--- /dev/null
+From 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Fri, 14 Feb 2020 12:21:01 -0600
+Subject: ecryptfs: replace BUG_ON with error handling code
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+commit 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 upstream.
+
+In crypt_scatterlist, if the crypt_stat argument is not set up
+correctly, the kernel crashes. Instead, by returning an error code
+upstream, the error is handled safely.
+
+The issue is detected via a static analysis tool written by us.
+
+Fixes: 237fead619984 (ecryptfs: fs/Makefile and fs/Kconfig)
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Tyler Hicks <code@tyhicks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/crypto.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -339,8 +339,10 @@ static int crypt_scatterlist(struct ecry
+ struct extent_crypt_result ecr;
+ int rc = 0;
+
+- BUG_ON(!crypt_stat || !crypt_stat->tfm
+- || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
++ if (!crypt_stat || !crypt_stat->tfm
++ || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED))
++ return -EINVAL;
++
+ if (unlikely(ecryptfs_verbosity > 0)) {
+ ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
+ crypt_stat->key_size);
--- /dev/null
+From cba6437a1854fde5934098ec3bd0ee83af3129f5 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 12 Feb 2020 12:19:41 +0100
+Subject: genirq/proc: Reject invalid affinity masks (again)
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit cba6437a1854fde5934098ec3bd0ee83af3129f5 upstream.
+
+Qian Cai reported that the WARN_ON() in the x86/msi affinity setting code,
+which catches cases where the affinity setting is not done on the CPU which
+is the current target of the interrupt, triggers during CPU hotplug stress
+testing.
+
+It turns out that the warning which was added with the commit addressing
+the MSI affinity race unearthed yet another long standing bug.
+
+If user space writes a bogus affinity mask, i.e. it contains no online CPUs,
+then it calls irq_select_affinity_usr(). This was introduced for ALPHA in
+
+ eee45269b0f5 ("[PATCH] Alpha: convert to generic irq framework (generic part)")
+
+and subsequently made available for all architectures in
+
+ 18404756765c ("genirq: Expose default irq affinity mask (take 3)")
+
+which introduced the circumvention of the affinity setting restrictions for
+interrupt which cannot be moved in process context.
+
+The whole exercise is bogus in various aspects:
+
+ 1) If the interrupt is already started up then there is absolutely
+ no point to honour a bogus interrupt affinity setting from user
+ space. The interrupt is already assigned to an online CPU and it
+ does not make any sense to reassign it to some other randomly
+ chosen online CPU.
+
+ 2) If the interupt is not yet started up then there is no point
+ either. A subsequent startup of the interrupt will invoke
+ irq_setup_affinity() anyway which will chose a valid target CPU.
+
+So the only correct solution is to just return -EINVAL in case user space
+wrote an affinity mask which does not contain any online CPUs, except for
+ALPHA which has it's own magic sauce for this.
+
+Fixes: 18404756765c ("genirq: Expose default irq affinity mask (take 3)")
+Reported-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Qian Cai <cai@lca.pw>
+Link: https://lkml.kernel.org/r/878sl8xdbm.fsf@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/internals.h | 2 --
+ kernel/irq/manage.c | 18 ++----------------
+ kernel/irq/proc.c | 22 ++++++++++++++++++++++
+ 3 files changed, 24 insertions(+), 18 deletions(-)
+
+--- a/kernel/irq/internals.h
++++ b/kernel/irq/internals.h
+@@ -119,8 +119,6 @@ static inline void unregister_handler_pr
+
+ extern bool irq_can_set_affinity_usr(unsigned int irq);
+
+-extern int irq_select_affinity_usr(unsigned int irq);
+-
+ extern void irq_set_thread_affinity(struct irq_desc *desc);
+
+ extern int irq_do_set_affinity(struct irq_data *data,
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -382,23 +382,9 @@ int irq_setup_affinity(struct irq_desc *
+ {
+ return irq_select_affinity(irq_desc_get_irq(desc));
+ }
+-#endif
++#endif /* CONFIG_AUTO_IRQ_AFFINITY */
++#endif /* CONFIG_SMP */
+
+-/*
+- * Called when a bogus affinity is set via /proc/irq
+- */
+-int irq_select_affinity_usr(unsigned int irq)
+-{
+- struct irq_desc *desc = irq_to_desc(irq);
+- unsigned long flags;
+- int ret;
+-
+- raw_spin_lock_irqsave(&desc->lock, flags);
+- ret = irq_setup_affinity(desc);
+- raw_spin_unlock_irqrestore(&desc->lock, flags);
+- return ret;
+-}
+-#endif
+
+ /**
+ * irq_set_vcpu_affinity - Set vcpu affinity for the interrupt
+--- a/kernel/irq/proc.c
++++ b/kernel/irq/proc.c
+@@ -117,6 +117,28 @@ static int irq_affinity_list_proc_show(s
+ return show_irq_affinity(AFFINITY_LIST, m);
+ }
+
++#ifndef CONFIG_AUTO_IRQ_AFFINITY
++static inline int irq_select_affinity_usr(unsigned int irq)
++{
++ /*
++ * If the interrupt is started up already then this fails. The
++ * interrupt is assigned to an online CPU already. There is no
++ * point to move it around randomly. Tell user space that the
++ * selected mask is bogus.
++ *
++ * If not then any change to the affinity is pointless because the
++ * startup code invokes irq_setup_affinity() which will select
++ * a online CPU anyway.
++ */
++ return -EINVAL;
++}
++#else
++/* ALPHA magic affinity auto selector. Keep it for historical reasons. */
++static inline int irq_select_affinity_usr(unsigned int irq)
++{
++ return irq_select_affinity(irq);
++}
++#endif
+
+ static ssize_t write_irq_affinity(int type, struct file *file,
+ const char __user *buffer, size_t count, loff_t *pos)
--- /dev/null
+From e7598fac323aad0e502415edeffd567315994dd6 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Mon, 10 Feb 2020 10:36:56 +0100
+Subject: iommu/vt-d: Fix compile warning from intel-svm.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit e7598fac323aad0e502415edeffd567315994dd6 upstream.
+
+The intel_svm_is_pasid_valid() needs to be marked inline, otherwise it
+causes the compile warning below:
+
+ CC [M] drivers/dma/idxd/cdev.o
+In file included from drivers/dma/idxd/cdev.c:9:0:
+./include/linux/intel-svm.h:125:12: warning: ‘intel_svm_is_pasid_valid’ defined but not used [-Wunused-function]
+ static int intel_svm_is_pasid_valid(struct device *dev, int pasid)
+ ^~~~~~~~~~~~~~~~~~~~~~~~
+
+Reported-by: Borislav Petkov <bp@alien8.de>
+Fixes: 15060aba71711 ('iommu/vt-d: Helper function to query if a pasid has any active users')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/intel-svm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/intel-svm.h
++++ b/include/linux/intel-svm.h
+@@ -130,7 +130,7 @@ static inline int intel_svm_unbind_mm(st
+ BUG();
+ }
+
+-static int intel_svm_is_pasid_valid(struct device *dev, int pasid)
++static inline int intel_svm_is_pasid_valid(struct device *dev, int pasid)
+ {
+ return -EINVAL;
+ }
--- /dev/null
+From 76261ada16dcc3be610396a46d35acc3efbda682 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 12 Feb 2020 21:08:59 -0800
+Subject: scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 76261ada16dcc3be610396a46d35acc3efbda682 upstream.
+
+Since commit 04060db41178 introduces soft lockups when toggling network
+interfaces, revert it.
+
+Link: https://marc.info/?l=target-devel&m=158157054906196
+Cc: Rahul Kundu <rahul.kundu@chelsio.com>
+Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Reported-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
+Fixes: 04060db41178 ("scsi: RDMA/isert: Fix a recently introduced regression related to logout")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 12 ++++++++++++
+ drivers/target/iscsi/iscsi_target.c | 6 +++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2582,6 +2582,17 @@ isert_wait4logout(struct isert_conn *ise
+ }
+ }
+
++static void
++isert_wait4cmds(struct iscsi_conn *conn)
++{
++ isert_info("iscsi_conn %p\n", conn);
++
++ if (conn->sess) {
++ target_sess_cmd_list_set_waiting(conn->sess->se_sess);
++ target_wait_for_sess_cmds(conn->sess->se_sess);
++ }
++}
++
+ /**
+ * isert_put_unsol_pending_cmds() - Drop commands waiting for
+ * unsolicitate dataout
+@@ -2629,6 +2640,7 @@ static void isert_wait_conn(struct iscsi
+
+ ib_drain_qp(isert_conn->qp);
+ isert_put_unsol_pending_cmds(conn);
++ isert_wait4cmds(conn);
+ isert_wait4logout(isert_conn);
+
+ queue_work(isert_release_wq, &isert_conn->release_work);
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4155,6 +4155,9 @@ int iscsit_close_connection(
+ iscsit_stop_nopin_response_timer(conn);
+ iscsit_stop_nopin_timer(conn);
+
++ if (conn->conn_transport->iscsit_wait_conn)
++ conn->conn_transport->iscsit_wait_conn(conn);
++
+ /*
+ * During Connection recovery drop unacknowledged out of order
+ * commands for this connection, and prepare the other commands
+@@ -4240,9 +4243,6 @@ int iscsit_close_connection(
+ target_sess_cmd_list_set_waiting(sess->se_sess);
+ target_wait_for_sess_cmds(sess->se_sess);
+
+- if (conn->conn_transport->iscsit_wait_conn)
+- conn->conn_transport->iscsit_wait_conn(conn);
+-
+ ahash_request_free(conn->conn_tx_hash);
+ if (conn->conn_rx_hash) {
+ struct crypto_ahash *tfm;
--- /dev/null
+From 807b9515b7d044cf77df31f1af9d842a76ecd5cb Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 12 Feb 2020 21:09:00 -0800
+Subject: scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 807b9515b7d044cf77df31f1af9d842a76ecd5cb upstream.
+
+Since commit e9d3009cb936 introduced a regression and since the fix for
+that regression was not perfect, revert this commit.
+
+Link: https://marc.info/?l=target-devel&m=158157054906195
+Cc: Rahul Kundu <rahul.kundu@chelsio.com>
+Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Reported-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
+Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 10 ++--------
+ include/scsi/iscsi_proto.h | 1 -
+ 2 files changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1158,9 +1158,7 @@ int iscsit_setup_scsi_cmd(struct iscsi_c
+ hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length,
+ conn->cid);
+
+- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
+- return iscsit_add_reject_cmd(cmd,
+- ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
++ target_get_sess_cmd(&cmd->se_cmd, true);
+
+ cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd,
+ scsilun_to_int(&hdr->lun));
+@@ -2006,9 +2004,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
+ conn->sess->se_sess, 0, DMA_NONE,
+ TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
+
+- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
+- return iscsit_add_reject_cmd(cmd,
+- ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
++ target_get_sess_cmd(&cmd->se_cmd, true);
+
+ /*
+ * TASK_REASSIGN for ERL=2 / connection stays inside of
+@@ -4240,8 +4236,6 @@ int iscsit_close_connection(
+ * must wait until they have completed.
+ */
+ iscsit_check_conn_usage_count(conn);
+- target_sess_cmd_list_set_waiting(sess->se_sess);
+- target_wait_for_sess_cmds(sess->se_sess);
+
+ ahash_request_free(conn->conn_tx_hash);
+ if (conn->conn_rx_hash) {
+--- a/include/scsi/iscsi_proto.h
++++ b/include/scsi/iscsi_proto.h
+@@ -638,7 +638,6 @@ struct iscsi_reject {
+ #define ISCSI_REASON_BOOKMARK_INVALID 9
+ #define ISCSI_REASON_BOOKMARK_NO_RESOURCES 10
+ #define ISCSI_REASON_NEGOTIATION_RESET 11
+-#define ISCSI_REASON_WAITING_FOR_LOGOUT 12
+
+ /* Max. number of Key=Value pairs in a text message */
+ #define MAX_KEY_VALUE_PAIRS 8192
btrfs-fix-bytes_may_use-underflow-in-prealloc-error-condtition.patch
btrfs-do-not-check-delayed-items-are-empty-for-single-transaction-cleanup.patch
btrfs-fix-btrfs_wait_ordered_range-so-that-it-waits-for-all-ordered-extents.patch
+scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
+scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch
+usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch
+staging-rtl8723bs-fix-copy-of-overlapping-memory.patch
+staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch
+ecryptfs-replace-bug_on-with-error-handling-code.patch
+iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch
+genirq-proc-reject-invalid-affinity-masks-again.patch
--- /dev/null
+From b7db58105b80fa9232719c8329b995b3addfab55 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 5 Feb 2020 15:32:17 +0300
+Subject: staging: greybus: use after free in gb_audio_manager_remove_all()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b7db58105b80fa9232719c8329b995b3addfab55 upstream.
+
+When we call kobject_put() and it's the last reference to the kobject
+then it calls gb_audio_module_release() and frees module. We dereference
+"module" on the next line which is a use after free.
+
+Fixes: c77f85bbc91a ("greybus: audio: Fix incorrect counting of 'ida'")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Vaibhav Agarwal <vaibhav.sr@gmail.com>
+Link: https://lore.kernel.org/r/20200205123217.jreendkyxulqsool@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/greybus/audio_manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/greybus/audio_manager.c
++++ b/drivers/staging/greybus/audio_manager.c
+@@ -90,8 +90,8 @@ void gb_audio_manager_remove_all(void)
+
+ list_for_each_entry_safe(module, next, &modules_list, list) {
+ list_del(&module->list);
+- kobject_put(&module->kobj);
+ ida_simple_remove(&module_id, module->id);
++ kobject_put(&module->kobj);
+ }
+
+ is_empty = list_empty(&modules_list);
--- /dev/null
+From 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sun, 26 Jan 2020 22:05:49 +0000
+Subject: staging: rtl8723bs: fix copy of overlapping memory
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 upstream.
+
+Currently the rtw_sprintf prints the contents of thread_name
+onto thread_name and this can lead to a potential copy of a
+string over itself. Avoid this by printing the literal string RTWHALXT
+instread of the contents of thread_name.
+
+Addresses-Coverity: ("copy of overlapping memory")
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20200126220549.9849-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c
++++ b/drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c
+@@ -486,14 +486,13 @@ int rtl8723bs_xmit_thread(void *context)
+ s32 ret;
+ struct adapter *padapter;
+ struct xmit_priv *pxmitpriv;
+- u8 thread_name[20] = "RTWHALXT";
+-
++ u8 thread_name[20];
+
+ ret = _SUCCESS;
+ padapter = context;
+ pxmitpriv = &padapter->xmitpriv;
+
+- rtw_sprintf(thread_name, 20, "%s-"ADPT_FMT, thread_name, ADPT_ARG(padapter));
++ rtw_sprintf(thread_name, 20, "RTWHALXT-" ADPT_FMT, ADPT_ARG(padapter));
+ thread_enter(thread_name);
+
+ DBG_871X("start "FUNC_ADPT_FMT"\n", FUNC_ADPT_ARG(padapter));
--- /dev/null
+From c724417baf162bd3e035659e22cdf990cfb0d917 Mon Sep 17 00:00:00 2001
+From: Jack Pham <jackp@codeaurora.org>
+Date: Thu, 30 Jan 2020 19:10:35 -0800
+Subject: usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
+
+From: Jack Pham <jackp@codeaurora.org>
+
+commit c724417baf162bd3e035659e22cdf990cfb0d917 upstream.
+
+SuperSpeedPlus peripherals must report their bMaxPower of the
+configuration descriptor in units of 8mA as per the USB 3.2
+specification. The current switch statement in encode_bMaxPower()
+only checks for USB_SPEED_SUPER but not USB_SPEED_SUPER_PLUS so
+the latter falls back to USB 2.0 encoding which uses 2mA units.
+Replace the switch with a simple if/else.
+
+Fixes: eae5820b852f ("usb: gadget: composite: Write SuperSpeedPlus config descriptors")
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/composite.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -440,12 +440,10 @@ static u8 encode_bMaxPower(enum usb_devi
+ val = CONFIG_USB_GADGET_VBUS_DRAW;
+ if (!val)
+ return 0;
+- switch (speed) {
+- case USB_SPEED_SUPER:
+- return DIV_ROUND_UP(val, 8);
+- default:
++ if (speed < USB_SPEED_SUPER)
+ return DIV_ROUND_UP(val, 2);
+- }
++ else
++ return DIV_ROUND_UP(val, 8);
+ }
+
+ static int config_buf(struct usb_configuration *config,