--- /dev/null
+From 6a68f11c406e63795b5c283e914b9985ff5e3da2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Apr 2019 18:04:17 +0200
+Subject: ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
+
+[ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ]
+
+The snd_seq_ioctl_get_subscription() retrieves the port subscriber
+information as a pointer, while the object isn't protected, hence it
+may be deleted before the actual reference. This race was spotted by
+syzkaller and may lead to a UAF.
+
+The fix is simply copying the data in the lookup function that
+performs in the rwsem to protect against the deletion.
+
+Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 10 ++--------
+ sound/core/seq/seq_ports.c | 13 ++++++++-----
+ sound/core/seq/seq_ports.h | 5 +++--
+ 3 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 40ae8f67efde..37312a3ae60f 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1900,20 +1900,14 @@ static int snd_seq_ioctl_get_subscription(struct snd_seq_client *client,
+ int result;
+ struct snd_seq_client *sender = NULL;
+ struct snd_seq_client_port *sport = NULL;
+- struct snd_seq_subscribers *p;
+
+ result = -EINVAL;
+ if ((sender = snd_seq_client_use_ptr(subs->sender.client)) == NULL)
+ goto __end;
+ if ((sport = snd_seq_port_use_ptr(sender, subs->sender.port)) == NULL)
+ goto __end;
+- p = snd_seq_port_get_subscription(&sport->c_src, &subs->dest);
+- if (p) {
+- result = 0;
+- *subs = p->info;
+- } else
+- result = -ENOENT;
+-
++ result = snd_seq_port_get_subscription(&sport->c_src, &subs->dest,
++ subs);
+ __end:
+ if (sport)
+ snd_seq_port_unlock(sport);
+diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
+index da31aa8e216e..16289aefb443 100644
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -635,20 +635,23 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector,
+
+
+ /* get matched subscriber */
+-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
+- struct snd_seq_addr *dest_addr)
++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
++ struct snd_seq_addr *dest_addr,
++ struct snd_seq_port_subscribe *subs)
+ {
+- struct snd_seq_subscribers *s, *found = NULL;
++ struct snd_seq_subscribers *s;
++ int err = -ENOENT;
+
+ down_read(&src_grp->list_mutex);
+ list_for_each_entry(s, &src_grp->list_head, src_list) {
+ if (addr_match(dest_addr, &s->info.dest)) {
+- found = s;
++ *subs = s->info;
++ err = 0;
+ break;
+ }
+ }
+ up_read(&src_grp->list_mutex);
+- return found;
++ return err;
+ }
+
+ /*
+diff --git a/sound/core/seq/seq_ports.h b/sound/core/seq/seq_ports.h
+index 26bd71f36c41..06003b36652e 100644
+--- a/sound/core/seq/seq_ports.h
++++ b/sound/core/seq/seq_ports.h
+@@ -135,7 +135,8 @@ int snd_seq_port_subscribe(struct snd_seq_client_port *port,
+ struct snd_seq_port_subscribe *info);
+
+ /* get matched subscriber */
+-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
+- struct snd_seq_addr *dest_addr);
++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
++ struct snd_seq_addr *dest_addr,
++ struct snd_seq_port_subscribe *subs);
+
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 310b4ab58553793343b3ded3efc72bee50bfa5c6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Apr 2019 17:35:22 +0200
+Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
+
+[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
+
+ALSA OSS sequencer calls the ioctl function indirectly via
+snd_seq_kernel_client_ctl(). While we already applied the protection
+against races between the normal ioctls and writes via the client's
+ioctl_mutex, this code path was left untouched. And this seems to be
+the cause of still remaining some rare UAF as spontaneously triggered
+by syzkaller.
+
+For the sake of robustness, wrap the ioctl_mutex also for the call via
+snd_seq_kernel_client_ctl(), too.
+
+Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index b55cb96d1fed..40ae8f67efde 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
++ int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd)
+- return handler->func(client, arg);
++ if (handler->cmd == cmd) {
++ mutex_lock(&client->ioctl_mutex);
++ err = handler->func(client, arg);
++ mutex_unlock(&client->ioctl_mutex);
++ return err;
++ }
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
--- /dev/null
+From 234c4d98a8ea683357afe5f4240b13db12e04aec Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 14 May 2019 14:30:06 +0530
+Subject: arm64/mm: Inhibit huge-vmap with ptdump
+
+[ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ]
+
+The arm64 ptdump code can race with concurrent modification of the
+kernel page tables. At the time this was added, this was sound as:
+
+* Modifications to leaf entries could result in stale information being
+ logged, but would not result in a functional problem.
+
+* Boot time modifications to non-leaf entries (e.g. freeing of initmem)
+ were performed when the ptdump code cannot be invoked.
+
+* At runtime, modifications to non-leaf entries only occurred in the
+ vmalloc region, and these were strictly additive, as intermediate
+ entries were never freed.
+
+However, since commit:
+
+ commit 324420bf91f6 ("arm64: add support for ioremap() block mappings")
+
+... it has been possible to create huge mappings in the vmalloc area at
+runtime, and as part of this existing intermediate levels of table my be
+removed and freed.
+
+It's possible for the ptdump code to race with this, and continue to
+walk tables which have been freed (and potentially poisoned or
+reallocated). As a result of this, the ptdump code may dereference bogus
+addresses, which could be fatal.
+
+Since huge-vmap is a TLB and memory optimization, we can disable it when
+the runtime ptdump code is in use to avoid this problem.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Fixes: 324420bf91f60582 ("arm64: add support for ioremap() block mappings")
+Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/mmu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 8080c9f489c3..0fa558176fb1 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -921,13 +921,18 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
+
+ int __init arch_ioremap_pud_supported(void)
+ {
+- /* only 4k granule supports level 1 block mappings */
+- return IS_ENABLED(CONFIG_ARM64_4K_PAGES);
++ /*
++ * Only 4k granule supports level 1 block mappings.
++ * SW table walks can't handle removal of intermediate entries.
++ */
++ return IS_ENABLED(CONFIG_ARM64_4K_PAGES) &&
++ !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int __init arch_ioremap_pmd_supported(void)
+ {
+- return 1;
++ /* See arch_ioremap_pud_supported() */
++ return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int pud_set_huge(pud_t *pudp, phys_addr_t phys, pgprot_t prot)
+--
+2.20.1
+
--- /dev/null
+From 235ea756a25d398437a8d48880075bd21e91adda Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Fri, 12 Apr 2019 15:45:06 +0800
+Subject: Drivers: misc: fix out-of-bounds access in function
+ param_set_kgdbts_var
+
+[ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ]
+
+There is an out-of-bounds access to "config[len - 1]" array when the
+variable "len" is zero.
+
+See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug
+in param_set_kgdboc_var()") for details.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/kgdbts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
+index 6193270e7b3d..eb4d90b7d99e 100644
+--- a/drivers/misc/kgdbts.c
++++ b/drivers/misc/kgdbts.c
+@@ -1139,7 +1139,7 @@ static void kgdbts_put_char(u8 chr)
+ static int param_set_kgdbts_var(const char *kmessage,
+ const struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdbts: config string too long\n");
+@@ -1159,7 +1159,7 @@ static int param_set_kgdbts_var(const char *kmessage,
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ /* Go and configure with the new params. */
+--
+2.20.1
+
--- /dev/null
+From 551220c9cfa90499cd0ee031bb3f97f8ebf6b818 Mon Sep 17 00:00:00 2001
+From: Randall Huang <huangrandall@google.com>
+Date: Thu, 11 Apr 2019 16:26:46 +0800
+Subject: f2fs: fix to avoid accessing xattr across the boundary
+
+[ Upstream commit 2777e654371dd4207a3a7f4fb5fa39550053a080 ]
+
+When we traverse xattr entries via __find_xattr(),
+if the raw filesystem content is faked or any hardware failure occurs,
+out-of-bound error can be detected by KASAN.
+Fix the issue by introducing boundary check.
+
+[ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c
+[ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task
+[ 38.402935] c7 1827 Call trace:
+[ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc
+[ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c
+[ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140
+[ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8
+[ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc
+[ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc
+[ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8
+[ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c
+[ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0
+[ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc
+[ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938
+[ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38
+[ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98
+[ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348
+[ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774
+[ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc
+[ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520
+[ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4
+[ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8
+[ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68
+[ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c
+[ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38
+
+Signed-off-by: Randall Huang <huangrandall@google.com>
+[Jaegeuk Kim: Fix wrong ending boundary]
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/xattr.c | 36 +++++++++++++++++++++++++++---------
+ fs/f2fs/xattr.h | 2 ++
+ 2 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index 409a637f7a92..88e30f7cf9e1 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -205,12 +205,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index)
+ return handler;
+ }
+
+-static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index,
+- size_t len, const char *name)
++static struct f2fs_xattr_entry *__find_xattr(void *base_addr,
++ void *last_base_addr, int index,
++ size_t len, const char *name)
+ {
+ struct f2fs_xattr_entry *entry;
+
+ list_for_each_xattr(entry, base_addr) {
++ if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
++ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr)
++ return NULL;
++
+ if (entry->e_name_index != index)
+ continue;
+ if (entry->e_name_len != len)
+@@ -300,20 +305,22 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
+ const char *name, struct f2fs_xattr_entry **xe,
+ void **base_addr, int *base_size)
+ {
+- void *cur_addr, *txattr_addr, *last_addr = NULL;
++ void *cur_addr, *txattr_addr, *last_txattr_addr;
++ void *last_addr = NULL;
+ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+- unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
+ unsigned int inline_size = inline_xattr_size(inode);
+ int err = 0;
+
+- if (!size && !inline_size)
++ if (!xnid && !inline_size)
+ return -ENODATA;
+
+- *base_size = inline_size + size + XATTR_PADDING_SIZE;
++ *base_size = XATTR_SIZE(xnid, inode) + XATTR_PADDING_SIZE;
+ txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS);
+ if (!txattr_addr)
+ return -ENOMEM;
+
++ last_txattr_addr = (void *)txattr_addr + XATTR_SIZE(xnid, inode);
++
+ /* read from inline xattr */
+ if (inline_size) {
+ err = read_inline_xattr(inode, ipage, txattr_addr);
+@@ -340,7 +347,11 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
+ else
+ cur_addr = txattr_addr;
+
+- *xe = __find_xattr(cur_addr, index, len, name);
++ *xe = __find_xattr(cur_addr, last_txattr_addr, index, len, name);
++ if (!*xe) {
++ err = -EFAULT;
++ goto out;
++ }
+ check:
+ if (IS_XATTR_LAST_ENTRY(*xe)) {
+ err = -ENODATA;
+@@ -584,7 +595,8 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ struct page *ipage, int flags)
+ {
+ struct f2fs_xattr_entry *here, *last;
+- void *base_addr;
++ void *base_addr, *last_base_addr;
++ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+ int found, newsize;
+ size_t len;
+ __u32 new_hsize;
+@@ -608,8 +620,14 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ if (error)
+ return error;
+
++ last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
++
+ /* find entry with wanted name. */
+- here = __find_xattr(base_addr, index, len, name);
++ here = __find_xattr(base_addr, last_base_addr, index, len, name);
++ if (!here) {
++ error = -EFAULT;
++ goto exit;
++ }
+
+ found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1;
+
+diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h
+index dbcd1d16e669..2a4ecaf338ea 100644
+--- a/fs/f2fs/xattr.h
++++ b/fs/f2fs/xattr.h
+@@ -74,6 +74,8 @@ struct f2fs_xattr_entry {
+ entry = XATTR_NEXT_ENTRY(entry))
+ #define VALID_XATTR_BLOCK_SIZE (PAGE_SIZE - sizeof(struct node_footer))
+ #define XATTR_PADDING_SIZE (sizeof(__u32))
++#define XATTR_SIZE(x,i) (((x) ? VALID_XATTR_BLOCK_SIZE : 0) + \
++ (inline_xattr_size(i)))
+ #define MIN_OFFSET(i) XATTR_ALIGN(inline_xattr_size(i) + \
+ VALID_XATTR_BLOCK_SIZE)
+
+--
+2.20.1
+
--- /dev/null
+From 4c37e3642dc8e0ecc0be4cee4eb636c1ca9441fc Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Wed, 22 May 2019 18:47:05 +0100
+Subject: KVM: arm/arm64: Move cc/it checks under hyp's Makefile to avoid
+ instrumentation
+
+[ Upstream commit 623e1528d4090bd1abaf93ec46f047dee9a6fb32 ]
+
+KVM has helpers to handle the condition codes of trapped aarch32
+instructions. These are marked __hyp_text and used from HYP, but they
+aren't built by the 'hyp' Makefile, which has all the runes to avoid ASAN
+and KCOV instrumentation.
+
+Move this code to a new hyp/aarch32.c to avoid a hyp-panic when starting
+an aarch32 guest on a host built with the ASAN/KCOV debug options.
+
+Fixes: 021234ef3752f ("KVM: arm64: Make kvm_condition_valid32() accessible from EL2")
+Fixes: 8cebe750c4d9a ("arm64: KVM: Make kvm_skip_instr32 available to HYP")
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kvm/hyp/Makefile | 1 +
+ arch/arm64/kvm/hyp/Makefile | 1 +
+ virt/kvm/arm/aarch32.c | 121 --------------------------------
+ virt/kvm/arm/hyp/aarch32.c | 136 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 138 insertions(+), 121 deletions(-)
+ create mode 100644 virt/kvm/arm/hyp/aarch32.c
+
+diff --git a/arch/arm/kvm/hyp/Makefile b/arch/arm/kvm/hyp/Makefile
+index d2b5ec9c4b92..ba88b1eca93c 100644
+--- a/arch/arm/kvm/hyp/Makefile
++++ b/arch/arm/kvm/hyp/Makefile
+@@ -11,6 +11,7 @@ CFLAGS_ARMV7VE :=$(call cc-option, -march=armv7ve)
+
+ obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o
+ obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o
++obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/aarch32.o
+
+ obj-$(CONFIG_KVM_ARM_HOST) += tlb.o
+ obj-$(CONFIG_KVM_ARM_HOST) += cp15-sr.o
+diff --git a/arch/arm64/kvm/hyp/Makefile b/arch/arm64/kvm/hyp/Makefile
+index 2fabc2dc1966..feef06fc7c5a 100644
+--- a/arch/arm64/kvm/hyp/Makefile
++++ b/arch/arm64/kvm/hyp/Makefile
+@@ -10,6 +10,7 @@ KVM=../../../../virt/kvm
+
+ obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o
+ obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o
++obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/aarch32.o
+
+ obj-$(CONFIG_KVM_ARM_HOST) += vgic-v2-cpuif-proxy.o
+ obj-$(CONFIG_KVM_ARM_HOST) += sysreg-sr.o
+diff --git a/virt/kvm/arm/aarch32.c b/virt/kvm/arm/aarch32.c
+index 5abbe9b3c652..6880236974b8 100644
+--- a/virt/kvm/arm/aarch32.c
++++ b/virt/kvm/arm/aarch32.c
+@@ -25,127 +25,6 @@
+ #include <asm/kvm_emulate.h>
+ #include <asm/kvm_hyp.h>
+
+-/*
+- * stolen from arch/arm/kernel/opcodes.c
+- *
+- * condition code lookup table
+- * index into the table is test code: EQ, NE, ... LT, GT, AL, NV
+- *
+- * bit position in short is condition code: NZCV
+- */
+-static const unsigned short cc_map[16] = {
+- 0xF0F0, /* EQ == Z set */
+- 0x0F0F, /* NE */
+- 0xCCCC, /* CS == C set */
+- 0x3333, /* CC */
+- 0xFF00, /* MI == N set */
+- 0x00FF, /* PL */
+- 0xAAAA, /* VS == V set */
+- 0x5555, /* VC */
+- 0x0C0C, /* HI == C set && Z clear */
+- 0xF3F3, /* LS == C clear || Z set */
+- 0xAA55, /* GE == (N==V) */
+- 0x55AA, /* LT == (N!=V) */
+- 0x0A05, /* GT == (!Z && (N==V)) */
+- 0xF5FA, /* LE == (Z || (N!=V)) */
+- 0xFFFF, /* AL always */
+- 0 /* NV */
+-};
+-
+-/*
+- * Check if a trapped instruction should have been executed or not.
+- */
+-bool __hyp_text kvm_condition_valid32(const struct kvm_vcpu *vcpu)
+-{
+- unsigned long cpsr;
+- u32 cpsr_cond;
+- int cond;
+-
+- /* Top two bits non-zero? Unconditional. */
+- if (kvm_vcpu_get_hsr(vcpu) >> 30)
+- return true;
+-
+- /* Is condition field valid? */
+- cond = kvm_vcpu_get_condition(vcpu);
+- if (cond == 0xE)
+- return true;
+-
+- cpsr = *vcpu_cpsr(vcpu);
+-
+- if (cond < 0) {
+- /* This can happen in Thumb mode: examine IT state. */
+- unsigned long it;
+-
+- it = ((cpsr >> 8) & 0xFC) | ((cpsr >> 25) & 0x3);
+-
+- /* it == 0 => unconditional. */
+- if (it == 0)
+- return true;
+-
+- /* The cond for this insn works out as the top 4 bits. */
+- cond = (it >> 4);
+- }
+-
+- cpsr_cond = cpsr >> 28;
+-
+- if (!((cc_map[cond] >> cpsr_cond) & 1))
+- return false;
+-
+- return true;
+-}
+-
+-/**
+- * adjust_itstate - adjust ITSTATE when emulating instructions in IT-block
+- * @vcpu: The VCPU pointer
+- *
+- * When exceptions occur while instructions are executed in Thumb IF-THEN
+- * blocks, the ITSTATE field of the CPSR is not advanced (updated), so we have
+- * to do this little bit of work manually. The fields map like this:
+- *
+- * IT[7:0] -> CPSR[26:25],CPSR[15:10]
+- */
+-static void __hyp_text kvm_adjust_itstate(struct kvm_vcpu *vcpu)
+-{
+- unsigned long itbits, cond;
+- unsigned long cpsr = *vcpu_cpsr(vcpu);
+- bool is_arm = !(cpsr & PSR_AA32_T_BIT);
+-
+- if (is_arm || !(cpsr & PSR_AA32_IT_MASK))
+- return;
+-
+- cond = (cpsr & 0xe000) >> 13;
+- itbits = (cpsr & 0x1c00) >> (10 - 2);
+- itbits |= (cpsr & (0x3 << 25)) >> 25;
+-
+- /* Perform ITAdvance (see page A2-52 in ARM DDI 0406C) */
+- if ((itbits & 0x7) == 0)
+- itbits = cond = 0;
+- else
+- itbits = (itbits << 1) & 0x1f;
+-
+- cpsr &= ~PSR_AA32_IT_MASK;
+- cpsr |= cond << 13;
+- cpsr |= (itbits & 0x1c) << (10 - 2);
+- cpsr |= (itbits & 0x3) << 25;
+- *vcpu_cpsr(vcpu) = cpsr;
+-}
+-
+-/**
+- * kvm_skip_instr - skip a trapped instruction and proceed to the next
+- * @vcpu: The vcpu pointer
+- */
+-void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr)
+-{
+- bool is_thumb;
+-
+- is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT);
+- if (is_thumb && !is_wide_instr)
+- *vcpu_pc(vcpu) += 2;
+- else
+- *vcpu_pc(vcpu) += 4;
+- kvm_adjust_itstate(vcpu);
+-}
+-
+ /*
+ * Table taken from ARMv8 ARM DDI0487B-B, table G1-10.
+ */
+diff --git a/virt/kvm/arm/hyp/aarch32.c b/virt/kvm/arm/hyp/aarch32.c
+new file mode 100644
+index 000000000000..d31f267961e7
+--- /dev/null
++++ b/virt/kvm/arm/hyp/aarch32.c
+@@ -0,0 +1,136 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Hyp portion of the (not much of an) Emulation layer for 32bit guests.
++ *
++ * Copyright (C) 2012,2013 - ARM Ltd
++ * Author: Marc Zyngier <marc.zyngier@arm.com>
++ *
++ * based on arch/arm/kvm/emulate.c
++ * Copyright (C) 2012 - Virtual Open Systems and Columbia University
++ * Author: Christoffer Dall <c.dall@virtualopensystems.com>
++ */
++
++#include <linux/kvm_host.h>
++#include <asm/kvm_emulate.h>
++#include <asm/kvm_hyp.h>
++
++/*
++ * stolen from arch/arm/kernel/opcodes.c
++ *
++ * condition code lookup table
++ * index into the table is test code: EQ, NE, ... LT, GT, AL, NV
++ *
++ * bit position in short is condition code: NZCV
++ */
++static const unsigned short cc_map[16] = {
++ 0xF0F0, /* EQ == Z set */
++ 0x0F0F, /* NE */
++ 0xCCCC, /* CS == C set */
++ 0x3333, /* CC */
++ 0xFF00, /* MI == N set */
++ 0x00FF, /* PL */
++ 0xAAAA, /* VS == V set */
++ 0x5555, /* VC */
++ 0x0C0C, /* HI == C set && Z clear */
++ 0xF3F3, /* LS == C clear || Z set */
++ 0xAA55, /* GE == (N==V) */
++ 0x55AA, /* LT == (N!=V) */
++ 0x0A05, /* GT == (!Z && (N==V)) */
++ 0xF5FA, /* LE == (Z || (N!=V)) */
++ 0xFFFF, /* AL always */
++ 0 /* NV */
++};
++
++/*
++ * Check if a trapped instruction should have been executed or not.
++ */
++bool __hyp_text kvm_condition_valid32(const struct kvm_vcpu *vcpu)
++{
++ unsigned long cpsr;
++ u32 cpsr_cond;
++ int cond;
++
++ /* Top two bits non-zero? Unconditional. */
++ if (kvm_vcpu_get_hsr(vcpu) >> 30)
++ return true;
++
++ /* Is condition field valid? */
++ cond = kvm_vcpu_get_condition(vcpu);
++ if (cond == 0xE)
++ return true;
++
++ cpsr = *vcpu_cpsr(vcpu);
++
++ if (cond < 0) {
++ /* This can happen in Thumb mode: examine IT state. */
++ unsigned long it;
++
++ it = ((cpsr >> 8) & 0xFC) | ((cpsr >> 25) & 0x3);
++
++ /* it == 0 => unconditional. */
++ if (it == 0)
++ return true;
++
++ /* The cond for this insn works out as the top 4 bits. */
++ cond = (it >> 4);
++ }
++
++ cpsr_cond = cpsr >> 28;
++
++ if (!((cc_map[cond] >> cpsr_cond) & 1))
++ return false;
++
++ return true;
++}
++
++/**
++ * adjust_itstate - adjust ITSTATE when emulating instructions in IT-block
++ * @vcpu: The VCPU pointer
++ *
++ * When exceptions occur while instructions are executed in Thumb IF-THEN
++ * blocks, the ITSTATE field of the CPSR is not advanced (updated), so we have
++ * to do this little bit of work manually. The fields map like this:
++ *
++ * IT[7:0] -> CPSR[26:25],CPSR[15:10]
++ */
++static void __hyp_text kvm_adjust_itstate(struct kvm_vcpu *vcpu)
++{
++ unsigned long itbits, cond;
++ unsigned long cpsr = *vcpu_cpsr(vcpu);
++ bool is_arm = !(cpsr & PSR_AA32_T_BIT);
++
++ if (is_arm || !(cpsr & PSR_AA32_IT_MASK))
++ return;
++
++ cond = (cpsr & 0xe000) >> 13;
++ itbits = (cpsr & 0x1c00) >> (10 - 2);
++ itbits |= (cpsr & (0x3 << 25)) >> 25;
++
++ /* Perform ITAdvance (see page A2-52 in ARM DDI 0406C) */
++ if ((itbits & 0x7) == 0)
++ itbits = cond = 0;
++ else
++ itbits = (itbits << 1) & 0x1f;
++
++ cpsr &= ~PSR_AA32_IT_MASK;
++ cpsr |= cond << 13;
++ cpsr |= (itbits & 0x1c) << (10 - 2);
++ cpsr |= (itbits & 0x3) << 25;
++ *vcpu_cpsr(vcpu) = cpsr;
++}
++
++/**
++ * kvm_skip_instr - skip a trapped instruction and proceed to the next
++ * @vcpu: The vcpu pointer
++ */
++void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr)
++{
++ bool is_thumb;
++
++ is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT);
++ if (is_thumb && !is_wide_instr)
++ *vcpu_pc(vcpu) += 2;
++ else
++ *vcpu_pc(vcpu) += 4;
++ kvm_adjust_itstate(vcpu);
++}
+--
+2.20.1
+
--- /dev/null
+From 82ec14e4f731f48f279459f210c214e92bc120f3 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 24 May 2019 16:06:23 +0200
+Subject: KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
+
+[ Upstream commit 19ec166c3f39fe1d3789888a74cc95544ac266d4 ]
+
+kselftests exposed a problem in the s390 handling for memory slots.
+Right now we only do proper memory slot handling for creation of new
+memory slots. Neither MOVE, nor DELETION are handled properly. Let us
+implement those.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/kvm-s390.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index f538e3fac7ad..fc7de27960e7 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -4156,21 +4156,28 @@ void kvm_arch_commit_memory_region(struct kvm *kvm,
+ const struct kvm_memory_slot *new,
+ enum kvm_mr_change change)
+ {
+- int rc;
+-
+- /* If the basics of the memslot do not change, we do not want
+- * to update the gmap. Every update causes several unnecessary
+- * segment translation exceptions. This is usually handled just
+- * fine by the normal fault handler + gmap, but it will also
+- * cause faults on the prefix page of running guest CPUs.
+- */
+- if (old->userspace_addr == mem->userspace_addr &&
+- old->base_gfn * PAGE_SIZE == mem->guest_phys_addr &&
+- old->npages * PAGE_SIZE == mem->memory_size)
+- return;
++ int rc = 0;
+
+- rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,
+- mem->guest_phys_addr, mem->memory_size);
++ switch (change) {
++ case KVM_MR_DELETE:
++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,
++ old->npages * PAGE_SIZE);
++ break;
++ case KVM_MR_MOVE:
++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,
++ old->npages * PAGE_SIZE);
++ if (rc)
++ break;
++ /* FALLTHROUGH */
++ case KVM_MR_CREATE:
++ rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,
++ mem->guest_phys_addr, mem->memory_size);
++ break;
++ case KVM_MR_FLAGS_ONLY:
++ break;
++ default:
++ WARN(1, "Unknown KVM MR CHANGE: %d\n", change);
++ }
+ if (rc)
+ pr_warn("failed to commit memory region\n");
+ return;
+--
+2.20.1
+
--- /dev/null
+From 5a3b25545d1dd31e8b1e84d7c2dd0a849c949542 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 May 2019 17:34:30 +0200
+Subject: KVM: x86/pmu: do not mask the value that is written to fixed PMUs
+
+[ Upstream commit 2924b52117b2812e9633d5ea337333299166d373 ]
+
+According to the SDM, for MSR_IA32_PERFCTR0/1 "the lower-order 32 bits of
+each MSR may be written with any value, and the high-order 8 bits are
+sign-extended according to the value of bit 31", but the fixed counters
+in real hardware are limited to the width of the fixed counters ("bits
+beyond the width of the fixed-function counter are reserved and must be
+written as zeros"). Fix KVM to do the same.
+
+Reported-by: Nadav Amit <nadav.amit@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/pmu_intel.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c
+index ad7ea81fbfbf..c3f103e2b08e 100644
+--- a/arch/x86/kvm/pmu_intel.c
++++ b/arch/x86/kvm/pmu_intel.c
+@@ -240,11 +240,14 @@ static int intel_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ }
+ break;
+ default:
+- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) ||
+- (pmc = get_fixed_pmc(pmu, msr))) {
+- if (!msr_info->host_initiated)
+- data = (s64)(s32)data;
+- pmc->counter += data - pmc_read_counter(pmc);
++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) {
++ if (msr_info->host_initiated)
++ pmc->counter = data;
++ else
++ pmc->counter = (s32)data;
++ return 0;
++ } else if ((pmc = get_fixed_pmc(pmu, msr))) {
++ pmc->counter = data;
+ return 0;
+ } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) {
+ if (data == pmc->eventsel)
+--
+2.20.1
+
--- /dev/null
+From be536c2e23dc305f7ac01a9474b170bafa6ed761 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 May 2019 17:20:40 +0200
+Subject: KVM: x86/pmu: mask the result of rdpmc according to the width of the
+ counters
+
+[ Upstream commit 0e6f467ee28ec97f68c7b74e35ec1601bb1368a7 ]
+
+This patch will simplify the changes in the next, by enforcing the
+masking of the counters to RDPMC and RDMSR.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/pmu.c | 10 +++-------
+ arch/x86/kvm/pmu.h | 3 ++-
+ arch/x86/kvm/pmu_amd.c | 2 +-
+ arch/x86/kvm/pmu_intel.c | 13 +++++++++----
+ 4 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c
+index 58ead7db71a3..952aebd0a8a3 100644
+--- a/arch/x86/kvm/pmu.c
++++ b/arch/x86/kvm/pmu.c
+@@ -282,20 +282,16 @@ int kvm_pmu_rdpmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *data)
+ {
+ bool fast_mode = idx & (1u << 31);
+ struct kvm_pmc *pmc;
+- u64 ctr_val;
++ u64 mask = fast_mode ? ~0u : ~0ull;
+
+ if (is_vmware_backdoor_pmc(idx))
+ return kvm_pmu_rdpmc_vmware(vcpu, idx, data);
+
+- pmc = kvm_x86_ops->pmu_ops->msr_idx_to_pmc(vcpu, idx);
++ pmc = kvm_x86_ops->pmu_ops->msr_idx_to_pmc(vcpu, idx, &mask);
+ if (!pmc)
+ return 1;
+
+- ctr_val = pmc_read_counter(pmc);
+- if (fast_mode)
+- ctr_val = (u32)ctr_val;
+-
+- *data = ctr_val;
++ *data = pmc_read_counter(pmc) & mask;
+ return 0;
+ }
+
+diff --git a/arch/x86/kvm/pmu.h b/arch/x86/kvm/pmu.h
+index ba8898e1a854..22dff661145a 100644
+--- a/arch/x86/kvm/pmu.h
++++ b/arch/x86/kvm/pmu.h
+@@ -25,7 +25,8 @@ struct kvm_pmu_ops {
+ unsigned (*find_fixed_event)(int idx);
+ bool (*pmc_is_enabled)(struct kvm_pmc *pmc);
+ struct kvm_pmc *(*pmc_idx_to_pmc)(struct kvm_pmu *pmu, int pmc_idx);
+- struct kvm_pmc *(*msr_idx_to_pmc)(struct kvm_vcpu *vcpu, unsigned idx);
++ struct kvm_pmc *(*msr_idx_to_pmc)(struct kvm_vcpu *vcpu, unsigned idx,
++ u64 *mask);
+ int (*is_valid_msr_idx)(struct kvm_vcpu *vcpu, unsigned idx);
+ bool (*is_valid_msr)(struct kvm_vcpu *vcpu, u32 msr);
+ int (*get_msr)(struct kvm_vcpu *vcpu, u32 msr, u64 *data);
+diff --git a/arch/x86/kvm/pmu_amd.c b/arch/x86/kvm/pmu_amd.c
+index 1495a735b38e..41dff881e0f0 100644
+--- a/arch/x86/kvm/pmu_amd.c
++++ b/arch/x86/kvm/pmu_amd.c
+@@ -186,7 +186,7 @@ static int amd_is_valid_msr_idx(struct kvm_vcpu *vcpu, unsigned idx)
+ }
+
+ /* idx is the ECX register of RDPMC instruction */
+-static struct kvm_pmc *amd_msr_idx_to_pmc(struct kvm_vcpu *vcpu, unsigned idx)
++static struct kvm_pmc *amd_msr_idx_to_pmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *mask)
+ {
+ struct kvm_pmu *pmu = vcpu_to_pmu(vcpu);
+ struct kvm_pmc *counters;
+diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c
+index 5ab4a364348e..ad7ea81fbfbf 100644
+--- a/arch/x86/kvm/pmu_intel.c
++++ b/arch/x86/kvm/pmu_intel.c
+@@ -126,7 +126,7 @@ static int intel_is_valid_msr_idx(struct kvm_vcpu *vcpu, unsigned idx)
+ }
+
+ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu,
+- unsigned idx)
++ unsigned idx, u64 *mask)
+ {
+ struct kvm_pmu *pmu = vcpu_to_pmu(vcpu);
+ bool fixed = idx & (1u << 30);
+@@ -138,6 +138,7 @@ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu,
+ if (fixed && idx >= pmu->nr_arch_fixed_counters)
+ return NULL;
+ counters = fixed ? pmu->fixed_counters : pmu->gp_counters;
++ *mask &= pmu->counter_bitmask[fixed ? KVM_PMC_FIXED : KVM_PMC_GP];
+
+ return &counters[idx];
+ }
+@@ -183,9 +184,13 @@ static int intel_pmu_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *data)
+ *data = pmu->global_ovf_ctrl;
+ return 0;
+ default:
+- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) ||
+- (pmc = get_fixed_pmc(pmu, msr))) {
+- *data = pmc_read_counter(pmc);
++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) {
++ u64 val = pmc_read_counter(pmc);
++ *data = val & pmu->counter_bitmask[KVM_PMC_GP];
++ return 0;
++ } else if ((pmc = get_fixed_pmc(pmu, msr))) {
++ u64 val = pmc_read_counter(pmc);
++ *data = val & pmu->counter_bitmask[KVM_PMC_FIXED];
+ return 0;
+ } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) {
+ *data = pmc->eventsel;
+--
+2.20.1
+
--- /dev/null
+From 41e8d47b09252207bf56043648fe3910974dea70 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Thu, 16 May 2019 12:04:53 -0400
+Subject: libnvdimm: Fix compilation warnings with W=1
+
+[ Upstream commit c01dafad77fea8d64c4fdca0a6031c980842ad65 ]
+
+Several places (dimm_devs.c, core.c etc) include label.h but only
+label.c uses NSINDEX_SIGNATURE, so move its definition to label.c
+instead.
+
+In file included from drivers/nvdimm/dimm_devs.c:23:
+drivers/nvdimm/label.h:41:19: warning: 'NSINDEX_SIGNATURE' defined but
+not used [-Wunused-const-variable=]
+
+Also, some places abuse "/**" which is only reserved for the kernel-doc.
+
+drivers/nvdimm/bus.c:648: warning: cannot understand function prototype:
+'struct attribute_group nd_device_attribute_group = '
+drivers/nvdimm/bus.c:677: warning: cannot understand function prototype:
+'struct attribute_group nd_numa_attribute_group = '
+
+Those are just some member assignments for the "struct attribute_group"
+instances and it can't be expressed in the kernel-doc.
+
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/bus.c | 4 ++--
+ drivers/nvdimm/label.c | 2 ++
+ drivers/nvdimm/label.h | 2 --
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
+index 9148015ed803..a3132a9eb91c 100644
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -612,7 +612,7 @@ static struct attribute *nd_device_attributes[] = {
+ NULL,
+ };
+
+-/**
++/*
+ * nd_device_attribute_group - generic attributes for all devices on an nd bus
+ */
+ struct attribute_group nd_device_attribute_group = {
+@@ -641,7 +641,7 @@ static umode_t nd_numa_attr_visible(struct kobject *kobj, struct attribute *a,
+ return a->mode;
+ }
+
+-/**
++/*
+ * nd_numa_attribute_group - NUMA attributes for all devices on an nd bus
+ */
+ struct attribute_group nd_numa_attribute_group = {
+diff --git a/drivers/nvdimm/label.c b/drivers/nvdimm/label.c
+index 452ad379ed70..9f1b7e3153f9 100644
+--- a/drivers/nvdimm/label.c
++++ b/drivers/nvdimm/label.c
+@@ -25,6 +25,8 @@ static guid_t nvdimm_btt2_guid;
+ static guid_t nvdimm_pfn_guid;
+ static guid_t nvdimm_dax_guid;
+
++static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0";
++
+ static u32 best_seq(u32 a, u32 b)
+ {
+ a &= NSINDEX_SEQ_MASK;
+diff --git a/drivers/nvdimm/label.h b/drivers/nvdimm/label.h
+index 18bbe183b3a9..52f9fcada00a 100644
+--- a/drivers/nvdimm/label.h
++++ b/drivers/nvdimm/label.h
+@@ -38,8 +38,6 @@ enum {
+ ND_NSINDEX_INIT = 0x1,
+ };
+
+-static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0";
+-
+ /**
+ * struct nd_namespace_index - label set superblock
+ * @sig: NAMESPACE_INDEX\0
+--
+2.20.1
+
--- /dev/null
+From 44482a7804dd9efd6ecc64b2ed3ad3f8523218d1 Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Thu, 16 May 2019 19:30:07 -0700
+Subject: nvme: fix memory leak for power latency tolerance
+
+[ Upstream commit 510a405d945bc985abc513fafe45890cac34fafa ]
+
+Unconditionally hide device pm latency tolerance when uninitializing
+the controller to ensure all qos resources are released so that we're
+not leaking this memory. This is safe to call if none were allocated in
+the first place, or were previously freed.
+
+Fixes: c5552fde102fc("nvme: Enable autonomous power state transitions")
+Suggested-by: Keith Busch <keith.busch@intel.com>
+Tested-by: David Milburn <dmilburn@redhat.com>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+[changelog]
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 818788275406..a867a139bb35 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3525,6 +3525,7 @@ EXPORT_SYMBOL_GPL(nvme_start_ctrl);
+
+ void nvme_uninit_ctrl(struct nvme_ctrl *ctrl)
+ {
++ dev_pm_qos_hide_latency_tolerance(ctrl->device);
+ cdev_device_del(&ctrl->cdev, ctrl->device);
+ }
+ EXPORT_SYMBOL_GPL(nvme_uninit_ctrl);
+--
+2.20.1
+
--- /dev/null
+From 68cc7e87c5bd34b5024a7ee52694cd054aec1575 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 17 May 2019 02:47:33 -0700
+Subject: nvme: fix srcu locking on error return in nvme_get_ns_from_disk
+
+[ Upstream commit 100c815cbd56480b3e31518475b04719c363614a ]
+
+If we can't get a namespace don't leak the SRCU lock. nvme_ioctl was
+working around this, but nvme_pr_command wasn't handling this properly.
+Just do what callers would usually expect.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index abfb46378cc1..44d8077fbe95 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1277,9 +1277,14 @@ static struct nvme_ns *nvme_get_ns_from_disk(struct gendisk *disk,
+ {
+ #ifdef CONFIG_NVME_MULTIPATH
+ if (disk->fops == &nvme_ns_head_ops) {
++ struct nvme_ns *ns;
++
+ *head = disk->private_data;
+ *srcu_idx = srcu_read_lock(&(*head)->srcu);
+- return nvme_find_path(*head);
++ ns = nvme_find_path(*head);
++ if (!ns)
++ srcu_read_unlock(&(*head)->srcu, *srcu_idx);
++ return ns;
+ }
+ #endif
+ *head = NULL;
+@@ -1326,9 +1331,9 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+
+ ns = nvme_get_ns_from_disk(bdev->bd_disk, &head, &srcu_idx);
+ if (unlikely(!ns))
+- ret = -EWOULDBLOCK;
+- else
+- ret = nvme_ns_ioctl(ns, cmd, arg);
++ return -EWOULDBLOCK;
++
++ ret = nvme_ns_ioctl(ns, cmd, arg);
+ nvme_put_ns_from_disk(head, srcu_idx);
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 827bde44e79a6f06b93c46c803ee953cfc8f90b5 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 17 May 2019 02:47:35 -0700
+Subject: nvme: merge nvme_ns_ioctl into nvme_ioctl
+
+[ Upstream commit 90ec611adcf20b96d0c2b7166497d53e4301a57f ]
+
+Merge the two functions to make future changes a little easier.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 47 ++++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 1cdfea3c094a..82f5f1d030d4 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1298,32 +1298,11 @@ static void nvme_put_ns_from_disk(struct nvme_ns_head *head, int idx)
+ srcu_read_unlock(&head->srcu, idx);
+ }
+
+-static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned cmd, unsigned long arg)
+-{
+- switch (cmd) {
+- case NVME_IOCTL_ID:
+- force_successful_syscall_return();
+- return ns->head->ns_id;
+- case NVME_IOCTL_ADMIN_CMD:
+- return nvme_user_cmd(ns->ctrl, NULL, (void __user *)arg);
+- case NVME_IOCTL_IO_CMD:
+- return nvme_user_cmd(ns->ctrl, ns, (void __user *)arg);
+- case NVME_IOCTL_SUBMIT_IO:
+- return nvme_submit_io(ns, (void __user *)arg);
+- default:
+- if (ns->ndev)
+- return nvme_nvm_ioctl(ns, cmd, arg);
+- if (is_sed_ioctl(cmd))
+- return sed_ioctl(ns->ctrl->opal_dev, cmd,
+- (void __user *) arg);
+- return -ENOTTY;
+- }
+-}
+-
+ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct nvme_ns_head *head = NULL;
++ void __user *argp = (void __user *)arg;
+ struct nvme_ns *ns;
+ int srcu_idx, ret;
+
+@@ -1331,7 +1310,29 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ if (unlikely(!ns))
+ return -EWOULDBLOCK;
+
+- ret = nvme_ns_ioctl(ns, cmd, arg);
++ switch (cmd) {
++ case NVME_IOCTL_ID:
++ force_successful_syscall_return();
++ ret = ns->head->ns_id;
++ break;
++ case NVME_IOCTL_ADMIN_CMD:
++ ret = nvme_user_cmd(ns->ctrl, NULL, argp);
++ break;
++ case NVME_IOCTL_IO_CMD:
++ ret = nvme_user_cmd(ns->ctrl, ns, argp);
++ break;
++ case NVME_IOCTL_SUBMIT_IO:
++ ret = nvme_submit_io(ns, argp);
++ break;
++ default:
++ if (ns->ndev)
++ ret = nvme_nvm_ioctl(ns, cmd, arg);
++ else if (is_sed_ioctl(cmd))
++ ret = sed_ioctl(ns->ctrl->opal_dev, cmd, argp);
++ else
++ ret = -ENOTTY;
++ }
++
+ nvme_put_ns_from_disk(head, srcu_idx);
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From db251685664dd1cf36456732d5372b31b0f69d12 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 17 May 2019 11:47:36 +0200
+Subject: nvme: release namespace SRCU protection before performing controller
+ ioctls
+
+[ Upstream commit 5fb4aac756acacf260b9ebd88747251effa3a2f2 ]
+
+Holding the SRCU critical section protecting the namespace list can
+cause deadlocks when using the per-namespace admin passthrough ioctl to
+delete as namespace. Release it earlier when performing per-controller
+ioctls to avoid that.
+
+Reported-by: Kenneth Heitke <kenneth.heitke@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 82f5f1d030d4..818788275406 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1310,14 +1310,31 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ if (unlikely(!ns))
+ return -EWOULDBLOCK;
+
++ /*
++ * Handle ioctls that apply to the controller instead of the namespace
++ * seperately and drop the ns SRCU reference early. This avoids a
++ * deadlock when deleting namespaces using the passthrough interface.
++ */
++ if (cmd == NVME_IOCTL_ADMIN_CMD || is_sed_ioctl(cmd)) {
++ struct nvme_ctrl *ctrl = ns->ctrl;
++
++ nvme_get_ctrl(ns->ctrl);
++ nvme_put_ns_from_disk(head, srcu_idx);
++
++ if (cmd == NVME_IOCTL_ADMIN_CMD)
++ ret = nvme_user_cmd(ctrl, NULL, argp);
++ else
++ ret = sed_ioctl(ctrl->opal_dev, cmd, argp);
++
++ nvme_put_ctrl(ctrl);
++ return ret;
++ }
++
+ switch (cmd) {
+ case NVME_IOCTL_ID:
+ force_successful_syscall_return();
+ ret = ns->head->ns_id;
+ break;
+- case NVME_IOCTL_ADMIN_CMD:
+- ret = nvme_user_cmd(ns->ctrl, NULL, argp);
+- break;
+ case NVME_IOCTL_IO_CMD:
+ ret = nvme_user_cmd(ns->ctrl, ns, argp);
+ break;
+@@ -1327,8 +1344,6 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ default:
+ if (ns->ndev)
+ ret = nvme_nvm_ioctl(ns, cmd, arg);
+- else if (is_sed_ioctl(cmd))
+- ret = sed_ioctl(ns->ctrl->opal_dev, cmd, argp);
+ else
+ ret = -ENOTTY;
+ }
+--
+2.20.1
+
--- /dev/null
+From 570323416a8877caf51536e15e3b2c62856937eb Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 17 May 2019 02:47:34 -0700
+Subject: nvme: remove the ifdef around nvme_nvm_ioctl
+
+[ Upstream commit 3f98bcc58cd5f1e4668db289dcab771874cc0920 ]
+
+We already have a proper stub if lightnvm is not enabled, so don't bother
+with the ifdef.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 44d8077fbe95..1cdfea3c094a 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1311,10 +1311,8 @@ static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned cmd, unsigned long arg)
+ case NVME_IOCTL_SUBMIT_IO:
+ return nvme_submit_io(ns, (void __user *)arg);
+ default:
+-#ifdef CONFIG_NVM
+ if (ns->ndev)
+ return nvme_nvm_ioctl(ns, cmd, arg);
+-#endif
+ if (is_sed_ioctl(cmd))
+ return sed_ioctl(ns->ctrl->opal_dev, cmd,
+ (void __user *) arg);
+--
+2.20.1
+
--- /dev/null
+From b96e67bd55410412b12999b87d7ef8b666b109af Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 29 Apr 2019 17:01:35 +0200
+Subject: platform/x86: pmc_atom: Add Lex 3I380D industrial PC to
+ critclk_systems DMI table
+
+[ Upstream commit 3d0818f5eba80fbe4c0addbfe6ddb2d19dc82cd4 ]
+
+The Lex 3I380D industrial PC has 4 ethernet controllers on board
+which need pmc_plt_clk0 - 3 to function, add it to the critclk_systems
+DMI table, so that drivers/clk/x86/clk-pmc-atom.c will mark the clocks
+as CLK_CRITICAL and they will not get turned off.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Reported-and-tested-by: Semyon Verchenko <semverchenko@factor-ts.ru>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pmc_atom.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index c7039f52ad51..a311f48ce7c9 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -398,12 +398,21 @@ static int pmc_dbgfs_register(struct pmc_dev *pmc)
+ */
+ static const struct dmi_system_id critclk_systems[] = {
+ {
++ /* pmc_plt_clk0 is used for an external HSIC USB HUB */
+ .ident = "MPL CEC1x",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MPL AG"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "CEC10 Family"),
+ },
+ },
++ {
++ /* pmc_plt_clk0 - 3 are used for the 4 ethernet controllers */
++ .ident = "Lex 3I380D",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Lex BayTrail"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"),
++ },
++ },
+ { /*sentinel*/ }
+ };
+
+--
+2.20.1
+
--- /dev/null
+From a0263cb5a140a118c38e1b9591ddc68c8c09fdbd Mon Sep 17 00:00:00 2001
+From: Steffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
+Date: Thu, 2 May 2019 15:03:51 +0200
+Subject: platform/x86: pmc_atom: Add several Beckhoff Automation boards to
+ critclk_systems DMI table
+
+[ Upstream commit d6423bd03031c020121da26c41a26bd5cc6d0da3 ]
+
+There are several Beckhoff Automation industrial PC boards which use
+pmc_plt_clk* clocks for ethernet controllers. This adds affected boards
+to critclk_systems DMI table so the clocks are marked as CLK_CRITICAL and
+not turned off.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Signed-off-by: Steffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pmc_atom.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index a311f48ce7c9..b1d804376237 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -413,6 +413,30 @@ static const struct dmi_system_id critclk_systems[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"),
+ },
+ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB3163",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB3163"),
++ },
++ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB6263",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB6263"),
++ },
++ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB6363",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB6363"),
++ },
++ },
+ { /*sentinel*/ }
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 207b3c11e76dcbffe76539c6a1fb24df126e7eae Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 11 Apr 2019 19:58:32 +0200
+Subject: Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
+
+[ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ]
+
+This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32.
+
+The fix attempt was incorrect, leading to the mutex deadlock through
+the close of OSS sequencer client. The proper fix needs more
+consideration, so let's revert it now.
+
+Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
+Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 37312a3ae60f..f59e13c1d84a 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2337,19 +2337,14 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
+- int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd) {
+- mutex_lock(&client->ioctl_mutex);
+- err = handler->func(client, arg);
+- mutex_unlock(&client->ioctl_mutex);
+- return err;
+- }
++ if (handler->cmd == cmd)
++ return handler->func(client, arg);
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
--- /dev/null
+From 8ddc768af39a1e298e2ac61868319052e22f28da Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 23 Apr 2019 15:36:36 +0200
+Subject: s390/kasan: fix strncpy_from_user kasan checks
+
+[ Upstream commit 01eb42afb45719cb41bb32c278e068073738899d ]
+
+arch/s390/lib/uaccess.c is built without kasan instrumentation. Kasan
+checks are performed explicitly in copy_from_user/copy_to_user
+functions. But since those functions could be inlined, calls from
+files like uaccess.c with instrumentation disabled won't generate
+kasan reports. This is currently the case with strncpy_from_user
+function which was revealed by newly added kasan test. Avoid inlining of
+copy_from_user/copy_to_user when the kernel is built with kasan support
+to make sure kasan checks are fully functional.
+
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/uaccess.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
+index ad6b91013a05..5332f628c1ed 100644
+--- a/arch/s390/include/asm/uaccess.h
++++ b/arch/s390/include/asm/uaccess.h
+@@ -56,8 +56,10 @@ raw_copy_from_user(void *to, const void __user *from, unsigned long n);
+ unsigned long __must_check
+ raw_copy_to_user(void __user *to, const void *from, unsigned long n);
+
++#ifndef CONFIG_KASAN
+ #define INLINE_COPY_FROM_USER
+ #define INLINE_COPY_TO_USER
++#endif
+
+ #ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
+
+--
+2.20.1
+
--- /dev/null
+From 6ed90c1dc28f933d20470d51258b3b3445fc5c18 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 4 May 2019 17:48:29 +0100
+Subject: scsi: bnx2fc: fix incorrect cast to u64 on shift operation
+
+[ Upstream commit d0c0d902339249c75da85fd9257a86cbb98dfaa5 ]
+
+Currently an int is being shifted and the result is being cast to a u64
+which leads to undefined behaviour if the shift is more than 31 bits. Fix
+this by casting the integer value 1 to u64 before the shift operation.
+
+Addresses-Coverity: ("Bad shift operation")
+Fixes: 7b594769120b ("[SCSI] bnx2fc: Handle REC_TOV error code from firmware")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bnx2fc/bnx2fc_hwi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+index e8ae4d671d23..097305949a95 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+@@ -830,7 +830,7 @@ ret_err_rqe:
+ ((u64)err_entry->data.err_warn_bitmap_hi << 32) |
+ (u64)err_entry->data.err_warn_bitmap_lo;
+ for (i = 0; i < BNX2FC_NUM_ERR_BITS; i++) {
+- if (err_warn_bit_map & (u64) (1 << i)) {
++ if (err_warn_bit_map & ((u64)1 << i)) {
+ err_warn = i;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 8e801179e64f5e636bf838292db11f99c5b46279 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Mon, 6 May 2019 17:26:49 -0700
+Subject: scsi: lpfc: add check for loss of ndlp when sending RRQ
+
+[ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ]
+
+There was a missing qualification of a valid ndlp structure when calling to
+send an RRQ for an abort. Add the check.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Tested-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 0d214e6b8e9a..f3c6801c0b31 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7094,7 +7094,10 @@ int
+ lpfc_send_rrq(struct lpfc_hba *phba, struct lpfc_node_rrq *rrq)
+ {
+ struct lpfc_nodelist *ndlp = lpfc_findnode_did(rrq->vport,
+- rrq->nlp_DID);
++ rrq->nlp_DID);
++ if (!ndlp)
++ return 1;
++
+ if (lpfc_test_rrq_active(phba, ndlp, rrq->xritag))
+ return lpfc_issue_els_rrq(rrq->vport, ndlp,
+ rrq->nlp_DID, rrq);
+--
+2.20.1
+
--- /dev/null
+From 6a792491bfc8b9183ae4746b3b520803e88004ca Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Mon, 6 May 2019 17:26:48 -0700
+Subject: scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show
+
+[ Upstream commit 79080d349f7f58a2e86c56043a3d04184d5f294a ]
+
+Many of the exit cases were not releasing the rcu read lock. Corrected the
+exit paths.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Tested-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index cb19b12e7211..55cd96e2469c 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -341,7 +341,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ phba->sli4_hba.scsi_xri_max,
+ lpfc_sli4_get_els_iocb_cnt(phba));
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ /* Port state is only one of two values for now. */
+ if (localport->port_id)
+@@ -357,7 +357,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ wwn_to_u64(vport->fc_nodename.u.wwn),
+ localport->port_id, statep);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
+ nrport = NULL;
+@@ -384,39 +384,39 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+
+ /* Tab in to show lport ownership. */
+ if (strlcat(buf, "NVME RPORT ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ if (phba->brd_no >= 10) {
+ if (strlcat(buf, " ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+
+ scnprintf(tmp, sizeof(tmp), "WWPN x%llx ",
+ nrport->port_name);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ scnprintf(tmp, sizeof(tmp), "WWNN x%llx ",
+ nrport->node_name);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ scnprintf(tmp, sizeof(tmp), "DID x%06x ",
+ nrport->port_id);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ /* An NVME rport can have multiple roles. */
+ if (nrport->port_role & FC_PORT_ROLE_NVME_INITIATOR) {
+ if (strlcat(buf, "INITIATOR ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & FC_PORT_ROLE_NVME_TARGET) {
+ if (strlcat(buf, "TARGET ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & FC_PORT_ROLE_NVME_DISCOVERY) {
+ if (strlcat(buf, "DISCSRVC ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & ~(FC_PORT_ROLE_NVME_INITIATOR |
+ FC_PORT_ROLE_NVME_TARGET |
+@@ -424,12 +424,12 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ scnprintf(tmp, sizeof(tmp), "UNKNOWN ROLE x%x",
+ nrport->port_role);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+
+ scnprintf(tmp, sizeof(tmp), "%s\n", statep);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ rcu_read_unlock();
+
+@@ -491,7 +491,13 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ atomic_read(&lport->cmpl_fcp_err));
+ strlcat(buf, tmp, PAGE_SIZE);
+
+-buffer_done:
++ /* RCU is already unlocked. */
++ goto buffer_done;
++
++ rcu_unlock_buf_done:
++ rcu_read_unlock();
++
++ buffer_done:
+ len = strnlen(buf, PAGE_SIZE);
+
+ if (unlikely(len >= (PAGE_SIZE - 1))) {
+--
+2.20.1
+
--- /dev/null
+From d1d5c55990f64799c6e62970b2acbe654000b94d Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 20 Apr 2019 12:05:54 +0800
+Subject: scsi: qedi: remove memset/memcpy to nfunc and use func instead
+
+[ Upstream commit c09581a52765a85f19fc35340127396d5e3379cc ]
+
+KASAN reports this:
+
+BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi]
+Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429
+
+CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x1c4/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ memcpy+0x1f/0x50 mm/kasan/common.c:130
+ qedi_dbg_err+0xda/0x330 [qedi]
+ ? 0xffffffffc12d0000
+ qedi_init+0x118/0x1000 [qedi]
+ ? 0xffffffffc12d0000
+ ? 0xffffffffc12d0000
+ ? 0xffffffffc12d0000
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
+RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc
+R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
+
+The buggy address belongs to the variable:
+ __func__.67584+0x0/0xffffffffffffd520 [qedi]
+
+Memory state around the buggy address:
+ ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
+ ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa
+> ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa
+ ^
+ ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa
+ ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa
+
+Currently the qedi_dbg_* family of functions can overrun the end of the
+source string if it is less than the destination buffer length because of
+the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc
+and just use func instead as it is always a null terminated string.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_dbg.c | 32 ++++++++------------------------
+ 1 file changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_dbg.c b/drivers/scsi/qedi/qedi_dbg.c
+index 8fd28b056f73..3383314a3882 100644
+--- a/drivers/scsi/qedi/qedi_dbg.c
++++ b/drivers/scsi/qedi/qedi_dbg.c
+@@ -16,10 +16,6 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -28,9 +24,9 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_err("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_err("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_err("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ va_end(va);
+ }
+@@ -41,10 +37,6 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -56,9 +48,9 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_warn("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_warn("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_warn("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+@@ -70,10 +62,6 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -85,10 +73,10 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_notice("[%s]:[%s:%d]:%d: %pV",
+- dev_name(&qedi->pdev->dev), nfunc, line,
++ dev_name(&qedi->pdev->dev), func, line,
+ qedi->host_no, &vaf);
+ else
+- pr_notice("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_notice("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+@@ -100,10 +88,6 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -115,9 +99,9 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_info("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_info("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_info("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+--
+2.20.1
+
--- /dev/null
+From 7c35678757e7fc8f176e2b1dcfc4540a1c1a9b51 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 24 Apr 2019 16:02:56 +0800
+Subject: scsi: qedi: remove set but not used variables 'cdev' and 'udev'
+
+[ Upstream commit d0adee5d12752256ff0c87ad7f002f21fe49d618 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/scsi/qedi/qedi_iscsi.c: In function 'qedi_ep_connect':
+drivers/scsi/qedi/qedi_iscsi.c:813:23: warning: variable 'udev' set but not used [-Wunused-but-set-variable]
+drivers/scsi/qedi/qedi_iscsi.c:812:18: warning: variable 'cdev' set but not used [-Wunused-but-set-variable]
+
+These have never been used since introduction.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_iscsi.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index 4130b9117055..1b7049dce169 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -810,8 +810,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+ struct qedi_endpoint *qedi_ep;
+ struct sockaddr_in *addr;
+ struct sockaddr_in6 *addr6;
+- struct qed_dev *cdev = NULL;
+- struct qedi_uio_dev *udev = NULL;
+ struct iscsi_path path_req;
+ u32 msg_type = ISCSI_KEVENT_IF_DOWN;
+ u32 iscsi_cid = QEDI_CID_RESERVED;
+@@ -831,8 +829,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+ }
+
+ qedi = iscsi_host_priv(shost);
+- cdev = qedi->cdev;
+- udev = qedi->udev;
+
+ if (test_bit(QEDI_IN_OFFLINE, &qedi->flags) ||
+ test_bit(QEDI_IN_RECOVERY, &qedi->flags)) {
+--
+2.20.1
+
--- /dev/null
+From e1ba3caabf9c9f2484bdeb846e7d8ade5244e98f Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 20 May 2019 12:36:54 +0800
+Subject: selftests: fib_rule_tests: fix local IPv4 address typo
+
+[ Upstream commit fc82d93e57e3d41f79eff19031588b262fc3d0b6 ]
+
+The IPv4 testing address are all in 192.51.100.0 subnet. It doesn't make
+sense to set a 198.51.100.1 local address. Should be a typo.
+
+Fixes: 65b2b4939a64 ("selftests: net: initial fib rule tests")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib_rule_tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/fib_rule_tests.sh b/tools/testing/selftests/net/fib_rule_tests.sh
+index d84193bdc307..dbd90ca73e44 100755
+--- a/tools/testing/selftests/net/fib_rule_tests.sh
++++ b/tools/testing/selftests/net/fib_rule_tests.sh
+@@ -55,7 +55,7 @@ setup()
+
+ $IP link add dummy0 type dummy
+ $IP link set dev dummy0 up
+- $IP address add 198.51.100.1/24 dev dummy0
++ $IP address add 192.51.100.1/24 dev dummy0
+ $IP -6 address add 2001:db8:1::1/64 dev dummy0
+
+ set +e
+--
+2.20.1
+
--- /dev/null
+From 41cf3b1a9e952a695b93478a1fae39f53fc2cf35 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 20 May 2019 15:37:49 -0700
+Subject: selftests/timers: Add missing fflush(stdout) calls
+
+[ Upstream commit fe48319243a626c860fd666ca032daacc2ba84a5 ]
+
+When running under a pipe, some timer tests would not report output in
+real-time because stdout flushes were missing after printf()s that lacked
+a newline. This adds them to restore real-time status output that humans
+can enjoy.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/timers/adjtick.c | 1 +
+ tools/testing/selftests/timers/leapcrash.c | 1 +
+ tools/testing/selftests/timers/mqueue-lat.c | 1 +
+ tools/testing/selftests/timers/nanosleep.c | 1 +
+ tools/testing/selftests/timers/nsleep-lat.c | 1 +
+ tools/testing/selftests/timers/raw_skew.c | 1 +
+ tools/testing/selftests/timers/set-tai.c | 1 +
+ tools/testing/selftests/timers/set-tz.c | 2 ++
+ tools/testing/selftests/timers/threadtest.c | 1 +
+ tools/testing/selftests/timers/valid-adjtimex.c | 2 ++
+ 10 files changed, 12 insertions(+)
+
+diff --git a/tools/testing/selftests/timers/adjtick.c b/tools/testing/selftests/timers/adjtick.c
+index 0caca3a06bd2..54d8d87f36b3 100644
+--- a/tools/testing/selftests/timers/adjtick.c
++++ b/tools/testing/selftests/timers/adjtick.c
+@@ -136,6 +136,7 @@ int check_tick_adj(long tickval)
+
+ eppm = get_ppm_drift();
+ printf("%lld usec, %lld ppm", systick + (systick * eppm / MILLION), eppm);
++ fflush(stdout);
+
+ tx1.modes = 0;
+ adjtimex(&tx1);
+diff --git a/tools/testing/selftests/timers/leapcrash.c b/tools/testing/selftests/timers/leapcrash.c
+index 830c462f605d..dc80728ed191 100644
+--- a/tools/testing/selftests/timers/leapcrash.c
++++ b/tools/testing/selftests/timers/leapcrash.c
+@@ -101,6 +101,7 @@ int main(void)
+ }
+ clear_time_state();
+ printf(".");
++ fflush(stdout);
+ }
+ printf("[OK]\n");
+ return ksft_exit_pass();
+diff --git a/tools/testing/selftests/timers/mqueue-lat.c b/tools/testing/selftests/timers/mqueue-lat.c
+index 1867db5d6f5e..7916cf5cc6ff 100644
+--- a/tools/testing/selftests/timers/mqueue-lat.c
++++ b/tools/testing/selftests/timers/mqueue-lat.c
+@@ -102,6 +102,7 @@ int main(int argc, char **argv)
+ int ret;
+
+ printf("Mqueue latency : ");
++ fflush(stdout);
+
+ ret = mqueue_lat_test();
+ if (ret < 0) {
+diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c
+index 8adb0bb51d4d..71b5441c2fd9 100644
+--- a/tools/testing/selftests/timers/nanosleep.c
++++ b/tools/testing/selftests/timers/nanosleep.c
+@@ -142,6 +142,7 @@ int main(int argc, char **argv)
+ continue;
+
+ printf("Nanosleep %-31s ", clockstring(clockid));
++ fflush(stdout);
+
+ length = 10;
+ while (length <= (NSEC_PER_SEC * 10)) {
+diff --git a/tools/testing/selftests/timers/nsleep-lat.c b/tools/testing/selftests/timers/nsleep-lat.c
+index c3c3dc10db17..eb3e79ed7b4a 100644
+--- a/tools/testing/selftests/timers/nsleep-lat.c
++++ b/tools/testing/selftests/timers/nsleep-lat.c
+@@ -155,6 +155,7 @@ int main(int argc, char **argv)
+ continue;
+
+ printf("nsleep latency %-26s ", clockstring(clockid));
++ fflush(stdout);
+
+ length = 10;
+ while (length <= (NSEC_PER_SEC * 10)) {
+diff --git a/tools/testing/selftests/timers/raw_skew.c b/tools/testing/selftests/timers/raw_skew.c
+index dcf73c5dab6e..b41d8dd0c40c 100644
+--- a/tools/testing/selftests/timers/raw_skew.c
++++ b/tools/testing/selftests/timers/raw_skew.c
+@@ -112,6 +112,7 @@ int main(int argv, char **argc)
+ printf("WARNING: ADJ_OFFSET in progress, this will cause inaccurate results\n");
+
+ printf("Estimating clock drift: ");
++ fflush(stdout);
+ sleep(120);
+
+ get_monotonic_and_raw(&mon, &raw);
+diff --git a/tools/testing/selftests/timers/set-tai.c b/tools/testing/selftests/timers/set-tai.c
+index 70fed27d8fd3..8c4179ee2ca2 100644
+--- a/tools/testing/selftests/timers/set-tai.c
++++ b/tools/testing/selftests/timers/set-tai.c
+@@ -55,6 +55,7 @@ int main(int argc, char **argv)
+ printf("tai offset started at %i\n", ret);
+
+ printf("Checking tai offsets can be properly set: ");
++ fflush(stdout);
+ for (i = 1; i <= 60; i++) {
+ ret = set_tai(i);
+ ret = get_tai();
+diff --git a/tools/testing/selftests/timers/set-tz.c b/tools/testing/selftests/timers/set-tz.c
+index 877fd5532fee..62bd33eb16f0 100644
+--- a/tools/testing/selftests/timers/set-tz.c
++++ b/tools/testing/selftests/timers/set-tz.c
+@@ -65,6 +65,7 @@ int main(int argc, char **argv)
+ printf("tz_minuteswest started at %i, dst at %i\n", min, dst);
+
+ printf("Checking tz_minuteswest can be properly set: ");
++ fflush(stdout);
+ for (i = -15*60; i < 15*60; i += 30) {
+ ret = set_tz(i, dst);
+ ret = get_tz_min();
+@@ -76,6 +77,7 @@ int main(int argc, char **argv)
+ printf("[OK]\n");
+
+ printf("Checking invalid tz_minuteswest values are caught: ");
++ fflush(stdout);
+
+ if (!set_tz(-15*60-1, dst)) {
+ printf("[FAILED] %i didn't return failure!\n", -15*60-1);
+diff --git a/tools/testing/selftests/timers/threadtest.c b/tools/testing/selftests/timers/threadtest.c
+index 759c9c06f1a0..cf3e48919874 100644
+--- a/tools/testing/selftests/timers/threadtest.c
++++ b/tools/testing/selftests/timers/threadtest.c
+@@ -163,6 +163,7 @@ int main(int argc, char **argv)
+ strftime(buf, 255, "%a, %d %b %Y %T %z", localtime(&start));
+ printf("%s\n", buf);
+ printf("Testing consistency with %i threads for %ld seconds: ", thread_count, runtime);
++ fflush(stdout);
+
+ /* spawn */
+ for (i = 0; i < thread_count; i++)
+diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c
+index d9d3ab93b31a..5397de708d3c 100644
+--- a/tools/testing/selftests/timers/valid-adjtimex.c
++++ b/tools/testing/selftests/timers/valid-adjtimex.c
+@@ -123,6 +123,7 @@ int validate_freq(void)
+ /* Set the leap second insert flag */
+
+ printf("Testing ADJ_FREQ... ");
++ fflush(stdout);
+ for (i = 0; i < NUM_FREQ_VALID; i++) {
+ tx.modes = ADJ_FREQUENCY;
+ tx.freq = valid_freq[i];
+@@ -250,6 +251,7 @@ int set_bad_offset(long sec, long usec, int use_nano)
+ int validate_set_offset(void)
+ {
+ printf("Testing ADJ_SETOFFSET... ");
++ fflush(stdout);
+
+ /* Test valid values */
+ if (set_offset(NSEC_PER_SEC - 1, 1))
+--
+2.20.1
+
asoc-cs42xx8-add-regcache-mask-dirty.patch
asoc-fsl_asrc-fix-the-issue-about-unsupported-rate.patch
drm-i915-sdvo-implement-proper-hdmi-audio-support-for-sdvo.patch
+x86-uaccess-kcov-disable-stack-protector.patch
+alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
+alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
+revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
+s390-kasan-fix-strncpy_from_user-kasan-checks.patch
+drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
+f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch
+scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch
+scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch
+scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch
+scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
+arm64-mm-inhibit-huge-vmap-with-ptdump.patch
+nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch
+nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch
+nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch
+nvme-release-namespace-srcu-protection-before-perfor.patch
+nvme-fix-memory-leak-for-power-latency-tolerance.patch
+platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch
+platform-x86-pmc_atom-add-several-beckhoff-automatio.patch
+scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
+libnvdimm-fix-compilation-warnings-with-w-1.patch
+selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch
+selftests-timers-add-missing-fflush-stdout-calls.patch
+tracing-prevent-hist_field_var_ref-from-accessing-nu.patch
+usbnet-ipheth-fix-racing-condition.patch
+kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch
+kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch
+kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch
+kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
+tools-kvm_stat-fix-fields-filter-for-child-events.patch
--- /dev/null
+From e2c2f6ceb3ed3182c4e2c1581ca3fb819b92614f Mon Sep 17 00:00:00 2001
+From: Stefan Raspl <stefan.raspl@de.ibm.com>
+Date: Sun, 21 Apr 2019 15:26:24 +0200
+Subject: tools/kvm_stat: fix fields filter for child events
+
+[ Upstream commit 883d25e70b2f699fed9017e509d1ef8e36229b89 ]
+
+The fields filter would not work with child fields, as the respective
+parents would not be included. No parents displayed == no childs displayed.
+To reproduce, run on s390 (would work on other platforms, too, but would
+require a different filter name):
+- Run 'kvm_stat -d'
+- Press 'f'
+- Enter 'instruct'
+Notice that events like instruction_diag_44 or instruction_diag_500 are not
+displayed - the output remains empty.
+With this patch, we will filter by matching events and their parents.
+However, consider the following example where we filter by
+instruction_diag_44:
+
+ kvm statistics - summary
+ regex filter: instruction_diag_44
+ Event Total %Total CurAvg/s
+ exit_instruction 276 100.0 12
+ instruction_diag_44 256 92.8 11
+ Total 276 12
+
+Note that the parent ('exit_instruction') displays the total events, but
+the childs listed do not match its total (256 instead of 276). This is
+intended (since we're filtering all but one child), but might be confusing
+on first sight.
+
+Signed-off-by: Stefan Raspl <raspl@linux.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/kvm/kvm_stat/kvm_stat | 16 ++++++++++++----
+ tools/kvm/kvm_stat/kvm_stat.txt | 2 ++
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat
+index 195ba486640f..ba7ee74ee533 100755
+--- a/tools/kvm/kvm_stat/kvm_stat
++++ b/tools/kvm/kvm_stat/kvm_stat
+@@ -575,8 +575,12 @@ class TracepointProvider(Provider):
+ def update_fields(self, fields_filter):
+ """Refresh fields, applying fields_filter"""
+ self.fields = [field for field in self._get_available_fields()
+- if self.is_field_wanted(fields_filter, field) or
+- ARCH.tracepoint_is_child(field)]
++ if self.is_field_wanted(fields_filter, field)]
++ # add parents for child fields - otherwise we won't see any output!
++ for field in self._fields:
++ parent = ARCH.tracepoint_is_child(field)
++ if (parent and parent not in self._fields):
++ self.fields.append(parent)
+
+ @staticmethod
+ def _get_online_cpus():
+@@ -735,8 +739,12 @@ class DebugfsProvider(Provider):
+ def update_fields(self, fields_filter):
+ """Refresh fields, applying fields_filter"""
+ self._fields = [field for field in self._get_available_fields()
+- if self.is_field_wanted(fields_filter, field) or
+- ARCH.debugfs_is_child(field)]
++ if self.is_field_wanted(fields_filter, field)]
++ # add parents for child fields - otherwise we won't see any output!
++ for field in self._fields:
++ parent = ARCH.debugfs_is_child(field)
++ if (parent and parent not in self._fields):
++ self.fields.append(parent)
+
+ @property
+ def fields(self):
+diff --git a/tools/kvm/kvm_stat/kvm_stat.txt b/tools/kvm/kvm_stat/kvm_stat.txt
+index 0811d860fe75..c057ba52364e 100644
+--- a/tools/kvm/kvm_stat/kvm_stat.txt
++++ b/tools/kvm/kvm_stat/kvm_stat.txt
+@@ -34,6 +34,8 @@ INTERACTIVE COMMANDS
+ *c*:: clear filter
+
+ *f*:: filter by regular expression
++ :: *Note*: Child events pull in their parents, and parents' stats summarize
++ all child events, not just the filtered ones
+
+ *g*:: filter by guest name/PID
+
+--
+2.20.1
+
--- /dev/null
+From 9d5ad9072bd55982fef63a2e02fcbdd0399600b0 Mon Sep 17 00:00:00 2001
+From: Tom Zanussi <tom.zanussi@linux.intel.com>
+Date: Thu, 18 Apr 2019 10:18:50 -0500
+Subject: tracing: Prevent hist_field_var_ref() from accessing NULL
+ tracing_map_elts
+
+[ Upstream commit 55267c88c003a3648567beae7c90512d3e2ab15e ]
+
+hist_field_var_ref() is an implementation of hist_field_fn_t(), which
+can be called with a null tracing_map_elt elt param when assembling a
+key in event_hist_trigger().
+
+In the case of hist_field_var_ref() this doesn't make sense, because a
+variable can only be resolved by looking it up using an already
+assembled key i.e. a variable can't be used to assemble a key since
+the key is required in order to access the variable.
+
+Upper layers should prevent the user from constructing a key using a
+variable in the first place, but in case one slips through, it
+shouldn't cause a NULL pointer dereference. Also if one does slip
+through, we want to know about it, so emit a one-time warning in that
+case.
+
+Link: http://lkml.kernel.org/r/64ec8dc15c14d305295b64cdfcc6b2b9dd14753f.1555597045.git.tom.zanussi@linux.intel.com
+
+Reported-by: Vincent Bernat <vincent@bernat.ch>
+Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_hist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
+index 11853e90b649..3f34cfb66a85 100644
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -1632,6 +1632,9 @@ static u64 hist_field_var_ref(struct hist_field *hist_field,
+ struct hist_elt_data *elt_data;
+ u64 var_val = 0;
+
++ if (WARN_ON_ONCE(!elt))
++ return var_val;
++
+ elt_data = elt->private_data;
+ var_val = elt_data->var_ref_vals[hist_field->var_ref_idx];
+
+--
+2.20.1
+
--- /dev/null
+From b4e94d8462c7cb873e499c57f501fe19bee90c84 Mon Sep 17 00:00:00 2001
+From: Bernd Eckstein <3erndeckstein@gmail.com>
+Date: Mon, 20 May 2019 17:31:09 +0200
+Subject: usbnet: ipheth: fix racing condition
+
+[ Upstream commit 94d250fae48e6f873d8362308f5c4d02cd1b1fd2 ]
+
+Fix a racing condition in ipheth.c that can lead to slow performance.
+
+Bug: In ipheth_tx(), netif_wake_queue() may be called on the callback
+ipheth_sndbulk_callback(), _before_ netif_stop_queue() is called.
+When this happens, the queue is stopped longer than it needs to be,
+thus reducing network performance.
+
+Fix: Move netif_stop_queue() in front of usb_submit_urb(). Now the order
+is always correct. In case, usb_submit_urb() fails, the queue is woken up
+again as callback will not fire.
+
+Testing: This racing condition is usually not noticeable, as it has to
+occur very frequently to slowdown the network. The callback from the USB
+is usually triggered slow enough, so the situation does not appear.
+However, on a Ubuntu Linux on VMWare Workstation, running on Windows 10,
+the we loose the race quite often and the following speedup can be noticed:
+
+Without this patch: Download: 4.10 Mbit/s, Upload: 4.01 Mbit/s
+With this patch: Download: 36.23 Mbit/s, Upload: 17.61 Mbit/s
+
+Signed-off-by: Oliver Zweigle <Oliver.Zweigle@faro.com>
+Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ipheth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 3d8a70d3ea9b..3d71f1716390 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -437,17 +437,18 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net)
+ dev);
+ dev->tx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+
++ netif_stop_queue(net);
+ retval = usb_submit_urb(dev->tx_urb, GFP_ATOMIC);
+ if (retval) {
+ dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n",
+ __func__, retval);
+ dev->net->stats.tx_errors++;
+ dev_kfree_skb_any(skb);
++ netif_wake_queue(net);
+ } else {
+ dev->net->stats.tx_packets++;
+ dev->net->stats.tx_bytes += skb->len;
+ dev_consume_skb_any(skb);
+- netif_stop_queue(net);
+ }
+
+ return NETDEV_TX_OK;
+--
+2.20.1
+
--- /dev/null
+From 10b0263ea1a24e7cb309c433f9699511decbd809 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 7 Mar 2019 19:54:25 +0100
+Subject: x86/uaccess, kcov: Disable stack protector
+
+[ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ]
+
+New tooling noticed this mishap:
+
+ kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled
+ kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled
+
+All the other instrumentation (KASAN,UBSAN) also have stack protector
+disabled.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 7a63d567fdb5..df5e3ca30acd 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -30,6 +30,7 @@ KCOV_INSTRUMENT_extable.o := n
+ # Don't self-instrument.
+ KCOV_INSTRUMENT_kcov.o := n
+ KASAN_SANITIZE_kcov.o := n
++CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
+
+ # cond_syscall is currently not LTO compatible
+ CFLAGS_sys_ni.o = $(DISABLE_LTO)
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
