4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 27 Feb 2020 10:15:03 +0000 (11:15 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 27 Feb 2020 10:15:03 +0000 (11:15 +0100)
added patches:
bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch
ecryptfs-replace-bug_on-with-error-handling-code.patch
genirq-proc-reject-invalid-affinity-masks-again.patch
iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch
revert-dmaengine-imx-sdma-fix-memory-leak.patch
scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch
staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch
staging-rtl8723bs-fix-copy-of-overlapping-memory.patch
usb-dwc2-fix-in-isoc-request-length-checking.patch
usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch

13 files changed:
queue-4.19/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch [new file with mode: 0644]
queue-4.19/ecryptfs-replace-bug_on-with-error-handling-code.patch [new file with mode: 0644]
queue-4.19/genirq-proc-reject-invalid-affinity-masks-again.patch [new file with mode: 0644]
queue-4.19/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch [new file with mode: 0644]
queue-4.19/kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch [deleted file]
queue-4.19/revert-dmaengine-imx-sdma-fix-memory-leak.patch [new file with mode: 0644]
queue-4.19/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch [new file with mode: 0644]
queue-4.19/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch [new file with mode: 0644]
queue-4.19/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch [new file with mode: 0644]
queue-4.19/usb-dwc2-fix-in-isoc-request-length-checking.patch [new file with mode: 0644]
queue-4.19/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch [new file with mode: 0644]

diff --git a/queue-4.19/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch b/queue-4.19/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch
new file mode 100644 (file)
index 0000000..7b5abd9
--- /dev/null
@@ -0,0 +1,37 @@
+From e20d3a055a457a10a4c748ce5b7c2ed3173a1324 Mon Sep 17 00:00:00 2001
+From: Johannes Krude <johannes@krude.de>
+Date: Wed, 12 Feb 2020 20:32:27 +0100
+Subject: bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill
+
+From: Johannes Krude <johannes@krude.de>
+
+commit e20d3a055a457a10a4c748ce5b7c2ed3173a1324 upstream.
+
+This if guards whether user-space wants a copy of the offload-jited
+bytecode and whether this bytecode exists. By erroneously doing a bitwise
+AND instead of a logical AND on user- and kernel-space buffer-size can lead
+to no data being copied to user-space especially when user-space size is a
+power of two and bigger then the kernel-space buffer.
+
+Fixes: fcfb126defda ("bpf: add new jited info fields in bpf_dev_offload and bpf_prog_info")
+Signed-off-by: Johannes Krude <johannes@krude.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/bpf/20200212193227.GA3769@phlox.h.transitiv.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/offload.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/offload.c
++++ b/kernel/bpf/offload.c
+@@ -289,7 +289,7 @@ int bpf_prog_offload_info_fill(struct bp
+       ulen = info->jited_prog_len;
+       info->jited_prog_len = aux->offload->jited_len;
+-      if (info->jited_prog_len & ulen) {
++      if (info->jited_prog_len && ulen) {
+               uinsns = u64_to_user_ptr(info->jited_prog_insns);
+               ulen = min_t(u32, info->jited_prog_len, ulen);
+               if (copy_to_user(uinsns, aux->offload->jited_image, ulen)) {
diff --git a/queue-4.19/ecryptfs-replace-bug_on-with-error-handling-code.patch b/queue-4.19/ecryptfs-replace-bug_on-with-error-handling-code.patch
new file mode 100644 (file)
index 0000000..46bd433
--- /dev/null
@@ -0,0 +1,39 @@
+From 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Fri, 14 Feb 2020 12:21:01 -0600
+Subject: ecryptfs: replace BUG_ON with error handling code
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+commit 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 upstream.
+
+In crypt_scatterlist, if the crypt_stat argument is not set up
+correctly, the kernel crashes. Instead, by returning an error code
+upstream, the error is handled safely.
+
+The issue is detected via a static analysis tool written by us.
+
+Fixes: 237fead619984 (ecryptfs: fs/Makefile and fs/Kconfig)
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Tyler Hicks <code@tyhicks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/crypto.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -325,8 +325,10 @@ static int crypt_scatterlist(struct ecry
+       struct extent_crypt_result ecr;
+       int rc = 0;
+-      BUG_ON(!crypt_stat || !crypt_stat->tfm
+-             || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
++      if (!crypt_stat || !crypt_stat->tfm
++             || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED))
++              return -EINVAL;
++
+       if (unlikely(ecryptfs_verbosity > 0)) {
+               ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
+                               crypt_stat->key_size);
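Review bot: The new guard at the top of crypt_scatterlist() returns -EINVAL without logging anything, so an uninitialised crypt_stat, which the old BUG_ON made loud, now fails silently. Consider keeping a diagnostic by wrapping the same condition as `if (WARN_ON_ONCE(<existing condition>)) return -EINVAL;`, or by calling `ecryptfs_printk(KERN_ERR, ...)` before the return. Whether every caller propagates this return code instead of continuing with unencrypted or stale data cannot be checked here, because the rest of the function and its callers lie outside the hunk.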
diff --git a/queue-4.19/genirq-proc-reject-invalid-affinity-masks-again.patch b/queue-4.19/genirq-proc-reject-invalid-affinity-masks-again.patch
new file mode 100644 (file)
index 0000000..d7d5960
--- /dev/null
@@ -0,0 +1,128 @@
+From cba6437a1854fde5934098ec3bd0ee83af3129f5 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 12 Feb 2020 12:19:41 +0100
+Subject: genirq/proc: Reject invalid affinity masks (again)
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit cba6437a1854fde5934098ec3bd0ee83af3129f5 upstream.
+
+Qian Cai reported that the WARN_ON() in the x86/msi affinity setting code,
+which catches cases where the affinity setting is not done on the CPU which
+is the current target of the interrupt, triggers during CPU hotplug stress
+testing.
+
+It turns out that the warning which was added with the commit addressing
+the MSI affinity race unearthed yet another long standing bug.
+
+If user space writes a bogus affinity mask, i.e. it contains no online CPUs,
+then it calls irq_select_affinity_usr(). This was introduced for ALPHA in
+
+  eee45269b0f5 ("[PATCH] Alpha: convert to generic irq framework (generic part)")
+
+and subsequently made available for all architectures in
+
+  18404756765c ("genirq: Expose default irq affinity mask (take 3)")
+
+which introduced the circumvention of the affinity setting restrictions for
+interrupt which cannot be moved in process context.
+
+The whole exercise is bogus in various aspects:
+
+  1) If the interrupt is already started up then there is absolutely
+     no point to honour a bogus interrupt affinity setting from user
+     space. The interrupt is already assigned to an online CPU and it
+     does not make any sense to reassign it to some other randomly
+     chosen online CPU.
+
+  2) If the interupt is not yet started up then there is no point
+     either. A subsequent startup of the interrupt will invoke
+     irq_setup_affinity() anyway which will chose a valid target CPU.
+
+So the only correct solution is to just return -EINVAL in case user space
+wrote an affinity mask which does not contain any online CPUs, except for
+ALPHA which has it's own magic sauce for this.
+
+Fixes: 18404756765c ("genirq: Expose default irq affinity mask (take 3)")
+Reported-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Qian Cai <cai@lca.pw>
+Link: https://lkml.kernel.org/r/878sl8xdbm.fsf@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/internals.h |    2 --
+ kernel/irq/manage.c    |   18 ++----------------
+ kernel/irq/proc.c      |   22 ++++++++++++++++++++++
+ 3 files changed, 24 insertions(+), 18 deletions(-)
+
+--- a/kernel/irq/internals.h
++++ b/kernel/irq/internals.h
+@@ -126,8 +126,6 @@ static inline void unregister_handler_pr
+ extern bool irq_can_set_affinity_usr(unsigned int irq);
+-extern int irq_select_affinity_usr(unsigned int irq);
+-
+ extern void irq_set_thread_affinity(struct irq_desc *desc);
+ extern int irq_do_set_affinity(struct irq_data *data,
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -441,23 +441,9 @@ int irq_setup_affinity(struct irq_desc *
+ {
+       return irq_select_affinity(irq_desc_get_irq(desc));
+ }
+-#endif
++#endif /* CONFIG_AUTO_IRQ_AFFINITY */
++#endif /* CONFIG_SMP */
+-/*
+- * Called when a bogus affinity is set via /proc/irq
+- */
+-int irq_select_affinity_usr(unsigned int irq)
+-{
+-      struct irq_desc *desc = irq_to_desc(irq);
+-      unsigned long flags;
+-      int ret;
+-
+-      raw_spin_lock_irqsave(&desc->lock, flags);
+-      ret = irq_setup_affinity(desc);
+-      raw_spin_unlock_irqrestore(&desc->lock, flags);
+-      return ret;
+-}
+-#endif
+ /**
+  *    irq_set_vcpu_affinity - Set vcpu affinity for the interrupt
+--- a/kernel/irq/proc.c
++++ b/kernel/irq/proc.c
+@@ -115,6 +115,28 @@ static int irq_affinity_list_proc_show(s
+       return show_irq_affinity(AFFINITY_LIST, m);
+ }
++#ifndef CONFIG_AUTO_IRQ_AFFINITY
++static inline int irq_select_affinity_usr(unsigned int irq)
++{
++      /*
++       * If the interrupt is started up already then this fails. The
++       * interrupt is assigned to an online CPU already. There is no
++       * point to move it around randomly. Tell user space that the
++       * selected mask is bogus.
++       *
++       * If not then any change to the affinity is pointless because the
++       * startup code invokes irq_setup_affinity() which will select
++       * a online CPU anyway.
++       */
++      return -EINVAL;
++}
++#else
++/* ALPHA magic affinity auto selector. Keep it for historical reasons. */
++static inline int irq_select_affinity_usr(unsigned int irq)
++{
++      return irq_select_affinity(irq);
++}
++#endif
+ static ssize_t write_irq_affinity(int type, struct file *file,
+               const char __user *buffer, size_t count, loff_t *pos)
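Review bot: In the CONFIG_AUTO_IRQ_AFFINITY variant added to kernel/irq/proc.c, irq_select_affinity_usr() calls `irq_select_affinity(irq)` directly, whereas the version removed from manage.c reached the same function through irq_setup_affinity() with desc->lock held via raw_spin_lock_irqsave(). If irq_select_affinity() depends on the descriptor lock (its body is not visible here), that protection is lost on the ALPHA path. Either retain the lock in the wrapper or extend the existing comment to state why it is not needed, for example `/* irq_select_affinity() does its own locking; desc->lock is not required here */` once that has been confirmed.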
diff --git a/queue-4.19/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch b/queue-4.19/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch
new file mode 100644 (file)
index 0000000..53df956
--- /dev/null
@@ -0,0 +1,41 @@
+From e7598fac323aad0e502415edeffd567315994dd6 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Mon, 10 Feb 2020 10:36:56 +0100
+Subject: iommu/vt-d: Fix compile warning from intel-svm.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit e7598fac323aad0e502415edeffd567315994dd6 upstream.
+
+The intel_svm_is_pasid_valid() needs to be marked inline, otherwise it
+causes the compile warning below:
+
+  CC [M]  drivers/dma/idxd/cdev.o
+In file included from drivers/dma/idxd/cdev.c:9:0:
+./include/linux/intel-svm.h:125:12: warning: â€˜intel_svm_is_pasid_valid’ defined but not used [-Wunused-function]
+ static int intel_svm_is_pasid_valid(struct device *dev, int pasid)
+            ^~~~~~~~~~~~~~~~~~~~~~~~
+
+Reported-by: Borislav Petkov <bp@alien8.de>
+Fixes: 15060aba71711 ('iommu/vt-d: Helper function to query if a pasid has any active users')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/intel-svm.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/intel-svm.h
++++ b/include/linux/intel-svm.h
+@@ -130,7 +130,7 @@ static inline int intel_svm_unbind_mm(st
+       BUG();
+ }
+-static int intel_svm_is_pasid_valid(struct device *dev, int pasid)
++static inline int intel_svm_is_pasid_valid(struct device *dev, int pasid)
+ {
+       return -EINVAL;
+ }
diff --git a/queue-4.19/kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch b/queue-4.19/kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch
deleted file mode 100644 (file)
index 122351d..0000000
+++ /dev/null
@@ -1,122 +0,0 @@
-From a4443267800af240072280c44521caab61924e55 Mon Sep 17 00:00:00 2001
-From: Vitaly Kuznetsov <vkuznets@redhat.com>
-Date: Thu, 20 Feb 2020 18:22:04 +0100
-Subject: KVM: nVMX: clear PIN_BASED_POSTED_INTR from nested pinbased_ctls only when apicv is globally disabled
-
-From: Vitaly Kuznetsov <vkuznets@redhat.com>
-
-commit a4443267800af240072280c44521caab61924e55 upstream.
-
-When apicv is disabled on a vCPU (e.g. by enabling KVM_CAP_HYPERV_SYNIC*),
-nothing happens to VMX MSRs on the already existing vCPUs, however, all new
-ones are created with PIN_BASED_POSTED_INTR filtered out. This is very
-confusing and results in the following picture inside the guest:
-
-$ rdmsr -ax 0x48d
-ff00000016
-7f00000016
-7f00000016
-7f00000016
-
-This is observed with QEMU and 4-vCPU guest: QEMU creates vCPU0, does
-KVM_CAP_HYPERV_SYNIC2 and then creates the remaining three.
-
-L1 hypervisor may only check CPU0's controls to find out what features
-are available and it will be very confused later. Switch to setting
-PIN_BASED_POSTED_INTR control based on global 'enable_apicv' setting.
-
-Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/x86/kvm/vmx/capabilities.h |    1 +
- arch/x86/kvm/vmx/nested.c       |    5 ++---
- arch/x86/kvm/vmx/nested.h       |    3 +--
- arch/x86/kvm/vmx/vmx.c          |   10 ++++------
- 4 files changed, 8 insertions(+), 11 deletions(-)
-
---- a/arch/x86/kvm/vmx/capabilities.h
-+++ b/arch/x86/kvm/vmx/capabilities.h
-@@ -12,6 +12,7 @@ extern bool __read_mostly enable_ept;
- extern bool __read_mostly enable_unrestricted_guest;
- extern bool __read_mostly enable_ept_ad_bits;
- extern bool __read_mostly enable_pml;
-+extern bool __read_mostly enable_apicv;
- extern int __read_mostly pt_mode;
- #define PT_MODE_SYSTEM                0
---- a/arch/x86/kvm/vmx/nested.c
-+++ b/arch/x86/kvm/vmx/nested.c
-@@ -5979,8 +5979,7 @@ void nested_vmx_set_vmcs_shadowing_bitma
-  * bit in the high half is on if the corresponding bit in the control field
-  * may be on. See also vmx_control_verify().
-  */
--void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, u32 ept_caps,
--                              bool apicv)
-+void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, u32 ept_caps)
- {
-       /*
-        * Note that as a general rule, the high half of the MSRs (bits in
-@@ -6007,7 +6006,7 @@ void nested_vmx_setup_ctls_msrs(struct n
-               PIN_BASED_EXT_INTR_MASK |
-               PIN_BASED_NMI_EXITING |
-               PIN_BASED_VIRTUAL_NMIS |
--              (apicv ? PIN_BASED_POSTED_INTR : 0);
-+              (enable_apicv ? PIN_BASED_POSTED_INTR : 0);
-       msrs->pinbased_ctls_high |=
-               PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR |
-               PIN_BASED_VMX_PREEMPTION_TIMER;
---- a/arch/x86/kvm/vmx/nested.h
-+++ b/arch/x86/kvm/vmx/nested.h
-@@ -17,8 +17,7 @@ enum nvmx_vmentry_status {
- };
- void vmx_leave_nested(struct kvm_vcpu *vcpu);
--void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, u32 ept_caps,
--                              bool apicv);
-+void nested_vmx_setup_ctls_msrs(struct nested_vmx_msrs *msrs, u32 ept_caps);
- void nested_vmx_hardware_unsetup(void);
- __init int nested_vmx_hardware_setup(int (*exit_handlers[])(struct kvm_vcpu *));
- void nested_vmx_set_vmcs_shadowing_bitmap(void);
---- a/arch/x86/kvm/vmx/vmx.c
-+++ b/arch/x86/kvm/vmx/vmx.c
-@@ -95,7 +95,7 @@ module_param(emulate_invalid_guest_state
- static bool __read_mostly fasteoi = 1;
- module_param(fasteoi, bool, S_IRUGO);
--static bool __read_mostly enable_apicv = 1;
-+bool __read_mostly enable_apicv = 1;
- module_param(enable_apicv, bool, S_IRUGO);
- /*
-@@ -6803,8 +6803,7 @@ static struct kvm_vcpu *vmx_create_vcpu(
-       if (nested)
-               nested_vmx_setup_ctls_msrs(&vmx->nested.msrs,
--                                         vmx_capability.ept,
--                                         kvm_vcpu_apicv_active(&vmx->vcpu));
-+                                         vmx_capability.ept);
-       else
-               memset(&vmx->nested.msrs, 0, sizeof(vmx->nested.msrs));
-@@ -6884,8 +6883,7 @@ static int __init vmx_check_processor_co
-       if (setup_vmcs_config(&vmcs_conf, &vmx_cap) < 0)
-               return -EIO;
-       if (nested)
--              nested_vmx_setup_ctls_msrs(&vmcs_conf.nested, vmx_cap.ept,
--                                         enable_apicv);
-+              nested_vmx_setup_ctls_msrs(&vmcs_conf.nested, vmx_cap.ept);
-       if (memcmp(&vmcs_config, &vmcs_conf, sizeof(struct vmcs_config)) != 0) {
-               printk(KERN_ERR "kvm: CPU %d feature inconsistency!\n",
-                               smp_processor_id());
-@@ -7792,7 +7790,7 @@ static __init int hardware_setup(void)
-       if (nested) {
-               nested_vmx_setup_ctls_msrs(&vmcs_config.nested,
--                                         vmx_capability.ept, enable_apicv);
-+                                         vmx_capability.ept);
-               r = nested_vmx_hardware_setup(kvm_vmx_exit_handlers);
-               if (r)
diff --git a/queue-4.19/revert-dmaengine-imx-sdma-fix-memory-leak.patch b/queue-4.19/revert-dmaengine-imx-sdma-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..509d2d3
--- /dev/null
@@ -0,0 +1,70 @@
+From 495d2bbb11d2842917951961abb06e6ba45af6ae Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 27 Feb 2020 10:45:54 +0100
+Subject: Revert "dmaengine: imx-sdma: Fix memory leak"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit af8eca600b408a0e59d2848dfcfad60413f626a9 which is
+commit 02939cd167095f16328a1bd5cab5a90b550606df upstream.
+
+Andreas writes:
+       This patch breaks our imx6 board with the attached trace.
+       Reverting the patch makes it boot again.
+
+Reported-by: Andreas Tobler <andreas.tobler@onway.ch>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Robin Gong <yibin.gong@nxp.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/imx-sdma.c |   19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -738,8 +738,12 @@ static void sdma_start_desc(struct sdma_
+               return;
+       }
+       sdmac->desc = desc = to_sdma_desc(&vd->tx);
+-
+-      list_del(&vd->node);
++      /*
++       * Do not delete the node in desc_issued list in cyclic mode, otherwise
++       * the desc allocated will never be freed in vchan_dma_desc_free_list
++       */
++      if (!(sdmac->flags & IMX_DMA_SG_LOOP))
++              list_del(&vd->node);
+       sdma->channel_control[channel].base_bd_ptr = desc->bd_phys;
+       sdma->channel_control[channel].current_bd_ptr = desc->bd_phys;
+@@ -1040,6 +1044,7 @@ static void sdma_channel_terminate_work(
+       spin_lock_irqsave(&sdmac->vc.lock, flags);
+       vchan_get_all_descriptors(&sdmac->vc, &head);
++      sdmac->desc = NULL;
+       spin_unlock_irqrestore(&sdmac->vc.lock, flags);
+       vchan_dma_desc_free_list(&sdmac->vc, &head);
+ }
+@@ -1047,19 +1052,11 @@ static void sdma_channel_terminate_work(
+ static int sdma_disable_channel_async(struct dma_chan *chan)
+ {
+       struct sdma_channel *sdmac = to_sdma_chan(chan);
+-      unsigned long flags;
+-
+-      spin_lock_irqsave(&sdmac->vc.lock, flags);
+       sdma_disable_channel(chan);
+-      if (sdmac->desc) {
+-              vchan_terminate_vdesc(&sdmac->desc->vd);
+-              sdmac->desc = NULL;
++      if (sdmac->desc)
+               schedule_work(&sdmac->terminate_worker);
+-      }
+-
+-      spin_unlock_irqrestore(&sdmac->vc.lock, flags);
+       return 0;
+ }
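Review bot: After this revert sdma_disable_channel_async() tests `sdmac->desc` without holding sdmac->vc.lock, while sdma_channel_terminate_work() clears the same field under that lock, so the check and the worker can interleave. Whether that is harmful is not visible from these hunks, but the unlocked read deserves a comment saying it is intentional. The revert presumably also brings back the leak that the reverted commit addressed, and the message names no replacement fix. A reference to the follow-up, once one exists, would help the next person touching this path.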
diff --git a/queue-4.19/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch b/queue-4.19/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
new file mode 100644 (file)
index 0000000..e2c8235
--- /dev/null
@@ -0,0 +1,77 @@
+From 76261ada16dcc3be610396a46d35acc3efbda682 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 12 Feb 2020 21:08:59 -0800
+Subject: scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 76261ada16dcc3be610396a46d35acc3efbda682 upstream.
+
+Since commit 04060db41178 introduces soft lockups when toggling network
+interfaces, revert it.
+
+Link: https://marc.info/?l=target-devel&m=158157054906196
+Cc: Rahul Kundu <rahul.kundu@chelsio.com>
+Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Reported-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
+Fixes: 04060db41178 ("scsi: RDMA/isert: Fix a recently introduced regression related to logout")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |   12 ++++++++++++
+ drivers/target/iscsi/iscsi_target.c     |    6 +++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2584,6 +2584,17 @@ isert_wait4logout(struct isert_conn *ise
+       }
+ }
++static void
++isert_wait4cmds(struct iscsi_conn *conn)
++{
++      isert_info("iscsi_conn %p\n", conn);
++
++      if (conn->sess) {
++              target_sess_cmd_list_set_waiting(conn->sess->se_sess);
++              target_wait_for_sess_cmds(conn->sess->se_sess);
++      }
++}
++
+ /**
+  * isert_put_unsol_pending_cmds() - Drop commands waiting for
+  *     unsolicitate dataout
+@@ -2631,6 +2642,7 @@ static void isert_wait_conn(struct iscsi
+       ib_drain_qp(isert_conn->qp);
+       isert_put_unsol_pending_cmds(conn);
++      isert_wait4cmds(conn);
+       isert_wait4logout(isert_conn);
+       queue_work(isert_release_wq, &isert_conn->release_work);
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4123,6 +4123,9 @@ int iscsit_close_connection(
+       iscsit_stop_nopin_response_timer(conn);
+       iscsit_stop_nopin_timer(conn);
++      if (conn->conn_transport->iscsit_wait_conn)
++              conn->conn_transport->iscsit_wait_conn(conn);
++
+       /*
+        * During Connection recovery drop unacknowledged out of order
+        * commands for this connection, and prepare the other commands
+@@ -4208,9 +4211,6 @@ int iscsit_close_connection(
+       target_sess_cmd_list_set_waiting(sess->se_sess);
+       target_wait_for_sess_cmds(sess->se_sess);
+-      if (conn->conn_transport->iscsit_wait_conn)
+-              conn->conn_transport->iscsit_wait_conn(conn);
+-
+       ahash_request_free(conn->conn_tx_hash);
+       if (conn->conn_rx_hash) {
+               struct crypto_ahash *tfm;
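Review bot: With this patch applied on its own, iscsit_close_connection() waits for session commands twice on iSER. The first wait comes through the restored isert_wait4cmds(), reached from the relocated `iscsit_wait_conn` call. The second comes from the `target_sess_cmd_list_set_waiting()` / `target_wait_for_sess_cmds()` pair still present as context in the last iscsi_target.c hunk. That pair is only removed by the next revert in the series, so the message should state that the two reverts must be applied together. Whether the duplicated wait is harmful in the intermediate state cannot be told from the hunk.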
diff --git a/queue-4.19/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch b/queue-4.19/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch
new file mode 100644 (file)
index 0000000..8df1691
--- /dev/null
@@ -0,0 +1,70 @@
+From 807b9515b7d044cf77df31f1af9d842a76ecd5cb Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 12 Feb 2020 21:09:00 -0800
+Subject: scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 807b9515b7d044cf77df31f1af9d842a76ecd5cb upstream.
+
+Since commit e9d3009cb936 introduced a regression and since the fix for
+that regression was not perfect, revert this commit.
+
+Link: https://marc.info/?l=target-devel&m=158157054906195
+Cc: Rahul Kundu <rahul.kundu@chelsio.com>
+Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Reported-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
+Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |   10 ++--------
+ include/scsi/iscsi_proto.h          |    1 -
+ 2 files changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1157,9 +1157,7 @@ int iscsit_setup_scsi_cmd(struct iscsi_c
+               hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length,
+               conn->cid);
+-      if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
+-              return iscsit_add_reject_cmd(cmd,
+-                              ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
++      target_get_sess_cmd(&cmd->se_cmd, true);
+       cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd,
+                                                    scsilun_to_int(&hdr->lun));
+@@ -2000,9 +1998,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
+                             conn->sess->se_sess, 0, DMA_NONE,
+                             TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
+-      if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
+-              return iscsit_add_reject_cmd(cmd,
+-                              ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
++      target_get_sess_cmd(&cmd->se_cmd, true);
+       /*
+        * TASK_REASSIGN for ERL=2 / connection stays inside of
+@@ -4208,8 +4204,6 @@ int iscsit_close_connection(
+        * must wait until they have completed.
+        */
+       iscsit_check_conn_usage_count(conn);
+-      target_sess_cmd_list_set_waiting(sess->se_sess);
+-      target_wait_for_sess_cmds(sess->se_sess);
+       ahash_request_free(conn->conn_tx_hash);
+       if (conn->conn_rx_hash) {
+--- a/include/scsi/iscsi_proto.h
++++ b/include/scsi/iscsi_proto.h
+@@ -638,7 +638,6 @@ struct iscsi_reject {
+ #define ISCSI_REASON_BOOKMARK_INVALID 9
+ #define ISCSI_REASON_BOOKMARK_NO_RESOURCES    10
+ #define ISCSI_REASON_NEGOTIATION_RESET        11
+-#define ISCSI_REASON_WAITING_FOR_LOGOUT       12
+ /* Max. number of Key=Value pairs in a text message */
+ #define MAX_KEY_VALUE_PAIRS   8192
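Review bot: Both restored call sites, in iscsit_setup_scsi_cmd() and iscsit_handle_task_mgt_cmd(), discard the return value of `target_get_sess_cmd(&cmd->se_cmd, true)`, although the removed lines show it can return a negative value. If it fails, presumably because the session is shutting down, the command carries on without the reference it asked for. That kind of lifetime gap can end in a use after free during teardown. Since the revert is deliberate, mark each call with a comment such as `/* failure deliberately not handled, see revert of e9d3009cb936 */` so the unchecked result is not mistaken for an oversight. Both functions continue outside the hunks.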
index ca76de3ce57487117b224edd7408b8296eceb95e..5a78ebf76abdba6c3c51fe4535e6c74875961b3b 100644 (file)
@@ -76,4 +76,14 @@ btrfs-fix-bytes_may_use-underflow-in-prealloc-error-condtition.patch
 btrfs-reset-fs_root-to-null-on-error-in-open_ctree.patch
 btrfs-do-not-check-delayed-items-are-empty-for-single-transaction-cleanup.patch
 btrfs-fix-btrfs_wait_ordered_range-so-that-it-waits-for-all-ordered-extents.patch
-kvm-nvmx-clear-pin_based_posted_intr-from-nested-pinbased_ctls-only-when-apicv-is-globally-disabled.patch
+revert-dmaengine-imx-sdma-fix-memory-leak.patch
+scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
+scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch
+usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch
+usb-dwc2-fix-in-isoc-request-length-checking.patch
+staging-rtl8723bs-fix-copy-of-overlapping-memory.patch
+staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch
+ecryptfs-replace-bug_on-with-error-handling-code.patch
+iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch
+genirq-proc-reject-invalid-affinity-masks-again.patch
+bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch
diff --git a/queue-4.19/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch b/queue-4.19/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch
new file mode 100644 (file)
index 0000000..44352fe
--- /dev/null
@@ -0,0 +1,36 @@
+From b7db58105b80fa9232719c8329b995b3addfab55 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 5 Feb 2020 15:32:17 +0300
+Subject: staging: greybus: use after free in gb_audio_manager_remove_all()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b7db58105b80fa9232719c8329b995b3addfab55 upstream.
+
+When we call kobject_put() and it's the last reference to the kobject
+then it calls gb_audio_module_release() and frees module.  We dereference
+"module" on the next line which is a use after free.
+
+Fixes: c77f85bbc91a ("greybus: audio: Fix incorrect counting of 'ida'")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Vaibhav Agarwal <vaibhav.sr@gmail.com>
+Link: https://lore.kernel.org/r/20200205123217.jreendkyxulqsool@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/greybus/audio_manager.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/greybus/audio_manager.c
++++ b/drivers/staging/greybus/audio_manager.c
+@@ -89,8 +89,8 @@ void gb_audio_manager_remove_all(void)
+       list_for_each_entry_safe(module, next, &modules_list, list) {
+               list_del(&module->list);
+-              kobject_put(&module->kobj);
+               ida_simple_remove(&module_id, module->id);
++              kobject_put(&module->kobj);
+       }
+       is_empty = list_empty(&modules_list);
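Review bot: The reordering in gb_audio_manager_remove_all() stays correct only while kobject_put() is the last statement in the loop that touches `module`, and nothing in the code says so. A one-line comment before the call, `/* kobject_put() may drop the last reference and free module; keep it last */`, would stop a later edit from reintroducing the use after free. The function continues outside the hunk.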
diff --git a/queue-4.19/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch b/queue-4.19/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch
new file mode 100644 (file)
index 0000000..ef255c1
--- /dev/null
@@ -0,0 +1,45 @@
+From 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sun, 26 Jan 2020 22:05:49 +0000
+Subject: staging: rtl8723bs: fix copy of overlapping memory
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 upstream.
+
+Currently the rtw_sprintf prints the contents of thread_name
+onto thread_name and this can lead to a potential copy of a
+string over itself. Avoid this by printing the literal string RTWHALXT
+instread of the contents of thread_name.
+
+Addresses-Coverity: ("copy of overlapping memory")
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20200126220549.9849-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c
++++ b/drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c
+@@ -478,14 +478,13 @@ int rtl8723bs_xmit_thread(void *context)
+       s32 ret;
+       struct adapter *padapter;
+       struct xmit_priv *pxmitpriv;
+-      u8 thread_name[20] = "RTWHALXT";
+-
++      u8 thread_name[20];
+       ret = _SUCCESS;
+       padapter = context;
+       pxmitpriv = &padapter->xmitpriv;
+-      rtw_sprintf(thread_name, 20, "%s-"ADPT_FMT, thread_name, ADPT_ARG(padapter));
++      rtw_sprintf(thread_name, 20, "RTWHALXT-" ADPT_FMT, ADPT_ARG(padapter));
+       thread_enter(thread_name);
+       DBG_871X("start "FUNC_ADPT_FMT"\n", FUNC_ADPT_ARG(padapter));
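Review bot: The rewritten rtw_sprintf() call in rtl8723bs_xmit_thread() still passes the literal `20` as the buffer size, duplicating the array length in the declaration of thread_name. Use `rtw_sprintf(thread_name, sizeof(thread_name), "RTWHALXT-" ADPT_FMT, ADPT_ARG(padapter));` so the bound follows the declaration. thread_name is now uninitialised until that call, so the code relies on rtw_sprintf() always NUL-terminating within the given size. Its definition and ADPT_FMT are outside the hunk, so it is worth confirming that the prefix plus the adapter name fits in 20 bytes. The patch also drops the blank line between the declarations and `ret = _SUCCESS;`.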
diff --git a/queue-4.19/usb-dwc2-fix-in-isoc-request-length-checking.patch b/queue-4.19/usb-dwc2-fix-in-isoc-request-length-checking.patch
new file mode 100644 (file)
index 0000000..7333a0a
--- /dev/null
@@ -0,0 +1,49 @@
+From 860ef6cd3f90b84a1832f8a6485c90c34d3b588b Mon Sep 17 00:00:00 2001
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Date: Tue, 21 Jan 2020 14:24:04 +0400
+Subject: usb: dwc2: Fix in ISOC request length checking
+
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+
+commit 860ef6cd3f90b84a1832f8a6485c90c34d3b588b upstream.
+
+Moved ISOC request length checking from dwc2_hsotg_start_req() function to
+dwc2_hsotg_ep_queue().
+
+Fixes: 4fca54aa58293 ("usb: gadget: s3c-hsotg: add multi count support")
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc2/gadget.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -1004,11 +1004,6 @@ static void dwc2_hsotg_start_req(struct
+       else
+               packets = 1;    /* send one packet if length is zero. */
+-      if (hs_ep->isochronous && length > (hs_ep->mc * hs_ep->ep.maxpacket)) {
+-              dev_err(hsotg->dev, "req length > maxpacket*mc\n");
+-              return;
+-      }
+-
+       if (dir_in && index != 0)
+               if (hs_ep->isochronous)
+                       epsize = DXEPTSIZ_MC(packets);
+@@ -1312,6 +1307,13 @@ static int dwc2_hsotg_ep_queue(struct us
+       req->actual = 0;
+       req->status = -EINPROGRESS;
++      /* Don't queue ISOC request if length greater than mps*mc */
++      if (hs_ep->isochronous &&
++          req->length > (hs_ep->mc * hs_ep->ep.maxpacket)) {
++              dev_err(hs->dev, "req length > maxpacket*mc\n");
++              return -EINVAL;
++      }
++
+       /* In DDMA mode for ISOC's don't queue request if length greater
+        * than descriptor limits.
+        */
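Review bot: With the length test removed from dwc2_hsotg_start_req(), the `epsize = DXEPTSIZ_MC(packets)` line for isochronous IN endpoints depends on a bound that is now enforced only in dwc2_hsotg_ep_queue(), and nothing in start_req says so. Both functions continue outside these hunks, so it is not visible whether a request can reach start_req without passing through ep_queue; if one can, an over-long request could program a packet count above `hs_ep->mc` instead of being dropped. I would leave a one-line comment at the removal site, `/* ISOC: length <= mc * maxpacket is enforced in dwc2_hsotg_ep_queue() */`, so the invariant survives later refactoring. Separately, the new check returns -EINVAL after `req->status = -EINPROGRESS` has been written, so a rejected request keeps an in-progress status; placing the check above those two assignments would avoid that.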
diff --git a/queue-4.19/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch b/queue-4.19/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch
new file mode 100644 (file)
index 0000000..55fbbe9
--- /dev/null
@@ -0,0 +1,43 @@
+From c724417baf162bd3e035659e22cdf990cfb0d917 Mon Sep 17 00:00:00 2001
+From: Jack Pham <jackp@codeaurora.org>
+Date: Thu, 30 Jan 2020 19:10:35 -0800
+Subject: usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
+
+From: Jack Pham <jackp@codeaurora.org>
+
+commit c724417baf162bd3e035659e22cdf990cfb0d917 upstream.
+
+SuperSpeedPlus peripherals must report their bMaxPower of the
+configuration descriptor in units of 8mA as per the USB 3.2
+specification. The current switch statement in encode_bMaxPower()
+only checks for USB_SPEED_SUPER but not USB_SPEED_SUPER_PLUS so
+the latter falls back to USB 2.0 encoding which uses 2mA units.
+Replace the switch with a simple if/else.
+
+Fixes: eae5820b852f ("usb: gadget: composite: Write SuperSpeedPlus config descriptors")
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/composite.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -437,12 +437,10 @@ static u8 encode_bMaxPower(enum usb_devi
+               val = CONFIG_USB_GADGET_VBUS_DRAW;
+       if (!val)
+               return 0;
+-      switch (speed) {
+-      case USB_SPEED_SUPER:
+-              return DIV_ROUND_UP(val, 8);
+-      default:
++      if (speed < USB_SPEED_SUPER)
+               return DIV_ROUND_UP(val, 2);
+-      }
++      else
++              return DIV_ROUND_UP(val, 8);
+ }
+ static int config_buf(struct usb_configuration *config,
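Review bot: Both branches of encode_bMaxPower() return `DIV_ROUND_UP(val, N)` through a `u8` with no upper clamp, so a configured draw above 510 mA in 2 mA units (or above 2040 mA in 8 mA units) wraps and the descriptor advertises a much smaller bMaxPower than intended. The declaration of `val` and the start of the function are outside the hunk, so whether its range is already limited elsewhere needs confirming. If it is not, clamp before dividing, e.g. `val = min(val, 500U);` on the `speed < USB_SPEED_SUPER` path (assuming `val` is unsigned), with a corresponding limit on the SuperSpeed path. The comparison also relies on the ordering of `enum usb_device_speed`, which deserves a comment such as `/* below SuperSpeed: 2 mA units; SuperSpeed and above: 8 mA units */`.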