--- /dev/null
+From 175eeee224a63bfbf26faa08ebbdd916ed3510d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jun 2020 10:19:50 -0700
+Subject: ARM: dts: Fix duovero smsc interrupt for suspend
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 9cf28e41f9f768791f54ee18333239fda6927ed8 ]
+
+While testing the recent suspend and resume regressions I noticed that
+duovero can still end up losing edge gpio interrupts on runtime
+suspend. This causes NFSroot easily stopping working after resume on
+duovero.
+
+Let's fix the issue by using gpio level interrupts for smsc as then
+the gpio interrupt state is seen by the gpio controller on resume.
+
+Fixes: 731b409878a3 ("ARM: dts: Configure duovero for to allow core retention during idle")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap4-duovero-parlor.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/omap4-duovero-parlor.dts b/arch/arm/boot/dts/omap4-duovero-parlor.dts
+index cfcac0d73851e..93d6fb6db5785 100644
+--- a/arch/arm/boot/dts/omap4-duovero-parlor.dts
++++ b/arch/arm/boot/dts/omap4-duovero-parlor.dts
+@@ -142,7 +142,7 @@ &gpmc {
+ ethernet@gpmc {
+ reg = <5 0 0xff>;
+ interrupt-parent = <&gpio2>;
+- interrupts = <12 IRQ_TYPE_EDGE_FALLING>; /* gpio_44 */
++ interrupts = <12 IRQ_TYPE_LEVEL_LOW>; /* gpio_44 */
+
+ phy-mode = "mii";
+
+--
+2.25.1
+
--- /dev/null
+From f2fc1231fd2b4cc733cb35b58c887d9e8f8c9669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 15:19:00 -0700
+Subject: ARM: dts: NSP: Correct FA2 mailbox node
+
+From: Matthew Hagan <mnhagan88@gmail.com>
+
+[ Upstream commit ac4e106d8934a5894811fc263f4b03fc8ed0fb7a ]
+
+The FA2 mailbox is specified at 0x18025000 but should actually be
+0x18025c00, length 0x400 according to socregs_nsp.h and board_bu.c. Also
+the interrupt was off by one and should be GIC SPI 151 instead of 150.
+
+Fixes: 17d517172300 ("ARM: dts: NSP: Add mailbox (PDC) to NSP")
+Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm-nsp.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm-nsp.dtsi b/arch/arm/boot/dts/bcm-nsp.dtsi
+index 2b219addeb449..273a316045798 100644
+--- a/arch/arm/boot/dts/bcm-nsp.dtsi
++++ b/arch/arm/boot/dts/bcm-nsp.dtsi
+@@ -249,10 +249,10 @@ amac2: ethernet@24000 {
+ status = "disabled";
+ };
+
+- mailbox: mailbox@25000 {
++ mailbox: mailbox@25c00 {
+ compatible = "brcm,iproc-fa2-mbox";
+- reg = <0x25000 0x445>;
+- interrupts = <GIC_SPI 150 IRQ_TYPE_LEVEL_HIGH>;
++ reg = <0x25c00 0x400>;
++ interrupts = <GIC_SPI 151 IRQ_TYPE_LEVEL_HIGH>;
+ #mbox-cells = <1>;
+ brcm,rx-status-len = <32>;
+ brcm,use-bcm-hdr;
+--
+2.25.1
+
--- /dev/null
+From d28e6b927679b6116a7cc5de9fcc0741a840a625 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 20:42:06 +0800
+Subject: ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
+
+From: yu kuai <yukuai3@huawei.com>
+
+[ Upstream commit 586745f1598ccf71b0a5a6df2222dee0a865954e ]
+
+if of_find_device_by_node() succeed, imx_suspend_alloc_ocram() doesn't
+have a corresponding put_device(). Thus add a jump target to fix the
+exception handling for this function implementation.
+
+Fixes: 1579c7b9fe01 ("ARM: imx53: Set DDR pins to high impedance when in suspend to RAM.")
+Signed-off-by: yu kuai <yukuai3@huawei.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-imx/pm-imx5.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/mach-imx/pm-imx5.c b/arch/arm/mach-imx/pm-imx5.c
+index 868781fd460c7..14c630c899c5d 100644
+--- a/arch/arm/mach-imx/pm-imx5.c
++++ b/arch/arm/mach-imx/pm-imx5.c
+@@ -301,14 +301,14 @@ static int __init imx_suspend_alloc_ocram(
+ if (!ocram_pool) {
+ pr_warn("%s: ocram pool unavailable!\n", __func__);
+ ret = -ENODEV;
+- goto put_node;
++ goto put_device;
+ }
+
+ ocram_base = gen_pool_alloc(ocram_pool, size);
+ if (!ocram_base) {
+ pr_warn("%s: unable to alloc ocram!\n", __func__);
+ ret = -ENOMEM;
+- goto put_node;
++ goto put_device;
+ }
+
+ phys = gen_pool_virt_to_phys(ocram_pool, ocram_base);
+@@ -318,6 +318,8 @@ static int __init imx_suspend_alloc_ocram(
+ if (virt_out)
+ *virt_out = virt;
+
++put_device:
++ put_device(&pdev->dev);
+ put_node:
+ of_node_put(node);
+
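Review bot: The new `put_device:` label is also reached on the success path, so the reference from of_find_device_by_node() is dropped while the OCRAM allocated from the pool is still handed back through `virt_out`. That looks intentional, but nothing in the code says the allocation is meant to outlive the device reference; a comment above the label such as `/* drop the of_find_device_by_node() reference; the pool allocation stays in use */` would make it explicit. The `pdev` lookup and the start of imx_suspend_alloc_ocram() are outside these hunks, so I assume a failed lookup still jumps to `put_node` rather than to the new label.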
+--
+2.25.1
+
--- /dev/null
+From 62100a21e88288b36d5722b4c61bd35f25c3e940 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jun 2020 18:03:10 +0100
+Subject: arm64/sve: Eliminate data races on sve_default_vl
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+[ Upstream commit 1e570f512cbdc5e9e401ba640d9827985c1bea1e ]
+
+sve_default_vl can be modified via the /proc/sys/abi/sve_default_vl
+sysctl concurrently with use, and modified concurrently by multiple
+threads.
+
+Adding a lock for this seems overkill, and I don't want to think any
+more than necessary, so just define wrappers using READ_ONCE()/
+WRITE_ONCE().
+
+This will avoid the possibility of torn accesses and repeated loads
+and stores.
+
+There's no evidence yet that this is going wrong in practice: this
+is just hygiene. For generic sysctl users, it would be better to
+build this kind of thing into the sysctl common code somehow.
+
+Reported-by: Will Deacon <will@kernel.org>
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Link: https://lore.kernel.org/r/1591808590-20210-3-git-send-email-Dave.Martin@arm.com
+[will: move set_sve_default_vl() inside #ifdef to squash allnoconfig warning]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/fpsimd.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index 14fdbaa6ee3ab..af59b42973141 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -22,6 +22,7 @@
+ #include <linux/bug.h>
+ #include <linux/cache.h>
+ #include <linux/compat.h>
++#include <linux/compiler.h>
+ #include <linux/cpu.h>
+ #include <linux/cpu_pm.h>
+ #include <linux/kernel.h>
+@@ -124,10 +125,20 @@ struct fpsimd_last_state_struct {
+ static DEFINE_PER_CPU(struct fpsimd_last_state_struct, fpsimd_last_state);
+
+ /* Default VL for tasks that don't set it explicitly: */
+-static int sve_default_vl = -1;
++static int __sve_default_vl = -1;
++
++static int get_sve_default_vl(void)
++{
++ return READ_ONCE(__sve_default_vl);
++}
+
+ #ifdef CONFIG_ARM64_SVE
+
++static void set_sve_default_vl(int val)
++{
++ WRITE_ONCE(__sve_default_vl, val);
++}
++
+ /* Maximum supported vector length across all CPUs (initially poisoned) */
+ int __ro_after_init sve_max_vl = SVE_VL_MIN;
+ /* Set of available vector lengths, as vq_to_bit(vq): */
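Review bot: Nothing at the definition of `__sve_default_vl` tells the next editor that direct access is no longer allowed; the existing comment still only describes the value. I would extend it to something like `/* Default VL for tasks that don't set it explicitly; the sysctl handler may rewrite it concurrently, so access it only via get_sve_default_vl()/set_sve_default_vl() */`. The wrappers only prevent torn or repeated accesses: the read, validate, write sequence in sve_proc_do_default_vl() (the -311 and -328 hunks) is still unserialised, so two concurrent writers resolve as last-writer-wins. That seems acceptable here, but it is worth stating in the comment.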
+@@ -311,7 +322,7 @@ static int sve_proc_do_default_vl(struct ctl_table *table, int write,
+ loff_t *ppos)
+ {
+ int ret;
+- int vl = sve_default_vl;
++ int vl = get_sve_default_vl();
+ struct ctl_table tmp_table = {
+ .data = &vl,
+ .maxlen = sizeof(vl),
+@@ -328,7 +339,7 @@ static int sve_proc_do_default_vl(struct ctl_table *table, int write,
+ if (!sve_vl_valid(vl))
+ return -EINVAL;
+
+- sve_default_vl = find_supported_vector_length(vl);
++ set_sve_default_vl(find_supported_vector_length(vl));
+ return 0;
+ }
+
+@@ -772,12 +783,12 @@ void __init sve_setup(void)
+ * For the default VL, pick the maximum supported value <= 64.
+ * VL == 64 is guaranteed not to grow the signal frame.
+ */
+- sve_default_vl = find_supported_vector_length(64);
++ set_sve_default_vl(find_supported_vector_length(64));
+
+ pr_info("SVE: maximum available vector length %u bytes per vector\n",
+ sve_max_vl);
+ pr_info("SVE: default vector length %u bytes per vector\n",
+- sve_default_vl);
++ get_sve_default_vl());
+
+ sve_efi_setup();
+ }
+@@ -914,13 +925,13 @@ void fpsimd_flush_thread(void)
+ * vector length configured: no kernel task can become a user
+ * task without an exec and hence a call to this function.
+ * By the time the first call to this function is made, all
+- * early hardware probing is complete, so sve_default_vl
++ * early hardware probing is complete, so __sve_default_vl
+ * should be valid.
+ * If a bug causes this to go wrong, we make some noise and
+ * try to fudge thread.sve_vl to a safe value here.
+ */
+ vl = current->thread.sve_vl_onexec ?
+- current->thread.sve_vl_onexec : sve_default_vl;
++ current->thread.sve_vl_onexec : get_sve_default_vl();
+
+ if (WARN_ON(!sve_vl_valid(vl)))
+ vl = SVE_VL_MIN;
+--
+2.25.1
+
--- /dev/null
+From deae3261f6069c9e505678ebeffe5ead0ada65b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 18:29:11 +0100
+Subject: arm64: sve: Fix build failure when ARM64_SVE=y and SYSCTL=n
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit e575fb9e76c8e33440fb859572a8b7d430f053d6 ]
+
+When I squashed the 'allnoconfig' compiler warning about the
+set_sve_default_vl() function being defined but not used in commit
+1e570f512cbd ("arm64/sve: Eliminate data races on sve_default_vl"), I
+accidentally broke the build for configs where ARM64_SVE is enabled, but
+SYSCTL is not.
+
+Fix this by only compiling the SVE sysctl support if both CONFIG_SVE=y
+and CONFIG_SYSCTL=y.
+
+Cc: Dave Martin <Dave.Martin@arm.com>
+Reported-by: Qian Cai <cai@lca.pw>
+Link: https://lore.kernel.org/r/20200616131808.GA1040@lca.pw
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/fpsimd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index af59b42973141..177363abbd3e3 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -315,7 +315,7 @@ static unsigned int find_supported_vector_length(unsigned int vl)
+ return sve_vl_from_vq(bit_to_vq(bit));
+ }
+
+-#ifdef CONFIG_SYSCTL
++#if defined(CONFIG_ARM64_SVE) && defined(CONFIG_SYSCTL)
+
+ static int sve_proc_do_default_vl(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+@@ -361,9 +361,9 @@ static int __init sve_sysctl_init(void)
+ return 0;
+ }
+
+-#else /* ! CONFIG_SYSCTL */
++#else /* ! (CONFIG_ARM64_SVE && CONFIG_SYSCTL) */
+ static int __init sve_sysctl_init(void) { return 0; }
+-#endif /* ! CONFIG_SYSCTL */
++#endif /* ! (CONFIG_ARM64_SVE && CONFIG_SYSCTL) */
+
+ #define ZREG(sve_state, vq, n) ((char *)(sve_state) + \
+ (SVE_SIG_ZREG_OFFSET(vq, n) - SVE_SIG_REGS_OFFSET))
+--
+2.25.1
+
--- /dev/null
+From 627e83acaa0d5d680ed9195848d397e55e25009e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 10:53:48 +0800
+Subject: ASoC: fsl_ssi: Fix bclk calculation for mono channel
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit ed1220df6e666500ebf58c4f2fccc681941646fb ]
+
+For mono channel, SSI will switch to Normal mode.
+
+In Normal mode and Network mode, the Word Length Control bits
+control the word length divider in clock generator, which is
+different with I2S Master mode (the word length is fixed to
+32bit), it should be the value of params_width(hw_params).
+
+The condition "slots == 2" is not good for I2S Master mode,
+because for Network mode and Normal mode, the slots can also
+be 2. Then we need to use (ssi->i2s_net & SSI_SCR_I2S_MODE_MASK)
+to check if it is I2S Master mode.
+
+So we refine the formula for mono channel, otherwise there
+will be sound issue for S24_LE.
+
+Fixes: b0a7043d5c2c ("ASoC: fsl_ssi: Caculate bit clock rate using slot number and width")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Link: https://lore.kernel.org/r/034eff1435ff6ce300b6c781130cefd9db22ab9a.1592276147.git.shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_ssi.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c
+index d83be26d64467..0e2bdad373d66 100644
+--- a/sound/soc/fsl/fsl_ssi.c
++++ b/sound/soc/fsl/fsl_ssi.c
+@@ -678,8 +678,9 @@ static int fsl_ssi_set_bclk(struct snd_pcm_substream *substream,
+ struct regmap *regs = ssi->regs;
+ u32 pm = 999, div2, psr, stccr, mask, afreq, factor, i;
+ unsigned long clkrate, baudrate, tmprate;
+- unsigned int slots = params_channels(hw_params);
+- unsigned int slot_width = 32;
++ unsigned int channels = params_channels(hw_params);
++ unsigned int slot_width = params_width(hw_params);
++ unsigned int slots = 2;
+ u64 sub, savesub = 100000;
+ unsigned int freq;
+ bool baudclk_is_used;
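Review bot: `slot_width` is now initialised from `params_width(hw_params)`, which returns a signed int and, as far as I know, a negative errno for a format it cannot size. Stored in `unsigned int slot_width`, that would become a very large width feeding the `freq = slots * slot_width * params_rate(hw_params)` product in the next hunk. The formats reaching fsl_ssi_set_bclk() are presumably limited to those the DAI advertises, so this may be unreachable, but that is not visible here. Either reject a non-positive width before use or add a comment such as `/* format is one of the DAI's advertised formats, so the width is always positive */`. The function body continues outside both hunks.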
+@@ -688,10 +689,14 @@ static int fsl_ssi_set_bclk(struct snd_pcm_substream *substream,
+ /* Override slots and slot_width if being specifically set... */
+ if (ssi->slots)
+ slots = ssi->slots;
+- /* ...but keep 32 bits if slots is 2 -- I2S Master mode */
+- if (ssi->slot_width && slots != 2)
++ if (ssi->slot_width)
+ slot_width = ssi->slot_width;
+
++ /* ...but force 32 bits for stereo audio using I2S Master Mode */
++ if (channels == 2 &&
++ (ssi->i2s_net & SSI_SCR_I2S_MODE_MASK) == SSI_SCR_I2S_MODE_MASTER)
++ slot_width = 32;
++
+ /* Generate bit clock based on the slot number and slot width */
+ freq = slots * slot_width * params_rate(hw_params);
+
+--
+2.25.1
+
--- /dev/null
+From ea48b908b1660b3e9f680dae7883acff92ebe7fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jun 2020 13:41:53 +0100
+Subject: ASoC: q6asm: handle EOS correctly
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 6476b60f32866be49d05e2e0163f337374c55b06 ]
+
+Successful send of EOS command does not indicate that EOS is actually
+finished, correct event to wait EOS is finished is EOS_RENDERED event.
+EOS_RENDERED means that the DSP has finished processing all the buffers
+for that particular session and stream.
+
+This patch fixes EOS handling!
+
+Fixes: 68fd8480bb7b ("ASoC: qdsp6: q6asm: Add support to audio stream apis")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20200611124159.20742-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/qdsp6/q6asm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/qcom/qdsp6/q6asm.c b/sound/soc/qcom/qdsp6/q6asm.c
+index 2b2c7233bb5fa..1bdacf7976139 100644
+--- a/sound/soc/qcom/qdsp6/q6asm.c
++++ b/sound/soc/qcom/qdsp6/q6asm.c
+@@ -25,6 +25,7 @@
+ #define ASM_STREAM_CMD_FLUSH 0x00010BCE
+ #define ASM_SESSION_CMD_PAUSE 0x00010BD3
+ #define ASM_DATA_CMD_EOS 0x00010BDB
++#define ASM_DATA_EVENT_RENDERED_EOS 0x00010C1C
+ #define ASM_NULL_POPP_TOPOLOGY 0x00010C68
+ #define ASM_STREAM_CMD_FLUSH_READBUFS 0x00010C09
+ #define ASM_STREAM_CMD_SET_ENCDEC_PARAM 0x00010C10
+@@ -545,9 +546,6 @@ static int32_t q6asm_stream_callback(struct apr_device *adev,
+ case ASM_SESSION_CMD_SUSPEND:
+ client_event = ASM_CLIENT_EVENT_CMD_SUSPEND_DONE;
+ break;
+- case ASM_DATA_CMD_EOS:
+- client_event = ASM_CLIENT_EVENT_CMD_EOS_DONE;
+- break;
+ case ASM_STREAM_CMD_FLUSH:
+ client_event = ASM_CLIENT_EVENT_CMD_FLUSH_DONE;
+ break;
+@@ -650,6 +648,9 @@ static int32_t q6asm_stream_callback(struct apr_device *adev,
+ spin_unlock_irqrestore(&ac->lock, flags);
+ }
+
++ break;
++ case ASM_DATA_EVENT_RENDERED_EOS:
++ client_event = ASM_CLIENT_EVENT_CMD_EOS_DONE;
+ break;
+ }
+
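Review bot: The new `case ASM_DATA_EVENT_RENDERED_EOS:` carries no comment explaining why EOS completion is reported here and no longer on the `ASM_DATA_CMD_EOS` acknowledgement, which is the whole point of the change. I would add `/* DSP has rendered every buffer for this session and stream; only now is EOS done */` above the assignment. With the `ASM_DATA_CMD_EOS` case removed in the -545 hunk, an acknowledgement for that opcode now takes whatever default path the inner switch has. That switch is outside the hunks, so it is worth confirming the default path is harmless for this opcode.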
+--
+2.25.1
+
--- /dev/null
+From dd7bf9914b4fdc19ddca6ece842326d0b68102f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 15:51:58 -0500
+Subject: ASoC: rockchip: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit f141a422159a199f4c8dedb7e0df55b3b2cf16cd ]
+
+Calling pm_runtime_get_sync increments the counter even in case of
+failure, causing incorrect ref count if pm_runtime_put is not called in
+error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails.
+
+Fixes: fc05a5b22253 ("ASoC: rockchip: add support for pdm controller")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20200613205158.27296-1-wu000273@umn.edu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_pdm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/rockchip/rockchip_pdm.c b/sound/soc/rockchip/rockchip_pdm.c
+index 8a2e3bbce3a16..ad16c8310dd38 100644
+--- a/sound/soc/rockchip/rockchip_pdm.c
++++ b/sound/soc/rockchip/rockchip_pdm.c
+@@ -478,8 +478,10 @@ static int rockchip_pdm_resume(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+
+ ret = regcache_sync(pdm->regmap);
+
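Review bot: The error branch calls `pm_runtime_put(dev)`, which besides dropping the usage count also queues an idle request on a device whose resume has just failed; only the count needs balancing here, so `pm_runtime_put_noidle(dev);` is the closer fit. The rest of rockchip_pdm_resume(), including how the count is released after `regcache_sync()`, is outside the hunk.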
+--
+2.25.1
+
--- /dev/null
+From 2d01d73951c3f59218463396a8e480f819ed9b02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 09:41:49 +0800
+Subject: ata/libata: Fix usage of page address by page_address in
+ ata_scsi_mode_select_xlat function
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit f650ef61e040bcb175dd8762164b00a5d627f20e ]
+
+BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0
+drivers/ata/libata-scsi.c:4045
+Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621
+
+CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0xac/0xee lib/dump_stack.c:118
+print_address_description+0x60/0x223 mm/kasan/report.c:253
+kasan_report_error mm/kasan/report.c:351 [inline]
+kasan_report mm/kasan/report.c:409 [inline]
+kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393
+ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045
+ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035
+__ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline]
+ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409
+scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867
+scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170
+blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186
+blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108
+blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204
+__blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308
+__blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376
+blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413
+blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397
+blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64
+blk_execute_rq+0xc5/0x112 block/blk-exec.c:101
+sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507
+sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:501 [inline]
+do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688
+ksys_ioctl+0x76/0xa0 fs/ioctl.c:705
+__do_sys_ioctl fs/ioctl.c:712 [inline]
+__se_sys_ioctl fs/ioctl.c:710 [inline]
+__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
+do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45c479
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89
+f7 48
+89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 0f
+83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fb0e9602c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007fb0e96036d4 RCX: 000000000045c479
+RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003
+RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bfcc
+
+Allocated by task 12577:
+set_track mm/kasan/kasan.c:460 [inline]
+kasan_kmalloc mm/kasan/kasan.c:553 [inline]
+kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
+__kmalloc+0xf3/0x1e0 mm/slub.c:3749
+kmalloc include/linux/slab.h:520 [inline]
+load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441
+load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737
+search_binary_handler fs/exec.c:1654 [inline]
+search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
+exec_binprm fs/exec.c:1696 [inline]
+__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
+do_execveat_common fs/exec.c:1866 [inline]
+do_execve fs/exec.c:1883 [inline]
+__do_sys_execve fs/exec.c:1964 [inline]
+__se_sys_execve fs/exec.c:1959 [inline]
+__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
+do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 12577:
+set_track mm/kasan/kasan.c:460 [inline]
+__kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521
+slab_free_hook mm/slub.c:1370 [inline]
+slab_free_freelist_hook mm/slub.c:1397 [inline]
+slab_free mm/slub.c:2952 [inline]
+kfree+0x8b/0x1a0 mm/slub.c:3904
+load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118
+search_binary_handler fs/exec.c:1654 [inline]
+search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
+exec_binprm fs/exec.c:1696 [inline]
+__do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
+do_execveat_common fs/exec.c:1866 [inline]
+do_execve fs/exec.c:1883 [inline]
+__do_sys_execve fs/exec.c:1964 [inline]
+__se_sys_execve fs/exec.c:1959 [inline]
+__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
+do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff88803b8ccf00
+which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 259 bytes inside of
+512-byte region [ffff88803b8ccf00, ffff88803b8cd100)
+The buggy address belongs to the page:
+page:ffffea0000ee3300 count:1 mapcount:0 mapping:ffff88806cc03080
+index:0xffff88803b8cc780 compound_mapcount: 0
+flags: 0x100000000008100(slab|head)
+raw: 0100000000008100 ffffea0001104080 0000000200000002 ffff88806cc03080
+raw: ffff88803b8cc780 00000000800c000b 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ffff88803b8ccf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ffff88803b8ccf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88803b8cd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+^
+ffff88803b8cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ffff88803b8cd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+You can refer to "https://www.lkml.org/lkml/2019/1/17/474" reproduce
+this error.
+
+The exception code is "bd_len = p[3];", "p" value is ffff88803b8cd000
+which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))"
+maybe from sg_scsi_ioctl function "buffer" which allocated by kzalloc, so "buffer"
+may not page aligned.
+This also looks completely buggy on highmem systems and really needs to use a
+kmap_atomic. --Christoph Hellwig
+To address the above bugs, Paolo Bonzini advised that it is simpler to just make a char array
+of size CACHE_MPAGE_LEN+8+8+4-2 (or just 64 to make it easy), use sg_copy_to_buffer
+to copy from the sglist into the buffer, and work there.
+
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-scsi.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 0c1572a1cc5ed..6c2c2b07f029e 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3995,12 +3995,13 @@ static unsigned int ata_scsi_mode_select_xlat(struct ata_queued_cmd *qc)
+ {
+ struct scsi_cmnd *scmd = qc->scsicmd;
+ const u8 *cdb = scmd->cmnd;
+- const u8 *p;
+ u8 pg, spg;
+ unsigned six_byte, pg_len, hdr_len, bd_len;
+ int len;
+ u16 fp = (u16)-1;
+ u8 bp = 0xff;
++ u8 buffer[64];
++ const u8 *p = buffer;
+
+ VPRINTK("ENTER\n");
+
+@@ -4034,12 +4035,14 @@ static unsigned int ata_scsi_mode_select_xlat(struct ata_queued_cmd *qc)
+ if (!scsi_sg_count(scmd) || scsi_sglist(scmd)->length < len)
+ goto invalid_param_len;
+
+- p = page_address(sg_page(scsi_sglist(scmd)));
+-
+ /* Move past header and block descriptors. */
+ if (len < hdr_len)
+ goto invalid_param_len;
+
++ if (!sg_copy_to_buffer(scsi_sglist(scmd), scsi_sg_count(scmd),
++ buffer, sizeof(buffer)))
++ goto invalid_param_len;
++
+ if (six_byte)
+ bd_len = p[3];
+ else
+--
+2.25.1
+
--- /dev/null
+From 87691bb77fe35930d37b63005301234f486f1d02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 16:58:36 +0200
+Subject: blktrace: break out of blktrace setup on concurrent calls
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+[ Upstream commit 1b0b283648163dae2a214ca28ed5a99f62a77319 ]
+
+We use one blktrace per request_queue, that means one per the entire
+disk. So we cannot run one blktrace on say /dev/vda and then /dev/vda1,
+or just two calls on /dev/vda.
+
+We check for concurrent setup only at the very end of the blktrace setup though.
+
+If we try to run two concurrent blktraces on the same block device the
+second one will fail, and the first one seems to go on. However when
+one tries to kill the first one one will see things like this:
+
+The kernel will show these:
+
+```
+debugfs: File 'dropped' in directory 'nvme1n1' already present!
+debugfs: File 'msg' in directory 'nvme1n1' already present!
+debugfs: File 'trace0' in directory 'nvme1n1' already present!
+```
+
+And userspace just sees this error message for the second call:
+
+```
+blktrace /dev/nvme1n1
+BLKTRACESETUP(2) /dev/nvme1n1 failed: 5/Input/output error
+```
+
+The first userspace process #1 will also claim that the files
+were taken underneath their nose as well. The files are taken
+away form the first process given that when the second blktrace
+fails, it will follow up with a BLKTRACESTOP and BLKTRACETEARDOWN.
+This means that even if go-happy process #1 is waiting for blktrace
+data, we *have* been asked to take teardown the blktrace.
+
+This can easily be reproduced with break-blktrace [0] run_0005.sh test.
+
+Just break out early if we know we're already going to fail, this will
+prevent trying to create the files all over again, which we know still
+exist.
+
+[0] https://github.com/mcgrof/break-blktrace
+
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/blktrace.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index b7e1e09a0bef5..7a4ca2deb39bc 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -3,6 +3,9 @@
+ * Copyright (C) 2006 Jens Axboe <axboe@kernel.dk>
+ *
+ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
+ #include <linux/kernel.h>
+ #include <linux/blkdev.h>
+ #include <linux/blktrace_api.h>
+@@ -495,6 +498,16 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+ */
+ strreplace(buts->name, '/', '_');
+
++ /*
++ * bdev can be NULL, as with scsi-generic, this is a helpful as
++ * we can be.
++ */
++ if (q->blk_trace) {
++ pr_warn("Concurrent blktraces are not allowed on %s\n",
++ buts->name);
++ return -EBUSY;
++ }
++
+ bt = kzalloc(sizeof(*bt), GFP_KERNEL);
+ if (!bt)
+ return -ENOMEM;
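Review bot: The comment above the new `q->blk_trace` test talks about `bdev` being NULL and does not describe the check it sits on, and its wording is garbled ("this is a helpful as we can be"). Something like `/* Fail early if a trace is already set up on this queue; bdev may be NULL (e.g. scsi-generic), so buts->name is all we can print. */` would match the code. The read of `q->blk_trace` is only as reliable as the locking held by the caller, which is not visible in this hunk, so the end-of-setup check mentioned in the commit message should remain the authoritative one. Because the message is triggered by a user-issued setup request, `pr_warn_ratelimited()` may be a better fit than `pr_warn()` to keep repeated attempts from flooding the log.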
+--
+2.25.1
+
--- /dev/null
+From ca89d85181a21eeb468e364446bd1ee59a6535f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 01:51:31 +0530
+Subject: cxgb4: move handling L2T ARP failures to caller
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit 11d8cd5c9f3b46f397f889cefdb66795518aaebd ]
+
+Move code handling L2T ARP failures to the only caller.
+
+Fixes following sparse warning:
+skbuff.h:2091:29: warning: context imbalance in
+'handle_failed_resolution' - unexpected unlock
+
+Fixes: 749cb5fe48bb ("cxgb4: Replace arpq_head/arpq_tail with SKB double link-list code")
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/l2t.c | 52 +++++++++++-------------
+ 1 file changed, 24 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/l2t.c b/drivers/net/ethernet/chelsio/cxgb4/l2t.c
+index 986277744611c..08f4780e7fe7a 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/l2t.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/l2t.c
+@@ -507,41 +507,20 @@ u64 cxgb4_select_ntuple(struct net_device *dev,
+ }
+ EXPORT_SYMBOL(cxgb4_select_ntuple);
+
+-/*
+- * Called when address resolution fails for an L2T entry to handle packets
+- * on the arpq head. If a packet specifies a failure handler it is invoked,
+- * otherwise the packet is sent to the device.
+- */
+-static void handle_failed_resolution(struct adapter *adap, struct l2t_entry *e)
+-{
+- struct sk_buff *skb;
+-
+- while ((skb = __skb_dequeue(&e->arpq)) != NULL) {
+- const struct l2t_skb_cb *cb = L2T_SKB_CB(skb);
+-
+- spin_unlock(&e->lock);
+- if (cb->arp_err_handler)
+- cb->arp_err_handler(cb->handle, skb);
+- else
+- t4_ofld_send(adap, skb);
+- spin_lock(&e->lock);
+- }
+-}
+-
+ /*
+ * Called when the host's neighbor layer makes a change to some entry that is
+ * loaded into the HW L2 table.
+ */
+ void t4_l2t_update(struct adapter *adap, struct neighbour *neigh)
+ {
+- struct l2t_entry *e;
+- struct sk_buff_head *arpq = NULL;
+- struct l2t_data *d = adap->l2t;
+ unsigned int addr_len = neigh->tbl->key_len;
+ u32 *addr = (u32 *) neigh->primary_key;
+- int ifidx = neigh->dev->ifindex;
+- int hash = addr_hash(d, addr, addr_len, ifidx);
++ int hash, ifidx = neigh->dev->ifindex;
++ struct sk_buff_head *arpq = NULL;
++ struct l2t_data *d = adap->l2t;
++ struct l2t_entry *e;
+
++ hash = addr_hash(d, addr, addr_len, ifidx);
+ read_lock_bh(&d->lock);
+ for (e = d->l2tab[hash].first; e; e = e->next)
+ if (!addreq(e, addr) && e->ifindex == ifidx) {
+@@ -574,8 +553,25 @@ void t4_l2t_update(struct adapter *adap, struct neighbour *neigh)
+ write_l2e(adap, e, 0);
+ }
+
+- if (arpq)
+- handle_failed_resolution(adap, e);
++ if (arpq) {
++ struct sk_buff *skb;
++
++ /* Called when address resolution fails for an L2T
++ * entry to handle packets on the arpq head. If a
++ * packet specifies a failure handler it is invoked,
++ * otherwise the packet is sent to the device.
++ */
++ while ((skb = __skb_dequeue(&e->arpq)) != NULL) {
++ const struct l2t_skb_cb *cb = L2T_SKB_CB(skb);
++
++ spin_unlock(&e->lock);
++ if (cb->arp_err_handler)
++ cb->arp_err_handler(cb->handle, skb);
++ else
++ t4_ofld_send(adap, skb);
++ spin_lock(&e->lock);
++ }
++ }
+ spin_unlock_bh(&e->lock);
+ }
+
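Review bot: The comment moved into the `if (arpq)` block still begins "Called when address resolution fails", which described the removed function and reads oddly inline. I would reword it, e.g. `/* Address resolution failed: run each queued packet's arp_err_handler, or send the packet to the device if it has none. */`. It would also help to note there that `e->lock` is released around each callback and re-taken afterwards, so the state of `e` may have changed by the time the loop ends; only `spin_unlock_bh(&e->lock)` follows in this hunk. The code that takes `e->lock` lies between the two hunks and is not visible.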
+--
+2.25.1
+
--- /dev/null
+From 735a9cdfc219a747ee8580806e44f5b233ba43e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 20:37:44 +0300
+Subject: drm/amd/display: Use kfree() to free rgb_user in
+ calculate_user_regamma_ramp()
+
+From: Denis Efremov <efremov@linux.com>
+
+[ Upstream commit 43a562774fceba867e8eebba977d7d42f8a2eac7 ]
+
+Use kfree() instead of kvfree() to free rgb_user in
+calculate_user_regamma_ramp() because the memory is allocated with
+kcalloc().
+
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/modules/color/color_gamma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
+index 962900932beed..11ea1a0e629bd 100644
+--- a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
++++ b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c
+@@ -1561,7 +1561,7 @@ bool calculate_user_regamma_ramp(struct dc_transfer_func *output_tf,
+
+ kfree(rgb_regamma);
+ rgb_regamma_alloc_fail:
+- kvfree(rgb_user);
++ kfree(rgb_user);
+ rgb_user_alloc_fail:
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From d6f78243512850eb1cdd25bf492777a8559ccd76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 13:38:04 -0500
+Subject: efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 4ddf4739be6e375116c375f0a68bf3893ffcee21 ]
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object. Previous
+commit "b8eb718348b8" fixed a similar problem.
+
+Fixes: 0bb549052d33 ("efi: Add esrt support")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Link: https://lore.kernel.org/r/20200528183804.4497-1-wu000273@umn.edu
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/esrt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c
+index 5d06bd247d073..2f6204b2fdd38 100644
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -180,7 +180,7 @@ static int esre_create_sysfs_entry(void *esre, int entry_num)
+ rc = kobject_init_and_add(&entry->kobj, &esre1_ktype, NULL,
+ "entry%d", entry_num);
+ if (rc) {
+- kfree(entry);
++ kobject_put(&entry->kobj);
+ return rc;
+ }
+ }
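Review bot: With `kobject_put(&entry->kobj)` on the error path, cleanup now goes through the release callback of `esre1_ktype`, which is defined outside this hunk. Nothing in the visible lines has linked `entry` onto a list yet, so if that callback unlinks the entry before freeing it, it would operate on an uninitialised list node. Please confirm what the release callback does; if it does unlink, initialise the node with `INIT_LIST_HEAD()` right after the allocation so the failure path is safe. esre_create_sysfs_entry starts and ends outside the hunk.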
+--
+2.25.1
+
--- /dev/null
+From 2d0729dab1c05eacd77962a67f507a15cc201498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 15:21:04 +0800
+Subject: hwrng: ks-sa - Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 95459261c99f1621d90bc628c2a48e60b7cf9a88 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when the call returns an error code. Thus a pairing decrement is needed
+on the error handling path to keep the counter balanced.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/ks-sa-rng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/hw_random/ks-sa-rng.c b/drivers/char/hw_random/ks-sa-rng.c
+index 62c6696c1dbd8..b6d7db362b217 100644
+--- a/drivers/char/hw_random/ks-sa-rng.c
++++ b/drivers/char/hw_random/ks-sa-rng.c
+@@ -216,6 +216,7 @@ static int ks_sa_rng_probe(struct platform_device *pdev)
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0) {
+ dev_err(dev, "Failed to enable SA power-domain\n");
++ pm_runtime_put_noidle(dev);
+ pm_runtime_disable(dev);
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From 2093311a5dac2926564c9765e572676154e757b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 11:41:09 +0100
+Subject: i2c: core: check returned size of emulated smbus block read
+
+From: Mans Rullgard <mans@mansr.com>
+
+[ Upstream commit 40e05200593af06633f64ab0effff052eee6f076 ]
+
+If the i2c bus driver ignores the I2C_M_RECV_LEN flag (as some of
+them do), it is possible for an I2C_SMBUS_BLOCK_DATA read issued
+on some random device to return an arbitrary value in the first
+byte (and nothing else). When this happens, i2c_smbus_xfer_emulated()
+will happily write past the end of the supplied data buffer, thus
+causing Bad Things to happen. To prevent this, check the size
+before copying the data block and return an error if it is too large.
+
+Fixes: 209d27c3b167 ("i2c: Emulate SMBus block read over I2C")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+[wsa: use better errno]
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-smbus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
+index 9cd66cabb84fd..8d6fad05b0c7f 100644
+--- a/drivers/i2c/i2c-core-smbus.c
++++ b/drivers/i2c/i2c-core-smbus.c
+@@ -497,6 +497,13 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
+ break;
+ case I2C_SMBUS_BLOCK_DATA:
+ case I2C_SMBUS_BLOCK_PROC_CALL:
++ if (msg[1].buf[0] > I2C_SMBUS_BLOCK_MAX) {
++ dev_err(&adapter->dev,
++ "Invalid block size returned: %d\n",
++ msg[1].buf[0]);
++ status = -EPROTO;
++ goto cleanup;
++ }
+ for (i = 0; i < msg[1].buf[0] + 1; i++)
+ data->block[i] = msg[1].buf[i];
+ break;
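Review bot: The new `dev_err()` in the I2C_SMBUS_BLOCK_DATA / I2C_SMBUS_BLOCK_PROC_CALL case fires on a length byte that comes from the bus, so a device or adapter that keeps returning a bad length can fill the kernel log on every transfer. The rate-limited form keeps the diagnostic without that side effect: `dev_err_ratelimited(&adapter->dev, "Invalid block size returned: %d\n", msg[1].buf[0]);`. The bound matches the copy loop below it, which reads `msg[1].buf[0] + 1` bytes. The sizes of `data->block` and `msg[1].buf` are declared outside the hunk and should be checked against `I2C_SMBUS_BLOCK_MAX`.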
+--
+2.25.1
+
--- /dev/null
+From d0d155e45a7e7dda14ae432d010a1922fd64c461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2020 15:15:54 -0500
+Subject: i2c: fsi: Fix the port number field in status register
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit 502035e284cc7e9efef22b01771d822d49698ab9 ]
+
+The port number field in the status register was not correct, so fix it.
+
+Fixes: d6ffb6300116 ("i2c: Add FSI-attached I2C master algorithm")
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-fsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-fsi.c b/drivers/i2c/busses/i2c-fsi.c
+index 1e2be2219a602..46aef609fb708 100644
+--- a/drivers/i2c/busses/i2c-fsi.c
++++ b/drivers/i2c/busses/i2c-fsi.c
+@@ -98,7 +98,7 @@
+ #define I2C_STAT_DAT_REQ BIT(25)
+ #define I2C_STAT_CMD_COMP BIT(24)
+ #define I2C_STAT_STOP_ERR BIT(23)
+-#define I2C_STAT_MAX_PORT GENMASK(19, 16)
++#define I2C_STAT_MAX_PORT GENMASK(22, 16)
+ #define I2C_STAT_ANY_INT BIT(15)
+ #define I2C_STAT_SCL_IN BIT(11)
+ #define I2C_STAT_SDA_IN BIT(10)
+--
+2.25.1
+
--- /dev/null
+From a0a00dc6afcd7429de3b9d8d8b67a01a28d21ec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jun 2020 13:47:35 +0300
+Subject: IB/mad: Fix use after free when destroying MAD agent
+
+From: Shay Drory <shayd@mellanox.com>
+
+[ Upstream commit 116a1b9f1cb769b83e5adff323f977a62b1dcb2e ]
+
+Currently, when RMPP MADs are processed while the MAD agent is destroyed,
+it could result in use after free of rmpp_recv, as described below:
+
+ cpu-0 cpu-1
+ ----- -----
+ib_mad_recv_done()
+ ib_mad_complete_recv()
+ ib_process_rmpp_recv_wc()
+ unregister_mad_agent()
+ ib_cancel_rmpp_recvs()
+ cancel_delayed_work()
+ process_rmpp_data()
+ start_rmpp()
+ queue_delayed_work(rmpp_recv->cleanup_work)
+ destroy_rmpp_recv()
+ free_rmpp_recv()
+ cleanup_work()[1]
+ spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free
+
+[1] cleanup_work() == recv_cleanup_handler
+
+Fix it by waiting for the MAD agent reference count becoming zero before
+calling to ib_cancel_rmpp_recvs().
+
+Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
+Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@kernel.org
+Signed-off-by: Shay Drory <shayd@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/mad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
+index fd0a2fd8bfdf7..a36b3b4f5c0a2 100644
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -615,10 +615,10 @@ static void unregister_mad_agent(struct ib_mad_agent_private *mad_agent_priv)
+ idr_unlock(&ib_mad_clients);
+
+ flush_workqueue(port_priv->wq);
+- ib_cancel_rmpp_recvs(mad_agent_priv);
+
+ deref_mad_agent(mad_agent_priv);
+ wait_for_completion(&mad_agent_priv->comp);
++ ib_cancel_rmpp_recvs(mad_agent_priv);
+
+ ib_mad_agent_security_cleanup(&mad_agent_priv->agent);
+
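Review bot: Nothing in the new order tells a later reader that `ib_cancel_rmpp_recvs()` has to stay after `wait_for_completion(&mad_agent_priv->comp)`; the calls look independent and the line could be moved back in a later cleanup. A comment above the moved call would pin the ordering, for example `/* Cancel RMPP receives only after the last agent reference is dropped, so no receive path can queue cleanup work afterwards. */`. unregister_mad_agent starts and ends outside the hunk.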
+--
+2.25.1
+
--- /dev/null
+From fba84f6749206e99da798a1d00c9d9584102378f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 10:29:23 -0500
+Subject: ibmvnic: Harden device login requests
+
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+
+[ Upstream commit dff515a3e71dc8ab3b9dcc2e23a9b5fca88b3c18 ]
+
+The VNIC driver's "login" command sequence is the final step
+in the driver's initialization process with device firmware,
+confirming the available device queue resources to be utilized
+by the driver. Under high system load, firmware may not respond
+to the request in a timely manner or may abort the request. In
+such cases, the driver should reattempt the login command
+sequence. In case of a device error, the number of retries
+is bounded.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 645298628b6f7..5e9e45befc875 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -792,12 +792,13 @@ static int ibmvnic_login(struct net_device *netdev)
+ struct ibmvnic_adapter *adapter = netdev_priv(netdev);
+ unsigned long timeout = msecs_to_jiffies(30000);
+ int retry_count = 0;
++ int retries = 10;
+ bool retry;
+ int rc;
+
+ do {
+ retry = false;
+- if (retry_count > IBMVNIC_MAX_QUEUES) {
++ if (retry_count > retries) {
+ netdev_warn(netdev, "Login attempts exceeded\n");
+ return -1;
+ }
+@@ -812,11 +813,23 @@ static int ibmvnic_login(struct net_device *netdev)
+
+ if (!wait_for_completion_timeout(&adapter->init_done,
+ timeout)) {
+- netdev_warn(netdev, "Login timed out\n");
+- return -1;
++ netdev_warn(netdev, "Login timed out, retrying...\n");
++ retry = true;
++ adapter->init_done_rc = 0;
++ retry_count++;
++ continue;
+ }
+
+- if (adapter->init_done_rc == PARTIALSUCCESS) {
++ if (adapter->init_done_rc == ABORTED) {
++ netdev_warn(netdev, "Login aborted, retrying...\n");
++ retry = true;
++ adapter->init_done_rc = 0;
++ retry_count++;
++ /* FW or device may be busy, so
++ * wait a bit before retrying login
++ */
++ msleep(500);
++ } else if (adapter->init_done_rc == PARTIALSUCCESS) {
+ retry_count++;
+ release_sub_crqs(adapter, 1);
+
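Review bot: The timeout branch now retries with the same 30000 ms `timeout` and no back-off, and the bound in the first hunk (`retry_count > retries`, `retries = 10`) lets that wait repeat about eleven times. A firmware that never answers therefore blocks ibmvnic_login for several minutes instead of 30 seconds; if that is intended, say so in a comment next to `retries`, otherwise bound the timeout case separately. The lines `retry = true; adapter->init_done_rc = 0; retry_count++;` are duplicated in the timeout and ABORTED branches, and `retries` is never modified, so a named constant would read better than a local. The loop body between the two hunks is not visible, so whether `init_done` is re-armed before each attempt should be confirmed.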
+--
+2.25.1
+
--- /dev/null
+From ccddb7ab0230cd950e64cee48d3e849479263b2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 23:43:40 +0900
+Subject: kbuild: improve cc-option to clean up all temporary files
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit f2f02ebd8f3833626642688b2d2c6a7b3c141fa9 ]
+
+When cc-option and friends evaluate compiler flags, the temporary file
+$$TMP is created as an output object, and automatically cleaned up.
+The actual file path of $$TMP is .<pid>.tmp, here <pid> is the process
+ID of $(shell ...) invoked from cc-option. (Please note $$$$ is the
+escape sequence of $$).
+
+Such garbage files are cleaned up in most cases, but some compiler flags
+create additional output files.
+
+For example, -gsplit-dwarf creates a .dwo file.
+
+When CONFIG_DEBUG_INFO_SPLIT=y, you will see a bunch of .<pid>.dwo files
+left in the top of build directories. You may not notice them unless you
+do 'ls -a', but the garbage files will increase every time you run 'make'.
+
+This commit changes the temporary object path to .tmp_<pid>/tmp, and
+removes .tmp_<pid> directory when exiting. Separate build artifacts such
+as *.dwo will be cleaned up all together because their file paths are
+usually determined based on the base name of the object.
+
+Another example is -ftest-coverage, which outputs the coverage data into
+<base-name-of-object>.gcno
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Kbuild.include | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
+index ce53639a864a1..c830750d725b7 100644
+--- a/scripts/Kbuild.include
++++ b/scripts/Kbuild.include
+@@ -81,20 +81,21 @@ cc-cross-prefix = \
+ fi)))
+
+ # output directory for tests below
+-TMPOUT := $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/)
++TMPOUT = $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/).tmp_$$$$
+
+ # try-run
+ # Usage: option = $(call try-run, $(CC)...-o "$$TMP",option-ok,otherwise)
+ # Exit code chooses option. "$$TMP" serves as a temporary file and is
+ # automatically cleaned up.
+ try-run = $(shell set -e; \
+- TMP="$(TMPOUT).$$$$.tmp"; \
+- TMPO="$(TMPOUT).$$$$.o"; \
++ TMP=$(TMPOUT)/tmp; \
++ TMPO=$(TMPOUT)/tmp.o; \
++ mkdir -p $(TMPOUT); \
++ trap "rm -rf $(TMPOUT)" EXIT; \
+ if ($(1)) >/dev/null 2>&1; \
+ then echo "$(2)"; \
+ else echo "$(3)"; \
+- fi; \
+- rm -f "$$TMP" "$$TMPO")
++ fi)
+
+ # as-option
+ # Usage: cflags-y += $(call as-option,-Wa$(comma)-isa=foo,)
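Review bot: The rewritten `try-run` drops the quoting the removed lines had: `TMP=$(TMPOUT)/tmp`, `mkdir -p $(TMPOUT)` and the `rm -rf $(TMPOUT)` inside the trap all expand the path unquoted. A build directory whose name contains shell metacharacters could then make the recursive delete act on something other than the temporary directory. Quote each use, for example `TMP="$(TMPOUT)/tmp";`, `mkdir -p "$(TMPOUT)";` and `trap 'rm -rf "$(TMPOUT)"' EXIT;`. The comment above try-run still describes `"$$TMP"` as a temporary file that is cleaned up; it could say that the whole `.tmp_<pid>` directory is now removed on exit.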
+--
+2.25.1
+
--- /dev/null
+From 2abbff41927b65e495d0ccac838192a52f404dbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 11:50:29 -0400
+Subject: net: alx: fix race condition in alx_remove
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit e89df5c4322c1bf495f62d74745895b5fd2a4393 ]
+
+A race condition exists during termination. The path is
+alx_stop and then alx_remove. An alx_schedule_link_check could be called
+before alx_stop by interrupt handler and invoke alx_link_check later.
+Alx_stop frees the napis, and alx_remove cancels any pending works.
+If any of the work is scheduled before termination and invoked before
+alx_remove, a null-ptr-deref occurs because both expect alx->napis[i].
+
+This patch fix the race condition by moving cancel_work_sync functions
+before alx_free_napis inside alx_stop. Because interrupt handler can call
+alx_schedule_link_check again, alx_free_irq is moved before
+cancel_work_sync calls too.
+
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/alx/main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
+index 6d32211349275..dd63b993ce7b3 100644
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -1250,8 +1250,12 @@ static int __alx_open(struct alx_priv *alx, bool resume)
+
+ static void __alx_stop(struct alx_priv *alx)
+ {
+- alx_halt(alx);
+ alx_free_irq(alx);
++
++ cancel_work_sync(&alx->link_check_wk);
++ cancel_work_sync(&alx->reset_wk);
++
++ alx_halt(alx);
+ alx_free_rings(alx);
+ alx_free_napis(alx);
+ }
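Review bot: The order in `__alx_stop()` now matters (IRQ freed first, then both work items cancelled, then halt and the frees), but the function carries no comment saying so. Add one above the `cancel_work_sync()` calls, for example `/* IRQ is freed, so the handler cannot requeue these; cancel before the napis go away. */`. The commit message names the interrupt handler as the path that reschedules the work. Any other path that can queue `reset_wk` or `link_check_wk` after this point is not visible here and would reopen the race, so it is worth checking. The second hunk removes the same two calls from alx_remove(), whose body continues outside it.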
+@@ -1861,9 +1865,6 @@ static void alx_remove(struct pci_dev *pdev)
+ struct alx_priv *alx = pci_get_drvdata(pdev);
+ struct alx_hw *hw = &alx->hw;
+
+- cancel_work_sync(&alx->link_check_wk);
+- cancel_work_sync(&alx->reset_wk);
+-
+ /* restore permanent mac address */
+ alx_set_macaddr(hw, hw->perm_addr);
+
+--
+2.25.1
+
--- /dev/null
+From 2488abcd69d838e27d77c9e136aef6e2d3427d04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 18:14:55 -0700
+Subject: net: bcmgenet: use hardware padding of runt frames
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit 20d1f2d1b024f6be199a3bedf1578a1d21592bc5 ]
+
+When commit 474ea9cafc45 ("net: bcmgenet: correctly pad short
+packets") added the call to skb_padto() it should have been
+located before the nr_frags parameter was read since that value
+could be changed when padding packets with lengths between 55
+and 59 bytes (inclusive).
+
+The use of a stale nr_frags value can cause corruption of the
+pad data when tx-scatter-gather is enabled. This corruption of
+the pad can cause invalid checksum computation when hardware
+offload of tx-checksum is also enabled.
+
+Since the original reason for the padding was corrected by
+commit 7dd399130efb ("net: bcmgenet: fix skb_len in
+bcmgenet_xmit_single()") we can remove the software padding all
+together and make use of hardware padding of short frames as
+long as the hardware also always appends the FCS value to the
+frame.
+
+Fixes: 474ea9cafc45 ("net: bcmgenet: correctly pad short packets")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 40e8ef984b624..c7667017c1a3f 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1593,11 +1593,6 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
+ goto out;
+ }
+
+- if (skb_padto(skb, ETH_ZLEN)) {
+- ret = NETDEV_TX_OK;
+- goto out;
+- }
+-
+ /* Retain how many bytes will be sent on the wire, without TSB inserted
+ * by transmit checksum offload
+ */
+@@ -1646,6 +1641,9 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
+ len_stat = (size << DMA_BUFLENGTH_SHIFT) |
+ (priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT);
+
++ /* Note: if we ever change from DMA_TX_APPEND_CRC below we
++ * will need to restore software padding of "runt" packets
++ */
+ if (!i) {
+ len_stat |= DMA_TX_APPEND_CRC | DMA_SOP;
+ if (skb->ip_summed == CHECKSUM_PARTIAL)
+--
+2.25.1
+
--- /dev/null
+From cf44ee53437890015d484fdb8527fb42046d2d19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 16:51:33 +0300
+Subject: net: qed: fix excessive QM ILT lines consumption
+
+From: Alexander Lobakin <alobakin@marvell.com>
+
+[ Upstream commit d434d02f7e7c24c721365fd594ed781acb18e0da ]
+
+This is likely a copy'n'paste mistake. The amount of ILT lines to
+reserve for a single VF was being multiplied by the total VFs count.
+This led to a huge redundancy in reservation and potential lines
+drainouts.
+
+Fixes: 1408cc1fa48c ("qed: Introduce VFs")
+Signed-off-by: Alexander Lobakin <alobakin@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+index f1977aa440e5d..f3d7c38f539a8 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+@@ -397,7 +397,7 @@ static void qed_cxt_qm_iids(struct qed_hwfn *p_hwfn,
+ vf_tids += segs[NUM_TASK_PF_SEGMENTS].count;
+ }
+
+- iids->vf_cids += vf_cids * p_mngr->vf_count;
++ iids->vf_cids = vf_cids;
+ iids->tids += vf_tids * p_mngr->vf_count;
+
+ DP_VERBOSE(p_hwfn, QED_MSG_ILT,
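Review bot: Besides dropping the `* p_mngr->vf_count` factor, the new line turns the accumulation into a plain assignment, `iids->vf_cids = vf_cids;`, while the next line still uses `iids->tids += …`. The commit message explains only the multiplication. If `iids` can arrive with a non-zero `vf_cids` (the caller is outside the hunk), that earlier value is now discarded. A one-line comment such as `/* per-VF count: not scaled by vf_count, not accumulated */` would record that both changes are intended.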
+--
+2.25.1
+
--- /dev/null
+From 16cb39a9af4637f731754365f461710da6d966fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 16:51:29 +0300
+Subject: net: qed: fix left elements count calculation
+
+From: Alexander Lobakin <alobakin@marvell.com>
+
+[ Upstream commit 97dd1abd026ae4e6a82fa68645928404ad483409 ]
+
+qed_chain_get_element_left{,_u32} returned 0 when the difference
+between producer and consumer page count was equal to the total
+page count.
+Fix this by conditional expanding of producer value (vs
+unconditional). This allowed to eliminate normalization against
+total page count, which was the cause of this bug.
+
+Misc: replace open-coded constants with common defines.
+
+Fixes: a91eb52abb50 ("qed: Revisit chain implementation")
+Signed-off-by: Alexander Lobakin <alobakin@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/qed/qed_chain.h | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/qed/qed_chain.h b/include/linux/qed/qed_chain.h
+index 733fad7dfbed9..6d15040c642cb 100644
+--- a/include/linux/qed/qed_chain.h
++++ b/include/linux/qed/qed_chain.h
+@@ -207,28 +207,34 @@ static inline u32 qed_chain_get_cons_idx_u32(struct qed_chain *p_chain)
+
+ static inline u16 qed_chain_get_elem_left(struct qed_chain *p_chain)
+ {
++ u16 elem_per_page = p_chain->elem_per_page;
++ u32 prod = p_chain->u.chain16.prod_idx;
++ u32 cons = p_chain->u.chain16.cons_idx;
+ u16 used;
+
+- used = (u16) (((u32)0x10000 +
+- (u32)p_chain->u.chain16.prod_idx) -
+- (u32)p_chain->u.chain16.cons_idx);
++ if (prod < cons)
++ prod += (u32)U16_MAX + 1;
++
++ used = (u16)(prod - cons);
+ if (p_chain->mode == QED_CHAIN_MODE_NEXT_PTR)
+- used -= p_chain->u.chain16.prod_idx / p_chain->elem_per_page -
+- p_chain->u.chain16.cons_idx / p_chain->elem_per_page;
++ used -= prod / elem_per_page - cons / elem_per_page;
+
+ return (u16)(p_chain->capacity - used);
+ }
+
+ static inline u32 qed_chain_get_elem_left_u32(struct qed_chain *p_chain)
+ {
++ u16 elem_per_page = p_chain->elem_per_page;
++ u64 prod = p_chain->u.chain32.prod_idx;
++ u64 cons = p_chain->u.chain32.cons_idx;
+ u32 used;
+
+- used = (u32) (((u64)0x100000000ULL +
+- (u64)p_chain->u.chain32.prod_idx) -
+- (u64)p_chain->u.chain32.cons_idx);
++ if (prod < cons)
++ prod += (u64)U32_MAX + 1;
++
++ used = (u32)(prod - cons);
+ if (p_chain->mode == QED_CHAIN_MODE_NEXT_PTR)
+- used -= p_chain->u.chain32.prod_idx / p_chain->elem_per_page -
+- p_chain->u.chain32.cons_idx / p_chain->elem_per_page;
++ used -= (u32)(prod / elem_per_page - cons / elem_per_page);
+
+ return p_chain->capacity - used;
+ }
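Review bot: Both helpers now rely on `prod` being widened past the index width before the per-page subtraction in the QED_CHAIN_MODE_NEXT_PTR branch, and the code does not say why. A comment above `if (prod < cons)` would help, for example `/* producer wrapped: extend it so prod - cons and the page counts are computed on the same scale */`. The u16 variant leaves the page-count difference uncast in `used -= prod / elem_per_page - cons / elem_per_page;` while the u32 variant writes `(u32)(…)`; making the two read the same would be tidier.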
+--
+2.25.1
+
--- /dev/null
+From 713a966ea963fcdc129cb6ad760315d23db5d64a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 16:51:32 +0300
+Subject: net: qed: fix NVMe login fails over VFs
+
+From: Alexander Lobakin <alobakin@marvell.com>
+
+[ Upstream commit ccd7c7ce167a21dbf2b698ffcf00f11d96d44f9b ]
+
+25ms sleep cycles in waiting for PF response are excessive and may lead
+to different timeout failures.
+
+Start to wait with short udelays, and in most cases polling will end
+here. If the time was not sufficient, switch to msleeps.
+usleep_range() may go far beyond 100us depending on platform and tick
+configuration, hence atomic udelays for consistency.
+
+Also add explicit DMA barriers since 'done' always comes from a shared
+request-response DMA pool, and note that in the comment nearby.
+
+Fixes: 1408cc1fa48c ("qed: Introduce VFs")
+Signed-off-by: Alexander Lobakin <alobakin@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+index 5dda547772c13..93a0fbf6a132b 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -81,12 +81,17 @@ static void qed_vf_pf_req_end(struct qed_hwfn *p_hwfn, int req_status)
+ mutex_unlock(&(p_hwfn->vf_iov_info->mutex));
+ }
+
++#define QED_VF_CHANNEL_USLEEP_ITERATIONS 90
++#define QED_VF_CHANNEL_USLEEP_DELAY 100
++#define QED_VF_CHANNEL_MSLEEP_ITERATIONS 10
++#define QED_VF_CHANNEL_MSLEEP_DELAY 25
++
+ static int qed_send_msg2pf(struct qed_hwfn *p_hwfn, u8 *done, u32 resp_size)
+ {
+ union vfpf_tlvs *p_req = p_hwfn->vf_iov_info->vf2pf_request;
+ struct ustorm_trigger_vf_zone trigger;
+ struct ustorm_vf_zone *zone_data;
+- int rc = 0, time = 100;
++ int iter, rc = 0;
+
+ zone_data = (struct ustorm_vf_zone *)PXP_VF_BAR0_START_USDM_ZONE_B;
+
+@@ -126,11 +131,19 @@ static int qed_send_msg2pf(struct qed_hwfn *p_hwfn, u8 *done, u32 resp_size)
+ REG_WR(p_hwfn, (uintptr_t)&zone_data->trigger, *((u32 *)&trigger));
+
+ /* When PF would be done with the response, it would write back to the
+- * `done' address. Poll until then.
++ * `done' address from a coherent DMA zone. Poll until then.
+ */
+- while ((!*done) && time) {
+- msleep(25);
+- time--;
++
++ iter = QED_VF_CHANNEL_USLEEP_ITERATIONS;
++ while (!*done && iter--) {
++ udelay(QED_VF_CHANNEL_USLEEP_DELAY);
++ dma_rmb();
++ }
++
++ iter = QED_VF_CHANNEL_MSLEEP_ITERATIONS;
++ while (!*done && iter--) {
++ msleep(QED_VF_CHANNEL_MSLEEP_DELAY);
++ dma_rmb();
+ }
+
+ if (!*done) {
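Review bot: The total time the VF waits for the PF drops by roughly a factor of ten. The removed loop allowed 100 iterations of `msleep(25)`, about 2.5 s, and the new pair allows 90 × 100 µs plus 10 × 25 ms, about 0.26 s. The commit message argues for finer-grained polling, not for a smaller overall budget, so a PF that is merely slow would now reach the `if (!*done)` failure path; if the old budget is still wanted, raise `QED_VF_CHANNEL_MSLEEP_ITERATIONS` to match. The `QED_VF_CHANNEL_USLEEP_*` names in the first hunk describe what is actually a busy-wait `udelay()`, so a `UDELAY` name would be more accurate. qed_send_msg2pf continues outside the hunk.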
+--
+2.25.1
+
--- /dev/null
+From 0a4813eb66f192d72f35e9c5a84e93831c716afa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jun 2020 21:51:11 +0100
+Subject: netfilter: ipset: fix unaligned atomic access
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 715028460082d07a7ec6fcd87b14b46784346a72 ]
+
+When using ip_set with counters and comment, traffic causes the kernel
+to panic on 32-bit ARM:
+
+Alignment trap: not handling instruction e1b82f9f at [<bf01b0dc>]
+Unhandled fault: alignment exception (0x221) at 0xea08133c
+PC is at ip_set_match_extensions+0xe0/0x224 [ip_set]
+
+The problem occurs when we try to update the 64-bit counters - the
+faulting address above is not 64-bit aligned. The problem occurs
+due to the way elements are allocated, for example:
+
+ set->dsize = ip_set_elem_len(set, tb, 0, 0);
+ map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
+
+If the element has a requirement for a member to be 64-bit aligned,
+and set->dsize is not a multiple of 8, but is a multiple of four,
+then every odd numbered elements will be misaligned - and hitting
+an atomic64_add() on that element will cause the kernel to panic.
+
+ip_set_elem_len() must return a size that is rounded to the maximum
+alignment of any extension field stored in the element. This change
+ensures that is the case.
+
+Fixes: 95ad1f4a9358 ("netfilter: ipset: Fix extension alignment")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 21eb53f6d4fe3..36ebc40a4313c 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -385,6 +385,8 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
+ for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
+ if (!add_extension(id, cadt_flags, tb))
+ continue;
++ if (align < ip_set_extensions[id].align)
++ align = ip_set_extensions[id].align;
+ len = ALIGN(len, ip_set_extensions[id].align);
+ set->offset[id] = len;
+ set->extensions |= ip_set_extensions[id].type;
+--
+2.25.1
+
--- /dev/null
+From afc6f75bcc7b635708e953a7cdc768d77f85f572 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 01:53:08 -0700
+Subject: nvme: fix possible deadlock when I/O is blocked
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 3b4b19721ec652ad2c4fe51dfbe5124212b5f581 ]
+
+Revert fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk
+in nvme_validate_ns")
+
+When adding a new namespace to the head disk (via nvme_mpath_set_live)
+we will see partition scan which triggers I/O on the mpath device node.
+This process will usually be triggered from the scan_work which holds
+the scan_lock. If I/O blocks (if we got ana change currently have only
+available paths but none are accessible) this can deadlock on the head
+disk bd_mutex as both partition scan I/O takes it, and head disk revalidation
+takes it to check for resize (also triggered from scan_work on a different
+path). See trace [1].
+
+The mpath disk revalidation was originally added to detect online disk
+size change, but this is no longer needed since commit cb224c3af4df
+("nvme: Convert to use set_capacity_revalidate_and_notify") which already
+updates resize info without unnecessarily revalidating the disk (the
+mpath disk doesn't even implement .revalidate_disk fop).
+
+[1]:
+--
+kernel: INFO: task kworker/u65:9:494 blocked for more than 241 seconds.
+kernel: Tainted: G OE 5.3.5-050305-generic #201910071830
+kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+kernel: kworker/u65:9 D 0 494 2 0x80004000
+kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
+kernel: Call Trace:
+kernel: __schedule+0x2b9/0x6c0
+kernel: schedule+0x42/0xb0
+kernel: schedule_preempt_disabled+0xe/0x10
+kernel: __mutex_lock.isra.0+0x182/0x4f0
+kernel: __mutex_lock_slowpath+0x13/0x20
+kernel: mutex_lock+0x2e/0x40
+kernel: revalidate_disk+0x63/0xa0
+kernel: __nvme_revalidate_disk+0xfe/0x110 [nvme_core]
+kernel: nvme_revalidate_disk+0xa4/0x160 [nvme_core]
+kernel: ? evict+0x14c/0x1b0
+kernel: revalidate_disk+0x2b/0xa0
+kernel: nvme_validate_ns+0x49/0x940 [nvme_core]
+kernel: ? blk_mq_free_request+0xd2/0x100
+kernel: ? __nvme_submit_sync_cmd+0xbe/0x1e0 [nvme_core]
+kernel: nvme_scan_work+0x24f/0x380 [nvme_core]
+kernel: process_one_work+0x1db/0x380
+kernel: worker_thread+0x249/0x400
+kernel: kthread+0x104/0x140
+kernel: ? process_one_work+0x380/0x380
+kernel: ? kthread_park+0x80/0x80
+kernel: ret_from_fork+0x1f/0x40
+...
+kernel: INFO: task kworker/u65:1:2630 blocked for more than 241 seconds.
+kernel: Tainted: G OE 5.3.5-050305-generic #201910071830
+kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+kernel: kworker/u65:1 D 0 2630 2 0x80004000
+kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
+kernel: Call Trace:
+kernel: __schedule+0x2b9/0x6c0
+kernel: schedule+0x42/0xb0
+kernel: io_schedule+0x16/0x40
+kernel: do_read_cache_page+0x438/0x830
+kernel: ? __switch_to_asm+0x34/0x70
+kernel: ? file_fdatawait_range+0x30/0x30
+kernel: read_cache_page+0x12/0x20
+kernel: read_dev_sector+0x27/0xc0
+kernel: read_lba+0xc1/0x220
+kernel: ? kmem_cache_alloc_trace+0x19c/0x230
+kernel: efi_partition+0x1e6/0x708
+kernel: ? vsnprintf+0x39e/0x4e0
+kernel: ? snprintf+0x49/0x60
+kernel: check_partition+0x154/0x244
+kernel: rescan_partitions+0xae/0x280
+kernel: __blkdev_get+0x40f/0x560
+kernel: blkdev_get+0x3d/0x140
+kernel: __device_add_disk+0x388/0x480
+kernel: device_add_disk+0x13/0x20
+kernel: nvme_mpath_set_live+0x119/0x140 [nvme_core]
+kernel: nvme_update_ns_ana_state+0x5c/0x60 [nvme_core]
+kernel: nvme_set_ns_ana_state+0x1e/0x30 [nvme_core]
+kernel: nvme_parse_ana_log+0xa1/0x180 [nvme_core]
+kernel: ? nvme_update_ns_ana_state+0x60/0x60 [nvme_core]
+kernel: nvme_mpath_add_disk+0x47/0x90 [nvme_core]
+kernel: nvme_validate_ns+0x396/0x940 [nvme_core]
+kernel: ? blk_mq_free_request+0xd2/0x100
+kernel: nvme_scan_work+0x24f/0x380 [nvme_core]
+kernel: process_one_work+0x1db/0x380
+kernel: worker_thread+0x249/0x400
+kernel: kthread+0x104/0x140
+kernel: ? process_one_work+0x380/0x380
+kernel: ? kthread_park+0x80/0x80
+kernel: ret_from_fork+0x1f/0x40
+--
+
+Fixes: fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk
+in nvme_validate_ns")
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 0d60f2f8f3eec..5c9326777334f 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1602,7 +1602,6 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id)
+ if (ns->head->disk) {
+ nvme_update_disk_info(ns->head->disk, ns, id);
+ blk_queue_stack_limits(ns->head->disk->queue, ns->queue);
+- revalidate_disk(ns->head->disk);
+ }
+ #endif
+ }
+--
+2.25.1
+
--- /dev/null
+From 90ab3045208e61be9f8e0342975c68bcbf57ecf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 01:53:09 -0700
+Subject: nvme-multipath: fix deadlock between ana_work and scan_work
+
+From: Anton Eidelman <anton@lightbitslabs.com>
+
+[ Upstream commit 489dd102a2c7c94d783a35f9412eb085b8da1aa4 ]
+
+When scan_work calls nvme_mpath_add_disk() this holds ana_lock
+and invokes nvme_parse_ana_log(), which may issue IO
+in device_add_disk() and hang waiting for an accessible path.
+While nvme_mpath_set_live() is only called when nvme_state_is_live(),
+a transition may cause NVME_SC_ANA_TRANSITION and requeue the IO.
+
+In order to recover and complete the IO ana_work on the same ctrl
+should be able to update the path state and remove NVME_NS_ANA_PENDING.
+
+The deadlock occurs because scan_work keeps holding ana_lock,
+so ana_work hangs [1].
+
+Fix:
+Now nvme_mpath_add_disk() uses nvme_parse_ana_log() to obtain a copy
+of the ANA group desc, and then calls nvme_update_ns_ana_state() without
+holding ana_lock.
+
+[1]:
+kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
+kernel: Call Trace:
+kernel: __schedule+0x2b9/0x6c0
+kernel: schedule+0x42/0xb0
+kernel: io_schedule+0x16/0x40
+kernel: do_read_cache_page+0x438/0x830
+kernel: read_cache_page+0x12/0x20
+kernel: read_dev_sector+0x27/0xc0
+kernel: read_lba+0xc1/0x220
+kernel: efi_partition+0x1e6/0x708
+kernel: check_partition+0x154/0x244
+kernel: rescan_partitions+0xae/0x280
+kernel: __blkdev_get+0x40f/0x560
+kernel: blkdev_get+0x3d/0x140
+kernel: __device_add_disk+0x388/0x480
+kernel: device_add_disk+0x13/0x20
+kernel: nvme_mpath_set_live+0x119/0x140 [nvme_core]
+kernel: nvme_update_ns_ana_state+0x5c/0x60 [nvme_core]
+kernel: nvme_set_ns_ana_state+0x1e/0x30 [nvme_core]
+kernel: nvme_parse_ana_log+0xa1/0x180 [nvme_core]
+kernel: nvme_mpath_add_disk+0x47/0x90 [nvme_core]
+kernel: nvme_validate_ns+0x396/0x940 [nvme_core]
+kernel: nvme_scan_work+0x24f/0x380 [nvme_core]
+kernel: process_one_work+0x1db/0x380
+kernel: worker_thread+0x249/0x400
+kernel: kthread+0x104/0x140
+
+kernel: Workqueue: nvme-wq nvme_ana_work [nvme_core]
+kernel: Call Trace:
+kernel: __schedule+0x2b9/0x6c0
+kernel: schedule+0x42/0xb0
+kernel: schedule_preempt_disabled+0xe/0x10
+kernel: __mutex_lock.isra.0+0x182/0x4f0
+kernel: ? __switch_to_asm+0x34/0x70
+kernel: ? select_task_rq_fair+0x1aa/0x5c0
+kernel: ? kvm_sched_clock_read+0x11/0x20
+kernel: ? sched_clock+0x9/0x10
+kernel: __mutex_lock_slowpath+0x13/0x20
+kernel: mutex_lock+0x2e/0x40
+kernel: nvme_read_ana_log+0x3a/0x100 [nvme_core]
+kernel: nvme_ana_work+0x15/0x20 [nvme_core]
+kernel: process_one_work+0x1db/0x380
+kernel: worker_thread+0x4d/0x400
+kernel: kthread+0x104/0x140
+kernel: ? process_one_work+0x380/0x380
+kernel: ? kthread_park+0x80/0x80
+kernel: ret_from_fork+0x35/0x40
+
+Fixes: 0d0b660f214d ("nvme: add ANA support")
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 6f584a9515f42..3ad6183c5e6b4 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -496,26 +496,34 @@ static ssize_t ana_state_show(struct device *dev, struct device_attribute *attr,
+ }
+ DEVICE_ATTR_RO(ana_state);
+
+-static int nvme_set_ns_ana_state(struct nvme_ctrl *ctrl,
++static int nvme_lookup_ana_group_desc(struct nvme_ctrl *ctrl,
+ struct nvme_ana_group_desc *desc, void *data)
+ {
+- struct nvme_ns *ns = data;
++ struct nvme_ana_group_desc *dst = data;
+
+- if (ns->ana_grpid == le32_to_cpu(desc->grpid)) {
+- nvme_update_ns_ana_state(desc, ns);
+- return -ENXIO; /* just break out of the loop */
+- }
++ if (desc->grpid != dst->grpid)
++ return 0;
+
+- return 0;
++ *dst = *desc;
++ return -ENXIO; /* just break out of the loop */
+ }
+
+ void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id)
+ {
+ if (nvme_ctrl_use_ana(ns->ctrl)) {
++ struct nvme_ana_group_desc desc = {
++ .grpid = id->anagrpid,
++ .state = 0,
++ };
++
+ mutex_lock(&ns->ctrl->ana_lock);
+ ns->ana_grpid = le32_to_cpu(id->anagrpid);
+- nvme_parse_ana_log(ns->ctrl, ns, nvme_set_ns_ana_state);
++ nvme_parse_ana_log(ns->ctrl, &desc, nvme_lookup_ana_group_desc);
+ mutex_unlock(&ns->ctrl->ana_lock);
++ if (desc.state) {
++ /* found the group desc: update */
++ nvme_update_ns_ana_state(&desc, ns);
++ }
+ } else {
+ mutex_lock(&ns->head->lock);
+ ns->ana_state = NVME_ANA_OPTIMIZED;
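Review bot: In nvme_mpath_add_disk(), `if (desc.state)` uses a zero state as the "group not found" marker, which only works if no valid ANA state encodes as 0, and the hunk does not state that assumption. A short comment on the initializer, e.g. `/* 0 is not a valid ANA state: still 0 after the parse means no matching group */`, would keep a later change from breaking it. It is also worth documenting that nvme_update_ns_ana_state() now runs on a copy taken before mutex_unlock(), so a log update by ana_work in between could presumably be newer than the state applied here; whether that ordering matters depends on code outside this hunk. The body of nvme_mpath_add_disk() continues past the end of the hunk.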
+--
+2.25.1
+
--- /dev/null
+From d18a99a506620a80566806c5d65a3fd7ee875792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 09:09:04 -0700
+Subject: nvme-multipath: set bdi capabilities once
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit b2ce4d90690bd29ce5b554e203cd03682dd59697 ]
+
+The queues' backing device info capabilities don't change with each
+namespace revalidation. Set it only when each path's request_queue
+is initially added to a multipath queue.
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 588864beabd80..6f584a9515f42 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -11,6 +11,7 @@
+ * more details.
+ */
+
++#include <linux/backing-dev.h>
+ #include <linux/moduleparam.h>
+ #include <trace/events/block.h>
+ #include "nvme.h"
+@@ -521,6 +522,13 @@ void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id)
+ nvme_mpath_set_live(ns);
+ mutex_unlock(&ns->head->lock);
+ }
++
++ if (bdi_cap_stable_pages_required(ns->queue->backing_dev_info)) {
++ struct backing_dev_info *info =
++ ns->head->disk->queue->backing_dev_info;
++
++ info->capabilities |= BDI_CAP_STABLE_WRITES;
++ }
+ }
+
+ void nvme_mpath_remove_disk(struct nvme_ns_head *head)
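Review bot: The added block dereferences `ns->head->disk->queue` without checking `ns->head->disk`, while the core.c hunk of the earlier nvme patch on this page wraps its use of the same pointer in `if (ns->head->disk)`. If the head can exist without a multipath gendisk, as that guard suggests, this is a NULL pointer dereference in the namespace scan path. Folding the check into the condition leaves the behaviour otherwise unchanged: `if (ns->head->disk && bdi_cap_stable_pages_required(ns->queue->backing_dev_info)) {`. nvme_mpath_add_disk() starts outside this hunk, so an earlier guard cannot be ruled out from here.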
+--
+2.25.1
+
--- /dev/null
+From 93584b194ae04a4a578902a47e21e50cd24d9c4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 13:43:04 +0300
+Subject: RDMA/cma: Protect bind_list and listen_list while finding matching cm
+ id
+
+From: Mark Zhang <markz@mellanox.com>
+
+[ Upstream commit 730c8912484186d4623d0c76509066d285c3a755 ]
+
+The bind_list and listen_list must be accessed under a lock, add the
+missing locking around the access in cm_ib_id_from_event()
+
+In addition add lockdep asserts to make it clearer what the locking
+semantic is here.
+
+ general protection fault: 0000 [#1] SMP NOPTI
+ CPU: 226 PID: 126135 Comm: kworker/226:1 Tainted: G OE 4.12.14-150.47-default #1 SLE15
+ Hardware name: Cray Inc. Windom/Windom, BIOS 0.8.7 01-10-2020
+ Workqueue: ib_cm cm_work_handler [ib_cm]
+ task: ffff9c5a60a1d2c0 task.stack: ffffc1d91f554000
+ RIP: 0010:cma_ib_req_handler+0x3f1/0x11b0 [rdma_cm]
+ RSP: 0018:ffffc1d91f557b40 EFLAGS: 00010286
+ RAX: deacffffffffff30 RBX: 0000000000000001 RCX: ffff9c2af5bb6000
+ RDX: 00000000000000a9 RSI: ffff9c5aa4ed2f10 RDI: ffffc1d91f557b08
+ RBP: ffffc1d91f557d90 R08: ffff9c340cc80000 R09: ffff9c2c0f901900
+ R10: 0000000000000000 R11: 0000000000000001 R12: deacffffffffff30
+ R13: ffff9c5a48aeec00 R14: ffffc1d91f557c30 R15: ffff9c5c2eea3688
+ FS: 0000000000000000(0000) GS:ffff9c5c2fa80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00002b5cc03fa320 CR3: 0000003f8500a000 CR4: 00000000003406e0
+ Call Trace:
+ ? rdma_addr_cancel+0xa0/0xa0 [ib_core]
+ ? cm_process_work+0x28/0x140 [ib_cm]
+ cm_process_work+0x28/0x140 [ib_cm]
+ ? cm_get_bth_pkey.isra.44+0x34/0xa0 [ib_cm]
+ cm_work_handler+0xa06/0x1a6f [ib_cm]
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to+0x7c/0x4b0
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ process_one_work+0x1da/0x400
+ worker_thread+0x2b/0x3f0
+ ? process_one_work+0x400/0x400
+ kthread+0x118/0x140
+ ? kthread_create_on_node+0x40/0x40
+ ret_from_fork+0x22/0x40
+ Code: 00 66 83 f8 02 0f 84 ca 05 00 00 49 8b 84 24 d0 01 00 00 48 85 c0 0f 84 68 07 00 00 48 2d d0 01
+ 00 00 49 89 c4 0f 84 59 07 00 00 <41> 0f b7 44 24 20 49 8b 77 50 66 83 f8 0a 75 9e 49 8b 7c 24 28
+
+Fixes: 4c21b5bcef73 ("IB/cma: Add net_dev and private data checks to RDMA CM")
+Link: https://lore.kernel.org/r/20200616104304.2426081-1-leon@kernel.org
+Signed-off-by: Mark Zhang <markz@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 5c03f4701ece2..1f14cd4ce3db5 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1507,6 +1507,8 @@ static struct rdma_id_private *cma_find_listener(
+ {
+ struct rdma_id_private *id_priv, *id_priv_dev;
+
++ lockdep_assert_held(&lock);
++
+ if (!bind_list)
+ return ERR_PTR(-EINVAL);
+
+@@ -1552,6 +1554,7 @@ cma_ib_id_from_event(struct ib_cm_id *cm_id,
+ }
+ }
+
++ mutex_lock(&lock);
+ /*
+ * Net namespace might be getting deleted while route lookup,
+ * cm_id lookup is in progress. Therefore, perform netdevice
+@@ -1593,6 +1596,7 @@ cma_ib_id_from_event(struct ib_cm_id *cm_id,
+ id_priv = cma_find_listener(bind_list, cm_id, ib_event, &req, *net_dev);
+ err:
+ rcu_read_unlock();
++ mutex_unlock(&lock);
+ if (IS_ERR(id_priv) && *net_dev) {
+ dev_put(*net_dev);
+ *net_dev = NULL;
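Review bot: After the added `mutex_unlock(&lock)` the function goes on to test and, presumably, return `id_priv`, the listener found on bind_list, and nothing in this hunk takes a reference on it before the lock is dropped. The lock now protects the list walk itself, but what keeps the listener alive once the lock is released is not visible here. A comment at the unlock stating the lifetime rule (which lock or reference the caller relies on) would make that reviewable. cma_ib_id_from_event() starts and ends outside this hunk.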
+@@ -2346,6 +2350,8 @@ static void cma_listen_on_dev(struct rdma_id_private *id_priv,
+ struct net *net = id_priv->id.route.addr.dev_addr.net;
+ int ret;
+
++ lockdep_assert_held(&lock);
++
+ if (cma_family(id_priv) == AF_IB && !rdma_cap_ib_cm(cma_dev->device, 1))
+ return;
+
+@@ -3081,6 +3087,8 @@ static void cma_bind_port(struct rdma_bind_list *bind_list,
+ u64 sid, mask;
+ __be16 port;
+
++ lockdep_assert_held(&lock);
++
+ addr = cma_src_addr(id_priv);
+ port = htons(bind_list->port);
+
+@@ -3109,6 +3117,8 @@ static int cma_alloc_port(enum rdma_ucm_port_space ps,
+ struct rdma_bind_list *bind_list;
+ int ret;
+
++ lockdep_assert_held(&lock);
++
+ bind_list = kzalloc(sizeof *bind_list, GFP_KERNEL);
+ if (!bind_list)
+ return -ENOMEM;
+@@ -3135,6 +3145,8 @@ static int cma_port_is_unique(struct rdma_bind_list *bind_list,
+ struct sockaddr *saddr = cma_src_addr(id_priv);
+ __be16 dport = cma_port(daddr);
+
++ lockdep_assert_held(&lock);
++
+ hlist_for_each_entry(cur_id, &bind_list->owners, node) {
+ struct sockaddr *cur_daddr = cma_dst_addr(cur_id);
+ struct sockaddr *cur_saddr = cma_src_addr(cur_id);
+@@ -3174,6 +3186,8 @@ static int cma_alloc_any_port(enum rdma_ucm_port_space ps,
+ unsigned int rover;
+ struct net *net = id_priv->id.route.addr.dev_addr.net;
+
++ lockdep_assert_held(&lock);
++
+ inet_get_local_port_range(net, &low, &high);
+ remaining = (high - low) + 1;
+ rover = prandom_u32() % remaining + low;
+@@ -3221,6 +3235,8 @@ static int cma_check_port(struct rdma_bind_list *bind_list,
+ struct rdma_id_private *cur_id;
+ struct sockaddr *addr, *cur_addr;
+
++ lockdep_assert_held(&lock);
++
+ addr = cma_src_addr(id_priv);
+ hlist_for_each_entry(cur_id, &bind_list->owners, node) {
+ if (id_priv == cur_id)
+@@ -3251,6 +3267,8 @@ static int cma_use_port(enum rdma_ucm_port_space ps,
+ unsigned short snum;
+ int ret;
+
++ lockdep_assert_held(&lock);
++
+ snum = ntohs(cma_port(cma_src_addr(id_priv)));
+ if (snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+ return -EACCES;
+--
+2.25.1
+
--- /dev/null
+From 53ff781a10484341b611aafda1aa1a58b69a86f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jun 2020 14:38:24 +0800
+Subject: RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads()
+
+From: Fan Guo <guofan5@huawei.com>
+
+[ Upstream commit a17f4bed811c60712d8131883cdba11a105d0161 ]
+
+If ib_dma_mapping_error() returns non-zero value,
+ib_mad_post_receive_mads() will jump out of loops and return -ENOMEM
+without freeing mad_priv. Fix this memory-leak problem by freeing mad_priv
+in this case.
+
+Fixes: 2c34e68f4261 ("IB/mad: Check and handle potential DMA mapping errors")
+Link: https://lore.kernel.org/r/20200612063824.180611-1-guofan5@huawei.com
+Signed-off-by: Fan Guo <guofan5@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/mad.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
+index 218411282069b..fd0a2fd8bfdf7 100644
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -2920,6 +2920,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ DMA_FROM_DEVICE);
+ if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device,
+ sg_list.addr))) {
++ kfree(mad_priv);
+ ret = -ENOMEM;
+ break;
+ }
+--
+2.25.1
+
--- /dev/null
+From 566db0deda4a007af16369e8c2122dc040342b6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 12:34:08 +0300
+Subject: RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
+
+From: Michal Kalderon <michal.kalderon@marvell.com>
+
+[ Upstream commit 0dfbd5ecf28cbcb81674c49d34ee97366db1be44 ]
+
+Private data passed to iwarp_cm_handler is copied for connection request /
+response, but ignored otherwise. If junk is passed, it is stored in the
+event and used later in the event processing.
+
+The driver passes an old junk pointer during connection close which leads
+to a use-after-free on event processing. Set private data to NULL for
+events that don't have private data.
+
+ BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
+ kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
+ kernel:
+ kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
+ kernel: Call Trace:
+ kernel: dump_stack+0x8c/0xc0
+ kernel: print_address_description.constprop.0+0x1b/0x210
+ kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
+ kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
+ kernel: __kasan_report.cold+0x1a/0x33
+ kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
+ kernel: kasan_report+0xe/0x20
+ kernel: check_memory_region+0x130/0x1a0
+ kernel: memcpy+0x20/0x50
+ kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
+ kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
+ kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
+ kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
+ kernel: ? enqueue_timer+0x86/0x140
+ kernel: ? _raw_write_lock_irq+0xd0/0xd0
+ kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]
+
+Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
+Link: https://lore.kernel.org/r/20200616093408.17827-1-michal.kalderon@marvell.com
+Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/qedr_iw_cm.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+index 93b16237b7677..2566715773675 100644
+--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+@@ -128,8 +128,17 @@ qedr_iw_issue_event(void *context,
+ if (params->cm_info) {
+ event.ird = params->cm_info->ird;
+ event.ord = params->cm_info->ord;
+- event.private_data_len = params->cm_info->private_data_len;
+- event.private_data = (void *)params->cm_info->private_data;
++ /* Only connect_request and reply have valid private data
++ * the rest of the events this may be left overs from
++ * connection establishment. CONNECT_REQUEST is issued via
++ * qedr_iw_mpa_request
++ */
++ if (event_type == IW_CM_EVENT_CONNECT_REPLY) {
++ event.private_data_len =
++ params->cm_info->private_data_len;
++ event.private_data =
++ (void *)params->cm_info->private_data;
++ }
+ }
+
+ if (ep->cm_id)
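Review bot: When `event_type` is not IW_CM_EVENT_CONNECT_REPLY the new code only skips the two assignments, so `event.private_data` is NULL only if `event` was zeroed earlier in qedr_iw_issue_event(), which is outside this hunk. Since the commit exists to keep a stale pointer out of the event, setting the fields explicitly before the `if` would make that independent of the initialisation: `event.private_data = NULL; event.private_data_len = 0;`. The added comment is also hard to parse; `/* Only CONNECT_REQUEST and CONNECT_REPLY carry valid private data; for other events cm_info may still hold leftovers from connection establishment. */` says the same thing more plainly.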
+--
+2.25.1
+
--- /dev/null
+From 6f712a03a3b8c83587e21b381fbed9197dc39c09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2020 16:21:29 +0100
+Subject: regmap: Fix memory leak from regmap_register_patch
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 95b2c3ec4cb1689db2389c251d39f64490ba641c ]
+
+When a register patch is registered the reg_sequence is copied but the
+memory allocated is never freed. Add a kfree in regmap_exit to clean it
+up.
+
+Fixes: 22f0d90a3482 ("regmap: Support register patch sets")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20200617152129.19655-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 6c9f6988bc093..b38b2d8c333d5 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1336,6 +1336,7 @@ void regmap_exit(struct regmap *map)
+ if (map->hwlock)
+ hwspin_lock_free(map->hwlock);
+ kfree_const(map->name);
++ kfree(map->patch);
+ kfree(map);
+ }
+ EXPORT_SYMBOL_GPL(regmap_exit);
+--
+2.25.1
+
--- /dev/null
+From c7d3dae8c0af841e6c5da0f20a1cfa9a11bce5a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 05:54:08 +0800
+Subject: regualtor: pfuze100: correct sw1a/sw2 on pfuze3000
+
+From: Robin Gong <yibin.gong@nxp.com>
+
+[ Upstream commit 6f1cf5257acc6e6242ddf2f52bc7912aed77b79f ]
+
+PFUZE100_SWB_REG is not proper for sw1a/sw2, because enable_mask/enable_reg
+is not correct. On PFUZE3000, sw1a/sw2 should be the same as sw1a/sw2 on
+pfuze100 except that voltages are not linear, so add a new PFUZE3000_SW_REG
+and pfuze3000_sw_regulator_ops, which are like the non-linear PFUZE100_SW_REG
+and pfuze100_sw_regulator_ops.
+
+Fixes: 1dced996ee70 ("regulator: pfuze100: update voltage setting for pfuze3000 sw1a")
+Reported-by: Christophe Meynard <Christophe.Meynard@ign.fr>
+Signed-off-by: Robin Gong <yibin.gong@nxp.com>
+Link: https://lore.kernel.org/r/1592171648-8752-1-git-send-email-yibin.gong@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/pfuze100-regulator.c | 60 +++++++++++++++++---------
+ 1 file changed, 39 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c
+index 69a377ab26041..30e92a9cc97e9 100644
+--- a/drivers/regulator/pfuze100-regulator.c
++++ b/drivers/regulator/pfuze100-regulator.c
+@@ -196,6 +196,19 @@ static const struct regulator_ops pfuze100_swb_regulator_ops = {
+
+ };
+
++static const struct regulator_ops pfuze3000_sw_regulator_ops = {
++ .enable = regulator_enable_regmap,
++ .disable = regulator_disable_regmap,
++ .is_enabled = regulator_is_enabled_regmap,
++ .list_voltage = regulator_list_voltage_table,
++ .map_voltage = regulator_map_voltage_ascend,
++ .set_voltage_sel = regulator_set_voltage_sel_regmap,
++ .get_voltage_sel = regulator_get_voltage_sel_regmap,
++ .set_voltage_time_sel = regulator_set_voltage_time_sel,
++ .set_ramp_delay = pfuze100_set_ramp_delay,
++
++};
++
+ #define PFUZE100_FIXED_REG(_chip, _name, base, voltage) \
+ [_chip ## _ ## _name] = { \
+ .desc = { \
+@@ -305,23 +318,28 @@ static const struct regulator_ops pfuze100_swb_regulator_ops = {
+ .stby_mask = 0x20, \
+ }
+
+-
+-#define PFUZE3000_SW2_REG(_chip, _name, base, min, max, step) { \
+- .desc = { \
+- .name = #_name,\
+- .n_voltages = ((max) - (min)) / (step) + 1, \
+- .ops = &pfuze100_sw_regulator_ops, \
+- .type = REGULATOR_VOLTAGE, \
+- .id = _chip ## _ ## _name, \
+- .owner = THIS_MODULE, \
+- .min_uV = (min), \
+- .uV_step = (step), \
+- .vsel_reg = (base) + PFUZE100_VOL_OFFSET, \
+- .vsel_mask = 0x7, \
+- }, \
+- .stby_reg = (base) + PFUZE100_STANDBY_OFFSET, \
+- .stby_mask = 0x7, \
+-}
++/* No linar case for the some switches of PFUZE3000 */
++#define PFUZE3000_SW_REG(_chip, _name, base, mask, voltages) \
++ [_chip ## _ ## _name] = { \
++ .desc = { \
++ .name = #_name, \
++ .n_voltages = ARRAY_SIZE(voltages), \
++ .ops = &pfuze3000_sw_regulator_ops, \
++ .type = REGULATOR_VOLTAGE, \
++ .id = _chip ## _ ## _name, \
++ .owner = THIS_MODULE, \
++ .volt_table = voltages, \
++ .vsel_reg = (base) + PFUZE100_VOL_OFFSET, \
++ .vsel_mask = (mask), \
++ .enable_reg = (base) + PFUZE100_MODE_OFFSET, \
++ .enable_mask = 0xf, \
++ .enable_val = 0x8, \
++ .enable_time = 500, \
++ }, \
++ .stby_reg = (base) + PFUZE100_STANDBY_OFFSET, \
++ .stby_mask = (mask), \
++ .sw_reg = true, \
++ }
+
+ #define PFUZE3000_SW3_REG(_chip, _name, base, min, max, step) { \
+ .desc = { \
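Review bot: The new comment `/* No linar case for the some switches of PFUZE3000 */` does not say what the macro is for; `/* Non-linear (table-based) voltage switches on PFUZE3000 */` would match the commit description. In the same macro `.enable_mask = 0xf`, `.enable_val = 0x8` and `.enable_time = 500` are bare numbers, and a one-line comment naming the register field and the unit of the delay would let a reader check them against the datasheet. The PFUZE3000_SW3_REG macro that follows is cut off by the end of the hunk.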
+@@ -377,9 +395,9 @@ static struct pfuze_regulator pfuze200_regulators[] = {
+ };
+
+ static struct pfuze_regulator pfuze3000_regulators[] = {
+- PFUZE100_SWB_REG(PFUZE3000, SW1A, PFUZE100_SW1ABVOL, 0x1f, pfuze3000_sw1a),
++ PFUZE3000_SW_REG(PFUZE3000, SW1A, PFUZE100_SW1ABVOL, 0x1f, pfuze3000_sw1a),
+ PFUZE100_SW_REG(PFUZE3000, SW1B, PFUZE100_SW1CVOL, 700000, 1475000, 25000),
+- PFUZE100_SWB_REG(PFUZE3000, SW2, PFUZE100_SW2VOL, 0x7, pfuze3000_sw2lo),
++ PFUZE3000_SW_REG(PFUZE3000, SW2, PFUZE100_SW2VOL, 0x7, pfuze3000_sw2lo),
+ PFUZE3000_SW3_REG(PFUZE3000, SW3, PFUZE100_SW3AVOL, 900000, 1650000, 50000),
+ PFUZE100_SWB_REG(PFUZE3000, SWBST, PFUZE100_SWBSTCON1, 0x3, pfuze100_swbst),
+ PFUZE100_SWB_REG(PFUZE3000, VSNVS, PFUZE100_VSNVSVOL, 0x7, pfuze100_vsnvs),
+@@ -393,8 +411,8 @@ static struct pfuze_regulator pfuze3000_regulators[] = {
+ };
+
+ static struct pfuze_regulator pfuze3001_regulators[] = {
+- PFUZE100_SWB_REG(PFUZE3001, SW1, PFUZE100_SW1ABVOL, 0x1f, pfuze3000_sw1a),
+- PFUZE100_SWB_REG(PFUZE3001, SW2, PFUZE100_SW2VOL, 0x7, pfuze3000_sw2lo),
++ PFUZE3000_SW_REG(PFUZE3001, SW1, PFUZE100_SW1ABVOL, 0x1f, pfuze3000_sw1a),
++ PFUZE3000_SW_REG(PFUZE3001, SW2, PFUZE100_SW2VOL, 0x7, pfuze3000_sw2lo),
+ PFUZE3000_SW3_REG(PFUZE3001, SW3, PFUZE100_SW3AVOL, 900000, 1650000, 50000),
+ PFUZE100_SWB_REG(PFUZE3001, VSNVS, PFUZE100_VSNVSVOL, 0x7, pfuze100_vsnvs),
+ PFUZE100_VGEN_REG(PFUZE3001, VLDO1, PFUZE100_VGEN1VOL, 1800000, 3300000, 100000),
+--
+2.25.1
+
--- /dev/null
+From e91e8b6418e874a6754c41a504b6cbec56f59616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 19:33:06 +0530
+Subject: RISC-V: Don't allow write+exec only page mapping request in mmap
+
+From: Yash Shah <yash.shah@sifive.com>
+
+[ Upstream commit e0d17c842c0f824fd4df9f4688709fc6907201e1 ]
+
+As per the table 4.4 of version "20190608-Priv-MSU-Ratified" of the
+RISC-V instruction set manual[0], the PTE permission bit combination of
+"write+exec only" is reserved for future use. Hence, don't allow such
+mapping request in mmap call.
+
+An issue is been reported by David Abdurachmanov, that while running
+stress-ng with "sysbadaddr" argument, RCU stalls are observed on RISC-V
+specific kernel.
+
+This issue arises when stress-sysbadaddr requests pages with
+"write+exec only" permission bits and then passes the address obtained
+from this mmap call to various system calls. For the riscv kernel, the
+mmap call should fail for this particular combination of permission bits
+since it's not valid.
+
+[0]: http://dabbelt.com/~palmer/keep/riscv-isa-manual/riscv-privileged-20190608-1.pdf
+
+Signed-off-by: Yash Shah <yash.shah@sifive.com>
+Reported-by: David Abdurachmanov <david.abdurachmanov@gmail.com>
+[Palmer: Refer to the latest ISA specification at the only link I could
+find, and update the terminology.]
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/sys_riscv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/riscv/kernel/sys_riscv.c b/arch/riscv/kernel/sys_riscv.c
+index fb03a4482ad60..db44da32701f2 100644
+--- a/arch/riscv/kernel/sys_riscv.c
++++ b/arch/riscv/kernel/sys_riscv.c
+@@ -16,6 +16,7 @@
+ #include <linux/syscalls.h>
+ #include <asm/unistd.h>
+ #include <asm/cacheflush.h>
++#include <asm-generic/mman-common.h>
+
+ static long riscv_sys_mmap(unsigned long addr, unsigned long len,
+ unsigned long prot, unsigned long flags,
+@@ -24,6 +25,11 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len,
+ {
+ if (unlikely(offset & (~PAGE_MASK >> page_shift_offset)))
+ return -EINVAL;
++
++ if ((prot & PROT_WRITE) && (prot & PROT_EXEC))
++ if (unlikely(!(prot & PROT_READ)))
++ return -EINVAL;
++
+ return ksys_mmap_pgoff(addr, len, prot, flags, fd,
+ offset >> (PAGE_SHIFT - page_shift_offset));
+ }
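Review bot: The new check sits only in riscv_sys_mmap(), so it rejects PROT_WRITE|PROT_EXEC without PROT_READ at mmap time but, from what this hunk shows, does not cover a mapping whose protection is later changed to the same combination through mprotect(). If the reserved PTE encoding is the concern, that path presumably needs the same rule or a shared helper. The nested `if` can also be a single test, which reads more directly and puts `unlikely()` on the whole condition: `if (unlikely((prot & (PROT_READ | PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC)))` followed by `return -EINVAL;`.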
+--
+2.25.1
+
--- /dev/null
+From 85c88ccae9bd67b45e58a26ec37078f648fa6f6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jun 2020 18:32:35 +0000
+Subject: riscv/atomic: Fix sign extension for RV64I
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 6c58f25e6938c073198af8b1e1832f83f8f0df33 ]
+
+The argument passed to cmpxchg is not guaranteed to be sign
+extended, but lr.w sign extends on RV64I. This makes cmpxchg
+fail on clang built kernels when __old is negative.
+
+To fix this, we just cast __old to long which sign extends on
+RV64I. With this fix, clang built RISC-V kernels now boot.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/867
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/cmpxchg.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/riscv/include/asm/cmpxchg.h b/arch/riscv/include/asm/cmpxchg.h
+index c12833f7b6bd1..42978aac99d53 100644
+--- a/arch/riscv/include/asm/cmpxchg.h
++++ b/arch/riscv/include/asm/cmpxchg.h
+@@ -187,7 +187,7 @@
+ " bnez %1, 0b\n" \
+ "1:\n" \
+ : "=&r" (__ret), "=&r" (__rc), "+A" (*__ptr) \
+- : "rJ" (__old), "rJ" (__new) \
++ : "rJ" ((long)__old), "rJ" (__new) \
+ : "memory"); \
+ break; \
+ case 8: \
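Review bot: `(long)__old` sign-extends only when the operand has a signed 32-bit type; if `__old` takes the type of `*ptr` and that type is unsigned (a u32 with bit 31 set, say), the cast zero-extends and the comparison against the sign-extended result of `lr.w` would still never match. The declaration of `__old` is outside the hunk, so this is inferred from how the macro is used rather than visible here. Going through a signed 32-bit type first covers both cases: `: "rJ" ((long)(int)(long)__old), "rJ" (__new) \`. The same applies to the 4-byte case in the other three hunks of this file.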
+@@ -232,7 +232,7 @@
+ RISCV_ACQUIRE_BARRIER \
+ "1:\n" \
+ : "=&r" (__ret), "=&r" (__rc), "+A" (*__ptr) \
+- : "rJ" (__old), "rJ" (__new) \
++ : "rJ" ((long)__old), "rJ" (__new) \
+ : "memory"); \
+ break; \
+ case 8: \
+@@ -278,7 +278,7 @@
+ " bnez %1, 0b\n" \
+ "1:\n" \
+ : "=&r" (__ret), "=&r" (__rc), "+A" (*__ptr) \
+- : "rJ" (__old), "rJ" (__new) \
++ : "rJ" ((long)__old), "rJ" (__new) \
+ : "memory"); \
+ break; \
+ case 8: \
+@@ -324,7 +324,7 @@
+ " fence rw, rw\n" \
+ "1:\n" \
+ : "=&r" (__ret), "=&r" (__rc), "+A" (*__ptr) \
+- : "rJ" (__old), "rJ" (__new) \
++ : "rJ" ((long)__old), "rJ" (__new) \
+ : "memory"); \
+ break; \
+ case 8: \
+--
+2.25.1
+
--- /dev/null
+From d77a8b2c1b67a15899110ba98c12d84d6db2c29a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2020 23:01:23 +0100
+Subject: rxrpc: Fix handling of rwind from an ACK packet
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit a2ad7c21ad8cf1ce4ad65e13df1c2a1c29b38ac5 ]
+
+The handling of the receive window size (rwind) from a received ACK packet
+is not correct. The rxrpc_input_ackinfo() function currently checks the
+current Tx window size against the rwind from the ACK to see if it has
+changed, but then limits the rwind size before storing it in the tx_winsize
+member and, if it increased, wakes up the transmitting process. This means
+that if rwind > RXRPC_RXTX_BUFF_SIZE - 1, this path will always be
+followed.
+
+Fix this by limiting rwind before we compare it to tx_winsize.
+
+The effect of this can be seen by enabling the rxrpc_rx_rwind_change
+tracepoint.
+
+Fixes: 702f2ac87a9a ("rxrpc: Wake up the transmitter if Rx window size increases on the peer")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index e65b230fce4c4..58bd558a277a4 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -735,13 +735,12 @@ static void rxrpc_input_ackinfo(struct rxrpc_call *call, struct sk_buff *skb,
+ ntohl(ackinfo->rxMTU), ntohl(ackinfo->maxMTU),
+ rwind, ntohl(ackinfo->jumbo_max));
+
++ if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
++ rwind = RXRPC_RXTX_BUFF_SIZE - 1;
+ if (call->tx_winsize != rwind) {
+- if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
+- rwind = RXRPC_RXTX_BUFF_SIZE - 1;
+ if (rwind > call->tx_winsize)
+ wake = true;
+- trace_rxrpc_rx_rwind_change(call, sp->hdr.serial,
+- ntohl(ackinfo->rwind), wake);
++ trace_rxrpc_rx_rwind_change(call, sp->hdr.serial, rwind, wake);
+ call->tx_winsize = rwind;
+ }
+
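Review bot: `rwind` comes from the received ACK and is now clamped at the top before the comparison, but no lower bound is applied, so a peer advertising a window of 0 sets `call->tx_winsize` to 0. Whether the transmit path tolerates a zero window is not visible in this hunk; if it does not, the clamp should also enforce a minimum. The tracepoint now logs the clamped value instead of `ntohl(ackinfo->rwind)`, so the trace no longer shows what the peer actually sent; a comment such as `/* rwind is traced after clamping, not as received */` would avoid misreading it during an investigation. rxrpc_input_ackinfo() starts and ends outside this hunk.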
+--
+2.25.1
+
--- /dev/null
+From cccac21db5a9b7c1b03b1078f8093be1751a6e1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Mar 2020 16:44:50 +0100
+Subject: s390/ptrace: fix setting syscall number
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+[ Upstream commit 873e5a763d604c32988c4a78913a8dab3862d2f9 ]
+
+When strace wants to update the syscall number, it sets GPR2
+to the desired number and updates the GPR via PTRACE_SETREGSET.
+It doesn't update regs->int_code, which would cause the old syscall
+to be executed on syscall restart. As we cannot change the ptrace ABI and
+don't have a field for the interruption code, check whether the tracee
+is in a syscall and the last instruction was svc. In that case assume
+that the tracer wants to update the syscall number and copy the GPR2
+value to regs->int_code.
+
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/ptrace.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index cd3df5514552c..65fefbf61e1ca 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -325,6 +325,25 @@ static inline void __poke_user_per(struct task_struct *child,
+ child->thread.per_user.end = data;
+ }
+
++static void fixup_int_code(struct task_struct *child, addr_t data)
++{
++ struct pt_regs *regs = task_pt_regs(child);
++ int ilc = regs->int_code >> 16;
++ u16 insn;
++
++ if (ilc > 6)
++ return;
++
++ if (ptrace_access_vm(child, regs->psw.addr - (regs->int_code >> 16),
++ &insn, sizeof(insn), FOLL_FORCE) != sizeof(insn))
++ return;
++
++ /* double check that tracee stopped on svc instruction */
++ if ((insn >> 8) != 0xa)
++ return;
++
++ regs->int_code = 0x20000 | (data & 0xffff);
++}
+ /*
+ * Write a word to the user area of a process at location addr. This
+ * operation does have an additional problem compared to peek_user.
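Review bot: In fixup_int_code() the address passed to ptrace_access_vm() is computed with a second `regs->int_code >> 16` instead of the `ilc` that was just range-checked; `regs->psw.addr - ilc` would keep the bound and the subtraction tied to one value. The literals `0xa` and `0x20000` carry the meaning of the function and are unexplained; a comment such as `/* ilc = 2 (svc is a 2-byte insn), low 16 bits = new syscall number */` on the final assignment would help, and it would also make the silent truncation by `data & 0xffff` visible. Every failure path returns without any indication, so the GPR2 write still goes through while int_code keeps the old number; if that is intentional, a one-line comment should say so. A blank line between the closing brace and the following comment block is also missing.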
+@@ -336,7 +355,9 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
+ struct user *dummy = NULL;
+ addr_t offset;
+
++
+ if (addr < (addr_t) &dummy->regs.acrs) {
++ struct pt_regs *regs = task_pt_regs(child);
+ /*
+ * psw and gprs are stored on the stack
+ */
+@@ -354,7 +375,11 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
+ /* Invalid addressing mode bits */
+ return -EINVAL;
+ }
+- *(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
++
++ if (test_pt_regs_flag(regs, PIF_SYSCALL) &&
++ addr == offsetof(struct user, regs.gprs[2]))
++ fixup_int_code(child, data);
++ *(addr_t *)((addr_t) ®s->psw + addr) = data;
+
+ } else if (addr < (addr_t) (&dummy->regs.orig_gpr2)) {
+ /*
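Review bot: The added `test_pt_regs_flag(regs, PIF_SYSCALL) && addr == offsetof(struct user, regs.gprs[2])` check has no comment saying why a write to GPR2 is special. Something like `/* tracer rewrites the syscall number of a tracee stopped in a syscall: keep int_code in sync for syscall restart */` above it would save the next reader a trip to the commit log; the same applies to the matching check in __poke_user_compat(). The empty line added at the top of __poke_user() in the previous hunk is stray. The `®s` shown on the store line is presumably a rendering artefact of `&regs`. __poke_user() starts and ends outside this hunk.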
+@@ -720,6 +745,10 @@ static int __poke_user_compat(struct task_struct *child,
+ regs->psw.mask = (regs->psw.mask & ~PSW_MASK_BA) |
+ (__u64)(tmp & PSW32_ADDR_AMODE);
+ } else {
++
++ if (test_pt_regs_flag(regs, PIF_SYSCALL) &&
++ addr == offsetof(struct compat_user, regs.gprs[2]))
++ fixup_int_code(child, data);
+ /* gpr 0-15 */
+ *(__u32*)((addr_t) ®s->psw + addr*2 + 4) = tmp;
+ }
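Review bot: fixup_int_code() is passed `data` here while the store two lines below writes `tmp`; the two agree only because fixup_int_code() masks its argument to 16 bits. Passing the value that is actually stored, `fixup_int_code(child, tmp);`, would make the compat path use one value throughout. The blank line added directly after `} else {` is stray. __poke_user_compat() starts outside the hunk, so how `tmp` is derived from `data` is not visible here and should be confirmed.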
+--
+2.25.1
+
--- /dev/null
+From 16077a8140677362c97c3e2aeaf1f235d7bbdc7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Mar 2020 12:10:27 +0000
+Subject: s390/vdso: fix vDSO clock_getres()
+
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+
+[ Upstream commit 478237a595120a18e9b52fd2c57a6e8b7a01e411 ]
+
+clock_getres in the vDSO library has to preserve the same behaviour
+of posix_get_hrtimer_res().
+
+In particular, posix_get_hrtimer_res() does:
+ sec = 0;
+ ns = hrtimer_resolution;
+and hrtimer_resolution depends on the enablement of the high
+resolution timers that can happen either at compile or at run time.
+
+Fix the s390 vdso implementation of clock_getres keeping a copy of
+hrtimer_resolution in vdso data and using that directly.
+
+Link: https://lkml.kernel.org/r/20200324121027.21665-1-vincenzo.frascino@arm.com
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Acked-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+[heiko.carstens@de.ibm.com: use llgf for proper zero extension]
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/vdso.h | 1 +
+ arch/s390/kernel/asm-offsets.c | 2 +-
+ arch/s390/kernel/time.c | 1 +
+ arch/s390/kernel/vdso64/clock_getres.S | 10 +++++-----
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/arch/s390/include/asm/vdso.h b/arch/s390/include/asm/vdso.h
+index 169d7604eb804..f3ba84fa9bd18 100644
+--- a/arch/s390/include/asm/vdso.h
++++ b/arch/s390/include/asm/vdso.h
+@@ -36,6 +36,7 @@ struct vdso_data {
+ __u32 tk_shift; /* Shift used for xtime_nsec 0x60 */
+ __u32 ts_dir; /* TOD steering direction 0x64 */
+ __u64 ts_end; /* TOD steering end 0x68 */
++ __u32 hrtimer_res; /* hrtimer resolution 0x70 */
+ };
+
+ struct vdso_per_cpu_data {
+diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c
+index 66e830f1c7bfe..e9d09f6e81d25 100644
+--- a/arch/s390/kernel/asm-offsets.c
++++ b/arch/s390/kernel/asm-offsets.c
+@@ -75,6 +75,7 @@ int main(void)
+ OFFSET(__VDSO_TK_SHIFT, vdso_data, tk_shift);
+ OFFSET(__VDSO_TS_DIR, vdso_data, ts_dir);
+ OFFSET(__VDSO_TS_END, vdso_data, ts_end);
++ OFFSET(__VDSO_CLOCK_REALTIME_RES, vdso_data, hrtimer_res);
+ OFFSET(__VDSO_ECTG_BASE, vdso_per_cpu_data, ectg_timer_base);
+ OFFSET(__VDSO_ECTG_USER, vdso_per_cpu_data, ectg_user_time);
+ OFFSET(__VDSO_CPU_NR, vdso_per_cpu_data, cpu_nr);
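Review bot: The new offset symbol `__VDSO_CLOCK_REALTIME_RES` does not follow the `__VDSO_<FIELD>` pattern of its neighbours (`__VDSO_TK_SHIFT` for tk_shift, `__VDSO_TS_END` for ts_end), and the assembly uses it for CLOCK_MONOTONIC as well as CLOCK_REALTIME. A name derived from the field, for example `__VDSO_HRTIMER_RES`, would be consistent and would not be mistaken for the `__CLOCK_REALTIME_RES` constant that the next hunk removes.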
+@@ -86,7 +87,6 @@ int main(void)
+ DEFINE(__CLOCK_REALTIME_COARSE, CLOCK_REALTIME_COARSE);
+ DEFINE(__CLOCK_MONOTONIC_COARSE, CLOCK_MONOTONIC_COARSE);
+ DEFINE(__CLOCK_THREAD_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID);
+- DEFINE(__CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC);
+ DEFINE(__CLOCK_COARSE_RES, LOW_RES_NSEC);
+ BLANK();
+ /* idle data offsets */
+diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c
+index e8766beee5ad8..8ea9db599d38d 100644
+--- a/arch/s390/kernel/time.c
++++ b/arch/s390/kernel/time.c
+@@ -310,6 +310,7 @@ void update_vsyscall(struct timekeeper *tk)
+
+ vdso_data->tk_mult = tk->tkr_mono.mult;
+ vdso_data->tk_shift = tk->tkr_mono.shift;
++ vdso_data->hrtimer_res = hrtimer_resolution;
+ smp_wmb();
+ ++vdso_data->tb_update_count;
+ }
+diff --git a/arch/s390/kernel/vdso64/clock_getres.S b/arch/s390/kernel/vdso64/clock_getres.S
+index 081435398e0a1..0c79caa32b592 100644
+--- a/arch/s390/kernel/vdso64/clock_getres.S
++++ b/arch/s390/kernel/vdso64/clock_getres.S
+@@ -17,12 +17,14 @@
+ .type __kernel_clock_getres,@function
+ __kernel_clock_getres:
+ CFI_STARTPROC
+- larl %r1,4f
++ larl %r1,3f
++ lg %r0,0(%r1)
+ cghi %r2,__CLOCK_REALTIME_COARSE
+ je 0f
+ cghi %r2,__CLOCK_MONOTONIC_COARSE
+ je 0f
+- larl %r1,3f
++ larl %r1,_vdso_data
++ llgf %r0,__VDSO_CLOCK_REALTIME_RES(%r1)
+ cghi %r2,__CLOCK_REALTIME
+ je 0f
+ cghi %r2,__CLOCK_MONOTONIC
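Review bot: %r0 now carries the result from the top of the function down to label 0, but nothing in the code says so, and the load that used to sit next to the store has been removed. Short comments on the two loads would make the data flow readable: `/* r0 = coarse resolution */` after `lg %r0,0(%r1)` and `/* r0 = hrtimer resolution, zero-extended from the __u32 in vdso_data */` after the `llgf`. The `hrtimer_res` read is not paired with a tb_update_count check in the lines shown, although update_vsyscall() writes the field inside its update window. That looks safe for a single aligned 32-bit load, but it is worth stating in a comment. __kernel_clock_getres continues outside this hunk.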
+@@ -36,7 +38,6 @@ __kernel_clock_getres:
+ jz 2f
+ 0: ltgr %r3,%r3
+ jz 1f /* res == NULL */
+- lg %r0,0(%r1)
+ xc 0(8,%r3),0(%r3) /* set tp->tv_sec to zero */
+ stg %r0,8(%r3) /* store tp->tv_usec */
+ 1: lghi %r2,0
+@@ -45,6 +46,5 @@ __kernel_clock_getres:
+ svc 0
+ br %r14
+ CFI_ENDPROC
+-3: .quad __CLOCK_REALTIME_RES
+-4: .quad __CLOCK_COARSE_RES
++3: .quad __CLOCK_COARSE_RES
+ .size __kernel_clock_getres,.-__kernel_clock_getres
+--
+2.25.1
+
--- /dev/null
+From a0453b75d0768144b719a1d73401c2896c8dc38d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 22:06:43 -0500
+Subject: sata_rcar: handle pm_runtime_get_sync failure cases
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit eea1238867205b9e48a67c1a63219529a73c46fd ]
+
+Calling pm_runtime_get_sync increments the counter even in case of
+failure, causing incorrect ref count. Call pm_runtime_put if
+pm_runtime_get_sync fails.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_rcar.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
+index 03867f539f3a8..50ebd779d975f 100644
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -909,7 +909,7 @@ static int sata_rcar_probe(struct platform_device *pdev)
+ pm_runtime_enable(dev);
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0)
+- goto err_pm_disable;
++ goto err_pm_put;
+
+ host = ata_host_alloc(dev, 1);
+ if (!host) {
+@@ -940,7 +940,6 @@ static int sata_rcar_probe(struct platform_device *pdev)
+
+ err_pm_put:
+ pm_runtime_put(dev);
+-err_pm_disable:
+ pm_runtime_disable(dev);
+ return ret;
+ }
+@@ -994,8 +993,10 @@ static int sata_rcar_resume(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+
+ if (priv->type == RCAR_GEN3_SATA) {
+ sata_rcar_init_module(priv);
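Review bot: On this failure branch the device did not resume, so only the usage counter needs to be dropped; `pm_runtime_put(dev)` also requests an idle notification for a device that has just reported an error. `pm_runtime_put_noidle(dev);` balances the count without that extra step, here and in the identical branch added to sata_rcar_restore(). In sata_rcar_probe() the shared `err_pm_put` label is also reached after a successful resume, so `pm_runtime_put()` remains appropriate for those paths. sata_rcar_resume() continues outside the hunk.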
+@@ -1020,8 +1021,10 @@ static int sata_rcar_restore(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+
+ sata_rcar_setup_port(host);
+
+--
+2.25.1
+
--- /dev/null
+From a07b499b86e9113ae4eda81ba6f60bb9dda0fdf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Nov 2018 16:32:01 +0100
+Subject: sched/core: Fix PI boosting between RT and DEADLINE tasks
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit 740797ce3a124b7dd22b7fb832d87bc8fba1cf6f ]
+
+syzbot reported the following warning:
+
+ WARNING: CPU: 1 PID: 6351 at kernel/sched/deadline.c:628
+ enqueue_task_dl+0x22da/0x38a0 kernel/sched/deadline.c:1504
+
+At deadline.c:628 we have:
+
+ 623 static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
+ 624 {
+ 625 struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
+ 626 struct rq *rq = rq_of_dl_rq(dl_rq);
+ 627
+ 628 WARN_ON(dl_se->dl_boosted);
+ 629 WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
+ [...]
+ }
+
+Which means that setup_new_dl_entity() has been called on a task
+currently boosted. This shouldn't happen though, as setup_new_dl_entity()
+is only called when the 'dynamic' deadline of the new entity
+is in the past w.r.t. rq_clock and boosted tasks shouldn't verify this
+condition.
+
+Digging through the PI code I noticed that what above might in fact happen
+if an RT tasks blocks on an rt_mutex hold by a DEADLINE task. In the
+first branch of boosting conditions we check only if a pi_task 'dynamic'
+deadline is earlier than mutex holder's and in this case we set mutex
+holder to be dl_boosted. However, since RT 'dynamic' deadlines are only
+initialized if such tasks get boosted at some point (or if they become
+DEADLINE of course), in general RT 'dynamic' deadlines are usually equal
+to 0 and this verifies the aforementioned condition.
+
+Fix it by checking that the potential donor task is actually (even if
+temporary because in turn boosted) running at DEADLINE priority before
+using its 'dynamic' deadline value.
+
+Fixes: 2d3d891d3344 ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
+Reported-by: syzbot+119ba87189432ead09b4@syzkaller.appspotmail.com
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Tested-by: Daniel Wagner <dwagner@suse.de>
+Link: https://lkml.kernel.org/r/20181119153201.GB2119@localhost.localdomain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 0325ccf3a8e45..843394d0ea426 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3862,7 +3862,8 @@ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task)
+ */
+ if (dl_prio(prio)) {
+ if (!dl_prio(p->normal_prio) ||
+- (pi_task && dl_entity_preempt(&pi_task->dl, &p->dl))) {
++ (pi_task && dl_prio(pi_task->prio) &&
++ dl_entity_preempt(&pi_task->dl, &p->dl))) {
+ p->dl.dl_boosted = 1;
+ queue_flag |= ENQUEUE_REPLENISH;
+ } else
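Review bot: The added `dl_prio(pi_task->prio)` test has no comment, and its reason is not obvious from the code alone. Per the commit message, a donor that is not running at DEADLINE priority usually has a 'dynamic' deadline of 0, which makes dl_entity_preempt() succeed spuriously. A comment above the condition, e.g. `/* only a donor running at DEADLINE priority has a valid deadline to compare */`, would keep the check from being simplified away later. rt_mutex_setprio() starts and ends outside the hunk.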
+--
+2.25.1
+
--- /dev/null
+From 3fcdde09b0dcb6d8169841765118d05859c8c79e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2020 09:29:19 +0200
+Subject: sched/deadline: Initialize ->dl_boosted
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit ce9bc3b27f2a21a7969b41ffb04df8cf61bd1592 ]
+
+syzbot reported the following warning triggered via SYSC_sched_setattr():
+
+ WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 setup_new_dl_entity /kernel/sched/deadline.c:594 [inline]
+ WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 enqueue_dl_entity /kernel/sched/deadline.c:1370 [inline]
+ WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 enqueue_task_dl+0x1c17/0x2ba0 /kernel/sched/deadline.c:1441
+
+This happens because the ->dl_boosted flag is currently not initialized by
+__dl_clear_params() (unlike the other flags) and setup_new_dl_entity()
+rightfully complains about it.
+
+Initialize dl_boosted to 0.
+
+Fixes: 2d3d891d3344 ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
+Reported-by: syzbot+5ac8bac25f95e8b221e7@syzkaller.appspotmail.com
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Tested-by: Daniel Wagner <dwagner@suse.de>
+Link: https://lkml.kernel.org/r/20200617072919.818409-1-juri.lelli@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index ebec37cb3be9a..8aecfb143859d 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2688,6 +2688,7 @@ void __dl_clear_params(struct task_struct *p)
+ dl_se->dl_bw = 0;
+ dl_se->dl_density = 0;
+
++ dl_se->dl_boosted = 0;
+ dl_se->dl_throttled = 0;
+ dl_se->dl_yielded = 0;
+ dl_se->dl_non_contending = 0;
+--
+2.25.1
+
cdc-acm-add-disable_echo-quirk-for-microchip-smsc-chip.patch
cifs-smb3-fix-data-inconsistent-when-punch-hole.patch
cifs-smb3-fix-data-inconsistent-when-zero-file-range.patch
+xfrm-fix-double-esp-trailer-insertion-in-ipsec-crypt.patch
+asoc-q6asm-handle-eos-correctly.patch
+efi-esrt-fix-reference-count-leak-in-esre_create_sys.patch
+regualtor-pfuze100-correct-sw1a-sw2-on-pfuze3000.patch
+asoc-fsl_ssi-fix-bclk-calculation-for-mono-channel.patch
+arm-dts-fix-duovero-smsc-interrupt-for-suspend.patch
+x86-resctrl-fix-a-null-vs-is_err-static-checker-warn.patch
+regmap-fix-memory-leak-from-regmap_register_patch.patch
+arm-dts-nsp-correct-fa2-mailbox-node.patch
+rxrpc-fix-handling-of-rwind-from-an-ack-packet.patch
+rdma-qedr-fix-kasan-use-after-free-in-ucma_event_han.patch
+rdma-cma-protect-bind_list-and-listen_list-while-fin.patch
+asoc-rockchip-fix-a-reference-count-leak.patch
+rdma-mad-fix-possible-memory-leak-in-ib_mad_post_rec.patch
+ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
+net-qed-fix-left-elements-count-calculation.patch
+net-qed-fix-nvme-login-fails-over-vfs.patch
+net-qed-fix-excessive-qm-ilt-lines-consumption.patch
+cxgb4-move-handling-l2t-arp-failures-to-caller.patch
+arm-imx5-add-missing-put_device-call-in-imx_suspend_.patch
+usb-gadget-udc-potential-oops-in-error-handling-code.patch
+nvme-multipath-set-bdi-capabilities-once.patch
+nvme-fix-possible-deadlock-when-i-o-is-blocked.patch
+nvme-multipath-fix-deadlock-between-ana_work-and-sca.patch
+netfilter-ipset-fix-unaligned-atomic-access.patch
+net-bcmgenet-use-hardware-padding-of-runt-frames.patch
+i2c-fsi-fix-the-port-number-field-in-status-register.patch
+i2c-core-check-returned-size-of-emulated-smbus-block.patch
+sched-deadline-initialize-dl_boosted.patch
+sched-core-fix-pi-boosting-between-rt-and-deadline-t.patch
+sata_rcar-handle-pm_runtime_get_sync-failure-cases.patch
+ata-libata-fix-usage-of-page-address-by-page_address.patch
+drm-amd-display-use-kfree-to-free-rgb_user-in-calcul.patch
+riscv-atomic-fix-sign-extension-for-rv64i.patch
+hwrng-ks-sa-fix-runtime-pm-imbalance-on-error.patch
+arm64-sve-eliminate-data-races-on-sve_default_vl.patch
+ibmvnic-harden-device-login-requests.patch
+net-alx-fix-race-condition-in-alx_remove.patch
+s390-ptrace-fix-setting-syscall-number.patch
+s390-vdso-fix-vdso-clock_getres.patch
+arm64-sve-fix-build-failure-when-arm64_sve-y-and-sys.patch
+kbuild-improve-cc-option-to-clean-up-all-temporary-f.patch
+blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch
+risc-v-don-t-allow-write-exec-only-page-mapping-requ.patch
--- /dev/null
+From 2aeb963ead0eb3b0ea5373380a3e28446824b859 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 14:27:19 +0300
+Subject: usb: gadget: udc: Potential Oops in error handling code
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e55f3c37cb8d31c7e301f46396b2ac6a19eb3a7c ]
+
+If this is in "transceiver" mode the the ->qwork isn't required and is
+a NULL pointer. This can lead to a NULL dereference when we call
+destroy_workqueue(udc->qwork).
+
+Fixes: 3517c31a8ece ("usb: gadget: mv_udc: use devm_xxx for probe")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/mv_udc_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/mv_udc_core.c b/drivers/usb/gadget/udc/mv_udc_core.c
+index 95f52232493b2..83e98b59910ec 100644
+--- a/drivers/usb/gadget/udc/mv_udc_core.c
++++ b/drivers/usb/gadget/udc/mv_udc_core.c
+@@ -2313,7 +2313,8 @@ static int mv_udc_probe(struct platform_device *pdev)
+ return 0;
+
+ err_create_workqueue:
+- destroy_workqueue(udc->qwork);
++ if (udc->qwork)
++ destroy_workqueue(udc->qwork);
+ err_destroy_dma:
+ dma_pool_destroy(udc->dtd_pool);
+ err_free_dma:
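Review bot: The new `if (udc->qwork)` guard relies on `udc->qwork` being NULL whenever the workqueue was never created. The allocation of `udc` is outside the hunk, so it should be confirmed that the structure is zero-initialised. The label `err_create_workqueue` now also covers the case where no workqueue exists, so a comment such as `/* qwork is only created outside transceiver mode */` would explain the check. Any teardown path that calls destroy_workqueue(udc->qwork) unconditionally would need the same guard; none is visible here.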
+--
+2.25.1
+
--- /dev/null
+From 8361b99aea414a3328c5dfa87e31b86ba88b8fb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2020 22:36:11 +0300
+Subject: x86/resctrl: Fix a NULL vs IS_ERR() static checker warning in
+ rdt_cdp_peer_get()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit cc5277fe66cf3ad68f41f1c539b2ef0d5e432974 ]
+
+The callers don't expect *d_cdp to be set to an error pointer, they only
+check for NULL. This leads to a static checker warning:
+
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c:2648 __init_one_rdt_domain()
+ warn: 'd_cdp' could be an error pointer
+
+This would not trigger a bug in this specific case because
+__init_one_rdt_domain() calls it with a valid domain that would not have
+a negative id and thus not trigger the return of the ERR_PTR(). If this
+was a negative domain id then the call to rdt_find_domain() in
+domain_add_cpu() would have returned the ERR_PTR() much earlier and the
+creation of the domain with an invalid id would have been prevented.
+
+Even though a bug is not triggered currently the right and safe thing to
+do is to set the pointer to NULL because that is what can be checked for
+when the caller is handling the CDP and non-CDP cases.
+
+Fixes: 52eb74339a62 ("x86/resctrl: Fix rdt_find_domain() return value and checks")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Reinette Chatre <reinette.chatre@intel.com>
+Acked-by: Fenghua Yu <fenghua.yu@intel.com>
+Link: https://lkml.kernel.org/r/20200602193611.GA190851@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+index cea7e01a346d3..e62e416dd1162 100644
+--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
++++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+@@ -1035,6 +1035,7 @@ static int rdt_cdp_peer_get(struct rdt_resource *r, struct rdt_domain *d,
+ _d_cdp = rdt_find_domain(_r_cdp, d->id, NULL);
+ if (WARN_ON(IS_ERR_OR_NULL(_d_cdp))) {
+ _r_cdp = NULL;
++ _d_cdp = NULL;
+ ret = -EINVAL;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From fc49a85fbc7398f0714b9cf33679e78d8259227d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 16:39:37 -0500
+Subject: xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
+
+From: Huy Nguyen <huyn@mellanox.com>
+
+[ Upstream commit 94579ac3f6d0820adc83b5dc5358ead0158101e9 ]
+
+During IPsec performance testing, we see bad ICMP checksum. The error packet
+has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call
+is from ip_output, but the packet cannot be sent because
+netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second
+call is from NET_TX softirq. However after the first call, the packet already
+has the ESP trailer.
+
+Fix by marking the skb with XFRM_XMIT bit after the packet is handled by
+validate_xmit_xfrm to avoid duplicate ESP trailer insertion.
+
+Fixes: f6e27114a60a ("net: Add a xfrm validate function to validate_xmit_skb")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Reviewed-by: Boris Pismenny <borisp@mellanox.com>
+Reviewed-by: Raed Salem <raeds@mellanox.com>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 1 +
+ net/xfrm/xfrm_device.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 48dc1ce2170d8..f087c8d125b8f 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1083,6 +1083,7 @@ struct xfrm_offload {
+ #define XFRM_GRO 32
+ #define XFRM_ESP_NO_TRAILER 64
+ #define XFRM_DEV_RESUME 128
++#define XFRM_XMIT 256
+
+ __u32 status;
+ #define CRYPTO_SUCCESS 1
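Review bot: `XFRM_XMIT` is the first flag value that does not fit in 8 bits, and the declaration of `flags` in struct xfrm_offload is outside this hunk. For a backport it is worth confirming that the field is wider than 8 bits in this tree; otherwise `xo->flags |= XFRM_XMIT` would store nothing and the new early return in validate_xmit_xfrm() would never fire. The define is also undocumented; a trailing comment such as `/* skb already processed by validate_xmit_xfrm() */` would say what the bit means.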
+diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
+index 8634ce6771421..e7a0ce98479f3 100644
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -33,7 +33,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
+ netdev_features_t esp_features = features;
+ struct xfrm_offload *xo = xfrm_offload(skb);
+
+- if (!xo)
++ if (!xo || (xo->flags & XFRM_XMIT))
+ return skb;
+
+ if (!(features & NETIF_F_HW_ESP))
+@@ -53,6 +53,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
+ return skb;
+ }
+
++ xo->flags |= XFRM_XMIT;
++
+ if (skb_is_gso(skb)) {
+ struct net_device *dev = skb->dev;
+
+--
+2.25.1
+