--- /dev/null
+From 307f4065b9d7c1e887e8bdfb2487e4638559fea1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 15 Oct 2019 08:49:27 -0700
+Subject: blk-rq-qos: fix first node deletion of rq_qos_del()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 307f4065b9d7c1e887e8bdfb2487e4638559fea1 upstream.
+
+rq_qos_del() incorrectly assigns the node being deleted to the head if
+it was the first on the list in the !prev path. Fix it by iterating
+with ** instead.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt")
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-rq-qos.h | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/block/blk-rq-qos.h
++++ b/block/blk-rq-qos.h
+@@ -80,16 +80,13 @@ static inline void rq_qos_add(struct req
+
+ static inline void rq_qos_del(struct request_queue *q, struct rq_qos *rqos)
+ {
+- struct rq_qos *cur, *prev = NULL;
+- for (cur = q->rq_qos; cur; cur = cur->next) {
+- if (cur == rqos) {
+- if (prev)
+- prev->next = rqos->next;
+- else
+- q->rq_qos = cur;
++ struct rq_qos **cur;
++
++ for (cur = &q->rq_qos; *cur; cur = &(*cur)->next) {
++ if (*cur == rqos) {
++ *cur = rqos->next;
+ break;
+ }
+- prev = cur;
+ }
+ }
+
--- /dev/null
+From 44db1216efe37bf670f8d1019cdc41658d84baf5 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 9 Oct 2019 17:43:45 +0100
+Subject: Btrfs: add missing extents release on file extent cluster relocation error
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 44db1216efe37bf670f8d1019cdc41658d84baf5 upstream.
+
+If we error out when finding a page at relocate_file_extent_cluster(), we
+need to release the outstanding extents counter on the relocation inode,
+set by the previous call to btrfs_delalloc_reserve_metadata(), otherwise
+the inode's block reserve size can never decrease to zero and metadata
+space is leaked. Therefore add a call to btrfs_delalloc_release_extents()
+in case we can't find the target page.
+
+Fixes: 8b62f87bad9c ("Btrfs: rework outstanding_extents")
+CC: stable@vger.kernel.org # 4.19+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/relocation.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -3187,6 +3187,8 @@ static int relocate_file_extent_cluster(
+ if (!page) {
+ btrfs_delalloc_release_metadata(BTRFS_I(inode),
+ PAGE_SIZE, true);
++ btrfs_delalloc_release_extents(BTRFS_I(inode),
++ PAGE_SIZE, true);
+ ret = -ENOMEM;
+ goto out;
+ }
--- /dev/null
+From 4b654acdae850f48b8250b9a578a4eaa518c7a6f Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Thu, 10 Oct 2019 10:39:26 +0800
+Subject: btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group()
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 4b654acdae850f48b8250b9a578a4eaa518c7a6f upstream.
+
+In btrfs_read_block_groups(), if we have an invalid block group which
+has mixed type (DATA|METADATA) while the fs doesn't have MIXED_GROUPS
+feature, we error out without freeing the block group cache.
+
+This patch will add the missing btrfs_put_block_group() to prevent
+memory leak.
+
+Note for stable backports: the file to patch in versions <= 5.3 is
+fs/btrfs/extent-tree.c
+
+Fixes: 49303381f19a ("Btrfs: bail out if block group has different mixed flag")
+CC: stable@vger.kernel.org # 4.9+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -10000,6 +10000,7 @@ int btrfs_read_block_groups(struct btrfs
+ btrfs_err(info,
+ "bg %llu is a mixed block group but filesystem hasn't enabled mixed block groups",
+ cache->key.objectid);
++ btrfs_put_block_group(cache);
+ ret = -EINVAL;
+ goto error;
+ }
--- /dev/null
+From ba0b084ac309283db6e329785c1dc4f45fdbd379 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 16 Oct 2019 16:28:52 +0100
+Subject: Btrfs: check for the full sync flag while holding the inode lock during fsync
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit ba0b084ac309283db6e329785c1dc4f45fdbd379 upstream.
+
+We were checking for the full fsync flag in the inode before locking the
+inode, which is racy, since at that that time it might not be set but
+after we acquire the inode lock some other task set it. One case where
+this can happen is on a system low on memory and some concurrent task
+failed to allocate an extent map and therefore set the full sync flag on
+the inode, to force the next fsync to work in full mode.
+
+A consequence of missing the full fsync flag set is hitting the problems
+fixed by commit 0c713cbab620 ("Btrfs: fix race between ranged fsync and
+writeback of adjacent ranges"), BUG_ON() when dropping extents from a log
+tree, hitting assertion failures at tree-log.c:copy_items() or all sorts
+of weird inconsistencies after replaying a log due to file extents items
+representing ranges that overlap.
+
+So just move the check such that it's done after locking the inode and
+before starting writeback again.
+
+Fixes: 0c713cbab620 ("Btrfs: fix race between ranged fsync and writeback of adjacent ranges")
+CC: stable@vger.kernel.org # 5.2+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/file.c | 36 +++++++++++++++++-------------------
+ 1 file changed, 17 insertions(+), 19 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2056,25 +2056,7 @@ int btrfs_sync_file(struct file *file, l
+ struct btrfs_trans_handle *trans;
+ struct btrfs_log_ctx ctx;
+ int ret = 0, err;
+- u64 len;
+
+- /*
+- * If the inode needs a full sync, make sure we use a full range to
+- * avoid log tree corruption, due to hole detection racing with ordered
+- * extent completion for adjacent ranges, and assertion failures during
+- * hole detection.
+- */
+- if (test_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
+- &BTRFS_I(inode)->runtime_flags)) {
+- start = 0;
+- end = LLONG_MAX;
+- }
+-
+- /*
+- * The range length can be represented by u64, we have to do the typecasts
+- * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync()
+- */
+- len = (u64)end - (u64)start + 1;
+ trace_btrfs_sync_file(file, datasync);
+
+ btrfs_init_log_ctx(&ctx, inode);
+@@ -2101,6 +2083,19 @@ int btrfs_sync_file(struct file *file, l
+ atomic_inc(&root->log_batch);
+
+ /*
++ * If the inode needs a full sync, make sure we use a full range to
++ * avoid log tree corruption, due to hole detection racing with ordered
++ * extent completion for adjacent ranges, and assertion failures during
++ * hole detection. Do this while holding the inode lock, to avoid races
++ * with other tasks.
++ */
++ if (test_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
++ &BTRFS_I(inode)->runtime_flags)) {
++ start = 0;
++ end = LLONG_MAX;
++ }
++
++ /*
+ * Before we acquired the inode's lock, someone may have dirtied more
+ * pages in the target range. We need to make sure that writeback for
+ * any such pages does not start while we are logging the inode, because
+@@ -2127,8 +2122,11 @@ int btrfs_sync_file(struct file *file, l
+ /*
+ * We have to do this here to avoid the priority inversion of waiting on
+ * IO of a lower priority task while holding a transaciton open.
++ *
++ * Also, the range length can be represented by u64, we have to do the
++ * typecasts to avoid signed overflow if it's [0, LLONG_MAX].
+ */
+- ret = btrfs_wait_ordered_range(inode, start, len);
++ ret = btrfs_wait_ordered_range(inode, start, (u64)end - (u64)start + 1);
+ if (ret) {
+ up_write(&BTRFS_I(inode)->dio_sem);
+ inode_unlock(inode);
--- /dev/null
+From 1b2442b4ae0f234daeadd90e153b466332c466d8 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Thu, 17 Oct 2019 10:38:37 +0800
+Subject: btrfs: tracepoints: Fix bad entry members of qgroup events
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 1b2442b4ae0f234daeadd90e153b466332c466d8 upstream.
+
+[BUG]
+For btrfs:qgroup_meta_reserve event, the trace event can output garbage:
+
+ qgroup_meta_reserve: 9c7f6acc-b342-4037-bc47-7f6e4d2232d7: refroot=5(FS_TREE) type=DATA diff=2
+ qgroup_meta_reserve: 9c7f6acc-b342-4037-bc47-7f6e4d2232d7: refroot=5(FS_TREE) type=0x258792 diff=2
+
+The @type can be completely garbage, as DATA type is not possible for
+trace_qgroup_meta_reserve() trace event.
+
+[CAUSE]
+Ther are several problems related to qgroup trace events:
+- Unassigned entry member
+ Member entry::type of trace_qgroup_update_reserve() and
+ trace_qgourp_meta_reserve() is not assigned
+
+- Redundant entry member
+ Member entry::type is completely useless in
+ trace_qgroup_meta_convert()
+
+Fixes: 4ee0d8832c2e ("btrfs: qgroup: Update trace events for metadata reservation")
+CC: stable@vger.kernel.org # 4.10+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/trace/events/btrfs.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -1655,6 +1655,7 @@ TRACE_EVENT(qgroup_update_reserve,
+ __entry->qgid = qgroup->qgroupid;
+ __entry->cur_reserved = qgroup->rsv.values[type];
+ __entry->diff = diff;
++ __entry->type = type;
+ ),
+
+ TP_printk_btrfs("qgid=%llu type=%s cur_reserved=%llu diff=%lld",
+@@ -1677,6 +1678,7 @@ TRACE_EVENT(qgroup_meta_reserve,
+ TP_fast_assign_btrfs(root->fs_info,
+ __entry->refroot = root->objectid;
+ __entry->diff = diff;
++ __entry->type = type;
+ ),
+
+ TP_printk_btrfs("refroot=%llu(%s) type=%s diff=%lld",
+@@ -1693,7 +1695,6 @@ TRACE_EVENT(qgroup_meta_convert,
+ TP_STRUCT__entry_btrfs(
+ __field( u64, refroot )
+ __field( s64, diff )
+- __field( int, type )
+ ),
+
+ TP_fast_assign_btrfs(root->fs_info,
--- /dev/null
+From 03d9a9fe3f3aec508e485dd3dcfa1e99933b4bdb Mon Sep 17 00:00:00 2001
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Date: Mon, 14 Oct 2019 10:59:23 +0200
+Subject: CIFS: avoid using MID 0xFFFF
+
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+
+commit 03d9a9fe3f3aec508e485dd3dcfa1e99933b4bdb upstream.
+
+According to MS-CIFS specification MID 0xFFFF should not be used by the
+CIFS client, but we actually do. Besides, this has proven to cause races
+leading to oops between SendReceive2/cifs_demultiplex_thread. On SMB1,
+MID is a 2 byte value easy to reach in CurrentMid which may conflict with
+an oplock break notification request coming from server
+
+Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb1ops.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/smb1ops.c
++++ b/fs/cifs/smb1ops.c
+@@ -183,6 +183,9 @@ cifs_get_next_mid(struct TCP_Server_Info
+ /* we do not want to loop forever */
+ last_mid = cur_mid;
+ cur_mid++;
++ /* avoid 0xFFFF MID */
++ if (cur_mid == 0xffff)
++ cur_mid++;
+
+ /*
+ * This nested loop looks more expensive than it is.
--- /dev/null
+From 1a67c415965752879e2e9fad407bc44fc7f25f23 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Wed, 23 Oct 2019 15:37:19 -0700
+Subject: CIFS: Fix use after free of file info structures
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 1a67c415965752879e2e9fad407bc44fc7f25f23 upstream.
+
+Currently the code assumes that if a file info entry belongs
+to lists of open file handles of an inode and a tcon then
+it has non-zero reference. The recent changes broke that
+assumption when putting the last reference of the file info.
+There may be a situation when a file is being deleted but
+nothing prevents another thread to reference it again
+and start using it. This happens because we do not hold
+the inode list lock while checking the number of references
+of the file info structure. Fix this by doing the proper
+locking when doing the check.
+
+Fixes: 487317c99477d ("cifs: add spinlock for the openFileList to cifsInodeInfo")
+Fixes: cb248819d209d ("cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic")
+Cc: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/file.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -403,10 +403,11 @@ void _cifsFileInfo_put(struct cifsFileIn
+ bool oplock_break_cancelled;
+
+ spin_lock(&tcon->open_file_lock);
+-
++ spin_lock(&cifsi->open_file_lock);
+ spin_lock(&cifs_file->file_info_lock);
+ if (--cifs_file->count > 0) {
+ spin_unlock(&cifs_file->file_info_lock);
++ spin_unlock(&cifsi->open_file_lock);
+ spin_unlock(&tcon->open_file_lock);
+ return;
+ }
+@@ -419,9 +420,7 @@ void _cifsFileInfo_put(struct cifsFileIn
+ cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open);
+
+ /* remove it from the lists */
+- spin_lock(&cifsi->open_file_lock);
+ list_del(&cifs_file->flist);
+- spin_unlock(&cifsi->open_file_lock);
+ list_del(&cifs_file->tlist);
+
+ if (list_empty(&cifsi->openFileList)) {
+@@ -437,6 +436,7 @@ void _cifsFileInfo_put(struct cifsFileIn
+ cifs_set_oplock_level(cifsi, 0);
+ }
+
++ spin_unlock(&cifsi->open_file_lock);
+ spin_unlock(&tcon->open_file_lock);
+
+ oplock_break_cancelled = wait_oplock_handler ?
--- /dev/null
+From 65650b35133ff20f0c9ef0abd5c3c66dbce3ae57 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 9 Oct 2019 01:29:10 +0200
+Subject: cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 65650b35133ff20f0c9ef0abd5c3c66dbce3ae57 upstream.
+
+It is incorrect to set the cpufreq syscore shutdown callback pointer
+to cpufreq_suspend(), because that function cannot be run in the
+syscore stage of system shutdown for two reasons: (a) it may attempt
+to carry out actions depending on devices that have already been shut
+down at that point and (b) the RCU synchronization carried out by it
+may not be able to make progress then.
+
+The latter issue has been present since commit 45975c7d21a1 ("rcu:
+Define RCU-sched API in terms of RCU for Tree RCU PREEMPT builds"),
+but the former one has been there since commit 90de2a4aa9f3 ("cpufreq:
+suspend cpufreq governors on shutdown") regardless.
+
+Fix that by dropping cpufreq_syscore_ops altogether and making
+device_shutdown() call cpufreq_suspend() directly before shutting
+down devices, which is along the lines of what system-wide power
+management does.
+
+Fixes: 45975c7d21a1 ("rcu: Define RCU-sched API in terms of RCU for Tree RCU PREEMPT builds")
+Fixes: 90de2a4aa9f3 ("cpufreq: suspend cpufreq governors on shutdown")
+Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: 4.0+ <stable@vger.kernel.org> # 4.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/core.c | 3 +++
+ drivers/cpufreq/cpufreq.c | 10 ----------
+ 2 files changed, 3 insertions(+), 10 deletions(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -8,6 +8,7 @@
+ * Copyright (c) 2006 Novell, Inc.
+ */
+
++#include <linux/cpufreq.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/fwnode.h>
+@@ -2943,6 +2944,8 @@ void device_shutdown(void)
+ wait_for_device_probe();
+ device_block_probing();
+
++ cpufreq_suspend();
++
+ spin_lock(&devices_kset->list_lock);
+ /*
+ * Walk the devices list backward, shutting down each in turn.
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2578,14 +2578,6 @@ int cpufreq_unregister_driver(struct cpu
+ }
+ EXPORT_SYMBOL_GPL(cpufreq_unregister_driver);
+
+-/*
+- * Stop cpufreq at shutdown to make sure it isn't holding any locks
+- * or mutexes when secondary CPUs are halted.
+- */
+-static struct syscore_ops cpufreq_syscore_ops = {
+- .shutdown = cpufreq_suspend,
+-};
+-
+ struct kobject *cpufreq_global_kobject;
+ EXPORT_SYMBOL(cpufreq_global_kobject);
+
+@@ -2597,8 +2589,6 @@ static int __init cpufreq_core_init(void
+ cpufreq_global_kobject = kobject_create_and_add("cpufreq", &cpu_subsys.dev_root->kobj);
+ BUG_ON(!cpufreq_global_kobject);
+
+- register_syscore_ops(&cpufreq_syscore_ops);
+-
+ return 0;
+ }
+ module_param(off, int, 0444);
--- /dev/null
+From 13bd677a472d534bf100bab2713efc3f9e3f5978 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 16 Oct 2019 09:21:50 -0400
+Subject: dm cache: fix bugs when a GFP_NOWAIT allocation fails
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 13bd677a472d534bf100bab2713efc3f9e3f5978 upstream.
+
+GFP_NOWAIT allocation can fail anytime - it doesn't wait for memory being
+available and it fails if the mempool is exhausted and there is not enough
+memory.
+
+If we go down this path:
+ map_bio -> mg_start -> alloc_migration -> mempool_alloc(GFP_NOWAIT)
+we can see that map_bio() doesn't check the return value of mg_start(),
+and the bio is leaked.
+
+If we go down this path:
+ map_bio -> mg_start -> mg_lock_writes -> alloc_prison_cell ->
+ dm_bio_prison_alloc_cell_v2 -> mempool_alloc(GFP_NOWAIT) ->
+ mg_lock_writes -> mg_complete
+the bio is ended with an error - it is unacceptable because it could
+cause filesystem corruption if the machine ran out of memory
+temporarily.
+
+Change GFP_NOWAIT to GFP_NOIO, so that the mempool code will properly
+wait until memory becomes available. mempool_alloc with GFP_NOIO can't
+fail, so remove the code paths that deal with allocation failure.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-cache-target.c | 28 ++--------------------------
+ 1 file changed, 2 insertions(+), 26 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -541,7 +541,7 @@ static void wake_migration_worker(struct
+
+ static struct dm_bio_prison_cell_v2 *alloc_prison_cell(struct cache *cache)
+ {
+- return dm_bio_prison_alloc_cell_v2(cache->prison, GFP_NOWAIT);
++ return dm_bio_prison_alloc_cell_v2(cache->prison, GFP_NOIO);
+ }
+
+ static void free_prison_cell(struct cache *cache, struct dm_bio_prison_cell_v2 *cell)
+@@ -553,9 +553,7 @@ static struct dm_cache_migration *alloc_
+ {
+ struct dm_cache_migration *mg;
+
+- mg = mempool_alloc(&cache->migration_pool, GFP_NOWAIT);
+- if (!mg)
+- return NULL;
++ mg = mempool_alloc(&cache->migration_pool, GFP_NOIO);
+
+ memset(mg, 0, sizeof(*mg));
+
+@@ -663,10 +661,6 @@ static bool bio_detain_shared(struct cac
+ struct dm_bio_prison_cell_v2 *cell_prealloc, *cell;
+
+ cell_prealloc = alloc_prison_cell(cache); /* FIXME: allow wait if calling from worker */
+- if (!cell_prealloc) {
+- defer_bio(cache, bio);
+- return false;
+- }
+
+ build_key(oblock, end, &key);
+ r = dm_cell_get_v2(cache->prison, &key, lock_level(bio), bio, cell_prealloc, &cell);
+@@ -1492,11 +1486,6 @@ static int mg_lock_writes(struct dm_cach
+ struct dm_bio_prison_cell_v2 *prealloc;
+
+ prealloc = alloc_prison_cell(cache);
+- if (!prealloc) {
+- DMERR_LIMIT("%s: alloc_prison_cell failed", cache_device_name(cache));
+- mg_complete(mg, false);
+- return -ENOMEM;
+- }
+
+ /*
+ * Prevent writes to the block, but allow reads to continue.
+@@ -1534,11 +1523,6 @@ static int mg_start(struct cache *cache,
+ }
+
+ mg = alloc_migration(cache);
+- if (!mg) {
+- policy_complete_background_work(cache->policy, op, false);
+- background_work_end(cache);
+- return -ENOMEM;
+- }
+
+ mg->op = op;
+ mg->overwrite_bio = bio;
+@@ -1627,10 +1611,6 @@ static int invalidate_lock(struct dm_cac
+ struct dm_bio_prison_cell_v2 *prealloc;
+
+ prealloc = alloc_prison_cell(cache);
+- if (!prealloc) {
+- invalidate_complete(mg, false);
+- return -ENOMEM;
+- }
+
+ build_key(mg->invalidate_oblock, oblock_succ(mg->invalidate_oblock), &key);
+ r = dm_cell_lock_v2(cache->prison, &key,
+@@ -1668,10 +1648,6 @@ static int invalidate_start(struct cache
+ return -EPERM;
+
+ mg = alloc_migration(cache);
+- if (!mg) {
+- background_work_end(cache);
+- return -ENOMEM;
+- }
+
+ mg->overwrite_bio = bio;
+ mg->invalidate_cblock = cblock;
--- /dev/null
+From 28c9fac09ab0147158db0baeec630407a5e9b892 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 5 Oct 2019 13:21:01 +0200
+Subject: memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 28c9fac09ab0147158db0baeec630407a5e9b892 upstream.
+
+If 'jmb38x_ms_count_slots()' returns 0, we must undo the previous
+'pci_request_regions()' call.
+
+Goto 'err_out_int' to fix it.
+
+Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/memstick/host/jmb38x_ms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/memstick/host/jmb38x_ms.c
++++ b/drivers/memstick/host/jmb38x_ms.c
+@@ -949,7 +949,7 @@ static int jmb38x_ms_probe(struct pci_de
+ if (!cnt) {
+ rc = -ENODEV;
+ pci_dev_busy = 1;
+- goto err_out;
++ goto err_out_int;
+ }
+
+ jm = kzalloc(sizeof(struct jmb38x_ms)
--- /dev/null
+From 45144d42f299455911cc29366656c7324a3a7c97 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Mon, 14 Oct 2019 13:25:00 +0200
+Subject: PCI: PM: Fix pci_power_up()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 45144d42f299455911cc29366656c7324a3a7c97 upstream.
+
+There is an arbitrary difference between the system resume and
+runtime resume code paths for PCI devices regarding the delay to
+apply when switching the devices from D3cold to D0.
+
+Namely, pci_restore_standard_config() used in the runtime resume
+code path calls pci_set_power_state() which in turn invokes
+__pci_start_power_transition() to power up the device through the
+platform firmware and that function applies the transition delay
+(as per PCI Express Base Specification Revision 2.0, Section 6.6.1).
+However, pci_pm_default_resume_early() used in the system resume
+code path calls pci_power_up() which doesn't apply the delay at
+all and that causes issues to occur during resume from
+suspend-to-idle on some systems where the delay is required.
+
+Since there is no reason for that difference to exist, modify
+pci_power_up() to follow pci_set_power_state() more closely and
+invoke __pci_start_power_transition() from there to call the
+platform firmware to power up the device (in case that's necessary).
+
+Fixes: db288c9c5f9d ("PCI / PM: restore the original behavior of pci_set_power_state()")
+Reported-by: Daniel Drake <drake@endlessm.com>
+Tested-by: Daniel Drake <drake@endlessm.com>
+Link: https://lore.kernel.org/linux-pm/CAD8Lp44TYxrMgPLkHCqF9hv6smEurMXvmmvmtyFhZ6Q4SE+dig@mail.gmail.com/T/#m21be74af263c6a34f36e0fc5c77c5449d9406925
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: 3.10+ <stable@vger.kernel.org> # 3.10+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -926,19 +926,6 @@ void pci_update_current_state(struct pci
+ }
+
+ /**
+- * pci_power_up - Put the given device into D0 forcibly
+- * @dev: PCI device to power up
+- */
+-void pci_power_up(struct pci_dev *dev)
+-{
+- if (platform_pci_power_manageable(dev))
+- platform_pci_set_power_state(dev, PCI_D0);
+-
+- pci_raw_set_power_state(dev, PCI_D0);
+- pci_update_current_state(dev, PCI_D0);
+-}
+-
+-/**
+ * pci_platform_power_transition - Use platform to change device power state
+ * @dev: PCI device to handle.
+ * @state: State to put the device into.
+@@ -1117,6 +1104,17 @@ int pci_set_power_state(struct pci_dev *
+ EXPORT_SYMBOL(pci_set_power_state);
+
+ /**
++ * pci_power_up - Put the given device into D0 forcibly
++ * @dev: PCI device to power up
++ */
++void pci_power_up(struct pci_dev *dev)
++{
++ __pci_start_power_transition(dev, PCI_D0);
++ pci_raw_set_power_state(dev, PCI_D0);
++ pci_update_current_state(dev, PCI_D0);
++}
++
++/**
+ * pci_choose_state - Choose the power state of a PCI device
+ * @dev: PCI device to be suspended
+ * @state: target sleep state for the whole system. This is the value
--- /dev/null
+From f3a519e4add93b7b31a6616f0b09635ff2e6a159 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 22 Oct 2019 10:39:40 +0300
+Subject: perf/aux: Fix AUX output stopping
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit f3a519e4add93b7b31a6616f0b09635ff2e6a159 upstream.
+
+Commit:
+
+ 8a58ddae2379 ("perf/core: Fix exclusive events' grouping")
+
+allows CAP_EXCLUSIVE events to be grouped with other events. Since all
+of those also happen to be AUX events (which is not the case the other
+way around, because arch/s390), this changes the rules for stopping the
+output: the AUX event may not be on its PMU's context any more, if it's
+grouped with a HW event, in which case it will be on that HW event's
+context instead. If that's the case, munmap() of the AUX buffer can't
+find and stop the AUX event, potentially leaving the last reference with
+the atomic context, which will then end up freeing the AUX buffer. This
+will then trip warnings:
+
+Fix this by using the context's PMU context when looking for events
+to stop, instead of the event's PMU context.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191022073940.61814-1-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -6813,7 +6813,7 @@ static void __perf_event_output_stop(str
+ static int __perf_pmu_output_stop(void *info)
+ {
+ struct perf_event *event = info;
+- struct pmu *pmu = event->pmu;
++ struct pmu *pmu = event->ctx->pmu;
+ struct perf_cpu_context *cpuctx = this_cpu_ptr(pmu->pmu_cpu_context);
+ struct remote_output ro = {
+ .rb = event->rb,
--- /dev/null
+From 20504fa1d2ffd5d03cdd9dc9c9dd4ed4579b97ef Mon Sep 17 00:00:00 2001
+From: Patrick Williams <alpawi@amazon.com>
+Date: Tue, 1 Oct 2019 10:46:31 -0500
+Subject: pinctrl: armada-37xx: fix control of pins 32 and up
+
+From: Patrick Williams <alpawi@amazon.com>
+
+commit 20504fa1d2ffd5d03cdd9dc9c9dd4ed4579b97ef upstream.
+
+The 37xx configuration registers are only 32 bits long, so
+pins 32-35 spill over into the next register. The calculation
+for the register address was done, but the bitmask was not, so
+any configuration to pin 32 or above resulted in a bitmask that
+overflowed and performed no action.
+
+Fix the register / offset calculation to also adjust the offset.
+
+Fixes: 5715092a458c ("pinctrl: armada-37xx: Add gpio support")
+Signed-off-by: Patrick Williams <alpawi@amazon.com>
+Acked-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191001154634.96165-1-alpawi@amazon.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+@@ -218,11 +218,11 @@ static const struct armada_37xx_pin_data
+ };
+
+ static inline void armada_37xx_update_reg(unsigned int *reg,
+- unsigned int offset)
++ unsigned int *offset)
+ {
+ /* We never have more than 2 registers */
+- if (offset >= GPIO_PER_REG) {
+- offset -= GPIO_PER_REG;
++ if (*offset >= GPIO_PER_REG) {
++ *offset -= GPIO_PER_REG;
+ *reg += sizeof(u32);
+ }
+ }
+@@ -373,7 +373,7 @@ static inline void armada_37xx_irq_updat
+ {
+ int offset = irqd_to_hwirq(d);
+
+- armada_37xx_update_reg(reg, offset);
++ armada_37xx_update_reg(reg, &offset);
+ }
+
+ static int armada_37xx_gpio_direction_input(struct gpio_chip *chip,
+@@ -383,7 +383,7 @@ static int armada_37xx_gpio_direction_in
+ unsigned int reg = OUTPUT_EN;
+ unsigned int mask;
+
+- armada_37xx_update_reg(®, offset);
++ armada_37xx_update_reg(®, &offset);
+ mask = BIT(offset);
+
+ return regmap_update_bits(info->regmap, reg, mask, 0);
+@@ -396,7 +396,7 @@ static int armada_37xx_gpio_get_directio
+ unsigned int reg = OUTPUT_EN;
+ unsigned int val, mask;
+
+- armada_37xx_update_reg(®, offset);
++ armada_37xx_update_reg(®, &offset);
+ mask = BIT(offset);
+ regmap_read(info->regmap, reg, &val);
+
+@@ -410,7 +410,7 @@ static int armada_37xx_gpio_direction_ou
+ unsigned int reg = OUTPUT_EN;
+ unsigned int mask, val, ret;
+
+- armada_37xx_update_reg(®, offset);
++ armada_37xx_update_reg(®, &offset);
+ mask = BIT(offset);
+
+ ret = regmap_update_bits(info->regmap, reg, mask, mask);
+@@ -431,7 +431,7 @@ static int armada_37xx_gpio_get(struct g
+ unsigned int reg = INPUT_VAL;
+ unsigned int val, mask;
+
+- armada_37xx_update_reg(®, offset);
++ armada_37xx_update_reg(®, &offset);
+ mask = BIT(offset);
+
+ regmap_read(info->regmap, reg, &val);
+@@ -446,7 +446,7 @@ static void armada_37xx_gpio_set(struct
+ unsigned int reg = OUTPUT_VAL;
+ unsigned int mask, val;
+
+- armada_37xx_update_reg(®, offset);
++ armada_37xx_update_reg(®, &offset);
+ mask = BIT(offset);
+ val = value ? mask : 0;
+
--- /dev/null
+From b835d6953009dc350d61402a854b5a7178d8c615 Mon Sep 17 00:00:00 2001
+From: Patrick Williams <alpawi@amazon.com>
+Date: Tue, 1 Oct 2019 10:51:38 -0500
+Subject: pinctrl: armada-37xx: swap polarity on LED group
+
+From: Patrick Williams <alpawi@amazon.com>
+
+commit b835d6953009dc350d61402a854b5a7178d8c615 upstream.
+
+The configuration registers for the LED group have inverted
+polarity, which puts the GPIO into open-drain state when used in
+GPIO mode. Switch to '0' for GPIO and '1' for LED modes.
+
+Fixes: 87466ccd9401 ("pinctrl: armada-37xx: Add pin controller support for Armada 37xx")
+Signed-off-by: Patrick Williams <alpawi@amazon.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191001155154.99710-1-alpawi@amazon.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+@@ -183,10 +183,10 @@ static struct armada_37xx_pin_group arma
+ PIN_GRP_EXTRA("uart2", 9, 2, BIT(1) | BIT(13) | BIT(14) | BIT(19),
+ BIT(1) | BIT(13) | BIT(14), BIT(1) | BIT(19),
+ 18, 2, "gpio", "uart"),
+- PIN_GRP_GPIO("led0_od", 11, 1, BIT(20), "led"),
+- PIN_GRP_GPIO("led1_od", 12, 1, BIT(21), "led"),
+- PIN_GRP_GPIO("led2_od", 13, 1, BIT(22), "led"),
+- PIN_GRP_GPIO("led3_od", 14, 1, BIT(23), "led"),
++ PIN_GRP_GPIO_2("led0_od", 11, 1, BIT(20), BIT(20), 0, "led"),
++ PIN_GRP_GPIO_2("led1_od", 12, 1, BIT(21), BIT(21), 0, "led"),
++ PIN_GRP_GPIO_2("led2_od", 13, 1, BIT(22), BIT(22), 0, "led"),
++ PIN_GRP_GPIO_2("led3_od", 14, 1, BIT(23), BIT(23), 0, "led"),
+
+ };
+
--- /dev/null
+From 260996c30f4f3a732f45045e3e0efe27017615e4 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 23 Sep 2019 19:49:58 -0700
+Subject: pinctrl: cherryview: restore Strago DMI workaround for all versions
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 260996c30f4f3a732f45045e3e0efe27017615e4 upstream.
+
+This is essentially a revert of:
+
+e3f72b749da2 pinctrl: cherryview: fix Strago DMI workaround
+86c5dd6860a6 pinctrl: cherryview: limit Strago DMI workarounds to version 1.0
+
+because even with 1.1 versions of BIOS there are some pins that are
+configured as interrupts but not claimed by any driver, and they
+sometimes fire up and result in interrupt storms that cause touchpad
+stop functioning and other issues.
+
+Given that we are unlikely to qualify another firmware version for a
+while it is better to keep the workaround active on all Strago boards.
+
+Reported-by: Alex Levin <levinale@chromium.org>
+Fixes: 86c5dd6860a6 ("pinctrl: cherryview: limit Strago DMI workarounds to version 1.0")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Alex Levin <levinale@chromium.org>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1524,7 +1524,6 @@ static const struct dmi_system_id chv_no
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"),
+ DMI_MATCH(DMI_PRODUCT_FAMILY, "Intel_Strago"),
+- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
+ },
+ },
+ {
+@@ -1532,7 +1531,6 @@ static const struct dmi_system_id chv_no
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Setzer"),
+- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
+ },
+ },
+ {
+@@ -1540,7 +1538,6 @@ static const struct dmi_system_id chv_no
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Cyan"),
+- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
+ },
+ },
+ {
+@@ -1548,7 +1545,6 @@ static const struct dmi_system_id chv_no
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Celes"),
+- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
+ },
+ },
+ {}
parisc-fix-vmap-memory-leak-in-ioremap-iounmap.patch
edac-ghes-fix-use-after-free-in-ghes_edac-remove-path.patch
arm64-enable-workaround-for-cavium-tx2-erratum-219-when-running-smt.patch
+cifs-avoid-using-mid-0xffff.patch
+cifs-fix-use-after-free-of-file-info-structures.patch
+perf-aux-fix-aux-output-stopping.patch
+tracing-fix-race-in-perf_trace_buf-initialization.patch
+dm-cache-fix-bugs-when-a-gfp_nowait-allocation-fails.patch
+x86-boot-64-make-level2_kernel_pgt-pages-invalid-outside-kernel-area.patch
+x86-apic-x2apic-fix-a-null-pointer-deref-when-handling-a-dying-cpu.patch
+x86-hyperv-make-vapic-support-x2apic-mode.patch
+pinctrl-cherryview-restore-strago-dmi-workaround-for-all-versions.patch
+pinctrl-armada-37xx-fix-control-of-pins-32-and-up.patch
+pinctrl-armada-37xx-swap-polarity-on-led-group.patch
+btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch
+btrfs-add-missing-extents-release-on-file-extent-cluster-relocation-error.patch
+btrfs-check-for-the-full-sync-flag-while-holding-the-inode-lock-during-fsync.patch
+btrfs-tracepoints-fix-bad-entry-members-of-qgroup-events.patch
+memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch
+cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch
+xen-netback-fix-error-path-of-xenvif_connect_data.patch
+pci-pm-fix-pci_power_up.patch
+blk-rq-qos-fix-first-node-deletion-of-rq_qos_del.patch
--- /dev/null
+From 6b1340cc00edeadd52ebd8a45171f38c8de2a387 Mon Sep 17 00:00:00 2001
+From: Prateek Sood <prsood@codeaurora.org>
+Date: Tue, 15 Oct 2019 11:47:25 +0530
+Subject: tracing: Fix race in perf_trace_buf initialization
+
+From: Prateek Sood <prsood@codeaurora.org>
+
+commit 6b1340cc00edeadd52ebd8a45171f38c8de2a387 upstream.
+
+A race condition exists while initialiazing perf_trace_buf from
+perf_trace_init() and perf_kprobe_init().
+
+ CPU0 CPU1
+perf_trace_init()
+ mutex_lock(&event_mutex)
+ perf_trace_event_init()
+ perf_trace_event_reg()
+ total_ref_count == 0
+ buf = alloc_percpu()
+ perf_trace_buf[i] = buf
+ tp_event->class->reg() //fails perf_kprobe_init()
+ goto fail perf_trace_event_init()
+ perf_trace_event_reg()
+ fail:
+ total_ref_count == 0
+
+ total_ref_count == 0
+ buf = alloc_percpu()
+ perf_trace_buf[i] = buf
+ tp_event->class->reg()
+ total_ref_count++
+
+ free_percpu(perf_trace_buf[i])
+ perf_trace_buf[i] = NULL
+
+Any subsequent call to perf_trace_event_reg() will observe total_ref_count > 0,
+causing the perf_trace_buf to be always NULL. This can result in perf_trace_buf
+getting accessed from perf_trace_buf_alloc() without being initialized. Acquiring
+event_mutex in perf_kprobe_init() before calling perf_trace_event_init() should
+fix this race.
+
+The race caused the following bug:
+
+ Unable to handle kernel paging request at virtual address 0000003106f2003c
+ Mem abort info:
+ ESR = 0x96000045
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000045
+ CM = 0, WnR = 1
+ user pgtable: 4k pages, 39-bit VAs, pgdp = ffffffc034b9b000
+ [0000003106f2003c] pgd=0000000000000000, pud=0000000000000000
+ Internal error: Oops: 96000045 [#1] PREEMPT SMP
+ Process syz-executor (pid: 18393, stack limit = 0xffffffc093190000)
+ pstate: 80400005 (Nzcv daif +PAN -UAO)
+ pc : __memset+0x20/0x1ac
+ lr : memset+0x3c/0x50
+ sp : ffffffc09319fc50
+
+ __memset+0x20/0x1ac
+ perf_trace_buf_alloc+0x140/0x1a0
+ perf_trace_sys_enter+0x158/0x310
+ syscall_trace_enter+0x348/0x7c0
+ el0_svc_common+0x11c/0x368
+ el0_svc_handler+0x12c/0x198
+ el0_svc+0x8/0xc
+
+Ramdumps showed the following:
+ total_ref_count = 3
+ perf_trace_buf = (
+ 0x0 -> NULL,
+ 0x0 -> NULL,
+ 0x0 -> NULL,
+ 0x0 -> NULL)
+
+Link: http://lkml.kernel.org/r/1571120245-4186-1-git-send-email-prsood@codeaurora.org
+
+Cc: stable@vger.kernel.org
+Fixes: e12f03d7031a9 ("perf/core: Implement the 'perf_kprobe' PMU")
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Prateek Sood <prsood@codeaurora.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_event_perf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/trace_event_perf.c
++++ b/kernel/trace/trace_event_perf.c
+@@ -272,9 +272,11 @@ int perf_kprobe_init(struct perf_event *
+ goto out;
+ }
+
++ mutex_lock(&event_mutex);
+ ret = perf_trace_event_init(tp_event, p_event);
+ if (ret)
+ destroy_local_trace_kprobe(tp_event);
++ mutex_unlock(&event_mutex);
+ out:
+ kfree(func);
+ return ret;
+@@ -282,8 +284,10 @@ out:
+
+ void perf_kprobe_destroy(struct perf_event *p_event)
+ {
++ mutex_lock(&event_mutex);
+ perf_trace_event_close(p_event);
+ perf_trace_event_unreg(p_event);
++ mutex_unlock(&event_mutex);
+
+ destroy_local_trace_kprobe(p_event->tp_event);
+ }
--- /dev/null
+From 7a22e03b0c02988e91003c505b34d752a51de344 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 1 Oct 2019 13:50:19 -0700
+Subject: x86/apic/x2apic: Fix a NULL pointer deref when handling a dying cpu
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 7a22e03b0c02988e91003c505b34d752a51de344 upstream.
+
+Check that the per-cpu cluster mask pointer has been set prior to
+clearing a dying cpu's bit. The per-cpu pointer is not set until the
+target cpu reaches smp_callin() during CPUHP_BRINGUP_CPU, whereas the
+teardown function, x2apic_dead_cpu(), is associated with the earlier
+CPUHP_X2APIC_PREPARE. If an error occurs before the cpu is awakened,
+e.g. if do_boot_cpu() itself fails, x2apic_dead_cpu() will dereference
+the NULL pointer and cause a panic.
+
+ smpboot: do_boot_cpu failed(-22) to wakeup CPU#1
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ RIP: 0010:x2apic_dead_cpu+0x1a/0x30
+ Call Trace:
+ cpuhp_invoke_callback+0x9a/0x580
+ _cpu_up+0x10d/0x140
+ do_cpu_up+0x69/0xb0
+ smp_init+0x63/0xa9
+ kernel_init_freeable+0xd7/0x229
+ ? rest_init+0xa0/0xa0
+ kernel_init+0xa/0x100
+ ret_from_fork+0x35/0x40
+
+Fixes: 023a611748fd5 ("x86/apic/x2apic: Simplify cluster management")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191001205019.5789-1-sean.j.christopherson@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/x2apic_cluster.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/x2apic_cluster.c
++++ b/arch/x86/kernel/apic/x2apic_cluster.c
+@@ -158,7 +158,8 @@ static int x2apic_dead_cpu(unsigned int
+ {
+ struct cluster_mask *cmsk = per_cpu(cluster_masks, dead_cpu);
+
+- cpumask_clear_cpu(dead_cpu, &cmsk->mask);
++ if (cmsk)
++ cpumask_clear_cpu(dead_cpu, &cmsk->mask);
+ free_cpumask_var(per_cpu(ipi_mask, dead_cpu));
+ return 0;
+ }
--- /dev/null
+From 2aa85f246c181b1fa89f27e8e20c5636426be624 Mon Sep 17 00:00:00 2001
+From: Steve Wahl <steve.wahl@hpe.com>
+Date: Tue, 24 Sep 2019 16:03:55 -0500
+Subject: x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area
+
+From: Steve Wahl <steve.wahl@hpe.com>
+
+commit 2aa85f246c181b1fa89f27e8e20c5636426be624 upstream.
+
+Our hardware (UV aka Superdome Flex) has address ranges marked
+reserved by the BIOS. Access to these ranges is caught as an error,
+causing the BIOS to halt the system.
+
+Initial page tables mapped a large range of physical addresses that
+were not checked against the list of BIOS reserved addresses, and
+sometimes included reserved addresses in part of the mapped range.
+Including the reserved range in the map allowed processor speculative
+accesses to the reserved range, triggering a BIOS halt.
+
+Used early in booting, the page table level2_kernel_pgt addresses 1
+GiB divided into 2 MiB pages, and it was set up to linearly map a full
+ 1 GiB of physical addresses that included the physical address range
+of the kernel image, as chosen by KASLR. But this also included a
+large range of unused addresses on either side of the kernel image.
+And unlike the kernel image's physical address range, this extra
+mapped space was not checked against the BIOS tables of usable RAM
+addresses. So there were times when the addresses chosen by KASLR
+would result in processor accessible mappings of BIOS reserved
+physical addresses.
+
+The kernel code did not directly access any of this extra mapped
+space, but having it mapped allowed the processor to issue speculative
+accesses into reserved memory, causing system halts.
+
+This was encountered somewhat rarely on a normal system boot, and much
+more often when starting the crash kernel if "crashkernel=512M,high"
+was specified on the command line (this heavily restricts the physical
+address of the crash kernel, in our case usually within 1 GiB of
+reserved space).
+
+The solution is to invalidate the pages of this table outside the kernel
+image's space before the page table is activated. It fixes this problem
+on our hardware.
+
+ [ bp: Touchups. ]
+
+Signed-off-by: Steve Wahl <steve.wahl@hpe.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Brijesh Singh <brijesh.singh@amd.com>
+Cc: dimitri.sivanich@hpe.com
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jordan Borgner <mail@jordan-borgner.de>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: mike.travis@hpe.com
+Cc: russ.anderson@hpe.com
+Cc: stable@vger.kernel.org
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Cc: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Link: https://lkml.kernel.org/r/9c011ee51b081534a7a15065b1681d200298b530.1569358539.git.steve.wahl@hpe.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/head64.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -222,13 +222,31 @@ unsigned long __head __startup_64(unsign
+ * we might write invalid pmds, when the kernel is relocated
+ * cleanup_highmap() fixes this up along with the mappings
+ * beyond _end.
++ *
++ * Only the region occupied by the kernel image has so far
++ * been checked against the table of usable memory regions
++ * provided by the firmware, so invalidate pages outside that
++ * region. A page table entry that maps to a reserved area of
++ * memory would allow processor speculation into that area,
++ * and on some hardware (particularly the UV platform) even
++ * speculative access to some reserved areas is caught as an
++ * error, causing the BIOS to halt the system.
+ */
+
+ pmd = fixup_pointer(level2_kernel_pgt, physaddr);
+- for (i = 0; i < PTRS_PER_PMD; i++) {
++
++ /* invalidate pages before the kernel image */
++ for (i = 0; i < pmd_index((unsigned long)_text); i++)
++ pmd[i] &= ~_PAGE_PRESENT;
++
++ /* fixup pages that are part of the kernel image */
++ for (; i <= pmd_index((unsigned long)_end); i++)
+ if (pmd[i] & _PAGE_PRESENT)
+ pmd[i] += load_delta;
+- }
++
++ /* invalidate pages after the kernel image */
++ for (; i < PTRS_PER_PMD; i++)
++ pmd[i] &= ~_PAGE_PRESENT;
+
+ /*
+ * Fixup phys_base - remove the memory encryption mask to obtain
--- /dev/null
+From e211288b72f15259da86eed6eca680758dbe9e74 Mon Sep 17 00:00:00 2001
+From: Roman Kagan <rkagan@virtuozzo.com>
+Date: Thu, 10 Oct 2019 12:33:05 +0000
+Subject: x86/hyperv: Make vapic support x2apic mode
+
+From: Roman Kagan <rkagan@virtuozzo.com>
+
+commit e211288b72f15259da86eed6eca680758dbe9e74 upstream.
+
+Now that there's Hyper-V IOMMU driver, Linux can switch to x2apic mode
+when supported by the vcpus.
+
+However, the apic access functions for Hyper-V enlightened apic assume
+xapic mode only.
+
+As a result, Linux fails to bring up secondary cpus when run as a guest
+in QEMU/KVM with both hv_apic and x2apic enabled.
+
+According to Michael Kelley, when in x2apic mode, the Hyper-V synthetic
+apic MSRs behave exactly the same as the corresponding architectural
+x2apic MSRs, so there's no need to override the apic accessors. The
+only exception is hv_apic_eoi_write, which benefits from lazy EOI when
+available; however, its implementation works for both xapic and x2apic
+modes.
+
+Fixes: 29217a474683 ("iommu/hyper-v: Add Hyper-V stub IOMMU driver")
+Fixes: 6b48cb5f8347 ("X86/Hyper-V: Enlighten APIC access")
+Suggested-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191010123258.16919-1-rkagan@virtuozzo.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/hyperv/hv_apic.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/hyperv/hv_apic.c
++++ b/arch/x86/hyperv/hv_apic.c
+@@ -256,11 +256,21 @@ void __init hv_apic_init(void)
+ }
+
+ if (ms_hyperv.hints & HV_X64_APIC_ACCESS_RECOMMENDED) {
+- pr_info("Hyper-V: Using MSR based APIC access\n");
++ pr_info("Hyper-V: Using enlightened APIC (%s mode)",
++ x2apic_enabled() ? "x2apic" : "xapic");
++ /*
++ * With x2apic, architectural x2apic MSRs are equivalent to the
++ * respective synthetic MSRs, so there's no need to override
++ * the apic accessors. The only exception is
++ * hv_apic_eoi_write, because it benefits from lazy EOI when
++ * available, but it works for both xapic and x2apic modes.
++ */
+ apic_set_eoi_write(hv_apic_eoi_write);
+- apic->read = hv_apic_read;
+- apic->write = hv_apic_write;
+- apic->icr_write = hv_apic_icr_write;
+- apic->icr_read = hv_apic_icr_read;
++ if (!x2apic_enabled()) {
++ apic->read = hv_apic_read;
++ apic->write = hv_apic_write;
++ apic->icr_write = hv_apic_icr_write;
++ apic->icr_read = hv_apic_icr_read;
++ }
+ }
+ }
--- /dev/null
+From 3d5c1a037d37392a6859afbde49be5ba6a70a6b3 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 18 Oct 2019 09:45:49 +0200
+Subject: xen/netback: fix error path of xenvif_connect_data()
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 3d5c1a037d37392a6859afbde49be5ba6a70a6b3 upstream.
+
+xenvif_connect_data() calls module_put() in case of error. This is
+wrong as there is no related module_get().
+
+Remove the superfluous module_put().
+
+Fixes: 279f438e36c0a7 ("xen-netback: Don't destroy the netdev until the vif is shut down")
+Cc: <stable@vger.kernel.org> # 3.12
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Paul Durrant <paul@xen.org>
+Reviewed-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netback/interface.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -718,7 +718,6 @@ err_unmap:
+ xenvif_unmap_frontend_data_rings(queue);
+ netif_napi_del(&queue->napi);
+ err:
+- module_put(THIS_MODULE);
+ return err;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
