--- /dev/null
+From 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Fri, 14 Feb 2020 12:21:01 -0600
+Subject: ecryptfs: replace BUG_ON with error handling code
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+commit 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 upstream.
+
+In crypt_scatterlist, if the crypt_stat argument is not set up
+correctly, the kernel crashes. Instead, by returning an error code
+upstream, the error is handled safely.
+
+The issue is detected via a static analysis tool written by us.
+
+Fixes: 237fead619984 (ecryptfs: fs/Makefile and fs/Kconfig)
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Tyler Hicks <code@tyhicks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/crypto.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -339,8 +339,10 @@ static int crypt_scatterlist(struct ecry
+ struct extent_crypt_result ecr;
+ int rc = 0;
+
+- BUG_ON(!crypt_stat || !crypt_stat->tfm
+- || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
++ if (!crypt_stat || !crypt_stat->tfm
++ || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED))
++ return -EINVAL;
++
+ if (unlikely(ecryptfs_verbosity > 0)) {
+ ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
+ crypt_stat->key_size);
--- /dev/null
+From 76261ada16dcc3be610396a46d35acc3efbda682 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 12 Feb 2020 21:08:59 -0800
+Subject: scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 76261ada16dcc3be610396a46d35acc3efbda682 upstream.
+
+Since commit 04060db41178 introduces soft lockups when toggling network
+interfaces, revert it.
+
+Link: https://marc.info/?l=target-devel&m=158157054906196
+Cc: Rahul Kundu <rahul.kundu@chelsio.com>
+Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Reported-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
+Fixes: 04060db41178 ("scsi: RDMA/isert: Fix a recently introduced regression related to logout")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 12 ++++++++++++
+ drivers/target/iscsi/iscsi_target.c | 6 +++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2555,6 +2555,17 @@ isert_wait4logout(struct isert_conn *ise
+ }
+ }
+
++static void
++isert_wait4cmds(struct iscsi_conn *conn)
++{
++ isert_info("iscsi_conn %p\n", conn);
++
++ if (conn->sess) {
++ target_sess_cmd_list_set_waiting(conn->sess->se_sess);
++ target_wait_for_sess_cmds(conn->sess->se_sess);
++ }
++}
++
+ /**
+ * isert_put_unsol_pending_cmds() - Drop commands waiting for
+ * unsolicitate dataout
+@@ -2602,6 +2613,7 @@ static void isert_wait_conn(struct iscsi
+
+ ib_drain_qp(isert_conn->qp);
+ isert_put_unsol_pending_cmds(conn);
++ isert_wait4cmds(conn);
+ isert_wait4logout(isert_conn);
+
+ queue_work(isert_release_wq, &isert_conn->release_work);
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4162,6 +4162,9 @@ int iscsit_close_connection(
+ iscsit_stop_nopin_response_timer(conn);
+ iscsit_stop_nopin_timer(conn);
+
++ if (conn->conn_transport->iscsit_wait_conn)
++ conn->conn_transport->iscsit_wait_conn(conn);
++
+ /*
+ * During Connection recovery drop unacknowledged out of order
+ * commands for this connection, and prepare the other commands
+@@ -4247,9 +4250,6 @@ int iscsit_close_connection(
+ target_sess_cmd_list_set_waiting(sess->se_sess);
+ target_wait_for_sess_cmds(sess->se_sess);
+
+- if (conn->conn_transport->iscsit_wait_conn)
+- conn->conn_transport->iscsit_wait_conn(conn);
+-
+ ahash_request_free(conn->conn_tx_hash);
+ if (conn->conn_rx_hash) {
+ struct crypto_ahash *tfm;
--- /dev/null
+From 807b9515b7d044cf77df31f1af9d842a76ecd5cb Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 12 Feb 2020 21:09:00 -0800
+Subject: scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 807b9515b7d044cf77df31f1af9d842a76ecd5cb upstream.
+
+Since commit e9d3009cb936 introduced a regression and since the fix for
+that regression was not perfect, revert this commit.
+
+Link: https://marc.info/?l=target-devel&m=158157054906195
+Cc: Rahul Kundu <rahul.kundu@chelsio.com>
+Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Reported-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
+Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 10 ++--------
+ include/scsi/iscsi_proto.h | 1 -
+ 2 files changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1168,9 +1168,7 @@ int iscsit_setup_scsi_cmd(struct iscsi_c
+ hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length,
+ conn->cid);
+
+- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
+- return iscsit_add_reject_cmd(cmd,
+- ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
++ target_get_sess_cmd(&cmd->se_cmd, true);
+
+ cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd,
+ scsilun_to_int(&hdr->lun));
+@@ -1988,9 +1986,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
+ conn->sess->se_sess, 0, DMA_NONE,
+ TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
+
+- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
+- return iscsit_add_reject_cmd(cmd,
+- ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
++ target_get_sess_cmd(&cmd->se_cmd, true);
+
+ /*
+ * TASK_REASSIGN for ERL=2 / connection stays inside of
+@@ -4247,8 +4243,6 @@ int iscsit_close_connection(
+ * must wait until they have completed.
+ */
+ iscsit_check_conn_usage_count(conn);
+- target_sess_cmd_list_set_waiting(sess->se_sess);
+- target_wait_for_sess_cmds(sess->se_sess);
+
+ ahash_request_free(conn->conn_tx_hash);
+ if (conn->conn_rx_hash) {
+--- a/include/scsi/iscsi_proto.h
++++ b/include/scsi/iscsi_proto.h
+@@ -638,7 +638,6 @@ struct iscsi_reject {
+ #define ISCSI_REASON_BOOKMARK_INVALID 9
+ #define ISCSI_REASON_BOOKMARK_NO_RESOURCES 10
+ #define ISCSI_REASON_NEGOTIATION_RESET 11
+-#define ISCSI_REASON_WAITING_FOR_LOGOUT 12
+
+ /* Max. number of Key=Value pairs in a text message */
+ #define MAX_KEY_VALUE_PAIRS 8192
kvm-nvmx-check-io-instruction-vm-exit-conditions.patch
kvm-apic-avoid-calculating-pending-eoi-from-an-uninitialized-val.patch
btrfs-fix-btrfs_wait_ordered_range-so-that-it-waits-for-all-ordered-extents.patch
+scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
+scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch
+usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch
+staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch
+ecryptfs-replace-bug_on-with-error-handling-code.patch
kvm-nvmx-handle-nested-posted-interrupts-when-apicv-is-disabled-for-l1.patch
--- /dev/null
+From b7db58105b80fa9232719c8329b995b3addfab55 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 5 Feb 2020 15:32:17 +0300
+Subject: staging: greybus: use after free in gb_audio_manager_remove_all()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b7db58105b80fa9232719c8329b995b3addfab55 upstream.
+
+When we call kobject_put() and it's the last reference to the kobject
+then it calls gb_audio_module_release() and frees module. We dereference
+"module" on the next line which is a use after free.
+
+Fixes: c77f85bbc91a ("greybus: audio: Fix incorrect counting of 'ida'")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Vaibhav Agarwal <vaibhav.sr@gmail.com>
+Link: https://lore.kernel.org/r/20200205123217.jreendkyxulqsool@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/greybus/audio_manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/greybus/audio_manager.c
++++ b/drivers/staging/greybus/audio_manager.c
+@@ -90,8 +90,8 @@ void gb_audio_manager_remove_all(void)
+
+ list_for_each_entry_safe(module, next, &modules_list, list) {
+ list_del(&module->list);
+- kobject_put(&module->kobj);
+ ida_simple_remove(&module_id, module->id);
++ kobject_put(&module->kobj);
+ }
+
+ is_empty = list_empty(&modules_list);
--- /dev/null
+From c724417baf162bd3e035659e22cdf990cfb0d917 Mon Sep 17 00:00:00 2001
+From: Jack Pham <jackp@codeaurora.org>
+Date: Thu, 30 Jan 2020 19:10:35 -0800
+Subject: usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
+
+From: Jack Pham <jackp@codeaurora.org>
+
+commit c724417baf162bd3e035659e22cdf990cfb0d917 upstream.
+
+SuperSpeedPlus peripherals must report their bMaxPower of the
+configuration descriptor in units of 8mA as per the USB 3.2
+specification. The current switch statement in encode_bMaxPower()
+only checks for USB_SPEED_SUPER but not USB_SPEED_SUPER_PLUS so
+the latter falls back to USB 2.0 encoding which uses 2mA units.
+Replace the switch with a simple if/else.
+
+Fixes: eae5820b852f ("usb: gadget: composite: Write SuperSpeedPlus config descriptors")
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/composite.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -437,12 +437,10 @@ static u8 encode_bMaxPower(enum usb_devi
+ val = CONFIG_USB_GADGET_VBUS_DRAW;
+ if (!val)
+ return 0;
+- switch (speed) {
+- case USB_SPEED_SUPER:
+- return DIV_ROUND_UP(val, 8);
+- default:
++ if (speed < USB_SPEED_SUPER)
+ return DIV_ROUND_UP(val, 2);
+- }
++ else
++ return DIV_ROUND_UP(val, 8);
+ }
+
+ static int config_buf(struct usb_configuration *config,
projects / thirdparty / kernel / stable-queue.git / commitdiff
