fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Tue, 7 Jan 2020 18:07:24 +0000 (13:07 -0500)
committerSasha Levin <sashal@kernel.org>
Tue, 7 Jan 2020 18:07:24 +0000 (13:07 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.9/ath9k_htc-discard-undersized-packets.patch [new file with mode: 0644]
queue-4.9/ath9k_htc-modify-byte-order-for-an-error-message.patch [new file with mode: 0644]
queue-4.9/coresight-etb10-do-not-call-smp_processor_id-from-pr.patch [new file with mode: 0644]
queue-4.9/coresight-tmc-etf-do-not-call-smp_processor_id-from-.patch [new file with mode: 0644]
queue-4.9/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch [new file with mode: 0644]
queue-4.9/net-add-annotations-on-hh-hh_len-lockless-accesses.patch [new file with mode: 0644]
queue-4.9/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch [new file with mode: 0644]
queue-4.9/rxrpc-fix-possible-null-pointer-access-in-icmp-handl.patch [new file with mode: 0644]
queue-4.9/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch [new file with mode: 0644]

diff --git a/queue-4.9/ath9k_htc-discard-undersized-packets.patch b/queue-4.9/ath9k_htc-discard-undersized-packets.patch
new file mode 100644 (file)
index 0000000..34d5400
--- /dev/null
@@ -0,0 +1,124 @@
+From c5554ef0f9398194ae2df4f55bb4e59288cabfd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2019 11:51:46 +0900
+Subject: ath9k_htc: Discard undersized packets
+
+From: Masashi Honma <masashi.honma@gmail.com>
+
+[ Upstream commit cd486e627e67ee9ab66914d36d3127ef057cc010 ]
+
+Sometimes the hardware will push small packets that trigger a WARN_ON
+in mac80211. Discard them early to avoid this issue.
+
+This patch ports 2 patches from ath9k to ath9k_htc.
+commit 3c0efb745a172bfe96459e20cbd37b0c945d5f8d "ath9k: discard
+undersized packets".
+commit df5c4150501ee7e86383be88f6490d970adcf157 "ath9k: correctly
+handle short radar pulses".
+
+[  112.835889] ------------[ cut here ]------------
+[  112.835971] WARNING: CPU: 5 PID: 0 at net/mac80211/rx.c:804 ieee80211_rx_napi+0xaac/0xb40 [mac80211]
+[  112.835973] Modules linked in: ath9k_htc ath9k_common ath9k_hw ath mac80211 cfg80211 libarc4 nouveau snd_hda_codec_hdmi intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec video snd_hda_core ttm snd_hwdep drm_kms_helper snd_pcm crct10dif_pclmul snd_seq_midi drm snd_seq_midi_event crc32_pclmul snd_rawmidi ghash_clmulni_intel snd_seq aesni_intel aes_x86_64 crypto_simd cryptd snd_seq_device glue_helper snd_timer sch_fq_codel i2c_algo_bit fb_sys_fops snd input_leds syscopyarea sysfillrect sysimgblt intel_cstate mei_me intel_rapl_perf soundcore mxm_wmi lpc_ich mei kvm_intel kvm mac_hid irqbypass parport_pc ppdev lp parport ip_tables x_tables autofs4 hid_generic usbhid hid raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear e1000e ahci libahci wmi
+[  112.836022] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 5.3.0-wt #1
+[  112.836023] Hardware name: MouseComputer Co.,Ltd. X99-S01/X99-S01, BIOS 1.0C-W7 04/01/2015
+[  112.836056] RIP: 0010:ieee80211_rx_napi+0xaac/0xb40 [mac80211]
+[  112.836059] Code: 00 00 66 41 89 86 b0 00 00 00 e9 c8 fa ff ff 4c 89 b5 40 ff ff ff 49 89 c6 e9 c9 fa ff ff 48 c7 c7 e0 a2 a5 c0 e8 47 41 b0 e9 <0f> 0b 48 89 df e8 5a 94 2d ea e9 02 f9 ff ff 41 39 c1 44 89 85 60
+[  112.836060] RSP: 0018:ffffaa6180220da8 EFLAGS: 00010286
+[  112.836062] RAX: 0000000000000024 RBX: ffff909a20eeda00 RCX: 0000000000000000
+[  112.836064] RDX: 0000000000000000 RSI: ffff909a2f957448 RDI: ffff909a2f957448
+[  112.836065] RBP: ffffaa6180220e78 R08: 00000000000006e9 R09: 0000000000000004
+[  112.836066] R10: 000000000000000a R11: 0000000000000001 R12: 0000000000000000
+[  112.836068] R13: ffff909a261a47a0 R14: 0000000000000000 R15: 0000000000000004
+[  112.836070] FS:  0000000000000000(0000) GS:ffff909a2f940000(0000) knlGS:0000000000000000
+[  112.836071] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  112.836073] CR2: 00007f4e3ffffa08 CR3: 00000001afc0a006 CR4: 00000000001606e0
+[  112.836074] Call Trace:
+[  112.836076]  <IRQ>
+[  112.836083]  ? finish_td+0xb3/0xf0
+[  112.836092]  ? ath9k_rx_prepare.isra.11+0x22f/0x2a0 [ath9k_htc]
+[  112.836099]  ath9k_rx_tasklet+0x10b/0x1d0 [ath9k_htc]
+[  112.836105]  tasklet_action_common.isra.22+0x63/0x110
+[  112.836108]  tasklet_action+0x22/0x30
+[  112.836115]  __do_softirq+0xe4/0x2da
+[  112.836118]  irq_exit+0xae/0xb0
+[  112.836121]  do_IRQ+0x86/0xe0
+[  112.836125]  common_interrupt+0xf/0xf
+[  112.836126]  </IRQ>
+[  112.836130] RIP: 0010:cpuidle_enter_state+0xa9/0x440
+[  112.836133] Code: 3d bc 20 38 55 e8 f7 1d 84 ff 49 89 c7 0f 1f 44 00 00 31 ff e8 28 29 84 ff 80 7d d3 00 0f 85 e6 01 00 00 fb 66 0f 1f 44 00 00 <45> 85 ed 0f 89 ff 01 00 00 41 c7 44 24 10 00 00 00 00 48 83 c4 18
+[  112.836134] RSP: 0018:ffffaa61800e3e48 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde
+[  112.836136] RAX: ffff909a2f96b340 RBX: ffffffffabb58200 RCX: 000000000000001f
+[  112.836137] RDX: 0000001a458adc5d RSI: 0000000026c9b581 RDI: 0000000000000000
+[  112.836139] RBP: ffffaa61800e3e88 R08: 0000000000000002 R09: 000000000002abc0
+[  112.836140] R10: ffffaa61800e3e18 R11: 000000000000002d R12: ffffca617fb40b00
+[  112.836141] R13: 0000000000000002 R14: ffffffffabb582d8 R15: 0000001a458adc5d
+[  112.836145]  ? cpuidle_enter_state+0x98/0x440
+[  112.836149]  ? menu_select+0x370/0x600
+[  112.836151]  cpuidle_enter+0x2e/0x40
+[  112.836154]  call_cpuidle+0x23/0x40
+[  112.836156]  do_idle+0x204/0x280
+[  112.836159]  cpu_startup_entry+0x1d/0x20
+[  112.836164]  start_secondary+0x167/0x1c0
+[  112.836169]  secondary_startup_64+0xa4/0xb0
+[  112.836173] ---[ end trace 9f4cd18479cc5ae5 ]---
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 23 +++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+index 92156e519168..52b42ecee621 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -972,6 +972,8 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
+       struct ath_htc_rx_status *rxstatus;
+       struct ath_rx_status rx_stats;
+       bool decrypt_error = false;
++      __be16 rs_datalen;
++      bool is_phyerr;
+       if (skb->len < HTC_RX_FRAME_HEADER_SIZE) {
+               ath_err(common, "Corrupted RX frame, dropping (len: %d)\n",
+@@ -981,11 +983,24 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
+       rxstatus = (struct ath_htc_rx_status *)skb->data;
+-      if (be16_to_cpu(rxstatus->rs_datalen) -
+-          (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0) {
++      rs_datalen = be16_to_cpu(rxstatus->rs_datalen);
++      if (unlikely(rs_datalen -
++          (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0)) {
+               ath_err(common,
+                       "Corrupted RX data len, dropping (dlen: %d, skblen: %d)\n",
+-                      be16_to_cpu(rxstatus->rs_datalen), skb->len);
++                      rs_datalen, skb->len);
++              goto rx_next;
++      }
++
++      is_phyerr = rxstatus->rs_status & ATH9K_RXERR_PHY;
++      /*
++       * Discard zero-length packets and packets smaller than an ACK
++       * which are not PHY_ERROR (short radar pulses have a length of 3)
++       */
++      if (unlikely(!rs_datalen || (rs_datalen < 10 && !is_phyerr))) {
++              ath_warn(common,
++                       "Short RX data len, dropping (dlen: %d)\n",
++                       rs_datalen);
+               goto rx_next;
+       }
+@@ -1010,7 +1025,7 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
+        * Process PHY errors and return so that the packet
+        * can be dropped.
+        */
+-      if (rx_stats.rs_status & ATH9K_RXERR_PHY) {
++      if (unlikely(is_phyerr)) {
+               /* TODO: Not using DFS processing now. */
+               if (ath_cmn_process_fft(&priv->spec_priv, hdr,
+                                   &rx_stats, rx_status->mactime)) {
+-- 
+2.20.1
+
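Review bot: `rs_datalen` is declared `__be16` in ath9k_rx_prepare() but is assigned the result of `be16_to_cpu()`, so a CPU-order value carries a big-endian annotation. Sparse will flag this, and a later reader may convert it a second time; declare it `u16 rs_datalen;` instead. The added `ath_warn()` for short frames is also unthrottled, and the length comes from the device, which the commit message says "sometimes" sends such packets, so a rate-limited or debug-level message would keep a misbehaving adapter from flooding the log. The bare `10` would read better as a named constant for the minimum ACK length. ath9k_rx_prepare() starts and ends outside these hunks.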
diff --git a/queue-4.9/ath9k_htc-modify-byte-order-for-an-error-message.patch b/queue-4.9/ath9k_htc-modify-byte-order-for-an-error-message.patch
new file mode 100644 (file)
index 0000000..45ce39f
--- /dev/null
@@ -0,0 +1,34 @@
+From 41383af0b4f148cc9c6d0cf12ebe08dc6018051b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2019 11:51:45 +0900
+Subject: ath9k_htc: Modify byte order for an error message
+
+From: Masashi Honma <masashi.honma@gmail.com>
+
+[ Upstream commit e01fddc19d215f6ad397894ec2a851d99bf154e2 ]
+
+rs_datalen is be16 so we need to convert it before printing.
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+index f333ef1e3e7b..92156e519168 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -985,7 +985,7 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
+           (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0) {
+               ath_err(common,
+                       "Corrupted RX data len, dropping (dlen: %d, skblen: %d)\n",
+-                      rxstatus->rs_datalen, skb->len);
++                      be16_to_cpu(rxstatus->rs_datalen), skb->len);
+               goto rx_next;
+       }
+-- 
+2.20.1
+
diff --git a/queue-4.9/coresight-etb10-do-not-call-smp_processor_id-from-pr.patch b/queue-4.9/coresight-etb10-do-not-call-smp_processor_id-from-pr.patch
new file mode 100644 (file)
index 0000000..d36c83b
--- /dev/null
@@ -0,0 +1,49 @@
+From b908baf1e72f2a84843354ddf714afb9436315e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2019 16:12:36 -0600
+Subject: coresight: etb10: Do not call smp_processor_id from preemptible
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 730766bae3280a25d40ea76a53dc6342e84e6513 ]
+
+During a perf session we try to allocate buffers on the "node" associated
+with the CPU the event is bound to. If it is not bound to a CPU, we
+use the current CPU node, using smp_processor_id(). However this is unsafe
+in a pre-emptible context and could generate the splats as below :
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
+
+Use NUMA_NO_NODE hint instead of using the current node for events
+not bound to CPUs.
+
+Fixes: 2997aa4063d97fdb39 ("coresight: etb10: implementing AUX API")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable <stable@vger.kernel.org> # 4.6+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-etb10.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
+index ace55385b26f..245c32b52355 100644
+--- a/drivers/hwtracing/coresight/coresight-etb10.c
++++ b/drivers/hwtracing/coresight/coresight-etb10.c
+@@ -279,9 +279,7 @@ static void *etb_alloc_buffer(struct coresight_device *csdev, int cpu,
+       int node;
+       struct cs_buffers *buf;
+-      if (cpu == -1)
+-              cpu = smp_processor_id();
+-      node = cpu_to_node(cpu);
++      node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
+       buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node);
+       if (!buf)
+-- 
+2.20.1
+
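Review bot: The replacement line reads `event->cpu`, but the signature shown in the hunk header is `etb_alloc_buffer(struct coresight_device *csdev, int cpu,` and no `event` is declared in the visible lines. Unless `event` is defined outside the hunk, this backport will not build on 4.9. With the `cpu` parameter the equivalent is `node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu);`. The same applies to `tmc_alloc_etf_buffer()` in the coresight-tmc-etf patch queued in this commit, whose hunk header also shows an `int cpu` parameter. Both function bodies continue outside their hunks.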
diff --git a/queue-4.9/coresight-tmc-etf-do-not-call-smp_processor_id-from-.patch b/queue-4.9/coresight-tmc-etf-do-not-call-smp_processor_id-from-.patch
new file mode 100644 (file)
index 0000000..b7d8e3e
--- /dev/null
@@ -0,0 +1,68 @@
+From 1737e8b3428030726119aa43a00563693aa16264 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2019 16:12:35 -0600
+Subject: coresight: tmc-etf: Do not call smp_processor_id from preemptible
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 024c1fd9dbcc1d8a847f1311f999d35783921b7f ]
+
+During a perf session we try to allocate buffers on the "node" associated
+with the CPU the event is bound to. If it is not bound to a CPU, we
+use the current CPU node, using smp_processor_id(). However this is unsafe
+in a pre-emptible context and could generate the splats as below :
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
+ caller is tmc_alloc_etf_buffer+0x5c/0x60
+ CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344
+ Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb  1 2019
+ Call trace:
+  dump_backtrace+0x0/0x150
+  show_stack+0x14/0x20
+  dump_stack+0x9c/0xc4
+  debug_smp_processor_id+0x10c/0x110
+  tmc_alloc_etf_buffer+0x5c/0x60
+  etm_setup_aux+0x1c4/0x230
+  rb_alloc_aux+0x1b8/0x2b8
+  perf_mmap+0x35c/0x478
+  mmap_region+0x34c/0x4f0
+  do_mmap+0x2d8/0x418
+  vm_mmap_pgoff+0xd0/0xf8
+  ksys_mmap_pgoff+0x88/0xf8
+  __arm64_sys_mmap+0x28/0x38
+  el0_svc_handler+0xd8/0x138
+  el0_svc+0x8/0xc
+
+Use NUMA_NO_NODE hint instead of using the current node for events
+not bound to CPUs.
+
+Fixes: 2e499bbc1a929ac ("coresight: tmc: implementing TMC-ETF AUX space API")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable <stable@vger.kernel.org> # 4.7+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etf.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c
+index 14df4e34c21c..faf68412eb92 100644
+--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c
+@@ -292,9 +292,7 @@ static void *tmc_alloc_etf_buffer(struct coresight_device *csdev, int cpu,
+       int node;
+       struct cs_buffers *buf;
+-      if (cpu == -1)
+-              cpu = smp_processor_id();
+-      node = cpu_to_node(cpu);
++      node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
+       /* Allocate memory structure for interaction with Perf */
+       buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node);
+-- 
+2.20.1
+
diff --git a/queue-4.9/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch b/queue-4.9/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch
new file mode 100644 (file)
index 0000000..1019902
--- /dev/null
@@ -0,0 +1,83 @@
+From a9160e4258816532340619274eb2ead5f18d6e29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 May 2019 00:24:33 +0300
+Subject: drm/mst: Fix MST sideband up-reply failure handling
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit d8fd3722207f154b53c80eee2cf4977c3fc25a92 ]
+
+Fix the breakage resulting in the stacktrace below, due to tx queue
+being full when trying to send an up-reply. txmsg->seqno is -1 in this
+case leading to a corruption of the mstb object by
+
+       txmsg->dst->tx_slots[txmsg->seqno] = NULL;
+
+in process_single_up_tx_qlock().
+
+[  +0,005162] [drm:process_single_tx_qlock [drm_kms_helper]] set_hdr_from_dst_qlock: failed to find slot
+[  +0,000015] [drm:drm_dp_send_up_ack_reply.constprop.19 [drm_kms_helper]] failed to send msg in q -11
+[  +0,000939] BUG: kernel NULL pointer dereference, address: 00000000000005a0
+[  +0,006982] #PF: supervisor write access in kernel mode
+[  +0,005223] #PF: error_code(0x0002) - not-present page
+[  +0,005135] PGD 0 P4D 0
+[  +0,002581] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[  +0,004359] CPU: 1 PID: 1200 Comm: kworker/u16:3 Tainted: G     U            5.2.0-rc1+ #410
+[  +0,008433] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP, BIOS ICLSFWR1.R00.3175.A00.1904261428 04/26/2019
+[  +0,013323] Workqueue: i915-dp i915_digport_work_func [i915]
+[  +0,005676] RIP: 0010:queue_work_on+0x19/0x70
+[  +0,004372] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 41 56 49 89 f6 41 55 41 89 fd 41 54 55 53 48 89 d3 9c 5d fa e8 e7 81 0c 00 <f0> 48 0f ba 2b 00 73 31 45 31 e4 f7 c5 00 02 00 00 74 13 e8 cf 7f
+[  +0,018750] RSP: 0018:ffffc900007dfc50 EFLAGS: 00010006
+[  +0,005222] RAX: 0000000000000046 RBX: 00000000000005a0 RCX: 0000000000000001
+[  +0,007133] RDX: 000000000001b608 RSI: 0000000000000000 RDI: ffffffff82121972
+[  +0,007129] RBP: 0000000000000202 R08: 0000000000000000 R09: 0000000000000001
+[  +0,007129] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88847bfa5096
+[  +0,007131] R13: 0000000000000010 R14: ffff88849c08f3f8 R15: 0000000000000000
+[  +0,007128] FS:  0000000000000000(0000) GS:ffff88849dc80000(0000) knlGS:0000000000000000
+[  +0,008083] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  +0,005749] CR2: 00000000000005a0 CR3: 0000000005210006 CR4: 0000000000760ee0
+[  +0,007128] PKRU: 55555554
+[  +0,002722] Call Trace:
+[  +0,002458]  drm_dp_mst_handle_up_req+0x517/0x540 [drm_kms_helper]
+[  +0,006197]  ? drm_dp_mst_hpd_irq+0x5b/0x9c0 [drm_kms_helper]
+[  +0,005764]  drm_dp_mst_hpd_irq+0x5b/0x9c0 [drm_kms_helper]
+[  +0,005623]  ? intel_dp_hpd_pulse+0x205/0x370 [i915]
+[  +0,005018]  intel_dp_hpd_pulse+0x205/0x370 [i915]
+[  +0,004836]  i915_digport_work_func+0xbb/0x140 [i915]
+[  +0,005108]  process_one_work+0x245/0x610
+[  +0,004027]  worker_thread+0x37/0x380
+[  +0,003684]  ? process_one_work+0x610/0x610
+[  +0,004184]  kthread+0x119/0x130
+[  +0,003240]  ? kthread_park+0x80/0x80
+[  +0,003668]  ret_from_fork+0x24/0x50
+
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190523212433.9058-1-imre.deak@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
+index 4a959740058e..f68dcf5790ad 100644
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -1536,7 +1536,11 @@ static void process_single_up_tx_qlock(struct drm_dp_mst_topology_mgr *mgr,
+       if (ret != 1)
+               DRM_DEBUG_KMS("failed to send msg in q %d\n", ret);
+-      txmsg->dst->tx_slots[txmsg->seqno] = NULL;
++      if (txmsg->seqno != -1) {
++              WARN_ON((unsigned int)txmsg->seqno >
++                      ARRAY_SIZE(txmsg->dst->tx_slots));
++              txmsg->dst->tx_slots[txmsg->seqno] = NULL;
++      }
+ }
+ static void drm_dp_queue_down_tx(struct drm_dp_mst_topology_mgr *mgr,
+-- 
+2.20.1
+
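Review bot: The added `WARN_ON()` in process_single_up_tx_qlock() uses `>` where it needs `>=`, and it does not stop the store. A `seqno` equal to `ARRAY_SIZE(txmsg->dst->tx_slots)` passes silently, and any larger value only warns before `tx_slots[txmsg->seqno] = NULL` still writes past the array. Let the check gate the write: `if (!WARN_ON((unsigned int)txmsg->seqno >= ARRAY_SIZE(txmsg->dst->tx_slots)))` followed by the assignment. The function begins outside the hunk.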
diff --git a/queue-4.9/net-add-annotations-on-hh-hh_len-lockless-accesses.patch b/queue-4.9/net-add-annotations-on-hh-hh_len-lockless-accesses.patch
new file mode 100644 (file)
index 0000000..8b0b16d
--- /dev/null
@@ -0,0 +1,149 @@
+From b9443411418e6d2990e111af3f74073cda048973 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 18:29:11 -0800
+Subject: net: add annotations on hh->hh_len lockless accesses
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c305c6ae79e2ce20c22660ceda94f0d86d639a82 ]
+
+KCSAN reported a data-race [1]
+
+While we can use READ_ONCE() on the read sides,
+we need to make sure hh->hh_len is written last.
+
+[1]
+
+BUG: KCSAN: data-race in eth_header_cache / neigh_resolve_output
+
+write to 0xffff8880b9dedcb8 of 4 bytes by task 29760 on cpu 0:
+ eth_header_cache+0xa9/0xd0 net/ethernet/eth.c:247
+ neigh_hh_init net/core/neighbour.c:1463 [inline]
+ neigh_resolve_output net/core/neighbour.c:1480 [inline]
+ neigh_resolve_output+0x415/0x470 net/core/neighbour.c:1470
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ NF_HOOK include/linux/netfilter.h:305 [inline]
+ ndisc_send_skb+0x459/0x5f0 net/ipv6/ndisc.c:505
+ ndisc_send_ns+0x207/0x430 net/ipv6/ndisc.c:647
+ rt6_probe_deferred+0x98/0xf0 net/ipv6/route.c:615
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+read to 0xffff8880b9dedcb8 of 4 bytes by task 29572 on cpu 1:
+ neigh_resolve_output net/core/neighbour.c:1479 [inline]
+ neigh_resolve_output+0x113/0x470 net/core/neighbour.c:1470
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ NF_HOOK include/linux/netfilter.h:305 [inline]
+ ndisc_send_skb+0x459/0x5f0 net/ipv6/ndisc.c:505
+ ndisc_send_ns+0x207/0x430 net/ipv6/ndisc.c:647
+ rt6_probe_deferred+0x98/0xf0 net/ipv6/route.c:615
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 29572 Comm: kworker/1:4 Not tainted 5.4.0-rc6+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events rt6_probe_deferred
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/net.c  | 6 +++++-
+ include/net/neighbour.h | 2 +-
+ net/core/neighbour.c    | 4 ++--
+ net/ethernet/eth.c      | 7 ++++++-
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
+index 15475892af0c..bc19ac0e662e 100644
+--- a/drivers/firewire/net.c
++++ b/drivers/firewire/net.c
+@@ -249,7 +249,11 @@ static int fwnet_header_cache(const struct neighbour *neigh,
+       h = (struct fwnet_header *)((u8 *)hh->hh_data + HH_DATA_OFF(sizeof(*h)));
+       h->h_proto = type;
+       memcpy(h->h_dest, neigh->ha, net->addr_len);
+-      hh->hh_len = FWNET_HLEN;
++
++      /* Pairs with the READ_ONCE() in neigh_resolve_output(),
++       * neigh_hh_output() and neigh_update_hhs().
++       */
++      smp_store_release(&hh->hh_len, FWNET_HLEN);
+       return 0;
+ }
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 1c0d07376125..a68a460fa4f3 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -454,7 +454,7 @@ static inline int neigh_hh_output(const struct hh_cache *hh, struct sk_buff *skb
+       do {
+               seq = read_seqbegin(&hh->hh_lock);
+-              hh_len = hh->hh_len;
++              hh_len = READ_ONCE(hh->hh_len);
+               if (likely(hh_len <= HH_DATA_MOD)) {
+                       hh_alen = HH_DATA_MOD;
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 44a29be7bfff..cd85cee14bd0 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1058,7 +1058,7 @@ static void neigh_update_hhs(struct neighbour *neigh)
+       if (update) {
+               hh = &neigh->hh;
+-              if (hh->hh_len) {
++              if (READ_ONCE(hh->hh_len)) {
+                       write_seqlock_bh(&hh->hh_lock);
+                       update(hh, neigh->dev, neigh->ha);
+                       write_sequnlock_bh(&hh->hh_lock);
+@@ -1319,7 +1319,7 @@ int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb)
+               struct net_device *dev = neigh->dev;
+               unsigned int seq;
+-              if (dev->header_ops->cache && !neigh->hh.hh_len)
++              if (dev->header_ops->cache && !READ_ONCE(neigh->hh.hh_len))
+                       neigh_hh_init(neigh);
+               do {
+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
+index 24d7aff8db1a..204aa0131fbe 100644
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -238,7 +238,12 @@ int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh, __be16
+       eth->h_proto = type;
+       memcpy(eth->h_source, dev->dev_addr, ETH_ALEN);
+       memcpy(eth->h_dest, neigh->ha, ETH_ALEN);
+-      hh->hh_len = ETH_HLEN;
++
++      /* Pairs with READ_ONCE() in neigh_resolve_output(),
++       * neigh_hh_output() and neigh_update_hhs().
++       */
++      smp_store_release(&hh->hh_len, ETH_HLEN);
++
+       return 0;
+ }
+ EXPORT_SYMBOL(eth_header_cache);
+-- 
+2.20.1
+
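Review bot: The comments added in fwnet_header_cache() and eth_header_cache() say the `smp_store_release()` pairs with `READ_ONCE()`, but `READ_ONCE()` provides no acquire ordering. A reader that sees a non-zero `hh_len` is therefore not guaranteed, by that pairing alone, to see the header bytes written before it. If the readers rely on the `hh_lock` seqcount (visible in the neigh_hh_output() hunk) or another barrier outside these hunks, the comment should name it, e.g. `/* Publish hh_len last; readers use READ_ONCE() and rely on <barrier> to see hh_data. */`. Otherwise `smp_load_acquire(&hh->hh_len)` on the read side is the matching primitive. All five function bodies continue outside their hunks.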
diff --git a/queue-4.9/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch b/queue-4.9/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch
new file mode 100644 (file)
index 0000000..4248023
--- /dev/null
@@ -0,0 +1,116 @@
+From bd81c5441903835109fe5866d1e81403d56a89c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jun 2019 16:56:57 +1000
+Subject: powerpc/pseries/hvconsole: Fix stack overread via udbg
+
+From: Daniel Axtens <dja@axtens.net>
+
+[ Upstream commit 934bda59f286d0221f1a3ebab7f5156a996cc37d ]
+
+While developing KASAN for 64-bit book3s, I hit the following stack
+over-read.
+
+It occurs because the hypercall to put characters onto the terminal
+takes 2 longs (128 bits/16 bytes) of characters at a time, and so
+hvc_put_chars() would unconditionally copy 16 bytes from the argument
+buffer, regardless of supplied length. However, udbg_hvc_putc() can
+call hvc_put_chars() with a single-byte buffer, leading to the error.
+
+  ==================================================================
+  BUG: KASAN: stack-out-of-bounds in hvc_put_chars+0xdc/0x110
+  Read of size 8 at addr c0000000023e7a90 by task swapper/0
+
+  CPU: 0 PID: 0 Comm: swapper Not tainted 5.2.0-rc2-next-20190528-02824-g048a6ab4835b #113
+  Call Trace:
+    dump_stack+0x104/0x154 (unreliable)
+    print_address_description+0xa0/0x30c
+    __kasan_report+0x20c/0x224
+    kasan_report+0x18/0x30
+    __asan_report_load8_noabort+0x24/0x40
+    hvc_put_chars+0xdc/0x110
+    hvterm_raw_put_chars+0x9c/0x110
+    udbg_hvc_putc+0x154/0x200
+    udbg_write+0xf0/0x240
+    console_unlock+0x868/0xd30
+    register_console+0x970/0xe90
+    register_early_udbg_console+0xf8/0x114
+    setup_arch+0x108/0x790
+    start_kernel+0x104/0x784
+    start_here_common+0x1c/0x534
+
+  Memory state around the buggy address:
+   c0000000023e7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   c0000000023e7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
+  >c0000000023e7a80: f1 f1 01 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
+                           ^
+   c0000000023e7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   c0000000023e7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  ==================================================================
+
+Document that a 16-byte buffer is requred, and provide it in udbg.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/hvconsole.c |  2 +-
+ drivers/tty/hvc/hvc_vio.c                  | 16 +++++++++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hvconsole.c b/arch/powerpc/platforms/pseries/hvconsole.c
+index 74da18de853a..73ec15cd2708 100644
+--- a/arch/powerpc/platforms/pseries/hvconsole.c
++++ b/arch/powerpc/platforms/pseries/hvconsole.c
+@@ -62,7 +62,7 @@ EXPORT_SYMBOL(hvc_get_chars);
+  * @vtermno: The vtermno or unit_address of the adapter from which the data
+  *    originated.
+  * @buf: The character buffer that contains the character data to send to
+- *    firmware.
++ *    firmware. Must be at least 16 bytes, even if count is less than 16.
+  * @count: Send this number of characters.
+  */
+ int hvc_put_chars(uint32_t vtermno, const char *buf, int count)
+diff --git a/drivers/tty/hvc/hvc_vio.c b/drivers/tty/hvc/hvc_vio.c
+index b05dc5086627..8bab8b00d47d 100644
+--- a/drivers/tty/hvc/hvc_vio.c
++++ b/drivers/tty/hvc/hvc_vio.c
+@@ -120,6 +120,14 @@ static int hvterm_raw_get_chars(uint32_t vtermno, char *buf, int count)
+       return got;
+ }
++/**
++ * hvterm_raw_put_chars: send characters to firmware for given vterm adapter
++ * @vtermno: The virtual terminal number.
++ * @buf: The characters to send. Because of the underlying hypercall in
++ *       hvc_put_chars(), this buffer must be at least 16 bytes long, even if
++ *       you are sending fewer chars.
++ * @count: number of chars to send.
++ */
+ static int hvterm_raw_put_chars(uint32_t vtermno, const char *buf, int count)
+ {
+       struct hvterm_priv *pv = hvterm_privs[vtermno];
+@@ -232,6 +240,7 @@ static const struct hv_ops hvterm_hvsi_ops = {
+ static void udbg_hvc_putc(char c)
+ {
+       int count = -1;
++      unsigned char bounce_buffer[16];
+       if (!hvterm_privs[0])
+               return;
+@@ -242,7 +251,12 @@ static void udbg_hvc_putc(char c)
+       do {
+               switch(hvterm_privs[0]->proto) {
+               case HV_PROTOCOL_RAW:
+-                      count = hvterm_raw_put_chars(0, &c, 1);
++                      /*
++                       * hvterm_raw_put_chars requires at least a 16-byte
++                       * buffer, so go via the bounce buffer
++                       */
++                      bounce_buffer[0] = c;
++                      count = hvterm_raw_put_chars(0, bounce_buffer, 1);
+                       break;
+               case HV_PROTOCOL_HVSI:
+                       count = hvterm_hvsi_put_chars(0, &c, 1);
+-- 
+2.20.1
+
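Review bot: `bounce_buffer` in udbg_hvc_putc() is left uninitialised and only element 0 is set. Since the commit message states that hvc_put_chars() always copies 16 bytes into the hypercall, the other 15 bytes handed to firmware are stale kernel stack. Zero it at declaration, and use plain `char` to match the `const char *buf` parameter: `char bounce_buffer[16] = { 0 };`. The `HV_PROTOCOL_HVSI` branch still passes `&c` with a count of 1; whether hvterm_hvsi_put_chars() copies into its own packet before reaching hvc_put_chars() is not visible here and is worth confirming. udbg_hvc_putc() continues outside the hunk.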
diff --git a/queue-4.9/rxrpc-fix-possible-null-pointer-access-in-icmp-handl.patch b/queue-4.9/rxrpc-fix-possible-null-pointer-access-in-icmp-handl.patch
new file mode 100644 (file)
index 0000000..a300305
--- /dev/null
@@ -0,0 +1,68 @@
+From c41bb5665f14349cad63098751f3b6e1f8dd5fa2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2019 15:52:34 +0100
+Subject: rxrpc: Fix possible NULL pointer access in ICMP handling
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit f0308fb0708078d6c1d8a4d533941a7a191af634 ]
+
+If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as
+the UDP socket is being shut down, rxrpc_error_report() may get called to
+deal with it after sk_user_data on the UDP socket has been cleared, leading
+to a NULL pointer access when this local endpoint record gets accessed.
+
+Fix this by just returning immediately if sk_user_data was NULL.
+
+The oops looks like the following:
+
+#PF: supervisor read access in kernel mode
+#PF: error_code(0x0000) - not-present page
+...
+RIP: 0010:rxrpc_error_report+0x1bd/0x6a9
+...
+Call Trace:
+ ? sock_queue_err_skb+0xbd/0xde
+ ? __udp4_lib_err+0x313/0x34d
+ __udp4_lib_err+0x313/0x34d
+ icmp_unreach+0x1ee/0x207
+ icmp_rcv+0x25b/0x28f
+ ip_protocol_deliver_rcu+0x95/0x10e
+ ip_local_deliver+0xe9/0x148
+ __netif_receive_skb_one_core+0x52/0x6e
+ process_backlog+0xdc/0x177
+ net_rx_action+0xf9/0x270
+ __do_softirq+0x1b6/0x39a
+ ? smpboot_register_percpu_thread+0xce/0xce
+ run_ksoftirqd+0x1d/0x42
+ smpboot_thread_fn+0x19e/0x1b3
+ kthread+0xf1/0xf6
+ ? kthread_delayed_work_timer_fn+0x83/0x83
+ ret_from_fork+0x24/0x30
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Reported-by: syzbot+611164843bd48cc2190c@syzkaller.appspotmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/peer_event.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
+index bf13b8470c9a..80950a4384aa 100644
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -148,6 +148,9 @@ void rxrpc_error_report(struct sock *sk)
+       struct rxrpc_peer *peer;
+       struct sk_buff *skb;
++      if (unlikely(!local))
++              return;
++
+       _enter("%p{%d}", sk, local->debug_id);
+       skb = sock_dequeue_err_skb(sk);
+-- 
+2.20.1
+
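Review bot: The new `if (unlikely(!local)) return;` in rxrpc_error_report() only covers the case where sk_user_data was already NULL when `local` was initialised, and that initialisation sits above the hunk. If it is a plain load of `sk->sk_user_data` with no RCU read section or reference held, socket teardown that runs just after the check could presumably still release the local endpoint while `_enter()` and the code below use it. The lifetime of `local` across this function is therefore worth confirming. A short comment on the check would also help, for example `/* sk_user_data is cleared on shutdown; a late ICMP error can still reach us */`.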
diff --git a/queue-4.9/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch b/queue-4.9/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch
new file mode 100644 (file)
index 0000000..ce87a0c
--- /dev/null
@@ -0,0 +1,155 @@
+From 7dd0300cc6571589e7610777ea3048e6e49e76b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Nov 2019 14:55:38 +0100
+Subject: s390/smp: fix physical to logical CPU map for SMT
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+[ Upstream commit 72a81ad9d6d62dcb79f7e8ad66ffd1c768b72026 ]
+
+If an SMT capable system is not IPL'ed from the first CPU the setup of
+the physical to logical CPU mapping is broken: the IPL core gets CPU
+number 0, but then the next core gets CPU number 1. Correct would be
+that all SMT threads of CPU 0 get the subsequent logical CPU numbers.
+
+This is important since a lot of code (like e.g. the CPU topology
+code) assumes that CPU maps are setup like this. If the mapping is
+broken the system will not IPL due to broken topology masks:
+
+[    1.716341] BUG: arch topology broken
+[    1.716342]      the SMT domain not a subset of the MC domain
+[    1.716343] BUG: arch topology broken
+[    1.716344]      the MC domain not a subset of the BOOK domain
+
+This scenario can usually not happen since LPARs are always IPL'ed
+from CPU 0 and also re-IPL is intiated from CPU 0. However older
+kernels did initiate re-IPL on an arbitrary CPU. If therefore a re-IPL
+from an old kernel into a new kernel is initiated this may lead to
+crash.
+
+Fix this by setting up the physical to logical CPU mapping correctly.
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/smp.c | 80 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 54 insertions(+), 26 deletions(-)
+
+diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
+index d52a94e9f57f..cba8e56cd63d 100644
+--- a/arch/s390/kernel/smp.c
++++ b/arch/s390/kernel/smp.c
+@@ -691,39 +691,67 @@ static struct sclp_core_info *smp_get_core_info(void)
+ static int smp_add_present_cpu(int cpu);
+-static int __smp_rescan_cpus(struct sclp_core_info *info, int sysfs_add)
++static int smp_add_core(struct sclp_core_entry *core, cpumask_t *avail,
++                      bool configured, bool early)
+ {
+       struct pcpu *pcpu;
+-      cpumask_t avail;
+-      int cpu, nr, i, j;
++      int cpu, nr, i;
+       u16 address;
+       nr = 0;
+-      cpumask_xor(&avail, cpu_possible_mask, cpu_present_mask);
+-      cpu = cpumask_first(&avail);
+-      for (i = 0; (i < info->combined) && (cpu < nr_cpu_ids); i++) {
+-              if (sclp.has_core_type && info->core[i].type != boot_core_type)
++      if (sclp.has_core_type && core->type != boot_core_type)
++              return nr;
++      cpu = cpumask_first(avail);
++      address = core->core_id << smp_cpu_mt_shift;
++      for (i = 0; (i <= smp_cpu_mtid) && (cpu < nr_cpu_ids); i++) {
++              if (pcpu_find_address(cpu_present_mask, address + i))
+                       continue;
+-              address = info->core[i].core_id << smp_cpu_mt_shift;
+-              for (j = 0; j <= smp_cpu_mtid; j++) {
+-                      if (pcpu_find_address(cpu_present_mask, address + j))
+-                              continue;
+-                      pcpu = pcpu_devices + cpu;
+-                      pcpu->address = address + j;
+-                      pcpu->state =
+-                              (cpu >= info->configured*(smp_cpu_mtid + 1)) ?
+-                              CPU_STATE_STANDBY : CPU_STATE_CONFIGURED;
+-                      smp_cpu_set_polarization(cpu, POLARIZATION_UNKNOWN);
+-                      set_cpu_present(cpu, true);
+-                      if (sysfs_add && smp_add_present_cpu(cpu) != 0)
+-                              set_cpu_present(cpu, false);
+-                      else
+-                              nr++;
+-                      cpu = cpumask_next(cpu, &avail);
+-                      if (cpu >= nr_cpu_ids)
++              pcpu = pcpu_devices + cpu;
++              pcpu->address = address + i;
++              if (configured)
++                      pcpu->state = CPU_STATE_CONFIGURED;
++              else
++                      pcpu->state = CPU_STATE_STANDBY;
++              smp_cpu_set_polarization(cpu, POLARIZATION_UNKNOWN);
++              set_cpu_present(cpu, true);
++              if (!early && smp_add_present_cpu(cpu) != 0)
++                      set_cpu_present(cpu, false);
++              else
++                      nr++;
++              cpumask_clear_cpu(cpu, avail);
++              cpu = cpumask_next(cpu, avail);
++      }
++      return nr;
++}
++
++static int __smp_rescan_cpus(struct sclp_core_info *info, bool early)
++{
++      struct sclp_core_entry *core;
++      cpumask_t avail;
++      bool configured;
++      u16 core_id;
++      int nr, i;
++
++      nr = 0;
++      cpumask_xor(&avail, cpu_possible_mask, cpu_present_mask);
++      /*
++       * Add IPL core first (which got logical CPU number 0) to make sure
++       * that all SMT threads get subsequent logical CPU numbers.
++       */
++      if (early) {
++              core_id = pcpu_devices[0].address >> smp_cpu_mt_shift;
++              for (i = 0; i < info->configured; i++) {
++                      core = &info->core[i];
++                      if (core->core_id == core_id) {
++                              nr += smp_add_core(core, &avail, true, early);
+                               break;
++                      }
+               }
+       }
++      for (i = 0; i < info->combined; i++) {
++              configured = i < info->configured;
++              nr += smp_add_core(&info->core[i], &avail, configured, early);
++      }
+       return nr;
+ }
+@@ -771,7 +799,7 @@ static void __init smp_detect_cpus(void)
+       /* Add CPUs present at boot */
+       get_online_cpus();
+-      __smp_rescan_cpus(info, 0);
++      __smp_rescan_cpus(info, true);
+       put_online_cpus();
+       kfree(info);
+ }
+@@ -1127,7 +1155,7 @@ int __ref smp_rescan_cpus(void)
+               return -ENOMEM;
+       get_online_cpus();
+       mutex_lock(&smp_cpu_state_mutex);
+-      nr = __smp_rescan_cpus(info, 1);
++      nr = __smp_rescan_cpus(info, false);
+       mutex_unlock(&smp_cpu_state_mutex);
+       put_online_cpus();
+       kfree(info);
+-- 
+2.20.1
+
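Review bot: In the new `__smp_rescan_cpus()`, the early path adds the IPL core and then the `info->combined` loop passes the same core to `smp_add_core()` a second time. Nothing is added twice only because `smp_add_core()` skips addresses that `pcpu_find_address()` already finds in `cpu_present_mask`. That dependency is not stated anywhere, so a comment before the second loop such as `/* cores already present, including the IPL core added above, are skipped by smp_add_core() */` would protect it against later refactoring. `smp_add_core()` also clears each consumed CPU from the caller's `avail` mask, even when `smp_add_present_cpu()` fails, which deserves a line in a header comment since the mask is shared across calls.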
index 1945f3bfd75308916c66b748bfaf0b59074f63c0..43e6138adaf7acb1a140c5037d6d09dd053197ba 100644 (file)
@@ -41,3 +41,13 @@ regulator-ab8500-remove-ab8505-usb-regulator.patch
 media-usb-fix-memory-leak-in-af9005_identify_state.patch
 tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
 fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch
+drm-mst-fix-mst-sideband-up-reply-failure-handling.patch
+powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch
+coresight-tmc-etf-do-not-call-smp_processor_id-from-.patch
+coresight-etb10-do-not-call-smp_processor_id-from-pr.patch
+rxrpc-fix-possible-null-pointer-access-in-icmp-handl.patch
+ath9k_htc-modify-byte-order-for-an-error-message.patch
+ath9k_htc-discard-undersized-packets.patch
+net-add-annotations-on-hh-hh_len-lockless-accesses.patch
+s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch
+xen-blkback-avoid-unmapping-unmapped-grant-pages.patch
diff --git a/queue-4.9/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch b/queue-4.9/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch
new file mode 100644 (file)
index 0000000..7657b9d
--- /dev/null
@@ -0,0 +1,72 @@
+From 7283683b3ca6601ded9b773501c043e66aca29e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2019 16:36:05 +0100
+Subject: xen/blkback: Avoid unmapping unmapped grant pages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: SeongJae Park <sjpark@amazon.de>
+
+[ Upstream commit f9bd84a8a845d82f9b5a081a7ae68c98a11d2e84 ]
+
+For each I/O request, blkback first maps the foreign pages for the
+request to its local pages.  If an allocation of a local page for the
+mapping fails, it should unmap every mapping already made for the
+request.
+
+However, blkback's handling mechanism for the allocation failure does
+not mark the remaining foreign pages as unmapped.  Therefore, the unmap
+function merely tries to unmap every valid grant page for the request,
+including the pages not mapped due to the allocation failure.  On a
+system that fails the allocation frequently, this problem leads to
+following kernel crash.
+
+  [  372.012538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
+  [  372.012546] IP: [<ffffffff814071ac>] gnttab_unmap_refs.part.7+0x1c/0x40
+  [  372.012557] PGD 16f3e9067 PUD 16426e067 PMD 0
+  [  372.012562] Oops: 0002 [#1] SMP
+  [  372.012566] Modules linked in: act_police sch_ingress cls_u32
+  ...
+  [  372.012746] Call Trace:
+  [  372.012752]  [<ffffffff81407204>] gnttab_unmap_refs+0x34/0x40
+  [  372.012759]  [<ffffffffa0335ae3>] xen_blkbk_unmap+0x83/0x150 [xen_blkback]
+  ...
+  [  372.012802]  [<ffffffffa0336c50>] dispatch_rw_block_io+0x970/0x980 [xen_blkback]
+  ...
+  Decompressing Linux... Parsing ELF... done.
+  Booting the kernel.
+  [    0.000000] Initializing cgroup subsys cpuset
+
+This commit fixes this problem by marking the grant pages of the given
+request that didn't mapped due to the allocation failure as invalid.
+
+Fixes: c6cc142dac52 ("xen-blkback: use balloon pages for all mappings")
+
+Reviewed-by: David Woodhouse <dwmw@amazon.de>
+Reviewed-by: Maximilian Heyne <mheyne@amazon.de>
+Reviewed-by: Paul Durrant <pdurrant@amazon.co.uk>
+Reviewed-by: Roger Pau MonnĂ© <roger.pau@citrix.com>
+Signed-off-by: SeongJae Park <sjpark@amazon.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/xen-blkback/blkback.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
+index d6eaaa25d1cc..a700e525535c 100644
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -929,6 +929,8 @@ next:
+ out_of_memory:
+       pr_alert("%s: out of memory\n", __func__);
+       put_free_pages(ring, pages_to_gnt, segs_to_map);
++      for (i = last_map; i < num; i++)
++              pages[i]->handle = BLKBACK_INVALID_HANDLE;
+       return -ENOMEM;
+ }
+-- 
+2.20.1
+
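Review bot: The added loop in the `out_of_memory:` path resets `pages[i]->handle` from `last_map` to `num`, but what `last_map` marks is established earlier in the function, outside this hunk, so the reason the loop starts there is not readable at the label. A comment would make the invariant explicit, e.g. `/* entries from last_map on were never grant-mapped; mark them so the unmap path skips them */`. Separately, the `pr_alert()` on the context line above is not rate limited, and the commit message describes systems where this allocation fails frequently. Using `pr_alert_ratelimited("%s: out of memory\n", __func__);` would keep repeated failures from flooding the log.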