--- /dev/null
+From 9f063b3f22a18a0e02ea088deb3dfa26ad032dba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2020 12:59:12 +0100
+Subject: ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit e1de94380af588bdf6ad6f0cc1f75004c35bc096 ]
+
+Recent work with KASan exposed the folling hard-coded bitmask
+in arch/arm/mm/proc-macros.S:
+
+ bic rd, sp, #8128
+ bic rd, rd, #63
+
+This forms the bitmask 0x1FFF that is coinciding with
+(PAGE_SIZE << THREAD_SIZE_ORDER) - 1, this code was assuming
+that THREAD_SIZE is always 8K (8192).
+
+As KASan was increasing THREAD_SIZE_ORDER to 2, I ran into
+this bug.
+
+Fix it by this little oneline suggested by Ard:
+
+ bic rd, sp, #(THREAD_SIZE - 1) & ~63
+
+Where THREAD_SIZE is defined using THREAD_SIZE_ORDER.
+
+We have to also include <linux/const.h> since the THREAD_SIZE
+expands to use the _AC() macro.
+
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Suggested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/proc-macros.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/proc-macros.S b/arch/arm/mm/proc-macros.S
+index e6bfdcc381f8..1da55d34f4d6 100644
+--- a/arch/arm/mm/proc-macros.S
++++ b/arch/arm/mm/proc-macros.S
+@@ -4,6 +4,7 @@
+ * VMA_VM_FLAGS
+ * VM_EXEC
+ */
++#include <linux/const.h>
+ #include <asm/asm-offsets.h>
+ #include <asm/thread_info.h>
+
+@@ -30,7 +31,7 @@
+ * act_mm - get current->active_mm
+ */
+ .macro act_mm, rd
+- bic \rd, sp, #8128
++ bic \rd, sp, #(THREAD_SIZE - 1) & ~63
+ bic \rd, \rd, #63
+ ldr \rd, [\rd, #TI_TASK]
+ ldr \rd, [\rd, #TSK_ACTIVE_MM]
+--
+2.25.1
+
--- /dev/null
+From f632ddb46ed044a6edbc114872100bce49eb53af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 17:27:04 +0800
+Subject: Bluetooth: Add SCO fallback for invalid LMP parameters error
+
+From: Hsin-Yu Chao <hychao@chromium.org>
+
+[ Upstream commit 56b5453a86203a44726f523b4133c1feca49ce7c ]
+
+Bluetooth PTS test case HFP/AG/ACC/BI-12-I accepts SCO connection
+with invalid parameter at the first SCO request expecting AG to
+attempt another SCO request with the use of "safe settings" for
+given codec, base on section 5.7.1.2 of HFP 1.7 specification.
+
+This patch addresses it by adding "Invalid LMP Parameters" (0x1e)
+to the SCO fallback case. Verified with below log:
+
+< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
+ Handle: 256
+ Transmit bandwidth: 8000
+ Receive bandwidth: 8000
+ Max latency: 13
+ Setting: 0x0003
+ Input Coding: Linear
+ Input Data Format: 1's complement
+ Input Sample Size: 8-bit
+ # of bits padding at MSB: 0
+ Air Coding Format: Transparent Data
+ Retransmission effort: Optimize for link quality (0x02)
+ Packet type: 0x0380
+ 3-EV3 may not be used
+ 2-EV5 may not be used
+ 3-EV5 may not be used
+> HCI Event: Command Status (0x0f) plen 4
+ Setup Synchronous Connection (0x01|0x0028) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Number of Completed Packets (0x13) plen 5
+ Num handles: 1
+ Handle: 256
+ Count: 1
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 1
+> HCI Event: Synchronous Connect Complete (0x2c) plen 17
+ Status: Invalid LMP Parameters / Invalid LL Parameters (0x1e)
+ Handle: 0
+ Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
+ Link type: eSCO (0x02)
+ Transmission interval: 0x00
+ Retransmission window: 0x02
+ RX packet length: 0
+ TX packet length: 0
+ Air mode: Transparent (0x03)
+< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
+ Handle: 256
+ Transmit bandwidth: 8000
+ Receive bandwidth: 8000
+ Max latency: 8
+ Setting: 0x0003
+ Input Coding: Linear
+ Input Data Format: 1's complement
+ Input Sample Size: 8-bit
+ # of bits padding at MSB: 0
+ Air Coding Format: Transparent Data
+ Retransmission effort: Optimize for link quality (0x02)
+ Packet type: 0x03c8
+ EV3 may be used
+ 2-EV3 may not be used
+ 3-EV3 may not be used
+ 2-EV5 may not be used
+ 3-EV5 may not be used
+> HCI Event: Command Status (0x0f) plen 4
+ Setup Synchronous Connection (0x01|0x0028) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 5
+> HCI Event: Max Slots Change (0x1b) plen 3
+ Handle: 256
+ Max slots: 1
+> HCI Event: Synchronous Connect Complete (0x2c) plen 17
+ Status: Success (0x00)
+ Handle: 257
+ Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
+ Link type: eSCO (0x02)
+ Transmission interval: 0x06
+ Retransmission window: 0x04
+ RX packet length: 30
+ TX packet length: 30
+ Air mode: Transparent (0x03)
+
+Signed-off-by: Hsin-Yu Chao <hychao@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 37fe2b158c2a..1d957c7f1783 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3761,6 +3761,7 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
+ case 0x11: /* Unsupported Feature or Parameter Value */
+ case 0x1c: /* SCO interval rejected */
+ case 0x1a: /* Unsupported Remote Feature */
++ case 0x1e: /* Invalid LMP Parameters */
+ case 0x1f: /* Unspecified error */
+ case 0x20: /* Unsupported LMP Parameter value */
+ if (conn->out) {
+--
+2.25.1
+
--- /dev/null
+From 05ff45649d5dde3539a1a383aeae0dbb9f4d2a87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 12:15:09 +0100
+Subject: btrfs: do not ignore error from btrfs_next_leaf() when inserting
+ checksums
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 7e4a3f7ed5d54926ec671bbb13e171cfe179cc50 ]
+
+We are currently treating any non-zero return value from btrfs_next_leaf()
+the same way, by going to the code that inserts a new checksum item in the
+tree. However if btrfs_next_leaf() returns an error (a value < 0), we
+should just stop and return the error, and not behave as if nothing has
+happened, since in that case we do not have a way to know if there is a
+next leaf or we are currently at the last leaf already.
+
+So fix that by returning the error from btrfs_next_leaf().
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/file-item.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c
+index 58ece6558430..fb5c97ea670f 100644
+--- a/fs/btrfs/file-item.c
++++ b/fs/btrfs/file-item.c
+@@ -742,10 +742,12 @@ again:
+ nritems = btrfs_header_nritems(path->nodes[0]);
+ if (!nritems || (path->slots[0] >= nritems - 1)) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret == 1)
++ if (ret < 0) {
++ goto out;
++ } else if (ret > 0) {
+ found_next = 1;
+- if (ret != 0)
+ goto insert;
++ }
+ slot = path->slots[0];
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &found_key, slot);
+--
+2.25.1
+
--- /dev/null
+From a72e8bb3fa367c496ad193acd45c820d1bbbc1a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 23:48:15 +0300
+Subject: clocksource: dw_apb_timer_of: Fix missing clockevent timers
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 6d2e16a3181bafb77b535095c39ad1c8b9558c8c ]
+
+Commit 100214889973 ("clocksource: dw_apb_timer_of: use
+clocksource_of_init") replaced a publicly available driver
+initialization method with one called by the timer_probe() method
+available after CLKSRC_OF. In current implementation it traverses
+all the timers available in the system and calls their initialization
+methods if corresponding devices were either in dtb or in acpi. But
+if before the commit any number of available timers would be installed
+as clockevent and clocksource devices, after that there would be at most
+two. The rest are just ignored since default case branch doesn't do
+anything. I don't see a reason of such behaviour, neither the commit
+message explains it. Moreover this might be wrong if on some platforms
+these timers might be used for different purpose, as virtually CPU-local
+clockevent timers and as an independent broadcast timer. So in order
+to keep the compatibility with the platforms where the order of the
+timers detection has some meaning, lets add the secondly discovered
+timer to be of clocksource/sched_clock type, while the very first and
+the others would provide the clockevents service.
+
+Fixes: 100214889973 ("clocksource: dw_apb_timer_of: use clocksource_of_init")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-rtc@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200521204818.25436-7-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/dw_apb_timer_of.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clocksource/dw_apb_timer_of.c b/drivers/clocksource/dw_apb_timer_of.c
+index a19a3f619cc7..99e5fd59964b 100644
+--- a/drivers/clocksource/dw_apb_timer_of.c
++++ b/drivers/clocksource/dw_apb_timer_of.c
+@@ -134,16 +134,14 @@ static int num_called;
+ static void __init dw_apb_timer_init(struct device_node *timer)
+ {
+ switch (num_called) {
+- case 0:
+- pr_debug("%s: found clockevent timer\n", __func__);
+- add_clockevent(timer);
+- break;
+ case 1:
+ pr_debug("%s: found clocksource timer\n", __func__);
+ add_clocksource(timer);
+ init_sched_clock();
+ break;
+ default:
++ pr_debug("%s: found clockevent timer\n", __func__);
++ add_clockevent(timer);
+ break;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 94edd28fdc57d40c732fd37f9a72d2a7e841643f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 13:20:46 -0500
+Subject: cpuidle: Fix three reference count leaks
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit c343bf1ba5efcbf2266a1fe3baefec9cc82f867f ]
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object.
+
+Previous commit "b8eb718348b8" fixed a similar problem.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/sysfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
+index 9e98a5fbbc1d..e7e92ed34f0c 100644
+--- a/drivers/cpuidle/sysfs.c
++++ b/drivers/cpuidle/sysfs.c
+@@ -412,7 +412,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device)
+ ret = kobject_init_and_add(&kobj->kobj, &ktype_state_cpuidle,
+ &kdev->kobj, "state%d", i);
+ if (ret) {
+- kfree(kobj);
++ kobject_put(&kobj->kobj);
+ goto error_state;
+ }
+ kobject_uevent(&kobj->kobj, KOBJ_ADD);
+@@ -542,7 +542,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev)
+ ret = kobject_init_and_add(&kdrv->kobj, &ktype_driver_cpuidle,
+ &kdev->kobj, "driver");
+ if (ret) {
+- kfree(kdrv);
++ kobject_put(&kdrv->kobj);
+ return ret;
+ }
+
+@@ -636,7 +636,7 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ error = kobject_init_and_add(&kdev->kobj, &ktype_cpuidle, &cpu_dev->kobj,
+ "cpuidle");
+ if (error) {
+- kfree(kdev);
++ kobject_put(&kdev->kobj);
+ return error;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 952175a7b945c840f798bf33652034cb6654c0fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2020 22:23:02 -0800
+Subject: e1000: Distribute switch variables for initialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit a34c7f5156654ebaf7eaace102938be7ff7036cb ]
+
+Variables declared in a switch statement before any case statements
+cannot be automatically initialized with compiler instrumentation (as
+they are not part of any execution flow). With GCC's proposed automatic
+stack variable initialization feature, this triggers a warning (and they
+don't get initialized). Clang's automatic stack variable initialization
+(via CONFIG_INIT_STACK_ALL=y) doesn't throw a warning, but it also
+doesn't initialize such variables[1]. Note that these warnings (or silent
+skipping) happen before the dead-store elimination optimization phase,
+so even when the automatic initializations are later elided in favor of
+direct initializations, the warnings remain.
+
+To avoid these problems, move such variables into the "case" where
+they're used or lift them up into the main function body.
+
+drivers/net/ethernet/intel/e1000/e1000_main.c: In function ‘e1000_xmit_frame’:
+drivers/net/ethernet/intel/e1000/e1000_main.c:3143:18: warning: statement will never be executed [-Wswitch-unreachable]
+ 3143 | unsigned int pull_size;
+ | ^~~~~~~~~
+
+[1] https://bugs.llvm.org/show_bug.cgi?id=44916
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
+index 1f84f2fa459f..f958188207fd 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -3162,8 +3162,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+ hdr_len = skb_transport_offset(skb) + tcp_hdrlen(skb);
+ if (skb->data_len && hdr_len == len) {
+ switch (hw->mac_type) {
++ case e1000_82544: {
+ unsigned int pull_size;
+- case e1000_82544:
++
+ /* Make sure we have room to chop off 4 bytes,
+ * and that the end alignment will work out to
+ * this hardware's requirements
+@@ -3184,6 +3185,7 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+ }
+ len = skb_headlen(skb);
+ break;
++ }
+ default:
+ /* do nothing */
+ break;
+--
+2.25.1
+
--- /dev/null
+From 67a5898725af2cd57371a74978751f0040000013 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 10:45:21 +0800
+Subject: ixgbe: fix signed-integer-overflow warning
+
+From: Xie XiuQi <xiexiuqi@huawei.com>
+
+[ Upstream commit 3b70683fc4d68f5d915d9dc7e5ba72c732c7315c ]
+
+ubsan report this warning, fix it by adding a unsigned suffix.
+
+UBSAN: signed-integer-overflow in
+drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:2246:26
+65535 * 65537 cannot be represented in type 'int'
+CPU: 21 PID: 7 Comm: kworker/u256:0 Not tainted 5.7.0-rc3-debug+ #39
+Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 03/27/2020
+Workqueue: ixgbe ixgbe_service_task [ixgbe]
+Call trace:
+ dump_backtrace+0x0/0x3f0
+ show_stack+0x28/0x38
+ dump_stack+0x154/0x1e4
+ ubsan_epilogue+0x18/0x60
+ handle_overflow+0xf8/0x148
+ __ubsan_handle_mul_overflow+0x34/0x48
+ ixgbe_fc_enable_generic+0x4d0/0x590 [ixgbe]
+ ixgbe_service_task+0xc20/0x1f78 [ixgbe]
+ process_one_work+0x8f0/0xf18
+ worker_thread+0x430/0x6d0
+ kthread+0x218/0x238
+ ret_from_fork+0x10/0x18
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+index cd2afe92f1da..e10808b3d118 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+@@ -2185,7 +2185,7 @@ s32 ixgbe_fc_enable_generic(struct ixgbe_hw *hw)
+ }
+
+ /* Configure pause time (2 TCs per register) */
+- reg = hw->fc.pause_time * 0x00010001;
++ reg = hw->fc.pause_time * 0x00010001U;
+ for (i = 0; i < (MAX_TRAFFIC_CLASS / 2); i++)
+ IXGBE_WRITE_REG(hw, IXGBE_FCTTV(i), reg);
+
+--
+2.25.1
+
--- /dev/null
+From ef33651c2d9814a1c7e94a2a83774f51c992948f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 17:42:23 +0100
+Subject: kgdb: Fix spurious true from in_dbg_master()
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit 3fec4aecb311995189217e64d725cfe84a568de3 ]
+
+Currently there is a small window where a badly timed migration could
+cause in_dbg_master() to spuriously return true. Specifically if we
+migrate to a new core after reading the processor id and the previous
+core takes a breakpoint then we will evaluate true if we read
+kgdb_active before we get the IPI to bring us to halt.
+
+Fix this by checking irqs_disabled() first. Interrupts are always
+disabled when we are executing the kgdb trap so this is an acceptable
+prerequisite. This also allows us to replace raw_smp_processor_id()
+with smp_processor_id() since the short circuit logic will prevent
+warnings from PREEMPT_DEBUG.
+
+Fixes: dcc7871128e9 ("kgdb: core changes to support kdb")
+Suggested-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20200506164223.2875760-1-daniel.thompson@linaro.org
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kgdb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
+index e465bb15912d..6be5545d3584 100644
+--- a/include/linux/kgdb.h
++++ b/include/linux/kgdb.h
+@@ -317,7 +317,7 @@ extern void gdbstub_exit(int status);
+ extern int kgdb_single_step;
+ extern atomic_t kgdb_active;
+ #define in_dbg_master() \
+- (raw_smp_processor_id() == atomic_read(&kgdb_active))
++ (irqs_disabled() && (smp_processor_id() == atomic_read(&kgdb_active)))
+ extern bool dbg_is_early;
+ extern void __init dbg_late_init(void);
+ #else /* ! CONFIG_KGDB */
+--
+2.25.1
+
--- /dev/null
+From 767d5dc30c2306fa9df5157184a62f0cda04aaa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 13:08:44 -0700
+Subject: kgdb: Prevent infinite recursive entries to the debugger
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 3ca676e4ca60d1834bb77535dafe24169cadacef ]
+
+If we detect that we recursively entered the debugger we should hack
+our I/O ops to NULL so that the panic() in the next line won't
+actually cause another recursion into the debugger. The first line of
+kgdb_panic() will check this and return.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20200507130644.v4.6.I89de39f68736c9de610e6f241e68d8dbc44bc266@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/debug_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index 79517e5549f1..9c939c6bf21c 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -443,6 +443,7 @@ static int kgdb_reenter_check(struct kgdb_state *ks)
+
+ if (exception_level > 1) {
+ dump_stack();
++ kgdb_io_module_registered = false;
+ panic("Recursive entry to debugger");
+ }
+
+--
+2.25.1
+
--- /dev/null
+From bd7f31330178dbebe7980ff1c1cb191a66df9fd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 14:47:04 -0700
+Subject: lib/mpi: Fix 64-bit MIPS build with Clang
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 18f1ca46858eac22437819937ae44aa9a8f9f2fa ]
+
+When building 64r6_defconfig with CONFIG_MIPS32_O32 disabled and
+CONFIG_CRYPTO_RSA enabled:
+
+lib/mpi/generic_mpih-mul1.c:37:24: error: invalid use of a cast in a
+inline asm context requiring an l-value: remove the cast
+or build with -fheinous-gnu-extensions
+ umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb);
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+lib/mpi/longlong.h:664:22: note: expanded from macro 'umul_ppmm'
+ : "=d" ((UDItype)(w0))
+ ~~~~~~~~~~^~~
+lib/mpi/generic_mpih-mul1.c:37:13: error: invalid use of a cast in a
+inline asm context requiring an l-value: remove the cast
+or build with -fheinous-gnu-extensions
+ umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb);
+ ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+lib/mpi/longlong.h:668:22: note: expanded from macro 'umul_ppmm'
+ : "=d" ((UDItype)(w1))
+ ~~~~~~~~~~^~~
+2 errors generated.
+
+This special case for umul_ppmm for MIPS64r6 was added in
+commit bbc25bee37d2b ("lib/mpi: Fix umul_ppmm() for MIPS64r6"), due to
+GCC being inefficient and emitting a __multi3 intrinsic.
+
+There is no such issue with clang; with this patch applied, I can build
+this configuration without any problems and there are no link errors
+like mentioned in the commit above (which I can still reproduce with
+GCC 9.3.0 when that commit is reverted). Only use this definition when
+GCC is being used.
+
+This really should have been caught by commit b0c091ae04f67 ("lib/mpi:
+Eliminate unused umul_ppmm definitions for MIPS") when I was messing
+around in this area but I was not testing 64-bit MIPS at the time.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/885
+Reported-by: Dmitry Golovin <dima@golovin.in>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/mpi/longlong.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h
+index f1f31c754b3e..70f5cf8deab3 100644
+--- a/lib/mpi/longlong.h
++++ b/lib/mpi/longlong.h
+@@ -671,7 +671,7 @@ do { \
+ ************** MIPS/64 **************
+ ***************************************/
+ #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64
+-#if defined(__mips_isa_rev) && __mips_isa_rev >= 6
++#if defined(__mips_isa_rev) && __mips_isa_rev >= 6 && defined(CONFIG_CC_IS_GCC)
+ /*
+ * GCC ends up emitting a __multi3 intrinsic call for MIPS64r6 with the plain C
+ * code below, so we special case MIPS64r6 until the compiler can do better.
+--
+2.25.1
+
--- /dev/null
+From 59e308bf5278290735cf1079d7834d69a3b93d97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2020 14:32:02 +1000
+Subject: m68k: mac: Don't call via_flush_cache() on Mac IIfx
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit bcc44f6b74106b31f0b0408b70305a40360d63b7 ]
+
+There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache().
+This avoids a boot crash which appeared in v5.4.
+
+printk: console [ttyS0] enabled
+printk: bootconsole [debug0] disabled
+printk: bootconsole [debug0] disabled
+Calibrating delay loop... 9.61 BogoMIPS (lpj=48064)
+pid_max: default: 32768 minimum: 301
+Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
+Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
+devtmpfs: initialized
+random: get_random_u32 called from bucket_table_alloc.isra.27+0x68/0x194 with crng_init=0
+clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
+futex hash table entries: 256 (order: -1, 3072 bytes, linear)
+NET: Registered protocol family 16
+Data read fault at 0x00000000 in Super Data (pc=0x8a6a)
+BAD KERNEL BUSERR
+Oops: 00000000
+Modules linked in:
+PC: [<00008a6a>] via_flush_cache+0x12/0x2c
+SR: 2700 SP: 01c1fe3c a2: 01c24000
+d0: 00001119 d1: 0000000c d2: 00012000 d3: 0000000f
+d4: 01c06840 d5: 00033b92 a0: 00000000 a1: 00000000
+Process swapper (pid: 1, task=01c24000)
+Frame format=B ssw=0755 isc=0200 isb=fff7 daddr=00000000 dobuf=01c1fed0
+baddr=00008a6e dibuf=0000004e ver=f
+Stack from 01c1fec4:
+ 01c1fed0 00007d7e 00010080 01c1fedc 0000792e 00000001 01c1fef4 00006b40
+ 01c80000 00040000 00000006 00000003 01c1ff1c 004a545e 004ff200 00040000
+ 00000000 00000003 01c06840 00033b92 004a5410 004b6c88 01c1ff84 000021e2
+ 00000073 00000003 01c06840 00033b92 0038507a 004bb094 004b6ca8 004b6c88
+ 004b6ca4 004b6c88 000021ae 00020002 00000000 01c0685d 00000000 01c1ffb4
+ 0049f938 00409c85 01c06840 0045bd40 00000073 00000002 00000002 00000000
+Call Trace: [<00007d7e>] mac_cache_card_flush+0x12/0x1c
+ [<00010080>] fix_dnrm+0x2/0x18
+ [<0000792e>] cache_push+0x46/0x5a
+ [<00006b40>] arch_dma_prep_coherent+0x60/0x6e
+ [<00040000>] switched_to_dl+0x76/0xd0
+ [<004a545e>] dma_atomic_pool_init+0x4e/0x188
+ [<00040000>] switched_to_dl+0x76/0xd0
+ [<00033b92>] parse_args+0x0/0x370
+ [<004a5410>] dma_atomic_pool_init+0x0/0x188
+ [<000021e2>] do_one_initcall+0x34/0x1be
+ [<00033b92>] parse_args+0x0/0x370
+ [<0038507a>] strcpy+0x0/0x1e
+ [<000021ae>] do_one_initcall+0x0/0x1be
+ [<00020002>] do_proc_dointvec_conv+0x54/0x74
+ [<0049f938>] kernel_init_freeable+0x126/0x190
+ [<0049f94c>] kernel_init_freeable+0x13a/0x190
+ [<004a5410>] dma_atomic_pool_init+0x0/0x188
+ [<00041798>] complete+0x0/0x3c
+ [<000b9b0c>] kfree+0x0/0x20a
+ [<0038df98>] schedule+0x0/0xd0
+ [<0038d604>] kernel_init+0x0/0xda
+ [<0038d610>] kernel_init+0xc/0xda
+ [<0038d604>] kernel_init+0x0/0xda
+ [<00002d38>] ret_from_kernel_thread+0xc/0x14
+Code: 0000 2079 0048 10da 2279 0048 10c8 d3c8 <1011> 0200 fff7 1280 d1f9 0048 10c8 1010 0000 0008 1080 4e5e 4e75 4e56 0000 2039
+Disabling lock debugging due to kernel taint
+Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+Thanks to Stan Johnson for capturing the console log and running git
+bisect.
+
+Git bisect said commit 8e3a68fb55e0 ("dma-mapping: make
+dma_atomic_pool_init self-contained") is the first "bad" commit. I don't
+know why. Perhaps mach_l2_flush first became reachable with that commit.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Cc: Joshua Thompson <funaho@jurai.org>
+Link: https://lore.kernel.org/r/b8bbeef197d6b3898e82ed0d231ad08f575a4b34.1589949122.git.fthain@telegraphics.com.au
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/mac_via.h | 1 +
+ arch/m68k/mac/config.c | 21 ++-------------------
+ arch/m68k/mac/via.c | 6 +++++-
+ 3 files changed, 8 insertions(+), 20 deletions(-)
+
+diff --git a/arch/m68k/include/asm/mac_via.h b/arch/m68k/include/asm/mac_via.h
+index 53c632c85b03..dff6db19ae4d 100644
+--- a/arch/m68k/include/asm/mac_via.h
++++ b/arch/m68k/include/asm/mac_via.h
+@@ -256,6 +256,7 @@ extern int rbv_present,via_alt_mapping;
+
+ struct irq_desc;
+
++extern void via_l2_flush(int writeback);
+ extern void via_register_interrupts(void);
+ extern void via_irq_enable(int);
+ extern void via_irq_disable(int);
+diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
+index 689b47d292ac..c4be82cc07df 100644
+--- a/arch/m68k/mac/config.c
++++ b/arch/m68k/mac/config.c
+@@ -60,7 +60,6 @@ extern void iop_preinit(void);
+ extern void iop_init(void);
+ extern void via_init(void);
+ extern void via_init_clock(irq_handler_t func);
+-extern void via_flush_cache(void);
+ extern void oss_init(void);
+ extern void psc_init(void);
+ extern void baboon_init(void);
+@@ -131,21 +130,6 @@ int __init mac_parse_bootinfo(const struct bi_record *record)
+ return unknown;
+ }
+
+-/*
+- * Flip into 24bit mode for an instant - flushes the L2 cache card. We
+- * have to disable interrupts for this. Our IRQ handlers will crap
+- * themselves if they take an IRQ in 24bit mode!
+- */
+-
+-static void mac_cache_card_flush(int writeback)
+-{
+- unsigned long flags;
+-
+- local_irq_save(flags);
+- via_flush_cache();
+- local_irq_restore(flags);
+-}
+-
+ void __init config_mac(void)
+ {
+ if (!MACH_IS_MAC)
+@@ -178,9 +162,8 @@ void __init config_mac(void)
+ * not.
+ */
+
+- if (macintosh_config->ident == MAC_MODEL_IICI
+- || macintosh_config->ident == MAC_MODEL_IIFX)
+- mach_l2_flush = mac_cache_card_flush;
++ if (macintosh_config->ident == MAC_MODEL_IICI)
++ mach_l2_flush = via_l2_flush;
+ }
+
+
+diff --git a/arch/m68k/mac/via.c b/arch/m68k/mac/via.c
+index 49f9fa4529a8..b4c40ed2099a 100644
+--- a/arch/m68k/mac/via.c
++++ b/arch/m68k/mac/via.c
+@@ -299,10 +299,14 @@ void via_debug_dump(void)
+ * the system into 24-bit mode for an instant.
+ */
+
+-void via_flush_cache(void)
++void via_l2_flush(int writeback)
+ {
++ unsigned long flags;
++
++ local_irq_save(flags);
+ via2[gBufB] &= ~VIA2B_vMode32;
+ via2[gBufB] |= VIA2B_vMode32;
++ local_irq_restore(flags);
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 5cea65012c88e3509a0c38c740082350b68cf005 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 14:27:51 +0200
+Subject: macvlan: Skip loopback packets in RX handler
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+[ Upstream commit 81f3dc9349ce0bf7b8447f147f45e70f0a5b36a6 ]
+
+Ignore loopback-originatig packets soon enough and don't try to process L2
+header where it doesn't exist. The very similar br_handle_frame() in bridge
+code performs exactly the same check.
+
+This is an example of such ICMPv6 packet:
+
+skb len=96 headroom=40 headlen=96 tailroom=56
+mac=(40,0) net=(40,40) trans=80
+shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
+csum(0xae2e9a2f ip_summed=1 complete_sw=0 valid=0 level=0)
+hash(0xc97ebd88 sw=1 l4=1) proto=0x86dd pkttype=5 iif=24
+dev name=etha01.212 feat=0x0x0000000040005000
+skb headroom: 00000000: 00 7c 86 52 84 88 ff ff 00 00 00 00 00 00 08 00
+skb headroom: 00000010: 45 00 00 9e 5d 5c 40 00 40 11 33 33 00 00 00 01
+skb headroom: 00000020: 02 40 43 80 00 00 86 dd
+skb linear: 00000000: 60 09 88 bd 00 38 3a ff fe 80 00 00 00 00 00 00
+skb linear: 00000010: 00 40 43 ff fe 80 00 00 ff 02 00 00 00 00 00 00
+skb linear: 00000020: 00 00 00 00 00 00 00 01 86 00 61 00 40 00 00 2d
+skb linear: 00000030: 00 00 00 00 00 00 00 00 03 04 40 e0 00 00 01 2c
+skb linear: 00000040: 00 00 00 78 00 00 00 00 fd 5f 42 68 23 87 a8 81
+skb linear: 00000050: 00 00 00 00 00 00 00 00 01 01 02 40 43 80 00 00
+skb tailroom: 00000000: ...
+skb tailroom: 00000010: ...
+skb tailroom: 00000020: ...
+skb tailroom: 00000030: ...
+
+Call Trace, how it happens exactly:
+ ...
+ macvlan_handle_frame+0x321/0x425 [macvlan]
+ ? macvlan_forward_source+0x110/0x110 [macvlan]
+ __netif_receive_skb_core+0x545/0xda0
+ ? enqueue_task_fair+0xe5/0x8e0
+ ? __netif_receive_skb_one_core+0x36/0x70
+ __netif_receive_skb_one_core+0x36/0x70
+ process_backlog+0x97/0x140
+ net_rx_action+0x1eb/0x350
+ ? __hrtimer_run_queues+0x136/0x2e0
+ __do_softirq+0xe3/0x383
+ do_softirq_own_stack+0x2a/0x40
+ </IRQ>
+ do_softirq.part.4+0x4e/0x50
+ netif_rx_ni+0x60/0xd0
+ dev_loopback_xmit+0x83/0xf0
+ ip6_finish_output2+0x575/0x590 [ipv6]
+ ? ip6_cork_release.isra.1+0x64/0x90 [ipv6]
+ ? __ip6_make_skb+0x38d/0x680 [ipv6]
+ ? ip6_output+0x6c/0x140 [ipv6]
+ ip6_output+0x6c/0x140 [ipv6]
+ ip6_send_skb+0x1e/0x60 [ipv6]
+ rawv6_sendmsg+0xc4b/0xe10 [ipv6]
+ ? proc_put_long+0xd0/0xd0
+ ? rw_copy_check_uvector+0x4e/0x110
+ ? sock_sendmsg+0x36/0x40
+ sock_sendmsg+0x36/0x40
+ ___sys_sendmsg+0x2b6/0x2d0
+ ? proc_dointvec+0x23/0x30
+ ? addrconf_sysctl_forward+0x8d/0x250 [ipv6]
+ ? dev_forward_change+0x130/0x130 [ipv6]
+ ? _raw_spin_unlock+0x12/0x30
+ ? proc_sys_call_handler.isra.14+0x9f/0x110
+ ? __call_rcu+0x213/0x510
+ ? get_max_files+0x10/0x10
+ ? trace_hardirqs_on+0x2c/0xe0
+ ? __sys_sendmsg+0x63/0xa0
+ __sys_sendmsg+0x63/0xa0
+ do_syscall_64+0x6c/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 0c4e1ef80355..73061bee35cd 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -420,6 +420,10 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
+ int ret;
+ rx_handler_result_t handle_res;
+
++ /* Packets from dev_loopback_xmit() do not have L2 header, bail out */
++ if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
++ return RX_HANDLER_PASS;
++
+ port = macvlan_port_get_rcu(skb->dev);
+ if (is_multicast_ether_addr(eth->h_dest)) {
+ skb = ip_check_defrag(dev_net(skb->dev), skb, IP_DEFRAG_MACVLAN);
+--
+2.25.1
+
--- /dev/null
+From e21afc3a9eb5c966854cfccb781bd3ef1b45494e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2020 23:57:09 +0200
+Subject: md: don't flush workqueue unconditionally in md_open
+
+From: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+
+[ Upstream commit f6766ff6afff70e2aaf39e1511e16d471de7c3ae ]
+
+We need to check mddev->del_work before flush workqueu since the purpose
+of flush is to ensure the previous md is disappeared. Otherwise the similar
+deadlock appeared if LOCKDEP is enabled, it is due to md_open holds the
+bdev->bd_mutex before flush workqueue.
+
+kernel: [ 154.522645] ======================================================
+kernel: [ 154.522647] WARNING: possible circular locking dependency detected
+kernel: [ 154.522650] 5.6.0-rc7-lp151.27-default #25 Tainted: G O
+kernel: [ 154.522651] ------------------------------------------------------
+kernel: [ 154.522653] mdadm/2482 is trying to acquire lock:
+kernel: [ 154.522655] ffff888078529128 ((wq_completion)md_misc){+.+.}, at: flush_workqueue+0x84/0x4b0
+kernel: [ 154.522673]
+kernel: [ 154.522673] but task is already holding lock:
+kernel: [ 154.522675] ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
+kernel: [ 154.522691]
+kernel: [ 154.522691] which lock already depends on the new lock.
+kernel: [ 154.522691]
+kernel: [ 154.522694]
+kernel: [ 154.522694] the existing dependency chain (in reverse order) is:
+kernel: [ 154.522696]
+kernel: [ 154.522696] -> #4 (&bdev->bd_mutex){+.+.}:
+kernel: [ 154.522704] __mutex_lock+0x87/0x950
+kernel: [ 154.522706] __blkdev_get+0x79/0x590
+kernel: [ 154.522708] blkdev_get+0x65/0x140
+kernel: [ 154.522709] blkdev_get_by_dev+0x2f/0x40
+kernel: [ 154.522716] lock_rdev+0x3d/0x90 [md_mod]
+kernel: [ 154.522719] md_import_device+0xd6/0x1b0 [md_mod]
+kernel: [ 154.522723] new_dev_store+0x15e/0x210 [md_mod]
+kernel: [ 154.522728] md_attr_store+0x7a/0xc0 [md_mod]
+kernel: [ 154.522732] kernfs_fop_write+0x117/0x1b0
+kernel: [ 154.522735] vfs_write+0xad/0x1a0
+kernel: [ 154.522737] ksys_write+0xa4/0xe0
+kernel: [ 154.522745] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522748] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522749]
+kernel: [ 154.522749] -> #3 (&mddev->reconfig_mutex){+.+.}:
+kernel: [ 154.522752] __mutex_lock+0x87/0x950
+kernel: [ 154.522756] new_dev_store+0xc9/0x210 [md_mod]
+kernel: [ 154.522759] md_attr_store+0x7a/0xc0 [md_mod]
+kernel: [ 154.522761] kernfs_fop_write+0x117/0x1b0
+kernel: [ 154.522763] vfs_write+0xad/0x1a0
+kernel: [ 154.522765] ksys_write+0xa4/0xe0
+kernel: [ 154.522767] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522769] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522770]
+kernel: [ 154.522770] -> #2 (kn->count#253){++++}:
+kernel: [ 154.522775] __kernfs_remove+0x253/0x2c0
+kernel: [ 154.522778] kernfs_remove+0x1f/0x30
+kernel: [ 154.522780] kobject_del+0x28/0x60
+kernel: [ 154.522783] mddev_delayed_delete+0x24/0x30 [md_mod]
+kernel: [ 154.522786] process_one_work+0x2a7/0x5f0
+kernel: [ 154.522788] worker_thread+0x2d/0x3d0
+kernel: [ 154.522793] kthread+0x117/0x130
+kernel: [ 154.522795] ret_from_fork+0x3a/0x50
+kernel: [ 154.522796]
+kernel: [ 154.522796] -> #1 ((work_completion)(&mddev->del_work)){+.+.}:
+kernel: [ 154.522800] process_one_work+0x27e/0x5f0
+kernel: [ 154.522802] worker_thread+0x2d/0x3d0
+kernel: [ 154.522804] kthread+0x117/0x130
+kernel: [ 154.522806] ret_from_fork+0x3a/0x50
+kernel: [ 154.522807]
+kernel: [ 154.522807] -> #0 ((wq_completion)md_misc){+.+.}:
+kernel: [ 154.522813] __lock_acquire+0x1392/0x1690
+kernel: [ 154.522816] lock_acquire+0xb4/0x1a0
+kernel: [ 154.522818] flush_workqueue+0xab/0x4b0
+kernel: [ 154.522821] md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522823] __blkdev_get+0xea/0x590
+kernel: [ 154.522825] blkdev_get+0x65/0x140
+kernel: [ 154.522828] do_dentry_open+0x1d1/0x380
+kernel: [ 154.522831] path_openat+0x567/0xcc0
+kernel: [ 154.522834] do_filp_open+0x9b/0x110
+kernel: [ 154.522836] do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522838] do_sys_open+0x57/0x80
+kernel: [ 154.522840] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522842] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522844]
+kernel: [ 154.522844] other info that might help us debug this:
+kernel: [ 154.522844]
+kernel: [ 154.522846] Chain exists of:
+kernel: [ 154.522846] (wq_completion)md_misc --> &mddev->reconfig_mutex --> &bdev->bd_mutex
+kernel: [ 154.522846]
+kernel: [ 154.522850] Possible unsafe locking scenario:
+kernel: [ 154.522850]
+kernel: [ 154.522852] CPU0 CPU1
+kernel: [ 154.522853] ---- ----
+kernel: [ 154.522854] lock(&bdev->bd_mutex);
+kernel: [ 154.522856] lock(&mddev->reconfig_mutex);
+kernel: [ 154.522858] lock(&bdev->bd_mutex);
+kernel: [ 154.522860] lock((wq_completion)md_misc);
+kernel: [ 154.522861]
+kernel: [ 154.522861] *** DEADLOCK ***
+kernel: [ 154.522861]
+kernel: [ 154.522864] 1 lock held by mdadm/2482:
+kernel: [ 154.522865] #0: ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
+kernel: [ 154.522868]
+kernel: [ 154.522868] stack backtrace:
+kernel: [ 154.522873] CPU: 1 PID: 2482 Comm: mdadm Tainted: G O 5.6.0-rc7-lp151.27-default #25
+kernel: [ 154.522875] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+kernel: [ 154.522878] Call Trace:
+kernel: [ 154.522881] dump_stack+0x8f/0xcb
+kernel: [ 154.522884] check_noncircular+0x194/0x1b0
+kernel: [ 154.522888] ? __lock_acquire+0x1392/0x1690
+kernel: [ 154.522890] __lock_acquire+0x1392/0x1690
+kernel: [ 154.522893] lock_acquire+0xb4/0x1a0
+kernel: [ 154.522895] ? flush_workqueue+0x84/0x4b0
+kernel: [ 154.522898] flush_workqueue+0xab/0x4b0
+kernel: [ 154.522900] ? flush_workqueue+0x84/0x4b0
+kernel: [ 154.522905] ? md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522908] md_open+0xb6/0xc0 [md_mod]
+kernel: [ 154.522910] __blkdev_get+0xea/0x590
+kernel: [ 154.522912] ? bd_acquire+0xc0/0xc0
+kernel: [ 154.522914] blkdev_get+0x65/0x140
+kernel: [ 154.522916] ? bd_acquire+0xc0/0xc0
+kernel: [ 154.522918] do_dentry_open+0x1d1/0x380
+kernel: [ 154.522921] path_openat+0x567/0xcc0
+kernel: [ 154.522923] ? __lock_acquire+0x380/0x1690
+kernel: [ 154.522926] do_filp_open+0x9b/0x110
+kernel: [ 154.522929] ? __alloc_fd+0xe5/0x1f0
+kernel: [ 154.522935] ? kmem_cache_alloc+0x28c/0x630
+kernel: [ 154.522939] ? do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522941] do_sys_openat2+0x201/0x2a0
+kernel: [ 154.522944] do_sys_open+0x57/0x80
+kernel: [ 154.522946] do_syscall_64+0x64/0x2b0
+kernel: [ 154.522948] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kernel: [ 154.522951] RIP: 0033:0x7f98d279d9ae
+
+And md_alloc also flushed the same workqueue, but the thing is different
+here. Because all the paths call md_alloc don't hold bdev->bd_mutex, and
+the flush is necessary to avoid race condition, so leave it as it is.
+
+Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index d59d79b77fd6..60161690e226 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7038,7 +7038,8 @@ static int md_open(struct block_device *bdev, fmode_t mode)
+ */
+ mddev_put(mddev);
+ /* Wait until bdev->bd_disk is definitely gone */
+- flush_workqueue(md_misc_wq);
++ if (work_pending(&mddev->del_work))
++ flush_workqueue(md_misc_wq);
+ /* Then retry the open from the top */
+ return -ERESTARTSYS;
+ }
+--
+2.25.1
+
--- /dev/null
+From 13e3886a36d85fb94ae2a3968e615bfc33090899 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2020 18:51:33 +0100
+Subject: media: dvb: return -EREMOTEIO on i2c transfer failure.
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 96f3a9392799dd0f6472648a7366622ffd0989f3 ]
+
+Currently when i2c transfers fail the error return -EREMOTEIO
+is assigned to err but then later overwritten when the tuner
+attach call is made. Fix this by returning early with the
+error return code -EREMOTEIO on i2c transfer failure errors.
+
+If the transfer fails, an uninitialized value will be read from b2.
+
+Addresses-Coverity: ("Unused value")
+
+Fixes: fbfee8684ff2 ("V4L/DVB (5651): Dibusb-mb: convert pll handling to properly use dvb-pll")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dibusb-mb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dibusb-mb.c b/drivers/media/usb/dvb-usb/dibusb-mb.c
+index a4ac37e0e98b..d888e27dad3c 100644
+--- a/drivers/media/usb/dvb-usb/dibusb-mb.c
++++ b/drivers/media/usb/dvb-usb/dibusb-mb.c
+@@ -84,7 +84,7 @@ static int dibusb_tuner_probe_and_attach(struct dvb_usb_adapter *adap)
+
+ if (i2c_transfer(&adap->dev->i2c_adap, msg, 2) != 2) {
+ err("tuner i2c write failed.");
+- ret = -EREMOTEIO;
++ return -EREMOTEIO;
+ }
+
+ if (adap->fe_adap[0].fe->ops.i2c_gate_ctrl)
+--
+2.25.1
+
--- /dev/null
+From fd7ea93eb7457b9ba9747e6a6f76aca6af429824 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 17:07:22 +0300
+Subject: mips: Add udelay lpj numbers adjustment
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit ed26aacfb5f71eecb20a51c4467da440cb719d66 ]
+
+Loops-per-jiffies is a special number which represents a number of
+noop-loop cycles per CPU-scheduler quantum - jiffies. As you
+understand aside from CPU-specific implementation it depends on
+the CPU frequency. So when a platform has the CPU frequency fixed,
+we have no problem and the current udelay interface will work
+just fine. But as soon as CPU-freq driver is enabled and the cores
+frequency changes, we'll end up with distorted udelay's. In order
+to fix this we have to accordinly adjust the per-CPU udelay_val
+(the same as the global loops_per_jiffy) number. This can be done
+in the CPU-freq transition event handler. We subscribe to that event
+in the MIPS arch time-inititalization method.
+
+Co-developed-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/time.c | 70 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 70 insertions(+)
+
+diff --git a/arch/mips/kernel/time.c b/arch/mips/kernel/time.c
+index 8d0170969e22..345978cc105b 100644
+--- a/arch/mips/kernel/time.c
++++ b/arch/mips/kernel/time.c
+@@ -22,12 +22,82 @@
+ #include <linux/smp.h>
+ #include <linux/spinlock.h>
+ #include <linux/export.h>
++#include <linux/cpufreq.h>
++#include <linux/delay.h>
+
+ #include <asm/cpu-features.h>
+ #include <asm/cpu-type.h>
+ #include <asm/div64.h>
+ #include <asm/time.h>
+
++#ifdef CONFIG_CPU_FREQ
++
++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref);
++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref_freq);
++static unsigned long glb_lpj_ref;
++static unsigned long glb_lpj_ref_freq;
++
++static int cpufreq_callback(struct notifier_block *nb,
++ unsigned long val, void *data)
++{
++ struct cpufreq_freqs *freq = data;
++ struct cpumask *cpus = freq->policy->cpus;
++ unsigned long lpj;
++ int cpu;
++
++ /*
++ * Skip lpj numbers adjustment if the CPU-freq transition is safe for
++ * the loops delay. (Is this possible?)
++ */
++ if (freq->flags & CPUFREQ_CONST_LOOPS)
++ return NOTIFY_OK;
++
++ /* Save the initial values of the lpjes for future scaling. */
++ if (!glb_lpj_ref) {
++ glb_lpj_ref = boot_cpu_data.udelay_val;
++ glb_lpj_ref_freq = freq->old;
++
++ for_each_online_cpu(cpu) {
++ per_cpu(pcp_lpj_ref, cpu) =
++ cpu_data[cpu].udelay_val;
++ per_cpu(pcp_lpj_ref_freq, cpu) = freq->old;
++ }
++ }
++
++ /*
++ * Adjust global lpj variable and per-CPU udelay_val number in
++ * accordance with the new CPU frequency.
++ */
++ if ((val == CPUFREQ_PRECHANGE && freq->old < freq->new) ||
++ (val == CPUFREQ_POSTCHANGE && freq->old > freq->new)) {
++ loops_per_jiffy = cpufreq_scale(glb_lpj_ref,
++ glb_lpj_ref_freq,
++ freq->new);
++
++ for_each_cpu(cpu, cpus) {
++ lpj = cpufreq_scale(per_cpu(pcp_lpj_ref, cpu),
++ per_cpu(pcp_lpj_ref_freq, cpu),
++ freq->new);
++ cpu_data[cpu].udelay_val = (unsigned int)lpj;
++ }
++ }
++
++ return NOTIFY_OK;
++}
++
++static struct notifier_block cpufreq_notifier = {
++ .notifier_call = cpufreq_callback,
++};
++
++static int __init register_cpufreq_notifier(void)
++{
++ return cpufreq_register_notifier(&cpufreq_notifier,
++ CPUFREQ_TRANSITION_NOTIFIER);
++}
++core_initcall(register_cpufreq_notifier);
++
++#endif /* CONFIG_CPU_FREQ */
++
+ /*
+ * forward reference
+ */
+--
+2.25.1
+
--- /dev/null
+From 72e100335d9552fb452c2f70571a8bd1c63553c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 20:42:22 +0300
+Subject: mips: cm: Fix an invalid error code of INTVN_*_ERR
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 8a0efb8b101665a843205eab3d67ab09cb2d9a8d ]
+
+Commit 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache
+errors") adds cm2_causes[] array with map of error type ID and
+pointers to the short description string. There is a mistake in
+the table, since according to MIPS32 manual CM2_ERROR_TYPE = {17,18}
+correspond to INTVN_WR_ERR and INTVN_RD_ERR, while the table
+claims they have {0x17,0x18} codes. This is obviously hex-dec
+copy-paste bug. Moreover codes {0x18 - 0x1a} indicate L2 ECC errors.
+
+Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-pm@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/mips-cm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
+index 76f18c56141c..3458d23d230c 100644
+--- a/arch/mips/kernel/mips-cm.c
++++ b/arch/mips/kernel/mips-cm.c
+@@ -123,9 +123,9 @@ static char *cm2_causes[32] = {
+ "COH_RD_ERR", "MMIO_WR_ERR", "MMIO_RD_ERR", "0x07",
+ "0x08", "0x09", "0x0a", "0x0b",
+ "0x0c", "0x0d", "0x0e", "0x0f",
+- "0x10", "0x11", "0x12", "0x13",
+- "0x14", "0x15", "0x16", "INTVN_WR_ERR",
+- "INTVN_RD_ERR", "0x19", "0x1a", "0x1b",
++ "0x10", "INTVN_WR_ERR", "INTVN_RD_ERR", "0x13",
++ "0x14", "0x15", "0x16", "0x17",
++ "0x18", "0x19", "0x1a", "0x1b",
+ "0x1c", "0x1d", "0x1e", "0x1f"
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 7058b8e343b6c16c49ce6a3c23bac2643cca0817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2020 14:11:30 +0800
+Subject: MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe()
+
+From: YuanJunQing <yuanjunqing66@163.com>
+
+[ Upstream commit 31e1b3efa802f97a17628dde280006c4cee4ce5e ]
+
+Register "a1" is unsaved in this function,
+ when CONFIG_TRACE_IRQFLAGS is enabled,
+ the TRACE_IRQS_OFF macro will call trace_hardirqs_off(),
+ and this may change register "a1".
+ The changed register "a1" as argument will be send
+ to do_fpe() and do_msa_fpe().
+
+Signed-off-by: YuanJunQing <yuanjunqing66@163.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/genex.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/genex.S b/arch/mips/kernel/genex.S
+index bb72f3ce7e29..7ffd158de76e 100644
+--- a/arch/mips/kernel/genex.S
++++ b/arch/mips/kernel/genex.S
+@@ -430,20 +430,20 @@ NESTED(nmi_handler, PT_SIZE, sp)
+ .endm
+
+ .macro __build_clear_fpe
++ CLI
++ TRACE_IRQS_OFF
+ .set push
+ /* gas fails to assemble cfc1 for some archs (octeon).*/ \
+ .set mips1
+ SET_HARDFLOAT
+ cfc1 a1, fcr31
+ .set pop
+- CLI
+- TRACE_IRQS_OFF
+ .endm
+
+ .macro __build_clear_msa_fpe
+- _cfcmsa a1, MSA_CSR
+ CLI
+ TRACE_IRQS_OFF
++ _cfcmsa a1, MSA_CSR
+ .endm
+
+ .macro __build_clear_ade
+--
+2.25.1
+
--- /dev/null
+From 1b09878ba96f8bd861ad6024e1e7e0c9830c5da2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 19:59:46 +0800
+Subject: MIPS: Make sparse_init() using top-down allocation
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 269b3a9ac538c4ae87f84be640b9fa89914a2489 ]
+
+In the current code, if CONFIG_SWIOTLB is set, when failed to get IO TLB
+memory from the low pages by plat_swiotlb_setup(), it may lead to the boot
+process failed with kernel panic.
+
+(1) On the Loongson and SiByte platform
+arch/mips/loongson64/dma.c
+arch/mips/sibyte/common/dma.c
+void __init plat_swiotlb_setup(void)
+{
+ swiotlb_init(1);
+}
+
+kernel/dma/swiotlb.c
+void __init
+swiotlb_init(int verbose)
+{
+...
+ vstart = memblock_alloc_low(PAGE_ALIGN(bytes), PAGE_SIZE);
+ if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, verbose))
+ return;
+...
+ pr_warn("Cannot allocate buffer");
+ no_iotlb_memory = true;
+}
+
+phys_addr_t swiotlb_tbl_map_single()
+{
+...
+ if (no_iotlb_memory)
+ panic("Can not allocate SWIOTLB buffer earlier ...");
+...
+}
+
+(2) On the Cavium OCTEON platform
+arch/mips/cavium-octeon/dma-octeon.c
+void __init plat_swiotlb_setup(void)
+{
+...
+ octeon_swiotlb = memblock_alloc_low(swiotlbsize, PAGE_SIZE);
+ if (!octeon_swiotlb)
+ panic("%s: Failed to allocate %zu bytes align=%lx\n",
+ __func__, swiotlbsize, PAGE_SIZE);
+...
+}
+
+Because IO_TLB_DEFAULT_SIZE is 64M, if the rest size of low memory is less
+than 64M when call plat_swiotlb_setup(), we can easily reproduce the panic
+case.
+
+In order to reduce the possibility of kernel panic when failed to get IO
+TLB memory under CONFIG_SWIOTLB, it is better to allocate low memory as
+small as possible before plat_swiotlb_setup(), so make sparse_init() using
+top-down allocation.
+
+Reported-by: Juxin Gao <gaojuxin@loongson.cn>
+Co-developed-by: Juxin Gao <gaojuxin@loongson.cn>
+Signed-off-by: Juxin Gao <gaojuxin@loongson.cn>
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/setup.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
+index 8fa30516f39d..33f5aeaf0024 100644
+--- a/arch/mips/kernel/setup.c
++++ b/arch/mips/kernel/setup.c
+@@ -769,7 +769,17 @@ static void __init arch_mem_init(char **cmdline_p)
+ BOOTMEM_DEFAULT);
+ #endif
+ device_tree_init();
++
++ /*
++ * In order to reduce the possibility of kernel panic when failed to
++ * get IO TLB memory under CONFIG_SWIOTLB, it is better to allocate
++ * low memory as small as possible before plat_swiotlb_setup(), so
++ * make sparse_init() using top-down allocation.
++ */
++ memblock_set_bottom_up(false);
+ sparse_init();
++ memblock_set_bottom_up(true);
++
+ plat_swiotlb_setup();
+ paging_init();
+
+--
+2.25.1
+
--- /dev/null
+From d6e26212be435a3009ba139364cba572d7d9f8a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 09:59:24 +0200
+Subject: mwifiex: Fix memory corruption in dump_station
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 ]
+
+The mwifiex_cfg80211_dump_station() uses static variable for iterating
+over a linked list of all associated stations (when the driver is in UAP
+role). This has a race condition if .dump_station is called in parallel
+for multiple interfaces. This corruption can be triggered by registering
+multiple SSIDs and calling, in parallel for multiple interfaces
+ iw dev <iface> station dump
+
+[16750.719775] Unable to handle kernel paging request at virtual address dead000000000110
+...
+[16750.899173] Call trace:
+[16750.901696] mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex]
+[16750.907824] nl80211_dump_station+0xbc/0x278 [cfg80211]
+[16750.913160] netlink_dump+0xe8/0x320
+[16750.916827] netlink_recvmsg+0x1b4/0x338
+[16750.920861] ____sys_recvmsg+0x7c/0x2b0
+[16750.924801] ___sys_recvmsg+0x70/0x98
+[16750.928564] __sys_recvmsg+0x58/0xa0
+[16750.932238] __arm64_sys_recvmsg+0x28/0x30
+[16750.936453] el0_svc_common.constprop.3+0x90/0x158
+[16750.941378] do_el0_svc+0x74/0x90
+[16750.944784] el0_sync_handler+0x12c/0x1a8
+[16750.948903] el0_sync+0x114/0x140
+[16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060)
+[16750.958583] ---[ end trace c8ad181c2f4b8576 ]---
+
+This patch drops the use of the static iterator, and instead every time
+the function is called iterates to the idx-th position of the
+linked-list.
+
+It would be better to convert the code not to use linked list for
+associated stations storage (since the chip has a limited number of
+associated stations anyway - it could just be an array). Such a change
+may be proposed in the future. In the meantime this patch can backported
+into stable kernels in this simple form.
+
+Fixes: 8baca1a34d4c ("mwifiex: dump station support in uap mode")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mwifiex/cfg80211.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
+index c6c2d3304dba..8b649b8e4301 100644
+--- a/drivers/net/wireless/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/mwifiex/cfg80211.c
+@@ -1387,7 +1387,8 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev,
+ int idx, u8 *mac, struct station_info *sinfo)
+ {
+ struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
+- static struct mwifiex_sta_node *node;
++ struct mwifiex_sta_node *node;
++ int i;
+
+ if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) &&
+ priv->media_connected && idx == 0) {
+@@ -1397,13 +1398,10 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev,
+ mwifiex_send_cmd(priv, HOST_CMD_APCMD_STA_LIST,
+ HostCmd_ACT_GEN_GET, 0, NULL, true);
+
+- if (node && (&node->list == &priv->sta_list)) {
+- node = NULL;
+- return -ENOENT;
+- }
+-
+- node = list_prepare_entry(node, &priv->sta_list, list);
+- list_for_each_entry_continue(node, &priv->sta_list, list) {
++ i = 0;
++ list_for_each_entry(node, &priv->sta_list, list) {
++ if (i++ != idx)
++ continue;
+ ether_addr_copy(mac, node->mac_addr);
+ return mwifiex_dump_station_info(priv, node, sinfo);
+ }
+--
+2.25.1
+
--- /dev/null
+From c22918f42fab8d61e4a4a73da330ac9430edfc75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 10:49:20 +0800
+Subject: net: allwinner: Fix use correct return type for ndo_start_xmit()
+
+From: Yunjian Wang <wangyunjian@huawei.com>
+
+[ Upstream commit 09f6c44aaae0f1bdb8b983d7762676d5018c53bc ]
+
+The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix
+the ndo function to use the correct type. And emac_start_xmit() can
+leak one skb if 'channel' == 3.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/allwinner/sun4i-emac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/allwinner/sun4i-emac.c b/drivers/net/ethernet/allwinner/sun4i-emac.c
+index 8d50314ac3eb..dde3cd2d4763 100644
+--- a/drivers/net/ethernet/allwinner/sun4i-emac.c
++++ b/drivers/net/ethernet/allwinner/sun4i-emac.c
+@@ -438,7 +438,7 @@ static void emac_timeout(struct net_device *dev)
+ /* Hardware start transmission.
+ * Send a packet to media from the upper layer.
+ */
+-static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct emac_board_info *db = netdev_priv(dev);
+ unsigned long channel;
+@@ -446,7 +446,7 @@ static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ channel = db->tx_fifo_stat & 3;
+ if (channel == 3)
+- return 1;
++ return NETDEV_TX_BUSY;
+
+ channel = (channel == 1 ? 1 : 0);
+
+--
+2.25.1
+
--- /dev/null
+From aecf8dab3a5ae1c9815df2d973a28fc0b703497c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:15:07 +0000
+Subject: net: lpc-enet: fix error return code in lpc_mii_init()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 88ec7cb22ddde725ed4ce15991f0bd9dd817fd85 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: b7370112f519 ("lpc32xx: Added ethernet driver")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/nxp/lpc_eth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
+index ba14bad81a21..14b5a0dbf40b 100644
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -865,7 +865,8 @@ static int lpc_mii_init(struct netdata_local *pldat)
+ if (mdiobus_register(pldat->mii_bus))
+ goto err_out_free_mdio_irq;
+
+- if (lpc_mii_probe(pldat->ndev) != 0)
++ err = lpc_mii_probe(pldat->ndev);
++ if (err)
+ goto err_out_unregister_bus;
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 9f56dfa6dbaa59d6c6469a06672baeb6ffe4bd6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 10:41:50 +0800
+Subject: net: vmxnet3: fix possible buffer overflow caused by bad DMA value in
+ vmxnet3_get_rss()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 3e1c6846b9e108740ef8a37be80314053f5dd52a ]
+
+The value adapter->rss_conf is stored in DMA memory, and it is assigned
+to rssConf, so rssConf->indTableSize can be modified at anytime by
+malicious hardware. Because rssConf->indTableSize is assigned to n,
+buffer overflow may occur when the code "rssConf->indTable[n]" is
+executed.
+
+To fix this possible bug, n is checked after being used.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_ethtool.c b/drivers/net/vmxnet3/vmxnet3_ethtool.c
+index 9ba11d737753..f35597c44e3c 100644
+--- a/drivers/net/vmxnet3/vmxnet3_ethtool.c
++++ b/drivers/net/vmxnet3/vmxnet3_ethtool.c
+@@ -664,6 +664,8 @@ vmxnet3_get_rss(struct net_device *netdev, u32 *p, u8 *key, u8 *hfunc)
+ *hfunc = ETH_RSS_HASH_TOP;
+ if (!p)
+ return 0;
++ if (n > UPT1_RSS_MAX_IND_TABLE_SIZE)
++ return 0;
+ while (n--)
+ p[n] = rssConf->indTable[n];
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From c212642333f760e5b275013f8b0524f249c66aa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 21:55:34 +0200
+Subject: netfilter: nft_nat: return EOPNOTSUPP if type or flags are not
+ supported
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 0d7c83463fdf7841350f37960a7abadd3e650b41 ]
+
+Instead of EINVAL which should be used for malformed netlink messages.
+
+Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_nat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index ee2d71753746..868480b83649 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -135,7 +135,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ priv->type = NF_NAT_MANIP_DST;
+ break;
+ default:
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ err = nft_nat_validate(ctx, expr, NULL);
+@@ -206,7 +206,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ if (tb[NFTA_NAT_FLAGS]) {
+ priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS]));
+ if (priv->flags & ~NF_NAT_RANGE_MASK)
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From dae73c49b87f29b27d02c6a9b828a4f9881f92b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 17:21:12 +0800
+Subject: PCI: Don't disable decoding when mmio_always_on is set
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit b6caa1d8c80cb71b6162cb1f1ec13aa655026c9f ]
+
+Don't disable MEM/IO decoding when a device have both non_compliant_bars
+and mmio_always_on.
+
+That would allow us quirk devices with junk in BARs but can't disable
+their decoding.
+
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Acked-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 5f040619393f..46656322d23e 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1226,7 +1226,7 @@ int pci_setup_device(struct pci_dev *dev)
+ /* device class may be changed after fixup */
+ class = dev->class >> 8;
+
+- if (dev->non_compliant_bars) {
++ if (dev->non_compliant_bars && !dev->mmio_always_on) {
+ pci_read_config_word(dev, PCI_COMMAND, &cmd);
+ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) {
+ dev_info(&dev->dev, "device has non-compliant BARs; disabling IO/MEM decoding\n");
+--
+2.25.1
+
--- /dev/null
+From ec239934107b99c694376d9595f556cc299d8a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 12:12:50 +0200
+Subject: powerpc/spufs: fix copy_to_user while atomic
+
+From: Jeremy Kerr <jk@ozlabs.org>
+
+[ Upstream commit 88413a6bfbbe2f648df399b62f85c934460b7a4d ]
+
+Currently, we may perform a copy_to_user (through
+simple_read_from_buffer()) while holding a context's register_lock,
+while accessing the context save area.
+
+This change uses a temporary buffer for the context save area data,
+which we then pass to simple_read_from_buffer.
+
+Includes changes from Christoph Hellwig <hch@lst.de>.
+
+Fixes: bf1ab978be23 ("[POWERPC] coredump: Add SPU elf notes to coredump.")
+Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+[hch: renamed to function to avoid ___-prefixes]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/spufs/file.c | 113 +++++++++++++++--------
+ 1 file changed, 75 insertions(+), 38 deletions(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
+index 5038fd578e65..e708c163fd6d 100644
+--- a/arch/powerpc/platforms/cell/spufs/file.c
++++ b/arch/powerpc/platforms/cell/spufs/file.c
+@@ -2044,8 +2044,9 @@ static ssize_t __spufs_mbox_info_read(struct spu_context *ctx,
+ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+- int ret;
+ struct spu_context *ctx = file->private_data;
++ u32 stat, data;
++ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+@@ -2054,11 +2055,16 @@ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_mbox_info_read(ctx, buf, len, pos);
++ stat = ctx->csa.prob.mb_stat_R;
++ data = ctx->csa.prob.pu_mb_R;
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ /* EOF if there's no entry in the mbox */
++ if (!(stat & 0x0000ff))
++ return 0;
++
++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data));
+ }
+
+ static const struct file_operations spufs_mbox_info_fops = {
+@@ -2085,6 +2091,7 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ u32 stat, data;
+ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+@@ -2094,11 +2101,16 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_ibox_info_read(ctx, buf, len, pos);
++ stat = ctx->csa.prob.mb_stat_R;
++ data = ctx->csa.priv2.puint_mb_R;
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ /* EOF if there's no entry in the ibox */
++ if (!(stat & 0xff0000))
++ return 0;
++
++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data));
+ }
+
+ static const struct file_operations spufs_ibox_info_fops = {
+@@ -2107,6 +2119,11 @@ static const struct file_operations spufs_ibox_info_fops = {
+ .llseek = generic_file_llseek,
+ };
+
++static size_t spufs_wbox_info_cnt(struct spu_context *ctx)
++{
++ return (4 - ((ctx->csa.prob.mb_stat_R & 0x00ff00) >> 8)) * sizeof(u32);
++}
++
+ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx,
+ char __user *buf, size_t len, loff_t *pos)
+ {
+@@ -2115,7 +2132,7 @@ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx,
+ u32 wbox_stat;
+
+ wbox_stat = ctx->csa.prob.mb_stat_R;
+- cnt = 4 - ((wbox_stat & 0x00ff00) >> 8);
++ cnt = spufs_wbox_info_cnt(ctx);
+ for (i = 0; i < cnt; i++) {
+ data[i] = ctx->csa.spu_mailbox_data[i];
+ }
+@@ -2128,7 +2145,8 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
+- int ret;
++ u32 data[ARRAY_SIZE(ctx->csa.spu_mailbox_data)];
++ int ret, count;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+@@ -2137,11 +2155,13 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_wbox_info_read(ctx, buf, len, pos);
++ count = spufs_wbox_info_cnt(ctx);
++ memcpy(&data, &ctx->csa.spu_mailbox_data, sizeof(data));
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &data,
++ count * sizeof(u32));
+ }
+
+ static const struct file_operations spufs_wbox_info_fops = {
+@@ -2150,27 +2170,33 @@ static const struct file_operations spufs_wbox_info_fops = {
+ .llseek = generic_file_llseek,
+ };
+
+-static ssize_t __spufs_dma_info_read(struct spu_context *ctx,
+- char __user *buf, size_t len, loff_t *pos)
++static void spufs_get_dma_info(struct spu_context *ctx,
++ struct spu_dma_info *info)
+ {
+- struct spu_dma_info info;
+- struct mfc_cq_sr *qp, *spuqp;
+ int i;
+
+- info.dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW;
+- info.dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0];
+- info.dma_info_status = ctx->csa.spu_chnldata_RW[24];
+- info.dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25];
+- info.dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27];
++ info->dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW;
++ info->dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0];
++ info->dma_info_status = ctx->csa.spu_chnldata_RW[24];
++ info->dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25];
++ info->dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27];
+ for (i = 0; i < 16; i++) {
+- qp = &info.dma_info_command_data[i];
+- spuqp = &ctx->csa.priv2.spuq[i];
++ struct mfc_cq_sr *qp = &info->dma_info_command_data[i];
++ struct mfc_cq_sr *spuqp = &ctx->csa.priv2.spuq[i];
+
+ qp->mfc_cq_data0_RW = spuqp->mfc_cq_data0_RW;
+ qp->mfc_cq_data1_RW = spuqp->mfc_cq_data1_RW;
+ qp->mfc_cq_data2_RW = spuqp->mfc_cq_data2_RW;
+ qp->mfc_cq_data3_RW = spuqp->mfc_cq_data3_RW;
+ }
++}
++
++static ssize_t __spufs_dma_info_read(struct spu_context *ctx,
++ char __user *buf, size_t len, loff_t *pos)
++{
++ struct spu_dma_info info;
++
++ spufs_get_dma_info(ctx, &info);
+
+ return simple_read_from_buffer(buf, len, pos, &info,
+ sizeof info);
+@@ -2180,6 +2206,7 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ struct spu_dma_info info;
+ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+@@ -2189,11 +2216,12 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_dma_info_read(ctx, buf, len, pos);
++ spufs_get_dma_info(ctx, &info);
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &info,
++ sizeof(info));
+ }
+
+ static const struct file_operations spufs_dma_info_fops = {
+@@ -2202,13 +2230,31 @@ static const struct file_operations spufs_dma_info_fops = {
+ .llseek = no_llseek,
+ };
+
++static void spufs_get_proxydma_info(struct spu_context *ctx,
++ struct spu_proxydma_info *info)
++{
++ int i;
++
++ info->proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
++ info->proxydma_info_mask = ctx->csa.prob.dma_querymask_RW;
++ info->proxydma_info_status = ctx->csa.prob.dma_tagstatus_R;
++
++ for (i = 0; i < 8; i++) {
++ struct mfc_cq_sr *qp = &info->proxydma_info_command_data[i];
++ struct mfc_cq_sr *puqp = &ctx->csa.priv2.puq[i];
++
++ qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW;
++ qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW;
++ qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW;
++ qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW;
++ }
++}
++
+ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
+ char __user *buf, size_t len, loff_t *pos)
+ {
+ struct spu_proxydma_info info;
+- struct mfc_cq_sr *qp, *puqp;
+ int ret = sizeof info;
+- int i;
+
+ if (len < ret)
+ return -EINVAL;
+@@ -2216,18 +2262,7 @@ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+
+- info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
+- info.proxydma_info_mask = ctx->csa.prob.dma_querymask_RW;
+- info.proxydma_info_status = ctx->csa.prob.dma_tagstatus_R;
+- for (i = 0; i < 8; i++) {
+- qp = &info.proxydma_info_command_data[i];
+- puqp = &ctx->csa.priv2.puq[i];
+-
+- qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW;
+- qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW;
+- qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW;
+- qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW;
+- }
++ spufs_get_proxydma_info(ctx, &info);
+
+ return simple_read_from_buffer(buf, len, pos, &info,
+ sizeof info);
+@@ -2237,17 +2272,19 @@ static ssize_t spufs_proxydma_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ struct spu_proxydma_info info;
+ int ret;
+
+ ret = spu_acquire_saved(ctx);
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_proxydma_info_read(ctx, buf, len, pos);
++ spufs_get_proxydma_info(ctx, &info);
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &info,
++ sizeof(info));
+ }
+
+ static const struct file_operations spufs_proxydma_info_fops = {
+--
+2.25.1
+
mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
fat-don-t-allow-to-mount-if-the-fat-length-0.patch
can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch
+spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch
+bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch
+kgdb-prevent-infinite-recursive-entries-to-the-debug.patch
+spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch
+clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch
+btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch
+arm-8978-1-mm-make-act_mm-respect-thread_size.patch
+net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch
+staging-android-ion-use-vmap-instead-of-vm_map_ram.patch
+e1000-distribute-switch-variables-for-initialization.patch
+media-dvb-return-eremoteio-on-i2c-transfer-failure.patch
+mips-make-sparse_init-using-top-down-allocation.patch
+netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch
+lib-mpi-fix-64-bit-mips-build-with-clang.patch
+net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch
+net-allwinner-fix-use-correct-return-type-for-ndo_st.patch
+powerpc-spufs-fix-copy_to_user-while-atomic.patch
+mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch
+kgdb-fix-spurious-true-from-in_dbg_master.patch
+md-don-t-flush-workqueue-unconditionally-in-md_open.patch
+mwifiex-fix-memory-corruption-in-dump_station.patch
+mips-add-udelay-lpj-numbers-adjustment.patch
+x86-mm-stop-printing-brk-addresses.patch
+m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch
+macvlan-skip-loopback-packets-in-rx-handler.patch
+pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch
+mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch
+ixgbe-fix-signed-integer-overflow-warning.patch
+spi-dw-return-any-value-retrieved-from-the-dma_trans.patch
+cpuidle-fix-three-reference-count-leaks.patch
--- /dev/null
+From b28364c49c290c90a3f277855d098b6b0118304d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 03:07:51 +0300
+Subject: spi: dw: Enable interrupts in accordance with DMA xfer mode
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 43dba9f3f98c2b184a19f856f06fe22817bfd9e0 ]
+
+It's pointless to track the Tx overrun interrupts if Rx-only SPI
+transfer is issued. Similarly there is no need in handling the Rx
+overrun/underrun interrupts if Tx-only SPI transfer is executed.
+So lets unmask the interrupts only if corresponding SPI
+transactions are implied.
+
+Co-developed-by: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Signed-off-by: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Paul Burton <paulburton@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200522000806.7381-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index 4d6434b244e2..bd116f117b02 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -228,19 +228,23 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws,
+
+ static int mid_spi_dma_setup(struct dw_spi *dws, struct spi_transfer *xfer)
+ {
+- u16 dma_ctrl = 0;
++ u16 imr = 0, dma_ctrl = 0;
+
+ dw_writel(dws, DW_SPI_DMARDLR, 0xf);
+ dw_writel(dws, DW_SPI_DMATDLR, 0x10);
+
+- if (xfer->tx_buf)
++ if (xfer->tx_buf) {
+ dma_ctrl |= SPI_DMA_TDMAE;
+- if (xfer->rx_buf)
++ imr |= SPI_INT_TXOI;
++ }
++ if (xfer->rx_buf) {
+ dma_ctrl |= SPI_DMA_RDMAE;
++ imr |= SPI_INT_RXUI | SPI_INT_RXOI;
++ }
+ dw_writel(dws, DW_SPI_DMACR, dma_ctrl);
+
+ /* Set the interrupt mask */
+- spi_umask_intr(dws, SPI_INT_TXOI | SPI_INT_RXUI | SPI_INT_RXOI);
++ spi_umask_intr(dws, imr);
+
+ dws->transfer_handler = dma_transfer;
+
+--
+2.25.1
+
--- /dev/null
+From 30ca878b08ccaa7bbeb9a01a47bf5ccb229d3b0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2020 16:11:51 +0300
+Subject: spi: dw: Return any value retrieved from the dma_transfer callback
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit f0410bbf7d0fb80149e3b17d11d31f5b5197873e ]
+
+DW APB SSI DMA-part of the driver may need to perform the requested
+SPI-transfer synchronously. In that case the dma_transfer() callback
+will return 0 as a marker of the SPI transfer being finished so the
+SPI core doesn't need to wait and may proceed with the SPI message
+trasnfers pumping procedure. This will be needed to fix the problem
+when DMA transactions are finished, but there is still data left in
+the SPI Tx/Rx FIFOs being sent/received. But for now make dma_transfer
+to return 1 as the normal dw_spi_transfer_one() method.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Cc: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
+Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
+Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529131205.31838-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 2 +-
+ drivers/spi/spi-dw.c | 7 ++-----
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index bd116f117b02..14902efae621 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -274,7 +274,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, struct spi_transfer *xfer)
+ dma_async_issue_pending(dws->txchan);
+ }
+
+- return 0;
++ return 1;
+ }
+
+ static void mid_spi_dma_stop(struct dw_spi *dws)
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index 295249843e7c..8076fa708b24 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -385,11 +385,8 @@ static int dw_spi_transfer_one(struct spi_master *master,
+
+ spi_enable_chip(dws, 1);
+
+- if (dws->dma_mapped) {
+- ret = dws->dma_ops->dma_transfer(dws, transfer);
+- if (ret < 0)
+- return ret;
+- }
++ if (dws->dma_mapped)
++ return dws->dma_ops->dma_transfer(dws, transfer);
+
+ if (chip->poll_mode)
+ return poll_transfer(dws);
+--
+2.25.1
+
--- /dev/null
+From 9bd8d25208f87ecb4c5d414161fdf1a02d1f6849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 18:30:18 +0300
+Subject: spi: dw: Zero DMA Tx and Rx configurations on stack
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 3cb97e223d277f84171cc4ccecab31e08b2ee7b5 ]
+
+Some DMA controller drivers do not tolerate non-zero values in
+the DMA configuration structures. Zero them to avoid issues with
+such DMA controller drivers. Even despite above this is a good
+practice per se.
+
+Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Feng Tang <feng.tang@intel.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Link: https://lore.kernel.org/r/20200506153025.21441-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-mid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index bb1052e748f2..4d6434b244e2 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -155,6 +155,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_tx(struct dw_spi *dws,
+ if (!xfer->tx_buf)
+ return NULL;
+
++ memset(&txconf, 0, sizeof(txconf));
+ txconf.direction = DMA_MEM_TO_DEV;
+ txconf.dst_addr = dws->dma_addr;
+ txconf.dst_maxburst = 16;
+@@ -201,6 +202,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws,
+ if (!xfer->rx_buf)
+ return NULL;
+
++ memset(&rxconf, 0, sizeof(rxconf));
+ rxconf.direction = DMA_DEV_TO_MEM;
+ rxconf.src_addr = dws->dma_addr;
+ rxconf.src_maxburst = 16;
+--
+2.25.1
+
--- /dev/null
+From 210237cafb62abf8e9490a543a831555b68620c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 21:50:23 -0700
+Subject: staging: android: ion: use vmap instead of vm_map_ram
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 5bf9917452112694b2c774465ee4dbe441c84b77 ]
+
+vm_map_ram can keep mappings around after the vm_unmap_ram. Using that
+with non-PAGE_KERNEL mappings can lead to all kinds of aliasing issues.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Christophe Leroy <christophe.leroy@c-s.fr>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Gao Xiang <xiang@kernel.org>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Michael Kelley <mikelley@microsoft.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Nitin Gupta <ngupta@vflare.org>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: Wei Liu <wei.liu@kernel.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Paul Mackerras <paulus@ozlabs.org>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: http://lkml.kernel.org/r/20200414131348.444715-4-hch@lst.de
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/ion/ion_heap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
+index 13a9b4c42b26..ae08b3253c21 100644
+--- a/drivers/staging/android/ion/ion_heap.c
++++ b/drivers/staging/android/ion/ion_heap.c
+@@ -105,12 +105,12 @@ int ion_heap_map_user(struct ion_heap *heap, struct ion_buffer *buffer,
+
+ static int ion_heap_clear_pages(struct page **pages, int num, pgprot_t pgprot)
+ {
+- void *addr = vm_map_ram(pages, num, -1, pgprot);
++ void *addr = vmap(pages, num, VM_MAP, pgprot);
+
+ if (!addr)
+ return -ENOMEM;
+ memset(addr, 0, PAGE_SIZE * num);
+- vm_unmap_ram(addr, num);
++ vunmap(addr);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From ee7846b12c70e669b1d6ab7bd0bcd4b69965ffd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Feb 2020 18:11:20 -0500
+Subject: x86/mm: Stop printing BRK addresses
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 67d631b7c05eff955ccff4139327f0f92a5117e5 ]
+
+This currently leaks kernel physical addresses into userspace.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Dave Hansen <dave.hansen@intel.com>
+Link: https://lkml.kernel.org/r/20200229231120.1147527-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
+index f00eb52c16a6..17eb564901ca 100644
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -109,8 +109,6 @@ __ref void *alloc_low_pages(unsigned int num)
+ } else {
+ pfn = pgt_buf_end;
+ pgt_buf_end += num;
+- printk(KERN_DEBUG "BRK [%#010lx, %#010lx] PGTABLE\n",
+- pfn << PAGE_SHIFT, (pgt_buf_end << PAGE_SHIFT) - 1);
+ }
+
+ for (i = 0; i < num; i++) {
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
