--- /dev/null
+From fc124ad35dcd6708c413fb11e5047d84ccd64b9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 15:04:43 +0000
+Subject: afs: Fix afs_find_server lookups for ipv4 peers
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit 9bd0160d12370a076e44f8d1320cde9c83f2c647 ]
+
+afs_find_server tries to find a server that has an address that
+matches the transport address of an rxrpc peer. The code assumes
+that the transport address is always ipv6, with ipv4 represented
+as ipv4 mapped addresses, but that's not the case. If the transport
+family is AF_INET, srx->transport.sin6.sin6_addr.s6_addr32[] will
+be beyond the actual ipv4 address and will always be 0, and all
+ipv4 addresses will be seen as matching.
+
+As a result, the first ipv4 address seen on any server will be
+considered a match, and the server returned may be the wrong one.
+
+One of the consequences is that callbacks received over ipv4 will
+only be correctly applied for the server that happens to have the
+first ipv4 address on the fs_addresses4 list. Callbacks over ipv4
+from all other servers are dropped, causing the client to serve stale
+data.
+
+This is fixed by looking at the transport family, and comparing ipv4
+addresses based on a sockaddr_in structure rather than a sockaddr_in6.
+
+Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/server.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+diff --git a/fs/afs/server.c b/fs/afs/server.c
+index 1d329e6981d5..2c7f6211c360 100644
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -34,18 +34,11 @@ static void afs_dec_servers_outstanding(struct afs_net *net)
+ struct afs_server *afs_find_server(struct afs_net *net,
+ const struct sockaddr_rxrpc *srx)
+ {
+- const struct sockaddr_in6 *a = &srx->transport.sin6, *b;
+ const struct afs_addr_list *alist;
+ struct afs_server *server = NULL;
+ unsigned int i;
+- bool ipv6 = true;
+ int seq = 0, diff;
+
+- if (srx->transport.sin6.sin6_addr.s6_addr32[0] == 0 ||
+- srx->transport.sin6.sin6_addr.s6_addr32[1] == 0 ||
+- srx->transport.sin6.sin6_addr.s6_addr32[2] == htonl(0xffff))
+- ipv6 = false;
+-
+ rcu_read_lock();
+
+ do {
+@@ -54,7 +47,8 @@ struct afs_server *afs_find_server(struct afs_net *net,
+ server = NULL;
+ read_seqbegin_or_lock(&net->fs_addr_lock, &seq);
+
+- if (ipv6) {
++ if (srx->transport.family == AF_INET6) {
++ const struct sockaddr_in6 *a = &srx->transport.sin6, *b;
+ hlist_for_each_entry_rcu(server, &net->fs_addresses6, addr6_link) {
+ alist = rcu_dereference(server->addresses);
+ for (i = alist->nr_ipv4; i < alist->nr_addrs; i++) {
+@@ -70,15 +64,16 @@ struct afs_server *afs_find_server(struct afs_net *net,
+ }
+ }
+ } else {
++ const struct sockaddr_in *a = &srx->transport.sin, *b;
+ hlist_for_each_entry_rcu(server, &net->fs_addresses4, addr4_link) {
+ alist = rcu_dereference(server->addresses);
+ for (i = 0; i < alist->nr_ipv4; i++) {
+- b = &alist->addrs[i].transport.sin6;
+- diff = ((u16 __force)a->sin6_port -
+- (u16 __force)b->sin6_port);
++ b = &alist->addrs[i].transport.sin;
++ diff = ((u16 __force)a->sin_port -
++ (u16 __force)b->sin_port);
+ if (diff == 0)
+- diff = ((u32 __force)a->sin6_addr.s6_addr32[3] -
+- (u32 __force)b->sin6_addr.s6_addr32[3]);
++ diff = ((u32 __force)a->sin_addr.s_addr -
++ (u32 __force)b->sin_addr.s_addr);
+ if (diff == 0)
+ goto found;
+ }
+--
+2.20.1
+
--- /dev/null
+From e280d5b5ee899f83c31c19f8f94915d754b785da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 08:56:04 +0000
+Subject: afs: Fix creation calls in the dynamic root to fail with EOPNOTSUPP
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 1da4bd9f9d187f53618890d7b66b9628bbec3c70 ]
+
+Fix the lookup method on the dynamic root directory such that creation
+calls, such as mkdir, open(O_CREAT), symlink, etc. fail with EOPNOTSUPP
+rather than failing with some odd error (such as EEXIST).
+
+lookup() itself tries to create automount directories when it is invoked.
+These are cached locally in RAM and not committed to storage.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Tested-by: Jonathan Billings <jsbillings@jsbillings.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index f29c6dade7f6..069273a2483f 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -145,6 +145,9 @@ static struct dentry *afs_dynroot_lookup(struct inode *dir, struct dentry *dentr
+
+ ASSERTCMP(d_inode(dentry), ==, NULL);
+
++ if (flags & LOOKUP_CREATE)
++ return ERR_PTR(-EOPNOTSUPP);
++
+ if (dentry->d_name.len >= AFSNAMEMAX) {
+ _leave(" = -ENAMETOOLONG");
+ return ERR_PTR(-ENAMETOOLONG);
+--
+2.20.1
+
--- /dev/null
+From ca861ab5436384bd37cee35219a53669f5fb7c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 15:04:45 +0000
+Subject: afs: Fix SELinux setting security label on /afs
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit bcbccaf2edcf1b76f73f890e968babef446151a4 ]
+
+Make the AFS dynamic root superblock R/W so that SELinux can set the
+security label on it. Without this, upgrades to, say, the Fedora
+filesystem-afs RPM fail if afs is mounted on it because the SELinux label
+can't be (re-)applied.
+
+It might be better to make it possible to bypass the R/O check for LSM
+label application through setxattr.
+
+Fixes: 4d673da14533 ("afs: Support the AFS dynamic root")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: selinux@vger.kernel.org
+cc: linux-security-module@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/super.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/afs/super.c b/fs/afs/super.c
+index 4d3e274207fb..bd2608297473 100644
+--- a/fs/afs/super.c
++++ b/fs/afs/super.c
+@@ -404,7 +404,6 @@ static int afs_fill_super(struct super_block *sb,
+ /* allocate the root inode and dentry */
+ if (as->dyn_root) {
+ inode = afs_iget_pseudo_dir(sb, true);
+- sb->s_flags |= SB_RDONLY;
+ } else {
+ sprintf(sb->s_id, "%u", as->volume->vid);
+ afs_activate_volume(as->volume);
+--
+2.20.1
+
--- /dev/null
+From 4681e29f076053c0b66cdb5832d497a238f621b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2019 15:40:27 +0100
+Subject: ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+[ Upstream commit d2cd795c4ece1a24fda170c35eeb4f17d9826cbb ]
+
+The auto-parser assigns the bass speaker to DAC3 (NID 0x06) which
+is without the volume control. I do not see a reason to use DAC2,
+because the shared output to all speakers produces the sufficient
+and well balanced sound. The stereo support is enough for this
+purpose (laptop).
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Link: https://lore.kernel.org/r/20191129144027.14765-1-perex@perex.cz
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 0c007d14588a..bf42b6f7fb5c 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5441,6 +5441,16 @@ static void alc295_fixup_disable_dac3(struct hda_codec *codec,
+ }
+ }
+
++/* force NID 0x17 (Bass Speaker) to DAC1 to share it with the main speaker */
++static void alc285_fixup_speaker2_to_dac1(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ hda_nid_t conn[1] = { 0x02 };
++ snd_hda_override_conn_list(codec, 0x17, 1, conn);
++ }
++}
++
+ /* Hook to update amp GPIO4 for automute */
+ static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec,
+ struct hda_jack_callback *jack)
+@@ -5661,6 +5671,7 @@ enum {
+ ALC225_FIXUP_DISABLE_MIC_VREF,
+ ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC295_FIXUP_DISABLE_DAC3,
++ ALC285_FIXUP_SPEAKER2_TO_DAC1,
+ ALC280_FIXUP_HP_HEADSET_MIC,
+ ALC221_FIXUP_HP_FRONT_MIC,
+ ALC292_FIXUP_TPT460,
+@@ -6444,6 +6455,10 @@ static const struct hda_fixup alc269_fixups[] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc295_fixup_disable_dac3,
+ },
++ [ALC285_FIXUP_SPEAKER2_TO_DAC1] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_speaker2_to_dac1,
++ },
+ [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -7023,6 +7038,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+@@ -7206,6 +7222,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
+ {.id = ALC255_FIXUP_DELL_SPK_NOISE, .name = "dell-spk-noise"},
+ {.id = ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "alc225-dell1"},
+ {.id = ALC295_FIXUP_DISABLE_DAC3, .name = "alc295-disable-dac3"},
++ {.id = ALC285_FIXUP_SPEAKER2_TO_DAC1, .name = "alc285-speaker2-to-dac1"},
+ {.id = ALC280_FIXUP_HP_HEADSET_MIC, .name = "alc280-hp-headset"},
+ {.id = ALC221_FIXUP_HP_FRONT_MIC, .name = "alc221-hp-mic"},
+ {.id = ALC298_FIXUP_SPK_VOLUME, .name = "alc298-spk-volume"},
+--
+2.20.1
+
--- /dev/null
+From 2b6c6bb96632b3570344ef34758fe8f726ebc0b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 14:12:15 +0800
+Subject: ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker
+
+From: Kailang Yang <kailang@realtek.com>
+
+[ Upstream commit e79c22695abd3b75a6aecf4ea4b9607e8d82c49c ]
+
+Dell has new platform which has dual speaker connecting.
+They want dual speaker which use same dac for output.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/229c7efa2b474a16b7d8a916cd096b68@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 019dee96dbaa..9cd0cef9ec27 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5705,6 +5705,8 @@ enum {
+ ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC,
+ ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE,
+ ALC294_FIXUP_ASUS_INTSPK_GPIO,
++ ALC289_FIXUP_DELL_SPK2,
++ ALC289_FIXUP_DUAL_SPK,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -6775,6 +6777,21 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC
+ },
++ [ALC289_FIXUP_DELL_SPK2] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x17, 0x90170130 }, /* bass spk */
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE
++ },
++ [ALC289_FIXUP_DUAL_SPK] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_speaker2_to_dac1,
++ .chained = true,
++ .chain_id = ALC289_FIXUP_DELL_SPK2
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -6847,6 +6864,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
++ SND_PCI_QUIRK(0x1028, 0x097e, "Dell Precision", ALC289_FIXUP_DUAL_SPK),
++ SND_PCI_QUIRK(0x1028, 0x097d, "Dell Precision", ALC289_FIXUP_DUAL_SPK),
+ SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
+--
+2.20.1
+
--- /dev/null
+From 407c5d91179a1daca5742bf0d74edcee58d7a27c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2019 11:11:18 +0800
+Subject: ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC
+
+From: Chris Chiu <chiu@endlessm.com>
+
+[ Upstream commit 48e01504cf5315cbe6de9b7412e792bfcc3dd9e1 ]
+
+ASUS reported that there's an bass speaker in addition to internal
+speaker and it uses DAC 0x02. It was not enabled in the commit
+436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS
+UX431FLC") which only enables the amplifier and the front speaker.
+This commit enables the bass speaker on top of the aforementioned
+work to improve the acoustic experience.
+
+Fixes: 436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC")
+Signed-off-by: Chris Chiu <chiu@endlessm.com>
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191230031118.95076-1-chiu@endlessm.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 38 +++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 20 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 9cd0cef9ec27..0c007d14588a 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5702,11 +5702,12 @@ enum {
+ ALC256_FIXUP_ASUS_HEADSET_MIC,
+ ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
+ ALC299_FIXUP_PREDATOR_SPK,
+- ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC,
+ ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE,
+- ALC294_FIXUP_ASUS_INTSPK_GPIO,
+ ALC289_FIXUP_DELL_SPK2,
+ ALC289_FIXUP_DUAL_SPK,
++ ALC294_FIXUP_SPK2_TO_DAC1,
++ ALC294_FIXUP_ASUS_DUAL_SPK,
++
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -6750,16 +6751,6 @@ static const struct hda_fixup alc269_fixups[] = {
+ { }
+ }
+ },
+- [ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC] = {
+- .type = HDA_FIXUP_PINS,
+- .v.pins = (const struct hda_pintbl[]) {
+- { 0x14, 0x411111f0 }, /* disable confusing internal speaker */
+- { 0x19, 0x04a11150 }, /* use as headset mic, without its own jack detect */
+- { }
+- },
+- .chained = true,
+- .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
+- },
+ [ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -6770,13 +6761,6 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE
+ },
+- [ALC294_FIXUP_ASUS_INTSPK_GPIO] = {
+- .type = HDA_FIXUP_FUNC,
+- /* The GPIO must be pulled to initialize the AMP */
+- .v.func = alc_fixup_gpio4,
+- .chained = true,
+- .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC
+- },
+ [ALC289_FIXUP_DELL_SPK2] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -6792,6 +6776,20 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC289_FIXUP_DELL_SPK2
+ },
++ [ALC294_FIXUP_SPK2_TO_DAC1] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_speaker2_to_dac1,
++ .chained = true,
++ .chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC
++ },
++ [ALC294_FIXUP_ASUS_DUAL_SPK] = {
++ .type = HDA_FIXUP_FUNC,
++ /* The GPIO must be pulled to initialize the AMP */
++ .v.func = alc_fixup_gpio4,
++ .chained = true,
++ .chain_id = ALC294_FIXUP_SPK2_TO_DAC1
++ },
++
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -6953,7 +6951,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK),
+ SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
+ SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
+- SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_INTSPK_GPIO),
++ SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK),
+ SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
+ SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC),
+--
+2.20.1
+
--- /dev/null
+From 8150f297e277dede543eea66cff8401abf2342b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 17:18:20 -0500
+Subject: drm/amd/display: Fixed kernel panic when booting with DP-to-HDMI
+ dongle
+
+From: David Galiffi <David.Galiffi@amd.com>
+
+[ Upstream commit a51d9f8fe756beac51ce26ef54195da00a260d13 ]
+
+[Why]
+In dc_link_is_dp_sink_present, if dal_ddc_open fails, then
+dal_gpio_destroy_ddc is called, destroying pin_data and pin_clock. They
+are created only on dc_construct, and next aux access will cause a panic.
+
+[How]
+Instead of calling dal_gpio_destroy_ddc, call dal_ddc_close.
+
+Signed-off-by: David Galiffi <David.Galiffi@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+index c6f7c1344a9b..2f42964fb9f4 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+@@ -348,7 +348,7 @@ bool dc_link_is_dp_sink_present(struct dc_link *link)
+
+ if (GPIO_RESULT_OK != dal_ddc_open(
+ ddc, GPIO_MODE_INPUT, GPIO_DDC_CONFIG_TYPE_MODE_I2C)) {
+- dal_gpio_destroy_ddc(&ddc);
++ dal_ddc_close(ddc);
+
+ return present;
+ }
+--
+2.20.1
+
--- /dev/null
+From 11a2a1a05df28016ff9422f9e9bd845e3f8b00b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2019 12:08:58 +0100
+Subject: drm/amdgpu: add cache flush workaround to gfx8 emit_fence
+
+From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
+
+[ Upstream commit bf26da927a1cd57c9deb2db29ae8cf276ba8b17b ]
+
+The same workaround is used for gfx7.
+Both PAL and Mesa use it for gfx8 too, so port this commit to
+gfx_v8_0_ring_emit_fence_gfx.
+
+Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
+index 5a9534a82d40..e1cb7fa89e4d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
+@@ -6405,7 +6405,23 @@ static void gfx_v8_0_ring_emit_fence_gfx(struct amdgpu_ring *ring, u64 addr,
+ bool write64bit = flags & AMDGPU_FENCE_FLAG_64BIT;
+ bool int_sel = flags & AMDGPU_FENCE_FLAG_INT;
+
+- /* EVENT_WRITE_EOP - flush caches, send int */
++ /* Workaround for cache flush problems. First send a dummy EOP
++ * event down the pipe with seq one below.
++ */
++ amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4));
++ amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN |
++ EOP_TC_ACTION_EN |
++ EOP_TC_WB_ACTION_EN |
++ EVENT_TYPE(CACHE_FLUSH_AND_INV_TS_EVENT) |
++ EVENT_INDEX(5)));
++ amdgpu_ring_write(ring, addr & 0xfffffffc);
++ amdgpu_ring_write(ring, (upper_32_bits(addr) & 0xffff) |
++ DATA_SEL(1) | INT_SEL(0));
++ amdgpu_ring_write(ring, lower_32_bits(seq - 1));
++ amdgpu_ring_write(ring, upper_32_bits(seq - 1));
++
++ /* Then send the real EOP event down the pipe:
++ * EVENT_WRITE_EOP - flush caches, send int */
+ amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4));
+ amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN |
+ EOP_TC_ACTION_EN |
+@@ -7154,7 +7170,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = {
+ 5 + /* COND_EXEC */
+ 7 + /* PIPELINE_SYNC */
+ VI_FLUSH_GPU_TLB_NUM_WREG * 5 + 9 + /* VM_FLUSH */
+- 8 + /* FENCE for VM_FLUSH */
++ 12 + /* FENCE for VM_FLUSH */
+ 20 + /* GDS switch */
+ 4 + /* double SWITCH_BUFFER,
+ the first COND_EXEC jump to the place just
+@@ -7166,7 +7182,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = {
+ 31 + /* DE_META */
+ 3 + /* CNTX_CTRL */
+ 5 + /* HDP_INVL */
+- 8 + 8 + /* FENCE x2 */
++ 12 + 12 + /* FENCE x2 */
+ 2, /* SWITCH_BUFFER */
+ .emit_ib_size = 4, /* gfx_v8_0_ring_emit_ib_gfx */
+ .emit_ib = gfx_v8_0_ring_emit_ib_gfx,
+--
+2.20.1
+
--- /dev/null
+From 9e20c608f388ee0a3203cf12c5b7bb97e390e59e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 15:51:16 +0800
+Subject: drm/amdgpu: add check before enabling/disabling broadcast mode
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 6e807535dae5dbbd53bcc5e81047a20bf5eb08ea ]
+
+When security violation from new vbios happens, data fabric is
+risky to stop working. So prevent the direct access to DF
+mmFabricConfigAccessControl from the new vbios and onwards.
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/df_v3_6.c | 38 ++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
+index d5ebe566809b..a1c941229f4b 100644
+--- a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
++++ b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
+@@ -75,23 +75,29 @@ static void df_v3_6_update_medium_grain_clock_gating(struct amdgpu_device *adev,
+ {
+ u32 tmp;
+
+- /* Put DF on broadcast mode */
+- adev->df_funcs->enable_broadcast_mode(adev, true);
+-
+- if (enable && (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG)) {
+- tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater);
+- tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
+- tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY;
+- WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp);
+- } else {
+- tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater);
+- tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
+- tmp |= DF_V3_6_MGCG_DISABLE;
+- WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp);
++ if (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG) {
++ /* Put DF on broadcast mode */
++ adev->df_funcs->enable_broadcast_mode(adev, true);
++
++ if (enable) {
++ tmp = RREG32_SOC15(DF, 0,
++ mmDF_PIE_AON0_DfGlobalClkGater);
++ tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
++ tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY;
++ WREG32_SOC15(DF, 0,
++ mmDF_PIE_AON0_DfGlobalClkGater, tmp);
++ } else {
++ tmp = RREG32_SOC15(DF, 0,
++ mmDF_PIE_AON0_DfGlobalClkGater);
++ tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
++ tmp |= DF_V3_6_MGCG_DISABLE;
++ WREG32_SOC15(DF, 0,
++ mmDF_PIE_AON0_DfGlobalClkGater, tmp);
++ }
++
++ /* Exit broadcast mode */
++ adev->df_funcs->enable_broadcast_mode(adev, false);
+ }
+-
+- /* Exit broadcast mode */
+- adev->df_funcs->enable_broadcast_mode(adev, false);
+ }
+
+ static void df_v3_6_get_clockgating_state(struct amdgpu_device *adev,
+--
+2.20.1
+
--- /dev/null
+From 7a7b52b676f6101e6c7a53715dd77d225d7754ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 16:52:37 -0800
+Subject: drm: limit to INT_MAX in create_blob ioctl
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c ]
+
+The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb
+("uaccess: disallow > INT_MAX copy sizes")
+
+Code itself should have been fine as-is.
+
+Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
+Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_property.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
+index cdb10f885a4f..69dfed57c2f8 100644
+--- a/drivers/gpu/drm/drm_property.c
++++ b/drivers/gpu/drm/drm_property.c
+@@ -556,7 +556,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
+ struct drm_property_blob *blob;
+ int ret;
+
+- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
++ if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
+ return ERR_PTR(-EINVAL);
+
+ blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From e734ecc7baaa0f4d4fa3f8372200f8714ed13534 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 10:52:52 +0200
+Subject: drm/nouveau: Move the declaration of struct nouveau_conn_atom up a
+ bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 37a68eab4cd92b507c9e8afd760fdc18e4fecac6 ]
+
+Place the declaration of struct nouveau_conn_atom above that of
+struct nouveau_connector. This commit makes no changes to the moved
+block what so ever, it just moves it up a bit.
+
+This is a preparation patch to fix some issues with connector handling
+on pre nv50 displays (which do not use atomic modesetting).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_connector.h | 110 ++++++++++----------
+ 1 file changed, 55 insertions(+), 55 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h
+index dc7454e7f19a..b46e99f7641e 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.h
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.h
+@@ -29,6 +29,7 @@
+
+ #include <nvif/notify.h>
+
++#include <drm/drm_crtc.h>
+ #include <drm/drm_edid.h>
+ #include <drm/drm_encoder.h>
+ #include <drm/drm_dp_helper.h>
+@@ -37,6 +38,60 @@
+
+ struct nvkm_i2c_port;
+
++#define nouveau_conn_atom(p) \
++ container_of((p), struct nouveau_conn_atom, state)
++
++struct nouveau_conn_atom {
++ struct drm_connector_state state;
++
++ struct {
++ /* The enum values specifically defined here match nv50/gf119
++ * hw values, and the code relies on this.
++ */
++ enum {
++ DITHERING_MODE_OFF = 0x00,
++ DITHERING_MODE_ON = 0x01,
++ DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON,
++ DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON,
++ DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON,
++ DITHERING_MODE_AUTO
++ } mode;
++ enum {
++ DITHERING_DEPTH_6BPC = 0x00,
++ DITHERING_DEPTH_8BPC = 0x02,
++ DITHERING_DEPTH_AUTO
++ } depth;
++ } dither;
++
++ struct {
++ int mode; /* DRM_MODE_SCALE_* */
++ struct {
++ enum {
++ UNDERSCAN_OFF,
++ UNDERSCAN_ON,
++ UNDERSCAN_AUTO,
++ } mode;
++ u32 hborder;
++ u32 vborder;
++ } underscan;
++ bool full;
++ } scaler;
++
++ struct {
++ int color_vibrance;
++ int vibrant_hue;
++ } procamp;
++
++ union {
++ struct {
++ bool dither:1;
++ bool scaler:1;
++ bool procamp:1;
++ };
++ u8 mask;
++ } set;
++};
++
+ struct nouveau_connector {
+ struct drm_connector base;
+ enum dcb_connector_type type;
+@@ -111,61 +166,6 @@ extern int nouveau_ignorelid;
+ extern int nouveau_duallink;
+ extern int nouveau_hdmimhz;
+
+-#include <drm/drm_crtc.h>
+-#define nouveau_conn_atom(p) \
+- container_of((p), struct nouveau_conn_atom, state)
+-
+-struct nouveau_conn_atom {
+- struct drm_connector_state state;
+-
+- struct {
+- /* The enum values specifically defined here match nv50/gf119
+- * hw values, and the code relies on this.
+- */
+- enum {
+- DITHERING_MODE_OFF = 0x00,
+- DITHERING_MODE_ON = 0x01,
+- DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON,
+- DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON,
+- DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON,
+- DITHERING_MODE_AUTO
+- } mode;
+- enum {
+- DITHERING_DEPTH_6BPC = 0x00,
+- DITHERING_DEPTH_8BPC = 0x02,
+- DITHERING_DEPTH_AUTO
+- } depth;
+- } dither;
+-
+- struct {
+- int mode; /* DRM_MODE_SCALE_* */
+- struct {
+- enum {
+- UNDERSCAN_OFF,
+- UNDERSCAN_ON,
+- UNDERSCAN_AUTO,
+- } mode;
+- u32 hborder;
+- u32 vborder;
+- } underscan;
+- bool full;
+- } scaler;
+-
+- struct {
+- int color_vibrance;
+- int vibrant_hue;
+- } procamp;
+-
+- union {
+- struct {
+- bool dither:1;
+- bool scaler:1;
+- bool procamp:1;
+- };
+- u8 mask;
+- } set;
+-};
+-
+ void nouveau_conn_attach_properties(struct drm_connector *);
+ void nouveau_conn_reset(struct drm_connector *);
+ struct drm_connector_state *
+--
+2.20.1
+
--- /dev/null
+From a3647856d92db708e0fa8be035eaec5ef0938945 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:12:13 +0200
+Subject: IB/mlx4: Follow mirror sequence of device add during device removal
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 89f988d93c62384758b19323c886db917a80c371 ]
+
+Current code device add sequence is:
+
+ib_register_device()
+ib_mad_init()
+init_sriov_init()
+register_netdev_notifier()
+
+Therefore, the remove sequence should be,
+
+unregister_netdev_notifier()
+close_sriov()
+mad_cleanup()
+ib_unregister_device()
+
+However it is not above.
+Hence, make do above remove sequence.
+
+Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
+index 0bbeaaae47e0..9386bb57b3d7 100644
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -3069,16 +3069,17 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr)
+ ibdev->ib_active = false;
+ flush_workqueue(wq);
+
+- mlx4_ib_close_sriov(ibdev);
+- mlx4_ib_mad_cleanup(ibdev);
+- ib_unregister_device(&ibdev->ib_dev);
+- mlx4_ib_diag_cleanup(ibdev);
+ if (ibdev->iboe.nb.notifier_call) {
+ if (unregister_netdevice_notifier(&ibdev->iboe.nb))
+ pr_warn("failure unregistering notifier\n");
+ ibdev->iboe.nb.notifier_call = NULL;
+ }
+
++ mlx4_ib_close_sriov(ibdev);
++ mlx4_ib_mad_cleanup(ibdev);
++ ib_unregister_device(&ibdev->ib_dev);
++ mlx4_ib_diag_cleanup(ibdev);
++
+ mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
+ ibdev->steer_qpn_count);
+ kfree(ibdev->ib_uc_qpns_bitmap);
+--
+2.20.1
+
--- /dev/null
+From ad1a7dd7b441983d13d53b81dba1e1180a570ad2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:12:14 +0200
+Subject: IB/mlx5: Fix steering rule of drop and count
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+[ Upstream commit ed9085fed9d95d5921582e3c8474f3736c5d2782 ]
+
+There are two flow rule destinations: QP and packet. While users are
+setting DROP packet rule, the QP should not be set as a destination.
+
+Fixes: 3b3233fbf02e ("IB/mlx5: Add flow counters binding support")
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Reviewed-by: Raed Salem <raeds@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20191212091214.315005-4-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index f4ffdc588ea0..df5be462dd28 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -3286,10 +3286,6 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
+ }
+
+ INIT_LIST_HEAD(&handler->list);
+- if (dst) {
+- memcpy(&dest_arr[0], dst, sizeof(*dst));
+- dest_num++;
+- }
+
+ for (spec_index = 0; spec_index < flow_attr->num_of_specs; spec_index++) {
+ err = parse_flow_attr(dev->mdev, spec->match_criteria,
+@@ -3303,6 +3299,11 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
+ ib_flow += ((union ib_flow_spec *)ib_flow)->size;
+ }
+
++ if (dst && !(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP)) {
++ memcpy(&dest_arr[0], dst, sizeof(*dst));
++ dest_num++;
++ }
++
+ if (!flow_is_multicast_only(flow_attr))
+ set_underlay_qp(dev, spec, underlay_qpn);
+
+@@ -3340,10 +3341,8 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
+ }
+
+ if (flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP) {
+- if (!(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_COUNT)) {
++ if (!dest_num)
+ rule_dst = NULL;
+- dest_num = 0;
+- }
+ } else {
+ if (is_egress)
+ flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_ALLOW;
+--
+2.20.1
+
--- /dev/null
+From f574b1fb7fd28be83a00c7fca58fd71cc2c4ec18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 09:55:46 +0100
+Subject: iio: adc: max9611: Fix too short conversion time delay
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 9fd229c478fbf77c41c8528aa757ef14210365f6 ]
+
+As of commit b9ddd5091160793e ("iio: adc: max9611: Fix temperature
+reading in probe"), max9611 initialization sometimes fails on the
+Salvator-X(S) development board with:
+
+ max9611 4-007f: Invalid value received from ADC 0x8000: aborting
+ max9611: probe of 4-007f failed with error -5
+
+The max9611 driver tests communications with the chip by reading the die
+temperature during the probe function, which returns an invalid value.
+
+According to the datasheet, the typical ADC conversion time is 2 ms, but
+no minimum or maximum values are provided. Maxim Technical Support
+confirmed this was tested with temperature Ta=25 degreeC, and promised
+to inform me if a maximum/minimum value is available (they didn't get
+back to me, so I assume it is not).
+
+However, the driver assumes a 1 ms conversion time. Usually the
+usleep_range() call returns after more than 1.8 ms, hence it succeeds.
+When it returns earlier, the data register may be read too early, and
+the previous measurement value will be returned. After boot, this is
+the temperature POR (power-on reset) value, causing the failure above.
+
+Fix this by increasing the delay from 1000-2000 µs to 3000-3300 µs.
+
+Note that this issue has always been present, but it was exposed by the
+aformentioned commit.
+
+Fixes: 69780a3bbc0b1e7e ("iio: adc: Add Maxim max9611 ADC driver")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/max9611.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c
+index 0884435eec68..9f1a5ef0b444 100644
+--- a/drivers/iio/adc/max9611.c
++++ b/drivers/iio/adc/max9611.c
+@@ -92,6 +92,12 @@
+ #define MAX9611_TEMP_SCALE_NUM 1000000
+ #define MAX9611_TEMP_SCALE_DIV 2083
+
++/*
++ * Conversion time is 2 ms (typically) at Ta=25 degreeC
++ * No maximum value is known, so play it safe.
++ */
++#define MAX9611_CONV_TIME_US_RANGE 3000, 3300
++
+ struct max9611_dev {
+ struct device *dev;
+ struct i2c_client *i2c_client;
+@@ -239,11 +245,9 @@ static int max9611_read_single(struct max9611_dev *max9611,
+ return ret;
+ }
+
+- /*
+- * need a delay here to make register configuration
+- * stabilize. 1 msec at least, from empirical testing.
+- */
+- usleep_range(1000, 2000);
++ /* need a delay here to make register configuration stabilize. */
++
++ usleep_range(MAX9611_CONV_TIME_US_RANGE);
+
+ ret = i2c_smbus_read_word_swapped(max9611->i2c_client, reg_addr);
+ if (ret < 0) {
+@@ -510,7 +514,7 @@ static int max9611_init(struct max9611_dev *max9611)
+ MAX9611_REG_CTRL2, 0);
+ return ret;
+ }
+- usleep_range(1000, 2000);
++ usleep_range(MAX9611_CONV_TIME_US_RANGE);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 107d9eaa0c4027f4066a39552102c015ecdd3767 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 10:42:25 +0800
+Subject: md: raid1: check rdev before reference in raid1_sync_request func
+
+From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+
+[ Upstream commit 028288df635f5a9addd48ac4677b720192747944 ]
+
+In raid1_sync_request func, rdev should be checked before reference.
+
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 6800dcd50a11..abcb4c3a76c1 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2756,7 +2756,7 @@ static sector_t raid1_sync_request(struct mddev *mddev, sector_t sector_nr,
+ write_targets++;
+ }
+ }
+- if (bio->bi_end_io) {
++ if (rdev && bio->bi_end_io) {
+ atomic_inc(&rdev->nr_pending);
+ bio->bi_iter.bi_sector = sector_nr + rdev->data_offset;
+ bio_set_dev(bio, rdev->bdev);
+--
+2.20.1
+
--- /dev/null
+From f326c43f63d96fc63d6768589db095af3c11090d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 20:58:56 -0700
+Subject: net: make socket read/write_iter() honor IOCB_NOWAIT
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit ebfcd8955c0b52eb793bcbc9e71140e3d0cdb228 ]
+
+The socket read/write helpers only look at the file O_NONBLOCK. not
+the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2
+and io_uring that rely on not having the file itself marked nonblocking,
+but rather the iocb itself.
+
+Cc: netdev@vger.kernel.org
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index 18d27b8c2511..1290aad5d1c3 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -867,7 +867,7 @@ static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to)
+ .msg_iocb = iocb};
+ ssize_t res;
+
+- if (file->f_flags & O_NONBLOCK)
++ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
+ msg.msg_flags = MSG_DONTWAIT;
+
+ if (iocb->ki_pos != 0)
+@@ -892,7 +892,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ if (iocb->ki_pos != 0)
+ return -ESPIPE;
+
+- if (file->f_flags & O_NONBLOCK)
++ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
+ msg.msg_flags = MSG_DONTWAIT;
+
+ if (sock->type == SOCK_SEQPACKET)
+--
+2.20.1
+
--- /dev/null
+From c725abaa659b44dc04d087e41777cdcecbba58ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 00:59:29 +0100
+Subject: netfilter: nft_tproxy: Fix port selector on Big Endian
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 8cb4ec44de42b99b92399b4d1daf3dc430ed0186 ]
+
+On Big Endian architectures, u16 port value was extracted from the wrong
+parts of u32 sreg_port, just like commit 10596608c4d62 ("netfilter:
+nf_tables: fix mismatch in big-endian system") describes.
+
+Fixes: 4ed8eb6570a49 ("netfilter: nf_tables: Add native tproxy support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Florian Westphal <fw@strlen.de>
+Acked-by: MĂ¡tĂ© Eckl <ecklm94@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_tproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
+index f92a82c73880..95980154ef02 100644
+--- a/net/netfilter/nft_tproxy.c
++++ b/net/netfilter/nft_tproxy.c
+@@ -50,7 +50,7 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
+ taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);
+
+ if (priv->sreg_port)
+- tport = regs->data[priv->sreg_port];
++ tport = nft_reg_load16(®s->data[priv->sreg_port]);
+ if (!tport)
+ tport = hp->dest;
+
+@@ -117,7 +117,7 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
+ taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr);
+
+ if (priv->sreg_port)
+- tport = regs->data[priv->sreg_port];
++ tport = nft_reg_load16(®s->data[priv->sreg_port]);
+ if (!tport)
+ tport = hp->dest;
+
+--
+2.20.1
+
--- /dev/null
+From bc660dbca74e61077c830f50067e9d552638aa4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 09:59:37 -0800
+Subject: nvme-fc: fix double-free scenarios on hw queues
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit c869e494ef8b5846d9ba91f1e922c23cd444f0c1 ]
+
+If an error occurs on one of the ios used for creating an
+association, the creating routine has error paths that are
+invoked by the command failure and the error paths will free
+up the controller resources created to that point.
+
+But... the io was ultimately determined by an asynchronous
+completion routine that detected the error and which
+unconditionally invokes the error_recovery path which calls
+delete_association. Delete association deletes all outstanding
+io then tears down the controller resources. So the
+create_association thread can be running in parallel with
+the error_recovery thread. What was seen was the LLDD received
+a call to delete a queue, causing the LLDD to do a free of a
+resource, then the transport called the delete queue again
+causing the driver to repeat the free call. The second free
+routine corrupted the allocator. The transport shouldn't be
+making the duplicate call, and the delete queue is just one
+of the resources being freed.
+
+To fix, it is realized that the create_association path is
+completely serialized with one command at a time. So the
+failed io completion will always be seen by the create_association
+path and as of the failure, there are no ios to terminate and there
+is no reason to be manipulating queue freeze states, etc.
+The serialized condition stays true until the controller is
+transitioned to the LIVE state. Thus the fix is to change the
+error recovery path to check the controller state and only
+invoke the teardown path if not already in the CONNECTING state.
+
+Reviewed-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/fc.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
+index d567035571bf..1875f6b8a907 100644
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -2894,10 +2894,22 @@ nvme_fc_reconnect_or_delete(struct nvme_fc_ctrl *ctrl, int status)
+ static void
+ __nvme_fc_terminate_io(struct nvme_fc_ctrl *ctrl)
+ {
+- nvme_stop_keep_alive(&ctrl->ctrl);
++ /*
++ * if state is connecting - the error occurred as part of a
++ * reconnect attempt. The create_association error paths will
++ * clean up any outstanding io.
++ *
++ * if it's a different state - ensure all pending io is
++ * terminated. Given this can delay while waiting for the
++ * aborted io to return, we recheck adapter state below
++ * before changing state.
++ */
++ if (ctrl->ctrl.state != NVME_CTRL_CONNECTING) {
++ nvme_stop_keep_alive(&ctrl->ctrl);
+
+- /* will block will waiting for io to terminate */
+- nvme_fc_delete_association(ctrl);
++ /* will block will waiting for io to terminate */
++ nvme_fc_delete_association(ctrl);
++ }
+
+ if (ctrl->ctrl.state != NVME_CTRL_CONNECTING &&
+ !nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING))
+--
+2.20.1
+
--- /dev/null
+From 5cad0716f846fb22dfa96c3f740d1277a19fbfba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 15:15:26 -0800
+Subject: nvme_fc: add module to ops template to allow module references
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 863fbae929c7a5b64e96b8a3ffb34a29eefb9f8f ]
+
+In nvme-fc: it's possible to have connected active controllers
+and as no references are taken on the LLDD, the LLDD can be
+unloaded. The controller would enter a reconnect state and as
+long as the LLDD resumed within the reconnect timeout, the
+controller would resume. But if a namespace on the controller
+is the root device, allowing the driver to unload can be problematic.
+To reload the driver, it may require new io to the boot device,
+and as it's no longer connected we get into a catch-22 that
+eventually fails, and the system locks up.
+
+Fix this issue by taking a module reference for every connected
+controller (which is what the core layer did to the transport
+module). Reference is cleared when the controller is removed.
+
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/fc.c | 14 ++++++++++++--
+ drivers/nvme/target/fcloop.c | 1 +
+ drivers/scsi/lpfc/lpfc_nvme.c | 2 ++
+ drivers/scsi/qla2xxx/qla_nvme.c | 1 +
+ include/linux/nvme-fc-driver.h | 4 ++++
+ 5 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
+index 565bddcfd130..d567035571bf 100644
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -342,7 +342,8 @@ nvme_fc_register_localport(struct nvme_fc_port_info *pinfo,
+ !template->ls_req || !template->fcp_io ||
+ !template->ls_abort || !template->fcp_abort ||
+ !template->max_hw_queues || !template->max_sgl_segments ||
+- !template->max_dif_sgl_segments || !template->dma_boundary) {
++ !template->max_dif_sgl_segments || !template->dma_boundary ||
++ !template->module) {
+ ret = -EINVAL;
+ goto out_reghost_failed;
+ }
+@@ -1986,6 +1987,7 @@ nvme_fc_ctrl_free(struct kref *ref)
+ {
+ struct nvme_fc_ctrl *ctrl =
+ container_of(ref, struct nvme_fc_ctrl, ref);
++ struct nvme_fc_lport *lport = ctrl->lport;
+ unsigned long flags;
+
+ if (ctrl->ctrl.tagset) {
+@@ -2011,6 +2013,7 @@ nvme_fc_ctrl_free(struct kref *ref)
+ if (ctrl->ctrl.opts)
+ nvmf_free_options(ctrl->ctrl.opts);
+ kfree(ctrl);
++ module_put(lport->ops->module);
+ }
+
+ static void
+@@ -3040,10 +3043,15 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
+ goto out_fail;
+ }
+
++ if (!try_module_get(lport->ops->module)) {
++ ret = -EUNATCH;
++ goto out_free_ctrl;
++ }
++
+ idx = ida_simple_get(&nvme_fc_ctrl_cnt, 0, 0, GFP_KERNEL);
+ if (idx < 0) {
+ ret = -ENOSPC;
+- goto out_free_ctrl;
++ goto out_mod_put;
+ }
+
+ ctrl->ctrl.opts = opts;
+@@ -3185,6 +3193,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
+ out_free_ida:
+ put_device(ctrl->dev);
+ ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum);
++out_mod_put:
++ module_put(lport->ops->module);
+ out_free_ctrl:
+ kfree(ctrl);
+ out_fail:
+diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
+index 291f4121f516..f0536d341f2f 100644
+--- a/drivers/nvme/target/fcloop.c
++++ b/drivers/nvme/target/fcloop.c
+@@ -825,6 +825,7 @@ fcloop_targetport_delete(struct nvmet_fc_target_port *targetport)
+ #define FCLOOP_DMABOUND_4G 0xFFFFFFFF
+
+ static struct nvme_fc_port_template fctemplate = {
++ .module = THIS_MODULE,
+ .localport_delete = fcloop_localport_delete,
+ .remoteport_delete = fcloop_remoteport_delete,
+ .create_queue = fcloop_create_queue,
+diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c
+index f73726e55e44..6c355d87c709 100644
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -1903,6 +1903,8 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport,
+
+ /* Declare and initialization an instance of the FC NVME template. */
+ static struct nvme_fc_port_template lpfc_nvme_template = {
++ .module = THIS_MODULE,
++
+ /* initiator-based functions */
+ .localport_delete = lpfc_nvme_localport_delete,
+ .remoteport_delete = lpfc_nvme_remoteport_delete,
+diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
+index 5590d6e8b576..db367e428095 100644
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -560,6 +560,7 @@ static void qla_nvme_remoteport_delete(struct nvme_fc_remote_port *rport)
+ }
+
+ static struct nvme_fc_port_template qla_nvme_fc_transport = {
++ .module = THIS_MODULE,
+ .localport_delete = qla_nvme_localport_delete,
+ .remoteport_delete = qla_nvme_remoteport_delete,
+ .create_queue = qla_nvme_alloc_queue,
+diff --git a/include/linux/nvme-fc-driver.h b/include/linux/nvme-fc-driver.h
+index 496ff759f84c..2f3ae41c212d 100644
+--- a/include/linux/nvme-fc-driver.h
++++ b/include/linux/nvme-fc-driver.h
+@@ -282,6 +282,8 @@ struct nvme_fc_remote_port {
+ *
+ * Host/Initiator Transport Entrypoints/Parameters:
+ *
++ * @module: The LLDD module using the interface
++ *
+ * @localport_delete: The LLDD initiates deletion of a localport via
+ * nvme_fc_deregister_localport(). However, the teardown is
+ * asynchronous. This routine is called upon the completion of the
+@@ -395,6 +397,8 @@ struct nvme_fc_remote_port {
+ * Value is Mandatory. Allowed to be zero.
+ */
+ struct nvme_fc_port_template {
++ struct module *module;
++
+ /* initiator-based functions */
+ void (*localport_delete)(struct nvme_fc_local_port *);
+ void (*remoteport_delete)(struct nvme_fc_remote_port *);
+--
+2.20.1
+
--- /dev/null
+From 6784f991f19dd8a57257536472419ab11b71ade2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 01:21:31 +0200
+Subject: PM / devfreq: Don't fail devfreq_dev_release if not in list
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit 42a6b25e67df6ee6675e8d1eaf18065bd73328ba ]
+
+Right now devfreq_dev_release will print a warning and abort the rest of
+the cleanup if the devfreq instance is not part of the global
+devfreq_list. But this is a valid scenario, for example it can happen if
+the governor can't be found or on any other init error that happens
+after device_register.
+
+Initialize devfreq->node to an empty list head in devfreq_add_device so
+that list_del becomes a safe noop inside devfreq_dev_release and we can
+continue the rest of the cleanup.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index a47e76a62287..69bbb1e9ab23 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -575,11 +575,6 @@ static void devfreq_dev_release(struct device *dev)
+ struct devfreq *devfreq = to_devfreq(dev);
+
+ mutex_lock(&devfreq_list_lock);
+- if (IS_ERR(find_device_devfreq(devfreq->dev.parent))) {
+- mutex_unlock(&devfreq_list_lock);
+- dev_warn(&devfreq->dev, "releasing devfreq which doesn't exist\n");
+- return;
+- }
+ list_del(&devfreq->node);
+ mutex_unlock(&devfreq_list_lock);
+
+@@ -634,6 +629,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
+ devfreq->dev.parent = dev;
+ devfreq->dev.class = devfreq_class;
+ devfreq->dev.release = devfreq_dev_release;
++ INIT_LIST_HEAD(&devfreq->node);
+ devfreq->profile = profile;
+ strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN);
+ devfreq->previous_freq = profile->initial_freq;
+--
+2.20.1
+
--- /dev/null
+From 0b23786f36beaa786e15e27e52a70fd3eb20f42d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 23:34:18 +0200
+Subject: PM / devfreq: Fix devfreq_notifier_call returning errno
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit e876e710ede23f670494331e062d643928e4142a ]
+
+Notifier callbacks shouldn't return negative errno but one of the
+NOTIFY_OK/DONE/BAD values.
+
+The OPP core will ignore return values from notifiers but returning a
+value that matches NOTIFY_STOP_MASK will stop the notification chain.
+
+Fix by always returning NOTIFY_OK.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index 61fbaa89d7b4..34e297f28fc2 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -538,26 +538,28 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type,
+ void *devp)
+ {
+ struct devfreq *devfreq = container_of(nb, struct devfreq, nb);
+- int ret;
++ int err = -EINVAL;
+
+ mutex_lock(&devfreq->lock);
+
+ devfreq->scaling_min_freq = find_available_min_freq(devfreq);
+- if (!devfreq->scaling_min_freq) {
+- mutex_unlock(&devfreq->lock);
+- return -EINVAL;
+- }
++ if (!devfreq->scaling_min_freq)
++ goto out;
+
+ devfreq->scaling_max_freq = find_available_max_freq(devfreq);
+- if (!devfreq->scaling_max_freq) {
+- mutex_unlock(&devfreq->lock);
+- return -EINVAL;
+- }
++ if (!devfreq->scaling_max_freq)
++ goto out;
++
++ err = update_devfreq(devfreq);
+
+- ret = update_devfreq(devfreq);
++out:
+ mutex_unlock(&devfreq->lock);
++ if (err)
++ dev_err(devfreq->dev.parent,
++ "failed to update frequency from OPP notifier (%d)\n",
++ err);
+
+- return ret;
++ return NOTIFY_OK;
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From a40198264d5d45bf978d4d9163eb2b38a19ca617 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 23:34:19 +0200
+Subject: PM / devfreq: Set scaling_max_freq to max on OPP notifier error
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit e7cc792d00049c874010b398a27c3cc7bc8fef34 ]
+
+The devfreq_notifier_call functions will update scaling_min_freq and
+scaling_max_freq when the OPP table is updated.
+
+If fetching the maximum frequency fails then scaling_max_freq remains
+set to zero which is confusing. Set to ULONG_MAX instead so we don't
+need special handling for this case in other places.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index 34e297f28fc2..a47e76a62287 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -547,8 +547,10 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type,
+ goto out;
+
+ devfreq->scaling_max_freq = find_available_max_freq(devfreq);
+- if (!devfreq->scaling_max_freq)
++ if (!devfreq->scaling_max_freq) {
++ devfreq->scaling_max_freq = ULONG_MAX;
+ goto out;
++ }
+
+ err = update_devfreq(devfreq);
+
+--
+2.20.1
+
--- /dev/null
+From a1899f98d054edba8d934b844163a55856934944 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 15:39:12 +0100
+Subject: PM / hibernate: memory_bm_find_bit(): Tighten node optimisation
+
+From: Andy Whitcroft <apw@canonical.com>
+
+[ Upstream commit da6043fe85eb5ec621e34a92540735dcebbea134 ]
+
+When looking for a bit by number we make use of the cached result from the
+preceding lookup to speed up operation. Firstly we check if the requested
+pfn is within the cached zone and if not lookup the new zone. We then
+check if the offset for that pfn falls within the existing cached node.
+This happens regardless of whether the node is within the zone we are
+now scanning. With certain memory layouts it is possible for this to
+false trigger creating a temporary alias for the pfn to a different bit.
+This leads the hibernation code to free memory which it was never allocated
+with the expected fallout.
+
+Ensure the zone we are scanning matches the cached zone before considering
+the cached node.
+
+Deep thanks go to Andrea for many, many, many hours of hacking and testing
+that went into cornering this bug.
+
+Reported-by: Andrea Righi <andrea.righi@canonical.com>
+Tested-by: Andrea Righi <andrea.righi@canonical.com>
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/snapshot.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
+index 3d37c279c090..f2635fc751d9 100644
+--- a/kernel/power/snapshot.c
++++ b/kernel/power/snapshot.c
+@@ -736,8 +736,15 @@ static int memory_bm_find_bit(struct memory_bitmap *bm, unsigned long pfn,
+ * We have found the zone. Now walk the radix tree to find the leaf node
+ * for our PFN.
+ */
++
++ /*
++ * If the zone we wish to scan is the the current zone and the
++ * pfn falls into the current node then we do not need to walk
++ * the tree.
++ */
+ node = bm->cur.node;
+- if (((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn)
++ if (zone == bm->cur.zone &&
++ ((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn)
+ goto node_found;
+
+ node = zone->rtree;
+--
+2.20.1
+
--- /dev/null
+From a7bc31debbcd2e885b78b67e34694f77735904f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 09:24:26 +0800
+Subject: RDMA/cma: add missed unregister_pernet_subsys in init failure
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 44a7b6759000ac51b92715579a7bba9e3f9245c2 ]
+
+The driver forgets to call unregister_pernet_subsys() in the error path
+of cma_init().
+Add the missed call to fix it.
+
+Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Link: https://lore.kernel.org/r/20191206012426.12744-1-hslester96@gmail.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 1f373ba573b6..319bfef00a4a 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4658,6 +4658,7 @@ static int __init cma_init(void)
+ err:
+ unregister_netdevice_notifier(&cma_nb);
+ ib_sa_unregister_client(&sa_client);
++ unregister_pernet_subsys(&cma_pernet_operations);
+ err_wq:
+ destroy_workqueue(cma_wq);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 70ca46cd302ef33c39515681ee13760384d37bb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 20:03:20 -0600
+Subject: rxe: correctly calculate iCRC for unaligned payloads
+
+From: Steve Wise <larrystevenwise@gmail.com>
+
+[ Upstream commit 2030abddec6884aaf5892f5724c48fc340e6826f ]
+
+If RoCE PDUs being sent or received contain pad bytes, then the iCRC
+is miscalculated, resulting in PDUs being emitted by RXE with an incorrect
+iCRC, as well as ingress PDUs being dropped due to erroneously detecting
+a bad iCRC in the PDU. The fix is to include the pad bytes, if any,
+in iCRC computations.
+
+Note: This bug has caused broken on-the-wire compatibility with actual
+hardware RoCE devices since the soft-RoCE driver was first put into the
+mainstream kernel. Fixing it will create an incompatibility with the
+original soft-RoCE devices, but is necessary to be compatible with real
+hardware devices.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Signed-off-by: Steve Wise <larrystevenwise@gmail.com>
+Link: https://lore.kernel.org/r/20191203020319.15036-2-larrystevenwise@gmail.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_recv.c | 2 +-
+ drivers/infiniband/sw/rxe/rxe_req.c | 6 ++++++
+ drivers/infiniband/sw/rxe/rxe_resp.c | 7 +++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c
+index d30dbac24583..695a607e2d14 100644
+--- a/drivers/infiniband/sw/rxe/rxe_recv.c
++++ b/drivers/infiniband/sw/rxe/rxe_recv.c
+@@ -391,7 +391,7 @@ void rxe_rcv(struct sk_buff *skb)
+
+ calc_icrc = rxe_icrc_hdr(pkt, skb);
+ calc_icrc = rxe_crc32(rxe, calc_icrc, (u8 *)payload_addr(pkt),
+- payload_size(pkt));
++ payload_size(pkt) + bth_pad(pkt));
+ calc_icrc = (__force u32)cpu_to_be32(~calc_icrc);
+ if (unlikely(calc_icrc != pack_icrc)) {
+ if (skb->protocol == htons(ETH_P_IPV6))
+diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c
+index f7dd8de79941..1c1eae0ef8c2 100644
+--- a/drivers/infiniband/sw/rxe/rxe_req.c
++++ b/drivers/infiniband/sw/rxe/rxe_req.c
+@@ -500,6 +500,12 @@ static int fill_packet(struct rxe_qp *qp, struct rxe_send_wqe *wqe,
+ if (err)
+ return err;
+ }
++ if (bth_pad(pkt)) {
++ u8 *pad = payload_addr(pkt) + paylen;
++
++ memset(pad, 0, bth_pad(pkt));
++ crc = rxe_crc32(rxe, crc, pad, bth_pad(pkt));
++ }
+ }
+ p = payload_addr(pkt) + paylen + bth_pad(pkt);
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
+index 681d8e0913d0..9078cfd3b8bd 100644
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -737,6 +737,13 @@ static enum resp_states read_reply(struct rxe_qp *qp,
+ if (err)
+ pr_err("Failed copying memory\n");
+
++ if (bth_pad(&ack_pkt)) {
++ struct rxe_dev *rxe = to_rdev(qp->ibqp.device);
++ u8 *pad = payload_addr(&ack_pkt) + payload;
++
++ memset(pad, 0, bth_pad(&ack_pkt));
++ icrc = rxe_crc32(rxe, icrc, pad, bth_pad(&ack_pkt));
++ }
+ p = payload_addr(&ack_pkt) + payload + bth_pad(&ack_pkt);
+ *p = ~icrc;
+
+--
+2.20.1
+
--- /dev/null
+From d8ac30ceaa0849fd0f1a665a1af51e297209b260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2019 10:26:41 +0100
+Subject: s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 39d4a501a9ef55c57b51e3ef07fc2aeed7f30b3b ]
+
+Function perf_event_ever_overflow() and perf_event_account_interrupt()
+are called every time samples are processed by the interrupt handler.
+However function perf_event_account_interrupt() has checks to avoid being
+flooded with interrupts (more then 1000 samples are received per
+task_tick). Samples are then dropped and a PERF_RECORD_THROTTLED is
+added to the perf data. The perf subsystem limit calculation is:
+
+ maximum sample frequency := 100000 --> 1 samples per 10 us
+ task_tick = 10ms = 10000us --> 1000 samples per task_tick
+
+The work flow is
+
+measurement_alert() uses SDBT head and each SBDT points to 511
+ SDB pages, each with 126 sample entries. After processing 8 SBDs
+ and for each valid sample calling:
+
+ perf_event_overflow()
+ perf_event_account_interrupts()
+
+there is a considerable amount of samples being dropped, especially when
+the sample frequency is very high and near the 100000 limit.
+
+To avoid the high amount of samples being dropped near the end of a
+task_tick time frame, increment the sampling interval in case of
+dropped events. The CPU Measurement sampling facility on the s390
+supports only intervals, specifiing how many CPU cycles have to be
+executed before a sample is generated. Increase the interval when the
+samples being generated hit the task_tick limit.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 5c3fd9032b74..0f4957ac81b6 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1273,6 +1273,22 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ if (sampl_overflow)
+ OVERFLOW_REG(hwc) = DIV_ROUND_UP(OVERFLOW_REG(hwc) +
+ sampl_overflow, 1 + num_sdb);
++
++ /* Perf_event_overflow() and perf_event_account_interrupt() limit
++ * the interrupt rate to an upper limit. Roughly 1000 samples per
++ * task tick.
++ * Hitting this limit results in a large number
++ * of throttled REF_REPORT_THROTTLE entries and the samples
++ * are dropped.
++ * Slightly increase the interval to avoid hitting this limit.
++ */
++ if (event_overflow) {
++ SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10);
++ debug_sprintf_event(sfdbg, 1, "%s: rate adjustment %ld\n",
++ __func__,
++ DIV_ROUND_UP(SAMPL_RATE(hwc), 10));
++ }
++
+ if (sampl_overflow || event_overflow)
+ debug_sprintf_event(sfdbg, 4, "hw_perf_event_update: "
+ "overflow stats: sample=%llu event=%llu\n",
+--
+2.20.1
+
--- /dev/null
+From e98e17cc6ba70e2845a46d19d40287f7986bec81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2019 15:24:25 +0100
+Subject: s390/cpum_sf: Avoid SBD overflow condition in irq handler
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 0539ad0b22877225095d8adef0c376f52cc23834 ]
+
+The s390 CPU Measurement sampling facility has an overflow condition
+which fires when all entries in a SBD are used.
+The measurement alert interrupt is triggered and reads out all samples
+in this SDB. It then tests the successor SDB, if this SBD is not full,
+the interrupt handler does not read any samples at all from this SDB
+The design waits for the hardware to fill this SBD and then trigger
+another meassurement alert interrupt.
+
+This scheme works nicely until
+an perf_event_overflow() function call discards the sample due to
+a too high sampling rate.
+The interrupt handler has logic to read out a partially filled SDB
+when the perf event overflow condition in linux common code is met.
+This causes the CPUM sampling measurement hardware and the PMU
+device driver to operate on the same SBD's trailer entry.
+This should not happen.
+
+This can be seen here using this trace:
+ cpumsf_pmu_add: tear:0xb5286000
+ hw_perf_event_update: sdbt 0xb5286000 full 1 over 0 flush_all:0
+ hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
+ above shows 1. interrupt
+ hw_perf_event_update: sdbt 0xb5286008 full 1 over 0 flush_all:0
+ hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
+ above shows 2. interrupt
+ ... this goes on fine until...
+ hw_perf_event_update: sdbt 0xb5286068 full 1 over 0 flush_all:0
+ perf_push_sample1: overflow
+ one or more samples read from the IRQ handler are rejected by
+ perf_event_overflow() and the IRQ handler advances to the next SDB
+ and modifies the trailer entry of a partially filled SDB.
+ hw_perf_event_update: sdbt 0xb5286070 full 0 over 0 flush_all:1
+ timestamp: 14:32:52.519953
+
+Next time the IRQ handler is called for this SDB the trailer entry shows
+an overflow count of 19 missed entries.
+ hw_perf_event_update: sdbt 0xb5286070 full 1 over 19 flush_all:1
+ timestamp: 14:32:52.970058
+
+Remove access to a follow on SDB when event overflow happened.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 0f4957ac81b6..5bfb1ce129f4 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1261,12 +1261,6 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ */
+ if (flush_all && done)
+ break;
+-
+- /* If an event overflow happened, discard samples by
+- * processing any remaining sample-data-blocks.
+- */
+- if (event_overflow)
+- flush_all = 1;
+ }
+
+ /* Account sample overflows in the event hardware structure */
+--
+2.20.1
+
--- /dev/null
+From 3069dc176e122dfa5cf1fbae461104cdf340a4ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 12:45:09 +0300
+Subject: scsi: iscsi: qla4xxx: fix double free in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fee92f25777789d73e1936b91472e9c4644457c8 ]
+
+On this error path we call qla4xxx_mem_free() and then the caller also
+calls qla4xxx_free_adapter() which calls qla4xxx_mem_free(). It leads to a
+couple double frees:
+
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed
+
+Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx")
+Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 25c8ce54a976..f8acf101af3d 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -4280,7 +4280,6 @@ static int qla4xxx_mem_alloc(struct scsi_qla_host *ha)
+ return QLA_SUCCESS;
+
+ mem_alloc_error_exit:
+- qla4xxx_mem_free(ha);
+ return QLA_ERROR;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 2575c3f8fad9fa642160fe136756572898e13137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 09:11:18 +0800
+Subject: scsi: libsas: stop discovering if oob mode is disconnected
+
+From: Jason Yan <yanaijie@huawei.com>
+
+[ Upstream commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f ]
+
+The discovering of sas port is driven by workqueue in libsas. When libsas
+is processing port events or phy events in workqueue, new events may rise
+up and change the state of some structures such as asd_sas_phy. This may
+cause some problems such as follows:
+
+==>thread 1 ==>thread 2
+
+ ==>phy up
+ ==>phy_up_v3_hw()
+ ==>oob_mode = SATA_OOB_MODE;
+ ==>phy down quickly
+ ==>hisi_sas_phy_down()
+ ==>sas_ha->notify_phy_event()
+ ==>sas_phy_disconnected()
+ ==>oob_mode = OOB_NOT_CONNECTED
+==>workqueue wakeup
+==>sas_form_port()
+ ==>sas_discover_domain()
+ ==>sas_get_port_device()
+ ==>oob_mode is OOB_NOT_CONNECTED and device
+ is wrongly taken as expander
+
+This at last lead to the panic when libsas trying to issue a command to
+discover the device.
+
+[183047.614035] Unable to handle kernel NULL pointer dereference at
+virtual address 0000000000000058
+[183047.622896] Mem abort info:
+[183047.625762] ESR = 0x96000004
+[183047.628893] Exception class = DABT (current EL), IL = 32 bits
+[183047.634888] SET = 0, FnV = 0
+[183047.638015] EA = 0, S1PTW = 0
+[183047.641232] Data abort info:
+[183047.644189] ISV = 0, ISS = 0x00000004
+[183047.648100] CM = 0, WnR = 0
+[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp =
+00000000b7df67be
+[183047.657834] [0000000000000058] pgd=0000000000000000
+[183047.662789] Internal error: Oops: 96000004 [#1] SMP
+[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit =
+0x00000000417c4974)
+[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G
+W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1
+[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10,
+BIOS 0.15 10/22/2019
+[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
+[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO)
+[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
+[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw]
+[183047.717153] sp : ffff00000f28ba60
+[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228
+[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200
+[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0
+[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228
+[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200
+[183047.747464] x19: 0000000000f80800 x18: 0000000000000010
+[183047.752848] x17: 0000000000000000 x16: 0000000000000000
+[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005
+[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20
+[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870
+[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0
+[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f
+[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0
+[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007
+[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000
+[183047.801307] Call trace:
+[183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
+[183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main]
+[183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main]
+[183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main]
+[183047.826757] smp_execute_task_sg+0xec/0x218
+[183047.831013] smp_execute_task+0x74/0xa0
+[183047.834921] sas_discover_expander.part.7+0x9c/0x5f8
+[183047.839959] sas_discover_root_expander+0x90/0x160
+[183047.844822] sas_discover_domain+0x1b8/0x1e8
+[183047.849164] process_one_work+0x1b4/0x3f8
+[183047.853246] worker_thread+0x54/0x470
+[183047.856981] kthread+0x134/0x138
+[183047.860283] ret_from_fork+0x10/0x18
+[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800)
+[183047.870097] kernel fault(0x1) notification starting on CPU 0
+[183047.875828] kernel fault(0x1) notification finished on CPU 0
+[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE)
+hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE)
+[183047.892418] ---[ end trace 4cc26083fc11b783 ]---
+[183047.897107] Kernel panic - not syncing: Fatal exception
+[183047.902403] kernel fault(0x5) notification starting on CPU 0
+[183047.908134] kernel fault(0x5) notification finished on CPU 0
+[183047.913865] SMP: stopping secondary CPUs
+[183047.917861] Kernel Offset: disabled
+[183047.921422] CPU features: 0x2,a2a00a38
+[183047.925243] Memory Limit: none
+[183047.928372] kernel reboot(0x2) notification starting on CPU 0
+[183047.934190] kernel reboot(0x2) notification finished on CPU 0
+[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception
+]---
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com
+Reported-by: Gao Chuan <gaochuan4@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_discover.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c
+index 0148ae62a52a..e320534310b1 100644
+--- a/drivers/scsi/libsas/sas_discover.c
++++ b/drivers/scsi/libsas/sas_discover.c
+@@ -97,12 +97,21 @@ static int sas_get_port_device(struct asd_sas_port *port)
+ else
+ dev->dev_type = SAS_SATA_DEV;
+ dev->tproto = SAS_PROTOCOL_SATA;
+- } else {
++ } else if (port->oob_mode == SAS_OOB_MODE) {
+ struct sas_identify_frame *id =
+ (struct sas_identify_frame *) dev->frame_rcvd;
+ dev->dev_type = id->dev_type;
+ dev->iproto = id->initiator_bits;
+ dev->tproto = id->target_bits;
++ } else {
++ /* If the oob mode is OOB_NOT_CONNECTED, the port is
++ * disconnected due to race with PHY down. We cannot
++ * continue to discover this port
++ */
++ sas_put_device(dev);
++ pr_warn("Port %016llx is disconnected when discovering\n",
++ SAS_ADDR(port->attached_sas_addr));
++ return -ENODEV;
+ }
+
+ sas_init_dev(dev);
+--
+2.20.1
+
--- /dev/null
+From 1ee44a7caeba758be925c0c68bf28ac595ed4ff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2019 03:22:46 +0000
+Subject: scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func
+
+From: Bo Wu <wubo40@huawei.com>
+
+[ Upstream commit 9a1b0b9a6dab452fb0e39fe96880c4faf3878369 ]
+
+When phba->mbox_ext_buf_ctx.seqNum != phba->mbox_ext_buf_ctx.numBuf,
+dd_data should be freed before return SLI_CONFIG_HANDLED.
+
+When lpfc_sli_issue_mbox func return fails, pmboxq should be also freed in
+job_error tag.
+
+Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E7A966@DGGEML525-MBS.china.huawei.com
+Signed-off-by: Bo Wu <wubo40@huawei.com>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_bsg.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
+index 99aea52e584b..21f104c5eab6 100644
+--- a/drivers/scsi/lpfc/lpfc_bsg.c
++++ b/drivers/scsi/lpfc/lpfc_bsg.c
+@@ -4419,12 +4419,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+ phba->mbox_ext_buf_ctx.seqNum++;
+ nemb_tp = phba->mbox_ext_buf_ctx.nembType;
+
+- dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
+- if (!dd_data) {
+- rc = -ENOMEM;
+- goto job_error;
+- }
+-
+ pbuf = (uint8_t *)dmabuf->virt;
+ size = job->request_payload.payload_len;
+ sg_copy_to_buffer(job->request_payload.sg_list,
+@@ -4461,6 +4455,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+ "2968 SLI_CONFIG ext-buffer wr all %d "
+ "ebuffers received\n",
+ phba->mbox_ext_buf_ctx.numBuf);
++
++ dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
++ if (!dd_data) {
++ rc = -ENOMEM;
++ goto job_error;
++ }
++
+ /* mailbox command structure for base driver */
+ pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (!pmboxq) {
+@@ -4509,6 +4510,8 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+ return SLI_CONFIG_HANDLED;
+
+ job_error:
++ if (pmboxq)
++ mempool_free(pmboxq, phba->mbox_mem_pool);
+ lpfc_bsg_dma_page_free(phba, dmabuf);
+ kfree(dd_data);
+
+--
+2.20.1
+
--- /dev/null
+From bc29a9b92bb0761bb36b9dd71897f7c85c646b25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:58 +0300
+Subject: scsi: qla2xxx: Configure local loop for N2N target
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit fd1de5830a5abaf444cc4312871e02c41e24fdc1 ]
+
+qla2x00_configure_local_loop initializes PLOGI payload for PLOGI ELS using
+Get Parameters mailbox command.
+
+In the case when the driver is running in target mode, the topology is N2N
+and the target port has higher WWPN, LOCAL_LOOP_UPDATE bit is cleared too
+early and PLOGI payload is not initialized by the Get Parameters
+command. That causes a failure of ELS IOCB carrying the PLOGI with 0x15 aka
+Data Underrun error.
+
+LOCAL_LOOP_UPDATE has to be set to initialize PLOGI payload.
+
+Fixes: 48acad099074 ("scsi: qla2xxx: Fix N2N link re-connect")
+Link: https://lore.kernel.org/r/20191125165702.1013-10-r.bolshakov@yadro.com
+Acked-by: Quinn Tran <qutran@marvell.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 4512aaa16f78..851f75b12216 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -4815,14 +4815,8 @@ qla2x00_configure_loop(scsi_qla_host_t *vha)
+ set_bit(RSCN_UPDATE, &flags);
+ clear_bit(LOCAL_LOOP_UPDATE, &flags);
+
+- } else if (ha->current_topology == ISP_CFG_N) {
+- clear_bit(RSCN_UPDATE, &flags);
+- if (qla_tgt_mode_enabled(vha)) {
+- /* allow the other side to start the login */
+- clear_bit(LOCAL_LOOP_UPDATE, &flags);
+- set_bit(RELOGIN_NEEDED, &vha->dpc_flags);
+- }
+- } else if (ha->current_topology == ISP_CFG_NL) {
++ } else if (ha->current_topology == ISP_CFG_NL ||
++ ha->current_topology == ISP_CFG_N) {
+ clear_bit(RSCN_UPDATE, &flags);
+ set_bit(LOCAL_LOOP_UPDATE, &flags);
+ } else if (!vha->flags.online ||
+--
+2.20.1
+
--- /dev/null
+From 0f33d70295c15aa474cd7f6efcfc88f300b9e7f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:56 +0300
+Subject: scsi: qla2xxx: Don't call qlt_async_event twice
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 2c2f4bed9b6299e6430a65a29b5d27b8763fdf25 ]
+
+MBA_PORT_UPDATE generates duplicate log lines in target mode because
+qlt_async_event is called twice. Drop the calls within the case as the
+function will be called right after the switch statement.
+
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-8-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvel.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index afe15b3e45fb..e6d162945f5d 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -1049,8 +1049,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+ ql_dbg(ql_dbg_async, vha, 0x5011,
+ "Asynchronous PORT UPDATE ignored %04x/%04x/%04x.\n",
+ mb[1], mb[2], mb[3]);
+-
+- qlt_async_event(mb[0], vha, mb);
+ break;
+ }
+
+@@ -1067,8 +1065,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+ set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
+ set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags);
+ set_bit(VP_CONFIG_OK, &vha->vp_flags);
+-
+- qlt_async_event(mb[0], vha, mb);
+ break;
+
+ case MBA_RSCN_UPDATE: /* State Change Registration */
+--
+2.20.1
+
--- /dev/null
+From 989d3c93f98262f427c4d9a57154a651fc78997b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:53 +0300
+Subject: scsi: qla2xxx: Drop superfluous INIT_WORK of del_work
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 600954e6f2df695434887dfc6a99a098859990cf ]
+
+del_work is already initialized inside qla2x00_alloc_fcport, there's no
+need to overwrite it. Indeed, it might prevent complete traversal of
+workqueue list.
+
+Fixes: a01c77d2cbc45 ("scsi: qla2xxx: Move session delete to driver work queue")
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-5-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 210ce294038d..8eda55e917e0 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1261,7 +1261,6 @@ void qlt_schedule_sess_for_deletion(struct fc_port *sess)
+ "Scheduling sess %p for deletion %8phC\n",
+ sess, sess->port_name);
+
+- INIT_WORK(&sess->del_work, qla24xx_delete_sess_fn);
+ WARN_ON(!queue_work(sess->vha->hw->wq, &sess->del_work));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 4b4ffb778abfc0df79615f754bc50a49d696cdcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:57 +0300
+Subject: scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 0334cdea1fba36fad8bdf9516f267ce01de625f7 ]
+
+The size of the buffer is hardcoded as 0x70 or 112 bytes, while the size of
+ELS IOCB is 0x40 and the size of PLOGI payload returned by Get Parameters
+command is 0x74.
+
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-9-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index c699bbb8485b..7e47321e003c 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -2537,7 +2537,8 @@ qla24xx_els_logo_iocb(srb_t *sp, struct els_entry_24xx *els_iocb)
+ ql_dbg(ql_dbg_io + ql_dbg_buffer, vha, 0x3073,
+ "PLOGI ELS IOCB:\n");
+ ql_dump_buffer(ql_log_info, vha, 0x0109,
+- (uint8_t *)els_iocb, 0x70);
++ (uint8_t *)els_iocb,
++ sizeof(*els_iocb));
+ } else {
+ els_iocb->tx_byte_count = sizeof(struct els_logo_payload);
+ els_iocb->tx_address[0] =
+@@ -2703,7 +2704,8 @@ qla24xx_els_dcmd2_iocb(scsi_qla_host_t *vha, int els_opcode,
+
+ ql_dbg(ql_dbg_disc + ql_dbg_buffer, vha, 0x3073, "PLOGI buffer:\n");
+ ql_dump_buffer(ql_dbg_disc + ql_dbg_buffer, vha, 0x0109,
+- (uint8_t *)elsio->u.els_plogi.els_plogi_pyld, 0x70);
++ (uint8_t *)elsio->u.els_plogi.els_plogi_pyld,
++ sizeof(*elsio->u.els_plogi.els_plogi_pyld));
+
+ rval = qla2x00_start_sp(sp);
+ if (rval != QLA_SUCCESS) {
+--
+2.20.1
+
--- /dev/null
+From fde3f614cf50bfba657b297b4ff27db0488aeffc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:57:01 +0300
+Subject: scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit af22f0c7b052c5c203207f1e5ebd6aa65f87c538 ]
+
+PORT UPDATE asynchronous event is generated on the host that issues PLOGI
+ELS (in the case of higher WWPN). In that case, the event shouldn't be
+handled as it sets unwanted DPC flags (i.e. LOOP_RESYNC_NEEDED) that
+trigger link flap.
+
+Ignore the event if the host has higher WWPN, but handle otherwise.
+
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-13-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index b01f69dd4b28..abef3b29fa10 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -3871,6 +3871,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
+ vha->d_id.b24 = 0;
+ vha->d_id.b.al_pa = 1;
+ ha->flags.n2n_bigger = 1;
++ ha->flags.n2n_ae = 0;
+
+ id.b.al_pa = 2;
+ ql_dbg(ql_dbg_async, vha, 0x5075,
+@@ -3881,6 +3882,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
+ "Format 1: Remote login - Waiting for WWPN %8phC.\n",
+ rptid_entry->u.f1.port_name);
+ ha->flags.n2n_bigger = 0;
++ ha->flags.n2n_ae = 1;
+ }
+ qla24xx_post_newsess_work(vha, &id,
+ rptid_entry->u.f1.port_name,
+@@ -3892,7 +3894,6 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
+ /* if our portname is higher then initiate N2N login */
+
+ set_bit(N2N_LOGIN_NEEDED, &vha->dpc_flags);
+- ha->flags.n2n_ae = 1;
+ return;
+ break;
+ case TOPO_FL:
+--
+2.20.1
+
--- /dev/null
+From bb40ec63266594fff4e48df6d5f9444cdb7de86f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:59 +0300
+Subject: scsi: qla2xxx: Send Notify ACK after N2N PLOGI
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 5e6b01d84b9d20bcd77fc7c4733a2a4149bf220a ]
+
+qlt_handle_login schedules session for deletion even if a login is in
+progress. That causes login bouncing, i.e. a few logins are made before it
+settles down.
+
+Complete the first login by sending Notify Acknowledge IOCB via
+qlt_plogi_ack_unref if the session is pending login completion.
+
+Fixes: 9cd883f07a54 ("scsi: qla2xxx: Fix session cleanup for N2N")
+Cc: Krishna Kant <krishna.kant@purestorage.com>
+Cc: Alexei Potashnik <alexei@purestorage.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-11-r.bolshakov@yadro.com
+Acked-by: Quinn Tran <qutran@marvell.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 8eda55e917e0..e9545411ec5a 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -4779,6 +4779,7 @@ static int qlt_handle_login(struct scsi_qla_host *vha,
+
+ switch (sess->disc_state) {
+ case DSC_DELETED:
++ case DSC_LOGIN_PEND:
+ qlt_plogi_ack_unref(vha, pla);
+ break;
+
+--
+2.20.1
+
--- /dev/null
+nvme_fc-add-module-to-ops-template-to-allow-module-r.patch
+nvme-fc-fix-double-free-scenarios-on-hw-queues.patch
+drm-amdgpu-add-check-before-enabling-disabling-broad.patch
+drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch
+drm-amd-display-fixed-kernel-panic-when-booting-with.patch
+iio-adc-max9611-fix-too-short-conversion-time-delay.patch
+pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch
+pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch
+pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch
+afs-fix-afs_find_server-lookups-for-ipv4-peers.patch
+afs-fix-selinux-setting-security-label-on-afs.patch
+rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch
+rxe-correctly-calculate-icrc-for-unaligned-payloads.patch
+scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch
+scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch
+scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch
+scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch
+scsi-qla2xxx-configure-local-loop-for-n2n-target.patch
+scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch
+scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch
+scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
+scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch
+drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch
+usb-gadget-fix-wrong-endpoint-desc.patch
+net-make-socket-read-write_iter-honor-iocb_nowait.patch
+afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch
+md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch
+s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch
+s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch
+ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch
+ib-mlx5-fix-steering-rule-of-drop-and-count.patch
+xen-blkback-prevent-premature-module-unload.patch
+xen-balloon-fix-ballooned-page-accounting-without-ho.patch
+pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch
+alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch
+alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch
+alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch
+xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch
+taskstats-fix-data-race.patch
+drm-limit-to-int_max-in-create_blob-ioctl.patch
+netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch
--- /dev/null
+From 224fd0ecabb8e03ac2e4160bff890edc5bfce578 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 13:48:09 +0200
+Subject: taskstats: fix data-race
+
+From: Christian Brauner <christian.brauner@ubuntu.com>
+
+[ Upstream commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 ]
+
+When assiging and testing taskstats in taskstats_exit() there's a race
+when setting up and reading sig->stats when a thread-group with more
+than one thread exits:
+
+write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0:
+ taskstats_tgid_alloc kernel/taskstats.c:567 [inline]
+ taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ get_signal+0x2a2/0x1320 kernel/signal.c:2734
+ do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815
+ exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
+ do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1:
+ taskstats_tgid_alloc kernel/taskstats.c:559 [inline]
+ taskstats_exit+0xb2/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ __do_sys_exit_group kernel/exit.c:994 [inline]
+ __se_sys_exit_group kernel/exit.c:992 [inline]
+ __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992
+ do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fix this by using smp_load_acquire() and smp_store_release().
+
+Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com
+Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Marco Elver <elver@google.com>
+Reviewed-by: Will Deacon <will@kernel.org>
+Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/taskstats.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/taskstats.c b/kernel/taskstats.c
+index 4e62a4a8fa91..82393952683c 100644
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -564,25 +564,33 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
+ static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
+ {
+ struct signal_struct *sig = tsk->signal;
+- struct taskstats *stats;
++ struct taskstats *stats_new, *stats;
+
+- if (sig->stats || thread_group_empty(tsk))
+- goto ret;
++ /* Pairs with smp_store_release() below. */
++ stats = smp_load_acquire(&sig->stats);
++ if (stats || thread_group_empty(tsk))
++ return stats;
+
+ /* No problem if kmem_cache_zalloc() fails */
+- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
++ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
+
+ spin_lock_irq(&tsk->sighand->siglock);
+- if (!sig->stats) {
+- sig->stats = stats;
+- stats = NULL;
++ stats = sig->stats;
++ if (!stats) {
++ /*
++ * Pairs with smp_store_release() above and order the
++ * kmem_cache_zalloc().
++ */
++ smp_store_release(&sig->stats, stats_new);
++ stats = stats_new;
++ stats_new = NULL;
+ }
+ spin_unlock_irq(&tsk->sighand->siglock);
+
+- if (stats)
+- kmem_cache_free(taskstats_cache, stats);
+-ret:
+- return sig->stats;
++ if (stats_new)
++ kmem_cache_free(taskstats_cache, stats_new);
++
++ return stats;
+ }
+
+ /* Send pid data out on exit */
+--
+2.20.1
+
--- /dev/null
+From dc69659e755558503880c446186c7f87ded1581b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 23:34:56 -0800
+Subject: usb: gadget: fix wrong endpoint desc
+
+From: EJ Hsu <ejh@nvidia.com>
+
+[ Upstream commit e5b5da96da50ef30abb39cb9f694e99366404d24 ]
+
+Gadget driver should always use config_ep_by_speed() to initialize
+usb_ep struct according to usb device's operating speed. Otherwise,
+usb_ep struct may be wrong if usb devcie's operating speed is changed.
+
+The key point in this patch is that we want to make sure the desc pointer
+in usb_ep struct will be set to NULL when gadget is disconnected.
+This will force it to call config_ep_by_speed() to correctly initialize
+usb_ep struct based on the new operating speed when gadget is
+re-connected later.
+
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: EJ Hsu <ejh@nvidia.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_ecm.c | 6 +++++-
+ drivers/usb/gadget/function/f_rndis.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c
+index 6ce044008cf6..460d5d7c984f 100644
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -621,8 +621,12 @@ static void ecm_disable(struct usb_function *f)
+
+ DBG(cdev, "ecm deactivated\n");
+
+- if (ecm->port.in_ep->enabled)
++ if (ecm->port.in_ep->enabled) {
+ gether_disconnect(&ecm->port);
++ } else {
++ ecm->port.in_ep->desc = NULL;
++ ecm->port.out_ep->desc = NULL;
++ }
+
+ usb_ep_disable(ecm->notify);
+ ecm->notify->desc = NULL;
+diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c
+index d48df36622b7..0d8e4a364ca6 100644
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -618,6 +618,7 @@ static void rndis_disable(struct usb_function *f)
+ gether_disconnect(&rndis->port);
+
+ usb_ep_disable(rndis->notify);
++ rndis->notify->desc = NULL;
+ }
+
+ /*-------------------------------------------------------------------------*/
+--
+2.20.1
+
--- /dev/null
+From 20e39b55c892b07bdce3120d4a494f162dd1e33b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 15:17:50 +0100
+Subject: xen/balloon: fix ballooned page accounting without hotplug enabled
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit c673ec61ade89bf2f417960f986bc25671762efb ]
+
+When CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not defined
+reserve_additional_memory() will set balloon_stats.target_pages to a
+wrong value in case there are still some ballooned pages allocated via
+alloc_xenballooned_pages().
+
+This will result in balloon_process() no longer be triggered when
+ballooned pages are freed in batches.
+
+Reported-by: Nicholas Tsirakis <niko.tsirakis@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/balloon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index 747a15acbce3..6fa7209f24f4 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -395,7 +395,8 @@ static struct notifier_block xen_memory_nb = {
+ #else
+ static enum bp_state reserve_additional_memory(void)
+ {
+- balloon_stats.target_pages = balloon_stats.current_pages;
++ balloon_stats.target_pages = balloon_stats.current_pages +
++ balloon_stats.target_unpopulated;
+ return BP_ECANCELED;
+ }
+ #endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */
+--
+2.20.1
+
--- /dev/null
+From 3b27b08119b8ea5221b9c43c3643bf00cb5e7ff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 14:53:05 +0000
+Subject: xen-blkback: prevent premature module unload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Durrant <pdurrant@amazon.com>
+
+[ Upstream commit fa2ac657f9783f0891b2935490afe9a7fd29d3fa ]
+
+Objects allocated by xen_blkif_alloc come from the 'blkif_cache' kmem
+cache. This cache is destoyed when xen-blkif is unloaded so it is
+necessary to wait for the deferred free routine used for such objects to
+complete. This necessity was missed in commit 14855954f636 "xen-blkback:
+allow module to be cleanly unloaded". This patch fixes the problem by
+taking/releasing extra module references in xen_blkif_alloc/free()
+respectively.
+
+Signed-off-by: Paul Durrant <pdurrant@amazon.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/xen-blkback/xenbus.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
+index 55869b362fdf..25c41ce070a7 100644
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -179,6 +179,15 @@ static struct xen_blkif *xen_blkif_alloc(domid_t domid)
+ blkif->domid = domid;
+ atomic_set(&blkif->refcnt, 1);
+ init_completion(&blkif->drain_complete);
++
++ /*
++ * Because freeing back to the cache may be deferred, it is not
++ * safe to unload the module (and hence destroy the cache) until
++ * this has completed. To prevent premature unloading, take an
++ * extra module reference here and release only when the object
++ * has been freed back to the cache.
++ */
++ __module_get(THIS_MODULE);
+ INIT_WORK(&blkif->free_work, xen_blkif_deferred_free);
+
+ return blkif;
+@@ -328,6 +337,7 @@ static void xen_blkif_free(struct xen_blkif *blkif)
+
+ /* Make sure everything is drained before shutting down */
+ kmem_cache_free(xen_blkif_cachep, blkif);
++ module_put(THIS_MODULE);
+ }
+
+ int __init xen_blkif_interface_init(void)
+--
+2.20.1
+
--- /dev/null
+From babb48f2e8b7e6f74efdfbdaea7a44b94b876855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 07:53:15 -0800
+Subject: xfs: fix mount failure crash on invalid iclog memory access
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 798a9cada4694ca8d970259f216cec47e675bfd5 ]
+
+syzbot (via KASAN) reports a use-after-free in the error path of
+xlog_alloc_log(). Specifically, the iclog freeing loop doesn't
+handle the case of a fully initialized ->l_iclog linked list.
+Instead, it assumes that the list is partially constructed and NULL
+terminated.
+
+This bug manifested because there was no possible error scenario
+after iclog list setup when the original code was added. Subsequent
+code and associated error conditions were added some time later,
+while the original error handling code was never updated. Fix up the
+error loop to terminate either on a NULL iclog or reaching the end
+of the list.
+
+Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
+index c3b610b687d1..7bba551cbf90 100644
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1578,6 +1578,8 @@ xlog_alloc_log(
+ if (iclog->ic_bp)
+ xfs_buf_free(iclog->ic_bp);
+ kmem_free(iclog);
++ if (prev_iclog == log->l_iclog)
++ break;
+ }
+ spinlock_destroy(&log->l_icloglock);
+ xfs_buf_free(log->l_xbuf);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
