--- /dev/null
+From 8051f90c1debb29feaa41d06efd4ab3dc5447b7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 15:46:30 +0800
+Subject: ALSA: echoaudio: Fix potential Oops in snd_echo_resume()
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 5a25de6df789cc805a9b8ba7ab5deef5067af47e ]
+
+Freeing chip on error may lead to an Oops at the next time
+the system goes to resume. Fix this by removing all
+snd_echo_free() calls on error.
+
+Fixes: 47b5d028fdce8 ("ALSA: Echoaudio - Add suspend support #2")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Link: https://lore.kernel.org/r/20200813074632.17022-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/echoaudio/echoaudio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c
+index d73ee11a32bd0..db14ee43e461a 100644
+--- a/sound/pci/echoaudio/echoaudio.c
++++ b/sound/pci/echoaudio/echoaudio.c
+@@ -2215,7 +2215,6 @@ static int snd_echo_resume(struct device *dev)
+ if (err < 0) {
+ kfree(commpage_bak);
+ dev_err(dev, "resume init_hw err=%d\n", err);
+- snd_echo_free(chip);
+ return err;
+ }
+
+@@ -2242,7 +2241,6 @@ static int snd_echo_resume(struct device *dev)
+ if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED,
+ KBUILD_MODNAME, chip)) {
+ dev_err(chip->card->dev, "cannot grab irq\n");
+- snd_echo_free(chip);
+ return -EBUSY;
+ }
+ chip->irq = pci->irq;
+--
+2.25.1
+
--- /dev/null
+From 44b575a38fd5e6cf44f3f0938c8bbfce4003cb34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jul 2020 03:21:43 +0000
+Subject: clk: clk-atlas6: fix return value check in atlas6_clk_init()
+
+From: Xu Wang <vulab@iscas.ac.cn>
+
+[ Upstream commit 12b90b40854a8461a02ef19f6f4474cc88d64b66 ]
+
+In case of error, the function clk_register() returns ERR_PTR()
+and never returns NULL. The NULL test in the return value check
+should be replaced with IS_ERR().
+
+Signed-off-by: Xu Wang <vulab@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20200713032143.21362-1-vulab@iscas.ac.cn
+Acked-by: Barry Song <baohua@kernel.org>
+Fixes: 7bf21bc81f28 ("clk: sirf: re-arch to make the codes support both prima2 and atlas6")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sirf/clk-atlas6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sirf/clk-atlas6.c b/drivers/clk/sirf/clk-atlas6.c
+index c5eaa9d162476..9af2d0dcd6a0f 100644
+--- a/drivers/clk/sirf/clk-atlas6.c
++++ b/drivers/clk/sirf/clk-atlas6.c
+@@ -137,7 +137,7 @@ static void __init atlas6_clk_init(struct device_node *np)
+
+ for (i = pll1; i < maxclk; i++) {
+ atlas6_clks[i] = clk_register(NULL, atlas6_clk_hw_array[i]);
+- BUG_ON(!atlas6_clks[i]);
++ BUG_ON(IS_ERR(atlas6_clks[i]));
+ }
+ clk_register_clkdev(atlas6_clks[cpu], NULL, "cpu");
+ clk_register_clkdev(atlas6_clks[io], NULL, "io");
+--
+2.25.1
+
--- /dev/null
+From 6dcde46075c2037ddc0b97ecc162580e29cc430d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jun 2020 13:39:59 +0300
+Subject: drm/vmwgfx: Fix two list_for_each loop exit tests
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4437c1152ce0e57ab8f401aa696ea6291cc07ab1 ]
+
+These if statements are supposed to be true if we ended the
+list_for_each_entry() loops without hitting a break statement but they
+don't work.
+
+In the first loop, we increment "i" after the "if (i == unit)" condition
+so we don't necessarily know that "i" is not equal to unit at the end of
+the loop.
+
+In the second loop we exit when mode is not pointing to a valid
+drm_display_mode struct so it doesn't make sense to check "mode->type".
+
+Fixes: a278724aa23c ("drm/vmwgfx: Implement fbdev on kms v2")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Roland Scheidegger <sroland@vmware.com>
+Signed-off-by: Roland Scheidegger <sroland@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index 9b97f70fbb3df..0b7427d474feb 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -2086,7 +2086,7 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv,
+ ++i;
+ }
+
+- if (i != unit) {
++ if (&con->head == &dev_priv->dev->mode_config.connector_list) {
+ DRM_ERROR("Could not find initial display unit.\n");
+ return -EINVAL;
+ }
+@@ -2108,13 +2108,13 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv,
+ break;
+ }
+
+- if (mode->type & DRM_MODE_TYPE_PREFERRED)
+- *p_mode = mode;
+- else {
++ if (&mode->head == &con->modes) {
+ WARN_ONCE(true, "Could not find initial preferred mode.\n");
+ *p_mode = list_first_entry(&con->modes,
+ struct drm_display_mode,
+ head);
++ } else {
++ *p_mode = mode;
+ }
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 2663441081806f11595dc7edad06b1ea50885601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 18:35:53 -0700
+Subject: fs/ufs: avoid potential u32 multiplication overflow
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 88b2e9b06381551b707d980627ad0591191f7a2d ]
+
+The 64 bit ino is being compared to the product of two u32 values,
+however, the multiplication is being performed using a 32 bit multiply so
+there is a potential of an overflow. To be fully safe, cast uspi->s_ncg
+to a u64 to ensure a 64 bit multiplication occurs to avoid any chance of
+overflow.
+
+Fixes: f3e2a520f5fb ("ufs: NFS support")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Evgeniy Dushistov <dushistov@mail.ru>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Link: http://lkml.kernel.org/r/20200715170355.1081713-1-colin.king@canonical.com
+Addresses-Coverity: ("Unintentional integer overflow")
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ufs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ufs/super.c b/fs/ufs/super.c
+index 10f364490833e..be68b48de1cc6 100644
+--- a/fs/ufs/super.c
++++ b/fs/ufs/super.c
+@@ -99,7 +99,7 @@ static struct inode *ufs_nfs_get_inode(struct super_block *sb, u64 ino, u32 gene
+ struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi;
+ struct inode *inode;
+
+- if (ino < UFS_ROOTINO || ino > uspi->s_ncg * uspi->s_ipg)
++ if (ino < UFS_ROOTINO || ino > (u64)uspi->s_ncg * uspi->s_ipg)
+ return ERR_PTR(-ESTALE);
+
+ inode = ufs_iget(sb, ino);
+--
+2.25.1
+
--- /dev/null
+From 4651725af4db3a35bc36d23ff6aa3be61f6a789c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 17:38:07 +0200
+Subject: i2c: rcar: slave: only send STOP event when we have been addressed
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 314139f9f0abdba61ed9a8463bbcb0bf900ac5a2 ]
+
+When the SSR interrupt is activated, it will detect every STOP condition
+on the bus, not only the ones after we have been addressed. So, enable
+this interrupt only after we have been addressed, and disable it
+otherwise.
+
+Fixes: de20d1857dd6 ("i2c: rcar: add slave support")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-rcar.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
+index dfe1a53ce4ad3..ddfb08a3e6c20 100644
+--- a/drivers/i2c/busses/i2c-rcar.c
++++ b/drivers/i2c/busses/i2c-rcar.c
+@@ -386,13 +386,14 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv)
+ rcar_i2c_write(priv, ICSIER, SDR | SSR | SAR);
+ }
+
+- rcar_i2c_write(priv, ICSSR, ~SAR & 0xff);
++ /* Clear SSR, too, because of old STOPs to other clients than us */
++ rcar_i2c_write(priv, ICSSR, ~(SAR | SSR) & 0xff);
+ }
+
+ /* master sent stop */
+ if (ssr_filtered & SSR) {
+ i2c_slave_event(priv->slave, I2C_SLAVE_STOP, &value);
+- rcar_i2c_write(priv, ICSIER, SAR | SSR);
++ rcar_i2c_write(priv, ICSIER, SAR);
+ rcar_i2c_write(priv, ICSSR, ~SSR & 0xff);
+ }
+
+@@ -541,7 +542,7 @@ static int rcar_reg_slave(struct i2c_client *slave)
+ priv->slave = slave;
+ rcar_i2c_write(priv, ICSAR, slave->addr);
+ rcar_i2c_write(priv, ICSSR, 0);
+- rcar_i2c_write(priv, ICSIER, SAR | SSR);
++ rcar_i2c_write(priv, ICSIER, SAR);
+ rcar_i2c_write(priv, ICSCR, SIE | SDBS);
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 39cc399a243c5d3da0b83929630c653f550ba712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 15:35:34 -0700
+Subject: Input: sentelic - fix error return when fsp_reg_write fails
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit ea38f06e0291986eb93beb6d61fd413607a30ca4 ]
+
+Currently when the call to fsp_reg_write fails -EIO is not being returned
+because the count is being returned instead of the return value in retval.
+Fix this by returning the value in retval instead of count.
+
+Addresses-Coverity: ("Unused value")
+Fixes: fc69f4a6af49 ("Input: add new driver for Sentelic Finger Sensing Pad")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20200603141218.131663-1-colin.king@canonical.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/mouse/sentelic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/mouse/sentelic.c b/drivers/input/mouse/sentelic.c
+index 11c32ac8234b2..779d0b9341c0d 100644
+--- a/drivers/input/mouse/sentelic.c
++++ b/drivers/input/mouse/sentelic.c
+@@ -454,7 +454,7 @@ static ssize_t fsp_attr_set_setreg(struct psmouse *psmouse, void *data,
+
+ fsp_reg_write_enable(psmouse, false);
+
+- return count;
++ return retval;
+ }
+
+ PSMOUSE_DEFINE_WO_ATTR(setreg, S_IWUSR, NULL, fsp_attr_set_setreg);
+--
+2.25.1
+
--- /dev/null
+From f69fdc720455fed3408c77227d7f156c52ce19d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 20:22:11 +0100
+Subject: iommu/omap: Check for failure of a call to omap_iommu_dump_ctx
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit dee9d154f40c58d02f69acdaa5cfd1eae6ebc28b ]
+
+It is possible for the call to omap_iommu_dump_ctx to return
+a negative error number, so check for the failure and return
+the error number rather than pass the negative value to
+simple_read_from_buffer.
+
+Fixes: 14e0e6796a0d ("OMAP: iommu: add initial debugfs support")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20200714192211.744776-1-colin.king@canonical.com
+Addresses-Coverity: ("Improper use of negative value")
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/omap-iommu-debug.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
+index 9bc20e2119a35..82bf208295f4b 100644
+--- a/drivers/iommu/omap-iommu-debug.c
++++ b/drivers/iommu/omap-iommu-debug.c
+@@ -101,8 +101,11 @@ static ssize_t debug_read_regs(struct file *file, char __user *userbuf,
+ mutex_lock(&iommu_debug_lock);
+
+ bytes = omap_iommu_dump_ctx(obj, p, count);
++ if (bytes < 0)
++ goto err;
+ bytes = simple_read_from_buffer(userbuf, count, ppos, buf, bytes);
+
++err:
+ mutex_unlock(&iommu_debug_lock);
+ kfree(buf);
+
+--
+2.25.1
+
--- /dev/null
+From 90e8b5f9a3da387e917147bdf0c7edef7acc209b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 09:49:14 +0800
+Subject: iommu/vt-d: Enforce PASID devTLB field mask
+
+From: Liu Yi L <yi.l.liu@intel.com>
+
+[ Upstream commit 5f77d6ca5ca74e4b4a5e2e010f7ff50c45dea326 ]
+
+Set proper masks to avoid invalid input spillover to reserved bits.
+
+Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Link: https://lore.kernel.org/r/20200724014925.15523-2-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/intel-iommu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h
+index 27dbab59f034c..d86ac620f0aac 100644
+--- a/include/linux/intel-iommu.h
++++ b/include/linux/intel-iommu.h
+@@ -317,8 +317,8 @@ enum {
+
+ #define QI_DEV_EIOTLB_ADDR(a) ((u64)(a) & VTD_PAGE_MASK)
+ #define QI_DEV_EIOTLB_SIZE (((u64)1) << 11)
+-#define QI_DEV_EIOTLB_GLOB(g) ((u64)g)
+-#define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32)
++#define QI_DEV_EIOTLB_GLOB(g) ((u64)(g) & 0x1)
++#define QI_DEV_EIOTLB_PASID(p) ((u64)((p) & 0xfffff) << 32)
+ #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16)
+ #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4)
+ #define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | \
+--
+2.25.1
+
--- /dev/null
+From 59204d3a9f02b5dbfe7a9c88f5fe0edaf543aedb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 16:02:46 +0300
+Subject: mfd: dln2: Run event handler loop under spinlock
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 3d858942250820b9adc35f963a257481d6d4c81d ]
+
+The event handler loop must be run with interrupts disabled.
+Otherwise we will have a warning:
+
+[ 1970.785649] irq 31 handler lineevent_irq_handler+0x0/0x20 enabled interrupts
+[ 1970.792739] WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x162/0x170
+[ 1970.860732] RIP: 0010:__handle_irq_event_percpu+0x162/0x170
+...
+[ 1970.946994] Call Trace:
+[ 1970.949446] <IRQ>
+[ 1970.951471] handle_irq_event_percpu+0x2c/0x80
+[ 1970.955921] handle_irq_event+0x23/0x43
+[ 1970.959766] handle_simple_irq+0x57/0x70
+[ 1970.963695] generic_handle_irq+0x42/0x50
+[ 1970.967717] dln2_rx+0xc1/0x210 [dln2]
+[ 1970.971479] ? usb_hcd_unmap_urb_for_dma+0xa6/0x1c0
+[ 1970.976362] __usb_hcd_giveback_urb+0x77/0xe0
+[ 1970.980727] usb_giveback_urb_bh+0x8e/0xe0
+[ 1970.984837] tasklet_action_common.isra.0+0x4a/0xe0
+...
+
+Recently xHCI driver switched to tasklets in the commit 36dc01657b49
+("usb: host: xhci: Support running urb giveback in tasklet context").
+
+The handle_irq_event_* functions are expected to be called with interrupts
+disabled and they rightfully complain here because we run in tasklet context
+with interrupts enabled.
+
+Use a event spinlock to protect event handler from being interrupted.
+
+Note, that there are only two users of this GPIO and ADC drivers and both of
+them are using generic_handle_irq() which makes above happen.
+
+Fixes: 338a12814297 ("mfd: Add support for Diolan DLN-2 devices")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/dln2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
+index 672831d5ee32e..97a69cd6f1278 100644
+--- a/drivers/mfd/dln2.c
++++ b/drivers/mfd/dln2.c
+@@ -294,7 +294,11 @@ static void dln2_rx(struct urb *urb)
+ len = urb->actual_length - sizeof(struct dln2_header);
+
+ if (handle == DLN2_HANDLE_EVENT) {
++ unsigned long flags;
++
++ spin_lock_irqsave(&dln2->event_cb_lock, flags);
+ dln2_run_event_callbacks(dln2, id, echo, data, len);
++ spin_unlock_irqrestore(&dln2->event_cb_lock, flags);
+ } else {
+ /* URB will be re-submitted in _dln2_transfer (free_rx_slot) */
+ if (dln2_transfer_complete(dln2, urb, handle, echo))
+--
+2.25.1
+
--- /dev/null
+From 339d37e3e6c371d897ced18b35285835e677da65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 12:23:19 -0500
+Subject: nfs: Fix getxattr kernel panic and memory overflow
+
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+
+[ Upstream commit b4487b93545214a9db8cbf32e86411677b0cca21 ]
+
+Move the buffer size check to decode_attr_security_label() before memcpy()
+Only call memcpy() if the buffer is large enough
+
+Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
+Signed-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+[Trond: clean up duplicate test of label->len != 0]
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 2 --
+ fs/nfs/nfs4xdr.c | 6 +++++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 566afcc36adb5..ca1702cefb852 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4916,8 +4916,6 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf,
+ return ret;
+ if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))
+ return -ENOENT;
+- if (buflen < label.len)
+- return -ERANGE;
+ return 0;
+ }
+
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index 15cd9db6d616d..28c1b765e4444 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4158,7 +4158,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
+ goto out_overflow;
+ if (len < NFS4_MAXLABELLEN) {
+ if (label) {
+- memcpy(label->label, p, len);
++ if (label->len) {
++ if (label->len < len)
++ return -ERANGE;
++ memcpy(label->label, p, len);
++ }
+ label->len = len;
+ label->pi = pi;
+ label->lfs = lfs;
+--
+2.25.1
+
ocfs2-change-slot-number-type-s16-to-u16.patch
kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch
pseries-fix-64-bit-logical-memory-block-panic.patch
+usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch
+usb-serial-ftdi_sio-clean-up-receive-processing.patch
+usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch
+iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch
+iommu-vt-d-enforce-pasid-devtlb-field-mask.patch
+i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch
+clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch
+input-sentelic-fix-error-return-when-fsp_reg_write-f.patch
+drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch
+nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch
+fs-ufs-avoid-potential-u32-multiplication-overflow.patch
+mfd-dln2-run-event-handler-loop-under-spinlock.patch
+alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch
+sh-landisk-add-missing-initialization-of-sh_io_port_.patch
--- /dev/null
+From 5ac205afecfb8864b6c6bd6e2e687fc444d90654 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 14:42:45 +0200
+Subject: sh: landisk: Add missing initialization of sh_io_port_base
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 0c64a0dce51faa9c706fdf1f957d6f19878f4b81 ]
+
+The Landisk setup code maps the CF IDE area using ioremap_prot(), and
+passes the resulting virtual addresses to the pata_platform driver,
+disguising them as I/O port addresses. Hence the pata_platform driver
+translates them again using ioport_map().
+As CONFIG_GENERIC_IOMAP=n, and CONFIG_HAS_IOPORT_MAP=y, the
+SuperH-specific mapping code in arch/sh/kernel/ioport.c translates
+I/O port addresses to virtual addresses by adding sh_io_port_base, which
+defaults to -1, thus breaking the assumption of an identity mapping.
+
+Fix this by setting sh_io_port_base to zero.
+
+Fixes: 37b7a97884ba64bf ("sh: machvec IO death.")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/boards/mach-landisk/setup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/sh/boards/mach-landisk/setup.c b/arch/sh/boards/mach-landisk/setup.c
+index f1147caebacf0..af69fb7fef7c7 100644
+--- a/arch/sh/boards/mach-landisk/setup.c
++++ b/arch/sh/boards/mach-landisk/setup.c
+@@ -85,6 +85,9 @@ device_initcall(landisk_devices_setup);
+
+ static void __init landisk_setup(char **cmdline_p)
+ {
++ /* I/O port identity mapping */
++ __set_io_port_base(0);
++
+ /* LED ON */
+ __raw_writeb(__raw_readb(PA_LED) | 0x03, PA_LED);
+
+--
+2.25.1
+
--- /dev/null
+From 7522c33a9c81a0a29feb4c67d84d589342007637 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 14:49:52 +0200
+Subject: USB: serial: ftdi_sio: clean up receive processing
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit ce054039ba5e47b75a3be02a00274e52b06a6456 ]
+
+Clean up receive processing by dropping the character pointer and
+keeping the length argument unchanged throughout the function.
+
+Also make it more apparent that sysrq processing can consume a
+characters by adding an explicit continue.
+
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 4b9404f99c010..0afea511eb376 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2054,7 +2054,6 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ struct ftdi_private *priv, unsigned char *buf, int len)
+ {
+ unsigned char status;
+- unsigned char *ch;
+ int i;
+ char flag;
+
+@@ -2097,8 +2096,7 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ else
+ priv->transmit_empty = 0;
+
+- len -= 2;
+- if (!len)
++ if (len == 2)
+ return 0; /* status only */
+
+ /*
+@@ -2127,19 +2125,20 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ }
+ }
+
+- port->icount.rx += len;
+- ch = buf + 2;
++ port->icount.rx += len - 2;
+
+ if (port->port.console && port->sysrq) {
+- for (i = 0; i < len; i++, ch++) {
+- if (!usb_serial_handle_sysrq_char(port, *ch))
+- tty_insert_flip_char(&port->port, *ch, flag);
++ for (i = 2; i < len; i++) {
++ if (usb_serial_handle_sysrq_char(port, buf[i]))
++ continue;
++ tty_insert_flip_char(&port->port, buf[i], flag);
+ }
+ } else {
+- tty_insert_flip_string_fixed_flag(&port->port, ch, flag, len);
++ tty_insert_flip_string_fixed_flag(&port->port, buf + 2, flag,
++ len - 2);
+ }
+
+- return len;
++ return len - 2;
+ }
+
+ static void ftdi_process_read_urb(struct urb *urb)
+--
+2.25.1
+
--- /dev/null
+From fa9cb56cffc3e2c6d0a157b8d0109079ab0ba43d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 14:49:53 +0200
+Subject: USB: serial: ftdi_sio: fix break and sysrq handling
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 733fff67941dad64b8a630450b8372b1873edc41 ]
+
+Only the last NUL in a packet should be flagged as a break character,
+for example, to avoid dropping unrelated characters when IGNBRK is set.
+
+Also make sysrq work by consuming the break character instead of having
+it immediately cancel the sysrq request, and by not processing it
+prematurely to avoid triggering a sysrq based on an unrelated character
+received in the same packet (which was received *before* the break).
+
+Note that the break flag can be left set also for a packet received
+immediately following a break and that and an ending NUL in such a
+packet will continue to be reported as a break as there's no good way to
+tell it apart from an actual break.
+
+Tested on FT232R and FT232H.
+
+Fixes: 72fda3ca6fc1 ("USB: serial: ftd_sio: implement sysrq handling on break")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 0afea511eb376..2dfec4c1ef4de 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2054,6 +2054,7 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ struct ftdi_private *priv, unsigned char *buf, int len)
+ {
+ unsigned char status;
++ bool brkint = false;
+ int i;
+ char flag;
+
+@@ -2105,13 +2106,17 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ */
+ flag = TTY_NORMAL;
+ if (buf[1] & FTDI_RS_ERR_MASK) {
+- /* Break takes precedence over parity, which takes precedence
+- * over framing errors */
+- if (buf[1] & FTDI_RS_BI) {
+- flag = TTY_BREAK;
++ /*
++ * Break takes precedence over parity, which takes precedence
++ * over framing errors. Note that break is only associated
++ * with the last character in the buffer and only when it's a
++ * NUL.
++ */
++ if (buf[1] & FTDI_RS_BI && buf[len - 1] == '\0') {
+ port->icount.brk++;
+- usb_serial_handle_break(port);
+- } else if (buf[1] & FTDI_RS_PE) {
++ brkint = true;
++ }
++ if (buf[1] & FTDI_RS_PE) {
+ flag = TTY_PARITY;
+ port->icount.parity++;
+ } else if (buf[1] & FTDI_RS_FE) {
+@@ -2127,8 +2132,13 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+
+ port->icount.rx += len - 2;
+
+- if (port->port.console && port->sysrq) {
++ if (brkint || (port->port.console && port->sysrq)) {
+ for (i = 2; i < len; i++) {
++ if (brkint && i == len - 1) {
++ if (usb_serial_handle_break(port))
++ return len - 3;
++ flag = TTY_BREAK;
++ }
+ if (usb_serial_handle_sysrq_char(port, buf[i]))
+ continue;
+ tty_insert_flip_char(&port->port, buf[i], flag);
+--
+2.25.1
+
--- /dev/null
+From d61346287dddcda8ec23950569ff4cc312ceefbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 14:49:51 +0200
+Subject: USB: serial: ftdi_sio: make process-packet buffer unsigned
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit ab4cc4ef6724ea588e835fc1e764c4b4407a70b7 ]
+
+Use an unsigned type for the process-packet buffer argument and give it
+a more apt name.
+
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 8388f88ce6356..4b9404f99c010 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2051,12 +2051,12 @@ static int ftdi_prepare_write_buffer(struct usb_serial_port *port,
+ #define FTDI_RS_ERR_MASK (FTDI_RS_BI | FTDI_RS_PE | FTDI_RS_FE | FTDI_RS_OE)
+
+ static int ftdi_process_packet(struct usb_serial_port *port,
+- struct ftdi_private *priv, char *packet, int len)
++ struct ftdi_private *priv, unsigned char *buf, int len)
+ {
++ unsigned char status;
++ unsigned char *ch;
+ int i;
+- char status;
+ char flag;
+- char *ch;
+
+ if (len < 2) {
+ dev_dbg(&port->dev, "malformed packet\n");
+@@ -2066,7 +2066,7 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ /* Compare new line status to the old one, signal if different/
+ N.B. packet may be processed more than once, but differences
+ are only processed once. */
+- status = packet[0] & FTDI_STATUS_B0_MASK;
++ status = buf[0] & FTDI_STATUS_B0_MASK;
+ if (status != priv->prev_status) {
+ char diff_status = status ^ priv->prev_status;
+
+@@ -2092,7 +2092,7 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ }
+
+ /* save if the transmitter is empty or not */
+- if (packet[1] & FTDI_RS_TEMT)
++ if (buf[1] & FTDI_RS_TEMT)
+ priv->transmit_empty = 1;
+ else
+ priv->transmit_empty = 0;
+@@ -2106,29 +2106,29 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ * data payload to avoid over-reporting.
+ */
+ flag = TTY_NORMAL;
+- if (packet[1] & FTDI_RS_ERR_MASK) {
++ if (buf[1] & FTDI_RS_ERR_MASK) {
+ /* Break takes precedence over parity, which takes precedence
+ * over framing errors */
+- if (packet[1] & FTDI_RS_BI) {
++ if (buf[1] & FTDI_RS_BI) {
+ flag = TTY_BREAK;
+ port->icount.brk++;
+ usb_serial_handle_break(port);
+- } else if (packet[1] & FTDI_RS_PE) {
++ } else if (buf[1] & FTDI_RS_PE) {
+ flag = TTY_PARITY;
+ port->icount.parity++;
+- } else if (packet[1] & FTDI_RS_FE) {
++ } else if (buf[1] & FTDI_RS_FE) {
+ flag = TTY_FRAME;
+ port->icount.frame++;
+ }
+ /* Overrun is special, not associated with a char */
+- if (packet[1] & FTDI_RS_OE) {
++ if (buf[1] & FTDI_RS_OE) {
+ port->icount.overrun++;
+ tty_insert_flip_char(&port->port, 0, TTY_OVERRUN);
+ }
+ }
+
+ port->icount.rx += len;
+- ch = packet + 2;
++ ch = buf + 2;
+
+ if (port->port.console && port->sysrq) {
+ for (i = 0; i < len; i++, ch++) {
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
