--- /dev/null
+From 10e62b47973b0b0ceda076255bcb147b83e20517 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:56 +0800
+Subject: bus: hisi_lpc: Add .remove method to avoid driver unbind crash
+
+From: John Garry <john.garry@huawei.com>
+
+commit 10e62b47973b0b0ceda076255bcb147b83e20517 upstream.
+
+The original driver author seemed to be under the impression that a driver
+cannot be removed if it does not have a .remove method. Or maybe if it is
+a built-in platform driver.
+
+This is not true. This crash can be created:
+
+root@ubuntu:/sys/bus/platform/drivers/hisi-lpc# echo HISI0191\:00 > unbind
+root@ubuntu:/sys/bus/platform/drivers/hisi-lpc# ipmitool raw 6 1
+ Unable to handle kernel paging request at virtual address ffff000010035010
+ Mem abort info:
+ ESR = 0x96000047
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000047
+ CM = 0, WnR = 1
+ swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000000118b000
+ [ffff000010035010] pgd=0000041ffbfff003, pud=0000041ffbffe003, pmd=0000041ffbffd003, pte=0000000000000000
+ Internal error: Oops: 96000047 [#1] PREEMPT SMP
+ Modules linked in:
+ CPU: 17 PID: 1473 Comm: ipmitool Not tainted 5.2.0-rc5-00003-gf68c53b414a3-dirty #198
+ Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018
+ pstate: 20000085 (nzCv daIf -PAN -UAO)
+ pc : hisi_lpc_target_in+0x7c/0x120
+ lr : hisi_lpc_target_in+0x70/0x120
+ sp : ffff00001efe3930
+ x29: ffff00001efe3930 x28: ffff841f9f599200
+ x27: 0000000000000002 x26: 0000000000000000
+ x25: 0000000000000080 x24: 00000000000000e4
+ x23: 0000000000000000 x22: 0000000000000064
+ x21: ffff801fb667d280 x20: 0000000000000001
+ x19: ffff00001efe39ac x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000
+ x15: 0000000000000000 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000
+ x9 : 0000000000000000 x8 : ffff841febe60340
+ x7 : ffff801fb55c52e8 x6 : 0000000000000000
+ x5 : 0000000000ffc0e3 x4 : 0000000000000001
+ x3 : ffff801fb667d280 x2 : 0000000000000001
+ x1 : ffff000010035010 x0 : ffff000010035000
+ Call trace:
+ hisi_lpc_target_in+0x7c/0x120
+ hisi_lpc_comm_in+0x88/0x98
+ logic_inb+0x5c/0xb8
+ port_inb+0x18/0x20
+ bt_event+0x38/0x808
+ smi_event_handler+0x4c/0x5a0
+ check_start_timer_thread.part.4+0x40/0x58
+ sender+0x78/0x88
+ smi_send.isra.6+0x94/0x108
+ i_ipmi_request+0x2c4/0x8f8
+ ipmi_request_settime+0x124/0x160
+ handle_send_req+0x19c/0x208
+ ipmi_ioctl+0x2c0/0x990
+ do_vfs_ioctl+0xb8/0x8f8
+ ksys_ioctl+0x80/0xb8
+ __arm64_sys_ioctl+0x1c/0x28
+ el0_svc_common.constprop.0+0x64/0x160
+ el0_svc_handler+0x28/0x78
+ el0_svc+0x8/0xc
+ Code: 941d1511 aa0003f9 f94006a0 91004001 (b9000034)
+ ---[ end trace aa842b86af7069e4 ]---
+
+The problem here is that the host goes away but the associated logical PIO
+region remains registered, as do the children devices.
+
+Fix by adding a .remove method to tidy-up by removing the child devices
+and unregistering the logical PIO region.
+
+Cc: stable@vger.kernel.org
+Fixes: adf38bb0b595 ("HISI LPC: Support the LPC host on Hip06/Hip07 with DT bindings")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/hisi_lpc.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+--- a/drivers/bus/hisi_lpc.c
++++ b/drivers/bus/hisi_lpc.c
+@@ -456,6 +456,17 @@ struct hisi_lpc_acpi_cell {
+ size_t pdata_size;
+ };
+
++static void hisi_lpc_acpi_remove(struct device *hostdev)
++{
++ struct acpi_device *adev = ACPI_COMPANION(hostdev);
++ struct acpi_device *child;
++
++ device_for_each_child(hostdev, NULL, hisi_lpc_acpi_remove_subdev);
++
++ list_for_each_entry(child, &adev->children, node)
++ acpi_device_clear_enumerated(child);
++}
++
+ /*
+ * hisi_lpc_acpi_probe - probe children for ACPI FW
+ * @hostdev: LPC host device pointer
+@@ -555,8 +566,7 @@ static int hisi_lpc_acpi_probe(struct de
+ return 0;
+
+ fail:
+- device_for_each_child(hostdev, NULL,
+- hisi_lpc_acpi_remove_subdev);
++ hisi_lpc_acpi_remove(hostdev);
+ return ret;
+ }
+
+@@ -569,6 +579,10 @@ static int hisi_lpc_acpi_probe(struct de
+ {
+ return -ENODEV;
+ }
++
++static void hisi_lpc_acpi_remove(struct device *hostdev)
++{
++}
+ #endif // CONFIG_ACPI
+
+ /*
+@@ -626,6 +640,8 @@ static int hisi_lpc_probe(struct platfor
+ return ret;
+ }
+
++ dev_set_drvdata(dev, lpcdev);
++
+ io_end = lpcdev->io_host->io_start + lpcdev->io_host->size;
+ dev_info(dev, "registered range [%pa - %pa]\n",
+ &lpcdev->io_host->io_start, &io_end);
+@@ -633,6 +649,23 @@ static int hisi_lpc_probe(struct platfor
+ return ret;
+ }
+
++static int hisi_lpc_remove(struct platform_device *pdev)
++{
++ struct device *dev = &pdev->dev;
++ struct acpi_device *acpi_device = ACPI_COMPANION(dev);
++ struct hisi_lpc_dev *lpcdev = dev_get_drvdata(dev);
++ struct logic_pio_hwaddr *range = lpcdev->io_host;
++
++ if (acpi_device)
++ hisi_lpc_acpi_remove(dev);
++ else
++ of_platform_depopulate(dev);
++
++ logic_pio_unregister_range(range);
++
++ return 0;
++}
++
+ static const struct of_device_id hisi_lpc_of_match[] = {
+ { .compatible = "hisilicon,hip06-lpc", },
+ { .compatible = "hisilicon,hip07-lpc", },
+@@ -646,5 +679,6 @@ static struct platform_driver hisi_lpc_d
+ .acpi_match_table = ACPI_PTR(hisi_lpc_acpi_match),
+ },
+ .probe = hisi_lpc_probe,
++ .remove = hisi_lpc_remove,
+ };
+ builtin_platform_driver(hisi_lpc_driver);
--- /dev/null
+From 1b15a5632a809ab57d403fd972ca68785363b654 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:55 +0800
+Subject: bus: hisi_lpc: Unregister logical PIO range to avoid potential use-after-free
+
+From: John Garry <john.garry@huawei.com>
+
+commit 1b15a5632a809ab57d403fd972ca68785363b654 upstream.
+
+If, after registering a logical PIO range, the driver probe later fails,
+the logical PIO range memory will be released automatically.
+
+This causes an issue, in that the logical PIO range is not unregistered
+and the released range memory may be later referenced.
+
+Fix by unregistering the logical PIO range.
+
+And since we now unregister the logical PIO range for probe failure, avoid
+the special ordering of setting logical PIO range ops, which was the
+previous (poor) attempt at a safeguard against this.
+
+Cc: stable@vger.kernel.org
+Fixes: adf38bb0b595 ("HISI LPC: Support the LPC host on Hip06/Hip07 with DT bindings")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/hisi_lpc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/bus/hisi_lpc.c
++++ b/drivers/bus/hisi_lpc.c
+@@ -606,24 +606,25 @@ static int hisi_lpc_probe(struct platfor
+ range->fwnode = dev->fwnode;
+ range->flags = LOGIC_PIO_INDIRECT;
+ range->size = PIO_INDIRECT_SIZE;
++ range->hostdata = lpcdev;
++ range->ops = &hisi_lpc_ops;
++ lpcdev->io_host = range;
+
+ ret = logic_pio_register_range(range);
+ if (ret) {
+ dev_err(dev, "register IO range failed (%d)!\n", ret);
+ return ret;
+ }
+- lpcdev->io_host = range;
+
+ /* register the LPC host PIO resources */
+ if (acpi_device)
+ ret = hisi_lpc_acpi_probe(dev);
+ else
+ ret = of_platform_populate(dev->of_node, NULL, NULL, dev);
+- if (ret)
++ if (ret) {
++ logic_pio_unregister_range(range);
+ return ret;
+-
+- lpcdev->io_host->hostdata = lpcdev;
+- lpcdev->io_host->ops = &hisi_lpc_ops;
++ }
+
+ io_end = lpcdev->io_host->io_start + lpcdev->io_host->size;
+ dev_info(dev, "registered range [%pa - %pa]\n",
--- /dev/null
+From 5871cd93692c8071fb9358daccb715b5081316ac Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Mon, 19 Aug 2019 22:23:27 +0000
+Subject: crypto: ccp - Ignore unconfigured CCP device on suspend/resume
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit 5871cd93692c8071fb9358daccb715b5081316ac upstream.
+
+If a CCP is unconfigured (e.g. there are no available queues) then
+there will be no data structures allocated for the device. Thus, we
+must check for validity of a pointer before trying to access structure
+members.
+
+Fixes: 720419f01832f ("crypto: ccp - Introduce the AMD Secure Processor device")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-dev.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/crypto/ccp/ccp-dev.c
++++ b/drivers/crypto/ccp/ccp-dev.c
+@@ -540,6 +540,10 @@ int ccp_dev_suspend(struct sp_device *sp
+ unsigned long flags;
+ unsigned int i;
+
++ /* If there's no device there's nothing to do */
++ if (!ccp)
++ return 0;
++
+ spin_lock_irqsave(&ccp->cmd_lock, flags);
+
+ ccp->suspending = 1;
+@@ -564,6 +568,10 @@ int ccp_dev_resume(struct sp_device *sp)
+ unsigned long flags;
+ unsigned int i;
+
++ /* If there's no device there's nothing to do */
++ if (!ccp)
++ return 0;
++
+ spin_lock_irqsave(&ccp->cmd_lock, flags);
+
+ ccp->suspending = 0;
--- /dev/null
+From 317a3aaef94d73ba6be88aea11b41bb631b2d581 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 27 Aug 2019 17:33:32 +0800
+Subject: drm/amdgpu: Add APTX quirk for Dell Latitude 5495
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 317a3aaef94d73ba6be88aea11b41bb631b2d581 upstream.
+
+Needs ATPX rather than _PR3 to really turn off the dGPU. This can save
+~5W when dGPU is runtime-suspended.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+@@ -574,6 +574,7 @@ static const struct amdgpu_px_quirk amdg
+ { 0x1002, 0x6900, 0x1002, 0x0124, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1028, 0x0812, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1028, 0x0813, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0x1002, 0x699f, 0x1028, 0x0814, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1025, 0x125A, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x17AA, 0x3806, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0, 0, 0, 0, 0 },
--- /dev/null
+From 41940ff50f6c347f3541163702566cd526200d98 Mon Sep 17 00:00:00 2001
+From: Aaron Liu <aaron.liu@amd.com>
+Date: Tue, 27 Aug 2019 22:59:45 +0800
+Subject: drm/amdgpu: fix GFXOFF on Picasso and Raven2
+
+From: Aaron Liu <aaron.liu@amd.com>
+
+commit 41940ff50f6c347f3541163702566cd526200d98 upstream.
+
+For picasso(adev->pdev->device == 0x15d8)&raven2(adev->rev_id >= 0x8),
+firmware is sufficient to support gfxoff.
+In commit 98f58ada2d37e, for picasso&raven2,
+return directly and cause gfxoff disabled.
+
+Fixes: 98f58ada2d37 ("drm/amdgpu/gfx9: update pg_flags after determining if gfx off is possible")
+Reviewed-by: Huang Rui <ray.huang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Aaron Liu <aaron.liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -588,14 +588,14 @@ static void gfx_v9_0_check_if_need_gfxof
+ case CHIP_VEGA20:
+ break;
+ case CHIP_RAVEN:
+- if (adev->rev_id >= 0x8 || adev->pdev->device == 0x15d8)
+- break;
+- if ((adev->gfx.rlc_fw_version != 106 &&
+- adev->gfx.rlc_fw_version < 531) ||
+- (adev->gfx.rlc_fw_version == 53815) ||
+- (adev->gfx.rlc_feature_version < 1) ||
+- !adev->gfx.rlc.is_rlc_v2_1)
++ if (!(adev->rev_id >= 0x8 || adev->pdev->device == 0x15d8)
++ &&((adev->gfx.rlc_fw_version != 106 &&
++ adev->gfx.rlc_fw_version < 531) ||
++ (adev->gfx.rlc_fw_version == 53815) ||
++ (adev->gfx.rlc_feature_version < 1) ||
++ !adev->gfx.rlc.is_rlc_v2_1))
+ adev->pm.pp_feature &= ~PP_GFXOFF_MASK;
++
+ if (adev->pm.pp_feature & PP_GFXOFF_MASK)
+ adev->pg_flags |= AMD_PG_SUPPORT_GFX_PG |
+ AMD_PG_SUPPORT_CP |
--- /dev/null
+From 32f0a982650b123bdab36865617d3e03ebcacf3b Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Fri, 23 Aug 2019 16:52:51 -0400
+Subject: drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe()
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 32f0a982650b123bdab36865617d3e03ebcacf3b upstream.
+
+Currently, we don't call dma_set_max_seg_size() for i915 because we
+intentionally do not limit the segment length that the device supports.
+However, this results in a warning being emitted if we try to map
+anything larger than SZ_64K on a kernel with CONFIG_DMA_API_DEBUG_SG
+enabled:
+
+[ 7.751926] DMA-API: i915 0000:00:02.0: mapping sg segment longer
+than device claims to support [len=98304] [max=65536]
+[ 7.751934] WARNING: CPU: 5 PID: 474 at kernel/dma/debug.c:1220
+debug_dma_map_sg+0x20f/0x340
+
+This was originally brought up on
+https://bugs.freedesktop.org/show_bug.cgi?id=108517 , and the consensus
+there was it wasn't really useful to set a limit (and that dma-debug
+isn't really all that useful for i915 in the first place). Unfortunately
+though, CONFIG_DMA_API_DEBUG_SG is enabled in the debug configs for
+various distro kernels. Since a WARN_ON() will disable automatic problem
+reporting (and cause any CI with said option enabled to start
+complaining), we really should just fix the problem.
+
+Note that as me and Chris Wilson discussed, the other solution for this
+would be to make DMA-API not make such assumptions when a driver hasn't
+explicitly set a maximum segment size. But, taking a look at the commit
+which originally introduced this behavior, commit 78c47830a5cb
+("dma-debug: check scatterlist segments"), there is an explicit mention
+of this assumption and how it applies to devices with no segment size:
+
+ Conversely, devices which are less limited than the rather
+ conservative defaults, or indeed have no limitations at all
+ (e.g. GPUs with their own internal MMU), should be encouraged to
+ set appropriate dma_parms, as they may get more efficient DMA
+ mapping performance out of it.
+
+So unless there's any concerns (I'm open to discussion!), let's just
+follow suite and call dma_set_max_seg_size() with UINT_MAX as our limit
+to silence any warnings.
+
+Changes since v3:
+* Drop patch for enabling CONFIG_DMA_API_DEBUG_SG in CI. It looks like
+ just turning it on causes the kernel to spit out bogus WARN_ONs()
+ during some igt tests which would otherwise require teaching igt to
+ disable the various DMA-API debugging options causing this. This is
+ too much work to be worth it, since DMA-API debugging is useless for
+ us. So, we'll just settle with this single patch to squelch WARN_ONs()
+ during driver load for users that have CONFIG_DMA_API_DEBUG_SG turned
+ on for some reason.
+* Move dma_set_max_seg_size() call into i915_driver_hw_probe() - Chris
+ Wilson
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: <stable@vger.kernel.org> # v4.18+
+Link: https://patchwork.freedesktop.org/patch/msgid/20190823205251.14298-1-lyude@redhat.com
+(cherry picked from commit acd674af95d3f627062007429b9c195c6b32361d)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_drv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -1569,6 +1569,12 @@ static int i915_driver_init_hw(struct dr
+
+ pci_set_master(pdev);
+
++ /*
++ * We don't have a max segment size, so set it to the max so sg's
++ * debugging layer doesn't complain
++ */
++ dma_set_max_seg_size(&pdev->dev, UINT_MAX);
++
+ /* overlay on gen2 is broken and can't address above 1G */
+ if (IS_GEN(dev_priv, 2)) {
+ ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(30));
--- /dev/null
+From 0a3dfbb5cd9033752639ef33e319c2f2863c713a Mon Sep 17 00:00:00 2001
+From: Xiong Zhang <xiong.y.zhang@intel.com>
+Date: Tue, 20 Aug 2019 13:46:17 +0800
+Subject: drm/i915: Don't deballoon unused ggtt drm_mm_node in linux guest
+
+From: Xiong Zhang <xiong.y.zhang@intel.com>
+
+commit 0a3dfbb5cd9033752639ef33e319c2f2863c713a upstream.
+
+The following call trace may exist in linux guest dmesg when guest i915
+driver is unloaded.
+[ 90.776610] [drm:vgt_deballoon_space.isra.0 [i915]] deballoon space: range [0x0 - 0x0] 0 KiB.
+[ 90.776621] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
+[ 90.776691] IP: drm_mm_remove_node+0x4d/0x320 [drm]
+[ 90.776718] PGD 800000012c7d0067 P4D 800000012c7d0067 PUD 138e4c067 PMD 0
+[ 90.777091] task: ffff9adab60f2f00 task.stack: ffffaf39c0fe0000
+[ 90.777142] RIP: 0010:drm_mm_remove_node+0x4d/0x320 [drm]
+[ 90.777573] Call Trace:
+[ 90.777653] intel_vgt_deballoon+0x4c/0x60 [i915]
+[ 90.777729] i915_ggtt_cleanup_hw+0x121/0x190 [i915]
+[ 90.777792] i915_driver_unload+0x145/0x180 [i915]
+[ 90.777856] i915_pci_remove+0x15/0x20 [i915]
+[ 90.777890] pci_device_remove+0x3b/0xc0
+[ 90.777916] device_release_driver_internal+0x157/0x220
+[ 90.777945] driver_detach+0x39/0x70
+[ 90.777967] bus_remove_driver+0x51/0xd0
+[ 90.777990] pci_unregister_driver+0x23/0x90
+[ 90.778019] SyS_delete_module+0x1da/0x240
+[ 90.778045] entry_SYSCALL_64_fastpath+0x24/0x87
+[ 90.778072] RIP: 0033:0x7f34312af067
+[ 90.778092] RSP: 002b:00007ffdea3da0d8 EFLAGS: 00000206
+[ 90.778297] RIP: drm_mm_remove_node+0x4d/0x320 [drm] RSP: ffffaf39c0fe3dc0
+[ 90.778344] ---[ end trace f4b1bc8305fc59dd ]---
+
+Four drm_mm_node are used to reserve guest ggtt space, but some of them
+may be skipped and not initialised due to space constraints in
+intel_vgt_balloon(). If drm_mm_remove_node() is called with
+uninitialized drm_mm_node, the above call trace occurs.
+
+This patch check drm_mm_node's validity before calling
+drm_mm_remove_node().
+
+Fixes: ff8f797557c7("drm/i915: return the correct usable aperture size under gvt environment")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiong Zhang <xiong.y.zhang@intel.com>
+Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/1566279978-9659-1-git-send-email-xiong.y.zhang@intel.com
+(cherry picked from commit 4776f3529d6b1e47f02904ad1d264d25ea22b27b)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_vgpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_vgpu.c
++++ b/drivers/gpu/drm/i915/i915_vgpu.c
+@@ -101,6 +101,9 @@ static struct _balloon_info_ bl_info;
+ static void vgt_deballoon_space(struct i915_ggtt *ggtt,
+ struct drm_mm_node *node)
+ {
++ if (!drm_mm_node_allocated(node))
++ return;
++
+ DRM_DEBUG_DRIVER("deballoon space: range [0x%llx - 0x%llx] %llu KiB.\n",
+ node->start,
+ node->start + node->size,
--- /dev/null
+From 8919dfcb31161fae7d607bbef5247e5e82fd6457 Mon Sep 17 00:00:00 2001
+From: Eddie James <eajames@linux.ibm.com>
+Date: Tue, 27 Aug 2019 12:12:49 +0800
+Subject: fsi: scom: Don't abort operations for minor errors
+
+From: Eddie James <eajames@linux.ibm.com>
+
+commit 8919dfcb31161fae7d607bbef5247e5e82fd6457 upstream.
+
+The scom driver currently fails out of operations if certain system
+errors are flagged in the status register; system checkstop, special
+attention, or recoverable error. These errors won't impact the ability
+of the scom engine to perform operations, so the driver should continue
+under these conditions.
+Also, don't do a PIB reset for these conditions, since it won't help.
+
+Fixes: 6b293258cded ("fsi: scom: Major overhaul")
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Jeremy Kerr <jk@ozlabs.org>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Link: https://lore.kernel.org/r/20190827041249.13381-1-jk@ozlabs.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/fsi/fsi-scom.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/fsi/fsi-scom.c
++++ b/drivers/fsi/fsi-scom.c
+@@ -38,8 +38,7 @@
+ #define SCOM_STATUS_PIB_RESP_MASK 0x00007000
+ #define SCOM_STATUS_PIB_RESP_SHIFT 12
+
+-#define SCOM_STATUS_ANY_ERR (SCOM_STATUS_ERR_SUMMARY | \
+- SCOM_STATUS_PROTECTION | \
++#define SCOM_STATUS_ANY_ERR (SCOM_STATUS_PROTECTION | \
+ SCOM_STATUS_PARITY | \
+ SCOM_STATUS_PIB_ABORT | \
+ SCOM_STATUS_PIB_RESP_MASK)
+@@ -251,11 +250,6 @@ static int handle_fsi2pib_status(struct
+ /* Return -EBUSY on PIB abort to force a retry */
+ if (status & SCOM_STATUS_PIB_ABORT)
+ return -EBUSY;
+- if (status & SCOM_STATUS_ERR_SUMMARY) {
+- fsi_device_write(scom->fsi_dev, SCOM_FSI2PIB_RESET_REG, &dummy,
+- sizeof(uint32_t));
+- return -EIO;
+- }
+ return 0;
+ }
+
--- /dev/null
+From c7c06a1532f3fe106687ac82a13492c6a619ff1c Mon Sep 17 00:00:00 2001
+From: Andrew Cooks <andrew.cooks@opengear.com>
+Date: Fri, 2 Aug 2019 14:52:46 +0200
+Subject: i2c: piix4: Fix port selection for AMD Family 16h Model 30h
+
+From: Andrew Cooks <andrew.cooks@opengear.com>
+
+commit c7c06a1532f3fe106687ac82a13492c6a619ff1c upstream.
+
+Family 16h Model 30h SMBus controller needs the same port selection fix
+as described and fixed in commit 0fe16195f891 ("i2c: piix4: Fix SMBus port
+selection for AMD Family 17h chips")
+
+commit 6befa3fde65f ("i2c: piix4: Support alternative port selection
+register") also fixed the port selection for Hudson2, but unfortunately
+this is not the exact same device and the AMD naming and PCI Device IDs
+aren't particularly helpful here.
+
+The SMBus port selection register is common to the following Families
+and models, as documented in AMD's publicly available BIOS and Kernel
+Developer Guides:
+
+ 50742 - Family 15h Model 60h-6Fh (PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)
+ 55072 - Family 15h Model 70h-7Fh (PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)
+ 52740 - Family 16h Model 30h-3Fh (PCI_DEVICE_ID_AMD_HUDSON2_SMBUS)
+
+The Hudson2 PCI Device ID (PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) is shared
+between Bolton FCH and Family 16h Model 30h, but the location of the
+SmBus0Sel port selection bits are different:
+
+ 51192 - Bolton Register Reference Guide
+
+We distinguish between Bolton and Family 16h Model 30h using the PCI
+Revision ID:
+
+ Bolton is device 0x780b, revision 0x15
+ Family 16h Model 30h is device 0x780b, revision 0x1F
+ Family 15h Model 60h and 70h are both device 0x790b, revision 0x4A.
+
+The following additional public AMD BKDG documents were checked and do
+not share the same port selection register:
+
+ 42301 - Family 15h Model 00h-0Fh doesn't mention any
+ 42300 - Family 15h Model 10h-1Fh doesn't mention any
+ 49125 - Family 15h Model 30h-3Fh doesn't mention any
+
+ 48751 - Family 16h Model 00h-0Fh uses the previously supported
+ index register SB800_PIIX4_PORT_IDX_ALT at 0x2e
+
+Signed-off-by: Andrew Cooks <andrew.cooks@opengear.com>
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Cc: stable@vger.kernel.org [v4.6+]
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-piix4.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-piix4.c
++++ b/drivers/i2c/busses/i2c-piix4.c
+@@ -91,7 +91,7 @@
+ #define SB800_PIIX4_PORT_IDX_MASK 0x06
+ #define SB800_PIIX4_PORT_IDX_SHIFT 1
+
+-/* On kerncz, SmBus0Sel is at bit 20:19 of PMx00 DecodeEn */
++/* On kerncz and Hudson2, SmBus0Sel is at bit 20:19 of PMx00 DecodeEn */
+ #define SB800_PIIX4_PORT_IDX_KERNCZ 0x02
+ #define SB800_PIIX4_PORT_IDX_MASK_KERNCZ 0x18
+ #define SB800_PIIX4_PORT_IDX_SHIFT_KERNCZ 3
+@@ -358,18 +358,16 @@ static int piix4_setup_sb800(struct pci_
+ /* Find which register is used for port selection */
+ if (PIIX4_dev->vendor == PCI_VENDOR_ID_AMD ||
+ PIIX4_dev->vendor == PCI_VENDOR_ID_HYGON) {
+- switch (PIIX4_dev->device) {
+- case PCI_DEVICE_ID_AMD_KERNCZ_SMBUS:
++ if (PIIX4_dev->device == PCI_DEVICE_ID_AMD_KERNCZ_SMBUS ||
++ (PIIX4_dev->device == PCI_DEVICE_ID_AMD_HUDSON2_SMBUS &&
++ PIIX4_dev->revision >= 0x1F)) {
+ piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_KERNCZ;
+ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK_KERNCZ;
+ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT_KERNCZ;
+- break;
+- case PCI_DEVICE_ID_AMD_HUDSON2_SMBUS:
+- default:
++ } else {
+ piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_ALT;
+ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK;
+ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT;
+- break;
+ }
+ } else {
+ if (!request_muxed_region(SB800_PIIX4_SMB_IDX, 2,
--- /dev/null
+From 164eb56e3b64f3a816238d410c9efec7567a82ef Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Wed, 21 Aug 2019 10:49:54 +0300
+Subject: intel_th: pci: Add support for another Lewisburg PCH
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 164eb56e3b64f3a816238d410c9efec7567a82ef upstream.
+
+Add support for the Trace Hub in another Lewisburg PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20190821074955.3925-4-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -165,6 +165,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)0,
+ },
+ {
++ /* Lewisburg PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa226),
++ .driver_data = (kernel_ulong_t)0,
++ },
++ {
+ /* Gemini Lake */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
--- /dev/null
+From 9c78255fdde45c6b9a1ee30f652f7b34c727f5c7 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Wed, 21 Aug 2019 10:49:55 +0300
+Subject: intel_th: pci: Add Tiger Lake support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 9c78255fdde45c6b9a1ee30f652f7b34c727f5c7 upstream.
+
+This adds support for the Trace Hub in Tiger Lake PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20190821074955.3925-5-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -204,6 +204,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x45c5),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
++ {
++ /* Tiger Lake PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From b884e2de2afc68ce30f7093747378ef972dde253 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:54 +0800
+Subject: lib: logic_pio: Add logic_pio_unregister_range()
+
+From: John Garry <john.garry@huawei.com>
+
+commit b884e2de2afc68ce30f7093747378ef972dde253 upstream.
+
+Add a function to unregister a logical PIO range.
+
+Logical PIO space can still be leaked when unregistering certain
+LOGIC_PIO_CPU_MMIO regions, but this acceptable for now since there are no
+callers to unregister LOGIC_PIO_CPU_MMIO regions, and the logical PIO
+region allocation scheme would need significant work to improve this.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/logic_pio.h | 1 +
+ lib/logic_pio.c | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/include/linux/logic_pio.h
++++ b/include/linux/logic_pio.h
+@@ -117,6 +117,7 @@ struct logic_pio_hwaddr *find_io_range_b
+ unsigned long logic_pio_trans_hwaddr(struct fwnode_handle *fwnode,
+ resource_size_t hw_addr, resource_size_t size);
+ int logic_pio_register_range(struct logic_pio_hwaddr *newrange);
++void logic_pio_unregister_range(struct logic_pio_hwaddr *range);
+ resource_size_t logic_pio_to_hwaddr(unsigned long pio);
+ unsigned long logic_pio_trans_cpuaddr(resource_size_t hw_addr);
+
+--- a/lib/logic_pio.c
++++ b/lib/logic_pio.c
+@@ -99,6 +99,20 @@ end_register:
+ }
+
+ /**
++ * logic_pio_unregister_range - unregister a logical PIO range for a host
++ * @range: pointer to the IO range which has been already registered.
++ *
++ * Unregister a previously-registered IO range node.
++ */
++void logic_pio_unregister_range(struct logic_pio_hwaddr *range)
++{
++ mutex_lock(&io_range_mutex);
++ list_del_rcu(&range->list);
++ mutex_unlock(&io_range_mutex);
++ synchronize_rcu();
++}
++
++/**
+ * find_io_range_by_fwnode - find logical PIO range for given FW node
+ * @fwnode: FW node handle associated with logical PIO range
+ *
--- /dev/null
+From 0a27142bd1ee259e24a0be2b0133e5ca5df8da91 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:53 +0800
+Subject: lib: logic_pio: Avoid possible overlap for unregistering regions
+
+From: John Garry <john.garry@huawei.com>
+
+commit 0a27142bd1ee259e24a0be2b0133e5ca5df8da91 upstream.
+
+The code was originally written to not support unregistering logical PIO
+regions.
+
+To accommodate supporting unregistering logical PIO regions, subtly modify
+LOGIC_PIO_CPU_MMIO region registration code, such that the "end" of the
+registered regions is the "end" of the last region, and not the sum of
+the sizes of all the registered regions.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/logic_pio.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/lib/logic_pio.c
++++ b/lib/logic_pio.c
+@@ -35,7 +35,7 @@ int logic_pio_register_range(struct logi
+ struct logic_pio_hwaddr *range;
+ resource_size_t start;
+ resource_size_t end;
+- resource_size_t mmio_sz = 0;
++ resource_size_t mmio_end = 0;
+ resource_size_t iio_sz = MMIO_UPPER_LIMIT;
+ int ret = 0;
+
+@@ -56,7 +56,7 @@ int logic_pio_register_range(struct logi
+ /* for MMIO ranges we need to check for overlap */
+ if (start >= range->hw_start + range->size ||
+ end < range->hw_start) {
+- mmio_sz += range->size;
++ mmio_end = range->io_start + range->size;
+ } else {
+ ret = -EFAULT;
+ goto end_register;
+@@ -69,16 +69,16 @@ int logic_pio_register_range(struct logi
+
+ /* range not registered yet, check for available space */
+ if (new_range->flags == LOGIC_PIO_CPU_MMIO) {
+- if (mmio_sz + new_range->size - 1 > MMIO_UPPER_LIMIT) {
++ if (mmio_end + new_range->size - 1 > MMIO_UPPER_LIMIT) {
+ /* if it's too big check if 64K space can be reserved */
+- if (mmio_sz + SZ_64K - 1 > MMIO_UPPER_LIMIT) {
++ if (mmio_end + SZ_64K - 1 > MMIO_UPPER_LIMIT) {
+ ret = -E2BIG;
+ goto end_register;
+ }
+ new_range->size = SZ_64K;
+ pr_warn("Requested IO range too big, new size set to 64K\n");
+ }
+- new_range->io_start = mmio_sz;
++ new_range->io_start = mmio_end;
+ } else if (new_range->flags == LOGIC_PIO_INDIRECT) {
+ if (iio_sz + new_range->size - 1 > IO_SPACE_LIMIT) {
+ ret = -E2BIG;
--- /dev/null
+From 06709e81c668f5f56c65b806895b278517bd44e0 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:52 +0800
+Subject: lib: logic_pio: Fix RCU usage
+
+From: John Garry <john.garry@huawei.com>
+
+commit 06709e81c668f5f56c65b806895b278517bd44e0 upstream.
+
+The traversing of io_range_list with list_for_each_entry_rcu()
+is not properly protected by rcu_read_lock() and rcu_read_unlock(),
+so add them.
+
+These functions mark the critical section scope where the list is
+protected for the reader, it cannot be "reclaimed". Any updater - in
+this case, the logical PIO registration functions - cannot update the
+list until the reader exits this critical section.
+
+In addition, the list traversing used in logic_pio_register_range()
+does not need to use the rcu variant.
+
+This is because we are already using io_range_mutex to guarantee mutual
+exclusion from mutating the list.
+
+Cc: stable@vger.kernel.org
+Fixes: 031e3601869c ("lib: Add generic PIO mapping method")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/logic_pio.c | 49 +++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 35 insertions(+), 14 deletions(-)
+
+--- a/lib/logic_pio.c
++++ b/lib/logic_pio.c
+@@ -46,7 +46,7 @@ int logic_pio_register_range(struct logi
+ end = new_range->hw_start + new_range->size;
+
+ mutex_lock(&io_range_mutex);
+- list_for_each_entry_rcu(range, &io_range_list, list) {
++ list_for_each_entry(range, &io_range_list, list) {
+ if (range->fwnode == new_range->fwnode) {
+ /* range already there */
+ goto end_register;
+@@ -108,26 +108,38 @@ end_register:
+ */
+ struct logic_pio_hwaddr *find_io_range_by_fwnode(struct fwnode_handle *fwnode)
+ {
+- struct logic_pio_hwaddr *range;
++ struct logic_pio_hwaddr *range, *found_range = NULL;
+
++ rcu_read_lock();
+ list_for_each_entry_rcu(range, &io_range_list, list) {
+- if (range->fwnode == fwnode)
+- return range;
++ if (range->fwnode == fwnode) {
++ found_range = range;
++ break;
++ }
+ }
+- return NULL;
++ rcu_read_unlock();
++
++ return found_range;
+ }
+
+ /* Return a registered range given an input PIO token */
+ static struct logic_pio_hwaddr *find_io_range(unsigned long pio)
+ {
+- struct logic_pio_hwaddr *range;
++ struct logic_pio_hwaddr *range, *found_range = NULL;
+
++ rcu_read_lock();
+ list_for_each_entry_rcu(range, &io_range_list, list) {
+- if (in_range(pio, range->io_start, range->size))
+- return range;
++ if (in_range(pio, range->io_start, range->size)) {
++ found_range = range;
++ break;
++ }
+ }
+- pr_err("PIO entry token %lx invalid\n", pio);
+- return NULL;
++ rcu_read_unlock();
++
++ if (!found_range)
++ pr_err("PIO entry token 0x%lx invalid\n", pio);
++
++ return found_range;
+ }
+
+ /**
+@@ -180,14 +192,23 @@ unsigned long logic_pio_trans_cpuaddr(re
+ {
+ struct logic_pio_hwaddr *range;
+
++ rcu_read_lock();
+ list_for_each_entry_rcu(range, &io_range_list, list) {
+ if (range->flags != LOGIC_PIO_CPU_MMIO)
+ continue;
+- if (in_range(addr, range->hw_start, range->size))
+- return addr - range->hw_start + range->io_start;
++ if (in_range(addr, range->hw_start, range->size)) {
++ unsigned long cpuaddr;
++
++ cpuaddr = addr - range->hw_start + range->io_start;
++
++ rcu_read_unlock();
++ return cpuaddr;
++ }
+ }
+- pr_err("addr %llx not registered in io_range_list\n",
+- (unsigned long long) addr);
++ rcu_read_unlock();
++
++ pr_err("addr %pa not registered in io_range_list\n", &addr);
++
+ return ~0UL;
+ }
+
--- /dev/null
+From b9bc7b8b1e9e815b231c1ca0b566ee723f480987 Mon Sep 17 00:00:00 2001
+From: Raul E Rangel <rrangel@chromium.org>
+Date: Tue, 27 Aug 2019 11:36:19 -0600
+Subject: lkdtm/bugs: fix build error in lkdtm_EXHAUST_STACK
+
+From: Raul E Rangel <rrangel@chromium.org>
+
+commit b9bc7b8b1e9e815b231c1ca0b566ee723f480987 upstream.
+
+lkdtm/bugs.c:94:2: error: format '%d' expects argument of type 'int', but argument 2 has type 'long unsigned int' [-Werror=format=]
+ pr_info("Calling function with %d frame size to depth %d ...\n",
+ ^
+THREAD_SIZE is defined as a unsigned long, cast CONFIG_FRAME_WARN to
+unsigned long as well.
+
+Fixes: 24cccab42c419 ("lkdtm/bugs: Adjust recursion test to avoid elision")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Raul E Rangel <rrangel@chromium.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20190827173619.170065-1-rrangel@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/lkdtm/bugs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/lkdtm/bugs.c
++++ b/drivers/misc/lkdtm/bugs.c
+@@ -22,7 +22,7 @@ struct lkdtm_list {
+ * recurse past the end of THREAD_SIZE by default.
+ */
+ #if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
+-#define REC_STACK_SIZE (CONFIG_FRAME_WARN / 2)
++#define REC_STACK_SIZE (_AC(CONFIG_FRAME_WARN, UL) / 2)
+ #else
+ #define REC_STACK_SIZE (THREAD_SIZE / 8)
+ #endif
+@@ -91,7 +91,7 @@ void lkdtm_LOOP(void)
+
+ void lkdtm_EXHAUST_STACK(void)
+ {
+- pr_info("Calling function with %d frame size to depth %d ...\n",
++ pr_info("Calling function with %lu frame size to depth %d ...\n",
+ REC_STACK_SIZE, recur_count);
+ recursive_loop(recur_count);
+ pr_info("FAIL: survived without exhausting stack?!\n");
--- /dev/null
+From b4c46484dc3fa3721d68fdfae85c1d7b1f6b5472 Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 30 Aug 2019 16:04:39 -0700
+Subject: mm, memcg: partially revert "mm/memcontrol.c: keep local VM counters in sync with the hierarchical ones"
+
+From: Roman Gushchin <guro@fb.com>
+
+commit b4c46484dc3fa3721d68fdfae85c1d7b1f6b5472 upstream.
+
+Commit 766a4c19d880 ("mm/memcontrol.c: keep local VM counters in sync
+with the hierarchical ones") effectively decreased the precision of
+per-memcg vmstats_local and per-memcg-per-node lruvec percpu counters.
+
+That's good for displaying in memory.stat, but brings a serious
+regression into the reclaim process.
+
+One issue I've discovered and debugged is the following:
+lruvec_lru_size() can return 0 instead of the actual number of pages in
+the lru list, preventing the kernel to reclaim last remaining pages.
+Result is yet another dying memory cgroups flooding. The opposite is
+also happening: scanning an empty lru list is the waste of cpu time.
+
+Also, inactive_list_is_low() can return incorrect values, preventing the
+active lru from being scanned and freed. It can fail both because the
+size of active and inactive lists are inaccurate, and because the number
+of workingset refaults isn't precise. In other words, the result is
+pretty random.
+
+I'm not sure, if using the approximate number of slab pages in
+count_shadow_number() is acceptable, but issues described above are
+enough to partially revert the patch.
+
+Let's keep per-memcg vmstat_local batched (they are only used for
+displaying stats to the userspace), but keep lruvec stats precise. This
+change fixes the dead memcg flooding on my setup.
+
+Link: http://lkml.kernel.org/r/20190817004726.2530670-1-guro@fb.com
+Fixes: 766a4c19d880 ("mm/memcontrol.c: keep local VM counters in sync with the hierarchical ones")
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -748,15 +748,13 @@ void __mod_lruvec_state(struct lruvec *l
+ /* Update memcg */
+ __mod_memcg_state(memcg, idx, val);
+
++ /* Update lruvec */
++ __this_cpu_add(pn->lruvec_stat_local->count[idx], val);
++
+ x = val + __this_cpu_read(pn->lruvec_stat_cpu->count[idx]);
+ if (unlikely(abs(x) > MEMCG_CHARGE_BATCH)) {
+ struct mem_cgroup_per_node *pi;
+
+- /*
+- * Batch local counters to keep them in sync with
+- * the hierarchical ones.
+- */
+- __this_cpu_add(pn->lruvec_stat_local->count[idx], x);
+ for (pi = pn; pi; pi = parent_nodeinfo(pi, pgdat->node_id))
+ atomic_long_add(x, &pi->lruvec_stat[idx]);
+ x = 0;
--- /dev/null
+From 6c1c280805ded72eceb2afc1a0d431b256608554 Mon Sep 17 00:00:00 2001
+From: Shakeel Butt <shakeelb@google.com>
+Date: Fri, 30 Aug 2019 16:04:53 -0700
+Subject: mm: memcontrol: fix percpu vmstats and vmevents flush
+
+From: Shakeel Butt <shakeelb@google.com>
+
+commit 6c1c280805ded72eceb2afc1a0d431b256608554 upstream.
+
+Instead of using raw_cpu_read() use per_cpu() to read the actual data of
+the corresponding cpu otherwise we will be reading the data of the
+current cpu for the number of online CPUs.
+
+Link: http://lkml.kernel.org/r/20190829203110.129263-1-shakeelb@google.com
+Fixes: bb65f89b7d3d ("mm: memcontrol: flush percpu vmevents before releasing memcg")
+Fixes: c350a99ea2b1 ("mm: memcontrol: flush percpu vmstats before releasing memcg")
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -3159,7 +3159,7 @@ static void memcg_flush_percpu_vmstats(s
+
+ for_each_online_cpu(cpu)
+ for (i = 0; i < MEMCG_NR_STAT; i++)
+- stat[i] += raw_cpu_read(memcg->vmstats_percpu->stat[i]);
++ stat[i] += per_cpu(memcg->vmstats_percpu->stat[i], cpu);
+
+ for (mi = memcg; mi; mi = parent_mem_cgroup(mi))
+ for (i = 0; i < MEMCG_NR_STAT; i++)
+@@ -3174,8 +3174,8 @@ static void memcg_flush_percpu_vmstats(s
+
+ for_each_online_cpu(cpu)
+ for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++)
+- stat[i] += raw_cpu_read(
+- pn->lruvec_stat_cpu->count[i]);
++ stat[i] += per_cpu(
++ pn->lruvec_stat_cpu->count[i], cpu);
+
+ for (pi = pn; pi; pi = parent_nodeinfo(pi, node))
+ for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++)
+@@ -3194,8 +3194,8 @@ static void memcg_flush_percpu_vmevents(
+
+ for_each_online_cpu(cpu)
+ for (i = 0; i < NR_VM_EVENT_ITEMS; i++)
+- events[i] += raw_cpu_read(
+- memcg->vmstats_percpu->events[i]);
++ events[i] += per_cpu(memcg->vmstats_percpu->events[i],
++ cpu);
+
+ for (mi = memcg; mi; mi = parent_mem_cgroup(mi))
+ for (i = 0; i < NR_VM_EVENT_ITEMS; i++)
--- /dev/null
+From 72741084d903e65e121c27bd29494d941729d4a1 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Tue, 27 Aug 2019 10:10:43 +0200
+Subject: mmc: core: Fix init of SD cards reporting an invalid VDD range
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 72741084d903e65e121c27bd29494d941729d4a1 upstream.
+
+The OCR register defines the supported range of VDD voltages for SD cards.
+However, it has turned out that some SD cards reports an invalid voltage
+range, for example having bit7 set.
+
+When a host supports MMC_CAP2_FULL_PWR_CYCLE and some of the voltages from
+the invalid VDD range, this triggers the core to run a power cycle of the
+card to try to initialize it at the lowest common supported voltage.
+Obviously this fails, since the card can't support it.
+
+Let's fix this problem, by clearing invalid bits from the read OCR register
+for SD cards, before proceeding with the VDD voltage negotiation.
+
+Cc: stable@vger.kernel.org
+Reported-by: Philip Langdale <philipl@overt.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Philip Langdale <philipl@overt.org>
+Tested-by: Philip Langdale <philipl@overt.org>
+Tested-by: Manuel Presnitz <mail@mpy.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -1292,6 +1292,12 @@ int mmc_attach_sd(struct mmc_host *host)
+ goto err;
+ }
+
++ /*
++ * Some SD cards claims an out of spec VDD voltage range. Let's treat
++ * these bits as being in-valid and especially also bit7.
++ */
++ ocr &= ~0x7FFF;
++
+ rocr = mmc_select_voltage(host, ocr);
+
+ /*
--- /dev/null
+From e73a3896eaca95ea5fc895720502a3f040eb4b39 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 29 Aug 2019 19:49:26 +0900
+Subject: mmc: sdhci-cadence: enable v4_mode to fix ADMA 64-bit addressing
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+commit e73a3896eaca95ea5fc895720502a3f040eb4b39 upstream.
+
+The IP datasheet says this controller is compatible with SD Host
+Specification Version v4.00.
+
+As it turned out, the ADMA of this IP does not work with 64-bit mode
+when it is in the Version 3.00 compatible mode; it understands the
+old 64-bit descriptor table (as defined in SDHCI v2), but the ADMA
+System Address Register (SDHCI_ADMA_ADDRESS) cannot point to the
+64-bit address.
+
+I noticed this issue only after commit bd2e75633c80 ("dma-contiguous:
+use fallback alloc_pages for single pages"). Prior to that commit,
+dma_set_mask_and_coherent() returned the dma address that fits in
+32-bit range, at least for the default arm64 configuration
+(arch/arm64/configs/defconfig). Now the host->adma_addr exceeds the
+32-bit limit, causing the real problem for the Socionext SoCs.
+(As a side-note, I was also able to reproduce the issue for older
+kernels by turning off CONFIG_DMA_CMA.)
+
+Call sdhci_enable_v4_mode() to fix this.
+
+Cc: <stable@vger.kernel.org> # v4.20+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-cadence.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci-cadence.c
++++ b/drivers/mmc/host/sdhci-cadence.c
+@@ -369,6 +369,7 @@ static int sdhci_cdns_probe(struct platf
+ host->mmc_host_ops.execute_tuning = sdhci_cdns_execute_tuning;
+ host->mmc_host_ops.hs400_enhanced_strobe =
+ sdhci_cdns_hs400_enhanced_strobe;
++ sdhci_enable_v4_mode(host);
+
+ sdhci_get_of_property(pdev);
+
--- /dev/null
+From 7871aa60ae0086fe4626abdf5ed13eeddf306c61 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Thu, 8 Aug 2019 08:35:40 +0000
+Subject: mmc: sdhci-of-at91: add quirk for broken HS200
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+commit 7871aa60ae0086fe4626abdf5ed13eeddf306c61 upstream.
+
+HS200 is not implemented in the driver, but the controller claims it
+through caps. Remove it via a quirk, to make sure the mmc core do not try
+to enable HS200, as it causes the eMMC initialization to fail.
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-of-at91.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-of-at91.c
++++ b/drivers/mmc/host/sdhci-of-at91.c
+@@ -357,6 +357,9 @@ static int sdhci_at91_probe(struct platf
+ pm_runtime_set_autosuspend_delay(&pdev->dev, 50);
+ pm_runtime_use_autosuspend(&pdev->dev);
+
++ /* HS200 is broken at this moment */
++ host->quirks2 = SDHCI_QUIRK2_BROKEN_HS200;
++
+ ret = sdhci_add_host(host);
+ if (ret)
+ goto pm_runtime_disable;
--- /dev/null
+From 6a526f66ab1494b63c71cd6639d9d96fd7216add Mon Sep 17 00:00:00 2001
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Date: Wed, 28 Aug 2019 10:17:34 +0800
+Subject: mmc: sdhci-sprd: add SDHCI_QUIRK2_PRESET_VALUE_BROKEN
+
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+
+commit 6a526f66ab1494b63c71cd6639d9d96fd7216add upstream.
+
+The bit of PRESET_VAL_ENABLE in HOST_CONTROL2 register is reserved on
+sprd's sd host controller, set quirk2 to disable configuring this.
+
+Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller")
+Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Signed-off-by: Chunyan Zhang <zhang.lyra@gmail.com>
+Reviewed-by: Baolin Wang <baolin.wang@linaro.org>
+Tested-by: Baolin Wang <baolin.wang@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-sprd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-sprd.c
++++ b/drivers/mmc/host/sdhci-sprd.c
+@@ -321,7 +321,8 @@ static void sdhci_sprd_request(struct mm
+ static const struct sdhci_pltfm_data sdhci_sprd_pdata = {
+ .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK,
+ .quirks2 = SDHCI_QUIRK2_BROKEN_HS200 |
+- SDHCI_QUIRK2_USE_32BIT_BLK_CNT,
++ SDHCI_QUIRK2_USE_32BIT_BLK_CNT |
++ SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
+ .ops = &sdhci_sprd_ops,
+ };
+
--- /dev/null
+From efdaf27517a892238e0dfa046cd91184b039d681 Mon Sep 17 00:00:00 2001
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Date: Wed, 28 Aug 2019 10:17:32 +0800
+Subject: mmc: sdhci-sprd: fixed incorrect clock divider
+
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+
+commit efdaf27517a892238e0dfa046cd91184b039d681 upstream.
+
+The register SDHCI_CLOCK_CONTROL should be cleared before config clock
+divider, otherwise the frequency configured maybe lower than we
+expected.
+
+Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller")
+Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Signed-off-by: Chunyan Zhang <zhang.lyra@gmail.com>
+Reviewed-by: Baolin Wang <baolin.wang@linaro.org>
+Tested-by: Baolin Wang <baolin.wang@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-sprd.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-sprd.c
++++ b/drivers/mmc/host/sdhci-sprd.c
+@@ -174,10 +174,11 @@ static inline void _sdhci_sprd_set_clock
+ struct sdhci_sprd_host *sprd_host = TO_SPRD_HOST(host);
+ u32 div, val, mask;
+
+- div = sdhci_sprd_calc_div(sprd_host->base_rate, clk);
++ sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
+
+- clk |= ((div & 0x300) >> 2) | ((div & 0xFF) << 8);
+- sdhci_enable_clk(host, clk);
++ div = sdhci_sprd_calc_div(sprd_host->base_rate, clk);
++ div = ((div & 0x300) >> 2) | ((div & 0xFF) << 8);
++ sdhci_enable_clk(host, div);
+
+ /* enable auto gate sdhc_enable_auto_gate */
+ val = sdhci_readl(host, SDHCI_SPRD_REG_32_BUSY_POSI);
--- /dev/null
+From 4324e54bbea0107b054336f20075a26939b2bd51 Mon Sep 17 00:00:00 2001
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Date: Wed, 28 Aug 2019 10:17:35 +0800
+Subject: mms: sdhci-sprd: add SDHCI_QUIRK_BROKEN_CARD_DETECTION
+
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+
+commit 4324e54bbea0107b054336f20075a26939b2bd51 upstream.
+
+sprd's sd host controller doesn't support detection to
+card insert or remove.
+
+Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller")
+Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Signed-off-by: Chunyan Zhang <zhang.lyra@gmail.com>
+Reviewed-by: Baolin Wang <baolin.wang@linaro.org>
+Tested-by: Baolin Wang <baolin.wang@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-sprd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-sprd.c
++++ b/drivers/mmc/host/sdhci-sprd.c
+@@ -319,7 +319,8 @@ static void sdhci_sprd_request(struct mm
+ }
+
+ static const struct sdhci_pltfm_data sdhci_sprd_pdata = {
+- .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK,
++ .quirks = SDHCI_QUIRK_BROKEN_CARD_DETECTION |
++ SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK,
+ .quirks2 = SDHCI_QUIRK2_BROKEN_HS200 |
+ SDHCI_QUIRK2_USE_32BIT_BLK_CNT |
+ SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
--- /dev/null
+From 8f2d163cb26da87e7d8e1677368b8ba1ba4d30b3 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 18 Jul 2019 12:38:10 +0200
+Subject: mt76: mt76x0u: do not reset radio on resume
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 8f2d163cb26da87e7d8e1677368b8ba1ba4d30b3 upstream.
+
+On some machines mt76x0u firmware can hung during resume,
+what result on messages like below:
+
+[ 475.480062] mt76x0 1-8:1.0: Error: MCU response pre-completed!
+[ 475.990066] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110
+[ 475.990075] mt76x0 1-8:1.0: Error: MCU response pre-completed!
+[ 476.500003] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110
+[ 476.500012] mt76x0 1-8:1.0: Error: MCU response pre-completed!
+[ 477.010046] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110
+[ 477.010055] mt76x0 1-8:1.0: Error: MCU response pre-completed!
+[ 477.529997] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110
+[ 477.530006] mt76x0 1-8:1.0: Error: MCU response pre-completed!
+[ 477.824907] mt76x0 1-8:1.0: Error: send MCU cmd failed:-71
+[ 477.824916] mt76x0 1-8:1.0: Error: MCU response pre-completed!
+[ 477.825029] usb 1-8: USB disconnect, device number 6
+
+and possible whole system freeze.
+
+This can be avoided, if we do not perform mt76x0_chip_onoff() reset.
+
+Cc: stable@vger.kernel.org
+Fixes: 134b2d0d1fcf ("mt76x0: init files")
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt76/mt76x0/usb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76x0/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x0/usb.c
+@@ -136,11 +136,11 @@ static const struct ieee80211_ops mt76x0
+ .release_buffered_frames = mt76_release_buffered_frames,
+ };
+
+-static int mt76x0u_init_hardware(struct mt76x02_dev *dev)
++static int mt76x0u_init_hardware(struct mt76x02_dev *dev, bool reset)
+ {
+ int err;
+
+- mt76x0_chip_onoff(dev, true, true);
++ mt76x0_chip_onoff(dev, true, reset);
+
+ if (!mt76x02_wait_for_mac(&dev->mt76))
+ return -ETIMEDOUT;
+@@ -173,7 +173,7 @@ static int mt76x0u_register_device(struc
+ if (err < 0)
+ goto out_err;
+
+- err = mt76x0u_init_hardware(dev);
++ err = mt76x0u_init_hardware(dev, true);
+ if (err < 0)
+ goto out_err;
+
+@@ -309,7 +309,7 @@ static int __maybe_unused mt76x0_resume(
+ if (ret < 0)
+ goto err;
+
+- ret = mt76x0u_init_hardware(dev);
++ ret = mt76x0u_init_hardware(dev, false);
+ if (ret)
+ goto err;
+
--- /dev/null
+From eb2c50da9e256dbbb3ff27694440e4c1900cfef8 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 12 Aug 2019 18:04:36 -0400
+Subject: NFS: Ensure O_DIRECT reports an error if the bytes read/written is 0
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit eb2c50da9e256dbbb3ff27694440e4c1900cfef8 upstream.
+
+If the attempt to resend the I/O results in no bytes being read/written,
+we must ensure that we report the error.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Fixes: 0a00b77b331a ("nfs: mirroring support for direct io")
+Cc: stable@vger.kernel.org # v3.20+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/direct.c | 27 ++++++++++++++++++---------
+ fs/nfs/pagelist.c | 1 +
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -401,15 +401,21 @@ static void nfs_direct_read_completion(s
+ unsigned long bytes = 0;
+ struct nfs_direct_req *dreq = hdr->dreq;
+
+- if (test_bit(NFS_IOHDR_REDO, &hdr->flags))
+- goto out_put;
+-
+ spin_lock(&dreq->lock);
+- if (test_bit(NFS_IOHDR_ERROR, &hdr->flags) && (hdr->good_bytes == 0))
++ if (test_bit(NFS_IOHDR_ERROR, &hdr->flags))
+ dreq->error = hdr->error;
+- else
++
++ if (test_bit(NFS_IOHDR_REDO, &hdr->flags)) {
++ spin_unlock(&dreq->lock);
++ goto out_put;
++ }
++
++ if (hdr->good_bytes != 0)
+ nfs_direct_good_bytes(dreq, hdr);
+
++ if (test_bit(NFS_IOHDR_EOF, &hdr->flags))
++ dreq->error = 0;
++
+ spin_unlock(&dreq->lock);
+
+ while (!list_empty(&hdr->pages)) {
+@@ -782,16 +788,19 @@ static void nfs_direct_write_completion(
+ bool request_commit = false;
+ struct nfs_page *req = nfs_list_entry(hdr->pages.next);
+
+- if (test_bit(NFS_IOHDR_REDO, &hdr->flags))
+- goto out_put;
+-
+ nfs_init_cinfo_from_dreq(&cinfo, dreq);
+
+ spin_lock(&dreq->lock);
+
+ if (test_bit(NFS_IOHDR_ERROR, &hdr->flags))
+ dreq->error = hdr->error;
+- if (dreq->error == 0) {
++
++ if (test_bit(NFS_IOHDR_REDO, &hdr->flags)) {
++ spin_unlock(&dreq->lock);
++ goto out_put;
++ }
++
++ if (hdr->good_bytes != 0) {
+ nfs_direct_good_bytes(dreq, hdr);
+ if (nfs_write_need_commit(hdr)) {
+ if (dreq->flags == NFS_ODIRECT_RESCHED_WRITES)
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1268,6 +1268,7 @@ int nfs_pageio_resend(struct nfs_pageio_
+ if (!list_empty(&pages)) {
+ int err = desc->pg_error < 0 ? desc->pg_error : -EIO;
+ hdr->completion_ops->error_cleanup(&pages, err);
++ nfs_set_pgio_error(hdr, err, hdr->io_start);
+ return err;
+ }
+ return 0;
--- /dev/null
+From f4340e9314dbfadc48758945f85fc3b16612d06f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 12 Aug 2019 15:19:54 -0400
+Subject: NFSv4/pnfs: Fix a page lock leak in nfs_pageio_resend()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit f4340e9314dbfadc48758945f85fc3b16612d06f upstream.
+
+If the attempt to resend the pages fails, we need to ensure that we
+clean up those pages that were not transmitted.
+
+Fixes: d600ad1f2bdb ("NFS41: pop some layoutget errors to application")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pagelist.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1253,20 +1253,22 @@ static void nfs_pageio_complete_mirror(s
+ int nfs_pageio_resend(struct nfs_pageio_descriptor *desc,
+ struct nfs_pgio_header *hdr)
+ {
+- LIST_HEAD(failed);
++ LIST_HEAD(pages);
+
+ desc->pg_io_completion = hdr->io_completion;
+ desc->pg_dreq = hdr->dreq;
+- while (!list_empty(&hdr->pages)) {
+- struct nfs_page *req = nfs_list_entry(hdr->pages.next);
++ list_splice_init(&hdr->pages, &pages);
++ while (!list_empty(&pages)) {
++ struct nfs_page *req = nfs_list_entry(pages.next);
+
+ if (!nfs_pageio_add_request(desc, req))
+- nfs_list_move_request(req, &failed);
++ break;
+ }
+ nfs_pageio_complete(desc);
+- if (!list_empty(&failed)) {
+- list_move(&failed, &hdr->pages);
+- return desc->pg_error < 0 ? desc->pg_error : -EIO;
++ if (!list_empty(&pages)) {
++ int err = desc->pg_error < 0 ? desc->pg_error : -EIO;
++ hdr->completion_ops->error_cleanup(&pages, err);
++ return err;
+ }
+ return 0;
+ }
--- /dev/null
+From d5711920ec6e578f51db95caa6f185f5090b865e Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Fri, 16 Aug 2019 08:37:26 -0400
+Subject: Revert "NFSv4/flexfiles: Abort I/O early if the layout segment was invalidated"
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit d5711920ec6e578f51db95caa6f185f5090b865e upstream.
+
+This reverts commit a79f194aa4879e9baad118c3f8bb2ca24dbef765.
+The mechanism for aborting I/O is racy, since we are not guaranteed that
+the request is asleep while we're changing both task->tk_status and
+task->tk_action.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v5.1
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 17 -----------------
+ include/linux/sunrpc/sched.h | 1 -
+ net/sunrpc/xprt.c | 7 -------
+ 3 files changed, 25 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1128,8 +1128,6 @@ static int ff_layout_async_handle_error_
+ break;
+ case -NFS4ERR_RETRY_UNCACHED_REP:
+ break;
+- case -EAGAIN:
+- return -NFS4ERR_RESET_TO_PNFS;
+ /* Invalidate Layout errors */
+ case -NFS4ERR_PNFS_NO_LAYOUT:
+ case -ESTALE: /* mapped NFS4ERR_STALE */
+@@ -1190,7 +1188,6 @@ static int ff_layout_async_handle_error_
+ case -EBADHANDLE:
+ case -ELOOP:
+ case -ENOSPC:
+- case -EAGAIN:
+ break;
+ case -EJUKEBOX:
+ nfs_inc_stats(lseg->pls_layout->plh_inode, NFSIOS_DELAY);
+@@ -1425,16 +1422,6 @@ static void ff_layout_read_prepare_v4(st
+ ff_layout_read_prepare_common(task, hdr);
+ }
+
+-static void
+-ff_layout_io_prepare_transmit(struct rpc_task *task,
+- void *data)
+-{
+- struct nfs_pgio_header *hdr = data;
+-
+- if (!pnfs_is_valid_lseg(hdr->lseg))
+- rpc_exit(task, -EAGAIN);
+-}
+-
+ static void ff_layout_read_call_done(struct rpc_task *task, void *data)
+ {
+ struct nfs_pgio_header *hdr = data;
+@@ -1720,7 +1707,6 @@ static void ff_layout_commit_release(voi
+
+ static const struct rpc_call_ops ff_layout_read_call_ops_v3 = {
+ .rpc_call_prepare = ff_layout_read_prepare_v3,
+- .rpc_call_prepare_transmit = ff_layout_io_prepare_transmit,
+ .rpc_call_done = ff_layout_read_call_done,
+ .rpc_count_stats = ff_layout_read_count_stats,
+ .rpc_release = ff_layout_read_release,
+@@ -1728,7 +1714,6 @@ static const struct rpc_call_ops ff_layo
+
+ static const struct rpc_call_ops ff_layout_read_call_ops_v4 = {
+ .rpc_call_prepare = ff_layout_read_prepare_v4,
+- .rpc_call_prepare_transmit = ff_layout_io_prepare_transmit,
+ .rpc_call_done = ff_layout_read_call_done,
+ .rpc_count_stats = ff_layout_read_count_stats,
+ .rpc_release = ff_layout_read_release,
+@@ -1736,7 +1721,6 @@ static const struct rpc_call_ops ff_layo
+
+ static const struct rpc_call_ops ff_layout_write_call_ops_v3 = {
+ .rpc_call_prepare = ff_layout_write_prepare_v3,
+- .rpc_call_prepare_transmit = ff_layout_io_prepare_transmit,
+ .rpc_call_done = ff_layout_write_call_done,
+ .rpc_count_stats = ff_layout_write_count_stats,
+ .rpc_release = ff_layout_write_release,
+@@ -1744,7 +1728,6 @@ static const struct rpc_call_ops ff_layo
+
+ static const struct rpc_call_ops ff_layout_write_call_ops_v4 = {
+ .rpc_call_prepare = ff_layout_write_prepare_v4,
+- .rpc_call_prepare_transmit = ff_layout_io_prepare_transmit,
+ .rpc_call_done = ff_layout_write_call_done,
+ .rpc_count_stats = ff_layout_write_count_stats,
+ .rpc_release = ff_layout_write_release,
+--- a/include/linux/sunrpc/sched.h
++++ b/include/linux/sunrpc/sched.h
+@@ -98,7 +98,6 @@ typedef void (*rpc_action)(struct rpc_
+
+ struct rpc_call_ops {
+ void (*rpc_call_prepare)(struct rpc_task *, void *);
+- void (*rpc_call_prepare_transmit)(struct rpc_task *, void *);
+ void (*rpc_call_done)(struct rpc_task *, void *);
+ void (*rpc_count_stats)(struct rpc_task *, void *);
+ void (*rpc_release)(void *);
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -1380,13 +1380,6 @@ xprt_request_transmit(struct rpc_rqst *r
+ status = -EBADMSG;
+ goto out_dequeue;
+ }
+- if (task->tk_ops->rpc_call_prepare_transmit) {
+- task->tk_ops->rpc_call_prepare_transmit(task,
+- task->tk_calldata);
+- status = task->tk_status;
+- if (status < 0)
+- goto out_dequeue;
+- }
+ if (RPC_SIGNALLED(task)) {
+ status = -ERESTARTSYS;
+ goto out_dequeue;
kvm-arm-arm64-vgic-v2-handle-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch
mei-me-add-tiger-lake-point-lp-device-id.patch
revert-mmc-sdhci-tegra-drop-get_ro-implementation.patch
+mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch
+mmc-sdhci-cadence-enable-v4_mode-to-fix-adma-64-bit-addressing.patch
+mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch
+mmc-sdhci-sprd-fixed-incorrect-clock-divider.patch
+mmc-sdhci-sprd-add-sdhci_quirk2_preset_value_broken.patch
+stm-class-fix-a-double-free-of-stm_source_device.patch
+intel_th-pci-add-support-for-another-lewisburg-pch.patch
+intel_th-pci-add-tiger-lake-support.patch
+typec-tcpm-fix-a-typo-in-the-comparison-of-pdo_max_voltage.patch
+fsi-scom-don-t-abort-operations-for-minor-errors.patch
+lkdtm-bugs-fix-build-error-in-lkdtm_exhaust_stack.patch
+nfsv4-pnfs-fix-a-page-lock-leak-in-nfs_pageio_resend.patch
+nfs-ensure-o_direct-reports-an-error-if-the-bytes-read-written-is-0.patch
+revert-nfsv4-flexfiles-abort-i-o-early-if-the-layout-segment-was-invalidated.patch
+lib-logic_pio-fix-rcu-usage.patch
+lib-logic_pio-avoid-possible-overlap-for-unregistering-regions.patch
+lib-logic_pio-add-logic_pio_unregister_range.patch
+drm-amdgpu-add-aptx-quirk-for-dell-latitude-5495.patch
+drm-amdgpu-fix-gfxoff-on-picasso-and-raven2.patch
+drm-i915-don-t-deballoon-unused-ggtt-drm_mm_node-in-linux-guest.patch
+drm-i915-call-dma_set_max_seg_size-in-i915_driver_hw_probe.patch
+i2c-piix4-fix-port-selection-for-amd-family-16h-model-30h.patch
+bus-hisi_lpc-unregister-logical-pio-range-to-avoid-potential-use-after-free.patch
+bus-hisi_lpc-add-.remove-method-to-avoid-driver-unbind-crash.patch
+vmci-release-resource-if-the-work-is-already-queued.patch
+crypto-ccp-ignore-unconfigured-ccp-device-on-suspend-resume.patch
+sunrpc-don-t-handle-errors-if-the-bind-connect-succeeded.patch
+mt76-mt76x0u-do-not-reset-radio-on-resume.patch
+mms-sdhci-sprd-add-sdhci_quirk_broken_card_detection.patch
+mm-memcg-partially-revert-mm-memcontrol.c-keep-local-vm-counters-in-sync-with-the-hierarchical-ones.patch
+mm-memcontrol-fix-percpu-vmstats-and-vmevents-flush.patch
--- /dev/null
+From 961b6ffe0e2c403b09a8efe4a2e986b3c415391a Mon Sep 17 00:00:00 2001
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Date: Wed, 21 Aug 2019 10:49:52 +0300
+Subject: stm class: Fix a double free of stm_source_device
+
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+
+commit 961b6ffe0e2c403b09a8efe4a2e986b3c415391a upstream.
+
+In the error path of stm_source_register_device(), the kfree is
+unnecessary, as the put_device() before it ends up calling
+stm_source_device_release() to free stm_source_device, leading to
+a double free at the outer kfree() call. Remove it.
+
+Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2fa ("stm class: Introduce an abstraction for System Trace Module devices")
+Link: https://lore.kernel.org/linux-arm-kernel/1563354988-23826-1-git-send-email-dingxiang@cmss.chinamobile.com/
+Cc: stable@vger.kernel.org # v4.4+
+Link: https://lore.kernel.org/r/20190821074955.3925-2-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -1276,7 +1276,6 @@ int stm_source_register_device(struct de
+
+ err:
+ put_device(&src->dev);
+- kfree(src);
+
+ return err;
+ }
--- /dev/null
+From bd736ed3e2d1088d9b4050f727342e1e619c3841 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 15 Aug 2019 17:26:17 -0400
+Subject: SUNRPC: Don't handle errors if the bind/connect succeeded
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit bd736ed3e2d1088d9b4050f727342e1e619c3841 upstream.
+
+Don't handle errors in call_bind_status()/call_connect_status()
+if it turns out that a previous call caused it to succeed.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v5.1+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/clnt.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1893,6 +1893,7 @@ call_bind(struct rpc_task *task)
+ static void
+ call_bind_status(struct rpc_task *task)
+ {
++ struct rpc_xprt *xprt = task->tk_rqstp->rq_xprt;
+ int status = -EIO;
+
+ if (rpc_task_transmitted(task)) {
+@@ -1900,14 +1901,15 @@ call_bind_status(struct rpc_task *task)
+ return;
+ }
+
+- if (task->tk_status >= 0) {
+- dprint_status(task);
++ dprint_status(task);
++ trace_rpc_bind_status(task);
++ if (task->tk_status >= 0)
++ goto out_next;
++ if (xprt_bound(xprt)) {
+ task->tk_status = 0;
+- task->tk_action = call_connect;
+- return;
++ goto out_next;
+ }
+
+- trace_rpc_bind_status(task);
+ switch (task->tk_status) {
+ case -ENOMEM:
+ dprintk("RPC: %5u rpcbind out of memory\n", task->tk_pid);
+@@ -1966,7 +1968,9 @@ call_bind_status(struct rpc_task *task)
+
+ rpc_call_rpcerror(task, status);
+ return;
+-
++out_next:
++ task->tk_action = call_connect;
++ return;
+ retry_timeout:
+ task->tk_status = 0;
+ task->tk_action = call_bind;
+@@ -2013,6 +2017,7 @@ call_connect(struct rpc_task *task)
+ static void
+ call_connect_status(struct rpc_task *task)
+ {
++ struct rpc_xprt *xprt = task->tk_rqstp->rq_xprt;
+ struct rpc_clnt *clnt = task->tk_client;
+ int status = task->tk_status;
+
+@@ -2022,8 +2027,17 @@ call_connect_status(struct rpc_task *tas
+ }
+
+ dprint_status(task);
+-
+ trace_rpc_connect_status(task);
++
++ if (task->tk_status == 0) {
++ clnt->cl_stats->netreconn++;
++ goto out_next;
++ }
++ if (xprt_connected(xprt)) {
++ task->tk_status = 0;
++ goto out_next;
++ }
++
+ task->tk_status = 0;
+ switch (status) {
+ case -ECONNREFUSED:
+@@ -2054,13 +2068,12 @@ call_connect_status(struct rpc_task *tas
+ case -EAGAIN:
+ case -ETIMEDOUT:
+ goto out_retry;
+- case 0:
+- clnt->cl_stats->netreconn++;
+- task->tk_action = call_transmit;
+- return;
+ }
+ rpc_call_rpcerror(task, status);
+ return;
++out_next:
++ task->tk_action = call_transmit;
++ return;
+ out_retry:
+ /* Check for timeouts before looping back to call_bind */
+ task->tk_action = call_bind;
--- /dev/null
+From a684d8fd87182090ee96e34519ecdf009cef093a Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 22 Aug 2019 14:52:12 +0100
+Subject: typec: tcpm: fix a typo in the comparison of pdo_max_voltage
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit a684d8fd87182090ee96e34519ecdf009cef093a upstream.
+
+There appears to be a typo in the comparison of pdo_max_voltage[i]
+with the previous value, currently it is checking against the
+array pdo_min_voltage rather than pdo_max_voltage. I believe this
+is a typo. Fix this.
+
+Addresses-Coverity: ("Copy-paste error")
+Fixes: 5007e1b5db73 ("typec: tcpm: Validate source and sink caps")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20190822135212.10195-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/tcpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1446,7 +1446,7 @@ static enum pdo_err tcpm_caps_err(struct
+ else if ((pdo_min_voltage(pdo[i]) ==
+ pdo_min_voltage(pdo[i - 1])) &&
+ (pdo_max_voltage(pdo[i]) ==
+- pdo_min_voltage(pdo[i - 1])))
++ pdo_max_voltage(pdo[i - 1])))
+ return PDO_ERR_DUPE_PDO;
+ break;
+ /*
--- /dev/null
+From ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Tue, 20 Aug 2019 13:26:38 -0700
+Subject: VMCI: Release resource if the work is already queued
+
+From: Nadav Amit <namit@vmware.com>
+
+commit ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 upstream.
+
+Francois reported that VMware balloon gets stuck after a balloon reset,
+when the VMCI doorbell is removed. A similar error can occur when the
+balloon driver is removed with the following splat:
+
+[ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds.
+[ 1088.622035] Tainted: G W 5.2.0 #4
+[ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 1088.622205] modprobe D 0 3565 1450 0x00000000
+[ 1088.622210] Call Trace:
+[ 1088.622246] __schedule+0x2a8/0x690
+[ 1088.622248] schedule+0x2d/0x90
+[ 1088.622250] schedule_timeout+0x1d3/0x2f0
+[ 1088.622252] wait_for_completion+0xba/0x140
+[ 1088.622320] ? wake_up_q+0x80/0x80
+[ 1088.622370] vmci_resource_remove+0xb9/0xc0 [vmw_vmci]
+[ 1088.622373] vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci]
+[ 1088.622379] vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon]
+[ 1088.622381] vmballoon_exit+0x18/0xcc8 [vmw_balloon]
+[ 1088.622394] __x64_sys_delete_module+0x146/0x280
+[ 1088.622408] do_syscall_64+0x5a/0x130
+[ 1088.622410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1088.622415] RIP: 0033:0x7f54f62791b7
+[ 1088.622421] Code: Bad RIP value.
+[ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7
+[ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68
+[ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000
+[ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68
+[ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0
+
+The cause for the bug is that when the "delayed" doorbell is invoked, it
+takes a reference on the doorbell entry and schedules work that is
+supposed to run the appropriate code and drop the doorbell entry
+reference. The code ignores the fact that if the work is already queued,
+it will not be scheduled to run one more time. As a result one of the
+references would not be dropped. When the code waits for the reference
+to get to zero, during balloon reset or module removal, it gets stuck.
+
+Fix it. Drop the reference if schedule_work() indicates that the work is
+already queued.
+
+Note that this bug got more apparent (or apparent at all) due to
+commit ce664331b248 ("vmw_balloon: VMCI_DOORBELL_SET does not check status").
+
+Fixes: 83e2ec765be03 ("VMCI: doorbell implementation.")
+Reported-by: Francois Rigault <rigault.francois@gmail.com>
+Cc: Jorgen Hansen <jhansen@vmware.com>
+Cc: Adit Ranadive <aditr@vmware.com>
+Cc: Alexios Zavras <alexios.zavras@intel.com>
+Cc: Vishnu DASA <vdasa@vmware.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_vmci/vmci_doorbell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_doorbell.c
++++ b/drivers/misc/vmw_vmci/vmci_doorbell.c
+@@ -310,7 +310,8 @@ int vmci_dbell_host_context_notify(u32 s
+
+ entry = container_of(resource, struct dbell_entry, resource);
+ if (entry->run_delayed) {
+- schedule_work(&entry->work);
++ if (!schedule_work(&entry->work))
++ vmci_resource_put(resource);
+ } else {
+ entry->notify_cb(entry->client_data);
+ vmci_resource_put(resource);
+@@ -361,7 +362,8 @@ static void dbell_fire_entries(u32 notif
+ atomic_read(&dbell->active) == 1) {
+ if (dbell->run_delayed) {
+ vmci_resource_get(&dbell->resource);
+- schedule_work(&dbell->work);
++ if (!schedule_work(&dbell->work))
++ vmci_resource_put(&dbell->resource);
+ } else {
+ dbell->notify_cb(dbell->client_data);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
