--- /dev/null
+From d0cb50185ae942b03c4327be322055d622dc79f6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 26 Jan 2020 09:29:34 -0500
+Subject: do_last(): fetch directory ->i_mode and ->i_uid before it's too late
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit d0cb50185ae942b03c4327be322055d622dc79f6 upstream.
+
+may_create_in_sticky() call is done when we already have dropped the
+reference to dir.
+
+Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1001,7 +1001,8 @@ static int may_linkat(struct path *link)
+ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
+ * should be allowed, or not, on files that already
+ * exist.
+- * @dir: the sticky parent directory
++ * @dir_mode: mode bits of directory
++ * @dir_uid: owner of directory
+ * @inode: the inode of the file to open
+ *
+ * Block an O_CREAT open of a FIFO (or a regular file) when:
+@@ -1017,18 +1018,18 @@ static int may_linkat(struct path *link)
+ *
+ * Returns 0 if the open is allowed, -ve on error.
+ */
+-static int may_create_in_sticky(struct dentry * const dir,
++static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid,
+ struct inode * const inode)
+ {
+ if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
+ (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
+- likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
+- uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
++ likely(!(dir_mode & S_ISVTX)) ||
++ uid_eq(inode->i_uid, dir_uid) ||
+ uid_eq(current_fsuid(), inode->i_uid))
+ return 0;
+
+- if (likely(dir->d_inode->i_mode & 0002) ||
+- (dir->d_inode->i_mode & 0020 &&
++ if (likely(dir_mode & 0002) ||
++ (dir_mode & 0020 &&
+ ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
+ (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
+ return -EACCES;
+@@ -3248,6 +3249,8 @@ static int do_last(struct nameidata *nd,
+ struct file *file, const struct open_flags *op)
+ {
+ struct dentry *dir = nd->path.dentry;
++ kuid_t dir_uid = dir->d_inode->i_uid;
++ umode_t dir_mode = dir->d_inode->i_mode;
+ int open_flag = op->open_flag;
+ bool will_truncate = (open_flag & O_TRUNC) != 0;
+ bool got_write = false;
+@@ -3383,7 +3386,7 @@ finish_open:
+ error = -EISDIR;
+ if (d_is_dir(nd->path.dentry))
+ goto out;
+- error = may_create_in_sticky(dir,
++ error = may_create_in_sticky(dir_mode, dir_uid,
+ d_backing_inode(nd->path.dentry));
+ if (unlikely(error))
+ goto out;
--- /dev/null
+From ecc4d2a52df65479de5e333a9065ed02202a400f Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Fri, 17 Jan 2020 13:24:13 +0000
+Subject: drm/i915/userptr: fix size calculation
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit ecc4d2a52df65479de5e333a9065ed02202a400f upstream.
+
+If we create a rather large userptr object(e.g 1ULL << 32) we might
+shift past the type-width of num_pages: (int)num_pages << PAGE_SHIFT,
+resulting in a totally bogus sg_table, which fortunately will eventually
+manifest as:
+
+gen8_ppgtt_insert_huge:463 GEM_BUG_ON(iter->sg->length < page_size)
+kernel BUG at drivers/gpu/drm/i915/gt/gen8_ppgtt.c:463!
+
+v2: more unsigned long
+ prefer I915_GTT_PAGE_SIZE
+
+Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200117132413.1170563-2-matthew.auld@intel.com
+(cherry picked from commit 8e78871bc1e5efec22c950d3fd24ddb63d4ff28a)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gem/i915_gem_userptr.c | 9 +++++----
+ drivers/gpu/drm/i915/i915_gem_gtt.c | 2 ++
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
+@@ -427,7 +427,7 @@ struct get_pages_work {
+
+ static struct sg_table *
+ __i915_gem_userptr_alloc_pages(struct drm_i915_gem_object *obj,
+- struct page **pvec, int num_pages)
++ struct page **pvec, unsigned long num_pages)
+ {
+ unsigned int max_segment = i915_sg_segment_size();
+ struct sg_table *st;
+@@ -473,9 +473,10 @@ __i915_gem_userptr_get_pages_worker(stru
+ {
+ struct get_pages_work *work = container_of(_work, typeof(*work), work);
+ struct drm_i915_gem_object *obj = work->obj;
+- const int npages = obj->base.size >> PAGE_SHIFT;
++ const unsigned long npages = obj->base.size >> PAGE_SHIFT;
++ unsigned long pinned;
+ struct page **pvec;
+- int pinned, ret;
++ int ret;
+
+ ret = -ENOMEM;
+ pinned = 0;
+@@ -578,7 +579,7 @@ __i915_gem_userptr_get_pages_schedule(st
+
+ static int i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
+ {
+- const int num_pages = obj->base.size >> PAGE_SHIFT;
++ const unsigned long num_pages = obj->base.size >> PAGE_SHIFT;
+ struct mm_struct *mm = obj->userptr.mm->mm;
+ struct page **pvec;
+ struct sg_table *pages;
+--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
+@@ -1178,6 +1178,7 @@ gen8_ppgtt_insert_pte(struct i915_ppgtt
+ pd = i915_pd_entry(pdp, gen8_pd_index(idx, 2));
+ vaddr = kmap_atomic_px(i915_pt_entry(pd, gen8_pd_index(idx, 1)));
+ do {
++ GEM_BUG_ON(iter->sg->length < I915_GTT_PAGE_SIZE);
+ vaddr[gen8_pd_index(idx, 0)] = pte_encode | iter->dma;
+
+ iter->dma += I915_GTT_PAGE_SIZE;
+@@ -1657,6 +1658,7 @@ static void gen6_ppgtt_insert_entries(st
+
+ vaddr = kmap_atomic_px(i915_pt_entry(pd, act_pt));
+ do {
++ GEM_BUG_ON(iter.sg->length < I915_GTT_PAGE_SIZE);
+ vaddr[act_pte] = pte_encode | GEN6_PTE_ADDR_ENCODE(iter.dma);
+
+ iter.dma += I915_GTT_PAGE_SIZE;
--- /dev/null
+From 80892772c4edac88c538165d26a0105f19b61c1c Mon Sep 17 00:00:00 2001
+From: "xiaofeng.yan" <yanxiaofeng7@jd.com>
+Date: Mon, 20 Jan 2020 14:26:39 +0800
+Subject: hsr: Fix a compilation error
+
+From: xiaofeng.yan <yanxiaofeng7@jd.com>
+
+commit 80892772c4edac88c538165d26a0105f19b61c1c upstream.
+
+A compliation error happen when building branch 5.5-rc7
+
+In file included from net/hsr/hsr_main.c:12:0:
+net/hsr/hsr_main.h:194:20: error: two or more data types in declaration specifiers
+ static inline void void hsr_debugfs_rename(struct net_device *dev)
+
+So Removed one void.
+
+Fixes: 4c2d5e33dcd3 ("hsr: rename debugfs file when interface name is changed")
+Signed-off-by: xiaofeng.yan <yanxiaofeng7@jd.com>
+Acked-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/hsr/hsr_main.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/hsr/hsr_main.h
++++ b/net/hsr/hsr_main.h
+@@ -191,7 +191,7 @@ void hsr_debugfs_term(struct hsr_priv *p
+ void hsr_debugfs_create_root(void);
+ void hsr_debugfs_remove_root(void);
+ #else
+-static inline void void hsr_debugfs_rename(struct net_device *dev)
++static inline void hsr_debugfs_rename(struct net_device *dev)
+ {
+ }
+ static inline void hsr_debugfs_init(struct hsr_priv *priv,
--- /dev/null
+From e51a7dda299815e92f43960d620cdfc8dfc144f2 Mon Sep 17 00:00:00 2001
+From: Gilles Buloz <gilles.buloz@kontron.com>
+Date: Fri, 29 Nov 2019 10:56:05 +0100
+Subject: hwmon: (nct7802) Fix non-working alarm on voltages
+
+From: Gilles Buloz <gilles.buloz@kontron.com>
+
+commit e51a7dda299815e92f43960d620cdfc8dfc144f2 upstream.
+
+No alarm is reported by /sys/.../inX_alarm
+
+In detail:
+
+The SMI Voltage status register is the only register giving a status
+for voltages, but it does not work like the non-SMI status registers
+used for temperatures and fans.
+A bit is set for each input crossing a threshold, in both direction,
+but the "inside" or "outside" limits info is not available.
+Also this register is cleared on read.
+Note : this is not explicitly spelled out in the datasheet, but from
+experiment.
+As a result if an input is crossing a threshold (min or max in any
+direction), the alarm is reported only once even if the input is
+still outside limits. Also if the alarm for another input is read
+before the one of this input, no alarm is reported at all.
+
+Signed-off-by: Gilles Buloz <gilles.buloz@kontron.com>
+Link: https://lore.kernel.org/r/5de0f566.tBga5POKAgHlmd0p%gilles.buloz@kontron.com
+Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/nct7802.c | 71 +++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 67 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -58,6 +58,8 @@ static const u8 REG_VOLTAGE_LIMIT_MSB_SH
+ struct nct7802_data {
+ struct regmap *regmap;
+ struct mutex access_lock; /* for multi-byte read and write operations */
++ u8 in_status;
++ struct mutex in_alarm_lock;
+ };
+
+ static ssize_t temp_type_show(struct device *dev,
+@@ -368,6 +370,66 @@ static ssize_t in_store(struct device *d
+ return err ? : count;
+ }
+
++static ssize_t in_alarm_show(struct device *dev, struct device_attribute *attr,
++ char *buf)
++{
++ struct sensor_device_attribute_2 *sattr = to_sensor_dev_attr_2(attr);
++ struct nct7802_data *data = dev_get_drvdata(dev);
++ int volt, min, max, ret;
++ unsigned int val;
++
++ mutex_lock(&data->in_alarm_lock);
++
++ /*
++ * The SMI Voltage status register is the only register giving a status
++ * for voltages. A bit is set for each input crossing a threshold, in
++ * both direction, but the "inside" or "outside" limits info is not
++ * available. Also this register is cleared on read.
++ * Note: this is not explicitly spelled out in the datasheet, but
++ * from experiment.
++ * To deal with this we use a status cache with one validity bit and
++ * one status bit for each input. Validity is cleared at startup and
++ * each time the register reports a change, and the status is processed
++ * by software based on current input value and limits.
++ */
++ ret = regmap_read(data->regmap, 0x1e, &val); /* SMI Voltage status */
++ if (ret < 0)
++ goto abort;
++
++ /* invalidate cached status for all inputs crossing a threshold */
++ data->in_status &= ~((val & 0x0f) << 4);
++
++ /* if cached status for requested input is invalid, update it */
++ if (!(data->in_status & (0x10 << sattr->index))) {
++ ret = nct7802_read_voltage(data, sattr->nr, 0);
++ if (ret < 0)
++ goto abort;
++ volt = ret;
++
++ ret = nct7802_read_voltage(data, sattr->nr, 1);
++ if (ret < 0)
++ goto abort;
++ min = ret;
++
++ ret = nct7802_read_voltage(data, sattr->nr, 2);
++ if (ret < 0)
++ goto abort;
++ max = ret;
++
++ if (volt < min || volt > max)
++ data->in_status |= (1 << sattr->index);
++ else
++ data->in_status &= ~(1 << sattr->index);
++
++ data->in_status |= 0x10 << sattr->index;
++ }
++
++ ret = sprintf(buf, "%u\n", !!(data->in_status & (1 << sattr->index)));
++abort:
++ mutex_unlock(&data->in_alarm_lock);
++ return ret;
++}
++
+ static ssize_t temp_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+ {
+@@ -660,7 +722,7 @@ static const struct attribute_group nct7
+ static SENSOR_DEVICE_ATTR_2_RO(in0_input, in, 0, 0);
+ static SENSOR_DEVICE_ATTR_2_RW(in0_min, in, 0, 1);
+ static SENSOR_DEVICE_ATTR_2_RW(in0_max, in, 0, 2);
+-static SENSOR_DEVICE_ATTR_2_RO(in0_alarm, alarm, 0x1e, 3);
++static SENSOR_DEVICE_ATTR_2_RO(in0_alarm, in_alarm, 0, 3);
+ static SENSOR_DEVICE_ATTR_2_RW(in0_beep, beep, 0x5a, 3);
+
+ static SENSOR_DEVICE_ATTR_2_RO(in1_input, in, 1, 0);
+@@ -668,19 +730,19 @@ static SENSOR_DEVICE_ATTR_2_RO(in1_input
+ static SENSOR_DEVICE_ATTR_2_RO(in2_input, in, 2, 0);
+ static SENSOR_DEVICE_ATTR_2_RW(in2_min, in, 2, 1);
+ static SENSOR_DEVICE_ATTR_2_RW(in2_max, in, 2, 2);
+-static SENSOR_DEVICE_ATTR_2_RO(in2_alarm, alarm, 0x1e, 0);
++static SENSOR_DEVICE_ATTR_2_RO(in2_alarm, in_alarm, 2, 0);
+ static SENSOR_DEVICE_ATTR_2_RW(in2_beep, beep, 0x5a, 0);
+
+ static SENSOR_DEVICE_ATTR_2_RO(in3_input, in, 3, 0);
+ static SENSOR_DEVICE_ATTR_2_RW(in3_min, in, 3, 1);
+ static SENSOR_DEVICE_ATTR_2_RW(in3_max, in, 3, 2);
+-static SENSOR_DEVICE_ATTR_2_RO(in3_alarm, alarm, 0x1e, 1);
++static SENSOR_DEVICE_ATTR_2_RO(in3_alarm, in_alarm, 3, 1);
+ static SENSOR_DEVICE_ATTR_2_RW(in3_beep, beep, 0x5a, 1);
+
+ static SENSOR_DEVICE_ATTR_2_RO(in4_input, in, 4, 0);
+ static SENSOR_DEVICE_ATTR_2_RW(in4_min, in, 4, 1);
+ static SENSOR_DEVICE_ATTR_2_RW(in4_max, in, 4, 2);
+-static SENSOR_DEVICE_ATTR_2_RO(in4_alarm, alarm, 0x1e, 2);
++static SENSOR_DEVICE_ATTR_2_RO(in4_alarm, in_alarm, 4, 2);
+ static SENSOR_DEVICE_ATTR_2_RW(in4_beep, beep, 0x5a, 2);
+
+ static struct attribute *nct7802_in_attrs[] = {
+@@ -1011,6 +1073,7 @@ static int nct7802_probe(struct i2c_clie
+ return PTR_ERR(data->regmap);
+
+ mutex_init(&data->access_lock);
++ mutex_init(&data->in_alarm_lock);
+
+ ret = nct7802_init_chip(data);
+ if (ret < 0)
--- /dev/null
+From 7713e62c8623c54dac88d1fa724aa487a38c3efb Mon Sep 17 00:00:00 2001
+From: Gilles Buloz <gilles.buloz@kontron.com>
+Date: Wed, 27 Nov 2019 18:09:34 +0100
+Subject: hwmon: (nct7802) Fix voltage limits to wrong registers
+
+From: Gilles Buloz <gilles.buloz@kontron.com>
+
+commit 7713e62c8623c54dac88d1fa724aa487a38c3efb upstream.
+
+in0 thresholds are written to the in2 thresholds registers
+in2 thresholds to in3 thresholds
+in3 thresholds to in4 thresholds
+in4 thresholds to in0 thresholds
+
+Signed-off-by: Gilles Buloz <gilles.buloz@kontron.com>
+Link: https://lore.kernel.org/r/5de0f509.rc0oEvPOMjbfPW1w%gilles.buloz@kontron.com
+Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/nct7802.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -23,8 +23,8 @@
+ static const u8 REG_VOLTAGE[5] = { 0x09, 0x0a, 0x0c, 0x0d, 0x0e };
+
+ static const u8 REG_VOLTAGE_LIMIT_LSB[2][5] = {
+- { 0x40, 0x00, 0x42, 0x44, 0x46 },
+- { 0x3f, 0x00, 0x41, 0x43, 0x45 },
++ { 0x46, 0x00, 0x40, 0x42, 0x44 },
++ { 0x45, 0x00, 0x3f, 0x41, 0x43 },
+ };
+
+ static const u8 REG_VOLTAGE_LIMIT_MSB[5] = { 0x48, 0x00, 0x47, 0x47, 0x48 };
--- /dev/null
+From 8c17bbf6c8f70058a66305f2e1982552e6ea7f47 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Thu, 23 Jan 2020 15:32:14 -0700
+Subject: iommu/amd: Fix IOMMU perf counter clobbering during init
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 8c17bbf6c8f70058a66305f2e1982552e6ea7f47 upstream.
+
+init_iommu_perf_ctr() clobbers the register when it checks write access
+to IOMMU perf counters and fails to restore when they are writable.
+
+Add save and restore to fix it.
+
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Fixes: 30861ddc9cca4 ("perf/x86/amd: Add IOMMU Performance Counter resource management")
+Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu_init.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -1655,27 +1655,39 @@ static int iommu_pc_get_set_reg(struct a
+ static void init_iommu_perf_ctr(struct amd_iommu *iommu)
+ {
+ struct pci_dev *pdev = iommu->dev;
+- u64 val = 0xabcd, val2 = 0;
++ u64 val = 0xabcd, val2 = 0, save_reg = 0;
+
+ if (!iommu_feature(iommu, FEATURE_PC))
+ return;
+
+ amd_iommu_pc_present = true;
+
++ /* save the value to restore, if writable */
++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false))
++ goto pc_false;
++
+ /* Check if the performance counters can be written to */
+ if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) ||
+ (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) ||
+- (val != val2)) {
+- pci_err(pdev, "Unable to write to IOMMU perf counter.\n");
+- amd_iommu_pc_present = false;
+- return;
+- }
++ (val != val2))
++ goto pc_false;
++
++ /* restore */
++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true))
++ goto pc_false;
+
+ pci_info(pdev, "IOMMU performance counters supported\n");
+
+ val = readl(iommu->mmio_base + MMIO_CNTR_CONF_OFFSET);
+ iommu->max_banks = (u8) ((val >> 12) & 0x3f);
+ iommu->max_counters = (u8) ((val >> 7) & 0xf);
++
++ return;
++
++pc_false:
++ pci_err(pdev, "Unable to read/write to IOMMU perf counter.\n");
++ amd_iommu_pc_present = false;
++ return;
+ }
+
+ static ssize_t amd_iommu_show_cap(struct device *dev,
--- /dev/null
+From df2378ab0f2a9dd4cf4501268af1902cc4ebacd8 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 11 Dec 2019 10:15:52 +0100
+Subject: iwlwifi: mvm: fix potential SKB leak on TXQ TX
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit df2378ab0f2a9dd4cf4501268af1902cc4ebacd8 upstream.
+
+When we transmit after TXQ dequeue, we aren't paying attention to
+the return value of the transmit functions, leading to a potential
+SKB leak.
+
+Refactor the code a bit (and rename ..._tx to ..._tx_sta) to check
+for this happening.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 28 ++++++++++++----------
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 4 +--
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 4 +--
+ 3 files changed, 20 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -742,6 +742,20 @@ int iwl_mvm_mac_setup_register(struct iw
+ return ret;
+ }
+
++static void iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
++ struct ieee80211_sta *sta)
++{
++ if (likely(sta)) {
++ if (likely(iwl_mvm_tx_skb_sta(mvm, skb, sta) == 0))
++ return;
++ } else {
++ if (likely(iwl_mvm_tx_skb_non_sta(mvm, skb) == 0))
++ return;
++ }
++
++ ieee80211_free_txskb(mvm->hw, skb);
++}
++
+ static void iwl_mvm_mac_tx(struct ieee80211_hw *hw,
+ struct ieee80211_tx_control *control,
+ struct sk_buff *skb)
+@@ -785,14 +799,7 @@ static void iwl_mvm_mac_tx(struct ieee80
+ }
+ }
+
+- if (sta) {
+- if (iwl_mvm_tx_skb(mvm, skb, sta))
+- goto drop;
+- return;
+- }
+-
+- if (iwl_mvm_tx_skb_non_sta(mvm, skb))
+- goto drop;
++ iwl_mvm_tx_skb(mvm, skb, sta);
+ return;
+ drop:
+ ieee80211_free_txskb(hw, skb);
+@@ -842,10 +849,7 @@ void iwl_mvm_mac_itxq_xmit(struct ieee80
+ break;
+ }
+
+- if (!txq->sta)
+- iwl_mvm_tx_skb_non_sta(mvm, skb);
+- else
+- iwl_mvm_tx_skb(mvm, skb, txq->sta);
++ iwl_mvm_tx_skb(mvm, skb, txq->sta);
+ }
+ } while (atomic_dec_return(&mvmtxq->tx_request));
+ rcu_read_unlock();
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -1508,8 +1508,8 @@ int __must_check iwl_mvm_send_cmd_status
+ int __must_check iwl_mvm_send_cmd_pdu_status(struct iwl_mvm *mvm, u32 id,
+ u16 len, const void *data,
+ u32 *status);
+-int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
+- struct ieee80211_sta *sta);
++int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
++ struct ieee80211_sta *sta);
+ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb);
+ void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb,
+ struct iwl_tx_cmd *tx_cmd,
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -1203,8 +1203,8 @@ drop:
+ return -1;
+ }
+
+-int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
+- struct ieee80211_sta *sta)
++int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
++ struct ieee80211_sta *sta)
+ {
+ struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+ struct ieee80211_tx_info info;
--- /dev/null
+From b9f726c94224e863d4d3458dfec2e7e1284a39ce Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 11 Dec 2019 10:09:56 +0100
+Subject: iwlwifi: mvm: fix SKB leak on invalid queue
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b9f726c94224e863d4d3458dfec2e7e1284a39ce upstream.
+
+It used to be the case that if we got here, we wouldn't warn
+but instead allocate the queue (DQA). With using the mac80211
+TXQs model this changed, and we really have nothing to do with
+the frame here anymore, hence the warning now.
+
+However, clearly we missed in coding & review that this is now
+a pure error path and leaks the SKB if we return 0 instead of
+an indication that the SKB needs to be freed. Fix this.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -1151,7 +1151,7 @@ static int iwl_mvm_tx_mpdu(struct iwl_mv
+ if (WARN_ONCE(txq_id == IWL_MVM_INVALID_QUEUE, "Invalid TXQ id")) {
+ iwl_trans_free_tx_cmd(mvm->trans, dev_cmd);
+ spin_unlock(&mvmsta->lock);
+- return 0;
++ return -1;
+ }
+
+ if (!iwl_mvm_has_new_tx_api(mvm)) {
--- /dev/null
+From 90a8e82d3ca8c1f85ac63f4a94c9b034f05af4ee Mon Sep 17 00:00:00 2001
+From: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Date: Thu, 5 Dec 2019 22:25:01 +0100
+Subject: leds: gpio: Fix uninitialized gpio label for fwnode based probe
+
+From: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+
+commit 90a8e82d3ca8c1f85ac63f4a94c9b034f05af4ee upstream.
+
+When switching to using generic LED name composition mechanism via
+devm_led_classdev_register_ext() API the part of code initializing
+struct gpio_led's template name property was removed alongside.
+It was however overlooked that the property was also passed to
+devm_fwnode_get_gpiod_from_child() in place of "label" parameter,
+which when set to NULL, results in gpio label being initialized to '?'.
+
+It could be observed in debugfs and failed to properly identify
+gpio association with LED consumer.
+
+Fix this shortcoming by updating the GPIO label after the LED is
+registered and its final name is known.
+
+Fixes: d7235f5feaa0 ("leds: gpio: Use generic support for composing LED names")
+Cc: Russell King <linux@armlinux.org.uk>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+[fixed comment]
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-gpio.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-gpio.c
++++ b/drivers/leds/leds-gpio.c
+@@ -151,9 +151,14 @@ static struct gpio_leds_priv *gpio_leds_
+ struct gpio_led led = {};
+ const char *state = NULL;
+
++ /*
++ * Acquire gpiod from DT with uninitialized label, which
++ * will be updated after LED class device is registered,
++ * Only then the final LED name is known.
++ */
+ led.gpiod = devm_fwnode_get_gpiod_from_child(dev, NULL, child,
+ GPIOD_ASIS,
+- led.name);
++ NULL);
+ if (IS_ERR(led.gpiod)) {
+ fwnode_handle_put(child);
+ return ERR_CAST(led.gpiod);
+@@ -186,6 +191,9 @@ static struct gpio_leds_priv *gpio_leds_
+ fwnode_handle_put(child);
+ return ERR_PTR(ret);
+ }
++ /* Set gpiod label to match the corresponding LED name. */
++ gpiod_set_consumer_name(led_dat->gpiod,
++ led_dat->cdev.dev->kobj.name);
+ priv->num_leds++;
+ }
+
--- /dev/null
+From ab10ae1c3bef56c29bac61e1201c752221b87b41 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Thu, 23 Jan 2020 08:34:18 +0000
+Subject: lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user()
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit ab10ae1c3bef56c29bac61e1201c752221b87b41 upstream.
+
+The range passed to user_access_begin() by strncpy_from_user() and
+strnlen_user() starts at 'src' and goes up to the limit of userspace
+although reads will be limited by the 'count' param.
+
+On 32 bits powerpc (book3s/32) access has to be granted for each
+256Mbytes segment and the cost increases with the number of segments to
+unlock.
+
+Limit the range with 'count' param.
+
+Fixes: 594cc251fdd0 ("make 'user_access_begin()' do 'access_ok()'")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/strncpy_from_user.c | 14 +++++++-------
+ lib/strnlen_user.c | 14 +++++++-------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/lib/strncpy_from_user.c
++++ b/lib/strncpy_from_user.c
+@@ -30,13 +30,6 @@ static inline long do_strncpy_from_user(
+ const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
+ unsigned long res = 0;
+
+- /*
+- * Truncate 'max' to the user-specified limit, so that
+- * we only have one limit we need to check in the loop
+- */
+- if (max > count)
+- max = count;
+-
+ if (IS_UNALIGNED(src, dst))
+ goto byte_at_a_time;
+
+@@ -114,6 +107,13 @@ long strncpy_from_user(char *dst, const
+ unsigned long max = max_addr - src_addr;
+ long retval;
+
++ /*
++ * Truncate 'max' to the user-specified limit, so that
++ * we only have one limit we need to check in the loop
++ */
++ if (max > count)
++ max = count;
++
+ kasan_check_write(dst, count);
+ check_object_size(dst, count, false);
+ if (user_access_begin(src, max)) {
+--- a/lib/strnlen_user.c
++++ b/lib/strnlen_user.c
+@@ -27,13 +27,6 @@ static inline long do_strnlen_user(const
+ unsigned long c;
+
+ /*
+- * Truncate 'max' to the user-specified limit, so that
+- * we only have one limit we need to check in the loop
+- */
+- if (max > count)
+- max = count;
+-
+- /*
+ * Do everything aligned. But that means that we
+ * need to also expand the maximum..
+ */
+@@ -109,6 +102,13 @@ long strnlen_user(const char __user *str
+ unsigned long max = max_addr - src_addr;
+ long retval;
+
++ /*
++ * Truncate 'max' to the user-specified limit, so that
++ * we only have one limit we need to check in the loop
++ */
++ if (max > count)
++ max = count;
++
+ if (user_access_begin(str, max)) {
+ retval = do_strnlen_user(str, count, max);
+ user_access_end();
From: Erez Shitrit <erezsh@mellanox.com>
+commmit b850a82114df9b0ec1d191dc64eed1f20a772e0f upstream.
+
The current code handles only counters that attached to dest, we still
have the cases where we have counter on non-dest, like over drop etc.
From: Erez Shitrit <erezsh@mellanox.com>
+commit c0702a4bd41829f05638ec2dab70f6bb8d8010ce upstream.
+
Use raw_smp_processor_id instead of smp_processor_id() otherwise we will
get the following trace in debug-kernel:
BUG: using smp_processor_id() in preemptible [00000000] code: devlink
From: Eli Cohen <eli@mellanox.com>
+commit e401a1848be87123a2b2049addbf21138cb47081 upstream.
+
Since the implementation relies on limiting the VF transmit rate to
simulate ingress rate limiting, and since either uplink representor or
ecpf are not associated with a VF, we limit the rate limit configuration
From: Paul Blakey <paulb@mellanox.com>
+commit 93b8a7ecb7287cc9b0196f12a25b57c2462d11dc upstream.
+
The pool sizes represent the pool sizes in the fw. when we request
a pool size from fw, it will return the next possible group.
We track how many pools the fw has left and start requesting groups
From: Meir Lichtinger <meirl@mellanox.com>
+commit 505a7f5478062c6cd11e22022d9f1bf64cd8eab3 upstream
+
Add the upcoming ConnectX-7 device ID.
Fixes: 85327a9c4150 ("net/mlx5: Update the list of the PCI supported devices")
From: Tariq Toukan <tariqt@mellanox.com>
+commit 342508c1c7540e281fd36151c175ba5ff954a99f upstream.
+
When TCP out-of-order is identified (unexpected tcp seq mismatch), driver
analyzes the packet and decides what handling should it get:
1. go to accelerated path (to be encrypted in HW),
From: Tariq Toukan <tariqt@mellanox.com>
+commit ffbd9ca94e2ebbfe802d4b28bab5ba19818de853 upstream.
+
There are the following cases:
1. Packet ends before start marker: bypass offload.
From: Tariq Toukan <tariqt@mellanox.com>
+commit 1e92899791358dba94a9db7cc3b6004636b5a2f6 upstream.
+
The call to tx_post_resync_params() is done earlier in the flow,
the post of the control WQEs is unnecessarily repeated. Remove it.
--- /dev/null
+From 58c8db929db1c1d785a6f5d8f8692e5dbcc35e84 Mon Sep 17 00:00:00 2001
+From: Jakub Sitnicki <jakub@cloudflare.com>
+Date: Tue, 21 Jan 2020 13:31:47 +0100
+Subject: net, sk_msg: Don't check if sock is locked when tearing down psock
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+commit 58c8db929db1c1d785a6f5d8f8692e5dbcc35e84 upstream.
+
+As John Fastabend reports [0], psock state tear-down can happen on receive
+path *after* unlocking the socket, if the only other psock user, that is
+sockmap or sockhash, releases its psock reference before tcp_bpf_recvmsg
+does so:
+
+ tcp_bpf_recvmsg()
+ psock = sk_psock_get(sk) <- refcnt 2
+ lock_sock(sk);
+ ...
+ sock_map_free() <- refcnt 1
+ release_sock(sk)
+ sk_psock_put() <- refcnt 0
+
+Remove the lockdep check for socket lock in psock tear-down that got
+introduced in 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during
+tear down").
+
+[0] https://lore.kernel.org/netdev/5e25dc995d7d_74082aaee6e465b441@john-XPS-13-9370.notmuch/
+
+Fixes: 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during tear down")
+Reported-by: syzbot+d73682fcf7fee6982fe3@syzkaller.appspotmail.com
+Suggested-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skmsg.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -594,8 +594,6 @@ EXPORT_SYMBOL_GPL(sk_psock_destroy);
+
+ void sk_psock_drop(struct sock *sk, struct sk_psock *psock)
+ {
+- sock_owned_by_me(sk);
+-
+ sk_psock_cork_free(psock);
+ sk_psock_zap_ingress(psock);
+
--- /dev/null
+From 772f66421d5aa0b9f256056f513bbc38ac132271 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Thu, 23 Jan 2020 09:07:26 +1100
+Subject: net/sonic: Fix CAM initialization
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+commit 772f66421d5aa0b9f256056f513bbc38ac132271 upstream.
+
+Section 4.3.1 of the datasheet says,
+
+ This bit [TXP] must not be set if a Load CAM operation is in
+ progress (LCAM is set). The SONIC will lock up if both bits are
+ set simultaneously.
+
+Testing has shown that the driver sometimes attempts to set LCAM
+while TXP is set. Avoid this by waiting for command completion
+before and after giving the LCAM command.
+
+After issuing the Load CAM command, poll for !SONIC_CR_LCAM rather than
+SONIC_INT_LCD, because the SONIC_CR_TXP bit can't be used until
+!SONIC_CR_LCAM.
+
+When in reset mode, take the opportunity to reset the CAM Enable
+register.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/natsemi/sonic.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -550,6 +550,8 @@ static void sonic_multicast_list(struct
+ (netdev_mc_count(dev) > 15)) {
+ rcr |= SONIC_RCR_AMC;
+ } else {
++ unsigned long flags;
++
+ netif_dbg(lp, ifup, dev, "%s: mc_count %d\n", __func__,
+ netdev_mc_count(dev));
+ sonic_set_cam_enable(dev, 1); /* always enable our own address */
+@@ -563,9 +565,14 @@ static void sonic_multicast_list(struct
+ i++;
+ }
+ SONIC_WRITE(SONIC_CDC, 16);
+- /* issue Load CAM command */
+ SONIC_WRITE(SONIC_CDP, lp->cda_laddr & 0xffff);
++
++ /* LCAM and TXP commands can't be used simultaneously */
++ spin_lock_irqsave(&lp->lock, flags);
++ sonic_quiesce(dev, SONIC_CR_TXP);
+ SONIC_WRITE(SONIC_CMD, SONIC_CR_LCAM);
++ sonic_quiesce(dev, SONIC_CR_LCAM);
++ spin_unlock_irqrestore(&lp->lock, flags);
+ }
+ }
+
+@@ -592,6 +599,9 @@ static int sonic_init(struct net_device
+ SONIC_WRITE(SONIC_ISR, 0x7fff);
+ SONIC_WRITE(SONIC_CMD, SONIC_CR_RST);
+
++ /* While in reset mode, clear CAM Enable register */
++ SONIC_WRITE(SONIC_CE, 0);
++
+ /*
+ * clear software reset flag, disable receiver, clear and
+ * enable interrupts, then completely initialize the SONIC
+@@ -713,14 +723,7 @@ static int sonic_init(struct net_device
+ * load the CAM
+ */
+ SONIC_WRITE(SONIC_CMD, SONIC_CR_LCAM);
+-
+- i = 0;
+- while (i++ < 100) {
+- if (SONIC_READ(SONIC_ISR) & SONIC_INT_LCD)
+- break;
+- }
+- netif_dbg(lp, ifup, dev, "%s: CMD=%x, ISR=%x, i=%d\n", __func__,
+- SONIC_READ(SONIC_CMD), SONIC_READ(SONIC_ISR), i);
++ sonic_quiesce(dev, SONIC_CR_LCAM);
+
+ /*
+ * enable receiver, disable loopback
--- /dev/null
+From 3c2659bd1db81ed6a264a9fc6262d51667d655ad Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 22 Jan 2020 12:37:25 -0800
+Subject: readdir: make user_access_begin() use the real access range
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3c2659bd1db81ed6a264a9fc6262d51667d655ad upstream.
+
+In commit 9f79b78ef744 ("Convert filldir[64]() from __put_user() to
+unsafe_put_user()") I changed filldir to not do individual __put_user()
+accesses, but instead use unsafe_put_user() surrounded by the proper
+user_access_begin/end() pair.
+
+That make them enormously faster on modern x86, where the STAC/CLAC
+games make individual user accesses fairly heavy-weight.
+
+However, the user_access_begin() range was not really the exact right
+one, since filldir() has the unfortunate problem that it needs to not
+only fill out the new directory entry, it also needs to fix up the
+previous one to contain the proper file offset.
+
+It's unfortunate, but the "d_off" field in "struct dirent" is _not_ the
+file offset of the directory entry itself - it's the offset of the next
+one. So we end up backfilling the offset in the previous entry as we
+walk along.
+
+But since x86 didn't really care about the exact range, and used to be
+the only architecture that did anything fancy in user_access_begin() to
+begin with, the filldir[64]() changes did something lazy, and even
+commented on it:
+
+ /*
+ * Note! This range-checks 'previous' (which may be NULL).
+ * The real range was checked in getdents
+ */
+ if (!user_access_begin(dirent, sizeof(*dirent)))
+ goto efault;
+
+and it all worked fine.
+
+But now 32-bit ppc is starting to also implement user_access_begin(),
+and the fact that we faked the range to only be the (possibly not even
+valid) previous directory entry becomes a problem, because ppc32 will
+actually be using the range that is passed in for more than just "check
+that it's user space".
+
+This is a complete rewrite of Christophe's original patch.
+
+By saving off the record length of the previous entry instead of a
+pointer to it in the filldir data structures, we can simplify the range
+check and the writing of the previous entry d_off field. No need for
+any conditionals in the user accesses themselves, although we retain the
+conditional EINTR checking for the "was this the first directory entry"
+signal handling latency logic.
+
+Fixes: 9f79b78ef744 ("Convert filldir[64]() from __put_user() to unsafe_put_user()")
+Link: https://lore.kernel.org/lkml/a02d3426f93f7eb04960a4d9140902d278cab0bb.1579697910.git.christophe.leroy@c-s.fr/
+Link: https://lore.kernel.org/lkml/408c90c4068b00ea8f1c41cca45b84ec23d4946b.1579783936.git.christophe.leroy@c-s.fr/
+Reported-and-tested-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/readdir.c | 73 ++++++++++++++++++++++++++++-------------------------------
+ 1 file changed, 35 insertions(+), 38 deletions(-)
+
+--- a/fs/readdir.c
++++ b/fs/readdir.c
+@@ -206,7 +206,7 @@ struct linux_dirent {
+ struct getdents_callback {
+ struct dir_context ctx;
+ struct linux_dirent __user * current_dir;
+- struct linux_dirent __user * previous;
++ int prev_reclen;
+ int count;
+ int error;
+ };
+@@ -214,12 +214,13 @@ struct getdents_callback {
+ static int filldir(struct dir_context *ctx, const char *name, int namlen,
+ loff_t offset, u64 ino, unsigned int d_type)
+ {
+- struct linux_dirent __user * dirent;
++ struct linux_dirent __user *dirent, *prev;
+ struct getdents_callback *buf =
+ container_of(ctx, struct getdents_callback, ctx);
+ unsigned long d_ino;
+ int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
+ sizeof(long));
++ int prev_reclen;
+
+ buf->error = verify_dirent_name(name, namlen);
+ if (unlikely(buf->error))
+@@ -232,28 +233,24 @@ static int filldir(struct dir_context *c
+ buf->error = -EOVERFLOW;
+ return -EOVERFLOW;
+ }
+- dirent = buf->previous;
+- if (dirent && signal_pending(current))
++ prev_reclen = buf->prev_reclen;
++ if (prev_reclen && signal_pending(current))
+ return -EINTR;
+-
+- /*
+- * Note! This range-checks 'previous' (which may be NULL).
+- * The real range was checked in getdents
+- */
+- if (!user_access_begin(dirent, sizeof(*dirent)))
+- goto efault;
+- if (dirent)
+- unsafe_put_user(offset, &dirent->d_off, efault_end);
+ dirent = buf->current_dir;
++ prev = (void __user *) dirent - prev_reclen;
++ if (!user_access_begin(prev, reclen + prev_reclen))
++ goto efault;
++
++ /* This might be 'dirent->d_off', but if so it will get overwritten */
++ unsafe_put_user(offset, &prev->d_off, efault_end);
+ unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
+ unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
+ unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
+ unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
+ user_access_end();
+
+- buf->previous = dirent;
+- dirent = (void __user *)dirent + reclen;
+- buf->current_dir = dirent;
++ buf->current_dir = (void __user *)dirent + reclen;
++ buf->prev_reclen = reclen;
+ buf->count -= reclen;
+ return 0;
+ efault_end:
+@@ -267,7 +264,6 @@ SYSCALL_DEFINE3(getdents, unsigned int,
+ struct linux_dirent __user *, dirent, unsigned int, count)
+ {
+ struct fd f;
+- struct linux_dirent __user * lastdirent;
+ struct getdents_callback buf = {
+ .ctx.actor = filldir,
+ .count = count,
+@@ -285,8 +281,10 @@ SYSCALL_DEFINE3(getdents, unsigned int,
+ error = iterate_dir(f.file, &buf.ctx);
+ if (error >= 0)
+ error = buf.error;
+- lastdirent = buf.previous;
+- if (lastdirent) {
++ if (buf.prev_reclen) {
++ struct linux_dirent __user * lastdirent;
++ lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
++
+ if (put_user(buf.ctx.pos, &lastdirent->d_off))
+ error = -EFAULT;
+ else
+@@ -299,7 +297,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
+ struct getdents_callback64 {
+ struct dir_context ctx;
+ struct linux_dirent64 __user * current_dir;
+- struct linux_dirent64 __user * previous;
++ int prev_reclen;
+ int count;
+ int error;
+ };
+@@ -307,11 +305,12 @@ struct getdents_callback64 {
+ static int filldir64(struct dir_context *ctx, const char *name, int namlen,
+ loff_t offset, u64 ino, unsigned int d_type)
+ {
+- struct linux_dirent64 __user *dirent;
++ struct linux_dirent64 __user *dirent, *prev;
+ struct getdents_callback64 *buf =
+ container_of(ctx, struct getdents_callback64, ctx);
+ int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
+ sizeof(u64));
++ int prev_reclen;
+
+ buf->error = verify_dirent_name(name, namlen);
+ if (unlikely(buf->error))
+@@ -319,30 +318,27 @@ static int filldir64(struct dir_context
+ buf->error = -EINVAL; /* only used if we fail.. */
+ if (reclen > buf->count)
+ return -EINVAL;
+- dirent = buf->previous;
+- if (dirent && signal_pending(current))
++ prev_reclen = buf->prev_reclen;
++ if (prev_reclen && signal_pending(current))
+ return -EINTR;
+-
+- /*
+- * Note! This range-checks 'previous' (which may be NULL).
+- * The real range was checked in getdents
+- */
+- if (!user_access_begin(dirent, sizeof(*dirent)))
+- goto efault;
+- if (dirent)
+- unsafe_put_user(offset, &dirent->d_off, efault_end);
+ dirent = buf->current_dir;
++ prev = (void __user *)dirent - prev_reclen;
++ if (!user_access_begin(prev, reclen + prev_reclen))
++ goto efault;
++
++ /* This might be 'dirent->d_off', but if so it will get overwritten */
++ unsafe_put_user(offset, &prev->d_off, efault_end);
+ unsafe_put_user(ino, &dirent->d_ino, efault_end);
+ unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
+ unsafe_put_user(d_type, &dirent->d_type, efault_end);
+ unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
+ user_access_end();
+
+- buf->previous = dirent;
+- dirent = (void __user *)dirent + reclen;
+- buf->current_dir = dirent;
++ buf->prev_reclen = reclen;
++ buf->current_dir = (void __user *)dirent + reclen;
+ buf->count -= reclen;
+ return 0;
++
+ efault_end:
+ user_access_end();
+ efault:
+@@ -354,7 +350,6 @@ int ksys_getdents64(unsigned int fd, str
+ unsigned int count)
+ {
+ struct fd f;
+- struct linux_dirent64 __user * lastdirent;
+ struct getdents_callback64 buf = {
+ .ctx.actor = filldir64,
+ .count = count,
+@@ -372,9 +367,11 @@ int ksys_getdents64(unsigned int fd, str
+ error = iterate_dir(f.file, &buf.ctx);
+ if (error >= 0)
+ error = buf.error;
+- lastdirent = buf.previous;
+- if (lastdirent) {
++ if (buf.prev_reclen) {
++ struct linux_dirent64 __user * lastdirent;
+ typeof(lastdirent->d_off) d_off = buf.ctx.pos;
++
++ lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
+ if (__put_user(d_off, &lastdirent->d_off))
+ error = -EFAULT;
+ else
--- /dev/null
+From 04060db41178c7c244f2c7dcd913e7fd331de915 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 15 Jan 2020 20:47:37 -0800
+Subject: scsi: RDMA/isert: Fix a recently introduced regression related to logout
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 04060db41178c7c244f2c7dcd913e7fd331de915 upstream.
+
+iscsit_close_connection() calls isert_wait_conn(). Due to commit
+e9d3009cb936 both functions call target_wait_for_sess_cmds() although that
+last function should be called only once. Fix this by removing the
+target_wait_for_sess_cmds() call from isert_wait_conn() and by only calling
+isert_wait_conn() after target_wait_for_sess_cmds().
+
+Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session").
+Link: https://lore.kernel.org/r/20200116044737.19507-1-bvanassche@acm.org
+Reported-by: Rahul Kundu <rahul.kundu@chelsio.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Acked-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 12 ------------
+ drivers/target/iscsi/iscsi_target.c | 6 +++---
+ 2 files changed, 3 insertions(+), 15 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2575,17 +2575,6 @@ isert_wait4logout(struct isert_conn *ise
+ }
+ }
+
+-static void
+-isert_wait4cmds(struct iscsi_conn *conn)
+-{
+- isert_info("iscsi_conn %p\n", conn);
+-
+- if (conn->sess) {
+- target_sess_cmd_list_set_waiting(conn->sess->se_sess);
+- target_wait_for_sess_cmds(conn->sess->se_sess);
+- }
+-}
+-
+ /**
+ * isert_put_unsol_pending_cmds() - Drop commands waiting for
+ * unsolicitate dataout
+@@ -2633,7 +2622,6 @@ static void isert_wait_conn(struct iscsi
+
+ ib_drain_qp(isert_conn->qp);
+ isert_put_unsol_pending_cmds(conn);
+- isert_wait4cmds(conn);
+ isert_wait4logout(isert_conn);
+
+ queue_work(isert_release_wq, &isert_conn->release_work);
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4151,9 +4151,6 @@ int iscsit_close_connection(
+ iscsit_stop_nopin_response_timer(conn);
+ iscsit_stop_nopin_timer(conn);
+
+- if (conn->conn_transport->iscsit_wait_conn)
+- conn->conn_transport->iscsit_wait_conn(conn);
+-
+ /*
+ * During Connection recovery drop unacknowledged out of order
+ * commands for this connection, and prepare the other commands
+@@ -4239,6 +4236,9 @@ int iscsit_close_connection(
+ target_sess_cmd_list_set_waiting(sess->se_sess);
+ target_wait_for_sess_cmds(sess->se_sess);
+
++ if (conn->conn_transport->iscsit_wait_conn)
++ conn->conn_transport->iscsit_wait_conn(conn);
++
+ ahash_request_free(conn->conn_tx_hash);
+ if (conn->conn_rx_hash) {
+ struct crypto_ahash *tfm;
input-pegasus_notetaker-fix-endpoint-sanity-check.patch
input-sun4i-ts-add-a-check-for-devm_thermal_zone_of_sensor_register.patch
netfilter-nft_osf-add-missing-check-for-dreg-attribute.patch
+lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch
+iommu-amd-fix-iommu-perf-counter-clobbering-during-init.patch
+readdir-make-user_access_begin-use-the-real-access-range.patch
+leds-gpio-fix-uninitialized-gpio-label-for-fwnode-based-probe.patch
+hsr-fix-a-compilation-error.patch
+hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch
+hwmon-nct7802-fix-non-working-alarm-on-voltages.patch
+scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
+tracing-xen-ordered-comparison-of-function-pointers.patch
+iwlwifi-mvm-fix-skb-leak-on-invalid-queue.patch
+iwlwifi-mvm-fix-potential-skb-leak-on-txq-tx.patch
+drm-i915-userptr-fix-size-calculation.patch
+xfrm-support-output_mark-for-offload-esp-packets.patch
+net-sk_msg-don-t-check-if-sock-is-locked-when-tearing-down-psock.patch
+do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch
+net-sonic-fix-cam-initialization.patch
--- /dev/null
+From d0695e2351102affd8efae83989056bc4b275917 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@intel.com>
+Date: Sun, 12 Jan 2020 11:42:31 +0800
+Subject: tracing: xen: Ordered comparison of function pointers
+
+From: Changbin Du <changbin.du@gmail.com>
+
+commit d0695e2351102affd8efae83989056bc4b275917 upstream.
+
+Just as commit 0566e40ce7 ("tracing: initcall: Ordered comparison of
+function pointers"), this patch fixes another remaining one in xen.h
+found by clang-9.
+
+In file included from arch/x86/xen/trace.c:21:
+In file included from ./include/trace/events/xen.h:475:
+In file included from ./include/trace/define_trace.h:102:
+In file included from ./include/trace/trace_events.h:473:
+./include/trace/events/xen.h:69:7: warning: ordered comparison of function \
+pointers ('xen_mc_callback_fn_t' (aka 'void (*)(void *)') and 'xen_mc_callback_fn_t') [-Wordered-compare-function-pointers]
+ __field(xen_mc_callback_fn_t, fn)
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./include/trace/trace_events.h:421:29: note: expanded from macro '__field'
+ ^
+./include/trace/trace_events.h:407:6: note: expanded from macro '__field_ext'
+ is_signed_type(type), filter_type); \
+ ^
+./include/linux/trace_events.h:554:44: note: expanded from macro 'is_signed_type'
+ ^
+
+Fixes: c796f213a6934 ("xen/trace: add multicall tracing")
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/trace/events/xen.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/trace/events/xen.h
++++ b/include/trace/events/xen.h
+@@ -66,7 +66,11 @@ TRACE_EVENT(xen_mc_callback,
+ TP_PROTO(xen_mc_callback_fn_t fn, void *data),
+ TP_ARGS(fn, data),
+ TP_STRUCT__entry(
+- __field(xen_mc_callback_fn_t, fn)
++ /*
++ * Use field_struct to avoid is_signed_type()
++ * comparison of a function pointer.
++ */
++ __field_struct(xen_mc_callback_fn_t, fn)
+ __field(void *, data)
+ ),
+ TP_fast_assign(
--- /dev/null
+From 4e4362d2bf2a49ff44dbbc9585207977ca3d71d0 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber <ulrich.weber@gmail.com>
+Date: Wed, 15 Jan 2020 12:11:29 +0100
+Subject: xfrm: support output_mark for offload ESP packets
+
+From: Ulrich Weber <ulrich.weber@gmail.com>
+
+commit 4e4362d2bf2a49ff44dbbc9585207977ca3d71d0 upstream.
+
+Commit 9b42c1f179a6 ("xfrm: Extend the output_mark") added output_mark
+support but missed ESP offload support.
+
+xfrm_smark_get() is not called within xfrm_input() for packets coming
+from esp4_gro_receive() or esp6_gro_receive(). Therefore call
+xfrm_smark_get() directly within these functions.
+
+Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction and masking.")
+Signed-off-by: Ulrich Weber <ulrich.weber@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/esp4_offload.c | 2 ++
+ net/ipv6/esp6_offload.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -57,6 +57,8 @@ static struct sk_buff *esp4_gro_receive(
+ if (!x)
+ goto out_reset;
+
++ skb->mark = xfrm_smark_get(skb->mark, x);
++
+ sp->xvec[sp->len++] = x;
+ sp->olen++;
+
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -79,6 +79,8 @@ static struct sk_buff *esp6_gro_receive(
+ if (!x)
+ goto out_reset;
+
++ skb->mark = xfrm_smark_get(skb->mark, x);
++
+ sp->xvec[sp->len++] = x;
+ sp->olen++;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
