Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Thu, 21 May 2020 14:04:53 +0000 (10:04 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 21 May 2020 14:04:53 +0000 (10:04 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
15 files changed:
queue-4.9/arm-futex-address-build-warning.patch [new file with mode: 0644]
queue-4.9/ceph-fix-double-unlock-in-handle_cap_export.patch [new file with mode: 0644]
queue-4.9/component-silence-bind-error-on-eprobe_defer.patch [new file with mode: 0644]
queue-4.9/configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch [new file with mode: 0644]
queue-4.9/evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch [new file with mode: 0644]
queue-4.9/fix-multiplication-overflow-in-copy_fdtable.patch [new file with mode: 0644]
queue-4.9/gcc-common.h-update-for-gcc-10.patch [new file with mode: 0644]
queue-4.9/gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch [new file with mode: 0644]
queue-4.9/hid-multitouch-add-egalaxtouch-p80h84-support.patch [new file with mode: 0644]
queue-4.9/i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch [new file with mode: 0644]
queue-4.9/ima-fix-return-value-of-ima_write_policy.patch [new file with mode: 0644]
queue-4.9/iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch [new file with mode: 0644]
queue-4.9/platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/usb-core-fix-misleading-driver-bug-report.patch [new file with mode: 0644]

diff --git a/queue-4.9/arm-futex-address-build-warning.patch b/queue-4.9/arm-futex-address-build-warning.patch
new file mode 100644 (file)
index 0000000..dc82629
--- /dev/null
@@ -0,0 +1,70 @@
+From 66cb1e89bb7ec06b7fa9d7e86a3ca8d9ef3b85d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2020 11:07:22 +0200
+Subject: ARM: futex: Address build warning
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 8101b5a1531f3390b3a69fa7934c70a8fd6566ad ]
+
+Stephen reported the following build warning on a ARM multi_v7_defconfig
+build with GCC 9.2.1:
+
+kernel/futex.c: In function 'do_futex':
+kernel/futex.c:1676:17: warning: 'oldval' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 1676 |   return oldval == cmparg;
+      |          ~~~~~~~^~~~~~~~~
+kernel/futex.c:1652:6: note: 'oldval' was declared here
+ 1652 |  int oldval, ret;
+      |      ^~~~~~
+
+introduced by commit a08971e9488d ("futex: arch_futex_atomic_op_inuser()
+calling conventions change").
+
+While that change should not make any difference it confuses GCC which
+fails to work out that oldval is not referenced when the return value is
+not zero.
+
+GCC fails to properly analyze arch_futex_atomic_op_inuser(). It's not the
+early return, the issue is with the assembly macros. GCC fails to detect
+that those either set 'ret' to 0 and set oldval or set 'ret' to -EFAULT
+which makes oldval uninteresting. The store to the callsite supplied oldval
+pointer is conditional on ret == 0.
+
+The straight forward way to solve this is to make the store unconditional.
+
+Aside of addressing the build warning this makes sense anyway because it
+removes the conditional from the fastpath. In the error case the stored
+value is uninteresting and the extra store does not matter at all.
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/87pncao2ph.fsf@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/futex.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
+index cc414382dab4..561b2ba6bc28 100644
+--- a/arch/arm/include/asm/futex.h
++++ b/arch/arm/include/asm/futex.h
+@@ -162,8 +162,13 @@ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
+       preempt_enable();
+ #endif
+-      if (!ret)
+-              *oval = oldval;
++      /*
++       * Store unconditionally. If ret != 0 the extra store is the least
++       * of the worries but GCC cannot figure out that __futex_atomic_op()
++       * is either setting ret to -EFAULT or storing the old value in
++       * oldval which results in a uninitialized warning at the call site.
++       */
++      *oval = oldval;
+       return ret;
+ }
+-- 
+2.25.1
+
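Review bot: The unconditional `*oval = oldval;` now hands the caller a value on the error path as well, and the new comment does not say that this value is meaningless when `ret != 0`. I would add one line to the comment, such as `Callers must check the return value before using *oval.`, and fix "a uninitialized" to "an uninitialized". The body of arch_futex_atomic_op_inuser() starts outside the hunk, so it cannot be confirmed from here that `oldval` is written on every path through the assembly macros.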
diff --git a/queue-4.9/ceph-fix-double-unlock-in-handle_cap_export.patch b/queue-4.9/ceph-fix-double-unlock-in-handle_cap_export.patch
new file mode 100644 (file)
index 0000000..02a4bf2
--- /dev/null
@@ -0,0 +1,37 @@
+From 18536ae089caed051c6f7eafb7e9f988a044d683 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 14:12:49 +0800
+Subject: ceph: fix double unlock in handle_cap_export()
+
+From: Wu Bo <wubo40@huawei.com>
+
+[ Upstream commit 4d8e28ff3106b093d98bfd2eceb9b430c70a8758 ]
+
+If the ceph_mdsc_open_export_target_session() return fails, it will
+do a "goto retry", but the session mutex has already been unlocked.
+Re-lock the mutex in that case to ensure that we don't unlock it
+twice.
+
+Signed-off-by: Wu Bo <wubo40@huawei.com>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/caps.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 617e9ae67f50..e11aacb35d6b 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -3394,6 +3394,7 @@ retry:
+               WARN_ON(1);
+               tsession = NULL;
+               target = -1;
++              mutex_lock(&session->s_mutex);
+       }
+       goto retry;
+-- 
+2.25.1
+
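Review bot: The added `mutex_lock(&session->s_mutex);` has no comment saying which invariant it restores, and the unlock it pairs with is not visible in this hunk. A short comment such as `/* the retry path expects s_mutex held; it was dropped before opening the target session */` would make the pairing reviewable. The surrounding function starts and ends outside the hunk, so the lock order against anything else taken after `retry:` should be confirmed there.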
diff --git a/queue-4.9/component-silence-bind-error-on-eprobe_defer.patch b/queue-4.9/component-silence-bind-error-on-eprobe_defer.patch
new file mode 100644 (file)
index 0000000..27ce93b
--- /dev/null
@@ -0,0 +1,53 @@
+From 77fd8b0401425060da0ce09d4506d6fb38a64d52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Apr 2020 13:02:41 -0600
+Subject: component: Silence bind error on -EPROBE_DEFER
+
+From: James Hilliard <james.hilliard1@gmail.com>
+
+[ Upstream commit 7706b0a76a9697021e2bf395f3f065c18f51043d ]
+
+If a component fails to bind due to -EPROBE_DEFER we should not log an
+error as this is not a real failure.
+
+Fixes messages like:
+vc4-drm soc:gpu: failed to bind 3f902000.hdmi (ops vc4_hdmi_ops): -517
+vc4-drm soc:gpu: master bind failed: -517
+
+Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
+Link: https://lore.kernel.org/r/20200411190241.89404-1-james.hilliard1@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/component.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/component.c b/drivers/base/component.c
+index 08da6160e94d..55f0856bd9b5 100644
+--- a/drivers/base/component.c
++++ b/drivers/base/component.c
+@@ -162,7 +162,8 @@ static int try_to_bring_up_master(struct master *master,
+       ret = master->ops->bind(master->dev);
+       if (ret < 0) {
+               devres_release_group(master->dev, NULL);
+-              dev_info(master->dev, "master bind failed: %d\n", ret);
++              if (ret != -EPROBE_DEFER)
++                      dev_info(master->dev, "master bind failed: %d\n", ret);
+               return ret;
+       }
+@@ -431,8 +432,9 @@ static int component_bind(struct component *component, struct master *master,
+               devres_release_group(component->dev, NULL);
+               devres_release_group(master->dev, NULL);
+-              dev_err(master->dev, "failed to bind %s (ops %ps): %d\n",
+-                      dev_name(component->dev), component->ops, ret);
++              if (ret != -EPROBE_DEFER)
++                      dev_err(master->dev, "failed to bind %s (ops %ps): %d\n",
++                              dev_name(component->dev), component->ops, ret);
+       }
+       return ret;
+-- 
+2.25.1
+
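Review bot: With `if (ret != -EPROBE_DEFER)` the deferred case is now completely silent in both hunks, so a component that keeps deferring leaves no trace in the log. Consider keeping a debug-level message for that case, for example `else dev_dbg(master->dev, "master bind deferred\n");` in try_to_bring_up_master() and the equivalent in component_bind(). Both functions extend outside the hunks shown.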
diff --git a/queue-4.9/configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch b/queue-4.9/configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch
new file mode 100644 (file)
index 0000000..ed32722
--- /dev/null
@@ -0,0 +1,47 @@
+From e0f5bcb24317eb45678e8ade9e1cb714dabb8b29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Apr 2020 20:52:26 +0800
+Subject: configfs: fix config_item refcnt leak in configfs_rmdir()
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit 8aebfffacfa379ba400da573a5bf9e49634e38cb ]
+
+configfs_rmdir() invokes configfs_get_config_item(), which returns a
+reference of the specified config_item object to "parent_item" with
+increased refcnt.
+
+When configfs_rmdir() returns, local variable "parent_item" becomes
+invalid, so the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+configfs_rmdir(). When down_write_killable() fails, the function forgets
+to decrease the refcnt increased by configfs_get_config_item(), causing
+a refcnt leak.
+
+Fix this issue by calling config_item_put() when down_write_killable()
+fails.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/configfs/dir.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index c2ef617d2f97..c875f246cb0e 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -1537,6 +1537,7 @@ static int configfs_rmdir(struct inode *dir, struct dentry *dentry)
+               spin_lock(&configfs_dirent_lock);
+               configfs_detach_rollback(dentry);
+               spin_unlock(&configfs_dirent_lock);
++              config_item_put(parent_item);
+               return -EINTR;
+       }
+       frag->frag_dead = true;
+-- 
+2.25.1
+
diff --git a/queue-4.9/evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch b/queue-4.9/evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch
new file mode 100644 (file)
index 0000000..e2e9225
--- /dev/null
@@ -0,0 +1,49 @@
+From e993571ec93447532d82e834498f69e89ac69a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:28:56 +0200
+Subject: evm: Check also if *tfm is an error pointer in init_desc()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit 53de3b080d5eae31d0de219617155dcc34e7d698 ]
+
+This patch avoids a kernel panic due to accessing an error pointer set by
+crypto_alloc_shash(). It occurs especially when there are many files that
+require an unsupported algorithm, as it would increase the likelihood of
+the following race condition:
+
+Task A: *tfm = crypto_alloc_shash() <= error pointer
+Task B: if (*tfm == NULL) <= *tfm is not NULL, use it
+Task B: rc = crypto_shash_init(desc) <= panic
+Task A: *tfm = NULL
+
+This patch uses the IS_ERR_OR_NULL macro to determine whether or not a new
+crypto context must be created.
+
+Cc: stable@vger.kernel.org
+Fixes: d46eb3699502b ("evm: crypto hash replaced by shash")
+Co-developed-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/evm/evm_crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
+index c783fefa558a..e034dc21421e 100644
+--- a/security/integrity/evm/evm_crypto.c
++++ b/security/integrity/evm/evm_crypto.c
+@@ -90,7 +90,7 @@ static struct shash_desc *init_desc(char type)
+               algo = evm_hash;
+       }
+-      if (*tfm == NULL) {
++      if (IS_ERR_OR_NULL(*tfm)) {
+               mutex_lock(&mutex);
+               if (*tfm)
+                       goto out;
+-- 
+2.25.1
+
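Review bot: The unlocked `IS_ERR_OR_NULL(*tfm)` test still reads a shared pointer that, per the race in the commit message, can briefly hold an error pointer, and the check under the mutex, `if (*tfm) goto out;`, would accept such a value as a valid transform. This looks safe only if the allocating task both stores and clears the error pointer while holding `mutex`; that code is outside the hunk, so confirm it. A sturdier shape is to allocate into a local variable and assign `*tfm` only on success, so no reader can ever observe an error pointer and the outer test can stay a plain NULL check. init_desc() continues beyond the hunk.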
diff --git a/queue-4.9/fix-multiplication-overflow-in-copy_fdtable.patch b/queue-4.9/fix-multiplication-overflow-in-copy_fdtable.patch
new file mode 100644 (file)
index 0000000..d20afe1
--- /dev/null
@@ -0,0 +1,40 @@
+From c5868a509a5286ecdca8e2819ae1fc4f15f6570a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2020 17:48:52 -0400
+Subject: fix multiplication overflow in copy_fdtable()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 4e89b7210403fa4a8acafe7c602b6212b7af6c3b ]
+
+cpy and set really should be size_t; we won't get an overflow on that,
+since sysctl_nr_open can't be set above ~(size_t)0 / sizeof(void *),
+so nr that would've managed to overflow size_t on that multiplication
+won't get anywhere near copy_fdtable() - we'll fail with EMFILE
+before that.
+
+Cc: stable@kernel.org # v2.6.25+
+Fixes: 9cfe015aa424 (get rid of NR_OPEN and introduce a sysctl_nr_open)
+Reported-by: Thiago Macieira <thiago.macieira@intel.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/file.c b/fs/file.c
+index 09aac4d4729b..82d3f925bab3 100644
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -89,7 +89,7 @@ static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
+  */
+ static void copy_fdtable(struct fdtable *nfdt, struct fdtable *ofdt)
+ {
+-      unsigned int cpy, set;
++      size_t cpy, set;
+       BUG_ON(nfdt->max_fds < ofdt->max_fds);
+-- 
+2.25.1
+
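Review bot: The widened `size_t cpy, set;` carries no comment recording why the width matters, and the multiplications that assign these variables are outside this hunk. I would add a one-line comment at the declaration, e.g. `/* byte counts derived from max_fds; must not be truncated to 32 bits */`, and note beside it the bound given in the commit message (sysctl_nr_open keeps the product within size_t). Without that, a later cleanup could narrow the type again and reintroduce a truncated copy length.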
diff --git a/queue-4.9/gcc-common.h-update-for-gcc-10.patch b/queue-4.9/gcc-common.h-update-for-gcc-10.patch
new file mode 100644 (file)
index 0000000..839b656
--- /dev/null
@@ -0,0 +1,90 @@
+From 2348f58b3d4f2afed4fa207f75df59fbce456ada Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2020 13:32:59 +0200
+Subject: gcc-common.h: Update for GCC 10
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Pierret (fepitre) <frederic.pierret@qubes-os.org>
+
+[ Upstream commit c7527373fe28f97d8a196ab562db5589be0d34b9 ]
+
+Remove "params.h" include, which has been dropped in GCC 10.
+
+Remove is_a_helper() macro, which is now defined in gimple.h, as seen
+when running './scripts/gcc-plugin.sh g++ g++ gcc':
+
+In file included from <stdin>:1:
+./gcc-plugins/gcc-common.h:852:13: error: redefinition of ‘static bool is_a_helper<T>::test(U*) [with U = const gimple; T = const ggoto*]’
+  852 | inline bool is_a_helper<const ggoto *>::test(const_gimple gs)
+      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from ./gcc-plugins/gcc-common.h:125,
+                 from <stdin>:1:
+/usr/lib/gcc/x86_64-redhat-linux/10/plugin/include/gimple.h:1037:1: note: ‘static bool is_a_helper<T>::test(U*) [with U = const gimple; T = const ggoto*]’ previously declared here
+ 1037 | is_a_helper <const ggoto *>::test (const gimple *gs)
+      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add -Wno-format-diag to scripts/gcc-plugins/Makefile to avoid
+meaningless warnings from error() formats used by plugins:
+
+scripts/gcc-plugins/structleak_plugin.c: In function ‘int plugin_init(plugin_name_args*, plugin_gcc_version*)’:
+scripts/gcc-plugins/structleak_plugin.c:253:12: warning: unquoted sequence of 2 consecutive punctuation characters ‘'-’ in format [-Wformat-diag]
+  253 |   error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
+      |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Frédéric Pierret (fepitre) <frederic.pierret@qubes-os.org>
+Link: https://lore.kernel.org/r/20200407113259.270172-1-frederic.pierret@qubes-os.org
+[kees: include -Wno-format-diag for plugin builds]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gcc-plugins/Makefile     | 1 +
+ scripts/gcc-plugins/gcc-common.h | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile
+index 8b29dc17c73c..2cad963c4fb7 100644
+--- a/scripts/gcc-plugins/Makefile
++++ b/scripts/gcc-plugins/Makefile
+@@ -9,6 +9,7 @@ else
+   HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti
+   HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb
+   HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable
++  HOST_EXTRACXXFLAGS += -Wno-format-diag
+   export HOST_EXTRACXXFLAGS
+ endif
+diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
+index 08fe09c28bd2..6792915f5174 100644
+--- a/scripts/gcc-plugins/gcc-common.h
++++ b/scripts/gcc-plugins/gcc-common.h
+@@ -31,7 +31,9 @@
+ #include "ggc.h"
+ #include "timevar.h"
++#if BUILDING_GCC_VERSION < 10000
+ #include "params.h"
++#endif
+ #if BUILDING_GCC_VERSION <= 4009
+ #include "pointer-set.h"
+@@ -796,6 +798,7 @@ static inline gimple gimple_build_assign_with_ops(enum tree_code subcode, tree l
+       return gimple_build_assign(lhs, subcode, op1, op2 PASS_MEM_STAT);
+ }
++#if BUILDING_GCC_VERSION < 10000
+ template <>
+ template <>
+ inline bool is_a_helper<const ggoto *>::test(const_gimple gs)
+@@ -809,6 +812,7 @@ inline bool is_a_helper<const greturn *>::test(const_gimple gs)
+ {
+       return gs->code == GIMPLE_RETURN;
+ }
++#endif
+ static inline gasm *as_a_gasm(gimple stmt)
+ {
+-- 
+2.25.1
+
diff --git a/queue-4.9/gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch b/queue-4.9/gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch
new file mode 100644 (file)
index 0000000..91a7348
--- /dev/null
@@ -0,0 +1,61 @@
+From 4f78841c994b8a84dd965e58a2caa8dd4b9a1757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Apr 2020 14:01:36 +0900
+Subject: gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp()
+
+From: Yoshiyuki Kurauchi <ahochauwaaaaa@gmail.com>
+
+[ Upstream commit 846c68f7f1ac82c797a2f1db3344a2966c0fe2e1 ]
+
+In drivers/net/gtp.c, gtp_genl_dump_pdp() should set NLM_F_MULTI
+flag since it returns multipart message.
+This patch adds a new arg "flags" in gtp_genl_fill_info() so that
+flags can be set by the callers.
+
+Signed-off-by: Yoshiyuki Kurauchi <ahochauwaaaaa@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index a9e8a7356c41..fe844888e0ed 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1108,11 +1108,11 @@ static struct genl_family gtp_genl_family = {
+ };
+ static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq,
+-                            u32 type, struct pdp_ctx *pctx)
++                            int flags, u32 type, struct pdp_ctx *pctx)
+ {
+       void *genlh;
+-      genlh = genlmsg_put(skb, snd_portid, snd_seq, &gtp_genl_family, 0,
++      genlh = genlmsg_put(skb, snd_portid, snd_seq, &gtp_genl_family, flags,
+                           type);
+       if (genlh == NULL)
+               goto nlmsg_failure;
+@@ -1208,8 +1208,8 @@ static int gtp_genl_get_pdp(struct sk_buff *skb, struct genl_info *info)
+               goto err_unlock;
+       }
+-      err = gtp_genl_fill_info(skb2, NETLINK_CB(skb).portid,
+-                               info->snd_seq, info->nlhdr->nlmsg_type, pctx);
++      err = gtp_genl_fill_info(skb2, NETLINK_CB(skb).portid, info->snd_seq,
++                               0, info->nlhdr->nlmsg_type, pctx);
+       if (err < 0)
+               goto err_unlock_free;
+@@ -1252,6 +1252,7 @@ static int gtp_genl_dump_pdp(struct sk_buff *skb,
+                                   gtp_genl_fill_info(skb,
+                                           NETLINK_CB(cb->skb).portid,
+                                           cb->nlh->nlmsg_seq,
++                                          NLM_F_MULTI,
+                                           cb->nlh->nlmsg_type, pctx)) {
+                                       cb->args[0] = i;
+                                       cb->args[1] = j;
+-- 
+2.25.1
+
diff --git a/queue-4.9/hid-multitouch-add-egalaxtouch-p80h84-support.patch b/queue-4.9/hid-multitouch-add-egalaxtouch-p80h84-support.patch
new file mode 100644 (file)
index 0000000..5b692be
--- /dev/null
@@ -0,0 +1,53 @@
+From 3ce8bc954e560906977d4a853f222f42f5ad8be3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 18:02:37 +0200
+Subject: HID: multitouch: add eGalaxTouch P80H84 support
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit f9e82295eec141a0569649d400d249333d74aa91 ]
+
+Add support for P80H84 touchscreen from eGalaxy:
+
+  idVendor           0x0eef D-WAV Scientific Co., Ltd
+  idProduct          0xc002
+  iManufacturer           1 eGalax Inc.
+  iProduct                2 eGalaxTouch P80H84 2019 vDIVA_1204_T01 k4.02.146
+
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h        | 1 +
+ drivers/hid/hid-multitouch.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 25c006338100..4630b58634d8 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -353,6 +353,7 @@
+ #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7349     0x7349
+ #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_73F7     0x73f7
+ #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001     0xa001
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002     0xc002
+ #define USB_VENDOR_ID_ELAN            0x04f3
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index fba655d639af..1207102823de 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1332,6 +1332,9 @@ static const struct hid_device_id mt_devices[] = {
+       { .driver_data = MT_CLS_EGALAX_SERIAL,
+               MT_USB_DEVICE(USB_VENDOR_ID_DWAV,
+                       USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001) },
++      { .driver_data = MT_CLS_EGALAX,
++              MT_USB_DEVICE(USB_VENDOR_ID_DWAV,
++                      USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002) },
+       /* Elitegroup panel */
+       { .driver_data = MT_CLS_SERIAL,
+-- 
+2.25.1
+
diff --git a/queue-4.9/i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch b/queue-4.9/i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch
new file mode 100644 (file)
index 0000000..c03a9db
--- /dev/null
@@ -0,0 +1,36 @@
+From 0d58447f2f1c1af9898259454a533efbec260390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 21:21:00 +0200
+Subject: i2c: mux: demux-pinctrl: Fix an error handling path in
+ 'i2c_demux_pinctrl_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e9d1a0a41d4486955e96552293c1fcf1fce61602 ]
+
+A call to 'i2c_demux_deactivate_master()' is missing in the error handling
+path, as already done in the remove function.
+
+Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/muxes/i2c-demux-pinctrl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/muxes/i2c-demux-pinctrl.c b/drivers/i2c/muxes/i2c-demux-pinctrl.c
+index 3e6fe1760d82..a86c511c29e0 100644
+--- a/drivers/i2c/muxes/i2c-demux-pinctrl.c
++++ b/drivers/i2c/muxes/i2c-demux-pinctrl.c
+@@ -270,6 +270,7 @@ static int i2c_demux_pinctrl_probe(struct platform_device *pdev)
+ err_rollback_available:
+       device_remove_file(&pdev->dev, &dev_attr_available_masters);
+ err_rollback:
++      i2c_demux_deactivate_master(priv);
+       for (j = 0; j < i; j++) {
+               of_node_put(priv->chan[j].parent_np);
+               of_changeset_destroy(&priv->chan[j].chgset);
+-- 
+2.25.1
+
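Review bot: `i2c_demux_deactivate_master(priv)` is placed directly under `err_rollback:`, and the `for (j = 0; j < i; j++)` loop below it suggests that label is also reached when setup fails part-way, before any master has been activated. Unless i2c_demux_deactivate_master() is a no-op in that state (its body is not in this hunk, so check how the current-channel field of `priv` is initialised), the error path would tear down an adapter that was never registered. A dedicated label between `err_rollback_available:` and `err_rollback:`, jumped to only by failures that occur after activation, would limit the deactivation to the paths that need it. The probe function starts and ends outside the hunk.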
diff --git a/queue-4.9/ima-fix-return-value-of-ima_write_policy.patch b/queue-4.9/ima-fix-return-value-of-ima_write_policy.patch
new file mode 100644 (file)
index 0000000..7c7e466
--- /dev/null
@@ -0,0 +1,43 @@
+From 2250ff599d3773b7ef7eb788ea6135f9acade3a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 12:31:28 +0200
+Subject: ima: Fix return value of ima_write_policy()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit 2e3a34e9f409ebe83d1af7cd2f49fca7af97dfac ]
+
+This patch fixes the return value of ima_write_policy() when a new policy
+is directly passed to IMA and the current policy requires appraisal of the
+file containing the policy. Currently, if appraisal is not in ENFORCE mode,
+ima_write_policy() returns 0 and leads user space applications to an
+endless loop. Fix this issue by denying the operation regardless of the
+appraisal mode.
+
+Cc: stable@vger.kernel.org # 4.10.x
+Fixes: 19f8a84713edc ("ima: measure and appraise the IMA policy itself")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_fs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
+index 44b44d7e0dbc..853a7d2333b3 100644
+--- a/security/integrity/ima/ima_fs.c
++++ b/security/integrity/ima/ima_fs.c
+@@ -331,8 +331,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
+               integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+                                   "policy_update", "signed policy required",
+                                   1, 0);
+-              if (ima_appraise & IMA_APPRAISE_ENFORCE)
+-                      result = -EACCES;
++              result = -EACCES;
+       } else {
+               result = ima_parse_add_rule(data);
+       }
+-- 
+2.25.1
+
diff --git a/queue-4.9/iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch b/queue-4.9/iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch
new file mode 100644 (file)
index 0000000..5f8857d
--- /dev/null
@@ -0,0 +1,82 @@
+From 2472cad34c29e0ee7120ddd7b0b64cc72c9441ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2020 10:23:52 +0000
+Subject: iommu/amd: Fix over-read of ACPI UID from IVRS table
+
+From: Alexander Monakov <amonakov@ispras.ru>
+
+[ Upstream commit e461b8c991b9202b007ea2059d953e264240b0c9 ]
+
+IVRS parsing code always tries to read 255 bytes from memory when
+retrieving ACPI device path, and makes an assumption that firmware
+provides a zero-terminated string. Both of those are bugs: the entry
+is likely to be shorter than 255 bytes, and zero-termination is not
+guaranteed.
+
+With Acer SF314-42 firmware these issues manifest visibly in dmesg:
+
+AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR0\xf0\xa5, rdevid:160
+AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR1\xf0\xa5, rdevid:160
+AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR2\xf0\xa5, rdevid:160
+AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR3>\x83e\x8d\x9a\xd1...
+
+The first three lines show how the code over-reads adjacent table
+entries into the UID, and in the last line it even reads garbage data
+beyond the end of the IVRS table itself.
+
+Since each entry has the length of the UID (uidl member of ivhd_entry
+struct), use that for memcpy, and manually add a zero terminator.
+
+Avoid zero-filling hid and uid arrays up front, and instead ensure
+the uid array is always zero-terminated. No change needed for the hid
+array, as it was already properly zero-terminated.
+
+Fixes: 2a0cb4e2d423c ("iommu/amd: Add new map for storing IVHD dev entry type HID")
+
+Signed-off-by: Alexander Monakov <amonakov@ispras.ru>
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: iommu@lists.linux-foundation.org
+Link: https://lore.kernel.org/r/20200511102352.1831-1-amonakov@ispras.ru
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu_init.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index e6ae8d123984..a3279f303b49 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -1171,8 +1171,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu,
+               }
+               case IVHD_DEV_ACPI_HID: {
+                       u16 devid;
+-                      u8 hid[ACPIHID_HID_LEN] = {0};
+-                      u8 uid[ACPIHID_UID_LEN] = {0};
++                      u8 hid[ACPIHID_HID_LEN];
++                      u8 uid[ACPIHID_UID_LEN];
+                       int ret;
+                       if (h->type != 0x40) {
+@@ -1189,6 +1189,7 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu,
+                               break;
+                       }
++                      uid[0] = '\0';
+                       switch (e->uidf) {
+                       case UID_NOT_PRESENT:
+@@ -1203,8 +1204,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu,
+                               break;
+                       case UID_IS_CHARACTER:
+-                              memcpy(uid, (u8 *)(&e->uid), ACPIHID_UID_LEN - 1);
+-                              uid[ACPIHID_UID_LEN - 1] = '\0';
++                              memcpy(uid, &e->uid, e->uidl);
++                              uid[e->uidl] = '\0';
+                               break;
+                       default:
+-- 
+2.25.1
+
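Review bot: In the `UID_IS_CHARACTER` case the length `e->uidl` comes from the firmware table and is used for both `memcpy()` and the terminator index without being compared against the size of `uid`. That is safe only if the type of `uidl` cannot exceed `ACPIHID_UID_LEN - 1`, which this hunk does not show, and nothing here checks that `uidl` bytes still lie inside the IVRS table. Since the arrays are no longer zero-filled, I would make the bound explicit: `size_t n = min_t(size_t, e->uidl, ACPIHID_UID_LEN - 1);` followed by `memcpy(uid, &e->uid, n);` and `uid[n] = '\0';`. init_iommu_from_acpi() starts and ends outside the hunk.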
diff --git a/queue-4.9/platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch b/queue-4.9/platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch
new file mode 100644 (file)
index 0000000..cae76bd
--- /dev/null
@@ -0,0 +1,73 @@
+From 1f9a088e8a573c9f8ee7ceab8fa38bf69fdc077e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 00:05:59 +0200
+Subject: platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 3bd12da7f50b8bc191fcb3bab1f55c582234df59 ]
+
+asus-nb-wmi does not add any extra functionality on these Asus
+Transformer books. They have detachable keyboards, so the hotkeys are
+send through a HID device (and handled by the hid-asus driver) and also
+the rfkill functionality is not used on these devices.
+
+Besides not adding any extra functionality, initializing the WMI interface
+on these devices actually has a negative side-effect. For some reason
+the \_SB.ATKD.INIT() function which asus_wmi_platform_init() calls drives
+GPO2 (INT33FC:02) pin 8, which is connected to the front facing webcam LED,
+high and there is no (WMI or other) interface to drive this low again
+causing the LED to be permanently on, even during suspend.
+
+This commit adds a blacklist of DMI system_ids on which not to load the
+asus-nb-wmi and adds these Transformer books to this list. This fixes
+the webcam LED being permanently on under Linux.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
+index 0fd7e40b86a0..8137aa343706 100644
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -561,9 +561,33 @@ static struct asus_wmi_driver asus_nb_wmi_driver = {
+       .detect_quirks = asus_nb_wmi_quirks,
+ };
++static const struct dmi_system_id asus_nb_wmi_blacklist[] __initconst = {
++      {
++              /*
++               * asus-nb-wm adds no functionality. The T100TA has a detachable
++               * USB kbd, so no hotkeys and it has no WMI rfkill; and loading
++               * asus-nb-wm causes the camera LED to turn and _stay_ on.
++               */
++              .matches = {
++                      DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++                      DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TA"),
++              },
++      },
++      {
++              /* The Asus T200TA has the same issue as the T100TA */
++              .matches = {
++                      DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++                      DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T200TA"),
++              },
++      },
++      {} /* Terminating entry */
++};
+ static int __init asus_nb_wmi_init(void)
+ {
++      if (dmi_check_system(asus_nb_wmi_blacklist))
++              return -ENODEV;
++
+       return asus_wmi_register_driver(&asus_nb_wmi_driver);
+ }
+-- 
+2.25.1
+
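Review bot: The comment in the first `asus_nb_wmi_blacklist` entry names the driver `asus-nb-wm` twice; it should read `asus-nb-wmi`, matching the file name and the commit message. Separately, `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, ...)` only covers firmware that reports exactly `T100TA` or `T200TA`, so any variant of these models with a different product string would still load the driver and presumably show the same LED behaviour; confirm the list is complete for the affected hardware.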
index 531cdbf5b807839b71abf1d5fae0f89d7d5fc1df..21118f48f7e9d504e62aa68092b77abf2a2b5555 100644 (file)
@@ -1 +1,15 @@
 igb-use-igb_adapter-io_addr-instead-of-e1000_hw-hw_addr.patch
+evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch
+ima-fix-return-value-of-ima_write_policy.patch
+fix-multiplication-overflow-in-copy_fdtable.patch
+iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch
+i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch
+gcc-common.h-update-for-gcc-10.patch
+hid-multitouch-add-egalaxtouch-p80h84-support.patch
+configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch
+component-silence-bind-error-on-eprobe_defer.patch
+gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch
+ceph-fix-double-unlock-in-handle_cap_export.patch
+usb-core-fix-misleading-driver-bug-report.patch
+platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch
+arm-futex-address-build-warning.patch
diff --git a/queue-4.9/usb-core-fix-misleading-driver-bug-report.patch b/queue-4.9/usb-core-fix-misleading-driver-bug-report.patch
new file mode 100644 (file)
index 0000000..0462cd4
--- /dev/null
@@ -0,0 +1,69 @@
+From d3a98dafc032df7384b33e5522b45419817e2e56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 May 2020 16:07:28 -0400
+Subject: USB: core: Fix misleading driver bug report
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+[ Upstream commit ac854131d9844f79e2fdcef67a7707227538d78a ]
+
+The syzbot fuzzer found a race between URB submission to endpoint 0
+and device reset.  Namely, during the reset we call usb_ep0_reinit()
+because the characteristics of ep0 may have changed (if the reset
+follows a firmware update, for example).  While usb_ep0_reinit() is
+running there is a brief period during which the pointers stored in
+udev->ep_in[0] and udev->ep_out[0] are set to NULL, and if an URB is
+submitted to ep0 during that period, usb_urb_ep_type_check() will
+report it as a driver bug.  In the absence of those pointers, the
+routine thinks that the endpoint doesn't exist.  The log message looks
+like this:
+
+------------[ cut here ]------------
+usb 2-1: BOGUS urb xfer, pipe 2 != type 2
+WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478
+usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478
+
+Now, although submitting an URB while the device is being reset is a
+questionable thing to do, it shouldn't count as a driver bug as severe
+as submitting an URB for an endpoint that doesn't exist.  Indeed,
+endpoint 0 always exists, even while the device is in its unconfigured
+state.
+
+To prevent these misleading driver bug reports, this patch updates
+usb_disable_endpoint() to avoid clearing the ep_in[] and ep_out[]
+pointers when the endpoint being disabled is ep0.  There's no danger
+of leaving a stale pointer in place, because the usb_host_endpoint
+structure being pointed to is stored permanently in udev->ep0; it
+doesn't get deallocated until the entire usb_device structure does.
+
+Reported-and-tested-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2005011558590.903-100000@netrider.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/message.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
+index 2e541a029657..e33d23c2f6ea 100644
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -1081,11 +1081,11 @@ void usb_disable_endpoint(struct usb_device *dev, unsigned int epaddr,
+       if (usb_endpoint_out(epaddr)) {
+               ep = dev->ep_out[epnum];
+-              if (reset_hardware)
++              if (reset_hardware && epnum != 0)
+                       dev->ep_out[epnum] = NULL;
+       } else {
+               ep = dev->ep_in[epnum];
+-              if (reset_hardware)
++              if (reset_hardware && epnum != 0)
+                       dev->ep_in[epnum] = NULL;
+       }
+       if (ep) {
+-- 
+2.25.1
+
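Review bot: The two new `if (reset_hardware && epnum != 0)` tests in usb_disable_endpoint() carry no comment, so the lifetime argument that makes skipping the NULL store safe exists only in the commit message. I would put a comment above the first test, such as `/* ep0 is embedded in the usb_device and always exists; keep its pointer so a submit racing with reset is not flagged as a missing endpoint */`. Without it, a later cleanup could drop the exception as redundant, or copy it to an endpoint whose usb_host_endpoint can be freed earlier and leave a stale pointer behind. As far as the hunk shows, the submit-versus-reset race itself remains and only the misleading warning is removed, which the comment could state as well. The function body starts and ends outside the hunk, so whether its header comment needs the same update cannot be checked from here.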