--- /dev/null
+From c1d3ad84eae35414b6b334790048406bd6301b12 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Wed, 28 Aug 2019 16:11:10 -0500
+Subject: cfg80211: Purge frame registrations on iftype change
+
+From: Denis Kenzior <denkenz@gmail.com>
+
+commit c1d3ad84eae35414b6b334790048406bd6301b12 upstream.
+
+Currently frame registrations are not purged, even when changing the
+interface type. This can lead to potentially weird situations where
+frames possibly not allowed on a given interface type remain registered
+due to the type switching happening after registration.
+
+The kernel currently relies on userspace apps to actually purge the
+registrations themselves, this is not something that the kernel should
+rely on.
+
+Add a call to cfg80211_mlme_purge_registrations() to forcefully remove
+any registrations left over prior to switching the iftype.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Kenzior <denkenz@gmail.com>
+Link: https://lore.kernel.org/r/20190828211110.15005-1-denkenz@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -974,6 +974,7 @@ int cfg80211_change_iface(struct cfg8021
+ }
+
+ cfg80211_process_rdev_events(rdev);
++ cfg80211_mlme_purge_registrations(dev->ieee80211_ptr);
+ }
+
+ err = rdev_change_virtual_intf(rdev, dev, ntype, flags, params);
--- /dev/null
+From a016e2794fc3a245a91946038dd8f34d65e53cc3 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Thu, 26 Sep 2019 12:31:20 -0700
+Subject: CIFS: Fix oplock handling for SMB 2.1+ protocols
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit a016e2794fc3a245a91946038dd8f34d65e53cc3 upstream.
+
+There may be situations when a server negotiates SMB 2.1
+protocol version or higher but responds to a CREATE request
+with an oplock rather than a lease.
+
+Currently the client doesn't handle such a case correctly:
+when another CREATE comes in the server sends an oplock
+break to the initial CREATE and the client doesn't send
+an ack back due to a wrong caching level being set (READ
+instead of RWH). Missing an oplock break ack makes the
+server wait until the break times out which dramatically
+increases the latency of the second CREATE.
+
+Fix this by properly detecting oplocks when using SMB 2.1
+protocol version and higher.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1335,6 +1335,11 @@ smb21_set_oplock_level(struct cifsInodeI
+ if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE)
+ return;
+
++ /* Check if the server granted an oplock rather than a lease */
++ if (oplock & SMB2_OPLOCK_LEVEL_EXCLUSIVE)
++ return smb2_set_oplock_level(cinode, oplock, epoch,
++ purge_cache);
++
+ if (oplock & SMB2_LEASE_READ_CACHING_HE) {
+ new_oplock |= CIFS_CACHE_READ_FLG;
+ strcat(message, "R");
--- /dev/null
+From 8619e5bdeee8b2c685d686281f2d2a6017c4bc15 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 26 Aug 2019 22:13:25 +0900
+Subject: /dev/mem: Bail out upon SIGKILL.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 8619e5bdeee8b2c685d686281f2d2a6017c4bc15 upstream.
+
+syzbot found that a thread can stall for minutes inside read_mem() or
+write_mem() after that thread was killed by SIGKILL [1]. Reading from
+iomem areas of /dev/mem can be slow, depending on the hardware.
+While reading 2GB at one read() is legal, delaying termination of killed
+thread for minutes is bad. Thus, allow reading/writing /dev/mem and
+/dev/kmem to be preemptible and killable.
+
+ [ 1335.912419][T20577] read_mem: sz=4096 count=2134565632
+ [ 1335.943194][T20577] read_mem: sz=4096 count=2134561536
+ [ 1335.978280][T20577] read_mem: sz=4096 count=2134557440
+ [ 1336.011147][T20577] read_mem: sz=4096 count=2134553344
+ [ 1336.041897][T20577] read_mem: sz=4096 count=2134549248
+
+Theoretically, reading/writing /dev/mem and /dev/kmem can become
+"interruptible". But this patch chose "killable". Future patch will make
+them "interruptible" so that we can revert to "killable" if some program
+regressed.
+
+[1] https://syzkaller.appspot.com/bug?id=a0e3436829698d5824231251fad9d8e998f94f5e
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot <syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com>
+Link: https://lore.kernel.org/r/1566825205-10703-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/mem.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -95,6 +95,13 @@ void __weak unxlate_dev_mem_ptr(phys_add
+ }
+ #endif
+
++static inline bool should_stop_iteration(void)
++{
++ if (need_resched())
++ cond_resched();
++ return fatal_signal_pending(current);
++}
++
+ /*
+ * This funcion reads the *physical* memory. The f_pos points directly to the
+ * memory location.
+@@ -161,6 +168,8 @@ static ssize_t read_mem(struct file *fil
+ p += sz;
+ count -= sz;
+ read += sz;
++ if (should_stop_iteration())
++ break;
+ }
+
+ *ppos += read;
+@@ -232,6 +241,8 @@ static ssize_t write_mem(struct file *fi
+ p += sz;
+ count -= sz;
+ written += sz;
++ if (should_stop_iteration())
++ break;
+ }
+
+ *ppos += written;
+@@ -443,6 +454,10 @@ static ssize_t read_kmem(struct file *fi
+ read += sz;
+ low_count -= sz;
+ count -= sz;
++ if (should_stop_iteration()) {
++ count = 0;
++ break;
++ }
+ }
+ }
+
+@@ -467,6 +482,8 @@ static ssize_t read_kmem(struct file *fi
+ buf += sz;
+ read += sz;
+ p += sz;
++ if (should_stop_iteration())
++ break;
+ }
+ free_page((unsigned long)kbuf);
+ }
+@@ -517,6 +534,8 @@ static ssize_t do_write_kmem(unsigned lo
+ p += sz;
+ count -= sz;
+ written += sz;
++ if (should_stop_iteration())
++ break;
+ }
+
+ *ppos += written;
+@@ -568,6 +587,8 @@ static ssize_t write_kmem(struct file *f
+ buf += sz;
+ virtr += sz;
+ p += sz;
++ if (should_stop_iteration())
++ break;
+ }
+ free_page((unsigned long)kbuf);
+ }
--- /dev/null
+From c1e8220bd316d8ae8e524df39534b8a412a45d5e Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 23 Aug 2019 22:38:00 -0400
+Subject: ext4: fix punch hole for inline_data file systems
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit c1e8220bd316d8ae8e524df39534b8a412a45d5e upstream.
+
+If a program attempts to punch a hole on an inline data file, we need
+to convert it to a normal file first.
+
+This was detected using ext4/032 using the adv configuration. Simple
+reproducer:
+
+mke2fs -Fq -t ext4 -O inline_data /dev/vdc
+mount /vdc
+echo "" > /vdc/testfile
+xfs_io -c 'truncate 33554432' /vdc/testfile
+xfs_io -c 'fpunch 0 1048576' /vdc/testfile
+umount /vdc
+e2fsck -fy /dev/vdc
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3705,6 +3705,15 @@ int ext4_punch_hole(struct inode *inode,
+
+ trace_ext4_punch_hole(inode, offset, length, 0);
+
++ ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
++ if (ext4_has_inline_data(inode)) {
++ down_write(&EXT4_I(inode)->i_mmap_sem);
++ ret = ext4_convert_inline_data(inode);
++ up_write(&EXT4_I(inode)->i_mmap_sem);
++ if (ret)
++ return ret;
++ }
++
+ /*
+ * Write out all dirty pages to avoid race conditions
+ * Then release them.
--- /dev/null
+From 78887832e76541f77169a24ac238fccb51059b63 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Tue, 17 Sep 2019 11:54:50 +0200
+Subject: hwrng: core - don't wait on add_early_randomness()
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+commit 78887832e76541f77169a24ac238fccb51059b63 upstream.
+
+add_early_randomness() is called by hwrng_register() when the
+hardware is added. If this hardware and its module are present
+at boot, and if there is no data available the boot hangs until
+data are available and can't be interrupted.
+
+For instance, in the case of virtio-rng, in some cases the host can be
+not able to provide enough entropy for all the guests.
+
+We can have two easy ways to reproduce the problem but they rely on
+misconfiguration of the hypervisor or the egd daemon:
+
+- if virtio-rng device is configured to connect to the egd daemon of the
+host but when the virtio-rng driver asks for data the daemon is not
+connected,
+
+- if virtio-rng device is configured to connect to the egd daemon of the
+host but the egd daemon doesn't provide data.
+
+The guest kernel will hang at boot until the virtio-rng driver provides
+enough data.
+
+To avoid that, call rng_get_data() in non-blocking mode (wait=0)
+from add_early_randomness().
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Fixes: d9e797261933 ("hwrng: add randomness to system from rng...")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/hw_random/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/hw_random/core.c
++++ b/drivers/char/hw_random/core.c
+@@ -88,7 +88,7 @@ static void add_early_randomness(struct
+ size_t size = min_t(size_t, 16, rng_buffer_size());
+
+ mutex_lock(&reading_mutex);
+- bytes_read = rng_get_data(rng, rng_buffer, size, 1);
++ bytes_read = rng_get_data(rng, rng_buffer, size, 0);
+ mutex_unlock(&reading_mutex);
+ if (bytes_read > 0)
+ add_device_randomness(rng_buffer, bytes_read);
--- /dev/null
+From a71e2ac1f32097fbb2beab098687a7a95c84543e Mon Sep 17 00:00:00 2001
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Thu, 26 Sep 2019 07:19:09 -0500
+Subject: i2c: riic: Clear NACK in tend isr
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+commit a71e2ac1f32097fbb2beab098687a7a95c84543e upstream.
+
+The NACKF flag should be cleared in INTRIICNAKI interrupt processing as
+description in HW manual.
+
+This issue shows up quickly when PREEMPT_RT is applied and a device is
+probed that is not plugged in (like a touchscreen controller). The result
+is endless interrupts that halt system boot.
+
+Fixes: 310c18a41450 ("i2c: riic: add driver")
+Cc: stable@vger.kernel.org
+Reported-by: Chien Nguyen <chien.nguyen.eb@rvc.renesas.com>
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-riic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/busses/i2c-riic.c
++++ b/drivers/i2c/busses/i2c-riic.c
+@@ -212,6 +212,7 @@ static irqreturn_t riic_tend_isr(int irq
+ if (readb(riic->base + RIIC_ICSR2) & ICSR2_NACKF) {
+ /* We got a NACKIE */
+ readb(riic->base + RIIC_ICDRR); /* dummy read */
++ riic_clear_set_bit(riic, ICSR2_NACKF, 0, RIIC_ICSR2);
+ riic->err = -ENXIO;
+ } else if (riic->bytes_left) {
+ return IRQ_NONE;
+++ /dev/null
-From a7542b87607560d0b89e7ff81d870bd6ff8835cb Mon Sep 17 00:00:00 2001
-From: Stefan Assmann <sassmann@kpanic.de>
-Date: Wed, 21 Aug 2019 16:09:29 +0200
-Subject: i40e: check __I40E_VF_DISABLE bit in i40e_sync_filters_subtask
-
-From: Stefan Assmann <sassmann@kpanic.de>
-
-commit a7542b87607560d0b89e7ff81d870bd6ff8835cb upstream.
-
-While testing VF spawn/destroy the following panic occurred.
-
-BUG: unable to handle kernel NULL pointer dereference at 0000000000000029
-[...]
-Workqueue: i40e i40e_service_task [i40e]
-RIP: 0010:i40e_sync_vsi_filters+0x6fd/0xc60 [i40e]
-[...]
-Call Trace:
- ? __switch_to_asm+0x35/0x70
- ? __switch_to_asm+0x41/0x70
- ? __switch_to_asm+0x35/0x70
- ? _cond_resched+0x15/0x30
- i40e_sync_filters_subtask+0x56/0x70 [i40e]
- i40e_service_task+0x382/0x11b0 [i40e]
- ? __switch_to_asm+0x41/0x70
- ? __switch_to_asm+0x41/0x70
- process_one_work+0x1a7/0x3b0
- worker_thread+0x30/0x390
- ? create_worker+0x1a0/0x1a0
- kthread+0x112/0x130
- ? kthread_bind+0x30/0x30
- ret_from_fork+0x35/0x40
-
-Investigation revealed a race where pf->vf[vsi->vf_id].trusted may get
-accessed by the watchdog via i40e_sync_filters_subtask() although
-i40e_free_vfs() already free'd pf->vf.
-To avoid this the call to i40e_sync_vsi_filters() in
-i40e_sync_filters_subtask() needs to be guarded by __I40E_VF_DISABLE,
-which is also used by i40e_free_vfs().
-
-Note: put the __I40E_VF_DISABLE check after the
-__I40E_MACVLAN_SYNC_PENDING check as the latter is more likely to
-trigger.
-
-CC: stable@vger.kernel.org
-Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
-Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
-Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/net/ethernet/intel/i40e/i40e_main.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/drivers/net/ethernet/intel/i40e/i40e_main.c
-+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
-@@ -2589,6 +2589,10 @@ static void i40e_restore_vlan(struct i40
-
- if (!vsi->netdev)
- return;
-+ if (test_and_set_bit(__I40E_VF_DISABLE, pf->state)) {
-+ set_bit(__I40E_MACVLAN_SYNC_PENDING, pf->state);
-+ return;
-+ }
-
- i40e_vlan_rx_register(vsi->netdev, vsi->netdev->features);
-
-@@ -3057,6 +3061,7 @@ static void i40e_vsi_config_dcb_rings(st
- tx_ring->dcb_tc = n;
- }
- }
-+ clear_bit(__I40E_VF_DISABLE, pf->state);
- }
-
- /**
--- /dev/null
+From 143f6e733b73051cd22dcb80951c6c929da413ce Mon Sep 17 00:00:00 2001
+From: Xiao Ni <xni@redhat.com>
+Date: Mon, 8 Jul 2019 10:14:32 +0800
+Subject: md/raid6: Set R5_ReadError when there is read failure on parity disk
+
+From: Xiao Ni <xni@redhat.com>
+
+commit 143f6e733b73051cd22dcb80951c6c929da413ce upstream.
+
+7471fb77ce4d ("md/raid6: Fix anomily when recovering a single device in
+RAID6.") avoids rereading P when it can be computed from other members.
+However, this misses the chance to re-write the right data to P. This
+patch sets R5_ReadError if the re-read fails.
+
+Also, when re-read is skipped, we also missed the chance to reset
+rdev->read_errors to 0. It can fail the disk when there are many read
+errors on P member disk (other disks don't have read error)
+
+V2: upper layer read request don't read parity/Q data. So there is no
+need to consider such situation.
+
+This is Reported-by: kbuild test robot <lkp@intel.com>
+
+Fixes: 7471fb77ce4d ("md/raid6: Fix anomily when recovering a single device in RAID6.")
+Cc: <stable@vger.kernel.org> #4.4+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -2394,7 +2394,9 @@ static void raid5_end_read_request(struc
+ && !test_bit(R5_ReadNoMerge, &sh->dev[i].flags))
+ retry = 1;
+ if (retry)
+- if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags)) {
++ if (sh->qd_idx >= 0 && sh->pd_idx == i)
++ set_bit(R5_ReadError, &sh->dev[i].flags);
++ else if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags)) {
+ set_bit(R5_ReadError, &sh->dev[i].flags);
+ clear_bit(R5_ReadNoMerge, &sh->dev[i].flags);
+ } else
--- /dev/null
+From 6565c182094f69e4ffdece337d395eb7ec760efc Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 11 Sep 2019 17:36:50 +0800
+Subject: quota: fix wrong condition in is_quota_modification()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit 6565c182094f69e4ffdece337d395eb7ec760efc upstream.
+
+Quoted from
+commit 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize")
+
+" At LSF we decided that if we truncate up from isize we shouldn't trim
+ fallocated blocks that were fallocated with KEEP_SIZE and are past the
+ new i_size. This patch fixes ext4 to do this. "
+
+And generic/092 of fstest have covered this case for long time, however
+is_quota_modification() didn't adjust based on that rule, so that in
+below condition, we will lose to quota block change:
+- fallocate blocks beyond EOF
+- remount
+- truncate(file_path, file_size)
+
+Fix it.
+
+Link: https://lore.kernel.org/r/20190911093650.35329-1-yuchao0@huawei.com
+Fixes: 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize")
+CC: stable@vger.kernel.org
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/quotaops.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/quotaops.h
++++ b/include/linux/quotaops.h
+@@ -21,7 +21,7 @@ static inline struct quota_info *sb_dqop
+ /* i_mutex must being held */
+ static inline bool is_quota_modification(struct inode *inode, struct iattr *ia)
+ {
+- return (ia->ia_valid & ATTR_SIZE && ia->ia_size != inode->i_size) ||
++ return (ia->ia_valid & ATTR_SIZE) ||
+ (ia->ia_valid & ATTR_UID && !uid_eq(ia->ia_uid, inode->i_uid)) ||
+ (ia->ia_valid & ATTR_GID && !gid_eq(ia->ia_gid, inode->i_gid));
+ }
asoc-intel-fix-use-of-potentially-uninitialized-variable.patch
arm-zynq-use-memcpy_toio-instead-of-memcpy-on-smp-bring-up.patch
alarmtimer-use-eopnotsupp-instead-of-enotsupp.patch
-i40e-check-__i40e_vf_disable-bit-in-i40e_sync_filters_subtask.patch
+md-raid6-set-r5_readerror-when-there-is-read-failure-on-parity-disk.patch
+cfg80211-purge-frame-registrations-on-iftype-change.patch
+dev-mem-bail-out-upon-sigkill.patch
+ext4-fix-punch-hole-for-inline_data-file-systems.patch
+quota-fix-wrong-condition-in-is_quota_modification.patch
+hwrng-core-don-t-wait-on-add_early_randomness.patch
+i2c-riic-clear-nack-in-tend-isr.patch
+cifs-fix-oplock-handling-for-smb-2.1-protocols.patch
ovl-filter-of-trusted-xattr-results-in-audit.patch
btrfs-fix-use-after-free-when-using-the-tree-modification-log.patch
btrfs-relinquish-cpus-in-btrfs_compare_trees.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
