", atalk_proc_dir);
+ remove_proc_entry("route", atalk_proc_dir);
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 9b6bc5abe946..795fbc6c06aa 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1910,12 +1910,16 @@ static const char atalk_err_snap[] __initconst =
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+- int rc = proto_register(&ddp_proto, 0);
++ int rc;
+
+- if (rc != 0)
++ rc = proto_register(&ddp_proto, 0);
++ if (rc)
+ goto out;
+
+- (void)sock_register(&atalk_family_ops);
++ rc = sock_register(&atalk_family_ops);
++ if (rc)
++ goto out_proto;
++
+ ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+ if (!ddp_dl)
+ printk(atalk_err_snap);
+@@ -1923,12 +1927,33 @@ static int __init atalk_init(void)
+ dev_add_pack(<alk_packet_type);
+ dev_add_pack(&ppptalk_packet_type);
+
+- register_netdevice_notifier(&ddp_notifier);
++ rc = register_netdevice_notifier(&ddp_notifier);
++ if (rc)
++ goto out_sock;
++
+ aarp_proto_init();
+- atalk_proc_init();
+- atalk_register_sysctl();
++ rc = atalk_proc_init();
++ if (rc)
++ goto out_aarp;
++
++ rc = atalk_register_sysctl();
++ if (rc)
++ goto out_proc;
+ out:
+ return rc;
++out_proc:
++ atalk_proc_exit();
++out_aarp:
++ aarp_cleanup_module();
++ unregister_netdevice_notifier(&ddp_notifier);
++out_sock:
++ dev_remove_pack(&ppptalk_packet_type);
++ dev_remove_pack(<alk_packet_type);
++ unregister_snap_client(ddp_dl);
++ sock_unregister(PF_APPLETALK);
++out_proto:
++ proto_unregister(&ddp_proto);
++ goto out;
+ }
+ module_init(atalk_init);
+
+diff --git a/net/appletalk/sysctl_net_atalk.c b/net/appletalk/sysctl_net_atalk.c
+index c744a853fa5f..d945b7c0176d 100644
+--- a/net/appletalk/sysctl_net_atalk.c
++++ b/net/appletalk/sysctl_net_atalk.c
+@@ -45,9 +45,12 @@ static struct ctl_table atalk_table[] = {
+
+ static struct ctl_table_header *atalk_table_header;
+
+-void atalk_register_sysctl(void)
++int __init atalk_register_sysctl(void)
+ {
+ atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table);
++ if (!atalk_table_header)
++ return -ENOMEM;
++ return 0;
+ }
+
+ void atalk_unregister_sysctl(void)
+--
+2.19.1
+
--- /dev/null
+From c2f8e846bdd73d64d3b264b824515fc128eca77f Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Mon, 25 Feb 2019 09:45:38 +0000
+Subject: arc: hsdk_defconfig: Enable CONFIG_BLK_DEV_RAM
+
+[ Upstream commit 0728aeb7ead99a9b0dac2f3c92b3752b4e02ff97 ]
+
+We have now a HSDK device in our kernelci lab, but kernel builded via
+the hsdk_defconfig lacks ramfs supports, so it cannot boot kernelci jobs
+yet.
+
+So this patch enable CONFIG_BLK_DEV_RAM in hsdk_defconfig.
+
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Acked-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/configs/hsdk_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arc/configs/hsdk_defconfig b/arch/arc/configs/hsdk_defconfig
+index 2a1d2cbfee1a..651fa7978e51 100644
+--- a/arch/arc/configs/hsdk_defconfig
++++ b/arch/arc/configs/hsdk_defconfig
+@@ -8,6 +8,7 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
++CONFIG_BLK_DEV_RAM=y
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_VM_EVENT_COUNTERS is not set
+--
+2.19.1
+
--- /dev/null
+From ec29ab148d4776edf2c371f07831b1cd23f8cafc Mon Sep 17 00:00:00 2001
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Mon, 25 Feb 2019 20:16:01 +0300
+Subject: ARC: u-boot args: check that magic number is correct
+
+[ Upstream commit edb64bca50cd736c6894cc6081d5263c007ce005 ]
+
+In case of devboards we really often disable bootloader and load
+Linux image in memory via JTAG. Even if kernel tries to verify
+uboot_tag and uboot_arg there is sill a chance that we treat some
+garbage in registers as valid u-boot arguments in JTAG case.
+E.g. it is enough to have '1' in r0 to treat any value in r2 as
+a boot command line.
+
+So check that magic number passed from u-boot is correct and drop
+u-boot arguments otherwise. That helps to reduce the possibility
+of using garbage as u-boot arguments in JTAG case.
+
+We can safely check U-boot magic value (0x0) in linux passed via
+r1 register as U-boot pass it from the beginning. So there is no
+backward-compatibility issues.
+
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/kernel/head.S | 1 +
+ arch/arc/kernel/setup.c | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/arch/arc/kernel/head.S b/arch/arc/kernel/head.S
+index 1f945d0f40da..208bf2c9e7b0 100644
+--- a/arch/arc/kernel/head.S
++++ b/arch/arc/kernel/head.S
+@@ -107,6 +107,7 @@ ENTRY(stext)
+ ; r2 = pointer to uboot provided cmdline or external DTB in mem
+ ; These are handled later in handle_uboot_args()
+ st r0, [@uboot_tag]
++ st r1, [@uboot_magic]
+ st r2, [@uboot_arg]
+ #endif
+
+diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c
+index 3320ca2fe20f..a1218937abd6 100644
+--- a/arch/arc/kernel/setup.c
++++ b/arch/arc/kernel/setup.c
+@@ -35,6 +35,7 @@ unsigned int intr_to_DE_cnt;
+
+ /* Part of U-boot ABI: see head.S */
+ int __initdata uboot_tag;
++int __initdata uboot_magic;
+ char __initdata *uboot_arg;
+
+ const struct machine_desc *machine_desc;
+@@ -484,6 +485,8 @@ static inline bool uboot_arg_invalid(unsigned long addr)
+ #define UBOOT_TAG_NONE 0
+ #define UBOOT_TAG_CMDLINE 1
+ #define UBOOT_TAG_DTB 2
++/* We always pass 0 as magic from U-boot */
++#define UBOOT_MAGIC_VALUE 0
+
+ void __init handle_uboot_args(void)
+ {
+@@ -499,6 +502,11 @@ void __init handle_uboot_args(void)
+ goto ignore_uboot_args;
+ }
+
++ if (uboot_magic != UBOOT_MAGIC_VALUE) {
++ pr_warn(IGNORE_ARGS "non zero uboot magic\n");
++ goto ignore_uboot_args;
++ }
++
+ if (uboot_tag != UBOOT_TAG_NONE &&
+ uboot_arg_invalid((unsigned long)uboot_arg)) {
+ pr_warn(IGNORE_ARGS "invalid uboot arg: '%px'\n", uboot_arg);
+--
+2.19.1
+
--- /dev/null
+From 9c99c2cc2a2f3e033f39ff35e4b1303983539e1d Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang.shi@linaro.org>
+Date: Wed, 13 Feb 2019 17:14:23 +0100
+Subject: ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t
+
+[ Upstream commit 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90 ]
+
+When running kprobe on -rt kernel, the below bug is caught:
+
+|BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:931
+|in_atomic(): 1, irqs_disabled(): 128, pid: 14, name: migration/0
+|Preemption disabled at:[<802f2b98>] cpu_stopper_thread+0xc0/0x140
+|CPU: 0 PID: 14 Comm: migration/0 Tainted: G O 4.8.3-rt2 #1
+|Hardware name: Freescale LS1021A
+|[<8025a43c>] (___might_sleep)
+|[<80b5b324>] (rt_spin_lock)
+|[<80b5c31c>] (__patch_text_real)
+|[<80b5c3ac>] (patch_text_stop_machine)
+|[<802f2920>] (multi_cpu_stop)
+
+Since patch_text_stop_machine() is called in stop_machine() which
+disables IRQ, sleepable lock should be not used in this atomic context,
+ so replace patch_lock to raw lock.
+
+Signed-off-by: Yang Shi <yang.shi@linaro.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/patch.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
+index a50dc00d79a2..d0a05a3bdb96 100644
+--- a/arch/arm/kernel/patch.c
++++ b/arch/arm/kernel/patch.c
+@@ -16,7 +16,7 @@ struct patch {
+ unsigned int insn;
+ };
+
+-static DEFINE_SPINLOCK(patch_lock);
++static DEFINE_RAW_SPINLOCK(patch_lock);
+
+ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
+ __acquires(&patch_lock)
+@@ -33,7 +33,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
+ return addr;
+
+ if (flags)
+- spin_lock_irqsave(&patch_lock, *flags);
++ raw_spin_lock_irqsave(&patch_lock, *flags);
+ else
+ __acquire(&patch_lock);
+
+@@ -48,7 +48,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long *flags)
+ clear_fixmap(fixmap);
+
+ if (flags)
+- spin_unlock_irqrestore(&patch_lock, *flags);
++ raw_spin_unlock_irqrestore(&patch_lock, *flags);
+ else
+ __release(&patch_lock);
+ }
+--
+2.19.1
+
--- /dev/null
+From 50394f7bd475ba79952485cb8ac0d4301c1552b8 Mon Sep 17 00:00:00 2001
+From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Date: Fri, 28 Sep 2018 15:32:46 +0200
+Subject: ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos
+ platforms
+
+[ Upstream commit 6862fdf2201ab67cd962dbf0643d37db909f4860 ]
+
+"S3C2410 PM Suspend Memory CRC" feature (controlled by
+SAMSUNG_PM_CHECK config option) is incompatible with highmem
+(uses phys_to_virt() instead of proper mapping) which is used by
+the majority of Exynos boards. The issue manifests itself in OOPS
+on affected boards, i.e. on Odroid-U3 I got the following one:
+
+Unable to handle kernel paging request at virtual address f0000000
+pgd = 1c0f9bb4
+[f0000000] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+[<c0458034>] (crc32_le) from [<c0121f8c>] (s3c_pm_makecheck+0x34/0x54)
+[<c0121f8c>] (s3c_pm_makecheck) from [<c0121efc>] (s3c_pm_run_res+0x74/0x8c)
+[<c0121efc>] (s3c_pm_run_res) from [<c0121ecc>] (s3c_pm_run_res+0x44/0x8c)
+[<c0121ecc>] (s3c_pm_run_res) from [<c01210b8>] (exynos_suspend_enter+0x64/0x148)
+[<c01210b8>] (exynos_suspend_enter) from [<c018893c>] (suspend_devices_and_enter+0x9ec/0xe74)
+[<c018893c>] (suspend_devices_and_enter) from [<c0189534>] (pm_suspend+0x770/0xc04)
+[<c0189534>] (pm_suspend) from [<c0186ce8>] (state_store+0x6c/0xcc)
+[<c0186ce8>] (state_store) from [<c09db434>] (kobj_attr_store+0x14/0x20)
+[<c09db434>] (kobj_attr_store) from [<c02fa63c>] (sysfs_kf_write+0x4c/0x50)
+[<c02fa63c>] (sysfs_kf_write) from [<c02f97a4>] (kernfs_fop_write+0xfc/0x1e4)
+[<c02f97a4>] (kernfs_fop_write) from [<c027b198>] (__vfs_write+0x2c/0x140)
+[<c027b198>] (__vfs_write) from [<c027b418>] (vfs_write+0xa4/0x160)
+[<c027b418>] (vfs_write) from [<c027b5d8>] (ksys_write+0x40/0x8c)
+[<c027b5d8>] (ksys_write) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+
+Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
+SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.
+
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/plat-samsung/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
+index b600e38364eb..377ff9cda667 100644
+--- a/arch/arm/plat-samsung/Kconfig
++++ b/arch/arm/plat-samsung/Kconfig
+@@ -256,7 +256,7 @@ config S3C_PM_DEBUG_LED_SMDK
+
+ config SAMSUNG_PM_CHECK
+ bool "S3C2410 PM Suspend Memory CRC"
+- depends on PM
++ depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)
+ select CRC32
+ help
+ Enable the PM code's memory area checksum over sleep. This option
+--
+2.19.1
+
--- /dev/null
+From d05259e093671d97eafeed36b3cae1655010cb23 Mon Sep 17 00:00:00 2001
+From: Rohit kumar <rohitkr@codeaurora.org>
+Date: Tue, 11 Sep 2018 14:59:21 +0530
+Subject: ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx()
+
+[ Upstream commit ae7d1247d8673ebfd686b17e759d4be391165368 ]
+
+In functions snd_soc_get_volsw_sx() or snd_soc_put_volsw_sx(),
+if the result of (min + max) is negative, then fls() returns
+signed integer with value as 32. This leads to signed integer
+overflow as complete operation is considered as signed integer.
+
+UBSAN: Undefined behaviour in sound/soc/soc-ops.c:382:50
+signed integer overflow:
+-2147483648 - 1 cannot be represented in type 'int'
+Call trace:
+[<ffffff852f746fe4>] __dump_stack lib/dump_stack.c:15 [inline]
+[<ffffff852f746fe4>] dump_stack+0xec/0x158 lib/dump_stack.c:51
+[<ffffff852f7b5f3c>] ubsan_epilogue+0x18/0x50 lib/ubsan.c:164
+[<ffffff852f7b6840>] handle_overflow+0xf8/0x130 lib/ubsan.c:195
+[<ffffff852f7b68f0>] __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:211
+[<ffffff85307971a0>] snd_soc_get_volsw_sx+0x1a8/0x1f8 sound/soc/soc-ops.c:382
+
+Typecast the operation to unsigned int to fix the issue.
+
+Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-ops.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index 592efb370c44..f4dc3d445aae 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -373,7 +373,7 @@ int snd_soc_get_volsw_sx(struct snd_kcontrol *kcontrol,
+ unsigned int rshift = mc->rshift;
+ int max = mc->max;
+ int min = mc->min;
+- unsigned int mask = (1 << (fls(min + max) - 1)) - 1;
++ unsigned int mask = (1U << (fls(min + max) - 1)) - 1;
+ unsigned int val;
+ int ret;
+
+@@ -418,7 +418,7 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
+ unsigned int rshift = mc->rshift;
+ int max = mc->max;
+ int min = mc->min;
+- unsigned int mask = (1 << (fls(min + max) - 1)) - 1;
++ unsigned int mask = (1U << (fls(min + max) - 1)) - 1;
+ int err = 0;
+ unsigned int val, val_mask, val2 = 0;
+
+--
+2.19.1
+
--- /dev/null
+From 307364c12fc97f46eb0f8c02cba07d1e4ac1f731 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 12 Mar 2019 16:44:28 +0200
+Subject: auxdisplay: hd44780: Fix memory leak on ->remove()
+
+[ Upstream commit 41c8d0adf3c4df1867d98cee4a2c4531352a33ad ]
+
+We have to free on ->remove() the allocated resources on ->probe().
+
+Fixes: d47d88361fee ("auxdisplay: Add HD44780 Character LCD support")
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/auxdisplay/hd44780.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/auxdisplay/hd44780.c b/drivers/auxdisplay/hd44780.c
+index f1a42f0f1ded..df3da49ff9e8 100644
+--- a/drivers/auxdisplay/hd44780.c
++++ b/drivers/auxdisplay/hd44780.c
+@@ -299,6 +299,8 @@ static int hd44780_remove(struct platform_device *pdev)
+ struct charlcd *lcd = platform_get_drvdata(pdev);
+
+ charlcd_unregister(lcd);
++
++ kfree(lcd);
+ return 0;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 72efe00758372948e3a90a9b53c8e102dab97d3b Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 20 Mar 2019 13:15:01 -0700
+Subject: blk-iolatency: #include "blk.h"
+
+[ Upstream commit 373e915cd8e84544609eced57a44fbc084f8d60f ]
+
+This patch avoids that the following warning is reported when building
+with W=1:
+
+block/blk-iolatency.c:734:5: warning: no previous prototype for 'blk_iolatency_init' [-Wmissing-prototypes]
+
+Cc: Josef Bacik <jbacik@fb.com>
+Fixes: d70675121546 ("block: introduce blk-iolatency io controller") # v4.19
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iolatency.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index b154e057ca67..6b8396ccb5c4 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -75,6 +75,7 @@
+ #include <linux/blk-mq.h>
+ #include "blk-rq-qos.h"
+ #include "blk-stat.h"
++#include "blk.h"
+
+ #define DEFAULT_SCALE_COOKIE 1000000U
+
+--
+2.19.1
+
--- /dev/null
+From aa83bc6235bb2bb5f773783b7c4ae4ffbf2a30c9 Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Fri, 28 Sep 2018 21:54:30 +0300
+Subject: Bluetooth: Fix debugfs NULL pointer dereference
+
+[ Upstream commit 30d65e0804d58a03d1a8ea4e12c6fc07ed08218b ]
+
+Fix crash caused by NULL pointer dereference when debugfs functions
+le_max_key_read, le_max_key_size_write, le_min_key_size_read or
+le_min_key_size_write and Bluetooth adapter was powered off.
+
+Fix is to move max_key_size and min_key_size from smp_dev to hci_dev.
+At the same time they were renamed to le_max_key_size and
+le_min_key_size.
+
+BUG: unable to handle kernel NULL pointer dereference at 00000000000002e8
+PGD 0 P4D 0
+Oops: 0000 [#24] SMP PTI
+CPU: 2 PID: 6255 Comm: cat Tainted: G D OE 4.18.9-200.fc28.x86_64 #1
+Hardware name: LENOVO 4286CTO/4286CTO, BIOS 8DET76WW (1.46 ) 06/21/2018
+RIP: 0010:le_max_key_size_read+0x45/0xb0 [bluetooth]
+Code: 00 00 00 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 48 8b 87 c8 00 00 00 48 8d 7c 24 04 48 8b 80 48 0a 00 00 <48> 8b 80 e8 02 00 00 0f b6 48 52 e8 fb b6 b3 ed be 04 00 00 00 48
+RSP: 0018:ffffab23c3ff3df0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 00007f0b4ca2e000 RCX: ffffab23c3ff3f08
+RDX: ffffffffc0ddb033 RSI: 0000000000000004 RDI: ffffab23c3ff3df4
+RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffab23c3ff3ed8 R11: 0000000000000000 R12: ffffab23c3ff3f08
+R13: 00007f0b4ca2e000 R14: 0000000000020000 R15: ffffab23c3ff3f08
+FS: 00007f0b4ca0f540(0000) GS:ffff91bd5e280000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000000002e8 CR3: 00000000629fa006 CR4: 00000000000606e0
+Call Trace:
+ full_proxy_read+0x53/0x80
+ __vfs_read+0x36/0x180
+ vfs_read+0x8a/0x140
+ ksys_read+0x4f/0xb0
+ do_syscall_64+0x5b/0x160
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 2 ++
+ net/bluetooth/hci_core.c | 2 ++
+ net/bluetooth/smp.c | 23 +++++++++--------------
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 0db1b9b428b7..1dfb75057580 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -259,6 +259,8 @@ struct hci_dev {
+ __u16 le_max_tx_time;
+ __u16 le_max_rx_len;
+ __u16 le_max_rx_time;
++ __u8 le_max_key_size;
++ __u8 le_min_key_size;
+ __u16 discov_interleaved_timeout;
+ __u16 conn_info_min_age;
+ __u16 conn_info_max_age;
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 74b29c7d841c..a06f03047717 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3084,6 +3084,8 @@ struct hci_dev *hci_alloc_dev(void)
+ hdev->le_max_tx_time = 0x0148;
+ hdev->le_max_rx_len = 0x001b;
+ hdev->le_max_rx_time = 0x0148;
++ hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE;
++ hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE;
+ hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
+ hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 73f7211d0431..a1c1b7e8a45c 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -88,9 +88,6 @@ struct smp_dev {
+ u8 local_rand[16];
+ bool debug_key;
+
+- u8 min_key_size;
+- u8 max_key_size;
+-
+ struct crypto_cipher *tfm_aes;
+ struct crypto_shash *tfm_cmac;
+ struct crypto_kpp *tfm_ecdh;
+@@ -720,7 +717,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
+ if (rsp == NULL) {
+ req->io_capability = conn->hcon->io_capability;
+ req->oob_flag = oob_flag;
+- req->max_key_size = SMP_DEV(hdev)->max_key_size;
++ req->max_key_size = hdev->le_max_key_size;
+ req->init_key_dist = local_dist;
+ req->resp_key_dist = remote_dist;
+ req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
+@@ -731,7 +728,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
+
+ rsp->io_capability = conn->hcon->io_capability;
+ rsp->oob_flag = oob_flag;
+- rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
++ rsp->max_key_size = hdev->le_max_key_size;
+ rsp->init_key_dist = req->init_key_dist & remote_dist;
+ rsp->resp_key_dist = req->resp_key_dist & local_dist;
+ rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
+@@ -745,7 +742,7 @@ static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
+ struct hci_dev *hdev = conn->hcon->hdev;
+ struct smp_chan *smp = chan->data;
+
+- if (max_key_size > SMP_DEV(hdev)->max_key_size ||
++ if (max_key_size > hdev->le_max_key_size ||
+ max_key_size < SMP_MIN_ENC_KEY_SIZE)
+ return SMP_ENC_KEY_SIZE;
+
+@@ -3264,8 +3261,6 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
+ smp->tfm_aes = tfm_aes;
+ smp->tfm_cmac = tfm_cmac;
+ smp->tfm_ecdh = tfm_ecdh;
+- smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
+- smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
+
+ create_chan:
+ chan = l2cap_chan_create();
+@@ -3391,7 +3386,7 @@ static ssize_t le_min_key_size_read(struct file *file,
+ struct hci_dev *hdev = file->private_data;
+ char buf[4];
+
+- snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
++ snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
+
+ return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
+ }
+@@ -3412,11 +3407,11 @@ static ssize_t le_min_key_size_write(struct file *file,
+
+ sscanf(buf, "%hhu", &key_size);
+
+- if (key_size > SMP_DEV(hdev)->max_key_size ||
++ if (key_size > hdev->le_max_key_size ||
+ key_size < SMP_MIN_ENC_KEY_SIZE)
+ return -EINVAL;
+
+- SMP_DEV(hdev)->min_key_size = key_size;
++ hdev->le_min_key_size = key_size;
+
+ return count;
+ }
+@@ -3435,7 +3430,7 @@ static ssize_t le_max_key_size_read(struct file *file,
+ struct hci_dev *hdev = file->private_data;
+ char buf[4];
+
+- snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
++ snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
+
+ return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
+ }
+@@ -3457,10 +3452,10 @@ static ssize_t le_max_key_size_write(struct file *file,
+ sscanf(buf, "%hhu", &key_size);
+
+ if (key_size > SMP_MAX_ENC_KEY_SIZE ||
+- key_size < SMP_DEV(hdev)->min_key_size)
++ key_size < hdev->le_min_key_size)
+ return -EINVAL;
+
+- SMP_DEV(hdev)->max_key_size = key_size;
++ hdev->le_max_key_size = key_size;
+
+ return count;
+ }
+--
+2.19.1
+
--- /dev/null
+From 61e28706d40741412159e5a2813d251640f10606 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Fri, 19 Oct 2018 01:58:22 -0500
+Subject: cifs: fallback to older infolevels on findfirst queryinfo retry
+
+[ Upstream commit 3b7960caceafdfc2cdfe2850487f8d091eb41144 ]
+
+In cases where queryinfo fails, we have cases in cifs (vers=1.0)
+where with backupuid mounts we retry the query info with findfirst.
+This doesn't work to some NetApp servers which don't support
+WindowsXP (and later) infolevel 261 (SMB_FIND_FILE_ID_FULL_DIR_INFO)
+so in this case use other info levels (in this case it will usually
+be level 257, SMB_FIND_FILE_DIRECTORY_INFO).
+
+(Also fixes some indentation)
+
+See kernel bugzilla 201435
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/inode.c | 67 +++++++++++++++++++++++++++----------------------
+ 1 file changed, 37 insertions(+), 30 deletions(-)
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index 020f49c15b30..b59ebed4f615 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -780,43 +780,50 @@ cifs_get_inode_info(struct inode **inode, const char *full_path,
+ } else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
+ (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
+ == 0)) {
+- /*
+- * For SMB2 and later the backup intent flag is already
+- * sent if needed on open and there is no path based
+- * FindFirst operation to use to retry with
+- */
++ /*
++ * For SMB2 and later the backup intent flag is already
++ * sent if needed on open and there is no path based
++ * FindFirst operation to use to retry with
++ */
+
+- srchinf = kzalloc(sizeof(struct cifs_search_info),
+- GFP_KERNEL);
+- if (srchinf == NULL) {
+- rc = -ENOMEM;
+- goto cgii_exit;
+- }
++ srchinf = kzalloc(sizeof(struct cifs_search_info),
++ GFP_KERNEL);
++ if (srchinf == NULL) {
++ rc = -ENOMEM;
++ goto cgii_exit;
++ }
+
+- srchinf->endOfSearch = false;
++ srchinf->endOfSearch = false;
++ if (tcon->unix_ext)
++ srchinf->info_level = SMB_FIND_FILE_UNIX;
++ else if ((tcon->ses->capabilities &
++ tcon->ses->server->vals->cap_nt_find) == 0)
++ srchinf->info_level = SMB_FIND_FILE_INFO_STANDARD;
++ else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM)
+ srchinf->info_level = SMB_FIND_FILE_ID_FULL_DIR_INFO;
++ else /* no srvino useful for fallback to some netapp */
++ srchinf->info_level = SMB_FIND_FILE_DIRECTORY_INFO;
+
+- srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
+- CIFS_SEARCH_CLOSE_AT_END |
+- CIFS_SEARCH_BACKUP_SEARCH;
++ srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
++ CIFS_SEARCH_CLOSE_AT_END |
++ CIFS_SEARCH_BACKUP_SEARCH;
+
+- rc = CIFSFindFirst(xid, tcon, full_path,
+- cifs_sb, NULL, srchflgs, srchinf, false);
+- if (!rc) {
+- data =
+- (FILE_ALL_INFO *)srchinf->srch_entries_start;
++ rc = CIFSFindFirst(xid, tcon, full_path,
++ cifs_sb, NULL, srchflgs, srchinf, false);
++ if (!rc) {
++ data = (FILE_ALL_INFO *)srchinf->srch_entries_start;
+
+- cifs_dir_info_to_fattr(&fattr,
+- (FILE_DIRECTORY_INFO *)data, cifs_sb);
+- fattr.cf_uniqueid = le64_to_cpu(
+- ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
+- validinum = true;
++ cifs_dir_info_to_fattr(&fattr,
++ (FILE_DIRECTORY_INFO *)data, cifs_sb);
++ fattr.cf_uniqueid = le64_to_cpu(
++ ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
++ validinum = true;
+
+- cifs_buf_release(srchinf->ntwrk_buf_start);
+- }
+- kfree(srchinf);
+- if (rc)
+- goto cgii_exit;
++ cifs_buf_release(srchinf->ntwrk_buf_start);
++ }
++ kfree(srchinf);
++ if (rc)
++ goto cgii_exit;
+ } else
+ goto cgii_exit;
+
+--
+2.19.1
+
--- /dev/null
+From 493a4f40ed0558c97251969e7a50bd8498a8265e Mon Sep 17 00:00:00 2001
+From: "ndesaulniers@google.com" <ndesaulniers@google.com>
+Date: Mon, 15 Oct 2018 10:22:21 -0700
+Subject: compiler.h: update definition of unreachable()
+
+[ Upstream commit fe0640eb30b7da261ae84d252ed9ed3c7e68dfd8 ]
+
+Fixes the objtool warning seen with Clang:
+arch/x86/mm/fault.o: warning: objtool: no_context()+0x220: unreachable
+instruction
+
+Fixes commit 815f0ddb346c ("include/linux/compiler*.h: make compiler-*.h
+mutually exclusive")
+
+Josh noted that the fallback definition was meant to work around a
+pre-gcc-4.6 bug. GCC still needs to work around
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365, so compiler-gcc.h
+defines its own version of unreachable(). Clang and ICC can use this
+shared definition.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/204
+Suggested-by: Andy Lutomirski <luto@amacapital.net>
+Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 269d376f5a11..81c2238b884c 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -124,7 +124,10 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+ # define ASM_UNREACHABLE
+ #endif
+ #ifndef unreachable
+-# define unreachable() do { annotate_reachable(); do { } while (1); } while (0)
++# define unreachable() do { \
++ annotate_unreachable(); \
++ __builtin_unreachable(); \
++} while (0)
+ #endif
+
+ /*
+--
+2.19.1
+
--- /dev/null
+From bdffc49a631af356f6ab57020b976cf913026c6b Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Tue, 5 Feb 2019 16:24:53 -0700
+Subject: coresight: cpu-debug: Support for CA73 CPUs
+
+[ Upstream commit a0f890aba2be33377f4eb24e13633c4a76a68f38 ]
+
+This patch is to add the AMBA device ID for CA73 CPU, so that CPU debug
+module can be initialized successfully when a SoC contain CA73 CPUs.
+
+This patch has been verified on 96boards Hikey960.
+
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-cpu-debug.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+index 45b2460f3166..e8819d750938 100644
+--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+@@ -668,6 +668,10 @@ static const struct amba_id debug_ids[] = {
+ .id = 0x000bbd08,
+ .mask = 0x000fffff,
+ },
++ { /* Debug for Cortex-A73 */
++ .id = 0x000bbd09,
++ .mask = 0x000fffff,
++ },
+ { 0, 0 },
+ };
+
+--
+2.19.1
+
--- /dev/null
+From 3edad5fa420ff2a9209b4611c12bda41fa6c426e Mon Sep 17 00:00:00 2001
+From: Lars Persson <lars.persson@axis.com>
+Date: Wed, 23 Jan 2019 12:59:42 +0100
+Subject: crypto: axis - fix for recursive locking from bottom half
+
+[ Upstream commit c34a83820f59bb275e5f2d55cd5ea99c64f6ef23 ]
+
+Clients may submit a new requests from the completion callback
+context. The driver was not prepared to receive a request in this
+state because it already held the request queue lock and a recursive
+lock error is triggered.
+
+Now all completions are queued up until we are ready to drop the queue
+lock and then delivered.
+
+The fault was triggered by TCP over an IPsec connection in the LTP
+test suite:
+ LTP: starting tcp4_ipsec02 (tcp_ipsec.sh -p ah -m transport -s "100 1000 65535")
+ BUG: spinlock recursion on CPU#1, genload/943
+ lock: 0xbf3c3094, .magic: dead4ead, .owner: genload/943, .owner_cpu: 1
+ CPU: 1 PID: 943 Comm: genload Tainted: G O 4.9.62-axis5-devel #6
+ Hardware name: Axis ARTPEC-6 Platform
+ (unwind_backtrace) from [<8010d134>] (show_stack+0x18/0x1c)
+ (show_stack) from [<803a289c>] (dump_stack+0x84/0x98)
+ (dump_stack) from [<8016e164>] (do_raw_spin_lock+0x124/0x128)
+ (do_raw_spin_lock) from [<804de1a4>] (artpec6_crypto_submit+0x2c/0xa0)
+ (artpec6_crypto_submit) from [<804def38>] (artpec6_crypto_prepare_submit_hash+0xd0/0x54c)
+ (artpec6_crypto_prepare_submit_hash) from [<7f3165f0>] (ah_output+0x2a4/0x3dc [ah4])
+ (ah_output [ah4]) from [<805df9bc>] (xfrm_output_resume+0x178/0x4a4)
+ (xfrm_output_resume) from [<805d283c>] (xfrm4_output+0xac/0xbc)
+ (xfrm4_output) from [<80587928>] (ip_queue_xmit+0x140/0x3b4)
+ (ip_queue_xmit) from [<805a13b4>] (tcp_transmit_skb+0x4c4/0x95c)
+ (tcp_transmit_skb) from [<8059f218>] (tcp_rcv_state_process+0xdf4/0xdfc)
+ (tcp_rcv_state_process) from [<805a7530>] (tcp_v4_do_rcv+0x64/0x1ac)
+ (tcp_v4_do_rcv) from [<805a9724>] (tcp_v4_rcv+0xa34/0xb74)
+ (tcp_v4_rcv) from [<80581d34>] (ip_local_deliver_finish+0x78/0x2b0)
+ (ip_local_deliver_finish) from [<8058259c>] (ip_local_deliver+0xe4/0x104)
+ (ip_local_deliver) from [<805d23ec>] (xfrm4_transport_finish+0xf4/0x144)
+ (xfrm4_transport_finish) from [<805df564>] (xfrm_input+0x4f4/0x74c)
+ (xfrm_input) from [<804de420>] (artpec6_crypto_task+0x208/0x38c)
+ (artpec6_crypto_task) from [<801271b0>] (tasklet_action+0x60/0xec)
+ (tasklet_action) from [<801266d4>] (__do_softirq+0xcc/0x3a4)
+ (__do_softirq) from [<80126d20>] (irq_exit+0xf4/0x15c)
+ (irq_exit) from [<801741e8>] (__handle_domain_irq+0x68/0xbc)
+ (__handle_domain_irq) from [<801014f0>] (gic_handle_irq+0x50/0x94)
+ (gic_handle_irq) from [<80657370>] (__irq_usr+0x50/0x80)
+
+Signed-off-by: Lars Persson <larper@axis.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/axis/artpec6_crypto.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/crypto/axis/artpec6_crypto.c b/drivers/crypto/axis/artpec6_crypto.c
+index 7f07a5085e9b..fdcdc751d03b 100644
+--- a/drivers/crypto/axis/artpec6_crypto.c
++++ b/drivers/crypto/axis/artpec6_crypto.c
+@@ -284,6 +284,7 @@ enum artpec6_crypto_hash_flags {
+
+ struct artpec6_crypto_req_common {
+ struct list_head list;
++ struct list_head complete_in_progress;
+ struct artpec6_crypto_dma_descriptors *dma;
+ struct crypto_async_request *req;
+ void (*complete)(struct crypto_async_request *req);
+@@ -2046,7 +2047,8 @@ static int artpec6_crypto_prepare_aead(struct aead_request *areq)
+ return artpec6_crypto_dma_map_descs(common);
+ }
+
+-static void artpec6_crypto_process_queue(struct artpec6_crypto *ac)
++static void artpec6_crypto_process_queue(struct artpec6_crypto *ac,
++ struct list_head *completions)
+ {
+ struct artpec6_crypto_req_common *req;
+
+@@ -2057,7 +2059,7 @@ static void artpec6_crypto_process_queue(struct artpec6_crypto *ac)
+ list_move_tail(&req->list, &ac->pending);
+ artpec6_crypto_start_dma(req);
+
+- req->req->complete(req->req, -EINPROGRESS);
++ list_add_tail(&req->complete_in_progress, completions);
+ }
+
+ /*
+@@ -2087,6 +2089,11 @@ static void artpec6_crypto_task(unsigned long data)
+ struct artpec6_crypto *ac = (struct artpec6_crypto *)data;
+ struct artpec6_crypto_req_common *req;
+ struct artpec6_crypto_req_common *n;
++ struct list_head complete_done;
++ struct list_head complete_in_progress;
++
++ INIT_LIST_HEAD(&complete_done);
++ INIT_LIST_HEAD(&complete_in_progress);
+
+ if (list_empty(&ac->pending)) {
+ pr_debug("Spurious IRQ\n");
+@@ -2120,19 +2127,30 @@ static void artpec6_crypto_task(unsigned long data)
+
+ pr_debug("Completing request %p\n", req);
+
+- list_del(&req->list);
++ list_move_tail(&req->list, &complete_done);
+
+ artpec6_crypto_dma_unmap_all(req);
+ artpec6_crypto_copy_bounce_buffers(req);
+
+ ac->pending_count--;
+ artpec6_crypto_common_destroy(req);
+- req->complete(req->req);
+ }
+
+- artpec6_crypto_process_queue(ac);
++ artpec6_crypto_process_queue(ac, &complete_in_progress);
+
+ spin_unlock_bh(&ac->queue_lock);
++
++ /* Perform the completion callbacks without holding the queue lock
++ * to allow new request submissions from the callbacks.
++ */
++ list_for_each_entry_safe(req, n, &complete_done, list) {
++ req->complete(req->req);
++ }
++
++ list_for_each_entry_safe(req, n, &complete_in_progress,
++ complete_in_progress) {
++ req->req->complete(req->req, -EINPROGRESS);
++ }
+ }
+
+ static void artpec6_crypto_complete_crypto(struct crypto_async_request *req)
+--
+2.19.1
+
--- /dev/null
+From cfb46ec7f0e3a2063ad61110a50ba080cde623da Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Sat, 16 Feb 2019 14:51:25 +0100
+Subject: crypto: sha256/arm - fix crash bug in Thumb2 build
+
+[ Upstream commit 69216a545cf81b2b32d01948f7039315abaf75a0 ]
+
+The SHA256 code we adopted from the OpenSSL project uses a rather
+peculiar way to take the address of the round constant table: it
+takes the address of the sha256_block_data_order() routine, and
+substracts a constant known quantity to arrive at the base of the
+table, which is emitted by the same assembler code right before
+the routine's entry point.
+
+However, recent versions of binutils have helpfully changed the
+behavior of references emitted via an ADR instruction when running
+in Thumb2 mode: it now takes the Thumb execution mode bit into
+account, which is bit 0 af the address. This means the produced
+table address also has bit 0 set, and so we end up with an address
+value pointing 1 byte past the start of the table, which results
+in crashes such as
+
+ Unable to handle kernel paging request at virtual address bf825000
+ pgd = 42f44b11
+ [bf825000] *pgd=80000040206003, *pmd=5f1bd003, *pte=00000000
+ Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2
+ Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ...
+ CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144
+ Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+ PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm]
+ LR is at __this_module+0x17fd/0xffffe800 [sha256_arm]
+ pc : [<bf820bca>] lr : [<bf824ffd>] psr: 800b0033
+ sp : ebc8bbe8 ip : faaabe1c fp : 2fdd3433
+ r10: 4c5f1692 r9 : e43037df r8 : b04b0a5a
+ r7 : c369d722 r6 : 39c3693e r5 : 7a013189 r4 : 1580d26b
+ r3 : 8762a9b0 r2 : eea9c2cd r1 : 3e9ab536 r0 : 1dea4ae7
+ Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user
+ Control: 70c5383d Table: 6b8467c0 DAC: dbadc0de
+ Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23)
+ Stack: (0xebc8bbe8 to 0xebc8c000)
+ ...
+ unwind: Unknown symbol address bf820bca
+ unwind: Index not found bf820bca
+ Code: 441a ea80 40f9 440a (f85e) 3b04
+ ---[ end trace e560cce92700ef8a ]---
+
+Given that this affects older kernels as well, in case they are built
+with a recent toolchain, apply a minimal backportable fix, which is
+to emit another non-code label at the start of the routine, and
+reference that instead. (This is similar to the current upstream state
+of this file in OpenSSL)
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/crypto/sha256-armv4.pl | 3 ++-
+ arch/arm/crypto/sha256-core.S_shipped | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/crypto/sha256-armv4.pl b/arch/arm/crypto/sha256-armv4.pl
+index b9ec44060ed3..a03cf4dfb781 100644
+--- a/arch/arm/crypto/sha256-armv4.pl
++++ b/arch/arm/crypto/sha256-armv4.pl
+@@ -212,10 +212,11 @@ K256:
+ .global sha256_block_data_order
+ .type sha256_block_data_order,%function
+ sha256_block_data_order:
++.Lsha256_block_data_order:
+ #if __ARM_ARCH__<7
+ sub r3,pc,#8 @ sha256_block_data_order
+ #else
+- adr r3,sha256_block_data_order
++ adr r3,.Lsha256_block_data_order
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ ldr r12,.LOPENSSL_armcap
+diff --git a/arch/arm/crypto/sha256-core.S_shipped b/arch/arm/crypto/sha256-core.S_shipped
+index 3b58300d611c..054aae0edfce 100644
+--- a/arch/arm/crypto/sha256-core.S_shipped
++++ b/arch/arm/crypto/sha256-core.S_shipped
+@@ -93,10 +93,11 @@ K256:
+ .global sha256_block_data_order
+ .type sha256_block_data_order,%function
+ sha256_block_data_order:
++.Lsha256_block_data_order:
+ #if __ARM_ARCH__<7
+ sub r3,pc,#8 @ sha256_block_data_order
+ #else
+- adr r3,sha256_block_data_order
++ adr r3,.Lsha256_block_data_order
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ ldr r12,.LOPENSSL_armcap
+--
+2.19.1
+
--- /dev/null
+From 887cda0b2577e61875de1c9fe23a8e74869f27e6 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Sat, 16 Feb 2019 14:51:26 +0100
+Subject: crypto: sha512/arm - fix crash bug in Thumb2 build
+
+[ Upstream commit c64316502008064c158fa40cc250665e461b0f2a ]
+
+The SHA512 code we adopted from the OpenSSL project uses a rather
+peculiar way to take the address of the round constant table: it
+takes the address of the sha256_block_data_order() routine, and
+substracts a constant known quantity to arrive at the base of the
+table, which is emitted by the same assembler code right before
+the routine's entry point.
+
+However, recent versions of binutils have helpfully changed the
+behavior of references emitted via an ADR instruction when running
+in Thumb2 mode: it now takes the Thumb execution mode bit into
+account, which is bit 0 af the address. This means the produced
+table address also has bit 0 set, and so we end up with an address
+value pointing 1 byte past the start of the table, which results
+in crashes such as
+
+ Unable to handle kernel paging request at virtual address bf825000
+ pgd = 42f44b11
+ [bf825000] *pgd=80000040206003, *pmd=5f1bd003, *pte=00000000
+ Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2
+ Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ...
+ CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144
+ Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+ PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm]
+ LR is at __this_module+0x17fd/0xffffe800 [sha256_arm]
+ pc : [<bf820bca>] lr : [<bf824ffd>] psr: 800b0033
+ sp : ebc8bbe8 ip : faaabe1c fp : 2fdd3433
+ r10: 4c5f1692 r9 : e43037df r8 : b04b0a5a
+ r7 : c369d722 r6 : 39c3693e r5 : 7a013189 r4 : 1580d26b
+ r3 : 8762a9b0 r2 : eea9c2cd r1 : 3e9ab536 r0 : 1dea4ae7
+ Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user
+ Control: 70c5383d Table: 6b8467c0 DAC: dbadc0de
+ Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23)
+ Stack: (0xebc8bbe8 to 0xebc8c000)
+ ...
+ unwind: Unknown symbol address bf820bca
+ unwind: Index not found bf820bca
+ Code: 441a ea80 40f9 440a (f85e) 3b04
+ ---[ end trace e560cce92700ef8a ]---
+
+Given that this affects older kernels as well, in case they are built
+with a recent toolchain, apply a minimal backportable fix, which is
+to emit another non-code label at the start of the routine, and
+reference that instead. (This is similar to the current upstream state
+of this file in OpenSSL)
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/crypto/sha512-armv4.pl | 3 ++-
+ arch/arm/crypto/sha512-core.S_shipped | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/crypto/sha512-armv4.pl b/arch/arm/crypto/sha512-armv4.pl
+index fb5d15048c0b..788c17b56ecc 100644
+--- a/arch/arm/crypto/sha512-armv4.pl
++++ b/arch/arm/crypto/sha512-armv4.pl
+@@ -274,10 +274,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
+ .global sha512_block_data_order
+ .type sha512_block_data_order,%function
+ sha512_block_data_order:
++.Lsha512_block_data_order:
+ #if __ARM_ARCH__<7
+ sub r3,pc,#8 @ sha512_block_data_order
+ #else
+- adr r3,sha512_block_data_order
++ adr r3,.Lsha512_block_data_order
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ ldr r12,.LOPENSSL_armcap
+diff --git a/arch/arm/crypto/sha512-core.S_shipped b/arch/arm/crypto/sha512-core.S_shipped
+index b1c334a49cda..710ea309769e 100644
+--- a/arch/arm/crypto/sha512-core.S_shipped
++++ b/arch/arm/crypto/sha512-core.S_shipped
+@@ -141,10 +141,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
+ .global sha512_block_data_order
+ .type sha512_block_data_order,%function
+ sha512_block_data_order:
++.Lsha512_block_data_order:
+ #if __ARM_ARCH__<7
+ sub r3,pc,#8 @ sha512_block_data_order
+ #else
+- adr r3,sha512_block_data_order
++ adr r3,.Lsha512_block_data_order
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ ldr r12,.LOPENSSL_armcap
+--
+2.19.1
+
--- /dev/null
+From e2cab22404b134be5fac853ead07f6bd86ee25b5 Mon Sep 17 00:00:00 2001
+From: Kevin Wang <kevin1.wang@amd.com>
+Date: Fri, 22 Feb 2019 12:36:49 +0800
+Subject: drm/amdkfd: use init_mqd function to allocate object for hid_mqd (CI)
+
+[ Upstream commit cac734c2dbd2514f14c8c6a17caba1990d83bf1d ]
+
+if use the legacy method to allocate object, when mqd_hiq need to run
+uninit code, it will be cause WARNING call trace.
+
+eg: (s3 suspend test)
+[ 34.918944] Call Trace:
+[ 34.918948] [<ffffffff92961dc1>] dump_stack+0x19/0x1b
+[ 34.918950] [<ffffffff92297648>] __warn+0xd8/0x100
+[ 34.918951] [<ffffffff9229778d>] warn_slowpath_null+0x1d/0x20
+[ 34.918991] [<ffffffffc03ce1fe>] uninit_mqd_hiq_sdma+0x4e/0x50 [amdgpu]
+[ 34.919028] [<ffffffffc03d0ef7>] uninitialize+0x37/0xe0 [amdgpu]
+[ 34.919064] [<ffffffffc03d15a6>] kernel_queue_uninit+0x16/0x30 [amdgpu]
+[ 34.919086] [<ffffffffc03d26c2>] pm_uninit+0x12/0x20 [amdgpu]
+[ 34.919107] [<ffffffffc03d4915>] stop_nocpsch+0x15/0x20 [amdgpu]
+[ 34.919129] [<ffffffffc03c1dce>] kgd2kfd_suspend.part.4+0x2e/0x50 [amdgpu]
+[ 34.919150] [<ffffffffc03c2667>] kgd2kfd_suspend+0x17/0x20 [amdgpu]
+[ 34.919171] [<ffffffffc03c103a>] amdgpu_amdkfd_suspend+0x1a/0x20 [amdgpu]
+[ 34.919187] [<ffffffffc02ec428>] amdgpu_device_suspend+0x88/0x3a0 [amdgpu]
+[ 34.919189] [<ffffffff922e22cf>] ? enqueue_entity+0x2ef/0xbe0
+[ 34.919205] [<ffffffffc02e8220>] amdgpu_pmops_suspend+0x20/0x30 [amdgpu]
+[ 34.919207] [<ffffffff925c56ff>] pci_pm_suspend+0x6f/0x150
+[ 34.919208] [<ffffffff925c5690>] ? pci_pm_freeze+0xf0/0xf0
+[ 34.919210] [<ffffffff926b45c6>] dpm_run_callback+0x46/0x90
+[ 34.919212] [<ffffffff926b49db>] __device_suspend+0xfb/0x2a0
+[ 34.919213] [<ffffffff926b4b9f>] async_suspend+0x1f/0xa0
+[ 34.919214] [<ffffffff922c918f>] async_run_entry_fn+0x3f/0x130
+[ 34.919216] [<ffffffff922b9d4f>] process_one_work+0x17f/0x440
+[ 34.919217] [<ffffffff922bade6>] worker_thread+0x126/0x3c0
+[ 34.919218] [<ffffffff922bacc0>] ? manage_workers.isra.25+0x2a0/0x2a0
+[ 34.919220] [<ffffffff922c1c31>] kthread+0xd1/0xe0
+[ 34.919221] [<ffffffff922c1b60>] ? insert_kthread_work+0x40/0x40
+[ 34.919222] [<ffffffff92974c1d>] ret_from_fork_nospec_begin+0x7/0x21
+[ 34.919224] [<ffffffff922c1b60>] ? insert_kthread_work+0x40/0x40
+[ 34.919224] ---[ end trace 38cd9f65c963adad ]---
+
+Signed-off-by: Kevin Wang <kevin1.wang@amd.com>
+Reviewed-by: Oak Zeng <Oak.Zeng@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c | 52 +------------------
+ 1 file changed, 1 insertion(+), 51 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
+index 47243165a082..ae90a99909ef 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
+@@ -323,57 +323,7 @@ static int init_mqd_hiq(struct mqd_manager *mm, void **mqd,
+ struct kfd_mem_obj **mqd_mem_obj, uint64_t *gart_addr,
+ struct queue_properties *q)
+ {
+- uint64_t addr;
+- struct cik_mqd *m;
+- int retval;
+-
+- retval = kfd_gtt_sa_allocate(mm->dev, sizeof(struct cik_mqd),
+- mqd_mem_obj);
+-
+- if (retval != 0)
+- return -ENOMEM;
+-
+- m = (struct cik_mqd *) (*mqd_mem_obj)->cpu_ptr;
+- addr = (*mqd_mem_obj)->gpu_addr;
+-
+- memset(m, 0, ALIGN(sizeof(struct cik_mqd), 256));
+-
+- m->header = 0xC0310800;
+- m->compute_pipelinestat_enable = 1;
+- m->compute_static_thread_mgmt_se0 = 0xFFFFFFFF;
+- m->compute_static_thread_mgmt_se1 = 0xFFFFFFFF;
+- m->compute_static_thread_mgmt_se2 = 0xFFFFFFFF;
+- m->compute_static_thread_mgmt_se3 = 0xFFFFFFFF;
+-
+- m->cp_hqd_persistent_state = DEFAULT_CP_HQD_PERSISTENT_STATE |
+- PRELOAD_REQ;
+- m->cp_hqd_quantum = QUANTUM_EN | QUANTUM_SCALE_1MS |
+- QUANTUM_DURATION(10);
+-
+- m->cp_mqd_control = MQD_CONTROL_PRIV_STATE_EN;
+- m->cp_mqd_base_addr_lo = lower_32_bits(addr);
+- m->cp_mqd_base_addr_hi = upper_32_bits(addr);
+-
+- m->cp_hqd_ib_control = DEFAULT_MIN_IB_AVAIL_SIZE;
+-
+- /*
+- * Pipe Priority
+- * Identifies the pipe relative priority when this queue is connected
+- * to the pipeline. The pipe priority is against the GFX pipe and HP3D.
+- * In KFD we are using a fixed pipe priority set to CS_MEDIUM.
+- * 0 = CS_LOW (typically below GFX)
+- * 1 = CS_MEDIUM (typically between HP3D and GFX
+- * 2 = CS_HIGH (typically above HP3D)
+- */
+- m->cp_hqd_pipe_priority = 1;
+- m->cp_hqd_queue_priority = 15;
+-
+- *mqd = m;
+- if (gart_addr)
+- *gart_addr = addr;
+- retval = mm->update_mqd(mm, m, q);
+-
+- return retval;
++ return init_mqd(mm, mqd, mqd_mem_obj, gart_addr, q);
+ }
+
+ static int update_mqd_hiq(struct mqd_manager *mm, void *mqd,
+--
+2.19.1
+
--- /dev/null
+From e7d7b0c2388d658d971c60b7b5a45fa8728dcb71 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Fri, 20 Jul 2018 13:27:43 +0200
+Subject: drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up
+
+[ Upstream commit abf7b30d7f61d981bfcca65d1e8331b27021b475 ]
+
+In the Cirrus driver, the regular clean-up code also performs the clean-up
+of a failed initialization. If the fbdev's framebuffer was not initialized,
+the clean-up will fail within drm_framebuffer_unregister_private. Booting
+with cirrus.bpp=16 triggers this bug.
+
+The framebuffer is currently stored directly within struct cirrus_fbdev. To
+fix the bug, we turn it into a pointer that is only set for initialized
+framebuffers. The fbdev's clean-up code skips uninitialized framebuffers.
+
+The memory for struct drm_framebuffer is allocated dynamically. This requires
+additional error handling within cirrusfb_create. The framebuffer clean-up is
+now performed by drm_framebuffer_put, which also frees the data strcuture's
+memory.
+
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1101822
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: http://patchwork.freedesktop.org/patch/msgid/20180720112743.27159-1-tzimmermann@suse.de
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/cirrus/cirrus_drv.h | 2 +-
+ drivers/gpu/drm/cirrus/cirrus_fbdev.c | 48 +++++++++++++++------------
+ drivers/gpu/drm/cirrus/cirrus_mode.c | 2 +-
+ 3 files changed, 29 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/gpu/drm/cirrus/cirrus_drv.h b/drivers/gpu/drm/cirrus/cirrus_drv.h
+index ce9db7aab225..a29f87e98d9d 100644
+--- a/drivers/gpu/drm/cirrus/cirrus_drv.h
++++ b/drivers/gpu/drm/cirrus/cirrus_drv.h
+@@ -146,7 +146,7 @@ struct cirrus_device {
+
+ struct cirrus_fbdev {
+ struct drm_fb_helper helper;
+- struct drm_framebuffer gfb;
++ struct drm_framebuffer *gfb;
+ void *sysram;
+ int size;
+ int x1, y1, x2, y2; /* dirty rect */
+diff --git a/drivers/gpu/drm/cirrus/cirrus_fbdev.c b/drivers/gpu/drm/cirrus/cirrus_fbdev.c
+index b643ac92801c..82cc82e0bd80 100644
+--- a/drivers/gpu/drm/cirrus/cirrus_fbdev.c
++++ b/drivers/gpu/drm/cirrus/cirrus_fbdev.c
+@@ -22,14 +22,14 @@ static void cirrus_dirty_update(struct cirrus_fbdev *afbdev,
+ struct drm_gem_object *obj;
+ struct cirrus_bo *bo;
+ int src_offset, dst_offset;
+- int bpp = afbdev->gfb.format->cpp[0];
++ int bpp = afbdev->gfb->format->cpp[0];
+ int ret = -EBUSY;
+ bool unmap = false;
+ bool store_for_later = false;
+ int x2, y2;
+ unsigned long flags;
+
+- obj = afbdev->gfb.obj[0];
++ obj = afbdev->gfb->obj[0];
+ bo = gem_to_cirrus_bo(obj);
+
+ /*
+@@ -82,7 +82,7 @@ static void cirrus_dirty_update(struct cirrus_fbdev *afbdev,
+ }
+ for (i = y; i < y + height; i++) {
+ /* assume equal stride for now */
+- src_offset = dst_offset = i * afbdev->gfb.pitches[0] + (x * bpp);
++ src_offset = dst_offset = i * afbdev->gfb->pitches[0] + (x * bpp);
+ memcpy_toio(bo->kmap.virtual + src_offset, afbdev->sysram + src_offset, width * bpp);
+
+ }
+@@ -192,23 +192,26 @@ static int cirrusfb_create(struct drm_fb_helper *helper,
+ return -ENOMEM;
+
+ info = drm_fb_helper_alloc_fbi(helper);
+- if (IS_ERR(info))
+- return PTR_ERR(info);
++ if (IS_ERR(info)) {
++ ret = PTR_ERR(info);
++ goto err_vfree;
++ }
+
+ info->par = gfbdev;
+
+- ret = cirrus_framebuffer_init(cdev->dev, &gfbdev->gfb, &mode_cmd, gobj);
++ fb = kzalloc(sizeof(*fb), GFP_KERNEL);
++ if (!fb) {
++ ret = -ENOMEM;
++ goto err_drm_gem_object_put_unlocked;
++ }
++
++ ret = cirrus_framebuffer_init(cdev->dev, fb, &mode_cmd, gobj);
+ if (ret)
+- return ret;
++ goto err_kfree;
+
+ gfbdev->sysram = sysram;
+ gfbdev->size = size;
+-
+- fb = &gfbdev->gfb;
+- if (!fb) {
+- DRM_INFO("fb is NULL\n");
+- return -EINVAL;
+- }
++ gfbdev->gfb = fb;
+
+ /* setup helper */
+ gfbdev->helper.fb = fb;
+@@ -241,24 +244,27 @@ static int cirrusfb_create(struct drm_fb_helper *helper,
+ DRM_INFO(" pitch is %d\n", fb->pitches[0]);
+
+ return 0;
++
++err_kfree:
++ kfree(fb);
++err_drm_gem_object_put_unlocked:
++ drm_gem_object_put_unlocked(gobj);
++err_vfree:
++ vfree(sysram);
++ return ret;
+ }
+
+ static int cirrus_fbdev_destroy(struct drm_device *dev,
+ struct cirrus_fbdev *gfbdev)
+ {
+- struct drm_framebuffer *gfb = &gfbdev->gfb;
++ struct drm_framebuffer *gfb = gfbdev->gfb;
+
+ drm_fb_helper_unregister_fbi(&gfbdev->helper);
+
+- if (gfb->obj[0]) {
+- drm_gem_object_put_unlocked(gfb->obj[0]);
+- gfb->obj[0] = NULL;
+- }
+-
+ vfree(gfbdev->sysram);
+ drm_fb_helper_fini(&gfbdev->helper);
+- drm_framebuffer_unregister_private(gfb);
+- drm_framebuffer_cleanup(gfb);
++ if (gfb)
++ drm_framebuffer_put(gfb);
+
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/cirrus/cirrus_mode.c b/drivers/gpu/drm/cirrus/cirrus_mode.c
+index 336bfda40125..90a4e641d3fb 100644
+--- a/drivers/gpu/drm/cirrus/cirrus_mode.c
++++ b/drivers/gpu/drm/cirrus/cirrus_mode.c
+@@ -127,7 +127,7 @@ static int cirrus_crtc_do_set_base(struct drm_crtc *crtc,
+ return ret;
+ }
+
+- if (&cdev->mode_info.gfbdev->gfb == crtc->primary->fb) {
++ if (cdev->mode_info.gfbdev->gfb == crtc->primary->fb) {
+ /* if pushing console in kmap it */
+ ret = ttm_bo_kmap(&bo->bo, 0, bo->bo.num_pages, &bo->kmap);
+ if (ret)
+--
+2.19.1
+
--- /dev/null
+From 76e46a2fd90d8390c2020dfd43a77758859f52da Mon Sep 17 00:00:00 2001
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Tue, 19 Mar 2019 14:05:11 +0100
+Subject: drm/exynos/mixer: fix MIXER shadow registry synchronisation code
+
+[ Upstream commit 6a3b45ada960ac475ec2b4103d43e57943b2b8d3 ]
+
+MIXER on Exynos5 SoCs uses different synchronisation method than Exynos4
+to update internal state (shadow registers).
+Apparently the driver implements it incorrectly. The rule should be
+as follows:
+- do not request updating registers until previous request was finished,
+ ie. MXR_CFG_LAYER_UPDATE_COUNT must be 0.
+- before setting registers synchronisation on VSYNC should be turned off,
+ ie. MXR_STATUS_SYNC_ENABLE should be reset,
+- after finishing MXR_STATUS_SYNC_ENABLE should be set again.
+The patch hopefully implements it correctly.
+Below sample kernel log from page fault caused by the bug:
+
+[ 25.670038] exynos-sysmmu 14650000.sysmmu: 14450000.mixer: PAGE FAULT occurred at 0x2247b800
+[ 25.677888] ------------[ cut here ]------------
+[ 25.682164] kernel BUG at ../drivers/iommu/exynos-iommu.c:450!
+[ 25.687971] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
+[ 25.693778] Modules linked in:
+[ 25.696816] CPU: 5 PID: 1553 Comm: fb-release_test Not tainted 5.0.0-rc7-01157-g5f86b1566bdd #136
+[ 25.705646] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+[ 25.711710] PC is at exynos_sysmmu_irq+0x1c0/0x264
+[ 25.716470] LR is at lock_is_held_type+0x44/0x64
+
+v2: added missing MXR_CFG_LAYER_UPDATE bit setting in mixer_enable_sync
+
+Reported-by: Marian Mihailescu <mihailescu2m@gmail.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_mixer.c | 110 +++++++++++++++-----------
+ 1 file changed, 66 insertions(+), 44 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_mixer.c b/drivers/gpu/drm/exynos/exynos_mixer.c
+index ffbf4a950f69..522d6c46d7b1 100644
+--- a/drivers/gpu/drm/exynos/exynos_mixer.c
++++ b/drivers/gpu/drm/exynos/exynos_mixer.c
+@@ -20,6 +20,7 @@
+ #include "regs-vp.h"
+
+ #include <linux/kernel.h>
++#include <linux/ktime.h>
+ #include <linux/spinlock.h>
+ #include <linux/wait.h>
+ #include <linux/i2c.h>
+@@ -337,15 +338,62 @@ static void mixer_cfg_vp_blend(struct mixer_context *ctx)
+ mixer_reg_write(ctx, MXR_VIDEO_CFG, val);
+ }
+
+-static void mixer_vsync_set_update(struct mixer_context *ctx, bool enable)
++static bool mixer_is_synced(struct mixer_context *ctx)
+ {
+- /* block update on vsync */
+- mixer_reg_writemask(ctx, MXR_STATUS, enable ?
+- MXR_STATUS_SYNC_ENABLE : 0, MXR_STATUS_SYNC_ENABLE);
++ u32 base, shadow;
+
++ if (ctx->mxr_ver == MXR_VER_16_0_33_0 ||
++ ctx->mxr_ver == MXR_VER_128_0_0_184)
++ return !(mixer_reg_read(ctx, MXR_CFG) &
++ MXR_CFG_LAYER_UPDATE_COUNT_MASK);
++
++ if (test_bit(MXR_BIT_VP_ENABLED, &ctx->flags) &&
++ vp_reg_read(ctx, VP_SHADOW_UPDATE))
++ return false;
++
++ base = mixer_reg_read(ctx, MXR_CFG);
++ shadow = mixer_reg_read(ctx, MXR_CFG_S);
++ if (base != shadow)
++ return false;
++
++ base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(0));
++ shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(0));
++ if (base != shadow)
++ return false;
++
++ base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(1));
++ shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(1));
++ if (base != shadow)
++ return false;
++
++ return true;
++}
++
++static int mixer_wait_for_sync(struct mixer_context *ctx)
++{
++ ktime_t timeout = ktime_add_us(ktime_get(), 100000);
++
++ while (!mixer_is_synced(ctx)) {
++ usleep_range(1000, 2000);
++ if (ktime_compare(ktime_get(), timeout) > 0)
++ return -ETIMEDOUT;
++ }
++ return 0;
++}
++
++static void mixer_disable_sync(struct mixer_context *ctx)
++{
++ mixer_reg_writemask(ctx, MXR_STATUS, 0, MXR_STATUS_SYNC_ENABLE);
++}
++
++static void mixer_enable_sync(struct mixer_context *ctx)
++{
++ if (ctx->mxr_ver == MXR_VER_16_0_33_0 ||
++ ctx->mxr_ver == MXR_VER_128_0_0_184)
++ mixer_reg_writemask(ctx, MXR_CFG, ~0, MXR_CFG_LAYER_UPDATE);
++ mixer_reg_writemask(ctx, MXR_STATUS, ~0, MXR_STATUS_SYNC_ENABLE);
+ if (test_bit(MXR_BIT_VP_ENABLED, &ctx->flags))
+- vp_reg_write(ctx, VP_SHADOW_UPDATE, enable ?
+- VP_SHADOW_UPDATE_ENABLE : 0);
++ vp_reg_write(ctx, VP_SHADOW_UPDATE, VP_SHADOW_UPDATE_ENABLE);
+ }
+
+ static void mixer_cfg_scan(struct mixer_context *ctx, int width, int height)
+@@ -482,7 +530,6 @@ static void vp_video_buffer(struct mixer_context *ctx,
+
+ spin_lock_irqsave(&ctx->reg_slock, flags);
+
+- vp_reg_write(ctx, VP_SHADOW_UPDATE, 1);
+ /* interlace or progressive scan mode */
+ val = (test_bit(MXR_BIT_INTERLACE, &ctx->flags) ? ~0 : 0);
+ vp_reg_writemask(ctx, VP_MODE, val, VP_MODE_LINE_SKIP);
+@@ -537,11 +584,6 @@ static void vp_video_buffer(struct mixer_context *ctx,
+ vp_regs_dump(ctx);
+ }
+
+-static void mixer_layer_update(struct mixer_context *ctx)
+-{
+- mixer_reg_writemask(ctx, MXR_CFG, ~0, MXR_CFG_LAYER_UPDATE);
+-}
+-
+ static void mixer_graph_buffer(struct mixer_context *ctx,
+ struct exynos_drm_plane *plane)
+ {
+@@ -618,11 +660,6 @@ static void mixer_graph_buffer(struct mixer_context *ctx,
+ mixer_cfg_layer(ctx, win, priority, true);
+ mixer_cfg_gfx_blend(ctx, win, fb->format->has_alpha);
+
+- /* layer update mandatory for mixer 16.0.33.0 */
+- if (ctx->mxr_ver == MXR_VER_16_0_33_0 ||
+- ctx->mxr_ver == MXR_VER_128_0_0_184)
+- mixer_layer_update(ctx);
+-
+ spin_unlock_irqrestore(&ctx->reg_slock, flags);
+
+ mixer_regs_dump(ctx);
+@@ -687,7 +724,7 @@ static void mixer_win_reset(struct mixer_context *ctx)
+ static irqreturn_t mixer_irq_handler(int irq, void *arg)
+ {
+ struct mixer_context *ctx = arg;
+- u32 val, base, shadow;
++ u32 val;
+
+ spin_lock(&ctx->reg_slock);
+
+@@ -701,26 +738,9 @@ static irqreturn_t mixer_irq_handler(int irq, void *arg)
+ val &= ~MXR_INT_STATUS_VSYNC;
+
+ /* interlace scan need to check shadow register */
+- if (test_bit(MXR_BIT_INTERLACE, &ctx->flags)) {
+- if (test_bit(MXR_BIT_VP_ENABLED, &ctx->flags) &&
+- vp_reg_read(ctx, VP_SHADOW_UPDATE))
+- goto out;
+-
+- base = mixer_reg_read(ctx, MXR_CFG);
+- shadow = mixer_reg_read(ctx, MXR_CFG_S);
+- if (base != shadow)
+- goto out;
+-
+- base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(0));
+- shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(0));
+- if (base != shadow)
+- goto out;
+-
+- base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(1));
+- shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(1));
+- if (base != shadow)
+- goto out;
+- }
++ if (test_bit(MXR_BIT_INTERLACE, &ctx->flags)
++ && !mixer_is_synced(ctx))
++ goto out;
+
+ drm_crtc_handle_vblank(&ctx->crtc->base);
+ }
+@@ -895,12 +915,14 @@ static void mixer_disable_vblank(struct exynos_drm_crtc *crtc)
+
+ static void mixer_atomic_begin(struct exynos_drm_crtc *crtc)
+ {
+- struct mixer_context *mixer_ctx = crtc->ctx;
++ struct mixer_context *ctx = crtc->ctx;
+
+- if (!test_bit(MXR_BIT_POWERED, &mixer_ctx->flags))
++ if (!test_bit(MXR_BIT_POWERED, &ctx->flags))
+ return;
+
+- mixer_vsync_set_update(mixer_ctx, false);
++ if (mixer_wait_for_sync(ctx))
++ dev_err(ctx->dev, "timeout waiting for VSYNC\n");
++ mixer_disable_sync(ctx);
+ }
+
+ static void mixer_update_plane(struct exynos_drm_crtc *crtc,
+@@ -942,7 +964,7 @@ static void mixer_atomic_flush(struct exynos_drm_crtc *crtc)
+ if (!test_bit(MXR_BIT_POWERED, &mixer_ctx->flags))
+ return;
+
+- mixer_vsync_set_update(mixer_ctx, true);
++ mixer_enable_sync(mixer_ctx);
+ exynos_crtc_handle_event(crtc);
+ }
+
+@@ -957,7 +979,7 @@ static void mixer_enable(struct exynos_drm_crtc *crtc)
+
+ exynos_drm_pipe_clk_enable(crtc, true);
+
+- mixer_vsync_set_update(ctx, false);
++ mixer_disable_sync(ctx);
+
+ mixer_reg_writemask(ctx, MXR_STATUS, ~0, MXR_STATUS_SOFT_RESET);
+
+@@ -970,7 +992,7 @@ static void mixer_enable(struct exynos_drm_crtc *crtc)
+
+ mixer_commit(ctx);
+
+- mixer_vsync_set_update(ctx, true);
++ mixer_enable_sync(ctx);
+
+ set_bit(MXR_BIT_POWERED, &ctx->flags);
+ }
+--
+2.19.1
+
--- /dev/null
+From 295e892ac600610cf3c6304a287187af5d8c12f2 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 28 Feb 2019 20:24:59 +0800
+Subject: drm/nouveau/debugfs: Fix check of pm_runtime_get_sync failure
+
+[ Upstream commit 909e9c9c428376e2a43d178ed4b0a2d5ba9cb7d3 ]
+
+pm_runtime_get_sync returns negative on failure.
+
+Fixes: eaeb9010bb4b ("drm/nouveau/debugfs: Wake up GPU before doing any reclocking")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+index 9109b69cd052..9635704a1d86 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+@@ -161,7 +161,7 @@ nouveau_debugfs_pstate_set(struct file *file, const char __user *ubuf,
+ }
+
+ ret = pm_runtime_get_sync(drm->dev);
+- if (IS_ERR_VALUE(ret) && ret != -EACCES)
++ if (ret < 0 && ret != -EACCES)
+ return ret;
+ ret = nvif_mthd(ctrl, NVIF_CONTROL_PSTATE_USER, &args, sizeof(args));
+ pm_runtime_put_autosuspend(drm->dev);
+--
+2.19.1
+
--- /dev/null
+From d4e710cb8b53cd5a377f2d73c3f6d2d47aa22948 Mon Sep 17 00:00:00 2001
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+Date: Sun, 13 Jan 2019 17:50:10 -0500
+Subject: drm/nouveau/volt/gf117: fix speedo readout register
+
+[ Upstream commit fc782242749fa4235592854fafe1a1297583c1fb ]
+
+GF117 appears to use the same register as GK104 (but still with the
+general Fermi readout mechanism).
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108980
+Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/nouveau/include/nvkm/subdev/volt.h | 1 +
+ .../gpu/drm/nouveau/nvkm/engine/device/base.c | 2 +-
+ .../gpu/drm/nouveau/nvkm/subdev/volt/Kbuild | 1 +
+ .../gpu/drm/nouveau/nvkm/subdev/volt/gf117.c | 60 +++++++++++++++++++
+ 4 files changed, 63 insertions(+), 1 deletion(-)
+ create mode 100644 drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c
+
+diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
+index 8a0f85f5fc1a..6a765682fbfa 100644
+--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
+@@ -38,6 +38,7 @@ int nvkm_volt_set_id(struct nvkm_volt *, u8 id, u8 min_id, u8 temp,
+
+ int nv40_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+ int gf100_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
++int gf117_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+ int gk104_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+ int gk20a_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+ int gm20b_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
+index e294013426ce..347a6a4cb339 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
+@@ -1613,7 +1613,7 @@ nvd7_chipset = {
+ .pci = gf106_pci_new,
+ .therm = gf119_therm_new,
+ .timer = nv41_timer_new,
+- .volt = gf100_volt_new,
++ .volt = gf117_volt_new,
+ .ce[0] = gf100_ce_new,
+ .disp = gf119_disp_new,
+ .dma = gf119_dma_new,
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
+index bcd179ba11d0..146adcdd316a 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
+@@ -2,6 +2,7 @@ nvkm-y += nvkm/subdev/volt/base.o
+ nvkm-y += nvkm/subdev/volt/gpio.o
+ nvkm-y += nvkm/subdev/volt/nv40.o
+ nvkm-y += nvkm/subdev/volt/gf100.o
++nvkm-y += nvkm/subdev/volt/gf117.o
+ nvkm-y += nvkm/subdev/volt/gk104.o
+ nvkm-y += nvkm/subdev/volt/gk20a.o
+ nvkm-y += nvkm/subdev/volt/gm20b.o
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c
+new file mode 100644
+index 000000000000..547a58f0aeac
+--- /dev/null
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c
+@@ -0,0 +1,60 @@
++/*
++ * Copyright 2019 Ilia Mirkin
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR
++ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
++ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
++ * OTHER DEALINGS IN THE SOFTWARE.
++ *
++ * Authors: Ilia Mirkin
++ */
++#include "priv.h"
++
++#include <subdev/fuse.h>
++
++static int
++gf117_volt_speedo_read(struct nvkm_volt *volt)
++{
++ struct nvkm_device *device = volt->subdev.device;
++ struct nvkm_fuse *fuse = device->fuse;
++
++ if (!fuse)
++ return -EINVAL;
++
++ return nvkm_fuse_read(fuse, 0x3a8);
++}
++
++static const struct nvkm_volt_func
++gf117_volt = {
++ .oneinit = gf100_volt_oneinit,
++ .vid_get = nvkm_voltgpio_get,
++ .vid_set = nvkm_voltgpio_set,
++ .speedo_read = gf117_volt_speedo_read,
++};
++
++int
++gf117_volt_new(struct nvkm_device *device, int index, struct nvkm_volt **pvolt)
++{
++ struct nvkm_volt *volt;
++ int ret;
++
++ ret = nvkm_volt_new_(&gf117_volt, device, index, &volt);
++ *pvolt = volt;
++ if (ret)
++ return ret;
++
++ return nvkm_voltgpio_init(volt);
++}
+--
+2.19.1
+
--- /dev/null
+From d47c89ae94dd7c8d10b9f8d90c924066aa9a422b Mon Sep 17 00:00:00 2001
+From: "Hsin-Yi, Wang" <hsinyi@chromium.org>
+Date: Wed, 9 Jan 2019 14:59:22 +0800
+Subject: drm/panel: panel-innolux: set display off in innolux_panel_unprepare
+
+[ Upstream commit 46f3ceaffa81e846677bca8668e0ad40e643cffd ]
+
+Move mipi_dsi_dcs_set_display_off() from innolux_panel_disable()
+to innolux_panel_unprepare(), so they are consistent with
+innolux_panel_enable() and innolux_panel_prepare().
+
+This also fixes some mode check and irq timeout issue in MTK dsi code.
+
+Since some dsi code (e.g. mtk_dsi) have following call trace:
+1. drm_panel_disable(), which calls innolux_panel_disable()
+2. switch to cmd mode
+3. drm_panel_unprepare(), which calls innolux_panel_unprepare()
+
+However, mtk_dsi needs to be in cmd mode to be able to send commands
+(e.g. mipi_dsi_dcs_set_display_off() and mipi_dsi_dcs_enter_sleep_mode()),
+so we need these functions to be called after the switch to cmd mode happens,
+i.e. in innolux_panel_unprepare.
+
+Signed-off-by: Hsin-Yi, Wang <hsinyi@chromium.org>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190109065922.231753-1-hsinyi@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-innolux-p079zca.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-innolux-p079zca.c b/drivers/gpu/drm/panel/panel-innolux-p079zca.c
+index 72edb334d997..88c7d035ace6 100644
+--- a/drivers/gpu/drm/panel/panel-innolux-p079zca.c
++++ b/drivers/gpu/drm/panel/panel-innolux-p079zca.c
+@@ -70,18 +70,12 @@ static inline struct innolux_panel *to_innolux_panel(struct drm_panel *panel)
+ static int innolux_panel_disable(struct drm_panel *panel)
+ {
+ struct innolux_panel *innolux = to_innolux_panel(panel);
+- int err;
+
+ if (!innolux->enabled)
+ return 0;
+
+ backlight_disable(innolux->backlight);
+
+- err = mipi_dsi_dcs_set_display_off(innolux->link);
+- if (err < 0)
+- DRM_DEV_ERROR(panel->dev, "failed to set display off: %d\n",
+- err);
+-
+ innolux->enabled = false;
+
+ return 0;
+@@ -95,6 +89,11 @@ static int innolux_panel_unprepare(struct drm_panel *panel)
+ if (!innolux->prepared)
+ return 0;
+
++ err = mipi_dsi_dcs_set_display_off(innolux->link);
++ if (err < 0)
++ DRM_DEV_ERROR(panel->dev, "failed to set display off: %d\n",
++ err);
++
+ err = mipi_dsi_dcs_enter_sleep_mode(innolux->link);
+ if (err < 0) {
+ DRM_DEV_ERROR(panel->dev, "failed to enter sleep mode: %d\n",
+--
+2.19.1
+
--- /dev/null
+From 3ad2ce6078fd2ef540d79b6c6b2bb3f9e2a4c91b Mon Sep 17 00:00:00 2001
+From: Trigger Huang <Trigger.Huang@amd.com>
+Date: Tue, 6 Nov 2018 19:37:58 +0800
+Subject: drm/ttm: Fix bo_global and mem_global kfree error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 30f33126feca0fe16df9e9302ffc28a953e2eb37 ]
+
+ttm_bo_glob and ttm_mem_glob are defined as structure instance, while
+not allocated by kzalloc, so kfree should not be invoked to release
+them anymore. Otherwise, it will cause the following kernel BUG when
+unloading amdgpu module
+
+[ 48.419294] kernel BUG at /build/linux-5s7Xkn/linux-4.15.0/mm/slub.c:3894!
+[ 48.419352] invalid opcode: 0000 [#1] SMP PTI
+[ 48.419387] Modules linked in: amdgpu(OE-) amdchash(OE) amdttm(OE) amd_sched(OE) amdkcl(OE) amd_iommu_v2 drm_kms_helper drm i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi pcbc snd_seq snd_seq_device snd_timer aesni_intel snd soundcore joydev aes_x86_64 crypto_simd glue_helper cryptd input_leds mac_hid serio_raw binfmt_misc nfsd auth_rpcgss nfs_acl lockd grace sunrpc sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 8139too psmouse i2c_piix4 8139cp mii floppy pata_acpi
+[ 48.419782] CPU: 1 PID: 1281 Comm: modprobe Tainted: G OE 4.15.0-20-generic #21-Ubuntu
+[ 48.419838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 48.419901] RIP: 0010:kfree+0x137/0x180
+[ 48.419934] RSP: 0018:ffffb02101273bf8 EFLAGS: 00010246
+[ 48.419974] RAX: ffffeee1418ad7e0 RBX: ffffffffc075f100 RCX: ffff8fed7fca7ed0
+[ 48.420025] RDX: 0000000000000000 RSI: 000000000003440e RDI: 0000000022400000
+[ 48.420073] RBP: ffffb02101273c10 R08: 0000000000000010 R09: ffff8fed7ffd3680
+[ 48.420121] R10: ffffeee1418ad7c0 R11: ffff8fed7ffd3000 R12: ffffffffc075e2c0
+[ 48.420169] R13: ffffffffc074ec10 R14: ffff8fed73063900 R15: ffff8fed737428e8
+[ 48.420216] FS: 00007fdc912ec540(0000) GS:ffff8fed7fc80000(0000) knlGS:0000000000000000
+[ 48.420267] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 48.420308] CR2: 000055fa40c30060 CR3: 000000023470a006 CR4: 00000000003606e0
+[ 48.420358] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 48.420405] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 48.420452] Call Trace:
+[ 48.420485] ttm_bo_global_kobj_release+0x20/0x30 [amdttm]
+[ 48.420528] kobject_release+0x6a/0x180
+[ 48.420562] kobject_put+0x28/0x50
+[ 48.420595] ttm_bo_global_release+0x36/0x50 [amdttm]
+[ 48.420636] amdttm_bo_device_release+0x119/0x180 [amdttm]
+[ 48.420678] ? amdttm_bo_clean_mm+0xa6/0xf0 [amdttm]
+[ 48.420760] amdgpu_ttm_fini+0xc9/0x180 [amdgpu]
+[ 48.420821] amdgpu_bo_fini+0x12/0x40 [amdgpu]
+[ 48.420889] gmc_v9_0_sw_fini+0x40/0x50 [amdgpu]
+[ 48.420947] amdgpu_device_fini+0x36f/0x4c0 [amdgpu]
+[ 48.421007] amdgpu_driver_unload_kms+0xb4/0x150 [amdgpu]
+[ 48.421058] drm_dev_unregister+0x46/0xf0 [drm]
+[ 48.421102] drm_dev_unplug+0x12/0x70 [drm]
+
+Signed-off-by: Trigger Huang <Trigger.Huang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_bo.c | 1 -
+ drivers/gpu/drm/ttm/ttm_memory.c | 9 ---------
+ 2 files changed, 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
+index 7c484729f9b2..268f5a3b3122 100644
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -1445,7 +1445,6 @@ static void ttm_bo_global_kobj_release(struct kobject *kobj)
+ container_of(kobj, struct ttm_bo_global, kobj);
+
+ __free_page(glob->dummy_read_page);
+- kfree(glob);
+ }
+
+ void ttm_bo_global_release(struct drm_global_reference *ref)
+diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
+index 450387c92b63..df73d5ff84a8 100644
+--- a/drivers/gpu/drm/ttm/ttm_memory.c
++++ b/drivers/gpu/drm/ttm/ttm_memory.c
+@@ -216,14 +216,6 @@ static ssize_t ttm_mem_global_store(struct kobject *kobj,
+ return size;
+ }
+
+-static void ttm_mem_global_kobj_release(struct kobject *kobj)
+-{
+- struct ttm_mem_global *glob =
+- container_of(kobj, struct ttm_mem_global, kobj);
+-
+- kfree(glob);
+-}
+-
+ static struct attribute *ttm_mem_global_attrs[] = {
+ &ttm_mem_global_lower_mem_limit,
+ NULL
+@@ -235,7 +227,6 @@ static const struct sysfs_ops ttm_mem_global_ops = {
+ };
+
+ static struct kobj_type ttm_mem_glob_kobj_type = {
+- .release = &ttm_mem_global_kobj_release,
+ .sysfs_ops = &ttm_mem_global_ops,
+ .default_attrs = ttm_mem_global_attrs,
+ };
+--
+2.19.1
+
--- /dev/null
+From 783b8bd027731d0713de385b3de2e4f7eb4963e0 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Fri, 15 Mar 2019 11:37:20 +1000
+Subject: drm/udl: use drm_gem_object_put_unlocked.
+
+[ Upstream commit 8f3b487685b2acf71b42bb30d68fd9271bec8695 ]
+
+When Daniel removed struct_mutex he didn't fix this call to the unlocked
+variant which is required since we no longer use struct mutex.
+
+This fixes a bunch of:
+WARNING: CPU: 4 PID: 1370 at drivers/gpu/drm/drm_gem.c:931 drm_gem_object_put+0x2b/0x30 [drm]
+Modules linked in: udl xt_CHECKSUM ipt_MASQUERADE tun bridge stp llc nf_conntrack_netbios_ns nf_conntrack_broadcast xt_CT ip6t>
+CPU: 4 PID: 1370 Comm: Xorg Not tainted 5.0.0+ #2
+
+backtraces when you plug in a udl device.
+
+Fixes: ae358dacd217 (drm/udl: Get rid of dev->struct_mutex usage)
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/udl/udl_gem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c
+index d5a23295dd80..bb7b58407039 100644
+--- a/drivers/gpu/drm/udl/udl_gem.c
++++ b/drivers/gpu/drm/udl/udl_gem.c
+@@ -224,7 +224,7 @@ int udl_gem_mmap(struct drm_file *file, struct drm_device *dev,
+ *offset = drm_vma_node_offset_addr(&gobj->base.vma_node);
+
+ out:
+- drm_gem_object_put(&gobj->base);
++ drm_gem_object_put_unlocked(&gobj->base);
+ unlock:
+ mutex_unlock(&udl->gem_lock);
+ return ret;
+--
+2.19.1
+
--- /dev/null
+From c6767703c7de1533e98e45e43bacbb477dc98d84 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Fri, 15 Mar 2019 00:15:32 -0400
+Subject: ext4: add missing brelse() in add_new_gdb_meta_bg()
+
+[ Upstream commit d64264d6218e6892edd832dc3a5a5857c2856c53 ]
+
+Currently in add_new_gdb_meta_bg() there is a missing brelse of gdb_bh
+in case ext4_journal_get_write_access() fails.
+Additionally kvfree() is missing in the same error path. Fix it by
+moving the ext4_journal_get_write_access() before the ext4 sb update as
+Ted suggested and release n_group_desc and gdb_bh in case it fails.
+
+Fixes: 61a9c11e5e7a ("ext4: add missing brelse() add_new_gdb_meta_bg()'s error path")
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/resize.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 3d9b18505c0c..90061c3d048b 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -932,11 +932,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
+ memcpy(n_group_desc, o_group_desc,
+ EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
+ n_group_desc[gdb_num] = gdb_bh;
++
++ BUFFER_TRACE(gdb_bh, "get_write_access");
++ err = ext4_journal_get_write_access(handle, gdb_bh);
++ if (err) {
++ kvfree(n_group_desc);
++ brelse(gdb_bh);
++ return err;
++ }
++
+ EXT4_SB(sb)->s_group_desc = n_group_desc;
+ EXT4_SB(sb)->s_gdb_count++;
+ kvfree(o_group_desc);
+- BUFFER_TRACE(gdb_bh, "get_write_access");
+- err = ext4_journal_get_write_access(handle, gdb_bh);
+ return err;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 62bc7895ff2657ce02062324352e1a1ffd18ce25 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 14 Mar 2019 23:46:05 -0400
+Subject: ext4: avoid panic during forced reboot
+
+[ Upstream commit 1dc1097ff60e4105216da7cd0aa99032b039a994 ]
+
+When admin calls "reboot -f" - i.e., does a hard system reboot by
+directly calling reboot(2) - ext4 filesystem mounted with errors=panic
+can panic the system. This happens because the underlying device gets
+disabled without unmounting the filesystem and thus some syscall running
+in parallel to reboot(2) can result in the filesystem getting IO errors.
+
+This is somewhat surprising to the users so try improve the behavior by
+switching to errors=remount-ro behavior when the system is running
+reboot(2).
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/super.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index a1cf7d68b4f0..abba7ece78e9 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -430,6 +430,12 @@ static void ext4_journal_commit_callback(journal_t *journal, transaction_t *txn)
+ spin_unlock(&sbi->s_md_lock);
+ }
+
++static bool system_going_down(void)
++{
++ return system_state == SYSTEM_HALT || system_state == SYSTEM_POWER_OFF
++ || system_state == SYSTEM_RESTART;
++}
++
+ /* Deal with the reporting of failure conditions on a filesystem such as
+ * inconsistencies detected or read IO failures.
+ *
+@@ -460,7 +466,12 @@ static void ext4_handle_error(struct super_block *sb)
+ if (journal)
+ jbd2_journal_abort(journal, -EIO);
+ }
+- if (test_opt(sb, ERRORS_RO)) {
++ /*
++ * We force ERRORS_RO behavior when system is rebooting. Otherwise we
++ * could panic during 'reboot -f' as the underlying device got already
++ * disabled.
++ */
++ if (test_opt(sb, ERRORS_RO) || system_going_down()) {
+ ext4_msg(sb, KERN_CRIT, "Remounting filesystem read-only");
+ /*
+ * Make sure updated value of ->s_mount_flags will be visible
+@@ -468,8 +479,7 @@ static void ext4_handle_error(struct super_block *sb)
+ */
+ smp_wmb();
+ sb->s_flags |= SB_RDONLY;
+- }
+- if (test_opt(sb, ERRORS_PANIC)) {
++ } else if (test_opt(sb, ERRORS_PANIC)) {
+ if (EXT4_SB(sb)->s_journal &&
+ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
+ return;
+--
+2.19.1
+
--- /dev/null
+From 2812b4f2701beac3248a9463bebb2081ef32ae9f Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Sat, 23 Mar 2019 12:10:29 -0400
+Subject: ext4: prohibit fstrim in norecovery mode
+
+[ Upstream commit 18915b5873f07e5030e6fb108a050fa7c71c59fb ]
+
+The ext4 fstrim implementation uses the block bitmaps to find free space
+that can be discarded. If we haven't replayed the journal, the bitmaps
+will be stale and we absolutely *cannot* use stale metadata to zap the
+underlying storage.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ioctl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index 2e76fb55d94a..5f24fdc140ad 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -999,6 +999,13 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ if (!blk_queue_discard(q))
+ return -EOPNOTSUPP;
+
++ /*
++ * We haven't replayed the journal, so we cannot use our
++ * block-bitmap-guided storage zapping commands.
++ */
++ if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb))
++ return -EROFS;
++
+ if (copy_from_user(&range, (struct fstrim_range __user *)arg,
+ sizeof(range)))
+ return -EFAULT;
+--
+2.19.1
+
--- /dev/null
+From b3ce572831bc8f7063792eceb7005a1c393abe4c Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Fri, 15 Mar 2019 00:22:28 -0400
+Subject: ext4: report real fs size after failed resize
+
+[ Upstream commit 6c7328400e0488f7d49e19e02290ba343b6811b2 ]
+
+Currently when the file system resize using ext4_resize_fs() fails it
+will report into log that "resized filesystem to <requested block
+count>". However this may not be true in the case of failure. Use the
+current block count as returned by ext4_blocks_count() to report the
+block count.
+
+Additionally, report a warning that "error occurred during file system
+resize"
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/resize.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 90061c3d048b..e7ae26e36c9c 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -2080,6 +2080,10 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
+ free_flex_gd(flex_gd);
+ if (resize_inode != NULL)
+ iput(resize_inode);
+- ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", n_blocks_count);
++ if (err)
++ ext4_warning(sb, "error (%d) occurred during "
++ "file system resize", err);
++ ext4_msg(sb, KERN_INFO, "resized filesystem to %llu",
++ ext4_blocks_count(es));
+ return err;
+ }
+--
+2.19.1
+
--- /dev/null
+From 253fd3d04c38135e38f8ddff74bd1bc54dba0d50 Mon Sep 17 00:00:00 2001
+From: Sheng Yong <shengyong1@huawei.com>
+Date: Fri, 12 Oct 2018 18:49:26 +0800
+Subject: f2fs: cleanup dirty pages if recover failed
+
+[ Upstream commit 26b5a079197c8cb6725565968b7fd3299bd1877b ]
+
+During recover, we will try to create new dentries for inodes with
+dentry_mark. But if the parent is missing (e.g. killed by fsck),
+recover will break. But those recovered dirty pages are not cleanup.
+This will hit f2fs_bug_on:
+
+[ 53.519566] F2FS-fs (loop0): Found nat_bits in checkpoint
+[ 53.539354] F2FS-fs (loop0): recover_inode: ino = 5, name = file, inline = 3
+[ 53.539402] F2FS-fs (loop0): recover_dentry: ino = 5, name = file, dir = 0, err = -2
+[ 53.545760] F2FS-fs (loop0): Cannot recover all fsync data errno=-2
+[ 53.546105] F2FS-fs (loop0): access invalid blkaddr:4294967295
+[ 53.546171] WARNING: CPU: 1 PID: 1798 at fs/f2fs/checkpoint.c:163 f2fs_is_valid_blkaddr+0x26c/0x320
+[ 53.546174] Modules linked in:
+[ 53.546183] CPU: 1 PID: 1798 Comm: mount Not tainted 4.19.0-rc2+ #1
+[ 53.546186] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 53.546191] RIP: 0010:f2fs_is_valid_blkaddr+0x26c/0x320
+[ 53.546195] Code: 85 bb 00 00 00 48 89 df 88 44 24 07 e8 ad a8 db ff 48 8b 3b 44 89 e1 48 c7 c2 40 03 72 a9 48 c7 c6 e0 01 72 a9 e8 84 3c ff ff <0f> 0b 0f b6 44 24 07 e9 8a 00 00 00 48 8d bf 38 01 00 00 e8 7c a8
+[ 53.546201] RSP: 0018:ffff88006c067768 EFLAGS: 00010282
+[ 53.546208] RAX: 0000000000000000 RBX: ffff880068844200 RCX: ffffffffa83e1a33
+[ 53.546211] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88006d51e590
+[ 53.546215] RBP: 0000000000000005 R08: ffffed000daa3cb3 R09: ffffed000daa3cb3
+[ 53.546218] R10: 0000000000000001 R11: ffffed000daa3cb2 R12: 00000000ffffffff
+[ 53.546221] R13: ffff88006a1f8000 R14: 0000000000000200 R15: 0000000000000009
+[ 53.546226] FS: 00007fb2f3646840(0000) GS:ffff88006d500000(0000) knlGS:0000000000000000
+[ 53.546229] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 53.546234] CR2: 00007f0fd77f0008 CR3: 00000000687e6002 CR4: 00000000000206e0
+[ 53.546237] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 53.546240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 53.546242] Call Trace:
+[ 53.546248] f2fs_submit_page_bio+0x95/0x740
+[ 53.546253] read_node_page+0x161/0x1e0
+[ 53.546271] ? truncate_node+0x650/0x650
+[ 53.546283] ? add_to_page_cache_lru+0x12c/0x170
+[ 53.546288] ? pagecache_get_page+0x262/0x2d0
+[ 53.546292] __get_node_page+0x200/0x660
+[ 53.546302] f2fs_update_inode_page+0x4a/0x160
+[ 53.546306] f2fs_write_inode+0x86/0xb0
+[ 53.546317] __writeback_single_inode+0x49c/0x620
+[ 53.546322] writeback_single_inode+0xe4/0x1e0
+[ 53.546326] sync_inode_metadata+0x93/0xd0
+[ 53.546330] ? sync_inode+0x10/0x10
+[ 53.546342] ? do_raw_spin_unlock+0xed/0x100
+[ 53.546347] f2fs_sync_inode_meta+0xe0/0x130
+[ 53.546351] f2fs_fill_super+0x287d/0x2d10
+[ 53.546367] ? vsnprintf+0x742/0x7a0
+[ 53.546372] ? f2fs_commit_super+0x180/0x180
+[ 53.546379] ? up_write+0x20/0x40
+[ 53.546385] ? set_blocksize+0x5f/0x140
+[ 53.546391] ? f2fs_commit_super+0x180/0x180
+[ 53.546402] mount_bdev+0x181/0x200
+[ 53.546406] mount_fs+0x94/0x180
+[ 53.546411] vfs_kern_mount+0x6c/0x1e0
+[ 53.546415] do_mount+0xe5e/0x1510
+[ 53.546420] ? fs_reclaim_release+0x9/0x30
+[ 53.546424] ? copy_mount_string+0x20/0x20
+[ 53.546428] ? fs_reclaim_acquire+0xd/0x30
+[ 53.546435] ? __might_sleep+0x2c/0xc0
+[ 53.546440] ? ___might_sleep+0x53/0x170
+[ 53.546453] ? __might_fault+0x4c/0x60
+[ 53.546468] ? _copy_from_user+0x95/0xa0
+[ 53.546474] ? memdup_user+0x39/0x60
+[ 53.546478] ksys_mount+0x88/0xb0
+[ 53.546482] __x64_sys_mount+0x5d/0x70
+[ 53.546495] do_syscall_64+0x65/0x130
+[ 53.546503] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 53.547639] ---[ end trace b804d1ea2fec893e ]---
+
+So if recover fails, we need to drop all recovered data.
+
+Signed-off-by: Sheng Yong <shengyong1@huawei.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/recovery.c | 32 +++++++++++++++++++++-----------
+ fs/f2fs/super.c | 15 ++++++++++++++-
+ 2 files changed, 35 insertions(+), 12 deletions(-)
+
+diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c
+index 9a8579fb3a30..ae0e5f2e67b4 100644
+--- a/fs/f2fs/recovery.c
++++ b/fs/f2fs/recovery.c
+@@ -99,8 +99,12 @@ static struct fsync_inode_entry *add_fsync_inode(struct f2fs_sb_info *sbi,
+ return ERR_PTR(err);
+ }
+
+-static void del_fsync_inode(struct fsync_inode_entry *entry)
++static void del_fsync_inode(struct fsync_inode_entry *entry, int drop)
+ {
++ if (drop) {
++ /* inode should not be recovered, drop it */
++ f2fs_inode_synced(entry->inode);
++ }
+ iput(entry->inode);
+ list_del(&entry->list);
+ kmem_cache_free(fsync_entry_slab, entry);
+@@ -321,12 +325,12 @@ static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head,
+ return err;
+ }
+
+-static void destroy_fsync_dnodes(struct list_head *head)
++static void destroy_fsync_dnodes(struct list_head *head, int drop)
+ {
+ struct fsync_inode_entry *entry, *tmp;
+
+ list_for_each_entry_safe(entry, tmp, head, list)
+- del_fsync_inode(entry);
++ del_fsync_inode(entry, drop);
+ }
+
+ static int check_index_in_prev_nodes(struct f2fs_sb_info *sbi,
+@@ -561,7 +565,7 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode,
+ }
+
+ static int recover_data(struct f2fs_sb_info *sbi, struct list_head *inode_list,
+- struct list_head *dir_list)
++ struct list_head *tmp_inode_list, struct list_head *dir_list)
+ {
+ struct curseg_info *curseg;
+ struct page *page = NULL;
+@@ -615,7 +619,7 @@ static int recover_data(struct f2fs_sb_info *sbi, struct list_head *inode_list,
+ }
+
+ if (entry->blkaddr == blkaddr)
+- del_fsync_inode(entry);
++ list_move_tail(&entry->list, tmp_inode_list);
+ next:
+ /* check next segment */
+ blkaddr = next_blkaddr_of_node(page);
+@@ -628,7 +632,7 @@ static int recover_data(struct f2fs_sb_info *sbi, struct list_head *inode_list,
+
+ int f2fs_recover_fsync_data(struct f2fs_sb_info *sbi, bool check_only)
+ {
+- struct list_head inode_list;
++ struct list_head inode_list, tmp_inode_list;
+ struct list_head dir_list;
+ int err;
+ int ret = 0;
+@@ -659,6 +663,7 @@ int f2fs_recover_fsync_data(struct f2fs_sb_info *sbi, bool check_only)
+ }
+
+ INIT_LIST_HEAD(&inode_list);
++ INIT_LIST_HEAD(&tmp_inode_list);
+ INIT_LIST_HEAD(&dir_list);
+
+ /* prevent checkpoint */
+@@ -677,11 +682,16 @@ int f2fs_recover_fsync_data(struct f2fs_sb_info *sbi, bool check_only)
+ need_writecp = true;
+
+ /* step #2: recover data */
+- err = recover_data(sbi, &inode_list, &dir_list);
++ err = recover_data(sbi, &inode_list, &tmp_inode_list, &dir_list);
+ if (!err)
+ f2fs_bug_on(sbi, !list_empty(&inode_list));
++ else {
++ /* restore s_flags to let iput() trash data */
++ sbi->sb->s_flags = s_flags;
++ }
+ skip:
+- destroy_fsync_dnodes(&inode_list);
++ destroy_fsync_dnodes(&inode_list, err);
++ destroy_fsync_dnodes(&tmp_inode_list, err);
+
+ /* truncate meta pages to be used by the recovery */
+ truncate_inode_pages_range(META_MAPPING(sbi),
+@@ -690,13 +700,13 @@ int f2fs_recover_fsync_data(struct f2fs_sb_info *sbi, bool check_only)
+ if (err) {
+ truncate_inode_pages_final(NODE_MAPPING(sbi));
+ truncate_inode_pages_final(META_MAPPING(sbi));
++ } else {
++ clear_sbi_flag(sbi, SBI_POR_DOING);
+ }
+-
+- clear_sbi_flag(sbi, SBI_POR_DOING);
+ mutex_unlock(&sbi->cp_mutex);
+
+ /* let's drop all the directory inodes for clean checkpoint */
+- destroy_fsync_dnodes(&dir_list);
++ destroy_fsync_dnodes(&dir_list, err);
+
+ if (need_writecp) {
+ set_sbi_flag(sbi, SBI_IS_RECOVERED);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 06017138eab0..2264f27fd26d 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1885,6 +1885,19 @@ void f2fs_quota_off_umount(struct super_block *sb)
+ }
+ }
+
++static void f2fs_truncate_quota_inode_pages(struct super_block *sb)
++{
++ struct quota_info *dqopt = sb_dqopt(sb);
++ int type;
++
++ for (type = 0; type < MAXQUOTAS; type++) {
++ if (!dqopt->files[type])
++ continue;
++ f2fs_inode_synced(dqopt->files[type]);
++ }
++}
++
++
+ static int f2fs_get_projid(struct inode *inode, kprojid_t *projid)
+ {
+ *projid = F2FS_I(inode)->i_projid;
+@@ -3131,10 +3144,10 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
+
+ free_meta:
+ #ifdef CONFIG_QUOTA
++ f2fs_truncate_quota_inode_pages(sb);
+ if (f2fs_sb_has_quota_ino(sb) && !f2fs_readonly(sb))
+ f2fs_quota_off_umount(sbi->sb);
+ #endif
+- f2fs_sync_inode_meta(sbi);
+ /*
+ * Some dirty meta pages can be produced by f2fs_recover_orphan_inodes()
+ * failed by EIO. Then, iput(node_inode) can trigger balance_fs_bg()
+--
+2.19.1
+
--- /dev/null
+From 4920b7f5ee7d7c95a77a7a5ec8916f80d763eb55 Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Tue, 4 Sep 2018 03:52:17 +0800
+Subject: f2fs: fix to avoid NULL pointer dereference on se->discard_map
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 7d20c8abb2edcf962ca857d51f4d0f9cd4b19053 ]
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200951
+
+These is a NULL pointer dereference issue reported in bugzilla:
+
+Hi,
+in the setup there is a SATA SSD connected to a SATA-to-USB bridge.
+
+The disc is "Samsung SSD 850 PRO 256G" which supports TRIM.
+There are four partitions:
+ sda1: FAT /boot
+ sda2: F2FS /
+ sda3: F2FS /home
+ sda4: F2FS
+
+The bridge is ASMT1153e which uses the "uas" driver.
+There is no TRIM pass-through, so, when mounting it reports:
+ mounting with "discard" option, but the device does not support discard
+
+The USB host is USB3.0 and UASP capable. It is the one on RK3399.
+
+Given this everything works fine, except there is no TRIM support.
+
+In order to enable TRIM a new UDEV rule is added [1]:
+ /etc/udev/rules.d/10-sata-bridge-trim.rules:
+ ACTION=="add|change", ATTRS{idVendor}=="174c", ATTRS{idProduct}=="55aa", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
+After reboot any F2FS write hangs forever and dmesg reports:
+ Unable to handle kernel NULL pointer dereference
+
+Also tested on a x86_64 system: works fine even with TRIM enabled.
+ same disc
+ same bridge
+ different usb host controller
+ different cpu architecture
+ not root filesystem
+
+Regards,
+ Vicenç.
+
+[1] Post #5 in https://bbs.archlinux.org/viewtopic.php?id=236280
+
+ Unable to handle kernel NULL pointer dereference at virtual address 000000000000003e
+ Mem abort info:
+ ESR = 0x96000004
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000004
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000626e3122
+ [000000000000003e] pgd=0000000000000000
+ Internal error: Oops: 96000004 [#1] SMP
+ Modules linked in: overlay snd_soc_hdmi_codec rc_cec dw_hdmi_i2s_audio dw_hdmi_cec snd_soc_simple_card snd_soc_simple_card_utils snd_soc_rockchip_i2s rockchip_rga snd_soc_rockchip_pcm rockchipdrm videobuf2_dma_sg v4l2_mem2mem rtc_rk808 videobuf2_memops analogix_dp videobuf2_v4l2 videobuf2_common dw_hdmi dw_wdt cec rc_core videodev drm_kms_helper media drm rockchip_thermal rockchip_saradc realtek drm_panel_orientation_quirks syscopyarea sysfillrect sysimgblt fb_sys_fops dwmac_rk stmmac_platform stmmac pwm_bl squashfs loop crypto_user gpio_keys hid_kensington
+ CPU: 5 PID: 957 Comm: nvim Not tainted 4.19.0-rc1-1-ARCH #1
+ Hardware name: Sapphire-RK3399 Board (DT)
+ pstate: 00000005 (nzcv daif -PAN -UAO)
+ pc : update_sit_entry+0x304/0x4b0
+ lr : update_sit_entry+0x108/0x4b0
+ sp : ffff00000ca13bd0
+ x29: ffff00000ca13bd0 x28: 000000000000003e
+ x27: 0000000000000020 x26: 0000000000080000
+ x25: 0000000000000048 x24: ffff8000ebb85cf8
+ x23: 0000000000000253 x22: 00000000ffffffff
+ x21: 00000000000535f2 x20: 00000000ffffffdf
+ x19: ffff8000eb9e6800 x18: ffff8000eb9e6be8
+ x17: 0000000007ce6926 x16: 000000001c83ffa8
+ x15: 0000000000000000 x14: ffff8000f602df90
+ x13: 0000000000000006 x12: 0000000000000040
+ x11: 0000000000000228 x10: 0000000000000000
+ x9 : 0000000000000000 x8 : 0000000000000000
+ x7 : 00000000000535f2 x6 : ffff8000ebff3440
+ x5 : ffff8000ebff3440 x4 : ffff8000ebe3a6c8
+ x3 : 00000000ffffffff x2 : 0000000000000020
+ x1 : 0000000000000000 x0 : ffff8000eb9e5800
+ Process nvim (pid: 957, stack limit = 0x0000000063a78320)
+ Call trace:
+ update_sit_entry+0x304/0x4b0
+ f2fs_invalidate_blocks+0x98/0x140
+ truncate_node+0x90/0x400
+ f2fs_remove_inode_page+0xe8/0x340
+ f2fs_evict_inode+0x2b0/0x408
+ evict+0xe0/0x1e0
+ iput+0x160/0x260
+ do_unlinkat+0x214/0x298
+ __arm64_sys_unlinkat+0x3c/0x68
+ el0_svc_handler+0x94/0x118
+ el0_svc+0x8/0xc
+ Code: f9400800 b9488400 36080140 f9400f01 (387c4820)
+ ---[ end trace a0f21a307118c477 ]---
+
+The reason is it is possible to enable discard flag on block queue via
+UDEV, but during mount, f2fs will initialize se->discard_map only if
+this flag is set, once the flag is set after mount, f2fs may dereference
+NULL pointer on se->discard_map.
+
+So this patch does below changes to fix this issue:
+- initialize and update se->discard_map all the time.
+- don't clear DISCARD option if device has no QUEUE_FLAG_DISCARD flag
+during mount.
+- don't issue small discard on zoned block device.
+- introduce some functions to enhance the readability.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Tested-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/debug.c | 3 +--
+ fs/f2fs/f2fs.h | 15 ++++++++---
+ fs/f2fs/file.c | 2 +-
+ fs/f2fs/segment.c | 65 ++++++++++++++++++++---------------------------
+ fs/f2fs/super.c | 16 +++---------
+ 5 files changed, 46 insertions(+), 55 deletions(-)
+
+diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c
+index 214a968962a1..ebe649d9793c 100644
+--- a/fs/f2fs/debug.c
++++ b/fs/f2fs/debug.c
+@@ -190,8 +190,7 @@ static void update_mem_info(struct f2fs_sb_info *sbi)
+ si->base_mem += MAIN_SEGS(sbi) * sizeof(struct seg_entry);
+ si->base_mem += f2fs_bitmap_size(MAIN_SEGS(sbi));
+ si->base_mem += 2 * SIT_VBLOCK_MAP_SIZE * MAIN_SEGS(sbi);
+- if (f2fs_discard_en(sbi))
+- si->base_mem += SIT_VBLOCK_MAP_SIZE * MAIN_SEGS(sbi);
++ si->base_mem += SIT_VBLOCK_MAP_SIZE * MAIN_SEGS(sbi);
+ si->base_mem += SIT_VBLOCK_MAP_SIZE;
+ if (sbi->segs_per_sec > 1)
+ si->base_mem += MAIN_SECS(sbi) * sizeof(struct sec_entry);
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index a3ba20e5946f..1f5d5f62bb77 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3409,11 +3409,20 @@ static inline int get_blkz_type(struct f2fs_sb_info *sbi,
+ }
+ #endif
+
+-static inline bool f2fs_discard_en(struct f2fs_sb_info *sbi)
++static inline bool f2fs_hw_should_discard(struct f2fs_sb_info *sbi)
+ {
+- struct request_queue *q = bdev_get_queue(sbi->sb->s_bdev);
++ return f2fs_sb_has_blkzoned(sbi->sb);
++}
+
+- return blk_queue_discard(q) || f2fs_sb_has_blkzoned(sbi->sb);
++static inline bool f2fs_hw_support_discard(struct f2fs_sb_info *sbi)
++{
++ return blk_queue_discard(bdev_get_queue(sbi->sb->s_bdev));
++}
++
++static inline bool f2fs_realtime_discard_enable(struct f2fs_sb_info *sbi)
++{
++ return (test_opt(sbi, DISCARD) && f2fs_hw_support_discard(sbi)) ||
++ f2fs_hw_should_discard(sbi);
+ }
+
+ static inline void set_opt_mode(struct f2fs_sb_info *sbi, unsigned int mt)
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 81c1dd635a8d..9fc076ca002d 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1983,7 +1983,7 @@ static int f2fs_ioc_fitrim(struct file *filp, unsigned long arg)
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+- if (!blk_queue_discard(q))
++ if (!f2fs_hw_support_discard(F2FS_SB(sb)))
+ return -EOPNOTSUPP;
+
+ if (copy_from_user(&range, (struct fstrim_range __user *)arg,
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 1fa6f8185766..ac038563273d 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -1744,11 +1744,11 @@ static bool add_discard_addrs(struct f2fs_sb_info *sbi, struct cp_control *cpc,
+ struct list_head *head = &SM_I(sbi)->dcc_info->entry_list;
+ int i;
+
+- if (se->valid_blocks == max_blocks || !f2fs_discard_en(sbi))
++ if (se->valid_blocks == max_blocks || !f2fs_hw_support_discard(sbi))
+ return false;
+
+ if (!force) {
+- if (!test_opt(sbi, DISCARD) || !se->valid_blocks ||
++ if (!f2fs_realtime_discard_enable(sbi) || !se->valid_blocks ||
+ SM_I(sbi)->dcc_info->nr_discards >=
+ SM_I(sbi)->dcc_info->max_discards)
+ return false;
+@@ -1854,7 +1854,7 @@ void f2fs_clear_prefree_segments(struct f2fs_sb_info *sbi,
+ dirty_i->nr_dirty[PRE]--;
+ }
+
+- if (!test_opt(sbi, DISCARD))
++ if (!f2fs_realtime_discard_enable(sbi))
+ continue;
+
+ if (force && start >= cpc->trim_start &&
+@@ -2044,8 +2044,7 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
+ del = 0;
+ }
+
+- if (f2fs_discard_en(sbi) &&
+- !f2fs_test_and_set_bit(offset, se->discard_map))
++ if (!f2fs_test_and_set_bit(offset, se->discard_map))
+ sbi->discard_blks--;
+
+ /* don't overwrite by SSR to keep node chain */
+@@ -2073,8 +2072,7 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
+ del = 0;
+ }
+
+- if (f2fs_discard_en(sbi) &&
+- f2fs_test_and_clear_bit(offset, se->discard_map))
++ if (f2fs_test_and_clear_bit(offset, se->discard_map))
+ sbi->discard_blks++;
+ }
+ if (!f2fs_test_bit(offset, se->ckpt_valid_map))
+@@ -2690,7 +2688,7 @@ int f2fs_trim_fs(struct f2fs_sb_info *sbi, struct fstrim_range *range)
+ * discard option. User configuration looks like using runtime discard
+ * or periodic fstrim instead of it.
+ */
+- if (test_opt(sbi, DISCARD))
++ if (f2fs_realtime_discard_enable(sbi))
+ goto out;
+
+ start_block = START_BLOCK(sbi, start_segno);
+@@ -3781,13 +3779,11 @@ static int build_sit_info(struct f2fs_sb_info *sbi)
+ return -ENOMEM;
+ #endif
+
+- if (f2fs_discard_en(sbi)) {
+- sit_i->sentries[start].discard_map
+- = f2fs_kzalloc(sbi, SIT_VBLOCK_MAP_SIZE,
+- GFP_KERNEL);
+- if (!sit_i->sentries[start].discard_map)
+- return -ENOMEM;
+- }
++ sit_i->sentries[start].discard_map
++ = f2fs_kzalloc(sbi, SIT_VBLOCK_MAP_SIZE,
++ GFP_KERNEL);
++ if (!sit_i->sentries[start].discard_map)
++ return -ENOMEM;
+ }
+
+ sit_i->tmp_map = f2fs_kzalloc(sbi, SIT_VBLOCK_MAP_SIZE, GFP_KERNEL);
+@@ -3935,18 +3931,16 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
+ total_node_blocks += se->valid_blocks;
+
+ /* build discard map only one time */
+- if (f2fs_discard_en(sbi)) {
+- if (is_set_ckpt_flags(sbi, CP_TRIMMED_FLAG)) {
+- memset(se->discard_map, 0xff,
+- SIT_VBLOCK_MAP_SIZE);
+- } else {
+- memcpy(se->discard_map,
+- se->cur_valid_map,
+- SIT_VBLOCK_MAP_SIZE);
+- sbi->discard_blks +=
+- sbi->blocks_per_seg -
+- se->valid_blocks;
+- }
++ if (is_set_ckpt_flags(sbi, CP_TRIMMED_FLAG)) {
++ memset(se->discard_map, 0xff,
++ SIT_VBLOCK_MAP_SIZE);
++ } else {
++ memcpy(se->discard_map,
++ se->cur_valid_map,
++ SIT_VBLOCK_MAP_SIZE);
++ sbi->discard_blks +=
++ sbi->blocks_per_seg -
++ se->valid_blocks;
+ }
+
+ if (sbi->segs_per_sec > 1)
+@@ -3984,16 +3978,13 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
+ if (IS_NODESEG(se->type))
+ total_node_blocks += se->valid_blocks;
+
+- if (f2fs_discard_en(sbi)) {
+- if (is_set_ckpt_flags(sbi, CP_TRIMMED_FLAG)) {
+- memset(se->discard_map, 0xff,
+- SIT_VBLOCK_MAP_SIZE);
+- } else {
+- memcpy(se->discard_map, se->cur_valid_map,
+- SIT_VBLOCK_MAP_SIZE);
+- sbi->discard_blks += old_valid_blocks;
+- sbi->discard_blks -= se->valid_blocks;
+- }
++ if (is_set_ckpt_flags(sbi, CP_TRIMMED_FLAG)) {
++ memset(se->discard_map, 0xff, SIT_VBLOCK_MAP_SIZE);
++ } else {
++ memcpy(se->discard_map, se->cur_valid_map,
++ SIT_VBLOCK_MAP_SIZE);
++ sbi->discard_blks += old_valid_blocks;
++ sbi->discard_blks -= se->valid_blocks;
+ }
+
+ if (sbi->segs_per_sec > 1) {
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 79370b7fa9d2..6539969a1c7f 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -360,7 +360,6 @@ static int f2fs_check_quota_options(struct f2fs_sb_info *sbi)
+ static int parse_options(struct super_block *sb, char *options)
+ {
+ struct f2fs_sb_info *sbi = F2FS_SB(sb);
+- struct request_queue *q;
+ substring_t args[MAX_OPT_ARGS];
+ char *p, *name;
+ int arg = 0;
+@@ -415,14 +414,7 @@ static int parse_options(struct super_block *sb, char *options)
+ return -EINVAL;
+ break;
+ case Opt_discard:
+- q = bdev_get_queue(sb->s_bdev);
+- if (blk_queue_discard(q)) {
+- set_opt(sbi, DISCARD);
+- } else if (!f2fs_sb_has_blkzoned(sb)) {
+- f2fs_msg(sb, KERN_WARNING,
+- "mounting with \"discard\" option, but "
+- "the device does not support discard");
+- }
++ set_opt(sbi, DISCARD);
+ break;
+ case Opt_nodiscard:
+ if (f2fs_sb_has_blkzoned(sb)) {
+@@ -1033,7 +1025,8 @@ static void f2fs_put_super(struct super_block *sb)
+ /* be sure to wait for any on-going discard commands */
+ dropped = f2fs_wait_discard_bios(sbi);
+
+- if (f2fs_discard_en(sbi) && !sbi->discard_blks && !dropped) {
++ if ((f2fs_hw_support_discard(sbi) || f2fs_hw_should_discard(sbi)) &&
++ !sbi->discard_blks && !dropped) {
+ struct cp_control cpc = {
+ .reason = CP_UMOUNT | CP_TRIMMED,
+ };
+@@ -1403,8 +1396,7 @@ static void default_options(struct f2fs_sb_info *sbi)
+ set_opt(sbi, NOHEAP);
+ sbi->sb->s_flags |= SB_LAZYTIME;
+ set_opt(sbi, FLUSH_MERGE);
+- if (blk_queue_discard(bdev_get_queue(sbi->sb->s_bdev)))
+- set_opt(sbi, DISCARD);
++ set_opt(sbi, DISCARD);
+ if (f2fs_sb_has_blkzoned(sbi->sb))
+ set_opt_mode(sbi, F2FS_MOUNT_LFS);
+ else
+--
+2.19.1
+
--- /dev/null
+From 292a083288d9d360331be542c139a98e90891f23 Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sat, 23 Feb 2019 09:48:27 +0800
+Subject: f2fs: fix to dirty inode for i_mode recovery
+
+[ Upstream commit ca597bddedd94906cd761d8be6a3ad21292725de ]
+
+As Seulbae Kim reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=202637
+
+We didn't recover permission field correctly after sudden power-cut,
+the reason is in setattr we didn't add inode into global dirty list
+once i_mode is changed, so latter checkpoint triggered by fsync will
+not flush last i_mode into disk, result in this problem, fix it.
+
+Reported-by: Seulbae Kim <seulbae@gatech.edu>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 9fc076ca002d..b3f46e3bec17 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -770,7 +770,6 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr)
+ {
+ struct inode *inode = d_inode(dentry);
+ int err;
+- bool size_changed = false;
+
+ if (unlikely(f2fs_cp_error(F2FS_I_SB(inode))))
+ return -EIO;
+@@ -830,8 +829,6 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr)
+ down_write(&F2FS_I(inode)->i_sem);
+ F2FS_I(inode)->last_disk_size = i_size_read(inode);
+ up_write(&F2FS_I(inode)->i_sem);
+-
+- size_changed = true;
+ }
+
+ __setattr_copy(inode, attr);
+@@ -845,7 +842,7 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr)
+ }
+
+ /* file size may changed here */
+- f2fs_mark_inode_dirty_sync(inode, size_changed);
++ f2fs_mark_inode_dirty_sync(inode, true);
+
+ /* inode change will produce dirty node pages flushed by checkpoint */
+ f2fs_balance_fs(F2FS_I_SB(inode), true);
+--
+2.19.1
+
--- /dev/null
+From 15139695be9a7643972a3ec1d281dff0c95f88a2 Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Thu, 6 Sep 2018 20:34:12 +0800
+Subject: f2fs: fix to do sanity check with current segment number
+
+[ Upstream commit 042be0f849e5fc24116d0afecfaf926eed5cac63 ]
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200219
+
+Reproduction way:
+- mount image
+- run poc code
+- umount image
+
+F2FS-fs (loop1): Bitmap was wrongly set, blk:15364
+------------[ cut here ]------------
+kernel BUG at /home/yuchao/git/devf2fs/segment.c:2061!
+invalid opcode: 0000 [#1] PREEMPT SMP
+CPU: 2 PID: 17686 Comm: umount Tainted: G W O 4.18.0-rc2+ #39
+Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+EIP: update_sit_entry+0x459/0x4e0 [f2fs]
+Code: e8 1c b5 fd ff 0f 0b 0f 0b 8b 45 e4 c7 44 24 08 9c 7a 6c f8 c7 44 24 04 bc 4a 6c f8 89 44 24 0c 8b 06 89 04 24 e8 f7 b4 fd ff <0f> 0b 8b 45 e4 0f b6 d2 89 54 24 10 c7 44 24 08 60 7a 6c f8 c7 44
+EAX: 00000032 EBX: 000000f8 ECX: 00000002 EDX: 00000001
+ESI: d7177000 EDI: f520fe68 EBP: d6477c6c ESP: d6477c34
+DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010282
+CR0: 80050033 CR2: b7fbe000 CR3: 2a99b3c0 CR4: 000406f0
+Call Trace:
+ f2fs_allocate_data_block+0x124/0x580 [f2fs]
+ do_write_page+0x78/0x150 [f2fs]
+ f2fs_do_write_node_page+0x25/0xa0 [f2fs]
+ __write_node_page+0x2bf/0x550 [f2fs]
+ f2fs_sync_node_pages+0x60e/0x6d0 [f2fs]
+ ? sync_inode_metadata+0x2f/0x40
+ ? f2fs_write_checkpoint+0x28f/0x7d0 [f2fs]
+ ? up_write+0x1e/0x80
+ f2fs_write_checkpoint+0x2a9/0x7d0 [f2fs]
+ ? mark_held_locks+0x5d/0x80
+ ? _raw_spin_unlock_irq+0x27/0x50
+ kill_f2fs_super+0x68/0x90 [f2fs]
+ deactivate_locked_super+0x3d/0x70
+ deactivate_super+0x40/0x60
+ cleanup_mnt+0x39/0x70
+ __cleanup_mnt+0x10/0x20
+ task_work_run+0x81/0xa0
+ exit_to_usermode_loop+0x59/0xa7
+ do_fast_syscall_32+0x1f5/0x22c
+ entry_SYSENTER_32+0x53/0x86
+EIP: 0xb7f95c51
+Code: c1 1e f7 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
+EAX: 00000000 EBX: 0871ab90 ECX: bfb2cd00 EDX: 00000000
+ESI: 00000000 EDI: 0871ab90 EBP: 0871ab90 ESP: bfb2cd7c
+DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
+Modules linked in: f2fs(O) crc32_generic bnep rfcomm bluetooth ecdh_generic snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq pcbc joydev aesni_intel snd_seq_device aes_i586 snd_timer crypto_simd snd cryptd soundcore mac_hid serio_raw video i2c_piix4 parport_pc ppdev lp parport hid_generic psmouse usbhid hid e1000 [last unloaded: f2fs]
+---[ end trace d423f83982cfcdc5 ]---
+
+The reason is, different log headers using the same segment, once
+one log's next block address is used by another log, it will cause
+panic as above.
+
+Main area: 24 segs, 24 secs 24 zones
+ - COLD data: 0, 0, 0
+ - WARM data: 1, 1, 1
+ - HOT data: 20, 20, 20
+ - Dir dnode: 22, 22, 22
+ - File dnode: 22, 22, 22
+ - Indir nodes: 21, 21, 21
+
+So this patch adds sanity check to detect such condition to avoid
+this issue.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 6539969a1c7f..06017138eab0 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2329,7 +2329,7 @@ int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi)
+ unsigned int segment_count_main;
+ unsigned int cp_pack_start_sum, cp_payload;
+ block_t user_block_count;
+- int i;
++ int i, j;
+
+ total = le32_to_cpu(raw_super->segment_count);
+ fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
+@@ -2370,11 +2370,43 @@ int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi)
+ if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
+ le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
+ return 1;
++ for (j = i + 1; j < NR_CURSEG_NODE_TYPE; j++) {
++ if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
++ le32_to_cpu(ckpt->cur_node_segno[j])) {
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Node segment (%u, %u) has the same "
++ "segno: %u", i, j,
++ le32_to_cpu(ckpt->cur_node_segno[i]));
++ return 1;
++ }
++ }
+ }
+ for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) {
+ if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs ||
+ le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg)
+ return 1;
++ for (j = i + 1; j < NR_CURSEG_DATA_TYPE; j++) {
++ if (le32_to_cpu(ckpt->cur_data_segno[i]) ==
++ le32_to_cpu(ckpt->cur_data_segno[j])) {
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Data segment (%u, %u) has the same "
++ "segno: %u", i, j,
++ le32_to_cpu(ckpt->cur_data_segno[i]));
++ return 1;
++ }
++ }
++ }
++ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
++ for (j = i; j < NR_CURSEG_DATA_TYPE; j++) {
++ if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
++ le32_to_cpu(ckpt->cur_data_segno[j])) {
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Data segment (%u) and Data segment (%u)"
++ " has the same segno: %u", i, j,
++ le32_to_cpu(ckpt->cur_node_segno[i]));
++ return 1;
++ }
++ }
+ }
+
+ sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize);
+--
+2.19.1
+
--- /dev/null
+From c3e6d05fd45c882f224a5bab7e54e6815711f1c5 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sun, 17 Mar 2019 15:58:38 -0500
+Subject: fix incorrect error code mapping for OBJECTID_NOT_FOUND
+
+[ Upstream commit 85f9987b236cf46e06ffdb5c225cf1f3c0acb789 ]
+
+It was mapped to EIO which can be confusing when user space
+queries for an object GUID for an object for which the server
+file system doesn't support (or hasn't saved one).
+
+As Amir Goldstein suggested this is similar to ENOATTR
+(equivalently ENODATA in Linux errno definitions) so
+changing NT STATUS code mapping for OBJECTID_NOT_FOUND
+to ENODATA.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2maperror.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
+index c3ae8c1d6089..18814f1d67d9 100644
+--- a/fs/cifs/smb2maperror.c
++++ b/fs/cifs/smb2maperror.c
+@@ -1036,7 +1036,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
+ {STATUS_UNFINISHED_CONTEXT_DELETED, -EIO,
+ "STATUS_UNFINISHED_CONTEXT_DELETED"},
+ {STATUS_NO_TGT_REPLY, -EIO, "STATUS_NO_TGT_REPLY"},
+- {STATUS_OBJECTID_NOT_FOUND, -EIO, "STATUS_OBJECTID_NOT_FOUND"},
++ /* Note that ENOATTTR and ENODATA are the same errno */
++ {STATUS_OBJECTID_NOT_FOUND, -ENODATA, "STATUS_OBJECTID_NOT_FOUND"},
+ {STATUS_NO_IP_ADDRESSES, -EIO, "STATUS_NO_IP_ADDRESSES"},
+ {STATUS_WRONG_CREDENTIAL_HANDLE, -EIO,
+ "STATUS_WRONG_CREDENTIAL_HANDLE"},
+--
+2.19.1
+
--- /dev/null
+From 6a6b6cad3756ba9352873b62e42599e7e92b6f61 Mon Sep 17 00:00:00 2001
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Sat, 25 Aug 2018 10:44:17 +0200
+Subject: gpio: pxa: handle corner case of unprobed device
+
+[ Upstream commit 9ce3ebe973bf4073426f35f282c6b955ed802765 ]
+
+In the corner case where the gpio driver probe fails, for whatever
+reason, the suspend and resume handlers will still be called as they
+have to be registered as syscore operations. This applies as well when
+no probe was called while the driver has been built in the kernel.
+
+Nicolas tracked this in :
+https://bugzilla.kernel.org/show_bug.cgi?id=200905
+
+Therefore, add a failsafe in these function, and test if a proper probe
+succeeded and the driver is functional.
+
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Reported-by: Nicolas Chauvet <kwizart@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-pxa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpio/gpio-pxa.c b/drivers/gpio/gpio-pxa.c
+index eb27fa76e8fc..bcc6be4a5cb2 100644
+--- a/drivers/gpio/gpio-pxa.c
++++ b/drivers/gpio/gpio-pxa.c
+@@ -777,6 +777,9 @@ static int pxa_gpio_suspend(void)
+ struct pxa_gpio_bank *c;
+ int gpio;
+
++ if (!pchip)
++ return 0;
++
+ for_each_gpio_bank(gpio, c, pchip) {
+ c->saved_gplr = readl_relaxed(c->regbase + GPLR_OFFSET);
+ c->saved_gpdr = readl_relaxed(c->regbase + GPDR_OFFSET);
+@@ -795,6 +798,9 @@ static void pxa_gpio_resume(void)
+ struct pxa_gpio_bank *c;
+ int gpio;
+
++ if (!pchip)
++ return;
++
+ for_each_gpio_bank(gpio, c, pchip) {
+ /* restore level with set/clear */
+ writel_relaxed(c->saved_gplr, c->regbase + GPSR_OFFSET);
+--
+2.19.1
+
--- /dev/null
+From 8ad19cc70cac44c69cd9c6ae11e52348153bacec Mon Sep 17 00:00:00 2001
+From: Julian Sax <jsbc@gmx.de>
+Date: Wed, 19 Sep 2018 11:46:23 +0200
+Subject: HID: i2c-hid: override HID descriptors for certain devices
+
+[ Upstream commit 9ee3e06610fdb8a601cde59c92089fb6c1deb4aa ]
+
+A particular touchpad (SIPODEV SP1064) refuses to supply the HID
+descriptors. This patch provides the framework for overriding these
+descriptors based on DMI data. It also includes the descriptors for
+said touchpad, which were extracted by listening to the traffic of the
+windows filter driver, as well as the DMI data for the laptops known
+to use this device.
+
+Relevant Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1526312
+
+Cc: Hans de Goede <hdegoede@redhat.com>
+Reported-and-tested-by: ahormann@gmx.net
+Reported-and-tested-by: Bruno Jesus <bruno.fl.jesus@gmail.com>
+Reported-and-tested-by: Dietrich <enaut.w@googlemail.com>
+Reported-and-tested-by: kloxdami@yahoo.com
+Signed-off-by: Julian Sax <jsbc@gmx.de>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/i2c-hid/Makefile | 3 +
+ .../hid/i2c-hid/{i2c-hid.c => i2c-hid-core.c} | 56 ++-
+ drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 376 ++++++++++++++++++
+ drivers/hid/i2c-hid/i2c-hid.h | 20 +
+ 4 files changed, 437 insertions(+), 18 deletions(-)
+ rename drivers/hid/i2c-hid/{i2c-hid.c => i2c-hid-core.c} (96%)
+ create mode 100644 drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+ create mode 100644 drivers/hid/i2c-hid/i2c-hid.h
+
+diff --git a/drivers/hid/i2c-hid/Makefile b/drivers/hid/i2c-hid/Makefile
+index 832d8f9aaba2..099e1ce2f234 100644
+--- a/drivers/hid/i2c-hid/Makefile
++++ b/drivers/hid/i2c-hid/Makefile
+@@ -3,3 +3,6 @@
+ #
+
+ obj-$(CONFIG_I2C_HID) += i2c-hid.o
++
++i2c-hid-objs = i2c-hid-core.o
++i2c-hid-$(CONFIG_DMI) += i2c-hid-dmi-quirks.o
+diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid-core.c
+similarity index 96%
+rename from drivers/hid/i2c-hid/i2c-hid.c
+rename to drivers/hid/i2c-hid/i2c-hid-core.c
+index 88daa388e1f6..3cde7c1b9c33 100644
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -43,6 +43,7 @@
+ #include <linux/platform_data/i2c-hid.h>
+
+ #include "../hid-ids.h"
++#include "i2c-hid.h"
+
+ /* quirks to control the device */
+ #define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV BIT(0)
+@@ -687,6 +688,7 @@ static int i2c_hid_parse(struct hid_device *hid)
+ char *rdesc;
+ int ret;
+ int tries = 3;
++ char *use_override;
+
+ i2c_hid_dbg(ihid, "entering %s\n", __func__);
+
+@@ -705,26 +707,37 @@ static int i2c_hid_parse(struct hid_device *hid)
+ if (ret)
+ return ret;
+
+- rdesc = kzalloc(rsize, GFP_KERNEL);
++ use_override = i2c_hid_get_dmi_hid_report_desc_override(client->name,
++ &rsize);
+
+- if (!rdesc) {
+- dbg_hid("couldn't allocate rdesc memory\n");
+- return -ENOMEM;
+- }
++ if (use_override) {
++ rdesc = use_override;
++ i2c_hid_dbg(ihid, "Using a HID report descriptor override\n");
++ } else {
++ rdesc = kzalloc(rsize, GFP_KERNEL);
++
++ if (!rdesc) {
++ dbg_hid("couldn't allocate rdesc memory\n");
++ return -ENOMEM;
++ }
+
+- i2c_hid_dbg(ihid, "asking HID report descriptor\n");
++ i2c_hid_dbg(ihid, "asking HID report descriptor\n");
+
+- ret = i2c_hid_command(client, &hid_report_descr_cmd, rdesc, rsize);
+- if (ret) {
+- hid_err(hid, "reading report descriptor failed\n");
+- kfree(rdesc);
+- return -EIO;
++ ret = i2c_hid_command(client, &hid_report_descr_cmd,
++ rdesc, rsize);
++ if (ret) {
++ hid_err(hid, "reading report descriptor failed\n");
++ kfree(rdesc);
++ return -EIO;
++ }
+ }
+
+ i2c_hid_dbg(ihid, "Report Descriptor: %*ph\n", rsize, rdesc);
+
+ ret = hid_parse_report(hid, rdesc, rsize);
+- kfree(rdesc);
++ if (!use_override)
++ kfree(rdesc);
++
+ if (ret) {
+ dbg_hid("parsing report descriptor failed\n");
+ return ret;
+@@ -851,12 +864,19 @@ static int i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid)
+ int ret;
+
+ /* i2c hid fetch using a fixed descriptor size (30 bytes) */
+- i2c_hid_dbg(ihid, "Fetching the HID descriptor\n");
+- ret = i2c_hid_command(client, &hid_descr_cmd, ihid->hdesc_buffer,
+- sizeof(struct i2c_hid_desc));
+- if (ret) {
+- dev_err(&client->dev, "hid_descr_cmd failed\n");
+- return -ENODEV;
++ if (i2c_hid_get_dmi_i2c_hid_desc_override(client->name)) {
++ i2c_hid_dbg(ihid, "Using a HID descriptor override\n");
++ ihid->hdesc =
++ *i2c_hid_get_dmi_i2c_hid_desc_override(client->name);
++ } else {
++ i2c_hid_dbg(ihid, "Fetching the HID descriptor\n");
++ ret = i2c_hid_command(client, &hid_descr_cmd,
++ ihid->hdesc_buffer,
++ sizeof(struct i2c_hid_desc));
++ if (ret) {
++ dev_err(&client->dev, "hid_descr_cmd failed\n");
++ return -ENODEV;
++ }
+ }
+
+ /* Validate the length of HID descriptor, the 4 first bytes:
+diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+new file mode 100644
+index 000000000000..1d645c9ab417
+--- /dev/null
++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+@@ -0,0 +1,376 @@
++// SPDX-License-Identifier: GPL-2.0+
++
++/*
++ * Quirks for I2C-HID devices that do not supply proper descriptors
++ *
++ * Copyright (c) 2018 Julian Sax <jsbc@gmx.de>
++ *
++ */
++
++#include <linux/types.h>
++#include <linux/dmi.h>
++#include <linux/mod_devicetable.h>
++
++#include "i2c-hid.h"
++
++
++struct i2c_hid_desc_override {
++ union {
++ struct i2c_hid_desc *i2c_hid_desc;
++ uint8_t *i2c_hid_desc_buffer;
++ };
++ uint8_t *hid_report_desc;
++ unsigned int hid_report_desc_size;
++ uint8_t *i2c_name;
++};
++
++
++/*
++ * descriptors for the SIPODEV SP1064 touchpad
++ *
++ * This device does not supply any descriptors and on windows a filter
++ * driver operates between the i2c-hid layer and the device and injects
++ * these descriptors when the device is prompted. The descriptors were
++ * extracted by listening to the i2c-hid traffic that occurs between the
++ * windows filter driver and the windows i2c-hid driver.
++ */
++
++static const struct i2c_hid_desc_override sipodev_desc = {
++ .i2c_hid_desc_buffer = (uint8_t [])
++ {0x1e, 0x00, /* Length of descriptor */
++ 0x00, 0x01, /* Version of descriptor */
++ 0xdb, 0x01, /* Length of report descriptor */
++ 0x21, 0x00, /* Location of report descriptor */
++ 0x24, 0x00, /* Location of input report */
++ 0x1b, 0x00, /* Max input report length */
++ 0x25, 0x00, /* Location of output report */
++ 0x11, 0x00, /* Max output report length */
++ 0x22, 0x00, /* Location of command register */
++ 0x23, 0x00, /* Location of data register */
++ 0x11, 0x09, /* Vendor ID */
++ 0x88, 0x52, /* Product ID */
++ 0x06, 0x00, /* Version ID */
++ 0x00, 0x00, 0x00, 0x00 /* Reserved */
++ },
++
++ .hid_report_desc = (uint8_t [])
++ {0x05, 0x01, /* Usage Page (Desktop), */
++ 0x09, 0x02, /* Usage (Mouse), */
++ 0xA1, 0x01, /* Collection (Application), */
++ 0x85, 0x01, /* Report ID (1), */
++ 0x09, 0x01, /* Usage (Pointer), */
++ 0xA1, 0x00, /* Collection (Physical), */
++ 0x05, 0x09, /* Usage Page (Button), */
++ 0x19, 0x01, /* Usage Minimum (01h), */
++ 0x29, 0x02, /* Usage Maximum (02h), */
++ 0x25, 0x01, /* Logical Maximum (1), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x95, 0x06, /* Report Count (6), */
++ 0x81, 0x01, /* Input (Constant), */
++ 0x05, 0x01, /* Usage Page (Desktop), */
++ 0x09, 0x30, /* Usage (X), */
++ 0x09, 0x31, /* Usage (Y), */
++ 0x15, 0x81, /* Logical Minimum (-127), */
++ 0x25, 0x7F, /* Logical Maximum (127), */
++ 0x75, 0x08, /* Report Size (8), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0x81, 0x06, /* Input (Variable, Relative), */
++ 0xC0, /* End Collection, */
++ 0xC0, /* End Collection, */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x09, 0x05, /* Usage (Touchpad), */
++ 0xA1, 0x01, /* Collection (Application), */
++ 0x85, 0x04, /* Report ID (4), */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x09, 0x22, /* Usage (Finger), */
++ 0xA1, 0x02, /* Collection (Logical), */
++ 0x15, 0x00, /* Logical Minimum (0), */
++ 0x25, 0x01, /* Logical Maximum (1), */
++ 0x09, 0x47, /* Usage (Touch Valid), */
++ 0x09, 0x42, /* Usage (Tip Switch), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x75, 0x03, /* Report Size (3), */
++ 0x25, 0x05, /* Logical Maximum (5), */
++ 0x09, 0x51, /* Usage (Contact Identifier), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x95, 0x03, /* Report Count (3), */
++ 0x81, 0x03, /* Input (Constant, Variable), */
++ 0x05, 0x01, /* Usage Page (Desktop), */
++ 0x26, 0x44, 0x0A, /* Logical Maximum (2628), */
++ 0x75, 0x10, /* Report Size (16), */
++ 0x55, 0x0E, /* Unit Exponent (14), */
++ 0x65, 0x11, /* Unit (Centimeter), */
++ 0x09, 0x30, /* Usage (X), */
++ 0x46, 0x1A, 0x04, /* Physical Maximum (1050), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x46, 0xBC, 0x02, /* Physical Maximum (700), */
++ 0x26, 0x34, 0x05, /* Logical Maximum (1332), */
++ 0x09, 0x31, /* Usage (Y), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0xC0, /* End Collection, */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x09, 0x22, /* Usage (Finger), */
++ 0xA1, 0x02, /* Collection (Logical), */
++ 0x25, 0x01, /* Logical Maximum (1), */
++ 0x09, 0x47, /* Usage (Touch Valid), */
++ 0x09, 0x42, /* Usage (Tip Switch), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x75, 0x03, /* Report Size (3), */
++ 0x25, 0x05, /* Logical Maximum (5), */
++ 0x09, 0x51, /* Usage (Contact Identifier), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x95, 0x03, /* Report Count (3), */
++ 0x81, 0x03, /* Input (Constant, Variable), */
++ 0x05, 0x01, /* Usage Page (Desktop), */
++ 0x26, 0x44, 0x0A, /* Logical Maximum (2628), */
++ 0x75, 0x10, /* Report Size (16), */
++ 0x09, 0x30, /* Usage (X), */
++ 0x46, 0x1A, 0x04, /* Physical Maximum (1050), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x46, 0xBC, 0x02, /* Physical Maximum (700), */
++ 0x26, 0x34, 0x05, /* Logical Maximum (1332), */
++ 0x09, 0x31, /* Usage (Y), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0xC0, /* End Collection, */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x09, 0x22, /* Usage (Finger), */
++ 0xA1, 0x02, /* Collection (Logical), */
++ 0x25, 0x01, /* Logical Maximum (1), */
++ 0x09, 0x47, /* Usage (Touch Valid), */
++ 0x09, 0x42, /* Usage (Tip Switch), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x75, 0x03, /* Report Size (3), */
++ 0x25, 0x05, /* Logical Maximum (5), */
++ 0x09, 0x51, /* Usage (Contact Identifier), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x95, 0x03, /* Report Count (3), */
++ 0x81, 0x03, /* Input (Constant, Variable), */
++ 0x05, 0x01, /* Usage Page (Desktop), */
++ 0x26, 0x44, 0x0A, /* Logical Maximum (2628), */
++ 0x75, 0x10, /* Report Size (16), */
++ 0x09, 0x30, /* Usage (X), */
++ 0x46, 0x1A, 0x04, /* Physical Maximum (1050), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x46, 0xBC, 0x02, /* Physical Maximum (700), */
++ 0x26, 0x34, 0x05, /* Logical Maximum (1332), */
++ 0x09, 0x31, /* Usage (Y), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0xC0, /* End Collection, */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x09, 0x22, /* Usage (Finger), */
++ 0xA1, 0x02, /* Collection (Logical), */
++ 0x25, 0x01, /* Logical Maximum (1), */
++ 0x09, 0x47, /* Usage (Touch Valid), */
++ 0x09, 0x42, /* Usage (Tip Switch), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x75, 0x03, /* Report Size (3), */
++ 0x25, 0x05, /* Logical Maximum (5), */
++ 0x09, 0x51, /* Usage (Contact Identifier), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x95, 0x03, /* Report Count (3), */
++ 0x81, 0x03, /* Input (Constant, Variable), */
++ 0x05, 0x01, /* Usage Page (Desktop), */
++ 0x26, 0x44, 0x0A, /* Logical Maximum (2628), */
++ 0x75, 0x10, /* Report Size (16), */
++ 0x09, 0x30, /* Usage (X), */
++ 0x46, 0x1A, 0x04, /* Physical Maximum (1050), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x46, 0xBC, 0x02, /* Physical Maximum (700), */
++ 0x26, 0x34, 0x05, /* Logical Maximum (1332), */
++ 0x09, 0x31, /* Usage (Y), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0xC0, /* End Collection, */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x55, 0x0C, /* Unit Exponent (12), */
++ 0x66, 0x01, 0x10, /* Unit (Seconds), */
++ 0x47, 0xFF, 0xFF, 0x00, 0x00,/* Physical Maximum (65535), */
++ 0x27, 0xFF, 0xFF, 0x00, 0x00,/* Logical Maximum (65535), */
++ 0x75, 0x10, /* Report Size (16), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x09, 0x56, /* Usage (Scan Time), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x09, 0x54, /* Usage (Contact Count), */
++ 0x25, 0x7F, /* Logical Maximum (127), */
++ 0x75, 0x08, /* Report Size (8), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x05, 0x09, /* Usage Page (Button), */
++ 0x09, 0x01, /* Usage (01h), */
++ 0x25, 0x01, /* Logical Maximum (1), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x81, 0x02, /* Input (Variable), */
++ 0x95, 0x07, /* Report Count (7), */
++ 0x81, 0x03, /* Input (Constant, Variable), */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x85, 0x02, /* Report ID (2), */
++ 0x09, 0x55, /* Usage (Contact Count Maximum), */
++ 0x09, 0x59, /* Usage (59h), */
++ 0x75, 0x04, /* Report Size (4), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0x25, 0x0F, /* Logical Maximum (15), */
++ 0xB1, 0x02, /* Feature (Variable), */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x85, 0x07, /* Report ID (7), */
++ 0x09, 0x60, /* Usage (60h), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0x25, 0x01, /* Logical Maximum (1), */
++ 0xB1, 0x02, /* Feature (Variable), */
++ 0x95, 0x07, /* Report Count (7), */
++ 0xB1, 0x03, /* Feature (Constant, Variable), */
++ 0x85, 0x06, /* Report ID (6), */
++ 0x06, 0x00, 0xFF, /* Usage Page (FF00h), */
++ 0x09, 0xC5, /* Usage (C5h), */
++ 0x26, 0xFF, 0x00, /* Logical Maximum (255), */
++ 0x75, 0x08, /* Report Size (8), */
++ 0x96, 0x00, 0x01, /* Report Count (256), */
++ 0xB1, 0x02, /* Feature (Variable), */
++ 0xC0, /* End Collection, */
++ 0x06, 0x00, 0xFF, /* Usage Page (FF00h), */
++ 0x09, 0x01, /* Usage (01h), */
++ 0xA1, 0x01, /* Collection (Application), */
++ 0x85, 0x0D, /* Report ID (13), */
++ 0x26, 0xFF, 0x00, /* Logical Maximum (255), */
++ 0x19, 0x01, /* Usage Minimum (01h), */
++ 0x29, 0x02, /* Usage Maximum (02h), */
++ 0x75, 0x08, /* Report Size (8), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0xB1, 0x02, /* Feature (Variable), */
++ 0xC0, /* End Collection, */
++ 0x05, 0x0D, /* Usage Page (Digitizer), */
++ 0x09, 0x0E, /* Usage (Configuration), */
++ 0xA1, 0x01, /* Collection (Application), */
++ 0x85, 0x03, /* Report ID (3), */
++ 0x09, 0x22, /* Usage (Finger), */
++ 0xA1, 0x02, /* Collection (Logical), */
++ 0x09, 0x52, /* Usage (Device Mode), */
++ 0x25, 0x0A, /* Logical Maximum (10), */
++ 0x95, 0x01, /* Report Count (1), */
++ 0xB1, 0x02, /* Feature (Variable), */
++ 0xC0, /* End Collection, */
++ 0x09, 0x22, /* Usage (Finger), */
++ 0xA1, 0x00, /* Collection (Physical), */
++ 0x85, 0x05, /* Report ID (5), */
++ 0x09, 0x57, /* Usage (57h), */
++ 0x09, 0x58, /* Usage (58h), */
++ 0x75, 0x01, /* Report Size (1), */
++ 0x95, 0x02, /* Report Count (2), */
++ 0x25, 0x01, /* Logical Maximum (1), */
++ 0xB1, 0x02, /* Feature (Variable), */
++ 0x95, 0x06, /* Report Count (6), */
++ 0xB1, 0x03, /* Feature (Constant, Variable),*/
++ 0xC0, /* End Collection, */
++ 0xC0 /* End Collection */
++ },
++ .hid_report_desc_size = 475,
++ .i2c_name = "SYNA3602:00"
++};
++
++
++static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = {
++ {
++ .ident = "Teclast F6 Pro",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TECLAST"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "F6 Pro"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
++ {
++ .ident = "Teclast F7",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TECLAST"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "F7"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
++ {
++ .ident = "Trekstor Primebook C13",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TREKSTOR"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Primebook C13"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
++ {
++ .ident = "Trekstor Primebook C11",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TREKSTOR"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Primebook C11"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
++ {
++ .ident = "Direkt-Tek DTLAPY116-2",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Direkt-Tek"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "DTLAPY116-2"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
++ {
++ .ident = "Mediacom Flexbook Edge 11",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "MEDIACOM"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "FlexBook edge11 - M-FBE11"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ }
++};
++
++
++struct i2c_hid_desc *i2c_hid_get_dmi_i2c_hid_desc_override(uint8_t *i2c_name)
++{
++ struct i2c_hid_desc_override *override;
++ const struct dmi_system_id *system_id;
++
++ system_id = dmi_first_match(i2c_hid_dmi_desc_override_table);
++ if (!system_id)
++ return NULL;
++
++ override = system_id->driver_data;
++ if (strcmp(override->i2c_name, i2c_name))
++ return NULL;
++
++ return override->i2c_hid_desc;
++}
++
++char *i2c_hid_get_dmi_hid_report_desc_override(uint8_t *i2c_name,
++ unsigned int *size)
++{
++ struct i2c_hid_desc_override *override;
++ const struct dmi_system_id *system_id;
++
++ system_id = dmi_first_match(i2c_hid_dmi_desc_override_table);
++ if (!system_id)
++ return NULL;
++
++ override = system_id->driver_data;
++ if (strcmp(override->i2c_name, i2c_name))
++ return NULL;
++
++ *size = override->hid_report_desc_size;
++ return override->hid_report_desc;
++}
+diff --git a/drivers/hid/i2c-hid/i2c-hid.h b/drivers/hid/i2c-hid/i2c-hid.h
+new file mode 100644
+index 000000000000..a8c19aef5824
+--- /dev/null
++++ b/drivers/hid/i2c-hid/i2c-hid.h
+@@ -0,0 +1,20 @@
++/* SPDX-License-Identifier: GPL-2.0+ */
++
++#ifndef I2C_HID_H
++#define I2C_HID_H
++
++
++#ifdef CONFIG_DMI
++struct i2c_hid_desc *i2c_hid_get_dmi_i2c_hid_desc_override(uint8_t *i2c_name);
++char *i2c_hid_get_dmi_hid_report_desc_override(uint8_t *i2c_name,
++ unsigned int *size);
++#else
++static inline struct i2c_hid_desc
++ *i2c_hid_get_dmi_i2c_hid_desc_override(uint8_t *i2c_name)
++{ return NULL; }
++static inline char *i2c_hid_get_dmi_hid_report_desc_override(uint8_t *i2c_name,
++ unsigned int *size)
++{ return NULL; }
++#endif
++
++#endif
+--
+2.19.1
+
--- /dev/null
+From a709f9670e9281d164aae5e43dd26c8cbedbef78 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 11 Oct 2018 15:56:33 +0800
+Subject: HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2
+
+[ Upstream commit ce9d58d3eafcb2d452a69bdcc1c5f8b8ff640de5 ]
+
+Redragon Seymur 2 stops working since commit 190d7f02ce8e ("HID: input:
+do not increment usages when a duplicate is found").
+
+Use quirk HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE suggested by the commit
+can solve the issue.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200995
+BugLink: https://bugs.launchpad.net/bugs/1793846
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index b7870e7e41d4..97d33b8ed36c 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -348,6 +348,7 @@
+ #define USB_DEVICE_ID_DMI_ENC 0x5fab
+
+ #define USB_VENDOR_ID_DRAGONRISE 0x0079
++#define USB_DEVICE_ID_REDRAGON_SEYMUR2 0x0006
+ #define USB_DEVICE_ID_DRAGONRISE_WIIU 0x1800
+ #define USB_DEVICE_ID_DRAGONRISE_PS3 0x1801
+ #define USB_DEVICE_ID_DRAGONRISE_DOLPHINBAR 0x1803
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 77316f022c5a..94088c0ed68a 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -70,6 +70,7 @@ static const struct hid_device_id hid_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_2NES2SNES), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_4NES4SNES), HID_QUIRK_MULTI_INPUT },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_REDRAGON_SEYMUR2), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_DOLPHINBAR), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_GAMECUBE1), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3), HID_QUIRK_MULTI_INPUT },
+--
+2.19.1
+
--- /dev/null
+From db63e3afaf1509efc212a1216f7cb21e9a3bfade Mon Sep 17 00:00:00 2001
+From: Feng Tang <feng.tang@intel.com>
+Date: Thu, 14 Mar 2019 18:37:29 +0800
+Subject: i40iw: Avoid panic when handling the inetdev event
+
+[ Upstream commit ec4fe4bcc584b55e24e8d1768f5510a62c0fd619 ]
+
+There is a panic reported that on a system with x722 ethernet, when doing
+the operations like:
+
+ # ip link add br0 type bridge
+ # ip link set eno1 master br0
+ # systemctl restart systemd-networkd
+
+The system will panic "BUG: unable to handle kernel null pointer
+dereference at 0000000000000034", with call chain:
+
+ i40iw_inetaddr_event
+ notifier_call_chain
+ blocking_notifier_call_chain
+ notifier_call_chain
+ __inet_del_ifa
+ inet_rtm_deladdr
+ rtnetlink_rcv_msg
+ netlink_rcv_skb
+ rtnetlink_rcv
+ netlink_unicast
+ netlink_sendmsg
+ sock_sendmsg
+ __sys_sendto
+
+It is caused by "local_ipaddr = ntohl(in->ifa_list->ifa_address)", while
+the in->ifa_list is NULL.
+
+So add a check for the "in->ifa_list == NULL" case, and skip the ARP
+operation accordingly.
+
+Signed-off-by: Feng Tang <feng.tang@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/i40iw/i40iw_utils.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_utils.c b/drivers/infiniband/hw/i40iw/i40iw_utils.c
+index a9ea966877f2..dda8e79d4b27 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_utils.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c
+@@ -173,7 +173,12 @@ int i40iw_inetaddr_event(struct notifier_block *notifier,
+
+ rcu_read_lock();
+ in = __in_dev_get_rcu(upper_dev);
+- local_ipaddr = ntohl(in->ifa_list->ifa_address);
++
++ if (!in->ifa_list)
++ local_ipaddr = 0;
++ else
++ local_ipaddr = ntohl(in->ifa_list->ifa_address);
++
+ rcu_read_unlock();
+ } else {
+ local_ipaddr = ntohl(ifa->ifa_address);
+@@ -185,6 +190,11 @@ int i40iw_inetaddr_event(struct notifier_block *notifier,
+ case NETDEV_UP:
+ /* Fall through */
+ case NETDEV_CHANGEADDR:
++
++ /* Just skip if no need to handle ARP cache */
++ if (!local_ipaddr)
++ break;
++
+ i40iw_manage_arp_cache(iwdev,
+ netdev->dev_addr,
+ &local_ipaddr,
+--
+2.19.1
+
--- /dev/null
+From 1f980cbd1772189784e8beea5a229cb92c24cb96 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 6 Mar 2019 19:17:56 +0200
+Subject: IB/mlx4: Fix race condition between catas error reset and aliasguid
+ flows
+
+[ Upstream commit 587443e7773e150ae29e643ee8f41a1eed226565 ]
+
+Code review revealed a race condition which could allow the catas error
+flow to interrupt the alias guid query post mechanism at random points.
+Thiis is fixed by doing cancel_delayed_work_sync() instead of
+cancel_delayed_work() during the alias guid mechanism destroy flow.
+
+Fixes: a0c64a17aba8 ("mlx4: Add alias_guid mechanism")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/alias_GUID.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c
+index 155b4dfc0ae8..baab9afa9174 100644
+--- a/drivers/infiniband/hw/mlx4/alias_GUID.c
++++ b/drivers/infiniband/hw/mlx4/alias_GUID.c
+@@ -804,8 +804,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev)
+ unsigned long flags;
+
+ for (i = 0 ; i < dev->num_ports; i++) {
+- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work);
+ det = &sriov->alias_guid.ports_guid[i];
++ cancel_delayed_work_sync(&det->alias_guid_work);
+ spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags);
+ while (!list_empty(&det->cb_list)) {
+ cb_ctx = list_entry(det->cb_list.next,
+--
+2.19.1
+
--- /dev/null
+From 85cd21d4b543bfd7363d5971844c4b58e13266d4 Mon Sep 17 00:00:00 2001
+From: Pi-Hsun Shih <pihsun@chromium.org>
+Date: Wed, 13 Mar 2019 11:44:33 -0700
+Subject: include/linux/swap.h: use offsetof() instead of custom __swapoffset
+ macro
+
+[ Upstream commit a4046c06be50a4f01d435aa7fe57514818e6cc82 ]
+
+Use offsetof() to calculate offset of a field to take advantage of
+compiler built-in version when possible, and avoid UBSAN warning when
+compiling with Clang:
+
+ UBSAN: Undefined behaviour in mm/swapfile.c:3010:38
+ member access within null pointer of type 'union swap_header'
+ CPU: 6 PID: 1833 Comm: swapon Tainted: G S 4.19.23 #43
+ Call trace:
+ dump_backtrace+0x0/0x194
+ show_stack+0x20/0x2c
+ __dump_stack+0x20/0x28
+ dump_stack+0x70/0x94
+ ubsan_epilogue+0x14/0x44
+ ubsan_type_mismatch_common+0xf4/0xfc
+ __ubsan_handle_type_mismatch_v1+0x34/0x54
+ __se_sys_swapon+0x654/0x1084
+ __arm64_sys_swapon+0x1c/0x24
+ el0_svc_common+0xa8/0x150
+ el0_svc_compat_handler+0x2c/0x38
+ el0_svc_compat+0x8/0x18
+
+Link: http://lkml.kernel.org/r/20190312081902.223764-1-pihsun@chromium.org
+Signed-off-by: Pi-Hsun Shih <pihsun@chromium.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/swap.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/swap.h b/include/linux/swap.h
+index 77221c16733a..7bd0a6f2ac2b 100644
+--- a/include/linux/swap.h
++++ b/include/linux/swap.h
+@@ -155,9 +155,9 @@ struct swap_extent {
+ /*
+ * Max bad pages in the new format..
+ */
+-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x)
+ #define MAX_SWAP_BADPAGES \
+- ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / sizeof(int))
++ ((offsetof(union swap_header, magic.magic) - \
++ offsetof(union swap_header, info.badpages)) / sizeof(int))
+
+ enum {
+ SWP_USED = (1 << 0), /* is slot in swap_info[] used? */
+--
+2.19.1
+
--- /dev/null
+From 05350815b3ef9f5ae6a6e06e376b7d1d328fde78 Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Sat, 2 Mar 2019 09:17:32 +0800
+Subject: inotify: Fix fsnotify_mark refcount leak in
+ inotify_update_existing_watch()
+
+[ Upstream commit 62c9d2674b31d4c8a674bee86b7edc6da2803aea ]
+
+Commit 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for
+inotify_add_watch()") forgot to call fsnotify_put_mark() with
+IN_MASK_CREATE after fsnotify_find_mark()
+
+Fixes: 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()")
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/notify/inotify/inotify_user.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
+index 780bba695453..97a51690338e 100644
+--- a/fs/notify/inotify/inotify_user.c
++++ b/fs/notify/inotify/inotify_user.c
+@@ -519,8 +519,10 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
+ fsn_mark = fsnotify_find_mark(&inode->i_fsnotify_marks, group);
+ if (!fsn_mark)
+ return -ENOENT;
+- else if (create)
+- return -EEXIST;
++ else if (create) {
++ ret = -EEXIST;
++ goto out;
++ }
+
+ i_mark = container_of(fsn_mark, struct inotify_inode_mark, fsn_mark);
+
+@@ -548,6 +550,7 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
+ /* return the wd */
+ ret = i_mark->wd;
+
++out:
+ /* match the get from fsnotify_find_mark() */
+ fsnotify_put_mark(fsn_mark);
+
+--
+2.19.1
+
--- /dev/null
+From 5b1697c6c7253f0ac991eaf9bb2dab91a5ff46ca Mon Sep 17 00:00:00 2001
+From: Julia Cartwright <julia@ni.com>
+Date: Wed, 20 Feb 2019 16:46:31 +0000
+Subject: iommu/dmar: Fix buffer overflow during PCI bus notification
+
+[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]
+
+Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI
+device path") changed the type of the path data, however, the change in
+path type was not reflected in size calculations. Update to use the
+correct type and prevent a buffer overflow.
+
+This bug manifests in systems with deep PCI hierarchies, and can lead to
+an overflow of the static allocated buffer (dmar_pci_notify_info_buf),
+or can lead to overflow of slab-allocated data.
+
+ BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
+ Write of size 1 at addr ffffffff90445d80 by task swapper/0/1
+ CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1
+ Call Trace:
+ ? dump_stack+0x46/0x59
+ ? print_address_description+0x1df/0x290
+ ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
+ ? kasan_report+0x256/0x340
+ ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
+ ? e820__memblock_setup+0xb0/0xb0
+ ? dmar_dev_scope_init+0x424/0x48f
+ ? __down_write_common+0x1ec/0x230
+ ? dmar_dev_scope_init+0x48f/0x48f
+ ? dmar_free_unused_resources+0x109/0x109
+ ? cpumask_next+0x16/0x20
+ ? __kmem_cache_create+0x392/0x430
+ ? kmem_cache_create+0x135/0x2f0
+ ? e820__memblock_setup+0xb0/0xb0
+ ? intel_iommu_init+0x170/0x1848
+ ? _raw_spin_unlock_irqrestore+0x32/0x60
+ ? migrate_enable+0x27a/0x5b0
+ ? sched_setattr+0x20/0x20
+ ? migrate_disable+0x1fc/0x380
+ ? task_rq_lock+0x170/0x170
+ ? try_to_run_init_process+0x40/0x40
+ ? locks_remove_file+0x85/0x2f0
+ ? dev_prepare_static_identity_mapping+0x78/0x78
+ ? rt_spin_unlock+0x39/0x50
+ ? lockref_put_or_lock+0x2a/0x40
+ ? dput+0x128/0x2f0
+ ? __rcu_read_unlock+0x66/0x80
+ ? __fput+0x250/0x300
+ ? __rcu_read_lock+0x1b/0x30
+ ? mntput_no_expire+0x38/0x290
+ ? e820__memblock_setup+0xb0/0xb0
+ ? pci_iommu_init+0x25/0x63
+ ? pci_iommu_init+0x25/0x63
+ ? do_one_initcall+0x7e/0x1c0
+ ? initcall_blacklisted+0x120/0x120
+ ? kernel_init_freeable+0x27b/0x307
+ ? rest_init+0xd0/0xd0
+ ? kernel_init+0xf/0x120
+ ? rest_init+0xd0/0xd0
+ ? ret_from_fork+0x1f/0x40
+ The buggy address belongs to the variable:
+ dmar_pci_notify_info_buf+0x40/0x60
+
+Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path")
+Signed-off-by: Julia Cartwright <julia@ni.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/dmar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
+index d9c748b6f9e4..7f9824b0609e 100644
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -144,7 +144,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event)
+ for (tmp = dev; tmp; tmp = tmp->bus->self)
+ level++;
+
+- size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path);
++ size = sizeof(*info) + level * sizeof(info->path[0]);
+ if (size <= sizeof(dmar_pci_notify_info_buf)) {
+ info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf;
+ } else {
+--
+2.19.1
+
--- /dev/null
+From a2dddae3f281fdaf8a539d56c41292c34e16dd51 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Wed, 20 Mar 2019 09:58:33 +0800
+Subject: iommu/vt-d: Check capability before disabling protected memory
+
+[ Upstream commit 5bb71fc790a88d063507dc5d445ab8b14e845591 ]
+
+The spec states in 10.4.16 that the Protected Memory Enable
+Register should be treated as read-only for implementations
+not supporting protected memory regions (PLMR and PHMR fields
+reported as Clear in the Capability register).
+
+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: mark gross <mgross@intel.com>
+Suggested-by: Ashok Raj <ashok.raj@intel.com>
+Fixes: f8bab73515ca5 ("intel-iommu: PMEN support")
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel-iommu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index 2b8f5ebae821..603bf5233a99 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -1624,6 +1624,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu)
+ u32 pmen;
+ unsigned long flags;
+
++ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap))
++ return;
++
+ raw_spin_lock_irqsave(&iommu->register_lock, flags);
+ pmen = readl(iommu->reg + DMAR_PMEN_REG);
+ pmen &= ~DMA_PMEN_EPM;
+--
+2.19.1
+
--- /dev/null
+From 761953d06cf00e7b50972889752cc9898f4bcc1b Mon Sep 17 00:00:00 2001
+From: Jianguo Chen <chenjianguo3@huawei.com>
+Date: Wed, 20 Mar 2019 18:54:21 +0000
+Subject: irqchip/mbigen: Don't clear eventid when freeing an MSI
+
+[ Upstream commit fca269f201a8d9985c0a31fb60b15d4eb57cef80 ]
+
+mbigen_write_msg clears eventid bits of a mbigen register
+when free a interrupt, because msi_domain_deactivate memset
+struct msg to zero. Then multiple mbigen pins with zero eventid
+will report the same interrupt number.
+
+The eventid clear call trace:
+ free_irq
+ __free_irq
+ irq_shutdown
+ irq_domain_deactivate_irq
+ __irq_domain_deactivate_irq
+ __irq_domain_deactivate_irq
+ msi_domain_deactivate
+ platform_msi_write_msg
+ mbigen_write_msg
+
+Signed-off-by: Jianguo Chen <chenjianguo3@huawei.com>
+[maz: massaged subject]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mbigen.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c
+index 567b29c47608..98b6e1d4b1a6 100644
+--- a/drivers/irqchip/irq-mbigen.c
++++ b/drivers/irqchip/irq-mbigen.c
+@@ -161,6 +161,9 @@ static void mbigen_write_msg(struct msi_desc *desc, struct msi_msg *msg)
+ void __iomem *base = d->chip_data;
+ u32 val;
+
++ if (!msg->address_lo && !msg->address_hi)
++ return;
++
+ base += get_mbigen_vec_reg(d->hwirq);
+ val = readl_relaxed(base);
+
+--
+2.19.1
+
--- /dev/null
+From 9b4300bdf4115cdbb0e16f9d376bedc475950c60 Mon Sep 17 00:00:00 2001
+From: Fabien Dessenne <fabien.dessenne@st.com>
+Date: Thu, 7 Mar 2019 19:40:35 +0100
+Subject: irqchip/stm32: Don't clear rising/falling config registers at init
+
+[ Upstream commit 0dda09666f50eae9c5b794dd89b1fd8a8d89d714 ]
+
+Falling and rising configuration and status registers are not banked.
+As they are shared with M4 co-processor, they should not be cleared
+at probe time, else M4 co-processor configuration will be lost.
+
+Fixes: f9fc1745501e ("irqchip/stm32: Add host and driver data structures")
+Signed-off-by: Loic Pallardy <loic.pallardy@st.com>
+Signed-off-by: Fabien Dessenne <fabien.dessenne@st.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-stm32-exti.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/irqchip/irq-stm32-exti.c b/drivers/irqchip/irq-stm32-exti.c
+index 0a2088e12d96..97b27f338c30 100644
+--- a/drivers/irqchip/irq-stm32-exti.c
++++ b/drivers/irqchip/irq-stm32-exti.c
+@@ -650,11 +650,6 @@ stm32_exti_chip_data *stm32_exti_chip_init(struct stm32_exti_host_data *h_data,
+ */
+ writel_relaxed(0, base + stm32_bank->imr_ofst);
+ writel_relaxed(0, base + stm32_bank->emr_ofst);
+- writel_relaxed(0, base + stm32_bank->rtsr_ofst);
+- writel_relaxed(0, base + stm32_bank->ftsr_ofst);
+- writel_relaxed(~0UL, base + stm32_bank->rpr_ofst);
+- if (stm32_bank->fpr_ofst != UNDEF_REG)
+- writel_relaxed(~0UL, base + stm32_bank->fpr_ofst);
+
+ pr_info("%s: bank%d, External IRQs available:%#x\n",
+ node->full_name, bank_idx, irqs_mask);
+--
+2.19.1
+
--- /dev/null
+From ffa058de9949bb763f8e4af34d2a6052b199cdc1 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Wed, 17 Oct 2018 13:23:55 +0200
+Subject: kernel: hung_task.c: disable on suspend
+
+[ Upstream commit a1c6ca3c6de763459a6e93b644ec6518c890ba1c ]
+
+It is possible to observe hung_task complaints when system goes to
+suspend-to-idle state:
+
+ # echo freeze > /sys/power/state
+
+ PM: Syncing filesystems ... done.
+ Freezing user space processes ... (elapsed 0.001 seconds) done.
+ OOM killer disabled.
+ Freezing remaining freezable tasks ... (elapsed 0.002 seconds) done.
+ sd 0:0:0:0: [sda] Synchronizing SCSI cache
+ INFO: task bash:1569 blocked for more than 120 seconds.
+ Not tainted 4.19.0-rc3_+ #687
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ bash D 0 1569 604 0x00000000
+ Call Trace:
+ ? __schedule+0x1fe/0x7e0
+ schedule+0x28/0x80
+ suspend_devices_and_enter+0x4ac/0x750
+ pm_suspend+0x2c0/0x310
+
+Register a PM notifier to disable the detector on suspend and re-enable
+back on wakeup.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/hung_task.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/hung_task.c b/kernel/hung_task.c
+index 9eca2371f189..4a9191617076 100644
+--- a/kernel/hung_task.c
++++ b/kernel/hung_task.c
+@@ -15,6 +15,7 @@
+ #include <linux/lockdep.h>
+ #include <linux/export.h>
+ #include <linux/sysctl.h>
++#include <linux/suspend.h>
+ #include <linux/utsname.h>
+ #include <linux/sched/signal.h>
+ #include <linux/sched/debug.h>
+@@ -240,6 +241,28 @@ void reset_hung_task_detector(void)
+ }
+ EXPORT_SYMBOL_GPL(reset_hung_task_detector);
+
++static bool hung_detector_suspended;
++
++static int hungtask_pm_notify(struct notifier_block *self,
++ unsigned long action, void *hcpu)
++{
++ switch (action) {
++ case PM_SUSPEND_PREPARE:
++ case PM_HIBERNATION_PREPARE:
++ case PM_RESTORE_PREPARE:
++ hung_detector_suspended = true;
++ break;
++ case PM_POST_SUSPEND:
++ case PM_POST_HIBERNATION:
++ case PM_POST_RESTORE:
++ hung_detector_suspended = false;
++ break;
++ default:
++ break;
++ }
++ return NOTIFY_OK;
++}
++
+ /*
+ * kthread which checks for tasks stuck in D state
+ */
+@@ -259,7 +282,8 @@ static int watchdog(void *dummy)
+ interval = min_t(unsigned long, interval, timeout);
+ t = hung_timeout_jiffies(hung_last_checked, interval);
+ if (t <= 0) {
+- if (!atomic_xchg(&reset_hung_task, 0))
++ if (!atomic_xchg(&reset_hung_task, 0) &&
++ !hung_detector_suspended)
+ check_hung_uninterruptible_tasks(timeout);
+ hung_last_checked = jiffies;
+ continue;
+@@ -273,6 +297,10 @@ static int watchdog(void *dummy)
+ static int __init hung_task_init(void)
+ {
+ atomic_notifier_chain_register(&panic_notifier_list, &panic_block);
++
++ /* Disable hung task detector on suspend */
++ pm_notifier(hungtask_pm_notify, 0);
++
+ watchdog_task = kthread_run(watchdog, NULL, "khungtaskd");
+
+ return 0;
+--
+2.19.1
+
--- /dev/null
+From 81c57f10e4cf7add24e06909d1d218871f7d9953 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 22 Aug 2018 14:57:07 -0700
+Subject: KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit bd18bffca35397214ae68d85cf7203aca25c3c1d ]
+
+A VMEnter that VMFails (as opposed to VMExits) does not touch host
+state beyond registers that are explicitly noted in the VMFail path,
+e.g. EFLAGS. Host state does not need to be loaded because VMFail
+is only signaled for consistency checks that occur before the CPU
+starts to load guest state, i.e. there is no need to restore any
+state as nothing has been modified. But in the case where a VMFail
+is detected by hardware and not by KVM (due to deferring consistency
+checks to hardware), KVM has already loaded some amount of guest
+state. Luckily, "loaded" only means loaded to KVM's software model,
+i.e. vmcs01 has not been modified. So, unwind our software model to
+the pre-VMEntry host state.
+
+Not restoring host state in this VMFail path leads to a variety of
+failures because we end up with stale data in vcpu->arch, e.g. CR0,
+CR4, EFER, etc... will all be out of sync relative to vmcs01. Any
+significant delta in the stale data is all but guaranteed to crash
+L1, e.g. emulation of SMEP, SMAP, UMIP, WP, etc... will be wrong.
+
+An alternative to this "soft" reload would be to load host state from
+vmcs12 as if we triggered a VMExit (as opposed to VMFail), but that is
+wildly inconsistent with respect to the VMX architecture, e.g. an L1
+VMM with separate VMExit and VMFail paths would explode.
+
+Note that this approach does not mean KVM is 100% accurate with
+respect to VMX hardware behavior, even at an architectural level
+(the exact order of consistency checks is microarchitecture specific).
+But 100% emulation accuracy isn't the goal (with this patch), rather
+the goal is to be consistent in the information delivered to L1, e.g.
+a VMExit should not fall-through VMENTER, and a VMFail should not jump
+to HOST_RIP.
+
+This technically reverts commit "5af4157388ad (KVM: nVMX: Fix mmu
+context after VMLAUNCH/VMRESUME failure)", but retains the core
+aspects of that patch, just in an open coded form due to the need to
+pull state from vmcs01 instead of vmcs12. Restoring host state
+resolves a variety of issues introduced by commit "4f350c6dbcb9
+(kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly)",
+which remedied the incorrect behavior of treating VMFail like VMExit
+but in doing so neglected to restore arch state that had been modified
+prior to attempting nested VMEnter.
+
+A sample failure that occurs due to stale vcpu.arch state is a fault
+of some form while emulating an LGDT (due to emulated UMIP) from L1
+after a failed VMEntry to L3, in this case when running the KVM unit
+test test_tpr_threshold_values in L1. L0 also hits a WARN in this
+case due to a stale arch.cr4.UMIP.
+
+L1:
+ BUG: unable to handle kernel paging request at ffffc90000663b9e
+ PGD 276512067 P4D 276512067 PUD 276513067 PMD 274efa067 PTE 8000000271de2163
+ Oops: 0009 [#1] SMP
+ CPU: 5 PID: 12495 Comm: qemu-system-x86 Tainted: G W 4.18.0-rc2+ #2
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:native_load_gdt+0x0/0x10
+
+ ...
+
+ Call Trace:
+ load_fixmap_gdt+0x22/0x30
+ __vmx_load_host_state+0x10e/0x1c0 [kvm_intel]
+ vmx_switch_vmcs+0x2d/0x50 [kvm_intel]
+ nested_vmx_vmexit+0x222/0x9c0 [kvm_intel]
+ vmx_handle_exit+0x246/0x15a0 [kvm_intel]
+ kvm_arch_vcpu_ioctl_run+0x850/0x1830 [kvm]
+ kvm_vcpu_ioctl+0x3a1/0x5c0 [kvm]
+ do_vfs_ioctl+0x9f/0x600
+ ksys_ioctl+0x66/0x70
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x4f/0x100
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+L0:
+ WARNING: CPU: 2 PID: 3529 at arch/x86/kvm/vmx.c:6618 handle_desc+0x28/0x30 [kvm_intel]
+ ...
+ CPU: 2 PID: 3529 Comm: qemu-system-x86 Not tainted 4.17.2-coffee+ #76
+ Hardware name: Intel Corporation Kabylake Client platform/KBL S
+ RIP: 0010:handle_desc+0x28/0x30 [kvm_intel]
+
+ ...
+
+ Call Trace:
+ kvm_arch_vcpu_ioctl_run+0x863/0x1840 [kvm]
+ kvm_vcpu_ioctl+0x3a1/0x5c0 [kvm]
+ do_vfs_ioctl+0x9f/0x5e0
+ ksys_ioctl+0x66/0x70
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x49/0xf0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 5af4157388ad (KVM: nVMX: Fix mmu context after VMLAUNCH/VMRESUME failure)
+Fixes: 4f350c6dbcb9 (kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly)
+Cc: Jim Mattson <jmattson@google.com>
+Cc: Krish Sadhukhan <krish.sadhukhan@oracle.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim KrÄmář <rkrcmar@redhat.com>
+Cc: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 173 +++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 153 insertions(+), 20 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 6b6bcafd1d2c..3380a312d186 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -13181,24 +13181,6 @@ static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
+ kvm_clear_interrupt_queue(vcpu);
+ }
+
+-static void load_vmcs12_mmu_host_state(struct kvm_vcpu *vcpu,
+- struct vmcs12 *vmcs12)
+-{
+- u32 entry_failure_code;
+-
+- nested_ept_uninit_mmu_context(vcpu);
+-
+- /*
+- * Only PDPTE load can fail as the value of cr3 was checked on entry and
+- * couldn't have changed.
+- */
+- if (nested_vmx_load_cr3(vcpu, vmcs12->host_cr3, false, &entry_failure_code))
+- nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_PDPTE_FAIL);
+-
+- if (!enable_ept)
+- vcpu->arch.walk_mmu->inject_page_fault = kvm_inject_page_fault;
+-}
+-
+ /*
+ * A part of what we need to when the nested L2 guest exits and we want to
+ * run its L1 parent, is to reset L1's guest state to the host state specified
+@@ -13212,6 +13194,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
+ struct vmcs12 *vmcs12)
+ {
+ struct kvm_segment seg;
++ u32 entry_failure_code;
+
+ if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_EFER)
+ vcpu->arch.efer = vmcs12->host_ia32_efer;
+@@ -13238,7 +13221,17 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
+ vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
+ vmx_set_cr4(vcpu, vmcs12->host_cr4);
+
+- load_vmcs12_mmu_host_state(vcpu, vmcs12);
++ nested_ept_uninit_mmu_context(vcpu);
++
++ /*
++ * Only PDPTE load can fail as the value of cr3 was checked on entry and
++ * couldn't have changed.
++ */
++ if (nested_vmx_load_cr3(vcpu, vmcs12->host_cr3, false, &entry_failure_code))
++ nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_PDPTE_FAIL);
++
++ if (!enable_ept)
++ vcpu->arch.walk_mmu->inject_page_fault = kvm_inject_page_fault;
+
+ /*
+ * If vmcs01 don't use VPID, CPU flushes TLB on every
+@@ -13334,6 +13327,140 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
+ nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_MSR_FAIL);
+ }
+
++static inline u64 nested_vmx_get_vmcs01_guest_efer(struct vcpu_vmx *vmx)
++{
++ struct shared_msr_entry *efer_msr;
++ unsigned int i;
++
++ if (vm_entry_controls_get(vmx) & VM_ENTRY_LOAD_IA32_EFER)
++ return vmcs_read64(GUEST_IA32_EFER);
++
++ if (cpu_has_load_ia32_efer)
++ return host_efer;
++
++ for (i = 0; i < vmx->msr_autoload.guest.nr; ++i) {
++ if (vmx->msr_autoload.guest.val[i].index == MSR_EFER)
++ return vmx->msr_autoload.guest.val[i].value;
++ }
++
++ efer_msr = find_msr_entry(vmx, MSR_EFER);
++ if (efer_msr)
++ return efer_msr->data;
++
++ return host_efer;
++}
++
++static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu)
++{
++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
++ struct vcpu_vmx *vmx = to_vmx(vcpu);
++ struct vmx_msr_entry g, h;
++ struct msr_data msr;
++ gpa_t gpa;
++ u32 i, j;
++
++ vcpu->arch.pat = vmcs_read64(GUEST_IA32_PAT);
++
++ if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) {
++ /*
++ * L1's host DR7 is lost if KVM_GUESTDBG_USE_HW_BP is set
++ * as vmcs01.GUEST_DR7 contains a userspace defined value
++ * and vcpu->arch.dr7 is not squirreled away before the
++ * nested VMENTER (not worth adding a variable in nested_vmx).
++ */
++ if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)
++ kvm_set_dr(vcpu, 7, DR7_FIXED_1);
++ else
++ WARN_ON(kvm_set_dr(vcpu, 7, vmcs_readl(GUEST_DR7)));
++ }
++
++ /*
++ * Note that calling vmx_set_{efer,cr0,cr4} is important as they
++ * handle a variety of side effects to KVM's software model.
++ */
++ vmx_set_efer(vcpu, nested_vmx_get_vmcs01_guest_efer(vmx));
++
++ vcpu->arch.cr0_guest_owned_bits = X86_CR0_TS;
++ vmx_set_cr0(vcpu, vmcs_readl(CR0_READ_SHADOW));
++
++ vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
++ vmx_set_cr4(vcpu, vmcs_readl(CR4_READ_SHADOW));
++
++ nested_ept_uninit_mmu_context(vcpu);
++ vcpu->arch.cr3 = vmcs_readl(GUEST_CR3);
++ __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail);
++
++ /*
++ * Use ept_save_pdptrs(vcpu) to load the MMU's cached PDPTRs
++ * from vmcs01 (if necessary). The PDPTRs are not loaded on
++ * VMFail, like everything else we just need to ensure our
++ * software model is up-to-date.
++ */
++ ept_save_pdptrs(vcpu);
++
++ kvm_mmu_reset_context(vcpu);
++
++ if (cpu_has_vmx_msr_bitmap())
++ vmx_update_msr_bitmap(vcpu);
++
++ /*
++ * This nasty bit of open coding is a compromise between blindly
++ * loading L1's MSRs using the exit load lists (incorrect emulation
++ * of VMFail), leaving the nested VM's MSRs in the software model
++ * (incorrect behavior) and snapshotting the modified MSRs (too
++ * expensive since the lists are unbound by hardware). For each
++ * MSR that was (prematurely) loaded from the nested VMEntry load
++ * list, reload it from the exit load list if it exists and differs
++ * from the guest value. The intent is to stuff host state as
++ * silently as possible, not to fully process the exit load list.
++ */
++ msr.host_initiated = false;
++ for (i = 0; i < vmcs12->vm_entry_msr_load_count; i++) {
++ gpa = vmcs12->vm_entry_msr_load_addr + (i * sizeof(g));
++ if (kvm_vcpu_read_guest(vcpu, gpa, &g, sizeof(g))) {
++ pr_debug_ratelimited(
++ "%s read MSR index failed (%u, 0x%08llx)\n",
++ __func__, i, gpa);
++ goto vmabort;
++ }
++
++ for (j = 0; j < vmcs12->vm_exit_msr_load_count; j++) {
++ gpa = vmcs12->vm_exit_msr_load_addr + (j * sizeof(h));
++ if (kvm_vcpu_read_guest(vcpu, gpa, &h, sizeof(h))) {
++ pr_debug_ratelimited(
++ "%s read MSR failed (%u, 0x%08llx)\n",
++ __func__, j, gpa);
++ goto vmabort;
++ }
++ if (h.index != g.index)
++ continue;
++ if (h.value == g.value)
++ break;
++
++ if (nested_vmx_load_msr_check(vcpu, &h)) {
++ pr_debug_ratelimited(
++ "%s check failed (%u, 0x%x, 0x%x)\n",
++ __func__, j, h.index, h.reserved);
++ goto vmabort;
++ }
++
++ msr.index = h.index;
++ msr.data = h.value;
++ if (kvm_set_msr(vcpu, &msr)) {
++ pr_debug_ratelimited(
++ "%s WRMSR failed (%u, 0x%x, 0x%llx)\n",
++ __func__, j, h.index, h.value);
++ goto vmabort;
++ }
++ }
++ }
++
++ return;
++
++vmabort:
++ nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_MSR_FAIL);
++}
++
+ /*
+ * Emulate an exit from nested guest (L2) to L1, i.e., prepare to run L1
+ * and modify vmcs12 to make it see what it would expect to see there if
+@@ -13478,7 +13605,13 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
+ */
+ nested_vmx_failValid(vcpu, VMXERR_ENTRY_INVALID_CONTROL_FIELD);
+
+- load_vmcs12_mmu_host_state(vcpu, vmcs12);
++ /*
++ * Restore L1's host state to KVM's software model. We're here
++ * because a consistency check was caught by hardware, which
++ * means some amount of guest state has been propagated to KVM's
++ * model and needs to be unwound to the host's state.
++ */
++ nested_vmx_restore_host_state(vcpu);
+
+ /*
+ * The emulated instruction was already skipped in
+--
+2.19.1
+
--- /dev/null
+From ba504520f037217bf4a85d3282e1691ef2ee6a4b Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 7 Mar 2019 16:28:18 -0800
+Subject: lib/div64.c: off by one in shift
+
+[ Upstream commit cdc94a37493135e355dfc0b0e086d84e3eadb50d ]
+
+fls counts bits starting from 1 to 32 (returns 0 for zero argument). If
+we add 1 we shift right one bit more and loose precision from divisor,
+what cause function incorect results with some numbers.
+
+Corrected code was tested in user-space, see bugzilla:
+ https://bugzilla.kernel.org/show_bug.cgi?id=202391
+
+Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgruszka@redhat.com
+Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms")
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Reported-by: Siarhei Volkau <lis8215@gmail.com>
+Tested-by: Siarhei Volkau <lis8215@gmail.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/div64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/div64.c b/lib/div64.c
+index 01c8602bb6ff..ee146bb4c558 100644
+--- a/lib/div64.c
++++ b/lib/div64.c
+@@ -109,7 +109,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
+ quot = div_u64_rem(dividend, divisor, &rem32);
+ *remainder = rem32;
+ } else {
+- int n = 1 + fls(high);
++ int n = fls(high);
+ quot = div_u64(dividend >> n, divisor >> n);
+
+ if (quot != 0)
+@@ -147,7 +147,7 @@ u64 div64_u64(u64 dividend, u64 divisor)
+ if (high == 0) {
+ quot = div_u64(dividend, divisor);
+ } else {
+- int n = 1 + fls(high);
++ int n = fls(high);
+ quot = div_u64(dividend >> n, divisor >> n);
+
+ if (quot != 0)
+--
+2.19.1
+
--- /dev/null
+From 21400074d6f84dc5d40046ae665bfc9819354791 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Fri, 14 Dec 2018 15:26:20 +0000
+Subject: lkdtm: Add tests for NULL pointer dereference
+
+[ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ]
+
+Introduce lkdtm tests for NULL pointer dereference: check access or exec
+at NULL address, since these errors tend to be reported differently from
+the general fault error text. For example from x86:
+
+ pr_alert("BUG: unable to handle kernel %s at %px\n",
+ address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
+ (void *)address);
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/lkdtm/core.c | 2 ++
+ drivers/misc/lkdtm/lkdtm.h | 2 ++
+ drivers/misc/lkdtm/perms.c | 18 ++++++++++++++++++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
+index 2154d1bfd18b..07caaa2cfe1e 100644
+--- a/drivers/misc/lkdtm/core.c
++++ b/drivers/misc/lkdtm/core.c
+@@ -152,7 +152,9 @@ static const struct crashtype crashtypes[] = {
+ CRASHTYPE(EXEC_VMALLOC),
+ CRASHTYPE(EXEC_RODATA),
+ CRASHTYPE(EXEC_USERSPACE),
++ CRASHTYPE(EXEC_NULL),
+ CRASHTYPE(ACCESS_USERSPACE),
++ CRASHTYPE(ACCESS_NULL),
+ CRASHTYPE(WRITE_RO),
+ CRASHTYPE(WRITE_RO_AFTER_INIT),
+ CRASHTYPE(WRITE_KERN),
+diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
+index 9e513dcfd809..8c3f2e6af256 100644
+--- a/drivers/misc/lkdtm/lkdtm.h
++++ b/drivers/misc/lkdtm/lkdtm.h
+@@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
+ void lkdtm_EXEC_VMALLOC(void);
+ void lkdtm_EXEC_RODATA(void);
+ void lkdtm_EXEC_USERSPACE(void);
++void lkdtm_EXEC_NULL(void);
+ void lkdtm_ACCESS_USERSPACE(void);
++void lkdtm_ACCESS_NULL(void);
+
+ /* lkdtm_refcount.c */
+ void lkdtm_REFCOUNT_INC_OVERFLOW(void);
+diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
+index fa54add6375a..62f76d506f04 100644
+--- a/drivers/misc/lkdtm/perms.c
++++ b/drivers/misc/lkdtm/perms.c
+@@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
+ vm_munmap(user_addr, PAGE_SIZE);
+ }
+
++void lkdtm_EXEC_NULL(void)
++{
++ execute_location(NULL, CODE_AS_IS);
++}
++
+ void lkdtm_ACCESS_USERSPACE(void)
+ {
+ unsigned long user_addr, tmp = 0;
+@@ -195,6 +200,19 @@ void lkdtm_ACCESS_USERSPACE(void)
+ vm_munmap(user_addr, PAGE_SIZE);
+ }
+
++void lkdtm_ACCESS_NULL(void)
++{
++ unsigned long tmp;
++ unsigned long *ptr = (unsigned long *)NULL;
++
++ pr_info("attempting bad read at %px\n", ptr);
++ tmp = *ptr;
++ tmp += 0xc0dec0de;
++
++ pr_info("attempting bad write at %px\n", ptr);
++ *ptr = tmp;
++}
++
+ void __init lkdtm_perms_init(void)
+ {
+ /* Make sure we can write to __ro_after_init values during __init */
+--
+2.19.1
+
--- /dev/null
+From 0459f363746848e31489a2719812f64efd986e9e Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 7 Nov 2018 20:14:10 +0000
+Subject: lkdtm: Print real addresses
+
+[ Upstream commit 4c411157a42f122051ae3469bee0b5cabe89e139 ]
+
+Today, when doing a lkdtm test before the readiness of the
+random generator, (ptrval) is printed instead of the address
+at which it perform the fault:
+
+[ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE
+[ 1597.337142] lkdtm: attempting ok execution at (ptrval)
+[ 1597.337398] lkdtm: attempting bad execution at (ptrval)
+[ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? (uid: 0)
+[ 1597.344769] Unable to handle kernel paging request for instruction fetch
+[ 1597.351392] Faulting instruction address: 0x77858000
+[ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1]
+
+If the lkdtm test is done later on, it prints an hashed address.
+
+In both cases this is pointless. The purpose of the test is to
+ensure the kernel generates an Oops at the expected address,
+so real addresses needs to be printed. This patch fixes that.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/lkdtm/perms.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
+index 53b85c9d16b8..fa54add6375a 100644
+--- a/drivers/misc/lkdtm/perms.c
++++ b/drivers/misc/lkdtm/perms.c
+@@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write)
+ {
+ void (*func)(void) = dst;
+
+- pr_info("attempting ok execution at %p\n", do_nothing);
++ pr_info("attempting ok execution at %px\n", do_nothing);
+ do_nothing();
+
+ if (write == CODE_WRITE) {
+@@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write)
+ flush_icache_range((unsigned long)dst,
+ (unsigned long)dst + EXEC_SIZE);
+ }
+- pr_info("attempting bad execution at %p\n", func);
++ pr_info("attempting bad execution at %px\n", func);
+ func();
+ }
+
+@@ -66,14 +66,14 @@ static void execute_user_location(void *dst)
+ /* Intentionally crossing kernel/user memory boundary. */
+ void (*func)(void) = dst;
+
+- pr_info("attempting ok execution at %p\n", do_nothing);
++ pr_info("attempting ok execution at %px\n", do_nothing);
+ do_nothing();
+
+ copied = access_process_vm(current, (unsigned long)dst, do_nothing,
+ EXEC_SIZE, FOLL_WRITE);
+ if (copied < EXEC_SIZE)
+ return;
+- pr_info("attempting bad execution at %p\n", func);
++ pr_info("attempting bad execution at %px\n", func);
+ func();
+ }
+
+@@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void)
+ /* Explicitly cast away "const" for the test. */
+ unsigned long *ptr = (unsigned long *)&rodata;
+
+- pr_info("attempting bad rodata write at %p\n", ptr);
++ pr_info("attempting bad rodata write at %px\n", ptr);
+ *ptr ^= 0xabcd1234;
+ }
+
+@@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
+ return;
+ }
+
+- pr_info("attempting bad ro_after_init write at %p\n", ptr);
++ pr_info("attempting bad ro_after_init write at %px\n", ptr);
+ *ptr ^= 0xabcd1234;
+ }
+
+@@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void)
+ size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
+ ptr = (unsigned char *)do_overwritten;
+
+- pr_info("attempting bad %zu byte write at %p\n", size, ptr);
++ pr_info("attempting bad %zu byte write at %px\n", size, ptr);
+ memcpy(ptr, (unsigned char *)do_nothing, size);
+ flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
+
+@@ -185,11 +185,11 @@ void lkdtm_ACCESS_USERSPACE(void)
+
+ ptr = (unsigned long *)user_addr;
+
+- pr_info("attempting bad read at %p\n", ptr);
++ pr_info("attempting bad read at %px\n", ptr);
+ tmp = *ptr;
+ tmp += 0xc0dec0de;
+
+- pr_info("attempting bad write at %p\n", ptr);
++ pr_info("attempting bad write at %px\n", ptr);
+ *ptr = tmp;
+
+ vm_munmap(user_addr, PAGE_SIZE);
+--
+2.19.1
+
--- /dev/null
+From 5fa869bad2cc9ca2314eea371eb0ce8df8c0ae58 Mon Sep 17 00:00:00 2001
+From: Brad Love <brad@nextdimension.cc>
+Date: Thu, 6 Sep 2018 17:07:48 -0400
+Subject: media: au0828: cannot kfree dev before usb disconnect
+
+[ Upstream commit 4add7104919f9e94e0db03e234caeadbfcc02ea9 ]
+
+If au0828_analog_register fails, the dev is kfree'd and then flow
+jumps to done, which can call au0828_usb_disconnect. Since all USB
+error codes are negative, au0828_usb_disconnect will be called. The
+problem is au0828_usb_disconnect uses dev, if dev is NULL then there
+is immediate oops encountered.
+
+[ 7.454307] au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
+[ 7.454323] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
+[ 7.454421] PGD 0 P4D 0
+[ 7.454457] Oops: 0002 [#1] SMP PTI
+[ 7.454500] CPU: 1 PID: 262 Comm: systemd-udevd Tainted: P O 4.18.3 #1
+[ 7.454584] Hardware name: Google Panther/Panther, BIOS MattDevo 04/27/2015
+[ 7.454670] RIP: 0010:_raw_spin_lock_irqsave+0x2c/0x50
+[ 7.454725] Code: 44 00 00 55 48 89 e5 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 e8 db 23 1b ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 85 c0 75 08 4c 89 e0 5b 41 5c 5d c3 89 c6 48 89 df e8
+[ 7.455004] RSP: 0018:ffff9130f53ef988 EFLAGS: 00010046
+[ 7.455063] RAX: 0000000000000000 RBX: 0000000000000050 RCX: 0000000000000000
+[ 7.455139] RDX: 0000000000000001 RSI: 0000000000000003 RDI: 0000000000000050
+[ 7.455216] RBP: ffff9130f53ef998 R08: 0000000000000018 R09: 0000000000000090
+[ 7.455292] R10: ffffed4cc53cb000 R11: ffffed4cc53cb108 R12: 0000000000000082
+[ 7.455369] R13: ffff9130cf2c6188 R14: 0000000000000000 R15: 0000000000000018
+[ 7.455447] FS: 00007f2ff8514cc0(0000) GS:ffff9130fcb00000(0000) knlGS:0000000000000000
+[ 7.455535] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 7.455597] CR2: 0000000000000050 CR3: 00000001753f0002 CR4: 00000000000606a0
+[ 7.455675] Call Trace:
+[ 7.455713] __wake_up_common_lock+0x65/0xc0
+[ 7.455764] __wake_up+0x13/0x20
+[ 7.455808] ir_lirc_unregister+0x57/0xe0 [rc_core]
+[ 7.455865] rc_unregister_device+0xa0/0xc0 [rc_core]
+[ 7.455935] au0828_rc_unregister+0x25/0x40 [au0828]
+[ 7.455999] au0828_usb_disconnect+0x33/0x80 [au0828]
+[ 7.456064] au0828_usb_probe.cold.16+0x8d/0x2aa [au0828]
+[ 7.456130] usb_probe_interface+0xf1/0x300
+[ 7.456184] driver_probe_device+0x2e3/0x460
+[ 7.456235] __driver_attach+0xe4/0x110
+[ 7.456282] ? driver_probe_device+0x460/0x460
+[ 7.456335] bus_for_each_dev+0x74/0xb0
+[ 7.456385] ? kmem_cache_alloc_trace+0x15d/0x1d0
+[ 7.456441] driver_attach+0x1e/0x20
+[ 7.456485] bus_add_driver+0x159/0x230
+[ 7.456532] driver_register+0x70/0xc0
+[ 7.456578] usb_register_driver+0x7f/0x140
+[ 7.456626] ? 0xffffffffc0474000
+[ 7.456674] au0828_init+0xbc/0x1000 [au0828]
+[ 7.456725] do_one_initcall+0x4a/0x1c9
+[ 7.456771] ? _cond_resched+0x19/0x30
+[ 7.456817] ? kmem_cache_alloc_trace+0x15d/0x1d0
+[ 7.456873] do_init_module+0x60/0x210
+[ 7.456918] load_module+0x221b/0x2710
+[ 7.456966] ? vfs_read+0xf5/0x120
+[ 7.457010] __do_sys_finit_module+0xbd/0x120
+[ 7.457061] ? __do_sys_finit_module+0xbd/0x120
+[ 7.457115] __x64_sys_finit_module+0x1a/0x20
+[ 7.457166] do_syscall_64+0x5b/0x110
+[ 7.457210] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/au0828/au0828-core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/usb/au0828/au0828-core.c b/drivers/media/usb/au0828/au0828-core.c
+index cd363a2100d4..257ae0d8cfe2 100644
+--- a/drivers/media/usb/au0828/au0828-core.c
++++ b/drivers/media/usb/au0828/au0828-core.c
+@@ -629,7 +629,6 @@ static int au0828_usb_probe(struct usb_interface *interface,
+ pr_err("%s() au0282_dev_register failed to register on V4L2\n",
+ __func__);
+ mutex_unlock(&dev->lock);
+- kfree(dev);
+ goto done;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 0a78a63f1cef6e0947813dddab0b51df658203f5 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 7 Mar 2019 11:10:11 +0100
+Subject: mmc: davinci: remove extraneous __init annotation
+
+[ Upstream commit 9ce58dd7d9da3ca0d7cb8c9568f1c6f4746da65a ]
+
+Building with clang finds a mistaken __init tag:
+
+WARNING: vmlinux.o(.text+0x5e4250): Section mismatch in reference from the function davinci_mmcsd_probe() to the function .init.text:init_mmcsd_host()
+The function davinci_mmcsd_probe() references
+the function __init init_mmcsd_host().
+This is often because davinci_mmcsd_probe lacks a __init
+annotation or the annotation of init_mmcsd_host is wrong.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Wolfram Sang <wsa@the-dreams.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/davinci_mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
+index 9e68c3645e22..e6f14257a7d0 100644
+--- a/drivers/mmc/host/davinci_mmc.c
++++ b/drivers/mmc/host/davinci_mmc.c
+@@ -1117,7 +1117,7 @@ static inline void mmc_davinci_cpufreq_deregister(struct mmc_davinci_host *host)
+ {
+ }
+ #endif
+-static void __init init_mmcsd_host(struct mmc_davinci_host *host)
++static void init_mmcsd_host(struct mmc_davinci_host *host)
+ {
+
+ mmc_davinci_reset_ctrl(host, 1);
+--
+2.19.1
+
--- /dev/null
+From 867226f25eb7af71daec87a948a4fb1294ee16af Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Wed, 20 Feb 2019 09:23:03 +0100
+Subject: net: ip6_gre: fix possible NULL pointer dereference in
+ ip6erspan_set_version
+
+[ Upstream commit efcc9bcaf77c07df01371a7c34e50424c291f3ac ]
+
+Fix a possible NULL pointer dereference in ip6erspan_set_version checking
+nlattr data pointer
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 7549 Comm: syz-executor432 Not tainted 5.0.0-rc6-next-20190218
+#37
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:ip6erspan_set_version+0x5c/0x350 net/ipv6/ip6_gre.c:1726
+Code: 07 38 d0 7f 08 84 c0 0f 85 9f 02 00 00 49 8d bc 24 b0 00 00 00 c6 43
+54 01 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
+85 9a 02 00 00 4d 8b ac 24 b0 00 00 00 4d 85 ed 0f
+RSP: 0018:ffff888089ed7168 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff8880869d6e58 RCX: 0000000000000000
+RDX: 0000000000000016 RSI: ffffffff862736b4 RDI: 00000000000000b0
+RBP: ffff888089ed7180 R08: 1ffff11010d3adcb R09: ffff8880869d6e58
+R10: ffffed1010d3add5 R11: ffff8880869d6eaf R12: 0000000000000000
+R13: ffffffff8931f8c0 R14: ffffffff862825d0 R15: ffff8880869d6e58
+FS: 0000000000b3d880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000184 CR3: 0000000092cc5000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ip6erspan_newlink+0x66/0x7b0 net/ipv6/ip6_gre.c:2210
+ __rtnl_newlink+0x107b/0x16c0 net/core/rtnetlink.c:3176
+ rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3234
+ rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192
+ netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485
+ rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg+0xdd/0x130 net/socket.c:631
+ ___sys_sendmsg+0x806/0x930 net/socket.c:2136
+ __sys_sendmsg+0x105/0x1d0 net/socket.c:2174
+ __do_sys_sendmsg net/socket.c:2183 [inline]
+ __se_sys_sendmsg net/socket.c:2181 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2181
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x440159
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
+48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fffa69156e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440159
+RDX: 0000000000000000 RSI: 0000000020001340 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
+R10: 0000000000000011 R11: 0000000000000246 R12: 00000000004019e0
+R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000
+Modules linked in:
+---[ end trace 09f8a7d13b4faaa1 ]---
+RIP: 0010:ip6erspan_set_version+0x5c/0x350 net/ipv6/ip6_gre.c:1726
+Code: 07 38 d0 7f 08 84 c0 0f 85 9f 02 00 00 49 8d bc 24 b0 00 00 00 c6 43
+54 01 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
+85 9a 02 00 00 4d 8b ac 24 b0 00 00 00 4d 85 ed 0f
+RSP: 0018:ffff888089ed7168 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff8880869d6e58 RCX: 0000000000000000
+RDX: 0000000000000016 RSI: ffffffff862736b4 RDI: 00000000000000b0
+RBP: ffff888089ed7180 R08: 1ffff11010d3adcb R09: ffff8880869d6e58
+R10: ffffed1010d3add5 R11: ffff8880869d6eaf R12: 0000000000000000
+R13: ffffffff8931f8c0 R14: ffffffff862825d0 R15: ffff8880869d6e58
+FS: 0000000000b3d880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000184 CR3: 0000000092cc5000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 4974d5f678ab ("net: ip6_gre: initialize erspan_ver just for erspan tunnels")
+Reported-and-tested-by: syzbot+30191cf1057abd3064af@syzkaller.appspotmail.com
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Reviewed-by: Greg Rose <gvrose8192@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index c4a7db62658e..01ecd510014f 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1743,6 +1743,9 @@ static int ip6erspan_tap_validate(struct nlattr *tb[], struct nlattr *data[],
+ static void ip6erspan_set_version(struct nlattr *data[],
+ struct __ip6_tnl_parm *parms)
+ {
++ if (!data)
++ return;
++
+ parms->erspan_ver = 1;
+ if (data[IFLA_GRE_ERSPAN_VER])
+ parms->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
+--
+2.19.1
+
--- /dev/null
+From c9c3456ab9e11570e614bf4853b4cda79672a699 Mon Sep 17 00:00:00 2001
+From: shamir rabinovitch <shamir.rabinovitch@oracle.com>
+Date: Sun, 16 Dec 2018 09:01:08 +0200
+Subject: net/rds: fix warn in rds_message_alloc_sgs
+
+[ Upstream commit ea010070d0a7497253d5a6f919f6dd107450b31a ]
+
+redundant copy_from_user in rds_sendmsg system call expose rds
+to issue where rds_rdma_extra_size walk the rds iovec and and
+calculate the number pf pages (sgs) it need to add to the tail of
+rds message and later rds_cmsg_rdma_args copy the rds iovec again
+and re calculate the same number and get different result causing
+WARN_ON in rds_message_alloc_sgs.
+
+fix this by doing the copy_from_user only once per rds_sendmsg
+system call.
+
+When issue occur the below dump is seen:
+
+WARNING: CPU: 0 PID: 19789 at net/rds/message.c:316 rds_message_alloc_sgs+0x10c/0x160 net/rds/message.c:316
+Kernel panic - not syncing: panic_on_warn set ...
+CPU: 0 PID: 19789 Comm: syz-executor827 Not tainted 4.19.0-next-20181030+ #101
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x244/0x39d lib/dump_stack.c:113
+ panic+0x2ad/0x55c kernel/panic.c:188
+ __warn.cold.8+0x20/0x45 kernel/panic.c:540
+ report_bug+0x254/0x2d0 lib/bug.c:186
+ fixup_bug arch/x86/kernel/traps.c:178 [inline]
+ do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
+ do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
+ invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
+RIP: 0010:rds_message_alloc_sgs+0x10c/0x160 net/rds/message.c:316
+Code: c0 74 04 3c 03 7e 6c 44 01 ab 78 01 00 00 e8 2b 9e 35 fa 4c 89 e0 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 14 9e 35 fa <0f> 0b 31 ff 44 89 ee e8 18 9f 35 fa 45 85 ed 75 1b e8 fe 9d 35 fa
+RSP: 0018:ffff8801c51b7460 EFLAGS: 00010293
+RAX: ffff8801bc412080 RBX: ffff8801d7bf4040 RCX: ffffffff8749c9e6
+RDX: 0000000000000000 RSI: ffffffff8749ca5c RDI: 0000000000000004
+RBP: ffff8801c51b7490 R08: ffff8801bc412080 R09: ffffed003b5c5b67
+R10: ffffed003b5c5b67 R11: ffff8801dae2db3b R12: 0000000000000000
+R13: 000000000007165c R14: 000000000007165c R15: 0000000000000005
+ rds_cmsg_rdma_args+0x82d/0x1510 net/rds/rdma.c:623
+ rds_cmsg_send net/rds/send.c:971 [inline]
+ rds_sendmsg+0x19a2/0x3180 net/rds/send.c:1273
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:632
+ ___sys_sendmsg+0x7fd/0x930 net/socket.c:2117
+ __sys_sendmsg+0x11d/0x280 net/socket.c:2155
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x44a859
+Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f1d4710ada8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044a859
+RDX: 0000000000000000 RSI: 0000000020001600 RDI: 0000000000000003
+RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dcc2c
+R13: 646e732f7665642f R14: 00007f1d4710b9c0 R15: 00000000006dcd2c
+Kernel Offset: disabled
+Rebooting in 86400 seconds..
+
+Reported-by: syzbot+26de17458aeda9d305d8@syzkaller.appspotmail.com
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: shamir rabinovitch <shamir.rabinovitch@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/rdma.c | 63 +++++++++++++++++++++++++-------------------------
+ net/rds/rds.h | 20 ++++++++++++----
+ net/rds/send.c | 50 +++++++++++++++++++++++++++++++++------
+ 3 files changed, 91 insertions(+), 42 deletions(-)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index 98237feb607a..e1965d9cbcf8 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -517,9 +517,10 @@ static int rds_rdma_pages(struct rds_iovec iov[], int nr_iovecs)
+ return tot_pages;
+ }
+
+-int rds_rdma_extra_size(struct rds_rdma_args *args)
++int rds_rdma_extra_size(struct rds_rdma_args *args,
++ struct rds_iov_vector *iov)
+ {
+- struct rds_iovec vec;
++ struct rds_iovec *vec;
+ struct rds_iovec __user *local_vec;
+ int tot_pages = 0;
+ unsigned int nr_pages;
+@@ -530,13 +531,23 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
+ if (args->nr_local == 0)
+ return -EINVAL;
+
++ iov->iov = kcalloc(args->nr_local,
++ sizeof(struct rds_iovec),
++ GFP_KERNEL);
++ if (!iov->iov)
++ return -ENOMEM;
++
++ vec = &iov->iov[0];
++
++ if (copy_from_user(vec, local_vec, args->nr_local *
++ sizeof(struct rds_iovec)))
++ return -EFAULT;
++ iov->len = args->nr_local;
++
+ /* figure out the number of pages in the vector */
+- for (i = 0; i < args->nr_local; i++) {
+- if (copy_from_user(&vec, &local_vec[i],
+- sizeof(struct rds_iovec)))
+- return -EFAULT;
++ for (i = 0; i < args->nr_local; i++, vec++) {
+
+- nr_pages = rds_pages_in_vec(&vec);
++ nr_pages = rds_pages_in_vec(vec);
+ if (nr_pages == 0)
+ return -EINVAL;
+
+@@ -558,15 +569,15 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
+ * Extract all arguments and set up the rdma_op
+ */
+ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+- struct cmsghdr *cmsg)
++ struct cmsghdr *cmsg,
++ struct rds_iov_vector *vec)
+ {
+ struct rds_rdma_args *args;
+ struct rm_rdma_op *op = &rm->rdma;
+ int nr_pages;
+ unsigned int nr_bytes;
+ struct page **pages = NULL;
+- struct rds_iovec iovstack[UIO_FASTIOV], *iovs = iovstack;
+- int iov_size;
++ struct rds_iovec *iovs;
+ unsigned int i, j;
+ int ret = 0;
+
+@@ -586,31 +597,23 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+ goto out_ret;
+ }
+
+- /* Check whether to allocate the iovec area */
+- iov_size = args->nr_local * sizeof(struct rds_iovec);
+- if (args->nr_local > UIO_FASTIOV) {
+- iovs = sock_kmalloc(rds_rs_to_sk(rs), iov_size, GFP_KERNEL);
+- if (!iovs) {
+- ret = -ENOMEM;
+- goto out_ret;
+- }
++ if (vec->len != args->nr_local) {
++ ret = -EINVAL;
++ goto out_ret;
+ }
+
+- if (copy_from_user(iovs, (struct rds_iovec __user *)(unsigned long) args->local_vec_addr, iov_size)) {
+- ret = -EFAULT;
+- goto out;
+- }
++ iovs = vec->iov;
+
+ nr_pages = rds_rdma_pages(iovs, args->nr_local);
+ if (nr_pages < 0) {
+ ret = -EINVAL;
+- goto out;
++ goto out_ret;
+ }
+
+ pages = kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL);
+ if (!pages) {
+ ret = -ENOMEM;
+- goto out;
++ goto out_ret;
+ }
+
+ op->op_write = !!(args->flags & RDS_RDMA_READWRITE);
+@@ -623,7 +626,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+ op->op_sg = rds_message_alloc_sgs(rm, nr_pages);
+ if (!op->op_sg) {
+ ret = -ENOMEM;
+- goto out;
++ goto out_pages;
+ }
+
+ if (op->op_notify || op->op_recverr) {
+@@ -635,7 +638,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+ op->op_notifier = kmalloc(sizeof(struct rds_notifier), GFP_KERNEL);
+ if (!op->op_notifier) {
+ ret = -ENOMEM;
+- goto out;
++ goto out_pages;
+ }
+ op->op_notifier->n_user_token = args->user_token;
+ op->op_notifier->n_status = RDS_RDMA_SUCCESS;
+@@ -681,7 +684,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+ */
+ ret = rds_pin_pages(iov->addr, nr, pages, !op->op_write);
+ if (ret < 0)
+- goto out;
++ goto out_pages;
+ else
+ ret = 0;
+
+@@ -714,13 +717,11 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+ nr_bytes,
+ (unsigned int) args->remote_vec.bytes);
+ ret = -EINVAL;
+- goto out;
++ goto out_pages;
+ }
+ op->op_bytes = nr_bytes;
+
+-out:
+- if (iovs != iovstack)
+- sock_kfree_s(rds_rs_to_sk(rs), iovs, iov_size);
++out_pages:
+ kfree(pages);
+ out_ret:
+ if (ret)
+diff --git a/net/rds/rds.h b/net/rds/rds.h
+index c4dcf654d8fe..4234ab81b5af 100644
+--- a/net/rds/rds.h
++++ b/net/rds/rds.h
+@@ -386,6 +386,18 @@ static inline void rds_message_zcopy_queue_init(struct rds_msg_zcopy_queue *q)
+ INIT_LIST_HEAD(&q->zcookie_head);
+ }
+
++struct rds_iov_vector {
++ struct rds_iovec *iov;
++ int len;
++};
++
++struct rds_iov_vector_arr {
++ struct rds_iov_vector *vec;
++ int len;
++ int indx;
++ int incr;
++};
++
+ struct rds_message {
+ refcount_t m_refcount;
+ struct list_head m_sock_item;
+@@ -904,13 +916,13 @@ int rds_get_mr(struct rds_sock *rs, char __user *optval, int optlen);
+ int rds_get_mr_for_dest(struct rds_sock *rs, char __user *optval, int optlen);
+ int rds_free_mr(struct rds_sock *rs, char __user *optval, int optlen);
+ void rds_rdma_drop_keys(struct rds_sock *rs);
+-int rds_rdma_extra_size(struct rds_rdma_args *args);
+-int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+- struct cmsghdr *cmsg);
++int rds_rdma_extra_size(struct rds_rdma_args *args,
++ struct rds_iov_vector *iov);
+ int rds_cmsg_rdma_dest(struct rds_sock *rs, struct rds_message *rm,
+ struct cmsghdr *cmsg);
+ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
+- struct cmsghdr *cmsg);
++ struct cmsghdr *cmsg,
++ struct rds_iov_vector *vec);
+ int rds_cmsg_rdma_map(struct rds_sock *rs, struct rds_message *rm,
+ struct cmsghdr *cmsg);
+ void rds_rdma_free_op(struct rm_rdma_op *ro);
+diff --git a/net/rds/send.c b/net/rds/send.c
+index fe785ee819dd..ec2267cbf85f 100644
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -876,13 +876,15 @@ static int rds_send_queue_rm(struct rds_sock *rs, struct rds_connection *conn,
+ * rds_message is getting to be quite complicated, and we'd like to allocate
+ * it all in one go. This figures out how big it needs to be up front.
+ */
+-static int rds_rm_size(struct msghdr *msg, int num_sgs)
++static int rds_rm_size(struct msghdr *msg, int num_sgs,
++ struct rds_iov_vector_arr *vct)
+ {
+ struct cmsghdr *cmsg;
+ int size = 0;
+ int cmsg_groups = 0;
+ int retval;
+ bool zcopy_cookie = false;
++ struct rds_iov_vector *iov, *tmp_iov;
+
+ for_each_cmsghdr(cmsg, msg) {
+ if (!CMSG_OK(msg, cmsg))
+@@ -893,8 +895,24 @@ static int rds_rm_size(struct msghdr *msg, int num_sgs)
+
+ switch (cmsg->cmsg_type) {
+ case RDS_CMSG_RDMA_ARGS:
++ if (vct->indx >= vct->len) {
++ vct->len += vct->incr;
++ tmp_iov =
++ krealloc(vct->vec,
++ vct->len *
++ sizeof(struct rds_iov_vector),
++ GFP_KERNEL);
++ if (!tmp_iov) {
++ vct->len -= vct->incr;
++ return -ENOMEM;
++ }
++ vct->vec = tmp_iov;
++ }
++ iov = &vct->vec[vct->indx];
++ memset(iov, 0, sizeof(struct rds_iov_vector));
++ vct->indx++;
+ cmsg_groups |= 1;
+- retval = rds_rdma_extra_size(CMSG_DATA(cmsg));
++ retval = rds_rdma_extra_size(CMSG_DATA(cmsg), iov);
+ if (retval < 0)
+ return retval;
+ size += retval;
+@@ -951,10 +969,11 @@ static int rds_cmsg_zcopy(struct rds_sock *rs, struct rds_message *rm,
+ }
+
+ static int rds_cmsg_send(struct rds_sock *rs, struct rds_message *rm,
+- struct msghdr *msg, int *allocated_mr)
++ struct msghdr *msg, int *allocated_mr,
++ struct rds_iov_vector_arr *vct)
+ {
+ struct cmsghdr *cmsg;
+- int ret = 0;
++ int ret = 0, ind = 0;
+
+ for_each_cmsghdr(cmsg, msg) {
+ if (!CMSG_OK(msg, cmsg))
+@@ -968,7 +987,10 @@ static int rds_cmsg_send(struct rds_sock *rs, struct rds_message *rm,
+ */
+ switch (cmsg->cmsg_type) {
+ case RDS_CMSG_RDMA_ARGS:
+- ret = rds_cmsg_rdma_args(rs, rm, cmsg);
++ if (ind >= vct->indx)
++ return -ENOMEM;
++ ret = rds_cmsg_rdma_args(rs, rm, cmsg, &vct->vec[ind]);
++ ind++;
+ break;
+
+ case RDS_CMSG_RDMA_DEST:
+@@ -1084,6 +1106,11 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+ sock_flag(rds_rs_to_sk(rs), SOCK_ZEROCOPY));
+ int num_sgs = ceil(payload_len, PAGE_SIZE);
+ int namelen;
++ struct rds_iov_vector_arr vct = {0};
++ int ind;
++
++ /* expect 1 RDMA CMSG per rds_sendmsg. can still grow if more needed. */
++ vct.incr = 1;
+
+ /* Mirror Linux UDP mirror of BSD error message compatibility */
+ /* XXX: Perhaps MSG_MORE someday */
+@@ -1220,7 +1247,7 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+ num_sgs = iov_iter_npages(&msg->msg_iter, INT_MAX);
+ }
+ /* size of rm including all sgs */
+- ret = rds_rm_size(msg, num_sgs);
++ ret = rds_rm_size(msg, num_sgs, &vct);
+ if (ret < 0)
+ goto out;
+
+@@ -1270,7 +1297,7 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+ rm->m_conn_path = cpath;
+
+ /* Parse any control messages the user may have included. */
+- ret = rds_cmsg_send(rs, rm, msg, &allocated_mr);
++ ret = rds_cmsg_send(rs, rm, msg, &allocated_mr, &vct);
+ if (ret) {
+ /* Trigger connection so that its ready for the next retry */
+ if (ret == -EAGAIN)
+@@ -1348,9 +1375,18 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+ if (ret)
+ goto out;
+ rds_message_put(rm);
++
++ for (ind = 0; ind < vct.indx; ind++)
++ kfree(vct.vec[ind].iov);
++ kfree(vct.vec);
++
+ return payload_len;
+
+ out:
++ for (ind = 0; ind < vct.indx; ind++)
++ kfree(vct.vec[ind].iov);
++ kfree(vct.vec);
++
+ /* If the user included a RDMA_MAP cmsg, we allocated a MR on the fly.
+ * If the sendmsg goes through, we keep the MR. If it fails with EAGAIN
+ * or in any other way, we need to destroy the MR again */
+--
+2.19.1
+
--- /dev/null
+From 4332a5620462795034c56ba5913d30a0dd2df0b6 Mon Sep 17 00:00:00 2001
+From: Thor Thayer <thor.thayer@linux.intel.com>
+Date: Mon, 22 Oct 2018 17:22:26 -0500
+Subject: net: stmmac: Set OWN bit for jumbo frames
+
+[ Upstream commit 487e2e22ab7968f2c0c82f37b5ca5883efd1a354 ]
+
+Ping with Jumbo packet does not reply and get a watchdog timeout
+
+[ 46.059616] ------------[ cut here ]------------
+[ 46.064268] NETDEV WATCHDOG: eth0 (socfpga-dwmac): transmit queue 0 timed out
+[ 46.071471] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:461 dev_watchdog+0x2cc/0x2d8
+[ 46.079708] Modules linked in:
+[ 46.082761] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.18.0-00115-gc262be665854-dirty #264
+[ 46.091082] Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
+[ 46.096377] pstate: 20000005 (nzCv daif -PAN -UAO)
+[ 46.101152] pc : dev_watchdog+0x2cc/0x2d8
+[ 46.105149] lr : dev_watchdog+0x2cc/0x2d8
+[ 46.109144] sp : ffff00000800bd80
+[ 46.112447] x29: ffff00000800bd80 x28: ffff80007a9b4940
+[ 46.117744] x27: 00000000ffffffff x26: ffff80007aa183b0
+[ 46.123040] x25: 0000000000000001 x24: 0000000000000140
+[ 46.128336] x23: ffff80007aa1839c x22: ffff80007aa17fb0
+[ 46.133632] x21: ffff80007aa18000 x20: ffff0000091a7000
+[ 46.138927] x19: 0000000000000000 x18: ffffffffffffffff
+[ 46.144223] x17: 0000000000000000 x16: 0000000000000000
+[ 46.149519] x15: ffff0000091a96c8 x14: 07740775076f0720
+[ 46.154814] x13: 07640765076d0769 x12: 0774072007300720
+[ 46.160110] x11: 0765077507650775 x10: 0771072007740769
+[ 46.165406] x9 : 076d0773076e0761 x8 : 077207740720073a
+[ 46.170702] x7 : 072907630761076d x6 : ffff80007ff9a0c0
+[ 46.175997] x5 : ffff80007ff9a0c0 x4 : 0000000000000002
+[ 46.181293] x3 : 0000000000000000 x2 : ffff0000091ac180
+[ 46.186589] x1 : e6a742ebe628e800 x0 : 0000000000000000
+[ 46.191885] Call trace:
+[ 46.194326] dev_watchdog+0x2cc/0x2d8
+[ 46.197980] call_timer_fn+0x20/0x78
+[ 46.201544] expire_timers+0xa4/0xb0
+[ 46.205108] run_timer_softirq+0xe4/0x198
+[ 46.209107] __do_softirq+0x114/0x210
+[ 46.212760] irq_exit+0xd0/0xd8
+[ 46.215895] __handle_domain_irq+0x60/0xb0
+[ 46.219977] gic_handle_irq+0x58/0xa8
+[ 46.223628] el1_irq+0xb0/0x128
+[ 46.226761] arch_cpu_idle+0x10/0x18
+[ 46.230326] do_idle+0x1d4/0x288
+[ 46.233544] cpu_startup_entry+0x24/0x28
+[ 46.237457] secondary_start_kernel+0x17c/0x1c0
+[ 46.241971] ---[ end trace 57048cd1372cd828 ]---
+
+Inspection of queue showed Jumbo packets were not sent out.
+The ring Jumbo packet function needs to set the OWN bit so
+the packet is sent.
+
+Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/ring_mode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+index afed0f0f4027..c0c75c111abb 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+@@ -59,7 +59,7 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum)
+
+ desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB);
+ stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum,
+- STMMAC_RING_MODE, 0, false, skb->len);
++ STMMAC_RING_MODE, 1, false, skb->len);
+ tx_q->tx_skbuff[entry] = NULL;
+ entry = STMMAC_GET_ENTRY(entry, DMA_TX_SIZE);
+
+@@ -91,7 +91,7 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum)
+ tx_q->tx_skbuff_dma[entry].is_jumbo = true;
+ desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB);
+ stmmac_prepare_tx_desc(priv, desc, 1, nopaged_len, csum,
+- STMMAC_RING_MODE, 0, true, skb->len);
++ STMMAC_RING_MODE, 1, true, skb->len);
+ }
+
+ tx_q->cur_tx = entry;
+--
+2.19.1
+
--- /dev/null
+From 5ed03cc3dde7fb7f962597229a91ac682eaca67b Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Tue, 2 Oct 2018 02:17:14 +0900
+Subject: netfilter: nf_flow_table: remove flowtable hook flush routine in
+ netns exit routine
+
+[ Upstream commit b7f1a16d29b2e28d3dcbb070511bd703e306281b ]
+
+When device is unregistered, flowtable flush routine is called
+by notifier_call(nf_tables_flowtable_event). and exit callback of
+nftables pernet_operation(nf_tables_exit_net) also has flowtable flush
+routine. but when network namespace is destroyed, both notifier_call
+and pernet_operation are called. hence flowtable flush routine in
+pernet_operation is unnecessary.
+
+test commands:
+ %ip netns add vm1
+ %ip netns exec vm1 nft add table ip filter
+ %ip netns exec vm1 nft add flowtable ip filter w \
+ { hook ingress priority 0\; devices = { lo }\; }
+ %ip netns del vm1
+
+splat looks like:
+[ 265.187019] WARNING: CPU: 0 PID: 87 at net/netfilter/core.c:309 nf_hook_entry_head+0xc7/0xf0
+[ 265.187112] Modules linked in: nf_flow_table_ipv4 nf_flow_table nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ip_tables x_tables
+[ 265.187390] CPU: 0 PID: 87 Comm: kworker/u4:2 Not tainted 4.19.0-rc3+ #5
+[ 265.187453] Workqueue: netns cleanup_net
+[ 265.187514] RIP: 0010:nf_hook_entry_head+0xc7/0xf0
+[ 265.187546] Code: 8d 81 68 03 00 00 5b c3 89 d0 83 fa 04 48 8d 84 c7 e8 11 00 00 76 81 0f 0b 31 c0 e9 78 ff ff ff 0f 0b 48 83 c4 08 31 c0 5b c3 <0f> 0b 31 c0 e9 65 ff ff ff 0f 0b 31 c0 e9 5c ff ff ff 48 89 0c 24
+[ 265.187573] RSP: 0018:ffff88011546f098 EFLAGS: 00010246
+[ 265.187624] RAX: ffffffff8d90e135 RBX: 1ffff10022a8de1c RCX: 0000000000000000
+[ 265.187645] RDX: 0000000000000000 RSI: 0000000000000005 RDI: ffff880116298040
+[ 265.187645] RBP: ffff88010ea4c1a8 R08: 0000000000000000 R09: 0000000000000000
+[ 265.187645] R10: ffff88011546f1d8 R11: ffffed0022c532c1 R12: ffff88010ea4c1d0
+[ 265.187645] R13: 0000000000000005 R14: dffffc0000000000 R15: ffff88010ea4c1c4
+[ 265.187645] FS: 0000000000000000(0000) GS:ffff88011b200000(0000) knlGS:0000000000000000
+[ 265.187645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 265.187645] CR2: 00007fdfb8d00000 CR3: 0000000057a16000 CR4: 00000000001006f0
+[ 265.187645] Call Trace:
+[ 265.187645] __nf_unregister_net_hook+0xca/0x5d0
+[ 265.187645] ? nf_hook_entries_free.part.3+0x80/0x80
+[ 265.187645] ? save_trace+0x300/0x300
+[ 265.187645] nf_unregister_net_hooks+0x2e/0x40
+[ 265.187645] nf_tables_exit_net+0x479/0x1340 [nf_tables]
+[ 265.187645] ? find_held_lock+0x39/0x1c0
+[ 265.187645] ? nf_tables_abort+0x30/0x30 [nf_tables]
+[ 265.187645] ? inet_frag_destroy_rcu+0xd0/0xd0
+[ 265.187645] ? trace_hardirqs_on+0x93/0x210
+[ 265.187645] ? __bpf_trace_preemptirq_template+0x10/0x10
+[ 265.187645] ? inet_frag_destroy_rcu+0xd0/0xd0
+[ 265.187645] ? inet_frag_destroy_rcu+0xd0/0xd0
+[ 265.187645] ? __mutex_unlock_slowpath+0x17f/0x740
+[ 265.187645] ? wait_for_completion+0x710/0x710
+[ 265.187645] ? bucket_table_free+0xb2/0x1f0
+[ 265.187645] ? nested_table_free+0x130/0x130
+[ 265.187645] ? __lock_is_held+0xb4/0x140
+[ 265.187645] ops_exit_list.isra.10+0x94/0x140
+[ 265.187645] cleanup_net+0x45b/0x900
+[ ... ]
+
+This WARNING means that hook unregisteration is failed because
+all flowtables hooks are already unregistered by notifier_call.
+
+Network namespace exit routine guarantees that all devices will be
+unregistered first. then, other exit callbacks of pernet_operations
+are called. so that removing flowtable flush routine in exit callback of
+pernet_operation(nf_tables_exit_net) doesn't make flowtable leak.
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 7d424fd27025..c06393fc716d 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7203,9 +7203,6 @@ static void __nft_release_tables(struct net *net)
+
+ list_for_each_entry(chain, &table->chains, list)
+ nf_tables_unregister_hook(net, table, chain);
+- list_for_each_entry(flowtable, &table->flowtables, list)
+- nf_unregister_net_hooks(net, flowtable->ops,
+- flowtable->ops_len);
+ /* No packets are walking on these chains anymore. */
+ ctx.table = table;
+ list_for_each_entry(chain, &table->chains, list) {
+--
+2.19.1
+
--- /dev/null
+From 38ce91a06407edebccad91717e4828ce994f56c7 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 4 Sep 2018 12:07:55 +0200
+Subject: netfilter: xt_cgroup: shrink size of v2 path
+
+[ Upstream commit 0d704967f4a49cc2212350b3e4a8231f8b4283ed ]
+
+cgroup v2 path field is PATH_MAX which is too large, this is placing too
+much pressure on memory allocation for people with many rules doing
+cgroup v1 classid matching, side effects of this are bug reports like:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200639
+
+This patch registers a new revision that shrinks the cgroup path to 512
+bytes, which is the same approach we follow in similar extensions that
+have a path field.
+
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/netfilter/xt_cgroup.h | 16 ++++++
+ net/netfilter/xt_cgroup.c | 72 ++++++++++++++++++++++++
+ 2 files changed, 88 insertions(+)
+
+diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h
+index e96dfa1b34f7..b74e370d6133 100644
+--- a/include/uapi/linux/netfilter/xt_cgroup.h
++++ b/include/uapi/linux/netfilter/xt_cgroup.h
+@@ -22,4 +22,20 @@ struct xt_cgroup_info_v1 {
+ void *priv __attribute__((aligned(8)));
+ };
+
++#define XT_CGROUP_PATH_MAX 512
++
++struct xt_cgroup_info_v2 {
++ __u8 has_path;
++ __u8 has_classid;
++ __u8 invert_path;
++ __u8 invert_classid;
++ union {
++ char path[XT_CGROUP_PATH_MAX];
++ __u32 classid;
++ };
++
++ /* kernel internal data */
++ void *priv __attribute__((aligned(8)));
++};
++
+ #endif /* _UAPI_XT_CGROUP_H */
+diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
+index 5d92e1781980..5cb1ecb29ea4 100644
+--- a/net/netfilter/xt_cgroup.c
++++ b/net/netfilter/xt_cgroup.c
+@@ -68,6 +68,38 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
+ return 0;
+ }
+
++static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
++{
++ struct xt_cgroup_info_v2 *info = par->matchinfo;
++ struct cgroup *cgrp;
++
++ if ((info->invert_path & ~1) || (info->invert_classid & ~1))
++ return -EINVAL;
++
++ if (!info->has_path && !info->has_classid) {
++ pr_info("xt_cgroup: no path or classid specified\n");
++ return -EINVAL;
++ }
++
++ if (info->has_path && info->has_classid) {
++ pr_info_ratelimited("path and classid specified\n");
++ return -EINVAL;
++ }
++
++ info->priv = NULL;
++ if (info->has_path) {
++ cgrp = cgroup_get_from_path(info->path);
++ if (IS_ERR(cgrp)) {
++ pr_info_ratelimited("invalid path, errno=%ld\n",
++ PTR_ERR(cgrp));
++ return -EINVAL;
++ }
++ info->priv = cgrp;
++ }
++
++ return 0;
++}
++
+ static bool
+ cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
+ {
+@@ -99,6 +131,24 @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
+ info->invert_classid;
+ }
+
++static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
++{
++ const struct xt_cgroup_info_v2 *info = par->matchinfo;
++ struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data;
++ struct cgroup *ancestor = info->priv;
++ struct sock *sk = skb->sk;
++
++ if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk)))
++ return false;
++
++ if (ancestor)
++ return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
++ info->invert_path;
++ else
++ return (info->classid == sock_cgroup_classid(skcd)) ^
++ info->invert_classid;
++}
++
+ static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
+ {
+ struct xt_cgroup_info_v1 *info = par->matchinfo;
+@@ -107,6 +157,14 @@ static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
+ cgroup_put(info->priv);
+ }
+
++static void cgroup_mt_destroy_v2(const struct xt_mtdtor_param *par)
++{
++ struct xt_cgroup_info_v2 *info = par->matchinfo;
++
++ if (info->priv)
++ cgroup_put(info->priv);
++}
++
+ static struct xt_match cgroup_mt_reg[] __read_mostly = {
+ {
+ .name = "cgroup",
+@@ -134,6 +192,20 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = {
+ (1 << NF_INET_POST_ROUTING) |
+ (1 << NF_INET_LOCAL_IN),
+ },
++ {
++ .name = "cgroup",
++ .revision = 2,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = cgroup_mt_check_v2,
++ .match = cgroup_mt_v2,
++ .matchsize = sizeof(struct xt_cgroup_info_v2),
++ .usersize = offsetof(struct xt_cgroup_info_v2, priv),
++ .destroy = cgroup_mt_destroy_v2,
++ .me = THIS_MODULE,
++ .hooks = (1 << NF_INET_LOCAL_OUT) |
++ (1 << NF_INET_POST_ROUTING) |
++ (1 << NF_INET_LOCAL_IN),
++ },
+ };
+
+ static int __init cgroup_mt_init(void)
+--
+2.19.1
+
--- /dev/null
+From 47048dbd223b47565b2941ee96d3f29328a55967 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Thu, 31 Jan 2019 19:38:56 +0300
+Subject: PCI: Blacklist power management of Gigabyte X299 DESIGNARE EX PCIe
+ ports
+
+[ Upstream commit 85b0cae89d5266e6a7abb2e83c6f716326fc494c ]
+
+Gigabyte X299 DESIGNARE EX motherboard has one PCIe root port that is
+connected to an Alpine Ridge Thunderbolt controller. This port has slot
+implemented bit set in the config space but other than that it is not
+hotplug capable in the sense we are expecting in Linux (it has
+dev->is_hotplug_bridge set to 0):
+
+ 00:1c.4 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #5
+ Bus: primary=00, secondary=05, subordinate=46, sec-latency=0
+ Memory behind bridge: 78000000-8fffffff [size=384M]
+ Prefetchable memory behind bridge: 00003800f8000000-00003800ffffffff [size=128M]
+ ...
+ Capabilities: [40] Express (v2) Root Port (Slot+), MSI 00
+ ...
+ SltCap: AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug- Surprise-
+ Slot #8, PowerLimit 25.000W; Interlock- NoCompl+
+ SltCtl: Enable: AttnBtn- PwrFlt- MRL- PresDet- CmdCplt- HPIrq- LinkChg-
+ Control: AttnInd Unknown, PwrInd Unknown, Power- Interlock-
+ SltSta: Status: AttnBtn- PowerFlt- MRL- CmdCplt- PresDet- Interlock-
+ Changed: MRL- PresDet+ LinkState+
+
+This system is using ACPI based hotplug to notify the OS that it needs to
+rescan the PCI bus (ACPI hotplug).
+
+If there is nothing connected in any of the Thunderbolt ports the root port
+will not have any runtime PM active children and is thus automatically
+runtime suspended pretty soon after boot by PCI PM core. Now, when a
+device is connected the BIOS SMI handler responsible for enumerating newly
+added devices is not able to find anything because the port is in D3.
+
+Prevent this from happening by blacklisting PCI power management of this
+particular Gigabyte system.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=202031
+Reported-by: Kedar A Dongre <kedar.a.dongre@intel.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 7eb1549cea81..30649addc625 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2489,6 +2489,25 @@ void pci_config_pm_runtime_put(struct pci_dev *pdev)
+ pm_runtime_put_sync(parent);
+ }
+
++static const struct dmi_system_id bridge_d3_blacklist[] = {
++#ifdef CONFIG_X86
++ {
++ /*
++ * Gigabyte X299 root port is not marked as hotplug capable
++ * which allows Linux to power manage it. However, this
++ * confuses the BIOS SMI handler so don't power manage root
++ * ports on that system.
++ */
++ .ident = "X299 DESIGNARE EX-CF",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co., Ltd."),
++ DMI_MATCH(DMI_BOARD_NAME, "X299 DESIGNARE EX-CF"),
++ },
++ },
++#endif
++ { }
++};
++
+ /**
+ * pci_bridge_d3_possible - Is it possible to put the bridge into D3
+ * @bridge: Bridge to check
+@@ -2530,6 +2549,9 @@ bool pci_bridge_d3_possible(struct pci_dev *bridge)
+ if (bridge->is_hotplug_bridge)
+ return false;
+
++ if (dmi_check_system(bridge_d3_blacklist))
++ return false;
++
+ /*
+ * It should be safe to put PCIe ports from 2015 or newer
+ * to D3.
+--
+2.19.1
+
--- /dev/null
+From 481c392085dcbcf1d0e1eaaf66984a2bd5a9558f Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:46 +0800
+Subject: perf build-id: Fix memory leak in print_sdt_events()
+
+[ Upstream commit 8bde8516893da5a5fdf06121f74d11b52ab92df5 ]
+
+Detected with gcc's ASan:
+
+ Direct leak of 4356 byte(s) in 120 object(s) allocated from:
+ #0 0x7ff1a2b5a070 in __interceptor_strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3b070)
+ #1 0x55719aef4814 in build_id_cache__origname util/build-id.c:215
+ #2 0x55719af649b6 in print_sdt_events util/parse-events.c:2339
+ #3 0x55719af66272 in print_events util/parse-events.c:2542
+ #4 0x55719ad1ecaa in cmd_list /home/changbin/work/linux/tools/perf/builtin-list.c:58
+ #5 0x55719aec745d in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302
+ #6 0x55719aec7d1a in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354
+ #7 0x55719aec8184 in run_argv /home/changbin/work/linux/tools/perf/perf.c:398
+ #8 0x55719aeca41a in main /home/changbin/work/linux/tools/perf/perf.c:520
+ #9 0x7ff1a07ae09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Fixes: 40218daea1db ("perf list: Show SDT and pre-cached events")
+Link: http://lkml.kernel.org/r/20190316080556.3075-7-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/build-id.c | 1 +
+ tools/perf/util/parse-events.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
+index 04b1d53e4bf9..1d352621bd48 100644
+--- a/tools/perf/util/build-id.c
++++ b/tools/perf/util/build-id.c
+@@ -183,6 +183,7 @@ char *build_id_cache__linkname(const char *sbuild_id, char *bf, size_t size)
+ return bf;
+ }
+
++/* The caller is responsible to free the returned buffer. */
+ char *build_id_cache__origname(const char *sbuild_id)
+ {
+ char *linkname;
+diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
+index 85977cebf87c..1a7c76d2baa8 100644
+--- a/tools/perf/util/parse-events.c
++++ b/tools/perf/util/parse-events.c
+@@ -2334,6 +2334,7 @@ void print_sdt_events(const char *subsys_glob, const char *event_glob,
+ printf(" %-50s [%s]\n", buf, "SDT event");
+ free(buf);
+ }
++ free(path);
+ } else
+ printf(" %-50s [%s]\n", nd->s, "SDT event");
+ if (nd2) {
+--
+2.19.1
+
--- /dev/null
+From 65d2e83b0d7680e20907bf88f0d17b8d8edbe0d2 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:45 +0800
+Subject: perf config: Fix a memory leak in collect_config()
+
+[ Upstream commit 54569ba4b06d5baedae4614bde33a25a191473ba ]
+
+Detected with gcc's ASan:
+
+ Direct leak of 66 byte(s) in 5 object(s) allocated from:
+ #0 0x7ff3b1f32070 in __interceptor_strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3b070)
+ #1 0x560c8761034d in collect_config util/config.c:597
+ #2 0x560c8760d9cb in get_value util/config.c:169
+ #3 0x560c8760dfd7 in perf_parse_file util/config.c:285
+ #4 0x560c8760e0d2 in perf_config_from_file util/config.c:476
+ #5 0x560c876108fd in perf_config_set__init util/config.c:661
+ #6 0x560c87610c72 in perf_config_set__new util/config.c:709
+ #7 0x560c87610d2f in perf_config__init util/config.c:718
+ #8 0x560c87610e5d in perf_config util/config.c:730
+ #9 0x560c875ddea0 in main /home/changbin/work/linux/tools/perf/perf.c:442
+ #10 0x7ff3afb8609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Taeung Song <treeze.taeung@gmail.com>
+Fixes: 20105ca1240c ("perf config: Introduce perf_config_set class")
+Link: http://lkml.kernel.org/r/20190316080556.3075-6-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/config.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/config.c b/tools/perf/util/config.c
+index 5ac157056cdf..9bb742accfa5 100644
+--- a/tools/perf/util/config.c
++++ b/tools/perf/util/config.c
+@@ -628,11 +628,10 @@ static int collect_config(const char *var, const char *value,
+ }
+
+ ret = set_value(item, value);
+- return ret;
+
+ out_free:
+ free(key);
+- return -1;
++ return ret;
+ }
+
+ int perf_config_set__collect(struct perf_config_set *set, const char *file_name,
+--
+2.19.1
+
--- /dev/null
+From 516a1caa44ed89f2baa3bb804fcd4302e9112cbc Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:44 +0800
+Subject: perf config: Fix an error in the config template documentation
+
+[ Upstream commit 9b40dff7ba3caaf0d1919f98e136fa3400bd34aa ]
+
+The option 'sort-order' should be 'sort_order'.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Milian Wolff <milian.wolff@kdab.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Fixes: 893c5c798be9 ("perf config: Show default report configuration in example and docs")
+Link: http://lkml.kernel.org/r/20190316080556.3075-5-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/Documentation/perf-config.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/Documentation/perf-config.txt b/tools/perf/Documentation/perf-config.txt
+index 32f4a898e3f2..05c10eb56a0c 100644
+--- a/tools/perf/Documentation/perf-config.txt
++++ b/tools/perf/Documentation/perf-config.txt
+@@ -114,7 +114,7 @@ Given a $HOME/.perfconfig like this:
+
+ [report]
+ # Defaults
+- sort-order = comm,dso,symbol
++ sort_order = comm,dso,symbol
+ percent-limit = 0
+ queue-size = 0
+ children = true
+--
+2.19.1
+
--- /dev/null
+From cc94856df4767d5a21b662b986643dcd0bd3d5be Mon Sep 17 00:00:00 2001
+From: Stephane Eranian <eranian@google.com>
+Date: Thu, 7 Mar 2019 10:52:33 -0800
+Subject: perf/core: Restore mmap record type correctly
+
+[ Upstream commit d9c1bb2f6a2157b38e8eb63af437cb22701d31ee ]
+
+On mmap(), perf_events generates a RECORD_MMAP record and then checks
+which events are interested in this record. There are currently 2
+versions of mmap records: RECORD_MMAP and RECORD_MMAP2. MMAP2 is larger.
+The event configuration controls which version the user level tool
+accepts.
+
+If the event->attr.mmap2=1 field then MMAP2 record is returned. The
+perf_event_mmap_output() takes care of this. It checks attr->mmap2 and
+corrects the record fields before putting it in the sampling buffer of
+the event. At the end the function restores the modified MMAP record
+fields.
+
+The problem is that the function restores the size but not the type.
+Thus, if a subsequent event only accepts MMAP type, then it would
+instead receive an MMAP2 record with a size of MMAP record.
+
+This patch fixes the problem by restoring the record type on exit.
+
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Fixes: 13d7a2410fa6 ("perf: Add attr->mmap2 attribute to an event")
+Link: http://lkml.kernel.org/r/20190307185233.225521-1-eranian@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index aa996a0854b9..87bd96399d1c 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7178,6 +7178,7 @@ static void perf_event_mmap_output(struct perf_event *event,
+ struct perf_output_handle handle;
+ struct perf_sample_data sample;
+ int size = mmap_event->event_id.header.size;
++ u32 type = mmap_event->event_id.header.type;
+ int ret;
+
+ if (!perf_event_mmap_match(event, data))
+@@ -7221,6 +7222,7 @@ static void perf_event_mmap_output(struct perf_event *event,
+ perf_output_end(&handle);
+ out:
+ mmap_event->event_id.header.size = size;
++ mmap_event->event_id.header.type = type;
+ }
+
+ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
+--
+2.19.1
+
--- /dev/null
+From 3c09cf395c1a70a32840b9a049402e0c726f0f90 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Fri, 8 Mar 2019 14:47:36 +0100
+Subject: perf data: Don't store auxtrace index for directory data file
+
+[ Upstream commit cd3dd8dd8ff62374d90cb3f2e54b8c94106c7810 ]
+
+We can't store the auxtrace index when we store into multiple files,
+because we keep only offset for it, not the file.
+
+The auxtrace data will be processed correctly in the 'pipe' mode.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lkml.kernel.org/r/20190308134745.5057-3-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-record.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
+index 22ebeb92ac51..f5b438486a64 100644
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -178,7 +178,7 @@ static int record__process_auxtrace(struct perf_tool *tool,
+ size_t padding;
+ u8 pad[8] = {0};
+
+- if (!perf_data__is_pipe(data)) {
++ if (!perf_data__is_pipe(data) && !perf_data__is_dir(data)) {
+ off_t file_offset;
+ int fd = perf_data__fd(data);
+ int err;
+--
+2.19.1
+
--- /dev/null
+From dfadcbf6a5680b89ccf6a4213077cd3999f25afc Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 18 Mar 2019 16:41:28 -0300
+Subject: perf evsel: Free evsel->counts in perf_evsel__exit()
+
+[ Upstream commit 42dfa451d825a2ad15793c476f73e7bbc0f9d312 ]
+
+Using gcc's ASan, Changbin reports:
+
+ =================================================================
+ ==7494==ERROR: LeakSanitizer: detected memory leaks
+
+ Direct leak of 48 byte(s) in 1 object(s) allocated from:
+ #0 0x7f0333a89138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
+ #1 0x5625e5330a5e in zalloc util/util.h:23
+ #2 0x5625e5330a9b in perf_counts__new util/counts.c:10
+ #3 0x5625e5330ca0 in perf_evsel__alloc_counts util/counts.c:47
+ #4 0x5625e520d8e5 in __perf_evsel__read_on_cpu util/evsel.c:1505
+ #5 0x5625e517a985 in perf_evsel__read_on_cpu /home/work/linux/tools/perf/util/evsel.h:347
+ #6 0x5625e517ad1a in test__openat_syscall_event tests/openat-syscall.c:47
+ #7 0x5625e51528e6 in run_test tests/builtin-test.c:358
+ #8 0x5625e5152baf in test_and_print tests/builtin-test.c:388
+ #9 0x5625e51543fe in __cmd_test tests/builtin-test.c:583
+ #10 0x5625e515572f in cmd_test tests/builtin-test.c:722
+ #11 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302
+ #12 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354
+ #13 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398
+ #14 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520
+ #15 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
+
+ Indirect leak of 72 byte(s) in 1 object(s) allocated from:
+ #0 0x7f0333a89138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
+ #1 0x5625e532560d in zalloc util/util.h:23
+ #2 0x5625e532566b in xyarray__new util/xyarray.c:10
+ #3 0x5625e5330aba in perf_counts__new util/counts.c:15
+ #4 0x5625e5330ca0 in perf_evsel__alloc_counts util/counts.c:47
+ #5 0x5625e520d8e5 in __perf_evsel__read_on_cpu util/evsel.c:1505
+ #6 0x5625e517a985 in perf_evsel__read_on_cpu /home/work/linux/tools/perf/util/evsel.h:347
+ #7 0x5625e517ad1a in test__openat_syscall_event tests/openat-syscall.c:47
+ #8 0x5625e51528e6 in run_test tests/builtin-test.c:358
+ #9 0x5625e5152baf in test_and_print tests/builtin-test.c:388
+ #10 0x5625e51543fe in __cmd_test tests/builtin-test.c:583
+ #11 0x5625e515572f in cmd_test tests/builtin-test.c:722
+ #12 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302
+ #13 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354
+ #14 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398
+ #15 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520
+ #16 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
+
+His patch took care of evsel->prev_raw_counts, but the above backtraces
+are about evsel->counts, so fix that instead.
+
+Reported-by: Changbin Du <changbin.du@gmail.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Link: https://lkml.kernel.org/n/tip-hd1x13g59f0nuhe4anxhsmfp@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/evsel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index e7dbdcc8d465..b65ad5a273eb 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -1274,6 +1274,7 @@ void perf_evsel__exit(struct perf_evsel *evsel)
+ {
+ assert(list_empty(&evsel->node));
+ assert(evsel->evlist == NULL);
++ perf_evsel__free_counts(evsel);
+ perf_evsel__free_fd(evsel);
+ perf_evsel__free_id(evsel);
+ perf_evsel__free_config_terms(evsel);
+--
+2.19.1
+
--- /dev/null
+From c7b30a86f7b4605a0294e5a88b50b858a0837c0b Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:49 +0800
+Subject: perf hist: Add missing map__put() in error case
+
+[ Upstream commit cb6186aeffda4d27e56066c79e9579e7831541d3 ]
+
+We need to map__put() before returning from failure of
+sample__resolve_callchain().
+
+Detected with gcc's ASan.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Fixes: 9c68ae98c6f7 ("perf callchain: Reference count maps")
+Link: http://lkml.kernel.org/r/20190316080556.3075-10-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/hist.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
+index 828cb9794c76..e1e94b44d588 100644
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -1048,8 +1048,10 @@ int hist_entry_iter__add(struct hist_entry_iter *iter, struct addr_location *al,
+
+ err = sample__resolve_callchain(iter->sample, &callchain_cursor, &iter->parent,
+ iter->evsel, al, max_stack_depth);
+- if (err)
++ if (err) {
++ map__put(alm);
+ return err;
++ }
+
+ err = iter->ops->prepare_entry(iter, al);
+ if (err)
+--
+2.19.1
+
--- /dev/null
+From 586dd7a018104a0840dfa40a5c74b58a8eb65007 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:42 +0800
+Subject: perf list: Don't forget to drop the reference to the allocated
+ thread_map
+
+[ Upstream commit 39df730b09774bd860e39ea208a48d15078236cb ]
+
+Detected via gcc's ASan:
+
+ Direct leak of 2048 byte(s) in 64 object(s) allocated from:
+ 6 #0 0x7f606512e370 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee370)
+ 7 #1 0x556b0f1d7ddd in thread_map__realloc util/thread_map.c:43
+ 8 #2 0x556b0f1d84c7 in thread_map__new_by_tid util/thread_map.c:85
+ 9 #3 0x556b0f0e045e in is_event_supported util/parse-events.c:2250
+ 10 #4 0x556b0f0e1aa1 in print_hwcache_events util/parse-events.c:2382
+ 11 #5 0x556b0f0e3231 in print_events util/parse-events.c:2514
+ 12 #6 0x556b0ee0a66e in cmd_list /home/changbin/work/linux/tools/perf/builtin-list.c:58
+ 13 #7 0x556b0f01e0ae in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302
+ 14 #8 0x556b0f01e859 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354
+ 15 #9 0x556b0f01edc8 in run_argv /home/changbin/work/linux/tools/perf/perf.c:398
+ 16 #10 0x556b0f01f71f in main /home/changbin/work/linux/tools/perf/perf.c:520
+ 17 #11 0x7f6062ccf09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Fixes: 89896051f8da ("perf tools: Do not put a variable sized type not at the end of a struct")
+Link: http://lkml.kernel.org/r/20190316080556.3075-3-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/parse-events.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
+index ebb18a9bc460..85977cebf87c 100644
+--- a/tools/perf/util/parse-events.c
++++ b/tools/perf/util/parse-events.c
+@@ -2263,6 +2263,7 @@ static bool is_event_supported(u8 type, unsigned config)
+ perf_evsel__delete(evsel);
+ }
+
++ thread_map__put(tmap);
+ return ret;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 105120a7380475b70f70e0772f0dfe2a542dcfef Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:56 +0800
+Subject: perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test()
+
+[ Upstream commit d982b33133284fa7efa0e52ae06b88f9be3ea764 ]
+
+ =================================================================
+ ==20875==ERROR: LeakSanitizer: detected memory leaks
+
+ Direct leak of 1160 byte(s) in 1 object(s) allocated from:
+ #0 0x7f1b6fc84138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
+ #1 0x55bd50005599 in zalloc util/util.h:23
+ #2 0x55bd500068f5 in perf_evsel__newtp_idx util/evsel.c:327
+ #3 0x55bd4ff810fc in perf_evsel__newtp /home/work/linux/tools/perf/util/evsel.h:216
+ #4 0x55bd4ff81608 in test__perf_evsel__tp_sched_test tests/evsel-tp-sched.c:69
+ #5 0x55bd4ff528e6 in run_test tests/builtin-test.c:358
+ #6 0x55bd4ff52baf in test_and_print tests/builtin-test.c:388
+ #7 0x55bd4ff543fe in __cmd_test tests/builtin-test.c:583
+ #8 0x55bd4ff5572f in cmd_test tests/builtin-test.c:722
+ #9 0x55bd4ffc4087 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302
+ #10 0x55bd4ffc45c6 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354
+ #11 0x55bd4ffc49ca in run_argv /home/changbin/work/linux/tools/perf/perf.c:398
+ #12 0x55bd4ffc5138 in main /home/changbin/work/linux/tools/perf/perf.c:520
+ #13 0x7f1b6e34809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
+
+ Indirect leak of 19 byte(s) in 1 object(s) allocated from:
+ #0 0x7f1b6fc83f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
+ #1 0x7f1b6e3ac30f in vasprintf (/lib/x86_64-linux-gnu/libc.so.6+0x8830f)
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields")
+Link: http://lkml.kernel.org/r/20190316080556.3075-17-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/evsel-tp-sched.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c
+index d0406116c905..926a8e1b5e94 100644
+--- a/tools/perf/tests/evsel-tp-sched.c
++++ b/tools/perf/tests/evsel-tp-sched.c
+@@ -85,5 +85,6 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes
+ if (perf_evsel__test_field(evsel, "target_cpu", 4, true))
+ ret = -1;
+
++ perf_evsel__delete(evsel);
+ return ret;
+ }
+--
+2.19.1
+
--- /dev/null
+From 11f77fa71253e4d30678371e39ba3437669f7ec7 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:54 +0800
+Subject: perf tests: Fix a memory leak of cpu_map object in the
+ openat_syscall_event_on_all_cpus test
+
+[ Upstream commit 93faa52e8371f0291ee1ff4994edae2b336b6233 ]
+
+ =================================================================
+ ==7497==ERROR: LeakSanitizer: detected memory leaks
+
+ Direct leak of 40 byte(s) in 1 object(s) allocated from:
+ #0 0x7f0333a88f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
+ #1 0x5625e5326213 in cpu_map__trim_new util/cpumap.c:45
+ #2 0x5625e5326703 in cpu_map__read util/cpumap.c:103
+ #3 0x5625e53267ef in cpu_map__read_all_cpu_map util/cpumap.c:120
+ #4 0x5625e5326915 in cpu_map__new util/cpumap.c:135
+ #5 0x5625e517b355 in test__openat_syscall_event_on_all_cpus tests/openat-syscall-all-cpus.c:36
+ #6 0x5625e51528e6 in run_test tests/builtin-test.c:358
+ #7 0x5625e5152baf in test_and_print tests/builtin-test.c:388
+ #8 0x5625e51543fe in __cmd_test tests/builtin-test.c:583
+ #9 0x5625e515572f in cmd_test tests/builtin-test.c:722
+ #10 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302
+ #11 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354
+ #12 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398
+ #13 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520
+ #14 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Fixes: f30a79b012e5 ("perf tools: Add reference counting for cpu_map object")
+Link: http://lkml.kernel.org/r/20190316080556.3075-15-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/openat-syscall-all-cpus.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/openat-syscall-all-cpus.c b/tools/perf/tests/openat-syscall-all-cpus.c
+index c531e6deb104..493ecb611540 100644
+--- a/tools/perf/tests/openat-syscall-all-cpus.c
++++ b/tools/perf/tests/openat-syscall-all-cpus.c
+@@ -45,7 +45,7 @@ int test__openat_syscall_event_on_all_cpus(struct test *test __maybe_unused, int
+ if (IS_ERR(evsel)) {
+ tracing_path__strerror_open_tp(errno, errbuf, sizeof(errbuf), "syscalls", "sys_enter_openat");
+ pr_debug("%s\n", errbuf);
+- goto out_thread_map_delete;
++ goto out_cpu_map_delete;
+ }
+
+ if (perf_evsel__open(evsel, cpus, threads) < 0) {
+@@ -119,6 +119,8 @@ int test__openat_syscall_event_on_all_cpus(struct test *test __maybe_unused, int
+ perf_evsel__close_fd(evsel);
+ out_evsel_delete:
+ perf_evsel__delete(evsel);
++out_cpu_map_delete:
++ cpu_map__put(cpus);
+ out_thread_map_delete:
+ thread_map__put(threads);
+ return err;
+--
+2.19.1
+
--- /dev/null
+From 213edd4e1cb30b67cba31512aed1a6a13226d049 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:55 +0800
+Subject: perf tests: Fix memory leak by expr__find_other() in test__expr()
+
+[ Upstream commit f97a8991d3b998e518f56794d879f645964de649 ]
+
+ =================================================================
+ ==7506==ERROR: LeakSanitizer: detected memory leaks
+
+ Direct leak of 13 byte(s) in 3 object(s) allocated from:
+ #0 0x7f03339d6070 in __interceptor_strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3b070)
+ #1 0x5625e53aaef0 in expr__find_other util/expr.y:221
+ #2 0x5625e51bcd3f in test__expr tests/expr.c:52
+ #3 0x5625e51528e6 in run_test tests/builtin-test.c:358
+ #4 0x5625e5152baf in test_and_print tests/builtin-test.c:388
+ #5 0x5625e51543fe in __cmd_test tests/builtin-test.c:583
+ #6 0x5625e515572f in cmd_test tests/builtin-test.c:722
+ #7 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302
+ #8 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354
+ #9 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398
+ #10 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520
+ #11 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Fixes: 075167363f8b ("perf tools: Add a simple expression parser for JSON")
+Link: http://lkml.kernel.org/r/20190316080556.3075-16-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/expr.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/expr.c b/tools/perf/tests/expr.c
+index 01f0706995a9..9acc1e80b936 100644
+--- a/tools/perf/tests/expr.c
++++ b/tools/perf/tests/expr.c
+@@ -19,7 +19,7 @@ int test__expr(struct test *t __maybe_unused, int subtest __maybe_unused)
+ const char *p;
+ const char **other;
+ double val;
+- int ret;
++ int i, ret;
+ struct parse_ctx ctx;
+ int num_other;
+
+@@ -56,6 +56,9 @@ int test__expr(struct test *t __maybe_unused, int subtest __maybe_unused)
+ TEST_ASSERT_VAL("find other", !strcmp(other[1], "BAZ"));
+ TEST_ASSERT_VAL("find other", !strcmp(other[2], "BOZO"));
+ TEST_ASSERT_VAL("find other", other[3] == NULL);
++
++ for (i = 0; i < num_other; i++)
++ free((void *)other[i]);
+ free((void *)other);
+
+ return 0;
+--
+2.19.1
+
--- /dev/null
+From 2e1e1efbdfcd96e666383e8121b42441cf8b1cc4 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Sat, 16 Mar 2019 16:05:48 +0800
+Subject: perf top: Fix error handling in cmd_top()
+
+[ Upstream commit 70c819e4bf1c5f492768b399d898d458ccdad2b6 ]
+
+We should go to the cleanup path, to avoid leaks, detected using gcc's
+ASan.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Link: http://lkml.kernel.org/r/20190316080556.3075-9-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-top.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
+index d21d8751e749..33eefc33e0ea 100644
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -1491,8 +1491,9 @@ int cmd_top(int argc, const char **argv)
+ annotation_config__init();
+
+ symbol_conf.try_vmlinux_path = (symbol_conf.vmlinux_name == NULL);
+- if (symbol__init(NULL) < 0)
+- return -1;
++ status = symbol__init(NULL);
++ if (status < 0)
++ goto out_delete_evlist;
+
+ sort__setup_elide(stdout);
+
+--
+2.19.1
+
--- /dev/null
+From 69f4fb96c205f1584d10915e2062578ee4425927 Mon Sep 17 00:00:00 2001
+From: Yanjiang Jin <yanjiang.jin@hxt-semitech.com>
+Date: Sat, 29 Sep 2018 17:06:55 +0800
+Subject: pinctrl: core: make sure strcmp() doesn't get a null parameter
+
+[ Upstream commit 54a58185bfafb5af5045fb8388c45daa373f90f3 ]
+
+Some drivers, for example, QCOM's qdf2xxx, set groups[gpio].name only
+when gpio is valid, and leave invalid gpio names as null.
+If we want to access the sys node "pinconf-groups",
+pinctrl_get_group_selector() -> get_group_name() may return a null
+pointer if group_selector is invalid, then the below Kernel panic
+would happen since strcmp() uses this null pointer to do comparison.
+
+ Unable to handle kernel NULL pointer dereference at ss 00000000
+el:Internal error: Oops: 9600000[ 143.080279]
+SMP
+ CPU: 19 PID: 2493 Comm: read_all Tainted: G O
+.aarch64 #1
+ Hardware name: HXT Semiconductor HXT REP-2 System
+ PC is at strcmp+0x18/0x154
+ LR is at pinctrl_get_group_selector+0x6c/0xe8
+ Process read_all (pid: 2493, stack limit =
+ Call trace:
+ Exception stack
+ strcmp+0x18/0x154
+ pin_config_group_get+0x64/0xd8
+ pinconf_generic_dump_one+0xd8/0x1c0
+ pinconf_generic_dump_pins+0x94/0xc8
+ pinconf_groups_show+0xb4/0x104
+ seq_read+0x178/0x464
+ full_proxy_read+0x6c/0xac
+ __vfs_read+0x58/0x178
+ vfs_read+0x94/0x164
+ SyS_read+0x60/0xc0
+ __sys_trace_return+0x0/0x4
+ --[ end trace]--
+ Kernel panic - not syncing: Fatal exception
+
+Signed-off-by: Yanjiang Jin <yanjiang.jin@hxt-semitech.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
+index a3dd777e3ce8..c6ff4d5fa482 100644
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -627,7 +627,7 @@ static int pinctrl_generic_group_name_to_selector(struct pinctrl_dev *pctldev,
+ while (selector < ngroups) {
+ const char *gname = ops->get_group_name(pctldev, selector);
+
+- if (!strcmp(function, gname))
++ if (gname && !strcmp(function, gname))
+ return selector;
+
+ selector++;
+@@ -743,7 +743,7 @@ int pinctrl_get_group_selector(struct pinctrl_dev *pctldev,
+ while (group_selector < ngroups) {
+ const char *gname = pctlops->get_group_name(pctldev,
+ group_selector);
+- if (!strcmp(gname, pin_group)) {
++ if (gname && !strcmp(gname, pin_group)) {
+ dev_dbg(pctldev->dev,
+ "found group selector %u for %s\n",
+ group_selector,
+--
+2.19.1
+
--- /dev/null
+From c0b763e812164bccafcd5a71122a1e8a599d0789 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 14 Oct 2018 19:54:27 +0200
+Subject: platform/x86: Add Intel AtomISP2 dummy / power-management driver
+
+[ Upstream commit 49ad712afa88c502831d37f7089d98eac441fb80 ]
+
+The Image Signal Processor found on Cherry Trail devices is brought up in
+D0 state on devices which have camera sensors attached to it. The ISP will
+not enter D3 state again without some massaging of its registers beforehand
+and the ISP not being in D3 state blocks the SoC from entering S0ix modes.
+
+There was a driver for the ISP in drivers/staging but that got removed
+again because it never worked. It does not seem likely that a real
+driver for the ISP will be added to the mainline kernel anytime soon.
+
+This commit adds a dummy driver which contains the necessary magic from
+the staging driver to powerdown the ISP, so that Cherry Trail devices where
+the ISP is used will properly use S0ix modes when suspended.
+
+Together with other recent S0ix related fixes this allows S0ix modes to
+be entered on e.g. a Chuwi Hi8 Pro and a HP x2 210.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=196915
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ MAINTAINERS | 6 ++
+ drivers/platform/x86/Kconfig | 12 +++
+ drivers/platform/x86/Makefile | 1 +
+ drivers/platform/x86/intel_atomisp2_pm.c | 119 +++++++++++++++++++++++
+ 4 files changed, 138 insertions(+)
+ create mode 100644 drivers/platform/x86/intel_atomisp2_pm.c
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 9e9b19ecf6f7..11a59e82d92e 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -7320,6 +7320,12 @@ L: alsa-devel@alsa-project.org (moderated for non-subscribers)
+ S: Supported
+ F: sound/soc/intel/
+
++INTEL ATOMISP2 DUMMY / POWER-MANAGEMENT DRIVER
++M: Hans de Goede <hdegoede@redhat.com>
++L: platform-driver-x86@vger.kernel.org
++S: Maintained
++F: drivers/platform/x86/intel_atomisp2_pm.c
++
+ INTEL C600 SERIES SAS CONTROLLER DRIVER
+ M: Intel SCU Linux support <intel-linux-scu@intel.com>
+ M: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index 7563c07e14e4..1e2524de6a63 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -1231,6 +1231,18 @@ config I2C_MULTI_INSTANTIATE
+ To compile this driver as a module, choose M here: the module
+ will be called i2c-multi-instantiate.
+
++config INTEL_ATOMISP2_PM
++ tristate "Intel AtomISP2 dummy / power-management driver"
++ depends on PCI && IOSF_MBI && PM
++ help
++ Power-management driver for Intel's Image Signal Processor found on
++ Bay and Cherry Trail devices. This dummy driver's sole purpose is to
++ turn the ISP off (put it in D3) to save power and to allow entering
++ of S0ix modes.
++
++ To compile this driver as a module, choose M here: the module
++ will be called intel_atomisp2_pm.
++
+ endif # X86_PLATFORM_DEVICES
+
+ config PMC_ATOM
+diff --git a/drivers/platform/x86/Makefile b/drivers/platform/x86/Makefile
+index e6d1becf81ce..dc29af4d8e2f 100644
+--- a/drivers/platform/x86/Makefile
++++ b/drivers/platform/x86/Makefile
+@@ -92,3 +92,4 @@ obj-$(CONFIG_MLX_PLATFORM) += mlx-platform.o
+ obj-$(CONFIG_INTEL_TURBO_MAX_3) += intel_turbo_max_3.o
+ obj-$(CONFIG_INTEL_CHTDC_TI_PWRBTN) += intel_chtdc_ti_pwrbtn.o
+ obj-$(CONFIG_I2C_MULTI_INSTANTIATE) += i2c-multi-instantiate.o
++obj-$(CONFIG_INTEL_ATOMISP2_PM) += intel_atomisp2_pm.o
+diff --git a/drivers/platform/x86/intel_atomisp2_pm.c b/drivers/platform/x86/intel_atomisp2_pm.c
+new file mode 100644
+index 000000000000..9371603a0ac9
+--- /dev/null
++++ b/drivers/platform/x86/intel_atomisp2_pm.c
+@@ -0,0 +1,119 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Dummy driver for Intel's Image Signal Processor found on Bay and Cherry
++ * Trail devices. The sole purpose of this driver is to allow the ISP to
++ * be put in D3.
++ *
++ * Copyright (C) 2018 Hans de Goede <hdegoede@redhat.com>
++ *
++ * Based on various non upstream patches for ISP support:
++ * Copyright (C) 2010-2017 Intel Corporation. All rights reserved.
++ * Copyright (c) 2010 Silicon Hive www.siliconhive.com.
++ */
++
++#include <linux/delay.h>
++#include <linux/module.h>
++#include <linux/mod_devicetable.h>
++#include <linux/pci.h>
++#include <linux/pm_runtime.h>
++#include <asm/iosf_mbi.h>
++
++/* PCI configuration regs */
++#define PCI_INTERRUPT_CTRL 0x9c
++
++#define PCI_CSI_CONTROL 0xe8
++#define PCI_CSI_CONTROL_PORTS_OFF_MASK 0x7
++
++/* IOSF BT_MBI_UNIT_PMC regs */
++#define ISPSSPM0 0x39
++#define ISPSSPM0_ISPSSC_OFFSET 0
++#define ISPSSPM0_ISPSSC_MASK 0x00000003
++#define ISPSSPM0_ISPSSS_OFFSET 24
++#define ISPSSPM0_ISPSSS_MASK 0x03000000
++#define ISPSSPM0_IUNIT_POWER_ON 0x0
++#define ISPSSPM0_IUNIT_POWER_OFF 0x3
++
++static int isp_probe(struct pci_dev *dev, const struct pci_device_id *id)
++{
++ unsigned long timeout;
++ u32 val;
++
++ pci_write_config_dword(dev, PCI_INTERRUPT_CTRL, 0);
++
++ /*
++ * MRFLD IUNIT DPHY is located in an always-power-on island
++ * MRFLD HW design need all CSI ports are disabled before
++ * powering down the IUNIT.
++ */
++ pci_read_config_dword(dev, PCI_CSI_CONTROL, &val);
++ val |= PCI_CSI_CONTROL_PORTS_OFF_MASK;
++ pci_write_config_dword(dev, PCI_CSI_CONTROL, val);
++
++ /* Write 0x3 to ISPSSPM0 bit[1:0] to power off the IUNIT */
++ iosf_mbi_modify(BT_MBI_UNIT_PMC, MBI_REG_READ, ISPSSPM0,
++ ISPSSPM0_IUNIT_POWER_OFF, ISPSSPM0_ISPSSC_MASK);
++
++ /*
++ * There should be no IUNIT access while power-down is
++ * in progress HW sighting: 4567865
++ * Wait up to 50 ms for the IUNIT to shut down.
++ */
++ timeout = jiffies + msecs_to_jiffies(50);
++ while (1) {
++ /* Wait until ISPSSPM0 bit[25:24] shows 0x3 */
++ iosf_mbi_read(BT_MBI_UNIT_PMC, MBI_REG_READ, ISPSSPM0, &val);
++ val = (val & ISPSSPM0_ISPSSS_MASK) >> ISPSSPM0_ISPSSS_OFFSET;
++ if (val == ISPSSPM0_IUNIT_POWER_OFF)
++ break;
++
++ if (time_after(jiffies, timeout)) {
++ dev_err(&dev->dev, "IUNIT power-off timeout.\n");
++ return -EBUSY;
++ }
++ usleep_range(1000, 2000);
++ }
++
++ pm_runtime_allow(&dev->dev);
++ pm_runtime_put_sync_suspend(&dev->dev);
++
++ return 0;
++}
++
++static void isp_remove(struct pci_dev *dev)
++{
++ pm_runtime_get_sync(&dev->dev);
++ pm_runtime_forbid(&dev->dev);
++}
++
++static int isp_pci_suspend(struct device *dev)
++{
++ return 0;
++}
++
++static int isp_pci_resume(struct device *dev)
++{
++ return 0;
++}
++
++static UNIVERSAL_DEV_PM_OPS(isp_pm_ops, isp_pci_suspend,
++ isp_pci_resume, NULL);
++
++static const struct pci_device_id isp_id_table[] = {
++ { PCI_VDEVICE(INTEL, 0x22b8), },
++ { 0, }
++};
++MODULE_DEVICE_TABLE(pci, isp_id_table);
++
++static struct pci_driver isp_pci_driver = {
++ .name = "intel_atomisp2_pm",
++ .id_table = isp_id_table,
++ .probe = isp_probe,
++ .remove = isp_remove,
++ .driver.pm = &isp_pm_ops,
++};
++
++module_pci_driver(isp_pci_driver);
++
++MODULE_DESCRIPTION("Intel AtomISP2 dummy / power-management drv (for suspend)");
++MODULE_AUTHOR("Hans de Goede <hdegoede@redhat.com>");
++MODULE_LICENSE("GPL v2");
+--
+2.19.1
+
--- /dev/null
+From e2e5bb9a4e0febcbacfc446f0d9bd4bfd030a465 Mon Sep 17 00:00:00 2001
+From: Jiada Wang <jiada_wang@mentor.com>
+Date: Tue, 12 Mar 2019 15:51:28 +0900
+Subject: PM / Domains: Avoid a potential deadlock
+
+[ Upstream commit 2071ac985d37efe496782c34318dbead93beb02f ]
+
+Lockdep warns that prepare_lock and genpd->mlock can cause a deadlock
+the deadlock scenario is like following:
+First thread is probing cs2000
+cs2000_probe()
+ clk_register()
+ __clk_core_init()
+ clk_prepare_lock() ----> acquires prepare_lock
+ cs2000_recalc_rate()
+ i2c_smbus_read_byte_data()
+ rcar_i2c_master_xfer()
+ dma_request_chan()
+ rcar_dmac_of_xlate()
+ rcar_dmac_alloc_chan_resources()
+ pm_runtime_get_sync()
+ __pm_runtime_resume()
+ rpm_resume()
+ rpm_callback()
+ genpd_runtime_resume() ----> acquires genpd->mlock
+
+Second thread is attaching any device to the same PM domain
+genpd_add_device()
+ genpd_lock() ----> acquires genpd->mlock
+ cpg_mssr_attach_dev()
+ of_clk_get_from_provider()
+ __of_clk_get_from_provider()
+ __clk_create_clk()
+ clk_prepare_lock() ----> acquires prepare_lock
+
+Since currently no PM provider access genpd's critical section
+in .attach_dev, and .detach_dev callbacks, so there is no need to protect
+these two callbacks with genpd->mlock.
+This patch avoids a potential deadlock by moving out .attach_dev and .detach_dev
+from genpd->mlock, so that genpd->mlock won't be held when prepare_lock is acquired
+in .attach_dev and .detach_dev
+
+Signed-off-by: Jiada Wang <jiada_wang@mentor.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/domain.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index 4b5714199490..bf5be0bfaf77 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1388,12 +1388,12 @@ static int genpd_add_device(struct generic_pm_domain *genpd, struct device *dev,
+ if (IS_ERR(gpd_data))
+ return PTR_ERR(gpd_data);
+
+- genpd_lock(genpd);
+-
+ ret = genpd->attach_dev ? genpd->attach_dev(genpd, dev) : 0;
+ if (ret)
+ goto out;
+
++ genpd_lock(genpd);
++
+ dev_pm_domain_set(dev, &genpd->domain);
+
+ genpd->device_count++;
+@@ -1401,9 +1401,8 @@ static int genpd_add_device(struct generic_pm_domain *genpd, struct device *dev,
+
+ list_add_tail(&gpd_data->base.list_node, &genpd->dev_list);
+
+- out:
+ genpd_unlock(genpd);
+-
++ out:
+ if (ret)
+ genpd_free_dev_data(dev, gpd_data);
+ else
+@@ -1452,15 +1451,15 @@ static int genpd_remove_device(struct generic_pm_domain *genpd,
+ genpd->device_count--;
+ genpd->max_off_time_changed = true;
+
+- if (genpd->detach_dev)
+- genpd->detach_dev(genpd, dev);
+-
+ dev_pm_domain_set(dev, NULL);
+
+ list_del_init(&pdd->list_node);
+
+ genpd_unlock(genpd);
+
++ if (genpd->detach_dev)
++ genpd->detach_dev(genpd, dev);
++
+ genpd_free_dev_data(dev, gpd_data);
+
+ return 0;
+--
+2.19.1
+
--- /dev/null
+From 78cf058f5faf2f8d0531c52013ec31cf217c49da Mon Sep 17 00:00:00 2001
+From: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Date: Mon, 10 Sep 2018 09:57:00 -0500
+Subject: powerpc/pseries: Remove prrn_work workqueue
+
+[ Upstream commit cd24e457fd8b2d087d9236700c8d2957054598bf ]
+
+When a PRRN event is received we are already running in a worker
+thread. Instead of spawning off another worker thread on the prrn_work
+workqueue to handle the PRRN event we can just call the PRRN handler
+routine directly.
+
+With this update we can also pass the scope variable for the PRRN
+event directly to the handler instead of it being a global variable.
+
+This patch fixes the following oops mnessage we are seeing in PRRN testing:
+
+ Oops: Bad kernel stack pointer, sig: 6 [#1]
+ SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in: nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache binfmt_misc reiserfs vfat fat rpadlpar_io(X) rpaphp(X) tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag af_packet xfs libcrc32c dm_service_time ibmveth(X) ses enclosure scsi_transport_sas rtc_generic btrfs xor raid6_pq sd_mod ibmvscsi(X) scsi_transport_srp ipr(X) libata sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
+ Supported: Yes, External 54
+ CPU: 7 PID: 18967 Comm: kworker/u96:0 Tainted: G X 4.4.126-94.22-default #1
+ Workqueue: pseries hotplug workque pseries_hp_work_fn
+ task: c000000775367790 ti: c00000001ebd4000 task.ti: c00000070d140000
+ NIP: 0000000000000000 LR: 000000001fb3d050 CTR: 0000000000000000
+ REGS: c00000001ebd7d40 TRAP: 0700 Tainted: G X (4.4.126-94.22-default)
+ MSR: 8000000102081000 <41,VEC,ME5 CR: 28000002 XER: 20040018 4
+ CFAR: 000000001fb3d084 40 419 1 3
+ GPR00: 000000000000000040000000000010007 000000001ffff400 000000041fffe200
+ GPR04: 000000000000008050000000000000000 000000001fb15fa8 0000000500000500
+ GPR08: 000000000001f40040000000000000001 0000000000000000 000005:5200040002
+ GPR12: 00000000000000005c000000007a05400 c0000000000e89f8 000000001ed9f668
+ GPR16: 000000001fbeff944000000001fbeff94 000000001fb545e4 0000006000000060
+ GPR20: ffffffffffffffff4ffffffffffffffff 0000000000000000 0000000000000000
+ GPR24: 00000000000000005400000001fb3c000 0000000000000000 000000001fb1b040
+ GPR28: 000000001fb240004000000001fb440d8 0000000000000008 0000000000000000
+ NIP [0000000000000000] 5 (null)
+ LR [000000001fb3d050] 031fb3d050
+ Call Trace: 4
+ Instruction dump: 4 5:47 12 2
+ XXXXXXXX XXXXXXXX XXXXX4XX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
+ XXXXXXXX XXXXXXXX XXXXX5XX XXXXXXXX 60000000 60000000 60000000 60000000
+ ---[ end trace aa5627b04a7d9d6b ]--- 3NMI watchdog: BUG: soft lockup - CPU#27 stuck for 23s! [kworker/27:0:13903]
+ Modules linked in: nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache binfmt_misc reiserfs vfat fat rpadlpar_io(X) rpaphp(X) tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag af_packet xfs libcrc32c dm_service_time ibmveth(X) ses enclosure scsi_transport_sas rtc_generic btrfs xor raid6_pq sd_mod ibmvscsi(X) scsi_transport_srp ipr(X) libata sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
+ Supported: Yes, External
+ CPU: 27 PID: 13903 Comm: kworker/27:0 Tainted: G D X 4.4.126-94.22-default #1
+ Workqueue: events prrn_work_fn
+ task: c000000747cfa390 ti: c00000074712c000 task.ti: c00000074712c000
+ NIP: c0000000008002a8 LR: c000000000090770 CTR: 000000000032e088
+ REGS: c00000074712f7b0 TRAP: 0901 Tainted: G D X (4.4.126-94.22-default)
+ MSR: 8000000100009033 <SF,EE,ME,IR,DR,RI,LE> CR: 22482044 XER: 20040000
+ CFAR: c0000000008002c4 SOFTE: 1
+ GPR00: c000000000090770 c00000074712fa30 c000000000f09800 c000000000fa1928 6:02
+ GPR04: c000000775f5e000 fffffffffffffffe 0000000000000001 c000000000f42db8
+ GPR08: 0000000000000001 0000000080000007 0000000000000000 0000000000000000
+ GPR12: 8006210083180000 c000000007a14400
+ NIP [c0000000008002a8] _raw_spin_lock+0x68/0xd0
+ LR [c000000000090770] mobility_rtas_call+0x50/0x100
+ Call Trace: 59 5
+ [c00000074712fa60] [c000000000090770] mobility_rtas_call+0x50/0x100
+ [c00000074712faf0] [c000000000090b08] pseries_devicetree_update+0xf8/0x530
+ [c00000074712fc20] [c000000000031ba4] prrn_work_fn+0x34/0x50
+ [c00000074712fc40] [c0000000000e0390] process_one_work+0x1a0/0x4e0
+ [c00000074712fcd0] [c0000000000e0870] worker_thread+0x1a0/0x6105:57 2
+ [c00000074712fd80] [c0000000000e8b18] kthread+0x128/0x150
+ [c00000074712fe30] [c0000000000096f8] ret_from_kernel_thread+0x5c/0x64
+ Instruction dump:
+ 2c090000 40c20010 7d40192d 40c2fff0 7c2004ac 2fa90000 40de0018 5:540030 3
+ e8010010 ebe1fff8 7c0803a6 4e800020 <7c210b78> e92d0000 89290009 792affe3
+
+Signed-off-by: John Allen <jallen@linux.ibm.com>
+Signed-off-by: Haren Myneni <haren@us.ibm.com>
+Signed-off-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/rtasd.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/arch/powerpc/kernel/rtasd.c b/arch/powerpc/kernel/rtasd.c
+index 44d66c33d59d..23b88b923f06 100644
+--- a/arch/powerpc/kernel/rtasd.c
++++ b/arch/powerpc/kernel/rtasd.c
+@@ -274,27 +274,16 @@ void pSeries_log_error(char *buf, unsigned int err_type, int fatal)
+ }
+
+ #ifdef CONFIG_PPC_PSERIES
+-static s32 prrn_update_scope;
+-
+-static void prrn_work_fn(struct work_struct *work)
++static void handle_prrn_event(s32 scope)
+ {
+ /*
+ * For PRRN, we must pass the negative of the scope value in
+ * the RTAS event.
+ */
+- pseries_devicetree_update(-prrn_update_scope);
++ pseries_devicetree_update(-scope);
+ numa_update_cpu_topology(false);
+ }
+
+-static DECLARE_WORK(prrn_work, prrn_work_fn);
+-
+-static void prrn_schedule_update(u32 scope)
+-{
+- flush_work(&prrn_work);
+- prrn_update_scope = scope;
+- schedule_work(&prrn_work);
+-}
+-
+ static void handle_rtas_event(const struct rtas_error_log *log)
+ {
+ if (rtas_error_type(log) != RTAS_TYPE_PRRN || !prrn_is_enabled())
+@@ -303,7 +292,7 @@ static void handle_rtas_event(const struct rtas_error_log *log)
+ /* For PRRN Events the extended log length is used to denote
+ * the scope for calling rtas update-nodes.
+ */
+- prrn_schedule_update(rtas_error_extended_log_length(log));
++ handle_prrn_event(rtas_error_extended_log_length(log));
+ }
+
+ #else
+--
+2.19.1
+
--- /dev/null
+From a538e4fe8e4c1c98c00ff6015bae3c7b47391383 Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Fri, 1 Feb 2019 14:13:41 +0800
+Subject: Revert "ACPI / EC: Remove old CLEAR_ON_RESUME quirk"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit b6a3e1475b0220378ad32bdf4d8692f058b1fc03 ]
+
+On some Samsung hardware, it is necessary to clear events accumulated by
+the EC during sleep. These ECs stop reporting GPEs until they are manually
+polled, if too many events are accumulated.
+Thus the CLEAR_ON_RESUME quirk is introduced to send EC query commands
+unconditionally after resume to clear all the EC query events on those
+platforms.
+
+Later, commit 4c237371f290 ("ACPI / EC: Remove old CLEAR_ON_RESUME quirk")
+removes the CLEAR_ON_RESUME quirk because we thought the new EC IRQ
+polling logic should handle this case.
+
+Now it has been proved that the EC IRQ Polling logic does not fix the
+issue actually because we got regression report on these Samsung
+platforms after removing the quirk.
+
+Thus revert commit 4c237371f290 ("ACPI / EC: Remove old CLEAR_ON_RESUME
+quirk") to introduce back the Samsung quirk in this patch.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=44161
+Tested-by: Ortwin Glück <odi@odi.ch>
+Tested-by: Francisco Cribari <cribari@gmail.com>
+Tested-by: Balazs Varga <balazs4web@gmail.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/ec.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index 9d66a47d32fb..49e16f009095 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -194,6 +194,7 @@ static struct workqueue_struct *ec_query_wq;
+ static int EC_FLAGS_QUERY_HANDSHAKE; /* Needs QR_EC issued when SCI_EVT set */
+ static int EC_FLAGS_CORRECT_ECDT; /* Needs ECDT port address correction */
+ static int EC_FLAGS_IGNORE_DSDT_GPE; /* Needs ECDT GPE as correction setting */
++static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */
+
+ /* --------------------------------------------------------------------------
+ * Logging/Debugging
+@@ -499,6 +500,26 @@ static inline void __acpi_ec_disable_event(struct acpi_ec *ec)
+ ec_log_drv("event blocked");
+ }
+
++/*
++ * Process _Q events that might have accumulated in the EC.
++ * Run with locked ec mutex.
++ */
++static void acpi_ec_clear(struct acpi_ec *ec)
++{
++ int i, status;
++ u8 value = 0;
++
++ for (i = 0; i < ACPI_EC_CLEAR_MAX; i++) {
++ status = acpi_ec_query(ec, &value);
++ if (status || !value)
++ break;
++ }
++ if (unlikely(i == ACPI_EC_CLEAR_MAX))
++ pr_warn("Warning: Maximum of %d stale EC events cleared\n", i);
++ else
++ pr_info("%d stale EC events cleared\n", i);
++}
++
+ static void acpi_ec_enable_event(struct acpi_ec *ec)
+ {
+ unsigned long flags;
+@@ -507,6 +528,10 @@ static void acpi_ec_enable_event(struct acpi_ec *ec)
+ if (acpi_ec_started(ec))
+ __acpi_ec_enable_event(ec);
+ spin_unlock_irqrestore(&ec->lock, flags);
++
++ /* Drain additional events if hardware requires that */
++ if (EC_FLAGS_CLEAR_ON_RESUME)
++ acpi_ec_clear(ec);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+@@ -1820,6 +1845,31 @@ static int ec_flag_query_handshake(const struct dmi_system_id *id)
+ }
+ #endif
+
++/*
++ * On some hardware it is necessary to clear events accumulated by the EC during
++ * sleep. These ECs stop reporting GPEs until they are manually polled, if too
++ * many events are accumulated. (e.g. Samsung Series 5/9 notebooks)
++ *
++ * https://bugzilla.kernel.org/show_bug.cgi?id=44161
++ *
++ * Ideally, the EC should also be instructed NOT to accumulate events during
++ * sleep (which Windows seems to do somehow), but the interface to control this
++ * behaviour is not known at this time.
++ *
++ * Models known to be affected are Samsung 530Uxx/535Uxx/540Uxx/550Pxx/900Xxx,
++ * however it is very likely that other Samsung models are affected.
++ *
++ * On systems which don't accumulate _Q events during sleep, this extra check
++ * should be harmless.
++ */
++static int ec_clear_on_resume(const struct dmi_system_id *id)
++{
++ pr_debug("Detected system needing EC poll on resume.\n");
++ EC_FLAGS_CLEAR_ON_RESUME = 1;
++ ec_event_clearing = ACPI_EC_EVT_TIMING_STATUS;
++ return 0;
++}
++
+ /*
+ * Some ECDTs contain wrong register addresses.
+ * MSI MS-171F
+@@ -1869,6 +1919,9 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = {
+ ec_honor_ecdt_gpe, "ASUS X580VD", {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "X580VD"),}, NULL},
++ {
++ ec_clear_on_resume, "Samsung hardware", {
++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD.")}, NULL},
+ {},
+ };
+
+--
+2.19.1
+
--- /dev/null
+From c2c8a545344d1fd3aeadbfb8f13a7dc6d318a852 Mon Sep 17 00:00:00 2001
+From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
+Date: Mon, 27 Aug 2018 17:05:15 +0530
+Subject: rsi: improve kernel thread handling to fix kernel panic
+
+[ Upstream commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473 ]
+
+While running regressions, observed below kernel panic when sdio disconnect
+called. This is because of, kthread_stop() is taking care of
+wait_for_completion() by default. When wait_for_completion triggered
+in kthread_stop and as it was done already, giving kernel panic.
+Hence, removing redundant wait_for_completion() from rsi_kill_thread().
+
+... skipping ...
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [<ffffffff810a63df>] exit_creds+0x1f/0x50
+PGD 0
+Oops: 0002 [#1] SMP
+CPU: 0 PID: 6502 Comm: rmmod Tainted: G OE 4.15.9-Generic #154-Ubuntu
+Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
+Stack:
+ffff88007392e600 ffff880075847dc0 ffffffff8108160a 0000000000000000
+ffff88007392e600 ffff880075847de8 ffffffff810a484b ffff880076127000
+ffff88003cd3a800 ffff880074f12a00 ffff880075847e28 ffffffffc09bed15
+Call Trace:
+[<ffffffff8108160a>] __put_task_struct+0x5a/0x140
+[<ffffffff810a484b>] kthread_stop+0x10b/0x110
+[<ffffffffc09bed15>] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
+[<ffffffff81578bcb>] ? __pm_runtime_resume+0x5b/0x80
+[<ffffffff816f0918>] sdio_bus_remove+0x38/0x100
+[<ffffffff8156cc64>] __device_release_driver+0xa4/0x150
+[<ffffffff8156d7a5>] driver_detach+0xb5/0xc0
+[<ffffffff8156c6c5>] bus_remove_driver+0x55/0xd0
+[<ffffffff8156dfbc>] driver_unregister+0x2c/0x50
+[<ffffffff816f0b8a>] sdio_unregister_driver+0x1a/0x20
+[<ffffffffc09bf0f5>] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
+[<ffffffff8110cad8>] SyS_delete_module+0x1b8/0x210
+[<ffffffff81851dc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb
+
+Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_common.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_common.h b/drivers/net/wireless/rsi/rsi_common.h
+index d9ff3b8be86e..60f1f286b030 100644
+--- a/drivers/net/wireless/rsi/rsi_common.h
++++ b/drivers/net/wireless/rsi/rsi_common.h
+@@ -75,7 +75,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle)
+ atomic_inc(&handle->thread_done);
+ rsi_set_event(&handle->event);
+
+- wait_for_completion(&handle->completion);
+ return kthread_stop(handle->task);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 21e16e0e5f2a42be3b9ecd1ce4984fa5fba65497 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 8 Mar 2019 12:48:39 +0000
+Subject: rxrpc: Fix client call connect/disconnect race
+
+[ Upstream commit 930c9f9125c85b5134b3e711bc252ecc094708e3 ]
+
+rxrpc_disconnect_client_call() reads the call's connection ID protocol
+value (call->cid) as part of that function's variable declarations. This
+is bad because it's not inside the locked section and so may race with
+someone granting use of the channel to the call.
+
+This manifests as an assertion failure (see below) where the call in the
+presumed channel (0 because call->cid wasn't set when we read it) doesn't
+match the call attached to the channel we were actually granted (if 1, 2 or
+3).
+
+Fix this by moving the read and dependent calculations inside of the
+channel_lock section. Also, only set the channel number and pointer
+variables if cid is not zero (ie. unset).
+
+This problem can be induced by injecting an occasional error in
+rxrpc_wait_for_channel() before the call to schedule().
+
+Make two further changes also:
+
+ (1) Add a trace for wait failure in rxrpc_connect_call().
+
+ (2) Drop channel_lock before BUG'ing in the case of the assertion failure.
+
+The failure causes a trace akin to the following:
+
+rxrpc: Assertion failed - 18446612685268945920(0xffff8880beab8c00) == 18446612685268621312(0xffff8880bea69800) is false
+------------[ cut here ]------------
+kernel BUG at net/rxrpc/conn_client.c:824!
+...
+RIP: 0010:rxrpc_disconnect_client_call+0x2bf/0x99d
+...
+Call Trace:
+ rxrpc_connect_call+0x902/0x9b3
+ ? wake_up_q+0x54/0x54
+ rxrpc_new_client_call+0x3a0/0x751
+ ? rxrpc_kernel_begin_call+0x141/0x1bc
+ ? afs_alloc_call+0x1b5/0x1b5
+ rxrpc_kernel_begin_call+0x141/0x1bc
+ afs_make_call+0x20c/0x525
+ ? afs_alloc_call+0x1b5/0x1b5
+ ? __lock_is_held+0x40/0x71
+ ? lockdep_init_map+0xaf/0x193
+ ? lockdep_init_map+0xaf/0x193
+ ? __lock_is_held+0x40/0x71
+ ? yfs_fs_fetch_data+0x33b/0x34a
+ yfs_fs_fetch_data+0x33b/0x34a
+ afs_fetch_data+0xdc/0x3b7
+ afs_read_dir+0x52d/0x97f
+ afs_dir_iterate+0xa0/0x661
+ ? iterate_dir+0x63/0x141
+ iterate_dir+0xa2/0x141
+ ksys_getdents64+0x9f/0x11b
+ ? filldir+0x111/0x111
+ ? do_syscall_64+0x3e/0x1a0
+ __x64_sys_getdents64+0x16/0x19
+ do_syscall_64+0x7d/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 45025bceef17 ("rxrpc: Improve management and caching of client connection objects")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/rxrpc.h | 2 ++
+ net/rxrpc/conn_client.c | 20 +++++++++++++++-----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
+index 573d5b901fb1..6d182746afab 100644
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -76,6 +76,7 @@ enum rxrpc_client_trace {
+ rxrpc_client_chan_disconnect,
+ rxrpc_client_chan_pass,
+ rxrpc_client_chan_unstarted,
++ rxrpc_client_chan_wait_failed,
+ rxrpc_client_cleanup,
+ rxrpc_client_count,
+ rxrpc_client_discard,
+@@ -275,6 +276,7 @@ enum rxrpc_tx_point {
+ EM(rxrpc_client_chan_disconnect, "ChDisc") \
+ EM(rxrpc_client_chan_pass, "ChPass") \
+ EM(rxrpc_client_chan_unstarted, "ChUnst") \
++ EM(rxrpc_client_chan_wait_failed, "ChWtFl") \
+ EM(rxrpc_client_cleanup, "Clean ") \
+ EM(rxrpc_client_count, "Count ") \
+ EM(rxrpc_client_discard, "Discar") \
+diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
+index 6e419b15a9f8..c979a56faaef 100644
+--- a/net/rxrpc/conn_client.c
++++ b/net/rxrpc/conn_client.c
+@@ -707,6 +707,7 @@ int rxrpc_connect_call(struct rxrpc_sock *rx,
+
+ ret = rxrpc_wait_for_channel(call, gfp);
+ if (ret < 0) {
++ trace_rxrpc_client(call->conn, ret, rxrpc_client_chan_wait_failed);
+ rxrpc_disconnect_client_call(call);
+ goto out;
+ }
+@@ -777,16 +778,22 @@ static void rxrpc_set_client_reap_timer(struct rxrpc_net *rxnet)
+ */
+ void rxrpc_disconnect_client_call(struct rxrpc_call *call)
+ {
+- unsigned int channel = call->cid & RXRPC_CHANNELMASK;
+ struct rxrpc_connection *conn = call->conn;
+- struct rxrpc_channel *chan = &conn->channels[channel];
++ struct rxrpc_channel *chan = NULL;
+ struct rxrpc_net *rxnet = conn->params.local->rxnet;
++ unsigned int channel = -1;
++ u32 cid;
+
++ spin_lock(&conn->channel_lock);
++
++ cid = call->cid;
++ if (cid) {
++ channel = cid & RXRPC_CHANNELMASK;
++ chan = &conn->channels[channel];
++ }
+ trace_rxrpc_client(conn, channel, rxrpc_client_chan_disconnect);
+ call->conn = NULL;
+
+- spin_lock(&conn->channel_lock);
+-
+ /* Calls that have never actually been assigned a channel can simply be
+ * discarded. If the conn didn't get used either, it will follow
+ * immediately unless someone else grabs it in the meantime.
+@@ -810,7 +817,10 @@ void rxrpc_disconnect_client_call(struct rxrpc_call *call)
+ goto out;
+ }
+
+- ASSERTCMP(rcu_access_pointer(chan->call), ==, call);
++ if (rcu_access_pointer(chan->call) != call) {
++ spin_unlock(&conn->channel_lock);
++ BUG();
++ }
+
+ /* If a client call was exposed to the world, we save the result for
+ * retransmission.
+--
+2.19.1
+
--- /dev/null
+From d6a0bb333aa3878ba1f85cb0b37f32465a8b39cb Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 6 Mar 2019 20:11:42 +0300
+Subject: sched/core: Fix buffer overflow in cgroup2 property cpu.max
+
+[ Upstream commit 4c47acd824aaaa8fc6dc519fb4e08d1522105b7a ]
+
+Add limit into sscanf format string for on-stack buffer.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Li Zefan <lizefan@huawei.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 0d5936344f30 ("sched: Implement interface for cgroup unified hierarchy")
+Link: https://lkml.kernel.org/r/155189230232.2620.13120481613524200065.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 9a4f57d7e931..d7f409866cdf 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -6930,7 +6930,7 @@ static int __maybe_unused cpu_period_quota_parse(char *buf,
+ {
+ char tok[21]; /* U64_MAX */
+
+- if (!sscanf(buf, "%s %llu", tok, periodp))
++ if (sscanf(buf, "%20s %llu", tok, periodp) < 1)
+ return -EINVAL;
+
+ *periodp *= NSEC_PER_USEC;
+--
+2.19.1
+
--- /dev/null
+From fa94a5f8a487006470700f3301a7eb0703158faf Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 5 Mar 2019 09:32:02 +0100
+Subject: sched/cpufreq: Fix 32-bit math overflow
+
+[ Upstream commit a23314e9d88d89d49e69db08f60b7caa470f04e1 ]
+
+Vincent Wang reported that get_next_freq() has a mult overflow bug on
+32-bit platforms in the IOWAIT boost case, since in that case {util,max}
+are in freq units instead of capacity units.
+
+Solve this by moving the IOWAIT boost to capacity units. And since this
+means @max is constant; simplify the code.
+
+Reported-by: Vincent Wang <vincent.wang@unisoc.com>
+Tested-by: Vincent Wang <vincent.wang@unisoc.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Chunyan Zhang <zhang.lyra@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Quentin Perret <quentin.perret@arm.com>
+Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190305083202.GU32494@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cpufreq_schedutil.c | 59 ++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 34 deletions(-)
+
+diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
+index 3fffad3bc8a8..217f81ecae17 100644
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -50,10 +50,10 @@ struct sugov_cpu {
+
+ bool iowait_boost_pending;
+ unsigned int iowait_boost;
+- unsigned int iowait_boost_max;
+ u64 last_update;
+
+ unsigned long bw_dl;
++ unsigned long min;
+ unsigned long max;
+
+ /* The field below is for single-CPU policies only: */
+@@ -283,8 +283,7 @@ static bool sugov_iowait_reset(struct sugov_cpu *sg_cpu, u64 time,
+ if (delta_ns <= TICK_NSEC)
+ return false;
+
+- sg_cpu->iowait_boost = set_iowait_boost
+- ? sg_cpu->sg_policy->policy->min : 0;
++ sg_cpu->iowait_boost = set_iowait_boost ? sg_cpu->min : 0;
+ sg_cpu->iowait_boost_pending = set_iowait_boost;
+
+ return true;
+@@ -324,14 +323,13 @@ static void sugov_iowait_boost(struct sugov_cpu *sg_cpu, u64 time,
+
+ /* Double the boost at each request */
+ if (sg_cpu->iowait_boost) {
+- sg_cpu->iowait_boost <<= 1;
+- if (sg_cpu->iowait_boost > sg_cpu->iowait_boost_max)
+- sg_cpu->iowait_boost = sg_cpu->iowait_boost_max;
++ sg_cpu->iowait_boost =
++ min_t(unsigned int, sg_cpu->iowait_boost << 1, SCHED_CAPACITY_SCALE);
+ return;
+ }
+
+ /* First wakeup after IO: start with minimum boost */
+- sg_cpu->iowait_boost = sg_cpu->sg_policy->policy->min;
++ sg_cpu->iowait_boost = sg_cpu->min;
+ }
+
+ /**
+@@ -353,47 +351,38 @@ static void sugov_iowait_boost(struct sugov_cpu *sg_cpu, u64 time,
+ * This mechanism is designed to boost high frequently IO waiting tasks, while
+ * being more conservative on tasks which does sporadic IO operations.
+ */
+-static void sugov_iowait_apply(struct sugov_cpu *sg_cpu, u64 time,
+- unsigned long *util, unsigned long *max)
++static unsigned long sugov_iowait_apply(struct sugov_cpu *sg_cpu, u64 time,
++ unsigned long util, unsigned long max)
+ {
+- unsigned int boost_util, boost_max;
++ unsigned long boost;
+
+ /* No boost currently required */
+ if (!sg_cpu->iowait_boost)
+- return;
++ return util;
+
+ /* Reset boost if the CPU appears to have been idle enough */
+ if (sugov_iowait_reset(sg_cpu, time, false))
+- return;
++ return util;
+
+- /*
+- * An IO waiting task has just woken up:
+- * allow to further double the boost value
+- */
+- if (sg_cpu->iowait_boost_pending) {
+- sg_cpu->iowait_boost_pending = false;
+- } else {
++ if (!sg_cpu->iowait_boost_pending) {
+ /*
+- * Otherwise: reduce the boost value and disable it when we
+- * reach the minimum.
++ * No boost pending; reduce the boost value.
+ */
+ sg_cpu->iowait_boost >>= 1;
+- if (sg_cpu->iowait_boost < sg_cpu->sg_policy->policy->min) {
++ if (sg_cpu->iowait_boost < sg_cpu->min) {
+ sg_cpu->iowait_boost = 0;
+- return;
++ return util;
+ }
+ }
+
++ sg_cpu->iowait_boost_pending = false;
++
+ /*
+- * Apply the current boost value: a CPU is boosted only if its current
+- * utilization is smaller then the current IO boost level.
++ * @util is already in capacity scale; convert iowait_boost
++ * into the same scale so we can compare.
+ */
+- boost_util = sg_cpu->iowait_boost;
+- boost_max = sg_cpu->iowait_boost_max;
+- if (*util * boost_max < *max * boost_util) {
+- *util = boost_util;
+- *max = boost_max;
+- }
++ boost = (sg_cpu->iowait_boost * max) >> SCHED_CAPACITY_SHIFT;
++ return max(boost, util);
+ }
+
+ #ifdef CONFIG_NO_HZ_COMMON
+@@ -440,7 +429,7 @@ static void sugov_update_single(struct update_util_data *hook, u64 time,
+
+ util = sugov_get_util(sg_cpu);
+ max = sg_cpu->max;
+- sugov_iowait_apply(sg_cpu, time, &util, &max);
++ util = sugov_iowait_apply(sg_cpu, time, util, max);
+ next_f = get_next_freq(sg_policy, util, max);
+ /*
+ * Do not reduce the frequency if the CPU has not been idle
+@@ -480,7 +469,7 @@ static unsigned int sugov_next_freq_shared(struct sugov_cpu *sg_cpu, u64 time)
+
+ j_util = sugov_get_util(j_sg_cpu);
+ j_max = j_sg_cpu->max;
+- sugov_iowait_apply(j_sg_cpu, time, &j_util, &j_max);
++ j_util = sugov_iowait_apply(j_sg_cpu, time, j_util, j_max);
+
+ if (j_util * max > j_max * util) {
+ util = j_util;
+@@ -817,7 +806,9 @@ static int sugov_start(struct cpufreq_policy *policy)
+ memset(sg_cpu, 0, sizeof(*sg_cpu));
+ sg_cpu->cpu = cpu;
+ sg_cpu->sg_policy = sg_policy;
+- sg_cpu->iowait_boost_max = policy->cpuinfo.max_freq;
++ sg_cpu->min =
++ (SCHED_CAPACITY_SCALE * policy->cpuinfo.min_freq) /
++ policy->cpuinfo.max_freq;
+ }
+
+ for_each_cpu(cpu, policy->cpus) {
+--
+2.19.1
+
--- /dev/null
+From 4d6729b0eb164d3c69829ed3c465d00b185655c4 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 26 Feb 2019 16:35:26 -0800
+Subject: scsi: core: Avoid that system resume triggers a kernel warning
+
+[ Upstream commit 388b4e6a00bb3097278ed1648ac5a1cb48c894e6 ]
+
+scsi_device_quiesce() and scsi_device_resume() are called during
+system-wide suspend and resume. scsi_device_quiesce() only succeeds for
+SCSI devices that are in one of the RUNNING, OFFLINE or TRANSPORT_OFFLINE
+states (see also scsi_set_device_state()). This patch avoids that the
+following warning is triggered when resuming a system for which quiescing a
+SCSI device failed:
+
+WARNING: CPU: 2 PID: 11303 at drivers/scsi/scsi_lib.c:2600 scsi_device_resume+0x4f/0x58
+CPU: 2 PID: 11303 Comm: kworker/u8:70 Not tainted 5.0.0-rc1+ #50
+Hardware name: LENOVO 80E3/Lancer 5B2, BIOS A2CN45WW(V2.13) 08/04/2016
+Workqueue: events_unbound async_run_entry_fn
+Call Trace:
+ scsi_dev_type_resume+0x2e/0x60
+ async_run_entry_fn+0x32/0xd8
+ process_one_work+0x1f4/0x420
+ worker_thread+0x28/0x3c0
+ kthread+0x118/0x130
+ ret_from_fork+0x22/0x40
+
+Cc: Przemek Socha <soprwa@gmail.com>
+Reported-by: Przemek Socha <soprwa@gmail.com>
+Fixes: 3a0a529971ec ("block, scsi: Make SCSI quiesce and resume work reliably") # v4.15
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_lib.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 18e4289baf99..655790f30434 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -3095,7 +3095,6 @@ void scsi_device_resume(struct scsi_device *sdev)
+ * device deleted during suspend)
+ */
+ mutex_lock(&sdev->state_mutex);
+- WARN_ON_ONCE(!sdev->quiesced_by);
+ sdev->quiesced_by = NULL;
+ blk_clear_preempt_only(sdev->request_queue);
+ if (sdev->sdev_state == SDEV_QUIESCE)
+--
+2.19.1
+
--- /dev/null
+From 66b04402995d8a54181b4f34c8ad09096e96fdd2 Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Mon, 28 Jan 2019 15:24:42 +0100
+Subject: scsi: iscsi: flush running unbind operations when removing a session
+
+[ Upstream commit 165aa2bfb42904b1bec4bf2fa257c8c603c14a06 ]
+
+In some cases, the iscsi_remove_session() function is called while an
+unbind_work operation is still running. This may cause a situation where
+sysfs objects are removed in an incorrect order, triggering a kernel
+warning.
+
+[ 605.249442] ------------[ cut here ]------------
+[ 605.259180] sysfs group 'power' not found for kobject 'target2:0:0'
+[ 605.321371] WARNING: CPU: 1 PID: 26794 at fs/sysfs/group.c:235 sysfs_remove_group+0x76/0x80
+[ 605.341266] Modules linked in: dm_service_time target_core_user target_core_pscsi target_core_file target_core_iblock iscsi_target_mod target_core_mod nls_utf8 isofs ppdev bochs_drm nfit ttm libnvdimm drm_kms_helper syscopyarea sysfillrect sysimgblt joydev pcspkr fb_sys_fops drm i2c_piix4 sg parport_pc parport xfs libcrc32c dm_multipath sr_mod sd_mod cdrom ata_generic 8021q garp mrp ata_piix stp crct10dif_pclmul crc32_pclmul llc libata crc32c_intel virtio_net net_failover ghash_clmulni_intel serio_raw failover sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
+[ 605.627479] CPU: 1 PID: 26794 Comm: kworker/u32:2 Not tainted 4.18.0-60.el8.x86_64 #1
+[ 605.721401] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
+[ 605.823651] Workqueue: scsi_wq_2 __iscsi_unbind_session [scsi_transport_iscsi]
+[ 605.830940] RIP: 0010:sysfs_remove_group+0x76/0x80
+[ 605.922907] Code: 48 89 df 5b 5d 41 5c e9 38 c4 ff ff 48 89 df e8 e0 bf ff ff eb cb 49 8b 14 24 48 8b 75 00 48 c7 c7 38 73 cb a7 e8 24 77 d7 ff <0f> 0b 5b 5d 41 5c c3 0f 1f 00 0f 1f 44 00 00 41 56 41 55 41 54 55
+[ 606.122304] RSP: 0018:ffffbadcc8d1bda8 EFLAGS: 00010286
+[ 606.218492] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 606.326381] RDX: ffff98bdfe85eb40 RSI: ffff98bdfe856818 RDI: ffff98bdfe856818
+[ 606.514498] RBP: ffffffffa7ab73e0 R08: 0000000000000268 R09: 0000000000000007
+[ 606.529469] R10: 0000000000000000 R11: ffffffffa860d9ad R12: ffff98bdf978e838
+[ 606.630535] R13: ffff98bdc2cd4010 R14: ffff98bdc2cd3ff0 R15: ffff98bdc2cd4000
+[ 606.824707] FS: 0000000000000000(0000) GS:ffff98bdfe840000(0000) knlGS:0000000000000000
+[ 607.018333] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 607.117844] CR2: 00007f84b78ac024 CR3: 000000002c00a003 CR4: 00000000003606e0
+[ 607.117844] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 607.420926] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 607.524236] Call Trace:
+[ 607.530591] device_del+0x56/0x350
+[ 607.624393] ? ata_tlink_match+0x30/0x30 [libata]
+[ 607.727805] ? attribute_container_device_trigger+0xb4/0xf0
+[ 607.829911] scsi_target_reap_ref_release+0x39/0x50
+[ 607.928572] scsi_remove_target+0x1a2/0x1d0
+[ 608.017350] __iscsi_unbind_session+0xb3/0x160 [scsi_transport_iscsi]
+[ 608.117435] process_one_work+0x1a7/0x360
+[ 608.132917] worker_thread+0x30/0x390
+[ 608.222900] ? pwq_unbound_release_workfn+0xd0/0xd0
+[ 608.323989] kthread+0x112/0x130
+[ 608.418318] ? kthread_bind+0x30/0x30
+[ 608.513821] ret_from_fork+0x35/0x40
+[ 608.613909] ---[ end trace 0b98c310c8a6138c ]---
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Acked-by: Chris Leech <cleech@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 6fd2fe210fc3..4d0fc6b01fa0 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2185,6 +2185,8 @@ void iscsi_remove_session(struct iscsi_cls_session *session)
+ scsi_target_unblock(&session->dev, SDEV_TRANSPORT_OFFLINE);
+ /* flush running scans then delete devices */
+ flush_work(&session->scan_work);
++ /* flush running unbind operations */
++ flush_work(&session->unbind_work);
+ __iscsi_unbind_session(&session->unbind_work);
+
+ /* hw iscsi may not have removed all connections from session */
+--
+2.19.1
+
--- /dev/null
+From f17f01d4aa2af2c233343bbc233c76d03de84382 Mon Sep 17 00:00:00 2001
+From: Michal Simek <michal.simek@xilinx.com>
+Date: Mon, 3 Sep 2018 15:10:49 +0200
+Subject: serial: uartps: console_setup() can't be placed to init section
+
+[ Upstream commit 4bb1ce2350a598502b23088b169e16b43d4bc639 ]
+
+When console device is rebinded, console_setup() is called again.
+But marking it as __init means that function will be clear after boot is
+complete. If console device is binded again console_setup() is not found
+and error "Unable to handle kernel paging request at virtual address"
+is reported.
+
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
+index 0e3627289047..77efa0a43fe7 100644
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -1223,7 +1223,7 @@ static void cdns_uart_console_write(struct console *co, const char *s,
+ *
+ * Return: 0 on success, negative errno otherwise.
+ */
+-static int __init cdns_uart_console_setup(struct console *co, char *options)
++static int cdns_uart_console_setup(struct console *co, char *options)
+ {
+ struct uart_port *port = console_port;
+
+--
+2.19.1
+
--- /dev/null
+arc-u-boot-args-check-that-magic-number-is-correct.patch
+arc-hsdk_defconfig-enable-config_blk_dev_ram.patch
+inotify-fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
+perf-core-restore-mmap-record-type-correctly.patch
+perf-data-don-t-store-auxtrace-index-for-directory-d.patch
+ext4-avoid-panic-during-forced-reboot.patch
+ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch
+ext4-report-real-fs-size-after-failed-resize.patch
+alsa-echoaudio-add-a-check-for-ioremap_nocache.patch
+alsa-sb8-add-a-check-for-request_region.patch
+auxdisplay-hd44780-fix-memory-leak-on-remove.patch
+drm-udl-use-drm_gem_object_put_unlocked.patch
+ib-mlx4-fix-race-condition-between-catas-error-reset.patch
+i40iw-avoid-panic-when-handling-the-inetdev-event.patch
+mmc-davinci-remove-extraneous-__init-annotation.patch
+alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch
+thermal-intel_powerclamp-fix-__percpu-declaration-of.patch
+thermal-samsung-fix-incorrect-check-after-code-merge.patch
+thermal-bcm2835-fix-crash-in-bcm2835_thermal_debugfs.patch
+thermal-int340x_thermal-add-additional-uuids.patch
+thermal-int340x_thermal-fix-mode-setting.patch
+thermal-intel_powerclamp-fix-truncated-kthread-name.patch
+scsi-iscsi-flush-running-unbind-operations-when-remo.patch
+sched-cpufreq-fix-32-bit-math-overflow.patch
+sched-core-fix-buffer-overflow-in-cgroup2-property-c.patch
+x86-mm-don-t-leak-kernel-addresses.patch
+tools-power-turbostat-return-the-exit-status-of-a-co.patch
+perf-list-don-t-forget-to-drop-the-reference-to-the-.patch
+perf-config-fix-an-error-in-the-config-template-docu.patch
+perf-config-fix-a-memory-leak-in-collect_config.patch
+perf-build-id-fix-memory-leak-in-print_sdt_events.patch
+perf-top-fix-error-handling-in-cmd_top.patch
+perf-hist-add-missing-map__put-in-error-case.patch
+perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch
+perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch
+perf-tests-fix-memory-leak-by-expr__find_other-in-te.patch
+perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch
+acpi-utils-drop-reference-in-test-for-device-presenc.patch
+pm-domains-avoid-a-potential-deadlock.patch
+blk-iolatency-include-blk.h.patch
+drm-exynos-mixer-fix-mixer-shadow-registry-synchroni.patch
+irqchip-stm32-don-t-clear-rising-falling-config-regi.patch
+irqchip-mbigen-don-t-clear-eventid-when-freeing-an-m.patch
+x86-hpet-prevent-potential-null-pointer-dereference.patch
+x86-hyperv-prevent-potential-null-pointer-dereferenc.patch
+x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch
+drm-nouveau-debugfs-fix-check-of-pm_runtime_get_sync.patch
+iommu-vt-d-check-capability-before-disabling-protect.patch
+x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch
+fix-incorrect-error-code-mapping-for-objectid_not_fo.patch
+x86-gart-exclude-gart-aperture-from-kcore.patch
+ext4-prohibit-fstrim-in-norecovery-mode.patch
+drm-cirrus-use-drm_framebuffer_put-to-avoid-kernel-o.patch
+gpio-pxa-handle-corner-case-of-unprobed-device.patch
+rsi-improve-kernel-thread-handling-to-fix-kernel-pan.patch
+f2fs-fix-to-avoid-null-pointer-dereference-on-se-dis.patch
+9p-do-not-trust-pdu-content-for-stat-item-size.patch
+9p-locks-add-mount-option-for-lock-retry-interval.patch
+asoc-fix-ubsan-warning-at-snd_soc_get-put_volsw_sx.patch
+f2fs-fix-to-do-sanity-check-with-current-segment-num.patch
+netfilter-xt_cgroup-shrink-size-of-v2-path.patch
+serial-uartps-console_setup-can-t-be-placed-to-init-.patch
+powerpc-pseries-remove-prrn_work-workqueue.patch
+media-au0828-cannot-kfree-dev-before-usb-disconnect.patch
+bluetooth-fix-debugfs-null-pointer-dereference.patch
+hid-i2c-hid-override-hid-descriptors-for-certain-dev.patch
+pinctrl-core-make-sure-strcmp-doesn-t-get-a-null-par.patch
+arm-samsung-limit-samsung_pm_check-config-option-to-.patch
+usbip-fix-vhci_hcd-controller-counting.patch
+acpi-sbs-fix-gpe-storm-on-recent-macbookpro-s.patch
+hid-usbhid-add-quirk-for-redragon-dragonrise-seymur-.patch
+kvm-nvmx-restore-host-state-in-nested_vmx_vmexit-for.patch
+compiler.h-update-definition-of-unreachable.patch
+netfilter-nf_flow_table-remove-flowtable-hook-flush-.patch
+f2fs-cleanup-dirty-pages-if-recover-failed.patch
+net-stmmac-set-own-bit-for-jumbo-frames.patch
+cifs-fallback-to-older-infolevels-on-findfirst-query.patch
+kernel-hung_task.c-disable-on-suspend.patch
+platform-x86-add-intel-atomisp2-dummy-power-manageme.patch
+drm-ttm-fix-bo_global-and-mem_global-kfree-error.patch
+alsa-hda-fix-front-speakers-on-huawei-mbxp.patch
+acpi-ec-pm-disable-non-wakeup-gpes-for-suspend-to-id.patch
+net-rds-fix-warn-in-rds_message_alloc_sgs.patch
+xfrm-destroy-xfrm_state-synchronously-on-net-exit-pa.patch
+crypto-sha256-arm-fix-crash-bug-in-thumb2-build.patch
+crypto-sha512-arm-fix-crash-bug-in-thumb2-build.patch
+net-ip6_gre-fix-possible-null-pointer-dereference-in.patch
+iommu-dmar-fix-buffer-overflow-during-pci-bus-notifi.patch
+scsi-core-avoid-that-system-resume-triggers-a-kernel.patch
+soc-tegra-pmc-drop-locking-from-tegra_powergate_is_p.patch
+lkdtm-print-real-addresses.patch
+lkdtm-add-tests-for-null-pointer-dereference.patch
+drm-panel-panel-innolux-set-display-off-in-innolux_p.patch
+crypto-axis-fix-for-recursive-locking-from-bottom-ha.patch
+revert-acpi-ec-remove-old-clear_on_resume-quirk.patch
+coresight-cpu-debug-support-for-ca73-cpus.patch
+pci-blacklist-power-management-of-gigabyte-x299-desi.patch
+drm-nouveau-volt-gf117-fix-speedo-readout-register.patch
+arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch
+drm-amdkfd-use-init_mqd-function-to-allocate-object-.patch
+appletalk-fix-use-after-free-in-atalk_proc_exit.patch
+lib-div64.c-off-by-one-in-shift.patch
+rxrpc-fix-client-call-connect-disconnect-race.patch
+f2fs-fix-to-dirty-inode-for-i_mode-recovery.patch
+include-linux-swap.h-use-offsetof-instead-of-custom-.patch
--- /dev/null
+From 30dbf825fc54b61b4b0dc76a96b044fa1f958628 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sun, 21 Oct 2018 21:36:14 +0300
+Subject: soc/tegra: pmc: Drop locking from tegra_powergate_is_powered()
+
+[ Upstream commit b6e1fd17a38bd1d97c11d69fd3207b3ef9bfa4b3 ]
+
+This fixes splats like the one below if CONFIG_DEBUG_ATOMIC_SLEEP=y
+and machine (Tegra30) booted with SMP=n or all secondary CPU's are put
+offline. Locking isn't needed because it protects atomic operation.
+
+BUG: sleeping function called from invalid context at kernel/locking/mutex.c:254
+in_atomic(): 1, irqs_disabled(): 128, pid: 0, name: swapper/0
+CPU: 0 PID: 0 Comm: swapper/0 Tainted: G C 4.18.0-next-20180821-00180-gc3ebb6544e44-dirty #823
+Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
+[<c01134f4>] (unwind_backtrace) from [<c010db2c>] (show_stack+0x20/0x24)
+[<c010db2c>] (show_stack) from [<c0bd0f3c>] (dump_stack+0x94/0xa8)
+[<c0bd0f3c>] (dump_stack) from [<c0151df8>] (___might_sleep+0x13c/0x174)
+[<c0151df8>] (___might_sleep) from [<c0151ea0>] (__might_sleep+0x70/0xa8)
+[<c0151ea0>] (__might_sleep) from [<c0bec2b8>] (mutex_lock+0x2c/0x70)
+[<c0bec2b8>] (mutex_lock) from [<c0589844>] (tegra_powergate_is_powered+0x44/0xa8)
+[<c0589844>] (tegra_powergate_is_powered) from [<c0581a60>] (tegra30_cpu_rail_off_ready+0x30/0x74)
+[<c0581a60>] (tegra30_cpu_rail_off_ready) from [<c0122244>] (tegra30_idle_lp2+0xa0/0x108)
+[<c0122244>] (tegra30_idle_lp2) from [<c0853438>] (cpuidle_enter_state+0x140/0x540)
+[<c0853438>] (cpuidle_enter_state) from [<c08538a4>] (cpuidle_enter+0x40/0x4c)
+[<c08538a4>] (cpuidle_enter) from [<c01595e0>] (call_cpuidle+0x30/0x48)
+[<c01595e0>] (call_cpuidle) from [<c01599f8>] (do_idle+0x238/0x28c)
+[<c01599f8>] (do_idle) from [<c0159d28>] (cpu_startup_entry+0x28/0x2c)
+[<c0159d28>] (cpu_startup_entry) from [<c0be76c8>] (rest_init+0xd8/0xdc)
+[<c0be76c8>] (rest_init) from [<c1200f50>] (start_kernel+0x41c/0x430)
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/pmc.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
+index ed71a4c9c8b2..4b452f36f054 100644
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -524,16 +524,10 @@ EXPORT_SYMBOL(tegra_powergate_power_off);
+ */
+ int tegra_powergate_is_powered(unsigned int id)
+ {
+- int status;
+-
+ if (!tegra_powergate_is_valid(id))
+ return -EINVAL;
+
+- mutex_lock(&pmc->powergates_lock);
+- status = tegra_powergate_state(id);
+- mutex_unlock(&pmc->powergates_lock);
+-
+- return status;
++ return tegra_powergate_state(id);
+ }
+
+ /**
+--
+2.19.1
+
--- /dev/null
+From 62bd31ffde9ca57d1b07e965650b699836efb3ad Mon Sep 17 00:00:00 2001
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Tue, 29 Jan 2019 09:55:57 +0000
+Subject: thermal: bcm2835: Fix crash in bcm2835_thermal_debugfs
+
+[ Upstream commit 35122495a8c6683e863acf7b05a7036b2be64c7a ]
+
+"cat /sys/kernel/debug/bcm2835_thermal/regset" causes a NULL pointer
+dereference in bcm2835_thermal_debugfs. The driver makes use of the
+implementation details of the thermal framework to retrieve a pointer
+to its private data from a struct thermal_zone_device, and gets it
+wrong - leading to the crash. Instead, store its private data as the
+drvdata and retrieve the thermal_zone_device pointer from it.
+
+Fixes: bcb7dd9ef206 ("thermal: bcm2835: add thermal driver for bcm2835 SoC")
+
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/broadcom/bcm2835_thermal.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/thermal/broadcom/bcm2835_thermal.c b/drivers/thermal/broadcom/bcm2835_thermal.c
+index 24b006a95142..8646fb7425f2 100644
+--- a/drivers/thermal/broadcom/bcm2835_thermal.c
++++ b/drivers/thermal/broadcom/bcm2835_thermal.c
+@@ -128,8 +128,7 @@ static const struct debugfs_reg32 bcm2835_thermal_regs[] = {
+
+ static void bcm2835_thermal_debugfs(struct platform_device *pdev)
+ {
+- struct thermal_zone_device *tz = platform_get_drvdata(pdev);
+- struct bcm2835_thermal_data *data = tz->devdata;
++ struct bcm2835_thermal_data *data = platform_get_drvdata(pdev);
+ struct debugfs_regset32 *regset;
+
+ data->debugfsdir = debugfs_create_dir("bcm2835_thermal", NULL);
+@@ -275,7 +274,7 @@ static int bcm2835_thermal_probe(struct platform_device *pdev)
+
+ data->tz = tz;
+
+- platform_set_drvdata(pdev, tz);
++ platform_set_drvdata(pdev, data);
+
+ /*
+ * Thermal_zone doesn't enable hwmon as default,
+@@ -299,8 +298,8 @@ static int bcm2835_thermal_probe(struct platform_device *pdev)
+
+ static int bcm2835_thermal_remove(struct platform_device *pdev)
+ {
+- struct thermal_zone_device *tz = platform_get_drvdata(pdev);
+- struct bcm2835_thermal_data *data = tz->devdata;
++ struct bcm2835_thermal_data *data = platform_get_drvdata(pdev);
++ struct thermal_zone_device *tz = data->tz;
+
+ debugfs_remove_recursive(data->debugfsdir);
+ thermal_zone_of_sensor_unregister(&pdev->dev, tz);
+--
+2.19.1
+
--- /dev/null
+From 2f6158c77c29d1cde6a4e3b07e0bcbba0dd9da0e Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthewgarrett@google.com>
+Date: Wed, 10 Oct 2018 01:30:06 -0700
+Subject: thermal/int340x_thermal: Add additional UUIDs
+
+[ Upstream commit 16fc8eca1975358111dbd7ce65e4ce42d1a848fb ]
+
+Add more supported DPTF policies than the driver currently exposes.
+
+Signed-off-by: Matthew Garrett <mjg59@google.com>
+Cc: Nisha Aram <nisha.aram@intel.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/int340x_thermal/int3400_thermal.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c
+index e26b01c05e82..51c9097eaf7a 100644
+--- a/drivers/thermal/int340x_thermal/int3400_thermal.c
++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c
+@@ -22,6 +22,13 @@ enum int3400_thermal_uuid {
+ INT3400_THERMAL_PASSIVE_1,
+ INT3400_THERMAL_ACTIVE,
+ INT3400_THERMAL_CRITICAL,
++ INT3400_THERMAL_ADAPTIVE_PERFORMANCE,
++ INT3400_THERMAL_EMERGENCY_CALL_MODE,
++ INT3400_THERMAL_PASSIVE_2,
++ INT3400_THERMAL_POWER_BOSS,
++ INT3400_THERMAL_VIRTUAL_SENSOR,
++ INT3400_THERMAL_COOLING_MODE,
++ INT3400_THERMAL_HARDWARE_DUTY_CYCLING,
+ INT3400_THERMAL_MAXIMUM_UUID,
+ };
+
+@@ -29,6 +36,13 @@ static char *int3400_thermal_uuids[INT3400_THERMAL_MAXIMUM_UUID] = {
+ "42A441D6-AE6A-462b-A84B-4A8CE79027D3",
+ "3A95C389-E4B8-4629-A526-C52C88626BAE",
+ "97C68AE7-15FA-499c-B8C9-5DA81D606E0A",
++ "63BE270F-1C11-48FD-A6F7-3AF253FF3E2D",
++ "5349962F-71E6-431D-9AE8-0A635B710AEE",
++ "9E04115A-AE87-4D1C-9500-0F3E340BFE75",
++ "F5A35014-C209-46A4-993A-EB56DE7530A1",
++ "6ED722A7-9240-48A5-B479-31EEF723D7CF",
++ "16CAF1B7-DD38-40ED-B1C1-1B8A1913D531",
++ "BE84BABF-C4D4-403D-B495-3128FD44dAC1",
+ };
+
+ struct int3400_thermal_priv {
+--
+2.19.1
+
--- /dev/null
+From dab527b6795b5f36f8d9a2fb4280d9f6a29a303f Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthewgarrett@google.com>
+Date: Wed, 10 Oct 2018 01:30:07 -0700
+Subject: thermal/int340x_thermal: fix mode setting
+
+[ Upstream commit 396ee4d0cd52c13b3f6421b8d324d65da5e7e409 ]
+
+int3400 only pushes the UUID into the firmware when the mode is flipped
+to "enable". The current code only exposes the mode flag if the firmware
+supports the PASSIVE_1 UUID, which not all machines do. Remove the
+restriction.
+
+Signed-off-by: Matthew Garrett <mjg59@google.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/int340x_thermal/int3400_thermal.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c
+index 51c9097eaf7a..e9d58de8b5da 100644
+--- a/drivers/thermal/int340x_thermal/int3400_thermal.c
++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c
+@@ -316,10 +316,9 @@ static int int3400_thermal_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, priv);
+
+- if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) {
+- int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
+- int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
+- }
++ int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
++ int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
++
+ priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0,
+ priv, &int3400_thermal_ops,
+ &int3400_thermal_params, 0, 0);
+--
+2.19.1
+
--- /dev/null
+From bc791aecd09e4f9edf7426d17e6a370c0ffd8d9c Mon Sep 17 00:00:00 2001
+From: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
+Date: Sat, 19 Jan 2019 17:15:23 +0100
+Subject: thermal/intel_powerclamp: fix __percpu declaration of worker_data
+
+[ Upstream commit aa36e3616532f82a920b5ebf4e059fbafae63d88 ]
+
+This variable is declared as:
+ static struct powerclamp_worker_data * __percpu worker_data;
+In other words, a percpu pointer to struct ...
+
+But this variable not used like so but as a pointer to a percpu
+struct powerclamp_worker_data.
+
+So fix the declaration as:
+ static struct powerclamp_worker_data __percpu *worker_data;
+
+This also quiets Sparse's warnings from __verify_pcpu_ptr(), like:
+ 494:49: warning: incorrect type in initializer (different address spaces)
+ 494:49: expected void const [noderef] <asn:3> *__vpp_verify
+ 494:49: got struct powerclamp_worker_data *
+
+Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel_powerclamp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel_powerclamp.c b/drivers/thermal/intel_powerclamp.c
+index cde891c54cde..ea1aa7dbe42c 100644
+--- a/drivers/thermal/intel_powerclamp.c
++++ b/drivers/thermal/intel_powerclamp.c
+@@ -101,7 +101,7 @@ struct powerclamp_worker_data {
+ bool clamping;
+ };
+
+-static struct powerclamp_worker_data * __percpu worker_data;
++static struct powerclamp_worker_data __percpu *worker_data;
+ static struct thermal_cooling_device *cooling_dev;
+ static unsigned long *cpu_clamping_mask; /* bit map for tracking per cpu
+ * clamping kthread worker
+--
+2.19.1
+
--- /dev/null
+From 198c8b11eb52f1c159332a5a2b78f1a8ce973ca5 Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Mon, 18 Mar 2019 22:26:33 +0800
+Subject: thermal/intel_powerclamp: fix truncated kthread name
+
+[ Upstream commit e925b5be5751f6a7286bbd9a4cbbc4ac90cc5fa6 ]
+
+kthread name only allows 15 characters (TASK_COMMON_LEN is 16).
+Thus rename the kthreads created by intel_powerclamp driver from
+"kidle_inject/ + decimal cpuid" to "kidle_inj/ + decimal cpuid"
+to avoid truncated kthead name for cpu 100 and later.
+
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel_powerclamp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel_powerclamp.c b/drivers/thermal/intel_powerclamp.c
+index ea1aa7dbe42c..8e8328347c0e 100644
+--- a/drivers/thermal/intel_powerclamp.c
++++ b/drivers/thermal/intel_powerclamp.c
+@@ -494,7 +494,7 @@ static void start_power_clamp_worker(unsigned long cpu)
+ struct powerclamp_worker_data *w_data = per_cpu_ptr(worker_data, cpu);
+ struct kthread_worker *worker;
+
+- worker = kthread_create_worker_on_cpu(cpu, 0, "kidle_inject/%ld", cpu);
++ worker = kthread_create_worker_on_cpu(cpu, 0, "kidle_inj/%ld", cpu);
+ if (IS_ERR(worker))
+ return;
+
+--
+2.19.1
+
--- /dev/null
+From c2c3a2d8185d0e3a7aa493624c918a10aba76f07 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Tue, 22 Jan 2019 16:47:41 +0100
+Subject: thermal: samsung: Fix incorrect check after code merge
+
+[ Upstream commit 3b5236cc5d086dd3ddd01113ee9255421aab9fab ]
+
+Merge commit 19785cf93b6c ("Merge branch 'linus' of
+git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal")
+broke the code introduced by commit ffe6e16f14fa ("thermal: exynos: Reduce
+severity of too early temperature read"). Restore the original code from
+the mentioned commit to finally fix the warning message during boot:
+
+thermal thermal_zone0: failed to read out thermal zone (-22)
+
+Reported-by: Marian Mihailescu <mihailescu2m@gmail.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Fixes: 19785cf93b6c ("Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal")
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/samsung/exynos_tmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c
+index 48eef552cba4..fc9399d9c082 100644
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -666,7 +666,7 @@ static int exynos_get_temp(void *p, int *temp)
+ struct exynos_tmu_data *data = p;
+ int value, ret = 0;
+
+- if (!data || !data->tmu_read || !data->enabled)
++ if (!data || !data->tmu_read)
+ return -EINVAL;
+ else if (!data->enabled)
+ /*
+--
+2.19.1
+
--- /dev/null
+From 94663cc89e34a415d4e9e5f75913507a3fc9b42d Mon Sep 17 00:00:00 2001
+From: David Arcari <darcari@redhat.com>
+Date: Tue, 12 Feb 2019 09:34:39 -0500
+Subject: tools/power turbostat: return the exit status of a command
+
+[ Upstream commit 2a95496634a017c19641f26f00907af75b962f01 ]
+
+turbostat failed to return a non-zero exit status even though the
+supplied command (turbostat <command>) failed. Currently when turbostat
+forks a command it returns zero instead of the actual exit status of the
+command. Modify the code to return the exit status.
+
+Signed-off-by: David Arcari <darcari@redhat.com>
+Acked-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 980bd9d20646..83964f796edb 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -5054,6 +5054,9 @@ int fork_it(char **argv)
+ signal(SIGQUIT, SIG_IGN);
+ if (waitpid(child_pid, &status, 0) == -1)
+ err(status, "waitpid");
++
++ if (WIFEXITED(status))
++ status = WEXITSTATUS(status);
+ }
+ /*
+ * n.b. fork_it() does not check for errors from for_all_cpus()
+--
+2.19.1
+
--- /dev/null
+From 2e4d635b0c8195d7378acab451df3f4b2932e312 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= <maze@google.com>
+Date: Thu, 20 Sep 2018 13:29:42 -0700
+Subject: usbip: fix vhci_hcd controller counting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit e0a2e73e501c77037c8756137e87b12c7c3c9793 ]
+
+Without this usbip fails on a machine with devices
+that lexicographically come after vhci_hcd.
+
+ie.
+ $ ls -l /sys/devices/platform
+ ...
+ drwxr-xr-x. 4 root root 0 Sep 19 16:21 serial8250
+ -rw-r--r--. 1 root root 4096 Sep 19 23:50 uevent
+ drwxr-xr-x. 6 root root 0 Sep 20 13:15 vhci_hcd.0
+ drwxr-xr-x. 4 root root 0 Sep 19 16:22 w83627hf.656
+
+Because it detects 'w83627hf.656' as another vhci_hcd controller,
+and then fails to be able to talk to it.
+
+Note: this doesn't actually fix usbip's support for multiple
+controllers... that's still broken for other reasons
+("vhci_hcd.0" is hardcoded in a string macro), but is enough to
+actually make it work on the above machine.
+
+See also:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1631148
+
+Cc: Jonathan Dieter <jdieter@gmail.com>
+Cc: Valentina Manea <valentina.manea.m@gmail.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: linux-usb@vger.kernel.org
+Signed-off-by: Maciej Żenczykowski <zenczykowski@gmail.com>
+Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Tested-by: Jonathan Dieter <jdieter@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/usb/usbip/libsrc/vhci_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c
+index 4204359c9fee..8159fd98680b 100644
+--- a/tools/usb/usbip/libsrc/vhci_driver.c
++++ b/tools/usb/usbip/libsrc/vhci_driver.c
+@@ -150,7 +150,7 @@ static int get_nports(struct udev_device *hc_device)
+
+ static int vhci_hcd_filter(const struct dirent *dirent)
+ {
+- return strcmp(dirent->d_name, "vhci_hcd") >= 0;
++ return !strncmp(dirent->d_name, "vhci_hcd.", 9);
+ }
+
+ static int get_ncontrollers(void)
+--
+2.19.1
+
--- /dev/null
+From 7a3dfbba2f451caf02aa60b6698bd7211c7658b2 Mon Sep 17 00:00:00 2001
+From: Matthew Whitehead <tedheadster@gmail.com>
+Date: Thu, 14 Mar 2019 16:46:00 -0400
+Subject: x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors
+
+[ Upstream commit 18fb053f9b827bd98cfc64f2a35df8ab19745a1d ]
+
+There are comments in processor-cyrix.h advising you to _not_ make calls
+using the deprecated macros in this style:
+
+ setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x80);
+
+This is because it expands the macro into a non-functioning calling
+sequence. The calling order must be:
+
+ outb(CX86_CCR2, 0x22);
+ inb(0x23);
+
+From the comments:
+
+ * When using the old macros a line like
+ * setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);
+ * gets expanded to:
+ * do {
+ * outb((CX86_CCR2), 0x22);
+ * outb((({
+ * outb((CX86_CCR2), 0x22);
+ * inb(0x23);
+ * }) | 0x88), 0x23);
+ * } while (0);
+
+The new macros fix this problem, so use them instead. Tested on an
+actual Geode processor.
+
+Signed-off-by: Matthew Whitehead <tedheadster@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: luto@kernel.org
+Link: https://lkml.kernel.org/r/1552596361-8967-2-git-send-email-tedheadster@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/cyrix.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c
+index 8949b7ae6d92..fa61c870ada9 100644
+--- a/arch/x86/kernel/cpu/cyrix.c
++++ b/arch/x86/kernel/cpu/cyrix.c
+@@ -124,7 +124,7 @@ static void set_cx86_reorder(void)
+ setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */
+
+ /* Load/Store Serialize to mem access disable (=reorder it) */
+- setCx86_old(CX86_PCR0, getCx86_old(CX86_PCR0) & ~0x80);
++ setCx86(CX86_PCR0, getCx86(CX86_PCR0) & ~0x80);
+ /* set load/store serialize from 1GB to 4GB */
+ ccr3 |= 0xe0;
+ setCx86(CX86_CCR3, ccr3);
+@@ -135,11 +135,11 @@ static void set_cx86_memwb(void)
+ pr_info("Enable Memory-Write-back mode on Cyrix/NSC processor.\n");
+
+ /* CCR2 bit 2: unlock NW bit */
+- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) & ~0x04);
++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) & ~0x04);
+ /* set 'Not Write-through' */
+ write_cr0(read_cr0() | X86_CR0_NW);
+ /* CCR2 bit 2: lock NW bit and set WT1 */
+- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x14);
++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x14);
+ }
+
+ /*
+@@ -153,14 +153,14 @@ static void geode_configure(void)
+ local_irq_save(flags);
+
+ /* Suspend on halt power saving and enable #SUSP pin */
+- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x88);
++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);
+
+ ccr3 = getCx86(CX86_CCR3);
+ setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */
+
+
+ /* FPU fast, DTE cache, Mem bypass */
+- setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x38);
++ setCx86(CX86_CCR4, getCx86(CX86_CCR4) | 0x38);
+ setCx86(CX86_CCR3, ccr3); /* disable MAPEN */
+
+ set_cx86_memwb();
+@@ -296,7 +296,7 @@ static void init_cyrix(struct cpuinfo_x86 *c)
+ /* GXm supports extended cpuid levels 'ala' AMD */
+ if (c->cpuid_level == 2) {
+ /* Enable cxMMX extensions (GX1 Datasheet 54) */
+- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7) | 1);
++ setCx86(CX86_CCR7, getCx86(CX86_CCR7) | 1);
+
+ /*
+ * GXm : 0x30 ... 0x5f GXm datasheet 51
+@@ -319,7 +319,7 @@ static void init_cyrix(struct cpuinfo_x86 *c)
+ if (dir1 > 7) {
+ dir0_msn++; /* M II */
+ /* Enable MMX extensions (App note 108) */
+- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7)|1);
++ setCx86(CX86_CCR7, getCx86(CX86_CCR7)|1);
+ } else {
+ /* A 6x86MX - it has the bug. */
+ set_cpu_bug(c, X86_BUG_COMA);
+--
+2.19.1
+
--- /dev/null
+From 0c3d5e4dc98fd2dc7f4214c6e1e9c613648b1574 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Fri, 8 Mar 2019 11:05:08 +0800
+Subject: x86/gart: Exclude GART aperture from kcore
+
+[ Upstream commit ffc8599aa9763f39f6736a79da4d1575e7006f9a ]
+
+On machines where the GART aperture is mapped over physical RAM,
+/proc/kcore contains the GART aperture range. Accessing the GART range via
+/proc/kcore results in a kernel crash.
+
+vmcore used to have the same issue, until it was fixed with commit
+2a3e83c6f96c ("x86/gart: Exclude GART aperture from vmcore")', leveraging
+existing hook infrastructure in vmcore to let /proc/vmcore return zeroes
+when attempting to read the aperture region, and so it won't read from the
+actual memory.
+
+Apply the same workaround for kcore. First implement the same hook
+infrastructure for kcore, then reuse the hook functions introduced in the
+previous vmcore fix. Just with some minor adjustment, rename some functions
+for more general usage, and simplify the hook infrastructure a bit as there
+is no module usage yet.
+
+Suggested-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Jiri Bohac <jbohac@suse.cz>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: Dave Young <dyoung@redhat.com>
+Link: https://lkml.kernel.org/r/20190308030508.13548-1-kasong@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/aperture_64.c | 20 +++++++++++++-------
+ fs/proc/kcore.c | 27 +++++++++++++++++++++++++++
+ include/linux/kcore.h | 2 ++
+ 3 files changed, 42 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kernel/aperture_64.c b/arch/x86/kernel/aperture_64.c
+index 2c4d5ece7456..93426c5fc70f 100644
+--- a/arch/x86/kernel/aperture_64.c
++++ b/arch/x86/kernel/aperture_64.c
+@@ -14,6 +14,7 @@
+ #define pr_fmt(fmt) "AGP: " fmt
+
+ #include <linux/kernel.h>
++#include <linux/kcore.h>
+ #include <linux/types.h>
+ #include <linux/init.h>
+ #include <linux/memblock.h>
+@@ -57,7 +58,7 @@ int fallback_aper_force __initdata;
+
+ int fix_aperture __initdata = 1;
+
+-#ifdef CONFIG_PROC_VMCORE
++#if defined(CONFIG_PROC_VMCORE) || defined(CONFIG_PROC_KCORE)
+ /*
+ * If the first kernel maps the aperture over e820 RAM, the kdump kernel will
+ * use the same range because it will remain configured in the northbridge.
+@@ -66,20 +67,25 @@ int fix_aperture __initdata = 1;
+ */
+ static unsigned long aperture_pfn_start, aperture_page_count;
+
+-static int gart_oldmem_pfn_is_ram(unsigned long pfn)
++static int gart_mem_pfn_is_ram(unsigned long pfn)
+ {
+ return likely((pfn < aperture_pfn_start) ||
+ (pfn >= aperture_pfn_start + aperture_page_count));
+ }
+
+-static void exclude_from_vmcore(u64 aper_base, u32 aper_order)
++static void __init exclude_from_core(u64 aper_base, u32 aper_order)
+ {
+ aperture_pfn_start = aper_base >> PAGE_SHIFT;
+ aperture_page_count = (32 * 1024 * 1024) << aper_order >> PAGE_SHIFT;
+- WARN_ON(register_oldmem_pfn_is_ram(&gart_oldmem_pfn_is_ram));
++#ifdef CONFIG_PROC_VMCORE
++ WARN_ON(register_oldmem_pfn_is_ram(&gart_mem_pfn_is_ram));
++#endif
++#ifdef CONFIG_PROC_KCORE
++ WARN_ON(register_mem_pfn_is_ram(&gart_mem_pfn_is_ram));
++#endif
+ }
+ #else
+-static void exclude_from_vmcore(u64 aper_base, u32 aper_order)
++static void exclude_from_core(u64 aper_base, u32 aper_order)
+ {
+ }
+ #endif
+@@ -469,7 +475,7 @@ int __init gart_iommu_hole_init(void)
+ * may have allocated the range over its e820 RAM
+ * and fixed up the northbridge
+ */
+- exclude_from_vmcore(last_aper_base, last_aper_order);
++ exclude_from_core(last_aper_base, last_aper_order);
+
+ return 1;
+ }
+@@ -515,7 +521,7 @@ int __init gart_iommu_hole_init(void)
+ * overlap with the first kernel's memory. We can't access the
+ * range through vmcore even though it should be part of the dump.
+ */
+- exclude_from_vmcore(aper_alloc, aper_order);
++ exclude_from_core(aper_alloc, aper_order);
+
+ /* Fix up the north bridges */
+ for (i = 0; i < amd_nb_bus_dev_ranges[i].dev_limit; i++) {
+diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
+index d297fe4472a9..d0137e3e585e 100644
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -54,6 +54,28 @@ static LIST_HEAD(kclist_head);
+ static DECLARE_RWSEM(kclist_lock);
+ static int kcore_need_update = 1;
+
++/*
++ * Returns > 0 for RAM pages, 0 for non-RAM pages, < 0 on error
++ * Same as oldmem_pfn_is_ram in vmcore
++ */
++static int (*mem_pfn_is_ram)(unsigned long pfn);
++
++int __init register_mem_pfn_is_ram(int (*fn)(unsigned long pfn))
++{
++ if (mem_pfn_is_ram)
++ return -EBUSY;
++ mem_pfn_is_ram = fn;
++ return 0;
++}
++
++static int pfn_is_ram(unsigned long pfn)
++{
++ if (mem_pfn_is_ram)
++ return mem_pfn_is_ram(pfn);
++ else
++ return 1;
++}
++
+ /* This doesn't grab kclist_lock, so it should only be used at init time. */
+ void __init kclist_add(struct kcore_list *new, void *addr, size_t size,
+ int type)
+@@ -465,6 +487,11 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
+ goto out;
+ }
+ m = NULL; /* skip the list anchor */
++ } else if (!pfn_is_ram(__pa(start) >> PAGE_SHIFT)) {
++ if (clear_user(buffer, tsz)) {
++ ret = -EFAULT;
++ goto out;
++ }
+ } else if (m->type == KCORE_VMALLOC) {
+ vread(buf, (char *)start, tsz);
+ /* we have to zero-fill user buffer even if no read */
+diff --git a/include/linux/kcore.h b/include/linux/kcore.h
+index 8c3f8c14eeaa..c843f4a9c512 100644
+--- a/include/linux/kcore.h
++++ b/include/linux/kcore.h
+@@ -44,6 +44,8 @@ void kclist_add_remap(struct kcore_list *m, void *addr, void *vaddr, size_t sz)
+ m->vaddr = (unsigned long)vaddr;
+ kclist_add(m, addr, sz, KCORE_REMAP);
+ }
++
++extern int __init register_mem_pfn_is_ram(int (*fn)(unsigned long pfn));
+ #else
+ static inline
+ void kclist_add(struct kcore_list *new, void *addr, size_t size, int type)
+--
+2.19.1
+
--- /dev/null
+From ead5d5e7a08757725a1c588073a95b6af1fa436a Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Mon, 18 Mar 2019 21:19:56 -0500
+Subject: x86/hpet: Prevent potential NULL pointer dereference
+
+[ Upstream commit 2e84f116afca3719c9d0a1a78b47b48f75fd5724 ]
+
+hpet_virt_address may be NULL when ioremap_nocache fail, but the code lacks
+a check.
+
+Add a check to prevent NULL pointer dereference.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: kjlu@umn.edu
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Joe Perches <joe@perches.com>
+Cc: Nicolai Stange <nstange@suse.de>
+Cc: Roland Dreier <roland@purestorage.com>
+Link: https://lkml.kernel.org/r/20190319021958.17275-1-pakki001@umn.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/hpet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
+index b0acb22e5a46..1e3f1f140ffb 100644
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -909,6 +909,8 @@ int __init hpet_enable(void)
+ return 0;
+
+ hpet_set_mapping();
++ if (!hpet_virt_address)
++ return 0;
+
+ /*
+ * Read the period and check for a sane value:
+--
+2.19.1
+
--- /dev/null
+From 440c36284efc6cc9b4acd0a2139afd6682175e08 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Thu, 7 Mar 2019 14:27:56 -0700
+Subject: x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse()
+ return an error
+
+[ Upstream commit e898e69d6b9475bf123f99b3c5d1a67bb7cb2361 ]
+
+When building with -Wsometimes-uninitialized, Clang warns:
+
+arch/x86/kernel/hw_breakpoint.c:355:2: warning: variable 'align' is used
+uninitialized whenever switch default is taken
+[-Wsometimes-uninitialized]
+
+The default cannot be reached because arch_build_bp_info() initializes
+hw->len to one of the specified cases. Nevertheless the warning is valid
+and returning -EINVAL makes sure that this cannot be broken by future
+modifications.
+
+Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: clang-built-linux@googlegroups.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/392
+Link: https://lkml.kernel.org/r/20190307212756.4648-1-natechancellor@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/hw_breakpoint.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
+index 34a5c1715148..2882fe1d2a78 100644
+--- a/arch/x86/kernel/hw_breakpoint.c
++++ b/arch/x86/kernel/hw_breakpoint.c
+@@ -357,6 +357,7 @@ int hw_breakpoint_arch_parse(struct perf_event *bp,
+ #endif
+ default:
+ WARN_ON_ONCE(1);
++ return -EINVAL;
+ }
+
+ /*
+--
+2.19.1
+
--- /dev/null
+From da013430939931480a110250ca520e40a73346ff Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 14 Mar 2019 00:46:51 -0500
+Subject: x86/hyperv: Prevent potential NULL pointer dereference
+
+[ Upstream commit 534c89c22e26b183d838294f0937ee092c82ad3a ]
+
+The page allocation in hv_cpu_init() can fail, but the code does not
+have a check for that.
+
+Add a check and return -ENOMEM when the allocation fails.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Acked-by: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: pakki001@umn.edu
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: linux-hyperv@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190314054651.1315-1-kjlu@umn.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/hyperv/hv_init.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
+index 87abd5145cc9..3fb855155286 100644
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -101,9 +101,13 @@ static int hv_cpu_init(unsigned int cpu)
+ u64 msr_vp_index;
+ struct hv_vp_assist_page **hvp = &hv_vp_assist_page[smp_processor_id()];
+ void **input_arg;
++ struct page *pg;
+
+ input_arg = (void **)this_cpu_ptr(hyperv_pcpu_input_arg);
+- *input_arg = page_address(alloc_page(GFP_KERNEL));
++ pg = alloc_page(GFP_KERNEL);
++ if (unlikely(!pg))
++ return -ENOMEM;
++ *input_arg = page_address(pg);
+
+ hv_get_vp_index(msr_vp_index);
+
+--
+2.19.1
+
--- /dev/null
+From 1224cbd980d7c688fd0bde4812b4cb0a7eb1a17b Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@redhat.com>
+Date: Mon, 18 Mar 2019 22:24:03 +0100
+Subject: x86/mm: Don't leak kernel addresses
+
+[ Upstream commit a3151724437f54076cc10bc02b1c4f0003ae36cd ]
+
+Since commit:
+
+ ad67b74d2469d9b8 ("printk: hash addresses printed with %p")
+
+at boot "____ptrval____" is printed instead of actual addresses:
+
+ found SMP MP-table at [mem 0x000f5cc0-0x000f5ccf] mapped at [(____ptrval____)]
+
+Instead of changing the print to "%px", and leaking a kernel addresses,
+just remove the print completely, like in:
+
+ 071929dbdd865f77 ("arm64: Stop printing the virtual memory layout").
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/mpparse.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel/mpparse.c
+index f1c5eb99d445..ddb1ca6923b1 100644
+--- a/arch/x86/kernel/mpparse.c
++++ b/arch/x86/kernel/mpparse.c
+@@ -599,8 +599,8 @@ static int __init smp_scan_config(unsigned long base, unsigned long length)
+ mpf_base = base;
+ mpf_found = true;
+
+- pr_info("found SMP MP-table at [mem %#010lx-%#010lx] mapped at [%p]\n",
+- base, base + sizeof(*mpf) - 1, mpf);
++ pr_info("found SMP MP-table at [mem %#010lx-%#010lx]\n",
++ base, base + sizeof(*mpf) - 1);
+
+ memblock_reserve(base, sizeof(*mpf));
+ if (mpf->physptr)
+--
+2.19.1
+
--- /dev/null
+From d6066c90b59e8fa55a53a87acbf98a23246f3a5b Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 31 Jan 2019 13:05:49 -0800
+Subject: xfrm: destroy xfrm_state synchronously on net exit path
+
+[ Upstream commit f75a2804da391571563c4b6b29e7797787332673 ]
+
+xfrm_state_put() moves struct xfrm_state to the GC list
+and schedules the GC work to clean it up. On net exit call
+path, xfrm_state_flush() is called to clean up and
+xfrm_flush_gc() is called to wait for the GC work to complete
+before exit.
+
+However, this doesn't work because one of the ->destructor(),
+ipcomp_destroy(), schedules the same GC work again inside
+the GC work. It is hard to wait for such a nested async
+callback. This is also why syzbot still reports the following
+warning:
+
+ WARNING: CPU: 1 PID: 33 at net/ipv6/xfrm6_tunnel.c:351 xfrm6_tunnel_net_exit+0x2cb/0x500 net/ipv6/xfrm6_tunnel.c:351
+ ...
+ ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
+ cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
+ process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
+ worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
+ kthread+0x357/0x430 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+
+In fact, it is perfectly fine to bypass GC and destroy xfrm_state
+synchronously on net exit call path, because it is in process context
+and doesn't need a work struct to do any blocking work.
+
+This patch introduces xfrm_state_put_sync() which simply bypasses
+GC, and lets its callers to decide whether to use this synchronous
+version. On net exit path, xfrm_state_fini() and
+xfrm6_tunnel_net_exit() use it. And, as ipcomp_destroy() itself is
+blocking, it can use xfrm_state_put_sync() directly too.
+
+Also rename xfrm_state_gc_destroy() to ___xfrm_state_destroy() to
+reflect this change.
+
+Fixes: b48c05ab5d32 ("xfrm: Fix warning in xfrm6_tunnel_net_exit.")
+Reported-and-tested-by: syzbot+e9aebef558e3ed673934@syzkaller.appspotmail.com
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 12 +++++++++---
+ net/ipv6/xfrm6_tunnel.c | 2 +-
+ net/key/af_key.c | 2 +-
+ net/xfrm/xfrm_state.c | 30 +++++++++++++++++++-----------
+ net/xfrm/xfrm_user.c | 2 +-
+ 5 files changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index da588def3c61..5e3daf53b3d1 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -850,7 +850,7 @@ static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
+ xfrm_pol_put(pols[i]);
+ }
+
+-void __xfrm_state_destroy(struct xfrm_state *);
++void __xfrm_state_destroy(struct xfrm_state *, bool);
+
+ static inline void __xfrm_state_put(struct xfrm_state *x)
+ {
+@@ -860,7 +860,13 @@ static inline void __xfrm_state_put(struct xfrm_state *x)
+ static inline void xfrm_state_put(struct xfrm_state *x)
+ {
+ if (refcount_dec_and_test(&x->refcnt))
+- __xfrm_state_destroy(x);
++ __xfrm_state_destroy(x, false);
++}
++
++static inline void xfrm_state_put_sync(struct xfrm_state *x)
++{
++ if (refcount_dec_and_test(&x->refcnt))
++ __xfrm_state_destroy(x, true);
+ }
+
+ static inline void xfrm_state_hold(struct xfrm_state *x)
+@@ -1616,7 +1622,7 @@ struct xfrmk_spdinfo {
+
+ struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
+ int xfrm_state_delete(struct xfrm_state *x);
+-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
++int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
+ int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
+ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
+ void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index f5b4febeaa25..bc65db782bfb 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -344,8 +344,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
+ struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
+ unsigned int i;
+
+- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_flush_gc();
++ xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
+
+ for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
+ WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 7da629d59717..7d4bed955060 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1773,7 +1773,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
+ if (proto == 0)
+ return -EINVAL;
+
+- err = xfrm_state_flush(net, proto, true);
++ err = xfrm_state_flush(net, proto, true, false);
+ err2 = unicast_flush_resp(sk, hdr);
+ if (err || err2) {
+ if (err == -ESRCH) /* empty table - go quietly */
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index cc0203efb584..3f729cd512af 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -432,7 +432,7 @@ void xfrm_state_free(struct xfrm_state *x)
+ }
+ EXPORT_SYMBOL(xfrm_state_free);
+
+-static void xfrm_state_gc_destroy(struct xfrm_state *x)
++static void ___xfrm_state_destroy(struct xfrm_state *x)
+ {
+ tasklet_hrtimer_cancel(&x->mtimer);
+ del_timer_sync(&x->rtimer);
+@@ -474,7 +474,7 @@ static void xfrm_state_gc_task(struct work_struct *work)
+ synchronize_rcu();
+
+ hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
+- xfrm_state_gc_destroy(x);
++ ___xfrm_state_destroy(x);
+ }
+
+ static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
+@@ -598,14 +598,19 @@ struct xfrm_state *xfrm_state_alloc(struct net *net)
+ }
+ EXPORT_SYMBOL(xfrm_state_alloc);
+
+-void __xfrm_state_destroy(struct xfrm_state *x)
++void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
+ {
+ WARN_ON(x->km.state != XFRM_STATE_DEAD);
+
+- spin_lock_bh(&xfrm_state_gc_lock);
+- hlist_add_head(&x->gclist, &xfrm_state_gc_list);
+- spin_unlock_bh(&xfrm_state_gc_lock);
+- schedule_work(&xfrm_state_gc_work);
++ if (sync) {
++ synchronize_rcu();
++ ___xfrm_state_destroy(x);
++ } else {
++ spin_lock_bh(&xfrm_state_gc_lock);
++ hlist_add_head(&x->gclist, &xfrm_state_gc_list);
++ spin_unlock_bh(&xfrm_state_gc_lock);
++ schedule_work(&xfrm_state_gc_work);
++ }
+ }
+ EXPORT_SYMBOL(__xfrm_state_destroy);
+
+@@ -708,7 +713,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool
+ }
+ #endif
+
+-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
++int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
+ {
+ int i, err = 0, cnt = 0;
+
+@@ -730,7 +735,10 @@ int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
+ err = xfrm_state_delete(x);
+ xfrm_audit_state_delete(x, err ? 0 : 1,
+ task_valid);
+- xfrm_state_put(x);
++ if (sync)
++ xfrm_state_put_sync(x);
++ else
++ xfrm_state_put(x);
+ if (!err)
+ cnt++;
+
+@@ -2217,7 +2225,7 @@ void xfrm_state_delete_tunnel(struct xfrm_state *x)
+ if (atomic_read(&t->tunnel_users) == 2)
+ xfrm_state_delete(t);
+ atomic_dec(&t->tunnel_users);
+- xfrm_state_put(t);
++ xfrm_state_put_sync(t);
+ x->tunnel = NULL;
+ }
+ }
+@@ -2377,8 +2385,8 @@ void xfrm_state_fini(struct net *net)
+ unsigned int sz;
+
+ flush_work(&net->xfrm.state_hash_work);
+- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ flush_work(&xfrm_state_gc_work);
++ xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
+
+ WARN_ON(!list_empty(&net->xfrm.state_all));
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index ab557827aac0..7e4904b93004 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1932,7 +1932,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct xfrm_usersa_flush *p = nlmsg_data(nlh);
+ int err;
+
+- err = xfrm_state_flush(net, p->proto, true);
++ err = xfrm_state_flush(net, p->proto, true, false);
+ if (err) {
+ if (err == -ESRCH) /* empty table */
+ return 0;
+--
+2.19.1
+