--- /dev/null
+From a416b25097d2e0c3444727c97839d0d4f6579652 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 14:09:21 +0200
+Subject: ALSA: usb-audio: Fix potential use-after-free of streams
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ff58bbc7b9704a5869204176f804eff57307fef0 ]
+
+With the recent full-duplex support of implicit feedback streams, an
+endpoint can be still running after closing the capture stream as long
+as the playback stream with the sync-endpoint is running. In such a
+state, the URBs are still be handled and they may call retire_data_urb
+callback, which tries to transfer the data from the PCM buffer. Since
+the PCM stream gets closed, this may lead to use-after-free.
+
+This patch adds the proper clearance of the callback at stopping the
+capture stream for addressing the possible UAF above.
+
+Fixes: 10ce77e4817f ("ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback")
+Link: https://lore.kernel.org/r/20200616120921.12249-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index d61c2f1095b5c..3411e27eb64bb 100644
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -1782,6 +1782,7 @@ static int snd_usb_substream_capture_trigger(struct snd_pcm_substream *substream
+ return 0;
+ case SNDRV_PCM_TRIGGER_STOP:
+ stop_endpoints(subs);
++ subs->data_endpoint->retire_data_urb = NULL;
+ subs->running = 0;
+ return 0;
+ case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
+--
+2.25.1
+
--- /dev/null
+From 36e3ce46cfd956b9e8225e44f4a86728839de9c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 19:12:06 +0100
+Subject: btrfs: fix a block group ref counter leak after failure to remove
+ block group
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9fecd13202f520f3f25d5b1c313adb740fe19773 ]
+
+When removing a block group, if we fail to delete the block group's item
+from the extent tree, we jump to the 'out' label and end up decrementing
+the block group's reference count once only (by 1), resulting in a counter
+leak because the block group at that point was already removed from the
+block group cache rbtree - so we have to decrement the reference count
+twice, once for the rbtree and once for our lookup at the start of the
+function.
+
+There is a second bug where if removing the free space tree entries (the
+call to remove_block_group_free_space()) fails we end up jumping to the
+'out_put_group' label but end up decrementing the reference count only
+once, when we should have done it twice, since we have already removed
+the block group from the block group cache rbtree. This happens because
+the reference count decrement for the rbtree reference happens after
+attempting to remove the free space tree entries, which is far away from
+the place where we remove the block group from the rbtree.
+
+To make things less error prone, decrement the reference count for the
+rbtree immediately after removing the block group from it. This also
+eleminates the need for two different exit labels on error, renaming
+'out_put_label' to just 'out' and removing the old 'out'.
+
+Fixes: f6033c5e333238 ("btrfs: fix block group leak when removing fails")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 233c5663f2332..0c17f18b47940 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -916,7 +916,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+ path = btrfs_alloc_path();
+ if (!path) {
+ ret = -ENOMEM;
+- goto out_put_group;
++ goto out;
+ }
+
+ /*
+@@ -954,7 +954,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+ ret = btrfs_orphan_add(trans, BTRFS_I(inode));
+ if (ret) {
+ btrfs_add_delayed_iput(inode);
+- goto out_put_group;
++ goto out;
+ }
+ clear_nlink(inode);
+ /* One for the block groups ref */
+@@ -977,13 +977,13 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+
+ ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1);
+ if (ret < 0)
+- goto out_put_group;
++ goto out;
+ if (ret > 0)
+ btrfs_release_path(path);
+ if (ret == 0) {
+ ret = btrfs_del_item(trans, tree_root, path);
+ if (ret)
+- goto out_put_group;
++ goto out;
+ btrfs_release_path(path);
+ }
+
+@@ -992,6 +992,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+ &fs_info->block_group_cache_tree);
+ RB_CLEAR_NODE(&block_group->cache_node);
+
++ /* Once for the block groups rbtree */
++ btrfs_put_block_group(block_group);
++
+ if (fs_info->first_logical_byte == block_group->start)
+ fs_info->first_logical_byte = (u64)-1;
+ spin_unlock(&fs_info->block_group_cache_lock);
+@@ -1102,10 +1105,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+
+ ret = remove_block_group_free_space(trans, block_group);
+ if (ret)
+- goto out_put_group;
+-
+- /* Once for the block groups rbtree */
+- btrfs_put_block_group(block_group);
++ goto out;
+
+ ret = btrfs_search_slot(trans, root, &key, path, -1, 1);
+ if (ret > 0)
+@@ -1128,10 +1128,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+ free_extent_map(em);
+ }
+
+-out_put_group:
++out:
+ /* Once for the lookup reference */
+ btrfs_put_block_group(block_group);
+-out:
+ if (remove_rsv)
+ btrfs_delayed_refs_rsv_release(fs_info, 1);
+ btrfs_free_path(path);
+--
+2.25.1
+
--- /dev/null
+From 40d2d2efc4b719a0bb6f7a4604d517fdad4be2a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jun 2020 23:44:24 -0400
+Subject: fix a braino in "sparc32: fix register window handling in
+ genregs32_[gs]et()"
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 9d964e1b82d8182184153b70174f445ea616f053 ]
+
+lost npc in PTRACE_SETREGSET, breaking PTRACE_SETREGS as well
+
+Fixes: cf51e129b968 "sparc32: fix register window handling in genregs32_[gs]et()"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/ptrace_32.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/sparc/kernel/ptrace_32.c b/arch/sparc/kernel/ptrace_32.c
+index 60f7205ebe40d..646dd58169ecb 100644
+--- a/arch/sparc/kernel/ptrace_32.c
++++ b/arch/sparc/kernel/ptrace_32.c
+@@ -168,12 +168,17 @@ static int genregs32_set(struct task_struct *target,
+ if (ret || !count)
+ return ret;
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+- ®s->y,
++ ®s->npc,
+ 34 * sizeof(u32), 35 * sizeof(u32));
+ if (ret || !count)
+ return ret;
++ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
++ ®s->y,
++ 35 * sizeof(u32), 36 * sizeof(u32));
++ if (ret || !count)
++ return ret;
+ return user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
+- 35 * sizeof(u32), 38 * sizeof(u32));
++ 36 * sizeof(u32), 38 * sizeof(u32));
+ }
+
+ static int fpregs32_get(struct task_struct *target,
+--
+2.25.1
+
--- /dev/null
+From e094c4558abe690203838e73d736e2c19d53b67a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jun 2020 00:16:55 -0700
+Subject: genetlink: clean up family attributes allocations
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit b65ce380b754e77fbfdcfc83fd6e29c8ceedf431 ]
+
+genl_family_rcv_msg_attrs_parse() and genl_family_rcv_msg_attrs_free()
+take a boolean parameter to determine whether allocate/free the family
+attrs. This is unnecessary as we can just check family->parallel_ops.
+More importantly, callers would not need to worry about pairing these
+parameters correctly after this patch.
+
+And this fixes a memory leak, as after commit c36f05559104
+("genetlink: fix memory leaks in genl_family_rcv_msg_dumpit()")
+we call genl_family_rcv_msg_attrs_parse() for both parallel and
+non-parallel cases.
+
+Fixes: c36f05559104 ("genetlink: fix memory leaks in genl_family_rcv_msg_dumpit()")
+Reported-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Tested-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/genetlink.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
+index bcbba0bef1c2a..9c1c27f3a0894 100644
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -474,8 +474,7 @@ genl_family_rcv_msg_attrs_parse(const struct genl_family *family,
+ struct netlink_ext_ack *extack,
+ const struct genl_ops *ops,
+ int hdrlen,
+- enum genl_validate_flags no_strict_flag,
+- bool parallel)
++ enum genl_validate_flags no_strict_flag)
+ {
+ enum netlink_validation validate = ops->validate & no_strict_flag ?
+ NL_VALIDATE_LIBERAL :
+@@ -486,7 +485,7 @@ genl_family_rcv_msg_attrs_parse(const struct genl_family *family,
+ if (!family->maxattr)
+ return NULL;
+
+- if (parallel) {
++ if (family->parallel_ops) {
+ attrbuf = kmalloc_array(family->maxattr + 1,
+ sizeof(struct nlattr *), GFP_KERNEL);
+ if (!attrbuf)
+@@ -498,7 +497,7 @@ genl_family_rcv_msg_attrs_parse(const struct genl_family *family,
+ err = __nlmsg_parse(nlh, hdrlen, attrbuf, family->maxattr,
+ family->policy, validate, extack);
+ if (err) {
+- if (parallel)
++ if (family->parallel_ops)
+ kfree(attrbuf);
+ return ERR_PTR(err);
+ }
+@@ -506,10 +505,9 @@ genl_family_rcv_msg_attrs_parse(const struct genl_family *family,
+ }
+
+ static void genl_family_rcv_msg_attrs_free(const struct genl_family *family,
+- struct nlattr **attrbuf,
+- bool parallel)
++ struct nlattr **attrbuf)
+ {
+- if (parallel)
++ if (family->parallel_ops)
+ kfree(attrbuf);
+ }
+
+@@ -537,15 +535,14 @@ static int genl_start(struct netlink_callback *cb)
+
+ attrs = genl_family_rcv_msg_attrs_parse(ctx->family, ctx->nlh, ctx->extack,
+ ops, ctx->hdrlen,
+- GENL_DONT_VALIDATE_DUMP_STRICT,
+- true);
++ GENL_DONT_VALIDATE_DUMP_STRICT);
+ if (IS_ERR(attrs))
+ return PTR_ERR(attrs);
+
+ no_attrs:
+ info = genl_dumpit_info_alloc();
+ if (!info) {
+- kfree(attrs);
++ genl_family_rcv_msg_attrs_free(ctx->family, attrs);
+ return -ENOMEM;
+ }
+ info->family = ctx->family;
+@@ -562,7 +559,7 @@ static int genl_start(struct netlink_callback *cb)
+ }
+
+ if (rc) {
+- kfree(attrs);
++ genl_family_rcv_msg_attrs_free(info->family, info->attrs);
+ genl_dumpit_info_free(info);
+ cb->data = NULL;
+ }
+@@ -591,7 +588,7 @@ static int genl_lock_done(struct netlink_callback *cb)
+ rc = ops->done(cb);
+ genl_unlock();
+ }
+- genl_family_rcv_msg_attrs_free(info->family, info->attrs, false);
++ genl_family_rcv_msg_attrs_free(info->family, info->attrs);
+ genl_dumpit_info_free(info);
+ return rc;
+ }
+@@ -604,7 +601,7 @@ static int genl_parallel_done(struct netlink_callback *cb)
+
+ if (ops->done)
+ rc = ops->done(cb);
+- genl_family_rcv_msg_attrs_free(info->family, info->attrs, true);
++ genl_family_rcv_msg_attrs_free(info->family, info->attrs);
+ genl_dumpit_info_free(info);
+ return rc;
+ }
+@@ -671,8 +668,7 @@ static int genl_family_rcv_msg_doit(const struct genl_family *family,
+
+ attrbuf = genl_family_rcv_msg_attrs_parse(family, nlh, extack,
+ ops, hdrlen,
+- GENL_DONT_VALIDATE_STRICT,
+- family->parallel_ops);
++ GENL_DONT_VALIDATE_STRICT);
+ if (IS_ERR(attrbuf))
+ return PTR_ERR(attrbuf);
+
+@@ -698,7 +694,7 @@ static int genl_family_rcv_msg_doit(const struct genl_family *family,
+ family->post_doit(ops, skb, &info);
+
+ out:
+- genl_family_rcv_msg_attrs_free(family, attrbuf, family->parallel_ops);
++ genl_family_rcv_msg_attrs_free(family, attrbuf);
+
+ return err;
+ }
+--
+2.25.1
+
--- /dev/null
+From 1725913607b1bedd6041e11bf44bc132659acc25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2020 13:59:55 -0500
+Subject: nvmet: cleanups the loop in nvmet_async_events_process
+
+From: David Milburn <dmilburn@redhat.com>
+
+[ Upstream commit 1cdf9f7670a7d74e27177d5c390c2f8b3b9ba338 ]
+
+Based-on-a-patch-by: Christoph Hellwig <hch@infradead.org>
+Tested-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: David Milburn <dmilburn@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index aa5ca222c6f59..ac7ae031ce78d 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -134,15 +134,10 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status)
+ struct nvmet_async_event *aen;
+ struct nvmet_req *req;
+
+- while (1) {
+- mutex_lock(&ctrl->lock);
+- aen = list_first_entry_or_null(&ctrl->async_events,
+- struct nvmet_async_event, entry);
+- if (!aen || !ctrl->nr_async_event_cmds) {
+- mutex_unlock(&ctrl->lock);
+- break;
+- }
+-
++ mutex_lock(&ctrl->lock);
++ while (ctrl->nr_async_event_cmds && !list_empty(&ctrl->async_events)) {
++ aen = list_first_entry(&ctrl->async_events,
++ struct nvmet_async_event, entry);
+ req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds];
+ if (status == 0)
+ nvmet_set_result(req, nvmet_async_event_result(aen));
+@@ -152,7 +147,9 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status)
+
+ mutex_unlock(&ctrl->lock);
+ nvmet_req_complete(req, status);
++ mutex_lock(&ctrl->lock);
+ }
++ mutex_unlock(&ctrl->lock);
+ }
+
+ static void nvmet_async_events_free(struct nvmet_ctrl *ctrl)
+--
+2.25.1
+
--- /dev/null
+From 6c91cb6b93e7b9959c5be4af1fb4e0fec85e06f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2020 16:55:14 -0700
+Subject: nvmet: fail outstanding host posted AEN req
+
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+
+[ Upstream commit 819f7b88b48fd2bce932cfe3a38bf8fcefbcabe7 ]
+
+In function nvmet_async_event_process() we only process AENs iff
+there is an open slot on the ctrl->async_event_cmds[] && aen
+event list posted by the target is not empty. This keeps host
+posted AEN outstanding if target generated AEN list is empty.
+We do cleanup the target generated entries from the aen list in
+nvmet_ctrl_free()-> nvmet_async_events_free() but we don't
+process AEN posted by the host. This leads to following problem :-
+
+When processing admin sq at the time of nvmet_sq_destroy() holds
+an extra percpu reference(atomic value = 1), so in the following code
+path after switching to atomic rcu, release function (nvmet_sq_free())
+is not getting called which blocks the sq->free_done in
+nvmet_sq_destroy() :-
+
+nvmet_sq_destroy()
+ percpu_ref_kill_and_confirm()
+ - __percpu_ref_switch_mode()
+ -- __percpu_ref_switch_to_atomic()
+ --- call_rcu() -> percpu_ref_switch_to_atomic_rcu()
+ ---- /* calls switch callback */
+ - percpu_ref_put()
+ -- percpu_ref_put_many(ref, 1)
+ --- else if (unlikely(atomic_long_sub_and_test(nr, &ref->count)))
+ ---- ref->release(ref); <---- Not called.
+
+This results in indefinite hang:-
+
+ void nvmet_sq_destroy(struct nvmet_sq *sq)
+...
+ if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) {
+ nvmet_async_events_process(ctrl, status);
+ percpu_ref_put(&sq->ref);
+ }
+ percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq);
+ wait_for_completion(&sq->confirm_done);
+ wait_for_completion(&sq->free_done); <-- Hang here
+
+Which breaks the further disconnect sequence. This problem seems to be
+introduced after commit 64f5e9cdd711b ("nvmet: fix memory leak when
+removing namespaces and controllers concurrently").
+
+This patch processes ctrl->async_event_cmds[] in the admin sq destroy()
+context irrespetive of aen_list. Also we get rid of the controller's
+aen_list processing in the nvmet_sq_destroy() context and just ignore
+ctrl->aen_list.
+
+This results in nvmet_async_events_process() being called from workqueue
+context so we adjust the code accordingly.
+
+Fixes: 64f5e9cdd711 ("nvmet: fix memory leak when removing namespaces and controllers concurrently ")
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index ac7ae031ce78d..96deaf3484662 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -129,7 +129,22 @@ static u32 nvmet_async_event_result(struct nvmet_async_event *aen)
+ return aen->event_type | (aen->event_info << 8) | (aen->log_page << 16);
+ }
+
+-static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status)
++static void nvmet_async_events_failall(struct nvmet_ctrl *ctrl)
++{
++ u16 status = NVME_SC_INTERNAL | NVME_SC_DNR;
++ struct nvmet_req *req;
++
++ mutex_lock(&ctrl->lock);
++ while (ctrl->nr_async_event_cmds) {
++ req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds];
++ mutex_unlock(&ctrl->lock);
++ nvmet_req_complete(req, status);
++ mutex_lock(&ctrl->lock);
++ }
++ mutex_unlock(&ctrl->lock);
++}
++
++static void nvmet_async_events_process(struct nvmet_ctrl *ctrl)
+ {
+ struct nvmet_async_event *aen;
+ struct nvmet_req *req;
+@@ -139,14 +154,13 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status)
+ aen = list_first_entry(&ctrl->async_events,
+ struct nvmet_async_event, entry);
+ req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds];
+- if (status == 0)
+- nvmet_set_result(req, nvmet_async_event_result(aen));
++ nvmet_set_result(req, nvmet_async_event_result(aen));
+
+ list_del(&aen->entry);
+ kfree(aen);
+
+ mutex_unlock(&ctrl->lock);
+- nvmet_req_complete(req, status);
++ nvmet_req_complete(req, 0);
+ mutex_lock(&ctrl->lock);
+ }
+ mutex_unlock(&ctrl->lock);
+@@ -169,7 +183,7 @@ static void nvmet_async_event_work(struct work_struct *work)
+ struct nvmet_ctrl *ctrl =
+ container_of(work, struct nvmet_ctrl, async_event_work);
+
+- nvmet_async_events_process(ctrl, 0);
++ nvmet_async_events_process(ctrl);
+ }
+
+ void nvmet_add_async_event(struct nvmet_ctrl *ctrl, u8 event_type,
+@@ -752,7 +766,6 @@ static void nvmet_confirm_sq(struct percpu_ref *ref)
+
+ void nvmet_sq_destroy(struct nvmet_sq *sq)
+ {
+- u16 status = NVME_SC_INTERNAL | NVME_SC_DNR;
+ struct nvmet_ctrl *ctrl = sq->ctrl;
+
+ /*
+@@ -760,7 +773,7 @@ void nvmet_sq_destroy(struct nvmet_sq *sq)
+ * queue doesn't have outstanding requests on it.
+ */
+ if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq)
+- nvmet_async_events_process(ctrl, status);
++ nvmet_async_events_failall(ctrl);
+ percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq);
+ wait_for_completion(&sq->confirm_done);
+ wait_for_completion(&sq->free_done);
+--
+2.25.1
+
--- /dev/null
+From 6b01634c9557e2413dd0e99f4f7c6f5980937f5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 13:31:58 +0200
+Subject: Revert "i2c: tegra: Fix suspending in active runtime PM state"
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 78ad73421831247e46c31899a7bead02740e4bef ]
+
+This reverts commit 9f42de8d4ec2304f10bbc51dc0484f3503d61196.
+
+It's not safe to use pm_runtime_force_{suspend,resume}(), especially
+during the noirq phase of suspend. See also the guidance provided in
+commit 1e2ef05bb8cf ("PM: Limit race conditions between runtime PM
+and system sleep (v2)").
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-tegra.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c
+index 4c4d17ddc96b9..7c88611c732c4 100644
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -1769,14 +1769,9 @@ static int tegra_i2c_remove(struct platform_device *pdev)
+ static int __maybe_unused tegra_i2c_suspend(struct device *dev)
+ {
+ struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
+- int err;
+
+ i2c_mark_adapter_suspended(&i2c_dev->adapter);
+
+- err = pm_runtime_force_suspend(dev);
+- if (err < 0)
+- return err;
+-
+ return 0;
+ }
+
+@@ -1797,10 +1792,6 @@ static int __maybe_unused tegra_i2c_resume(struct device *dev)
+ if (err)
+ return err;
+
+- err = pm_runtime_force_resume(dev);
+- if (err < 0)
+- return err;
+-
+ i2c_mark_adapter_resumed(&i2c_dev->adapter);
+
+ return 0;
+--
+2.25.1
+
spi-spi-fsl-dspi-free-dma-memory-with-matching-function.patch
block-bio-integrity-don-t-free-buf-if-bio_integrity_add_page-failed.patch
+genetlink-clean-up-family-attributes-allocations.patch
+nvmet-cleanups-the-loop-in-nvmet_async_events_proces.patch
+nvmet-fail-outstanding-host-posted-aen-req.patch
+fix-a-braino-in-sparc32-fix-register-window-handling.patch
+alsa-usb-audio-fix-potential-use-after-free-of-strea.patch
+revert-i2c-tegra-fix-suspending-in-active-runtime-pm.patch
+btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
