4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 May 2019 09:52:02 +0000 (11:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 May 2019 09:52:02 +0000 (11:52 +0200)
added patches:
ceph-flush-dirty-inodes-before-proceeding-with-remount.patch
cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch
clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch
fuse-fix-writepages-on-32bit.patch
fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch
intel_th-msu-fix-single-mode-with-iommu.patch
iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch
md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch
media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch
nfs4-fix-v4.0-client-state-corruption-when-mount.patch
of-fix-clang-wunsequenced-for-be32_to_cpu.patch
parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch
stm-class-fix-channel-bitmap-on-32-bit-systems.patch
stm-class-fix-channel-free-in-stm-output-free-path.patch

15 files changed:
queue-4.4/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch [new file with mode: 0644]
queue-4.4/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch [new file with mode: 0644]
queue-4.4/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch [new file with mode: 0644]
queue-4.4/fuse-fix-writepages-on-32bit.patch [new file with mode: 0644]
queue-4.4/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch [new file with mode: 0644]
queue-4.4/intel_th-msu-fix-single-mode-with-iommu.patch [new file with mode: 0644]
queue-4.4/iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch [new file with mode: 0644]
queue-4.4/md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.4/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch [new file with mode: 0644]
queue-4.4/nfs4-fix-v4.0-client-state-corruption-when-mount.patch [new file with mode: 0644]
queue-4.4/of-fix-clang-wunsequenced-for-be32_to_cpu.patch [new file with mode: 0644]
queue-4.4/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/stm-class-fix-channel-bitmap-on-32-bit-systems.patch [new file with mode: 0644]
queue-4.4/stm-class-fix-channel-free-in-stm-output-free-path.patch [new file with mode: 0644]

diff --git a/queue-4.4/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch b/queue-4.4/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch
new file mode 100644 (file)
index 0000000..b078ff7
--- /dev/null
@@ -0,0 +1,48 @@
+From 00abf69dd24f4444d185982379c5cc3bb7b6d1fc Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 7 May 2019 09:20:54 -0400
+Subject: ceph: flush dirty inodes before proceeding with remount
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 00abf69dd24f4444d185982379c5cc3bb7b6d1fc upstream.
+
+xfstest generic/452 was triggering a "Busy inodes after umount" warning.
+ceph was allowing the mount to go read-only without first flushing out
+dirty inodes in the cache. Ensure we sync out the filesystem before
+allowing a remount to proceed.
+
+Cc: stable@vger.kernel.org
+Link: http://tracker.ceph.com/issues/39571
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/super.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -712,6 +712,12 @@ static void ceph_umount_begin(struct sup
+       return;
+ }
++static int ceph_remount(struct super_block *sb, int *flags, char *data)
++{
++      sync_filesystem(sb);
++      return 0;
++}
++
+ static const struct super_operations ceph_super_ops = {
+       .alloc_inode    = ceph_alloc_inode,
+       .destroy_inode  = ceph_destroy_inode,
+@@ -719,6 +725,7 @@ static const struct super_operations cep
+       .drop_inode     = ceph_drop_inode,
+       .sync_fs        = ceph_sync_fs,
+       .put_super      = ceph_put_super,
++      .remount_fs     = ceph_remount,
+       .show_options   = ceph_show_options,
+       .statfs         = ceph_statfs,
+       .umount_begin   = ceph_umount_begin,
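Review bot: The new `ceph_remount()` discards the result of `sync_filesystem(sb)` and always returns 0, so a writeback error during the flush would not stop the remount from proceeding. If failing the remount on a flush error is acceptable here, `return sync_filesystem(sb);` would propagate it. Otherwise a short comment such as `/* best effort: flush dirty inodes, remount proceeds regardless */` would record that the result is dropped on purpose. The handler also leaves `flags` and `data` unused, which looks intentional but is not stated anywhere in the added code.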
diff --git a/queue-4.4/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch b/queue-4.4/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch
new file mode 100644 (file)
index 0000000..684ce8a
--- /dev/null
@@ -0,0 +1,62 @@
+From 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb Mon Sep 17 00:00:00 2001
+From: Christoph Probst <kernel@probst.it>
+Date: Tue, 7 May 2019 17:16:40 +0200
+Subject: cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
+
+From: Christoph Probst <kernel@probst.it>
+
+commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream.
+
+Change strcat to strncpy in the "None" case to fix a buffer overflow
+when cinode->oplock is reset to 0 by another thread accessing the same
+cinode. It is never valid to append "None" to any other message.
+
+Consolidate multiple writes to cinode->oplock to reduce raciness.
+
+Signed-off-by: Christoph Probst <kernel@probst.it>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1329,26 +1329,28 @@ smb21_set_oplock_level(struct cifsInodeI
+                      unsigned int epoch, bool *purge_cache)
+ {
+       char message[5] = {0};
++      unsigned int new_oplock = 0;
+       oplock &= 0xFF;
+       if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE)
+               return;
+-      cinode->oplock = 0;
+       if (oplock & SMB2_LEASE_READ_CACHING_HE) {
+-              cinode->oplock |= CIFS_CACHE_READ_FLG;
++              new_oplock |= CIFS_CACHE_READ_FLG;
+               strcat(message, "R");
+       }
+       if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) {
+-              cinode->oplock |= CIFS_CACHE_HANDLE_FLG;
++              new_oplock |= CIFS_CACHE_HANDLE_FLG;
+               strcat(message, "H");
+       }
+       if (oplock & SMB2_LEASE_WRITE_CACHING_HE) {
+-              cinode->oplock |= CIFS_CACHE_WRITE_FLG;
++              new_oplock |= CIFS_CACHE_WRITE_FLG;
+               strcat(message, "W");
+       }
+-      if (!cinode->oplock)
+-              strcat(message, "None");
++      if (!new_oplock)
++              strncpy(message, "None", sizeof(message));
++
++      cinode->oplock = new_oplock;
+       cifs_dbg(FYI, "%s Lease granted on inode %p\n", message,
+                &cinode->vfs_inode);
+ }
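Review bot: The added `strncpy(message, "None", sizeof(message));` ends up NUL-terminated only because "None" is exactly one byte shorter than `char message[5]`; strncpy() itself does not guarantee a terminator, so any longer literal would leave `message` unterminated when it reaches the `%s` in `cifs_dbg()`. A copy that always terminates states the intent directly, e.g. `strlcpy(message, "None", sizeof(message));`. Separately, the final `cinode->oplock = new_oplock;` is still a plain store with no lock or ordering visible in this hunk, so concurrent readers are presumably still possible; the commit message only claims reduced raciness, and a comment at the store saying which lock (if any) callers hold would help. The function's signature starts outside the hunk.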
diff --git a/queue-4.4/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch b/queue-4.4/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch
new file mode 100644 (file)
index 0000000..293a80a
--- /dev/null
@@ -0,0 +1,39 @@
+From 40db569d6769ffa3864fd1b89616b1a7323568a8 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Fri, 12 Apr 2019 00:48:34 +0300
+Subject: clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 40db569d6769ffa3864fd1b89616b1a7323568a8 upstream.
+
+There are wrongly set parenthesis in the code that are resulting in a
+wrong configuration being programmed for PLLM. The original fix was made
+by Danny Huang in the downstream kernel. The patch was tested on Nyan Big
+Tegra124 chromebook, PLLM rate changing works correctly now and system
+doesn't lock up after changing the PLLM rate due to EMC scaling.
+
+Cc: <stable@vger.kernel.org>
+Tested-by: Steev Klimaszewski <steev@kali.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/tegra/clk-pll.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -492,8 +492,8 @@ static void _update_pll_mnp(struct tegra
+               pll_override_writel(val, params->pmc_divp_reg, pll);
+               val = pll_override_readl(params->pmc_divnm_reg, pll);
+-              val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) |
+-                      ~(divn_mask(pll) << div_nmp->override_divn_shift);
++              val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) |
++                      (divn_mask(pll) << div_nmp->override_divn_shift));
+               val |= (cfg->m << div_nmp->override_divm_shift) |
+                       (cfg->n << div_nmp->override_divn_shift);
+               pll_override_writel(val, params->pmc_divnm_reg, pll);
diff --git a/queue-4.4/fuse-fix-writepages-on-32bit.patch b/queue-4.4/fuse-fix-writepages-on-32bit.patch
new file mode 100644 (file)
index 0000000..d691a1f
--- /dev/null
@@ -0,0 +1,36 @@
+From 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 24 Apr 2019 17:05:06 +0200
+Subject: fuse: fix writepages on 32bit
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 upstream.
+
+Writepage requests were cropped to i_size & 0xffffffff, which meant that
+mmaped writes to any file larger than 4G might be silently discarded.
+
+Fix by storing the file size in a properly sized variable (loff_t instead
+of size_t).
+
+Reported-by: Antonio SJ Musumeci <trapexit@spawn.link>
+Fixes: 6eaf4782eb09 ("fuse: writepages: crop secondary requests")
+Cc: <stable@vger.kernel.org> # v3.13
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1533,7 +1533,7 @@ __acquires(fc->lock)
+ {
+       struct fuse_conn *fc = get_fuse_conn(inode);
+       struct fuse_inode *fi = get_fuse_inode(inode);
+-      size_t crop = i_size_read(inode);
++      loff_t crop = i_size_read(inode);
+       struct fuse_req *req;
+       while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) {
diff --git a/queue-4.4/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch b/queue-4.4/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch
new file mode 100644 (file)
index 0000000..965f025
--- /dev/null
@@ -0,0 +1,40 @@
+From 0cbade024ba501313da3b7e5dd2a188a6bc491b5 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Thu, 18 Apr 2019 04:04:41 +0800
+Subject: fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
+
+From: Liu Bo <bo.liu@linux.alibaba.com>
+
+commit 0cbade024ba501313da3b7e5dd2a188a6bc491b5 upstream.
+
+fstests generic/228 reported this failure that fuse fallocate does not
+honor what 'ulimit -f' has set.
+
+This adds the necessary inode_newsize_ok() check.
+
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation")
+Cc: <stable@vger.kernel.org> # v3.5
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -2947,6 +2947,13 @@ static long fuse_file_fallocate(struct f
+               }
+       }
++      if (!(mode & FALLOC_FL_KEEP_SIZE) &&
++          offset + length > i_size_read(inode)) {
++              err = inode_newsize_ok(inode, offset + length);
++              if (err)
++                      return err;
++      }
++
+       if (!(mode & FALLOC_FL_KEEP_SIZE))
+               set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
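Review bot: The added `return err;` after `inode_newsize_ok()` leaves `fuse_file_fallocate()` directly, and the two closing braces just above it suggest a block that may have taken a lock earlier in the function, which is outside this hunk. If the inode lock is held at this point for the non-KEEP_SIZE case, this early return would skip the unlock and leave the inode locked after a failed RLIMIT_FSIZE check. Branching to the function's common exit path instead of returning would avoid that; please confirm against the full function. `offset + length` is also computed twice with no overflow guard visible here, presumably because the VFS caller has already range-checked it.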
diff --git a/queue-4.4/intel_th-msu-fix-single-mode-with-iommu.patch b/queue-4.4/intel_th-msu-fix-single-mode-with-iommu.patch
new file mode 100644 (file)
index 0000000..b912bf8
--- /dev/null
@@ -0,0 +1,104 @@
+From 4e0eaf239fb33ebc671303e2b736fa043462e2f4 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 3 May 2019 11:44:34 +0300
+Subject: intel_th: msu: Fix single mode with IOMMU
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 4e0eaf239fb33ebc671303e2b736fa043462e2f4 upstream.
+
+Currently, the pages that are allocated for the single mode of MSC are not
+mapped into the device's dma space and the code is incorrectly using
+*_to_phys() in place of a dma address. This fails with IOMMU enabled and
+is otherwise bad practice.
+
+Fix the single mode buffer allocation to map the pages into the device's
+DMA space.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: ba82664c134e ("intel_th: Add Memory Storage Unit driver")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/msu.c |   35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/msu.c
++++ b/drivers/hwtracing/intel_th/msu.c
+@@ -90,6 +90,7 @@ struct msc_iter {
+  * @reg_base:         register window base address
+  * @thdev:            intel_th_device pointer
+  * @win_list:         list of windows in multiblock mode
++ * @single_sgt:               single mode buffer
+  * @nr_pages:         total number of pages allocated for this buffer
+  * @single_sz:                amount of data in single mode
+  * @single_wrap:      single mode wrap occurred
+@@ -110,6 +111,7 @@ struct msc {
+       struct intel_th_device  *thdev;
+       struct list_head        win_list;
++      struct sg_table         single_sgt;
+       unsigned long           nr_pages;
+       unsigned long           single_sz;
+       unsigned int            single_wrap : 1;
+@@ -610,22 +612,45 @@ static void intel_th_msc_deactivate(stru
+  */
+ static int msc_buffer_contig_alloc(struct msc *msc, unsigned long size)
+ {
++      unsigned long nr_pages = size >> PAGE_SHIFT;
+       unsigned int order = get_order(size);
+       struct page *page;
++      int ret;
+       if (!size)
+               return 0;
++      ret = sg_alloc_table(&msc->single_sgt, 1, GFP_KERNEL);
++      if (ret)
++              goto err_out;
++
++      ret = -ENOMEM;
+       page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
+       if (!page)
+-              return -ENOMEM;
++              goto err_free_sgt;
+       split_page(page, order);
+-      msc->nr_pages = size >> PAGE_SHIFT;
++      sg_set_buf(msc->single_sgt.sgl, page_address(page), size);
++
++      ret = dma_map_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl, 1,
++                       DMA_FROM_DEVICE);
++      if (ret < 0)
++              goto err_free_pages;
++
++      msc->nr_pages = nr_pages;
+       msc->base = page_address(page);
+-      msc->base_addr = page_to_phys(page);
++      msc->base_addr = sg_dma_address(msc->single_sgt.sgl);
+       return 0;
++
++err_free_pages:
++      __free_pages(page, order);
++
++err_free_sgt:
++      sg_free_table(&msc->single_sgt);
++
++err_out:
++      return ret;
+ }
+ /**
+@@ -636,6 +661,10 @@ static void msc_buffer_contig_free(struc
+ {
+       unsigned long off;
++      dma_unmap_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl,
++                   1, DMA_FROM_DEVICE);
++      sg_free_table(&msc->single_sgt);
++
+       for (off = 0; off < msc->nr_pages << PAGE_SHIFT; off += PAGE_SIZE) {
+               struct page *page = virt_to_page(msc->base + off);
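Review bot: The failure check after `dma_map_sg()` in `msc_buffer_contig_alloc()` tests `ret < 0`, but dma_map_sg() reports failure by returning 0, so a failed mapping falls through and `sg_dma_address()` is then read from an unmapped entry and programmed as the buffer base. The check should be on zero and set an error code, e.g. `if (!ret) { ret = -ENOMEM; goto err_free_pages; }`. On the same path, `err_free_pages` calls `__free_pages(page, order)` after `split_page(page, order)` has already broken the allocation into independent order-0 pages; freeing them one by one, as the loop in `msc_buffer_contig_free()` appears to do, looks like the matching teardown. That free function continues outside the hunk, so the per-page part is inferred.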
diff --git a/queue-4.4/iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch b/queue-4.4/iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch
new file mode 100644 (file)
index 0000000..99abf36
--- /dev/null
@@ -0,0 +1,81 @@
+From 43a0541e312f7136e081e6bf58f6c8a2e9672688 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Thu, 7 Mar 2019 01:50:07 +0300
+Subject: iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 43a0541e312f7136e081e6bf58f6c8a2e9672688 upstream.
+
+Both Tegra30 and Tegra114 have 4 ASID's and the corresponding bitfield of
+the TLB_FLUSH register differs from later Tegra generations that have 128
+ASID's.
+
+In a result the PTE's are now flushed correctly from TLB and this fixes
+problems with graphics (randomly failing tests) on Tegra30.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/tegra-smmu.c |   25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/drivers/iommu/tegra-smmu.c
++++ b/drivers/iommu/tegra-smmu.c
+@@ -91,7 +91,6 @@ static inline u32 smmu_readl(struct tegr
+ #define  SMMU_TLB_FLUSH_VA_MATCH_ALL     (0 << 0)
+ #define  SMMU_TLB_FLUSH_VA_MATCH_SECTION (2 << 0)
+ #define  SMMU_TLB_FLUSH_VA_MATCH_GROUP   (3 << 0)
+-#define  SMMU_TLB_FLUSH_ASID(x)          (((x) & 0x7f) << 24)
+ #define  SMMU_TLB_FLUSH_VA_SECTION(addr) ((((addr) & 0xffc00000) >> 12) | \
+                                         SMMU_TLB_FLUSH_VA_MATCH_SECTION)
+ #define  SMMU_TLB_FLUSH_VA_GROUP(addr)   ((((addr) & 0xffffc000) >> 12) | \
+@@ -194,8 +193,12 @@ static inline void smmu_flush_tlb_asid(s
+ {
+       u32 value;
+-      value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
+-              SMMU_TLB_FLUSH_VA_MATCH_ALL;
++      if (smmu->soc->num_asids == 4)
++              value = (asid & 0x3) << 29;
++      else
++              value = (asid & 0x7f) << 24;
++
++      value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_MATCH_ALL;
+       smmu_writel(smmu, value, SMMU_TLB_FLUSH);
+ }
+@@ -205,8 +208,12 @@ static inline void smmu_flush_tlb_sectio
+ {
+       u32 value;
+-      value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
+-              SMMU_TLB_FLUSH_VA_SECTION(iova);
++      if (smmu->soc->num_asids == 4)
++              value = (asid & 0x3) << 29;
++      else
++              value = (asid & 0x7f) << 24;
++
++      value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_SECTION(iova);
+       smmu_writel(smmu, value, SMMU_TLB_FLUSH);
+ }
+@@ -216,8 +223,12 @@ static inline void smmu_flush_tlb_group(
+ {
+       u32 value;
+-      value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
+-              SMMU_TLB_FLUSH_VA_GROUP(iova);
++      if (smmu->soc->num_asids == 4)
++              value = (asid & 0x3) << 29;
++      else
++              value = (asid & 0x7f) << 24;
++
++      value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_GROUP(iova);
+       smmu_writel(smmu, value, SMMU_TLB_FLUSH);
+ }
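Review bot: The same four-line `num_asids == 4` branch is pasted into `smmu_flush_tlb_asid()`, `smmu_flush_tlb_section()` and `smmu_flush_tlb_group()`, with the field position and width written as bare literals (`0x3`, `29`, `0x7f`, `24`). Since a wrong ASID field means stale translations stay in the TLB, one small static inline helper that returns the encoded ASID field for a given `smmu` and `asid` would keep the three flush paths from drifting apart, and named masks and shifts would replace the literals. Both branches also mask `asid` silently, so an out-of-range value flushes a different address space without any diagnostic; a `WARN_ON(asid >= smmu->soc->num_asids)` in that helper would make it visible. All three function signatures start outside their hunks.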
diff --git a/queue-4.4/md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch b/queue-4.4/md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..5a8dfce
--- /dev/null
@@ -0,0 +1,41 @@
+From ee37e62191a59d253fc916b9fc763deb777211e2 Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 2 Apr 2019 14:22:14 +0800
+Subject: md: add mddev->pers to avoid potential NULL pointer dereference
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+commit ee37e62191a59d253fc916b9fc763deb777211e2 upstream.
+
+When doing re-add, we need to ensure rdev->mddev->pers is not NULL,
+which can avoid potential NULL pointer derefence in fallowing
+add_bound_rdev().
+
+Fixes: a6da4ef85cef ("md: re-add a failed disk")
+Cc: Xiao Ni <xni@redhat.com>
+Cc: NeilBrown <neilb@suse.com>
+Cc: <stable@vger.kernel.org> # 4.4+
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2690,8 +2690,10 @@ state_store(struct md_rdev *rdev, const
+                       err = 0;
+               }
+       } else if (cmd_match(buf, "re-add")) {
+-              if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
+-                      rdev->saved_raid_disk >= 0) {
++              if (!rdev->mddev->pers)
++                      err = -EINVAL;
++              else if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
++                              rdev->saved_raid_disk >= 0) {
+                       /* clear_bit is performed _after_ all the devices
+                        * have their local Faulty bit cleared. If any writes
+                        * happen in the meantime in the local node, they
diff --git a/queue-4.4/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch b/queue-4.4/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch
new file mode 100644 (file)
index 0000000..a0ca54e
--- /dev/null
@@ -0,0 +1,47 @@
+From 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Sun, 24 Mar 2019 20:21:12 -0400
+Subject: media: ov6650: Fix sensor possibly not detected on probe
+
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+
+commit 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 upstream.
+
+After removal of clock_start() from before soc_camera_init_i2c() in
+soc_camera_probe() by commit 9aea470b399d ("[media] soc-camera: switch
+I2C subdevice drivers to use v4l2-clk") introduced in v3.11, the ov6650
+driver could no longer probe the sensor successfully because its clock
+was no longer turned on in advance.  The issue was initially worked
+around by adding that missing clock_start() equivalent to OMAP1 camera
+interface driver - the only user of this sensor - but a propoer fix
+should be rather implemented in the sensor driver code itself.
+
+Fix the issue by inserting a delay between the clock is turned on and
+the sensor I2C registers are read for the first time.
+
+Tested on Amstrad Delta with now out of tree but still locally
+maintained omap1_camera host driver.
+
+Fixes: 9aea470b399d ("[media] soc-camera: switch I2C subdevice drivers to use v4l2-clk")
+
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/soc_camera/ov6650.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/soc_camera/ov6650.c
++++ b/drivers/media/i2c/soc_camera/ov6650.c
+@@ -843,6 +843,8 @@ static int ov6650_video_probe(struct i2c
+       if (ret < 0)
+               return ret;
++      msleep(20);
++
+       /*
+        * check and show product ID and manufacturer ID
+        */
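Review bot: The added `msleep(20);` in `ov6650_video_probe()` has no comment, so the reason for the delay and the choice of 20 ms are only recoverable from the commit message. A line above it such as `/* let the sensor settle after its clock is enabled, before the first I2C register read */` would keep that with the code. If the 20 ms figure comes from a datasheet or was found empirically on the test board, saying which would help whoever tunes it later.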
diff --git a/queue-4.4/nfs4-fix-v4.0-client-state-corruption-when-mount.patch b/queue-4.4/nfs4-fix-v4.0-client-state-corruption-when-mount.patch
new file mode 100644 (file)
index 0000000..d72ae1d
--- /dev/null
@@ -0,0 +1,47 @@
+From f02f3755dbd14fb935d24b14650fff9ba92243b8 Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Mon, 6 May 2019 11:57:03 +0800
+Subject: NFS4: Fix v4.0 client state corruption when mount
+
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+
+commit f02f3755dbd14fb935d24b14650fff9ba92243b8 upstream.
+
+stat command with soft mount never return after server is stopped.
+
+When alloc a new client, the state of the client will be set to
+NFS4CLNT_LEASE_EXPIRED.
+
+When the server is stopped, the state manager will work, and accord
+the state to recover. But the state is NFS4CLNT_LEASE_EXPIRED, it
+will drain the slot table and lead other task to wait queue, until
+the client recovered. Then the stat command is hung.
+
+When discover server trunking, the client will renew the lease,
+but check the client state, it lead the client state corruption.
+
+So, we need to call state manager to recover it when detect server
+ip trunking.
+
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4state.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -140,6 +140,10 @@ int nfs40_discover_server_trunking(struc
+               /* Sustain the lease, even if it's empty.  If the clientid4
+                * goes stale it's of no use for trunking discovery. */
+               nfs4_schedule_state_renewal(*result);
++
++              /* If the client state need to recover, do it. */
++              if (clp->cl_state)
++                      nfs4_schedule_state_manager(clp);
+       }
+ out:
+       return status;
diff --git a/queue-4.4/of-fix-clang-wunsequenced-for-be32_to_cpu.patch b/queue-4.4/of-fix-clang-wunsequenced-for-be32_to_cpu.patch
new file mode 100644 (file)
index 0000000..b7a647a
--- /dev/null
@@ -0,0 +1,56 @@
+From 440868661f36071886ed360d91de83bd67c73b4f Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Tue, 30 Apr 2019 21:56:24 +0700
+Subject: of: fix clang -Wunsequenced for be32_to_cpu()
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+commit 440868661f36071886ed360d91de83bd67c73b4f upstream.
+
+Now, make the loop explicit to avoid clang warning.
+
+./include/linux/of.h:238:37: warning: multiple unsequenced modifications
+to 'cell' [-Wunsequenced]
+                r = (r << 32) | be32_to_cpu(*(cell++));
+                                                  ^~
+./include/linux/byteorder/generic.h:95:21: note: expanded from macro
+'be32_to_cpu'
+                    ^
+./include/uapi/linux/byteorder/little_endian.h:40:59: note: expanded
+from macro '__be32_to_cpu'
+                                                          ^
+./include/uapi/linux/swab.h:118:21: note: expanded from macro '__swab32'
+        ___constant_swab32(x) :                 \
+                           ^
+./include/uapi/linux/swab.h:18:12: note: expanded from macro
+'___constant_swab32'
+        (((__u32)(x) & (__u32)0x000000ffUL) << 24) |            \
+                  ^
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reported-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/460
+Suggested-by: David Laight <David.Laight@ACULAB.COM>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: stable@vger.kernel.org
+[robh: fix up whitespace]
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/of.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -199,8 +199,8 @@ extern struct device_node *of_find_all_n
+ static inline u64 of_read_number(const __be32 *cell, int size)
+ {
+       u64 r = 0;
+-      while (size--)
+-              r = (r << 32) | be32_to_cpu(*(cell++));
++      for (; size--; cell++)
++              r = (r << 32) | be32_to_cpu(*cell);
+       return r;
+ }
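Review bot: The rewritten loop `for (; size--; cell++)` keeps `size` as a signed `int` with a plain truthiness test, so a negative cell count from a caller would walk `cell` far past the property buffer before the counter wraps to zero. Values above 2 also shift earlier cells out of the 64-bit `r` without notice. Callers are not visible here, so this may never happen in practice, but a kernel-doc line such as `size: number of 32-bit cells, expected 1 or 2` would record the contract, and testing `size-- > 0` would make a bad count harmless.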
diff --git a/queue-4.4/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch b/queue-4.4/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch
new file mode 100644 (file)
index 0000000..ad8dcd8
--- /dev/null
@@ -0,0 +1,75 @@
+From 1829dda0e87f4462782ca81be474c7890efe31ce Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 5 May 2019 23:54:34 +0200
+Subject: parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code
+
+From: Helge Deller <deller@gmx.de>
+
+commit 1829dda0e87f4462782ca81be474c7890efe31ce upstream.
+
+LEVEL is a very common word, and now after many years it suddenly
+clashed with another LEVEL define in the DRBD code.
+Rename it to PA_ASM_LEVEL instead.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/assembly.h |    6 +++---
+ arch/parisc/kernel/head.S          |    4 ++--
+ arch/parisc/kernel/syscall.S       |    2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/parisc/include/asm/assembly.h
++++ b/arch/parisc/include/asm/assembly.h
+@@ -59,14 +59,14 @@
+ #define LDCW          ldcw,co
+ #define BL            b,l
+ # ifdef CONFIG_64BIT
+-#  define LEVEL               2.0w
++#  define PA_ASM_LEVEL        2.0w
+ # else
+-#  define LEVEL               2.0
++#  define PA_ASM_LEVEL        2.0
+ # endif
+ #else
+ #define LDCW          ldcw
+ #define BL            bl
+-#define LEVEL         1.1
++#define PA_ASM_LEVEL  1.1
+ #endif
+ #ifdef __ASSEMBLY__
+--- a/arch/parisc/kernel/head.S
++++ b/arch/parisc/kernel/head.S
+@@ -22,7 +22,7 @@
+ #include <linux/linkage.h>
+ #include <linux/init.h>
+-      .level  LEVEL
++      .level  PA_ASM_LEVEL
+       __INITDATA
+ ENTRY(boot_args)
+@@ -245,7 +245,7 @@ stext_pdc_ret:
+       ldo             R%PA(fault_vector_11)(%r10),%r10
+ $is_pa20:
+-      .level          LEVEL /* restore 1.1 || 2.0w */
++      .level          PA_ASM_LEVEL /* restore 1.1 || 2.0w */
+ #endif /*!CONFIG_64BIT*/
+       load32          PA(fault_vector_20),%r10
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -48,7 +48,7 @@ registers).
+        */
+ #define KILL_INSN     break   0,0
+-      .level          LEVEL
++      .level          PA_ASM_LEVEL
+       .text
index bd5b0e019113421b9be325bb7b785e91d87bdb46..a57b9aaab2b29d5672e478b51dc88b7e10010b82 100644 (file)
@@ -34,3 +34,17 @@ net-mlx4_core-change-the-error-print-to-info-print.patch
 ppp-deflate-fix-possible-crash-in-deflate_init.patch
 tipc-switch-order-of-device-registration-to-fix-a-crash.patch
 tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
+parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch
+stm-class-fix-channel-free-in-stm-output-free-path.patch
+stm-class-fix-channel-bitmap-on-32-bit-systems.patch
+md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch
+intel_th-msu-fix-single-mode-with-iommu.patch
+of-fix-clang-wunsequenced-for-be32_to_cpu.patch
+cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch
+media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch
+nfs4-fix-v4.0-client-state-corruption-when-mount.patch
+clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch
+fuse-fix-writepages-on-32bit.patch
+fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch
+iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch
+ceph-flush-dirty-inodes-before-proceeding-with-remount.patch
diff --git a/queue-4.4/stm-class-fix-channel-bitmap-on-32-bit-systems.patch b/queue-4.4/stm-class-fix-channel-bitmap-on-32-bit-systems.patch
new file mode 100644 (file)
index 0000000..78bb795
--- /dev/null
@@ -0,0 +1,45 @@
+From 51e0f227812ed81a368de54157ebe14396b4be03 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Wed, 17 Apr 2019 10:35:35 +0300
+Subject: stm class: Fix channel bitmap on 32-bit systems
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 51e0f227812ed81a368de54157ebe14396b4be03 upstream.
+
+Commit 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace
+Module devices") naively calculates the channel bitmap size in 64-bit
+chunks regardless of the size of underlying unsigned long, making the
+bitmap half as big on a 32-bit system. This leads to an out of bounds
+access with the upper half of the bitmap.
+
+Fix this by using BITS_TO_LONGS. While at it, convert to using
+struct_size() for the total size calculation of the master struct.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+Reported-by: Mulu He <muluhe@codeaurora.org>
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -158,11 +158,10 @@ stm_master(struct stm_device *stm, unsig
+ static int stp_master_alloc(struct stm_device *stm, unsigned int idx)
+ {
+       struct stp_master *master;
+-      size_t size;
+-      size = ALIGN(stm->data->sw_nchannels, 8) / 8;
+-      size += sizeof(struct stp_master);
+-      master = kzalloc(size, GFP_ATOMIC);
++      master = kzalloc(struct_size(master, chan_map,
++                                   BITS_TO_LONGS(stm->data->sw_nchannels)),
++                       GFP_ATOMIC);
+       if (!master)
+               return -ENOMEM;
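Review bot: The new allocation in `stp_master_alloc()` uses `struct_size()`, a helper from `include/linux/overflow.h` that, as far as I know, was only added to mainline in v4.18, so it is probably absent from the 4.4 tree this queue targets. If so, the backport will not build as written and the size has to be open-coded, e.g. `sizeof(*master) + BITS_TO_LONGS(stm->data->sw_nchannels) * sizeof(unsigned long)`. That form loses the overflow check `struct_size()` provides, so it is worth confirming that `sw_nchannels` is bounded where the device is registered.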
diff --git a/queue-4.4/stm-class-fix-channel-free-in-stm-output-free-path.patch b/queue-4.4/stm-class-fix-channel-free-in-stm-output-free-path.patch
new file mode 100644 (file)
index 0000000..096e312
--- /dev/null
@@ -0,0 +1,40 @@
+From ee496da4c3915de3232b5f5cd20e21ae3e46fe8d Mon Sep 17 00:00:00 2001
+From: Tingwei Zhang <tingwei@codeaurora.org>
+Date: Wed, 17 Apr 2019 10:35:34 +0300
+Subject: stm class: Fix channel free in stm output free path
+
+From: Tingwei Zhang <tingwei@codeaurora.org>
+
+commit ee496da4c3915de3232b5f5cd20e21ae3e46fe8d upstream.
+
+Number of free masters is not set correctly in stm
+free path. Fix this by properly adding the number
+of output channels before setting them to 0 in
+stm_output_disclaim().
+
+Currently it is equivalent to doing nothing since
+master->nr_free is incremented by 0.
+
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+Signed-off-by: Tingwei Zhang <tingwei@codeaurora.org>
+Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Cc: stable@vger.kernel.org # v4.4
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -210,8 +210,8 @@ stm_output_disclaim(struct stm_device *s
+       bitmap_release_region(&master->chan_map[0], output->channel,
+                             ilog2(output->nr_chans));
+-      output->nr_chans = 0;
+       master->nr_free += output->nr_chans;
++      output->nr_chans = 0;
+ }
+ /*