+++ /dev/null
-From 4022af6a23d3b26c5d902120fab6ae1818100a7c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 12 Dec 2019 10:32:13 -0800
-Subject: 6pack,mkiss: fix possible deadlock
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d ]
-
-We got another syzbot report [1] that tells us we must use
-write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
-
-[1]
-
-WARNING: inconsistent lock state
-5.5.0-rc1-syzkaller #0 Not tainted
---------------------------------
-inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
-syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
-ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
-{HARDIRQ-ON-W} state was registered at:
- lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
- __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
- _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
- sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
- tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
- tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
- tiocsetd drivers/tty/tty_io.c:2337 [inline]
- tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
- vfs_ioctl fs/ioctl.c:47 [inline]
- file_ioctl fs/ioctl.c:545 [inline]
- do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
- ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
- __do_sys_ioctl fs/ioctl.c:756 [inline]
- __se_sys_ioctl fs/ioctl.c:754 [inline]
- __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
- do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-irq event stamp: 3946
-hardirqs last enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
-hardirqs last enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
-hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
-softirqs last enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
-softirqs last enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
-softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
-softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
-
-other info that might help us debug this:
- Possible unsafe locking scenario:
-
- CPU0
- ----
- lock(disc_data_lock);
- <Interrupt>
- lock(disc_data_lock);
-
- *** DEADLOCK ***
-
-5 locks held by syz-executor826/9605:
- #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
- #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
- #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
- #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
- #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
- #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
-
-stack backtrace:
-CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-Call Trace:
- <IRQ>
- __dump_stack lib/dump_stack.c:77 [inline]
- dump_stack+0x197/0x210 lib/dump_stack.c:118
- print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
- valid_state kernel/locking/lockdep.c:3112 [inline]
- mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
- mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
- mark_usage kernel/locking/lockdep.c:3554 [inline]
- __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
- lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
- __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
- _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
- sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
- sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
- tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
- tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
- tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
- uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
- serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
- serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
- serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
- serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
- serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
- __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
- handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
- handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
- handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
- generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
- do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
- common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
- </IRQ>
-RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
-RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
-Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
-RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
-RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
-RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
-RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
-R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
-R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
- mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
- __mutex_lock_common kernel/locking/mutex.c:962 [inline]
- __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
- mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
- tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
- tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
- __fput+0x2ff/0x890 fs/file_table.c:280
- ____fput+0x16/0x20 fs/file_table.c:313
- task_work_run+0x145/0x1c0 kernel/task_work.c:113
- exit_task_work include/linux/task_work.h:22 [inline]
- do_exit+0x8e7/0x2ef0 kernel/exit.c:797
- do_group_exit+0x135/0x360 kernel/exit.c:895
- __do_sys_exit_group kernel/exit.c:906 [inline]
- __se_sys_exit_group kernel/exit.c:904 [inline]
- __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
- do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-RIP: 0033:0x43fef8
-Code: Bad RIP value.
-RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
-RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
-RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
-RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
-R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
-R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
-
-Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/hamradio/6pack.c | 4 ++--
- drivers/net/hamradio/mkiss.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
-index 54e63ec04907..8c636c493227 100644
---- a/drivers/net/hamradio/6pack.c
-+++ b/drivers/net/hamradio/6pack.c
-@@ -654,10 +654,10 @@ static void sixpack_close(struct tty_struct *tty)
- {
- struct sixpack *sp;
-
-- write_lock_bh(&disc_data_lock);
-+ write_lock_irq(&disc_data_lock);
- sp = tty->disc_data;
- tty->disc_data = NULL;
-- write_unlock_bh(&disc_data_lock);
-+ write_unlock_irq(&disc_data_lock);
- if (!sp)
- return;
-
-diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
-index 13e4c1eff353..3b14e6e281d4 100644
---- a/drivers/net/hamradio/mkiss.c
-+++ b/drivers/net/hamradio/mkiss.c
-@@ -783,10 +783,10 @@ static void mkiss_close(struct tty_struct *tty)
- {
- struct mkiss *ax;
-
-- write_lock_bh(&disc_data_lock);
-+ write_lock_irq(&disc_data_lock);
- ax = tty->disc_data;
- tty->disc_data = NULL;
-- write_unlock_bh(&disc_data_lock);
-+ write_unlock_irq(&disc_data_lock);
-
- if (!ax)
- return;
---
-2.20.1
-
+++ /dev/null
-From ccddf41a0635c11431ad37519ae646717677eb6c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 9 Dec 2019 15:04:43 +0000
-Subject: afs: Fix afs_find_server lookups for ipv4 peers
-
-From: Marc Dionne <marc.dionne@auristor.com>
-
-[ Upstream commit 9bd0160d12370a076e44f8d1320cde9c83f2c647 ]
-
-afs_find_server tries to find a server that has an address that
-matches the transport address of an rxrpc peer. The code assumes
-that the transport address is always ipv6, with ipv4 represented
-as ipv4 mapped addresses, but that's not the case. If the transport
-family is AF_INET, srx->transport.sin6.sin6_addr.s6_addr32[] will
-be beyond the actual ipv4 address and will always be 0, and all
-ipv4 addresses will be seen as matching.
-
-As a result, the first ipv4 address seen on any server will be
-considered a match, and the server returned may be the wrong one.
-
-One of the consequences is that callbacks received over ipv4 will
-only be correctly applied for the server that happens to have the
-first ipv4 address on the fs_addresses4 list. Callbacks over ipv4
-from all other servers are dropped, causing the client to serve stale
-data.
-
-This is fixed by looking at the transport family, and comparing ipv4
-addresses based on a sockaddr_in structure rather than a sockaddr_in6.
-
-Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
-Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/afs/server.c | 21 ++++++++-------------
- 1 file changed, 8 insertions(+), 13 deletions(-)
-
-diff --git a/fs/afs/server.c b/fs/afs/server.c
-index 1d329e6981d5..2c7f6211c360 100644
---- a/fs/afs/server.c
-+++ b/fs/afs/server.c
-@@ -34,18 +34,11 @@ static void afs_dec_servers_outstanding(struct afs_net *net)
- struct afs_server *afs_find_server(struct afs_net *net,
- const struct sockaddr_rxrpc *srx)
- {
-- const struct sockaddr_in6 *a = &srx->transport.sin6, *b;
- const struct afs_addr_list *alist;
- struct afs_server *server = NULL;
- unsigned int i;
-- bool ipv6 = true;
- int seq = 0, diff;
-
-- if (srx->transport.sin6.sin6_addr.s6_addr32[0] == 0 ||
-- srx->transport.sin6.sin6_addr.s6_addr32[1] == 0 ||
-- srx->transport.sin6.sin6_addr.s6_addr32[2] == htonl(0xffff))
-- ipv6 = false;
--
- rcu_read_lock();
-
- do {
-@@ -54,7 +47,8 @@ struct afs_server *afs_find_server(struct afs_net *net,
- server = NULL;
- read_seqbegin_or_lock(&net->fs_addr_lock, &seq);
-
-- if (ipv6) {
-+ if (srx->transport.family == AF_INET6) {
-+ const struct sockaddr_in6 *a = &srx->transport.sin6, *b;
- hlist_for_each_entry_rcu(server, &net->fs_addresses6, addr6_link) {
- alist = rcu_dereference(server->addresses);
- for (i = alist->nr_ipv4; i < alist->nr_addrs; i++) {
-@@ -70,15 +64,16 @@ struct afs_server *afs_find_server(struct afs_net *net,
- }
- }
- } else {
-+ const struct sockaddr_in *a = &srx->transport.sin, *b;
- hlist_for_each_entry_rcu(server, &net->fs_addresses4, addr4_link) {
- alist = rcu_dereference(server->addresses);
- for (i = 0; i < alist->nr_ipv4; i++) {
-- b = &alist->addrs[i].transport.sin6;
-- diff = ((u16 __force)a->sin6_port -
-- (u16 __force)b->sin6_port);
-+ b = &alist->addrs[i].transport.sin;
-+ diff = ((u16 __force)a->sin_port -
-+ (u16 __force)b->sin_port);
- if (diff == 0)
-- diff = ((u32 __force)a->sin6_addr.s6_addr32[3] -
-- (u32 __force)b->sin6_addr.s6_addr32[3]);
-+ diff = ((u32 __force)a->sin_addr.s_addr -
-+ (u32 __force)b->sin_addr.s_addr);
- if (diff == 0)
- goto found;
- }
---
-2.20.1
-
+++ /dev/null
-From 5e46a0a2c79d228fba5562ed9a367b722aa24482 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 11 Dec 2019 08:56:04 +0000
-Subject: afs: Fix creation calls in the dynamic root to fail with EOPNOTSUPP
-
-From: David Howells <dhowells@redhat.com>
-
-[ Upstream commit 1da4bd9f9d187f53618890d7b66b9628bbec3c70 ]
-
-Fix the lookup method on the dynamic root directory such that creation
-calls, such as mkdir, open(O_CREAT), symlink, etc. fail with EOPNOTSUPP
-rather than failing with some odd error (such as EEXIST).
-
-lookup() itself tries to create automount directories when it is invoked.
-These are cached locally in RAM and not committed to storage.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
-Tested-by: Jonathan Billings <jsbillings@jsbillings.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/afs/dynroot.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
-index f29c6dade7f6..069273a2483f 100644
---- a/fs/afs/dynroot.c
-+++ b/fs/afs/dynroot.c
-@@ -145,6 +145,9 @@ static struct dentry *afs_dynroot_lookup(struct inode *dir, struct dentry *dentr
-
- ASSERTCMP(d_inode(dentry), ==, NULL);
-
-+ if (flags & LOOKUP_CREATE)
-+ return ERR_PTR(-EOPNOTSUPP);
-+
- if (dentry->d_name.len >= AFSNAMEMAX) {
- _leave(" = -ENAMETOOLONG");
- return ERR_PTR(-ENAMETOOLONG);
---
-2.20.1
-
+++ /dev/null
-From 2bc0217f2a84e3df2afa4ebb0387963443c29ecf Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 9 Dec 2019 15:04:45 +0000
-Subject: afs: Fix SELinux setting security label on /afs
-
-From: David Howells <dhowells@redhat.com>
-
-[ Upstream commit bcbccaf2edcf1b76f73f890e968babef446151a4 ]
-
-Make the AFS dynamic root superblock R/W so that SELinux can set the
-security label on it. Without this, upgrades to, say, the Fedora
-filesystem-afs RPM fail if afs is mounted on it because the SELinux label
-can't be (re-)applied.
-
-It might be better to make it possible to bypass the R/O check for LSM
-label application through setxattr.
-
-Fixes: 4d673da14533 ("afs: Support the AFS dynamic root")
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
-cc: selinux@vger.kernel.org
-cc: linux-security-module@vger.kernel.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/afs/super.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/fs/afs/super.c b/fs/afs/super.c
-index 4d3e274207fb..bd2608297473 100644
---- a/fs/afs/super.c
-+++ b/fs/afs/super.c
-@@ -404,7 +404,6 @@ static int afs_fill_super(struct super_block *sb,
- /* allocate the root inode and dentry */
- if (as->dyn_root) {
- inode = afs_iget_pseudo_dir(sb, true);
-- sb->s_flags |= SB_RDONLY;
- } else {
- sprintf(sb->s_id, "%u", as->volume->vid);
- afs_activate_volume(as->volume);
---
-2.20.1
-
+++ /dev/null
-From 12f9cb34b5def8a14b1b4a71322f35fd998aa66a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 16 Dec 2019 16:12:24 +0100
-Subject: ALSA: hda - Downgrade error message for single-cmd fallback
-
-From: Takashi Iwai <tiwai@suse.de>
-
-[ Upstream commit 475feec0c41ad71cb7d02f0310e56256606b57c5 ]
-
-We made the error message for the CORB/RIRB communication clearer by
-upgrading to dev_WARN() so that user can notice better. But this
-struck us like a boomerang: now it caught syzbot and reported back as
-a fatal issue although it's not really any too serious bug that worth
-for stopping the whole system.
-
-OK, OK, let's be softy, downgrade it to the standard dev_err() again.
-
-Fixes: dd65f7e19c69 ("ALSA: hda - Show the fatal CORB/RIRB error more clearly")
-Reported-by: syzbot+b3028ac3933f5c466389@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/r/20191216151224.30013-1-tiwai@suse.de
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/pci/hda/hda_controller.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
-index 8fcb421193e0..fa261b27d858 100644
---- a/sound/pci/hda/hda_controller.c
-+++ b/sound/pci/hda/hda_controller.c
-@@ -883,7 +883,7 @@ static int azx_rirb_get_response(struct hdac_bus *bus, unsigned int addr,
- return -EAGAIN; /* give a chance to retry */
- }
-
-- dev_WARN(chip->card->dev,
-+ dev_err(chip->card->dev,
- "azx_get_response timeout, switching to single_cmd mode: last cmd=0x%08x\n",
- bus->last_cmd[addr]);
- chip->single_cmd = 1;
---
-2.20.1
-
+++ /dev/null
-From d32af2f3f220750de97e12be0da2eb49f6a32eb8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 29 Nov 2019 15:40:27 +0100
-Subject: ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen
-
-From: Jaroslav Kysela <perex@perex.cz>
-
-[ Upstream commit d2cd795c4ece1a24fda170c35eeb4f17d9826cbb ]
-
-The auto-parser assigns the bass speaker to DAC3 (NID 0x06) which
-is without the volume control. I do not see a reason to use DAC2,
-because the shared output to all speakers produces the sufficient
-and well balanced sound. The stereo support is enough for this
-purpose (laptop).
-
-Signed-off-by: Jaroslav Kysela <perex@perex.cz>
-Link: https://lore.kernel.org/r/20191129144027.14765-1-perex@perex.cz
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/pci/hda/patch_realtek.c | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 0c007d14588a..bf42b6f7fb5c 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -5441,6 +5441,16 @@ static void alc295_fixup_disable_dac3(struct hda_codec *codec,
- }
- }
-
-+/* force NID 0x17 (Bass Speaker) to DAC1 to share it with the main speaker */
-+static void alc285_fixup_speaker2_to_dac1(struct hda_codec *codec,
-+ const struct hda_fixup *fix, int action)
-+{
-+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
-+ hda_nid_t conn[1] = { 0x02 };
-+ snd_hda_override_conn_list(codec, 0x17, 1, conn);
-+ }
-+}
-+
- /* Hook to update amp GPIO4 for automute */
- static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec,
- struct hda_jack_callback *jack)
-@@ -5661,6 +5671,7 @@ enum {
- ALC225_FIXUP_DISABLE_MIC_VREF,
- ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
- ALC295_FIXUP_DISABLE_DAC3,
-+ ALC285_FIXUP_SPEAKER2_TO_DAC1,
- ALC280_FIXUP_HP_HEADSET_MIC,
- ALC221_FIXUP_HP_FRONT_MIC,
- ALC292_FIXUP_TPT460,
-@@ -6444,6 +6455,10 @@ static const struct hda_fixup alc269_fixups[] = {
- .type = HDA_FIXUP_FUNC,
- .v.func = alc295_fixup_disable_dac3,
- },
-+ [ALC285_FIXUP_SPEAKER2_TO_DAC1] = {
-+ .type = HDA_FIXUP_FUNC,
-+ .v.func = alc285_fixup_speaker2_to_dac1,
-+ },
- [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
- .type = HDA_FIXUP_PINS,
- .v.pins = (const struct hda_pintbl[]) {
-@@ -7023,6 +7038,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
- SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
- SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
- SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
-+ SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
- SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
- SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
- SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
-@@ -7206,6 +7222,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
- {.id = ALC255_FIXUP_DELL_SPK_NOISE, .name = "dell-spk-noise"},
- {.id = ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "alc225-dell1"},
- {.id = ALC295_FIXUP_DISABLE_DAC3, .name = "alc295-disable-dac3"},
-+ {.id = ALC285_FIXUP_SPEAKER2_TO_DAC1, .name = "alc285-speaker2-to-dac1"},
- {.id = ALC280_FIXUP_HP_HEADSET_MIC, .name = "alc280-hp-headset"},
- {.id = ALC221_FIXUP_HP_FRONT_MIC, .name = "alc221-hp-mic"},
- {.id = ALC298_FIXUP_SPK_VOLUME, .name = "alc298-spk-volume"},
---
-2.20.1
-
+++ /dev/null
-From e838aea7de3c29b1c0d08fdf8394b08a71769e52 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 19 Dec 2019 14:12:15 +0800
-Subject: ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker
-
-From: Kailang Yang <kailang@realtek.com>
-
-[ Upstream commit e79c22695abd3b75a6aecf4ea4b9607e8d82c49c ]
-
-Dell has new platform which has dual speaker connecting.
-They want dual speaker which use same dac for output.
-
-Signed-off-by: Kailang Yang <kailang@realtek.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/229c7efa2b474a16b7d8a916cd096b68@realtek.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 019dee96dbaa..9cd0cef9ec27 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -5705,6 +5705,8 @@ enum {
- ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC,
- ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE,
- ALC294_FIXUP_ASUS_INTSPK_GPIO,
-+ ALC289_FIXUP_DELL_SPK2,
-+ ALC289_FIXUP_DUAL_SPK,
- };
-
- static const struct hda_fixup alc269_fixups[] = {
-@@ -6775,6 +6777,21 @@ static const struct hda_fixup alc269_fixups[] = {
- .chained = true,
- .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC
- },
-+ [ALC289_FIXUP_DELL_SPK2] = {
-+ .type = HDA_FIXUP_PINS,
-+ .v.pins = (const struct hda_pintbl[]) {
-+ { 0x17, 0x90170130 }, /* bass spk */
-+ { }
-+ },
-+ .chained = true,
-+ .chain_id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE
-+ },
-+ [ALC289_FIXUP_DUAL_SPK] = {
-+ .type = HDA_FIXUP_FUNC,
-+ .v.func = alc285_fixup_speaker2_to_dac1,
-+ .chained = true,
-+ .chain_id = ALC289_FIXUP_DELL_SPK2
-+ },
- };
-
- static const struct snd_pci_quirk alc269_fixup_tbl[] = {
-@@ -6847,6 +6864,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
- SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
-+ SND_PCI_QUIRK(0x1028, 0x097e, "Dell Precision", ALC289_FIXUP_DUAL_SPK),
-+ SND_PCI_QUIRK(0x1028, 0x097d, "Dell Precision", ALC289_FIXUP_DUAL_SPK),
- SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
---
-2.20.1
-
+++ /dev/null
-From 491b3cb310f25c7bd771705f4a121e8acc73591f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 30 Dec 2019 11:11:18 +0800
-Subject: ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC
-
-From: Chris Chiu <chiu@endlessm.com>
-
-[ Upstream commit 48e01504cf5315cbe6de9b7412e792bfcc3dd9e1 ]
-
-ASUS reported that there's an bass speaker in addition to internal
-speaker and it uses DAC 0x02. It was not enabled in the commit
-436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS
-UX431FLC") which only enables the amplifier and the front speaker.
-This commit enables the bass speaker on top of the aforementioned
-work to improve the acoustic experience.
-
-Fixes: 436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC")
-Signed-off-by: Chris Chiu <chiu@endlessm.com>
-Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20191230031118.95076-1-chiu@endlessm.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/pci/hda/patch_realtek.c | 38 +++++++++++++++++------------------
- 1 file changed, 18 insertions(+), 20 deletions(-)
-
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 9cd0cef9ec27..0c007d14588a 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -5702,11 +5702,12 @@ enum {
- ALC256_FIXUP_ASUS_HEADSET_MIC,
- ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
- ALC299_FIXUP_PREDATOR_SPK,
-- ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC,
- ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE,
-- ALC294_FIXUP_ASUS_INTSPK_GPIO,
- ALC289_FIXUP_DELL_SPK2,
- ALC289_FIXUP_DUAL_SPK,
-+ ALC294_FIXUP_SPK2_TO_DAC1,
-+ ALC294_FIXUP_ASUS_DUAL_SPK,
-+
- };
-
- static const struct hda_fixup alc269_fixups[] = {
-@@ -6750,16 +6751,6 @@ static const struct hda_fixup alc269_fixups[] = {
- { }
- }
- },
-- [ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC] = {
-- .type = HDA_FIXUP_PINS,
-- .v.pins = (const struct hda_pintbl[]) {
-- { 0x14, 0x411111f0 }, /* disable confusing internal speaker */
-- { 0x19, 0x04a11150 }, /* use as headset mic, without its own jack detect */
-- { }
-- },
-- .chained = true,
-- .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
-- },
- [ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE] = {
- .type = HDA_FIXUP_PINS,
- .v.pins = (const struct hda_pintbl[]) {
-@@ -6770,13 +6761,6 @@ static const struct hda_fixup alc269_fixups[] = {
- .chained = true,
- .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE
- },
-- [ALC294_FIXUP_ASUS_INTSPK_GPIO] = {
-- .type = HDA_FIXUP_FUNC,
-- /* The GPIO must be pulled to initialize the AMP */
-- .v.func = alc_fixup_gpio4,
-- .chained = true,
-- .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC
-- },
- [ALC289_FIXUP_DELL_SPK2] = {
- .type = HDA_FIXUP_PINS,
- .v.pins = (const struct hda_pintbl[]) {
-@@ -6792,6 +6776,20 @@ static const struct hda_fixup alc269_fixups[] = {
- .chained = true,
- .chain_id = ALC289_FIXUP_DELL_SPK2
- },
-+ [ALC294_FIXUP_SPK2_TO_DAC1] = {
-+ .type = HDA_FIXUP_FUNC,
-+ .v.func = alc285_fixup_speaker2_to_dac1,
-+ .chained = true,
-+ .chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC
-+ },
-+ [ALC294_FIXUP_ASUS_DUAL_SPK] = {
-+ .type = HDA_FIXUP_FUNC,
-+ /* The GPIO must be pulled to initialize the AMP */
-+ .v.func = alc_fixup_gpio4,
-+ .chained = true,
-+ .chain_id = ALC294_FIXUP_SPK2_TO_DAC1
-+ },
-+
- };
-
- static const struct snd_pci_quirk alc269_fixup_tbl[] = {
-@@ -6953,7 +6951,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
- SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK),
- SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
- SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
-- SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_INTSPK_GPIO),
-+ SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK),
- SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC),
- SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
- SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC),
---
-2.20.1
-
+++ /dev/null
-From 6c1e41007271c205774bd0d3681cb338c6de25b7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 7 Nov 2019 17:18:20 -0500
-Subject: drm/amd/display: Fixed kernel panic when booting with DP-to-HDMI
- dongle
-
-From: David Galiffi <David.Galiffi@amd.com>
-
-[ Upstream commit a51d9f8fe756beac51ce26ef54195da00a260d13 ]
-
-[Why]
-In dc_link_is_dp_sink_present, if dal_ddc_open fails, then
-dal_gpio_destroy_ddc is called, destroying pin_data and pin_clock. They
-are created only on dc_construct, and next aux access will cause a panic.
-
-[How]
-Instead of calling dal_gpio_destroy_ddc, call dal_ddc_close.
-
-Signed-off-by: David Galiffi <David.Galiffi@amd.com>
-Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
-Acked-by: Leo Li <sunpeng.li@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
-index c6f7c1344a9b..2f42964fb9f4 100644
---- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
-+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
-@@ -348,7 +348,7 @@ bool dc_link_is_dp_sink_present(struct dc_link *link)
-
- if (GPIO_RESULT_OK != dal_ddc_open(
- ddc, GPIO_MODE_INPUT, GPIO_DDC_CONFIG_TYPE_MODE_I2C)) {
-- dal_gpio_destroy_ddc(&ddc);
-+ dal_ddc_close(ddc);
-
- return present;
- }
---
-2.20.1
-
+++ /dev/null
-From 065e3733f7cb09c97499ace5a628dc83b779645f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Nov 2019 12:08:58 +0100
-Subject: drm/amdgpu: add cache flush workaround to gfx8 emit_fence
-
-From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
-
-[ Upstream commit bf26da927a1cd57c9deb2db29ae8cf276ba8b17b ]
-
-The same workaround is used for gfx7.
-Both PAL and Mesa use it for gfx8 too, so port this commit to
-gfx_v8_0_ring_emit_fence_gfx.
-
-Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
-Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 22 +++++++++++++++++++---
- 1 file changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
-index 5a9534a82d40..e1cb7fa89e4d 100644
---- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
-+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
-@@ -6405,7 +6405,23 @@ static void gfx_v8_0_ring_emit_fence_gfx(struct amdgpu_ring *ring, u64 addr,
- bool write64bit = flags & AMDGPU_FENCE_FLAG_64BIT;
- bool int_sel = flags & AMDGPU_FENCE_FLAG_INT;
-
-- /* EVENT_WRITE_EOP - flush caches, send int */
-+ /* Workaround for cache flush problems. First send a dummy EOP
-+ * event down the pipe with seq one below.
-+ */
-+ amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4));
-+ amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN |
-+ EOP_TC_ACTION_EN |
-+ EOP_TC_WB_ACTION_EN |
-+ EVENT_TYPE(CACHE_FLUSH_AND_INV_TS_EVENT) |
-+ EVENT_INDEX(5)));
-+ amdgpu_ring_write(ring, addr & 0xfffffffc);
-+ amdgpu_ring_write(ring, (upper_32_bits(addr) & 0xffff) |
-+ DATA_SEL(1) | INT_SEL(0));
-+ amdgpu_ring_write(ring, lower_32_bits(seq - 1));
-+ amdgpu_ring_write(ring, upper_32_bits(seq - 1));
-+
-+ /* Then send the real EOP event down the pipe:
-+ * EVENT_WRITE_EOP - flush caches, send int */
- amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4));
- amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN |
- EOP_TC_ACTION_EN |
-@@ -7154,7 +7170,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = {
- 5 + /* COND_EXEC */
- 7 + /* PIPELINE_SYNC */
- VI_FLUSH_GPU_TLB_NUM_WREG * 5 + 9 + /* VM_FLUSH */
-- 8 + /* FENCE for VM_FLUSH */
-+ 12 + /* FENCE for VM_FLUSH */
- 20 + /* GDS switch */
- 4 + /* double SWITCH_BUFFER,
- the first COND_EXEC jump to the place just
-@@ -7166,7 +7182,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = {
- 31 + /* DE_META */
- 3 + /* CNTX_CTRL */
- 5 + /* HDP_INVL */
-- 8 + 8 + /* FENCE x2 */
-+ 12 + 12 + /* FENCE x2 */
- 2, /* SWITCH_BUFFER */
- .emit_ib_size = 4, /* gfx_v8_0_ring_emit_ib_gfx */
- .emit_ib = gfx_v8_0_ring_emit_ib_gfx,
---
-2.20.1
-
+++ /dev/null
-From 910d69dcd485d1b7a4793a661c54ae0a49fb2504 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 4 Dec 2019 15:51:16 +0800
-Subject: drm/amdgpu: add check before enabling/disabling broadcast mode
-
-From: Guchun Chen <guchun.chen@amd.com>
-
-[ Upstream commit 6e807535dae5dbbd53bcc5e81047a20bf5eb08ea ]
-
-When security violation from new vbios happens, data fabric is
-risky to stop working. So prevent the direct access to DF
-mmFabricConfigAccessControl from the new vbios and onwards.
-
-Signed-off-by: Guchun Chen <guchun.chen@amd.com>
-Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/amdgpu/df_v3_6.c | 38 ++++++++++++++++------------
- 1 file changed, 22 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
-index d5ebe566809b..a1c941229f4b 100644
---- a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
-+++ b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
-@@ -75,23 +75,29 @@ static void df_v3_6_update_medium_grain_clock_gating(struct amdgpu_device *adev,
- {
- u32 tmp;
-
-- /* Put DF on broadcast mode */
-- adev->df_funcs->enable_broadcast_mode(adev, true);
--
-- if (enable && (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG)) {
-- tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater);
-- tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
-- tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY;
-- WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp);
-- } else {
-- tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater);
-- tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
-- tmp |= DF_V3_6_MGCG_DISABLE;
-- WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp);
-+ if (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG) {
-+ /* Put DF on broadcast mode */
-+ adev->df_funcs->enable_broadcast_mode(adev, true);
-+
-+ if (enable) {
-+ tmp = RREG32_SOC15(DF, 0,
-+ mmDF_PIE_AON0_DfGlobalClkGater);
-+ tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
-+ tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY;
-+ WREG32_SOC15(DF, 0,
-+ mmDF_PIE_AON0_DfGlobalClkGater, tmp);
-+ } else {
-+ tmp = RREG32_SOC15(DF, 0,
-+ mmDF_PIE_AON0_DfGlobalClkGater);
-+ tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
-+ tmp |= DF_V3_6_MGCG_DISABLE;
-+ WREG32_SOC15(DF, 0,
-+ mmDF_PIE_AON0_DfGlobalClkGater, tmp);
-+ }
-+
-+ /* Exit broadcast mode */
-+ adev->df_funcs->enable_broadcast_mode(adev, false);
- }
--
-- /* Exit broadcast mode */
-- adev->df_funcs->enable_broadcast_mode(adev, false);
- }
-
- static void df_v3_6_get_clockgating_state(struct amdgpu_device *adev,
---
-2.20.1
-
+++ /dev/null
-From 49613540c28510ee7479562ad3df721c8d133ac6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 4 Dec 2019 16:52:37 -0800
-Subject: drm: limit to INT_MAX in create_blob ioctl
-
-From: Daniel Vetter <daniel.vetter@ffwll.ch>
-
-[ Upstream commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c ]
-
-The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb
-("uaccess: disallow > INT_MAX copy sizes")
-
-Code itself should have been fine as-is.
-
-Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch
-Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
-Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
-Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Alexander Viro <viro@zeniv.linux.org.uk>
-Cc: Stephen Rothwell <sfr@canb.auug.org.au>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/drm_property.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
-index cdb10f885a4f..69dfed57c2f8 100644
---- a/drivers/gpu/drm/drm_property.c
-+++ b/drivers/gpu/drm/drm_property.c
-@@ -556,7 +556,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
- struct drm_property_blob *blob;
- int ret;
-
-- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
-+ if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
- return ERR_PTR(-EINVAL);
-
- blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
---
-2.20.1
-
+++ /dev/null
-From f4087b6a0f22567950bc481970f6f371e6d82e00 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 24 Oct 2019 10:52:52 +0200
-Subject: drm/nouveau: Move the declaration of struct nouveau_conn_atom up a
- bit
-
-From: Hans de Goede <hdegoede@redhat.com>
-
-[ Upstream commit 37a68eab4cd92b507c9e8afd760fdc18e4fecac6 ]
-
-Place the declaration of struct nouveau_conn_atom above that of
-struct nouveau_connector. This commit makes no changes to the moved
-block what so ever, it just moves it up a bit.
-
-This is a preparation patch to fix some issues with connector handling
-on pre nv50 displays (which do not use atomic modesetting).
-
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
-Reviewed-by: Lyude Paul <lyude@redhat.com>
-Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/nouveau/nouveau_connector.h | 110 ++++++++++----------
- 1 file changed, 55 insertions(+), 55 deletions(-)
-
-diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h
-index dc7454e7f19a..b46e99f7641e 100644
---- a/drivers/gpu/drm/nouveau/nouveau_connector.h
-+++ b/drivers/gpu/drm/nouveau/nouveau_connector.h
-@@ -29,6 +29,7 @@
-
- #include <nvif/notify.h>
-
-+#include <drm/drm_crtc.h>
- #include <drm/drm_edid.h>
- #include <drm/drm_encoder.h>
- #include <drm/drm_dp_helper.h>
-@@ -37,6 +38,60 @@
-
- struct nvkm_i2c_port;
-
-+#define nouveau_conn_atom(p) \
-+ container_of((p), struct nouveau_conn_atom, state)
-+
-+struct nouveau_conn_atom {
-+ struct drm_connector_state state;
-+
-+ struct {
-+ /* The enum values specifically defined here match nv50/gf119
-+ * hw values, and the code relies on this.
-+ */
-+ enum {
-+ DITHERING_MODE_OFF = 0x00,
-+ DITHERING_MODE_ON = 0x01,
-+ DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON,
-+ DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON,
-+ DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON,
-+ DITHERING_MODE_AUTO
-+ } mode;
-+ enum {
-+ DITHERING_DEPTH_6BPC = 0x00,
-+ DITHERING_DEPTH_8BPC = 0x02,
-+ DITHERING_DEPTH_AUTO
-+ } depth;
-+ } dither;
-+
-+ struct {
-+ int mode; /* DRM_MODE_SCALE_* */
-+ struct {
-+ enum {
-+ UNDERSCAN_OFF,
-+ UNDERSCAN_ON,
-+ UNDERSCAN_AUTO,
-+ } mode;
-+ u32 hborder;
-+ u32 vborder;
-+ } underscan;
-+ bool full;
-+ } scaler;
-+
-+ struct {
-+ int color_vibrance;
-+ int vibrant_hue;
-+ } procamp;
-+
-+ union {
-+ struct {
-+ bool dither:1;
-+ bool scaler:1;
-+ bool procamp:1;
-+ };
-+ u8 mask;
-+ } set;
-+};
-+
- struct nouveau_connector {
- struct drm_connector base;
- enum dcb_connector_type type;
-@@ -111,61 +166,6 @@ extern int nouveau_ignorelid;
- extern int nouveau_duallink;
- extern int nouveau_hdmimhz;
-
--#include <drm/drm_crtc.h>
--#define nouveau_conn_atom(p) \
-- container_of((p), struct nouveau_conn_atom, state)
--
--struct nouveau_conn_atom {
-- struct drm_connector_state state;
--
-- struct {
-- /* The enum values specifically defined here match nv50/gf119
-- * hw values, and the code relies on this.
-- */
-- enum {
-- DITHERING_MODE_OFF = 0x00,
-- DITHERING_MODE_ON = 0x01,
-- DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON,
-- DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON,
-- DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON,
-- DITHERING_MODE_AUTO
-- } mode;
-- enum {
-- DITHERING_DEPTH_6BPC = 0x00,
-- DITHERING_DEPTH_8BPC = 0x02,
-- DITHERING_DEPTH_AUTO
-- } depth;
-- } dither;
--
-- struct {
-- int mode; /* DRM_MODE_SCALE_* */
-- struct {
-- enum {
-- UNDERSCAN_OFF,
-- UNDERSCAN_ON,
-- UNDERSCAN_AUTO,
-- } mode;
-- u32 hborder;
-- u32 vborder;
-- } underscan;
-- bool full;
-- } scaler;
--
-- struct {
-- int color_vibrance;
-- int vibrant_hue;
-- } procamp;
--
-- union {
-- struct {
-- bool dither:1;
-- bool scaler:1;
-- bool procamp:1;
-- };
-- u8 mask;
-- } set;
--};
--
- void nouveau_conn_attach_properties(struct drm_connector *);
- void nouveau_conn_reset(struct drm_connector *);
- struct drm_connector_state *
---
-2.20.1
-
+++ /dev/null
-From 9c4f22df730830afdbf0795132a83040ceb8c9c5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 12 Dec 2019 11:12:13 +0200
-Subject: IB/mlx4: Follow mirror sequence of device add during device removal
-
-From: Parav Pandit <parav@mellanox.com>
-
-[ Upstream commit 89f988d93c62384758b19323c886db917a80c371 ]
-
-Current code device add sequence is:
-
-ib_register_device()
-ib_mad_init()
-init_sriov_init()
-register_netdev_notifier()
-
-Therefore, the remove sequence should be,
-
-unregister_netdev_notifier()
-close_sriov()
-mad_cleanup()
-ib_unregister_device()
-
-However it is not above.
-Hence, make do above remove sequence.
-
-Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE")
-Signed-off-by: Parav Pandit <parav@mellanox.com>
-Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
-Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
-Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org
-Signed-off-by: Doug Ledford <dledford@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/infiniband/hw/mlx4/main.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
-index 0bbeaaae47e0..9386bb57b3d7 100644
---- a/drivers/infiniband/hw/mlx4/main.c
-+++ b/drivers/infiniband/hw/mlx4/main.c
-@@ -3069,16 +3069,17 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr)
- ibdev->ib_active = false;
- flush_workqueue(wq);
-
-- mlx4_ib_close_sriov(ibdev);
-- mlx4_ib_mad_cleanup(ibdev);
-- ib_unregister_device(&ibdev->ib_dev);
-- mlx4_ib_diag_cleanup(ibdev);
- if (ibdev->iboe.nb.notifier_call) {
- if (unregister_netdevice_notifier(&ibdev->iboe.nb))
- pr_warn("failure unregistering notifier\n");
- ibdev->iboe.nb.notifier_call = NULL;
- }
-
-+ mlx4_ib_close_sriov(ibdev);
-+ mlx4_ib_mad_cleanup(ibdev);
-+ ib_unregister_device(&ibdev->ib_dev);
-+ mlx4_ib_diag_cleanup(ibdev);
-+
- mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
- ibdev->steer_qpn_count);
- kfree(ibdev->ib_uc_qpns_bitmap);
---
-2.20.1
-
+++ /dev/null
-From 83f0facc69041ef49fb39f8f21aab6d6d65df86c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 12 Dec 2019 11:12:14 +0200
-Subject: IB/mlx5: Fix steering rule of drop and count
-
-From: Maor Gottlieb <maorg@mellanox.com>
-
-[ Upstream commit ed9085fed9d95d5921582e3c8474f3736c5d2782 ]
-
-There are two flow rule destinations: QP and packet. While users are
-setting DROP packet rule, the QP should not be set as a destination.
-
-Fixes: 3b3233fbf02e ("IB/mlx5: Add flow counters binding support")
-Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
-Reviewed-by: Raed Salem <raeds@mellanox.com>
-Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
-Link: https://lore.kernel.org/r/20191212091214.315005-4-leon@kernel.org
-Signed-off-by: Doug Ledford <dledford@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/infiniband/hw/mlx5/main.c | 13 ++++++-------
- 1 file changed, 6 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
-index f4ffdc588ea0..df5be462dd28 100644
---- a/drivers/infiniband/hw/mlx5/main.c
-+++ b/drivers/infiniband/hw/mlx5/main.c
-@@ -3286,10 +3286,6 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
- }
-
- INIT_LIST_HEAD(&handler->list);
-- if (dst) {
-- memcpy(&dest_arr[0], dst, sizeof(*dst));
-- dest_num++;
-- }
-
- for (spec_index = 0; spec_index < flow_attr->num_of_specs; spec_index++) {
- err = parse_flow_attr(dev->mdev, spec->match_criteria,
-@@ -3303,6 +3299,11 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
- ib_flow += ((union ib_flow_spec *)ib_flow)->size;
- }
-
-+ if (dst && !(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP)) {
-+ memcpy(&dest_arr[0], dst, sizeof(*dst));
-+ dest_num++;
-+ }
-+
- if (!flow_is_multicast_only(flow_attr))
- set_underlay_qp(dev, spec, underlay_qpn);
-
-@@ -3340,10 +3341,8 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
- }
-
- if (flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP) {
-- if (!(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_COUNT)) {
-+ if (!dest_num)
- rule_dst = NULL;
-- dest_num = 0;
-- }
- } else {
- if (is_egress)
- flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_ALLOW;
---
-2.20.1
-
+++ /dev/null
-From b4a3dcdb004f24c8ecb73f0c0cdf2263d3cbc719 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 2 Dec 2019 09:55:46 +0100
-Subject: iio: adc: max9611: Fix too short conversion time delay
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-
-[ Upstream commit 9fd229c478fbf77c41c8528aa757ef14210365f6 ]
-
-As of commit b9ddd5091160793e ("iio: adc: max9611: Fix temperature
-reading in probe"), max9611 initialization sometimes fails on the
-Salvator-X(S) development board with:
-
- max9611 4-007f: Invalid value received from ADC 0x8000: aborting
- max9611: probe of 4-007f failed with error -5
-
-The max9611 driver tests communications with the chip by reading the die
-temperature during the probe function, which returns an invalid value.
-
-According to the datasheet, the typical ADC conversion time is 2 ms, but
-no minimum or maximum values are provided. Maxim Technical Support
-confirmed this was tested with temperature Ta=25 degreeC, and promised
-to inform me if a maximum/minimum value is available (they didn't get
-back to me, so I assume it is not).
-
-However, the driver assumes a 1 ms conversion time. Usually the
-usleep_range() call returns after more than 1.8 ms, hence it succeeds.
-When it returns earlier, the data register may be read too early, and
-the previous measurement value will be returned. After boot, this is
-the temperature POR (power-on reset) value, causing the failure above.
-
-Fix this by increasing the delay from 1000-2000 µs to 3000-3300 µs.
-
-Note that this issue has always been present, but it was exposed by the
-aformentioned commit.
-
-Fixes: 69780a3bbc0b1e7e ("iio: adc: Add Maxim max9611 ADC driver")
-Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Reviewed-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
-Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/iio/adc/max9611.c | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c
-index 0884435eec68..9f1a5ef0b444 100644
---- a/drivers/iio/adc/max9611.c
-+++ b/drivers/iio/adc/max9611.c
-@@ -92,6 +92,12 @@
- #define MAX9611_TEMP_SCALE_NUM 1000000
- #define MAX9611_TEMP_SCALE_DIV 2083
-
-+/*
-+ * Conversion time is 2 ms (typically) at Ta=25 degreeC
-+ * No maximum value is known, so play it safe.
-+ */
-+#define MAX9611_CONV_TIME_US_RANGE 3000, 3300
-+
- struct max9611_dev {
- struct device *dev;
- struct i2c_client *i2c_client;
-@@ -239,11 +245,9 @@ static int max9611_read_single(struct max9611_dev *max9611,
- return ret;
- }
-
-- /*
-- * need a delay here to make register configuration
-- * stabilize. 1 msec at least, from empirical testing.
-- */
-- usleep_range(1000, 2000);
-+ /* need a delay here to make register configuration stabilize. */
-+
-+ usleep_range(MAX9611_CONV_TIME_US_RANGE);
-
- ret = i2c_smbus_read_word_swapped(max9611->i2c_client, reg_addr);
- if (ret < 0) {
-@@ -510,7 +514,7 @@ static int max9611_init(struct max9611_dev *max9611)
- MAX9611_REG_CTRL2, 0);
- return ret;
- }
-- usleep_range(1000, 2000);
-+ usleep_range(MAX9611_CONV_TIME_US_RANGE);
-
- return 0;
- }
---
-2.20.1
-
+++ /dev/null
-From 7c3b2ffda857a8361bfb2c2a7b673aa7cd8e3454 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 7 Nov 2019 10:30:42 -0800
-Subject: inetpeer: fix data-race in inet_putpeer / inet_putpeer
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 71685eb4ce80ae9c49eff82ca4dd15acab215de9 ]
-
-We need to explicitely forbid read/store tearing in inet_peer_gc()
-and inet_putpeer().
-
-The following syzbot report reminds us about inet_putpeer()
-running without a lock held.
-
-BUG: KCSAN: data-race in inet_putpeer / inet_putpeer
-
-write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 0:
- inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
- ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
- inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
- __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
- rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
- rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
- rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
- __do_softirq+0x115/0x33f kernel/softirq.c:292
- invoke_softirq kernel/softirq.c:373 [inline]
- irq_exit+0xbb/0xe0 kernel/softirq.c:413
- exiting_irq arch/x86/include/asm/apic.h:536 [inline]
- smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
- apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
- native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
- arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
- default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
- cpuidle_idle_call kernel/sched/idle.c:154 [inline]
- do_idle+0x1af/0x280 kernel/sched/idle.c:263
-
-write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 1:
- inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
- ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
- inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
- __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
- rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
- rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
- rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
- __do_softirq+0x115/0x33f kernel/softirq.c:292
- run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
- smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
- kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
- ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
-
-Reported by Kernel Concurrency Sanitizer on:
-CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-
-Fixes: 4b9d9be839fd ("inetpeer: remove unused list")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv4/inetpeer.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
-index be778599bfed..ff327a62c9ce 100644
---- a/net/ipv4/inetpeer.c
-+++ b/net/ipv4/inetpeer.c
-@@ -160,7 +160,12 @@ static void inet_peer_gc(struct inet_peer_base *base,
- base->total / inet_peer_threshold * HZ;
- for (i = 0; i < gc_cnt; i++) {
- p = gc_stack[i];
-- delta = (__u32)jiffies - p->dtime;
-+
-+ /* The READ_ONCE() pairs with the WRITE_ONCE()
-+ * in inet_putpeer()
-+ */
-+ delta = (__u32)jiffies - READ_ONCE(p->dtime);
-+
- if (delta < ttl || !refcount_dec_if_one(&p->refcnt))
- gc_stack[i] = NULL;
- }
-@@ -237,7 +242,10 @@ EXPORT_SYMBOL_GPL(inet_getpeer);
-
- void inet_putpeer(struct inet_peer *p)
- {
-- p->dtime = (__u32)jiffies;
-+ /* The WRITE_ONCE() pairs with itself (we run lockless)
-+ * and the READ_ONCE() in inet_peer_gc()
-+ */
-+ WRITE_ONCE(p->dtime, (__u32)jiffies);
-
- if (refcount_dec_and_test(&p->refcnt))
- call_rcu(&p->rcu, inetpeer_free_rcu);
---
-2.20.1
-
+++ /dev/null
-From 0a3bcd478972b202206fd8a250d58e99e57501fd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 10 Dec 2019 10:42:25 +0800
-Subject: md: raid1: check rdev before reference in raid1_sync_request func
-
-From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
-
-[ Upstream commit 028288df635f5a9addd48ac4677b720192747944 ]
-
-In raid1_sync_request func, rdev should be checked before reference.
-
-Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
-Signed-off-by: Song Liu <songliubraving@fb.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/raid1.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index 6800dcd50a11..abcb4c3a76c1 100644
---- a/drivers/md/raid1.c
-+++ b/drivers/md/raid1.c
-@@ -2756,7 +2756,7 @@ static sector_t raid1_sync_request(struct mddev *mddev, sector_t sector_nr,
- write_targets++;
- }
- }
-- if (bio->bi_end_io) {
-+ if (rdev && bio->bi_end_io) {
- atomic_inc(&rdev->nr_pending);
- bio->bi_iter.bi_sector = sector_nr + rdev->data_offset;
- bio_set_dev(bio, rdev->bdev);
---
-2.20.1
-
+++ /dev/null
-From d29fb490a11c0644f44f9655802bb2dc1f237d68 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 7 Nov 2019 18:49:43 -0800
-Subject: net: add a READ_ONCE() in skb_peek_tail()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit f8cc62ca3e660ae3fdaee533b1d554297cd2ae82 ]
-
-skb_peek_tail() can be used without protection of a lock,
-as spotted by KCSAN [1]
-
-In order to avoid load-stearing, add a READ_ONCE()
-
-Note that the corresponding WRITE_ONCE() are already there.
-
-[1]
-BUG: KCSAN: data-race in sk_wait_data / skb_queue_tail
-
-read to 0xffff8880b36a4118 of 8 bytes by task 20426 on cpu 1:
- skb_peek_tail include/linux/skbuff.h:1784 [inline]
- sk_wait_data+0x15b/0x250 net/core/sock.c:2477
- kcm_wait_data+0x112/0x1f0 net/kcm/kcmsock.c:1103
- kcm_recvmsg+0xac/0x320 net/kcm/kcmsock.c:1130
- sock_recvmsg_nosec net/socket.c:871 [inline]
- sock_recvmsg net/socket.c:889 [inline]
- sock_recvmsg+0x92/0xb0 net/socket.c:885
- ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
- do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
- __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
- __do_sys_recvmmsg net/socket.c:2703 [inline]
- __se_sys_recvmmsg net/socket.c:2696 [inline]
- __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
- do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-write to 0xffff8880b36a4118 of 8 bytes by task 451 on cpu 0:
- __skb_insert include/linux/skbuff.h:1852 [inline]
- __skb_queue_before include/linux/skbuff.h:1958 [inline]
- __skb_queue_tail include/linux/skbuff.h:1991 [inline]
- skb_queue_tail+0x7e/0xc0 net/core/skbuff.c:3145
- kcm_queue_rcv_skb+0x202/0x310 net/kcm/kcmsock.c:206
- kcm_rcv_strparser+0x74/0x4b0 net/kcm/kcmsock.c:370
- __strp_recv+0x348/0xf50 net/strparser/strparser.c:309
- strp_recv+0x84/0xa0 net/strparser/strparser.c:343
- tcp_read_sock+0x174/0x5c0 net/ipv4/tcp.c:1639
- strp_read_sock+0xd4/0x140 net/strparser/strparser.c:366
- do_strp_work net/strparser/strparser.c:414 [inline]
- strp_work+0x9a/0xe0 net/strparser/strparser.c:423
- process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
- worker_thread+0xa0/0x800 kernel/workqueue.c:2415
- kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
- ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
-
-Reported by Kernel Concurrency Sanitizer on:
-CPU: 0 PID: 451 Comm: kworker/u4:3 Not tainted 5.4.0-rc3+ #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-Workqueue: kstrp strp_work
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/skbuff.h | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index 80c3da1aa8b1..25407c206e73 100644
---- a/include/linux/skbuff.h
-+++ b/include/linux/skbuff.h
-@@ -1669,7 +1669,7 @@ static inline struct sk_buff *skb_peek_next(struct sk_buff *skb,
- */
- static inline struct sk_buff *skb_peek_tail(const struct sk_buff_head *list_)
- {
-- struct sk_buff *skb = list_->prev;
-+ struct sk_buff *skb = READ_ONCE(list_->prev);
-
- if (skb == (struct sk_buff *)list_)
- skb = NULL;
-@@ -1737,7 +1737,9 @@ static inline void __skb_insert(struct sk_buff *newsk,
- struct sk_buff *prev, struct sk_buff *next,
- struct sk_buff_head *list)
- {
-- /* see skb_queue_empty_lockless() for the opposite READ_ONCE() */
-+ /* See skb_queue_empty_lockless() and skb_peek_tail()
-+ * for the opposite READ_ONCE()
-+ */
- WRITE_ONCE(newsk->next, next);
- WRITE_ONCE(newsk->prev, prev);
- WRITE_ONCE(next->prev, newsk);
---
-2.20.1
-
+++ /dev/null
-From e0e866aff942503605da43861e120ecf1576e7db Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 8 Nov 2019 10:34:47 -0800
-Subject: net: icmp: fix data-race in cmp_global_allow()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit bbab7ef235031f6733b5429ae7877bfa22339712 ]
-
-This code reads two global variables without protection
-of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
-avoid load/store-tearing and better document the intent.
-
-KCSAN reported :
-BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow
-
-read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
- icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
- icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
- icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
- icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
- icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
- ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
- dst_link_failure include/net/dst.h:419 [inline]
- vti_xmit net/ipv4/ip_vti.c:243 [inline]
- vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
- __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
- netdev_start_xmit include/linux/netdevice.h:4434 [inline]
- xmit_one net/core/dev.c:3280 [inline]
- dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
- __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
- dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
- neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
- neigh_output include/net/neighbour.h:511 [inline]
- ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
- __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
- __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
- ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
- NF_HOOK_COND include/linux/netfilter.h:294 [inline]
- ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
- dst_output include/net/dst.h:436 [inline]
- ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
-
-write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
- icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
- icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
- icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
- icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
- icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
- ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
- dst_link_failure include/net/dst.h:419 [inline]
- vti_xmit net/ipv4/ip_vti.c:243 [inline]
- vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
- __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
- netdev_start_xmit include/linux/netdevice.h:4434 [inline]
- xmit_one net/core/dev.c:3280 [inline]
- dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
- __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
- dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
- neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
- neigh_output include/net/neighbour.h:511 [inline]
- ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
- __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
- __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
- ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
- NF_HOOK_COND include/linux/netfilter.h:294 [inline]
- ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
-
-Reported by Kernel Concurrency Sanitizer on:
-CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-
-Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv4/icmp.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
-index 0167e23d1c8f..4efa5e33513e 100644
---- a/net/ipv4/icmp.c
-+++ b/net/ipv4/icmp.c
-@@ -254,10 +254,11 @@ bool icmp_global_allow(void)
- bool rc = false;
-
- /* Check if token bucket is empty and cannot be refilled
-- * without taking the spinlock.
-+ * without taking the spinlock. The READ_ONCE() are paired
-+ * with the following WRITE_ONCE() in this same function.
- */
-- if (!icmp_global.credit) {
-- delta = min_t(u32, now - icmp_global.stamp, HZ);
-+ if (!READ_ONCE(icmp_global.credit)) {
-+ delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ);
- if (delta < HZ / 50)
- return false;
- }
-@@ -267,14 +268,14 @@ bool icmp_global_allow(void)
- if (delta >= HZ / 50) {
- incr = sysctl_icmp_msgs_per_sec * delta / HZ ;
- if (incr)
-- icmp_global.stamp = now;
-+ WRITE_ONCE(icmp_global.stamp, now);
- }
- credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
- if (credit) {
- credit--;
- rc = true;
- }
-- icmp_global.credit = credit;
-+ WRITE_ONCE(icmp_global.credit, credit);
- spin_unlock(&icmp_global.lock);
- return rc;
- }
---
-2.20.1
-
+++ /dev/null
-From e12a987a693147176e806d57198b689075522a4a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 9 Dec 2019 20:58:56 -0700
-Subject: net: make socket read/write_iter() honor IOCB_NOWAIT
-
-From: Jens Axboe <axboe@kernel.dk>
-
-[ Upstream commit ebfcd8955c0b52eb793bcbc9e71140e3d0cdb228 ]
-
-The socket read/write helpers only look at the file O_NONBLOCK. not
-the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2
-and io_uring that rely on not having the file itself marked nonblocking,
-but rather the iocb itself.
-
-Cc: netdev@vger.kernel.org
-Acked-by: David Miller <davem@davemloft.net>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/socket.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/socket.c b/net/socket.c
-index 18d27b8c2511..1290aad5d1c3 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -867,7 +867,7 @@ static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to)
- .msg_iocb = iocb};
- ssize_t res;
-
-- if (file->f_flags & O_NONBLOCK)
-+ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
- msg.msg_flags = MSG_DONTWAIT;
-
- if (iocb->ki_pos != 0)
-@@ -892,7 +892,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from)
- if (iocb->ki_pos != 0)
- return -ESPIPE;
-
-- if (file->f_flags & O_NONBLOCK)
-+ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
- msg.msg_flags = MSG_DONTWAIT;
-
- if (sock->type == SOCK_SEQPACKET)
---
-2.20.1
-
+++ /dev/null
-From 7e72c4ea56ffa31730b5e5f02d1829bc2b09bb67 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 7 Dec 2019 14:43:39 -0800
-Subject: netfilter: bridge: make sure to pull arp header in
- br_nf_forward_arp()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 5604285839aaedfb23ebe297799c6e558939334d ]
-
-syzbot is kind enough to remind us we need to call skb_may_pull()
-
-BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
-CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-Call Trace:
- <IRQ>
- __dump_stack lib/dump_stack.c:77 [inline]
- dump_stack+0x1c9/0x220 lib/dump_stack.c:118
- kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
- __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
- br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
- nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
- nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
- nf_hook include/linux/netfilter.h:260 [inline]
- NF_HOOK include/linux/netfilter.h:303 [inline]
- __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
- br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
- br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
- nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
- br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
- __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
- __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
- __netif_receive_skb net/core/dev.c:5043 [inline]
- process_backlog+0x610/0x13c0 net/core/dev.c:5874
- napi_poll net/core/dev.c:6311 [inline]
- net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
- __do_softirq+0x4a1/0x83a kernel/softirq.c:293
- do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
- </IRQ>
- do_softirq kernel/softirq.c:338 [inline]
- __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
- local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
- rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
- __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
- dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
- packet_snd net/packet/af_packet.c:2959 [inline]
- packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
- sock_sendmsg_nosec net/socket.c:637 [inline]
- sock_sendmsg net/socket.c:657 [inline]
- __sys_sendto+0xc44/0xc70 net/socket.c:1952
- __do_sys_sendto net/socket.c:1964 [inline]
- __se_sys_sendto+0x107/0x130 net/socket.c:1960
- __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
- do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-RIP: 0033:0x45a679
-Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
-RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
-RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
-RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
-RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
-R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
-R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
-
-Uninit was created at:
- kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
- kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
- kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
- slab_alloc_node mm/slub.c:2773 [inline]
- __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
- __kmalloc_reserve net/core/skbuff.c:141 [inline]
- __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
- alloc_skb include/linux/skbuff.h:1049 [inline]
- alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
- sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
- packet_alloc_skb net/packet/af_packet.c:2807 [inline]
- packet_snd net/packet/af_packet.c:2902 [inline]
- packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
- sock_sendmsg_nosec net/socket.c:637 [inline]
- sock_sendmsg net/socket.c:657 [inline]
- __sys_sendto+0xc44/0xc70 net/socket.c:1952
- __do_sys_sendto net/socket.c:1964 [inline]
- __se_sys_sendto+0x107/0x130 net/socket.c:1960
- __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
- do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Reviewed-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/bridge/br_netfilter_hooks.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
-index 212c184c1eee..ccab290c14d4 100644
---- a/net/bridge/br_netfilter_hooks.c
-+++ b/net/bridge/br_netfilter_hooks.c
-@@ -646,6 +646,9 @@ static unsigned int br_nf_forward_arp(void *priv,
- nf_bridge_pull_encap_header(skb);
- }
-
-+ if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
-+ return NF_DROP;
-+
- if (arp_hdr(skb)->ar_pln != 4) {
- if (IS_VLAN_ARP(skb))
- nf_bridge_push_encap_header(skb);
---
-2.20.1
-
+++ /dev/null
-From 08266b24c424b81c1cbdc4f2bdeef434e466e758 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 15 Dec 2019 03:49:25 +0100
-Subject: netfilter: ebtables: compat: reject all padding in matches/watchers
-
-From: Florian Westphal <fw@strlen.de>
-
-[ Upstream commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe ]
-
-syzbot reported following splat:
-
-BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
-BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
-Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
-
-CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
- size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
- compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
- compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
- compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
- [..]
-
-Because padding isn't considered during computation of ->buf_user_offset,
-"total" is decremented by fewer bytes than it should.
-
-Therefore, the first part of
-
-if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
-
-will pass, -- it should not have. This causes oob access:
-entry->next_offset is past the vmalloced size.
-
-Reject padding and check that computed user offset (sum of ebt_entry
-structure plus all individual matches/watchers/targets) is same
-value that userspace gave us as the offset of the next entry.
-
-Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
-Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/bridge/netfilter/ebtables.c | 33 ++++++++++++++++-----------------
- 1 file changed, 16 insertions(+), 17 deletions(-)
-
-diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
-index 7d249afa1466..785e19afd6aa 100644
---- a/net/bridge/netfilter/ebtables.c
-+++ b/net/bridge/netfilter/ebtables.c
-@@ -1876,7 +1876,7 @@ static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
- }
-
- static int ebt_buf_add(struct ebt_entries_buf_state *state,
-- void *data, unsigned int sz)
-+ const void *data, unsigned int sz)
- {
- if (state->buf_kern_start == NULL)
- goto count_only;
-@@ -1910,7 +1910,7 @@ enum compat_mwt {
- EBT_COMPAT_TARGET,
- };
-
--static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
-+static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
- enum compat_mwt compat_mwt,
- struct ebt_entries_buf_state *state,
- const unsigned char *base)
-@@ -1988,22 +1988,23 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
- /* return size of all matches, watchers or target, including necessary
- * alignment and padding.
- */
--static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
-+static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
- unsigned int size_left, enum compat_mwt type,
- struct ebt_entries_buf_state *state, const void *base)
- {
-+ const char *buf = (const char *)match32;
- int growth = 0;
-- char *buf;
-
- if (size_left == 0)
- return 0;
-
-- buf = (char *) match32;
--
-- while (size_left >= sizeof(*match32)) {
-+ do {
- struct ebt_entry_match *match_kern;
- int ret;
-
-+ if (size_left < sizeof(*match32))
-+ return -EINVAL;
-+
- match_kern = (struct ebt_entry_match *) state->buf_kern_start;
- if (match_kern) {
- char *tmp;
-@@ -2040,22 +2041,18 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
- if (match_kern)
- match_kern->match_size = ret;
-
-- /* rule should have no remaining data after target */
-- if (type == EBT_COMPAT_TARGET && size_left)
-- return -EINVAL;
--
- match32 = (struct compat_ebt_entry_mwt *) buf;
-- }
-+ } while (size_left);
-
- return growth;
- }
-
- /* called for all ebt_entry structures. */
--static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
-+static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
- unsigned int *total,
- struct ebt_entries_buf_state *state)
- {
-- unsigned int i, j, startoff, new_offset = 0;
-+ unsigned int i, j, startoff, next_expected_off, new_offset = 0;
- /* stores match/watchers/targets & offset of next struct ebt_entry: */
- unsigned int offsets[4];
- unsigned int *offsets_update = NULL;
-@@ -2141,11 +2138,13 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
- return ret;
- }
-
-- startoff = state->buf_user_offset - startoff;
-+ next_expected_off = state->buf_user_offset - startoff;
-+ if (next_expected_off != entry->next_offset)
-+ return -EINVAL;
-
-- if (WARN_ON(*total < startoff))
-+ if (*total < entry->next_offset)
- return -EINVAL;
-- *total -= startoff;
-+ *total -= entry->next_offset;
- return 0;
- }
-
---
-2.20.1
-
+++ /dev/null
-From f738d51fb6738400077ca915069797a9a07505d2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 18 Dec 2019 00:59:29 +0100
-Subject: netfilter: nft_tproxy: Fix port selector on Big Endian
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Phil Sutter <phil@nwl.cc>
-
-[ Upstream commit 8cb4ec44de42b99b92399b4d1daf3dc430ed0186 ]
-
-On Big Endian architectures, u16 port value was extracted from the wrong
-parts of u32 sreg_port, just like commit 10596608c4d62 ("netfilter:
-nf_tables: fix mismatch in big-endian system") describes.
-
-Fixes: 4ed8eb6570a49 ("netfilter: nf_tables: Add native tproxy support")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Acked-by: Florian Westphal <fw@strlen.de>
-Acked-by: MĂ¡tĂ© Eckl <ecklm94@gmail.com>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/netfilter/nft_tproxy.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
-index f92a82c73880..95980154ef02 100644
---- a/net/netfilter/nft_tproxy.c
-+++ b/net/netfilter/nft_tproxy.c
-@@ -50,7 +50,7 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
- taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);
-
- if (priv->sreg_port)
-- tport = regs->data[priv->sreg_port];
-+ tport = nft_reg_load16(®s->data[priv->sreg_port]);
- if (!tport)
- tport = hp->dest;
-
-@@ -117,7 +117,7 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
- taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr);
-
- if (priv->sreg_port)
-- tport = regs->data[priv->sreg_port];
-+ tport = nft_reg_load16(®s->data[priv->sreg_port]);
- if (!tport)
- tport = hp->dest;
-
---
-2.20.1
-
+++ /dev/null
-From 6c1fa6e67d1b484cc511616b3f65255d5bdf49f2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 21 Nov 2019 09:59:37 -0800
-Subject: nvme-fc: fix double-free scenarios on hw queues
-
-From: James Smart <jsmart2021@gmail.com>
-
-[ Upstream commit c869e494ef8b5846d9ba91f1e922c23cd444f0c1 ]
-
-If an error occurs on one of the ios used for creating an
-association, the creating routine has error paths that are
-invoked by the command failure and the error paths will free
-up the controller resources created to that point.
-
-But... the io was ultimately determined by an asynchronous
-completion routine that detected the error and which
-unconditionally invokes the error_recovery path which calls
-delete_association. Delete association deletes all outstanding
-io then tears down the controller resources. So the
-create_association thread can be running in parallel with
-the error_recovery thread. What was seen was the LLDD received
-a call to delete a queue, causing the LLDD to do a free of a
-resource, then the transport called the delete queue again
-causing the driver to repeat the free call. The second free
-routine corrupted the allocator. The transport shouldn't be
-making the duplicate call, and the delete queue is just one
-of the resources being freed.
-
-To fix, it is realized that the create_association path is
-completely serialized with one command at a time. So the
-failed io completion will always be seen by the create_association
-path and as of the failure, there are no ios to terminate and there
-is no reason to be manipulating queue freeze states, etc.
-The serialized condition stays true until the controller is
-transitioned to the LIVE state. Thus the fix is to change the
-error recovery path to check the controller state and only
-invoke the teardown path if not already in the CONNECTING state.
-
-Reviewed-by: Himanshu Madhani <hmadhani@marvell.com>
-Reviewed-by: Ewan D. Milne <emilne@redhat.com>
-Signed-off-by: James Smart <jsmart2021@gmail.com>
-Signed-off-by: Keith Busch <kbusch@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/nvme/host/fc.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
-index d567035571bf..1875f6b8a907 100644
---- a/drivers/nvme/host/fc.c
-+++ b/drivers/nvme/host/fc.c
-@@ -2894,10 +2894,22 @@ nvme_fc_reconnect_or_delete(struct nvme_fc_ctrl *ctrl, int status)
- static void
- __nvme_fc_terminate_io(struct nvme_fc_ctrl *ctrl)
- {
-- nvme_stop_keep_alive(&ctrl->ctrl);
-+ /*
-+ * if state is connecting - the error occurred as part of a
-+ * reconnect attempt. The create_association error paths will
-+ * clean up any outstanding io.
-+ *
-+ * if it's a different state - ensure all pending io is
-+ * terminated. Given this can delay while waiting for the
-+ * aborted io to return, we recheck adapter state below
-+ * before changing state.
-+ */
-+ if (ctrl->ctrl.state != NVME_CTRL_CONNECTING) {
-+ nvme_stop_keep_alive(&ctrl->ctrl);
-
-- /* will block will waiting for io to terminate */
-- nvme_fc_delete_association(ctrl);
-+ /* will block will waiting for io to terminate */
-+ nvme_fc_delete_association(ctrl);
-+ }
-
- if (ctrl->ctrl.state != NVME_CTRL_CONNECTING &&
- !nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING))
---
-2.20.1
-
+++ /dev/null
-From 7ec3a1cfb371f4d7cbd91ad416cc812087b863b1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 14 Nov 2019 15:15:26 -0800
-Subject: nvme_fc: add module to ops template to allow module references
-
-From: James Smart <jsmart2021@gmail.com>
-
-[ Upstream commit 863fbae929c7a5b64e96b8a3ffb34a29eefb9f8f ]
-
-In nvme-fc: it's possible to have connected active controllers
-and as no references are taken on the LLDD, the LLDD can be
-unloaded. The controller would enter a reconnect state and as
-long as the LLDD resumed within the reconnect timeout, the
-controller would resume. But if a namespace on the controller
-is the root device, allowing the driver to unload can be problematic.
-To reload the driver, it may require new io to the boot device,
-and as it's no longer connected we get into a catch-22 that
-eventually fails, and the system locks up.
-
-Fix this issue by taking a module reference for every connected
-controller (which is what the core layer did to the transport
-module). Reference is cleared when the controller is removed.
-
-Acked-by: Himanshu Madhani <hmadhani@marvell.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Signed-off-by: James Smart <jsmart2021@gmail.com>
-Signed-off-by: Keith Busch <kbusch@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/nvme/host/fc.c | 14 ++++++++++++--
- drivers/nvme/target/fcloop.c | 1 +
- drivers/scsi/lpfc/lpfc_nvme.c | 2 ++
- drivers/scsi/qla2xxx/qla_nvme.c | 1 +
- include/linux/nvme-fc-driver.h | 4 ++++
- 5 files changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
-index 565bddcfd130..d567035571bf 100644
---- a/drivers/nvme/host/fc.c
-+++ b/drivers/nvme/host/fc.c
-@@ -342,7 +342,8 @@ nvme_fc_register_localport(struct nvme_fc_port_info *pinfo,
- !template->ls_req || !template->fcp_io ||
- !template->ls_abort || !template->fcp_abort ||
- !template->max_hw_queues || !template->max_sgl_segments ||
-- !template->max_dif_sgl_segments || !template->dma_boundary) {
-+ !template->max_dif_sgl_segments || !template->dma_boundary ||
-+ !template->module) {
- ret = -EINVAL;
- goto out_reghost_failed;
- }
-@@ -1986,6 +1987,7 @@ nvme_fc_ctrl_free(struct kref *ref)
- {
- struct nvme_fc_ctrl *ctrl =
- container_of(ref, struct nvme_fc_ctrl, ref);
-+ struct nvme_fc_lport *lport = ctrl->lport;
- unsigned long flags;
-
- if (ctrl->ctrl.tagset) {
-@@ -2011,6 +2013,7 @@ nvme_fc_ctrl_free(struct kref *ref)
- if (ctrl->ctrl.opts)
- nvmf_free_options(ctrl->ctrl.opts);
- kfree(ctrl);
-+ module_put(lport->ops->module);
- }
-
- static void
-@@ -3040,10 +3043,15 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
- goto out_fail;
- }
-
-+ if (!try_module_get(lport->ops->module)) {
-+ ret = -EUNATCH;
-+ goto out_free_ctrl;
-+ }
-+
- idx = ida_simple_get(&nvme_fc_ctrl_cnt, 0, 0, GFP_KERNEL);
- if (idx < 0) {
- ret = -ENOSPC;
-- goto out_free_ctrl;
-+ goto out_mod_put;
- }
-
- ctrl->ctrl.opts = opts;
-@@ -3185,6 +3193,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
- out_free_ida:
- put_device(ctrl->dev);
- ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum);
-+out_mod_put:
-+ module_put(lport->ops->module);
- out_free_ctrl:
- kfree(ctrl);
- out_fail:
-diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
-index 291f4121f516..f0536d341f2f 100644
---- a/drivers/nvme/target/fcloop.c
-+++ b/drivers/nvme/target/fcloop.c
-@@ -825,6 +825,7 @@ fcloop_targetport_delete(struct nvmet_fc_target_port *targetport)
- #define FCLOOP_DMABOUND_4G 0xFFFFFFFF
-
- static struct nvme_fc_port_template fctemplate = {
-+ .module = THIS_MODULE,
- .localport_delete = fcloop_localport_delete,
- .remoteport_delete = fcloop_remoteport_delete,
- .create_queue = fcloop_create_queue,
-diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c
-index f73726e55e44..6c355d87c709 100644
---- a/drivers/scsi/lpfc/lpfc_nvme.c
-+++ b/drivers/scsi/lpfc/lpfc_nvme.c
-@@ -1903,6 +1903,8 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport,
-
- /* Declare and initialization an instance of the FC NVME template. */
- static struct nvme_fc_port_template lpfc_nvme_template = {
-+ .module = THIS_MODULE,
-+
- /* initiator-based functions */
- .localport_delete = lpfc_nvme_localport_delete,
- .remoteport_delete = lpfc_nvme_remoteport_delete,
-diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
-index 5590d6e8b576..db367e428095 100644
---- a/drivers/scsi/qla2xxx/qla_nvme.c
-+++ b/drivers/scsi/qla2xxx/qla_nvme.c
-@@ -560,6 +560,7 @@ static void qla_nvme_remoteport_delete(struct nvme_fc_remote_port *rport)
- }
-
- static struct nvme_fc_port_template qla_nvme_fc_transport = {
-+ .module = THIS_MODULE,
- .localport_delete = qla_nvme_localport_delete,
- .remoteport_delete = qla_nvme_remoteport_delete,
- .create_queue = qla_nvme_alloc_queue,
-diff --git a/include/linux/nvme-fc-driver.h b/include/linux/nvme-fc-driver.h
-index 496ff759f84c..2f3ae41c212d 100644
---- a/include/linux/nvme-fc-driver.h
-+++ b/include/linux/nvme-fc-driver.h
-@@ -282,6 +282,8 @@ struct nvme_fc_remote_port {
- *
- * Host/Initiator Transport Entrypoints/Parameters:
- *
-+ * @module: The LLDD module using the interface
-+ *
- * @localport_delete: The LLDD initiates deletion of a localport via
- * nvme_fc_deregister_localport(). However, the teardown is
- * asynchronous. This routine is called upon the completion of the
-@@ -395,6 +397,8 @@ struct nvme_fc_remote_port {
- * Value is Mandatory. Allowed to be zero.
- */
- struct nvme_fc_port_template {
-+ struct module *module;
-+
- /* initiator-based functions */
- void (*localport_delete)(struct nvme_fc_local_port *);
- void (*remoteport_delete)(struct nvme_fc_remote_port *);
---
-2.20.1
-
+++ /dev/null
-From 6f80a66835fc2c5200ba315a0718810131896e81 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 14 Nov 2019 01:21:31 +0200
-Subject: PM / devfreq: Don't fail devfreq_dev_release if not in list
-
-From: Leonard Crestez <leonard.crestez@nxp.com>
-
-[ Upstream commit 42a6b25e67df6ee6675e8d1eaf18065bd73328ba ]
-
-Right now devfreq_dev_release will print a warning and abort the rest of
-the cleanup if the devfreq instance is not part of the global
-devfreq_list. But this is a valid scenario, for example it can happen if
-the governor can't be found or on any other init error that happens
-after device_register.
-
-Initialize devfreq->node to an empty list head in devfreq_add_device so
-that list_del becomes a safe noop inside devfreq_dev_release and we can
-continue the rest of the cleanup.
-
-Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
-Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
-Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/devfreq/devfreq.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
-index a47e76a62287..69bbb1e9ab23 100644
---- a/drivers/devfreq/devfreq.c
-+++ b/drivers/devfreq/devfreq.c
-@@ -575,11 +575,6 @@ static void devfreq_dev_release(struct device *dev)
- struct devfreq *devfreq = to_devfreq(dev);
-
- mutex_lock(&devfreq_list_lock);
-- if (IS_ERR(find_device_devfreq(devfreq->dev.parent))) {
-- mutex_unlock(&devfreq_list_lock);
-- dev_warn(&devfreq->dev, "releasing devfreq which doesn't exist\n");
-- return;
-- }
- list_del(&devfreq->node);
- mutex_unlock(&devfreq_list_lock);
-
-@@ -634,6 +629,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
- devfreq->dev.parent = dev;
- devfreq->dev.class = devfreq_class;
- devfreq->dev.release = devfreq_dev_release;
-+ INIT_LIST_HEAD(&devfreq->node);
- devfreq->profile = profile;
- strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN);
- devfreq->previous_freq = profile->initial_freq;
---
-2.20.1
-
+++ /dev/null
-From 8ffe5914b24d3b00bb0487c5efcebd3e2473232c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 31 Oct 2019 23:34:18 +0200
-Subject: PM / devfreq: Fix devfreq_notifier_call returning errno
-
-From: Leonard Crestez <leonard.crestez@nxp.com>
-
-[ Upstream commit e876e710ede23f670494331e062d643928e4142a ]
-
-Notifier callbacks shouldn't return negative errno but one of the
-NOTIFY_OK/DONE/BAD values.
-
-The OPP core will ignore return values from notifiers but returning a
-value that matches NOTIFY_STOP_MASK will stop the notification chain.
-
-Fix by always returning NOTIFY_OK.
-
-Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
-Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
-Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/devfreq/devfreq.c | 24 +++++++++++++-----------
- 1 file changed, 13 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
-index 61fbaa89d7b4..34e297f28fc2 100644
---- a/drivers/devfreq/devfreq.c
-+++ b/drivers/devfreq/devfreq.c
-@@ -538,26 +538,28 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type,
- void *devp)
- {
- struct devfreq *devfreq = container_of(nb, struct devfreq, nb);
-- int ret;
-+ int err = -EINVAL;
-
- mutex_lock(&devfreq->lock);
-
- devfreq->scaling_min_freq = find_available_min_freq(devfreq);
-- if (!devfreq->scaling_min_freq) {
-- mutex_unlock(&devfreq->lock);
-- return -EINVAL;
-- }
-+ if (!devfreq->scaling_min_freq)
-+ goto out;
-
- devfreq->scaling_max_freq = find_available_max_freq(devfreq);
-- if (!devfreq->scaling_max_freq) {
-- mutex_unlock(&devfreq->lock);
-- return -EINVAL;
-- }
-+ if (!devfreq->scaling_max_freq)
-+ goto out;
-+
-+ err = update_devfreq(devfreq);
-
-- ret = update_devfreq(devfreq);
-+out:
- mutex_unlock(&devfreq->lock);
-+ if (err)
-+ dev_err(devfreq->dev.parent,
-+ "failed to update frequency from OPP notifier (%d)\n",
-+ err);
-
-- return ret;
-+ return NOTIFY_OK;
- }
-
- /**
---
-2.20.1
-
+++ /dev/null
-From a871897a0062136aeb26d8a9a25e30fadee152e7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 31 Oct 2019 23:34:19 +0200
-Subject: PM / devfreq: Set scaling_max_freq to max on OPP notifier error
-
-From: Leonard Crestez <leonard.crestez@nxp.com>
-
-[ Upstream commit e7cc792d00049c874010b398a27c3cc7bc8fef34 ]
-
-The devfreq_notifier_call functions will update scaling_min_freq and
-scaling_max_freq when the OPP table is updated.
-
-If fetching the maximum frequency fails then scaling_max_freq remains
-set to zero which is confusing. Set to ULONG_MAX instead so we don't
-need special handling for this case in other places.
-
-Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
-Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
-Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/devfreq/devfreq.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
-index 34e297f28fc2..a47e76a62287 100644
---- a/drivers/devfreq/devfreq.c
-+++ b/drivers/devfreq/devfreq.c
-@@ -547,8 +547,10 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type,
- goto out;
-
- devfreq->scaling_max_freq = find_available_max_freq(devfreq);
-- if (!devfreq->scaling_max_freq)
-+ if (!devfreq->scaling_max_freq) {
-+ devfreq->scaling_max_freq = ULONG_MAX;
- goto out;
-+ }
-
- err = update_devfreq(devfreq);
-
---
-2.20.1
-
+++ /dev/null
-From 6d0519f72a59fefe3d4ad1622acb1a3c2f8116d9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 25 Sep 2019 15:39:12 +0100
-Subject: PM / hibernate: memory_bm_find_bit(): Tighten node optimisation
-
-From: Andy Whitcroft <apw@canonical.com>
-
-[ Upstream commit da6043fe85eb5ec621e34a92540735dcebbea134 ]
-
-When looking for a bit by number we make use of the cached result from the
-preceding lookup to speed up operation. Firstly we check if the requested
-pfn is within the cached zone and if not lookup the new zone. We then
-check if the offset for that pfn falls within the existing cached node.
-This happens regardless of whether the node is within the zone we are
-now scanning. With certain memory layouts it is possible for this to
-false trigger creating a temporary alias for the pfn to a different bit.
-This leads the hibernation code to free memory which it was never allocated
-with the expected fallout.
-
-Ensure the zone we are scanning matches the cached zone before considering
-the cached node.
-
-Deep thanks go to Andrea for many, many, many hours of hacking and testing
-that went into cornering this bug.
-
-Reported-by: Andrea Righi <andrea.righi@canonical.com>
-Tested-by: Andrea Righi <andrea.righi@canonical.com>
-Signed-off-by: Andy Whitcroft <apw@canonical.com>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/power/snapshot.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
-index 3d37c279c090..f2635fc751d9 100644
---- a/kernel/power/snapshot.c
-+++ b/kernel/power/snapshot.c
-@@ -736,8 +736,15 @@ static int memory_bm_find_bit(struct memory_bitmap *bm, unsigned long pfn,
- * We have found the zone. Now walk the radix tree to find the leaf node
- * for our PFN.
- */
-+
-+ /*
-+ * If the zone we wish to scan is the the current zone and the
-+ * pfn falls into the current node then we do not need to walk
-+ * the tree.
-+ */
- node = bm->cur.node;
-- if (((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn)
-+ if (zone == bm->cur.zone &&
-+ ((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn)
- goto node_found;
-
- node = zone->rtree;
---
-2.20.1
-
+++ /dev/null
-From 3ad6ca0039401014fa468ba8f3567862d72a547d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 6 Dec 2019 09:24:26 +0800
-Subject: RDMA/cma: add missed unregister_pernet_subsys in init failure
-
-From: Chuhong Yuan <hslester96@gmail.com>
-
-[ Upstream commit 44a7b6759000ac51b92715579a7bba9e3f9245c2 ]
-
-The driver forgets to call unregister_pernet_subsys() in the error path
-of cma_init().
-Add the missed call to fix it.
-
-Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces")
-Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
-Reviewed-by: Parav Pandit <parav@mellanox.com>
-Link: https://lore.kernel.org/r/20191206012426.12744-1-hslester96@gmail.com
-Signed-off-by: Doug Ledford <dledford@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/infiniband/core/cma.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
-index 1f373ba573b6..319bfef00a4a 100644
---- a/drivers/infiniband/core/cma.c
-+++ b/drivers/infiniband/core/cma.c
-@@ -4658,6 +4658,7 @@ static int __init cma_init(void)
- err:
- unregister_netdevice_notifier(&cma_nb);
- ib_sa_unregister_client(&sa_client);
-+ unregister_pernet_subsys(&cma_pernet_operations);
- err_wq:
- destroy_workqueue(cma_wq);
- return ret;
---
-2.20.1
-
+++ /dev/null
-From b46f7947eae19c0558d0ef05441bcf2e1c6e0288 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 2 Dec 2019 20:03:20 -0600
-Subject: rxe: correctly calculate iCRC for unaligned payloads
-
-From: Steve Wise <larrystevenwise@gmail.com>
-
-[ Upstream commit 2030abddec6884aaf5892f5724c48fc340e6826f ]
-
-If RoCE PDUs being sent or received contain pad bytes, then the iCRC
-is miscalculated, resulting in PDUs being emitted by RXE with an incorrect
-iCRC, as well as ingress PDUs being dropped due to erroneously detecting
-a bad iCRC in the PDU. The fix is to include the pad bytes, if any,
-in iCRC computations.
-
-Note: This bug has caused broken on-the-wire compatibility with actual
-hardware RoCE devices since the soft-RoCE driver was first put into the
-mainstream kernel. Fixing it will create an incompatibility with the
-original soft-RoCE devices, but is necessary to be compatible with real
-hardware devices.
-
-Fixes: 8700e3e7c485 ("Soft RoCE driver")
-Signed-off-by: Steve Wise <larrystevenwise@gmail.com>
-Link: https://lore.kernel.org/r/20191203020319.15036-2-larrystevenwise@gmail.com
-Signed-off-by: Doug Ledford <dledford@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/infiniband/sw/rxe/rxe_recv.c | 2 +-
- drivers/infiniband/sw/rxe/rxe_req.c | 6 ++++++
- drivers/infiniband/sw/rxe/rxe_resp.c | 7 +++++++
- 3 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c
-index d30dbac24583..695a607e2d14 100644
---- a/drivers/infiniband/sw/rxe/rxe_recv.c
-+++ b/drivers/infiniband/sw/rxe/rxe_recv.c
-@@ -391,7 +391,7 @@ void rxe_rcv(struct sk_buff *skb)
-
- calc_icrc = rxe_icrc_hdr(pkt, skb);
- calc_icrc = rxe_crc32(rxe, calc_icrc, (u8 *)payload_addr(pkt),
-- payload_size(pkt));
-+ payload_size(pkt) + bth_pad(pkt));
- calc_icrc = (__force u32)cpu_to_be32(~calc_icrc);
- if (unlikely(calc_icrc != pack_icrc)) {
- if (skb->protocol == htons(ETH_P_IPV6))
-diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c
-index f7dd8de79941..1c1eae0ef8c2 100644
---- a/drivers/infiniband/sw/rxe/rxe_req.c
-+++ b/drivers/infiniband/sw/rxe/rxe_req.c
-@@ -500,6 +500,12 @@ static int fill_packet(struct rxe_qp *qp, struct rxe_send_wqe *wqe,
- if (err)
- return err;
- }
-+ if (bth_pad(pkt)) {
-+ u8 *pad = payload_addr(pkt) + paylen;
-+
-+ memset(pad, 0, bth_pad(pkt));
-+ crc = rxe_crc32(rxe, crc, pad, bth_pad(pkt));
-+ }
- }
- p = payload_addr(pkt) + paylen + bth_pad(pkt);
-
-diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
-index 681d8e0913d0..9078cfd3b8bd 100644
---- a/drivers/infiniband/sw/rxe/rxe_resp.c
-+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
-@@ -737,6 +737,13 @@ static enum resp_states read_reply(struct rxe_qp *qp,
- if (err)
- pr_err("Failed copying memory\n");
-
-+ if (bth_pad(&ack_pkt)) {
-+ struct rxe_dev *rxe = to_rdev(qp->ibqp.device);
-+ u8 *pad = payload_addr(&ack_pkt) + payload;
-+
-+ memset(pad, 0, bth_pad(&ack_pkt));
-+ icrc = rxe_crc32(rxe, icrc, pad, bth_pad(&ack_pkt));
-+ }
- p = payload_addr(&ack_pkt) + payload + bth_pad(&ack_pkt);
- *p = ~icrc;
-
---
-2.20.1
-
+++ /dev/null
-From b339b2c0fa07022042fbafc519a62237405dc279 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Nov 2019 10:26:41 +0100
-Subject: s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits
-
-From: Thomas Richter <tmricht@linux.ibm.com>
-
-[ Upstream commit 39d4a501a9ef55c57b51e3ef07fc2aeed7f30b3b ]
-
-Function perf_event_ever_overflow() and perf_event_account_interrupt()
-are called every time samples are processed by the interrupt handler.
-However function perf_event_account_interrupt() has checks to avoid being
-flooded with interrupts (more then 1000 samples are received per
-task_tick). Samples are then dropped and a PERF_RECORD_THROTTLED is
-added to the perf data. The perf subsystem limit calculation is:
-
- maximum sample frequency := 100000 --> 1 samples per 10 us
- task_tick = 10ms = 10000us --> 1000 samples per task_tick
-
-The work flow is
-
-measurement_alert() uses SDBT head and each SBDT points to 511
- SDB pages, each with 126 sample entries. After processing 8 SBDs
- and for each valid sample calling:
-
- perf_event_overflow()
- perf_event_account_interrupts()
-
-there is a considerable amount of samples being dropped, especially when
-the sample frequency is very high and near the 100000 limit.
-
-To avoid the high amount of samples being dropped near the end of a
-task_tick time frame, increment the sampling interval in case of
-dropped events. The CPU Measurement sampling facility on the s390
-supports only intervals, specifiing how many CPU cycles have to be
-executed before a sample is generated. Increase the interval when the
-samples being generated hit the task_tick limit.
-
-Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
-Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/kernel/perf_cpum_sf.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
-index df92c2af99b6..0b0958530552 100644
---- a/arch/s390/kernel/perf_cpum_sf.c
-+++ b/arch/s390/kernel/perf_cpum_sf.c
-@@ -1260,6 +1260,22 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
- if (sampl_overflow)
- OVERFLOW_REG(hwc) = DIV_ROUND_UP(OVERFLOW_REG(hwc) +
- sampl_overflow, 1 + num_sdb);
-+
-+ /* Perf_event_overflow() and perf_event_account_interrupt() limit
-+ * the interrupt rate to an upper limit. Roughly 1000 samples per
-+ * task tick.
-+ * Hitting this limit results in a large number
-+ * of throttled REF_REPORT_THROTTLE entries and the samples
-+ * are dropped.
-+ * Slightly increase the interval to avoid hitting this limit.
-+ */
-+ if (event_overflow) {
-+ SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10);
-+ debug_sprintf_event(sfdbg, 1, "%s: rate adjustment %ld\n",
-+ __func__,
-+ DIV_ROUND_UP(SAMPL_RATE(hwc), 10));
-+ }
-+
- if (sampl_overflow || event_overflow)
- debug_sprintf_event(sfdbg, 4, "hw_perf_event_update: "
- "overflow stats: sample=%llu event=%llu\n",
---
-2.20.1
-
+++ /dev/null
-From a6cda674635e422b565e2b66b009f9ad6e6c7c5a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 29 Nov 2019 15:24:25 +0100
-Subject: s390/cpum_sf: Avoid SBD overflow condition in irq handler
-
-From: Thomas Richter <tmricht@linux.ibm.com>
-
-[ Upstream commit 0539ad0b22877225095d8adef0c376f52cc23834 ]
-
-The s390 CPU Measurement sampling facility has an overflow condition
-which fires when all entries in a SBD are used.
-The measurement alert interrupt is triggered and reads out all samples
-in this SDB. It then tests the successor SDB, if this SBD is not full,
-the interrupt handler does not read any samples at all from this SDB
-The design waits for the hardware to fill this SBD and then trigger
-another meassurement alert interrupt.
-
-This scheme works nicely until
-an perf_event_overflow() function call discards the sample due to
-a too high sampling rate.
-The interrupt handler has logic to read out a partially filled SDB
-when the perf event overflow condition in linux common code is met.
-This causes the CPUM sampling measurement hardware and the PMU
-device driver to operate on the same SBD's trailer entry.
-This should not happen.
-
-This can be seen here using this trace:
- cpumsf_pmu_add: tear:0xb5286000
- hw_perf_event_update: sdbt 0xb5286000 full 1 over 0 flush_all:0
- hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
- above shows 1. interrupt
- hw_perf_event_update: sdbt 0xb5286008 full 1 over 0 flush_all:0
- hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
- above shows 2. interrupt
- ... this goes on fine until...
- hw_perf_event_update: sdbt 0xb5286068 full 1 over 0 flush_all:0
- perf_push_sample1: overflow
- one or more samples read from the IRQ handler are rejected by
- perf_event_overflow() and the IRQ handler advances to the next SDB
- and modifies the trailer entry of a partially filled SDB.
- hw_perf_event_update: sdbt 0xb5286070 full 0 over 0 flush_all:1
- timestamp: 14:32:52.519953
-
-Next time the IRQ handler is called for this SDB the trailer entry shows
-an overflow count of 19 missed entries.
- hw_perf_event_update: sdbt 0xb5286070 full 1 over 19 flush_all:1
- timestamp: 14:32:52.970058
-
-Remove access to a follow on SDB when event overflow happened.
-
-Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
-Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/kernel/perf_cpum_sf.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
-index 0b0958530552..8ba440ba8462 100644
---- a/arch/s390/kernel/perf_cpum_sf.c
-+++ b/arch/s390/kernel/perf_cpum_sf.c
-@@ -1248,12 +1248,6 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
- */
- if (flush_all && done)
- break;
--
-- /* If an event overflow happened, discard samples by
-- * processing any remaining sample-data-blocks.
-- */
-- if (event_overflow)
-- flush_all = 1;
- }
-
- /* Account sample overflows in the event hardware structure */
---
-2.20.1
-
+++ /dev/null
-From 9ca67aa79fa426d9c2271cdf60a9d880b350a137 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 3 Dec 2019 12:45:09 +0300
-Subject: scsi: iscsi: qla4xxx: fix double free in probe
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-[ Upstream commit fee92f25777789d73e1936b91472e9c4644457c8 ]
-
-On this error path we call qla4xxx_mem_free() and then the caller also
-calls qla4xxx_free_adapter() which calls qla4xxx_mem_free(). It leads to a
-couple double frees:
-
-drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed
-drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed
-
-Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx")
-Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla4xxx/ql4_os.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
-index 25c8ce54a976..f8acf101af3d 100644
---- a/drivers/scsi/qla4xxx/ql4_os.c
-+++ b/drivers/scsi/qla4xxx/ql4_os.c
-@@ -4280,7 +4280,6 @@ static int qla4xxx_mem_alloc(struct scsi_qla_host *ha)
- return QLA_SUCCESS;
-
- mem_alloc_error_exit:
-- qla4xxx_mem_free(ha);
- return QLA_ERROR;
- }
-
---
-2.20.1
-
+++ /dev/null
-From 66e24d40bab935ae8ed1eafb343f01b6193cb040 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 6 Dec 2019 09:11:18 +0800
-Subject: scsi: libsas: stop discovering if oob mode is disconnected
-
-From: Jason Yan <yanaijie@huawei.com>
-
-[ Upstream commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f ]
-
-The discovering of sas port is driven by workqueue in libsas. When libsas
-is processing port events or phy events in workqueue, new events may rise
-up and change the state of some structures such as asd_sas_phy. This may
-cause some problems such as follows:
-
-==>thread 1 ==>thread 2
-
- ==>phy up
- ==>phy_up_v3_hw()
- ==>oob_mode = SATA_OOB_MODE;
- ==>phy down quickly
- ==>hisi_sas_phy_down()
- ==>sas_ha->notify_phy_event()
- ==>sas_phy_disconnected()
- ==>oob_mode = OOB_NOT_CONNECTED
-==>workqueue wakeup
-==>sas_form_port()
- ==>sas_discover_domain()
- ==>sas_get_port_device()
- ==>oob_mode is OOB_NOT_CONNECTED and device
- is wrongly taken as expander
-
-This at last lead to the panic when libsas trying to issue a command to
-discover the device.
-
-[183047.614035] Unable to handle kernel NULL pointer dereference at
-virtual address 0000000000000058
-[183047.622896] Mem abort info:
-[183047.625762] ESR = 0x96000004
-[183047.628893] Exception class = DABT (current EL), IL = 32 bits
-[183047.634888] SET = 0, FnV = 0
-[183047.638015] EA = 0, S1PTW = 0
-[183047.641232] Data abort info:
-[183047.644189] ISV = 0, ISS = 0x00000004
-[183047.648100] CM = 0, WnR = 0
-[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp =
-00000000b7df67be
-[183047.657834] [0000000000000058] pgd=0000000000000000
-[183047.662789] Internal error: Oops: 96000004 [#1] SMP
-[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit =
-0x00000000417c4974)
-[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G
-W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1
-[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10,
-BIOS 0.15 10/22/2019
-[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
-[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO)
-[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
-[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw]
-[183047.717153] sp : ffff00000f28ba60
-[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228
-[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200
-[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0
-[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228
-[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200
-[183047.747464] x19: 0000000000f80800 x18: 0000000000000010
-[183047.752848] x17: 0000000000000000 x16: 0000000000000000
-[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005
-[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20
-[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870
-[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0
-[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f
-[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0
-[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007
-[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000
-[183047.801307] Call trace:
-[183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
-[183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main]
-[183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main]
-[183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main]
-[183047.826757] smp_execute_task_sg+0xec/0x218
-[183047.831013] smp_execute_task+0x74/0xa0
-[183047.834921] sas_discover_expander.part.7+0x9c/0x5f8
-[183047.839959] sas_discover_root_expander+0x90/0x160
-[183047.844822] sas_discover_domain+0x1b8/0x1e8
-[183047.849164] process_one_work+0x1b4/0x3f8
-[183047.853246] worker_thread+0x54/0x470
-[183047.856981] kthread+0x134/0x138
-[183047.860283] ret_from_fork+0x10/0x18
-[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800)
-[183047.870097] kernel fault(0x1) notification starting on CPU 0
-[183047.875828] kernel fault(0x1) notification finished on CPU 0
-[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE)
-hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE)
-[183047.892418] ---[ end trace 4cc26083fc11b783 ]---
-[183047.897107] Kernel panic - not syncing: Fatal exception
-[183047.902403] kernel fault(0x5) notification starting on CPU 0
-[183047.908134] kernel fault(0x5) notification finished on CPU 0
-[183047.913865] SMP: stopping secondary CPUs
-[183047.917861] Kernel Offset: disabled
-[183047.921422] CPU features: 0x2,a2a00a38
-[183047.925243] Memory Limit: none
-[183047.928372] kernel reboot(0x2) notification starting on CPU 0
-[183047.934190] kernel reboot(0x2) notification finished on CPU 0
-[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception
-]---
-
-Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
-Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com
-Reported-by: Gao Chuan <gaochuan4@huawei.com>
-Reviewed-by: John Garry <john.garry@huawei.com>
-Signed-off-by: Jason Yan <yanaijie@huawei.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/libsas/sas_discover.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c
-index 0148ae62a52a..e320534310b1 100644
---- a/drivers/scsi/libsas/sas_discover.c
-+++ b/drivers/scsi/libsas/sas_discover.c
-@@ -97,12 +97,21 @@ static int sas_get_port_device(struct asd_sas_port *port)
- else
- dev->dev_type = SAS_SATA_DEV;
- dev->tproto = SAS_PROTOCOL_SATA;
-- } else {
-+ } else if (port->oob_mode == SAS_OOB_MODE) {
- struct sas_identify_frame *id =
- (struct sas_identify_frame *) dev->frame_rcvd;
- dev->dev_type = id->dev_type;
- dev->iproto = id->initiator_bits;
- dev->tproto = id->target_bits;
-+ } else {
-+ /* If the oob mode is OOB_NOT_CONNECTED, the port is
-+ * disconnected due to race with PHY down. We cannot
-+ * continue to discover this port
-+ */
-+ sas_put_device(dev);
-+ pr_warn("Port %016llx is disconnected when discovering\n",
-+ SAS_ADDR(port->attached_sas_addr));
-+ return -ENODEV;
- }
-
- sas_init_dev(dev);
---
-2.20.1
-
+++ /dev/null
-From 458a20e8845f2b8133f1639b38791086190a1a58 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 7 Dec 2019 03:22:46 +0000
-Subject: scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func
-
-From: Bo Wu <wubo40@huawei.com>
-
-[ Upstream commit 9a1b0b9a6dab452fb0e39fe96880c4faf3878369 ]
-
-When phba->mbox_ext_buf_ctx.seqNum != phba->mbox_ext_buf_ctx.numBuf,
-dd_data should be freed before return SLI_CONFIG_HANDLED.
-
-When lpfc_sli_issue_mbox func return fails, pmboxq should be also freed in
-job_error tag.
-
-Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E7A966@DGGEML525-MBS.china.huawei.com
-Signed-off-by: Bo Wu <wubo40@huawei.com>
-Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
-Reviewed-by: James Smart <james.smart@broadcom.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/lpfc/lpfc_bsg.c | 15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
-index 99aea52e584b..21f104c5eab6 100644
---- a/drivers/scsi/lpfc/lpfc_bsg.c
-+++ b/drivers/scsi/lpfc/lpfc_bsg.c
-@@ -4419,12 +4419,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
- phba->mbox_ext_buf_ctx.seqNum++;
- nemb_tp = phba->mbox_ext_buf_ctx.nembType;
-
-- dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
-- if (!dd_data) {
-- rc = -ENOMEM;
-- goto job_error;
-- }
--
- pbuf = (uint8_t *)dmabuf->virt;
- size = job->request_payload.payload_len;
- sg_copy_to_buffer(job->request_payload.sg_list,
-@@ -4461,6 +4455,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
- "2968 SLI_CONFIG ext-buffer wr all %d "
- "ebuffers received\n",
- phba->mbox_ext_buf_ctx.numBuf);
-+
-+ dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
-+ if (!dd_data) {
-+ rc = -ENOMEM;
-+ goto job_error;
-+ }
-+
- /* mailbox command structure for base driver */
- pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
- if (!pmboxq) {
-@@ -4509,6 +4510,8 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
- return SLI_CONFIG_HANDLED;
-
- job_error:
-+ if (pmboxq)
-+ mempool_free(pmboxq, phba->mbox_mem_pool);
- lpfc_bsg_dma_page_free(phba, dmabuf);
- kfree(dd_data);
-
---
-2.20.1
-
+++ /dev/null
-From 4493eada791790bd1bf69dfcc3475727f9b03a17 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 25 Nov 2019 19:56:58 +0300
-Subject: scsi: qla2xxx: Configure local loop for N2N target
-
-From: Roman Bolshakov <r.bolshakov@yadro.com>
-
-[ Upstream commit fd1de5830a5abaf444cc4312871e02c41e24fdc1 ]
-
-qla2x00_configure_local_loop initializes PLOGI payload for PLOGI ELS using
-Get Parameters mailbox command.
-
-In the case when the driver is running in target mode, the topology is N2N
-and the target port has higher WWPN, LOCAL_LOOP_UPDATE bit is cleared too
-early and PLOGI payload is not initialized by the Get Parameters
-command. That causes a failure of ELS IOCB carrying the PLOGI with 0x15 aka
-Data Underrun error.
-
-LOCAL_LOOP_UPDATE has to be set to initialize PLOGI payload.
-
-Fixes: 48acad099074 ("scsi: qla2xxx: Fix N2N link re-connect")
-Link: https://lore.kernel.org/r/20191125165702.1013-10-r.bolshakov@yadro.com
-Acked-by: Quinn Tran <qutran@marvell.com>
-Acked-by: Himanshu Madhani <hmadhani@marvell.com>
-Reviewed-by: Hannes Reinecke <hare@suse.de>
-Tested-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_init.c | 10 ++--------
- 1 file changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index 4512aaa16f78..851f75b12216 100644
---- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -4815,14 +4815,8 @@ qla2x00_configure_loop(scsi_qla_host_t *vha)
- set_bit(RSCN_UPDATE, &flags);
- clear_bit(LOCAL_LOOP_UPDATE, &flags);
-
-- } else if (ha->current_topology == ISP_CFG_N) {
-- clear_bit(RSCN_UPDATE, &flags);
-- if (qla_tgt_mode_enabled(vha)) {
-- /* allow the other side to start the login */
-- clear_bit(LOCAL_LOOP_UPDATE, &flags);
-- set_bit(RELOGIN_NEEDED, &vha->dpc_flags);
-- }
-- } else if (ha->current_topology == ISP_CFG_NL) {
-+ } else if (ha->current_topology == ISP_CFG_NL ||
-+ ha->current_topology == ISP_CFG_N) {
- clear_bit(RSCN_UPDATE, &flags);
- set_bit(LOCAL_LOOP_UPDATE, &flags);
- } else if (!vha->flags.online ||
---
-2.20.1
-
+++ /dev/null
-From 87fb7ca5840313c0ec2897d4987182798692d41a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 25 Nov 2019 19:56:56 +0300
-Subject: scsi: qla2xxx: Don't call qlt_async_event twice
-
-From: Roman Bolshakov <r.bolshakov@yadro.com>
-
-[ Upstream commit 2c2f4bed9b6299e6430a65a29b5d27b8763fdf25 ]
-
-MBA_PORT_UPDATE generates duplicate log lines in target mode because
-qlt_async_event is called twice. Drop the calls within the case as the
-function will be called right after the switch statement.
-
-Cc: Quinn Tran <qutran@marvell.com>
-Link: https://lore.kernel.org/r/20191125165702.1013-8-r.bolshakov@yadro.com
-Acked-by: Himanshu Madhani <hmadhani@marvel.com>
-Reviewed-by: Hannes Reinecke <hare@suse.de>
-Tested-by: Hannes Reinecke <hare@suse.de>
-Acked-by: Himanshu Madhani <hmadhani@marvell.com>
-Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_isr.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
-index afe15b3e45fb..e6d162945f5d 100644
---- a/drivers/scsi/qla2xxx/qla_isr.c
-+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -1049,8 +1049,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
- ql_dbg(ql_dbg_async, vha, 0x5011,
- "Asynchronous PORT UPDATE ignored %04x/%04x/%04x.\n",
- mb[1], mb[2], mb[3]);
--
-- qlt_async_event(mb[0], vha, mb);
- break;
- }
-
-@@ -1067,8 +1065,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
- set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
- set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags);
- set_bit(VP_CONFIG_OK, &vha->vp_flags);
--
-- qlt_async_event(mb[0], vha, mb);
- break;
-
- case MBA_RSCN_UPDATE: /* State Change Registration */
---
-2.20.1
-
+++ /dev/null
-From b2d3d43c8b877fe24434f0a418a2f4d2382d12f9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 25 Nov 2019 19:56:53 +0300
-Subject: scsi: qla2xxx: Drop superfluous INIT_WORK of del_work
-
-From: Roman Bolshakov <r.bolshakov@yadro.com>
-
-[ Upstream commit 600954e6f2df695434887dfc6a99a098859990cf ]
-
-del_work is already initialized inside qla2x00_alloc_fcport, there's no
-need to overwrite it. Indeed, it might prevent complete traversal of
-workqueue list.
-
-Fixes: a01c77d2cbc45 ("scsi: qla2xxx: Move session delete to driver work queue")
-Cc: Quinn Tran <qutran@marvell.com>
-Link: https://lore.kernel.org/r/20191125165702.1013-5-r.bolshakov@yadro.com
-Acked-by: Himanshu Madhani <hmadhani@marvell.com>
-Reviewed-by: Hannes Reinecke <hare@suse.de>
-Tested-by: Hannes Reinecke <hare@suse.de>
-Reviewed-by: Bart Van Assche <bvanassche@acm.org>
-Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_target.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
-index 210ce294038d..8eda55e917e0 100644
---- a/drivers/scsi/qla2xxx/qla_target.c
-+++ b/drivers/scsi/qla2xxx/qla_target.c
-@@ -1261,7 +1261,6 @@ void qlt_schedule_sess_for_deletion(struct fc_port *sess)
- "Scheduling sess %p for deletion %8phC\n",
- sess, sess->port_name);
-
-- INIT_WORK(&sess->del_work, qla24xx_delete_sess_fn);
- WARN_ON(!queue_work(sess->vha->hw->wq, &sess->del_work));
- }
-
---
-2.20.1
-
+++ /dev/null
-From 1a7e8fb20059096214607310386f6ec6abb48781 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 25 Nov 2019 19:56:57 +0300
-Subject: scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length
-
-From: Roman Bolshakov <r.bolshakov@yadro.com>
-
-[ Upstream commit 0334cdea1fba36fad8bdf9516f267ce01de625f7 ]
-
-The size of the buffer is hardcoded as 0x70 or 112 bytes, while the size of
-ELS IOCB is 0x40 and the size of PLOGI payload returned by Get Parameters
-command is 0x74.
-
-Cc: Quinn Tran <qutran@marvell.com>
-Link: https://lore.kernel.org/r/20191125165702.1013-9-r.bolshakov@yadro.com
-Acked-by: Himanshu Madhani <hmadhani@marvell.com>
-Reviewed-by: Hannes Reinecke <hare@suse.de>
-Tested-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_iocb.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
-index c699bbb8485b..7e47321e003c 100644
---- a/drivers/scsi/qla2xxx/qla_iocb.c
-+++ b/drivers/scsi/qla2xxx/qla_iocb.c
-@@ -2537,7 +2537,8 @@ qla24xx_els_logo_iocb(srb_t *sp, struct els_entry_24xx *els_iocb)
- ql_dbg(ql_dbg_io + ql_dbg_buffer, vha, 0x3073,
- "PLOGI ELS IOCB:\n");
- ql_dump_buffer(ql_log_info, vha, 0x0109,
-- (uint8_t *)els_iocb, 0x70);
-+ (uint8_t *)els_iocb,
-+ sizeof(*els_iocb));
- } else {
- els_iocb->tx_byte_count = sizeof(struct els_logo_payload);
- els_iocb->tx_address[0] =
-@@ -2703,7 +2704,8 @@ qla24xx_els_dcmd2_iocb(scsi_qla_host_t *vha, int els_opcode,
-
- ql_dbg(ql_dbg_disc + ql_dbg_buffer, vha, 0x3073, "PLOGI buffer:\n");
- ql_dump_buffer(ql_dbg_disc + ql_dbg_buffer, vha, 0x0109,
-- (uint8_t *)elsio->u.els_plogi.els_plogi_pyld, 0x70);
-+ (uint8_t *)elsio->u.els_plogi.els_plogi_pyld,
-+ sizeof(*elsio->u.els_plogi.els_plogi_pyld));
-
- rval = qla2x00_start_sp(sp);
- if (rval != QLA_SUCCESS) {
---
-2.20.1
-
+++ /dev/null
-From 18a23fde804af1606eea478173b5fb17c8e4fc28 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 25 Nov 2019 19:57:01 +0300
-Subject: scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI
-
-From: Roman Bolshakov <r.bolshakov@yadro.com>
-
-[ Upstream commit af22f0c7b052c5c203207f1e5ebd6aa65f87c538 ]
-
-PORT UPDATE asynchronous event is generated on the host that issues PLOGI
-ELS (in the case of higher WWPN). In that case, the event shouldn't be
-handled as it sets unwanted DPC flags (i.e. LOOP_RESYNC_NEEDED) that
-trigger link flap.
-
-Ignore the event if the host has higher WWPN, but handle otherwise.
-
-Cc: Quinn Tran <qutran@marvell.com>
-Link: https://lore.kernel.org/r/20191125165702.1013-13-r.bolshakov@yadro.com
-Acked-by: Himanshu Madhani <hmadhani@marvell.com>
-Reviewed-by: Hannes Reinecke <hare@suse.de>
-Tested-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_mbx.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
-index b01f69dd4b28..abef3b29fa10 100644
---- a/drivers/scsi/qla2xxx/qla_mbx.c
-+++ b/drivers/scsi/qla2xxx/qla_mbx.c
-@@ -3871,6 +3871,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
- vha->d_id.b24 = 0;
- vha->d_id.b.al_pa = 1;
- ha->flags.n2n_bigger = 1;
-+ ha->flags.n2n_ae = 0;
-
- id.b.al_pa = 2;
- ql_dbg(ql_dbg_async, vha, 0x5075,
-@@ -3881,6 +3882,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
- "Format 1: Remote login - Waiting for WWPN %8phC.\n",
- rptid_entry->u.f1.port_name);
- ha->flags.n2n_bigger = 0;
-+ ha->flags.n2n_ae = 1;
- }
- qla24xx_post_newsess_work(vha, &id,
- rptid_entry->u.f1.port_name,
-@@ -3892,7 +3894,6 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
- /* if our portname is higher then initiate N2N login */
-
- set_bit(N2N_LOGIN_NEEDED, &vha->dpc_flags);
-- ha->flags.n2n_ae = 1;
- return;
- break;
- case TOPO_FL:
---
-2.20.1
-
+++ /dev/null
-From daf9f542d6d74dbd6af2ee240617f2115da772bb Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 25 Nov 2019 19:56:59 +0300
-Subject: scsi: qla2xxx: Send Notify ACK after N2N PLOGI
-
-From: Roman Bolshakov <r.bolshakov@yadro.com>
-
-[ Upstream commit 5e6b01d84b9d20bcd77fc7c4733a2a4149bf220a ]
-
-qlt_handle_login schedules session for deletion even if a login is in
-progress. That causes login bouncing, i.e. a few logins are made before it
-settles down.
-
-Complete the first login by sending Notify Acknowledge IOCB via
-qlt_plogi_ack_unref if the session is pending login completion.
-
-Fixes: 9cd883f07a54 ("scsi: qla2xxx: Fix session cleanup for N2N")
-Cc: Krishna Kant <krishna.kant@purestorage.com>
-Cc: Alexei Potashnik <alexei@purestorage.com>
-Link: https://lore.kernel.org/r/20191125165702.1013-11-r.bolshakov@yadro.com
-Acked-by: Quinn Tran <qutran@marvell.com>
-Acked-by: Himanshu Madhani <hmadhani@marvell.com>
-Reviewed-by: Hannes Reinecke <hare@suse.de>
-Tested-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_target.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
-index 8eda55e917e0..e9545411ec5a 100644
---- a/drivers/scsi/qla2xxx/qla_target.c
-+++ b/drivers/scsi/qla2xxx/qla_target.c
-@@ -4779,6 +4779,7 @@ static int qlt_handle_login(struct scsi_qla_host *vha,
-
- switch (sess->disc_state) {
- case DSC_DELETED:
-+ case DSC_LOGIN_PEND:
- qlt_plogi_ack_unref(vha, pla);
- break;
-
---
-2.20.1
-
+++ /dev/null
-nvme_fc-add-module-to-ops-template-to-allow-module-r.patch
-nvme-fc-fix-double-free-scenarios-on-hw-queues.patch
-drm-amdgpu-add-check-before-enabling-disabling-broad.patch
-drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch
-drm-amd-display-fixed-kernel-panic-when-booting-with.patch
-iio-adc-max9611-fix-too-short-conversion-time-delay.patch
-pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch
-pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch
-pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch
-afs-fix-afs_find_server-lookups-for-ipv4-peers.patch
-afs-fix-selinux-setting-security-label-on-afs.patch
-rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch
-rxe-correctly-calculate-icrc-for-unaligned-payloads.patch
-scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch
-scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch
-scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch
-scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch
-scsi-qla2xxx-configure-local-loop-for-n2n-target.patch
-scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch
-scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch
-scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
-scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch
-drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch
-usb-gadget-fix-wrong-endpoint-desc.patch
-net-make-socket-read-write_iter-honor-iocb_nowait.patch
-afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch
-md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch
-s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch
-s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch
-ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch
-ib-mlx5-fix-steering-rule-of-drop-and-count.patch
-xen-blkback-prevent-premature-module-unload.patch
-xen-balloon-fix-ballooned-page-accounting-without-ho.patch
-pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch
-alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch
-alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch
-alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch
-inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
-net-add-a-read_once-in-skb_peek_tail.patch
-net-icmp-fix-data-race-in-cmp_global_allow.patch
-xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch
-taskstats-fix-data-race.patch
-drm-limit-to-int_max-in-create_blob-ioctl.patch
-netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch
-6pack-mkiss-fix-possible-deadlock.patch
-alsa-hda-downgrade-error-message-for-single-cmd-fall.patch
-netfilter-ebtables-compat-reject-all-padding-in-matc.patch
-netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch
+++ /dev/null
-From 5a25101e0b360c469a07facba60fa90aac9a0dec Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 9 Oct 2019 13:48:09 +0200
-Subject: taskstats: fix data-race
-
-From: Christian Brauner <christian.brauner@ubuntu.com>
-
-[ Upstream commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 ]
-
-When assiging and testing taskstats in taskstats_exit() there's a race
-when setting up and reading sig->stats when a thread-group with more
-than one thread exits:
-
-write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0:
- taskstats_tgid_alloc kernel/taskstats.c:567 [inline]
- taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596
- do_exit+0x2c2/0x18e0 kernel/exit.c:864
- do_group_exit+0xb4/0x1c0 kernel/exit.c:983
- get_signal+0x2a2/0x1320 kernel/signal.c:2734
- do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815
- exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159
- prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
- syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
- do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1:
- taskstats_tgid_alloc kernel/taskstats.c:559 [inline]
- taskstats_exit+0xb2/0x717 kernel/taskstats.c:596
- do_exit+0x2c2/0x18e0 kernel/exit.c:864
- do_group_exit+0xb4/0x1c0 kernel/exit.c:983
- __do_sys_exit_group kernel/exit.c:994 [inline]
- __se_sys_exit_group kernel/exit.c:992 [inline]
- __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992
- do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fix this by using smp_load_acquire() and smp_store_release().
-
-Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com
-Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation")
-Cc: stable@vger.kernel.org
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-Acked-by: Marco Elver <elver@google.com>
-Reviewed-by: Will Deacon <will@kernel.org>
-Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
-Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
-Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/taskstats.c | 30 +++++++++++++++++++-----------
- 1 file changed, 19 insertions(+), 11 deletions(-)
-
-diff --git a/kernel/taskstats.c b/kernel/taskstats.c
-index 4e62a4a8fa91..82393952683c 100644
---- a/kernel/taskstats.c
-+++ b/kernel/taskstats.c
-@@ -564,25 +564,33 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
- static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
- {
- struct signal_struct *sig = tsk->signal;
-- struct taskstats *stats;
-+ struct taskstats *stats_new, *stats;
-
-- if (sig->stats || thread_group_empty(tsk))
-- goto ret;
-+ /* Pairs with smp_store_release() below. */
-+ stats = smp_load_acquire(&sig->stats);
-+ if (stats || thread_group_empty(tsk))
-+ return stats;
-
- /* No problem if kmem_cache_zalloc() fails */
-- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
-+ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
-
- spin_lock_irq(&tsk->sighand->siglock);
-- if (!sig->stats) {
-- sig->stats = stats;
-- stats = NULL;
-+ stats = sig->stats;
-+ if (!stats) {
-+ /*
-+ * Pairs with smp_store_release() above and order the
-+ * kmem_cache_zalloc().
-+ */
-+ smp_store_release(&sig->stats, stats_new);
-+ stats = stats_new;
-+ stats_new = NULL;
- }
- spin_unlock_irq(&tsk->sighand->siglock);
-
-- if (stats)
-- kmem_cache_free(taskstats_cache, stats);
--ret:
-- return sig->stats;
-+ if (stats_new)
-+ kmem_cache_free(taskstats_cache, stats_new);
-+
-+ return stats;
- }
-
- /* Send pid data out on exit */
---
-2.20.1
-
+++ /dev/null
-From 4c75cfc4a1bc1dfb058f914c75d6a97d9404446f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 3 Dec 2019 23:34:56 -0800
-Subject: usb: gadget: fix wrong endpoint desc
-
-From: EJ Hsu <ejh@nvidia.com>
-
-[ Upstream commit e5b5da96da50ef30abb39cb9f694e99366404d24 ]
-
-Gadget driver should always use config_ep_by_speed() to initialize
-usb_ep struct according to usb device's operating speed. Otherwise,
-usb_ep struct may be wrong if usb devcie's operating speed is changed.
-
-The key point in this patch is that we want to make sure the desc pointer
-in usb_ep struct will be set to NULL when gadget is disconnected.
-This will force it to call config_ep_by_speed() to correctly initialize
-usb_ep struct based on the new operating speed when gadget is
-re-connected later.
-
-Reviewed-by: Peter Chen <peter.chen@nxp.com>
-Signed-off-by: EJ Hsu <ejh@nvidia.com>
-Signed-off-by: Felipe Balbi <balbi@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/function/f_ecm.c | 6 +++++-
- drivers/usb/gadget/function/f_rndis.c | 1 +
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c
-index 6ce044008cf6..460d5d7c984f 100644
---- a/drivers/usb/gadget/function/f_ecm.c
-+++ b/drivers/usb/gadget/function/f_ecm.c
-@@ -621,8 +621,12 @@ static void ecm_disable(struct usb_function *f)
-
- DBG(cdev, "ecm deactivated\n");
-
-- if (ecm->port.in_ep->enabled)
-+ if (ecm->port.in_ep->enabled) {
- gether_disconnect(&ecm->port);
-+ } else {
-+ ecm->port.in_ep->desc = NULL;
-+ ecm->port.out_ep->desc = NULL;
-+ }
-
- usb_ep_disable(ecm->notify);
- ecm->notify->desc = NULL;
-diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c
-index d48df36622b7..0d8e4a364ca6 100644
---- a/drivers/usb/gadget/function/f_rndis.c
-+++ b/drivers/usb/gadget/function/f_rndis.c
-@@ -618,6 +618,7 @@ static void rndis_disable(struct usb_function *f)
- gether_disconnect(&rndis->port);
-
- usb_ep_disable(rndis->notify);
-+ rndis->notify->desc = NULL;
- }
-
- /*-------------------------------------------------------------------------*/
---
-2.20.1
-
+++ /dev/null
-From b439f9322bd8681d4079936e2e2c1ebed5c8923e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 12 Dec 2019 15:17:50 +0100
-Subject: xen/balloon: fix ballooned page accounting without hotplug enabled
-
-From: Juergen Gross <jgross@suse.com>
-
-[ Upstream commit c673ec61ade89bf2f417960f986bc25671762efb ]
-
-When CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not defined
-reserve_additional_memory() will set balloon_stats.target_pages to a
-wrong value in case there are still some ballooned pages allocated via
-alloc_xenballooned_pages().
-
-This will result in balloon_process() no longer be triggered when
-ballooned pages are freed in batches.
-
-Reported-by: Nicholas Tsirakis <niko.tsirakis@gmail.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/xen/balloon.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
-index 747a15acbce3..6fa7209f24f4 100644
---- a/drivers/xen/balloon.c
-+++ b/drivers/xen/balloon.c
-@@ -395,7 +395,8 @@ static struct notifier_block xen_memory_nb = {
- #else
- static enum bp_state reserve_additional_memory(void)
- {
-- balloon_stats.target_pages = balloon_stats.current_pages;
-+ balloon_stats.target_pages = balloon_stats.current_pages +
-+ balloon_stats.target_unpopulated;
- return BP_ECANCELED;
- }
- #endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */
---
-2.20.1
-
+++ /dev/null
-From f9f424f25ba8de9aabb772273ced24015ef39c2e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 10 Dec 2019 14:53:05 +0000
-Subject: xen-blkback: prevent premature module unload
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Paul Durrant <pdurrant@amazon.com>
-
-[ Upstream commit fa2ac657f9783f0891b2935490afe9a7fd29d3fa ]
-
-Objects allocated by xen_blkif_alloc come from the 'blkif_cache' kmem
-cache. This cache is destoyed when xen-blkif is unloaded so it is
-necessary to wait for the deferred free routine used for such objects to
-complete. This necessity was missed in commit 14855954f636 "xen-blkback:
-allow module to be cleanly unloaded". This patch fixes the problem by
-taking/releasing extra module references in xen_blkif_alloc/free()
-respectively.
-
-Signed-off-by: Paul Durrant <pdurrant@amazon.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/block/xen-blkback/xenbus.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
-index 55869b362fdf..25c41ce070a7 100644
---- a/drivers/block/xen-blkback/xenbus.c
-+++ b/drivers/block/xen-blkback/xenbus.c
-@@ -179,6 +179,15 @@ static struct xen_blkif *xen_blkif_alloc(domid_t domid)
- blkif->domid = domid;
- atomic_set(&blkif->refcnt, 1);
- init_completion(&blkif->drain_complete);
-+
-+ /*
-+ * Because freeing back to the cache may be deferred, it is not
-+ * safe to unload the module (and hence destroy the cache) until
-+ * this has completed. To prevent premature unloading, take an
-+ * extra module reference here and release only when the object
-+ * has been freed back to the cache.
-+ */
-+ __module_get(THIS_MODULE);
- INIT_WORK(&blkif->free_work, xen_blkif_deferred_free);
-
- return blkif;
-@@ -328,6 +337,7 @@ static void xen_blkif_free(struct xen_blkif *blkif)
-
- /* Make sure everything is drained before shutting down */
- kmem_cache_free(xen_blkif_cachep, blkif);
-+ module_put(THIS_MODULE);
- }
-
- int __init xen_blkif_interface_init(void)
---
-2.20.1
-
+++ /dev/null
-From 4664a6153e89ee57eb6c206cb7ee116315791d90 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 3 Dec 2019 07:53:15 -0800
-Subject: xfs: fix mount failure crash on invalid iclog memory access
-
-From: Brian Foster <bfoster@redhat.com>
-
-[ Upstream commit 798a9cada4694ca8d970259f216cec47e675bfd5 ]
-
-syzbot (via KASAN) reports a use-after-free in the error path of
-xlog_alloc_log(). Specifically, the iclog freeing loop doesn't
-handle the case of a fully initialized ->l_iclog linked list.
-Instead, it assumes that the list is partially constructed and NULL
-terminated.
-
-This bug manifested because there was no possible error scenario
-after iclog list setup when the original code was added. Subsequent
-code and associated error conditions were added some time later,
-while the original error handling code was never updated. Fix up the
-error loop to terminate either on a NULL iclog or reaching the end
-of the list.
-
-Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
-Signed-off-by: Brian Foster <bfoster@redhat.com>
-Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
-Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/xfs/xfs_log.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
-index c3b610b687d1..7bba551cbf90 100644
---- a/fs/xfs/xfs_log.c
-+++ b/fs/xfs/xfs_log.c
-@@ -1578,6 +1578,8 @@ xlog_alloc_log(
- if (iclog->ic_bp)
- xfs_buf_free(iclog->ic_bp);
- kmem_free(iclog);
-+ if (prev_iclog == log->l_iclog)
-+ break;
- }
- spinlock_destroy(&log->l_icloglock);
- xfs_buf_free(log->l_xbuf);
---
-2.20.1
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
