--- /dev/null
+From 1244ad1657bfd23032631faecafe7ff299632938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 11:07:22 +0200
+Subject: ARM: futex: Address build warning
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 8101b5a1531f3390b3a69fa7934c70a8fd6566ad ]
+
+Stephen reported the following build warning on a ARM multi_v7_defconfig
+build with GCC 9.2.1:
+
+kernel/futex.c: In function 'do_futex':
+kernel/futex.c:1676:17: warning: 'oldval' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 1676 | return oldval == cmparg;
+ | ~~~~~~~^~~~~~~~~
+kernel/futex.c:1652:6: note: 'oldval' was declared here
+ 1652 | int oldval, ret;
+ | ^~~~~~
+
+introduced by commit a08971e9488d ("futex: arch_futex_atomic_op_inuser()
+calling conventions change").
+
+While that change should not make any difference it confuses GCC which
+fails to work out that oldval is not referenced when the return value is
+not zero.
+
+GCC fails to properly analyze arch_futex_atomic_op_inuser(). It's not the
+early return, the issue is with the assembly macros. GCC fails to detect
+that those either set 'ret' to 0 and set oldval or set 'ret' to -EFAULT
+which makes oldval uninteresting. The store to the callsite supplied oldval
+pointer is conditional on ret == 0.
+
+The straight forward way to solve this is to make the store unconditional.
+
+Aside of addressing the build warning this makes sense anyway because it
+removes the conditional from the fastpath. In the error case the stored
+value is uninteresting and the extra store does not matter at all.
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/87pncao2ph.fsf@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/futex.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
+index ffebe7b7a5b7..91ca80035fc4 100644
+--- a/arch/arm/include/asm/futex.h
++++ b/arch/arm/include/asm/futex.h
+@@ -163,8 +163,13 @@ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
+ preempt_enable();
+ #endif
+
+- if (!ret)
+- *oval = oldval;
++ /*
++ * Store unconditionally. If ret != 0 the extra store is the least
++ * of the worries but GCC cannot figure out that __futex_atomic_op()
++ * is either setting ret to -EFAULT or storing the old value in
++ * oldval which results in a uninitialized warning at the call site.
++ */
++ *oval = oldval;
+
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From a0142ccc56667f1a0b9e5b458c4f2f748c72d38f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 14:12:49 +0800
+Subject: ceph: fix double unlock in handle_cap_export()
+
+From: Wu Bo <wubo40@huawei.com>
+
+[ Upstream commit 4d8e28ff3106b093d98bfd2eceb9b430c70a8758 ]
+
+If the ceph_mdsc_open_export_target_session() return fails, it will
+do a "goto retry", but the session mutex has already been unlocked.
+Re-lock the mutex in that case to ensure that we don't unlock it
+twice.
+
+Signed-off-by: Wu Bo <wubo40@huawei.com>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/caps.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 1b5a50848b5b..589cfe3ed873 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -3502,6 +3502,7 @@ retry:
+ WARN_ON(1);
+ tsession = NULL;
+ target = -1;
++ mutex_lock(&session->s_mutex);
+ }
+ goto retry;
+
+--
+2.25.1
+
--- /dev/null
+From 3c5db303686be919b463b07780551867ea9c056b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Apr 2020 13:02:41 -0600
+Subject: component: Silence bind error on -EPROBE_DEFER
+
+From: James Hilliard <james.hilliard1@gmail.com>
+
+[ Upstream commit 7706b0a76a9697021e2bf395f3f065c18f51043d ]
+
+If a component fails to bind due to -EPROBE_DEFER we should not log an
+error as this is not a real failure.
+
+Fixes messages like:
+vc4-drm soc:gpu: failed to bind 3f902000.hdmi (ops vc4_hdmi_ops): -517
+vc4-drm soc:gpu: master bind failed: -517
+
+Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
+Link: https://lore.kernel.org/r/20200411190241.89404-1-james.hilliard1@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/component.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/component.c b/drivers/base/component.c
+index 08da6160e94d..55f0856bd9b5 100644
+--- a/drivers/base/component.c
++++ b/drivers/base/component.c
+@@ -162,7 +162,8 @@ static int try_to_bring_up_master(struct master *master,
+ ret = master->ops->bind(master->dev);
+ if (ret < 0) {
+ devres_release_group(master->dev, NULL);
+- dev_info(master->dev, "master bind failed: %d\n", ret);
++ if (ret != -EPROBE_DEFER)
++ dev_info(master->dev, "master bind failed: %d\n", ret);
+ return ret;
+ }
+
+@@ -431,8 +432,9 @@ static int component_bind(struct component *component, struct master *master,
+ devres_release_group(component->dev, NULL);
+ devres_release_group(master->dev, NULL);
+
+- dev_err(master->dev, "failed to bind %s (ops %ps): %d\n",
+- dev_name(component->dev), component->ops, ret);
++ if (ret != -EPROBE_DEFER)
++ dev_err(master->dev, "failed to bind %s (ops %ps): %d\n",
++ dev_name(component->dev), component->ops, ret);
+ }
+
+ return ret;
+--
+2.25.1
+
--- /dev/null
+From 697082ee91e2572522bf104a010d14e20a88c982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Apr 2020 20:52:26 +0800
+Subject: configfs: fix config_item refcnt leak in configfs_rmdir()
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit 8aebfffacfa379ba400da573a5bf9e49634e38cb ]
+
+configfs_rmdir() invokes configfs_get_config_item(), which returns a
+reference of the specified config_item object to "parent_item" with
+increased refcnt.
+
+When configfs_rmdir() returns, local variable "parent_item" becomes
+invalid, so the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+configfs_rmdir(). When down_write_killable() fails, the function forgets
+to decrease the refcnt increased by configfs_get_config_item(), causing
+a refcnt leak.
+
+Fix this issue by calling config_item_put() when down_write_killable()
+fails.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/configfs/dir.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index c2ef617d2f97..c875f246cb0e 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -1537,6 +1537,7 @@ static int configfs_rmdir(struct inode *dir, struct dentry *dentry)
+ spin_lock(&configfs_dirent_lock);
+ configfs_detach_rollback(dentry);
+ spin_unlock(&configfs_dirent_lock);
++ config_item_put(parent_item);
+ return -EINTR;
+ }
+ frag->frag_dead = true;
+--
+2.25.1
+
--- /dev/null
+From 4dd9d7932cf58787a25adcc8e82dd7d160ee3911 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:28:56 +0200
+Subject: evm: Check also if *tfm is an error pointer in init_desc()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit 53de3b080d5eae31d0de219617155dcc34e7d698 ]
+
+This patch avoids a kernel panic due to accessing an error pointer set by
+crypto_alloc_shash(). It occurs especially when there are many files that
+require an unsupported algorithm, as it would increase the likelihood of
+the following race condition:
+
+Task A: *tfm = crypto_alloc_shash() <= error pointer
+Task B: if (*tfm == NULL) <= *tfm is not NULL, use it
+Task B: rc = crypto_shash_init(desc) <= panic
+Task A: *tfm = NULL
+
+This patch uses the IS_ERR_OR_NULL macro to determine whether or not a new
+crypto context must be created.
+
+Cc: stable@vger.kernel.org
+Fixes: d46eb3699502b ("evm: crypto hash replaced by shash")
+Co-developed-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/evm/evm_crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
+index f1f030ae363b..73791d22ae07 100644
+--- a/security/integrity/evm/evm_crypto.c
++++ b/security/integrity/evm/evm_crypto.c
+@@ -90,7 +90,7 @@ static struct shash_desc *init_desc(char type)
+ algo = evm_hash;
+ }
+
+- if (*tfm == NULL) {
++ if (IS_ERR_OR_NULL(*tfm)) {
+ mutex_lock(&mutex);
+ if (*tfm)
+ goto out;
+--
+2.25.1
+
--- /dev/null
+From ad30dc375778714d8f2f5b4f4edd22f39b7ccafb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2020 17:48:52 -0400
+Subject: fix multiplication overflow in copy_fdtable()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 4e89b7210403fa4a8acafe7c602b6212b7af6c3b ]
+
+cpy and set really should be size_t; we won't get an overflow on that,
+since sysctl_nr_open can't be set above ~(size_t)0 / sizeof(void *),
+so nr that would've managed to overflow size_t on that multiplication
+won't get anywhere near copy_fdtable() - we'll fail with EMFILE
+before that.
+
+Cc: stable@kernel.org # v2.6.25+
+Fixes: 9cfe015aa424 (get rid of NR_OPEN and introduce a sysctl_nr_open)
+Reported-by: Thiago Macieira <thiago.macieira@intel.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/file.c b/fs/file.c
+index 0c25b980affe..97c6f0df39da 100644
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -75,7 +75,7 @@ static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
+ */
+ static void copy_fdtable(struct fdtable *nfdt, struct fdtable *ofdt)
+ {
+- unsigned int cpy, set;
++ size_t cpy, set;
+
+ BUG_ON(nfdt->max_fds < ofdt->max_fds);
+
+--
+2.25.1
+
--- /dev/null
+From 3508c401865937db6d3c747841ec48b7eba03e32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2020 13:32:59 +0200
+Subject: gcc-common.h: Update for GCC 10
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Pierret (fepitre) <frederic.pierret@qubes-os.org>
+
+[ Upstream commit c7527373fe28f97d8a196ab562db5589be0d34b9 ]
+
+Remove "params.h" include, which has been dropped in GCC 10.
+
+Remove is_a_helper() macro, which is now defined in gimple.h, as seen
+when running './scripts/gcc-plugin.sh g++ g++ gcc':
+
+In file included from <stdin>:1:
+./gcc-plugins/gcc-common.h:852:13: error: redefinition of ‘static bool is_a_helper<T>::test(U*) [with U = const gimple; T = const ggoto*]’
+ 852 | inline bool is_a_helper<const ggoto *>::test(const_gimple gs)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from ./gcc-plugins/gcc-common.h:125,
+ from <stdin>:1:
+/usr/lib/gcc/x86_64-redhat-linux/10/plugin/include/gimple.h:1037:1: note: ‘static bool is_a_helper<T>::test(U*) [with U = const gimple; T = const ggoto*]’ previously declared here
+ 1037 | is_a_helper <const ggoto *>::test (const gimple *gs)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add -Wno-format-diag to scripts/gcc-plugins/Makefile to avoid
+meaningless warnings from error() formats used by plugins:
+
+scripts/gcc-plugins/structleak_plugin.c: In function ‘int plugin_init(plugin_name_args*, plugin_gcc_version*)’:
+scripts/gcc-plugins/structleak_plugin.c:253:12: warning: unquoted sequence of 2 consecutive punctuation characters ‘'-’ in format [-Wformat-diag]
+ 253 | error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Frédéric Pierret (fepitre) <frederic.pierret@qubes-os.org>
+Link: https://lore.kernel.org/r/20200407113259.270172-1-frederic.pierret@qubes-os.org
+[kees: include -Wno-format-diag for plugin builds]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gcc-plugins/Makefile | 1 +
+ scripts/gcc-plugins/gcc-common.h | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile
+index e2ff425f4c7e..c404d7628039 100644
+--- a/scripts/gcc-plugins/Makefile
++++ b/scripts/gcc-plugins/Makefile
+@@ -10,6 +10,7 @@ else
+ HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti
+ HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb
+ HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable
++ HOST_EXTRACXXFLAGS += -Wno-format-diag
+ export HOST_EXTRACXXFLAGS
+ endif
+
+diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
+index 797e3786b415..01312b1d6294 100644
+--- a/scripts/gcc-plugins/gcc-common.h
++++ b/scripts/gcc-plugins/gcc-common.h
+@@ -35,7 +35,9 @@
+ #include "ggc.h"
+ #include "timevar.h"
+
++#if BUILDING_GCC_VERSION < 10000
+ #include "params.h"
++#endif
+
+ #if BUILDING_GCC_VERSION <= 4009
+ #include "pointer-set.h"
+@@ -841,6 +843,7 @@ static inline gimple gimple_build_assign_with_ops(enum tree_code subcode, tree l
+ return gimple_build_assign(lhs, subcode, op1, op2 PASS_MEM_STAT);
+ }
+
++#if BUILDING_GCC_VERSION < 10000
+ template <>
+ template <>
+ inline bool is_a_helper<const ggoto *>::test(const_gimple gs)
+@@ -854,6 +857,7 @@ inline bool is_a_helper<const greturn *>::test(const_gimple gs)
+ {
+ return gs->code == GIMPLE_RETURN;
+ }
++#endif
+
+ static inline gasm *as_a_gasm(gimple stmt)
+ {
+--
+2.25.1
+
--- /dev/null
+From e49266e749c61f712c8d453081dd9003ad0b564d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 14:01:36 +0900
+Subject: gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp()
+
+From: Yoshiyuki Kurauchi <ahochauwaaaaa@gmail.com>
+
+[ Upstream commit 846c68f7f1ac82c797a2f1db3344a2966c0fe2e1 ]
+
+In drivers/net/gtp.c, gtp_genl_dump_pdp() should set NLM_F_MULTI
+flag since it returns multipart message.
+This patch adds a new arg "flags" in gtp_genl_fill_info() so that
+flags can be set by the callers.
+
+Signed-off-by: Yoshiyuki Kurauchi <ahochauwaaaaa@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 92e4e5d53053..090607e725a2 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1177,11 +1177,11 @@ out_unlock:
+ static struct genl_family gtp_genl_family;
+
+ static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq,
+- u32 type, struct pdp_ctx *pctx)
++ int flags, u32 type, struct pdp_ctx *pctx)
+ {
+ void *genlh;
+
+- genlh = genlmsg_put(skb, snd_portid, snd_seq, >p_genl_family, 0,
++ genlh = genlmsg_put(skb, snd_portid, snd_seq, >p_genl_family, flags,
+ type);
+ if (genlh == NULL)
+ goto nlmsg_failure;
+@@ -1235,8 +1235,8 @@ static int gtp_genl_get_pdp(struct sk_buff *skb, struct genl_info *info)
+ goto err_unlock;
+ }
+
+- err = gtp_genl_fill_info(skb2, NETLINK_CB(skb).portid,
+- info->snd_seq, info->nlhdr->nlmsg_type, pctx);
++ err = gtp_genl_fill_info(skb2, NETLINK_CB(skb).portid, info->snd_seq,
++ 0, info->nlhdr->nlmsg_type, pctx);
+ if (err < 0)
+ goto err_unlock_free;
+
+@@ -1279,6 +1279,7 @@ static int gtp_genl_dump_pdp(struct sk_buff *skb,
+ gtp_genl_fill_info(skb,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq,
++ NLM_F_MULTI,
+ cb->nlh->nlmsg_type, pctx)) {
+ cb->args[0] = i;
+ cb->args[1] = j;
+--
+2.25.1
+
--- /dev/null
+From c61f5be6b4de06c2e165a5dfc5a734dd57609205 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 18:02:37 +0200
+Subject: HID: multitouch: add eGalaxTouch P80H84 support
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit f9e82295eec141a0569649d400d249333d74aa91 ]
+
+Add support for P80H84 touchscreen from eGalaxy:
+
+ idVendor 0x0eef D-WAV Scientific Co., Ltd
+ idProduct 0xc002
+ iManufacturer 1 eGalax Inc.
+ iProduct 2 eGalaxTouch P80H84 2019 vDIVA_1204_T01 k4.02.146
+
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-multitouch.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 9d372fa7c298..a1e5e0529545 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -369,6 +369,7 @@
+ #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7349 0x7349
+ #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_73F7 0x73f7
+ #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002 0xc002
+
+ #define USB_VENDOR_ID_ELAN 0x04f3
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 07d92d4a9f7c..db29bf539a4b 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1550,6 +1550,9 @@ static const struct hid_device_id mt_devices[] = {
+ { .driver_data = MT_CLS_EGALAX_SERIAL,
+ MT_USB_DEVICE(USB_VENDOR_ID_DWAV,
+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001) },
++ { .driver_data = MT_CLS_EGALAX,
++ MT_USB_DEVICE(USB_VENDOR_ID_DWAV,
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002) },
+
+ /* Elitegroup panel */
+ { .driver_data = MT_CLS_SERIAL,
+--
+2.25.1
+
--- /dev/null
+From 5c13762c7f9b11ee0cad6427aff58c037c23a61d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 21:21:00 +0200
+Subject: i2c: mux: demux-pinctrl: Fix an error handling path in
+ 'i2c_demux_pinctrl_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e9d1a0a41d4486955e96552293c1fcf1fce61602 ]
+
+A call to 'i2c_demux_deactivate_master()' is missing in the error handling
+path, as already done in the remove function.
+
+Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/muxes/i2c-demux-pinctrl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/muxes/i2c-demux-pinctrl.c b/drivers/i2c/muxes/i2c-demux-pinctrl.c
+index 33ce032cb701..0c637ae81404 100644
+--- a/drivers/i2c/muxes/i2c-demux-pinctrl.c
++++ b/drivers/i2c/muxes/i2c-demux-pinctrl.c
+@@ -270,6 +270,7 @@ static int i2c_demux_pinctrl_probe(struct platform_device *pdev)
+ err_rollback_available:
+ device_remove_file(&pdev->dev, &dev_attr_available_masters);
+ err_rollback:
++ i2c_demux_deactivate_master(priv);
+ for (j = 0; j < i; j++) {
+ of_node_put(priv->chan[j].parent_np);
+ of_changeset_destroy(&priv->chan[j].chgset);
+--
+2.25.1
+
--- /dev/null
+From f3f1a988b115074074cf6e7b3032bb5c1b50effd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:31:28 +0200
+Subject: ima: Fix return value of ima_write_policy()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit 2e3a34e9f409ebe83d1af7cd2f49fca7af97dfac ]
+
+This patch fixes the return value of ima_write_policy() when a new policy
+is directly passed to IMA and the current policy requires appraisal of the
+file containing the policy. Currently, if appraisal is not in ENFORCE mode,
+ima_write_policy() returns 0 and leads user space applications to an
+endless loop. Fix this issue by denying the operation regardless of the
+appraisal mode.
+
+Cc: stable@vger.kernel.org # 4.10.x
+Fixes: 19f8a84713edc ("ima: measure and appraise the IMA policy itself")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_fs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
+index 2c4e83f6409e..d37f9ac46670 100644
+--- a/security/integrity/ima/ima_fs.c
++++ b/security/integrity/ima/ima_fs.c
+@@ -340,8 +340,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+ "policy_update", "signed policy required",
+ 1, 0);
+- if (ima_appraise & IMA_APPRAISE_ENFORCE)
+- result = -EACCES;
++ result = -EACCES;
+ } else {
+ result = ima_parse_add_rule(data);
+ }
+--
+2.25.1
+
--- /dev/null
+From d9f7c296646c3c51ff0fd327daf9e6d5aef774cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:28:55 +0200
+Subject: ima: Set file->f_mode instead of file->f_flags in
+ ima_calc_file_hash()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit 0014cc04e8ec077dc482f00c87dfd949cfe2b98f ]
+
+Commit a408e4a86b36 ("ima: open a new file instance if no read
+permissions") tries to create a new file descriptor to calculate a file
+digest if the file has not been opened with O_RDONLY flag. However, if a
+new file descriptor cannot be obtained, it sets the FMODE_READ flag to
+file->f_flags instead of file->f_mode.
+
+This patch fixes this issue by replacing f_flags with f_mode as it was
+before that commit.
+
+Cc: stable@vger.kernel.org # 4.20.x
+Fixes: a408e4a86b36 ("ima: open a new file instance if no read permissions")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_crypto.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
+index 06b0ee75f34f..7b16e54f01c6 100644
+--- a/security/integrity/ima/ima_crypto.c
++++ b/security/integrity/ima/ima_crypto.c
+@@ -432,7 +432,7 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
+ loff_t i_size;
+ int rc;
+ struct file *f = file;
+- bool new_file_instance = false, modified_flags = false;
++ bool new_file_instance = false, modified_mode = false;
+
+ /*
+ * For consistency, fail file's opened with the O_DIRECT flag on
+@@ -452,13 +452,13 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
+ f = dentry_open(&file->f_path, flags, file->f_cred);
+ if (IS_ERR(f)) {
+ /*
+- * Cannot open the file again, lets modify f_flags
++ * Cannot open the file again, lets modify f_mode
+ * of original and continue
+ */
+ pr_info_ratelimited("Unable to reopen file for reading.\n");
+ f = file;
+- f->f_flags |= FMODE_READ;
+- modified_flags = true;
++ f->f_mode |= FMODE_READ;
++ modified_mode = true;
+ } else {
+ new_file_instance = true;
+ }
+@@ -476,8 +476,8 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
+ out:
+ if (new_file_instance)
+ fput(f);
+- else if (modified_flags)
+- f->f_flags &= ~FMODE_READ;
++ else if (modified_mode)
++ f->f_mode &= ~FMODE_READ;
+ return rc;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 25da396ed29092407c7e440c699401ad3dfe1a27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2020 10:23:52 +0000
+Subject: iommu/amd: Fix over-read of ACPI UID from IVRS table
+
+From: Alexander Monakov <amonakov@ispras.ru>
+
+[ Upstream commit e461b8c991b9202b007ea2059d953e264240b0c9 ]
+
+IVRS parsing code always tries to read 255 bytes from memory when
+retrieving ACPI device path, and makes an assumption that firmware
+provides a zero-terminated string. Both of those are bugs: the entry
+is likely to be shorter than 255 bytes, and zero-termination is not
+guaranteed.
+
+With Acer SF314-42 firmware these issues manifest visibly in dmesg:
+
+AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR0\xf0\xa5, rdevid:160
+AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR1\xf0\xa5, rdevid:160
+AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR2\xf0\xa5, rdevid:160
+AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR3>\x83e\x8d\x9a\xd1...
+
+The first three lines show how the code over-reads adjacent table
+entries into the UID, and in the last line it even reads garbage data
+beyond the end of the IVRS table itself.
+
+Since each entry has the length of the UID (uidl member of ivhd_entry
+struct), use that for memcpy, and manually add a zero terminator.
+
+Avoid zero-filling hid and uid arrays up front, and instead ensure
+the uid array is always zero-terminated. No change needed for the hid
+array, as it was already properly zero-terminated.
+
+Fixes: 2a0cb4e2d423c ("iommu/amd: Add new map for storing IVHD dev entry type HID")
+
+Signed-off-by: Alexander Monakov <amonakov@ispras.ru>
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: iommu@lists.linux-foundation.org
+Link: https://lore.kernel.org/r/20200511102352.1831-1-amonakov@ispras.ru
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu_init.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index 6c228144b3da..ec9a20e06941 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -1317,8 +1317,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu,
+ }
+ case IVHD_DEV_ACPI_HID: {
+ u16 devid;
+- u8 hid[ACPIHID_HID_LEN] = {0};
+- u8 uid[ACPIHID_UID_LEN] = {0};
++ u8 hid[ACPIHID_HID_LEN];
++ u8 uid[ACPIHID_UID_LEN];
+ int ret;
+
+ if (h->type != 0x40) {
+@@ -1335,6 +1335,7 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu,
+ break;
+ }
+
++ uid[0] = '\0';
+ switch (e->uidf) {
+ case UID_NOT_PRESENT:
+
+@@ -1349,8 +1350,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu,
+ break;
+ case UID_IS_CHARACTER:
+
+- memcpy(uid, (u8 *)(&e->uid), ACPIHID_UID_LEN - 1);
+- uid[ACPIHID_UID_LEN - 1] = '\0';
++ memcpy(uid, &e->uid, e->uidl);
++ uid[e->uidl] = '\0';
+
+ break;
+ default:
+--
+2.25.1
+
--- /dev/null
+From 223783fa1b29a65a5965305a7224984b46efba2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 00:05:59 +0200
+Subject: platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 3bd12da7f50b8bc191fcb3bab1f55c582234df59 ]
+
+asus-nb-wmi does not add any extra functionality on these Asus
+Transformer books. They have detachable keyboards, so the hotkeys are
+send through a HID device (and handled by the hid-asus driver) and also
+the rfkill functionality is not used on these devices.
+
+Besides not adding any extra functionality, initializing the WMI interface
+on these devices actually has a negative side-effect. For some reason
+the \_SB.ATKD.INIT() function which asus_wmi_platform_init() calls drives
+GPO2 (INT33FC:02) pin 8, which is connected to the front facing webcam LED,
+high and there is no (WMI or other) interface to drive this low again
+causing the LED to be permanently on, even during suspend.
+
+This commit adds a blacklist of DMI system_ids on which not to load the
+asus-nb-wmi and adds these Transformer books to this list. This fixes
+the webcam LED being permanently on under Linux.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
+index 59f3a37a44d7..8db2dc05b8cf 100644
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -517,9 +517,33 @@ static struct asus_wmi_driver asus_nb_wmi_driver = {
+ .detect_quirks = asus_nb_wmi_quirks,
+ };
+
++static const struct dmi_system_id asus_nb_wmi_blacklist[] __initconst = {
++ {
++ /*
++ * asus-nb-wm adds no functionality. The T100TA has a detachable
++ * USB kbd, so no hotkeys and it has no WMI rfkill; and loading
++ * asus-nb-wm causes the camera LED to turn and _stay_ on.
++ */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TA"),
++ },
++ },
++ {
++ /* The Asus T200TA has the same issue as the T100TA */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T200TA"),
++ },
++ },
++ {} /* Terminating entry */
++};
+
+ static int __init asus_nb_wmi_init(void)
+ {
++ if (dmi_check_system(asus_nb_wmi_blacklist))
++ return -ENODEV;
++
+ return asus_wmi_register_driver(&asus_nb_wmi_driver);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 7bb50dd79a9ffd9c6e26a062e4a21ff978deb768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 15:49:53 -0700
+Subject: scsi: ibmvscsi: Fix WARN_ON during event pool release
+
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+
+[ Upstream commit b36522150e5b85045f868768d46fbaaa034174b2 ]
+
+While removing an ibmvscsi client adapter a WARN_ON like the following is
+seen in the kernel log:
+
+drmgr: drmgr: -r -c slot -s U9080.M9S.783AEC8-V11-C11 -w 5 -d 1
+WARNING: CPU: 9 PID: 24062 at ../kernel/dma/mapping.c:311 dma_free_attrs+0x78/0x110
+Supported: No, Unreleased kernel
+CPU: 9 PID: 24062 Comm: drmgr Kdump: loaded Tainted: G X 5.3.18-12-default
+NIP: c0000000001fa758 LR: c0000000001fa744 CTR: c0000000001fa6e0
+REGS: c0000002173375d0 TRAP: 0700 Tainted: G X (5.3.18-12-default)
+MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 28088282 XER: 20000000
+CFAR: c0000000001fbf0c IRQMASK: 1
+GPR00: c0000000001fa744 c000000217337860 c00000000161ab00 0000000000000000
+GPR04: 0000000000000000 c000011e12250000 0000000018010000 0000000000000000
+GPR08: 0000000000000000 0000000000000001 0000000000000001 c0080000190f4fa8
+GPR12: c0000000001fa6e0 c000000007fc2a00 0000000000000000 0000000000000000
+GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+GPR24: 000000011420e310 0000000000000000 0000000000000000 0000000018010000
+GPR28: c00000000159de50 c000011e12250000 0000000000006600 c000011e5c994848
+NIP [c0000000001fa758] dma_free_attrs+0x78/0x110
+LR [c0000000001fa744] dma_free_attrs+0x64/0x110
+Call Trace:
+[c000000217337860] [000000011420e310] 0x11420e310 (unreliable)
+[c0000002173378b0] [c0080000190f0280] release_event_pool+0xd8/0x120 [ibmvscsi]
+[c000000217337930] [c0080000190f3f74] ibmvscsi_remove+0x6c/0x160 [ibmvscsi]
+[c000000217337960] [c0000000000f3cac] vio_bus_remove+0x5c/0x100
+[c0000002173379a0] [c00000000087a0a4] device_release_driver_internal+0x154/0x280
+[c0000002173379e0] [c0000000008777cc] bus_remove_device+0x11c/0x220
+[c000000217337a60] [c000000000870fc4] device_del+0x1c4/0x470
+[c000000217337b10] [c0000000008712a0] device_unregister+0x30/0xa0
+[c000000217337b80] [c0000000000f39ec] vio_unregister_device+0x2c/0x60
+[c000000217337bb0] [c00800001a1d0964] dlpar_remove_slot+0x14c/0x250 [rpadlpar_io]
+[c000000217337c50] [c00800001a1d0bcc] remove_slot_store+0xa4/0x110 [rpadlpar_io]
+[c000000217337cd0] [c000000000c091a0] kobj_attr_store+0x30/0x50
+[c000000217337cf0] [c00000000057c934] sysfs_kf_write+0x64/0x90
+[c000000217337d10] [c00000000057be10] kernfs_fop_write+0x1b0/0x290
+[c000000217337d60] [c000000000488c4c] __vfs_write+0x3c/0x70
+[c000000217337d80] [c00000000048c648] vfs_write+0xd8/0x260
+[c000000217337dd0] [c00000000048ca8c] ksys_write+0xdc/0x130
+[c000000217337e20] [c00000000000b488] system_call+0x5c/0x70
+Instruction dump:
+7c840074 f8010010 f821ffb1 20840040 eb830218 7c8407b4 48002019 60000000
+2fa30000 409e003c 892d0988 792907e0 <0b090000> 2fbd0000 419e0028 2fbc0000
+---[ end trace 5955b3c0cc079942 ]---
+rpadlpar_io: slot U9080.M9S.783AEC8-V11-C11 removed
+
+This is tripped as a result of irqs being disabled during the call to
+dma_free_coherent() by release_event_pool(). At this point in the code path
+we have quiesced the adapter and it is overly paranoid to be holding the
+host lock.
+
+[mkp: fixed build warning reported by sfr]
+
+Link: https://lore.kernel.org/r/1588027793-17952-1-git-send-email-tyreld@linux.ibm.com
+Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c
+index 07c23bbd968c..83645a1c6f82 100644
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -2299,16 +2299,12 @@ static int ibmvscsi_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ static int ibmvscsi_remove(struct vio_dev *vdev)
+ {
+ struct ibmvscsi_host_data *hostdata = dev_get_drvdata(&vdev->dev);
+- unsigned long flags;
+
+ srp_remove_host(hostdata->host);
+ scsi_remove_host(hostdata->host);
+
+ purge_requests(hostdata, DID_ERROR);
+-
+- spin_lock_irqsave(hostdata->host->host_lock, flags);
+ release_event_pool(&hostdata->pool, hostdata);
+- spin_unlock_irqrestore(hostdata->host->host_lock, flags);
+
+ ibmvscsi_release_crq_queue(&hostdata->queue, hostdata,
+ max_events);
+--
+2.25.1
+
--- /dev/null
+From 9338b2e167531d9e55773dda66cd2d004f66b9ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2020 03:40:14 -0700
+Subject: scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV
+
+From: Arun Easi <aeasi@marvell.com>
+
+[ Upstream commit 45a76264c26fd8cfd0c9746196892d9b7e2657ee ]
+
+In NPIV environment, a NPIV host may use a queue pair created by base host
+or other NPIVs, so the check for a queue pair created by this NPIV is not
+correct, and can cause an abort to fail, which in turn means the NVME
+command not returned. This leads to hang in nvme_fc layer in
+nvme_fc_delete_association() which waits for all I/Os to be returned, which
+is seen as hang in the application.
+
+Link: https://lore.kernel.org/r/20200331104015.24868-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 5e8ae510aef8..9d9737114dcf 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -2998,7 +2998,7 @@ qla24xx_abort_command(srb_t *sp)
+ ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x108c,
+ "Entered %s.\n", __func__);
+
+- if (vha->flags.qpairs_available && sp->qpair)
++ if (sp->qpair)
+ req = sp->qpair->req;
+
+ if (ql2xasynctmfenable)
+--
+2.25.1
+
ext4-add-cond_resched-to-ext4_protect_reserved_inode.patch
watchdog-fix-the-race-between-the-release-of-watchdog_core_data-and-cdev.patch
i2c-dev-fix-the-race-between-the-release-of-i2c_dev-and-cdev.patch
+ima-set-file-f_mode-instead-of-file-f_flags-in-ima_c.patch
+evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch
+ima-fix-return-value-of-ima_write_policy.patch
+fix-multiplication-overflow-in-copy_fdtable.patch
+iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch
+i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch
+ubi-fix-seq_file-usage-in-detailed_erase_block_info-.patch
+gcc-common.h-update-for-gcc-10.patch
+hid-multitouch-add-egalaxtouch-p80h84-support.patch
+scsi-qla2xxx-fix-hang-when-issuing-nvme-disconnect-a.patch
+configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch
+vhost-vsock-fix-packet-delivery-order-to-monitoring-.patch
+component-silence-bind-error-on-eprobe_defer.patch
+scsi-ibmvscsi-fix-warn_on-during-event-pool-release.patch
+x86-apic-move-tsc-deadline-timer-debug-printk.patch
+gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch
+ceph-fix-double-unlock-in-handle_cap_export.patch
+usb-core-fix-misleading-driver-bug-report.patch
+platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch
+arm-futex-address-build-warning.patch
--- /dev/null
+From 3aa6611218f3b39461e10df54fe9cb6f5fd9c570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 May 2020 14:48:02 +0200
+Subject: ubi: Fix seq_file usage in detailed_erase_block_info debugfs file
+
+From: Richard Weinberger <richard@nod.at>
+
+[ Upstream commit 0e7572cffe442290c347e779bf8bd4306bb0aa7c ]
+
+3bfa7e141b0b ("fs/seq_file.c: seq_read(): add info message about buggy .next functions")
+showed that we don't use seq_file correctly.
+So make sure that our ->next function always updates the position.
+
+Fixes: 7bccd12d27b7 ("ubi: Add debugfs file for tracking PEB state")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/debug.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/mtd/ubi/debug.c b/drivers/mtd/ubi/debug.c
+index 7bc96294ae4d..b108e1f04bf6 100644
+--- a/drivers/mtd/ubi/debug.c
++++ b/drivers/mtd/ubi/debug.c
+@@ -405,9 +405,6 @@ static void *eraseblk_count_seq_start(struct seq_file *s, loff_t *pos)
+ {
+ struct ubi_device *ubi = s->private;
+
+- if (*pos == 0)
+- return SEQ_START_TOKEN;
+-
+ if (*pos < ubi->peb_count)
+ return pos;
+
+@@ -421,8 +418,6 @@ static void *eraseblk_count_seq_next(struct seq_file *s, void *v, loff_t *pos)
+ {
+ struct ubi_device *ubi = s->private;
+
+- if (v == SEQ_START_TOKEN)
+- return pos;
+ (*pos)++;
+
+ if (*pos < ubi->peb_count)
+@@ -444,11 +439,8 @@ static int eraseblk_count_seq_show(struct seq_file *s, void *iter)
+ int err;
+
+ /* If this is the start, print a header */
+- if (iter == SEQ_START_TOKEN) {
+- seq_puts(s,
+- "physical_block_number\terase_count\tblock_status\tread_status\n");
+- return 0;
+- }
++ if (*block_number == 0)
++ seq_puts(s, "physical_block_number\terase_count\n");
+
+ err = ubi_io_is_bad(ubi, *block_number);
+ if (err)
+--
+2.25.1
+
--- /dev/null
+From 4e90d9490e1b9574c19eda0f2c45021f32dcf196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 May 2020 16:07:28 -0400
+Subject: USB: core: Fix misleading driver bug report
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+[ Upstream commit ac854131d9844f79e2fdcef67a7707227538d78a ]
+
+The syzbot fuzzer found a race between URB submission to endpoint 0
+and device reset. Namely, during the reset we call usb_ep0_reinit()
+because the characteristics of ep0 may have changed (if the reset
+follows a firmware update, for example). While usb_ep0_reinit() is
+running there is a brief period during which the pointers stored in
+udev->ep_in[0] and udev->ep_out[0] are set to NULL, and if an URB is
+submitted to ep0 during that period, usb_urb_ep_type_check() will
+report it as a driver bug. In the absence of those pointers, the
+routine thinks that the endpoint doesn't exist. The log message looks
+like this:
+
+------------[ cut here ]------------
+usb 2-1: BOGUS urb xfer, pipe 2 != type 2
+WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478
+usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478
+
+Now, although submitting an URB while the device is being reset is a
+questionable thing to do, it shouldn't count as a driver bug as severe
+as submitting an URB for an endpoint that doesn't exist. Indeed,
+endpoint 0 always exists, even while the device is in its unconfigured
+state.
+
+To prevent these misleading driver bug reports, this patch updates
+usb_disable_endpoint() to avoid clearing the ep_in[] and ep_out[]
+pointers when the endpoint being disabled is ep0. There's no danger
+of leaving a stale pointer in place, because the usb_host_endpoint
+structure being pointed to is stored permanently in udev->ep0; it
+doesn't get deallocated until the entire usb_device structure does.
+
+Reported-and-tested-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2005011558590.903-100000@netrider.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/message.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
+index 00e80cfe614c..298c91f83aee 100644
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -1082,11 +1082,11 @@ void usb_disable_endpoint(struct usb_device *dev, unsigned int epaddr,
+
+ if (usb_endpoint_out(epaddr)) {
+ ep = dev->ep_out[epnum];
+- if (reset_hardware)
++ if (reset_hardware && epnum != 0)
+ dev->ep_out[epnum] = NULL;
+ } else {
+ ep = dev->ep_in[epnum];
+- if (reset_hardware)
++ if (reset_hardware && epnum != 0)
+ dev->ep_in[epnum] = NULL;
+ }
+ if (ep) {
+--
+2.25.1
+
--- /dev/null
+From bedbcdd27eb1cc249ae7f46fa74c3878875ed3c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 17:08:29 +0200
+Subject: vhost/vsock: fix packet delivery order to monitoring devices
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 107bc0766b9feb5113074c753735a3f115c2141f ]
+
+We want to deliver packets to monitoring devices before it is
+put in the virtqueue, to avoid that replies can appear in the
+packet capture before the transmitted packet.
+
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index 834e88e20550..3f2f34ebf51f 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -182,14 +182,14 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock,
+ break;
+ }
+
+- vhost_add_used(vq, head, sizeof(pkt->hdr) + payload_len);
+- added = true;
+-
+- /* Deliver to monitoring devices all correctly transmitted
+- * packets.
++ /* Deliver to monitoring devices all packets that we
++ * will transmit.
+ */
+ virtio_transport_deliver_tap_pkt(pkt);
+
++ vhost_add_used(vq, head, sizeof(pkt->hdr) + payload_len);
++ added = true;
++
+ pkt->off += payload_len;
+ total_len += payload_len;
+
+--
+2.25.1
+
--- /dev/null
+From 5e67469201b9e33b0f71c27dbd9dc76ee58a18d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 16:55:57 +0200
+Subject: x86/apic: Move TSC deadline timer debug printk
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit c84cb3735fd53c91101ccdb191f2e3331a9262cb ]
+
+Leon reported that the printk_once() in __setup_APIC_LVTT() triggers a
+lockdep splat due to a lock order violation between hrtimer_base::lock and
+console_sem, when the 'once' condition is reset via
+/sys/kernel/debug/clear_warn_once after boot.
+
+The initial printk cannot trigger this because that happens during boot
+when the local APIC timer is set up on the boot CPU.
+
+Prevent it by moving the printk to a place which is guaranteed to be only
+called once during boot.
+
+Mark the deadline timer check related functions and data __init while at
+it.
+
+Reported-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/87y2qhoshi.fsf@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/apic.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 6415b4aead54..48ab5fdd1044 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -353,8 +353,6 @@ static void __setup_APIC_LVTT(unsigned int clocks, int oneshot, int irqen)
+ * According to Intel, MFENCE can do the serialization here.
+ */
+ asm volatile("mfence" : : : "memory");
+-
+- printk_once(KERN_DEBUG "TSC deadline timer enabled\n");
+ return;
+ }
+
+@@ -553,7 +551,7 @@ static DEFINE_PER_CPU(struct clock_event_device, lapic_events);
+ #define DEADLINE_MODEL_MATCH_REV(model, rev) \
+ { X86_VENDOR_INTEL, 6, model, X86_FEATURE_ANY, (unsigned long)rev }
+
+-static u32 hsx_deadline_rev(void)
++static __init u32 hsx_deadline_rev(void)
+ {
+ switch (boot_cpu_data.x86_stepping) {
+ case 0x02: return 0x3a; /* EP */
+@@ -563,7 +561,7 @@ static u32 hsx_deadline_rev(void)
+ return ~0U;
+ }
+
+-static u32 bdx_deadline_rev(void)
++static __init u32 bdx_deadline_rev(void)
+ {
+ switch (boot_cpu_data.x86_stepping) {
+ case 0x02: return 0x00000011;
+@@ -575,7 +573,7 @@ static u32 bdx_deadline_rev(void)
+ return ~0U;
+ }
+
+-static u32 skx_deadline_rev(void)
++static __init u32 skx_deadline_rev(void)
+ {
+ switch (boot_cpu_data.x86_stepping) {
+ case 0x03: return 0x01000136;
+@@ -588,7 +586,7 @@ static u32 skx_deadline_rev(void)
+ return ~0U;
+ }
+
+-static const struct x86_cpu_id deadline_match[] = {
++static const struct x86_cpu_id deadline_match[] __initconst = {
+ DEADLINE_MODEL_MATCH_FUNC( INTEL_FAM6_HASWELL_X, hsx_deadline_rev),
+ DEADLINE_MODEL_MATCH_REV ( INTEL_FAM6_BROADWELL_X, 0x0b000020),
+ DEADLINE_MODEL_MATCH_FUNC( INTEL_FAM6_BROADWELL_XEON_D, bdx_deadline_rev),
+@@ -610,18 +608,19 @@ static const struct x86_cpu_id deadline_match[] = {
+ {},
+ };
+
+-static void apic_check_deadline_errata(void)
++static __init bool apic_validate_deadline_timer(void)
+ {
+ const struct x86_cpu_id *m;
+ u32 rev;
+
+- if (!boot_cpu_has(X86_FEATURE_TSC_DEADLINE_TIMER) ||
+- boot_cpu_has(X86_FEATURE_HYPERVISOR))
+- return;
++ if (!boot_cpu_has(X86_FEATURE_TSC_DEADLINE_TIMER))
++ return false;
++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
++ return true;
+
+ m = x86_match_cpu(deadline_match);
+ if (!m)
+- return;
++ return true;
+
+ /*
+ * Function pointers will have the MSB set due to address layout,
+@@ -633,11 +632,12 @@ static void apic_check_deadline_errata(void)
+ rev = (u32)m->driver_data;
+
+ if (boot_cpu_data.microcode >= rev)
+- return;
++ return true;
+
+ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ pr_err(FW_BUG "TSC_DEADLINE disabled due to Errata; "
+ "please update microcode to version: 0x%x (or later)\n", rev);
++ return false;
+ }
+
+ /*
+@@ -1914,7 +1914,8 @@ void __init init_apic_mappings(void)
+ {
+ unsigned int new_apicid;
+
+- apic_check_deadline_errata();
++ if (apic_validate_deadline_timer())
++ pr_debug("TSC deadline timer available\n");
+
+ if (x2apic_mode) {
+ boot_cpu_physical_apicid = read_apic_id();
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
