commit 2d16cf4817bc6944a2adb5bf4db607c8258e87da
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed May 27 17:37:46 2020 +0200

    Linux 4.19.125

commit 32eff2f22b438e3c3b1ffb0cb4fa6b157904cef5
Author: David Howells <dhowells@redhat.com>
Date:   Wed Apr 29 23:48:43 2020 +0100

    rxrpc: Fix ack discard
    
    [ Upstream commit 441fdee1eaf050ef0040bde0d7af075c1c6a6d8b ]
    
    The Rx protocol has a "previousPacket" field in it that is not handled in
    the same way by all protocol implementations.  Sometimes it contains the
    serial number of the last DATA packet received, sometimes the sequence
    number of the last DATA packet received and sometimes the highest sequence
    number so far received.
    
    AF_RXRPC is using this to weed out ACKs that are out of date (it's possible
    for ACK packets to get reordered on the wire), but this does not work with
    OpenAFS which will just stick the sequence number of the last packet seen
    into previousPacket.
    
    The issue being seen is that big AFS FS.StoreData RPC (eg. of ~256MiB) are
    timing out when partly sent.  A trace was captured, with an additional
    tracepoint to show ACKs being discarded in rxrpc_input_ack().  Here's an
    excerpt showing the problem.
    
     52873.203230: rxrpc_tx_data: c=000004ae DATA ed1a3584:00000002 0002449c q=00024499 fl=09
    
    A DATA packet with sequence number 00024499 has been transmitted (the "q="
    field).
    
     ...
     52873.243296: rxrpc_rx_ack: c=000004ae 00012a2b DLY r=00024499 f=00024497 p=00024496 n=0
     52873.243376: rxrpc_rx_ack: c=000004ae 00012a2c IDL r=0002449b f=00024499 p=00024498 n=0
     52873.243383: rxrpc_rx_ack: c=000004ae 00012a2d OOS r=0002449d f=00024499 p=0002449a n=2
    
    The Out-Of-Sequence ACK indicates that the server didn't see DATA sequence
    number 00024499, but did see seq 0002449a (previousPacket, shown as "p=",
    skipped the number, but firstPacket, "f=", which shows the bottom of the
    window is set at that point).
    
     52873.252663: rxrpc_retransmit: c=000004ae q=24499 a=02 xp=14581537
     52873.252664: rxrpc_tx_data: c=000004ae DATA ed1a3584:00000002 000244bc q=00024499 fl=0b *RETRANS*
    
    The packet has been retransmitted.  Retransmission recurs until the peer
    says it got the packet.
    
     52873.271013: rxrpc_rx_ack: c=000004ae 00012a31 OOS r=000244a1 f=00024499 p=0002449e n=6
    
    More OOS ACKs indicate that the other packets that are already in the
    transmission pipeline are being received.  The specific-ACK list is up to 6
    ACKs and NAKs.
    
     ...
     52873.284792: rxrpc_rx_ack: c=000004ae 00012a49 OOS r=000244b9 f=00024499 p=000244b6 n=30
     52873.284802: rxrpc_retransmit: c=000004ae q=24499 a=0a xp=63505500
     52873.284804: rxrpc_tx_data: c=000004ae DATA ed1a3584:00000002 000244c2 q=00024499 fl=0b *RETRANS*
     52873.287468: rxrpc_rx_ack: c=000004ae 00012a4a OOS r=000244ba f=00024499 p=000244b7 n=31
     52873.287478: rxrpc_rx_ack: c=000004ae 00012a4b OOS r=000244bb f=00024499 p=000244b8 n=32
    
    At this point, the server's receive window is full (n=32) with presumably 1
    NAK'd packet and 31 ACK'd packets.  We can't transmit any more packets.
    
     52873.287488: rxrpc_retransmit: c=000004ae q=24499 a=0a xp=61327980
     52873.287489: rxrpc_tx_data: c=000004ae DATA ed1a3584:00000002 000244c3 q=00024499 fl=0b *RETRANS*
     52873.293850: rxrpc_rx_ack: c=000004ae 00012a4c DLY r=000244bc f=000244a0 p=00024499 n=25
    
    And now we've received an ACK indicating that a DATA retransmission was
    received.  7 packets have been processed (the occupied part of the window
    moved, as indicated by f= and n=).
    
     52873.293853: rxrpc_rx_discard_ack: c=000004ae r=00012a4c 000244a0<00024499 00024499<000244b8
    
    However, the DLY ACK gets discarded because its previousPacket has gone
    backwards (from p=000244b8, in the ACK at 52873.287478 to p=00024499 in the
    ACK at 52873.293850).
    
    We then end up in a continuous cycle of retransmit/discard.  kafs fails to
    update its window because it's discarding the ACKs and can't transmit an
    extra packet that would clear the issue because the window is full.
    OpenAFS doesn't change the previousPacket value in the ACKs because no new
    DATA packets are received with a different previousPacket number.
    
    Fix this by altering the discard check to only discard an ACK based on
    previousPacket if there was no advance in the firstPacket.  This allows us
    to transmit a new packet which will cause previousPacket to advance in the
    next ACK.
    
    The check, however, needs to allow for the possibility that previousPacket
    may actually have had the serial number placed in it instead - in which
    case it will go outside the window and we should ignore it.
    
    Fixes: 1a2391c30c0b ("rxrpc: Fix detection of out of order acks")
    Reported-by: Dave Botsch <botsch@cnf.cornell.edu>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit db7a934a02236c63eaa057cc768e700f8ac0644d
Author: David Howells <dhowells@redhat.com>
Date:   Tue Apr 28 22:06:54 2020 +0100

    rxrpc: Trace discarded ACKs
    
    [ Upstream commit d1f129470e6cb79b8b97fecd12689f6eb49e27fe ]
    
    Add a tracepoint to track received ACKs that are discarded due to being
    outside of the Tx window.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d268f8ddbb51851b58928862dcffd83f5c1120dc
Author: Fabrice Gasnier <fabrice.gasnier@st.com>
Date:   Thu Apr 30 11:28:46 2020 +0200

    iio: adc: stm32-dfsdm: fix device used to request dma
    
    [ Upstream commit b455d06e6fb3c035711e8aab1ca18082ccb15d87 ]
    
    DMA channel request should use device struct from platform device struct.
    Currently it's using iio device struct. But at this stage when probing,
    device struct isn't yet registered (e.g. device_register is done in
    iio_device_register). Since commit 71723a96b8b1 ("dmaengine: Create
    symlinks between DMA channels and slaves"), a warning message is printed
    as the links in sysfs can't be created, due to device isn't yet registered:
    - Cannot create DMA slave symlink
    - Cannot create DMA dma:rx symlink
    
    Fix this by using device struct from platform device to request dma chan.
    
    Fixes: eca949800d2d ("IIO: ADC: add stm32 DFSDM support for PDM microphone")
    
    Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ae862e350a607cb7f290526a18393a3b49efd85c
Author: Peter Ujfalusi <peter.ujfalusi@ti.com>
Date:   Tue Jan 7 13:45:32 2020 +0200

    iio: adc: stm32-dfsdm: Use dma_request_chan() instead dma_request_slave_channel()
    
    [ Upstream commit a9ab624edd9186fbad734cfe5d606a6da3ca34db ]
    
    dma_request_slave_channel() is a wrapper on top of dma_request_chan()
    eating up the error code.
    
    By using dma_request_chan() directly the driver can support deferred
    probing against DMA.
    
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
    Acked-by: Olivier Moysan <olivier.moysan@st.com>
    Acked-by: Fabrice Gasnier <fabrice.gasnier@st.com>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 90af01f6d9faa30367cbd0d09fbbbaa0ac0eea8e
Author: Fabrice Gasnier <fabrice.gasnier@st.com>
Date:   Thu Apr 30 11:28:45 2020 +0200

    iio: adc: stm32-adc: fix device used to request dma
    
    [ Upstream commit 52cd91c27f3908b88e8b25aed4a4d20660abcc45 ]
    
    DMA channel request should use device struct from platform device struct.
    Currently it's using iio device struct. But at this stage when probing,
    device struct isn't yet registered (e.g. device_register is done in
    iio_device_register). Since commit 71723a96b8b1 ("dmaengine: Create
    symlinks between DMA channels and slaves"), a warning message is printed
    as the links in sysfs can't be created, due to device isn't yet registered:
    - Cannot create DMA slave symlink
    - Cannot create DMA dma:rx symlink
    
    Fix this by using device struct from platform device to request dma chan.
    
    Fixes: 2763ea0585c99 ("iio: adc: stm32: add optional dma support")
    
    Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cdaedaba687bdffdbc215a2fb7272cb3f0871921
Author: Peter Ujfalusi <peter.ujfalusi@ti.com>
Date:   Wed Jan 8 10:08:01 2020 +0200

    iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel()
    
    [ Upstream commit 735404b846dffcb320264f62b76e6f70012214dd ]
    
    dma_request_slave_channel() is a wrapper on top of dma_request_chan()
    eating up the error code.
    
    By using dma_request_chan() directly the driver can support deferred
    probing against DMA.
    
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
    Acked-by: Fabrice Gasnier <fabrice.gasnier@st.com>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 754254daca39b9a75c5c2e6e3d9c5d3c7923abed
Author: Josh Poimboeuf <jpoimboe@redhat.com>
Date:   Fri May 22 08:54:35 2020 -0500

    x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks
    
    commit 187b96db5ca79423618dfa29a05c438c34f9e1f0 upstream.
    
    Normally, show_trace_log_lvl() scans the stack, looking for text
    addresses to print.  In parallel, it unwinds the stack with
    unwind_next_frame().  If the stack address matches the pointer returned
    by unwind_get_return_address_ptr() for the current frame, the text
    address is printed normally without a question mark.  Otherwise it's
    considered a breadcrumb (potentially from a previous call path) and it's
    printed with a question mark to indicate that the address is unreliable
    and typically can be ignored.
    
    Since the following commit:
    
      f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks")
    
    ... for inactive tasks, show_trace_log_lvl() prints *only* unreliable
    addresses (prepended with '?').
    
    That happens because, for the first frame of an inactive task,
    unwind_get_return_address_ptr() returns the wrong return address
    pointer: one word *below* the task stack pointer.  show_trace_log_lvl()
    starts scanning at the stack pointer itself, so it never finds the first
    'reliable' address, causing only guesses to being printed.
    
    The first frame of an inactive task isn't a normal stack frame.  It's
    actually just an instance of 'struct inactive_task_frame' which is left
    behind by __switch_to_asm().  Now that this inactive frame is actually
    exposed to callers, fix unwind_get_return_address_ptr() to interpret it
    properly.
    
    Fixes: f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks")
    Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
    Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20200522135435.vbxs7umku5pyrdbk@treble
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e7980748ed5a609a0a011c400a3fb620fa6f34d6
Author: Qiushi Wu <wu000273@umn.edu>
Date:   Fri May 22 13:45:18 2020 -0500

    rxrpc: Fix a memory leak in rxkad_verify_response()
    
    commit f45d01f4f30b53c3a0a1c6c1c154acb7ff74ab9f upstream.
    
    A ticket was not released after a call of the function
    "rxkad_decrypt_ticket" failed. Thus replace the jump target
    "temporary_error_free_resp" by "temporary_error_free_ticket".
    
    Fixes: 8c2f826dc3631 ("rxrpc: Don't put crypto buffers on the stack")
    Signed-off-by: Qiushi Wu <wu000273@umn.edu>
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Markus Elfring <Markus.Elfring@web.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ce2f76e97d8ff16565d86b1d43645c4fabd38fa
Author: John Hubbard <jhubbard@nvidia.com>
Date:   Fri May 22 22:22:48 2020 -0700

    rapidio: fix an error in get_user_pages_fast() error handling
    
    commit ffca476a0a8d26de767cc41d62b8ca7f540ecfdd upstream.
    
    In the case of get_user_pages_fast() returning fewer pages than
    requested, rio_dma_transfer() does not quite do the right thing.  It
    attempts to release all the pages that were requested, rather than just
    the pages that were pinned.
    
    Fix the error handling so that only the pages that were successfully
    pinned are released.
    
    Fixes: e8de370188d0 ("rapidio: add mport char device driver")
    Signed-off-by: John Hubbard <jhubbard@nvidia.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Matt Porter <mporter@kernel.crashing.org>
    Cc: Alexandre Bounine <alex.bou9@gmail.com>
    Cc: Sumit Semwal <sumit.semwal@linaro.org>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/20200517235620.205225-2-jhubbard@nvidia.com
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a851990732c596d0f25d2f7c3dc6c8690efaac7e
Author: Wei Yongjun <weiyongjun1@huawei.com>
Date:   Thu May 7 09:42:37 2020 +0000

    ipack: tpci200: fix error return code in tpci200_register()
    
    commit 133317479f0324f6faaf797c4f5f3e9b1b36ce35 upstream.
    
    Fix to return negative error code -ENOMEM from the ioremap() error handling
    case instead of 0, as done elsewhere in this function.
    
    Fixes: 43986798fd50 ("ipack: add error handling for ioremap_nocache")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
    Cc: stable <stable@vger.kernel.org>
    Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
    Link: https://lore.kernel.org/r/20200507094237.13599-1-weiyongjun1@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 77433aa4cd86ce1a10983649bb18415b8c31afe6
Author: Alexander Usyskin <alexander.usyskin@intel.com>
Date:   Wed May 13 01:31:40 2020 +0300

    mei: release me_cl object reference
    
    commit fc9c03ce30f79b71807961bfcb42be191af79873 upstream.
    
    Allow me_cl object to be freed by releasing the reference
    that was acquired  by one of the search functions:
    __mei_me_cl_by_uuid_id() or __mei_me_cl_by_uuid()
    
    Cc: <stable@vger.kernel.org>
    Reported-by: 亿一 <teroincn@gmail.com>
    Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
    Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
    Link: https://lore.kernel.org/r/20200512223140.32186-1-tomas.winkler@intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eabaf0d2d5bec2d603e4ad6481db3e259f1421d0
Author: Klaus Doth <kdlnx@doth.eu>
Date:   Fri May 22 12:56:04 2020 +0200

    misc: rtsx: Add short delay after exit from ASPM
    
    commit 7a839dbab1be59f5ed3b3b046de29e166784c9b4 upstream.
    
    DMA transfers to and from the SD card stall for 10 seconds and run into
    timeout on RTS5260 card readers after ASPM was enabled.
    
    Adding a short msleep after disabling ASPM fixes the issue on several
    Dell Precision 7530/7540 systems I tested.
    
    This function is only called when waking up after the chip went into
    power-save after not transferring data for a few seconds. The added
    msleep does therefore not change anything in data transfer speed or
    induce any excessive waiting while data transfers are running, or the
    chip is sleeping. Only the transition from sleep to active is affected.
    
    Signed-off-by: Klaus Doth <kdlnx@doth.eu>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/4434eaa7-2ee3-a560-faee-6cee63ebd6d4@doth.eu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f2c5f3aefb3a5cb579486c6fdc9520bd09241e4e
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sun Apr 26 21:44:03 2020 +0200

    iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()'
    
    commit aad4742fbf0a560c25827adb58695a4497ffc204 upstream.
    
    A call to 'vf610_dac_exit()' is missing in an error handling path.
    
    Fixes: 1b983bf42fad ("iio: dac: vf610_dac: Add IIO DAC driver for Vybrid SoC")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f289ee6ebb64ef45abb845a08f7f42f3aa0c3892
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Wed May 6 05:52:06 2020 +0200

    iio: sca3000: Remove an erroneous 'get_device()'
    
    commit 928edefbc18cd8433f7df235c6e09a9306e7d580 upstream.
    
    This looks really unusual to have a 'get_device()' hidden in a 'dev_err()'
    call.
    Remove it.
    
    While at it add a missing \n at the end of the message.
    
    Fixes: 574fb258d636 ("Staging: IIO: VTI sca3000 series accelerometer driver (spi)")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c6d40a80584697251846b08366cecb2a9e9d032c
Author: Oscar Carter <oscar.carter@gmx.com>
Date:   Sun May 10 12:14:26 2020 +0200

    staging: greybus: Fix uninitialized scalar variable
    
    commit 34625c1931f8204c234c532b446b9f53c69f4b68 upstream.
    
    In the "gb_tty_set_termios" function the "newline" variable is declared
    but not initialized. So the "flow_control" member is not initialized and
    the OR / AND operations with itself results in an undefined value in
    this member.
    
    The purpose of the code is to set the flow control type, so remove the
    OR / AND self operator and set the value directly.
    
    Addresses-Coverity-ID: 1374016 ("Uninitialized scalar variable")
    Fixes: e55c25206d5c9 ("greybus: uart: Handle CRTSCTS flag in termios")
    Signed-off-by: Oscar Carter <oscar.carter@gmx.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200510101426.23631-1-oscar.carter@gmx.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7f08947a5420678a3f557bb5ddec5a221f78eaaa
Author: Dragos Bogdan <dragos.bogdan@analog.com>
Date:   Wed Apr 29 10:21:29 2020 +0300

    staging: iio: ad2s1210: Fix SPI reading
    
    commit 5e4f99a6b788047b0b8a7496c2e0c8f372f6edf2 upstream.
    
    If the serial interface is used, the 8-bit address should be latched using
    the rising edge of the WR/FSYNC signal.
    
    This basically means that a CS change is required between the first byte
    sent, and the second one.
    This change splits the single-transfer transfer of 2 bytes into 2 transfers
    with a single byte, and CS change in-between.
    
    Note fixes tag is not accurate, but reflects a point beyond which there
    are too many refactors to make backporting straight forward.
    
    Fixes: b19e9ad5e2cb ("staging:iio:resolver:ad2s1210 general driver cleanup.")
    Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
    Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acc014ae002f674fbe29e0cf1dd9a5f1f68fef44
Author: Bob Peterson <rpeterso@redhat.com>
Date:   Fri May 8 15:01:25 2020 -0500

    Revert "gfs2: Don't demote a glock until its revokes are written"
    
    [ Upstream commit b14c94908b1b884276a6608dea3d0b1b510338b7 ]
    
    This reverts commit df5db5f9ee112e76b5202fbc331f990a0fc316d6.
    
    This patch fixes a regression: patch df5db5f9ee112 allowed function
    run_queue() to bypass its call to do_xmote() if revokes were queued for
    the glock. That's wrong because its call to do_xmote() is what is
    responsible for calling the go_sync() glops functions to sync both
    the ail list and any revokes queued for it. By bypassing the call,
    gfs2 could get into a stand-off where the glock could not be demoted
    until its revokes are written back, but the revokes would not be
    written back because do_xmote() was never called.
    
    It "sort of" works, however, because there are other mechanisms like
    the log flush daemon (logd) that can sync the ail items and revokes,
    if it deems it necessary. The problem is: without file system pressure,
    it might never deem it necessary.
    
    Signed-off-by: Bob Peterson <rpeterso@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 46eafd0f598787494efb1ea61627ab44105a01eb
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Tue Jan 28 14:14:57 2020 -0800

    brcmfmac: abort and release host after error
    
    [ Upstream commit 863844ee3bd38219c88e82966d1df36a77716f3e ]
    
    With commit 216b44000ada ("brcmfmac: Fix use after free in
    brcmf_sdio_readframes()") applied, we see locking timeouts in
    brcmf_sdio_watchdog_thread().
    
    brcmfmac: brcmf_escan_timeout: timer expired
    INFO: task brcmf_wdog/mmc1:621 blocked for more than 120 seconds.
    Not tainted 4.19.94-07984-g24ff99a0f713 #1
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    brcmf_wdog/mmc1 D    0   621      2 0x00000000 last_sleep: 2440793077.  last_runnable: 2440766827
    [<c0aa1e60>] (__schedule) from [<c0aa2100>] (schedule+0x98/0xc4)
    [<c0aa2100>] (schedule) from [<c0853830>] (__mmc_claim_host+0x154/0x274)
    [<c0853830>] (__mmc_claim_host) from [<bf10c5b8>] (brcmf_sdio_watchdog_thread+0x1b0/0x1f8 [brcmfmac])
    [<bf10c5b8>] (brcmf_sdio_watchdog_thread [brcmfmac]) from [<c02570b8>] (kthread+0x178/0x180)
    
    In addition to restarting or exiting the loop, it is also necessary to
    abort the command and to release the host.
    
    Fixes: 216b44000ada ("brcmfmac: Fix use after free in brcmf_sdio_readframes()")
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: Matthias Kaehlcke <mka@chromium.org>
    Cc: Brian Norris <briannorris@chromium.org>
    Cc: Douglas Anderson <dianders@chromium.org>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Reviewed-by: Douglas Anderson <dianders@chromium.org>
    Acked-by: franky.lin@broadcom.com
    Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9c05084cb55125b76cfa7bd3365ef99c5525067a
Author: Matthias Kaehlcke <mka@chromium.org>
Date:   Wed Dec 19 10:17:47 2018 -0800

    tty: serial: qcom_geni_serial: Fix wrap around of TX buffer
    
    [ Upstream commit 3c66eb4ba18dd1cab0d1bde651cde6d8bdb47696 ]
    
    Before commit a1fee899e5bed ("tty: serial: qcom_geni_serial: Fix
    softlock") the size of TX transfers was limited to the TX FIFO size,
    and wrap arounds of the UART circular buffer were split into two
    transfers. With the commit wrap around are allowed within a transfer.
    The TX FIFO of the geni serial port uses a word size of 4 bytes. In
    case of a circular buffer wrap within a transfer the driver currently
    may write an incomplete word to the FIFO, with some bytes containing
    data from the circular buffer and others being zero. Since the
    transfer isn't completed yet the zero bytes are sent as if they were
    actual data.
    
    Handle wrap arounds of the TX buffer properly and ensure that words
    written to the TX FIFO always contain valid data (unless the transfer
    is completed).
    
    Fixes: a1fee899e5bed ("tty: serial: qcom_geni_serial: Fix softlock")
    Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
    Reviewed-by: Evan Green <evgreen@chromium.org>
    Tested-by: Ryan Case <ryandcase@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7f76dcd7cd31d3cad05106f626f1c7905b6ddd3b
Author: Arjun Vynipadath <arjun@chelsio.com>
Date:   Tue Nov 20 12:11:39 2018 +0530

    cxgb4/cxgb4vf: Fix mac_hlist initialization and free
    
    [ Upstream commit b539ea60f5043b9acd7562f04fa2117f18776cbb ]
    
    Null pointer dereference seen when cxgb4vf driver is unloaded
    without bringing up any interfaces, moving mac_hlist initialization
    to driver probe and free the mac_hlist in remove to fix the issue.
    
    Fixes: 24357e06ba51 ("cxgb4vf: fix memleak in mac_hlist initialization")
    Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
    Signed-off-by: Casey Leedom <leedom@chelsio.com>
    Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 810ed91e89801479e5304ee6f4898e78360e8190
Author: Arjun Vynipadath <arjun@chelsio.com>
Date:   Fri Nov 9 14:50:25 2018 +0530

    cxgb4: free mac_hlist properly
    
    [ Upstream commit 2a8d84bf513823ba398f4b2dec41b8decf4041af ]
    
    The locally maintained list for tracking hash mac table was
    not freed during driver remove.
    
    Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
    Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 36235239745cf036450bb2d85b95f1bcd4190b25
Author: Doug Berger <opendmb@gmail.com>
Date:   Fri Nov 16 18:00:22 2018 -0800

    net: bcmgenet: abort suspend on error
    
    [ Upstream commit c5a54bbcececa36852807c36157a86d808b62310 ]
    
    If an error occurs during suspension of the driver the driver should
    restore the hardware configuration and return an error to force the
    system to resume.
    
    Fixes: 0db55093b566 ("net: bcmgenet: return correct value 'ret' from bcmgenet_power_down")
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fb12b3e643fd5f2474b9ccbff8310716975770c9
Author: Doug Berger <opendmb@gmail.com>
Date:   Fri Nov 16 18:00:21 2018 -0800

    net: bcmgenet: code movement
    
    [ Upstream commit a94cbf03eb514d4d64d8c4f4caa0616b7ce5040a ]
    
    This commit switches the order of bcmgenet_suspend and bcmgenet_resume
    in the file to prevent the need for a forward declaration in the next
    commit and to make the review of that commit easier.
    
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 747c7d5ac0d0e6ab483f6ba7e9039c103d66f032
Author: Juliet Kim <julietk@linux.vnet.ibm.com>
Date:   Wed Nov 20 10:50:03 2019 -0500

    Revert "net/ibmvnic: Fix EOI when running in XIVE mode"
    
    [ Upstream commit 284f87d2f3871247d08a2b6a24466ae905079913 ]
    
    This reverts commit 11d49ce9f7946dfed4dcf5dbde865c78058b50ab
    (“net/ibmvnic: Fix EOI when running in XIVE mode.”) since that
    has the unintended effect of changing the interrupt priority
    and emits warning when running in legacy XICS mode.
    
    Signed-off-by: Juliet Kim <julietk@linux.vnet.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f8ed06a6531b75032be629ae9679c6256b281dc3
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Thu Oct 24 10:09:16 2019 -0300

    media: fdp1: Fix R-Car M3-N naming in debug message
    
    [ Upstream commit c05b9d7b9f3ece2831e4e4829f10e904df296df8 ]
    
    The official name is "R-Car M3-N", not "R-Car M3N".
    
    Fixes: 4e8c120de9268fc2 ("media: fdp1: Support M3N and E3 platforms")
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0373456471aa63d5a7aa8a4b211cd87681f2511a
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date:   Fri Mar 15 14:56:21 2019 +0200

    thunderbolt: Drop duplicated get_switch_at_route()
    
    [ Upstream commit 8f965efd215a09c20b0b5e5bb4e20009a954472e ]
    
    tb_switch_find_by_route() does the same already so use it instead and
    remove duplicated get_switch_at_route().
    
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Reviewed-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 472592bb5fa74b1fc51046fb7ec56d5d101999a0
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Mon Apr 22 10:40:38 2019 -0500

    staging: most: core: replace strcpy() by strscpy()
    
    [ Upstream commit 3970d0d81816310175b6272e709ee09dd3e05171 ]
    
    The strcpy() function is being deprecated. Replace it by the safer
    strscpy() and fix the following Coverity warning:
    
    "You might overrun the 80-character fixed-size string iface->p->name
    by copying iface->description without checking the length."
    
    Addresses-Coverity-ID: 1444760 ("Copy into fixed size buffer")
    Fixes: 131ac62253db ("staging: most: core: use device description as name")
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4e160b91c77632b9c3ed09f1ee762953072ed088
Author: Vishal Verma <vishal.l.verma@intel.com>
Date:   Wed Feb 27 17:06:27 2019 -0700

    libnvdimm/btt: Fix LBA masking during 'free list' population
    
    [ Upstream commit 9dedc73a4658ebcc0c9b58c3cb84e9ac80122213 ]
    
    The Linux BTT implementation assumes that log entries will never have
    the 'zero' flag set, and indeed it never sets that flag for log entries
    itself.
    
    However, the UEFI spec is ambiguous on the exact format of the LBA field
    of a log entry, specifically as to whether it should include the
    additional flag bits or not. While a zero bit doesn't make sense in the
    context of a log entry, other BTT implementations might still have it set.
    
    If an implementation does happen to have it set, we would happily read
    it in as the next block to write to for writes. Since a high bit is set,
    it pushes the block number out of the range of an 'arena', and we fail
    such a write with an EIO.
    
    Follow the robustness principle, and tolerate such implementations by
    stripping out the zero flag when populating the free list during
    initialization. Additionally, use the same stripped out entries for
    detection of incomplete writes and map restoration that happens at this
    stage.
    
    Add a sysfs file 'log_zero_flags' that indicates the ability to accept
    such a layout to userspace applications. This enables 'ndctl
    check-namespace' to recognize whether the kernel is able to handle zero
    flags, or whether it should attempt a fix-up under the --repair option.
    
    Cc: Dan Williams <dan.j.williams@intel.com>
    Reported-by: Dexuan Cui <decui@microsoft.com>
    Reported-by: Pedro d'Aquino Filocre F S Barbuda <pbarbuda@microsoft.com>
    Tested-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2979da373471f64a14d67904c969c74cd42b0dda
Author: Vishal Verma <vishal.l.verma@intel.com>
Date:   Wed Feb 27 17:06:26 2019 -0700

    libnvdimm/btt: Remove unnecessary code in btt_freelist_init
    
    [ Upstream commit 2f8c9011151337d0bc106693f272f9bddbccfab2 ]
    
    We call btt_log_read() twice, once to get the 'old' log entry, and again
    to get the 'new' entry. However, we have no use for the 'old' entry, so
    remove it.
    
    Cc: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5e66a5e2fd776bf014f06ba8ff569318c5415c71
Author: Dexuan Cui <decui@microsoft.com>
Date:   Tue Jan 29 00:56:17 2019 +0000

    nfit: Add Hyper-V NVDIMM DSM command set to white list
    
    [ Upstream commit 1194c4133195dfcb6c5fc0935d54bbed872a5285 ]
    
    Add the Hyper-V _DSM command set to the white list of NVDIMM command
    sets.
    
    This command set is documented at http://www.uefi.org/RFIC_LIST
    (see "Virtual NVDIMM 0x1901").
    
    Signed-off-by: Dexuan Cui <decui@microsoft.com>
    Reviewed-by: Michael Kelley <mikelley@microsoft.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 833607d44b56e2daac2810bf93b1aeaa125b1b7e
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Wed May 20 23:36:05 2020 +1000

    powerpc/64s: Disable STRICT_KERNEL_RWX
    
    [ Upstream commit 8659a0e0efdd975c73355dbc033f79ba3b31e82c ]
    
    Several strange crashes have been eventually traced back to
    STRICT_KERNEL_RWX and its interaction with code patching.
    
    Various paths in our ftrace, kprobes and other patching code need to
    be hardened against patching failures, otherwise we can end up running
    with partially/incorrectly patched ftrace paths, kprobes or jump
    labels, which can then cause strange crashes.
    
    Although fixes for those are in development, they're not -rc material.
    
    There also seem to be problems with the underlying strict RWX logic,
    which needs further debugging.
    
    So for now disable STRICT_KERNEL_RWX on 64-bit to prevent people from
    enabling the option and tripping over the bugs.
    
    Fixes: 1e0fc9d1eb2b ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs")
    Cc: stable@vger.kernel.org # v4.13+
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20200520133605.972649-1-mpe@ellerman.id.au
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3d21543203675c6d63f9e7a4eab179ed89c8c1d0
Author: Russell Currey <ruscur@russell.cc>
Date:   Tue Dec 24 17:41:26 2019 +1100

    powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE
    
    [ Upstream commit c55d7b5e64265fdca45c85b639013e770bde2d0e ]
    
    I have tested this with the Radix MMU and everything seems to work, and
    the previous patch for Hash seems to fix everything too.
    STRICT_KERNEL_RWX should still be disabled by default for now.
    
    Please test STRICT_KERNEL_RWX + RELOCATABLE!
    
    Signed-off-by: Russell Currey <ruscur@russell.cc>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20191224064126.183670-2-ruscur@russell.cc
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6da57562007ab59755a99cf9ea83f1361d8a1b62
Author: Colin Xu <colin.xu@intel.com>
Date:   Fri May 8 14:05:06 2020 +0800

    drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance.
    
    commit f965b68188ab59a40a421ced1b05a2fea638465c upstream.
    
    Init value of some display vregs rea inherited from host pregs. When
    host display in different status, i.e. all monitors unpluged, different
    display configurations, etc., GVT virtual display setup don't consistent
    thus may lead to guest driver consider display goes malfunctional.
    
    The added init vreg values are based on PRMs and fixed by calcuation
    from current configuration (only PIPE_A) and the virtual EDID.
    
    Fixes: 04d348ae3f0a ("drm/i915/gvt: vGPU display virtualization")
    Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
    Signed-off-by: Colin Xu <colin.xu@intel.com>
    Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
    Link: http://patchwork.freedesktop.org/patch/msgid/20200508060506.216250-1-colin.xu@intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f0cd63e5dd99c68f84fb210cc1f37dbf271bd95e
Author: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
Date:   Sat May 2 20:15:51 2020 +0300

    dmaengine: owl: Use correct lock in owl_dma_get_pchan()
    
    commit f8f482deb078389b42768b2193e050a81aae137d upstream.
    
    When the kernel is built with lockdep support and the owl-dma driver is
    used, the following message is shown:
    
    [    2.496939] INFO: trying to register non-static key.
    [    2.501889] the code is fine but needs lockdep annotation.
    [    2.507357] turning off the locking correctness validator.
    [    2.512834] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.3+ #15
    [    2.519084] Hardware name: Generic DT based system
    [    2.523878] Workqueue: events_freezable mmc_rescan
    [    2.528681] [<801127f0>] (unwind_backtrace) from [<8010da58>] (show_stack+0x10/0x14)
    [    2.536420] [<8010da58>] (show_stack) from [<8080fbe8>] (dump_stack+0xb4/0xe0)
    [    2.543645] [<8080fbe8>] (dump_stack) from [<8017efa4>] (register_lock_class+0x6f0/0x718)
    [    2.551816] [<8017efa4>] (register_lock_class) from [<8017b7d0>] (__lock_acquire+0x78/0x25f0)
    [    2.560330] [<8017b7d0>] (__lock_acquire) from [<8017e5e4>] (lock_acquire+0xd8/0x1f4)
    [    2.568159] [<8017e5e4>] (lock_acquire) from [<80831fb0>] (_raw_spin_lock_irqsave+0x3c/0x50)
    [    2.576589] [<80831fb0>] (_raw_spin_lock_irqsave) from [<8051b5fc>] (owl_dma_issue_pending+0xbc/0x120)
    [    2.585884] [<8051b5fc>] (owl_dma_issue_pending) from [<80668cbc>] (owl_mmc_request+0x1b0/0x390)
    [    2.594655] [<80668cbc>] (owl_mmc_request) from [<80650ce0>] (mmc_start_request+0x94/0xbc)
    [    2.602906] [<80650ce0>] (mmc_start_request) from [<80650ec0>] (mmc_wait_for_req+0x64/0xd0)
    [    2.611245] [<80650ec0>] (mmc_wait_for_req) from [<8065aa10>] (mmc_app_send_scr+0x10c/0x144)
    [    2.619669] [<8065aa10>] (mmc_app_send_scr) from [<80659b3c>] (mmc_sd_setup_card+0x4c/0x318)
    [    2.628092] [<80659b3c>] (mmc_sd_setup_card) from [<80659f0c>] (mmc_sd_init_card+0x104/0x430)
    [    2.636601] [<80659f0c>] (mmc_sd_init_card) from [<8065a3e0>] (mmc_attach_sd+0xcc/0x16c)
    [    2.644678] [<8065a3e0>] (mmc_attach_sd) from [<8065301c>] (mmc_rescan+0x3ac/0x40c)
    [    2.652332] [<8065301c>] (mmc_rescan) from [<80143244>] (process_one_work+0x2d8/0x780)
    [    2.660239] [<80143244>] (process_one_work) from [<80143730>] (worker_thread+0x44/0x598)
    [    2.668323] [<80143730>] (worker_thread) from [<8014b5f8>] (kthread+0x148/0x150)
    [    2.675708] [<8014b5f8>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
    [    2.682912] Exception stack(0xee8fdfb0 to 0xee8fdff8)
    [    2.687954] dfa0:                                     00000000 00000000 00000000 00000000
    [    2.696118] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    [    2.704277] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
    
    The obvious fix would be to use 'spin_lock_init()' on 'pchan->lock'
    before attempting to call 'spin_lock_irqsave()' in 'owl_dma_get_pchan()'.
    
    However, according to Manivannan Sadhasivam, 'pchan->lock' was supposed
    to only protect 'pchan->vchan' while 'od->lock' does a similar job in
    'owl_dma_terminate_pchan()'.
    
    Therefore, this patch substitutes 'pchan->lock' with 'od->lock' and
    removes the 'lock' attribute in 'owl_dma_pchan' struct.
    
    Fixes: 47e20577c24d ("dmaengine: Add Actions Semi Owl family S900 DMA driver")
    Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
    Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    Acked-by: Andreas Färber <afaerber@suse.de>
    Link: https://lore.kernel.org/r/c6e6cdaca252b5364bd294093673951036488cf0.1588439073.git.cristian.ciocaltea@gmail.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c4bea8476305a61794f36bb628a5348f64536464
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sat May 16 23:42:05 2020 +0200

    dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()'
    
    commit 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 upstream.
    
    Commit b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
    has moved some code in the probe function and reordered the error handling
    path accordingly.
    However, a goto has been missed.
    
    Fix it and goto the right label if 'dma_async_device_register()' fails, so
    that all resources are released.
    
    Fixes: b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
    Acked-by: Thierry Reding <treding@nvidia.com>
    Link: https://lore.kernel.org/r/20200516214205.276266-1-christophe.jaillet@wanadoo.fr
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7018495028f9cc5585b204e49e540ba8930e211
Author: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Date:   Mon Apr 20 13:35:28 2020 +0800

    apparmor: Fix aa_label refcnt leak in policy_update
    
    commit c6b39f070722ea9963ffe756bfe94e89218c5e63 upstream.
    
    policy_update() invokes begin_current_label_crit_section(), which
    returns a reference of the updated aa_label object to "label" with
    increased refcount.
    
    When policy_update() returns, "label" becomes invalid, so the refcount
    should be decreased to keep refcount balanced.
    
    The reference counting issue happens in one exception handling path of
    policy_update(). When aa_may_manage_policy() returns not NULL, the
    refcnt increased by begin_current_label_crit_section() is not decreased,
    causing a refcnt leak.
    
    Fix this issue by jumping to "end_section" label when
    aa_may_manage_policy() returns not NULL.
    
    Fixes: 5ac8c355ae00 ("apparmor: allow introspecting the loaded policy pre internal transform")
    Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
    Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dd73adb161fec02d9303ce98e0e5bf844c5d791e
Author: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Date:   Sun Apr 5 13:11:55 2020 +0800

    apparmor: fix potential label refcnt leak in aa_change_profile
    
    commit a0b845ffa0d91855532b50fc040aeb2d8338dca4 upstream.
    
    aa_change_profile() invokes aa_get_current_label(), which returns
    a reference of the current task's label.
    
    According to the comment of aa_get_current_label(), the returned
    reference must be put with aa_put_label().
    However, when the original object pointed by "label" becomes
    unreachable because aa_change_profile() returns or a new object
    is assigned to "label", reference count increased by
    aa_get_current_label() is not decreased, causing a refcnt leak.
    
    Fix this by calling aa_put_label() before aa_change_profile() return
    and dropping unnecessary aa_get_current_label().
    
    Fixes: 9fcf78cca198 ("apparmor: update domain transitions that are subsets of confinement at nnp")
    Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
    Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f1738ae012a106c6c8fa7d33ed47fb478d9d3c75
Author: Navid Emamdoost <navid.emamdoost@gmail.com>
Date:   Mon Oct 21 10:23:47 2019 -0500

    apparmor: Fix use-after-free in aa_audit_rule_init
    
    commit c54d481d71c6849e044690d3960aaebc730224cc upstream.
    
    In the implementation of aa_audit_rule_init(), when aa_label_parse()
    fails the allocated memory for rule is released using
    aa_audit_rule_free(). But after this release, the return statement
    tries to access the label field of the rule which results in
    use-after-free. Before releasing the rule, copy errNo and return it
    after release.
    
    Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
    Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 90389f4f54e8c383fff8ea9f5dc8140731426738
Author: Christian Gmeiner <christian.gmeiner@gmail.com>
Date:   Tue May 19 07:30:15 2020 +0200

    drm/etnaviv: fix perfmon domain interation
    
    commit 40b697e256ccdb88aaff424b44b4d300eb8460e8 upstream.
    
    The GC860 has one GPU device which has a 2d and 3d core. In this case
    we want to expose perfmon information for both cores.
    
    The driver has one array which contains all possible perfmon domains
    with some meta data - doms_meta. Here we can see that for the GC860
    two elements of that array are relevant:
    
      doms_3d: is at index 0 in the doms_meta array with 8 perfmon domains
      doms_2d: is at index 1 in the doms_meta array with 1 perfmon domain
    
    The userspace driver wants to get a list of all perfmon domains and
    their perfmon signals. This is done by iterating over all domains and
    their signals. If the userspace driver wants to access the domain with
    id 8 the kernel driver fails and returns invalid data from doms_3d with
    and invalid offset.
    
    This results in:
      Unable to handle kernel paging request at virtual address 00000000
    
    On such a device it is not possible to use the userspace driver at all.
    
    The fix for this off-by-one error is quite simple.
    
    Reported-by: Paul Cercueil <paul@crapouillou.net>
    Tested-by: Paul Cercueil <paul@crapouillou.net>
    Fixes: ed1dd899baa3 ("drm/etnaviv: rework perfmon query infrastructure")
    Cc: stable@vger.kernel.org
    Signed-off-by: Christian Gmeiner <christian.gmeiner@gmail.com>
    Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7fd4b8ddf3117f2767cbe1f2e5da26d6b1a9da5b
Author: PeiSen Hou <pshou@realtek.com>
Date:   Tue May 19 08:50:12 2020 +0200

    ALSA: hda/realtek - Add more fixup entries for Clevo machines
    
    commit 259eb82475316672a5d682a94dc8bdd53cf8d8c3 upstream.
    
    A few known Clevo machines (PC50, PC70, X170) with ALC1220 codec need
    the existing quirk for pins for PB51 and co.
    
    Signed-off-by: PeiSen Hou <pshou@realtek.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200519065012.13119-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2865e45c775610b4d684988a19bd28e560304f34
Author: Christian Lachner <gladiac@gmail.com>
Date:   Mon May 18 07:38:44 2020 +0200

    ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme
    
    commit d9e8fe0cffbfdd18de96fa68ee2a8b667a0b046e upstream.
    
    The Gigabyte X570 Aorus Xtreme motherboard with ALC1220 codec
    requires a similar workaround for Clevo laptops to enforce the
    DAC/mixer connection path. Set up a quirk entry for that.
    
    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205275
    Signed-off-by: Christian Lachner <gladiac@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200518053844.42743-2-gladiac@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f479482fc10b35b862f95e9918f5e992d007a4b8
Author: Brent Lu <brent.lu@intel.com>
Date:   Mon May 18 12:30:38 2020 +0800

    ALSA: pcm: fix incorrect hw_base increase
    
    commit e7513c5786f8b33f0c107b3759e433bc6cbb2efa upstream.
    
    There is a corner case that ALSA keeps increasing the hw_ptr but DMA
    already stop working/updating the position for a long time.
    
    In following log we can see the position returned from DMA driver does
    not move at all but the hw_ptr got increased at some point of time so
    snd_pcm_avail() will return a large number which seems to be a buffer
    underrun event from user space program point of view. The program
    thinks there is space in the buffer and fill more data.
    
    [  418.510086] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 4096 avail 12368
    [  418.510149] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 6910 avail 9554
    ...
    [  418.681052] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 15102 avail 1362
    [  418.681130] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 16464 avail 0
    [  418.726515] sound pcmC0D5p: pos 96 hw_ptr 16464 appl_ptr 16464 avail 16368
    
    This is because the hw_base will be increased by runtime->buffer_size
    frames unconditionally if the hw_ptr is not updated for over half of
    buffer time. As the hw_base increases, so does the hw_ptr increased
    by the same number.
    
    The avail value returned from snd_pcm_avail() could exceed the limit
    (buffer_size) easily becase the hw_ptr itself got increased by same
    buffer_size samples when the corner case happens. In following log,
    the buffer_size is 16368 samples but the avail is 21810 samples so
    CRAS server complains about it.
    
    [  418.851755] sound pcmC0D5p: pos 96 hw_ptr 16464 appl_ptr 27390 avail 5442
    [  418.926491] sound pcmC0D5p: pos 96 hw_ptr 32832 appl_ptr 27390 avail 21810
    
    cras_server[1907]: pcm_avail returned frames larger than buf_size:
    sof-glkda7219max: :0,5: 21810 > 16368
    
    By updating runtime->hw_ptr_jiffies each time the HWSYNC is called,
    the hw_base will keep the same when buffer stall happens at long as
    the interval between each HWSYNC call is shorter than half of buffer
    time.
    
    Following is a log captured by a patched kernel. The hw_base/hw_ptr
    value is fixed in this corner case and user space program should be
    aware of the buffer stall and handle it.
    
    [  293.525543] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 4096 avail 12368
    [  293.525606] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 6880 avail 9584
    [  293.525975] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 10976 avail 5488
    [  293.611178] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 15072 avail 1392
    [  293.696429] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 16464 avail 0
    ...
    [  381.139517] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 16464 avail 0
    
    Signed-off-by: Brent Lu <brent.lu@intel.com>
    Reviewed-by: Jaroslav Kysela <perex@perex.cz>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/1589776238-23877-1-git-send-email-brent.lu@intel.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7754403d85cf6b45dd4071f062dd7261e6f03afe
Author: Scott Bahling <sbahling@suse.com>
Date:   Mon May 18 19:57:28 2020 +0200

    ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option
    
    commit b0cb099062b0c18246c3a20caaab4c0afc303255 upstream.
    
    The ST Audio ADCIII is an STDSP24 card plus extension box. With commit
    e8a91ae18bdc ("ALSA: ice1712: Add support for STAudio ADCIII") we
    enabled the ADCIII ports using the model=staudio option but forgot
    this part to ensure the STDSP24 card is initialized properly.
    
    Fixes: e8a91ae18bdc ("ALSA: ice1712: Add support for STAudio ADCIII")
    Signed-off-by: Scott Bahling <sbahling@suse.com>
    Cc: <stable@vger.kernel.org>
    BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1048934
    Link: https://lore.kernel.org/r/20200518175728.28766-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 189b4cfafe61fc236b467d427c01d00d77876662
Author: Daniel Jordan <daniel.m.jordan@oracle.com>
Date:   Thu May 21 16:40:51 2020 -0400

    padata: purge get_cpu and reorder_via_wq from padata_do_serial
    
    [ Upstream commit 065cf577135a4977931c7a1e1edf442bfd9773dd ]
    
    With the removal of the padata timer, padata_do_serial no longer
    needs special CPU handling, so remove it.
    
    Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: linux-crypto@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1538674ceea853dc922c0a56dda331fb9b359d2e
Author: Daniel Jordan <daniel.m.jordan@oracle.com>
Date:   Thu May 21 16:40:50 2020 -0400

    padata: initialize pd->cpu with effective cpumask
    
    [ Upstream commit ec9c7d19336ee98ecba8de80128aa405c45feebb ]
    
    Exercising CPU hotplug on a 5.2 kernel with recent padata fixes from
    cryptodev-2.6.git in an 8-CPU kvm guest...
    
        # modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
        # echo 0 > /sys/devices/system/cpu/cpu1/online
        # echo c > /sys/kernel/pcrypt/pencrypt/parallel_cpumask
        # modprobe tcrypt mode=215
    
    ...caused the following crash:
    
        BUG: kernel NULL pointer dereference, address: 0000000000000000
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 0 P4D 0
        Oops: 0000 [#1] SMP PTI
        CPU: 2 PID: 134 Comm: kworker/2:2 Not tainted 5.2.0-padata-base+ #7
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-<snip>
        Workqueue: pencrypt padata_parallel_worker
        RIP: 0010:padata_reorder+0xcb/0x180
        ...
        Call Trace:
         padata_do_serial+0x57/0x60
         pcrypt_aead_enc+0x3a/0x50 [pcrypt]
         padata_parallel_worker+0x9b/0xe0
         process_one_work+0x1b5/0x3f0
         worker_thread+0x4a/0x3c0
         ...
    
    In padata_alloc_pd, pd->cpu is set using the user-supplied cpumask
    instead of the effective cpumask, and in this case cpumask_first picked
    an offline CPU.
    
    The offline CPU's reorder->list.next is NULL in padata_reorder because
    the list wasn't initialized in padata_init_pqueues, which only operates
    on CPUs in the effective mask.
    
    Fix by using the effective mask in padata_alloc_pd.
    
    Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder")
    Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: linux-crypto@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4252abf74253d8e5d32ccc7f4bdcdfaac65daf13
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Thu May 21 16:40:49 2020 -0400

    padata: Replace delayed timer with immediate workqueue in padata_reorder
    
    [ Upstream commit 6fc4dbcf0276279d488c5fbbfabe94734134f4fa ]
    
    The function padata_reorder will use a timer when it cannot progress
    while completed jobs are outstanding (pd->reorder_objects > 0).  This
    is suboptimal as if we do end up using the timer then it would have
    introduced a gratuitous delay of one second.
    
    In fact we can easily distinguish between whether completed jobs
    are outstanding and whether we can make progress.  All we have to
    do is look at the next pqueue list.
    
    This patch does that by replacing pd->processed with pd->cpu so
    that the next pqueue is more accessible.
    
    A work queue is used instead of the original try_again to avoid
    hogging the CPU.
    
    Note that we don't bother removing the work queue in
    padata_flush_queues because the whole premise is broken.  You
    cannot flush async crypto requests so it makes no sense to even
    try.  A subsequent patch will fix it by replacing it with a ref
    counting scheme.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    [dj: - adjust context
         - corrected setup_timer -> timer_setup to delete hunk
         - skip padata_flush_queues() hunk, function already removed
           in 4.19]
    Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 20239639167676bb336e424a113ddb23d392ba0e
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Apr 14 11:07:22 2020 +0200

    ARM: futex: Address build warning
    
    [ Upstream commit 8101b5a1531f3390b3a69fa7934c70a8fd6566ad ]
    
    Stephen reported the following build warning on a ARM multi_v7_defconfig
    build with GCC 9.2.1:
    
    kernel/futex.c: In function 'do_futex':
    kernel/futex.c:1676:17: warning: 'oldval' may be used uninitialized in this function [-Wmaybe-uninitialized]
     1676 |   return oldval == cmparg;
          |          ~~~~~~~^~~~~~~~~
    kernel/futex.c:1652:6: note: 'oldval' was declared here
     1652 |  int oldval, ret;
          |      ^~~~~~
    
    introduced by commit a08971e9488d ("futex: arch_futex_atomic_op_inuser()
    calling conventions change").
    
    While that change should not make any difference it confuses GCC which
    fails to work out that oldval is not referenced when the return value is
    not zero.
    
    GCC fails to properly analyze arch_futex_atomic_op_inuser(). It's not the
    early return, the issue is with the assembly macros. GCC fails to detect
    that those either set 'ret' to 0 and set oldval or set 'ret' to -EFAULT
    which makes oldval uninteresting. The store to the callsite supplied oldval
    pointer is conditional on ret == 0.
    
    The straight forward way to solve this is to make the store unconditional.
    
    Aside of addressing the build warning this makes sense anyway because it
    removes the conditional from the fastpath. In the error case the stored
    value is uninteresting and the extra store does not matter at all.
    
    Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Link: https://lkml.kernel.org/r/87pncao2ph.fsf@nanos.tec.linutronix.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4276e29974f39507c6b7cc926e6457210f1421b6
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Thu Apr 23 00:05:59 2020 +0200

    platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA
    
    [ Upstream commit 3bd12da7f50b8bc191fcb3bab1f55c582234df59 ]
    
    asus-nb-wmi does not add any extra functionality on these Asus
    Transformer books. They have detachable keyboards, so the hotkeys are
    send through a HID device (and handled by the hid-asus driver) and also
    the rfkill functionality is not used on these devices.
    
    Besides not adding any extra functionality, initializing the WMI interface
    on these devices actually has a negative side-effect. For some reason
    the \_SB.ATKD.INIT() function which asus_wmi_platform_init() calls drives
    GPO2 (INT33FC:02) pin 8, which is connected to the front facing webcam LED,
    high and there is no (WMI or other) interface to drive this low again
    causing the LED to be permanently on, even during suspend.
    
    This commit adds a blacklist of DMI system_ids on which not to load the
    asus-nb-wmi and adds these Transformer books to this list. This fixes
    the webcam LED being permanently on under Linux.
    
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 661595bc360a62c337215353118d5564c234f3fa
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Fri May 1 16:07:28 2020 -0400

    USB: core: Fix misleading driver bug report
    
    [ Upstream commit ac854131d9844f79e2fdcef67a7707227538d78a ]
    
    The syzbot fuzzer found a race between URB submission to endpoint 0
    and device reset.  Namely, during the reset we call usb_ep0_reinit()
    because the characteristics of ep0 may have changed (if the reset
    follows a firmware update, for example).  While usb_ep0_reinit() is
    running there is a brief period during which the pointers stored in
    udev->ep_in[0] and udev->ep_out[0] are set to NULL, and if an URB is
    submitted to ep0 during that period, usb_urb_ep_type_check() will
    report it as a driver bug.  In the absence of those pointers, the
    routine thinks that the endpoint doesn't exist.  The log message looks
    like this:
    
    ------------[ cut here ]------------
    usb 2-1: BOGUS urb xfer, pipe 2 != type 2
    WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478
    usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478
    
    Now, although submitting an URB while the device is being reset is a
    questionable thing to do, it shouldn't count as a driver bug as severe
    as submitting an URB for an endpoint that doesn't exist.  Indeed,
    endpoint 0 always exists, even while the device is in its unconfigured
    state.
    
    To prevent these misleading driver bug reports, this patch updates
    usb_disable_endpoint() to avoid clearing the ep_in[] and ep_out[]
    pointers when the endpoint being disabled is ep0.  There's no danger
    of leaving a stale pointer in place, because the usb_host_endpoint
    structure being pointed to is stored permanently in udev->ep0; it
    doesn't get deallocated until the entire usb_device structure does.
    
    Reported-and-tested-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    
    Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2005011558590.903-100000@netrider.rowland.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e5645ec7f7152e44a64b726025b86aef5fd0907c
Author: Maxim Petrov <mmrmaximuzz@gmail.com>
Date:   Mon May 4 09:26:43 2020 +0300

    stmmac: fix pointer check after utilization in stmmac_interrupt
    
    [ Upstream commit f42234ffd531ca6b13d9da02faa60b72eccf8334 ]
    
    The paranoidal pointer check in IRQ handler looks very strange - it
    really protects us only against bogus drivers which request IRQ line
    with null pointer dev_id. However, the code fragment is incorrect
    because the dev pointer is used before the actual check which leads
    to undefined behavior. Remove the check to avoid confusing people
    with incorrect code.
    
    Signed-off-by: Maxim Petrov <mmrmaximuzz@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7b9e34e82120641953ece4cc6a8e2553575d7149
Author: Wu Bo <wubo40@huawei.com>
Date:   Thu Apr 30 14:12:49 2020 +0800

    ceph: fix double unlock in handle_cap_export()
    
    [ Upstream commit 4d8e28ff3106b093d98bfd2eceb9b430c70a8758 ]
    
    If the ceph_mdsc_open_export_target_session() return fails, it will
    do a "goto retry", but the session mutex has already been unlocked.
    Re-lock the mutex in that case to ensure that we don't unlock it
    twice.
    
    Signed-off-by: Wu Bo <wubo40@huawei.com>
    Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d4c0e42f14fbe410ed24f166f691d74e7ad4b073
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Sat May 2 20:18:42 2020 +0200

    HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock
    
    [ Upstream commit 1e189f267015a098bdcb82cc652d13fbf2203fa0 ]
    
    Add a HID_QUIRK_NO_INIT_REPORTS quirk for the Dell K12A keyboard-dock,
    which can be used with various Dell Venue 11 models.
    
    Without this quirk the keyboard/touchpad combo works fine when connected
    at boot, but when hotplugged 9 out of 10 times it will not work properly.
    Adding the quirk fixes this.
    
    Cc: Mario Limonciello <mario.limonciello@dell.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5aa6bc02414d734167fcc47675a2cec310923543
Author: Yoshiyuki Kurauchi <ahochauwaaaaa@gmail.com>
Date:   Thu Apr 30 14:01:36 2020 +0900

    gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp()
    
    [ Upstream commit 846c68f7f1ac82c797a2f1db3344a2966c0fe2e1 ]
    
    In drivers/net/gtp.c, gtp_genl_dump_pdp() should set NLM_F_MULTI
    flag since it returns multipart message.
    This patch adds a new arg "flags" in gtp_genl_fill_info() so that
    flags can be set by the callers.
    
    Signed-off-by: Yoshiyuki Kurauchi <ahochauwaaaaa@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3c52564729cc63dcb3007e252a8409378a8cd0c7
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Apr 27 16:55:57 2020 +0200

    x86/apic: Move TSC deadline timer debug printk
    
    [ Upstream commit c84cb3735fd53c91101ccdb191f2e3331a9262cb ]
    
    Leon reported that the printk_once() in __setup_APIC_LVTT() triggers a
    lockdep splat due to a lock order violation between hrtimer_base::lock and
    console_sem, when the 'once' condition is reset via
    /sys/kernel/debug/clear_warn_once after boot.
    
    The initial printk cannot trigger this because that happens during boot
    when the local APIC timer is set up on the boot CPU.
    
    Prevent it by moving the printk to a place which is guaranteed to be only
    called once during boot.
    
    Mark the deadline timer check related functions and data __init while at
    it.
    
    Reported-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Link: https://lkml.kernel.org/r/87y2qhoshi.fsf@nanos.tec.linutronix.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 467926e4ac904feaf35f4ce5a5939d8ae07d5ba7
Author: Daniel Playfair Cal <daniel.playfair.cal@gmail.com>
Date:   Sat Apr 25 20:58:17 2020 +1000

    HID: i2c-hid: reset Synaptics SYNA2393 on resume
    
    [ Upstream commit 538f67407e2c0e5ed2a46e7d7ffa52f2e30c7ef8 ]
    
    On the Dell XPS 9570, the Synaptics SYNA2393 touchpad generates spurious
    interrupts after resuming from suspend until it receives some input or
    is reset. Add it to the quirk I2C_HID_QUIRK_RESET_ON_RESUME so that it
    is reset when resuming from suspend.
    
    More information about the bug can be found in this mailing list
    discussion: https://www.spinics.net/lists/linux-input/msg59530.html
    
    Signed-off-by: Daniel Playfair Cal <daniel.playfair.cal@gmail.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 62fe53c2572fd04e56c76a27cfaecadcb4bf12f8
Author: Tyrel Datwyler <tyreld@linux.ibm.com>
Date:   Mon Apr 27 15:49:53 2020 -0700

    scsi: ibmvscsi: Fix WARN_ON during event pool release
    
    [ Upstream commit b36522150e5b85045f868768d46fbaaa034174b2 ]
    
    While removing an ibmvscsi client adapter a WARN_ON like the following is
    seen in the kernel log:
    
    drmgr: drmgr: -r -c slot -s U9080.M9S.783AEC8-V11-C11 -w 5 -d 1
    WARNING: CPU: 9 PID: 24062 at ../kernel/dma/mapping.c:311 dma_free_attrs+0x78/0x110
    Supported: No, Unreleased kernel
    CPU: 9 PID: 24062 Comm: drmgr Kdump: loaded Tainted: G               X 5.3.18-12-default
    NIP:  c0000000001fa758 LR: c0000000001fa744 CTR: c0000000001fa6e0
    REGS: c0000002173375d0 TRAP: 0700   Tainted: G               X (5.3.18-12-default)
    MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28088282  XER: 20000000
    CFAR: c0000000001fbf0c IRQMASK: 1
    GPR00: c0000000001fa744 c000000217337860 c00000000161ab00 0000000000000000
    GPR04: 0000000000000000 c000011e12250000 0000000018010000 0000000000000000
    GPR08: 0000000000000000 0000000000000001 0000000000000001 c0080000190f4fa8
    GPR12: c0000000001fa6e0 c000000007fc2a00 0000000000000000 0000000000000000
    GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
    GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
    GPR24: 000000011420e310 0000000000000000 0000000000000000 0000000018010000
    GPR28: c00000000159de50 c000011e12250000 0000000000006600 c000011e5c994848
    NIP [c0000000001fa758] dma_free_attrs+0x78/0x110
    LR [c0000000001fa744] dma_free_attrs+0x64/0x110
    Call Trace:
    [c000000217337860] [000000011420e310] 0x11420e310 (unreliable)
    [c0000002173378b0] [c0080000190f0280] release_event_pool+0xd8/0x120 [ibmvscsi]
    [c000000217337930] [c0080000190f3f74] ibmvscsi_remove+0x6c/0x160 [ibmvscsi]
    [c000000217337960] [c0000000000f3cac] vio_bus_remove+0x5c/0x100
    [c0000002173379a0] [c00000000087a0a4] device_release_driver_internal+0x154/0x280
    [c0000002173379e0] [c0000000008777cc] bus_remove_device+0x11c/0x220
    [c000000217337a60] [c000000000870fc4] device_del+0x1c4/0x470
    [c000000217337b10] [c0000000008712a0] device_unregister+0x30/0xa0
    [c000000217337b80] [c0000000000f39ec] vio_unregister_device+0x2c/0x60
    [c000000217337bb0] [c00800001a1d0964] dlpar_remove_slot+0x14c/0x250 [rpadlpar_io]
    [c000000217337c50] [c00800001a1d0bcc] remove_slot_store+0xa4/0x110 [rpadlpar_io]
    [c000000217337cd0] [c000000000c091a0] kobj_attr_store+0x30/0x50
    [c000000217337cf0] [c00000000057c934] sysfs_kf_write+0x64/0x90
    [c000000217337d10] [c00000000057be10] kernfs_fop_write+0x1b0/0x290
    [c000000217337d60] [c000000000488c4c] __vfs_write+0x3c/0x70
    [c000000217337d80] [c00000000048c648] vfs_write+0xd8/0x260
    [c000000217337dd0] [c00000000048ca8c] ksys_write+0xdc/0x130
    [c000000217337e20] [c00000000000b488] system_call+0x5c/0x70
    Instruction dump:
    7c840074 f8010010 f821ffb1 20840040 eb830218 7c8407b4 48002019 60000000
    2fa30000 409e003c 892d0988 792907e0 <0b090000> 2fbd0000 419e0028 2fbc0000
    ---[ end trace 5955b3c0cc079942 ]---
    rpadlpar_io: slot U9080.M9S.783AEC8-V11-C11 removed
    
    This is tripped as a result of irqs being disabled during the call to
    dma_free_coherent() by release_event_pool(). At this point in the code path
    we have quiesced the adapter and it is overly paranoid to be holding the
    host lock.
    
    [mkp: fixed build warning reported by sfr]
    
    Link: https://lore.kernel.org/r/1588027793-17952-1-git-send-email-tyreld@linux.ibm.com
    Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f8dacda9c713e72368e64922295154d0e63032b3
Author: James Hilliard <james.hilliard1@gmail.com>
Date:   Sat Apr 11 13:02:41 2020 -0600

    component: Silence bind error on -EPROBE_DEFER
    
    [ Upstream commit 7706b0a76a9697021e2bf395f3f065c18f51043d ]
    
    If a component fails to bind due to -EPROBE_DEFER we should not log an
    error as this is not a real failure.
    
    Fixes messages like:
    vc4-drm soc:gpu: failed to bind 3f902000.hdmi (ops vc4_hdmi_ops): -517
    vc4-drm soc:gpu: master bind failed: -517
    
    Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
    Link: https://lore.kernel.org/r/20200411190241.89404-1-james.hilliard1@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 297a69f4775c32ab0ed937f7e4e0ee676e191792
Author: Richard Clark <richard.xnu.clark@gmail.com>
Date:   Sat Apr 25 08:58:11 2020 +0800

    aquantia: Fix the media type of AQC100 ethernet controller in the driver
    
    [ Upstream commit 6de556c31061e3b9c36546ffaaac5fdb679a2f14 ]
    
    The Aquantia AQC100 controller enables a SFP+ port, so the driver should
    configure the media type as '_TYPE_FIBRE' instead of '_TYPE_TP'.
    
    Signed-off-by: Richard Clark <richard.xnu.clark@gmail.com>
    Cc: Igor Russkikh <irusskikh@marvell.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Acked-by: Igor Russkikh <irusskikh@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b6067828fd4aad5a6c24882a0f429260942e745c
Author: Stefano Garzarella <sgarzare@redhat.com>
Date:   Fri Apr 24 17:08:29 2020 +0200

    vhost/vsock: fix packet delivery order to monitoring devices
    
    [ Upstream commit 107bc0766b9feb5113074c753735a3f115c2141f ]
    
    We want to deliver packets to monitoring devices before it is
    put in the virtqueue, to avoid that replies can appear in the
    packet capture before the transmitted packet.
    
    Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 96fc3559de8d439a2f5032993442b55869f0c05c
Author: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Date:   Sat Apr 25 20:52:26 2020 +0800

    configfs: fix config_item refcnt leak in configfs_rmdir()
    
    [ Upstream commit 8aebfffacfa379ba400da573a5bf9e49634e38cb ]
    
    configfs_rmdir() invokes configfs_get_config_item(), which returns a
    reference of the specified config_item object to "parent_item" with
    increased refcnt.
    
    When configfs_rmdir() returns, local variable "parent_item" becomes
    invalid, so the refcount should be decreased to keep refcount balanced.
    
    The reference counting issue happens in one exception handling path of
    configfs_rmdir(). When down_write_killable() fails, the function forgets
    to decrease the refcnt increased by configfs_get_config_item(), causing
    a refcnt leak.
    
    Fix this issue by calling config_item_put() when down_write_killable()
    fails.
    
    Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
    Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 19bba55319fa84adfacc5c26cf2681df0e57737c
Author: Quinn Tran <qutran@marvell.com>
Date:   Tue Mar 31 03:40:15 2020 -0700

    scsi: qla2xxx: Delete all sessions before unregister local nvme port
    
    [ Upstream commit c48f849d3f7a4ec1025105f446e29d395c4dcc2f ]
    
    Delete all sessions before unregistering local nvme port.  This allows nvme
    layer to decrement all active rport count down to zero.  Once the count is
    down to zero, nvme would call qla to continue with the npiv port deletion.
    
    PID: 27448  TASK: ffff9e34b777c1c0  CPU: 0   COMMAND: "qaucli"
     0 [ffff9e25e84abbd8] __schedule at ffffffff977858ca
     1 [ffff9e25e84abc68] schedule at ffffffff97785d79
     2 [ffff9e25e84abc78] schedule_timeout at ffffffff97783881
     3 [ffff9e25e84abd28] wait_for_completion at ffffffff9778612d
     4 [ffff9e25e84abd88] qla_nvme_delete at ffffffffc0e3024e [qla2xxx]
     5 [ffff9e25e84abda8] qla24xx_vport_delete at ffffffffc0e024b9 [qla2xxx]
     6 [ffff9e25e84abdf0] fc_vport_terminate at ffffffffc011c247 [scsi_transport_fc]
     7 [ffff9e25e84abe28] store_fc_host_vport_delete at ffffffffc011cd94 [scsi_transport_fc]
     8 [ffff9e25e84abe70] dev_attr_store at ffffffff974b376b
     9 [ffff9e25e84abe80] sysfs_kf_write at ffffffff972d9a92
    10 [ffff9e25e84abe90] kernfs_fop_write at ffffffff972d907b
    11 [ffff9e25e84abec8] vfs_write at ffffffff9724c790
    12 [ffff9e25e84abf08] sys_write at ffffffff9724d55f
    13 [ffff9e25e84abf50] system_call_fastpath at ffffffff97792ed2
        RIP: 00007fc0bd81a6fd  RSP: 00007ffff78d9648  RFLAGS: 00010202
        RAX: 0000000000000001  RBX: 0000000000000022  RCX: 00007ffff78d96e0
        RDX: 0000000000000022  RSI: 00007ffff78d94e0  RDI: 0000000000000008
        RBP: 00007ffff78d9440   R8: 0000000000000000   R9: 00007fc0bd48b2cd
        R10: 0000000000000017  R11: 0000000000000293  R12: 0000000000000000
        R13: 00005624e4dac840  R14: 00005624e4da9a10  R15: 0000000000000000
        ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b
    
    Link: https://lore.kernel.org/r/20200331104015.24868-4-njavali@marvell.com
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Quinn Tran <qutran@marvell.com>
    Signed-off-by: Nilesh Javali <njavali@marvell.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b1cd543ed3a9d8b02561107224286a88cee72468
Author: Arun Easi <aeasi@marvell.com>
Date:   Tue Mar 31 03:40:14 2020 -0700

    scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV
    
    [ Upstream commit 45a76264c26fd8cfd0c9746196892d9b7e2657ee ]
    
    In NPIV environment, a NPIV host may use a queue pair created by base host
    or other NPIVs, so the check for a queue pair created by this NPIV is not
    correct, and can cause an abort to fail, which in turn means the NVME
    command not returned.  This leads to hang in nvme_fc layer in
    nvme_fc_delete_association() which waits for all I/Os to be returned, which
    is seen as hang in the application.
    
    Link: https://lore.kernel.org/r/20200331104015.24868-3-njavali@marvell.com
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Arun Easi <aeasi@marvell.com>
    Signed-off-by: Nilesh Javali <njavali@marvell.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 10c034037ecb639490975d4c528b60c856026382
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Wed Apr 15 14:51:42 2020 +0200

    HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead
    
    [ Upstream commit 185af3e775b693f773d9a4b5a8c3cda69fc8ca0f ]
    
    HID_DEVICE_ID_ALPS_1657 PID is too specific, as there are many other
    ALPS hardware IDs using this particular touchpad.
    
    Rename the identifier to HID_DEVICE_ID_ALPS_U1_UNICORN_LEGACY in order
    to describe reality better.
    
    Fixes: 640e403b1fd24 ("HID: alps: Add AUI1657 device ID")
    Reported-by: Xiaojian Cao <xiaojian.cao@cn.alps.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit afdc30836903753cf892d9040bb9849d327a3f40
Author: Artem Borisov <dedsa2002@gmail.com>
Date:   Mon Apr 6 03:55:15 2020 +0400

    HID: alps: Add AUI1657 device ID
    
    [ Upstream commit 640e403b1fd24e7f31ac6f29f0b6a21d285ed729 ]
    
    This device is used on Lenovo V130-15IKB variants and uses
    the same registers as U1.
    
    Signed-off-by: Artem Borisov <dedsa2002@gmail.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0faf568db7eeac009d516b82b176f322788d4111
Author: Sebastian Reichel <sebastian.reichel@collabora.com>
Date:   Mon Apr 13 18:02:37 2020 +0200

    HID: multitouch: add eGalaxTouch P80H84 support
    
    [ Upstream commit f9e82295eec141a0569649d400d249333d74aa91 ]
    
    Add support for P80H84 touchscreen from eGalaxy:
    
      idVendor           0x0eef D-WAV Scientific Co., Ltd
      idProduct          0xc002
      iManufacturer           1 eGalax Inc.
      iProduct                2 eGalaxTouch P80H84 2019 vDIVA_1204_T01 k4.02.146
    
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3704132ab05139eb4b10e81d952d0246fd844bd7
Author: Frédéric Pierret (fepitre) <frederic.pierret@qubes-os.org>
Date:   Tue Apr 7 13:32:59 2020 +0200

    gcc-common.h: Update for GCC 10
    
    [ Upstream commit c7527373fe28f97d8a196ab562db5589be0d34b9 ]
    
    Remove "params.h" include, which has been dropped in GCC 10.
    
    Remove is_a_helper() macro, which is now defined in gimple.h, as seen
    when running './scripts/gcc-plugin.sh g++ g++ gcc':
    
    In file included from <stdin>:1:
    ./gcc-plugins/gcc-common.h:852:13: error: redefinition of ‘static bool is_a_helper<T>::test(U*) [with U = const gimple; T = const ggoto*]’
      852 | inline bool is_a_helper<const ggoto *>::test(const_gimple gs)
          |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ./gcc-plugins/gcc-common.h:125,
                     from <stdin>:1:
    /usr/lib/gcc/x86_64-redhat-linux/10/plugin/include/gimple.h:1037:1: note: ‘static bool is_a_helper<T>::test(U*) [with U = const gimple; T = const ggoto*]’ previously declared here
     1037 | is_a_helper <const ggoto *>::test (const gimple *gs)
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Add -Wno-format-diag to scripts/gcc-plugins/Makefile to avoid
    meaningless warnings from error() formats used by plugins:
    
    scripts/gcc-plugins/structleak_plugin.c: In function ‘int plugin_init(plugin_name_args*, plugin_gcc_version*)’:
    scripts/gcc-plugins/structleak_plugin.c:253:12: warning: unquoted sequence of 2 consecutive punctuation characters ‘'-’ in format [-Wformat-diag]
      253 |   error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
          |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Frédéric Pierret (fepitre) <frederic.pierret@qubes-os.org>
    Link: https://lore.kernel.org/r/20200407113259.270172-1-frederic.pierret@qubes-os.org
    [kees: include -Wno-format-diag for plugin builds]
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3251a0749e09441e6ea69414f52d37bd7a81d960
Author: Richard Weinberger <richard@nod.at>
Date:   Sat May 2 14:48:02 2020 +0200

    ubi: Fix seq_file usage in detailed_erase_block_info debugfs file
    
    [ Upstream commit 0e7572cffe442290c347e779bf8bd4306bb0aa7c ]
    
    3bfa7e141b0b ("fs/seq_file.c: seq_read(): add info message about buggy .next functions")
    showed that we don't use seq_file correctly.
    So make sure that our ->next function always updates the position.
    
    Fixes: 7bccd12d27b7 ("ubi: Add debugfs file for tracking PEB state")
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c3c1cf3dbb9ca9809a670927a8bb5f97c386ce3b
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Wed May 6 21:21:00 2020 +0200

    i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()'
    
    [ Upstream commit e9d1a0a41d4486955e96552293c1fcf1fce61602 ]
    
    A call to 'i2c_demux_deactivate_master()' is missing in the error handling
    path, as already done in the remove function.
    
    Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0c673a0996009463978d11e6dbf6829f2940cd3d
Author: Alexander Monakov <amonakov@ispras.ru>
Date:   Mon May 11 10:23:52 2020 +0000

    iommu/amd: Fix over-read of ACPI UID from IVRS table
    
    [ Upstream commit e461b8c991b9202b007ea2059d953e264240b0c9 ]
    
    IVRS parsing code always tries to read 255 bytes from memory when
    retrieving ACPI device path, and makes an assumption that firmware
    provides a zero-terminated string. Both of those are bugs: the entry
    is likely to be shorter than 255 bytes, and zero-termination is not
    guaranteed.
    
    With Acer SF314-42 firmware these issues manifest visibly in dmesg:
    
    AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR0\xf0\xa5, rdevid:160
    AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR1\xf0\xa5, rdevid:160
    AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR2\xf0\xa5, rdevid:160
    AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR3>\x83e\x8d\x9a\xd1...
    
    The first three lines show how the code over-reads adjacent table
    entries into the UID, and in the last line it even reads garbage data
    beyond the end of the IVRS table itself.
    
    Since each entry has the length of the UID (uidl member of ivhd_entry
    struct), use that for memcpy, and manually add a zero terminator.
    
    Avoid zero-filling hid and uid arrays up front, and instead ensure
    the uid array is always zero-terminated. No change needed for the hid
    array, as it was already properly zero-terminated.
    
    Fixes: 2a0cb4e2d423c ("iommu/amd: Add new map for storing IVHD dev entry type HID")
    
    Signed-off-by: Alexander Monakov <amonakov@ispras.ru>
    Cc: Joerg Roedel <joro@8bytes.org>
    Cc: iommu@lists.linux-foundation.org
    Link: https://lore.kernel.org/r/20200511102352.1831-1-amonakov@ispras.ru
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e0fdf46af950320ba7c100951a0c12bb6553dbee
Author: Christoph Hellwig <hch@lst.de>
Date:   Thu Apr 9 13:33:05 2020 +0200

    ubifs: remove broken lazytime support
    
    [ Upstream commit ecf84096a526f2632ee85c32a3d05de3fa60ce80 ]
    
    When "ubifs: introduce UBIFS_ATIME_SUPPORT to ubifs" introduced atime
    support to ubifs, it also added lazytime support.  As far as I can tell
    the lazytime support is terminally broken, as it causes
    mark_inode_dirty_sync to be called from __writeback_single_inode, which
    will then trigger the locking assert in ubifs_dirty_inode.  Just remove
    the broken lazytime support for now, it can be added back later,
    especially as some infrastructure changes should make that easier soon.
    
    Fixes: 8c1c5f263833 ("ubifs: introduce UBIFS_ATIME_SUPPORT to ubifs")
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b23af87aabc04ee63935b7f80664f2b36f74fdef
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Tue May 19 17:48:52 2020 -0400

    fix multiplication overflow in copy_fdtable()
    
    [ Upstream commit 4e89b7210403fa4a8acafe7c602b6212b7af6c3b ]
    
    cpy and set really should be size_t; we won't get an overflow on that,
    since sysctl_nr_open can't be set above ~(size_t)0 / sizeof(void *),
    so nr that would've managed to overflow size_t on that multiplication
    won't get anywhere near copy_fdtable() - we'll fail with EMFILE
    before that.
    
    Cc: stable@kernel.org # v2.6.25+
    Fixes: 9cfe015aa424 (get rid of NR_OPEN and introduce a sysctl_nr_open)
    Reported-by: Thiago Macieira <thiago.macieira@intel.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e7a71903eceda26983222895fd2fd3d86197b03b
Author: Miquel Raynal <miquel.raynal@bootlin.com>
Date:   Wed May 13 15:10:29 2020 +0200

    mtd: spinand: Propagate ECC information to the MTD structure
    
    [ Upstream commit 3507273d5a4d3c2e46f9d3f9ed9449805f5dff07 ]
    
    This is done by default in the raw NAND core (nand_base.c) but was
    missing in the SPI-NAND core. Without these two lines the ecc_strength
    and ecc_step_size values are not exported to the user through sysfs.
    
    Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
    Cc: stable@vger.kernel.org
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 657a03ff6c97319d8e664c05a1beebd8eb15d049
Author: Roberto Sassu <roberto.sassu@huawei.com>
Date:   Mon Apr 27 12:31:28 2020 +0200

    ima: Fix return value of ima_write_policy()
    
    [ Upstream commit 2e3a34e9f409ebe83d1af7cd2f49fca7af97dfac ]
    
    This patch fixes the return value of ima_write_policy() when a new policy
    is directly passed to IMA and the current policy requires appraisal of the
    file containing the policy. Currently, if appraisal is not in ENFORCE mode,
    ima_write_policy() returns 0 and leads user space applications to an
    endless loop. Fix this issue by denying the operation regardless of the
    appraisal mode.
    
    Cc: stable@vger.kernel.org # 4.10.x
    Fixes: 19f8a84713edc ("ima: measure and appraise the IMA policy itself")
    Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
    Reviewed-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
    Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4c7a2e76ae93577628a022d2d2adf5e0d8a89147
Author: Roberto Sassu <roberto.sassu@huawei.com>
Date:   Mon Apr 27 12:28:56 2020 +0200

    evm: Check also if *tfm is an error pointer in init_desc()
    
    [ Upstream commit 53de3b080d5eae31d0de219617155dcc34e7d698 ]
    
    This patch avoids a kernel panic due to accessing an error pointer set by
    crypto_alloc_shash(). It occurs especially when there are many files that
    require an unsupported algorithm, as it would increase the likelihood of
    the following race condition:
    
    Task A: *tfm = crypto_alloc_shash() <= error pointer
    Task B: if (*tfm == NULL) <= *tfm is not NULL, use it
    Task B: rc = crypto_shash_init(desc) <= panic
    Task A: *tfm = NULL
    
    This patch uses the IS_ERR_OR_NULL macro to determine whether or not a new
    crypto context must be created.
    
    Cc: stable@vger.kernel.org
    Fixes: d46eb3699502b ("evm: crypto hash replaced by shash")
    Co-developed-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
    Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
    Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
    Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 904de138bae903a6e377322e64312e22a84f2140
Author: Roberto Sassu <roberto.sassu@huawei.com>
Date:   Mon Apr 27 12:28:55 2020 +0200

    ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash()
    
    [ Upstream commit 0014cc04e8ec077dc482f00c87dfd949cfe2b98f ]
    
    Commit a408e4a86b36 ("ima: open a new file instance if no read
    permissions") tries to create a new file descriptor to calculate a file
    digest if the file has not been opened with O_RDONLY flag. However, if a
    new file descriptor cannot be obtained, it sets the FMODE_READ flag to
    file->f_flags instead of file->f_mode.
    
    This patch fixes this issue by replacing f_flags with f_mode as it was
    before that commit.
    
    Cc: stable@vger.kernel.org # 4.20.x
    Fixes: a408e4a86b36 ("ima: open a new file instance if no read permissions")
    Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
    Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
    Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 512f9837b44827736ee5da7f96dbd92dc30457c8
Author: Vincent Chen <vincent.chen@sifive.com>
Date:   Mon Apr 27 14:59:24 2020 +0800

    riscv: set max_pfn to the PFN of the last page
    
    commit c749bb2d554825e007cbc43b791f54e124dadfce upstream.
    
    The current max_pfn equals to zero. In this case, I found it caused users
    cannot get some page information through /proc such as kpagecount in v5.6
    kernel because of new sanity checks. The following message is displayed by
    stress-ng test suite with the command "stress-ng --verbose --physpage 1 -t
    1" on HiFive unleashed board.
    
     # stress-ng --verbose --physpage 1 -t 1
     stress-ng: debug: [109] 4 processors online, 4 processors configured
     stress-ng: info: [109] dispatching hogs: 1 physpage
     stress-ng: debug: [109] cache allocate: reducing cache level from L3 (too high) to L0
     stress-ng: debug: [109] get_cpu_cache: invalid cache_level: 0
     stress-ng: info: [109] cache allocate: using built-in defaults as no suitable cache found
     stress-ng: debug: [109] cache allocate: default cache size: 2048K
     stress-ng: debug: [109] starting stressors
     stress-ng: debug: [109] 1 stressor spawned
     stress-ng: debug: [110] stress-ng-physpage: started [110] (instance 0)
     stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd34de000 in /proc/kpagecount, errno=0 (Success)
     stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd32db078 in /proc/kpagecount, errno=0 (Success)
     ...
     stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd32db078 in /proc/kpagecount, errno=0 (Success)
     stress-ng: debug: [110] stress-ng-physpage: exited [110] (instance 0)
     stress-ng: debug: [109] process [110] terminated
     stress-ng: info: [109] successful run completed in 1.00s
     #
    
    After applying this patch, the kernel can pass the test.
    
     # stress-ng --verbose --physpage 1 -t 1
     stress-ng: debug: [104] 4 processors online, 4 processors configured stress-ng: info: [104] dispatching hogs: 1 physpage
     stress-ng: info: [104] cache allocate: using defaults, can't determine cache details from sysfs
     stress-ng: debug: [104] cache allocate: default cache size: 2048K
     stress-ng: debug: [104] starting stressors
     stress-ng: debug: [104] 1 stressor spawned
     stress-ng: debug: [105] stress-ng-physpage: started [105] (instance 0) stress-ng: debug: [105] stress-ng-physpage: exited [105] (instance 0) stress-ng: debug: [104] process [105] terminated
     stress-ng: info: [104] successful run completed in 1.01s
     #
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Vincent Chen <vincent.chen@sifive.com>
    Reviewed-by: Anup Patel <anup@brainfault.org>
    Reviewed-by: Yash Shah <yash.shah@sifive.com>
    Tested-by: Yash Shah <yash.shah@sifive.com>
    Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
    [Palmer: back-ported to 4.19]
    Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 008708152ebb229c29e065135599984fa9c4a51c
Author: Miaohe Lin <linmiaohe@huawei.com>
Date:   Sat Jan 4 16:56:49 2020 +0800

    KVM: SVM: Fix potential memory leak in svm_cpu_init()
    
    commit d80b64ff297e40c2b6f7d7abc1b3eba70d22a068 upstream.
    
    When kmalloc memory for sd->sev_vmcbs failed, we forget to free the page
    held by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually
    the only possible outcome here.
    
    Reviewed-by: Liran Alon <liran.alon@oracle.com>
    Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a612c4ece2eb757011ae88a8410b48e523220b8d
Author: Kevin Hao <haokexin@gmail.com>
Date:   Fri Oct 11 23:00:14 2019 +0800

    i2c: dev: Fix the race between the release of i2c_dev and cdev
    
    commit 1413ef638abae4ab5621901cf4d8ef08a4a48ba6 upstream.
    
    The struct cdev is embedded in the struct i2c_dev. In the current code,
    we would free the i2c_dev struct directly in put_i2c_dev(), but the
    cdev is manged by a kobject, and the release of it is not predictable.
    So it is very possible that the i2c_dev is freed before the cdev is
    entirely released. We can easily get the following call trace with
    CONFIG_DEBUG_KOBJECT_RELEASE and CONFIG_DEBUG_OBJECTS_TIMERS enabled.
      ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x38
      WARNING: CPU: 19 PID: 1 at lib/debugobjects.c:325 debug_print_object+0xb0/0xf0
      Modules linked in:
      CPU: 19 PID: 1 Comm: swapper/0 Tainted: G        W         5.2.20-yocto-standard+ #120
      Hardware name: Marvell OcteonTX CN96XX board (DT)
      pstate: 80c00089 (Nzcv daIf +PAN +UAO)
      pc : debug_print_object+0xb0/0xf0
      lr : debug_print_object+0xb0/0xf0
      sp : ffff00001292f7d0
      x29: ffff00001292f7d0 x28: ffff800b82151788
      x27: 0000000000000001 x26: ffff800b892c0000
      x25: ffff0000124a2558 x24: 0000000000000000
      x23: ffff00001107a1d8 x22: ffff0000116b5088
      x21: ffff800bdc6afca8 x20: ffff000012471ae8
      x19: ffff00001168f2c8 x18: 0000000000000010
      x17: 00000000fd6f304b x16: 00000000ee79de43
      x15: ffff800bc0e80568 x14: 79616c6564203a74
      x13: 6e6968207473696c x12: 5f72656d6974203a
      x11: ffff0000113f0018 x10: 0000000000000000
      x9 : 000000000000001f x8 : 0000000000000000
      x7 : ffff0000101294cc x6 : 0000000000000000
      x5 : 0000000000000000 x4 : 0000000000000001
      x3 : 00000000ffffffff x2 : 0000000000000000
      x1 : 387fc15c8ec0f200 x0 : 0000000000000000
      Call trace:
       debug_print_object+0xb0/0xf0
       __debug_check_no_obj_freed+0x19c/0x228
       debug_check_no_obj_freed+0x1c/0x28
       kfree+0x250/0x440
       put_i2c_dev+0x68/0x78
       i2cdev_detach_adapter+0x60/0xc8
       i2cdev_notifier_call+0x3c/0x70
       notifier_call_chain+0x8c/0xe8
       blocking_notifier_call_chain+0x64/0x88
       device_del+0x74/0x380
       device_unregister+0x54/0x78
       i2c_del_adapter+0x278/0x2d0
       unittest_i2c_bus_remove+0x3c/0x80
       platform_drv_remove+0x30/0x50
       device_release_driver_internal+0xf4/0x1c0
       driver_detach+0x58/0xa0
       bus_remove_driver+0x84/0xd8
       driver_unregister+0x34/0x60
       platform_driver_unregister+0x20/0x30
       of_unittest_overlay+0x8d4/0xbe0
       of_unittest+0xae8/0xb3c
       do_one_initcall+0xac/0x450
       do_initcall_level+0x208/0x224
       kernel_init_freeable+0x2d8/0x36c
       kernel_init+0x18/0x108
       ret_from_fork+0x10/0x1c
      irq event stamp: 3934661
      hardirqs last  enabled at (3934661): [<ffff00001009fa04>] debug_exception_exit+0x4c/0x58
      hardirqs last disabled at (3934660): [<ffff00001009fb14>] debug_exception_enter+0xa4/0xe0
      softirqs last  enabled at (3934654): [<ffff000010081d94>] __do_softirq+0x46c/0x628
      softirqs last disabled at (3934649): [<ffff0000100b4a1c>] irq_exit+0x104/0x118
    
    This is a common issue when using cdev embedded in a struct.
    Fortunately, we already have a mechanism to solve this kind of issue.
    Please see commit 233ed09d7fda ("chardev: add helper function to
    register char devs with a struct device") for more detail.
    
    In this patch, we choose to embed the struct device into the i2c_dev,
    and use the API provided by the commit 233ed09d7fda to make sure that
    the release of i2c_dev and cdev are in sequence.
    
    Signed-off-by: Kevin Hao <haokexin@gmail.com>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f5a8138cd4836bbe31200d83e3d6b1833bf09512
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Fri Aug 2 21:48:58 2019 -0700

    ubsan: build ubsan.c more conservatively
    
    commit af700eaed0564d5d3963a7a51cb0843629d7fe3d upstream.
    
    objtool points out several conditions that it does not like, depending
    on the combination with other configuration options and compiler
    variants:
    
    stack protector:
      lib/ubsan.o: warning: objtool: __ubsan_handle_type_mismatch()+0xbf: call to __stack_chk_fail() with UACCESS enabled
      lib/ubsan.o: warning: objtool: __ubsan_handle_type_mismatch_v1()+0xbe: call to __stack_chk_fail() with UACCESS enabled
    
    stackleak plugin:
      lib/ubsan.o: warning: objtool: __ubsan_handle_type_mismatch()+0x4a: call to stackleak_track_stack() with UACCESS enabled
      lib/ubsan.o: warning: objtool: __ubsan_handle_type_mismatch_v1()+0x4a: call to stackleak_track_stack() with UACCESS enabled
    
    kasan:
      lib/ubsan.o: warning: objtool: __ubsan_handle_type_mismatch()+0x25: call to memcpy() with UACCESS enabled
      lib/ubsan.o: warning: objtool: __ubsan_handle_type_mismatch_v1()+0x25: call to memcpy() with UACCESS enabled
    
    The stackleak and kasan options just need to be disabled for this file
    as we do for other files already.  For the stack protector, we already
    attempt to disable it, but this fails on clang because the check is
    mixed with the gcc specific -fno-conserve-stack option.  According to
    Andrey Ryabinin, that option is not even needed, dropping it here fixes
    the stackprotector issue.
    
    Link: http://lkml.kernel.org/r/20190722125139.1335385-1-arnd@arndb.de
    Link: https://lore.kernel.org/lkml/20190617123109.667090-1-arnd@arndb.de/t/
    Link: https://lore.kernel.org/lkml/20190722091050.2188664-1-arnd@arndb.de/t/
    Fixes: d08965a27e84 ("x86/uaccess, ubsan: Fix UBSAN vs. SMAP")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Matthew Wilcox <willy@infradead.org>
    Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce1cc0d8c23744679b4f016075fb9b50469f208f
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Wed Apr 3 09:40:16 2019 +0200

    x86/uaccess, ubsan: Fix UBSAN vs. SMAP
    
    commit d08965a27e84ca090b504844d50c24fc98587b11 upstream.
    
    UBSAN can insert extra code in random locations; including AC=1
    sections. Typically this code is not safe and needs wrapping.
    
    So far, only __ubsan_handle_type_mismatch* have been observed in AC=1
    sections and therefore only those are annotated.
    
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    [stable backport: only take the lib/Makefile change to resolve gcc-10
     build issues]
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>