--- /dev/null
+From c9b5a435ddb312b0988918a4db5d25c0a64417ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2020 15:38:36 +0300
+Subject: ALSA: hda/hdmi: fix race in monitor detection during probe
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+[ Upstream commit ca76282b6faffc83601c25bd2a95f635c03503ef ]
+
+A race exists between build_pcms() and build_controls() phases of codec
+setup. Build_pcms() sets up notifier for jack events. If a monitor event
+is received before build_controls() is run, the initial jack state is
+lost and never reported via mixer controls.
+
+The problem can be hit at least with SOF as the controller driver. SOF
+calls snd_hda_codec_build_controls() in its workqueue-based probe and
+this can be delayed enough to hit the race condition.
+
+Fix the issue by invalidating the per-pin ELD information when
+build_controls() is called. The existing call to hdmi_present_sense()
+will update the ELD contents. This ensures initial monitor state is
+correctly reflected via mixer controls.
+
+BugLink: https://github.com/thesofproject/linux/issues/1687
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20200428123836.24512-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_hdmi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 435c0efb9bf29..6b4ebaefd8f85 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2212,7 +2212,9 @@ static int generic_hdmi_build_controls(struct hda_codec *codec)
+
+ for (pin_idx = 0; pin_idx < spec->num_pins; pin_idx++) {
+ struct hdmi_spec_per_pin *per_pin = get_pin(spec, pin_idx);
++ struct hdmi_eld *pin_eld = &per_pin->sink_eld;
+
++ pin_eld->eld_valid = false;
+ hdmi_present_sense(per_pin, 0);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 88ef81b2fec7abe9d619179cdd9f6c5c0962c1af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 May 2020 23:24:47 +0800
+Subject: ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 52e4e36807aeac1cdd07b14e509c8a64101e1a09 ]
+
+Commit 317d9313925c ("ALSA: hda/realtek - Set default power save node to
+0") makes the ALC225 have pop noise on S3 resume and cold boot.
+
+The previous fix enable power save node universally for ALC225, however
+it makes some ALC225 systems unable to produce any sound.
+
+So let's only enable power save node for the affected Dell Wyse
+platform.
+
+Fixes: 317d9313925c ("ALSA: hda/realtek - Set default power save node to 0")
+BugLink: https://bugs.launchpad.net/bugs/1866357
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Link: https://lore.kernel.org/r/20200503152449.22761-2-kai.heng.feng@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index b2aec97414fb8..d578f6594223f 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5354,6 +5354,15 @@ static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec,
+ }
+ }
+
++static void alc225_fixup_s3_pop_noise(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ if (action != HDA_FIXUP_ACT_PRE_PROBE)
++ return;
++
++ codec->power_save_node = 1;
++}
++
+ /* Forcibly assign NID 0x03 to HP/LO while NID 0x02 to SPK for EQ */
+ static void alc274_fixup_bind_dacs(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+@@ -5507,6 +5516,7 @@ enum {
+ ALC233_FIXUP_LENOVO_MULTI_CODECS,
+ ALC294_FIXUP_LENOVO_MIC_LOCATION,
+ ALC225_FIXUP_DELL_WYSE_MIC_NO_PRESENCE,
++ ALC225_FIXUP_S3_POP_NOISE,
+ ALC700_FIXUP_INTEL_REFERENCE,
+ ALC274_FIXUP_DELL_BIND_DACS,
+ ALC274_FIXUP_DELL_AIO_LINEOUT_VERB,
+@@ -6339,6 +6349,12 @@ static const struct hda_fixup alc269_fixups[] = {
+ { }
+ },
+ .chained = true,
++ .chain_id = ALC225_FIXUP_S3_POP_NOISE
++ },
++ [ALC225_FIXUP_S3_POP_NOISE] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc225_fixup_s3_pop_noise,
++ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
+ },
+ [ALC700_FIXUP_INTEL_REFERENCE] = {
+--
+2.20.1
+
--- /dev/null
+From 6d97c7aaf119c98d3cd69ffbe1f91ad82efb03c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Apr 2020 20:26:29 +0100
+Subject: cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode
+ once
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit 8c539776ac83c0857395e1ccc9c6b516521a2d32 ]
+
+Make a note of the first time we discover the turbo mode has been
+disabled by the BIOS, as otherwise we complain every time we try to
+update the mode.
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/intel_pstate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 7a5662425b291..1aa0b05c8cbdf 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -935,7 +935,7 @@ static ssize_t store_no_turbo(struct kobject *a, struct kobj_attribute *b,
+
+ update_turbo_state();
+ if (global.turbo_disabled) {
+- pr_warn("Turbo disabled by BIOS or unavailable on processor\n");
++ pr_notice_once("Turbo disabled by BIOS or unavailable on processor\n");
+ mutex_unlock(&intel_pstate_limits_lock);
+ mutex_unlock(&intel_pstate_driver_lock);
+ return -EPERM;
+--
+2.20.1
+
--- /dev/null
+From d31f72d90ea41821715f29132991c66351a4408f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Apr 2020 18:49:09 +0200
+Subject: dmaengine: mmp_tdma: Reset channel error on release
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+[ Upstream commit 0c89446379218698189a47871336cb30286a7197 ]
+
+When a channel configuration fails, the status of the channel is set to
+DEV_ERROR so that an attempt to submit it fails. However, this status
+sticks until the heat end of the universe, making it impossible to
+recover from the error.
+
+Let's reset it when the channel is released so that further use of the
+channel with correct configuration is not impacted.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Link: https://lore.kernel.org/r/20200419164912.670973-5-lkundrak@v3.sk
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mmp_tdma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/dma/mmp_tdma.c b/drivers/dma/mmp_tdma.c
+index 13c68b6434ce2..15b4a44e60069 100644
+--- a/drivers/dma/mmp_tdma.c
++++ b/drivers/dma/mmp_tdma.c
+@@ -362,6 +362,8 @@ static void mmp_tdma_free_descriptor(struct mmp_tdma_chan *tdmac)
+ gen_pool_free(gpool, (unsigned long)tdmac->desc_arr,
+ size);
+ tdmac->desc_arr = NULL;
++ if (tdmac->status == DMA_ERROR)
++ tdmac->status = DMA_COMPLETE;
+
+ return;
+ }
+--
+2.20.1
+
--- /dev/null
+From a42b5d1ffc1b39190f93bcd0b9b64bd6230d5035 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 11:53:35 +0530
+Subject: dmaengine: pch_dma.c: Avoid data race between probe and irq handler
+
+From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+
+[ Upstream commit 2e45676a4d33af47259fa186ea039122ce263ba9 ]
+
+pd->dma.dev is read in irq handler pd_irq().
+However, it is set to pdev->dev after request_irq().
+Therefore, set pd->dma.dev to pdev->dev before request_irq() to
+avoid data race between pch_dma_probe() and pd_irq().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+Link: https://lore.kernel.org/r/20200416062335.29223-1-madhuparnabhowmik10@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pch_dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/pch_dma.c b/drivers/dma/pch_dma.c
+index f9028e9d0dfc2..d6af2d439b979 100644
+--- a/drivers/dma/pch_dma.c
++++ b/drivers/dma/pch_dma.c
+@@ -873,6 +873,7 @@ static int pch_dma_probe(struct pci_dev *pdev,
+ }
+
+ pci_set_master(pdev);
++ pd->dma.dev = &pdev->dev;
+
+ err = request_irq(pdev->irq, pd_irq, IRQF_SHARED, DRV_NAME, pd);
+ if (err) {
+@@ -888,7 +889,6 @@ static int pch_dma_probe(struct pci_dev *pdev,
+ goto err_free_irq;
+ }
+
+- pd->dma.dev = &pdev->dev;
+
+ INIT_LIST_HEAD(&pd->dma.channels);
+
+--
+2.20.1
+
--- /dev/null
+From 7091491864a82ddf12793a5ba1e232f6817edadb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 12:34:36 +0300
+Subject: drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+[ Upstream commit 5b5703dbafae74adfbe298a56a81694172caf5e6 ]
+
+v2: removed TODO reminder
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/a4e0ae09-a73c-1c62-04ef-3f990d41bea9@virtuozzo.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/qxl/qxl_image.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/qxl/qxl_image.c b/drivers/gpu/drm/qxl/qxl_image.c
+index 7fbcc35e8ad35..c89c10055641e 100644
+--- a/drivers/gpu/drm/qxl/qxl_image.c
++++ b/drivers/gpu/drm/qxl/qxl_image.c
+@@ -210,7 +210,8 @@ qxl_image_init_helper(struct qxl_device *qdev,
+ break;
+ default:
+ DRM_ERROR("unsupported image bit depth\n");
+- return -EINVAL; /* TODO: cleanup */
++ qxl_bo_kunmap_atomic_page(qdev, image_bo, ptr);
++ return -EINVAL;
+ }
+ image->u.bitmap.flags = QXL_BITMAP_TOP_DOWN;
+ image->u.bitmap.x = width;
+--
+2.20.1
+
--- /dev/null
+From 1226096af87404eec35f35026b835e9272c1b5b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2020 13:02:19 +0200
+Subject: hwmon: (da9052) Synchronize access with mfd
+
+From: Samu Nuutamo <samu.nuutamo@vincit.fi>
+
+[ Upstream commit 333e22db228f0bd0c839553015a6a8d3db4ba569 ]
+
+When tsi-as-adc is configured it is possible for in7[0123]_input read to
+return an incorrect value if a concurrent read to in[456]_input is
+performed. This is caused by a concurrent manipulation of the mux
+channel without proper locking as hwmon and mfd use different locks for
+synchronization.
+
+Switch hwmon to use the same lock as mfd when accessing the TSI channel.
+
+Fixes: 4f16cab19a3d5 ("hwmon: da9052: Add support for TSI channel")
+Signed-off-by: Samu Nuutamo <samu.nuutamo@vincit.fi>
+[rebase to current master, reword commit message slightly]
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/da9052-hwmon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/da9052-hwmon.c b/drivers/hwmon/da9052-hwmon.c
+index a973eb6a28908..9e44d2385e6f9 100644
+--- a/drivers/hwmon/da9052-hwmon.c
++++ b/drivers/hwmon/da9052-hwmon.c
+@@ -250,9 +250,9 @@ static ssize_t da9052_read_tsi(struct device *dev,
+ int channel = to_sensor_dev_attr(devattr)->index;
+ int ret;
+
+- mutex_lock(&hwmon->hwmon_lock);
++ mutex_lock(&hwmon->da9052->auxadc_lock);
+ ret = __da9052_read_tsi(dev, channel);
+- mutex_unlock(&hwmon->hwmon_lock);
++ mutex_unlock(&hwmon->da9052->auxadc_lock);
+
+ if (ret < 0)
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 553c966fff5e3fae8b7a20ef6f1641fcb245d84b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Apr 2020 12:22:11 +0300
+Subject: i40iw: Fix error handling in i40iw_manage_arp_cache()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 37e31d2d26a4124506c24e95434e9baf3405a23a ]
+
+The i40iw_arp_table() function can return -EOVERFLOW if
+i40iw_alloc_resource() fails so we can't just test for "== -1".
+
+Fixes: 4e9042e647ff ("i40iw: add hw and utils files")
+Link: https://lore.kernel.org/r/20200422092211.GA195357@mwanda
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/i40iw/i40iw_hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c
+index 476867a3f584f..4ded9411fb325 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c
+@@ -483,7 +483,7 @@ void i40iw_manage_arp_cache(struct i40iw_device *iwdev,
+ int arp_index;
+
+ arp_index = i40iw_arp_table(iwdev, ip_addr, ipv4, mac_addr, action);
+- if (arp_index == -1)
++ if (arp_index < 0)
+ return;
+ cqp_request = i40iw_get_cqp_request(&iwdev->cqp, false);
+ if (!cqp_request)
+--
+2.20.1
+
--- /dev/null
+From 0adb9b2e1dec5610ba5a8b27854d4f3038e17cd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2020 10:59:21 +0300
+Subject: IB/mlx4: Test return value of calls to ib_get_cached_pkey
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit 6693ca95bd4330a0ad7326967e1f9bcedd6b0800 ]
+
+In the mlx4_ib_post_send() flow, some functions call ib_get_cached_pkey()
+without checking its return value. If ib_get_cached_pkey() returns an
+error code, these functions should return failure.
+
+Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
+Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
+Fixes: e622f2f4ad21 ("IB: split struct ib_send_wr")
+Link: https://lore.kernel.org/r/20200426075921.130074-1-leon@kernel.org
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index e10c3d915e389..df1ecd29057f8 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -2917,6 +2917,7 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp,
+ int send_size;
+ int header_size;
+ int spc;
++ int err;
+ int i;
+
+ if (wr->wr.opcode != IB_WR_SEND)
+@@ -2951,7 +2952,9 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp,
+
+ sqp->ud_header.lrh.virtual_lane = 0;
+ sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED);
+- ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey);
++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey);
++ if (err)
++ return err;
+ sqp->ud_header.bth.pkey = cpu_to_be16(pkey);
+ if (sqp->qp.mlx4_ib_qp_type == MLX4_IB_QPT_TUN_SMI_OWNER)
+ sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn);
+@@ -3240,9 +3243,14 @@ static int build_mlx_header(struct mlx4_ib_sqp *sqp, struct ib_ud_wr *wr,
+ }
+ sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED);
+ if (!sqp->qp.ibqp.qp_num)
+- ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index, &pkey);
++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index,
++ &pkey);
+ else
+- ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index, &pkey);
++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index,
++ &pkey);
++ if (err)
++ return err;
++
+ sqp->ud_header.bth.pkey = cpu_to_be16(pkey);
+ sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn);
+ sqp->ud_header.bth.psn = cpu_to_be32((sqp->send_psn++) & ((1 << 24) - 1));
+--
+2.20.1
+
--- /dev/null
+From eaf1c2fcf1589ed457c28ba7205dea919d2515b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 May 2020 17:50:48 -0700
+Subject: ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+[ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ]
+
+Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase
+position index") is causing this bug (seen on 5.6.8):
+
+ # ipcs -q
+
+ ------ Message Queues --------
+ key msqid owner perms used-bytes messages
+
+ # ipcmk -Q
+ Message queue id: 0
+ # ipcs -q
+
+ ------ Message Queues --------
+ key msqid owner perms used-bytes messages
+ 0x82db8127 0 root 644 0 0
+
+ # ipcmk -Q
+ Message queue id: 1
+ # ipcs -q
+
+ ------ Message Queues --------
+ key msqid owner perms used-bytes messages
+ 0x82db8127 0 root 644 0 0
+ 0x76d1fb2a 1 root 644 0 0
+
+ # ipcrm -q 0
+ # ipcs -q
+
+ ------ Message Queues --------
+ key msqid owner perms used-bytes messages
+ 0x76d1fb2a 1 root 644 0 0
+ 0x76d1fb2a 1 root 644 0 0
+
+ # ipcmk -Q
+ Message queue id: 2
+ # ipcrm -q 2
+ # ipcs -q
+
+ ------ Message Queues --------
+ key msqid owner perms used-bytes messages
+ 0x76d1fb2a 1 root 644 0 0
+ 0x76d1fb2a 1 root 644 0 0
+
+ # ipcmk -Q
+ Message queue id: 3
+ # ipcrm -q 1
+ # ipcs -q
+
+ ------ Message Queues --------
+ key msqid owner perms used-bytes messages
+ 0x7c982867 3 root 644 0 0
+ 0x7c982867 3 root 644 0 0
+ 0x7c982867 3 root 644 0 0
+ 0x7c982867 3 root 644 0 0
+
+Whenever an IPC item with a low id is deleted, the items with higher ids
+are duplicated, as if filling a hole.
+
+new_pos should jump through hole of unused ids, pos can be updated
+inside "for" cycle.
+
+Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index")
+Reported-by: Andreas Schwab <schwab@suse.de>
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Waiman Long <longman@redhat.com>
+Cc: NeilBrown <neilb@suse.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Peter Oberparleiter <oberpar@linux.ibm.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ ipc/util.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/ipc/util.c b/ipc/util.c
+index 7989f5e532198..5a65b0cbae7db 100644
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -750,21 +750,21 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos,
+ total++;
+ }
+
+- *new_pos = pos + 1;
++ ipc = NULL;
+ if (total >= ids->in_use)
+- return NULL;
++ goto out;
+
+ for (; pos < IPCMNI; pos++) {
+ ipc = idr_find(&ids->ipcs_idr, pos);
+ if (ipc != NULL) {
+ rcu_read_lock();
+ ipc_lock_object(ipc);
+- return ipc;
++ break;
+ }
+ }
+-
+- /* Out of range - return NULL to terminate iteration */
+- return NULL;
++out:
++ *new_pos = pos + 1;
++ return ipc;
+ }
+
+ static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos)
+--
+2.20.1
+
--- /dev/null
+From c234412e3ae3af53b3d9a78bef3633eb9d4d09f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Aug 2018 10:00:34 -0500
+Subject: ipmi: Fix NULL pointer dereference in ssif_probe
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+[ Upstream commit a8627cda7cfffe1792c199660c2b4f03ba2bd97b ]
+
+There is a potential execution path in which function ssif_info_find()
+returns NULL, hence there is a NULL pointer dereference when accessing
+pointer *addr_info*
+
+Fix this by null checking *addr_info* before dereferencing it.
+
+Addresses-Coverity-ID: 1473145 ("Explicit null dereferenced")
+Fixes: e333054a91d1 ("ipmi: Fix I2C client removal in the SSIF driver")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
+index 0146bc3252c5a..cf87bfe971e6b 100644
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -1731,7 +1731,9 @@ static int ssif_probe(struct i2c_client *client, const struct i2c_device_id *id)
+
+ out:
+ if (rv) {
+- addr_info->client = NULL;
++ if (addr_info)
++ addr_info->client = NULL;
++
+ dev_err(&client->dev, "Unable to start IPMI SSIF: %d\n", rv);
+ kfree(ssif_info);
+ }
+--
+2.20.1
+
--- /dev/null
+From 4e892d6cf2b02e9c8fe5b98a32aa28ff11d0c2bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 23:30:48 +0200
+Subject: netfilter: conntrack: avoid gcc-10 zero-length-bounds warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 2c407aca64977ede9b9f35158e919773cae2082f ]
+
+gcc-10 warns around a suspicious access to an empty struct member:
+
+net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc':
+net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds]
+ 1522 | memset(&ct->__nfct_init_offset[0], 0,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from net/netfilter/nf_conntrack_core.c:37:
+include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset'
+ 90 | u8 __nfct_init_offset[0];
+ | ^~~~~~~~~~~~~~~~~~
+
+The code is correct but a bit unusual. Rework it slightly in a way that
+does not trigger the warning, using an empty struct instead of an empty
+array. There are probably more elegant ways to do this, but this is the
+smallest change.
+
+Fixes: c41884ce0562 ("netfilter: conntrack: avoid zeroing timer")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_conntrack.h | 2 +-
+ net/netfilter/nf_conntrack_core.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
+index 93bbae8f96414..b6dbc80b6ed15 100644
+--- a/include/net/netfilter/nf_conntrack.h
++++ b/include/net/netfilter/nf_conntrack.h
+@@ -80,7 +80,7 @@ struct nf_conn {
+ struct hlist_node nat_bysource;
+ #endif
+ /* all members below initialized via memset */
+- u8 __nfct_init_offset[0];
++ struct { } __nfct_init_offset;
+
+ /* If we were expected by an expectation, this will be it */
+ struct nf_conn *master;
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index a79f5a89cab14..8064d769c953c 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1208,9 +1208,9 @@ __nf_conntrack_alloc(struct net *net,
+ *(unsigned long *)(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode.pprev) = hash;
+ ct->status = 0;
+ write_pnet(&ct->ct_net, net);
+- memset(&ct->__nfct_init_offset[0], 0,
++ memset(&ct->__nfct_init_offset, 0,
+ offsetof(struct nf_conn, proto) -
+- offsetof(struct nf_conn, __nfct_init_offset[0]));
++ offsetof(struct nf_conn, __nfct_init_offset));
+
+ nf_ct_zone_add(ct, zone);
+
+--
+2.20.1
+
--- /dev/null
+From b5e1e7f6d0bbc1ceba9d1ece8cd2e64be5d322f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 19:32:54 +0200
+Subject: pinctrl: baytrail: Enable pin configuration setting for GPIO chip
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit ccd025eaddaeb99e982029446197c544252108e2 ]
+
+It appears that pin configuration for GPIO chip hasn't been enabled yet
+due to absence of ->set_config() callback.
+
+Enable it here for Intel Baytrail.
+
+Fixes: c501d0b149de ("pinctrl: baytrail: Add pin control operations")
+Depends-on: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-baytrail.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-baytrail.c b/drivers/pinctrl/intel/pinctrl-baytrail.c
+index 4fb3e44f91331..2ea4bb9ce6e16 100644
+--- a/drivers/pinctrl/intel/pinctrl-baytrail.c
++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c
+@@ -1503,6 +1503,7 @@ static const struct gpio_chip byt_gpio_chip = {
+ .direction_output = byt_gpio_direction_output,
+ .get = byt_gpio_get,
+ .set = byt_gpio_set,
++ .set_config = gpiochip_generic_config,
+ .dbg_show = byt_gpio_dbg_show,
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 99a4cba40e397fffc7e5ee511575b4d896763bc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Apr 2020 12:11:54 +0800
+Subject: pinctrl: cherryview: Add missing spinlock usage in
+ chv_gpio_irq_handler
+
+From: Grace Kao <grace.kao@intel.com>
+
+[ Upstream commit 69388e15f5078c961b9e5319e22baea4c57deff1 ]
+
+According to Braswell NDA Specification Update (#557593),
+concurrent read accesses may result in returning 0xffffffff and write
+instructions may be dropped. We have an established format for the
+commit references, i.e.
+cdca06e4e859 ("pinctrl: baytrail: Add missing spinlock usage in
+byt_gpio_irq_handler")
+
+Fixes: 0bd50d719b00 ("pinctrl: cherryview: prevent concurrent access to GPIO controllers")
+Signed-off-by: Grace Kao <grace.kao@intel.com>
+Reported-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
+index 0907531a02caa..d39718b4242d9 100644
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1514,11 +1514,15 @@ static void chv_gpio_irq_handler(struct irq_desc *desc)
+ struct chv_pinctrl *pctrl = gpiochip_get_data(gc);
+ struct irq_chip *chip = irq_desc_get_chip(desc);
+ unsigned long pending;
++ unsigned long flags;
+ u32 intr_line;
+
+ chained_irq_enter(chip, desc);
+
++ raw_spin_lock_irqsave(&chv_lock, flags);
+ pending = readl(pctrl->regs + CHV_INTSTAT);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
++
+ for_each_set_bit(intr_line, &pending, pctrl->community->nirqs) {
+ unsigned irq, offset;
+
+--
+2.20.1
+
drop_monitor-work-around-gcc-10-stringop-overflow-wa.patch
virtio-blk-handle-block_device_operations-callbacks-.patch
scsi-sg-add-sg_remove_request-in-sg_write.patch
+dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch
+dmaengine-mmp_tdma-reset-channel-error-on-release.patch
+cpufreq-intel_pstate-only-mention-the-bios-disabling.patch
+alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch
+drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch
+ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch
+alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch
+x86-entry-64-fix-unwind-hints-in-register-clearing-c.patch
+ipmi-fix-null-pointer-dereference-in-ssif_probe.patch
+pinctrl-baytrail-enable-pin-configuration-setting-fo.patch
+pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch
+i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch
+netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch
+ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch
+hwmon-da9052-synchronize-access-with-mfd.patch
--- /dev/null
+From d0a62c8026f5e5e55891764f18b0f64ec4c65d4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Apr 2020 05:03:01 -0500
+Subject: x86/entry/64: Fix unwind hints in register clearing code
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+[ Upstream commit 06a9750edcffa808494d56da939085c35904e618 ]
+
+The PUSH_AND_CLEAR_REGS macro zeroes each register immediately after
+pushing it. If an NMI or exception hits after a register is cleared,
+but before the UNWIND_HINT_REGS annotation, the ORC unwinder will
+wrongly think the previous value of the register was zero. This can
+confuse the unwinding process and cause it to exit early.
+
+Because ORC is simpler than DWARF, there are a limited number of unwind
+annotation states, so it's not possible to add an individual unwind hint
+after each push/clear combination. Instead, the register clearing
+instructions need to be consolidated and moved to after the
+UNWIND_HINT_REGS annotation.
+
+Fixes: 3f01daecd545 ("x86/entry/64: Introduce the PUSH_AND_CLEAN_REGS macro")
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Jones <dsj@fb.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: https://lore.kernel.org/r/68fd3d0bc92ae2d62ff7879d15d3684217d51f08.1587808742.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/calling.h | 38 +++++++++++++++++++++-----------------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
+index 557c1bdda311b..1dbc62a96b859 100644
+--- a/arch/x86/entry/calling.h
++++ b/arch/x86/entry/calling.h
+@@ -98,13 +98,6 @@ For 32-bit we have the following conventions - kernel is built with
+ #define SIZEOF_PTREGS 21*8
+
+ .macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax save_ret=0
+- /*
+- * Push registers and sanitize registers of values that a
+- * speculation attack might otherwise want to exploit. The
+- * lower registers are likely clobbered well before they
+- * could be put to use in a speculative execution gadget.
+- * Interleave XOR with PUSH for better uop scheduling:
+- */
+ .if \save_ret
+ pushq %rsi /* pt_regs->si */
+ movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */
+@@ -117,29 +110,40 @@ For 32-bit we have the following conventions - kernel is built with
+ pushq %rcx /* pt_regs->cx */
+ pushq \rax /* pt_regs->ax */
+ pushq %r8 /* pt_regs->r8 */
+- xorl %r8d, %r8d /* nospec r8 */
+ pushq %r9 /* pt_regs->r9 */
+- xorl %r9d, %r9d /* nospec r9 */
+ pushq %r10 /* pt_regs->r10 */
+- xorl %r10d, %r10d /* nospec r10 */
+ pushq %r11 /* pt_regs->r11 */
+- xorl %r11d, %r11d /* nospec r11*/
+ pushq %rbx /* pt_regs->rbx */
+- xorl %ebx, %ebx /* nospec rbx*/
+ pushq %rbp /* pt_regs->rbp */
+- xorl %ebp, %ebp /* nospec rbp*/
+ pushq %r12 /* pt_regs->r12 */
+- xorl %r12d, %r12d /* nospec r12*/
+ pushq %r13 /* pt_regs->r13 */
+- xorl %r13d, %r13d /* nospec r13*/
+ pushq %r14 /* pt_regs->r14 */
+- xorl %r14d, %r14d /* nospec r14*/
+ pushq %r15 /* pt_regs->r15 */
+- xorl %r15d, %r15d /* nospec r15*/
+ UNWIND_HINT_REGS
++
+ .if \save_ret
+ pushq %rsi /* return address on top of stack */
+ .endif
++
++ /*
++ * Sanitize registers of values that a speculation attack might
++ * otherwise want to exploit. The lower registers are likely clobbered
++ * well before they could be put to use in a speculative execution
++ * gadget.
++ */
++ xorl %edx, %edx /* nospec dx */
++ xorl %ecx, %ecx /* nospec cx */
++ xorl %r8d, %r8d /* nospec r8 */
++ xorl %r9d, %r9d /* nospec r9 */
++ xorl %r10d, %r10d /* nospec r10 */
++ xorl %r11d, %r11d /* nospec r11 */
++ xorl %ebx, %ebx /* nospec rbx */
++ xorl %ebp, %ebp /* nospec rbp */
++ xorl %r12d, %r12d /* nospec r12 */
++ xorl %r13d, %r13d /* nospec r13 */
++ xorl %r14d, %r14d /* nospec r14 */
++ xorl %r15d, %r15d /* nospec r15 */
++
+ .endm
+
+ .macro POP_REGS pop_rdi=1 skip_r11rcx=0
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
