commit a834132bd465f9d7f4049be65648e01cf2533cb8
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Aug 19 08:15:08 2020 +0200

    Linux 4.19.140
    
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e4ca0185dc1c18eb998e94c8dfa2757a85f67aa5
Author: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Date:   Thu Aug 13 09:21:09 2020 +0300

    xen/gntdev: Fix dmabuf import with non-zero sgt offset
    
    commit 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b upstream.
    
    It is possible that the scatter-gather table during dmabuf import has
    non-zero offset of the data, but user-space doesn't expect that.
    Fix this by failing the import, so user-space doesn't access wrong data.
    
    Fixes: bf8dc55b1358 ("xen/gntdev: Implement dma-buf import functionality")
    
    Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
    Acked-by: Juergen Gross <jgross@suse.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200813062113.11030-2-andr2000@gmail.com
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0fc9dd00afe7f82ff6692387c6a0088bb2c9f067
Author: Roger Pau Monne <roger.pau@citrix.com>
Date:   Mon Jul 27 11:13:40 2020 +0200

    xen/balloon: make the balloon wait interruptible
    
    commit 88a479ff6ef8af7f07e11593d58befc644244ff7 upstream.
    
    So it can be killed, or else processes can get hung indefinitely
    waiting for balloon pages.
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20200727091342.52325-3-roger.pau@citrix.com
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bbe6145f996edb4490ddde31e981dafb1e922917
Author: Roger Pau Monne <roger.pau@citrix.com>
Date:   Mon Jul 27 11:13:39 2020 +0200

    xen/balloon: fix accounting in alloc_xenballooned_pages error path
    
    commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream.
    
    target_unpopulated is incremented with nr_pages at the start of the
    function, but the call to free_xenballooned_pages will only subtract
    pgno number of pages, and thus the rest need to be subtracted before
    returning or else accounting will be skewed.
    
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20200727091342.52325-2-roger.pau@citrix.com
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8e22f6848fc80c34ce7e7bf2bdbd5c8fb54e2fe4
Author: Jon Derrick <jonathan.derrick@intel.com>
Date:   Tue Jul 21 14:26:09 2020 -0600

    irqdomain/treewide: Free firmware node after domain removal
    
    commit ec0160891e387f4771f953b888b1fe951398e5d9 upstream.
    
    Commit 711419e504eb ("irqdomain: Add the missing assignment of
    domain->fwnode for named fwnode") unintentionally caused a dangling pointer
    page fault issue on firmware nodes that were freed after IRQ domain
    allocation. Commit e3beca48a45b fixed that dangling pointer issue by only
    freeing the firmware node after an IRQ domain allocation failure. That fix
    no longer frees the firmware node immediately, but leaves the firmware node
    allocated after the domain is removed.
    
    The firmware node must be kept around through irq_domain_remove, but should be
    freed it afterwards.
    
    Add the missing free operations after domain removal where where appropriate.
    
    Fixes: e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated")
    Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Acked-by: Bjorn Helgaas <bhelgaas@google.com>   # drivers/pci
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/1595363169-7157-1-git-send-email-jonathan.derrick@intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c0cfb9eb60bd626665bc01a8657a94946c5f0dab
Author: Nathan Huckleberry <nhuck@google.com>
Date:   Fri Jul 10 20:23:37 2020 +0100

    ARM: 8992/1: Fix unwind_frame for clang-built kernels
    
    commit b4d5ec9b39f8b31d98f65bc5577b5d15d93795d7 upstream.
    
    Since clang does not push pc and sp in function prologues, the current
    implementation of unwind_frame does not work. By using the previous
    frame's lr/fp instead of saved pc/sp we get valid unwinds on clang-built
    kernels.
    
    The bounds check on next frame pointer must be changed as well since
    there are 8 less bytes between frames.
    
    This fixes /proc/<pid>/stack.
    
    Link: https://github.com/ClangBuiltLinux/linux/issues/912
    
    Reported-by: Miles Chen <miles.chen@mediatek.com>
    Tested-by: Miles Chen <miles.chen@mediatek.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Nathan Huckleberry <nhuck@google.com>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2310f713e110b66e8ee61636e7d40b4fa9068c97
Author: Sven Schnelle <svens@stackframe.org>
Date:   Tue Aug 11 18:19:19 2020 +0200

    parisc: mask out enable and reserved bits from sba imask
    
    commit 5b24993c21cbf2de11aff077a48c5cb0505a0450 upstream.
    
    When using kexec the SBA IOMMU IBASE might still have the RE
    bit set. This triggers a WARN_ON when trying to write back the
    IBASE register later, and it also makes some mask calculations fail.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Sven Schnelle <svens@stackframe.org>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c46716b16d6db3d51b745c18ea3fb1ff01be108e
Author: John David Anglin <dave.anglin@bell.net>
Date:   Thu Jul 30 08:59:12 2020 -0400

    parisc: Implement __smp_store_release and __smp_load_acquire barriers
    
    commit e96ebd589debd9a6a793608c4ec7019c38785dea upstream.
    
    This patch implements the __smp_store_release and __smp_load_acquire barriers
    using ordered stores and loads.  This avoids the sync instruction present in
    the generic implementation.
    
    Cc: <stable@vger.kernel.org> # 4.14+
    Signed-off-by: Dave Anglin <dave.anglin@bell.net>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f6859ae7cc40ae092dbe2cea7ff5c89c60a433dd
Author: Sivaprakash Murugesan <sivaprak@codeaurora.org>
Date:   Fri Jun 12 13:28:15 2020 +0530

    mtd: rawnand: qcom: avoid write to unavailable register
    
    commit 443440cc4a901af462239d286cd10721aa1c7dfc upstream.
    
    SFLASHC_BURST_CFG is only available on older ipq NAND platforms, this
    register has been removed when the NAND controller got implemented in
    the qpic controller.
    
    Avoid writing this register on devices which are based on qpic NAND
    controller.
    
    Fixes: dce84760b09f ("mtd: nand: qcom: Support for IPQ8074 QPIC NAND controller")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sivaprakash Murugesan <sivaprak@codeaurora.org>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/1591948696-16015-2-git-send-email-sivaprak@codeaurora.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acc8ff07a2117b4b0d02e1f007dd1c66f34a8645
Author: Christian Eggers <ceggers@arri.de>
Date:   Tue Jul 28 12:08:32 2020 +0200

    spi: spidev: Align buffers for DMA
    
    commit aa9e862d7d5bcecd4dca9f39e8b684b93dd84ee7 upstream.
    
    Simply copying all xfers from userspace into one bounce buffer causes
    alignment problems if the SPI controller uses DMA.
    
    Ensure that all transfer data blocks within the rx and tx bounce buffers
    are aligned for DMA (according to ARCH_KMALLOC_MINALIGN).
    
    Alignment may increase the usage of the bounce buffers. In some cases,
    the buffers may need to be increased using the "bufsiz" module
    parameter.
    
    Signed-off-by: Christian Eggers <ceggers@arri.de>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20200728100832.24788-1-ceggers@arri.de
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5de7ab80c866b4e31907109cb1993ac7422e09ae
Author: Romain Naour <romain.naour@gmail.com>
Date:   Fri Aug 14 17:31:57 2020 -0700

    include/asm-generic/vmlinux.lds.h: align ro_after_init
    
    commit 7f897acbe5d57995438c831670b7c400e9c0dc00 upstream.
    
    Since the patch [1], building the kernel using a toolchain built with
    binutils 2.33.1 prevents booting a sh4 system under Qemu.  Apply the patch
    provided by Alan Modra [2] that fix alignment of rodata.
    
    [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ebd2263ba9a9124d93bbc0ece63d7e0fae89b40e
    [2] https://www.sourceware.org/ml/binutils/2019-12/msg00112.html
    
    Signed-off-by: Romain Naour <romain.naour@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Alan Modra <amodra@gmail.com>
    Cc: Bin Meng <bin.meng@windriver.com>
    Cc: Chen Zhou <chenzhou10@huawei.com>
    Cc: Geert Uytterhoeven <geert+renesas@glider.be>
    Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
    Cc: Krzysztof Kozlowski <krzk@kernel.org>
    Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    Cc: Rich Felker <dalias@libc.org>
    Cc: Sam Ravnborg <sam@ravnborg.org>
    Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: <stable@vger.kernel.org>
    Link: https://marc.info/?l=linux-sh&m=158429470221261
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 93a64a8d27e8285144b82897f5f930a8c7d34019
Author: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Date:   Sat Jun 20 17:44:49 2020 +0100

    cpufreq: dt: fix oops on armada37xx
    
    commit 10470dec3decaf5ed3c596f85debd7c42777ae12 upstream.
    
    Commit 0c868627e617e43a295d8 (cpufreq: dt: Allow platform specific
    intermediate callbacks) added two function pointers to the
    struct cpufreq_dt_platform_data. However, armada37xx_cpufreq_driver_init()
    has this struct (pdata) located on the stack and uses only "suspend"
    and "resume" fields. So these newly added "get_intermediate" and
    "target_intermediate" pointers are uninitialized and contain arbitrary
    non-null values, causing all kinds of trouble.
    
    For instance, here is an oops on espressobin after an attempt to change
    the cpefreq governor:
    
    [   29.174554] Unable to handle kernel execute from non-executable memory at virtual address ffff00003f87bdc0
    ...
    [   29.269373] pc : 0xffff00003f87bdc0
    [   29.272957] lr : __cpufreq_driver_target+0x138/0x580
    ...
    
    Fixed by zeroing out pdata before use.
    
    Cc: <stable@vger.kernel.org> # v5.7+
    Signed-off-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5052b997592af482f29c5441b8bc39831015818c
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Wed Aug 5 09:03:56 2020 -0400

    NFS: Don't return layout segments that are in use
    
    commit d474f96104bd4377573526ebae2ee212205a6839 upstream.
    
    If the NFS_LAYOUT_RETURN_REQUESTED flag is set, we want to return the
    layout as soon as possible, meaning that the affected layout segments
    should be marked as invalid, and should no longer be in use for I/O.
    
    Fixes: f0b429819b5f ("pNFS: Ignore non-recalled layouts in pnfs_layout_need_return()")
    Cc: stable@vger.kernel.org # v4.19+
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ceefd5f9a60e25a89f6acd8f00bd4d1ecc229b00
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Tue Aug 4 16:30:30 2020 -0400

    NFS: Don't move layouts to plh_return_segs list while in use
    
    commit ff041727e9e029845857cac41aae118ead5e261b upstream.
    
    If the layout segment is still in use for a read or a write, we should
    not move it to the layout plh_return_segs list. If we do, we can end
    up returning the layout while I/O is still in progress.
    
    Fixes: e0b7d420f72a ("pNFS: Don't discard layout segments that are marked for return")
    Cc: stable@vger.kernel.org # v4.19+
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 10c8a526b2db1fcdf9e2d59d4885377b91939c55
Author: Dave Airlie <airlied@redhat.com>
Date:   Tue Jul 28 14:17:36 2020 +1000

    drm/ttm/nouveau: don't call tt destroy callback on alloc failure.
    
    commit 5de5b6ecf97a021f29403aa272cb4e03318ef586 upstream.
    
    This is confusing, and from my reading of all the drivers only
    nouveau got this right.
    
    Just make the API act under driver control of it's own allocation
    failing, and don't call destroy, if the page table fails to
    create there is nothing to cleanup here.
    
    (I'm willing to believe I've missed something here, so please
    review deeply).
    
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200728041736.20689-1-airlied@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ec41ee06e9e0c9a6dbc2cf420f199fc2a522aec8
Author: Zheng Bin <zhengbin13@huawei.com>
Date:   Mon Jun 15 09:21:53 2020 +0800

    9p: Fix memory leak in v9fs_mount
    
    commit cb0aae0e31c632c407a2cab4307be85a001d4d98 upstream.
    
    v9fs_mount
      v9fs_session_init
        v9fs_cache_session_get_cookie
          v9fs_random_cachetag                     -->alloc cachetag
          v9ses->fscache = fscache_acquire_cookie  -->maybe NULL
      sb = sget                                    -->fail, goto clunk
    clunk_fid:
      v9fs_session_close
        if (v9ses->fscache)                        -->NULL
          kfree(v9ses->cachetag)
    
    Thus memleak happens.
    
    Link: http://lkml.kernel.org/r/20200615012153.89538-1-zhengbin13@huawei.com
    Fixes: 60e78d2c993e ("9p: Add fscache support to 9p")
    Cc: <stable@vger.kernel.org> # v2.6.32+
    Signed-off-by: Zheng Bin <zhengbin13@huawei.com>
    Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d22c224704b720887e3fad683281a2cf97b679ea
Author: Hector Martin <marcan@marcan.st>
Date:   Mon Aug 10 17:25:02 2020 +0900

    ALSA: usb-audio: add quirk for Pioneer DDJ-RB
    
    commit 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 upstream.
    
    This is just another Pioneer device with fixed endpoints. Input is dummy
    but used as feedback (it always returns silence).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Hector Martin <marcan@marcan.st>
    Link: https://lore.kernel.org/r/20200810082502.225979-1-marcan@marcan.st
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Aug 11 18:35:30 2020 -0700

    fs/minix: reject too-large maximum file size
    
    commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.
    
    If the minix filesystem tries to map a very large logical block number to
    its on-disk location, block_to_path() can return offsets that are too
    large, causing out-of-bounds memory accesses when accessing indirect index
    blocks.  This should be prevented by the check against the maximum file
    size, but this doesn't work because the maximum file size is read directly
    from the on-disk superblock and isn't validated itself.
    
    Fix this by validating the maximum file size at mount time.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
    Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
    Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Qiujun Huang <anenbupt@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 169f7f37bd6b0bb91242099cc261219791067d5c
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Aug 11 18:35:27 2020 -0700

    fs/minix: don't allow getting deleted inodes
    
    commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream.
    
    If an inode has no links, we need to mark it bad rather than allowing it
    to be accessed.  This avoids WARNINGs in inc_nlink() and drop_nlink() when
    doing directory operations on a fuzzed filesystem.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com
    Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Qiujun Huang <anenbupt@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/20200628060846.682158-3-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b846b77fba7b62246a6538618498bf13f5c148a7
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Aug 11 18:35:24 2020 -0700

    fs/minix: check return value of sb_getblk()
    
    commit da27e0a0e5f655f0d58d4e153c3182bb2b290f64 upstream.
    
    Patch series "fs/minix: fix syzbot bugs and set s_maxbytes".
    
    This series fixes all syzbot bugs in the minix filesystem:
    
            KASAN: null-ptr-deref Write in get_block
            KASAN: use-after-free Write in get_block
            KASAN: use-after-free Read in get_block
            WARNING in inc_nlink
            KMSAN: uninit-value in get_block
            WARNING in drop_nlink
    
    It also fixes the minix filesystem to set s_maxbytes correctly, so that
    userspace sees the correct behavior when exceeding the max file size.
    
    This patch (of 6):
    
    sb_getblk() can fail, so check its return value.
    
    This fixes a NULL pointer dereference.
    
    Originally from Qiujun Huang.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Qiujun Huang <anenbupt@gmail.com>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/20200628060846.682158-1-ebiggers@kernel.org
    Link: http://lkml.kernel.org/r/20200628060846.682158-2-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2824988a204adf11c1d646a8ef4d192a2d30cff2
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Mon Aug 10 11:21:11 2020 -0700

    bitfield.h: don't compile-time validate _val in FIELD_FIT
    
    commit 444da3f52407d74c9aa12187ac6b01f76ee47d62 upstream.
    
    When ur_load_imm_any() is inlined into jeq_imm(), it's possible for the
    compiler to deduce a case where _val can only have the value of -1 at
    compile time. Specifically,
    
    /* struct bpf_insn: _s32 imm */
    u64 imm = insn->imm; /* sign extend */
    if (imm >> 32) { /* non-zero only if insn->imm is negative */
      /* inlined from ur_load_imm_any */
      u32 __imm = imm >> 32; /* therefore, always 0xffffffff */
      if (__builtin_constant_p(__imm) && __imm > 255)
        compiletime_assert_XXX()
    
    This can result in tripping a BUILD_BUG_ON() in __BF_FIELD_CHECK() that
    checks that a given value is representable in one byte (interpreted as
    unsigned).
    
    FIELD_FIT() should return true or false at runtime for whether a value
    can fit for not. Don't break the build over a value that's too large for
    the mask. We'd prefer to keep the inlining and compiler optimizations
    though we know this case will always return false.
    
    Cc: stable@vger.kernel.org
    Fixes: 1697599ee301a ("bitfield.h: add FIELD_FIT() helper")
    Link: https://lore.kernel.org/kernel-hardening/CAK7LNASvb0UDJ0U5wkYYRzTAdnEs64HjXpEUL7d=V0CXiAXcNw@mail.gmail.com/
    Reported-by: Masahiro Yamada <masahiroy@kernel.org>
    Debugged-by: Sami Tolvanen <samitolvanen@google.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7590efac26aa5f4ed2487f5d8fbfb1ccc7cfacc
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Wed Jun 17 09:48:56 2020 -0400

    crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified
    
    commit 9e27c99104707f083dccd3b4d79762859b5a0614 upstream.
    
    There is this call chain:
    cvm_encrypt -> cvm_enc_dec -> cptvf_do_request -> process_request -> kzalloc
    where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP
    was not specified.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@vger.kernel.org      # v4.11+
    Fixes: c694b233295b ("crypto: cavium - Add the Virtual Function driver for CPT")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aabc11c145177650ec2cd7f6a496aa4c4a77a64f
Author: John Allen <john.allen@amd.com>
Date:   Mon Jun 22 15:24:02 2020 -0500

    crypto: ccp - Fix use of merged scatterlists
    
    commit 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 upstream.
    
    Running the crypto manager self tests with
    CONFIG_CRYPTO_MANAGER_EXTRA_TESTS may result in several types of errors
    when using the ccp-crypto driver:
    
    alg: skcipher: cbc-des3-ccp encryption failed on test vector 0; expected_error=0, actual_error=-5 ...
    
    alg: skcipher: ctr-aes-ccp decryption overran dst buffer on test vector 0 ...
    
    alg: ahash: sha224-ccp test failed (wrong result) on test vector ...
    
    These errors are the result of improper processing of scatterlists mapped
    for DMA.
    
    Given a scatterlist in which entries are merged as part of mapping the
    scatterlist for DMA, the DMA length of a merged entry will reflect the
    combined length of the entries that were merged. The subsequent
    scatterlist entry will contain DMA information for the scatterlist entry
    after the last merged entry, but the non-DMA information will be that of
    the first merged entry.
    
    The ccp driver does not take this scatterlist merging into account. To
    address this, add a second scatterlist pointer to track the current
    position in the DMA mapped representation of the scatterlist. Both the DMA
    representation and the original representation of the scatterlist must be
    tracked as while most of the driver can use just the DMA representation,
    scatterlist_map_and_copy() must use the original representation and
    expects the scatterlist pointer to be accurate to the original
    representation.
    
    In order to properly walk the original scatterlist, the scatterlist must
    be walked until the combined lengths of the entries seen is equal to the
    DMA length of the current entry being processed in the DMA mapped
    representation.
    
    Fixes: 63b945091a070 ("crypto: ccp - CCP device driver and interface support")
    Signed-off-by: John Allen <john.allen@amd.com>
    Cc: stable@vger.kernel.org
    Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef1b91644f50ca4c6aaeb30bcfe188f13c099660
Author: Tom Rix <trix@redhat.com>
Date:   Mon Jul 13 07:06:34 2020 -0700

    crypto: qat - fix double free in qat_uclo_create_batch_init_list
    
    commit c06c76602e03bde24ee69a2022a829127e504202 upstream.
    
    clang static analysis flags this error
    
    qat_uclo.c:297:3: warning: Attempt to free released memory
      [unix.Malloc]
                    kfree(*init_tab_base);
                    ^~~~~~~~~~~~~~~~~~~~~
    
    When input *init_tab_base is null, the function allocates memory for
    the head of the list.  When there is problem allocating other list
    elements the list is unwound and freed.  Then a check is made if the
    list head was allocated and is also freed.
    
    Keeping track of the what may need to be freed is the variable 'tail_old'.
    The unwinding/freeing block is
    
            while (tail_old) {
                    mem_init = tail_old->next;
                    kfree(tail_old);
                    tail_old = mem_init;
            }
    
    The problem is that the first element of tail_old is also what was
    allocated for the list head
    
                    init_header = kzalloc(sizeof(*init_header), GFP_KERNEL);
                    ...
                    *init_tab_base = init_header;
                    flag = 1;
            }
            tail_old = init_header;
    
    So *init_tab_base/init_header are freed twice.
    
    There is another problem.
    When the input *init_tab_base is non null the tail_old is calculated by
    traveling down the list to first non null entry.
    
            tail_old = init_header;
            while (tail_old->next)
                    tail_old = tail_old->next;
    
    When the unwinding free happens, the last entry of the input list will
    be freed.
    
    So the freeing needs a general changed.
    If locally allocated the first element of tail_old is freed, else it
    is skipped.  As a bit of cleanup, reset *init_tab_base if it came in
    as null.
    
    Fixes: b4b7e67c917f ("crypto: qat - Intel(R) QAT ucode part of fw loader")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tom Rix <trix@redhat.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 92d211b1217cc1bffaa1c8a7a968104522ffbcb4
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Wed Jun 17 09:49:52 2020 -0400

    crypto: hisilicon - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified
    
    commit 5ead051780404b5cb22147170acadd1994dc3236 upstream.
    
    There is this call chain:
    sec_alg_skcipher_encrypt -> sec_alg_skcipher_crypto ->
    sec_alg_alloc_and_calc_split_sizes -> kcalloc
    where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP
    was not specified.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@vger.kernel.org      # v4.19+
    Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
    Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3b71aed505934d9fe4d30c07e7a2d55d9b8291b2
Author: Matteo Croce <mcroce@linux.microsoft.com>
Date:   Mon Jul 6 19:37:36 2020 -0700

    pstore: Fix linking when crypto API disabled
    
    commit fd49e03280e596e54edb93a91bc96170f8e97e4a upstream.
    
    When building a kernel with CONFIG_PSTORE=y and CONFIG_CRYPTO not set,
    a build error happens:
    
        ld: fs/pstore/platform.o: in function `pstore_dump':
        platform.c:(.text+0x3f9): undefined reference to `crypto_comp_compress'
        ld: fs/pstore/platform.o: in function `pstore_get_backend_records':
        platform.c:(.text+0x784): undefined reference to `crypto_comp_decompress'
    
    This because some pstore code uses crypto_comp_(de)compress regardless
    of the CONFIG_CRYPTO status. Fix it by wrapping the (de)compress usage
    by IS_ENABLED(CONFIG_PSTORE_COMPRESS)
    
    Signed-off-by: Matteo Croce <mcroce@linux.microsoft.com>
    Link: https://lore.kernel.org/lkml/20200706234045.9516-1-mcroce@linux.microsoft.com
    Fixes: cb3bee0369bc ("pstore: Use crypto compress API")
    Cc: stable@vger.kernel.org
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 820ec1efe430395f6a699fa920c516bf0a70aa1c
Author: Hector Martin <marcan@marcan.st>
Date:   Mon Aug 10 17:24:00 2020 +0900

    ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
    
    commit 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 upstream.
    
    Further investigation of the L-R swap problem on the MS2109 reveals that
    the problem isn't that the channels are swapped, but rather that they
    are swapped and also out of phase by one sample. In other words, the
    issue is actually that the very first frame that comes from the hardware
    is a half-frame containing only the right channel, and after that
    everything becomes offset.
    
    So introduce a new quirk field to drop the very first 2 bytes that come
    in after the format is configured and a capture stream starts. This puts
    the channels in phase and in the correct order.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Hector Martin <marcan@marcan.st>
    Link: https://lore.kernel.org/r/20200810082400.225858-1-marcan@marcan.st
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7f496a7224b1a70a07ed7ed0d5b329980730816e
Author: Hector Martin <marcan@marcan.st>
Date:   Mon Aug 10 13:53:19 2020 +0900

    ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
    
    commit 14a720dc1f5332f3bdf30a23a3bc549e81be974c upstream.
    
    Matching by device matches all interfaces, which breaks the video/HID
    portions of the device depending on module load order.
    
    Fixes: e337bf19f6af ("ALSA: usb-audio: add quirk for MacroSilicon MS2109")
    Cc: stable@vger.kernel.org
    Signed-off-by: Hector Martin <marcan@marcan.st>
    Link: https://lore.kernel.org/r/20200810045319.128745-1-marcan@marcan.st
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce46fc10b1ca91b2c472e0c0b20a88838d9080c0
Author: Mirko Dietrich <buzz@l4m1.de>
Date:   Thu Aug 6 14:48:50 2020 +0200

    ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
    
    commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream.
    
    Adds an entry for Creative USB X-Fi to the rc_config array in
    mixer_quirks.c to allow use of volume knob on the device.
    Adds support for newer X-Fi Pro card, known as "Model No. SB1095"
    with USB ID "041e:3263"
    
    Signed-off-by: Mirko Dietrich <buzz@l4m1.de>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200806124850.20334-1-buzz@l4m1.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit db0d4c7a97d8848f89ebff4074ff9c6d12f8b987
Author: Hui Wang <hui.wang@canonical.com>
Date:   Mon Aug 10 10:16:59 2020 +0800

    ALSA: hda - fix the micmute led status for Lenovo ThinkCentre AIO
    
    commit 386a6539992b82fe9ac4f9dc3f548956fd894d8c upstream.
    
    After installing the Ubuntu Linux, the micmute led status is not
    correct. Users expect that the led is on if the capture is disabled,
    but with the current kernel, the led is off with the capture disabled.
    
    We tried the old linux kernel like linux-4.15, there is no this issue.
    It looks like we introduced this issue when switching to the led_cdev.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Hui Wang <hui.wang@canonical.com>
    Link: https://lore.kernel.org/r/20200810021659.7429-1-hui.wang@canonical.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6614bb86cec4d4e1dac5119199fe622efcdbd738
Author: Brant Merryman <brant.merryman@silabs.com>
Date:   Fri Jun 26 04:22:58 2020 +0000

    USB: serial: cp210x: enable usb generic throttle/unthrottle
    
    commit 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 upstream.
    
    Assign the .throttle and .unthrottle functions to be generic function
    in the driver structure to prevent data loss that can otherwise occur
    if the host does not enable USB throttling.
    
    Signed-off-by: Brant Merryman <brant.merryman@silabs.com>
    Co-developed-by: Phu Luu <phu.luu@silabs.com>
    Signed-off-by: Phu Luu <phu.luu@silabs.com>
    Link: https://lore.kernel.org/r/57401AF3-9961-461F-95E1-F8AFC2105F5E@silabs.com
    [ johan: fix up tags ]
    Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control")
    Cc: stable <stable@vger.kernel.org>     # 2.6.12
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 05c411cafd1c5e01760fb800b5dc6c0445521573
Author: Brant Merryman <brant.merryman@silabs.com>
Date:   Fri Jun 26 04:24:20 2020 +0000

    USB: serial: cp210x: re-enable auto-RTS on open
    
    commit c7614ff9b73a1e6fb2b1b51396da132ed22fecdb upstream.
    
    CP210x hardware disables auto-RTS but leaves auto-CTS when in hardware
    flow control mode and UART on cp210x hardware is disabled. When
    re-opening the port, if auto-CTS is enabled on the cp210x, then auto-RTS
    must be re-enabled in the driver.
    
    Signed-off-by: Brant Merryman <brant.merryman@silabs.com>
    Co-developed-by: Phu Luu <phu.luu@silabs.com>
    Signed-off-by: Phu Luu <phu.luu@silabs.com>
    Link: https://lore.kernel.org/r/ECCF8E73-91F3-4080-BE17-1714BC8818FB@silabs.com
    [ johan: fix up tags and problem description ]
    Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control")
    Cc: stable <stable@vger.kernel.org>     # 2.6.12
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e866a435676b6c6fa546bdc1f6709be6367685e
Author: Tim Froidcoeur <tim.froidcoeur@tessares.net>
Date:   Tue Aug 11 20:33:24 2020 +0200

    net: initialize fastreuse on inet_inherit_port
    
    [ Upstream commit d76f3351cea2d927fdf70dd7c06898235035e84e ]
    
    In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or
    SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind
    behaviour or in the incorrect reuse of a bind.
    
    the kernel keeps track for each bind_bucket if all sockets in the
    bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags.
    These flags allow skipping the costly bind_conflict check when possible
    (meaning when all sockets have the proper SO_REUSE option).
    
    For every socket added to a bind_bucket, these flags need to be updated.
    As soon as a socket that does not support reuse is added, the flag is
    set to false and will never go back to true, unless the bind_bucket is
    deleted.
    
    Note that there is no mechanism to re-evaluate these flags when a socket
    is removed (this might make sense when removing a socket that would not
    allow reuse; this leaves room for a future patch).
    
    For this optimization to work, it is mandatory that these flags are
    properly initialized and updated.
    
    When a child socket is created from a listen socket in
    __inet_inherit_port, the TPROXY case could create a new bind bucket
    without properly initializing these flags, thus preventing the
    optimization to work. Alternatively, a socket not allowing reuse could
    be added to an existing bind bucket without updating the flags, causing
    bind_conflict to never be called as it should.
    
    Call inet_csk_update_fastreuse when __inet_inherit_port decides to create
    a new bind_bucket or use a different bind_bucket than the one of the
    listen socket.
    
    Fixes: 093d282321da ("tproxy: fix hash locking issue when using port redirection in __inet_inherit_port()")
    Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
    Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 42f4480a37d682da5d144488f4c7443fd41d5067
Author: Tim Froidcoeur <tim.froidcoeur@tessares.net>
Date:   Tue Aug 11 20:33:23 2020 +0200

    net: refactor bind_bucket fastreuse into helper
    
    [ Upstream commit 62ffc589abb176821662efc4525ee4ac0b9c3894 ]
    
    Refactor the fastreuse update code in inet_csk_get_port into a small
    helper function that can be called from other places.
    
    Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
    Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bc8ce7de36b00ad3d416a03555cb4f4bdd4519ef
Author: Ira Weiny <ira.weiny@intel.com>
Date:   Mon Aug 10 17:02:58 2020 -0700

    net/tls: Fix kmap usage
    
    [ Upstream commit b06c19d9f827f6743122795570bfc0c72db482b0 ]
    
    When MSG_OOB is specified to tls_device_sendpage() the mapped page is
    never unmapped.
    
    Hold off mapping the page until after the flags are checked and the page
    is actually needed.
    
    Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
    Signed-off-by: Ira Weiny <ira.weiny@intel.com>
    Reviewed-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 520f0e37ba9ea2ca70135d99924652a106f85072
Author: Miaohe Lin <linmiaohe@huawei.com>
Date:   Thu Aug 6 19:53:16 2020 +0800

    net: Set fput_needed iff FDPUT_FPUT is set
    
    [ Upstream commit ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 ]
    
    We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed
    accordingly.
    
    Fixes: 00e188ef6a7e ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light")
    Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b200620cada4eaa63108be32e040ed557a1965fd
Author: Qingyu Li <ieatmuttonchuan@gmail.com>
Date:   Mon Aug 10 09:51:00 2020 +0800

    net/nfc/rawsock.c: add CAP_NET_RAW check.
    
    [ Upstream commit 26896f01467a28651f7a536143fe5ac8449d4041 ]
    
    When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.
    
    Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 597d2df941303316651fc147457bf85aced2f959
Author: Xie He <xie.he.0141@gmail.com>
Date:   Wed Aug 5 18:50:40 2020 -0700

    drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
    
    [ Upstream commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 ]
    
    1. Added a skb->len check
    
    This driver expects upper layers to include a pseudo header of 1 byte
    when passing down a skb for transmission. This driver will read this
    1-byte header. This patch added a skb->len check before reading the
    header to make sure the header exists.
    
    2. Changed to use needed_headroom instead of hard_header_len to request
    necessary headroom to be allocated
    
    In net/packet/af_packet.c, the function packet_snd first reserves a
    headroom of length (dev->hard_header_len + dev->needed_headroom).
    Then if the socket is a SOCK_DGRAM socket, it calls dev_hard_header,
    which calls dev->header_ops->create, to create the link layer header.
    If the socket is a SOCK_RAW socket, it "un-reserves" a headroom of
    length (dev->hard_header_len), and assumes the user to provide the
    appropriate link layer header.
    
    So according to the logic of af_packet.c, dev->hard_header_len should
    be the length of the header that would be created by
    dev->header_ops->create.
    
    However, this driver doesn't provide dev->header_ops, so logically
    dev->hard_header_len should be 0.
    
    So we should use dev->needed_headroom instead of dev->hard_header_len
    to request necessary headroom to be allocated.
    
    This change fixes kernel panic when this driver is used with AF_PACKET
    SOCK_RAW sockets.
    
    Call stack when panic:
    
    [  168.399197] skbuff: skb_under_panic: text:ffffffff819d95fb len:20
    put:14 head:ffff8882704c0a00 data:ffff8882704c09fd tail:0x11 end:0xc0
    dev:veth0
    ...
    [  168.399255] Call Trace:
    [  168.399259]  skb_push.cold+0x14/0x24
    [  168.399262]  eth_header+0x2b/0xc0
    [  168.399267]  lapbeth_data_transmit+0x9a/0xb0 [lapbether]
    [  168.399275]  lapb_data_transmit+0x22/0x2c [lapb]
    [  168.399277]  lapb_transmit_buffer+0x71/0xb0 [lapb]
    [  168.399279]  lapb_kick+0xe3/0x1c0 [lapb]
    [  168.399281]  lapb_data_request+0x76/0xc0 [lapb]
    [  168.399283]  lapbeth_xmit+0x56/0x90 [lapbether]
    [  168.399286]  dev_hard_start_xmit+0x91/0x1f0
    [  168.399289]  ? irq_init_percpu_irqstack+0xc0/0x100
    [  168.399291]  __dev_queue_xmit+0x721/0x8e0
    [  168.399295]  ? packet_parse_headers.isra.0+0xd2/0x110
    [  168.399297]  dev_queue_xmit+0x10/0x20
    [  168.399298]  packet_sendmsg+0xbf0/0x19b0
    ......
    
    Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
    Cc: Martin Schiller <ms@dev.tdt.de>
    Cc: Brian Norris <briannorris@chromium.org>
    Signed-off-by: Xie He <xie.he.0141@gmail.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ff00ef9aac0a8e17f52169c25f70e5c7e88c87c9
Author: John Ogness <john.ogness@linutronix.de>
Date:   Thu Aug 13 21:45:25 2020 +0206

    af_packet: TPACKET_V3: fix fill status rwlock imbalance
    
    [ Upstream commit 88fd1cb80daa20af063bce81e1fad14e945a8dc4 ]
    
    After @blk_fill_in_prog_lock is acquired there is an early out vnet
    situation that can occur. In that case, the rwlock needs to be
    released.
    
    Also, since @blk_fill_in_prog_lock is only acquired when @tp_version
    is exactly TPACKET_V3, only release it on that exact condition as
    well.
    
    And finally, add sparse annotation so that it is clearer that
    prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring
    and releasing @blk_fill_in_prog_lock, respectively. sparse is still
    unable to understand the balance, but the warnings are now on a
    higher level that make more sense.
    
    Fixes: 632ca50f2cbd ("af_packet: TPACKET_V3: replace busy-wait loop")
    Signed-off-by: John Ogness <john.ogness@linutronix.de>
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7ea71a7be5e19b3b08cc263d68852af277ec93cb
Author: Jian Cai <caij2003@gmail.com>
Date:   Mon Jun 22 16:24:33 2020 -0700

    crypto: aesni - add compatibility with IAS
    
    [ Upstream commit 44069737ac9625a0f02f0f7f5ab96aae4cd819bc ]
    
    Clang's integrated assembler complains "invalid reassignment of
    non-absolute variable 'var_ddq_add'" while assembling
    arch/x86/crypto/aes_ctrby8_avx-x86_64.S. It was because var_ddq_add was
    reassigned with non-absolute values several times, which IAS did not
    support. We can avoid the reassignment by replacing the uses of
    var_ddq_add with its definitions accordingly to have compatilibility
    with IAS.
    
    Link: https://github.com/ClangBuiltLinux/linux/issues/1008
    Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
    Reported-by: Fangrui Song <maskray@google.com>
    Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # build+boot Linux v5.7.5; clang v11.0.0-git
    Signed-off-by: Jian Cai <caij2003@gmail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4331212e4a6329470dc480bd15ae5cd20a6f1093
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 14 11:16:17 2020 -0700

    x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
    
    [ Upstream commit 8ab49526b53d3172d1d8dd03a75c7d1f5bd21239 ]
    
    syzbot found its way in 86_fsgsbase_read_task() and triggered this oops:
    
       KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
       CPU: 0 PID: 6866 Comm: syz-executor262 Not tainted 5.8.0-syzkaller #0
       RIP: 0010:x86_fsgsbase_read_task+0x16d/0x310 arch/x86/kernel/process_64.c:393
       Call Trace:
         putreg32+0x3ab/0x530 arch/x86/kernel/ptrace.c:876
         genregs32_set arch/x86/kernel/ptrace.c:1026 [inline]
         genregs32_set+0xa4/0x100 arch/x86/kernel/ptrace.c:1006
         copy_regset_from_user include/linux/regset.h:326 [inline]
         ia32_arch_ptrace arch/x86/kernel/ptrace.c:1061 [inline]
         compat_arch_ptrace+0x36c/0xd90 arch/x86/kernel/ptrace.c:1198
         __do_compat_sys_ptrace kernel/ptrace.c:1420 [inline]
         __se_compat_sys_ptrace kernel/ptrace.c:1389 [inline]
         __ia32_compat_sys_ptrace+0x220/0x2f0 kernel/ptrace.c:1389
         do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
         __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
         do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
         entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
    
    This can happen if ptrace() or sigreturn() pokes an LDT selector into FS
    or GS for a task with no LDT and something tries to read the base before
    a return to usermode notices the bad selector and fixes it.
    
    The fix is to make sure ldt pointer is not NULL.
    
    Fixes: 07e1d88adaae ("x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately")
    Co-developed-by: Jann Horn <jannh@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Acked-by: Andy Lutomirski <luto@kernel.org>
    Cc: Chang S. Bae <chang.seok.bae@intel.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Markus T Metzger <markus.t.metzger@intel.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Ravi Shankar <ravi.v.shankar@intel.com>
    Cc: Rik van Riel <riel@surriel.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fc14f613ca02398a25d9a54ce4f877f9213cd656
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Thu Jun 11 12:44:56 2020 -0400

    svcrdma: Fix page leak in svc_rdma_recv_read_chunk()
    
    [ Upstream commit e814eecbe3bbeaa8b004d25a4b8974d232b765a9 ]
    
    Commit 07d0ff3b0cd2 ("svcrdma: Clean up Read chunk path") moved the
    page saver logic so that it gets executed event when an error occurs.
    In that case, the I/O is never posted, and those pages are then
    leaked. Errors in this path, however, are quite rare.
    
    Fixes: 07d0ff3b0cd2 ("svcrdma: Clean up Read chunk path")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8bf3b460bf2fa14bb3e78b46594d0d52de366da9
Author: Drew Fustini <drew@beagleboard.org>
Date:   Mon Jun 8 14:51:43 2020 +0200

    pinctrl-single: fix pcs_parse_pinconf() return value
    
    [ Upstream commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f ]
    
    This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no
    pinctrl_map is added.  The current behavior is to return 0 when
    !PCS_HAS_PINCONF or !nconfs.  Thus pcs_parse_one_pinctrl_entry()
    incorrectly assumes that a map was added and sets num_maps = 2.
    
    Analysis:
    =========
    The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf()
    if PCS_HAS_PINCONF is enabled.  The function pcs_parse_pinconf()
    returns 0 to indicate there was no error and num_maps is then set to 2:
    
     980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs,
     981                                                 struct device_node *np,
     982                                                 struct pinctrl_map **map,
     983                                                 unsigned *num_maps,
     984                                                 const char **pgnames)
     985 {
    <snip>
    1053         (*map)->type = PIN_MAP_TYPE_MUX_GROUP;
    1054         (*map)->data.mux.group = np->name;
    1055         (*map)->data.mux.function = np->name;
    1056
    1057         if (PCS_HAS_PINCONF && function) {
    1058                 res = pcs_parse_pinconf(pcs, np, function, map);
    1059                 if (res)
    1060                         goto free_pingroups;
    1061                 *num_maps = 2;
    1062         } else {
    1063                 *num_maps = 1;
    1064         }
    
    However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or
    !nconfs.  I believe these conditions should indicate that no map was
    added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry()
    will set num_maps = 2 even though no maps were successfully added, as
    it does not reach "m++" on line 940:
    
     895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
     896                              struct pcs_function *func,
     897                              struct pinctrl_map **map)
     898
     899 {
     900         struct pinctrl_map *m = *map;
    <snip>
     917         /* If pinconf isn't supported, don't parse properties in below. */
     918         if (!PCS_HAS_PINCONF)
     919                 return 0;
     920
     921         /* cacluate how much properties are supported in current node */
     922         for (i = 0; i < ARRAY_SIZE(prop2); i++) {
     923                 if (of_find_property(np, prop2[i].name, NULL))
     924                         nconfs++;
     925         }
     926         for (i = 0; i < ARRAY_SIZE(prop4); i++) {
     927                 if (of_find_property(np, prop4[i].name, NULL))
     928                         nconfs++;
     929         }
     930         if (!nconfs)
     919                 return 0;
     932
     933         func->conf = devm_kcalloc(pcs->dev,
     934                                   nconfs, sizeof(struct pcs_conf_vals),
     935                                   GFP_KERNEL);
     936         if (!func->conf)
     937                 return -ENOMEM;
     938         func->nconfs = nconfs;
     939         conf = &(func->conf[0]);
     940         m++;
    
    This situtation will cause a boot failure [0] on the BeagleBone Black
    (AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi
    has compatible = "pinconf-single" instead of "pinctrl-single".
    
    The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF
    or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no
    map was added.
    
    Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish
    between -ENOSUPP and other errors.  In the case of -ENOSUPP, num_maps
    is set to 1 as it is valid for pinconf to be enabled and a given pin
    group to not any pinconf properties.
    
    [0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/
    
    Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf")
    Signed-off-by: Drew Fustini <drew@beagleboard.org>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fc1ffe508c0ad59291b84a5dc78c5880efeb9e1b
Author: Pavel Machek <pavel@ucw.cz>
Date:   Thu Aug 6 23:18:09 2020 -0700

    ocfs2: fix unbalanced locking
    
    [ Upstream commit 57c720d4144a9c2b88105c3e8f7b0e97e4b5cc93 ]
    
    Based on what fails, function can return with nfs_sync_rwlock either
    locked or unlocked. That can not be right.
    
    Always return with lock unlocked on error.
    
    Fixes: 4cd9973f9ff6 ("ocfs2: avoid inode removal while nfsd is accessing it")
    Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Link: http://lkml.kernel.org/r/20200724124443.GA28164@duo.ucw.cz
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6a2db034f9b3d811b4afd0aaafa54cfec1c4030a
Author: Wang Hai <wanghai38@huawei.com>
Date:   Mon Jun 15 11:25:33 2020 +0800

    dlm: Fix kobject memleak
    
    [ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ]
    
    Currently the error return path from kobject_init_and_add() is not
    followed by a call to kobject_put() - which means we are leaking
    the kobject.
    
    Set do_unreg = 1 before kobject_init_and_add() to ensure that
    kobject_put() can be called in its error patch.
    
    Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Signed-off-by: David Teigland <teigland@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2986dda799e6d7d2becc24ed3db11610a49ad911
Author: Florinel Iordache <florinel.iordache@nxp.com>
Date:   Mon Aug 3 10:07:34 2020 +0300

    fsl/fman: fix eth hash table allocation
    
    [ Upstream commit 3207f715c34317d08e798e11a10ce816feb53c0f ]
    
    Fix memory allocation for ethernet address hash table.
    The code was wrongly allocating an array for eth hash table which
    is incorrect because this is the main structure for eth hash table
    (struct eth_hash_t) that contains inside a number of elements.
    
    Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support")
    Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 623b1bba4cbd8d3551c3d07cb4f541f507d6eff2
Author: Florinel Iordache <florinel.iordache@nxp.com>
Date:   Mon Aug 3 10:07:33 2020 +0300

    fsl/fman: check dereferencing null pointer
    
    [ Upstream commit cc5d229a122106733a85c279d89d7703f21e4d4f ]
    
    Add a safe check to avoid dereferencing null pointer
    
    Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support")
    Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 48320371e70d98f2d6a3d59fcb8aeb864ff784b1
Author: Florinel Iordache <florinel.iordache@nxp.com>
Date:   Mon Aug 3 10:07:32 2020 +0300

    fsl/fman: fix unreachable code
    
    [ Upstream commit cc79fd8f557767de90ff199d3b6fb911df43160a ]
    
    The parameter 'priority' is incorrectly forced to zero which ultimately
    induces logically dead code in the subsequent lines.
    
    Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support")
    Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9d29b75478079474cc94c1d568c847f36b52e659
Author: Florinel Iordache <florinel.iordache@nxp.com>
Date:   Mon Aug 3 10:07:31 2020 +0300

    fsl/fman: fix dereference null return value
    
    [ Upstream commit 0572054617f32670abab4b4e89a876954d54b704 ]
    
    Check before using returned value to avoid dereferencing null pointer.
    
    Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support")
    Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b39993b26c6d78ec74952849310a72aa6a7a2fb7
Author: Florinel Iordache <florinel.iordache@nxp.com>
Date:   Mon Aug 3 10:07:30 2020 +0300

    fsl/fman: use 32-bit unsigned integer
    
    [ Upstream commit 99f47abd9f7bf6e365820d355dc98f6955a562df ]
    
    Potentially overflowing expression (ts_freq << 16 and intgr << 16)
    declared as type u32 (32-bit unsigned) is evaluated using 32-bit
    arithmetic and then used in a context that expects an expression of
    type u64 (64-bit unsigned) which ultimately is used as 16-bit
    unsigned by typecasting to u16. Fixed by using an unsigned 32-bit
    integer since the value is truncated anyway in the end.
    
    Fixes: 414fd46e7762 ("fsl/fman: Add FMan support")
    Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9cd863d4e114de28a1558d12dad9c353af6a2f12
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sun Aug 2 15:53:33 2020 +0200

    net: spider_net: Fix the size used in a 'dma_free_coherent()' call
    
    [ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ]
    
    Update the size used in 'dma_free_coherent()' in order to match the one
    used in the corresponding 'dma_alloc_coherent()', in
    'spider_net_init_chain()'.
    
    Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 78b41e3b0e29ff3aecd9f365c07138e3956247aa
Author: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Date:   Sun Aug 2 19:15:44 2020 +0800

    liquidio: Fix wrong return value in cn23xx_get_pf_num()
    
    [ Upstream commit aa027850a292ea65524b8fab83eb91a124ad362c ]
    
    On an error exit path, a negative error code should be returned
    instead of a positive return value.
    
    Fixes: 0c45d7fe12c7e ("liquidio: fix use of pf in pass-through mode in a virtual machine")
    Cc: Rick Farrington <ricardo.farrington@cavium.com>
    Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 79508a540f7de2e81d4d7dadcded834ede24eeb9
Author: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Date:   Sun Aug 2 19:15:37 2020 +0800

    net: ethernet: aquantia: Fix wrong return value
    
    [ Upstream commit 0470a48880f8bc42ce26962b79c7b802c5a695ec ]
    
    In function hw_atl_a0_hw_multicast_list_set(), when an invalid
    request is encountered, a negative error code should be returned.
    
    Fixes: bab6de8fd180b ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions")
    Cc: David VomLehn <vomlehn@texas.net>
    Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5c928cc547d89150702a82d09fb4ab54f941bed0
Author: Andrii Nakryiko <andriin@fb.com>
Date:   Thu Jul 30 19:42:44 2020 -0700

    tools, build: Propagate build failures from tools/build/Makefile.build
    
    [ Upstream commit a278f3d8191228212c553a5d4303fa603214b717 ]
    
    The '&&' command seems to have a bad effect when $(cmd_$(1)) exits with
    non-zero effect: the command failure is masked (despite `set -e`) and all but
    the first command of $(dep-cmd) is executed (successfully, as they are mostly
    printfs), thus overall returning 0 in the end.
    
    This means in practice that despite compilation errors, tools's build Makefile
    will return success. We see this very reliably with libbpf's Makefile, which
    doesn't get compilation error propagated properly. This in turns causes issues
    with selftests build, as well as bpftool and other projects that rely on
    building libbpf.
    
    The fix is simple: don't use &&. Given `set -e`, we don't need to chain
    commands with &&. The shell will exit on first failure, giving desired
    behavior and propagating error properly.
    
    Fixes: 275e2d95591e ("tools build: Move dependency copy into function")
    Signed-off-by: Andrii Nakryiko <andriin@fb.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Jiri Olsa <jolsa@redhat.com>
    Link: https://lore.kernel.org/bpf/20200731024244.872574-1-andriin@fb.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 89d733f13a9f3797ef893ce6779050bb33aaad12
Author: Wang Hai <wanghai38@huawei.com>
Date:   Thu Jul 30 15:39:39 2020 +0800

    wl1251: fix always return 0 error
    
    [ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ]
    
    wl1251_event_ps_report() should not always return 0 because
    wl1251_ps_set_mode() may fail. Change it to return 'ret'.
    
    Fixes: f7ad1eed4d4b ("wl1251: retry power save entry")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dea13b385f6a2459b05062803ab1ed8a840ac982
Author: Julian Wiedmann <jwi@linux.ibm.com>
Date:   Thu Jul 30 17:01:20 2020 +0200

    s390/qeth: don't process empty bridge port events
    
    [ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ]
    
    Discard events that don't contain any entries. This shouldn't happen,
    but subsequent code relies on being able to use entry 0. So better
    be safe than accessing garbage.
    
    Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control")
    Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
    Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 62b15380d0908b71515be193bb7ae67d2e3afbcb
Author: Jerome Brunet <jbrunet@baylibre.com>
Date:   Wed Jul 29 17:44:53 2020 +0200

    ASoC: meson: axg-tdm-interface: fix link fmt setup
    
    [ Upstream commit 6878ba91ce84f7a07887a0615af70f969508839f ]
    
    The .set_fmt() callback of the axg tdm interface incorrectly
    test the content of SND_SOC_DAIFMT_MASTER_MASK as if it was a
    bitfield, which it is not.
    
    Implement the test correctly.
    
    Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver")
    Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
    Link: https://lore.kernel.org/r/20200729154456.1983396-2-jbrunet@baylibre.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8615b9cacd6cf3dd3521fc080252940b723a0972
Author: Sandipan Das <sandipan@linux.ibm.com>
Date:   Thu Jul 30 10:38:46 2020 +0530

    selftests/powerpc: Fix online CPU selection
    
    [ Upstream commit dfa03fff86027e58c8dba5c03ae68150d4e513ad ]
    
    The size of the CPU affinity mask must be large enough for
    systems with a very large number of CPUs. Otherwise, tests
    which try to determine the first online CPU by calling
    sched_getaffinity() will fail. This makes sure that the size
    of the allocated affinity mask is dependent on the number of
    CPUs as reported by get_nprocs_conf().
    
    Fixes: 3752e453f6ba ("selftests/powerpc: Add tests of PMU EBBs")
    Reported-by: Shirisha Ganta <shiganta@in.ibm.com>
    Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
    Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/a408c4b8e9a23bb39b539417a21eb0ff47bb5127.1596084858.git.sandipan@linux.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 88106a1039032405b738e8da72c4061cb79aa4e1
Author: Hanjun Guo <guohanjun@huawei.com>
Date:   Wed Jul 22 17:44:28 2020 +0800

    PCI: Release IVRS table in AMD ACS quirk
    
    [ Upstream commit 090688fa4e448284aaa16136372397d7d10814db ]
    
    The acpi_get_table() should be coupled with acpi_put_table() if the mapped
    table is not used at runtime to release the table mapping.
    
    In pci_quirk_amd_sb_acs(), IVRS table is just used for checking AMD IOMMU
    is supported, not used at runtime, so put the table after using it.
    
    Fixes: 15b100dfd1c9 ("PCI: Claim ACS support for AMD southbridge devices")
    Link: https://lore.kernel.org/r/1595411068-15440-1-git-send-email-guohanjun@huawei.com
    Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c2a811630880eec62025b9975d5ce09e891f152f
Author: Harish <harish@linux.ibm.com>
Date:   Tue Jun 9 13:44:23 2020 +0530

    selftests/powerpc: Fix CPU affinity for child process
    
    [ Upstream commit 854eb5022be04f81e318765f089f41a57c8e5d83 ]
    
    On systems with large number of cpus, test fails trying to set
    affinity by calling sched_setaffinity() with smaller size for affinity
    mask. This patch fixes it by making sure that the size of allocated
    affinity mask is dependent on the number of CPUs as reported by
    get_nprocs().
    
    Fixes: 00b7ec5c9cf3 ("selftests/powerpc: Import Anton's context_switch2 benchmark")
    Reported-by: Shirisha Ganta <shiganta@in.ibm.com>
    Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
    Signed-off-by: Harish <harish@linux.ibm.com>
    Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
    Reviewed-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20200609081423.529664-1-harish@linux.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fb17074f89eadd865d978547aafe503f1897f350
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Fri Jul 24 23:17:26 2020 +1000

    powerpc/boot: Fix CONFIG_PPC_MPC52XX references
    
    [ Upstream commit e5eff89657e72a9050d95fde146b54c7dc165981 ]
    
    Commit 866bfc75f40e ("powerpc: conditionally compile platform-specific
    serial drivers") made some code depend on CONFIG_PPC_MPC52XX, which
    doesn't exist.
    
    Fix it to use CONFIG_PPC_MPC52xx.
    
    Fixes: 866bfc75f40e ("powerpc: conditionally compile platform-specific serial drivers")
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20200724131728.1643966-7-mpe@ellerman.id.au
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 79a10f5a0021735171488889a9100aacd6f5b68c
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Mon Jul 27 01:34:40 2020 +0200

    net: dsa: rtl8366: Fix VLAN set-up
    
    [ Upstream commit 788abc6d9d278ed6fa1fa94db2098481a04152b7 ]
    
    Alter the rtl8366_vlan_add() to call rtl8366_set_vlan()
    inside the loop that goes over all VIDs since we now
    properly support calling that function more than once.
    Augment the loop to postincrement as this is more
    intuitive.
    
    The loop moved past the last VID but called
    rtl8366_set_vlan() with the port number instead of
    the VID, assuming a 1-to-1 correspondence between
    ports and VIDs. This was also a bug.
    
    Cc: DENG Qingfang <dqfext@gmail.com>
    Cc: Mauri Sandberg <sandberg@mailfence.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f212dc76bac1490c91c25760c146fc7c0f5c3390
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Mon Jul 27 01:34:39 2020 +0200

    net: dsa: rtl8366: Fix VLAN semantics
    
    [ Upstream commit 15ab7906cc9290afb006df1bb1074907fbcc7061 ]
    
    The RTL8366 would not handle adding new members (ports) to
    a VLAN: the code assumed that ->port_vlan_add() was only
    called once for a single port. When intializing the
    switch with .configure_vlan_while_not_filtering set to
    true, the function is called numerous times for adding
    all ports to VLAN1, which was something the code could
    not handle.
    
    Alter rtl8366_set_vlan() to just |= new members and
    untagged flags to 4k and MC VLAN table entries alike.
    This makes it possible to just add new ports to a
    VLAN.
    
    Put in some helpful debug code that can be used to find
    any further bugs here.
    
    Cc: DENG Qingfang <dqfext@gmail.com>
    Cc: Mauri Sandberg <sandberg@mailfence.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d30d21110706a0a197ec4803f5af1fa364e49826
Author: Nicolas Boichat <drinkcat@chromium.org>
Date:   Tue Jul 21 10:37:16 2020 +0800

    Bluetooth: hci_serdev: Only unregister device if it was registered
    
    [ Upstream commit 202798db9570104728dce8bb57dfeed47ce764bc ]
    
    We should not call hci_unregister_dev if the device was not
    successfully registered.
    
    Fixes: c34dc3bfa7642fd ("Bluetooth: hci_serdev: Introduce hci_uart_unregister_device()")
    Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a8acb2bd0c03a9f02806f82032cfc9e976cab5c4
Author: Nicolas Boichat <drinkcat@chromium.org>
Date:   Tue Jul 21 10:37:15 2020 +0800

    Bluetooth: hci_h5: Set HCI_UART_RESET_ON_INIT to correct flags
    
    [ Upstream commit a7ad4b6119d740b1ec5788f1b98be0fd1c1b5a5a ]
    
    HCI_UART_RESET_ON_INIT belongs in hdev_flags, not flags.
    
    Fixes: ce945552fde4a09 ("Bluetooth: hci_h5: Add support for serdev enumerated devices")
    Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6b03a2a347b2ac8e11cf8107f08086d7ec468fc6
Author: Tom Rix <trix@redhat.com>
Date:   Sun Jul 12 12:23:51 2020 -0700

    power: supply: check if calc_soc succeeded in pm860x_init_battery
    
    [ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ]
    
    clang static analysis flags this error
    
    88pm860x_battery.c:522:19: warning: Assigned value is
      garbage or undefined [core.uninitialized.Assign]
                    info->start_soc = soc;
                                    ^ ~~~
    soc is set by calling calc_soc.
    But calc_soc can return without setting soc.
    
    So check the return status and bail similarly to other
    checks in pm860x_init_battery and initialize soc to
    silence the warning.
    
    Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x")
    
    Signed-off-by: Tom Rix <trix@redhat.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit adef6d2d512d140ac2b02776a3f266f60b8827d2
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 23 18:23:05 2020 +0300

    Smack: prevent underflow in smk_set_cipso()
    
    [ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ]
    
    We have an upper bound on "maplevel" but forgot to check for negative
    values.
    
    Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 820defebf4ead19c96ecc36a16dba85f315c0931
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 23 18:22:19 2020 +0300

    Smack: fix another vsscanf out of bounds
    
    [ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ]
    
    This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in
    vsscanf") where we added a bounds check on "rule".
    
    Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com
    Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b6be0b71eaaa2eb71d87d29f2775c74a36d320ad
Author: Li Heng <liheng40@huawei.com>
Date:   Sat Jul 25 10:56:27 2020 +0800

    RDMA/core: Fix return error value in _ib_modify_qp() to negative
    
    [ Upstream commit 47fda651d5af2506deac57d54887cf55ce26e244 ]
    
    The error codes in _ib_modify_qp() are supposed to be negative errno.
    
    Fixes: 7a5c938b9ed0 ("IB/core: Check for rdma_protocol_ib only after validating port_num")
    Link: https://lore.kernel.org/r/1595645787-20375-1-git-send-email-liheng40@huawei.com
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Li Heng <liheng40@huawei.com>
    Reviewed-by: Parav Pandit <parav@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e3e983b327e7f2456c6d72c7942dcbb1a91160af
Author: Kishon Vijay Abraham I <kishon@ti.com>
Date:   Wed Jul 22 16:33:11 2020 +0530

    PCI: cadence: Fix updating Vendor ID and Subsystem Vendor ID register
    
    [ Upstream commit e3bca37d15dca118f2ef1f0a068bb6e07846ea20 ]
    
    Commit 1b79c5284439 ("PCI: cadence: Add host driver for Cadence PCIe
    controller") in order to update Vendor ID, directly wrote to
    PCI_VENDOR_ID register. However PCI_VENDOR_ID in root port configuration
    space is read-only register and writing to it will have no effect.
    Use local management register to configure Vendor ID and Subsystem Vendor
    ID.
    
    Link: https://lore.kernel.org/r/20200722110317.4744-10-kishon@ti.com
    Fixes: 1b79c5284439 ("PCI: cadence: Add host driver for Cadence PCIe controller")
    Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Reviewed-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f5a77bafe02c6c31be5883458b0cbce4c43ea4cd
Author: Chris Packham <chris.packham@alliedtelesis.co.nz>
Date:   Fri Jul 24 11:21:20 2020 +1200

    net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration
    
    [ Upstream commit 0f3c66a3c7b4e8b9f654b3c998e9674376a51b0f ]
    
    The MV88E6097 chip does not support configuring jumbo frames. Prior to
    commit 5f4366660d65 only the 6352, 6351, 6165 and 6320 chips configured
    jumbo mode. The refactor accidentally added the function for the 6097.
    Remove the erroneous function pointer assignment.
    
    Fixes: 5f4366660d65 ("net: dsa: mv88e6xxx: Refactor setting of jumbo frames")
    Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 73add9e317c34d01e6d487256a9975633ecd8e9c
Author: Finn Thain <fthain@telegraphics.com.au>
Date:   Thu Jul 23 09:25:51 2020 +1000

    scsi: mesh: Fix panic after host or bus reset
    
    [ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ]
    
    Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus
    results in EH measures and a panic:
    
    [   25.499838] mesh: configured for synchronous 5 MB/s
    [   25.787154] mesh: performing initial bus reset...
    [   29.867115] scsi host0: MESH
    [   29.929527] mesh: target 0 synchronous at 3.6 MB/s
    [   29.998763] scsi 0:0:0:0: Direct-Access     CONNER   CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS
    [   31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB)
    [   32.070975] sd 0:0:0:0: [sda] Write Protect is off
    [   32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08
    [   32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
    [   32.332708]  sda: [mac] sda1 sda2 sda3
    [   32.417733] sd 0:0:0:0: [sda] Attached SCSI disk
    ... snip ...
    [   76.687067] mesh_abort((ptrval))
    [   76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval)
    [   76.810798]     ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85
    [   76.880720]     dma stat=84e0 cmdptr=1f73d000
    [   76.941387]     phase=4 msgphase=0 conn_tgt=0 data_ptr=24576
    [   77.005567]     dma_st=1 dma_ct=0 n_msgout=0
    [   77.065456]     target 0: req=(ptrval) goes_out=0 saved_ptr=0
    [   77.130512] mesh_abort((ptrval))
    [   77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval)
    [   77.255594]     ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85
    [   77.325778]     dma stat=84e0 cmdptr=1f73d000
    [   77.387239]     phase=4 msgphase=0 conn_tgt=0 data_ptr=24576
    [   77.453665]     dma_st=1 dma_ct=0 n_msgout=0
    [   77.515900]     target 0: req=(ptrval) goes_out=0 saved_ptr=0
    [   77.582902] mesh_host_reset
    [   88.187083] Kernel panic - not syncing: mesh: double DMA start !
    [   88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1
    [   88.323302] Call Trace:
    [   88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable)
    [   88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414
    [   88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70
    [   88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384
    [   88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8
    [   88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178
    [   88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8
    [   88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520
    [   88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8
    [   88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c
    [   89.044112] Rebooting in 180 seconds..
    
    In theory, a panic can happen after a bus or host reset with dma_started
    flag set. Fix this by halting the DMA before reinitializing the host.
    Don't assume that ms->current_req is set when halt_dma() is invoked as it
    may not hold for bus or host reset.
    
    BTW, this particular Conner drive can be made to work by inhibiting
    disconnect/reselect with 'mesh.resel_targets=0'.
    
    Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: Paul Mackerras <paulus@ozlabs.org>
    Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
    Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fa7fd9ba18533e9aa5f718a06de3deb522a4b587
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Thu Jul 16 14:09:48 2020 +0200

    usb: dwc2: Fix error path in gadget registration
    
    [ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ]
    
    When gadget registration fails, one should not call usb_del_gadget_udc().
    Ensure this by setting gadget->udc to NULL. Also in case of a failure
    there is no need to disable low-level hardware, so return immiedetly
    instead of jumping to error_init label.
    
    This fixes the following kernel NULL ptr dereference on gadget failure
    (can be easily triggered with g_mass_storage without any module
    parameters):
    
    dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1
    dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024
    dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM
    Mass Storage Function, version: 2009/09/11
    LUN: removable file: (no medium)
    no file given for LUN0
    g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22
    8<--- cut here ---
    Unable to handle kernel NULL pointer dereference at virtual address 00000104
    pgd = (ptrval)
    [00000104] *pgd=00000000
    Internal error: Oops: 805 [#1] PREEMPT SMP ARM
    Modules linked in:
    CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133
    Hardware name: Samsung Exynos (Flattened Device Tree)
    Workqueue: events deferred_probe_work_func
    PC is at usb_del_gadget_udc+0x38/0xc4
    LR is at __mutex_lock+0x31c/0xb18
    ...
    Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval))
    Stack: (0xef121db0 to 0xef122000)
    ...
    [<c076bf3c>] (usb_del_gadget_udc) from [<c0726bec>] (dwc2_hsotg_remove+0x10/0x20)
    [<c0726bec>] (dwc2_hsotg_remove) from [<c0711208>] (dwc2_driver_probe+0x57c/0x69c)
    [<c0711208>] (dwc2_driver_probe) from [<c06247c0>] (platform_drv_probe+0x6c/0xa4)
    [<c06247c0>] (platform_drv_probe) from [<c0621df4>] (really_probe+0x200/0x48c)
    [<c0621df4>] (really_probe) from [<c06221e8>] (driver_probe_device+0x78/0x1fc)
    [<c06221e8>] (driver_probe_device) from [<c061fcd4>] (bus_for_each_drv+0x74/0xb8)
    [<c061fcd4>] (bus_for_each_drv) from [<c0621b54>] (__device_attach+0xd4/0x16c)
    [<c0621b54>] (__device_attach) from [<c0620c98>] (bus_probe_device+0x88/0x90)
    [<c0620c98>] (bus_probe_device) from [<c06211b0>] (deferred_probe_work_func+0x3c/0xd0)
    [<c06211b0>] (deferred_probe_work_func) from [<c0149280>] (process_one_work+0x234/0x7dc)
    [<c0149280>] (process_one_work) from [<c014986c>] (worker_thread+0x44/0x51c)
    [<c014986c>] (worker_thread) from [<c0150b1c>] (kthread+0x158/0x1a0)
    [<c0150b1c>] (kthread) from [<c0100114>] (ret_from_fork+0x14/0x20)
    Exception stack(0xef121fb0 to 0xef121ff8)
    ...
    ---[ end trace 9724c2fc7cc9c982 ]---
    
    While fixing this also fix the double call to dwc2_lowlevel_hw_disable()
    if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level
    hardware is already disabled before calling usb_add_gadget_udc(). That
    function correctly preserves low-level hardware state, there is no need
    for the second unconditional dwc2_lowlevel_hw_disable() call.
    
    Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver")
    Acked-by: Minas Harutyunyan <hminas@synopsys.com>
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1aadfae64db50bba5d81a9a6724a62ed4a60ddf1
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Tue Jul 21 21:47:18 2020 +0800

    MIPS: OCTEON: add missing put_device() call in dwc3_octeon_device_init()
    
    [ Upstream commit e8b9fc10f2615b9a525fce56981e40b489528355 ]
    
    if of_find_device_by_node() succeed, dwc3_octeon_device_init() doesn't have
    a corresponding put_device(). Thus add put_device() to fix the exception
    handling for this function implementation.
    
    Fixes: 93e502b3c2d4 ("MIPS: OCTEON: Platform support for OCTEON III USB controller")
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e13f98ef31b3c3fd8e4788f312576f9f414314c2
Author: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Date:   Thu Jul 16 11:57:42 2020 -0600

    coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb()
    
    [ Upstream commit d021f5c5ff679432c5e9faee0fd7350db2efb97c ]
    
    Reading TMC mode register without proper coresight power
    management can lead to exceptions like the one in the call
    trace below in tmc_read_unprepare_etb() when the trace data
    is read after the sink is disabled. So fix this by having
    a check for coresight sysfs mode before reading TMC mode
    management register in tmc_read_unprepare_etb() similar to
    tmc_read_prepare_etb().
    
      SError Interrupt on CPU6, code 0xbe000411 -- SError
      pstate: 80400089 (Nzcv daIf +PAN -UAO)
      pc : tmc_read_unprepare_etb+0x74/0x108
      lr : tmc_read_unprepare_etb+0x54/0x108
      sp : ffffff80d9507c30
      x29: ffffff80d9507c30 x28: ffffff80b3569a0c
      x27: 0000000000000000 x26: 00000000000a0001
      x25: ffffff80cbae9550 x24: 0000000000000010
      x23: ffffffd07296b0f0 x22: ffffffd0109ee028
      x21: 0000000000000000 x20: ffffff80d19e70e0
      x19: ffffff80d19e7080 x18: 0000000000000000
      x17: 0000000000000000 x16: 0000000000000000
      x15: 0000000000000000 x14: 0000000000000000
      x13: 0000000000000000 x12: 0000000000000000
      x11: 0000000000000000 x10: dfffffd000000001
      x9 : 0000000000000000 x8 : 0000000000000002
      x7 : ffffffd071d0fe78 x6 : 0000000000000000
      x5 : 0000000000000080 x4 : 0000000000000001
      x3 : ffffffd071d0fe98 x2 : 0000000000000000
      x1 : 0000000000000004 x0 : 0000000000000001
      Kernel panic - not syncing: Asynchronous SError Interrupt
    
    Fixes: 4525412a5046 ("coresight: tmc: making prepare/unprepare functions generic")
    Reported-by: Mike Leach <mike.leach@linaro.org>
    Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
    Tested-by: Mike Leach <mike.leach@linaro.org>
    Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
    Link: https://lore.kernel.org/r/20200716175746.3338735-14-mathieu.poirier@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 34c4882cf00ff81685698336506fcc39f93e72b2
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jun 16 12:19:49 2020 +0300

    thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor()
    
    [ Upstream commit 0f348db01fdf128813fdd659fcc339038fb421a4 ]
    
    This condition is reversed and will cause breakage.
    
    Fixes: 7440f518dad9 ("thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Link: https://lore.kernel.org/r/20200616091949.GA11940@mwanda
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ebb23423609067b714e0e05358b0cf4bbd75d239
Author: Kars Mulder <kerneldev@karsmulder.nl>
Date:   Tue Jul 7 16:43:50 2020 +0200

    usb: core: fix quirks_param_set() writing to a const pointer
    
    [ Upstream commit b1b6bed3b5036509b449b5965285d5057ba42527 ]
    
    The function quirks_param_set() takes as argument a const char* pointer
    to the new value of the usbcore.quirks parameter. It then casts this
    pointer to a non-const char* pointer and passes it to the strsep()
    function, which overwrites the value.
    
    Fix this by creating a copy of the value using kstrdup() and letting
    that copy be written to by strsep().
    
    Fixes: 027bd6cafd9a ("usb: core: Add "quirks" parameter for usbcore")
    Signed-off-by: Kars Mulder <kerneldev@karsmulder.nl>
    
    Link: https://lore.kernel.org/r/5ee2-5f048a00-21-618c5c00@230659773
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ac780c229e0408f587194e307106da2b806071e0
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jul 16 10:50:55 2020 +0200

    USB: serial: iuu_phoenix: fix led-activity helpers
    
    [ Upstream commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c ]
    
    The set-led command is eight bytes long and starts with a command byte
    followed by six bytes of RGB data and ends with a byte encoding a
    frequency (see iuu_led() and iuu_rgbf_fill_buffer()).
    
    The led activity helpers had a few long-standing bugs which corrupted
    the command packets by inserting a second command byte and thereby
    offsetting the RGB data and dropping the frequency in non-xmas mode.
    
    In xmas mode, a related off-by-one error left the frequency field
    uninitialised.
    
    Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver")
    Reported-by: George Spelvin <lkml@sdf.org>
    Link: https://lore.kernel.org/r/20200716085056.31471-1-johan@kernel.org
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 58a42b449d71ad9e46aea134e8a498006bbec274
Author: Marco Felsch <m.felsch@pengutronix.de>
Date:   Thu Jun 11 14:43:32 2020 +0200

    drm/imx: tve: fix regulator_disable error path
    
    [ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ]
    
    Add missing regulator_disable() as devm_action to avoid dedicated
    unbind() callback and fix the missing error handling.
    
    Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)")
    Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
    Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2cb6880f0e8cde9c4ee63dd19d1f3dd19e670829
Author: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Date:   Thu Jul 9 08:59:24 2020 +0530

    powerpc/book3s64/pkeys: Use PVR check instead of cpu feature
    
    [ Upstream commit d79e7a5f26f1d179cbb915a8bf2469b6d7431c29 ]
    
    We are wrongly using CPU_FTRS_POWER8 to check for P8 support. Instead, we should
    use PVR value. Now considering we are using CPU_FTRS_POWER8, that
    implies we returned true for P9 with older firmware. Keep the same behavior
    by checking for P9 PVR value.
    
    Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20200709032946.881753-2-aneesh.kumar@linux.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 35903b8dbbddaca48df46cbb84639aa76c40eac8
Author: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Date:   Fri Jul 17 15:59:25 2020 +0800

    PCI/ASPM: Add missing newline in sysfs 'policy'
    
    [ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ]
    
    When I cat ASPM parameter 'policy' by sysfs, it displays as follows.  Add a
    newline for easy reading.  Other sysfs attributes already include a
    newline.
    
      [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy
      [default] performance powersave powersupersave [root@localhost ~]#
    
    Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support")
    Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com
    Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8b26055ccdc02047e39caa128e65add116b29525
Author: Colin Ian King <colin.king@canonical.com>
Date:   Thu Jul 16 16:47:20 2020 +0100

    staging: rtl8192u: fix a dubious looking mask before a shift
    
    [ Upstream commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 ]
    
    Currently the masking of ret with 0xff and followed by a right shift
    of 8 bits always leaves a zero result.  It appears the mask of 0xff
    is incorrect and should be 0xff00, but I don't have the hardware to
    test this. Fix this to mask the upper 8 bits before shifting.
    
    [ Not tested ]
    
    Addresses-Coverity: ("Operands don't affect result")
    Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Link: https://lore.kernel.org/r/20200716154720.1710252-1-colin.king@canonical.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7573ee6f763e8db3a104ef7dabc5859122e3132c
Author: Mikhail Malygin <m.malygin@yadro.com>
Date:   Thu Jul 16 22:03:41 2020 +0300

    RDMA/rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
    
    [ Upstream commit 5f0b2a6093a4d9aab093964c65083fe801ef1e58 ]
    
    rxe_post_send_kernel() iterates over linked list of wr's, until the
    wr->next ptr is NULL.  However if we've got an interrupt after last wr is
    posted, control may be returned to the code after send completion callback
    is executed and wr memory is freed.
    
    As a result, wr->next pointer may contain incorrect value leading to
    panic. Store the wr->next on the stack before posting it.
    
    Fixes: 8700e3e7c485 ("Soft RoCE driver")
    Link: https://lore.kernel.org/r/20200716190340.23453-1-m.malygin@yadro.com
    Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
    Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3383a99923a14c7b93e108731a4f4a1534b0f0a8
Author: Yuval Basson <ybason@marvell.com>
Date:   Wed Jul 8 22:55:26 2020 +0300

    RDMA/qedr: SRQ's bug fixes
    
    [ Upstream commit acca72e2b031b9fbb4184511072bd246a0abcebc ]
    
    QP's with the same SRQ, working on different CQs and running in parallel
    on different CPUs could lead to a race when maintaining the SRQ consumer
    count, and leads to FW running out of SRQs. Update the consumer
    atomically.  Make sure the wqe_prod is updated after the sge_prod due to
    FW requirements.
    
    Fixes: 3491c9e799fb ("qedr: Add support for kernel mode SRQ's")
    Link: https://lore.kernel.org/r/20200708195526.31040-1-ybason@marvell.com
    Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
    Signed-off-by: Yuval Basson <ybason@marvell.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dbc374d039a159b7e7cc0d68530552c46a0db498
Author: Milton Miller <miltonm@us.ibm.com>
Date:   Thu Jul 16 09:37:04 2020 +1000

    powerpc/vdso: Fix vdso cpu truncation
    
    [ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ]
    
    The code in vdso_cpu_init that exposes the cpu and numa node to
    userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means
    that any kernel running on a box with more than 4096 threads (NR_CPUS
    advertises a limit of of 8192 cpus) would expose userspace to two cpu
    contexts running at the same time with the same cpu number.
    
    Note: I'm not aware of any distro shipping a kernel with support for more
    than 4096 threads today, nor of any system image that currently exceeds
    4096 threads. Found via code browsing.
    
    Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu")
    Signed-off-by: Milton Miller <miltonm@us.ibm.com>
    Signed-off-by: Anton Blanchard <anton@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit daa69a213f038f4dafb4feda19db9d135b5ce308
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Jul 8 14:58:57 2020 +0300

    mwifiex: Prevent memory corruption handling keys
    
    [ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ]
    
    The length of the key comes from the network and it's a 16 bit number.  It
    needs to be capped to prevent a buffer overflow.
    
    Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 96867800fc148f854ec34641c976ff5bcf8c8dd7
Author: John Garry <john.garry@huawei.com>
Date:   Thu Jul 9 20:23:19 2020 +0800

    scsi: scsi_debug: Add check for sdebug_max_queue during module init
    
    [ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ]
    
    sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like
    this can be triggered by passing an out-of-range value:
    
    Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
     pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--)
     pc : schedule_resp+0x2a4/0xa70 [scsi_debug]
     lr : schedule_resp+0x52c/0xa70 [scsi_debug]
     sp : ffff800022ab36f0
     x29: ffff800022ab36f0 x28: ffff0023a935a610
     x27: ffff800008e0a648 x26: 0000000000000003
     x25: ffff0023e84f3200 x24: 00000000003d0900
     x23: 0000000000000000 x22: 0000000000000000
     x21: ffff0023be60a320 x20: ffff0023be60b538
     x19: ffff800008e13000 x18: 0000000000000000
     x17: 0000000000000000 x16: 0000000000000000
     x15: 0000000000000000 x14: 0000000000000000
     x13: 0000000000000000 x12: 0000000000000000
     x11: 0000000000000000 x10: 0000000000000000
     x9 : 0000000000000001 x8 : 0000000000000000
     x7 : 0000000000000000 x6 : 00000000000000c1
     x5 : 0000020000200000 x4 : dead0000000000ff
     x3 : 0000000000000200 x2 : 0000000000000200
     x1 : ffff800008e13d88 x0 : 0000000000000000
     Call trace:
    schedule_resp+0x2a4/0xa70 [scsi_debug]
    scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug]
    scsi_queue_rq+0x698/0x840
    __blk_mq_try_issue_directly+0x108/0x228
    blk_mq_request_issue_directly+0x58/0x98
    blk_mq_try_issue_list_directly+0x5c/0xf0
    blk_mq_sched_insert_requests+0x18c/0x200
    blk_mq_flush_plug_list+0x11c/0x190
    blk_flush_plug_list+0xdc/0x110
    blk_finish_plug+0x38/0x210
    blkdev_direct_IO+0x450/0x4d8
    generic_file_read_iter+0x84/0x180
    blkdev_read_iter+0x3c/0x50
    aio_read+0xc0/0x170
    io_submit_one+0x5c8/0xc98
    __arm64_sys_io_submit+0x1b0/0x258
    el0_svc_common.constprop.3+0x68/0x170
    do_el0_svc+0x24/0x90
    el0_sync_handler+0x13c/0x1a8
    el0_sync+0x158/0x180
     Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340)
    
    In addition, it should not be less than 1.
    
    So add checks for these, and fail the module init for those cases.
    
    [mkp: changed if condition to match error message]
    
    Link: https://lore.kernel.org/r/1594297400-24756-2-git-send-email-john.garry@huawei.com
    Fixes: c483739430f1 ("scsi_debug: add multiple queue support")
    Reviewed-by: Ming Lei <ming.lei@redhat.com>
    Acked-by: Douglas Gilbert <dgilbert@interlog.com>
    Signed-off-by: John Garry <john.garry@huawei.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a135b366c37b942117d19e1bdbb955d81eadb222
Author: Tom Rix <trix@redhat.com>
Date:   Sun Jul 12 08:24:53 2020 -0700

    drm/bridge: sil_sii8620: initialize return of sii8620_readb
    
    [ Upstream commit 02cd2d3144653e6e2a0c7ccaa73311e48e2dc686 ]
    
    clang static analysis flags this error
    
    sil-sii8620.c:184:2: warning: Undefined or garbage value
      returned to caller [core.uninitialized.UndefReturn]
            return ret;
            ^~~~~~~~~~
    
    sii8620_readb calls sii8620_read_buf.
    sii8620_read_buf can return without setting its output
    pararmeter 'ret'.
    
    So initialize ret.
    
    Fixes: ce6e153f414a ("drm/bridge: add Silicon Image SiI8620 driver")
    Signed-off-by: Tom Rix <trix@redhat.com>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
    Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200712152453.27510-1-trix@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 84d2717b22603d86628dbca1d66a3bd55870d857
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Wed Jul 8 15:38:00 2020 +0200

    phy: exynos5-usbdrd: Calibrating makes sense only for USB2.0 PHY
    
    [ Upstream commit dcbabfeb17c3c2fdb6bc92a3031ecd37df1834a8 ]
    
    PHY calibration is needed only for USB2.0 (UTMI) PHY, so skip calling
    calibration code when phy_calibrate() is called for USB3.0 (PIPE3) PHY.
    
    Fixes: d8c80bb3b55b ("phy: exynos5-usbdrd: Calibrate LOS levels for exynos5420/5800")
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
    Link: https://lore.kernel.org/r/20200708133800.3336-1-m.szyprowski@samsung.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f275958ecef38b6c3d034a621a77ee00fa0b2ffb
Author: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Date:   Sun Jul 12 01:53:17 2020 +0300

    drm: panel: simple: Fix bpc for LG LB070WV8 panel
    
    [ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ]
    
    The LG LB070WV8 panel incorrectly reports a 16 bits per component value,
    while the panel uses 8 bits per component. Fix it.
    
    Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel")
    Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
    Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 92887e8b7e81f52fd4155cf3452c7b6af236865e
Author: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date:   Thu Jul 2 13:45:00 2020 +0800

    leds: core: Flush scheduled work for system suspend
    
    [ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ]
    
    Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon
    system suspend.
    
    led_set_brightness_nopm() uses schedule_work() to set LED brightness.
    However, there's no guarantee that the scheduled work gets executed
    because no one flushes the work.
    
    So flush the scheduled work to make sure LED gets turned off.
    
    Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
    Acked-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
    Fixes: 81fe8e5b73e3 ("leds: core: Add led_set_brightness_nosleep{nopm} functions")
    Signed-off-by: Pavel Machek <pavel@ucw.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit adf0cae3ea6c6236a8579a4a9f92da4021b6e293
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Thu Jun 25 18:14:55 2020 -0500

    PCI: Fix pci_cfg_wait queue locking problem
    
    [ Upstream commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb ]
    
    The pci_cfg_wait queue is used to prevent user-space config accesses to
    devices while they are recovering from reset.
    
    Previously we used these operations on pci_cfg_wait:
    
      __add_wait_queue(&pci_cfg_wait, ...)
      __remove_wait_queue(&pci_cfg_wait, ...)
      wake_up_all(&pci_cfg_wait)
    
    The wake_up acquires the wait queue lock, but the add and remove do not.
    
    Originally these were all protected by the pci_lock, but cdcb33f98244
    ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock"), moved
    wake_up_all() outside pci_lock, so it could race with add/remove
    operations, which caused occasional kernel panics, e.g., during vfio-pci
    hotplug/unplug testing:
    
      Unable to handle kernel read from unreadable memory at virtual address ffff802dac469000
    
    Resolve this by using wait_event() instead of __add_wait_queue() and
    __remove_wait_queue().  The wait queue lock is held by both wait_event()
    and wake_up_all(), so it provides mutual exclusion.
    
    Fixes: cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock")
    Link: https://lore.kernel.org/linux-pci/79827f2f-9b43-4411-1376-b9063b67aee3@huawei.com/T/#u
    Based-on: https://lore.kernel.org/linux-pci/20191210031527.40136-1-zhengxiang9@huawei.com/
    Based-on-patch-by: Xiang Zheng <zhengxiang9@huawei.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Tested-by: Xiang Zheng <zhengxiang9@huawei.com>
    Cc: Heyi Guo <guoheyi@huawei.com>
    Cc: Biaoxiang Ye <yebiaoxiang@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 13a8ac537f1d86c3a85f46f701083ce4460d2171
Author: Zhu Yanjun <yanjunz@mellanox.com>
Date:   Tue Jun 30 15:36:05 2020 +0300

    RDMA/rxe: Skip dgid check in loopback mode
    
    [ Upstream commit 5c99274be8864519328aa74bc550ba410095bc1c ]
    
    In the loopback tests, the following call trace occurs.
    
     Call Trace:
      __rxe_do_task+0x1a/0x30 [rdma_rxe]
      rxe_qp_destroy+0x61/0xa0 [rdma_rxe]
      rxe_destroy_qp+0x20/0x60 [rdma_rxe]
      ib_destroy_qp_user+0xcc/0x220 [ib_core]
      uverbs_free_qp+0x3c/0xc0 [ib_uverbs]
      destroy_hw_idr_uobject+0x24/0x70 [ib_uverbs]
      uverbs_destroy_uobject+0x43/0x1b0 [ib_uverbs]
      uobj_destroy+0x41/0x70 [ib_uverbs]
      __uobj_get_destroy+0x39/0x70 [ib_uverbs]
      ib_uverbs_destroy_qp+0x88/0xc0 [ib_uverbs]
      ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xb9/0xf0 [ib_uverbs]
      ib_uverbs_cmd_verbs+0xb16/0xc30 [ib_uverbs]
    
    The root cause is that the actual RDMA connection is not created in the
    loopback tests and the rxe_match_dgid will fail randomly.
    
    To fix this call trace which appear in the loopback tests, skip check of
    the dgid.
    
    Fixes: 8700e3e7c485 ("Soft RoCE driver")
    Link: https://lore.kernel.org/r/20200630123605.446959-1-leon@kernel.org
    Signed-off-by: Zhu Yanjun <yanjunz@mellanox.com>
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4c2c947f4888454a91f04a5df26cf8303453e089
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date:   Mon Jun 29 14:47:18 2020 -0700

    xfs: fix reflink quota reservation accounting error
    
    [ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ]
    
    Quota reservations are supposed to account for the blocks that might be
    allocated due to a bmap btree split.  Reflink doesn't do this, so fix
    this to make the quota accounting more accurate before we start
    rearranging things.
    
    Fixes: 862bb360ef56 ("xfs: reflink extents from one file to another")
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 17979d8c8b2a18e10c309860054bf522c980159e
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date:   Mon Jun 29 14:47:17 2020 -0700

    xfs: don't eat an EIO/ENOSPC writeback error when scrubbing data fork
    
    [ Upstream commit eb0efe5063bb10bcb653e4f8e92a74719c03a347 ]
    
    The data fork scrubber calls filemap_write_and_wait to flush dirty pages
    and delalloc reservations out to disk prior to checking the data fork's
    extent mappings.  Unfortunately, this means that scrub can consume the
    EIO/ENOSPC errors that would otherwise have stayed around in the address
    space until (we hope) the writer application calls fsync to persist data
    and collect errors.  The end result is that programs that wrote to a
    file might never see the error code and proceed as if nothing were
    wrong.
    
    xfs_scrub is not in a position to notify file writers about the
    writeback failure, and it's only here to check metadata, not file
    contents.  Therefore, if writeback fails, we should stuff the error code
    back into the address space so that an fsync by the writer application
    can pick that up.
    
    Fixes: 99d9d8d05da2 ("xfs: scrub inode block mappings")
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Reviewed-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f6ed47df61f3c5dc21fa5b359d99ad01df8f803d
Author: Chuhong Yuan <hslester96@gmail.com>
Date:   Thu May 28 08:41:47 2020 +0200

    media: exynos4-is: Add missed check for pinctrl_lookup_state()
    
    [ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ]
    
    fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state().
    Add the missed check to fix it.
    
    Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]")
    Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6f88a685bdc140fd41491286a5bbe31ca45ac755
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri May 8 16:40:22 2020 +0200

    media: firewire: Using uninitialized values in node_probe()
    
    [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ]
    
    If fw_csr_string() returns -ENOENT, then "name" is uninitialized.  So
    then the "strlen(model_names[i]) <= name_len" is true because strlen()
    is unsigned and -ENOENT is type promoted to a very high positive value.
    Then the "strncmp(name, model_names[i], name_len)" uses uninitialized
    data because "name" is uninitialized.
    
    Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7106f943302247ed9fcde84afdca06cbe9e19dce
Author: Julian Anastasov <ja@ssi.bg>
Date:   Wed Jul 1 18:17:19 2020 +0300

    ipvs: allow connection reuse for unconfirmed conntrack
    
    [ Upstream commit f0a5e4d7a594e0fe237d3dfafb069bb82f80f42f ]
    
    YangYuxi is reporting that connection reuse
    is causing one-second delay when SYN hits
    existing connection in TIME_WAIT state.
    Such delay was added to give time to expire
    both the IPVS connection and the corresponding
    conntrack. This was considered a rare case
    at that time but it is causing problem for
    some environments such as Kubernetes.
    
    As nf_conntrack_tcp_packet() can decide to
    release the conntrack in TIME_WAIT state and
    to replace it with a fresh NEW conntrack, we
    can use this to allow rescheduling just by
    tuning our check: if the conntrack is
    confirmed we can not schedule it to different
    real server and the one-second delay still
    applies but if new conntrack was created,
    we are free to select new real server without
    any delays.
    
    YangYuxi lists some of the problem reports:
    
    - One second connection delay in masquerading mode:
    https://marc.info/?t=151683118100004&r=1&w=2
    
    - IPVS low throughput #70747
    https://github.com/kubernetes/kubernetes/issues/70747
    
    - Apache Bench can fill up ipvs service proxy in seconds #544
    https://github.com/cloudnativelabs/kube-router/issues/544
    
    - Additional 1s latency in `host -> service IP -> pod`
    https://github.com/kubernetes/kubernetes/issues/90854
    
    Fixes: f719e3754ee2 ("ipvs: drop first packet to redirect conntrack")
    Co-developed-by: YangYuxi <yx.atom1@gmail.com>
    Signed-off-by: YangYuxi <yx.atom1@gmail.com>
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Reviewed-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fdac85326f40c7ba6ae2b9e4a2c710f26b708ab8
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Fri Jun 26 06:05:53 2020 +0200

    scsi: eesox: Fix different dev_id between request_irq() and free_irq()
    
    [ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ]
    
    The dev_id used in request_irq() and free_irq() should match. Use 'info' in
    both cases.
    
    Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5afc55c836e980d3dc3f1dda82c195a8d8b27dd3
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Fri Jun 26 05:59:48 2020 +0200

    scsi: powertec: Fix different dev_id between request_irq() and free_irq()
    
    [ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ]
    
    The dev_id used in request_irq() and free_irq() should match. Use 'info' in
    both cases.
    
    Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 50037ae68bbd1d9f2c7daeb823dcb61dfd988a00
Author: Colin Ian King <colin.king@canonical.com>
Date:   Wed Jun 24 13:07:10 2020 +0100

    drm/radeon: fix array out-of-bounds read and write issues
    
    [ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ]
    
    There is an off-by-one bounds check on the index into arrays
    table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that
    can lead to reads and writes outside of arrays. Fix the bound checking
    off-by-one error.
    
    Addresses-Coverity: ("Out-of-bounds read/write")
    Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bf9efd4118d4341cb58582e8ac46525e343c7022
Author: Wang Hai <wanghai38@huawei.com>
Date:   Tue Jun 2 20:07:33 2020 +0800

    cxl: Fix kobject memleak
    
    [ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ]
    
    Currently the error return path from kobject_init_and_add() is not
    followed by a call to kobject_put() - which means we are leaking
    the kobject.
    
    Fix it by adding a call to kobject_put() in the error path of
    kobject_init_and_add().
    
    Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
    Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
    Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1292ad224fa5c6e1e7b1cf2b24eb816685baed05
Author: Emil Velikov <emil.velikov@collabora.com>
Date:   Tue May 5 17:03:29 2020 +0100

    drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline
    
    [ Upstream commit 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 ]
    
    The helper uses the MIPI_DCS_SET_TEAR_SCANLINE, although it's currently
    using the generic write. This does not look right.
    
    Perhaps some platforms don't distinguish between the two writers?
    
    Cc: Robert Chiras <robert.chiras@nxp.com>
    Cc: Vinay Simha BN <simhavcs@gmail.com>
    Cc: Jani Nikula <jani.nikula@intel.com>
    Cc: Thierry Reding <treding@nvidia.com>
    Fixes: e83950816367 ("drm/dsi: Implement set tear scanline")
    Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
    Reviewed-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200505160329.2976059-3-emil.l.velikov@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fdc83318dd5c9de1c8b8fa3950c1f9736b12a767
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Thu Jun 25 22:47:30 2020 +0200

    scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()
    
    [ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ]
    
    The dev_id used in request_irq() and free_irq() should match.  Use 'info'
    in both cases.
    
    Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 18e8f1f6b535656c0f598277981659521486060c
Author: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Date:   Thu Jun 25 14:12:55 2020 -0500

    ASoC: Intel: bxt_rt298: add missing .owner field
    
    [ Upstream commit 88cee34b776f80d2da04afb990c2a28c36799c43 ]
    
    This field is required for ASoC cards. Not setting it will result in a
    module->name pointer being NULL and generate problems such as
    
    cat /proc/asound/modules
     0 (efault)
    
    Fixes: 76016322ec56 ('ASoC: Intel: Add Broxton-P machine driver')
    Reported-by: Jaroslav Kysela <perex@perex.cz>
    Suggested-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
    Link: https://lore.kernel.org/r/20200625191308.3322-5-pierre-louis.bossart@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7af83dfb6e30260f80ca844b070f5e4fd86adaed
Author: Chuhong Yuan <hslester96@gmail.com>
Date:   Wed Jun 3 18:41:22 2020 +0200

    media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()
    
    [ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ]
    
    preview_init_entities() does not call v4l2_ctrl_handler_free() when
    it fails.
    Add the missed function to fix it.
    
    Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer")
    Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 125ec9008e56a201d2d845384872bf05110191d0
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Tue May 5 16:19:17 2020 +0200

    leds: lm355x: avoid enum conversion warning
    
    [ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ]
    
    clang points out that doing arithmetic between diffent enums is usually
    a mistake:
    
    drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion]
                    reg_val = pdata->pin_tx2 | pdata->ntc_pin;
                              ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
    drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion]
                    reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode;
                              ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
    
    In this driver, it is intentional, so add a cast to hide the false-positive
    warning. It appears to be the only instance of this warning at the moment.
    
    Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Pavel Machek <pavel@ucw.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 64918e3f716ec0b13417f4396118183889c80636
Author: Colin Ian King <colin.king@canonical.com>
Date:   Thu Jun 18 11:04:00 2020 +0100

    drm/arm: fix unintentional integer overflow on left shift
    
    [ Upstream commit 5f368ddea6fec519bdb93b5368f6a844b6ea27a6 ]
    
    Shifting the integer value 1 is evaluated using 32-bit arithmetic
    and then used in an expression that expects a long value leads to
    a potential integer overflow. Fix this by using the BIT macro to
    perform the shift to avoid the overflow.
    
    Addresses-Coverity: ("Unintentional integer overflow")
    Fixes: ad49f8602fe8 ("drm/arm: Add support for Mali Display Processors")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Acked-by: Liviu Dudau <liviu.dudau@arm.com>
    Signed-off-by: Liviu Dudau <Liviu.Dudau@arm.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200618100400.11464-1-colin.king@canonical.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0e0d6222a489a15329aad30715d25d7f14cb6638
Author: Lubomir Rintel <lkundrak@v3.sk>
Date:   Tue Jun 16 23:21:24 2020 +0200

    drm/etnaviv: Fix error path on failure to enable bus clk
    
    [ Upstream commit f8794feaf65cdc97767604cf864775d20b97f397 ]
    
    Since commit 65f037e8e908 ("drm/etnaviv: add support for slave interface
    clock") the reg clock is enabled before the bus clock and we need to undo
    its enablement on error.
    
    Fixes: 65f037e8e908 ("drm/etnaviv: add support for slave interface clock")
    Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
    Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8b6e1f79d7ea283c80fb5521747a768ab1f58113
Author: Tomasz Duszynski <tomasz.duszynski@octakon.com>
Date:   Mon Jun 1 18:15:52 2020 +0200

    iio: improve IIO_CONCENTRATION channel type description
    
    [ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ]
    
    IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting
    raw concentrations of pollutants. Raw value should be meaningless
    before being properly scaled. Because of that description shouldn't
    mention raw value unit whatsoever.
    
    Fix this by rephrasing existing description so it follows conventions
    used throughout IIO ABI docs.
    
    Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type")
    Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
    Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 43bd11238da345ad4b09a585ae2a038c6f8b7113
Author: Evan Green <evgreen@chromium.org>
Date:   Thu Jun 4 10:59:11 2020 -0700

    ath10k: Acquire tx_lock in tx error paths
    
    [ Upstream commit a738e766e3ed92c4ee5ec967777276b5ce11dd2c ]
    
    ath10k_htt_tx_free_msdu_id() has a lockdep assertion that htt->tx_lock
    is held. Acquire the lock in a couple of error paths when calling that
    function to ensure this condition is met.
    
    Fixes: 6421969f248fd ("ath10k: refactor tx pending management")
    Fixes: e62ee5c381c59 ("ath10k: Add support for htt_data_tx_desc_64 descriptor")
    Signed-off-by: Evan Green <evgreen@chromium.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200604105901.1.I5b8b0c7ee0d3e51a73248975a9da61401b8f3900@changeid
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 73f971a790e3b975ee894f6f1f51f3eac03981f3
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Wed Apr 29 10:45:05 2020 +0200

    video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call
    
    [ Upstream commit 499a2c41b954518c372873202d5e7714e22010c4 ]
    
    'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()'
    not 'dma_free_wc()'.
    The correct dma_free_ function is already used in the error handling path
    of the probe function.
    
    Fixes: 77e196752bdd ("[ARM] pxafb: allow video memory size to be configurable")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Cc: Sumit Semwal <sumit.semwal@linaro.org>
    Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Viresh Kumar <viresh.kumar@linaro.org>
    Cc: Jani Nikula <jani.nikula@intel.com>
    cc: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Cc: Eric Miao <eric.miao@marvell.com>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200429084505.108897-1-christophe.jaillet@wanadoo.fr
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fd6aeb2e69996b27e3cfc4579e4a28718e2cc99b
Author: Dejin Zheng <zhengdejin5@gmail.com>
Date:   Fri Apr 24 00:42:51 2020 +0800

    console: newport_con: fix an issue about leak related system resources
    
    [ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ]
    
    A call of the function do_take_over_console() can fail here.
    The corresponding system resources were not released then.
    Thus add a call of iounmap() and release_mem_region()
    together with the check of a failure predicate. and also
    add release_mem_region() on device removal.
    
    Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding")
    Suggested-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 573150b10c2e9f4d50aac3a2a9125c1b05b9a4d0
Author: Dejin Zheng <zhengdejin5@gmail.com>
Date:   Thu Apr 23 00:07:19 2020 +0800

    video: fbdev: sm712fb: fix an issue about iounmap for a wrong address
    
    [ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ]
    
    the sfb->fb->screen_base is not save the value get by iounmap() when
    the chip id is 0x720. so iounmap() for address sfb->fb->screen_base
    is not right.
    
    Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev")
    Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
    Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Cc: Teddy Wang <teddy.wang@siliconmotion.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ea01e491c3da0952f6b8bc84f62236a5e431e808
Author: Qiushi Wu <wu000273@umn.edu>
Date:   Fri May 22 09:34:51 2020 +0100

    agp/intel: Fix a memory leak on module initialisation failure
    
    [ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ]
    
    In intel_gtt_setup_scratch_page(), pointer "page" is not released if
    pci_dma_mapping_error() return an error, leading to a memory leak on
    module initialisation failure.  Simply fix this issue by freeing "page"
    before return.
    
    Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page")
    Signed-off-by: Qiushi Wu <wu000273@umn.edu>
    Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dfa9bc1aaf0679e9d81ef80ba3a2390bf44f8a2a
Author: Rob Clark <robdclark@chromium.org>
Date:   Wed Jul 1 13:36:00 2020 -0700

    drm/msm: ratelimit crtc event overflow error
    
    [ Upstream commit 5e16372b5940b1fecc3cc887fc02a50ba148d373 ]
    
    This can happen a lot when things go pear shaped.  Lets not flood dmesg
    when this happens.
    
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Reviewed-by: Abhinav Kumar <abhinavk@codeaurora.org>
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3ca48b8952b4d0aa4aa77770d98901db206ec190
Author: Erik Kaneda <erik.kaneda@intel.com>
Date:   Mon Jul 20 10:31:20 2020 -0700

    ACPICA: Do not increment operation_region reference counts for field units
    
    [ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ]
    
    ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70
    
    Object reference counts are used as a part of ACPICA's garbage
    collection mechanism. This mechanism keeps track of references to
    heap-allocated structures such as the ACPI operand objects.
    
    Recent server firmware has revealed that this reference count can
    overflow on large servers that declare many field units under the
    same operation_region. This occurs because each field unit declaration
    will add a reference count to the source operation_region.
    
    This change solves the reference count overflow for operation_regions
    objects by preventing fieldunits from incrementing their
    operation_region's reference count. Each operation_region's reference
    count will not be changed by named objects declared under the Field
    operator. During namespace deletion, the operation_region namespace
    node will be deleted and each fieldunit will be deleted without
    touching the deleted operation_region object.
    
    Link: https://github.com/acpica/acpica/commit/e17b28cf
    Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
    Signed-off-by: Bob Moore <robert.moore@intel.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8f2cb3d2e3bba8f61360b8144e0988499c540268
Author: Coly Li <colyli@suse.de>
Date:   Sat Jul 25 20:00:26 2020 +0800

    bcache: fix super block seq numbers comparision in register_cache_set()
    
    [ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ]
    
    In register_cache_set(), c is pointer to struct cache_set, and ca is
    pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this
    registering cache has up to date version and other members, the in-
    memory version and other members should be updated to the newer value.
    
    But current implementation makes a cache set only has a single cache
    device, so the above assumption works well except for a special case.
    The execption is when a cache device new created and both ca->sb.seq and
    c->sb.seq are 0, because the super block is never flushed out yet. In
    the location for the following if() check,
    2156         if (ca->sb.seq > c->sb.seq) {
    2157                 c->sb.version           = ca->sb.version;
    2158                 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16);
    2159                 c->sb.flags             = ca->sb.flags;
    2160                 c->sb.seq               = ca->sb.seq;
    2161                 pr_debug("set version = %llu\n", c->sb.version);
    2162         }
    c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0,
    the if() check will fail (because both values are 0), and the cache set
    version, set_uuid, flags and seq won't be updated.
    
    The above problem is hiden for current code, because the bucket size is
    compatible among different super block version. And the next time when
    running cache set again, ca->sb.seq will be larger than 0 and cache set
    super block version will be updated properly.
    
    But if the large bucket feature is enabled,  sb->bucket_size is the low
    16bits of the bucket size. For a power of 2 value, when the actual
    bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then
    read_super_common() will fail because the if() check to
    is_power_of_2(sb->bucket_size) is false. This is how the long time
    hidden bug is triggered.
    
    This patch modifies the if() check to the following way,
    2156         if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) {
    Then cache set's version, set_uuid, flags and seq will always be updated
    corectly including for a new created cache device.
    
    Signed-off-by: Coly Li <colyli@suse.de>
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 26613103374bbf2675c9f02bc087da229c38337b
Author: Jim Cromie <jim.cromie@gmail.com>
Date:   Sun Jul 19 17:10:47 2020 -0600

    dyndbg: fix a BUG_ON in ddebug_describe_flags
    
    [ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ]
    
    ddebug_describe_flags() currently fills a caller provided string buffer,
    after testing its size (also passed) in a BUG_ON.  Fix this by
    replacing them with a known-big-enough string buffer wrapped in a
    struct, and passing that instead.
    
    Also simplify ddebug_describe_flags() flags parameter from a struct to
    a member in that struct, and hoist the member deref up to the caller.
    This makes the function reusable (soon) where flags are unpacked.
    
    Acked-by: <jbaron@akamai.com>
    Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
    Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e1f67b26653c7a47745c6d3c524938a87fd93cdc
Author: Danesh Petigara <danesh.petigara@broadcom.com>
Date:   Wed Jul 22 13:07:45 2020 -0400

    usb: bdc: Halt controller on suspend
    
    [ Upstream commit 5fc453d7de3d0c345812453823a3a56783c5f82c ]
    
    GISB bus error kernel panics have been observed during S2 transition
    tests on the 7271t platform. The errors are a result of the BDC
    interrupt handler trying to access BDC register space after the
    system's suspend callbacks have completed.
    
    Adding a suspend hook to the BDC driver that halts the controller before
    S2 entry thus preventing unwanted access to the BDC register space during
    this transition.
    
    Signed-off-by: Danesh Petigara <danesh.petigara@broadcom.com>
    Signed-off-by: Al Cooper <alcooperx@gmail.com>
    Acked-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 469ea9a2968899d3b1f634731b914fd7a5740efd
Author: Sasi Kumar <sasi.kumar@broadcom.com>
Date:   Wed Jul 22 13:07:42 2020 -0400

    bdc: Fix bug causing crash after multiple disconnects
    
    [ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ]
    
    Multiple connects/disconnects can cause a crash on the second
    disconnect. The driver had a problem where it would try to send
    endpoint commands after it was disconnected which is not allowed
    by the hardware. The fix is to only allow the endpoint commands
    when the endpoint is connected. This will also fix issues that
    showed up when using configfs to create gadgets.
    
    Signed-off-by: Sasi Kumar <sasi.kumar@broadcom.com>
    Signed-off-by: Al Cooper <alcooperx@gmail.com>
    Acked-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fec3ffe702a0a407586fdcccdb4bf3918cf18fb3
Author: Evgeny Novikov <novikov@ispras.ru>
Date:   Tue Jul 21 23:15:58 2020 +0300

    usb: gadget: net2280: fix memory leak on probe error handling paths
    
    [ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ]
    
    Driver does not release memory for device on error handling paths in
    net2280_probe() when gadget_release() is not registered yet.
    
    The patch fixes the bug like in other similar drivers.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e68ee83f8b989c6f6e9009c0ba4eccd99d4d1791
Author: Dmitry Osipenko <digetx@gmail.com>
Date:   Mon Jun 29 06:18:41 2020 +0300

    gpu: host1x: debug: Fix multiple channels emitting messages simultaneously
    
    [ Upstream commit 35681862808472a0a4b9a8817ae2789c0b5b3edc ]
    
    Once channel's job is hung, it dumps the channel's state into KMSG before
    tearing down the offending job. If multiple channels hang at once, then
    they dump messages simultaneously, making the debug info unreadable, and
    thus, useless. This patch adds mutex which allows only one channel to emit
    debug messages at a time.
    
    Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b1b3ee664a04196ca7a9d9c11bd933943915d524
Author: Bolarinwa Olayemi Saheed <refactormyself@gmail.com>
Date:   Mon Jul 13 19:55:27 2020 +0200

    iwlegacy: Check the return value of pcie_capability_read_*()
    
    [ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ]
    
    On failure pcie_capability_read_dword() sets it's last parameter, val
    to 0. However, with Patch 14/14, it is possible that val is set to ~0 on
    failure. This would introduce a bug because (x & x) == (~0 & x).
    
    This bug can be avoided without changing the function's behaviour if the
    return value of pcie_capability_read_dword is checked to confirm success.
    
    Check the return value of pcie_capability_read_dword() to ensure success.
    
    Suggested-by: Bjorn Helgaas <bjorn@helgaas.com>
    Signed-off-by: Bolarinwa Olayemi Saheed <refactormyself@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8cdea53c0c3e2101e44efdc14c8696578b1faccc
Author: Wright Feng <wright.feng@cypress.com>
Date:   Wed Jun 24 04:16:07 2020 -0500

    brcmfmac: set state of hanger slot to FREE when flushing PSQ
    
    [ Upstream commit fcdd7a875def793c38d7369633af3eba6c7cf089 ]
    
    When USB or SDIO device got abnormal bus disconnection, host driver
    tried to clean up the skbs in PSQ and TXQ (The skb's pointer in hanger
    slot linked to PSQ and TSQ), so we should set the state of skb hanger slot
    to BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb.
    In brcmf_fws_bus_txq_cleanup it already sets
    BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb, therefore we add the
    same thing in brcmf_fws_psq_flush to avoid following warning message.
    
       [ 1580.012880] ------------   [ cut here ]------------
       [ 1580.017550] WARNING: CPU: 3 PID: 3065 at
    drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49
    brcmu_pkt_buf_free_skb+0x21/0x30 [brcmutil]
       [ 1580.184017] Call Trace:
       [ 1580.186514]  brcmf_fws_cleanup+0x14e/0x190 [brcmfmac]
       [ 1580.191594]  brcmf_fws_del_interface+0x70/0x90 [brcmfmac]
       [ 1580.197029]  brcmf_proto_bcdc_del_if+0xe/0x10 [brcmfmac]
       [ 1580.202418]  brcmf_remove_interface+0x69/0x190 [brcmfmac]
       [ 1580.207888]  brcmf_detach+0x90/0xe0 [brcmfmac]
       [ 1580.212385]  brcmf_usb_disconnect+0x76/0xb0 [brcmfmac]
       [ 1580.217557]  usb_unbind_interface+0x72/0x260
       [ 1580.221857]  device_release_driver_internal+0x141/0x200
       [ 1580.227152]  device_release_driver+0x12/0x20
       [ 1580.231460]  bus_remove_device+0xfd/0x170
       [ 1580.235504]  device_del+0x1d9/0x300
       [ 1580.239041]  usb_disable_device+0x9e/0x270
       [ 1580.243160]  usb_disconnect+0x94/0x270
       [ 1580.246980]  hub_event+0x76d/0x13b0
       [ 1580.250499]  process_one_work+0x144/0x360
       [ 1580.254564]  worker_thread+0x4d/0x3c0
       [ 1580.258247]  kthread+0x109/0x140
       [ 1580.261515]  ? rescuer_thread+0x340/0x340
       [ 1580.265543]  ? kthread_park+0x60/0x60
       [ 1580.269237]  ? SyS_exit_group+0x14/0x20
       [ 1580.273118]  ret_from_fork+0x25/0x30
       [ 1580.300446] ------------   [ cut here ]------------
    
    Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Wright Feng <wright.feng@cypress.com>
    Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200624091608.25154-2-wright.feng@cypress.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a08c30d9ccf19146f8477feb21b1007acd149357
Author: Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com>
Date:   Thu Jun 4 02:18:35 2020 -0500

    brcmfmac: To fix Bss Info flag definition Bug
    
    [ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ]
    
    Bss info flag definition need to be fixed from 0x2 to 0x4
    This flag is for rssi info received on channel.
    All Firmware branches defined as 0x4 and this is bug in brcmfmac.
    
    Signed-off-by: Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com>
    Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
    Signed-off-by: Wright Feng <wright.feng@cypress.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f76dab806863d50597bc52d5553e10c54eb5f096
Author: Wright Feng <wright.feng@cypress.com>
Date:   Thu Jun 4 02:18:33 2020 -0500

    brcmfmac: keep SDIO watchdog running when console_interval is non-zero
    
    [ Upstream commit eccbf46b15bb3e35d004148f7c3a8fa8e9b26c1e ]
    
    brcmfmac host driver makes SDIO bus sleep and stops SDIO watchdog if no
    pending event or data. As a result, host driver does not poll firmware
    console buffer before buffer overflow, which leads to missing firmware
    logs. We should not stop SDIO watchdog if console_interval is non-zero
    in debug build.
    
    Signed-off-by: Wright Feng <wright.feng@cypress.com>
    Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200604071835.3842-4-wright.feng@cypress.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit abfa9c47ece7c712d3fab494d1771c8f15bba8fa
Author: Paul E. McKenney <paulmck@kernel.org>
Date:   Thu Apr 16 16:46:10 2020 -0700

    mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls
    
    [ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ]
    
    A large process running on a heavily loaded system can encounter the
    following RCU CPU stall warning:
    
      rcu: INFO: rcu_sched self-detected stall on CPU
      rcu:  3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190
            (t=21013 jiffies g=1005461 q=132576)
      NMI backtrace for cpu 3
      CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1
      Hardware name: Wiwynn   HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016
      Call Trace:
       <IRQ>
       dump_stack+0x46/0x60
       nmi_cpu_backtrace.cold.3+0x13/0x50
       ? lapic_can_unplug_cpu.cold.27+0x34/0x34
       nmi_trigger_cpumask_backtrace+0xba/0xca
       rcu_dump_cpu_stacks+0x99/0xc7
       rcu_sched_clock_irq.cold.87+0x1aa/0x397
       ? tick_sched_do_timer+0x60/0x60
       update_process_times+0x28/0x60
       tick_sched_timer+0x37/0x70
       __hrtimer_run_queues+0xfe/0x270
       hrtimer_interrupt+0xf4/0x210
       smp_apic_timer_interrupt+0x5e/0x120
       apic_timer_interrupt+0xf/0x20
       </IRQ>
      RIP: 0010:kmem_cache_free+0x223/0x300
      Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65
      RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
      RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030
      RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18
      RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff
      R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f
      R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00
       ? remove_vma+0x4f/0x60
       remove_vma+0x4f/0x60
       exit_mmap+0xd6/0x160
       mmput+0x4a/0x110
       do_exit+0x278/0xae0
       ? syscall_trace_enter+0x1d3/0x2b0
       ? handle_mm_fault+0xaa/0x1c0
       do_group_exit+0x3a/0xa0
       __x64_sys_exit_group+0x14/0x20
       do_syscall_64+0x42/0x100
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run
    for a very long time given a large process.  This commit therefore adds
    a cond_resched() to this loop, providing RCU any needed quiescent states.
    
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: <linux-mm@kvack.org>
    Reviewed-by: Shakeel Butt <shakeelb@google.com>
    Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1016f98b586dce303561d4e32c1173e1cecd7131
Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Date:   Mon Jun 15 09:44:45 2020 +0200

    irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock
    
    [ Upstream commit 6eeb997ab5075e770a002c51351fa4ec2c6b5c39 ]
    
    This driver may take a regular spinlock when a raw spinlock
    (irq_desc->lock) is already taken which results in the following
    lockdep splat:
    
    =============================
    [ BUG: Invalid wait context ]
    5.7.0-rc7 #1 Not tainted
    -----------------------------
    swapper/0/0 is trying to lock:
    ffffff800303b798 (&chip_data->lock){....}-{3:3}, at: mtk_sysirq_set_type+0x48/0xc0
    other info that might help us debug this:
    context-{5:5}
    2 locks held by swapper/0/0:
     #0: ffffff800302ee68 (&desc->request_mutex){....}-{4:4}, at: __setup_irq+0xc4/0x8a0
     #1: ffffff800302ecf0 (&irq_desc_lock_class){....}-{2:2}, at: __setup_irq+0xe4/0x8a0
    stack backtrace:
    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc7 #1
    Hardware name: Pumpkin MT8516 (DT)
    Call trace:
     dump_backtrace+0x0/0x180
     show_stack+0x14/0x20
     dump_stack+0xd0/0x118
     __lock_acquire+0x8c8/0x2270
     lock_acquire+0xf8/0x470
     _raw_spin_lock_irqsave+0x50/0x78
     mtk_sysirq_set_type+0x48/0xc0
     __irq_set_trigger+0x58/0x170
     __setup_irq+0x420/0x8a0
     request_threaded_irq+0xd8/0x190
     timer_of_init+0x1e8/0x2c4
     mtk_gpt_init+0x5c/0x1dc
     timer_probe+0x74/0xf4
     time_init+0x14/0x44
     start_kernel+0x394/0x4f0
    
    Replace the spinlock_t with raw_spinlock_t to avoid this warning.
    
    Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20200615074445.3579-1-brgl@bgdev.pl
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2b8064de21e82b2d643f55849ab903b8f252ea7f
Author: Christian König <christian.koenig@amd.com>
Date:   Tue May 12 10:55:58 2020 +0200

    drm/radeon: disable AGP by default
    
    [ Upstream commit ba806f98f868ce107aa9c453fef751de9980e4af ]
    
    Always use the PCI GART instead. We just have to many cases
    where AGP still causes problems. This means a performance
    regression for some GPUs, but also a bug fix for some others.
    
    Signed-off-by: Christian König <christian.koenig@amd.com>
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1bed3b87449484134f45f4c263a5e61aa5b9653d
Author: Michael Tretter <m.tretter@pengutronix.de>
Date:   Thu Aug 17 12:43:07 2017 +0200

    drm/debugfs: fix plain echo to connector "force" attribute
    
    [ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ]
    
    Using plain echo to set the "force" connector attribute fails with
    -EINVAL, because echo appends a newline to the output.
    
    Replace strcmp with sysfs_streq to also accept strings that end with a
    newline.
    
    v2: use sysfs_streq instead of stripping trailing whitespace
    
    Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
    Reviewed-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 459863b756436b4f8f6bd806a38d09646e5b51f7
Author: Chunfeng Yun <chunfeng.yun@mediatek.com>
Date:   Mon Jul 27 15:14:59 2020 +0800

    usb: mtu3: clear dual mode of u3port when disable device
    
    [ Upstream commit f1e51e99ed498d4aa9ae5df28e43d558ea627781 ]
    
    If not clear u3port's dual mode when disable device, the IP
    will fail to enter sleep mode when suspend.
    
    Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
    Link: https://lore.kernel.org/r/1595834101-13094-10-git-send-email-chunfeng.yun@mediatek.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit afd847bb56cbf87c5e5b384d7c89d4661b6c3755
Author: Aditya Pakki <pakki001@umn.edu>
Date:   Sat Jun 13 20:41:56 2020 -0500

    drm/nouveau: fix multiple instances of reference count leaks
    
    [ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ]
    
    On calling pm_runtime_get_sync() the reference count of the device
    is incremented. In case of failure, decrement the
    ref count before returning the error.
    
    Signed-off-by: Aditya Pakki <pakki001@umn.edu>
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3d6955baf30486424af0a9ec46afc294d8c7e3b9
Author: Navid Emamdoost <navid.emamdoost@gmail.com>
Date:   Mon Jun 15 01:12:20 2020 -0500

    drm/etnaviv: fix ref count leak via pm_runtime_get_sync
    
    [ Upstream commit c5d5a32ead1e3a61a07a1e59eb52a53e4a6b2a7f ]
    
    in etnaviv_gpu_submit, etnaviv_gpu_recover_hang, etnaviv_gpu_debugfs,
    and etnaviv_gpu_init the call to pm_runtime_get_sync increments the
    counter even in case of failure, leading to incorrect ref count.
    In case of failure, decrement the ref count before returning.
    
    Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
    Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6569387565961965d872bab558f3cf167e818689
Author: Ricardo Cañuelo <ricardo.canuelo@collabora.com>
Date:   Mon Jun 1 08:33:06 2020 +0200

    arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding
    
    [ Upstream commit bbe28fc3cbabbef781bcdf847615d52ce2e26e42 ]
    
    hi3660-hikey960.dts:
      Define a 'ports' node for 'adv7533: adv7533@39' and the
      'adi,dsi-lanes' property to make it compliant with the adi,adv7533 DT
      binding.
    
      This fills the requirements to meet the binding requirements,
      remote endpoints are not defined.
    
    hi6220-hikey.dts:
      Change property name s/pd-gpio/pd-gpios, gpio properties should be
      plural. This is just a cosmetic change.
    
    Signed-off-by: Ricardo Cañuelo <ricardo.canuelo@collabora.com>
    Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0bd6a2313852306374e423e9bb724850e13805ae
Author: Zhao Heming <heming.zhao@suse.com>
Date:   Thu Jul 9 11:29:29 2020 +0800

    md-cluster: fix wild pointer of unlock_all_bitmaps()
    
    [ Upstream commit 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 ]
    
    reproduction steps:
    ```
    node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda
    /dev/sdb
    node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb
    node1 # mdadm -G /dev/md0 -b none
    mdadm: failed to remove clustered bitmap.
    node1 # mdadm -S --scan
    ^C  <==== mdadm hung & kernel crash
    ```
    
    kernel stack:
    ```
    [  335.230657] general protection fault: 0000 [#1] SMP NOPTI
    [...]
    [  335.230848] Call Trace:
    [  335.230873]  ? unlock_all_bitmaps+0x5/0x70 [md_cluster]
    [  335.230886]  unlock_all_bitmaps+0x3d/0x70 [md_cluster]
    [  335.230899]  leave+0x10f/0x190 [md_cluster]
    [  335.230932]  ? md_super_wait+0x93/0xa0 [md_mod]
    [  335.230947]  ? leave+0x5/0x190 [md_cluster]
    [  335.230973]  md_cluster_stop+0x1a/0x30 [md_mod]
    [  335.230999]  md_bitmap_free+0x142/0x150 [md_mod]
    [  335.231013]  ? _cond_resched+0x15/0x40
    [  335.231025]  ? mutex_lock+0xe/0x30
    [  335.231056]  __md_stop+0x1c/0xa0 [md_mod]
    [  335.231083]  do_md_stop+0x160/0x580 [md_mod]
    [  335.231119]  ? 0xffffffffc05fb078
    [  335.231148]  md_ioctl+0xa04/0x1930 [md_mod]
    [  335.231165]  ? filename_lookup+0xf2/0x190
    [  335.231179]  blkdev_ioctl+0x93c/0xa10
    [  335.231205]  ? _cond_resched+0x15/0x40
    [  335.231214]  ? __check_object_size+0xd4/0x1a0
    [  335.231224]  block_ioctl+0x39/0x40
    [  335.231243]  do_vfs_ioctl+0xa0/0x680
    [  335.231253]  ksys_ioctl+0x70/0x80
    [  335.231261]  __x64_sys_ioctl+0x16/0x20
    [  335.231271]  do_syscall_64+0x65/0x1f0
    [  335.231278]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    ```
    
    Signed-off-by: Zhao Heming <heming.zhao@suse.com>
    Signed-off-by: Song Liu <songliubraving@fb.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dc1446923ef058574e1a94523d197fd19170f5ff
Author: Evgeny Novikov <novikov@ispras.ru>
Date:   Tue Jun 30 22:54:51 2020 +0300

    video: fbdev: neofb: fix memory leak in neo_scan_monitor()
    
    [ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ]
    
    neofb_probe() calls neo_scan_monitor() that can successfully allocate a
    memory for info->monspecs.modedb and proceed to case 0x03. There it does
    not free the memory and returns -1. neofb_probe() goes to label
    err_scan_monitor, thus, it does not free this memory through calling
    fb_destroy_modedb() as well. We can not go to label err_init_hw since
    neo_scan_monitor() can fail during memory allocation. So, the patch frees
    the memory directly for case 0x03.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
    Cc: Jani Nikula <jani.nikula@intel.com>
    Cc: Mike Rapoport <rppt@linux.ibm.com>
    Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 98d7ab74d3346aebc3c14e012023267af4b4edda
Author: Sedat Dilek <sedat.dilek@gmail.com>
Date:   Fri Jul 3 16:32:06 2020 +0200

    crypto: aesni - Fix build with LLVM_IAS=1
    
    [ Upstream commit 3347c8a079d67af21760a78cc5f2abbcf06d9571 ]
    
    When building with LLVM_IAS=1 means using Clang's Integrated Assembly (IAS)
    from LLVM/Clang >= v10.0.1-rc1+ instead of GNU/as from GNU/binutils
    I see the following breakage in Debian/testing AMD64:
    
    <instantiation>:15:74: error: too many positional arguments
     PRECOMPUTE 8*3+8(%rsp), %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
                                                                             ^
     arch/x86/crypto/aesni-intel_asm.S:1598:2: note: while in macro instantiation
     GCM_INIT %r9, 8*3 +8(%rsp), 8*3 +16(%rsp), 8*3 +24(%rsp)
     ^
    <instantiation>:47:2: error: unknown use of instruction mnemonic without a size suffix
     GHASH_4_ENCRYPT_4_PARALLEL_dec %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, enc
     ^
    arch/x86/crypto/aesni-intel_asm.S:1599:2: note: while in macro instantiation
     GCM_ENC_DEC dec
     ^
    <instantiation>:15:74: error: too many positional arguments
     PRECOMPUTE 8*3+8(%rsp), %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
                                                                             ^
    arch/x86/crypto/aesni-intel_asm.S:1686:2: note: while in macro instantiation
     GCM_INIT %r9, 8*3 +8(%rsp), 8*3 +16(%rsp), 8*3 +24(%rsp)
     ^
    <instantiation>:47:2: error: unknown use of instruction mnemonic without a size suffix
     GHASH_4_ENCRYPT_4_PARALLEL_enc %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, enc
     ^
    arch/x86/crypto/aesni-intel_asm.S:1687:2: note: while in macro instantiation
     GCM_ENC_DEC enc
    
    Craig Topper suggested me in ClangBuiltLinux issue #1050:
    
    > I think the "too many positional arguments" is because the parser isn't able
    > to handle the trailing commas.
    >
    > The "unknown use of instruction mnemonic" is because the macro was named
    > GHASH_4_ENCRYPT_4_PARALLEL_DEC but its being instantiated with
    > GHASH_4_ENCRYPT_4_PARALLEL_dec I guess gas ignores case on the
    > macro instantiation, but llvm doesn't.
    
    First, I removed the trailing comma in the PRECOMPUTE line.
    
    Second, I substituted:
    1. GHASH_4_ENCRYPT_4_PARALLEL_DEC -> GHASH_4_ENCRYPT_4_PARALLEL_dec
    2. GHASH_4_ENCRYPT_4_PARALLEL_ENC -> GHASH_4_ENCRYPT_4_PARALLEL_enc
    
    With these changes I was able to build with LLVM_IAS=1 and boot on bare metal.
    
    I confirmed that this works with Linux-kernel v5.7.5 final.
    
    NOTE: This patch is on top of Linux v5.7 final.
    
    Thanks to Craig and especially Nick for double-checking and his comments.
    
    Suggested-by: Craig Topper <craig.topper@intel.com>
    Suggested-by: Craig Topper <craig.topper@gmail.com>
    Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Cc: "ClangBuiltLinux" <clang-built-linux@googlegroups.com>
    Link: https://github.com/ClangBuiltLinux/linux/issues/1050
    Link: https://bugs.llvm.org/show_bug.cgi?id=24494
    Signed-off-by: Sedat Dilek <sedat.dilek@gmail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4a4776ef5b229f95848b774c46ce555405ff2d46
Author: Aditya Pakki <pakki001@umn.edu>
Date:   Sat Jun 13 21:21:22 2020 -0500

    drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
    
    [ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ]
    
    On calling pm_runtime_get_sync() the reference count of the device
    is incremented. In case of failure, decrement the
    reference count before returning the error.
    
    Acked-by: Evan Quan <evan.quan@amd.com>
    Signed-off-by: Aditya Pakki <pakki001@umn.edu>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 59d2736af398b7cc96f8ce69f91e1403676eaa87
Author: Jack Xiao <Jack.Xiao@amd.com>
Date:   Wed Jun 5 16:30:13 2019 +0800

    drm/amdgpu: avoid dereferencing a NULL pointer
    
    [ Upstream commit 55611b507fd6453d26030c0c0619fdf0c262766d ]
    
    Check if irq_src is NULL to avoid dereferencing a NULL pointer,
    for MES ring is uneccessary to recieve an interrupt notification.
    
    Signed-off-by: Jack Xiao <Jack.Xiao@amd.com>
    Acked-by: Alex Deucher <alexander.deucher@amd.com>
    Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5e5bcbb1083555fa631f1cc9dd0ae23fffd12c30
Author: Paul E. McKenney <paulmck@kernel.org>
Date:   Fri May 8 14:15:37 2020 -0700

    fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
    
    [ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ]
    
    Very large I/Os can cause the following RCU CPU stall warning:
    
    RIP: 0010:rb_prev+0x8/0x50
    Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c =
    89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48
    RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13
    RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0
    RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630
    RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238
    R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001
    R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0
     __lookup_extent_mapping+0xa0/0x110
     try_release_extent_mapping+0xdc/0x220
     btrfs_releasepage+0x45/0x70
     shrink_page_list+0xa39/0xb30
     shrink_inactive_list+0x18f/0x3b0
     shrink_lruvec+0x38e/0x6b0
     shrink_node+0x14d/0x690
     do_try_to_free_pages+0xc6/0x3e0
     try_to_free_mem_cgroup_pages+0xe6/0x1e0
     reclaim_high.constprop.73+0x87/0xc0
     mem_cgroup_handle_over_high+0x66/0x150
     exit_to_usermode_loop+0x82/0xd0
     do_syscall_64+0xd4/0x100
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    On a PREEMPT=n kernel, the try_release_extent_mapping() function's
    "while" loop might run for a very long time on a large I/O.  This commit
    therefore adds a cond_resched() to this loop, providing RCU any needed
    quiescent states.
    
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f73b59725d73ad239a5670e85b8765ec23099f0d
Author: Luis Chamberlain <mcgrof@kernel.org>
Date:   Fri Jun 19 20:47:27 2020 +0000

    loop: be paranoid on exit and prevent new additions / removals
    
    [ Upstream commit 200f93377220504c5e56754823e7adfea6037f1a ]
    
    Be pedantic on removal as well and hold the mutex.
    This should prevent uses of addition while we exit.
    
    Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
    Reviewed-by: Ming Lei <ming.lei@redhat.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 29e1dfcd5150097f32f34891c85a50d9ead19df3
Author: Lihong Kou <koulihong@huawei.com>
Date:   Tue Jun 23 20:28:41 2020 +0800

    Bluetooth: add a mutex lock to avoid UAF in do_enale_set
    
    [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]
    
    In the case we set or free the global value listen_chan in
    different threads, we can encounter the UAF problems because
    the method is not protected by any lock, add one to avoid
    this bug.
    
    BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
    net/bluetooth/l2cap_core.c:730
    Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868
    
    CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine,
    BIOS Google 01/01/2011
    Workqueue: events do_enable_set
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1fb/0x318 lib/dump_stack.c:118
     print_address_description+0x74/0x5c0 mm/kasan/report.c:374
     __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
     kasan_report+0x26/0x50 mm/kasan/common.c:641
     __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
     l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
     do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
    
    Allocated by task 2870:
     save_stack mm/kasan/common.c:72 [inline]
     set_track mm/kasan/common.c:80 [inline]
     __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
     kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
     kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
     kmalloc include/linux/slab.h:555 [inline]
     kzalloc include/linux/slab.h:669 [inline]
     l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
     chan_create net/bluetooth/6lowpan.c:640 [inline]
     bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
     do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
    
    Freed by task 2870:
     save_stack mm/kasan/common.c:72 [inline]
     set_track mm/kasan/common.c:80 [inline]
     kasan_set_free_info mm/kasan/common.c:337 [inline]
     __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
     kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
     __cache_free mm/slab.c:3426 [inline]
     kfree+0x10d/0x220 mm/slab.c:3757
     l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
     kref_put include/linux/kref.h:65 [inline]
     l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
     do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
    
    The buggy address belongs to the object at ffff888096950000
     which belongs to the cache kmalloc-2k of size 2048
    The buggy address is located 0 bytes inside of
     2048-byte region [ffff888096950000, ffff888096950800)
    The buggy address belongs to the page:
    page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
    flags: 0xfffe0000000200(slab)
    raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
    raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
     ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    
    Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
    Signed-off-by: Lihong Kou <koulihong@huawei.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fe104ad82e51fc70636f060a6d805be75ce47004
Author: Maulik Shah <mkshah@codeaurora.org>
Date:   Mon Jun 22 12:23:25 2020 +0530

    soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag
    
    [ Upstream commit 1a53ce9ab4faeb841b33d62d23283dc76c0e7c5a ]
    
    rpmh-rsc driver is fairly core to system and should not be removable
    once its probed. However it allows to unbind driver from sysfs using
    below command which results into a crash on sc7180.
    
    echo 18200000.rsc > /sys/bus/platform/drivers/rpmh/unbind
    
    Lets prevent unbind at runtime by setting suppress_bind_attrs flag.
    
    Reviewed-by: Stephen Boyd <swboyd@chromium.org>
    Signed-off-by: Maulik Shah <mkshah@codeaurora.org>
    Link: https://lore.kernel.org/r/1592808805-2437-1-git-send-email-mkshah@codeaurora.org
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1e3a04cb7f4efcdb2afe594217bb1a4ecebdd224
Author: Tomi Valkeinen <tomi.valkeinen@ti.com>
Date:   Wed Apr 29 13:42:32 2020 +0300

    drm/tilcdc: fix leak & null ref in panel_connector_get_modes
    
    [ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ]
    
    If videomode_from_timings() returns true, the mode allocated with
    drm_mode_create will be leaked.
    
    Also, the return value of drm_mode_create() is never checked, and thus
    could cause NULL deref.
    
    Fix these two issues.
    
    Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com
    Reviewed-by: Jyri Sarha <jsarha@ti.com>
    Acked-by: Sam Ravnborg <sam@ravnborg.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c4579cda1929584ae50c20e673c1991068397739
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Tue Jul 21 21:45:51 2020 +0800

    ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()
    
    [ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ]
    
    if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh
    doesn't have a corresponding put_device(). Thus add a jump target to
    fix the exception handling for this function implementation.
    
    Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram")
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3fcd97daf6e4606d9bc36fb420bcebcf9b38df49
Author: Dilip Kota <eswara.kota@linux.intel.com>
Date:   Fri Jul 17 14:27:50 2020 +0800

    spi: lantiq: fix: Rx overflow error in full duplex mode
    
    [ Upstream commit 661ccf2b3f1360be50242726f7c26ced6a9e7d52 ]
    
    In full duplex mode, rx overflow error is observed. To overcome the error,
    wait until the complete data got received and proceed further.
    
    Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller")
    Signed-off-by: Dilip Kota <eswara.kota@linux.intel.com>
    Link: https://lore.kernel.org/r/efb650b0faa49a00788c4e0ca8ef7196bdba851d.1594957019.git.eswara.kota@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bcaf2719dba43f7ccbcc126c56f05111058eef52
Author: yu kuai <yukuai3@huawei.com>
Date:   Thu Jun 4 20:33:01 2020 +0800

    ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
    
    [ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ]
    
    if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have
    a corresponding put_device(). Thus add a jump target to fix the exception
    handling for this function implementation.
    
    Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM")
    Signed-off-by: yu kuai <yukuai3@huawei.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 12b7ce2cb93e99f02e92cd33d79b231e04052f05
Author: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Date:   Mon Jul 13 13:10:16 2020 +0200

    ARM: dts: gose: Fix ports node name for adv7612
    
    [ Upstream commit 59692ac5a7bb8c97ff440fc8917828083fbc38d6 ]
    
    When adding the adv7612 device node the ports node was misspelled as
    port, fix this.
    
    Fixes: bc63cd87f3ce924f ("ARM: dts: gose: add HDMI input")
    Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
    Link: https://lore.kernel.org/r/20200713111016.523189-1-niklas.soderlund+renesas@ragnatech.se
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 55da218df6a861b3c4bec184dfaea191af8b5dea
Author: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Date:   Sat Jul 4 17:58:55 2020 +0200

    ARM: dts: gose: Fix ports node name for adv7180
    
    [ Upstream commit d344234abde938ae1062edb6c05852b0bafb4a03 ]
    
    When adding the adv7180 device node the ports node was misspelled as
    port, fix this.
    
    Fixes: 8cae359049a88b75 ("ARM: dts: gose: add composite video input")
    Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
    Link: https://lore.kernel.org/r/20200704155856.3037010-2-niklas.soderlund+renesas@ragnatech.se
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 473a0cdc8529ee271758b770c477418f0fe430c8
Author: Lu Wei <luwei32@huawei.com>
Date:   Fri Jul 10 17:30:18 2020 +0800

    platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()
    
    [ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ]
    
    In the function check_acpi_dev(), if it fails to create
    platform device, the return value is ERR_PTR() or NULL.
    Thus it must use IS_ERR_OR_NULL() to check return value.
    
    Fixes: 332e081225fc ("intel-vbtn: new driver for Intel Virtual Button")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Lu Wei <luwei32@huawei.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d5c4d84c95198da37445918013abd9d6bf9a0e02
Author: Lu Wei <luwei32@huawei.com>
Date:   Fri Jul 10 17:30:17 2020 +0800

    platform/x86: intel-hid: Fix return value check in check_acpi_dev()
    
    [ Upstream commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 ]
    
    In the function check_acpi_dev(), if it fails to create
    platform device, the return value is ERR_PTR() or NULL.
    Thus it must use IS_ERR_OR_NULL() to check return value.
    
    Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Lu Wei <luwei32@huawei.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c0603524c0985073818117fee7403aa14486fec8
Author: Finn Thain <fthain@telegraphics.com.au>
Date:   Sun May 31 09:12:13 2020 +1000

    m68k: mac: Fix IOP status/control register writes
    
    [ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ]
    
    When writing values to the IOP status/control register make sure those
    values do not have any extraneous bits that will clear interrupt flags.
    
    To place the SCC IOP into bypass mode would be desirable but this is not
    achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS
    to the control register. Drop this ineffective register write.
    
    Remove the flawed and unused iop_bypass() function. Make use of the
    unused iop_stop() function.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
    Tested-by: Stan Johnson <userm57@yahoo.com>
    Cc: Joshua Thompson <funaho@jurai.org>
    Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 63e0ea8e26692a64bed3fc8049ef9d36c9a3ad74
Author: Finn Thain <fthain@telegraphics.com.au>
Date:   Sun May 31 09:12:13 2020 +1000

    m68k: mac: Don't send IOP message until channel is idle
    
    [ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ]
    
    In the following sequence of calls, iop_do_send() gets called when the
    "send" channel is not in the IOP_MSG_IDLE state:
    
            iop_ism_irq()
                    iop_handle_send()
                            (msg->handler)()
                                    iop_send_message()
                            iop_do_send()
    
    Avoid this by testing the channel state before calling iop_do_send().
    
    When sending, and iop_send_queue is empty, call iop_do_send() because
    the channel is idle. If iop_send_queue is not empty, iop_do_send() will
    get called later by iop_handle_send().
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
    Tested-by: Stan Johnson <userm57@yahoo.com>
    Cc: Joshua Thompson <funaho@jurai.org>
    Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a9b01fdb9afc6e9886dcf2347f34f08fe63bc8ea
Author: Sudeep Holla <sudeep.holla@arm.com>
Date:   Thu Jul 9 09:17:05 2020 +0100

    clk: scmi: Fix min and max rate when registering clocks with discrete rates
    
    [ Upstream commit fcd2e0deae50bce48450f14c8fc5611b08d7438c ]
    
    Currently we are not initializing the scmi clock with discrete rates
    correctly. We fetch the min_rate and max_rate value only for clocks with
    ranges and ignore the ones with discrete rates. This will lead to wrong
    initialization of rate range when clock supports discrete rate.
    
    Fix this by using the first and the last rate in the sorted list of the
    discrete clock rates while registering the clock.
    
    Link: https://lore.kernel.org/r/20200709081705.46084-2-sudeep.holla@arm.com
    Fixes: 6d6a1d82eaef7 ("clk: add support for clocks provided by SCMI")
    Reviewed-by: Stephen Boyd <sboyd@kernel.org>
    Reported-and-tested-by: Dien Pham <dien.pham.ry@renesas.com>
    Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 605614ea4349f2c83c20060628d2d8bfb4c8ede2
Author: Alim Akhtar <alim.akhtar@samsung.com>
Date:   Sun Jul 5 12:39:17 2020 +0530

    arm64: dts: exynos: Fix silent hang after boot on Espresso
    
    [ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ]
    
    Once regulators are disabled after kernel boot, on Espresso board silent
    hang observed because of LDO7 being disabled.  LDO7 actually provide
    power to CPU cores and non-cpu blocks circuitries.  Keep this regulator
    always-on to fix this hang.
    
    Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso")
    Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com>
    Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bccb966e9354b91a18e13a2f835c021ad544bc46
Author: Cristian Marussi <cristian.marussi@arm.com>
Date:   Fri Jun 19 23:03:30 2020 +0100

    firmware: arm_scmi: Fix SCMI genpd domain probing
    
    [ Upstream commit e0f1a30cf184821499eeb67daedd7a3f21bbcb0b ]
    
    When, at probe time, an SCMI communication failure inhibits the capacity
    to query power domains states, such domains should be skipped.
    
    Registering partially initialized SCMI power domains with genpd will
    causes kernel panic.
    
     arm-scmi timed out in resp(caller: scmi_power_state_get+0xa4/0xd0)
     scmi-power-domain scmi_dev.2: failed to get state for domain 9
     Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
     Mem abort info:
       ESR = 0x96000006
       EC = 0x25: DABT (current EL), IL = 32 bits
       SET = 0, FnV = 0
       EA = 0, S1PTW = 0
     Data abort info:
       ISV = 0, ISS = 0x00000006
       CM = 0, WnR = 0
     user pgtable: 4k pages, 48-bit VAs, pgdp=00000009f3691000
     [0000000000000000] pgd=00000009f1ca0003, p4d=00000009f1ca0003, pud=00000009f35ea003, pmd=0000000000000000
     Internal error: Oops: 96000006 [#1] PREEMPT SMP
     CPU: 2 PID: 381 Comm: bash Not tainted 5.8.0-rc1-00011-gebd118c2cca8 #2
     Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Jan  3 2020
     Internal error: Oops: 96000006 [#1] PREEMPT SMP
     pstate: 80000005 (Nzcv daif -PAN -UAO BTYPE=--)
     pc : of_genpd_add_provider_onecell+0x98/0x1f8
     lr : of_genpd_add_provider_onecell+0x48/0x1f8
     Call trace:
      of_genpd_add_provider_onecell+0x98/0x1f8
      scmi_pm_domain_probe+0x174/0x1e8
      scmi_dev_probe+0x90/0xe0
      really_probe+0xe4/0x448
      driver_probe_device+0xfc/0x168
      device_driver_attach+0x7c/0x88
      bind_store+0xe8/0x128
      drv_attr_store+0x2c/0x40
      sysfs_kf_write+0x4c/0x60
      kernfs_fop_write+0x114/0x230
      __vfs_write+0x24/0x50
      vfs_write+0xbc/0x1e0
      ksys_write+0x70/0xf8
      __arm64_sys_write+0x24/0x30
      el0_svc_common.constprop.3+0x94/0x160
      do_el0_svc+0x2c/0x98
      el0_sync_handler+0x148/0x1a8
      el0_sync+0x158/0x180
    
    Do not register any power domain that failed to be queried with genpd.
    
    Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd")
    Link: https://lore.kernel.org/r/20200619220330.12217-1-cristian.marussi@arm.com
    Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
    Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e09b2a736ee5e258172c552c6380a8cacb182c2a
Author: Gilad Ben-Yossef <gilad@benyossef.com>
Date:   Sun Jun 21 14:19:57 2020 +0300

    crypto: ccree - fix resource leak on error path
    
    [ Upstream commit 9bc6165d608d676f05d8bf156a2c9923ee38d05b ]
    
    Fix a small resource leak on the error path of cipher processing.
    
    Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
    Fixes: 63ee04c8b491e ("crypto: ccree - add skcipher support")
    Cc: Markus Elfring <Markus.Elfring@web.de>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3b1712152c9fae9f35d55dbdb14a25dc15663e3a
Author: Stephan Gerhold <stephan@gerhold.net>
Date:   Fri Jun 5 20:59:14 2020 +0200

    arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property
    
    [ Upstream commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 ]
    
    msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio
    pin configurations. This was likely copied from the qcom kernel fork
    where the same property was used for these audio pins.
    
    However, "bias-pull-none" actually does not exist at all - not in
    mainline and not in downstream. I can only guess that the original
    intention was to configure "no pull", i.e. bias-disable.
    
    Change it to that instead.
    
    Fixes: 143bb9ad85b7 ("arm64: dts: qcom: add audio pinctrls")
    Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
    Link: https://lore.kernel.org/r/20200605185916.318494-2-stephan@gerhold.net
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0a9c84ce0c78d27004ea46aca1e8a5752dffd924
Author: Qiushi Wu <wu000273@umn.edu>
Date:   Thu May 28 15:22:37 2020 -0500

    EDAC: Fix reference count leaks
    
    [ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ]
    
    When kobject_init_and_add() returns an error, it should be handled
    because kobject_init_and_add() takes a reference even when it fails. If
    this function returns an error, kobject_put() must be called to properly
    clean up the memory associated with the object.
    
    Therefore, replace calling kfree() and call kobject_put() and add a
    missing kobject_put() in the edac_device_register_sysfs_main_kobj()
    error path.
    
     [ bp: Massage and merge into a single patch. ]
    
    Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add")
    Signed-off-by: Qiushi Wu <wu000273@umn.edu>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu
    Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7a8abc99f9569b336d2585ba8b337ac1e3390f2b
Author: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Date:   Wed Jun 3 15:28:36 2020 +0200

    arm64: dts: rockchip: fix rk3399-puma gmac reset gpio
    
    [ Upstream commit 8a445086f8af0b7b9bd8d1901d6f306bb154f70d ]
    
    The puma gmac node currently uses opposite active-values for the
    gmac phy reset pin. The gpio-declaration uses active-high while the
    separate snps,reset-active-low property marks the pin as active low.
    
    While on the kernel side this works ok, other DT users may get
    confused - as seen with uboot right now.
    
    So bring this in line and make both properties match, similar to the
    other Rockchip board.
    
    Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
    Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
    Link: https://lore.kernel.org/r/20200603132836.362519-1-heiko@sntech.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ecf6e2538009f1756cfd2d191905611077ddb23f
Author: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Date:   Thu Jun 4 11:12:39 2020 +0200

    arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio
    
    [ Upstream commit 7a7184f6cfa9279f1a1c10a1845d247d7fad54ff ]
    
    The puma vcc5v0_host regulator node currently uses opposite active-values
    for the enable pin. The gpio-declaration uses active-high while the
    separate enable-active-low property marks the pin as active low.
    
    While on the kernel side this works ok, other DT users may get
    confused - as seen with uboot right now.
    
    So bring this in line and make both properties match, similar to the
    gmac fix.
    
    Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
    Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
    Link: https://lore.kernel.org/r/20200604091239.424318-1-heiko@sntech.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3fe4f18eebb473481371287ba202cefceaa9a3c9
Author: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Date:   Sun Jun 7 23:29:09 2020 +0200

    arm64: dts: rockchip: fix rk3368-lion gmac reset gpio
    
    [ Upstream commit 2300e6dab473e93181cf76e4fe6671aa3d24c57b ]
    
    The lion gmac node currently uses opposite active-values for the
    gmac phy reset pin. The gpio-declaration uses active-high while the
    separate snps,reset-active-low property marks the pin as active low.
    
    While on the kernel side this works ok, other DT users may get
    confused - as seen with uboot right now.
    
    So bring this in line and make both properties match, similar to the
    other Rockchip board.
    
    Fixes: d99a02bcfa81 ("arm64: dts: rockchip: add RK3368-uQ7 (Lion) SoM")
    Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
    Link: https://lore.kernel.org/r/20200607212909.920575-1-heiko@sntech.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 008560eb23a8ad242c15cb90478c428a5a69f546
Author: Peng Liu <iwtbavbm@gmail.com>
Date:   Tue Jun 9 23:09:36 2020 +0800

    sched: correct SD_flags returned by tl->sd_flags()
    
    [ Upstream commit 9b1b234bb86bcdcdb142e900d39b599185465dbb ]
    
    During sched domain init, we check whether non-topological SD_flags are
    returned by tl->sd_flags(), if found, fire a waning and correct the
    violation, but the code failed to correct the violation. Correct this.
    
    Fixes: 143e1e28cb40 ("sched: Rework sched_domain topology definition")
    Signed-off-by: Peng Liu <iwtbavbm@gmail.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
    Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
    Link: https://lkml.kernel.org/r/20200609150936.GA13060@iZj6chx1xj0e0buvshuecpZ
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 519252e38ca1e1d614b11f982b1f489d62c135ee
Author: Vincent Guittot <vincent.guittot@linaro.org>
Date:   Tue Jun 9 14:37:48 2020 +0200

    sched/fair: Fix NOHZ next idle balance
    
    [ Upstream commit 3ea2f097b17e13a8280f1f9386c331b326a3dbef ]
    
    With commit:
      'b7031a02ec75 ("sched/fair: Add NOHZ_STATS_KICK")'
    rebalance_domains of the local cfs_rq happens before others idle cpus have
    updated nohz.next_balance and its value is overwritten.
    
    Move the update of nohz.next_balance for other idles cpus before balancing
    and updating the next_balance of local cfs_rq.
    
    Also, the nohz.next_balance is now updated only if all idle cpus got a
    chance to rebalance their domains and the idle balance has not been aborted
    because of new activities on the CPU. In case of need_resched, the idle
    load balance will be kick the next jiffie in order to address remaining
    ilb.
    
    Fixes: b7031a02ec75 ("sched/fair: Add NOHZ_STATS_KICK")
    Reported-by: Peng Liu <iwtbavbm@gmail.com>
    Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Link: https://lkml.kernel.org/r/20200609123748.18636-1-vincent.guittot@linaro.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 40f981691bdf470c1b0b7f4605690efdf28baec3
Author: Zhenzhong Duan <zhenzhong.duan@gmail.com>
Date:   Thu Jun 11 10:32:38 2020 +0800

    x86/mce/inject: Fix a wrong assignment of i_mce.status
    
    [ Upstream commit 5d7f7d1d5e01c22894dee7c9c9266500478dca99 ]
    
    The original code is a nop as i_mce.status is or'ed with part of itself,
    fix it.
    
    Fixes: a1300e505297 ("x86/ras/mce_amd_inj: Trigger deferred and thresholding errors interrupts")
    Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Acked-by: Yazen Ghannam <yazen.ghannam@amd.com>
    Link: https://lkml.kernel.org/r/20200611023238.3830-1-zhenzhong.duan@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 38de4308c5c3319ae9c815b6d6aa8d2b5804bace
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Thu Aug 13 20:33:42 2020 +0000

    cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
    
    Add skcd->no_refcnt check which is missed when backporting
    ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()").
    
    This patch is needed in stable-4.9, stable-4.14 and stable-4.19.
    
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 37274b5c9b88b7dd7ba1f4ecc947be64815a8a50
Author: Grant Likely <grant.likely@secretlab.ca>
Date:   Fri Jul 10 16:19:39 2020 +0100

    HID: input: Fix devices that return multiple bytes in battery report
    
    commit 4f57cace81438cc873a96f9f13f08298815c9b51 upstream.
    
    Some devices, particularly the 3DConnexion Spacemouse wireless 3D
    controllers, return more than just the battery capacity in the battery
    report. The Spacemouse devices return an additional byte with a device
    specific field. However, hidinput_query_battery_capacity() only
    requests a 2 byte transfer.
    
    When a spacemouse is connected via USB (direct wire, no wireless dongle)
    and it returns a 3 byte report instead of the assumed 2 byte battery
    report the larger transfer confuses and frightens the USB subsystem
    which chooses to ignore the transfer. Then after 2 seconds assume the
    device has stopped responding and reset it. This can be reproduced
    easily by using a wired connection with a wireless spacemouse. The
    Spacemouse will enter a loop of resetting every 2 seconds which can be
    observed in dmesg.
    
    This patch solves the problem by increasing the transfer request to 4
    bytes instead of 2. The fix isn't particularly elegant, but it is simple
    and safe to backport to stable kernels. A further patch will follow to
    more elegantly handle battery reports that contain additional data.
    
    Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
    Cc: Darren Hart <darren@dvhart.com>
    Cc: Jiri Kosina <jikos@kernel.org>
    Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Cc: stable@vger.kernel.org
    Tested-by: Darren Hart <dvhart@infradead.org>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1874d3d6ad0b06bab747e36e70d9b2a5aeb3183a
Author: Nick Desaulniers <ndesaulniers@google.com>
Date:   Thu Jul 30 15:45:54 2020 -0700

    tracepoint: Mark __tracepoint_string's __used
    
    commit f3751ad0116fb6881f2c3c957d66a9327f69cefb upstream.
    
    __tracepoint_string's have their string data stored in .rodata, and an
    address to that data stored in the "__tracepoint_str" section. Functions
    that refer to those strings refer to the symbol of the address. Compiler
    optimization can replace those address references with references
    directly to the string data. If the address doesn't appear to have other
    uses, then it appears dead to the compiler and is removed. This can
    break the /tracing/printk_formats sysfs node which iterates the
    addresses stored in the "__tracepoint_str" section.
    
    Like other strings stored in custom sections in this header, mark these
    __used to inform the compiler that there are other non-obvious users of
    the address, so they should still be emitted.
    
    Link: https://lkml.kernel.org/r/20200730224555.2142154-2-ndesaulniers@google.com
    
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
    Cc: stable@vger.kernel.org
    Fixes: 102c9323c35a8 ("tracing: Add __tracepoint_string() to export string pointers")
    Reported-by: Tim Murray <timmurray@google.com>
    Reported-by: Simon MacMullen <simonmacm@google.com>
    Suggested-by: Greg Hackmann <ghackmann@google.com>
    Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>