--- /dev/null
+From b146a3ad8fee6fa6f8dd327b16c27658eca384e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2019 14:09:04 +0100
+Subject: apparmor: fix unsigned len comparison with less than zero
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 00e0590dbaec6f1bcaa36a85467d7e3497ced522 ]
+
+The sanity check in macro update_for_len checks to see if len
+is less than zero, however, len is a size_t so it can never be
+less than zero, so this sanity check is a no-op. Fix this by
+making len a ssize_t so the comparison will work and add ulen
+that is a size_t copy of len so that the min() macro won't
+throw warnings about comparing different types.
+
+Addresses-Coverity: ("Macro compares unsigned to 0")
+Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/label.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/security/apparmor/label.c b/security/apparmor/label.c
+index c5b99b954580..ea63710442ae 100644
+--- a/security/apparmor/label.c
++++ b/security/apparmor/label.c
+@@ -1463,11 +1463,13 @@ static inline bool use_label_hname(struct aa_ns *ns, struct aa_label *label,
+ /* helper macro for snprint routines */
+ #define update_for_len(total, len, size, str) \
+ do { \
++ size_t ulen = len; \
++ \
+ AA_BUG(len < 0); \
+- total += len; \
+- len = min(len, size); \
+- size -= len; \
+- str += len; \
++ total += ulen; \
++ ulen = min(ulen, size); \
++ size -= ulen; \
++ str += ulen; \
+ } while (0)
+
+ /**
+@@ -1602,7 +1604,7 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns,
+ struct aa_ns *prev_ns = NULL;
+ struct label_it i;
+ int count = 0, total = 0;
+- size_t len;
++ ssize_t len;
+
+ AA_BUG(!str && size != 0);
+ AA_BUG(!label);
+--
+2.20.1
+
--- /dev/null
+From e5a27fbf90ada632c37af1b4e80234d89349b004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 16:03:24 +0800
+Subject: bcache: at least try to shrink 1 node in bch_mca_scan()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 9fcc34b1a6dd4b8e5337e2b6ef45e428897eca6b ]
+
+In bch_mca_scan(), the number of shrinking btree node is calculated
+by code like this,
+ unsigned long nr = sc->nr_to_scan;
+
+ nr /= c->btree_pages;
+ nr = min_t(unsigned long, nr, mca_can_free(c));
+variable sc->nr_to_scan is number of objects (here is bcache B+tree
+nodes' number) to shrink, and pointer variable sc is sent from memory
+management code as parametr of a callback.
+
+If sc->nr_to_scan is smaller than c->btree_pages, after the above
+calculation, variable 'nr' will be 0 and nothing will be shrunk. It is
+frequeently observed that only 1 or 2 is set to sc->nr_to_scan and make
+nr to be zero. Then bch_mca_scan() will do nothing more then acquiring
+and releasing mutex c->bucket_lock.
+
+This patch checkes whether nr is 0 after the above calculation, if 0
+is the result then set 1 to variable 'n'. Then at least bch_mca_scan()
+will try to shrink a single B+tree node.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/btree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
+index 9406326216f1..96a6583e7b52 100644
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -685,6 +685,8 @@ static unsigned long bch_mca_scan(struct shrinker *shrink,
+ * IO can always make forward progress:
+ */
+ nr /= c->btree_pages;
++ if (nr == 0)
++ nr = 1;
+ nr = min_t(unsigned long, nr, mca_can_free(c));
+
+ i = 0;
+--
+2.20.1
+
--- /dev/null
+From 7a74cb7ea8025ee38242e786dc78e28dec3e1ce1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2019 21:37:08 +0000
+Subject: cdrom: respect device capabilities during opening action
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Diego Elio Pettenò <flameeyes@flameeyes.com>
+
+[ Upstream commit 366ba7c71ef77c08d06b18ad61b26e2df7352338 ]
+
+Reading the TOC only works if the device can play audio, otherwise
+these commands fail (and possibly bring the device to an unhealthy
+state.)
+
+Similarly, cdrom_mmc3_profile() should only be called if the device
+supports generic packet commands.
+
+To: Jens Axboe <axboe@kernel.dk>
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-scsi@vger.kernel.org
+Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cdrom/cdrom.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 90dd8e7291da..1c90da4af94f 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -995,6 +995,12 @@ static void cdrom_count_tracks(struct cdrom_device_info *cdi, tracktype *tracks)
+ tracks->xa = 0;
+ tracks->error = 0;
+ cd_dbg(CD_COUNT_TRACKS, "entering cdrom_count_tracks\n");
++
++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) {
++ tracks->error = CDS_NO_INFO;
++ return;
++ }
++
+ /* Grab the TOC header so we can see how many tracks there are */
+ ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCHDR, &header);
+ if (ret) {
+@@ -1161,7 +1167,8 @@ int cdrom_open(struct cdrom_device_info *cdi, struct block_device *bdev,
+ ret = open_for_data(cdi);
+ if (ret)
+ goto err;
+- cdrom_mmc3_profile(cdi);
++ if (CDROM_CAN(CDC_GENERIC_PACKET))
++ cdrom_mmc3_profile(cdi);
+ if (mode & FMODE_WRITE) {
+ ret = -EROFS;
+ if (cdrom_open_write(cdi))
+@@ -2878,6 +2885,9 @@ int cdrom_get_last_written(struct cdrom_device_info *cdi, long *last_written)
+ it doesn't give enough information or fails. then we return
+ the toc contents. */
+ use_toc:
++ if (!CDROM_CAN(CDC_PLAY_AUDIO))
++ return -ENOSYS;
++
+ toc.cdte_format = CDROM_MSF;
+ toc.cdte_track = CDROM_LEADOUT;
+ if ((ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCENTRY, &toc)))
+--
+2.20.1
+
--- /dev/null
+From 8a7502b656f081bceee7523e951d07247f513c43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2019 21:44:20 +0200
+Subject: clk: pxa: fix one of the pxa RTC clocks
+
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+
+[ Upstream commit 46acbcb4849b2ca2e6e975e7c8130c1d61c8fd0c ]
+
+The pxa27x platforms have a single IP with 2 drivers, sa1100-rtc and
+rtc-pxa drivers.
+
+A previous patch fixed the sa1100-rtc case, but the pxa-rtc wasn't
+fixed. This patch completes the previous one.
+
+Fixes: 8b6d10345e16 ("clk: pxa: add missing pxa27x clocks for Irda and sa1100-rtc")
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Link: https://lkml.kernel.org/r/20191026194420.11918-1-robert.jarzmik@free.fr
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/pxa/clk-pxa27x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/pxa/clk-pxa27x.c b/drivers/clk/pxa/clk-pxa27x.c
+index 25a30194d27a..b67ea86ff156 100644
+--- a/drivers/clk/pxa/clk-pxa27x.c
++++ b/drivers/clk/pxa/clk-pxa27x.c
+@@ -462,6 +462,7 @@ struct dummy_clk {
+ };
+ static struct dummy_clk dummy_clks[] __initdata = {
+ DUMMY_CLK(NULL, "pxa27x-gpio", "osc_32_768khz"),
++ DUMMY_CLK(NULL, "pxa-rtc", "osc_32_768khz"),
+ DUMMY_CLK(NULL, "sa1100-rtc", "osc_32_768khz"),
+ DUMMY_CLK("UARTCLK", "pxa2xx-ir", "STUART"),
+ };
+--
+2.20.1
+
--- /dev/null
+From 794791e58096cbf13a7ee75f350815d37c7aa770 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 11:57:15 -0700
+Subject: clk: qcom: Allow constant ratio freq tables for rcg
+
+From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+
+[ Upstream commit efd164b5520afd6fb2883b68e0d408a7de29c491 ]
+
+Some RCGs (the gfx_3d_src_clk in msm8998 for example) are basically just
+some constant ratio from the input across the entire frequency range. It
+would be great if we could specify the frequency table as a single entry
+constant ratio instead of a long list, ie:
+
+ { .src = P_GPUPLL0_OUT_EVEN, .pre_div = 3 },
+ { }
+
+So, lets support that.
+
+We need to fix a corner case in qcom_find_freq() where if the freq table
+is non-null, but has no frequencies, we end up returning an "entry" before
+the table array, which is bad. Then, we need ignore the freq from the
+table, and instead base everything on the requested freq.
+
+Suggested-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Link: https://lkml.kernel.org/r/20191031185715.15504-1-jeffrey.l.hugo@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/clk-rcg2.c | 2 ++
+ drivers/clk/qcom/common.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c
+index 1a0985ae20d2..a93439242565 100644
+--- a/drivers/clk/qcom/clk-rcg2.c
++++ b/drivers/clk/qcom/clk-rcg2.c
+@@ -212,6 +212,8 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw, const struct freq_tbl *f,
+ p = clk_hw_get_parent_by_index(hw, index);
+ if (clk_flags & CLK_SET_RATE_PARENT) {
+ if (f->pre_div) {
++ if (!rate)
++ rate = req->rate;
+ rate /= 2;
+ rate *= f->pre_div + 1;
+ }
+diff --git a/drivers/clk/qcom/common.c b/drivers/clk/qcom/common.c
+index 28ceaf1e9937..ae9352f7706d 100644
+--- a/drivers/clk/qcom/common.c
++++ b/drivers/clk/qcom/common.c
+@@ -37,6 +37,9 @@ struct freq_tbl *qcom_find_freq(const struct freq_tbl *f, unsigned long rate)
+ if (!f)
+ return NULL;
+
++ if (!f->freq)
++ return f;
++
+ for (; f->freq; f++)
+ if (rate <= f->freq)
+ return f;
+--
+2.20.1
+
--- /dev/null
+From 7cf3d22d240c8022f8dd863ee21d618e584cb560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 20:43:30 +0800
+Subject: clocksource/drivers/asm9260: Add a check for of_clk_get
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 6e001f6a4cc73cd06fc7b8c633bc4906c33dd8ad ]
+
+asm9260_timer_init misses a check for of_clk_get.
+Add a check for it and print errors like other clocksource drivers.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20191016124330.22211-1-hslester96@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/asm9260_timer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/clocksource/asm9260_timer.c b/drivers/clocksource/asm9260_timer.c
+index 38cd2feb87c4..0ce760776406 100644
+--- a/drivers/clocksource/asm9260_timer.c
++++ b/drivers/clocksource/asm9260_timer.c
+@@ -198,6 +198,10 @@ static int __init asm9260_timer_init(struct device_node *np)
+ }
+
+ clk = of_clk_get(np, 0);
++ if (IS_ERR(clk)) {
++ pr_err("Failed to get clk!\n");
++ return PTR_ERR(clk);
++ }
+
+ ret = clk_prepare_enable(clk);
+ if (ret) {
+--
+2.20.1
+
--- /dev/null
+From 346f0288c9d257f57a53a4411c49e01e05691ed9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Oct 2019 14:56:46 -0700
+Subject: dma-debug: add a schedule point in debug_dma_dump_mappings()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9ff6aa027dbb98755f0265695354f2dd07c0d1ce ]
+
+debug_dma_dump_mappings() can take a lot of cpu cycles :
+
+lpk43:/# time wc -l /sys/kernel/debug/dma-api/dump
+163435 /sys/kernel/debug/dma-api/dump
+
+real 0m0.463s
+user 0m0.003s
+sys 0m0.459s
+
+Let's add a cond_resched() to avoid holding cpu for too long.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Corentin Labbe <clabbe@baylibre.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/dma-debug.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/dma-debug.c b/lib/dma-debug.c
+index ea4cc3dde4f1..61e7240947f5 100644
+--- a/lib/dma-debug.c
++++ b/lib/dma-debug.c
+@@ -437,6 +437,7 @@ void debug_dma_dump_mappings(struct device *dev)
+ }
+
+ spin_unlock_irqrestore(&bucket->lock, flags);
++ cond_resched();
+ }
+ }
+ EXPORT_SYMBOL(debug_dma_dump_mappings);
+--
+2.20.1
+
--- /dev/null
+From 80e10d2642bcc70b27f4d17a72209944904f6118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 22:59:22 +1100
+Subject: ext4: update direct I/O read lock pattern for IOCB_NOWAIT
+
+From: Matthew Bobrowski <mbobrowski@mbobrowski.org>
+
+[ Upstream commit 548feebec7e93e58b647dba70b3303dcb569c914 ]
+
+This patch updates the lock pattern in ext4_direct_IO_read() to not
+block on inode lock in cases of IOCB_NOWAIT direct I/O reads. The
+locking condition implemented here is similar to that of 942491c9e6d6
+("xfs: fix AIM7 regression").
+
+Fixes: 16c54688592c ("ext4: Allow parallel DIO reads")
+Signed-off-by: Matthew Bobrowski <mbobrowski@mbobrowski.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Link: https://lore.kernel.org/r/c5d5e759f91747359fbd2c6f9a36240cf75ad79f.1572949325.git.mbobrowski@mbobrowski.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inode.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index c2920cbfa3bf..a91b8404d3dc 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3796,7 +3796,13 @@ static ssize_t ext4_direct_IO_read(struct kiocb *iocb, struct iov_iter *iter)
+ * writes & truncates and since we take care of writing back page cache,
+ * we are protected against page writeback as well.
+ */
+- inode_lock_shared(inode);
++ if (iocb->ki_flags & IOCB_NOWAIT) {
++ if (!inode_trylock_shared(inode))
++ return -EAGAIN;
++ } else {
++ inode_lock_shared(inode);
++ }
++
+ ret = filemap_write_and_wait_range(mapping, iocb->ki_pos,
+ iocb->ki_pos + count - 1);
+ if (ret)
+--
+2.20.1
+
--- /dev/null
+From 08e2cc5d4082aaca040bd8ebcff50429c0e41627 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 11:20:36 +0800
+Subject: f2fs: choose hardlimit when softlimit is larger than hardlimit in
+ f2fs_statfs_project()
+
+From: Chengguang Xu <cgxu519@mykernel.net>
+
+[ Upstream commit 909110c060f22e65756659ec6fa957ae75777e00 ]
+
+Setting softlimit larger than hardlimit seems meaningless
+for disk quota but currently it is allowed. In this case,
+there may be a bit of comfusion for users when they run
+df comamnd to directory which has project quota.
+
+For example, we set 20M softlimit and 10M hardlimit of
+block usage limit for project quota of test_dir(project id 123).
+
+[root@hades f2fs]# repquota -P -a
+*** Report for project quotas on device /dev/nvme0n1p8
+Block grace time: 7days; Inode grace time: 7days
+Block limits File limits
+Project used soft hard grace used soft hard grace
+----------------------------------------------------------------------
+0 -- 4 0 0 1 0 0
+123 +- 10248 20480 10240 2 0 0
+
+The result of df command as below:
+
+[root@hades f2fs]# df -h /mnt/f2fs/test
+Filesystem Size Used Avail Use% Mounted on
+/dev/nvme0n1p8 20M 11M 10M 51% /mnt/f2fs
+
+Even though it looks like there is another 10M free space to use,
+if we write new data to diretory test(inherit project id),
+the write will fail with errno(-EDQUOT).
+
+After this patch, the df result looks like below.
+
+[root@hades f2fs]# df -h /mnt/f2fs/test
+Filesystem Size Used Avail Use% Mounted on
+/dev/nvme0n1p8 10M 10M 0 100% /mnt/f2fs
+
+Signed-off-by: Chengguang Xu <cgxu519@mykernel.net>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index e4aabfc21bd4..8635df6cba55 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -912,9 +912,13 @@ static int f2fs_statfs_project(struct super_block *sb,
+ return PTR_ERR(dquot);
+ spin_lock(&dq_data_lock);
+
+- limit = (dquot->dq_dqb.dqb_bsoftlimit ?
+- dquot->dq_dqb.dqb_bsoftlimit :
+- dquot->dq_dqb.dqb_bhardlimit) >> sb->s_blocksize_bits;
++ limit = 0;
++ if (dquot->dq_dqb.dqb_bsoftlimit)
++ limit = dquot->dq_dqb.dqb_bsoftlimit;
++ if (dquot->dq_dqb.dqb_bhardlimit &&
++ (!limit || dquot->dq_dqb.dqb_bhardlimit < limit))
++ limit = dquot->dq_dqb.dqb_bhardlimit;
++
+ if (limit && buf->f_blocks > limit) {
+ curblock = dquot->dq_dqb.dqb_curspace >> sb->s_blocksize_bits;
+ buf->f_blocks = limit;
+@@ -923,9 +927,13 @@ static int f2fs_statfs_project(struct super_block *sb,
+ (buf->f_blocks - curblock) : 0;
+ }
+
+- limit = dquot->dq_dqb.dqb_isoftlimit ?
+- dquot->dq_dqb.dqb_isoftlimit :
+- dquot->dq_dqb.dqb_ihardlimit;
++ limit = 0;
++ if (dquot->dq_dqb.dqb_isoftlimit)
++ limit = dquot->dq_dqb.dqb_isoftlimit;
++ if (dquot->dq_dqb.dqb_ihardlimit &&
++ (!limit || dquot->dq_dqb.dqb_ihardlimit < limit))
++ limit = dquot->dq_dqb.dqb_ihardlimit;
++
+ if (limit && buf->f_files > limit) {
+ buf->f_files = limit;
+ buf->f_ffree =
+--
+2.20.1
+
--- /dev/null
+From 4453d8462c3f84d653510cbf84268f7e7fc50504 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 14:12:05 +0800
+Subject: f2fs: fix to update dir's i_pino during cross_rename
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 2a60637f06ac94869b2e630eaf837110d39bf291 ]
+
+As Eric reported:
+
+RENAME_EXCHANGE support was just added to fsstress in xfstests:
+
+ commit 65dfd40a97b6bbbd2a22538977bab355c5bc0f06
+ Author: kaixuxia <xiakaixu1987@gmail.com>
+ Date: Thu Oct 31 14:41:48 2019 +0800
+
+ fsstress: add EXCHANGE renameat2 support
+
+This is causing xfstest generic/579 to fail due to fsck.f2fs reporting errors.
+I'm not sure what the problem is, but it still happens even with all the
+fs-verity stuff in the test commented out, so that the test just runs fsstress.
+
+generic/579 23s ... [10:02:25]
+[ 7.745370] run fstests generic/579 at 2019-11-04 10:02:25
+_check_generic_filesystem: filesystem on /dev/vdc is inconsistent
+(see /results/f2fs/results-default/generic/579.full for details)
+ [10:02:47]
+Ran: generic/579
+Failures: generic/579
+Failed 1 of 1 tests
+Xunit report: /results/f2fs/results-default/result.xml
+
+Here's the contents of 579.full:
+
+_check_generic_filesystem: filesystem on /dev/vdc is inconsistent
+*** fsck.f2fs output ***
+[ASSERT] (__chk_dots_dentries:1378) --> Bad inode number[0x24] for '..', parent parent ino is [0xd10]
+
+The root cause is that we forgot to update directory's i_pino during
+cross_rename, fix it.
+
+Fixes: 32f9bc25cbda0 ("f2fs: support ->rename2()")
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Tested-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index b80e7db3b55b..b13383948fca 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -862,7 +862,8 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ if (!old_dir_entry || whiteout)
+ file_lost_pino(old_inode);
+ else
+- F2FS_I(old_inode)->i_pino = new_dir->i_ino;
++ /* adjust dir's i_pino to pass fsck check */
++ f2fs_i_pino_write(old_inode, new_dir->i_ino);
+ up_write(&F2FS_I(old_inode)->i_sem);
+
+ old_inode->i_ctime = current_time(old_inode);
+@@ -1027,7 +1028,11 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
+ f2fs_set_link(old_dir, old_entry, old_page, new_inode);
+
+ down_write(&F2FS_I(old_inode)->i_sem);
+- file_lost_pino(old_inode);
++ if (!old_dir_entry)
++ file_lost_pino(old_inode);
++ else
++ /* adjust dir's i_pino to pass fsck check */
++ f2fs_i_pino_write(old_inode, new_dir->i_ino);
+ up_write(&F2FS_I(old_inode)->i_sem);
+
+ old_dir->i_ctime = current_time(old_dir);
+@@ -1042,7 +1047,11 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
+ f2fs_set_link(new_dir, new_entry, new_page, old_inode);
+
+ down_write(&F2FS_I(new_inode)->i_sem);
+- file_lost_pino(new_inode);
++ if (!new_dir_entry)
++ file_lost_pino(new_inode);
++ else
++ /* adjust dir's i_pino to pass fsck check */
++ f2fs_i_pino_write(new_inode, old_dir->i_ino);
+ up_write(&F2FS_I(new_inode)->i_sem);
+
+ new_dir->i_ctime = current_time(new_dir);
+--
+2.20.1
+
--- /dev/null
+From 75e3be48e8b6996564e7d88017d843543b6ca45f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Nov 2019 12:49:06 +0300
+Subject: fs/quota: handle overflows of sysctl fs.quota.* and report as
+ unsigned long
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+[ Upstream commit 6fcbcec9cfc7b3c6a2c1f1a23ebacedff7073e0a ]
+
+Quota statistics counted as 64-bit per-cpu counter. Reading sums per-cpu
+fractions as signed 64-bit int, filters negative values and then reports
+lower half as signed 32-bit int.
+
+Result may looks like:
+
+fs.quota.allocated_dquots = 22327
+fs.quota.cache_hits = -489852115
+fs.quota.drops = -487288718
+fs.quota.free_dquots = 22083
+fs.quota.lookups = -486883485
+fs.quota.reads = 22327
+fs.quota.syncs = 335064
+fs.quota.writes = 3088689
+
+Values bigger than 2^31-1 reported as negative.
+
+All counters except "allocated_dquots" and "free_dquots" are monotonic,
+thus they should be reported as is without filtering negative values.
+
+Kernel doesn't have generic helper for 64-bit sysctl yet,
+let's use at least unsigned long.
+
+Link: https://lore.kernel.org/r/157337934693.2078.9842146413181153727.stgit@buzz
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 29 +++++++++++++++++------------
+ include/linux/quota.h | 2 +-
+ 2 files changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 3254c90fd899..3fdbdd29702b 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2849,68 +2849,73 @@ EXPORT_SYMBOL(dquot_quotactl_sysfile_ops);
+ static int do_proc_dqstats(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+- unsigned int type = (int *)table->data - dqstats.stat;
++ unsigned int type = (unsigned long *)table->data - dqstats.stat;
++ s64 value = percpu_counter_sum(&dqstats.counter[type]);
++
++ /* Filter negative values for non-monotonic counters */
++ if (value < 0 && (type == DQST_ALLOC_DQUOTS ||
++ type == DQST_FREE_DQUOTS))
++ value = 0;
+
+ /* Update global table */
+- dqstats.stat[type] =
+- percpu_counter_sum_positive(&dqstats.counter[type]);
+- return proc_dointvec(table, write, buffer, lenp, ppos);
++ dqstats.stat[type] = value;
++ return proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
+ }
+
+ static struct ctl_table fs_dqstats_table[] = {
+ {
+ .procname = "lookups",
+ .data = &dqstats.stat[DQST_LOOKUPS],
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(unsigned long),
+ .mode = 0444,
+ .proc_handler = do_proc_dqstats,
+ },
+ {
+ .procname = "drops",
+ .data = &dqstats.stat[DQST_DROPS],
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(unsigned long),
+ .mode = 0444,
+ .proc_handler = do_proc_dqstats,
+ },
+ {
+ .procname = "reads",
+ .data = &dqstats.stat[DQST_READS],
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(unsigned long),
+ .mode = 0444,
+ .proc_handler = do_proc_dqstats,
+ },
+ {
+ .procname = "writes",
+ .data = &dqstats.stat[DQST_WRITES],
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(unsigned long),
+ .mode = 0444,
+ .proc_handler = do_proc_dqstats,
+ },
+ {
+ .procname = "cache_hits",
+ .data = &dqstats.stat[DQST_CACHE_HITS],
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(unsigned long),
+ .mode = 0444,
+ .proc_handler = do_proc_dqstats,
+ },
+ {
+ .procname = "allocated_dquots",
+ .data = &dqstats.stat[DQST_ALLOC_DQUOTS],
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(unsigned long),
+ .mode = 0444,
+ .proc_handler = do_proc_dqstats,
+ },
+ {
+ .procname = "free_dquots",
+ .data = &dqstats.stat[DQST_FREE_DQUOTS],
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(unsigned long),
+ .mode = 0444,
+ .proc_handler = do_proc_dqstats,
+ },
+ {
+ .procname = "syncs",
+ .data = &dqstats.stat[DQST_SYNCS],
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(unsigned long),
+ .mode = 0444,
+ .proc_handler = do_proc_dqstats,
+ },
+diff --git a/include/linux/quota.h b/include/linux/quota.h
+index 5ac9de4fcd6f..aa9a42eceab0 100644
+--- a/include/linux/quota.h
++++ b/include/linux/quota.h
+@@ -263,7 +263,7 @@ enum {
+ };
+
+ struct dqstats {
+- int stat[_DQST_DQSTAT_LAST];
++ unsigned long stat[_DQST_DQSTAT_LAST];
+ struct percpu_counter counter[_DQST_DQSTAT_LAST];
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 23f0140f92f6ce98cdeb10f5aac6669446ea3ff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 14:55:51 +0200
+Subject: gpio: mpc8xxx: Don't overwrite default irq_set_type callback
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 4e50573f39229d5e9c985fa3b4923a8b29619ade ]
+
+The per-SoC devtype structures can contain their own callbacks that
+overwrite mpc8xxx_gpio_devtype_default.
+
+The clear intention is that mpc8xxx_irq_set_type is used in case the SoC
+does not specify a more specific callback. But what happens is that if
+the SoC doesn't specify one, its .irq_set_type is de-facto NULL, and
+this overwrites mpc8xxx_irq_set_type to a no-op. This means that the
+following SoCs are affected:
+
+- fsl,mpc8572-gpio
+- fsl,ls1028a-gpio
+- fsl,ls1088a-gpio
+
+On these boards, the irq_set_type does exactly nothing, and the GPIO
+controller keeps its GPICR register in the hardware-default state. On
+the LS1028A, that is ACTIVE_BOTH, which means 2 interrupts are raised
+even if the IRQ client requests LEVEL_HIGH. Another implication is that
+the IRQs are not checked (e.g. level-triggered interrupts are not
+rejected, although they are not supported).
+
+Fixes: 82e39b0d8566 ("gpio: mpc8xxx: handle differences between incarnations at a single place")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20191115125551.31061-1-olteanv@gmail.com
+Tested-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-mpc8xxx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c
+index 8c93dec498fa..e7783b852d69 100644
+--- a/drivers/gpio/gpio-mpc8xxx.c
++++ b/drivers/gpio/gpio-mpc8xxx.c
+@@ -337,7 +337,8 @@ static int mpc8xxx_probe(struct platform_device *pdev)
+ * It's assumed that only a single type of gpio controller is available
+ * on the current machine, so overwriting global data is fine.
+ */
+- mpc8xxx_irq_chip.irq_set_type = devtype->irq_set_type;
++ if (devtype->irq_set_type)
++ mpc8xxx_irq_chip.irq_set_type = devtype->irq_set_type;
+
+ if (devtype->gpio_dir_out)
+ gc->direction_output = devtype->gpio_dir_out;
+--
+2.20.1
+
--- /dev/null
+From 4f09f6ae465ddbe72eef0c5d41c0c6ac015d2402 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2019 20:02:46 +0900
+Subject: HID: Improve Windows Precision Touchpad detection.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Blaž Hrastnik <blaz@mxxn.io>
+
+[ Upstream commit 2dbc6f113acd74c66b04bf49fb027efd830b1c5a ]
+
+Per Microsoft spec, usage 0xC5 (page 0xFF) returns a blob containing
+data used to verify the touchpad as a Windows Precision Touchpad.
+
+ 0x85, REPORTID_PTPHQA, // REPORT_ID (PTPHQA)
+ 0x09, 0xC5, // USAGE (Vendor Usage 0xC5)
+ 0x15, 0x00, // LOGICAL_MINIMUM (0)
+ 0x26, 0xff, 0x00, // LOGICAL_MAXIMUM (0xff)
+ 0x75, 0x08, // REPORT_SIZE (8)
+ 0x96, 0x00, 0x01, // REPORT_COUNT (0x100 (256))
+ 0xb1, 0x02, // FEATURE (Data,Var,Abs)
+
+However, some devices, namely Microsoft's Surface line of products
+instead implement a "segmented device certification report" (usage 0xC6)
+which returns the same report, but in smaller chunks.
+
+ 0x06, 0x00, 0xff, // USAGE_PAGE (Vendor Defined)
+ 0x85, REPORTID_PTPHQA, // REPORT_ID (PTPHQA)
+ 0x09, 0xC6, // USAGE (Vendor usage for segment #)
+ 0x25, 0x08, // LOGICAL_MAXIMUM (8)
+ 0x75, 0x08, // REPORT_SIZE (8)
+ 0x95, 0x01, // REPORT_COUNT (1)
+ 0xb1, 0x02, // FEATURE (Data,Var,Abs)
+ 0x09, 0xC7, // USAGE (Vendor Usage)
+ 0x26, 0xff, 0x00, // LOGICAL_MAXIMUM (0xff)
+ 0x95, 0x20, // REPORT_COUNT (32)
+ 0xb1, 0x02, // FEATURE (Data,Var,Abs)
+
+By expanding Win8 touchpad detection to also look for the segmented
+report, all Surface touchpads are now properly recognized by
+hid-multitouch.
+
+Signed-off-by: Blaž Hrastnik <blaz@mxxn.io>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 0c547bf841f4..6a04b56d161b 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -760,6 +760,10 @@ static void hid_scan_feature_usage(struct hid_parser *parser, u32 usage)
+ if (usage == 0xff0000c5 && parser->global.report_count == 256 &&
+ parser->global.report_size == 8)
+ parser->scan_flags |= HID_SCAN_FLAG_MT_WIN_8;
++
++ if (usage == 0xff0000c6 && parser->global.report_count == 1 &&
++ parser->global.report_size == 8)
++ parser->scan_flags |= HID_SCAN_FLAG_MT_WIN_8;
+ }
+
+ static void hid_scan_collection(struct hid_parser *parser, unsigned type)
+--
+2.20.1
+
--- /dev/null
+From 22117f205c4e2d0116ec079b025ebe8e1b114ba9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 15:30:46 +0100
+Subject: HID: logitech-hidpp: Silence intermittent get_battery_capacity errors
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 61005d65b6c7dcf61c19516e6ebe5acc02d2cdda ]
+
+My Logitech M185 (PID:4038) 2.4 GHz wireless HID++ mouse is causing
+intermittent errors like these in the log:
+
+[11091.034857] logitech-hidpp-device 0003:046D:4038.0006: hidpp20_batterylevel_get_battery_capacity: received protocol error 0x09
+[12388.031260] logitech-hidpp-device 0003:046D:4038.0006: hidpp20_batterylevel_get_battery_capacity: received protocol error 0x09
+[16613.718543] logitech-hidpp-device 0003:046D:4038.0006: hidpp20_batterylevel_get_battery_capacity: received protocol error 0x09
+[23529.938728] logitech-hidpp-device 0003:046D:4038.0006: hidpp20_batterylevel_get_battery_capacity: received protocol error 0x09
+
+We are already silencing error-code 0x09 (HIDPP_ERROR_RESOURCE_ERROR)
+errors in other places, lets do the same in
+hidpp20_batterylevel_get_battery_capacity to remove these harmless,
+but scary looking errors from the dmesg output.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index 4706fb852eaf..6ad776b4711b 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -978,6 +978,9 @@ static int hidpp20_batterylevel_get_battery_capacity(struct hidpp_device *hidpp,
+ ret = hidpp_send_fap_command_sync(hidpp, feature_index,
+ CMD_BATTERY_LEVEL_STATUS_GET_BATTERY_LEVEL_STATUS,
+ NULL, 0, &response);
++ /* Ignore these intermittent errors */
++ if (ret == HIDPP_ERROR_RESOURCE_ERROR)
++ return -EIO;
+ if (ret > 0) {
+ hid_err(hidpp->hid_dev, "%s: received protocol error 0x%02x\n",
+ __func__, ret);
+--
+2.20.1
+
--- /dev/null
+From 7ef36c5fa884ff093edb5d08dfbba01efc8500a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 14:00:21 -0700
+Subject: Input: atmel_mxt_ts - disable IRQ across suspend
+
+From: Evan Green <evgreen@chromium.org>
+
+[ Upstream commit 463fa44eec2fef50d111ed0199cf593235065c04 ]
+
+Across suspend and resume, we are seeing error messages like the following:
+
+atmel_mxt_ts i2c-PRP0001:00: __mxt_read_reg: i2c transfer failed (-121)
+atmel_mxt_ts i2c-PRP0001:00: Failed to read T44 and T5 (-121)
+
+This occurs because the driver leaves its IRQ enabled. Upon resume, there
+is an IRQ pending, but the interrupt is serviced before both the driver and
+the underlying I2C bus have been resumed. This causes EREMOTEIO errors.
+
+Disable the IRQ in suspend, and re-enable it on resume. If there are cases
+where the driver enters suspend with interrupts disabled, that's a bug we
+should fix separately.
+
+Signed-off-by: Evan Green <evgreen@chromium.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
+index 59aaac43db91..138d1f3b12b2 100644
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3257,6 +3257,8 @@ static int __maybe_unused mxt_suspend(struct device *dev)
+
+ mutex_unlock(&input_dev->mutex);
+
++ disable_irq(data->irq);
++
+ return 0;
+ }
+
+@@ -3269,6 +3271,8 @@ static int __maybe_unused mxt_resume(struct device *dev)
+ if (!input_dev)
+ return 0;
+
++ enable_irq(data->irq);
++
+ mutex_lock(&input_dev->mutex);
+
+ if (input_dev->users)
+--
+2.20.1
+
--- /dev/null
+From 6954e33b27c4c19c6f18659a813b2d255c1fbbfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2019 13:50:26 +0200
+Subject: iommu/tegra-smmu: Fix page tables in > 4 GiB memory
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 96d3ab802e4930a29a33934373157d6dff1b2c7e ]
+
+Page tables that reside in physical memory beyond the 4 GiB boundary are
+currently not working properly. The reason is that when the physical
+address for page directory entries is read, it gets truncated at 32 bits
+and can cause crashes when passing that address to the DMA API.
+
+Fix this by first casting the PDE value to a dma_addr_t and then using
+the page frame number mask for the SMMU instance to mask out the invalid
+bits, which are typically used for mapping attributes, etc.
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/tegra-smmu.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c
+index 40eb8138546a..848dac3e4580 100644
+--- a/drivers/iommu/tegra-smmu.c
++++ b/drivers/iommu/tegra-smmu.c
+@@ -156,9 +156,9 @@ static bool smmu_dma_addr_valid(struct tegra_smmu *smmu, dma_addr_t addr)
+ return (addr & smmu->pfn_mask) == addr;
+ }
+
+-static dma_addr_t smmu_pde_to_dma(u32 pde)
++static dma_addr_t smmu_pde_to_dma(struct tegra_smmu *smmu, u32 pde)
+ {
+- return pde << 12;
++ return (dma_addr_t)(pde & smmu->pfn_mask) << 12;
+ }
+
+ static void smmu_flush_ptc_all(struct tegra_smmu *smmu)
+@@ -543,6 +543,7 @@ static u32 *tegra_smmu_pte_lookup(struct tegra_smmu_as *as, unsigned long iova,
+ dma_addr_t *dmap)
+ {
+ unsigned int pd_index = iova_pd_index(iova);
++ struct tegra_smmu *smmu = as->smmu;
+ struct page *pt_page;
+ u32 *pd;
+
+@@ -551,7 +552,7 @@ static u32 *tegra_smmu_pte_lookup(struct tegra_smmu_as *as, unsigned long iova,
+ return NULL;
+
+ pd = page_address(as->pd);
+- *dmap = smmu_pde_to_dma(pd[pd_index]);
++ *dmap = smmu_pde_to_dma(smmu, pd[pd_index]);
+
+ return tegra_smmu_pte_offset(pt_page, iova);
+ }
+@@ -593,7 +594,7 @@ static u32 *as_get_pte(struct tegra_smmu_as *as, dma_addr_t iova,
+ } else {
+ u32 *pd = page_address(as->pd);
+
+- *dmap = smmu_pde_to_dma(pd[pde]);
++ *dmap = smmu_pde_to_dma(smmu, pd[pde]);
+ }
+
+ return tegra_smmu_pte_offset(as->pts[pde], iova);
+@@ -618,7 +619,7 @@ static void tegra_smmu_pte_put_use(struct tegra_smmu_as *as, unsigned long iova)
+ if (--as->count[pde] == 0) {
+ struct tegra_smmu *smmu = as->smmu;
+ u32 *pd = page_address(as->pd);
+- dma_addr_t pte_dma = smmu_pde_to_dma(pd[pde]);
++ dma_addr_t pte_dma = smmu_pde_to_dma(smmu, pd[pde]);
+
+ tegra_smmu_set_pde(as, iova, 0);
+
+--
+2.20.1
+
--- /dev/null
+From bc72dcd34d9ccf28109890f3f8f828f8f5723e64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 19:25:22 +0800
+Subject: irqchip: ingenic: Error out if IRQ domain creation failed
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+[ Upstream commit 52ecc87642f273a599c9913b29fd179c13de457b ]
+
+If we cannot create the IRQ domain, the driver should fail to probe
+instead of succeeding with just a warning message.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/1570015525-27018-3-git-send-email-zhouyanjie@zoho.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-ingenic.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/irqchip/irq-ingenic.c b/drivers/irqchip/irq-ingenic.c
+index fc5953dea509..b2e16dca76a6 100644
+--- a/drivers/irqchip/irq-ingenic.c
++++ b/drivers/irqchip/irq-ingenic.c
+@@ -117,6 +117,14 @@ static int __init ingenic_intc_of_init(struct device_node *node,
+ goto out_unmap_irq;
+ }
+
++ domain = irq_domain_add_legacy(node, num_chips * 32,
++ JZ4740_IRQ_BASE, 0,
++ &irq_domain_simple_ops, NULL);
++ if (!domain) {
++ err = -ENOMEM;
++ goto out_unmap_base;
++ }
++
+ for (i = 0; i < num_chips; i++) {
+ /* Mask all irqs */
+ writel(0xffffffff, intc->base + (i * CHIP_SIZE) +
+@@ -143,14 +151,11 @@ static int __init ingenic_intc_of_init(struct device_node *node,
+ IRQ_NOPROBE | IRQ_LEVEL);
+ }
+
+- domain = irq_domain_add_legacy(node, num_chips * 32, JZ4740_IRQ_BASE, 0,
+- &irq_domain_simple_ops, NULL);
+- if (!domain)
+- pr_warn("unable to register IRQ domain\n");
+-
+ setup_irq(parent_irq, &intc_cascade_action);
+ return 0;
+
++out_unmap_base:
++ iounmap(intc->base);
+ out_unmap_irq:
+ irq_dispose_mapping(parent_irq);
+ out_free:
+--
+2.20.1
+
--- /dev/null
+From fbb509f08621c77c41eccc5fb04f011f8a7e2d8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 13:14:13 -0700
+Subject: irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 27eebb60357ed5aa6659442f92907c0f7368d6ae ]
+
+If the 'brcm,irq-can-wake' property is specified, make sure we also
+enable the corresponding parent interrupt we are attached to.
+
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20191024201415.23454-4-f.fainelli@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-bcm7038-l1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/irqchip/irq-bcm7038-l1.c b/drivers/irqchip/irq-bcm7038-l1.c
+index 0b9a8b709abf..b32988cac80c 100644
+--- a/drivers/irqchip/irq-bcm7038-l1.c
++++ b/drivers/irqchip/irq-bcm7038-l1.c
+@@ -284,6 +284,10 @@ static int __init bcm7038_l1_init_one(struct device_node *dn,
+ pr_err("failed to map parent interrupt %d\n", parent_irq);
+ return -EINVAL;
+ }
++
++ if (of_property_read_bool(dn, "brcm,irq-can-wake"))
++ enable_irq_wake(parent_irq);
++
+ irq_set_chained_handler_and_data(parent_irq, bcm7038_l1_irq_handle,
+ intc);
+
+--
+2.20.1
+
--- /dev/null
+From e76200f4db164c5e7954d2aa2aaacd587fe9dadd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 17:44:19 +0100
+Subject: jbd2: Fix statistics for the number of logged blocks
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 015c6033068208d6227612c878877919f3fcf6b6 ]
+
+jbd2 statistics counting number of blocks logged in a transaction was
+wrong. It didn't count the commit block and more importantly it didn't
+count revoke descriptor blocks. Make sure these get properly counted.
+
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191105164437.32602-13-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 0567b17a970c..7dd613392592 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -726,7 +726,6 @@ start_journal_io:
+ submit_bh(REQ_OP_WRITE, REQ_SYNC, bh);
+ }
+ cond_resched();
+- stats.run.rs_blocks_logged += bufs;
+
+ /* Force a new descriptor to be generated next
+ time round the loop. */
+@@ -813,6 +812,7 @@ start_journal_io:
+ if (unlikely(!buffer_uptodate(bh)))
+ err = -EIO;
+ jbd2_unfile_log_bh(bh);
++ stats.run.rs_blocks_logged++;
+
+ /*
+ * The list contains temporary buffer heads created by
+@@ -858,6 +858,7 @@ start_journal_io:
+ BUFFER_TRACE(bh, "ph5: control buffer writeout done: unfile");
+ clear_buffer_jwrite(bh);
+ jbd2_unfile_log_bh(bh);
++ stats.run.rs_blocks_logged++;
+ __brelse(bh); /* One for getblk */
+ /* AKPM: bforget here */
+ }
+@@ -879,6 +880,7 @@ start_journal_io:
+ }
+ if (cbh)
+ err = journal_wait_on_commit_record(journal, cbh);
++ stats.run.rs_blocks_logged++;
+ if (jbd2_has_feature_async_commit(journal) &&
+ journal->j_flags & JBD2_BARRIER) {
+ blkdev_issue_flush(journal->j_dev, GFP_NOFS, NULL);
+--
+2.20.1
+
--- /dev/null
+From 245759dd6f930cc834d0c217f8ff1b96f4666c08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2019 17:56:08 -0800
+Subject: kernel: sysctl: make drop_caches write-only
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+[ Upstream commit 204cb79ad42f015312a5bbd7012d09c93d9b46fb ]
+
+Currently, the drop_caches proc file and sysctl read back the last value
+written, suggesting this is somehow a stateful setting instead of a
+one-time command. Make it write-only, like e.g. compact_memory.
+
+While mitigating a VM problem at scale in our fleet, there was confusion
+about whether writing to this file will permanently switch the kernel into
+a non-caching mode. This influences the decision making in a tense
+situation, where tens of people are trying to fix tens of thousands of
+affected machines: Do we need a rollback strategy? What are the
+performance implications of operating in a non-caching state for several
+days? It also caused confusion when the kernel team said we may need to
+write the file several times to make sure it's effective ("But it already
+reads back 3?").
+
+Link: http://lkml.kernel.org/r/20191031221602.9375-1-hannes@cmpxchg.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Chris Down <chris@chrisdown.name>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index cfc2c0d1369a..74fc3a9d1923 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1397,7 +1397,7 @@ static struct ctl_table vm_table[] = {
+ .procname = "drop_caches",
+ .data = &sysctl_drop_caches,
+ .maxlen = sizeof(int),
+- .mode = 0644,
++ .mode = 0200,
+ .proc_handler = drop_caches_sysctl_handler,
+ .extra1 = &one,
+ .extra2 = &four,
+--
+2.20.1
+
--- /dev/null
+From 032fdffd1664e10a76a3e075179ba225e3a64141 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 16:12:02 +0900
+Subject: libfdt: define INT32_MAX and UINT32_MAX in libfdt_env.h
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit a8de1304b7df30e3a14f2a8b9709bb4ff31a0385 ]
+
+The DTC v1.5.1 added references to (U)INT32_MAX.
+
+This is no problem for user-space programs since <stdint.h> defines
+(U)INT32_MAX along with (u)int32_t.
+
+For the kernel space, libfdt_env.h needs to be adjusted before we
+pull in the changes.
+
+In the kernel, we usually use s/u32 instead of (u)int32_t for the
+fixed-width types.
+
+Accordingly, we already have S/U32_MAX for their max values.
+So, we should not add (U)INT32_MAX to <linux/limits.h> any more.
+
+Instead, add them to the in-kernel libfdt_env.h to compile the
+latest libfdt.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/compressed/libfdt_env.h | 4 +++-
+ arch/powerpc/boot/libfdt_env.h | 2 ++
+ include/linux/libfdt_env.h | 3 +++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/compressed/libfdt_env.h b/arch/arm/boot/compressed/libfdt_env.h
+index b36c0289a308..6a0f1f524466 100644
+--- a/arch/arm/boot/compressed/libfdt_env.h
++++ b/arch/arm/boot/compressed/libfdt_env.h
+@@ -2,11 +2,13 @@
+ #ifndef _ARM_LIBFDT_ENV_H
+ #define _ARM_LIBFDT_ENV_H
+
++#include <linux/limits.h>
+ #include <linux/types.h>
+ #include <linux/string.h>
+ #include <asm/byteorder.h>
+
+-#define INT_MAX ((int)(~0U>>1))
++#define INT32_MAX S32_MAX
++#define UINT32_MAX U32_MAX
+
+ typedef __be16 fdt16_t;
+ typedef __be32 fdt32_t;
+diff --git a/arch/powerpc/boot/libfdt_env.h b/arch/powerpc/boot/libfdt_env.h
+index 39155d3b2cef..ac5d3c947e04 100644
+--- a/arch/powerpc/boot/libfdt_env.h
++++ b/arch/powerpc/boot/libfdt_env.h
+@@ -6,6 +6,8 @@
+ #include <string.h>
+
+ #define INT_MAX ((int)(~0U>>1))
++#define UINT32_MAX ((u32)~0U)
++#define INT32_MAX ((s32)(UINT32_MAX >> 1))
+
+ #include "of.h"
+
+diff --git a/include/linux/libfdt_env.h b/include/linux/libfdt_env.h
+index 1aa707ab19bb..8b54c591678e 100644
+--- a/include/linux/libfdt_env.h
++++ b/include/linux/libfdt_env.h
+@@ -7,6 +7,9 @@
+
+ #include <asm/byteorder.h>
+
++#define INT32_MAX S32_MAX
++#define UINT32_MAX U32_MAX
++
+ typedef __be16 fdt16_t;
+ typedef __be32 fdt32_t;
+ typedef __be64 fdt64_t;
+--
+2.20.1
+
--- /dev/null
+From 61644700f2de97f50f6a6653fd48b110c78b3dd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 10:05:19 -0400
+Subject: libnvdimm/btt: fix variable 'rc' set but not used
+
+From: Qian Cai <cai@lca.pw>
+
+[ Upstream commit 4e24e37d5313edca8b4ab86f240c046c731e28d6 ]
+
+drivers/nvdimm/btt.c: In function 'btt_read_pg':
+drivers/nvdimm/btt.c:1264:8: warning: variable 'rc' set but not used
+[-Wunused-but-set-variable]
+ int rc;
+ ^~
+
+Add a ratelimited message in case a storm of errors is encountered.
+
+Fixes: d9b83c756953 ("libnvdimm, btt: rework error clearing")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Link: https://lore.kernel.org/r/1572530719-32161-1-git-send-email-cai@lca.pw
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/btt.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvdimm/btt.c b/drivers/nvdimm/btt.c
+index b2feda35966b..471498469d0a 100644
+--- a/drivers/nvdimm/btt.c
++++ b/drivers/nvdimm/btt.c
+@@ -1259,11 +1259,11 @@ static int btt_read_pg(struct btt *btt, struct bio_integrity_payload *bip,
+
+ ret = btt_data_read(arena, page, off, postmap, cur_len);
+ if (ret) {
+- int rc;
+-
+ /* Media error - set the e_flag */
+- rc = btt_map_write(arena, premap, postmap, 0, 1,
+- NVDIMM_IO_ATOMIC);
++ if (btt_map_write(arena, premap, postmap, 0, 1, NVDIMM_IO_ATOMIC))
++ dev_warn_ratelimited(to_dev(arena),
++ "Error persistently tracking bad blocks at %#x\n",
++ premap);
+ goto out_rtt;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 4e5cff956224a5cb9216206fb5ba973ea6b5529a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 11:19:50 +0000
+Subject: mfd: mfd-core: Honour Device Tree's request to disable a child-device
+
+From: Lee Jones <lee.jones@linaro.org>
+
+[ Upstream commit 6b5c350648b857047b47acf74a57087ad27d6183 ]
+
+Until now, MFD has assumed all child devices passed to it (via
+mfd_cells) are to be registered. It does not take into account
+requests from Device Tree and the like to disable child devices
+on a per-platform basis.
+
+Well now it does.
+
+Link: https://www.spinics.net/lists/arm-kernel/msg366309.html
+Link: https://lkml.org/lkml/2019/8/22/1350
+
+Reported-by: Barry Song <Baohua.Song@csr.com>
+Reported-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Tested-by: Stephan Gerhold <stephan@gerhold.net>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/mfd-core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
+index 5c8ed2150c8b..fae7bfe7a21a 100644
+--- a/drivers/mfd/mfd-core.c
++++ b/drivers/mfd/mfd-core.c
+@@ -178,6 +178,11 @@ static int mfd_add_device(struct device *parent, int id,
+ if (parent->of_node && cell->of_compatible) {
+ for_each_child_of_node(parent->of_node, np) {
+ if (of_device_is_compatible(np, cell->of_compatible)) {
++ if (!of_device_is_available(np)) {
++ /* Ignore disabled devices error free */
++ ret = 0;
++ goto fail_alias;
++ }
+ pdev->dev.of_node = np;
+ pdev->dev.fwnode = &np->fwnode;
+ break;
+--
+2.20.1
+
--- /dev/null
+From cccfdf01cc8dcff271ecdba5c0fa246517094c99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2019 17:49:12 -0800
+Subject: ocfs2: fix passing zero to 'PTR_ERR' warning
+
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+
+[ Upstream commit 188c523e1c271d537f3c9f55b6b65bf4476de32f ]
+
+Fix a static code checker warning:
+fs/ocfs2/acl.c:331
+ ocfs2_acl_chmod() warn: passing zero to 'PTR_ERR'
+
+Link: http://lkml.kernel.org/r/1dee278b-6c96-eec2-ce76-fe6e07c6e20f@linux.alibaba.com
+Fixes: 5ee0fbd50fd ("ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang")
+Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/acl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c
+index 917fadca8a7b..b73b78771915 100644
+--- a/fs/ocfs2/acl.c
++++ b/fs/ocfs2/acl.c
+@@ -335,8 +335,8 @@ int ocfs2_acl_chmod(struct inode *inode, struct buffer_head *bh)
+ down_read(&OCFS2_I(inode)->ip_xattr_sem);
+ acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh);
+ up_read(&OCFS2_I(inode)->ip_xattr_sem);
+- if (IS_ERR(acl) || !acl)
+- return PTR_ERR(acl);
++ if (IS_ERR_OR_NULL(acl))
++ return PTR_ERR_OR_ZERO(acl);
+ ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
+ if (ret)
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 2922c0b7e53e7df11dc2ac92974a7e39f370cde8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 10:13:34 -0300
+Subject: perf regs: Make perf_reg_name() return "unknown" instead of NULL
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 5b596e0ff0e1852197d4c82d3314db5e43126bf7 ]
+
+To avoid breaking the build on arches where this is not wired up, at
+least all the other features should be made available and when using
+this specific routine, the "unknown" should point the user/developer to
+the need to wire this up on this particular hardware architecture.
+
+Detected in a container mipsel debian cross build environment, where it
+shows up as:
+
+ In file included from /usr/mipsel-linux-gnu/include/stdio.h:867,
+ from /git/linux/tools/perf/lib/include/perf/cpumap.h:6,
+ from util/session.c:13:
+ In function 'printf',
+ inlined from 'regs_dump__printf' at util/session.c:1103:3,
+ inlined from 'regs__printf' at util/session.c:1131:2:
+ /usr/mipsel-linux-gnu/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
+ 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+cross compiler details:
+
+ mipsel-linux-gnu-gcc (Debian 9.2.1-8) 9.2.1 20190909
+
+Also on mips64:
+
+ In file included from /usr/mips64-linux-gnuabi64/include/stdio.h:867,
+ from /git/linux/tools/perf/lib/include/perf/cpumap.h:6,
+ from util/session.c:13:
+ In function 'printf',
+ inlined from 'regs_dump__printf' at util/session.c:1103:3,
+ inlined from 'regs__printf' at util/session.c:1131:2,
+ inlined from 'regs_user__printf' at util/session.c:1139:3,
+ inlined from 'dump_sample' at util/session.c:1246:3,
+ inlined from 'machines__deliver_event' at util/session.c:1421:3:
+ /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
+ 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In function 'printf',
+ inlined from 'regs_dump__printf' at util/session.c:1103:3,
+ inlined from 'regs__printf' at util/session.c:1131:2,
+ inlined from 'regs_intr__printf' at util/session.c:1147:3,
+ inlined from 'dump_sample' at util/session.c:1249:3,
+ inlined from 'machines__deliver_event' at util/session.c:1421:3:
+ /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
+ 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+cross compiler details:
+
+ mips64-linux-gnuabi64-gcc (Debian 9.2.1-8) 9.2.1 20190909
+
+Fixes: 2bcd355b71da ("perf tools: Add interface to arch registers sets")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-95wjyv4o65nuaeweq31t7l1s@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/perf_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/perf_regs.h b/tools/perf/util/perf_regs.h
+index c9319f8d17a6..f732e3af2bd4 100644
+--- a/tools/perf/util/perf_regs.h
++++ b/tools/perf/util/perf_regs.h
+@@ -34,7 +34,7 @@ int perf_reg_value(u64 *valp, struct regs_dump *regs, int id);
+
+ static inline const char *perf_reg_name(int id __maybe_unused)
+ {
+- return NULL;
++ return "unknown";
+ }
+
+ static inline int perf_reg_value(u64 *valp __maybe_unused,
+--
+2.20.1
+
--- /dev/null
+From af39d18c623fbb0595eaaf5cab89e27d6b80cf0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 11:53:21 +0200
+Subject: perf script: Fix brstackinsn for AUXTRACE
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 0cd032d3b5fcebf5454315400ab310746a81ca53 ]
+
+brstackinsn must be allowed to be set by the user when AUX area data has
+been captured because, in that case, the branch stack might be
+synthesized on the fly. This fixes the following error:
+
+Before:
+
+ $ perf record -e '{intel_pt//,cpu/mem_inst_retired.all_loads,aux-sample-size=8192/pp}:u' grep -rqs jhgjhg /boot
+ [ perf record: Woken up 19 times to write data ]
+ [ perf record: Captured and wrote 2.274 MB perf.data ]
+ $ perf script -F +brstackinsn --xed --itrace=i1usl100 | head
+ Display of branch stack assembler requested, but non all-branch filter set
+ Hint: run 'perf record -b ...'
+
+After:
+
+ $ perf record -e '{intel_pt//,cpu/mem_inst_retired.all_loads,aux-sample-size=8192/pp}:u' grep -rqs jhgjhg /boot
+ [ perf record: Woken up 19 times to write data ]
+ [ perf record: Captured and wrote 2.274 MB perf.data ]
+ $ perf script -F +brstackinsn --xed --itrace=i1usl100 | head
+ grep 13759 [002] 8091.310257: 1862 instructions:uH: 5641d58069eb bmexec+0x86b (/bin/grep)
+ bmexec+2485:
+ 00005641d5806b35 jnz 0x5641d5806bd0 # MISPRED
+ 00005641d5806bd0 movzxb (%r13,%rdx,1), %eax
+ 00005641d5806bd6 add %rdi, %rax
+ 00005641d5806bd9 movzxb -0x1(%rax), %edx
+ 00005641d5806bdd cmp %rax, %r14
+ 00005641d5806be0 jnb 0x5641d58069c0 # MISPRED
+ mismatch of LBR data and executable
+ 00005641d58069c0 movzxb (%r13,%rdx,1), %edi
+
+Fixes: 48d02a1d5c13 ("perf script: Add 'brstackinsn' for branch stacks")
+Reported-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lore.kernel.org/lkml/20191127095322.15417-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-script.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
+index 76789523429a..09c4380bc225 100644
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -355,7 +355,7 @@ static int perf_evsel__check_attr(struct perf_evsel *evsel,
+ "selected. Hence, no address to lookup the source line number.\n");
+ return -EINVAL;
+ }
+- if (PRINT_FIELD(BRSTACKINSN) &&
++ if (PRINT_FIELD(BRSTACKINSN) && !allow_user_set &&
+ !(perf_evlist__combined_branch_type(session->evlist) &
+ PERF_SAMPLE_BRANCH_ANY)) {
+ pr_err("Display of branch stack assembler requested, but non all-branch filter set\n"
+--
+2.20.1
+
--- /dev/null
+From 409022ce01db53886ba3c38b4fb127856e955fd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 14:16:56 +0530
+Subject: powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+[ Upstream commit 16f6b67cf03cb43db7104acb2ca877bdc2606c92 ]
+
+With large memory (8TB and more) hotplug, we can get soft lockup
+warnings as below. These were caused by a long loop without any
+explicit cond_resched which is a problem for !PREEMPT kernels.
+
+Avoid this using cond_resched() while inserting hash page table
+entries. We already do similar cond_resched() in __add_pages(), see
+commit f64ac5e6e306 ("mm, memory_hotplug: add scheduling point to
+__add_pages").
+
+ rcu: 3-....: (24002 ticks this GP) idle=13e/1/0x4000000000000002 softirq=722/722 fqs=12001
+ (t=24003 jiffies g=4285 q=2002)
+ NMI backtrace for cpu 3
+ CPU: 3 PID: 3870 Comm: ndctl Not tainted 5.3.0-197.18-default+ #2
+ Call Trace:
+ dump_stack+0xb0/0xf4 (unreliable)
+ nmi_cpu_backtrace+0x124/0x130
+ nmi_trigger_cpumask_backtrace+0x1ac/0x1f0
+ arch_trigger_cpumask_backtrace+0x28/0x3c
+ rcu_dump_cpu_stacks+0xf8/0x154
+ rcu_sched_clock_irq+0x878/0xb40
+ update_process_times+0x48/0x90
+ tick_sched_handle.isra.16+0x4c/0x80
+ tick_sched_timer+0x68/0xe0
+ __hrtimer_run_queues+0x180/0x430
+ hrtimer_interrupt+0x110/0x300
+ timer_interrupt+0x108/0x2f0
+ decrementer_common+0x114/0x120
+ --- interrupt: 901 at arch_add_memory+0xc0/0x130
+ LR = arch_add_memory+0x74/0x130
+ memremap_pages+0x494/0x650
+ devm_memremap_pages+0x3c/0xa0
+ pmem_attach_disk+0x188/0x750
+ nvdimm_bus_probe+0xac/0x2c0
+ really_probe+0x148/0x570
+ driver_probe_device+0x19c/0x1d0
+ device_driver_attach+0xcc/0x100
+ bind_store+0x134/0x1c0
+ drv_attr_store+0x44/0x60
+ sysfs_kf_write+0x64/0x90
+ kernfs_fop_write+0x1a0/0x270
+ __vfs_write+0x3c/0x70
+ vfs_write+0xd0/0x260
+ ksys_write+0xdc/0x130
+ system_call+0x5c/0x68
+
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191001084656.31277-1-aneesh.kumar@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/hash_utils_64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c
+index cf1d76e03635..387600ecea60 100644
+--- a/arch/powerpc/mm/hash_utils_64.c
++++ b/arch/powerpc/mm/hash_utils_64.c
+@@ -303,6 +303,7 @@ int htab_bolt_mapping(unsigned long vstart, unsigned long vend,
+ if (ret < 0)
+ break;
+
++ cond_resched();
+ #ifdef CONFIG_DEBUG_PAGEALLOC
+ if (debug_pagealloc_enabled() &&
+ (paddr >> PAGE_SHIFT) < linear_map_hash_count)
+--
+2.20.1
+
--- /dev/null
+From 76bcf1b41425ed0dd5263c5a81b9c8e5fd40dc9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 15:29:22 +0100
+Subject: powerpc/pseries/cmm: Implement release() function for sysfs device
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit 7d8212747435c534c8d564fbef4541a463c976ff ]
+
+When unloading the module, one gets
+ ------------[ cut here ]------------
+ Device 'cmm0' does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
+ WARNING: CPU: 0 PID: 19308 at drivers/base/core.c:1244 .device_release+0xcc/0xf0
+ ...
+
+We only have one static fake device. There is nothing to do when
+releasing the device (via cmm_exit()).
+
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191031142933.10779-2-david@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/cmm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/powerpc/platforms/pseries/cmm.c b/arch/powerpc/platforms/pseries/cmm.c
+index 4ac419c7eb4c..25224c9e1dc0 100644
+--- a/arch/powerpc/platforms/pseries/cmm.c
++++ b/arch/powerpc/platforms/pseries/cmm.c
+@@ -425,6 +425,10 @@ static struct bus_type cmm_subsys = {
+ .dev_name = "cmm",
+ };
+
++static void cmm_release_device(struct device *dev)
++{
++}
++
+ /**
+ * cmm_sysfs_register - Register with sysfs
+ *
+@@ -440,6 +444,7 @@ static int cmm_sysfs_register(struct device *dev)
+
+ dev->id = 0;
+ dev->bus = &cmm_subsys;
++ dev->release = cmm_release_device;
+
+ if ((rc = device_register(dev)))
+ goto subsys_unregister;
+--
+2.20.1
+
--- /dev/null
+From a419333554f0c1412283116cca882314cc7ec4ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 15:05:41 +0530
+Subject: powerpc/pseries: Don't fail hash page table insert for bolted mapping
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+[ Upstream commit 75838a3290cd4ebbd1f567f310ba04b6ef017ce4 ]
+
+If the hypervisor returned H_PTEG_FULL for H_ENTER hcall, retry a hash page table
+insert by removing a random entry from the group.
+
+After some runtime, it is very well possible to find all the 8 hash page table
+entry slot in the hpte group used for mapping. Don't fail a bolted entry insert
+in that case. With Storage class memory a user can find this error easily since
+a namespace enable/disable is equivalent to memory add/remove.
+
+This results in failures as reported below:
+
+$ ndctl create-namespace -r region1 -t pmem -m devdax -a 65536 -s 100M
+libndctl: ndctl_dax_enable: dax1.3: failed to enable
+ Error: namespace1.2: failed to enable
+
+failed to create namespace: No such device or address
+
+In kernel log we find the details as below:
+
+Unable to create mapping for hot added memory 0xc000042006000000..0xc00004200d000000: -1
+dax_pmem: probe of dax1.3 failed with error -14
+
+This indicates that we failed to create a bolted hash table entry for direct-map
+address backing the namespace.
+
+We also observe failures such that not all namespaces will be enabled with
+ndctl enable-namespace all command.
+
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191024093542.29777-2-aneesh.kumar@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/hash_utils_64.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c
+index 58c14749bb0c..cf1d76e03635 100644
+--- a/arch/powerpc/mm/hash_utils_64.c
++++ b/arch/powerpc/mm/hash_utils_64.c
+@@ -292,7 +292,14 @@ int htab_bolt_mapping(unsigned long vstart, unsigned long vend,
+ ret = mmu_hash_ops.hpte_insert(hpteg, vpn, paddr, tprot,
+ HPTE_V_BOLTED, psize, psize,
+ ssize);
+-
++ if (ret == -1) {
++ /* Try to remove a non bolted entry */
++ ret = mmu_hash_ops.hpte_remove(hpteg);
++ if (ret != -1)
++ ret = mmu_hash_ops.hpte_insert(hpteg, vpn, paddr, tprot,
++ HPTE_V_BOLTED, psize, psize,
++ ssize);
++ }
+ if (ret < 0)
+ break;
+
+--
+2.20.1
+
--- /dev/null
+From af9761aefceaa444aa60ae776d0e440be01be60f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2019 21:23:51 +1100
+Subject: powerpc/pseries: Mark accumulate_stolen_time() as notrace
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit eb8e20f89093b64f48975c74ccb114e6775cee22 ]
+
+accumulate_stolen_time() is called prior to interrupt state being
+reconciled, which can trip the warning in arch_local_irq_restore():
+
+ WARNING: CPU: 5 PID: 1017 at arch/powerpc/kernel/irq.c:258 .arch_local_irq_restore+0x9c/0x130
+ ...
+ NIP .arch_local_irq_restore+0x9c/0x130
+ LR .rb_start_commit+0x38/0x80
+ Call Trace:
+ .ring_buffer_lock_reserve+0xe4/0x620
+ .trace_function+0x44/0x210
+ .function_trace_call+0x148/0x170
+ .ftrace_ops_no_ops+0x180/0x1d0
+ ftrace_call+0x4/0x8
+ .accumulate_stolen_time+0x1c/0xb0
+ decrementer_common+0x124/0x160
+
+For now just mark it as notrace. We may change the ordering to call it
+after interrupt state has been reconciled, but that is a larger
+change.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191024055932.27940-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c
+index 14f3f28a089e..66a9987dc0f8 100644
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -241,7 +241,7 @@ static u64 scan_dispatch_log(u64 stop_tb)
+ * Accumulate stolen time by scanning the dispatch trace log.
+ * Called on entry from user mode.
+ */
+-void accumulate_stolen_time(void)
++void notrace accumulate_stolen_time(void)
+ {
+ u64 sst, ust;
+ u8 save_soft_enabled = local_paca->soft_enabled;
+--
+2.20.1
+
--- /dev/null
+From 3a433d57724a3e769ed1ec7f2a6754541a8b9515 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 12:07:59 -0700
+Subject: powerpc/security/book3s64: Report L1TF status in sysfs
+
+From: Anthony Steinhauser <asteinhauser@google.com>
+
+[ Upstream commit 8e6b6da91ac9b9ec5a925b6cb13f287a54bd547d ]
+
+Some PowerPC CPUs are vulnerable to L1TF to the same extent as to
+Meltdown. It is also mitigated by flushing the L1D on privilege
+transition.
+
+Currently the sysfs gives a false negative on L1TF on CPUs that I
+verified to be vulnerable, a Power9 Talos II Boston 004e 1202, PowerNV
+T2P9D01.
+
+Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+[mpe: Just have cpu_show_l1tf() call cpu_show_meltdown() directly]
+Link: https://lore.kernel.org/r/20191029190759.84821-1-asteinhauser@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/security.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
+index f5d6541bf8c2..fef3f09fc238 100644
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -160,6 +160,11 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha
+
+ return sprintf(buf, "Vulnerable\n");
+ }
++
++ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
++{
++ return cpu_show_meltdown(dev, attr, buf);
++}
+ #endif
+
+ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
+--
+2.20.1
+
--- /dev/null
+From de489ac563af2d646d8dbf742e89546441c34569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 May 2019 18:09:07 -0300
+Subject: powerpc/security: Fix wrong message when RFI Flush is disable
+
+From: Gustavo L. F. Walbon <gwalbon@linux.ibm.com>
+
+[ Upstream commit 4e706af3cd8e1d0503c25332b30cad33c97ed442 ]
+
+The issue was showing "Mitigation" message via sysfs whatever the
+state of "RFI Flush", but it should show "Vulnerable" when it is
+disabled.
+
+If you have "L1D private" feature enabled and not "RFI Flush" you are
+vulnerable to meltdown attacks.
+
+"RFI Flush" is the key feature to mitigate the meltdown whatever the
+"L1D private" state.
+
+SEC_FTR_L1D_THREAD_PRIV is a feature for Power9 only.
+
+So the message should be as the truth table shows:
+
+ CPU | L1D private | RFI Flush | sysfs
+ ----|-------------|-----------|-------------------------------------
+ P9 | False | False | Vulnerable
+ P9 | False | True | Mitigation: RFI Flush
+ P9 | True | False | Vulnerable: L1D private per thread
+ P9 | True | True | Mitigation: RFI Flush, L1D private per thread
+ P8 | False | False | Vulnerable
+ P8 | False | True | Mitigation: RFI Flush
+
+Output before this fix:
+ # cat /sys/devices/system/cpu/vulnerabilities/meltdown
+ Mitigation: RFI Flush, L1D private per thread
+ # echo 0 > /sys/kernel/debug/powerpc/rfi_flush
+ # cat /sys/devices/system/cpu/vulnerabilities/meltdown
+ Mitigation: L1D private per thread
+
+Output after fix:
+ # cat /sys/devices/system/cpu/vulnerabilities/meltdown
+ Mitigation: RFI Flush, L1D private per thread
+ # echo 0 > /sys/kernel/debug/powerpc/rfi_flush
+ # cat /sys/devices/system/cpu/vulnerabilities/meltdown
+ Vulnerable: L1D private per thread
+
+Signed-off-by: Gustavo L. F. Walbon <gwalbon@linux.ibm.com>
+Signed-off-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190502210907.42375-1-gwalbon@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/security.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
+index fef3f09fc238..b3f540c9f410 100644
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -134,26 +134,22 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha
+
+ thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV);
+
+- if (rfi_flush || thread_priv) {
++ if (rfi_flush) {
+ struct seq_buf s;
+ seq_buf_init(&s, buf, PAGE_SIZE - 1);
+
+- seq_buf_printf(&s, "Mitigation: ");
+-
+- if (rfi_flush)
+- seq_buf_printf(&s, "RFI Flush");
+-
+- if (rfi_flush && thread_priv)
+- seq_buf_printf(&s, ", ");
+-
++ seq_buf_printf(&s, "Mitigation: RFI Flush");
+ if (thread_priv)
+- seq_buf_printf(&s, "L1D private per thread");
++ seq_buf_printf(&s, ", L1D private per thread");
+
+ seq_buf_printf(&s, "\n");
+
+ return s.len;
+ }
+
++ if (thread_priv)
++ return sprintf(buf, "Vulnerable: L1D private per thread\n");
++
+ if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
+ !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
+ return sprintf(buf, "Not affected\n");
+--
+2.20.1
+
--- /dev/null
+From f6978d99958952ac52de6074908406c345bc1e8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 11:47:30 +1100
+Subject: powerpc/tools: Don't quote $objdump in scripts
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit e44ff9ea8f4c8a90c82f7b85bd4f5e497c841960 ]
+
+Some of our scripts are passed $objdump and then call it as
+"$objdump". This doesn't work if it contains spaces because we're
+using ccache, for example you get errors such as:
+
+ ./arch/powerpc/tools/relocs_check.sh: line 48: ccache ppc64le-objdump: No such file or directory
+ ./arch/powerpc/tools/unrel_branch_check.sh: line 26: ccache ppc64le-objdump: No such file or directory
+
+Fix it by not quoting the string when we expand it, allowing the shell
+to do the right thing for us.
+
+Fixes: a71aa05e1416 ("powerpc: Convert relocs_check to a shell script using grep")
+Fixes: 4ea80652dc75 ("powerpc/64s: Tool to flag direct branches from unrelocated interrupt vectors")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191024004730.32135-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/tools/relocs_check.sh | 2 +-
+ arch/powerpc/tools/unrel_branch_check.sh | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/tools/relocs_check.sh b/arch/powerpc/tools/relocs_check.sh
+index ec2d5c835170..d6c16e7faa38 100755
+--- a/arch/powerpc/tools/relocs_check.sh
++++ b/arch/powerpc/tools/relocs_check.sh
+@@ -23,7 +23,7 @@ objdump="$1"
+ vmlinux="$2"
+
+ bad_relocs=$(
+-"$objdump" -R "$vmlinux" |
++$objdump -R "$vmlinux" |
+ # Only look at relocation lines.
+ grep -E '\<R_' |
+ # These relocations are okay
+diff --git a/arch/powerpc/tools/unrel_branch_check.sh b/arch/powerpc/tools/unrel_branch_check.sh
+index 1e972df3107e..77114755dc6f 100755
+--- a/arch/powerpc/tools/unrel_branch_check.sh
++++ b/arch/powerpc/tools/unrel_branch_check.sh
+@@ -18,14 +18,14 @@ vmlinux="$2"
+ #__end_interrupts should be located within the first 64K
+
+ end_intr=0x$(
+-"$objdump" -R "$vmlinux" -d --start-address=0xc000000000000000 \
++$objdump -R "$vmlinux" -d --start-address=0xc000000000000000 \
+ --stop-address=0xc000000000010000 |
+ grep '\<__end_interrupts>:' |
+ awk '{print $1}'
+ )
+
+ BRANCHES=$(
+-"$objdump" -R "$vmlinux" -D --start-address=0xc000000000000000 \
++$objdump -R "$vmlinux" -D --start-address=0xc000000000000000 \
+ --stop-address=${end_intr} |
+ grep -e "^c[0-9a-f]*:[[:space:]]*\([0-9a-f][0-9a-f][[:space:]]\)\{4\}[[:space:]]*b" |
+ grep -v '\<__start_initialization_multiplatform>' |
+--
+2.20.1
+
--- /dev/null
+From 72bb7f5d89530beb198edfcad6e3adf5b9671ee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2019 16:43:15 +0100
+Subject: s390/cpum_sf: Check for SDBT and SDB consistency
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 247f265fa502e7b17a0cb0cc330e055a36aafce4 ]
+
+Each SBDT is located at a 4KB page and contains 512 entries.
+Each entry of a SDBT points to a SDB, a 4KB page containing
+sampled data. The last entry is a link to another SDBT page.
+
+When an event is created the function sequence executed is:
+
+ __hw_perf_event_init()
+ +--> allocate_buffers()
+ +--> realloc_sampling_buffers()
+ +---> alloc_sample_data_block()
+
+Both functions realloc_sampling_buffers() and
+alloc_sample_data_block() allocate pages and the allocation
+can fail. This is handled correctly and all allocated
+pages are freed and error -ENOMEM is returned to the
+top calling function. Finally the event is not created.
+
+Once the event has been created, the amount of initially
+allocated SDBT and SDB can be too low. This is detected
+during measurement interrupt handling, where the amount
+of lost samples is calculated. If the number of lost samples
+is too high considering sampling frequency and already allocated
+SBDs, the number of SDBs is enlarged during the next execution
+of cpumsf_pmu_enable().
+
+If more SBDs need to be allocated, functions
+
+ realloc_sampling_buffers()
+ +---> alloc-sample_data_block()
+
+are called to allocate more pages. Page allocation may fail
+and the returned error is ignored. A SDBT and SDB setup
+already exists.
+
+However the modified SDBTs and SDBs might end up in a situation
+where the first entry of an SDBT does not point to an SDB,
+but another SDBT, basicly an SBDT without payload.
+This can not be handled by the interrupt handler, where an SDBT
+must have at least one entry pointing to an SBD.
+
+Add a check to avoid SDBTs with out payload (SDBs) when enlarging
+the buffer setup.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 2e2fd9535f86..45304085b6ee 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -185,7 +185,7 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb,
+ unsigned long num_sdb, gfp_t gfp_flags)
+ {
+ int i, rc;
+- unsigned long *new, *tail;
++ unsigned long *new, *tail, *tail_prev = NULL;
+
+ if (!sfb->sdbt || !sfb->tail)
+ return -EINVAL;
+@@ -224,6 +224,7 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb,
+ sfb->num_sdbt++;
+ /* Link current page to tail of chain */
+ *tail = (unsigned long)(void *) new + 1;
++ tail_prev = tail;
+ tail = new;
+ }
+
+@@ -233,10 +234,22 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb,
+ * issue, a new realloc call (if required) might succeed.
+ */
+ rc = alloc_sample_data_block(tail, gfp_flags);
+- if (rc)
++ if (rc) {
++ /* Undo last SDBT. An SDBT with no SDB at its first
++ * entry but with an SDBT entry instead can not be
++ * handled by the interrupt handler code.
++ * Avoid this situation.
++ */
++ if (tail_prev) {
++ sfb->num_sdbt--;
++ free_page((unsigned long) new);
++ tail = tail_prev;
++ }
+ break;
++ }
+ sfb->num_sdb++;
+ tail++;
++ tail_prev = new = NULL; /* Allocated at least one SBD */
+ }
+
+ /* Link sampling buffer to its origin */
+--
+2.20.1
+
--- /dev/null
+From edd26810029fc7531eaf849623f8c2b8545ed92a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2019 11:44:31 +0100
+Subject: s390/zcrypt: handle new reply code FILTERED_BY_HYPERVISOR
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 6733775a92eacd612ac88afa0fd922e4ffeb2bc7 ]
+
+This patch introduces support for a new architectured reply
+code 0x8B indicating that a hypervisor layer (if any) has
+rejected an ap message.
+
+Linux may run as a guest on top of a hypervisor like zVM
+or KVM. So the crypto hardware seen by the ap bus may be
+restricted by the hypervisor for example only a subset like
+only clear key crypto requests may be supported. Other
+requests will be filtered out - rejected by the hypervisor.
+The new reply code 0x8B will appear in such cases and needs
+to get recognized by the ap bus and zcrypt device driver zoo.
+
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_error.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/s390/crypto/zcrypt_error.h b/drivers/s390/crypto/zcrypt_error.h
+index 9499cd3a05f8..02a936db0092 100644
+--- a/drivers/s390/crypto/zcrypt_error.h
++++ b/drivers/s390/crypto/zcrypt_error.h
+@@ -75,6 +75,7 @@ struct error_hdr {
+ #define REP82_ERROR_EVEN_MOD_IN_OPND 0x85
+ #define REP82_ERROR_RESERVED_FIELD 0x88
+ #define REP82_ERROR_INVALID_DOMAIN_PENDING 0x8A
++#define REP82_ERROR_FILTERED_BY_HYPERVISOR 0x8B
+ #define REP82_ERROR_TRANSPORT_FAIL 0x90
+ #define REP82_ERROR_PACKET_TRUNCATED 0xA0
+ #define REP82_ERROR_ZERO_BUFFER_LEN 0xB0
+@@ -105,6 +106,7 @@ static inline int convert_error(struct zcrypt_queue *zq,
+ case REP82_ERROR_INVALID_DOMAIN_PRECHECK:
+ case REP82_ERROR_INVALID_DOMAIN_PENDING:
+ case REP82_ERROR_INVALID_SPECIAL_CMD:
++ case REP82_ERROR_FILTERED_BY_HYPERVISOR:
+ // REP88_ERROR_INVALID_KEY // '82' CEX2A
+ // REP88_ERROR_OPERAND // '84' CEX2A
+ // REP88_ERROR_OPERAND_EVEN_MOD // '85' CEX2A
+--
+2.20.1
+
--- /dev/null
+From c64d8552cf677366abbabbf82671d9ac4ec73e08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Nov 2019 01:04:30 +0900
+Subject: scripts/kallsyms: fix definitely-lost memory leak
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit 21915eca088dc271c970e8351290e83d938114ac ]
+
+build_initial_tok_table() overwrites unused sym_entry to shrink the
+table size. Before the entry is overwritten, table[i].sym must be freed
+since it is malloc'ed data.
+
+This fixes the 'definitely lost' report from valgrind. I ran valgrind
+against x86_64_defconfig of v5.4-rc8 kernel, and here is the summary:
+
+[Before the fix]
+
+ LEAK SUMMARY:
+ definitely lost: 53,184 bytes in 2,874 blocks
+
+[After the fix]
+
+ LEAK SUMMARY:
+ definitely lost: 0 bytes in 0 blocks
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kallsyms.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
+index b471022c8162..b43531899648 100644
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -510,6 +510,8 @@ static void build_initial_tok_table(void)
+ table[pos] = table[i];
+ learn_symbol(table[pos].sym, table[pos].len);
+ pos++;
++ } else {
++ free(table[i].sym);
+ }
+ }
+ table_cnt = pos;
+--
+2.20.1
+
--- /dev/null
+From 5d06939faedafa4641e94accb732aecd8715936e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Nov 2019 12:06:54 +1100
+Subject: scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 79172ab20bfd8437b277254028efdb68484e2c21 ]
+
+Since the scsi subsystem adopted the blk-mq API, a host with zero
+sg_tablesize crashes with a NULL pointer dereference.
+
+blk_queue_max_segments: set to minimum 1
+scsi 0:0:0:0: Direct-Access QEMU QEMU HARDDISK 2.5+ PQ: 0 ANSI: 5
+scsi target0:0:0: Beginning Domain Validation
+scsi target0:0:0: Domain Validation skipping write tests
+scsi target0:0:0: Ending Domain Validation
+blk_queue_max_segments: set to minimum 1
+scsi 0:0:1:0: Direct-Access QEMU QEMU HARDDISK 2.5+ PQ: 0 ANSI: 5
+scsi target0:0:1: Beginning Domain Validation
+scsi target0:0:1: Domain Validation skipping write tests
+scsi target0:0:1: Ending Domain Validation
+blk_queue_max_segments: set to minimum 1
+scsi 0:0:2:0: CD-ROM QEMU QEMU CD-ROM 2.5+ PQ: 0 ANSI: 5
+scsi target0:0:2: Beginning Domain Validation
+scsi target0:0:2: Domain Validation skipping write tests
+scsi target0:0:2: Ending Domain Validation
+blk_queue_max_segments: set to minimum 1
+blk_queue_max_segments: set to minimum 1
+blk_queue_max_segments: set to minimum 1
+blk_queue_max_segments: set to minimum 1
+sr 0:0:2:0: Power-on or device reset occurred
+sd 0:0:0:0: Power-on or device reset occurred
+sd 0:0:1:0: Power-on or device reset occurred
+sd 0:0:0:0: [sda] 10485762 512-byte logical blocks: (5.37 GB/5.00 GiB)
+sd 0:0:0:0: [sda] Write Protect is off
+sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
+Unable to handle kernel NULL pointer dereference at virtual address (ptrval)
+Oops: 00000000
+Modules linked in:
+PC: [<001cd874>] blk_mq_free_request+0x66/0xe2
+SR: 2004 SP: (ptrval) a2: 00874520
+d0: 00000000 d1: 00000000 d2: 009ba800 d3: 00000000
+d4: 00000000 d5: 08000002 a0: 0087be68 a1: 009a81e0
+Process kworker/u2:2 (pid: 15, task=(ptrval))
+Frame format=7 eff addr=0000007a ssw=0505 faddr=0000007a
+wb 1 stat/addr/data: 0000 00000000 00000000
+wb 2 stat/addr/data: 0000 00000000 00000000
+wb 3 stat/addr/data: 0000 0000007a 00000000
+push data: 00000000 00000000 00000000 00000000
+Stack from 0087bd98:
+ 00000002 00000000 0087be72 009a7820 0087bdb4 001c4f6c 009a7820 0087bdd4
+ 0024d200 009a7820 0024d0dc 0087be72 009baa00 0087be68 009a5000 0087be7c
+ 00265d10 009a5000 0087be72 00000003 00000000 00000000 00000000 0087be68
+ 00000bb8 00000005 00000000 00000000 00000000 00000000 00265c56 00000000
+ 009ba60c 0036ddf4 00000002 ffffffff 009baa00 009ba600 009a50d6 0087be74
+ 00227ba0 009baa08 00000001 009baa08 009ba60c 0036ddf4 00000000 00000000
+Call Trace: [<001c4f6c>] blk_put_request+0xe/0x14
+ [<0024d200>] __scsi_execute+0x124/0x174
+ [<0024d0dc>] __scsi_execute+0x0/0x174
+ [<00265d10>] sd_revalidate_disk+0xba/0x1f02
+ [<00265c56>] sd_revalidate_disk+0x0/0x1f02
+ [<0036ddf4>] strlen+0x0/0x22
+ [<00227ba0>] device_add+0x3da/0x604
+ [<0036ddf4>] strlen+0x0/0x22
+ [<00267e64>] sd_probe+0x30c/0x4b4
+ [<0002da44>] process_one_work+0x0/0x402
+ [<0022b978>] really_probe+0x226/0x354
+ [<0022bc34>] driver_probe_device+0xa4/0xf0
+ [<0002da44>] process_one_work+0x0/0x402
+ [<0022bcd0>] __driver_attach_async_helper+0x50/0x70
+ [<00035dae>] async_run_entry_fn+0x36/0x130
+ [<0002db88>] process_one_work+0x144/0x402
+ [<0002e1aa>] worker_thread+0x0/0x570
+ [<0002e29a>] worker_thread+0xf0/0x570
+ [<0002e1aa>] worker_thread+0x0/0x570
+ [<003768d8>] schedule+0x0/0xb8
+ [<0003f58c>] __init_waitqueue_head+0x0/0x12
+ [<00033e92>] kthread+0xc2/0xf6
+ [<000331e8>] kthread_parkme+0x0/0x4e
+ [<003768d8>] schedule+0x0/0xb8
+ [<00033dd0>] kthread+0x0/0xf6
+ [<00002c10>] ret_from_kernel_thread+0xc/0x14
+Code: 0280 0006 0800 56c0 4400 0280 0000 00ff <52b4> 0c3a 082b 0006 0013 6706 2042 53a8 00c4 4ab9 0047 3374 6640 202d 000c 670c
+Disabling lock debugging due to kernel taint
+
+Avoid this by setting sg_tablesize = 1.
+
+Link: https://lore.kernel.org/r/4567bcae94523b47d6f3b77450ba305823bca479.1572656814.git.fthain@telegraphics.com.au
+Reported-and-tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Michael Schmitz <schmitzmic@gmail.com>
+References: commit 68ab2d76e4be ("scsi: cxlflash: Set sg_tablesize to 1 instead of SG_NONE")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/atari_scsi.c | 6 +++---
+ drivers/scsi/mac_scsi.c | 2 +-
+ drivers/scsi/sun3_scsi.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/atari_scsi.c b/drivers/scsi/atari_scsi.c
+index 89f5154c40b6..764c46d7333e 100644
+--- a/drivers/scsi/atari_scsi.c
++++ b/drivers/scsi/atari_scsi.c
+@@ -742,7 +742,7 @@ static int __init atari_scsi_probe(struct platform_device *pdev)
+ atari_scsi_template.sg_tablesize = SG_ALL;
+ } else {
+ atari_scsi_template.can_queue = 1;
+- atari_scsi_template.sg_tablesize = SG_NONE;
++ atari_scsi_template.sg_tablesize = 1;
+ }
+
+ if (setup_can_queue > 0)
+@@ -751,8 +751,8 @@ static int __init atari_scsi_probe(struct platform_device *pdev)
+ if (setup_cmd_per_lun > 0)
+ atari_scsi_template.cmd_per_lun = setup_cmd_per_lun;
+
+- /* Leave sg_tablesize at 0 on a Falcon! */
+- if (ATARIHW_PRESENT(TT_SCSI) && setup_sg_tablesize >= 0)
++ /* Don't increase sg_tablesize on Falcon! */
++ if (ATARIHW_PRESENT(TT_SCSI) && setup_sg_tablesize > 0)
+ atari_scsi_template.sg_tablesize = setup_sg_tablesize;
+
+ if (setup_hostid >= 0) {
+diff --git a/drivers/scsi/mac_scsi.c b/drivers/scsi/mac_scsi.c
+index 643321fc152d..b5050c2ede00 100644
+--- a/drivers/scsi/mac_scsi.c
++++ b/drivers/scsi/mac_scsi.c
+@@ -429,7 +429,7 @@ static int __init mac_scsi_probe(struct platform_device *pdev)
+ mac_scsi_template.can_queue = setup_can_queue;
+ if (setup_cmd_per_lun > 0)
+ mac_scsi_template.cmd_per_lun = setup_cmd_per_lun;
+- if (setup_sg_tablesize >= 0)
++ if (setup_sg_tablesize > 0)
+ mac_scsi_template.sg_tablesize = setup_sg_tablesize;
+ if (setup_hostid >= 0)
+ mac_scsi_template.this_id = setup_hostid & 7;
+diff --git a/drivers/scsi/sun3_scsi.c b/drivers/scsi/sun3_scsi.c
+index 9492638296c8..af8a7ef9c858 100644
+--- a/drivers/scsi/sun3_scsi.c
++++ b/drivers/scsi/sun3_scsi.c
+@@ -498,7 +498,7 @@ static struct scsi_host_template sun3_scsi_template = {
+ .eh_host_reset_handler = sun3scsi_host_reset,
+ .can_queue = 16,
+ .this_id = 7,
+- .sg_tablesize = SG_NONE,
++ .sg_tablesize = 1,
+ .cmd_per_lun = 2,
+ .use_clustering = DISABLE_CLUSTERING,
+ .cmd_size = NCR5380_CMD_SIZE,
+@@ -520,7 +520,7 @@ static int __init sun3_scsi_probe(struct platform_device *pdev)
+ sun3_scsi_template.can_queue = setup_can_queue;
+ if (setup_cmd_per_lun > 0)
+ sun3_scsi_template.cmd_per_lun = setup_cmd_per_lun;
+- if (setup_sg_tablesize >= 0)
++ if (setup_sg_tablesize > 0)
+ sun3_scsi_template.sg_tablesize = setup_sg_tablesize;
+ if (setup_hostid >= 0)
+ sun3_scsi_template.this_id = setup_hostid & 7;
+--
+2.20.1
+
--- /dev/null
+From 686ca5282fba35ee236f67dab5d9462698450b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Oct 2019 11:59:13 +0300
+Subject: scsi: csiostor: Don't enable IRQs too early
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d6c9b31ac3064fbedf8961f120a4c117daa59932 ]
+
+These are called with IRQs disabled from csio_mgmt_tmo_handler() so we
+can't call spin_unlock_irq() or it will enable IRQs prematurely.
+
+Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver")
+Link: https://lore.kernel.org/r/20191019085913.GA14245@mwanda
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_lnode.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c
+index be5ee2d37815..957767d38361 100644
+--- a/drivers/scsi/csiostor/csio_lnode.c
++++ b/drivers/scsi/csiostor/csio_lnode.c
+@@ -301,6 +301,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
+ struct fc_fdmi_port_name *port_name;
+ uint8_t buf[64];
+ uint8_t *fc4_type;
++ unsigned long flags;
+
+ if (fdmi_req->wr_status != FW_SUCCESS) {
+ csio_ln_dbg(ln, "WR error:%x in processing fdmi rhba cmd\n",
+@@ -377,13 +378,13 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
+ len = (uint32_t)(pld - (uint8_t *)cmd);
+
+ /* Submit FDMI RPA request */
+- spin_lock_irq(&hw->lock);
++ spin_lock_irqsave(&hw->lock, flags);
+ if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_done,
+ FCOE_CT, &fdmi_req->dma_buf, len)) {
+ CSIO_INC_STATS(ln, n_fdmi_err);
+ csio_ln_dbg(ln, "Failed to issue fdmi rpa req\n");
+ }
+- spin_unlock_irq(&hw->lock);
++ spin_unlock_irqrestore(&hw->lock, flags);
+ }
+
+ /*
+@@ -404,6 +405,7 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
+ struct fc_fdmi_rpl *reg_pl;
+ struct fs_fdmi_attrs *attrib_blk;
+ uint8_t buf[64];
++ unsigned long flags;
+
+ if (fdmi_req->wr_status != FW_SUCCESS) {
+ csio_ln_dbg(ln, "WR error:%x in processing fdmi dprt cmd\n",
+@@ -483,13 +485,13 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
+ attrib_blk->numattrs = htonl(numattrs);
+
+ /* Submit FDMI RHBA request */
+- spin_lock_irq(&hw->lock);
++ spin_lock_irqsave(&hw->lock, flags);
+ if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_rhba_cbfn,
+ FCOE_CT, &fdmi_req->dma_buf, len)) {
+ CSIO_INC_STATS(ln, n_fdmi_err);
+ csio_ln_dbg(ln, "Failed to issue fdmi rhba req\n");
+ }
+- spin_unlock_irq(&hw->lock);
++ spin_unlock_irqrestore(&hw->lock, flags);
+ }
+
+ /*
+@@ -504,6 +506,7 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
+ void *cmd;
+ struct fc_fdmi_port_name *port_name;
+ uint32_t len;
++ unsigned long flags;
+
+ if (fdmi_req->wr_status != FW_SUCCESS) {
+ csio_ln_dbg(ln, "WR error:%x in processing fdmi dhba cmd\n",
+@@ -534,13 +537,13 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
+ len += sizeof(*port_name);
+
+ /* Submit FDMI request */
+- spin_lock_irq(&hw->lock);
++ spin_lock_irqsave(&hw->lock, flags);
+ if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_dprt_cbfn,
+ FCOE_CT, &fdmi_req->dma_buf, len)) {
+ CSIO_INC_STATS(ln, n_fdmi_err);
+ csio_ln_dbg(ln, "Failed to issue fdmi dprt req\n");
+ }
+- spin_unlock_irq(&hw->lock);
++ spin_unlock_irqrestore(&hw->lock, flags);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 65ee33ccc828ec4f2a767b7235eaf16a15630c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 19:47:35 -0500
+Subject: scsi: iscsi: Don't send data to unbound connection
+
+From: Anatol Pomazau <anatol@google.com>
+
+[ Upstream commit 238191d65d7217982d69e21c1d623616da34b281 ]
+
+If a faulty initiator fails to bind the socket to the iSCSI connection
+before emitting a command, for instance, a subsequent send_pdu, it will
+crash the kernel due to a null pointer dereference in sock_sendmsg(), as
+shown in the log below. This patch makes sure the bind succeeded before
+trying to use the socket.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.4.0-rc2.iscsi+ #13
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+[ 24.158246] Workqueue: iscsi_q_0 iscsi_xmitworker
+[ 24.158883] RIP: 0010:apparmor_socket_sendmsg+0x5/0x20
+[...]
+[ 24.161739] RSP: 0018:ffffab6440043ca0 EFLAGS: 00010282
+[ 24.162400] RAX: ffffffff891c1c00 RBX: ffffffff89d53968 RCX: 0000000000000001
+[ 24.163253] RDX: 0000000000000030 RSI: ffffab6440043d00 RDI: 0000000000000000
+[ 24.164104] RBP: 0000000000000030 R08: 0000000000000030 R09: 0000000000000030
+[ 24.165166] R10: ffffffff893e66a0 R11: 0000000000000018 R12: ffffab6440043d00
+[ 24.166038] R13: 0000000000000000 R14: 0000000000000000 R15: ffff9d5575a62e90
+[ 24.166919] FS: 0000000000000000(0000) GS:ffff9d557db80000(0000) knlGS:0000000000000000
+[ 24.167890] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 24.168587] CR2: 0000000000000018 CR3: 000000007a838000 CR4: 00000000000006e0
+[ 24.169451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 24.170320] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 24.171214] Call Trace:
+[ 24.171537] security_socket_sendmsg+0x3a/0x50
+[ 24.172079] sock_sendmsg+0x16/0x60
+[ 24.172506] iscsi_sw_tcp_xmit_segment+0x77/0x120
+[ 24.173076] iscsi_sw_tcp_pdu_xmit+0x58/0x170
+[ 24.173604] ? iscsi_dbg_trace+0x63/0x80
+[ 24.174087] iscsi_tcp_task_xmit+0x101/0x280
+[ 24.174666] iscsi_xmit_task+0x83/0x110
+[ 24.175206] iscsi_xmitworker+0x57/0x380
+[ 24.175757] ? __schedule+0x2a2/0x700
+[ 24.176273] process_one_work+0x1b5/0x360
+[ 24.176837] worker_thread+0x50/0x3c0
+[ 24.177353] kthread+0xf9/0x130
+[ 24.177799] ? process_one_work+0x360/0x360
+[ 24.178401] ? kthread_park+0x90/0x90
+[ 24.178915] ret_from_fork+0x35/0x40
+[ 24.179421] Modules linked in:
+[ 24.179856] CR2: 0000000000000018
+[ 24.180327] ---[ end trace b4b7674b6df5f480 ]---
+
+Signed-off-by: Anatol Pomazau <anatol@google.com>
+Co-developed-by: Frank Mayhar <fmayhar@google.com>
+Signed-off-by: Frank Mayhar <fmayhar@google.com>
+Co-developed-by: Bharath Ravi <rbharath@google.com>
+Signed-off-by: Bharath Ravi <rbharath@google.com>
+Co-developed-by: Khazhimsel Kumykov <khazhy@google.com>
+Signed-off-by: Khazhimsel Kumykov <khazhy@google.com>
+Co-developed-by: Gabriel Krisman Bertazi <krisman@collabora.com>
+Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index 045207b5560e..7e3a77d3c6f0 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -372,8 +372,16 @@ static int iscsi_sw_tcp_pdu_xmit(struct iscsi_task *task)
+ {
+ struct iscsi_conn *conn = task->conn;
+ unsigned int noreclaim_flag;
++ struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
++ struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data;
+ int rc = 0;
+
++ if (!tcp_sw_conn->sock) {
++ iscsi_conn_printk(KERN_ERR, conn,
++ "Transport not bound to socket!\n");
++ return -EINVAL;
++ }
++
+ noreclaim_flag = memalloc_noreclaim_save();
+
+ while (iscsi_sw_tcp_xmit_qlen(conn)) {
+--
+2.20.1
+
--- /dev/null
+From f0f1335c71b66d375f31dcda7ca9fa7f206681ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2019 15:03:57 -0800
+Subject: scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer
+ dereferences
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 6c6d59e0fe5b86cf273d6d744a6a9768c4ecc756 ]
+
+Coverity reported the following:
+
+*** CID 101747: Null pointer dereferences (FORWARD_NULL)
+/drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp()
+4433 kfree(mp);
+4434 }
+4435 mempool_free(mbox, phba->mbox_mem_pool);
+4436 }
+4437 out:
+4438 if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
+vvv CID 101747: Null pointer dereferences (FORWARD_NULL)
+vvv Dereferencing null pointer "shost".
+4439 spin_lock_irq(shost->host_lock);
+4440 ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
+4441 spin_unlock_irq(shost->host_lock);
+4442
+4443 /* If the node is not being used by another discovery thread,
+4444 * and we are sending a reject, we are done with it.
+
+Fix by adding a check for non-null shost in line 4438.
+The scenario when shost is set to null is when ndlp is null.
+As such, the ndlp check present was sufficient. But better safe
+than sorry so add the shost check.
+
+Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
+Addresses-Coverity-ID: 101747 ("Null pointer dereferences")
+Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports")
+
+CC: James Bottomley <James.Bottomley@SteelEye.com>
+CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+CC: linux-next@vger.kernel.org
+Link: https://lore.kernel.org/r/20191111230401.12958-3-jsmart2021@gmail.com
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index c851fd14ff3e..4c84c2ae1112 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -4102,7 +4102,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ mempool_free(mbox, phba->mbox_mem_pool);
+ }
+ out:
+- if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
++ if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) {
+ spin_lock_irq(shost->host_lock);
+ ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
+ spin_unlock_irq(shost->host_lock);
+--
+2.20.1
+
--- /dev/null
+From e6a1a42ae6c7eedb6a3c1405aeb08b64b34f2fc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Sep 2019 20:58:55 -0700
+Subject: scsi: lpfc: Fix discovery failures when target device connectivity
+ bounces
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 3f97aed6117c7677eb16756c4ec8b86000fd5822 ]
+
+An issue was seen discovering all SCSI Luns when a target device undergoes
+link bounce.
+
+The driver currently does not qualify the FC4 support on the target.
+Therefore it will send a SCSI PRLI and an NVMe PRLI. The expectation is
+that the target will reject the PRLI if it is not supported. If a PRLI
+times out, the driver will retry. The driver will not proceed with the
+device until both SCSI and NVMe PRLIs are resolved. In the failure case,
+the device is FCP only and does not respond to the NVMe PRLI, thus
+initiating the wait/retry loop in the driver. During that time, a RSCN is
+received (device bounced) causing the driver to issue a GID_FT. The GID_FT
+response comes back before the PRLI mess is resolved and it prematurely
+cancels the PRLI retry logic and leaves the device in a STE_PRLI_ISSUE
+state. Discovery with the target never completes or resets.
+
+Fix by resetting the node state back to STE_NPR_NODE when GID_FT completes,
+thereby restarting the discovery process for the node.
+
+Link: https://lore.kernel.org/r/20190922035906.10977-10-jsmart2021@gmail.com
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 3f88f3d79622..4a0889dd4c1d 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -5220,9 +5220,14 @@ lpfc_setup_disc_node(struct lpfc_vport *vport, uint32_t did)
+ /* If we've already received a PLOGI from this NPort
+ * we don't need to try to discover it again.
+ */
+- if (ndlp->nlp_flag & NLP_RCV_PLOGI)
++ if (ndlp->nlp_flag & NLP_RCV_PLOGI &&
++ !(ndlp->nlp_type &
++ (NLP_FCP_TARGET | NLP_NVME_TARGET)))
+ return NULL;
+
++ ndlp->nlp_prev_state = ndlp->nlp_state;
++ lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);
++
+ spin_lock_irq(shost->host_lock);
+ ndlp->nlp_flag |= NLP_NPR_2B_DISC;
+ spin_unlock_irq(shost->host_lock);
+--
+2.20.1
+
--- /dev/null
+From db8f4cdbd513b836448bf1f24930daa4f0d54d59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2019 16:56:58 -0800
+Subject: scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 7cfd5639d99bec0d27af089d0c8c114330e43a72 ]
+
+If the driver receives a login that is later then LOGO'd by the remote port
+(aka ndlp), the driver, upon the completion of the LOGO ACC transmission,
+will logout the node and unregister the rpi that is being used for the
+node. As part of the unreg, the node's rpi value is replaced by the
+LPFC_RPI_ALLOC_ERROR value. If the port is subsequently offlined, the
+offline walks the nodes and ensures they are logged out, which possibly
+entails unreg'ing their rpi values. This path does not validate the node's
+rpi value, thus doesn't detect that it has been unreg'd already. The
+replaced rpi value is then used when accessing the rpi bitmask array which
+tracks active rpi values. As the LPFC_RPI_ALLOC_ERROR value is not a valid
+index for the bitmask, it may fault the system.
+
+Revise the rpi release code to detect when the rpi value is the replaced
+RPI_ALLOC_ERROR value and ignore further release steps.
+
+Link: https://lore.kernel.org/r/20191105005708.7399-2-jsmart2021@gmail.com
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 7920b8c72caf..d8e0ba68879c 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -17492,6 +17492,13 @@ lpfc_sli4_alloc_rpi(struct lpfc_hba *phba)
+ static void
+ __lpfc_sli4_free_rpi(struct lpfc_hba *phba, int rpi)
+ {
++ /*
++ * if the rpi value indicates a prior unreg has already
++ * been done, skip the unreg.
++ */
++ if (rpi == LPFC_RPI_ALLOC_ERROR)
++ return;
++
+ if (test_and_clear_bit(rpi, phba->sli4_hba.rpi_bmask)) {
+ phba->sli4_hba.rpi_count--;
+ phba->sli4_hba.max_cfg_param.rpi_used--;
+--
+2.20.1
+
--- /dev/null
+From e812e19711df294c627e6f445f7c852b1e0b33d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Sep 2019 20:58:53 -0700
+Subject: scsi: lpfc: Fix locking on mailbox command completion
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 07b8582430370097238b589f4e24da7613ca6dd3 ]
+
+Symptoms were seen of the driver not having valid data for mailbox
+commands. After debugging, the following sequence was found:
+
+The driver maintains a port-wide pointer of the mailbox command that is
+currently in execution. Once finished, the port-wide pointer is cleared
+(done in lpfc_sli4_mq_release()). The next mailbox command issued will set
+the next pointer and so on.
+
+The mailbox response data is only copied if there is a valid port-wide
+pointer.
+
+In the failing case, it was seen that a new mailbox command was being
+attempted in parallel with the completion. The parallel path was seeing
+the mailbox no long in use (flag check under lock) and thus set the port
+pointer. The completion path had cleared the active flag under lock, but
+had not touched the port pointer. The port pointer is cleared after the
+lock is released. In this case, the completion path cleared the just-set
+value by the parallel path.
+
+Fix by making the calls that clear mbox state/port pointer while under
+lock. Also slightly cleaned up the error path.
+
+Link: https://lore.kernel.org/r/20190922035906.10977-8-jsmart2021@gmail.com
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index d3bad0dbfaf7..7920b8c72caf 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -12689,13 +12689,19 @@ send_current_mbox:
+ phba->sli.sli_flag &= ~LPFC_SLI_MBOX_ACTIVE;
+ /* Setting active mailbox pointer need to be in sync to flag clear */
+ phba->sli.mbox_active = NULL;
++ if (bf_get(lpfc_trailer_consumed, mcqe))
++ lpfc_sli4_mq_release(phba->sli4_hba.mbx_wq);
+ spin_unlock_irqrestore(&phba->hbalock, iflags);
+ /* Wake up worker thread to post the next pending mailbox command */
+ lpfc_worker_wake_up(phba);
++ return workposted;
++
+ out_no_mqe_complete:
++ spin_lock_irqsave(&phba->hbalock, iflags);
+ if (bf_get(lpfc_trailer_consumed, mcqe))
+ lpfc_sli4_mq_release(phba->sli4_hba.mbx_wq);
+- return workposted;
++ spin_unlock_irqrestore(&phba->hbalock, iflags);
++ return false;
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From ac46313f69486f16eb5186114188310043a9cd3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2019 14:18:20 -0700
+Subject: scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit feff8b3d84d3d9570f893b4d83e5eab6693d6a52 ]
+
+When operating in private loop mode, PLOGI exchanges are racing and the
+driver tries to abort it's PLOGI. But the PLOGI abort ends up terminating
+the login with the other end causing the other end to abort its PLOGI as
+well. Discovery never fully completes.
+
+Fix by disabling the PLOGI abort when private loop and letting the state
+machine play out.
+
+Link: https://lore.kernel.org/r/20191018211832.7917-5-jsmart2021@gmail.com
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 043bca6449cd..96411754aa43 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -483,8 +483,10 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+ * single discovery thread, this will cause a huge delay in
+ * discovery. Also this will cause multiple state machines
+ * running in parallel for this node.
++ * This only applies to a fabric environment.
+ */
+- if (ndlp->nlp_state == NLP_STE_PLOGI_ISSUE) {
++ if ((ndlp->nlp_state == NLP_STE_PLOGI_ISSUE) &&
++ (vport->fc_flag & FC_FABRIC)) {
+ /* software abort outstanding PLOGI */
+ lpfc_els_abort(phba, ndlp);
+ }
+--
+2.20.1
+
--- /dev/null
+From 8d67b147f0a0bbbe8ecf0b633ed8fbe3aafc1542 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2019 09:04:40 -0400
+Subject: scsi: mpt3sas: Fix clear pending bit in ioctl status
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+[ Upstream commit 782b281883caf70289ba6a186af29441a117d23e ]
+
+When user issues diag register command from application with required size,
+and if driver unable to allocate the memory, then it will fail the register
+command. While failing the register command, driver is not currently
+clearing MPT3_CMD_PENDING bit in ctl_cmds.status variable which was set
+before trying to allocate the memory. As this bit is set, subsequent
+register command will be failed with BUSY status even when user wants to
+register the trace buffer will less memory.
+
+Clear MPT3_CMD_PENDING bit in ctl_cmds.status before returning the diag
+register command with no memory status.
+
+Link: https://lore.kernel.org/r/1568379890-18347-4-git-send-email-sreekanth.reddy@broadcom.com
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_ctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+index bdffb692bded..622dcf2984a9 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+@@ -1502,7 +1502,8 @@ _ctl_diag_register_2(struct MPT3SAS_ADAPTER *ioc,
+ " for diag buffers, requested size(%d)\n",
+ ioc->name, __func__, request_data_sz);
+ mpt3sas_base_free_smid(ioc, smid);
+- return -ENOMEM;
++ rc = -ENOMEM;
++ goto out;
+ }
+ ioc->diag_buffer[buffer_type] = request_data;
+ ioc->diag_buffer_sz[buffer_type] = request_data_sz;
+--
+2.20.1
+
--- /dev/null
+From 3fc4fc17d2e2658fe5f07bc38cdf373f472fbb61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Nov 2019 14:36:57 +1100
+Subject: scsi: NCR5380: Add disconnect_mask module parameter
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 0b7a223552d455bcfba6fb9cfc5eef2b5fce1491 ]
+
+Add a module parameter to inhibit disconnect/reselect for individual
+targets. This gains compatibility with Aztec PowerMonster SCSI/SATA
+adapters with buggy firmware. (No fix is available from the vendor.)
+
+Apparently these adapters pass-through the product/vendor of the attached
+SATA device. Since they can't be identified from the response to an INQUIRY
+command, a device blacklist flag won't work.
+
+Cc: Michael Schmitz <schmitzmic@gmail.com>
+Link: https://lore.kernel.org/r/993b17545990f31f9fa5a98202b51102a68e7594.1573875417.git.fthain@telegraphics.com.au
+Reviewed-and-tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/NCR5380.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
+index 21377ac71168..79b0b4eece19 100644
+--- a/drivers/scsi/NCR5380.c
++++ b/drivers/scsi/NCR5380.c
+@@ -129,6 +129,9 @@
+ #define NCR5380_release_dma_irq(x)
+ #endif
+
++static unsigned int disconnect_mask = ~0;
++module_param(disconnect_mask, int, 0444);
++
+ static int do_abort(struct Scsi_Host *);
+ static void do_reset(struct Scsi_Host *);
+ static void bus_reset_cleanup(struct Scsi_Host *);
+@@ -946,7 +949,8 @@ static bool NCR5380_select(struct Scsi_Host *instance, struct scsi_cmnd *cmd)
+ int err;
+ bool ret = true;
+ bool can_disconnect = instance->irq != NO_IRQ &&
+- cmd->cmnd[0] != REQUEST_SENSE;
++ cmd->cmnd[0] != REQUEST_SENSE &&
++ (disconnect_mask & BIT(scmd_id(cmd)));
+
+ NCR5380_dprint(NDEBUG_ARBITRATION, instance);
+ dsprintk(NDEBUG_ARBITRATION, instance, "starting arbitration, id = %d\n",
+--
+2.20.1
+
--- /dev/null
+From b38e08a2ec7dd24c70e3b205d1a0afeda215d519 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 15:38:58 +0530
+Subject: scsi: pm80xx: Fix for SATA device discovery
+
+From: peter chang <dpf@google.com>
+
+[ Upstream commit ce21c63ee995b7a8b7b81245f2cee521f8c3c220 ]
+
+Driver was missing complete() call in mpi_sata_completion which result in
+SATA abort error handling timing out. That causes the device to be left in
+the in_recovery state so subsequent commands sent to the device fail and
+the OS removes access to it.
+
+Link: https://lore.kernel.org/r/20191114100910.6153-2-deepak.ukey@microchip.com
+Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com>
+Signed-off-by: peter chang <dpf@google.com>
+Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com>
+Signed-off-by: Viswas G <Viswas.G@microchip.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/pm8001/pm80xx_hwi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c
+index 9edd61c063a1..df5f0bc29587 100644
+--- a/drivers/scsi/pm8001/pm80xx_hwi.c
++++ b/drivers/scsi/pm8001/pm80xx_hwi.c
+@@ -2368,6 +2368,8 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb)
+ pm8001_printk("task 0x%p done with io_status 0x%x"
+ " resp 0x%x stat 0x%x but aborted by upper layer!\n",
+ t, status, ts->resp, ts->stat));
++ if (t->slow_task)
++ complete(&t->slow_task->completion);
+ pm8001_ccb_task_free(pm8001_ha, t, ccb, tag);
+ } else {
+ spin_unlock_irqrestore(&t->task_state_lock, flags);
+--
+2.20.1
+
--- /dev/null
+From 1c6ed51f23a95601e3e3886a5516ec50900fb658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 17:37:27 +0100
+Subject: scsi: scsi_debug: num_tgts must be >= 0
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit aa5334c4f3014940f11bf876e919c956abef4089 ]
+
+Passing the parameter "num_tgts=-1" will start an infinite loop that
+exhausts the system memory
+
+Link: https://lore.kernel.org/r/20191115163727.24626-1-mlombard@redhat.com
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 92bc5b2d24ae..ac936b5ca74e 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -4960,6 +4960,11 @@ static int __init scsi_debug_init(void)
+ return -EINVAL;
+ }
+
++ if (sdebug_num_tgts < 0) {
++ pr_err("num_tgts must be >= 0\n");
++ return -EINVAL;
++ }
++
+ if (sdebug_guard > 1) {
+ pr_err("guard must be 0 or 1\n");
+ return -EINVAL;
+--
+2.20.1
+
--- /dev/null
+From c51ddb57a922c2b3b89edbffbeaf0f358fb11ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2019 11:55:45 +0200
+Subject: scsi: target: compare full CHAP_A Algorithm strings
+
+From: David Disseldorp <ddiss@suse.de>
+
+[ Upstream commit 9cef2a7955f2754257a7cddedec16edae7b587d0 ]
+
+RFC 2307 states:
+
+ For CHAP [RFC1994], in the first step, the initiator MUST send:
+
+ CHAP_A=<A1,A2...>
+
+ Where A1,A2... are proposed algorithms, in order of preference.
+...
+ For the Algorithm, as stated in [RFC1994], one value is required to
+ be implemented:
+
+ 5 (CHAP with MD5)
+
+LIO currently checks for this value by only comparing a single byte in
+the tokenized Algorithm string, which means that any value starting with
+a '5' (e.g. "55") is interpreted as "CHAP with MD5". Fix this by
+comparing the entire tokenized string.
+
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Link: https://lore.kernel.org/r/20190912095547.22427-2-ddiss@suse.de
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
+index e2fa3a3bc81d..b6bf605fa5c1 100644
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -78,7 +78,7 @@ static int chap_check_algorithm(const char *a_str)
+ if (!token)
+ goto out;
+
+- if (!strncmp(token, "5", 1)) {
++ if (!strcmp(token, "5")) {
+ pr_debug("Selected MD5 Algorithm\n");
+ kfree(orig);
+ return CHAP_DIGEST_MD5;
+--
+2.20.1
+
--- /dev/null
+From f527a3a2b4bf2331956488468124025005c6e940 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 14:05:08 -0800
+Subject: scsi: target: iscsi: Wait for all commands to finish before freeing a
+ session
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit e9d3009cb936bd0faf0719f68d98ad8afb1e613b ]
+
+The iSCSI target driver is the only target driver that does not wait for
+ongoing commands to finish before freeing a session. Make the iSCSI target
+driver wait for ongoing commands to finish before freeing a session. This
+patch fixes the following KASAN complaint:
+
+BUG: KASAN: use-after-free in __lock_acquire+0xb1a/0x2710
+Read of size 8 at addr ffff8881154eca70 by task kworker/0:2/247
+
+CPU: 0 PID: 247 Comm: kworker/0:2 Not tainted 5.4.0-rc1-dbg+ #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+Workqueue: target_completion target_complete_ok_work [target_core_mod]
+Call Trace:
+ dump_stack+0x8a/0xd6
+ print_address_description.constprop.0+0x40/0x60
+ __kasan_report.cold+0x1b/0x33
+ kasan_report+0x16/0x20
+ __asan_load8+0x58/0x90
+ __lock_acquire+0xb1a/0x2710
+ lock_acquire+0xd3/0x200
+ _raw_spin_lock_irqsave+0x43/0x60
+ target_release_cmd_kref+0x162/0x7f0 [target_core_mod]
+ target_put_sess_cmd+0x2e/0x40 [target_core_mod]
+ lio_check_stop_free+0x12/0x20 [iscsi_target_mod]
+ transport_cmd_check_stop_to_fabric+0xd8/0xe0 [target_core_mod]
+ target_complete_ok_work+0x1b0/0x790 [target_core_mod]
+ process_one_work+0x549/0xa40
+ worker_thread+0x7a/0x5d0
+ kthread+0x1bc/0x210
+ ret_from_fork+0x24/0x30
+
+Allocated by task 889:
+ save_stack+0x23/0x90
+ __kasan_kmalloc.constprop.0+0xcf/0xe0
+ kasan_slab_alloc+0x12/0x20
+ kmem_cache_alloc+0xf6/0x360
+ transport_alloc_session+0x29/0x80 [target_core_mod]
+ iscsi_target_login_thread+0xcd6/0x18f0 [iscsi_target_mod]
+ kthread+0x1bc/0x210
+ ret_from_fork+0x24/0x30
+
+Freed by task 1025:
+ save_stack+0x23/0x90
+ __kasan_slab_free+0x13a/0x190
+ kasan_slab_free+0x12/0x20
+ kmem_cache_free+0x146/0x400
+ transport_free_session+0x179/0x2f0 [target_core_mod]
+ transport_deregister_session+0x130/0x180 [target_core_mod]
+ iscsit_close_session+0x12c/0x350 [iscsi_target_mod]
+ iscsit_logout_post_handler+0x136/0x380 [iscsi_target_mod]
+ iscsit_response_queue+0x8de/0xbe0 [iscsi_target_mod]
+ iscsi_target_tx_thread+0x27f/0x370 [iscsi_target_mod]
+ kthread+0x1bc/0x210
+ ret_from_fork+0x24/0x30
+
+The buggy address belongs to the object at ffff8881154ec9c0
+ which belongs to the cache se_sess_cache of size 352
+The buggy address is located 176 bytes inside of
+ 352-byte region [ffff8881154ec9c0, ffff8881154ecb20)
+The buggy address belongs to the page:
+page:ffffea0004553b00 refcount:1 mapcount:0 mapping:ffff888101755400 index:0x0 compound_mapcount: 0
+flags: 0x2fff000000010200(slab|head)
+raw: 2fff000000010200 dead000000000100 dead000000000122 ffff888101755400
+raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881154ec900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8881154ec980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+>ffff8881154eca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8881154eca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881154ecb00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
+
+Cc: Mike Christie <mchristi@redhat.com>
+Link: https://lore.kernel.org/r/20191113220508.198257-3-bvanassche@acm.org
+Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target.c | 10 ++++++++--
+ include/scsi/iscsi_proto.h | 1 +
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index fb7bd422e2e1..21ce92ee1652 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1158,7 +1158,9 @@ int iscsit_setup_scsi_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
+ hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length,
+ conn->cid);
+
+- target_get_sess_cmd(&cmd->se_cmd, true);
++ if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
++ return iscsit_add_reject_cmd(cmd,
++ ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
+
+ cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd,
+ scsilun_to_int(&hdr->lun));
+@@ -2004,7 +2006,9 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
+ conn->sess->se_sess, 0, DMA_NONE,
+ TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
+
+- target_get_sess_cmd(&cmd->se_cmd, true);
++ if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
++ return iscsit_add_reject_cmd(cmd,
++ ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
+
+ /*
+ * TASK_REASSIGN for ERL=2 / connection stays inside of
+@@ -4236,6 +4240,8 @@ int iscsit_close_connection(
+ * must wait until they have completed.
+ */
+ iscsit_check_conn_usage_count(conn);
++ target_sess_cmd_list_set_waiting(sess->se_sess);
++ target_wait_for_sess_cmds(sess->se_sess);
+
+ ahash_request_free(conn->conn_tx_hash);
+ if (conn->conn_rx_hash) {
+diff --git a/include/scsi/iscsi_proto.h b/include/scsi/iscsi_proto.h
+index df156f1d50b2..f0a01a54bd15 100644
+--- a/include/scsi/iscsi_proto.h
++++ b/include/scsi/iscsi_proto.h
+@@ -638,6 +638,7 @@ struct iscsi_reject {
+ #define ISCSI_REASON_BOOKMARK_INVALID 9
+ #define ISCSI_REASON_BOOKMARK_NO_RESOURCES 10
+ #define ISCSI_REASON_NEGOTIATION_RESET 11
++#define ISCSI_REASON_WAITING_FOR_LOGOUT 12
+
+ /* Max. number of Key=Value pairs in a text message */
+ #define MAX_KEY_VALUE_PAIRS 8192
+--
+2.20.1
+
--- /dev/null
+From c8ab4f32b888d89c028c9d520ce008025507cf61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 13:55:53 -0800
+Subject: scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and
+ WRITE(6)
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit f6b8540f40201bff91062dd64db8e29e4ddaaa9d ]
+
+According to SBC-2 a TRANSFER LENGTH field of zero means that 256 logical
+blocks must be transferred. Make the SCSI tracing code follow SBC-2.
+
+Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points")
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Link: https://lore.kernel.org/r/20191105215553.185018-1-bvanassche@acm.org
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_trace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/scsi_trace.c b/drivers/scsi/scsi_trace.c
+index 0ff083bbf5b1..617a60737590 100644
+--- a/drivers/scsi/scsi_trace.c
++++ b/drivers/scsi/scsi_trace.c
+@@ -30,15 +30,18 @@ static const char *
+ scsi_trace_rw6(struct trace_seq *p, unsigned char *cdb, int len)
+ {
+ const char *ret = trace_seq_buffer_ptr(p);
+- sector_t lba = 0, txlen = 0;
++ u32 lba = 0, txlen;
+
+ lba |= ((cdb[1] & 0x1F) << 16);
+ lba |= (cdb[2] << 8);
+ lba |= cdb[3];
+- txlen = cdb[4];
++ /*
++ * From SBC-2: a TRANSFER LENGTH field set to zero specifies that 256
++ * logical blocks shall be read (READ(6)) or written (WRITE(6)).
++ */
++ txlen = cdb[4] ? cdb[4] : 256;
+
+- trace_seq_printf(p, "lba=%llu txlen=%llu",
+- (unsigned long long)lba, (unsigned long long)txlen);
++ trace_seq_printf(p, "lba=%u txlen=%u", lba, txlen);
+ trace_seq_putc(p, 0);
+
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 9cbfcda264a5387ce41ad369ed11ed6a01af298d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 22:09:30 -0800
+Subject: scsi: ufs: Fix error handing during hibern8 enter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Subhash Jadavani <subhashj@codeaurora.org>
+
+[ Upstream commit 6d303e4b19d694cdbebf76bcdb51ada664ee953d ]
+
+During clock gating (ufshcd_gate_work()), we first put the link hibern8 by
+calling ufshcd_uic_hibern8_enter() and if ufshcd_uic_hibern8_enter()
+returns success (0) then we gate all the clocks. Now let’s zoom in to what
+ufshcd_uic_hibern8_enter() does internally: It calls
+__ufshcd_uic_hibern8_enter() and if failure is encountered, link recovery
+shall put the link back to the highest HS gear and returns success (0) to
+ufshcd_uic_hibern8_enter() which is the issue as link is still in active
+state due to recovery! Now ufshcd_uic_hibern8_enter() returns success to
+ufshcd_gate_work() and hence it goes ahead with gating the UFS clock while
+link is still in active state hence I believe controller would raise UIC
+error interrupts. But when we service the interrupt, clocks might have
+already been disabled!
+
+This change fixes for this by returning failure from
+__ufshcd_uic_hibern8_enter() if recovery succeeds as link is still not in
+hibern8, upon receiving the error ufshcd_hibern8_enter() would initiate
+retry to put the link state back into hibern8.
+
+Link: https://lore.kernel.org/r/1573798172-20534-8-git-send-email-cang@codeaurora.org
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Can Guo <cang@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 9feae23bfd09..d25082e573e0 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -3684,15 +3684,24 @@ static int __ufshcd_uic_hibern8_enter(struct ufs_hba *hba)
+ ktime_to_us(ktime_sub(ktime_get(), start)), ret);
+
+ if (ret) {
++ int err;
++
+ dev_err(hba->dev, "%s: hibern8 enter failed. ret = %d\n",
+ __func__, ret);
+
+ /*
+- * If link recovery fails then return error so that caller
+- * don't retry the hibern8 enter again.
++ * If link recovery fails then return error code returned from
++ * ufshcd_link_recovery().
++ * If link recovery succeeds then return -EAGAIN to attempt
++ * hibern8 enter retry again.
+ */
+- if (ufshcd_link_recovery(hba))
+- ret = -ENOLINK;
++ err = ufshcd_link_recovery(hba);
++ if (err) {
++ dev_err(hba->dev, "%s: link recovery failed", __func__);
++ ret = err;
++ } else {
++ ret = -EAGAIN;
++ }
+ } else
+ ufshcd_vops_hibern8_notify(hba, UIC_CMD_DME_HIBER_ENTER,
+ POST_CHANGE);
+@@ -3706,7 +3715,7 @@ static int ufshcd_uic_hibern8_enter(struct ufs_hba *hba)
+
+ for (retries = UIC_HIBERN8_ENTER_RETRIES; retries > 0; retries--) {
+ ret = __ufshcd_uic_hibern8_enter(hba);
+- if (!ret || ret == -ENOLINK)
++ if (!ret)
+ goto out;
+ }
+ out:
+--
+2.20.1
+
--- /dev/null
+From 1cec8eb626611168691c6fa86dbfdadc10ba4f2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2019 23:34:36 +0100
+Subject: scsi: ufs: fix potential bug which ends in system hang
+
+From: Bean Huo <beanhuo@micron.com>
+
+[ Upstream commit cfcbae3895b86c390ede57b2a8f601dd5972b47b ]
+
+In function __ufshcd_query_descriptor(), in the event of an error
+happening, we directly goto out_unlock and forget to invaliate
+hba->dev_cmd.query.descriptor pointer. This results in this pointer still
+valid in ufshcd_copy_query_response() for other query requests which go
+through ufshcd_exec_raw_upiu_cmd(). This will cause __memcpy() crash and
+system hangs. Log as shown below:
+
+Unable to handle kernel paging request at virtual address
+ffff000012233c40
+Mem abort info:
+ ESR = 0x96000047
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+Data abort info:
+ ISV = 0, ISS = 0x00000047
+ CM = 0, WnR = 1
+swapper pgtable: 4k pages, 48-bit VAs, pgdp = 0000000028cc735c
+[ffff000012233c40] pgd=00000000bffff003, pud=00000000bfffe003,
+pmd=00000000ba8b8003, pte=0000000000000000
+ Internal error: Oops: 96000047 [#2] PREEMPT SMP
+ ...
+ Call trace:
+ __memcpy+0x74/0x180
+ ufshcd_issue_devman_upiu_cmd+0x250/0x3c0
+ ufshcd_exec_raw_upiu_cmd+0xfc/0x1a8
+ ufs_bsg_request+0x178/0x3b0
+ bsg_queue_rq+0xc0/0x118
+ blk_mq_dispatch_rq_list+0xb0/0x538
+ blk_mq_sched_dispatch_requests+0x18c/0x1d8
+ __blk_mq_run_hw_queue+0xb4/0x118
+ blk_mq_run_work_fn+0x28/0x38
+ process_one_work+0x1ec/0x470
+ worker_thread+0x48/0x458
+ kthread+0x130/0x138
+ ret_from_fork+0x10/0x1c
+ Code: 540000ab a8c12027 a88120c7 a8c12027 (a88120c7)
+ ---[ end trace 793e1eb5dff69f2d ]---
+ note: kworker/0:2H[2054] exited with preempt_count 1
+
+This patch is to move "descriptor = NULL" down to below the label
+"out_unlock".
+
+Fixes: d44a5f98bb49b2(ufs: query descriptor API)
+Link: https://lore.kernel.org/r/20191112223436.27449-3-huobean@gmail.com
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 07cae5ea608c..9feae23bfd09 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -2867,10 +2867,10 @@ static int __ufshcd_query_descriptor(struct ufs_hba *hba,
+ goto out_unlock;
+ }
+
+- hba->dev_cmd.query.descriptor = NULL;
+ *buf_len = be16_to_cpu(response->upiu_res.length);
+
+ out_unlock:
++ hba->dev_cmd.query.descriptor = NULL;
+ mutex_unlock(&hba->dev_cmd.lock);
+ out:
+ ufshcd_release(hba);
+--
+2.20.1
+
--- /dev/null
+scsi-lpfc-fix-discovery-failures-when-target-device-.patch
+scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch
+scsi-lpfc-fix-locking-on-mailbox-command-completion.patch
+input-atmel_mxt_ts-disable-irq-across-suspend.patch
+iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch
+scsi-target-compare-full-chap_a-algorithm-strings.patch
+scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch
+scsi-csiostor-don-t-enable-irqs-too-early.patch
+powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch
+powerpc-pseries-don-t-fail-hash-page-table-insert-fo.patch
+powerpc-tools-don-t-quote-objdump-in-scripts.patch
+dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch
+clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch
+powerpc-security-book3s64-report-l1tf-status-in-sysf.patch
+powerpc-book3s64-hash-add-cond_resched-to-avoid-soft.patch
+ext4-update-direct-i-o-read-lock-pattern-for-iocb_no.patch
+jbd2-fix-statistics-for-the-number-of-logged-blocks.patch
+scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch
+scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch
+f2fs-fix-to-update-dir-s-i_pino-during-cross_rename.patch
+clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch
+irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch
+irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch
+mfd-mfd-core-honour-device-tree-s-request-to-disable.patch
+fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch
+scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch
+scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch
+powerpc-pseries-cmm-implement-release-function-for-s.patch
+powerpc-security-fix-wrong-message-when-rfi-flush-is.patch
+scsi-atari_scsi-sun3_scsi-set-sg_tablesize-to-1-inst.patch
+clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch
+bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch
+hid-logitech-hidpp-silence-intermittent-get_battery_.patch
+libnvdimm-btt-fix-variable-rc-set-but-not-used.patch
+hid-improve-windows-precision-touchpad-detection.patch
+scsi-pm80xx-fix-for-sata-device-discovery.patch
+scsi-ufs-fix-error-handing-during-hibern8-enter.patch
+scsi-scsi_debug-num_tgts-must-be-0.patch
+scsi-ncr5380-add-disconnect_mask-module-parameter.patch
+scsi-iscsi-don-t-send-data-to-unbound-connection.patch
+scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch
+gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch
+apparmor-fix-unsigned-len-comparison-with-less-than-.patch
+scripts-kallsyms-fix-definitely-lost-memory-leak.patch
+f2fs-choose-hardlimit-when-softlimit-is-larger-than-.patch
+cdrom-respect-device-capabilities-during-opening-act.patch
+perf-script-fix-brstackinsn-for-auxtrace.patch
+perf-regs-make-perf_reg_name-return-unknown-instead-.patch
+s390-zcrypt-handle-new-reply-code-filtered_by_hyperv.patch
+libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch
+s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch
+ocfs2-fix-passing-zero-to-ptr_err-warning.patch
+kernel-sysctl-make-drop_caches-write-only.patch
+userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch
--- /dev/null
+From 6cc3b86d595f5fa66f558c56640ed89737570572 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2019 17:58:01 -0800
+Subject: userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
+
+From: Mike Rapoport <rppt@linux.ibm.com>
+
+[ Upstream commit 3c1c24d91ffd536de0a64688a9df7f49e58fadbc ]
+
+A while ago Andy noticed
+(http://lkml.kernel.org/r/CALCETrWY+5ynDct7eU_nDUqx=okQvjm=Y5wJvA4ahBja=CQXGw@mail.gmail.com)
+that UFFD_FEATURE_EVENT_FORK used by an unprivileged user may have
+security implications.
+
+As the first step of the solution the following patch limits the availably
+of UFFD_FEATURE_EVENT_FORK only for those having CAP_SYS_PTRACE.
+
+The usage of CAP_SYS_PTRACE ensures compatibility with CRIU.
+
+Yet, if there are other users of non-cooperative userfaultfd that run
+without CAP_SYS_PTRACE, they would be broken :(
+
+Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file
+descriptor table from the read() implementation of uffd, which may have
+security implications for unprivileged use of the userfaultfd.
+
+Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have
+CAP_SYS_PTRACE.
+
+Link: http://lkml.kernel.org/r/1572967777-8812-2-git-send-email-rppt@linux.ibm.com
+Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
+Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Daniel Colascione <dancol@google.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Lokesh Gidra <lokeshgidra@google.com>
+Cc: Nick Kralevich <nnk@google.com>
+Cc: Nosh Minwalla <nosh@google.com>
+Cc: Pavel Emelyanov <ovzxemul@gmail.com>
+Cc: Tim Murray <timmurray@google.com>
+Cc: Aleksa Sarai <cyphar@cyphar.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/userfaultfd.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index a609d480606d..e2b2196fd942 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -1807,13 +1807,12 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
+ if (copy_from_user(&uffdio_api, buf, sizeof(uffdio_api)))
+ goto out;
+ features = uffdio_api.features;
+- if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES)) {
+- memset(&uffdio_api, 0, sizeof(uffdio_api));
+- if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
+- goto out;
+- ret = -EINVAL;
+- goto out;
+- }
++ ret = -EINVAL;
++ if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES))
++ goto err_out;
++ ret = -EPERM;
++ if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE))
++ goto err_out;
+ /* report all available features and ioctls to userland */
+ uffdio_api.features = UFFD_API_FEATURES;
+ uffdio_api.ioctls = UFFD_API_IOCTLS;
+@@ -1826,6 +1825,11 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
+ ret = 0;
+ out:
+ return ret;
++err_out:
++ memset(&uffdio_api, 0, sizeof(uffdio_api));
++ if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
++ ret = -EFAULT;
++ goto out;
+ }
+
+ static long userfaultfd_ioctl(struct file *file, unsigned cmd,
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
