--- /dev/null
+From 0f394daef89b38d58c91118a2b08b8a1b316703b Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Mon, 20 Jan 2020 12:35:47 +0800
+Subject: irqdomain: Fix a memory leak in irq_domain_push_irq()
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit 0f394daef89b38d58c91118a2b08b8a1b316703b upstream.
+
+Fix a memory leak reported by kmemleak:
+unreferenced object 0xffff000bc6f50e80 (size 128):
+ comm "kworker/23:2", pid 201, jiffies 4294894947 (age 942.132s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 41 00 00 00 86 c0 03 00 00 00 00 00 ....A...........
+ 00 a0 b2 c6 0b 00 ff ff 40 51 fd 10 00 80 ff ff ........@Q......
+ backtrace:
+ [<00000000e62d2240>] kmem_cache_alloc_trace+0x1a4/0x320
+ [<00000000279143c9>] irq_domain_push_irq+0x7c/0x188
+ [<00000000d9f4c154>] thunderx_gpio_probe+0x3ac/0x438
+ [<00000000fd09ec22>] pci_device_probe+0xe4/0x198
+ [<00000000d43eca75>] really_probe+0xdc/0x320
+ [<00000000d3ebab09>] driver_probe_device+0x5c/0xf0
+ [<000000005b3ecaa0>] __device_attach_driver+0x88/0xc0
+ [<000000004e5915f5>] bus_for_each_drv+0x7c/0xc8
+ [<0000000079d4db41>] __device_attach+0xe4/0x140
+ [<00000000883bbda9>] device_initial_probe+0x18/0x20
+ [<000000003be59ef6>] bus_probe_device+0x98/0xa0
+ [<0000000039b03d3f>] deferred_probe_work_func+0x74/0xa8
+ [<00000000870934ce>] process_one_work+0x1c8/0x470
+ [<00000000e3cce570>] worker_thread+0x1f8/0x428
+ [<000000005d64975e>] kthread+0xfc/0x128
+ [<00000000f0eaa764>] ret_from_fork+0x10/0x18
+
+Fixes: 495c38d3001f ("irqdomain: Add irq_domain_{push,pop}_irq() functions")
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200120043547.22271-1-haokexin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/irqdomain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/irq/irqdomain.c
++++ b/kernel/irq/irqdomain.c
+@@ -1421,6 +1421,7 @@ int irq_domain_push_irq(struct irq_domai
+ if (rv) {
+ /* Restore the original irq_data. */
+ *root_irq_data = *child_irq_data;
++ kfree(child_irq_data);
+ goto error;
+ }
+
--- /dev/null
+From 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 30 Jan 2020 22:13:51 -0800
+Subject: lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more()
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 upstream.
+
+In case memory resources for _ptr2_ were allocated, release them before
+return.
+
+Notice that in case _ptr1_ happens to be NULL, krealloc() behaves
+exactly like kmalloc().
+
+Addresses-Coverity-ID: 1490594 ("Resource leak")
+Link: http://lkml.kernel.org/r/20200123160115.GA4202@embeddedor
+Fixes: 3f15801cdc23 ("lib: add kasan test module")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/test_kasan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/test_kasan.c
++++ b/lib/test_kasan.c
+@@ -157,6 +157,7 @@ static noinline void __init kmalloc_oob_
+ if (!ptr1 || !ptr2) {
+ pr_err("Allocation failed\n");
+ kfree(ptr1);
++ kfree(ptr2);
+ return;
+ }
+
--- /dev/null
+From 4a873f3fa5d6ca52e446d306dd7194dd86a09422 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 16 Dec 2019 15:15:01 +0100
+Subject: media: v4l2-core: compat: ignore native command codes
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 4a873f3fa5d6ca52e446d306dd7194dd86a09422 upstream.
+
+The do_video_ioctl() compat handler converts the compat command
+codes into the native ones before processing further, but this
+causes problems for 32-bit user applications that pass a command
+code that matches a 64-bit native number, which will then be
+handled the same way.
+
+Specifically, this breaks VIDIOC_DQEVENT_TIME from user space
+applications with 64-bit time_t, as the structure layout is
+the same as the native 64-bit layout on many architectures
+(x86 being the notable exception).
+
+Change the handler to use the converted command code only for
+passing into the native ioctl handler, not for deciding on the
+conversion, in order to make the compat behavior match the
+native behavior.
+
+Actual support for the 64-bit time_t version of VIDIOC_DQEVENT_TIME
+and other commands still needs to be added in a separate patch.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 148 +++++++++++++-------------
+ 1 file changed, 75 insertions(+), 73 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -1171,36 +1171,38 @@ static long do_video_ioctl(struct file *
+ u32 aux_space;
+ int compatible_arg = 1;
+ long err = 0;
++ unsigned int ncmd;
+
+ /*
+ * 1. When struct size is different, converts the command.
+ */
+ switch (cmd) {
+- case VIDIOC_G_FMT32: cmd = VIDIOC_G_FMT; break;
+- case VIDIOC_S_FMT32: cmd = VIDIOC_S_FMT; break;
+- case VIDIOC_QUERYBUF32: cmd = VIDIOC_QUERYBUF; break;
+- case VIDIOC_G_FBUF32: cmd = VIDIOC_G_FBUF; break;
+- case VIDIOC_S_FBUF32: cmd = VIDIOC_S_FBUF; break;
+- case VIDIOC_QBUF32: cmd = VIDIOC_QBUF; break;
+- case VIDIOC_DQBUF32: cmd = VIDIOC_DQBUF; break;
+- case VIDIOC_ENUMSTD32: cmd = VIDIOC_ENUMSTD; break;
+- case VIDIOC_ENUMINPUT32: cmd = VIDIOC_ENUMINPUT; break;
+- case VIDIOC_TRY_FMT32: cmd = VIDIOC_TRY_FMT; break;
+- case VIDIOC_G_EXT_CTRLS32: cmd = VIDIOC_G_EXT_CTRLS; break;
+- case VIDIOC_S_EXT_CTRLS32: cmd = VIDIOC_S_EXT_CTRLS; break;
+- case VIDIOC_TRY_EXT_CTRLS32: cmd = VIDIOC_TRY_EXT_CTRLS; break;
+- case VIDIOC_DQEVENT32: cmd = VIDIOC_DQEVENT; break;
+- case VIDIOC_OVERLAY32: cmd = VIDIOC_OVERLAY; break;
+- case VIDIOC_STREAMON32: cmd = VIDIOC_STREAMON; break;
+- case VIDIOC_STREAMOFF32: cmd = VIDIOC_STREAMOFF; break;
+- case VIDIOC_G_INPUT32: cmd = VIDIOC_G_INPUT; break;
+- case VIDIOC_S_INPUT32: cmd = VIDIOC_S_INPUT; break;
+- case VIDIOC_G_OUTPUT32: cmd = VIDIOC_G_OUTPUT; break;
+- case VIDIOC_S_OUTPUT32: cmd = VIDIOC_S_OUTPUT; break;
+- case VIDIOC_CREATE_BUFS32: cmd = VIDIOC_CREATE_BUFS; break;
+- case VIDIOC_PREPARE_BUF32: cmd = VIDIOC_PREPARE_BUF; break;
+- case VIDIOC_G_EDID32: cmd = VIDIOC_G_EDID; break;
+- case VIDIOC_S_EDID32: cmd = VIDIOC_S_EDID; break;
++ case VIDIOC_G_FMT32: ncmd = VIDIOC_G_FMT; break;
++ case VIDIOC_S_FMT32: ncmd = VIDIOC_S_FMT; break;
++ case VIDIOC_QUERYBUF32: ncmd = VIDIOC_QUERYBUF; break;
++ case VIDIOC_G_FBUF32: ncmd = VIDIOC_G_FBUF; break;
++ case VIDIOC_S_FBUF32: ncmd = VIDIOC_S_FBUF; break;
++ case VIDIOC_QBUF32: ncmd = VIDIOC_QBUF; break;
++ case VIDIOC_DQBUF32: ncmd = VIDIOC_DQBUF; break;
++ case VIDIOC_ENUMSTD32: ncmd = VIDIOC_ENUMSTD; break;
++ case VIDIOC_ENUMINPUT32: ncmd = VIDIOC_ENUMINPUT; break;
++ case VIDIOC_TRY_FMT32: ncmd = VIDIOC_TRY_FMT; break;
++ case VIDIOC_G_EXT_CTRLS32: ncmd = VIDIOC_G_EXT_CTRLS; break;
++ case VIDIOC_S_EXT_CTRLS32: ncmd = VIDIOC_S_EXT_CTRLS; break;
++ case VIDIOC_TRY_EXT_CTRLS32: ncmd = VIDIOC_TRY_EXT_CTRLS; break;
++ case VIDIOC_DQEVENT32: ncmd = VIDIOC_DQEVENT; break;
++ case VIDIOC_OVERLAY32: ncmd = VIDIOC_OVERLAY; break;
++ case VIDIOC_STREAMON32: ncmd = VIDIOC_STREAMON; break;
++ case VIDIOC_STREAMOFF32: ncmd = VIDIOC_STREAMOFF; break;
++ case VIDIOC_G_INPUT32: ncmd = VIDIOC_G_INPUT; break;
++ case VIDIOC_S_INPUT32: ncmd = VIDIOC_S_INPUT; break;
++ case VIDIOC_G_OUTPUT32: ncmd = VIDIOC_G_OUTPUT; break;
++ case VIDIOC_S_OUTPUT32: ncmd = VIDIOC_S_OUTPUT; break;
++ case VIDIOC_CREATE_BUFS32: ncmd = VIDIOC_CREATE_BUFS; break;
++ case VIDIOC_PREPARE_BUF32: ncmd = VIDIOC_PREPARE_BUF; break;
++ case VIDIOC_G_EDID32: ncmd = VIDIOC_G_EDID; break;
++ case VIDIOC_S_EDID32: ncmd = VIDIOC_S_EDID; break;
++ default: ncmd = cmd; break;
+ }
+
+ /*
+@@ -1209,11 +1211,11 @@ static long do_video_ioctl(struct file *
+ * argument into it.
+ */
+ switch (cmd) {
+- case VIDIOC_OVERLAY:
+- case VIDIOC_STREAMON:
+- case VIDIOC_STREAMOFF:
+- case VIDIOC_S_INPUT:
+- case VIDIOC_S_OUTPUT:
++ case VIDIOC_OVERLAY32:
++ case VIDIOC_STREAMON32:
++ case VIDIOC_STREAMOFF32:
++ case VIDIOC_S_INPUT32:
++ case VIDIOC_S_OUTPUT32:
+ err = alloc_userspace(sizeof(unsigned int), 0, &new_p64);
+ if (!err && assign_in_user((unsigned int __user *)new_p64,
+ (compat_uint_t __user *)p32))
+@@ -1221,23 +1223,23 @@ static long do_video_ioctl(struct file *
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_INPUT:
+- case VIDIOC_G_OUTPUT:
++ case VIDIOC_G_INPUT32:
++ case VIDIOC_G_OUTPUT32:
+ err = alloc_userspace(sizeof(unsigned int), 0, &new_p64);
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_EDID:
+- case VIDIOC_S_EDID:
++ case VIDIOC_G_EDID32:
++ case VIDIOC_S_EDID32:
+ err = alloc_userspace(sizeof(struct v4l2_edid), 0, &new_p64);
+ if (!err)
+ err = get_v4l2_edid32(new_p64, p32);
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_FMT:
+- case VIDIOC_S_FMT:
+- case VIDIOC_TRY_FMT:
++ case VIDIOC_G_FMT32:
++ case VIDIOC_S_FMT32:
++ case VIDIOC_TRY_FMT32:
+ err = bufsize_v4l2_format(p32, &aux_space);
+ if (!err)
+ err = alloc_userspace(sizeof(struct v4l2_format),
+@@ -1250,7 +1252,7 @@ static long do_video_ioctl(struct file *
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_CREATE_BUFS:
++ case VIDIOC_CREATE_BUFS32:
+ err = bufsize_v4l2_create(p32, &aux_space);
+ if (!err)
+ err = alloc_userspace(sizeof(struct v4l2_create_buffers),
+@@ -1263,10 +1265,10 @@ static long do_video_ioctl(struct file *
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_PREPARE_BUF:
+- case VIDIOC_QUERYBUF:
+- case VIDIOC_QBUF:
+- case VIDIOC_DQBUF:
++ case VIDIOC_PREPARE_BUF32:
++ case VIDIOC_QUERYBUF32:
++ case VIDIOC_QBUF32:
++ case VIDIOC_DQBUF32:
+ err = bufsize_v4l2_buffer(p32, &aux_space);
+ if (!err)
+ err = alloc_userspace(sizeof(struct v4l2_buffer),
+@@ -1279,7 +1281,7 @@ static long do_video_ioctl(struct file *
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_S_FBUF:
++ case VIDIOC_S_FBUF32:
+ err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
+ &new_p64);
+ if (!err)
+@@ -1287,13 +1289,13 @@ static long do_video_ioctl(struct file *
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_FBUF:
++ case VIDIOC_G_FBUF32:
+ err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
+ &new_p64);
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_ENUMSTD:
++ case VIDIOC_ENUMSTD32:
+ err = alloc_userspace(sizeof(struct v4l2_standard), 0,
+ &new_p64);
+ if (!err)
+@@ -1301,16 +1303,16 @@ static long do_video_ioctl(struct file *
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_ENUMINPUT:
++ case VIDIOC_ENUMINPUT32:
+ err = alloc_userspace(sizeof(struct v4l2_input), 0, &new_p64);
+ if (!err)
+ err = get_v4l2_input32(new_p64, p32);
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_EXT_CTRLS:
+- case VIDIOC_S_EXT_CTRLS:
+- case VIDIOC_TRY_EXT_CTRLS:
++ case VIDIOC_G_EXT_CTRLS32:
++ case VIDIOC_S_EXT_CTRLS32:
++ case VIDIOC_TRY_EXT_CTRLS32:
+ err = bufsize_v4l2_ext_controls(p32, &aux_space);
+ if (!err)
+ err = alloc_userspace(sizeof(struct v4l2_ext_controls),
+@@ -1322,7 +1324,7 @@ static long do_video_ioctl(struct file *
+ }
+ compatible_arg = 0;
+ break;
+- case VIDIOC_DQEVENT:
++ case VIDIOC_DQEVENT32:
+ err = alloc_userspace(sizeof(struct v4l2_event), 0, &new_p64);
+ compatible_arg = 0;
+ break;
+@@ -1340,9 +1342,9 @@ static long do_video_ioctl(struct file *
+ * Otherwise, it will pass the newly allocated @new_p64 argument.
+ */
+ if (compatible_arg)
+- err = native_ioctl(file, cmd, (unsigned long)p32);
++ err = native_ioctl(file, ncmd, (unsigned long)p32);
+ else
+- err = native_ioctl(file, cmd, (unsigned long)new_p64);
++ err = native_ioctl(file, ncmd, (unsigned long)new_p64);
+
+ if (err == -ENOTTY)
+ return err;
+@@ -1358,13 +1360,13 @@ static long do_video_ioctl(struct file *
+ * the blocks to maximum allowed value.
+ */
+ switch (cmd) {
+- case VIDIOC_G_EXT_CTRLS:
+- case VIDIOC_S_EXT_CTRLS:
+- case VIDIOC_TRY_EXT_CTRLS:
++ case VIDIOC_G_EXT_CTRLS32:
++ case VIDIOC_S_EXT_CTRLS32:
++ case VIDIOC_TRY_EXT_CTRLS32:
+ if (put_v4l2_ext_controls32(file, new_p64, p32))
+ err = -EFAULT;
+ break;
+- case VIDIOC_S_EDID:
++ case VIDIOC_S_EDID32:
+ if (put_v4l2_edid32(new_p64, p32))
+ err = -EFAULT;
+ break;
+@@ -1377,49 +1379,49 @@ static long do_video_ioctl(struct file *
+ * the original 32 bits structure.
+ */
+ switch (cmd) {
+- case VIDIOC_S_INPUT:
+- case VIDIOC_S_OUTPUT:
+- case VIDIOC_G_INPUT:
+- case VIDIOC_G_OUTPUT:
++ case VIDIOC_S_INPUT32:
++ case VIDIOC_S_OUTPUT32:
++ case VIDIOC_G_INPUT32:
++ case VIDIOC_G_OUTPUT32:
+ if (assign_in_user((compat_uint_t __user *)p32,
+ ((unsigned int __user *)new_p64)))
+ err = -EFAULT;
+ break;
+
+- case VIDIOC_G_FBUF:
++ case VIDIOC_G_FBUF32:
+ err = put_v4l2_framebuffer32(new_p64, p32);
+ break;
+
+- case VIDIOC_DQEVENT:
++ case VIDIOC_DQEVENT32:
+ err = put_v4l2_event32(new_p64, p32);
+ break;
+
+- case VIDIOC_G_EDID:
++ case VIDIOC_G_EDID32:
+ err = put_v4l2_edid32(new_p64, p32);
+ break;
+
+- case VIDIOC_G_FMT:
+- case VIDIOC_S_FMT:
+- case VIDIOC_TRY_FMT:
++ case VIDIOC_G_FMT32:
++ case VIDIOC_S_FMT32:
++ case VIDIOC_TRY_FMT32:
+ err = put_v4l2_format32(new_p64, p32);
+ break;
+
+- case VIDIOC_CREATE_BUFS:
++ case VIDIOC_CREATE_BUFS32:
+ err = put_v4l2_create32(new_p64, p32);
+ break;
+
+- case VIDIOC_PREPARE_BUF:
+- case VIDIOC_QUERYBUF:
+- case VIDIOC_QBUF:
+- case VIDIOC_DQBUF:
++ case VIDIOC_PREPARE_BUF32:
++ case VIDIOC_QUERYBUF32:
++ case VIDIOC_QBUF32:
++ case VIDIOC_DQBUF32:
+ err = put_v4l2_buffer32(new_p64, p32);
+ break;
+
+- case VIDIOC_ENUMSTD:
++ case VIDIOC_ENUMSTD32:
+ err = put_v4l2_standard32(new_p64, p32);
+ break;
+
+- case VIDIOC_ENUMINPUT:
++ case VIDIOC_ENUMINPUT32:
+ err = put_v4l2_input32(new_p64, p32);
+ break;
+ }
--- /dev/null
+From 3c7470b6f68434acae459482ab920d1e3fabd1c7 Mon Sep 17 00:00:00 2001
+From: John Hubbard <jhubbard@nvidia.com>
+Date: Thu, 30 Jan 2020 22:12:50 -0800
+Subject: media/v4l2-core: set pages dirty upon releasing DMA buffers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Hubbard <jhubbard@nvidia.com>
+
+commit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream.
+
+After DMA is complete, and the device and CPU caches are synchronized,
+it's still required to mark the CPU pages as dirty, if the data was
+coming from the device. However, this driver was just issuing a bare
+put_page() call, without any set_page_dirty*() call.
+
+Fix the problem, by calling set_page_dirty_lock() if the CPU pages were
+potentially receiving data from the device.
+
+Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com
+Signed-off-by: John Hubbard <jhubbard@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: <stable@vger.kernel.org>
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Björn Töpel <bjorn.topel@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jason Gunthorpe <jgg@mellanox.com>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Leon Romanovsky <leonro@mellanox.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf-dma-sg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf-dma-sg.c
++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c
+@@ -352,8 +352,11 @@ int videobuf_dma_free(struct videobuf_dm
+ BUG_ON(dma->sglen);
+
+ if (dma->pages) {
+- for (i = 0; i < dma->nr_pages; i++)
++ for (i = 0; i < dma->nr_pages; i++) {
++ if (dma->direction == DMA_FROM_DEVICE)
++ set_page_dirty_lock(dma->pages[i]);
+ put_page(dma->pages[i]);
++ }
+ kfree(dma->pages);
+ dma->pages = NULL;
+ }
--- /dev/null
+From f51e50db4c20d46930b33be3f208851265694f3e Mon Sep 17 00:00:00 2001
+From: Helen Koike <helen.koike@collabora.com>
+Date: Tue, 17 Dec 2019 21:00:22 +0100
+Subject: media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments
+
+From: Helen Koike <helen.koike@collabora.com>
+
+commit f51e50db4c20d46930b33be3f208851265694f3e upstream.
+
+boundary->width and boundary->height are sizes relative to
+boundary->left and boundary->top coordinates, but they were not being
+taken into consideration to adjust r->left and r->top, leading to the
+following error:
+
+Consider the follow as initial values for boundary and r:
+
+struct v4l2_rect boundary = {
+ .left = 100,
+ .top = 100,
+ .width = 800,
+ .height = 600,
+}
+
+struct v4l2_rect r = {
+ .left = 0,
+ .top = 0,
+ .width = 1920,
+ .height = 960,
+}
+
+calling v4l2_rect_map_inside(&r, &boundary) was modifying r to:
+
+r = {
+ .left = 0,
+ .top = 0,
+ .width = 800,
+ .height = 600,
+}
+
+Which is wrongly outside the boundary rectangle, because:
+
+ v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600
+ ...
+ if (r->left + r->width > boundary->width) // true
+ r->left = boundary->width - r->width; // r->left = 800 - 800
+ if (r->top + r->height > boundary->height) // true
+ r->top = boundary->height - r->height; // r->height = 600 - 600
+
+Fix this by considering top/left coordinates from boundary.
+
+Fixes: ac49de8c49d7 ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions")
+Signed-off-by: Helen Koike <helen.koike@collabora.com>
+Cc: <stable@vger.kernel.org> # for v4.7 and up
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/media/v4l2-rect.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/media/v4l2-rect.h
++++ b/include/media/v4l2-rect.h
+@@ -63,10 +63,10 @@ static inline void v4l2_rect_map_inside(
+ r->left = boundary->left;
+ if (r->top < boundary->top)
+ r->top = boundary->top;
+- if (r->left + r->width > boundary->width)
+- r->left = boundary->width - r->width;
+- if (r->top + r->height > boundary->height)
+- r->top = boundary->height - r->height;
++ if (r->left + r->width > boundary->left + boundary->width)
++ r->left = boundary->left + boundary->width - r->width;
++ if (r->top + r->height > boundary->top + boundary->height)
++ r->top = boundary->top + boundary->height - r->height;
+ }
+
+ /**
--- /dev/null
+From f1037ec0cc8ac1a450974ad9754e991f72884f48 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 30 Jan 2020 22:11:17 -0800
+Subject: mm/memory_hotplug: fix remove_memory() lockdep splat
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit f1037ec0cc8ac1a450974ad9754e991f72884f48 upstream.
+
+The daxctl unit test for the dax_kmem driver currently triggers the
+(false positive) lockdep splat below. It results from the fact that
+remove_memory_block_devices() is invoked under the mem_hotplug_lock()
+causing lockdep entanglements with cpu_hotplug_lock() and sysfs (kernfs
+active state tracking). It is a false positive because the sysfs
+attribute path triggering the memory remove is not the same attribute
+path associated with memory-block device.
+
+sysfs_break_active_protection() is not applicable since there is no real
+deadlock conflict, instead move memory-block device removal outside the
+lock. The mem_hotplug_lock() is not needed to synchronize the
+memory-block device removal vs the page online state, that is already
+handled by lock_device_hotplug(). Specifically, lock_device_hotplug()
+is sufficient to allow try_remove_memory() to check the offline state of
+the memblocks and be assured that any in progress online attempts are
+flushed / blocked by kernfs_drain() / attribute removal.
+
+The add_memory() path safely creates memblock devices under the
+mem_hotplug_lock(). There is no kernfs active state synchronization in
+the memblock device_register() path, so nothing to fix there.
+
+This change is only possible thanks to the recent change that refactored
+memory block device removal out of arch_remove_memory() (commit
+4c4b7f9ba948 "mm/memory_hotplug: remove memory block devices before
+arch_remove_memory()"), and David's due diligence tracking down the
+guarantees afforded by kernfs_drain(). Not flagged for -stable since
+this only impacts ongoing development and lockdep validation, not a
+runtime issue.
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 5.5.0-rc3+ #230 Tainted: G OE
+ ------------------------------------------------------
+ lt-daxctl/6459 is trying to acquire lock:
+ ffff99c7f0003510 (kn->count#241){++++}, at: kernfs_remove_by_name_ns+0x41/0x80
+
+ but task is already holding lock:
+ ffffffffa76a5450 (mem_hotplug_lock.rw_sem){++++}, at: percpu_down_write+0x20/0xe0
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #2 (mem_hotplug_lock.rw_sem){++++}:
+ __lock_acquire+0x39c/0x790
+ lock_acquire+0xa2/0x1b0
+ get_online_mems+0x3e/0xb0
+ kmem_cache_create_usercopy+0x2e/0x260
+ kmem_cache_create+0x12/0x20
+ ptlock_cache_init+0x20/0x28
+ start_kernel+0x243/0x547
+ secondary_startup_64+0xb6/0xc0
+
+ -> #1 (cpu_hotplug_lock.rw_sem){++++}:
+ __lock_acquire+0x39c/0x790
+ lock_acquire+0xa2/0x1b0
+ cpus_read_lock+0x3e/0xb0
+ online_pages+0x37/0x300
+ memory_subsys_online+0x17d/0x1c0
+ device_online+0x60/0x80
+ state_store+0x65/0xd0
+ kernfs_fop_write+0xcf/0x1c0
+ vfs_write+0xdb/0x1d0
+ ksys_write+0x65/0xe0
+ do_syscall_64+0x5c/0xa0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ -> #0 (kn->count#241){++++}:
+ check_prev_add+0x98/0xa40
+ validate_chain+0x576/0x860
+ __lock_acquire+0x39c/0x790
+ lock_acquire+0xa2/0x1b0
+ __kernfs_remove+0x25f/0x2e0
+ kernfs_remove_by_name_ns+0x41/0x80
+ remove_files.isra.0+0x30/0x70
+ sysfs_remove_group+0x3d/0x80
+ sysfs_remove_groups+0x29/0x40
+ device_remove_attrs+0x39/0x70
+ device_del+0x16a/0x3f0
+ device_unregister+0x16/0x60
+ remove_memory_block_devices+0x82/0xb0
+ try_remove_memory+0xb5/0x130
+ remove_memory+0x26/0x40
+ dev_dax_kmem_remove+0x44/0x6a [kmem]
+ device_release_driver_internal+0xe4/0x1c0
+ unbind_store+0xef/0x120
+ kernfs_fop_write+0xcf/0x1c0
+ vfs_write+0xdb/0x1d0
+ ksys_write+0x65/0xe0
+ do_syscall_64+0x5c/0xa0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ other info that might help us debug this:
+
+ Chain exists of:
+ kn->count#241 --> cpu_hotplug_lock.rw_sem --> mem_hotplug_lock.rw_sem
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(mem_hotplug_lock.rw_sem);
+ lock(cpu_hotplug_lock.rw_sem);
+ lock(mem_hotplug_lock.rw_sem);
+ lock(kn->count#241);
+
+ *** DEADLOCK ***
+
+No fixes tag as this has been a long standing issue that predated the
+addition of kernfs lockdep annotations.
+
+Link: http://lkml.kernel.org/r/157991441887.2763922.4770790047389427325.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory_hotplug.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1902,8 +1902,6 @@ void __ref __remove_memory(int nid, u64
+
+ BUG_ON(check_hotplug_memory_range(start, size));
+
+- mem_hotplug_begin();
+-
+ /*
+ * All memory blocks must be offlined before removing memory. Check
+ * whether all memory blocks in question are offline and trigger a BUG()
+@@ -1919,9 +1917,14 @@ void __ref __remove_memory(int nid, u64
+ memblock_free(start, size);
+ memblock_remove(start, size);
+
+- /* remove memory block devices before removing memory */
++ /*
++ * Memory block device removal under the device_hotplug_lock is
++ * a barrier against racing online attempts.
++ */
+ remove_memory_block_devices(start, size);
+
++ mem_hotplug_begin();
++
+ arch_remove_memory(nid, start, size, NULL);
+ __release_memory_resource(start, size);
+
--- /dev/null
+From 5984fabb6e82d9ab4e6305cb99694c85d46de8ae Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang.shi@linux.alibaba.com>
+Date: Thu, 30 Jan 2020 22:11:24 -0800
+Subject: mm: move_pages: report the number of non-attempted pages
+
+From: Yang Shi <yang.shi@linux.alibaba.com>
+
+commit 5984fabb6e82d9ab4e6305cb99694c85d46de8ae upstream.
+
+Since commit a49bd4d71637 ("mm, numa: rework do_pages_move"), the
+semantic of move_pages() has changed to return the number of
+non-migrated pages if they were result of a non-fatal reasons (usually a
+busy page).
+
+This was an unintentional change that hasn't been noticed except for LTP
+tests which checked for the documented behavior.
+
+There are two ways to go around this change. We can even get back to
+the original behavior and return -EAGAIN whenever migrate_pages is not
+able to migrate pages due to non-fatal reasons. Another option would be
+to simply continue with the changed semantic and extend move_pages
+documentation to clarify that -errno is returned on an invalid input or
+when migration simply cannot succeed (e.g. -ENOMEM, -EBUSY) or the
+number of pages that couldn't have been migrated due to ephemeral
+reasons (e.g. page is pinned or locked for other reasons).
+
+This patch implements the second option because this behavior is in
+place for some time without anybody complaining and possibly new users
+depending on it. Also it allows to have a slightly easier error
+handling as the caller knows that it is worth to retry when err > 0.
+
+But since the new semantic would be aborted immediately if migration is
+failed due to ephemeral reasons, need include the number of
+non-attempted pages in the return value too.
+
+Link: http://lkml.kernel.org/r/1580160527-109104-1-git-send-email-yang.shi@linux.alibaba.com
+Fixes: a49bd4d71637 ("mm, numa: rework do_pages_move")
+Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
+Suggested-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Wei Yang <richardw.yang@linux.intel.com>
+Cc: <stable@vger.kernel.org> [4.17+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/migrate.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -1623,8 +1623,19 @@ static int do_pages_move(struct mm_struc
+ start = i;
+ } else if (node != current_node) {
+ err = do_move_pages_to_node(mm, &pagelist, current_node);
+- if (err)
++ if (err) {
++ /*
++ * Positive err means the number of failed
++ * pages to migrate. Since we are going to
++ * abort and return the number of non-migrated
++ * pages, so need to incude the rest of the
++ * nr_pages that have not been attempted as
++ * well.
++ */
++ if (err > 0)
++ err += nr_pages - i - 1;
+ goto out;
++ }
+ err = store_status(status, start, current_node, i - start);
+ if (err)
+ goto out;
+@@ -1655,8 +1666,11 @@ static int do_pages_move(struct mm_struc
+ goto out_flush;
+
+ err = do_move_pages_to_node(mm, &pagelist, current_node);
+- if (err)
++ if (err) {
++ if (err > 0)
++ err += nr_pages - i - 1;
+ goto out;
++ }
+ if (i > start) {
+ err = store_status(status, start, current_node, i - start);
+ if (err)
+@@ -1670,6 +1684,13 @@ out_flush:
+
+ /* Make sure we do not overwrite the existing error */
+ err1 = do_move_pages_to_node(mm, &pagelist, current_node);
++ /*
++ * Don't have to report non-attempted pages here since:
++ * - If the above loop is done gracefully all pages have been
++ * attempted.
++ * - If the above loop is aborted it means a fatal error
++ * happened, should return ret.
++ */
+ if (!err1)
+ err1 = store_status(status, start, current_node, i - start);
+ if (err >= 0)
--- /dev/null
+From e48b72a568bbd641c91dad354138d3c17d03ee6f Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 22 Jan 2020 19:28:04 +0300
+Subject: platform/x86: intel_scu_ipc: Fix interrupt support
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit e48b72a568bbd641c91dad354138d3c17d03ee6f upstream.
+
+Currently the driver has disabled interrupt support for Tangier but
+actually interrupt works just fine if the command is not written twice
+in a row. Also we need to ack the interrupt in the handler.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/intel_scu_ipc.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -69,26 +69,22 @@
+ struct intel_scu_ipc_pdata_t {
+ u32 i2c_base;
+ u32 i2c_len;
+- u8 irq_mode;
+ };
+
+ static const struct intel_scu_ipc_pdata_t intel_scu_ipc_lincroft_pdata = {
+ .i2c_base = 0xff12b000,
+ .i2c_len = 0x10,
+- .irq_mode = 0,
+ };
+
+ /* Penwell and Cloverview */
+ static const struct intel_scu_ipc_pdata_t intel_scu_ipc_penwell_pdata = {
+ .i2c_base = 0xff12b000,
+ .i2c_len = 0x10,
+- .irq_mode = 1,
+ };
+
+ static const struct intel_scu_ipc_pdata_t intel_scu_ipc_tangier_pdata = {
+ .i2c_base = 0xff00d000,
+ .i2c_len = 0x10,
+- .irq_mode = 0,
+ };
+
+ struct intel_scu_ipc_dev {
+@@ -101,6 +97,9 @@ struct intel_scu_ipc_dev {
+
+ static struct intel_scu_ipc_dev ipcdev; /* Only one for now */
+
++#define IPC_STATUS 0x04
++#define IPC_STATUS_IRQ BIT(2)
++
+ /*
+ * IPC Read Buffer (Read Only):
+ * 16 byte buffer for receiving data from SCU, if IPC command
+@@ -122,11 +121,8 @@ static DEFINE_MUTEX(ipclock); /* lock us
+ */
+ static inline void ipc_command(struct intel_scu_ipc_dev *scu, u32 cmd)
+ {
+- if (scu->irq_mode) {
+- reinit_completion(&scu->cmd_complete);
+- writel(cmd | IPC_IOC, scu->ipc_base);
+- }
+- writel(cmd, scu->ipc_base);
++ reinit_completion(&scu->cmd_complete);
++ writel(cmd | IPC_IOC, scu->ipc_base);
+ }
+
+ /*
+@@ -612,9 +608,10 @@ EXPORT_SYMBOL(intel_scu_ipc_i2c_cntrl);
+ static irqreturn_t ioc(int irq, void *dev_id)
+ {
+ struct intel_scu_ipc_dev *scu = dev_id;
++ int status = ipc_read_status(scu);
+
+- if (scu->irq_mode)
+- complete(&scu->cmd_complete);
++ writel(status | IPC_STATUS_IRQ, scu->ipc_base + IPC_STATUS);
++ complete(&scu->cmd_complete);
+
+ return IRQ_HANDLED;
+ }
+@@ -640,8 +637,6 @@ static int ipc_probe(struct pci_dev *pde
+ if (!pdata)
+ return -ENODEV;
+
+- scu->irq_mode = pdata->irq_mode;
+-
+ err = pcim_enable_device(pdev);
+ if (err)
+ return err;
usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch
alsa-usb-audio-fix-endianess-in-descriptor-validation.patch
alsa-dummy-fix-pcm-format-loop-in-proc-output.patch
+mm-memory_hotplug-fix-remove_memory-lockdep-splat.patch
+mm-move_pages-report-the-number-of-non-attempted-pages.patch
+media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch
+media-v4l2-core-compat-ignore-native-command-codes.patch
+media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch
+lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch
+irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch
+platform-x86-intel_scu_ipc-fix-interrupt-support.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
